Jonathan's blog

This blog, and my other blogs, used to run on a rather old server: two 1GHz Pentium III processors, 1GB memory and 2 x 18GB SCSI hard drives. I host with Ridgeon Network, which is owned by my friend Chris. I help him out with some networking stuff from time to time so he loaned me this spare server for personal use.

A few weeks back one of the hard drives failed. Service continued as normal but it was an acute reminder that the server was getting old.

Recently Chris bought a powerful server for use as a VMWare ESXi hypervisor, along with a large iSCSI SAN to host all the disk images, and powerful shared MySQL database server. As he was moving lots of his servers from physical boxes to virtual machines, I decided to do likewise.

So this website, and my other sites, are now hosted on a CentOS virtual machine, with their databases on a separate CentOS database server. Given that the load average on the old P3 wasn’t very high I wasn’t expecting a noticeable improvement in performance. But how wrong I was! The site is noticeably faster to load and navigate, and in particular the WordPress management interface is miles faster.

All in all, I’m happy with the new platform. To anyone else considering replacing old servers with a virtualised infrastructure, I say go for it. You’ll save tons of electricity, take up less rack space, pave the way for later expansion (by adding more hypervisors or more disks to the SAN) and have better manageability and backupabilitiy.

Today a friend (from a Windows background – still a friend?! ) asked me how to go about setting up a LAMP (Linux, Apache, MySQL & PHP) server. I wrote him a few notes, not only on how to configure the LAMP stack, but also on how to configure a Linux system properly from scratch, and how to do so securely. There are millions of guides out there that explain how to serve web pages with Apache, but not many of them explain the basics of setting up a secure system too.

I’ve edited these notes slightly to make them suitable for a wider audience, but in essence it’s the same stuff. Hope it’s useful!

OS installation

I recommend using CentOS. It doesn’t really matter whether you choose 32-bit (i386) or 64-bit (x86_64) but use ideally use 64-bit unless there’s a reason not to.

Boot from the CD or DVD of your choice. It doesn’t matter whether you use the full DVD, or the network install CD.

Choose the text-based installer from the boot prompt by typing linux text. The text installer doesn’t install as much extra rubbish as the GUI installer.

In most cases the default options are good enough. One option you should change is to use an NTP time server. This is especially important with virtual machines, since they suffer badly from clock drift.

Choose a strong root password. You will only need it once again. After that, you won’t even even need it for logging on, so there is no need to pick anything memorable. In fact, you are best off choosing a long, random string of mixed-case letters and numbers.

When it comes to choosing packages, deselect as many of the groups as possible. We will add the packages we need individually later on.

Let the installer run its course, and reboot.

Users and passwords

Upon first boot, log in as root using the password you picked before. Now create new user accounts and set passwords:

useradd yourusername
passwd yourusername

Now for setting sudo access. This is like “run as admin” on Windows. Type visudo. In the text file that opens, read down to the line that says

root    ALL=(ALL)       ALL

Duplicate it twice by pressing yyp. Go into insert mode by pressing i and change the username root to your username. When you are done, hit Esc and type :wq to save and exit. Gotta love vi commands

To disable remote root login via ssh, edit the file /etc/ssh/sshd_config using your favourite editor. If you don’t already have a favourite editor, use vi.

Find the line:

#PermitRootLogin yes

and uncomment it and change the value to no:

PermitRootLogin no

Restart the ssh daemon by doing

sudo /sbin/service sshd restart

From now on you can gain root access by using the sudo command, and you won’t need to log in as root again. Log out now by typing exit and re-login as your own user. Forget the root password forever.

Installing packages

First we add a couple of third-party software repositories that have useful stuff.

sudo rpm -Uvh http://download1.rpmfusion.org/free/el/updates/testing/5/i386/rpmfusion-free-release-5-0.1.noarch.rpm http://download1.rpmfusion.org/nonfree/el/updates/testing/5/i386/rpmfusion-nonfree-release-5-0.1.noarch.rpm

Let’s get rid of the stuff we don’t want or need. There are no doubt more than things that can be removed than I’ve listed here, but they can be removed later.

sudo yum remove bluez* pcsc*

Update the system so you’re sure that that latest versions of all software are installed.

sudo yum update

Now we can install the stuff we want for LAMP!

sudo yum install httpd mysql-server php php-mysql

If you are wanting to use any PHP modules/libraries they can be installed here too, such as the commonly-used graphics library gd.

Services

Let’s start the two daemons for Apache and MySQL, and tell them to start on boot.

sudo /sbin/service httpd start
sudo /sbin/service mysqld start
sudo /sbin/chkconfig httpd on
sudo /sbin/chkconfig mysqld on

Apache in its default state will run out of the box. MySQL just needs a root password setting.

mysqladmin -u root password NEWPASSWORD

From now on it’s advisable to GRANT access to specific users on specific databases/tables. Go read about MySQL users.

Firewall

Let’s assume you want HTTP on port 80 open to the world. Open /etc/sysconfig/iptables for editing, and add this line.

-A RH-INPUT -p tcp -m tcp --dport 80 -j ACCEPT

Save and close, and run this to make the changes live.

sudo /sbin/service iptables restart

Editing configs

The main config file for Apache is at /etc/httpd/conf/httpd.conf. It doesn’t need any changes for basic operation, but if you edit it you need to restart the httpd service to pick up the changes.

