Difference between revisions of "Research Computing Configuration"
(→HTTPS) |
(→Config) |
||
Line 1,139: | Line 1,139: | ||
*CoBlocks (free) | *CoBlocks (free) | ||
*Advanced Gutenberg (free) | *Advanced Gutenberg (free) | ||
+ | |||
+ | I didn't add Co-Authors Plus (https://wordpress.org/plugins/co-authors-plus/) as it hasn't been tested on the latest version of wordpress. There are other plugins that offer equivalent functionality if I need one later. | ||
Notes: | Notes: |
Revision as of 16:27, 10 September 2020
This page describes the configuration of the two new research computing machines. This configuration runs on our Research Computing Hardware. Note that the configuration of the DIGITS DevBox is on its own page.
Contents
Both machines
Fan Control
Unless you want to go insane from the sound of fans cycling full on and off, you'll want to fix the IPMI fan settings. These are stored in the BIOS but not accessible through the BIOS screens. Instead, you should connect to the boxes by BMC over the network. The BMC IPv4 address is displayed during POST.
To read all about IPMI, see https://www.supermicro.com/products/nfo/IPMI.cfm I also found these helpful:
- https://blog.pcfe.net/hugo/posts/2018-08-14-epyc-ipmi-fans/
- https://calvin.me/quick-how-to-decrease-ipmi-fan-threshold/
Note the that default BMC username and password is ADMIN and ADMIN. You can download the SMCIPMITool (2.21.0_build.181029) and do the following, though I couldn't work out how to send manual configuration instructions using it:
.\SMCIPMITool.exe 192.168.2.80 ADMIN ADMIN ipmi fan .\SMCIPMITool.exe 192.168.2.80 ADMIN ADMIN ipmi fan 0
The trick is to change the thresholds for the fans, especially the lower threshold. On a linux box:
sudo apt-get install ipmitool
- Reset the BMC if you've screwed it up (or if your fans are full on all the time)
- Check that the current mode is optimal (2)
- Take a look at the sensor multiple times to see that the fan is hitting the constraint (run multiple times to coincide with different sound levels)
- Reset the lower thresholds on the fans
- Enjoy a perfectly reasonable fan speed that doesn't fluctuate unduly
ipmitool -I lan -U ADMIN -P ADMIN -H 192.168.2.80 raw 0x3c 0x40 ipmitool -I lan -U ADMIN -P ADMIN -H 192.168.2.80 raw 0x30 0x45 0x00 ipmitool -I lan -U ADMIN -P ADMIN -H 192.168.2.80 sensor ipmitool -I lan -U ADMIN -P ADMIN -H 192.168.2.80 sensor thresh FAN3 lower 120 220 320
Note that the thresholds are derived from -20% off 400 (min as per Noctua spec), then same -100, then same -200.
For the ARCTIC F8 PWM, the min is something like 250 at 5v (see https://www.arctic.ac/us_en/arctic-f8-pwm.html). I therefore used 100, 150, 200, which seemed to stabilize the fans nicely at a 300rpm idle on one box and 400rpm on the other.
Note that the BMC IP for mother often turns up on 192.168.2.70. You can see the IP address of the localhost by running:
ipmitool lan print
Bios Settings
Because we want the NVMe drives to be bootable, we need to use (U)EFI for both machines:
- Change CPU1 Slot 1 and 2 to EFI (from Legacy)
- Change Onboard Video OPROM to EFi (from Legacy)
- LAN device to EFI
- Boot to EFI
- Priority to onboard: auto
- Boot install order CD above drive above Shell
This ultimately seems to be a problem for unsigned Nvidia drivers in Linux, which make putting a GPU into the dbase server box a major issue. I tried disabling validation and adding a key to secure boot (not sure that it happened) but nothing I could do would fix the resulting driver issue.
mokutil --disable-validation sudo update-secureboot-policy --new-key sudo update-secureboot-policy --enroll-key
RDP Server
The RDP server runs Windows 2019 Server. It installs directly off the media on to the NVMe drive. Don't worry about the RAID array during the installation, we do that later.
After installation:
- Set computer name
- Storage Pool
- RAID 1 - Mirroring
- Active Directory Controller
- Remote Desktop Connection
- RD Connection Broker
- RD Licensing
- RD Session Host
- RD Vizualization Host
Change password complexity requirements: https://blog.tiga.tech/disable-the-password-complexity-for-active-directory-on-a-domain-controller/
Update
The GPU was removed from the RDP and the chipset drivers from Supermicro were installed (files are in E:/installs/drivers). This addressed all the device issues.
The following software was uninstalled:
- CUDA Development 10.1
- CUDA Documentation 10.1
- CUDA Samples 10.1
- CUDA Visual Studio Integration 10.1
- NVIDIA GeForce Experience 3.18.0.94
- NVIDIA Graphics Driver 419.67
- NVIDIA HD Audio Diver 1.3.38.13
- NVIDIA Nsight Compute v2019.1
- NVIDIA Nsight Systems v2018.3.3
- NVIDIA Nsight Visual Studio Edition
- NVIDIA PhysX System Software 9.12.0218
- NVIDIA Toos Extension SDK
- NVIDIA USBC Driver 1.1.27.831
Dbase Server
The dbase server runs Ubuntu 18.04. You can mostly follow the instructions at https://www.pugetsystems.com/labs/hpc/The-Best-Way-To-Install-Ubuntu-18-04-with-NVIDIA-Drivers-and-any-Desktop-Flavor-1178/
It is important to use the alternative installation iso, not the default cloud based one. However, you can set up the partitions using the standard live CD, which is more user friendly for partitioning.
Partitioning
Partition as:
- 400G NVMe as ext4 and / (create new using whole drive, automatically sets aside 512m for /boot/efi)
- 1.2T as ext4 and /data (do it manually)
- RAID 10 for HDDs, all active then format at ext4 and mount at /bulk (DO NOT PARTITION! Just set up the software RAID and format.)
