Setting up GLPI and OCSInventory-NG on RHEL8 to make Asset Management easier.

Keeping track of your IT assets as you grow can be difficult, as more laptops, switches, servers are added to your system these also have Certificates, Licences and other items which need to be tracked against them. Also as your system grows knowing what impact turning something off will have on other servers and services is also important especially if these are client-facing systems.

What you need is a Configuration Management Database (CMDB) a central location to store all the details of your IT systems which can then be grouped and used to feed other systems.

There are plenty of these around and a Google will find you no end of free and commercial options.

This post covers an open-source option that has been around for a long time GLPI and as such is mature, has a lot of support and has available online help.

What is GLPI?

Gestionnaire Libre de Parc Informatique, or "Free IT Equipment Manager" in English is a GNU based IT asset management and issue tracking system written in PHP.

GLPI is a web-based application helping companies to manage their information system. The solution is able to build an inventory of all the organization's assets and to manage administrative and financial tasks.

The system's functionalities help IT Administrators to create a database of technical resources, as well as a management and history of maintenances actions. Users can declare incidents or requests (based on asset or not) thanks to the Helpdesk feature.

GLPI has been around since 2003

What is OCSInventory?

Open computers and software inventory is an assets management solution. Since 2001, OCS Inventory has been looking to make hardware and software inventory of computers more efficient. OCS Inventory queries its agents to know the soft and hard composition of each machine, each server. OCS Inventory also queries the network to discover the active elements that cannot receive an agent. Since version 2.0, OCS Inventory integrates the functionality of SNMP scans.

OCSInventory is the brains of the operation, it collects the Hardware and software inventories into a central location, this data is then passed to GLPI as the processing front end where Tickets and additional information such as Licences, Certificates etc can be collated and reported on.

Installation

Installation is being run in a standalone configuration (everything on a single box) it's not a huge leap of faith to see how to use an external database if needed.

The RHEL 8.x install has SELinux turned off (there are instructions on the link below to use with SELinux Enabled) and over HTTP, not HTTPS (again, there are instructions to do this on the links in the references section below)

I built this as an internal test system

vCPU - 2
RAM - 4Gb
DISK - 200Gb

All commands are run as root

Install GLPI

Prerequisites

Update the system

dnf update

Install the additional repositories

dnf install epel-release

dnf install https://rpms.remirepo.net/enterprise/remi-release-8.rpm

Once REMI is installed use the PHP 7.4 it supplies

dnf module reset php

dnf module enable php:remi-7.4

Run an update again

dnf update

This may update/reinstall PHP if it's installed

Next, install the required software

GLPI requires PHP > 5.6, MySQL > 5.6 or MariaDB > 10.0.

dnf install httpd mariadb-server php php-{curl,fileinfo,gd,json,zip, intl,mbstring,mysqli,session,zlib,simplexml,xml,cli,domxml,imap,ldap,openssl,xmlrpc,pecl-apcu} wget tar zip bzip2

Configure PHP

Open php.ini in an editor

nano /etc/php.ini

Find and set the following in the file

memory_limit = 512M
file_uploads = On
max_execution_time = 30
session.auto_start = 0
session.use_trans_sid = 0

Save and exit the file

Disable SELinux

Edit the selinux configuration, this is optional and the link below in references will explain which restorecon commands to run should you want to use SELinux

nano /etc/selinux/config

change

SELINUX=enforcing

SELINUX=disabled

Save and exit the file

Configure MariaDB

On this howto we are using a locally hosted MariaDB instance, if you want to use a Db on a different box, that's fine create the Db and user on that Db instead.

Start and Enable MariaDB

systemctl enable --now mariadb

Run the MySQL Security script, setting a root password and allowing root access only from localhost.

mysql_secure_installation

Setup GLPI Database

Once the secure install script is complete login to MariaDB with the root password you've set

mysql -u root -p

Create a new database

create database glpidb;

Add a user with rights to the Database

Change Qw3rty123? to a password of your liking

grant all on glpidb.* to glpiadmin@localhost identified by 'Qw3rty123?';

Reload

flush privileges;

and

quit

Download and Install GLPI

Open the GLPI Releases page on GitHub

Right-click on the TGZ for the latest version and copy the link (9.5.5 at time of writing)

