Operating System Installation and Configuration¶
Base Operating System Installation¶
Perform a minimal OS installation of a recent RHEL6/7 or derivative Linux distribution, using your preferred installation method (manual install, Kickstart, etc). The details of how to perform this task are out of the scope of this document.
The system should have IP connectivity, using a fixed IP address and a resolvable fully qualified domain name. For performing the installation, the system needs to be able to establish outgoing TCP connections (mainly to download additional components).
Additionally, a local or remote MTA (e.g. Postfix or Sendmail) needs to be installed and configured so the system is capable of sending email.
Boot up the system and log in as the root user.
Enable Time Synchronization With NTP¶
We strongly advise that the clocks of all servers in a TeamDrive installation are synchronized using the Network Time Protocol (NTP). This can be achieved by installing the ntp package and enabling the NTP daemon:
[root@regserver install]# yum install ntp [root@regserver install]# service ntpd start [root@regserver install]# chkconfig ntpd on
Edit and update the configuration file
/etc/ntp.conf, if necessary for your
The TeamDrive Registration Server currently can not be run when SELinux is enabled.
Edit the file
/etc/selinux/config and set
Reboot the system or change the SELinux enforcing mode at run time using the following command:
(CentOS 6) [root@regserver install]# echo 0 > /selinux/enforce (CentOS 7) [root@regserver install]# setenforce 0
You should configure a local firewall so the server is protected against remote attacks. The only TCP ports that must be reachable from the Internet are 80 (http) and 443 (https). Optionally, port 22 (SSH) can be opened to facilitate remote administration, but access to this port should be restricted to known and trusted IP addresses or networks only.
On a minimal installation, you can install and use the text-based firewall configuration utility to enable access to the following services:
- Secure WWW (HTTPS)
- WWW (HTTP)
To configure the firewall, you need to run the following commands:
[root@regserver install]# yum install system-config-firewall-tui \ newt-python [root@regserver install]# system-config-firewall-tui
Follow the instructions to configure the firewall. Enable additional protections based on your local requirements or security policies.
You can check the result with
[root@regserver ~]# iptables -L Chain INPUT (policy ACCEPT) target prot opt source destination ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED ACCEPT icmp -- anywhere anywhere ACCEPT all -- anywhere anywhere ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:http ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:https REJECT all -- anywhere anywhere reject-with icmp-host-prohibited Chain FORWARD (policy ACCEPT) target prot opt source destination REJECT all -- anywhere anywhere reject-with icmp-host-prohibited Chain OUTPUT (policy ACCEPT) target prot opt source destination
In case of using an external company firewall enable the above ports for the incoming traffic. For outgoing communication please enable:
- Secure WWW (Port 443 for HTTPS)
- WWW (Port 80 for HTTP)
- SMTP (Port 25 for sending mails using a public mail server; in case of using SSL-communication to the mail server, also Ports 465, 587)
- DNS Lookup (Port 53 for DNS communication with a public DNS server)
Installing MySQL Server¶
The TeamDrive Registration Server requires a MySQL database to store its information. This document assumes that the MySQL instance runs on the same host as the Registration Server itself, connecting to it via the local socket file.
Alternatively, it’s possible to use an external MySQL Server. In this case,
you need to make sure that this external MySQL instance is reachable via TCP
from the Registration Server (usually via TCP port 3306) and that the
teamdrive MySQL user account is defined correctly (e.g. the MySQL username
in the remote database would become
Most MySQL installations usually do not allow the
root user to log in from
a remote host. In this case the installation script is unable to create the
teamdrive user automatically and you need to perform this step
manually before performing the installation of the TeamDrive Registration
Especially the correct definition of the host part is critical, as MySQL
as two different user accounts.