Standard Packages
Install the following straight from the media:
- LAMP Server
- Mail Server
- Postfix - Internet Site
- MailName: mother.edegan.com
- PostgreSQL
- Samba
- OpenSSH
Then:
sudo apt-get install tasksel tasksel -> Ubuntu Desktop
A useful apt cheatsheet is: https://www.acpsd.net/site/handlers/filedownload.ashx?moduleinstanceid=53976&dataid=56016&FileName=Ubuntu%20Cheat%20Sheet.pdf
Get the system up to date:
apt-get update apt-get upgrade
Samba
This guide is helpful: https://linuxconfig.org/how-to-configure-samba-server-share-on-ubuntu-18-04-bionic-beaver-linux
Check samba is running
samba --version
Then fix the conf file:
cp /etc/samba/smb.conf /etc/samba/smb.conf.bak vi /etc/samba/smb.conf workgroup=mothergroup usershare allow guests = no ;comment [printers] and [print$] [bulk] comment = Bulk RAID Array path = /bulk browseable = yes create mask= 0775 directory mask = 0775 read only = no guest ok = no
Test the parameters, change the permissions and ownership:
testparm /etc/samba/smb.conf chmod 770 /bulk groupadd smbusers chown :smbusers /bulk
Now add the researcher account, and add it to the samba share
groupadd -g 1001 researcher useradd -g researcher -G smbusers -s /bin/bash -p 1234 -d /home/researcher -m researcher passwd researcher hint: littleamount smbpasswd -a researcher
Finally restart samba:
systemctl restart smbd systemctl restart nmbd
Check it works:
smbclient -L localhost (no root password)
And add users to the samba group:
useradd ed smbusers
PostgreSQL
This guide is helpful: https://linuxconfig.org/install-postgresql-on-ubuntu-18-04-bionic-beaver
Test it!
psql --help ss -nlt postgres is listening on 543
Back up the config file and try a manual launch:
cp /etc/postgresql/10/main/postgresql.conf /etc/postgresql/10/main/postgresql.conf.bak mkdir /data/postgres chown postgres:postgres postgres su postgres cd /usr/lib/postgresql/10/bin ./initdb -D /data/postgres
Now, tune the database server. See https://www.postgresql.org/docs/10/runtime-config-resource.html and https://wiki.postgresql.org/wiki/Tuning_Your_PostgreSQL_Server
vi /etc/postgresql/10/main/postgresql.conf data_directory = '/data/postgres' #custom 1.2Tb NVME SSD listen_addresses = '*' max_connections = 10 shared_buffers = 128GB huge_pages = try # on, off, or try temp_buffers = 8GB # min 800kB work_mem = 4GB # min 64kB maintenance_work_mem = 64GB # min 1MB max_stack_depth = 6MB max_wal_senders = 5 #MUST SET THIS TO BE LESS THAN max_connections effective_cache_size = 384GB
Now fix the hba.conf file for access rights:
cp /etc/postgresql/10/main/pg_hba.conf /etc/postgresql/10/main/pg_hba.conf.bak vi /etc/postgresql/10/main/pg_hba.conf change local all all peer to local all all trust
Don't do this bit for now: local all postgres peer local all postgres md5
And restart!
service postgresql restart ss -nlt
If postgres isn't listening then it didn't start despite the message at
service postgresql status
Then we note that Postgres bins are in in:
cd /usr/lib/postgresql/10/bin
Check:
cat /etc/init.d/postgresql cat /usr/share/postgresql-common/init.d-functions
To diagnose error do manual start as postgres from /usr/lib/postgresql/10/bin:
pg_ctl -w -D /data/postgres -o '--config-file=/etc/postgresql/10/main/postgresql.conf.new' start
To check it is working:
ss -nlt psql postgres SHOW data_directory; SHOW work_mem;
When it is all ok, you can go back to using
service postgresql restart (it should take a few secs)
Make the researcher user!
createuser --interactive researcher
Add Extensions
Finally, add some extentions
apt-get install postgresql-plperl-10 apt-get install postgresql-plpython-10 apt-get install postgresql-10-plr apt-get install postgresql-10-postgis-2.4 apt-get install postgresql-10-postgis-scripts apt-get install postgis apt-get install postgis-gui
As postgres:
psql template1 CREATE EXTENSION plr; CREATE EXTENSION plperl; CREATE EXTENSION plpythonu
Mediawiki
We had a back off of an old MySQL mediawiki dbase and the contents of the mediawiki directory, and we wanted to restore the old wiki. This is what we did.
Restore the old dbase:
cd /bulk/mcnair/Web/mysqldump dbase is mcnair mysql -h localhost < web_mysqldump_backup_Fri_Aug_24_15_35_47_2018.sql
Connect to MySQL and check what we have:
mysql connect show databases; use mcnair; show tables;
If you need to: systemctl stop mysql systemctl start mysql
Get the old install:
cd home/home/mcnair/Downloads/ tar -xvzf mediawiki-1.26.2.tar.gz
Add php-xml
apt-get install php-xml apachectl restart
We then had to fix the passwords in the dbase:
#Note: change passwords from hints before running mysql SELECT User, Host, Password FROM mysql.user; UPDATE mysql.user SET Password = PASSWORD('tsn') WHERE User = 'root'; UPDATE mysql.user SET Password = PASSWORD('tsn') WHERE User = 'debian-sys-maint'; UPDATE mysql.user SET Password = PASSWORD('tsn') WHERE User = 'mcnair_wp'; FLUSH PRIVILEGES;
At this point, the basics are working, so go to http://192.168.2.92/mediawiki/mw-config/index.php and fill it out as per the old instructions (see Test Web Server Documentation and Web Server Documentation
Now overwrite LocalSettings.php with the old configuration:
cd /home/ed/Downloads/ mv LocalSettings.php /var/www/html/mediawiki/
Fix the requirements for mediawiki
apt-get install php-xml apachectl restart
Allow short URLS, so enable mod-rewrite (if not already enabled)
a2enmod rewrite systemctl restart apache2
Now fix the apache conf file
cp /etc/apache2/sites-available/000-default.conf /etc/apache2/sites-available/000-default.conf.bak vi /etc/apache2/sites-available/000-default.conf Alias /wiki /var/www/html/mediawiki/index.php #Enable the rewrite engine RewriteEngine On #Rewrite / to Main Page RewriteRule ^/*$ %{DOCUMENT_ROOT}/mediawiki/index.php [L] service restart apache2
Now create phpinfo page for debugging
cd /var/www/html vi phpinfo.php <?php echo phpinfo(); ?> #Browse to 192.168.2.92/phpinfo.php Shows Phar is installed and running Shows log is /var/log/apache2
Check pcntl is enabled
php --ri pcntl #Note that some pcntl functions are listed as disabled in phpinfo.php dpkg -s snmp apt-get install snmp
The Big Try
The process is as follows:
- Move the contents of /var/lib/mediawiki to somewhere else
- Move the contents of /bulk/mcnair/Web/www/var/www/html/mediawiki in
- Drop databases
- Restore databases
- Pray
Or more specifically:
mv /var/lib/mediawiki/ /var/lib/firstmediawikitry mkdir /var/lib/mediawiki cp -r /bulk/mcnair/Web/www/var/www/html/mediawiki /var/lib/ #Change password for dbase in LocalSettings.php mysql -p DROP DATABASE mcnair; DROP DATABASE wordpress; cd /bulk/mcnair/Web/mysqldump mysql -p -h localhost < web_mysqldump_backup_Fri_Aug_24_15_35_47_2018.sql apachectl restart
When we did this, we got a blank page! Don't panic.
