Pre-Installation Tasks
CentOS Hardening
We recommend hardening the CentOS system as described in CentOS Hardening.
After installation execute the script:
/opt/teamdrive/hostserver/mysql/os_hardening.sh
to automatically configure the hardening settings. Reboot the system afterwards, because the settings only become active after a reboot.
Check the results with both tools:
inspec exec https://github.com/dev-sec/linux-baseline
lynis audit system
Mount the Space Storage Volume
The top-level directory /spacedata contains the mount points for all space
volumes. By default, the mount point vol01 has already been created by the
td-hostserver RPM package. Note that it must be owned by the user that the
Apache HTTP Server runs under (usually apache).
You need to create a dedicated file system that meets the requirements outlined in chapter Storage Requirements.
Mount the file system and create the respective mount entry in /etc/fstab
to enable automatic mounting of the file system at bootup. Please consult your
Operating System documentation for details on how to perform this step.
Warning
The space volume’s file system must be mounted to /spacedata/vol01,
not /spacedata, to make it possible to mount additional volumes
underneath the /spacedata directory, if required.
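The layout rule from the warning above can be checked mechanically. The following is an added example, not part of the td-hostserver package: the function names and the --live switch are hypothetical, and it assumes GNU stat and the util-linux mountpoint command.

```bash
#!/bin/sh
# Added example, not shipped with TeamDrive. Checks that the space volume has
# its own fstab entry below /spacedata and that nothing is mounted on
# /spacedata itself, as the warning above requires.

# Succeeds if FSTAB has an active (uncommented) entry mounted on MP.
fstab_has_mount() {   # usage: fstab_has_mount FSTAB MP
    awk -v mp="$2" '
        /^[ \t]*(#|$)/ { next }                 # skip comments and blank lines
        { m = $2; sub(/\/+$/, "", m); if (m == mp) found = 1 }
        END { exit(found ? 0 : 1) }' "$1"
}

# Prints a verdict on the layout described in FSTAB; non-zero on a violation.
check_space_volume() {   # usage: check_space_volume FSTAB [ROOT] [VOLUME]
    local fstab="$1" root="${2:-/spacedata}" vol="${3:-vol01}"
    if fstab_has_mount "$fstab" "$root"; then
        echo "FAIL: a file system is mounted on $root itself"
        return 1
    fi
    if ! fstab_has_mount "$fstab" "$root/$vol"; then
        echo "FAIL: no fstab entry for $root/$vol"
        return 1
    fi
    echo "OK: $root/$vol has its own fstab entry"
}

# Succeeds if DIR is owned by USER (default: apache, the usual httpd user).
owned_by() {   # usage: owned_by DIR [USER]
    [ "$(stat -c %U "$1" 2>/dev/null)" = "${2:-apache}" ]
}

# Inspect the live system only when explicitly asked to.
if [ "${1:-}" = "--live" ]; then
    check_space_volume /etc/fstab
    mountpoint -q /spacedata/vol01 || echo "FAIL: /spacedata/vol01 is not mounted"
    owned_by /spacedata/vol01 apache || echo "FAIL: /spacedata/vol01 is not owned by apache"
fi
```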
Verifying File Locking
The Space Storage Volume must provide reliable file locking. Certain network-mounted (NFS) volumes do not, so verify file locking on such a volume before using it.
TDLogTest is a tool which simulates the concurrent access and locking patterns generated by multiple TeamDrive Clients. This tool can be used to test whether file locking support is compatible with the TeamDrive Hosting Service.
Note
The test cannot confirm with 100% certainty whether an NFS volume is
compatible with TeamDrive. However, failure of the test indicates that
a volume is unfit to serve as /spacedata on a Host Server.
The following is a step-by-step guide to running TDLogTest:
Download the package from:
http://s3download.teamdrive.net/HostServer/TDLogTest-1485.tar.gz
and copy it to the Host Server machine.
Create a test directory on the Space Volume, for example:
mkdir /spacedata/vol01/TDLogTest
Enter this directory and extract the content of the tar archive, for example:
tar zxvf ~/TDLogTest-1485.tar.gz
Edit TDLogTest.cfg and set the path in TDLOGS to the directory to be used for testing.
Initialize the test directory by running:
./initTDLogTest
Start the test by running:
./startTDLogTest
The script spawns a (definable) number of reader and writer background processes
which log their progress to STDOUT. Errors will be logged to TDLogTest.err by
default. To stop the test, call ./stopTDLogTest.
Keep the test running for a while. Try using different values for readers and writers
as well, by stopping the test and passing different options to startTDLogTest.
Also try creating multiple test directories and spawning more readers/writers using
a different location.
If there are multiple Host Server instances connected to the same NFS volume, then the test must be performed from multiple instances simultaneously, after the initial test with one instance has succeeded.
Replacing the self-signed SSL certificates with proper certificates
The default Apache HTTP Server installation ships with self-signed SSL certificates for testing purposes. We strongly recommend purchasing and installing proper SSL certificates and keys before moving the server into production.
You will need a properly signed SSL certificate (+ key) and an intermediate certificate (certificate chain) from a trusted authority.
Edit /etc/httpd/conf.d/ssl.conf and enter the absolute location of your files into the appropriate settings:
SSLCertificateFile /path/to/your_domain.crt
SSLCertificateKeyFile /path/to/your_domain.key
Depending on your certificate provider and your security needs, you probably want to set:
SSLCertificateChainFile /path/to/server-chain.crt
or:
SSLCACertificateFile /path/to/gd_bundle.crt
After saving the changes, restart your httpd and watch out for errors:
[root@localhost ~]# service httpd restart
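A mismatched key, a loosely protected key file or a nearly expired certificate is easier to catch before the restart than in the error log afterwards. The following pre-flight check is an added example, not part of the TeamDrive documentation or packages: the function names are hypothetical, and it assumes the openssl command line tool, GNU stat and an unencrypted key file.

```bash
#!/bin/sh
# Added example, not shipped with TeamDrive. Run it on the files named in
# SSLCertificateFile and SSLCertificateKeyFile before restarting httpd.

# Succeeds if private key KEY belongs to certificate CERT, i.e. both yield
# the same public key. Returns 2 if either file cannot be parsed.
cert_matches_key() {   # usage: cert_matches_key CERT KEY
    local c k
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Succeeds if KEY is accessible by its owner only (mode 400 or 600).
key_mode_ok() {   # usage: key_mode_ok KEY
    case "$(stat -c %a "$1" 2>/dev/null)" in
        400|600) return 0 ;;
        *)       return 1 ;;
    esac
}

# Succeeds if CERT is still valid SECONDS from now (default: 30 days).
cert_not_expiring() {   # usage: cert_not_expiring CERT [SECONDS]
    openssl x509 -in "$1" -noout -checkend "${2:-2592000}" >/dev/null 2>&1
}

# Runs all checks, prints one line per finding, returns non-zero on failure.
preflight() {   # usage: preflight CERT KEY
    local rc=0
    cert_matches_key "$1" "$2" || { echo "FAIL: $2 is not the key for $1"; rc=1; }
    key_mode_ok "$2" || { echo "FAIL: $2 has a mode other than 400/600"; rc=1; }
    cert_not_expiring "$1" || { echo "FAIL: $1 is unreadable or expires within 30 days"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: $1 and $2 pass the pre-flight checks"
    return "$rc"
}

# Stand-alone use: preflight.sh /path/to/your_domain.crt /path/to/your_domain.key
if [ "$#" -eq 2 ]; then
    preflight "$1" "$2" && echo "Next: apachectl configtest, then restart httpd"
fi
```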
Now you can log out and proceed with the configuration via browser to register the Web Portal as described in the “Associating the Web Portal with a Provider” section in the web portal documentation. For production use please read the following two chapters about the necessary storage.
Starting the Host Server Instance
After all configuration steps have been performed, we can start the TeamDrive Services to conclude the initial installation/configuration.
Starting td-hostserver
To activate the yvvad-based td-hostserver background task you have to
start the service using the provided init script.
The configuration file /etc/td-hosting.conf defines how this process is
run. You usually don’t have to modify these settings.
To start the td-hostserver program, use the service command as user
root:
[root@hostserver ~]# service td-hostserver start
Starting TeamDrive Hosting Services:                       [  OK  ]
Use the status option to the service command to verify that the
service has started:
[root@hostserver ~]# service td-hostserver status
yvvad (pid  2506) is running...
If td-hostserver does not start (process yvvad is not running), check
the log file /var/log/td-hostserver.log for errors. See chapter
Troubleshooting for details.
Starting the Apache HTTP Server
Now the Apache HTTP Server can be started, which provides the TeamDrive Host
Server functionality (via mod_pspace) as well as access to the TeamDrive
Hosting Service Administration Console and API (via mod_yvva).
You can start the service manually using the following command:
[root@hostserver ~]# service httpd start
Warning
At this point, the Host Server’s web server is answering incoming requests from any web client that can connect to its address. For security purposes, you should not make it accessible from the public Internet until you have concluded the initial configuration, e.g. by blocking external access using a firewall.
Check the log files /var/log/httpd/error_log, /var/log/td-hostserver.log,
and /var/log/mod_pspace.log for startup messages and possible errors:
[notice] mod_yvva 1.4.1 (Jan 10 2017 11:57:45) loaded
[notice] Logging (=error) to: /var/log/td-hostserver.log
[notice] Apache/2.2.31 (Unix) mod_ssl/2.2.31 OpenSSL/1.0.1k-fips configured
-- resuming normal operations
[notice] mod_pspace 1.7.10 Loaded; Build Nov 17 2016 16:55:00;
Crash-Reporting-Disabled
Please consult chapter Troubleshooting if there is an error when starting the service.
Note
You may observe Admin API Errors like the following one:
Admin API, Error loading parameters: Host Server setup has not been completed
These errors can be ignored at this stage. They are caused by the fact that the Host Server has not been configured and registered with a Registration Server yet. This step will be described in the following chapter.