LibreNMS on Raspbian

Sep 5, 2016

This guide takes you from a minimal Raspbian installation to a working LibreNMS. I will show you how to install it and get data flowing in. The basic steps are:

  • Install MySQL 5.5
  • Install php 5.6
  • Install nginx
  • Getting LibreNMS
  • Create librenms user
  • Setting up LibreNMS
  • Getting systems connected

 

Installing MySQL 5.5

Installing the MySQL server version 5.5:

aptitude install mysql-server

Configuring the MySQL server

This is my my.cnf:

#
# The MySQL database server configuration file.
#
# You can copy this to one of:
# - "/etc/mysql/my.cnf" to set global options,
# - "~/.my.cnf" to set user-specific options.
# 
# One can use all long options that the program supports.
# Run program with --help to get a list of available options and with
# --print-defaults to see which it would actually understand and use.
#
# For explanations see
# http://dev.mysql.com/doc/mysql/en/server-system-variables.html

# This will be passed to all mysql clients
# It has been reported that passwords should be enclosed with ticks/quotes
# especially if they contain "#" chars...
# Remember to edit /etc/mysql/debian.cnf when changing the socket location.
[client]
port		= 3306
socket		= /var/run/mysqld/mysqld.sock

# Here is entries for some specific programs
# The following values assume you have at least 32M ram

# This was formerly known as [safe_mysqld]. Both versions are currently parsed.
[mysqld_safe]
socket		= /var/run/mysqld/mysqld.sock
nice		= 0

[mysqld]
#
# * Basic Settings
#
user		= mysql
pid-file	= /var/run/mysqld/mysqld.pid
socket		= /var/run/mysqld/mysqld.sock
port		= 3306
basedir		= /usr
datadir		= /var/lib/mysql
tmpdir		= /tmp
lc-messages-dir	= /usr/share/mysql
skip-external-locking
skip-slave-start
skip-name-resolve
default-time-zone  = '+00:00'

#
# Instead of skip-networking the default is now to listen only on
# localhost which is more compatible and is not less secure.
bind-address		= 127.0.0.1

#
# * Fine Tuning
#
key_buffer		= 16M
max_allowed_packet	= 16M
thread_stack		= 192K
thread_cache_size       = 8
# This replaces the startup script and checks MyISAM tables if needed
# the first time they are touched
myisam-recover         = BACKUP
#max_connections        = 100
#table_cache            = 64
thread_concurrency     = 2
#
# * Query Cache Configuration
#
query_cache_limit	= 1M
query_cache_size        = 16M
#
# * Logging and Replication
#
# Both location gets rotated by the cronjob.
# Be aware that this log type is a performance killer.
# As of 5.1 you can enable the log at runtime!
#general_log_file        = /var/log/mysql/mysql.log
#general_log             = 1
#
# Error log - should be very few entries.
#
log_error = /var/log/mysql/error.log
#
# Here you can see queries with especially long duration
slow_query_log_file = /var/log/mysql/mysql-slow.log
slow_query_log      = 1
long_query_time = 2
log_queries_not_using_indexes
#
# The following can be used as easy to replay backup logs or for replication.
# note: if you are setting up a replication slave, see README.Debian about
#       other settings you may need to change.
#server-id		= 1
#log_bin			= /var/log/mysql/mysql-bin.log
expire_logs_days	= 10
max_binlog_size         = 100M
#binlog_do_db		= include_database_name
#binlog_ignore_db	= include_database_name
#
# * InnoDB
#
# InnoDB is enabled by default with a 10MB datafile in /var/lib/mysql/.
# Read the manual for more InnoDB related options. There are many!
innodb_data_file_path   = idbdata01:2G:autoextend

#Innodb-Logfiles
innodb_log_group_home_dir = /var/lib/mysql
# Big = faster, but longer recovery times
innodb_log_file_size    = 1024M
innodb_log_files_in_group = 2

# innodb_open_files is a count of .ibd files kept open, not a size
innodb_open_files   = 1024
innodb_file_per_table=1
#innodb_buffer_pool_size   = 61440M
innodb_buffer_pool_instances  = 8

# 0, 2 for top performance, 1 for reliability
innodb_flush_log_at_trx_commit  = 2

#dont use OS Cache, direct Write forced
innodb_flush_method   = O_DIRECT
innodb_thread_concurrency = 2


#Buffer Pool size given for HugePages
#innodb_additional_mem_pool_size  = 5M
innodb_use_sys_malloc   = 0
#innodb_log_buffer_size   = 8M
#innodb_lock_wait_timeout = 50
federated     = ON

#
# * Security Features
#
# Read the manual, too, if you want chroot!
# chroot = /var/lib/mysql/
#
# For generating SSL certificates I recommend the OpenSSL GUI "tinyca".
#
# ssl-ca=/etc/mysql/cacert.pem
# ssl-cert=/etc/mysql/server-cert.pem
# ssl-key=/etc/mysql/server-key.pem



[mysqldump]
quick
quote-names
max_allowed_packet	= 16M

[mysql]
#no-auto-rehash	# faster start of mysql but no tab completion

[isamchk]
key_buffer		= 16M

#
# * IMPORTANT: Additional settings that can override those from this file!
#   The files must end with '.cnf', otherwise they'll be ignored.
#
!includedir /etc/mysql/conf.d/

 

Creating the database for librenms

CREATE DATABASE librenms;
GRANT ALL PRIVILEGES ON librenms.*
  TO 'librenms'@'localhost'
  IDENTIFIED BY '<password>'
;
FLUSH PRIVILEGES;
exit

Installing PHP 5.6

The next step is to install all the necessary PHP-related packages:

aptitude install php5-cli php5-mysql php5-gd php5-snmp php-pear php5-curl php5-fpm snmp graphviz php5-mcrypt php5-json  fping imagemagick whois mtr-tiny nmap python-mysqldb snmpd php-net-ipv4 php-net-ipv6 rrdtool git

Don’t forget to set the timezone to UTC in both /etc/php5/fpm/php.ini and /etc/php5/cli/php.ini:

[Date]
; Defines the default timezone used by the date functions
; http://php.net/date.timezone
date.timezone = 'Etc/UTC'

Now we can enable the mcrypt module and restart the php5 subsystem so that the module is loaded:

php5enmod mcrypt
service php5-fpm restart

Installing nginx

As you may have guessed, the next step is another install: nginx.

aptitude install nginx-full

And these are the changes to /etc/nginx/nginx.conf:

# make sure to turn this off
server_tokens off;
limit_req_zone $binary_remote_addr zone=login:10m rate=3r/m;
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                '$status $body_bytes_sent "$http_referer" '
                '"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;

I added a global restrictions file, which I will use later in the process to set standards for all new servers, and some standards for SSL too.

#/etc/nginx/global/restrictions.conf
# Prevent clickjacking
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1;mode=block";
add_header Content-Security-Policy "default-src 'self' data: piwik.klammeraffe.org 'unsafe-inline'; report-uri https://www.linuxpinguin.de/r.php";

# enable Gzip
gzip on; # Turn on gZip
gzip_disable msie6;
gzip_static on;
gzip_comp_level 9;
gzip_proxied any;
gzip_types text/plain text/css application/x-javascript text/xml application/xml application/xml+rss text/javascript;

# Block nessus
if ($http_user_agent ~ (Nessus|BadBoys)) {
  return 403;
}

#location ~ ^/wp-login.php* {
#  limit_req zone=login nodelay;
#}

# Deny all attempts to wp-includes/js/swfupload.
location ~ /wp-includes/js/swfupload {
  deny all;
  access_log off;
  log_not_found off;
}

location ~ ^/\.well-known/* {
  allow all;
}

location ~ ^/\.well-known/acme-challenge/* {
  allow all;
}

# Deny all attempts to access hidden files such as .htaccess, .htpasswd, .DS_Store (Mac).
location ~ /\. {
  deny all;
  #access_log off;
  #log_not_found off;
}

# Deny access to any files with a .php extension in the uploads directory
location ~* ^/wp-content/uploads/.*\.php$ {
  deny all;
  access_log off;
  log_not_found off;
}

# Deny access to any files with a .php extension in the uploads directory for multisite
location ~* /files/(.*)\.php$ {
  deny all;
  access_log off;
  log_not_found off;
}

#/etc/nginx/global/ssl.conf
ssl on;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
ssl_prefer_server_ciphers on;
ssl_dhparam /etc/nginx/ssl/dh4096.pem;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout  5m;
#ssl_stapling on;
#ssl_stapling_verify on;
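
An added check, not part of the original post: the ssl.conf above still enables TLSv1 and TLSv1.1, which RFC 8996 has since deprecated, and its cipher list keeps DES-CBC3-SHA (3DES) because !DES only removes single DES. The script below lists such settings in a config file; the names audit_tls and sample_conf are made up for this example, and the sample input is a constructed, shortened version of the lines above.

```shell
#!/bin/sh
# Added example, not from the original post: list legacy TLS settings
# that an nginx config file still enables.

# audit_tls FILE: one finding per line; exit status 1 if anything is flagged.
audit_tls() {
    conf=$1
    rc=0

    # Versions on the ssl_protocols line. TLSv1 and TLSv1.1 were deprecated
    # by RFC 8996; SSLv2 and SSLv3 are older still.
    for p in $(sed -n 's/^[[:space:]]*ssl_protocols[[:space:]]\{1,\}\([^;#]*\);.*/\1/p' "$conf"); do
        case $p in
            SSLv2|SSLv3|TLSv1|TLSv1.1) echo "protocol: $p"; rc=1 ;;
        esac
    done

    # Entries of the ssl_ciphers list. Entries starting with "!" or "-"
    # remove suites, so only the others can enable something weak.
    for c in $(sed -n 's/^[[:space:]]*ssl_ciphers[[:space:]]\{1,\}\([^;#]*\);.*/\1/p' "$conf" \
               | tr -d "'\"" | tr ':' ' '); do
        case $c in
            '!'*|-*) ;;
            *3DES*|*DES-CBC3*|*RC4*|*MD5*|*NULL*|*EXPORT*) echo "cipher: $c"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample: the protocol line and a shortened cipher list in the
# style of the ssl.conf above.
sample_conf() {
    cat <<'EOF'
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:AES128-SHA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!EDH-RSA-DES-CBC3-SHA';
ssl_prefer_server_ciphers on;
EOF
}

tmp=$(mktemp)
sample_conf > "$tmp"
audit_tls "$tmp" || echo "legacy TLS settings are still enabled"
rm -f "$tmp"
```

Calling audit_tls on /etc/nginx/global/ssl.conf prints nothing once the legacy protocol and cipher entries have been removed.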

 

Creating the librenms user

useradd librenms -d /opt/librenms -M -r
usermod -a -G librenms www-data

Getting the librenms software

cd /opt
git clone https://github.com/librenms/librenms.git librenms
cd /opt/librenms
mkdir rrd logs
chmod 775 rrd

Setting up the web interface

Write this into the file /etc/nginx/sites-available/librenms.example.com:

server {
 listen      80;
 server_name librenms.example.com;
 root        /opt/librenms/html;
 index       index.php;
 include /etc/nginx/global/restrictions.conf;
 access_log  /opt/librenms/logs/access_log main;
 error_log   /opt/librenms/logs/error_log;
 location / {
  try_files $uri $uri/ @librenms;
 }
 location ~ \.php {
  include fastcgi.conf;
  fastcgi_split_path_info ^(.+\.php)(/.+)$;
  fastcgi_pass unix:/var/run/php5-fpm.sock;
 }
 location ~ /\.ht {
  deny all;
 }
 location @librenms {
  rewrite api/v0(.*)$ /api_v0.php/$1 last;
  rewrite ^(.+)$ /index.php/$1 last;
 }
}

And now activate it:

cd /etc/nginx/sites-enabled
ln -s ../sites-available/librenms.example.com
service nginx restart