untrusted connection: A set of security notes, HOW TOs and choose-your-own-adventures. Andrew Hosch (http://www.blogger.com/profile/12207061134715113029), published 2018-01-14. Redmine, Passenger, and Nginx on Ubuntu 16.04<h3>
<span style="font-family: "arial" , "helvetica" , sans-serif;">Redmine with Passenger and Nginx on Ubuntu 16.04</span></h3>
<span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-family: "arial" , "helvetica" , sans-serif;">Just in time for Ubuntu 18, here are Ubuntu 16 instructions for getting Redmine up and running. Though better than on Ubuntu 14, this is still a</span><span style="font-family: "arial" , "helvetica" , sans-serif;"><span class="st"> maze of twisty little passages, all alike. </span></span></span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><span class="st"><br /></span></span></span>
<span style="font-family: "arial" , "helvetica" , sans-serif;"><span class="st">Here are flexible instructions to get an up-to-date, robust, secure installation going.</span></span><br />
<ul>
<li><span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><span class="st">Ubuntu 16.04 LTS - a mature Ubuntu version with long term support </span></span></span></li>
<li><span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><span class="st">MySQL - the database </span></span></span></li>
<li><span style="font-family: "arial" , "helvetica" , sans-serif;"><span class="st">Ruby - the technology on which Redmine runs, installed using RVM to manage the ruby version and have access to up-to-date components</span></span></li>
<li><span style="font-family: "arial" , "helvetica" , sans-serif;"><span class="st">Phusion Passenger - the application server in which to run Redmine</span></span></li>
<li><span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><span class="st">Nginx - the web server within which Redmine runs </span></span></span></li>
</ul>
<h3>
<span style="font-family: "arial" , "helvetica" , sans-serif;">MySQL Configuration</span></h3>
<span style="font-family: "arial" , "helvetica" , sans-serif;">Install MySQL. For this step, relying on the Ubuntu packages is fine.</span><br />
<blockquote class="tr_bq">
<span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-family: "courier new" , "courier" , monospace;">sudo apt-get install -y mysql-server libmysqlclient-dev</span></span></blockquote>
<span style="font-family: "arial" , "helvetica" , sans-serif;">Connect to the mysql service as root and create the database, then create the redmine user and grant it access:</span><br />
<blockquote class="tr_bq">
<span style="font-family: "courier new" , "courier" , monospace;">mysql -p -u root<br />CREATE DATABASE redmine CHARACTER SET utf8;<br />CREATE USER 'redmine'@'localhost' IDENTIFIED BY '<i>yourpassword</i>';<br />GRANT ALL PRIVILEGES ON redmine.* TO 'redmine'@'localhost';</span></blockquote>
<span style="font-family: "arial" , "helvetica" , sans-serif;">If this is just a test system, move on to the Ruby Installation section.</span><br />
<br />
<span style="font-family: "arial" , "helvetica" , sans-serif;">For production systems, use a separate data disk rather than storing data on the same partition as the root system. Stop the service and then migrate the data directory.</span><br />
<blockquote class="tr_bq">
<span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-family: "courier new" , "courier" , monospace;"> service mysql stop</span></span></blockquote>
<span style="font-family: "arial" , "helvetica" , sans-serif;">Modify the data directory configuration in MySQL: </span><br />
<blockquote class="tr_bq">
<span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-family: "courier new" , "courier" , monospace;">sudo vim /etc/mysql/mysql.conf.d/mysqld.cnf </span></span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-family: "courier new" , "courier" , monospace;">#datadir = /var/lib/mysql #old location</span></span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-family: "courier new" , "courier" , monospace;">datadir = /data/mysql # new location</span></span></blockquote>
<span style="font-family: "arial" , "helvetica" , sans-serif;">On install, MySQL 5.7 automatically initializes the data directory, so the existing contents must be moved to the new location.</span><br />
<blockquote class="tr_bq">
<span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-family: "courier new" , "courier" , monospace;">sudo mkdir /data<br />sudo mv /var/lib/mysql/ /data/mysql/</span></span></blockquote>
<span style="font-family: "arial" , "helvetica" , sans-serif;">Update AppArmor, otherwise the mysql process won't start. The MySQL 5.7 and Ubuntu combination has an AppArmor bug that surfaces when the data directory is moved. The error shows in syslog like this:</span><br />
<blockquote class="tr_bq">
<span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-family: "courier new" , "courier" , monospace;">Jan 12 10:03:12 ubuntu16 kernel: [ 1289.012262] audit: type=1400 audit(1515780192.392:116): apparmor="DENIED" operation="open" profile="/usr/sbin/mysqld" name="/proc/8834/status" pid=8834 comm="mysqld" requested_mask="r" denied_mask="r" fsuid=111 ouid=111<br />Jan 12 10:03:12 ubuntu16 kernel: [ 1289.012897] audit: type=1400 audit(1515780192.396:117): apparmor="DENIED" operation="open" profile="/usr/sbin/mysqld" name="/sys/devices/system/node/" pid=8834 comm="mysqld" requested_mask="r" denied_mask="r" fsuid=111 ouid=0</span></span></blockquote>
<span style="font-family: "arial" , "helvetica" , sans-serif;">To really geek out, this bug has <a href="https://bugs.launchpad.net/ubuntu/+source/mysql-5.7/+bug/1610765" target="_blank">one of the more sad but funny threads</a> I've read in a long time. They eventually get to the right conclusion and open <a href="https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1658239" target="_blank">two</a> <a href="https://bugs.launchpad.net/ubuntu/+source/mysql-5.7/+bug/1658233" target="_blank">bugs</a>, but getting there is a journey. We will patch it ourselves, because the bugs haven't actually been fixed in the Ubuntu release.</span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="font-family: "arial" , "helvetica" , sans-serif;">To update AppArmor:</span><br />
<blockquote class="tr_bq">
<span style="font-family: "courier new" , "courier" , monospace;">sudo vim /etc/apparmor.d/usr.sbin.mysqld</span> </blockquote>
<span style="font-family: "arial" , "helvetica" , sans-serif;">In the "Allow system resource access" section add the following to fix the bug(s). (The denials logged above are for <span style="font-family: "courier new" , "courier" , monospace;">/proc/&lt;pid&gt;/status</span> and <span style="font-family: "courier new" , "courier" , monospace;">/sys/devices/system/node/</span>; if you want to keep the profile tight, <span style="font-family: "courier new" , "courier" , monospace;">/proc/*/status r,</span> is a narrower replacement for the <span style="font-family: "courier new" , "courier" , monospace;">/proc/**</span> rule that still covers the logged denial.)</span><br />
<blockquote class="tr_bq">
<span style="font-family: "courier new" , "courier" , monospace;">/sys/devices/system/node/ r,</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">/sys/devices/system/node/** r,</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">/proc/** r, </span></blockquote>
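<span style="font-family: "arial" , "helvetica" , sans-serif;">As an added example (not from the original post), the POSIX sh snippet below reads AppArmor DENIED audit lines like the ones shown above and turns them into profile rules, so the profile gets exactly what mysqld was refused rather than a blanket grant. The sample log is constructed from the two lines in the post plus one non-denial event; the profile name and paths are the ones on this page, and the function names are my own.</span><br />

```shell
#!/bin/sh
# Added example: turn AppArmor "DENIED" audit lines for one profile into the
# profile rules that would satisfy them.  SAMPLE_LOG is constructed from the
# two syslog lines quoted in the post plus one non-denial STATUS event, so the
# script runs offline; on a real box, feed it /var/log/syslog instead.
SAMPLE_LOG='Jan 12 10:03:12 ubuntu16 kernel: [ 1289.012262] audit: type=1400 audit(1515780192.392:116): apparmor="DENIED" operation="open" profile="/usr/sbin/mysqld" name="/proc/8834/status" pid=8834 comm="mysqld" requested_mask="r" denied_mask="r" fsuid=111 ouid=111
Jan 12 10:03:12 ubuntu16 kernel: [ 1289.012897] audit: type=1400 audit(1515780192.396:117): apparmor="DENIED" operation="open" profile="/usr/sbin/mysqld" name="/sys/devices/system/node/" pid=8834 comm="mysqld" requested_mask="r" denied_mask="r" fsuid=111 ouid=0
Jan 12 10:03:13 ubuntu16 kernel: [ 1289.200000] audit: type=1400 audit(1515780193.200:118): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/sbin/mysqld" pid=9001 comm="apparmor_parser"'

# apparmor_denials PROFILE
#   Reads audit lines on stdin and prints "<path> <denied_mask>" for every
#   DENIED event that belongs to PROFILE.  A purely numeric path component
#   (the PID under /proc) is generalised to "*" so one rule covers every
#   mysqld process, and duplicates are collapsed.
apparmor_denials() {
  grep 'apparmor="DENIED"' |
    grep -F -- "profile=\"$1\"" |
    sed -n 's/.* name="\([^"]*\)".* denied_mask="\([^"]*\)".*/\1 \2/p' |
    sed 's#/[0-9][0-9]*/#/*/#g' |
    sort -u
}

# suggest_rules PROFILE
#   Formats the denials as AppArmor rule lines, ready to paste into the
#   "Allow system resource access" section of the profile.
suggest_rules() {
  apparmor_denials "$1" | while read -r path mask; do
    printf '%s %s,\n' "$path" "$mask"
  done
}

# demo_rules: run the pipeline over the constructed sample for /usr/sbin/mysqld.
demo_rules() {
  printf '%s\n' "$SAMPLE_LOG" | suggest_rules /usr/sbin/mysqld
}

demo_rules
```

<span style="font-family: "arial" , "helvetica" , sans-serif;">After restarting mysql, pipe /var/log/syslog through <span style="font-family: "courier new" , "courier" , monospace;">suggest_rules /usr/sbin/mysqld</span>; empty output means the profile now covers everything mysqld touched.</span><br />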
<span style="font-family: "arial" , "helvetica" , sans-serif;">And under the "Allow data dir access" section change the entries from <b><span style="font-family: "courier new" , "courier" , monospace;">/var/lib/mysql/</span></b> to the new directory, <b><span style="font-family: "courier new" , "courier" , monospace;">/data/mysql/</span></b>.</span><br />
<blockquote class="tr_bq">
<span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-family: "courier new" , "courier" , monospace;"># Allow data dir access<br /># /var/lib/mysql/ r,<br /># /var/lib/mysql/** rwk,<br />/data/mysql/ r,<br />/data/mysql/** rwk, </span></span></blockquote>
<span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-family: "arial" , "helvetica" , sans-serif;">Reload AppArmor<span style="font-family: "arial" , "helvetica" , sans-serif;">:</span></span></span><br />
<blockquote class="tr_bq">
<span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-family: "courier new" , "courier" , monospace;">sudo systemctl reload apparmor</span></span></blockquote>
<span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-family: "arial" , "helvetica" , sans-serif;">Restart mysql<span style="font-family: "arial" , "helvetica" , sans-serif;">:</span> </span></span><br />
<blockquote class="tr_bq">
<span style="font-family: "arial" , "helvetica" , sans-serif;"> <span style="font-family: "courier new" , "courier" , monospace;">service mysql start</span></span></blockquote>
<span style="font-family: "arial" , "helvetica" , sans-serif;">The system should start without error if everything has been done correctly. Run the following command to ensure everything looks okay:</span><br />
<blockquote class="tr_bq">
<span style="font-family: "courier new" , "courier" , monospace;"><span style="font-family: "courier new" , "courier" , monospace;">mysql -p -u redmine</span></span></blockquote>
<h3>
<span style="font-family: "arial" , "helvetica" , sans-serif;">Ruby Installation</span></h3>
<span style="font-family: "arial" , "helvetica" , sans-serif;">Many methods exist to install Ruby. Unfortunately, the most convenient one, apt-get, leaves the system many versions behind, which means many plugins for redmine, and parts of redmine itself, will be unsupported. RVM is a tried-and-true method for cleanly managing ruby versions.</span><br />
<br />
<span style="font-family: "arial" , "helvetica" , sans-serif;">For whatever reason, <b>these steps must be run as root</b>:</span><br />
<blockquote class="tr_bq">
<span style="font-family: "courier new" , "courier" , monospace;">sudo su - #get into root<br />apt-add-repository -y ppa:rael-gc/rvm<br />apt-get update<br />apt-get install rvm</span></blockquote>
<span style="font-family: "arial" , "helvetica" , sans-serif;">Once done, log out and log back in as root.</span><br />
<blockquote class="tr_bq">
<span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-family: "courier new" , "courier" , monospace;">exit</span></span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-family: "courier new" , "courier" , monospace;">sudo su - #log out and log back in</span></span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-family: "courier new" , "courier" , monospace;">command curl -sSL https://rvm.io/mpapis.asc | gpg --import -</span></span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-family: "courier new" , "courier" , monospace;">rvmsudo rvm get stable</span></span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-family: "courier new" , "courier" , monospace;">rvm requirements</span></span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-family: "courier new" , "courier" , monospace;">rvm install 2.5.0</span></span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-family: "courier new" , "courier" , monospace;">rvm use 2.5.0 --default</span></span></blockquote>
<span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-family: "arial" , "helvetica" , sans-serif;">Test that the install looks okay. </span></span><br />
<blockquote class="tr_bq">
<span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-family: "courier new" , "courier" , monospace;">ruby -v<br />ruby 2.5.0p0 (2017-12-25 revision 61468) [x86_64-linux] </span></span></blockquote>
<span style="font-family: "arial" , "helvetica" , sans-serif;">Note: once set up, each user of rvm needs to be added to the rvm group.</span><br />
<blockquote class="tr_bq">
<span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-family: "courier new" , "courier" , monospace;">sudo usermod -a -G rvm <i>username</i></span><i> </i></span></blockquote>
<br />
<h3>
<span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-family: "arial" , "helvetica" , sans-serif;">Phusion Passenger Installation</span></span></h3>
<span style="font-family: "arial" , "helvetica" , sans-serif;">Again, many options exist for application containers. Phusion has a Passenger-Nginx combo that is straightforward to install and configure. It does not need to be done as root.</span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif;"></span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif;">Details of this installation can be found <a href="https://www.phusionpassenger.com/library/install/nginx/install/oss/xenial/" target="_blank">on the Phusion site</a>.</span><br />
<blockquote class="tr_bq">
<span style="font-family: "courier new" , "courier" , monospace;">sudo apt-get install -y dirmngr gnupg<br />sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys 561F9B9CAC40B2F7<br />sudo apt-get install -y apt-transport-https ca-certificates<br />sudo sh -c 'echo deb https://oss-binaries.phusionpassenger.com/apt/passenger xenial main > /etc/apt/sources.list.d/passenger.list'<br />sudo apt-get update<br />sudo apt-get install -y nginx-extras passenger</span></blockquote>
<h3>
<span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-family: "arial" , "helvetica" , sans-serif;">Nginx Configuration </span></span></h3>
<span style="font-family: "arial" , "helvetica" , sans-serif;">Passenger configuration with nginx has been simplified since previous versions.</span><br />
<br />
<span style="font-family: "arial" , "helvetica" , sans-serif;">Enable passenger in nginx:</span><br />
<blockquote class="tr_bq">
<span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-family: "courier new" , "courier" , monospace;">sudo vim /etc/nginx/nginx.conf</span></span></span></span></blockquote>
<span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-family: "arial" , "helvetica" , sans-serif;">Uncomment the following line: </span></span></span><br />
<blockquote class="tr_bq">
<span style="font-family: "courier new" , "courier" , monospace;">include /etc/nginx/passenger.conf;</span></blockquote>
<span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-family: "arial" , "helvetica" , sans-serif;">Restart nginx: </span></span></span><br />
<blockquote class="tr_bq">
<span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-family: "courier new" , "courier" , monospace;">sudo service nginx restart</span> </span></span></span></blockquote>
<span style="font-family: "arial" , "helvetica" , sans-serif;">Confirm everything looks correct:</span><br />
<blockquote class="tr_bq">
<span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-family: "courier new" , "courier" , monospace;">sudo /usr/bin/passenger-config validate-install<br />sudo /usr/sbin/passenger-memory-stats </span></span></span></span></blockquote>
<span style="font-family: "arial" , "helvetica" , sans-serif;">The result will be something like this:</span><br />
<blockquote class="tr_bq">
<span style="font-family: "courier new" , "courier" , monospace;">/usr/lib/ruby/vendor_ruby/phusion_passenger/locations.ini</span></blockquote>
<span style="font-family: "arial" , "helvetica" , sans-serif;">Also, confirm that passenger is pointed at the correct ruby (the RVM-managed one).</span><br />
<blockquote class="tr_bq">
<span style="font-family: "courier new" , "courier" , monospace;">which passenger-config </span><br />
<span style="font-family: "courier new" , "courier" , monospace;">/usr/bin/passenger-config #use this result to perform the next command </span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-family: "courier new" , "courier" , monospace;">/usr/bin/passenger-config --ruby-command</span></span></blockquote>
<span style="font-family: "arial" , "helvetica" , sans-serif;">The result will be something like this: </span><br />
<blockquote class="tr_bq">
<span style="font-family: "courier new" , "courier" , monospace;">/usr/local/rvm/gems/ruby-2.5.0/wrappers/ruby</span></blockquote>
<span style="font-family: "arial" , "helvetica" , sans-serif;">Build out the site, assuming http for now. More configuration will be needed to SSL-ize the system and lock it down, but for now this will get things correct and running.</span><br />
<blockquote class="tr_bq">
<span style="font-family: "courier new" , "courier" , monospace;">sudo cp /etc/nginx/sites-available/default /etc/nginx/sites-available/default.orig<br />sudo vim /etc/nginx/sites-available/default</span></blockquote>
<span style="font-family: "arial" , "helvetica" , sans-serif;">Update the root location and add passenger configuration. The assumption is your redmine root location is also on the /data partition. This directory will be created when we add the redmine account.</span><br />
<blockquote class="tr_bq">
<span style="font-family: "courier new" , "courier" , monospace;">root /data/redmine/redmine/public/; # installation location<br />passenger_enabled on; # turn on application container<br />client_max_body_size 10m; # max attachment size allowed</span></blockquote>
<span style="font-family: "arial" , "helvetica" , sans-serif;">Then, to prevent a mess of 404 errors, comment out the location entry. Missing this step results in a special level of redmine 404 hell.</span><br />
<blockquote class="tr_bq">
<span style="font-family: "courier new" , "courier" , monospace;">#location / {<br /> # First attempt to serve request as file, then<br /> # as directory, then fall back to displaying a 404.<br /> #try_files $uri $uri/ =404;<br />#}</span></blockquote>
<span style="font-family: "arial" , "helvetica" , sans-serif;">No need to restart nginx just yet. The system is almost ready for redmine installation.</span><br />
<h3>
<span style="font-family: "arial" , "helvetica" , sans-serif;">Create the redmine account </span></h3>
<span style="font-family: "arial" , "helvetica" , sans-serif;">Before doing too much with ruby, create a redmine service account. Note: Ideally the home directory is located where redmine is going to be installed - for production systems this should be on a separate partition. </span><br />
<blockquote>
<span style="font-family: "courier new" , "courier" , monospace;">sudo adduser --system --shell /bin/bash --gecos 'Redmine Administrator' --group --disabled-password --home /data/redmine redmine<br />sudo usermod -a -G rvm redmine</span></blockquote>
<span style="font-family: "arial" , "helvetica" , sans-serif;">Give the account sudo privileges (temporarily; remove this entry again once the install is finished).</span><br />
<blockquote class="tr_bq">
<span style="font-family: "courier new" , "courier" , monospace;">sudo visudo </span><br />
<span style="font-family: "courier new" , "courier" , monospace;">redmine ALL=(ALL) NOPASSWD:ALL</span></blockquote>
<h3>
<span style="font-family: "arial" , "helvetica" , sans-serif;">Welcome to dependency-o-rama </span></h3>
<span style="font-family: "arial" , "helvetica" , sans-serif;">Installing the ruby add-ons next depends (ha ha, get it?) on various system packages needed to build ruby components. A minimal list looks something like this:</span><br />
<blockquote class="tr_bq">
<span style="font-family: "courier new" , "courier" , monospace;">sudo apt-get install -y build-essential imagemagick libmagickwand-dev</span></blockquote>
<h3>
<span style="font-family: "arial" , "helvetica" , sans-serif;">Redmine, remember this was the main point of the article?</span></h3>
<span style="font-family: "arial" , "helvetica" , sans-serif;">Whew. Like a hero that doesn't show up until the third reel of a movie, redmine is finally on the scene. Yes, this is just like Batman vs Superman. There is a lot of build up to the main event, and when you get there it is anticlimactic. </span><br />
<h4>
<span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-family: "trebuchet ms" , sans-serif;"><span style="font-size: small;">Install the latest redmine</span></span></span></h4>
<span style="font-family: "arial" , "helvetica" , sans-serif;"><b>Switch to the redmine user</b> and pull down the latest stable release. Verify the archive against the checksum published on the Redmine download page before unpacking it.</span><br />
<blockquote class="tr_bq">
<span style="font-family: "courier new" , "courier" , monospace;">sudo su - redmine # should result in being in the redmine installation directory</span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-family: "courier new" , "courier" , monospace;">wget http://www.redmine.org/releases/redmine-3.4.4.tar.gz <br />tar xvfz redmine-3.4.4.tar.gz<br />ln -s redmine-3.4.4 redmine<br />rm redmine-3.4.4.tar.gz</span></span></blockquote>
<h4>
<span style="font-family: "trebuchet ms" , sans-serif;"><span style="font-size: small;">Configure the mysql connection </span></span></h4>
<span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-family: "arial" , "helvetica" , sans-serif;">Update the production entry with the account connection information.</span></span><br />
<blockquote class="tr_bq">
<span style="font-family: "courier new" , "courier" , monospace;">cd redmine </span><br />
<span style="font-family: "courier new" , "courier" , monospace;">cp -pR config/database.yml.example config/database.yml</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">vim config/database.yml</span></blockquote>
<h4>
<span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-family: "trebuchet ms" , sans-serif;"><span style="font-size: small;">Adding gems - truly outrageous! </span></span></span></h4>
<span style="font-family: "arial" , "helvetica" , sans-serif;">Configure the gems - and avoid doing this as root. As with everything in redmine administration, this should be done as that fancy redmine service account:</span><br />
<blockquote class="tr_bq">
<span style="font-family: "courier new" , "courier" , monospace;">gem install bundler</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">bundle install --without development test</span></blockquote>
<span style="font-family: "arial" , "helvetica" , sans-serif;">If versions and such match these instructions, the bundle install should go clean:</span><br />
<blockquote class="tr_bq">
<span style="font-family: "courier new" , "courier" , monospace;">Bundle complete! 31 Gemfile dependencies, 55 gems now installed.<br />Gems in the groups development and test were not installed.<br />Use `bundle show [gemname]` to see where a bundled gem is installed.</span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif;"></span></blockquote>
<span style="font-family: "arial" , "helvetica" , sans-serif;">If versions are different or new features are needed, some iteration may be needed to build and install the gems. This seems to be a "normal" task for ruby administrators. Apply google-fu and iterate. </span><br />
<h4>
<span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-family: "trebuchet ms" , sans-serif;"><span style="font-size: small;">Rake magic </span></span></span></h4>
<span style="font-family: "arial" , "helvetica" , sans-serif;">Next run the magic rake commands. All magic comes in three. </span><br />
<blockquote class="tr_bq">
<span style="font-family: "courier new" , "courier" , monospace;">bundle exec rake generate_secret_token<br />RAILS_ENV=production bundle exec rake db:migrate<br />RAILS_ENV=production bundle exec rake redmine:load_default_data</span></blockquote>
<span style="font-family: "arial" , "helvetica" , sans-serif;">Now everything should be ready to start. This is done by restarting nginx. Monitor the following logs to ensure things start clean: </span><br />
<blockquote class="tr_bq">
<span style="font-family: "courier new" , "courier" , monospace;">tail -f /var/log/nginx/error.log</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">tail -f /data/redmine/redmine/log/production.log</span></blockquote>
<h4>
<span style="font-family: "trebuchet ms" , sans-serif;"><span style="font-size: small;">Clean up</span></span></h4>
<span style="font-family: "arial" , "helvetica" , sans-serif;">Congratulations, the redmine site should now be up and available. </span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="font-family: "arial" , "helvetica" , sans-serif;">Remove sudo privileges from the redmine account. Move the site to HTTPS, ideally using the excellent <a href="https://letsencrypt.org/getting-started/" target="_blank">Let's Encrypt</a> service. <a href="http://www.untrustedconnection.com/2016/05/nginx-https-with-lets-encrypt-and.html" target="_blank">These instructions can be found here.</a>. </span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<br />
<h3>
<span style="font-family: "arial" , "helvetica" , sans-serif;">Links of interest </span></h3>
<span style="font-family: Arial, Helvetica, sans-serif;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-size: small;"><span style="font-family: "trebuchet ms" , sans-serif;"><b>General Redmine installation </b></span></span></span></span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-size: small;"><span style="font-family: "trebuchet ms" , sans-serif;">Always a good place to review the latest information on generic Redmine installations.</span></span></span></span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><a href="https://www.redmine.org/projects/redmine/wiki/RedmineInstall" target="_blank"><span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-size: small;"><span style="font-family: "trebuchet ms" , sans-serif;">https://www.redmine.org/projects/redmine/wiki/RedmineInstall</span></span></span></a></span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-size: small;"><span style="font-family: "trebuchet ms" , sans-serif;"><b> </b></span></span></span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-size: small;"><span style="font-family: "trebuchet ms" , sans-serif;"><b>Using Google Authentication </b></span></span></span></span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-size: small;"><span style="font-family: "trebuchet ms" , sans-serif;">If using Google Apps or Google Auth is of interest with Redmine, a longstanding </span></span>plugin has been brought back to life with a patch. </span></span><br />
<br />
<span style="font-family: Arial, Helvetica, sans-serif;"><span style="font-family: "arial" , "helvetica" , sans-serif;">The plugin can be found here: </span></span>
<br />
<span style="font-family: Arial, Helvetica, sans-serif;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><a href="https://github.com/twinslash/redmine_omniauth_google">https://github.com/twinslash/redmine_omniauth_google</a></span></span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;"><span style="font-family: "arial" , "helvetica" , sans-serif;">But in modern ruby and google land, a patch will be needed. The plugin will install just fine, but it will not save any configuration information, nor will it put the google button on the login page without the patch below.</span></span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><a href="https://github.com/twinslash/redmine_omniauth_google/pull/42"><span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-size: small;"><span style="font-family: "trebuchet ms" , sans-serif;">https://github.com/twinslash/redmine_omniauth_google/pull/42</span></span></span></a></span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-size: small;"><span style="font-family: "trebuchet ms" , sans-serif;">Though out of date, this article has some pointers on setting up the google side:</span></span></span></span></span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-size: small;"><span style="font-family: "trebuchet ms" , sans-serif;"><a href="https://adminsdiary.wordpress.com/common-installations/redmine-installation-with-google-authentication">https://adminsdiary.wordpress.com/common-installations/redmine-installation-with-google-authentication</a>/</span></span></span></span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;"><b><span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-size: small;"><span style="font-family: "trebuchet ms" , sans-serif;">Installing RVM </span></span></span></b></span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-size: small;"><span style="font-family: "trebuchet ms" , sans-serif;"><a href="https://github.com/rvm/ubuntu_rvm" target="_blank">https://github.com/rvm/ubuntu_rvm </a></span></span></span></span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-size: small;"><span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></span></span></span>
<span style="font-family: Arial, Helvetica, sans-serif;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-size: small;"><span style="font-family: "trebuchet ms" , sans-serif;"><b>Instead of MySQL, consider Aurora</b> </span></span></span></span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-size: small;"><span style="font-family: "trebuchet ms" , sans-serif;">For some of my more recent Redmine installations, I've been using Amazon Aurora. It is cheaper than MySQL on AWS, compatible with MySQL 5.6, backups are taken care of, and even has regional failover built in. Much better than researching AppArmor patches because you want to simply move a data directory. </span></span></span></span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-size: small;"><span style="font-family: "trebuchet ms" , sans-serif;">Setting up redmine is the same as above, but instead of doing MySQL, connect to an AWS Aurora instance. (You will still need the MySQL client - </span></span></span><span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-size: small;"><span style="font-family: "trebuchet ms" , sans-serif;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-family: "courier new" , "courier" , monospace;">libmysqlclient-dev):</span></span></span></span></span></span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-size: small;"><span style="font-family: "trebuchet ms" , sans-serif;"><a href="https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Aurora.Connecting.html">https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Aurora.Connecting.html</a></span></span></span></span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-size: small;"><span style="font-family: "trebuchet ms" , sans-serif;"> </span></span></span>
Andrew Hoschhttp://www.blogger.com/profile/12207061134715113029noreply@blogger.com12tag:blogger.com,1999:blog-5711099973096454729.post-2594514791409018772017-10-20T13:33:00.001-07:002017-11-06T09:04:52.632-08:00Secure FTP on S3 with Chroot and Google Authenticator<h3>
<span style="font-family: "arial" , "helvetica" , sans-serif;">Secure FTP on S3 with Chroot and Google Authenticator</span></h3>
<span style="font-family: "arial" , "helvetica" , sans-serif;">Secure FTP (SFTP) is really SSH under the covers, behaving like an FTP (file transfer) service. Instructions exist for using S3 as an inexpensive file system backend, but getting SFTP and S3 deployed securely, with users isolated, took some detective work. Isn't it odd that secure instructions always take work? Cobbled together from multiple sources, here are flexible instructions to get an up to date, robust, secure installation going.</span><br />
<br />
<span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><span class="st">As I've been working a lot in AWS Gov Cloud, these instructions account for this wrinkle.</span></span></span><br />
<br />
<span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><span class="st">Multi-factor (MFA) client access is included, since this is quickly becoming a standard requirement.</span></span></span><br />
<br />
<span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><span class="st">These <span style="font-family: "arial" , "helvetica" , sans-serif;">instructions assume the following;</span> </span></span></span><br />
<ul>
<li><span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><span class="st">Ubuntu 16.04 LTS with SSH- a mature Ubuntu version with long term support</span></span></span></li>
<li><span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><span class="st">AWS account with S3 bucket privileges</span></span></span></li>
<li><span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><span class="st">End users on Windows who need an "easy" secure method to share files</span></span></span></li>
<li><span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><span class="st">(optional) MFA soft tokens, such as Google Authenticator</span></span></span></li>
</ul>
<h3>
<span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><span class="st">One Time Setup</span></span></span></h3>
<span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><span class="st">Patch up the system and install required binaries. </span></span></span><br />
<blockquote class="tr_bq">
<span style="font-family: "courier new" , "courier" , monospace;">sudo apt-get update<br />sudo apt-get upgrade<br />init 6<br />sudo apt-get install s3fs #used for mounting S3 filesystem<br />sudo apt-get install libpam-google-authenticator #MFA</span></blockquote>
<b><span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><span class="st">Optionally enable MFA capability for SSH</span></span></span></b><br />
<span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><span class="st"><b>Note: </b>It is always a good idea when making SSH changes to leave a separate console open and then test the change. Otherwise it is easy to lose access to the box if a mistake is made. </span></span></span><br />
<blockquote class="tr_bq">
<span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><span class="st"><span style="font-family: "courier new" , "courier" , monospace;">sudo vim /etc/ssh/sshd_config<br />ChallengeResponseAuthentication yes</span></span></span></span></blockquote>
<span style="font-family: "arial" , "helvetica" , sans-serif;">For now, protect the ubuntu user access by adding these lines to the sshd_config. It can be updated later once everything is complete. </span><br />
<blockquote class="tr_bq">
<span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-family: "courier new" , "courier" , monospace;">Match User ubuntu<br /> AuthenticationMethods publickey </span></span></blockquote>
<span style="font-family: "arial" , "helvetica" , sans-serif;">Restart SSH for the change to take effect.</span><span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><span class="st"> </span></span></span><br />
<blockquote class="tr_bq">
<span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><span class="st"><span style="font-family: "courier new" , "courier" , monospace;">sudo systemctl restart sshd.service</span></span></span></span></blockquote>
<span style="font-family: "arial" , "helvetica" , sans-serif;">Update the PAM authentication module to use Google Authenticator. </span><br />
<blockquote class="tr_bq">
<span style="font-family: "courier new" , "courier" , monospace;">sudo vim /etc/pam.d/sshd<br />auth required pam_google_authenticator.so nullok</span></blockquote>
<span style="font-family: "arial" , "helvetica" , sans-serif;">The <span style="font-family: "courier new" , "courier" , monospace;">nullock flags</span> allows for a user who does not have Google Authenticator set up to be able to log in.</span><br />
<br />
<h3>
<span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><span class="st">Create and Prepare the Mount Point for the S3 bucket</span></span></span></h3>
<span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><span class="st">On AWS S3, create a non-public bucket with an account that has API keys - API keys are created in the IAM section of AWS. Using the AWS GUI to create a bucket with owner ACLs (the default) will work just fine.</span></span></span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><span class="st"><br /></span></span></span>
<span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><span class="st">Create a password file for the S3 file system. </span></span></span><br />
<blockquote class="tr_bq">
<span style="font-family: "courier new" , "courier" , monospace;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><span class="st">sudo vim /etc/passwd-s3fs</span></span></span></span></blockquote>
<span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><span class="st">The file format is as follows: <b><span style="font-family: "courier new" , "courier" , monospace;">bucketname:accessKeyID:secretKeyID</span></b></span></span></span><br />
<br />
<span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><span class="st">And then lock it down. </span></span></span><br />
<blockquote class="tr_bq">
<span style="font-family: "courier new" , "courier" , monospace;">sudo chmod 640 /etc/passwd-s3fs</span></blockquote>
<span style="font-family: "arial" , "helvetica" , sans-serif;">Create a mount point that is owned by root. </span><br />
<blockquote class="tr_bq">
<span style="font-family: "courier new" , "courier" , monospace;">sudo mkdir -p /s3/home</span></blockquote>
<span style="font-family: "arial" , "helvetica" , sans-serif;"><b>A side bar about mounting a Chroot Directory</b> </span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-family: "arial" , "helvetica" , sans-serif;">In the world of SFTP, using a </span><span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><b><span style="font-family: "courier new" , "courier" , monospace;">ChrootDirectory </span></b></span>is
necessary to limit file system access to users. Without it, SFTP users will be able to
traverse all over the server file system and download anything a
regular user has read access to, including the <span style="font-family: "courier new" , "courier" , monospace;"><b>passwd </b></span>file.</span></span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-family: "arial" , "helvetica" , sans-serif;"> </span> </span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif;">Mounting the bucket takes a bit of explanation and is very the much the secret sauce to getting this to work correctly. Most online instructions suggest a simple mount command as the root user or mounting with the <span style="font-family: "courier new" , "courier" , monospace;"><b>allow_other </b></span>flag to allow others to use the mount point.</span><br />
<br />
<span style="font-family: "arial" , "helvetica" , sans-serif;">Both of these options <i><b>will fail</b></i> when using a <b><span style="font-family: "courier new" , "courier" , monospace;">ChrootDirectory</span></b>.</span><span style="font-family: "arial" , "helvetica" , sans-serif;"> A look at the man pages explains why:</span><br />
<blockquote class="tr_bq">
<span style="font-family: "courier new" , "courier" , monospace;"> <b>ChrootDirectory</b> </span><br />
<span style="font-family: "courier new" , "courier" , monospace;">Specifies the pathname of a directory to <a href="https://www.freebsd.org/cgi/man.cgi?query=chroot&sektion=2&apropos=0&manpath=FreeBSD+11.1-RELEASE+and+Ports">chroot(2)</a> to after
authentication. At session startup <a href="https://www.freebsd.org/cgi/man.cgi?query=sshd&sektion=8&apropos=0&manpath=FreeBSD+11.1-RELEASE+and+Ports">sshd(8)</a> checks that all com-
ponents of the pathname are root-owned directories which are not
writable by any other user or group. After the chroot, <a href="https://www.freebsd.org/cgi/man.cgi?query=sshd&sektion=8&apropos=0&manpath=FreeBSD+11.1-RELEASE+and+Ports">sshd(8)</a>
changes the working directory to the user's home directory.</span></blockquote>
<span style="font-family: "arial" , "helvetica" , sans-serif;">When mounting the bucket as the root user, the mount point permissions will be 700. This means only the root user will have access to what is below. Chroot will fail for SFTP users with a <b>permission denied</b> error: </span><br />
<blockquote class="tr_bq">
<span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-family: "courier new" , "courier" , monospace;">safely_chroot: stat("/s3/home/"): Permission denied</span></span></blockquote>
<span style="font-family: "arial" , "helvetica" , sans-serif;">When mounting the bucket </span><span style="font-family: "arial" , "helvetica" , sans-serif;">with the <span style="font-family: "courier new" , "courier" , monospace;"><b>allow_other </b></span>flag, the mount point permissions will be 777. This means the mount point is too permissive. Chroot will fail for SFTP users with a <b>bad ownership</b> error: </span><br />
<blockquote class="tr_bq">
<span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-family: "courier new" , "courier" , monospace;">fatal: bad ownership or modes for chroot directory component "/s3/home/"</span></span></blockquote>
<span style="font-family: "arial" , "helvetica" , sans-serif;">The Goldilocks option is a little-known flag known as mount point umask (<b><span style="font-family: "courier new" , "courier" , monospace;">mp_umask</span></b>). This should be set to <b><span style="font-family: "courier new" , "courier" , monospace;">022 </span></b>for ChrootDirectory to work correctly.</span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="font-family: "arial" , "helvetica" , sans-serif;"><a href="https://www.youtube.com/watch?v=79DijItQXMM" target="_blank">You're welcome</a>.</span><br />
<br />
<h3>
<span style="font-family: "arial" , "helvetica" , sans-serif;">Mounting the S3 Bucket</span></h3>
<span style="font-family: "arial" , "helvetica" , sans-serif;">The mounting of the bucket should be tested prior to making it permanent. </span><br />
<blockquote class="tr_bq">
<span style="font-family: "courier new" , "courier" , monospace;">sudo s3fs -o allow_other -o mp_umask=022 bucketname mountPoint</span> </blockquote>
<span style="font-family: "arial" , "helvetica" , sans-serif;">A first check is to confirm the bucket is mounted by running the <span style="font-family: "courier new" , "courier" , monospace;"><b>mount </b></span>command. </span><br />
<blockquote class="tr_bq">
<span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-family: "courier new" , "courier" , monospace;"><b>s3fs on /s3/home type fuse.s3fs (rw,nosuid,nodev,relatime,user_id=0,group_id=0,allow_other)</b></span></span></blockquote>
<span style="font-family: "arial" , "helvetica" , sans-serif;">A second check should be done though because mounting does not mean anything is actually connected. </span><br />
<blockquote class="tr_bq">
<span style="font-family: "courier new" , "courier" , monospace;">ls -l /s3/home </span></blockquote>
<blockquote>
<b><span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-family: "courier new" , "courier" , monospace;">ls: cannot access '/s3/home': Transport endpoint is not connected</span></span></b></blockquote>
<span style="font-family: "arial" , "helvetica" , sans-serif;">The "transport endpoint not connected" usually comes down to two possible issues: </span><br />
<ol>
<li><span style="font-family: "arial" , "helvetica" , sans-serif;">the bucket name is not unique </span></li>
<li><span style="font-family: "arial" , "helvetica" , sans-serif;">the bucket is not in the default location (us-east-1)</span></li>
</ol>
<span style="font-family: "arial" , "helvetica" , sans-serif;">Troubleshooting the s3fs command with the -d and -f flags will help. Specifying the bucket url is always good practice anyway. In GovCloud implementations, it is required. </span><br />
<blockquote class="tr_bq">
<span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-family: "courier new" , "courier" , monospace;">sudo s3fs -o allow_other -o mp_umask=022 -o url=http://s3-us-gov-west-1.amazonaws.com (bucketname) (mountPoint</span>) </span></blockquote>
<span style="font-family: "arial" , "helvetica" , sans-serif;">Once the bucket really is mounted, un-mount it and then add an enrry to <span style="font-family: "courier new" , "courier" , monospace;"><b>/etc/fstab</b></span> so it will be mounted at boot. </span><br />
<blockquote class="tr_bq">
<span style="font-family: "courier new" , "courier" , monospace;">sudo fusermount -u /s3/home</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">echo s3fs#(bucketname) (mountPoint) fuse url=http://s3-us-gov-west-1.amazonaws.com,_netdev,rw,nosuid,nodev,</span><b id="docs-internal-guid-bb7b0419-4f0e-c23d-a142-7addf8ddbcc4" style="font-weight: normal;"><span style="background-color: transparent; color: black; font-family: "courier new"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">use_sse,</span></b><span style="font-family: "courier new" , "courier" , monospace;"><span style="font-family: "courier new" , "courier" , monospace;">mp_umask=022,</span>allow_other 0 0 >> /etc/fstab</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">sudo mount -a</span></blockquote>
<span style="font-family: "arial" , "helvetica" , sans-serif;">With bucket mounted, the system is now ready for SFTP users</span><br />
<br />
<h3>
<span style="font-family: "arial" , "helvetica" , sans-serif;">Creating New Groups for SFTP Users</span></h3>
<br />
<span style="font-family: "arial" , "helvetica" , sans-serif;">Users who need to access the same files should be put into groups. The groups can then be locked down to specific directories on the bucket. Generally, this should be scripted out. But here are the basic steps to get started. </span><br />
<br />
<span style="font-family: "arial" , "helvetica" , sans-serif;">Create a new group and set up the environment:</span><br />
<blockquote class="tr_bq">
<span style="font-family: "courier new" , "courier" , monospace;">sudo addgroup (groupName)</span><br />
<span style="font-family: "courier new" , "courier" , monospace;"># Create the chroot directory<br />sudo mkdir /s3/home/(groupName)/<br />sudo chmod g+rx /s3/home/(groupName)/<br /><br /># Create the group-writable directory<br />sudo mkdir -p /s3/home/(groupName)/controlled/<br />sudo chmod g+rwx /s3/home/(groupName)/controlled/<br /><br /># Add the full path to the group<br />sudo chgrp -R (groupName) /s3/home/(groupName)/</span></blockquote>
<span style="font-family: "arial" , "helvetica" , sans-serif;">Then add that detail to sshd_config so any new SFTP user in that group is locked down to only using SFTP. </span><br />
<blockquote class="tr_bq">
<span style="font-family: "courier new" , "courier" , monospace;">BUCKET_HOME="(mountPoint)"<br />GROUPNAME="(groupName)" </span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-family: "courier new" , "courier" , monospace;">cat <</span></span><span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-family: "courier new" , "courier" , monospace;"><EOT</span></span><span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-family: "courier new" , "courier" , monospace;"><eot>></eot></span></span><span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-family: "courier new" , "courier" , monospace;"><eot><span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-family: "courier new" , "courier" , monospace;">></span></span> /etc/ssh/sshd_config<br /> # Lock down the new group<br /> Match Group ${GROUPNAME}<br /> # Only allow SFTP and chroot to the required directory.<br /> ForceCommand internal-sftp<br /> ChrootDirectory ${BUCKET_HOME}/${GROUPNAME}/<br /> # Lock down SSH options<br /> PermitTunnel no<br /> AllowAgentForwarding no<br /> AllowTcpForwarding no<br /> X11Forwarding no<br /> EOT </eot></span></span></blockquote>
<span style="font-family: "arial" , "helvetica" , sans-serif;">And don't forget to restart SSH to catch the change. </span><br />
<blockquote class="tr_bq">
<span style="font-family: "courier new" , "courier" , monospace;">systemctl restart sshd.service</span></blockquote>
<h3>
<span style="font-family: "arial" , "helvetica" , sans-serif;">Add New Users </span></h3>
<span style="font-family: "arial" , "helvetica" , sans-serif;">Adding new users is straightforward now that everything has been set up. </span><br />
<blockquote class="tr_bq">
<span style="font-family: "courier new" , "courier" , monospace;">sudo adduser --ingroup (groupName) (newUser)</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">passwd (newUser)</span></blockquote>
<span style="font-family: "arial" , "helvetica" , sans-serif;"> Optionally set the MFA</span><br />
<blockquote class="tr_bq">
<span style="font-family: "courier new" , "courier" , monospace;">sudo su - (newUser) </span><br />
<span style="font-family: "courier new" , "courier" , monospace;">google-authenticator</span></blockquote>
<span style="font-family: "arial" , "helvetica" , sans-serif;">And note the key for the user.</span><br />
<br />
<span style="font-family: "arial" , "helvetica" , sans-serif;">A successful test should do the following:</span><br />
<ul>
<li><span style="font-family: "arial" , "helvetica" , sans-serif;">Allow the user to log into the system via SFTP </span></li>
<li><span style="font-family: "arial" , "helvetica" , sans-serif;">The user should be directed on the chroot environment and only see the "controlled" folder</span></li>
<li><span style="font-family: "arial" , "helvetica" , sans-serif;">The user should be able to write and read to the "controlled" folder</span></li>
<li><span style="font-family: "arial" , "helvetica" , sans-serif;">The user should *not* be able to SSH into the system</span></li>
</ul>
<br />
<br />
<span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><span class="st"><b><br /></b></span></span></span>Andrew Hoschhttp://www.blogger.com/profile/12207061134715113029noreply@blogger.com0tag:blogger.com,1999:blog-5711099973096454729.post-61481529993891136172016-05-17T12:06:00.000-07:002016-05-17T12:07:43.390-07:00Nginx HTTPS with Let's Encrypt and Redmine<h3>
<span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-family: "arial" , "helvetica" , sans-serif;">Nginx HTTPS with Let's Encr<span style="font-family: "arial" , "helvetica" , sans-serif;">ypt and Redmine</span></span></span></span></h3>
<span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-family: "arial" , "helvetica" , sans-serif;">These instructions are based on Ubuntu and use the <a href="https://letsencrypt.org/about/" target="_blank">Let's Encrypt</a> <span style="font-family: "arial" , "helvetica" , sans-serif;">Certificate Authority</span>. With Let's Encrypt, self-signed certificates on a public Linux<span style="font-family: "arial" , "helvetica" , sans-serif;"> server should be <a href="https://en.wikipedia.org/wiki/Nakh_architecture" target="_blank"><span style="font-family: "arial" , "helvetica" , sans-serif;">ancient history</span></a></span></span></span><span style="font-family: "arial" , "helvetica" , sans-serif;"><span class="st">. </span></span></span><br />
<br />
<span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><span class="st">These instructions assume the following:</span></span></span><br />
<ul>
<li><span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><span class="st">Ubuntu 14.04 LTS - a mature Ubuntu version with long term support </span></span></span></li>
<li><span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><span class="st">Nginx - the web server within which Redmine runs</span></span></span><span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><span class="st"><span style="font-family: "arial" , "helvetica" , sans-serif;"> </span></span></span></span></li>
<li><span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><span class="st"><span style="font-family: "arial" , "helvetica" , sans-serif;">A running Redmine system. Details of how to setup Redmine on Nginx can be <a href="http://www.untrustedconnection.com/2016/04/redmine-passenger-and-nginx-on-ubuntu.html" target="_blank">found here</a> </span></span></span></span></li>
</ul>
<h3>
<span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-family: "arial" , "helvetica" , sans-serif;">Getting the certificate<span style="font-family: "arial" , "helvetica" , sans-serif;">s from Let's Encr<span style="font-family: "arial" , "helvetica" , sans-serif;">ypt</span></span></span></span><span style="font-family: "arial" , "helvetica" , sans-serif;"> </span></h3>
<span style="font-family: "arial" , "helvetica" , sans-serif;">As the Let's Encrypt system has just left beta and is still new, following <a href="https://letsencrypt.org/getting-started/" target="_blank">their instructions</a> is best. For example, the <b><span style="font-family: "courier new" , "courier" , monospace;">certbot</span></b> command was introduced this week, replacing the "old" <b><span style="font-family: "courier new" , "courier" , monospace;">letsencrypt-auto</span></b> command. However, here is how things work as of today.</span><br />
<br />
<span style="font-family: "arial" , "helvetica" , sans-serif;">Install git<span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-family: "arial" , "helvetica" , sans-serif;"> and</span> download the Let's Encr<span style="font-family: "arial" , "helvetica" , sans-serif;">ypt client<span style="font-family: "arial" , "helvetica" , sans-serif;">. <span style="font-family: "arial" , "helvetica" , sans-serif;">On first run<span style="font-family: "arial" , "helvetica" , sans-serif;">, the client will install dependencies and update<span style="font-family: "arial" , "helvetica" , sans-serif;"> itself. </span></span></span></span></span></span></span><br />
<blockquote class="tr_bq">
<span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-family: "courier new" , "courier" , monospace;">apt-get install git<br />git clone https://github.com/certbot/certbot<br />cd certbot<br /># Running for the first time will install needed dependencies.<br />./certbot-auto --help</span> </span></span></span></span></span></span></span></blockquote>
<span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-family: "arial" , "helvetica" , sans-serif;">After everything is installed, the certificate can be <span style="font-family: "arial" , "helvetica" , sans-serif;">requ<span style="font-family: "arial" , "helvetica" , sans-serif;">ested and downloaded all in one step. Bec<span style="font-family: "arial" , "helvetica" , sans-serif;">ause the Let's Encrypt client uses port 80 for veri<span style="font-family: "arial" , "helvetica" , sans-serif;">fication of ownership, a<span style="font-family: "arial" , "helvetica" , sans-serif;">nything r<span style="font-family: "arial" , "helvetica" , sans-serif;">unning on that port needs to be t<span style="font-family: "arial" , "helvetica" , sans-serif;">emporarily </span>turned off -- in this case nginx. </span></span></span></span></span></span></span></span><br />
<blockquote class="tr_bq">
<span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-family: "courier new" , "courier" , monospace;">service nginx stop<br />./certbot-auto certonly --standalone -d redmine.yourdomain.com<br />service nginx start</span> </span></span></blockquote>
<span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-family: "arial" , "helvetica" , sans-serif;">Note where the certificates are installed. For example:</span></span><br />
<br />
<span style="font-family: "arial" , "helvetica" , sans-serif;"><b><span style="font-family: "courier new" , "courier" , monospace;">/etc/letsencrypt/live/redmine.yourdomain.com/</span></b></span><br />
<br />
<span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-family: "courier new" , "courier" , monospace;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-family: "arial" , "helvetica" , sans-serif;">As said, these instructions may change a<span style="font-family: "arial" , "helvetica" , sans-serif;">t a<span style="font-family: "arial" , "helvetica" , sans-serif;">ny time. What follows is the standard method for setting up SSL in general for <span style="font-family: "arial" , "helvetica" , sans-serif;">ng</span>inx and Redmine.</span></span></span></span></span></span><b><span style="font-family: "courier new" , "courier" , monospace;"> </span></b></span><br />
<h3>
<span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-family: "arial" , "helvetica" , sans-serif;">Set up the certificates </span></span></h3>
<span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-family: "arial" , "helvetica" , sans-serif;">Generate a set of DH parameters for the Diffie-Hellman handshake. Please don't ask what this is for... just know it is a good thing. (Short version: the EDH ciphers in the cipher list use this group for their ephemeral key exchange, and generating your own 2048-bit group means not relying on a shared default.)</span></span><br />
<blockquote class="tr_bq">
<span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-family: "courier new" , "courier" , monospace;">mkdir /etc/nginx/ssl<br />chmod 700 /etc/nginx/ssl<br /># options first, then the key size; this ordering works across OpenSSL versions<br />openssl dhparam -out /etc/nginx/ssl/dh2048.pem 2048</span></span></span></blockquote>
<span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-family: "arial" , "helvetica" , sans-serif;">In<span style="font-family: "courier new" , "courier" , monospace;"><span style="font-family: "arial" , "helvetica" , sans-serif;"> </span><b>/etc/nginx/sites-available</b></span> create a new file or <span style="font-family: "arial" , "helvetica" , sans-serif;">update</span> the "default" file. <br /> </span></span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-family: "arial" , "helvetica" , sans-serif;">Modify the <b><span style="font-family: "courier new" , "courier" , monospace;">listen 443 ssl<span style="font-family: "arial" , "helvetica" , sans-serif;"> </span></span></b>entry. </span></span><span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><b> </b></span></span><br />
<blockquote class="tr_bq">
<span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-family: "courier new" , "courier" , monospace;">server_name redmine.yourdomain.com;<br />ssl_dhparam /etc/nginx/ssl/dh2048.pem;<br />ssl_certificate /etc/letsencrypt/live/redmine.yourdomain.com/fullchain.pem;<br />ssl_certificate_key /etc/letsencrypt/live/redmine.yourdomain.com/privkey.pem; </span><b> </b></span></span></blockquote>
<span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><b>NOTE:</b> The ssl_certificate should be set to the <span style="font-family: "courier new" , "courier" , monospace;"><b>fullchain.pem</b></span>, which includes both the server certificate and the intermediate CA certificates. Setting this just to the <span style="font-family: "courier new" , "courier" , monospace;"><b>cert.pem</b></span> will work in Chrome, but gives a "<b>SEC_ERROR_UNKNOWN_ISSUER</b>" error in Firefox, because the intermediate is never sent to the client. <br /><br />Add the redmine details (same as used for port 80). </span></span><br />
<blockquote class="tr_bq">
<span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-family: "courier new" , "courier" , monospace;">root /var/data/redmine/public/;<br />passenger_enabled on;<br />client_max_body_size 10m;</span> </span></span></blockquote>
<span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-family: "arial" , "helvetica" , sans-serif;">Comment out or delete any references to 404, if they exist<span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-family: "arial" , "helvetica" , sans-serif;">.</span></span></span></span></span></span></span></span></span></span><br />
<blockquote class="tr_bq">
<span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-family: "courier new" , "courier" , monospace;">#passenger_spawn_method direct;<br />#location / {<br /># try_files $uri $uri/ =404;<br />#}</span> </span></span></span></span></span></span></span></span></span></span></blockquote>
<span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-family: "arial" , "helvetica" , sans-serif;">If <span style="font-family: "arial" , "helvetica" , sans-serif;">this file was new<span style="font-family: "arial" , "helvetica" , sans-serif;">ly created</span>, instead of th<span style="font-family: "arial" , "helvetica" , sans-serif;">e </span>"defa<span style="font-family: "arial" , "helvetica" , sans-serif;">ult" f<span style="font-family: "arial" , "helvetica" , sans-serif;">ile</span>, <span style="font-family: "arial" , "helvetica" , sans-serif;">add a soft link<span style="font-family: "arial" , "helvetica" , sans-serif;"> to the new file in <span style="font-family: "courier new" , "courier" , monospace;"><b>/etc/nginx/sites-enabled</b></span>.</span></span></span></span></span></span></span></span></span></span></span></span></span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-family: "arial" , "helvetica" , sans-serif;">Restart nginx and everything should come up on port 443 with a valid certificate.<span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-family: "arial" , "helvetica" , sans-serif;"></span></span></span></span></span></span></span> </span></span><br />
<h3>
<span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-family: "arial" , "helvetica" , sans-serif;">Lock down the SSL installation </span></span></h3>
<span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-family: "arial" , "helvetica" , sans-serif;">Now that the site <span style="font-family: "arial" , "helvetica" , sans-serif;">is functional, the configuration should be locked down. </span></span></span><br />
<blockquote class="tr_bq">
<span style="font-family: "courier new" , "courier" , monospace;"># limit HTTPS to the most recent protocol<br />ssl_protocols TLSv1.2;<br /># prefer the server's cipher order over the client's<br />ssl_prefer_server_ciphers on;<br /># define the list of ciphers used; this list is always in flux, but the list below works at time of writing<br />ssl_ciphers EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH;<br /># shared session cache of 10 MB (one MB holds about 4000 sessions); the lifetime is set separately with ssl_session_timeout<br />ssl_session_cache shared:SSL:10m;</span></blockquote>
<span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-family: "arial" , "helvetica" , sans-serif;">In the end, the file should look something like this:</span></span><br />
<br />
<blockquote class="tr_bq">
<span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-family: "courier new" , "courier" , monospace;">server {<br /> listen 443 ssl;<br /> server_name redmine.yourdomain.com;<br /> ssl_dhparam /etc/nginx/ssl/dh2048.pem;<br /> ssl_certificate /etc/letsencrypt/live/redmine.yourdomain.com/fullchain.pem;<br /> ssl_certificate_key /etc/letsencrypt/live/redmine.yourdomain.com/privkey.pem;<br /> ssl_protocols TLSv1.2;<br /> ssl_prefer_server_ciphers on;<br /> ssl_ciphers EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH;<br /> ssl_session_cache shared:SSL:10m;<br /> root /var/data/redmine/public/;<br /> passenger_enabled on;<br /> client_max_body_size 10m;<br /> #passenger_spawn_method direct;<br /> #location / {<br /> # try_files $uri $uri/ =404;<br /> #}<br />}</span> </span></span></span></blockquote>
<br />
<span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-family: "arial" , "helvetica" , sans-serif;">Restart nginx and, if desired, run a <a href="https://www.ssllabs.com/ssltest/" target="_blank">certificate security test</a> against the system. </span></span></span><br />
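As an added example (not from the original post), here is a small Python checker for the settings this section covers: it reads a server block like the one above and reports when the certificate is not fullchain.pem, old protocols are still enabled, EDH ciphers are offered without ssl_dhparam, or the cipher preference and session cache are missing. The two sample server blocks inside it are constructed for the demonstration.

```python
"""Lint the TLS directives of an nginx server block (added example)."""
import re
from typing import Dict, List

# Constructed sample: the locked-down server block from the post.
SAMPLE_GOOD = """
server {
    listen 443 ssl;
    server_name redmine.yourdomain.com;
    ssl_dhparam /etc/nginx/ssl/dh2048.pem;
    ssl_certificate /etc/letsencrypt/live/redmine.yourdomain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/redmine.yourdomain.com/privkey.pem;
    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH;
    ssl_session_cache shared:SSL:10m;
    root /var/data/redmine/public/;
    passenger_enabled on;
}
"""

# Constructed sample: the mistakes the post warns about (cert.pem instead of
# fullchain.pem, old protocols left on, cipher preference and cache not set).
SAMPLE_WEAK = """
server {
    listen 443 ssl;
    ssl_certificate /etc/letsencrypt/live/redmine.yourdomain.com/cert.pem;
    ssl_certificate_key /etc/letsencrypt/live/redmine.yourdomain.com/privkey.pem;
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    # ssl_prefer_server_ciphers and ssl_session_cache left unset
}
"""

WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
# What nginx used when ssl_protocols was absent, at the time of the post.
DEFAULT_PROTOCOLS = ["TLSv1", "TLSv1.1", "TLSv1.2"]
# OpenSSL names for finite-field DHE ("EDH", "DHE-...") but not "ECDHE"/"EECDH".
DHE_PATTERN = re.compile(r"(^|[^C])DHE|(^|[^A-Z])EDH")


def parse_directives(block: str) -> Dict[str, List[str]]:
    """Map each simple `name arg...;` line to its argument list.

    Comments are stripped and block openers/closers (`server {`, `}`) are
    skipped; a repeated directive keeps its last value.
    """
    directives: Dict[str, List[str]] = {}
    for raw in block.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line.endswith(";"):
            continue
        parts = line[:-1].split()
        if parts:
            directives[parts[0]] = parts[1:]
    return directives


def lint_tls(block: str) -> List[str]:
    """Return findings as 'CODE: advice' strings; an empty list means clean."""
    d = parse_directives(block)
    findings: List[str] = []

    cert = d.get("ssl_certificate")
    if not cert:
        findings.append("NO_CERT: ssl_certificate is missing")
    elif not cert[0].endswith("fullchain.pem"):
        findings.append("FULLCHAIN: point ssl_certificate at fullchain.pem so the "
                        "intermediate CA certificates are served; cert.pem alone "
                        "gives SEC_ERROR_UNKNOWN_ISSUER in Firefox")
    if "ssl_certificate_key" not in d:
        findings.append("NO_KEY: ssl_certificate_key is missing")

    weak = sorted(set(d.get("ssl_protocols", DEFAULT_PROTOCOLS)) & WEAK_PROTOCOLS)
    if weak:
        findings.append("WEAK_PROTOCOL: remove " + " ".join(weak) + " from ssl_protocols")

    ciphers = d.get("ssl_ciphers", [""])[0].split(":")
    if any(DHE_PATTERN.search(c) for c in ciphers) and "ssl_dhparam" not in d:
        findings.append("NO_DHPARAM: EDH/DHE ciphers are offered but ssl_dhparam is not set")

    if d.get("ssl_prefer_server_ciphers") != ["on"]:
        findings.append("SERVER_CIPHERS: set ssl_prefer_server_ciphers on")
    if "ssl_session_cache" not in d:
        findings.append("SESSION_CACHE: set ssl_session_cache, e.g. shared:SSL:10m")
    return findings


def codes(block: str) -> List[str]:
    """Only the finding codes, for scripting."""
    return [f.split(":", 1)[0] for f in lint_tls(block)]


if __name__ == "__main__":
    for name, block in (("good", SAMPLE_GOOD), ("weak", SAMPLE_WEAK)):
        print(name, "->", lint_tls(block) or ["clean"])
```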
<br />
<div style="text-align: center;">
<span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiIph6bT3607MCmqNrXZV_vKRYepGuCz458lqfrWYgUDzovDt9T8ov2GKnHwdL_LicjgTsGyantlG3PmK8JihSkdu43kVA2-YkC7zE80rM8OaYwaSn1fxI3gkoeYSF4tniAwbMxBstYYgc/s1600/redmineCert.PNG" imageanchor="1"><img border="0" height="141" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiIph6bT3607MCmqNrXZV_vKRYepGuCz458lqfrWYgUDzovDt9T8ov2GKnHwdL_LicjgTsGyantlG3PmK8JihSkdu43kVA2-YkC7zE80rM8OaYwaSn1fxI3gkoeYSF4tniAwbMxBstYYgc/s400/redmineCert.PNG" width="400" /></a> </span></span></span></span></span></span></span></span></span></div>
<div style="text-align: center;">
<span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-size: x-small;"><b>Figure: Qualys scan</b></span></span></div>
<h3>
<span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-family: "arial" , "helvetica" , sans-serif;">Automated renewal </span></span></h3>
<span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-family: "arial" , "helvetica" , sans-serif;">Because the Let's Encrypt philosophy is full automation, the certificates need to be renewed <a href="https://letsencrypt.org/2015/11/09/why-90-days.html" target="_blank">every 90 days</a>. In cron, set up a renewal job to run every week. For example, at 3:05 AM every Saturday:</span></span><br />
<blockquote class="tr_bq">
<span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-family: "courier new" , "courier" , monospace;">05 03 * * 6 /yourpath/cert-renew.sh </span></span></span></blockquote>
<span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-family: "arial" , "helvetica" , sans-serif;">This job needs <span style="font-family: "arial" , "helvetica" , sans-serif;">root <span style="font-family: "arial" , "helvetica" , sans-serif;">privileges</span>. </span>Once the <span style="font-family: "arial" , "helvetica" , sans-serif;">certificate gets into the time window w<span style="font-family: "arial" , "helvetica" , sans-serif;">here it c<span style="font-family: "arial" , "helvetica" , sans-serif;">an b<span style="font-family: "arial" , "helvetica" , sans-serif;">e ren<span style="font-family: "arial" , "helvetica" , sans-serif;">ewed, cron<span style="font-family: "arial" , "helvetica" , sans-serif;"> will do the update <span style="font-family: "arial" , "helvetica" , sans-serif;">"ma<span style="font-family: "arial" , "helvetica" , sans-serif;">gically".</span></span></span></span></span></span></span></span> </span></span><br />
<blockquote class="tr_bq">
<span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-family: "courier new" , "courier" , monospace;"><b><i>install-path</i></b>/certbot-auto renew --standalone --pre-hook "service nginx stop" --post-hook "service nginx start"</span></span></span></blockquote>
<span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-family: "arial" , "helvetica" , sans-serif;">This can be tested by doing a dry-run:</span></span><br />
<blockquote class="tr_bq">
<span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-family: "courier new" , "courier" , monospace;"><i><b>install-path</b></i>/certbot-auto renew --dry-run --standalone --pre-hook "service nginx stop" --post-hook "service nginx start"</span></span></span></span></blockquote>
<h3>
<span style="font-family: "arial" , "helvetica" , sans-serif;">Links of interest </span></h3>
<h4>
<span style="font-family: "trebuchet ms" , sans-serif;"><span style="font-size: small;"><span style="font-family: "trebuchet ms" , sans-serif;">Renewal <span style="font-family: "trebuchet ms" , sans-serif;">script for Let's Encrypt</span></span></span></span></h4>
<a href="https://certbot.eff.org/docs/using.html#renewal"><span style="font-family: "arial" , "helvetica" , sans-serif;">https://certbot.eff.org/docs/using.html#renewal</span></a><br />
<br />Andrew Hoschhttp://www.blogger.com/profile/12207061134715113029noreply@blogger.com1tag:blogger.com,1999:blog-5711099973096454729.post-40559257521463436142016-04-20T11:16:00.000-07:002016-08-04T13:19:21.176-07:00Redmine, Passenger, and Nginx on Ubuntu<h3>
<span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-family: "arial" , "helvetica" , sans-serif;">Redmine with Passenger and Nginx on Ubuntu</span></span><span style="font-family: "arial" , "helvetica" , sans-serif;"></span><br /><span style="font-family: "arial" , "helvetica" , sans-serif;"></span></h3>
<span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-family: "arial" , "helvetica" , sans-serif;">Have to say this should be easier nowadays, but getting Redmine up and running can still be a</span><span style="font-family: "arial" , "helvetica" , sans-serif;"><span class="st"> maze of twisty little passages, all alike. </span></span></span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><span class="st"><br /></span></span></span>
<span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><span class="st">Trying to decide what is a good option and what is not requires a solid knowledge of Linux AND some mad Google-Fu. Cobbled from multiple sources, here <span style="font-family: "arial" , "helvetica" , sans-serif;">are</span> flexible instructions to get an up to date, robust, secure installation going. </span></span></span><br />
<ul>
<li><span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><span class="st">Ubuntu 14.04 LTS - a mature Ubuntu version with long term support </span></span></span></li>
<li><span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><span class="st">MySQL - the database </span></span></span></li>
<li><span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><span class="st">Ruby - the technology on which Redmine runs, installed using RVM to manage the ruby version and have access to up to date components </span></span></span></li>
<li><span style="font-family: "arial" , "helvetica" , sans-serif;">Phusion Passenger<span style="font-family: "arial" , "helvetica" , sans-serif;"><span class="st"> - the application server in which to run Redmine </span></span></span></li>
<li><span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><span class="st">Nginx - the web server within which Redmine runs </span></span></span></li>
</ul>
<h3>
<span style="font-family: "arial" , "helvetica" , sans-serif;">MySQL Configuration</span><span style="font-family: "arial" , "helvetica" , sans-serif;"> </span></h3>
<span style="font-family: "arial" , "helvetica" , sans-serif;">Install MySQL. For this step, relying on the Ubuntu packages is fine.</span><br />
<blockquote class="tr_bq">
<span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-family: "courier new" , "courier" , monospace;">sudo apt-get install -y mysql-server libmysqlclient-dev</span></span></blockquote>
<span style="font-family: "arial" , "helvetica" , sans-serif;">For production systems, a separate data disk should be used rather than storing the data on the same partition as the root system. This can be changed by modifying the data directory configuration in MySQL: </span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-family: "courier new" , "courier" , monospace;">/etc/mysql/my.cnf</span></span><br />
<blockquote class="tr_bq">
<span style="font-family: "courier new" , "courier" , monospace;">#datadir = /var/lib/mysql #old location<br />datadir = /data/mysql # new location</span></blockquote>
<span style="font-family: "arial" , "helvetica" , sans-serif;">If going down this path, set ownership and permissions on the new location so that only the mysql account can read it: </span><br />
<blockquote class="tr_bq">
<span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-family: "courier new" , "courier" , monospace;">sudo chown mysql:mysql /data/mysql<br />sudo chmod 700 /data/mysql</span></span></blockquote>
<span style="font-family: "arial" , "helvetica" , sans-serif;">Update AppArmor, otherwise the mysql process won't start: the shipped profile only lets mysqld touch <span style="font-family: "courier new" , "courier" , monospace;">/var/lib/mysql</span>, so add matching read and read/write/lock rules for the new directory and reload the profile.</span><br />
<blockquote class="tr_bq">
<span style="font-family: "courier new" , "courier" , monospace;">sudo vim /etc/apparmor.d/usr.sbin.mysqld</span> </blockquote>
<span style="font-family: "arial" , "helvetica" , sans-serif;">Restart mysql. </span><br />
<blockquote class="tr_bq">
<span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-family: "courier new" , "courier" , monospace;">sudo service mysql restart</span></span></blockquote>
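<span style="font-family: "arial" , "helvetica" , sans-serif;">As an added example (not from the original post), the whole data-directory move as one script, including the AppArmor rules the steps above leave to the reader. It assumes Ubuntu 16.04's package layout (the datadir setting in /etc/mysql/mysql.conf.d/mysqld.cnf and a mysqld profile that includes local/usr.sbin.mysqld, both as the distro package ships them), that the new disk is already mounted at the target path, and that rsync is installed; the paths and the mysql account are the ones used above. </span><br />

```shell
#!/usr/bin/env bash
# Added example, not from the original post: move the MySQL data directory
# to a dedicated disk and keep the AppArmor profile in step with it.
# Assumptions: Ubuntu 16.04 with the distro mysql-server package, the new
# disk already mounted at the target path, and the shipped profile
# /etc/apparmor.d/usr.sbin.mysqld including local/usr.sbin.mysqld.
set -euo pipefail

# The two AppArmor rules mysqld needs for a data directory: read the
# directory itself, and read/write/lock everything beneath it.
apparmor_rules_for() {
  local dir="${1%/}"
  printf '%s\n' "  ${dir}/ r," "  ${dir}/** rwk,"
}

# True when a data directory is owned by the expected account and is
# closed to everyone else (mode 0700), which is what the post asks for.
datadir_perms_ok() {
  local dir="$1" owner="${2:-mysql}" mode user
  mode=$(stat -c '%a' "$dir")
  user=$(stat -c '%U' "$dir")
  [ "$mode" = "700" ] && [ "$user" = "$owner" ]
}

# The full relocation. Run as root; it stops MySQL for the copy.
relocate_mysql_datadir() {
  local old="$1" new="${2%/}"
  local cnf="${3:-/etc/mysql/mysql.conf.d/mysqld.cnf}"   # my.cnf on older releases
  local profile=/etc/apparmor.d/usr.sbin.mysqld

  service mysql stop
  mkdir -p "$new"
  chown mysql:mysql "$new"
  chmod 700 "$new"
  # -a preserves ownership and modes; trailing slashes copy contents, not the directory.
  rsync -a "${old}/" "${new}/"

  # Point MySQL at the new location.
  sed -i "s|^datadir\s*=.*|datadir = ${new}|" "$cnf"

  # Let the confined mysqld use it, then reload the profile.
  apparmor_rules_for "$new" >> /etc/apparmor.d/local/usr.sbin.mysqld
  apparmor_parser -r "$profile"

  service mysql start
  datadir_perms_ok "$new" mysql
  # Ask the running server where its data lives; this must print the new path.
  mysql -NBe 'SELECT @@datadir'
}

# Usage, as root:  relocate_mysql_datadir /var/lib/mysql /data/mysql
```

<span style="font-family: "arial" , "helvetica" , sans-serif;">The rules are appended to the local include rather than edited into the main profile so that a package upgrade of the profile does not silently drop them; if your profile lacks the include line, put the same two lines inside the main profile before its closing brace. The final SELECT is the check that matters: a server that started but is still reading the old directory will answer with the old path. </span><br />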
<span style="font-family: "arial" , "helvetica" , sans-serif;">Connect to MySQL as its root account and create the database plus a dedicated user. The grant is scoped to the redmine schema and to connections from localhost only, which is all the application needs:</span><br />
<blockquote class="tr_bq">
<span style="font-family: "courier new" , "courier" , monospace;">mysql -u root -p<br />CREATE DATABASE redmine CHARACTER SET utf8;<br />CREATE USER 'redmine'@'localhost' IDENTIFIED BY '<i>yourpassword</i>';<br />GRANT ALL PRIVILEGES ON redmine.* TO 'redmine'@'localhost';</span></blockquote>
<h3>
<span style="font-family: "arial" , "helvetica" , sans-serif;">Ruby Installation</span></h3>
<span style="font-family: "arial" , "helvetica" , sans-serif;">Many methods exist to install Ruby. Unfortunately the most convenient one, apt-get, leaves the system several versions behind, which means many Redmine plugins, and parts of Redmine itself, will be unsupported. RVM is a tried and true method and provides clean management of Ruby versions. </span><br />
<br />
<span style="font-family: "arial" , "helvetica" , sans-serif;">For whatever reason, these steps seem to work best as root. Be aware of what the second command does: piping the installer straight into a root shell runs whatever get.rvm.io returns, uninspected. The imported key is used by the installer to check the signature on the RVM release it then downloads, not the installer script itself. If you would rather look first, save the script to a file, read it, and run it from there. If keys.gnupg.net is unreachable, any keyserver that carries the key will do, since the full fingerprint is pinned on the command line. </span><br />
<blockquote class="tr_bq">
<span style="font-family: "courier new" , "courier" , monospace;">sudo su - </span><br />
<span style="font-family: "courier new" , "courier" , monospace;">gpg --keyserver hkp://keys.gnupg.net --recv-keys 409B6B1796C275462A1703113804BB82D39DC0E3<br />curl -sSL https://get.rvm.io | bash -s stable</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">exit </span></blockquote>
<span style="font-family: "arial" , "helvetica" , sans-serif;">Once set up, each user of RVM needs to be added to the rvm group. </span><br />
<blockquote class="tr_bq">
<span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-family: "courier new" , "courier" , monospace;">sudo usermod -a -G rvm <i>username</i></span><i> </i></span></blockquote>
<span style="font-family: "arial" , "helvetica" , sans-serif;">Log out and log back in so the group membership and RVM's shell function take effect, then let RVM install the packages it needs to build Rubies. </span><br />
<blockquote class="tr_bq">
<span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-family: "courier new" , "courier" , monospace;">rvm requirements</span></span></blockquote>
<span style="font-family: "arial" , "helvetica" , sans-serif;">Now choose a Ruby version. Pick one the Redmine release you plan to install supports (the install page on redmine.org lists them); 2.2 is used here. RVM has pre-compiled binaries for common versions, which makes installation seamless.</span><br />
<blockquote class="tr_bq">
<span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-family: "courier new" , "courier" , monospace;">rvm install 2.2.3<br />rvm use 2.2.3 --default</span></span></blockquote>
<span style="font-family: "arial" , "helvetica" , sans-serif;">Then confirm everything looks correct. </span><br />
<blockquote class="tr_bq">
<span style="font-family: "courier new" , "courier" , monospace;">ruby -v<br />ruby 2.2.3p173 (2015-08-18 revision 51636) [x86_64-linux]</span></blockquote>
<h3>
<span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-family: "arial" , "helvetica" , sans-serif;">Phusion Passenger Installation</span></span></h3>
<span style="font-family: "arial" , "helvetica" , sans-serif;">Again, many options exist for application containers. Phusion has a Passenger-Nginx combo that is straightforward to install and configure. It also installs an old version of Ruby, but via configuration the package can be pointed at our more recent version. </span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif;"></span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif;">Details of this installation can be found <a href="https://www.phusionpassenger.com/library/install/nginx/install/oss/trusty/" target="_blank">on the Phusion site</a>. Two things to check before running it: the repository line names an Ubuntu release codename, and <span style="font-family: "courier new" , "courier" , monospace;">trusty</span> is 14.04, so on 16.04 substitute <span style="font-family: "courier new" , "courier" , monospace;">xenial</span>; and the repository is served over HTTPS, which apt on 16.04 can only fetch once the apt-transport-https package is installed.</span><br />
<blockquote class="tr_bq">
<span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-family: "courier new" , "courier" , monospace;">sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys 561F9B9CAC40B2F7<br />sudo sh -c 'echo deb https://oss-binaries.phusionpassenger.com/apt/passenger trusty main > /etc/apt/sources.list.d/passenger.list'<br />sudo apt-get update<br />sudo apt-get install nginx-extras passenger</span></span></blockquote>
<h3>
<span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-family: "arial" , "helvetica" , sans-serif;">Nginx Configuration </span></span></h3>
<span style="font-family: "arial" , "helvetica" , sans-serif;">Nginx has to be pointed at the correct Ruby and the correct Passenger installation. </span><br />
<br />
<span style="font-family: "arial" , "helvetica" , sans-serif;">Ensure Passenger is installed correctly and confirm its root location. This path will be needed for nginx. </span><br />
<blockquote class="tr_bq">
<span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-family: "courier new" , "courier" , monospace;">/usr/bin/passenger-config validate-install<br />passenger-config --root</span></span></blockquote>
<span style="font-family: "arial" , "helvetica" , sans-serif;">The result will be something like this:</span><br />
<blockquote class="tr_bq">
<span style="font-family: "courier new" , "courier" , monospace;">/usr/lib/ruby/vendor_ruby/phusion_passenger/locations.ini</span></blockquote>
<span style="font-family: "arial" , "helvetica" , sans-serif;">Also, confirm the path of the Ruby that Passenger should use. Run this as a user whose default RVM Ruby is the one chosen above; the answer is RVM's wrapper script, which sets up the RVM environment without needing an interactive shell.</span><br />
<blockquote class="tr_bq">
<span style="font-family: "courier new" , "courier" , monospace;">which passenger-config </span><br />
<span style="font-family: "courier new" , "courier" , monospace;">/usr/bin/passenger-config #use this result to perform the next command </span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-family: "courier new" , "courier" , monospace;">/usr/bin/passenger-config --ruby-command</span></span></blockquote>
<span style="font-family: "arial" , "helvetica" , sans-serif;">The result will be something like this: </span><br />
<blockquote class="tr_bq">
<span style="font-family: "courier new" , "courier" , monospace;">/usr/local/rvm/gems/ruby-2.2.3/wrappers/ruby</span><br />
</blockquote>
<span style="font-family: "arial" , "helvetica" , sans-serif;">Update nginx.conf so both directives point at the paths found above; the old entries are left commented out for reference. Don't forget the semicolons at the end! </span><br />
<blockquote class="tr_bq">
<span style="font-family: "courier new" , "courier" , monospace;">sudo vim /etc/nginx/nginx.conf</span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-family: "courier new" , "courier" , monospace;"># passenger_root /usr/lib/ruby/vendor_ruby/phusion_passenger/locations.ini; #old entry<br /># passenger_ruby /usr/bin/passenger_free_ruby; #old entry<br />passenger_root /usr/lib/ruby/vendor_ruby/phusion_passenger/locations.ini;<br />passenger_ruby /usr/local/rvm/gems/ruby-2.2.3/wrappers/ruby;</span></span></blockquote>
<span style="font-family: "arial" , "helvetica" , sans-serif;">Restart nginx. If the restart fails, <span style="font-family: "courier new" , "courier" , monospace;">sudo nginx -t</span> reports the offending line.</span><br />
<blockquote class="tr_bq">
<span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-family: "courier new" , "courier" , monospace;">sudo service nginx restart</span></span></blockquote>
<span style="font-family: "arial" , "helvetica" , sans-serif;">Create the www directory and give it to the web server account. </span><br />
<blockquote class="tr_bq">
<span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-family: "courier new" , "courier" , monospace;">sudo mkdir /var/www<br />sudo chown -R www-data:www-data /var/www</span></span></blockquote>
<span style="font-family: "arial" , "helvetica" , sans-serif;">Build out the site, assuming plain HTTP for now. More configuration will be needed to move the system to TLS and lock it down, but this gets things correct and running. </span><br />
<blockquote class="tr_bq">
<span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-family: "courier new" , "courier" , monospace;">sudo cp /etc/nginx/sites-available/default /etc/nginx/sites-available/default.orig<br />sudo vim /etc/nginx/sites-available/default</span></span></blockquote>
<span style="font-family: "arial" , "helvetica" , sans-serif;">Update the root location and add the Passenger configuration. With Passenger's default user switching, the application runs as the owner of Redmine's config.ru, which will be the redmine service account created below, not www-data. </span><br />
<blockquote class="tr_bq">
<span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-family: "courier new" , "courier" , monospace;">root /data/redmine/redmine/public/; #installation location<br />passenger_enabled on; #turn on application container<br />client_max_body_size 10m; # Max attachment size allowed</span></span></blockquote>
<span style="font-family: "arial" , "helvetica" , sans-serif;">Then, to prevent a mess of 404 errors, comment out the default location block. Its try_files answers every request that is not a real file under public/ with a 404 before Passenger ever sees it, which is why missing this step results in a special level of Redmine 404 hell. </span><br />
<blockquote class="tr_bq">
<span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-family: "courier new" , "courier" , monospace;">#location / {<br /> # First attempt to serve request as file, then<br /> # as directory, then fall back to displaying a 404.<br /> #try_files $uri $uri/ =404; <br />#}</span></span></blockquote>
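<span style="font-family: "arial" , "helvetica" , sans-serif;">As an added example (not the post's own file), this is what the complete site file looks like once those edits are made, still plain HTTP. The hostname is an assumption, the paths are the ones used above, and passenger_root and passenger_ruby stay in nginx.conf's http block as set earlier. The passenger_user line and the dotfile block are additions the post does not mention: the first pins the service account explicitly instead of relying on who owns config.ru, the second stops nginx from ever serving a stray .git or .htaccess that lands under public/. </span><br />

```nginx
# Added example, not the post's own configuration.
# /etc/nginx/sites-available/default for Redmine behind Passenger, plain HTTP.
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name redmine.example.com;        # assumed hostname

    # Redmine's public/ directory; nginx serves static files from here and
    # hands everything else to the Rails application through Passenger.
    root /data/redmine/redmine/public;

    passenger_enabled on;
    # Run the application as the service account (Passenger's default is the
    # owner of config.ru, which is the same account; this makes it explicit).
    passenger_user redmine;

    client_max_body_size 10m;               # largest attachment upload allowed

    # Deliberately no "location / { try_files $uri $uri/ =404; }" block:
    # it would answer Rails routes with 404s before Passenger sees them.

    # Never serve dotfiles that might end up under the document root.
    location ~ /\. {
        deny all;
    }
}
```

<span style="font-family: "arial" , "helvetica" , sans-serif;">Validate it with nginx -t before restarting; a missing semicolon or a root path that does not exist yet will be reported there rather than as a silent 404 or 502 later. </span><br />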
<span style="font-family: "arial" , "helvetica" , sans-serif;">The system is almost ready for Redmine installation.</span><br />
<br />
<h3>
<span style="font-family: "arial" , "helvetica" , sans-serif;">Create the redmine account </span></h3>
<span style="font-family: "arial" , "helvetica" , sans-serif;">Before doing too much with Ruby, create a redmine service account. Note: ideally its home directory is the place where Redmine is going to be installed; for production systems that should be a separate partition. </span><br />
<blockquote>
<span style="font-family: "courier new" , "courier" , monospace;">sudo adduser --system --shell /bin/bash --gecos 'Redmine Administrator' --group --disabled-password --home /data/redmine redmine<br />sudo usermod -a -G rvm redmine</span></blockquote>
<span style="font-family: "arial" , "helvetica" , sans-serif;">Give the account sudo privileges (temporarily). The rule below is passwordless and unrestricted, so keep the window short and remove it in the Clean up step at the end.</span><br />
<blockquote class="tr_bq">
<span style="font-family: "courier new" , "courier" , monospace;">sudo visudo </span><br />
<span style="font-family: "courier new" , "courier" , monospace;">redmine ALL=(ALL) NOPASSWD:ALL</span></blockquote>
<h3>
<span style="font-family: "arial" , "helvetica" , sans-serif;">Welcome to dependency-o-rama </span></h3>
<span style="font-family: "arial" , "helvetica" , sans-serif;">Installing the Ruby gems next depends (ha ha, get it?) on a few system packages needed to compile their native extensions, ImageMagick's headers for the image gems among them. A minimal list looks something like this: </span><br />
<blockquote class="tr_bq">
<span style="font-family: "courier new" , "courier" , monospace;">sudo apt-get install -y build-essential imagemagick libmagickwand-dev</span></blockquote>
<h3>
<span style="font-family: "arial" , "helvetica" , sans-serif;">Redmine, remember this was the main point of the article?</span></h3>
<span style="font-family: "arial" , "helvetica" , sans-serif;">Whew. Like a hero that doesn't show up until reel 3, redmine is finally on the scene. </span><br />
<h4>
<span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-family: "trebuchet ms" , sans-serif;"><span style="font-size: small;">Install the latest</span></span></span></h4>
<span style="font-family: "arial" , "helvetica" , sans-serif;">Switch to the redmine user and pull down the latest stable release (3.2.1 at the time of writing). Fetch it over HTTPS and compare the archive's SHA256 with the value published on the redmine.org download page before unpacking it. </span><br />
<blockquote class="tr_bq">
<span style="font-family: "courier new" , "courier" , monospace;">sudo su - redmine # should land in the redmine installation directory</span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-family: "courier new" , "courier" , monospace;">wget https://www.redmine.org/releases/redmine-3.2.1.tar.gz <br />tar xvfz redmine-3.2.1.tar.gz<br />ln -s redmine-3.2.1 redmine<br />rm redmine-3.2.1.tar.gz</span></span></blockquote>
<h4>
<span style="font-family: "trebuchet ms" , sans-serif;"><span style="font-size: small;">Configure the mysql connection </span></span></h4>
<span style="font-family: "arial" , "helvetica" , sans-serif;">Update the production entry with the account connection information. The file holds the database password, so make it readable only by the redmine account (mode 600).</span><br />
<blockquote class="tr_bq">
<span style="font-family: "courier new" , "courier" , monospace;">cd redmine </span><br />
<span style="font-family: "courier new" , "courier" , monospace;">cp -pR config/database.yml.example config/database.yml</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">vim config/database.yml</span></blockquote>
<h4>
<span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-family: "trebuchet ms" , sans-serif;"><span style="font-size: small;">Adding gems - truly outrageous! </span></span></span></h4>
<span style="font-family: "arial" , "helvetica" , sans-serif;">Configure the gems, and avoid doing this as root. As with everything in Redmine administration, do this as that fancy redmine service account (its rvm group membership gives it the Ruby installed above): </span><br />
<blockquote class="tr_bq">
<span style="font-family: "courier new" , "courier" , monospace;">gem install bundler</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">bundle install --without development test</span></blockquote>
<span style="font-family: "arial" , "helvetica" , sans-serif;">If versions and such match these instructions, the bundle install should go clean:</span><br />
<blockquote class="tr_bq">
<span style="font-family: "courier new" , "courier" , monospace;">Bundle complete! 30 Gemfile dependencies, 54 gems now installed.<br />Gems in the groups development and test were not installed.<br />Use `bundle show [gemname]` to see where a bundled gem is installed.</span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif;"></span></blockquote>
<span style="font-family: "arial" , "helvetica" , sans-serif;">If versions are different or new features are needed, some iteration may be needed to build and install the gems. This seems to be a "normal" task for Ruby administrators. Apply google-fu and iterate. </span><br />
<h4>
<span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-family: "trebuchet ms" , sans-serif;"><span style="font-size: small;">Rake magic </span></span></span></h4>
<span style="font-family: "arial" , "helvetica" , sans-serif;">Next run the magic rake commands. All magic comes in threes. The first writes <span style="font-family: "courier new" , "courier" , monospace;">config/initializers/secret_token.rb</span>, the key that signs session cookies; like database.yml it should stay readable only by the redmine account. </span><br />
<blockquote class="tr_bq">
<span style="font-family: "courier new" , "courier" , monospace;">bundle exec rake generate_secret_token<br />RAILS_ENV=production bundle exec rake db:migrate<br />RAILS_ENV=production bundle exec rake redmine:load_default_data</span></blockquote>
<span style="font-family: "arial" , "helvetica" , sans-serif;">Now everything should be ready to start. Restart nginx from your sudo-capable login, not the redmine account. Passenger spawns the application on the first request, so load the site and monitor the following logs to ensure things start clean: </span><br />
<blockquote class="tr_bq">
<span style="font-family: "courier new" , "courier" , monospace;">tail -f /var/log/nginx/error.log</span><br />
<span style="font-family: "courier new" , "courier" , monospace;">tail -f /data/redmine/redmine/log/production.log</span></blockquote>
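<span style="font-family: "arial" , "helvetica" , sans-serif;">As an added example (not from the original post), the install steps from the download through the rake commands as one script run by the redmine account. It assumes the account, RVM Ruby and MySQL user from the earlier steps exist and that the expected SHA256 has been copied by hand from the redmine.org download page for the chosen version; the release URL pattern is the one used above. The checksum check and the 0600 permissions on database.yml and secret_token.rb are the two things the manual steps leave out. </span><br />

```shell
#!/usr/bin/env bash
# Added example, not from the original post: fetch, verify and wire up a
# Redmine release as the redmine service account. Assumptions: the account
# and RVM Ruby from the earlier steps exist, the home directory is the
# install location, and the expected SHA256 was taken from the redmine.org
# download page for this version.
set -euo pipefail

# Compare a file's SHA256 with the expected value; succeed only on a match.
verify_sha256() {
  local file="$1" expected="$2" actual
  actual=$(sha256sum "$file" | cut -d' ' -f1)
  [ "$actual" = "$expected" ]
}

# Render config/database.yml for the production environment. The password
# arrives as an argument; callers should pass it from an environment
# variable rather than typing it on the command line.
render_database_yml() {
  local db="$1" user="$2" pass="$3"
  cat <<EOF
production:
  adapter: mysql2
  database: ${db}
  host: localhost
  username: ${user}
  password: "${pass}"
  encoding: utf8
EOF
}

# Full installation. Run as the redmine user from its home directory.
install_redmine() {
  local version="$1" expected_sha="$2" db_pass="$3"
  local tarball="redmine-${version}.tar.gz"

  # Fetch over HTTPS and refuse to unpack anything whose digest does not match.
  wget -q "https://www.redmine.org/releases/${tarball}"
  verify_sha256 "$tarball" "$expected_sha" || {
    echo "checksum mismatch for ${tarball}" >&2
    rm -f "$tarball"
    return 1
  }
  tar xzf "$tarball"
  ln -sfn "redmine-${version}" redmine
  rm -f "$tarball"

  cd redmine
  # database.yml holds the DB password: write it readable by this account only.
  (umask 077 && render_database_yml redmine redmine "$db_pass" > config/database.yml)

  gem install bundler
  bundle install --without development test

  # secret_token.rb signs session cookies; keep it private as well.
  bundle exec rake generate_secret_token
  chmod 600 config/initializers/secret_token.rb
  RAILS_ENV=production bundle exec rake db:migrate
  RAILS_ENV=production bundle exec rake redmine:load_default_data
}

# Usage, as redmine, with the password held in an environment variable:
#   install_redmine 3.2.1 <sha256 from redmine.org> "$REDMINE_DB_PASSWORD"
```

<span style="font-family: "arial" , "helvetica" , sans-serif;">A failed checksum removes the archive and stops before anything is extracted, which is the behaviour you want when the download came over a network you do not control. </span><br />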
<h4>
<span style="font-family: "trebuchet ms" , sans-serif;"><span style="font-size: small;">Clean up</span></span></h4>
<span style="font-family: "arial" , "helvetica" , sans-serif;">Congratulations, the redmine site should now be up and available. </span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="font-family: "arial" , "helvetica" , sans-serif;">Remove the sudo privileges from the redmine account (delete the line added with visudo). Move the site to TLS, ideally using the excellent <a href="https://letsencrypt.org/getting-started/" target="_blank">Let's Encrypt</a> service; <a href="http://www.untrustedconnection.com/2016/05/nginx-https-with-lets-encrypt-and.html" target="_blank">those instructions can be found here</a>. </span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<br />
<h3>
<span style="font-family: "arial" , "helvetica" , sans-serif;">Links of interest </span></h3>
<span style="font-family: "arial" , "helvetica" , sans-serif;">Plenty of chatter and individual parts here to help troubleshoot and see where much of this has been culled. Enjoy. </span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<br />
<h4>
<span style="font-family: "trebuchet ms" , sans-serif;"><span style="font-size: small;">Ways to install ruby on Ubuntu </span></span></h4>
<span style="font-family: "arial" , "helvetica" , sans-serif;"><a href="http://stackoverflow.com/questions/26595620/how-to-install-ruby-2-1-4-on-ubuntu-14-04">http://stackoverflow.com/questions/26595620/how-to-install-ruby-2-1-4-on-ubuntu-14-04</a><br /><a href="https://gorails.com/setup/ubuntu/14.04">https://gorails.com/setup/ubuntu/14.04</a><br /><a href="https://www.digitalocean.com/community/tutorials/how-to-install-rails-and-nginx-with-passenger-on-ubuntu">https://www.digitalocean.com/community/tutorials/how-to-install-rails-and-nginx-with-passenger-on-ubuntu</a><br /><a href="http://stackoverflow.com/questions/5201689/rmagick-gem-install-cant-find-magick-config">http://stackoverflow.com/questions/5201689/rmagick-gem-install-cant-find-magick-config</a></span><br />
<h4>
<span style="font-family: "trebuchet ms" , sans-serif;"><span style="font-size: small;">Ways to install Nginx and Passenger</span></span></h4>
<a href="https://www.digitalocean.com/community/tutorials/how-to-deploy-a-rails-app-with-passenger-and-nginx-on-ubuntu-14-04"><span style="font-family: "arial" , "helvetica" , sans-serif;">https://www.digitalocean.com/community/tutorials/how-to-deploy-a-rails-app-with-passenger-and-nginx-on-ubuntu-14-04</span></a><br />
<a href="http://www.redmine.org/projects/redmine/wiki/HowTo_configure_Nginx_to_run_Redmine"><span style="font-family: "arial" , "helvetica" , sans-serif;">http://www.redmine.org/projects/redmine/wiki/HowTo_configure_Nginx_to_run_Redmine</span></a><br />
<h4>
<span style="font-family: "trebuchet ms" , sans-serif;"><span style="font-size: small;">Troubleshooting Passenger installations </span></span></h4>
<a href="https://www.blogger.com/goog_344700742"><span style="font-family: "arial" , "helvetica" , sans-serif;">https://www.phusionpassenger.com/library/config/nginx/reference/#passenger_root<br />https://www.phusionpassenger.com/library/admin/nginx/troubleshooting/ruby/</span></a><br />
<a href="https://www.phusionpassenger.com/library/config/nginx/reference/#setting_correct_passenger_ruby_value"><span style="font-family: "arial" , "helvetica" , sans-serif;">https://www.phusionpassenger.com/library/config/nginx/reference/#setting_correct_passenger_ruby_value</span></a><br />
<br />
<h4>
<span style="font-family: "trebuchet ms" , sans-serif;"><span style="font-size: small;">Ways to install Redmine </span></span></h4>
<span style="font-family: "arial" , "helvetica" , sans-serif;"><a href="http://www.redmine.org/projects/redmine/wiki/HowTos">http://www.redmine.org/projects/redmine/wiki/HowTos</a><br /><a href="http://www.redmine.org/projects/redmine/wiki/RedmineInstall#fn0">http://www.redmine.org/projects/redmine/wiki/RedmineInstall#fn0</a><br /><a href="https://blog.rudeotter.com/install-redmine-with-nginx-puma-and-mariadbmysql-on-ubuntu-14-04/">https://blog.rudeotter.com/install-redmine-with-nginx-puma-and-mariadbmysql-on-ubuntu-14-04/</a><br /><a href="http://www.redminecrm.com/boards/4/topics/448-installing-redmine-2-2-passenger-nginx-rvm-on-ubuntu-12-04">http://www.redminecrm.com/boards/4/topics/448-installing-redmine-2-2-passenger-nginx-rvm-on-ubuntu-12-04</a><br /><a href="https://nidomiro.de/2015/03/installing-redmine-3-0-on-clean-ubuntu-14-04/">https://nidomiro.de/2015/03/installing-redmine-3-0-on-clean-ubuntu-14-04/</a></span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif;"><a href="http://www.redmine.org/projects/redmine/wiki/HowTo_Install_Redmine_30x_on_Ubuntu_1404_with_Apache2_Phusion_Passenger_MySQL_Subversion_and_Git_%28Gitolite%29#Installing-Ruby">http://www.redmine.org/projects/redmine/wiki/HowTo_Install_Redmine_30x_on_Ubuntu_1404_with_Apache2_Phusion_Passenger_MySQL_Subversion_and_Git_%28Gitolite%29#Installing-Ruby</a></span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span>Andrew Hosch, http://www.blogger.com/profile/12207061134715113029, 2013-06-28: Samurai Notes<div itemprop="name">
<br /></div>
<div itemprop="name">
<br /></div>
<h4 itemprop="name">
<span style="font-family: Arial,Helvetica,sans-serif;">Samurai Web Test Framework</span></h4>
<div itemprop="name">
<span style="font-family: Arial,Helvetica,sans-serif;">The <a href="http://samurai.inguardians.com/" target="_blank">Samurai Web Test Framework</a> is an excellent starting place to learn the intricacies of security testing of web-based systems. </span></div>
<div itemprop="name">
<span style="font-family: Arial,Helvetica,sans-serif;"><br /></span></div>
<div itemprop="name">
<span style="font-family: Arial,Helvetica,sans-serif;">Because of the nature of the content on the system, it is locked down in various ways to remain walled off. </span></div>
<div itemprop="name">
<span style="font-family: Arial,Helvetica,sans-serif;"><br /></span></div>
<div itemprop="name">
<span style="font-family: Arial,Helvetica,sans-serif;">Here are notes on how to gain remote access to the system. </span></div>
<div itemprop="name">
<br /></div>
<h4 itemprop="name">
<span style="font-family: Arial,Helvetica,sans-serif;">SSH Access </span></h4>
<div itemprop="name">
<span style="font-family: Arial,Helvetica,sans-serif;">Remote ssh sessions are refused with the message “no hostkey alg” until SSH host keys have been generated on the system. </span></div>
<div itemprop="name">
<span style="font-family: Arial,Helvetica,sans-serif;"><br /></span></div>
<div itemprop="name">
<span style="font-family: Arial,Helvetica,sans-serif;">On Samurai, run the following commands:</span></div>
<div itemprop="name">
<br /></div>
<div itemprop="name">
<span style="font-family: "Courier New",Courier,monospace;"><code># ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key<br />
# ssh-keygen -t dsa -f /etc/ssh/ssh_host_dsa_key</code> </span></div>
Andrew Hoschhttp://www.blogger.com/profile/12207061134715113029noreply@blogger.com0tag:blogger.com,1999:blog-5711099973096454729.post-54552583529931663522013-06-24T14:50:00.001-07:002013-06-24T16:04:01.384-07:00Dual factor SSH: Google Authenticator, SElinux, and CentOS<h4>
<span style="font-family: Arial,Helvetica,sans-serif;"> </span></h4>
<h4>
<span style="font-family: Arial,Helvetica,sans-serif;">Intro </span></h4>
<span style="font-family: Arial,Helvetica,sans-serif;">Dual factor authentication often requires the purchase of RSA tokens or some similar physical piece of hardware. Even the much touted Yubikey costs $25 a unit. Google Authenticator is quickly becoming one of the new standards for implementing a dual factor solution using a smart phone instead of a purchased token. </span><br />
<br />
<span style="font-family: Arial,Helvetica,sans-serif;">The <a href="http://code.google.com/p/google-authenticator/wiki/PamModuleInstructions" target="_blank">Google Authenticator PAM module</a> allows time-based dual factor authentication on a Linux machine. The installation is documented on the Google Authenticator wiki in a couple of lines, but little is said about implementation with SELinux enabled. Most other blogs simply state, "Turn off SELinux", which seems less than ideal. </span><br />
<br />
<span style="font-family: Arial,Helvetica,sans-serif;">Here is an end to end set up for Google Authenticator on CentOS 6.4. </span><br />
<span style="font-family: Arial,Helvetica,sans-serif;"><br /></span>
<br />
<h4>
<span style="font-family: Arial,Helvetica,sans-serif;">Installation - Method 1 (via RPM)</span></h4>
<span style="font-family: Arial,Helvetica,sans-serif;"><i>Easy, but not recommended. </i></span><br />
<br />
<span style="font-family: Arial,Helvetica,sans-serif;">Enable the <a href="http://fedoraproject.org/wiki/EPEL" target="_blank">EPEL </a>repository, if not already enabled. </span><br />
<br />
<span style="font-family: Arial,Helvetica,sans-serif;">For example: </span><br />
<br />
<span style="font-size: small;"><span style="font-family: "Courier New",Courier,monospace;"># wget http://mirror.symnds.com/distributions/fedora-epel/6/i386/epel-release-6-8.noarch.rpm</span></span><br />
<span style="font-size: small;"><span style="font-family: "Courier New",Courier,monospace;"># yum localinstall epel-release-6-8.noarch.rpm</span></span><br />
<br />
<span style="font-family: Arial,Helvetica,sans-serif;">Then install via yum. </span><br />
<br />
<span style="font-family: Arial,Helvetica,sans-serif;"><span style="font-family: "Courier New",Courier,monospace;"># yum install google-authenticator</span></span><br />
<br />
<span style="font-family: Arial,Helvetica,sans-serif;">The downside is that the RPM is most likely not the most up-to-date version.</span><br />
<br />
<h4>
<span style="font-family: Arial,Helvetica,sans-serif;">Installation - Method 2 (via make) </span></h4>
<span style="font-family: Arial,Helvetica,sans-serif;"><i>Not so difficult and recommended.</i> </span><br />
<br />
<span style="font-family: Arial,Helvetica,sans-serif;">Make sure you have pam-devel (<span style="font-family: "Courier New",Courier,monospace;">yum install pam-devel</span>) installed. Then clone the latest source from Google. </span><br />
<br />
<span style="font-family: "Courier New",Courier,monospace;"># git clone https://code.google.com/p/google-authenticator/</span><br />
<span style="font-family: Arial,Helvetica,sans-serif;"><br /></span>
<span style="font-family: Arial,Helvetica,sans-serif;">Change into the build directory. </span><br />
<br />
<span style="font-family: "Courier New",Courier,monospace;"># cd google-authenticator/libpam/ </span><br />
<span style="font-family: Arial,Helvetica,sans-serif;"><br /></span>
<span style="font-family: Arial,Helvetica,sans-serif;">Then do the build. </span><br />
<br />
<span style="font-family: Arial,Helvetica,sans-serif;"><span style="font-family: "Courier New",Courier,monospace;"># make && make install</span></span><br />
<span style="font-family: Arial,Helvetica,sans-serif;"><span style="font-family: "Courier New",Courier,monospace;"> </span> </span><br />
<h4>
<span style="font-family: Arial,Helvetica,sans-serif;">Basic Server Set up </span></h4>
<span style="font-family: Arial,Helvetica,sans-serif;">Two places have to be modified, the sshd configuration file and the PAM configuration file. </span><br />
<br />
<span style="font-family: Arial,Helvetica,sans-serif;">In <span style="font-family: "Courier New",Courier,monospace;">/etc/ssh/sshd_config</span> ensure the settings match the ones below: </span><br />
<span style="font-family: Arial,Helvetica,sans-serif;"><br /></span>
<br />
<blockquote class="tr_bq">
<span style="font-family: Arial,Helvetica,sans-serif;"><span style="font-family: "Courier New",Courier,monospace;">PasswordAuthentication yes </span></span><br />
<span style="font-family: Arial,Helvetica,sans-serif;"><span style="font-family: "Courier New",Courier,monospace;">ChallengeResponseAuthentication yes<br />#ChallengeResponseAuthentication no</span></span><br />
<span style="font-family: Arial,Helvetica,sans-serif;"><span style="font-family: "Courier New",Courier,monospace;">UsePAM yes </span></span></blockquote>
<br />
<br />
<span style="font-family: Arial,Helvetica,sans-serif;">In the PAM file <span style="font-family: "Courier New",Courier,monospace;">/etc/pam.d/sshd</span>, a new line will need to be added at the top: </span><br />
<br />
<span style="font-family: "Courier New",Courier,monospace;">auth required pam_google_authenticator.so</span><br />
<br />
<span style="font-family: Arial,Helvetica,sans-serif;">Restart the sshd daemon: </span><br />
<br />
<span style="font-family: Arial,Helvetica,sans-serif;"><span style="font-family: "Courier New",Courier,monospace;"># service sshd restart</span> </span><br />
<br />
<span style="font-family: Arial,Helvetica,sans-serif;">That is it for the server. </span><br />
<br />
<span style="font-family: Arial,Helvetica,sans-serif;">If, however, SELinux is enabled, additional configuration is needed (see below). Otherwise, an error like this will appear in /var/log/secure: </span><br />
<span style="font-family: Arial,Helvetica,sans-serif;"><br /></span>
<br />
<blockquote class="tr_bq">
<span style="font-family: "Courier New",Courier,monospace;">Failed to update secret file "/home/${USER}/.google_authenticator"</span></blockquote>
<blockquote class="tr_bq">
<span style="font-family: Arial,Helvetica,sans-serif;"><span style="font-family: "Courier New",Courier,monospace;">error: PAM: Cannot make/remove an entry for the specified session</span></span></blockquote>
<span style="font-family: Arial,Helvetica,sans-serif;"><br /></span>
<br />
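As an added check (example code written for this note, not part of the original post), the POSIX shell functions below audit an sshd_config and a PAM sshd file for the settings just described: the three sshd keywords must be explicitly set to yes, and pam_google_authenticator.so must be the first active auth line. Only awk is assumed; file paths are parameters, so the same functions run against the constructed samples in the block or against /etc/ssh/sshd_config and /etc/pam.d/sshd on a live host.

```shell
#!/bin/sh
# Added example (not from the original post): audit the sshd and PAM settings
# the post asks for. Only awk and POSIX sh are assumed; file paths are
# parameters so the functions can be pointed at constructed samples or at
# /etc/ssh/sshd_config and /etc/pam.d/sshd on a live host.

# Effective value of one sshd_config keyword. sshd honours the first
# non-comment occurrence, so a leftover duplicate further down is ignored,
# exactly as sshd itself ignores it. Keywords are case-insensitive.
sshd_effective() {
    awk -v key="$2" '
        $1 !~ /^#/ && tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# Verify the three settings from the post. A keyword that is missing counts
# as a failure, so the file has to state the setting explicitly rather than
# rely on a compiled-in default. Prints each mismatch; returns 1 on any.
check_sshd_config() {
    rc=0
    for pair in PasswordAuthentication=yes \
                ChallengeResponseAuthentication=yes \
                UsePAM=yes; do
        key=${pair%%=*}
        want=${pair#*=}
        got=$(sshd_effective "$1" "$key")
        if [ "$got" != "$want" ]; then
            echo "$1: $key is '${got:-unset}', expected '$want'"
            rc=1
        fi
    done
    return $rc
}

# Verify that pam_google_authenticator.so is the first active "auth" entry:
# PAM walks the stack top-down, and the post puts the module on the first line.
check_pam_sshd() {
    first=$(awk '$1 !~ /^#/ && $1 == "auth" { print $3; exit }' "$1")
    if [ "$first" != "pam_google_authenticator.so" ]; then
        echo "$1: first auth module is '${first:-none}', expected pam_google_authenticator.so"
        return 1
    fi
    return 0
}

# Constructed sample files for a stand-alone run. $1 is a scratch directory.
write_samples() {
    printf '%s\n' \
        '#PasswordAuthentication no' \
        'PasswordAuthentication yes' \
        'ChallengeResponseAuthentication yes' \
        '#ChallengeResponseAuthentication no' \
        'UsePAM yes' > "$1/sshd_config.good"
    # A file that was never edited: challenge-response still off, UsePAM left out.
    printf '%s\n' \
        'PasswordAuthentication yes' \
        'ChallengeResponseAuthentication no' > "$1/sshd_config.bad"
    printf '%s\n' \
        '#%PAM-1.0' \
        'auth required pam_google_authenticator.so' \
        'auth required pam_sepermit.so' \
        'auth include password-auth' > "$1/pam_sshd.good"
    printf '%s\n' \
        '#%PAM-1.0' \
        'auth required pam_sepermit.so' \
        'auth include password-auth' > "$1/pam_sshd.bad"
}

# Stand-alone demonstration: run the checks on the constructed samples.
demo() {
    dir=$(mktemp -d)
    write_samples "$dir"
    for f in sshd_config.good sshd_config.bad; do
        check_sshd_config "$dir/$f" && echo "$f: ok"
    done
    for f in pam_sshd.good pam_sshd.bad; do
        check_pam_sshd "$dir/$f" && echo "$f: ok"
    done
    rm -rf "$dir"
}

demo
```

On a live host, `check_sshd_config /etc/ssh/sshd_config && check_pam_sshd /etc/pam.d/sshd` returns non-zero and names the offending keyword before you restart sshd, which is cheaper than discovering the mismatch from a locked-out session.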
<h4>
<span style="font-family: Arial,Helvetica,sans-serif;">Basic User Set Up </span></h4>
<span style="font-family: Arial,Helvetica,sans-serif;">First, install the <a href="https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2&hl=en" target="_blank">Google Authenticator</a> on your mobile phone. </span><br />
<span style="font-family: Arial,Helvetica,sans-serif;"><br /></span>
<span style="font-family: Arial,Helvetica,sans-serif;">Next, on the Linux system run the </span><span style="font-family: Arial,Helvetica,sans-serif;"><span style="font-family: Arial,Helvetica,sans-serif;">Google Authenticator command: </span></span><br />
<span style="font-family: Arial,Helvetica,sans-serif;"><span style="font-family: Arial,Helvetica,sans-serif;"><br /></span></span>
<span style="font-family: Arial,Helvetica,sans-serif;"><span style="font-family: "Courier New",Courier,monospace;"># google-authenticator</span></span><br />
<span style="font-family: Arial,Helvetica,sans-serif;"><br /></span>
<span style="font-family: Arial,Helvetica,sans-serif;">Read and answer the yes/no questions. After setup, the user will have a .google_authenticator file in the home directory. </span><br />
<br />
<span style="font-family: Arial,Helvetica,sans-serif;">The command will also print a URL and/or a QR code. With Google Authenticator open on your mobile phone, scan the QR code; the app will create a new account automatically.</span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjT_-EjkkPtNRwqrWuYWXVBG4rHafx3ytyIxQxcygDJiBWG7dmM7MGES8uAeqTpV4yiOoZWQY2oM1Ksdi7Xp-qqrZSQB_WfCs2WCwHZQP4MfIxkBM2U2b_0cKlh0m0mDLUDJq4zy63hvho/s1600/qrcode.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="" border="0" height="200" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjT_-EjkkPtNRwqrWuYWXVBG4rHafx3ytyIxQxcygDJiBWG7dmM7MGES8uAeqTpV4yiOoZWQY2oM1Ksdi7Xp-qqrZSQB_WfCs2WCwHZQP4MfIxkBM2U2b_0cKlh0m0mDLUDJq4zy63hvho/s200/qrcode.png" title="QR Code" width="200" /></a></div>
<span style="font-family: Arial,Helvetica,sans-serif;"><br /></span>
<span style="font-family: Arial,Helvetica,sans-serif;">This has to be done for each user. </span><br />
<span style="font-family: Arial,Helvetica,sans-serif;"><br /></span>
<br />
<h4>
<span style="font-family: Arial,Helvetica,sans-serif;">Advanced Setup for SELinux</span></h4>
<span style="font-family: Arial,Helvetica,sans-serif;">Google Authenticator's incompatibility with SELinux is well known, but there is <a href="https://bugzilla.redhat.com/show_bug.cgi?id=754978" target="_blank">little agreement </a>on how to fix it. Some recommendations include compiling and rolling new SELinux policies. Others recommend disabling SELinux. But there is a straightforward workaround. </span><br />
<span style="font-family: Arial,Helvetica,sans-serif;"></span><br />
<span style="font-family: Arial,Helvetica,sans-serif;">First, in the PAM file <span style="font-family: "Courier New",Courier,monospace;">/etc/pam.d/sshd</span>, modify the pam_google_authenticator line: </span><br />
<span style="font-family: Arial,Helvetica,sans-serif;"><br /></span>
<span style="font-family: "Courier New",Courier,monospace;">auth required pam_google_authenticator.so nullok secret=/home/${USER}/.ssh/.google_authenticator</span><br />
<span style="font-family: Arial,Helvetica,sans-serif;"><br /></span>
<span style="font-family: Arial,Helvetica,sans-serif;">This does several things. First, "nullok" tells PAM to accept a missing secret file if the user does not have Google Authenticator configured. In other words, users who don't have dual-factor configured can still log in. Next, "secret=..." points PAM at a key file inside the user's .ssh directory, which SELinux already lets sshd access, just as it does for key-based SSH sessions. </span><br />
<span style="font-family: Arial,Helvetica,sans-serif;"><span style="font-family: Arial,Helvetica,sans-serif;"><span style="font-family: Arial,Helvetica,sans-serif;"><br />Second, move the </span></span></span><span style="font-family: "Courier New",Courier,monospace;">.google_authenticator<span style="font-family: Arial,Helvetica,sans-serif;"> </span></span><span style="font-family: Arial,Helvetica,sans-serif;"><span style="font-family: Arial,Helvetica,sans-serif;"><span style="font-family: Arial,Helvetica,sans-serif;">to the .ssh folder for the user -- it may need to be created. It is best to do this as the user.</span></span></span><br />
<br />
<span style="font-family: "Courier New",Courier,monospace;"># mkdir /home/${USER}/.ssh </span><br />
<span style="font-family: "Courier New",Courier,monospace;"># mv /home/${USER}/.google_authenticator /home/${USER}/.ssh/.google_authenticator</span><br />
<span style="font-family: Arial,Helvetica,sans-serif;"><br /></span>
<br />
<span style="font-family: Arial,Helvetica,sans-serif;">Restart the sshd daemon: </span><br />
<br />
<span style="font-family: Arial,Helvetica,sans-serif;"><span style="font-family: "Courier New",Courier,monospace;"># service sshd restart</span> </span><br />
<br />
<span style="font-family: Arial,Helvetica,sans-serif;">That is it for SELinux. </span><br />
<span style="font-family: Arial,Helvetica,sans-serif;"><br /></span>
<br />
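The move above done carefully, as an added example (written for this note, not code from the original post or from the Google Authenticator project): the function takes the home directory as a parameter, creates .ssh with mode 700, refuses to overwrite an existing secret, sets the moved file to mode 600 (the PAM module rejects a secret that is readable by group or others), hands ownership to the home's owner when run as root, and re-labels the directory with restorecon where SELinux tooling exists. The stand-alone run uses a scratch directory and a constructed placeholder secret.

```shell
#!/bin/sh
# Added example (not from the original post): move a user's
# .google_authenticator into ~/.ssh the way the post describes, with the
# ownership and modes the PAM module expects, and re-label for SELinux.
# The home directory is a parameter so the function can be exercised on a
# scratch directory; on a real host run it as the user, or as root with
# the user's home, which then also fixes ownership.

# Move $1/.google_authenticator to $1/.ssh/.google_authenticator.
# Returns 0 on success, 1 if there is nothing to move or a step fails.
relocate_secret() {
    home=$1
    src="$home/.google_authenticator"
    dst="$home/.ssh/.google_authenticator"

    if [ ! -f "$src" ]; then
        echo "no secret at $src"
        return 1
    fi

    # ~/.ssh must exist and be private, the same requirement sshd has for keys.
    mkdir -p "$home/.ssh" || return 1
    chmod 700 "$home/.ssh" || return 1

    # Never clobber an existing secret silently.
    if [ -e "$dst" ]; then
        echo "refusing to overwrite $dst"
        return 1
    fi
    mv "$src" "$dst" || return 1

    # The module rejects a secret that is group- or world-accessible.
    chmod 600 "$dst" || return 1

    # If root is doing this on behalf of a user, hand the files to the
    # home's owner so sshd reads them in that user's context.
    if [ "$(id -u)" = 0 ]; then
        owner=$(stat -c %U "$home" 2>/dev/null) && chown "$owner" "$home/.ssh" "$dst"
    fi

    # Re-label for SELinux: only meaningful where restorecon exists and
    # SELinux is enabled; harmless elsewhere.
    if command -v restorecon >/dev/null 2>&1; then
        restorecon -R "$home/.ssh" 2>/dev/null
    fi
    return 0
}

# Where the secret now lives, i.e. the value for "secret=" in the PAM line.
secret_path() {
    echo "$1/.ssh/.google_authenticator"
}

# Stand-alone demonstration on a constructed scratch "home" directory.
demo() {
    home=$(mktemp -d)
    # Constructed placeholder contents; a real file holds the TOTP secret
    # and the emergency scratch codes written by google-authenticator.
    printf '%s\n' 'PLACEHOLDER-SECRET' '" RATE_LIMIT 3 30' > "$home/.google_authenticator"
    relocate_secret "$home" && echo "secret now at $(secret_path "$home")"
    ls -la "$home/.ssh"
    rm -rf "$home"
}

demo
```

Running it a second time on the same home returns 1 ("no secret at ..."), so it is safe to call from a provisioning script that may be re-run.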
<h4>
<span style="font-family: Arial,Helvetica,sans-serif;">Expected Behavior</span></h4>
<ul>
<li><span style="font-family: Arial,Helvetica,sans-serif;">Users with dual factor configured will need a verification code and a password. </span></li>
<li><span style="font-family: Arial,Helvetica,sans-serif;">Users with no dual factor configured will only need a password. </span></li>
<li><span style="font-family: Arial,Helvetica,sans-serif;">This configuration will not work with key-based ssh configurations. They will bypass the dual factor process. </span></li>
</ul>
<span style="font-family: Arial,Helvetica,sans-serif;"><br /></span>
<span style="font-family: Arial,Helvetica,sans-serif;"><br /></span>Andrew Hoschhttp://www.blogger.com/profile/12207061134715113029noreply@blogger.com1tag:blogger.com,1999:blog-5711099973096454729.post-56981071380322803602012-12-28T10:18:00.000-08:002012-12-28T10:24:43.615-08:00LVM Quickstart - Creating a Volume<div style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; background-color: white; color: black; font-family: Arial, Helvetica, FreeSans, sans-serif; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: 17.33333396911621px; margin-bottom: 10px; orphans: 2; padding: 0px; text-align: left; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
Add the device and then partition it with fdisk. </div>
<div style="background-color: white; color: black; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: 17.3333px; margin-bottom: 10px; orphans: 2; padding: 0px; text-align: left; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<span style="font-family: "Courier New",Courier,monospace;">fdisk /dev/sdb</span></div>
<div style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; background-color: white; color: black; font-family: Arial, Helvetica, FreeSans, sans-serif; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: 17.33333396911621px; margin-bottom: 10px; orphans: 2; padding: 0px; text-align: left; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
For an LVM partition, select type "8e" (Linux LVM) when creating the partition in fdisk. </div>
<div style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; background-color: white; color: black; font-family: Arial, Helvetica, FreeSans, sans-serif; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: 17.33333396911621px; margin-bottom: 10px; orphans: 2; padding: 0px; text-align: left; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
Assign the disk partition to the physical volume: </div>
<div style="background-color: white; color: black; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: 17.3333px; margin-bottom: 10px; orphans: 2; padding: 0px; text-align: left; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<span style="font-family: "Courier New",Courier,monospace;">pvcreate /dev/sdb1</span></div>
<div style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; background-color: white; color: black; font-family: Arial, Helvetica, FreeSans, sans-serif; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: 17.33333396911621px; margin-bottom: 10px; orphans: 2; padding: 0px; text-align: left; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
Next create the volume group. Physical volumes are assigned to the volume group. </div>
<div style="background-color: white; color: black; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: 17.3333px; margin-bottom: 10px; orphans: 2; padding: 0px; text-align: left; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<span style="font-family: "Courier New",Courier,monospace;">vgcreate vg_websvc /dev/sdb1</span></div>
<div style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; background-color: white; color: black; font-family: Arial, Helvetica, FreeSans, sans-serif; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: 17.33333396911621px; margin-bottom: 10px; orphans: 2; padding: 0px; text-align: left; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
Once that is done, logical volumes can be created. This is what will actually hold the file system. Logical volumes are assigned to a volume group.</div>
<div style="background-color: white; color: black; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: 17.3333px; margin-bottom: 10px; orphans: 2; padding: 0px; text-align: left; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<span style="font-family: "Courier New",Courier,monospace;">lvcreate --name lv_websvc --size 10G vg_websvc</span></div>
<div style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; background-color: white; color: black; font-family: Arial, Helvetica, FreeSans, sans-serif; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: 17.33333396911621px; margin-bottom: 10px; orphans: 2; padding: 0px; text-align: left; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
Now it is possible to create the file system. </div>
<div style="background-color: white; color: black; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: 17.3333px; margin-bottom: 10px; orphans: 2; padding: 0px; text-align: left; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<span style="font-family: "Courier New",Courier,monospace;">mkfs.ext4 /dev/vg_websvc/lv_websvc</span></div>
<div style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; background-color: white; color: black; font-family: Arial, Helvetica, FreeSans, sans-serif; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: 17.33333396911621px; margin-bottom: 10px; orphans: 2; padding: 0px; text-align: left; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
And then either manually mount the file system: </div>
<div style="background-color: white; color: black; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: 17.3333px; margin-bottom: 10px; orphans: 2; padding: 0px; text-align: left; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<span style="font-family: "Courier New",Courier,monospace;">mkdir /websvc</span></div>
<div style="background-color: white; color: black; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: 17.3333px; margin-bottom: 10px; orphans: 2; padding: 0px; text-align: left; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<span style="font-family: "Courier New",Courier,monospace;">mount /dev/vg_websvc/lv_websvc /websvc</span></div>
<div style="-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; background-color: white; color: black; font-family: Arial, Helvetica, FreeSans, sans-serif; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: 17.33333396911621px; margin-bottom: 10px; orphans: 2; padding: 0px; text-align: left; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
Or set it to automatically mount via /etc/fstab:</div>
<div style="background-color: white; color: black; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: 17.3333px; margin-bottom: 10px; orphans: 2; padding: 0px; text-align: left; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px;">
<span style="font-family: "Courier New",Courier,monospace;">/dev/mapper/vg_websvc-lv_websvc /websvc ext4 defaults 1 2</span><br />
<br />
<span style="font-family: "Courier New",Courier,monospace;"><span style="font-family: Arial,Helvetica,sans-serif;">Much more detailed information can be found here: </span></span><br />
<span style="font-family: "Courier New",Courier,monospace;"><a href="http://www.howtoforge.com/linux_lvm" rel="nofollow" target="_blank">http://www.howtoforge.com/linux_lvm </a></span></div>
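The fstab entry above uses the /dev/mapper name rather than the /dev/vg/lv path. As an added example (written for this note, not from the original post), the shell functions below derive that name: device-mapper joins the names as VG-LV and escapes every "-" inside a VG or LV name as "--", which is the usual reason a hand-written entry for a volume group like my-vg fails to mount at boot. The names used in the stand-alone run are the post's own plus a constructed hyphenated pair.

```shell
#!/bin/sh
# Added example (not from the original post): derive the /dev/mapper name that
# device-mapper assigns to an LVM logical volume, and the matching fstab line.
# The post's vg_websvc/lv_websvc pair is simple, but device-mapper builds the
# name as VG-LV and escapes every "-" inside a VG or LV name as "--".

# Escape "-" as "--" in one name component.
dm_escape() {
    printf '%s' "$1" | sed 's/-/--/g'
}

# /dev/mapper path for volume group $1, logical volume $2.
lvm_mapper_path() {
    printf '/dev/mapper/%s-%s\n' "$(dm_escape "$1")" "$(dm_escape "$2")"
}

# One fstab line: vg lv mountpoint fstype. Dump and fsck-order fields are
# fixed to "1 2" as in the post's entry for an ext4 data volume.
lvm_fstab_line() {
    printf '%s %s %s defaults 1 2\n' "$(lvm_mapper_path "$1" "$2")" "$3" "$4"
}

# On a live host: confirm /dev/VG/LV and the computed mapper path resolve to
# the same dm device (both are symlinks to /dev/dm-N). Returns 1 if not.
lvm_paths_agree() {
    a=$(readlink -f "/dev/$1/$2") || return 1
    b=$(readlink -f "$(lvm_mapper_path "$1" "$2")") || return 1
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Stand-alone demonstration: the post's names and a constructed hyphenated pair.
lvm_fstab_line vg_websvc lv_websvc /websvc ext4
lvm_fstab_line my-vg my-lv /data ext4
```

Before rebooting, `lvm_paths_agree vg_websvc lv_websvc` confirms the entry written to /etc/fstab names the device the kernel actually created.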
Andrew Hoschhttp://www.blogger.com/profile/12207061134715113029noreply@blogger.com0tag:blogger.com,1999:blog-5711099973096454729.post-85832536205918559972011-10-14T15:40:00.000-07:002011-10-14T15:47:08.317-07:00Using CentOS to update RHELIf you are ever in this terrible conundrum, I am sorry. I make no promises, either in legality or in functionality. But here is how to shift a RHEL box that won’t update to a CentOS yum repository that will. <br />
<br />
Here is how the problem begins:<br />
<blockquote><span style="font-family: 'Courier New';"># yum update subversion <br />
Loading "rhnplugin" plugin <br />
Loading "security" plugin <br />
This system is not registered with RHN. <br />
RHN support will be disabled. <br />
Skipping security plugin, no data <br />
Setting up Update Process <br />
Could not find update match for svn <br />
No Packages marked for Update <br />
</span></blockquote>This means what it says. RHEL support has expired. The workaround involves pointing the RHEL server to the CentOS repository. <br />
<br />
In the /etc/yum.repos.d/ folder create a new file called CentOS-Base.repo. If you have one already, great. Here is what you need in the file:<br />
<blockquote><span style="font-family: 'Courier New';">[base] <br />
name=CentOS-$releasever - Base <br />
#mirrorlist=</span><a href="http://mirrorlist.centos.org/?release="><span style="font-family: 'Courier New';">http://mirrorlist.centos.org/?release=</span></a><span style="font-family: 'Courier New';">$releasever&arch=$basearch&repo=os <br />
#baseurl=</span><a href="http://mirror.centos.org/centos/"><span style="font-family: 'Courier New';">http://mirror.centos.org/centos/</span></a><span style="font-family: 'Courier New';">$releasever/os/$basearch/ <br />
baseurl=</span><a href="http://mirror.centos.org/centos/5/os/"><span style="font-family: 'Courier New';">http://mirror.centos.org/centos/5/os/</span></a><span style="font-family: 'Courier New';">$basearch/ <br />
gpgcheck=1 <br />
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5</span><br />
<span style="font-family: 'Courier New';">#released updates <br />
[updates] <br />
name=CentOS-$releasever - Updates <br />
#mirrorlist=</span><a href="http://mirrorlist.centos.org/?release="><span style="font-family: 'Courier New';">http://mirrorlist.centos.org/?release=</span></a><span style="font-family: 'Courier New';">$releasever&arch=$basearch&repo=updates <br />
#baseurl=</span><a href="http://mirror.centos.org/centos/"><span style="font-family: 'Courier New';">http://mirror.centos.org/centos/</span></a><span style="font-family: 'Courier New';">$releasever/updates/$basearch/ <br />
baseurl=</span><a href="http://mirror.centos.org/centos/5/updates/"><span style="font-family: 'Courier New';">http://mirror.centos.org/centos/5/updates/</span></a><span style="font-family: 'Courier New';">$basearch/ <br />
gpgcheck=1 <br />
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5</span></blockquote><br />
Notice what has been commented out of a standard CentOS-Base.repo file. Without those lines commented out, yum throws an error, because RHEL reports its $releasever as 5Server:<br />
<blockquote><span style="font-family: 'Courier New';">YumRepo Warning: not using ftp, http[s], or file for repos, skipping - 5Server is not a valid release or hasnt been released yet <br />
</span></blockquote>So, comment out the mirrorlist and set the baseurl to a path that actually exists on the CentOS mirror. <br />
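A lint for the resulting .repo file, as an added example (written for this note, not from the original post): each section must have an active baseurl, must not still have an active mirrorlist (the $releasever problem above), and must keep gpgcheck=1 with a gpgkey so packages pulled from the foreign mirror are still signature-checked. Only awk is assumed; the file path is a parameter, and the stand-alone run uses two constructed sample files.

```shell
#!/bin/sh
# Added example (not from the original post): lint a yum .repo file. Every
# section must carry an active baseurl, must not have an active mirrorlist,
# and must keep gpgcheck=1 with a gpgkey. Only awk is assumed.

# Print one line per problem; return 1 if any problem was found.
check_repo_file() {
    awk '
        function flush() {
            if (sec == "") return
            if (!baseurl)  { printf "[%s]: no active baseurl\n", sec; bad = 1 }
            if (mirror)    { printf "[%s]: mirrorlist is still active\n", sec; bad = 1 }
            if (!gpgcheck) { printf "[%s]: gpgcheck is not 1\n", sec; bad = 1 }
            if (!gpgkey)   { printf "[%s]: no gpgkey\n", sec; bad = 1 }
        }
        /^[ \t]*#/ || /^[ \t]*$/ { next }            # comments and blank lines
        /^\[.*\]/ {                                  # start of a new section
            flush()
            sec = $0; sub(/^\[/, "", sec); sub(/\].*$/, "", sec)
            baseurl = mirror = gpgcheck = gpgkey = 0
            next
        }
        /^[ \t]*baseurl[ \t]*=/    { baseurl = 1 }
        /^[ \t]*mirrorlist[ \t]*=/ { mirror = 1 }
        /^[ \t]*gpgkey[ \t]*=/     { gpgkey = 1 }
        /^[ \t]*gpgcheck[ \t]*=[ \t]*1[ \t]*$/ { gpgcheck = 1 }
        END { flush(); exit bad }
    ' "$1"
}

# Constructed samples: the corrected file from the post, and a stock-style
# section that still relies on mirrorlist, $releasever and no signing check.
write_repo_samples() {
    printf '%s\n' \
        '[base]' \
        'name=CentOS-$releasever - Base' \
        '#mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=os' \
        'baseurl=http://mirror.centos.org/centos/5/os/$basearch/' \
        'gpgcheck=1' \
        'gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5' \
        '' \
        '[updates]' \
        'name=CentOS-$releasever - Updates' \
        'baseurl=http://mirror.centos.org/centos/5/updates/$basearch/' \
        'gpgcheck=1' \
        'gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5' > "$1/good.repo"
    printf '%s\n' \
        '[base]' \
        'name=CentOS-$releasever - Base' \
        'mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=os' \
        '#baseurl=http://mirror.centos.org/centos/$releasever/os/$basearch/' \
        'gpgcheck=0' > "$1/bad.repo"
}

# Stand-alone demonstration on the constructed samples.
demo() {
    dir=$(mktemp -d)
    write_repo_samples "$dir"
    for f in good.repo bad.repo; do
        if check_repo_file "$dir/$f"; then echo "$f: ok"; fi
    done
    rm -rf "$dir"
}

demo
```

Run `check_repo_file /etc/yum.repos.d/CentOS-Base.repo` after editing; a non-zero exit with "gpgcheck is not 1" is the one to fix before the first yum install, since it is the only thing standing between the box and unsigned packages from a mirror it has no contract with.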
Once that is done, install the CentOS repository key:<br />
<blockquote><span style="font-family: 'Courier New';"># rpm --import </span><a href="http://mirror.centos.org/centos/RPM-GPG-KEY-CentOS-5"><span style="font-family: 'Courier New';">http://mirror.centos.org/centos/RPM-GPG-KEY-CentOS-5</span></a></blockquote>After this, subversion (or whatever) should install in a breeze.Andrew Hoschhttp://www.blogger.com/profile/12207061134715113029noreply@blogger.com0tag:blogger.com,1999:blog-5711099973096454729.post-35742037132286025122011-06-28T09:54:00.000-07:002011-06-28T09:54:11.317-07:00MD Quickstart–md raidEasy software raid using MD (multiple device driver). <br />
MD just seems more intuitive than the LVM that comes with a click click CentOS installation. Here are the steps for creating a md device. <br />
<h5>1. Create the virtual drive </h5>First create the disks, whether in AWS or on ESX. Four seems to be a magic number. <br />
<blockquote><span style="font-family: Courier New;">mdadm --create /dev/md0 --chunk=256 --level 0 --raid-devices=4 /dev/sdl /dev/sdm /dev/sdn /dev/sdo</span></blockquote>In AWS, the device is easy to know because it is set when the disk is attached to the system.<br />
<br />
In ESX, disks added starting at SCSI 1:0 will likely appear from sdb onward, and the command would look something like this: <br />
<blockquote> <span style="font-family: Courier New;">mdadm --create /dev/md0 --chunk=256 --level 5 --raid-devices=4 /dev/sdb /dev/sdc /dev/sdd /dev/sde</span></blockquote>MD RAID level 0 has excellent performance on AWS (and ESX as well). I’ve seen it garner a 15 percent performance boost in Hudson build environments on AWS. However, RAID 0 cannot be expanded, so upsizing (adding a disk) will require a forklift migration.<br />
<br />
Finally format the drive. If using xfs, that package may need to be installed. <br />
<blockquote><span style="font-family: Courier New;">yum install xfsprogs</span></blockquote><blockquote><span style="font-family: Courier New;">mkfs.xfs /dev/md0</span></blockquote><h5>2. Ensure the device will start at boot</h5>Create a <span style="font-family: Courier New;"><b>/etc/mdadm.conf</b></span> file with the following line: <br />
<blockquote><span style="font-family: Courier New;">DEVICE partitions</span></blockquote>Then add the device md information with the following command:<br />
<blockquote><span style="font-family: Courier New;">mdadm --detail --scan | tee -a /etc/mdadm.conf</span></blockquote><h5>3. Wire up the drive so it will be there after reboot </h5>In <span style="font-family: Courier New;"><b>/etc/fstab</b></span>, add the device to the mount point, in this case <span style="font-family: Courier New;"><b>/data</b></span>: <br />
<blockquote><span style="font-family: Courier New;">/dev/md0 /data xfs noatime,nodiratime,allocsize=512m 0 0</span></blockquote>Running the command <span style="font-family: Courier New;"><b>mount -a</b></span> should mount the drive without any errors. <br />
<h5>4. Check the drive</h5>Two commands will help check status of the drive.<br />
<br />
<span style="font-family: Courier New;"><b>mdadm --detail /dev/md0</b></span> will show the RAID health of the drive. <br />
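For monitoring, the raw `mdadm --detail` output is more than a cron job wants. As an added example (written for this note, not from the original post), the function below reduces it to a healthy/unhealthy verdict from the State and Failed Devices lines; the stand-alone run feeds it two constructed samples, one clean RAID 0 array and one degraded RAID 5 array.

```shell
#!/bin/sh
# Added example (not from the original post): reduce "mdadm --detail" output
# to a single verdict. The State and Failed Devices lines are parsed; a
# degraded or FAILED state, or any failed device, marks the array unhealthy.
# Input is a file path, or "-" for stdin, so on a live host use:
#   mdadm --detail /dev/md0 | md_health -

# Print "healthy: ..." or "unhealthy: REASON"; return 0 or 1 accordingly.
md_health() {
    awk -F' : ' '
        /^ *State :/          { state = $2 }
        /^ *Failed Devices :/ { failed = $2 + 0 }
        /^ *Raid Level :/     { level = $2 }
        END {
            if (state == "") { print "unhealthy: no State line found"; exit 1 }
            if (failed > 0)  { print "unhealthy: " failed " failed device(s)"; exit 1 }
            if (state ~ /degraded|FAILED/) {
                print "unhealthy: state is \"" state "\""; exit 1
            }
            print "healthy: " level ", state " state
            exit 0
        }
    ' "$1"
}

# Constructed samples in the layout mdadm --detail prints. $1 is a scratch dir.
write_md_samples() {
    printf '%s\n' \
        '/dev/md0:' \
        '        Version : 1.2' \
        '     Raid Level : raid0' \
        '     Array Size : 41910272 (39.97 GiB 42.92 GB)' \
        '   Raid Devices : 4' \
        '  Total Devices : 4' \
        '          State : clean' \
        ' Active Devices : 4' \
        'Working Devices : 4' \
        ' Failed Devices : 0' \
        '  Spare Devices : 0' \
        '     Chunk Size : 256K' > "$1/clean.txt"
    printf '%s\n' \
        '/dev/md0:' \
        '     Raid Level : raid5' \
        '   Raid Devices : 4' \
        '  Total Devices : 4' \
        '          State : clean, degraded' \
        ' Active Devices : 3' \
        'Working Devices : 3' \
        ' Failed Devices : 1' \
        '  Spare Devices : 0' > "$1/degraded.txt"
}

# Stand-alone demonstration on the constructed samples.
demo() {
    dir=$(mktemp -d)
    write_md_samples "$dir"
    for f in clean.txt degraded.txt; do
        printf '%s: ' "$f"; md_health "$dir/$f"
    done
    rm -rf "$dir"
}

demo
```

A RAID 0 array, note, has no redundancy to lose: a failed member shows up as the whole array failing, which is why the level-0 build above deserves this check as much as the level-5 one.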
<span style="font-family: Courier New;"><b>df -h</b></span> will show the operating system’s view of the drive.Andrew Hoschhttp://www.blogger.com/profile/12207061134715113029noreply@blogger.com0tag:blogger.com,1999:blog-5711099973096454729.post-36499555562996258902011-05-14T16:25:00.000-07:002011-05-14T16:25:56.667-07:00A secure, consistent SVN mirror<h3>Using svnsync, ssh+svn, and post-commit hooks</h3><br />
Many svn mirror implementations take the hammer approach by running a cron job every minute to poll for changes. Bang, bang, bang and any change is pushed to a mirror via svnsync. But do you really want cron pounding away at subversion all the time and pulling changes out like a rusty nail?<br />
<br />
Hammers and mirrors do not work well together. <br />
<br />
The more elegant approach is to set up post-commit hooks. These capture every change as it happens. Unfortunately getting this to work is frustrating. Many administrators can’t get the post-commit to do anything at all; the post-commit “never runs” with no hint of failure and no logged errors. <br />
<br />
Post-commit configuration usually fails due to permission problems. Each ssh+svn user comes in as themselves when a commit is being made, but that user often does not have permissions to a) run the post-commit hook and/or b) run commands in the post-commit script.<br />
<br />
So here is how to both set up the mirror and set up the permissions so that post-commit can run.<br />
This installation assumes CentOS/Redhat/AWS platforms and an already working svn repository where users access via ssh+svn. <br />
<h2>Set up the svn mirror (aka target)</h2><b>On the target system</b>, create a user that will have exclusive write access to the mirror, traditionally this username is svnsync. <br />
<blockquote><span style="font-family: Courier New;">useradd svnsync</span></blockquote>As the svnsync user, replicate the file system location of the original subversion repository. Then create the blank repository. <br />
<blockquote><span style="font-family: Courier New;">svnadmin create --fs-type=fsfs /repos/svn/myrepos</span></blockquote>Normally when creating an SSH subversion repository, it is necessary to adjust the umask to 002 and create a group that will have write access. But in this case, only this user will have write privileges, so there is no need to create a subversion group, nor to adjust umask.<br />
<br />
Then, if not already done, generate the SSH key pair the svnsync user will use to reach the blank repository over SSH. For added security, prefix the public key in authorized_keys with the following options to lock it down:<br />
<blockquote><span style="font-family: Courier New;">no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty,command="/usr/bin/svnserve -t --tunnel-user=svnsync" </span></blockquote><b>On the source system</b>, add the svnsync user and the private SSH key. This user will read from the source and push changes to the target. <br />
<br />
If a bit paranoid, a secondary check can be put on the<b> target repository</b> in the form of a pre-revprop-change hook, which ensures only the svnsync user can make a change. This will prevent a non-SSH user from accidentally making commits. <br />
<blockquote><span style="font-family: Courier New;">cp -p pre-revprop-change.tmpl pre-revprop-change</span></blockquote>Adjust the script to ensure only the svnsync user can make a revision property change: <br />
<blockquote><span style="font-family: Courier New;">#!/bin/sh</span><br />
<span style="font-family: Courier New;"># hook arguments: $1 repository path, $2 revision, $3 user, $4 property name, $5 action</span><br />
<span style="font-family: Courier New;">USER="$3"</span><br />
<span style="font-family: Courier New;">if [ "$USER" = "svnsync" ]</span><br />
<span style="font-family: Courier New;">then exit 0 </span><br />
<span style="font-family: Courier New;">fi</span><br />
<span style="font-family: Courier New;">echo "Error: only the svnsync user can make changes" >&2</span><br />
<span style="font-family: Courier New;">exit 1</span></blockquote>Then enable the script: <span style="font-family: Courier New;">chmod 755 pre-revprop-change</span><br />
<h2>Populate the mirror</h2>Now the mirror is ready to be initialized and synchronized (a two step process). <b>On the source system</b> first initialize the mirror, which locks the target to the source repository. The init flag uses the <destination> <source> format:<br />
<blockquote><span style="font-family: Courier New;">svnsync init --username svnsync \</span><br />
<span style="font-family: Courier New;">svn+ssh://svnsync@<mirror_server>/repos/svn/myrepos \</span><br />
<span style="font-family: Courier New;">file:///repos/svn/myrepos</span></blockquote>If this fails with the error “<b><span style="font-family: Courier New;">svnsync: Session is rooted</span></b>”, double-check the SSH key. It likely has the repository path in the key: <span style="font-family: Courier New;"><b>-r /repos/svn/myrepos</b></span>. Remove this to generate a successful initialization.<br />
<br />
The target is now locked to the source. Time to push the repository data. On the source svn server, synchronize the data: <br />
<blockquote><span style="font-family: Courier New;">svnsync synchronize --username svnsync \</span><br />
<span style="font-family: Courier New;">svn+ssh://svnsync@<mirror_server>/repos/svn/myrepos</span></blockquote>This may take some time, depending on the number of revisions in the repository and whether the mirror is on the local LAN or remote, such as on Amazon Web Services.<br />
<br />
Congratulations, the source repository now has a read-only mirror. <br />
<br />
However, maybe the network went down or something else happened during the first sync and now the re-sync attempt produces this error:<br />
<blockquote><span style="font-family: Courier New; font-size: x-small;"><b>Failed to get lock on destination repos</b></span></blockquote>Run the <b><span style="font-family: Courier New;">propdel</span></b> command to remove the lock and restart the sync:<br />
<blockquote><span style="font-family: Courier New;">svn propdel svn:sync-lock --revprop -r 0 \</span><br />
<span style="font-family: Courier New;">svn+ssh://svnsync@<mirror_server>/repos/svn/myrepos/</span></blockquote>That should allow the sync to pick up where it stopped before. <br />
<h2>Automate the mirror </h2>Here is where the magic comes in. When a user makes a commit to the source repository via SSH, that process has the permissions of that user, not as root or some svn service. Unfortunately, the mirror only accepts writes from the svnsync user, not from everyone. This is where sudo comes in to solve the problem. <br />
<h5>1. Set up SUDO privileges</h5><b>On the source server</b>, for SSH+SVN access, every user is already a member of an OS group that has read-write access to the repository. These group members must be given the ability to a) become the svnsync user and b) run a single command. Fire up visudo and add this line:<br />
<blockquote><span style="font-family: Courier New;">%svngroup ALL=(svnsync) NOPASSWD: /usr/bin/svnsync</span></blockquote>This allows all members of the svngroup <span style="font-family: Courier New;"><b>(%svngroup</b></span>) the ability to switch to the svnsync user (<b><span style="font-family: Courier New;">ALL=(svnsync)</span></b>) without a password prompt (<b><span style="font-family: Courier New;">NOPASSWD</span></b>) and run a single command (<b><span style="font-family: Courier New;">/usr/bin/svnsync</span></b>). <br />
<br />
Of course, users won’t be doing this manually. They won’t even know they have this “privilege”. If the SSH keys are locked down properly, users can’t log onto the subversion server, much less execute sudo commands remotely. <br />
<br />
Instead, what this sudo change does is give the post-commit hook scripts the ability to push any changes to the mirror as the svnsync user.<br />
<h5>2. Set up the post-commit scripts</h5>Post-commit scripting is well documented, but without the sudo setup and sudo commands in the script, the post-commit scripts will not execute in an SSH+SVN environment.<br />
<br />
<b>On the source server</b>, in the hooks folder, copy post-commit.tmpl and post-revprop-change.tmpl scripts:<br />
<blockquote><span style="font-family: Courier New;">cp -p post-commit.tmpl post-commit</span><br />
<span style="font-family: Courier New;">cp -p post-revprop-change.tmpl post-revprop-change</span></blockquote>Add the svnsync commands to the post-commit script: <br />
<blockquote><span style="font-family: Courier New;">REPOS="$1"</span><br />
<span style="font-family: Courier New;">REV="$2"</span><br />
<span style="font-family: Courier New;">sudo -H -u svnsync /usr/bin/svnsync sync --non-interactive --username svnsync svn+ssh://svnsync@<mirror_server>/repos/svn/myrepos &</span> <br />
<span style="font-family: Courier New;">exit 0</span></blockquote>And also a slight variant to the post-revprop-change script:<br />
<blockquote><span style="font-family: Courier New;">REPOS="$1"</span><br />
<span style="font-family: Courier New;">REV="$2"</span><br />
<span style="font-family: Courier New;">USER="$3"</span><br />
<span style="font-family: Courier New;">PROPNAME="$4"</span><br />
<span style="font-family: Courier New;">ACTION="$5"</span><br />
<span style="font-family: Courier New;">sudo -H -u svnsync /usr/bin/svnsync copy-revprops --non-interactive --username svnsync svn+ssh://svnsync@<mirror_server>/repos/svn/myrepos "$REV" & </span><br />
<span style="font-family: Courier New;">exit 0</span></blockquote>If desired, something like <span style="font-family: Courier New;"><b>>> /tmp/mirror-commit.log 2>&1</b></span> can be added in front of the ampersand so the mirror commits can be monitored. <br />
<br />
Finally, enable the scripts with a <span style="font-family: Courier New;"><b>chmod 755</b></span>. <br />
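The two hook bodies above differ only in the svnsync subcommand they run, so the logic is easy to share. The script below is an added example, not code from the post: a small library that both the post-commit and the post-revprop-change hook on the source server can source. It builds the same svnsync argument list as the hooks above (sync after a commit, copy-revprops after a revision property change), runs it through sudo as the svnsync user with <span style="font-family: Courier New;">-n</span> so a missing sudoers rule fails immediately instead of hanging the commit on a password prompt, records success or failure in a log file, and backgrounds the push so a slow or unreachable mirror never delays the committer. The mirror URL (mirror.example.com), the library path /repos/svn/myrepos/hooks/mirror-lib.sh and the log file name are placeholders, not values from the post.

```shell
#!/bin/sh
# mirror-lib.sh: shared logic for the source repository's post-commit and
# post-revprop-change hooks (added example; placeholder names throughout).

MIRROR_URL="${MIRROR_URL:-svn+ssh://svnsync@mirror.example.com/repos/svn/myrepos}"
SYNC_USER="${SYNC_USER:-svnsync}"
SVNSYNC_BIN="${SVNSYNC_BIN:-/usr/bin/svnsync}"
LOG_FILE="${LOG_FILE:-/tmp/mirror-commit.log}"
# -n: never prompt for a password inside a hook; fail instead if sudoers lacks the rule.
SUDO="${SUDO:-sudo -n -H -u $SYNC_USER}"

# Print the svnsync argument list for a hook type. Returns 1 for an unknown
# hook or for a revprop change without a revision number.
#   mirror_args post-commit            -> sync ... URL
#   mirror_args post-revprop-change 42 -> copy-revprops ... URL 42
mirror_args() {
  case "$1" in
    post-commit)
      printf '%s' "sync --non-interactive --username $SYNC_USER $MIRROR_URL" ;;
    post-revprop-change)
      [ -n "${2:-}" ] || return 1
      printf '%s' "copy-revprops --non-interactive --username $SYNC_USER $MIRROR_URL $2" ;;
    *)
      return 1 ;;
  esac
}

# Push to the mirror in the background so the user's commit is never delayed;
# svnsync output and the outcome go to LOG_FILE. Always returns 0 to the hook
# caller once the arguments are valid, since the commit itself has already landed.
run_mirror() {
  args=$(mirror_args "$@") || { echo "$(date) unsupported hook call: $*" >>"$LOG_FILE"; return 1; }
  (
    # $args is intentionally unquoted so it splits into separate arguments.
    if $SUDO "$SVNSYNC_BIN" $args >>"$LOG_FILE" 2>&1; then
      echo "$(date) ok: $*" >>"$LOG_FILE"
    else
      echo "$(date) FAILED (exit $?): $*" >>"$LOG_FILE"
    fi
  ) &
  return 0
}

# The real hook files then reduce to a single line each, for example post-commit:
#   . /repos/svn/myrepos/hooks/mirror-lib.sh && run_mirror post-commit "$2"
# and post-revprop-change:
#   . /repos/svn/myrepos/hooks/mirror-lib.sh && run_mirror post-revprop-change "$2"
```

Because the hooks exit 0 regardless of what the mirror did, the log file is the only place a broken mirror shows up; check it (or alert on the FAILED lines) rather than assuming silence means the mirror is current.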
<br />
Congratulations. You now have an elegant, automated svn mirror!Andrew Hoschhttp://www.blogger.com/profile/12207061134715113029noreply@blogger.com1tag:blogger.com,1999:blog-5711099973096454729.post-79366623179279337642011-05-06T11:38:00.000-07:002011-05-06T11:44:46.368-07:00Quick JIRA install with MySQL backendThings are much better than the bad early JIRA 4 days of doing a tomcat installation, fixing memory leaks, and tweaking JVM settings. But having a robust MySQL backend on a separate system is still needed, especially with a SQL-query intense GreenHopper add-on.<br />
<br />
This installation assumes CentOS/Redhat type platforms with no GUI overhead. <br />
<h2>MySQL 5.5 is easier than 5.0</h2>MySQL 5.5 already uses innodb as the default engine. Binary row locking is also supported. Both of these are needed on JIRA. MySQL 5.5 also takes more advantage of multicore systems, if you have one. <br />
<br />
Create the JIRA database:<br />
<blockquote><span style="font-family: Courier New;">mysql> create database jiradb character set utf8;</span></blockquote>Create the JIRA db service account and grant privileges with one command:<br />
<blockquote><span style="font-family: Courier New;">mysql> </span><span style="font-family: Courier New;">GRANT SELECT,INSERT,UPDATE,DELETE,CREATE,DROP,ALTER,INDEX on</span><br />
<span style="font-family: Courier New;">-> jiradb.* TO 'jirauser'@'localhost' IDENTIFIED BY '<password>';</span><br />
<span style="font-family: Courier New;">mysql> flush privileges;</span></blockquote>Generally, the MySQL backend is a separate server, so permissions to both the service account and the JIRA system need to be granted:<br />
<blockquote><span style="font-family: Courier New;">mysql> update user set Host='%' where user='jirauser';</span><br />
<span style="font-family: Courier New;">mysql> update db set host='<JIRA server>' where db='jiradb';</span><br />
<span style="font-family: Courier New;">mysql> flush privileges;</span></blockquote>Test the connection from the JIRA server to ensure everything is set up correctly; otherwise, JIRA will not launch cleanly: <br />
<blockquote><span style="font-family: Courier New;"># mysql -h <MySQL Server> -u jirauser -p jiradb</span><br />
<span style="font-family: Courier New;">Enter password:</span><br />
<span style="font-family: Courier New;">Welcome to the MySQL monitor. Commands end with ; or \g. <br />
Your MySQL connection id is 4526 <br />
</span></blockquote><h2>JIRA standalone</h2>Download the JIRA standalone file and “install” it by extracting to your data partition. <br />
<h5>1. Build out the JIRA environment</h5>Download the latest JAVA JRE from <strike>Sun</strike> Oracle. For CentOS/Redhat, this is best done with the rpm binary. Do NOT use the <span style="font-family: Courier New;">yum install java</span>. JIRA does not play nice with openjdk. Uninstall it if it is there. <br />
Set JAVA_HOME as needed, for example in <span style="font-family: Courier New;"><b>/etc/environment</b></span>: <br />
<blockquote><span style="font-family: Courier New;">JAVA_HOME=/usr/java/latest</span></blockquote>Download the latest mysql-connector-java-5.x.x-bin.jar and put it in the lib folder of the installation. If there is an older connector already there, rename to something like mysql-connector-java-5.x.x-bin.jar.OLD. <br />
<br />
Create the JIRA home directory (different from the JIRA installation directory). Adjust the <b><span style="font-family: Courier New;">jira-application.properties</span></b> file to reflect JIRA home. <br />
<br />
If needed for security, create a JIRA service account (different from the MySQL JIRA service account) and set permissions so that this user can access the JIRA installation and home directories:<br />
<blockquote><span style="font-family: Courier New;">/usr/sbin/useradd --create-home --home-dir /usr/local/jira --shell /bin/bash jira</span></blockquote><h5>2. Connect JIRA to the database</h5>The database connection properties need to be adjusted in two locations. The <span style="font-family: Courier New;"><b>conf/server.xml</b></span> must be adjusted: <br />
<blockquote><span style="font-family: Courier New;">com.mysql.jdbc.Driver</span><br />
<span style="font-family: Courier New;">driverClassName="com.mysql.jdbc.Driver"</span><br />
<span style="font-family: Courier New;">url="jdbc:mysql://<MySQL_Server>/jiradb?useUnicode=true&amp;characterEncoding=UTF8"</span></blockquote>Because of potential connectivity issues, add this line to the configuration file: <br />
<blockquote><span style="font-family: Courier New;">validationQuery="select 1"</span></blockquote>And the <b>atlassian-jira/WEB-INF/classes/entityengine.xml</b> needs a change as well:<br />
<blockquote><span style="font-family: Courier New;"><datasource name="defaultDS" field-type-name="mysql"</span></blockquote>Delete the <span style="font-family: Courier New;">schema-name="PUBLIC"</span> line. <br />
<h5>3. Enable SSL on JIRA (recommended)</h5>To avoid passwords going out in the clear, SSL-ize JIRA. This is done easily and quickly with self-generated certificates. However, paid, officially recognized certificates will work as well. <br />
<br />
To self-generate certificates, run the command: <br />
<blockquote><span style="font-family: Courier New;">$JAVA_HOME/bin/keytool -genkey -alias JIRA_server -keyalg RSA</span></blockquote>and follow the prompts. “Your name” is actually the fully qualified domain name of the server. Remember the keystore password that is set so JIRA (tomcat) can access the keystore. <br />
<br />
In <span style="font-family: Courier New;">conf/server.xml</span>, uncomment the <span style="font-family: Courier New;"><Connector port="8443"…/></span> section. If the keystore password is not the JAVA default of ‘changeit’, then add it to the connector:<br />
<blockquote><span style="font-family: Courier New;">keystorePass="<password>"</span></blockquote>Also, if the keystore is not the JAVA default (either <span style="font-family: Courier New;"><b>$HOME/.keystore</b></span> or <b><span style="font-family: Courier New;">$JAVA_HOME/lib/security/cacerts</span></b>), its location needs to be added to the connector as well. <br />
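A self-generated certificate is only as trustworthy as the way clients learn about it: the SSL errors section later in this post has every client import the exported certificate, and a <span style="font-family: Courier New;">keytool -import</span> that nobody checks will happily trust any certificate that arrives by that path. The script below is an added example, not code from the post or from Atlassian: it wraps the export and import steps in functions and refuses to import unless the certificate's SHA-256 fingerprint matches a value obtained out of band (for example, read from <span style="font-family: Courier New;">keytool -list -v</span> on the JIRA server itself). Alias names, file names and the <span style="font-family: Courier New;">changeit</span> passwords are placeholders.

```shell
#!/bin/sh
# Fingerprint-checked trust import for a self-signed JIRA certificate.
# Added example with placeholder names; requires keytool from the JRE.

# Export the server's public certificate (PEM) from the server keystore.
#   $1 keystore  $2 store password  $3 alias  $4 output file
export_server_cert() {
  keytool -exportcert -rfc -keystore "$1" -storepass "$2" -alias "$3" -file "$4" >/dev/null 2>&1
}

# Print the SHA-256 fingerprint of a PEM certificate file, as keytool shows it
# (colon-separated hex). Empty output means keytool could not parse the file.
cert_fingerprint() {
  keytool -printcert -file "$1" | sed -n 's/^[[:space:]]*SHA256:[[:space:]]*//p' | head -n 1
}

# Import a certificate into a truststore only if its fingerprint is the expected one.
#   $1 cert file  $2 expected SHA-256 fingerprint  $3 truststore  $4 store password  $5 alias
# Returns 1 (and imports nothing) on a mismatch, so a substituted certificate is never trusted.
import_if_fingerprint_matches() {
  actual=$(cert_fingerprint "$1")
  if [ -z "$actual" ] || [ "$actual" != "$2" ]; then
    echo "refusing to trust $1: fingerprint '$actual' does not match expected '$2'" >&2
    return 1
  fi
  keytool -importcert -noprompt -file "$1" -keystore "$3" -storepass "$4" -alias "$5" >/dev/null 2>&1
}

# Does the truststore already contain this alias? (exit 0 = yes)
#   $1 truststore  $2 store password  $3 alias
is_trusted() {
  keytool -list -keystore "$1" -storepass "$2" -alias "$3" >/dev/null 2>&1
}

# Typical use on a client (a user's $HOME/.keystore or a system's
# $JAVA_HOME/lib/security/cacerts), with the fingerprint copied from the server:
#   import_if_fingerprint_matches jira_server.crt "AB:CD:..." "$HOME/.keystore" changeit jira_server
```

The fingerprint comparison is the whole point: copying the certificate file around and importing it blindly gives the same PKIX error relief, but also means anyone who can tamper with the file in transit gets a trusted certificate on every client.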
<h2>Starting JIRA </h2>JIRA should now be ready for startup. Be sure to <span style="font-family: Courier New;">tail -f logs/catalina.out</span> and watch for errors during startup. <br />
<h2>SSL errors</h2>If using a self-generated certificate, plugins and IDEs will not trust the certificate that JIRA is using for encryption. <br />
<br />
The error, however, will likely be cryptic: <br />
<blockquote><i>Failed to read servers response: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target</i></blockquote>To remedy this, the client must have the certificate added to their JAVA keystore. <br />
<br />
On the server, export the public certificate and make it generally available:<br />
<blockquote><span style="font-family: Courier New;">$JAVA_HOME/bin/keytool -export -alias <JIRA_Server_Name> -rfc -file jira_server.crt</span></blockquote>Then any client system can import it into their JAVA keystore. If it is a user, that is usually <b><span style="font-family: Courier New;">$HOME/.keystore</span></b>. If it is a system, such as Fisheye or Confluence integrated into JIRA, it will be the global store: <span style="font-family: Courier New;"><b>$JAVA_HOME/lib/security/cacerts</b></span><br />
<br />
The command is this: <br />
<blockquote><span style="font-family: Courier New;">$JAVA_HOME/bin/keytool -import -alias <JIRA_Server> -file jira_server.crt -keystore $JAVA_HOME/lib/security/cacerts</span></blockquote>If it is a server service, the service will need to be restarted before the trust comes into effect.Andrew Hoschhttp://www.blogger.com/profile/12207061134715113029noreply@blogger.com0tag:blogger.com,1999:blog-5711099973096454729.post-15053175346861436222010-07-12T15:55:00.000-07:002010-07-12T15:55:31.095-07:00Extend/Grow a ext4 LVM volume<div style="font-family: Arial,Helvetica,sans-serif;">Extending an LVM volume that holds an ext4 filesystem can be tricky, as many tools can only process ext2 and ext3. But with the correct tools, this is straightforward. </div><div style="font-family: Arial,Helvetica,sans-serif;"><br />
</div><div style="font-family: Arial,Helvetica,sans-serif;"><span style="font-family: Arial,Helvetica,sans-serif;">Ensure </span>e4fsprogs is installed. </div><div style="font-family: Arial,Helvetica,sans-serif;"><br />
</div><div style="font-family: Arial,Helvetica,sans-serif;">Unmount the volume to be expanded: </div><div style="font-family: Arial,Helvetica,sans-serif;"><div style="font-family: "Courier New",Courier,monospace;">umount /websvc</div><br />
Extend the volume:<br />
<span style="font-family: "Courier New",Courier,monospace;">lvextend -L+10G /dev/mapper/VolGroup01-LogVol01</span><br />
<br />
The option +10G extends the volume 10 GB. Another method would be to give a TOTAL desired size:<br />
<div style="font-family: "Courier New",Courier,monospace;">lvextend -L30G /dev/mapper/VolGroup01-LogVol01</div><br />
Run a file system check:<br />
<div style="font-family: "Courier New",Courier,monospace;">e4fsck -f /dev/mapper/VolGroup01-LogVol01</div><br />
Then extend the filesystem:<br />
<span style="font-family: "Courier New",Courier,monospace;">resize4fs /dev/mapper/VolGroup01-LogVol01</span><br />
<br />
That is it. <br />
<br />
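The two lvextend forms above are easy to confuse: <span style="font-family: "Courier New",Courier,monospace;">-L+10G</span> adds 10 GiB, while <span style="font-family: "Courier New",Courier,monospace;">-L30G</span> sets the total to 30 GiB, and the second form fails outright if the volume is already that large or larger. The helper below is an added example, not from the post: a dry-run check that converts either form into the number of bytes that would be added and compares it with the volume group's free space before anything is touched. It takes sizes as arguments so it can be exercised without LVM present; on a real host, feed it the values printed by <span style="font-family: "Courier New",Courier,monospace;">lvs --noheadings --units b --nosuffix -o lv_size</span> and <span style="font-family: "Courier New",Courier,monospace;">vgs --noheadings --units b --nosuffix -o vg_free</span>, which are standard lvm2 options.

```shell
#!/bin/sh
# Dry-run sizing check for lvextend (added example; sizes passed as arguments).

# Convert an integer with optional K/M/G/T suffix (binary units, as lvm2 uses)
# into bytes. No suffix means bytes.
to_bytes() {
  n=$(printf '%s' "$1" | sed 's/[KMGTkmgt]$//')
  case "$1" in
    *[Kk]) echo $((n * 1024)) ;;
    *[Mm]) echo $((n * 1024 * 1024)) ;;
    *[Gg]) echo $((n * 1024 * 1024 * 1024)) ;;
    *[Tt]) echo $((n * 1024 * 1024 * 1024 * 1024)) ;;
    *)     echo "$n" ;;
  esac
}

# bytes_to_add CURRENT_LV_BYTES SIZE_SPEC
# "+10G" grows by 10 GiB; "30G" sets the total to 30 GiB. Prints the number of
# bytes lvextend would add, or returns 1 when the spec would not grow the LV
# (lvextend itself refuses to shrink a volume).
bytes_to_add() {
  cur="$1"
  spec="$2"
  case "$spec" in
    +*) add=$(to_bytes "${spec#+}") ;;
    *)  add=$(( $(to_bytes "$spec") - cur )) ;;
  esac
  [ "$add" -gt 0 ] || return 1
  echo "$add"
}

# can_extend CURRENT_LV_BYTES VG_FREE_BYTES SIZE_SPEC
# Exit 0 if the volume group has enough free space for the requested growth.
can_extend() {
  add=$(bytes_to_add "$1" "$3") || return 1
  [ "$add" -le "$2" ]
}

# Example wiring on a real host (placeholder names, commented out):
#   cur=$(lvs --noheadings --units b --nosuffix -o lv_size /dev/VolGroup01/LogVol01 | tr -d ' ')
#   free=$(vgs --noheadings --units b --nosuffix -o vg_free VolGroup01 | tr -d ' ')
#   can_extend "$cur" "$free" +10G && lvextend -L+10G /dev/mapper/VolGroup01-LogVol01
```

Running the check first turns the "Insufficient free space" failure from lvextend into a decision made before the volume is unmounted, which matters when the filesystem is serving something.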
</div>Andrew Hoschhttp://www.blogger.com/profile/12207061134715113029noreply@blogger.com1tag:blogger.com,1999:blog-5711099973096454729.post-90549727790528361292010-06-16T07:55:00.000-07:002010-06-16T09:19:01.599-07:00lvm and ext4During OS install, allow the new partition to be created by LVM, for example /websvc<br />
<br />
This filesystem will be ext3. Note the Volume group and logical volume (VolGroup01-LogVol01)<br />
<br />
<div style="font-family: "Courier New",Courier,monospace;">yum install e4fsprogs</div><br />
<div style="font-family: "Courier New",Courier,monospace;">umount /websvc</div><br />
<span style="font-family: "Courier New",Courier,monospace;">mkfs.ext4 /dev/mapper/VolGroup01-LogVol01</span> -- this will wipe out everything on the filesystem and transform it to ext4<br />
<br />
When complete, do a test mount: <br />
<div style="font-family: "Courier New",Courier,monospace;">mount -t ext4 /dev/mapper/VolGroup01-LogVol01 /websvc</div><br />
<span style="font-family: "Courier New",Courier,monospace;">df -T</span> will show which filesystem type is in use.<br />
<br />
last step is to modify /etc/fstab: change the ext3 entry to ext4 for this filesystem.Andrew Hoschhttp://www.blogger.com/profile/12207061134715113029noreply@blogger.com0tag:blogger.com,1999:blog-5711099973096454729.post-83139291400196722742009-11-03T15:39:00.001-08:002009-11-05T21:29:37.495-08:00Top 5 Free Laptop Security Programs<span style=";font-family:arial;font-size:85%;" >The internet is a scary place. You can't trust anyone!<br />What can a regular person do to help protect themselves? Luckily free, high quality applications can help make the internets a safer place. </span><br /><br /><span style="font-weight: bold;font-family:arial;font-size:100%;" >Physical Security</span><br /><span style=";font-family:arial;font-size:85%;" ><a href="http://www.truecrypt.org/">Truecrypt</a> is a whole disk encryption solution.<a href="http://www.truecrypt.org/news"> Version 6.3</a> just came out. If you lose your laptop, or have a break in and your computer is stolen, Truecrypt will protect your valuable data from compromise. Unlike BitLocker, this solution is not limited to deluxe Windows machines. And unlike other solutions, such as PGP Whole Disk, it does not cost $150 a seat. </span><br /><br /><span style="font-weight: bold;font-family:arial;font-size:100%;" >Surfing Privacy</span><br /><span style=";font-family:arial;font-size:85%;" >All modern browsers have a privacy option, which basically protects your history from others who may use your computer. But it does not protect websites from tracking you and your clicks. Firefox has <a href="https://addons.mozilla.org/en-US/firefox/browse/type:1/cat:12">add-ons</a> that make it more difficult for websites and web services to track what you do.<br /><br /><a href="https://addons.mozilla.org/en-US/firefox/addon/1865">Ad Block Plus</a> will block ads from loading and also prevent advertisers from dropping cookies in your browser cache. 
Your browsing will be faster, cleaner, and more private.<br /><br /><a href="https://addons.mozilla.org/en-US/firefox/addon/6623">Better Privacy</a> will delete so-called "super-cookies", also known as Local Shared Objects. These super-cookies are dropped via flash objects. Your browser does NOT delete them, even in privacy mode, and so many sites -- Google is one -- love to drop cookies here, as they rarely get cleared and most people do not even know they exist! </span><br /><br /><span style="font-weight: bold;font-family:arial;font-size:100%;" >Email Integrity and confidentiality</span><br /><span style=";font-family:arial;font-size:85%;" ><a href="http://www.gpg4win.org/">Gpg4win</a> is a key-based email system. Share your public key and people can use it to send you encrypted mail. Keep your private key secure, as it is the only way to decrypt what people send you. GPG4win has just released a new version, but 1.1.3 is the latest that works with Outlook. Like all PGP solutions, it does both encryption and digital signing.</span><br /><br /><span style="font-weight: bold;font-family:arial;font-size:100%;" >Availability</span><br /><span style=";font-family:arial;font-size:85%;" ><a href="http://www.areca-backup.org/documentation.php">Areca Backup</a> is a powerful, Java-based backup solution. It can be as powerful as an Enterprise solution, with multiple differentials, incrementals, and merged backups. It can be as simple as running a full backup with a single click. It can be automated with Windows Task Scheduler or non-Windows cron. 
Restoring is easy as well, and again, can be as complex as pulling specific version of a file or as simple as an entire one-click recovery.<br /><br />Best of all, it can run over FTP or secure FTP as a remote solution.<br /><br />These five simple applications, free for use, can go a long way to protecting your data and privacy.<br /><br />And though they are free, don't forget these are very active projects, and donations are always accepted!</span>Andrew Hoschhttp://www.blogger.com/profile/12207061134715113029noreply@blogger.com0tag:blogger.com,1999:blog-5711099973096454729.post-88587377876055921722009-09-21T11:18:00.001-07:002009-11-05T20:16:04.234-08:00When nslookup and ping work, but server still looks downNslookup works, ping does not<br /><br /><span style=";font-family:arial;font-size:85%;" >Many network issues can be isolated when pinging by IP address works, but nslookup does not. This points to a name resolution issue. But what about when<br /></span><ul><li><span style=";font-family:arial;font-size:85%;" >pinging by IP works</span></li></ul><ul><li><span style=";font-family:arial;font-size:85%;" ><span style="font-weight: bold;font-family:courier new;font-size:85%;" >nslookup</span> works</span></li></ul><ul style="font-weight: bold;"><li><span style=";font-family:arial;font-size:85%;" >pinging by name does NOT work!</span></li></ul><span style=";font-family:arial;font-size:85%;" ><br />Background: The secure network has access to the corporate network, but the corporate network does not have access to the secure network. 
This connection is managed by a standard firewall maintaining state tables.<br /><br />The problem: Users on the secure network, however, are reporting that servers on the corporate network disappear and reappear randomly during the day.<br /><br />So make a guess:<br />a) the firewall is occasionally getting overwhelmed<br />b) Windows DNS on the secure network is having issues<br />c) Windows DNS on the corporate network is having issues<br />d) Bad switch or other physical issue<br />e) Secure active directory or corporate active directory is uncooperative<br />f) None of the above<br /><br />The corporate mail server, always up, was the system people most noticed disappearing and reappearing during the day. So, when Outlook lost connectivity, the troubleshooting begins.<br /><br />Curiously, when doing nslookup, everything would look okay: </span><br /><br /><span style=";font-family:courier new;font-size:85%;" >C:\Windows\system32>nslookup<br />Default Server: dns1.secure.net<br />Address: 10.1.1.1<br /><br />> mail.yourdomain.com<br />Server: dns1.secure.net<br />Address: 10.1.1.1<br /><br />Name: mail.yourdomain.com<br />Address: 10.0.6.1</span><br /><br /><span style=";font-family:arial;font-size:85%;" >But doing a ping would result in this:</span><br /><br /><span style=";font-family:courier new;font-size:85%;" >C:\Windows\system32>ping mail.yourdomain.com<br /><br />Ping request could not find host mail.yourdomain.com. 
Please check the name and try again.</span><br /><br /><span style=";font-family:arial;font-size:85%;" >Yet more curious: </span><br /><span style=";font-family:courier new;font-size:85%;" >C:\Windows\system32>ping 10.0.6.1<br />Pinging mail.yourdomain.com [10.0.6.1] with 32 bytes of data:<br />Reply from 10.0.6.1: bytes=32 time=376ms TTL=124<br />Reply from 10.0.6.1: bytes=32 time=182ms TTL=124<br />Reply from 10.0.6.1: bytes=32 time=484ms TTL=124<br />Reply from 10.0.6.1: bytes=32 time=340ms TTL=124<br /><br />Ping statistics for 10.0.6.1:<br /> Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),<br />Approximate round trip times in milli-seconds:<br /> Minimum = 182ms, Maximum = 484ms, Average = 345ms</span><br /><br /><span style=";font-family:arial;font-size:85%;" >This would seem to eliminate an overworked firewall. Pinging by IP worked, so the connectivity was there. This also would seem to eliminate a physical layer issue.<br /><br />But also, nslookup worked, so name resolution was working as well. What the heck?<br /><br />The error logs of dns1.secure.net did not show any errors. The corporate network forwarder was set to dns12.yourdomain.com and dns14.yourdomain.com. Perhaps the issue was with one of these systems. The idea being, dns1.secure.net would forward the request, but one of these would not be able to reply for whatever reason.<br /><br />Unfortunately, neither dns12 nor dns14 showed any issues. And furthermore, no one was reporting connection issues on the corporate network.<br /><br />After a while, I gave up and tried to run a backup of my laptop to backup.publicdomain.com, which has an intranet address and an external for those not in . 
But I could not connect.<br /><br />Again, nslookup looked fine: </span><br /><span style=";font-family:courier new;font-size:85%;" >C:\Windows\system32>nslookup<br />Default Server: dns1.secure.net<br />Address: 10.1.1.1<br /><br />> backup.publicdomain.com<br />Server: dns1.secure.net<br />Address: 10.1.1.1<br /><br />Name: backup.publicdomain.com<br />Address: 10.8.1.4</span><br /><br /><span style=";font-family:arial;font-size:85%;" >But ping gave me a different answer this time: </span><br /><br /><span style=";font-family:courier new;font-size:85%;" >C:\Windows\system32>ping backup.publicdomain.com<br /><br />Pinging backup.publicdomain.com [public IP] with 32 bytes of data<br />Request timed out.<br />Request timed out.</span><br /><br /><span style=";font-family:arial;font-size:85%;" >I realized it was doing a recursive lookup, but from where? That is when I remembered there are two DNS servers on the secure network: </span><br /><br /><span style=";font-family:courier new;font-size:85%;" >C:\Windows\system32>nslookup<br />Default Server: dns1.secure.net<br />Address: 10.1.1.1<br /><br /><span style="color: rgb(255, 0, 0);">> server 10.1.1.2</span><br />Default Server: dns2.secure.net<br />Address: 10.1.1.2<br /><br />> backup.publicdomain.com<br />Server: dns2.secure.net<br />Address: 10.1.1.2<br /><br /><span style="color: rgb(255, 0, 0);">Non-authoritative answer:</span><br />Name: backup.publicdomain.com<br />Address: PUBLIC IP</span><br /><br /><span style=";font-family:arial;font-size:85%;" >A recursive lookup! Meaning dns2 did NOT know the company's external domain. 
How about the internal domain?</span><br /><br /><span style=";font-family:courier new;font-size:85%;" >> mail.yourdomain.com<br />Server: dns2.secure.net<br />Address: 10.1.1.2<br /><br />*** dns2.secure.net can't find mail.yourdomain.com: Non-existent domain<br />> owa.yourdomain.com<br />Server: dns2.secure.net<br />Address: 10.1.1.2<br /><br />*** dns2.secure.net can't find owa.yourdomain.com: Non-existent domain</span><br /><br /><span style=";font-family:arial;font-size:85%;" >In other words, 10.1.1.2 did not have the forwarders set up. And at some point, the client TCP/IP stack had switched dns2 for DNS, EVEN THOUGH NSLOOKUP WENT TO dns1!!!<br /><br />I have since added all of the forwarders so they match. Since then, I have not had any connectivity issues. Problem solved. And why were the forwarders not set up in the first place? The dns server had recently been rebuilt from scratch and during the rebuild, the forwarders were forgotten.</span><br /><span style="font-weight: bold;font-family:arial;font-size:85%;" ><br />Answer: b) Windows DNS on the secure network is having issues</span>Andrew Hoschhttp://www.blogger.com/profile/12207061134715113029noreply@blogger.com0tag:blogger.com,1999:blog-5711099973096454729.post-38672227397246210642009-09-16T08:03:00.000-07:002009-09-26T09:35:13.352-07:00Dell Bluetooth on Windows 7<span style=";font-family:arial;font-size:85%;" >A lot of issues have popped up concerning the Dell laptop Bluetooth module on Windows 7. Some laptops, such as the D630, seem to work out of the box. Others, such as the D620, do not. Some people blame Dell for not rolling out new drivers, others blame Microsoft for not pushing fresh drivers through Windows Update.<br /><br />Many fix-it ideas are floating out there, but a simple approach has worked for me: <br /><br />Go to the Dell site and install the Windows XP 64-bit drivers for your particular model - you ARE running 64-bit, aren't you? This should get things functional. 
But you may still notice timeout and sync issues.<br /> <br />To solve this, go to Device Manager. Open the Properties for the Dell Wireless 3x0 Bluetooth Module. On the Power Management tab, uncheck </span><span style=";font-family:courier new;font-size:85%;" >"Allow the computer to turn off this device to save power"</span><br /><br /><span style=";font-family:arial;font-size:85%;" >That should get you production ready until Dell (or Microsoft) rolls out fresh drivers for these modules. </span>Andrew Hoschhttp://www.blogger.com/profile/12207061134715113029noreply@blogger.com0tag:blogger.com,1999:blog-5711099973096454729.post-54997115322685075592009-08-10T07:30:00.001-07:002009-08-12T20:53:41.035-07:00Areca Backup on 64-bit Windows<span style=";font-family:arial;font-size:85%;" ><a href="http://www.areca-backup.org/">Areca </a>is an excellent open source cross platform backup utility. Combine it with an FTPS server and you have a secure, available anywhere backup system. In other words, your own free cloud backup solution.<br /><br />However, Areca <a href="http://www.areca-backup.org/documentation.php#tocHelp11">does not officially support 64-bit operating systems</a>. This does NOT mean, however, that you cannot run Areca on a 64-bit system.<br /><br />First, even with 64-bit Java runtime installed, Areca will not see that java is there.<br />The solution is to install the x86 version of Java.<br /><br />Next, when launching, you will get the dreaded </span><span style=";font-family:courier new;font-size:85%;" >"msvcr71.dll not found"</span><span style=";font-family:arial;font-size:85%;" > error.<br /><br />The solution is to do a search for the msvcr71.dll on your system. It is there, especially if you have Office installed. 
If you can't find it, you need to enable "Show system files" in the folder and search properties.<br /><br />Copy this file into </span><span style=";font-family:courier new;font-size:85%;" >C:\Windows\SysWOW64</span><span style=";font-family:arial;font-size:85%;" > and everything should work.<br /><br />I hope one day the Areca folks will create a 64-bit build. But until then, this is an easy workaround to enable 32-bit Areca on your system.<br /></span>Andrew Hoschhttp://www.blogger.com/profile/12207061134715113029noreply@blogger.com5tag:blogger.com,1999:blog-5711099973096454729.post-48288887678023639522009-08-04T10:11:00.001-07:002009-08-04T15:42:33.840-07:00Dual factor OpenVPN with Active Directory and Certificate Services (sample configs)<span style=";font-family:arial;font-size:85%;" >This is a server and client sample that complement each other and would need to be modified to fit your environment. It will support dual factor (AD+Certificate) VPN.<br /><br /></span><span style="font-weight: bold;font-family:arial;font-size:100%;" >Sample server.conf configuration</span><br /><span style=";font-family:courier new;font-size:85%;" ><br /># This file is for the server side #<br /># of a many-clients <-> one-server #<br /># OpenVPN configuration. <br /><br /># Which local IP address should OpenVPN<br /># listen on? 
(optional)<br />local a.b.c.d<br /># Which TCP/UDP port should OpenVPN listen on?<br />port 443<br /><br /># TCP or UDP server?<br />proto tcp<br /><br /># "dev tap" will create an ethernet tunnel.<br />dev tap0<br /><br /># OpenVPN can use a PKCS #12 formatted key file<br /># (see "pkcs12" directive in man page).<br />pkcs12 /etc/openvpn/easy-rsa/keys/openvpnServer.pfx<br /><br />#Allows for AD authentication<br />plugin /usr/share/openvpn/plugin/lib/openvpn-auth-pam.so login<br /><br /># Diffie hellman parameters.<br />dh /etc/openvpn/easy-rsa/keys/dh1024.pem<br /><br /># Maintain a record of client <-> virtual IP address<br /># associations in this file.<br />ifconfig-pool-persist ipp.txt<br /><br /># Configure server mode for ethernet bridging.<br />server-bridge 10.X.X.X 10.X.X.255 10.X.1.1 10.X.1.100<br /><br /># Push routes to the client to allow it<br /># to reach other private subnets behind<br /># the server.<br />push "route 10.X.X.X 255.X.X.X 10.X.X.1"<br /><br /># Certain Windows-specific network settings<br /># can be pushed to clients, such as DNS<br /># or WINS server addresses.<br />push "dhcp-option WINS 10.X.X.X"<br />push "dhcp-option DNS 10.X.X.X"<br /><br /># Uncomment this directive to allow different<br /># clients to be able to "see" each other.<br />client-to-client<br /><br /># The keepalive directive causes ping-like<br /># messages to be sent back and forth over<br /># the link<br />keepalive 10 120<br /><br /># For extra security beyond that provided<br /># by SSL/TLS, create an "HMAC firewall"<br /># to help block DoS attacks and UDP port flooding.<br />tls-auth /etc/openvpn/easy-rsa/keys/ta.key 0<br /><br /># Enable compression on the VPN link.<br />comp-lzo<br /><br /># The maximum number of concurrently connected<br /># clients we want to allow.<br />max-clients 50<br /><br /># It's a good idea to reduce the OpenVPN<br /># daemon's privileges after initialization.<br />user nobody<br />group nobody<br /><br /># The persist options 
will try to avoid<br /># accessing certain resources on restart<br />persist-key<br />persist-tun<br /><br /># Use log or log-append to override this default.<br />log-append openvpn.log<br /><br /># Set the appropriate level of log<br /># file verbosity.<br />verb 3<br /><br /># Silence repeating messages. At most 20<br /># sequential messages of the same message<br /># category will be output to the log.<br />mute 20</span><br /><br /><span style="font-weight: bold;font-family:arial;font-size:100%;" >Sample client.ovpn configuration file</span><br /><br /><span style=";font-family:courier new;font-size:85%;" ># client file has a .ovpn extension #<br />client<br />dev tap<br />proto tcp<br />#</span><span style=";font-family:courier new;font-size:85%;" >***********************************#</span><span style=";font-family:courier new;font-size:85%;" > remote server<br />remote openvpn.yourdomain.com 443<br />#</span><span style=";font-family:courier new;font-size:85%;" >***********************************#</span><br /><span style=";font-family:courier new;font-size:85%;" >resolv-retry infinite<br />nobind<br />persist-key<br />persist-tun<br />tls-auth "C:\\Program Files\\OpenVPN\\config\\ta.key" 1<br />ca "C:\\Program Files\\OpenVPN\\config\\CA.cer"<br /> #<br /> # #<br />#***********************************#<br />#Change the name here to your CERT *#<br />#***********************************#<br />cryptoapicert "SUBJ:CLIENT.YOURDOMAIN.COM"<br />#***********************************#<br /> #<br /> # #<br />auth-user-pass<br />comp-lzo<br />verb 3<br />route-method exe<br />route-delay 2</span>Andrew Hoschhttp://www.blogger.com/profile/12207061134715113029noreply@blogger.com0tag:blogger.com,1999:blog-5711099973096454729.post-76564173997498209252009-08-03T07:56:00.000-07:002009-08-04T15:32:09.164-07:00Dual factor OpenVPN with Active Directory and Certificate Services (Part 4 of 4)<span style="font-weight: bold;font-family:arial;font-size:100%;" >4. 
Client Installation</span><br /><br /><span style=";font-family:arial;font-size:85%;" >Client installation involves three basic steps:<br />1. Get a certificate that identifies the client computer, if this is not already done.<br />2. Install the OpenVPN package, preferably one pre-packaged with all the configuration files:<br /> a ta.key,<br /> a CA certificate,<br /> a configuration file.<br />3. Change a single line in the <a href="http://www.untrustedconnection.com/2009/08/dual-factor-openvpn-with-active_04.html">OpenVPN configuration file</a> to match the client machine name.</span><br /><br /><span style="font-weight: bold;font-family:arial;font-size:100%;" >4.1 Getting a certificate</span><br /><span style=";font-family:arial;font-size:85%;" >If this is not handled by Group Policy, a certificate can be requested manually, assuming you already have a <a href="http://www.microsoft.com/windowsserver2003/technologies/pki/default.mspx">PKI in house</a>.<br />Before starting, the machine must be a domain member and on the network.<br /><br />Go to Start > Run > and type </span><span style=";font-family:courier new;font-size:85%;" >mmc</span><br /><span style=";font-family:arial;font-size:85%;" >Add the "Certificates" snap-in (Computer account).<br />Open the "Personal" folder; Right Click > All Tasks > Request New Certificate.<br />Select "Computer" as the type of request.<br />Select Enroll and you are done.</span><br /><br /><span style="font-weight: bold;font-family:arial;font-size:100%;" >4.2 Install the OpenVPN executable</span><br /><span style=";font-family:arial;font-size:85%;" >Install with defaults.<br />During install, you may get a warning about an unsigned driver. This is normal. 
Click "CONTINUE".</span><br /><br /><span style="font-weight: bold;font-family:arial;font-size:100%;" >4.3 Configure the client</span><br /><span style=";font-family:arial;font-size:85%;" >Open the C:\Program Files\OpenVPN\config folder; Open the ovpn file. At the cryptoapicert line, change the "MACHINENAME" to the name of the client machine, i.e. YOURCLIENT.YOURDOMAIN.COM</span><br /><br /><span style=";font-family:courier new;font-size:85%;" >cryptoapicert "SUBJ:YOURCLIENT.YOURDOMAIN.COM"</span><br /><br /><span style=";font-family:arial;font-size:85%;" >VISTA/Win7: The shortcut should be set to run as Administrator.<br /><br />You are ready to go.<br /></span>Andrew Hoschhttp://www.blogger.com/profile/12207061134715113029noreply@blogger.com0tag:blogger.com,1999:blog-5711099973096454729.post-17951855194754767042009-07-31T10:08:00.001-07:002009-08-04T15:38:18.711-07:00Dual factor OpenVPN with Active Directory and Certificate Services (Part 3 of 4)<span style="font-weight: bold;font-family:arial;font-size:100%;" >3 Building OpenVPN</span><br /><span style=";font-family:arial;font-size:85%;" >It is possible to build from scratch, but here are the instructions for using RPM packages. LZO is the compression library package to boost OpenVPN's performance.<br /><br />Specifically, these are the packages:<br />lzo2-2.02-3.el5.rf.i386.rpm<br />lzo2-devel-2.02-3.el5.rf.i386.rpm (optional)<br />openvpn-2.0.9-1.el5.rf.i386.rpm</span><br /><br /><span style="font-weight: bold;font-family:arial;font-size:100%;" >3.1 Build and install the bridge.</span><br /><span style=";font-family:arial;font-size:85%;" >The bridge consists of bridge-utils and sysfsutils. 
This example has an older version.</span><br /><br /><span style=";font-family:courier new;font-size:85%;" ># yum install bridge-utils:<br />(1/2): sysfsutils-1.3.0-1 100% |=========================| 64 kB 00:01<br />(2/2): bridge-utils-1.0.6 100% |=========================| 27 kB 00:00<br />Running Transaction Test<br />Finished Transaction Test<br />Transaction Test Succeeded<br />Running Transaction<br />Installing: sysfsutils ######################### [1/2]<br />Installing: bridge-utils ######################### [2/2]<br />Installed: bridge-utils.i386 0:1.0.6-1.2<br />Dependency Installed: sysfsutils.i386 0:1.3.0-1.2.1<br />Complete!</span><br /><br /><span style="font-weight: bold;font-family:arial;font-size:100%;" >3.2 Install OpenVPN</span><br /><span style=";font-family:arial;font-size:85%;" >The LZO libraries are found at<a href="http://www.oberhumer.com/opensource/lzo/download/"> http://www.oberhumer.com/opensource/lzo/</a>. Or you can search for them on <a href="http://www.rpmfind.net/linux/rpm2html/search.php?query=lzo&submit=Search+...">RPMfind</a>. LZO is used for data compression. The OpenVPN version 2.0.9 is a bit old, but it is widely supported and is the latest stable. The RC candidates can be explored in future deployments.<br /><br />Installation is simple:</span><br /><span style=";font-family:courier new;font-size:85%;" ># rpm -ivh lzo-2.02-2.el5.1.i386.rpm<br /># rpm -ivh openvpn-2.0.9-1.el5.rf.i386.rpm<br /># pwd<br />/usr/share/doc/openvpn-2.0.9<br /># cp -pR * /etc/openvpn</span><br /><br /><span style=";font-family:arial;font-size:85%;" >That is it. You are done – but for one thing, disable OpenVPN in <span style="font-family:courier new;">ntsysv</span>. 
We will use a script to start it, because we need the bridge up before OpenVPN.</span><br /><br /><span style="font-weight: bold;font-family:arial;font-size:100%;" >3.3 Create the PKI infrastructure</span><br /><span style=";font-family:arial;font-size:85%;" >You should already have Active Directory Certificates Services up and running. You will have a total of three keys/certificates at the end:<br />• an identification certificate from the CA<br />• a D-H key, used for TLS/SSL encryption<br />• a TA.key, which prevents untrusted clients from even connecting to the system</span><br /><br /><span style=";font-family:arial;font-size:100%;" >3.3.1 Get the identification certificate</span><br /><span style=";font-family:arial;font-size:85%;" >Go to https://yourdomain/certsrv/<br />Select the ComputerALL Template<br />"Name" is the name of the machine, not your name…<br />INCLUDE ALL CERTIFICATES = check (this package must include the CA path and certificate)<br />ENABLE STRONG PROTECTION = no check<br />Get the PFX file and move it on the vpn server. Use MOVE, not COPY. We do not want multiple copies of this file.<br />If you do not want to enter a password every time you start OpenVPN, then do not include a password on the PFX file.<br /><br />On the OpenVPN box:</span><br /><span style=";font-family:courier new;font-size:85%;" ># pwd<br />/etc/openvpn/easy-rsa<br /># mkdir keys<br /># chmod 700 keys<br /># mv [source] openvpnServer.pfx<br /># chmod 600 openvpnServer.pfx</span><br /><br /><span style=";font-family:arial;font-size:100%;" >3.3.2 Generate the DH key</span><br /><span style=";font-family:arial;font-size:85%;" >Edit the vars file to generate the DH key in the easy-rsa folder. 
Keep the key length at 1024.</span><br /><span style=";font-family:courier new;font-size:85%;" >export KEY_COUNTRY=YOURCOUNTRY<br />export KEY_PROVINCE=YOURSTATE<br />export KEY_CITY=YOURCITY<br />export KEY_ORG="YOURGROUP"<br />export KEY_EMAIL="noreply@yourdomain.com"</span><br /><br /><span style=";font-family:arial;font-size:85%;" >Then build the key.</span><br /><span style=";font-family:courier new;font-size:85%;" ># . ./vars<br /># . ./build-dh</span><br /><br /><span style=";font-family:arial;font-size:100%;" >3.3.3 TA key generation</span><br /><span style=";font-family:arial;font-size:85%;" >Create the ta key for added security. It is optional, but it causes OpenVPN to drop any <a href="http://openvpn.net/index.php/open-source/documentation/howto.html#security">connection handshake</a> attempt that does not carry the ta key.</span><br /><span style=";font-family:courier new;font-size:85%;" ># pwd<br />/etc/openvpn/easy-rsa/keys<br /># openvpn --genkey --secret ta.key<br /># ls<br />dh1024.pem ta.key openvpnServer.pfx</span><br /><br /><span style="font-weight: bold;font-family:arial;font-size:100%;" >3.4 Create the bridge</span><br /><span style=";font-family:arial;font-size:85%;" >The bridge scripts can be found in the sample-scripts folder. 
The bridge is what will be used so full access is possible for clients.</span><br /><br /><span style=";font-family:courier new;font-size:85%;" ># cp -p bridge-start bridge-stop /etc<br /># chmod 700 bridge-start bridge-stop<br /># vi /etc/bridge-start<br />## Define physical ethernet interface to be bridged<br />## with TAP interface(s) above.<br />eth="eth0"<br />eth_ip="</span><span style=";font-family:courier new;font-size:85%;" >10.X.X.X</span><span style=";font-family:courier new;font-size:85%;" >"<br />eth_netmask="255.0.0.0"<br />eth_broadcast="10.X.X.255"</span><br /><br /><span style=";font-family:arial;font-size:85%;" >Then start the bridge.</span><br /><span style=";font-family:courier new;font-size:85%;" ># /etc/bridge-start</span><br /><span style=";font-family:arial;font-size:85%;" ><br />If everything is working it should look like this, with a br0 and a tap0 – the tap does NOT have an ip address, everything else should:</span><br /><span style=";font-family:courier new;font-size:85%;" ># ifconfig<br />br0 Link encap:Ethernet HWaddr 00:0C:29:1F:F7:F2<br /> inet addr:10.X.X.X Bcast:10.X.X.255 Mask:255.0.0.0<br /> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1<br /><br />eth0 Link encap:Ethernet HWaddr 00:0C:29:1F:F7:F2<br /> inet addr:10.</span><span style=";font-family:courier new;font-size:85%;" >X.X.X</span><span style=";font-family:courier new;font-size:85%;" > Bcast:</span><span style=";font-family:courier new;font-size:85%;" >10.X.X.255 Mask:255.0.0.0</span><span style=";font-family:courier new;font-size:85%;" ><br /> UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1<br /><br />eth1 Link encap:Ethernet HWaddr 00:0C:29:1F:F7:FC<br /> inet addr:1.X.X.X Bcast:1.X.X.255 Mask:255.255.255.0<br /> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1<br /><br />lo Link encap:Local Loopback<br /> inet addr:127.0.0.1 Mask:255.0.0.0<br /> UP LOOPBACK RUNNING MTU:16436 Metric:1<br /><br />tap0 Link encap:Ethernet HWaddr 7A:DD:C3:66:AA:2C<br /> UP 
BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1<br /> </span><br /><span style=";font-family:arial;font-size:85%;" >You also have to add these to allow traffic. They will work, even if iptables is off.</span><br /><br /><span style=";font-family:courier new;font-size:85%;" ># iptables -A INPUT -i tap0 -j ACCEPT<br /># iptables -A INPUT -i br0 -j ACCEPT<br /># iptables -A FORWARD -i br0 -j ACCEPT</span><br /><br /><span style="font-weight: bold;font-family:arial;font-size:100%;" >3.5 Starting at boot</span><br /><br /><span style=";font-family:arial;font-size:85%;" >Now, set it all up to start automatically. You likely will need to add a route command so the VPN is available on the inside network from areas other than the subnet.</span><br /><br /><span style=";font-family:courier new;font-size:85%;" >#</span><span style=";font-family:courier new;font-size:85%;" > pwd<br />#/etc/rc.d/rc3.d</span><span style=";font-family:courier new;font-size:85%;" ><br /># vi S99local<br />/etc/bridge-start<br />service openvpn start<br />route add -net 10.0.0.0 netmask 255.0.0.0 gw 10.X.X.X</span><br /><br /><span style=";font-family:arial;font-size:85%;" >Then get the <a href="http://www.untrustedconnection.com/2009/08/dual-factor-openvpn-with-active_04.html">server.conf file configured</a>.<br />Make sure this line is in there:<br /></span><span style=";font-family:courier new;font-size:85%;" >plugin /usr/share/openvpn/plugin/lib/openvpn-auth-pam.so login</span><br /><span style=";font-family:arial;font-size:85%;" ><br />Details of what should be in the conf file can be found by looking at a sample.<br /><br />Then start the openvpn service:</span><br /><span style=";font-family:courier new;font-size:85%;" >service openvpn start</span><br /><span style=";font-family:arial;font-size:85%;" >If there is a FAILURE to start, check the openvpn.log to see what is going on. 
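Before starting the service it is worth checking that server.conf and the client .ovpn from the sample-configs post actually agree with each other, since a tls-auth direction or port mismatch shows up only as a silent handshake drop. The checker below is an added example, not code from these posts or from OpenVPN; it runs against constructed copies of the two sample files (the addresses and hostnames are placeholders) and reports every inconsistency it finds.

```python
"""Pair-check an OpenVPN server.conf against a client .ovpn.

Added example, not code from the original posts or from OpenVPN.  Both
files are one directive per line, so a small shlex-based parser suffices.
"""
import shlex
from typing import Dict, List, Optional

# Constructed samples modelled on the post's server.conf and client.ovpn
# (hostnames and addresses are placeholders).
SERVER_CONF = """\
# server side of a many-clients to one-server configuration
local 203.0.113.10
port 443
proto tcp
dev tap0
pkcs12 /etc/openvpn/easy-rsa/keys/openvpnServer.pfx
plugin /usr/share/openvpn/plugin/lib/openvpn-auth-pam.so login
dh /etc/openvpn/easy-rsa/keys/dh1024.pem
server-bridge 10.0.0.1 255.0.0.0 10.0.1.1 10.0.1.100
tls-auth /etc/openvpn/easy-rsa/keys/ta.key 0
comp-lzo
user nobody
group nobody
verb 3
"""

CLIENT_OVPN = r"""client
dev tap
proto tcp
remote openvpn.yourdomain.com 443
tls-auth "C:\\Program Files\\OpenVPN\\config\\ta.key" 1
ca "C:\\Program Files\\OpenVPN\\config\\CA.cer"
cryptoapicert "SUBJ:CLIENT.YOURDOMAIN.COM"
auth-user-pass
comp-lzo
verb 3
"""

Directives = Dict[str, List[List[str]]]


def parse_openvpn(text: str) -> Directives:
    """Map each directive to the argument lists it appears with.
    Comments and blank lines are dropped; repeated directives are kept."""
    found: Directives = {}
    for raw in text.splitlines():
        parts = shlex.split(raw, comments=True)
        if parts:
            found.setdefault(parts[0], []).append(parts[1:])
    return found


def arg(d: Directives, name: str, index: int, default: Optional[str] = None) -> Optional[str]:
    """Argument `index` of the first occurrence of `name`, else the default."""
    if name not in d or len(d[name][0]) <= index:
        return default
    return d[name][0][index]


def check_pair(server_text: str, client_text: str) -> List[str]:
    """Return human-readable mismatches; an empty list means the pair agrees."""
    s, c = parse_openvpn(server_text), parse_openvpn(client_text)
    problems: List[str] = []

    # Transport and device type must agree; "tap0" and "tap" are the same type.
    sproto, cproto = arg(s, "proto", 0, "udp"), arg(c, "proto", 0, "udp")
    if sproto.split("-")[0] != cproto.split("-")[0]:
        problems.append(f"proto mismatch: server {sproto}, client {cproto}")
    sdev = arg(s, "dev", 0, "tun").rstrip("0123456789")
    cdev = arg(c, "dev", 0, "tun").rstrip("0123456789")
    if sdev != cdev:
        problems.append(f"dev mismatch: server {sdev}, client {cdev}")

    # The client's remote port must be the port the server listens on.
    sport, cport = arg(s, "port", 0, "1194"), arg(c, "remote", 1, "1194")
    if "remote" not in c:
        problems.append("client has no remote directive")
    elif cport != sport:
        problems.append(f"port mismatch: server listens on {sport}, client uses {cport}")

    # tls-auth on both sides, key direction 0 (server) / 1 (client); otherwise
    # the HMAC firewall drops every handshake without a useful log entry.
    sta, cta = "tls-auth" in s, "tls-auth" in c
    if sta != cta:
        problems.append("tls-auth configured on only one side; handshakes will be dropped")
    elif sta and (arg(s, "tls-auth", 1), arg(c, "tls-auth", 1)) != ("0", "1"):
        problems.append("tls-auth key direction must be 0 on the server and 1 on the client")
    if ("comp-lzo" in s) != ("comp-lzo" in c):
        problems.append("comp-lzo enabled on only one side")

    # Second factor: the PAM plugin needs a username/password prompt on the
    # client, and the client must present a certificate of some kind.
    uses_pam = any(a and "auth-pam" in a[0] for a in s.get("plugin", []))
    if uses_pam and "auth-user-pass" not in c:
        problems.append("server uses openvpn-auth-pam but client lacks auth-user-pass")
    if not any(k in c for k in ("cert", "pkcs12", "cryptoapicert")):
        problems.append("client has no certificate directive (cert/pkcs12/cryptoapicert)")
    if "MACHINENAME" in (arg(c, "cryptoapicert", 0, "") or ""):
        problems.append("cryptoapicert still carries the MACHINENAME placeholder")

    # Privilege drop after initialisation, as the sample server.conf does.
    for d in ("user", "group"):
        if d not in s:
            problems.append(f"server does not drop privileges: no '{d}' directive")
    return problems


if __name__ == "__main__":
    for line in check_pair(SERVER_CONF, CLIENT_OVPN) or ["server.conf and client.ovpn agree"]:
        print(line)
```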
I find <span style="font-family:courier new;">tail –f</span> in a separate window is very handy, as it is a live look at the log file.<br /><br /><span style="font-family:courier new;">vi /etc/sysconfig/network</span> and set the gateway to the outside address.<br /><br />Next, we will <a href="http://www.untrustedconnection.com/2009/08/dual-factor-openvpn-with-active.html">set up the client</a>. </span>Andrew Hoschhttp://www.blogger.com/profile/12207061134715113029noreply@blogger.com0tag:blogger.com,1999:blog-5711099973096454729.post-45202474774833120142009-07-30T22:04:00.001-07:002009-08-04T15:37:29.769-07:00Dual factor OpenVPN with Active Directory and Certificate Services (Part 2 of 4)<span style=";font-family:arial;font-size:85%;" ><br /><span style="font-size:100%;"><span style="font-weight: bold;">2 Building Active Directory Integration</span></span><br />Joining this box to the active directory (AD) domain is the first part of our two-factor authentication. <span style="font-weight: bold;font-family:courier new;" >Authconfig-tui </span>should have done most of this, but double-check your files. It is good to know what is what in case you need to trouble-shoot. And if you are using a different distro, you may still need to do this manually.<br /><br /><span style="font-size:100%;"><span style="font-weight: bold;">2.1 Setting Name services</span></span><br />Point the machine to <span style="font-weight: bold;font-family:courier new;" >winbind </span>services. 
<span style="font-style: italic;">Authconfig-tui should have made all these changes.</span><br /><br /><span style="font-size:100%;">2.1.1 Modify /etc/nsswitch.conf</span><br /><span style="font-family:courier new;"># vi /etc/nsswitch.conf</span><br /><span style="font-family:courier new;">passwd: files winbind</span><br /><span style="font-family:courier new;">shadow: files winbind</span><br /><span style="font-family:courier new;">group: files winbind</span><br /><span style="font-family:courier new;"></span><br /><span style="font-size:100%;">2.1.2 Modify /etc/hosts</span><br />Add the AD controller to /etc/hosts. <span style="font-style: italic;">This is optional and not done by </span></span><span style="font-style: italic;font-family:arial;font-size:85%;" >authconfig-tui</span><span style=";font-family:arial;font-size:85%;" ><span style="font-style: italic;">.</span><br /><span style="font-family:courier new;"># vi /etc/hosts</span><br /><span style="font-family:courier new;">127.0.0.1 openvpn.yourdomain.com localhost.localdomain localhost</span><br /><span style="font-family:courier new;">192.168.1.1 DOMAINCONTROLLER.YOURDOMAIN.COM DOMAINCONTROLLER<br /></span><br /><span style="font-size:100%;">2.1.3 Set Kerberos authentication</span><span style="font-weight: bold;font-size:100%;" ><br /></span>Authentication is configured through the krb5 settings. 
<span style="font-style: italic;">Authconfig-tui should have made all these changes.</span><br />These changes are made in <span style="font-weight: bold;font-family:courier new;" >/etc/krb5.conf</span><br /><br /><span style="font-family:courier new;"> # less krb5.conf<br />[logging]<br />default = FILE:/var/log/krb5libs.log<br />kdc = FILE:/var/log/krb5kdc.log<br />admin_server = FILE:/var/log/kadmind.log<br />[libdefaults]<br />default_realm = YOURDOMAIN.COM<br />dns_lookup_realm = false<br />dns_lookup_kdc = false<br />ticket_lifetime = 24h<br />forwardable = yes<br />[realms]<br />YOURDOMAIN.COM = {<br />kdc = DOMAINCONTROLLER.</span></span><span style=";font-family:arial;font-size:85%;" ><span style="font-family:courier new;">YOURDOMAIN.COM</span></span><span style=";font-family:arial;font-size:85%;" ><span style="font-family:courier new;">:88<br />}<br />[domain_realm]<br />.yourdomain.com = </span></span><span style=";font-family:arial;font-size:85%;" ><span style="font-family:courier new;">YOURDOMAIN.COM</span></span><br /><span style=";font-family:arial;font-size:85%;" ><span style="font-family:courier new;">yourdomain.com = </span></span><span style=";font-family:arial;font-size:85%;" ><span style="font-family:courier new;">YOURDOMAIN.COM</span></span><span style=";font-family:arial;font-size:85%;" ><span style="font-family:courier new;"><br />[kdc]<br />profile = /var/kerberos/krb5kdc/kdc.conf<br />[appdefaults]<br />pam = {<br />debug = false<br />ticket_lifetime = 36000<br />renew_lifetime = 36000<br />forwardable = true<br />krb4_convert = false<br />} </span><br /><br /><span style="font-size:100%;"><span style="font-family:arial;">2.1.4 Samba adjustments</span></span><br /></span><span style="font-family:arial;"><span style="font-size:85%;">Don’t forget smb.conf! /etc/samba/smb.conf will need some adjustments. Basically adding the last three lines will prevent the VPN server from trying to become the master SMB browser. 
Setting winbind use default domain to “true” means users do not have to type “YOURDOMAIN” when they log on.</span><br /><span style=";font-family:courier new;font-size:85%;" ><br /># vi /etc/samba/smb.conf<br />workgroup = YOURDOMAIN<br /> password server = DOMAINCONTROLLER.</span></span><span style=";font-family:arial;font-size:85%;" ><span style="font-family:courier new;">YOURDOMAIN.COM</span></span><br /><span style="font-family:arial;"><span style=";font-family:courier new;font-size:85%;" > realm = </span></span><span style=";font-family:arial;font-size:85%;" ><span style="font-family:courier new;">YOURDOMAIN.COM</span></span><br /><span style="font-family:arial;"><span style=";font-family:courier new;font-size:85%;" > security = ads<br /> idmap uid = 16777216-33554431<br /> idmap gid = 16777216-33554431<br /> template shell = /sbin/nologin<br /> winbind use default domain = true<br /> winbind offline logon = false<br />domain master = no<br />local master = no<br />preferred master = no<br /></span><span style=";font-family:arial;font-size:85%;" ><span style="font-weight: bold;font-size:100%;" ><br />2.2 About services… </span><br />To check if a service is running in CentOS/Redhat distros:<br /><span style="font-family:courier new;">service &lt;servicename&gt; status</span><br /><br />Starting a service:<br /><span style="font-family:courier new;">service &lt;servicename&gt; start</span><br /><br />Stopping a service:<br /><span style="font-family:courier new;">service &lt;servicename&gt; stop</span><br /><br />Have a service start automatically at boot:<br />1. Open the <span style="font-family:courier new;">ntsysv </span>program:<br /><span style="font-family:courier new;"># ntsysv</span><br />2. Find your service in the list and press space to enable it. 
Services marked with a * will start automatically at boot.<br /><br /><span style="font-weight: bold;font-size:100%;" >2.3 Join the machine to the Active Directory Domain<br /></span>Start the<span style="font-family:courier new;"> smb nmb</span> services:<br /><span style="font-family:courier new;"># service smb start</span><br />Check your clock. If needed, start the ntp daemon:<br /><span style="font-family:courier new;"># vi /etc/ntp.conf </span></span><span style=";font-family:arial;font-size:85%;" >to point to a different set of ntp servers.</span><br /><span style=";font-family:arial;font-size:85%;" ><span style="font-family:courier new;"># service ntpd restart</span><br /><br />You cannot join the domain if your time is too far off. Without ntp, if your clock drifts later on, you will not be able to authenticate users.<br /><br />This machine is now ready to be joined to AD. I prefer the command, instead of authconfig-tui, because errors appear right there, as does confirmation.<br /><span style="font-family:courier new;"># net ads join -U &lt;domain-admin&gt;</span><br /><span style="font-family:courier new;">domain-admin's password:</span><br /><span style="font-family:courier new;">Using short domain name -- YOURDOMAIN</span><br /><span style="font-family:courier new;">Joined 'openvpn to realm 'YOURDOMAIN.COM'</span><br /><br />Once this is done, confirmation can be made in AD itself.<br /><br />This machine is then moved to the appropriate AD OU.<br /><br />Start winbind:<br /><span style="font-family:courier new;"># service winbind start</span><br /><br />You can run some checks to make sure all is working. 
If it is not, you should stop and troubleshoot.<br />Test 1: Get a list of all the users in the domain:<span style="font-family:courier new;"><br /># wbinfo -u</span><br />Test 2: Get a list of groups in the domain:<br /><span style="font-family:courier new;"># wbinfo -g</span><br /><br />If those lists do not have domain users and domain groups, then something is not working. Again, you should stop and troubleshoot. NOTE: if this command appears to hang, that likely means it <span style="font-weight: bold; font-style: italic;">IS</span> working. Give it time; it is pulling all of the AD info, which is a lot of data.<br /><br />Some other tests:<br />Get a Kerberos ticket with kinit and a domain user.<br /><span style="font-family:courier new;"># kinit &lt;user&gt;</span><br />Type the password for the user and check with klist:<br /><span style="font-family:courier new;"># klist</span><br />You should see information about tickets being issued.<br /><br /><span style="font-weight: bold;font-size:100%;" >2.4 Autostart the services</span><br />If everything is working, set smb and winbind to autostart by using the <span style="font-family:courier new;">ntsysv </span>command.<br /><br /><span style="font-weight: bold;font-size:100%;" >2.5 PAM Configuration</span><br />In the old days I had to do extensive PAM modifications to get things working. PAM is the main authentication module. OpenVPN will plug into this for authentication. But now this seems unnecessary.<br /><br />Congratulations! You now have a Linux box that knows about Active Directory. 
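The three files edited in 2.1 have to agree with each other (realm spelled the same way everywhere, in upper case, a kdc for that realm, workgroup as the short name, winbind in nsswitch) or the join and the wbinfo tests above fail in ways that are hard to read. The preflight script below is an added example, not code from this post, Samba or MIT Kerberos; it parses constructed copies of nsswitch.conf, krb5.conf and smb.conf modelled on the snippets above (a [global] header is added to smb.conf because the real file has one) and lists every disagreement.

```python
"""Preflight nsswitch.conf, krb5.conf and smb.conf before 'net ads join'.

Added example, not code from the original post, Samba or MIT Kerberos.
"""
from typing import Dict, List

# Constructed samples modelled on the post's snippets (section 2.1).
NSSWITCH_CONF = """\
passwd: files winbind
shadow: files winbind
group: files winbind
"""

KRB5_CONF = """\
[libdefaults]
default_realm = YOURDOMAIN.COM
dns_lookup_realm = false
dns_lookup_kdc = false
[realms]
YOURDOMAIN.COM = {
kdc = DOMAINCONTROLLER.YOURDOMAIN.COM:88
}
[domain_realm]
.yourdomain.com = YOURDOMAIN.COM
yourdomain.com = YOURDOMAIN.COM
"""

SMB_CONF = """\
[global]
workgroup = YOURDOMAIN
password server = DOMAINCONTROLLER.YOURDOMAIN.COM
realm = YOURDOMAIN.COM
security = ads
winbind use default domain = true
domain master = no
local master = no
preferred master = no
"""


def parse_sections(text: str) -> Dict[str, Dict[str, str]]:
    """Parse [section] / key = value files.  krb5's nested 'X = { ... }'
    blocks are flattened to 'X.key'; keys are taken exactly as written."""
    out: Dict[str, Dict[str, str]] = {}
    section, stack = "", []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section, stack = line[1:-1].lower(), []
            out.setdefault(section, {})
        elif line == "}":
            stack.pop()
        else:
            key, _, value = line.partition("=")
            key, value = key.strip(), value.strip()
            if value == "{":
                stack.append(key)  # open a nested block
            else:
                out.setdefault(section, {})[".".join(stack + [key])] = value
    return out


def parse_nsswitch(text: str) -> Dict[str, List[str]]:
    """Map each database (passwd, shadow, ...) to its list of sources."""
    dbs: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        db, sep, sources = raw.split("#", 1)[0].partition(":")
        if sep:
            dbs[db.strip()] = sources.split()
    return dbs


def preflight(nsswitch: str, krb5: str, smb: str) -> List[str]:
    """Return the list of problems; an empty list means the files agree."""
    problems: List[str] = []
    ns = parse_nsswitch(nsswitch)
    for db in ("passwd", "shadow", "group"):
        if "winbind" not in ns.get(db, []):
            problems.append(f"nsswitch.conf: '{db}' does not consult winbind")

    k = parse_sections(krb5)
    realm = k.get("libdefaults", {}).get("default_realm", "")
    if not realm:
        problems.append("krb5.conf: default_realm is missing")
    elif realm != realm.upper():
        problems.append(f"krb5.conf: default_realm '{realm}' must be upper case")
    if realm and f"{realm}.kdc" not in k.get("realms", {}):
        problems.append(f"krb5.conf: no kdc entry for realm {realm}")
    if realm and k.get("domain_realm", {}).get(realm.lower()) != realm:
        problems.append(f"krb5.conf: domain_realm does not map {realm.lower()} to {realm}")

    g = parse_sections(smb).get("global", {})
    if g.get("security", "").lower() != "ads":
        problems.append("smb.conf: security must be 'ads' to join the domain")
    if realm and g.get("realm", "") != realm:
        problems.append("smb.conf: realm does not match krb5 default_realm")
    if realm and g.get("workgroup", "").upper() != realm.split(".")[0]:
        problems.append("smb.conf: workgroup should be the short (NetBIOS) name of the realm")
    server = g.get("password server", "").upper()
    if realm and server and not server.endswith("." + realm):
        problems.append(f"smb.conf: password server {server} is not in realm {realm}")
    if g.get("winbind use default domain", "").lower() != "true":
        problems.append("smb.conf: winbind use default domain should be true")
    for key in ("domain master", "local master", "preferred master"):
        if g.get(key, "").lower() != "no":
            problems.append(f"smb.conf: '{key}' should be no; the VPN box must not become browser master")
    return problems


if __name__ == "__main__":
    for line in preflight(NSSWITCH_CONF, KRB5_CONF, SMB_CONF) or ["AD integration files agree"]:
        print(line)
```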
<a href="http://www.untrustedconnection.com/2009/07/dual-factor-openvpn-with-active_31.html">Next is installing and configuring OpenVPN</a>.<br /></span><br /><br /></span>Andrew Hoschhttp://www.blogger.com/profile/12207061134715113029noreply@blogger.com0tag:blogger.com,1999:blog-5711099973096454729.post-27121016819477849662009-07-29T10:14:00.000-07:002009-08-04T15:36:55.501-07:00Dual factor OpenVPN with Active Directory and Certificate Services (Part 1 of 4)<span style=";font-family:arial;font-size:85%;" ><span style="font-weight: bold;font-size:100%;" >0. Overview</span><br /><a href="http://openvpn.net/index.php/open-source.html">OpenVPN</a> integrates well with Active Directory and Active Directory Certificate Services, providing a low-cost, dual factor VPN solution for Windows clients.<br /><br />This HOWTO uses CentOS 5.3, the latest “stable” OpenVPN package 2.0.9, and assumes you already have AD and Certificate Services running. 
</span><span style=";font-family:arial;font-size:85%;" >This VPN configuration is a <a href="http://openvpn.net/index.php/open-source/faq.html#bridge1">bridge</a>, meaning users have full TCP/IP access to the internal network once connected.</span><br /><br /><span style=";font-family:arial;font-size:85%;" >We will cover configuration in four main parts:<br /><span style="font-weight: bold;">Part 1 - Base OS install</span></span><br /><span style=";font-family:arial;font-size:85%;" ><span style="font-weight: bold;"><a href="http://www.untrustedconnection.com/2009/07/dual-factor-openvpn-with-active.html">Part 2 - AD Integration</a><br /><a href="http://www.untrustedconnection.com/2009/07/dual-factor-openvpn-with-active_31.html">Part 3 - OpenVPN installation</a><br /><a href="http://www.untrustedconnection.com/2009/08/dual-factor-openvpn-with-active.html">Part 4 - Client Setup</a><br /><br /></span><span style="font-weight: bold;"><a href="http://www.untrustedconnection.com/2009/08/dual-factor-openvpn-with-active_04.html">Sample configurations</a> will be included as a fifth part.<br /><br /></span><span style="font-size:100%;"><span style="font-weight: bold;">1 Base OS Setup</span></span></span><span style=";font-family:arial;font-size:85%;" ><br />The goal is to make this appliance light. But for ease sake, not every package has been removed. This is a tight box, but not ultra-light. This box has no GUI, it is command line only. Knowledge of <span style="font-weight: bold;font-family:courier new;" >vi </span>is recommended.<br /><br />If you really need step-by-step screen shots, I may add later.<br /><br /><span style="font-size:100%;"><span style="font-weight: bold;">1.1 Base Configuration:</span></span><br />This machine needs two NICs. 
The drives are mirrored.<br /><br /><span style="font-size:100%;"><span style="font-weight: bold;">1.2 Networking</span></span></span><span style=";font-family:arial;font-size:85%;" ><span style="font-size:100%;"> </span><br />Two NICs are configured for different networks. Disable IPv6 because it is not needed. The default gateway should be your EXTERNAL NIC’s gateway. DNS should be your INTERNAL DNS address.<br /><br /><span style="font-size:100%;"><span style="font-weight: bold;">1.3 Disk format</span> </span><br />The disk does not need to be more than about 5GB. Split off <span style="font-family:courier new;">/var</span> so that logs do not clobber the VPN. Not seen here is the <span style="font-family:courier new;">/boot</span> partition, which is about 100MB.<br /><br /><span style="font-weight: bold;font-size:100%;" >1.4 Packages</span><br />This build is based on CentOS 5.3, which is Redhat Enterprise 5.3 upstream.<br />The packages installed initially include<br /><span style="font-family:courier new;"><span style="font-weight: bold;">Applications </span>> Editors (vi enhanced)<br /></span><span style="font-family:courier new;"><span style="font-weight: bold;">Servers </span>> Windows File Server<br /></span><span style="font-family:courier new;"><span style="font-weight: bold;">Base </span>> Admin Tools (not needed)</span> <span style="font-family:courier new;"> <br /> > Base (took out wireless tools, ypbind, Bluetooth, infrared references)</span> <span style="font-family:courier new;"> <br /> > System Tools (take out Bluetooth, vnc references)</span> <span style="font-weight: bold;font-family:courier new;" ><br />CentOS Extras</span> <span style="font-family:courier new;"> > Yum Utilities<br /></span> <span style="font-family:courier new;"><br /><span style="font-family:arial;">Additional packages will be needed </span></span></span><span style=";font-family:arial;font-size:85%;" ><span style="font-family:courier new;"><span style="font-family:arial;">for 
OpenVPN, but will be added later:</span></span><span style="font-family:courier new;"> bridge-utils, samba-common, pam-devel</span><br /><br /><span style="font-size:100%;"><span style="font-weight: bold;">1.5 After the reboot</span> </span><br />After the reboot, <span style="font-weight: bold;font-family:courier new;" >setup </span>will run, which appears as a blue-red text box.<br /><br /></span><span style=";font-family:arial;font-size:85%;" >Firewall > Disable SELinux and allow port 443 inbound (SSH already allowed). Later, we will make additional firewall changes.<br /><br />System Services > disable <span style="font-weight: bold;font-family:courier new;" >cups, Blu</span></span><span style=";font-family:arial;font-size:85%;" ><span style="font-weight: bold;font-family:courier new;" >etooth, pcscd, winbind</span> (winbind we’ll start later). Enable <span style="font-weight: bold;font-family:courier new;" >ntpd</span>.<br /><br />Authentication<br /></span><span style=";font-family:arial;font-size:85%;" >In the olden days, my (in)experience, <span style="font-family:courier new;">authconfig-tui</span> often created a mess, and so I would edit each file needed for the system to use <span style="font-family:courier new;">winbind </span>before being joined to the domain. But now, authconfig-tui does a decent job -- though some adjustment will still be needed. 
</span><br /><br /><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjd0haDARfsqZY7wzFVpaxOZpQUjqK5DvZfkzramypJm0OH2ADu-qjWSRyvdXLxWcHlVpEnw76VnPfftjM0rKouEmhuBqhJTyEFv7lUt3_dBeOFXyhrw-Y1nnBO96Idf8_QxgVRIhh_3sw/s1600-h/1authconfig-tui.png"><img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 320px; height: 178px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjd0haDARfsqZY7wzFVpaxOZpQUjqK5DvZfkzramypJm0OH2ADu-qjWSRyvdXLxWcHlVpEnw76VnPfftjM0rKouEmhuBqhJTyEFv7lUt3_dBeOFXyhrw-Y1nnBO96Idf8_QxgVRIhh_3sw/s320/1authconfig-tui.png" alt="" id="BLOGGER_PHOTO_ID_5364682584465460194" border="0" /></a><br /><div style="text-align: center;"><span style=";font-family:arial;font-size:85%;" >Exhibit 1: authconfig-tui -- winbind should be selected</span><br /></div><span style=";font-family:arial;font-size:85%;" ><br /><br /></span><div style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgM1RRmhLroeETBkYIqV3hgQhUhym4jUSpyjDkQApQhR-KKBjSnqw6LxUWIxmoZJynY8ILQy5S8bckfVRwJHgjcb1ICoKIVGP4I_MXJxEIjr__l0b5kMpMD_iFuBIx9QwyEo2fyAoofJ4A/s1600-h/2adminServer.png"><img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 320px; height: 153px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgM1RRmhLroeETBkYIqV3hgQhUhym4jUSpyjDkQApQhR-KKBjSnqw6LxUWIxmoZJynY8ILQy5S8bckfVRwJHgjcb1ICoKIVGP4I_MXJxEIjr__l0b5kMpMD_iFuBIx9QwyEo2fyAoofJ4A/s320/2adminServer.png" alt="" id="BLOGGER_PHOTO_ID_5364684102370036978" border="0" /></a><span style=";font-family:arial;font-size:85%;" ><span style=";font-family:arial;font-size:85%;" >Exhibit 2: Admin Server is optional. 
Enter your domain's info.</span></span><br /></div><span style=";font-family:arial;font-size:85%;" ><br /></span><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi2pA8L7lwmPGqD0_jsbVsDRgtTxXo9g1e0B6hq5JfWCcKYq1-FFGcLI5z3UgRJxr75UTXJYYB6eQMQFx4y-BRWpzsCzFrnrfrW3l-yBcg2E7XHv7W_2X83j65nebMFrBzOTI4Lf3-oPbY/s1600-h/3dontjoindomain.png"><img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 320px; height: 183px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi2pA8L7lwmPGqD0_jsbVsDRgtTxXo9g1e0B6hq5JfWCcKYq1-FFGcLI5z3UgRJxr75UTXJYYB6eQMQFx4y-BRWpzsCzFrnrfrW3l-yBcg2E7XHv7W_2X83j65nebMFrBzOTI4Lf3-oPbY/s320/3dontjoindomain.png" alt="" id="BLOGGER_PHOTO_ID_5364684252694036210" border="0" /></a><br /><div style="text-align: center;"><span style=";font-family:arial;font-size:85%;" ><span style=";font-family:arial;font-size:85%;" >Exhibit 3: winbind will be adjusted later</span></span>. <span style=";font-family:arial;font-size:85%;" ><br />Do NOT join to the domain yet. Chances are your clock skew will not allow it.</span><br /></div><span style=";font-family:arial;font-size:85%;" ><br />When done, close this out. You can g</span><span style=";font-family:arial;font-size:85%;" >et to this page at any time by typing <span style="font-weight: bold;font-family:courier new;" >setup</span>.</span><br /><span style=";font-family:arial;font-size:85%;" ><br /></span><span style=";font-family:arial;font-size:85%;" >Install pam-devel + bridge-utils + samba-common (no 's' at the end):<br /><span style="font-weight: bold;font-family:courier new;" ># yum install pam-devel bridge-utils samba-common</span><br /></span><br /><span style=";font-family:arial;font-size:85%;" >Reboot again. You are now done with OS installation. 
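The section 1.5 service and firewall baseline as an added audit script, not part of the original post: it assumes `chkconfig --list` and `iptables -L -n` output in the CentOS 5 layout and runs here over constructed sample output.

```shell
#!/bin/sh
# Added example, not from the original post: audit a CentOS 5 host against the
# section 1.5 baseline (cups/bluetooth/pcscd/winbind off, ntpd on, tcp/22 and
# tcp/443 accepted) by parsing `chkconfig --list` and `iptables -L -n` output.

WANT_OFF="cups bluetooth pcscd winbind"
WANT_ON="ntpd"
WANT_PORTS="22 443"

# svc_state "<chkconfig output>" <service> -> on|off|missing ("on" = starts in runlevel 3 or 5)
svc_state() {
    printf '%s\n' "$1" | awk -v svc="$2" '
        $1 == svc {
            state = "off"
            for (i = 2; i <= NF; i++) if ($i == "3:on" || $i == "5:on") state = "on"
            print state; found = 1; exit
        }
        END { if (!found) print "missing" }'
}

# port_accepted "<iptables -L -n output>" <port> -> exit 0 if an ACCEPT rule for that TCP dport exists
port_accepted() {
    printf '%s\n' "$1" | grep -Eq "^ACCEPT +tcp .*dpt:$2( |\$)"
}

# audit_baseline "<chkconfig output>" "<iptables output>": one line per deviation, nothing if compliant
audit_baseline() {
    for s in $WANT_OFF; do
        if [ "$(svc_state "$1" "$s")" = "on" ]; then echo "$s: should be off"; fi
    done
    for s in $WANT_ON; do
        st=$(svc_state "$1" "$s")
        if [ "$st" != "on" ]; then echo "$s: should be on (is $st)"; fi
    done
    for p in $WANT_PORTS; do
        if ! port_accepted "$2" "$p"; then echo "tcp/$p: no ACCEPT rule"; fi
    done
    return 0
}

# Constructed sample output (not captured from a real host): cups was left on,
# ntpd was never enabled, and 443 has not been opened yet.
SAMPLE_CHKCONFIG='cups            0:off   1:off   2:on    3:on    4:on    5:on    6:off
bluetooth       0:off   1:off   2:off   3:off   4:off   5:off   6:off
winbind         0:off   1:off   2:off   3:off   4:off   5:off   6:off
ntpd            0:off   1:off   2:off   3:off   4:off   5:off   6:off
sshd            0:off   1:off   2:on    3:on    4:on    5:on    6:off'
SAMPLE_IPTABLES='ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited'

# On the host itself: audit_baseline "$(chkconfig --list)" "$(iptables -L -n)"
audit_baseline "$SAMPLE_CHKCONFIG" "$SAMPLE_IPTABLES"
```

A service absent from `chkconfig --list` is reported as "missing", which the audit treats as not running; it does not check the SELinux state that the setup step changes.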
Next, we will <a href="http://www.untrustedconnection.com/2009/07/dual-factor-openvpn-with-active.html">join the system to the domain</a>. </span><br /><span style=";font-family:arial;font-size:85%;" ><span style=";font-family:arial;font-size:85%;" ><br /></span></span>Andrew Hoschhttp://www.blogger.com/profile/12207061134715113029noreply@blogger.com0tag:blogger.com,1999:blog-5711099973096454729.post-26722831851870397012009-01-02T15:59:00.000-08:002009-07-29T10:58:12.599-07:00OpenVPN Adapter Issue<span style="font-family:arial;"><span style="font-size:85%;">I have only seen this once, with a Windows OpenVPN client that could not connect.</span><br /><span style="font-size:85%;"><br /><span style="font-family: courier new;">CreateFile failed on TAP device: \\.\Global\{E..}/tap</span><br /><br /></span><span style="font-family:courier new;"><span style="font-size:85%;">All TAP-Win32 adapters on this system are currently in use.</span><br /><span style="font-size:85%;"><br /></span></span></span><span style="font-size:85%;"><span style="font-family:arial;">The solution is to disable and re-enable the adapter in the Network Connections control panel. </span></span>Andrew Hoschhttp://www.blogger.com/profile/12207061134715113029noreply@blogger.com0tag:blogger.com,1999:blog-5711099973096454729.post-61229145628397645242008-12-30T21:29:00.000-08:002009-07-29T10:12:18.092-07:00The Mysterious Failed Backup Job<span style="font-size:85%;"><span style="font-family:arial;">"Tape labeling is not working." A quick look shows it is more serious: </span></span><span style="font-size:85%;"><span style="font-family:arial;">the certified-compliant-Mission-critical-Tape-backup? 
FAIL<br /><br /></span></span><span style="font-size:85%;"><span style="font-family:arial;">So, the tape drive is connected to the fiber card, the fiber card is connected to the server, the server is running the backup software Legato -- a Windows port of Legato at that.<br /><br />So make a guess:<br />a) the Legato application - a Windows port of a UNIX application<br />b) a random Windows patch<br />c) the 3+ year old server<br />d) the fiber card<br />e) the $15000 tape robot<br />f) the drives in the robot<br />g) none of the above<br /><br />Whenever a tape labeling happens, this mysterious error appears in Legato...<br /><br /><span style="font-family:courier new;">check_cdi_infop and cdi_open failed</span><br /><br /><br />Try <a href="http://www.google.com/search?q=check_cdi_infop+and+cdi_open+failed">Googling </a>that. Yes, that is right, it IS cold out there in Legato land. I briefly consider calling Dell tech. But I know a "server specialist" will blame the tape robot, the "storage specialist" will blame the application, and the Dell Legato specialists -- let me get out the genie lamp.<br /><br />Let's get ready to grind it out:</span></span><span style="font-size:85%;"><span style="font-family:arial;"><br /><br />- Google does not help, so now I have to actually look at the Legato logs.</span></span><span style="font-size:85%;"><span style="font-family:arial;"><br />- Instead of looking at the logs, I Google some more.</span></span><span style="font-size:85%;"><span style="font-family:arial;"><br />- Okay, no help at all. So, now I have to check the logs.<br /><br /></span></span><span style="font-size:85%;"><span style="font-family:arial;">FINDING #1: In the logs, the errors are only happening on one of the two drives.<br /></span></span><span style="font-size:85%;"><span style="font-family:arial;">COROLLARY: The application can't be the issue, as everything works on one of the drives. So, I do not have to rub the lamp really really hard after all. 
Goodbye </span></span><span style="font-size:85%;"><span style="font-family:arial;"> Dell Legato specialist, it is as if you never existed! </span></span><br /><br /><span style="font-size:85%;"><span style="font-family:arial;">- So, if it is hardware, to the <a href="http://technet.microsoft.com/en-us/library/cc757231.aspx">eventvwr</a> we go.<br />- Lovely event viewer, so full of... nothing.<br />- Check device manager out of quiet desperation, as device manager </span></span><span style="font-size:85%;"><span style="font-family:arial;">ALWAYS </span></span><span style="font-size:85%;"><span style="font-family:arial;">reports </span></span><span style="font-size:85%;"><span style="font-family:arial;">a device as working, no matter what.<br />- But hold on...<br /><br />FINDING #2?: There is a beautiful, glorious yellow dot and exclamation point on a PCI bus. Could it be that device manager is actually telling me something?<br /><br />Unfortunately, a reboot clears it out. And now EVERYTHING is working, both drives, the labeling, t</span></span><span style="font-size:85%;"><span style="font-family:arial;">he certified-compliant-Mission-critical-Tape-backup</span></span><span style="font-size:85%;"><span style="font-family:arial;">. 
Until...<br /><br />The next hefty backup job and FAIL.</span></span><span style="font-size:85%;"><span style="font-family:arial;"></span></span><span style="font-size:85%;"><span style="font-family:arial;"><br /><br />Once again the tape drive gets <a href="http://www.crunkenergydrink.com/">crunked</a> and<br /><br />FINDING #2: </span></span><span style="font-size:85%;"><span style="font-family:arial;"> the yellow dot and </span></span><span style="font-size:85%;"><span style="font-family:arial;">exclamation point appear in <a href="http://www.annoyances.org/exec/show/article01-420">device manager</a>.<br /></span></span><span style="font-size:85%;"><span style="font-family:arial;">COROLLARY: </span></span><span style="font-size:85%;"><span style="font-family:arial;">Nothing like an intermittent error on a mission critical server.<br /><br />TO REVIEW: Could be tape drive, robot, fiber card, server, or mysterious Windows patch. Could not be the application.<br /><br />- Troubleshoot the </span></span><span style="font-size:85%;"><span style="font-family:arial;">yellow dot and exclamation point. But no success. The specific error <a href="http://support.microsoft.com/kb/310123">code 12</a> yields nothing.<br />- Reboot again. I mean really, why not?<br />- During BIOS post, this appears:<br /><br />FINDING #3: <span style="font-family:courier new;">PCI initialization error</span><br /></span></span><span style="font-size:85%;"><span style="font-family:arial;">COROLLARY:</span></span><span style="font-size:85%;"><span style="font-family:arial;"> An error in the server BIOS eliminates </span></span><span style="font-size:85%;"><span style="font-family:arial;">the "storage specialist". The Windows patch is not to be blamed, and the robot has not yet noticed the server is alive. 
It must be the hardware on the server: either the PCI bridge or the motherboard.<br /><br />- A call to Dell, and the Dell rep reasonably decides to send out the PCI bridge, being that it is much cheaper than a server motherboard.<br />- I take the delivery Parts Only, no Dell tech needed -- cause I walk like that. Well, actually, it is because Dell gunked the extended warranty, and I had no choice, unless I waited a couple of days for the sales department to confirm to service that I did have an extended warranty.<br />- I replace the PCI bridge and discover the answer is <span style="font-weight: bold;"><br /><br /></span><span style="font-weight: bold;">C) "</span></span></span><span style="font-size:85%;"><span style="font-family:arial;"><span style="font-weight: bold;">the 3+ year old server".</span><br /></span></span><span style="font-size:85%;"><span style="font-family:arial;"><br /></span></span>Andrew Hoschhttp://www.blogger.com/profile/12207061134715113029noreply@blogger.com1tag:blogger.com,1999:blog-5711099973096454729.post-55713054654076605542008-10-19T20:25:00.000-07:002009-07-27T13:13:33.251-07:00Nagios Client on Server Core 2008<span style=";font-family:arial;font-size:100%;" >Getting the Nagios client to run on Server 2008 Core isn't too difficult, but it doesn't seem to be posted anywhere yet. Maybe I'll try to submit it to the Nagios Wiki. </span><span style="font-size:85%;"><br /></span> <p class="MsoNormal"><span style=";font-family:arial;font-size:85%;" >I copied NSClient++-x64-0.3.5.zip to C:\_data and unzipped it, then edited the .ini file. 
Then I ran the following commands: </span><span style="font-weight: bold;"><br /><br /></span><span style=";font-family:courier new;font-size:85%;" >C:\nagios\NSClient++-x64-0.3.5>NSClient++.exe /install</span></p><p class="MsoNormal"><span style=";font-family:courier new;font-size:85%;" >NSClient++.cpp(193) Service installed!</span><span style=";font-family:courier new;font-size:85%;" ><br /></span></p><p class="MsoNormal"><span style=";font-family:courier new;font-size:85%;" >C:\</span><span style=";font-family:courier new;font-size:85%;" >nagios</span><span style=";font-family:courier new;font-size:85%;" >\NSClient++-x64-0.3.5>NSClient++ /start</span><span style=";font-family:courier new;font-size:85%;" ><br /></span></p><p class="MsoNormal"><span style=";font-family:courier new;font-size:85%;" >Starting NSClientpp</span><span style=";font-family:courier new;font-size:85%;" ><br /></span></p><p class="MsoNormal"><span style=";font-family:courier new;font-size:85%;" >C:\_data\NSClient++-x64-0.3.5> netsh firewall set icmpsetting 8</span><span style=";font-family:courier new;font-size:85%;" ><br /></span></p><p class="MsoNormal"><span style=";font-family:courier new;font-size:85%;" >C:\</span><span style=";font-family:courier new;font-size:85%;" >nagios</span><span style=";font-family:courier new;font-size:85%;" >\NSClient++-x64-0.3.5>netsh firewall add allowedprogram "C:\_data\NSClient++-x64-0.3.5\NSClient++.exe" "NSClientListener" ENABLE</span><span style="font-weight: bold;"><br /><br /></span>Here is a good site for firewall configuration on the command line: <a href="http://support.microsoft.com/kb/947709">http://support.microsoft.com/kb/947709</a></p>Andrew Hoschhttp://www.blogger.com/profile/12207061134715113029noreply@blogger.com2