Munin: Dynazoom not working (suEXEC)

Yesterday I was introducing the Munin Server Monitoring tool for Linux. Read the posts here. Running the tool is easy and straightforward. However there is one feature, that is causes problems: the Dynazoom. Clicking at a graphic to enlarge it brings a script to front that is called Dynazoom. This script allows to zoom inside the selected monitoring screen and displays a distinct range of time. That sounds very useful and it is very useful indeed.

Unfortunately there are different problems regarding this feature. The zoomed images are rendered by demand. To do this the front end is calling a Perl script, located at /usr/lib/munin/cgi/munin-cgi-graph. If there is no image shown but rather an error symbol, you can open a more specific error message by opening the image directly (right-click) or use a developer tool of your choice inspecting the network traffic and requests.

By default Munin adds a scriptalias to its own apache.conf to make the rendering script available. The problem is the permission this script runs with - called from the request. In most cases you can fix the permission issue editing the the apache.conf file for the munin-cgi-graph alias. According to your server configuration this is all you have to do.
//Change the following line 
Allow from localhost 127.0.0.0/8 ::1
// to this
Allow from all

Workaround - Dynazoom with suEXEC


If you are using a server configuration with suEXEC it is a bit more complicated. suEXEC locks the script to a defined document root . All scripts outside this directory cannot be executed. You will get a 500 Internal Server Error and the log will contain
#APACHE ERROR LOG

[...] [error] [client ...] suexec policy violation: see suexec log for more details
[...] [error] [client ...] Premature end of script headers: munin-cgi-graph

#SUEXEC LOG

[...]: command not in docroot (/usr/lib/munin/cgi/munin-cgi-graph)

The easiest option is to turn off suEXEC but it is not the best idea.

It is possible to change the directory compiling suEXEC by yourself or by using suEXEC custom. However, if you are using a server management tool like Froxlor it is not possible to change the default directory to another without destroying the server infrastructure. To solve this problem, you have to copy the Perl script from Munin into your suEXEC root directory. In order to find out what directory is your root execute suexec -V in your shell (DOC_ROOT line). Furthermore you have to adjust the Apache config to run per scripts in the subdirectory where the scripts are located now.
    # host file for your IP or domain
[...]
# /var/www is the DOC_ROOT
Alias /munin-cgi /var/www/munin/munin-cgi
<Directory /var/www/munin/munin-cgi>
Order allow,deny
Allow from all
Options +ExecCGI
AddHandler cgi-script cgi pl
</Directory>
[...]
</VirtualHost>

You also need a .htaccess file using mod_rewrite inside your script directory. Because the scripts are called without a file extension you have to rewrite the address.
RewriteEngine on
RewriteRule (.*munin-cgi-graph)/(.*)$ $1.pl/$2

Calling the script now should execute the script but also returns some errors regarding permission violation from the Perl script.  Depending on your server and Apache configuration you now have to spread correct directory and file permissions for the script. You have to set the group from the Munin directories to the SuexecUserGroup from where the Munin script will be called. Under certain circumstances you also have to adjust the permissions to give writing access to the script.
sudo chown -R munin:yourgrouphere /var/lib/munin/cgi-temp
sudo chmod -R 770 var/lib/cgi-temp

sudo chown -R munin:yourgrouphere /var/lib/munin/datafile
sudo chmod -R 642 /var/lib/munin/datafile

sudo chown -R munin:yourgrouphere /var/lib/munin/de
sudo chmod -R 642 /var/lib/munin/de

sudo chown -R munin:yourgrouphere /var/lib/munin/limits
sudo chmod -R 642 /var/lib/munin/limits

sudo chown -R munin:yourgrouphere /var/lib/munin/localdomain
sudo chmod -R 642 /var/lib/munin/localdomain

sudo chown -R munin:yourgrouphere /var/log/munin/
sudo chmod -R 660 var/log/munin

The script should now be running and generate the requested graphs.

Problems, ideas or further advices? Leave a comment or contact me :)