Here's the status of setting up Frigg, the new Linux box I'm going to use as my main server and primary computer.
Setup
Installed fedora distro with anaconda installer. Installed KDE without any optional packages, and turned off everything else except the administration type stuff.
locate and updatedb
Want to set up iptables, but it's not installed. yum install iptables.
Installation succeeded, it claimed, but the executable isn't found, and locate isn't working. locate never works. Try restarting system. Error is "locate: can not open `/var/lib/mlocate/mlocate.db': No such file or directory"
Still no good, so we do updatedb as root, and now I can use locate. And it turns out iptables is in /sbin
iptables (firewall)
Okay, first of all turn on iptables: /sbin/service iptables start
And install it as a service: /sbin/chkconfig iptables on
Very good tutorial: http://www.howtoforge.com/linux_iptables_sarge
Okay, created a shell script called iptables.sh which just calls /sbin/iptables to create individual rules. To update with these rules, do /sbin/iptables --flush; ./iptables.sh. To save these, do /sbin/service iptables save.
Another good iptables guide, but very detailed and long, at http://www.linuxtopia.org/Linux_Firewall_iptables/x1298.html
Instead of /proc/net/ip_conntrack, try /proc/net/nf_conntrack
Okay, got a pretty decent handle on iptables, and good starting point for firewall. Moving on...
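As an added example (not the author's own iptables.sh), here is a default-deny rule script of the kind described above, with a dry-run mode so the rule set can be reviewed before it is flushed in and saved. It assumes the LAN is 192.168.2.0/24 (darwin sits at 192.168.2.2 in these notes) and opens the ports for the services set up further down (ssh, the 8081 vhost, Samba, NFS, VNC, CUPS) to the LAN only, while 80 and 443 stay public.

```shell
#!/bin/sh
# iptables.sh: added example of the rule script described above, not the
# author's own. Assumptions (not on the page): the LAN is 192.168.2.0/24 and
# the port list matches the services configured later in these notes.
IPT=${IPT:-/sbin/iptables}
LAN=${LAN:-192.168.2.0/24}

# Run one iptables command, or just print it when DRY_RUN=1 so the whole rule
# set can be reviewed (and diffed against /etc/sysconfig/iptables) first.
ipt() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$IPT $*"
    else
        "$IPT" "$@"
    fi
}

firewall_rules() {
    # Loopback and replies to connections this box started (yum, the cifs
    # mounts of darwin, web browsing) are accepted before anything restrictive.
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # A TCP packet in state NEW must be a SYN; anything else is a scan or junk.
    ipt -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

    # Services exposed to everyone: the Apache vhosts on 80 and 443.
    ipt -A INPUT -p tcp --dport 80 -j ACCEPT
    ipt -A INPUT -p tcp --dport 443 -j ACCEPT

    # Services that should only be reachable from the LAN: ssh, the 8081
    # vhost, Samba (139/445 tcp, 137/138 udp), NFS (2049 plus portmapper 111;
    # for NFSv3 mountd's port also has to be pinned and opened), VNC, CUPS.
    for port in 22 8081 139 445 2049 111 5900 631; do
        ipt -A INPUT -s "$LAN" -p tcp --dport "$port" -j ACCEPT
    done
    for port in 137:138 2049 111; do
        ipt -A INPUT -s "$LAN" -p udp --dport "$port" -j ACCEPT
    done

    # Log a rate-limited sample of everything else, then drop it. Policies
    # survive a --flush, so with DROP as policy the box fails closed between
    # the flush and the re-run rather than wide open.
    ipt -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables-drop: "
    ipt -A INPUT -j DROP
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT
}

# Print the rule set without touching the kernel (subshell keeps DRY_RUN local).
show_rules() {
    (DRY_RUN=1; firewall_rules)
}

# Number of commands the script would issue.
rule_count() {
    show_rules | wc -l | tr -d ' '
}

# Self-check: 0 when every ACCEPT for the given port carries the LAN source
# restriction, 1 when that port is open to the world.
lan_only() {
    show_rules | grep -- "--dport $1 " | grep ACCEPT | grep -qv -- "-s $LAN" && return 1
    return 0
}

case "${1:-}" in
    show)  show_rules ;;
    apply) "$IPT" --flush; firewall_rules ;;   # then: /sbin/service iptables save
esac
```

Run `sh iptables.sh show` to review, `sh iptables.sh apply` as root to load, then save with the service command above.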
Network sharing
Samba
Want to mount darwin's samba shares. Have to install smbfs. Tried yum install smbfs, nothing good, but yum install samba-client worked. And bada-bing! I can mount darwin's samba shares:
mount -t cifs //192.168.2.2/scatch /mnt/net/darwin/scratch
good, now I can start copying the Fedora iso from darwin to frigg. And while I'm waiting...
(http://ubuntuforums.org/showthread.php?t=26438&highlight=mount+smb+boot)
Users and groups
- Add user group "lusers": /usr/sbin/groupadd lusers
- Add shared user: /usr/sbin/useradd -c "User shares" -s /bin/false shared
- Add user for the girl
- Add system group "admin": /usr/sbin/groupadd -r admin
- Add me to lusers and admin: /usr/sbin/usermod -a -G admin,lusers mearns
- Add root to admin group
Configure shared home dir:
chown shared:lusers shared/
chmod u-rwx,g+rwxs shared/
Set up shared bin and shell scripts, copied from darwin. Just some helpful shell scripts and whatever in /home/shared/bin and /home/shared/sh. Added these to the path in /etc/bashrc.
Create and configure access for /scratch: mkdir /scratch; chown :lusers /scratch; chmod 0777 /scratch
Sudo
Added members of admin group to sudoers: run visudo, then add these lines to the end:
## Allow members of admin group to run all commands as anyone, from anywhere
%admin ALL=(ALL) ALL
Save and exit.
Now members of the admin group can sudo to any other user and run any command (from any machine) as that user.
Setup local yum repository
Finally got the Fedora core install iso copied from darwin. Copy it to /dist/versions/8/Fedora-8-i386-DVD.iso
So set up automount for it, while I'm here. See if autofs is a daemon: chkconfig --list autofs (it is, runlevel 5 on). Now edit the /etc/auto.master, add the line:
/dist /etc/auto.dist --timeout=300
Then edit auto.dist (new file), and make it:
versions/8/mnt -ro,loop :/dist/versions/8/mnt
restart autofs: service autofs restart
Okay, no good. New side-project getting this to work
Autofs
So far, I can get a samba share to automount if I include the password in the autofs map, and I can get a dvd rom to auto mount. No luck with iso image. Looks like this:
/dist/versions/8/mnt/iso -fstype=iso9660,ro,loop :/dev/sr1 #:/scratch/Fedora-8-i386-DVD.iso
/dist/versions/8/mnt/mearns -fstype=cifs,password=PASSWORD ://192.168.2.2/mearns
Logs (cat /var/log/message | grep autofs | less) say /usr/lib/autofs/mount_iso9660.so isn't there, and it's not. Tried installing autofs (updating) with yum, still not there.
No good, giving up for now.
Come to think of it, there's no good reason to automount an iso: they're the same size as if I just mount the image and copy all of its files to disk. Then I don't have to mount at all. Interesting.
Configure hostnames
Just add host names for local system to /etc/hosts
yum repo from DVD
Had to install createrepo with yum.
Then just follow yum.
NFS setup
Ok, so I did that, I just shared scratch, and it works fine. I've got the same UIDs for my user on both machines, so the username and stuff works fine.
Turn it on as a service: chkconfig --level 2345 nfs on
Samba setup
Had to install it with yum, no problem. Turn it on as a service chkconfig --level 2345 smb on
To add users, make sure to use -a with smbpasswd.
Able to connect to frigg from windows, by IP. Don't have access to any of the folders though, haven't gone all the way through configuration. Not by net bios name though.
Login menu
Quick sidetrip to configure the login menu: In KDE menu, Settings->Login Window. Added "shared" to the Exclude menu on the last tab (Users), so shared can't log in. Copied over the kallisti apple from darwin, put it in /usr/shared/pixmaps/faces, then created a soft link to it in the same directory, called mearns. This will be my login image now.
fstab the installation iso
Okay, I gave up on autofs for the iso image, but as I said, it takes the same amount of space whether it's mounted or not, so I'll try it in fstab:
/dist/Fedora-Install-Media-Current.iso /dist/iso iso9660 ro,loop,auto 0 0
Here, I've unlinked /dist/iso and just did mkdir /dist/iso, then soft linked /dist/Fedora-Install-Media-Current.iso to /dist/versions/8/Fedora-8-i386-DVD.iso
Load it with mount -a and it worked fine.
fstab darwin shares
As long as I'm here, I'll configure darwin's shares in fstab. I'm going to do noauto so they aren't automatically mounted at boot, in case the system's down. But having them already configured will make the mount process easier.
Samba
Created group sambausers, and added mearns and jenny. Created /root/.darwin.sambapasswd file for credentials.
Used noauto option so they don't automatically try to connect, but when now to mount, I just have to do mount //darwin/shared, for instance, and it knows how to mount it and where.
Trying autofs samba shares, again
http://www.howtoforge.com/accessing_windows_or_samba_shares_using_autofs
Still no good. Posted a question on alt.linux. We'll see.
VNC
Installed VNC. For some reason, yum isn't working well directly, keeps telling me some stuff is already installed or something, but it's not working. Had to install from pirut, and it worked.
Evince
yum install evince so I can read PDF files.
Printer setup
USB Printer: http://brneurosci.org/linuxsetup51.html
Installed cups, but can't start it as a service:
#> service cups start
Starting cups: /bin/bash: /usr/sbin/cupsd: Permission denied
[FAILED]
/usr/sbin/cupsd is read and executable by all. Can run it in user space, no problem, can access setup through localhost:631
Tried adding permissions to /var/log/cups/*, but no good, even with 777.
http://gentoo-wiki.com/HOWTO_Lexmark_Printers And at the very bottom: http://www.linuxquestions.org/questions/linux-hardware-18/help-me-installing-lexmark-z605-printer-211489/
Trying the second link first:
- download the driver tar.gz from lexmark.com, and extract to /usr/local/lexmark-z605-printer
- yum install tcl
- yum install tk
- ln -s libtcl8.4.so libtcl8.3.so
- ln -s libtk8.4.so libtk8.3.so
[root@frigg /usr/local/lexmark-z605-printer]# sh z600cups-1.0-1.gz.sh -keep
Creating directory installer
Verifying archive integrity...Error in check sums 2427274830 225780837 OK
Uncompressing Lexmark Printer Driver
z600cups-1.0-1.gz.sh: line 133: ./install: No such file or directory
The program returned an error code (127)
Tutorial says the error is ok.
- No good, the installer directory is empty. this blows.
Trying the first link, from gentoo...No good, don't have emerge. Can't find it with yum.
How it works
Found another, seems promising: http://ubuntuforums.org/showthread.php?t=83456&highlight=lexmark
Just the first few steps to create and extract the install.tar.gz:
tar -xvzf CJLZ600LE-CUPS-1.0-1.TAR.gz
tail -n +143 z600cups-1.0-1.gz.sh > install.tar.gz
tar -xvzf install.tar.gz
...then pick back up with the first tute at the bottom of http://www.linuxquestions.org/questions/linux-hardware-18/help-me-installing-lexmark-z605-printer-211489/: So this is step 6 there:
- rpm -Uvh *rpm
- in /etc/cups/mime.convs: comment out the old version of this line and add in:
image/x-bitmap application/vnd.cups-raster 100 imagetoraster
- service cups stop
- cupsd # to restart
- http://localhost:631/admin?op=find-new-printers
- Just found the printer! Sweet!
- "Add this printer"
- Continue
- Chose Z600 model, then add this printer, and used root name and password. Says it worked!
- Fuck, the testprint failed.
Looks like it may be related to the error message I get when I try to run /usr/lib/cups/filter/rastertoz600, which is supposed to run without errors (obviously):
./rastertoz600: /usr/lib/libstdc++.so.5: version `CXXABI_1.2' not found (required by ./rastertoz600)
Someone online says it sounds like a compat-libstdc++ problem, like maybe it's not installed, so I'm installing all of the development libraries in pirut. Oops, I also linked libstdc++.so.5 from libstdc++.so.6, maybe I need to actually have 5. Will try yum install libstdc++5 once pirut is done, if that doesn't resolve it.
pirut didn't resolve it, and can't find libstdc++5 with yum. The version of this package is only like 4 something, so not sure where the .so.6 came from, but installed compat-libstdc++. Didn't like it unless I specified the entire thing including version and arch, so to find the latest version, I did yum search compat-libstdc++. Then I used the exact name it reported: compat-libstdc++-33.i386
- Okay, stupid point: that's compat, not compsat, which caused me quite a head ache when I came back and tried again later.
And it worked!
[root@frigg /usr/lib/cups/filter]# ./rastertoz600
ERROR: rastertoz600 job-id user title copies options [file]
At least for running that. Now let's try restarting cups, and trying to print again. Yes! Back into the cups webinterface and print a test page! It prints! Hells yeh! Now I just need to learn how to configure the CUPS server, but no biggy! Awesome!
PHP
- Downloaded latest source from php.net
- set up /usr/local/php/versions/5.2.5, owner is root, group is admin, with g+rwx, so admin users can work it without risking being root.
- Extracted archive there.
- copied mearns_config.sh from darwin, tried to run, but it complains about no cc found in PATH. Probably need dev tools for this, obviously. Damnit.
Samba
http://tldp.org/HOWTO/Debian-and-Windows-Shared-Printing/sharing_with_windows.html
/usr/sbin/adduser -r smbprint
Installed gcc
Installed gcc and gcc-c++, or whatever it's called, with pirut.
Back to PHP
Apparently need apache installed, or else need another option to not build it for apache.
Back to Samba
Uninstalled with yum erase samba. Installed in pirut with Fedora and Fedora updates repos. Installed "samba - 3.0.28-fc8.i386".
Also deleted all my config files for it, which was apparently a mistake.
Ok, just went into /etc/samba and touched smb.conf. Now I can use smbpasswd without errors.
Ok, at long last, after actually REINSTALLING FEDORA (that was perhaps a little drastic), I finally found the answer here. It's an SELinux problem which is preventing samba from doing a lot of stuff, which is annoying because that's the whole point of configuring samba: setting it up with the correct amount of security. Except the system-config-securitylevel is different for me (FC8), so I did something like SELinux management from the menu. I just checked all the "allow" things under the Samba tab in the "boolean" section. Also, I think my permissions are set up wrong in Samba, because I need the directory to be 777 to access it (at least 750 didn't work).
Oh, the error I was getting before the SELinux fix was tree connect failed: NT_STATUS_BAD_NETWORK_NAME
Printing
Okay, I'm not sure if there was some other stuff in here I did to get this to work, but it works now, I can print from all three machines: Fedora 6 remotely, Fedora 8 local (USB), and Windows XP home (remote). It seems the key line was use client driver = yes under the [printers] section. The error message was in the title bar of the Windows printer queue window: Access denied, unable to connect. Adding that line made it go away, and let me print. All I did with this configuration is right-click on the printer (right in the top level of the server) and choose "Connect...", install the driver, and that's that.
Currently the smb.conf file is:
[global]
netbios name = frigg
workgroup = Mshome
load printers = yes
printing = cups
printcap name = cups
security = share
guest account = smbprint
[printers]
comment = All Printers
path = /var/spool/samba
browseable = no
public = yes
guest ok = yes
writeable = no
printable = yes
printer admin = mearns
use client driver = yes
mearns is both a local user and the Windows XP user name, not sure which one matters. Okay, turns out I didn't need the printer admin option anyway, so cool.
I've got chmod 777 on /var/spool/samba.
Apache
Download apache src, configure, make, and make install.
http://www.modssl.org/example/ (didn't work, wrong version of apache)
OpenSSL
http://www.devside.net/guides/linux/openssl
But now I want SSL, so I download openssl from ftp://ftp.openssl.org/source/openssl-0.9.8g.tar.gz, unpack, ./config:
./config \
    --prefix=/usr/local/openssl/current/installed \
    shared zlib-dynamic enable-camellia
Then make depend, make test, which failed because of zlib-dynamic. Removed it from configure, and reran the config, then make clean, then make depend and make test. Still failing, can't find -lssl
Try yum install openssl-devel, and rerun make test.
Okay, that worked, so I'll try adding zlib-dynamic again. Cool, it passed. Now make install. And done!
Back to Apache
Configure, make
make gives an error about "apr_os_uuid_get", had to yum remove apr, and add --with-included-apr to configure, to have apache auto build a pre-packaged version of apr.
Nope, still didn't help it. Trying yum install apr-util. v 1.2.10-2 for utils and 1.2.11-2
Also, I noticed that having lines commented out in a multi-line thing in a script is bad.
Started with instruction from apache: http://httpd.apache.org/docs/2.2/install.html
cd srclib/apr
./configure --prefix=/usr/local/apr-httpd/
make
make install
# Build and install apr-util 1.2
cd ../apr-util
./configure --prefix=/usr/local/apr-util-httpd/ --with-apr=/usr/local/apr-httpd/
make
make install
Note that the make for apr was really short, only like 3 or 4 lines, but seemed to be fine.
but the last make install gives a problem like "cannot install `libaprutil-1.la' to a directory not ending in <some directory>"
Found here that make clean, make, make install works, and it does.
Continue with those instructions using configure script:
./configure \
    --prefix=/usr/local/apache/current/installed \
    --enable-ssl \
    --with-ssl=/usr/local/openssl/current/installed \
    --with-apr=/usr/local/apr-httpd/ \
    --with-apr-util=/usr/local/apr-util-httpd/
configure is fine, still can't pass make. Try make clean, then make. No good.
Okay, yum remove both apr and apr-util. Now yum install both. Why? I don't know. Weird. Configure (below), then make clean, make, and make install. And it worked. Ok. Cool.
./configure \
    --prefix=/usr/local/apache/versions/2.2.6/installed/ \
    --enable-ssl \
    --with-ssl=/usr/local/openssl/current/installed/
Okay, but it's not installed as a service, have to fix that later. Also, when I tried to run /usr/local/apache/current/installed/bin/httpd (the one I just installed), it gives errors saying it can't find the libraries for ssl, and then crypto. So just did a softlink called /lib/libssl.so.0.9.8 (the thing it was looking for), pointing to libssl.so.0.9.8b, and likewise with libcrypto.
Configure HTTPS
- http://www.crazysquirrel.com/computing/debian/apache-mod_ssl.jspx
- http://www.devside.net/guides/linux/apache-ssl-deflate
- http://www.linuxjava.net/howto/webapp/
Okay, got a key, certificate, and csr file. Edited httpd.conf, stopped, and started, and it doesn't work. Can't connect as http or https. Remove the stuff from httpd.conf, restart, and it's fine.
Okay, checked PREFIX/installed/logs/error_log, and getting an error: undefined symbol: SSL_CTX_sess_set_new_cb, which explains why it works when there's no SSLEngine on. Okay, it turns out this is something added in release e of OpenSSL [1], and even though I built g successfully, I also built and installed b. So I opened /usr/local/openssl/versions/0.9.8g/src and copied the two libs (ssl and crypto) into /lib, then added Listen 443 to httpd.conf, restarted apache, and connected with the https: protocol, and it works! Note, I probably should have gone to versions/0.9.8g/installed/lib, instead of src, but whatever. It worked.
So I've got HTTPS working. So now I uncomment the Include conf/extra/httpd-ssl.conf directive in httpd.conf, remove all the other stuff about SSL in the main conf file there, and make all my changes in PREFIX/installed/conf/extras/httpd-ssl.conf (name may be different). So in the main httpd.conf, I'm listening on port 80, for normal connections, and in httpd-ssl.conf, I'm on 443 for https connections. Now I'm basically just using the default config file here (for ssl, that is), which creates a virtual host for port 443, and turns on the HTTPS engine and all good stuff.
Apache as service
Okay, so I had to copy this from my other server, and unfortunately it was last night and I didn't record it as I was doing it, so I hope this is really what I did to get apache running as a server. First, copy PREFIX/installed/bin/apachectl to /etc/init.d/httpd. Now edit the file (in /etc/init.d), and add these lines for chkconfig to play nice (immediately after the #!/bin/sh header line)
#
# httpd        Startup script for the Custom built Apache HTTP Server
#
# chkconfig: 2345 85 15
# description: Apache is a World Wide Web server. It is used to serve \
#              HTML files and CGI.
# processname: httpd
# config: /usr/local/apache/current/installed/conf/httpd.conf
# config: /etc/sysconfig/httpd
# pidfile: /var/run/httpd.pid
You'll of course want to change the location of the config file (first config: directive) to match your location. Most of this should be fairly self explanatory, with more information available from man 8 chkconfig, under the section "RUNLEVEL FILES". Basically, the chkconfig: directive tells three things: first, which runlevels it should be turned on for, and then second and third are the start and stop priorities. PID file just tells the location of the process-id file the service should use.
So with that file in place, you should be able to do /sbin/chkconfig --list httpd, and it should complain about something, but not that it couldn't find the file. It should also mention something about --add, so do that: /sbin/chkconfig --add httpd, and that should do it. You can hopefully now start stop restart the httpd daemon with the /sbin/service command.
Apache user
Ok, from somewhere, I already have an apache user and group. Just to be a little more inclusive, I'm also going to create a group called www with /usr/sbin/groupadd www, and then append apache to it with /usr/sbin/usermod -a -G www apache. That's so, for instance, I can create files that only members of the www group can access, which will include apache and any other users meant to have access to the server files.
Now I go back into httpd.conf, and change the User and Group directives both to apache.
Configuring for PHP
Okay, so I setup php (see Installing PHP) as a module for apache, now I have to get apache to recognize php files when it sees them, and use php to eval them. Apparently, all that's required for this (as far as I know, anyway, and it seems to work for me) is to add these lines to your httpd.conf file:
LoadModule php5_module modules/libphp5.so
AddType application/x-httpd-php .php
AddType application/x-httpd-php-source .phps
Note that they may already be there, or at least LoadModule php5_module might be there, and you probably don't want to include it twice, so make sure to grep for it before adding it. To test, just go to your document root (probably htdocs in your installation dir, if you haven't changed it, verify by checking the DocumentRoot directive in the httpd.conf file), and create a file called phpinfo.php, and inside, make it this:
<?php phpinfo(); ?>
Now browse to that file on your server (you'll have needed to restart the server after editing the httpd.conf file, of course), and you should see a bunch of tables describing your php installation. Basically, you just shouldn't see the actual text content of the file, because that means apache didn't know to pass it off to php.
Further configuration of apache
Okay, here's just some of my general setup information and notes.
ServerAdmin webadmin@bmearns.net, which I'll have to actually set up a mail server with that account but, whatever. Was planning to anyway.
ServerName bmearns.net, naturally
DocumentRoot "/var/www", this is where I like to keep my web server. When I get more harddrives and/or start running out of room, I'll mount another drive there. But at any rate, webserver files can change a lot, so it's kind of nice to have it in /var. I think /var/www is a pretty common location for DocumentRoot. Of course, I have to create this folder, so I just (as root) mkdir /var/www, chown root:web /var/www, and chmod 2770 /var/www. Lastly, add any users you like to group www so they can edit. You'll probably need to restart your session before the group permissions take effect for users recently added to the group.
Accessing stuff
Can't access any files with the document root changed. Need to Order Allow then Deny for document root dir. Hmm, it even says that in the httpd.conf file.
Installing modules with apxs
There are some modules that I try to load in my config file, and apparently I never built them. Which is annoying, but I can add them on with apxs:
apache/installed/bin/apxs -i -a -c ../../src/modules/aaa/mod_auth_digest.c
For example.
Auth
I'm going to configure auth. Probably should've done this before bringing the server up. Oops.
http://httpd.apache.org/docs/2.2/howto/auth.html
Inside <Directory />, changed AllowOverride None to AllowOverride AuthConfig, so I can configure auth in .htaccess files. First things first, don't let anyone (not even me), access the admin files from the web:
<Directory /var/www/admin>
    Order deny,allow
    Deny from all
</Directory>
Already have my password file.
Server-status
Add this to make (extended) server-status available from localhost (127.0.0.1) and everything on the local network (192.168.*.*)
ExtendedStatus On
<Location /server-status>
SetHandler server-status
Order deny,allow
Allow from 127.0.0.1
Allow from 192.168
Deny from all
</Location>
Virtual hosts
Okay, so I did (what I consider to be) some pretty cool stuff with my Virtual Hosts.
So first of all, I want to make sure that when anyone goes to my "professional" website (http://brianpmearns.com), they actually get there, even if they're using an old browser, or for some other reason not sending the Host header. Therefore, my first virtual host is for that site, which is specified in the ServerName directive inside the vhost. I also have ServerAlias set up to allow any prefix to the domain name, and the alternate domain, bpmearns.com (with any or no prefix). Basically that means if they send a Host header that matches any of those patterns, it will stop looking through the rest of the vhosts, and automatically use this one. Also, since it's the first one, if it can't find any matching vhosts (like if no Host header is sent), it will use this one.
So next up, I've got a special mini virtual host used as an alternate to the SSL secured server for the "main" server. The idea is, for bmearns.net, I can go to secure.bmearns.net, and automatically get bounced to the corresponding page on https://bmearns.net. The virtual host looks like this:
<VirtualHost *:80>
ServerName secure.bmearns.net
DocumentRoot /var/www/content/secure/
RewriteEngine on
RewriteRule ^(.*)$ /index.php?host=bmearns.net [L,QSA]
</VirtualHost>
So basically, I rewrite every access to go to index.php, which looks like this:
<?php header("Location: https://".$_GET["host"].$_SERVER["REQUEST_URI"]); ?>
Which simply redirects the client to the https server, with the given host (passed in from the rewrite rule in the virtual host), and the requested page. So when I get around to it, I'll set another one of these up for, say, secure.brianpmearns.com, and just change the host parameter in the rewrite rule.
After that, I've got the "main" server (even though it's not really the default vhost), which is the one serving this site here. So I've got the virtual host on all ip addresses port 80, as normal, with server name bmearns.net, and aliases to accept all prefixes of bmearns.net. Of course, this one comes up after the secure virtual host, so host name secure.bmearns.net will not get this far.
In addition to being a virtual host on 80, I also want it on 8081, which I use to access it from behind my router, where the host name is some local name. In other words, if I want to access my server from behind the router, I have to do it by either the local ip address (like 192.168...) or the local host name (frigg). Since these Host names are kind of weird, I access my virtual hosts from behind the router by specifying a specific port.
Proxy
Okay, to get mod_proxy compiled and loaded, you need to include proxy_utils.c, so just:
sudo ./apxs -i -a -c ../../src/modules/proxy/mod_proxy.c ../../src/modules/proxy/proxy_util.c