cd /var/log/apache2 cat error.log apt-get install php7.2-mbstring apachectl restart
Fix LocalSettings.conf again
change domain name, contact detail, etc. Need to fix mail... Also left GoogleAnalytics extension loaded for now... Change enable_semantics IP address
Fix the Infoboxes:
chmod a+x /var/libr/mediawiki/extensions/Scribuntu... chcon -t httpd_sys_script_exec_t /var/lib/mediawiki/Scribuntu... mv /etc/apache2/sites-available/000-default.conf /etc/apache2/sites-available/000-default.conf.new mv /etc/apache2/sites-available/000-default.conf.bak /etc/apache2/sites-available/000-default.conf apachectl restart mv /etc/apache2/sites-available/000-default.conf.new /etc/apache2/sites-available/000-default.conf apachectl restart
We were left with a problem were the page would never finish loading. This turned out to be a problem with the fonts in the Vector skin, which we had previously customized. We tried to fix the problem in the dbase as below but to no avail.
SELECT * FROM externallinks WHERE el_id=2599; UPDATE externallinks SET el_to = 'http://192.178.2.92/mediawiki/resources/assets/fonts/OpenSans-Regular.ttf' WHERE el_id = 2720; UPDATE externallinks SET el_index = 'http://192.178.2.92/mediawiki/resources/assets/fonts/OpenSans-Regular.ttf' WHERE el_id = 2720; UPDATE externallinks SET el_to = 'http://192.178.2.92/mediawiki/resources/assets/fonts/OpenSans-Italic.ttf' WHERE el_id = 2721; UPDATE externallinks SET el_index = 'http://192.178.2.92/mediawiki/resources/assets/fonts/OpenSans-Italic.ttf WHERE el_id = 2721; UPDATE externallinks SET el_to = 'http://192.178.2.92/mediawiki/resources/assets/fonts/OpenSans-Bold.ttf ' WHERE el_id = 2722; UPDATE externallinks SET el_index = 'http://192.178.2.92/mediawiki/resources/assets/fonts/OpenSans-Bold.ttf ' WHERE el_id = 2722; UPDATE externallinks SET el_to = 'http://192.178.2.92/mediawiki/resources/assets/fonts/OpenSans-BoldItalic.ttf WHERE el_id = 2723; UPDATE externallinks SET el_index = '192.178.2.92/mediawiki/resources/assets/fonts/OpenSans-BoldItalic.ttf' WHERE el_id = 2723; UPDATE externallinks SET el_to = 'http://192.178.2.92/mediawiki/resources/assets/fonts/BonvenoCF-Light.otf' WHERE el_id = 2724; UPDATE externallinks SET el_index = 'http://192.178.2.92/mediawiki/resources/assets/fonts/BonvenoCF-Light.otf' WHERE el_id = 2724; UPDATE externallinks SET el_to = 'http://192.178.2.92/mediawiki/resources/assets/fonts/franklin-gothic-book.ttf' WHERE el_id = 2739; UPDATE externallinks SET el_index = 'http://192.178.2.92/mediawiki/resources/assets/fonts/franklin-gothic-book.ttf' WHERE el_id = 2739; UPDATE externallinks SET el_to = 'http://192.178.2.92/wiki/Carried_Interest_Debate' WHERE el_id = 2599; UPDATE externallinks SET el_index = 'http://192.178.2.92/wiki/Carried_Interest_Debate' WHERE el_id = 2599;
What did work was:
cd /var/www/html/mediawiki/skins diff -r Vector VectorBackup cp -r Vector/ VectorFromMcNair vi /skins/Vector/variables.less
replace all font-family statements with "Linux Libertine", Georgia, Times, sans-serif, serif;
When I rebooted the MySQL database was inaccessible for reasons unknown... I followed this page: https://www.howtoforge.com/setting-changing-resetting-mysql-root-passwords
service mysql stop mysqld_safe --skip-grant-tables & mkdir -p /var/run/mysqld chown mysql:mysql /var/run/mysqld mysqld_safe --skip-grant-tables &
And then all was good!
Confirm Account
We had some issues with some of the extensions, particularly confirm account. To debug the wiki add this line to LocalSettings.php
$wgShowExceptionDetails = true;
Fix the confirm account, see https://www.mediawiki.org/wiki/Extension:ConfirmAccount#Minimal_settings and add lines to LocalSettings.conf.
apt-get install php7.2-dev apt-get install php-pear pear pear -version pear config-get php_dir /usr/share/php phpinfo returns: /etc/php/7.2/apache2/php.ini
Then make check_pear.php as per http://pear.php.net/manual/en/installation.checking.php. It should return bool true
Finally:
php -c /etc/php/7.2/apache2/php.ini -r 'echo get_include_path()."\n";'
.:/usr/share/php
uncomment ; UNIX: "/path1:/path2" include_path = ".:/usr/share/php"
See https://www.mediawiki.org/wiki/Manual:$wgSMTP
Wordpress
From Test Web Server Documentation it doesn't look like we had to install anything before we installed Wordpress. The restoration plan is therefore:
- Restore the dbase (done already when we restored the mediawiki dbase)
- Copy over all of the wordpress files
- Create a /blog alias in apache
- Check the permissions and pray
So we did:
cd /bulk/mcnair/Web/www/var/www/html cp -r ./blog/ /var/www/html/blog cd /var/www/html/blog/
Check Apache2.conf
vi /etc/apache2/apache2.conf looks fine
Temporarily force some settings
vi wp-config.php define('WP_HOME','http://www.edegan.com/blog'); define('WP_SITEURL','http://www.edegan.com/blog'); define('DB_PASSWORD', 'tsn');
Make some changes to the dbase
mysql connect wordpress; SELECT ID, user_login, user_pass FROM wp_users; UPDATE wp_users SET user_pass=MD5('newstrongpassword') WHERE ID = 4; select * from wp_options where option_name='siteurl'; select * from wp_options where option_name='home'; UPDATE wp_options SET option_value='http://www.edegan.com/blog' WHERE option_name='siteurl'; UPDATE wp_options SET option_value='http://www.edegan.com/blog' WHERE option_name='home';
Now you can comment out the WP_HOME and WP_SITEURL settings in wp-config.php and change them (if you want) from the wp-admin interface: http://www.edegan.com/blog/wp-admin.
The following plugin had to be disabled:
- Social Share WordPress Plugin - AccessPress Social Share
Finally, fix the permalink issue by setting
vi /etc/apache2/apache2.conf AllowOverride All
Then yay!
The whole thing needs updating, a new skin (or at least clean up), and some of the plugins don't work. But the basics are now up and running.
Updating
Go in to the wp-admin interface and hit update. It seemed to work fine!
