Difference between revisions of "Installing GLPI"

From Notes_Wiki
m
m
 
(2 intermediate revisions by the same user not shown)
Line 1: Line 1:
<yambe:breadcrumb>Glpi|Glpi</yambe:breadcrumb>
[[Main Page|Home]] > [[CentOS]] > [[CentOS 6.x]] > [[Web based tools or applications]] > [[Glpi|glpi]] > [[Installing GLPI]]
=Installing GLPI=


==Manual installation==
==Manual installation==


To manually install GLPI on a machine use following steps:
To manually install GLPI on a machine use following steps:
#Download latest stable GLPI from Internet ( https://forge.indepnet.net/attachments/download/1954/glpi-0.85.2.tar.gz at time of this writing)
#Download latest stable GLPI from Internet ( http://glpi-project.org/spip.php?article41 at time of this writing)
#Install httpd, mod_ssl, php, php-ldap, mysql-server, php-mysql, php-mbstring, php-gd and MySQL-python packages
#Install httpd, mod_ssl, php, php-ldap, mysql-server, php-mysql, php-mbstring, php-gd and MySQL-python packages
#:Latest version of GLPI required php5.6
#Extract glpi sources in /var/www/html so that various files are in /var/www/html/glpi
#Extract glpi sources in /var/www/html so that various files are in /var/www/html/glpi
#Create /var/www/html/index.html to redirect to glpi as explained at [[Redirecting_site_using_apache_configuration#Redirect_using_HTML_META_refresh]]
#Create /var/www/html/index.html to redirect to glpi as explained at [[Redirecting_site_using_apache_configuration#Redirect_using_HTML_META_refresh]]
Line 16: Line 16:
#::create database glpi;
#::create database glpi;
#::grant all on glpi.* to glpi@localhost identified by '&lt;password&gt;'
#::grant all on glpi.* to glpi@localhost identified by '&lt;password&gt;'
#::flush privileges;
#:</pre>
#:</pre>
#::where &lt;password&gt; can be replaced suitably.
#::where &lt;password&gt; can be replaced suitably.
# Visit http://<server>/glpi and setup GLPI  
# Visit http://<server>/glpi and setup GLPI  
# Login using username glpi and password glpi
# Login using username glpi and password glpi




Line 38: Line 40:


     tasks:
     tasks:
    - name: Download GLPI from Internet
      - name: Download GLPI from Internet
      get_url: url="{{ glpi_download_url }}"  dest="{{ glpi_local_path }}"
        get_url: url="{{ glpi_download_url }}"  dest="{{ glpi_local_path }}"
 
 
    - name: Install apache, mod_ssl, php, php-ldap, mysql-server, php-mysql, php-mbstring, php-gd  
      - name: Install apache, mod_ssl, php, php-ldap, mysql-server, php-mysql, php-mbstring, php-gd
      yum: name={{ item }} state=present
        yum: name={{ item }} state=present
      with_items:
        with_items:
        - httpd
          - httpd
        - mod_ssl
          - mod_ssl
        - php
          - php
        - php-ldap
          - php-ldap
        - mysql-server
          - mysql-server
        - php-mysql
          - php-mysql
        - php-mbstring
          - php-mbstring
        - php-gd
          - php-gd
        - MySQL-python
          - MySQL-python
       notify:
        notify:
        - restart apache
          - restart apache
   
 
    - name: Extract glpi downloaded sources in /var/www/html
 
      unarchive: copy=no src="{{ glpi_local_path }}" dest="{{ httpd_document_root }}" owner=apache group=apache #creates="{{ httpd_document_root }}"/index.html
       - stat: path="{{httpd_document_root}}/index.html"
        register: index_html
 
      - name: Copy iptables file if not present already
        template: src=iptables dest=/etc/sysconfig/iptables
        notify:
          - restart iptables
          - restart fail2ban
 
      - name: Extract glpi downloaded sources in /var/www/html
        unarchive: copy=no src="{{glpi_local_path}}" dest="{{httpd_document_root}}" owner=apache group=apache
        when: index_html.stat.exists == False
 
      - name: Copy index.html file to documentroot
        copy: src=index.html dest="{{ httpd_document_root }}" owner=apache group=apache
 
      - name: Ensure files are owned by apache user
        file: dest="{{ httpd_document_root }}" owner=apache group=apache recurse=yes
 
      - name: Start and Enable httpd, mysqld
        service: name={{ item }} state=started enabled=yes
        with_items:
          - httpd
          - mysqld
 
      - name: Create glpi database in mysql
        mysql_db: name=glpi


    - name: Copy index.html file to documentroot
      - name: Create glpi user and give all permissions on glpi database
      copy: src=index.html dest="{{ httpd_document_root }}" owner=apache group=apache
        mysql_user: name=glpi password="{{ mysql_glpi_password }}" priv=glpi.*:ALL