Since CentOS 7 MySQL is no longer in CentOS’s repositories and MariaDB has become the default database system offered. We recommend installing the mysql community server instead. If you are installing on CentOS 7 then perform the following steps:
[root@regserver ~]# yum update [root@regserver ~]# wget http://repo.mysql.com/mysql-community-release-el7-5.noarch.rpm [root@regserver ~]# rpm -ivh mysql-community-release-el7-5.noarch.rpm [root@regserver ~]# yum update
To set up the Registration Server using a local MySQL Database, install the MySQL Client and Server packages:
[root@regserver ~]# yum install mysql mysql-server
For reliablility and performance reasons, we recommend placing the MySQL data
/var/lib/mysql on a dedicated file system or storage volume.
Please start the MySQL server:
[root@regserver ~ ]# service mysqld start Initializing MySQL database: Installing MySQL system tables... OK Filling help tables... OK To start mysqld at boot time you have to copy support-files/mysql.server to the right place for your system PLEASE REMEMBER TO SET A PASSWORD FOR THE MySQL root USER ! To do so, start the server, then issue the following commands: /usr/bin/mysqladmin -u root password 'new-password' /usr/bin/mysqladmin -u root -h regserver.yourdomain.com password 'new-password' Alternatively you can run: /usr/bin/mysql_secure_installation which will also give you the option of removing the test databases and anonymous user created by default. This is strongly recommended for production servers. See the manual for more instructions. You can start the MySQL daemon with: cd /usr ; /usr/bin/mysqld_safe & You can test the MySQL daemon with mysql-test-run.pl cd /usr/mysql-test ; perl mysql-test-run.pl Please report any problems with the /usr/bin/mysqlbug script! [ OK ] Starting mysqld: [ OK ]
Run the secure installation script and follow the recommendations.
Make sure to create a password for the MySQL
root user and take
note of it:
[root@regserver ~ ]# mysql_secure_installation NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MySQL SERVERS IN PRODUCTION USE! PLEASE READ EACH STEP CAREFULLY! In order to log into MySQL to secure it, we'll need the current password for the root user. If you've just installed MySQL, and you haven't set the root password yet, the password will be blank, so you should just press enter here. Enter current password for root (enter for none): <Enter> OK, successfully used password, moving on... Setting the root password ensures that nobody can log into the MySQL root user without the proper authorisation. Set root password? [Y/n] <y> New password: <mysql_root_pw> Re-enter new password: <mysql_root_pw> Password updated successfully! Reloading privilege tables.. ... Success! By default, a MySQL installation has an anonymous user, allowing anyone to log into MySQL without having to have a user account created for them. This is intended only for testing, and to make the installation go a bit smoother. You should remove them before moving into a production environment. Remove anonymous users? [Y/n] <Enter> ... Success! Normally, root should only be allowed to connect from 'localhost'. This ensures that someone cannot guess at the root password from the network. Disallow root login remotely? [Y/n] <Enter> ... Success! By default, MySQL comes with a database named 'test' that anyone can access. This is also intended only for testing, and should be removed before moving into a production environment. Remove test database and access to it? [Y/n] <Enter> - Dropping test database... ... Success! - Removing privileges on test database... ... Success! Reloading the privilege tables will ensure that all changes made so far will take effect immediately. Reload privilege tables now? [Y/n] <Enter> ... Success! Cleaning up... All done! If you've completed all of the above steps, your MySQL installation should now be secure. Thanks for using MySQL!
MySQL is now up and running. It will be populated with the appropriate user account, databases and tables during the Registration Server installation process.
Apache / PHP Setup and Configuration¶
The TeamDrive Clients use the HTTP protocol to communicate with the Registration Server. The Registration Server’s Administraion Console is based on the PHP scripting language; both are served by the Apache HTTP server.
Install the Apache HTTP Server and the
mod_ssl Apache module by running
the following command:
[root@regserver ~]# yum install httpd mod_ssl
CentOS 6 is shipped with Apache 2.2 and CentOS 7 with Apache 2.4. For this reason we include a section for each version of the Web-server below.
For security reasons, we also advise to disable the so-called “Server
Signature” - a feature that adds a line containing the server version and
virtual host name to server-generated pages (e.g. internal error documents,
directory listings, etc). Change the configuration in
/etc/httpd/conf/httpd.conf as follows:
By default, the server version and operating system is also displayed in the
Server response header field, e.g.
