Additional Info for Server Admins

Adrian edited this page Jul 3, 2016 · 8 revisions

Basic info

Gamocosm creates droplets running 64-bit Fedora 24 (latest as of 2016 July 3). You can see everything Gamocosm does in app/workers/setup_server_worker.rb. The directory server_setup in the project root contains additional resources used for setting up servers. As of 2015 October 27, it contains only zram scripts.

Opening ports

firewalld sits on top of iptables and provides a dynamically managed firewall. Many people (myself included) are familiar with iptables, but after quickly getting used to firewalld, I find it much easier to use, for experienced and new techies alike. firewalld was included by default in the Fedora 20 distribution. Fedora 21 does not include an active firewall service by default, so Gamocosm installs firewalld.

Gamocosm opens TCP ports 5000 (Minecraft Server Wrapper) and 25565 (Minecraft). The first time you start a server, it also opens the TCP port set as ssh_port under the "Advanced" tab (if you change the SSH port on your server later, you should update this).

  • firewall-cmd --get-zones (supported zones)
  • firewall-cmd --list-all-zones (zones with enabled features)
  • firewall-cmd --get-default-zone
  • firewall-cmd --set-default-zone=<zone>
  • firewall-cmd [--permanent] [--zone=<zone>] --add-port=<port>[-<port>]/<protocol>
  • firewall-cmd [--permanent] [--zone=<zone>] --remove-port=<port>[-<port>]/<protocol>
  • firewall-cmd [--zone=<zone>] --query-port=<port>[-<port>]/<protocol> (query if port and protocol combination enabled in a zone)

When you add --permanent, the command does not affect the runtime firewall; the changes will take effect after rebooting. Usually, when adding ports you want to run the command once with and once without --permanent, to make the changes both immediate and persistent.

Example

firewall-cmd --add-port=9010/tcp
firewall-cmd --permanent --add-port=9010/tcp

Source: Fedora wiki
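Because runtime and permanent rules are stored separately, a port added with only one form of the command is easy to miss. The following check is an added example, not part of Gamocosm; port_drift and check_firewalld_drift are hypothetical helper names, and the script only queries the real firewall when run with --live.

```sh
#!/bin/sh
# Added example: compare firewalld's runtime and permanent port lists.
# port_drift and check_firewalld_drift are hypothetical helper names.

# port_drift RUNTIME PERMANENT
#   Each argument is a whitespace-separated list in the form printed by
#   `firewall-cmd --list-ports`, e.g. "5000/tcp 25565/tcp".
#   Prints one line per mismatch; prints nothing when the lists agree.
port_drift() {
    runtime=$(echo $1)      # unquoted on purpose: collapses whitespace
    permanent=$(echo $2)
    for p in $runtime; do
        case " $permanent " in
            *" $p "*) ;;                        # also saved permanently
            *) echo "runtime-only $p" ;;        # will vanish at reboot
        esac
    done
    for p in $permanent; do
        case " $runtime " in
            *" $p "*) ;;                        # already active
            *) echo "permanent-only $p" ;;      # not active until reboot
        esac
    done
}

# Query the live firewall (needs root) for the default zone or the zone given.
check_firewalld_drift() {
    zone_opt=${1:+--zone=$1}
    port_drift "$(firewall-cmd $zone_opt --list-ports)" \
               "$(firewall-cmd --permanent $zone_opt --list-ports)"
}

# Only touch the real firewall when asked to: sh drift.sh --live [zone]
if [ "${1:-}" = "--live" ]; then
    check_firewalld_drift "${2:-}"
fi
```

A "runtime-only" line means the port needs the --permanent command as well; a "permanent-only" line means the port is saved but not open yet.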

Tmux

Tmux is a terminal multiplexer. It is installed by default by Gamocosm. You can use it to have multiple windows in a single SSH session. You can also use it to leave processes running after disconnecting from SSH, and you can reattach the tmux windows later. Read more about it on its project homepage

Changing the SSH port

Gamocosm sets up SSH on port 4022. You can read more about it on this Stack Exchange/Security thread, but in short, changing the default SSH port reduces the number of generic hacking attempts.

  1. Open up the new ports! See the firewalld instructions above. If you don't open the new ports in the firewall, you won't be able to connect. In Fedora 21 you also have to update SELinux! Run semanage port -a -t ssh_port_t -p tcp <port>. To show the ports SSH is allowed on, run semanage port -l | grep ssh
  2. Edit /etc/ssh/sshd_config. There should be a line Port 4022. Change the number to whatever you want. 22 is the default SSH port
  3. Run (sudo) systemctl restart sshd
  4. Update the "SSH port" under the "Advanced" tab on Gamocosm. Otherwise, Gamocosm won't know how to connect to your server (it uses SSH to perform updates if necessary, and test when a server is ready; sometimes when Digital Ocean says a droplet is active, it's not reachable by the network immediately)
  5. Then next time you try to SSH, use the new port (you won't be disconnected from your existing sessions)
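Steps 1 to 3 above as one script, run as root. This is an added example, not Gamocosm's own code: valid_port, set_sshd_port and change_ssh_port are hypothetical helper names, and the sshd -t syntax check before the restart is an extra safeguard that is not one of the steps above.

```sh
#!/bin/sh
# Added example: the SSH port change steps as one script (run as root).
# valid_port, set_sshd_port and change_ssh_port are hypothetical helper names.

# Accept only a plain decimal integer in 1..65535.
valid_port() {
    case "$1" in
        ''|0*|*[!0-9]*|??????*) return 1 ;;
    esac
    [ "$1" -le 65535 ]
}

# set_sshd_port CONFIG PORT: rewrite the active "Port N" line, keep CONFIG.bak.
set_sshd_port() {
    valid_port "$2" || { echo "invalid port: $2" >&2; return 1; }
    grep -Eq '^[[:space:]]*Port[[:space:]]+[0-9]+' "$1" ||
        { echo "no active Port line in $1" >&2; return 1; }
    cp -p "$1" "$1.bak" &&
        sed -E "s/^[[:space:]]*Port[[:space:]]+[0-9]+.*/Port $2/" "$1.bak" > "$1"
}

change_ssh_port() {
    port=$1
    conf=${2:-/etc/ssh/sshd_config}
    valid_port "$port" || { echo "invalid port: $port" >&2; return 1; }
    # Step 1: open the port now and persistently, then allow it in SELinux
    # (-a fails if the port already has a type, so fall back to -m).
    firewall-cmd --add-port="$port/tcp" || return 1
    firewall-cmd --permanent --add-port="$port/tcp" || return 1
    semanage port -a -t ssh_port_t -p tcp "$port" ||
        semanage port -m -t ssh_port_t -p tcp "$port" || return 1
    # Step 2: edit sshd_config.
    set_sshd_port "$conf" "$port" || return 1
    # Added check (not one of the page's steps): validate before restarting.
    if ! sshd -t -f "$conf"; then
        cp -p "$conf.bak" "$conf"
        return 1
    fi
    # Step 3: restart; existing sessions stay connected.
    systemctl restart sshd
}

# Only change the system when asked to: sh change-ssh-port.sh --apply 5022
if [ "${1:-}" = "--apply" ]; then
    change_ssh_port "${2:-}"
fi
```

Steps 4 and 5 remain manual. Once a login on the new port works, the old port can be closed with the --remove-port commands listed in the firewalld section.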

Zram

Zram is a kernel module available since Linux 3.14 (Fedora 22 is on 4.0) which avoids paging to the disk by using a compressed block in RAM. It is often helpful for devices with limited RAM (e.g. Google uses it for both Chrome OS and Android)

There is a systemd service file and helper script based on Ubuntu's zram-config package in server_setup. Gamocosm puts them in /usr/bin/zram-helper and /etc/systemd/system/zram.service (as you can see in app/workers/setup_server_worker.rb). However, Gamocosm only enables zram for servers with less than 4GB of RAM

To enable zram (enabled by default for servers < 4GB), do (sudo) systemctl enable zram (start on boot) and (sudo) systemctl start zram (start right now). To disable zram, do (sudo) systemctl disable zram (don't start on boot) and (sudo) zram-helper stop (stop right now). You can optionally delete the two files above (but it really makes no difference)

The total zram size is half the amount of RAM, and is divided into N devices, where N is the number of processors (this is what Ubuntu does)

Sources: Linux kernel doc on zram, ArchLinux wiki on zram, ArchLinux wiki on systemd, Ubuntu zram-config

Swap file

Gamocosm creates a 1GB swap /swapfile by default. You can create multiple swaps and enable them. Creating a swap (run as root, or with sudo)

fallocate -l 512M /swapfile # create swap file, M for Megabytes, G for Gigabytes
chmod 600 /swapfile # set proper permissions
mkswap /swapfile # format to swap file
swapon /swapfile # activate swap file
echo "/swapfile none swap defaults 0 0" >> /etc/fstab # make permanent, add to fstab

Removing a swap file (run as root, or with sudo)

swapoff /swapfile
rm -f /swapfile
sed -i "/\/swapfile none swap defaults 0 0/d" /etc/fstab # remove line from fstab

Source: ArchLinux wiki