使用者工具

網站工具


tech:librenms

CentOS7 安裝 LibreNMS

  • CentOS Linux release 7.5.1804 (Core)

安裝程序

  1. 安裝需要的套件
    yum install epel-release
    rpm -Uvh https://mirror.webtatic.com/yum/el7/webtatic-release.rpm
    yum install composer cronie fping git ImageMagick jwhois mariadb mariadb-server mtr MySQL-python net-snmp net-snmp-utils nginx nmap php72w php72w-cli php72w-common php72w-curl php72w-fpm php72w-gd php72w-mbstring php72w-mysqlnd php72w-process php72w-snmp php72w-xml php72w-zip python-memcached rrdtool
  2. 建立 librenms 用戶
    useradd librenms -d /opt/librenms -M -r
    usermod -a -G librenms nginx
  3. 設定 /etc/php.ini
    :
    [Date]
    ; Defines the default timezone used by the date functions
    ; http://php.net/date.timezone
    date.timezone = Asia/Taipei
    :
  4. 重新開機
    sync;sync;sync;reboot
  5. 下載 LibreNMS
    cd /opt
    composer create-project --no-dev --keep-vcs librenms/librenms librenms dev-master
  6. 出現異常與警告訊息, 重新開機後再執行
    cd /opt/librenms
    ./scripts/composer_wrapper.php install --no-dev
  7. 建立 DB Server
    systemctl start mariadb
    mysql -u root

    password 要依照自己需要設定

    CREATE DATABASE librenms CHARACTER SET utf8 COLLATE utf8_unicode_ci;
    CREATE USER 'librenms'@'localhost' IDENTIFIED BY '**password**';
    GRANT ALL PRIVILEGES ON librenms.* TO 'librenms'@'localhost';
    FLUSH PRIVILEGES;
    exit
    vi /etc/my.cnf
    [mysqld]
    datadir=/var/lib/mysql
    :
    :
    # instructions in http://fedoraproject.org/wiki/Systemd
    innodb_file_per_table=1
    sql-mode=""
    lower_case_table_names=0
    :
    systemctl enable mariadb
    systemctl restart mariadb
  8. 建立 Web Server
    vi /etc/php-fpm.d/www.conf
    :
    ;user = apache
    user = nginx
    ; RPM: Keep a group allowed to write in log dir.
    group = apache
    
    ; The address on which to accept FastCGI requests.
    ; Valid syntaxes are:
    ;   'ip.add.re.ss:port'    - to listen on a TCP socket to a specific IPv4 address on
    ;                            a specific port;
    ;   '[ip:6:addr:ess]:port' - to listen on a TCP socket to a specific IPv6 address on
    ;                            a specific port;
    ;   'port'                 - to listen on a TCP socket to all addresses
    ;                            (IPv6 and IPv4-mapped) on a specific port;
    ;   '/path/to/unix/socket' - to listen on a unix socket.
    ; Note: This value is mandatory.
    ;listen = 127.0.0.1:9000
    listen = /var/run/php-fpm/php7.2-fpm.sock
    
    ; Set listen(2) backlog.
    ; Default Value: 511 (-1 on FreeBSD and OpenBSD)
    ;listen.backlog = 511
    
    ; Set permissions for unix socket, if one is used. In Linux, read/write
    ; permissions must be set in order to allow connections from a web server. Many
    ; BSD-derived systems allow connections regardless of permissions.
    ; Default Values: user and group are set as the running user
    ;                 mode is set to 0660
    ;listen.owner = nobody
    ;listen.group = nobody
    ;listen.mode = 0660
    listen.owner = nginx
    listen.group = nginx
    listen.mode = 0660
    
