Wednesday, June 24, 2009
SSH and ubuntu
Reminder to self, after not looking at Ubuntu for a while - you need to install ssh server!
apt-get install openssh-server
Monday, September 8, 2008
Configuring svn, trac, SSL under Ubuntu
Been working on setting up subversion, with trac and SSL - currently for evaluation purposes.
I’m not a developer at all, and although I respect that you can build everything from src, prefer not to.
Normally CentOS is the linux distribution I use, but frankly, it’s a hell of a hassle getting the dependencies sorted - quicksilver et al. I do have something running under it, but not especially happy with it. May return to look at it again later.
So, instead I’ve taken a quick look at Ubuntu 8.04 for it - server not desktop edition, so no GUI. In general, the installation and configuration process for this leaves something to be desired. The following *appears* to get it working for me. I’m not claiming it to be optimal or even “correct”. I’m also not looking at configuration of trac and subversion, just getting them installed and available.
The webserver itself (for my purposes) will also require php support, so going to add a bunch more packages for that.
I wish to use SSL to support https
I’m going to place both subversion repositories and trac pages on a separate disk under a /subversion mount.
/subversion/repos - subversion
/subversion/trac - trac
Subversion repositories will be available as
https://localhost/svnrepos/
Trac as
https://localhost/trac/
Trac is anonymous browsing enabled, authentication required for the login option. Subversion should require login anyway - yes, there’s no point having login required in subversion if you allow anonymous for the “browse source” option in trac - this is a test setup. It’s easy to modify the necessary apache directives to require authentication for all of trac.
Standard http pages may still be served out of the default
Firewall enabled, and SSH, http/https only allowed
# Firewall - I like to work with firewalls on at the start/at all times:
sudo ufw enable
sudo ufw allow 22/tcp
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
# check it
sudo ufw status

# get some packages
sudo apt-get install subversion libapache2-svn apache2 python2.4-pysqlite2 python-clearsilver python-subversion

# get trac and install it
wget http://ftp.edgewall.com/pub/trac/trac-0.10.4.tar.gz
tar -xzf trac-0.10.4.tar.gz
cd trac-0.10.4
sudo python setup.py install

# get some more php related packages
sudo apt-get install libapache2-mod-php5 php5 php5-common php5-curl php5-dev php5-gd php5-imagick php5-mcrypt php5-memcache php5-mhash php5-mysql php5-pspell php5-snmp php5-sqlite php5-xmlrpc php5-xsl

# Ensure relevant modules are loaded
sudo a2enmod ssl
sudo a2enmod php5

# Bounce apache after any changes
sudo /etc/init.d/apache2 restart
# I like to test that pages are being served, and .php is supported at this point

# Deal with SSL.
sudo mkdir /etc/apache2/ssl
sudo apt-get install ssl-cert
sudo /usr/sbin/make-ssl-cert /usr/share/ssl-cert/ssleay.cnf /etc/apache2/ssl/apache.pem
# follow the text based wizard
As I want access to be via https only for trac and the repositories, ie /svnrepos and /trac, amend /etc/apache2/sites-available/default as follows (following the end of the default VirtualHost directives) :
NameVirtualHost *:443
<VirtualHost *:443>
    SSLEngine on
    SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
    SSLCertificateFile /etc/apache2/ssl/apache.pem
    SSLProtocol all
    SSLCipherSuite HIGH:MEDIUM

    ScriptAlias /trac /usr/share/trac/cgi-bin/trac.cgi
    <Location "/trac">
        SetEnv TRAC_ENV_PARENT_DIR "/subversion/trac"
    </Location>

    <LocationMatch "/trac/[^/]+/login">
        AuthType Basic
        AuthName "Trac"
        AuthUserFile /etc/svn-auth-conf2
        Require valid-user
    </LocationMatch>

    <Location /svnrepos>
        DAV svn
        SVNParentPath /subversion/repos
        AuthType Basic
        AuthName "Subversion"
        AuthUserFile /etc/svn-auth-conf2
        Require valid-user
    </Location>
</VirtualHost>

# /etc/svn-auth-conf2 is the file storing passwords created with
sudo htpasswd -c -m /etc/svn-auth-conf2 username
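A variant of the VirtualHost above, added here as an example and not the author's configuration: it requires authentication for all of /trac (the change the post says is easy to make) and narrows the SSLProtocol and SSLCipherSuite lines from the original's `all` and `HIGH:MEDIUM`. It assumes Apache 2.4 with mod_ssl, where NameVirtualHost is no longer needed; paths and the password file are the ones used on this page.

```apache
# Added example, not the original post's config.
# Assumption: Apache 2.4 with mod_ssl; all paths are those used in the post.
<VirtualHost *:443>
    SSLEngine on
    SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
    SSLCertificateFile /etc/apache2/ssl/apache.pem

    # "SSLProtocol all" accepts every protocol version mod_ssl supports.
    # Here SSLv3, TLS 1.0 and TLS 1.1 are switched off, leaving TLS 1.2+.
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    # HIGH only, with anonymous (unauthenticated) and MD5-based suites removed.
    SSLCipherSuite HIGH:!aNULL:!MD5
    SSLHonorCipherOrder on

    ScriptAlias /trac /usr/share/trac/cgi-bin/trac.cgi

    # Auth moved from the /trac/<env>/login LocationMatch to the whole of
    # /trac, so "browse source" no longer shows repository contents to
    # anonymous visitors while /svnrepos demands a login.
    <Location "/trac">
        SetEnv TRAC_ENV_PARENT_DIR "/subversion/trac"
        AuthType Basic
        AuthName "Trac"
        AuthUserFile /etc/svn-auth-conf2
        Require valid-user
    </Location>

    # Unchanged from the post: Subversion over WebDAV, login required.
    <Location /svnrepos>
        DAV svn
        SVNParentPath /subversion/repos
        AuthType Basic
        AuthName "Subversion"
        AuthUserFile /etc/svn-auth-conf2
        Require valid-user
    </Location>
</VirtualHost>
```

Because both Location blocks exist only inside the :443 VirtualHost, Basic credentials for /trac and /svnrepos are only ever sent over TLS.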
I’m doing all my testing under VMware ESXi, so adding a 2nd disk is easier from a resources perspective. See my principles post for my reasons on a 2nd disk - separate system from data. This 2nd disk will appear as a SCSI disk - in my case /dev/sdb.
Use fdisk to create a partition - again, just accepting the defaults, which as a partition will be /dev/sdb1, and format as ext3
# Create mount point - /subversion and my directories /subversion/repos and /subversion/trac
sudo mkdir /subversion
sudo mkdir /subversion/trac /subversion/repos
# Add entry to /etc/fstab to mount on reboot.

# I create my svn repository in /subversion/repos with :
sudo svnadmin create repositoryname
# I set permissions
sudo chown -R www-data:www-data repositoryname

# I create the trac layout with :
sudo trac-admin repositoryname initenv
# And answer the questions posed
# I set permissions with
sudo chown -R www-data:www-data repositoryname
Saturday, September 6, 2008
Some principles
Some principles which I strongly believe in (no particular order). All common sense, nothing new, nothing unique or inspiring. But things I believe in, and apply to any postings given here - now or in the future.
Never run as administrator/root. There’s really no need. Applications that “require” it, are (in my opinion) broken. Much can be done with RunAs. All can be done with sudo. Just because you don’t know how to do something as a non administrator, doesn’t mean it can’t be done.
Separate data from system. Keep data at least on a separate partition (I never use C: for data in Windows, just system and application installations), and where possible, on a different disk (servers obviously an appropriate RAID level). If you use VMWare or any virtualization, the option for separate disks makes it trivial. It means recovery is easier and less stressful.
Servers are not workstations. Production servers do a role. They’re not a plaything. They’re not for casual use or browsing the internet etc. That said, Windows Server 2008 is a nice OS on a laptop.
Backups. Just do it. If it’s part of your job, then there isn’t anything more important to do at that time. If at home, do it. Work out what’s best for you, but do it.
Restores. Backups are useless if you can’t restore from them. Sample restores at least once per week.
Patch. OS has become pretty easy and reliable these days. Now all those apps - office, firefox, thunderbird, real player (use an alternative), quicktime (use an alternative), java (ugh), flash, acroread (use foxit) etc etc. Especially if it’s a plugin for a browser. Patch it.
Firewall. Use them. And when something doesn’t work “because of the firewall”, figure out why and a solution, which isn’t “turn off the firewall.”
Documentation. If this stuff is your job, then you document it. All changes. Don’t care that it’s boring. Don’t care that it’s tedious. Don’t care that you have something else you’d rather do. Document.
Testing. In these days of virtualisation, there’s little excuse for not having a test environment for testing those changes before production.