Wednesday, June 24, 2009

SSH and ubuntu

Reminder to self, after not looking at Ubuntu for a while - you need to install ssh server!

apt-get install openssh-server

Monday, September 8, 2008

Configuring svn, trac, SSL under Ubuntu

Been working on setting up subversion, with trac and SSL - currently for evaluation purposes.

I’m not a developer at all, and although I respect that you can build everything from src, prefer not to.

Normally CentOS is the Linux distribution I use, but frankly, it’s a hell of a hassle getting the dependencies sorted - quicksilver et al. I do have something running under it, but not especially happy with it. May return to look at it again later.

So, instead I’ve taken a quick look at Ubuntu 8.04 for it - server not desktop edition, so no GUI. In general, the installation and configuration process for this leaves something to be desired. The following *appears* to get it working for me. I’m not claiming it to be optimal or even “correct”. I’m also not looking at configuration of trac and subversion, just getting them installed and available.

The webserver itself (for my purposes) will also require php support, so I’m going to add a bunch more packages for that.

I wish to use SSL to support https

I’m going to place both subversion repositories and trac pages on a separate disk under a /subversion mount.
/subversion/repos - subversion
/subversion/trac - trac

Subversion repositories will be available as
https://localhost/svnrepos/
Trac as
https://localhost/trac/

Trac has anonymous browsing enabled, with authentication required for the login option. Subversion should require login anyway. Yes, there’s no point requiring a login in subversion if you allow anonymous access to the “browse source” option in trac, but this is a test setup. It’s easy to modify the necessary apache directives to require authentication for all of trac.

Standard http pages may still be served out of the default

Firewall enabled, and SSH, http/https only allowed

# Firewall - I like to work with firewalls on at the start/at all times:
sudo ufw enable
sudo ufw allow 22/tcp
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
# check it
sudo ufw status 

# get some packages
sudo apt-get install subversion libapache2-svn apache2 python2.4-pysqlite2 python-clearsilver python-subversion

# get trac and install it
wget http://ftp.edgewall.com/pub/trac/trac-0.10.4.tar.gz
tar -xzf trac-0.10.4.tar.gz
cd trac-0.10.4 
sudo python setup.py install

# get some more php related packages
sudo apt-get install libapache2-mod-php5 php5 php5-common php5-curl php5-dev php5-gd php5-imagick php5-mcrypt php5-memcache php5-mhash php5-mysql php5-pspell php5-snmp php5-sqlite php5-xmlrpc php5-xsl

# Ensure relevent modules are loaded
sudo a2enmod ssl
sudo a2enmod php5

# Bounce apache after any changes
sudo /etc/init.d/apache2 restart

# I like to test that pages are being served, and .php is supported at this point

# Deal with SSL.
sudo mkdir /etc/apache2/ssl
sudo apt-get install ssl-cert
sudo /usr/sbin/make-ssl-cert /usr/share/ssl-cert/ssleay.cnf /etc/apache2/ssl/apache.pem
# follow the text-based wizard

As I want access to be via https only for trac and the repositories, i.e. /svnrepos and /trac, amend /etc/apache2/sites-available/default as follows (following the end of the default VirtualHost directives) :

NameVirtualHost *:443
<VirtualHost *:443>

    SSLEngine on

    SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
    SSLCertificateFile /etc/apache2/ssl/apache.pem
    SSLProtocol all
    SSLCipherSuite HIGH:MEDIUM

    ScriptAlias /trac /usr/share/trac/cgi-bin/trac.cgi

    <Location "/trac">
        SetEnv TRAC_ENV_PARENT_DIR "/subversion/trac"
    </Location>

    <LocationMatch "/trac/[^/]+/login">
        AuthType Basic
        AuthName "Trac"
        AuthUserFile /etc/svn-auth-conf2
        Require valid-user
    </LocationMatch>

    <Location /svnrepos>
        DAV svn
        SVNParentPath /subversion/repos
        AuthType Basic
        AuthName "Subversion"
        AuthUserFile /etc/svn-auth-conf2
        Require valid-user
    </Location>

</VirtualHost>

# /etc/svn-auth-conf2 is the file storing passwords created with 
sudo htpasswd -c -m /etc/svn-auth-conf2 username

I’m doing all my testing under VMware ESXi, so adding a 2nd disk is easier from a resources perspective. See my principles post for my reasons on a 2nd disk - separate system from data. This 2nd disk will appear as a SCSI disk - in my case /dev/sdb.

Use fdisk to create a partition - again, just accepting the defaults, which as a partition will be /dev/sdb1 - and format it as ext3.

# Create mount point - /subversion and my directories /subversion/repos and /subversion/trac
sudo mkdir /subversion
sudo mkdir /subversion/trac /subversion/repos

# Add entry to /etc/fstab to mount on reboot.

# I create my svn repository in /subversion/repos with :
sudo svnadmin create /subversion/repos/repositoryname
# I set permissions
sudo chown -R www-data:www-data /subversion/repos/repositoryname

# I create the trac layout in /subversion/trac with :
sudo trac-admin /subversion/trac/repositoryname initenv
# And answer the questions posed
# I set permissions with
sudo chown -R www-data:www-data /subversion/trac/repositoryname
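Once the above is in place, the things worth re-checking are the TLS directives in the SSL VirtualHost and the htpasswd file both Trac and Subversion authenticate against. The following post-setup audit is an added example, not part of this post and not from the Apache, Subversion or Trac projects: given the path to the vhost config and the AuthUserFile, it prints one line per setting a defender would tighten (SSLProtocol all, which on Apache 2.2 also permits SSLv2 and SSLv3; MEDIUM and similar cipher classes; a +FakeBasicAuth with no SSLVerifyClient; an auth file that is readable by others, holds an unhashed password, or lists a user twice). The function names, the argument paths and the sample contents in demo() are assumptions constructed to mirror the directives in the post.

```shell
#!/bin/sh
# Post-setup audit for the SSL VirtualHost and the AuthUserFile set up above.
# Added example, not part of the original post: the paths are passed in as
# arguments and the samples in demo() are constructed to mirror the post.

# audit_ssl_vhost CONF
# Prints one line per weak TLS setting found in CONF; exit status 0 if none.
audit_ssl_vhost() {
    conf="$1"
    n=0
    # On Apache 2.2 "SSLProtocol all" is shorthand for +SSLv2 +SSLv3 +TLSv1,
    # so with no exclusions both legacy SSL versions stay negotiable.
    if grep -Eq '^[[:space:]]*SSLProtocol[[:space:]]+all[[:space:]]*$' "$conf"; then
        echo "SSLProtocol all: SSLv2/SSLv3 negotiable; use 'SSLProtocol all -SSLv2 -SSLv3'"
        n=$((n + 1))
    fi
    # Split the SSLCipherSuite value on ':' and report enabled weak classes.
    # Tokens prefixed with '!' or '-' are exclusions, so they do not match.
    weak=$(sed -n 's/^[[:space:]]*SSLCipherSuite[[:space:]]*//p' "$conf" \
        | tr ':' '\n' \
        | grep -E '^(MEDIUM|LOW|EXP|EXPORT|NULL|eNULL|aNULL|DES|RC4)$' \
        | tr '\n' ',')
    weak=${weak%,}
    if [ -n "$weak" ]; then
        echo "SSLCipherSuite enables weak classes ($weak); prefer 'HIGH:!aNULL:!MD5'"
        n=$((n + 1))
    fi
    # +FakeBasicAuth maps a client certificate DN to a Basic-auth user name;
    # without SSLVerifyClient no certificate is requested, so it is a stray.
    if grep -Eq '^[[:space:]]*SSLOptions.*\+FakeBasicAuth' "$conf" \
        && ! grep -Eq '^[[:space:]]*SSLVerifyClient' "$conf"; then
        echo "SSLOptions +FakeBasicAuth without SSLVerifyClient: drop it unless client certs are used"
        n=$((n + 1))
    fi
    [ "$n" -eq 0 ]
}

# audit_auth_file FILE
# Checks the htpasswd file named by AuthUserFile: each line must be
# user:hash with a hashed password, no user may appear twice, and the file
# must not be readable by others. Exit status 0 if nothing was found.
audit_auth_file() {
    f="$1"
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        user=${line%%:*}
        hash=${line#*:}
        case "$hash" in
            '$apr1$'*|'{SHA}'*|'$2y$'*) ok=1 ;;   # htpasswd -m, -s, -B
            *) ok=0 ;;
        esac
        # A traditional crypt(3) hash is exactly 13 characters; anything else
        # that reaches here is most likely a plaintext password (htpasswd -p).
        if [ "$ok" -eq 0 ] && [ "${#hash}" -ne 13 ]; then
            echo "user '$user': password field is not a recognised hash"
            n=$((n + 1))
        fi
    done < "$f"
    dups=$(cut -d: -f1 "$f" | sort | uniq -d | tr '\n' ' ')
    if [ -n "$dups" ]; then
        echo "duplicate entries for: ${dups}(remove the stale line)"
        n=$((n + 1))
    fi
    # Characters 8-10 of 'ls -l' are the permission bits for "other".
    others=$(ls -l "$f" | cut -c8-10)
    if [ "$others" != "---" ]; then
        echo "$f is accessible to others ($others); chown root:www-data and chmod 0640"
        n=$((n + 1))
    fi
    [ "$n" -eq 0 ]
}

# demo: constructed samples mirroring the directives in the post above.
demo() {
    d=$(mktemp -d)
    cat > "$d/ssl-vhost.conf" <<'EOF'
SSLEngine on
SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
SSLProtocol all
SSLCipherSuite HIGH:MEDIUM
EOF
    # alice has a (constructed) apr1 hash; bob was added with htpasswd -p
    printf 'alice:$apr1$saltsalt$abcdefghijklmnopqrstuv\nbob:secret\n' > "$d/svn-auth-conf2"
    chmod 0644 "$d/svn-auth-conf2"
    audit_ssl_vhost "$d/ssl-vhost.conf" || true
    audit_auth_file "$d/svn-auth-conf2" || true
    rm -rf "$d"
}

demo
```

Run it as `sh audit.sh` to see the findings for the sample, or call `audit_ssl_vhost /etc/apache2/sites-available/default` and `audit_auth_file /etc/svn-auth-conf2` against the real files. Two points the audit will keep raising on the setup above: the htpasswd -c shown earlier truncates the file, so add every user after the first with `sudo htpasswd -m /etc/svn-auth-conf2 seconduser` (no -c), and a file created under /etc is world-readable by default, so restrict it to root and www-data.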

Saturday, September 6, 2008

Some principles

Some principles which I strongly believe in (no particular order). All common sense, nothing new, nothing unique or inspiring. But things I believe in, and apply to any postings given here - now or in the future.

Never run as administrator/root. There’s really no need. Applications that “require” it are (in my opinion) broken. Much can be done with RunAs. All can be done with sudo. Just because you don’t know how to do something as a non-administrator doesn’t mean it can’t be done.

Separate data from system. Keep data at least on a separate partition (I never use C: for data in Windows, just system and application installations), and where possible on a different disk (for servers, obviously with an appropriate RAID level). If you use VMware or any virtualization, the option for separate disks makes it trivial. It means recovery is easier and less stressful.

Servers are not workstations. Production servers do a role. They’re not a plaything. They’re not for casual use or browsing the internet etc. That said, Windows Server 2008 is a nice OS on a laptop.

Backups. Just do it. If it’s part of your job, then there isn’t anything more important to do at that time. If at home, do it. Work out what’s best for you, but do it.

Restores. Backups are useless if you can’t restore from them. Sample restores at least once per week.

Patch. Patching the OS has become pretty easy and reliable these days. Now all those apps - office, firefox, thunderbird, real player (use an alternative), quicktime (use an alternative), java (ugh), flash, acroread (use foxit) etc etc. Especially if it’s a plugin for a browser. Patch it.

Firewall. Use them. And when something doesn’t work “because of the firewall”, figure out why and a solution, which isn’t “turn off the firewall.”

Documentation. If this stuff is your job, then you document it. All changes. Don’t care that it’s boring. Don’t care that it’s tedious. Don’t care that you have something else you’d rather do. Document.

Testing. In these days of virtualisation, there’s little excuse for not having a test environment for testing those changes before production.