Setup & Install OCSng on CentOS 7

What is OCSng?:

     “Open Computers and Software Inventory”, or OCS for short, is an open source asset management and deployment solution. OCS has many features and has come a long way since it first launched back in 2005. One of its best features is the agents: OCS agents gather the software and hardware composition of every computer or server and send it to an on-prem OCS server for centralized management.

     Since version 2.0, OCS Inventory is compatible with SNMP. With the SNMP scan functionality, OCS can now inventory assets that cannot accept an agent, such as printers, scanners, routers, computers without agents, and much more. Another great feature is the plugins that OCS supports. Two of my personal favorites are the BitLocker and Uptime plugins that you can install.

Goal of this Article:

     In this article, my goal is to go over how to setup & install OCSng from the beginning to the end including the proper SELinux commands. This will be a very basic configuration, just to give you a proof of concept. To learn more about OCS and its features please come back later as I plan on making a lot more articles on the ins and outs of OCS. 

Environment Overview:

     Before we begin the setup & installation of OCS, I would like to go over from a high level the tools and packages that I will be using for this guide.  I will be using CentOS 7 minimal 1804 with some extra repositories (epel-release, REMI, and MariaDB). Along with those extra packages there are a lot of smaller packages that you will not need right away but will prove useful as you build out your own OCS instance later on.

 
Name:         CentOS 7                    Web Server       Database        PHP
Description:  1804 minimal installation   Apache 2.4.x +   MariaDB 10.0+   7.x +

Please note:

  • If you have installed GLPI on the box already, please skip to “Prerequisite Setup:” section where you are installing extra php and perl modules.
  • I will do my best to explain what each package and command does so that you have a better understanding of what you are going to be installing. 

Initial Setup:

     To start, you will need to open an SSH session to your CentOS 7 machine; if you are on Windows you can use PuTTY to achieve this. Once you are logged into your system, run the following commands:

yum -y install epel-release

Command Explanation
Extra Packages for Enterprise Linux, or EPEL, is a special interest group from Fedora that creates and maintains additional sets of packages for RHEL, SL and other Linux distros.

yum -y install http://rpms.remirepo.net/enterprise/remi-release-7.rpm

Command Explanation
The REMI repository provides the latest versions of the PHP stack, full featured, and some other software, for Fedora and Enterprise Linux.

yum -y install yum-utils

Command Explanation
yum-utils is a collection of useful programs for managing yum repositories and packages.

yum -y install net-tools vim wget mlocate

Command Explanation

  • net-tools
    • This package provides the ifconfig command.
  • vim
    • A highly configurable text editor, an improved version of vi.
  • wget
    • Program that can be used to retrieve content from web pages.
  • mlocate
    • Program to help you find file locations

Prerequisite Setup:

     After downloading and installing some baseline packages you will need to create and enable a MariaDB repository.

vim /etc/yum.repos.d/MariaDB.repo

     Edit the newly created file with the following information

MariaDB.repo

  • [mariadb]
  • name = MariaDB
  • baseurl = http://yum.mariadb.org/10.1/centos7-amd64
  • gpgkey=https://yum.mariadb.org/RPM-GPG-KEY-MariaDB
  • gpgcheck=1

     Remember earlier in this article when we used “yum” to install the REMI repo? Now it’s time to enable the REMI repo and select the PHP package\version to install that is needed for OCS to run properly.

yum-config-manager --enable remi-php73    # Install PHP 7.3

Command Explanation
--enable remi-php73 allows us to bypass epel-release’s PHP version and use the latest stable PHP version from the REMI repo.

     Please note, we are going to download the OCS server from GitHub in this command, but we won’t use it right now.

wget https://github.com/OCSInventory-NG/OCSInventory-ocsreports/releases/download/2.5/OCSNG_UNIX_SERVER_2.5.tar.gz

Command Explanation

  • wget
    • This command tells the system to download a package from a web address

[—If GLPI is installed, run the following command and then skip to the “Database Setup and Configurations:” section of this article below.—]

yum -y install httpd mariadb mariadb-server php php-common php-domxml php-gd php-imap php-ldap php-mbstring php-mysql php-opcache php-pdo php-pear-CAS php-pecl-apcu php-pecl-zip php-soap php-xmlrpc perl-Archive-Zip perl-Compress-Zlib perl-DBD-MySQL perl-DBI perl-Mojolicious perl-Net-IP perl-Plack perl-SOAP-Lite perl-Switch perl-XML-Entities perl-XML-Simple

Command Explanation

  • httpd
    • Apache web server used for displaying websites
  • mariadb-server and mariadb
    • MariaDB is a popular open source version of MySQL.
  • php
  • perl
    • Perl is a popular open source programming language that is often used in web development.

     Now that we have all our prerequisites and packages installed, let’s make some slight tweaks to the “php.ini” file.

php -i | grep "Loaded Configuration File"

Command Explanation
This is a simple command that tells you where PHP is currently looking for its configuration file.

vim /etc/php.ini

     Locate the following lines in the “php.ini” file and make the appropriate changes with what is listed below. Please note that in newer versions of PHP the limits are usually much greater than what is recommended by OCS. This is fine, as what is listed below is the recommended minimum that is needed for OCS.

  • Example:
    • (PHP7.x) memory_limit = 128M (This is the default right out of the gate for PHP 7.x)

php.ini

  • memory_limit = 64M ;              // max memory limit
  • file_uploads = on ;
  • max_execution_time = 600 ;   // not mandatory but advised
  • register_globals = off ;            // not mandatory but advised
  • magic_quotes_sybase = off ;
  • session.auto_start = off ;
  • session.use_trans_sid = 0 ;   // not mandatory but advised

     Next we need to allow communications through the CentOS firewall service so that Apache will work correctly.

firewall-cmd --permanent --add-service=http
firewall-cmd --reload

Command Explanation
This command adds a persistent rule to your firewall to allow HTTP traffic, i.e. port 80, to your system.

     Then we will enable apache and the mariadb services so that they will auto start on reboots.

systemctl enable httpd
systemctl enable mariadb

     After we have enabled both apache and the mariadb database service, you will need to start them.

systemctl start httpd
systemctl start mariadb

Database Setup and Configurations:

     Now that the MariaDB database is up and running we need to change its default configuration to be more secure.

mysql_secure_installation

Command Explanation
This will start an initial configuration screen for mariadb

     You can read through the following section or you can check out the condensed commands below of what you will need to fill out.

mysql terminal view

NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MySQL SERVERS IN PRODUCTION USE!
PLEASE READ EACH STEP CAREFULLY!
In order to log into MySQL to secure it, we’ll need the current password for the root user.
If you’ve just installed MySQL, and you haven’t set the root password yet, the password will be blank, so you should just press enter here.

Enter current password for root (enter for none): ## Press Enter ##
OK, successfully used password, moving on…
Setting the root password ensures that nobody can log into the MySQL root user without the proper authorization.

Set root password? [Y/n] ## Press Enter ##
New password: ## Enter new password ##
Re-enter new password: ## Re-enter new password ##
Password updated successfully!
Reloading privilege tables..
… Success!

By default, a MySQL installation has an anonymous user, allowing anyone to log into MySQL without having to have a user account created for them.
This is intended only for testing, and to make the installation go a bit smoother. You should remove them before moving into a production environment.

Remove anonymous users? [Y/n] ## Press Enter ##
… Success!

Normally, root should only be allowed to connect from ‘localhost’. This ensures that someone cannot guess at the root password from the network.

Disallow root login remotely? [Y/n] ## Press Enter ##
… Success!
By default, MySQL comes with a database named ‘test’ that anyone can access. This is also intended only for testing, and should be removed before moving into a production environment.

Remove test database and access to it? [Y/n] ## Press Enter ##
– Dropping test database…
… Success!
– Removing privileges on test database…
… Success!
Reloading the privilege tables will ensure that all changes made so far will take effect immediately.

Reload privilege tables now? [Y/n] ## Press Enter ##
… Success!

Cleaning up…

All done! If you’ve completed all of the above steps, your MySQL installation should now be secure.

Thanks for using MySQL!

MariaDB Settings

  • Set root password? [Y/n]                                      ## Y, Enter ##
  • New password:                                                     ## Enter the new database root password ##
  • Remove anonymous users? [Y/n]                        ## Y, Enter ##
  • Disallow root login remotely? [Y/n]                    ## Press Enter ##
  • Remove test database and access to it? [Y/n]      ## Press Enter ##
  • Reload privilege tables now? [Y/n]                     ## Press Enter ##

     After securing the MariaDB database we can now prep an OCS database as well as create a service account for OCS. Log in to MariaDB using the username and password you specified earlier during the initial “mysql_secure_installation” process.

  • Please Note:
    • I recommend using the default database, username and password during the initial setup, as I have run across issues where the setup will not work correctly if they are altered. You can change the username and password from the default later without any issues.

mysql -u root -p
CREATE DATABASE ocsweb;
CREATE USER 'ocs'@'localhost' IDENTIFIED BY 'ocs';
GRANT ALL PRIVILEGES ON ocsweb.* TO 'ocs'@'localhost' IDENTIFIED BY 'ocs';
FLUSH PRIVILEGES;

Install OCS Inventory Server:

     After prepping a database we will now go ahead and install the OCS server from a repo. This is not the complete setup as OCS has multiple server types.

wget https://rpm.ocsinventory-ng.org/ocsinventory-release-latest.el7.ocs.noarch.rpm
yum install ocsinventory-release-latest.el7.ocs.noarch.rpm

Now run the following command to install the OCS inventory server

yum install ocsinventory-server

Install the OCS Management Server:

     Remember the OCS server package that was downloaded earlier? Locate the OCS package and run the following commands against it.

tar -xvzf OCSNG_UNIX_SERVER_2.5.tar.gz

Command Explanation

  • TAR
    • TAR is an archive program
      • -xvzf means to extract (x) the gzip-compressed (z) tar ball file (f) verbosely (v)

cd OCSNG_UNIX_SERVER_2.5
ls -la

Command Explanation

  • ls
    • Used to list the contents of a directory
      • -l means to list long instead of the default parallel view
      • -a means to show all entries, including hidden files whose names start with a dot

     In your terminal you will see a list of files and folders, look for the file called setup.sh and run the following command against it

sh setup.sh

Command Explanation

  • sh
    • sh means shell and refers to the old UNIX command line interpreter
      • sh setup.sh tells the shell to run the commands in this file

     I won’t show the entire OCS setup dump here, as it’s a lot of information to look through. Instead you can check out the gallery or you can glance over the condensed output below of what you will need to fill out during the installation process.

OCS Management Settings

  • Which host is running database server [localhost] ?     ## Enter ##
  • On which port is running database server [3306] ?      ## Enter ##
  • Where is Apache daemon binary [/usr/sbin/httpd] ?     ## Enter ##
  • Where is Apache main configuration file [/etc/httpd/conf/httpd.conf] ?     ## Enter ##
  • Which user account is running Apache web server [apache] ?     ## Enter ##
  • Which user group is running Apache web server [apache] ?     ## Enter ##
  • Where is PERL interpreter binary [/usr/bin/perl] ?     ## Enter ##
  • Do you wish to setup Communication server on this computer ([y]/n)?     ## Y, Enter ##
  • Where to put Communication server log directory [/var/log/ocsinventory-server] ?     ## Enter ##
  • Where to put Communication server plugins configuration files [/etc/ocsinventory-server/plugins] ?     ## Enter ##
  • Where to put Communication server plugins Perl modules files [/etc/ocsinventory-server/perl] ?     ## Enter ##
  • Do you wish to setup Rest API server on this computer ([y]/n)?     ## Y, Enter ##
  • Where do you want the API code to be store [/usr/lib/perl5/vendor_perl] ?     ## Enter ##
  • Do you allow Setup renaming Communication Server Apache configuration file to ‘z-ocsinventory-server.conf’ ([y]/n) ?      ## Y, Enter ##
  • Checking for Administration Server directories: Do you wish to continue ([y] /n)?     ## Y, Enter ##
  • Where to copy Administration Server static files for PHP Web Console [/usr/share/ocsinventory-reports]?     ## Enter ##
  • Where to create writable/cache directories [/var/lib/ocsinventory-reports]?      ## Enter ##

Configuring the OCS Management Server:

     Since we are installing OCS from its source, the permissions get a little funky so we will need to assign the correct user and permissions.

chmod -R 766 /usr/share/ocsinventory-reports

Command Explanation

  • chmod
    • Used to change access permissions to file object
      • -R is recursive for everything
      • 766 sets the permissions for owner (read/write/execute), group (read/write), and other (read/write)

chown -R apache:apache /usr/share/ocsinventory-reports/
chown -R apache:apache /var/lib/ocsinventory-reports/

Command Explanation

  • chown
    • Changing the owner and group for a file or folder
      • -R is recursive for everything
      • apache:apache is the owner/group

chcon -R -t httpd_sys_rw_content_t /usr/share/ocsinventory-reports/

Command Explanation

  • chcon
    • Changes the SELinux context for files. A change made with chcon does not survive a filesystem relabel.
      • -R is recursive
      • -t is the context type
      • httpd_sys_rw_content_t is the type that allows the Apache (httpd) process to read and write the files.
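
     The "chmod -R 766" above leaves every file and directory in the web root writable by any local account. As an added example (not part of the original article or the OCS project), the script below reproduces that mode on a constructed temp tree, counts the world-writable entries, and applies an owner-only alternative. The 750/640 modes are an assumption that relies on apache owning the tree, as the chown commands above arrange.

```shell
#!/bin/sh
# Added example: audit and tighten the modes left behind by "chmod -R 766".
# It only touches a throwaway temp directory, never the real web root.

# Count entries under $1 that any local user can write to (o+w bit set).
count_world_writable() {
    find "$1" ! -type l -perm -0002 | wc -l | tr -d ' '
}

# Owner-only write: directories 750 (x is needed to traverse), files 640.
# Assumes the tree is owned by the web server account (apache:apache).
tighten_perms() {
    find "$1" -type d -exec chmod 750 {} +
    find "$1" -type f -exec chmod 640 {} +
}

# Constructed stand-in for /usr/share/ocsinventory-reports with the
# article's recursive 766 applied to it.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/ocsreports/plugins"
    : > "$root/ocsreports/index.php"
    : > "$root/ocsreports/dbconfig.inc.php"
    : > "$root/ocsreports/plugins/readme.txt"
    chmod -R 766 "$root"
    echo "$root"
}

# Prints: world-writable count before, count after, final mode of the
# file that holds the database password.
demo() {
    tree=$(make_sample_tree)
    before=$(count_world_writable "$tree")
    tighten_perms "$tree"
    after=$(count_world_writable "$tree")
    mode=$(ls -l "$tree/ocsreports/dbconfig.inc.php" | cut -c1-10)
    rm -rf "$tree"
    echo "$before $after $mode"
}

demo
```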

     After all that, we will need to do some cleanup on the installation files and database. First we need to move OCS’s default “install.php” file; otherwise the web interface will throw a warning.

mv /usr/share/ocsinventory-reports/ocsreports/install.php /usr/share/ocsinventory-reports/ocsreports/install.php.bck

Command Explanation

  • mv
    • Move or rename a file 
      • When you move a file to the same folder it is already in, you can define a new name for it.

     Now let’s change the default password that was set up on the OCS database in the beginning.

mysql -u root -p
UPDATE mysql.user SET password = PASSWORD('NEW-PASSWORD') WHERE user = 'ocs';
FLUSH PRIVILEGES;

     After changing the default password we will now need to update our OCS configuration files to reflect that change.

vim /etc/httpd/conf.d/z-ocsinventory-server.conf

z-ocsinventory-server.conf

  • PerlSetVar OCS_DB_PWD "NEW-PASSWORD"

vim /usr/share/ocsinventory-reports/ocsreports/dbconfig.inc.php

dbconfig.inc.php

  • define("PSWD_BASE","NEW-PASSWORD");
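
     The password now lives in three places (the database, the Apache configuration and dbconfig.inc.php), and the comparison is case-sensitive. As an added example (not from the original article or the OCS project), the script below reads the two configuration values and reports whether they are missing, differ from each other, or are still the install-time default "ocs". The sample files are constructed, and the parser assumes the double-quoted define() form shown above.

```shell
#!/bin/sh
# Added example: consistency check for the OCS database password settings.

# Last "PerlSetVar OCS_DB_PWD" value in an Apache conf file, quotes stripped.
# Commented-out lines are skipped because their first field is not PerlSetVar.
apache_db_pwd() {
    awk '$1 == "PerlSetVar" && $2 == "OCS_DB_PWD" { v = $3; gsub(/"/, "", v); out = v }
         END { print out }' "$1"
}

# Value of the PSWD_BASE constant in dbconfig.inc.php (double-quoted form).
php_db_pwd() {
    awk -F'"' '/^[ \t]*define\([ \t]*"PSWD_BASE"/ { out = $4 }
               END { print out }' "$1"
}

# Print one of: missing, mismatch, default, ok.
check_ocs_db_pwd() {
    a=$(apache_db_pwd "$1")
    p=$(php_db_pwd "$2")
    if [ -z "$a" ] || [ -z "$p" ]; then echo missing
    elif [ "$a" != "$p" ]; then echo mismatch   # case-sensitive comparison
    elif [ "$a" = "ocs" ]; then echo default    # install-time password in use
    else echo ok
    fi
}

# Constructed sample files standing in for z-ocsinventory-server.conf and
# dbconfig.inc.php; three states are checked in turn.
demo() {
    d=$(mktemp -d)
    printf '%s\n' '  PerlSetVar OCS_DB_USER ocs' '  PerlSetVar OCS_DB_PWD "ocs"' > "$d/apache.conf"
    printf '%s\n' '<?php' 'define("PSWD_BASE","ocs");' > "$d/db.php"
    r1=$(check_ocs_db_pwd "$d/apache.conf" "$d/db.php")
    printf '%s\n' '  PerlSetVar OCS_DB_PWD "New-Password"' > "$d/apache.conf"
    printf '%s\n' '<?php' 'define("PSWD_BASE","NEW-PASSWORD");' > "$d/db.php"
    r2=$(check_ocs_db_pwd "$d/apache.conf" "$d/db.php")
    printf '%s\n' '  PerlSetVar OCS_DB_PWD "NEW-PASSWORD"' > "$d/apache.conf"
    r3=$(check_ocs_db_pwd "$d/apache.conf" "$d/db.php")
    rm -rf "$d"
    echo "$r1 $r2 $r3"
}

demo
```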

     And last but not least don’t forget to restart both your apache and mariadb services.

systemctl restart httpd
systemctl restart mariadb

Finish OCS Installation via Web Interface:

     The rest of the installation is very simple and easy to do. Please refer to the pictures below to finish getting your OCS installation up and running.

Installing the Windows OCS Agent:

     Now that the server is set up, let’s get an agent installed so you can have a proof of concept. On a Windows machine, download the agent from OCS’s site.

     After you have the Windows agent downloaded, extract the contents and follow along with the gallery below, making the necessary changes to fit the IP or name of your server.

     Give the Windows agent a few minutes, then back in the OCS interface refresh the page and go to the “All Computers” section, and you should now see the Windows machine you just installed the agent on.

Thoughts?:

     Thank you for taking the time to read this article; I hope that it was helpful in some way to you. If you noticed anything wrong or have a better way of doing this, please don’t hesitate to comment below or send me an email. Thank you!