Run the site-health.php tool: http://www.edegan.com/blog/wp-admin/site-health.php
apt-get install php7.2-gd apt-get install php7.2-bcmath Get and make imagemagick -- see https://www.tutorialspoint.com/articles/how-to-install-imagemagick-on-ubuntu magick -help apachectl restart
Also, update all of the plugins and remove the one inactive plugin that was causing problems earlier.
Other Web Server
For Google Analytics we linked the domain to dredegan@gmail.com on the Google Dashboard and added the key to LocalSettings.php. See http://edutechwiki.unige.ch/en/Mediawiki_installation#Google_Analytics
We also added write permissions to the images directory for www-data
chown -R www-data images/
Nvidia
The original intention was to install a GPU into the Dbase server, as GPU compute tasks wouldn't interfere (much) with the main operation of the server. The problem seems to be a combination of an unsigned Nvidia driver, Ubuntu 18.04, UEFI, and Secureboot (or not). See https://medium.com/@nolanmudge/installing-an-nvidia-graphics-driver-with-a-ubuntu-14-04-and-up-efi-boot-52725dd6927c
Regardless here are some useful commands:
See what drivers are being used
apt-get install ubuntu-drivers-common ubuntu-drivers devices cat /proc/driver/nvidia/version
See the display hardware config
sudo lshw -c display If shows *-display UNCLAIMED and no driver associated with it https://askubuntu.com/questions/762254/why-do-i-get-required-key-not-available-when-install-3rd-party-kernel-modules
Just try to work out what is going on:
ubuntu-drivers devices lsmod lshw -c display sudo lspci -vk ls -l /sys/firmware/efi/
Try installing CUDA and its driver: https://www.pugetsystems.com/labs/hpc/How-To-Install-CUDA-10-together-with-9-2-on-Ubuntu-18-04-with-support-for-NVIDIA-20XX-Turing-GPUs-1236/ And then: https://docs.nvidia.com/cuda/cuda-installation-guide-linux/index.html#post-installation-actions And may: https://xcat-docs.readthedocs.io/en/stable/advanced/gpu/nvidia/verify_cuda_install.html
Try installing the bundled cuda toolkit
apt-get install nvidia-cuda-toolkit apt-get install cuda-samples-7-0 -y cd /usr/local/cuda-7.0/samples make
Try installing the bundled nvidia driver
sudo apt install nvidia-driver-415
Purge nvidia drivers and add the experimental repo
apt-get purge nvidia* sudo add-apt-repository ppa:graphics-drivers
Get the latest driver from Nvidia and make it
wget http://us.download.nvidia.com/XFree86/Linux-x86_64/418.43/NVIDIA-Linux-x86_64-418.43.run apt-get install gcc apt-get install make sh NVIDIA-Linux-x86_64-418.43.run cat /var/log/nvidia-installer.log
View system logs:
journalctl -xb
Remove nouveau if being used (https://help.ubuntu.com/community/BinaryDriverHowto/Nvidia)
sudo ubuntu-drivers devices sudo apt-get --purge remove xserver-xorg-video-nouveau nvidia-xconfig
Add a secure boot key
sudo update-secureboot-policy --new-key sudo update-secureboot-policy --enroll-key
Disable/enable secureboot:
mokutil --disable-validation create 8-12 char password (same as ed's) Reboot and disable secureboot mokutil --enable-validation
Other
pdftk
I installed pdftk and configured it as follows:
snap install pdftk ln -s /snap/pdftk/current/usr/bin/pdftk /usr/bin/pdftk
Its man page (kinda) is here: https://www.pdflabs.com/docs/pdftk-man-page/
But generally you want to do use it combine files:
pdftk *.pdf cat output newfile.pdf pdftk a.pdf b.pdf cat output newfile.pdf
If you want to reduce a file that has large images in it, then the following sometimes works:
pdf2ps 1.pdf 1.ps ps2pdf -dPDFSETTINGS=/screen -dDownsampleColorImages=true -dColorImageResolution=144 -dColorImageDownsampleType=/Bicubic 1.ps 1.pdf
To do
- VNC!
- ImageMagick and uploads -- test
- Math extension later...
- Set up and configure Postfix mail server (https://www.digitalocean.com/community/tutorials/how-to-install-and-configure-postfix-on-ubuntu-18-04)
- Fix [[<haloacl-inclusion-denied>|Terms of Service]] on sign up page...
Mobile Front End
It seems that the Extension:MobileFrontend isn't working properly.
Does php have mbstring support?
First check the apache version:
apache2 -v Server version: Apache/2.4.29 (Ubuntu) Server built: 2018-10-10T18:59:25
And the php version:
php -v PHP 7.2.17-0ubuntu0.18.04.1 (cli) (built: Apr 18 2019 14:12:38) ( NTS ) Copyright (c) 1997-2018 The PHP Group Zend Engine v3.2.0, Copyright (c) 1998-2018 Zend Technologies with Zend OPcache v7.2.17-0ubuntu0.18.04.1, Copyright (c) 1999-2018, by Zend Technologies
Try just installing it:
apt-get install php7.2-mbstring
This failed because of an issue with dpkg. I rebooted and then:
dpkg --configure -a apt --fix-broken install
Then it installed but threw a notice about a modified configuration file. The differences were too large to show. I kept the old file (/etc/php/7.2/apache2/php.ini) for comparison to the new one (/usr/lib/php/7.2/php.ini-production).
In the old file, uncomment the mbstring extension and exif (after it) too, then reload the config and check it worked:
service apache2 reload php -i | grep mbstring
So everything seems fine (the extension it is listed as loaded in Special:Version), but the interface still has obvious issues.
Check the skin
From Special:Version
MediaWiki 1.26.2 PHP 7.2.24-0ubuntu0.18.04.2 (apache2handler) MySQL 5.7.25-0ubuntu0.18.04.2 Lua 5.1.5
Vector is the only installed skin.
