Step 1. Install the LNMP Stack (Linux+Nginx+MariaDB+PHP)
sudo yum update -y
timedatectl set-timezone Asia/Taipei
timedatectl
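Step 2. Add the LibreNMS user
Create a new system user named librenms, which will be used to run LibreNMS. Run the following command to create it:
useradd librenms -d /opt/librenms -M -r -s "$(which bash)"
- -d /opt/librenms: sets the new user's home directory to /opt/librenms.
- -M: does not create the home directory for the new user.
- -r: makes the new user a system user.
- -s "$(which bash)": sets the new user's shell to bash.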
Step 3. Install required packages
sudo dnf update -y
sudo dnf install -y epel-release
sudo dnf install -y https://rpms.remirepo.net/enterprise/remi-release-9.rpm
Step 4. Install and configure Nginx
Install the nginx service
dnf install nginx -y
sudo firewall-cmd --add-service={http,https} --permanent
sudo firewall-cmd --reload
sudo firewall-cmd --list-all
Start the service
systemctl start nginx ; systemctl enable nginx
Restart the service
systemctl restart nginx
sudo systemctl status nginx
Step 5. Configure the web server
vim /etc/nginx/conf.d/librenms.conf
server {
    listen 80;
    server_name 192.168.101.108;
    root /opt/librenms/html;
    index index.php;
    charset utf-8;
    gzip on;
    gzip_types text/css application/javascript text/javascript application/x-javascript image/svg+xml text/plain text/xsd text/xsl text/xml image/x-icon;
    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }
    location ~ [^/]\.php(/|$) {
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PATH_INFO $fastcgi_path_info;
        fastcgi_pass unix:/run/php-fpm-librenms.sock;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        include fastcgi_params;
    }
    location ~ /\.(?!well-known).* {
        deny all;
    }
}
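Now run the following command to verify the Nginx configuration. If it succeeds, you should see output such as "syntax is ok" and "test is successful".
sudo nginx -t
Start and manage the service: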
systemctl start nginx ; systemctl enable nginx
systemctl restart nginx
sudo systemctl status nginx
Step 6. Install and configure MariaDB
Install the database
sudo dnf install -y mariadb-server
systemctl start mariadb ; systemctl enable mariadb
sudo systemctl restart mariadb
sudo mariadb-secure-installation
Configure MariaDB: initialize the database and set the password. Press Enter at the first prompt and answer Y to all the others.
Enter current password for root (enter for none): Enter
Set root password? [Y/n]: Y
New password: (password)
Re-enter new password: (password)
Remove anonymous users? [Y/n]: Y
Disallow root login remotely? [Y/n]: Y
Remove test database and access to it? [Y/n]: Y
Reload privilege tables now? [Y/n]: Y
Manually add the following lines to the [mysqld] section of the server configuration file:
sudo vim /etc/my.cnf.d/mariadb-server.cnf
innodb_file_per_table=1
lower_case_table_names=0
Create the LibreNMS database
mariadb -u root -p
CREATE DATABASE librenms CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;
CREATE USER 'librenms'@'localhost' IDENTIFIED BY 'passwdlibrenms';
GRANT ALL PRIVILEGES ON librenms.* TO 'librenms'@'localhost';
ALTER DATABASE librenms CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;
FLUSH PRIVILEGES;
SHOW GRANTS FOR 'librenms'@'localhost';
exit
systemctl restart mariadb
Step 7. Install PHP 8.3
dnf module reset php -y
dnf module list php -y
dnf module install php:remi-8.3 -y
Step 8. Set PHP environment parameters
Configure PHP by editing /etc/php.ini (vim /etc/php.ini): find the date.timezone = key and set it to Asia/Taipei.
sed -i "s|^;date.timezone =.*$|date.timezone = Asia/Taipei|" /etc/php.ini
sed -i "s|^max_execution_time =.*$|max_execution_time = 60|" /etc/php.ini
sed -i "s|^memory_limit =.*$|memory_limit = 512M|" /etc/php.ini
Step 9. Configure PHP-FPM
Copy the PHP-FPM configuration file for librenms
cp /etc/php-fpm.d/www.conf /etc/php-fpm.d/librenms.conf
Configure the librenms PHP-FPM pool: vim /etc/php-fpm.d/librenms.conf. Change the original [www] to [librenms] and set:
user = librenms
group = librenms
listen = /run/php-fpm-librenms.sock
The same changes can be made with sed:
sed -i 's/\[www\]/\[librenms\]/g' /etc/php-fpm.d/librenms.conf
sed -i "s|^user = apache.*$|user = librenms|" /etc/php-fpm.d/librenms.conf
sed -i "s|^group = apache.*$|group = librenms|" /etc/php-fpm.d/librenms.conf
sed -i "s|^listen = /run/php-fpm/www.sock.*$|listen = /run/php-fpm-librenms.sock|" /etc/php-fpm.d/librenms.conf
Enable the service at boot and restart it
systemctl enable php-fpm ; systemctl restart php-fpm
ss -pl | grep php-fpm
Step 10. Install LibreNMS dependencies
sudo dnf install -y bash-completion cronie fping git ImageMagick mariadb-server mtr net-snmp net-snmp-utils nginx nmap php-fpm php-cli php-common php-curl php-gd php-gmp php-json php-mbstring php-process php-snmp php-xml php-zip php-mysqlnd python3 python3-PyMySQL python3-redis python3-memcached python3-pip python3-systemd rrdtool unzip
Step 11. Download and set permissions
git clone https://github.com/librenms/librenms.git /opt/librenms
Step 12. Set permissions
chown -R librenms:librenms /opt/librenms
chmod 771 /opt/librenms
setfacl -d -m g::rwx /opt/librenms/rrd /opt/librenms/logs /opt/librenms/bootstrap/cache/ /opt/librenms/storage/
setfacl -R -m g::rwx /opt/librenms/rrd /opt/librenms/logs /opt/librenms/bootstrap/cache/ /opt/librenms/storage/
Step 13. Install PHP dependencies
Note: run these one line at a time!
sudo su - librenms
cd /opt/librenms
./scripts/composer_wrapper.php install --no-dev
Step 14. Fix SELinux permissions for fping
Use vim to create a file named http_fping.tt and copy the following policy module into it. This allows the fping command to run under SELinux.
sudo vim http_fping.tt
module http_fping 1.0;
require {
type httpd_t;
class capability net_raw;
class rawip_socket { getopt create setopt write read };
class process setrlimit;
}
#============= httpd_t ==============
allow httpd_t self:capability net_raw;
allow httpd_t self:rawip_socket { getopt create setopt write read };
allow httpd_t self:process setrlimit;
When done, save the file and exit the editor. Finally, run the following commands to compile the module and load it into SELinux.
checkmodule -M -m -o http_fping.mod http_fping.tt
semodule_package -o http_fping.pp -m http_fping.mod
semodule -i http_fping.pp
sudo setsebool -P httpd_can_network_connect 1
sudo semanage permissive -a httpd_t
setcap cap_net_raw+ep /usr/sbin/fping
semodule -l | grep http_fping
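Step 15. Configure SELinux security labels
The following commands set the labels for LibreNMS, allow the web server to send e-mail, and allow it to run the programs the installation requires.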
semanage fcontext -a -t httpd_sys_content_t '/opt/librenms/html(/.*)?'
semanage fcontext -a -t httpd_sys_rw_content_t '/opt/librenms/(rrd|storage)(/.*)?'
semanage fcontext -a -t httpd_log_t "/opt/librenms/logs(/.*)?"
semanage fcontext -a -t bin_t '/opt/librenms/librenms-service.py'
restorecon -RFvv /opt/librenms
setsebool -P httpd_can_sendmail=1
setsebool -P httpd_execmem 1
chcon -t httpd_sys_rw_content_t /opt/librenms/.env
chmod 775 /opt/librenms/{rrd,logs}/ -R
Additional SELinux problems may be found by executing: audit2why < /var/log/audit/audit.log
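Step 16. Configure the SNMP service
Set up the snmpd service on the LibreNMS host; it will be used to monitor network devices. Copy the default SNMP configuration to /etc/snmp/snmpd.conf and open it with vim as shown below.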
cp /opt/librenms/snmpd.conf.example /etc/snmp/snmpd.conf
vim /etc/snmp/snmpd.conf
Replace the default SNMP community string RANDOMSTRINGGOESHERE with a new one.
# Change RANDOMSTRINGGOESHERE to your preferred SNMP community string
com2sec readonly default RANDOMSTRINGGOESHERE
When done, save the file and close the editor.
sudo curl -o /usr/bin/distro https://raw.githubusercontent.com/librenms/librenms-agent/master/snmp/distro
sudo chmod +x /usr/bin/distro
systemctl enable snmpd
systemctl restart snmpd
systemctl status snmpd
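The community-string change in this step can also be scripted instead of edited by hand. The following is an added example, not part of the original tutorial or of LibreNMS; the function names and the 32-character length are assumptions made for it.

```shell
#!/usr/bin/env bash
# Added example: swap the RANDOMSTRINGGOESHERE placeholder copied from
# snmpd.conf.example for a random community string, then verify the file.
# Function names and the 32-character length are choices made for this example.

PLACEHOLDER='RANDOMSTRINGGOESHERE'

# Print a random alphanumeric string of length $1 (default 32).
gen_community() {
    local len="${1:-32}"
    head -c 2048 /dev/urandom | LC_ALL=C tr -dc 'A-Za-z0-9' | cut -c1-"$len"
}

# Replace the placeholder on com2sec lines of file $1. Idempotent: a file
# whose placeholder is already gone is left untouched. The new value is
# never printed.
set_snmp_community() {
    local conf="$1" community
    grep -q "^com2sec.*${PLACEHOLDER}" "$conf" || return 0
    community="$(gen_community 32)"
    [ "${#community}" -eq 32 ] || return 1
    sed -i "/^com2sec/ s|${PLACEHOLDER}|${community}|" "$conf"
    chmod 600 "$conf"   # the community string is a credential
}

# Exit 0 only if no com2sec line still carries the placeholder or a
# well-known default community (public / private).
check_snmp_community() {
    awk -v p="$PLACEHOLDER" '
        $1 == "com2sec" && ($NF == p || $NF == "public" || $NF == "private") { bad = 1 }
        END { exit bad + 0 }' "$1"
}

# Usage on the server (as root):
#   set_snmp_community /etc/snmp/snmpd.conf && check_snmp_community /etc/snmp/snmpd.conf
#   systemctl restart snmpd
```

The same community string must then be entered in LibreNMS when the device is added.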
Step 17. Additional LibreNMS setup (scheduling and auto-completion)
Enable lnms command completion: this lets you use tab completion with lnms just as you would with ordinary Linux commands.
ln -s /opt/librenms/lnms /usr/bin/lnms
cp /opt/librenms/misc/lnms-completion.bash /etc/bash_completion.d/
su - librenms
lnms [TAB]
Set up the cron job for LibreNMS polling.
cp /opt/librenms/dist/librenms.cron /etc/cron.d/librenms
cp /opt/librenms/misc/librenms.logrotate /etc/logrotate.d/librenms
Enable the scheduler
cp /opt/librenms/dist/librenms-scheduler.service /opt/librenms/dist/librenms-scheduler.timer /etc/systemd/system/
sudo systemctl daemon-reload
sudo systemctl enable librenms-scheduler.timer
sudo systemctl start librenms-scheduler.timer
sudo systemctl daemon-reload
systemctl restart php-fpm mariadb snmpd nginx
Step 18. Installing LibreNMS via Web Browser
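(Enter your server's IP address in a browser to run the graphical installer.)
Step 19. After logging in, check for settings that need fixing
After the fix
The local device needs to be added for monitoring.
After adding it
Add the device using SNMP only.
Step 20. Enable HTTPS encrypted connections
Configure NGINX for HTTPS and create a self-signed SSL certificate.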
sudo mkdir /etc/nginx/ssl
sudo openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout /etc/nginx/ssl/nginx.key -out /etc/nginx/ssl/nginx.crt
sudo vim /etc/nginx/conf.d/librenms.conf
server {
    listen 80;
    server_name 192.168.101.108;
    return 301 https://$host$request_uri;
}
server {
    listen 443 ssl;
    server_name 192.168.101.108;
    ssl_certificate /etc/nginx/ssl/nginx.crt;
    ssl_certificate_key /etc/nginx/ssl/nginx.key;
    root /opt/librenms/html;
    index index.php;
    ssl_session_timeout 5m;
    ssl_session_cache builtin:1000 shared:SSL:10m;
    ssl_protocols TLSv1.2;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
    ssl_prefer_server_ciphers on;
    access_log /opt/librenms/logs/librenms.nginx.access.log;
    error_log /opt/librenms/logs/librenms.nginx.error.log;
    charset utf-8;
    gzip on;
    gzip_types text/css application/javascript text/javascript application/x-javascript image/svg+xml text/plain text/xsd text/xsl text/xml image/x-icon;
    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }
    location ~ \.php$ {
        fastcgi_pass unix:/run/php-fpm-librenms.sock;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PATH_INFO $fastcgi_path_info;
    }
    location ~ /\.ht {
        deny all;
    }
    location ~ /\.(?!well-known).* {
        deny all;
    }
}
systemctl restart php-fpm mariadb snmpd nginx
openssl ciphers -V
openssl s_client -connect 192.168.101.108:443
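The ssl_ciphers value in this step mixes one explicit suite with broad aliases (ECDHE, ECDH, AES, HIGH), and openssl ciphers -V expands such a string when it is passed as an argument. The following added example (not from the original tutorial; the function names, the sample listing and STRICT_CIPHERS are assumptions made here) flags expanded suites that use static RSA key exchange or a non-AEAD MAC.

```shell
#!/usr/bin/env bash
# Added example: flag suites in `openssl ciphers -V` output that lack
# forward secrecy (Kx=RSA) or use a non-AEAD MAC (CBC mode with HMAC).

# ssl_ciphers value from the Step 20 server block.
PAGE_CIPHERS='ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4'
# Narrower alternative chosen for this example (an assumption, not from the page).
STRICT_CIPHERS='ECDHE+AESGCM:ECDHE+CHACHA20'

# Constructed sample in the column layout that `openssl ciphers -V` prints.
sample_listing() {
    cat <<'EOF'
0x13,0x02 - TLS_AES_256_GCM_SHA384      TLSv1.3 Kx=any  Au=any Enc=AESGCM(256) Mac=AEAD
0xC0,0x2F - ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD
0xC0,0x13 - ECDHE-RSA-AES128-SHA        TLSv1   Kx=ECDH Au=RSA Enc=AES(128)    Mac=SHA1
0x00,0x9C - AES128-GCM-SHA256           TLSv1.2 Kx=RSA  Au=RSA Enc=AESGCM(128) Mac=AEAD
0x00,0x2F - AES128-SHA                  SSLv3   Kx=RSA  Au=RSA Enc=AES(128)    Mac=SHA1
EOF
}

# Read a listing on stdin; print "<suite> <reasons>" for each weak suite.
flag_weak_suites() {
    awk 'NF >= 3 {
        kx = ""; mac = ""; why = ""
        for (i = 4; i <= NF; i++) {
            if ($i ~ /^Kx=/)  kx  = substr($i, 4)
            if ($i ~ /^Mac=/) mac = substr($i, 5)
        }
        if (kx == "RSA") why = "no-forward-secrecy"
        if (mac != "" && mac != "AEAD") why = (why == "" ? "" : why ",") "non-AEAD"
        if (why != "") print $3, why
    }'
}

# Expand a cipher string with the local OpenSSL and audit it.
audit_cipher_string() {
    openssl ciphers -V "$1" | flag_weak_suites
}

# Usage on the server:
#   audit_cipher_string "$PAGE_CIPHERS"     # lists what the broad aliases admit
#   audit_cipher_string "$STRICT_CIPHERS"   # expect no output
```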
Step 21. LibreNMS plugins: WeatherMap
Install the PHP extension and packages:
dnf install php-pear -y
git clone https://github.com/librenms-plugins/Weathermap.git /opt/librenms/html/plugins/Weathermap
chown -R librenms:librenms /opt/librenms/html/plugins/Weathermap/
chmod 775 /opt/librenms/html/plugins/Weathermap/configs
chmod 775 /opt/librenms/html/plugins/Weathermap/output
[Note: if SELinux is in use, also run the following command]
chcon -R -t httpd_cache_t /opt/librenms/html/plugins/Weathermap/
Set up the schedule: vim /etc/cron.d/librenms
*/1 * * * * librenms /opt/librenms/html/plugins/Weathermap/map-poller.php >> /dev/null 2>&1
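Enable the plugin
Add a map (the file name must end in .conf).
Edit the map properties: Map Title
Map Title: change to a name of your choice
Output Image Filename: the file name must end in .png
Output HTML Filename: the file name must end in .html
Step 22. Adjusting the default blue color of traffic graphs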
LINK node07485-Lan
WIDTH 5
INFOURL https://nms.wda.gov.tw:443/graphs/type=port_bits/id=29/
OVERLIBGRAPH https://nms.wda.gov.tw:443/graph.php?height=100&width=512&id=29&type=port_bits&legend=no
TARGET ./172.21.40.30/port-id29.rrd:INOCTETS:OUTOCTETS
NODES node07485 Lan
BANDWIDTH 600M
Edit /opt/librenms/html/plugins/Weathermap/overlib.js and change
if (typeof ol_fgcolor=='undefined') var ol_fgcolor="#CCCCFF";
to
if (typeof ol_fgcolor=='undefined') var ol_fgcolor="#FFFFFF";
Step 23. Customize the login page
vim /opt/librenms/resources/views/auth/public-status.blade.php
@extends('layouts.librenmsv1')
@section('title')
{{ __('Public Devices') }}
@append
@section('content')
<div class="container-fluid">
<div class="row">
<div class="col-md-offset-4 col-md-4">
@include('auth.login-form')
</div>
</div>
</div>
@endsection
@section('css')
<style>
body {
padding-top: 0;
}
</style>
@endsection
@section('javascript')
<script class="code" type="text/javascript">
$(document).ready(function () {
$("#ToggleLogon").on("click", function () {
document.getElementById('public-logon').style.display = "block";
document.getElementById('public-status').style.display = "none";
});
$("#ToggleStatus").on("click", function () {
document.getElementById('public-logon').style.display = "none";
document.getElementById('public-status').style.display = "block";
});
});
</script>
@endsection
Step 24. Install Composer
sudo wget https://getcomposer.org/composer-stable.phar
sudo mv composer-stable.phar /usr/bin/composer
sudo chmod +x /usr/bin/composer
Step 25. Validate & Fix: system repair
./validate.php
Enter Y to confirm the fix (Attempt to automatically fix)
sudo chown -R librenms:librenms /opt/librenms
sudo setfacl -d -m g::rwx /opt/librenms/rrd /opt/librenms/logs /opt/librenms/bootstrap/cache/ /opt/librenms/storage/
sudo chmod -R ug=rwX /opt/librenms/rrd /opt/librenms/logs /opt/librenms/bootstrap/cache/ /opt/librenms/storage/
Step 26. Troubleshooting
su - librenms
/opt/librenms/scripts/github-remove -d
FAIL: Secure session cookies are not enabled
Fix the "FAIL: Secure session cookies are not enabled" error reported by LibreNMS.
sudo vim /opt/librenms/.env
SESSION_SECURE_COOKIE=true
Cache the configuration and restart the service:
sudo -u librenms /opt/librenms/lnms config:cache
sudo systemctl restart nginx
After completing the steps above, secure session cookies should be enabled and the error resolved.
setcap cap_net_raw+ep /usr/sbin/fping
Step 27. Comprehensive SELinux fixes
Check and configure:
sudo setsebool -P httpd_can_network_connect 1
sudo setsebool -P httpd_can_network_relay 1
sudo semanage fcontext -a -t httpd_sys_rw_content_t "/path/to/directory(/.*)?"
sudo restorecon -R /path/to/directory
sudo semanage permissive -a httpd_t
Temporary test method:
sudo ausearch -m avc -ts recent | audit2allow -m fping_custom > fping_custom.te
sudo checkmodule -M -m -o fping_custom.mod fping_custom.te
sudo semodule_package -o fping_custom.pp -m fping_custom.mod
sudo semodule -i fping_custom.pp
sudo semodule -l | grep fping_custom
fping ::1
sudo systemctl restart nginx.service
sudo systemctl restart snmpd
sudo systemctl restart mariadb
sudo ausearch -m avc -ts recent
Use the validate.php script to make sure your LibreNMS configuration is correct.
su - librenms
./validate.php
Step 28. Advanced MariaDB performance tuning
sudo vim /etc/my.cnf.d/mariadb-server.cnf and add under [mysqld]:
collation-server=utf8mb4_unicode_ci
character-set-server=utf8mb4
innodb_file_format=Barracuda
innodb_large_prefix=1
innodb_doublewrite=OFF
max_heap_table_size=128M
tmp_table_size=128M
join_buffer_size=20M
sort_buffer_size=2M
innodb_buffer_pool_size=2048M
innodb_flush_log_at_timeout=3
innodb_read_io_threads=32
innodb_write_io_threads=16
innodb_io_capacity=5000
innodb_io_capacity_max=10000
innodb_buffer_pool_instances=9
Step 29. LibreNMS && Oxidized: backing up network device configurations
dnf install ruby ruby-devel make cmake which sqlite-devel openssl-devel libssh2-devel gcc libicu-devel gcc-c++ redhat-rpm-config
useradd -m -d /home/oxidbackup oxidbackup
passwd oxidbackup
su - oxidbackup
gem install oxidized oxidized-web
dnf erase ruby
dnf install gnupg2 wget curl -y
curl -sSL https://get.rvm.io | bash