MTA — Modernize Traditional Apps with @Docker #swarm, case study 3 @pandorafms #monitoring cluster

Continuing my previous post about MTA (Squid cluster and ZoneMinder), this guide shows how to deploy the open source monitoring tool Pandora FMS NG on a Swarm cluster.

[Figure: Pandora console]

The Pandora FMS Community version can be compared with other free tools such as Nagios, Zabbix or OpenNMS, although the Pandora FMS Community edition is more flexible than its competitors.

After this brief introduction, let's look at the stack for running Pandora on Docker Swarm; the changes and decisions made for the application deployment are discussed afterwards. Here is the docker-compose.yml file:

[Embedded gist: Pandora docker-compose.yml stack definition and Apache SSL conf]

The first file is the Docker Swarm stack definition and the second is a config file propagated to the deployment above using the Docker config functionality, either from the command line or from the Portainer configs section. Deep dive into docker-compose.yml:

  • There are three separate services: MySQL (mysql), the monitoring server (server) and the console server (web). Except for MySQL, the other two can be scaled up to get more throughput. Here is a big picture of the Pandora architecture:
[Figure: Pandora FMS architecture]
  • MYSQL_ROOT_PWD and MYSQL_DATABASE_PASSWORD are defined externally so that no sensitive information is stored in the stack file. MYSQL_ROOT_HOST is set to % so that console or server instances are not denied access when they are relocated into another private network.
  • db_data is the volume where MySQL stores its persistent data.
  • net is a private network used to connect only the Pandora console, web and cron instances. MySQL is not reachable from outside the stack and is therefore strongly secured.
  • The web_plugin volume is persistent storage used by the Pandora web console and server when uploading custom plugins or actions, such as the Swarm monitoring agent and the Slack notification script.
  • Port 41121 is exposed using the Docker service mesh. Pandora external agents use this port to send monitoring information to the monitoring servers over the Tentacle protocol. Because the port is published through the service mesh, if you run multiple replicas of the Pandora server service Docker routes each connection from the external agents to any monitoring server replica in round-robin fashion, which gives a fault-tolerant deployment for the most CPU-intensive process.
  • The cron service is deployed with replicas 0 and is started from outside by the swarm-scheduler service. This decision follows the Docker best practice of separating responsibilities between services and not running background processes inside containers. The crontab configuration file looks like:
  • The web service shares the web_plugin volume with the Pandora server container and the web_certs volume with an external stack responsible for registering and renewing Let's Encrypt SSL certificates.
  • The Pandora web console service is exposed outside the Swarm cluster through an HAProxy load balancer. VIRTUAL_HOST defines that this service is reached only over SSL, SERVICE_PORTS defines that the Pandora web console listens with SSL on port 443, the HEALTH_CHECK trick tells HAProxy that the connection between Apache and the load balancer is made over TLS, and EXTRA_SETTINGS sets some values to mitigate DDoS attacks against this service. The Pandora web console and HAProxy are interconnected through the reverse_proxy external overlay network.
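A stack definition with the layout described above, added here as an illustration rather than the post's own docker-compose.yml (which is not reproduced on this page); the image names, container paths, the config name and the HAProxy HEALTH_CHECK/EXTRA_SETTINGS values are assumptions and are marked as such:

```yaml
version: "3.7"
services:
  mysql:
    image: mysql:5.7                                  # assumption: backend image
    environment:
      MYSQL_ROOT_PASSWORD: "${MYSQL_ROOT_PWD}"        # substituted from the deployer's environment at deploy time, never stored in this file
      MYSQL_ROOT_HOST: "%"                            # rescheduled replicas get a new overlay IP, so root must be allowed from any host
      MYSQL_DATABASE: pandora
      MYSQL_USER: pandora
      MYSQL_PASSWORD: "${MYSQL_DATABASE_PASSWORD}"    # also supplied externally
    volumes:
      - db_data:/var/lib/mysql                        # persistent DB files
    networks: [net]                                   # no "ports:" section, so MySQL is reachable only inside the stack
    deploy: {replicas: 1}                             # the one service that is not scaled

  server:
    image: PANDORA_SERVER_IMAGE                       # placeholder, not a real image name
    ports:
      - target: 41121
        published: 41121
        mode: ingress                                 # routing mesh: Tentacle connections are round-robined over all replicas
    volumes:
      - web_plugin:/plugins                           # assumption: container path for custom plugins shared with the console
    networks: [net]
    deploy: {replicas: 2}

  web:
    image: PANDORA_CONSOLE_IMAGE                      # placeholder, not a real image name
    environment:                                      # read by the HAProxy stack on the reverse_proxy network
      VIRTUAL_HOST: "https://pandora.example.com"     # reachable only over HTTPS
      SERVICE_PORTS: "443"                            # the console itself listens with TLS
      HEALTH_CHECK: "check ssl verify none"           # assumption: makes HAProxy speak TLS to Apache
      EXTRA_SETTINGS: "maxconn 200"                   # assumption: one way to cap connections per backend
    configs:
      - source: apache_ssl_conf
        target: /etc/httpd/conf.d/ssl.conf            # assumption: Apache SSL config path inside the container
    volumes:
      - web_plugin:/plugins
      - web_certs:/etc/letsencrypt:ro                 # assumption: path; populated by the external cert stack
    networks: [net, reverse_proxy]
    deploy: {replicas: 2}

  cron:
    image: PANDORA_CONSOLE_IMAGE                      # placeholder
    networks: [net]
    deploy: {replicas: 0}                             # started on demand by the external swarm-scheduler service

volumes: {db_data: {}, web_plugin: {}, web_certs: {external: true}}
networks: {net: {driver: overlay}, reverse_proxy: {external: true}}
configs: {apache_ssl_conf: {external: true}}          # assumption: name of the Docker config holding the Apache SSL conf
```

Deploy with `docker stack deploy -c docker-compose.yml pandora` after exporting MYSQL_ROOT_PWD and MYSQL_DATABASE_PASSWORD in the shell; the external volume, network and config must already exist.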

After the first startup you will have Pandora FMS up and running, as shown in these screenshots:

[Figure: Pandora FMS login screen]
[Figure: Pandora FMS main dashboard]
[Figure: Swarm Agent monitoring plugin in action]

Finally, some related stacks that interact with the Pandora FMS stack:
