Difference between revisions of "Installing GLPI"
Line 38: | Line 38: | ||
tasks: | tasks: | ||
- name: Download GLPI from Internet | |||
get_url: url="{{ glpi_download_url }}" dest="{{ glpi_local_path }}" | |||
- name: Install apache, mod_ssl, php, php-ldap, mysql-server, php-mysql, php-mbstring, php-gd | |||
yum: name={{ item }} state=present | |||
with_items: | |||
- httpd | |||
- mod_ssl | |||
- php | |||
- php-ldap | |||
- mysql-server | |||
- php-mysql | |||
- php-mbstring | |||
- php-gd | |||
- MySQL-python | |||
notify: | notify: | ||
- restart apache | |||
- stat: path="{{httpd_document_root}}/index.html" | |||
register: index_html | |||
- name: Copy iptables file if not present already | |||
template: src=iptables dest=/etc/sysconfig/iptables | |||
notify: | |||
- restart iptables | |||
- restart fail2ban | |||
- name: Extract glpi downloaded sources in /var/www/html | |||
unarchive: copy=no src="{{glpi_local_path}}" dest="{{httpd_document_root}}" owner=apache group=apache | |||
when: index_html.stat.exists == False | |||
- name: Copy index.html file to documentroot | |||
copy: src=index.html dest="{{ httpd_document_root }}" owner=apache group=apache | |||
- name: Ensure files are owned by apache user | |||
file: dest="{{ httpd_document_root }}" owner=apache group=apache recurse=yes | |||
- name: Start and Enable httpd, mysqld | |||
service: name={{ item }} state=started enabled=yes | |||
with_items: | |||
- httpd | |||
- mysqld | |||
- name: Create glpi database in mysql | |||
mysql_db: name=glpi | |||
- name: Create glpi user and give all permissions on glpi database | |||
mysql_user: name=glpi password="{{ mysql_glpi_password }}" priv=glpi.*:ALL | |||
- name: Print web instructions | |||
debug: msg="Please visit http://{{ ansible_default_ipv4.address }} and setup glpi using MySQL username glpi, password {{ mysql_glpi_password }} and host localhost. Login using glpi:glpi" | |||
- name: Print post setup instructions | |||
debug: msg="After setup is complete also run glpi_postsetup.yaml playbook to remove install/install.php file from glpi server" | |||
handlers: | handlers: | ||
- name: restart apache | |||
service: name= | service: name=httpd state=restarted | ||
- name: restart iptables | |||
service: name=iptables state=restarted | |||
- name: restart fail2ban | |||
service: name=fail2ban state=restarted | |||
</pre> | </pre> | ||
Line 101: | Line 121: | ||
</pre> | </pre> | ||
in same folder | in same folder | ||
The script also assumes availability of iptables jinja2 template with following content in the same folder: | |||
<pre> | |||
*filter | |||
:INPUT ACCEPT [0:0] | |||
:FORWARD ACCEPT [0:0] | |||
:OUTPUT ACCEPT [0:0] | |||
#Accept loopback connections | |||
-A INPUT -i lo -j ACCEPT | |||
#Rate limit new connections to 20 new connections per 30 seconds | |||
-A INPUT ! -p udp -m state --state NEW -m recent --name new_limit --set | |||
-A INPUT ! -p udp -m state --state NEW -m recent --name new_limit --rcheck --seconds 30 --hitcount 20 -m limit --limit 2/min -j LOG --log-prefix "new_limit_" | |||
-A INPUT ! -p udp -m state --state NEW -m recent --name ssh_limit --rcheck --seconds 30 --hitcount 20 -j DROP | |||
#Accept ICMP ping requests at limited rate | |||
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 60/minute --limit-burst 120 -j ACCEPT | |||
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/minute --limit-burst 2 -j LOG | |||
-A INPUT -p icmp --icmp-type echo-request -j DROP | |||
#Allow ongoing connections | |||
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT | |||
#Allow incoming SSH connections. Hopefully denyhosts will take care of bruteforce attacks | |||
-A INPUT -m state --state NEW -p tcp -m tcp --dport 22 -j ACCEPT | |||
#Allow incoming HTTP, HTTPS connection | |||
-A INPUT -m state --state NEW -p tcp -m tcp --dport 80 -j ACCEPT | |||
-A INPUT -m state --state NEW -p tcp -m tcp --dport 443 -j ACCEPT | |||
#Allow incoming NRPE queries for nagios | |||
-A INPUT -m state --state NEW -p tcp -m tcp --dport 5666 -j ACCEPT | |||
#Allow SNMP queries for cacti | |||
-A INPUT -p udp -m udp --dport 161 -j ACCEPT | |||
-A INPUT -p udp -m udp --dport 162 -j ACCEPT | |||
#These UDP ports receive too much spam and hence we do not need to log "blocked_input_" for them | |||
-A INPUT -p udp -m udp --dport 67 -j DROP | |||
-A INPUT -p udp -m udp --dport 137 -j DROP | |||
-A INPUT -p udp -m udp --dport 138 -j DROP | |||
-A INPUT -p udp -m udp --dport 17500 -j DROP | |||
#Do not log igmp connections either | |||
-A INPUT -p igmp -j DROP | |||
#Log all other "blocked_input_" attempts | |||
-A INPUT -m state --state NEW -m limit --limit 2/min -j LOG --log-prefix "blocked_input_" | |||
#Reply with proper ICMP error message and reject the connection | |||
-A INPUT -j REJECT --reject-with icmp-host-prohibited | |||
#For VMs NAT or bridge access | |||
-A FORWARD -j ACCEPT | |||
# | |||
# | |||
##Output rules | |||
#Allow outgoing connections to localhost | |||
-A OUTPUT -o lo -j ACCEPT | |||
#Allow ongoing connections | |||
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT | |||
#Allow DNS queries | |||
-A OUTPUT -p udp -m udp --dport 53 -j ACCEPT | |||
#Allow server to send emails. Required for receiving logwatch emails | |||
-A OUTPUT -p tcp -m tcp --dport 25 -j ACCEPT | |||
#Allow DHCP queries | |||
-A OUTPUT -p udp -m udp --dport 67 -j ACCEPT | |||
##Allow server to contact web-servers. Required for yum update and installation | |||
#For restrictive configurations this can be disabled after install | |||
-A OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT | |||
-A OUTPUT -p tcp -m tcp --dport 443 -j ACCEPT | |||
#Allow outgoing requests to LDAP server | |||
-A OUTPUT -p tcp -m tcp --dport 389 -j ACCEPT | |||
#Allow outgoing requests to LDAPS server | |||
#-A OUTPUT -p tcp -m tcp --dport 636 -j ACCEPT | |||
#Allow ping requests | |||
-A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT | |||
#Allow outgoing connections to OSSEC server | |||
-A OUTPUT -p udp -m udp --dport 1514 -j ACCEPT | |||
#Log all other "blocked_output_" attempts | |||
-A OUTPUT -m state --state NEW -m limit --limit 2/min -j LOG --log-prefix "blocked_output_" | |||
#Reply with proper ICMP error message and reject the connection | |||
-A OUTPUT -j REJECT --reject-with icmp-host-prohibited | |||
COMMIT | |||
# | |||
</pre> | |||
Once installation is complete use following script for post-installation setup ('<tt>glpi_postsetup.yaml</tt>'): | Once installation is complete use following script for post-installation setup ('<tt>glpi_postsetup.yaml</tt>'): | ||
Line 117: | Line 213: | ||
</pre> | </pre> | ||
<yambe:breadcrumb>Glpi|Glpi</yambe:breadcrumb> |
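Review bot: The connection rate limit in the iptables template never drops anything, because the `--set` and LOG rules track the recent list `new_limit` while the DROP rule checks a list named `ssh_limit` that nothing ever populates; the DROP line should read `-A INPUT ! -p udp -m state --state NEW -m recent --name new_limit --rcheck --seconds 30 --hitcount 20 -j DROP`. Once it actually enforces, 20 new TCP connections per 30 seconds per source is tight for a web application whose users may share a NAT address, so the threshold deserves a second look. Separately, the "Print web instructions" task echoes `{{ mysql_glpi_password }}` into the Ansible output and the mysql_user task has no `no_log: true`, so the database password ends up on the console and in any log of the run. The handlers also restart fail2ban, which the package task never installs, so that handler fails on a host that does not already have it.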
Revision as of 03:30, 14 May 2015
Installing GLPI
Manual installation
To install GLPI manually on a machine, use the following steps:
- Download the latest stable GLPI release over HTTPS (https://forge.indepnet.net/attachments/download/1954/glpi-0.85.2.tar.gz at the time of writing) and, where the project publishes one, verify the archive checksum before extracting it
- Install the httpd, mod_ssl, php, php-ldap, mysql-server, php-mysql, php-mbstring, php-gd and MySQL-python packages
- Extract the GLPI sources into /var/www/html so that the application files end up under /var/www/html/glpi
- Create /var/www/html/index.html to redirect to glpi as explained at Redirecting_site_using_apache_configuration#Redirect_using_HTML_META_refresh
- chown -R apache:apache /var/www/html
- service httpd start; chkconfig httpd on
- service mysqld start; chkconfig mysqld on
- Open a MySQL shell with the 'mysql' command and run the following:
- create database glpi;
- grant all on glpi.* to glpi@localhost identified by '<password>';
- where <password> is replaced by a strong, unique password of your choice.
- Visit http://<server>/glpi (or https://, since mod_ssl is installed) and complete the GLPI setup wizard, supplying the database user glpi and the password chosen above
- Log in using username glpi and password glpi (the default account) and change this default password immediately, since these default credentials are widely known
Automated installation
For an automated installation of GLPI, use the following Ansible playbook ('glpi.yaml'):
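---
# glpi.yaml -- install GLPI 0.85.2 on a CentOS/RHEL style host: web stack,
# MySQL server, host firewall rules and the GLPI database and user.
# The browser-based setup wizard is still completed by hand afterwards (see
# the instructions printed by the last two tasks), followed by
# glpi_postsetup.yaml.
- name: Download and install glpi
  hosts: glpi_servers
  remote_user: root
  vars:
    glpi_download_url: https://forge.indepnet.net/attachments/download/1954/glpi-0.85.2.tar.gz
    # Where the archive is stored on the target.  The name is historical: the
    # URL above is a .tar.gz, and unarchive works on the file regardless.
    glpi_local_path: /root/glpi.tar.bz2
    httpd_document_root: /var/www/html/
    # Placeholder value.  Provide the real password from ansible-vault or
    # --extra-vars rather than keeping it in this file.
    mysql_glpi_password: rekall123
  tasks:
    - name: Download GLPI from Internet
      # Add "checksum: sha256:<digest>" once the release digest is known; an
      # HTTPS download alone does not protect against a replaced archive.
      get_url:
        url: "{{ glpi_download_url }}"
        dest: "{{ glpi_local_path }}"

    - name: Install apache, mod_ssl, php, php-ldap, mysql-server, php-mysql, php-mbstring, php-gd
      yum:
        name: "{{ item }}"
        state: present
      with_items:
        - httpd
        - mod_ssl
        - php
        - php-ldap
        - mysql-server
        - php-mysql
        - php-mbstring
        - php-gd
        - MySQL-python
      notify:
        - restart apache

    # An existing index.html is taken as the sign that GLPI was already
    # extracted, so the archive is not unpacked over a live installation.
    - name: Check whether the document root is already populated
      stat:
        path: "{{ httpd_document_root }}/index.html"
      register: index_html

    - name: Copy iptables file if not present already
      template:
        src: iptables
        dest: /etc/sysconfig/iptables
      notify:
        - restart iptables
        # NOTE(review): fail2ban is not in the package list above, so this
        # handler only succeeds on hosts that already have it installed.
        - restart fail2ban

    - name: Extract glpi downloaded sources in /var/www/html
      unarchive:
        copy: false  # the archive is already on the target
        src: "{{ glpi_local_path }}"
        dest: "{{ httpd_document_root }}"
        owner: apache
        group: apache
      when: not index_html.stat.exists

    - name: Copy index.html file to documentroot
      copy:
        src: index.html
        dest: "{{ httpd_document_root }}"
        owner: apache
        group: apache

    # NOTE(review): this makes the web server user the owner of all
    # application code, so a compromised PHP process can rewrite it.
    # Tightening ownership to the directories GLPI actually writes to is
    # worth doing once setup is complete.
    - name: Ensure files are owned by apache user
      file:
        path: "{{ httpd_document_root }}"
        state: directory
        owner: apache
        group: apache
        recurse: true

    - name: Start and Enable httpd, mysqld
      service:
        name: "{{ item }}"
        state: started
        enabled: true
      with_items:
        - httpd
        - mysqld

    # NOTE(review): the two MySQL tasks connect as root without a password,
    # which presumably relies on the freshly installed server still having
    # its unsecured default root account.  Set a root password as part of
    # hardening and pass it via login_password here.
    - name: Create glpi database in mysql
      mysql_db:
        name: glpi

    - name: Create glpi user and give all permissions on glpi database
      mysql_user:
        name: glpi
        password: "{{ mysql_glpi_password }}"
        priv: "glpi.*:ALL"
      # Keep the password out of the console output and any log of the run.
      no_log: true

    - name: Print web instructions
      # The password is deliberately not echoed: it is the value of
      # mysql_glpi_password and would otherwise land in logs.
      debug:
        msg: "Please visit http://{{ ansible_default_ipv4.address }} and setup glpi using MySQL username glpi, the password held in mysql_glpi_password and host localhost. Login using glpi:glpi and change that default password immediately"

    - name: Print post setup instructions
      debug:
        msg: "After setup is complete also run glpi_postsetup.yaml playbook to remove install/install.php file from glpi server"

  handlers:
    - name: restart apache
      service:
        name: httpd
        state: restarted
    - name: restart iptables
      service:
        name: iptables
        state: restarted
    - name: restart fail2ban
      service:
        name: fail2ban
        state: restarted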
The playbook assumes that an index.html file with the following content is available:
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<!-- Placed at the document root so that a request for / is sent on to the
     glpi sub-directory by an immediate (0 second) meta refresh.  The target
     is a relative URL, so it keeps whatever scheme and host the client used. -->
<html xmlns="http://www.w3.org/1999/xhtml">
  <head>
    <meta http-equiv="Content-type" content="text/html;charset=UTF-8" />
    <meta http-equiv="Refresh" content="0; URL=glpi" />
  </head>
  <body>
  </body>
</html>
in the same folder as the playbook.
The playbook also assumes that an iptables Jinja2 template with the following content is available in the same folder:
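*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
#Accept loopback connections
-A INPUT -i lo -j ACCEPT
#Rate limit new non-UDP connections to 20 per 30 seconds per source address.
#All three rules must track the same "recent" list: the --set rule records
#each new connection and the LOG and DROP rules check that same list.  (The
#DROP rule previously checked a list named ssh_limit that nothing populated,
#so the limit was logged but never enforced.)  Now that it is enforced, keep
#in mind that a browser opens several connections per page load and that
#users behind a shared NAT address count as one source; raise --hitcount if
#legitimate GLPI users start being dropped.
-A INPUT ! -p udp -m state --state NEW -m recent --name new_limit --set
-A INPUT ! -p udp -m state --state NEW -m recent --name new_limit --rcheck --seconds 30 --hitcount 20 -m limit --limit 2/min -j LOG --log-prefix "new_limit_"
-A INPUT ! -p udp -m state --state NEW -m recent --name new_limit --rcheck --seconds 30 --hitcount 20 -j DROP
#Accept ICMP ping requests at limited rate
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 60/minute --limit-burst 120 -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/minute --limit-burst 2 -j LOG
-A INPUT -p icmp --icmp-type echo-request -j DROP
#Allow ongoing connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#Allow incoming SSH connections from any source.  Brute-force protection is
#left to a host-based tool (the playbook restarts fail2ban; denyhosts was
#named here originally), but the playbook installs neither, so make sure one
#is present or restrict this rule with -s to trusted networks.
-A INPUT -m state --state NEW -p tcp -m tcp --dport 22 -j ACCEPT
#Allow incoming HTTP, HTTPS connection
-A INPUT -m state --state NEW -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -m state --state NEW -p tcp -m tcp --dport 443 -j ACCEPT
#Allow incoming NRPE queries for nagios.  Open to any source; add
#"-s <nagios server>" to limit it to the monitoring host.
-A INPUT -m state --state NEW -p tcp -m tcp --dport 5666 -j ACCEPT
#Allow SNMP queries for cacti (same remark: restrict with -s to the poller)
-A INPUT -p udp -m udp --dport 161 -j ACCEPT
-A INPUT -p udp -m udp --dport 162 -j ACCEPT
#These UDP ports receive too much spam and hence we do not need to log "blocked_input_" for them
-A INPUT -p udp -m udp --dport 67 -j DROP
-A INPUT -p udp -m udp --dport 137 -j DROP
-A INPUT -p udp -m udp --dport 138 -j DROP
-A INPUT -p udp -m udp --dport 17500 -j DROP
#Do not log igmp connections either
-A INPUT -p igmp -j DROP
#Log all other "blocked_input_" attempts
-A INPUT -m state --state NEW -m limit --limit 2/min -j LOG --log-prefix "blocked_input_"
#Reply with proper ICMP error message and reject the connection
-A INPUT -j REJECT --reject-with icmp-host-prohibited
#For VMs NAT or bridge access.  Unrestricted forwarding is only needed if
#this host also runs VMs; it can be dropped on a plain GLPI server.
-A FORWARD -j ACCEPT
#
#
##Output rules
#Allow outgoing connections to localhost
-A OUTPUT -o lo -j ACCEPT
#Allow ongoing connections
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
#Allow DNS queries
-A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
#Allow server to send emails. Required for receiving logwatch emails
-A OUTPUT -p tcp -m tcp --dport 25 -j ACCEPT
#Allow DHCP queries
-A OUTPUT -p udp -m udp --dport 67 -j ACCEPT
##Allow server to contact web-servers. Required for yum update and installation
#For restrictive configurations this can be disabled after install
-A OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 443 -j ACCEPT
#Allow outgoing requests to LDAP server (plain LDAP; prefer the LDAPS rule
#below when the directory supports it, so bind credentials are not sent in
#the clear)
-A OUTPUT -p tcp -m tcp --dport 389 -j ACCEPT
#Allow outgoing requests to LDAPS server
#-A OUTPUT -p tcp -m tcp --dport 636 -j ACCEPT
#Allow ping requests
-A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
#Allow outgoing connections to OSSEC server
-A OUTPUT -p udp -m udp --dport 1514 -j ACCEPT
#Log all other "blocked_output_" attempts
-A OUTPUT -m state --state NEW -m limit --limit 2/min -j LOG --log-prefix "blocked_output_"
#Reply with proper ICMP error message and reject the connection
-A OUTPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
#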
Once the web setup is complete, use the following playbook for post-installation cleanup ('glpi_postsetup.yaml'); it removes install/install.php so that the installer can no longer be reached:
---
# glpi_postsetup.yaml -- run after the browser-based setup has finished.
# The installer script must not stay reachable on a live GLPI instance, so
# it is removed from the document root.
- name: Remove install/install.php from glpi
  hosts: glpi_servers
  remote_user: root
  vars:
    httpd_document_root: /var/www/html/
  tasks:
    - name: Remove install/install.php file
      file:
        path: "{{ httpd_document_root }}glpi/install/install.php"
        state: absent