Operating System Installation and Configuration

Base Operating System Installation

Perform a minimal OS installation of a recent RHEL6 or derivative Linux distribution, using your preferred installation method (manual install, Kickstart, etc). The details of how to perform this task are out of the scope of this document.

The system should have IP connectivity, using a fixed IP address and a resolvable fully qualified domain name. For performing the installation, the system needs to be able to establish outgoing TCP connections (mainly to download additional components).

Additionally, a local or remote MTA (e.g. Postfix or Sendmail) needs to be installed and configured so the system is capable of sending email.

Boot up the system and log in as the root user.

Enable Time Synchronization With NTP

We strongly advise that the clocks of all servers in a TeamDrive installation are synchronized using the Network Time Protocol (NTP). This can be achieved by installing the ntp package and enabling the NTP daemon:

[root@regserver install]# yum install ntp
[root@regserver install]# service ntpd start
[root@regserver install]# chkconfig ntpd on

Edit and update the configuration file /etc/ntp.conf, if necessary for your local environment.

Disable SELinux

The TeamDrive Registration Server currently can not be run when SELinux is enabled. Edit the file /etc/selinux/config and set SELINUX=disabled.

Reboot the system or change the SELinux enforcing mode at run time using the following command:

[root@regserver install]# echo 0 > /selinux/enforce

Firewall Configuration

You should configure a local firewall so the server is protected against remote attacks. The only TCP ports that must be reacheable from the Internet are 80 (http) and 443 (https). Optionally, port 22 (SSH) can be opened to facilitate remote administration, but access to this port should be restricted to known and trusted IP addresses or networks only.

On a minimal installation, you can install and use the text-based firewall configuration utility to enable access to the following services:

  • SSH
  • Secure WWW (HTTPS)
  • WWW (HTTP)

To configure the firewall, you need to run the following commands:

[root@regserver install]# yum install system-config-firewall-tui \
newt-python
[root@regserver install]# system-config-firewall-tui

Follow the instructions to configure the firewall. Enable additional protections based on your local requirements or security policies.

You can check the result with iptables -L:

[root@regserver ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:https
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Installing MySQL Server

The TeamDrive Registration Server requires a MySQL database to store its information. This document assumes that the MySQL instance runs on the same host as the Registration Server itself, connecting to it via the local socket file.

Alternatively, it’s possible to use an external MySQL Server. In this case, you need to make sure that this external MySQL instance is reachable via TCP from the Registration Server (usually via TCP port 3306) and that the teamdrive MySQL user account is defined correctly (e.g. the MySQL username in the remote database would become teamdrive@regserver.yourdomain.com instead of teamdrive@localhost).

Most MySQL installations usually do not allow the root user to log in from a remote host. In this case the installation script is unable to create the dedicated teamdrive user automatically and you need to perform this step manually before performing the installation of the TeamDrive Registration Server databases.

Especially the correct definition of the host part is critical, as MySQL considers username@hostserver and username@hostserver.yourdomain.com as two different user accounts.

To set up the Registration Server using a local MySQL Database, install the MySQL Client and Server packages:

[root@hostserver ~]# yum install mysql mysql-server

For reliablility and performance reasons, we recommend placing the MySQL data directory /var/lib/mysql on a dedicated file system or storage volume.

Please start the MySQL server, run the secure installation script and follow the recommendations. Make sure to create a password for the MySQL root user and take note of it:

[root@regserver ~ ]# service mysqld start
Initializing MySQL database:  Installing MySQL system tables...
OK
Filling help tables...
OK

To start mysqld at boot time you have to copy
support-files/mysql.server to the right place for your system

PLEASE REMEMBER TO SET A PASSWORD FOR THE MySQL root USER !
To do so, start the server, then issue the following commands:

/usr/bin/mysqladmin -u root password 'new-password'
/usr/bin/mysqladmin -u root -h regserver.yourdomain.com password 'new-password'

Alternatively you can run:
/usr/bin/mysql_secure_installation

which will also give you the option of removing the test
databases and anonymous user created by default.  This is
strongly recommended for production servers.

See the manual for more instructions.

You can start the MySQL daemon with:
cd /usr ; /usr/bin/mysqld_safe &

You can test the MySQL daemon with mysql-test-run.pl
cd /usr/mysql-test ; perl mysql-test-run.pl

Please report any problems with the /usr/bin/mysqlbug script!

