NeDi installation and upgrading on RHEL EL8 and EL7 Linux

NeDi (Network Discovery) is an open source network monitoring tool. Please see first the general information in the NeDi.

This page describes how to install NeDi on RHEL (and clones such as AlmaLinux, RockyLinux, and CentOS) Linux servers. See also the general NeDi_installation page.

On the dedicated server for NeDi download the file nedi-XXX.tgz (select the current version in stead of XXX) from the NeDi download page. Paying customers may download the latest version (currently 2.3) from the NeDi_customer page.

NeDi installation on EL8

If you restore a database dump onto a different server running a newer MySQL or MariaDB version you must read the section Upgrade of MySQL/MariaDB below!

Enable the EPEL repository, see the EPEL instructions. Install these packages:

dnf install gcc httpd mod_ssl php php-mysqlnd mariadb-server mariadb-devel php-snmp php-gd php-process patch net-snmp net-snmp-utils rrdtool rrdtool-perl tcpdump
dnf install perl-Algorithm-Diff perl-Net-Telnet perl-Net-DNS perl-Socket6 perl-Test-Exception perl-DBD-MySQL perl-Module-Build perl-Net-SNMP
dnf install perl-CPAN perl-App-cpanminus

Now you can install the required CPAN modules:

cpanm RRD::Simple
cpanm Time::HiRes::Value

Ansible installation

If you are using an Ansible server for installation, install this ansible-galaxy collection on the server:

ansible-galaxy collection install community.general

so that you can install Perl modules like this playbook example:

- name: Install perl-RRD-Simple package
  community.general.cpanm:
    name: RRD::Simple

The attached Ansible task file main.yml may be used to set up your own playbook for installing NeDi with Ansible.

NeDi Installation on CentOS/RHEL 7

Enable the EPEL repository, see the EPEL instructions. Install prerequisite packages:

yum install httpd mod_ssl php php-mysql mariadb-server mariadb-devel php-snmp php-gd php-process patch
yum install net-snmpnet-snmp-utils rrdtool rrdtool-perl tcpdump postgresql.x86_64 php-pgsql.x86_64
yum install perl-Algorithm-Diff perl-Net-Telnet perl-Net-DNS perl-Socket6 perl-Test-Exception perl-DBD-Pg.x86_64 perl-Module-Build
yum install perl-CPAN perl-App-cpanminus

Then install additional packages from EPEL:

yum install perl-Net-SNMP perl-IO-Pty-Easy.noarch

Some packages must be installed manually as CPAN modules:

cpanm RRD::Simple
cpanm Time::HiRes::Value

NeDi installation on EL9

WARNING: At the time of writing (June 2023) NeDi version 2.3 does not yet support the MariaDB version 10.5, which is part of EL9 (RHEL 9 and clones). You have to use EL8 with MariaDB 10.3 in stead.

The EL9 MariaDB database is version 10.5. See the 10.5 release notes at https://mariadb.com/kb/en/changes-and-improvements-in-mariadb-10-5/ Note this new driver:

Switch Perl DBI scripts from DBD::mysql to DBD::MariaDB driver (MDEV-19755)

Install the new driver by:

cpanm DBD::MariaDB

Patching the Perl NET::SNMP module Message.pm

NeDi the perl-Net-SNMP library (Net::SNMP, not to be confused with the Net-SNMP package), which hasn’t been updated since 2010. There is a problem with the Message.pm module which may lead to many fake events in NeDi

latency xxx exceeds threshold yyy

If you want to fix this problem, the only way is to manually patch the Message.pm module (no updates seem to be coming) to use the Time-HiRes-Value module. You may download the attached file Message.pm.diff. This patch was provided by the author of NeDi.

Patch the /usr/share/perl5/vendor_perl/Net/SNMP/Message.pm file (as root):

cd /usr/share/perl5/vendor_perl/Net/SNMP
patch < Message.pm.diff

Install NeDi

Create a nedi user in group apache with home directory /var/nedi:

useradd --gid apache --shell /bin/bash --create-home --home-dir /var/nedi/ --comment "NeDi user" nedi

Create some dynamic subdirectories needed, then unpack the files to the nedi user’s home directory:

mkdir -p /var/nedi/log
cd /var/nedi
tar xzvf .../nedi-XXX.tgz
chown -R nedi.apache /var/nedi/*

Security: Check if this is really needed Make the /var/nedi/ directory tree group-writable (group apache meaning the Apache web server):

chmod -R g+w /var/nedi/*

Note: It is important not to make the directories /var/nedi and /var/nedi/.ssh group-writable, since this will cause security problems with SSH logins.

