Haas PhD Server Configuration

From edegan.com
Jump to navigation Jump to search


Haas PhD Students have two new servers and this page details their configuration.

NOTE THAT THE CONFIGURATION OF POSTGRES2 HAS ITS OWN PAGE

IP Addresses

The servers have been moved to a colo. Their new IP addresses are:

  • phd-wiki: 128.32.204.202
  • phd-postgres2: 128.32.204.203

The domain names wiki.haas.berkeley.edu and postgres.haas.berkeley.edu should be mapped to these IP addresses shortly.

Base configurations

Both servers are running CentOS release 5.5 (cat /etc/*release*), which uses the Yum package manager (yum list installed | more). Both have Gnome on Xwindows available, as well as the following common packages:

  • cpp 4.1.2-48.el5.
  • ftp 0.17-35.el5
  • httpd 2.2.3-43.el5.centos.3
  • iptables 1.3.5-5.3.el5_4.1
  • mysql 5.0.77-4.el5_5.4 (note that this is the client)
  • openssh 4.3p2-41.el5_5.1
  • pam 0.99.6.2-6.el5_5.2
  • perl 4:5.8.8-32.el5_5.2
  • python 2.4.3-27.el5_5.3
  • php 5.1.6-27.el5_5.3
  • samba 3.0.33-3.29.el5_5.1
  • squid 7:2.6.STABLE21-6.el5

Notable additional packages on pgsql are:

  • postgresql.x86_64 8.1.22-1.el5_5.1

Before we start

On Both Machines

Creating Users

Assuming that you have root, you can create user accounts and give them root too. The process is:

First great the users group, checking the last group number:

cat /etc/group
/usr/sbin/groupadd -g 515 username 

Then add the user

/usr/sbin/useradd -g username -G root -s /bin/bash -p xxxx -d /home/username -m username
      where g is the primary group, G is other groups, p sets a password, 
      d declares a home directory and m makes the directory

Change the user's password:

passwd username

And add the user to the sudoers file

echo 'username ALL=(ALL) ALL' >> /etc/sudoers

To delete a user:

/usr/sbin/userdel -r roger 
where r removes the home directory

And to remove their group

/usr/sbin/groupdel username

Mounting bear

It is very useful to mount your R drive

mkdir /mnt/ed
mount -t cifs //bear/ed_egan/ /mnt/ed -o user=haas\\ed_egan

or:
mount -t cifs //bear/ed_egan/ /mnt/ed -o user=ed_egan
(which ever works)

for the inclusion into fstab or other more sophisticated approaches there is a Centos help page.

Package additions/upgrades/removals

On lamp:

  • Upgrade PhP to 5.2.17+
  • Install MySQL (the server)
  • Install Mediawiki
  • Remove ftp

On pgsql:

  • Remove httpd, mysql, ftp, sendmail, inn and other servers we don't need
  • Upgrade python to version 3.1
  • Install TrueCrypt

On the Wiki Server

Upgrading PhP

In order to upgrade PhP (or install a more recent version of MySQL) we will probably need access to a different repository.

You can automatically add the Atomicorp repository using:

wget -q -O - http://www.atomicorp.com/installers/atomic | sh

It has PhP version 5.2.17-1.el5.art and MySQL version 5.1.55-1.el5.art. Also install pgp-mysql.

yum list php   #We were running 5.1.6-27.el5_5.3
yum upgrade php
yum install php-mysql

Install MySQL

Install MySql (and update the client):

yum install mysql mysql-server

Start the server:

/etc/init.d/mysqld start

And make sure it starts automatically on reboot:

/sbin/chkconfig --levels 235 mysqld on

Set a root password for the database:

mysqladmin -u root password cheit

At this point you should configure and test the webserver and PhP, which is discussed below.

Install Mediawiki

There is no good version of mediawiki available from a yum repo. So you should do this manually. It isn't painful. Detailed instructions (you won't need them) are available from:

First change to your home directory (or somewhere 'safe') then

wget http://download.wikimedia.org/mediawiki/1.16/mediawiki-1.16.2.tar.gz

Then untar the package, either using the --owner option or as a non-root user to force extracted file ownernship to be other than 1000

su username
tar xvzf mediawiki-*.tar.gz
sudo su

Now copy the files into the 'right' location and change permissions

mkdir /var/www/html/w
cp -r mediawiki-1.16.2/* /var/www/html/w/
chmod a+w /var/www/html/w/config

Install ImageMagick using Yum:

yum install glib glib2 libpng libjpeg libtiff ghostscript freetype ImageMagick ImageMagick-perl

On Postgres.Haas

Removing Unneeded Servers

Remove the web, mail, news and other unneeded servers. Consider removing MySQL (but leave it for now):

yum groupremove "Web Server"
yum groupremove "Mail Server"
yum groupremove "News Server"

Install and Configure PostgreSQL

To install Postgres with the PLs (Procedural Languages) do:

yum install postgresql postgresql-server postgresql-pl postgresql-libs

Start the service with:

