HOWTO Centos 7 Install

[apratchettfan]

--OS is Centos 7 Minimal ISO with Cacti 1.0.4
--Install OS using normal install, added hostname and static IP
--Lets not bring up the whole never root thing

#this is all via console, you can mostly copy and paste
# Update install and add a couple of utilities
yum update -y
yum install wget -y

#I like phpmyadmin for database stuff, so install the epel to get it
wget http://dl.fedoraproject.org/pub/epel/7/ ... noarch.rpm
rpm -ivh epel-release-7-9.noarch.rpm

#Using Maria vs MySQL, need to add yum repo --got this right from the mariadb website
# there isnt a default rpm, so we have to make it.
vi /etc/yum.repos.d/MariaDB.repo
# MariaDB 10.1 CentOS repository list - created 2017-03-07 03:37 UTC
# http://downloads.mariadb.org/mariadb/repositories/
[mariadb]
name = MariaDB
baseurl = http://yum.mariadb.org/10.1/centos7-amd64
gpgkey=https://yum.mariadb.org/RPM-GPG-KEY-MariaDB
gpgcheck=1

#New repo, clean up yum
yum clean all

#all our repos are installed so install DB, webserver, php rrdtool and snmp "stuff"
yum install -y yum install MariaDB-server MariaDB-client
yum install httpd httpd-devel php-mysql php-pear php-common php-gd php-devel php php-ldap php-mbstring php-cli -y
yum install php-snmp net-snmp-utils net-snmp-libs rrdtool phpmyadmin -y

#removing the mail server that was installed, not a necessary thing but its a habit
systemctl stop postfix
yum -y remove postfix

# i personally like the iptables vs firewalld -- install ipatbles and turn off firewalld
yum -y install iptables-services
systemctl stop firewalld
systemctl mask firewalld
systemctl enable iptables

#create a default set of rules for iptables
iptables -F
iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
service iptables save
systemctl start iptables

# only allow ip address from a 1.1.1.XXX or a 2.2.2.XXX address to connect to the phpmyadmin site
sed -i -e 's/Require ip 127.0.0.1/Require ip 1.1.1 2.2.2/g' /etc/httpd/conf.d/phpMyAdmin.conf
sed -i -e 's/Allow from 127.0.0.1/Allow from 1.1.1 2.2.2/g' /etc/httpd/conf.d/phpMyAdmin.conf

# start up web, dataBase and SNMP services
service httpd start
service mariadb start
service snmpd start

# Set the services to start on boot
systemctl enable httpd.service
systemctl enable mariadb.service
systemctl enable snmpd.service

# set the default security and root account for the mariaDB this script is provided by the MariaDB
/usr/bin/mysql_secure_installation

#remove/change some variables in the default php.ini
grep -v "upload_tmp_dir" /etc/php.ini > tempphp.ini; mv -f tempphp.ini /etc/php.ini
grep -v "session.save_path" /etc/php.ini > tempphp.ini; mv -f tempphp.ini /etc/php.ini
grep -v "allow_url_fopen" /etc/php.ini > tempphp.ini; mv -f tempphp.ini /etc/php.ini
grep -v "allow_url_include" /etc/php.ini > tempphp.ini; mv -f tempphp.ini /etc/php.ini
grep -v "expose_php" /etc/php.ini > tempphp.ini; mv -f tempphp.ini /etc/php.ini
grep -v "disable_functions" /etc/php.ini > tempphp.ini; mv -f tempphp.ini /etc/php.ini
grep -v "upload_max_filesize" /etc/php.ini > tempphp.ini; mv -f tempphp.ini /etc/php.ini
grep -v "post_max_size" /etc/php.ini > tempphp.ini; mv -f tempphp.ini /etc/php.ini

echo 'date.timezone = America/New_York' >> /etc/php.ini
echo 'upload_tmp_dir = "/tmp"' >> /etc/php.ini
echo 'session.save_path = "var/lib/php/session"' >> /etc/php.ini
echo 'allow_url_fopen = Off' >> /etc/php.ini
echo 'allow_url_include = Off' >> /etc/php.ini
echo 'expose_php = Off' >> /etc/php.ini
echo 'upload_max_filesize = 10M' >> /etc/php.ini
echo 'post_max_size = 10M' >> /etc/php.ini

#using this server with SeLinux enabled, so need to let apache read the php.ini file
chcon -t httpd_sys_content_t /etc/php.ini

