Operating System Installation and Configuration¶

Base Operating System Installation¶

Perform a minimal OS installation of a recent RHEL8 or derivative Linux distribution, using your preferred installation method (manual install, Kickstart, etc). The details of how to perform this task are out of the scope of this document.

The system should have IP connectivity, using a fixed IP address and a resolvable fully qualified domain name. For performing the installation, the system needs to be able to establish outgoing TCP connections (mainly to download additional components).

Additionally, a local or remote MTA (e.g. Postfix or Sendmail) needs to be installed and configured so the system is capable of sending email.

Boot up the system and log in as the root user.

Time Synchronization with Chrony NTP Server¶

We strongly advise that the clocks of all servers in a TeamDrive installation are synchronized using the Network Time Protocol (NTP). For CentOS 8 Chrony will be used and is already installed in general.

For CentOS 8 Chrony will be used instead of NTP. Chrony is already installed in general.

Disable SELinux¶

The TeamDrive Registration Server currently can not be run when SELinux is enabled. Edit the file /etc/selinux/config and set SELINUX=disabled.

Reboot the system or change the SELinux enforcing mode at run time using the following command:

[root@regserver install]# setenforce 0

Firewall Configuration¶

You should configure a local firewall so the server is protected against remote attacks. The only TCP ports that must be reachable from the Internet are 80 (http) and 443 (https). Optionally, port 2021 for SSH access (not the default SSH Port 22) can be opened to facilitate remote administration, but access to this port should be restricted to known and trusted IP addresses or networks only.

On a minimal installation, you can install and use the text-based firewall configuration utility to enable access to the following services:

• SSH
• Secure WWW (HTTPS)
• WWW (HTTP)

To configure the firewall, disable the two unnecessary services:

firewall-cmd --remove-service=cockpit --permanent
firewall-cmd --remove-service=dhcpv6-client --permanent

and enable HTTP (80) and HTTPS (443):

firewall-cmd --zone=public --add-service=http --permanent
firewall-cmd --zone=public --add-service=https --permanent
firewall-cmd --reload

Enable additional protections based on your local requirements or security policies.

You can check the result with firewall-cmd –list-all –zone=public:

  [root@regserver ~]# firewall-cmd --list-all --zone=public
public
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: http https ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

In case of using an external company firewall enable the above ports for the incoming traffic. For outgoing communication please enable:

• Secure WWW (Port 443 for HTTPS)
• WWW (Port 80 for HTTP)
• SMTP (Port 25 for sending mails using a public mail server; in case of using SSL-communication to the mail server, also Ports 465, 587)
• DNS Lookup (Port 53 for DNS communication with a public DNS server)

Installing MySQL Server¶

The TeamDrive Registration Server requires a MySQL database to store its information. This document assumes that the MySQL instance runs on the same host as the Registration Server itself, connecting to it via the local socket file.

Alternatively, it’s possible to use an external MySQL Server. In this case, you need to make sure that this external MySQL instance is reachable via TCP from the Registration Server (usually via TCP port 3306) and that the teamdrive MySQL user is defined correctly (e.g. the MySQL username in the remote database would become teamdrive@regserver.yourdomain.com instead of teamdrive@localhost).

Most MySQL installations usually do not allow the root user to log in from a remote host. In this case the installation script is unable to create the dedicated teamdrive user automatically and you need to perform this step manually before performing the installation of the TeamDrive Registration Server databases.

Especially the correct definition of the host part is critical, as MySQL considers username@regserver and username@regserver.yourdomain.com as two different users.

Install the MySQL Client and Server packages from the default repository:

dnf install mysql mysql-server

For reliablility and performance reasons, we recommend placing the MySQL data directory /var/lib/mysql on a dedicated file system or storage volume.

The default maximum file handle limit in CentOS is 1024 which might be to less for the amount of file handles and database connections for the TeamDrive apache module. The amount of file handles can be calculated: tables (currently 26) x 2 (2 files per table) x apache processes x 2 (for restarting the apache). For less than 100 users it will be 26 x 2 x 20 x 2 = 2080 file handles, for 500 users 26 x 2 x 50 x 2 = 2200 file handles and for more than 1000 users 26 x 150 x 2 = 15600

To be save, we increase the value to 65535 in the following three configuration files.

First: Create /etc/sysctl.d/mysql.conf with the following call and content:

echo "fs.file-max = 65535" >> /etc/sysctl.d/mysql.conf

Second: Increase the hard and soft limits in /etc/security/limits.conf. Add the below lines before the #End, save and exit:

* soft nproc 65535
* hard nproc 65535
* soft nofile 65535
* hard nofile 65535

After the change execute:

sysctl -p

Third: For MySQL, create an override file for the service:

mkdir -pv /etc/systemd/system/mysqld.service.d
echo "LimitNOFILE=65535" >> /etc/systemd/system/mysqld.service.d/override.conf
echo "LimitNPROC=65535" >> /etc/systemd/system/mysqld.service.d/override.conf

After the change execute:

systemctl daemon-reload

Please start the MySQL server now and tell systemd to start the service automatically at boot:

[root@regserver ~ ]# systemctl start mysqld.service
[root@regserver ~ ]# systemctl enable mysqld.service

Run the secure installation script and follow the recommendations:

[root@regserver ~ ]# mysql_secure_installation

Securing the MySQL server deployment.

