Operating System Configuration

Installing a base operating system

Start by performing a minimal OS installation of a recent 64-bit Red Hat Enterprise Linux 7 (RHEL 7) or derivative Linux distribution (e.g. CentOS 7, Oracle Linux 7), using your preferred installation method (manual install, Kickstart, etc). The details of how to perform this task are out of the scope of this document.

For performing the installation, the system needs to be able to establish outgoing TCP connections (mainly to download additional components).

Boot up the system and log in as the root user, either via the console or via an SSH connection.

Enable Time Synchronization with NTP

We strongly advise that the clocks of all servers in a TeamDrive installation are synchronized using the Network Time Protocol (NTP). This can be achieved by installing the ntp package and enabling the NTP daemon:

[root@webportal install]# yum install ntp
[root@webportal install]# service ntpd start
[root@webportal install]# chkconfig ntpd on

Edit and update the configuration file /etc/ntp.conf, if necessary for your local environment.

Disable SELinux

The TeamDrive Web Portal currently can not be run when SELinux is enabled. Edit the file /etc/selinux/config and set SELINUX=disabled.

Reboot the system or change the SELinux enforcing mode at run time using the following command:

[root@webportal install]# setenforce 0

Firewall configuration

You should configure a local firewall so the server is protected against remote attacks. The only TCP ports that should be reachable from outside are 22 (SSH, optional for remote administration), 80 (http) and 443 (https).

On a minimal installation, you can install and use the text-based firewall configuration utility to enable access to the following services:

  • SSH
  • Secure WWW (HTTPS)
  • WWW (HTTP)

To configure the firewall, you need to run:

[root@webportal install]# yum install system-config-firewall system-config-firewall-tui newt-python
[root@webportal install]# system-config-firewall-tui

Follow the instructions to configure the firewall (in case of an error starting the firewall gui, reboot the machine). Enable additional protections based on your local requirements or security policies.

You can check the result with iptables -L:

[root@webportal ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:https
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

In case of using an external company firewall enable the above ports for the incoming traffic. For outgoing communication please enable:

  • Secure WWW (Port 443 for HTTPS)
  • WWW (Port 80 for HTTP)
  • DNS Lookup (Port 53 for DNS communication with a public DNS server)

Installing the Postfix MTA (optional)

If you intend to use the email-based two-factor authentication for accessing the Web Portal Administration Console, or if you want to be notified about Space Volumes running out of disk space via email, the TeamDrive Web Portal needs to be configured to send out these notifications via SMTP.

The Yvva Runtime Environment that provides the foundation for the Web Portal is only capable of sending out email using plain SMTP via TCP port 25 to a local or remote MTA.

If your mail server requires some form of authentication or transport layer encryption like SSL/TLS, you need to set up a local MTA that relays all outgoing email from the TeamDrive Web Portal to your mail server using the appropriate protocol and credentials.

We recommend configuring a local Postfix instance to perform this duty. The following packages need to be installed:

[root@regserver ~]# yum install postfix mailx cyrus-sasl-plain

The detailed configuration of the local Postfix instance depends heavily on your local environment and how the remote MTA accepts remote submissions and is out of the scope of this document.

See the Postfix SMTP client documentation at http://www.postfix.org/smtp.8.html for details on how to configure Postfix to use a relay server and make sure to test the correct operation by sending local emails using the mail command line utility and watching the Postfix log file /var/log/maillog for errors.

Once the Postfix service has been configured correctly, ensure that it will be started automatically upon system boot:

[root@regserver ~]# chkconfig postfix on