GLPI on Ubuntu 24.04 on Azure User Guide
Overview
GLPI is a leading open source IT Service Management (ITSM) and IT Asset Management (ITAM) platform. From an ordinary browser your team can run a helpdesk, log and track tickets, build a CMDB and asset inventory, manage software licences and contracts, and report on it all. The cloudimg image ships GLPI 11.0.8 served by nginx and PHP 8.3 FPM on a hardened, fully patched Ubuntu 24.04 LTS base, together with a bundled local MariaDB server so the appliance is complete and useful on its own. GLPI runs behind an nginx reverse proxy on port 80. The bundled MariaDB listens only on the loopback interface (127.0.0.1:3306) and keeps its data on a dedicated Azure data disk. A unique Super-Admin password is generated on the first boot of every VM, and all four of GLPI's well known default accounts are secured. Backed by 24/7 cloudimg support.
What is included:
- GLPI 11.0.8 served by nginx and PHP 8.3 FPM, managed by systemd
- A bundled MariaDB 10.11 server holding the GLPI database, already installed and ready
- The GLPI web console on
:80served from the hardenedpublic/web root - A per VM Super-Admin password generated on first boot and recorded in a root only file
- All four GLPI default accounts secured: the
glpiSuper-Admin password is rotated per VM, andtech,normalandpost-onlyare disabled - MariaDB bound to
127.0.0.1only, never exposed to the network - Two dedicated Azure data disks: the MariaDB database at
/var/lib/mysqland the GLPI files, dumps and sessions at/var/lib/glpi nginx.service,php8.3-fpm.serviceandmariadb.serviceas enabled systemd units- An unauthenticated
/healthzendpoint for Azure Load Balancer health probes - 24/7 cloudimg support
Prerequisites
An active Azure subscription, an SSH key pair, and a VNet plus subnet in the target region. Standard_B2s (2 vCPU / 4 GiB RAM) is a sensible starting point; size up for larger inventories, more agents or heavier ticket volumes. NSG inbound: allow 22/tcp from your management network and 80/tcp for the web console. GLPI serves plain HTTP on port 80; for production, terminate TLS in front of it with your own domain. The bundled MariaDB is never exposed: it listens on 127.0.0.1 only, so port 3306 stays off the network.
Step 1 - Deploy from the Azure Marketplace
Sign in to the Azure Portal, choose Create a resource, search the Marketplace for GLPI by cloudimg, and select Create. On Basics pick your subscription, resource group, region and size; under Administrator account choose SSH public key and paste your key; under Inbound port rules allow SSH (22) and HTTP (80). Review the dedicated data disks on the Disks tab, then Review + create then Create.
Step 2 - Deploy from the Azure CLI
az vm create \
--resource-group <your-rg> \
--name glpi \
--image <marketplace-image-urn> \
--size Standard_B2s \
--admin-username azureuser \
--generate-ssh-keys \
--public-ip-sku Standard
Then open port 80 to the web console:
az vm open-port --resource-group <your-rg> --name glpi --port 80
Step 3 - Confirm the services are running
SSH in as azureuser and confirm nginx, PHP FPM and MariaDB are all active. Note that MariaDB listens only on 127.0.0.1:3306 while nginx serves the web console on port 80.
systemctl is-active nginx php8.3-fpm mariadb glpi-firstboot
ss -tlnp | grep -E ':80 |:3306 ' | sed 's/ */ /g'

Step 4 - Retrieve the per VM administrator password
Every VM generates its own GLPI Super-Admin password on first boot and writes it, along with the login user and URL, to a root only credentials file. Read it with sudo:
sudo cat /root/glpi-credentials.txt

You sign in to the GLPI web console as user glpi with the GLPI_ADMIN_PASSWORD from this file. On the box itself you can also run sudo mariadb to reach the database directly over the local socket without a password.
Step 5 - Sign in to the GLPI web console
Browse to http://<vm-public-ip>/ and sign in with username glpi and the password from Step 4, leaving the login source on GLPI internal database.

Once signed in you land on the Central dashboard, GLPI's home page. The left menu gives you Assets, Assistance (the helpdesk), Management, Tools, Administration and Setup, while the dashboard tiles summarise your tickets, assets, software and more.

Step 6 - Log a helpdesk ticket
Open Assistance then Tickets and use the + button to raise a new ticket. Give it a title and description, set the type, category, urgency and requester, attach any files, then click Add. Technicians can then assign, track and resolve the ticket through its lifecycle.

Step 7 - Manage assets and inventory
Open the Assets menu to manage your IT estate: computers, monitors, software, network devices, peripherals, printers, racks and more. Each asset type has its own inventory list with search, filtering and bulk actions, and links to the tickets, contracts and licences associated with it.

Step 8 - The secured default accounts
A stock GLPI install ships four well known default accounts: glpi, tech, normal and post-only. The cloudimg image secures all four before capture: the glpi Super-Admin password is rotated to a unique per VM secret, and tech, normal and post-only are disabled. You can confirm the state directly, and run the built in round-trip check which proves the per VM administrator signs in while every default login is rejected:
mariadb --protocol=socket -uroot -N -e "SELECT CONCAT(name,' is_active=',is_active) FROM glpi.glpi_users WHERE name IN ('glpi','tech','normal','post-only') ORDER BY FIELD(name,'glpi','tech','normal','post-only')"
sudo bash /usr/local/sbin/glpi-cred-roundtrip.sh

Step 9 - Verify the stack and where your data lives
Confirm the GLPI version, the health endpoint, the two dedicated data disks and the installed GLPI schema. The MariaDB database lives on the data disk mounted at /var/lib/mysql, and GLPI's variable data (uploaded documents, dumps, sessions and cache) lives on the data disk mounted at /var/lib/glpi, so all of your state is kept separate from the operating system disk and rides with the VM:
sudo -u www-data php /var/www/glpi/bin/console --version
curl -sI http://127.0.0.1/healthz | head -1
findmnt -no SOURCE,TARGET,FSTYPE,SIZE /var/lib/mysql; findmnt -no SOURCE,TARGET,FSTYPE,SIZE /var/lib/glpi

Adding your own domain and TLS
The appliance serves plain HTTP on port 80. For production, front GLPI with your own domain and a TLS certificate, then update GLPI's base URL under Setup then General so notification links and the API use the public address. You can terminate TLS with Azure Application Gateway, an nginx or Caddy reverse proxy, or a managed load balancer with a certificate for your domain.
Security notes
- GLPI serves plain HTTP on port 80. For anything beyond a trusted network, put it behind your own TLS terminating reverse proxy or Azure Application Gateway with a certificate for your domain.
- The bundled MariaDB listens on
127.0.0.1only and is never reachable from the network. Administer it through GLPI or over SSH. - All four GLPI default accounts are secured on every VM: the
glpiSuper-Admin password is unique per VM, andtech,normalandpost-onlyare disabled. Keep/root/glpi-credentials.txtprotected and change the password from within GLPI if you share access. - Restrict inbound
80/tcpin your NSG to the networks that need the web console.
Support
This image is maintained by cloudimg with 24/7 support. If you need help deploying or operating GLPI on Azure, contact us at cloudimg.co.uk.