Setting up an image for the www.sapsailing.com web server (For the disposables, scroll to the bottom.)
This is an add-on to the regular EC2 image set-up described here, but leave out the following packages during installation because they are not needed on the webserver:
- libstdc++48.i686 (for Android builds)
- glibc.i686 (for Android builds)
- libzip.i686 (for Android builds)
- telnet
- chrony (ntp is used now instead)
Then carry out these steps:
-
install additional packages:
yum install fail2ban git mod24_perl perl perl-CGI perl-Template-Toolkit perl-HTML-Template perl-CPAN perl-DBD-MySQL \ mod24_ssl php71 php71-mysqlnd mod24-ldap ruby24 ruby24-devel rubygems24 rubygems24-devel icu libicu-devel \ gcc-c++ ncurses-devel geoip-devel perl-autodie docker -
activate NFS by calling
systemctl enable nfs-server; ensure that/var/log/oldand/home/scoresare exposed in/etc/exportsas follows:
rw = read/write allowed nohide = means sub-mounted volumes are included in the parent nfs share no_root_squash = Allows remote root users to act as root on the nfs share/var/log/old 172.31.0.0/16(rw,nohide,no_root_squash) /home/scores 172.31.0.0/16(rw,nohide,no_root_squash) - launch the NFS service once using
service nfs start - run the following command in order to obtain this feature required by Bugzilla:
The libraries end up undercpan install Date::Parse Email::Address Email::Send DBI Geo::IP::PurePerl Math::Random::ISAAC IO::Socket::SSL/root/perl5/lib/perl5. For use by AWStats, read access to this path is required for the Apache web server. In particular, ensure that/roothas read permissions for all. - run the following commands to install missing Perl modules:
Those modules were installed to/usr/bin/perl install-module.pl DateTime::TimeZone /usr/bin/perl install-module.pl Email::Sender /usr/bin/perl install-module.pl GD /usr/bin/perl install-module.pl Chart::Lines /usr/bin/perl install-module.pl Template::Plugin::GD::Image /usr/bin/perl install-module.pl GD::Text /usr/bin/perl install-module.pl GD::Graph /usr/bin/perl install-module.pl PatchReader /usr/bin/perl install-module.pl Authen::Radius /usr/bin/perl install-module.pl JSON::RPC /usr/bin/perl install-module.pl TheSchwartz /usr/bin/perl install-module.pl Daemon::Generic /usr/bin/perl install-module.pl File::MimeInfo::Magic /usr/bin/perl install-module.pl File::Copy::Recursive/root/perl5/lib/perl5but for some reason anySetEnv PERL5LIBdirective in the Apache configuration for the bugzillaVirtualHostsection seemd to remain ignored. Therefore, after installing all modules required, I copied all contents of/root/perl5/lib/perl5to/usr/local/share/perl5to make them found through the@INCvariable. - Ensure that
/root/perl5/lib/perl5is part of thePERL5LIBvariable setting in the AWStats virtual host configuration in/etc/httpd/conf.d/awstats.confas follows:<IfModule mod_env.c> SetEnv PERL5LIB /usr/share/awstats/lib:/usr/share/awstats/plugins:/root/perl5/lib/perl5 </IfModule> - make sure
/etc/alternatives/rubyand/etc/alternatives/gempoint to/usr/bin/[ruby|gem]2.4 - run the following commands to install gollum and uninstall a too current rack version 2.0.3:
gem install gollum gem uninstall rack Select gem to uninstall: 1. rack-1.6.8 2. rack-2.0.3 3. All versions > 2 You have requested to uninstall the gem: rack-2.0.3 sinatra-2.0.0 depends on rack (~> 2.0) If you remove this gem, these dependencies will not be met. Continue with Uninstall? [yN] y Successfully uninstalled rack-2.0.3 - ensure there are users and groups for
wiki,scores,tracthat match up with their /home directory owners / groups - ensure the Wiki startup script
serve.shconfigured for port 4567 andconfig.ruas well as the entire Gollum installation under /home/wiki are present, as well as theusers.ymlfile - clone
ssh://trac@sapsailing.com/home/trac/gitinto/home/wiki/gitwiki - ensure there is a reasonable
/root/.goaccessfile - Configure goaccess by adjusting
/etc/goaccess.confsuch that it contains the following lines:
