Goals:

To provide a step-by-step guide to deploying a Zabbix server on a newly installed CentOS 7 server.


Requirements:

The hardware requirements for an application deployment are a combination of the base operating system requirements and the application requirements.

Base Operating System Hardware Requirements

Find in article: How to setup a new CentOS 7 server

Application Hardware Requirements

CPU          | RAM  | Database/Partition  | Monitored hosts
2 CPU cores  | 2GB  | MySQL InnoDB/40GB   | 500

Plan:

  1. Server Prep
  2. Configure Apache
  3. Configure PHP
  4. Configure MariaDB
  5. Configure Zabbix
  6. Configure SELinux for Zabbix
  7. Configure HTTPS

Step 1: Server Prep

1.1: Update the server

Input:
sudo yum -y update

1.2: Set the server name

Input:
sudo hostnamectl set-hostname zabbix.lnxark.org 

1.3: Configure the server time.

1.3.1: Install chrony.

Input:
sudo yum -y install chrony

1.3.2: Enable Chrony

Input:
sudo systemctl enable chronyd

1.3.3: Make a backup of the original chronyd daemon configuration file /etc/chrony.conf:

Input:
sudo cp --archive /etc/chrony.conf /etc/chrony.conf.bck-$(date +'%F@%T')

1.3.4: Configure chrony by adding the desired time server

If you don’t have a local network time server:

Input1:
sudo sed -i -r -e "s/^((server|pool).*)/# \1         # commented by $(whoami) on $(date +"%F @ %T")/" /etc/chrony.conf

Input2: 
echo -e "\n# added by $(whoami) on $(date +"%F @ %T") \npool 2.fedora.pool.ntp.org iburst" | sudo tee -a /etc/chrony.conf

If you do have a local network time server:

Input1:
sudo sed -i -r -e "s/^((server|pool).*)/# \1   # commented by $(whoami) on $(date +"%F @ %T")/" /etc/chrony.conf

Input2:
echo -e "\n# added by $(whoami) on $(date +"%F @ %T") \nserver time.lnxark.org iburst" | sudo tee -a /etc/chrony.conf

1.3.5: Restart the chronyd daemon

Input:
sudo systemctl restart chronyd

Step 2: Configure Apache

2.1: Install Apache/httpd.

Input:
sudo yum -y install httpd

2.2: Start the service and enable it.

Input:
sudo systemctl start httpd \
&& \
sudo systemctl enable httpd

2.3: Check if httpd was properly installed.

Input:
sudo netstat -plntu

Output:
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
...
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 12400/httpd

Step 3: Configure PHP

3.1: Add the webtatic and the EPEL repository.

To install the needed packages and extensions, we will need to add the following repos:

Input:
sudo yum -y install epel-release
Input:
sudo rpm -Uvh https://mirror.webtatic.com/yum/el7/webtatic-release.rpm

Output:
Retrieving https://mirror.webtatic.com/yum/el7/webtatic-release.rpm
warning: /var/tmp/rpm-tmp.ikf5Kt: Header V4 RSA/SHA1 Signature, key ID 62e74ca5: NOKEY
Preparing…                       ################################# [100%]
Updating / installing…
   1:webtatic-release-7-3        ################################# [100%]

3.2: Now install PHP 7.2 packages

Input:
sudo yum -y install mod_php72w php72w-cli php72w-common php72w-devel php72w-pear php72w-gd php72w-mbstring php72w-mysql php72w-xml php72w-bcmath

3.3: Edit the default ‘php.ini’ file.

Input:
sudo cp /etc/php.ini /etc/php.ini.orig
Input:
sudo vim /etc/php.ini

Edit File:
...
max_execution_time = 600
...
max_input_time = 600
...
memory_limit = 256M
...
post_max_size = 32M
...
upload_max_filesize = 16M
...
date.timezone = America/New_York

Note: For a list of acceptable timezones, view the list on the site below: https://www.php.net/manual/en/timezones.america.php

3.4: Now restart the httpd service.

Input:
sudo systemctl restart httpd

Step 4: Configure MariaDB

4.1: Install mariadb-server.

Input:
sudo yum -y install mariadb-server

4.2: Create DB logical volumes

Install gdisk to create partitions

Input:
sudo yum install gdisk -y

Create a partition for DB

Add or use available hard disk space to create a partition for the database (DB).

Input:
sudo gdisk /dev/sdb
Input:
sudo partprobe

Create a Logical Volume from the new partition

By making a logical volume, you can increase the size of the DB storage with another partition when storage starts to fill up.

Input:
sudo pvcreate /dev/sdb1
Input:
sudo vgcreate DB_data /dev/sdb1
Input:
sudo lvcreate -L +40G -n mariadb_data DB_data

Format the new logical volume with a file system.

The best filesystems for a MariaDB server are ext4, XFS, or Btrfs. Why those three? All are solid enterprise journaling filesystems that scale nicely from small to very large files and very large storage volumes. I like to work with XFS.

Input:
sudo mkfs.xfs /dev/DB_data/mariadb_data

4.3: Mount the LVM volume on the /var/lib/mysql directory so that storage can be increased over time

I find that you have to log in as root first to begin adding the logical volume partition and editing /etc/fstab; this will save time.

Input:
sudo su -

Locate the newly created block partition by the drive name given during the lvcreate command above:

Input:
blkid | grep mariadb
Input:
blkid | grep mariadb >> /etc/fstab
Input:
vim /etc/fstab

Configure the mount point in /etc/fstab. I prefer using the UUID of the added partition.

Input:
mount -a

4.4: After the installation is complete, start the service and enable it to ensure that the daemon launches at system boot.

Input:
sudo systemctl start mariadb
Input:
sudo systemctl enable mariadb

4.5: Now run the command below to configure MariaDB root password.

Input:
sudo mysql_secure_installation

4.6: Create a new database for our Zabbix installation

Input:
mysql -u root -p

4.6.1: Run the following SQL statements at the MySQL prompt.

Input:
create database zabbix; 
Input:
grant all privileges on zabbix.* to zabbix@'localhost' identified by '<user_passwd>'; 
Input:
grant all privileges on zabbix.* to zabbix@'%' identified by '<user_passwd>'; 
Input:
flush privileges;

Step 5: Configure Zabbix

5.1: Add the Zabbix repository.

Input:
sudo rpm -Uvh https://repo.zabbix.com/zabbix/4.0/rhel/7/x86_64/zabbix-release-4.0-1.el7.noarch.rpm

5.2: Now install Zabbix and zabbix support packages using the yum command below.

Input:
sudo yum -y install zabbix-get zabbix-server-mysql zabbix-web-mysql zabbix-agent

5.3: Import the Zabbix database sample to your ‘zabbix’ database.

Input:
cd /usr/share/doc/zabbix-server-mysql-4.0.5/
Input:
gunzip create.sql.gz
Input:
mysql -u root -p zabbix < create.sql

5.4: Configure the database for Zabbix server

5.4.1: Edit file /etc/zabbix/zabbix_server.conf

Input:
sudo cp /etc/zabbix/zabbix_server.conf \
/etc/zabbix/zabbix_server.conf.orig
Input:
sudo vim /etc/zabbix/zabbix_server.conf

5.4.2: Change the values of the configuration as shown below, setting DBPassword to the password chosen for the zabbix database user in step 4.6.1:

Edit File:
...
DBPassword=password

5.5: Configure PHP for Zabbix frontend

5.5.1: Edit file /etc/httpd/conf.d/zabbix.conf

Input:
sudo cp /etc/httpd/conf.d/zabbix.conf \
/etc/httpd/conf.d/zabbix.conf.orig
Input:
sudo vim /etc/httpd/conf.d/zabbix.conf
Edit File:
...
php_value date.timezone America/New_York 

5.5.2: Start the Zabbix server and agent daemons

Input:
sudo systemctl restart zabbix-server zabbix-agent httpd
Input:
sudo systemctl enable zabbix-server zabbix-agent httpd

5.5.3: Configure the firewall

  • http = 80/tcp
  • https = 443/tcp
  • zabbix server = 10051/tcp
Input:
sudo firewall-cmd --permanent --add-port=80/tcp
Input:
sudo firewall-cmd --permanent --add-port=443/tcp
Input:
sudo firewall-cmd --permanent --add-port=10051/tcp
Input:
sudo firewall-cmd --reload

5.5.4: Verify the changes

Input:
sudo firewall-cmd --list-all

Step 6: Configure SELinux for Zabbix

At this phase, if SELinux is enabled, you will get an error similar to the one below:

Output:
cannot start preprocessing service: Cannot bind socket to "/var/run/zabbix/zabbix_server_preprocessing.sock": [13] Permission denied.

6.1: To address this, install the policycoreutils-python package, then download the prepared SELinux module and use it.

Input:
sudo yum install policycoreutils-python
Input:
cd ~
Input:
curl https://support.zabbix.com/secure/attachment/53320/zabbix_server_add.te > zabbix_server_add.te

6.2: Configure SELinux with module

Input:
sudo checkmodule -M -m -o zabbix_server_add.mod zabbix_server_add.te
Input:
sudo semodule_package -m zabbix_server_add.mod -o zabbix_server_add.pp
Input:
sudo semodule -i zabbix_server_add.pp
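
Before running checkmodule and semodule on a policy file fetched from the network, as in 6.1 and 6.2, it is worth listing exactly which allow rules it contains. The following is an added example, not part of the original guide or the Zabbix project: the .te content in sample_te is constructed for illustration, and te_allow_rules and te_unexpected_rules are hypothetical helper names.

```bash
#!/bin/sh
# Added example: list what a type-enforcement (.te) source file would allow
# before it is compiled and loaded. sample_te is constructed sample data,
# not the content of the file downloaded in step 6.1.

sample_te() {
cat <<'EOF'
module zabbix_server_add 1.0;

require {
    type zabbix_t;
    type zabbix_var_run_t;
    type httpd_t;
    class sock_file { create unlink write };
    class unix_stream_socket connectto;
    class process setrlimit;
}

allow zabbix_t self:process setrlimit;
allow zabbix_t self:unix_stream_socket connectto;
allow zabbix_t zabbix_var_run_t:sock_file { create unlink write };
# a rule for a different domain, included so the check has something to flag
allow httpd_t zabbix_var_run_t:sock_file write;
EOF
}

# Print one line per allow rule: "<source> <target> <class> <perm,perm,...>"
te_allow_rules() {
    awk '
        /^[ \t]*allow[ \t]/ {
            sub(/;[ \t]*$/, "")            # drop the trailing semicolon
            gsub(/[{}]/, " ")              # flatten { perm perm } sets
            split($3, tc, ":")             # "target:class"
            perms = ""
            for (i = 4; i <= NF; i++) perms = perms (perms == "" ? "" : ",") $i
            print $2, tc[1], tc[2], perms
        }' "$1"
}

# Print only the rules whose source domain is not the one you expect ($2).
te_unexpected_rules() {
    te_allow_rules "$1" | awk -v want="$2" '$1 != want'
}

f=$(mktemp)
sample_te > "$f"
echo "All allow rules:";        te_allow_rules "$f"
echo "Rules outside zabbix_t:"; te_unexpected_rules "$f" zabbix_t
rm -f "$f"
```

Point the two functions at the downloaded zabbix_server_add.te instead of the sample to review it; any rule printed by te_unexpected_rules deserves a closer look before semodule -i is run.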

6.3: Restart zabbix-server.

Input:
sudo systemctl restart zabbix-server

6.3.1: If for some reason the restart fails, the daemon has probably frozen. To address this, kill the daemon and start it again.

Input:
sudo pkill zabbix_server
Input:
sudo systemctl start zabbix-server

6.4: Set SELinux permissions for zabbix to work with a web server and database.

Input:
sudo setsebool -P httpd_can_connect_zabbix on
Input:
sudo setsebool -P httpd_can_network_connect_db on

6.5: Restart Apache

Input:
sudo systemctl restart httpd

Step 7: Configure HTTPS

7.1: Create a DNS A record

7.1.1: Open RSAT DNS MSC

7.1.2: Create the new A record using the server hostname

7.2: Check that the DNS record is being resolved by servers

7.2.1: Check with nslookup on the server

Input:
sudo nslookup <server_hostname>

or

Check via a web browser

7.3: SSL/TLS configuration

7.3.1: Create the SSL directories

Input:
mkdir -p /etc/httpd/ssl/{csr,cert,private,cnf,inter}

7.3.2: Create an openssl.cnf

Input:
cp /etc/pki/tls/openssl.cnf /etc/httpd/ssl/cnf/zabbix_ssl.cnf
Input:
vim /etc/httpd/ssl/cnf/zabbix_ssl.cnf
Edit File:
#
# Example OpenSSL configuration file for use with Let's Encrypt.
# This is only being used for generation of certificate requests.
# Modified from a standard example by Parliament Hill Computers Ltd.
#

# This definition stops the following lines choking if HOME isn't
# defined.
HOME			= .
RANDFILE		= $ENV::HOME/.rnd

[ req ]
default_bits		= 2048
distinguished_name	= req_distinguished_name
attributes		= req_attributes

# Stop confirmation prompts. All information is contained below.
prompt			= no

# The extensions to add to a certificate request - see [ v3_req ]
req_extensions		= v3_req

[ req_distinguished_name ]
# Describe the Subject (ie the organisation).
# The first 6 below could be shortened to: C ST L O OU CN
# The short names are what are shown when the certificate is displayed.
# Eg the details below would be shown as:
#    Subject: C=UK, ST=Hertfordshire, L=My Town, O=Some Organisation, OU=Some Department, CN=www.example.com/emailAddress=bofh@example.com

# Leave as long names as it helps documentation

countryName=		<Your Country Acronym>
stateOrProvinceName=	<Your State>
localityName=		<Your City Name>
organizationName=	<Your Organisation>
organizationalUnitName=	<Your Department>
commonName=		<Server hostname>
emailAddress=		<webmaster_email> 

[ req_attributes ]
# None. Could put Challenge Passwords, don't want them, leave empty

[ v3_req ]

# X509v3 extensions to add to a certificate request
# See x509v3_config

# What the key can/cannot be used for:
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth,serverAuth

# The subjectAltName is where you give the names of extra web sites.
# You may have more than one of these, so put in the section [ alt_names ]
# If you do not have any extra names, comment the next line out.
subjectAltName = @alt_names

# List of all the other DNS names that the certificate should work for.
# alt_names is a name of my own invention
[ alt_names ]
DNS.1 = devel.example.com
DNS.2 = ipv6.example.com
DNS.3 = ipv4.example.com
DNS.4 = test.example.com
DNS.5 = party.example.com

7.3.3: Generate a CSR for Apache Using OpenSSL

Input:
openssl genrsa -out /etc/httpd/ssl/private/zabbix_ssl.key 2048
Input:
openssl req \
-config /etc/httpd/ssl/cnf/zabbix_ssl.cnf \
-new \
-key /etc/httpd/ssl/private/zabbix_ssl.key \
-out /etc/httpd/ssl/csr/zabbix_ssl.csr
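
The [ alt_names ] section in the configuration file above still lists the template's example.com names, so a CSR built from it unchanged requests those names rather than the server's own. The following is an added example, not part of the original guide: assuming openssl is on the PATH, it builds a throwaway CSR from a constructed, trimmed config and checks that the request verifies and asks for the expected DNS name. make_sample_csr and csr_has_san are hypothetical helper names.

```bash
#!/bin/sh
# Added example: check a CSR before sending it to a CA. All names, paths and
# the trimmed config below are constructed sample data.

# make_sample_csr DIR DNS_NAME: write sample.cnf, sample.key, sample.csr in DIR
make_sample_csr() {
    cat > "$1/sample.cnf" <<EOF
[ req ]
distinguished_name = dn
req_extensions     = v3_req
prompt             = no
[ dn ]
commonName = $2
[ v3_req ]
basicConstraints = CA:FALSE
subjectAltName   = @alt_names
[ alt_names ]
DNS.1 = $2
EOF
    # umask 077 keeps the private key readable by its owner only
    ( umask 077; openssl genrsa -out "$1/sample.key" 2048 2>/dev/null ) &&
    openssl req -config "$1/sample.cnf" -new \
        -key "$1/sample.key" -out "$1/sample.csr"
}

# csr_has_san CSR DNS_NAME: succeed only if the CSR's self-signature verifies
# and DNS_NAME appears in its subjectAltName extension.
csr_has_san() {
    openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK' || return 2
    openssl req -in "$1" -noout -text |
        awk '/Subject Alternative Name/ { getline; print }' |
        tr ',' '\n' | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' |
        grep -Fxq "DNS:$2"
}

d=$(mktemp -d)
make_sample_csr "$d" zabbix.lnxark.org
csr_has_san "$d/sample.csr" zabbix.lnxark.org && echo "ok: zabbix.lnxark.org requested"
csr_has_san "$d/sample.csr" devel.example.com || echo "devel.example.com is not in this CSR"
rm -rf "$d"
```

Run csr_has_san against /etc/httpd/ssl/csr/zabbix_ssl.csr with the server hostname to confirm the real request before submitting it.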