Difference between revisions of "SAC:Standard System Setup"

From OSGeo
Older revision edit summary: m (Disable SELinux)
Newer revision edit summary: (Fail2ban)
(8 intermediate revisions by 2 users not shown)
Older revision, wiki source:

= Enable LDAP =

As per [[SAC:Setup LDAP Authentication]] instructions using authconfig.

Also need to update /etc/sudoers file like this:

(need to work out how to use LDAP Admin group to identify access to sudoers file)

= YUM Update =

 sudo yum check-update
 sudo yum --exclude=dlm-kernel --exclude=cman-kernel --exclude=gnbd-kernel --exclude=GFS-kernel update

= Enable auto-home-dir creation =

Add the following line to /etc/pam.d/login and /etc/pam.d/sshd:

 session    required    pam_mkhomedir.so skel=/etc/skel umask=0022

= Mount /home from NFS =

Add the following to /etc/fstab:

 bucket:/export/home    /mnt/home              nfs    intr

Then wipe, and link /home to /mnt/home after ensuring there is nothing of value in /home.

 mount /mnt/home
 rm -rf /home
 ln -s /mnt/home /home

= Disable SELinux =

On some systems it may be desired to disable SELinux. This can be accomplished by:

* Editing /etc/selinux/config and changing SELINUX=enforcing to SELINUX=disabled.
* execute "sudo /usr/sbin/setenforce 0"

[[Category:Infrastructure]]

Newer revision: its wiki source is the latest revision rendered below. It drops the YUM Update, auto-home-dir creation, NFS /home and Disable SELinux sections, rewrites Enable LDAP, and adds the Request a new VM, Base VM, First Login, Setting up Backups, Enabling munin, File System Layout and Recommended Options sections.

Latest revision as of 02:25, 4 May 2016

This document describes how to set up a new VM at OSU OSL.

Request a new VM

A support request should be made to OSU OSL support after discussion and agreement within SAC. Details will be needed on the disk space, memory and the machine on which it should be established. See SAC Service Status to get a sense of the machines available and what is already running on them. The support request should be made to support at osuosl.org.

Base VM

New VMs are made by cloning the "Base VM", and reconfiguring the memory and disk space. The Base VM is not normally running, but when it is it will be at base.osgeo.osuosl.org. When policy changes are made on how the base system should be configured for all VMs, they should also be applied to this base VM.

First Login

New VMs will only allow root logins by SAC Primary Administrators with the correct ssh keys set up, but they should also support regular LDAP logins for anyone in the "sac" shell group, with sudo access preconfigured for primary administrators.

Enable LDAP

See SAC:LDAP for information on how the OSGeo LDAP server works.

By default new VMs should support login by members of the "SAC" LDAP Shell group. Allowed groups can be changed primarily by editing the /etc/ldap/ldap.conf file and modifying the line that looks like:

 pam_groupdn cn=sac,ou=Shell,dc=osgeo,dc=org

The "cn" value can be changed to other LDAP shell groups. Current alternatives are "telascience", which is a very broad set of OSGeo folks suitable for shared project servers, and the "qgis" group, at present used only on the qgis server.
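An added post-clone check, not part of this wiki page: a POSIX shell audit that reads the pam_groupdn line from a VM's /etc/ldap/ldap.conf and flags a host whose allowed shell group is not the one intended (the ldap.conf texts at the bottom are constructed samples).

```shell
#!/bin/sh
# Added audit helper (not from the OSGeo wiki page): report which LDAP shell
# group a cloned VM lets log in, based on the pam_groupdn line in
# /etc/ldap/ldap.conf described above, and flag a host whose group is broader
# than intended. Functions take the file contents as a string so the check can
# run against a copy or the constructed samples at the bottom.

# Print the "cn" of the first active pam_groupdn line (commented lines are
# ignored); print nothing when the file has no such line.
ldap_shell_group() {
    printf '%s\n' "$1" |
        sed -n 's/^[[:space:]]*pam_groupdn[[:space:]][[:space:]]*cn=\([^,]*\),.*$/\1/p' |
        head -n 1
}

# Return 0 when the configuration restricts logins to exactly the expected
# group, 1 otherwise. A missing pam_groupdn means pam_ldap applies no group
# restriction; a broad group such as "telascience" on a host meant for "sac"
# only is the drift a post-clone check should catch.
check_shell_group() {
    conf_text="$1"; expected="$2"
    actual=$(ldap_shell_group "$conf_text")
    if [ -z "$actual" ]; then
        echo "no pam_groupdn line: LDAP logins are not restricted to a group" >&2
        return 1
    fi
    if [ "$actual" != "$expected" ]; then
        echo "pam_groupdn allows '$actual', expected '$expected'" >&2
        return 1
    fi
    return 0
}

# Constructed samples standing in for /etc/ldap/ldap.conf on three VMs.
SAMPLE_SAC='base dc=osgeo,dc=org
pam_groupdn cn=sac,ou=Shell,dc=osgeo,dc=org'
SAMPLE_BROAD='base dc=osgeo,dc=org
#pam_groupdn cn=sac,ou=Shell,dc=osgeo,dc=org
pam_groupdn cn=telascience,ou=Shell,dc=osgeo,dc=org'
SAMPLE_NONE='base dc=osgeo,dc=org'

# On a real host: check_shell_group "$(cat /etc/ldap/ldap.conf)" sac
```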

For very secure servers (like the "secure" server) we would likely want to disable LDAP access. I'm not exactly sure how to do that.

Note that proper functioning of the LDAP service also depends on having the proper SSL certificates installed, as described in SAC:SSLCert. Normally these should be set up on the base VM and copied to new VMs.

Setting up Backups

... to be added ...

Enabling munin

... to be added ...

File System Layout

We typically try to put OSGeo stuff under a /osgeo directory broken down by project or service.

Recommended Options

Fail2ban

Fail2ban is a tool that blocks excessive scanning for usernames and passwords on the system: it prevents brute-force ssh logins, catches nasty Apache requests and the like.

See SAC:fail2ban

Awstats

See ? page on server usage tracking.