Skip to content

Latest commit

 

History

History
558 lines (416 loc) · 14.8 KB

Install-Under-CentOS_LEMP.md

File metadata and controls

558 lines (416 loc) · 14.8 KB

Installing on CentOS 7

LEMP (Linux, Nginx, MySQL, PHP) Required packages

Web Server

  1. Install Nginx

    yum install -y nginx
  2. Enable and start the service to ensure it starts when the system reboots

    systemctl start nginx
    systemctl enable nginx

Example configuration file for Nginx and SSL

This example assumes you have your own certificates already. You should make sure you change the paths to match your setup.

Replace YourOwnCertFile.crt and YourOwnCertFile.key with the names of the files holding your certificate (.crt) and private key (.key).

/etc/nginx/conf.d/cacti.conf
# Advanced config for NGINX
#server_tokens off;
add_header X-XSS-Protection "1; mode=block";
add_header X-Content-Type-Options nosniff;

# Redirect all HTTP traffic to HTTPS
server {
   listen 80;
   server_name cacti.yourdomain.com; #No one likes unencrypted web servers
   #return 301 https://$host$request_uri; # some nginx do not support 'return';
}

# SSL configuration
server {
   listen 443 ssl default deferred;
   server_name cacti.yourdomain.com;
   root /usr/share/nginx/html/cacti;
   index index.php index.html index.htm;

   # Compression increases performance0
   gzip on;
   gzip_types      text/plain text/html text/xml text/css application/xml application/javascript application/x-javascript application/rss+xml application/xhtml+xml;
   gzip_proxied    no-cache no-store private expired auth;
   gzip_min_length 1000;

   location / {
      try_files $uri $uri/ /index.php$query_string;
   }

   error_page 404 /404.html;
   error_page 500 502 503 504 /50x.html;
   location = /50x.html {
      root /usr/share/nginx/html/;
   }

   location ~ \.php$ {
      alias /usr/share/nginx/html/cacti;
      index index.php
      try_files $uri $uri/ =404;
      fastcgi_split_path_info ^(.+\.php)(/.+)$;

      # you may have to change the path here for your OS
      fastcgi_pass unix:/var/run/php-fpm/php-fpm.sock;
      fastcgi_index index.php;
      fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
      include /etc/nginx/fastcgi_params;
   }

   location /cacti {
      root /usr/share/nginx/html/;
      index index.php index.html index.htm;
      location ~ ^/cacti/(.+\.php)$ {
         try_files $uri =404;
         root /usr/share/nginx/html;

         # you may have to change the path here for your OS
         fastcgi_pass unix:/var/run/php-fpm/php-fpm.sock;
         fastcgi_index index.php;
         fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
         include /etc/nginx/fastcgi_params;
      }

      location ~* ^/cacti/(.+\.(jpg|jpeg|gif|css|png|js|ico|html|xml|txt))$ {
         expires max;
         log_not_found off;
      }
   }

   location /doc/ {
      alias /usr/share/nginx/html/cacti/doc/;
      location ~* ^/docs/(.+\.(html|md|txt))$ {
         root /usr/share/nginx/html/cacti/;
         autoindex on;
         allow 127.0.0.1; # Change this to allow your local networks
         allow ::1;
         deny all;
      }
   }

   location /cacti/rra/ {
      deny all;
   }

   ## Access and error logs.
   access_log /var/log/nginx/cacti_access.log;
   error_log  /var/log/nginx/cacti_error.log info;

   ssl_certificate      /etc/ssl/certs/YourOwnCertFile.crt;
   ssl_certificate_key  /etc/ssl/private/YourOwnCertKey.key;

   # Improve HTTPS performance with session resumption
   ssl_session_cache shared:SSL:10m;
   ssl_session_timeout 5m;

   # Enable server-side protection against BEAST attacks
   #ssl_prefer_server_ciphers on;
   ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:!ADH:!AECDH:!MD5;

   # Disable SSLv3
   ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

   # Diffie-Hellman parameter for DHE cipher suites
   # $ sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 4096
   ssl_dhparam /etc/ssl/certs/dhparam.pem;

   # Enable HSTS (https://developer.mozilla.org/en-US/docs/Security/HTTP_Strict_Transport_Security)
   add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
}

Database Server

The choice between MySQL server and MariaDB is normally down to the OS maintainers if you use one of the predefined LAMP setup installations. If you are deciding between these yourself, you should research this via your favorite search engine.

Whilst MySQL is the original open source SQL database server created in 1995 which is now owned by Oracle, MariaDB is designed as a drop-in replacement by some of the original MySQL developers / owners. This will likely continue to be a drop-in alternative until there is a major divergence that can not be bridged.

