The Tentacle protocol is used by Pandora FMS for the transmission of information. It is a lightweight file transport protocol that Pandora FMS uses mainly to send information from agents and satellite servers to Pandora FMS’ main server. It is versatile, secure, multi-platform and easy to use, designed to be used from the command line and without the need for additional configuration files.
The operation consists of a client-server system, in which the client is always the one that initiates the communication.
The communication can be secured by using a password, SSL certificates, or even both.
Let’s see the different possibilities of use that Tentacle offers, and examples of manual testing from the command line.
Later we will explain how to configure the server with the options that we want to automate its operation, and how to modify these parameters in the client side so that the Pandora agents use the desired options when they use the tentacle_client to send files to the server.
Command line usage
We assume that we have the necessary components installed, and the binaries in
For security reasons tentacle_server cannot be executed with the root user; we can use the pandora user or create one to run the tests.
First we run tentacle_server indicating the input directory where the received files will be stored. It is important to take into account the permissions on the directory indicated for the user that executes
tentacle_server -s /tmp
We will have already raised the tentacle server on its default port, 41121. We can check it by launching nmap -p 41121 127.0.0.1 to verify that port 41121 is listening.
If we need to modify the tentacle listening port, for example to pick up several instances at once, we can use the
We can display the help of tentacle_server with perldoc -F /usr/bin/tentacle_server for extended information about its use and parameters.
tentacle_server -s /tmp -p 41122
And again we can check if it works correctly by launching nmap against the desired IP and port, in this case:
nmap -p 41122 127.0.0.1
Once tentacle_server is up and listening, we can send a file from the client. To do this, just launch the following command:
tentacle_client -a 192.168.1.10 -v /tmp/test.txt
With the -a parameter we indicate the IP address of the server to which we will send the file, with -v we activate the verbosity so that it shows us messages of the steps carried out, and finally we indicate the file to be sent.
We can display the help of tentacle_client with perldoc -F /usr/bin/tentacle_client for extended information about its use and parameters.
Possible failures in sending:
- tentacle_server is up on another port. Check with nmap, and use the -p option from the client to choose the correct port.
- Connectivity through required ports limited by firewall.
- The file to be sent is already on the server machine.
- The file to be sent is too heavy. Change the maximum weight in
Next we see the different options that tentacle presents for its use with security options, and examples of use.
- Using tentacle as a proxy for file forwarding. Options
tentacle_server -b ip_server -g 41121
- Simple transfer of a file limited to a maximum size of 1 MByte and deposited on
tentacle_server -m 1048576 -s /tmp -v
tentacle_client -a 192.168.1.1 -v /home/user/myfile.dat
- Simple transfer on port 65000 with overwrite mode enabled.
tentacle_server -o -p 65000 -s /tmp -v
tentacle_client -a 192.168.1.1 -p 65000 -v /home/user/myfile.dat
- Simple transfer with password-based authentication
tentacle_server -x password -s /tmp -v
tentacle_client -a 192.168.1.1 -x password -v /home/user/myfile.dat
- Secure transfer, no client certificate.
tentacle_server -e cert.pem -k key.pem -w -s /tmp -v
tentacle_client -a 192.168.1.1 -c -v /home/user/myfile.dat
- Secure transfer with client certificate.
tentacle_server -e cert.pem -k key.pem -f cacert.pem -w -s /tmp -v
tentacle_client -a 192.168.1.1 -e cert.pem -k key.pem -v /home/user/myfile.dat
- Secure transfer with client certificate and additional password authentication.
tentacle_server -x password -e cert.pem -k key.pem -f cacert.pem -w -s /tmp -v
tentacle_client -a 192.168.1.1 -x password -e cert.pem -k key.pem -v /home/user/myfile.dat
Once the manual operation tests have been successful, we can automate the parameters used so that they start automatically with the tentacle service.
These configuration modifications must be done in the tentacle_serverd startup script, usually located in /etc/init.d/tentacle_serverd, and the important parameters are:
- PANDORA_SERVER_PATH, the input directory. Equivalent to the
- TENTACLE_PORT, by default 41121, equivalent to the -p option. Very important if we want to raise more than one instance of tentacle_server, since we will have to indicate a different port to 41121 if it is already in use.
- TENTACLE_EXT_OPTS, for all the additional options that we want to use. The security options such as password, certificates or maximum file weight will go in this line.
It is recommended to make manual tests before making permanent changes to the Tentacle configuration to see if they work correctly. For example, in a secure configuration with certificates and a proxy agent (note that you must always write the full path of the certificates for it to work):
- The service is started manually.
sudo -u user tentacle_server -x password -e /path/tentaclecert.pem -k /path/tentaclekey.pem -f cacert.pem -s /tmp -v
- The proxy is started manually (this step is only necessary if one is to be used).
sudo -u user tentacle_server -b ip_server -g 41124
- tentacle_client is launched manually:
sudo -u user tentacle_client -a ip_proxy/ip_server -x password -e /path/tentaclecert.pem -k /path/tentaclekey.pem -v /bin/ls # (or any file you want)
If the file is sent correctly, we can proceed to permanently configure the tentacle_server and clients.
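A pre-flight check for the manual test above, as an added example that is not part of the Pandora FMS documentation or code: it verifies the three constraints this page states (no root user, a writable input directory, full certificate paths). The helper name check_tentacle_launch and the sample arguments are assumptions.

```shell
#!/bin/sh
# Added example (not Pandora FMS code): pre-flight checks for a manual
# tentacle_server launch. check_tentacle_launch is a hypothetical helper.
#
# Usage: check_tentacle_launch RUN_UID STORAGE_DIR [PEM_FILE...]
# Prints one line per problem; the return status is the number of problems.
check_tentacle_launch() {
    run_uid=$1
    storage_dir=$2
    shift 2
    problems=0

    # tentacle_server cannot be executed with the root user.
    if [ "$run_uid" -eq 0 ]; then
        echo "FAIL: tentacle_server would run as root (uid 0)"
        problems=$((problems + 1))
    fi

    # The -s directory must exist and be writable by the user running the
    # server. Assumption: this script runs as that same user (sudo -u user).
    if [ ! -d "$storage_dir" ] || [ ! -w "$storage_dir" ]; then
        echo "FAIL: storage directory '$storage_dir' is missing or not writable"
        problems=$((problems + 1))
    fi

    # Certificate, key and CA files (-e, -k, -f) must be given as full paths.
    for pem in "$@"; do
        case "$pem" in
            /*)
                if [ ! -f "$pem" ] || [ ! -r "$pem" ]; then
                    echo "FAIL: '$pem' is not a readable file"
                    problems=$((problems + 1))
                fi
                ;;
            *)
                echo "FAIL: '$pem' is not a full path"
                problems=$((problems + 1))
                ;;
        esac
    done

    return "$problems"
}

# Constructed demo: uid 1000, /tmp as input directory, one relative CA path.
check_tentacle_launch 1000 /tmp cacert.pem || echo "problems found: $?"
```

Run it as the service user with "$(id -u)" as the first argument before copying the options into TENTACLE_EXT_OPTS.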
To automate the communication with specific options from the client, it is necessary to make the changes in the configuration file of the Pandora agents, pandora_agent.conf. We should locate the line server_opts, uncomment it and then use the necessary parameters. Example:
server_opts -p 41122 -x password
Some of the parameters will be used automatically based on the agent configuration (specified in the pandora_agent.conf file). These are the IP address of the server, equivalent to -a, or the file to be sent, which will be the .data generated by the agent with the information collected from the monitoring.
Whenever our configuration and use of tentacle with Pandora FMS is not the default one, we should first run all the manual tests from the command line to make sure that we are using the options correctly and to rule out possible failures. In the same way, if something fails we should run manual tests to see where the failure lies.