Keeping track of your IT assets as you grow can be difficult, as more laptops, switches, servers are added to your system these also have Certificates, Licences and other items which need to be tracked against them. Also as your system grows knowing what impact turning something off will have on other servers and services is also important especially if these are client-facing systems.
What you need is a Configuration Management Database (CMDB) a central location to store all the details of your IT systems which can then be grouped and used to feed other systems.
There are plenty of these around and a Google will find you no end of free and commercial options.
This post covers an open-source option that has been around for a long time GLPI and as such is mature, has a lot of support and has available online help.
What is GLPI?
Gestionnaire Libre de Parc Informatique, or "Free IT Equipment Manager" in English is a GNU based IT asset management and issue tracking system written in PHP.
GLPI is a web-based application helping companies to manage their information system. The solution is able to build an inventory of all the organization's assets and to manage administrative and financial tasks.
The system's functionalities help IT Administrators to create a database of technical resources, as well as a management and history of maintenances actions. Users can declare incidents or requests (based on asset or not) thanks to the Helpdesk feature.
GLPI has been around since 2003
What is OCSInventory?
Open computers and software inventory is an assets management solution. Since 2001, OCS Inventory has been looking to make hardware and software inventory of computers more efficient. OCS Inventory queries its agents to know the soft and hard composition of each machine, each server. OCS Inventory also queries the network to discover the active elements that cannot receive an agent. Since version 2.0, OCS Inventory integrates the functionality of SNMP scans.
OCSInventory is the brains of the operation, it collects the Hardware and software inventories into a central location, this data is then passed to GLPI as the processing front end where Tickets and additional information such as Licences, Certificates etc can be collated and reported on.
Installation
Installation is being run in a standalone configuration (everything on a single box) it's not a huge leap of faith to see how to use an external database if needed.
The RHEL 8.x install has SELinux turned off (there are instructions on the link below to use with SELinux Enabled) and over HTTP, not HTTPS (again, there are instructions to do this on the links in the references section below)
I built this as an internal test system
- vCPU - 2
- RAM - 4Gb
- DISK - 200Gb
All commands are run as root
Install GLPI
Prerequisites
Update the system
dnf update
Install the additional repositories
dnf install epel-release
dnf install https://rpms.remirepo.net/enterprise/remi-release-8.rpm
Once REMI is installed use the PHP 7.4 it supplies
dnf module reset php
dnf module enable php:remi-7.4
Run an update again
dnf update
This may update/reinstall PHP if it's installed
Next, install the required software
GLPI requires PHP > 5.6, MySQL > 5.6 or MariaDB > 10.0.
dnf install httpd mariadb-server php php-{curl,fileinfo,gd,json,zip, intl,mbstring,mysqli,session,zlib,simplexml,xml,cli,domxml,imap,ldap,openssl,xmlrpc,pecl-apcu} wget tar zip bzip2
Configure PHP
Open php.ini in an editor
nano /etc/php.ini
Find and set the following in the file
memory_limit = 512M
file_uploads = On
max_execution_time = 30
session.auto_start = 0
session.use_trans_sid = 0
Save and exit the file
Disable SELinux
Edit the selinux configuration, this is optional and the link below in references will explain which restorecon commands to run should you want to use SELinux
nano /etc/selinux/config
change
SELINUX=enforcing
to
SELINUX=disabled
Save and exit the file
Configure MariaDB
On this howto we are using a locally hosted MariaDB instance, if you want to use a Db on a different box, that's fine create the Db and user on that Db instead.
Start and Enable MariaDB
systemctl enable --now mariadb
Run the MySQL Security script, setting a root password and allowing root access only from localhost.
