Operating System Configuration¶
Installing a base operating system¶
Start by performing a minimal OS installation of a recent 64-bit Red Hat Enterprise Linux 7 (RHEL 7) or derivative Linux distribution (e.g. CentOS 7, Oracle Linux 7), using your preferred installation method (manual install, Kickstart, etc). The details of how to perform this task are out of the scope of this document.
For performing the installation, the system needs to be able to establish outgoing TCP connections (mainly to download additional components).
Boot up the system and log in as the root user, either via the console or via an SSH connection.
Enable Time Synchronization with NTP¶
We strongly advise that the clocks of all servers in a TeamDrive installation are synchronized using the Network Time Protocol (NTP). This can be achieved by installing the ntp package and enabling the NTP daemon:
[root@webportal install]# yum install ntp [root@webportal install]# service ntpd start [root@webportal install]# chkconfig ntpd on
Edit and update the configuration file
/etc/ntp.conf, if necessary for your
The TeamDrive Web Portal currently can not be run when SELinux is enabled.
Edit the file
/etc/selinux/config and set
Reboot the system or change the SELinux enforcing mode at run time using the following command:
[root@webportal install]# setenforce 0
You should configure a local firewall so the server is protected against remote attacks. The only TCP ports that should be reachable from outside are 22 (SSH, optional for remote administration), 80 (http) and 443 (https).
On a minimal installation, you can install and use the text-based firewall configuration utility to enable access to the following services:
- Secure WWW (HTTPS)
- WWW (HTTP)
To configure the firewall, you need to run:
[root@webportal install]# yum install system-config-firewall system-config-firewall-tui newt-python [root@webportal install]# system-config-firewall-tui
Follow the instructions to configure the firewall (in case of an error starting the firewall gui, reboot the machine). Enable additional protections based on your local requirements or security policies.
You can check the result with
[root@webportal ~]# iptables -L Chain INPUT (policy ACCEPT) target prot opt source destination ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED ACCEPT icmp -- anywhere anywhere ACCEPT all -- anywhere anywhere ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:http ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:https REJECT all -- anywhere anywhere reject-with icmp-host-prohibited Chain FORWARD (policy ACCEPT) target prot opt source destination REJECT all -- anywhere anywhere reject-with icmp-host-prohibited Chain OUTPUT (policy ACCEPT) target prot opt source destination
In case of using an external company firewall enable the above ports for the incoming traffic. For outgoing communication please enable:
- Secure WWW (Port 443 for HTTPS)
- WWW (Port 80 for HTTP)
- DNS Lookup (Port 53 for DNS communication with a public DNS server)
Installing the Postfix MTA (optional)¶
If you intend to use the email-based two-factor authentication for accessing the Web Portal Administration Console, or if you want to be notified about Space Volumes running out of disk space via email, the TeamDrive Web Portal needs to be configured to send out these notifications via SMTP.
The Yvva Runtime Environment that provides the foundation for the Web Portal is only capable of sending out email using plain SMTP via TCP port 25 to a local or remote MTA.
If your mail server requires some form of authentication or transport layer encryption like SSL/TLS, you need to set up a local MTA that relays all outgoing email from the TeamDrive Web Portal to your mail server using the appropriate protocol and credentials.
We recommend configuring a local Postfix instance to perform this duty. The following packages need to be installed:
[root@regserver ~]# yum install postfix mailx cyrus-sasl-plain
The detailed configuration of the local Postfix instance depends heavily on your local environment and how the remote MTA accepts remote submissions and is out of the scope of this document.
See the Postfix SMTP client documentation at
http://www.postfix.org/smtp.8.html for details on how to configure Postfix to
use a relay server and make sure to test the correct operation by sending
local emails using the
/var/log/maillog for errors.
Once the Postfix service has been configured correctly, ensure that it will be started automatically upon system boot:
[root@regserver ~]# chkconfig postfix on