Server: Apache/2.2.15 (CentOS).
To suppress this output, we suggest to update the
ServerTokens option as
The TeamDrive Registration Server only requires a few Apache modules to be enabled. To reduce the memory footprint, please deactivate unnecessary modules in the apache configuration.
Apache 2.2 (CentOS 6)¶
Only the following modules should be enabled in
LoadModule authz_host_module modules/mod_authz_host.so LoadModule authz_user_module modules/mod_authz_user.so LoadModule log_config_module modules/mod_log_config.so LoadModule headers_module modules/mod_headers.so LoadModule setenvif_module modules/mod_setenvif.so LoadModule mime_module modules/mod_mime.so LoadModule autoindex_module modules/mod_autoindex.so LoadModule dir_module modules/mod_dir.so LoadModule actions_module modules/mod_actions.so LoadModule alias_module modules/mod_alias.so LoadModule rewrite_module modules/mod_rewrite.so
Comment out the following variables in
/etc/httpd/conf/httpd.conf to avoid
syntax errors caused by the disabled modules:
# LanguagePriority en ca cs da de el eo es et fr he hr it ja ko ltz nl nn no pl pt pt-BR ru sv zh-CN zh-TW # ForceLanguagePriority Prefer Fallback # BrowserMatch "Mozilla/2" nokeepalive # BrowserMatch "MSIE 4\.0b2;" nokeepalive downgrade-1.0 force-response-1.0 # BrowserMatch "RealPlayer 4\.0" force-response-1.0 # BrowserMatch "Java/1\.0" force-response-1.0 # BrowserMatch "JDK/1\.0" force-response-1.0 # BrowserMatch "Microsoft Data Access Internet Publishing Provider" redirect-carefully # BrowserMatch "^WebDrive" redirect-carefully # BrowserMatch "^WebDAVFS/1." redirect-carefully # BrowserMatch "^gnome-vfs/1.0" redirect-carefully # BrowserMatch "^XML Spy" redirect-carefully # BrowserMatch "^Dreamweaver-WebDAV-SCM1" redirect-carefully
In a production setting we also advise to disable the access log, because all
clients will poll the same URL and it doesn’t make sense to log each request.
To facilitate this, comment out the following line in the default
# CustomLog logs/access_log combined
Apache 2.4 (CentOS 7)¶
In the directory:
/etc/httpd/conf.modules.d comment out all modules in the
following config files. Using the linux stream editor (sed) with the following
regular expression will add a ‘#’ comment sign in each line starting with
sed -e '/LoadModule/ s/^#*/#/' -i /etc/httpd/conf.modules.d/00-dav.conf sed -e '/LoadModule/ s/^#*/#/' -i /etc/httpd/conf.modules.d/00-lua.conf sed -e '/LoadModule/ s/^#*/#/' -i /etc/httpd/conf.modules.d/00-proxy.conf sed -e '/LoadModule/ s/^#*/#/' -i /etc/httpd/conf.modules.d/01-cgi.conf
/etc/httpd/conf.modules.d/00-base.conf and leave only the following
modules enabled by adding a ‘#’ comment in front of all other modules:
LoadModule access_compat_module modules/mod_access_compat.so LoadModule actions_module modules/mod_actions.so LoadModule alias_module modules/mod_alias.so LoadModule authz_core_module modules/mod_authz_core.so LoadModule autoindex_module modules/mod_autoindex.so LoadModule dir_module modules/mod_dir.so LoadModule headers_module modules/mod_headers.so LoadModule log_config_module modules/mod_log_config.so LoadModule mime_module modules/mod_mime.so LoadModule rewrite_module modules/mod_rewrite.so LoadModule setenvif_module modules/mod_setenvif.so LoadModule socache_shmcb_module modules/mod_socache_shmcb.so LoadModule unixd_module modules/mod_unixd.so LoadModule version_module modules/mod_version.so
In order to facilitate access to the Registration Server’s API and initial
setup screens via SSL, the following needs to be added to the end of the
<VirtualHost> section in
Include conf.d/td-regserver.httpd.conf.ssl </VirtualHost>
The Apache HTTP Server package includes a self-signed SSL certificate for testing purposes. If you connect to the server using a web browser, it will likely raise an error about an untrusted/insecure connection. You should consider replacing this certificate with an appropriate one.
