Munkireport-PHP on Ubuntu 16.04 w/ SQL
After deciding Docker wasn't a direction I wanted to head infrastructure wise I decided to pursue Ubuntu host... but I also wanted to update the infrastructure, so I decided to pursue an option like this:
- Ubuntu 16.04
- PHP 7
- Non-local SQL
I've cited him once and I'll do it again: Clayton Burlison has a great blog post on such a thing for Ubuntu 14.04 (less the non-local db), which was the basic outline I used to move forward with this project.
The Setup
Lesson: 14.04 ≠ 16.04 (What's New in Ubuntu 16.04)
Base OS
- Ubuntu 16.04 Server
- 2GB RAM
- 2 Cores
- ssh
The Pieces
PHP
[code language="bash"]apt-get install nginx php7.0-fpm php7.0-mysql php7.0-xml[/code]
- php7.0-mysql
- php7.0-fpm
- php7.0-xml
- nginx
  - Web Server
- php7.0-ldap
  - If you want to tie in LDAP/AD
  - I haven't got this working 100%
  - (and may not, depends on other workload items)
Modify php.ini, changing cgi.fix_pathinfo=1 to cgi.fix_pathinfo=0. With the setting at 1 (the default), PHP-FPM will walk back a request path like /uploads/file.jpg/x.php until it finds a real file and execute it, so a non-PHP upload could be run as PHP unless nginx guards every .php location; 0 makes PHP execute only the exact script nginx hands it.
[code language="php" collapse="true" title="/etc/php/7.0/fpm/php.ini selection"]
; cgi.fix_pathinfo provides *real* PATH_INFO/PATH_TRANSLATED support for CGI. PHP's
; previous behaviour was to set PATH_TRANSLATED to SCRIPT_FILENAME, and to not grok
; what PATH_INFO is. For more information on PATH_INFO, see the cgi specs. Setting
; this to 1 will cause PHP CGI to fix its paths to conform to the spec. A setting
; of zero causes PHP to behave as before. Default is 1. You should fix your scripts
; to use SCRIPT_FILENAME rather than PATH_TRANSLATED.
; http://php.net/cgi.fix-pathinfo
cgi.fix_pathinfo=0
[/code]
It's buried deep down in that config somewhere; you're just going to have to search for it...
Restart PHP
[code language="bash"]systemctl restart php7.0-fpm[/code]
NGINX
Certificates
I am not going to dig into certs; plenty of others have done a far better job than I could. Here is a great reference article specifically on what we will be doing:
How To Secure Nginx with Let's Encrypt on Ubuntu 16.04
You don't have to use Let's Encrypt, obviously. Hopefully, if you are doing this for your Org, you have a CA and you can do everything by the books that way.
Config
Modify /etc/nginx/sites-enabled/default
The following configuration serves Munkireport over https and redirects http to https.
[code language="text" collapse="true" title="/etc/nginx/sites-enabled/default"]
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    return 301 https://$host$request_uri;
}

server {
    server_name munkireport;
    listen 443 ssl;

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
    ssl_prefer_server_ciphers on;
    ssl_dhparam /etc/nginx/ssl/dhparam.pem;
    ssl_certificate /etc/nginx/ssl/nginx.crt;
    ssl_certificate_key /etc/nginx/ssl/nginx.key;

    root /usr/share/nginx/html/report;
    index index.php index.html index.htm;

    error_page 404 /404.html;
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root /usr/share/nginx/html/report;
        try_files $uri $uri/ =404;
    }

    location ~ \.php$ {
        try_files $uri =404;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass unix:/var/run/php/php7.0-fpm.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}
[/code]
Note: change server_name to match your host, and, since we are on 16.04 / PHP 7, make sure fastcgi_pass points at the PHP 7 socket rather than the old php5-fpm one:
[code language="text"]fastcgi_pass unix:/var/run/php/php7.0-fpm.sock;[/code]
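As an added example (this is not the config from the original post, only a variant of its TLS lines), here is the same server block with the two legacy protocol versions dropped. It assumes the stock Ubuntu 16.04 nginx and OpenSSL packages; the paths and cipher string are the ones used above.

```nginx
# Added example, not the post's own config: TLS portion of the
# /etc/nginx/sites-enabled/default server block with TLS 1.0/1.1 removed.
server {
    server_name munkireport;
    listen 443 ssl;

    # Post's setting was:  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    # TLS 1.0 and 1.1 are deprecated and every supported macOS client
    # (the munki hosts checking in) speaks 1.2. TLSv1.3 can be appended
    # only on nginx >= 1.13 built against OpenSSL 1.1.1, which the stock
    # 16.04 packages are not; `nginx -t` rejects an unknown version.
    ssl_protocols TLSv1.2;
    ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
    ssl_prefer_server_ciphers on;
    ssl_dhparam /etc/nginx/ssl/dhparam.pem;
    ssl_certificate /etc/nginx/ssl/nginx.crt;
    ssl_certificate_key /etc/nginx/ssl/nginx.key;

    # Session cache: client check-ins resume instead of doing a full
    # handshake every time.
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1d;

    # Port 80 already 301s to https; HSTS tells browsers to skip the
    # plaintext hop next time. `always` sends it on error pages too.
    add_header Strict-Transport-Security "max-age=31536000" always;

    # root, index, error_page and the .php location block are unchanged
    # from the post's config above.
}
```

After editing, run the same `nginx -c /etc/nginx/nginx.conf -t` check the post uses later before reloading; an unsupported protocol name fails there rather than at runtime.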
Configuring Munkireport
Install
[code language="bash"]sudo git clone https://github.com/munkireport/munkireport-php /usr/share/nginx/html/report[/code]
I followed suit with Clayton's guide and linked munkireport for easier access as admin, completely optional:
[code language="bash"]sudo ln -s /usr/share/nginx/html/report ~/report[/code]
Config
The main config file for munki report is located here: /usr/share/nginx/html/report/config.php (not config_default)
You can find various customizations you can do in Munkireport on the wiki. I chose these configurations to start with:
Server (required)
[code language="php"]
$conf['index_page'] = 'index.php?';
$conf['sitename'] = 'MunkiReport';
$conf['allow_migrations'] = FALSE;
$conf['debug'] = TRUE;
// Your time zone; valid identifiers are listed at http://php.net/manual/en/timezones.php
// (date_default_timezone_get() takes no arguments, so the zone is set as a plain string here)
$conf['timezone'] = 'America/Los_Angeles';
$conf['vnc_link'] = "vnc://%s:5900"; // standard vnc port
$conf['ssh_link'] = "ssh://admin@%s"; // your local admin name
ini_set('session.cookie_lifetime', 43200);
$conf['locale'] = 'en_US';
$conf['lang'] = 'en';
$conf['keep_previous_displays'] = TRUE;
[/code]
I won't delve into this too deep.
- Change the local admin you want to ssh into your machines as; replace admin.
- You can find proper formatting for your timezone here.
- Toggle whatever else; cookie length, previous displays, it is all preferential.
Authorized Users (required)
This is the default setting:
[code language="php"]
/*
|===============================================
| Authorized Users of Munki Report
|===============================================
| Visit http://yourserver.example.com/report/index.php?/auth/generate
| to generate additional local values
*/
$auth_config['root'] = '$P$BUqxGuzR2VfbSvOtjxlwsHTLIMTmuw0'; // Password is root
[/code]
As noted above, you can generate a user/hashed password pair here:
[code language="text"]
http://yourserver.example.com/report/index.php?/auth/generate
[/code]
But remember we did two things: 1. redirected to 443 and 2. changed the root of the site, so the URL would actually look like this:
[code language="text"]
https://yourserver.example.com/index.php?/auth/generate
[/code]
Enable Modules
For this I essentially said "yes" to all in testing to see what I actually wanted in production:
[code language="php"]
/*
Enabled Modules
*/
$conf['modules'] =
array('ard','bluetooth','certificate','crashplan','directory_service','disk_report','displays_info','filevault_status','installhistory','inventory','localadmin','location','munkiinfo','munkireport','network','power','printer','profile','security','service','warranty','wifi');
[/code]
You can also view all default available modules on the wiki.
Database Info
These will all be specific to your remote db:
- yourhost
- db_name
- db_user
- db_user_password
[code language="php"]
/*
Database Info
*/
$conf['pdo_dsn'] = 'mysql:host=yourhost;dbname=db_name';
$conf['pdo_user'] = 'db_user';
$conf['pdo_pass'] = 'db_user_password';
$conf['pdo_opts'] = array(PDO::MYSQL_ATTR_INIT_COMMAND => 'SET NAMES utf8');
[/code]
Optional: install mysql-client and check the connection to the db. This was helpful to see why I couldn't initially connect, whether it was server side or db side.
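The mysql client proves the network path and the account, but not that PHP's PDO driver and the init command work. The script below is an added example (not part of the original post or of munkireport-php) that opens the connection with the very same $conf keys from config.php; yourhost, db_name, db_user and db_user_password are the same placeholders as above.

```php
<?php
// Added example, not MunkiReport code: open the db exactly the way
// config.php tells MunkiReport to, and say which stage failed.
// Placeholder values, identical to the Database Info block above.
$conf = array();
$conf['pdo_dsn']  = 'mysql:host=yourhost;dbname=db_name';
$conf['pdo_user'] = 'db_user';
$conf['pdo_pass'] = 'db_user_password';
$conf['pdo_opts'] = array(PDO::MYSQL_ATTR_INIT_COMMAND => 'SET NAMES utf8');

// Array union keeps MunkiReport's option and adds exception mode so a
// failure throws instead of returning false somewhere down the line.
$opts = $conf['pdo_opts'] + array(PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION);

try {
    $pdo = new PDO($conf['pdo_dsn'], $conf['pdo_user'], $conf['pdo_pass'], $opts);

    // Round-trip a query and confirm the SET NAMES init command took effect.
    $version = $pdo->query('SELECT VERSION()')->fetchColumn();
    $row = $pdo->query("SHOW VARIABLES LIKE 'character_set_connection'")
               ->fetch(PDO::FETCH_ASSOC);

    printf("Connected: MySQL %s, connection charset %s\n", $version, $row['Value']);
    exit(0);
} catch (PDOException $e) {
    // The MySQL error number in the message tells you which side to look at:
    //   2002 = host unreachable (firewall, bind-address, wrong host)
    //   1045 = reached the server, credentials/grants rejected
    //   1049 = logged in, but that database name does not exist
    fwrite(STDERR, "Connection failed: " . $e->getMessage() . "\n");
    exit(1);
}
```

Run it on the web host as `php check_db.php` (needs php7.0-mysql, already installed above) so it exercises the same route the nginx/PHP-FPM box will use, not your workstation's.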
Apps to Track
Again these are completely preferential...
[code language="php"]
/*
Apps to track
*/
$conf['apps_to_track'] = array(
    'Safari', 'Firefox', 'Google Chrome', 'Java', '1Password', 'Adobe Reader',
    'Numbers', 'Keynote', 'Pages', 'Microsoft Remote Desktop', 'Microsoft Excel',
    'Microsoft Outlook', 'Microsoft PowerPoint', 'Microsoft Word'
);
[/code]
Aside-
- I had never tinkered with this too much before this iteration of munkireport, but I decided to insert some applications I was not pushing out, and unfortunately it works for anything in Applications, so I saw some things I didn't want to see... but that's the admin life, right?
IP Ranges/Vlans
Predefining these ranges allows for better graphing in the network reports. It isn't needed, but it is nice for an overview of the fleet. I won't delve into that; you can see more in the modules portion of the wiki.
NGINX Settings
[code language="bash"]sudo nano /etc/nginx/nginx.conf[/code]
Find "default_type application/octet-stream;" and comment that out.
To test nginx config,
[code language="bash"]nginx -c /etc/nginx/nginx.conf -t[/code]
Client
Enroll
Remember your modified url differs from the "default" in more than just domain. On the client you can run:
[code language="bash"]sudo /bin/bash -c "$(curl -s https://example.com/index.php?/install)"[/code]
And once you get it working how you like, you can just create an installable package from the same location:
[code language="bash"]bash -c "$(curl http://example.com/index.php?/install)" bash -i ~/Desktop[/code]
This places an installer package with the current version on your Desktop, from there you can modify or deploy as needed.
Report/Check In†
To check if the reporting functionality is working you could run managedsoftwareupdate, or, as I did, just call the postflight script directly:
[code language="bash"]/usr/local/munki/postflight[/code]
Thoughts:
- †php7.0-xml, whoops
  - When I first did the install everything seemed to work until we got to the /postflight and the client would be unable to report back to the server
  - Realized, hey, we needed this. tbh I don't know if it was an oversight or just a blatant functionality change. I'll yield the floor to someone more wise than myself.
- SQL Cluster
  - Before, munkireport sitting on an OS X server set up "out of the box" was great, but this allows for replication of the db, which is 1. nice to say we have and 2. also nice if something were ever to happen to the location/machine it's running on
- 16.04 Patches / Landscape
  - If you use a patch management system, such as Landscape, this is an incredible time saver when patching vms en masse.
  - Anyone who's operated a server on macOS before knows how much fun patching can be, and that many times iTunes is a needed update. /me eyeroll
- I did it for the green lock.
  - SSL! Kapaow! Was a big reason I set out to do this. NGINX made it easy, and it's super nice to have.
- No more upstart.
Final Question:
Why not just run it in Docker?
- This is strictly my opinion... but a couple variables.
- My environment
  - Being used to using Ubuntu and having a patch management system, it was nice to keep it "the same" even though it's one of the first 16.04 servers
- My time commitment
  - I tried to learn Docker and I, kind of, got it, ish. It just wasn't in the cards.
  - YES, super easy to set up. Bleep-boop, pull, run, and you're all set. But to be honest, I need it to fit into a box, be easy to maintain, and not something I had to research to try and troubleshoot (for now).
Resources Mentioned
How To Secure Nginx with Let's Encrypt on Ubuntu 16.04
Apache vs Nginx: Practical Considerations:
tldr; In the end, there is no one-size-fits-all web server, so use the solution that best aligns with your objectives.
Shout out to Jeff who helped a ton with this, you sir, are a cert wizard.