Installing GLPI

From Notes_Wiki
Revision as of 14:46, 28 July 2022 by Saurabh (talk | contribs)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)

Home > CentOS > CentOS 6.x > Web based tools or applications > glpi > Installing GLPI

Manual installation

To manually install GLPI on a machine use following steps:

  1. Download latest stable GLPI from Internet ( http://glpi-project.org/spip.php?article41 at time of this writing)
  2. Install httpd, mod_ssl, php, php-ldap, mysql-server, php-mysql, php-mbstring, php-gd and MySQL-python packages
    Latest version of GLPI required php5.6
  3. Extract glpi sources in /var/www/html so that various files are in /var/www/html/glpi
  4. Create /var/www/html/index.html to redirect to glpi as explained at Redirecting_site_using_apache_configuration#Redirect_using_HTML_META_refresh
  5. chown -R apache:apache /var/www/html
  6. service httpd start; chkconfig httpd on
  7. service mysqld start; chkconfig mysqld on
  8. Start mysql using 'mysql' command and use following:
    create database glpi;
    grant all on glpi.* to glpi@localhost identified by '<password>'
    flush privileges;
    where <password> can be replaced suitably.
  9. Visit http://<server>/glpi and setup GLPI
  10. Login using username glpi and password glpi


Automated installation

For automated installation of glpi use following ansible script ('glpi.yaml'):

---
  - name: Download and install glpi
    hosts: glpi_servers
    remote_user: root
 
    vars:
      glpi_download_url: https://forge.indepnet.net/attachments/download/1954/glpi-0.85.2.tar.gz
      glpi_local_path: /root/glpi.tar.bz2
      httpd_document_root: /var/www/html/
      mysql_glpi_password: rekall123

    tasks:
      - name: Download GLPI from Internet
        get_url: url="{{ glpi_download_url }}"  dest="{{ glpi_local_path }}"

      - name: Install apache, mod_ssl, php, php-ldap, mysql-server, php-mysql, php-mbstring, php-gd
        yum: name={{ item }} state=present
        with_items:
          - httpd
          - mod_ssl
          - php
          - php-ldap
          - mysql-server
          - php-mysql
          - php-mbstring
          - php-gd
          - MySQL-python
        notify:
          - restart apache


      - stat: path="{{httpd_document_root}}/index.html"
        register: index_html

      - name: Copy iptables file if not present already
        template: src=iptables dest=/etc/sysconfig/iptables
        notify:
          - restart iptables
          - restart fail2ban

      - name: Extract glpi downloaded sources in /var/www/html
        unarchive: copy=no src="{{glpi_local_path}}" dest="{{httpd_document_root}}" owner=apache group=apache
        when: index_html.stat.exists == False

      - name: Copy index.html file to documentroot
        copy: src=index.html dest="{{ httpd_document_root }}" owner=apache group=apache

      - name: Ensure files are owned by apache user
        file: dest="{{ httpd_document_root }}" owner=apache group=apache recurse=yes

      - name: Start and Enable httpd, mysqld
        service: name={{ item }} state=started enabled=yes
        with_items:
          - httpd
          - mysqld

      - name: Create glpi database in mysql
        mysql_db: name=glpi

      - name: Create glpi user and give all permissions on glpi database
        mysql_user: name=glpi password="{{ mysql_glpi_password }}" priv=glpi.*:ALL

      - name: Print web instructions
        debug: msg="Please visit http://{{ ansible_default_ipv4.address }} and setup glpi using MySQL username glpi, password {{ mysql_glpi_password }} and host localhost.  Login using glpi:glpi"


      - name: Print post setup instructions
        debug: msg="After setup is complete also run glpi_postsetup.yaml playbook to remove install/install.php file from glpi server"


    handlers:
      - name: restart apache
        service: name=httpd state=restarted

      - name: restart iptables
        service: name=iptables state=restarted

      - name: restart fail2ban
        service: name=fail2ban state=restarted

The ansible script assumes availability of index.html with following content:

