Setup & Install GLPI on CentOS 7Setup & Install GLPI on CentOS 7

What is GLPI?:

     GLPI is a free and open source information resource-manager that can be used for a multitude of items such as: inventory management, ticket tracking, and centralized documentation. In the right hands GLPI can become a very powerful tool for your business that can help reduced costs and time waste. GLPI also offers tons of plugins to enhance workflows and even automate your inventory needs. Needless to say GLPI is a very handy tool that is becoming more and more popular with IT departments.

Goal of this Article:?

     In this article, my goal is to go over how to setup & install GLPI from the beginning to the end. This will also include proper SELinux commands, as so many articles that I read on how to setup GLPI tell you to shut this off. I will explain more later on why shutting off SELinux is a bad thing to do.  This will be a very basic configuration as just to give you a proof of concept. To learn more about GLPI and its features please come back later as I plan on making a lot more articles on the ins and outs of GLPI. 

Environment Overview:

     Before we begin the setup & installation of GLPI, I would like to go over from a high level the tools and packages that I will be using for this guide.  I will be using CentOS 7 minimal 1804 with some extra repositories (epel-release, REMI, and MariaDB). Along with those extra packages there are a lot of smaller packages that you will not need right away but that will prove useful as you build out your own GLPI instance later on.

 
Name: CentOS 7 Web Server Database PHP
Description: 1804 minimal installation Apache 2.4.x + MariaDB 10.0+ 7.x +

Please note:

  • I will do my best to explain what each package and command does so that you have a better understanding of what you are going to be installing. 

Initial Setup:

     To start you will need to open an ssh session to your CentOS 7 machine, if you are on windows you can use putty to achieve this. Once you are logged into your system run the following commands:

yum -y install epel-release

Command Explanation
Extra packages for enterprise Linux or epel is a special interest group from fedora that creates and maintains addition sets of packages for RHEL, SL and other Linux distros.

yum -y install http://rpms.remirepo.net/enterprise/remi-release-7.rpm

Command Explanation
Providing the  latest versions of the PHP stack, full featured, and some other software, to the Fedora and Enterprise Linux.

yum -y install yum-utils

Command Explanation
yum-utils is a collection of useful programs for managing yum repositories and packages.

yum -y install net-tools vim wget mlocate

Command Explanation

  • net-tools
    • This command installs and allows for the use of the ifconfig command.
  • vim
    • A highly configurable text editor also known as vi.
  • wget
    • Program that can be used to retrieve content from web pages.
  • mlocate
    • Program to help you find file locations

Prerequisites Setup:

     After downloading and installing some baseline packages you will need to create and enable a MariaDB repository. Now we need to create a MariaDB repo because the standard and epel-release repositories do not have the required version of mariadb that is needed for GLPI to run properly. 

vim /etc/yum.repos.d/MariaDB.repo

     Edit the newly created file with the following information

MariaDB.repo

  • [mariadb]
  • name = MariaDB
  • baseurl = http://yum.mariadb.org/10.1/centos7-amd64
  • gpgkey=https://yum.mariadb.org/RPM-GPG-KEY-MariaDB
  • gpgcheck=1

     Remember earlier in this article when we used “yum” to install the REMI repo? Now it’s time to enable the REMI repo and select the PHP package\version to install that is needed for GLPI to run properly.

yum-config-manager --enable remi-php73 [Install PHP 7.3]

Command Explanation
–enable remi-php73 is allowing us to bypass epel-release’s php version and use the latest stable php version from the remi repo. AS GLPI requires PHP 5.6 or higher to work we are going to be configuring this with PHP 7.3.

     Please note, we are going to download GLPI from github in this command but we wont use it right now.

wget https://github.com/glpi-project/glpi/releases/download/9.3.2/glpi-9.3.2.tgz

Command Explanation

  • wget
    • This command tells the system to download a package from a web address
yum -y install http php php-mysql php-pdo php-gd php-mbstring php-imap php-ldap php-domxml php-xmlrpc php-pecl-apcu php-opcache php-pear-CAS mariadb-server mariadb

Command Explanation

  • http
    • Apache web server used for displaying websites
  • php
  • php-mysql php-xxxxxx…etc
    • Extra PHP packages that allow for database communications, graph display, email…etc
  • mariadb-server and mariadb
    • Mariadb is a popular open source version of MySQL.

     Now that we have all our preq’s and packages installed lets makes some slight tweaks to the “php.ini” file per GLPI’s official documentation.

php -i | grep "Loaded Configuration File"

Command Explanation
This is a simple command to tell you where php is currently looking at for it’s configuration file.

vim /etc/php.ini

     Locate the following lines in the “php.ini” file and make the appropriate changes with what is listed below. Please note in the newer version of PHP the limits are usually much greater then what is recommend by GLPI. This is fine, as what is listed below is the recommend minimum that is need for GLPI.

  • Example:
    • (PHP7.x) memory_limit = 128M (This is the default right out of the gate for PHP 7.x)

php.ini

  • memory_limit = 64M ;              // max memory limit
  • file_uploads = on ;
  • max_execution_time = 600 ;   // not mandatory but advised
  • register_globals = off ;            // not mandatory but advised
  • magic_quotes_sybase = off ;
  • session.auto_start = off ;
  • session.use_trans_sid = 0 ;   // not mandatory but advised

     Next we need to allow communications though the CentOS firewall service so that Apache will work correctly. 

firewall-cmd --permanent --add-service=http
firewall-cmd --reload

Command Explanation
This command adds a persistent rule to your firewall to allow http traffic ie port 80 to your system.

