skyBuilders timeLines GNU/Linux/Apache/PHP/PostgreSQL Installation HOWTO

Interesting links (in no particular order):
RedHat
The GNU Project
The Apache Software Foundation
The Comprehensive Perl Archive Network
PHP Hypertext Preprocessor (documentation)
PostgreSQL (documentation)
Open Secure Shell
The National Institute of Standards and Technology
WebMin

This is the process for configuring a new RedHat 7.3/8.0 installation to become a skyBox capable of running (and developing) skyBuilders timeLines. This process in deprecated in favor of How To Build a skyHost running RedHat 9.0. In order to be capable of this, there are a few required services and utilities:

skyBox3, the machine used for this trial run has specs as follows:

Install RedHat 7.3 or 8.0

Partitioning recommendation:

name recommended (100%) actual (58.5GB) format drive
/ 10% (6GB) 6GB ext3 hda
/boot 50MB 50MB ext3 hda
/swap 2xRAM (1GB) 1GB N/A (linux swap) hdc
/tmp 2GB 2GB ext3 hda
/home 10% (6GB) 11GB ext3 hda
/var 30% (18GB) 23GB ext3 hdc
/usr 20% (12GB) 15GB ext3 hdc

IP Address: 206.253.4.20 NetMask: 255.255.255.224 Gateway: 206.253.4.1

Note: During the install process, in the network configuration section, once the IP and netmask were indicated, the interface filled in two other fields. It suggested .30 as the gateway, and .1 as the name server. Odd.

DNS Servers:
209.87.64.70
209.87.79.232

The choices made during installation are logged in /root/install.log and a kickstart file for the RedHat Anaconda installer is in /root/anaconda-ks.cfg

Add crontab for NIST clock synchronization
(add other things like updating the root hints file and the file db later)
# cd /root
# mkdir scripts
# cd scripts
Download http://jesse.skybuilders.com/scratch/other/misc_linux/miscScripts.tar
# tar -xvf miscScripts.tar
# crontab clockSync.cron
To see current settings, # crontab -l

Enable ssh for all users except root.
SSH lives in /etc/ssh
Edit sshd_config
Find the commented line that reads "# PermitRootLogin off"
Add the following line, "PermitRootLogin on"
Go to the end of the file
After the last line, add a line that reads "AllowUsers   dtd jesse bobdoyle" ("AllowUsers" followed by a tab followed by a space-delimited list of usernames to allow)
Test login

There is an upgrade for openSSH (possibly available from the website), which patches a security hole to which we are not, under our current settings, vulnerable. The ideal version would be 0.9.6e
To report current version:
# rpm -q <rpmname>
To upgrade with verbose and progress bar:
# rpm -Uvh <rpmname>

Possibilities
WebMin? Probably unnecessary.
SFTP? May already be enabled under SSH. Requires research. timeLines File Server would be preferable (with directory- and file-level permissioning for all files (not just skyPages)).

Locate Apache httpd

Set httpd to start on boot
To check the current setting:
# chkconfig httpd --list
To set the service to start on boot:
# chkconfig httpd --level 3456 on

Test http service
Open any browser to skybox3.skybuilders.com
The index page should be the Apache test page

Locate Perl
Perl is not a service - it runs when called.
/usr/bin/perl is Perl itself (this is the path that needs to go in the first line of every file)
Apply settings to each directory that wants to run Perl in sections in httpd.conf (if the default example is used, Perl will try to execute for any file in the directory, not limited by file type)

Test Perl
Download test.pl and/or simpletest.pl into a Perl-enabled directory
direct a browser at the file and check the output

Test PHP
Create a file called test.php in the web root (in this case '/var/www/html/') and put into it one line: ''.
Direct a browser at the file and check the output. It should display a series of tables describing the machine and its php installation (see the php.net docs page on phpInfo() for more info).

