Installing Pandora FMS Open on Ubuntu

Installation on an Ubuntu 22.04.1 or 22.04.2 server with root user privileges, systemd enabled and an internet connection.

Online installation for Ubuntu (22.04 LTS):

curl -SsL https://raw.githubusercontent.com/pandorafms/pandorafms/develop/extras/deploy-scripts/pandora_deploy_community_ubuntu_2204_gh.sh | bash

Getting started

In a terminal window as the root user:

apt install -y gawk sed grep iputils-ping
rm -rf /opt/pandora/deploy
mkdir -p /opt/pandora/deploy
cd /opt/pandora/deploy
apt update
apt install -y net-tools vim curl wget \
 software-properties-common apt-transport-https \
 ca-certificates gnupg lsb-release

Installing Apache2 and PHP 8

add-apt-repository ppa:ondrej/php
apt update
apt upgrade
apt install -y php8.0-fpm php8.0-common libapache2-mod-fcgid php8.0-cli apache2
a2enmod proxy_fcgi setenvif
systemctl reload apache2
a2enconf php8.0-fpm
systemctl restart php8.0-fpm

PFMS web console dependencies

apt install -y \
 ldap-utils postfix \
 wget graphviz \
 xfonts-75dpi xfonts-100dpi \
 xfonts-ayu xfonts-intl-arabic \
 xfonts-intl-asian xfonts-intl-phonetic \
 xfonts-intl-japanese-big xfonts-intl-european \
 xfonts-intl-chinese xfonts-intl-japanese \
 xfonts-intl-chinese-big libzstd1 \
 gir1.2-atk-1.0 libavahi-common-data \
 cairo-perf-utils libfribidi-bin \
 php8.0-mcrypt php8.0-gd \
 php8.0-curl php8.0-mysql \
 php8.0-ldap php8.0-fileinfo \
 php8.0-gettext php8.0-snmp \
 php8.0-mbstring php8.0-zip \
 php8.0-xmlrpc php8.0-xml \
 php8.0-yaml libnet-telnet-perl \
 whois cron

PFMS server dependencies

apt install -y \
 perl nmap \
 fping sudo \
 net-tools nfdump \
 expect openssh-client \
 unzip xprobe coreutils \
 libio-compress-perl libmoosex-role-timer-perl \
 libdbd-mysql-perl libcrypt-mysql-perl \
 libhttp-request-ascgi-perl liblwp-useragent-chicaching-perl \
 liblwp-protocol-https-perl snmp \
 libnetaddr-ip-perl libio-socket-ssl-perl \
 libio-socket-socks-perl libio-socket-ip-perl \
 libio-socket-inet6-perl libnet-telnet-perl \
 libjson-perl libencode-perl \
 cron libgeo-ip-perl \
 arping snmp-mibs-downloader \
 snmptrapd  libnsl2 make \
 openjdk-8-jdk
 
mkdir -m 0755 -p /etc/apt/keyrings
 
curl -fsSL https://download.docker.com/linux/ubuntu/gpg | \
 sudo gpg --yes --dearmor -o /etc/apt/keyrings/docker.gpg
 
echo \
 "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu  $(lsb_release -cs) stable" | \
 sudo tee /etc/apt/sources.list.d/docker.list
 
apt update -y
apt-get install -y \
 docker-ce docker-ce-cli containerd.io \
 docker-buildx-plugin docker-compose-plugin
 
systemctl disable docker --now
systemctl disable docker.socket --now
 
rm -f /usr/sbin/fping
ln -s /usr/bin/fping /usr/sbin/fping

Google Chrome tool

wget https://dl.google.com/linux/direct/google-chrome-stable_current_amd64.deb
dpkg -i google-chrome-stable_current_amd64.deb
ln -s /usr/bin/google-chrome /usr/bin/chromium-browser

IPAM dependencies

apt install -y \
 libnetaddr-ip-perl \
 coreutils libdbd-mysql-perl \
 libxml-simple-perl libgeo-ip-perl \
 libio-socket-inet6-perl libxml-twig-perl \
 libnetaddr-ip-perl

AppArmor and UFW configuration

systemctl stop ufw.service
systemctl disable ufw
systemctl stop apparmor
systemctl disable apparmor

Installing MySQL

curl -O https://repo.percona.com/apt/percona-release_latest.generic_all.deb
apt install -y gnupg2 lsb-release ./percona-release_latest.generic_all.deb
percona-release setup ps80
apt install -y percona-server-server percona-xtrabackup-80

systemctl start mysql
 
mysql -uroot -p
 
ALTER USER 'root'@'localhost' IDENTIFIED WITH mysql_native_password BY 'pandora';
 
create database pandora;
 
CREATE USER  pandora IDENTIFIED BY 'pandora';
 
ALTER USER 'pandora' IDENTIFIED WITH mysql_native_password BY 'pandora';
 
GRANT ALL PRIVILEGES ON pandora.* TO 'pandora';
 
exit;

cat > /etc/mysql/my.cnf << EOF_DB
[mysqld]
datadir=/var/lib/mysql
user=mysql
character-set-server=utf8mb4
skip-character-set-client-handshake
# Disabling symbolic-links is recommended to prevent assorted security risks
symbolic-links=0
# Mysql optimizations for Pandora FMS
# Please check the documentation in http://pandorafms.com for better results
max_allowed_packet = 64M
innodb_buffer_pool_size = $(grep -i total /proc/meminfo | head -1 | awk '{printf "%.2f \n", $(NF-1)*0.4/1024}' | sed "s/\\..*$/M/g")
innodb_lock_wait_timeout = 90
innodb_file_per_table
innodb_flush_log_at_trx_commit = 0
innodb_flush_method = O_DIRECT
innodb_log_file_size = 64M
innodb_log_buffer_size = 16M
innodb_io_capacity = 300
thread_cache_size = 8
thread_stack    = 256K
max_connections = 100
key_buffer_size=4M
read_buffer_size=128K
read_rnd_buffer_size=128K
sort_buffer_size=128K
join_buffer_size=4M
skip-log-bin
sql_mode=""
log-error=/var/log/mysql/error.log
[mysqld_safe]
log-error=/var/log/mysqld.log
pid-file=/var/run/mysqld/mysqld.pid
EOF_DB

systemctl restart mysql

Installing Pandora FMS Open

curl -LSs --output \
 pandorafms_console-7.0NG.tar.gz \
 "https://github.com/pandorafms/pandorafms/releases/download/v772-LTS/pandorafms_console-7.0NG.772.tar.gz"
 
curl -LSs --output \
 pandorafms_server-7.0NG.tar.gz \
 "https://github.com/pandorafms/pandorafms/releases/download/v772-LTS/pandorafms_server-7.0NG.772_x86_64.tar.gz"
 
curl -LSs --output \
 pandorafms_agent_linux-7.0NG.tar.gz \
 "https://github.com/pandorafms/pandorafms/releases/download/v772-LTS/pandorafms_agent_linux-7.0NG.772.tar.gz"
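
The one-line installer and the release archives above are run or unpacked as root straight from the network. As an added example (not part of the original guide or of the Pandora FMS project), the functions below download to a temporary location and only move the file into place when its SHA-256 matches a digest pinned beforehand. The names verify_pinned and fetch_verified and the pins file path are hypothetical, and the digests have to be recorded from a copy you have reviewed, since the page lists none.

```shell
#!/usr/bin/env bash
# Added example: fail-closed SHA-256 pinning for the files this guide downloads.
# PINS uses the format `sha256sum` prints: "<64 hex digits>  <file name>".
# Function names and the pins path are hypothetical, not part of Pandora FMS.

# verify_pinned PINS FILE -> 0 only when FILE matches its pinned digest.
verify_pinned() {
    local pins="$1" file="$2" name want got
    if [ ! -r "$pins" ] || [ ! -f "$file" ]; then
        echo "missing pins file or download: $file" >&2
        return 2
    fi
    name=$(basename -- "$file")
    # Exact match on the name column ("*name" is sha256sum's binary-mode form).
    want=$(awk -v n="$name" '$2 == n || $2 == ("*" n) { print tolower($1); exit }' "$pins")
    if [ -z "$want" ]; then
        echo "no pinned digest for $name, refusing" >&2
        return 3
    fi
    if ! printf '%s' "$want" | grep -Eq '^[0-9a-f]{64}$'; then
        echo "malformed pin for $name" >&2
        return 4
    fi
    got=$(sha256sum -- "$file" | awk '{ print $1 }')
    if [ "$got" != "$want" ]; then
        echo "digest mismatch for $name: got $got" >&2
        return 1
    fi
}

# fetch_verified URL PINS DEST: download aside, verify, then move into place.
fetch_verified() {
    local url="$1" pins="$2" dest="$3" tmpdir tmpfile
    tmpdir=$(mktemp -d) || return 2
    tmpfile="$tmpdir/$(basename -- "$dest")"
    # -f makes curl fail on HTTP errors, so an error page is never installed.
    if curl -fLSs --output "$tmpfile" "$url" && verify_pinned "$pins" "$tmpfile"; then
        mv -- "$tmpfile" "$dest" && rmdir "$tmpdir"
    else
        rm -rf -- "$tmpdir"
        return 1
    fi
}

# Usage, with a release URL from this guide (pins path is a placeholder):
#   fetch_verified "https://github.com/pandorafms/pandorafms/releases/download/v772-LTS/pandorafms_console-7.0NG.772.tar.gz" \
#       /root/pandora.sha256 pandorafms_console-7.0NG.tar.gz
```

The pin is looked up by the local file name, so the pins file must list the names used with --output in this guide.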

PFMS web console

tar xvzf pandorafms_console-7.0NG.tar.gz
 
cp -Ra pandora_console /var/www/html/
 
rm -f /var/www/html/pandora_console/*.spec

PFMS server

useradd pandora
 
mv pandorafms_server-7.0NG.tar.gz /opt/pandora/deploy/
 
cd /opt/pandora/deploy
 
tar xvfz pandorafms_server-7.0NG.tar.gz
 
cd pandora_server
 
./pandora_server_installer --install

PFMS agent

apt install -y libyaml-tiny-perl perl coreutils wget curl unzip procps python3 python3-pip
 
mv pandorafms_agent_linux-7.0NG.tar.gz /opt/pandora/deploy/
 
cd /opt/pandora/deploy
 
tar xvzf pandorafms_agent_linux-7.0NG.tar.gz
 
cd unix
 
./pandora_agent_installer --install
 
cp -a tentacle_client /usr/local/bin/

Installing GoTTY

curl -LSs --output pandora_gotty.deb https://github.com/pandorafms/pandorafms/releases/download/tools/pandora_gotty_1.1.0.deb
apt install -y ./pandora_gotty.deb

SSL configuration

cat > /etc/apache2/conf-available/ssl-params.conf << EOF_PARAM
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
 
    SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
 
    SSLHonorCipherOrder On
 
    Header always set X-Frame-Options DENY
 
    Header always set X-Content-Type-Options nosniff
 
    # Requires Apache>= 2.4
 
    SSLCompression off
 
    SSLUseStapling on
 
    SSLStaplingCache "shmcb:logs/stapling-cache(150000)"
 
    # Requires Apache>= 2.4.11
 
    SSLSessionTickets Off
EOF_PARAM

a2enmod ssl
a2enmod headers
a2enmod rewrite
a2enconf ssl-params
a2ensite default-ssl
a2enconf ssl-params
apache2ctl configtest
 
systemctl restart apache2
systemctl enable mysql --now
systemctl enable apache2 --now
systemctl enable php8.0-fpm --now

Tables and data for MySQL

mysql -uroot -ppandora
 
use pandora;
 
source /var/www/html/pandora_console/pandoradb.sql
 
source /var/www/html/pandora_console/pandoradb_data.sql
 
exit;

PHP and Apache2 configuration

cat > /var/www/html/pandora_console/include/config.php << EO_CONFIG_F
<?php
\$config["dbtype"] = "mysql";
\$config["dbname"]="pandora";
\$config["dbuser"]="pandora";
\$config["dbpass"]="pandora";
\$config["dbhost"]="127.0.0.1";
\$config["homedir"]="/var/www/html/pandora_console";
\$config["homeurl"]="/pandora_console";
error_reporting(0);
\$ownDir = dirname(__FILE__) . '/';
include (\$ownDir . "config_process.php");
EO_CONFIG_F

cat > /etc/apache2/conf-enabled/pandora_security.conf << EO_CONFIG_F
ServerTokens Prod
<Directory "/var/www/html">
    Options FollowSymLinks
    AllowOverride All
    Require all granted
</Directory>
EO_CONFIG_F

chmod 600 /var/www/html/pandora_console/include/config.php
 
chown -R www-data:www-data /var/www/html/pandora_console
 
mv /var/www/html/pandora_console/install.php /var/www/html/pandora_console/install.done

ln -s /etc/php/8.0/fpm/php.ini /etc/
 
sed --follow-symlinks -i -e "s/^max_input_time.*/max_input_time = -1/g" /etc/php.ini
 
sed --follow-symlinks -i -e "s/^max_execution_time.*/max_execution_time = 0/g" /etc/php.ini
 
sed --follow-symlinks -i -e "s/^upload_max_filesize.*/upload_max_filesize = 800M/g" /etc/php.ini
 
sed --follow-symlinks -i -e "s/^memory_limit.*/memory_limit = 800M/g" /etc/php.ini
 
sed --follow-symlinks -i -e "s/.*post_max_size =.*/post_max_size = 800M/" /etc/php.ini
 
sed --follow-symlinks -i -e "s/^disable_functions/;disable_functions/" /etc/php.ini
 
echo 'TimeOut 900' > /etc/apache2/conf-enabled/timeout.conf
echo 'ProxyTimeout 300'>> /etc/apache2/conf-enabled/timeout.conf

cat > /var/www/html/index.html << EOF_INDEX
<meta HTTP-EQUIV="REFRESH" content="0; url=/pandora_console/">
EOF_INDEX
 
systemctl restart apache2
 
systemctl restart php8.0-fpm

PFMS server and agent configuration

cat> /etc/snmp/snmptrapd.conf <<EOF
authCommunity log public
disableAuthorization yes
EOF

sed -i -e "s/^dbhost.*/dbhost 127.0.0.1/g" /etc/pandora/pandora_server.conf
 
sed -i -e "s/^dbname.*/dbname pandora/g" /etc/pandora/pandora_server.conf
 
sed -i -e "s/^dbuser.*/dbuser pandora/g" /etc/pandora/pandora_server.conf
 
sed -i -e "s|^dbpass.*|dbpass pandora|g" /etc/pandora/pandora_server.conf
 
sed -i -e "s/^dbport.*/dbport 3306/g" /etc/pandora/pandora_server.conf
 
sed -i -e "s/^#.mssql_driver.*/mssql_driver 17/g" /etc/pandora/pandora_server.conf

grep -q "group www-data" /etc/pandora/pandora_server.conf || \
cat>> /etc/pandora/pandora_server.conf<<EOF_G
#Adding group www-data to assign remote-config permission correctly for ubuntu 22.04
group www-data
EOF_G

sed -i "s/^remote_config.*$/remote_config 1/g" /etc/pandora/pandora_agent.conf
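
The steps above write the sample password pandora into config.php and pandora_server.conf and leave snmptrapd with disableAuthorization yes. As an added example (not from the original guide or the Pandora FMS project), this audit reports which of those settings are still in place after installation. The function name audit_pandora_defaults and its optional root-prefix argument are assumptions made for the example.

```shell
#!/usr/bin/env bash
# Added example: report where this guide's sample secrets are still in place.
# audit_pandora_defaults [ROOT] [PASSWORD] is a hypothetical helper; ROOT lets
# it run against a mounted image or a test tree instead of the live system.

audit_pandora_defaults() {
    local root="${1:-}" pw="${2:-pandora}" n=0 mode
    local console="$root/var/www/html/pandora_console/include/config.php"
    local server="$root/etc/pandora/pandora_server.conf"
    local traps="$root/etc/snmp/snmptrapd.conf"

    if [ -f "$console" ]; then
        # Strip blanks so `$config["dbpass"] = "pandora";` is matched as well.
        if tr -d ' \t' < "$console" | grep -Fqx "\$config[\"dbpass\"]=\"$pw\";"; then
            echo "FINDING default DB password in $console"; n=$((n + 1))
        fi
        # The guide sets mode 600; any group or other bit exposes the password.
        mode=$(stat -c '%a' "$console")
        case $mode in
            0|*00) ;;
            *) echo "FINDING $console is mode $mode, expected 600"; n=$((n + 1)) ;;
        esac
    fi

    if [ -f "$server" ] &&
        awk -v p="$pw" '$1 == "dbpass" && $2 == p { f = 1 } END { exit !f }' "$server"; then
        echo "FINDING default DB password in $server"; n=$((n + 1))
    fi

    if [ -f "$traps" ] &&
        awk '$1 == "disableAuthorization" && $2 == "yes" { f = 1 } END { exit !f }' "$traps"; then
        echo "FINDING snmptrapd accepts traps without authorization: $traps"; n=$((n + 1))
    fi

    # Exit status 0 means none of the guide's defaults were found.
    [ "$n" -eq 0 ]
}
```

The audit reads files only, so it does not cover the MySQL root password or the console's admin account, both of which this guide also sets to pandora.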

cat>> /etc/sysctl.conf <<EO_KO
# Pandora FMS Optimization
# default=5
net.ipv4.tcp_syn_retries = 3
# default=5
net.ipv4.tcp_synack_retries = 3
# default=1024
net.ipv4.tcp_max_syn_backlog = 65536
# default=124928
net.core.wmem_max = 8388608
# default=131071
net.core.rmem_max = 8388608
# default = 128
net.core.somaxconn = 1024
 
# default = 20480
net.core.optmem_max = 81920
 
EO_KO
 
sysctl --system

chown pandora:www-data /var/log/pandora
 
chmod g+s /var/log/pandora
 
cat> /etc/logrotate.d/pandora_server <<EO_LR
/var/log/pandora/pandora_server.log
/var/log/pandora/web_socket.log
/var/log/pandora/pandora_server.error {
        su root www-data
        weekly
        missingok
        size 300000
        rotate 3
        maxage 90
        compress
        notifempty
        copytruncate
        create 660 pandora www-data
}
 
/var/log/pandora/pandora_snmptrap.log {
        su root www-data
        weekly
        missingok
        size 500000
        rotate 1
        maxage 30
        notifempty
        copytruncate
        create 660 pandora www-data
}
 
EO_LR

cat> /etc/logrotate.d/pandora_agent <<EO_LRA
/var/log/pandora/pandora_agent.log {
        su root www-data
        weekly
        missingok
        size 300000
        rotate 3
        maxage 90
        compress
        notifempty
        copytruncate
}
 
EO_LRA
 
chmod 0644 /etc/logrotate.d/pandora_server
 
chmod 0644 /etc/logrotate.d/pandora_agent

Tentacle and cron

/etc/init.d/pandora_server start
 
systemctl enable pandora_server
 
service tentacle_serverd start
 
systemctl enable tentacle_serverd

echo "* * * * * root wget -q -O - --no-check-certificate --load-cookies /tmp/cron-session-cookies --save-cookies /tmp/cron-session-cookies --keep-session-cookies http://127.0.0.1/pandora_console/enterprise/cron.php>> /var/www/html/pandora_console/log/cron.log" >> /etc/crontab
 
echo "@hourly         root    bash -c /etc/cron.hourly/pandora_db" >> /etc/crontab

Agent remote configuration:

sed -i "s/^remote_config.*$/remote_config 1/g" /etc/pandora/pandora_agent.conf
 
/etc/init.d/pandora_agent_daemon start
 
systemctl enable pandora_agent_daemon

PhantomJS

sed --follow-symlinks -i -e "s/^openssl_conf = openssl_init/#openssl_conf = openssl_init/g" /etc/ssl/openssl.cnf

Postfix

systemctl enable postfix --now

OpenSSL

sed -i '/default = default_sect/a legacy = legacy_sect' /etc/ssl/openssl.cnf
sed -i 's/# activate = 1/activate = 1/' /etc/ssl/openssl.cnf
sed -i '/activate = 1/a [legacy_sect]\nactivate = 1' /etc/ssl/openssl.cnf

SSH banner

[ "$(curl -s ifconfig.me)" ] && ipplublic=$(curl -s ifconfig.me)
 
cat > /etc/issue.net << EOF_banner
 
Welcome to Pandora FMS appliance on Ubuntu
------------------------------------------
Go to Public http://$ipplublic/pandora_console to login web console
$(ip addr | grep -w "inet" | grep -v "127.0.0.1" | grep -v "172.17.0.1" | awk '{print $2}' | awk -F '/' '{print "Go to Local http://"$1"/pandora_console to login web console"}')
 
You can find more information at http://pandorafms.com
 
EOF_banner
 
rm -f /etc/issue
ln -s /etc/issue.net /etc/issue
 
echo 'Banner /etc/issue.net'>> /etc/ssh/sshd_config

Connecting to PFMS

To access the web console, enter the IP address (or URL) of the appliance followed by /pandora_console/ .

The default login credentials are:

  • user: admin
  • password: pandora
