Operating System Configuration¶
Installing a base operating system¶
Start by performing a minimal OS installation of a recent 64-bit Red Hat Enterprise Linux 9 or derivative Linux distribution (CentOS 9), using your preferred installation method (manual install, Kickstart, etc). The details of how to perform this task are out of the scope of this document.
For performing the installation, the system needs to be able to establish outgoing TCP connections (mainly to download additional components).
Boot up the system and log in as the root user, either via the console or via an SSH connection.
Time Synchronization with Chrony NTP Server¶
We strongly advise that the clocks of all servers in a TeamDrive installation are synchronized using the Network Time Protocol (NTP). For CentOS 9 Chrony will be used and is already installed in general.
Disable SELinux¶
The TeamDrive Web Portal currently can not be run when SELinux is enabled.
Edit the file /etc/selinux/config and set SELINUX=disabled.
Reboot the system or change the SELinux enforcing mode at run time using the following command:
[root@webportal install]# setenforce 0
Firewall configuration¶
You should configure a local firewall so the server is protected against remote attacks. The only TCP ports that should be reachable from outside are 2021 (SSH, optional for remote administration), 80 (http) and 443 (https).
On a minimal installation please enable access to the following services:
- SSH
- Secure WWW (HTTPS)
- WWW (HTTP)
To configure the firewall, disable the two unnecessary services:
firewall-cmd --remove-service=cockpit --permanent
firewall-cmd --remove-service=dhcpv6-client --permanent
and enable HTTP (80) and HTTPS (443):
firewall-cmd --zone=public --add-service=http --permanent
firewall-cmd --zone=public --add-service=https --permanent
firewall-cmd --reload
Enable additional protections based on your local requirements or security policies.
You can check the result with firewall-cmd --list-all --zone=public:
[root@webportal ~]# firewall-cmd --list-all --zone=public
      public
        target: default
        icmp-block-inversion: no
        interfaces:
        sources:
        services: http https ssh
        ports:
        protocols:
        masquerade: no
        forward-ports:
        source-ports:
        icmp-blocks:
        rich rules:
In case of using an external company firewall enable the above ports for the incoming traffic. For outgoing communication please enable:
- Secure WWW (Port 443 for HTTPS)
- WWW (Port 80 for HTTP)
- DNS Lookup (Port 53 for DNS communication with a public DNS server)
Installing the Postfix MTA (optional)¶
If you intend to use the email-based two-factor authentication for accessing the Web Portal Administration Console, or if you want to be notified about Space Volumes running out of disk space via email, the TeamDrive Web Portal needs to be configured to send out these notifications via SMTP.
The Yvva Runtime Environment that provides the foundation for the Web Portal is only capable of sending out email using plain SMTP via TCP port 25 to a local or remote MTA.
If your mail server requires some form of authentication or transport layer encryption like SSL/TLS, you need to set up a local MTA that relays all outgoing email from the TeamDrive Web Portal to your mail server using the appropriate protocol and credentials.
We recommend configuring a local Postfix instance to perform this duty. The following packages need to be installed:
[root@regserver ~]# dnf install postfix mailx cyrus-sasl-plain
The detailed configuration of the local Postfix instance depends heavily on your local environment and how the remote MTA accepts remote submissions and is out of the scope of this document.
See the Postfix SMTP client documentation at
http://www.postfix.org/smtp.8.html for details on how to configure Postfix to
use a relay server and make sure to test the correct operation by sending
local emails using the mail command line utility and watching the Postfix
log file /var/log/maillog for errors.
Once the Postfix service has been configured correctly, ensure that it will be started automatically upon system boot:
[root@regserver ~]# systemctl enable postfix