Versions Compared

Old Version 113

changes.mady.by.user John Sinclair

Saved on

compared with

New Version 114

changes.mady.by.user John Sinclair

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Rename from The Opmantek Installer to The FirstWave Installer


Info
titleOpmantek FirstWave Installer

All Opmantek FirstWave products make use of an interactive installer program that greatly simplifies both initial installation AND upgrading an existing installation.

...

This document explains the most essential installer features.

Table of Contents

Installation of

...

FirstWave Applications

Prerequisites

  • With the exception of Open-AudIT, which can be installed on Windows Server or Linux, all Opmantek FirstWave applications are available for Linux 64-bit systems only.
    Redhat/CentOS6, Debian 7, Ubuntu 10 and newer are supported (basically anything running glibc 2.3 and up).
  • The latest versions of our applications can be found at: https://opmantekfirstwave.com/networksoftware-tools-downloaddownloads/
  • To run the installer you need superuser/root access on the system in question.
  • Please note that as of Feb 2017, all Opmantek FirstWave applications require that /tmp is mounted with execute permissions (i.e. mounted without the noexec mount flag).
    See below for an alternate procedure if your /tmp is non-executable.

...


FirstWave Applications Download Formats

In the past our applications were provided in the form of a compressed tar file, which required some manual steps for unpacking and installer invocation. As of February 2016 we've switched to a self-extracting download format which makes this aspect much more user-friendly.

All Opmantek FirstWave product releases from 16 June 2016 onwards include the installer in both pre-compiled and source form, to ensure that you can install the software on a system without Perl present. The source form of the installer is provided for diagnostic purposes; by default the self-extracting run file will start the pre-compiled installer version.

When you download an Opmantek FirstWave Application, the file will be called <product name>-<version>.run and your browser will likely prompt you regarding what to do with this '.run' file; you should tell it to Save the file. If you are installing the application onto a different system than the one where you downloaded the file, you'll have to use scp or some other file transfer method of your choice to transfer the .run file to the target system.

Info
titleBest Practice

As a best practice, Opmantek FirstWave recommends you create a dedicated directory, perhaps named "installs" to download and run the installer from. If you are using the Opmantek FirstWave VM we recommend creating this folder in /data/installs/


Preparation: Is /tmp directory mounted noexec and/or is fapolicyd service installed and running?

The OMK and NMIS installers' will not execute successfully unless it is able to unpack itself and is then able to execute the ./pre-install.sh script within the unpacked directory:

...

  • noexec mounted /tmp Change (required by OMK Installers and NMIS Installers):

    Code Block
    # Please read the next paragraph 'Starting the Installer' too, for more details on the installer!


# The OpmantekFirstWave installers cannot install from a noexec mounted directory, so we need to install from an alternative location:
# - for this example we have chosen directory '/data/installs/':
sudo mkdir -p /data/installs
cd /data/installs

# We need to instruct only this command we are about to execute with current directory set as environment variable TMPDIR:
# Place the installer  in the current directory, then ..

# This command as given sets TMPDIR to the current directory (not /tmp/) - there is a space character between the two stop characters in 'TMPDIR=. ./'
# TMPDIR=.<space>./

TMPDIR=. ./opReports-4.2.2-test-noexec.run

# To be safe we ensure TMPDIR is unset after successful execution of the installer by executing this command:
unset TMPDIR

# The installer will now install using current directory as /tmp
# Unfortunately when the installer runs in this way, not using /tmp/ directory, it doesn't clean up after itself, so we clean up manually:
ls
opReports-4.2.2-test-noexec.run
selfgz3021223337

# The installer always unpacks to a directory of glob pattern selfgz*, so we clean up by removing directory selfgz3021223337:
rm -rf selfgz*



Debugging PAR Script Unpack Locations

Bash one-liner command to find the scripts executing as PAR executables on a server and where their PAR unpacked directory is located:

Code Block
sudo find / -type f ! -name 'main.pl' -regextype posix-egrep -regex '^.*?/par-[^/]+/cache-[^/]+/inc/script.*' 2>/dev/null|xargs -I{} sudo ls -lA '{}';

	-rw-r--r--. 1 root root 37741 Feb  7 15:09 /tmp/par-726f6f74/cache-5372daa5f1e09cab20da623efbb20c3c4f14b1a8/inc/script/opcharts-cli.pl

# Using this approach I tracked down the above execution of opcharts-cli.pl to be by an NMIS9 plugin SubnetImport.pm, which is executed by nmis9d.service daemon

# Unfortunately systemd services do not pick up this global environment variable, so nmis9d service needs to be edited:
# first we check the needed 'EnvironmentFile' entry is not already included with:
sudo systemctl cat nmis9d
# then, if necessary, edit nmis9d service
sudo systemctl edit nmis9d

# Ensure the service is configured to use PAR_GLOBAL_TMPDIR environment variable as set in /etc/environment
# by adding the following entry to [Service]
# - add [Service] section if it is not already present
# - note the '=-' which instructs nmis9d.service not to fail on file /etc/environment not being found:

[Service]
EnvironmentFile=-/etc/environment



# reload the edited service
sudo systemctl daemon-reload


# restart the nmis9d service
sudo systemctl restart nmis9d



Debugging fapolicyd

Stop the fapolicyd service and run fapolicyd in the foreground with '--debug-deny' parameter:

Code Block
sudo systemctl stop fapolicyd

# For debugging fapolicyd, please read:
# https://www.mankier.com/8/fapolicyd
# ...
# --debug-deny
# leave the daemon in the foreground for debugging. Event information is written to stderr only when the decision is to deny access.

sudo /usr/sbin/fapolicyd --debug-deny

Loaded 16 rules
Changed to uid 990
Initializing the database
fapolicyd integrity is 0
backend rpmdb registered
backend file registered
Loading rpmdb backend
Loading file backend
Checking database
Importing data from rpmdb backend
Importing data from file backend
Entries in DB: 28117
Loaded from all backends(without duplicates): 28117
Database checks OK
added /dev/shm mount point
added / mount point
added /var mount point
added /boot mount point
added /tmp mount point
added /data mount point
added /run/user/1000 mount point
Starting to listen for events
rule=15 dec=deny_audit perm=execute auid=-1 pid=2302 exe=/usr/local/omk/bin/opha-cli.exe : path=/tmp/par-726f6f74/cache-00548e237c0c0fdd9581d8236e7b57e47c9024b4/opha-cli.pl ftype=application/x-executable
rule=15 dec=deny_audit perm=execute auid=-1 pid=2303 exe=/usr/local/omk/bin/opreports-scheduler.exe : path=/tmp/par-726f6f74/cache-815c07b0877113fa7553963226f8855aa1160121/opreports-scheduler.exe ftype=application/x-executable
rule=15 dec=deny_audit perm=execute auid=-1 pid=2306 exe=/usr/local/omk/bin/opha-cli.exe : path=/tmp/par-726f6f74/cache-00548e237c0c0fdd9581d8236e7b57e47c9024b4/opha-cli.pl ftype=application/x-executable
rule=15 dec=deny_audit perm=execute auid=-1 pid=2542 exe=/usr/local/omk/bin/baseline.exe : path=/tmp/par-726f6f74/cache-62f960e7d5fb11c6bcbb34fba76fe5030b04477c/baseline.exe ftype=application/x-executable
rule=15 dec=deny_audit perm=execute auid=-1 pid=2695 exe=/usr/local/omk/bin/opreports-scheduler.exe : path=/tmp/par-726f6f74/cache-815c07b0877113fa7553963226f8855aa1160121/opreports-scheduler.exe ftype=application/x-executable
...
...

