Cannot install netdata from source (the source directory does not include netdata-installer.sh). Leaving all files in /tmp/netdata-kickstart-RH8spBRm6P

hello,
unable to install. help figuring out what’s causing failure and sort it out would be appreciated.

[root@kingdom ~]# bash <(curl -Ss https://my-netdata.io/kickstart.sh)
/dev/fd/63: line 167: /tmp/netdata-test.PNaYZuGkMR: Permission denied
System : Linux
Operating System : GNU/Linux
Machine : x86_64
BASH major version:
— Fetching script to detect required packages… —
[/tmp/netdata-kickstart-RH8spBRm6P]# curl -q -sSL --connect-timeout 10 --retry 3 --output /tmp/netdata-kickstart-RH8spBRm6P/install-required-packages.sh https://raw.githubusercontent.com/netdata/netdata/master/packaging/installer/install-required-packages.sh OK

— Running downloaded script to detect required packages… —
[/tmp/netdata-kickstart-RH8spBRm6P]# /bin/bash /tmp/netdata-kickstart-RH8spBRm6P/install-required-packages.sh netdata Loading /etc/os-release …
You should have EPEL enabled to install all the prerequisites.
Check: How to Enable EPEL Repository on RHEL, Rocky & Alma Linux

CentOS Version: 7 …
Checking for epel …

/etc/os-release information:
NAME : CentOS Linux
VERSION : 7 (Core)
ID : centos
ID_LIKE : rhel fedora
VERSION_ID : 7

We detected these:
Distribution : centos
Version : 7
Codename : 7 (Core)
Package Manager : install_yum
Packages Tree : centos
Detection Method: /etc/os-release
Default Python v: 2 (will install python3 too)

Searching for distro_sdk …
Searching for autoconf_archive …

Checking if package ‘autoconf-archive’ is installed…
Searching for autogen …
Checking if package ‘autogen’ is installed…
Searching for cmake …
Checking if package ‘cmake’ is installed…
Searching for libz_dev …
Checking if package ‘zlib-devel’ is installed…
Searching for libuuid_dev …
Checking if package ‘libuuid-devel’ is installed…
Searching for libmnl_dev …
Checking if package ‘libmnl-devel’ is installed…
Searching for json_c_dev …
Checking if package ‘json-c-devel’ is installed…
Searching for libuv …
Checking if package ‘libuv-devel’ is installed…
Searching for lz4 …
Checking if package ‘lz4-devel’ is installed…
Searching for openssl …
Checking if package ‘openssl-devel’ is installed…
Searching for judy …
Searching for libelf …
Checking if package ‘elfutils-libelf-devel’ is installed…
Searching for python3 …
Checking if package ‘python3’ is installed…

The following command will be run:

IMPORTANT <<
Please make sure your system is up to date
by running: yum update

yum install autoconf-archive autogen cmake elfutils-libelf-devel json-c-devel libmnl-devel libuv-devel lz4-devel python3

Press ENTER to run it >
yum install autoconf-archive autogen cmake elfutils-libelf-devel json-c-devel libmnl-devel libuv-devel lz4-devel python3
Loaded plugins: fastestmirror, universal-hooks
Loading mirror speeds from cached hostfile
epel/x86_64/metalink | 10 kB 00:00:00

  • EA4: 104.219.172.10
  • cpanel-addons-production-feed: 104.219.172.10
  • cpanel-plugins: 104.219.172.10
  • base: mirror.hostduplex.com
  • epel: sjc.edge.kernel.org
  • extras: sjc.edge.kernel.org
  • updates: sjc.edge.kernel.org
    Resolving Dependencies
    → Running transaction check
    —> Package autoconf-archive.noarch 0:2017.03.21-1.el7 will be installed
    —> Package autogen.x86_64 0:5.18-5.el7 will be installed
    → Processing Dependency: autogen-libopts(x86-64) = 5.18-5.el7 for package: autogen-5.18-5.el7.x86_64
    → Processing Dependency: libguile-2.0.so.22(GUILE_2.0)(64bit) for package: autogen-5.18-5.el7.x86_64
    → Processing Dependency: libopts.so.25()(64bit) for package: autogen-5.18-5.el7.x86_64
    → Processing Dependency: libguile-2.0.so.22()(64bit) for package: autogen-5.18-5.el7.x86_64
    → Processing Dependency: libgc.so.1()(64bit) for package: autogen-5.18-5.el7.x86_64
    —> Package cmake.x86_64 0:2.8.12.2-2.el7 will be installed
    → Processing Dependency: libarchive.so.13()(64bit) for package: cmake-2.8.12.2-2.el7.x86_64
    —> Package elfutils-libelf-devel.x86_64 0:0.176-4.el7 will be installed
    —> Package json-c-devel.x86_64 0:0.11-4.el7_0 will be installed
    —> Package libmnl-devel.x86_64 0:1.0.3-7.el7 will be installed
    —> Package libuv-devel.x86_64 1:1.40.0-1.el7 will be installed
    → Processing Dependency: libuv(x86-64) = 1:1.40.0-1.el7 for package: 1:libuv-devel-1.40.0-1.el7.x86_64
    → Processing Dependency: libuv.so.1()(64bit) for package: 1:libuv-devel-1.40.0-1.el7.x86_64
    —> Package lz4-devel.x86_64 0:1.7.5-3.el7 will be installed
    —> Package python3.x86_64 0:3.6.8-13.el7 will be installed
    → Processing Dependency: python3-libs(x86-64) = 3.6.8-13.el7 for package: python3-3.6.8-13.el7.x86_64
    → Processing Dependency: python3-setuptools for package: python3-3.6.8-13.el7.x86_64
    → Processing Dependency: python3-pip for package: python3-3.6.8-13.el7.x86_64
    → Processing Dependency: libpython3.6m.so.1.0()(64bit) for package: python3-3.6.8-13.el7.x86_64
    → Running transaction check
    —> Package autogen-libopts.x86_64 0:5.18-5.el7 will be installed
    —> Package gc.x86_64 0:7.2d-7.el7 will be installed
    —> Package guile.x86_64 5:2.0.9-5.el7 will be installed
    —> Package libarchive.x86_64 0:3.1.2-14.el7_7 will be installed
    —> Package libuv.x86_64 1:1.40.0-1.el7 will be installed
    —> Package python3-libs.x86_64 0:3.6.8-13.el7 will be installed
    —> Package python3-pip.noarch 0:9.0.3-7.el7_7 will be installed
    —> Package python3-setuptools.noarch 0:39.2.0-10.el7 will be installed
    → Finished Dependency Resolution

Dependencies Resolved

==========================================================================================================================
Package Arch Version Repository Size

Installing:
autoconf-archive noarch 2017.03.21-1.el7 base 612 k
autogen x86_64 5.18-5.el7 base 582 k
cmake x86_64 2.8.12.2-2.el7 base 7.1 M
elfutils-libelf-devel x86_64 0.176-4.el7 base 40 k
json-c-devel x86_64 0.11-4.el7_0 base 20 k
libmnl-devel x86_64 1.0.3-7.el7 base 32 k
libuv-devel x86_64 1:1.40.0-1.el7 epel 36 k
lz4-devel x86_64 1.7.5-3.el7 base 21 k
python3 x86_64 3.6.8-13.el7 base 69 k
Installing for dependencies:
autogen-libopts x86_64 5.18-5.el7 base 66 k
gc x86_64 7.2d-7.el7 base 158 k
guile x86_64 5:2.0.9-5.el7 base 3.8 M
libarchive x86_64 3.1.2-14.el7_7 base 319 k
libuv x86_64 1:1.40.0-1.el7 epel 152 k
python3-libs x86_64 3.6.8-13.el7 base 7.0 M
python3-pip noarch 9.0.3-7.el7_7 updates 1.8 M
python3-setuptools noarch 39.2.0-10.el7 base 629 k

Transaction Summary

Install 9 Packages (+8 Dependent packages)

Total download size: 22 M
Installed size: 93 M
Is this ok [y/d/N]: y
Downloading packages:
(1/17): autogen-5.18-5.el7.x86_64.rpm | 582 kB 00:00:00
(2/17): gc-7.2d-7.el7.x86_64.rpm | 158 kB 00:00:00
(3/17): guile-2.0.9-5.el7.x86_64.rpm | 3.8 MB 00:00:00
(4/17): json-c-devel-0.11-4.el7_0.x86_64.rpm | 20 kB 00:00:00
(5/17): libarchive-3.1.2-14.el7_7.x86_64.rpm | 319 kB 00:00:00
(6/17): autogen-libopts-5.18-5.el7.x86_64.rpm | 66 kB 00:00:00
(7/17): libmnl-devel-1.0.3-7.el7.x86_64.rpm | 32 kB 00:00:00
(8/17): libuv-1.40.0-1.el7.x86_64.rpm | 152 kB 00:00:00
(9/17): lz4-devel-1.7.5-3.el7.x86_64.rpm | 21 kB 00:00:00
(10/17): python3-3.6.8-13.el7.x86_64.rpm | 69 kB 00:00:00
(11/17): python3-libs-3.6.8-13.el7.x86_64.rpm | 7.0 MB 00:00:00
(12/17): python3-pip-9.0.3-7.el7_7.noarch.rpm | 1.8 MB 00:00:00
(13/17): libuv-devel-1.40.0-1.el7.x86_64.rpm | 36 kB 00:00:00
(14/17): python3-setuptools-39.2.0-10.el7.noarch.rpm | 629 kB 00:00:00
(15/17): autoconf-archive-2017.03.21-1.el7.noarch.rpm | 612 kB 00:00:01
(16/17): cmake-2.8.12.2-2.el7.x86_64.rpm | 7.1 MB 00:00:03
(17/17): elfutils-libelf-devel-0.176-4.el7.x86_64.rpm | 40 kB 00:00:03

Total 5.7 MB/s | 22 MB 00:00:03
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Installing : python3-pip-9.0.3-7.el7_7.noarch 1/17
Installing : python3-setuptools-39.2.0-10.el7.noarch 2/17
Installing : python3-libs-3.6.8-13.el7.x86_64 3/17
Installing : python3-3.6.8-13.el7.x86_64 4/17
Installing : gc-7.2d-7.el7.x86_64 5/17
Installing : 5:guile-2.0.9-5.el7.x86_64 6/17
Installing : 1:libuv-1.40.0-1.el7.x86_64 7/17
Installing : libarchive-3.1.2-14.el7_7.x86_64 8/17
Installing : autogen-libopts-5.18-5.el7.x86_64 9/17
Installing : autogen-5.18-5.el7.x86_64 10/17
Installing : cmake-2.8.12.2-2.el7.x86_64 11/17
Installing : 1:libuv-devel-1.40.0-1.el7.x86_64 12/17
Installing : autoconf-archive-2017.03.21-1.el7.noarch 13/17
Installing : lz4-devel-1.7.5-3.el7.x86_64 14/17
Installing : elfutils-libelf-devel-0.176-4.el7.x86_64 15/17
Installing : json-c-devel-0.11-4.el7_0.x86_64 16/17
Installing : libmnl-devel-1.0.3-7.el7.x86_64 17/17
Verifying : autogen-libopts-5.18-5.el7.x86_64 1/17
Verifying : autogen-5.18-5.el7.x86_64 2/17
Verifying : 5:guile-2.0.9-5.el7.x86_64 3/17
Verifying : libmnl-devel-1.0.3-7.el7.x86_64 4/17
Verifying : libarchive-3.1.2-14.el7_7.x86_64 5/17
Verifying : json-c-devel-0.11-4.el7_0.x86_64 6/17
Verifying : python3-3.6.8-13.el7.x86_64 7/17
Verifying : elfutils-libelf-devel-0.176-4.el7.x86_64 8/17
Verifying : cmake-2.8.12.2-2.el7.x86_64 9/17
Verifying : lz4-devel-1.7.5-3.el7.x86_64 10/17
Verifying : python3-pip-9.0.3-7.el7_7.noarch 11/17
Verifying : python3-setuptools-39.2.0-10.el7.noarch 12/17
Verifying : 1:libuv-devel-1.40.0-1.el7.x86_64 13/17
Verifying : 1:libuv-1.40.0-1.el7.x86_64 14/17
Verifying : python3-libs-3.6.8-13.el7.x86_64 15/17
Verifying : gc-7.2d-7.el7.x86_64 16/17
Verifying : autoconf-archive-2017.03.21-1.el7.noarch 17/17

Installed:
autoconf-archive.noarch 0:2017.03.21-1.el7 autogen.x86_64 0:5.18-5.el7 cmake.x86_64 0:2.8.12.2-2.el7
elfutils-libelf-devel.x86_64 0:0.176-4.el7 json-c-devel.x86_64 0:0.11-4.el7_0 libmnl-devel.x86_64 0:1.0.3-7.el7
libuv-devel.x86_64 1:1.40.0-1.el7 lz4-devel.x86_64 0:1.7.5-3.el7 python3.x86_64 0:3.6.8-13.el7

Dependency Installed:
autogen-libopts.x86_64 0:5.18-5.el7 gc.x86_64 0:7.2d-7.el7 guile.x86_64 5:2.0.9-5.el7
libarchive.x86_64 0:3.1.2-14.el7_7 libuv.x86_64 1:1.40.0-1.el7 python3-libs.x86_64 0:3.6.8-13.el7
python3-pip.noarch 0:9.0.3-7.el7_7 python3-setuptools.noarch 0:39.2.0-10.el7

Complete!

All Done! - Now proceed to the next step.

OK

[/tmp/netdata-kickstart-RH8spBRm6P]# curl -q -sSL --connect-timeout 10 --retry 3 --output /tmp/netdata-kickstart-RH8spBRm6P/sha256sum.txt https://storage.googleapis.com/netdata-nightlies/sha256sums.txt OK

[/tmp/netdata-kickstart-RH8spBRm6P]# curl -q -sSL --connect-timeout 10 --retry 3 --output /tmp/netdata-kickstart-RH8spBRm6P/netdata-latest.tar.gz https://storage.googleapis.com/netdata-nightlies/netdata-latest.tar.gz OK

[/tmp/netdata-kickstart-RH8spBRm6P]# tar -xf netdata-latest.tar.gz OK

ABORTED Cannot install netdata from source (the source directory does not include netdata-installer.sh). Leaving all files in /tmp/netdata-kickstart-RH8spBRm6P

Hello @Kingdom-of-Heaven-and-Prayers-Ministries,

Firstly I am glad that we could help you.

About the white theme, please try redirecting to the address https://sub.domain.com/#;theme=white;help=true; for me the additional help=true helped to keep the white theme.

Best regards!

@Thiago-Marques-0
thank you very much.
we got some additional help from a great gentleman named Ruikai at LSWS, since we’re using LiteSpeed WS,

first we added remote proxy as an external app with this link litespeed_wiki:proxy:lsws-as-a-proxy-rewrite [LiteSpeed Wiki]

then we created a subdomain sub.domain.com and we added in the htaccess this rule

RewriteEngine On
RewriteRule ^(.*)$ http://127.0.0.1:19999/$1 [P,L]

and in the server made the autossl for the sub.domain.com
and now we can access securely and correctly.

however one more thing.
how do we get to load the white dashboard after visiting simply sub.domain.com ?

we tried a redirect rule in the htaccess
like

Redirect /sub https://sub.domain.com/#menu_system_submenu_cpu;theme=white

but nothing still loading dark skin.

thanks for helping

Hello @Kingdom-of-Heaven-and-Prayers-Ministries ,

Yes, I made a mistake, and I apologize for this; I copied and pasted the previous information. You are right, we have two different files, one for the public key and another for the certificate.

When you specify * this means that Netdata will listen on all interfaces, and when you specify an IP, Netdata will listen only on that specific interface. The syntax is IP:PORT=FLAGS and * means all interfaces and default port 19999. This means that with the example:

 bind to = *=dashboard|registry|badges|management|streaming|netdata.conf^SSL=force *:20000=netdata.conf^SSL=optional *:20001=dashboard|registry

Netdata will listen on the default port 19999 and force users to use SSL with it; here all options are available. With port 20000 the access can be done with TLS when https is used or as a normal access when http is used; in both cases it is only possible to access the file netdata.conf. Finally, for port 20001, we will never have TLS access with it, and it is possible to access the dashboard and the registry.

The example that I used

bind to = 192.168.0.54:19999=dashboard|registry|badges|management|streaming|netdata.conf^SSL=force

It is only possible to access Netdata with an internal IP that is from the internal network 192.168.0.0/24 and the access will always be encrypted, because when http is used, Netdata redirects to https.

Best regards!
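
The bind to syntax described in the post above, as an added example that is not part of the original thread and is not Netdata's own code: a POSIX shell function that splits a bind to value into its listeners and reports address, port, SSL mode and permission list for each. It assumes IPv4 addresses, host names or * only; the function name and the verdict labels are made up for this example.

```shell
#!/bin/sh
# Added example: report what each listener in a Netdata "bind to" value allows.
# Entry shape, per the post above: ADDRESS[:PORT][=PERMISSIONS][^SSL=force|optional]
# Assumption: addresses are IPv4, host names or "*" (no IPv6 literals).

audit_bind_to() (   # $1 = bind to value, $2 = default port (19999 if omitted)
    default_port=${2:-19999}
    set -f          # stop the shell from glob-expanding the "*" address
    for entry in $1; do
        ssl=unset
        perms=unlisted
        # Peel off the optional ^SSL=... suffix first, then the =PERMISSIONS part.
        case $entry in
            *^SSL=*) ssl=${entry##*^SSL=}; entry=${entry%%^SSL=*} ;;
        esac
        case $entry in
            *=*) perms=${entry#*=}; entry=${entry%%=*} ;;
        esac
        # What is left is ADDRESS or ADDRESS:PORT.
        case $entry in
            *:*) port=${entry##*:}; addr=${entry%:*} ;;
            *)   port=$default_port; addr=$entry ;;
        esac
        # Only SSL=force guarantees that every request on the port is encrypted.
        if [ "$ssl" = force ]; then verdict=tls-enforced; else verdict=plaintext-possible; fi
        if [ "$addr" = "*" ]; then verdict="$verdict,all-interfaces"; fi
        printf '%s %s ssl=%s acl=%s %s\n' "$addr" "$port" "$ssl" "$perms" "$verdict"
    done
)

# The three-listener value from the post above.
audit_bind_to '*=dashboard|registry|badges|management|streaming|netdata.conf^SSL=force *:20000=netdata.conf^SSL=optional *:20001=dashboard|registry'
# A constructed value with one unflagged listener and a default port of 19990.
audit_bind_to 'localhost:19990 *=dashboard|registry^SSL=force' 19990
```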

@Thiago-Marques-0
Thank you.

Just so to make sure, the Link you sent for TLS Doc, shows:

[web]
    ssl key = /etc/netdata/ssl/key.pem
    ssl certificate = /etc/netdata/ssl/cert.pem

but your example shows :

[web]
    ssl key = /etc/netdata/ssl/key.pem
    ssl certificate = /etc/netdata/ssl/key.pem

did you mean to have key and certificate be both key.pem instead of cert.pem for certificate?

Also for the sake of proper understanding, what’s the difference between

[web]
    bind to = *=dashboard|registry|badges|management|streaming|netdata.conf^SSL=force *:20000=netdata.conf^SSL=optional *:20001=dashboard|registry

which prior dashboard starts with ‘*=’ versus

bind to = 192.168.0.54:19999=dashboard|registry|badges|management|streaming|netdata.conf^SSL=force

that starts straight up with ‘=’ prior dashboard ?

@Kingdom-of-Heaven-and-Prayers-Ministries , firstly I apologize, because when I read these sentences :

However we changed this value ? tls version = 1.2 and re run openssl req -newkey rsa:2048 -nodes -sha512 -x509 -days 365 -keyout key.pem -out cert.pem … but still having ERR_SSL_PROTOCOL_ERROR …
I understood that you already had created the certificate. Let me give a more complete explanation that will help you and other users.

The first step to enable a TLS encrypted connection is to create a TLS certificate; this can be done using openssl with the command you gave us:

openssl req -newkey rsa:2048 -nodes -sha512 -x509 -days 365 -keyout key.pem -out cert.pem

This will generate a self-signed certificate, which will create some warnings when Netdata is accessed.

Another possibility is to use a free TLS certificate from letsencrypt, you can see more details about how to generate the certificate here.

If you do not like any of these options, you can also generate a certificate using another authoritative certificate like GoDaddy .

When you have the certificate and public key, you will need to store them inside /etc/netdata/ssl.

After this you can do the following configuration inside your netdata.conf:

[web]
    ssl key = /etc/netdata/ssl/key.pem
    ssl certificate = /etc/netdata/ssl/key.pem
    bind to = 192.168.0.54:19999=dashboard|registry|badges|management|streaming|netdata.conf^SSL=force

Change the file names and IPs according to your needs.

Please remember that encrypting the connection is not enough to prevent access to your server; for this, it would be necessary to use nginx or apache with login, or to create a VPN between your host and the server. For sure the bind to will need to have restrictions. This does not mean that you do not need to encrypt the access; this is for sure something very important.

Finally, to clarify a confusion I made, the bash-5.0$ is my terminal; I copied and pasted the data here and I forgot to remove the terminal text. I apologize for this!

Best regards!

thank you. We tried and it says :

bash: bash-5.0$: command not found

however under /etc/netdata/ssl/ ls , nothing is found there.

@Kingdom-of-Heaven-and-Prayers-Ministries I installed a VM with CentOS 7 now and I used the following configuration:

[web]
    ssl key = /etc/netdata/ssl/key.pem
    ssl certificate = /etc/netdata/ssl/key.pem
    bind to = 192.168.0.54:19999=dashboard|registry|badges|management|streaming|netdata.conf^SSL=force

And I accessed it from another host using an encrypted connection. I did not set any TLS version or cipher; with this, Netdata uses the default given by the OpenSSL library.

I suspect that Netdata could not access the key or certificate; please, can you verify the permissions of these files? Something like this is expected:

bash-5.0$ ls -l /etc/netdata/ssl/
total 8
-rw-r--r-- 1 netdata netdata 1302 Apr 14  2020 cert.pem
-rw------- 1 netdata netdata 1704 Apr 14  2020 key.pem

Also check if you have some error message like To use encryption it is necessary to set "ssl certificate" and "ssl key" in [web] ! inside your /var/log/netdata/error.log.

Now, about your question “there is a work around now that it is already installed?”: I never used this option, because I am always compiling the branch I am working on. I will verify with the team and bring an answer for you later.

Best regards!
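
The file checks requested in the post above, together with the key.pem/cert.pem mix-up raised elsewhere in this thread, as an added example that is not part of the original posts and is not Netdata's own code. It reads ssl key and ssl certificate from the [web] section and flags a shared path, a certificate file with no CERTIFICATE block, and a key readable by group or others; the function names, finding labels and sample files are constructed for this example.

```shell
#!/bin/sh
# Added example: sanity-check the TLS files named in the [web] section.

# Print the value of option $2 from the [web] section of config file $1.
web_option() {
    awk -v want="$2" '
        /^[ \t]*\[/ { in_web = ($0 ~ /^[ \t]*\[web\]/); next }
        in_web && /^[ \t]*#/ { next }
        in_web {
            eq = index($0, "=")
            if (!eq) next
            key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == want) { print val; exit }
        }' "$1"
}

# Print one finding per line; exit status 0 only when nothing was found.
check_tls_files() (   # $1 = path to netdata.conf
    key=$(web_option "$1" "ssl key")
    cert=$(web_option "$1" "ssl certificate")
    problems=0
    report() { printf '%s\n' "$*"; problems=$((problems + 1)); }

    [ -n "$key" ] && [ -n "$cert" ] || report "MISSING-OPTION ssl key and ssl certificate must both be set"
    if [ -n "$key" ] && [ "$key" = "$cert" ]; then
        report "SAME-FILE both options point at $key"
    fi
    if [ -f "$cert" ] && ! grep -q -e '-----BEGIN CERTIFICATE-----' "$cert"; then
        report "NOT-A-CERT $cert has no CERTIFICATE block"
    fi
    if [ -f "$key" ]; then
        case $(ls -ld "$key" | cut -c1-10) in
            -???------) ;;   # owner-only, like the -rw------- listing in the post
            *) report "KEY-PERMS $key is accessible to group or others" ;;
        esac
    fi
    [ "$problems" -eq 0 ]
)

# Constructed sample files: placeholders, not real key material.
make_sample() {   # $1 = scratch dir, $2 = file name used for "ssl certificate"
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' '(constructed placeholder)' \
        '-----END PRIVATE KEY-----' > "$1/key.pem"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' '(constructed placeholder)' \
        '-----END CERTIFICATE-----' > "$1/cert.pem"
    chmod 600 "$1/key.pem"; chmod 644 "$1/cert.pem"
    printf '[global]\n    run as user = netdata\n[web]\n    ssl key = %s/key.pem\n    ssl certificate = %s/%s\n' \
        "$1" "$1" "$2" > "$1/netdata.conf"
}

scratch=$(mktemp -d)
make_sample "$scratch" key.pem        # both options point at key.pem
check_tls_files "$scratch/netdata.conf" || echo "findings reported above"
rm -rf "$scratch"
```

On a real host the argument would be the netdata.conf in use; the check does not verify file ownership, so the netdata owner shown in the listing above still has to be confirmed with ls -l.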

Thank you for your reply. Just so we don’t forget, we’re seeing an update button on the top “update now” … but nothing happens clicking on… since installation was prevented by the temp folder do we need to redo the same remount of /tmp with permission each time we need updating or there is a work around now that it is already installed?

For the TLS you’re right. We’re having only the TLS 1.2 supported on server.
However we changed this value ? tls version = 1.2 and re run openssl req -newkey rsa:2048 -nodes -sha512 -x509 -days 365 -keyout key.pem -out cert.pem …
but still having ERR_SSL_PROTOCOL_ERROR …

is this right ? bind to = localhost:19990 *=dashboard|registry|badges|management|streaming|netdata.conf^SSL=force
we tried also bind to = *=dashboard|registry|badges|management|streaming|netdata.conf^SSL=force

no success

Thanks for your guidance

@Kingdom-of-Heaven-and-Prayers-Ministries your configuration looks right; there is only one thing that I am not sure about, so we will need to confirm together. I remember that CentOS 7 was using an old OpenSSL version that does not support TLS 1.3; please, can you run the following request:

openssl s_client -connect localhost:19999

If everything is ok, the openssl will print the public key and the available ciphers.
If something different happens, this means that you will need to use an old TLS with the official openssl packages or to compile a new OpenSSL that supports TLS 1.3.

Best regards!

Thank you. Sorry for the imprecision of the question. But yes we meant how to restrict access and you’ve answered.

here is what it looks like:

[web]
ssl key = /etc/netdata/ssl/key.pem
ssl certificate = /etc/netdata/ssl/cert.pem
tls version = 1.3
tls ciphers = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
# ses max window = 15
# des max window = 15
mode = none
# listen backlog = 4096
default port = 19990
bind to = *=dashboard|registry|badges|management|streaming|netdata.conf^SSL=force

We can access the interface after we allowed only localhost and external IP to http://dash.domain.com:19990

Then, we followed (hopefully) the doc for the TLS.
It was generated, but not sure what we got wrong, the attempt to access https://dash.domain.com:19990 is returning error SSL:

“This site can’t provide a secure connection dash.domain.com sent an invalid response.
ERR_SSL_PROTOCOL_ERROR”

your help will be appreciated. Thank you

Hi @Kingdom-of-Heaven-and-Prayers-Ministries,

Firstly I am glad that you could install.

I am not sure if I understood your question. If your question is about IPs accessing the dashboard, this can be controlled with the option bind to, for example, if you want to give access only for your internal network, and Netdata is running on a machine with IP 192.168.0.1 you can set:

[web]
     bind to = 192.168.0.1:19999

Now, if you want to add authentication methods for users to access Netdata, unfortunately this cannot be done at the moment using an internal configuration, but you can use nginx.

If your request is related to encrypting the connection, you will need to add a TLS certificate for the web server, and we have instructions for this here.

If my understanding about “secure this” is wrong, please, let me know and I will give to you a better answer.

Best regards!

thanks. that solved the issue. Can already see something on the link.
Now how do we secure this? it seems open to everyone.

Hello @Kingdom-of-Heaven-and-Prayers-Ministries ,

Considering that you are running your installation on a CentOS 7, it is possible that your /tmp directory has some restrictions to run binaries. I remember some users already reported a problem like yours here.

Please, can you try to remount your /tmp with permission to execute binaries on it?

Best regards!
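
A way to confirm the /tmp restriction suggested in the post above before changing any mount, as an added example that is not part of the original thread. It looks up the mount that holds a directory in a /proc/mounts-format table and reports whether that mount carries noexec; the function names and the sample mount table are constructed for this example, and only the kickstart directory name comes from the log at the top of the page.

```shell
#!/bin/sh
# Added example: find out whether a directory sits on a noexec mount.

# Options of the mount that holds path $1, read from a /proc/mounts-format
# table ($2, default /proc/mounts). The longest matching mount point wins,
# and a later line for the same mount point overrides an earlier one.
mount_opts_for() {
    awk -v path="$1" '
        {
            mp = $2
            if (mp == "/" || path == mp || index(path, mp "/") == 1)
                if (length(mp) >= length(best)) { best = mp; opts = $4 }
        }
        END { print opts }' "${2:-/proc/mounts}"
}

# Succeeds when the mount holding $1 has the noexec option.
is_noexec() {   # $1 = directory, $2 = mount table (optional)
    case ",$(mount_opts_for "$1" "$2")," in
        *,noexec,*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the first candidate directory that is not on a noexec mount.
first_exec_dir() {   # $1 = mount table, remaining arguments = candidates
    _tbl=$1; shift
    for _dir in "$@"; do
        if ! is_noexec "$_dir" "$_tbl"; then printf '%s\n' "$_dir"; return 0; fi
    done
    return 1
}

# Constructed mount table: /tmp and /var/tmp hardened with noexec.
write_sample_mounts() {   # $1 = output file
    cat > "$1" <<'EOF'
/dev/mapper/centos-root / xfs rw,relatime,attr2 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0
/dev/loop0 /tmp ext4 rw,nosuid,noexec,relatime 0 0
/dev/loop0 /var/tmp ext4 rw,nosuid,noexec,relatime 0 0
EOF
}

sample=$(mktemp)
write_sample_mounts "$sample"
for d in /tmp/netdata-kickstart-RH8spBRm6P /var/tmp /root; do
    if is_noexec "$d" "$sample"; then echo "$d: noexec"; else echo "$d: exec allowed"; fi
done
rm -f "$sample"
```

Called without a table argument, is_noexec reads the live /proc/mounts of the host.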