Hardware and Operating System Setup
This document provides detailed instructions on how to install and configure the operating system, Apache, MySQL, and Ruby (Enterprise Edition) used by the Scientist Survey application.
The installation procedure is provided as a recipe of twelve (12) numbered, sequential steps. Some steps are optional and are marked with the word "optional" next to their number. It is important to perform the installation and configuration in the order given.
1. Perform a generic installation of SLF 5.x x64 onto your server
a. during the installation select the “Fermi Generic Server Workgroup” option;
b. configure the host name (e.g. survey.fnal.gov) and its static IP address;
c. all remaining settings should be left as default; do not select any additional packages to be installed at this time;
d. update the operating system to latest version of SLF 5.x x64;
NOTE: Detailed upgrade instructions are available at
e. Add a new user and group, both called cvdb (the two commands are chained with &&, not a single &, so that useradd only runs once the group exists):
groupadd cvdb && useradd -g cvdb cvdb
2. (Optional) Install puppet and related packages using instructions at
This step is typically required for any system supported by the ESO/USS group.
3. Install additional packages: MySQL, Apache, and the LDAP client
yum install mysql-server mysql
yum install httpd mod_ssl mod_authz_ldap
chkconfig httpd on
chkconfig mysqld on
4. Install the Ruby that comes with SLF 5.x
The Scientist Survey application uses Ruby Enterprise Edition, which is built from source and needs an existing Ruby to compile. Therefore the Ruby that ships with SLF 5.x is installed now and uninstalled later (step 6).
yum install ruby ruby-libs
NOTE: two packages are installed:
(1/2): ruby-1.8.5-19.el5_6.1.x86_64.rpm
(2/2): ruby-libs-1.8.5-19.el5_6.1.x86_64.rpm
5. Download and rebuild Ruby Enterprise edition as described on the page below
a. install the Linux packages required to build Ruby from source
yum install readline-devel ncurses-devel glibc-devel autoconf gcc
yum install openssl-devel db4-devel byacc gdbm-devel rpm-build gcc-c++
yum install curl-devel httpd-devel apr-util apr-util-devel
yum install apr-util-docs
b. download and rebuild Ruby Enterprise Edition
wget ftp://ftp.ruby-lang.org/pub/ruby/1.8/ruby-1.8.7-p72.tar.gz
gunzip ruby-1.8.7-p72.tar.gz
tar -xf ruby-1.8.7-p72.tar
rpmbuild --rebuild --define 'dist el5' ruby-enterprise-1.8.7-1.el5.src.rpm
The tarball is fetched over plain FTP, which gives no integrity guarantee; compare its checksum against the one published for that release before building anything from it.
NOTE: The newly built RPMs go into the /usr/src/redhat/RPMS/x86_64/ directory.
6. Uninstall the old version of Ruby
rpm -e ruby-1.8.5-19.el5_6.1.x86_64
rpm -e ruby-libs-1.8.5-19.el5_6.1.x86_64
7. Install Ruby Enterprise Edition
rpm -i /usr/src/redhat/RPMS/x86_64/ruby-enterprise-1.8.7-1.el5.x86_64.rpm
rpm -i /usr/src/redhat/RPMS/x86_64/ruby-enterprise-rubygems-1.3.2-1.el5.x86_64.rpm
Important: check the versions of Ruby and gem.
[root@survey ~]# ruby --version
ruby 1.8.7 (2009-06-12 patchlevel 174) [x86_64-linux], MBARI 0x6770, Ruby Enterprise Edition 20090928
[root@survey ~]# gem --version
8. Install rake-0.8.7 and rails-2.3.2
a. Install rake
gem install rake --version 0.8.7
Output:
Successfully installed rake-0.8.7
1 gem installed
Installing ri documentation for rake-0.8.7...
Installing RDoc documentation for rake-0.8.7...
b. Install rails
gem install rails --version 2.3.2
Output:
Successfully installed activesupport-2.3.2
Successfully installed activerecord-2.3.2
Successfully installed actionpack-2.3.2
Successfully installed actionmailer-2.3.2
Successfully installed activeresource-2.3.2
Successfully installed rails-2.3.2
6 gems installed
Installing ri documentation for activesupport-2.3.2...
Installing ri documentation for activerecord-2.3.2...
Installing ri documentation for actionpack-2.3.2...
Installing ri documentation for actionmailer-2.3.2...
Installing ri documentation for activeresource-2.3.2...
Installing ri documentation for rails-2.3.2...
Installing RDoc documentation for activesupport-2.3.2...
Installing RDoc documentation for activerecord-2.3.2...
Installing RDoc documentation for actionpack-2.3.2...
Installing RDoc documentation for actionmailer-2.3.2...
Installing RDoc documentation for activeresource-2.3.2...
Installing RDoc documentation for rails-2.3.2...
9. Install Passenger.
Detailed instructions are at http://www.modrails.com/videos/passenger.mov
a. Install the passenger-3.0.9 gem (pin the version, as with rake and rails, so a later gem release does not change what gets built)
gem install passenger --version 3.0.9
Output:
Building native extensions. This could take a while...
Successfully installed fastthread-1.0.7
Successfully installed daemon_controller-0.2.6
Successfully installed rack-1.3.5
Successfully installed passenger-3.0.9
4 gems installed
...
No definition for rb_queue_marshal_dump
Installing RDoc documentation for daemon_controller-0.2.6...
Installing RDoc documentation for rack-1.3.5...
Installing RDoc documentation for passenger-3.0.9...
b. Install the Passenger module for Apache
Run the gem's passenger-install-apache2-module script; it compiles mod_passenger.so and ends with:
--------------------------------------------
The Apache 2 module was successfully installed.
Please edit your Apache configuration file, and add these lines:
LoadModule passenger_module /usr/local/lib/ruby/gems/1.8/gems/passenger-3.0.9/ext/apache2/mod_passenger.so
PassengerRoot /usr/local/lib/ruby/gems/1.8/gems/passenger-3.0.9
PassengerRuby /usr/local/bin/ruby
After you restart Apache, you are ready to deploy any number of Ruby on Rails applications on Apache, without any further Ruby on Rails-specific configuration!
Put those three lines in a file under /etc/httpd/conf.d/ (which the stock httpd.conf includes) and restart httpd.
10. Request an SSL certificate (for https:// secure access). On the target host, generate a certificate signing request (CSR) with the following command:
openssl req -new -newkey rsa:2048 -nodes -out star_fnal_gov.csr -keyout star_fnal_gov.key -subj "/C=US/ST=Illinois/L=Batavia/O=Fermi National Accelerator Laboratory/OU=CSS-CSI/CN=*.fnal.gov"
The -nodes option writes the private key (star_fnal_gov.key) unencrypted so that httpd can start without a passphrase; that file is the secret to protect in the steps below.
This generates a file whose name ends in .csr. Forward it to the Web, Unified Communications, and Collaboration Services group and request a "star cert" for the server (provide the hostname, although the generated cert is not hostname specific). You will also need to open a ticket for this, assigned to Web, Unified Communications, and Collaboration Services. That group will mail you the certificate as a .zip file.
Handle the certificate files they send you very carefully. They must not be shared or forwarded, and the directory they are placed in must not be backed up.
Unzip the file and place the files in a directory that is secure (not world readable) and that the Apache httpd process can read. I used /etc/pki/tls/certs/. Note that the stock /etc/pki/tls/certs/ is itself world-readable (it holds the public CA bundle), so what actually protects the key is the key file's own mode: make star_fnal_gov.key owned by root with mode 0600. httpd reads it as root at startup, before dropping privileges, so nothing else needs access.
Next, edit the file /etc/httpd/conf.d/ssl.conf and make sure the following lines are specified as below (they might already exist in different places in the file):
SSLCertificateFile /your/path/to/star_fnal_gov.crt
SSLCertificateKeyFile /your/path/to/star_fnal_gov.key
SSLCertificateChainFile /your/path/to/DigiCertCA.crt
Replace /your/path/to/ with /etc/pki/tls/certs/ if you used my example above.
Restart the httpd process and test https://yourserver.fnal.gov/ to ensure that it displays correctly.
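Before restarting httpd it is worth checking that the three files ssl.conf points at are consistent with each other and with the permission rule above. The script below is an added example and not part of the original procedure: it checks that the key file is not readable by group or other, that the key's RSA modulus matches the certificate's (a mismatch stops httpd from starting), and that the first certificate in the chain file is the issuer of the server certificate (a wrong intermediate is the usual cause of "incomplete chain" warnings). The paths in the usage comment are the ones this page uses; the script name check_tls.sh is assumed.

```shell
#!/bin/sh
# Added example (not part of the original Fermilab procedure): sanity-check the
# certificate, private key and chain file before pointing ssl.conf at them.

# Private key must not be readable by group or other: octal mode ends in 00.
key_private() {
    mode=$(stat -c %a "$1") || return 1
    case "$mode" in
        *00) return 0 ;;
        *)   return 1 ;;
    esac
}

# The RSA modulus of the key and of the certificate must be identical,
# otherwise the key cannot prove the certificate and httpd will not start.
key_matches_cert() {
    km=$(openssl rsa  -noout -modulus -in "$1" 2>/dev/null) || return 1
    cm=$(openssl x509 -noout -modulus -in "$2" 2>/dev/null) || return 1
    [ -n "$km" ] && [ "$km" = "$cm" ]
}

# The first certificate in the chain file must be the issuer of the leaf.
# openssl x509 reads only the first certificate of a file, which is exactly
# the one SSLCertificateChainFile hands to clients right after the leaf.
# "${x#*=}" strips the "subject=" / "issuer=" prefix so both OpenSSL 1.0 and
# 1.1/3 output formats compare equal.
chain_issued_cert() {
    chain_subject=$(openssl x509 -noout -subject -in "$1" 2>/dev/null) || return 1
    leaf_issuer=$(openssl x509 -noout -issuer -in "$2" 2>/dev/null) || return 1
    [ "${chain_subject#*=}" = "${leaf_issuer#*=}" ]
}

# check_tls_material CERT KEY CHAIN -> exit status 0 means safe to configure.
check_tls_material() {
    cert=$1
    key=$2
    chain=$3
    key_private "$key" \
        || { echo "FAIL: $key is readable by group/other" >&2; return 1; }
    key_matches_cert "$key" "$cert" \
        || { echo "FAIL: $key does not match $cert" >&2; return 1; }
    chain_issued_cert "$chain" "$cert" \
        || { echo "FAIL: $chain did not issue $cert" >&2; return 1; }
    echo "OK: $cert, $key and $chain are consistent"
}

# Run with the three paths from ssl.conf, e.g.
#   sh check_tls.sh /etc/pki/tls/certs/star_fnal_gov.crt \
#       /etc/pki/tls/certs/star_fnal_gov.key /etc/pki/tls/certs/DigiCertCA.crt
if [ "$#" -eq 3 ]; then
    check_tls_material "$1" "$2" "$3"
fi
```

Run it as root (the key is not readable otherwise) and only restart httpd once it prints OK; a FAIL on the chain check usually means the wrong intermediate was unpacked from the zip, not a bad certificate.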
- Note about step 11: it can be started any time after the server OS is installed and httpd is running. You do not have to wait until step 10 is complete to start it.
11. Request a Web Exemption for the border router through-hole. This allows outside parties to reach https://server.fnal.gov . Submit it before the server setup is complete; the final exemption will not be granted until the finished application is available for scanning. Open a ticket, ask for it to be assigned to the Computer Security Team, and include the following information:
SUMMARY: Please assign to Computer Security Team. Need web exemption for ccdss.
NOTES:
Summary: Web Exemption Request for server.fnal.gov 131.225.XXX.XXX
Action: [X] Add this web server [ ] Remove this web server
Requestor/Web Server Administrator name: (Your Name)
Web server DNS name: server.fnal.gov
Web server IP address: 131.225.XXX.XXX
Ports required: [X] 80 [X] 443
Is my web server content staged and ready to be accessed?: [ ] Yes [X] No
Does this web server send logs to the CST Central Syslog Server?: [ ] Yes [X] No
Briefly describe the function of this web service: Scientific Survey web server.
Before the exemption is granted, central logging of syslog and httpd has to be set up:
# yum install zz_use_clogger
Edit /etc/httpd/conf/httpd.conf. Installations differ; the example below uses the default out-of-the-box SLF5 httpd.conf, so adjust to taste. Replace the stock directives
CustomLog logs/access_log combined
ErrorLog logs/error_log
with piped versions that keep the local files and also send every line to syslog at facility local6:
CustomLog "|/usr/bin/tee -a /var/log/httpd/access_log | /usr/bin/logger -thttpd -plocal6.notice" combined
ErrorLog "|/usr/bin/tee -a /var/log/httpd/error_log | /usr/bin/logger -thttpd -plocal6.err"
Restart HTTPD for changes to take effect. Make arrangements with Security to scan the system when the final content (app & code) is ready to go live. Confirm with security that remote logging is working for this server.
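The text warns that the log directives may already exist elsewhere in the file; a stock CustomLog left behind in a virtual host or in ssl.conf quietly keeps one log off the central server. The script below is an added example, not part of the original page: it lists every active CustomLog/ErrorLog directive in a configuration file and fails unless all of them pipe through logger to a local6 priority as shown above. The two sample configurations inside it are constructed for the example, one stock SLF5 default and one after the change; the script name check_httpd_logs.sh is assumed.

```shell
#!/bin/sh
# Added example (not from the original procedure): verify that every httpd
# log directive in a config file goes to syslog via logger at facility local6.

# Print every active (non-comment) CustomLog / ErrorLog line of a config file.
log_directives() {
    grep -iE '^[[:space:]]*(CustomLog|ErrorLog)[[:space:]]' "$1"
}

# Return 0 when the file has at least one log directive and every one of
# them is a pipe ("|...") through logger with -plocal6.notice or -plocal6.err;
# otherwise print the offending directives on stderr and return 1.
logs_go_to_syslog() {
    conf=$1
    total=$(log_directives "$conf" | wc -l | tr -d ' ')
    [ "$total" -gt 0 ] || { echo "no log directives found in $conf" >&2; return 1; }
    bad=$(log_directives "$conf" | grep -vE '"\|.*logger.*-plocal6\.(notice|err)' || true)
    if [ -n "$bad" ]; then
        echo "not sent to central syslog in $conf:" >&2
        echo "$bad" >&2
        return 1
    fi
    return 0
}

# Constructed sample: the stock SLF5 logging block.
sample_stock_conf() {
    cat <<'EOF'
# default out-of-the-box SLF5 logging
ErrorLog logs/error_log
LogLevel warn
CustomLog logs/access_log combined
EOF
}

# Constructed sample: after the central-logging edit (old line left commented).
sample_central_conf() {
    cat <<'EOF'
ErrorLog "|/usr/bin/tee -a /var/log/httpd/error_log | /usr/bin/logger -thttpd -plocal6.err"
LogLevel warn
#CustomLog logs/access_log combined
CustomLog "|/usr/bin/tee -a /var/log/httpd/access_log | /usr/bin/logger -thttpd -plocal6.notice" combined
EOF
}

# Check the real files: httpd.conf plus everything conf.d includes, e.g.
#   sh check_httpd_logs.sh /etc/httpd/conf/httpd.conf /etc/httpd/conf.d/ssl.conf
rc=0
for f in "$@"; do
    logs_go_to_syslog "$f" || rc=1
done
if [ "$#" -gt 0 ] && [ "$rc" -eq 0 ]; then
    echo "all log directives go to local6 via logger"
fi
```

Passing ssl.conf as well matters here: the SLF5 mod_ssl default virtual host carries its own ErrorLog and TransferLog/CustomLog lines, and those are what the HTTPS traffic actually writes to.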
12. Other steps done using root after receiving the system

Thu Oct 13 13:30:46 CDT 2011 -- Required to git clone the application from the repository
yum --enablerepo=dag install git
git.x86_64 0:22.214.171.124-1.el5.rf
perl-Git.x86_64 0:126.96.36.199-1.el5.rf

Fri Oct 14 13:14:14 CDT 2011 -- Optional -- Used to validate the application w/o Apache/Passenger
Added the next line to /etc/config/iptables and did: service iptables restart
-A RH-Firewall-1-INPUT -p tcp -s 188.8.131.52/255.255.0.0 --dport 3000 -m state --state NEW,ESTABLISHED -j ACCEPT
Purpose: to open the port that WEBrick uses.

Fri Oct 14 13:26:41 CDT 2011 -- Required
[root@survey ~]# yum --enablerepo=fermi-security install \
    mysql-server.x86_64 mysql-devel.x86_64 mysql-devel.i386 \
    mysql-connector-odbc.x86_64 mysql-bench.x86_64
I was a bit heavy-handed here. I needed the development material to build the Ruby-MySQL interface.

Fri Oct 14 13:30:06 CDT 2011
Did gem install mysql

Fri Oct 14 13:43:53 CDT 2011 -- Required
[root@survey ~]# chkconfig mysqld on
[root@survey ~]# chkconfig --list mysqld
mysqld 0:off 1:off 2:on 3:on 4:on 5:on 6:off
[root@survey ~]# service mysqld start
Initializing MySQL database: Installing MySQL system tables...
OK
Filling help tables...
OK
To start mysqld at boot time you have to copy support-files/mysql.server to the right place for your system
PLEASE REMEMBER TO SET A PASSWORD FOR THE MySQL root USER !
To do so, start the server, then issue the following commands:
/usr/bin/mysqladmin -u root password 'new-password'
/usr/bin/mysqladmin -u root -h survey.fnal.gov password 'new-password'
Alternatively you can run:
/usr/bin/mysql_secure_installation
which will also give you the option of removing the test databases and anonymous user created by default. This is strongly recommended for production servers.
See the manual for more instructions.
You can start the MySQL daemon with:
cd /usr ; /usr/bin/mysqld_safe &
You can test the MySQL daemon with mysql-test-run.pl
cd mysql-test ; perl mysql-test-run.pl
Please report any problems with the /usr/bin/mysqlbug script!
The latest information about MySQL is available on the web at http://www.mysql.com
Support MySQL by buying support/licenses at http://shop.mysql.com
[ OK ]
Starting MySQL: [ OK ]
[root@survey ~]#

Fri Oct 14 13:48:14 CDT 2011 -- Required
/usr/bin/mysqladmin -u root password 'MagicAct2011'
/usr/bin/mysqladmin -u root -h survey.fnal.gov password 'MagicAct2011'
/usr/bin/mysql_secure_installation
All were executed. In the mysql command line processor:
create user cvdb_writer;
create database cvdb_prod2011;
create database cvdb_test2011;
create database cvdb_dev2011;
grant all privileges on *.* to 'cvdb_writer'@'%';

Mon Oct 17 10:50:21 CDT 2011 -- Required
Adding configuration data for SSL and LDAP to /etc/httpd/conf and /etc/httpd/conf/conf.d (itself an added directory). The source for the added files in /etc/httpd/conf/conf.d is oink.fnal.gov.

Mon Oct 17 10:53:56 CDT 2011 -- Optional -- desired for this specific task
yum install java
to make /usr/bin/keytool available to examine the cacerts file.

Tue Oct 18 14:58:21 CDT 2011 -- Optional -- Switched to mysql exclusively
gem install sqlite3
Failed, missing some packages. I will switch the tests to using mysql, which already works.

Wed Oct 19 14:33:32 CDT 2011 -- Optional -- Switched to mysql exclusively
For the sake of completeness: gem install sqlite3-ruby attempted and failed.
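The grant recorded in the log above creates cvdb_writer with no password and ALL PRIVILEGES ON *.* from any host ('%'), which is a second root account reachable over the network once the exemption opens the host. The script below is an added example, not part of the original log: it generates the equivalent least-privilege statements for the three cvdb databases, with the account limited to localhost (Passenger runs the application on the same host as MySQL) and to the DML the application needs plus the DDL that rake db:migrate needs. It reads the password from the CVDB_DB_PASSWORD environment variable (an assumed name) so that the password does not appear on a command line the way the mysqladmin invocations above put the root password into shell history; the script name cvdb_grants.sh and the password file /root/cvdb_writer.pw are also assumed.

```shell
#!/bin/sh
# Added example (not the steps the log records): emit least-privilege MySQL
# grants for the cvdb databases instead of
#   create user cvdb_writer;  grant all privileges on *.* to 'cvdb_writer'@'%';
# The password comes from the environment (CVDB_DB_PASSWORD, an assumed name).

# Accept only identifiers that are safe to embed unquoted-ish in SQL:
# database names [A-Za-z0-9_], host names [A-Za-z0-9_.-] (so no '%' wildcard).
valid_db()   { case "$1" in '' | *[!A-Za-z0-9_]*)  return 1 ;; esac; }
valid_host() { case "$1" in '' | *[!A-Za-z0-9_.-]*) return 1 ;; esac; }

# cvdb_grant_sql HOST DB... -> SQL on stdout creating cvdb_writer@HOST with
# rights on the listed databases only. Returns 1 on any invalid input.
cvdb_grant_sql() {
    host=$1
    shift
    [ -n "$CVDB_DB_PASSWORD" ] || { echo "CVDB_DB_PASSWORD is not set" >&2; return 1; }
    [ "$#" -gt 0 ]             || { echo "no databases given" >&2; return 1; }
    valid_host "$host"         || { echo "bad host: $host" >&2; return 1; }
    # A quote or backslash in the password would break the SQL string literal
    # (or let it escape); refuse rather than try to escape it by hand.
    case "$CVDB_DB_PASSWORD" in
        *\'* | *\\*) echo "password must not contain ' or \\" >&2; return 1 ;;
    esac
    for db in "$@"; do
        valid_db "$db" || { echo "bad database name: $db" >&2; return 1; }
    done

    printf "CREATE USER 'cvdb_writer'@'%s' IDENTIFIED BY '%s';\n" "$host" "$CVDB_DB_PASSWORD"
    for db in "$@"; do
        printf "CREATE DATABASE IF NOT EXISTS \`%s\`;\n" "$db"
        # DML for the running Rails app, plus the DDL rake db:migrate uses;
        # nothing on mysql.*, nothing on other schemas, no GRANT OPTION.
        printf "GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, ALTER, INDEX, LOCK TABLES ON \`%s\`.* TO 'cvdb_writer'@'%s';\n" "$db" "$host"
    done
    printf "FLUSH PRIVILEGES;\n"
}

# Apply as the MySQL root user that mysql_secure_installation protected, e.g.
#   CVDB_DB_PASSWORD=$(cat /root/cvdb_writer.pw) sh cvdb_grants.sh localhost \
#       cvdb_prod2011 cvdb_test2011 cvdb_dev2011 | mysql -u root -p
# (/root/cvdb_writer.pw: mode 0600; only the cat command reaches shell history.)
if [ "$#" -gt 0 ]; then
    cvdb_grant_sql "$@"
fi
```

Put the same password in config/database.yml with the file mode restricted to the user the application runs as, and drop the original cvdb_writer@'%' account afterwards; with the account bound to localhost, even a stolen password is useless from outside the host.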