Recipe for EMS Department Servers

LXC Container - 20 or 40 GB HDD, 2 GB RAM, 1 GB swap, 2 CPU, Debian 8.5

  • Create CT: debian 8.5 lxc template, 2 cpu limit, 20 gb (or 40 gb) hdd, 2048 mb ram, 1024 mb swap
    • cessupport and ecet have 40 gb hdd; others 20 gb
  • enable FUSE inside the container (see http://myatus.com/p/quick-note-fuse-inside-proxmox-lxc-container/):
    echo $'lxc.autodev: 1\nlxc.hook.autodev: sh -c "mknod -m 0666 ${LXC_ROOTFS_MOUNT}/dev/fuse c 10 229"' >> /etc/pve/lxc/###.conf
  • use console:
    adduser tdobes
    adduser tdobes adm
    adduser tdobes systemd-journal

    …now you can ssh in

  • mkdir -p /etc/systemd/system/ssh.socket.d
    echo '[Socket]' > /etc/systemd/system/ssh.socket.d/port-2222.conf
    echo 'ListenStream=2222' >> /etc/systemd/system/ssh.socket.d/port-2222.conf
    systemctl daemon-reload && systemctl restart ssh.socket
  • sed -i -e 's/"syntax on/syntax on/g' -e 's/"set background=dark/set background=dark/g' -e 's/"set showcmd/set showcmd/g' -e 's/"set showmatch/set showmatch/g' -e 's/"set ignorecase/set ignorecase/g' -e 's/"set smartcase/set smartcase/g' -e 's/"set incsearch/set incsearch/g' -e 's/"set autowrite/set autowrite/g' -e 's/"set hidden/set hidden/g' -e 's/"set mouse=a/set mouse=nic/g' /etc/vim/vimrc
  • vi /etc/vim/vimrc # – and uncomment autocmd block for jumping to last position
  • aptitude update && aptitude forget-new && aptitude --without-recommends install sshfs
  • on ecet-cisco: aptitude install apache2
  • on all except ecet-cisco:
    • aptitude install apache2 php5-fpm
    • a2enmod proxy_fcgi
    • echo 'ProxyPassMatch ^/(.*\.php(/.*)?)$ unix:/var/run/php5-fpm.sock|fcgi://127.0.0.1/var/www/html/ disablereuse=off' > /etc/apache2/mods-enabled/proxy-php5-fpm.conf # note: apache docs talk about enablereuse=on, but apparently that was added in 2.4.11 and jessie is on 2.4.10; supposedly disablereuse=off does the same thing? # SUPERSEDED: this ProxyPassMatch form does not pass special characters (e.g. spaces) through properly; the FilesMatch configuration below overwrites this file
    • # This apache 2.4/php-fpm configuration works properly with paths including spaces (unlike the superseded ProxyPassMatch line above). See https://wiki.archlinux.org/index.php/Apache_HTTP_Server#Using_php-fpm_and_mod_proxy_fcgi and comments on http://php.net/manual/en/features.http-auth.php about the SetEnvIf line
      echo '<FilesMatch \.php$>' > /etc/apache2/mods-enabled/proxy-php5-fpm.conf
      echo '  SetHandler "proxy:unix:/var/run/php5-fpm.sock|fcgi://localhost/"' >> /etc/apache2/mods-enabled/proxy-php5-fpm.conf
      echo '  SetEnvIf Authorization .+ HTTP_AUTHORIZATION=$0' >> /etc/apache2/mods-enabled/proxy-php5-fpm.conf # makes apache forward the HTTP Authorization header to PHP-FPM as HTTP_AUTHORIZATION (needed for PHP HTTP auth behind mod_proxy_fcgi); note that every .php script under this handler then receives the credentials
      echo '</FilesMatch>' >> /etc/apache2/mods-enabled/proxy-php5-fpm.conf
      echo '<Proxy "fcgi://localhost/" disablereuse=off max=10>' >> /etc/apache2/mods-enabled/proxy-php5-fpm.conf
      echo '</Proxy>' >> /etc/apache2/mods-enabled/proxy-php5-fpm.conf
    • a2enmod userdir
    • a2enmod ssl
    • a2ensite default-ssl
    • mv /etc/apache2/sites-enabled/default-ssl.conf /etc/apache2/sites-enabled/000-default-ssl.conf
    • a2enmod rewrite
  • sed -i -e 's/^ServerTokens OS$/#ServerTokens OS/g' -e 's/#ServerTokens Full/#ServerTokens Full\nServerTokens Prod/g' /etc/apache2/conf-enabled/security.conf # switches ServerTokens to Prod so apache stops advertising its version and OS in the Server header (done for the security audit)
  • systemctl restart apache2
  • rm /var/www/html/index.html
  • aptitude install ca-certificates
  • # on all except ecet-cisco: Let's Encrypt – see https://github.com/lukas2511/dehydrated
    echo 'deb http://ftp.us.debian.org/debian/ jessie-backports main' > /etc/apt/sources.list.d/backports.list
    echo 'deb-src http://ftp.us.debian.org/debian/ jessie-backports main' >> /etc/apt/sources.list.d/backports.list
    aptitude update && aptitude forget-new && aptitude install dehydrated-apache2
    
