Pandora FMS installation guide for an Ubuntu server

Prerequisites

  • Ubuntu 22.04 server with root user privileges.
  • Internet connection.

Basic tools

In a terminal window as the root user:

apt install -y gawk sed grep

rm -rf /opt/pandora/deploy
mkdir -p /opt/pandora/deploy
cd /opt/pandora/deploy

apt update
apt install -y net-tools vim curl wget \
  software-properties-common apt-transport-https\
  ca-certificates gnupg lsb-release

Apache2 and PHP 8

add-apt-repository ppa:ondrej/php
apt update
apt upgrade
apt install -y php8.0-fpm php8.0-common libapache2-mod-fcgid php8.0-cli apache2
a2enmod proxy_fcgi setenvif
systemctl reload apache2
a2enconf php8.0-fpm
systemctl restart php8.0-fpm

PFMS Web Console dependencies

apt install -y \
  ldap-utils postfix \
  wget graphviz \
  xfonts-75dpi xfonts-100dpi \
  xfonts-ayu xfonts-intl-arabic \
  xfonts-intl-asian xfonts-intl-phonetic \
  xfonts-intl-japanese-big xfonts-intl-european \
  xfonts-intl-chinese xfonts-intl-japanese \
  xfonts-intl-chinese-big libzstd1 \
  gir1.2-atk-1.0 libavahi-common-data\
  cairo-perf-utils libfribidi-bin \
  php8.0-mcrypt php8.0-gd \
  php8.0-curl php8.0-mysql \
  php8.0-ldap php8.0-fileinfo \
  php8.0-gettext php8.0-snmp\
  php8.0-mbstring php8.0-zip \
  php8.0-xmlrpc php8.0-xml \
  php8.0-yaml libnet-telnet-perl\
  whois cron

PFMS Server dependencies

apt install -y \
  perl nmap\
  fping sudo \
  net-tools nfdump \
  expect openssh-client \
  postfix unzip \
  xprobe coreutils \
  libmoosex-role-timer-perl libmoosex-perl \
  libdbd-mysql-perl libcrypt-mysql-perl \
  libhttp-request-ascgi-perl liblwp-useragent-chicaching-perl \
  liblwp-protocol-https-perl snmp\
  libnetaddr-ip-perl libio-socket-ssl-perl\
  libio-socket-socks-perl libio-socket-ip-perl \
  libio-socket-inet6-perl libnet-telnet-perl \
  libjson-perl libencode-perl \
  cron libgeo-ip-perl\
  arping snmp-mibs-downloader \
  openjdk-8-jdk

mkdir -m 0755 -p /etc/apt/keyrings

curl -fsSL https://download.docker.com/linux/ubuntu/gpg | \
  sudo gpg --yes --dearmor -o /etc/apt/keyrings/docker.gpg

echo \
  "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" | \
  sudo tee /etc/apt/sources.list.d/docker.list

apt update -y
apt-get install -y \
  docker-ce docker-ce-cli containerd.io\
  docker-buildx-plugin docker-compose-plugin

systemctl disable docker --now
systemctl disable docker.socket --now

Dependencies for monitoring via WMI

curl -O https://firefly.pandorafms.com/pandorafms/utils/bin/wmic
curl -O https://firefly.pandorafms.com/pandorafms/utils/bin/pandorawmic
chmod +x pandorawmic wmic
cp -a wmic /usr/bin/
cp -a pandorawmic /usr/bin/

Fping

rm -f /usr/sbin/fping
ln -s /usr/bin/fping /usr/sbin/fping

Google Chrome Tool

wget https://dl.google.com/linux/direct/google-chrome-stable_current_amd64.deb
dpkg -i google-chrome-stable_current_amd64.deb
ln -s /usr/bin/google-chrome /usr/bin/chromium-browser

VMware Tool

apt install -y \
  lib32z1 lib32z1 \
  build-essential uuid uuid-dev \
  libssl-dev perl-doc\
  libxml-libxml-perl libcrypt-ssleay-perl \
  libsoap-lite-perl libmodule-build-perl
wget https://firefly.pandorafms.com/pandorafms/utils/VMware-vSphere-Perl-SDK-7.0.0-16453907.x86_64.tar.gz
tar -xzvf VMware-vSphere-Perl-SDK-7.0.0-16453907.x86_64.tar.gz
cd vmware-vsphere-cli-distrib/
sed --follow-symlinks -i -e "s/[^#].*show_EULA().*/ #show_EULA();/g" vmware-install.pl
./vmware-install.pl -default
cd ..

Oracle client tool

mkdir -p /opt/oracle
wget https://download.oracle.com/otn_software/linux/instantclient/19800/instantclient-basic-linux.x64-19.8.0.0.0dbru.zip
wget https://download.oracle.com/otn_software/linux/instantclient/19800/instantclient-sqlplus-linux.x64-19.8.0.0.0dbru.zip
rm -fr /opt/oracle/*
unzip instantclient-basic-linux.x64-19.8.0.0.0dbru.zip -d /opt/oracle/
unzip instantclient-sqlplus-linux.x64-19.8.0.0.0dbru.zip -d /opt/oracle/

cat>> /root/.profile <<'EOF_ENV'
#!/bin/bash
VERSION=19.8
export PATH=$PATH:/opt/oracle/instantclient_19_8
export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/opt/oracle/instantclient_19_8
export ORACLE_HOME=/opt/oracle/instantclient_19_8
EOF_ENV
source '/root/.profile'

IPAM dependencies

apt install -y \
  xprobe libnetaddr-ip-perl \
  coreutils libdbd-mysql-perl \
  libxml-simple-perl libgeo-ip-perl \
  libio-socket-inet6-perl libxml-twig-perl \
  libnetaddr-ip-perl

ODBC dependencies for MS SQL

curl -sSL https://packages.microsoft.com/keys/microsoft.asc | \
  tee /etc/apt/trusted.gpg.d/microsoft.asc
curl -sSL https://packages.microsoft.com/config/ubuntu/20.04/prod.list | \
  tee /etc/apt/sources.list.d/microsoft-prod.list
apt update
env ACCEPT_EULA=Y apt install -y msodbcsql17

AppArmor and UFW configuration

systemctl stop ufw.service
systemctl disable ufw
systemctl stop apparmor
systemctl disable apparmor

MySQL installation

curl -O https://repo.percona.com/apt/percona-release_latest.generic_all.deb
apt install -y gnupg2 lsb-release ./percona-release_latest.generic_all.deb
percona-release setup ps80
apt install -y percona-server-server percona-xtrabackup-80

systemctl start mysql

mysql -uroot -p

ALTER USER 'root'@'localhost' IDENTIFIED WITH mysql_native_password BY 'pandora';

create database pandora;

CREATE USER pandora IDENTIFIED BY 'pandora';

ALTER USER 'pandora' IDENTIFIED WITH mysql_native_password BY 'pandora';

GRANT ALL PRIVILEGES ON pandora.* TO 'pandora';

exit;

cat> /etc/mysql/my.cnf <<EOF_DB
[mysqld]
datadir=/var/lib/mysql
user=mysql
character-set-server=utf8mb4
skip-character-set-client-handshake
# Disabling symbolic-links is recommended to prevent assorted security risks
symbolic-links=0
# Mysql optimizations for Pandora FMS
# Please check the documentation in http://pandorafms.com for better results
max_allowed_packet = 64M
innodb_buffer_pool_size = $(grep -i total /proc/meminfo | head -1 | awk '{printf "%.2f \n", $(NF-1)*0.4/1024}' | sed "s/\\..*$/M/g")
innodb_lock_wait_timeout = 90
innodb_file_per_table
innodb_flush_log_at_trx_commit = 0
innodb_flush_method = O_DIRECT
innodb_log_file_size = 64M
innodb_log_buffer_size = 16M
innodb_io_capacity = 300
thread_cache_size = 8
thread_stack = 256K
max_connections = 100
key_buffer_size=4M
read_buffer_size=128K
read_rnd_buffer_size=128K
sort_buffer_size=128K
join_buffer_size=4M
skip-log-bin
sql_mode=""
log-error=/var/log/mysql/error.log
[mysqld_safe]
log-error=/var/log/mysqld.log
pid-file=/var/run/mysqld/mysqld.pid
EOF_DB

systemctl restart mysql

Pandora FMS installation

curl -LSs --output \
  pandorafms_console-7.0NG.tar.gz\
  "http://firefly.pandorafms.com/pandorafms/latest/Tarball/LTS/pandorafms_console-7.0NG.tar.gz"

curl -LSs --output \
  pandorafms_server-7.0NG.tar.gz\
  "http://firefly.pandorafms.com/pandorafms/latest/Tarball/LTS/pandorafms_server-7.0NG.tar.gz"

curl -LSs --output \
  pandorafms_agent_linux-7.0NG.tar.gz\
  "http://firefly.pandorafms.com/pandorafms/latest/Tarball/LTS/pandorafms_agent_linux-7.0NG.tar.gz"

PFMS Console installation

tar xvzf pandorafms_console-7.0NG.tar.gz

cp -Ra pandora_console /var/www/html/

rm -f /var/www/html/pandora_console/*.spec

PFMS Server installation

useradd pandora

mv pandorafms_server-7.0NG.tar.gz /opt/pandora/deploy/

cd /opt/pandora/deploy

tar xvfz pandorafms_server-7.0NG.tar.gz

cd pandora_server

./pandora_server_installer --install

PFMS Agent installation

apt install -y libyaml-tiny-perl perl coreutils wget curl unzip procps python3 python3-pip

mv pandorafms_agent_linux-7.0NG.tar.gz /opt/pandora/deploy/

cd /opt/pandora/deploy

tar xvzf pandorafms_agent_linux-7.0NG.tar.gz

cd unix

./pandora_agent_installer --install

cp -a tentacle_client /usr/local/bin/

GoTTY installation

cd /opt/pandora/deploy

wget https://firefly.pandorafms.com/pandorafms/utils/gotty_linux_amd64.tar.gz

tar xvzf gotty_linux_amd64.tar.gz

mv gotty /usr/bin/

SSL configuration

cat> /etc/apache2/conf-available/ssl-params.conf <<EOF_PARAM
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH

     SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1

     SSLHonorCipherOrder On

     Header always set X-Frame-Options DENY

     Header always set X-Content-Type-Options nosniff

     # Requires Apache>= 2.4

     SSLCompression off

     SSLUseStapling on

     SSLStaplingCache "shmcb:logs/stapling-cache(150000)"

     # Requires Apache>= 2.4.11

     SSLSessionTickets Off
EOF_PARAM

a2enmod ssl
a2enmod headers
a2enmod rewrite
a2enconf ssl-params
a2ensite default-ssl
a2enconf ssl-params
apache2ctl configtest

systemctl restart apache2
systemctl enable mysql --now
systemctl enable apache2 --now
systemctl enable php8.0-fpm --now

Structure and data in MySQL

mysql -uroot -ppandora

use pandora;

source /var/www/html/pandora_console/pandoradb.sql

source /var/www/html/pandora_console/pandoradb_data.sql

exit;

PHP and Apache2 configuration

cat> /var/www/html/pandora_console/include/config.php <<EO_CONFIG_F
<?php
\$config["dbtype"] = "mysql";
\$config["dbname"]="pandora";
\$config["dbuser"]="pandora";
\$config["dbpass"]="pandora";
\$config["dbhost"]="127.0.0.1";
\$config["homedir"]="/var/www/html/pandora_console";
\$config["homeurl"]="/pandora_console";
error_reporting(0);
\$ownDir = dirname(__FILE__) . '/';
include (\$ownDir . "config_process.php");
EO_CONFIG_F

cat> /etc/apache2/conf-enabled/pandora_security.conf <<EO_CONFIG_F
ServerTokens Prod
<Directory "/var/www/html">
    Options FollowSymLinks
    AllowOverride All
    Require all granted
</Directory>
EO_CONFIG_F

chmod 600 /var/www/html/pandora_console/include/config.php

chown -R www-data:www-data /var/www/html/pandora_console

mv /var/www/html/pandora_console/install.php /var/www/html/pandora_console/install.done

ln -s /etc/php/8.0/fpm/php.ini /etc/

sed --follow-symlinks -i -e "s/^max_input_time.*/max_input_time = -1/g" /etc/php.ini

sed --follow-symlinks -i -e "s/^max_execution_time.*/max_execution_time = 0/g" /etc/php.ini

sed --follow-symlinks -i -e "s/^upload_max_filesize.*/upload_max_filesize = 800M/g" /etc/php.ini

sed --follow-symlinks -i -e "s/^memory_limit.*/memory_limit = 800M/g" /etc/php.ini

sed --follow-symlinks -i -e "s/.*post_max_size =.*/post_max_size = 800M/" /etc/php.ini

sed --follow-symlinks -i -e "s/^disable_functions/;disable_functions/" /etc/php.ini

cat> /var/www/html/index.html <<EOF_INDEX
<meta HTTP-EQUIV="REFRESH" content="0; url=/pandora_console/">
EOF_INDEX

systemctl restart apache2

systemctl restart php8.0-fpm

PFMS agent and server configuration

cat> /etc/snmp/snmptrapd.conf <<EOF
authCommunity log public
disableAuthorization yes
EOF

sed -i -e "s/^dbhost.*/dbhost 127.0.0.1/g" /etc/pandora/pandora_server.conf

sed -i -e "s/^dbname.*/dbname pandora/g" /etc/pandora/pandora_server.conf

sed -i -e "s/^dbuser.*/dbuser pandora/g" /etc/pandora/pandora_server.conf

sed -i -e "s|^dbpass.*|dbpass pandora|g" /etc/pandora/pandora_server.conf

sed -i -e "s/^dbport.*/dbport 3306/g" /etc/pandora/pandora_server.conf

sed -i -e "s/^#.mssql_driver.*/mssql_driver 17/g" /etc/pandora/pandora_server.conf

grep -q "group www-data" /etc/pandora/pandora_server.conf || \
cat>> /etc/pandora/pandora_server.conf<<EOF_G
#Adding group www-data to assigning remote-config permission correctly for ubuntu 22.04
group www-data
EOF_G

sed -i "s/^remote_config.*$/remote_config 1/g" /etc/pandora/pandora_agent.conf

cat> /etc/pandora/pandora_server.env <<'EOF_ENV'
#!/bin/bash
VERSION=19.8
export PATH=$PATH:/opt/oracle/instantclient_19_8
export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/opt/oracle/instantclient_19_8
export ORACLE_HOME=/opt/oracle/instantclient_19_8
export OPENSSL_CONF=/etc/ssl
EOF_ENV

cat>> /etc/sysctl.conf <<EO_KO
# Pandora FMS Optimization
#default=5
net.ipv4.tcp_syn_retries = 3
#default=5
net.ipv4.tcp_synack_retries = 3
#default=1024
net.ipv4.tcp_max_syn_backlog = 65536
#default=124928
net.core.wmem_max = 8388608
#default=131071
net.core.rmem_max = 8388608
#default = 128
net.core.somaxconn = 1024

#default = 20480
net.core.optmem_max = 81920

EO_KO

sysctl --system

chown pandora:www-data /var/log/pandora

chmod g+s /var/log/pandora

cat> /etc/logrotate.d/pandora_server <<EO_LR
/var/log/pandora/pandora_server.log
/var/log/pandora/web_socket.log
/var/log/pandora/pandora_server.error {
         su root apache
         weekly
         missingok
         size 300000
         rotate 3
         maxage 90
         compress
         notifempty
         copytruncate
         create 660 pandora apache
}

/var/log/pandora/pandora_snmptrap.log {
         su root apache
         weekly
         missingok
         size 500000
         rotate 1
         maxage 30
         notifempty
         copytruncate
         create 660 pandora apache
}

EO_LR

cat> /etc/logrotate.d/pandora_agent <<EO_LRA
/var/log/pandora/pandora_agent.log {
         su root apache
         weekly
         missingok
         size 300000
         rotate 3
         maxage 90
         compress
         notifempty
         copytruncate
}

EO_LRA

chmod 0644 /etc/logrotate.d/pandora_server

chmod 0644 /etc/logrotate.d/pandora_agent

Tentacle and cron

/etc/init.d/pandora_server start

systemctl enable pandora_server

service tentacle_server start

systemctl enable tentacle_server

echo "* * * * * root wget -q -O - --no-check-certificate --load-cookies /tmp/cron-session-cookies --save-cookies /tmp/cron-session-cookies --keep-session-cookies http://127.0.0.1/pandora_console/enterprise/cron.php >> /var/www/html/pandora_console/log/cron.log" >> /etc/crontab

echo "@hourly root bash -c /etc/cron.hourly/pandora_db">> /etc/crontab

Remote configuration of the agent:

sed -i "s/^remote_config.*$/remote_config 1/g" /etc/pandora/pandora_agent.conf

/etc/init.d/pandora_agent_daemon start

systemctl enable pandora_agent_daemon

Logging in to PFMS

To access the Web Console, enter the IP address (or URL) of the machine followed by /pandora_console/.

The default login credentials are:

  • user: admin
  • password: pandora
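
Added example, not part of the original guide or of the Pandora FMS project: a shell function that checks a finished installation for values carried over from this guide (the sample database password pandora in config.php and pandora_server.conf, the mode of config.php, and a leftover install.php). The function name audit_pfms, its optional ROOT prefix argument and the finding messages are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the Pandora FMS project).
# audit_pfms [ROOT]: report values left over from this guide.
# ROOT is a hypothetical path prefix so the check can run on a copied tree;
# omit it to inspect the live host. Returns the number of findings.

SAMPLE_PW='pandora'   # sample password used throughout the guide

audit_pfms() {
    root="${1%/}"
    console="$root/var/www/html/pandora_console"
    cfg="$console/include/config.php"
    srv="$root/etc/pandora/pandora_server.conf"
    findings=0
    report() { echo "FINDING: $1"; findings=$((findings + 1)); }

    if [ -f "$cfg" ]; then
        # The guide runs chmod 600 on config.php (it stores the DB password).
        perm=$(ls -ld "$cfg" | cut -c1-10)
        [ "$perm" = "-rw-------" ] || report "$cfg is $perm, expected -rw-------"
        # dbpass in config.php still equal to the sample value?
        grep -Eq '^\$config\["dbpass"\][[:space:]]*=[[:space:]]*"'"$SAMPLE_PW"'"' "$cfg" \
            && report "$cfg still contains the sample database password"
    else
        report "$cfg not found"
    fi

    # The guide renames install.php to install.done after setup.
    [ -e "$console/install.php" ] && report "$console/install.php is still present"

    # dbpass line written by the sed command in the server configuration step.
    if [ -f "$srv" ]; then
        grep -Eq "^dbpass[[:space:]]+$SAMPLE_PW[[:space:]]*\$" "$srv" \
            && report "$srv still contains the sample database password"
    fi

    return "$findings"
}

# Usage on the installed host (as root):  audit_pfms || echo "review the findings above"
```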
