Installing iTop on Linux¶
Preparation¶
Specification¶
Software components:
- Apache 2.4.x
- MariaDB 10.4.x (server; only the client on a web server that talks to a separate database host)
- PHP 7.4.x
- iTop 2.7.x
Hardware components (the first three columns describe the expected load, the remaining four the recommended sizing):
Monthly tickets | Users | CIs | Servers | CPU | Memory | Storage |
---|---|---|---|---|---|---|
< 200 | < 20 | < 50k | 1 server: all components | 2 vCPU | 4 GB | 10 GB |
< 5000 | < 50 | < 200k | 2 servers: Web + App, DB | 4 vCPU | 8 GB | 20 GB |
> 5000 | > 50 | > 200k | 2 servers: Web + App, DB | 8 vCPU | 16 GB | 50 GB |
Compatibility matrix
Component | Minimum | Supported | Recommended |
---|---|---|---|
PHP | 5.6 | 7.3 | 7.4 |
MySQL | 5.6 | 5.7 | - |
MariaDB | 10.1 | 10.3 | 10.4 |
Apache, PHP & MariaDB repositories¶
Variables
MARIADB_VER="10.4"
PHP_VER="7.4"
Repositories
The blocks below are alternatives, one per distribution family; run only the one that matches the target system. Every block pipes the MariaDB repository setup script straight from the network into bash as root, so a tampered download would run with full privileges: download the script to a file, compare it with the SHA-256 checksum MariaDB publishes for it, and only then execute it. On Debian and Ubuntu, keys dropped into /etc/apt/trusted.gpg.d/ are trusted for every repository, not just the one they were fetched for; a `[signed-by=...]` clause in the sources entry scopes a key to its repository.
# CentOS / RHEL 7 (EPEL, Remi and MariaDB repositories)
yum install -y https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm && \
yum install -y https://rpms.remirepo.net/enterprise/remi-release-7.rpm && \
curl -LsS https://downloads.mariadb.com/MariaDB/mariadb_repo_setup | \
bash -s -- --mariadb-server-version="mariadb-$MARIADB_VER" && \
yum update -y
# CentOS / RHEL 8
dnf install -y https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm && \
dnf install -y https://rpms.remirepo.net/enterprise/remi-release-8.rpm && \
curl -LsS https://downloads.mariadb.com/MariaDB/mariadb_repo_setup | \
bash -s -- --mariadb-server-version="mariadb-$MARIADB_VER" && \
dnf update -y
# Debian, older releases that still ship gnupg-curl (Sury PHP repository only)
apt-get update && \
curl -LsS https://downloads.mariadb.com/MariaDB/mariadb_repo_setup | \
bash -s -- --mariadb-server-version="mariadb-$MARIADB_VER" && \
apt-get -y install apt-transport-https lsb-release ca-certificates curl \
software-properties-common wget gnupg-curl && \
wget -O /etc/apt/trusted.gpg.d/php.gpg https://packages.sury.org/php/apt.gpg && \
echo "deb http://packages.sury.org/php/ $(lsb_release -sc) main" \
> /etc/apt/sources.list.d/php.list && \
apt-get update
# Debian, current releases (Sury Apache2 and PHP repositories)
apt-get update && \
apt-get -y install apt-transport-https lsb-release ca-certificates curl \
software-properties-common wget gnupg && \
curl -LsS https://downloads.mariadb.com/MariaDB/mariadb_repo_setup | \
bash -s -- --mariadb-server-version="mariadb-$MARIADB_VER" && \
wget -O /etc/apt/trusted.gpg.d/apache2.gpg https://packages.sury.org/apache2/apt.gpg && \
wget -O /etc/apt/trusted.gpg.d/php.gpg https://packages.sury.org/php/apt.gpg && \
echo "deb http://packages.sury.org/apache2/ $(lsb_release -sc) main" > \
/etc/apt/sources.list.d/apache2.list && \
echo "deb http://packages.sury.org/php/ $(lsb_release -sc) main" > \
/etc/apt/sources.list.d/php.list && \
apt-get update
# Ubuntu, older releases that still ship gnupg-curl (ondrej PPAs)
apt-get update && \
apt-get -y install apt-transport-https lsb-release ca-certificates curl \
software-properties-common gnupg-curl && \
add-apt-repository -y ppa:ondrej/apache2 && \
add-apt-repository -y ppa:ondrej/php && \
curl -LsS https://downloads.mariadb.com/MariaDB/mariadb_repo_setup | \
bash -s -- --mariadb-server-version="mariadb-$MARIADB_VER" && \
apt-get update
# Ubuntu, current releases
apt-get update && \
apt-get -y install apt-transport-https lsb-release ca-certificates curl \
software-properties-common && \
add-apt-repository -y ppa:ondrej/apache2 && \
add-apt-repository -y ppa:ondrej/php && \
curl -LsS https://downloads.mariadb.com/MariaDB/mariadb_repo_setup | \
bash -s -- --mariadb-server-version="mariadb-$MARIADB_VER" && \
apt-get update
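The download-verify-execute pattern recommended above, as added example code that is not part of the iTop documentation. It replaces `curl ... | bash -s -- ...` with a download to a file, a SHA-256 comparison against a digest you copied out of band (MariaDB publishes one for mariadb_repo_setup in its documentation; nothing on this page supplies it), and only then an execution. The same helper serves the certbot-auto download further down, or any other script fetched with wget. It assumes sha256sum (coreutils) or shasum (BSD/macOS), curl, and a shell that supports `local` (bash, dash, ash).

```shell
#!/bin/sh
# Added example: fetch an installer script and run it only after its SHA-256
# matches a digest obtained out of band. The expected digest is a parameter;
# this file hard-codes no real checksum.

# sha256_of FILE -> prints the lowercase hex SHA-256 digest of FILE
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_sha256 FILE EXPECTED -> 0 when the digest matches, 1 otherwise.
# EXPECTED may be upper- or lowercase hex; it is normalised before comparing.
verify_sha256() {
    local file=$1 expected actual
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    actual=$(sha256_of "$file")
    if [ "$actual" = "$expected" ]; then
        return 0
    fi
    printf 'checksum mismatch for %s\n  expected: %s\n  actual:   %s\n' \
        "$file" "$expected" "$actual" >&2
    return 1
}

# fetch_verified URL EXPECTED DEST -> downloads URL to DEST and keeps it only
# if its SHA-256 equals EXPECTED. On mismatch DEST is removed and 1 returned,
# so no unverified file is left behind for a later `sh DEST`.
fetch_verified() {
    local url=$1 expected=$2 dest=$3
    curl -fsSL -o "$dest" "$url" || return 1
    if ! verify_sha256 "$dest" "$expected"; then
        rm -f "$dest"
        return 1
    fi
}

# Usage, in place of the pipe-to-bash line (EXPECTED is the digest copied from
# the MariaDB documentation, not a value from this page):
#   fetch_verified https://downloads.mariadb.com/MariaDB/mariadb_repo_setup \
#       "$EXPECTED" ./mariadb_repo_setup \
#     && sh ./mariadb_repo_setup --mariadb-server-version="mariadb-$MARIADB_VER"
```

The point of deleting the file on mismatch is that a later `sh ./mariadb_repo_setup` typed from shell history cannot silently run the unverified copy.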
Installing Apache, PHP & MariaDB¶
Installation
# CentOS / RHEL 7 (yum-config-manager comes from yum-utils)
yum install -y httpd yum-utils
yum-config-manager --enable remi-php${PHP_VER//./}   # remi-php74 for PHP_VER=7.4; this stack targets PHP 7.4, not 7.3
yum install -y php php-{mysqlnd,xml,cli,soap,ldap,gd,zip,json,mbstring} graphviz
yum install -y MariaDB-server MariaDB-client
systemctl enable --now httpd mariadb
# CentOS / RHEL 8
dnf module reset -y php
dnf module install -y php:remi-$PHP_VER
dnf install -y httpd
dnf install -y php php-{mysqlnd,xml,cli,soap,ldap,gd,zip,json,mbstring} graphviz
dnf install -y MariaDB-server MariaDB-client
systemctl enable --now httpd mariadb
# Debian / Ubuntu
apt-get install -y apache2
apt-get install -y php$PHP_VER-{mysql,xml,cli,soap,ldap,gd,zip,json,mbstring} \
libapache2-mod-php$PHP_VER graphviz
apt-get install -y mariadb-server-$MARIADB_VER
systemctl enable --now apache2 mariadb   # the systemd unit is named mariadb, whatever the package's version suffix
If the web application and the database run on separate servers, install only the MariaDB client on the web server (the MariaDB repository still has to be registered first, exactly as above).
Installing the MariaDB client
# CentOS / RHEL
curl -LsS https://downloads.mariadb.com/MariaDB/mariadb_repo_setup | \
bash -s -- --mariadb-server-version="mariadb-$MARIADB_VER" && \
yum update -y && yum install -y MariaDB-client
# Debian / Ubuntu
curl -LsS https://downloads.mariadb.com/MariaDB/mariadb_repo_setup | \
bash -s -- --mariadb-server-version="mariadb-$MARIADB_VER" && \
apt-get update && apt-get install -y mariadb-client
Testing the Apache + PHP installation¶
PHP info
echo "<?php phpinfo();?>" > /var/www/html/info.php
Open a browser and request http://IP_ADDRESS/info.php. Delete the file as soon as the test succeeds: phpinfo() discloses the PHP version, loaded modules, filesystem paths and environment variables to anyone who can reach the server.
Database configuration¶
Run mysql_secure_installation and answer every prompt with Y; the transcript below shows the full run.
mysql_secure_installation
NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MariaDB
SERVERS IN PRODUCTION USE! PLEASE READ EACH STEP CAREFULLY!
In order to log into MariaDB to secure it, we'll need the current
password for the root user. If you've just installed MariaDB, and
you haven't set the root password yet, the password will be blank,
so you should just press enter here.
Enter current password for root (enter for none):
OK, successfully used password, moving on...
Setting the root password ensures that nobody can log into the MariaDB
root user without the proper authorisation.
Set root password? [Y/n]
New password:
Re-enter new password:
Password updated successfully!
Reloading privilege tables..
... Success!
By default, a MariaDB installation has an anonymous user, allowing anyone
to log into MariaDB without having to have a user account created for
them. This is intended only for testing, and to make the installation
go a bit smoother. You should remove them before moving into a
production environment.
Remove anonymous users? [Y/n]
... Success!
Normally, root should only be allowed to connect from 'localhost'. This
ensures that someone cannot guess at the root password from the network.
Disallow root login remotely? [Y/n]
... Success!
By default, MariaDB comes with a database named 'test' that anyone can
access. This is also intended only for testing, and should be removed
before moving into a production environment.
Remove test database and access to it? [Y/n]
- Dropping test database...
... Success!
- Removing privileges on test database...
... Success!
Reloading the privilege tables will ensure that all changes made so far
will take effect immediately.
Reload privilege tables now? [Y/n]
... Success!
Cleaning up...
All done! If you've completed all of the above steps, your MariaDB
installation should now be secure.
Thanks for using MariaDB!
itop.cnf
Write the tuning file to /etc/my.cnf.d/ on CentOS/RHEL; the MariaDB packages on Debian/Ubuntu read /etc/mysql/mariadb.conf.d/ instead.
cat << EOF > /etc/my.cnf.d/itop.cnf
[mysqld]
innodb_buffer_pool_size = 512M
query_cache_size = 32M
query_cache_limit = 1M
innodb_default_row_format = DYNAMIC
# innodb_large_prefix was removed in MariaDB 10.3 (large index prefixes are always on);
# the loose- prefix stops an unknown-variable error from aborting startup on 10.3+
# while still applying the setting on older releases
loose-innodb_large_prefix = ON
# max_allowed_packet: set it to a value larger than upload_max_filesize in php.ini, then uncomment
# max_allowed_packet =
EOF
#
systemctl restart mariadb
Preparing the database¶
Variables
# variables
PELADEN_APLIKASI="%"               # host the application user may connect from; '%' means any host, restrict it to the web server's address (or localhost on a single server)
PELADEN_PANGKALAN_DATA="localhost" # database host
PENGGUNA_APLIKASI="app_itop"       # application user
PANGKALAN_DATA_APLIKASI="app_itop" # application database
SANDI_APLIKASI="app_itop"          # placeholder only: generate a real password (for example with openssl rand -base64 24)
CHARSET="utf8mb4"
COLLATION="utf8mb4_general_ci"
Create the database and the application user, and grant that user access to the iTop database only, not to the whole server:
mysql -uroot -h${PELADEN_PANGKALAN_DATA} -p <<EOF
CREATE DATABASE ${PANGKALAN_DATA_APLIKASI} CHARACTER SET = '${CHARSET}' COLLATE = '${COLLATION}';
CREATE USER '${PENGGUNA_APLIKASI}'@'${PELADEN_APLIKASI}' IDENTIFIED BY '${SANDI_APLIKASI}';
GRANT ALL PRIVILEGES ON ${PANGKALAN_DATA_APLIKASI}.* TO '${PENGGUNA_APLIKASI}'@'${PELADEN_APLIKASI}';
FLUSH PRIVILEGES;
EOF
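The provisioning step above, as added example code (not part of the iTop documentation) that refuses the two weak defaults in the variable block: the `%` wildcard host and a password that is short or identical to the user or database name. Parameter order follows the page's variables; the host 10.20.30.41 in the usage comment is a placeholder for the web server's address in the two-server layout, and `openssl rand` is only suggested as a password source. It assumes a shell with `local` (bash, dash).

```shell
#!/bin/sh
# Added example: build the SQL for the iTop database and application user,
# rejecting unsafe inputs instead of emitting them.

# itop_db_sql DB USER HOST PASSWORD [CHARSET] [COLLATION]
#   prints CREATE DATABASE / CREATE USER / GRANT / FLUSH on stdout;
#   returns 1 with the reason on stderr when the inputs are unsafe.
itop_db_sql() {
    local db=$1 user=$2 host=$3 pass=$4
    local charset=${5:-utf8mb4} collation=${6:-utf8mb4_general_ci}

    # a '%' anywhere in the host lets the account be used from any address
    case $host in
        ''|*%*)
            echo "refusing host '$host': use localhost or the application server's address" >&2
            return 1 ;;
    esac
    if [ ${#pass} -lt 16 ]; then
        echo "password too short (${#pass} chars, need 16): try openssl rand -base64 24" >&2
        return 1
    fi
    if [ "$pass" = "$user" ] || [ "$pass" = "$db" ]; then
        echo "password must differ from the user and database names" >&2
        return 1
    fi
    # keep the SQL string literal trivial: no quotes or backslashes to escape
    case $pass in
        *"'"*|*\\*)
            echo "password contains a quote or backslash; pick another" >&2
            return 1 ;;
    esac

    # the grant is scoped to DB.* only: nothing on mysql.* or other schemas
    cat <<EOF
CREATE DATABASE $db CHARACTER SET = '$charset' COLLATE = '$collation';
CREATE USER '$user'@'$host' IDENTIFIED BY '$pass';
GRANT ALL PRIVILEGES ON $db.* TO '$user'@'$host';
FLUSH PRIVILEGES;
EOF
}

# Usage on the database server (mysql prompts for the root password):
#   SANDI_APLIKASI=$(openssl rand -base64 24)
#   itop_db_sql "$PANGKALAN_DATA_APLIKASI" "$PENGGUNA_APLIKASI" 10.20.30.41 "$SANDI_APLIKASI" \
#     | mysql -uroot -p
```

Because the function writes the statements to stdout, the generated SQL can be reviewed before it is piped into mysql, and the same call works unchanged for the single-server case with `localhost` as the host.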
Process¶
Installing iTop¶
There are several ways to lay out the iTop installation:
Installation options
- Document root: the web application lives in the web server's document root, for example /var/www/html.
- Sub-directory: usable while no domain name is available yet; the installation is then reached through the IP address followed by the sub-directory, for example http://10.20.30.40/itop.
- Domain / sub-domain: requires that the web server is already reachable under its FQDN (Fully Qualified Domain Name) and that an Apache virtual host is configured for it, for example http://itop.domain.tld.
Variables
TAUTAN_SUMBER_ITOP="https://sourceforge.net/projects/itop/files/itop"
VERSI_ITOP="2.7.5-1"
RILIS_ITOP="7770"
# web server user and group: CentOS / RHEL
PENGGUNA_PELADEN_WEB="apache"
GRUP_PELADEN_WEB="apache"
# web server user and group: Debian / Ubuntu
PENGGUNA_PELADEN_WEB="www-data"
GRUP_PELADEN_WEB="www-data"
Download & install
wget $TAUTAN_SUMBER_ITOP/$VERSI_ITOP/iTop-$VERSI_ITOP-$RILIS_ITOP.zip
mkdir $VERSI_ITOP
unzip iTop-$VERSI_ITOP-$RILIS_ITOP.zip -d $VERSI_ITOP
# target directory, one of the three layouts above
LOKASI_DIREKTORI="/var/www/html"                 # document root
LOKASI_DIREKTORI="/var/www/html/itop"            # sub-directory
NAMA_DOMAIN="itop.domain.tld"
LOKASI_DIREKTORI="/var/www/$NAMA_DOMAIN/html"    # domain / sub-domain (virtual host)
mkdir -p $LOKASI_DIREKTORI/{conf,data,env-production,log}
cp -av ./$VERSI_ITOP/web/. $LOKASI_DIREKTORI/    # web/. rather than web/* so that dotfiles such as a .htaccess are copied too
chown -Rv $PENGGUNA_PELADEN_WEB:$GRUP_PELADEN_WEB $LOKASI_DIREKTORI
rm -rf $VERSI_ITOP
The web server user must own the tree while the browser-based setup wizard runs, because the wizard writes into conf/, data/, env-production/ and log/. Once the wizard has finished, make the generated configuration file under conf/ read-only, so that a compromised PHP process cannot rewrite the application's database credentials or settings.
Apache2 - virtual host¶
Variables
# variables
NAMA_DOMAIN="itop.domain.tld"
NAMA_PENGGUNA="deploy"
SUREL_LE="[email protected]"
Sub-domain
Create the document and log directories and hand the document directory to the deployment user ($NAMA_PENGGUNA). The log directory stays owned by root, since Apache opens its log files before dropping privileges. For the iTop tree itself the ownership set in the installation step (the web server user) applies.
mkdir -p /var/www/$NAMA_DOMAIN/{html,log}
chown -R $NAMA_PENGGUNA:$NAMA_PENGGUNA /var/www/$NAMA_DOMAIN/html
Create a sample HTML file to check that the virtual host works
cat << EOF | tee /var/www/$NAMA_DOMAIN/html/index.html
<html>
<head>
<title>Welcome to a great site!</title>
</head>
<body>
<h1>Success! The virtual host $NAMA_DOMAIN is working!</h1>
</body>
</html>
EOF
# CentOS / RHEL: files in conf.d are loaded automatically
cat << EOF | tee /etc/httpd/conf.d/$NAMA_DOMAIN.conf
<VirtualHost *:80>
ServerName $NAMA_DOMAIN
DocumentRoot /var/www/$NAMA_DOMAIN/html
ErrorLog /var/www/$NAMA_DOMAIN/log/error.log
CustomLog /var/www/$NAMA_DOMAIN/log/requests.log combined
</VirtualHost>
EOF
apachectl configtest && systemctl reload httpd
# Debian / Ubuntu: there is no conf.d; sites live in sites-available and are enabled with a2ensite
cat << EOF | tee /etc/apache2/sites-available/$NAMA_DOMAIN.conf
<VirtualHost *:80>
ServerName $NAMA_DOMAIN
DocumentRoot /var/www/$NAMA_DOMAIN/html
ErrorLog /var/www/$NAMA_DOMAIN/log/error.log
CustomLog /var/www/$NAMA_DOMAIN/log/requests.log combined
</VirtualHost>
EOF
a2ensite $NAMA_DOMAIN.conf && apachectl configtest && systemctl reload apache2
SELinux¶
CentOS and RHEL enable SELinux by default as
Global policy for the Apache2 log directory
The virtual host above writes its logs under /var/www/$NAMA_DOMAIN/log, which inherits the httpd_sys_content_t label of /var/www (the "before" listing below shows exactly that); in enforcing mode httpd cannot write there until the directory is relabelled httpd_log_t, so point LOKASI_DIREKTORI_LOG at the directory the virtual host actually logs to. The distributions' own log directories already carry httpd_log_t.
LOKASI_DIREKTORI_LOG="/var/log/httpd"              # CentOS / RHEL default log directory
LOKASI_DIREKTORI_LOG="/var/log/apache2"            # Debian / Ubuntu default log directory
LOKASI_DIREKTORI_LOG="/var/www/$NAMA_DOMAIN/log"   # per-virtual-host log directory used above
# check before
ls -dlZ $LOKASI_DIREKTORI_LOG
# apply the context to the log directory
semanage fcontext -a -t httpd_log_t "$LOKASI_DIREKTORI_LOG(/.*)?"
restorecon -Rv $LOKASI_DIREKTORI_LOG
# check after
ls -dlZ $LOKASI_DIREKTORI_LOG
# listing before relabelling:
drwxr-xr-x. 2 root root unconfined_u:object_r:httpd_sys_content_t:s0 6 May 20 01:02 $LOKASI_DIREKTORI_LOG
# listing after relabelling:
drwxr-xr-x. 2 root root unconfined_u:object_r:httpd_log_t:s0 6 May 20 01:02 $LOKASI_DIREKTORI_LOG
systemctl restart httpd
ls -lZ $LOKASI_DIREKTORI_LOG
total 4
-rw-r--r--. 1 root root system_u:object_r:httpd_log_t:s0 0 May 20 01:24 error.log
-rw-r--r--. 1 root root system_u:object_r:httpd_log_t:s0 405 May 20 01:24 requests.log
iTop document root
The httpd_unified boolean lets httpd read, write and execute every httpd_*_content_t file on the system, far more than iTop needs; it is the quick route. The least-privilege route is to label only conf/, data/, env-production/ and log/ as httpd_sys_rw_content_t and leave the rest of the tree read-only under httpd_sys_content_t.
setsebool -P httpd_unified 1
matchpathcon -V $LOKASI_DIREKTORI/*
restorecon -Rv $LOKASI_DIREKTORI
systemctl restart httpd
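The least-privilege alternative to `httpd_unified` described above, as added example code that is not part of the iTop documentation. `selinux_plan` prints the semanage/restorecon commands for a document root without running them, so they can be reviewed first; `selinux_audit` reads the output of `ls -dZ DOCROOT/*` (one `context path` pair per line) and reports every entry whose type does not match the policy. The list of writable directories is taken from the mkdir step of this page; the sample listing in the test is constructed. It assumes a shell with `local` (bash, dash) and the coreutils `ls -Z` output format.

```shell
#!/bin/sh
# Added example: label only iTop's writable directories httpd_sys_rw_content_t,
# keep everything else httpd_sys_content_t, and audit a directory listing
# against that policy.

ITOP_RW_DIRS="conf data env-production log"

# expected_type DOCROOT PATH -> the SELinux type PATH should carry
expected_type() {
    local docroot=$1 path=$2 rel d
    rel=${path#"$docroot"/}     # path relative to the document root
    rel=${rel%%/*}              # its first component
    for d in $ITOP_RW_DIRS; do
        if [ "$rel" = "$d" ]; then
            echo httpd_sys_rw_content_t
            return 0
        fi
    done
    echo httpd_sys_content_t
}

# selinux_plan DOCROOT -> prints the commands that implement the policy
selinux_plan() {
    local docroot=$1 d
    echo "semanage fcontext -a -t httpd_sys_content_t \"$docroot(/.*)?\""
    for d in $ITOP_RW_DIRS; do
        echo "semanage fcontext -a -t httpd_sys_rw_content_t \"$docroot/$d(/.*)?\""
    done
    echo "restorecon -Rv \"$docroot\""
}

# selinux_audit DOCROOT   (reads `ls -dZ` lines on stdin)
#   prints "PATH ACTUAL_TYPE EXPECTED_TYPE" for each mismatch;
#   returns 1 if any mismatch was found, 0 otherwise
selinux_audit() {
    local docroot=$1 rc=0 ctx path type want
    while read -r ctx path; do
        [ -n "$path" ] || continue
        type=$(printf '%s' "$ctx" | cut -d: -f3)   # user:role:TYPE:level
        want=$(expected_type "$docroot" "$path")
        if [ "$type" != "$want" ]; then
            echo "$path $type $want"
            rc=1
        fi
    done
    return $rc
}

# Usage:
#   ls -dZ /var/www/html/itop/* | selinux_audit /var/www/html/itop
#   selinux_plan /var/www/html/itop          # review, then pipe into sh
```

Run the audit again after the setup wizard has finished: files the wizard creates inherit the label of their directory, so a correctly labelled tree stays correct, while a later `cp` of new files from elsewhere is the usual way a wrong label creeps in.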
Firewall¶
FirewallD & UFW
# FirewallD (CentOS / RHEL)
systemctl status firewalld
systemctl enable --now firewalld
firewall-cmd --get-default-zone
firewall-cmd --list-all
firewall-cmd --list-all-zones
firewall-cmd --list-services --zone=external
# the external zone enables IP masquerading (it is meant for a router's outside interface);
# for a plain web server the public zone is the usual choice
firewall-cmd --set-default-zone=external
firewall-cmd --change-interface=eth0 --zone=external
firewall-cmd --list-all --zone=external
# or bind the zone to the NetworkManager connection so it survives reboots
nmcli c mod eth1 connection.zone external
firewall-cmd --get-active-zones
#
firewall-cmd --get-services
ls /usr/lib/firewalld/services
firewall-cmd --add-service=http --permanent   # add --add-service=https as well once TLS is set up below
firewall-cmd --reload
firewall-cmd --list-services
# UFW (Debian / Ubuntu)
systemctl status ufw
systemctl enable --now ufw
# TODO
Completion¶
Optimising & securing the installation¶
PHP extensions¶
APCu
Variables (CentOS / RHEL)
PATH_PHPINI="/etc/php.ini"
Installation (CentOS / RHEL)
yum install -y php-pecl-apcu
# only needed when building APCu with pecl instead of installing the Remi package:
# yum install -y php-pear httpd-devel pcre-devel gcc make
Variables (Debian / Ubuntu)
PATH_PHPINI="/etc/php/$PHP_VER/mods-available/apcu.ini"
Installation (Debian / Ubuntu)
apt-get install -y php-apcu
php.ini / apcu.ini
cp $PATH_PHPINI{,.`date +"%Y%m%d%H%M"`}
cat << EOF >> $PATH_PHPINI
apc.enabled=1
; shared memory segment size (ini files take ';' comments; '#' comments are rejected since PHP 7)
apc.shm_size=512M
; cache entry lifetime, 1 hour (APCu has a single user cache: the old APC setting apc.user_ttl does not exist here)
apc.ttl=3600
; garbage collection, 1 hour
apc.gc_ttl=3600
EOF
#
Reload the web server
systemctl restart httpd     # CentOS / RHEL
systemctl restart apache2   # Debian / Ubuntu
Diffie–Hellman key exchange¶
Generating 4096-bit parameters takes several minutes of CPU time; the file is referenced by the SSLOpenSSLConfCmd DHParameters line in ssl-params.conf below.
openssl dhparam -out /etc/ssl/certs/dhparam.pem 4096
LE snippets¶
letsencrypt.conf
# a challenge directory shared by all virtual hosts; the setgid bit lets files created there inherit the web server group
mkdir -p /var/lib/letsencrypt/.well-known
chgrp apache /var/lib/letsencrypt
chmod g+s /var/lib/letsencrypt
#
cat << EOF > /etc/httpd/conf.d/letsencrypt.conf
Alias /.well-known/acme-challenge/ "/var/lib/letsencrypt/.well-known/acme-challenge/"
<Directory "/var/lib/letsencrypt/">
AllowOverride None
# serving challenge files needs no directory index, MultiViews or includes
Options None
Require method GET POST OPTIONS
</Directory>
EOF
# CentOS / RHEL path; on Debian / Ubuntu write the same file to /etc/apache2/conf-available/ssl-params.conf,
# then: a2enmod ssl headers && a2enconf ssl-params
cat << EOF > /etc/httpd/conf.d/ssl-params.conf
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM
# Requires Apache 2.4.36 & OpenSSL 1.1.1
SSLProtocol -all +TLSv1.3 +TLSv1.2
SSLOpenSSLConfCmd Curves X25519:secp521r1:secp384r1:prime256v1
# Older versions
# SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLHonorCipherOrder On
# HSTS for two years. The preload token is left out on purpose: the preload list requires
# includeSubDomains and an entry is hard to withdraw, so add "; includeSubDomains; preload"
# only when every sub-domain serves HTTPS and you intend to submit the domain.
Header always set Strict-Transport-Security "max-age=63072000"
Header always set X-Frame-Options DENY
Header always set X-Content-Type-Options nosniff
# Requires Apache >= 2.4
SSLCompression off
SSLUseStapling on
SSLStaplingCache "shmcb:logs/stapling-cache(150000)"
# Requires Apache >= 2.4.11
SSLSessionTickets Off
SSLOpenSSLConfCmd DHParameters "/etc/ssl/certs/dhparam.pem"
EOF
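A lint for the ssl-params.conf written above, as added example code that is not part of the original page. It reads an Apache configuration file and flags the settings that most often regress on a server like this one: an SSLProtocol line that still lets TLS 1.0 or 1.1 be negotiated, SSLCompression not switched off, an HSTS max-age under one year, and a `preload` token without `includeSubDomains` (which the preload list rejects). The protocol check approximates Apache's `+`/`-` token semantics rather than reimplementing mod_ssl's parser. It assumes a shell with `local` (bash, dash) plus grep and sed; the configuration snippets in the test are constructed.

```shell
#!/bin/sh
# Added example: check an Apache TLS configuration file for the settings that
# commonly regress (protocol versions, compression, HSTS value).

# ssl_protocol_ok "SSLProtocol ..." -> 0 if TLS 1.0 and 1.1 end up disabled.
# A bare or +token enables, a -token disables, all/-all set or clear
# everything; later tokens win, as in Apache.
ssl_protocol_ok() {
    local w tls10=0 tls11=0
    for w in $1; do
        case $w in
            SSLProtocol)        ;;
            all|+all|All|+All)  tls10=1; tls11=1 ;;
            -all|-All)          tls10=0; tls11=0 ;;
            TLSv1|+TLSv1)       tls10=1 ;;
            -TLSv1)             tls10=0 ;;
            TLSv1.1|+TLSv1.1)   tls11=1 ;;
            -TLSv1.1)           tls11=0 ;;
        esac
    done
    [ "$tls10" -eq 0 ] && [ "$tls11" -eq 0 ]
}

# check_hsts VALUE -> 0 if the header value is acceptable; otherwise prints why and returns 1
check_hsts() {
    local v=$1 age
    age=$(printf '%s' "$v" | sed -n 's/.*max-age=\([0-9][0-9]*\).*/\1/p')
    if [ -z "$age" ]; then echo "HSTS: missing max-age"; return 1; fi
    if [ "$age" -lt 31536000 ]; then echo "HSTS: max-age $age is below one year"; return 1; fi
    case $v in
        *preload*)
            case $v in
                *includeSubDomains*) ;;
                *) echo "HSTS: preload requires includeSubDomains"; return 1 ;;
            esac ;;
    esac
    return 0
}

# active_lines FILE -> the file without comment lines
active_lines() { grep -v '^[[:space:]]*#' "$1"; }

# check_ssl_params FILE -> prints one finding per line, returns 1 if there was any
check_ssl_params() {
    local f=$1 rc=0 proto comp hsts
    proto=$(active_lines "$f" | grep -i '^[[:space:]]*SSLProtocol' | head -n 1)
    if [ -z "$proto" ]; then
        echo "SSLProtocol: not set (Apache's default still allows TLS 1.0/1.1)"; rc=1
    elif ! ssl_protocol_ok "$proto"; then
        echo "SSLProtocol: TLS 1.0/1.1 still negotiable: $proto"; rc=1
    fi
    comp=$(active_lines "$f" | grep -i '^[[:space:]]*SSLCompression' | head -n 1)
    case $comp in
        *[Oo][Ff][Ff]*) ;;
        *) echo "SSLCompression: should be off"; rc=1 ;;
    esac
    hsts=$(active_lines "$f" | grep -i 'Strict-Transport-Security' \
           | sed -n 's/.*"\([^"]*\)".*/\1/p' | head -n 1)
    if [ -z "$hsts" ]; then
        echo "HSTS: Strict-Transport-Security header not set"; rc=1
    elif ! check_hsts "$hsts"; then
        rc=1
    fi
    return $rc
}

# Usage:  check_ssl_params /etc/httpd/conf.d/ssl-params.conf && echo OK
```

The check is static: it tells you what the file asks for, not what the running server negotiates, so keep it as a pre-reload gate next to `apachectl configtest` and confirm the live behaviour with an external TLS scanner after the reload.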
Certbot / Let's Encrypt¶
Variables
SUREL_LE="[email protected]"
NAMA_DOMAIN="itop.domain.tld"
Installing Certbot
certbot-auto, the self-updating wrapper script used below, has since been deprecated by the EFF; on current systems install certbot from the distribution package or snap and run the same subcommands. If you do use the script, note that it is fetched here without any integrity check: verify the detached signature the EFF published for it before giving it the execute bit.
# bin
wget https://dl.eff.org/certbot-auto
mv certbot-auto /usr/local/bin/certbot-auto
chown root /usr/local/bin/certbot-auto
chmod 0755 /usr/local/bin/certbot-auto
# cert
/usr/local/bin/certbot-auto --apache \
-m $SUREL_LE -d $NAMA_DOMAIN --agree-tos
/usr/local/bin/certbot-auto enhance --apache --redirect --hsts --uir
/usr/local/bin/certbot-auto enhance --auto-hsts
# renew twice a day at a random offset of up to an hour, as the Let's Encrypt documentation recommends
echo "0 0,12 * * * root python3 -c 'import random; import time; time.sleep(random.random() * 3600)' && /usr/local/bin/certbot-auto renew -q" | sudo tee -a /etc/crontab > /dev/null
Integration¶
OCS Inventory¶
Run the collector's configuration step as the web server user (www-data on Debian/Ubuntu, apache on CentOS/RHEL) so that the files it writes stay owned by that account:
sudo -u www-data /usr/bin/php /var/www/html/itop/extensions/ocsng-data-collector/exec.php --console_log_level=9 --configure_only