
net-mgmt/librenms: Update to 1.35, many improvements
Closed, Public

Authored by feld on Jan 14 2018, 3:59 PM.

Details

Summary

Update to 1.35

Improvements:

  • All files should be owned root:wheel except logs and rrd which need to be writable by the app
  • Add missing php posix extension
  • Do not install config.php by default. This breaks the install process which won't run if this file exists
  • Clean up automatic PLIST creation: don't install .orig or .bak files, don't add @dir as they aren't needed
  • Patch LibreNMS to make /validate/ page not produce warnings about files not being writable (for git updates)
  • Remove the Updates validation check altogether as we won't be using git to update
  • Patch the User validation check to only check the logs and rrd dir and ensure the correct user owns them
  • Change the default user in the generated config to "www"
  • Patch the File Lock code to put the lock file in /tmp and not in the WWWDIR which should not be writable
  • Update message in installer to use WWWDIR as suggested path for config.php
  • Use shebangfix instead of patch where applicable
  • Fix APACHEMOD port option and declaration of the USES=php

I may have forgotten something but this is the bulk of it.

Previously the LibreNMS port/package was not very easy to install or use and the result was an insecure
mess. Upstream projects too often expect users to "git checkout" and run
everything in a directory writable by the www user which makes it a
juicy target for exploits.
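An ownership audit for the layout described in the summary, as an added example that is not part of the review or the port: everything under WWWDIR belongs to the packaging owner except the logs and rrd directories, which belong to the app user. The function name `audit_wwwdir`, its three arguments, the assumption that `logs` and `rrd` sit directly under WWWDIR, and the extra world-writable check are choices made for this sketch.

```shell
#!/bin/sh
# Added example (not from the port): audit an installed tree against the
# ownership model in the summary above.
#   $1  WWWDIR of the installed application (placeholder, site specific)
#   $2  owner expected for the code tree (the summary uses root)
#   $3  user the app runs as (the summary's generated config uses www)
# Assumption: logs/ and rrd/ are direct children of WWWDIR.
audit_wwwdir() {
    wwwdir=$1; code_owner=$2; app_user=$3
    findings=$(
        # Code tree: skip logs/ and rrd/, then report anything that is not
        # owned by code_owner or that is world-writable. Symlinks are
        # skipped because their mode bits are not meaningful.
        find "$wwwdir" \
            \( -path "$wwwdir/logs" -o -path "$wwwdir/rrd" \) -prune -o \
            ! -type l \( ! -user "$code_owner" -o -perm -0002 \) -print |
            sed 's/^/code-tree: /'
        # Data directories: must exist and be owned by the app user,
        # otherwise the app cannot write logs or RRD files.
        for d in logs rrd; do
            if [ ! -d "$wwwdir/$d" ]; then
                echo "missing: $wwwdir/$d"
                continue
            fi
            find "$wwwdir/$d" ! -type l ! -user "$app_user" -print |
                sed 's/^/data-dir: /'
        done
    )
    if [ -z "$findings" ]; then
        return 0            # layout matches the model
    fi
    printf '%s\n' "$findings"
    return 1                # at least one deviation was listed
}

# Run directly as: sh audit.sh "$WWWDIR" root www
if [ "$#" -eq 3 ]; then
    audit_wwwdir "$@"
fi
```

Each output line names one deviating path, so the result can be fed to a periodic check on the host.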

Diff Detail

Repository
rP FreeBSD ports repository
Lint
Automatic diff as part of commit; lint not applicable.
Unit
Automatic diff as part of commit; unit tests not applicable.

Event Timeline

net-mgmt/librenms/files/patch-config.php.default
1 ↗(On Diff #37936)

I have thought about moving config.php to /usr/local/etc and providing a symlink

net-mgmt/librenms/files/patch-config.php.default
1 ↗(On Diff #37936)

That would be a simple change to the port but I'd like to avoid piling on even *more* changes in this review. My goal with this was to

  1. make it possible for a user to install the package and follow upstream docs to set up
  2. make it more "FreeBSD & packaged friendly"
  3. secure it out of the box

I have a few more improvements up my sleeve and I can include that in the next round.

net-mgmt/librenms/files/patch-config.php.default
1 ↗(On Diff #37936)

Agreed.

I'm also considering moving the graph data to /var/db/librenms

@dvl @feld Let's commit this one and leave the other changes proposed for the next version to come

This revision is now accepted and ready to land. Jan 15 2018, 7:28 PM

Do not silence any of the steps in do-install

Add newsyslog config file so logs get rotated

This revision now requires review to proceed. Jan 18 2018, 7:54 PM

INSTALL_DATA not INSTALL_SHARE...

Just adding this one little feature before committing as gigantic logs
are going to bite someone someday.

Actually not going to commit with the newsyslog.conf because I hate the way this is handled right now in FreeBSD. The "include" statement in /etc/newsyslog.conf will grab every file so we can't even install with a .sample so users can customize log rotation to their liking...

This revision was not accepted when it landed; it landed in state Needs Review. Jan 18 2018, 8:22 PM
This revision was automatically updated to reflect the committed changes.