On the GLPI server run

wget https://github.com/glpi-project/glpi/releases/download/9.5.5/glpi-9.5.5.tgz

Once downloaded extract the file into the httpd folder

tar xzf glpi-9.5.5.tgz -C /var/www/html/

Set the appropriate permissions

chown -R apache:apache /var/www/html/glpi

chmod -R 755 /var/www/html/glpi

Finally, create a config file for Apache

nano /etc/httpd/conf.d/glpi.conf

<VirtualHost *:80>
   ServerName glpi.mynetwork.local
   DocumentRoot /var/www/html/glpi

   ErrorLog "/var/log/httpd/glpi_error.log"
   CustomLog "/var/log/httpd/glpi_access.log" combined

   <Directory> /var/www/html/glpi/config>
       AllowOverride None
       Require all denied
   </Directory>
   <Directory> /var/www/html/glpi/files>
       AllowOverride None
       Require all denied
   </Directory>
</VirtualHost>

Change the line to something more relevant to you

ServerName glpi.mynetwork.local

Save and Exit

Enable Apache

Start Apache and enable it post reboot

systemctl enable --now httpd

Enable the local Firewall

firewall-cmd --add-port={80,443}/tcp --permanent
firewall-cmd --reload

Finish the GLPI Install

You can now finalize the setup of GLPI from the browser.

I've taken these screen grabs directly from the https://kifarunix.com/ web page.

Use the address, http://glpi-server-IP-or-Hostname.

Choose your installation language.

Accept the terms and conditions of the GLPI license and click continue.

Click install, then verify that all prerequisites are met. Ignore the CAS extension warning if you are not using CAS authentication and the SELinux Warning if you've disabled SELinux

After all is set, proceed to configure Database connection settings;

Choose your GLPI database.

Wait for the database initialization to complete. Then click continue to follow through other steps and finally login to your GLPI web interface.

To login to GLPI web interface, there are a number of default user accounts you can use;

Name	Username	Account Type
glpi	glpi	Admin account
tech	tech	Technical Account
normal	normal	Normal Account
post-only	postonly	Post only account

Simply login as Admin, glpi and make the necessary changes including removing the default accounts above as well as resetting the password and username for GLPI admin user once you are logged in.

Remove installation file;

mv /var/www/html/glpi/install/install.php /var/www/html/glpi/install/install.php.old

I've found a bug in the OCSInventory plugin when using VirtualHost to rectivy this change

/etc/httpd/conf.d/glpi.conf

To look as follows

<Directory /usr/share/glpi/install>

# Install is only allowed via local access (from the GLPI server).
# Add your IP address if you need it for remote installation,
# but remember to remove it after installation for security.

<IfModule mod_authz_core.c>
    # Apache 2.4
    Require local
    Require  ip 41.90.37.36
    # Require ip ##.##.##.##
</IfModule>
<IfModule !mod_authz_core.c>
    # Apache 2.2
    Order Deny,Allow
    Deny from All
    Allow from 127.0.0.1
    Allow from ::1
</IfModule>

Save and exit

Restart httpd

service httpd restart

You may need to clear cookies

GLPI is now installed.

Fixing a Bug with Timezones

I noted that the time was 1 hour out for me (in the UK) and even adding

date.time = Europe\London

into

/etc/php.ini

made no difference (even after restarting PHP and apache)

The GLPI interface states that it can't change the Timezone because of MySQL permissions.

To fix this run on the GLPI server:

mysql_tzinfo_to_sql /usr/share/zoneinfo | mysql -p -u root mysql

Then login to the MariaDB

mysql -uroot -p

and run

GRANT SELECT ON `mysql`.`time_zone_name` TO 'glpiadmin'@'localhost';
FLUSH PRIVILEGES;

quit

Restart Apache (optional)

service httpd restart

Head to

Setup -> General -> Default Values

Next to Timezone should be a drop-down Window

Select your timezone and save.