/sbin/chkconfig postgresql on
/sbin/service postgresql start

Add the following to /etc/sysconfig/iptables to allow access through the firewall:

-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp -s 128.32.66.0/24 --dport 5432 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp -s 128.32.67.0/24 --dport 5432 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp -s 128.32.74.0/24 --dport 5432 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp -s 10.136.0.0/23 --dport 5432 -j ACCEPT

Restart the IPtables so the changes take effect:

service iptables restart

Now create some users on the database server:

su postgres
createuser root
createuser -P ed_egan
exit

Check the version of Postgres and Perl installed:

psql -c "select version();" template1
 PostgreSQL 8.1.23
perl -v
 v5.8.8

Now add the perl PL to the standard template so that all new databases will be perl enabled:

createlang plperl template1

Check the specs on the machine for the configuration:

cat /proc/meminfo
 MemTotal:      8181356 kB
cat /proc/cpuinfo
 2 x Quad core CPUs 
 cache size: 2048 KB
 model name: Intel(R) Xeon(TM) CPU 2.80GHz

Review the performance tuning section on the Working with PostgreSQL page, and possibly on the official quick guide page and make the following changes to /var/lib/pgsql/data/postgresql.conf:

listen_addresses = '*'
port = 5432

checkpoint_segments=32
   This is equivalent to every 512Mb

shared_buffers = 786432	
  #1gig = 1073741824 => 131072 * 8 * 1024, currently trying 6gig
  The recommendation is to use around 10-15% of RAM, 
  but for a single user db something higher seems better
  This is in 8K blocks

work_mem = 2097152
  #In KB, so 1024 * 512=> 524288 = 512Mb, 
  Note that this might be a little too high for aggresively stacked queries
  But this seems to be the bite point for performance.  

maintenance_work_mem = 262144
  #786432 => 6 * 1073741824 => 6 * 131072 * 8 * 1024
  This is how much VACUUM will use - it doesn't make a huge difference

effective_cache_size = 1835008
  #In 8k blocks. This is the maximum memory that postgres will allocate.
  It is currently set to 14Gb.

Alter /var/lib/pgsql/data/pg_hba.conf to include the lines (under IPv4):

host    all         all         128.32.74.0/24        md5
host    all         all         128.32.66.0/24        md5
host    all         all         128.32.67.0/24        md5
host    all         all         10.136.0.0/23         md5

Note that this will use encrypted database passwords, and that all accounts must have non-null passwords (i.e. be created with createuser -P username)

And restart Postgres:

/sbin/service postgresql restart

Upgrade Python?

Find out which version of Python is currently installed:

yum list python       #lists version 2.4.3-27.el5_5.3

There are tarballs of version 3.2 available from Python.org's download area, but it seems too recent to have got rpm/yum support as yet.

Configuration

For both servers:

  • Mount bear
  • Configure Iptables

For lamp:

  • Configure Apache
  • Configure Mediawiki
  • Add Mediawiki extensions
  • Create new folder structure

For pgsql:

  • Configure Postgre

On the Wiki Server

Configure Apache

Edit the main config file:

vi /etc/httpd/conf/httpd.conf
...
ServerName 128.32.66.164:80
...

To start Apache (to restart use 'restart'):

/etc/init.d/httpd start

To set Apache to start at boot:

/sbin/chkconfig --levels 235 httpd on

First, confirm your IP address:

/sbin/ifconfig

Configure IP Tables

For lamp we need a hole for port 80 for the webserver. For pgsql we need a hole for our clientware. General documentation is available in iptables from Centos

Check that iptables is running:

/sbin/lsmod | grep ip_tables

Backup the old rules:

cp /etc/sysconfig/iptables /etc/sysconfig/iptables.bak

Add a hole (or two):

vi /etc/sysconfig/iptables
...
 -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp -s 128.32.66.0/24 --dport 80 -j ACCEPT
 -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp -s 128.32.67.0/24 --dport 80 -j ACCEPT
 -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp -s 128.32.74.0/24 --dport 80 -j ACCEPT
 -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp -s 10.136.0.0/23 --dport 80 -j ACCEPT
...

Restart the service:

/etc/init.d/iptables restart

Test the webserver and PhP

Browse to http://128.32.66.164/ you should see the test page. Write the following text file to /var/www/html/Test.php:

<?php
  phpinfo();
?>

Browse to http://128.32.66.164/Test.php and you should see the PhP version page.

Configure MediaWiki

Browse to http://128.32.66.164/w/config/index.php, and set the following setting:

WikiName: HaasPhDWiki
Contact: kimg@haas.berkeley.edu
Admin password and dbase password: cheit
All other settings as default (you do have superuser on the dbase so tick that box)

Now move the LocalSettings.php file, change the permissions, and remove the config directory.

cp config/LocalSettings.php LocalSettings.php
chmod 600 LocalSettings.php
chown apache LocalSettings.php
mkdir /mnt/ed/configbak
cp -r ./config /mnt/ed/configbak/
rm -rf ./config

You can now view your Wiki at http://128.32.66.164/w/index.php

We will now do the extensions and fine detail configuration.

