LibreNMS

Prérequis

Bash
# Runtime packages for LibreNMS on Alpine: nginx, PHP 8.3 with its extensions,
# SNMP and network probing tools, the MariaDB client and Python 3.
# acl, libcap-utils and util-linux are included as well.
apk --update --no-cache add \
  busybox-extras acl bash bind-tools binutils ca-certificates coreutils curl \
  file fping git graphviz imagemagick ipmitool iputils libcap-utils \
  mariadb-client monitoring-plugins mtr net-snmp net-snmp-tools nginx nmap \
  openssl openssh-client perl \
  php83 php83-cli php83-ctype php83-curl php83-dom php83-fileinfo php83-fpm \
  php83-gd php83-gmp php83-json php83-ldap php83-mbstring php83-mysqlnd \
  php83-opcache php83-openssl php83-pdo php83-pdo_mysql php83-pecl-memcached \
  php83-pear php83-phar php83-posix php83-session php83-simplexml php83-snmp \
  php83-sockets php83-tokenizer php83-xml php83-zip \
  python3 py3-pip rrdtool runit sed shadow ttf-dejavu tzdata util-linux whois
Bash
# Build toolchain, grouped under the virtual package "build-dependencies" so it
# can be removed as one unit with `apk del build-dependencies`.
# NOTE(review): mariadb (the server) is part of this virtual group, yet the page
# later deletes build-dependencies and then starts the mariadb service; confirm
# the server is still installed at that point, or install it outside the group.
apk --update --no-cache add -t build-dependencies \
  build-base linux-headers make mariadb musl-dev python3-dev

Python

Bash
# Upgrade pip itself. --break-system-packages overrides the "externally managed
# environment" guard, so pip writes into the system-wide Python installation.
pip3 install --upgrade --break-system-packages pip
Bash
# Install/upgrade python-memcached and mysqlclient system-wide. No versions are
# pinned, so whatever is current on the package index at install time is used.
pip3 install python-memcached mysqlclient --upgrade --break-system-packages

Distro

Bash
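# Install Composer, but only after checking the downloaded installer against the
# SHA-384 published by the Composer project, instead of piping the download
# straight into php as root.
composer_installer="$(mktemp)"
composer_expected="$(curl -sSL https://composer.github.io/installer.sig)"
curl -sSL https://getcomposer.org/installer -o "$composer_installer"
composer_actual="$(sha384sum "$composer_installer" | cut -d' ' -f1)"
if [ -n "$composer_expected" ] && [ "$composer_expected" = "$composer_actual" ]; then
  php "$composer_installer" --install-dir=/usr/bin --filename=composer
else
  echo "Composer installer checksum mismatch; installer not executed" >&2
fi
rm -f -- "$composer_installer"

# NOTE(review): this wipes everything under /var/www and /tmp. That is harmless in
# a fresh container build, but on a running host it removes other services'
# temporary files and any existing web content.
rm -rf /var/www/* /tmp/*

# fping6 wrapper: give it an interpreter line and pass the arguments through
# quoted, so it can be exec'ed directly and arguments are not re-split.
printf '%s\n' '#!/bin/sh' 'exec /usr/sbin/fping -6 "$@"' > /usr/sbin/fping6
chmod +x /usr/sbin/fping6

# setuid + setgid bits: these programs run with their file owner's identity for
# every caller. check_icmp also receives cap_net_raw further down this page,
# which is the narrower grant.
# NOTE(review): if /bin/ping or /bin/ping6 is a symlink to the busybox multi-call
# binary, chmod follows the link and marks busybox itself setuid; check with
# `ls -l /bin/ping /bin/ping6` before running these.
chmod u+s,g+s /bin/ping
chmod u+s,g+s /bin/ping6
chmod u+s,g+s /usr/lib/monitoring-plugins/check_icmp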
Bash
# Grant only the raw-socket capability (permitted + effective) to the probing
# tools, so they work without running as root. Every local user who may execute
# these binaries gets raw-socket access through them.
# /usr/sbin/fping6 is the one-line shell wrapper written earlier on this page;
# file capabilities are not applied to interpreted scripts, so the grant that
# matters for it is the one on /usr/sbin/fping.
for net_raw_bin in \
  /usr/bin/nmap \
  /usr/sbin/fping \
  /usr/sbin/fping6 \
  /usr/lib/monitoring-plugins/check_icmp \
  /usr/lib/monitoring-plugins/check_ping; do
  setcap cap_net_raw+ep "$net_raw_bin"
done

Créer un utilisateur

Bash
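# Dedicated unprivileged account for LibreNMS (-D: no password is assigned).
addgroup librenms
adduser -D -h /home/librenms -G librenms -s /bin/ash librenms
# Download the `distro` script from the librenms-agent repository into /usr/bin.
# TLS certificate verification stays enabled (no -k): the file becomes a
# root-owned executable, so it must not be accepted from an unauthenticated peer.
# NOTE(review): the URL tracks the master branch, so the content can change
# between installs; read the script before making it executable.
curl -sSL -q https://raw.githubusercontent.com/librenms/librenms-agent/master/snmp/distro -o /usr/bin/distro
chmod +x /usr/bin/distro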

Installation

Bash
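cd /opt
# Compiler toolchain for the Python requirements; removed again at the end of
# this block.
apk --update --no-cache add -t build-dependencies build-base linux-headers musl-dev python3-dev
# Shallow clone of the default branch: no release tag or commit is pinned, so
# the installed code is whatever upstream holds at that moment.
git clone --depth=1 https://github.com/librenms/librenms.git
cd /opt/librenms
pip3 install --ignore-installed -r requirements.txt --upgrade --break-system-packages
# Composer runs as root here and, by default, executes the plugin and script
# hooks of the installed packages with that privilege.
composer install --no-dev --no-interaction --no-ansi
mkdir ./config.d
# Create config.php inside the checkout (the original copied it to /config.php
# at the filesystem root), so the include lines appended below extend the
# default configuration instead of forming a file without it.
cp ./config.php.default ./config.php
cp ./snmpd.conf.example /etc/snmp/snmpd.conf
# Deletes every line mentioning runningUser from the lnms launcher.
# NOTE(review): presumably this disables lnms's check of the invoking user;
# confirm that is wanted on a regular host.
sed -i '/runningUser/d' lnms
# config.php will execute every *.php file found in these two directories, so
# both must be writable by administrators only.
echo "foreach (glob(\"/data/config/*.php\") as \$filename) include \$filename;" >> ./config.php
echo "foreach (glob(\"/opt/librenms/config.d/*.php\") as \$filename) include \$filename;" >> ./config.php
# Weathermap plugin, pinned to a fixed commit after cloning.
git clone https://github.com/librenms-plugins/Weathermap.git ./html/plugins/Weathermap
cd ./html/plugins/Weathermap
git reset --hard 0b2ff643b65ee4948e4f74bb5cad5babdaddef27
# Interim owner; the "Droits" step on this page re-assigns the tree to librenms.
chown -R nobody:nogroup /opt/librenms
apk del build-dependencies
cd /opt/librenms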

Fix

Bash
# Expose the lnms command on PATH.
ln -s /opt/librenms/lnms /usr/bin/lnms
# Install the log rotation rules shipped with LibreNMS.
cp /opt/librenms/misc/librenms.logrotate /etc/logrotate.d/librenms

Droits

Bash
# Hand the whole tree to the librenms account. Mode 771: owner and group have
# full access, everyone else may only traverse the top-level directory.
chown -R librenms:librenms /opt/librenms
chmod 771 /opt/librenms
# Same ACL entry applied twice to the writable directories: once as the default
# for newly created files (-d), once recursively on what already exists (-R).
for acl_scope in -d -R; do
  setfacl "$acl_scope" -m g::rwx /opt/librenms/rrd /opt/librenms/logs /opt/librenms/bootstrap/cache/ /opt/librenms/storage/
done

wrapper

Bash
# Interactive sequence: `su -` opens a login shell as librenms, the wrapper is
# typed inside that shell, and `exit` returns to root. Run this way, the PHP
# dependencies are installed by the unprivileged account rather than by root.
su - librenms
/opt/librenms/scripts/composer_wrapper.php install --no-dev
exit

PHP

Bash
# Uncomment date.timezone in php.ini and set it to Europe/Paris; -i.bak keeps the
# untouched original next to it as php.ini.bak.
sed -i.bak 's/;date.timezone =/date.timezone = Europe\/Paris/g' /etc/php83/php.ini

MariaDB

Bash
# Open the MariaDB server configuration in an editor (interactive step).
nano /etc/my.cnf.d/mariadb-server.cnf

Sous la section [mysqld] ajouter :

Text Only
# Store each InnoDB table in its own tablespace file.
innodb_file_per_table=1
# 0: table names are stored as given and compared case-sensitively.
lower_case_table_names=0
Bash
# Initialise the data directory, owned by the mysql system account.
mysql_install_db --user=mysql --datadir=/var/lib/mysql
# Start MariaDB now and register it to start at boot.
rc-service mariadb start
rc-update add mariadb
# Interactive hardening: set the root password, remove anonymous accounts and
# the test database, restrict remote root login. Do not skip this step.
mysql_secure_installation

Création de la table

Bash
# -p with no value prompts for the password, which keeps it out of the shell
# history and the process list.
mysql -u root -p
SQL
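-- Replace the placeholder with a long random password before running this.
-- The original statement used an empty string, which creates an account that
-- logs in without any password. The same value is what LibreNMS must be given
-- for its database connection (DB_PASSWORD in /opt/librenms/.env).
CREATE USER 'librenms'@'localhost' IDENTIFIED BY '<CHANGE_ME_STRONG_PASSWORD>';
CREATE DATABASE IF NOT EXISTS librenms CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;
-- Privileges are limited to the librenms schema and to local connections.
GRANT ALL PRIVILEGES ON librenms.* TO 'librenms'@'localhost';
FLUSH PRIVILEGES;
QUIT;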

PHP

Bash
# Keep a copy of the packaged pool definition before editing it.
cp /etc/php83/php-fpm.d/www.conf /etc/php83/php-fpm.d/www.conf.save
nano /etc/php83/php-fpm.d/www.conf

Remplacer les valeurs de user et group par :

Text Only
; Run the PHP-FPM pool workers as the librenms account, i.e. the owner of
; /opt/librenms set in the "Droits" step.
user = librenms
group = librenms

NGINX

Configuration

nginx.conf

Bash
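# Set the packaged nginx.conf aside. The target name is quoted because [old] is
# otherwise a shell glob pattern (it would match o-, l- or d-nginx.conf).
mv /etc/nginx/nginx.conf '/etc/nginx/[old]-nginx.conf'
nano /etc/nginx/nginx.conf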
Text Only
# Main nginx configuration: worker settings, global http defaults, then the
# per-site files included at the end of the http block.
user nginx;
worker_processes auto;

# Configures default error logger.
error_log /var/log/nginx/error.log warn; # Log warn, error, crit, alert, emerg

events {
    # The maximum number of simultaneous connections that can be opened by a worker process.
    worker_connections 1024; # increase if you need more connections
}

http {
    # server_names_hash_bucket_size controls the maximum length
    # of a virtual host entry (ie the length of the domain name).
    server_names_hash_bucket_size   64; # controls the maximum length of a virtual host entry (ie domain name)
    server_tokens                   off; # hide who we are, don't show nginx version to clients
    sendfile                        on; # can cause issues

    # Specifies the maximum accepted body size of a client request, as
    # indicated by the request header Content-Length. If the stated content
    # length is greater than this size, then the client receives the HTTP
    # error code 413. Set to 0 to disable. Default is '1m'.
    # NOTE(review): 0 removes the limit entirely, so any client can stream an
    # arbitrarily large request body at the server; set an explicit cap unless
    # unlimited uploads are really required.
    client_max_body_size 0;

    # nginx will find this file in the config directory set at nginx build time
    # Includes mapping of file name extensions to MIME types of responses
    include mime.types;

    # fallback in case we can't determine a type
    default_type application/octet-stream;

    # buffering causes issues, disable it
    # increase buffer size. still useful even when buffering is off
    proxy_buffering off;
    proxy_buffer_size 4k;

    # allow the server to close the connection after a client stops responding. Frees up socket-associated memory.
    reset_timedout_connection on;

    # Specifies the main log format.
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
            '$status $body_bytes_sent "$http_referer" '
            '"$http_user_agent" "$http_x_forwarded_for"';

    # Sets the path, format, and configuration for a buffered log write.
    # Buffer log writes to speed up IO, or disable them altogether
    access_log /var/log/nginx/access.log main buffer=16k;
    #access_log off;

    # Include files with config snippets into the root context.
    # Only names ending in .conf match; a snippet saved with another extension
    # (such as .inc) is not loaded from here and must be included explicitly.
    include conf.d/*.conf;

    # Includes virtual hosts configs.
    include http.d/*.conf;
}

Configuration SSL

Bash
# Create the snippet directory and the TLS parameter file.
# The .inc extension is not matched by `include conf.d/*.conf` in nginx.conf, so
# this file only takes effect once a server block includes it by name.
mkdir /etc/nginx/conf.d
nano /etc/nginx/conf.d/ssl-params.inc

Puis copier ce contenu :

Text Only
# secure nginx, see https://cipherli.st/
# TLS hardening snippet, meant to be included from a server block that listens
# with ssl; it has no effect until it is included.

ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
# DH parameters for the EDH suites below; nginx refuses to load the
# configuration if this file does not exist.
ssl_dhparam /etc/nginx/dhparam.pem; # openssl dhparam -out /etc/nginx/dhparam.pem 4096
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
ssl_ecdh_curve secp384r1;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
# OCSP stapling: nginx has to resolve the OCSP responder's host name, which
# requires a `resolver` directive; only resolver_timeout is set here.
# ssl_stapling_verify also needs the issuer chain to be trusted
# (ssl_trusted_certificate).
ssl_stapling on;
ssl_stapling_verify on;
resolver_timeout 5s;

# https://hstspreload.org
# By default, HSTS header is not added to subdomain requests. If you have subdomains and want
# HSTS to apply to all of them, you should add the includeSubDomains variable like this:
# max-age=63072000 is two years: browsers will refuse plain HTTP for this host and
# its subdomains for that long, so enable it only once HTTPS works on all of them.
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;

# add_header directives are inherited only by blocks that define none of their
# own; a location with its own add_header has to repeat these.
add_header Referrer-Policy                   "no-referrer"       always;
add_header X-Content-Type-Options            "nosniff"           always;
add_header X-Frame-Options                   "SAMEORIGIN"        always;
add_header X-Permitted-Cross-Domain-Policies "none"              always;
add_header X-Robots-Tag                      "noindex, nofollow" always;
# Legacy header: current browsers no longer ship the XSS filter it controlled;
# a Content-Security-Policy is the effective control.
add_header X-XSS-Protection                  "1; mode=block"     always;

Génération du fichier ssl_dhparam

Cela peut être un peu long.

Bash
# Generate the DH parameter file referenced by ssl_dhparam.
# NOTE(review): -dsaparam produces DSA-style parameters (fast) rather than a safe
# prime; the command quoted in ssl-params.inc omits it. OpenSSL's documentation
# advises such parameters only when a fresh DH key is used for every handshake.
# Dropping -dsaparam gives a safe prime, but generation takes much longer.
openssl dhparam -dsaparam -out /etc/nginx/dhparam.pem 4096

librenms.conf

Bash
# Disable the packaged default site: the .old suffix takes it out of the
# `include http.d/*.conf` match. Then create the LibreNMS virtual host.
mv /etc/nginx/http.d/default.conf /etc/nginx/http.d/default.conf.old
nano /etc/nginx/http.d/librenms.conf
Text Only
# LibreNMS virtual host.
# NOTE(review): this host is served over plain HTTP only (listen 80), so the
# LibreNMS login and session cookie cross the network unencrypted. The TLS
# settings in conf.d/ssl-params.inc are not referenced here, and nginx.conf only
# auto-includes conf.d/*.conf. To use them, a server block with `listen 443 ssl;`,
# `ssl_certificate`, `ssl_certificate_key` and `include conf.d/ssl-params.inc;`
# is needed, with port 80 reduced to a redirect.
server {
    listen      80;
    server_name librenms.exemple.fr;
    root        /opt/librenms/html;
    index       index.php;

    charset utf-8;
    gzip on;
    gzip_types text/css application/javascript text/javascript application/x-javascript image/svg+xml text/plain text/xsd text/xsl text/xml image/x-icon;
    # Serve static files directly, route everything else to the front controller.
    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }
    location ~ [^/]\.php(/|$) {
        # PHP-FPM is reached over loopback TCP: any local process can connect to
        # 127.0.0.1:9000 and have PHP executed as the pool user. The unix socket
        # variant below, with restrictive socket permissions, avoids that.
        #fastcgi_pass unix:/run/php-fpm-librenms.sock;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        include fastcgi.conf;
    }
    # Refuse dot-files and dot-directories, except /.well-known.
    location ~ /\.(?!well-known).* {
        deny all;
    }
}

Conf

Bash
# These commands repeat steps from the "Installation" and "Fix" sections: if those
# were run, ln and mkdir report that the target already exists.
ln -s /opt/librenms/lnms /usr/bin/lnms
cd /opt/librenms
mkdir ./config.d
# Overwrites an existing ./config.php, including the two include lines appended to
# it during installation; skip this copy if config.php was already prepared.
cp ./config.php.default ./config.php
# NOTE(review): the example snmpd.conf is presumably shipped with a placeholder
# community string; set a private value before snmpd is started.
cp ./snmpd.conf.example /etc/snmp/snmpd.conf
Bash
# .env holds LibreNMS's database connection settings.
# NOTE(review): it will also carry the database password, so keep the file
# readable by the librenms account only; confirm its mode after editing.
nano /opt/librenms/.env

ajouter DB_SOCKET=/var/run/mysqld/mysqld.sock

Bash
# Edit the main LibreNMS configuration (interactive step).
nano /opt/librenms/config.php

Décommenter la ligne user, puis ajouter :

Text Only
#https://community.librenms.org/t/poller-not-running-from-cron/12236/4
# Connect to MariaDB through the local unix socket (same path as DB_SOCKET in .env).
$config['db_socket'] = '/var/run/mysqld/mysqld.sock';
Bash
# Edit root's crontab; every entry in this file is started by cron as root.
nano /etc/crontabs/root
Text Only
#LIBRENMS
# Root's crontab: cron starts each job as root and `runuser -l librenms` drops to
# the librenms account at once, so the LibreNMS scripts do not run as root.
# Most jobs send stdout and stderr to /dev/null, so cron reports nothing when
# they fail.
33      */6     *       *       *       runuser -l librenms -c "/opt/librenms/cronic /opt/librenms/discovery-wrapper.py 1"
*/5     *       *       *       *       runuser -l librenms -c "/opt/librenms/discovery.php -h new >> /dev/null 2>&1"

*/5     *       *       *       *       runuser -l librenms -c "/opt/librenms/cronic /opt/librenms/poller-wrapper.py 16"
*       *       *       *       *       runuser -l librenms -c "/opt/librenms/alerts.php >> /dev/null 2>&1"

*/5     *       *       *       *       runuser -l librenms -c "/opt/librenms/poll-billing.php >> /dev/null 2>&1"
01      *       *       *       *       runuser -l librenms -c "/opt/librenms/billing-calculate.php >> /dev/null 2>&1"
*/5     *       *       *       *       runuser -l librenms -c "/opt/librenms/check-services.php >> /dev/null 2>&1"
# Scheduler
*       *       *       *       *       runuser -l librenms -c "/opt/librenms/artisan schedule:run --no-ansi --no-interaction > /dev/null 2>&1"

# Daily maintenance script. DO NOT DISABLE!
# If you want to modify updates:
#  Switch to monthly stable release: https://docs.librenms.org/General/Releases/
#  Disable updates: https://docs.librenms.org/General/Updating/
# NOTE(review): per the links above, daily.sh also handles updates, i.e. new
# upstream code is pulled unattended unless updates are disabled or switched to
# the stable channel.
19      0       *       *       *       runuser -l librenms -c "/opt/librenms/daily.sh >> /dev/null 2>&1"
Bash
# Install the log rotation rules shipped with LibreNMS (same copy as in the "Fix" step).
cp /opt/librenms/misc/librenms.logrotate /etc/logrotate.d/librenms

Droits

Bash
# Re-apply ownership: files created as root during the configuration steps above
# (config.php, .env, config.d) go back to the librenms account.
chown -R librenms:librenms /opt/librenms

Démarrer les services

Bash
# Start the web server, the PHP-FPM pool and the SNMP daemon now.
# snmpd runs with the /etc/snmp/snmpd.conf copied earlier on this page; make sure
# its community string has been changed before starting it.
for svc in nginx php-fpm83 snmpd; do
  rc-service "$svc" start
done
Bash
# Register the same three services with OpenRC so they start at boot.
for svc in nginx php-fpm83 snmpd; do
  rc-update add "$svc"
done