Note that the... time-format %H:%M:%S ... date-format %d/%b/%Y ... # NCSA Combined with virtual host name as prefix: log-format %v %h %^[%d:%t %^] "%r" %s %b "%R" "%u"log-formatpiece is slightly different from the regular NCSA Combined Log Format in so far as it adds%vat the beginning which is capturing the virtual host name that our Apache servers are configured to log as the first field in each line. - ensure there is the
/etc/tmux.conffile that maps your hotkeys (Ctrl-a vs. Ctrl-b, for example) - rename the
welcome.conffile of the Apache configuration because it harms directory index presentation:cd /etc/httpd/conf.d mv welcome.conf welcome.conf.org - install bugzilla to
/usr/share/bugzillaand/var/lib/bugzilla - create
/etc/bugzilla/localconfig - install scripts such as
update_authorized_keys_for_landscape_managers_if_changedto/usr/local/bin:lrwxrwxrwx 1 root root 62 Jan 29 2022 awsmfalogon.sh -> /home/wiki/gitwiki/configuration/aws-automation/awsmfalogon.sh -r-xr-xr-x 1 root root 1465 Jan 11 2018 dbilogstrip -r-xr-xr-x 1 root root 6291 Jan 11 2018 dbiprof -r-xr-xr-x 1 root root 5479 Jan 11 2018 dbiproxy -rwxr-xr-x 1 root root 24707072 Jan 16 2022 docker-compose -r-xr-xr-x 1 root root 42043 Jan 11 2018 enc2xs -r-xr-xr-x 1 root root 3065 Jan 11 2018 encguess -rwxr-xr-x 1 root root 640 Jan 11 2018 github-markup -rwxr-xr-x 1 root root 598 Jan 11 2018 gollum -rwxr-xr-x 1 root root 613 Jan 11 2018 htmldiff -rwxr-xr-x 1 root root 610 Jan 11 2018 kramdown -rwxr-xr-x 1 root root 607 Jan 11 2018 ldiff -rwxr-xr-x 1 root root 352 Nov 1 2021 mail-events-on-my -rwxr-xr-x 1 root root 610 Jan 11 2018 mustache -rwxrwxr-x 1 trac trac 18992 Jun 16 2020 netio -rwxr-xr-x 1 root root 610 Jan 11 2018 nokogiri lrwxrwxrwx 1 root root 75 Oct 20 09:00 notify-operators -> /home/wiki/gitwiki/configuration/on-site-scripts/paris2024/notify-operators -r-xr-xr-x 1 root root 8356 Jan 11 2018 piconv -rwxr-xr-x 1 root root 648 Jan 11 2018 posix-spawn-benchmark -rwxr-xr-x 1 root root 590 Jan 11 2018 rackup -rwxr-xr-x 1 root root 596 Jan 11 2018 rougify -rwxr-xr-x 1 root root 616 Jan 11 2018 ruby-prof -rwxr-xr-x 1 root root 640 Jan 11 2018 ruby-prof-check-trace -rwxr-xr-x 1 root root 586 Jan 11 2018 tilt lrwxrwxrwx 1 root root 78 Feb 8 2021 update_authorized_keys_for_landscape_managers -> /home/wiki/gitwiki/configuration/update_authorized_keys_for_landscape_managers lrwxrwxrwx 1 root root 89 Feb 8 2021 update_authorized_keys_for_landscape_managers_if_changed -> /home/wiki/gitwiki/configuration/update_authorized_keys_for_landscape_managers_if_changed - set up
crontabforrootuser (remove the symbolic link to/home/sailing/code/configuration/crontabif that had been created earlier). Note thatconfiguration/crontabscontains a selection of crontab files for different use cases, including theenvironments/crontab-reverse-proxy-instance, which should be pointed to by a symbolic link in /root.0 10 1 * * export PATH=/bin:/usr/bin:/usr/local/bin; mail-events-on-my >/dev/null 2>/dev/null * * * * * export PATH=/bin:/usr/bin:/usr/local/bin; sleep $(( $RANDOM * 60 / 32768 )); update_authorized_keys_for_landscape_managers_if_changed $( cat /root/ssh-key-reader.token ) https://security-service.sapsailing.com /root 2>&1 >>/var/log/sailing.err 0 7 2 * * export PATH=/bin:/usr/bin:/usr/local/bin; docker exec -it registry-registry-1 registry garbage-collect /etc/docker/registry/config.yml - set up crontab for user
wikias a symbolic link to /configuration/crontabs/users/crontab-wiki. - ensure that
/var/log/old/cache/dockermakes it across from any previous installation to the new one; it contains the docker registry contents. See in particular/var/log/old/cache/docker/registry/docker/registry/v2/repositories. -
install docker registry so that the following containers are up and running:
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES cd8086eb6361 joxit/docker-registry-ui:latest "/docker-entrypoint.…" 6 months ago Up 6 months 0.0.0.0:5000->80/tcp, :::5000->80/tcp registry-ui-1 bcf1e278ecd7 registry:latest "/entrypoint.sh /etc…" 6 months ago Up 6 months 5000/tcp, 0.0.0.0:5001->5001/tcp, :::5001->5001/tcp registry-registry-1 - ensure that
