Installing GLPI

Manual installation

To manually install GLPI on a machine, use the following steps:

  1. Download the latest stable GLPI release from the Internet ( http://glpi-project.org/spip.php?article41 at the time of this writing)
  2. Install the httpd, mod_ssl, php, php-ldap, mysql-server, php-mysql, php-mbstring, php-gd and MySQL-python packages
    The latest version of GLPI requires PHP 5.6
  3. Extract the GLPI sources in /var/www/html so that the various files are in /var/www/html/glpi
  4. Create /var/www/html/index.html to redirect to glpi as explained at Redirecting_site_using_apache_configuration#Redirect_using_HTML_META_refresh
  5. chown -R apache:apache /var/www/html
  6. service httpd start; chkconfig httpd on
  7. service mysqld start; chkconfig mysqld on
  8. Start the MySQL client using the 'mysql' command and run the following:
    create database glpi;
    grant all on glpi.* to glpi@localhost identified by '<password>';
    flush privileges;
    where <password> should be replaced with a suitable password.
  9. Visit http://<server>/glpi and set up GLPI
  10. Log in using username glpi and password glpi


Automated installation

For automated installation of GLPI, use the following ansible script ('glpi.yaml'):

---
  - name: Download and install glpi
    hosts: glpi_servers
    remote_user: root
 
    vars:
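      glpi_download_url: https://forge.indepnet.net/attachments/download/1954/glpi-0.85.2.tar.gz
      # The download is a gzip tarball, so the local file name uses .tar.gz
      glpi_local_path: /root/glpi.tar.gz
      httpd_document_root: /var/www/html/
      # Example value: replace it, and keep the real password out of the playbook (for example with ansible-vault)
      mysql_glpi_password: rekall123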

    tasks:
      - name: Download GLPI from Internet
        get_url: url="{{ glpi_download_url }}"  dest="{{ glpi_local_path }}"

      - name: Install apache, mod_ssl, php, php-ldap, mysql-server, php-mysql, php-mbstring, php-gd
        yum: name={{ item }} state=present
        with_items:
          - httpd
          - mod_ssl
          - php
          - php-ldap
          - mysql-server
          - php-mysql
          - php-mbstring
          - php-gd
          - MySQL-python
        notify:
          - restart apache


      - stat: path="{{httpd_document_root}}/index.html"
        register: index_html

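      # The template module rewrites the file whenever its content differs from the template.
      # fail2ban is not installed by this playbook; the handler assumes it is already present.
      - name: Install iptables rules from template
        template: src=iptables dest=/etc/sysconfig/iptables
        notify:
          - restart iptables
          - restart fail2ban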

      - name: Extract glpi downloaded sources in /var/www/html
        unarchive: copy=no src="{{glpi_local_path}}" dest="{{httpd_document_root}}" owner=apache group=apache
        when: index_html.stat.exists == False

      - name: Copy index.html file to documentroot
        copy: src=index.html dest="{{ httpd_document_root }}" owner=apache group=apache

      - name: Ensure files are owned by apache user
        file: dest="{{ httpd_document_root }}" owner=apache group=apache recurse=yes

      - name: Start and Enable httpd, mysqld
        service: name={{ item }} state=started enabled=yes
        with_items:
          - httpd
          - mysqld

      - name: Create glpi database in mysql
        mysql_db: name=glpi

      - name: Create glpi user and give all permissions on glpi database
        mysql_user: name=glpi password="{{ mysql_glpi_password }}" priv=glpi.*:ALL

      - name: Print web instructions
        debug: msg="Please visit http://{{ ansible_default_ipv4.address }} and setup glpi using MySQL username glpi, password {{ mysql_glpi_password }} and host localhost.  Login using glpi:glpi"


      - name: Print post setup instructions
        debug: msg="After setup is complete also run glpi_postsetup.yaml playbook to remove install/install.php file from glpi server"


    handlers:
      - name: restart apache
        service: name=httpd state=restarted

      - name: restart iptables
        service: name=iptables state=restarted

      - name: restart fail2ban
        service: name=fail2ban state=restarted

The ansible script assumes that an index.html file with the following content is available in the same folder:

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
	<meta http-equiv="Content-type" content="text/html;charset=UTF-8" />
	<meta http-equiv="Refresh" content="0; URL=glpi" />
</head>
<body>
</body>
</html>

The script also assumes that an iptables jinja2 template with the following content is available in the same folder:

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
#Accept loopback connections
-A INPUT -i lo -j ACCEPT
#Rate limit new connections to 20 new connections per 30 seconds
-A INPUT ! -p udp -m state --state NEW -m recent --name new_limit --set
-A INPUT ! -p udp -m state --state NEW -m recent --name new_limit --rcheck --seconds 30 --hitcount 20 -m limit --limit 2/min -j LOG --log-prefix "new_limit_"
-A INPUT ! -p udp -m state --state NEW -m recent --name new_limit --rcheck --seconds 30 --hitcount 20 -j DROP
#Accept ICMP ping requests at limited rate
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 60/minute --limit-burst 120 -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/minute --limit-burst 2 -j LOG
-A INPUT -p icmp --icmp-type echo-request -j DROP
#Allow ongoing connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#Allow incoming SSH connections.  Hopefully denyhosts will take care of bruteforce attacks
-A INPUT -m state --state NEW -p tcp -m tcp --dport 22 -j ACCEPT
#Allow incoming HTTP, HTTPS connection
-A INPUT -m state --state NEW -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -m state --state NEW -p tcp -m tcp --dport 443 -j ACCEPT
#Allow incoming NRPE queries for nagios
-A INPUT -m state --state NEW -p tcp -m tcp --dport 5666 -j ACCEPT
#Allow SNMP queries for cacti
-A INPUT -p udp -m udp --dport 161 -j ACCEPT
-A INPUT -p udp -m udp --dport 162 -j ACCEPT
#These UDP ports receive too much spam and hence we do not need to log "blocked_input_" for them
-A INPUT -p udp -m udp --dport 67 -j DROP
-A INPUT -p udp -m udp --dport 137 -j DROP
-A INPUT -p udp -m udp --dport 138 -j DROP
-A INPUT -p udp -m udp --dport 17500 -j DROP
#Do not log igmp connections either
-A INPUT -p igmp -j DROP
#Log all other "blocked_input_" attempts
-A INPUT -m state --state NEW -m limit --limit 2/min -j LOG --log-prefix "blocked_input_"
#Reply with proper ICMP error message and reject the connection
-A INPUT -j REJECT --reject-with icmp-host-prohibited
#For VMs NAT or bridge access
-A FORWARD -j ACCEPT
#
#
##Output rules
#Allow outgoing connections to localhost
-A OUTPUT -o lo -j ACCEPT
#Allow ongoing connections
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
#Allow DNS queries
-A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
#Allow server to send emails.  Required for receiving logwatch emails
-A OUTPUT -p tcp -m tcp --dport 25 -j ACCEPT
#Allow DHCP queries
-A OUTPUT -p udp -m udp --dport 67 -j ACCEPT
##Allow server to contact web-servers.  Required for yum update and installation
#For restrictive configurations this can be disabled after install
-A OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 443 -j ACCEPT
#Allow outgoing requests to LDAP server
-A OUTPUT -p tcp -m tcp --dport 389 -j ACCEPT
#Allow outgoing requests to LDAPS server
#-A OUTPUT -p tcp -m tcp --dport 636 -j ACCEPT
#Allow ping requests
-A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
#Allow outgoing connections to OSSEC server
-A OUTPUT -p udp -m udp --dport 1514 -j ACCEPT
#Log all other "blocked_output_" attempts
-A OUTPUT -m state --state NEW -m limit --limit 2/min -j LOG --log-prefix "blocked_output_"
#Reply with proper ICMP error message and reject the connection
-A OUTPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
#
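
The rate-limit rules at the top of this template only work if the recent list tested by --rcheck is the same list that --set populates; a mismatched --name leaves the DROP rule permanently unmatched. The following check is an added example, not part of the original page or playbook: it scans an iptables-save style file for such rules, using a constructed sample (SAMPLE_RULES) and hypothetical function names.

```python
import shlex

# Constructed sample in iptables-save format (not the page's full template):
# the DROP rule tests a recent list that no rule ever populates.
SAMPLE_RULES = """\
*filter
:INPUT ACCEPT [0:0]
-A INPUT ! -p udp -m state --state NEW -m recent --name new_limit --set
-A INPUT ! -p udp -m state --state NEW -m recent --name new_limit --rcheck --seconds 30 --hitcount 20 -j LOG --log-prefix "new_limit_"
-A INPUT ! -p udp -m state --state NEW -m recent --name ssh_limit --rcheck --seconds 30 --hitcount 20 -j DROP
COMMIT
"""

# Options of the recent match that only test (or remove from) an existing list.
READ_FLAGS = {"--rcheck", "--update", "--remove"}


def recent_list_usage(rules_text):
    """Return (names_set, reads); reads holds (lineno, list_name, target) tuples."""
    names_set, reads = set(), []
    for lineno, line in enumerate(rules_text.splitlines(), 1):
        if not line.startswith("-A "):
            continue  # table headers, chain policies, comments, COMMIT
        tokens = shlex.split(line)  # keeps quoted --log-prefix values intact
        if "recent" not in tokens:
            continue
        # The recent match uses the list named DEFAULT when --name is omitted.
        name = tokens[tokens.index("--name") + 1] if "--name" in tokens else "DEFAULT"
        target = tokens[tokens.index("-j") + 1] if "-j" in tokens else None
        if "--set" in tokens:
            names_set.add(name)
        if READ_FLAGS & set(tokens):
            reads.append((lineno, name, target))
    return names_set, reads


def unpopulated_reads(rules_text):
    """Rules that test a recent list which no rule in the file ever fills with --set."""
    names_set, reads = recent_list_usage(rules_text)
    return [r for r in reads if r[1] not in names_set]


if __name__ == "__main__":
    for lineno, name, target in unpopulated_reads(SAMPLE_RULES):
        print(f"line {lineno}: -j {target} tests recent list '{name}' that is never --set")
```

Running it against the rendered /etc/sysconfig/iptables before restarting the service catches a rate limit that would otherwise log but never drop.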


Once installation is complete, use the following script for post-installation setup ('glpi_postsetup.yaml'):

---
  - name: Remove install/install.php from glpi
    hosts: glpi_servers
    remote_user: root
 
    vars:
      httpd_document_root: /var/www/html/

    tasks:
    - name: Remove install/install.php file
      # Keep the whole path inside the quotes so it is passed as one value
      file: path="{{ httpd_document_root }}glpi/install/install.php" state=absent
   


