|
Size: 5573
Comment:
|
Size: 6345
Comment:
|
| Deletions are marked like this. | Additions are marked like this. |
| Line 2: | Line 2: |
Described by KA on Nov 21st, 2017. |
|
| Line 37: | Line 39: |
| The output of this should look like this {{{ Chain INPUT (policy ACCEPT 0 packets, 0 bytes) num pkts bytes target prot opt in out source destination 1 1005K 1464M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED 2 889 49872 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0 3 5772K 3236M INPUT_direct all -- * * 0.0.0.0/0 0.0.0.0/0 4 5772K 3236M INPUT_ZONES_SOURCE all -- * * 0.0.0.0/0 0.0.0.0/0 5 0 0 ACCEPT tcp -- enp1s0f0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:8080 state NEW,ESTABLISHED 6 1565 97196 ACCEPT tcp -- enp1s0f1 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:8080 state NEW,ESTABLISHED 7 0 0 ACCEPT tcp -- enp1s0f0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:30889 state NEW,ESTABLISHED 8 412 23688 ACCEPT tcp -- enp1s0f1 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:30889 state NEW,ESTABLISHED 9 0 0 ACCEPT tcp -- enp1s0f0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:8081 state NEW,ESTABLISHED 10 2884 175K ACCEPT tcp -- enp1s0f1 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:8081 state NEW,ESTABLISHED 11 5767K 3236M INPUT_ZONES all -- * * 0.0.0.0/0 0.0.0.0/0 12 370 15354 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID 13 5586K 3192M REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited }}} |
|
| Line 43: | Line 63: |
- This command makes the change permanent.'''This command has already been run'''. {{{ iptables-save > /etc/sysconfig/iptables }}} |
|
| Line 45: | Line 71: |
| - Tried a simplest setting as possible. I installed elinks, a text based browser, to test the local access to the web. And the server worked locally but not remotely. It seemed that the ports were not open. | - All apache setting can be found in {{{/etc/httpd}}} . |
| Line 47: | Line 73: |
| - A command "iptables" is the way to make specific ports available. | - The main config file is {{{/etc/httpd/conf/}}} . This takes care the global setting of the web service. |
| Line 49: | Line 75: |
| - This required to specify correct interface name. This could be checked with "ifconfig -a". nodus has two ethernet I/Fs. i.e. enp1s0f0 and enp1s0f1 - Therefore the commands are like the following: |
- {{{/etc/httpd/conf.d/}}} has sub config files. Only ssl.conf was reviewed. This config has the following line. |
| Line 54: | Line 78: |
| iptables -I INPUT 5 -i enp1s0f0 -p tcp --dport 8080 -m state --state NEW,ESTABLISHED -j ACCEPT iptables -I INPUT 6 -i enp1s0f1 -p tcp --dport 8080 -m state --state NEW,ESTABLISHED -j ACCEPT iptables -I INPUT 7 -i enp1s0f0 -p tcp --dport 30889 -m state --state NEW,ESTABLISHED -j ACCEPT iptables -I INPUT 8 -i enp1s0f1 -p tcp --dport 30889 -m state --state NEW,ESTABLISHED -j ACCEPT iptables -I INPUT 9 -i enp1s0f0 -p tcp --dport 8081 -m state --state NEW,ESTABLISHED -j ACCEPT iptables -I INPUT 10 -i enp1s0f1 -p tcp --dport 8081 -m state --state NEW,ESTABLISHED -j ACCEPT |
SSLPassPhraseDialog exec:/etc/httpd/passphrase.sh |
| Line 62: | Line 81: |
| - Check the iptable status. 5 to 0 are the new entries. NOTE that this modification is not permanent yet. We need to run the above commands everytime we reboot the host. | And the corresponding file can be found as {{{/etc/httpd/passphrase.sh}}} . - The actual web site settings are found in {{{/etc/httpd/site-enabled}}} . '''This folder should have symbolic links to the corresponding files in''' {{{site-available}}}. The important files are {{{elog.conf}}} and {{{nodus30889_secure.conf}}} for now. SVN setting should be added later. - SSL Certificates were copied from the old backup. They are located in {{{/etc/httpd/ssl}}}. So each '''https''' sites should have the following directives in each {{{VirtualHost}}}. |