If you get serious with web publishing from a LAMP platform, you will probably want to read about name-based virtual hosts.

Adding content

In its basic configuration, you should add PHP scripts, HTML pages and other content like images and stylesheets to /var/www/html/. You do not need to restart the daemon for it to pick up new content.

When debugging pages, you will probably find it handy to refer to the error log, at /var/log/httpd/error_log.

Tip: Open two SSH windows to the server – one for editing stuff, and the other for watching the log scroll by as events occur. Use Ctrl-C to break out of it. Do this:

sudo tail -f /var/log/httpd/error_log

Today I encountered a problem in my FreeRADIUS setup. Usernames can be sent to my RADIUS servers as a simple username (e.g. jonathan) or with a realm prepended (e.g. DOMAIN\jonathan).

When a username with a realm gets sent to a RADIUS authentication server that is doing MSCHAP, the domain is automatically stripped and you never notice. But when it gets sent to an accounting server (clearly no MSCHAP) there is no stripping or escaping done automatically.

This caught me out.

Users were authenticating on my network successfully. DOMAIN\rachel and DOMAIN\thomas were happily authenticated against the domain controllers and gained access to the wireless. But when they started sending accounting packets, the \r and \t portions of their usernames were sent to the database unquoted, where they were interpreted as a Unix newline and a tabspace respectively.

Eeek!

I didn’t notice until I saw that MySQL had converted these \r and \t characters to the hex equivalents. Where my accounting table should have contained rachel, it actually contained DOMAIN=0Dachel.

Yikes!

I fixed this by creating a local proxy realm. At the end of my proxy.conf, I added these lines:

realm DOMAIN {
}

Obviously substituting DOMAIN for the real name of my domain.

Then in the preacct section of my virtual server I added the module ntdomain to populate the variable %{Stripped-User-Name} with the domain part of the username that was originally in %{User-Name}.

Now, looking at the top of whichever dialup.conf suits your database architecture, make sure the following line is uncommented:

sql_user_name = "%{%{Stripped-User-Name}:-%{%{User-Name}:-DEFAULT}}"

…and that all other definitions of sql_user_name are commented.

Once you’ve done this, your accounting detail logs will contain username likes DOMAIN\\username (with an escaped backslash) and your database table will simply have username.

Yesterday at work I had the need to create a federated table in MySQL. I read about the federated engine and thought I had it sussed. I noted:

Beginning with MySQL 5.1.26, the FEDERATED storage engine is not enabled by default in the running server; to enable FEDERATED, you must start the MySQL server binary using the --federated option.

Turns out it’s also possible simply to add the line federated in the [mysqld] section of /etc/my.cnf

The version of MySQL currently installed on my CentOS box was an older one (5.0.45) but I added this line anyway. The server refused to start. It quickly became clear that the MySQL binary packaged with CentOS was not compiled with the federated engine.

Fedora is currently packaging MySQL 5.1.37 but it seems that this too is lacking the federated engine. That’s annoying – I had wanted to install a version of MySQL from some yum repo or other, so I don’t have to keep upgrading the package every time a new version is released.

Perhaps the lack of federated support is a Red Hat (and derivatives) issue. I downloaded the rpm from MySQL directly, and installed it. Guess what – no federated engine compiled in.

So I downloaded the source tarball. I explicitly configured it with the federated engine, like so:

./configure --with-plugins=federated

And then I built and installed it. Nothing worked properly out of the box, and I was annoyed to find that the make install command doesn’t do half of the things I would normally expect it to do. I found this information and followed the steps to get it working. I had to steal and tweak the /etc/init.d/mysqld script from a different box which was running the bog-standard CentOS package.

Woohoo! The federated engine was finally available.

mysql> show engines;
+------------+---------+----------------------------------------------------------------+--------------+------+------------+
| Engine     | Support | Comment                                                        | Transactions | XA   | Savepoints |
+------------+---------+----------------------------------------------------------------+--------------+------+------------+
| InnoDB     | YES     | Supports transactions, row-level locking, and foreign keys     | YES          | YES  | YES        |
| MRG_MYISAM | YES     | Collection of identical MyISAM tables                          | NO           | NO   | NO         |
| BLACKHOLE  | YES     | /dev/null storage engine (anything you write to it disappears) | NO           | NO   | NO         |
| CSV        | YES     | CSV storage engine                                             | NO           | NO   | NO         |
| MEMORY     | YES     | Hash based, stored in memory, useful for temporary tables      | NO           | NO   | NO         |
| FEDERATED  | YES     | Federated MySQL storage engine                                 | NO           | NO   | NO         |
| ARCHIVE    | YES     | Archive storage engine                                         | NO           | NO   | NO         |
| MyISAM     | DEFAULT | Default engine as of MySQL 3.23 with great performance         | NO           | NO   | NO         |
+------------+---------+----------------------------------------------------------------+--------------+------+------------+
8 rows in set (0.00 sec)

But I can’t understand why none of the binary builds of MySQL include it. Fair enough that isn’t enabled by default in the running server – it’s no problem to add a line to my.cnf on a standard CentOS box. But it is a nuisance to have to build from source. It doesn’t break anything to have it enabled in a build, even if unused.

Of course CentOS won’t change the way they build their packages until Red Hat does. So I’m doing what I can, and I have filed a feature request with Fedora in the hope that in the next major release, there will be a version of MySQL built with the federated engine.