Protect configuration files which might reveal important information about your network:

chmod 660 /var/nedi/nedi.conf /var/nedi/seedlist

Create system links to the NeDi files:

ln -s /var/nedi/nedi.conf /etc/nedi.conf  # NeDi configuration file
mv /var/www/html /var/www/html.orig       # Move default Apache html files out of the way
ln -s /var/nedi/html/ /var/www/html       # Link to NeDi html files

The PHP configuration file /etc/php.ini must be edited so that PHP will recognize code between <? and ?> tags as PHP source, so change this parameter:

short_open_tag = On

For reasons of security turn off this option in /etc/php.ini:

expose_php = Off

SELinux permissive mode

Security concern: NeDi has been designed to execute many scripts through the Apache web server. This is going to conflict with the SELinux Enforcing security mode, and you must consider the security implications of allowing the Apache web server write access to the NeDi server’s file system.

SELinux is configured in /etc/selinux/config and it should be set to Permissive mode:

SELINUX=permissive

Either reboot the server, or set Permissive mode immediately using this command:

setenforce Permissive

See the man-page httpd_selinux for information about Apache and SELinux.

Warning messages from SELinux will appear in the system syslog /var/log/messages.

Configuring NeDi for secure SELinux operation

Optional: Configuring the correct SELinux settings for the whole of NeDi (/var/nedi) is probably going to be really complicated. Here are some initial settings to get started.

Set SELinux security context for normal files in the nedi user’s home directory (do not set on the .ssh/ folder):

setsebool -P httpd_enable_homedirs 1
chcon -R -t httpd_sys_content_t /var/nedi/*

For NeDi operation you must allow Apache to write to some directories. Make sure these directories have correct ownership and permissions:

# chown nedi.apache /var/nedi/html/map /var/nedi/sysobj
# chmod g+w /var/nedi/html/map /var/nedi/sysobj
# ls -lad /var/nedi/html/map /var/nedi/sysobj
drwxrwxr-x. 2 nedi apache  4096 Jan  6 15:11 /var/nedi/html/map
drwxrwxr-x. 2 nedi apache 36864 Jan  6 15:11 /var/nedi/sysobj

and then configure SELinux to permit read-write access for Apache:

chcon -R -t httpd_sys_rw_content_t /var/nedi/html/map
chcon -R -t httpd_sys_rw_content_t /var/nedi/sysobj/

NeDi database services

Mariadb database service

Start the MariaDB service:

systemctl start mariadb
systemctl enable mariadb
systemctl status mariadb

Secure the database (root password etc.) by running:

/usr/bin/mysql_secure_installation

Initialize NeDi database

See the NeDi_installation page about database initialization. If this is an initial installation of NeDi, initialize a completely blank Nedi database by:

cd /var/nedi/
./nedi.pl -i

For the mysql admin user/pass use root and the database password selected above.

For upgrading NeDi starting with NeDi 1.4, you can use -i nodrop for updating an existing DB structure without the need for DB admin credentials. Alternatively -i updatedb will do just that without any loss of data.

For version 1.4.300 or 1.5.038 or 1.6.100:

./nedi.pl -i updatedb

The MySQL root account will be required for this operation.

NeDi syslog and moni daemons

NeDi requires two running daemon processes:

• syslog.pl syslog daemon which stores events directly in the database.

• moni.pl monitoring daemon for polling uptime and checking connectivity of services.

First download the service scripts from here:

• nedi-monitor.service

• nedi-syslog.service

Add the Systemd services:

systemctl enable nedi-monitor.service
systemctl enable nedi-syslog.service
systemctl start nedi-monitor.service
systemctl start nedi-syslog.service
systemctl status nedi-monitor.service
systemctl status nedi-syslog.service

On EL7 systems you must first install these scripts:

• nedi-monitor

• nedi-syslog

• Copy files:

  chmod 755 nedi-monitor nedi-syslog
  cp nedi-monitor nedi-syslog /usr/libexec/
  cp nedi-monitor.service nedi-syslog.service /etc/systemd/system/
  

Documentation is in the systemd.service manual page.

Apache web service

We will use the Apache web server provided by the httpd RPM package.

An SSL-encrypted NeDi web-page must be configured because critical information such as login passwords are used. For an introduction see Setting up an SSL secured Webserver with CentOS. The unencrypted HTTP service on port 80 should be redirected to the SSL-encrypted port 443 (see https://wiki.apache.org/httpd/RedirectSSL) as shown in the example below.

