Installing OCS Inventory NG on CentOS 8
Preparation
Specifications
- 1x database server
  - MySQL or MariaDB (db06-mysql-8)
  - MariaDB is recommended
  - DigitalOcean Managed Database is used for this implementation
- 3x application servers, split as follows
  - 1x administration server (app18-invensi-adm), the interface through which admins manage the inventory, mostly for viewing
  - 1x communication server (app18-invensi-kom), handles communication between the agents and the database
  - 1x package distribution server (app18-invensi-dis), holds all packages to be deployed to the devices in the inventory
- 1x block volume (vol06)
Architecture
Topology
DB Configuration
When the database server is installed separately, a database and users need to be created:
-- Replace the two placeholder hosts and the sample password 'ocs' with your own values.
CREATE DATABASE ocsweb;
CREATE USER 'ocs'@'CommunicationServerIP' IDENTIFIED BY 'ocs';
CREATE USER 'ocs'@'AdministrationConsoleIP' IDENTIFIED BY 'ocs';
GRANT ALL PRIVILEGES ON ocsweb.* TO 'ocs'@'CommunicationServerIP' WITH GRANT OPTION;
GRANT ALL PRIVILEGES ON ocsweb.* TO 'ocs'@'AdministrationConsoleIP' WITH GRANT OPTION;
FLUSH PRIVILEGES;
Repositories
wget https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm
wget https://rpms.remirepo.net/enterprise/remi-release-8.rpm
wget https://rpm.ocsinventory-ng.org/ocsinventory-release-latest.el8.ocs.noarch.rpm
dnf install -y ocsinventory-release-latest.el8.ocs.noarch.rpm epel-release-latest-8.noarch.rpm remi-release-8.rpm
Process
RPM Installation
Administration Server
MariaDB
mysql_secure_installation
mysqladmin -u root -p version
mysql -u root -p
CREATE DATABASE ocsweb;
CREATE USER 'ocs'@'localhost' IDENTIFIED BY 'ocs';
GRANT ALL PRIVILEGES ON ocsweb.* TO 'ocs'@'localhost' WITH GRANT OPTION;
FLUSH PRIVILEGES;
Apache2
dnf install -y httpd
systemctl enable httpd
systemctl start httpd
PHP
yum-config-manager --enable remi
dnf module reset php
dnf module install -y php:remi-7.3
dnf install -y --enablerepo=PowerTools ocsinventory
nano /etc/php.ini
;max_execution_time = 30
;max_input_time = 60
;memory_limit = 128M
;post_max_size = 8M
;upload_max_filesize = 2M
max_execution_time = 120
max_input_time = 240
memory_limit = 512M
post_max_size = 101M
upload_max_filesize = 100M
systemctl restart httpd
FirewallD
Because this installation runs on DigitalOcean, Cloud Firewall is used to the fullest, so the firewall on CentOS can be disabled.
systemctl stop firewalld
systemctl disable firewalld
Database server configuration
cp /etc/httpd/conf.d/ocsinventory-server.conf{,.`date +"%Y%m%d"`}
nano /etc/httpd/conf.d/ocsinventory-server.conf
PerlSetEnv OCS_DB_HOST 10.20.30.11
PerlSetEnv OCS_DB_PORT 3306
PerlSetEnv OCS_DB_NAME app18_invensi
PerlSetEnv OCS_DB_LOCAL app18_invensi
PerlSetEnv OCS_DB_USER app18_invensi
PerlSetVar OCS_DB_PWD ***
PerlSetEnv OCS_DB_SSL_ENABLED 0
# PerlSetEnv OCS_DB_SSL_CA_CERT /etc/ssl/certs/ca-certificate.crt
PerlSetEnv OCS_DB_SSL_MODE SSL_MODE_PREFERRED
systemctl restart httpd
cp /usr/share/ocsinventory-reports/ocsreports/dbconfig.inc.php{,.`date +"%Y%m%d"`}
cat << 'EOF' > /usr/share/ocsinventory-reports/ocsreports/dbconfig.inc.php
<?php
define("DB_NAME", "app18_invensi");
define("SERVER_READ","10.20.30.11");
define("SERVER_WRITE","10.20.30.11");
define("SERVER_PORT", 3306);
define("COMPTE_BASE","app18_invensi");
define("PSWD_BASE","***");
define("ENABLE_SSL","0");
define("SSL_MODE","SSL_MODE_PREFERRED");
//define("SSL_KEY","/path/to/client-key.pem");
//define("SSL_CERT","/path/to/client-cert.pem");
//define("CA_CERT","/etc/ssl/certs/ca-certificate.crt");
?>
EOF
After changing the database configuration, open the page $FQDN/ocsreports/install.php, then fill in the database connection parameters to finalize the change.
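The configuration above writes the database password into ocsinventory-server.conf and dbconfig.inc.php, the cp commands leave date-stamped copies beside them, and OCS_DB_SSL_ENABLED 0 leaves the link to the database host unencrypted. The following is an added example, not part of the original guide, that checks for both conditions; the sample file, its password and the 20200101 suffix are constructed.

```shell
#!/usr/bin/env bash
# Added example (not from the original guide): audit where this setup stores
# database credentials and whether the database link is encrypted.

# Value of the last active (uncommented) PerlSetEnv/PerlSetVar NAME in FILE.
ocs_directive() {
  awk -v n="$2" '$1 ~ /^PerlSet(Env|Var)$/ && $2 == n { v = $3 } END { print v }' "$1"
}

# Prints DB_TLS_OFF if ocsinventory-server.conf points at a remote DB without TLS.
audit_db_tls() {
  host=$(ocs_directive "$1" OCS_DB_HOST)
  case $host in
    ''|localhost|127.0.0.1|::1) return 0 ;;
  esac
  [ "$(ocs_directive "$1" OCS_DB_SSL_ENABLED)" = 1 ] || echo "DB_TLS_OFF host=$host"
}

# For each FILE and its date-stamped copies (FILE.YYYYMMDD, as made by the cp
# commands above): WORLD_READABLE if it holds a DB password and "other" can read it.
audit_secret_files() {
  for f in "$@"; do
    for c in "$f" "$f".[0-9]*; do
      [ -f "$c" ] || continue
      grep -Eq 'OCS_DB_PWD|PSWD_BASE' "$c" || continue
      [ -z "$(find "$c" -prune -perm -004)" ] || echo "WORLD_READABLE ${c##*/}"
    done
  done
}

# Constructed sample: a remote DB host with TLS off, plus a dated backup copy.
demo=$(mktemp -d)
cat > "$demo/ocsinventory-server.conf" <<'EOF'
PerlSetEnv OCS_DB_HOST 10.20.30.11
PerlSetVar OCS_DB_PWD example-password
PerlSetEnv OCS_DB_SSL_ENABLED 0
# PerlSetEnv OCS_DB_SSL_ENABLED 1
EOF
cp "$demo/ocsinventory-server.conf" "$demo/ocsinventory-server.conf.20200101"
chmod 640 "$demo/ocsinventory-server.conf"
chmod 644 "$demo/ocsinventory-server.conf.20200101"
audit_db_tls "$demo/ocsinventory-server.conf"
audit_secret_files "$demo/ocsinventory-server.conf"
```

On a real host, pass /etc/httpd/conf.d/ocsinventory-server.conf to both functions and /usr/share/ocsinventory-reports/ocsreports/dbconfig.inc.php to audit_secret_files.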
Let’s Encrypt
openssl dhparam -out /etc/ssl/certs/dhparam.pem 4096
mkdir -p /var/lib/letsencrypt/.well-known
chgrp apache /var/lib/letsencrypt
chmod g+s /var/lib/letsencrypt
Snippets
nano /etc/httpd/conf.d/letsencrypt.conf
Alias /.well-known/acme-challenge/ "/var/lib/letsencrypt/.well-known/acme-challenge/"
<Directory "/var/lib/letsencrypt/">
AllowOverride None
Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
Require method GET POST OPTIONS
</Directory>
nano /etc/httpd/conf.d/ssl-params.conf
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM
# Requires Apache 2.4.36 & OpenSSL 1.1.1
SSLProtocol -all +TLSv1.3 +TLSv1.2
SSLOpenSSLConfCmd Curves X25519:secp521r1:secp384r1:prime256v1
# Older versions
# SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLHonorCipherOrder On
Header always set Strict-Transport-Security "max-age=63072000; preload"
Header always set X-Frame-Options DENY
Header always set X-Content-Type-Options nosniff
# Requires Apache >= 2.4
SSLCompression off
SSLUseStapling on
SSLStaplingCache "shmcb:logs/stapling-cache(150000)"
# Requires Apache >= 2.4.11
SSLSessionTickets Off
SSLOpenSSLConfCmd DHParameters "/etc/ssl/certs/dhparam.pem"
Virtualhost
nano /etc/httpd/conf.d/invensi.proxsis.co.id.conf
<VirtualHost *:80>
ServerName invensi.proxsis.co.id
Redirect permanent / https://invensi.proxsis.co.id/
</VirtualHost>
<VirtualHost *:443>
ServerName invensi.proxsis.co.id
Protocols h2 http/1.1
DocumentRoot /var/www/html
ErrorLog /var/log/httpd/invensi.proxsis.co.id-error.log
CustomLog /var/log/httpd/invensi.proxsis.co.id-access.log combined
SSLEngine On
SSLCertificateFile /etc/letsencrypt/live/invensi.proxsis.co.id/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/invensi.proxsis.co.id/privkey.pem
</VirtualHost>
systemctl restart httpd
Cron
echo "0 0,12 * * * root python3 -c 'import random; import time; time.sleep(random.random() * 3600)' && /usr/local/bin/certbot-auto -q renew --renew-hook \"systemctl reload httpd\"" | tee -a /etc/crontab > /dev/null
Manual Installation
Administration Server
dnf install -y httpd \
perl-XML-Simple \
perl-DBI \
perl-DBD-MySQL \
perl-Net-IP \
php-gd
Communication Server
yum install -y httpd \
perl-XML-Simple \
perl-Compress-Zlib \
perl-DBI \
perl-DBD-MySQL \
perl-Net-IP \
perl-SOAP-Lite \
perl-Archive-Zip \
perl-Mojolicious \
perl-Plack \
perl-XML-Entities \
perl-Switch
Distribution Server
<IfModule mod_perl.c>
PerlSetEnv OCS_MODPERL_VERSION 2
PerlSetEnv OCS_DB_HOST 10.20.30.5
PerlSetEnv OCS_DB_PORT 25060
PerlSetEnv OCS_DB_NAME proxsis_ocs27
PerlSetEnv OCS_DB_LOCAL proxsis_ocs27
PerlSetEnv OCS_DB_USER pgs_ocs27
PerlSetVar OCS_DB_PWD ***
PerlSetEnv OCS_DB_SSL_ENABLED 1
PerlSetEnv OCS_DB_SSL_CA_CERT /etc/ssl/certs/ca-certificate.crt
PerlSetEnv OCS_DB_SSL_MODE SSL_MODE_PREFERRED
PerlSetEnv OCS_OPT_LOGPATH "/var/log/ocsinventory-server"
PerlSetEnv OCS_OPT_DBI_PRINT_ERROR 0
PerlSetEnv OCS_OPT_UNICODE_SUPPORT 1
PerlAddVar OCS_OPT_TRUSTED_IP 127.0.0.1
PerlSetEnv OCS_OPT_WEB_SERVICE_ENABLED 0
PerlSetEnv OCS_OPT_WEB_SERVICE_RESULTS_LIMIT 100
PerlSetEnv OCS_OPT_OPTIONS_NOT_OVERLOADED 0
PerlSetEnv OCS_OPT_COMPRESS_TRY_OTHERS 1
# ===== MAIN SETTINGS =====
PerlSetEnv OCS_OPT_LOGLEVEL 0
PerlSetEnv OCS_OPT_PROLOG_FREQ 12
PerlSetEnv OCS_OPT_INVENTORY_ON_STARTUP 0
PerlSetEnv OCS_OPT_AUTO_DUPLICATE_LVL 15
PerlSetEnv OCS_OPT_SECURITY_LEVEL 0
PerlSetEnv OCS_OPT_LOCK_REUSE_TIME 600
PerlSetEnv OCS_OPT_TRACE_DELETED 0
# ===== INVENTORY SETTINGS =====
PerlSetEnv OCS_OPT_FREQUENCY 0
PerlSetEnv OCS_OPT_INVENTORY_DIFF 1
PerlSetEnv OCS_OPT_INVENTORY_TRANSACTION 1
PerlSetEnv OCS_OPT_INVENTORY_WRITE_DIFF 1
PerlSetEnv OCS_OPT_INVENTORY_CACHE_ENABLED 1
PerlSetEnv OCS_OPT_INVENTORY_CACHE_REVALIDATE 7
PerlSetEnv OCS_OPT_INVENTORY_CACHE_KEEP 1
# ===== SOFTWARES DEPLOYMENT SETTINGS =====
PerlSetEnv OCS_OPT_DOWNLOAD 0
PerlSetEnv OCS_OPT_DOWNLOAD_PERIOD_LENGTH 10
PerlSetEnv OCS_OPT_DOWNLOAD_CYCLE_LATENCY 60
PerlSetEnv OCS_OPT_DOWNLOAD_FRAG_LATENCY 60
PerlSetEnv OCS_OPT_DOWNLOAD_GROUPS_TRACE_EVENTS 1
PerlSetEnv OCS_OPT_DOWNLOAD_PERIOD_LATENCY 60
PerlSetEnv OCS_OPT_DOWNLOAD_TIMEOUT 7
PerlSetEnv OCS_OPT_DOWNLOAD_EXECUTION_TIMEOUT 120
PerlSetEnv OCS_OPT_DEPLOY 0
# ===== GROUPS SETTINGS =====
PerlSetEnv OCS_OPT_ENABLE_GROUPS 1
PerlSetEnv OCS_OPT_GROUPS_CACHE_OFFSET 43200
PerlSetEnv OCS_OPT_GROUPS_CACHE_REVALIDATE 43200
# ===== IPDISCOVER SETTINGS =====
PerlSetEnv OCS_OPT_IPDISCOVER 2
PerlSetEnv OCS_OPT_IPDISCOVER_BETTER_THRESHOLD 1
PerlSetEnv OCS_OPT_IPDISCOVER_LATENCY 100
PerlSetEnv OCS_OPT_IPDISCOVER_MAX_ALIVE 14
PerlSetEnv OCS_OPT_IPDISCOVER_NO_POSTPONE 0
PerlSetEnv OCS_OPT_IPDISCOVER_USE_GROUPS 1
# ===== INVENTORY FILES MAPPING SETTINGS =====
PerlSetEnv OCS_OPT_GENERATE_OCS_FILES 0
PerlSetEnv OCS_OPT_OCS_FILES_FORMAT OCS
PerlSetEnv OCS_OPT_OCS_FILES_OVERWRITE 0
PerlSetEnv OCS_OPT_OCS_FILES_PATH /tmp
# ===== FILTER SETTINGS =====
PerlSetEnv OCS_OPT_PROLOG_FILTER_ON 0
PerlSetEnv OCS_OPT_INVENTORY_FILTER_ENABLED 0
PerlSetEnv OCS_OPT_INVENTORY_FILTER_FLOOD_IP 0
PerlSetEnv OCS_OPT_INVENTORY_FILTER_FLOOD_IP_CACHE_TIME 300
PerlSetEnv OCS_OPT_INVENTORY_FILTER_ON 0
# ===== DATA FILTER =====
PerlSetEnv OCS_OPT_DATA_FILTER 0
# ===== REGISTRY SETTINGS =====
PerlSetEnv OCS_OPT_REGISTRY 1
# ===== SNMP SETTINGS =====
PerlSetEnv OCS_OPT_SNMP 0
PerlSetEnv OCS_OPT_SNMP_INVENTORY_DIFF 1
PerlSetEnv OCS_OPT_SNMP_PRINT_HTTPS_ERROR 1
# ===== SESSION SETTINGS =====
PerlSetEnv OCS_OPT_SESSION_VALIDITY_TIME 600
PerlSetEnv OCS_OPT_SESSION_CLEAN_TIME 86400
PerlSetEnv OCS_OPT_INVENTORY_SESSION_ONLY 0
# ===== TAG =====
PerlSetEnv OCS_OPT_ACCEPT_TAG_UPDATE_FROM_CLIENT 0
# ===== PLUGINS =====
PerlSetEnv OCS_PLUGINS_PERL_DIR "/etc/ocsinventory/ocsinventory-server/perl"
PerlSetEnv OCS_PLUGINS_CONF_DIR "/etc/ocsinventory/ocsinventory-server/plugins"
# ===== DEPRECATED =====
PerlSetEnv OCS_OPT_PROXY_REVALIDATE_DELAY 3600
PerlSetEnv OCS_OPT_UPDATE 0
############ DO NOT MODIFY BELOW ! #######################
# External modules
PerlModule Apache::DBI
PerlModule Compress::Zlib
PerlModule XML::Simple
# Ocs plugins
PerlModule Apache::Ocsinventory::Plugins::Apache
PerlModule Apache::Ocsinventory::Plugins
# Ocs
PerlModule Apache::Ocsinventory
PerlModule Apache::Ocsinventory::Server::Constants
PerlModule Apache::Ocsinventory::Server::System
PerlModule Apache::Ocsinventory::Server::Communication
PerlModule Apache::Ocsinventory::Server::Inventory
PerlModule Apache::Ocsinventory::Server::Duplicate
# Capacities
PerlModule Apache::Ocsinventory::Server::Capacities::Registry
PerlModule Apache::Ocsinventory::Server::Capacities::Update
PerlModule Apache::Ocsinventory::Server::Capacities::Ipdiscover
PerlModule Apache::Ocsinventory::Server::Capacities::Download
PerlModule Apache::Ocsinventory::Server::Capacities::Notify
PerlModule Apache::Ocsinventory::Server::Capacities::Snmp
# SSL apache settings
#SSLEngine "SSL_ENABLE"
#SSLCertificateFile "SSL_CERTIFICATE_FILE"
#SSLCertificateKeyFile "SSL_CERTIFICATE_KEY_FILE"
#SSLCACertificateFile "SSL_CERTIFICATE_FILE"
#SSLCACertificatePath "SSL_CERTIFICATE_PATH"
#SSLVerifyClient "SSL_VALIDATE_CLIENT"
Completion