Munkireport-PHP on Ubuntu 16.04 w/ SQL

Overview

After deciding Docker wasn’t the direction I wanted to head infrastructure-wise, I decided to pursue an Ubuntu host… but I also wanted to update the infrastructure, so I settled on an option like this:

  • Ubuntu 16.04
  • PHP 7
  • Non-local SQL

I’ve cited him once and I’ll do it again: Clayton Burlison has a great blog post on such a thing for Ubuntu 14.04 (minus the non-local db), which was the basic outline I used to move forward with this project.

The Setup

Lesson: 14.04 ≠ 16.04 (What’s New in Ubuntu 16.04)

Base OS

  • Ubuntu 16.04 Server
  • 2GB RAM
  • 2 Cores
  • ssh

The Pieces

PHP

apt-get install nginx php7.0-fpm php7.0-mysql php7.0-xml
  • php7.0-mysql
  • php7.0-fpm
  • php7.0-xml
  • nginx
    • Web Server
  • php7.0-ldap
    • If you want to tie in LDAP/AD
    • I haven’t got this working 100%
    • (and may not, depends on other workload items)

Modify php.ini: change cgi.fix_pathinfo=1 to cgi.fix_pathinfo=0

; cgi.fix_pathinfo provides *real* PATH_INFO/PATH_TRANSLATED support for CGI. PHP's
; previous behaviour was to set PATH_TRANSLATED to SCRIPT_FILENAME, and to not grok
; what PATH_INFO is. For more information on PATH_INFO, see the cgi specs. Setting
; this to 1 will cause PHP CGI to fix its paths to conform to the spec. A setting
; of zero causes PHP to behave as before. Default is 1. You should fix your scripts
; to use SCRIPT_FILENAME rather than PATH_TRANSLATED.
; http://php.net/cgi.fix-pathinfo
cgi.fix_pathinfo=0

It’s buried deep down in that config somewhere, you’re just going to have to search for it…

Restart PHP

systemctl restart php7.0-fpm

NGINX

Certificates

I am not going to dig into certs, plenty of others have done a far better job than I could, here is a great reference article specifically on what we will be doing:

How To Secure Nginx with Let’s Encrypt on Ubuntu 16.04

You don’t have to use Let’s Encrypt obviously, hopefully if you are doing this for your Org you have a CA and you can do everything by the books that way-

Config

Modify /etc/nginx/sites-enabled/default

The following configuration serves Munkireport over https and redirects http to https.

server {
    listen 80 default_server;
    listen [::]:80 default_server;
    return 301 https://$host$request_uri;
}

server {
    server_name munkireport;
    listen 443 ssl;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
    ssl_prefer_server_ciphers on;
    ssl_dhparam /etc/nginx/ssl/dhparam.pem;
    ssl_certificate /etc/nginx/ssl/nginx.crt;
    ssl_certificate_key /etc/nginx/ssl/nginx.key;
    root /usr/share/nginx/html/report;
    index index.php index.html index.htm;
    error_page 404 /404.html;
    error_page 500 502 503 504 /50x.html;

    location = /50x.html {
        root /usr/share/nginx/html/report;
        try_files $uri $uri/ =404;
    }
    location ~ \.php$ {
        try_files $uri =404;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass unix:/var/run/php/php7.0-fpm.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}

Note: change server_name to match your host. Also, since we are on 16.04 / PHP 7, make sure fastcgi_pass points at the php7.0-fpm socket:

fastcgi_pass unix:/var/run/php/php7.0-fpm.sock;
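As an added example (not from the original post or the Munkireport project), a small shell script that checks the two pieces just configured: that cgi.fix_pathinfo is really an active 0 in the FPM php.ini (assumed to live at /etc/php/7.0/fpm/php.ini on 16.04), and that the PHP location in the nginx site keeps try_files $uri =404 and points at the php7.0-fpm socket. The redirect check needs a running server and is optional.

```shell
#!/bin/bash
# Added example, not from the original post: sanity checks for the php.ini
# and nginx pieces above. Each check takes the file to inspect as an argument,
# so it can run against the live files (assumed: /etc/php/7.0/fpm/php.ini and
# /etc/nginx/sites-enabled/default) or against a copy.

# cgi.fix_pathinfo must be an active, uncommented line set to 0.
check_fix_pathinfo() {
    grep -Eq '^[[:space:]]*cgi\.fix_pathinfo[[:space:]]*=[[:space:]]*0[[:space:]]*$' "$1"
}

# The PHP location must hand off to the PHP 7 socket, not a PHP 5 one
# carried over from a 14.04 guide.
check_fpm_socket() {
    grep -Eq '^[[:space:]]*fastcgi_pass[[:space:]]+unix:/var/run/php/php7\.0-fpm\.sock;' "$1"
}

# The PHP location must keep "try_files $uri =404;" so a request for a
# .php path that does not exist is refused instead of being passed to php-fpm.
check_try_files() {
    sed -n '/location ~ \\\.php\$/,/}/p' "$1" | grep -q 'try_files \$uri =404;'
}

# Live check (needs curl and a running server): plain http must answer with
# the 301 to https from the first server block.
check_redirect() {
    [ "$(curl -s -o /dev/null -w '%{http_code}' "http://$1/")" = "301" ]
}

# run_checks PHP_INI NGINX_SITE [HOST] -> one line per check, non-zero on any failure.
run_checks() {
    local rc=0
    check_fix_pathinfo "$1" && echo "ok   cgi.fix_pathinfo=0" || { echo "FAIL cgi.fix_pathinfo"; rc=1; }
    check_fpm_socket "$2"   && echo "ok   php7.0-fpm socket"  || { echo "FAIL fastcgi_pass socket"; rc=1; }
    check_try_files "$2"    && echo "ok   try_files =404"     || { echo "FAIL try_files"; rc=1; }
    if [ -n "${3-}" ]; then
        check_redirect "$3" && echo "ok   http -> https"      || { echo "FAIL http redirect"; rc=1; }
    fi
    return $rc
}

if [ "$#" -ge 2 ]; then
    run_checks "$@"
fi
```

Run it as `./mr_check.sh /etc/php/7.0/fpm/php.ini /etc/nginx/sites-enabled/default munkireport.example.com` after `nginx -t` passes.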

Configuring Munkireport

Install

sudo git clone https://github.com/munkireport/munkireport-php /usr/share/nginx/html/report

I followed suit with Clayton’s guide and linked munkireport for easier access as admin; completely optional:

sudo ln -s /usr/share/nginx/html/report ~/report

Config

The main config file for Munkireport is located at /usr/share/nginx/html/report/config.php (not config_default).

You can find various customizations you can do in Munkireport on the wiki. I chose these configurations to start with:

Server (required)

$conf['index_page'] = 'index.php?';
$conf['sitename'] = 'MunkiReport';
$conf['allow_migrations'] = FALSE;
$conf['debug'] = TRUE;
$conf['timezone'] = 'America/Los_Angeles'; // your time zone, see http://php.net/manual/en/timezones.php
$conf['vnc_link'] = "vnc://%s:5900"; // standard vnc port
$conf['ssh_link'] = "ssh://admin@%s"; // your local admin name
ini_set('session.cookie_lifetime', 43200);
$conf['locale'] = 'en_US';
$conf['lang'] = 'en';
$conf['keep_previous_displays'] = TRUE;

I won’t delve into this too deep.

  • Change the local admin you want to ssh into your machines as, replace admin.
  • You can find proper formatting for your timezone here.
  • Toggle whatever else, cookie length, previous display is all preferential.

Authorized Users (required)

This is the default setting:

/*
|===============================================
| Authorized Users of Munki Report
|===============================================
| Visit http://yourserver.example.com/report/index.php?/auth/generate to generate additional local values
*/
$auth_config['root'] = '$P$BUqxGuzR2VfbSvOtjxlwsHTLIMTmuw0'; // Password is root

As noted above, you can generate a user/password hash here:

http://yourserver.example.com/report/index.php?/auth/generate

But remember we did two things: 1. redirected http to 443 and 2. changed the root of the site, so the URL would actually look like this:

https://yourserver.example.com/index.php?/auth/generate

Enable Modules

For this I essentially said “yes” to all in testing to see what I actually wanted in production:

/*
Enabled Modules
*/
$conf['modules'] = array('ard','bluetooth','certificate','crashplan','directory_service','disk_report','displays_info','filevault_status','installhistory','inventory','localadmin','location','munkiinfo','munkireport','network','power','printer','profile','security','service','warranty','wifi');

You can also view all default available modules on the wiki.

Database Info

These will all be specific to your remote db:

  • yourhost
  • db_name
  • db_user
  • db_user_password

/*
Database Info
*/
$conf['pdo_dsn'] = 'mysql:host=yourhost;dbname=db_name';
$conf['pdo_user'] = 'db_user';
$conf['pdo_pass'] = 'db_user_password';
$conf['pdo_opts'] = array(PDO::MYSQL_ATTR_INIT_COMMAND => 'SET NAMES utf8');

Optional: install mysql-client and check the connection to the db. This was helpful to see why I couldn’t initially connect, whether it was server side or db side.
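As an added example (not from the original post or the Munkireport project), a shell script that reads the pdo_* values out of config.php, makes the same connection with the mysql client, and tells you which side the failure is on. It assumes mysql-client is installed and that config.php keeps the single-quoted $conf[...] lines shown above.

```shell
#!/bin/bash
# Added example, not from the original post: read the pdo_* values out of
# config.php, make the same connection with the mysql client, and say whether
# a failure is on the web-server side (host unreachable) or the db side
# (credentials, missing database). Assumes mysql-client is installed.

# conf_value KEY FILE -> prints the single-quoted value of $conf['KEY'].
conf_value() {
    sed -n "s/^\\\$conf\['$1'\] *= *'\([^']*\)'.*/\1/p" "$2"
}

# parse_dsn FILE -> prints "host dbname" from mysql:host=...;dbname=...
parse_dsn() {
    local dsn host db
    dsn=$(conf_value pdo_dsn "$1")
    dsn=${dsn#mysql:}
    host=$(printf '%s\n' "$dsn" | tr ';' '\n' | sed -n 's/^host=//p')
    db=$(printf '%s\n' "$dsn" | tr ';' '\n' | sed -n 's/^dbname=//p')
    printf '%s %s\n' "$host" "$db"
}

# classify_error "<mysql stderr>" -> which side the problem is on. The numbers
# are the mysql client's own: 2003 cannot reach the server, 1045 access
# denied, 1049 unknown database.
classify_error() {
    case "$1" in
        "")             echo "ok: connected and ran SELECT 1" ;;
        *"ERROR 2003"*) echo "server side: host not reachable on 3306 (firewall, bind-address, wrong host)" ;;
        *"ERROR 1045"*) echo "db side: credentials rejected (pdo_user/pdo_pass, or no grant for this client)" ;;
        *"ERROR 1049"*) echo "db side: database does not exist (dbname in pdo_dsn)" ;;
        *)              echo "unknown: $1" ;;
    esac
}

# test_db CONFIG_PHP -> runs SELECT 1 with the configured credentials.
test_db() {
    local cfg="$1" host db user pass err
    host=$(parse_dsn "$cfg" | cut -d' ' -f1)
    db=$(parse_dsn "$cfg" | cut -d' ' -f2)
    user=$(conf_value pdo_user "$cfg")
    pass=$(conf_value pdo_pass "$cfg")
    # MYSQL_PWD keeps the password out of ps; keep stderr, discard the query output.
    err=$(MYSQL_PWD="$pass" mysql -h "$host" -u "$user" "$db" -e 'SELECT 1' 2>&1 >/dev/null)
    classify_error "$err"
}

if [ "$#" -eq 1 ]; then
    test_db "$1"   # e.g. test_db /usr/share/nginx/html/report/config.php
fi
```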

Apps to Track

Again these are completely preferential…

/*
Apps to track
*/
$conf['apps_to_track'] = array('Safari','Firefox','Google Chrome','Java','1Password','Adobe Reader','Numbers','Keynote','Pages','Microsoft Remote Desktop','Microsoft Excel','Microsoft Outlook','Microsoft PowerPoint','Microsoft Word');

Aside-

  • I had never tinkered with this too much before this iteration of munkireport, but I decided to insert some applications I was not pushing out, and unfortunately it works for anything in Applications, so I saw some things I didn’t want to see… but that’s the admin life, right?

IP Ranges/Vlans

Predefining these ranges allows for better graphing in the network reports. Again, it isn’t needed, but it is nice for an overview of the fleet. I won’t delve into that; you can see more in the modules portion of the wiki.

NGINX Settings

sudo nano /etc/nginx/nginx.conf

Find “default_type application/octet-stream;” and comment that out.

To test nginx config,

nginx -c /etc/nginx/nginx.conf -t

Client

Enroll

Remember, your modified URL differs from the “default” in more than just the domain. On the client you can run:

sudo /bin/bash -c "$(curl -s https://example.com/index.php?/install)"

And once you get it working how you like you can just create an installable package from the same location:

bash -c "$(curl https://example.com/index.php?/install)" bash -i ~/Desktop

This places an installer package with the current version on your Desktop, from there you can modify or deploy as needed.

Report/Check In†

To check if the reporting functionality is working you could run managedsoftwareupdate, or, what I did, just call the postflight script directly:

/usr/local/munki/postflight

Thoughts:

  • †php7.0-xml, whoops
    • When I first did the install everything seemed to work until we got to the /postflight and the client would be unable to report back to the server
    • Realized, hey, we needed this. tbh I don’t know if it was an oversight or just a blatant functionality change. I’ll yield the floor to someone wiser than myself.
  • SQL Cluster
    • Before, munkireport sitting on an OS X server set up “out of the box” was great, but this allows for replication of the db, which is 1. nice to say we have and 2. also nice if something were ever to happen to the location/machine it’s running on
  • 16.04 Patches / Landscape
    • If you use a patch management system, such as Landscape, this is an incredible time saver when patching VMs en masse.
    • Anyone who’s operated a server on macOS before knows how much fun patching can be, and that many times iTunes is a needed update. /me eyeroll
  • I did it for the green lock.
    • SSL! Kapaow! Was a big reason I set out to do this; NGINX made it easy, and it’s super nice to have.
  • No more upstart.

Final Question:

Why not just run it in Docker?

  • This is strictly my opinion… but a couple of variables.
    • My environment
      • Being used to Ubuntu and having a patch management system, it was nice to keep it “the same” even though it’s one of the first 16.04 servers
    • My time commitment
      • I tried to learn Docker and I, kind of, got it- ish. It just wasn’t in the cards.
      • YES, super easy to set up. Bleep-boop, pull, run, and you’re all set. But to be honest, I need it to fit into a box, be easy to maintain, and not be something I had to research to try and troubleshoot (for now).

Resources Mentioned

What’s New in Ubuntu 16.04

Munkireport-PHP Github

How To Secure Nginx with Let’s Encrypt on Ubuntu 16.04

MySQL 5.7 on 16.04 (local db)

munki-in-a-box

Apache vs Nginx: Practical Considerations:

tldr; In the end, there is no one-size-fits-all web server, so use the solution that best aligns with your objectives.

Shout out to Jeff who helped a ton with this, you sir, are a cert wizard. MERLINREST