# When finished debugging, press CTRL+C to kill this foreground fapolicyd process:
^C shutting down...


# I traced the above few issues returned while debugging to cron jobs not reading /etc/environment
# and therefore not picking up the environment variable PAR_GLOBAL_TMPDIR
# Here is the solution to this issue:
#
# To ensure cron jobs cron jobs read /etc/environment and pick up the environment variable PAR_GLOBAL_TMPDIR,
# prepend the following code to the command:
export $(/usr/bin/xargs < /etc/environment)||:;
# For example /etc/cron.d/opreports:
# was 
        # this cron schedule runs the opReports scheduler every 5 minutes
        #
        # m h dom month dow user command
        */5 * * * *   root 	/usr/local/omk/bin/opreports-scheduler.exe
# and becomes
        # this cron schedule runs the opReports scheduler every 5 minutes
        #
        # m h dom month dow user command
        */5 * * * *   root	export $(/usr/bin/xargs < /etc/environment)||:; /usr/local/omk/bin/opreports-scheduler.exe  


# Restart the fapolicyd service when debugging is finished: 
sudo systemctl start fapolicyd


Starting the Installer

Starting the self-extracting installer is trivial: you simply tell your shell to run it.

...

Please note that the installer needs to run with root privileges, and will terminate with an error message if this requirement is not met.


Available Installer Options

You can see an overview of the available options related  to the self-extracting aspect when you start a run file with --help:

...

  • NMIS9 Compatible OMK Application Installers created on or after 2020-08-18 will include a new option '-D':  Dependency Check Mode  to assist with installation in a disconnected (air-gapped) environment:
    • When run with  Dependency Check Mode  enabled the installer will not perform an install, but write a file containing a list of dependencies to the /tmp/ directory.
      For example, sh ./opCharts-4.1.1.run -- -D  run as a normal user, would start the installer in Dependency Check Mode (-D) and only create a list of dependencies at /tmp/omk_dependency_check_opcharts upon completion.
  • If you want to perform a simulation run of the installation, use the -n option: the installer will only print what it would do, what files it would copy and so on, but will not perform any of these steps.
  • By default the installer is interactive and will prompt you for decisions and confirmations; If you want to run it in non-interactive batch mode, use the -y option.
    In this case all dialogs and prompts are automatically answered with the default answer (usually 'y').
  • The -p preseed-file option, supports a feature for better non-interactive installations: answers to the installer's questions can now be preseeded before the installer is invoked. See Smarter non-interactive installation with Preseeding
  • Please note that in non-interactive mode the installer will abort upgrades if critical incompatibilities (e.g. license type) are detected; the option to overrule the installer in such situations is only present when the installer is running interactively.
  • Certain installer choices can be preset for non-interactive mode:
    1. Setting the environment variable NO_LOCAL_MONGODB to a non-empty value instructs the installer to not install a local MongoDB server even if none is present.
      Please note that you will have to manually adjust the Opmantek FirstWave daemon init scripts or systemd unit files after installation, as these express the dependency on a local MongoDB installation.
    2. NMIS9 compatible Opmantek FirstWave Applications released after 13 May 2020 will offer a more comprehensive option '-m f' or '-m F' to instruct the installer to skip all MongoDB related instructions completely during the install.
      This option is more comprehensive than environment variable NO_LOCAL_MONGODB.
      NO_LOCAL_MONGODB only prevents install of MongoDB, but does not not skip other MongoDB related instructions that will be executed by the installer.
      Please note that you may have to manually adjust the Opmantek FirstWave daemon init scripts or systemd unit files after installation, should these express the dependency on a local MongoDB installation.

...

For example, sh ./opFlow-3.0.5.run --keep -- -n would start the installer in simulation mode (-n) and leave the unpacked files behind (--keep) when done.


Logs and Backups

The installer saves a log of all actions taken, files copied etc. in the installation directory as install.log, ie. normally it'll be in /usr/local/omk/install.log. Subsequent upgrades or installations of other Opmantek FirstWave products will add to that logfile, so you may very well want to remove or clear the install.log file before upgrading or adding extra software.