Enter password for user root:

The existing password for the user account root has expired. Please set
a new password.

...

Answer the questions with:

• VALIDATE PASSWORD COMPONENT? N
• Remove anonymous users? Y
• Disallow root login remotely? Y
• Remove test database and access to it? Y
• Reload privilege tables now? Y

MySQL is now up and running. It will be populated with the required databases and tables during the Registration Server installation process.

Apache Setup and Configuration¶

The TeamDrive Clients use the HTTP protocol to communicate with the Registration Server. The Registration Server’s Administraion Console is based on the PHP scripting language; both are served by the Apache HTTP server.

Install the Apache HTTP Server and the mod_ssl Apache module by running the following command:

dnf install httpd mod_ssl

For security reasons, we also advise to disable the so-called “Server Signature” - a feature that adds a line containing the server version and virtual host name to server-generated pages (e.g. internal error documents, directory listings, etc). Change the configuration in /etc/httpd/conf/httpd.conf as follows:

ServerSignature Off

By default, the server version and operating system is also displayed in the Server response header field, e.g. Server: Apache/2.4.6 (CentOS). To suppress this output, we suggest to update the ServerTokens option as follows:

ServerTokens Prod

In addition disable the Apache default index page in the configuration file: /etc/httpd/conf.d/welcome.conf, by changing: ErrorDocument 403 /.noindex.html to ErrorDocument 403 default using this call:

sed -i 's/\/\.noindex.html/default/' /etc/httpd/conf.d/welcome.conf

The TeamDrive Registration Server only requires a few Apache modules to be enabled. To reduce the memory footprint, please deactivate unnecessary modules in the apache configuration.

Enable “Prefork” Mode¶

The mod_yvva module requires that apache run in prefork mode. Note that Apache will crash when running in a different mode.

To set the mode, execute:

sed -e '/LoadModule mpm_event_module/ s/^#*/#/' -i /etc/httpd/conf.modules.d/00-mpm.conf
sed -e '/#LoadModule mpm_prefork_module/ s/^#*//' -i /etc/httpd/conf.modules.d/00-mpm.conf

which will comment out the mpm_event_module and uncomment the mpm_prefork_module. The result should look:

# Select the MPM module which should be used by uncommenting exactly
# one of the following LoadModule lines.  See the httpd.conf(5) man
# page for more information on changing the MPM.
...
LoadModule mpm_prefork_module modules/mod_mpm_prefork.so
...
#LoadModule mpm_worker_module modules/mod_mpm_worker.so
...
#LoadModule mpm_event_module modules/mod_mpm_event.so

sed -e '/LoadModule/ s/^#*/#/' -i /etc/httpd/conf.modules.d/00-dav.conf
sed -e '/LoadModule/ s/^#*/#/' -i /etc/httpd/conf.modules.d/00-lua.conf
sed -e '/LoadModule/ s/^#*/#/' -i /etc/httpd/conf.modules.d/00-proxy.conf
sed -e '/LoadModule/ s/^#*/#/' -i /etc/httpd/conf.modules.d/01-cgi.conf
sed -e '/LoadModule/ s/^#*/#/' -i /etc/httpd/conf.modules.d/10-proxy_h2.conf

sed -e '/LoadModule/ s/^#*/#/' -i /etc/httpd/conf.modules.d/00-base.conf
sed -e '/#LoadModule access_compat_module/ s/^#*//' -i /etc/httpd/conf.modules.d/00-base.conf
sed -e '/#LoadModule actions_module/ s/^#*//' -i /etc/httpd/conf.modules.d/00-base.conf
sed -e '/#LoadModule alias_module/ s/^#*//' -i /etc/httpd/conf.modules.d/00-base.conf
sed -e '/#LoadModule authz_core_module/ s/^#*//' -i /etc/httpd/conf.modules.d/00-base.conf
sed -e '/#LoadModule autoindex_module/ s/^#*//' -i /etc/httpd/conf.modules.d/00-base.conf
sed -e '/#LoadModule dir_module/ s/^#*//' -i /etc/httpd/conf.modules.d/00-base.conf
sed -e '/#LoadModule headers_module/ s/^#*//' -i /etc/httpd/conf.modules.d/00-base.conf
sed -e '/#LoadModule log_config_module/ s/^#*//' -i /etc/httpd/conf.modules.d/00-base.conf
sed -e '/#LoadModule mime_module/ s/^#*//' -i /etc/httpd/conf.modules.d/00-base.conf
sed -e '/#LoadModule rewrite_module/ s/^#*//' -i /etc/httpd/conf.modules.d/00-base.conf
sed -e '/#LoadModule setenvif_module/ s/^#*//' -i /etc/httpd/conf.modules.d/00-base.conf
sed -e '/#LoadModule slotmem_shm_module/ s/^#*//' -i /etc/httpd/conf.modules.d/00-base.conf
sed -e '/#LoadModule socache_shmcb_module/ s/^#*//' -i /etc/httpd/conf.modules.d/00-base.conf
sed -e '/#LoadModule unixd_module/ s/^#*//' -i /etc/httpd/conf.modules.d/00-base.conf
sed -e '/#LoadModule version_module/ s/^#*//' -i /etc/httpd/conf.modules.d/00-base.conf

