Developer Linux > Redhat Installation
There are 8 Linux servers in the current hardware topology:
- 2 gateway servers (GatewayA and GatewayB)
- 2 file servers (FileServerA and FileServerB)
- 2 generic servers (LinuxA1 and LinuxB1)
- 1 Asterisk VoIP server (pbx.geneabase.com)
- 1 monitoring server, monitor.geneabase.com.
The gateway and VoIP servers run CentOS 5.6. The other servers run Red Hat Enterprise Linux 6.
Documentation of RHEL 6 is included in Redhat Enterprise Linux Documentation
Generic options for all installations
Initial configuration
Create the environment directory in sysconfig:
mkdir -p /etc/sysconfig/geneabase/env
And create the following files there, each containing a single value on the first (and only) line of the file:
- SERVERID
- A globally unique identifier. It can be generated locally with uuidgen (util-linux), or in SQL Server (select NEWID()), MySQL (select uuid()), or Visual Studio > Tools > Create GUID.
- SERVERDOMAIN
- The domain prefix of the division this server is part of, e.g. nl.geneabase.com, uk.geneabase.com, etc.
- SERVERNAME
- The name that identifies this server within the division in a friendlier way than its GUID. In some cases this name can be appended to the server domain to get a full internet address, but not always (some servers have multiple addresses on multiple IPs).
- SERVERTYPE
- The primary role of the server: one of 'Fileserver', 'Webserver', 'Database', 'Mailserver', 'Nameserver', 'STS', 'Statusserver', 'Messageserver', 'Buildserver', 'Workstation', 'Gateway', 'Legacy' or 'Mixed'.
These files can be read by shell scripts with:
SERVERID=`cat /etc/sysconfig/geneabase/env/SERVERID|head -1`
Install geneabase software
Make sure you have installed and configured Git, as described in Git config. Then clone the software into /opt:
cd /opt
git clone git@github.com:Toutatis/Geneabase-RHEL geneabase
Configure Yum
Install RPMforge. Check which release is the latest at: http://packages.sw.be/rpmforge-release/
Fetch that package with wget and install it, for example:
wget http://pkgs.repoforge.org/rpmforge-release/rpmforge-release-0.5.2-2.el6.rf.x86_64.rpm
rpm -Uvh rpmforge-release-0.5.2-2.el6.rf.x86_64.rpm
The package arrives from a third party over plain HTTP; import the RPMforge GPG key and check it with rpm -K before running rpm -Uvh.
Make sure that the following channels are enabled in RHN for that system (the system must be registered with Red Hat under "RHN Classic Subscription Management"):
- RHEL Server Supplementary (v. 6 64-bit x86_64)
- RHEL Server Optional (v. 6 64-bit x86_64)
Edit /etc/yum.repos.d/rpmforge.repo: leave [rpmforge] enabled, enable [rpmforge-extras], and add the line includepkgs=none to both repository sections. With that line nothing is installed from RPMforge unless it is explicitly listed; add packages that are to be retrieved later to that (space-separated) list.
Create the new file /etc/yum.repos.d/geneabase.repo with the following content:
[geneabase]
name=Geneabase repository for custom packages
baseurl=http://repo.geneabase.com/rhel6
gpgkey=http://repo.geneabase.com/RPM-GPG-KEY-geneabase
gpgcheck=1
enabled=1
The repository is served over plain HTTP, so gpgcheck=1 (set explicitly here rather than inherited from yum.conf) is what guarantees that only packages signed with the key described under Install PGP key are installed.
Provided that you now have access to the geneabase repository, install the EPEL repository release:
yum install epel-release
Now install a bunch of packages:
yum install policycoreutils-python setroubleshoot setroubleshoot-server gcc python-devel \
    perl-Net-DNS perl-TimeDate perl-Algorithm-Numerical-Shuffle perl-Log-Log4perl perl-DBIx-Log4perl
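The includepkgs=none trick and the geneabase.repo file above turn third-party repositories into a whitelist; the checker below, an added example rather than anything from the page or the Geneabase tools, reads a .repo file and reports every enabled section that has no includepkgs whitelist or does not set gpgcheck=1 in the file itself (it could inherit gpgcheck from yum.conf, but the audit flags it so the intent is explicit in the repo file). The function name and the sample repo file used to exercise it are constructed for this example.

```sh
#!/bin/sh
# Added example: audit a yum .repo file for enabled sections that are not
# locked down. Needs only awk.

# audit_repo_file FILE: print "section: finding" lines; exit status 1 when
# anything was reported, 0 when every enabled section is whitelisted and
# signature-checked.
audit_repo_file() {
    awk '
    function report() {
        if (sec != "" && enabled == 1) {
            if (gpgcheck != 1) { print sec ": gpgcheck is not set to 1 here"; n++ }
            if (!has_include)  { print sec ": no includepkgs whitelist"; n++ }
        }
    }
    /^[ \t]*\[/ {
        report()
        sec = $0
        sub(/^[ \t]*\[/, "", sec); sub(/\].*$/, "", sec)
        # yum treats a section as enabled unless it says enabled=0
        enabled = 1; gpgcheck = 0; has_include = 0
        next
    }
    /^[ \t]*enabled[ \t]*=/     { split($0, a, "="); enabled  = a[2] + 0 }
    /^[ \t]*gpgcheck[ \t]*=/    { split($0, a, "="); gpgcheck = a[2] + 0 }
    /^[ \t]*includepkgs[ \t]*=/ { has_include = 1 }
    END { report(); exit (n > 0) }
    ' "$1"
}
```

Run it as `audit_repo_file /etc/yum.repos.d/rpmforge.repo` after editing a repo file; because the exit status is non-zero whenever a finding is printed, it can be the last step of a post-install check script.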
Configure profile
Create a new file /etc/profile.d/geneabase.sh. Depending on the roles the server fulfils (some servers have multiple roles), add the following lines to it:
. /opt/geneabase/common/profile.sh
. /opt/geneabase/[secondary role]/profile.sh
. /opt/geneabase/[primary role]/profile.sh
. /etc/sysconfig/clock
export ZONE
export SERVERID=`cat /etc/sysconfig/geneabase/env/SERVERID|head -1`
export SERVERDOMAIN=`cat /etc/sysconfig/geneabase/env/SERVERDOMAIN|head -1`
export SERVERNAME=`cat /etc/sysconfig/geneabase/env/SERVERNAME|head -1`
export SERVERTYPE=`cat /etc/sysconfig/geneabase/env/SERVERTYPE|head -1`
export PATH=/opt/geneabase/local/$SERVERDOMAIN/$SERVERNAME/bin:/opt/geneabase/local/$SERVERDOMAIN/bin:$PATH
This sets up the correct environment automatically at login. For example, on the Fileserver the primary role is 'fileserver' and there is no secondary role, so the [secondary role] line is removed. To set up this environment in your current terminal session, issue the command:
. /etc/profile.d/geneabase.sh
Note that the last line has the highest priority, since it may redefine variables from earlier lines.
The ZONE environment variable is used by /opt/geneabase/common/perl/Data/Column/DateTime.pm.
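The env files under Initial configuration and the profile above are read with a bare cat|head and spliced straight into PATH. As an added example (not part of the Geneabase scripts), here is a POSIX shell loader that validates what it reads before exporting anything: SERVERID must look like a GUID, SERVERTYPE must be one of the roles listed under Initial configuration, and SERVERDOMAIN/SERVERNAME may contain hostname characters only. The GENEABASE_ENV_DIR override and the function names are this example's own.

```sh
#!/bin/sh
# Added example: validating loader for /etc/sysconfig/geneabase/env.
# ENV_DIR can be overridden through GENEABASE_ENV_DIR (a variable invented for
# this example) so the functions can be exercised against a scratch directory.
ENV_DIR="${GENEABASE_ENV_DIR:-/etc/sysconfig/geneabase/env}"

# The SERVERTYPE values listed in the Initial configuration section.
VALID_TYPES="Fileserver Webserver Database Mailserver Nameserver STS Statusserver Messageserver Buildserver Workstation Gateway Legacy Mixed"

# read_env NAME: print the first line of $ENV_DIR/NAME, fail if missing or empty
read_env() {
    f="$ENV_DIR/$1"
    [ -r "$f" ] || { echo "read_env: cannot read $f" >&2; return 1; }
    v=$(head -n 1 "$f" | tr -d '\r')
    [ -n "$v" ] || { echo "read_env: $f is empty" >&2; return 1; }
    printf '%s\n' "$v"
}

# is_guid VALUE: 8-4-4-4-12 hex groups, as produced by uuidgen or NEWID()
is_guid() {
    printf '%s\n' "$1" | grep -Eq '^[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}$'
}

# is_servertype VALUE: exact match against VALID_TYPES
is_servertype() {
    for t in $VALID_TYPES; do
        [ "$t" = "$1" ] && return 0
    done
    return 1
}

# load_geneabase_env: export SERVERID, SERVERDOMAIN, SERVERNAME, SERVERTYPE and
# the per-server PATH prefix exactly as the profile does, but only after every
# value has been validated. Returns 1 (exporting nothing) on any problem.
load_geneabase_env() {
    id=$(read_env SERVERID) || return 1
    dom=$(read_env SERVERDOMAIN) || return 1
    name=$(read_env SERVERNAME) || return 1
    type=$(read_env SERVERTYPE) || return 1
    is_guid "$id" || { echo "SERVERID is not a GUID: $id" >&2; return 1; }
    is_servertype "$type" || { echo "unknown SERVERTYPE: $type" >&2; return 1; }
    # Domain and name end up in PATH: allow hostname characters only.
    case "$dom$name" in
        *[!A-Za-z0-9.-]*) echo "SERVERDOMAIN/SERVERNAME contain unsafe characters" >&2; return 1 ;;
    esac
    export SERVERID="$id" SERVERDOMAIN="$dom" SERVERNAME="$name" SERVERTYPE="$type"
    export PATH="/opt/geneabase/local/$SERVERDOMAIN/$SERVERNAME/bin:/opt/geneabase/local/$SERVERDOMAIN/bin:$PATH"
}
```

Sourcing this file from /etc/profile.d/geneabase.sh and calling load_geneabase_env gives the same four variables and PATH as the profile lines above, except that a mistyped SERVERTYPE or a stray character in an env file produces an error at login instead of a silently wrong PATH.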
Configure Log4perl
Many perl scripts require a default log4perl configuration. Therefore:
mkdir /etc/log4perl
cp /opt/geneabase/common/etc/default_log4perl.conf /etc/log4perl/default.conf
mkdir /var/log/geneabase
mkdir /var/report
Configure firewall
Preconfigured firewall scripts are located in the bin directory of each server role. If the PATH environment variable is set up correctly in the profile configuration (previous section), it should suffice to execute the following command:
config.firewall
Configure selinux
SELinux must be enabled, in enforcing mode with the targeted policy, on all servers. This is the default of a Red Hat 6 installation; it is configured in /etc/selinux/config (/etc/sysconfig/selinux is a symlink to it) with SELINUX=enforcing and SELINUXTYPE=targeted. If you run into problems, make sure the auditd service is running and check the denials in /var/log/audit/audit.log; with setroubleshoot installed, sealert -a /var/log/audit/audit.log explains them.
Installing FreeTDS
FreeTDS is required on those Red Hat servers that need to connect to the Microsoft SQL Server database. RPM packages are available in the geneabase repository (origin: sw.be). To install them:
yum install freetds freetds-devel perl-DBD-Sybase perl-DBIx-Log4perl perl-Data-UUID \
    perl-DateTime-Format-Sybase perl-DateTime-Format-Epoch perl-Net-DNS
Then edit the existing file /etc/freetds.conf and add the configuration:
[Geneabase]
host = <INTERNAL_IP_ADDRESS_OF_DATABASE>
port = 1433
tds version = 8
and test the database connection with:
tsql -S Geneabase -U <username> -P <password>
(leave out -P and tsql prompts for the password, which keeps it out of the process list and the shell history)
or with this little perl script (replace PASSWORD with the actual password):
#!/usr/bin/perl
use strict;
use warnings;
use DBI;

# Connect through the [Geneabase] entry of /etc/freetds.conf.
my $dbh = DBI->connect("dbi:Sybase:server=Geneabase",
    'Geneabase', 'PASSWORD', { PrintError => 0 })
    or die "Unable to connect to server: $DBI::errstr\n";

# Ask SQL Server for its own name to prove the round trip works.
my $sth = $dbh->prepare('select @@servername');
if ($sth->execute) {
    while (my @dat = $sth->fetchrow) {
        print "successfully connected to server '@dat'\n";
    }
} else {
    die "Query failed: " . $dbh->errstr . "\n";
}
$dbh->disconnect;
Installing UPS software
APC's own PowerChute for Linux has proven unusable. For servers attached to an APC unit, install apcupsd instead. You can get it from EPEL with:
yum install apcupsd-gui
This installs apcupsd plus gapcmon, which can be used to monitor and control the UPS.
Adding Gnome to a CentOS 6 minimal install
yum groupinstall "Desktop" "Desktop Platform" "X Window System" "Fonts"
Installation of Generic Server
RHEL 6 installation option: webserver, no customizations
CentOS 6 installation options: basic server, accept all the default packages, and add to that:
- Applications: Internet Browser
- Desktops: Desktop, tigervnc-server, Desktop Platform, Fonts, X Window System
- Servers: Server Platform, System administration tools, screen
Optional packages:
yum install git rpm-build rpmdevtools
Set up the build tree for rpm:
rpmdev-setuptree
Edit /root/.bashrc and remove the -i aliases.
Monitor Server and Repo Installation
The monitor server is located at a different facility from the other geneabase servers, and has four roles:
- monitor all services, and notify the administrator when problems occur.
- provide status reports to repository admins, at the domain monitor.geneabase.com.
- receive backups from the geneabase servers, to safeguard data against extreme calamities.
- host the yum repository for all custom packages, at the domain repo.geneabase.com.
Installation steps:
- install packages
yum install createrepo cpan2rpm
All packages are placed in the RPMS and SRPMS directories under /var/yum_repo/rhel6Server/. Each time new packages are added, execute:
createrepo /var/yum_repo/rhel6Server
restorecon -R /var/yum_repo/rhel6Server
or for rhel5 packages:
createrepo -s sha /var/yum_repo/rhel5
restorecon -R /var/yum_repo/rhel5
- add SELinux context for /var/yum_repo
semanage fcontext -a -t httpd_sys_content_t "/var/yum_repo(/.*)?"
restorecon -v -R /var/yum_repo
- also add SELinux context for /opt/geneabase/monitor/htdocs
semanage fcontext -a -t httpd_sys_content_t "/opt/geneabase/monitor/htdocs(/.*)?"
restorecon -v -R /opt/geneabase/monitor/htdocs
- we're reusing the error pages from the fileserver here, so make sure the SELinux context is set up:
semanage fcontext -a -t httpd_sys_content_t "/opt/geneabase/fileserver/error(/.*)?"
restorecon -v -R /opt/geneabase/fileserver/error
- allow connections to other servers from httpd (used by Monitor::Stats):
setsebool -P httpd_can_network_connect on
- patch the file /usr/lib/rpm/perl.req and add the following line in the process_file function (after "next if $module eq 'of';"). This is a hand edit of a file owned by the rpm package, so it has to be redone after an rpm update:
next if $module =~ /Win32API/;
- add the following file as /etc/httpd/conf.d/monitor.conf. Note that HTTP Basic authentication sends the username and password in the clear with every request, and with AuthMySQLPwEncryption none the Password column of vUserIpv4 holds the passwords in plaintext; both rely entirely on the firewall restricting this host to trusted networks, as described below. Keep the file mode 600, since it contains the MySQL password.
NameVirtualHost *
<VirtualHost *>
ServerName repo.geneabase.com
DocumentRoot /var/yum_repo
<Directory /var/yum_repo>
Options +Indexes
Order Allow,Deny
Allow from all
</Directory>
</VirtualHost>
<VirtualHost *>
ServerName monitor.geneabase.com
DocumentRoot /opt/geneabase/monitor/htdocs
<Location />
AuthType Basic
AuthBasicAuthoritative Off
AuthName "Monitor Service"
AuthMySQLEnable On
AuthMySQLHost localhost
AuthMySQLUser authmysql
AuthMySQLPassword [MYSQL-PASSWORD]
AuthMySQLDB Fileserver
AuthMySQLUserTable vUserIpv4
AuthMySQLNameField Username
AuthMySQLPasswordField Password
AuthMySQLPwEncryption none
AuthMySQLAuthoritative On
AuthMySQLUserCondition "IpAddress = '%a'"
require valid-user
</Location>
</VirtualHost>
Since the monitor server is only accessible to trusted users (by firewall configuration), it is a convenient place to make the Linux documentation available online. Place the following content in /etc/httpd/conf.d/docs.conf:
Alias /docs /usr/share/doc
<Directory /usr/share/doc>
AddType text/plain .patch .indirect .direct .master .schema .pl .py .sh .cgi .php .c
Options +Indexes
Order Allow,Deny
Allow from all
</Directory>
Make sure the webserver starts at boot:
chkconfig --level 345 httpd on
service httpd start
Install PGP key
Generate a signing key for the root account, export its public half and import that into the rpm database:
cd
mkdir .gnupg
gpg --gen-key
gpg --export -a 'YOUR NAME' > RPM-GPG-KEY-yourname
rpm --import RPM-GPG-KEY-yourname
Add the following line to ~/.rpmmacros:
%_gpg_name YOUR NAME
and sign any package with:
rpm --addsign some-package.rpm
Check the result with rpm -K some-package.rpm; it should report OK without MISSING KEYS. The key used for signing must also be the one served at the gpgkey URL in geneabase.repo, otherwise yum refuses the packages when gpgcheck is on.
All rpm packages currently hosted at the monitor server are signed with the key of Roberto Bourgonjen; his public key is in the file /opt/geneabase/common/etc/RPM-GPG-KEY-roberto, and clients import it with rpm --import.
Configure SFTP
setsebool -P ftp_home_dir on
Fileserver Installation
Install software
RHEL 6 installation option: webserver, no customizations
yum install apr-util-devel httpd-devel gcc gcc-c++ libmcrypt libmcrypt-devel \
    apr-devel memcached memcached-devel ImageMagick mod_auth_mysql perl-MediaWiki-API \
    perl-Cache-Memcached mod_perl perl-Mcrypt mod_filecrypt
yum remove mod_wsgi php webalizer
Environment setup
Create the file /etc/profile.d/geneabase.sh, containing the following:
. /opt/geneabase/common/profile.sh
. /opt/geneabase/fileserver/profile.sh
To activate this profile for your current session, type:
. /etc/profile.d/geneabase.sh
Configure SELinux
- allow connections to memcached from httpd (httpd_can_network_connect permits any outbound TCP from httpd; the narrower httpd_can_network_memcache covers memcached only, but the fileserver's httpd also has to reach the session service at FileCryptSessionServiceUrl, hence the broad boolean):
setsebool -P httpd_can_network_connect on
- allow writing of files by httpd (note: not sure if the first line is still required)
setsebool -P allow_httpd_sys_script_anon_write on
setsebool -P allow_httpd_anon_write on
- add SELinux contexts for /volume
semanage fcontext -a -t httpd_sys_content_t "/volume(/.*)?"
semanage fcontext -a -t public_content_rw_t "/volume/[0-9]{3}/[A-Za-z0-9]/[A-Za-z0-9](/.*)?"
semanage fcontext -a -t public_content_rw_t "/volume/[0-9]{3}/TEMP(/.*)?"
- create /volume, optionally add volumes beneath it, and apply the contexts
restorecon -v -R /volume
semanage fcontext -a -t httpd_sys_content_t "/opt/geneabase/fileserver/htdocs(/.*)?"
restorecon -v -R /opt/geneabase/fileserver/htdocs
semanage fcontext -a -t httpd_sys_content_t "/opt/geneabase/fileserver/error(/.*)?"
restorecon -v -R /opt/geneabase/fileserver/error
Mount storage volumes
- find the UUIDs of the attached volumes with:
blkid /dev/sdd
- create the appropriate directory in /volume, and add an entry to /etc/fstab:
UUID=11b27754-1345-41ee-9cc5-ef9aa626bf6d /volume/010 ext4 defaults,noatime 0 0
- after that, you can mount the volume with
mount /volume/010
- and initialize that volume (creating directory tree) with
volume.init 010
On development machines you may want to mount external volumes via nfs read-only. To do this, do
setsebool -P httpd_use_nfs on
Install wildcard SSL certificate
Each division needs its own wildcard SSL certificate. In this example we create the certificate for the NL division; replace nl with the division code for other divisions. The make targets below come from the Makefile in /etc/pki/tls/certs (on RHEL /etc/ssl/certs is a symlink to that directory).
mkdir /etc/ssl/certs/nl_geneabase_com
cd /etc/ssl/certs/
make nl_geneabase_com.key
- create the CSR; when asked for the password, enter the agreed secret password, and when asked for the Common Name enter *.nl.geneabase.com
make nl_geneabase_com.csr
mv nl_geneabase_com.key /etc/pki/tls/private/
restorecon -r -v /etc/pki/tls/private/
cat nl_geneabase_com.csr
Remove the password from the key, so that httpd can start unattended. From then on the key is stored in the clear and its only protection is the file mode and the SELinux label:
cd /etc/pki/tls/private/
openssl rsa -in nl_geneabase_com.key -out nl_geneabase_com-nopass.key
mv nl_geneabase_com-nopass.key nl_geneabase_com.key
chmod 600 nl_geneabase_com.key
Request the SSL certificate using this CSR: https://www.sslcertificaten.nl/SSLCertificaatDomein
Unpack the delivered certificates into /etc/pki/tls/certs/nl_geneabase_com/, renaming them if needed, so that you end up with the following files:
/etc/pki/tls/private/nl_geneabase_com.key
/etc/pki/tls/certs/nl_geneabase_com/STAR_nl_geneabase_com.crt
/etc/pki/tls/certs/nl_geneabase_com/AddTrustExternalCARoot.crt
/etc/pki/tls/certs/nl_geneabase_com/PositiveSSLCA2.crt
- restore the SELinux labels on these new files
restorecon -r -v /etc/pki/tls/certs
restorecon -r -v /etc/pki/tls/private
Create a tar of these files to distribute to other servers. The archive contains the unencrypted private key, so copy it over scp only and delete it from both ends afterwards:
tar cvzf nl_geneabase_com.tgz -C / \
etc/pki/tls/private/nl_geneabase_com* \
etc/pki/tls/certs/nl_geneabase_com
Alternatively, if you have done all this before and have an archive named nl_geneabase_com.tgz, install it with:
tar xvzf nl_geneabase_com.tgz -C /
- This entire routine should be repeated for STAR_geneabase.com (to match the domain files.geneabase.com)
mod_ssl honours only one SSLCertificateChainFile per virtual host (a second occurrence replaces the first rather than adding to it), so the intermediates must be concatenated into a single file, the issuer of the server certificate first (the -chain.crt name is arbitrary):
cd /etc/pki/tls/certs/nl_geneabase_com
cat PositiveSSLCA2.crt AddTrustExternalCARoot.crt > nl_geneabase_com-chain.crt
The matching Apache SSL configuration then reads:
SSLCertificateFile /etc/pki/tls/certs/nl_geneabase_com/STAR_nl_geneabase_com.crt
SSLCertificateKeyFile /etc/pki/tls/private/nl_geneabase_com.key
SSLCertificateChainFile /etc/pki/tls/certs/nl_geneabase_com/nl_geneabase_com-chain.crt
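Before a division's tarball is distributed it is worth checking that the private key and the certificate belong together (a key/cert mix-up between divisions is the classic mistake with a pile of STAR_*.crt files), that the de-passworded key is readable by root only, that the CN really is the wildcard that was requested, and that the certificate verifies against the intermediates that go into the chain file. The functions below are an added example, not from the page or the Geneabase tools; they assume only the openssl command-line tool and coreutils, and their names and argument order are this example's own.

```sh
#!/bin/sh
# Added example: sanity checks for a wildcard certificate before it is
# packaged and copied to the other servers of the division.

# key_matches_cert KEY CERT: the public half of KEY equals the certificate's
# public key. Returns 2 when either file cannot be parsed.
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 2
    crt_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 2
    [ -n "$key_pub" ] && [ "$key_pub" = "$crt_pub" ]
}

# key_is_protected KEY: group and other have no permission bits (mode 600/400).
# The key has no passphrase any more, so this is its only protection.
key_is_protected() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# cert_cn CERT: print the subject CN, e.g. *.nl.geneabase.com
# (handles both the "subject= /CN=x" and the "subject=CN = x" output styles).
cert_cn() {
    openssl x509 -in "$1" -noout -subject | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# chain_verifies CERT CA...: CERT chains to the given intermediate/root files,
# in the order they will be concatenated into the chain file.
chain_verifies() {
    leaf=$1; shift
    bundle=$(mktemp) || return 2
    cat "$@" > "$bundle"
    if openssl verify -CAfile "$bundle" "$leaf" >/dev/null 2>&1; then rc=0; else rc=1; fi
    rm -f "$bundle"
    return $rc
}

# check_division DIVISION: run all four checks on the files laid out as in the
# procedure above; prints one line per failure and returns non-zero if any failed.
check_division() {
    div=$1
    key=/etc/pki/tls/private/${div}_geneabase_com.key
    dir=/etc/pki/tls/certs/${div}_geneabase_com
    crt=$dir/STAR_${div}_geneabase_com.crt
    ok=0
    key_matches_cert "$key" "$crt" || { echo "key does not match $crt"; ok=1; }
    key_is_protected "$key" || { echo "$key is readable by group/other"; ok=1; }
    [ "$(cert_cn "$crt")" = "*.${div}.geneabase.com" ] || { echo "unexpected CN: $(cert_cn "$crt")"; ok=1; }
    chain_verifies "$crt" "$dir"/PositiveSSLCA2.crt "$dir"/AddTrustExternalCARoot.crt || { echo "chain does not verify"; ok=1; }
    return $ok
}
```

Run `check_division nl` on the fileserver after unpacking the delivered certificates; a non-zero result means the tarball should not be built yet.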
Configure Memcached
- configure and start memcached
chkconfig memcached --level 345 on
Put the following in /etc/sysconfig/memcached. The stock init script sources this file and appends $OPTIONS to the memcached command line, so the init script itself need not be edited and the settings survive package updates:
PORT=11211
USER=memcached
MAXCONN=10000
CACHESIZE=512
OPTIONS="-l 10.0.0.2"
The -l option binds memcached to the private interface only. memcached has no authentication of its own, so it must never listen on a public address.
Start the service:
service memcached start
Configure MySQL
Complete the steps laid out in MySQL config.
Create the mysql database using the following scripts in /opt/geneabase/fileserver/model/sql:
mysql --password=[YOURPASSWORD] < create_database.sql
mysql --password=[YOURPASSWORD] < set_permissions.sql
mysql Fileserver --password=[YOURPASSWORD] < core_data.sql
After importing the core data, you need to create the missing Config entry, using mysql commands similar to (update the values for that particular server instance):
mysql> insert into Cluster values (1,'c1');
mysql> insert into Rack values (1,'A',1,1);
mysql> insert into Config (ConfigID,MajorVersion,MinorVersion,RackID) values (1,1,16,1);
Instead of importing the core data using core_data.sql, you can import a complete backup with:
mysql --password=[YOURPASSWORD] < drop_triggers.sql
zcat Fileserver.sql.gz | mysql Fileserver --password=[YOURPASSWORD]
mysql --password=[YOURPASSWORD] < create_triggers.sql
After setting permissions with set_permissions.sql, the privilege tables must be flushed:
mysqladmin flush-privileges --password=[YOURPASSWORD]
To create the core_data.sql file from existing server, use the command:
mysqldump --password=[YOURPASSWORD] Fileserver --no-create-info --complete-insert --skip-triggers Repository AdminUser AdminUser_NetDomain NetDomain Repository_AdminUser Repository_AllowShare Category Filetype Cluster Rack > core_data.sql
To create a backup dump of the entire database, use the command
mysqldump --password=[YOURPASSWORD] Fileserver --no-create-info --complete-insert --skip-triggers | gzip > Fileserver.sql.gz
On a development server installation, enable access from ModelRight at your workstation (this grants full privileges from that address, so do it on development instances only):
mysql> create user 'root'@'[workstation-ip]' identified by '[PASSWORD]';
mysql> grant all on *.* to 'root'@'[workstation-ip]';
We also need to give other fileservers in the cluster read access to our database, with commands similar to:
mysql> create user 'FileserverA'@'a.c1.files.geneabase.com' identified by '[somepassword]';
mysql> GRANT SELECT ON `Fileserver`.* TO 'FileserverA'@'a.c1.files.geneabase.com';
and for volume.compare we also need to give specific write access:
mysql> GRANT INSERT ON `Fileserver`.Discrepancy TO 'FileserverA'@'a.c1.files.geneabase.com';
Mysql root password
We don't want to store the MySQL root password in our scripts, yet we need a way to run unattended mysql scripts as root from cron jobs and init.d. It is a sound assumption that the password is best guarded when stored in root's home directory: whoever is able to compromise the root account locally has full control over mysql anyway, with or without a password. The file must be readable by root only, which is what the mode below guarantees:
echo "YOUR MYSQL ROOT PASSWORD" >/root/.mysql-password
chmod 600 /root/.mysql-password
Then edit /root/.bashrc and add the following:
alias my='mysql Fileserver --user=root --password=`cat /root/.mysql-password`'
Note that this passes the password on the mysql command line; the mysql client overwrites it in its own argv, but there is a brief window in which it is visible to other local users in ps. Putting the password in a [client] section of a mode-600 /root/.my.cnf (or a file passed with --defaults-extra-file) avoids that entirely.
This way we don't have to type the database, username and password every time we run the mysql client from the command line; we simply type:
my
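The alias above hands the password to mysql on its command line, where it is briefly visible in ps. As an added example (not Geneabase code), the functions below implement the option-file variant instead: the password is read from /root/.mysql-password, checked to be root-only, and written to a mode-600 option file that mysql consumes through --defaults-extra-file, so it never appears in a command line or in shell history. The file paths are parameters so the logic can be exercised in a scratch directory; the function names are this example's own.

```sh
#!/bin/sh
# Added example: run mysql as root from cron or init.d without exposing the
# password. Needs only coreutils and sed.

# perm_owner_only FILE: true when group and other have no permission bits at all
perm_owner_only() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# write_mysql_defaults PASSFILE OUTFILE: build an option file from the first
# line of PASSFILE. Refuses to run when PASSFILE is readable by others, creates
# OUTFILE with mode 600 and replaces it atomically so a crash never leaves a
# readable partial file behind.
write_mysql_defaults() {
    passfile=$1
    outfile=$2
    [ -r "$passfile" ] || { echo "cannot read $passfile" >&2; return 1; }
    perm_owner_only "$passfile" || { echo "$passfile must be mode 600" >&2; return 1; }
    pw=$(head -n 1 "$passfile")
    [ -n "$pw" ] || { echo "$passfile is empty" >&2; return 1; }
    # Option-file values are double-quoted, with backslash and quote escaped,
    # so a password containing '#', spaces or quotes survives intact.
    esc=$(printf '%s' "$pw" | sed 's/[\\"]/\\&/g')
    tmp="$outfile.tmp.$$"
    # [client] is read by every MySQL client; the database default goes into
    # [mysql] because mysqldump would reject it as an unknown option.
    ( umask 077
      printf '[client]\nuser=root\npassword="%s"\n\n[mysql]\ndatabase=Fileserver\n' "$esc" > "$tmp" ) &&
        mv -f "$tmp" "$outfile"
}

# my_root [mysql args...]: replacement for the page's `my` alias, usable from
# cron because it never needs a terminal. Example:
#   my_root -e 'select count(*) from Repository'
my_root() {
    write_mysql_defaults /root/.mysql-password /root/.my-root.cnf || return 1
    mysql --defaults-extra-file=/root/.my-root.cnf "$@"
}
```

The --defaults-extra-file option must come first on the mysql command line, which my_root takes care of; mysqldump accepts the same file, so the backup commands later in this section can use it as well.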
Configure Apache
There are three apache servers running on the fileserver:
- httpd - serves regular files, and is publicly accessible
- httpd-admin - used to upload files and update file properties, only accessible for authenticated users
- httpd-sync - used to synchronize files between fileservers, only accessible to other fileservers
Regular httpd
- edit /etc/httpd/conf/httpd.conf and change the Listen directives to match the internal and external interfaces. Do the same in /etc/httpd/conf.d/ssl.conf, and make sure the VirtualHost directive in ssl.conf is defined for the external IP address rather than for _default_.
- also in /etc/httpd/conf/httpd.conf edit the LogFormat as follows:
LogFormat "%h %{User}n %{Repository}n %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %f %D %V" combined
- define the "combined" format in ssl.conf with the line (within the VirtualHost directive):
CustomLog logs/access_log combined
- Edit the file /etc/sysconfig/httpd and uncomment the line "HTTPD=/usr/sbin/httpd.worker". This runs httpd with the threaded (worker) MPM.
- Configure the number of servers for the worker MPM, depending on the hardware. On a server with 16 GB memory the following is fine (ServerLimit x ThreadsPerChild = 400 x 25 = 10000 = MaxClients):
<IfModule worker.c>
StartServers 3
MaxClients 10000
ServerLimit 400
MinSpareThreads 25
MaxSpareThreads 10000
ThreadsPerChild 25
MaxRequestsPerChild 0
</IfModule>
- add configuration file /etc/httpd/conf.d/fileserver.conf with the following content:
LoadFile /usr/lib64/libcurl.so
LoadModule memcache_module /usr/lib64/httpd/modules/mod_memcache.so
LoadModule filecrypt_module /usr/lib64/httpd/modules/mod_filecrypt.so
FileCryptClusterSecret [CLUSTER_SECRET]
FileCryptAnonSecret [ANON_SECRET]
FileCryptSessionServiceUrl http://[internal api]/ssecrets/raw/
FileCryptSessionCookie gbsession
MemcacheServer 127.0.0.1:11211 min=0 smax=16 max=32 ttl=600
ServerName [FILESERVER_HOSTNAME]
Alias /myerror /opt/geneabase/fileserver/error
ErrorDocument 404 /myerror/notfound.html
ErrorDocument 403 /myerror/forbidden.html
<Location /i/>
Order deny,allow
Deny from all
Allow from [LIST YOUR INTERNAL DOMAINS that are allowed unencrypted access]
</Location>
since this file contains the Fileserver secrets, make sure it is not world readable:
chmod 600 /etc/httpd/conf.d/fileserver.conf
- add the following configuration options to /etc/httpd/conf/httpd.conf
DocumentRoot /opt/geneabase/fileserver/htdocs
- edit the file /etc/httpd/conf.d/ssl.conf to match the following (replace the four instances of [XXX-IPADDRESS-HERE]). Two remarks. First, mod_ssl accepts a single SSLCertificateChainFile per virtual host (a repeated directive replaces the previous one, it does not add to it), so the intermediates are concatenated into one file per certificate, issuer of the server certificate first, e.g. cat PositiveSSLCA.crt UTNAddTrustServerCA.crt AddTrustExternalCARoot.crt > c1_files_geneabase_com-chain.crt (the -chain.crt names are arbitrary). Second, the SSLProtocol and SSLCipherSuite lines are the stock RHEL 6 values, which still admit SSLv3, RC4 and LOW-strength ciphers; when no legacy client depends on them, use SSLProtocol all -SSLv2 -SSLv3 and SSLCipherSuite HIGH:!aNULL:!MD5:!RC4 instead.
LoadModule ssl_module modules/mod_ssl.so
Listen [FIRST-IPADDRESS-HERE]:443
Listen [SECOND-IPADDRESS-HERE]:443
SSLPassPhraseDialog builtin
SSLSessionCache shmcb:/var/cache/mod_ssl/scache(512000)
SSLSessionCacheTimeout 300
SSLMutex default
SSLRandomSeed startup file:/dev/urandom 256
SSLRandomSeed connect builtin
SSLCryptoDevice builtin
<VirtualHost [FIRST-IPADDRESS-HERE]:443>
ErrorLog logs/error_log
CustomLog logs/access_log combined
LogLevel warn
SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
SSLCertificateFile /etc/pki/tls/certs/geneabase/STAR_c1_files_geneabase_com.crt
SSLCertificateKeyFile /etc/pki/tls/private/STAR_c1_files_geneabase_com-nopass.key
SSLCertificateChainFile /etc/pki/tls/certs/geneabase/c1_files_geneabase_com-chain.crt
SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
</VirtualHost>
<VirtualHost [SECOND-IPADDRESS-HERE]:443>
ErrorLog logs/error_log
CustomLog logs/access_log combined
LogLevel warn
SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
SSLCertificateFile /etc/pki/tls/certs/geneabase/STAR_geneabase_com.crt
SSLCertificateKeyFile /etc/pki/tls/private/STAR_geneabase_com-nopass.key
SSLCertificateChainFile /etc/pki/tls/certs/geneabase/geneabase_com-chain.crt
SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
</VirtualHost>
- comment out all the lines in the following files in the directory /etc/httpd/conf.d/: perl.conf, auth_mysql.conf, welcome.conf and manual.conf, or replace each with a file containing just a single #. The files are not deleted because the Red Hat update system would put them back when an update for the corresponding package is installed.
- edit the file
/etc/logrotate.d/httpd, in particular the line concerning logwatcher, to match the following:
/var/log/httpd/*log {
daily
rotate 365
missingok
notifempty
sharedscripts
compress
delaycompress
postrotate
/sbin/service httpd reload > /dev/null 2>/dev/null || true
killall -USR1 logwatcher 2> /dev/null || true
endscript
}
- configure init and start the server
chkconfig httpd --level 345 on
service httpd start
- Double-check /etc/sysconfig/iptables to see that port 80 is opened.
After you have completed these steps, pointing a browser to the address of the server should show the fileserver's start page.
If you do not see this screen, SELinux is one of the first suspects:
tail -f /var/log/messages /var/log/audit/audit.log
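When SELinux is the suspect, here or when following the Configure selinux section, the raw audit.log is noisy: a single misplaced label on /volume produces one AVC line per request. The shell function below (an added example, not part of the Geneabase tools) groups the denials by command, requested permission, source type, target type and object class, so that a flood of httpd write denials against httpd_sys_content_t, or httpd trying a name_connect to memcache_port_t, each show up as one counted line. It needs only grep, awk and sort; run it on /var/log/audit/audit.log. The AVC lines used to check it are constructed for this example.

```sh
#!/bin/sh
# Added example: summarize SELinux AVC denials from an audit.log.

# summarize_avc FILE: one tab-separated line per distinct denial,
#   count  comm  permissions  source-type  target-type  tclass
# with the most frequent denial first.
summarize_avc() {
    grep 'avc: *denied' "$1" | awk '
    {
        # the requested permissions sit between "denied  { " and " }"
        ops = $0
        sub(/.*denied +[{] */, "", ops)
        sub(/ *[}].*/, "", ops)
        comm = "?"; stype = "?"; ttype = "?"; tclass = "?"
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^comm=/)     { comm = $i; sub(/^comm="?/, "", comm); sub(/"$/, "", comm) }
            # contexts are user:role:type:level; the type is what matters
            if ($i ~ /^scontext=/) { split($i, a, ":"); stype = a[3] }
            if ($i ~ /^tcontext=/) { split($i, a, ":"); ttype = a[3] }
            if ($i ~ /^tclass=/)   { tclass = $i; sub(/^tclass=/, "", tclass) }
        }
        key = comm "\t" ops "\t" stype "\t" ttype "\t" tclass
        n[key]++
    }
    END { for (k in n) print n[k] "\t" k }
    ' | sort -rn
}
```

A line such as "2  httpd  write  httpd_t  httpd_sys_content_t  dir" points straight at a directory that should carry public_content_rw_t (see the semanage fcontext rules for /volume); "httpd  name_connect  httpd_t  memcache_port_t  tcp_socket" means httpd_can_network_connect is off.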
To test the crypt service, run the following test script (replacing the variables with the appropriate ipadresses):
fileserver.test-crypt $APACHEIP $MEMCACHEDIP
It should complete without any errors.
Api httpd
- run the command:
fileserver.setup.httpd-api
- Edit the Listen directive in /etc/httpd-api/conf/httpd.conf to match the ip-address that is dedicated to api access.
- Also in /etc/httpd-api/conf/httpd.conf, configure the number of servers:
<IfModule prefork.c>
StartServers 5
MinSpareServers 2
MaxSpareServers 10
ServerLimit 30
MaxClients 30
MaxRequestsPerChild 4000
</IfModule>
- run the commands:
chkconfig httpd-api --level 345 on
service httpd-api start
In order to log in to the admin website, you need to have set up the following:
- AdminUser entry
- NetDomain entry
- link between AdminUser and NetDomain through a AdminUser_NetDomain entry.
Supposing you already have an AdminUser account, you may need to add the other two. Do this with SQL commands very similar (but certainly not identical; update the numbers) to:
mysql> insert into NetDomain (Name,Ipv4) values ('vFileserverA','192.168.170.129');
mysql> insert into AdminUser_NetDomain values (10,1);
Sync httpd
- run the command:
fileserver.setup.httpd-sync
- Edit the Listen directive in /etc/httpd-sync/conf/httpd.conf to match the ip-address that is dedicated to synchronization traffic between the fileservers.
- Also in /etc/httpd-sync/conf/httpd.conf, configure the number of servers. By default, 8 synchronize workers are active at each node, each connecting with keepalive, so you need at least that many; depending on the number of nodes in the cluster this may need to be increased. The following is good for a 2-node cluster (Apache does not accept comments after a value on the same line, hence the separate comment line):
<IfModule prefork.c>
StartServers 9
MinSpareServers 1
MaxSpareServers 9
# some extra room for status requests
ServerLimit 15
MaxClients 15
MaxRequestsPerChild 4000
</IfModule>
- run the commands:
chkconfig httpd-sync --level 345 on
service httpd-sync start
Configure Firewall
- add the following lines to /etc/sysconfig/iptables
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
# external loginservers update keys in memcached:
-A INPUT -m state --state NEW -m tcp -p tcp --dport 11211 -s 192.168.0.0/16 -j ACCEPT
The -s restriction on the memcached rule is essential: memcached authenticates nobody, and the login servers write session keys into it.
and restart the firewall with
service iptables restart
Configure updatedb
- add /volume to the PRUNEPATHS variable in /etc/updatedb.conf, to prevent building an index of these files
Configure bonding
- to the /etc/sysconfig/network-scripts/ifcfg-ethX configuration of two or more internal network cards, add the following:
BOOTPROTO=none
ONBOOT=yes
MTU=9000
SLAVE=yes
MASTER=bond0
- create /etc/sysconfig/network-scripts/ifcfg-bond0, containing the following:
DEVICE=bond0
IPADDR=192.168.4.20
NETMASK=255.255.255.0
MTU=9000
ONBOOT=yes
BOOTPROTO=none
USERCTL=no
BONDING_OPTS="mode=0"
TYPE=Ethernet
IPV6INIT=no
- create /etc/modprobe.d/bonding.conf, containing the following:
alias bond0 bonding
- add static route for entire VPN, by putting the following line in
/etc/sysconfig/network-scripts/route-bond0:
192.168.0.0/16 via 192.168.4.1 dev bond0
- start the interface
ifup bond0
Configure Cron
cd /etc/cron.daily/
ln -s /opt/geneabase/fileserver/bin/fileserver.daily.cron .
Gateway server installation
NTP configuration
Edit /etc/ntp.conf and add/replace the following items. A restrict line without flags would let those networks reconfigure the daemon as well; nomodify notrap leaves them time queries only, which is all a client needs:
# our network
restrict 95.211.75.96 mask 255.255.255.224 nomodify notrap
restrict 95.211.75.64 mask 255.255.255.224 nomodify notrap
restrict 192.168.5.0 mask 255.255.255.0 nomodify notrap
server 0.nl.pool.ntp.org
server 1.nl.pool.ntp.org
server 2.nl.pool.ntp.org
The 192.168.* address should match the internal network for this rack.
chkconfig ntpd --level 345 on
service ntpd restart
The gateway servers can then be used as time source by all machines in our network. If possible, configure the IP addresses of both gateways.
Mail configuration
All local appliances hosted in the same rack as the gateway server use this server as SMTP server for mailing out error alerts. These appliances should be configured to send mail from racka@geneabase.com (Rack A) or rackb@geneabase.com (Rack B), with the IP address of the local gateway configured as SMTP server.
- install mail
yum install sendmail sendmail-cf
- remove the localhost restriction (the DAEMON_OPTIONS line with Addr=127.0.0.1) from /etc/mail/sendmail.mc
- create the file /etc/mail/relay-domains, and list the domains that the appliances will be sending their mails *to*, one domain per line.
- edit /etc/mail/access, and add the following:
95.211.75.67 RELAY
95 REJECT
This allows only the VPN router to use this server as a relay (replace that IP address with the address of the VPN router); every other host in the 95 network is rejected. Connections from outside the 95 network are blocked by the firewall anyway (otherwise we would have to list 1 .. 254 in the rejection list as well; sendmail offers no other way to do this).
- rebuild and restart sendmail
make restart -C /etc/mail
Workstation installation
The latest version of Firefox should be available in the geneabase repository. If it is not, a good starting point for getting the latest release is here; rebuild and install xulrunner first, then firefox.
If you are having trouble with networking on VMWare, you may need to manually update
/etc/udev/rules.d/70-persistent-net.rules
To run samba:
setsebool -P samba_export_all_rw 1
To install multimedia:
yum install compat-libstdc++-33 libdvdcss libdvdread libdvdplay libdvdnav lsdvd libquicktime
yum install adobe-release
yum install flash-plugin
yum install mplayer mplayer-gui gstreamer-ffmpeg
Install the w32codecs (required for xvid and other proprietary formats):
wget http://www1.mplayerhq.hu/MPlayer/releases/codecs/mplayer-codecs-20061022-1.x86_64.rpm
wget http://www1.mplayerhq.hu/MPlayer/releases/codecs/mplayer-codecs-extra-20061022-1.x86_64.rpm
yum install mplayer-codecs-*
Legacy Installation
cd /opt
git clone git@github.com:Toutatis/Toutatis-Legacy toutatis
yum install perl-Bit-Vector perl-Text-Wrapper perl-Date-Calc perl-GD perl-XML-Twig perl-Time-modules \
    perl-Data-UUID ImageMagick-perl perl-Image-ExifTool perl-PDF-API2 perl-Crypt-Blowfish perl-GD-Graph \
    perl-Spreadsheet-WriteExcel tetex-latex perl-JSON perl-Cache-Memcached sendmail dovecot telnet \
    mod_perl mod_ssl perl-Mcrypt perl-GDGraph
mkdir /var/spool/toutatis /var/log/toutatis
chown toutatis:toutatis /var/spool/toutatis /var/log/toutatis
fixtexmf
setsebool -P allow_httpd_anon_write 1
semanage fcontext -a -t public_content_rw_t "/var/spool/toutatis(/.*)?"
semanage fcontext -a -t httpd_sys_content_t "/var/data/toutatis(/.*)?"
semanage fcontext -a -t public_content_rw_t "/var/data/toutatis/[0-9a-z]{2}/[0-9a-z]{2}/.*"
restorecon -r /var/data/toutatis
restorecon -r /var/spool/toutatis
In mysql, create the following users:
- buildindex
- buildarchives
- ttwebmail
- ttsendmail
- recordqueue
- downloadqueue
- apache
- toutatis
with the following commands, once per user (note that the grant covers every database on the instance, not just the Toutatis one):
create user '[USER]'@'localhost' identified by '[PASSWORD]';
grant select, insert, delete, update, lock tables on *.* to '[USER]'@'localhost';
Dropbox Installation
Dropbox can be installed from RPMforge. On the server we create a dedicated user for it, dropbox, and add this line to /etc/sysconfig/dropbox:
DROPBOX_USERS=dropbox
After installing dropbox on CentOS 5 or 6, the following line needs to be added to /etc/prelink.conf:
-b /usr/libexec/dropbox
This prevents prelink from 'optimising' the dropbox executable during bootup, since that optimisation breaks the dropbox binary after a reboot.
If you want to set the document root of a website to a user's dropbox folder, issue the following commands:
semanage fcontext -a -t httpd_sys_content_t "/home/dropbox/Dropbox/Websites(/.*)?"
restorecon -v -r /home/dropbox/Dropbox/Websites
setsebool -P httpd_enable_homedirs 1
Alternatively, use the daemon that Dropbox itself provides: https://www.dropbox.com/install?os=lnx
cd ~ && wget -O - "https://www.dropbox.com/download?plat=lnx.x86_64" | tar xzf -
This unpacks a binary straight from the download into the home directory, with nothing but the HTTPS connection vouching for it, so run it only under the unprivileged dropbox account.
Set the umask of that account, in the current shell and in its .bash_profile:
umask 022
Set the daemon up with ~/.dropbox-dist/dropbox. Then, to run it as a daemon, run (as the dropbox account user):
crontab -e
and put the following in it:
@reboot umask 022; ~/.dropbox-dist/dropboxd
*/5 * * * * /sbin/restorecon -i -r ~/Dropbox
Schema server Installation
Geneabase XML schemas are hosted at schemas.geneabase.com. This website is mapped to the Schemas directory in the Geneabase dropbox.
- Create the user geneabase, install dropbox and attach the dropbox@geneabase.com account to the Dropbox folder in /home/geneabase.
- fix permissions:
semanage fcontext -a -t httpd_sys_content_t "/home/geneabase/Dropbox/Schemas(/.*)?"
restorecon -v -r /home/geneabase/Dropbox/Schemas
chmod g+rx /home/geneabase
Asterisk Installation
yum install asterisk asterisk-sounds-core-en-ulaw
System Recovery and Migration
Old hard drives with LVM partitions on them can be mounted by inserting them into a USB receptacle such as a Sharkoon dock and issuing the following commands. The foreign volume group shows up inactive first and has to be activated:
[root@samurai ~]# lvscan
inactive '/dev/VolGroup00/LogVol00' [461.75 GiB] inherit
inactive '/dev/VolGroup00/LogVol01' [3.91 GiB] inherit
ACTIVE '/dev/vg_samurai/lv_root' [925.14 GiB] inherit
ACTIVE '/dev/vg_samurai/lv_swap' [5.88 GiB] inherit
[root@samurai ~]# lvchange -ay VolGroup00
[root@samurai ~]# lvscan
ACTIVE '/dev/VolGroup00/LogVol00' [461.75 GiB] inherit
ACTIVE '/dev/VolGroup00/LogVol01' [3.91 GiB] inherit
ACTIVE '/dev/vg_samurai/lv_root' [925.14 GiB] inherit
ACTIVE '/dev/vg_samurai/lv_swap' [5.88 GiB] inherit
The drive is then accessible at /dev/VolGroup00/LogVol00 or can be opened through the desktop GUI. If the old drive's volume group has the same name as the running system's, rename it first with vgrename, using the VG UUID shown by vgs -o vg_name,vg_uuid.
Static Webserver for Subsites
yum install perl-HTML-Tidy
Status Server
mkdir /var/spool/status
chown apache:apache /var/spool/status
setsebool -P allow_httpd_anon_write on
semanage fcontext -a -t public_content_rw_t "/var/spool/status(/.*)?"
restorecon -v /var/spool/status
