Teacher's notes
Teacher's notes for preparing the course website and the USIT web host running RHEL7 for the student's at the start of the semester.
Table of contents
Introduction
USIT has set up a set up virtual machines that shall be used as web hosts for the INF5272 project teams. The service (VMWare) is delivered by USIT's Server and Storage Management Group (virt-drift@usit.uio.no). My main contact has been: Safet Amedov. In addition, for Apache support is handled by www-drift@usit.uio.no.
Each web host has the following properties:
- Red Enterprise Linux 7 (RHEL7).
- SELinux (Security Enhanced Linux)
- 2 GB disk on / partition
- 4 GB disk on /var partition
- 2 GB RAM
- 1 core
I need to install the most of the LAMP-stack:
- OK: gnu/Linux (RHEL7).
- Missing Apache.
- Missing MySQL.
- Missing PHP.
- Missing phpMyAdmin.
Since I recycle the macines each year, there is should be a full LAMP-stack i 2019.
The OS and release-track software is kept up to date by USIT/RedHat.
The 14 virtual servers set up by USIT have the host names on the form
diwXX.uio.no
(where XX is a two digit number
between 00 and 13). Each team is given custody of one such server.
Disk use under /var/www
(as reported by du -h -s .
):
- phpMyAdmin: 23 Mbyte
- Drupal core: 16 Mbyte
Configuration
The configuration files mention in this chapter are in:
~/www_docs/staging2/inf5272/
~/www_docs/staging2/inf5272/vhostfiles/
on ifi.
The right place to define and change environment variables
is ~/.bash_profile
.
Files to copy to each vhost.
httpd.conf
→/etc/httpd/conf/
cptofi
→~/bin/
drupal_cleaninst.sh
→~/bin/
→
Setting up the LAMP stack
The procedure for setting up the LAMP stack is in the chapter for students. Links:
Course web
Checklist for a new semester:
- Notify: Make sure Anonymous and Authenticated are allowed to use Notify.
- Make sure image upload works.
Project groups
Permission to edit the group profile page is handled by Content Access, using "Role based access control settings".
Checklist for a new year:
- To allow project groups to create their own project description pages, give all students (temporary) the "Editor" role.
- Make sure that per content node access control settings are enabled for content of type "Gruppe".
- Assign all group members the role (
gXX
where XX is group number) of asssociated with their group. - Expand "Role based access control settings" for the project description page, and
check the permissions Edit any team content and Edit own team content for
gXX
are set (the latter is redundant, as these nodes should be owned by root). - Adjust the pager for view "Grupper" to only show the groups in use.
- Adjust the filter for view "Student-galleri" to only show the groups in use (Group 0 usually reserved for non-students).
Students are assigned membership in a group by being listed in the field "Medlemmer". The "Student-galleri" view get access to this through a contextual filter and a relation. Only groups with members appear on the "Student-galleri" page. The "Gruppeoversikt" need to show groups that are used for master projects to keep nunbers right.
Prepare the vhost for students
If the user students do not exist on the vhost, create it:
# useradd students # passwd students # cd /etc/httpd/conf # chgrp students httpd.conf # chmod g+w httpd.conf # cd /var/www # chgrp -R students . # chmod -R g+w . # cd /usr/share/drush # chgrp students . # chmod g+w .
To use sudo
, you need to authenticate using the UiO password.
Adding and removing users from vhost
First remove users that shall not have access any more from groups.
One of the following commands in the directory /etc
will
show current membership:
$ grep -e wheel -e students group $ egrep "wheel|students" group
The following will make the user “petter” member of no group.
# usermod -G "" petter
Then to prevent login, remove the user's entry
from /etc/passwd
by editing the file (userdel -r
?).
After removing the user from the login, you may also want to remove
the user's directory under /home
.
The following directories under /home
should not be
removed:
oracle students virtmgmt
To add a user to a vhost, edit the file /etc/passwd
by
adding the user's Ifi username prefixed by the
character +
. Verify that the username is a valid
Ifi username, and is associated with the correct person.
Here is an excerpt from this file, where three users, named “gisle”, “idabraa” and “petter” has been added:
root:x:0:0:root:/root:/bin/bash : mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash +gisle +idabraa +petter
Users that shall have sudo privileges must be placed in wheel. The following command will add the user “petter” as a member of this group, and also add him to the group students.