    ; When POSIX Access Control Lists are supported you can set them using
    ; these options, value is a comma separated list of user/group names.
    :
    systemctl enable php-fpm
    systemctl restart php-fpm
  9. 設定 nginx
    vi /etc/nginx/conf.d/librenms.conf
    server {
     listen      80;
     server_name librenms.example.com;
     root        /opt/librenms/html;
     index       index.php;
    
     charset utf-8;
     gzip on;
     gzip_types text/css application/javascript text/javascript application/x-javascript image/svg+xml text/plain text/xsd text/xsl text/xml image/x-icon;
     location / {
      try_files $uri $uri/ /index.php?$query_string;
     }
     location /api/v0 {
      try_files $uri $uri/ /api_v0.php?$query_string;
     }
     location ~ \.php {
      include fastcgi.conf;
      fastcgi_split_path_info ^(.+\.php)(/.+)$;
      fastcgi_pass unix:/var/run/php-fpm/php7.2-fpm.sock;
     }
     location ~ /\.ht {
      deny all;
     }
    }
    systemctl enable nginx
    systemctl restart nginx
  10. 建立 SELinux 與 Allow fping
    yum install policycoreutils-python
     
    semanage fcontext -a -t httpd_sys_content_t '/opt/librenms/logs(/.*)?'
    semanage fcontext -a -t httpd_sys_rw_content_t '/opt/librenms/logs(/.*)?'
    restorecon -RFvv /opt/librenms/logs/
    semanage fcontext -a -t httpd_sys_content_t '/opt/librenms/rrd(/.*)?'
    semanage fcontext -a -t httpd_sys_rw_content_t '/opt/librenms/rrd(/.*)?'
    restorecon -RFvv /opt/librenms/rrd/
    semanage fcontext -a -t httpd_sys_content_t '/opt/librenms/storage(/.*)?'
    semanage fcontext -a -t httpd_sys_rw_content_t '/opt/librenms/storage(/.*)?'
    restorecon -RFvv /opt/librenms/storage/
    semanage fcontext -a -t httpd_sys_content_t '/opt/librenms/bootstrap/cache(/.*)?'
    semanage fcontext -a -t httpd_sys_rw_content_t '/opt/librenms/bootstrap/cache(/.*)?'
    restorecon -RFvv /opt/librenms/bootstrap/cache/
    setsebool -P httpd_can_sendmail=1
    setsebool -P httpd_execmem 1
    vi /tmp/http_fping.tt
    module http_fping 1.0;
    
    require {
    type httpd_t;
    class capability net_raw;
    class rawip_socket { getopt create setopt write read };
    }
    
    #============= httpd_t ==============
    allow httpd_t self:capability net_raw;
    allow httpd_t self:rawip_socket { getopt create setopt write read };
    checkmodule -M -m -o http_fping.mod /tmp/http_fping.tt
    semodule_package -o /tmp/http_fping.pp -m http_fping.mod
    semodule -i /tmp/http_fping.pp
  11. 設定 firewall
    firewall-cmd --zone public --add-service http
    firewall-cmd --permanent --zone public --add-service http
    firewall-cmd --zone public --add-service https
    firewall-cmd --permanent --zone public --add-service https
    <code>
      - 設定 snmpd <code sh>
    cp /opt/librenms/snmpd.conf.example /etc/snmp/snmpd.conf
     
    vi /etc/snmp/snmpd.conf

    將 RANDOMSTRINGGOESHERE 改成你要的 community 字串

    # Change RANDOMSTRINGGOESHERE to your preferred SNMP community string
    #com2sec readonly  default         RANDOMSTRINGGOESHERE
    com2sec readonly  default         **community_string**
    :
    #syslocation Rack, Room, Building, City, Country [GPSX,Y]
    syslocation Taipei, Taiwan
    #syscontact Your Name <[email protected]>
    syscontact Jonathan Tsai <[email protected]>
    :
    curl -o /usr/bin/distro https://raw.githubusercontent.com/librenms/librenms-agent/master/snmp/distro
    chmod +x /usr/bin/distro
    systemctl enable snmpd
    systemctl restart snmpd
  12. 定義 cron table
    cp /opt/librenms/librenms.nonroot.cron /etc/cron.d/librenms
  13. 設定定時清 log
    cp /opt/librenms/misc/librenms.logrotate /etc/logrotate.d/librenms
  14. 設定權限
    chown -R librenms:librenms /opt/librenms
    setfacl -d -m g::rwx /opt/librenms/rrd /opt/librenms/logs /opt/librenms/bootstrap/cache/ /opt/librenms/storage/
    setfacl -R -m g::rwx /opt/librenms/rrd /opt/librenms/logs /opt/librenms/bootstrap/cache/ /opt/librenms/storage/
  15. 至網頁介面進行安裝 網址 Exp. http://192.168.11.200/install.php
    1. 如果這時候無法出現安裝畫面, 表示 nginx default 設定沒有移除
      vi /etc/nginx/nginx.conf
      :
          include             /etc/nginx/mime.types;
          default_type        application/octet-stream;
      