    # NO LONGER NEEDED:
    # see https://github.com/lukas2511/letsencrypt.sh/commit/afabfff06e2dece1772ed788ac41ca0d297ab49b
    # sed -i -e 's|https://letsencrypt.org/documents/LE-SA-v1.0.1-July-27-2015.pdf|https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf|g' /usr/bin/letsencrypt.sh
    
    # if desired: temporarily use staging server for testing:
    # echo 'CA="https://acme-staging.api.letsencrypt.org/directory"' > /etc/dehydrated/conf.d/staging.sh
    
    echo '#!/bin/sh' > /usr/local/sbin/hook_apache-dehydrated
    echo >> /usr/local/sbin/hook_apache-dehydrated
    echo 'case "$1" in' >> /usr/local/sbin/hook_apache-dehydrated
    echo '  "deploy_challenge")' >> /usr/local/sbin/hook_apache-dehydrated
    echo '    exit 0' >> /usr/local/sbin/hook_apache-dehydrated
    echo '    ;;' >> /usr/local/sbin/hook_apache-dehydrated
    echo '  "clean_challenge")' >> /usr/local/sbin/hook_apache-dehydrated
    echo '    exit 0' >> /usr/local/sbin/hook_apache-dehydrated
    echo '    ;;' >> /usr/local/sbin/hook_apache-dehydrated
    echo '  "deploy_cert")' >> /usr/local/sbin/hook_apache-dehydrated
    echo '    echo "hook reloading apache2..."' >> /usr/local/sbin/hook_apache-dehydrated
    echo '    # reload apache2' >> /usr/local/sbin/hook_apache-dehydrated
    echo '    systemctl reload apache2' >> /usr/local/sbin/hook_apache-dehydrated
    echo '    exit $?' >> /usr/local/sbin/hook_apache-dehydrated
    echo '    ;;' >> /usr/local/sbin/hook_apache-dehydrated
    echo '  "unchanged_cert")' >> /usr/local/sbin/hook_apache-dehydrated
    echo '    exit 0' >> /usr/local/sbin/hook_apache-dehydrated
    echo '    ;;' >> /usr/local/sbin/hook_apache-dehydrated
    echo '  *)' >> /usr/local/sbin/hook_apache-dehydrated
    echo '    echo "unrecognized hook: $1"' >> /usr/local/sbin/hook_apache-dehydrated
    echo '    exit 1' >> /usr/local/sbin/hook_apache-dehydrated
    echo '    ;;' >> /usr/local/sbin/hook_apache-dehydrated
    echo 'esac' >> /usr/local/sbin/hook_apache-dehydrated
    chmod +x /usr/local/sbin/hook_apache-dehydrated
    echo 'HOOK=/usr/local/sbin/hook_apache-dehydrated' > /etc/dehydrated/conf.d/hook_apache.sh
    