Unless this is the very first installation of an Opmantek FirstWave product on this system, the installer will offer taking a backup of all affected files before the installation commences. This backup will be saved in the root user's home directory as omk-backup-YYYY-MM-DD.tgz. Thebackup includes:

  • all the directories that the installer will later copy files to,
  • the conf directory,
  • the old software manifest,
  • and the old install.log.


Software Dependencies

Wherever possible the installer will help you with the installation of any missing software dependencies, using yum or apt-get depending on your operating system platform.

...

In other cases where the dependency is a "soft" one or where automatic installation isn't an option you will be shown a warning dialog about the missing dependency and the installer will wait until you confirm before continuing.


Product Coexistence, Migration and Upgrades

Before installing any Opmantek FirstWave software components, a thorough check of the existing state of your system will be made to ensure that the new product does integrate correctly with other already existing Opmantek FirstWave products. This check relies on the software manifests stored in the installation directory (default /usr/local/omk) and the product tarball, and thus won't be fully precise if no manifests exist.

When an installation of older/legacy Opmantek FirstWave products is detected or if the manifest is missing, then the installer will take a comprehensive backup snapshot of your installation directory first. This is to ensure that you could revert back to the pre-installation state quickly and with minimal downtime, should the installer unexpectedly fail the coexistence check or break existing old applications. Here is an example of the prompts in this situation:

Code Block
++++++++++++++++++++++++++++++++++++++++++++++++++++++
An old legacy installation was detected.
++++++++++++++++++++++++++++++++++++++++++++++++++++++

The installer has found a pre-existing installation of one or more
OpmantekFirstWave products in /usr/local/omk. 

The installation can proceed but may cause disruptions to installed
legacy products other than opEvents.

If you agree to continue, the installer will take a backup snapshot
of your complete previous installation and then prepare the
installation environment for opEvents.

Do you want to continue the installation?
Type 'y' or hit <Enter> to accept, any other key for 'no': y
Creating legacy snapshot, please wait...

Snapshot created, file name: /root/omk-legacy-2014-07-14.tgz

The installer has created a full snapshot of your previous installion
in /root/omk-legacy-2014-07-14.tgz. The installation of opEvents will now proceed.

Should you need to revert to your previous installation status,
simply remove all contents of /usr/local/omk and unpack the snapshot:
rm -rf /usr/local/omk/* && tar -C / -xzvf /root/omk-legacy-2014-07-14.tgz

Hit <Enter> when ready to continue:

If the installer detects an unresolvable conflict between the module dependencies for your existing products and the new product, it will abort the installation with a detailed error message: in this case we recommend that you contact Opmantek FirstWave Support for a resolution.

For product upgrades the installer will perform the same check and upgrade only the files and modules that are required, taking great care to not damage the function of any other existing Opmantek FirstWave products. In that case the installer will also recommend a shut down of any Opmantek FirstWave daemons before the installation commences, so that all files can be copied safely and without negatively affecting running daemons.


Integration and Initial Configuration

After all necessary files have been installed in their appropriate locations the installer will take care of integrating your product with the operating system, web servers and so on.

Typically this will at the minimum involve the installation of up-to-date init scripts for the Opmantek FirstWave daemon, integration of the Opmantek FirstWave GUI with your Apache webserver, setting up of log rotation and the optional first start of the Opmantek FirstWave daemon. The dialogs in question are all very similar to the following:

Code Block
++++++++++++++++++++++++++++++++++++++++++++++++++++++
 Updated init script for the OpmantekFirstWave daemon available
++++++++++++++++++++++++++++++++++++++++++++++++++++++

Ok to install the init script for the OpmantekFirstWave daemon? 
Type 'y' or hit <Enter> to accept, any other key for 'no': y

...

Code Block
++++++++++++++++++++++++++++++++++++++++++++++++++++++
Opmantek FirstWave Daemon Startup
++++++++++++++++++++++++++++++++++++++++++++++++++++++


The OpmantekFirstWave daemon can now be started, but you might want to delay 
that until you have adjusted the configuration files.