Disable access logs¶

The TeamDrive clients are polling the same url periodically like for invitations. To prevent the same requests from overflowing the log file, the access logs should be deactivated:

sed -e '/    CustomLog/ s/^#*/    #/' -i /etc/httpd/conf/httpd.conf
sed -e '/TransferLog/ s/^#*/#/' -i /etc/httpd/conf.d/ssl.conf
sed -e '/CustomLog/ s/^#*/#/' -i /etc/httpd/conf.d/ssl.conf

Configure mod_ssl¶

In order to facilitate access to the Registration Server’s API and initial setup screens via SSL, the following needs to be added to the end of the default <VirtualHost> section in /etc/httpd/conf.d/ssl.conf:

Include conf.d/td-regserver.httpd.conf.ssl
</VirtualHost>

PHP¶

The Registration Server’s Admin Console requires PHP and the PEAR framework to enable a few additional PHP packages which are not available in RPM format.

CentOS 8 will be shipped with a not longer supported PHP version. PHP only supports version 8.x. To install the latest version 8 add the two additional Remi and EPEL repositories and enable PHP 8.1:

dnf install https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm
dnf install https://rpms.remirepo.net/enterprise/remi-release-8.rpm
dnf module enable php:remi-8.1
dnf install php php-cli php-common php-mysqlnd php-mbstring

You can use pear list to get a list of installed PHP packages.

Finally, we need to change a few PHP-related configuration options. Please edit the /etc/php.ini file and change the following values by executing the search and replace calls using sed:

sed -i 's/expose_php = On/expose_php = Off/g' /etc/php.ini
sed -i 's/error_reporting = E_ALL & ~E_DEPRECATED & ~E_STRICT/error_reporting = Off/g' /etc/php.ini
sed -i 's/display_errors = On/display_errors = Off/g' /etc/php.ini
sed -i 's/display_startup_errors = On/display_startup_errors = Off/g' /etc/php.ini
sed -i 's/allow_url_fopen = On/allow_url_fopen = Off/g' /etc/php.ini
sed -i 's/max_execution_time = 30/max_execution_time = 900/g' /etc/php.ini
sed -i 's/max_input_time = 60/max_input_time = 900/g' /etc/php.ini
sed -i 's/post_max_size = 8M/post_max_size = 55M/g' /etc/php.ini
sed -i 's/upload_max_filesize = 2M/upload_max_filesize = 50M/g' /etc/php.ini
sed -i 's/max_file_uploads = 20/max_file_uploads = 2/g' /etc/php.ini
sed -i 's/memory_limit = 128M/memory_limit = 512M/g' /etc/php.ini
sed -i 's/disable_functions =/disable_functions = system, shell_exec, passthru, phpinfo, show_source, highlight_file, popen, proc_open, fopen_with_path, dbmopen, dbase_open, putenv, move_uploaded_file, chdir, mkdir, rmdir, chmod, rename, filepro, filepro_rowcount, filepro_retrieve, posix_mkfifo/g' /etc/php.ini
sed -i 's/session.use_strict_mode = 0/session.use_strict_mode=On/g' /etc/php.ini
sed -i 's/session.cookie_httponly =/session.cookie_httponly=On/g' /etc/php.ini
sed -i 's/session.cookie_secure =/session.cookie_secure=On/g' /etc/php.ini
sed -i 's/session.cookie_samesite =/session.cookie_samesite="Strict"/g' /etc/php.ini
sed -i 's/session.cookie_lifetime = 0/session.cookie_lifetime = 14400/g' /etc/php.ini
sed -i 's/session.cache_expire = 180/session.cache_expire = 30/g' /etc/php.ini
sed -i 's/session.sid_length = 26/session.sid_length = 128/g' /etc/php.ini
sed -i 's/session.gc_maxlifetime = 1440/session.gc_maxlifetime = 600/g' /etc/php.ini
sed -i 's/session.sid_bits_per_character = 5/session.sid_bits_per_character = 6/g' /etc/php.ini
sed -i 's/;date.timezone =/date.timezone = Europe\/Berlin/g' /etc/php.ini

Now create the following directory for storing the PHP session data:

install -d -o apache -g apache /var/lib/php/session