Developer Linux > Redhat Installation

From Geneabase

There are 8 Linux servers in the current hardware topology:

The gateway servers and VOIP servers run on CentOS 5.6. The other servers have been configured with the Redhat Enterprise Linux 6 operating system.

Documentation of RHEL 6 is included in Redhat Enterprise Linux Documentation


[edit] Generic options for all installations

[edit] Initial configuration

Create the environment directory in sysconfig:

 mkdir -p /etc/sysconfig/geneabase/env

And create the following files there, each containing a single variable on the first and only line of that file:

SERVERID
Globally Unique Identifier, which can be created in SQL Server (select NEWID()), MySQL (select uuid()), or in Visual Studio > Tools > Create GUID.
SERVERDOMAIN
The domain prefix of the division that this server is part of, e.g. nl.geneabase.com, uk.geneabase.com, etc.
SERVERNAME
The unique name within the division that identifies this server in a friendlier way than its GUID. In some cases this name can be appended to the server domain to get a full internet address, but that is not always the case (some servers have multiple addresses and multiple IPs).
SERVERTYPE
This file describes the primary role of the server, which may be 'Fileserver', 'Webserver', 'Database', 'Mailserver', 'Nameserver', 'STS', 'Statusserver', 'Messageserver', 'Buildserver', 'Workstation', 'Gateway', 'Legacy' or 'Mixed'.

These files can be read by shell scripts with:

 SERVERID=`cat /etc/sysconfig/geneabase/env/SERVERID|head -1`

[edit] Install geneabase software

Make sure you have installed and configured Git, as described in Git config. After that, issue the following commands:

 cd /opt
 git clone git@github.com:Toutatis/Geneabase-RHEL geneabase

[edit] Configure Yum

Install rpmforge. Check which release is the latest at: http://packages.sw.be/rpmforge-release/

Fetch that package with wget and install it, for example:

 wget http://pkgs.repoforge.org/rpmforge-release/rpmforge-release-0.5.2-2.el6.rf.x86_64.rpm
 rpm -Uvh rpmforge-release-0.5.2-2.el6.rf.x86_64.rpm

Make sure that the following channels are enabled in RHN for that system (you need to have registered the system with RedHat as "RHN Classic Subscription Management"):

Edit /etc/yum.repos.d/rpmforge.repo: leave [rpmforge] enabled, enable [rpmforge-extras], and add the line includepkgs=none to both repository sections, so that nothing is pulled from rpmforge unless it is listed explicitly. Add packages that are to be retrieved later to that list.

Create the new file /etc/yum.repos.d/geneabase.repo with the following content (gpgcheck=1 makes yum verify every package against the key named in gpgkey; all packages in this repository are signed, see Install PGP key below):

[geneabase]
name=Geneabase repository for custom packages
baseurl=http://repo.geneabase.com/rhel6
gpgkey=http://repo.geneabase.com/RPM-GPG-KEY-geneabase
gpgcheck=1
enabled=1

Provided that you now have access to the geneabase repository, install the EPEL release package:

 yum install epel-release

Now install the required packages:

 yum install policycoreutils-python setroubleshoot setroubleshoot-server gcc python-devel perl-Net-DNS perl-TimeDate perl-Algorithm-Numerical-Shuffle perl-Log-Log4perl perl-DBIx-Log4perl

[edit] Configure profile

Create a new file /etc/profile.d/geneabase.sh. Depending on the server roles you are installing (some servers have multiple roles), add the following lines to it:

. /opt/geneabase/common/profile.sh
. /opt/geneabase/[secondary role]/profile.sh
. /opt/geneabase/[primary role]/profile.sh
. /etc/sysconfig/clock
export ZONE
export SERVERID=`cat /etc/sysconfig/geneabase/env/SERVERID|head -1`
export SERVERDOMAIN=`cat /etc/sysconfig/geneabase/env/SERVERDOMAIN|head -1`
export SERVERNAME=`cat /etc/sysconfig/geneabase/env/SERVERNAME|head -1`
export SERVERTYPE=`cat /etc/sysconfig/geneabase/env/SERVERTYPE|head -1`
export PATH=/opt/geneabase/local/$SERVERDOMAIN/$SERVERNAME/bin:/opt/geneabase/local/$SERVERDOMAIN/bin:$PATH

This sets up the correct environment automatically when you log in. For example, the Fileserver's primary role is 'fileserver' and it has no secondary role, so the secondary-role line can be removed. To set up this environment in your current terminal session, issue the command:

 . /etc/profile.d/geneabase.sh

Note that the last line has the highest priority, since it may redefine variables from earlier lines.

The ZONE environment variable is used by /opt/geneabase/common/perl/Data/Column/DateTime.pm.
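As an added example (not part of the original wiki page), the following POSIX shell script checks the four environment files described under Initial configuration before the profile above exports them, and rebuilds the per-server PATH prefix that the profile constructs. The directory is a parameter and the sample directory is constructed, so it runs without /etc/sysconfig/geneabase; the GUID, division-suffix and host-label formats it enforces are assumptions drawn from the descriptions above.

```shell
#!/bin/sh
# Added example: validate the /etc/sysconfig/geneabase/env files before the
# profile exports them. The directory is a parameter so this can be run against
# a constructed copy (see make_sample_env) instead of the live system.

# Roles listed for SERVERTYPE on this page
GB_SERVERTYPES="Fileserver Webserver Database Mailserver Nameserver STS Statusserver Messageserver Buildserver Workstation Gateway Legacy Mixed"

# read_env_var DIR NAME -> first line of DIR/NAME, as the profile reads it.
# Carriage returns are stripped: a GUID pasted from Visual Studio may carry one.
read_env_var() {
    head -1 "$1/$2" | tr -d '\r'
}

# check_env_dir DIR -> returns 0 when all four files are present and well-formed,
# otherwise reports each problem on stdout and returns 1.
check_env_dir() {
    envdir=$1
    rc=0
    for f in SERVERID SERVERDOMAIN SERVERNAME SERVERTYPE; do
        if [ ! -s "$envdir/$f" ]; then
            echo "missing or empty: $envdir/$f"
            rc=1
        fi
    done
    [ "$rc" -eq 0 ] || return 1

    # SERVERID: a GUID as produced by NEWID() or uuid(), i.e. 8-4-4-4-12 hex digits
    id=$(read_env_var "$envdir" SERVERID)
    if ! printf '%s\n' "$id" | grep -Eqi '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$'; then
        echo "SERVERID is not a GUID: $id"
        rc=1
    fi

    # SERVERDOMAIN: a division prefix such as nl.geneabase.com (assumed suffix)
    domain=$(read_env_var "$envdir" SERVERDOMAIN)
    case $domain in
        *.geneabase.com) ;;
        *) echo "SERVERDOMAIN is not a geneabase division: $domain"; rc=1 ;;
    esac

    # SERVERNAME: a single host label, so that it can be prepended to SERVERDOMAIN
    name=$(read_env_var "$envdir" SERVERNAME)
    if ! printf '%s\n' "$name" | grep -Eq '^[A-Za-z0-9-]+$'; then
        echo "SERVERNAME is not a single host label: $name"
        rc=1
    fi

    # SERVERTYPE: one of the documented roles (exact, case-sensitive match)
    type=$(read_env_var "$envdir" SERVERTYPE)
    case " $GB_SERVERTYPES " in
        *" $type "*) ;;
        *) echo "SERVERTYPE is not a known role: $type"; rc=1 ;;
    esac
    return "$rc"
}

# local_bin_path DIR -> the PATH prefix /etc/profile.d/geneabase.sh builds
local_bin_path() {
    d=$(read_env_var "$1" SERVERDOMAIN)
    n=$(read_env_var "$1" SERVERNAME)
    echo "/opt/geneabase/local/$d/$n/bin:/opt/geneabase/local/$d/bin"
}

# make_sample_env -> path of a constructed env directory (sample values only)
make_sample_env() {
    sdir=$(mktemp -d)
    echo "1A2B3C4D-5E6F-4A7B-8C9D-0E1F2A3B4C5D" > "$sdir/SERVERID"
    echo "nl.geneabase.com" > "$sdir/SERVERDOMAIN"
    echo "files01" > "$sdir/SERVERNAME"
    echo "Fileserver" > "$sdir/SERVERTYPE"
    echo "$sdir"
}

# Stand-alone demonstration against a constructed directory
sample=$(make_sample_env)
check_env_dir "$sample" && echo "env ok, PATH prefix: $(local_bin_path "$sample")"
rm -rf "$sample"
```

To check a live server, call check_env_dir /etc/sysconfig/geneabase/env from the command line; a non-zero exit means one of the four files needs attention.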

[edit] Configure Log4perl

Many perl scripts require a default log4perl configuration. Therefore:

 mkdir /etc/log4perl
 cp /opt/geneabase/common/etc/default_log4perl.conf /etc/log4perl/default.conf
 mkdir /var/log/geneabase
 mkdir /var/report

[edit] Configure firewall

Preconfigured firewall scripts are located in the bin directory of each server role. If the PATH environment variable is set up correctly in the profile configuration (previous section), it should suffice to execute the following command:

 config.firewall

[edit] Configure selinux

SELinux must be enabled on all servers. This is the default on a Red Hat 6 installation, and it is configured by editing the file /etc/sysconfig/selinux. SELinux must be configured as targeted. If you encounter any problems, make sure the service auditd is running, and check the log at /var/log/audit/audit.log.

[edit] Installing freeTDS

FreeTDS is required on those RedHat servers that need to connect to the Microsoft SQL Server database. RPM packages are available from the geneabase repository (origin: sw.be). To install them:

 yum install freetds freetds-devel perl-DBD-Sybase perl-DBIx-Log4perl perl-Data-UUID perl-DateTime-Format-Sybase perl-DateTime-Format-Epoch perl-Net-DNS

Then edit the existing file /etc/freetds.conf and add the following section:

[Geneabase]
   host = <INTERNAL_IP_ADDRESS_OF_DATABASE>
   port = 1433
   tds version = 8

and test the database connection with:

 tsql -S Geneabase -U <username> -P <password>

or with this little perl script (replace PASSWORD with the actual password):

#!/usr/bin/perl
use strict;
use warnings;
use DBI;

# Connect through the [Geneabase] server entry from /etc/freetds.conf
my $dbh = DBI->connect("dbi:Sybase:server=Geneabase",
                       'Geneabase', 'PASSWORD', {PrintError => 0})
  or die "Unable to connect to server: $DBI::errstr";

# Ask SQL Server for its own name to prove the round trip works
my $sth = $dbh->prepare('select @@servername');
if ($sth->execute) {
    while (my @dat = $sth->fetchrow_array) {
        print "successfully connected to server '@dat'\n";
    }
}
$dbh->disconnect;

[edit] Installing UPS software

APC PowerChute for Linux is utter crap. For servers that are attached to an APC unit, install Apcupsd. You can get it from EPEL with:

 yum install apcupsd-gui

This installs apcupsd plus gapcmon, which can be used to control the UPS.

[edit] Adding Gnome to a CentOS 6 minimal install

  yum groupinstall "Desktop" "Desktop Platform" "X Window System" "Fonts"

[edit] Installation of Generic Server

RHEL 6 installation option: webserver, no customizations

CentOS 6 installation options: basic server, accept all the default packages, and add to that:

Applications:
* Internet Browser
Desktops:
* Desktop
  * tigervnc-server
* Desktop Platform
* Fonts
* X Window System
Servers:
* Server Platform
* System administration tools
   * screen

Optional packages:

 yum install git rpm-build rpmdevtools

Set up the RPM build tree:

 rpmdev-setuptree

Edit /root/.bashrc and remove the -i aliases (the interactive rm, cp and mv aliases).

[edit] Monitor Server and Repo Installation

The monitor server is located at a different facility from the other geneabase servers, and has four roles:

  1. monitor all services, and notify the administrator when problems occur.
  2. provide status reports to repository admins, at the domain monitor.geneabase.com.
  3. receive backups from the geneabase servers, to safeguard data against extreme calamities.
  4. host the yum repository for all custom packages, at the domain repo.geneabase.com.

Install the repository tools:

 yum install createrepo cpan2rpm

All packages will be placed in the RPMS and SRPMS directories in /var/yum_repo/rhel6Server/. Each time new packages are added, execute:

 createrepo /var/yum_repo/rhel6
 restorecon -R /var/yum_repo/rhel6
 # or for rhel5 packages:
 createrepo -s sha /var/yum_repo/rhel5
 restorecon -R /var/yum_repo/rhel5

Label the repository and the monitor web content so that httpd may serve them, and allow httpd to make outbound network connections:

 semanage fcontext -a -t httpd_sys_content_t "/var/yum_repo(/.*)?"
 restorecon -v -R /var/yum_repo
 semanage fcontext -a -t httpd_sys_content_t "/opt/geneabase/monitor/htdocs(/.*)?"
 restorecon -v -R /opt/geneabase/monitor/htdocs
 semanage fcontext -a -t httpd_sys_content_t "/opt/geneabase/fileserver/error(/.*)?"
 restorecon -v -R /opt/geneabase/fileserver/error
 setsebool -P httpd_can_network_connect on


 next if $module =~ /Win32API/;
Apache virtual host configuration for the repository and monitor sites:

NameVirtualHost *
<VirtualHost *>
    ServerName repo.geneabase.com
    DocumentRoot /var/yum_repo
   <Directory /var/yum_repo>
      Options +Indexes
      Order Allow,Deny
      Allow from all
   </Directory>
</VirtualHost>
<VirtualHost *>
   ServerName monitor.geneabase.com
   DocumentRoot /opt/geneabase/monitor/htdocs
  <Location />
    AuthType Basic
    AuthBasicAuthoritative  Off
    AuthName "Monitor Service"
    AuthMySQLEnable On
    AuthMySQLHost localhost
    AuthMySQLUser authmysql
    AuthMySQLPassword [MYSQL-PASSWORD]
    AuthMySQLDB Fileserver
    AuthMySQLUserTable vUserIpv4
    AuthMySQLNameField Username
    AuthMySQLPasswordField Password
    AuthMySQLPwEncryption none
    AuthMySQLAuthoritative On
    AuthMySQLUserCondition "IpAddress = '%a'"
    require valid-user
  </Location>

</VirtualHost>

Since the monitor server is only accessible to trusted users (enforced by the firewall configuration), it is a convenient place to make the Linux documentation available online. Place the following content in /etc/httpd/conf.d/docs.conf:

Alias /docs /usr/share/doc
<Directory /usr/share/doc>
  AddType text/plain .patch .indirect .direct .master .schema .pl .py .sh .cgi .php .c
  Options +Indexes
  Order Allow,Deny
  Allow from all
</Directory>

Make sure the webserver starts at bootup:

chkconfig --level 345 httpd on
service httpd start

[edit] Install PGP key

 cd
 mkdir .gnupg
 gpg --gen-key
 gpg --export -a 'YOUR NAME' > RPM-GPG-KEY-yourname
 rpm --import RPM-GPG-KEY-yourname

add the following line to ~/.rpmmacros:

 %_gpg_name YOUR NAME

and sign any package with

 rpm --addsign some-package.rpm

All rpm packages currently hosted at the monitor server are signed with the key of Roberto Bourgonjen; the corresponding public key is the file /opt/geneabase/common/etc/RPM-GPG-KEY-roberto.

[edit] Configure SFTP

 setsebool -P ftp_home_dir on

[edit] Fileserver Installation

[edit] Install software

RHEL 6 installation option: webserver, no customizations

 yum install apr-util-devel httpd-devel gcc gcc-c++ libmcrypt libmcrypt-devel \
   apr-devel memcached memcached-devel ImageMagick mod_auth_mysql perl-MediaWiki-API \
   perl-Cache-Memcached mod_perl perl-Mcrypt mod_filecrypt percona-xtrabackup
 yum remove mod_wsgi php webalizer

[edit] Environment setup

Create the file /etc/profile.d/geneabase.sh, containing the following:

. /opt/geneabase/common/profile.sh
. /opt/geneabase/fileserver/profile.sh

To activate this profile for your current session, type:

. /etc/profile.d/geneabase.sh

[edit] Configure SELinux

 setsebool -P httpd_can_network_connect on
 setsebool -P allow_httpd_sys_script_anon_write on
 setsebool -P allow_httpd_anon_write on
 semanage fcontext -a -t httpd_sys_content_t "/volume(/.*)?"
 semanage fcontext -a -t public_content_rw_t "/volume/[0-9]{3}/[A-Za-z0-9]/[A-Za-z0-9](/.*)?"
 semanage fcontext -a -t public_content_rw_t "/volume/[0-9]{3}/TEMP(/.*)?"
 restorecon -v -R /volume
 semanage fcontext -a -t httpd_sys_content_t  "/opt/geneabase/fileserver/htdocs(/.*)?"
 restorecon -v -R /opt/geneabase/fileserver/htdocs
 semanage fcontext -a -t httpd_sys_content_t  "/opt/geneabase/fileserver/error(/.*)?"
 restorecon -v -R /opt/geneabase/fileserver/error

[edit] Mount storage volumes

Find the UUID of the new volume, add an /etc/fstab entry for it, mount it and initialise it:

 blkid /dev/sdd
 # add to /etc/fstab, using the UUID reported by blkid:
 UUID=11b27754-1345-41ee-9cc5-ef9aa626bf6d /volume/010 ext4 defaults,noatime 0 0
 mount /volume/010
 volume.init 010

On development machines you may want to mount external volumes read-only via NFS. For httpd to be allowed to read those NFS mounts, set:

 setsebool -P httpd_use_nfs on

[edit] Install wildcard SSL certificate

Each division needs its own wildcard SSL certificate. In this example we create the certificate for the NL division; replace nl with the division code for other divisions.

 mkdir /etc/ssl/certs/nl_geneabase_com
 cd /etc/ssl/certs/
 make nl_geneabase_com.key
 # when asked for the Common Name, enter *.nl.geneabase.com
 make nl_geneabase_com.csr
 mv nl_geneabase_com.key /etc/pki/tls/private/
 restorecon -r -v /etc/pki/tls/private/

 cat nl_geneabase_com.csr

remove the password from the key:

 cd /etc/pki/tls/private/
 openssl rsa -in nl_geneabase_com.key -out nl_geneabase_com-nopass.key
 mv nl_geneabase_com-nopass.key nl_geneabase_com.key
 chmod 600 nl_geneabase_com.key

Request the SSL certificate using this CSR at: https://www.sslcertificaten.nl/SSLCertificaatDomein

Unpack the delivered certificates into /etc/pki/tls/certs/nl_geneabase_com/, renaming them if necessary, so that you end up with the following files:

 /etc/pki/tls/private/nl_geneabase_com.key
 /etc/pki/tls/certs/nl_geneabase_com/STAR_nl_geneabase_com.crt
 /etc/pki/tls/certs/nl_geneabase_com/AddTrustExternalCARoot.crt
 /etc/pki/tls/certs/nl_geneabase_com/PositiveSSLCA2.crt
 restorecon -r -v /etc/pki/tls/certs
 restorecon -r -v /etc/pki/tls/private

Create a tar of these files to distribute to other servers:

 tar cvzf nl_geneabase_com.tgz -C / \
          etc/pki/tls/private/nl_geneabase_com* \
          etc/pki/tls/certs/nl_geneabase_com

Alternatively, if you've done all this already, and you have an archive named nl_geneabase_com.tgz, you could install these with the command:

  tar xvzf nl_geneabase_com.tgz -C /

Apache honours only one SSLCertificateChainFile per virtual host (a repeated directive replaces the earlier one), so first concatenate the intermediate and root certificates into a single chain file (the name chain.crt is chosen here; the original listed the two files separately):

 cat /etc/pki/tls/certs/nl_geneabase_com/PositiveSSLCA2.crt \
     /etc/pki/tls/certs/nl_geneabase_com/AddTrustExternalCARoot.crt \
     > /etc/pki/tls/certs/nl_geneabase_com/chain.crt

The matching apache SSL configuration should then read:

SSLCertificateFile /etc/pki/tls/certs/nl_geneabase_com/STAR_nl_geneabase_com.crt
SSLCertificateKeyFile /etc/pki/tls/private/nl_geneabase_com.key
SSLCertificateChainFile /etc/pki/tls/certs/nl_geneabase_com/chain.crt

[edit] Configure Memcached

 chkconfig memcached --level 345 on

edit /etc/rc.d/init.d/memcached and add the following:

PORT=11211
USER=memcached
MAXCONN=10000
CACHESIZE=512
PRIVATE_IF=10.0.0.2
OPTIONS=""

Add the $PRIVATE_IF variable right after the port in the daemon line, so that memcached listens only on the private interface:

 daemon --pidfile ${pidfile} memcached -d -p $PORT -l $PRIVATE_IF -u $USER [...]

start the service:

 service memcached start

[edit] Configure MySQL

Complete the steps laid out in MySQL config.

Create the MySQL database using the following scripts in /opt/geneabase/fileserver/model/sql:

 mysql --password=[YOURPASSWORD] < create_database.sql
 mysql --password=[YOURPASSWORD] < set_permissions.sql
 mysql Fileserver --password=[YOURPASSWORD] < core_data.sql

After importing the core data, you need to create the missing Config entry, using the mysql command similar to (update values according to that particular server instance):

mysql> insert into Cluster values (1,'c1');
mysql> insert into Rack values (1,'A',1,1);
mysql> insert into Config (ConfigID,MajorVersion,MinorVersion,RackID) value (1,1,16,1);

Instead of importing the core data using core_data.sql, you can import a complete backup with the commands:

 mysql --password=[YOURPASSWORD] < drop_triggers.sql
 zcat Fileserver.sql.gz | mysql Fileserver --password=[YOURPASSWORD]
 mysql --password=[YOURPASSWORD] < create_triggers.sql

After setting permissions with set_permissions.sql, flush the privilege tables:

 mysqladmin flush-privileges --password=[YOURPASSWORD]

To create the core_data.sql file from an existing server, use the command:

  mysqldump --password=[YOURPASSWORD] Fileserver --no-create-info --complete-insert --skip-triggers Repository AdminUser AdminUser_NetDomain NetDomain Repository_AdminUser Repository_AllowShare Category Filetype Cluster Rack  > core_data.sql

To create a backup dump of the entire database, use the command

 mysqldump --password=[YOURPASSWORD] Fileserver --no-create-info --complete-insert --skip-triggers | gzip  > Fileserver.sql.gz

In case of a development server installation, enable access from ModelRight on your workstation:

mysql> create user 'root'@'[workstation-ip]' identified by '[PASSWORD]';
mysql> grant all on *.* TO 'root'@'[workstation-ip]';

We also need to give other fileservers in the cluster read access to our database, with commands similar to:

mysql> create user 'FileserverA'@'a.c1.files.geneabase.com' identified by '[somepassword]';
mysql> GRANT SELECT ON `Fileserver`.* TO 'FileserverA'@'a.c1.files.geneabase.com';

and for volume.compare we also need to grant specific write access:

mysql> GRANT INSERT ON `Fileserver`.Discrepancy TO 'FileserverA'@'a.c1.files.geneabase.com';

[edit] Mysql root password

We don't want to store the MySQL root password in our scripts, yet we need a way to run unattended MySQL scripts as root from cron jobs and init.d. It is a sound assumption that the password is best guarded in root's home directory: whoever is able to compromise the root account locally has full control over MySQL anyway, with or without a password.

 echo "YOUR MYSQL ROOT PASSWORD" >/root/.mysql-password
 chmod 660 /root/.mysql-password

Then, edit /root/.bashrc, and add the following in it:

 alias my='mysql Fileserver --user=root --password=`cat /root/.mysql-password`'

This way we don't have to type the database, username and password every time when running the mysql client from the command line, we can simply type:

 my

[edit] Configure Apache

There are three apache servers running on the fileserver:

[edit] Regular httpd

The configuration of the regular httpd is in /etc/httpd/conf.d/fileserver.conf:

LogFormat "%h %{User}n %{Repository}n %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %f %D %V" combined
CustomLog logs/access_log combined
<IfModule worker.c>
StartServers         3
MaxClients           10000
ServerLimit          400
MinSpareThreads      25
MaxSpareThreads      10000
ThreadsPerChild      25
MaxRequestsPerChild  0
</IfModule>
LoadFile /usr/lib64/libcurl.so
LoadModule memcache_module /usr/lib64/httpd/modules/mod_memcache.so
LoadModule filecrypt_module  /usr/lib64/httpd/modules/mod_filecrypt.so
FileCryptClusterSecret [CLUSTER_SECRET]
FileCryptAnonSecret [ANON_SECRET]
FileCryptSessionServiceUrl http://[internal api]/ssecrets/raw/
FileCryptSessionCookie gbsession
MemcacheServer 127.0.0.1:11211 min=0 smax=16 max=32 ttl=600
ServerName [FILESEVER_HOSTNAME]
Alias /myerror /opt/geneabase/fileserver/error
ErrorDocument 404 /myerror/notfound.html
ErrorDocument 403 /myerror/forbidden.html
<Location /i/>
    Order deny,allow
    Deny from all
    Allow from [LIST YOUR INTERNAL DOMAINS that are allowed unencrypted access]
</Location>

DocumentRoot /opt/geneabase/fileserver/htdocs

Since this file contains the Fileserver secrets, make sure it is not world readable:

 chmod 600 /etc/httpd/conf.d/fileserver.conf

The SSL configuration is essentially the stock RHEL 6 ssl.conf with one virtual host per address. Apache honours only one SSLCertificateChainFile per virtual host (a repeated directive replaces the earlier one), so first concatenate the chain, intermediates before the root, into a single file (the name chain.crt is chosen here; the original listed the three files separately):

 cat /etc/pki/tls/certs/geneabase/PositiveSSLCA.crt \
     /etc/pki/tls/certs/geneabase/UTNAddTrustServerCA.crt \
     /etc/pki/tls/certs/geneabase/AddTrustExternalCARoot.crt \
     > /etc/pki/tls/certs/geneabase/chain.crt

Note that SSLProtocol all -SSLv2 still allows SSLv3, and the cipher string below admits RC4 and LOW ciphers; both were the RHEL 6 defaults of the time and should be tightened on any host that is still serving clients.

LoadModule ssl_module modules/mod_ssl.so
Listen [FIRST-IPADDRESS-HERE]:443
Listen [SECOND-IPADDRESS-HERE]:443
SSLPassPhraseDialog  builtin
SSLSessionCache         shmcb:/var/cache/mod_ssl/scache(512000)
SSLSessionCacheTimeout  300
SSLMutex default
SSLRandomSeed startup file:/dev/urandom  256
SSLRandomSeed connect builtin
SSLCryptoDevice builtin
<VirtualHost [FIRST-IPADDRESS-HERE]:443>
ErrorLog logs/error_log
CustomLog logs/access_log combined
LogLevel warn
SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
SSLCertificateFile /etc/pki/tls/certs/geneabase/STAR_c1_files_geneabase_com.crt
SSLCertificateKeyFile /etc/pki/tls/private/STAR_c1_files_geneabase_com-nopass.key
SSLCertificateChainFile /etc/pki/tls/certs/geneabase/chain.crt
SetEnvIf User-Agent ".*MSIE.*" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0
</VirtualHost>
<VirtualHost [SECOND-IPADDRESS-HERE]:443>
ErrorLog logs/error_log
CustomLog logs/access_log combined
LogLevel warn
SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
SSLCertificateFile /etc/pki/tls/certs/geneabase/STAR_geneabase_com.crt
SSLCertificateKeyFile /etc/pki/tls/private/STAR_geneabase_com-nopass.key
SSLCertificateChainFile /etc/pki/tls/certs/geneabase/chain.crt
SetEnvIf User-Agent ".*MSIE.*" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0
</VirtualHost>
Log rotation, in /etc/logrotate.d/httpd:

/var/log/httpd/*log {
    daily
    rotate 365
    missingok
    notifempty
    sharedscripts
    compress
    delaycompress
    postrotate
        /sbin/service httpd reload > /dev/null 2>/dev/null || true
        killall -USR1 logwatcher 2> /dev/null || true
    endscript
}
Enable and start the service:

 chkconfig httpd --level 345 on
 service httpd start

After you have completed these steps, pointing a browser at the address of the server should show this screen:

(screenshot: FileServiceScreen.png)

If you do not see this screen, SELinux is one of the first suspects:

 tail -f /var/log/messages /var/log/audit/audit.log

To test the crypt service, run the following test script (replacing the variables with the appropriate IP addresses):

 fileserver.test-crypt $APACHEIP $MEMCACHEDIP

It should complete without any errors.

[edit] Api httpd

 fileserver.setup.httpd-api

Prefork settings for the API httpd:

<IfModule prefork.c>
StartServers 5
MinSpareServers 2
MaxSpareServers 10
ServerLimit      30
MaxClients       30
MaxRequestsPerChild  4000
</IfModule>

Allow httpd to listen on port 888, and verify that this has worked:

 semanage port -a -t http_port_t -p tcp 888
 semanage port -l | grep http_port_t

Enable and start the service:

 chkconfig httpd-api --level 345 on
 service httpd-api start

In order to log in to the admin website, you need to have set up the following:

  1. AdminUser entry
  2. NetDomain entry
  3. link between AdminUser and NetDomain through a AdminUser_NetDomain entry.

Assuming you already have an AdminUser account set up, you may need to add the other two. You can do this with SQL commands very similar (but certainly not identical; update the numbers) to:

mysql> insert into NetDomain (Name,Ipv4) values ('vFileserverA','192.168.170.129');
mysql> insert into AdminUser_NetDomain values (10,1);

[edit] Sync httpd

 fileserver.setup.httpd-sync

Prefork settings for the sync httpd (Apache does not accept comments after a directive on the same line, so the note is on its own line):

<IfModule prefork.c>
StartServers 9
MinSpareServers 1
MaxSpareServers 9
# some extra room for status requests
ServerLimit      15
MaxClients       15
MaxRequestsPerChild  4000
</IfModule>

Enable and start the service:

 chkconfig httpd-sync --level 345 on
 service httpd-sync start

[edit] Configure Firewall

Add the following rules to the INPUT chain in /etc/sysconfig/iptables:

-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
# external loginservers update keys in memcached:
-A INPUT -m state --state NEW -m tcp -p tcp --dport 11211 -s 192.168.0.0/16 -j ACCEPT

and restart the firewall with

 service iptables restart

[edit] Configure updatedb

[edit] Configure bonding

For each slave interface, /etc/sysconfig/network-scripts/ifcfg-ethN contains:

BOOTPROTO=none
ONBOOT=yes
MTU=9000
SLAVE=yes
MASTER=bond0

/etc/sysconfig/network-scripts/ifcfg-bond0:

DEVICE=bond0
IPADDR=192.168.4.20
NETMASK=255.255.255.0
MTU=9000
ONBOOT=yes
BOOTPROTO=none
USERCTL=no
BONDING_OPTS="mode=0"
TYPE=Ethernet
IPV6INIT=no

Load the bonding driver for the device (/etc/modprobe.d/bonding.conf):

 alias bond0 bonding

Static route to the internal network (/etc/sysconfig/network-scripts/route-bond0):

 192.168.0.0/16 via 192.168.4.1 dev bond0

Bring the bond up:

 ifup bond0

[edit] Configure Cron

 cd /etc/cron.daily/
 ln -s /opt/geneabase/fileserver/bin/fileserver.daily.cron .

[edit] Gateway server installation

[edit] NTP configuration

Edit /etc/ntp.conf and add/replace the following items:

# our network
restrict 95.211.75.96 mask 255.255.255.224
restrict 95.211.75.64 mask 255.255.255.224
restrict 192.168.5.0 mask 255.255.255.0

server 0.nl.pool.ntp.org
server 1.nl.pool.ntp.org
server 2.nl.pool.ntp.org

The 192.168.* address should match the internal network for this rack.

 chkconfig ntpd --level 345 on
 service ntpd restart

The gateway servers may then be used as NTP servers by all machines in our network. If possible, provide the IP addresses of both gateways.

[edit] Mail configuration

All local appliances hosted in the same rack as the gateway server use this server as SMTP server for mailing out error alerts. These appliances should be configured to send mail from racka@geneabase.com (Rack A) or rackb@geneabase.com (Rack B), with the IP address of the local gateway configured as SMTP server.

 yum install sendmail sendmail-cf

Add to /etc/mail/access:

 95.211.75.67 RELAY
 95 REJECT

This only allows the VPN router to use this server as a relay; replace that IP address with the IP address of the VPN router. All connections from outside the 95 network are blocked by the firewall anyway (otherwise we would have to list 1 .. 254 in the reject list as well; there is no other way to express this in sendmail). Rebuild the maps and restart sendmail:

 make restart -C /etc/mail

[edit] Workstation installation

The latest version of Firefox should be available in the geneabase repository. If that is not the latest version, a good starting point for getting the latest release is here: rebuild and install xulrunner first, and then firefox.

If you are having trouble with networking on VMWare, you may need to manually update

 /etc/udev/rules.d/70-persistent-net.rules

To run samba:

 setsebool -P samba_export_all_rw 1

To install multimedia:

 yum install compat-libstdc++-33 libdvdcss libdvdread libdvdplay libdvdnav lsdvd libquicktime
 yum install adobe-release
 yum install flash-plugin
 yum install mplayer mplayer-gui gstreamer-ffmpeg

Install the w32Codecs. (Required for xvid and other proprietary formats.):

 wget http://www1.mplayerhq.hu/MPlayer/releases/codecs/mplayer-codecs-20061022-1.x86_64.rpm
 wget http://www1.mplayerhq.hu/MPlayer/releases/codecs/mplayer-codecs-extra-20061022-1.x86_64.rpm
 yum install mplayer-codecs-*

[edit] Legacy Installation

 cd /opt
 git clone git@github.com:Toutatis/Toutatis-Legacy toutatis
 yum install perl-Bit-Vector perl-Text-Wrapper perl-Date-Calc perl-GD perl-XML-Twig perl-Time-modules perl-Data-UUID ImageMagick-perl perl-Image-ExifTool perl-PDF-API2 perl-Crypt-Blowfish perl-GD-Graph perl-Spreadsheet-WriteExcel tetex-latex perl-JSON perl-Cache-Memcached sendmail dovecot telnet mod_perl mod_ssl perl-Mcrypt perl-GDGraph
 mkdir /var/spool/toutatis /var/log/toutatis
 chown toutatis:toutatis /var/spool/toutatis /var/log/toutatis
 fixtexmf
 setsebool -P allow_httpd_anon_write 1
 semanage fcontext -a -t public_content_rw_t "/var/spool/toutatis(/.*)?"  
 semanage fcontext -a -t httpd_sys_content_t "/var/data/toutatis(/.*)?"
 semanage fcontext -a -t public_content_rw_t "/var/data/toutatis/[0-9a-z]{2}/[0-9a-z]{2}/.*"
 restorecon -r /var/data/toutatis
 restorecon -r /var/spool/toutatis


In MySQL, create the required users with the command:

create user '[USER]'@'localhost' identified by '[PASSWORD]';
grant select, insert, delete, update, lock tables on *.* to '[USER]'@'localhost';

[edit] Dropbox Installation

Dropbox can be installed from rpmforge. On the server, we create a special user for it, dropbox, and add this line to /etc/sysconfig/dropbox

 DROPBOX_USERS=dropbox

After installing dropbox in Centos 5 or 6, the following line needs to be added to the file /etc/prelink.conf:

 -b /usr/libexec/dropbox

This is to prevent prelink from 'optimising' the dropbox executable during bootup, since this optimisation screws up the dropbox binary after a reboot.

If you want to set the document root of a website to a user's Dropbox folder, issue the following commands:

 semanage fcontext -a -t httpd_sys_content_t  "/home/dropbox/Dropbox/Websites(/.*)?"
 restorecon -v -r /home/dropbox/Dropbox/Websites
 setsebool -P httpd_enable_homedirs 1

Alternatively, we can use the daemon that Dropbox itself currently provides: https://www.dropbox.com/install?os=lnx

 cd ~ && wget -O - "https://www.dropbox.com/download?plat=lnx.x86_64" | tar xzf -

Set the umask of your local account (and also put this in .bash_profile):

 umask 022

Then set Dropbox up with ~/.dropbox-dist/dropbox.

To run it as a daemon, run the following command (as the dropbox account user):

 crontab -e

and put the following in it:

 @reboot umask 022; ~/.dropbox-dist/dropboxd
 */5 * * * * /sbin/restorecon -i -r ~/Dropbox

[edit] Schema server Installation

Geneabase XML schemas are hosted at schemas.geneabase.com. This website is mapped to the Schemas directory in the Geneabase dropbox.

 semanage fcontext -a -t httpd_sys_content_t  "/home/geneabase/Dropbox/Schemas(/.*)?"
 restorecon -v -r /home/geneabase/Dropbox/Schemas
 chmod g+rx /home/geneabase

[edit] Asterisk Installation

yum install asterisk asterisk-sounds-core-en-ulaw

[edit] System Recovery and Migration

Old hard drives with LVM partitions on them can be mounted by placing them in a USB receptacle such as a Sharkoon and issuing the following commands:

[root@samurai ~]# lvscan
  inactive          '/dev/VolGroup00/LogVol00' [461.75 GiB] inherit
  inactive          '/dev/VolGroup00/LogVol01' [3.91 GiB] inherit
  ACTIVE            '/dev/vg_samurai/lv_root' [925.14 GiB] inherit
  ACTIVE            '/dev/vg_samurai/lv_swap' [5.88 GiB] inherit
[root@samurai ~]# lvchange -ay VolGroup00
[root@samurai ~]# lvscan
  ACTIVE            '/dev/VolGroup00/LogVol00' [461.75 GiB] inherit
  ACTIVE            '/dev/VolGroup00/LogVol01' [3.91 GiB] inherit
  ACTIVE            '/dev/vg_samurai/lv_root' [925.14 GiB] inherit
  ACTIVE            '/dev/vg_samurai/lv_swap' [5.88 GiB] inherit

The drive is then accessible at /dev/VolGroup00/LogVol00 or can be opened through the desktop gui.

[edit] Static Webserver for Subsites

yum install perl-HTML-Tidy

[edit] Status Server

 mkdir /var/spool/status
 chown apache:apache /var/spool/status
 setsebool -P allow_httpd_anon_write on
 semanage fcontext -a -t public_content_rw_t "/var/spool/status(/.*)?"
 restorecon -v /var/spool/status