phpIPAM – Automatic host availability, discovery check, PING errors

To totally unlock this section you need to Log-in


Login

From version 0.9 of phpIPAM on there is a option to automatically check statuses of configured hosts for selected subnets, and discovery of new hosts. We received some related questions about it, so here is a short description and guide for it.

Firstly, pcntl support for php cli is advised so phpipam can do parallel icmp checks, this greatly reduces time required for checking status. You can check if your installation is ok with following command:

php -m | grep pcntl

Configure the parameters for pinging

Set the time parameters for status under Administration > IPAM settings (Ping status intervals), phpipam will set host as down/up based on this values. Also, set the proper icmp parameters and paths.

Select which networks to check

subnet scan selection

Now you have to select which subnets should scan for statuses for configured hosts.

Go to edit subnet and check “Check hosts status”. This will tell the cron script to check the status of hosts inside this subnet. “Discover new hosts” will try to find new hosts for this subnet and will automatically add them to phpipam database.

phpIPAM - Automatic host availability, discovery check, PING errors

Add cron script

We suggest checking it per 15 minutes:

# update host statuses exery 15 minutes
*/15 * * * * /usr/local/bin/php /usr/local/www/phpipam/functions/scripts/pingCheck.php
*/15 * * * * /usr/local/bin/php /usr/local/www/phpipam/functions/scripts/discoveryCheck.php

Change the paths according to your installation of course. That should be it. We would advise to run the script manually for the first time to see if any errors are present.

PING Scan Errors

Many issues reported with scanning subnets and updating host statuses are related to SElinux being enabled. So far the solution was to completely disable SElinux, but this was more workaround than anything else. A phpipam user was kind enough to share SElinux policy that should be used with phpipam if SElinux is enabled on your server.

Basically it permits the opening of raw IP sockets for non-root users, that are required for executing ping command. Create the file http_ping.tt and add the following to it:

module http_ping 1.0;

require {
type httpd_t;
class capability net_raw;
class rawip_socket { getopt create setopt write read };
}

#============= httpd_t ==============
allow httpd_t self:capability net_raw;
allow httpd_t self:rawip_socket { getopt create setopt write read };

Run the following commands (as root user):

checkmodule -M -m -o http_ping.mod http_ping.tt
semodule_package -o http_ping.pp -m http_ping.mod
semodule -i http_ping.pp

This also helps to check status, with setenforce 0:

[[email protected] selinux]# getenforce
Enforcing
[[email protected] selinux]# setenforce 0
[[email protected] selinux]# getenforce
Permissive
[[email protected] selinux]#

Than add correct permission to ping:

[[email protected] selinux]# ls -ls `which fping`
88 -rwxr-xr-x. 1 root root 89927 Apr 3 17:11 /usr/local/sbin/fping
[[email protected] selinux]# chmod 4755 /usr/local/sbin/fping

[[email protected] selinux]# ls -ls `which ping`
88 -rwsr-xr-x. 1 root root 89927 Apr 3 17:19 /usr/sbin/ping
[[email protected] selinux]# chmod 4755 /usr/sbin/ping
[[email protected] selinux]#