LibreNMS Permissions Resetting

We have three servers running LibreNMS where I work to monitor our various network devices. By and large, the software is fantastic, and we’ve built up over two years of data for hundreds of devices, which is exceptionally useful for troubleshooting. There are some quirks monitoring some of our hardware, but overall it’s been pretty good.

Recurring permissions error

That said, sometime in 2019 I think, I started seeing a permissions error whenever I ran validate.php:

[FAIL] Some folders have incorrect file permissions, this may cause issues.
[FIX]:
sudo chown -R librenms:librenms /opt/librenms
sudo setfacl -d -m g::rwx /opt/librenms/rrd /opt/librenms/logs /opt/librenms/bootstrap/cache/ /opt/librenms/storage/
sudo chmod -R ug=rwX /opt/librenms/rrd /opt/librenms/logs /opt/librenms/bootstrap/cache/ /opt/librenms/storage/

In some cases, these permissions errors cause the daily update not to run; in other cases, they cause users without admin permissions to get errors after login or to be unable to see all the device info. On two of our servers, the worst issue is that the ajax search stops working, so we can’t search for devices in the upper-right corner of the web UI. Instead, we have to click Devices > All Devices, enter the IP or device name, and then hit the search button, which is frustrating when you’re trying to research a problem. Once I manually run the sudo chown, setfacl and chmod commands, things start working normally again.

Lots of others have this issue as well. It doesn’t seem to affect the same files, but different files on different instances.

LibreNMS permissions error workaround

As far as I’m aware, there is no ‘fix’ for this. However, you can set up a cronjob to run the commands regularly so that you don’t have to deal with the side effects. Personally, I run it every 10 minutes on each machine because it’s disruptive when you can’t use the front-page search function. However, it appears others use the cronjob ‘fix’ as well, and they seem to run it less often.

Here’s a breakdown of how I do it using an Ubuntu server, a user with sudo access and nano as the editor. If you’re using something not Debian-based, it will be a little different.

Create and open the file:

user@host:~$ sudo nano /opt/fixlibrenms.sh

Type in ‘#!/bin/sh’ at the very top of the editor with no leading space, then go down a line or two and enter the commands output by validate.php:

#!/bin/sh

sudo chown -R librenms:librenms /opt/librenms
sudo setfacl -d -m g::rwx /opt/librenms/rrd /opt/librenms/logs /opt/librenms/bootstrap/cache/ /opt/librenms/storage/
sudo chmod -R ug=rwX /opt/librenms/rrd /opt/librenms/logs /opt/librenms/bootstrap/cache/ /opt/librenms/storage/

To close the editor and save the file, press Ctrl+X, then ‘y’, then press Enter.

Next, you need to make the file executable. You can do this by typing:

user@host:~$ sudo chmod +x /opt/fixlibrenms.sh

After that’s set, type in the following to edit the root user’s crontab file:

user@host:~$ sudo crontab -e

Once it’s open, enter the following line (or whatever schedule you deem appropriate):

*/10 * * * * /opt/fixlibrenms.sh

Like with fixlibrenms.sh, to save and close the crontab file, press Ctrl+X, then ‘y’, then Enter.

Here are some other options if you don’t want to run it every 10 minutes:

Every hour at 5 minutes after:
5 * * * * /opt/fixlibrenms.sh

Every morning at 1am:
0 1 * * * /opt/fixlibrenms.sh

There are a number of crontab generators available to help with syntax for various date/time combinations, though I think this one seems pretty simple to use.

Once you’ve saved the crontab file, your script will automatically run the validate.php fix for files or folders with invalid permissions.
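
The post notes that the affected files differ between instances. As an added example (not from the original post or the LibreNMS project), this script lists which paths have drifted from the expected owner or lost user/group read-write, so the drift is recorded before the fix overwrites it. The script name and function names are hypothetical; the directories are the ones validate.php printed above.

```shell
#!/bin/sh
# Added example (not from the original post): list what drifted before fixing it.
# Usage: sh librenms-drift.sh /opt/librenms [owner] [group]

# Print paths under TREE not owned by OWNER:GROUP (names or numeric IDs).
owner_drift() {
    find "$1" \( ! -user "$2" -o ! -group "$3" \) -print
}

# Print paths under the given directories where user or group lacks rw,
# i.e. what "chmod -R ug=rwX" would have to change (octal 660 = ug rw).
mode_drift() {
    find "$@" ! -perm -660 -print
}

# Report drift for a LibreNMS tree; return status 1 means drift was found.
drift_report() {
    tree=$1 owner=${2:-librenms} group=${3:-librenms}
    bad=$(
        owner_drift "$tree" "$owner" "$group"
        mode_drift "$tree/rrd" "$tree/logs" "$tree/bootstrap/cache" "$tree/storage"
    )
    if [ -z "$bad" ]; then
        return 0
    fi
    # ls -ld shows the current owner, group and mode of each drifted path.
    printf '%s\n' "$bad" | sort -u | while IFS= read -r p; do
        ls -ld "$p"
    done
    return 1
}

# Only act when a tree is given on the command line.
if [ "$#" -ge 1 ]; then
    drift_report "$@"
fi
```

Run it as root from the same cron entry just before the chown, setfacl and chmod commands, with output appended to a log file of your choosing, so each run records what had changed. The owner and mode shown by ls -ld for each path indicate which account last created or modified it.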
