Thursday, 20 March 2014

Install gitlab on CentOS 6.5 / Fedora 19

*** Unfinished / Draft ***


Frustration with incomplete documentation, wrong tips and hints on multiple boards and blogs, and endless trial and error initiated this page.


I hope this saves some peeps from this Bash Head

Here it goes... ensure you test your steps.
Hint: The font courier and the bold typeface are commands you should run or check ...
Red Highlights: this can be an error and might cause things to break - watch out ...



  1. ensure your OS CentOS or Fedora is up to date.
    I am using CentOS 6.5 and Fedora 19 with MariaDB/MySQL.

  2. run  yum update  and fix all issues; restart the server if a new kernel has been installed. Check that the latest kernel is the one running with ls /boot | grep vmlinuz and uname -r. My two examples are:

    CentOS:

    addis [~] > ls /boot | grep vmlinuz
    vmlinuz-2.6.32-431.3.1.el6.centos.plus.x86_64
    vmlinuz-2.6.32-431.el6.x86_64
    addis [~] > uname -r
    2.6.32-431.3.1.el6.centos.plus.x86_64

    Fedora:
    addis [~] > ls /boot | grep vmlinuz
    vmlinuz-0-rescue-addc535f9a442c42bcb0afb2490b80cf
    vmlinuz-3.11.10-100.fc18.x86_64
    vmlinuz-3.12.7-200.fc19.x86_64
    vmlinuz-3.12.8-200.fc19.x86_64
    addis [~] > uname -r
    3.12.7-200.fc19.x86_64

    Gotcha: on Fedora the latest kernel is not the one running --->>  reboot and fix it !!!
  3. now we need to add another Repository to the already available yum repos
    yum -y install http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm

    your repository listing should look like this:
    yum repolist
    repo id                       repo name                                          status
    base                          CentOS-6 - Base                                     6,367
    centosplus                    CentOS-6 - Plus                                        24
    contrib                       CentOS-6 - Contrib                                      0
    epel                          Extra Packages for Enterprise Linux 6 - x86_64     10,397
    extras                        CentOS-6 - Extras                                      14
    mariadb                       MariaDB                                                 9
    rpmforge                      RHEL   6 - RPMforge.net - dag                       4,650
    updates                       CentOS-6 - Updates                                    399
    repolist: 21,860

    and on Fedora:

    repo id                       repo name                                          status
    fedora/19/x86_64              Fedora 19 - x86_64                                 36,253
    updates/19/x86_64             Fedora 19 - x86_64 - Updates                       17,384
    updates-testing/19/x86_64     Fedora 19 - x86_64 - Test Updates                   6,420
    repolist: 60,057
  4. next add some packages required to install and configure gitlab.
    yum -y install vim-enhanced vim-minimal vim-common
    yum -y groupinstall "Development Tools"
    yum --enablerepo=epel -y install libyaml libyaml-devel readline-devel ncurses-devel gdbm-devel tcl-devel openssl-devel db4-devel libffi-devel wget
    yum -y install mysql-connector-odbc mysql-connector-java
    yum -y install python python-docutils git-core
    yum -y install MariaDB-shared MariaDB-server MariaDB-devel MariaDB-compat MariaDB-client
  5. now the versions need to be checked:
    git --version
    Gotcha: need to be 1.7.12 or 1.8.4 or newer.
    ll /usr/share/java/mysql-connector-java.jar
    Gotcha: need to be 5.1.28 or newer.
    rpm -q  MariaDB-server
    Gotcha: need to be 5.5.30 or newer
    ruby --version
    Gotcha: need to be 2.0 or newer.
  6. first fixes:
    there are some strange fixes, well actually these are hacks!
    but we have to ensure everything works without breaking any dependencies ...

    1. git is too old...  lets fix it - remove the wrong version and install the correct one!
        Gotcha: do not use yum erase here !!!
        rm -rf /usr/bin/git* /usr/libexec/git*
        mkdir ~/src; cd ~/src
        curl --progress https://git-core.googlecode.com/files/git-1.8.5.2.tar.gz | tar xz
        cd git-1.8.5.2/
        make prefix=/usr all
        sudo make prefix=/usr install
        This installed git where we deleted it - smart!!!

    2. java-connector too old - get the newer connector
        cd /tmp
        wget http://ftp.jaist.ac.jp/pub/mysql/Downloads/Connector-J/mysql-connector-java-5.1.28.tar.gz
        cd /usr/share/java
        rm /usr/share/java/mysql-connector-java.jar
        tar xfz /tmp/mysql-connector-java-5.1.28.tar.gz
        ln -s mysql-connector-java-5.1.28/mysql-connector-java-5.1.28-bin.jar mysql-connector-java.jar

    3. MySQL / MariaDB too old
        get the latest yum updates from epel or testing.

    4. update ruby
        mkdir -p rpmbuild/{BUILD,BUILDROOT,RPMS,SOURCES,SPECS,SRPMS}
        wget http://cache.ruby-lang.org/pub/ruby/2.0/ruby-2.0.0-p353.tar.gz -P rpmbuild/SOURCES
        wget https://raw.github.com/hansode/ruby-2.0.0-rpm/master/ruby200.spec -P rpmbuild/SPECS
        rpmbuild -bb rpmbuild/SPECS/ruby200.spec
        rpm -Uvh rpmbuild/RPMS/x86_64/ruby-2.0.0p353-2.el6.x86_64.rpm
        ruby -v
        gem -v
  7. Create the git user:
    adduser --system --shell /sbin/nologin --comment 'GitLab' --create-home --home-dir /var/lib/git git
  8. Install GitLab-Shell.
    cd /var/lib/git
    sudo -u git -H git clone https://gitlab.com/gitlab-org/gitlab-shell.git -b v1.8.0
    cd gitlab-shell
    sudo -u git -H cp config.yml.example config.yml
    edit the config.yml and replace domain with a proper domain
    sudo -u git -H /usr/local/bin/ruby ./bin/install
  9. Create the database.
    log into MySQL (on localhost or on the db-server)
    CREATE USER 'git'@'localhost' IDENTIFIED BY 'supersecret';
    CREATE DATABASE IF NOT EXISTS `gitlab_db` DEFAULT CHARACTER SET `utf8` COLLATE `utf8_unicode_ci`;
    GRANT SELECT, LOCK TABLES, INSERT, UPDATE, DELETE, CREATE, DROP, INDEX, ALTER ON `gitlab_db`.* TO 'git'@'localhost';
    (when the database lives on another server, use the gitlab host name instead of 'localhost' in both statements)

    Test the MySQL connection.
  10. Install GitLab
    cd /var/lib/git
    sudo -u git -H git clone https://gitlab.com/gitlab-org/gitlab-ce.git -b 6-6-stable gitlab
    cd gitlab
    sudo -u git -H cp config/gitlab.yml.example config/gitlab.yml
    edit config/gitlab.yml and configure the
        domain properly
        data path to where you want the repositories to live (i.e.  /data/repos)

    sudo chown -R git log/
    sudo chown -R git tmp/
    sudo chmod -R u+rwX  log/
    sudo chmod -R u+rwX  tmp/
    sudo -u git -H mkdir /var/lib/git/gitlab-satellites   (the git user's home from step 7; set the satellites path in config/gitlab.yml to match)
    sudo -u git -H mkdir tmp/pids/
    sudo -u git -H mkdir tmp/sockets/
    sudo chmod -R u+rwX  tmp/pids/
    sudo chmod -R u+rwX  tmp/sockets/
    sudo -u git -H mkdir public/uploads
    sudo chmod -R u+rwX  public/uploads

    sudo -u git -H cp config/unicorn.rb.example config/unicorn.rb
    edit config/unicorn.rb to amend the server/memory settings if required.

    sudo -u git -H cp config/initializers/rack_attack.rb.example config/initializers/rack_attack.rb

    sudo -u git -H git config --global user.name "GitLab"
    sudo -u git -H git config --global user.email "gitlab@localhost" (set to admin email)
    sudo -u git -H git config --global core.autocrlf input
  11. now add the database to gitlab
    sudo -u git -H cp config/database.yml.mysql config/database.yml
    edit the config/database.yml file with the connection details

    install the gems for MySQL
    sudo -u git -H /usr/local/bin/bundle install --deployment --without development test postgres aws

    populate the database
    sudo -u git -H bundle exec rake gitlab:setup RAILS_ENV=production
    enter "Yes" when prompted.
  12. configure the init script and enable Git.
    wget -O /etc/init.d/gitlab https://gitlab.com/gitlab-org/gitlabrecipes/raw/master/init/sysvinit/centos/gitlab-unicorn
    chmod +x /etc/init.d/gitlab
    chkconfig --add gitlab
    chkconfig gitlab on
  13. check - start - set-up assets
    sudo -u git -H bundle exec rake gitlab:env:info RAILS_ENV=production
    service gitlab start
    sudo -u git -H bundle exec rake assets:precompile RAILS_ENV=production
  14. add apache or nginx 
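The version checks of step 5, with the minimums the gotchas state, as one script. This is an added example and not part of the post; it uses the same commands as step 5 (git --version, ruby --version, rpm -q MariaDB-server) and reads the connector version from the /usr/share/java/mysql-connector-java.jar symlink created in fix 6.2. It treats 1.7.12 as git's minimum and the probes are guarded so the script runs on a box where a tool is still missing.

```shell
#!/bin/sh
# Added example (not from the post): the version checks of step 5 as a script.
# version_ge A B returns 0 when dotted version A is at least B; non-numeric
# suffixes such as the "p353" in ruby's 2.0.0p353 are ignored.
version_ge() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}                 # leading component of each
        [ "$x" = "$a" ] && a='' || a=${a#*.}   # drop it from the remainder
        [ "$y" = "$b" ] && b='' || b=${b#*.}
        x=${x%%[!0-9]*}; y=${y%%[!0-9]*}       # keep only the leading digits
        x=${x:-0}; y=${y:-0}                   # a missing component counts as 0
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
    done
    return 0
}

# check_min NAME INSTALLED MINIMUM: one line per tool, return 1 when too old or absent
check_min() {
    if [ -z "$2" ]; then
        echo "$1: not installed (need >= $3)"; return 1
    elif version_ge "$2" "$3"; then
        echo "$1: $2 ok (need >= $3)"
    else
        echo "$1: $2 TOO OLD (need >= $3)"; return 1
    fi
}

# Probes: the same commands as step 5, each guarded so a missing tool yields ""
installed_git()  { command -v git  >/dev/null 2>&1 && git --version  | awk '{print $3}'; }
installed_ruby() { command -v ruby >/dev/null 2>&1 && ruby --version | awk '{print $2}'; }
installed_mariadb() {
    rpm -q MariaDB-server >/dev/null 2>&1 && rpm -q --qf '%{VERSION}' MariaDB-server
}
installed_connector() {
    # the jar is a symlink to mysql-connector-java-<version>-bin.jar (fix 6.2)
    [ -e /usr/share/java/mysql-connector-java.jar ] \
        && readlink /usr/share/java/mysql-connector-java.jar \
         | sed -n 's/.*java-\([0-9.]*\)-bin\.jar/\1/p'
}

# check_all: run every check, return 1 if any gotcha applies
check_all() {
    rc=0
    check_min git                  "$(installed_git)"       1.7.12 || rc=1
    check_min mysql-connector-java "$(installed_connector)" 5.1.28 || rc=1
    check_min MariaDB-server       "$(installed_mariadb)"   5.5.30 || rc=1
    check_min ruby                 "$(installed_ruby)"      2.0    || rc=1
    return $rc
}

if check_all; then
    echo "all versions fine, carry on with step 7"
else
    echo "apply the fixes of step 6 first"
fi
```

Run it before and after step 6; the "TOO OLD" lines tell you which of the four hacks you still need.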

Wednesday, 12 February 2014

A no-frills Mail Server running on Cent-OS / Fedora




  • preliminaries


  1. update your OS with
    yum -y update
  2. fix all errors, if any and in case of kernel updates you need to run
    shutdown -r now ( or later if someone else is using the box )
  3. erase the good ol' sendmail and, if it is installed for some reason, exim with
    yum -y erase sendmail exim
  4. install Postfix the Mail Transfer Agent, Dovecot the Mail Delivery Agent and Clamav the virus checker to protect our Windows community. We start with the first two:
    yum -y install postfix dovecot
  5. Spam could be a worry if we open the mail delivery to the server to the world. Since we only accept mail from white-listed senders we don't need to worry.

  • configuration

  1. configure Postfix
    cd /etc/postfix
    fix the aliases file
    create a my_networks file
    create a body_checks file
    create a header_checks file
    set-up the main.cf file
    set-up the master.cf file
    now check the configs with
    postfix check
    then, if everything is fixed run
    service postfix start
  2. configure dovecot
    cd /etc/dovecot
    change the settings in dovecot.conf
    cd conf.d
    adjust all required *.conf files to suit
    start dovecot and check the mail logs
    service dovecot start
  3. next set-up mail users, in our case for gitlab, jira and confluence and a postmaster account
    add the users, ideally with the same id(s) as on other servers
    create passwords for the mail set-up within the application
    create home directories and set-up the Maildir within.
  4. test the mail delivery to the postmaster account
    and next test the out-going mail too
  5. now you are ready to add the mail box details to the application and ensure to fully test the configuration. Once fully tested and working you can forget the passwords as changing passwords is a manual process on server and application.
  6. as everything is working with the basics we add the Virus checking and the SSL certificates.
  7. First we install and configure the Virus checker tools with
    yum -y install clamav clamav-data clamav-filesystem clamav-lib clamav-server clamav-update clamsmtp
  8. The configuration is needed for regular updates and Postfix integration
    set-up the clamd.server config
    set-up the freshclam.conf file
    set-up the clamsmtp.conf file
    add the filter to the postfix main.cf and master.cf
    now get the first clam database with
    /bin/freshclam --verbose
    service clamd.server start
    service clamsmtp start
    postfix stop
    postfix start
  9. re-test mail sending and receiving via the virus checker and watch
    tail -f /var/log/maillog
    fix any errors
  10. lastly we can add the optional SSL certificates for sending and downloading email in non-clear text.
    create the certs and place them into
    /etc/postfix/ssl
    then add the certs and smtpd settings into main.cf and the dovecot configs
    then restart postfix and dovecot and re-test the mail send/receive
    service dovecot restart
    postfix stop
    postfix start
    tail -f /var/log/maillog

    fix any errors
  11. When the SSL certs are installed and show no errors, the application(s) need to be changed to pop3 over SSL and send with TLS/SSL. It should just work or else more fixing.
  12. Lastly inform users where to send mail to and how to use the mail functionality in the application.
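Steps 1 and 8 above only say which files to set up. The following check is an added example, not part of the post: it shows what the finished main.cf and master.cf carry for the my_networks file, the header/body checks, the sender whitelist and the clamsmtp filter, and verifies a config directory against that. The sample fragments are constructed here; the scan transport on 10025 with re-injection on 10026 and the master.cf options follow the usual clamsmtp-for-Postfix layout and are assumptions about your setup, not something the post states.

```shell
#!/bin/sh
# Added example, not part of the post: check that a Postfix main.cf/master.cf
# pair carries what steps 1 and 8 set up. Sample files are constructed below;
# the 10025/10026 ports and master.cf entries are the usual clamsmtp wiring.

# cf_get FILE KEY: effective value of KEY in main.cf (last assignment wins, as in Postfix)
cf_get() {
    awk -v key="$2" '
        /^[[:space:]]*#/ { next }
        $0 ~ ("^" key "[[:space:]]*=") { sub("^" key "[[:space:]]*=[[:space:]]*", ""); val = $0 }
        END { print val }' "$1"
}

# check_mail_filter_config DIR: list everything missing, return 1 if anything is
check_mail_filter_config() {
    dir=$1 ok=0
    for key in mynetworks header_checks body_checks smtpd_sender_restrictions; do
        [ -n "$(cf_get "$dir/main.cf" "$key")" ] || { echo "main.cf: $key not set"; ok=1; }
    done
    # incoming mail must be handed to clamsmtpd on 10025 ...
    [ "$(cf_get "$dir/main.cf" content_filter)" = "scan:127.0.0.1:10025" ] \
        || { echo "main.cf: content_filter does not point at clamsmtpd"; ok=1; }
    # ... via the "scan" transport, and come back on 10026 with the filter switched
    # off, otherwise every message loops through the scanner forever
    grep -Eq '^scan[[:space:]]+unix' "$dir/master.cf" \
        || { echo "master.cf: scan transport missing"; ok=1; }
    grep -Eq '^127\.0\.0\.1:10026[[:space:]]+inet' "$dir/master.cf" \
        || { echo "master.cf: 10026 re-injection listener missing"; ok=1; }
    grep -Eq '^[[:space:]]+-o[[:space:]]+content_filter=$' "$dir/master.cf" \
        || { echo "master.cf: re-injection listener does not clear content_filter"; ok=1; }
    return $ok
}

# write_sample_config DIR: constructed fragments, only the lines the check looks at
write_sample_config() {
    mkdir -p "$1"
    cat > "$1/main.cf" <<'EOF'
# constructed sample, not a complete main.cf
myhostname = mail.example.test
mynetworks = 127.0.0.0/8, /etc/postfix/my_networks
header_checks = regexp:/etc/postfix/header_checks
body_checks = regexp:/etc/postfix/body_checks
smtpd_sender_restrictions = permit_mynetworks, check_sender_access hash:/etc/postfix/sender_whitelist, reject
content_filter = scan:127.0.0.1:10025
EOF
    cat > "$1/master.cf" <<'EOF'
# constructed sample: the two clamsmtp entries only
scan      unix  -       -       n       -       16      smtp
    -o smtp_send_xforward_command=yes
    -o disable_mime_output_conversion=yes
127.0.0.1:10026 inet  n       -       n       -       16      smtpd
    -o content_filter=
    -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o mynetworks_style=host
EOF
}

tmp=$(mktemp -d)
write_sample_config "$tmp"
if check_mail_filter_config "$tmp"; then
    echo "filter wiring complete; now run: postfix check"
fi
rm -rf "$tmp"
```

Point check_mail_filter_config at /etc/postfix once you have edited the real files; it complements postfix check, which validates syntax but not whether the scanner is actually in the path.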

Tuesday, 4 February 2014

UNIX Servers and Secure Access



  1. Nobody has access until explicitly granted.
  2. A UNIX firewall will be in place to limit traffic and to drop a possible mass attack.
  3. Port monitoring and IP blocking tool will be installed for suspected mis-use.
  4. All insecure or plain text tools are not available for use.
    These include telnet, ftp, rsh, rexec etc.
  5. The open ports on any server are locked down to a bare minimum.
    22 - ssh for remote access and data transfer
    25 - mail server
    80 - standard web server
    443 - secure web server
    3306 - database access with ssl/ssh
    other ports only on demand.
  6. Security on the open ports.
    3306 - only open to other database and backup servers
    443 - open to the world, but monitored
    80 - open to the world, but monitored
    25 - open only for outgoing mail as standard
            if incoming mail is required (Jira) open, but monitored
    22 - open for approved staff and configured for certificate only (see below)
    other ports will be added if opened.
  7. Where possible, http will be redirected to https.
  8. A virus filter to protect the Windows users will be in place for servers with mail and upload access.
  9. Servers with VNC access requirements will have this accessible via localhost and SSH certificate only.
  10. Root log-in is locked down and replaced with sudo access after SSH connection.
    No user will have access to the ROOT password.

  11. User access is granted via a 2048bit SSH key.
    No password log-in is available.
    After 3 failed SSH handshake attempts the account will be locked and the IP blocked with the tool from item 3.
    The public key has to be registered on the server before access can happen.
    The user cannot change the access credential or the protected SSH certificate.
  12. Every server access, successful or failed, will be logged in an audit file.
    Every sudo command is audited.
  13. Every web site access will be logged and presented in a daily report.
  14. Server and data backup will be in place and stored in a secure location.    
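Items 10 and 11 describe the sshd side of this policy. As an added example, not part of the post, here is a small audit script that checks an sshd_config for those settings. The sample files it writes are constructed for the demonstration, and MaxAuthTries is the sshd keyword assumed to back the three-attempt rule (the IP blocking tool of item 3 is a separate piece).

```shell
#!/bin/sh
# Added example, not part of the post: audit an sshd_config against items 10 and 11
# (no root login, key-only access, few auth attempts). sshd applies the FIRST
# occurrence of a keyword, so the lookup reads the file the same way.

# sshd_get FILE KEYWORD: first effective value of KEYWORD (keywords are case-insensitive)
sshd_get() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ { next }
        tolower($1) == key { print $2; exit }' "$1"
}

# expect_kw FILE KEYWORD WANTED: report a mismatch and return 1 on one
expect_kw() {
    got=$(sshd_get "$1" "$2")
    [ "$got" = "$3" ] && return 0
    echo "$2: got '${got:-<unset>}', want '$3'"
    return 1
}

# audit_sshd_config FILE: return 0 only when every rule is met
audit_sshd_config() {
    rc=0
    expect_kw "$1" PermitRootLogin no                 || rc=1   # item 10: root only via sudo
    expect_kw "$1" PasswordAuthentication no          || rc=1   # item 11: no password log-in
    expect_kw "$1" ChallengeResponseAuthentication no || rc=1   # PAM's password prompt uses this path
    expect_kw "$1" PubkeyAuthentication yes           || rc=1   # item 11: SSH key access
    tries=$(sshd_get "$1" MaxAuthTries)                         # item 11: lock-out after 3 failures
    if [ -z "$tries" ] || [ "$tries" -gt 3 ]; then
        echo "MaxAuthTries: got '${tries:-<unset>}', want 3 or fewer"; rc=1
    fi
    return $rc
}

# write_sample FILE hardened|default: constructed sshd_config fragments
write_sample() {
    if [ "$2" = hardened ]; then
        cat > "$1" <<'EOF'
# constructed sample matching the rules above
Port 22
Protocol 2
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3
EOF
    else
        cat > "$1" <<'EOF'
# constructed sample in the shape of a stock file: everything commented out,
# so the daemon defaults (root login and passwords allowed) apply
#PermitRootLogin yes
#PasswordAuthentication yes
#MaxAuthTries 6
EOF
    fi
}

tmp=$(mktemp -d)
write_sample "$tmp/hardened" hardened
write_sample "$tmp/stock" default
for f in "$tmp/hardened" "$tmp/stock"; do
    if audit_sshd_config "$f"; then echo "$f: compliant"; else echo "$f: NOT compliant"; fi
done
rm -rf "$tmp"
```

Run audit_sshd_config /etc/ssh/sshd_config on each server after the change and again from the daily report job; a commented-out keyword counts as unset, which is exactly how sshd treats it.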

Wednesday, 14 March 2007

Solaris 9 - mounting a dvd

DVDs on Solaris 9 do not necessarily work.

Patch your box with 111649-04 and try again

or

just do it the old command line way:

/etc/init.d/volmgt stop
mount -F hsfs -o ro /dev/dsk/c<n>t<n>d<n>s0 /cdrom
cd /cdrom
ls -al

all good stuff

Enjoy.

Thursday, 22 February 2007

HOWTO - ssh-agent in a script

How to use secure shell in a script without having to type in the passphrase.

It is not too complicated. Just add the following to your script (or something similar):
This program has to echo out the passphrase, so hide it in your .ssh directory. That is a secure place.

suggested filename: $HOME/.ssh/.passwd_type
chmod 700 $HOME/.ssh/.passwd_type

type could stand for rsa, dsa, ssh or whatever you like if you need to identify different passphrases.

The final bit would look like this:

#!/bin/bash
# the askpass helper just echoes the passphrase; "type" is rsa, dsa, ... as above
SSH_ASKPASS="${HOME}/.ssh/.passwd_type"
# ssh-add only runs SSH_ASKPASS when DISPLAY is set and stdin is not a terminal
DISPLAY=localhost:0
export DISPLAY SSH_ASKPASS

# start an agent for this script; the eval sets SSH_AUTH_SOCK and SSH_AGENT_PID
# (silence the eval, not ssh-agent itself, or the variables are never set)
eval "$(ssh-agent -s)" >/dev/null
# and kill that agent again when the script exits
trap 'ssh-agent -k >/dev/null' EXIT
# </dev/null detaches stdin so ssh-add calls the askpass program instead of prompting
ssh-add "${HOME}/.ssh/.id_type" </dev/null 2>/dev/null

# And now your SSH/SFTP commands should work here straight through, ie.:
ssh <user>@<host> uname -a     # <user>@<host>: your own login and server
---end snippet---

now you run your program:
program
and it will return:
SunOS 5.10 Generic_118833-36 sun4u sparc SUNW,Ultra-5_10 Solaris

enjoy.

Addi