| Line 65: | Line 88: |
| # iptables -vnL INPUT --line Chain INPUT (policy ACCEPT 0 packets, 0 bytes) num pkts bytes target prot opt in out source destination> 1 532K 1294M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED 2 62 3808 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0 3 3378K 1896M INPUT_direct all -- * * 0.0.0.0/0 0.0.0.0/0 4 3378K 1896M INPUT_ZONES_SOURCE all -- * * 0.0.0.0/0 0.0.0.0/0 5 0 0 ACCEPT tcp -- enp1s0f0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:8080 state NEW,ESTABLISHED 6 8 512 ACCEPT tcp -- enp1s0f1 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:8080 state NEW,ESTABLISHED 7 0 0 ACCEPT tcp -- enp1s0f0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:30889 state NEW,ESTABLISHED 8 5 320 ACCEPT tcp -- enp1s0f1 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:30889 state NEW,ESTABLISHED 9 3378K 1896M INPUT_ZONES all -- * * 0.0.0.0/0 0.0.0.0/0 10 113 4814 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID 11 3273K 1869M REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited |
SSLCertificateFile /etc/httpd/ssl/nodus.ligo.caltech.edu.crt SSLCertificateKeyFile /etc/httpd/ssl/nodus.ligo.caltech.edu.key |
| Line 80: | Line 91: |
| Line 108: | Line 123: |
| SVN installation {{{ |
|
| Line 109: | Line 126: |
| }}} To create a repository from an existing repository: We can't just copy the files. We need to use a dump file created by svnadmin. This can be done for an existing svn repository in the new system. '''Dumping''' {{{ cd /home/export/svn sudo svnadmin dump ./ > ../svndump }}} '''Create a new repository''' {{{ cd /home/export sudo mv svn svn_old sudo svnadmin create svn }}} '''Loading''' {{{ cd /home/export sudo svnadmin load ./svn < svndump }}} |
Contents
Described by KA on Nov 21st, 2017.
OLD nodus etc / export
Backup of the old nodus configurations are found in /cvs/cds/caltech/nodus_backup .
Some useful locations:
Old apache configurations
cd /cvs/cds/caltech/nodus_backup/etc/apache2
iptables
We want nodus to make several ports available from Martian and internet. Otherwise, the access to these ports are just rejected. To enable the ports, allow this, we need to run the following commands. 8080: non-secure elog, 8081: secure-elog, 30889: web service
sudo iptables -I INPUT 5 -i enp1s0f0 -p tcp --dport 8080 -m state --state NEW,ESTABLISHED -j ACCEPT sudo iptables -I INPUT 6 -i enp1s0f1 -p tcp --dport 8080 -m state --state NEW,ESTABLISHED -j ACCEPT sudo iptables -I INPUT 7 -i enp1s0f0 -p tcp --dport 30889 -m state --state NEW,ESTABLISHED -j ACCEPT sudo iptables -I INPUT 8 -i enp1s0f1 -p tcp --dport 30889 -m state --state NEW,ESTABLISHED -j ACCEPT sudo iptables -I INPUT 9 -i enp1s0f0 -p tcp --dport 8081 -m state --state NEW,ESTABLISHED -j ACCEPT sudo iptables -I INPUT 10 -i enp1s0f1 -p tcp --dport 8081 -m state --state NEW,ESTABLISHED -j ACCEPT
Here we need to specify two ethernet interfaces (enp1s0f0 and enp1s0f1). They could be checked by ifconfig
ifconfig -a
To check the current IPTable setup, the following command is useful
sudo iptables -vnL INPUT --line
The output of this should look like this
