eXtending eduroam in the Asia Pacific (XeAP-2), APAN46, August 2018
eduroam ancillary services
REANNZ technical contribution
by Vlad Mencl
August 6, 2018 (XeAP-2 workshop day 2, session 1)
Presentation Outline
• About Me - Vlad Mencl
• AdminTool (DjNRO) - user interface
  ○ After break: lab: deploying and configuring AdminTool with containers
• Metrics: ELK brief overview
  ○ After break: lab: deploying and configuring ELK with containers
Vlad Mencl: About me
• Software Engineer at REANNZ since August 2015
  ○ Came with Tuakiri (NZ Identity Federation) merging into REANNZ
  ○ Worked in R&E space at U of Canterbury for ~ 9 years
    ■ BeSTGRID, NeSI, PRAGMA
• My CS academic past (in Component based software development)
  ○ Charles University (Prague, Czech Republic): PhD 2004
  ○ United Nations University International Institute for Software Technology (UNU-IIST) in Macao, China (2005-2006)
  ○ University of New Hampshire, USA (2002)
AdminTool (DjNRO)
Administration tool for the National Roaming Operator (NRO) to manage participating institutions
● Tracks Institutions, Radius Servers, Locations
● Self-administration by approved institutional administrators
  ○ Users can have externally managed accounts or internal accounts:
    ■ SAML Federation login
    ■ Social login (Google/Twitter/…)
    ■ Internal accounts in the application (last resort)
  ○ User’s identity gets linked with their institution by an NRO administrator
● Map of Service Locations for End users
● XML of Service Locations to push upstream to eduroam Global
DjNRO: the code base
● Name: Django (framework) + NRO
● Comes from GRNET (Greece)
● Collaborating with the GRNET team on DjNRO code
  ○ Several (minor) pull requests already merged
● REANNZ is using this tool internally at https://member.eduroam.net.nz
  ○ So far for Service Locations only
    ■ (Radius was already fully configured when deploying this tool)
DjNRO - For users
End-users see an interactive map of service locations
DjNRO: Institutional administrators: self-service interface
DjNRO: NRO administration interface (super-user / DB access)
NRO Administrator can see and modify all objects (via the Django CRUD interface)
DjNRO: Data Exports
● Service Locations: /general/institution.xml
● All locations globally: /services/allpoints
… and more ...
Future:
● eduroam NRS config
● monitoring config
AdminTool/DjNRO Benefits: your eduroam is visible
for your users to find you….
AdminTool/DjNRO Benefits: eduroam companion app
Let users find your eduroam site on the go with the eduroam companion App
Search for “eduroam companion” in Google Play or the AppStore
Demo
● REANNZ Prod site: https://member.eduroam.net.nz/ (uses Google + SAML login)
● XeAP-2 deployment: https://nz-rad1.tein.aarnet.edu.au/ (newer version with Google login)
AdminTool Future Work
Planned enhancements to DjNRO:
• More exports: generating NRS FreeRadius config, monitoring config
• Tracking additional information
  ○ Radius server type and capabilities…
  ○ Institutions identity store type and capabilities
  ○ Institutional policy URLs
  ○ Service location hardware type and capabilities
  ○ Contact type + SMS capability
• Approval workflow
  ○ NRO to approve sensitive actions (like adding a new realm) done by institutional admins.
Metrics services: ELK stack
● We use the ELK stack (ElasticSearch, Logstash, Kibana)
  ○ ElasticSearch is the back-end search engine (and “database”)
  ○ Logstash is the pipeline to feed the data in:
    ■ Receive data from other systems
    ■ Pre-process (parse) known log formats into (semi-)structured data
    ■ Push into ElasticSearch
  ○ Kibana: data visualization platform
    ■ Explore the data in ElasticSearch
    ■ Value yet to be explored
Metrics: importing data
Filebeat: forward logs to Logstash
● AdminTool deployment comes with a forwarder of the Apache logs
  ○ More a proof-of-concept, but could be useful...
● Separate forwarder of Radius linelog
  ○ Separate forwarders for freeradius and radsecproxy
● Just add another Docker container...
Monitoring services: Icinga2 + Icingaweb2
● Icinga2 (originally based on Nagios) is the monitoring system
● Icingaweb2 provides the web interface to Icinga
● Use Icinga to monitor all Radius servers
  ○ NRS servers and institutional radius servers
  ○ Status checks and attempt logins with rad_eap_test
  ○ Send out alerts as appropriate
  ○ Credentials and other connection details available in DjNRO
    ■ And so are admin contact email addresses.
    ■ So it should be possible to generate the full configuration.
● So far, prototype configuration for a single host available
  ○ But still need to design a scalable approach to configuration.
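
One way the configuration generation mentioned on this slide could be done safely, as an added example (not code from the talk or from DjNRO): since institutional administrators edit these records themselves, every value is validated or escaped before it is written into Icinga2 configuration. The record fields, the `vars.*` names and the use of the `generic-host` template are assumptions.

```python
import ipaddress
import re

# Constructed sample records standing in for a DjNRO export. The field names
# are assumptions for this sketch, not DjNRO's actual schema.
SERVERS = [
    {"name": "rad1.example.ac.nz", "address": "192.0.2.10",
     "realm": "example.ac.nz", "contact": "noc@example.ac.nz"},
    {"name": "rad2.example.ac.nz", "address": "192.0.2.11",
     "realm": 'lab "B"\nexample.ac.nz', "contact": "it@example.ac.nz"},
    {"name": 'bad" name', "address": "192.0.2.12",
     "realm": "example.org", "contact": "it@example.org"},
]

HOSTNAME_RE = re.compile(r"[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?")
ESCAPES = {"\\": "\\\\", '"': '\\"', "\n": "\\n", "\r": "\\r", "\t": "\\t"}

def icinga_string(value):
    """Quote a value as an Icinga2 string literal, escaping special characters."""
    return '"' + "".join(ESCAPES.get(ch, ch) for ch in str(value)) + '"'

def render_host(server):
    """Return one Icinga2 Host object; raise ValueError on an unsafe name or address."""
    name = server["name"]
    if len(name) > 253 or not HOSTNAME_RE.fullmatch(name):
        raise ValueError("invalid host name: %r" % name)
    address = ipaddress.ip_address(server["address"])  # ValueError if malformed
    # "generic-host" is the template shipped in Icinga2's sample configuration;
    # its presence on the monitoring host is assumed here.
    return "\n".join([
        "object Host %s {" % icinga_string(name),
        '  import "generic-host"',
        "  address = %s" % icinga_string(address),
        "  vars.eduroam_realm = %s" % icinga_string(server["realm"]),
        "  vars.admin_email = %s" % icinga_string(server["contact"]),
        "}",
    ])

def render_all(servers):
    """Render every valid record and collect the names of rejected ones."""
    blocks, rejected = [], []
    for server in servers:
        try:
            blocks.append(render_host(server))
        except ValueError:
            rejected.append(server["name"])
    return "\n\n".join(blocks) + "\n", rejected

if __name__ == "__main__":
    config, rejected = render_all(SERVERS)
    print(config + "rejected: %r" % rejected)
```

The rad_eap_test credentials that DjNRO holds are left out of this sketch; a generated file that includes them needs restrictive file permissions.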
Questions?
After break:
● Deploying Admin Tool with Docker
● Deploying Metrics (ELK) with Docker
Explore now
● Admintool at https://nz-rad1.tein.aarnet.edu.au/
● Metrics at https://nz-rad1.tein.aarnet.edu.au:9443
● Monitoring at https://nz-rad1.tein.aarnet.edu.au:8443/
ALL: login: “admin” / “admin-password-XeAP2”