And it looks like my version of mediawiki is too old to support Minerva Neue
Upgrade mediawiki
Essentially, follow instructions in Manual:Upgrading:
Backup
I just moved everything to a different directory, backed off the dbase, and started again.
cd /var/lib mv mediawiki mediawikibackup26082020 mysqldump --user=root --password=password > dbase.sql
New Install
Get a new version, put it in /var/lib/mediawiki (leaving the old shortcuts pointing there), then copy in the files.
wget https://releases.wikimedia.org/mediawiki/1.34/mediawiki-1.34.2.tar.gz tar -xvzf mediawiki-1.34.2.tar.gz mv mediawiki-1.34.2 mediawiki rm mediawiki-1.34.2.tar.gz cp mediawiki26082020/LocalSettings.php mediawiki/LocalSettings.php cp -a mediawiki26082020/images/ mediawiki/ Note: you don't need to change permissions because we used -a. This also copied the .htaccess file. Everything should be ok... cp /var/lib/mediawiki26082020/resources/assets/EdEganDotCotWikiGreenTab.png /var/lib/mediawiki/resources/assets/ Note: that's my wiki logo cp /var/lib/mediawiki26082020/favicon.ico /var/lib/mediawiki/favicon.ico Note: that the favicon! cd /var/lib/mediawiki/maintenance/ php update.php
Retrieve and configure extensions
Get the bulk of them...
mkdir installs cd installs wget https://extdist.wmflabs.org/dist/extensions/LabeledSectionTransclusion-REL1_34-4aa6bfa.tar.gz tar -xzf LabeledSectionTransclusion-REL1_34-4aa6bfa.tar.gz -C /var/lib/mediawiki/extensions wget https://extdist.wmflabs.org/dist/extensions/MobileFrontend-REL1_34-6a8ef84.tar.gz tar -xzf MobileFrontend-REL1_34-6a8ef84.tar.gz -C /var/lib/mediawiki/extensions wget https://extdist.wmflabs.org/dist/extensions/ImportUsers-REL1_34-2f1a670.tar.gz tar -xzf ImportUsers-REL1_34-2f1a670.tar.gz -C /var/lib/mediawiki/extensions wget https://extdist.wmflabs.org/dist/extensions/Scribunto-REL1_34-f7bc2e3.tar.gz tar -xzf Scribunto-REL1_34-f7bc2e3.tar.gz -C /var/lib/mediawiki/extensions wget https://extdist.wmflabs.org/dist/extensions/googleAnalytics-REL1_34-6441403.tar.gz tar -xzf googleAnalytics-REL1_34-6441403.tar.gz -C /var/lib/mediawiki/extensions wget https://extdist.wmflabs.org/dist/extensions/MultiUpload-REL1_34-e018c1d.tar.gz tar -xzf MultiUpload-REL1_34-e018c1d.tar.gz -C /var/lib/mediawiki/extensions wget https://extdist.wmflabs.org/dist/extensions/UserMerge-REL1_34-3517022.tar.gz tar -xzf UserMerge-REL1_34-3517022.tar.gz -C /var/lib/mediawiki/extensions wget https://extdist.wmflabs.org/dist/skins/MinervaNeue-REL1_34-ba11b7b.tar.gz tar -xzf MinervaNeue-REL1_34-ba11b7b.tar.gz -C /var/lib/mediawiki/skins wget https://extdist.wmflabs.org/dist/extensions/ConfirmAccount-REL1_34-3ffa446.tar.gz tar -xzf ConfirmAccount-REL1_34-3ffa446.tar.gz -C /var/lib/mediawiki/extensions wget https://extdist.wmflabs.org/dist/extensions/MassEditRegex-REL1_34-d3570f1.tar.gz tar -xzf MassEditRegex-REL1_34-d3570f1.tar.gz -C /var/lib/mediawiki/extensions wget https://extdist.wmflabs.org/dist/extensions/DataTransfer-REL1_34-1fc1c61.tar.gz tar -xzf DataTransfer-REL1_34-1fc1c61.tar.gz -C /var/lib/mediawiki/extensions wget https://extdist.wmflabs.org/dist/extensions/HTMLets-REL1_34-a8227c3.tar.gz tar -xzf HTMLets-REL1_34-a8227c3.tar.gz -C /var/lib/mediawiki/extensions wget https://extdist.wmflabs.org/dist/skins/MinervaNeue-REL1_34-ba11b7b.tar.gz tar -xzf MinervaNeue-REL1_34-ba11b7b.tar.gz -C /var/lib/mediawiki/skins wget https://extdist.wmflabs.org/dist/extensions/GeoData-REL1_34-8a52fa4.tar.gz tar -xzf GeoData-REL1_34-8a52fa4.tar.gz -C /var/lib/mediawiki/extensions
Do the semantic mediawiki install and config. Last time, we installed Semantic Mediawiki using composer, which is the preferred method. See Web_Server_Documentation.
cd installs php -r "copy('https://getcomposer.org/installer', 'composer-setup.php');" php -r "if (hash_file('sha384', 'composer-setup.php') === '8a6138e2a05a8c28539c9f0fb361159823655d7ad2deecb371b04a83966c61223adc522b0189079e3e9e277cd72b8897') { echo 'Installer verified'; } else { echo 'Installer corrupt'; unlink('composer-setup.php'); } echo PHP_EOL;" php composer-setup.php --install-dir=/usr/local/bin --filename=composer #php -r "unlink('composer-setup.php');" vi composer.local.json { "require": { "mediawiki/semantic-media-wiki": "~3.1", "mediawiki/semantic-result-formats": "~3.1" } } composer update --no-dev Add line to LocalSettings.php enableSemantics('192.168.2.92'); php maintenance/update.php cd ../extensions/ #https://www.mediawiki.org/wiki/Extension:Page_Forms git clone https://gerrit.wikimedia.org/r/mediawiki/extensions/PageForms.git add to LocalSettings.php
ConfirmAccount Bug
Installing ConfirmAccount gave an error whenever there was an account request.
Warning: file_exists(): Unable to find the wrapper "mwstore" - did you forget to enable it when you configured PHP? in /../w/extensions/ConfirmAccount/backend/ConfirmAccount.class.php on line 29
This seemed to be a registered bug - see https://phabricator.wikimedia.org/T219859. It appears to happen as a consequence of the file_exists call, and is just a warning. It doesn't affect functionality. So I put an @ in front of the file_exists call, which is poor practice but it worked just fine.
Line 29: if ( $path && @file_exists( $path ) ) {
Other Config
Check pre-reqs are good for Scribuntu.
php -r 'echo "pcre: " . ( extension_loaded( "pcre" ) ? PCRE_VERSION : "no" ) . "\n";' php -r 'echo "mbstring: " . ( extension_loaded( "mbstring" ) ? "yes" : "no" ) . "\n";'
Fix some permissions:
chmod a+x extensions/Scribunto/includes/engines/LuaStandalone/binaries/lua5_1_5_linux_64_generic/lua chmod a+x extensions/SyntaxHighlight_GeSHi/pygments/pygmentize
Tune up php and Apache2:
vi /etc/php/7.2/apache2/php.ini change upload_max_filesize to 4M vi /etc/apache2/apache2.conf <Directory /var/www/wiki/images> Options -Indexes </Directory> service apache2 restart
Also, add Special:MultiUpload|Upload multiple files to http://www.edegan.com/wiki/MediaWiki:Sidebar
MathML
I tried various methods to get MathML to work and always failed. It looks like the community bet on Mathoid working out, but there's been no development on it for 5 months now, and it looks dead. The good news, if that MathJax works just fine right out of the box:
git clone https://github.com/jmnote/SimpleMathJax.git wfLoadExtension( 'SimpleMathJax' ); $wgSmjInlineMath = [ [ "$", "$" ], [ "\\(", "\\)" ] ]; Note: the last line lets you demark math with LaTeX-like syntax.
