Hardware and Operating System Setup

This document provides detailed instructions on how to install and configure the operating system, Apache, MySQL, and Ruby Enterprise Edition used by the Scientist Survey application.

The installation procedure is provided as a recipe of twelve (12) sequential, numbered steps. Some steps are optional and are marked with the word "optional" next to their number. It is important to follow the installation and configuration steps in the suggested order.

1. Perform a generic installation of SLF 5.x x64 onto your server

a. during the installation select the "Fermi Generic Server Workgroup" option;
b. configure the host name (e.g. survey.fnal.gov) and its static IP address;
c. leave all remaining settings at their defaults; do not select any additional packages at this time;
d. update the operating system to the latest version of SLF 5.x x64;
NOTE: Detailed upgrade instructions are available at

https://fermilinux.fnal.gov/documentation/tips/upgrade-to-latest-slf5x.html

e. Add a new user and group, both called cvdb (use &&, so the group exists before the user is created; a single & would put groupadd in the background and race useradd):

groupadd cvdb && useradd -g cvdb cvdb

2. (Optional) Install Puppet and related packages using the instructions at

https://sharepoint.fnal.gov/cd/sites/uss/wiki/Wiki%20Pages/Unix_Linux_Howto_Puppet_Install_Client.aspx

This step is typically required for any system supported by the ESO/USS group.

3. Install additional packages: MySQL, Apache with mod_ssl, and the Apache LDAP authorization module (mod_authz_ldap)

Shell commands:

yum install mysql-server mysql
yum install httpd mod_ssl mod_authz_ldap
chkconfig httpd on
chkconfig mysqld on

4. Install the Ruby that comes with SLF 5.x

The Scientist Survey application uses Ruby Enterprise Edition, which is built from source and needs an existing Ruby to compile. Therefore the Ruby packaged with SLF 5.x is installed now and uninstalled later (step 6), once the Enterprise Edition RPMs have been built.

Shell command:

yum install ruby ruby-libs

NOTE: two packages are installed

(1/2): ruby-1.8.5-19.el5_6.1.x86_64.rpm

(2/2): ruby-libs-1.8.5-19.el5_6.1.x86_64.rpm

5. Download and rebuild Ruby Enterprise edition as described on the page below

http://www.cherpec.com/2009/10/ruby-enterprise-edition-1-8-7-source-rpm-for-centos5-rhel5/

a. install the Linux packages required to build Ruby from source

Shell commands:

yum install readline-devel ncurses-devel glibc-devel autoconf gcc
yum install openssl-devel db4-devel byacc gdbm-devel rpm-build gcc-c++
yum install curl-devel httpd-devel apr-util apr-util-devel
yum install apr-util-docs

b. download and rebuild Ruby Enterprise Edition

Shell commands:

wget ftp://ftp.ruby-lang.org/pub/ruby/1.8/ruby-1.8.7-p72.tar.gz
gunzip ruby-1.8.7-p72.tar.gz
tar -xf ruby-1.8.7-p72.tar
rpmbuild --rebuild --define 'dist el5' ruby-enterprise-1.8.7-1.el5.src.rpm

The source RPM (ruby-enterprise-1.8.7-1.el5.src.rpm) comes from the page linked above. Both downloads arrive over unauthenticated FTP/HTTP, so compare the tarball against the checksum published on ruby-lang.org before building from it.

NOTE: Newly built RPMs go into the /usr/src/redhat/RPMS/x86_64/ directory

6. Uninstall the old version of Ruby

Shell commands:

rpm -e ruby-1.8.5-19.el5_6.1.x86_64
rpm -e ruby-libs-1.8.5-19.el5_6.1.x86_64

7. Install Ruby Enterprise Edition

Shell commands:

rpm -i /usr/src/redhat/RPMS/x86_64/ruby-enterprise-1.8.7-1.el5.x86_64.rpm
rpm -i /usr/src/redhat/RPMS/x86_64/ruby-enterprise-rubygems-1.3.2-1.el5.x86_64.rpm

Important: check the versions of ruby and gem.

[root@survey ~]# ruby --version

ruby 1.8.7 (2009-06-12 patchlevel 174) [x86_64-linux], MBARI 0x6770, Ruby Enterprise Edition 20090928

[root@survey ~]# gem --version

1.3.5

8. Install rake-0.8.7

Shell commands:

gem install rake --version 0.8.7

Output:

Successfully installed rake-0.8.7

1 gem installed

Installing ri documentation for rake-0.8.7...

Installing RDoc documentation for rake-0.8.7...

9. Install rails-2.3.2

Shell commands:

gem install rails --version 2.3.2

Output:

Successfully installed activesupport-2.3.2

Successfully installed activerecord-2.3.2

Successfully installed actionpack-2.3.2

Successfully installed actionmailer-2.3.2

Successfully installed activeresource-2.3.2

Successfully installed rails-2.3.2

6 gems installed

Installing ri documentation for activesupport-2.3.2...

Installing ri documentation for activerecord-2.3.2...

Installing ri documentation for actionpack-2.3.2...

Installing ri documentation for actionmailer-2.3.2...

Installing ri documentation for activeresource-2.3.2...

Installing ri documentation for rails-2.3.2...

Installing RDoc documentation for activesupport-2.3.2...

Installing RDoc documentation for activerecord-2.3.2...

Installing RDoc documentation for actionpack-2.3.2...

Installing RDoc documentation for actionmailer-2.3.2...

Installing RDoc documentation for activeresource-2.3.2...

Installing RDoc documentation for rails-2.3.2...

10. Install Passenger.

Detailed instructions are at http://www.modrails.com/videos/passenger.mov

a. Install the passenger-3.0.9 gem (pin the version, as for rake and rails above, so that a later rebuild of the server installs the same release)

Shell commands:

gem install passenger --version 3.0.9

Output:

Building native extensions. This could take a while...

Successfully installed fastthread-1.0.7

Successfully installed daemon_controller-0.2.6

Successfully installed rack-1.3.5

Successfully installed passenger-3.0.9

4 gems installed

...

...

...

No definition for rb_queue_marshal_dump

Installing RDoc documentation for daemon_controller-0.2.6...

Installing RDoc documentation for rack-1.3.5...

Installing RDoc documentation for passenger-3.0.9...

b. Install the Passenger module for Apache

Shell commands:

passenger-install-apache2-module

Output:

--------------------------------------------

The Apache 2 module was successfully installed.

Please edit your Apache configuration file, and add these lines:

   LoadModule passenger_module /usr/local/lib/ruby/gems/1.8/gems/passenger-3.0.9/ext/apache2/mod_passenger.so

   PassengerRoot /usr/local/lib/ruby/gems/1.8/gems/passenger-3.0.9

   PassengerRuby /usr/local/bin/ruby

After you restart Apache, you are ready to deploy any number of Ruby on Rails

applications on Apache, without any further Ruby on Rails-specific

configuration!

11. Request an SSL cert (for https:// secure access): On the target host, generate a certificate signing request (CSR) with the following command:

openssl req -new -newkey rsa:2048 -nodes -out star_fnal_gov.csr -keyout star_fnal_gov.key -subj "/C=US/ST=Illinois/L=Batavia/O=Fermi National Accelerator Laboratory/OU=CSS-CSI/CN=*.fnal.gov"

This generates two files: the request (star_fnal_gov.csr) and, because of -nodes, an unencrypted private key (star_fnal_gov.key). Forward only the .csr file to the Web, Unified Communications, and Collaboration Services group and request a "star cert" for the server (provide the hostname, although the generated cert will not be hostname specific). You will also need to raise a ticket for this, assigned to Web, Unified Communications, and Collaboration Services. That group will mail you the certificate in .zip format.

When you receive it, handle the files carefully. The certificate itself is public; the item to protect is the private key that stayed on the host. Never share or forward the key, and do not back up the directory it is placed in.

Unzip the file, and place the files in a directory that is secure (not world readable) and where the Apache HTTPD process can access it. I used /etc/pki/tls/certs/. Make the key file readable by root only (mode 0600, owned by root): httpd reads it while still running as root at startup, before it drops to the apache user, so no wider permission is needed.

Next, edit the file /etc/httpd/conf.d/ssl.conf and make sure the following lines are specified as below (they might already exist in different places in the file):

SSLCertificateFile /your/path/to/star_fnal_gov.crt
SSLCertificateKeyFile /your/path/to/star_fnal_gov.key
SSLCertificateChainFile /your/path/to/DigiCertCA.crt

Replace /your/path/to/ with /etc/pki/tls/certs/ if you used my example above.

Restart the httpd process and test https://yourserver.fnal.gov/ to ensure that it displays correctly.

  • Note about Step 11: This can be started any time after the server OS is installed and HTTPD is running. You do not have to wait until Step 10 is complete to start this step.
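The Passenger directives printed by passenger-install-apache2-module and the certificate directives above end up in two different places in the Apache configuration. The script below is an added example, not part of the original page, that renders both fragments and checks the private key's permissions. It assumes the application checkout lives in /home/cvdb/survey (so its public/ directory is the DocumentRoot) and that the certificate files sit in /etc/pki/tls/certs/ as in the text; both paths are assumptions and can be overridden through APP_ROOT and CERT_DIR.

```shell
#!/bin/sh
# Added example, not from the original page. Renders the Apache fragments for
# steps 10 and 11 and checks that the private key is not readable beyond root.
# Assumptions: the Rails checkout lives in /home/cvdb/survey (its public/
# directory is the DocumentRoot) and the cert files sit in /etc/pki/tls/certs/.

APP_ROOT=${APP_ROOT:-/home/cvdb/survey}
CERT_DIR=${CERT_DIR:-/etc/pki/tls/certs}
PASSENGER_ROOT=/usr/local/lib/ruby/gems/1.8/gems/passenger-3.0.9

# Global module lines, as printed by passenger-install-apache2-module.
# They go in their own file, e.g. /etc/httpd/conf.d/passenger.conf.
render_passenger_conf() {
    cat <<EOF
LoadModule passenger_module $PASSENGER_ROOT/ext/apache2/mod_passenger.so
PassengerRoot $PASSENGER_ROOT
PassengerRuby /usr/local/bin/ruby
EOF
}

# Directives for the <VirtualHost _default_:443> block that ssl.conf already
# defines (replace the SSL* lines that are already there). They belong in that
# block rather than in a second :443 vhost: the stock httpd 2.2.3 on SLF5 has
# no SNI, so it could not pick a second TLS vhost by name anyway.
render_ssl_vhost_body() {
    cat <<EOF
    SSLEngine on
    # SSLv2 is already off in the stock ssl.conf; SSLv3 is dropped as well.
    SSLProtocol all -SSLv2 -SSLv3
    SSLCertificateFile      $CERT_DIR/star_fnal_gov.crt
    SSLCertificateKeyFile   $CERT_DIR/star_fnal_gov.key
    SSLCertificateChainFile $CERT_DIR/DigiCertCA.crt

    # Passenger serves the Rails application whose public/ is the DocumentRoot.
    DocumentRoot $APP_ROOT/public
    RailsEnv production
    <Directory $APP_ROOT/public>
        AllowOverride all
        Options -MultiViews
        Order allow,deny
        Allow from all
    </Directory>
EOF
}

# Return 0 when the key is readable by its owner only. httpd reads the key as
# root at startup, before dropping to the apache user, so 0600 root:root suffices.
key_perms_ok() {
    mode=$(ls -l "$1" | cut -c1-10)
    case $mode in
        -rw-------|-r--------) return 0 ;;
        *) echo "$1: mode $mode is readable beyond the owner" >&2; return 1 ;;
    esac
}

# Stand-alone use (as root): print both fragments and check the key.
if [ "${1:-}" = "--show" ]; then
    render_passenger_conf
    echo
    render_ssl_vhost_body
    key_perms_ok "$CERT_DIR/star_fnal_gov.key"
fi
```

Run `sh survey-httpd.sh --show` (any file name) after placing the certificate files, then paste the two fragments into conf.d/passenger.conf and into the existing :443 vhost in ssl.conf and restart httpd; key_perms_ok failing means the key was unpacked with the zip's permissions and must be tightened first.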

12. Request a Web Exemption for the border router through-hole: This allows outside parties to access https://server.fnal.gov. You will need to submit this prior to completion of the server set-up; however, the final exemption will not be granted until the final application is available for scanning. Open a ticket, and ask for it to be assigned to the Computer Security Team, with the following information:


SUMMARY: Please assign to Computer Security Team. Need web exemption for ccdss.

NOTES: Summary: Web Exemption Request for server.fnal.gov 131.225.XXX.XXX

Action: [X] Add this web server [ ] Remove this web server

Requestors/Web Server Administrator name: (Your Name)

Web server DNS name: server.fnal.gov

Web server IP address: 131.225.XXX.XXX

Ports required: [X] 80 [X] 443

Is my web server content staged and ready to be accessed?: [ ] Yes [X] No

Does this web server send logs to the CST Central Syslog Server?: [ ] Yes [X] No

Briefly describe the function of this web service: Scientific Survey web server.

Prior to receiving the exemption, central logging of syslog and httpd will have to be set up:

# yum install zz_use_clogger

Edit the /etc/httpd/conf/httpd.conf file. Since installations may differ, the below is an example using the default out-of-box SLF5 httpd.conf - adjust to your taste:

Change:

CustomLog logs/access_log combined
ErrorLog logs/error_log

To:

CustomLog "|/usr/bin/tee -a /var/log/httpd/access_log | /usr/bin/logger -thttpd -plocal6.notice" combined
ErrorLog "|/usr/bin/tee -a /var/log/httpd/error_log | /usr/bin/logger -thttpd -plocal6.err"

Each piped program is started by the httpd parent process (which runs as root): tee keeps writing the local log files while logger copies every line to syslog facility local6, which the central-logging setup above forwards off the host.

Restart HTTPD for changes to take effect. Make arrangements with Security to scan the system when the final content (app & code) is ready to go live. Confirm with security that remote logging is working for this server.
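Because the CustomLog and ErrorLog lines may sit anywhere in httpd.conf, or inside a vhost in conf.d, the following added example (not from the original page) rewrites every unpiped CustomLog/ErrorLog directive read on stdin into the tee-plus-logger form shown above. It assumes the same log paths and syslog facility as the text, that ServerRoot-relative logs/ paths resolve to /var/log/httpd/ (true for the stock SLF5 httpd.conf), and that CustomLog's format argument is a nickname such as combined. Directives that already pipe to a program are left alone, so the rewrite can be re-run without double-wrapping.

```shell
#!/bin/sh
# Added example, not from the original page. Rewrites plain CustomLog/ErrorLog
# directives (read on stdin) into the tee-plus-logger form used in step 12, so
# the local file is still written and every line also reaches syslog local6.
# Assumptions: log paths relative to ServerRoot resolve to /var/log/httpd/,
# as in the stock SLF5 httpd.conf; the CustomLog format argument is a nickname.

httpd_logs_to_syslog() {
    awk '
    # Leading whitespace of the original line, so vhost indentation survives.
    function indent(line) { match(line, /[^ \t]/); return substr(line, 1, RSTART - 1) }
    # logs/foo is relative to ServerRoot (/etc/httpd/logs -> /var/log/httpd).
    function fullpath(p)  { sub(/^logs\//, "/var/log/httpd/", p); return p }
    # Directives that already pipe to a program start with "| or |: leave them
    # alone so the rewrite is idempotent. Apache directive names are
    # case-insensitive, hence tolower().
    tolower($1) == "customlog" && $2 !~ /^"?[|]/ {
        printf "%sCustomLog \"|/usr/bin/tee -a %s | /usr/bin/logger -thttpd -plocal6.notice\" %s\n",
               indent($0), fullpath($2), $3
        next
    }
    tolower($1) == "errorlog" && $2 !~ /^"?[|]/ {
        printf "%sErrorLog \"|/usr/bin/tee -a %s | /usr/bin/logger -thttpd -plocal6.err\"\n",
               indent($0), fullpath($2)
        next
    }
    { print }
    '
}

# Stand-alone use: write a rewritten copy, then syntax-check it before
# swapping it in:  httpd -t -f /etc/httpd/conf/httpd.conf.new
if [ "${1:-}" = "--rewrite" ]; then
    httpd_logs_to_syslog < /etc/httpd/conf/httpd.conf > /etc/httpd/conf/httpd.conf.new
fi
```

After swapping the rewritten file in and restarting httpd, confirm the forwarding end to end: fetch one page, then check that the line appears both in /var/log/httpd/access_log and on the central syslog server before telling the Computer Security Team that remote logging works.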

Other steps done using root after receiving the system


Thu Oct 13 13:30:46 CDT 2011 -- Required to git clone the application from the repository

yum --enablerepo=dag install git

git.x86_64 0:1.7.6.1-1.el5.rf

perl-Git.x86_64 0:1.7.6.1-1.el5.rf

Fri Oct 14 13:14:14 CDT 2011 -- Optional -- Used to validate the application without Apache/Passenger

Added the next line to /etc/sysconfig/iptables and ran: service iptables restart

-A RH-Firewall-1-INPUT -p tcp -s 131.225.0.0/255.255.0.0 --dport 3000 -m state --state NEW,ESTABLISHED -j ACCEPT

Purpose: to open the port that WEBrick uses.

Fri Oct 14 13:26:41 CDT 2011 -- Required

[root@survey ~]# yum --enablerepo=fermi-security install \
    mysql-server.x86_64 mysql-devel.x86_64 mysql-devel.i386 \
    mysql-connector-odbc.x86_64 mysql-bench.x86_64

I was a bit heavy-handed here. I needed the development packages to build the Ruby-MySQL interface.

Fri Oct 14 13:30:06 CDT 2011

Did gem install mysql

Fri Oct 14 13:43:53 CDT 2011 -- Required

[root@survey ~]# chkconfig mysqld on

[root@survey ~]# chkconfig --list mysqld

mysqld 0:off 1:off 2:on 3:on 4:on 5:on 6:off

[root@survey ~]# service mysqld start

Initializing MySQL database: Installing MySQL system tables...

OK

Filling help tables...

OK

To start mysqld at boot time you have to copy

support-files/mysql.server to the right place for your system

PLEASE REMEMBER TO SET A PASSWORD FOR THE MySQL root USER !

To do so, start the server, then issue the following commands:

/usr/bin/mysqladmin -u root password 'new-password'

/usr/bin/mysqladmin -u root -h survey.fnal.gov password 'new-password'

Alternatively you can run:

/usr/bin/mysql_secure_installation

which will also give you the option of removing the test

databases and anonymous user created by default. This is

strongly recommended for production servers.

See the manual for more instructions.

You can start the MySQL daemon with:

cd /usr ; /usr/bin/mysqld_safe &

You can test the MySQL daemon with mysql-test-run.pl

cd mysql-test ; perl mysql-test-run.pl

Please report any problems with the /usr/bin/mysqlbug script!

The latest information about MySQL is available on the web at

  http://www.mysql.com

Support MySQL by buying support/licenses at http://shop.mysql.com

[ OK ]

Starting MySQL: [ OK ]

[root@survey ~]#

Fri Oct 14 13:48:14 CDT 2011 -- Required

# root password redacted here; mysqladmin takes it from the command line, where it is visible in ps output and saved in the shell history
/usr/bin/mysqladmin -u root password '<root-password>'
/usr/bin/mysqladmin -u root -h survey.fnal.gov password '<root-password>'
/usr/bin/mysql_secure_installation

All were executed.

In the mysql command-line client:

create user cvdb_writer;

create database cvdb_prod2011;

create database cvdb_test2011;

create database cvdb_dev2011;

grant all privileges on *.* to 'cvdb_writer'@'%';
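The account created above has no password, may connect from any host ('%'), and holds every privilege on every database, so if port 3306 is ever reachable it is a passwordless equivalent of root. The following added example, not part of the original log, prints the SQL for a least-privilege replacement: a password-protected account that can only log in from localhost and only touch the three cvdb_* databases. It assumes MySQL 5.0 as shipped with SLF5 and that the Rails application runs on this same host; the file /root/cvdb_writer.pw used to supply the password is an assumption.

```shell
#!/bin/sh
# Added example, not from the original page. Prints SQL that replaces
#   create user cvdb_writer; grant all privileges on *.* to 'cvdb_writer'@'%';
# with a password-protected account limited to localhost and to the three
# cvdb_* databases. Assumes MySQL 5.0 (SLF5) and a Rails app on the same host.

# $1 = password for cvdb_writer. The SQL is printed, not executed, so the
# password never appears on a command line visible in ps or shell history.
cvdb_grant_sql() {
    pw=$1
    # A quote or backslash would break out of the string literal below.
    case $pw in
        ''|*\'*|*\\*) echo "password must be non-empty and contain neither ' nor \\" >&2; return 1 ;;
    esac
    # Remove the wildcard, passwordless account from the log above
    # (skip this line if that account was never created).
    printf "DROP USER 'cvdb_writer'@'%%';\n"
    printf "CREATE USER 'cvdb_writer'@'localhost' IDENTIFIED BY '%s';\n" "$pw"
    # DML plus the DDL that rake db:migrate needs, on the app databases only;
    # no GRANT OPTION, no access to the mysql schema or other databases.
    for db in cvdb_prod2011 cvdb_test2011 cvdb_dev2011; do
        printf "GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, INDEX, ALTER ON %s.* TO 'cvdb_writer'@'localhost';\n" "$db"
    done
    printf "FLUSH PRIVILEGES;\n"
}

# Stand-alone use: read the password from a root-only file (assumed path) and
# feed the SQL to the client; mysql -p prompts for the root password on the tty.
if [ "${1:-}" = "--apply" ]; then
    pw=$(cat /root/cvdb_writer.pw) && cvdb_grant_sql "$pw" | mysql -u root -p
fi
```

The same password then goes into the application's database.yml with host: localhost; if the test suite or a developer must connect from elsewhere, add a second 'cvdb_writer'@'<that host>' entry with the same database-scoped grants rather than widening the host to '%'.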

Mon Oct 17 10:50:21 CDT 2011 -- Required

Adding configuration data for SSL and LDAP to /etc/httpd/conf and /etc/httpd/conf/conf.d (itself an added directory). The source for the added files in /etc/httpd/conf/conf.d is oink.fnal.gov.

Mon Oct 17 10:53:56 CDT 2011 -- Optional -- desired for this specific task

yum install java, to get /usr/bin/keytool for examining the cacerts file.

Tue Oct 18 14:58:21 CDT 2011 -- Optional -- Switched to mysql exclusively

gem install sqlite3

Failed, missing some packages. I will switch the tests to using mysql, which already works.

Wed Oct 19 14:33:32 CDT 2011 -- Optional -- Switched to mysql exclusively

For the sake of completeness: gem install sqlite3-ruby was attempted and failed.