Change the following settings in LocalSettings.php

$wgEnableUploads       = true; #Changed by Ed
$wgUseTeX           = true; #Changed by Ed
$wgLogo             = "/icons/wiki_logo.gif";
$wgArticlePath = "/wiki/$1";
$wgUsePathInfo = true;
$wgFavicon = "$wgScriptPath/favicon.ico";
$wgGroupPermissions['*']['edit'] = false; #Stops editing without an account, globally


Change the permissions on the images directory:

chmod a+w /var/www/html/w/images

Add the info for the side bar (this might be restored from a backup):

Edit (or create):  
http://wiki.haas.berkeley.edu/wiki/MediaWiki:Sidebar

* navigation
** mainpage|mainpage-description
** research_computing |Research Computing
** portal-url|Community
** currentevents-url|currentevents
** recentchanges-url|recentchanges
** randompage-url|randompage
** helppage|help
* Group Pages
** accounting|Accounting
** bpp|BPP
** finance|Finance
** management_of_organizations|Management of Organizations
** marketing|Marketing
** operations_and_it_management|Operations and IT Management
** real_estate|Real Estate
* SEARCH
* TOOLBOX
* LANGUAGES


And populate the wiki using the Special:Import page. Note that you can get a list of all pages on a wiki using the API:

http://wiki.haas.berkeley.edu/w/api.php?action=query&list=allpages&aplimit=500

Mount the Backup Directory:

mkdir /mnt/wiki
mount -t cifs //bear.haas.berkeley.edu/wiki/bulk/backup /mnt/wiki/ -o user=haas\\wiki

Mount the Images Directory:

mv /var/www/html/w/images /var/www/html/w/imagesorg
mkdir images
mount -t cifs //bear.haas.berkeley.edu/wiki/bulk/media /var/www/html/w/images -o user=haas\\wiki
mkdir /var/www/html/w/image/tmp

Change the max_upload_filesize to 8M in php.ini:

vi php.ini
#edit max_upload_filesize variable

Restart the webserver:

/etc/init.d/httpd restart


Do the extensions:

Simple security Get it from: http://www.mediawiki.org/wiki/Extension:Simple_Security

tar -xzf /mnt/ed/HaasWiki/SimpleSecurity-MW1.16-r62389.tar.gz -C /var/www/html/w/extensions

UserMerge Get it from: http://www.mediawiki.org/wiki/Extension:UserMerge

tar -xzf /mnt/ed/HaasWiki/UserMerge-MW1.16-r66255.tar.gz -C /var/www/html/w/extensions

RenameUser Get it from: http://www.mediawiki.org/wiki/Extension:Rename_user

tar -xzf /mnt/ed/HaasWiki/Renameuser-MW1.16-r66255.tar.gz -C /var/www/html/w/extensions

ImportUsers Get it from: http://www.mediawiki.org/wiki/Extension:ImportUsers

tar -xzf /mnt/ed/HaasWiki/ImportUsers-MW1.16-r62790.tar.gz -C /var/www/html/w/extensions

UserRightsList Get it from: http://www.mediawiki.org/wiki/Extension:UserRightsList

tar -xzf /mnt/ed/HaasWiki/UserRightsList.0.52.tgz -C /var/www/html/w/extensions

MultipleUpload Get it from: http://www.mediawiki.org/wiki/Extension:MultiUpload

tar -xzf /mnt/ed/HaasWiki/MultiUpload-MW1.16-r78542.tar.gz -C /var/www/html/w/extensions


Add to LocalSettings.php

#SimpleSecurity
$wgSecurityUseDBHook = true; # Add this to enable the experimental DB hook for stronger security
include_once("{$IP}/extensions/SimpleSecurity/SimpleSecurity.php");
# All other SimpleSecurity directives MUST be specified after the include or the defaults will override them.
$wgSecurityRenderInfo = true;
$wgSecurityAllowUnreadableLinks = false;
$wgPageRestrictions['Category:Servers']['read'] = 'sysop';
$wgSecurityExtraGroups = array(
   'students' => 'Students',
   'faculty' => 'Faculty,
   'staff' => 'Staff',
);
 
#UserMerge
require_once( "$IP/extensions/UserMerge/UserMerge.php" );
$wgGroupPermissions['bureaucrat']['usermerge'] = true;

#RenameUser
require_once("$IP/extensions/Renameuser/Renameuser.php");

#ImportUsers
require_once("$IP/extensions/ImportUsers/SpecialImportUsers.php");

#UserRightsList
require_once("$IP/extensions/UserRightsList/UserRightsList.php");

#MultipleUpload
require_once("$IP/extensions/MultiUpload/SpecialMultipleUpload.php");
$wgMaxUploadFiles=10;