    DOMAIN=ecet # set to this server's short hostname (both <host>.pnw.edu and <host>.purduecal.edu are requested below)
    echo "$DOMAIN.pnw.edu $DOMAIN.purduecal.edu" > /etc/dehydrated/domains.txt
    sed -i -e $"s|^\t\tSSLCertificateFile\t/etc/ssl/certs/ssl-cert-snakeoil.pem$|\t\t#SSLCertificateFile\t/etc/ssl/certs/ssl-cert-snakeoil.pem\\n\t\tSSLCertificateFile /var/lib/dehydrated/certs/$DOMAIN.pnw.edu/fullchain.pem|g" -e $"s|^\t\tSSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key$|\t\t#SSLCertificateKeyFile\t/etc/ssl/private/ssl-cert-snakeoil.key\\n\t\tSSLCertificateKeyFile /var/lib/dehydrated/certs/$DOMAIN.pnw.edu/privkey.pem|g" /etc/apache2/sites-enabled/000-default-ssl.conf
    
    dehydrated -c
    
    # if the staging CA was used for testing: verify that apache serves the expected (staging-issued) certificate and key, then remove the staging override and the staging-issued account key and certs (the commands below) and re-run against the production CA:
    # rm /etc/dehydrated/conf.d/staging.sh
    # rm -r /var/lib/dehydrated/private_key.* /var/lib/dehydrated/certs
    # dehydrated -c
    
    echo '1 7,19 * * * root dehydrated -c' > /etc/cron.d/letsencrypt
  • on cessupport, eshop:
    • aptitude install postgresql postgresql-client php5-pgsql
    • su -c "createuser -d -P -r -s tdobes" postgres
  • on math, ecet, ecet445:
    • aptitude install mariadb-server mariadb-client php5-mysqlnd
    • mysql -p
      (enter root password)
      CREATE USER tdobes@localhost IDENTIFIED BY '***PASSWORD***';
      GRANT ALL PRIVILEGES ON *.* TO tdobes@localhost WITH GRANT OPTION;
      \q
      rm ~/.mysql_history # the CREATE USER statement above, password included, would otherwise remain in the client history file
  • on chemphys and math: aptitude install emacs-nox tcsh git
  • on cessupport, chemphys, math, eshop, ecet445: aptitude install tmux
  • on math, chemphys, ecet445: aptitude install build-essential
  • on cessupport: aptitude install whois
  • migrate /etc/ssh/ssh_host_key* (the host's SSH identity; preserve ownership and modes so the private keys remain readable only by root)
  • migrate accounts (/etc/passwd, /etc/shadow, /etc/group, /etc/gshadow)
  • migrate homes:
    rsync -ai 205.215.68.old:/home/ /root/oldhome
    mv /root/oldhome/tdobes /home/tdobes/old
    mv /root/oldhome/username /home/
  • update /etc/motd
  • migrate drupal on eshop:
    rsync -ai 205.215.68.107:/var/www/ /var/www/html/
    rm /var/www/html/index.lighttpd.html
    ssh tdobes@205.215.68.107 "pg_dumpall" > pg.sql
    psql -d postgres < pg.sql # pg.sql holds every database plus the role password hashes; delete it once the restore has been verified
    
    echo '<Directory /var/www/html/>' > /etc/apache2/sites-enabled/drupal.conf
    cat /var/www/html/.htaccess >> /etc/apache2/sites-enabled/drupal.conf
    echo '</Directory>' >> /etc/apache2/sites-enabled/drupal.conf
    
