r9 - 28 Jan 2009 - 21:07:12 - Main.jisooy

Jisoo's server setup

This page gives step-by-step instructions for setting up my camel server from a fresh install. It has two purposes. First, I want one page of sysadmin notes with many concrete examples, so that I can find the right command and the right syntax without searching Google or reading man pages. Second, in case of a hardware crash or an upgrade, I want to rebuild the server as quickly as possible from a fresh Linux (Red Hat) install.

User accounts

Firewall/NAT setup

commands:

  • iptables : change the firewall (iptables) rules in the running kernel
  • iptables-save : dump the current ruleset (read it before saving it)
  • service iptables save : write the current ruleset to /etc/sysconfig/iptables
files:
  • /etc/sysconfig/iptables : firewall rules loaded at boot
  • /etc/sysctl.conf : kernel settings applied at boot; IP forwarding, which NAT needs, is turned on here
  • /proc/sys/net/ipv4/ip_forward : live IP-forwarding switch (0 = off, 1 = on); NAT only works with it on

Firewall

eth0 connects to CS network, eth1 to RT-local (10.10.x.x), and eth2 to private (10.0.3.x) network. tun0 is for VPN tunnel (10.82.2.x).

Allow all packets from eth2 (private), eth1 (RT-local), and tun0 (VPN). The RH-Firewall-1-INPUT chain ends with a catch-all REJECT, so new rules must be inserted (-I) ahead of it; a rule appended with -A lands after the REJECT and never matches. Write the source as the network address (10.0.3.0/24): a host address with a /24 mask is silently masked down to the same network anyway.

# iptables -t filter -I RH-Firewall-1-INPUT -s 10.0.3.0/24 -i eth2 -j ACCEPT
# iptables -t filter -I RH-Firewall-1-INPUT 2 -s 10.10.0.0/24 -i eth1 -j ACCEPT
# iptables -t filter -I RH-Firewall-1-INPUT 3 -i tun+ -j ACCEPT

To open TCP port 80 (web) and UDP port 1194 (OpenVPN):

# iptables -t filter -I RH-Firewall-1-INPUT 12 -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
# iptables -t filter -I RH-Firewall-1-INPUT 10 -p udp -m udp --dport 1194 -j ACCEPT

The number (12, 10) is the position in the chain. List the chain first with iptables -L RH-Firewall-1-INPUT -n --line-numbers and pick an index that puts the rule before the final REJECT: an index one past the last rule appends the new rule after the REJECT, where it is dead, and a larger index is an error.
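Whether a rule inserted by number really ended up ahead of the chain's closing REJECT is easy to get wrong, so here is an added audit script (my own, not part of the original page). It scans iptables-save output and reports any ACCEPT rule that sits after an unconditional REJECT or DROP in the same chain. The embedded ruleset is constructed for the demonstration, modelled on the RHEL5 default chain with the port-80 rule landing one position too late; the function names are mine.

```shell
#!/usr/bin/env bash
# Added audit script (not from the original page): find ACCEPT rules that can
# never match because the same chain already hit an unconditional REJECT/DROP.
# Usage:  iptables-save | ./dead_rules.sh -    or    ./dead_rules.sh /etc/sysconfig/iptables

find_dead_rules() {
    # $1: file in iptables-save format, or "-" for stdin.
    # Prints "DEAD table/chain: rule" for each dead rule; exit status 1 if any found.
    awk '
        /^\*/     { table = substr($0, 2); next }        # *filter, *nat, ...
        /^COMMIT/ { split("", blocked); next }           # chains are per table
        /^-A /    {
            chain = $2
            if ((chain in blocked) && $0 ~ /-j ACCEPT( |$)/) {
                printf "DEAD %s/%s: %s\n", table, chain, $0
                dead++
            }
            # Unconditional terminating rule: "-A CHAIN -j REJECT ..." or "-j DROP"
            if ($3 == "-j" && ($4 == "REJECT" || $4 == "DROP")) { blocked[chain] = 1 }
        }
        END { exit (dead > 0) }
    ' "$1"
}

# Constructed sample: RHEL5-style ruleset in which "iptables -I RH-Firewall-1-INPUT 12"
# landed after the REJECT because the chain only had 11 rules at the time.
sample_ruleset() {
    cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -s 10.0.3.0/24 -i eth2 -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 1194 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
COMMIT
EOF
}

if [ "${1:-}" = "--demo" ]; then
    sample_ruleset | find_dead_rules -
elif [ -n "${1:-}" ]; then
    find_dead_rules "$1"
fi
```

Run it against the live ruleset (iptables-save | ./dead_rules.sh -) right after inserting rules and again after service iptables save; a non-zero exit means at least one rule is unreachable.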

NAT

Outgoing packets from eth2 are routed via eth0 using NAT. Restrict the masquerade to the private subnet, so that nothing else the box happens to route out eth0 (VPN clients, for instance) gets rewritten:
# iptables -t nat -A POSTROUTING -s 10.0.3.0/24 -o eth0 -j MASQUERADE

Save the iptables rules:

# service iptables save

Now tell the kernel to forward packets (NAT does nothing without IP forwarding):

# echo 1 > /proc/sys/net/ipv4/ip_forward

To have forwarding enabled on every reboot, open /etc/sysctl.conf and set net.ipv4.ip_forward = 1 (sysctl -p applies the file immediately).

Port forwarding (virtual server)

To forward a port range, for example TCP 6881-6889 to 10.0.3.178, add a DNAT rule. Match only packets arriving on the outside interface (-i eth0), otherwise hosts on the private net can also reach the forwarded ports through the NAT box. The rewritten packets then pass through the FORWARD chain, which on this system jumps into RH-Firewall-1-INPUT and so ends in REJECT; they need an ACCEPT there as well (for -d 10.0.3.178 -p tcp --dport 6881:6889), or the forward silently delivers nothing.

# iptables -t nat -I PREROUTING -i eth0 -p tcp --dport 6881:6889 -j DNAT --to-destination 10.0.3.178
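The NAT, forwarding-switch and port-forward steps above as one script. This is an added example, not part of the original page, and it tightens the page's rules in three ways: MASQUERADE is limited to the private subnet, the DNAT matches only on the outside interface, and the FORWARD chain is opened explicitly for the forwarded ports, since the RHEL5 default FORWARD chain jumps into RH-Firewall-1-INPUT and its closing REJECT would otherwise drop them. Interface names, subnets and the inside host are taken from the page; IPT, SYSCTL_CONF and IP_FORWARD are knobs I added so the script can be previewed (IPT=echo) or exercised without touching the real system.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): NAT + port forwarding in one step.
# Run as root:  ./nat.sh apply        Preview without root:  IPT=echo ./nat.sh apply
set -u

IPT=${IPT:-iptables}
EXT_IF=${EXT_IF:-eth0}               # CS network (outside)
PRIV_IF=${PRIV_IF:-eth2}             # private network (inside)
PRIV_NET=${PRIV_NET:-10.0.3.0/24}
SYSCTL_CONF=${SYSCTL_CONF:-/etc/sysctl.conf}
IP_FORWARD=${IP_FORWARD:-/proc/sys/net/ipv4/ip_forward}

# Masquerade only traffic that originates on the private net. Without -s the
# rule also rewrites anything else the box routes out eth0 (e.g. VPN clients).
nat_masquerade() {
    "$IPT" -t nat -A POSTROUTING -s "$PRIV_NET" -o "$EXT_IF" -j MASQUERADE
}

# forward_port PROTO PORT[:PORT] INSIDE_HOST
# With no port in --to-destination, DNAT keeps the original destination port,
# so a range maps 1:1 (6881:6889 -> 10.0.3.178 ports 6881-6889).
forward_port() {
    proto=$1 ports=$2 host=$3
    "$IPT" -t nat -A PREROUTING -i "$EXT_IF" -p "$proto" --dport "$ports" \
        -j DNAT --to-destination "$host"
    # The rewritten packets still traverse FORWARD; insert at the top so this
    # ACCEPT is hit before the jump into RH-Firewall-1-INPUT (which ends in REJECT).
    "$IPT" -t filter -I FORWARD 1 -i "$EXT_IF" -o "$PRIV_IF" -d "$host" \
        -p "$proto" --dport "$ports" -j ACCEPT
}

# Turn forwarding on now and make it survive a reboot: edit an existing
# net.ipv4.ip_forward line if there is one, otherwise append it (idempotent).
enable_forwarding() {
    echo 1 > "$IP_FORWARD"
    if grep -q '^net\.ipv4\.ip_forward' "$SYSCTL_CONF"; then
        sed -i 's/^net\.ipv4\.ip_forward[[:space:]]*=.*/net.ipv4.ip_forward = 1/' "$SYSCTL_CONF"
    else
        echo 'net.ipv4.ip_forward = 1' >> "$SYSCTL_CONF"
    fi
}

if [ "${1:-}" = "apply" ]; then
    nat_masquerade
    forward_port tcp 6881:6889 10.0.3.178
    enable_forwarding
    echo "done; persist the iptables part with: service iptables save"
fi
```

The script appends and inserts without checking for duplicates (the iptables shipped with RHEL5 has no -C), so run it once on a fresh ruleset and then service iptables save, rather than on every boot.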

VPN (OpenVPN)

Download and install the openvpn and lzo2 packages (openvpn needs lzo2). Check the RPM signatures with rpm -K before installing anything fetched from a third-party repository.

# wget http://dag.wieers.com/rpm/packages/openvpn/openvpn-2.0.9-1.el5.rf.i386.rpm
# wget http://dag.wieers.com/rpm/packages/lzo2/lzo2-2.0.2-3.el5.rf.i386.rpm
# rpm -i *.rpm

Create certificates: follow the certificate creation steps here, and place the certificates and keys under /etc/openvpn/keys/. The server's private key should be owned by root with mode 0600; OpenVPN reads it as root before dropping privileges.

Edit /etc/openvpn/server.conf, starting from the sample config shipped with the package, and set the following parameters. Keep the sample's persist-key and persist-tun lines: once the daemon has dropped to user nobody it cannot reopen the key file or the tun device on a SIGUSR1 restart without them. A 1024-bit DH group was the norm in 2008; if this setup is redone today, generate a 2048-bit one (openssl dhparam -out dh2048.pem 2048) and point dh at it.

local 141.212.110.110
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key
dh /etc/openvpn/keys/dh1024.pem
server 10.82.2.0 255.255.255.0
push "route 10.0.3.0 255.255.255.0"
cipher AES-128-CBC
user nobody
group nobody

Run the server:

# service openvpn start
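Before starting the daemon, an added pre-flight check (my own script, not from the page) over the key paths that server.conf names: every file the ca, cert, key and dh directives reference must exist, and the private key must be owned by root with no group or other permission bits, because OpenVPN opens it as root before switching to user/group nobody. KEY_OWNER is a knob I added for the expected owner; relative paths are assumed to resolve against the directory holding server.conf (the Red Hat init script cd's into /etc/openvpn). The fixture used to exercise it is constructed.

```shell
#!/usr/bin/env bash
# Added check (not from the original page): verify the key material that
# server.conf points at before starting OpenVPN.
# Usage: ./check_openvpn_keys.sh /etc/openvpn/server.conf   (exit status = number of problems)

KEY_OWNER=${KEY_OWNER:-root}   # expected owner of the private key

# Argument of the first active (uncommented) occurrence of a directive.
conf_value() {
    awk -v d="$2" '$1 == d { print $2; exit }' "$1"
}

check_openvpn_keys() {
    conf=$1; problems=0; confdir=$(dirname "$conf")
    for directive in ca cert key dh; do
        file=$(conf_value "$conf" "$directive")
        if [ -z "$file" ]; then
            echo "MISSING directive '$directive' in $conf"
            problems=$((problems + 1)); continue
        fi
        # Assumption: a relative path is relative to the conf's directory.
        case $file in /*) ;; *) file=$confdir/$file ;; esac
        if [ ! -f "$file" ]; then
            echo "MISSING file for '$directive': $file"
            problems=$((problems + 1)); continue
        fi
        if [ "$directive" = key ]; then
            perms=$(stat -c '%A' "$file")   # symbolic mode, e.g. -rw-------
            owner=$(stat -c '%U' "$file")
            case $perms in
                ????------) ;;             # no group/other bits: 0600 or 0400
                *) echo "PERMS $file is $perms; the private key must be 0600 (or 0400)"
                   problems=$((problems + 1)) ;;
            esac
            if [ "$owner" != "$KEY_OWNER" ]; then
                echo "OWNER $file is owned by $owner, expected $KEY_OWNER"
                problems=$((problems + 1))
            fi
        fi
    done
    [ "$problems" -eq 0 ] && echo "OK: key material referenced by $conf looks sane"
    return "$problems"
}

if [ -n "${1:-}" ]; then
    check_openvpn_keys "$1"
fi
```

Run it as ./check_openvpn_keys.sh /etc/openvpn/server.conf before service openvpn start; anything other than a single OK line means the daemon will either fail to start or run with an exposed key.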

File system mount/NFS setup

commands:
  • mount -l : list mounted filesystems
  • exportfs -a : export everything listed in /etc/exports (exportfs -ra re-reads the file on a running server)
  • service nfs start : start the NFS daemons
  • chkconfig --level 35 nfs on : enable NFS on runlevels 3 and 5
  • showmount -e camel : show the NFS export list of host camel
files:
  • /etc/exports : list of exports and their options
  • /etc/auto.master : the client's automount configuration

Local file system mount

Mount /dev/hda2 and /dev/md0 on /mnt/oldcamel and /mnt/x respectively:

Create mount points by # mkdir /mnt/oldcamel /mnt/x.

Then add following lines to /etc/fstab:

/dev/hda2                 /mnt/oldcamel          ext3    defaults     1 2
/dev/md0                  /mnt/x                 ext3    defaults     1 2

Mount filesystems: # mount /mnt/oldcamel; mount /mnt/x.

NFS export

Export /mnt/x/share and /share to my private network (10.0.3.176/28). The former is backed by RAID, the latter is bulk storage. Each export has directories owned by individual users; root_squash (the default, spelled out here) keeps a client's root from acting as root on the server.

Add following lines to /etc/exports:

/mnt/x/share   10.0.3.176/28(rw,root_squash,sync)
/share   10.0.3.176/28(rw,root_squash,sync)

Launch the daemon:

# service nfs start

If NFS is already running, re-export after editing /etc/exports with # exportfs -ra.

Launch nfs on runlevel 3 and 5:

# chkconfig --level 35 nfs on

Test from a client if exports are visible: [client]# showmount -e camel
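An added audit (my own, not part of the page) for /etc/exports, shown here against a constructed sample that contains the two exports above plus three deliberately bad lines. It flags exports with no client list or a * client, no_root_squash (the opposite of what the lines above rely on) and insecure (which accepts NFS requests from unprivileged source ports, so any user on a trusted client can forge them). Pair it with exportfs -v, which prints the effective options after the defaults are filled in.

```shell
#!/usr/bin/env bash
# Added audit (not from the original page): flag risky NFS exports.
# Usage: ./check_exports.sh /etc/exports      (exit status 1 if anything is flagged)

check_exports() {
    # $1: exports file, or "-" for stdin
    awk '
        /^[[:space:]]*(#|$)/ { next }                 # comments and blank lines
        {
            path = $1
            if (NF == 1) { printf "OPEN %s: no client list, exported to everyone\n", path; n++; next }
            for (i = 2; i <= NF; i++) {
                client = $i; opts = ""
                # "host(opts)" -> host and opts; a bare "(opts)" means any host
                if (match(client, /\(.*\)$/)) {
                    opts   = substr(client, RSTART + 1, RLENGTH - 2)
                    client = substr(client, 1, RSTART - 1)
                }
                if (client == "" || client == "*") {
                    printf "OPEN %s: wildcard client \"%s\"\n", path, $i; n++
                }
                if (opts ~ /(^|,)no_root_squash(,|$)/) {
                    printf "ROOT %s: no_root_squash for %s (remote root is root here)\n", path, client; n++
                }
                if (opts ~ /(^|,)insecure(,|$)/) {
                    printf "PORT %s: insecure for %s (requests from unprivileged ports accepted)\n", path, client; n++
                }
            }
        }
        END { exit (n > 0) }
    ' "$1"
}

# Constructed sample: the two exports from this page plus three bad lines.
sample_exports() {
    cat <<'EOF'
# /etc/exports (constructed sample)
/mnt/x/share   10.0.3.176/28(rw,root_squash,sync)
/share         10.0.3.176/28(rw,root_squash,sync)
/pub           *(ro,sync)
/srv/build     10.0.3.0/24(rw,no_root_squash,sync)
/opt           (rw)
EOF
}

if [ "${1:-}" = "--demo" ]; then
    sample_exports | check_exports -
elif [ -n "${1:-}" ]; then
    check_exports "$1"
fi
```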

Samba

Export home directories with RTCL as the workgroup. Restrict access to the local net (eth2, 10.0.3.0/24). Our firewall setting should already allow local SMB access. Note that interfaces = ... only narrows what Samba listens on when bind interfaces only = yes is set as well, and hosts allow restricts who may connect regardless of interface; both are included below.

commands:

  • service smb start : start samba service
  • chkconfig smb on : enable Samba at boot
files:
  • /etc/samba/smb.conf : samba configuration file

Edit /etc/samba/smb.conf as follows. Under [global]:

    workgroup = rtcl
    server string = camel Samba Server
    interfaces = lo eth2 10.0.3.2/24
    bind interfaces only = yes
    hosts allow = 127. 10.0.3.
...
    log file = /var/log/samba/%m.log
    max log size = 50

Then launch system-config-samba to add and map Samba users. Re-edit smb.conf and add the following:

    map archive = no

This stops Samba from mapping the Windows 'archive' attribute onto the Unix user-execute bit. Run testparm -s afterwards to check the file for syntax errors.

Start samba service:

# service smb start

Launch samba upon reboot:

# chkconfig smb on

Web server setup

httpd (Apache)

files:
  • /etc/httpd/conf/httpd.conf : Apache configuration
  • /mnt/x/www/ : web root on raid

First, make sure the httpd (Apache) package is installed. Then edit /etc/httpd/conf/httpd.conf and set the server name:

...
ServerName camel.eecs.umich.edu:80

Check the firewall and open port 80 if it is not already open.

I use /mnt/x/www as the document root instead of the system default /var/www/: make /var/www/ a symbolic link to /mnt/x/www. With SELinux enforcing (the Red Hat default), httpd can only read files labelled httpd_sys_content_t, so relabel the new tree (chcon -R -t httpd_sys_content_t /mnt/x/www) or every request will get a 403.

Run and register the web service as usual:

# service httpd start
# chkconfig httpd on

Media wiki

TBF

SCM server setup

Perforce

Run perforce on port 1666 with repository located at /mnt/x/p4root, log at /var/log/p4err, and journal at /var/log/p4journal.

Refer to the PerforceServerSetup for general guide. We should already have user perforce and group p4admin.

First, download p4/p4d/p4.1/p4d.1 from here and here, and then install:

# install -o root -g root -m 755 -t /usr/local/bin p4 p4d
# install -o root -g root -m 644 -t /usr/local/share/man/man1 p4.1 p4d.1

Depending on the situation, we may need to create a fresh journal and error log:

# touch /var/log/p4err /var/log/p4journal
# chown perforce:p4admin /var/log/p4err /var/log/p4journal

Download the init script p4d here, edit the file to change the parameters, place it under /etc/rc.d/init.d with execute permission, then run:

# chkconfig --add p4d
# service p4d start

Check that the server is running:

$ p4 -p camel:1666 info

Subversion

Our objective is to make svn repositories accessible via http://camel.eecs.umich.edu/repos/reponame

commands:

  • htpasswd -c /etc/htpasswdfile username : create an HTTP authentication file with its first user. To add or change a user, omit -c (with -c the file is overwritten).
  • svnadmin create /path/to/repository : subversion repository administration (creating repository)
files:
  • /etc/httpd/conf.d/subversion.conf : subversion apache module configuration file
  • /var/www/svn : my base location to repositories (symbolic link to /mnt/x/www/svn/)

We are going to use the web-based (WebDAV) interface for accessing repositories. As prerequisites, httpd must be up and running and the subversion packages (subversion and mod_dav_svn) must be installed.

Edit /etc/httpd/conf.d/subversion.conf:

<Location /repos>
   DAV svn
   SVNParentPath /mnt/x/www/svn

   # Limit write permission to list of valid users.
   <LimitExcept GET PROPFIND OPTIONS REPORT>
      # Require SSL connection for password protection.
      # SSLRequireSSL

      AuthType Basic
      AuthName "Subversion Public Auth"
      AuthUserFile /etc/svn-auth-muri08wp
      Require valid-user
   </LimitExcept>
</Location>

Now use htpasswd to create the authentication file, /etc/svn-auth-muri08wp here (any path outside the document tree will do). With SSLRequireSSL commented out as above, every commit sends these Basic-auth credentials in cleartext over port 80; enable mod_ssl and uncomment it, otherwise the password is visible to anyone who can sniff the path to the server. Keep the file readable by httpd but not by everyone: chown root:apache and chmod 640.

# htpasswd -c /etc/svn-auth-muri08wp jisooy
... enter password upon prompt 
# htpasswd /etc/svn-auth-muri08wp otheruser
...

Reload the web server so it picks up the new configuration:

# service httpd reload

To create a repository, run the following. The files must be owned by the user httpd runs as (apache), since mod_dav_svn does the writing:

# svnadmin create /var/www/svn/awesomeproject
# chown -R apache:apache /var/www/svn/awesomeproject
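The subversion.conf above deliberately leaves anonymous read open and authenticates only writes, which is fine; the risk is the commented-out SSLRequireSSL, which means the Basic-auth password crosses the wire in the clear. Here is an added check (my own, not from the page) that scans an Apache conf fragment for an active AuthType Basic without an active SSLRequireSSL in the same file, and verifies that each referenced AuthUserFile exists and is not readable by "other" (root:apache 0640 is all httpd needs). The sample conf it is exercised with is constructed from the block above.

```shell
#!/usr/bin/env bash
# Added check (not from the original page): catch Basic auth over cleartext HTTP
# and over-exposed password files in an Apache conf fragment such as
# /etc/httpd/conf.d/subversion.conf.   Usage: ./check_auth_conf.sh FILE   (exit = problem count)

# Active directives only: strip leading whitespace, drop comments and blank lines.
active_directives() {
    sed -e 's/^[[:space:]]*//' -e '/^#/d' -e '/^$/d' "$1"
}

check_auth_conf() {
    conf=$1; problems=0
    if active_directives "$conf" | grep -qi '^AuthType[[:space:]][[:space:]]*Basic'; then
        if ! active_directives "$conf" | grep -qi '^SSLRequireSSL'; then
            echo "CLEARTEXT $conf: AuthType Basic without SSLRequireSSL (credentials sent over plain HTTP)"
            problems=$((problems + 1))
        fi
    fi
    for f in $(active_directives "$conf" | awk 'tolower($1) == "authuserfile" { print $2 }'); do
        if [ ! -f "$f" ]; then
            echo "MISSING $conf: AuthUserFile $f does not exist (run htpasswd -c first)"
            problems=$((problems + 1)); continue
        fi
        case $(stat -c '%A' "$f") in
            ???????---) ;;   # no bits for "other"; root:apache 0640 is enough for httpd
            *) echo "PERMS $f is readable by everyone; chown root:apache, chmod 640"
               problems=$((problems + 1)) ;;
        esac
    done
    return "$problems"
}

if [ -n "${1:-}" ]; then
    check_auth_conf "$1"
fi
```

The check is per file, which matches how conf.d fragments are written; a SSLRequireSSL that lives in another file would not be seen, so run it against the fragment that carries the AuthType line.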

-- Main.jisooy - 24 Nov 2008