You may either use a self-signed SSL certificate, or use a commercial SSL certificate valid for your web server according to your site’s security policies. The SSL certificate files must be copied to the /etc/pki/tls/{certs,private}/ directories (see above CentOS instructions).

In the Apache configuration directory /etc/httpd/conf.d/ create the file 03nedi.conf and change DNS domain names (here example.com) as required:

NameVirtualHost *:80
<VirtualHost *:80>
  AddDefaultCharset Off
  ServerAdmin webmaster@example.com
  ServerName nedi.example.com
  RewriteEngine On
  RewriteCond %{REQUEST_METHOD} ^TRACE
  RewriteRule .* - [F]
  Redirect / https://nedi.example.com/
</VirtualHost>

NameVirtualHost *:443
<VirtualHost _default_:443>
  AddDefaultCharset Off
  ServerAdmin webmaster@example.com
  ServerName nedi.example.com
  DocumentRoot /var/www/html/
  # Security: Cross-Site Tracing issues: https://www.apacheweek.com/issues/03-01-24
  RewriteEngine On
  RewriteCond %{REQUEST_METHOD} ^TRACE
  RewriteRule .* - [F]
  # Security: https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options
  Header always append X-Frame-Options SAMEORIGIN
  DirectoryIndex index.php
  Options -Indexes
  SSLEngine On
  SSLCertificateFile /etc/pki/tls/certs/ca.crt            # Example only
  SSLCertificateKeyFile /etc/pki/tls/private/ca.key       # Example only
  # Disable obsolete SSLv2/3 and TLS v1.0 protocols:
  SSLProtocol all -SSLv2 -SSLv3 -TLSv1
  # See https://mozilla.github.io/server-side-tls/ssl-config-generator/
  SSLCipherSuite "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA"
  SSLHonorCipherOrder on
  Header always add Strict-Transport-Security "max-age=15768000"
</VirtualHost>

Test the Apache configuration by:

apachectl configtest

Apache and SSL security

Advice about SSL security in Apache:

• https://wiki.mozilla.org/Security/Server_Side_TLS#Apache

The SSLCipherSuite (Cipher Suite available for negotiation in SSL handshake) configuration is really complicated. Strong recommendations are in:

• Server_Side_TLS

• tls-ssl-cipher-hardening

In fact, one may generate an appropriate Apache SSL configuration including SSLCipherSuite in the page:

• https://mozilla.github.io/server-side-tls/ssl-config-generator/

There seems to be a bug in the CentOS/RHEL 7 httpd package file /etc/httpd/conf.modules.d/00-lua.conf giving a syslog error message:

httpd: Syntax error on line 56 of /etc/httpd/conf/httpd.conf: Syntax error on line 1 of /etc/httpd/conf.modules.d/00-lua.conf: Cannot load modules/mod_lua.so into server: /etc/httpd/modules/mod_lua.so: undefined symbol: apr_bcrypt_encode

On EL7 comment out (insert #) the line 1 in /etc/httpd/conf.modules.d/00-lua.conf.

Start the web service

When the Apache configuration test is OK, start the httpd service:

systemctl enable httpd
systemctl start httpd
systemctl status httpd

A nice introduction is RHEL7: How to get started with Firewalld.

Configure firewalld rules for HTTP/HTTPS (ports 80,443) by adding:

firewall-cmd --zone=public --add-port=80/tcp --permanent
firewall-cmd --zone=public --add-port=443/tcp --permanent
firewall-cmd --reload

NeDi Crontab jobs

For automatic device discovery use cron jobs. Add some crontab commands for user nedi using the command:

crontab -e -u nedi

to add these hourly jobs:

0 0 * * * /var/nedi/nedi.pl -p -B2 > /var/nedi/log/nedi-backup.lastrun 2>&1
0 1-23 * * * /var/nedi/nedi.pl -p > /var/nedi/log/nedi.lastrun 2>&1

Upgrading NeDi software

From time to time a new version of NeDi may become available (see Installation above for downloads), and you may want to install the update.

The upgrading process must be run as the root user.

Stop all NeDi services:

systemctl stop httpd
systemctl stop nedi-monitor
systemctl stop nedi-syslog

and comment out the discovery scripts in crontab:

crontab -e -u nedi

Now make a database backup as shown in the section below, just for safety.

