Operating System Configuration¶
Installing a base operating system¶
Start by performing a minimal OS installation of a recent 64-bit Red Hat Enterprise Linux 6 (RHEL 6) or derivative Linux distribution (e.g. CentOS 6, Oracle Linux 6), using your preferred installation method (manual install, Kickstart, etc). The details of how to perform this task are out of the scope of this document.
For performing the installation, the system needs to be able to establish outgoing TCP connections (mainly to download additional components).
Boot up the system and log in as the root user, either via the console or via an SSH connection.
Enable Time Synchronization with NTP¶
We strongly advise that the clocks of all servers in a TeamDrive installation are synchronized using the Network Time Protocol (NTP). This can be achieved by installing the ntp package and enabling the NTP daemon:
[root@webportal install]# yum install ntp
[root@webportal install]# service ntpd start
[root@webportal install]# chkconfig ntpd on
Edit and update the configuration file /etc/ntp.conf, if necessary for your
local environment.
Disable SELinux¶
The TeamDrive Web Portal currently can not be run when SELinux is enabled.
Edit the file /etc/selinux/config and set SELINUX=disabled.
Reboot the system or change the SELinux enforcing mode at run time using the following command:
[root@webportal install]# echo 0 > /selinux/enforce
Firewall configuration¶
You should configure a local firewall so the server is protected against remote attacks. The only TCP ports that should be reachable from outside are 22 (SSH, optional for remote administration), 80 (http) and 443 (https).
On a minimal installation, you can install and use the text-based firewall configuration utility to enable access to the following services:
- SSH
- Secure WWW (HTTPS)
- WWW (HTTP)
To configure the firewall, you need to run:
[root@webportal install]# yum install system-config-firewall system-config-firewall-tui newt-python
[root@webportal install]# system-config-firewall-tui
Follow the instructions to configure the firewall (in case of an error starting the firewall gui, reboot the machine). Enable additional protections based on your local requirements or security policies.
You can check the result with iptables -L:
[root@webportal ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:https
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
Installing the Postfix MTA (optional)¶
If you intend to use the email-based two-factor authentication for accessing the Web Portal Administration Console, or if you want to be notified about Space Volumes running out of disk space via email, the TeamDrive Web Portal needs to be configured to send out these notifications via SMTP.
The Yvva Runtime Environment that provides the foundation for the Web Portal is only capable of sending out email using plain SMTP via TCP port 25 to a local or remote MTA.
If your mail server requires some form of authentication or transport layer encryption like SSL/TLS, you need to set up a local MTA that relays all outgoing email from the TeamDrive Web Portal to your mail server using the appropriate protocol and credentials.
We recommend configuring a local Postfix instance to perform this duty. The following packages need to be installed:
[root@regserver ~]# yum install postfix mailx cyrus-sasl-plain
The detailed configuration of the local Postfix instance depends heavily on your local environment and how the remote MTA accepts remote submissions and is out of the scope of this document.
See the Postfix SMTP client documentation at
http://www.postfix.org/smtp.8.html for details on how to configure Postfix to
use a relay server and make sure to test the correct operation by sending
local emails using the mail command line utility and watching the Postfix
log file /var/log/maillog for errors.
Once the Postfix service has been configured correctly, ensure that it will be started automatically upon system boot:
[root@regserver ~]# chkconfig postfix on