    
    # Hacks for old Drupal 5 install (unsupported upstream; these only keep it running under newer PHP and are no substitute for security updates):
    sed -i -e 's/E_ALL ^ E_NOTICE/E_ALL ^ E_NOTICE ^ E_DEPRECATED/g' /var/www/html/includes/common.inc
    
    edit /var/www/html/common/tablesort.inc and add this to the beginning of tablesort_cell():
      if (isset($header[$i]) && is_string($header[$i])) {
        $header[$i] = array('data' => $header[$i]);
      }
    
    sed -i -e 's/function profile_user($type, &$edit, &$user, $category = NULL) {/function profile_user($type, $edit, $user, $category = NULL) {/g' /var/www/html/modules/profile/profile.module
    
    echo 'mbstring.http_input="pass"' > /etc/php5/fpm/conf.d/drupal-mbstring.ini
    echo 'mbstring.http_output="pass"' >> /etc/php5/fpm/conf.d/drupal-mbstring.ini
  • redirect to CES page on engineering:
    echo '<?php' > /var/www/html/index.php
    echo "header('Location: http://academics.pnw.edu/engineering-sciences', TRUE, 301);" >> /var/www/html/index.php
    echo 'exit;' >> /var/www/html/index.php
  • TODO: Migrate content, ssh keys for engineering
  • TODO: Migrate content for ecet445 (need to physically reset ecetvs1)
  • TODO: Migrate content for ecet (where available)
  • TODO: Logins on engineering, NFS storage mounts
  • TODO: math (133 → 105), cessupport (130 → 100)
  • TODO: Restricted shell accounts for SFTP/SCP access and password changes (rush or rssh) on engineering
  • TODO: database migration on math
  • TODO: Can we do winbind auth for user accounts? (testing on engineering)
    • aptitude install libnss-winbind libpam-winbind winbind samba
    • mv /etc/samba/smb.conf /etc/samba/smb.conf.orig
    • create new smb.conf:
      [global]
        security = ADS
        workgroup = CES
        realm = CES.PNW.EDU
      
        wins server = 205.215.127.205
        dns proxy = no
      
        local master = no
        lm announce = no
      
        log file = /var/log/samba/%m.log
        log level = 1
      
        # disable print server
        load printers = no
        show add printer wizard = no
        disable spoolss = yes
      
        # hack for trusted domains - see https://bugzilla.samba.org/show_bug.cgi?id=11830 (the two global "= false" lines weaken winbind's RPC protection for every domain other than CES; the per-domain overrides below restore it for CES only)
        winbind sealed pipes = false
        require strong key = false
        winbind sealed pipes: CES = true
        require strong key: CES = true
      
        # performance tweaks
        socket options = TCP_NODELAY IPTOS_LOWDELAY SO_KEEPALIVE
        use sendfile = yes
      
        idmap config * : backend = tdb
        idmap config * : range = 10000-29999
        idmap config CES : backend = rid
        idmap config CES : range = 30000-99999
        idmap config PNW : backend  = rid
        idmap config PNW : range = 1000000-6999999
    • net ads join -U Administrator
    • systemctl restart smbd nmbd winbind
    • sed -i -e 's/^passwd:         compat$/passwd:         compat winbind/g' -e 's/^group:          compat$/group:          compat winbind/g' /etc/nsswitch.conf
  • Tomcat on Math
    • aptitude install tomcat8 tomcat8-admin libapache2-mod-jk
    • add roles (manager-gui and admin) and user (tdobes) to /etc/tomcat8/tomcat-users.xml
    • edit /etc/tomcat8/web.xml (note: Connector and <Host> elements are defined in server.xml, so this is probably a typo for /etc/tomcat8/server.xml): comment out the Connector on port 8080, uncomment the AJP Connector and add the address="127.0.0.1" parameter so AJP only listens on loopback
      • add to end of <Host> block:
                <!-- UserDir code... docs at:
                     http://tomcat.apache.org/tomcat-8.0-doc/config/host.html#User_Web_Applications -->
                <Listener className="org.apache.catalina.startup.UserConfig"
                          directoryName="public_html"
                          userClass="org.apache.catalina.startup.PasswdUserDatabase"/>
    • create /etc/apache2/conf-enabled/tomcat.conf:
      <VirtualHost *:80>
        # send all requests ending in .jsp to ajp13_worker
        JkMount /*.jsp ajp13_worker
        # send all requests ending in .jspx to ajp13_worker
        JkMount /*.jspx ajp13_worker
        # send all requests ending /servlet to ajp13_worker
        JkMount /*/servlet/ ajp13_worker
      </VirtualHost>
      
