Web Server Maintenance
This article is still under construction. Expect it to change frequently until this notice is removed.
This document describes the process of setting up Fedora Core 6 on pediastrum.eeb.uconn.edu, which serves as a backup for the current EEB departmental web server, hydrodictyon.eeb.uconn.edu. Two machines are maintained so that if one goes belly-up in the middle of a semester, the department is not without a web server for more than a few minutes. In the following, "hydrodictyon" will refer to the current web server (hydrodictyon.eeb.uconn.edu, IP 137.99.88.31) and "pediastrum" will be the backup (pediastrum.eeb.uconn.edu, IP 137.99.88.47).
Notation used in this document
Passwords
The passwords and passphrases used for various things are stored separately for security reasons. Thus, if you see something like this in this document:
# mysql -u root -p<mysql root password> mysql
you should replace the string <mysql root password> with the actual password. For example, if the password was abcdef, then you would type this:
# mysql -u root -pabcdef mysql
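The -p&lt;password&gt; form shown above passes the password on the command line, so it is visible to other local users in the process list (ps) and is recorded in the shell history. As an added example that is not part of the original article, here is a small POSIX sh helper that writes the password into a MySQL option file created with mode 0600 and hands that file to the client instead; the file path, the function names and the use of --defaults-extra-file (which must be the first option on the mysql command line) are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the original page): keep the MySQL root password
# out of argv by writing it to a private [client] option file.

# make_mysql_option_file PASSWORD [PATH]
# Writes a [client] section holding the password; the file is created with
# umask 077 so it is readable by the owner only. Prints the path written.
make_mysql_option_file() {
    _pw=$1
    _path=${2:-"$HOME/.my-root.cnf"}
    _old_umask=$(umask)
    umask 077                 # new file gets mode 0600
    rm -f "$_path"            # make sure we create, not append to, the file
    printf '[client]\nuser=root\npassword=%s\n' "$_pw" > "$_path"
    umask "$_old_umask"
    printf '%s\n' "$_path"
}

# option_file_is_private PATH
# Returns 0 only if PATH is a regular file with no group/world permission bits.
option_file_is_private() {
    [ -f "$1" ] || return 1
    _mode=$(ls -l "$1" | cut -c5-10)
    [ "$_mode" = "------" ]
}

# mysql_root OPTION_FILE [DATABASE]
# Runs the client with the credentials from OPTION_FILE; the password never
# appears on the command line. --defaults-extra-file must come first.
mysql_root() {
    option_file_is_private "$1" || { echo "refusing: $1 is not private" >&2; return 1; }
    mysql --defaults-extra-file="$1" "${2:-mysql}"
}

# Usage (constructed password, as in the notation example above):
#   f=$(make_mysql_option_file 'abcdef')
#   mysql_root "$f" mysql
```

Deleting the option file afterwards is left to the caller; the point of the helper is that the secret lives in a file only the owner can read rather than in a place every process on the machine can inspect.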
Prompts
Some Linux commands must be run as the root user and some need not be. If you do not need to be root, I start the line with the standard Unix dollar-sign prompt $, like this:
$ /usr/bin/md5sum httpd-2.2.3.tar.gz
If you DO need to be superuser (i.e. root user) to execute the command, I start the line with the standard superuser pound sign prompt #, like this:
# /sbin/shutdown -r now
Just be aware of these prompts and don't actually type the $ or #.
Creating files
Often, I create files using the cat command:
$ cat - > doofus.txt
blah, blah, blah, etc.
<Ctrl-d>
In this case, cat takes its input from the console (the hyphen) and redirects its output to the new file (in this case doofus.txt). After the first line, everything typed at the console until the Ctrl and d keys are pressed simultaneously (this is what is meant by <Ctrl-d> above) becomes part of the file. So, please do not type the <Ctrl-d> in these cases!
Creating installation CDs
Download the six Fedora Core ISO images
- FC-6-i386-disc1.iso
- FC-6-i386-disc2.iso
- FC-6-i386-disc3.iso
- FC-6-i386-disc4.iso
- FC-6-i386-disc5.iso
- FC-6-i386-rescuecd.iso
from Red Hat's mirror site
http://fedora.omnispring.com/core/6/i386/iso/
and burn each of them separately to a CD. I used my CD burner's "burn image" option to create the CDs (if you simply copy the ISO files to blank CDs, the CDs will not be bootable). In Nero, click on "Copy and Backup" icon (2nd from right), then "Burn Image to Disc" (not the usual "Data" and "Make Data Disc").
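Before burning, it is worth checking that each downloaded ISO matches the checksum list the mirror publishes alongside the images, so that a truncated or tampered download is caught before it becomes an installation CD. The following POSIX sh script is an added example and not part of the original article; it assumes a SHA1SUM-style file with one "&lt;hex digest&gt;  &lt;filename&gt;" line per image, and it uses sha1sum where available (shasum -a 1 otherwise). The function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original page): verify downloaded ISO images
# against a checksum list before burning them.

# sha1_of FILE -> prints the hex SHA-1 digest of FILE
sha1_of() {
    if command -v sha1sum >/dev/null 2>&1; then
        sha1sum "$1" | cut -d' ' -f1
    else
        shasum -a 1 "$1" | cut -d' ' -f1
    fi
}

# verify_checksum_list CHECKSUM_FILE [DIR]
# Every listed file must exist under DIR (default: current directory) and
# hash to the listed digest. Prints one status line per file and returns 0
# only if all files are present and match.
verify_checksum_list() {
    _list=$1
    _dir=${2:-.}
    _bad=0
    while read -r _want _name; do
        [ -n "$_want" ] || continue            # skip blank lines
        case $_want in '#'*) continue ;; esac  # skip comment lines
        _name=${_name#\*}                      # strip sha1sum's binary-mode marker
        _file="$_dir/$_name"
        if [ ! -f "$_file" ]; then
            echo "MISSING  $_name"; _bad=1; continue
        fi
        _got=$(sha1_of "$_file")
        if [ "$_got" = "$_want" ]; then
            echo "OK       $_name"
        else
            echo "MISMATCH $_name (got $_got, expected $_want)"; _bad=1
        fi
    done < "$_list"
    return $_bad
}

# Usage, from the directory holding the ISOs and the mirror's SHA1SUM file:
#   verify_checksum_list SHA1SUM . || echo "do not burn these images"
```

A missing file and a digest mismatch both make the function return non-zero, so a burn script can refuse to continue on either; comparing against the mirror's list only proves the download is intact, not that the mirror itself is trustworthy, which is why Fedora signs its checksum files.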
Installer Selections
Choose the defaults except as noted below.
Clean installation
- Choose "Install Fedora Core" (not "Upgrade an existing installation")
- Choose "Remove all partitions on selected drives and create default layout"
- Here is the default layout:
Device        Mount Point   Type     Size(MB)  Start    End
LVM Volume Groups
  VolGroup00                         152480
    LogVol00  /             ext3     151968
    LogVol01                swap        512
Hard Drives
  /dev/hda1   /boot         ext3        102       1     13
  /dev/hda2   VolGroup00    LVM PV   152523      14  19457
- Keep default selection: The GRUB boot loader will be installed on /dev/hda. No boot loader password was chosen
Network Devices
- Set the hostname manually to pediastrum.eeb.uconn.edu
- Uncheck "Configure using DHCP"
- Keep default (checked) "Activate on boot"
Time Zone
- Choose "America/New York, Eastern Time"
- Leave "System clock uses UTC" unchecked
Root password
- Entered <root password>
Software choices
- Unchecked "Office and Productivity"
- Checked "Software Development"
- Left default (unchecked) "Web server"
- Left default "Customize later" selected
First reboot
- Installation started at 2:02pm, ended at 2:36pm
- Removed last CD, then allowed machine to reboot.
Firewall
- SSH only trusted service (this is the default)
SELinux
Make these changes now and you won't have to do it later:
- Choose System | Administration | Security Level and Firewall | Modify SELinux Policy | HTTPD Service, and check "Unify HTTPD to communicate with the terminal. Needed for handling certificates"
- Choose System | Administration | Security Level and Firewall | Modify SELinux Policy, Memory Protection, then check "Allow all unconfined executables to use libraries requiring text relocation that are not labeled textrel_shlib_t" to avoid getting this error when trying to do an SVN import:
svn: error while loading shared libraries: /usr/local/lib/libsvn_ra_dav-1.so.0: cannot restore segment prot after reloc: Permission denied
Network Time Protocol
- Set to use Network Time Protocol for clock synchronization. These NTP servers were listed already:
137.99.23.130
137.99.25.14
netreg.uconn.edu
Sound
- Sound card could not automatically be detected, so skipped
Tweaks
System | Administration | Network
- Select eth0, then choose Edit (button), Statically set IP addresses (radio button)
IP Address: 137.99.88.47
Netmask: 255.255.254.0
Gateway: 137.99.88.1
- Select eth0, then choose DNS tab:
Primary DNS: 137.99.25.14
Secondary DNS: 137.99.15.64
/etc/resolv.conf
Check /etc/resolv.conf to make sure it contains the lines
nameserver 137.99.25.14
nameserver 137.99.15.64
Passwordless access via ssh
Upload the public key (kenzie.pub) to the $HOME/.ssh directory from the laptop using the (commercial) SSH client. That client writes keys in SSH2 format, so ssh-keygen -i is used to convert the key to OpenSSH format while appending it to authorized_keys:
% cd .ssh
% ssh-keygen -i -f kenzie.pub >> authorized_keys
% chmod 600 authorized_keys
% cd
% chmod 700 .ssh
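The same steps, as an added example that is not part of the original article, wrapped in a POSIX sh function that can be re-run safely: it converts an SSH2-format key with ssh-keygen -i exactly as above, appends an OpenSSH-format key as it is, refuses input that does not look like a public key line, skips keys already present, and sets the 700/600 modes that sshd's StrictModes check requires before it will accept the file. The function names and the optional home-directory argument are this example's own.

```shell
#!/bin/sh
# Added example (not from the original page): install a public key into
# authorized_keys idempotently, with the permission settings sshd expects.

# install_pubkey KEYFILE [HOME_DIR]
# Prints "installed" or "already installed"; returns 1 on a bad key file.
install_pubkey() {
    _key=$1
    _home=${2:-$HOME}
    _sshdir="$_home/.ssh"
    _auth="$_sshdir/authorized_keys"

    # Commercial SSH2 clients export RFC 4716 keys; convert those to one
    # OpenSSH line. OpenSSH-format keys are already a single line.
    if head -n 1 "$_key" | grep -q 'BEGIN SSH2 PUBLIC KEY'; then
        _line=$(ssh-keygen -i -f "$_key") || return 1
    else
        _line=$(head -n 1 "$_key")
    fi

    # Sanity check: "<keytype> <base64 blob> [comment]" with a known key type.
    case $_line in
        "ssh-rsa "*|"ssh-ed25519 "*|"ssh-dss "*|ecdsa-sha2-*" "*) ;;
        *) echo "install_pubkey: $_key does not hold a public key line" >&2; return 1 ;;
    esac
    _blob=$(printf '%s\n' "$_line" | cut -d' ' -f2)

    mkdir -p "$_sshdir"
    touch "$_auth"
    # Match on the key material only, so a changed comment is not a new key.
    if grep -qF -- "$_blob" "$_auth"; then
        echo "already installed"
    else
        printf '%s\n' "$_line" >> "$_auth"
        echo "installed"
    fi
    # sshd (StrictModes) ignores keys in a directory or file writable by others.
    chmod 700 "$_sshdir"
    chmod 600 "$_auth"
}

# count_keys [HOME_DIR] -> number of non-blank lines in authorized_keys
count_keys() {
    _auth="${1:-$HOME}/.ssh/authorized_keys"
    [ -f "$_auth" ] || { echo 0; return 0; }
    grep -c '[^[:space:]]' "$_auth"
}

# Usage:
#   install_pubkey "$HOME/.ssh/kenzie.pub"
```

Running the function a second time with the same key reports "already installed" and leaves authorized_keys with a single copy, which is the behaviour you want from a setup script that may be replayed on the backup machine.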
Default run level
Edit (as root) the /etc/inittab file to change the default run level from 5 to 3
Make default shell tcsh
Change default shell to tcsh with command
/usr/sbin/usermod -s /bin/tcsh plewis
Setting up .tcshrc
Create (or edit) .tcshrc file, adding these lines
% cd
% cat - > .tcshrc
set prompt = "%m [%/] \!% "
alias www="cd /var/www/html"
alias tiv="cd /opt/tivoli/tsm/client/ba/bin"
<Ctrl-D>
% chmod 644 .tcshrc
Setting up root's .bashrc
Edit /root/.bashrc and add these lines
alias tiv='cd /opt/tivoli/tsm/client/ba/bin'
alias www='cd /var/www/html'
alias relax='/usr/sbin/setenforce 0'
alias enforce='/usr/sbin/setenforce 1'
alias apache='/usr/local/apache2/bin/apachectl'
alias toapache='cd /usr/local/apache2'
export PATH=/sbin:/usr/sbin:$PATH
Update the database used by locate
Run /usr/bin/updatedb as root
Cron job to synchronize time
Have had to do this in the past, but this time NTP was set up during the install process. In /etc/ntp.conf, add
server uconn.edu
and then create /etc/cron.weekly/resettime as follows:
# cd /etc/cron.weekly
# cat - > resettime
ntpd -q
<Ctrl-d>
# chmod +x resettime
If yum fails
If yum does not work and you get messages like this:
[root@pediastrum plewis]# yum install lynx
Loading "installonlyn" plugin
Setting up Install Process
Setting up repositories
Could not retrieve mirrorlist http://mirrors.fedoraproject.org/mirrorlist?repo=core-6&arch=i386 error was
[Errno 4] IOError: <urlopen error (-3, 'Temporary failure in name resolution')>
Error: Cannot find a valid baseurl for repo: core
the problem is most likely that UConn NetReg is getting in the way (the machine cannot resolve host names until it has been registered). Try logging into the GUI, start a browser, and see if you can visit an outside web page. If the problem is not UConn NetReg, then as a last-ditch effort you might try uncommenting the baseurl line in the /etc/yum.repos.d/fedora-core.repo file.
More coming later...