PDFEmbed
PDFEmbed was the extension that I never knew that I always wanted!
git clone https://gitlab.com/HydraWiki/extensions/PDFEmbed.git wfLoadExtension( 'PDFEmbed' );
SemanticACL
IntraACL (http://wiki.4intra.net/IntraACL) doesn't work with Mediawiki 1.34, so it's out. I also wasn't wild about its patch-based approach.
This time around I went with SemanticACL for access control. It's in beta but its actively maintained and its approach is simple, sane, and harnesses the power of what's already there. No hooks, no patches, no blah... just an extension that does what you want out of the box.
The only other real contender was Extension:AccessControl, which is stable. However, its approach just isn't as clean, and the author's request for funds to translate his documentation from Czech to English didn't endear me.
Useful Links for SemanticACL:
- https://www.mediawiki.org/wiki/Manual:User_rights#List_of_groups
- https://www.mediawiki.org/wiki/Category:Page_specific_user_rights_extensions
- https://www.mediawiki.org/wiki/Extension:Semantic_ACL
- https://www.mediawiki.org/wiki/Security_issues_with_authorization_extensions
wget https://extdist.wmflabs.org/dist/extensions/SemanticACL-REL1_34-01ae8be.tar.gz tar -xzf SemanticACL-REL1_34-01ae8be.tar.gz -C /var/lib/mediawiki/extensions
In LocalSettings.php (for m1.34):
require_once "$IP/extensions/SemanticACL/SemanticACL.php";
To configure security on a page (https://www.mediawiki.org/wiki/Extension:Semantic_ACL#Example)
[[Visible to::whitelist]] [[Visible to group::team]] [[Editable by::whitelist]] [[Editable by user::User:whoever]]
or equivalently (but silently):
{{#set: Visible to=whitelist|Visible to group::team}}
BibTeX
The BibTeX extension doesn't work anymore. Though it never really worked, so it's not much of a loss. I should probably build a replacement but I don't have the time right now.
Update Linux
Get the system up to date:
apt-get update apt-get upgrade
During the upgrade I chose:
- keep the local smb.conf
- keep the local grub (new version in /tmp/grub.l1gqsHmubw)
There were dependcy problem and other warnings during the process. It finished with:
Errors were encountered while processing: keyboard-configuration xserver-xorg-core xserver-xorg-input-wacom console-setup-linux console-setup ubuntu-minimal E: Sub-process /usr/bin/dpkg returned an error code (1) W: Operation was interrupted before it could finish
I rebooted the server. It came up ok and everything seemed fine (I'm doing this over terminal), but it is still claiming that there are updates. The issue might be related to a known Ubuntu bug: https://bugs.launchpad.net/ubuntu/+source/console-setup/+bug/1770482. The solution(s) might be [1]:
Look at the keyboard config file:
cat /etc/default/keyboard # KEYBOARD CONFIGURATION FILE # Consult the keyboard(5) manual page. XKBMODEL="pc105" XKBLAYOUT="us" XKBVARIANT="" XKBOPTIONS=""
Remove and reinstall the keyboard-configuration:
apt-get remove keyboard-configuration apt-get install keyboard-configuration Note that this launches a screen where the only options are Afghani variants... so cancel it! DEBIAN_FRONTEND=noninteractive apt-get install keyboard-configuration This ran and changed the keyboard layout file to the default: # KEYBOARD CONFIGURATION FILE # Consult the keyboard(5) manual page. XKBMODEL="pc105" XKBLAYOUT="us,af" XKBVARIANT="," XKBOPTIONS="grp_led:scroll" vi /etc/default/keyboard I manually removed the af option and the commas, essentially reverting the file (I like a scroll light). cd /usr/share/X11/xkb/symbols ln -s us en This was the other solution offered. I was missing an en option, so that might be it. apt-get install keyboard-configuration Now it says that there is nothing to do, which is promising.
Try the update again:
apt-get update && apt-get upgrade Nothing happened and everything seems fine... shutdown -r now
On boot, the box reports:
Welcome to Ubuntu 18.04.5 LTS (GNU/Linux 4.15.0-45-generic x86_64) ... 36 packages can be updated. 30 updates are security updates.
Running apt-get upgrade gives:
The following packages have been kept back: fwupd fwupdate fwupdate-signed libfwup1 libgl1-mesa-dri libreoffice-avmedia-backend-gstreamer libreoffice-base-core libreoffice-calc libreoffice-core libreoffice-draw libreoffice-gnome libreoffice-gtk3 libreoffice-impress libreoffice-math libreoffice-ogltrans libreoffice-writer libxatracker2 linux-generic linux-headers-generic linux-image-generic netplan.io python3-software-properties python3-uno software-properties-common software-properties-gtk 0 upgraded, 0 newly installed, 0 to remove and 25 not upgraded.
The latest LTS version (at the time of writing) is 20.04.1 (see https://wiki.ubuntu.com/Releases). So I could do an:
apt-get dist-upgrade
But I should really do a full backup and everything first, so that isn't going to happen today.
Reviewing Wordpress
Overview
Rather than trying to update wordpress, I think it best to install the latest version and use the old dbase. This will likely cause problems with images... but we made several suboptimal choices when we built the last version, including using a non-standard theme and customizing it in a way that prevented updates.
There's a useful wordpress article on the basics of the approach, albeit from a hosted install perspective: https://www.wpbeginner.com/wp-tutorials/how-to-restore-a-wordpress-site-with-just-database-backup/
The main install instructions are: https://wordpress.org/support/article/how-to-install-wordpress/
For theme customization beyond that done in the interface, or through a plugin (like Code Snippets [2], wordpress says the best approach is to create a child theme [3].
Choosing the theme (https://wordpress.org/themes/ and https://wordpress.com/themes) is a major decision. This time I want a much more standard theme, that has better plugin and widget support, is responsive and gives a good mobile interface. I also don't want to pay but will have to trade that off against doing customization to make it look distinct.
It seems that Twenty Fifteen has the most active installs, but all the Twenty series, which are default themes made by wordpress are wildly popular. It might be worth using Twenty Twenty, as it is the most recent and takes advantage of the block editor (Twenty Nineteen does too but gets mediocre reviews), and I like the look of Twenty Fourteen.
Outside of the defaults, OceanWP is eCommerce oriented but looks good and is very popular. Neve sits between OceanWP and GeneratePress, which has a more magazine/news focus, and all three take advantage of the new block editor (Gutenberg), which was introduced in WPv5 (initial release in 2018).