MySQL

  1. Install MySQL server

    yum install -y mysql mysql-server
  2. Enable and start the service to ensure it starts when the system reboots

    systemctl enable mysqld
    systemctl start mysqld

MariaDB

  1. Install MariaDB server

    yum install -y MariaDB-server MariaDB-client
  2. Enable and start the service to ensure it starts when the system reboots

    systemctl enable mariadb
    systemctl start mariadb

MySQL/MariaDB common tasks and recommendations

IMPORTANT: Secure your MySQL installation before doing any more changes

/usr/bin/mysql_secure_installation

The following MySQL/MariaDB recommendations may vary depending on your system setup. In any case, Cacti will prompt you with more accurate recommendations during the installation.

  1. Edit your server.cnf file

    vim /etc/my.cnf.d/server.cnf

    The following [mysqld] section is a base configuration. The installer will provide recommendations based on the actual system which will be more tailored to your environment.

    If using MariaDB less than version 11.1 or MySQL use the settings below. Note that you should revise up or down your settings depending on the Cacti recommendation that you see once you start the installer.

    [mysqld]
    character_set_client            = utf8mb4
    character-set-server            = utf8mb4
    collation-server                = utf8mb4_unicode_ci
    innodb_file_format              = Barracuda
    max_allowed_packet              = 16777777
    max_heap_table_size             = 500M
    join_buffer_size                = 32M
    innodb_file_per_table           = ON
    innodb_large_prefix             = 1
    innodb_buffer_pool_size         = 500M
    innodb_additional_mem_pool_size = 90M
    innodb_flush_log_at_trx_commit  = 2
    log-error                       = /var/log/mysql/mysql-error.log
    log-queries-not-using-indexes   = 1
    slow-query-log                  = 1
    slow-query-log-file             = /var/log/mysql/mysql-slow.log

    If using MariaDB 11.0 or higher, use the settings below:

    [mariadb]
    character_set_client            = utf8mb4
    character_set_server            = utf8mb4
    collation_server                = utf8mb4_unicode_ci
    max_heap_table_size             = 500M
    join_buffer_size                = 32M
    innodb_buffer_pool_size         = 8G
    innodb_doublewrite              = OFF
    tmp_table_size                  = 500M
    log-error                       = /var/log/mysql/mysql-error.log
    log-queries-not-using-indexes   = 1
    slow-query-log                  = 1
    slow-query-log-file             = /var/log/mysql/mysql-slow.log
  2. Restart MySQL/MariaDB service to pick up the changes

    systemctl restart mysql
  3. Populate timezone table with available timezones

    mysql_tzinfo_to_sql /usr/share/zoneinfo | mysql -u root -p mysql

Setup Cacti database

  1. Login to MySQL/MariaDB as root to create Cacti database

    # mysql -u root -p
    MariaDB [(none)]> create database if not exists cacti;
    Query OK, 1 row affected (0.00 sec)
  2. Import Cacti database from SQL file

    MariaDB [(none)]> use cacti;
    Database changed
    MariaDB [(cacti)]> source /var/www/html/cacti/cacti.sql
  3. Grant Cacti username access to Cacti database. Replace your_cacti_username and your_cacti_password with your own details.

    MariaDB [(none)]> GRANT ALL PRIVILEGES ON cacti.* TO 'your_cacti_username'@'localhost' IDENTIFIED BY 'your_cacti_password';
    Query OK, 0 rows affected (0.00 sec)
  4. Grant cacti username to MySQL timezone table

    MariaDB [(none)]> GRANT SELECT ON mysql.time_zone_name TO 'cacti'@'localhost';
    Query OK, 0 rows affected (0.00 sec)
    MariaDB [(none)]> FLUSH PRIVILEGES;
    Query OK, 0 rows affected (0.00 sec)
  5. Save the Database Charset and Collation

    MariaDB [(none)]> ALTER DATABASE cacti CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;
    MariaDB [(none)]> FLUSH PRIVILEGES;

Common PHP packages

PHP

PHP and various packages are all required by Cacti for successful operation

  1. Install PHP and required packages.

    yum install -y php php-common php-bcmath php-cli \
    php-mysqlnd php-gd php-gmp php-intl \
    php-json php-ldap php-mbstring \
    php-pdo php-pear php-snmp php-process \
    php-xml php-zip php-fpm

Note: php-fpm is only required if your Web Server is Nginx

  1. Set a timezone to your PHP.INI configuration

    Edit php.ini, typically located at /etc/php.ini

    date.timezone = Pacific/Auckland
  2. Disable insecure cgi.fix_pathinfo

    cgi.fix_pathinfo=0

Setup php-fpm

  1. Enable and start the service to ensure it starts when the system reboots

    systemctl start php-fpm
    systemctl enable php-fpm
  2. Edit /etc/php-fpm.d/www.conf

    Find listen = 127.0.0.1:9000 and add the following line below

    listen = /var/run/php-fpm/php-fpm.sock

    Find listen.owner and listen.group and set them to nginx

    listen.owner = nginx
    listen.group = nginx

    Find user and group and set them to nginx

    user = nginx
    group = nginx

    Restart php-fpm to pick up the changes

    systemctl restart php-fpm

RRDtool

RRDtool is required to store the data retrieved from devices in .rra files to produce the graphs which are shown within Cacti

yum install -y rrdtool

SNMP

SNMP is used to query most devices for information.

yum install -y net-snmp net-snmp-utils
echo "rocommunity public" > /etc/snmp/snmpd.conf
systemctl enable snmpd
systemctl start snmpd

Cacti

The following steps will show you how to manually download, install and configure the basics for Cacti.