          # Load modular configuration files from the /etc/nginx/conf.d directory.
          # See http://nginx.org/en/docs/ngx_core_module.html#include
          # for more information.
          include /etc/nginx/conf.d/*.conf;
      
      #    server {
      #        listen       80 default_server;
      #        listen       [::]:80 default_server;
      #        server_name  _;
      #        root         /usr/share/nginx/html;
      #
      #        # Load configuration files for the default server block.
      #        include /etc/nginx/default.d/*.conf;
      #
      #        location / {
      #        }
      #
      #        error_page 404 /404.html;
      #            location = /40x.html {
      #        }
      #
      #        error_page 500 502 503 504 /50x.html;
      #            location = /50x.html {
      #        }
      #    }
      
      # Settings for a TLS enabled server.
      #
      #    server {
      :
      systemctl restart nginx
    2. 依照網頁出現的 6 個 Stage 執行
    3. Stage 5 將產生的設定參數資料手動寫入 /opt/librenms/config.php
      vi /opt/librenms/config.php
    4. 調整參數檔案權限
      chown librenms:librenms /opt/librenms/config.php
  16. 再來應該就可以透過網頁依照上一步驟建立的帳號登入

設定自動找尋區域網路內可納管設備

  • 假設區網為 192.168.1.0/24 (192.168.1.1 - 192.168.1.254)
  • SNMP 都是設定為 v1 / v2c , Community 設定為 public 或 ichiayi_snmp
  1. 先安裝 python-ipaddress 模組 yum install python-ipaddress
  2. 先手動加入一個設備進行監管 Exp. 192.168.1.1
  3. vi /opt/librenms/config.php
    :
    # Auto-Discovery
    // v1 or v2c
    $config['snmp']['community'][] = "public";
    $config['snmp']['community'][] = "ichiayi_snmp";
     
    $config['nets'][] = '192.168.1.0/24';
     
    $config['autodiscovery']['nets-exclude'][] = '192.168.1.1/32';
     
    $config['discovery_by_ip'] = true;
  4. 第一次可以手動執行一次
    cd /opt/librenms
    ./snmp-scan.py

    結果:

    [[email protected] librenms]# ./snmp-scan.py
    Scanning IPs:
    ..............................................................................................................................................................................................................................................++++++++++-----
    
    Scanned 253 IPs: 0 known devices, added 10 devices, failed to add 5 devices, 1 ips excluded by config
    Runtime: 104.31 seconds
  5. 之後在區域網路內的新設備如果有啟用 snmp v1 / v2c communty 符合設定的值, 可以在五分鐘內被自動加入

設定告警通知

  • 設定 E-Mail 通知
    • Global Settings → Alerting Settings
      • General alert settings : Default contact ← 填上要接收通知的 E-Mail
        • Exp.
      • Email options 依照實際寄送的 Mail Server 方式設定
        • Exp.
  • 設定告警通知規則
    • Alerts → Alert Rules
      • 當監控的設備無法連線就通知

加裝 Nagios Plugin 增加監控能力

  • 安裝語法
    yum install nagios-plugins-all
  • 更改設定檔
    vi /opt/librenms/config.php
    :
    # nagios-plugins-all
    $config['show_services']           = 1;
    $config['nagios_plugins']   = "/usr/lib64/nagios/plugins";
    chmod +x /usr/lib64/nagios/plugins/*
  • 設定定時起動 services-wrapper.py
    vi /etc/cron.d/librenms
    :
    */5  *    * * *   librenms    /opt/librenms/services-wrapper.py 1
    