Pre-install
Check PHP and MySQL. I need PHP >=7.3 and MySQL >=5.6 but:
php --version PHP 7.2.24-0ubuntu0.18.04.6 (cli) (built: May 26 2020 13:09:11) ( NTS ) mysql --version mysql Ver 14.14 Distrib 5.7.31, for Linux (x86_64) using EditLine wrapper
I might be able to upgrade my version of PhP without upgrading Ubuntu (see https://linuxize.com/post/how-to-install-php-on-ubuntu-18-04/). However, it is probably a good idea to just fix everything...
Upgrading Linux
So it turns out that I shouldn't have done that last update... I do have an Xwindows Server on the box, running Gnome, and now I can't log in using the GUI on the box itself (it loops back to the login screen). This box doesn't contain the GPUs, just the database server, so the GUI isn't key, but it would be nice to have it working again. Hopefully, an upgrade will fix that, as well as other issues.
Backing off
First, mount the USB drive. Find what's mounted and what the dev is:
mount -t ext4 (or just mount for everything) ls -l /dev/disk/by-id/usb* (or fdisk -l or lsblk) mkdir -p /media/usb mount /dev/sda1 /media/usb
Back up the databases:
psql postgres /l As researcher and in /bulk/backups/ mv lbo_Fc.dump lbo_Fc.dump.org pg_dump -Fc allpatentsprocessed > allpatentsprocessed_Fc.dump pg_dump -Fc accelerators > accelerators_Fc.dump pg_dump -Fc grants > grants_Fc.dump pg_dump -Fc incubators > incubators_Fc.dump pg_dump -Fc lbo > lbo_Fc.dump pg_dump -Fc stockmarket > stockmarket_Fc.dump pg_dump -Fc crunchbase3 > crunchbase3_Fc.dump pg_dump -Fc vcdb20h1 > vcdb20h1_Fc.dump pg_dump -Fc vcdb4 > vcdb4_Fc.dump mysql -u root -p SHOW DATABASES; \q mysqldump --databases --password mcnair > mcnair.sql mysqldump --databases --password wordpress > wordpress.sql mysqldump --password mcnair > mediawiki.sql
Do the file transfers
mkdir /media/usb/mother-2020-08-09 mkdir /media/usb/mother-2020-08-09/bulk rsync -av --progress --exclude="mcnair" /bulk/ /media/usb/mother-2020-08-09/bulk/ mkdir /media/usb/mother-2020-08-09/html rsync -av --progress /var/www/html/ /media/usb/mother-2020-08-09/html/
Finally:
umount /media/usb
Do the upgrade
Run:
apt update apt upgrade apt dist-upgrade apt autoremove
do-release-upgrade if no release found because you are too early, add the -d to allow development (it will still install LTS if that's available) do-release-upgrade -d
This failed on the first attempt. So I did:
grep ERROR /var/log/dist-upgrade/main.log grep BROKEN /var/log/dist-upgrade/apt.log apt-get remove postgresql-10-postgis-2.4
Then:
do-release-upgrade -d I selected some choices (keep smd.conf, don't notify me of whatever, etc.) I let it replace postgres10 but it still gave me an "Obsolete Major Version" warning on postgres (I said ok).
Address the upgrade issues
The first casualty of the upgrade was the networking configuration. You'd think that developers would have figured that one out, as remote upgrades would leave boxes DOA until someone could get physical access. Nevertheless, the fix is straight forward.
The old ifup and down and eth0 etc. interface system is gone now, taking its config with it. To get the networking back:
ifconfig Outdated now, I think, but it still shows what's up... ip -a This will get you the names of the interfaces etc. I already had a .yaml under a different interface name that set up DHCP, so I used it as a template for the interface that I wanted up that way cp /etc/network/01-netcfg.yaml /etc/network/99_config.yaml vi /etc/network/99_config.yaml change the interface name to eno0 netplan apply
Now everything looks good for a foundation - apache2 is working, SSH is working, but I need to do a minor config fix for the wiki.
apt-get install php-mbstring apachectl restart
And the wiki comes back up but with a error notice. The issue seems to be with PHP 7.4, and it looks like it affects both mediawiki and wordpress, though wordpress might have fixed it. Regardless, it is possible to install 7.3 as well, as use that with apache2.
add-apt-repository ppa:ondrej/php apt-get update apt-get install php7.3 apt-get install php7.3-cli php7.3-common php7.3-json php7.3-opcache php7.3-mysql php7.3-mbstring php7.3-zip php7.3-fpm php7.3-intl php7.3-simplexml Note we may need to fix some config again as it said: Creating config file /etc/php/7.3/apache2/php.ini a2dismod php7.4 a2enmod php7.3 I ignored the following notices for now: NOTICE: To enable PHP 7.3 FPM in Apache2 do: NOTICE: a2enmod proxy_fcgi setenvif NOTICE: a2enconf php7.3-fpm systemctl restart apache2 update-alternatives --set php /usr/bin/php7.3 update-alternatives --set phar /usr/bin/phar7.3 update-alternatives --set phar.phar /usr/bin/phar.phar7.3 update-alternatives --set phpize /usr/bin/phpize7.3 update-alternatives --set php-config /usr/bin/php-config7.3 error: no alternatives for php-config (ignored for now)
And the wiki now seems happy!
I also checked postgres and everything seemed ok:
su researcher psql vcdb4 \l They are all there \dx All my extensions report back.
Other Fixes
Remove redundant user accounts:
cat /etc/passwd userdel -r username
I need to get Xwindows set up again. My best guess as to the cause of this issue is leftover Nvidia drivers from my attempts to install the GPUs on this box went bad in an earlier apt-get upgrade but I can't see them listed:
dpkg -l | grep nvidia-driver
There is a .Xauthority file, and an .ICEauthority file, in /home/ed and both are owned by ed:ed. The former is empty (0 bytes) and the latter has some non-UTF8 (I think?) characters in it. I'm not sure if either is an issue.