Chain INPUT (policy ACCEPT 0 packets, 0 bytes) num pkts bytes target prot opt in out source destination 1 1005K 1464M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED 2 889 49872 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0 3 5772K 3236M INPUT_direct all -- * * 0.0.0.0/0 0.0.0.0/0 4 5772K 3236M INPUT_ZONES_SOURCE all -- * * 0.0.0.0/0 0.0.0.0/0 5 0 0 ACCEPT tcp -- enp1s0f0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:8080 state NEW,ESTABLISHED 6 1565 97196 ACCEPT tcp -- enp1s0f1 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:8080 state NEW,ESTABLISHED 7 0 0 ACCEPT tcp -- enp1s0f0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:30889 state NEW,ESTABLISHED 8 412 23688 ACCEPT tcp -- enp1s0f1 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:30889 state NEW,ESTABLISHED 9 0 0 ACCEPT tcp -- enp1s0f0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:8081 state NEW,ESTABLISHED 10 2884 175K ACCEPT tcp -- enp1s0f1 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:8081 state NEW,ESTABLISHED 11 5767K 3236M INPUT_ZONES all -- * * 0.0.0.0/0 0.0.0.0/0 12 370 15354 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID 13 5586K 3192M REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
To delete an entry (e.g. #3 in INPUT section)
sudo iptables -D INPUT 3
- This command makes the change permanent.This command has already been run.
iptables-save > /etc/sysconfig/iptables
Apache
- All apache setting can be found in /etc/httpd .
- The main config file is /etc/httpd/conf/ . This takes care the global setting of the web service.
- /etc/httpd/conf.d/ has sub config files. Only ssl.conf was reviewed. This config has the following line.
SSLPassPhraseDialog exec:/etc/httpd/passphrase.sh
And the corresponding file can be found as /etc/httpd/passphrase.sh .
- The actual web site settings are found in /etc/httpd/site-enabled . This folder should have symbolic links to the corresponding files in site-available. The important files are elog.conf and nodus30889_secure.conf for now. SVN setting should be added later.
- SSL Certificates were copied from the old backup. They are located in /etc/httpd/ssl. So each https sites should have the following directives in each VirtualHost.
SSLCertificateFile /etc/httpd/ssl/nodus.ligo.caltech.edu.crt
SSLCertificateKeyFile /etc/httpd/ssl/nodus.ligo.caltech.edu.key- Now I configured non-SSL version of 30889 server. This was done by /etc/httpd/sites-available/nodus30889_nosecure.conf and the symbolic link of it in /etc/httpd/sites-enabled.
- I realized that we need php for dokuwikis. It was installed. Maybe we need more careful configuration of php later. > sudo yum -y install php
- To work with the server daemon, use systemctl command. Currently the server is not running. > sudo systemctl (start|restart|stop|status) httpd
elogd
- The new executable seemed installed at /usr/local/sbin. The setting files are in /export/elog.
- The current (best) elog staring script is /export/elog/startELOGD.sh.
- By disabling 8081 secure elog thing, the elog is running at the port 8080. However, the elogd does not want to use the themes in /export/elog/elog-common no matter how this directory is specified for the resource dir. The only workable setup right now is to speficy the resource directory as Resource dir = /usr/local/elog in /export/elog/elog-common/elogd.cfg
- This is not the perfect solution but this allows us to use the elog. There is no true secure password for the elog, this is OK for today, I guess? We need more investigation on the theme and the SSL version of the elog (i.e. port 8081).
ELOG CFG URL = https://nodus.ligo.caltech.edu:8081/
SVN
SVN installation
sudo yum install subversion
To create a repository from an existing repository: We can't just copy the files. We need to use a dump file created by svnadmin. This can be done for an existing svn repository in the new system.
Dumping
cd /home/export/svn sudo svnadmin dump ./ > ../svndump
Create a new repository
cd /home/export sudo mv svn svn_old sudo svnadmin create svn
Loading
cd /home/export sudo svnadmin load ./svn < svndump
