NeDi installation and upgrading on CentOS and RHEL

NeDi (Network Discovery) is an open source network monitoring tool. Please see first the general information in the NeDi page.

This page describes how to install NeDi on CentOS and RHEL Linux servers.

Installation on CentOS/RHEL

The present information refers to CentOS 6/7 and RHEL Linux 6/7 servers. As a preliminary step, add the EPEL package repository by installing the newest version of epel-release:

CentOS6 and RHEL6

Install prerequisites:

yum install httpd mod_ssl php php-mysql mysql-server php-snmp php-gd php-process patch rrdtool-perl net-snmp rrdtool

Some packages are only available in the RepoForge (was: RPMforge) Yum repository. For example, for CentOS 6 x86_64:

yum install http://pkgs.repoforge.org/rpmforge-release/rpmforge-release-0.5.3-1.el6.rf.x86_64.rpm

Warning: RepoForge is no longer being maintained!

You may also try to find RPMs in http://rpm.pbone.net/

Then install additional packages:

yum install perl-Algorithm-Diff perl-Net-Telnet perl-Socket6 perl-Net-SNMP perl-RRD-Simple.noarch perl-Time-HiRes-Value.noarch perl-Class-DBI-Pg.noarch perl-DBD-Pg.x86_64 perl-IO-Pty-Easy.noarch

CentOS7 and RHEL7

Install prerequisites:

yum install httpd mod_ssl php php-mysql mariadb-server mariadb-devel php-snmp php-gd php-process patch
yum install net-snmp rrdtool rrdtool-perl postgresql.x86_64 php-pgsql.x86_64
yum install perl-Algorithm-Diff perl-Net-Telnet perl-Socket6 perl-Test-Exception perl-DBD-Pg.x86_64 perl-Module-Build

(on EL7 the mysql-server package has been replaced by mariadb-server).

Then install additional packages from EPEL:

yum install perl-Net-SNMP perl-IO-Pty-Easy.noarch

Some packages are not in EL7 nor EPEL and must be installed manually. First the RRD-Simple package:

wget http://search.cpan.org/CPAN/authors/id/N/NI/NICOLAW/RRD-Simple-1.44.tar.gz
tar xzvf RRD-Simple-1.44.tar.gz
cd RRD-Simple-1.44   # See the INSTALL file
perl Makefile.PL
perl Build.PL        # creates the Build script used by the next two steps
perl Build test
perl Build install
cd ..

Then install the Time-HiRes-Value package:

wget http://search.cpan.org/CPAN/authors/id/P/PE/PEVANS/Time-HiRes-Value-0.08.tar.gz
tar xzvf Time-HiRes-Value-0.08.tar.gz
cd Time-HiRes-Value-0.08
perl Makefile.PL
perl Build.PL
perl Build test
perl Build install
cd ..

If you employ the Postgresql database, install the Class-DBI-Pg package:

wget http://search.cpan.org/CPAN/authors/id/D/DM/DMAKI/Class-DBI-Pg-0.09.tar.gz
tar xzvf Class-DBI-Pg-0.09.tar.gz
cd Class-DBI-Pg-0.09/
perl Makefile.PL
perl Build.PL
perl Build installdeps  # Installs many dependencies
perl Build test
perl Build install
cd ..

Patching the Perl NET::SNMP module Message.pm

NeDi uses the perl-Net-SNMP library (Net::SNMP, not to be confused with the Net-SNMP package), which hasn't been updated since 2010. There is a problem with the Message.pm module which may lead to many fake events in NeDi like:

latency xxx exceeds threshold yyy

If you want to fix this problem, the only way is to manually patch the Message.pm module (no updates seem to be coming) to use the Time::HiRes module. Patch the /usr/share/perl5/vendor_perl/Net/SNMP/Message.pm file (as root):

cd /usr/share/perl5/vendor_perl/Net/SNMP
wget ftp://ftp.fysik.dtu.dk/pub/NeDi/Message.pm.diff.elX   # X = 6 or 7
patch < Message.pm.diff.elX   # X = 6 or 7

You may also download the attached file Message.pm.diff.el6 (CentOS/RHEL6) or Message.pm.diff.el7 (CentOS/RHEL7). This patch was provided by the author of NeDi.

Install NeDi

Create a nedi user in group apache with home directory /var/nedi:

useradd -g apache -s /bin/bash -m -d /var/nedi/ -c "NeDi user" nedi

Create the dynamic subdirectories that are needed, then unpack the files into the nedi user's home directory:

mkdir -p /var/nedi/log
cd /var/nedi
tar xzvf .../nedi-XXX.tgz
chown -R nedi.apache /var/nedi/

Security: check whether this is really needed. Make the /var/nedi/ directory tree group-writable (group apache, i.e. the Apache web server):

chmod -R g+w /var/nedi/

Protect configuration files which might reveal important information about your network:

chmod 660 /var/nedi/nedi.conf /var/nedi/seedlist

Create system links to the NeDi files:

ln -s /var/nedi/nedi.conf /etc/nedi.conf  # NeDi configuration file
mv /var/www/html /var/www/html.orig       # Move default Apache html files out of the way
ln -s /var/nedi/html/ /var/www/html       # Link to NeDi html files

The PHP configuration file /etc/php.ini must be edited so that PHP recognizes code between <? and ?> tags as PHP source (NeDi's pages use these short tags); set this parameter:

short_open_tag = On

For reasons of security turn off this option in /etc/php.ini:

expose_php = Off
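The two php.ini edits above are easy to get wrong by hand (the key may be commented out with a leading ";" or missing entirely, and a second edit must not create a duplicate line). As an added example, not part of the original page or of NeDi, here is a small shell helper that applies such a setting idempotently and reads the effective value back; the function names set_php_ini_option and get_php_ini_option and the constructed sample php.ini are my own.

```shell
#!/bin/sh
# set_php_ini_option INI KEY VALUE
#   Sets "KEY = VALUE" in a php.ini file idempotently: an active line is rewritten,
#   a commented-out ";KEY = ..." line is uncommented and rewritten, and a missing
#   key is appended. Running it twice leaves the file unchanged.
set_php_ini_option() {
    ini="$1"; key="$2"; value="$3"
    tmp="${ini}.tmp.$$"
    awk -v key="$key" -v value="$value" '
        BEGIN { done = 0 }
        # first active or commented-out occurrence of the key
        !done && $0 ~ ("^[[:space:]]*;?[[:space:]]*" key "[[:space:]]*=") {
            print key " = " value; done = 1; next
        }
        { print }
        END { if (!done) print key " = " value }
    ' "$ini" > "$tmp" && mv "$tmp" "$ini"
}

# get_php_ini_option INI KEY
#   Prints the effective value of KEY (active lines only; when a key is repeated
#   the last definition wins, as in PHP), with any trailing ";comment" removed.
get_php_ini_option() {
    awk -v key="$2" '
        $0 ~ ("^[[:space:]]*" key "[[:space:]]*=") {
            sub("^[[:space:]]*" key "[[:space:]]*=[[:space:]]*", "")
            sub(/[[:space:]]*;.*$/, "")
            sub(/[[:space:]]+$/, "")
            val = $0
        }
        END { print val }
    ' "$1"
}

# --- demo on a constructed sample, not a copy of any distribution's php.ini ---
sample="$(mktemp)"
cat > "$sample" <<'EOF'
[PHP]
; constructed sample: the two settings this page changes, at their usual defaults
short_open_tag = Off
;expose_php = On
EOF
set_php_ini_option "$sample" short_open_tag On    # NeDi needs <? ... ?> tags
set_php_ini_option "$sample" expose_php Off       # do not advertise the PHP version
set_php_ini_option "$sample" expose_php Off       # second run: no change
echo "short_open_tag = $(get_php_ini_option "$sample" short_open_tag)"
echo "expose_php = $(get_php_ini_option "$sample" expose_php)"
rm -f "$sample"
```

Run it against the real file as root (set_php_ini_option /etc/php.ini expose_php Off) and restart httpd afterwards; PHP only reads php.ini at startup.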

SELinux permissive mode

Security concern: NeDi has been designed to execute many scripts through the Apache web server. This is going to conflict with the SELinux Enforcing security mode, and you must consider the security implications of allowing the Apache web server write access to the NeDi server's file system.

SELinux is configured in /etc/selinux/config and it should be set to Permissive mode:

SELINUX=permissive

Either reboot the server, or set Permissive mode immediately using this command:

setenforce Permissive

See the man-page httpd_selinux for information about Apache and SELinux.

Warning messages from SELinux will appear in the system syslog /var/log/messages.

Configuring NeDi for secure SELinux operation

Optional: Configuring the correct SELinux settings for the whole of NeDi (/var/nedi) is probably going to be really complicated. Here are some initial settings to get started.

Set SELinux security context for the nedi user's home directory:

setsebool -P httpd_enable_homedirs 1
chcon -R -t httpd_sys_content_t /var/nedi

For NeDi operation you must allow Apache to write to some directories. Make sure these directories have correct ownership and permissions:

# chown nedi.apache /var/nedi/html/map /var/nedi/sysobj
# chmod g+w /var/nedi/html/map /var/nedi/sysobj
# ls -lad /var/nedi/html/map /var/nedi/sysobj
drwxrwxr-x. 2 nedi apache  4096 Jan  6 15:11 /var/nedi/html/map
drwxrwxr-x. 2 nedi apache 36864 Jan  6 15:11 /var/nedi/sysobj

and then configure SELinux to permit read-write access for Apache:

chcon -R -t httpd_sys_rw_content_t /var/nedi/html/map
chcon -R -t httpd_sys_rw_content_t /var/nedi/sysobj/

NeDi database services

MySQL database service (CentOS 6)

Start the MySQL service:

chkconfig mysqld on
service mysqld start

Make sure to configure the MySQL root password as instructed at first invocation of mysqld, or run:

/usr/bin/mysql_secure_installation

Mariadb database service (CentOS 7)

Start the MariaDB service:

systemctl start mariadb
systemctl enable mariadb
systemctl status mariadb

Secure the database (root password etc.) by running:

/usr/bin/mysql_secure_installation

Initialize NeDi database

See the NeDi_installation page about database initialization. To get a completely blank Nedi database do:

cd /var/nedi/
./nedi.pl -i

For the mysql admin user/pass use root and the database password selected above.

For upgrading NeDi, starting with NeDi 1.4, you can use -i nodrop for updating an existing DB structure without the need for DB admin credentials. Alternatively -i updatedb will do just that without any loss of data.

For version 1.4.300 or 1.5.038 or 1.6.100:

./nedi.pl -i updatedb

Other versions:

./nedi.pl -i nodrop

The MySQL root account will be required for this operation.

NeDi syslog and moni daemons

NeDi requires two running daemon processes:

  • syslog.pl syslog daemon which stores events directly in DB.
  • moni.pl monitoring daemon for polling uptime and checking connectivity of services.

Daemons on CentOS 6

On RHEL/CentOS 6 systems download the startup scripts to the /etc/init.d/ directory (these scripts are based upon this Initscript_template example.)

Then add the system services and start them:

cd /etc/init.d/
wget ftp://ftp.fysik.dtu.dk/pub/NeDi/nedi-monitor
wget ftp://ftp.fysik.dtu.dk/pub/NeDi/nedi-syslog
chmod 755 nedi-monitor nedi-syslog
chkconfig --add nedi-monitor
chkconfig --add nedi-syslog
service nedi-monitor start
service nedi-syslog start

You may also download the files here:

Daemons on CentOS 7

On RHEL/CentOS 7 systems download the startup scripts and add the services:

wget ftp://ftp.fysik.dtu.dk/pub/NeDi/nedi-monitor
wget ftp://ftp.fysik.dtu.dk/pub/NeDi/nedi-monitor.service
wget ftp://ftp.fysik.dtu.dk/pub/NeDi/nedi-syslog
wget ftp://ftp.fysik.dtu.dk/pub/NeDi/nedi-syslog.service
chmod 755 nedi-monitor nedi-syslog
cp nedi-monitor nedi-syslog /usr/libexec/
cp nedi-monitor.service nedi-syslog.service /usr/lib/systemd/system/
systemctl enable nedi-monitor.service
systemctl enable nedi-syslog.service
systemctl start nedi-monitor.service
systemctl start nedi-syslog.service
systemctl status nedi-monitor.service
systemctl status nedi-syslog.service

You may also download the files here:

Apache web service

We will use the Apache web server provided by the httpd RPM package.

An SSL-encrypted NeDi web page must be configured because sensitive information such as login passwords is transmitted. For an introduction see Setting up an SSL secured Webserver with CentOS. The unencrypted HTTP service on port 80 should be redirected to the SSL-encrypted port 443 (see https://wiki.apache.org/httpd/RedirectSSL) as shown in the example below.

You may either use a self-signed SSL certificate, or use a commercial SSL certificate valid for your web server according to your site's security policies. The SSL certificate files must be copied to the /etc/pki/tls/{certs,private}/ directories (see above CentOS instructions).

In the Apache configuration directory /etc/httpd/conf.d/ create the file 03nedi.conf and change DNS domain names (here example.com) as required. Apache does not allow a # comment after a directive on the same line (the text would be read as extra arguments and apachectl configtest fails), so keep all comments on lines of their own:

# NameVirtualHost is needed by Apache 2.2 (CentOS/RHEL 6); Apache 2.4 (CentOS/RHEL 7)
# ignores it with a warning.
NameVirtualHost *:80
<VirtualHost *:80>
  AddDefaultCharset Off
  ServerAdmin webmaster@example.com
  ServerName nedi.example.com
  RewriteEngine On
  RewriteCond %{REQUEST_METHOD} ^TRACE
  RewriteRule .* - [F]
  Redirect / https://nedi.example.com/
</VirtualHost>

NameVirtualHost *:443
<VirtualHost _default_:443>
  AddDefaultCharset Off
  ServerAdmin webmaster@example.com
  ServerName nedi.example.com
  DocumentRoot /var/www/html/
  # Security: Cross-Site Tracing issues: http://www.apacheweek.com/issues/03-01-24
  RewriteEngine On
  RewriteCond %{REQUEST_METHOD} ^TRACE
  RewriteRule .* - [F]
  # Security: https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options
  # (the Header directives need mod_headers, loaded by default on CentOS/RHEL)
  Header always append X-Frame-Options SAMEORIGIN
  DirectoryIndex index.php
  Options -Indexes
  SSLEngine On
  # Example only: replace with your own certificate and key files
  SSLCertificateFile /etc/pki/tls/certs/ca.crt
  SSLCertificateKeyFile /etc/pki/tls/private/ca.key
  # Disable obsolete SSLv2/3 and TLS v1.0 protocols:
  SSLProtocol all -SSLv2 -SSLv3 -TLSv1
  # See https://mozilla.github.io/server-side-tls/ssl-config-generator/
  SSLCipherSuite "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA"
  SSLHonorCipherOrder on
  Header always add Strict-Transport-Security "max-age=15768000"
</VirtualHost>

Test the Apache configuration by:

apachectl configtest
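apachectl configtest only checks syntax; it does not tell you whether the hardening settings of the vhost above are actually present. As an added example, not part of the original page or of NeDi, here is a shell audit that greps a vhost file such as 03nedi.conf for them: no comment text on the same line as a directive, SSLv2/SSLv3/TLSv1 disabled in SSLProtocol, anonymous/RC4/MD5 suites excluded from SSLCipherSuite, SSLHonorCipherOrder, the HSTS and X-Frame-Options headers, Options -Indexes, the TRACE block and the port-80 redirect. The function names audit_nedi_vhost and _need and the two constructed sample configurations (with a shortened cipher list) are my own; the checks read the file as written, not what Apache loaded.

```shell
#!/bin/sh
# audit_nedi_vhost FILE
#   Prints one "FAIL: ..." line per missing hardening setting in an Apache vhost file
#   and returns the number of failures (0 = everything found). Pure text checks on the
#   file as written; they complement, not replace, "apachectl configtest".
_need() {   # _need REGEX FILE MESSAGE: print "FAIL: MESSAGE" and fail unless REGEX matches
    grep -Eiq "$1" "$2" || { echo "FAIL: $3"; return 1; }
}

audit_nedi_vhost() {
    conf="$1"; fails=0

    # Apache has no inline comments: "SSLCertificateFile /x # note" is parsed as two
    # arguments and configtest fails. (A '#' inside a quoted value is a false positive.)
    if grep -Eq '^[[:space:]]*[A-Za-z][^#]*[[:space:]]#' "$conf"; then
        echo "FAIL: '#' comment on the same line as a directive"; fails=$((fails + 1))
    fi

    # SSLv2, SSLv3 and TLSv1 must be switched off (the compiled-in default is too permissive)
    proto="$(grep -Ei '^[[:space:]]*SSLProtocol[[:space:]]' "$conf" | tail -n 1)"
    [ -n "$proto" ] || { echo "FAIL: no SSLProtocol directive"; fails=$((fails + 1)); }
    for old in SSLv2 SSLv3 TLSv1; do
        case " $proto " in
            *" -$old "*) ;;                                   # explicitly disabled
            *" all "*|*" +all "*|*" $old "*|*" +$old "*)      # enabled via "all" or by name
                echo "FAIL: SSLProtocol leaves $old enabled"; fails=$((fails + 1)) ;;
        esac
    done

    # anonymous, RC4 and MD5 cipher suites must be excluded
    ciphers="$(grep -Ei '^[[:space:]]*SSLCipherSuite[[:space:]]' "$conf" | tail -n 1)"
    for weak in aNULL RC4 MD5; do
        case "$ciphers" in
            *"!$weak"*) ;;
            *) echo "FAIL: SSLCipherSuite does not exclude $weak"; fails=$((fails + 1)) ;;
        esac
    done

    _need '^[[:space:]]*SSLHonorCipherOrder[[:space:]]+on' "$conf" \
        "server cipher preference not enforced (SSLHonorCipherOrder on)" || fails=$((fails + 1))
    _need 'Strict-Transport-Security' "$conf" "no HSTS header" || fails=$((fails + 1))
    _need 'X-Frame-Options' "$conf" "no X-Frame-Options header (clickjacking)" || fails=$((fails + 1))
    _need '^[[:space:]]*Options[[:space:]].*-Indexes' "$conf" "directory listings not disabled" || fails=$((fails + 1))
    _need '^[[:space:]]*(RewriteCond[[:space:]]+%\{REQUEST_METHOD\}[[:space:]]+\^TRACE|TraceEnable[[:space:]]+off)' "$conf" \
        "TRACE method not blocked" || fails=$((fails + 1))
    _need '^[[:space:]]*Redirect[[:space:]]+(permanent[[:space:]]+)?/[[:space:]]+https://' "$conf" \
        "port-80 vhost does not redirect to https" || fails=$((fails + 1))

    return $fails
}

# --- demo on two constructed vhost files (not copies of a real 03nedi.conf) ---
good="$(mktemp)"; bad="$(mktemp)"
cat > "$good" <<'EOF'
<VirtualHost *:80>
  ServerName nedi.example.com
  RewriteEngine On
  RewriteCond %{REQUEST_METHOD} ^TRACE
  RewriteRule .* - [F]
  Redirect / https://nedi.example.com/
</VirtualHost>
<VirtualHost _default_:443>
  ServerName nedi.example.com
  RewriteEngine On
  RewriteCond %{REQUEST_METHOD} ^TRACE
  RewriteRule .* - [F]
  Header always append X-Frame-Options SAMEORIGIN
  Options -Indexes
  SSLEngine On
  # Example only: use your own certificate and key
  SSLCertificateFile /etc/pki/tls/certs/ca.crt
  SSLCertificateKeyFile /etc/pki/tls/private/ca.key
  SSLProtocol all -SSLv2 -SSLv3 -TLSv1
  # shortened cipher list for the demo; use the full list from the page
  SSLCipherSuite "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:!aNULL:!eNULL:!RC4:!MD5"
  SSLHonorCipherOrder on
  Header always add Strict-Transport-Security "max-age=15768000"
</VirtualHost>
EOF
cat > "$bad" <<'EOF'
<VirtualHost _default_:443>
  ServerName nedi.example.com
  SSLEngine On
  SSLCertificateFile /etc/pki/tls/certs/ca.crt   # Example only
  SSLProtocol all -SSLv2
  SSLCipherSuite "HIGH:!aNULL:!MD5"
</VirtualHost>
EOF
audit_nedi_vhost "$good" && echo "hardened vhost: no findings"
audit_nedi_vhost "$bad"  || echo "weak vhost: $? findings"
rm -f "$good" "$bad"
```

The second sample shows the failure mode of the original listing: the "# Example only" text after SSLCertificateFile is reported, together with the protocols and headers it lacks.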

Apache and SSL security

Advice about SSL security in Apache:

The SSLCipherSuite (Cipher Suite available for negotiation in SSL handshake) configuration is really complicated. Strong recommendations are in:

In fact, one may generate an appropriate Apache SSL configuration including SSLCipherSuite in the page:

Apache on CentOS/RHEL 6

Start the Apache web service on CentOS/RHEL 6:

chkconfig httpd on
service httpd start

Apache on CentOS/RHEL 7

There seems to be a bug in the httpd package file /etc/httpd/conf.modules.d/00-lua.conf giving a syslog error message:

httpd: Syntax error on line 56 of /etc/httpd/conf/httpd.conf: Syntax error on line 1 of /etc/httpd/conf.modules.d/00-lua.conf: Cannot load modules/mod_lua.so into server: /etc/httpd/modules/mod_lua.so: undefined symbol: apr_bcrypt_encode

Comment out line 1 of /etc/httpd/conf.modules.d/00-lua.conf by inserting # at the start of the line.

When the configuration test is OK, start the httpd service:

systemctl enable httpd
systemctl start httpd
systemctl status httpd

Firewall rules for web services (CentOS6)

Configure IPTables firewall rules for HTTP/HTTPS (ports 80,443) by adding in /etc/sysconfig/iptables:

-A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT

and restart the iptables service:

service iptables restart

You may want to restrict which IP addresses can access the web server by specifying the source address explicitly to IPTables with -s. Some examples:

-A INPUT -s 10.0.0.0/24 -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A INPUT -s 10.0.0.123 -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT

Firewall rules for web services (CentOS7)

A nice introduction is RHEL7: How to get started with Firewalld.

Configure firewalld rules for HTTP/HTTPS (ports 80,443) by adding:

firewall-cmd --zone=public --add-port=80/tcp --permanent
firewall-cmd --zone=public --add-port=443/tcp --permanent
firewall-cmd --reload

Crontab jobs

For automatic device discovery use cron jobs. Add some crontab commands for user nedi using the command:

crontab -e -u nedi

to add these hourly jobs:

0 0 * * * /var/nedi/nedi.pl -p -B2 > /var/nedi/log/nedi-backup.lastrun 2>&1
0 1-23 * * * /var/nedi/nedi.pl -p > /var/nedi/log/nedi.lastrun 2>&1

Upgrading NeDi software

From time to time a new version of NeDi may become available (see Installation above for downloads), and you may want to install the update.

The upgrading process must be run as the root user.

Stop all NeDi services:

service httpd stop
service nedi-monitor stop
service nedi-syslog stop

and comment out the discovery scripts in crontab:

crontab -e -u nedi

Now make a database backup as shown in the section below, just for safety.

The /var/nedi directory contains a lot of NeDi state information (RRD graphs, switch configurations, etc.) which you want to preserve across the update. So first make a backup of the old version /var/nedi:

tar czf $HOME/nedi-old-version-backup.tar.gz /var/nedi

Also make backup copies of all changed configuration files to some backup directory, for example:

cd /var/nedi
cp -p nedi.conf seedlist nedi.pl trap.pl ... <backup-directory>

Here we back up also the Perl (.pl) files (for example, trap.pl) in case you have made any changes manually.

Then overwrite /var/nedi by the new version (here 1.6.100):

cd /var/nedi
tar xzvf <downloaddir>/nedi-1.6.100.tgz

If there are any patch-files, unpack the latest file as well (for example):

tar xzvf <downloaddir>/nedi-1.6p2.tgz

The patch files are cumulative, so only the latest one will be used.

Now restore your old configuration files:

mv nedi.conf nedi.conf.new
mv seedlist seedlist.new
cp -p $HOME/nedi.conf $HOME/seedlist .

Set correct user and group ownership:

chown -R nedi.apache /var/nedi
chmod -R g+w /var/nedi

Notice: The web interface user admin now has the default password admin. Change the admin password as described in our NeDi page.

The MySQL database structures may need updating, see the MySQL service section above before doing:

./nedi.pl -i updatedb

When the upgrading has completed successfully, restart all NeDi services (as root user):

service httpd start
service nedi-monitor start
service nedi-syslog start

and re-enable the discovery scripts in crontab:

crontab -e -u nedi

Backup and restore of NeDi server

In order to backup the entire NeDi server to a different location (for disaster recovery or migration), the following files must be backed up:

  1. The directory tree /var/nedi.
  2. Make a MySQL database mysqldump using this script /root/mysqlbackup (insert the correct MySQL password):

    #!/bin/sh
    # MySQL Backup Script for All Databases
    HOST=localhost
    BACKUPFILE=/root/mysql_dump
    USER=root
    # Do not name this variable PWD: the shell reserves PWD for the current directory.
    DBPASS='**********'
    DUMP_ARGS="--opt --flush-logs --quote-names"
    DATABASES="--all-databases"
    # Note: --password=... is visible to all local users in the process list (ps);
    # an option file passed with --defaults-extra-file avoids this.
    /usr/bin/mysqldump --host=$HOST --user=$USER --password=$DBPASS $DUMP_ARGS --result-file=$BACKUPFILE $DATABASES

    Write permission to $BACKUPFILE is required. Since the script contains the database password, it must not be readable by other users (chmod 700 /root/mysqlbackup).

Make regular database dumps, for example by a crontab job:

# MySQL database backup
30 7 * * * /root/mysqlbackup

Note: Using the GUI page System-Snapshot one may perform a Database Snapshot - this is just a special database inside the MySQL server, not a backup. The page System-Export also allows export of database contents.
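The pre-upgrade backup of /var/nedi and its hand-edited files (Upgrading NeDi software above) and the MySQL dump job here are the two things you will want to have done right before touching a running server. As an added example, not part of the original page or of NeDi, here are shell helpers that do both: backup_nedi_tree writes a timestamped, owner-only backup directory with a tarball, separate copies of the configuration files and a SHA-256 manifest, verify_nedi_backup re-checks it, and write_mysql_option_file / mysql_dump_all run the same mysqldump options as the script above but take the password from a 0600 option file instead of the command line. All four function names, the option-file layout and the constructed throw-away tree in the demo are my own; mysqldump itself is not run in the demo because it needs a database server.

```shell
#!/bin/sh
# backup_nedi_tree NEDI_DIR BACKUP_ROOT
#   Creates BACKUP_ROOT/nedi-backup-<timestamp>/ (mode 0700) holding a tarball of the
#   whole NEDI_DIR tree, copies of the hand-edited files the upgrade overwrites, and a
#   SHA-256 manifest. Prints the backup directory path. The body is a subshell so the
#   umask change does not leak into the caller; "exit" therefore ends only the subshell.
backup_nedi_tree() (
    src="$1"; root="$2"
    umask 077                      # nedi.conf holds SNMP communities and the DB password
    dest="$root/nedi-backup-$(date +%Y%m%d-%H%M%S)"
    mkdir -p "$dest" || exit 1
    tar czf "$dest/nedi-tree.tar.gz" -C "$(dirname "$src")" "$(basename "$src")" || exit 1
    for f in nedi.conf seedlist nedi.pl trap.pl; do      # kept separately for easy diffing
        if [ -f "$src/$f" ]; then cp -p "$src/$f" "$dest/" || exit 1; fi
    done
    ( cd "$dest" && find . -maxdepth 1 -type f ! -name SHA256SUMS -exec sha256sum {} + > SHA256SUMS ) || exit 1
    echo "$dest"
)

# verify_nedi_backup BACKUP_DIR
#   Re-checks the manifest and confirms the tarball carries nedi.conf. Returns 0 on success.
verify_nedi_backup() {
    ( cd "$1" && sha256sum -c --quiet SHA256SUMS >/dev/null 2>&1 ) \
        || { echo "manifest mismatch in $1"; return 1; }
    tar tzf "$1/nedi-tree.tar.gz" | grep -q '/nedi\.conf$' \
        || { echo "nedi.conf missing from tarball"; return 1; }
    return 0
}

# write_mysql_option_file PATH USER PASSWORD
#   Stores the credentials in a 0600 option file. Passing --password=... on the
#   command line shows it to every local user in "ps"; --defaults-extra-file does not.
write_mysql_option_file() {
    ( umask 077; printf '[client]\nhost=localhost\nuser=%s\npassword=%s\n' "$2" "$3" > "$1" ) || return 1
    chmod 600 "$1"
}

# mysql_dump_all OPTFILE OUTFILE
#   The mysqldump call for the cron job, with the same options as the backup script.
#   --defaults-extra-file must be the first option. Needs a running MySQL/MariaDB.
mysql_dump_all() {
    ( umask 077; mysqldump --defaults-extra-file="$1" --opt --flush-logs --quote-names \
        --all-databases --result-file="$2" )
}

# --- demo on a constructed, throw-away NeDi tree (not a real installation) ---
demo="$(mktemp -d)"
mkdir -p "$demo/var/nedi/log"
printf '# constructed sample, not a real nedi.conf\ndbpass  nedi-secret\n' > "$demo/var/nedi/nedi.conf"
printf '10.0.0.1\n' > "$demo/var/nedi/seedlist"
if dest="$(backup_nedi_tree "$demo/var/nedi" "$demo/backups")" && verify_nedi_backup "$dest"; then
    echo "backup verified: $dest"
fi
write_mysql_option_file "$demo/mysqlbackup.cnf" root 'replace-me' && ls -l "$demo/mysqlbackup.cnf"
rm -rf "$demo"
```

On the real server the cron job would become "mysql_dump_all /root/mysqlbackup.cnf /root/mysql_dump", and the backup directory printed by backup_nedi_tree is what you copy off the machine before the upgrade.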

Restore of a NeDi backup

Step 1: The directory tree /var/nedi must be restored instead of the vanilla distribution files, and the installation instructions above must be followed.

Step 2: NeDi's MySQL database contents must be loaded from the backup. To restore a MySQL database see for example How do I restore a MySQL .dump file?. As user root, load the backup file created above (the BACKUPFILE of the backup script, /root/mysql_dump):

mysql -u root -p < /root/mysql_dump

The MySQL password will be asked for.

If you for some reason need to drop the existing MySQL database, the NeDi command is:

cd /var/nedi/
./nedi.pl -i

Upgrading the MySQL database version

If you migrate NeDi to a new system with a new version of the MySQL database, for example upgrading MySQL 5.1 on CentOS 6 to MariaDB 5.5 on CentOS 7, there are some extra steps.

See Upgrading from MySQL to MariaDB about running the mysql_upgrade command:

mysql_upgrade

whenever major (or even minor) version upgrades are made, or when migrating from MySQL to MariaDB.

It may be necessary to restart the mysqld service or reboot the server after the upgrade (this has not been verified).

IT-wiki: NeDi_installation_on_CentOS (last edited 2018-02-15 15:44:03 by OleHolmNielsen)