The /var/nedi directory contains a lot of NeDi state information (RRD graphs, switch configurations, etc.) which you want to preserve across the update. So first make a backup of the old version /var/nedi:

tar czf $HOME/nedi-old-version-backup.tar.gz /var/nedi

Also make backup copies of all changed configuration files to some backup directory, for example:

cd /var/nedi
cp -p nedi.conf seedlist nedi.pl trap.pl ... <backup-directory>

Here we back up also the Perl (.pl) files (for example, trap.pl) in case you have made any changes manually.

Then overwrite /var/nedi by the new version (here 1.6.100):

cd /var/nedi
tar xzvf <downloaddir>/nedi-1.6.100.tgz

If there are any patch-files, unpack the latest file as well (for example):

tar xzvf <downloaddir>/nedi-1.6p2.tgz

The patch files are cumulative, so only the latest one will be used.

Now make a backup of the new files and copy your old configuration files:

cp nedi.conf nedi.conf.new
cp seedlist seedlist.new
cp -p $HOME/nedi.conf nedi.conf.OLD
cp $HOME/seedlist seedlist

Now you have to edit (do not copy) nedi.conf because changes always appear in new versions! You have to go through nedi.conf.OLD and copy any local changes into the new nedi.conf file. The meld command is extremely useful for comparing files, install it by:

yum install meld

Set correct user and group ownership:

chown -R nedi.apache /var/nedi/*
chmod -R g+w /var/nedi/*

Note: It is important not to make the directories /var/nedi and /var/nedi/.ssh group-writable, since this will cause security problems with SSH logins.

Notice: The web interface user admin now has the default password admin. Change the admin password as described in our NeDi page.

For major releases only, the MySQL database structures may need updating. This is not required for patch-releases! See the MySQL service section above before doing:

./nedi.pl -i updatedb

When the upgrading has completed successfully, restart all NeDi services (as root user):

systemctl start httpd
systemctl start nedi-monitor
systemctl start nedi-syslog

and re-enable the discovery scripts in crontab:

crontab -e -u nedi

Backup and restore of NeDi server

In order to backup the entire NeDi server to a different location (for disaster recovery or migration), the following files must be backed up:

1. The directory tree /var/nedi.

2. Make a MySQL database mysqldump using this script /root/mysqlbackup (insert the correct MySQL password):

   #!/bin/sh
   # MySQL Backup Script for All Databases
   HOST=localhost
   BACKUPFILE=/root/mysql_dump
   USER=root
   PWD='**********'
   DUMP_ARGS="--opt --flush-logs --quote-names"
   DATABASES="--all-databases"
   /usr/bin/mysqldump --host=$HOST --user=$USER --password=$PWD $DUMP_ARGS --result-file=$BACKUPFILE $DATABASES
   

   Write permission to $BACKUPFILE is required.

Make regular database dumps, for example by a crontab job:

# MySQL database backup
30 7 * * * /root/mysqlbackup

Note: Using the GUI page System-Snapshot one may perform a Database Snapshot - this is just a special database inside the MySQL server, not a backup. The page System-Export also allows export of database contents.

Restore of a NeDi backup

Step 1: The directory tree /var/nedi must be restored in stead of the vanilla distribution files, and the above installation instructions must be followed.

Step 2: NeDi_s MySQL database contents must be loaded from the backup. To restore a MySQL database see for example How do I restore a MySQL .dump file?. As user root input the above created backup file:

mysql -u root -p < /root/mysql_backup

The MySQL password will be asked for.

If you for some reason need to drop the existing MySQL database, the NeDi command is:

cd /var/nedi/
./nedi.pl -i

Upgrade of MySQL/MariaDB

NOTE: At the time of writing (June 2023) NeDi version 2.3 does not yet support the MariaDB version 10.5, which is part of EL9 (RHEL 9 and clones). You have to use EL8 with MariaDB 10.3.

If you restore a database dump onto a different server running a newer MySQL or MariaDB version there are some extra steps:

• Consult the Upgrading_MariaDB page with detailed instructions for upgrading between MariaDB versions or from MySQL.

You should run the mysql_upgrade command whenever major (or even minor) version upgrades are made , or when migrating from MySQL to MariaDB:

mysql_upgrade -p

It may be necessary to force an upgrade if you have restored a database dump made on an earlier version of MariaDB, say, when migrating from CentOS7/RHEL7 to CentOS8/RHEL8:

mysql_upgrade -p --force

It may be necessary to restart the mysqld service or reboot the server after this upgrade (??).

When migrating a database from CentOS/RHEL 7 (EL7) to RHEL 8 (and EL8 clones) you should read Upgrading from MariaDB 5.5 to MariaDB 10.0 since there are some incompatible changes between 5.5 and 10.