Install OCSInventory

Install Server

Some repos need to be added to download the necessary files

wget https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm

wget https://rpms.remirepo.net/enterprise/remi-release-8.rpm

wget https://rpm.ocsinventory-ng.org/ocsinventory-release-latest.el8.ocs.noarch.rpm

Install the Repo RPM's

Note if you already have EPEL or REMI installed then these two RPM's might cause a conflict

dnf install ocsinventory-release-latest.el8.ocs.noarch.rpm epel-release-latest-8.noarch.rpm remi-release-8.rpm

Install yum-utils and enable the Remi repo

dnf install yum-utils 
yum-config-manager --enable remi

Have Remi supply the PHP

dnf module reset PHP 
dnf module install php:remi-7.3

On CentOs there is a repo named PowerTools, this isn't available on RHEL8, use the following instead or there will be issues trying to install the OCSserver package.

subscription-manager repos --enable "codeready-builder-for-rhel-8-$(arch)-rpms"

Install OCS

dnf install ocsinventory

Start MariaDB

systemctl enable mariadb 
systemctl start mariadb

Set the Root password

mysql_secure_installation

Start Apache

systemctl enable httpd 
systemctl start httpd

Start PHP-FPM

systemctl enable php-fpm 
systemctl start php-fpm

Enable the Firewall

firewall-cmd--zone=public--add-service=http--permanent
firewall-cmd--zone=public--add-service=https--permanent
firewall-cmd--reload

Open your Web browser and head over to

http://your server/ocsreports

Fill in the information to connect to MySQL database server with a user who has the ability to create database, tables, indexes, etc (usually root):

MySQL user name: root
MySQL user password: root password
MySQL hostname: localhost
MySQL Database: ocsweb

Don't enable SSL

Once the install has complete (may require a Db files update, this needs to be run)

Point your browser to the URL http://<Server name or IP>/ocsreports and login in with admin as user and admin as password.

Install Agents

There are details on the OCS page for installing agents on various platforms, for this example I'm using RHEL8 and ProxMox machines.

Setting up the UNIX agent using repository on client computers - OCS Inventory Documentation

OCS Inventory Documentation

Installing UNIX Agent with APT

On Debian-based distributions such as Proxmox you can install the agent with APT

You need to add a repository using the following command

$ curl -sS http://deb.ocsinventory-ng.org/pubkey.gpg | sudo apt-key add -
$ echo "deb http://deb.ocsinventory-ng.org/debian/ <distribution_codename> main" | sudo tee /etc/apt/sources.list.d/ocsinventory.list
$ sudo apt update

You will have to replace by one of the following term depending on the installation context :

buster | stable
stretch | oldstable
sid | unstable

Then install the agent using :

$ sudo apt install ocsinventory-agent

On Ubuntu-based distributions you can install the agent with APT

You need to add our repository using the following command

$ curl -sS http://deb.ocsinventory-ng.org/pubkey.gpg | sudo apt-key add -
$ echo "deb http://deb.ocsinventory-ng.org/ubuntu/ <distribution_codename> main" | sudo tee /etc/apt/sources.list.d/ocsinventory.list
$ sudo apt update

You will have to replace by one of the following term depending on the installation context :

focal | stable
bionic | oldstable
xenial | backport

Then install the agent using :

$ sudo apt install ocsinventory-agent

Installing UNIX Agent with RPM

On Centos 7 you can install the unix agent with RPM

You need to have "wget" to download the repo of EPEL and OCS

$ sudo wget https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
$ sudo wget https://rpm.ocsinventory-ng.org/ocsinventory-release-latest.el7.ocs.noarch.rpm

You can install the repo with "yum"

$ sudo  yum install ocsinventory-release-latest.el7.ocs.noarch.rpm epel-release-latest-7.noarch.rpm

I found the Perl SNMP Module was also not installed but needed

yum install -y perl-Net-SNMP

To install the unix agent and requirement use this command:

$ sudo yum install ocsinventory-agent

On Redhat 8 you can install the unix agent with RPM

You need to have "wget" to download the repo of EPEL and OCS

$ sudo wget https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm
$ sudo wget https://rpm.ocsinventory-ng.org/ocsinventory-release-latest.el8.ocs.noarch.rpm

You can install the repo with "dnf"

$ sudo  dnf install ocsinventory-release-latest.el8.ocs.noarch.rpm epel-release-latest-8.noarch.rpm

Install the Code Ready Builder

subscription-manager repos --enable "codeready-builder-for-rhel-8-$(arch)-rpms"

I found the Perl SNMP Module was also not installed but needed

yum install -y perl-Net-SNMP

To install the unix agent and requirement use this command:

$ sudo dnf --enablerepo=epel-playground install ocsinventory-agent

Configure Agents

The Agent installs a basic config under

/etc/ocsinventory/ocsinventory-agent.cfg

This needs to be edited

# 
# OCS Inventory "Unix Unified Agent" Configuration File
#
# options used by cron job overides this (see /etc/sysconfig/ocsinventory-agent)
#

# Server URL, unconmment if needed
server = 192.168.98.123

# Administrative TAG (optional, must be filed before first inventory)
# tag = your_tag

# How to log, can be File,Stderr,Syslog
logger = Stderr
logfile = /var/log/ocsinventory-agent/ocsinventory-agent.log

The important line is

server = 192.168.98.123

This needs to be the IP or DNS name of your OCS server

Note: I had an issue with the initial server I was using doing a redirect for GLPI on the IP, Iwould get a deflating error. Don't use 301 style redirects.