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
	<meta http-equiv="Content-type" content="text/html;charset=UTF-8" />
	<meta http-equiv="Refresh" content="0; URL=glpi" />
</head>
<body>
</body>
</html>

in same folder

The script also assumes availability of iptables jinja2 template with following content in the same folder:

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
#Accept loopback connections
-A INPUT -i lo -j ACCEPT
#Rate limit new connections to 20 new connections per 30 seconds
-A INPUT ! -p udp -m state --state NEW -m recent --name new_limit --set
-A INPUT ! -p udp -m state --state NEW -m recent --name new_limit --rcheck --seconds 30 --hitcount 20 -m limit --limit 2/min -j LOG --log-prefix "new_limit_"
-A INPUT ! -p udp -m state --state NEW -m recent --name ssh_limit --rcheck --seconds 30 --hitcount 20 -j DROP
#Accept ICMP ping requests at limited rate
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 60/minute --limit-burst 120 -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/minute --limit-burst 2 -j LOG
-A INPUT -p icmp --icmp-type echo-request -j DROP
#Allow ongoing connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#Allow incoming SSH connections.  Hopefully denyhosts will take care of bruteforce attacks
-A INPUT -m state --state NEW -p tcp -m tcp --dport 22 -j ACCEPT
#Allow incoming HTTP, HTTPS connection
-A INPUT -m state --state NEW -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -m state --state NEW -p tcp -m tcp --dport 443 -j ACCEPT
#Allow incoming NRPE queries for nagios
-A INPUT -m state --state NEW -p tcp -m tcp --dport 5666 -j ACCEPT
#Allow SNMP queries for cacti
-A INPUT -p udp -m udp --dport 161 -j ACCEPT
-A INPUT -p udp -m udp --dport 162 -j ACCEPT
#These UDP ports receive too much spam and hence we do not need to log "blocked_input_" for them
-A INPUT -p udp -m udp --dport 67 -j DROP
-A INPUT -p udp -m udp --dport 137 -j DROP
-A INPUT -p udp -m udp --dport 138 -j DROP
-A INPUT -p udp -m udp --dport 17500 -j DROP
#Do not log igmp connections either
-A INPUT -p igmp -j DROP
#Log all other "blocked_input_" attempts
-A INPUT -m state --state NEW -m limit --limit 2/min -j LOG --log-prefix "blocked_input_"
#Reply with proper ICMP error message and reject the connection
-A INPUT -j REJECT --reject-with icmp-host-prohibited
#For VMs NAT or bridge access
-A FORWARD -j ACCEPT
#
#
##Output rules
#Allow outgoing connections to localhost
-A OUTPUT -o lo -j ACCEPT
#Allow ongoing connections
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
#Allow DNS queries
-A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
#Allow server to send emails.  Required for receiving logwatch emails
-A OUTPUT -p tcp -m tcp --dport 25 -j ACCEPT
#Allow DHCP queries
-A OUTPUT -p udp -m udp --dport 67 -j ACCEPT
##Allow server to contact web-servers.  Required for yum update and installation
#For restrictive configurations this can be disabled after install
-A OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 443 -j ACCEPT
#Allow outgoing requests to LDAP server
-A OUTPUT -p tcp -m tcp --dport 389 -j ACCEPT
#Allow outgoing requests to LDAPS server
#-A OUTPUT -p tcp -m tcp --dport 636 -j ACCEPT
#Allow ping requests
-A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
#Allow outgoing connections to OSSEC server
-A OUTPUT -p udp -m udp --dport 1514 -j ACCEPT
#Log all other "blocked_output_" attempts
-A OUTPUT -m state --state NEW -m limit --limit 2/min -j LOG --log-prefix "blocked_output_"
#Reply with proper ICMP error message and reject the connection
-A OUTPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
#


Once installation is complete use following script for post-installation setup ('glpi_postsetup.yaml'):

---
  - name: Remove install/install.php from glpi
    hosts: glpi_servers
    remote_user: root
 
    vars:
      httpd_document_root: /var/www/html/

    tasks:
    - name: Remove install/install.php file
      file: path="{{ httpd_document_root }}"glpi/install/install.php state=absent
   



Home > CentOS > CentOS 6.x > Web based tools or applications > glpi > Installing GLPI