mysql_secure_installation
Setup GLPI Database
Once the secure install script is complete login to MariaDB with the root password you've set
mysql -u root -p
Create a new database
create database glpidb;
Add a user with rights to the Database
Change Qw3rty123? to a password of your liking
grant all on glpidb.* to glpiadmin@localhost identified by 'Qw3rty123?';
Reload
flush privileges;
and
quit
Download and Install GLPI
Open the GLPI Releases page on GitHub
glpi-projectRight-click on the TGZ for the latest version and copy the link (9.5.5 at time of writing)
On the GLPI server run
wget https://github.com/glpi-project/glpi/releases/download/9.5.5/glpi-9.5.5.tgz
Once downloaded extract the file into the httpd folder
tar xzf glpi-9.5.5.tgz -C /var/www/html/
Set the appropriate permissions
chown -R apache:apache /var/www/html/glpi
chmod -R 755 /var/www/html/glpi
Finally, create a config file for Apache
nano /etc/httpd/conf.d/glpi.conf
<VirtualHost *:80>
ServerName glpi.mynetwork.local
DocumentRoot /var/www/html/glpi
ErrorLog "/var/log/httpd/glpi_error.log"
CustomLog "/var/log/httpd/glpi_access.log" combined
<Directory> /var/www/html/glpi/config>
AllowOverride None
Require all denied
</Directory>
<Directory> /var/www/html/glpi/files>
AllowOverride None
Require all denied
</Directory>
</VirtualHost>
Change the line to something more relevant to you
ServerName glpi.mynetwork.local
Save and Exit
Enable Apache
Start Apache and enable it post reboot
systemctl enable --now httpd
Enable the local Firewall
firewall-cmd --add-port={80,443}/tcp --permanent
firewall-cmd --reload
Finish the GLPI Install
You can now finalize the setup of GLPI from the browser.
I've taken these screen grabs directly from the https://kifarunix.com/ web page.
Use the address, http://glpi-server-IP-or-Hostname.
Choose your installation language.
Accept the terms and conditions of the GLPI license and click continue.
Click install, then verify that all prerequisites are met. Ignore the CAS extension warning if you are not using CAS authentication and the SELinux Warning if you've disabled SELinux
After all is set, proceed to configure Database connection settings;
Choose your GLPI database.
Wait for the database initialization to complete. Then click continue to follow through other steps and finally login to your GLPI web interface.
To login to GLPI web interface, there are a number of default user accounts you can use;
| Name | Username | Account Type |
| glpi | glpi | Admin account |
| tech | tech | Technical Account |
| normal | normal | Normal Account |
| post-only | postonly | Post only account |
Simply login as Admin, glpi and make the necessary changes including removing the default accounts above as well as resetting the password and username for GLPI admin user once you are logged in.
Remove installation file;
mv /var/www/html/glpi/install/install.php /var/www/html/glpi/install/install.php.old
I've found a bug in the OCSInventory plugin when using VirtualHost to rectivy this change
/etc/httpd/conf.d/glpi.conf
To look as follows
<Directory /usr/share/glpi/install>
# Install is only allowed via local access (from the GLPI server).
# Add your IP address if you need it for remote installation,
# but remember to remove it after installation for security.
<IfModule mod_authz_core.c>
# Apache 2.4
Require local
Require ip 41.90.37.36
# Require ip ##.##.##.##
</IfModule>
<IfModule !mod_authz_core.c>
# Apache 2.2
Order Deny,Allow
Deny from All
Allow from 127.0.0.1
Allow from ::1
</IfModule>
Save and exit
Restart httpd
service httpd restart
You may need to clear cookies
GLPI is now installed.
Fixing a Bug with Timezones
I noted that the time was 1 hour out for me (in the UK) and even adding
date.time = Europe\London
into
/etc/php.ini
made no difference (even after restarting PHP and apache)
The GLPI interface states that it can't change the Timezone because of MySQL permissions.
To fix this run on the GLPI server:
mysql_tzinfo_to_sql /usr/share/zoneinfo | mysql -p -u root mysql
Then login to the MariaDB
mysql -uroot -p
and run
GRANT SELECT ON `mysql`.`time_zone_name` TO 'glpiadmin'@'localhost';
FLUSH PRIVILEGES;
quit
Restart Apache (optional)
service httpd restart
Login to GLPI as the user glpi
Head to
Setup -> General -> Default Values
Next to Timezone should be a drop-down Window
Select your timezone and save.