    # Daily maintenance script. DO NOT DISABLE!
    :
    service crond restart
  • 可以透過 Add Service 增加設定檢查 SSL 憑證到期日, mail 服務運作是否正常…等等的設定
  • 如果要研究所有 plugin 的語法, 可以直接到 /usr/lib64/nagios/plugins 目錄內下命令測試 Exp. ssmtp → check_ssmtp
    cd /usr/lib64/nagios/plugins/
    ./check_ssmtp --help

看結果

  • 因為網站大量使用 Web Virtual Host 方式設定, 但檢查 SSL 憑證到期日都只會回應預設的網址憑證到期日.. Exp. www.ichiayi.com 與 svn.ichiayi.com
    ./check_http -H www.ichiayi.com --ssl -C 30,10
    SSL OK - Certificate 'www.ichiayi.com' will expire in 79 days on 2019-06-14 23:34 +0800/CST.
    
    ./check_http -H svn.ichiayi.com --ssl -C 30,10
    SSL OK - Certificate 'www.ichiayi.com' will expire in 79 days on 2019-06-14 23:34 +0800/CST.

    所以看到 svn.ichiayi.com 回應出來的結果會出現 www.ichiayi.com , 這問題可以增加 –sni 參數來解決

    ./check_http -H www.ichiayi.com --ssl --sni -C 30,10
    SSL OK - Certificate 'www.ichiayi.com' will expire in 79 days on 2019-06-14 23:34 +0800/CST.
    
    ./check_http -H svn.ichiayi.com --ssl --sni -C 30,10
    SSL WARNING - Certificate 'svn.ichiayi.com' expires in 29 day(s) (2019-04-26 15:26 +0800/CST).

設定 Device Dependencies 設備依存關係

  • Device Dependencies 可以減少不必要的告警通知, 例如 Firewall 故障, Firewall 內所有的主機當然無法使用, 此時可以設定裡面所有的主機的 Parents 是 Firewall 減少不必要的告警通知
  • Exp. 192.168.1.254 是 Firewall, 192.168.1.222 是內部 Wifi 設備, 外部監控的 LibreNMS 可以設定 192.168.1.222 有個 Parents 是 192.168.1.254 可點下參考相關設定畫面

每日自動更版失敗處理

  • 先透過執行 daily.sh 看錯誤訊息
    su - librenms
    ./daily.sh
  • 看錯誤訊息進行處理, Exp. git 檔案被更改, 就移除這些檔案後, 在執行 daily.sh
  • 如果無法解決, 可以透過 validate.php 來檢查
    ./vaildate.php
    :
    [FAIL]  Some folders have incorrect file permissions, this may cause issues.
            [FIX]:
            sudo chown -R librenms:librenms /opt/librenms
            sudo setfacl -d -m g::rwx /opt/librenms/rrd /opt/librenms/logs /opt/libr                                              enms/bootstrap/cache/ /opt/librenms/storage/
            sudo chmod -R ug=rwX /opt/librenms/rrd /opt/librenms/logs /opt/librenms/                                              bootstrap/cache/ /opt/librenms/storage/
            Files:
             /opt/librenms/storage/framework/views/cdca770a337e07f2364ec770e7b408621                                              95170d7.php

    就依照內容說明去修正

    su - root
    chown -R librenms:librenms /opt/librenms
    setfacl -d -m g::rwx /opt/librenms/rrd /opt/librenms/logs /opt/librenms/bootstrap/cache/ /opt/librenms/storage/
    chmod -R ug=rwX /opt/librenms/rrd /opt/librenms/logs /opt/librenms/bootstrap/cache/ /opt/librenms/storage/
  • 其他實用的修復 script:
    • 修復 git 目錄檔案 ./scripts/github-remove

參考網址

tech/librenms.txt · 上一次變更: 2019/06/15 16:58 由 jonathan_tsai