As of this writing, the latest iTop release is 2.7. This post records the installation process; the official installation guide is on the iTop wiki. The installation here was done on a Raspberry Pi 4B running Ubuntu 19.10.
Hardware and software requirements
The minimum hardware requirements given by the official documentation are shown in the table below.
| Tickets created per month | Console users | CMDB: CIs | Servers | CPU | Memory | Disk for MySQL |
|---|---|---|---|---|---|---|
| < 200 | < 20 | < 50k | An all-in-one server | 2 vCPU | 4 GB | 10 GB |
| < 5000 | < 50 | < 200k | Two servers: Web + MySQL | 4 vCPU | 8 GB | 20 GB |
| > 5000 | > 50 | > 200k | Two servers: Web + MySQL | 8 vCPU | 16 GB | 50 GB |
iTop is a PHP and MySQL application and has the following software requirements:
- A web server such as Nginx or Apache
- Graphviz, used to render the impact analysis diagrams
- Required PHP modules: ctype, dom, iconv, json, mysqli, soap
- php-gd is optional, but it is needed if you want to upload and resize images with CKEditor.
- A fresh 2.7 installation uses Sodium as its default encryption library; to use another encryption method, install the corresponding module.
- The minimum database version is MySQL 5.6 or MariaDB 10.1; MariaDB 10.3 or MySQL 5.7 is recommended. MySQL 8 works but is not recommended if you have high volumes of data.
- Galera clusters with multiple masters are NOT supported by iTop, because such clusters do not properly implement the GET_LOCK MySQL function.
Installing the dependencies
PHP
apt install php7.3 php7.3-fpm php7.3-xml php7.3-mysql php7.3-soap php7.3-ldap php7.3-zip php7.3-json php7.3-mbstring php7.3-gd graphviz
For PHP parameter tuning see reference 4. A recommended setting is:
memory_limit = 256M
MySQL
apt install mysql-server mysql-client
Initialize MySQL with the following commands. The main point is to put the data directory on a disk with enough space and fast enough I/O (I installed on a Raspberry Pi and at first put datadir on a USB flash drive, which made everything slow: compiling the data model was slow and sometimes failed, and updating the database never succeeded, always ending in a 504; see this article).
# If AppArmor is in use, the new directory must be added to the MySQL profile
# (check the current entries with: grep data /etc/apparmor.d/usr.sbin.mysqld)
# Allow data dir access
/data/mysql/ r,
/data/mysql/** rwk,
# Then initialize the data directory
mysqld --initialize --user=mysql --datadir /data/mysql
The default MySQL version on Ubuntu 19.10 is 8. Set the root password as follows, using the mysql_native_password plugin.
ALTER USER 'root'@'localhost' IDENTIFIED WITH mysql_native_password BY 'test';
Recommended settings in /etc/alternatives/my.cnf:
innodb_buffer_pool_size = 512M
# query_cache_size and query_cache_limit exist in MySQL 5.7 and MariaDB only;
# MySQL 8.0 removed the query cache and will not start with these variables set
query_cache_size = 32M
query_cache_limit = 1M
Nginx configuration
Nginx must be configured with path_info, which the Portal requires.
fastcgi_connect_timeout 300s;
fastcgi_send_timeout 300s;
fastcgi_read_timeout 300s;
include enable-php-pathinfo.conf;
enable-php-pathinfo.conf contains:
location ~ [^/]\.php(/|$)
{
fastcgi_pass unix:/tmp/php-fpm.sock;
fastcgi_index index.php;
include fastcgi.conf;
include pathinfo.conf;
}
pathinfo.conf:
fastcgi_split_path_info ^(.+?\.php)(/.*)$;   # split /script.php/extra into script and PATH_INFO
set $path_info $fastcgi_path_info;           # save it: the try_files below resets $fastcgi_path_info
fastcgi_param PATH_INFO $path_info;
try_files $fastcgi_script_name =404;         # only hand a .php file to PHP if it actually exists on disk
APCu
If you are using APCu on multiple instances, after a Move To Production the cache must be cleared on all instances. As there is no tool for doing this, practically speaking this means:
- either restart all web servers
- or do not use APCu
Installing iTop
Interactive installation
The latest iTop release can be downloaded from SourceForge. Download and extract it into the web root, set the correct permissions, then open your-domain/setup/ in a browser to start the installer.
Automated installation
See the official documentation (reference 6).
Background tasks
In order to operate properly, iTop maintenance operations and asynchronous tasks must be executed on a regular basis. To ease the installation, all the background tasks have been grouped so they can be launched from a single file: webservices/cron.php
The following features rely on the activation of cron.php:
- Notifications when a ticket reaches a threshold (TTO/TTR) will not happen unless this web service is called. (Task: CheckStopWatchThresholds)
- Check ticket SLA. Tickets reaching the limits will be passed into the Escalation TTO/TTR states.
- Automated backups.
- Automatic deletion of useless attachments and inline images created during an object creation or edit that was cancelled (Task: InlineImageGC, which runs hourly)
- Asynchronous emails. By default this option is disabled. To enable it, set 'email_asynchronous' to 1 in the configuration file (Task: ExecAsyncTask)
- Many extensions rely on this cron as well, for example: Ticket Creation from Email, Approval Automation, Communication to Customers, …
Add the following entry to the crontab:
*/5 * * * * www-data /usr/bin/php /var/www/html/itop/webservices/cron.php --param_file=/etc/itop-cron.params >>/var/log/itop-cron.log 2>&1
Since the arguments passed to cron.php on the command line are visible to other users on the system, the recommended practice is to move all the sensitive parameters away from the command line. This is the purpose of the "parameter file". The parameter file looks like this:
# This is a parameter file
#
# If a parameter is given both in the file and in the arguments,
# then the value given as argument is retained
#
# Authentication
auth_user = qwertyuiop
auth_pwd = ded!catedL0g1n
# My web service
size_min = 20 # Megabytes
time_limit = 40 # Minutes
Cron-related settings in the configuration file that deserve attention:
- cron_max_execution_time: duration (seconds) of the cron.php page; must be shorter than the PHP setting max_execution_time and shorter than the web server response timeout
- cron_sleep: duration (seconds) before cron.php checks again whether something must be done
- email_asynchronous: if set to 1, emails are sent offline, which requires cron.php to be activated. Exception: some features such as the email test utility force the serialized mode
Security settings
Permissions on key directories
Here are the directories that must be denied to web users:
- conf : directory and all of its content
- data : directory and all of its content
- datamodels : allow only files having one of those extensions : css|scss|js|map|png|bmp|gif|jpe?g|svg|tiff|woff2?|ttf|eot|html
- env-* : allow only files having one of those extensions : css|scss|js|map|png|bmp|gif|jpe?g|svg|tiff|woff2?|ttf|eot|html
- extensions : allow only files having one of those extensions : css|scss|js|map|png|bmp|gif|jpe?g|svg|tiff|woff2?|ttf|eot|html
- lib : directory and all of its content
- log : directory and all of its content
You should also prevent directory listing.
Using HTTPS
You should serve your pages only using the https protocol.
As stated by Wikipedia: it protects against man-in-the-middle attacks. The bidirectional encryption of communications between a client and server protects against eavesdropping and tampering of the communication.
Preventing session theft
While the PHP default configuration is already reasonable from a security point of view, it can be improved: you should change the default value of these entries:
- session.cookie_httponly: to prevent malicious JavaScript from reading the user's session cookie, enable session.cookie_httponly
- session.cookie_secure: if you use HTTPS, enable this directive so cookies are only sent over secure connections
Extra HTTP headers
Although not as critical as the settings above, you can configure these HTTP headers in the web server to add an extra layer of security. Since this page tries to stay simple, the headers mentioned here can usually be tuned to be stricter.
- Strict-Transport-Security: set to "max-age=63072000; includeSubdomains;" env=HTTPS to force the use of HTTPS.
- X-Frame-Options: set to "sameorigin". This indicates whether or not a browser should be allowed to render a page in a <frame>, <iframe>, <embed> or <object>. (This one will probably matter when embedding Grafana or the Kubernetes Dashboard.)
- X-Content-Type-Options: set to "nosniff". This allows opting out of MIME type sniffing (the MIME types advertised in the Content-Type headers should not be changed).
- Content-Security-Policy: helps detect and mitigate cross-site scripting (XSS) and data injection attacks.
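The directory restrictions from "Permissions on key directories", the HTTPS-only rule and the extra headers above, combined into one nginx server block (nginx does not read .htaccess files, so these rules have to live in the server configuration). This is an added example, not configuration from the original post or from the iTop project; the hostname, certificate paths, web root and php-fpm socket are assumptions, and the PHP location reuses the page's own pathinfo.conf include.

```nginx
# Plain HTTP only redirects, so pages are served over HTTPS only
server {
    listen 80;
    server_name itop.example.com;            # assumed hostname
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name itop.example.com;
    ssl_certificate     /etc/ssl/certs/itop.pem;     # assumed path
    ssl_certificate_key /etc/ssl/private/itop.key;   # assumed path
    root  /var/www/html/itop;                        # assumed web root
    index index.php;
    autoindex off;                                   # no directory listing

    # The page's "env=HTTPS" is Apache syntax; in nginx the equivalent is to
    # add HSTS only in this HTTPS block. "always" also sets headers on 4xx/5xx.
    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains" always;
    add_header X-Frame-Options "sameorigin" always;
    add_header X-Content-Type-Options "nosniff" always;

    # conf, data, lib, log: nothing inside may be served. Regex locations are
    # tried in file order, so these must come before the PHP handler below;
    # otherwise a request for /conf/anything.php would be executed, not denied.
    location ~ ^/(conf|data|lib|log)/ { deny all; }

    # datamodels, env-*, extensions: only the listed static asset extensions
    # are served; any other file under them (including .php) is refused.
    location ~ ^/(datamodels|env-[^/]+|extensions)/.+\.(css|scss|js|map|png|bmp|gif|jpe?g|svg|tiff|woff2?|ttf|eot|html)$ {
        try_files $uri =404;
    }
    location ~ ^/(datamodels|env-[^/]+|extensions)/ { deny all; }

    # PHP handler, identical to the page's enable-php-pathinfo.conf
    location ~ [^/]\.php(/|$) {
        fastcgi_pass  unix:/tmp/php-fpm.sock;
        fastcgi_index index.php;
        include fastcgi.conf;
        include pathinfo.conf;
    }

    location / { try_files $uri $uri/ =404; }
}
```

After reloading nginx, a request for /conf/config-itop.php or /data/ should return 403, while /env-production/ css and js files are still served.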
References
1. https://www.itophub.io/wiki/page?id=2_7_0%3Ainstall%3Astart
2. https://www.itophub.io/wiki/page?id=2_7_0%3Ainstall%3Ainstalling_itop
3. https://www.itophub.io/wiki/page?id=2_7_0%3Afeature%3Aencrypt_data
4. https://www.itophub.io/wiki/page?id=2_7_0%3Ainstall%3Aphp_and_mysql_configuration#mysql_recommandations
5. https://www.itophub.io/wiki/page?id=2_7_0%3Ainstall%3Asecurity
6. https://www.itophub.io/wiki/page?id=2_7_0%3Aadvancedtopics%3Aautomatic_install
7. https://www.itophub.io/wiki/page?id=2_7_0%3Aadmin%3Acron