This guide was run on CentOS 8.2 installed from the minimal ISO, running on a KVM virtual machine. During install I chose the “Minimal Install”. My guide is based on the CentOS 7 guide here: https://phpipam.net/news/phpipam-installation-on-centos-7/
Preparing the Environment and Installing requirements
Take a snapshot of the VM
# install all the updates
sudo dnf update
# useful extras
sudo dnf install vim fish
# install all the phpIPAM dependencies
sudo dnf install httpd mariadb-server php php-cli php-gd php-common php-ldap php-pdo php-pear php-snmp php-xml php-mysqlnd php-mbstring php-json php-gmp git
Note – in the CentOS 7 guide it says to install php-mcrypt, but I wasn’t able to find that package for CentOS 8, so I just skipped it.
Configuring and running MySQL (MariaDB) database server
Take a snapshot of the VM
# start and enable the mariadb service
systemctl enable --now mariadb
Now set up the database
# make mariadb install secure
mysql_secure_installation
Follow the prompts to get a secure config
Configuring and running Apache webserver
Take a snapshot of the VM
# enable and start httpd
systemctl enable --now httpd
The main Apache configuration is in the file /etc/httpd/conf/httpd.conf. Open it and change the directory settings for /var/www/html to allow mod_rewrite URL rewrites:
# uncomment and modify this line:
ServerName localhost:80
# Set all this
<Directory "/var/www/html">
#
# Possible values for the Options directive are "None", "All",
# or any combination of:
# Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews
#
# Note that "MultiViews" must be named *explicitly* --- "Options All"
# doesn't give it to you.
#
# The Options directive is both complicated and important. Please see
# http://httpd.apache.org/docs/2.4/mod/core.html#options
# for more information.
#
Options Indexes FollowSymLinks
#
# AllowOverride controls what directives may be placed in .htaccess files.
# It can be "All", "None", or any combination of the keywords:
# Options FileInfo AuthConfig Limit
#
AllowOverride All
# Access control uses the Apache 2.4 "Require" directive below;
# 2.2-style Order/Allow lines are not needed.
#
# Controls who can get stuff from this server.
#
Require all granted
</Directory>
Set the correct timezone in /etc/php.ini to avoid PHP warnings:
[Date]
; Defines the default timezone used by the date functions
; http://php.net/date.timezone
date.timezone = Australia/Darwin
And restart apache
systemctl restart httpd
And enable some firewall rules
root@ipam ~# firewall-cmd --permanent --add-port=80/tcp
success
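root@ipam ~# firewall-cmd --permanent --add-port=443/tcp
success
# --permanent rules are only written to disk; reload to apply them to the running firewall
firewall-cmd --reload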
Downloading phpIPAM files and configuring phpIPAM
Get all the files from git
root@ipam ~# cd /var/www/html
root@ipam /v/w/html# ls
root@ipam /v/w/html# git clone https://github.com/phpipam/phpipam.git .
Cloning into '.'...
remote: Enumerating objects: 19, done.
remote: Counting objects: 100% (19/19), done.
remote: Compressing objects: 100% (19/19), done.
remote: Total 26190 (delta 2), reused 3 (delta 0), pack-reused 26171
Receiving objects: 100% (26190/26190), 18.39 MiB | 4.61 MiB/s, done.
Resolving deltas: 100% (19193/19193), done.
root@ipam /v/w/html (master)# git checkout 1.4
Branch '1.4' set up to track remote branch '1.4' from 'origin'.
Switched to a new branch '1.4'
root@ipam /v/w/html (1.4)# git submodule init
Submodule 'app/login/captcha' (https://github.com/dapphp/securimage.git) registered for path 'app/login/captcha'
Submodule 'functions/GoogleAuthenticator' (https://github.com/PHPGangsta/GoogleAuthenticator) registered for path 'functions/GoogleAuthenticator'
Submodule 'functions/PHPMailer' (https://github.com/PHPMailer/PHPMailer.git) registered for path 'functions/PHPMailer'
Submodule 'functions/php-saml' (https://github.com/onelogin/php-saml.git) registered for path 'functions/php-saml'
Submodule 'functions/qrcodejs' (https://github.com/davidshimjs/qrcodejs) registered for path 'functions/qrcodejs'
root@ipam /v/w/html (1.4)# git submodule update
Cloning into '/var/www/html/app/login/captcha'...
Cloning into '/var/www/html/functions/GoogleAuthenticator'...
Cloning into '/var/www/html/functions/PHPMailer'...
Cloning into '/var/www/html/functions/php-saml'...
Cloning into '/var/www/html/functions/qrcodejs'...
Submodule path 'app/login/captcha': checked out '1ecb884797c66e01a875c058def46c85aecea45b'
Submodule path 'functions/GoogleAuthenticator': checked out '3baa997f399d4afd5d6a81d42244ec9cc3eeb080'
Submodule path 'functions/PHPMailer': checked out '59495db0b14c17f5a370359df0ad7b2e004391a2'
Submodule path 'functions/php-saml': checked out 'ea5b7822aa1b4ce14aa88d0e35edf65ebb2f91c8'
Submodule path 'functions/qrcodejs': checked out '04f46c6a0708418cb7b96fc563eacae0fbf77674'
root@ipam /v/w/html (1.4)#
Fix any permissions
sudo chown -R apache:apache /var/www/html/
sudo chcon -t httpd_sys_content_t -R /var/www/html/
cd /var/www/html/
find . -type f -exec chmod 0644 {} \;
find . -type d -exec chmod 0755 {} \;
sudo chcon -R -t httpd_sys_rw_content_t app/admin/import-export/upload/
sudo chcon -R -t httpd_sys_rw_content_t app/subnets/import-subnet/upload/
sudo chcon -R -t httpd_sys_rw_content_t css/1.4.0/images/logo/
Configuring database connection
Copy and modify the out-of-box config file
root@ipam /v/w/html (1.4) [1]# cp config.dist.php config.php
root@ipam /v/w/html (1.4)# vim config.php
Change the block at the top for your config, then any other parts you want to use
Installing phpIPAM
We are now ready to install phpIPAM. Open a browser and go to http://ip_address/ to start the automatic database installation. For the MySQL connection, enter the root username and password you created in point 1.4; this will only be used to create the required databases, tables and grants. After installation is completed, phpIPAM will use the username/password entered in the config.php file to access the database; the root password is not stored anywhere.
I personally went for the “Mysql Import Instructions” as I didn’t have any luck with the automatic install.
Enabling network scanning – Setting up SELinux rules
By default, IP scanning using ping won’t work from phpIPAM, because SELinux blocks httpd from using the sockets that ping needs. However, the SELinux module to fix this is easy to make. The general flow goes like this:
# Make sure the auditing tools are available
dnf install policycoreutils-python-utils setroubleshoot
# disable the dontaudit rules so that every denial is logged
semodule --build --disable_dontaudit
# set enforcing mode off so we get all things that would have been denied
setenforce 0
# watch the audit logs to find what is being blocked - saving to ipam-selinux-blocks.log file
tail -f /var/log/audit/audit.log -n0 | grep denied --line-buffered | tee ipam-selinux-blocks.log
# now go try running the scan/ping in phpIPAM
# Now you can create a policy module from the logs
cat ipam-selinux-blocks.log | audit2allow -M phpipam
semodule -i phpipam.pp
# rebuild the policy with the dontaudit rules re-enabled
semodule --build
# reboot
# Log back in, and make sure you are in enforcing mode
root@ipam ~# sestatus
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: enforcing
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Memory protection checking: actual (secure)
Max kernel policy version: 31
# Now try re-running the phpIPAM scan to see if it works with enforcing on
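The capture in the flow above keeps every "denied" line logged on the host while it runs, not only those from httpd, so it is worth summarising per source domain before audit2allow turns it into policy. The script below is an added example, not part of the original guide; the sample log lines and the function names are constructed for illustration.

```sh
#!/bin/sh
# Added example: review AVC denials per source domain before audit2allow.

# Constructed sample in audit.log AVC format (not captured from a real host).
sample_log() {
cat <<'EOF'
type=AVC msg=audit(1600000000.101:401): avc:  denied  { create } for  pid=2101 comm="ping" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=rawip_socket permissive=1
type=AVC msg=audit(1600000000.102:402): avc:  denied  { net_raw } for  pid=2101 comm="ping" capability=13  scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capability permissive=1
type=AVC msg=audit(1600000005.310:417): avc:  denied  { create } for  pid=2140 comm="ping" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=rawip_socket permissive=1
type=AVC msg=audit(1600000007.555:420): avc:  denied  { read write } for  pid=911 comm="chronyd" name="drift" dev="dm-0" ino=7001 scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file permissive=1
EOF
}

# Emit one line per AVC denial: "source_type target_type class perm1,perm2".
parse_avc() {
    awk '/avc: +denied/ {
        s = t = c = p = ""; inperm = 0
        for (i = 1; i <= NF; i++) {
            if ($i == "{") { inperm = 1; continue }
            if ($i == "}") { inperm = 0; continue }
            if (inperm) { p = (p == "" ? $i : p "," $i); continue }
            if ($i ~ /^scontext=/) { split($i, a, ":"); s = a[3] }
            if ($i ~ /^tcontext=/) { split($i, a, ":"); t = a[3] }
            if ($i ~ /^tclass=/)   { c = substr($i, 8) }
        }
        if (s != "" && c != "") print s, t, c, p
    }' "$@"
}

# Unique denials for one source domain, with hit counts.
denials_for() {
    domain=$1; shift
    parse_avc "$@" | awk -v d="$domain" '$1 == d' | sort | uniq -c |
        awk '{ print $1, $2, $3, $4, $5 }'
}

# Other source domains in the capture; "grep denied | audit2allow" would
# generate allow rules for these too.
other_domains() {
    domain=$1; shift
    parse_avc "$@" | awk -v d="$domain" '$1 != d { print $1 }' | sort -u
}

sample_log | denials_for httpd_t
sample_log | other_domains httpd_t
```

On a real host, pass the capture file as a second argument (for example `denials_for httpd_t ipam-selinux-blocks.log`) and read the generated phpipam.te before loading phpipam.pp.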
My SELinux Type Enforcement file
root@ipamprd1 ~/p/s/files (master)# cat phpipam.te
## SELinux module for phpIPAM
module phpipam 1.0;
require {
type squid_port_t;
type snmpd_var_lib_t;
type httpd_t;
type smtp_port_t;
class tcp_socket name_connect;
class icmp_socket create;
class dir read;
class file { open read write getattr setattr };
class rawip_socket { create getopt setopt read write };
class capability { net_raw net_admin };
}
#============= httpd_t ==============
allow httpd_t self:capability { net_raw net_admin };
allow httpd_t self:icmp_socket create;
allow httpd_t self:rawip_socket { create getopt setopt read write };
allow httpd_t snmpd_var_lib_t:dir read;
allow httpd_t snmpd_var_lib_t:file { open read write getattr setattr };
root@ipamprd1 ~/p/s/files (master)# cat build_selinux_module.sh
#!/bin/sh
checkmodule -M -m -o /tmp/phpipam.mod phpipam.te
semodule_package -o phpipam.pp -m /tmp/phpipam.mod