Server Setup


Revision as of 23:19, 29 April 2013

This page documents setting up the servers running TICC's wiki, forum, and InkSurvey.


Preliminaries (Definitions/Notes/etc.)


The KVM switch in the server room at Mines is an APC KVM switch (I have no idea of the model and it doesn't matter). To switch to the server on the KVM console, do the following:

  1. Press and hold the Num Lock key.
  2. Press and release the '-' key on the number pad.
  3. Release the Num Lock key.

This should bring up a prompt so you can type in the number of the server. Oldticc's happened to be number 11.




Installed Packages

| Name | Package Name | Reason |
| --- | --- | --- |
| Apache Web Server | httpd | |
| OpenSSL | openssl mod_ssl | Provide SSL support on Apache |
| Postfix Mail Server | postfix | |
| PHP | php53 php53-mysql php53-common php53-cli php53-pdo php53-gd | |
| SSH Server | openssh | Remote administration |
| Simple Network Management Protocol (SNMP) | net-snmp | |
| MySQL | mysql | |
| Perl | perl | Needed by Clonezilla |
| Perl Modules | perl-Digest-SHA1 | Needed by Clonezilla |
| Patch | patch | Merge diff changes with this program |

Other programs

yum install sudo wget make mlocate nano zip unzip man

Configuration File Changes

Repos & Priorities

We are using yum-priorities (sometimes known as yum-priorities-plugin depending on the version). Configuring it involves editing the repo files in /etc/yum.repos.d. In those files, you'll need to add the line priority=N (where N is a number between 1 and 99) to the repos that are enabled.

Some[1] have said this is a heavy-handed solution for something not so simple. We have found that if you're careful and don't just blindly update things, you should be pretty good.

EPEL & Remi

We also enable two other repos, for packages not found in base, or updated versions of those packages. The first is Extra Packages for Enterprise Linux (EPEL) and the other is Les RPM de Remi (Remi). You can enable these by running

rpm -Uvh remi-release-6*.rpm epel-release-6*.rpm

Note that enabling this without priorities can end badly, as it does have different versions of other base packages. In other words, be sure you know what you are doing before you blindly update with packages from this repo. Otherwise, a safer method is to only update packages that you know should be in the repo:

sudo yum update mysql --disablerepo='*' --enablerepo=remi

This ensures that a wayward update doesn't break your system.
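A check for the situation warned about above, an enabled repo with no priority= line, written as an added example that is not from the original page. The function name is hypothetical, and the script treats a missing enabled= line as enabled, which is yum's default.

```shell
#!/bin/sh
# Added example (not from the original page); function name is hypothetical.
# Lists every enabled repo section that has no priority= line, i.e. a repo
# that yum-priorities will not rank against the others.
# Usage: repos_without_priority [dir]   (default: /etc/yum.repos.d)
repos_without_priority() {
    dir=${1:-/etc/yum.repos.d}
    for f in "$dir"/*.repo; do
        [ -f "$f" ] || continue
        awk -v file="$f" '
            # Report the section just finished if it is enabled and unranked.
            function flush() {
                if (sec != "" && enabled && !prio) print file ": [" sec "]"
            }
            /^[ \t]*\[/ {
                flush()
                sec = $0
                gsub(/^[ \t]*\[|\][ \t\r]*$/, "", sec)
                enabled = 1     # a missing enabled= line means enabled
                prio = 0
                next
            }
            /^[ \t]*enabled[ \t]*=/ {
                v = $0
                sub(/^[^=]*=[ \t]*/, "", v)
                enabled = (v !~ /^0/)   # anything but 0 counts as enabled
            }
            /^[ \t]*priority[ \t]*=/ { prio = 1 }
            END { flush() }
        ' "$f"
    done
}
```

Run it before any `yum update`; an empty result means every enabled repo carries a priority.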

Configuration Notes

All web accessible files should be put in /var/www/html/ and should be owned by the user nginx and the group web. Anything containing a password, or anything else that we do not want to be publicly accessible, should be put into /var/www/configs/ and should be owned by the user php and the group php. This will prevent our wonderfully awesome passwords from being thrown out to the world in the event of a web server screwing us over.


Adding groups and modifying group permissions

There are two groups that we want to make, TICC and TICCAdmins. TICCAdmins has sudoers access, TICC does not. Adding groups is just a matter of running

groupadd <groupname>

This will create a group named "groupname", which can now be used by Linux. The next step is to ensure that the group we want to have sudo abilities actually has them. To do this, we will add the line


to the bottom of the /etc/sudoers file.

Adding users

useradd <username> -m -G TICCAdmins,TICC

The above will add a user, create the user's home directory, add them to the group TICCAdmins as default, and also add them to the group TICC. Note that this must be run with sudoer privileges or as root and this will create a sudoer user.

Next, run
passwd <username>
to activate the password on the account. su to that person's account, now that you've made it, and run
echo 'export PATH=$PATH:/usr/sbin' >> $HOME/.bash_profile
This will add the sbin commands to your path, which is a requirement for sudoers. Otherwise this probably does not need to be done.

Running the next set will mean you won't have to log off and on, which, if you're creating the account for someone, is probably unnecessary.

. $HOME/.bash_profile
echo $PATH

Configuring your Firewall

SELinux is what you're going to be using, if you're following any of this. Just go ahead and install system-config-firewall. It will save you a lot of time and banging of the head against the table. There are other measures you can take later, but I'm going to avoid putting some of that here so you don't have more info than we need to give.

Installing and Configuring MySQL & phpMyAdmin

Note that the more up-to-date version of MySQL can be found in the Remi[2] repo. This is a preferable version, as it seems that the MySQL in base is at least a major CentOS revision old and a few minor revisions of MySQL behind (as of this writing, base had 5.1.x and Remi had 5.5.x). Check above for enabling that repo. Ensure that it's started by running:

sudo service mysqld start

You can check that it's running by using any of the various process commands.

After it's running, change the root password by running

mysqladmin -u root password

This will prompt you for a new password without having to enter it using plaintext. This only works in versions 5.5.3 and above!

Configuring Nginx

The diff should take care of the configuration of nginx, but if it does not, then the steps to set it up are listed below.

  1. Make sure that there is a FastCGI server set up.
    1. Our current setup uses php-fpm and a script to launch it.
  2. Make sure that Nginx is passing the php pages to the FastCGI server.
    1. fastcgi_pass
    2. For some reason that has not been explained to me, the $document_root variable in Nginx's configuration is hard-coded to a value. This variable should not be used as we do not use the Nginx default location. Therefore, your Nginx configuration should be passing the script name using the following line.
fastcgi_param SCRIPT_NAME PATH_TO_WEB_ROOT/$fastcgi_script_name;

Configuring gitweb

Setting up the Wiki

  1. Download the Mediawiki installation. Current stable release is 1.18.1.
  2. We are using a different permission set. The folder requires
    chown nginx:web wiki/ -R
  3. Browse to http://serveraddress/wiki/installation/folder/
  4. Click the "set up the wiki" link to start installation.
  5. Choose your language.
  6. The next page lists what Mediawiki has found out about your server. The following warnings were found on ours, followed by why we could ignore them.
    1. Warning: SQLite is compiled without the FTS3 module, search features will be unavailable on this backend.
      • We ignored this because we are not using SQLite for our backend. We simply use MySQL.
    2. Warning: Could not find eAccelerator, APC, XCache or WinCache. Object caching is not enabled.
      • This would speed up our installation, but is something we do not care to bother with at the moment.
    3. Warning: The intl PECL extension is not available to handle Unicode normalization, falling back to slow pure-PHP implementation.
      • Right now, we do not run a high enough traffic site to warrant my bothering with this for too long. At some point in the future, I may look into this, but for now, I'm ignoring it.
  7. Read the terms, accept them, and move on to database setup.
  8. On this page, we set it up as:
    1. Database host: localhost
    2. Database name: wiki
    3. Database table prefix: left blank
    4. Database username and password: We set these to something that made sense to us.
  9. On the next page for web access, we left it the same as the account created last page.
  10. We set the Storage Engine to InnoDB and the encoding to Binary.
  11. Name your wiki (ours is Physiki), leave the project namespace the same, and set up your initial Administrator account. Don't forget to set the e-mail.
  12. We then chose to keep going with configuration. On the next page, we chose to do "Account Creation Required," and "GNU Free Documentation License 1.3 or Later," although this comes down to personal preference or the needs of your site.
  13. We set the return e-mail address to
  14. We chose to install the extensions "Nuke," "ConfirmEdit," and "WikiEditor" right now, as those are three that we intend to use and this makes our jobs easier.
  15. File uploads are disabled for us for the moment, until we change it through settings files. We did not enable the instant commons option since we do not use it.
  16. Click continue and then continue again to install.
  17. The installation will then download "LocalSettings.php" to your computer, which you then need to upload to your root wiki directory.

Forum Setup

I'm going to assume you've already done a few things:

  • Created a database server
  • Created a database for the forum on the server (I'll call ours "forum")
  • Installed and configured a working web server, with php
  1. Navigate to your web folder on your server
  2. wget, or current release.
  3. Unzip the folder to your web directory.
    • If you wish, you can change the phpbb folder name to something like "forum"
  4. Change the permissions on the folder (for us), according to the guidelines listed at the bottom of this page.
  5. Navigate to your folder in your web browser (for us,
  6. Click on the Install tab and make sure you have all of the pre-reqs. Click Start-Install
    1. Chances are, you'll find that the cache, files, and store folder are all unwritable. Those folders need to be owned by php and writable.
  7. Fill in the database information. Example:
    1. Database Type: MySQL
    2. Database Server Hostname: localhost
    3. Database Server Port: blank
    4. Database Name: forum
    5. Database Username: forum
    6. Database Password: *****
    7. Prefix for tables...: phpbb_ (It seems that in the newest version, you cannot leave this blank.)
  8. Click on next step. Hopefully your stuff worked with the test connection. Proceed and conquer.
  9. Put in the Forum Administrator's information (This can be changed later if need be)
  10. At some point, if you're using restrictive permissions, you'll be asked to download and upload a config.php file. Do so, and make sure it has restrictive permissions.
  11. Delete the folder "install" in your forum directory
  12. Enjoy your new forum! Don't kiss it too much.

Installing InkSurvey

  1. Run
    git clone
    This should create a folder called InkSurvey in the directory.
  2. cd into the InkSurvey directory, then run
    git clone
  3. Open up your browser and go to http://servername/InkSurvey/survey.php and fill in the fields.
    1. Admin E-mail:
    2. MySQL Database Server: localhost
    3. Database Name: survey
    4. Database user: survey
    5. Database pass: *****
    6. For server name, on our test server we used the IP.
    7. For "Web Directory," we filled in /var/www/html/
    8. For "Web Sub-Directory," we used InkSurvey
  4. Hit Configure Installation

Installing Cacti

  1. Use yum to install RRDTool. There are WAY TOO MANY dependencies to do this by hand. Only attempt if you have a week to kill. Seriously, just don't do it!
  2. Navigate to your web directory and wget the latest version of Cacti
  3. Untar and gunzip and rename the folder created to cacti (or symbolically link it)
  4. Set up permissions on the cacti folder
  5. Edit your cacti/includes/config.php file to work with your database server
  6. Put the sql template in your database (mysql cacti < cacti/cacti.sql)
  7. Access <server>/cacti/
  8. Follow the simple setup, then cackle maniacally when it works

Configuring and Installing Tomcat

This assumes that you already have nginx installed and that you intend to use your server as both a front for other web pages and as a java-serving server. This also assumes you are running CentOS (in this case, 6.3).

  1. First, install a Java JDK. We used 1.7.

Extra Notes

Making Bootable Media with a Kickstart file

mkisofs -o /home/fedora-kickstart.iso -b isolinux/isolinux.bin -c isolinux/ -no-emul-boot -boot-load-size 4 -boot-info-table -J -R -V "Fedora" .

Boot the right kernel (used for Kickstart)

Tip on this from CentOS wiki

Execute the following commands to get a copy of the installation kernel onto the server.

cd /boot/install

Modify Grub (version < 1.99) to include the following menu item.

The commands included assume that the default OS is installed on the first partition of sda and that there is a boot partition. If there is not a boot partition, you will need to add "/boot" to the file paths that start with "/install". If the OS is not installed on the first partition of sda, you will need to modify the root line.

If, at any time, these instructions do not make sense, stop and make sure you understand what you are doing, as failure to do so will result in permanent data and hair loss.

title Install CentOS
    root (hd0,0)
    kernel /install/vmlinuz ks= ip=<ipaddr> netmask=<netmask> gw=<gateway>  dns=<dns server> ksdevice=<KickstartInterface>
    initrd /install/initrd.img

The menu items are a zero indexed array, and if you want the above menu item to be the default selected item, you will need to set the DEFAULT= line to be the zero-indexed location of this menu item. You need to pass the kernel the location of the kickstart file. You may also need to configure the system to recognize your static IP Address, mask, gateway, etc.

For Grub (version >= 1.99) Create a file called 06_CentOS in /etc/grub.d/, make it executable, and put the following content in it.

#!/bin/sh
exec tail -n +3 $0
# This file provides an easy way to add custom menu entries.  Simply type the
# menu entries you want to add after this comment.  Be careful not to change
# the 'exec tail' line above.
menuentry "CentOSKickstart" {
    set root=(hd0,1)
    linux   /install/vmlinuz ks= ip=<ipaddr> netmask=<netmask> gw=<gateway>  dns=<dns server> ksdevice=<KickstartInterface>
    initrd  /install/initrd.img
}

Note that this file has the first partition set as (hd0,1) rather than (hd0,0), as was used for older versions of GRUB.

You then need to run

sudo update-grub

This will modify the /boot/grub/grub.cfg file using the new values found in the file you just created. Verify that the changes were added to the file.

Also check that the DEFAULT value in /etc/default/grub points to the zero-indexed number of your menu entry in the /boot/grub/grub.cfg file. If that does not make sense, stop.

Changing Hashing Algorithm

authconfig --passalgo=sha512 --update

This will require everyone to re-enter their password when they login to have it hashed with the new algorithm.
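To see which accounts still carry a hash from the old algorithm after the change, the hash prefix in the shadow file can be checked. This is an added example, not from the original page; the function name is hypothetical, and it relies on the standard crypt prefixes ($1$ MD5, $5$ SHA-256, $6$ SHA-512).

```shell
#!/bin/sh
# Added example (not from the original page); function name is hypothetical.
# Lists accounts in a shadow-format file whose password hash is not SHA-512.
# Usage: non_sha512_accounts [file]   (default: /etc/shadow, needs root)
non_sha512_accounts() {
    awk -F: '
        {
            h = $2
            sub(/^!+/, "", h)               # locked account: hash follows the "!"
            if (h == "" || h == "*") next   # no password hash to check
            if (h ~ /^\$6\$/) next          # already SHA-512
            scheme = "DES or unknown"
            if (h ~ /^\$1\$/) scheme = "MD5"
            else if (h ~ /^\$5\$/) scheme = "SHA-256"
            print $1 "\t" scheme
        }
    ' "${1:-/etc/shadow}"
}
```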

ssh-ing into the iLOM

Configuring GRUB for Serial Port usage

Permissions Setup

Permissions for Web Accessible Files

For web accessible files, the files and folders should be owned by nginx:web. For executable files, such as php files, their permissions should be 550. For files that only need to be read, such as html files, their permissions should be 440. For all folders in web accessible locations, the permissions should be 551.

To apply these permissions, run:

sudo chown -R nginx:web <web root folder>
sudo chmod -R 550 <web root folder>
sudo find <web root folder> -type d -exec chmod 551 {} +

Then, PHP files need to be owned by php.

sudo find <web root folder> -name '*.php' -exec chown php:php {} +
sudo find <web root folder> -name '*.php5' -exec chown php:php {} +
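The mode scheme described above (folders 551, PHP files 550, read-only files 440) applied per file type and then audited, as an added example that is not from the original page. The function names are hypothetical, PHP files are recognised by the .php and .php5 extensions used above, and ownership is left to the chown commands.

```shell
#!/bin/sh
# Added example (not from the original page); function names are hypothetical.
# Scheme from the text: folders 551, PHP files 550, every other file 440.
# Ownership is not touched here.

# Apply the scheme. find -exec hands names straight to chmod, so paths with
# spaces survive, and -type d / -type f skip symlinks that could point
# outside the web root.
apply_web_modes() {
    find "$1" -type d -exec chmod 551 {} +
    find "$1" -type f \( -name '*.php' -o -name '*.php5' \) -exec chmod 550 {} +
    find "$1" -type f ! -name '*.php' ! -name '*.php5' -exec chmod 440 {} +
}

# Print every path whose mode differs from the scheme (no output = compliant).
# -perm with a bare octal mode is an exact match, so extra bits such as
# world-write or setuid are reported too.
audit_web_modes() {
    find "$1" -type d ! -perm 551 -print
    find "$1" -type f \( -name '*.php' -o -name '*.php5' \) ! -perm 550 -print
    find "$1" -type f ! -name '*.php' ! -name '*.php5' ! -perm 440 -print
}
```

Run `audit_web_modes <web root folder>` after installing or upgrading a web application; installers often leave cache or upload folders with looser modes.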

External Links