# usermod -a -G wheel,students petter
Note that this command will fail if the username is not a valid Ifi username.
Important files
The file with all users:
/etc/passwd
You need to edit /etc/passwd
to add and remove users.
The following two files should not bed edited directly:
/etc/group
/etc/gshadow
File names ending with a dash (-
) or tilde
(~
) are just backups created when these are edited by
useradd, groupadd (dash) or emacs (tilde).
CFEngine
USIT uses CFEngine to monitor and manage the servers they supply. The default policy is for a user to have a single home directory across all UiO servers.
To have local home directories, USIT must add the
role homedir_override
for these servers.
SELinux
The USIT RHEL7 hosts are running SELinux (Security-Enhanced Linux) that provides more fine-grained access controls for Gnu/Linux. You may see the current mode of enforcement using one of these commands:
$ sestatus $ sestatus | grep mode
To toggle the mode from enforcing
to permissive
and back again, use:
# setenforce 0 # setenforce 1
If you encounter permission denied problems that cannot be explained by Gnu/Linux mode bits, SELinux is the main suspect. You may verify that SELinux is responsible by toggling enforcement to permissive and see if that setting gives access.
Some of the permissions managed by SELunux are controlled by boolean flags. To see all available booleans on your system which can be changed by you, use one of these commands:
$ getsebool -a $ semanage boolean -l
Typical permission problems caused by SELinux are files not being written or read though the web server has permissions; communications operations such as sending mail or attempting XMLRPC operations failing, although firewall permissions are OK, etc. There is a user contributed document at Drupal.org: SELinux may cause mysterious permission problems that gives more information about these problems.
To allow apache (httpd) to write to the public file area, do the following:
# chcon -R -t httpd_sys_content_rw_t /var/www/html/sites/default/files/
Remote aministration of vhost
USIT VCenter (needs Flash, so use Chrome).
Repos
To see what externals repos are subscribed:
# yum repolist
To update packages from subscribed repos:
# yum update
More about the Red Hat Subscription Manager.
Resetting Drupal to a clean install
For a new semester in INF5272, rather than cleaning out everything,
I reset the virtual host to a clean and empty install with the
following script. The directory /var/www/html
do not
need to exist.
$ sudo /home/gisle/bin/drupal_cleaninst.sh teamnumber password
The teamnumber is always two digits (e.g. 01
for team number 1).
The password to put as third argument is the Drupal db user password.
- root pw for MariaDB is g…XX; db is drupal@drupal7
- drupal pw for MariaDB is in
~/configfiles/settings.php
(and in sites spreadsheet). - Drupal user #1 is “root”; pw is set by
drupal_cleaninst.sh
.
This cleans out everything in the file system, including themes, modules, libraries and the upload area. The projects Devel and Security review are also installed. Open user registration is turned off.
Check the following on the new site:
- Check the status report.
- Make sure image upload works.
The web host should now be set up and ready for use.
The script that install Drupal sets me up as user #1. I am also the root user of the MySQL databases.
Students should register on Drupal-sites with -adm
suffixed to their username, and I promote the first student of each
team to Administrator in a timely fashion. He/she then
promotes his/her teammates.
Deleting db
Provided the database holding your Drupal installation is named “drupal7”, this sequence of commands delete the Drupal db:
$ mysql -u root -p Enter password: mysql> DROP DATEBASE drupal7; Query OK, 89 rows affected (1.21 sec) mysql> quit Bye
This will leave the Drupal core files and your sites directory intact, but the database, holding your content and your configuration will be gone. This is usually what you want to start rebuilding a corrupted site from scratch.
You can then go ahead and create an empty database for Drupal. Use the following script:
$ ./createdb.sh drupal7 drupal password Enter password:
The password to put as third argument is the Drupal db user password (recorded in spreadsheet, in the column “user pw”). The password asked for on the next line is the MySql root password (recorded in spreadsheet, in the column “root pw”).
Troubleshooting
Outgoing email from the machines go via smtp.uio.no
.
If it does not allow relaying to non-uio addresses from the vhost in
question, the mail will bounce with the message:
relay not permitted (in reply to RCPT TO command)
To fix this, contact postmaster@usit.uio.no
and
request the vhost is permitted to send email to external
recipients.
Final word
[TBA]
Last update: 2015-05-05 [gh].