                                                           [  OK  ]
Starting mysqld:                                           [  OK  ]
[root@regserver ~ ]# mysql_secure_installation

NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MySQL
      SERVERS IN PRODUCTION USE!  PLEASE READ EACH STEP CAREFULLY!

In order to log into MySQL to secure it, we'll need the current
password for the root user.  If you've just installed MySQL, and
you haven't set the root password yet, the password will be blank,
so you should just press enter here.

Enter current password for root (enter for none): <Enter>
OK, successfully used password, moving on...

Setting the root password ensures that nobody can log into the MySQL
root user without the proper authorisation.

Set root password? [Y/n] <y>
New password: <mysql_root_pw>
Re-enter new password: <mysql_root_pw>
Password updated successfully!
Reloading privilege tables..
... Success!

By default, a MySQL installation has an anonymous user, allowing anyone
to log into MySQL without having to have a user account created for
them.  This is intended only for testing, and to make the installation
go a bit smoother.  You should remove them before moving into a
production environment.

Remove anonymous users? [Y/n] <Enter>
... Success!

Normally, root should only be allowed to connect from 'localhost'.  This
ensures that someone cannot guess at the root password from the network.

Disallow root login remotely? [Y/n] <Enter>
... Success!

By default, MySQL comes with a database named 'test' that anyone can
access.  This is also intended only for testing, and should be removed
before moving into a production environment.

Remove test database and access to it? [Y/n] <Enter>
- Dropping test database...
... Success!
- Removing privileges on test database...
... Success!

Reloading the privilege tables will ensure that all changes made so far
will take effect immediately.

Reload privilege tables now? [Y/n] <Enter>
... Success!

Cleaning up...

All done!  If you've completed all of the above steps, your MySQL
installation should now be secure.

Thanks for using MySQL!

MySQL is now up and running so you can proceed with creating the teamdrive user and the MySQL databases required for the TeamDrive Host Server.

Apache / PHP Setup and Configuration

The TeamDrive Clients use the HTTP protocol to communicate with the Registration Server’s Apache instance and the Admin Console is based on the PHP scripting language.

Install the Apache http Server by running the following command:

[root@regserver ~]# yum install httpd mod_ssl

The Apache webserver needs to be changed to run as httpd.worker and not as httpd.prefork. To change this, you need to uncomment the HTTPD variable on top of /etc/sysconfig/httpd.

You will see the line:

#HTTPD=/usr/sbin/httpd.worker

Please change it to:

HTTPD=/usr/sbin/httpd.worker

Change the worker-specific configuration options in /etc/httpd/conf/httpd.conf as follows:

<IfModule worker.c>
StartServers         4
MaxClients         300
MinSpareThreads     75
MaxSpareThreads     75
ThreadsPerChild     25
MaxRequestsPerChild  10000
</IfModule>

Note

Please note, that these values depend heavily on the amount of Clients you need to serve, how frequent they contact the Registration Server for updates, and how much memory your system provides. You should adapt these values to match your environment and requirements. Consult the Apache http Server documentation for a detailed description of these values:

For security reasons, we also advise to disable the so-called “Server Signature” - a feature that adds a line containing the server version and virtual host name to server-generated pages (e.g. internal error documents, FTP directory listings, etc):

ServerSignature Off

By default, the server version and operating system is also displayed in the Server response header field, e.g. Server: Apache/2.2.15 (CentOS). To suppress this output, we suggest to update the ServerTokens option as follows:

ServerTokens Prod

The TeamDrive Registration Server only requires a few Apache modules to be enabled. To reduce the memory footprint, please deactivate unnecessary modules in the apache configuration. Only the following modules should be enabled in /etc/httpd/conf/httpd.conf:

LoadModule authz_host_module modules/mod_authz_host.so
LoadModule authz_user_module modules/mod_authz_user.so
LoadModule log_config_module modules/mod_log_config.so
LoadModule headers_module modules/mod_headers.so
LoadModule setenvif_module modules/mod_setenvif.so
LoadModule mime_module modules/mod_mime.so
LoadModule autoindex_module modules/mod_autoindex.so
LoadModule dir_module modules/mod_dir.so
LoadModule actions_module modules/mod_actions.so
LoadModule alias_module modules/mod_alias.so
LoadModule rewrite_module modules/mod_rewrite.so