https://git.sapsailing.com/gitdelivers the git content, with password credentials defined in/etc/httpd/conf/passwd.git. Sasa Zivkov (sasa.zivkov@sap.com) has been our point of contact of the SAP Gerrit group helping us with replicating our Git repository to the SAP-internal git.wdf.sap.corp one. - comment
lbmethod_heartbeat_modulein /etc/httpd/conf.modules.d/00-proxy.conf because we don't need this sort of load balancing across origin servers and it causes a warning message in error_log - install awstats to
/usr/share/awstats, establish/etc/httpd/conf/passwd.awstats, establish a configuration under/etc/awstats, establish AWStats data directory under/var/lib/awstatsand create /etc/cron.weekly/awstats as follows:#!/bin/bash su -l -c '/usr/share/awstats/tools/awstats_updateall.pl now -configdir="/etc/awstats" -awstatsprog="/usr/share/awstats/wwwroot/cgi-bin/awstats.pl" >>/var/log/awstats-cron.out 2>>/var/log/awstats-cron.err' #exec /usr/share/awstats/tools/awstats_updateall.pl now -configdir="/etc/awstats" -awstatsprog="/usr/share/awstats/wwwroot/cgi-bin/awstats.pl" >>/var/log/awstats-cron.out 2>>/var/log/awstats-cron.err exit 0 - Follow the mail setup instructions
- Install gollum Wiki
- Copy git contents of ssh://trac@sapsailing.com/home/trac/git to /home/trac/git
- Ensure there is a /home/scores directory with subdirectories
barbados,kiwo,sailwave,scores,velum, andxrrftp. - Check that the sail-insight.com website is hosted correctly (See here)
- Establish the Apache web server configuration, in particular ensure that the SSL certificates are in place (see here) and the following files are set up:
/etc/httpd/conf/httpd.conf,/etc/httpd/conf/passwd.awstats,/etc/httpd/conf/passwd.git, and/etc/httpd/conf/conf.d/*.conf. - Update the hostname in
/etc/sysconfig/network:HOSTNAME=analytics-webserver - Run
chkconfig sendmail off; chkconfig postfix onto make sure that the postfix mail server is the one that will be launched during boot - Reboot the system, among other things for the hostname change to take effect, and in addition to see whether all services start properly
- configure fail2ban by editing
/etc/fail2ban/jail.conf, entering reasonable e-mail configuration for thessh-iptablesfilter as follows:[ssh-iptables] enabled = true filter = sshd action = iptables[name=SSH, port=ssh, protocol=tcp] sendmail-whois[name=SSH, dest=axel.uhl@sap.com, sender=fail2ban@sapsailing.com] logpath = /var/log/secure maxretry = 5 - Ensure that fail2ban will be started automatically when the instance starts:
chkconfig --level 23 fail2ban onand start it right away withservice fail2ban start. You can see which filters are active usingservice fail2ban status. - Ensure you have EC2 / EBS snapshot backups for the volumes by tagging them as follows:
WeeklySailingInfrastructureBackup=Yesfor/var/www/static,/var/log,/var/log/oldand/var/log/old/cache,DailySailingBackup=Yesfor/home.
Basic setup for disposable reverse proxy instance
From a fresh Amazon Linux 2023 instance (HVM), run the configuration/environments_scripts/reverse_proxy/setup-disposable-reverse-proxy.sh script, passing the IP address of the instance and the ssh-key-reader.token (needed for accessing the landscape without mfa).
The script sets up nfs/nvme mounts, installs/updates httpd + software for scripts, sets up the httpd, sets up crontabs and copies files (via theconfiguration\environments_scripts\build-crontab-and-cp-files), enables service units, makes the ssh connections more resilient, sets up logrotation, configures fail2ban and alters postfix to enable mail sending.
Read Also
Check out the details in amazon-ec2 on the disposables and central: namely the target group healthcheck and shared httpd configuration Git repo. Also, look over the key_vault and the build_crontab_and_setup_files detailed there.