     Next we will enable Apache and the mariadb services so that they will auto start on reboots.

systemctl enable httpd
systemctl enable mariadb

     After we have enabled both Apache and the mariadb database service, you will need to start them.

systemctl start httpd
systemctl start mariadb

Database Setup and Configurations:

     Now that the MariaDB database is up and running we need to change its default configuration to be more secure.

mysql_secure_installation

Command Explanation
This will start an initial configuration screen for mariadb

     You can read through the following section or you can check out the condensed commands below of what you will need to fill out

MariaDB Settings

  • Set root password? [Y/n]                                      ## Y, Enter ##
  • New password:                                                     ## Enter the new database root password ##
  • Remove anonymous users? [Y/n]                        ## Y, Enter ##
  • Disallow root login remotely? [Y/n]                    ## Press Enter ##
  • Remove test database and access to it? [Y/n]      ## Press Enter ##
  • Reload privilege tables now? [Y/n]                     ## Press Enter ##

mysql terminal view

NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MySQL SERVERS IN PRODUCTION USE!
PLEASE READ EACH STEP CAREFULLY!
In order to log into MySQL to secure it, we’ll need the current password for the root user.
If you’ve just installed MySQL, and you haven’t set the root password yet, the password will be blank, so you should just press enter here.

Enter current password for root (enter for none): ## Press Enter ##
OK, successfully used password, moving on…
Setting the root password ensures that nobody can log into the MySQL root user without the proper authorization.

Set root password? [Y/n] ## Press Enter ##
New password: ## Enter new password ##
Re-enter new password: ## Re-enter new password ##
Password updated successfully!
Reloading privilege tables..
… Success!

By default, a MySQL installation has an anonymous user, allowing anyone to log into MySQL without having to have a user account created for them.
This is intended only for testing, and to make the installation go a bit smoother. You should remove them before moving into a production environment.

Remove anonymous users? [Y/n] ## Press Enter ##
… Success!

Normally, root should only be allowed to connect from ‘localhost’. This ensures that someone cannot guess at the root password from the network.

Disallow root login remotely? [Y/n] ## Press Enter ##
… Success!
By default, MySQL comes with a database named ‘test’ that anyone can access. This is also intended only for testing, and should be removed before moving into a production environment.

Remove test database and access to it? [Y/n] ## Press Enter ##
– Dropping test database…
… Success!G
– Removing privileges on test database…
… Success!
Reloading the privilege tables will ensure that all changes made so far will take effect immediately.

Reload privilege tables now? [Y/n] ## Press Enter ##
… Success!

Cleaning up…

All done! If you’ve completed all of the above steps, your MySQL installation should now be secure.

Thanks for using MySQL!

     After securing the MariaDB database we can now prep a GLPI database as well as create a service account for GLPI. Login into MariaDB using the username and password you specified earlier during the initial “mysql_secure_installation” process.

mysql -u root -p
create database glpi;
CREATE USER 'SAYOURUSER'@'localhost' IDENTIFIED BY 'YOURPASSWORD';
GRANT ALL PRIVILEGES ON glpi. * TO 'SAYOURUSER'@'localhost' IDENTIFIED BY 'YOURPASSWORD';
FLUSH PRIVILEGES;

Setup and Install GLPI:

     Remember the GLPI package that was download earlier? Locate the GLPI package and run the following commands against it.

tar -xvf glpi-9.x.x.tgz

Command Explanation

  • TAR
    • TAR is an archive program
      • -xvf means to verbosely extract the tar ball

     After extracting the tar ball you will have a folder called GLPI, copy that exacted GLPI folder to the Apache web directory. In CentOS, that is located at “/var/www/html”

cp -R glpi /var/www/html

Command Explanation

  • CP
    • CP means to copy files or folders
      • -R means to recursively copy files and folders

     Since we are installing GLPI from its source, the permissions get a little funky so we will need to assign the correct user and permissions for that GLPI folder.

chmod -R 755 /var/www/html/glpi

Command Explanation

  • chmod
    • Used to change access permissions to file object
      • -R is recursive for everything
      • 755 permission types for: owner, group, and other
chown -R apache:apache /var/www/html/glpi

Command Explanation

  • chown
    • Changing the owner and group for a file or folder
      • -R is recursive for everything
      • apache:apache is the owner/group

     So you may be thinking well that wasn’t so hard and you are right. Those commands are in the GLPI documentation though the following commands are not, which if not applied will stop this install in its tracks! Also on a slight side note if someone tells you to disable SELinux you stop and slap them in the face. SELinux is an amazing security tool that can be the last line of defense if your system was ever to become compromised. Yes SELinux can be hard to learn at first but it is worth it.

chcon -R -t httpd_sys_rw_content_t /var/www/html/glpi/

Command Explanation

  • chcon
    • Changes the SELinux context for files.
      • -R is recursive
      • -t is the context type
      • httpd_sys_rw_content_t is the type meaning the file can be accessed from the internet.
setsebool -P httpd_can_network_connect 1
setsebool -P httpd_can_network_connect_db 1
setsebool -P httpd_can_sendmail 1

Command Explanation

  • setsebool
    • SELinux policy rules
    • -P persistent across reboots
    • httpd_can_xxx_xxx 1, boolean type and 1 is to turn on

Finish GLPI Installation via Web Interface:

     The rest of the installation is very simple and easy to do. Please take a look that the pictures below to finish getting your GLPI installation up and running.

Thoughts?:

     Thank you for taking the time to read this article, I hope that it was helpful in some way to you. If you noticed anything wrong or have a better way of doing this please don’t hesitate to comment below or send me a email. Thank you!

References:


Celerium.Org Logo


Leave a Reply