Follow the instructions provided by your certificate authority on how to obtain and install an SSL certificate for the Apache HTTP Server.
Verify your SSL configuration using the service from SSL Labs:
https://www.ssllabs.com/ssltest/analyze.html and make sure that
the “Handshake Simulation” is working for current platforms and browser. The
following ssl parameters for the apache web server will create an A-rating
and make sure that the handshake is working for current platforms and browser:
SSLProtocol all -SSLv2 -SSLv3
The Registration Server’s Admin Console requires PHP and the PEAR framework to enable a few additional PHP packages which are not available in RPM format.
CentOS 6 and 7 will be shipped with a not longer supported PHP 5.3 / 5.4 version. PHP only supports version 5.6. To install this version add the two additional Remi and EPEL repositories.
For CentOS 6:
[root@regserver ~]# wget http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm [root@regserver ~]# wget http://rpms.famillecollet.com/enterprise/remi-release-6.rpm [root@regserver ~]# rpm -Uvh remi-release-6*.rpm epel-release-6*.rpm
For CentOS 7:
[root@regserver ~]# wget http://dl.fedoraproject.org/pub/epel/7/x86_64/e/epel-release-7-8.noarch.rpm [root@regserver ~]# wget http://rpms.famillecollet.com/enterprise/remi-release-7.rpm [root@regserver ~]# rpm -Uvh remi-release-7*.rpm epel-release-7*.rpm
Please activate the PHP 5.6 version in the new repository:
yum-config-manager --enable remi-php56
Use the following commands to install the required PHP components:
[root@regserver ~]# yum install php php-pear php-mysql php-mbstring [root@regserver ~]# pear channel-update pear.php.net [root@regserver ~]# pear install HTTP_Request2 MDB2 MDB2_Driver_mysql Log HTTP2 Auth
You can use
pear list to get a list of installed PHP packages.
Finally, we need to change a few PHP-related configuration options. Please edit
/etc/php.ini file and change the following values:
expose_php = Off max_execution_time = 900 max_input_time = 900 post_max_size = 55M upload_max_filesize = 50M
Also uncomment and set the time zone setting according to your chosen time zone:
[Date] ; Defines the default timezone used by the date functions ; http://www.php.net/manual/en/datetime.configuration.php#ini.date.timezone date.timezone = Europe/Berlin
Now create the following directory for storing the PHP session data:
[root@regserver ~]# install -d -o apache -g apache /var/lib/php/session
Do not start the Apache HTTP Server until you have concluded the Registration Server installation and you are ready to proceed with the Registration Server Setup!
Installing the Postfix MTA (optional)¶
The TeamDrive Registration Server needs to be able to send out various notifications (e.g. Space invitations, License modifications) via SMTP.
The Yvva Runtime Environment that provides the foundation for the Registration Server is only capable of sending out email using plain SMTP via TCP port 25 to a local or remote MTA.
If your mail server requires some form of authentication or transport layer encryption like SSL/TLS, you need to set up a local MTA that relays all outgoing email from the TeamDrive Registration Server to your mail server using the appropriate protocol and credentials.
We recommend configuring a local Postfix instance to perform this duty. The following packages need to be installed:
[root@regserver ~]# yum install postfix mailx cyrus-sasl-plain
The detailed configuration of the local Postfix instance depends heavily on your local environment and how the remote MTA accepts remote submissions and is out of the scope of this document.
See the Postfix SMTP client documentation at
http://www.postfix.org/smtp.8.html for details on how to configure Postfix to
use a relay server and make sure to test the correct operation by sending
local emails using the
/var/log/maillog for errors.
Once the Postfix service has been configured correctly, ensure that it will be started automatically upon system boot:
[root@regserver ~]# chkconfig postfix on