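iTop 2.7 Installation Notes

As of this writing, the latest iTop version is 2.7. This post records the installation process. The official installation documentation is on the iTop wiki. This installation was done on a Raspberry Pi 4B running Ubuntu 19.10.

Hardware and software requirements

The minimum hardware requirements given in the official documentation are shown in the table below.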

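| Tickets created per month | Console users | CMDB: CIs | Servers | CPU | Memory | Disk for MySQL |
|---|---|---|---|---|---|---|
| 200 | < 20 | 50k | An all in one server | 2vCPU | 4Gb | 10Gb |
| < 5000 | < 50 | 200k | Two servers: Web + MySQL | 4vCPU | 8Gb | 20Gb |
| > 5000 | > 50 | > 200k | Two servers: Web + MySQL | 8vCPU | 16Gb | 50Gb |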
iTop hardware requirements

iTop is a PHP and MySQL application and has the following software requirements:

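  • A web server such as Nginx or Apache
  • Graphviz, used to display impact analysis diagrams
  • Required PHP modules: ctype, dom, iconv, json, mysqli, soap
  • php-gd is optional, but it must be installed if you want to upload and resize images with CKEditor.
  • A fresh 2.7 installation uses Sodium as the default encryption algorithm; to use another encryption method, install the corresponding module.
  • The minimum database version is MySQL 5.6 or MariaDB 10.1; MariaDB 10.3 or MySQL 5.7 is recommended. MySQL 8 works but is not recommended if you have high volumes of data.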
  • Galera clusters with multiple masters are NOT supported by iTop, because such clusters do not properly implement the GET_LOCK MySQL function

Installing dependencies

PHP

apt install php7.3 php7.3-fpm php7.3-xml php7.3-mysql php7.3-soap php7.3-ldap php7.3-zip php7.3-json php7.3-mbstring php7.3-gd graphviz

For PHP parameter tuning, see reference 4. Recommended setting:

memory_limit = 256M

MySQL

apt install mysql-server mysql-client

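Initialize MySQL with the commands below. The main point is to put the data directory on a disk with enough space and fast enough I/O (I installed on a Raspberry Pi and at first put datadir on a USB flash drive, which made everything slow: compiling the data model was slow or even failed, and updating the database never succeeded at all, always ending in a 504; see this post).

# If apparmor is in use, the new directory must be added to its list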
# cat /etc/apparmor.d/usr.sbin.mysqld |grep data
# Allow data dir access
  /data/mysql/ r,
  /data/mysql/** rwk,
mysqld --initialize --user=mysql --datadir /data/mysql

The default MySQL version on Ubuntu 19.10 is 8. Set the password as follows, using the mysql_native_password method.

ALTER USER 'root'@'localhost' IDENTIFIED WITH mysql_native_password BY 'test';

Recommended settings in /etc/alternatives/my.cnf:

  innodb_buffer_pool_size = 512M
  query_cache_size = 32M
  query_cache_limit = 1M

Nginx configuration

Nginx must be configured with path_info, which the Portal needs.

	fastcgi_connect_timeout 300s;
	fastcgi_send_timeout 300s;
	fastcgi_read_timeout 300s;

	include enable-php-pathinfo.conf;

enable-php-pathinfo.conf contains:

        location ~ [^/]\.php(/|$)
        {
            fastcgi_pass  unix:/tmp/php-fpm.sock;
            fastcgi_index index.php;
            include fastcgi.conf;
            include pathinfo.conf;
        }

pathinfo.conf:

fastcgi_split_path_info ^(.+?\.php)(/.*)$;
set $path_info $fastcgi_path_info;
fastcgi_param PATH_INFO       $path_info;
try_files $fastcgi_script_name =404;

APCu

If you are using APCu on multiple instances, after a Move To Production, the cache must be cleared on all instances. As we have no tools for doing this, practically speaking this means:

  • either restart all web servers
  • or do not use APCu

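Installing iTop

Interactive installation

The latest iTop version can be downloaded from SourceForge. Download it, extract it into the web directory, set the correct permissions, and then open domain/setup/ in a browser to start the installation.

Automated installation

See the official documentation.

Background tasks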

In order to operate properly, iTop maintenance operations and asynchronous tasks must be executed on a regular basis. In order to ease the installation, all the background tasks have been grouped to be launched from a single file: webservices/cron.php

The following features rely on the activation of cron.php

  • Notification when a ticket reaches a threshold (TTO/TTR) will not happen unless this web service is called. (Task: CheckStopWatchThresholds)
  • Check ticket SLA. Tickets reaching the limits will be passed into Escalation TTO/TTR states.
  • Automated Backups.
  • Automatic deletion of useless attachments and in-line images, created during an object creation or edition which was cancelled (Task: InlineImageGC which runs hourly)
  • Asynchronous emails. By default, this option is disabled. To enable it, set 'email_asynchronous' to 1 in the configuration file (Task: ExecAsyncTask)
  • Many Extensions rely on this cron as well, for example: Ticket Creation from Email, Approval Automation, Communication to Customers,…

Add the following to crontab:

*/5 * * * * www-data /usr/bin/php /var/www/html/itop/webservices/cron.php --param_file=/etc/itop-cron.params >>/var/log/itop-cron.log 2>&1

Since the arguments passed to cron.php on the command line are visible to other users on the system, a recommended practice is to move all the sensitive parameters away from the command line. This is the purpose of the “parameter file”. The param_file looks like this:

# This is a parameter file
#
# If a parameter is given both in the file and in the arguments,
# then the value given as argument is retained
#
 
# Authentication
auth_user = qwertyuiop
auth_pwd = ded!catedL0g1n
 
# My web service
size_min = 20 # Megabytes
time_limit = 40 # Minutes

Some cron-related settings in the configuration file that are worth attention:

  • cron_max_execution_time: Duration (seconds) of the page cron.php, must be shorter than php setting max_execution_time and shorter than the web server response timeout
  • cron_sleep: Duration (seconds) before cron.php checks again if something must be done
  • email_asynchronous: If set to 1, the emails are sent off line, which requires cron.php to be activated. Exception: some features like the email test utility will force the serialized mode

Security settings

Access restrictions for critical directories

The following directories must be denied to web users:

  • conf : directory and all of its content
  • data : directory and all of its content
  • datamodels : allow only files having one of those extensions : css|scss|js|map|png|bmp|gif|jpe?g|svg|tiff|woff2?|ttf|eot|html
  • env-* : allow only files having one of those extensions : css|scss|js|map|png|bmp|gif|jpe?g|svg|tiff|woff2?|ttf|eot|html
  • extensions : allow only files having one of those extensions : css|scss|js|map|png|bmp|gif|jpe?g|svg|tiff|woff2?|ttf|eot|html
  • lib : directory and all of its content
  • log : directory and all of its content

You should also prevent directory listing.

Use HTTPS

You should serve your pages only using the https protocol.

As stated by Wikipedia: it protects against man-in-the-middle attacks. The bidirectional encryption of communications between a client and server protects against eavesdropping and tampering of the communication.

Preventing session theft

While PHP default configuration is quite relevant from a security point of view, it can be enhanced: you should change the default value for those entries:

  • session.cookie_httponly: In order to prevent malicious JavaScript code from sniffing the user's session, you should enable session.cookie_httponly
  • session.cookie_secure: If you use https, you should enable this directive so cookies are only sent over secure connections

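Additional HTTP headers

Although they are not as critical as the settings above, you can configure these HTTP headers in the web server to add an extra layer of security. Because this page tries to stay simple, the headers mentioned here can usually be tuned to be stricter.

  • Strict-Transport-Security set to "max-age=63072000; includeSubdomains;" env=HTTPS, which forces the use of HTTPS
  • X-Frame-Options set to "sameorigin". This indicates whether or not a browser should be allowed to render a page in a <frame>, <iframe>, <embed> or <object>. (This one will probably matter when you need to embed Grafana or the Kubernetes Dashboard.)
  • X-Content-Type-Options set to "nosniff". This allows opting out of MIME type sniffing (the MIME types advertised in the Content-Type headers should not be changed).
  • Content-Security-Policy helps detect and mitigate cross-site scripting (XSS) and data injection attacks.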
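
The directory restrictions and the headers listed above, written for the Nginx setup used earlier on this page. This is an added example, not configuration from the iTop documentation or from the original post; it assumes iTop is the document root of the HTTPS server block (prefix the patterns if it lives under a subdirectory such as /itop/), and it leaves Content-Security-Policy out because the page gives no value for it.

```nginx
# Added example: place inside the HTTPS server { } block, in place of the
# bare "include enable-php-pathinfo.conf;" line shown earlier.

autoindex off;    # no directory listings (also the Nginx default)

# "always" sends the header on error responses too. The env=HTTPS part of
# the Apache-style value has no Nginx equivalent: keeping these lines in
# the HTTPS server block has the same effect.
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains;" always;
add_header X-Frame-Options "sameorigin" always;
add_header X-Content-Type-Options "nosniff" always;

# Regex locations are tried in file order and the first match wins, so
# the rules below must come BEFORE the generic PHP location. Otherwise a
# request such as /conf/config-itop.php is handed to PHP-FPM first.

# conf, data, lib, log: nothing is served.
location ~ ^/(conf|data|lib|log)(/|$) {
    deny all;
}

# datamodels, env-*, extensions: static assets only. try_files serves the
# file itself or returns 404, so a path like /env-x/a.php/b.css is never
# passed to PHP-FPM through the path_info split.
location ~* ^/(datamodels|env-[^/]+|extensions)/.*\.(css|scss|js|map|png|bmp|gif|jpe?g|svg|tiff|woff2?|ttf|eot|html)$ {
    try_files $uri =404;
}

# Anything else inside those three trees is refused.
location ~ ^/(datamodels|env-[^/]+|extensions)(/|$) {
    deny all;
}

# The PHP handler from this page, last so the rules above take priority.
include enable-php-pathinfo.conf;
```

Note that add_header is inherited by a location only when that location defines no add_header of its own, so a header added inside one of these locations would drop the three set above for that location.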

References

1. https://www.itophub.io/wiki/page?id=2_7_0%3Ainstall%3Astart
2. https://www.itophub.io/wiki/page?id=2_7_0%3Ainstall%3Ainstalling_itop
3. https://www.itophub.io/wiki/page?id=2_7_0%3Afeature%3Aencrypt_data
4. https://www.itophub.io/wiki/page?id=2_7_0%3Ainstall%3Aphp_and_mysql_configuration#mysql_recommandations
5. https://www.itophub.io/wiki/page?id=2_7_0%3Ainstall%3Asecurity
6. https://www.itophub.io/wiki/page?id=2_7_0%3Aadvancedtopics%3Aautomatic_install
7. https://www.itophub.io/wiki/page?id=2_7_0%3Aadmin%3Acron