  1. Download Cacti source code from Cacti Web Site

    cd /tmp
    wget https://www.cacti.net/downloads/cacti-1.y.z.tar.gz
    tar -zxvf cacti-1.y.z.tar.gz
    mv -v cacti-1.y.z /usr/share/nginx/html/cacti
  2. Edit the config.php file

    mv -v /usr/share/nginx/html/cacti/include/config.php-dist /usr/share/nginx/html/cacti/include/config.php
  3. Update database_ fields with your own details. This section only applies to the Main Cacti Server

    $database_type     = 'mysql';
    $database_default  = 'your_cacti_database';
    $database_hostname = 'localhost';
    $database_username = 'your_cacti_username';
    $database_password = 'your_cacti_password';
    $database_port     = '3306';
    $database_ssl      = false;
    $database_ssl_key  = '';
    $database_ssl_cert = '';
    $database_ssl_ca   = '';
  4. Set your cookie domain to match your web site domain name

    $cacti_cookie_domain = 'cacti.yourdomain.com';
  5. Create your cron task file or systemd units file

    Starting with Cacti 1.2.16, you have the option to use either the legacy Crontab entry, or an optional cactid units file and server to run your Cacti pollers.

    For Crontab use, follow the instructions below:

    Create and edit /etc/cron.d/cacti file. Make sure to setup the correct path to poller.php

    */5 * * * * nginx php /var/www/html/cacti/poller.php &>/dev/null

    For systemd unit's file install, you will need to modify the included units file to following your install location and desired user and group's to run the Cacti poller as. To complete the task, follow the procedure below:

    vim /var/www/html/cacti/service/cactid.service (edit the path)
    touch /etc/sysconfig/cactid
    cp -p /var/www/html/cacti/service/cactid.service /etc/systemd/system
    systemctl enable cactid
    systemctl start cactid
    systemctl status cactid

    The systemd units file makes managing a highly available Cacti setup a bit more convenient.

Spine

  1. Install the necessary packages to compile and install spine

    yum install -y autoconf automake libtool dos2unix help2man \
    openssl-devel mariadb-devel net-snmp-devel
  2. Download spine source code from Cacti Web Site

    Go to /tmp to download the source code and extract it

    cd /tmp
    wget https://www.cacti.net/downloads/spine/cacti-spine-1.y.z.tar.gz
    tar -zxvf cacti-spine-1.y.z.tar.gz
    cd cacti-spine-1.y.z
  3. Run the configure script and compile spine.

    # ./configure
    # make &  make install
    config/install-sh -c -d '/usr/local/spine/bin'
    /bin/sh ./libtool   --mode=install /usr/bin/install -c spine '/usr/local/spine/bin'
    libtool: install: /usr/bin/install -c spine /usr/local/spine/bin/spine
    config/install-sh -c -d '/usr/local/spine/etc'
    /usr/bin/install -c -m 644 spine.conf.dist '/usr/local/spine/etc'
    config/install-sh -c -d '/usr/local/spine/share/man/man1'
    /usr/bin/install -c -m 644 spine.1 '/usr/local/spine/share/man/man1'
  4. Edit spine.conf

    Rename spine.conf.dist to spine.conf

    mv -v /usr/local/spine/etc/spine.conf.dist /usr/local/spine/etc/spine.conf
    vi /usr/local/spine/etc/spine.conf
  5. Now set up your database connection

    DB_Host       localhost
    DB_Database   your_cacti_database
    DB_User       your_cacti_username
    DB_Pass       your_cacti_password
    DB_Port       3306
    #DB_UseSSL    0
    #RDB_SSL_Key
    #RDB_SSL_Cert
    #RDB_SSL_CA

Security Enhanced Linux (SELinux)

If you are having issues to access the web page, disable SELinux temporarily to prove that the issues come from the SELinux policy. It is NOT recommended to disable SELinux permanently.

CentOS has a lot of documentation on how to make your SELinux policy right.

Check SELinux status

getenforce

Disable SELinux temporarily

setenforce 0

Enable SELinux back

setenforce 1

Note: If you installed Cacti out of /usr/share/nginx/html make sure you fix up all SELinux context and permissions.


Copyright (c) 2004-2024 The Cacti Group