Make appropriate changes to php.ini
php.ini is in /etc
Here are the lines to look for that show their default values, each followed by the line that should replace it:

  1. memory_limit = 8M
    memory_limit = 16M
  2. magic_quotes_gpc = On
    magic_quotes_gpc = Off
  3. file_uploads = Off
    file_uploads = On
    [This may default to 'On' in other versions of PHP]
  4. SMTP = localhost
    ; SMTP = localhost
  5. sendmail_from = me@localhost.com
    ; sendmail_from = me@localhost.com
  6. ; sendmail_path =
    sendmail_path =
    [in this case "/usr/sbin/sendmail -t -i"]

Set postgresql to start on boot
To check the current setting:
# chkconfig postgresql --list
To set the service to start on boot:
# chkconfig postgresql --level 3456 on
PostgreSQL configuration is in /var/lib/pgsql/data/postgresql.conf

Test pgsql
To make a database (which will be owned by the operating system user who issues the command):
   bash-2.05a$ createdb <dbname>
All user and db management can be done through the PostgreSQL interactive terminal (which accept both SQL statements and Postgres metacommands) called psql (man psql for reference):
bash-2.05a$ psql
which takes you to a prompt which looks like:
=#
To add/manage users:
PGSQL User Management
To create users:
=# CREATE USER
Every db must be VACUUMed at least once every billion transactions with the vacuum command in psql (or risk catastrophic data loss). See Routine Vacuuming.
Host Based Access configuration file is in /var/lib/pgsql/data/pg_hba.conf
A few useful tools.
To list all postgresql users:
skyTemplate=> SELECT * FROM pg_user;
To list all postgresql databases:
skyTemplate=> SELECT * FROM pg_database;
To find out the currently selected database, look at the name in the prompt:
skyTemplate=>

Enable proper logging for pgsql.
In /etc/init.d/postgresql, edit the line that reads:
   su -l postgres -s /bin/sh -c "/usr/bin/pg_ctl -D #PGDATA -p /usr/bin/postmaster start > /dev/null 2>&1" < /dev/null
Edit it to read:
   su -l postgres -s /bin/sh -c "/usr/bin/pg_ctl -D #PGDATA -p /usr/bin/postmaster -o '-i' start >> /var/log/pgsql 2>&1" < /dev/null
Save the file and restart postgresql.

Configure pgsql users and databases.
First, the user called 'postgres', who is the superuser for the postgresql service, must have a new, secure password assigned. Next, a file called 'admins' must be created to indicate that the postgres user can connect to any database with a password challenge. Then, other users must be added to pgsql. One user should be defined for each timeLines installation on the machine. Finally, the new database(s) for the timeLines installation(s) must be created.

  1. As root, change the password for user postgres in the operating system:
       # passwd postgres
    This command will now challenge you for the new secure database admin password which should be carefully kept track of, with the usual precautions of length, and a mix of letters, numbers, and symbols.
  2. Start a session as the postgres user:
       # su postgres
    which takes you to a prompt which looks like:
       bash-2.05a$
  3. Connect to template1 as user postgres by using the command psql, which opens the PostgreSQL interactive terminal. (Whenever in the terminal, be sure to expect confirmations of any action; a null response is a sure sign of no action performed.)
       bash-2.05a$ psql template1
  4. Change the password for user 'postgres' by using the 'ALTER USER' command. Be sure to surround the password with single quotes/apostrophes as shown. The terminal should confirm by replying 'ALTER USER'. When using the following example, <newpassword> should be replaced with the new, secure password.
       template1=# ALTER USER postgres WITH PASSWORD '<newpassword>';
  5. Exit psql.
       template1=# \q
  6. Exit postgres user session.
       bash-2.05a$ exit
  7. Initially, PostgreSQL allows anyone from the local machine to connect to the databases without a password challenge, so as to allow the administrator to set the password for the postgres user. Once that has been done, access to the databases must be securely restricted. This is controlled from the file /var/lib/pgsql/data/pg_hba.conf. Make the following edits to this file: Now create a file in the same directory called 'admins'. Write into this file one word, the name of the database admin user, 'postgres' (excluding the single quotes/apostrophes in this case). These configuration changes will only be applied the next time the service is restarted.
  8. Restart the postgresql service.
       # service postgresql restart
  9. All user management should be done as the user postgres.
       # su postgres
    Create a new db user. This new user should correspond to the site that db will be supporting. For example, our test site is called "app.skybuilders.com". The corresponding username should be "app_skybuilders_com". This should also be the name of the database. Permissioning allows users other than the admin user "postgres" to connect only to "template1" and the database with the same name as the user.
    To make users (outside psql) as user postgres:
       bash-2.05a$ createuser <options> <username>
    In this case:
       bash-2.05a$ createuser -d -P -A app_skybuilders_com
    -d = allowed to create databases
    -P = prompt for a password
    -A = not allowed to create users
    The password for the new user will now be prompted for. This should be another equally secure password, preferably different from the postgres user password, especially if there will be multiple timeLines installations on this machine. This password will be required by the timeLines installation script later in order to initialize the database and enable the application.
    The password will be challenged for a second time for confirmation.
    Finally the postgres admin password will be asked for, to authorize the new user.
    The new user has now been created!
    (man createuser for details, dropuser to delete users, and ALTER USER from inside psql to change settings for a user)
  10. Connect to template1 as the new db user. You will be challanged for the new user's password. (Notice that the terminal prompt ends with a ">" rather than a "#", to show that you are not a superuser (postgres).)
       # psql template1 <username>
  11. Create the databse for this user, name with the new user's username. Ownership of the new database is automatically assigned to its creator. The terminal should respond "CREATE DATABASE".
       template1=# CREATE DATABASE <username>;
    In this case:
       template1=# CREATE DATABASE app_skybuilders_com;
  12. Connect to the new database. This will confirm its existence. The terminal should respond "You are now connected to database <dbname>."
       template1=> \c <dbname>;
  13. The database for this timeLines installation has now been created!
  14. Repeat user and database creation for each timeLines installation on the machine.
  15. PostgreSQL users and databases are now configured.