Install OCSInventory
Install Server
Some repos need to be added to download the necessary files
wget https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm
wget https://rpms.remirepo.net/enterprise/remi-release-8.rpm
wget https://rpm.ocsinventory-ng.org/ocsinventory-release-latest.el8.ocs.noarch.rpm
Install the Repo RPM's
Note if you already have EPEL or REMI installed then these two RPM's might cause a conflict
dnf install ocsinventory-release-latest.el8.ocs.noarch.rpm epel-release-latest-8.noarch.rpm remi-release-8.rpm
Install yum-utils and enable the Remi repo
dnf install yum-utils
yum-config-manager --enable remi
Have Remi supply the PHP
dnf module reset PHP
dnf module install php:remi-7.3
On CentOs there is a repo named PowerTools, this isn't available on RHEL8, use the following instead or there will be issues trying to install the OCSserver package.
subscription-manager repos --enable "codeready-builder-for-rhel-8-$(arch)-rpms"
Install OCS
dnf install ocsinventory
Start MariaDB
systemctl enable mariadb
systemctl start mariadb
Set the Root password
mysql_secure_installation
Start Apache
systemctl enable httpd
systemctl start httpd
Start PHP-FPM
systemctl enable php-fpm
systemctl start php-fpm
Enable the Firewall
firewall-cmd--zone=public--add-service=http--permanent
firewall-cmd--zone=public--add-service=https--permanent
firewall-cmd--reload
Open your Web browser and head over to
http://your server/ocsreports
Fill in the information to connect to MySQL database server with a user who has the ability to create database, tables, indexes, etc (usually root):
- MySQL user name: root
- MySQL user password: root password
- MySQL hostname: localhost
- MySQL Database: ocsweb
Don't enable SSL
Once the install has complete (may require a Db files update, this needs to be run)
Point your browser to the URL http://<Server name or IP>/ocsreports and login in with admin as user and admin as password.
Install Agents
There are details on the OCS page for installing agents on various platforms, for this example I'm using RHEL8 and ProxMox machines.
Installing UNIX Agent with APT
On Debian-based distributions such as Proxmox you can install the agent with APT
You need to add a repository using the following command
$ curl -sS http://deb.ocsinventory-ng.org/pubkey.gpg | sudo apt-key add -
$ echo "deb http://deb.ocsinventory-ng.org/debian/ <distribution_codename> main" | sudo tee /etc/apt/sources.list.d/ocsinventory.list
$ sudo apt update
You will have to replace by one of the following term depending on the installation context :
- buster | stable
- stretch | oldstable
- sid | unstable
Then install the agent using :
$ sudo apt install ocsinventory-agent
On Ubuntu-based distributions you can install the agent with APT
You need to add our repository using the following command
$ curl -sS http://deb.ocsinventory-ng.org/pubkey.gpg | sudo apt-key add -
$ echo "deb http://deb.ocsinventory-ng.org/ubuntu/ <distribution_codename> main" | sudo tee /etc/apt/sources.list.d/ocsinventory.list
$ sudo apt update
You will have to replace by one of the following term depending on the installation context :
- focal | stable
- bionic | oldstable
- xenial | backport
Then install the agent using :
$ sudo apt install ocsinventory-agent
Installing UNIX Agent with RPM
On Centos 7 you can install the unix agent with RPM
You need to have "wget" to download the repo of EPEL and OCS
$ sudo wget https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
$ sudo wget https://rpm.ocsinventory-ng.org/ocsinventory-release-latest.el7.ocs.noarch.rpm
You can install the repo with "yum"
$ sudo yum install ocsinventory-release-latest.el7.ocs.noarch.rpm epel-release-latest-7.noarch.rpm
I found the Perl SNMP Module was also not installed but needed
yum install -y perl-Net-SNMP
To install the unix agent and requirement use this command:
$ sudo yum install ocsinventory-agent
On Redhat 8 you can install the unix agent with RPM
You need to have "wget" to download the repo of EPEL and OCS
$ sudo wget https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm
$ sudo wget https://rpm.ocsinventory-ng.org/ocsinventory-release-latest.el8.ocs.noarch.rpm
You can install the repo with "dnf"
$ sudo dnf install ocsinventory-release-latest.el8.ocs.noarch.rpm epel-release-latest-8.noarch.rpm
Install the Code Ready Builder
subscription-manager repos --enable "codeready-builder-for-rhel-8-$(arch)-rpms"I found the Perl SNMP Module was also not installed but needed
yum install -y perl-Net-SNMP
To install the unix agent and requirement use this command:
$ sudo dnf --enablerepo=epel-playground install ocsinventory-agent
Configure Agents
The Agent installs a basic config under
/etc/ocsinventory/ocsinventory-agent.cfg
This needs to be edited
#
# OCS Inventory "Unix Unified Agent" Configuration File
#
# options used by cron job overides this (see /etc/sysconfig/ocsinventory-agent)
#
# Server URL, unconmment if needed
server = 192.168.98.123
# Administrative TAG (optional, must be filed before first inventory)
# tag = your_tag
# How to log, can be File,Stderr,Syslog
logger = Stderr
logfile = /var/log/ocsinventory-agent/ocsinventory-agent.log
The important line is
server = 192.168.98.123
This needs to be the IP or DNS name of your OCS server
Note: I had an issue with the initial server I was using doing a redirect for GLPI on the IP, Iwould get a deflating error. Don't use 301 style redirects.