I didn't see xserver-xorg-video-nouvea in the package list or any video driver module, so I installed nouveau:
dpkg -l lsmod | more apt install xserver-xorg-video-nouveau I'm not sure if I should be fixing my boot image or not... shutdown -r now lsmod | more
After doing this the login would give a local desktop but neither the keyboard nor mouse worked. I tried uninstalling and reinstalled the keyboard-configuration again.
apt-get remove keyboard-configuration apt-get install keyboard-configuration shutdown -r now
But that just put me back where I was: with a login loop problem. So I tried switching to lightdm:
apt-get install lightdm
And it worked even before a reboot. After a reboot, I had a different login screen but the actual desktop looked the same. The .Xauthority file is now 51 bytes big and I suddenly have a .xsession-errors, which contains a list of environment settings taking place... However, the machine then silently crashed that night and again the following morning. I couldn't find a specific cause in the logs but there did seem to be a number X and GNOME problems:
journalctl -b -1 journalctl --since "1 hour ago"
I ran an update from the GUI, which may have helped. However, there was a warning about an issue with a screensaver the first time that I loaded lightdm, and the crashes seemed to happen sometime after a clean boot. So I uninstalled lightdm, and installed gdm (which failed as installed already) and rebooted but got no GUI. Then I uninstalled and reinstalled gdm and everything seems fine now.
apt-get remove lightdm apt-get remove gdm3 apt-get install gdm3
Incidentally, I left a clock running in a terminal so that I could see when the box went down if it crashed again. The clock code is:
while [ 1 ] ; do echo -en "$(date +%T)\r" ; sleep 1; done
Important Moves
I kept the old versions of mediawiki and wordpress and moved them to /bulk/retired (using yyymmdd dates)
mv /var/lib/mediawiki26082020 /bulk/retired/ mv /bulk/retired/mediawiki26082020 /bulk/retired/mediawiki20200826 mv /var/www/html/blog20200809 /bulk/retired/
Wordpress Redux
Install
First, move the old folder to a new name, so that it is there for backup and then get the new install and unpack it.
cd /bulk/installs wget https://wordpress.org/latest.tar.gz mv /var/www/html/blog /var/www/html/blog20200809 tar -xzf latest.tar.gz -C /var/www/html/ cd /var/www/html/ mv wordpress/ blog/ chown -R www-data:www-data blog
Put an .htaccess file in that folder to restrict access while we work:
vi blog/.htaccess <RequireAny> Require ip 192.168.2.1 </RequireAny>
Set up
Then set up the dbase by editing wp-config.php (it's easiest to modify the sample).
cp blog/wp-config-sample.php blog/wp-config.php vi blog/wp-config.php Note get some keys from: https://api.wordpress.org/secret-key/1.1/salt/
Then the backend works - go to http://www.edegan.com/blog/wp-admin! However the health check shows a missing required module and two missing recommended modules. Fix that:
apt-get install php7.3-gd apt-get install php7.3-curl apt-get install php7.3-imagick apachectl restart
Ironically, it then recommends that I upgrade to PHP7.4... but that would just give issues for mediawiki. On the other hand, everything is now green and just 4 groups of recommendations remain.
Config
See [Wordpress Blog Site (Tool)] for the McNair Center's build.
Using www.edegan.com/blog/wp-admin I configured the blog as follows:
- Select Twenty Twenty as the theme
- Add the permalink code to the .htaccess file, so that the URLs will work with postnames
- Copy over images to wp-content/uploads (use cp -a to maintain permissions)
Install plugins:
- Yoast SEO
- Wordfence Security
- Disable Comments
- Site Kit by Google (set up once live!)
- Pixabay
I also added:
- CoBlocks (free)
- Advanced Gutenberg (free)
I didn't add Co-Authors Plus (https://wordpress.org/plugins/co-authors-plus/) as it hasn't been tested on the latest version of wordpress. There are other plugins that offer equivalent functionality if I need one later.
Notes:
- Twitter embedding: https://www.wpbeginner.com/wp-tutorials/how-to-display-recent-tweets-in-wordpress-with-twitter-widgets/
Other things
I should harden the wordpress installation: https://wordpress.org/support/article/hardening-wordpress/
HTTPS
To set up HTTPS using Let's Encrypt, see https://linuxize.com/post/secure-apache-with-let-s-encrypt-on-ubuntu-20-04/
Install it and make some directories...
apt update apt install certbot openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048 takes ~20 secs mkdir -p /var/lib/letsencrypt/.well-known chgrp www-data /var/lib/letsencrypt chmod g+s /var/lib/letsencrypt
Set up the config files
vi /etc/apache2/conf-available/letsencrypt.conf Alias /.well-known/acme-challenge/ "/var/lib/letsencrypt/.well-known/acme-challenge/" <Directory "/var/lib/letsencrypt/"> AllowOverride None Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec Require method GET POST OPTIONS </Directory>
vi /etc/apache2/conf-available/ssl-params.conf SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1 SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA- CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384 SSLHonorCipherOrder off SSLSessionTickets off SSLUseStapling On SSLStaplingCache "shmcb:logs/ssl_stapling(32768)" SSLOpenSSLConfCmd DHParameters "/etc/ssl/certs/dhparam.pem" Header always set Strict-Transport-Security "max-age=63072000"
Enable some apache2 mods!
a2enmod ssl a2enmod headers a2enconf letsencrypt a2enconf ssl-params sudo a2enmod http2 systemctl reload apache2
Run certbot!
certbot certonly --agree-tos --email ed@edegan.com --webroot -w /var/lib/letsencrypt/ -d edegan.com -d www.edegan.com Note that I needed an @ entry in my A record for edegan.com pointed to my IP address to get the main challenge to succeed.
Then set up a new apache2 config file (in /etc/apache):
mv sites-available/000-default.conf sites-available/000-default.conf.bak vi sites-available/edegan.com.conf <VirtualHost *:80> ServerName www.edegan.com ServerAdmin ed@edegan.com Redirect permanent / https://www.edegan.com/ </VirtualHost> <VirtualHost *:443> ServerName www.edegan.com Protocols h2 http/1.1 DocumentRoot /var/www/html ErrorLog ${APACHE_LOG_DIR}/error.log CustomLog ${APACHE_LOG_DIR}/access.log combined SSLEngine On SSLCertificateFile /etc/letsencrypt/live/edegan.com/fullchain.pem SSLCertificateKeyFile /etc/letsencrypt/live/edegan.com/privkey.pem # Other Apache Configuration Alias /wiki /var/www/html/mediawiki/index.php RewriteEngine On RewriteRule ^/*$ %{DOCUMENT_ROOT}/mediawiki/index.php [L] </VirtualHost> ln -s sites-available/edegan.com.conf sites-enabled/edegan.com.conf systemctl reload apache2
Test it by going to https://www.ssllabs.com/ssltest/
Finally, edit /etc/cron.d/certbot and append the following to the last line (after -renew):
--renew-hook "systemctl reload apache2" certbot renew --dry-run Tests the renewal!
Old machines
For the configuration of the servers built for the McNair Center, see the old Center IT page or the pages below:
- Database Server Documentation
- RDP Documentation
- Test Web Server Documentation
- Web Server Documentation
Some of this information is still useful!
In addition, at UC Berkeley, Ed designed and built three machines - two postgresql database servers and a wiki server. The documentation is here:
- Haas PhD Server Configuration
- Posgres Server Configuration -- documents the build of postgres2