    - name: Ensure files are owned by apache user
      - name: Print web instructions
      file: dest="{{ httpd_document_root }}" owner=apache group=apache recurse=yes
        debug: msg="Please visit http://{{ ansible_default_ipv4.address }} and setup glpi using MySQL username glpi, password {{ mysql_glpi_password }} and host localhost.  Login using glpi:glpi"


    - name: Start and Enable httpd, mysqld
      service: name={{ item }} state=started enabled=yes
      with_items:
        - httpd
        - mysqld


    - name: Create glpi database in mysql
       - name: Print post setup instructions
       mysql_db: name=glpi
        debug: msg="After setup is complete also run glpi_postsetup.yaml playbook to remove install/install.php file from glpi server"
 
    - name: Create glpi user and give all permissions on glpi database
      mysql_user: name=glpi password="{{ mysql_glpi_password }}" priv=glpi.*:ALL


    - name: Print web instructions
      debug: msg="Please visit http://{{ ansible_default_ipv4.address }} and setup glpi using MySQL username glpi, password {{ mysql_glpi_password }} and host localhost.  Login using glpi:glpi"
   
    - name: Print post setup instructions
      debug: msg="After setup is complete also run glpi_postsetup.yaml playbook to remove install/install.php file from glpi server"


     handlers:
     handlers:
    - name: restart apache
      - name: restart apache
       service: name=httpd state=restarted
        service: name=httpd state=restarted
 
       - name: restart iptables
        service: name=iptables state=restarted
 
      - name: restart fail2ban
        service: name=fail2ban state=restarted
 
</pre>
</pre>


Line 101: Line 123:
</pre>
</pre>
in same folder
in same folder
The script also assumes availability of iptables jinja2 template with following content in the same folder:
<pre>
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
#Accept loopback connections
-A INPUT -i lo -j ACCEPT
#Rate limit new connections to 20 new connections per 30 seconds
-A INPUT ! -p udp -m state --state NEW -m recent --name new_limit --set
-A INPUT ! -p udp -m state --state NEW -m recent --name new_limit --rcheck --seconds 30 --hitcount 20 -m limit --limit 2/min -j LOG --log-prefix "new_limit_"
-A INPUT ! -p udp -m state --state NEW -m recent --name ssh_limit --rcheck --seconds 30 --hitcount 20 -j DROP
#Accept ICMP ping requests at limited rate
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 60/minute --limit-burst 120 -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/minute --limit-burst 2 -j LOG
-A INPUT -p icmp --icmp-type echo-request -j DROP
#Allow ongoing connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#Allow incoming SSH connections.  Hopefully denyhosts will take care of bruteforce attacks
-A INPUT -m state --state NEW -p tcp -m tcp --dport 22 -j ACCEPT
#Allow incoming HTTP, HTTPS connection
-A INPUT -m state --state NEW -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -m state --state NEW -p tcp -m tcp --dport 443 -j ACCEPT
#Allow incoming NRPE queries for nagios
-A INPUT -m state --state NEW -p tcp -m tcp --dport 5666 -j ACCEPT
#Allow SNMP queries for cacti
-A INPUT -p udp -m udp --dport 161 -j ACCEPT
-A INPUT -p udp -m udp --dport 162 -j ACCEPT
#These UDP ports receive too much spam and hence we do not need to log "blocked_input_" for them
-A INPUT -p udp -m udp --dport 67 -j DROP
-A INPUT -p udp -m udp --dport 137 -j DROP
-A INPUT -p udp -m udp --dport 138 -j DROP
-A INPUT -p udp -m udp --dport 17500 -j DROP
#Do not log igmp connections either
-A INPUT -p igmp -j DROP
#Log all other "blocked_input_" attempts
-A INPUT -m state --state NEW -m limit --limit 2/min -j LOG --log-prefix "blocked_input_"
#Reply with proper ICMP error message and reject the connection
-A INPUT -j REJECT --reject-with icmp-host-prohibited
#For VMs NAT or bridge access
-A FORWARD -j ACCEPT
#
#
##Output rules
#Allow outgoing connections to localhost
-A OUTPUT -o lo -j ACCEPT
#Allow ongoing connections
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
#Allow DNS queries
-A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
#Allow server to send emails.  Required for receiving logwatch emails
-A OUTPUT -p tcp -m tcp --dport 25 -j ACCEPT
#Allow DHCP queries
-A OUTPUT -p udp -m udp --dport 67 -j ACCEPT
##Allow server to contact web-servers.  Required for yum update and installation
#For restrictive configurations this can be disabled after install
-A OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 443 -j ACCEPT
#Allow outgoing requests to LDAP server
-A OUTPUT -p tcp -m tcp --dport 389 -j ACCEPT
#Allow outgoing requests to LDAPS server
#-A OUTPUT -p tcp -m tcp --dport 636 -j ACCEPT
#Allow ping requests
-A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
#Allow outgoing connections to OSSEC server
-A OUTPUT -p udp -m udp --dport 1514 -j ACCEPT
#Log all other "blocked_output_" attempts
-A OUTPUT -m state --state NEW -m limit --limit 2/min -j LOG --log-prefix "blocked_output_"
#Reply with proper ICMP error message and reject the connection
-A OUTPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
#
</pre>