Install the timeLines application

  1. Create a directory alongside the default web root (in this case "/var/www/html/") using the fully qualified domain name of the new site (in this case "/var/www/app.skybuilders.com"). Move into the new directory.
  2. Download the installation archive file from the skyBuilders.com downloads page.
  3. Decompress the installation archive into the the new site directory. All necessary application server pages, directories, and image files will now be in place in a directory called "timelines".
  4. Permissions must be set on the application directory. Create a group called "skyApp", if it has not yet been created. This will be the group that gives anonymous and administrator access to all timelines application sites.
       # /usr/sbin/groupadd skyApp
  5. Add users to this group. The apache user (in this case "apache") must be added so that requests to the web server will have permission to operate on the site. Other users that may need to be added to this group are any non-root administrators of the machine or the site, or any users who require ftp or sftp access (though any users who require different perissioning from the web users should be permissioned separately).
       # /usr/sbin/usermod -G skyApp apache
       # /usr/sbin/usermod -G skyApp dtd
  6. Change the group setting for the site directory (recursively, for all the files and directories below it).
       # cd /var/www
       # chown -R :skyApp app.skybuilders.com
  7. Set permissions for the site directory (recursively, for all the files and directories below it).
       # chmod -R 775 app.skybuilders.com
  8. Restart the web server httpd.
       # service httpd restart

Enable virtual servers under apache.
In /etc/httpd/conf/httpd.conf, add these lines to the virtual servers section (substituting the appropriate machine name and domain name), waith an extra VirtualHost section for each timeLines installation:

   NameVirtualHost *

   <VirtualHost *>
     ServerName skybox3.skybuilders.com
     DocumentRoot /var/www/html
     AddType application/x-httpd-php .php .php4 .php3 .phtml .html .xml
   </VirtualHost>

Note: Apache 2.0.40-8 (RedHat 8.0 distribution) does not currently support the IP wildcard, '*' in the example above. This version requires IP numbers to entered directly into the httpd.conf entries for NameVirtualHost and VirtualHost entries.

Save the file and restart httpd.

Run the timeLines installation script.
This script will build the new database's schema and populate it with initial data. Open a timeLines-compatible browser (Mozilla > 1.1, Netscape > 4.0, IE > 4) and navigate to the following URL (where <domain name> is the domain name of your new site):
   http://<domain name>/timelines/
timeLines will now challenge for the database password for the new site (as set in the section Configure pgsql users and databases).