First Run the Agent
With the agent installed and the config file set correctly run
ocsinventory-agent
This should send data back yo your OCS server
If it doesn't then run
tail /var/log/ocsinventory-agent/ocsinventory-agent.log
To see if there were any errors
Also try running
ocsinventory-agent --debug
Check that
perl-Net-SNMP
Is installed
If you'd like to do this in a more scripted fashion for mass deployment have a look at
Or the Ansible Role
OCSInventory-NGRunning the Agent on a schedule
Having the Agent run on a schedule ensures the data from the servers is kept up to date, how often you run the agent depends on your requirements.
To run the OCSInventory agent on a schedule there are some options:
- Cron - Create a Cron Job on the server locally to run ocsinventory-agent
- Jenkins - I've setup Jenkins run run an ansible playbook which executes the agent on all the ansible managed hosts to a schedule.
- Daemon Mode - Run "ocsinventory-agent --daemon"
Each of these has its pros and cons for scalability.
Connect GLPI and OCSInventory using the GLPI Plugin
To have OCSInventory and GLPI communicate with each other a plugin needs to be installed.
Install the Plugin
Head over to the plugin release page
pluginsGLPIDownload the latest version to the GLPI server
wget https://github.com/pluginsGLPI/ocsinventoryng/releases/download/1.7.3/glpi-ocsinventoryng-1.7.3.tar.gz
Decompress it
tar -xzvf glpi-ocsinventoryng-1.7.3.tar.gz -C /var/www/html/glpi/plugins/
Set permissions
chmod 755 -R /var/www/html/glpi/plugins/
chown apache:apache /var/www/html/glpi/plugins/ -R
In Glpi open Setup -> Plugins
If this is the first time you've entered plugins then you'll be asked if you want to use Marketplace. Select Later
The OcsInventory NG plugin should be listed
Click on install to the right under Actions
The install will take a few seconds, once done a popup will appear
And you'll see under Actions that the Plugin isn't enabled
Either click on the red icon under actions or enable in the notification popup to enable to plugin
A configuration spanner will appear..
This will take you to the same location as Tools -> OCSInventory NG
Configure the Plugin
On the OCS Inventory server under Configuration -> General Configuration Select Server on the left and Enable Trace Deleted
Scroll down and click on Update
Back on the GLPI Server Under Tools -> OCS Inventory NG
Click on Add an OCSNG server
Enter the appropriate details to connect to your OCS database then click on Add
The screen will refresh and prompt you to add again, you will need to click on Tools -> OCS Inventory NG again
Check settings by clicking on
Once you're happy the settings are correct for you and the Database connects click on the Inventory Import tab
Click on Import new computers
A list of the inventoried servers in OCSInventory should import into GLPI
Scroll to the end of the page, and with the devices to import selected click Import
Once complete and it can take a while depending on the number of devices a report on what happened will display
Click on
Assets -> Computers
And you'll be presented with a list of imported devices into GLPI
Schedule Automatic Imports
Add the following to crontab
*/1 * * * * /bin/php /var/www/html/glpi/front/cron.php &> /dev/null
In GLPI head to Setup -> Automatic actions
Find ocsng in the list and open it
Set the appropriate run time
Click on Save
Test by clicking on Execute
Every hour GLPI will not check OCS for new servers to add to its inventory.
Further Integrations
This is the basics, the next stage of this journey is to do SNMP scan's of the networks to pull in agentless devices and to set up groups (systems).
I'd like to use the ticketing system as a risk register and pull in RSS Feeds from systems that alert over required patches...
Finally, I'd like CheckMK to be fed by the GLPI system
All future posts
References
koromicha
pluginsGLPImuhamadfaizhttps://computingforgeeks.com/how-to-install-glpi-on-centos-rhel-8/