Do you want to start the OpmantekFirstWave daemon now?
Type 'y' or hit <Enter> to accept, any other key for 'no': n
Skipping start of OMKD
Please note that you will have to start the OpmantekFirstWave daemon to activate 
the OpmantekFirstWave GUI. You can do so by running 'service omkd start' as 
the root user.

Hit <Enter> when ready to continue:

...

Code Block
++++++++++++++++++++++++++++++++++++++++++++++++++++++
opEvents is Ready for Configuration
++++++++++++++++++++++++++++++++++++++++++++++++++++++

This initial installation of opEvents is now complete.

However, to configure and fine-tune the application suitably for
your environment you will need to make certain configuration adjustments.

We highly recommend that you visit the documentation site for opEvents at

  https://community.opmantek.com/display/opEvents/Home

The next step is to determine what configuration changes
will be required for your environment.

If you have started the OpmantekFirstWave and the opEvents daemons,
then your new opEvents dashboard should now be accessible at

  http://<HOSTNAME_OR_IP>/omk/opEvents/

If your browser is running on the same machine as opEvents was 
installed onto, this would be http://localhost/omk/opEvents/

++++++++++++++++++++++++++++++++++++++++++++++++++++++
installation complete.
++++++++++++++++++++++++++++++++++++++++++++++++++++++


FAQ

  • What's this warning about "incorrect checksum detected"?
    This can happen very infrequently, if you are installing an older Opmantek FirstWave application on top of newer ones, or if you've made extensive changes to your system's Opmantek FirstWave files.
    We strive hard to line up our releases properly so that everything meshes cleanly, but every now and then there are minor changes to files that older installer versions aren't quite aware of.

    In general this warning dialog is safe to answer with 'yes' and the installer will leave your system in a consistent working state (by replacing the unrecognizable/mismatching file with a known good version from the shipped product).

...

Please feel free to submit your comment here or email us with your questions!


Upgrading NMIS 9 Compatible

...

FirstWave Applications

We have made significant changes on our internal code for all our applications to work on OpmantekFirstWave's latest and fastest platform, however, previously installed product are not compatible with these new changes. 

...


Uninstalling

...

FirstWave Applications

Because Opmantek applications FirstWave Applications share code and modules wherever possible, uninstalling a single application is not completely trivial.

Using the Uninstaller

As of September 2016, all application releases include an unistaller tool which performs a limited uninstallation of a particular application. It's easy to use, but primarily disables an application without removal of application data or files. The uninstaller offers a simulation mode, too. You simply start it up with the application module in question, e.g.

Code Block
# -n invokes the simulation mode
/usr/local/omk/bin/uninstaller.exe -n opCharts
...
Would remove opCharts from load_applications list in opCommon.nmis.
Would restart service omkd.
Would stop service nmisd.
Would move init script nmisd to /root/uninstall-backup.


Manual Removal

If you desire a more permanent and complete application removal you will have to remove all Opmantek FirstWave applications: it is infeasibly complicated to determine which files and code modules are removable and which have to remain behind to keep the remaining applications in working shape.

A checklist for complete removal would involve the following steps:

  • Removal of all Opmantek FirstWave daemon init scripts from /etc/init.d
    This may include init scripts for omkd, nmisd, opeventsd, opconfigd, nfdump, opflowd.
    You should stop the daemons before removing the init scripts.
  • Removal of cron schedules for the Opmantek FirstWave applications
    This may include files in /etc/cron.d named oaeopaddressopconfigopevents,
    opflowopreportsoptrend.
  • Removal of all of /usr/local/omk, /var/log/omk/data/omk
    The latter two may not be present (but will be if your system started as an Opmantek Virtual Appliance).
  • Cleanup or removal of the Opmantek FirstWave applications' MongoDB databases
    Unless you are actively using MongoDB you might simply stop the mongod daemon and remove the database files (typically under /var/lib/mongodb or /data/mongodb for the Opmantek FirstWave VM).