Once installation is complete use following script for post-installation setup ('<tt>glpi_postsetup.yaml</tt>'):
Once installation is complete use following script for post-installation setup ('<tt>glpi_postsetup.yaml</tt>'):
Line 117: Line 215:
    
    
</pre>
</pre>
[[Main Page|Home]] > [[CentOS]] > [[CentOS 6.x]] > [[Web based tools or applications]] > [[Glpi|glpi]] > [[Installing GLPI]]

Latest revision as of 14:46, 28 July 2022

Home > CentOS > CentOS 6.x > Web based tools or applications > glpi > Installing GLPI

Manual installation

To manually install GLPI on a machine use following steps:

  1. Download latest stable GLPI from Internet ( http://glpi-project.org/spip.php?article41 at time of this writing)
  2. Install httpd, mod_ssl, php, php-ldap, mysql-server, php-mysql, php-mbstring, php-gd and MySQL-python packages
    Latest version of GLPI required php5.6
  3. Extract glpi sources in /var/www/html so that various files are in /var/www/html/glpi
  4. Create /var/www/html/index.html to redirect to glpi as explained at Redirecting_site_using_apache_configuration#Redirect_using_HTML_META_refresh
  5. chown -R apache:apache /var/www/html
  6. service httpd start; chkconfig httpd on
  7. service mysqld start; chkconfig mysqld on
  8. Start mysql using 'mysql' command and use following: 
    create database glpi;
    

    grant all on glpi.* to glpi@localhost identified by '<password>'
    

    flush privileges;
    where <password> can be replaced suitably.
  9. Visit http://<server>/glpi and setup GLPI
  10. Login using username glpi and password glpi


Automated installation

For automated installation of glpi use following ansible script ('glpi.yaml'): 

---
  - name: Download and install glpi
    hosts: glpi_servers
    remote_user: root
 
    vars:
      glpi_download_url: https://forge.indepnet.net/attachments/download/1954/glpi-0.85.2.tar.gz
      glpi_local_path: /root/glpi.tar.bz2
      httpd_document_root: /var/www/html/
      mysql_glpi_password: rekall123

    tasks:
      - name: Download GLPI from Internet
        get_url: url="{{ glpi_download_url }}"  dest="{{ glpi_local_path }}"

      - name: Install apache, mod_ssl, php, php-ldap, mysql-server, php-mysql, php-mbstring, php-gd
        yum: name={{ item }} state=present
        with_items:
          - httpd
          - mod_ssl
          - php
          - php-ldap
          - mysql-server
          - php-mysql
          - php-mbstring
          - php-gd
          - MySQL-python
        notify:
          - restart apache


      - stat: path="{{httpd_document_root}}/index.html"
        register: index_html

      - name: Copy iptables file if not present already
        template: src=iptables dest=/etc/sysconfig/iptables
        notify:
          - restart iptables
          - restart fail2ban

      - name: Extract glpi downloaded sources in /var/www/html
        unarchive: copy=no src="{{glpi_local_path}}" dest="{{httpd_document_root}}" owner=apache group=apache
        when: index_html.stat.exists == False

      - name: Copy index.html file to documentroot
        copy: src=index.html dest="{{ httpd_document_root }}" owner=apache group=apache

      - name: Ensure files are owned by apache user
        file: dest="{{ httpd_document_root }}" owner=apache group=apache recurse=yes

      - name: Start and Enable httpd, mysqld
        service: name={{ item }} state=started enabled=yes
        with_items:
          - httpd
          - mysqld

      - name: Create glpi database in mysql
        mysql_db: name=glpi

      - name: Create glpi user and give all permissions on glpi database
        mysql_user: name=glpi password="{{ mysql_glpi_password }}" priv=glpi.*:ALL

      - name: Print web instructions
        debug: msg="Please visit http://{{ ansible_default_ipv4.address }} and setup glpi using MySQL username glpi, password {{ mysql_glpi_password }} and host localhost.  Login using glpi:glpi"


