USIT web host

by Gisle Hannemyr

This chapter shows how to set up a USIT web host running Red Hat Enterprise Linux 8 (RHEL8) with a suitable environment for running version 8 of the Drupal WCMS.

Introduction

USIT facilitates virtual machines suitable for use as a virtual private server (VPS) to run as a web host.

This chapter describes in detail how to interact with one such virtual machine, including how to set it up to run a standard Drupal installation for use by Titan.

The current configuration for test03 is:

$ lsb_release -a 
LSB Version:    :core-4.1-amd64:core-4.1-noarch:cxx-4.1-amd64:…
Distributor ID: RedHatEnterprise
Description:    Red Hat Enterprise Linux release 8.3 (Ootpa)
Release:        8.3
Codename:       Ootpa
$ grep MemTotal /proc/meminfo 
MemTotal:        7872516kB
$ df -h
Filesystem                 Size  Used Avail Use% Mounted on
devtmpfs                   3.8G     0  3.8G   0% /dev
tmpfs                      3.8G     0  3.8G   0% /dev/shm
tmpfs                      3.8G  976K  3.8G   1% /run
tmpfs                      3.8G     0  3.8G   0% /sys/fs/cgroup
/dev/mapper/internvg-root  8.0G  122M  7.9G   2% /
/dev/mapper/internvg-usr   4.0G  2.6G  1.5G  64% /usr
/dev/mapper/internvg-opt   2.0G   56M  2.0G   3% /opt
/dev/mapper/internvg-var   8.0G  902M  7.2G  12% /var
/dev/sda1                  507M  331M  177M  66% /boot
/dev/mapper/internvg-tmp   4.0G   61M  4.0G   2% /tmp
tmpfs                      769M     0  769M   0% /run/user/183090
$ free -m
              total        used        free      shared  buff/cache   available
Mem:           7688         576        4175           1        2936        6839
Swap:          4095           0        4095
$ nproc 
2
$ uname -i 
x86_64

These are the disk sizes of the legacy RHEL7 servers:

The memory requirements of composer are on the heavy side, so you should make sure that there is at least 4 GB of RAM available.

The Titan Photo archive is large, but XXX

$ mysql --version
mysql  Ver 8.0.20-0ubuntu0.20.04.1 for Linux on x86_64 ((Ubuntu))
$ php --version
PHP 7.4.3 (cli) (built: May 26 2020 12:24:22) ( NTS )
Copyright (c) The PHP Group
Zend Engine v3.4.0, Copyright (c) Zend Technologies
    with Zend OPcache v7.4.3, Copyright (c), by Zend Technologies

RHEL8 comes with a new package manager named “dnf” that can be used to explore AppStreams, which replaces RHSCL as the repository for alternative versions of packages, which are now called “streams”.

For instance: What versions of PHP are available in the AppStreams repository? To answer this question, we can run a dedicated subcommand of dnf, module, and ask for information about the php module by using the list action:

$ sudo dnf module list php
Name         Stream          Profiles                         Summary     
php          7.2 [d]         common [d], devel, minimal       PHP scripting language                                                      
php          7.3             common [d], devel, minimal       PHP scripting language                                                      
php          7.4             common [d], devel, minimal       PHP scripting language                                                      

Hint: [d]efault, [e]nabled, [x]disabled, [i]nstalled

This tells us that three streams are available. The “[d]” in the second column tells us that version 7.2 will be installed by default.

To find out the default version of a package, use the command info. Examples:

$ dnf info httpd
2.4.37 [2.4.37, U: 2.4.41]
$ dnf info mariadb
10.3.17 [10.3.17]
$ dnf info php
7.2.24 [7.4.6, U: 7.4.3]

The square brackets give the latest version available. “U:” gives the version that comes with Ubuntu 20.04 LTS.

CLI access to the web server

To learn how to gain access to the web server's command line interface (CLI), see the section in “Unix notes” about using a terminal emulator.

Check for upgrades

After logging in to the CLI it is recommended that you check that the release you are running is up to date.

You can do this by running the pair of commands shown in the example below:

$ uname -r
4.18.0-240.1.1.el8_3.x86_64
$ sudo grubby --default-kernel
/boot/vmlinuz-4.18.0-240.1.1.el8_3.x86_64

If some part of the release number is different, you should upgrade to the latest version. You do this by rebooting:

$ sudo shutdown -r now

You may have to redo this from time to time to keep your configuration current.

Removing packages

To remove a package that is installed globally and that you no longer need, you may use these commands:

$ sudo yum remove package
$ sudo yum autoremove package

The first command removes the package if it was directly installed with yum. The second also removes packages that were installed as its dependencies and are no longer needed. Unlike apt, yum has no --purge option. Configuration files you have modified are left behind with the suffix .rpmsave and must be deleted by hand.

Source: Access Redhat.

Set locale

See: TecMint: How to Fix “Failed to set locale, defaulting to C.UTF-8” in CentOS 8.

$ sudo localectl set-locale LANG=en_US.UTF-8
$ sudo dnf install langpacks-en glibc-all-langpacks -y
[RHEL7]

Check locale:

$ locale
LANG=en_US.UTF-8
LANGUAGE=
LC_CTYPE="en_US.UTF-8"
LC_NUMERIC="en_US.UTF-8"
LC_TIME="en_US.UTF-8"
LC_COLLATE="en_US.UTF-8"
LC_MONETARY="en_US.UTF-8"
LC_MESSAGES="en_US.UTF-8"
LC_PAPER="en_US.UTF-8"
LC_NAME="en_US.UTF-8"
LC_ADDRESS="en_US.UTF-8"
LC_TELEPHONE="en_US.UTF-8"
LC_MEASUREMENT="en_US.UTF-8"
LC_IDENTIFICATION="en_US.UTF-8"
LC_ALL=

If the locale for LC_ALL is not set, edit the file /etc/environment and put the following at the end:

…
LC_ALL="en_US.UTF-8"

You will need to log off and on again for the setting to take effect.

Install essentials

Install emacs without the X11 libraries:

$ sudo yum install emacs-nox
$ sudo dnf install gcc
https://linuxconfig.org/how-to-install-gcc-compiler-in-redhat-linux-8

Install and enable Apache

Note: Make sure you always install Apache before PHP.

First, check if Apache web server daemon (httpd) is already installed on the USIT web host:

$ which httpd
/usr/bin/which no httpd in (…)  

If it is not installed, then install it (otherwise, skip this step):

$ sudo dnf install httpd
…
Complete!
$ which httpd
/usr/sbin/httpd

Then make sure that the webroot exists (the web server will not start without it). To simplify initial testing, put a file named index.html in the webroot that outputs some message when visited.

If your web server is set up with SELinux, you may also need to use this command to make the webroot and the files below it readable by the web server:

$ sudo chcon -R -t httpd_sys_content_t html/

Out of the box, Apache is not set up to restart when the system is rebooted, and it is not running. To remedy this, use the following commands:

$ sudo systemctl enable httpd
Created symlink /etc/systemd/system/multi-user.target.wants/httpd.service \
→ /usr/lib/systemd/system/httpd.service.
$ sudo systemctl start httpd

$ sudo apachectl configtest

After doing this, visit the URL of your site with a browser. It should now display whatever there is at the default webroot, which is /var/www/html/.

After you've started httpd the first time, you need to restart it if you change httpd.conf. Always test the configuration after making changes, to make sure there are no syntax errors.

$ sudo apachectl configtest
$ sudo service httpd restart

If you're unable to access the web server at this point (to see the default Apache screen), and instead see some message from your browser that typically tells you that the server takes too long to respond, the problem may be that port 80 is blocked by the firewall. You can use the following command to check the status of the firewall setting:

$ sudo iptables-save | grep 80
-A IN_public_allow -p tcp -m tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT

If the line shown above is part of the output from the command, port 80 is not blocked by the firewall. If the output is empty, or just some text that is unrelated to port 80, the firewall is set up to disable http access. If so, change the firewall rules to enable port 80/tcp, and reload the firewall:

$ sudo firewall-cmd --zone=public --add-port=80/tcp --permanent
success
$ sudo firewall-cmd --reload
success

To check active zones:

$ sudo firewall-cmd --get-active-zones
backup
  sources: 129.240.2.160/27 2001:700:100:8200::/64
public
  interfaces: ens192

This response indicates that the firewall only allows connections from the public on an interface known as ens192.

Manage Apache

Now that the web server is up and running, we can go over some basic management commands.

To display the status of your web server, you can type:

$ apachectl status

To stop your web server, you can type:

$ sudo apachectl stop

To start the web server when it is stopped, type:

$ sudo apachectl start

To stop and then start the service again, type:

$ sudo apachectl restart

If you are simply making configuration changes, Apache can often reload without dropping connections. To do this, you can use one of these commands:

$ sudo service httpd graceful
$ sudo apachectl graceful

Check configuration (both are equivalent).

$ sudo service httpd configtest
$ sudo apachectl configtest

Enable site example.com.

https://serverfault.com/questions/548212/how-to-a2ensite-and-a2dissite
$ x sudo a2ensite example.com

Disable site example.com.

$ x sudo a2dissite example.com

Enable Apache mod_rewrite

Before we start httpd, we need to make some changes to its configuration.

First, we need to allow overrides from the .htaccess file Drupal is going to create upon installation in order to have clean URLs with Drupal. To facilitate this, navigate to /etc/httpd/conf and edit the file named httpd.conf with your favourite text editor (e.g. vim, emacs or ed).

After pulling the file into the editor, locate the directory block that configures the webroot. This is the directory where our Drupal website is going to be installed. On the USIT web host, which is running RHEL8, the default webroot is /var/www/html, and we're not going to change it.

Locate the following block of text:

# Further relax access to the default document root:                                                           
<Directory /var/www/html>
        […]
        AllowOverride None
        […]
</Directory>

And change the AllowOverride directive to:

# Further relax access to the default document root:                                                           
<Directory /var/www/html>
        […]
        AllowOverride All
        […]
</Directory>

Make sure you're changing it in the right place. It must be the directive located inside the block configuring the webroot directory (called “default document root” by Apache).

We also need to protect some files that may exist from being viewed by a web client. For instance, the file CHANGELOG.txt that is installed along with Drupal will reveal what version of Drupal the site is running. An attacker may use a robot that looks at this file to locate sites running a version that is vulnerable to certain exploits. A backup file is often saved when a file is edited. Some text editors (e.g. emacs) make backup copies automatically, appending a ~ (tilde) to the end of the file name. Unless these files are protected, an attacker may probe for settings.php~ and learn your database credentials. Place the following in httpd.conf. It should be located right after the <Files "\.ht*"> block that prevents .htaccess and .htpasswd from being viewed by web clients.

# Hide the Drupal changelog, which reveals the Drupal version.
<Files ~ "CHANGELOG\.txt">
  Require all denied
</Files>

# Hide editor backup files such as settings.php~.
<Files ~ "~">
  Require all denied
</Files>
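
A way to confirm that the two <Files> blocks above have the intended effect, as an added example that is not part of the original chapter. The function names are hypothetical; it assumes curl is installed and that you run it on the web host against your own site.

```shell
#!/bin/sh
# Added example: verify that the two <Files> blocks above actually hide
# what they are meant to hide. The webroot and base URL are your own values.

# Print, one per line and relative to the webroot, every file whose name
# matches the patterns blocked above (CHANGELOG.txt, or any name with "~").
leak_candidates() (
    webroot=$1
    cd "$webroot" || exit 2
    find . -type f \( -name '*CHANGELOG.txt*' -o -name '*~*' \) -print |
        sed 's|^\./||' | sort
)

# Request each candidate from your own site and report any path that is not
# answered with 403 Forbidden. Exit status 1 means something is exposed.
# The base URL is given without a trailing slash.
check_denied() (
    webroot=$1
    base_url=$2
    leak_candidates "$webroot" | {
        exposed=0
        while IFS= read -r path; do
            code=$(curl -s -o /dev/null -w '%{http_code}' "$base_url/$path")
            if [ "$code" != "403" ]; then
                echo "EXPOSED (HTTP $code): $base_url/$path"
                exposed=1
            fi
        done
        exit "$exposed"
    }
)

# Usage on the web host itself, after reloading Apache:
#   check_denied /var/www/html http://localhost
```

Backup files that turn up in the listing are better deleted than merely hidden, since the web server rule is the only thing standing between them and a client.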

Troubleshooting

The Apache logs for RHEL8 are located in the directory: /var/log/httpd/

Install MariaDB

First, check if mysql is already installed:

$ which mysql
/usr/bin/which no mysql in (…)  

If it is not installed, then install it (otherwise, skip this step):

To install MariaDB on RHEL8, use dnf, the RHEL8 package manager.

First, update the system before you begin installation of MariaDB on RHEL 8.

$ sudo dnf -y upgrade

Then install MariaDB.

$ sudo dnf install mariadb-server
…
Is this OK [y/N]: y
…
Complete!
$

Check version:

$ mysql --version
mysql  Ver 15.1 Distrib 10.3.27-MariaDB, for Linux (x86_64) using readline 5.1

To install MariaDB on RHEL7, use yum, the RHEL7 package manager:

$ sudo yum install mariadb-server mariadb-libs
…
Is this OK [y/d/N]: y
…
Complete!
$

Enabling utf8mb4

To allow for large indexes (required for 4 byte utf-8 characters), MySQL must be set up with the following settings in /etc/my.cnf:

# Enable utf8mb4
[client]
default-character-set=utf8mb4

[mysqld]
innodb_large_prefix=true
innodb_file_format=barracuda
innodb_file_per_table=true
character-set-server=utf8mb4

Check if this change has been done. If it has not, it is recommended to do it.

[Not default on RHEL8 - not sure if it is needed.]

The following two commands will re-activate the db-server at boot, and start the MariaDB service.

$ sudo systemctl enable mariadb
Created symlink /etc/systemd/system/mysql.service → /usr/lib/systemd/system/ma…
Created symlink /etc/systemd/system/mysqld.service → /usr/lib/systemd/system/m…
Created symlink /etc/systemd/system/multi-user.target.wants/mariadb.service → …
$ sudo systemctl start mariadb

Check status:

$ sudo systemctl status mariadb

The following script will set the root password for MariaDB, disallow remote login, and remove the anonymous user and the test database. If you have just installed MariaDB, the root password will be blank.

$ sudo mysql_secure_installation

If you change the configuration for MariaDB, you need to restart to make the changes take effect:

$ sudo systemctl restart mariadb

(Sources: CertDepot and SharadChhetri.com.)

Enable remote connections

The database server should now be running. Test that you have access to MySQL as the database root user:

$ mysql -u root -p
Enter password:
…
MariaDB [(none)]> SHOW DATABASES;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| mysql              |
| performance_schema |
+--------------------+
3 rows in set (0.00 sec.)

MariaDB [(none)]> exit
Bye
$

The current configuration differs from Ubuntu by not allowing passwordless access, even if the Unix user has root access.

If you plan to use the database from a remote server, you need to permit connections through the firewall. First, check on the database server which services may get through the firewall:

$ sudo firewall-cmd --list-services
cockpit dhcpv6-client ssh

If the service named “mysql” is not listed, enable it and then check:

$ sudo firewall-cmd --permanent --add-service=mysql
success
$ sudo firewall-cmd --reload
success
$ sudo firewall-cmd --list-all
public (default, active)
  interfaces: eno16780032
  sources: 
  services: cockpit dhcpv6-client mysql ssh
  ports: 
  masquerade: no
  forward-ports: 
  icmp-blocks: 
  rich rules: 

To test if you're able to access the database over the Internet, you may use the following (provided the database user is named “db-user”, your website is on “example.com” and the database host is named “db-example.com”):

$ mysql -u db-user -p -h db-example.com
Enter password:
ERROR 1130 (HY000): Host 'example.com' is not allowed to connect to this MariaDB server

By default, a user that has been added will only have localhost access (which is recommended). You can check this using the following command:

MariaDB [(none)]> SELECT host FROM mysql.user WHERE user='db-user';
+-----------+
| host      |
+-----------+
| localhost |
+-----------+
1 row in set (0.000 sec)

If only “localhost” is listed, you will not be able to use the database from a remote host.

[This is the current configuration of “titan-db-prod01.uio.no”.

MariaDB [(none)]> SELECT host FROM mysql.user WHERE user='drupal8';
+------+
| host |
+------+
| %    |
+------+
1 row in set (0.00 sec)

Is this the best? It allows connection from anywhere.]

To allow remote connections, add a wildcard:

MariaDB [(none)]> CREATE USER 'db-user'@'%' IDENTIFIED BY 'password';
MariaDB [(none)]> GRANT ALL PRIVILEGES ON *.* TO 'db-user'@'%' WITH GRANT OPTION;
MariaDB [(none)]> FLUSH PRIVILEGES;
MariaDB [(none)]> SELECT host FROM mysql.user WHERE user='db-user';
+-----------+
| host      |
+-----------+
| %         |
| localhost |
+-----------+
2 rows in set (0.000 sec)

Source SO: Host 'xxx.xx.xxx.xxx' is not allowed to connect to this MySQL server.
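
The bracketed note above asks whether the '%' wildcard is the best choice. A narrower alternative, as an added example that is not part of the original chapter: the account is bound to the web host's address and gets privileges on one database only. The function name, the DB_PASSWORD variable and the address 192.0.2.10 are assumptions of this example.

```shell
#!/bin/sh
# Added example: emit SQL for a database account that may connect from one
# named host only and has privileges on one database only.
# Usage (192.0.2.10 is a placeholder for the web host's address):
#   DB_PASSWORD=... scoped_grant_sql drupal8 db-user 192.0.2.10 | mysql -u root -p
scoped_grant_sql() (
    db=$1
    user=$2
    host=$3

    # '%' and '_' are wildcards in MariaDB host patterns. Accept only the
    # characters of a plain address or host name, so neither gets through.
    case $host in
        '' | *[!A-Za-z0-9.:-]*)
            echo "refusing host '$host': give one address or host name" >&2
            exit 1 ;;
    esac

    # Conservative character sets for the identifiers (an assumption of this
    # example, stricter than MariaDB itself requires) keep the quoting safe.
    case $db in
        '' | *[!A-Za-z0-9]*)
            echo "refusing database name '$db'" >&2
            exit 1 ;;
    esac
    case $user in
        '' | *[!A-Za-z0-9-]*)
            echo "refusing user name '$user'" >&2
            exit 1 ;;
    esac

    # The password comes from the environment, not the command line, so it
    # does not show up in the process list.
    case ${DB_PASSWORD:-} in
        '' | *\'* | *\\*)
            echo "DB_PASSWORD is empty or contains a quote or backslash" >&2
            exit 1 ;;
    esac

    printf "CREATE USER '%s'@'%s' IDENTIFIED BY '%s';\n" \
        "$user" "$host" "$DB_PASSWORD"
    # Privilege list as given in Drupal's MySQL installation instructions.
    # There is no "*.*" and no WITH GRANT OPTION.
    printf "GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, INDEX, ALTER, CREATE TEMPORARY TABLES\n"
    printf "  ON \`%s\`.* TO '%s'@'%s';\n" "$db" "$user" "$host"
)
```

With an account like this, the check with SELECT host FROM mysql.user shows the web host's address instead of %.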

Change SELinux booleans

The USIT host is running SELinux (Security-Enhanced Linux) that provides more fine-grained access controls for Gnu/Linux. To see all available booleans on your system which can be changed by you, use one of these commands:

$ getsebool -a
$ semanage boolean -l

One of the default security policy settings is that the httpd process shall not be allowed to send email. This means that despite a mail transfer agent (postfix) already running on the USIT host, the httpd process is not allowed to send email.

You change the policy for sending mail with the following pair of commands:

$ sudo setsebool httpd_can_sendmail 1
$ sudo setsebool -P httpd_can_sendmail 1

Note that the first command of the pair changes it instantly, the second changes the boot-time default setting so that the new policy survives reboots.

In case the database or some other service is present on another server, you may also have to relax the policy on network connections for the web server:

$ sudo setsebool httpd_can_network_connect 1
$ sudo setsebool -P httpd_can_network_connect 1

See also: This flag controls the permission to connect on all sockets. There is also a more fine-grained version available (httpd_can_network_connect_db) that only allows connection to known database sockets. For a discussion about this, see this blog post by Dan Walsh.

You can check enforcement status for SELinux with the following command:

$ getenforce
Enforcing

To debug SELinux-problems, you can toggle enforcement status with the following commands:

$ sudo setenforce 0
$ getenforce
Permissive
$ sudo setenforce 1
$ getenforce
Enforcing

You may also want to see the section about SELinux in the chapter about working with files.

Install PHP and extensions

First, test if PHP is installed:

$ which php
/usr/bin/which no php in (…)  

If it is not found, you need to install it.

By default, RHEL8 installs PHP version 7.2. This version is too old for Drupal 8. It was released in November 2013 and EOL was November 2020. While Red Hat still supports this version by backporting security patches (but no new features), it is no longer officially supported. The versions of PHP that receive official security support are now (December 2020) 7.2, 7.3, 7.4 and 8.0.

The recommended PHP version requirements for Drupal are:

Install PHP 7.4 from AppStreams

To install PHP 7.4 on RHEL8 and make it available to the CLI and the web server, do the following:

$ sudo yum module install php:7.4

Sources LinuxSysadmins.com: Using AppStream with yum in RHEL8, LinuxTechi: How to Install PHP 7.4 on RHEL 8.

Configure php-fpm

Traditionally, mod_php has been used to make PHP available to Apache. Using this method, PHP will run under the Apache process, which carries penalties in terms of security, stability and performance. Using php-fpm (“PHP FastCGI Process Manager”) will execute PHP as separate processes that communicate with the Apache web server through a local socket.

When PHP is installed on RHEL8, php-fpm is installed as a dependency and acts as the FastCGI server. You may use these commands to start and enable the FPM service:

$ sudo systemctl start php-fpm
$ sudo systemctl enable php-fpm

You may check the status of php-fpm using the following command:

$ sudo systemctl status php-fpm

To make Apache able to connect to the FastCGI server, add a configuration file to the Apache conf.d directory. The file used for Titan 2 originates from USIT and is named php-fpm-usit.conf. It should not require any modifications to the default RHEL8 Apache configuration.

Install additional packages

For performance, opcache is strongly recommended:

$ sudo dnf install php-opcache

The following packages are required to install Drupal [check]. To install, use the following commands. After each command, you will be asked whether it is OK to install. You should answer y to these questions. However, defer doing this until you know they are needed.

$ sudo dnf install php-gd
$ sudo dnf install php-mysqlnd

The following packages may be used by Drupal. To install, use the following commands.

$ sudo dnf install php-xmlrpc
$ sudo dnf install php-devel

Finalize PHP installation

After installing PHP you need to restart httpd and php-fpm to make Apache aware of the changes. Check status after restarting.

$ sudo service httpd restart
$ sudo systemctl restart php-fpm
$ sudo service httpd status

Install phpMyAdmin

The PHP program phpMyAdmin is an open source tool that lets a database administrator interact with a MySQL or MariaDB database using a standard web browser. It supports a wide range of SQL operations, including database management, inspecting and altering tables, fields, relations, indexes, users, permissions, etc. It also lets you directly execute any SQL statement.

To install phpMyAdmin on RHEL8 (e.g.: USIT web host), do:

$ sudo yum install phpmyadmin

This will install phpMyAdmin in the directory /usr/share/phpMyAdmin, and you should be able to access it on the path /phpmyadmin, just below the site root.

However, if you have SELinux enabled, you must also set the security context of this directory and its contents to grant access to the web server process. You do this as follows:

$  cd /usr/share/
$  sudo chcon -R -t httpd_sys_content_t phpMyAdmin

This gives the web server read-access to the files that constitute phpMyAdmin.

Note: Since phpMyAdmin provides direct access to the database, along with powerful commands to manipulate its content, it may also be a security risk. An out of date phpMyAdmin installation may contain well-known security vulnerabilities. As with all management software that can be accessed from the web, it is important to keep the installation current with all security releases. You should not install phpMyAdmin on a production site, and for defence in depth, you should restrict access to the IP addresses belonging to PCs in your organization on a staging site.

If web access is managed by the module mod_authz_core.c, access is restricted by default. The default configuration only allows localhost to log in on phpMyAdmin. You will get permission denied if you try to access phpMyAdmin from your PC over the web.

To allow remote access, in the section for mod_authz_core.c (Apache 2.4) in /etc/httpd/conf.d/phpMyAdmin.conf, replace the lines:

Require ip 127.0.0.1
Require ip ::1

with something like one of the following lines:

Require all granted
Require ip 192.0.2.12

The first allows connections from all. The second only allows connections from the PC with the specific IP (use the IP of your own personal computer, not the IP in the example; to learn the public IP address of the PC your browser runs on, visit WhatIsMyIPAddress.com).

UiO: In the RHEL7 setup used at UiO (with php-fpm and PHP ver. 7.3.11), web access is not managed by mod_authz_core.c. The default RHEL7 configuration (running PHP ver. 5.4.16) uses mod_authz_core.c for access control and will require that remote access restrictions are configured as well. This is described below.

If you've upgraded PHP from 7.2 to PHP 7.4 (as described above) the aliases in phpMyAdmin.conf will not let you access phpMyAdmin. Instead, use a symbolic link from your webroot. This link name will provide the default path:

$ cd /var/www/html
$ ln -s /usr/share/phpMyAdmin/ phpmyadmin

However, it is not a good idea to use this specific link name since it is heavily targeted by bots and hackers. Instead, we should decide on our own link name. It should be easy to remember, but not easy to guess. It shouldn't indicate the purpose of the URL location. For example, we could use nothingtoseehere.

Sources: ServerFault, StackOverflow, no-matching-directoryindex, DigitalOcean.

After changing the web server configuration, restart to make the changes effective.

$ sudo apachectl graceful

The default configuration gives phpMyAdmin access to the database server running on localhost. You may add additional database servers to the server section of config.inc.php to access remote database servers using phpMyAdmin. E.g.:

$i++;
$cfg['Servers'][$i]['host'] = 'example.com';
$i++;
$cfg['Servers'][$i]['host'] = '123.123.123.123';

You can now access the web interface of phpMyAdmin by visiting your server's domain name or public IP address followed by /phpmyadmin (e.g. https://example.org/phpmyadmin). You will see a login prompt (unless you are using a PC whose IP is blocked by the web server configuration).

To authenticate users and to grant access to the database, phpMyAdmin allows four different authentication methods:

  1. cookie – Prompts for MySQL credentials using its own authentication scheme (default if using dbconfig-common).
  2. http – Prompts for MySQL credentials using HTTP basic authentication.
  3. signon – Uses an external (SSO) application for authentication via a prepared PHP script.
  4. config – MySQL username and password stored in clear text in the configuration file.

The config method should only be used if the server running phpMyAdmin is placed behind a firewall in a secure environment, or some other authentication (such as an Apache .htaccess) is used to limit access. Otherwise, it is not only dangerous because the MySQL username and password are stored in clear text, but also because it does not password-protect phpMyAdmin or the database. Anyone who can access the correct URL is logged directly in and can manipulate the database.

Note: For some distributions (not the default distribution for RHEL7) of MySQL and MariaDB the default security model requires sudo for dbuser root to log in (i.e. phpMyAdmin will not be able to log in as root). Workarounds are discussed on StackOverflow, but it is safer to keep the default security model.

[TBA: How to prolong the phpMyAdmin session time.]

For information about using phpMyAdmin, see the chapter about tools for developers.

See also: For more information about phpMyAdmin, including official documentation, user maintained wiki pages and third party tutorials, see phpMyAdmin.net. This site also functions as a portal to various support channels, such as the help forum and mailing lists. Click on the “Support” tab to see an overview of support channels.

Install composer

You also need composer, the PHP package manager. Check if it is already installed:

$ which composer
/usr/bin/which no composer in (…)  

If it is not installed, then you may install it on a standard RHEL system:

$ curl -sS https://getcomposer.org/installer | php
…
Use it: php composer.phar
$ sudo mv composer.phar /usr/local/sbin/composer

Provided the selfupdate command is available, the following forces install of the most recent version of the ver. 1 branch and ver. 2 branch respectively:

$ composer selfupdate --1
$ composer selfupdate --2

Composer should not be owned by root. After installing change ownership of the executable file to an ordinary user.

Sources: Install Composer on Redhat. and Is it safe to run Composer as root?

UiO: Note that this will not work on the Titan staging server, as it is on a UiO category 3 network. Instead, download the program on an open machine (e.g. do20.roztr.org) and copy it via an Ifi login machine to the Titan server.
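
The install command above pipes the downloaded installer straight into php. A variant that first compares the installer with the SHA-384 checksum the Composer project publishes at composer.github.io/installer.sig, as an added example that is not part of the original chapter. The function names are hypothetical; it assumes curl, sha384sum and php are installed.

```shell
#!/bin/sh
# Added example: check the Composer installer against its published
# SHA-384 checksum before handing it to php.

# Succeed only if the file (first argument) hashes to the expected hex
# SHA-384 (second argument). An empty expected value never matches.
verify_sha384() (
    file=$1
    expected=$2
    actual=$(sha384sum "$file" 2>/dev/null | cut -d' ' -f1)
    [ -n "$expected" ] && [ "$actual" = "$expected" ]
)

# Download the installer and the checksum, compare them, and run the
# installer only on a match. Leaves composer.phar in the current directory.
install_composer_verified() (
    tmp=$(mktemp -d) || exit 2
    trap 'rm -rf "$tmp"' EXIT
    curl -sSf -o "$tmp/installer.php" https://getcomposer.org/installer || exit 2
    expected=$(curl -sSf https://composer.github.io/installer.sig) || exit 2
    if ! verify_sha384 "$tmp/installer.php" "$expected"; then
        echo "Composer installer checksum mismatch; not running it" >&2
        exit 1
    fi
    php "$tmp/installer.php"
)

# Usage:
#   install_composer_verified && sudo mv composer.phar /usr/local/sbin/composer
```

For a server without outbound access, run this on the machine that does the download and copy the resulting composer.phar across.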

Install drush

To help with administration of a Drupal site, there exists a Gnu/Linux command line shell and scripting interface for Drupal (written in PHP, and executed from the CLI) named drush.

First, check if it is already installed:

$ which drush
/usr/bin/which no drush in (…)  

If it is not installed, then install it (otherwise, skip this step):

The easiest way to install drush is to clone the project's GitHub repo into /usr/share. After cloning, set up a symbolic link that puts the executable drush in your $PATH. Example:

$ cd /usr/share
$ sudo git clone https://github.com/drush-ops/drush.git drush
$ sudo ln -s /usr/share/drush/drush /usr/bin/drush

Note: Some years ago, the recommended procedure for installing drush was to pull it from the PHP Extension and Application Repository (PEAR). This is now deprecated. There are many outdated installation descriptions on the web that rely on the command pear. These will no longer work.

By default, cloning the GitHub repository gives you the head of the latest branch under development. This is bleeding edge and probably quite unstable. It is recommended that you visit the project's README.md on GitHub to determine the recommended stable release and use that.

For instance, if the stable release is “8.1.8”, the following CLI commands in the directory you cloned drush into will set this version as the active one on your site:

$ cd drush
$ sudo git checkout 8.1.8

After checking out a stable version, there may still be unresolved dependencies. All dependencies are listed in a file named composer.json in the drush repository, and you can resolve these by running composer:

$ composer install

To test that drush is properly installed, you can use the following command to display what version of drush you're running:

$ drush --version
 Drush Version : 8.1.8

If you get a meaningful response like the one shown, this means that the CLI drush command is in your $PATH and working. However, if you get PHP Parse errors like those reproduced below, drush is out of sync with the PHP interpreter.

PHP Parse error: syntax error, unexpected '[' in phar://…/output.inc …
PHP Parse error: syntax error, unexpected 'class' T_CLASS, expecting …

For example, if you're using version 8 of drush with PHP version 5.3.3, you'll discover that drush 8 makes use of the PHP short array syntax, which was introduced in PHP version 5.4.5, so you get an error.

To fix this, you may upgrade PHP to match what drush requires, or switch to a version of drush compatible with your version of PHP.

There is more about using drush in other chapters. Please see the chapters about Drupal 7 and Drupal 9+.

Install additional software

Some of the tools described in this section may already be installed as part of the standard distribution you're using. Always check if the software is already installed before trying to install.

Install xauth

To use Xterm over ssh, install xauth.

$ sudo yum install xorg-x11-xauth

This will install xauth and the required libraries. Now, if the terminal on your PC is capable of running X.11 (e.g. Xterm, X-Win 32), you can set up a remote Xterm from your PC using ssh as follows:

$ ssh -X username@example.net

To have a Xterm connection configured in X-Win 32, use the following command:

/usr/X11R6/bin/xauth merge -; /usr/bin/xterm -ls

Install Node.js

Node.js is a lightweight and powerful JavaScript run-time environment based on Chrome's JavaScript engine. It is used to create scalable network applications. It is required by WebKit.

$ sudo dnf module list nodejs
Updating Subscription Management repositories.
…
$ sudo dnf install nodejs

It contains npm, a package manager for JavaScript (including Node.js).

Check version, and update. The commands are:

$ npm --version
6.14.11
$ npm update

The update command is silent if there is nothing to update.

Install git

First, check if git is already installed:

$ which git
/usr/bin/which no git in (…)  

If it is not installed, then install it (otherwise, skip this step):

To install git, use yum, the Red Hat package manager:

$ sudo yum install git

Install bower

Bower is a package manager. Check if it is already installed:

$ which bower
/usr/bin/which no bower in (…)  

If it is not installed, install it with npm (otherwise, skip this step):

$ sudo npm install -g bower
$ bower -v
1.8.0
$ bower update

Install CSS pre-processors

Some theme projects (e.g. Bootstrap and Zen) may require you to use a CSS pre-processor.

A pre-processor brings nested rules, variables, mixins, selector inheritance, and more to CSS. Compiling stylesheets written in either less (not an acronym) or sass (Syntactically Awesome StyleSheets) generates standard CSS and makes stylesheets easier to organize and maintain.

A common tool for working with less is lessc. It can be installed with npm (a package manager for Node.js libraries). The following gets lessc in place:

$ sudo npm install -g less
$ lessc --version
lessc 2.6.0 (Less Compiler) [JavaScript]

If you already have less, but want to update to the latest version, do this:

$ sudo npm update -g less
$ lessc --version
lessc 3.9.0 (Less Compiler) [JavaScript]

An alternative to less is sass, which in turn depends on Compass. This is a Ruby-based CSS authoring tool. IMHO, it is badly bloated – I strongly recommend that you choose less. However, if you want to use zen-grids and some other frameworks, you will need it. Here's how to install it:

To install Compass, you'll need Ruby. If it is not already installed, you can probably install it from the Red Hat repo.

After installing, check that Ruby is available:

$ sudo ruby -v
ruby 2.1.0p0 (2013-12-25 revision 44422) [x86_64-linux]

After Ruby is installed, you'll have access to the gem command. This command allows you to interact with RubyGems, which is what software packages are known as in the Ruby community.

To install Sass, Compass and Zen-Grids (a responsive grid system using sass) use the following commands:

$ sudo gem install sass
$ sudo gem install compass
$ sudo gem install zen-grids

Environment

The system-wide environment is set up in /etc/profile. But it is not a good idea to change it, because it will be overwritten whenever Red Hat publishes an update for this file.

When using RHEL8, you change the environment by writing and enabling small shell scripts in /etc/profile.d.

Example: To add to the $PATH environment variable, you use pathmunge. This is a shell function (defined in /etc/profile) to add a directory to the $PATH. It will add the specified directory only if:

  1. the path exists; and
  2. it is not already in the $PATH.

It can add the directory either at the beginning of the $PATH (default) or at the end of the $PATH.

To add /usr/local/bin to the end of the path for root, first create a file to hold the shell script in /etc/profile.d. Name it (for example) mypaths.sh, with the following contents:

pathmunge /usr/local/bin after

Then make it executable:

$ sudo chmod u+x /etc/profile.d/mypaths.sh
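A stricter variant of the mypaths.sh script described above, as an added example that is not part of the original page or of Red Hat's /etc/profile. The helpers safe_pathmunge and path_dir_ok are hypothetical names; they add a directory only if it is absolute, exists, is not already in $PATH, and is not writable by group or others, because root trusts every command found through its $PATH.

```shell
# /etc/profile.d/mypaths.sh: sourced by /etc/profile at login.
# safe_pathmunge and path_dir_ok are hypothetical helpers for this example;
# they are not the pathmunge function that /etc/profile defines.

# Return 0 if directory $1 is acceptable as a $PATH entry; otherwise say why
# on stderr and return 1.
path_dir_ok() {
    case "$1" in
        /*) ;;                                    # absolute paths only
        *)  echo "skip '$1': not an absolute path" >&2; return 1 ;;
    esac
    if [ ! -d "$1" ]; then
        echo "skip '$1': no such directory" >&2
        return 1
    fi
    # Octal mode of the directory (symlinks followed), e.g. 755 or 1777.
    _pm_mode=$(stat -L -c '%a' "$1") || return 1
    # 022 selects the write bits for group and for others.
    if [ $(( 0$_pm_mode & 022 )) -ne 0 ]; then
        echo "skip '$1': writable by group or others (mode $_pm_mode)" >&2
        return 1
    fi
    return 0
}

# Add $1 to $PATH, in front by default or at the end when $2 is "after".
safe_pathmunge() {
    case ":${PATH}:" in
        *:"$1":*) return 0 ;;                     # already present
    esac
    path_dir_ok "$1" || return 1
    if [ "$2" = "after" ]; then
        PATH="$PATH:$1"
    else
        PATH="$1:$PATH"
    fi
    export PATH
}

# Same effect as "pathmunge /usr/local/bin after", with the checks applied.
safe_pathmunge /usr/local/bin after || true
```

The mode check uses GNU stat as shipped with RHEL8; appending with "after" keeps the system directories ahead of the added one in the lookup order.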

Titan: Downloading software

The USIT staging host for Titan is on a so-called “kategori 3” network. Machines belonging to this category cannot connect to the world outside UiO, but “software-proxy.uio.no” can be set up with allowlists to get software from external repositories. See Nett-kategorier for servere for a detailed description.

I've requested allowlisting of the following, including subdomains:

https://packagist.org/
https://packages.drupal.org/
https://github.com/

To use the proxy, set the following environment variables in .bash_profile:

export HTTPS_PROXY=http://software-proxy.uio.no:3128
export HTTP_PROXY=http://software-proxy.uio.no:3128
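A pre-flight check for the allowlist above, added here as an example (not part of the original page and not the proxy's own configuration): it reports which download URLs fall outside the three requested domains. The function names and sample URLs are constructed, and it assumes the proxy matches a domain and its subdomains on a dot boundary.

```shell
# Domains requested for the proxy allowlist (from the list above).
ALLOWLIST="packagist.org packages.drupal.org github.com"

# Print the lower-cased host of URL $1 (scheme, path, userinfo, port removed).
# IPv6 literals are not handled; they can never match the allowlist anyway.
url_host() {
    _h=${1#*://}        # drop scheme
    _h=${_h%%/*}        # drop path
    _h=${_h%%\?*}       # drop query
    _h=${_h%%#*}        # drop fragment
    _h=${_h##*@}        # drop userinfo, so "github.com@other.host" is other.host
    _h=${_h%%:*}        # drop port
    printf '%s\n' "$_h" | tr 'A-Z' 'a-z'
}

# Return 0 if the host of URL $1 is an allowlisted domain or a subdomain of one.
host_allowed() {
    _host=$(url_host "$1")
    for _d in $ALLOWLIST; do
        case "$_host" in
            "$_d"|*."$_d") return 0 ;;   # exact, or suffix on a dot boundary
        esac
    done
    return 1
}

# Read URLs on stdin; print those expected to be refused by the proxy.
blocked_urls() {
    while IFS= read -r _url; do
        [ -n "$_url" ] || continue
        host_allowed "$_url" || printf '%s\n' "$_url"
    done
}

# Constructed sample of download URLs (not taken from a real build log).
SAMPLE_URLS='https://repo.packagist.org/p2/drupal/core.json
https://packages.drupal.org/8/packages.json
https://api.github.com/repos/drush-ops/drush/zipball/main
https://registry.npmjs.org/less
https://github.com.example.net/x.zip
https://github.com@example.net/x'

printf '%s\n' "$SAMPLE_URLS" | blocked_urls
```

Run against the sample, the check lists the npm registry URL and the two look-alike hosts, which shows why the match must be anchored on a dot and made after stripping userinfo.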

Troubleshooting

The most common problems that may show up on a clean install are listed below, with some suggestions for how to resolve them.

Full var-partition

First, check the situation and identify what uses the space:

$ sudo df -h
Filesystem                 Size  Used Avail Use% Mounted on
…
/dev/mapper/internvg-var   4.0G  4.0G    0K 100% /var
…
$ sudo du -ks /var/* | sort -nr | head
1642376 /var/cache
524404  /var/lib
390332  /var/log
144636  /var/www
96468   /var/opt
92380   /var/cfengine
880     /var/files
56      /var/spool
16      /var/nivlheim
12      /var/db

Here are the steps I currently take:

  1. Clean out /var/cache/yum (see below).
  2. Delete the subdirectories in /var/log/journal (not the directory).
Better: https://unix.stackexchange.com/questions/139513/how-to-clear-journalctl

This list should be expanded.

To clean out /var/cache/yum, do:

$ sudo yum clean packages
$ sudo yum clean metadata


Final word

Your web host should now be ready for installation of Drupal.


Last update: 2020-12-08 [gh].