Pre-Installation Tasks

Mount the Space Storage Volume

The root directory specified by the ContainerRoot setting contains the mount points for all TeamDrive Agents on the host.

The container root (by default /teamdrive) is the mount point for a dedicated file system that meets the requirements outlined in chapter Storage Requirements.

By default, the directory /teamdrive has already been created by the td-webportal RPM package.

All data will be written to this directory as belonging to the apache user.

Mount the file system and create the corresponding entry in /etc/fstab so that the file system is mounted automatically at boot. Please consult your operating system documentation for details on how to perform this step.

Make sure the directory is owned by the apache user and group:

chown apache:apache /teamdrive
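
The requirements above (an /etc/fstab entry, a mounted file system and apache ownership) can be checked before the first start. The following script is an added example, not part of the TeamDrive documentation or packages; the function names, the CONTAINER_ROOT and OWNER variables and the sample fstab are assumptions made for illustration.

```shell
# Added example, not TeamDrive code: pre-flight checks for the container root.
# Function names and the CONTAINER_ROOT/OWNER variables are assumptions.
CONTAINER_ROOT="${CONTAINER_ROOT:-/teamdrive}"
OWNER="${OWNER:-apache:apache}"

# Constructed sample fstab (device names are made up).
sample_fstab() {
    cat <<'EOF'
# /dev/sdb1          /teamdrive  xfs defaults       0 0
/dev/mapper/vg0-root /           xfs defaults       0 0
/dev/mapper/vg0-td   /teamdrive/ xfs defaults,nodev 0 0
/dev/sdc1            /backup     xfs noauto         0 0
EOF
}

# fstab_entry_status FSTAB MOUNTPOINT
# Prints "ok", "noauto" (entry exists but is not mounted at boot) or "missing".
fstab_entry_status() {
    awk -v mp="${2%/}" '
        $1 ~ /^#/ || NF < 4 { next }            # comments, blank and short lines
        {
            target = $2
            if (length(target) > 1) sub(/\/$/, "", target)
            if (target != mp) next
            found = "ok"
            n = split($4, opts, ",")
            for (i = 1; i <= n; i++) if (opts[i] == "noauto") found = "noauto"
        }
        END { print (found == "" ? "missing" : found) }
    ' "$1"
}

# owner_matches PATH USER:GROUP -> status 0 when owner and group match.
owner_matches() {
    [ "$(stat -c '%U:%G' "$1" 2>/dev/null)" = "$2" ]
}

# preflight -> runs the checks on the live host, returns the number of failures.
preflight() {
    fails=0
    st=$(fstab_entry_status /etc/fstab "$CONTAINER_ROOT")
    [ "$st" = ok ] || { echo "fstab entry for $CONTAINER_ROOT: $st"; fails=$((fails + 1)); }
    mountpoint -q "$CONTAINER_ROOT" || { echo "$CONTAINER_ROOT is not mounted"; fails=$((fails + 1)); }
    owner_matches "$CONTAINER_ROOT" "$OWNER" || { echo "$CONTAINER_ROOT not owned by $OWNER"; fails=$((fails + 1)); }
    return "$fails"
}

if [ "${1:-}" = run ]; then preflight; fi
```

Save the script and call it with the argument run as root on the Web Portal host; an exit status of 0 means all three checks passed.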

TeamDrive Agents Sandboxing

The Web Portal uses systemd sandboxing to run the TeamDrive Agent (see https://www.redhat.com/sysadmin/mastering-systemd for details). A TeamDrive Agent is started for each user that logs into the Web Portal.

The systemd sandboxing makes sure that the TeamDrive Agent started for a user only has access to that user's folder below /teamdrive.

The sandboxing script is installed together with the Web Portal, and therefore no additional manual configuration is necessary.

Installing the TeamDrive Agent

The current version of the TeamDrive Agent used by the Web Portal is stored in the MinimumAgentVersion setting. The ContainerImage setting stores the name of the container image currently in use by the Web Portal. If the version of the Agent in ContainerImage is lower than MinimumAgentVersion, it will be updated automatically.

If the required TeamDrive Agent does not exist on the host, it will be downloaded and installed on your host automatically.

To install or update the TeamDrive Agent used by the Web Portal use the upgrade command: start yvva and execute upgrade_now;;:

[root@webportal ~]# yvva
Welcome to yvva shell (version 1.5.13).
Enter "go" or end the line with ';;' to execute submitted code.
For a list of commands enter "help".

UPGRADE COMMANDS:
-----------------
To upgrade from the command line, execute:
yvva --call=upgrade_now --config-file="/etc/yvva.conf"

upgrade_now;;
Upgrade the database structure and agent sandbox container (this command cannot be undone).

Leave the yvva shell by typing quit.

Installing SSL certificates

The default Apache HTTP Server installation ships with self-signed SSL certificates for testing purposes. We strongly recommend purchasing and installing proper SSL certificates and keys and adjusting the configuration in the file /etc/httpd/conf.d/ssl.conf accordingly before moving the server into production.

The exact installation process depends on how you obtain or create the SSL key and certificate. Please refer to the respective installation instructions provided by your certificate issuer.
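
Before moving to production, it is worth confirming that ssl.conf no longer points at a self-signed certificate. The following script is an added example, not part of the TeamDrive documentation or packages; the function names and the sample configuration lines are assumptions, and only the ssl.conf path comes from the text above.

```shell
# Added example, not TeamDrive code: report which certificates ssl.conf points at
# and whether each is still self-signed. Function names are assumptions.
SSL_CONF="${SSL_CONF:-/etc/httpd/conf.d/ssl.conf}"

# Constructed sample of the relevant ssl.conf lines (paths are illustrative).
sample_ssl_conf() {
    cat <<'EOF'
<VirtualHost _default_:443>
  SSLEngine on
  #SSLCertificateFile /etc/pki/tls/certs/old.crt
  SSLCertificateFile "/etc/pki/tls/certs/localhost.crt"
  SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
</VirtualHost>
EOF
}

# configured_certs CONF -> path of every active SSLCertificateFile directive.
# Directive names are case-insensitive; paths containing spaces are not handled.
configured_certs() {
    awk 'tolower($1) == "sslcertificatefile" { gsub(/"/, "", $2); print $2 }' "$1"
}

# cert_field PEM subject|issuer -> distinguished name, status 1 if unreadable.
cert_field() {
    out=$(openssl x509 -in "$1" -noout "-$2" -nameopt RFC2253 2>/dev/null) || return 1
    printf '%s\n' "${out#"$2"=}"
}

# audit_ssl_conf CONF -> one verdict per certificate; status 1 if any needs action.
# subject == issuer means self-issued, which for a server certificate is self-signed.
audit_ssl_conf() {
    rc=0
    for cert in $(configured_certs "$1"); do
        if ! subject=$(cert_field "$cert" subject); then
            echo "UNREADABLE  $cert"; rc=1
        elif [ "$subject" = "$(cert_field "$cert" issuer)" ]; then
            echo "SELF-SIGNED $cert ($subject)"; rc=1
        else
            echo "CA-ISSUED   $cert ($subject)"
        fi
    done
    return "$rc"
}

if [ "${1:-}" = run ]; then audit_ssl_conf "$SSL_CONF"; fi
```

Called with the argument run, the script audits the live ssl.conf and exits non-zero while a self-signed or unreadable certificate is still configured.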

OS-Hardening

Execute the OS-Hardening script:

/opt/teamdrive/webportal/docker/os_hardening.sh

and reboot the system. After the reboot verify the results:

inspec exec https://github.com/dev-sec/linux-baseline
lynis audit system

Note on Lynis results: The Lynis hardening index should reach ~90. The remaining recommendations are either not easy to implement or cannot be activated without blocking Web Portal functionality, for example the recommendations concerning the mentioned Apache modules.

Starting the Web Portal

After all configuration steps have been performed, we can start the TeamDrive Web Portal to conclude the initial installation/configuration.

Starting td-webportal

To activate the yvvad-based td-webportal background task you have to start the service using the provided init script.

The configuration file /etc/td-hosting.conf defines how this process is run. You usually don’t have to modify these settings.

To start the td-webportal program, use the service command as user root:

[root@webportal ~]# service td-webportal start
Starting TeamDrive Web Portal:                       [  OK  ]

Use the status option to the service command to verify that the service has started:

[root@webportal ~]# service td-webportal status
yvvad (pid  2506) is running...

If td-webportal does not start (process yvvad is not running), check the log file /var/log/td-webportal.log for errors. See chapter Troubleshooting for details.

Starting the Apache HTTP Server

Now the Apache HTTP Server can be started, which provides the TeamDrive Web Portal functionality via mod_yvva.

You can start the service manually using the following command:

[root@webportal ~]# service httpd start

Warning

At this point, the Web Portal’s web server is answering incoming requests from any web client that can connect to its address. For security purposes, you should not make it accessible from the public Internet until you have concluded the initial configuration, e.g. by blocking external access using a firewall.

Check the log files /var/log/httpd/error_log and /var/log/td-webportal.log for startup messages and possible errors:

[notice] Apache/2.4.37 OpenSSL/1.1.1g configured
-- resuming normal operations
[notice] mod_yvva 1.5.4 ((Aug 13 2020 18:27:47) loaded
[notice] Logging (=error) to: /var/log/td-webportal.log

Please consult chapter Troubleshooting if there is an error when starting the service.