NeDi installation and upgrading on CentOS and RHEL
NeDi (Network Discovery) is an open source network monitoring tool. Please first see the general information on the NeDi page.
This page describes how to install NeDi on CentOS and RHEL Linux servers.
On the dedicated NeDi server, download the NeDi file nedi-XXX.tgz from the NeDi download page.
Paying customers may download the latest version (currently 1.8) from the NeDi_customer page.
See also the general NeDi_installation page.
Installation on CentOS/RHEL
The present information has been tested on CentOS 7 and RHEL Linux 7 servers, and it probably also works on RHEL 8 (and EL8 clones) - testing needed. As a preliminary step, add the EPEL package repository by installing the newest version of epel-release:
CentOS:
yum install epel-release
RHEL7: See https://fedoraproject.org/wiki/EPEL
CentOS7 and RHEL7
Install prerequisites:
yum install httpd mod_ssl php php-mysql mariadb-server mariadb-devel php-snmp php-gd php-process patch
yum install net-snmp net-snmp-utils rrdtool rrdtool-perl tcpdump postgresql.x86_64 php-pgsql.x86_64
yum install perl-Algorithm-Diff perl-Net-Telnet perl-Net-DNS perl-Socket6 perl-Test-Exception perl-DBD-Pg.x86_64 perl-Module-Build
(the mysql-server has been replaced by mariadb-server).
Then install additional packages from EPEL:
yum install perl-Net-SNMP perl-IO-Pty-Easy.noarch
Some packages are neither in EL7 nor in EPEL and must be installed manually. First the RRD-Simple package:
wget http://search.cpan.org/CPAN/authors/id/N/NI/NICOLAW/RRD-Simple-1.44.tar.gz
tar xzvf RRD-Simple-1.44.tar.gz
cd RRD-Simple-1.44 # See the INSTALL file
perl Makefile.PL
perl Build.PL
perl Build test
perl Build install
cd ..
Then install the Time-HiRes-Value package:
wget http://search.cpan.org/CPAN/authors/id/P/PE/PEVANS/Time-HiRes-Value-0.08.tar.gz
tar xzvf Time-HiRes-Value-0.08.tar.gz
cd Time-HiRes-Value-0.08
perl Makefile.PL
perl Build.PL
perl Build test
perl Build install
cd ..
If you employ the PostgreSQL database, install the Class-DBI-Pg package:
wget http://search.cpan.org/CPAN/authors/id/D/DM/DMAKI/Class-DBI-Pg-0.09.tar.gz
tar xzvf Class-DBI-Pg-0.09.tar.gz
cd Class-DBI-Pg-0.09/
perl Makefile.PL
perl Build.PL
perl Build installdeps # Installs many dependencies
perl Build test
perl Build install
cd ..
Patching the Perl Net::SNMP module Message.pm
NeDi uses the perl-Net-SNMP library (Net::SNMP, not to be confused with the Net-SNMP package), which hasn't been updated since 2010. There is a problem with the Message.pm module which may lead to many spurious NeDi events of the form:
latency xxx exceeds threshold yyy
If you want to fix this problem, the only way is to manually patch the Message.pm module (no updates seem to be coming) to use the Time::HiRes module.
Patch the /usr/share/perl5/vendor_perl/Net/SNMP/Message.pm file (as root):
cd /usr/share/perl5/vendor_perl/Net/SNMP
wget ftp://ftp.fysik.dtu.dk/pub/NeDi/Message.pm.diff.elX # X = 6 or 7
patch < Message.pm.diff.elX # X = 6 or 7
You may also download the attached file Message.pm.diff.el7 (CentOS/RHEL7).
This patch was provided by the author of NeDi.
Install NeDi
Create a nedi user in group apache with home directory /var/nedi:
useradd -g apache -s /bin/bash -m -d /var/nedi/ -c "NeDi user" nedi
Create the dynamic subdirectories that are needed, then unpack the files into the nedi user's home directory:
mkdir -p /var/nedi/log
cd /var/nedi
tar xzvf .../nedi-XXX.tgz
chown -R nedi.apache /var/nedi/*
Security: check whether this is really needed. Make the /var/nedi/ directory tree group-writable (group apache is the group of the Apache web server):
chmod -R g+w /var/nedi/*
Note: It is important not to make the directories /var/nedi and /var/nedi/.ssh group-writable, since this will cause security problems with SSH logins.
Protect configuration files which might reveal important information about your network:
chmod 660 /var/nedi/nedi.conf /var/nedi/seedlist
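The ownership and permission rules from the steps above are easy to get wrong after a chmod -R, so here is an added check script (not part of NeDi) that verifies them. NEDI_HOME and NEDI_GROUP default to the page's /var/nedi and apache; both are overridable assumptions.

```sh
#!/bin/sh
# Added example, not part of NeDi: verify the permission rules for a NeDi home
# directory. NEDI_HOME and NEDI_GROUP are assumed defaults (page: /var/nedi, apache).
NEDI_HOME=${NEDI_HOME:-/var/nedi}
NEDI_GROUP=${NEDI_GROUP:-apache}

# Symbolic mode from GNU stat, e.g. "drwxrwxr-x": char 6 is the group-write bit,
# the last three chars are the "other" bits.
group_writable()   { case $(stat -c '%A' "$1") in ?????w*) return 0;; *) return 1;; esac; }
world_accessible() { case $(stat -c '%A' "$1") in *---) return 1;; *) return 0;; esac; }

# Prints one FAIL line per violation; returns 0 only when every rule holds.
check_nedi_perms() {
    rc=0
    # With StrictModes (the default) sshd refuses key logins when the home
    # directory or .ssh is group-writable.
    for d in "$NEDI_HOME" "$NEDI_HOME/.ssh"; do
        [ -d "$d" ] || continue
        if group_writable "$d"; then echo "FAIL: $d is group-writable"; rc=1; fi
    done
    # nedi.conf (DB password, SNMP communities) and seedlist (seed devices) must
    # give "other" no access, and their group must be the web server's group.
    for f in "$NEDI_HOME/nedi.conf" "$NEDI_HOME/seedlist"; do
        [ -e "$f" ] || { echo "FAIL: $f is missing"; rc=1; continue; }
        if world_accessible "$f"; then
            echo "FAIL: $f is world-accessible (mode $(stat -c '%a' "$f"))"; rc=1
        fi
        case $(stat -c '%G' "$f") in
            "$NEDI_GROUP") ;;
            *) echo "FAIL: $f group is not $NEDI_GROUP"; rc=1 ;;
        esac
    done
    return $rc
}
```

Run check_nedi_perms as root after the chown/chmod steps; a non-zero exit means at least one FAIL line was printed.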
Create system links to the NeDi files:
ln -s /var/nedi/nedi.conf /etc/nedi.conf # NeDi configuration file
mv /var/www/html /var/www/html.orig # Move default Apache html files out of the way
ln -s /var/nedi/html/ /var/www/html # Link to NeDi html files
The PHP configuration file /etc/php.ini must be edited so that PHP recognizes code between <? and ?> tags as PHP source, so change this parameter:
short_open_tag = On
For reasons of security turn off this option in /etc/php.ini:
expose_php = Off
SELinux permissive mode
Security concern: NeDi has been designed to execute many scripts through the Apache web server. This is going to conflict with the SELinux Enforcing security mode, and you must consider the security implications of allowing the Apache web server write access to the NeDi server’s file system.
SELinux is configured in /etc/selinux/config and it should be set to Permissive mode:
SELINUX=permissive
Either reboot the server, or set Permissive mode immediately using this command:
setenforce Permissive
See the man-page httpd_selinux for information about Apache and SELinux.
Warning messages from SELinux will appear in the system syslog /var/log/messages.
Configuring NeDi for secure SELinux operation
Optional: Configuring the correct SELinux settings for the whole of NeDi (/var/nedi) is probably going to be really complicated. Here are some initial settings to get started.
Set SELinux security context for the nedi user’s home directory:
setsebool -P httpd_enable_homedirs 1
chcon -R -t httpd_sys_content_t /var/nedi
For NeDi operation you must allow Apache to write to some directories. Make sure these directories have correct ownership and permissions:
# chown nedi.apache /var/nedi/html/map /var/nedi/sysobj
# chmod g+w /var/nedi/html/map /var/nedi/sysobj
# ls -lad /var/nedi/html/map /var/nedi/sysobj
drwxrwxr-x. 2 nedi apache 4096 Jan 6 15:11 /var/nedi/html/map
drwxrwxr-x. 2 nedi apache 36864 Jan 6 15:11 /var/nedi/sysobj
and then configure SELinux to permit read-write access for Apache:
chcon -R -t httpd_sys_rw_content_t /var/nedi/html/map
chcon -R -t httpd_sys_rw_content_t /var/nedi/sysobj/
NeDi database services
Mariadb database service (CentOS 7)
Start the MariaDB service:
systemctl start mariadb
systemctl enable mariadb
systemctl status mariadb
Secure the database (root password etc.) by running:
/usr/bin/mysql_secure_installation
Initialize NeDi database
See the NeDi_installation page about database initialization. To get a completely blank NeDi database do:
cd /var/nedi/
./nedi.pl -i
For the mysql admin user/pass use root and the database password selected above.
For upgrading NeDi starting with NeDi 1.4, you can use -i nodrop for updating an existing DB structure without the need for DB admin credentials. Alternatively -i updatedb will do just that without any loss of data.
For version 1.4.300 or 1.5.038 or 1.6.100:
./nedi.pl -i updatedb
The MySQL root account will be required for this operation.
NeDi syslog and moni daemons
NeDi requires two running daemon processes:
syslog.pl syslog daemon which stores events directly in DB.
moni.pl monitoring daemon for polling uptime and checking connectivity of services.
Daemons on CentOS 7
On RHEL/CentOS 7 systems download the startup scripts and add the services:
wget ftp://ftp.fysik.dtu.dk/pub/NeDi/nedi-monitor
wget ftp://ftp.fysik.dtu.dk/pub/NeDi/nedi-monitor.service
wget ftp://ftp.fysik.dtu.dk/pub/NeDi/nedi-syslog
wget ftp://ftp.fysik.dtu.dk/pub/NeDi/nedi-syslog.service
chmod 755 nedi-monitor nedi-syslog
cp nedi-monitor nedi-syslog /usr/libexec/
cp nedi-monitor.service nedi-syslog.service /usr/lib/systemd/system/
systemctl enable nedi-monitor.service
systemctl enable nedi-syslog.service
systemctl start nedi-monitor.service
systemctl start nedi-syslog.service
systemctl status nedi-monitor.service
systemctl status nedi-syslog.service
Apache web service
We will use the Apache web server provided by the httpd RPM package.
An SSL-encrypted NeDi web page must be configured because critical information such as login passwords is transmitted. For an introduction see Setting up an SSL secured Webserver with CentOS. The unencrypted HTTP service on port 80 should be redirected to the SSL-encrypted port 443 (see https://wiki.apache.org/httpd/RedirectSSL) as shown in the example below.
You may either use a self-signed SSL certificate, or use a commercial SSL certificate valid for your web server according to your site’s security policies.
The SSL certificate files must be copied to the /etc/pki/tls/{certs,private}/ directories (see the CentOS instructions above).
In the Apache configuration directory /etc/httpd/conf.d/ create the file 03nedi.conf and change the DNS domain names (here example.com) as required:
# NameVirtualHost has no effect in Apache 2.4 (httpd on CentOS 7) and only produces a warning
NameVirtualHost *:80
<VirtualHost *:80>
AddDefaultCharset Off
ServerAdmin webmaster@example.com
ServerName nedi.example.com
# Security: refuse the TRACE method (Cross-Site Tracing)
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^TRACE
RewriteRule .* - [F]
# Send everything else to the SSL-encrypted site
Redirect / https://nedi.example.com/
</VirtualHost>
NameVirtualHost *:443
<VirtualHost _default_:443>
AddDefaultCharset Off
ServerAdmin webmaster@example.com
ServerName nedi.example.com
DocumentRoot /var/www/html/
# Security: Cross-Site Tracing issues: http://www.apacheweek.com/issues/03-01-24
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^TRACE
RewriteRule .* - [F]
# Security: https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options
Header always append X-Frame-Options SAMEORIGIN
DirectoryIndex index.php
Options -Indexes
SSLEngine On
# Example only: use your own certificate and key files. Apache does not accept
# comments at the end of a directive line, so keep them on separate lines.
SSLCertificateFile /etc/pki/tls/certs/ca.crt
SSLCertificateKeyFile /etc/pki/tls/private/ca.key
# Disable obsolete SSLv2/3 and TLS v1.0 protocols:
SSLProtocol all -SSLv2 -SSLv3 -TLSv1
# See https://mozilla.github.io/server-side-tls/ssl-config-generator/
SSLCipherSuite "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA"
SSLHonorCipherOrder on
Header always add Strict-Transport-Security "max-age=15768000"
</VirtualHost>
Test the Apache configuration by:
apachectl configtest
Apache and SSL security
Advice about SSL security in Apache:
The SSLCipherSuite (Cipher Suite available for negotiation in SSL handshake) configuration is really complicated. Strong recommendations are in:
In fact, one may generate an appropriate Apache SSL configuration including SSLCipherSuite in the page:
Apache on CentOS/RHEL 7
There seems to be a bug in the httpd package file /etc/httpd/conf.modules.d/00-lua.conf giving a syslog error message:
httpd: Syntax error on line 56 of /etc/httpd/conf/httpd.conf: Syntax error on line 1 of /etc/httpd/conf.modules.d/00-lua.conf: Cannot load modules/mod_lua.so into server: /etc/httpd/modules/mod_lua.so: undefined symbol: apr_bcrypt_encode
Comment out (insert #) line 1 in /etc/httpd/conf.modules.d/00-lua.conf.
When the configuration test is OK, start the httpd service:
systemctl enable httpd
systemctl start httpd
systemctl status httpd
Firewall rules for web services (CentOS7)
A nice introduction is RHEL7: How to get started with Firewalld.
Configure firewalld rules for HTTP/HTTPS (ports 80,443) by adding:
firewall-cmd --zone=public --add-port=80/tcp --permanent
firewall-cmd --zone=public --add-port=443/tcp --permanent
firewall-cmd --reload
Crontab jobs
For automatic device discovery use cron jobs. Add some crontab commands for user nedi using the command:
crontab -e -u nedi
to add these hourly jobs:
0 0 * * * /var/nedi/nedi.pl -p -B2 > /var/nedi/log/nedi-backup.lastrun 2>&1
0 1-23 * * * /var/nedi/nedi.pl -p > /var/nedi/log/nedi.lastrun 2>&1
Upgrading NeDi software
From time to time a new version of NeDi may become available (see Installation above for downloads), and you may want to install the update.
The upgrading process must be run as the root user.
Stop all NeDi services:
systemctl stop httpd
systemctl stop nedi-monitor
systemctl stop nedi-syslog
and comment out the discovery scripts in crontab:
crontab -e -u nedi
Now make a database backup as shown in the section below, just for safety.
The /var/nedi directory contains a lot of NeDi state information (RRD graphs, switch configurations, etc.) which you want to preserve across the update.
So first make a backup of the old version of /var/nedi:
tar czf $HOME/nedi-old-version-backup.tar.gz /var/nedi
Also make backup copies of all changed configuration files to some backup directory, for example:
cd /var/nedi
cp -p nedi.conf seedlist nedi.pl trap.pl ... <backup-directory>
Here we back up also the Perl (.pl) files (for example, trap.pl) in case you have made any changes manually.
Then overwrite /var/nedi with the new version (here 1.6.100):
cd /var/nedi
tar xzvf <downloaddir>/nedi-1.6.100.tgz
If there are any patch-files, unpack the latest file as well (for example):
tar xzvf <downloaddir>/nedi-1.6p2.tgz
The patch files are cumulative, so only the latest one is needed.
Now make a backup of the new files and copy your old configuration files:
cp nedi.conf nedi.conf.new
cp seedlist seedlist.new
cp -p $HOME/nedi.conf nedi.conf.OLD
cp $HOME/seedlist seedlist
Now you have to edit (do not copy) nedi.conf, because changes always appear in new versions! You have to go through nedi.conf.OLD and copy any local changes into the new nedi.conf file.
The meld command is extremely useful for comparing files, install it by:
yum install meld
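For a quick overview of what to carry over before opening meld, here is an added script (not part of NeDi) that lists the settings which differ between nedi.conf.OLD and the new nedi.conf. It assumes the nedi.conf line format "key<whitespace>value" with '#' starting a comment.

```sh
#!/bin/sh
# Added example, not part of NeDi: list the settings that differ between the
# saved nedi.conf.OLD and the new nedi.conf, so local changes are re-applied by
# editing rather than by copying the old file over the new one.
# Assumption: lines are "key<whitespace>value", '#' starts a comment.

# Emit one sorted "key|value" line per setting, comments and blanks stripped.
# A key may occur more than once (e.g. several "comm" lines), so all are kept.
nedi_conf_settings() {
    LC_ALL=C sed -e 's/#.*//' "$1" | LC_ALL=C awk '
        NF >= 1 {
            key = $1; val = $0
            sub(/^[ \t]*[^ \t]+[ \t]*/, "", val)   # drop the key and following blanks
            sub(/[ \t]+$/, "", val)               # drop trailing blanks
            print key "|" val
        }' | LC_ALL=C sort
}

# "- key|value": only in OLD (a local change to re-apply, or a dropped option)
# "+ key|value": only in NEW (a changed default or a new option to review)
nedi_conf_diff() {
    tmpd=$(mktemp -d) || return 1
    nedi_conf_settings "$1" > "$tmpd/old"
    nedi_conf_settings "$2" > "$tmpd/new"
    LC_ALL=C comm -23 "$tmpd/old" "$tmpd/new" | sed 's/^/- /'
    LC_ALL=C comm -13 "$tmpd/old" "$tmpd/new" | sed 's/^/+ /'
    rm -rf "$tmpd"
}

# Usage: nedi_conf_diff /var/nedi/nedi.conf.OLD /var/nedi/nedi.conf
```

Settings with the same key on both sides but different values show up as one "-" and one "+" line.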
Set correct user and group ownership:
chown -R nedi.apache /var/nedi/*
chmod -R g+w /var/nedi/*
Note: It is important not to make the directories /var/nedi and /var/nedi/.ssh group-writable, since this will cause security problems with SSH logins.
Notice: The web interface user admin now has the default password admin. Change the admin password as described in our NeDi page.
For major releases only, the MySQL database structures may need updating. This is not required for patch-releases! See the MySQL service section above before doing:
./nedi.pl -i updatedb
When the upgrading has completed successfully, restart all NeDi services (as root user):
systemctl start httpd
systemctl start nedi-monitor
systemctl start nedi-syslog
and re-enable the discovery scripts in crontab:
crontab -e -u nedi
Backup and restore of NeDi server
In order to back up the entire NeDi server to a different location (for disaster recovery or migration), the following must be backed up:
The directory tree /var/nedi.
A MySQL database dump made with mysqldump, using this script /root/mysqlbackup (insert the correct MySQL password):
#!/bin/sh
# MySQL Backup Script for All Databases
HOST=localhost
BACKUPFILE=/root/mysql_dump
USER=root
# DBPASS rather than PWD: PWD is the shell's own working-directory variable
DBPASS='**********'
DUMP_ARGS="--opt --flush-logs --quote-names"
DATABASES="--all-databases"
/usr/bin/mysqldump --host=$HOST --user=$USER --password=$DBPASS $DUMP_ARGS --result-file=$BACKUPFILE $DATABASES
Write permission to $BACKUPFILE is required. Since the script contains the database password, keep it readable by root only (chmod 700 /root/mysqlbackup).
Make regular database dumps, for example by a crontab job:
# MySQL database backup
30 7 * * * /root/mysqlbackup
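A password given as --password=... on the mysqldump command line is visible to every local user in the process list for the duration of the dump. The following added variant (not the page's script) keeps the password in a root-only option file that mysqldump reads via --defaults-extra-file; the file paths are assumptions.

```sh
#!/bin/sh
# Added example, not the page's own script: keep the MySQL password out of the
# backup script and out of the process list. CNF and BACKUPFILE are assumed paths.
CNF=${CNF:-/root/.nedi-backup.cnf}
BACKUPFILE=${BACKUPFILE:-/root/mysql_dump}

# Write the option file (user, password) with mode 0600 for the caller only.
write_backup_cnf() {
    umask 077
    printf '[mysqldump]\nuser=%s\npassword=%s\n' "$1" "$2" > "$CNF"
    chmod 600 "$CNF"   # in case the file already existed with a wider mode
}

# True only when the option file is owned by the caller and is mode 0600.
cnf_is_private() {
    [ "$(stat -c '%a %u' "$CNF")" = "600 $(id -u)" ]
}

# Dump all databases like the page's script, but read the credentials from CNF.
# --defaults-extra-file must be the first option on the mysqldump command line.
mysql_backup() {
    cnf_is_private || { echo "$CNF must be mode 600 and owned by you" >&2; return 1; }
    umask 077   # the dump itself holds all data; make it root-readable only
    /usr/bin/mysqldump --defaults-extra-file="$CNF" --opt --flush-logs --quote-names \
        --all-databases --result-file="$BACKUPFILE"
}

# One-time setup as root: write_backup_cnf root 'the-mysql-root-password'
# Then the crontab job calls mysql_backup instead of passing --password.
```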
Note: Using the GUI page System-Snapshot one may perform a Database Snapshot - this is just a special database inside the MySQL server, not a backup. The page System-Export also allows export of database contents.
Restore of a NeDi backup
Step 1: The directory tree /var/nedi
must be restored instead of the vanilla distribution files, and the above installation instructions must be followed.
Step 2: NeDi's MySQL database contents must be loaded from the backup. To restore a MySQL database see for example How do I restore a MySQL .dump file?. As user root, input the backup file created above by the /root/mysqlbackup script:
mysql -u root -p < /root/mysql_dump
The MySQL password will be asked for.
If you for some reason need to drop the existing MySQL database, the NeDi command is:
cd /var/nedi/
./nedi.pl -i
Upgrading the MySQL database version
If you migrate NeDi to a new system with a new version of the MySQL database, for example upgrading MySQL 5.1 on CentOS 6 to MariaDB 5.5 on CentOS 7, there are some extra steps.
See Upgrading from MySQL to MariaDB about running the mysql_upgrade command:
mysql_upgrade
whenever major (or even minor) version upgrades are made, or when migrating from MySQL to MariaDB.
It may be necessary to restart the mysqld service or reboot the server after the upgrade (??).