      <IfModule mod_ssl.c>
        <VirtualHost _default_:443>
          # send all requests ending in .jsp to ajp13_worker
          JkMount /*.jsp ajp13_worker
          # send all requests ending in .jspx to ajp13_worker
          JkMount /*.jspx ajp13_worker
          # send all requests ending /servlet to ajp13_worker
          JkMount /*/servlet/ ajp13_worker
        </VirtualHost>
      </IfModule>
    • aptitude install libmysql-java && ln -s ../../java/mysql.jar /usr/share/tomcat8/lib/
    • systemctl restart tomcat8 apache2
  • TODO: Subversion on Math
    aptitude install subversion viewvc
    
    # add redirect from websvn to viewvc
  • Done: ecet-cisco, eshop, chemphys

Failed ideas:

  • Using sssd-ad for login to Active Directory accounts
    • aptitude (interactive) install sssd-ad, but deselect sssd metapackage
    • aptitude install krb5-user ldap-utils
      • set realm as CES.PNW.EDU
    • mv /etc/krb5.conf /etc/krb5.conf.orig
    • create /etc/krb5.conf:
      [logging]
       default = FILE:/var/log/krb5libs.log
      
      [libdefaults]
       default_realm = CES.PNW.EDU
       dns_lookup_realm = true
       dns_lookup_kdc = true
       ticket_lifetime = 24h
       renew_lifetime = 7d
       forwardable = true
       rdns = false
    • aptitude install samba
    • mv /etc/samba/smb.conf /etc/samba/smb.conf.orig
    • create /etc/samba/smb.conf:
      [global]
        security = ADS
        workgroup = CES
        realm = CES.PNW.EDU
        kerberos method = secrets and keytab
      
        wins server = 205.215.127.205
        dns proxy = no
      
        local master = no
        lm announce = no
      
        log file = /var/log/samba/%m.log
        log level = 1
      
        # disable print server
        load printers = no
        show add printer wizard = no
        disable spoolss = yes
      
        # performance tweaks
        socket options = TCP_NODELAY IPTOS_LOWDELAY SO_KEEPALIVE
        use sendfile = yes
    • kinit Administrator
    • net ads join -k
    • create /etc/sssd/sssd.conf:
      [sssd]
      config_file_version = 2
      domains = ces.pnw.edu
      services = nss, pam
      
      [domain/ces.pnw.edu]
      id_provider = ad
      auth_provider = ad
      access_provider = ad
      
      default_shell = /bin/bash
      fallback_homedir = /home/%d/%u
      override_homedir = /home/%d/%u
    • chmod 0600 /etc/sssd/sssd.conf
    • FAIL – THIS DOES NOT WORK WITH TRUSTS. See https://fedorahosted.org/sssd/ticket/2078
  • Winbind using system kerberos:
    • in /etc/samba/smb.conf: kerberos method = system keytab
    • aptitude install krb5-user ldap-utils
    • set realm as CES.PNW.EDU
    • mv /etc/krb5.conf /etc/krb5.conf.orig
    • create /etc/krb5.conf:
      [logging]
       default = FILE:/var/log/krb5libs.log
      
      [libdefaults]
       default_realm = CES.PNW.EDU
       dns_lookup_realm = true
       dns_lookup_kdc = true
       ticket_lifetime = 24h
       renew_lifetime = 7d
       forwardable = true
       rdns = false
    • join to domain:
      • kinit Administrator
      • net ads join -k