      - name: Print post setup instructions
        debug: msg="After setup is complete also run glpi_postsetup.yaml playbook to remove install/install.php file from glpi server"


    handlers:
      - name: restart apache
        service: name=httpd state=restarted

      - name: restart iptables
        service: name=iptables state=restarted

      - name: restart fail2ban
        service: name=fail2ban state=restarted

The ansible script assumes availability of index.html with following content: 

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
	<meta http-equiv="Content-type" content="text/html;charset=UTF-8" />
	<meta http-equiv="Refresh" content="0; URL=glpi" />
</head>
<body>
</body>
</html>

in same folder

The script also assumes availability of iptables jinja2 template with following content in the same folder: 

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
#Accept loopback connections
-A INPUT -i lo -j ACCEPT
#Rate limit new connections to 20 new connections per 30 seconds
-A INPUT ! -p udp -m state --state NEW -m recent --name new_limit --set
-A INPUT ! -p udp -m state --state NEW -m recent --name new_limit --rcheck --seconds 30 --hitcount 20 -m limit --limit 2/min -j LOG --log-prefix "new_limit_"
-A INPUT ! -p udp -m state --state NEW -m recent --name ssh_limit --rcheck --seconds 30 --hitcount 20 -j DROP
#Accept ICMP ping requests at limited rate
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 60/minute --limit-burst 120 -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/minute --limit-burst 2 -j LOG
-A INPUT -p icmp --icmp-type echo-request -j DROP
#Allow ongoing connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#Allow incoming SSH connections.  Hopefully denyhosts will take care of bruteforce attacks
-A INPUT -m state --state NEW -p tcp -m tcp --dport 22 -j ACCEPT
#Allow incoming HTTP, HTTPS connection
-A INPUT -m state --state NEW -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -m state --state NEW -p tcp -m tcp --dport 443 -j ACCEPT
#Allow incoming NRPE queries for nagios
-A INPUT -m state --state NEW -p tcp -m tcp --dport 5666 -j ACCEPT
#Allow SNMP queries for cacti
-A INPUT -p udp -m udp --dport 161 -j ACCEPT
-A INPUT -p udp -m udp --dport 162 -j ACCEPT
#These UDP ports receive too much spam and hence we do not need to log "blocked_input_" for them
-A INPUT -p udp -m udp --dport 67 -j DROP
-A INPUT -p udp -m udp --dport 137 -j DROP
-A INPUT -p udp -m udp --dport 138 -j DROP
-A INPUT -p udp -m udp --dport 17500 -j DROP
#Do not log igmp connections either
-A INPUT -p igmp -j DROP
#Log all other "blocked_input_" attempts
-A INPUT -m state --state NEW -m limit --limit 2/min -j LOG --log-prefix "blocked_input_"
#Reply with proper ICMP error message and reject the connection
-A INPUT -j REJECT --reject-with icmp-host-prohibited
#For VMs NAT or bridge access
-A FORWARD -j ACCEPT
#
#
##Output rules
#Allow outgoing connections to localhost
-A OUTPUT -o lo -j ACCEPT
#Allow ongoing connections
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
#Allow DNS queries
-A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
#Allow server to send emails.  Required for receiving logwatch emails
-A OUTPUT -p tcp -m tcp --dport 25 -j ACCEPT
#Allow DHCP queries
-A OUTPUT -p udp -m udp --dport 67 -j ACCEPT
##Allow server to contact web-servers.  Required for yum update and installation
#For restrictive configurations this can be disabled after install
-A OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 443 -j ACCEPT
#Allow outgoing requests to LDAP server
-A OUTPUT -p tcp -m tcp --dport 389 -j ACCEPT
#Allow outgoing requests to LDAPS server
#-A OUTPUT -p tcp -m tcp --dport 636 -j ACCEPT
#Allow ping requests
-A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
#Allow outgoing connections to OSSEC server
-A OUTPUT -p udp -m udp --dport 1514 -j ACCEPT
#Log all other "blocked_output_" attempts
-A OUTPUT -m state --state NEW -m limit --limit 2/min -j LOG --log-prefix "blocked_output_"
#Reply with proper ICMP error message and reject the connection
-A OUTPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
#


Once installation is complete use following script for post-installation setup ('glpi_postsetup.yaml'): 

---
  - name: Remove install/install.php from glpi
    hosts: glpi_servers
    remote_user: root
 
    vars:
      httpd_document_root: /var/www/html/

    tasks:
    - name: Remove install/install.php file
      file: path="{{ httpd_document_root }}"glpi/install/install.php state=absent



Home > CentOS > CentOS 6.x > Web based tools or applications > glpi > Installing GLPI

Retrieved from "http://www.sbarjatiya.com/notes_wiki/index.php?title=Installing_GLPI&oldid=6768"