Comment out the following variables in /etc/httpd/conf/httpd.conf to avoid syntax errors caused by the disabled modules:

# LanguagePriority en ca cs da de el eo es et fr he hr it ja ko ltz nl nn no
pl pt pt-BR ru sv zh-CN zh-TW
# ForceLanguagePriority Prefer Fallback
# BrowserMatch "Mozilla/2" nokeepalive
# BrowserMatch "MSIE 4\.0b2;" nokeepalive downgrade-1.0 force-response-1.0
# BrowserMatch "RealPlayer 4\.0" force-response-1.0
# BrowserMatch "Java/1\.0" force-response-1.0
# BrowserMatch "JDK/1\.0" force-response-1.0
# BrowserMatch "Microsoft Data Access Internet Publishing Provider"
redirect-carefully
# BrowserMatch "^WebDrive" redirect-carefully
# BrowserMatch "^WebDAVFS/1.[0123]" redirect-carefully
# BrowserMatch "^gnome-vfs/1.0" redirect-carefully
# BrowserMatch "^XML Spy" redirect-carefully
# BrowserMatch "^Dreamweaver-WebDAV-SCM1" redirect-carefully

In a production setting we also advise to disable the access log, because all clients will poll the same URL and it doesn’t make sense to log each request. To facilitate this, comment out the following line in the default httpd.conf:

# CustomLog logs/access_log combined

Because the Apache http Server has been configured to use the threaded “worker” multi-processing module (MPM), we can not use the embedded PHP Apache module mod_php.so. Therefore we need to set up a FastCGI configuration, where PHP is running in its own memory space.

Unfortunately, the required FastCGI Apache module mod_fastcgi is not included in RHEL6 and derivative distributions and needs to be installed from a third-party package repository:

[root@regserver ~]# yum install \
http://pkgs.repoforge.org/rpmforge-release/rpmforge-release-0.5.3-1.el6.rf.x86_64.rpm
[root@regserver ~]# yum install mod_fastcgi

The Registration Server’s Admin Console requires PHP and the PEAR framework to enable a few additional PHP packages which are not available in RPM format. Please use the following commands to install these components:

[root@regserver ~]# yum install php-pear php-mysql php-fpm php-mbstring
[root@regserver ~]# pear install HTTP_Request2 DB MDB2 \
MDB2_Driver_mysql Log HTTP Auth

You can use pear list to get a list of installed PHP packages.

Finally, we need to change a few PHP-related configuration options. Please edit the /etc/php.ini file and change the following values:

expose_php = Off
max_execution_time = 900
max_input_time = 900
post_max_size = 55M
upload_max_filesize = 50M

Also uncomment and set the time zone setting according to your chosen time zone:

[Date]
; Defines the default timezone used by the date functions
; http://www.php.net/manual/en/datetime.configuration.php#ini.date.timezone
date.timezone = Europe/Berlin

Now, configure the mod_fastcgi Apache module by making the following modifications to the /etc/httpd/conf.d/fastcgi.conf configuration file.

Change the following configuration option:

FastCgiWrapper On

to:

FastCgiWrapper Off

Finally, add the following section to the end of the file:

<IfModule mod_fastcgi.c>
AddHandler php5-fcgi .php
Action php5-fcgi /php5-fcgi
Alias /php5-fcgi /var/www/cgi-bin/php5-fcgi
FastCgiExternalServer /var/www/cgi-bin/php5-fcgi -socket \
/var/run/php5-fpm.sock -pass-header Authorization
</IfModule>

That will make it possible for Apache to pass PHP code back to PHP-FPM and get the response once the code has been executed.

The PHP-FPM listens on a TCP port by default. In order to reserve TCP ports for Apache, change the PHP-FPM configuration to listen on a socket instead. Edit /etc/php-fpm.d/www.conf and change change this line:

listen = 127.0.0.1:9000

as follows:

listen = /var/run/php5-fpm.sock

Now create the following directory for storing the PHP session data:

[root@regserver ~]# install -d -o apache -g apache /var/lib/php/session

Warning

Please do not start the Apache http Server until you have concluded the Registration Server configuration as outlined in chapter Registration Server Configuration!