#modify the httpd.conf to allow virtual hosts
sed -i -e 's/#NameVirtualHost /NameVirtualHost /g' /etc/httpd/conf/httpd.conf
sed -i -e 's/#ServerName www.example.com:80/ServerName cacti.yourdomain.com:80/g' /etc/httpd/conf/httpd.conf

#allow .htaccess files in the cacti web directory
echo '<Directory "/var/www/html/cacti.yourdomain.com/public_html">' >> /etc/httpd/conf/httpd.conf
echo 'AllowOverride All' >> /etc/httpd/conf/httpd.conf
echo '</Directory>' >> /etc/httpd/conf/httpd.conf

#make directories to store indiviual vhost configurations and then add the directory for apache to include
mkdir /etc/httpd/conf.d/vhost
echo 'IncludeOptional conf.d/vhost/*.conf' >> /etc/httpd/conf/httpd.conf

#make directories to store the cacti web files and log files
mkdir /var/www/html/cacti.yourdomain.com
mkdir /var/www/html/cacti.yourdomain.com/logs

#SeLinux needs to allow apache to use the logs folder
chcon -R -t httpd_log_t /var/www/html/cacti.yourdomain.com/logs

#Rotate the log files so they dont get to be one huge file
touch /etc/logrotate.d/cacti.yourdomain.com
echo '/var/www/html/'cacti.yourdomain.com'/logs/access.log /var/www/html/'cacti.yourdomain.com'/logs/error.log{' >> /etc/logrotate.d/cacti.yourdomain.com
echo 'missingok' >> /etc/logrotate.d/cacti.yourdomain.com
echo 'daily' >> /etc/logrotate.d/cacti.yourdomain.com
echo 'dateext' >> /etc/logrotate.d/cacti.yourdomain.com
echo 'extension .log' >> /etc/logrotate.d/cacti.yourdomain.com
echo 'rotate 30' >> /etc/logrotate.d/cacti.yourdomain.com
echo 'notifempty' >> /etc/logrotate.d/cacti.yourdomain.com
echo 'sharedscripts' >> /etc/logrotate.d/cacti.yourdomain.com
echo 'delaycompress' >> /etc/logrotate.d/cacti.yourdomain.com
echo 'postrotate' >> /etc/logrotate.d/cacti.yourdomain.com
echo ' /bin/systemctl reload httpd.service > /dev/null 2>/dev/null || true' >> /etc/logrotate.d/cacti.yourdomain.com
echo 'endscript' >> /etc/logrotate.d/cacti.yourdomain.com
echo '}' >> /etc/logrotate.d/cacti.yourdomain.com

#Create the vhost configuration file for the website fqdn
touch /etc/httpd/conf.d/vhost/cacti.yourdomain.com.conf
echo '<VirtualHost *:80>'cacti.yourdomain.com >> /etc/httpd/conf.d/vhost/cacti.yourdomain.com.conf
echo 'Alias /cacti /var/www/html/cacti.yourdomain.com/public_html' >> /etc/httpd/conf.d/vhost/cacti.yourdomain.com.conf
echo 'ServerName 'cacti.yourdomain.com >> /etc/httpd/conf.d/vhost/cacti.yourdomain.com.conf
echo 'ServerAlias www.'cacti.yourdomain.com >> /etc/httpd/conf.d/vhost/cacti.yourdomain.com.conf
echo 'DocumentRoot /var/www/html/'cacti.yourdomain.com'/public_html' >> /etc/httpd/conf.d/vhost/cacti.yourdomain.com.conf
echo 'ServerAdmin ed.harvey@cacti.yourdomain.com' >> /etc/httpd/conf.d/vhost/cacti.yourdomain.com.conf
echo 'ErrorLog /var/www/html/'cacti.yourdomain.com'/logs/error.log' >> /etc/httpd/conf.d/vhost/cacti.yourdomain.com.conf
echo 'CustomLog "/var/www/html/'cacti.yourdomain.com'/logs/access.log" combined' >> /etc/httpd/conf.d/vhost/cacti.yourdomain.com.conf
echo 'DirectoryIndex index.php' >> /etc/httpd/conf.d/vhost/cacti.yourdomain.com.conf
echo 'Options Indexes FollowSymLinks' >> /etc/httpd/conf.d/vhost/cacti.yourdomain.com.conf
echo '</VirtualHost>' >> /etc/httpd/conf.d/vhost/cacti.yourdomain.com.conf

