LibreNMS on Raspbian

This will get you from a minimal Raspbian installation to a working LibreNMS. I will show you how to install it and get data pumped in. The basic steps are:
- Install MySQL 5.5
- Install php 5.6
- Install nginx
- Getting LibreNMS
- Create librenms user
- Setting up LibreNMS
- Getting systems connected

Installing MySQL 5.5
Installing the MySQL server version 5.5
aptitude install mysql-server
Configuring the MySQL server
This is my my.cnf:
#
# The MySQL database server configuration file.
#
# You can copy this to one of:
# - "/etc/mysql/my.cnf" to set global options,
# - "~/.my.cnf" to set user-specific options.
#
# One can use all long options that the program supports.
# Run program with --help to get a list of available options and with
# --print-defaults to see which it would actually understand and use.
#
# For explanations see
# http://dev.mysql.com/doc/mysql/en/server-system-variables.html

# This will be passed to all mysql clients
# It has been reported that passwords should be enclosed with ticks/quotes
# especially if they contain "#" chars...
# Remember to edit /etc/mysql/debian.cnf when changing the socket location.
[client]
port = 3306
socket = /var/run/mysqld/mysqld.sock

# Here is entries for some specific programs
# The following values assume you have at least 32M ram

# This was formally known as [safe_mysqld]. Both versions are currently parsed.
[mysqld_safe]
socket = /var/run/mysqld/mysqld.sock
nice = 0

[mysqld]
#
# * Basic Settings
#
user = mysql
pid-file = /var/run/mysqld/mysqld.pid
socket = /var/run/mysqld/mysqld.sock
port = 3306
basedir = /usr
datadir = /var/lib/mysql
tmpdir = /tmp
lc-messages-dir = /usr/share/mysql
skip-external-locking
skip-slave-start
skip-name-resolve
default-time-zone = '+00:00'
#
# Instead of skip-networking the default is now to listen only on
# localhost which is more compatible and is not less secure.
bind-address = 127.0.0.1
#
# * Fine Tuning
#
key_buffer = 16M
max_allowed_packet = 16M
thread_stack = 192K
thread_cache_size = 8
# This replaces the startup script and checks MyISAM tables if needed
# the first time they are touched
myisam-recover = BACKUP
#max_connections = 100
#table_cache = 64
thread_concurrency = 2
#
# * Query Cache Configuration
#
query_cache_limit = 1M
query_cache_size = 16M
#
# * Logging and Replication
#
# Both location gets rotated by the cronjob.
# Be aware that this log type is a performance killer.
# As of 5.1 you can enable the log at runtime!
#general_log_file = /var/log/mysql/mysql.log
#general_log = 1
#
# Error log - should be very few entries.
#
log_error = /var/log/mysql/error.log
#
# Here you can see queries with especially long duration
slow_query_log_file = /var/log/mysql/mysql-slow.log
slow_query_log = 1
long_query_time = 2
log_queries_not_using_indexes
#
# The following can be used as easy to replay backup logs or for replication.
# note: if you are setting up a replication slave, see README.Debian about
# other settings you may need to change.
#server-id = 1
#log_bin = /var/log/mysql/mysql-bin.log
expire_logs_days = 10
max_binlog_size = 100M
#binlog_do_db = include_database_name
#binlog_ignore_db = include_database_name
#
# * InnoDB
#
# InnoDB is enabled by default with a 10MB datafile in /var/lib/mysql/.
# Read the manual for more InnoDB related options. There are many!
innodb_data_file_path = idbdata01:2G:autoextend
#Innodb-Logfiles
innodb_log_group_home_dir = /var/lib/mysql
# Big = faster, but longer recovery times
innodb_log_file_size = 1024M
innodb_log_files_in_group = 2
innodb_open_files = 1024M
innodb_file_per_table=1
#innodb_buffer_pool_size = 61440M
innodb_buffer_pool_instances = 8
# 0, 2 for top performance, 1 for reliability
innodb_flush_log_at_trx_commit = 2
#don't use OS Cache, direct Write forced
innodb_flush_method = O_DIRECT
innodb_thread_concurrency = 2
#Buffer Pool size given for HugePages
#innodb_additional_mem_pool_size = 5M
innodb_use_sys_malloc = 0
#innodb_log_buffer_size = 8M
#innodb_lock_wait_timeout = 50
federated = ON
#
# * Security Features
#
# Read the manual, too, if you want chroot!
# chroot = /var/lib/mysql/
#
# For generating SSL certificates I recommend the OpenSSL GUI "tinyca".
#
# ssl-ca=/etc/mysql/cacert.pem
# ssl-cert=/etc/mysql/server-cert.pem
# ssl-key=/etc/mysql/server-key.pem

[mysqldump]
quick
quote-names
max_allowed_packet = 16M

[mysql]
#no-auto-rehash # faster start of mysql but no tab completion

[isamchk]
key_buffer = 16M

#
# * IMPORTANT: Additional settings that can override those from this file!
# The files must end with '.cnf', otherwise they'll be ignored.
#
!includedir /etc/mysql/conf.d/
Creating the database for librenms
CREATE DATABASE librenms;
GRANT ALL PRIVILEGES ON librenms.* TO 'librenms'@'localhost' IDENTIFIED BY '<password>';
FLUSH PRIVILEGES;
exit
Installing PHP 5.6
The next step is to install all the necessary PHP-related packages:
aptitude install php5-cli php5-mysql php5-gd php5-snmp php-pear php5-curl php5-fpm snmp graphviz php5-mcrypt php5-json fping imagemagick whois mtr-tiny nmap python-mysqldb snmpd php-net-ipv4 php-net-ipv6 rrdtool git
Don’t forget to set the timezone to UTC in the /etc/php5/fpm/php.ini and /etc/php5/cli/php.ini:
[Date]
; Defines the default timezone used by the date functions
; http://php.net/date.timezone
date.timezone = 'Etc/UTC'
Now we can enable mcrypt and restart the php5 subsystem:
php5enmod mcrypt
service php5-fpm restart
Installing nginx
You guessed right: the next step is another install, this time nginx.
aptitude install nginx-full
And these are the changes to /etc/nginx/nginx.conf:
# make sure to turn this off
server_tokens off;

limit_req_zone $binary_remote_addr zone=login:10m rate=3r/m;

log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                '$status $body_bytes_sent "$http_referer" '
                '"$http_user_agent" "$http_x_forwarded_for"';

access_log /var/log/nginx/access.log main;
I also added a global restrictions file, which I will use later in the process to set standards for all new servers, plus some standards for SSL.
#/etc/nginx/global/restrictions.conf

# Prevent clickjacking
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1;mode=block";
add_header Content-Security-Policy "default-src 'self' data: piwik.klammeraffe.org 'unsafe-inline'; report-uri https://www.linuxpinguin.de/r.php";

# enable Gzip
gzip on; # Turn on gZip
gzip_disable msie6;
gzip_static on;
gzip_comp_level 9;
gzip_proxied any;
gzip_types text/plain text/css application/x-javascript text/xml application/xml application/xml+rss text/javascript;

# Block nessus
if ($http_user_agent ~ (Nessus|BadBoys)) {
    return 403;
}

#location ~ ^/wp-login.php* {
#    limit_req zone=login nodelay;
#}

# Deny all attempts to wp-includes/js/swfupload.
location ~ /wp-includes/js/swfupload {
    deny all;
    access_log off;
    log_not_found off;
}

location ~ ^/\.well-known/* {
    allow all;
}

location ~ ^/\.well-known/acme-challenge/* {
    allow all;
}

# Deny all attempts to access hidden files such as .htaccess, .htpasswd, .DS_Store (Mac).
location ~ /\. {
    deny all;
    #access_log off;
    #log_not_found off;
}

# Deny access to any files with a .php extension in the uploads directory
location ~* ^/wp-content/uploads/.*.php$ {
    deny all;
    access_log off;
    log_not_found off;
}

# Deny access to any files with a .php extension in the uploads directory for multisite
location ~* /files/(.*).php$ {
    deny all;
    access_log off;
    log_not_found off;
}

#/etc/nginx/global/ssl.conf
ssl on;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
ssl_prefer_server_ciphers on;
ssl_dhparam /etc/nginx/ssl/dh4096.pem;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 5m;
#ssl_stapling on;
#ssl_stapling_verify on;
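An added check, not part of the original post or of LibreNMS: the ssl.conf above still enables TLSv1 and TLSv1.1, which RFC 8996 deprecates, and lists DES-CBC3-SHA (3DES). The script below flags such tokens in an nginx config file; the function names and the shortened sample config are constructed for this example.

```sh
#!/bin/sh
# Added example: flag legacy TLS settings in an nginx config fragment.
# It checks the literal tokens only; group aliases such as AES or CAMELLIA
# are expanded by OpenSSL ("openssl ciphers -v '<string>'" shows the result).

# Print the arguments of the first uncommented occurrence of a directive.
directive_args() {  # $1 = directive name, $2 = config file
    sed -n "s/^[[:space:]]*$1[[:space:]][[:space:]]*\(.*\);.*/\1/p" "$2" |
        head -n 1 | tr -d "'\""
}

# Print one finding per line; print nothing when no listed weakness is found.
audit_tls() {  # $1 = config file
    for proto in $(directive_args ssl_protocols "$1"); do
        case "$proto" in
            SSLv2|SSLv3|TLSv1|TLSv1.1) echo "legacy-protocol $proto" ;;
        esac
    done
    directive_args ssl_ciphers "$1" | tr ':' '\n' | while read -r cipher; do
        case "$cipher" in
            '!'*|-*) ;;  # token is excluded by the cipher string itself
            *DES-CBC3*|*3DES*) echo "weak-cipher $cipher (3DES, 64-bit block)" ;;
            *RC4*|*MD5*|*NULL*|*EXPORT*) echo "weak-cipher $cipher" ;;
        esac
    done
}

# Constructed sample: the ssl.conf above with the cipher list shortened.
sample_conf() {
    cat <<'EOF'
ssl on;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:AES128-SHA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!EDH-RSA-DES-CBC3-SHA';
ssl_prefer_server_ciphers on;
#ssl_stapling on;
EOF
}

conf=$(mktemp)
sample_conf > "$conf"
audit_tls "$conf"
rm -f "$conf"
```

To check the real file, call audit_tls /etc/nginx/global/ssl.conf after editing it and before restarting nginx.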
Creating the librenms user
useradd librenms -d /opt/librenms -M -r
usermod -a -G librenms www-data
Getting the librenms software
cd /opt
git clone https://github.com/librenms/librenms.git librenms
cd /opt/librenms
mkdir rrd logs
chmod 775 rrd
Setting up the web interface
Write this into the file /etc/nginx/sites-available/librenms.example.com
server {
    listen 80;
    server_name librenms.example.com;
    root /opt/librenms/html;
    index index.php;
    include /etc/nginx/global/restrictions.conf;
    access_log /opt/librenms/logs/access_log main;
    error_log /opt/librenms/logs/error_log;

    location / {
        try_files $uri $uri/ @librenms;
    }

    location ~ \.php {
        include fastcgi.conf;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass unix:/var/run/php5-fpm.sock;
    }

    location ~ /\.ht {
        deny all;
    }

    location @librenms {
        rewrite api/v0(.*)$ /api_v0.php/$1 last;
        rewrite ^(.+)$ /index.php/$1 last;
    }
}
And now activate this:
cd /etc/nginx/sites-enabled
ln -s ../sites-available/librenms.example.com
service nginx restart