First Run the Agent

With the agent installed and the config file set correctly run

ocsinventory-agent

This should send data back yo your OCS server

If it doesn't then run

tail /var/log/ocsinventory-agent/ocsinventory-agent.log

To see if there were any errors

Also try running

ocsinventory-agent --debug

Check that

perl-Net-SNMP

Is installed

If you'd like to do this in a more scripted fashion for mass deployment have a look at

OCS Inventory NG Agent 2.x on Unix Operating Systems - OCS Inventory Documentation

OCS Inventory Documentation

Or the Ansible Role

Running the Agent on a schedule

Having the Agent run on a schedule ensures the data from the servers is kept up to date, how often you run the agent depends on your requirements.

To run the OCSInventory agent on a schedule there are some options:

Cron - Create a Cron Job on the server locally to run ocsinventory-agent
Jenkins - I've setup Jenkins run run an ansible playbook which executes the agent on all the ansible managed hosts to a schedule.
Daemon Mode - Run "ocsinventory-agent --daemon"

Each of these has its pros and cons for scalability.

Connect GLPI and OCSInventory using the GLPI Plugin

To have OCSInventory and GLPI communicate with each other a plugin needs to be installed.

Install the Plugin

Head over to the plugin release page

Download the latest version to the GLPI server

wget https://github.com/pluginsGLPI/ocsinventoryng/releases/download/1.7.3/glpi-ocsinventoryng-1.7.3.tar.gz

Decompress it

tar -xzvf glpi-ocsinventoryng-1.7.3.tar.gz -C /var/www/html/glpi/plugins/

Set permissions

chmod 755 -R /var/www/html/glpi/plugins/
chown apache:apache /var/www/html/glpi/plugins/ -R

In Glpi open Setup -> Plugins

If this is the first time you've entered plugins then you'll be asked if you want to use Marketplace. Select Later

The OcsInventory NG plugin should be listed

Click on install to the right under Actions

The install will take a few seconds, once done a popup will appear

And you'll see under Actions that the Plugin isn't enabled

Either click on the red icon under actions or enable in the notification popup to enable to plugin

A configuration spanner will appear..

This will take you to the same location as Tools -> OCSInventory NG

Configure the Plugin

On the OCS Inventory server under Configuration -> General Configuration Select Server on the left and Enable Trace Deleted

Scroll down and click on Update

Back on the GLPI Server Under Tools -> OCS Inventory NG

Click on Add an OCSNG server

Enter the appropriate details to connect to your OCS database then click on Add

The screen will refresh and prompt you to add again, you will need to click on Tools -> OCS Inventory NG again

Check settings by clicking on

Once you're happy the settings are correct for you and the Database connects click on the Inventory Import tab

Click on Import new computers

A list of the inventoried servers in OCSInventory should import into GLPI

Scroll to the end of the page, and with the devices to import selected click Import

Once complete and it can take a while depending on the number of devices a report on what happened will display

Click on

Assets -> Computers

And you'll be presented with a list of imported devices into GLPI

Schedule Automatic Imports

Add the following to crontab

*/1 * * * * /bin/php /var/www/html/glpi/front/cron.php &> /dev/null

In GLPI head to Setup -> Automatic actions

Find ocsng in the list and open it

Set the appropriate run time

Click on Save

Test by clicking on Execute

Every hour GLPI will not check OCS for new servers to add to its inventory.

Further Integrations

This is the basics, the next stage of this journey is to do SNMP scan's of the networks to pull in agentless devices and to set up groups (systems).

I'd like to use the ticketing system as a risk register and pull in RSS Feeds from systems that alert over required patches...

Finally, I'd like CheckMK to be fed by the GLPI system

All future posts

References

https://computingforgeeks.com/how-to-install-glpi-on-centos-rhel-8/

The 13" Macbook M1 - 1 Month usage review

The case for Opera as your primary Web Browser

0 Comments