#download and unzip cacti
cd /var/www/html/cacti.yourdomain.com/
wget http://www.cacti.net/downloads/cacti-1.0.4.tar.gz
tar -zxf cacti-1.0.4.tar.gz

#change to folder name to public_html vs the deafult cacti-1.0.4
mv cacti-1.0.4/ public_html

#after changing and adding http configs, restart the web server
systemctl restart httpd.service

#make the cacti db cacti and user cacti (phpmyadmin will allow you to make a user and a db at one time)
# i used phpmyadmin to do this, but it is possible to do it via the mysql command line.
#to use php myadmin, go to http://yourservername/phpmyadmin or http://yourserveripaddress/phpmyadmin

systemctl restart mariadb.service

#import deafult cacti data into the new datatabse
cd /var/www/html/cacti.yourdomain.com/public_html/
mysql -u cacti -p cacti < cacti.sql

#cacti uses an include file to define the dabatase name, the database user and user password in the config.php file
#replace the existing values with the new made ones
vi /var/www/html/cacti.yourdomain.com/public_html/include/config.php

#Cacti requires SeLinux changes on at least 2 directories as well as allowing apache to write to the folders
chcon -R -t httpd_sys_content_rw_t /var/www/html/cacti.yourdomain.com/public_html/rra/
chcon -R -t httpd_sys_content_rw_t /var/www/html/cacti.yourdomain.com/public_html/log/
chown -R apache /var/www/html/cacti.yourdomain.com/public_html/rra/ /var/www/html/cacti.yourdomain.com/public_html/log/

#Have the poller run every 5 minutes
vi /etc/cron.d/cacti
*/5 * * * * /usr/bin/php /var/www/html/cacti.yourdomain.com/public_html/poller.php > /dev/null 2>&1

#During the cacti install, the installer requires the DB server to have timezone tables and permission to reference.
#the maria install didnt populate the data, so have to load it into the default system database
mysql_tzinfo_to_sql /usr/share/zoneinfo | mysql -u root -p mysql

#cati requires the new cacti db user to have select on one of the newley created time zone tables.
# i used phpmyadmin to do this but it can be done via command line
#grant cacti user select permission on mysql db, timezone name table

#During the web Install file permissions need to be loosened
chown -R apache:apache /var/www/html/cacti.yourdomain.com/public_html
chcon -R -t httpd_sys_content_rw_t /var/www/html/cacti.yourdomain.com/public_html/

#actual cacti install, the installer is web based
# browse to http://yourserverip.com and it should run an installer.

#after the install is completed, reapply some default permissions
chown -R root:root /var/www/html/cacti.yourdomain.com/public_html/
chown -R apache:apache /var/www/html/cacti.yourdomain.com/public_html/log
chown -R apache:apache /var/www/html/cacti.yourdomain.com/public_html/cache/boost
chown -R apache:apache /var/www/html/cacti.yourdomain.com/public_html/cache/mibcache
chown -R apache:apache /var/www/html/cacti.yourdomain.com/public_html/cache/realtime
chown -R apache:apache /var/www/html/cacti.yourdomain.com/public_html/cache/spikekill

#all newly created folders and directories need proper SeLinux so re-write SeLinux
chcon -R -t httpd_sys_content_t /var/www/html/cacti.yourdomain.com/public_html
chcon -R -t httpd_sys_content_rw_t /var/www/html/cacti.yourdomain.com/public_html/log
chcon -R -t httpd_sys_content_rw_t /var/www/html/cacti.yourdomain.com/public_html/cache/boost
chcon -R -t httpd_sys_content_rw_t /var/www/html/cacti.yourdomain.com/public_html/cache/mibcache
chcon -R -t httpd_sys_content_rw_t /var/www/html/cacti.yourdomain.com/public_html/cache/realtime
chcon -R -t httpd_sys_content_rw_t /var/www/html/cacti.yourdomain.com/public_html/cache/spikekill

[JorisFRST]

Thanks,

looks like I still got some issues getting selinux to play ball with ping...
I know it's selinux, but can't figure it out.

I know this is not te solution :
"SELinux is preventing /usr/bin/ping from getopt access on the rawip_socket Unknown.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that ping should be allowed getopt access on the Unknown rawip_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'ping' --raw | audit2allow -M my-ping
# semodule -i my-ping.pp
"

[Osiris]

https://github.com/Cacti/cacti/issues/185