
DeployCentOS8

staticlibs edited this page Dec 20, 2020 · 6 revisions

Outline

Deploy a Wilton application on a clean CentOS Stream 8 instance:

SSH Access

Add a user for server management:

adduser server
passwd server
usermod -aG wheel server

Set up SSH access using key files and disable root login:

su - server
sudo ls
mkdir .ssh
cd .ssh/
vim authorized_keys
> paste keys
chmod 600 authorized_keys
chmod 700 .
sudo vim /etc/ssh/sshd_config
> PermitRootLogin no
> PasswordAuthentication no
sudo systemctl restart sshd
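The two sshd_config directives above are the ones that matter, and sshd uses the first uncommented occurrence of a keyword, so a stray "PermitRootLogin yes" higher in the file silently wins over the edited line. The following check is an added example, not part of the original page: it reports the effective global value of both directives (directives inside a Match block are ignored on purpose) and fails unless both are "no".

```shell
#!/bin/bash
# Added example (not from the Wilton wiki): verify that the two sshd_config
# directives edited above are the ones sshd will actually use.
# sshd takes the FIRST uncommented occurrence of a keyword; only the global
# section is inspected, so anything after a "Match" line is ignored.
# Usage: check_sshd_hardening /etc/ssh/sshd_config
check_sshd_hardening() {
    local cfg="$1" rc=0 key got
    for key in PermitRootLogin PasswordAuthentication; do
        got=$(awk -v k="$key" '
            /^[[:space:]]*#/ || NF == 0 { next }       # skip comments and blanks
            { sub(/=/, " ") }                           # accept "Keyword=value" form
            tolower($1) == "match"      { exit }        # end of global section
            tolower($1) == tolower(k)   { print tolower($2); exit }
        ' "$cfg")
        if [ "$got" = "no" ]; then
            printf 'ok    %s %s\n' "$key" "$got"
        else
            printf 'FAIL  %s is "%s", expected "no"\n' "$key" "${got:-unset}"
            rc=1
        fi
    done
    return "$rc"
}

# Run directly on a file: bash check_sshd.sh /etc/ssh/sshd_config
if [ "$#" -gt 0 ]; then
    check_sshd_hardening "$1"
fi
```

To check what the running daemon resolved rather than the file you edited, save the output of `sudo sshd -T` to a file and pass that instead.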

Switch to CentOS Stream

Change installed OS from CentOS 8 to CentOS Stream:

sudo yum update
sudo yum install centos-release-stream
sudo yum swap centos-{linux,stream}-repos
sudo yum distro-sync
cat /etc/centos-release
> CentOS Stream release 8

SELinux Kernel Module

Check whether the SELinux kernel module has been disabled (server hosting providers sometimes do this) and re-enable it:

getenforce
> Disabled
sudo yum install selinux-policy-targeted libselinux-utils policycoreutils
sudo grubby --default-kernel
sudo grubby --info /boot/vmlinuz-<version>
sudo grubby --remove-args=selinux --update-kernel /boot/vmlinuz-<version>
sudo reboot
getenforce
> Enforcing

Cockpit Control Panel

Install Cockpit server management tool:

sudo yum install cockpit
sudo systemctl enable cockpit.socket
sudo systemctl start cockpit.socket
sudo systemctl status cockpit.socket

To access it over an SSH tunnel, run the following on a local machine:

ssh -L 9090:127.0.0.1:9090 server@<server_ip_address>

Open in a web browser and log in with the OS user credentials:

http://127.0.0.1:9090/

PostgreSQL Database

Install and configure PostgreSQL version 12:

sudo yum update
sudo yum module enable postgresql:12
sudo yum install postgresql-server
sudo postgresql-setup --initdb
sudo systemctl start postgresql
sudo systemctl status postgresql
sudo systemctl enable postgresql
sudo su - postgres
psql -c "ALTER USER postgres WITH PASSWORD 'postgres';"
exit
sudo vim /var/lib/pgsql/data/pg_hba.conf
> change "ident" to "md5"
sudo systemctl restart postgresql
sudo systemctl status postgresql
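The "change ident to md5" step above applies to the host rules of pg_hba.conf (ident is a TCP/IP-only method; local socket rules keep "peer"). The function below is an added example, not part of the original page: it performs that edit with awk, passes comments through untouched, reports how many rules it rewrote, and warns on stderr about any "trust" rule, which would skip password checks entirely.

```shell
#!/bin/bash
# Added example (not from the Wilton wiki): rewrite "ident" to "md5" in
# pg_hba.conf for host rules only, leaving comments, blank lines and local
# rules as they are. Prints the number of rewritten rules on stdout.
# Usage (as root): pghba_ident_to_md5 /var/lib/pgsql/data/pg_hba.conf
pghba_ident_to_md5() {
    local hba="$1" tmp count
    tmp=$(mktemp) || return 1
    count=$(awk -v out="$tmp" '
        /^[[:space:]]*#/ || NF == 0 { print > out; next }
        # Columns: TYPE DATABASE USER ADDRESS METHOD [OPTIONS] for host rules,
        #          TYPE DATABASE USER METHOD [OPTIONS] for local rules.
        $1 ~ /^host(ssl|nossl)?$/ && $5 == "ident" { $5 = "md5"; changed++ }
        $1 ~ /^host(ssl|nossl)?$/ && $5 == "trust" { trust++ }
        $1 == "local"              && $4 == "trust" { trust++ }
        { print > out }   # assigning a field re-joins the line with single spaces
        END {
            if (trust) printf "warning: %d trust rule(s) remain\n", trust > "/dev/stderr"
            print changed + 0
        }
    ' "$hba") || { rm -f "$tmp"; return 1; }
    # Overwrite through cat so the file keeps its owner and mode (postgres, 0600).
    cat "$tmp" > "$hba" && rm -f "$tmp"
    printf '%s\n' "$count"
}

# Run directly on a file: bash pghba.sh /var/lib/pgsql/data/pg_hba.conf
if [ "$#" -gt 0 ]; then
    pghba_ident_to_md5 "$1"
fi
```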

PgAdmin 4 Management UI

Install and configure the PgAdmin 4 DB management UI:

sudo yum install epel-release
sudo yum update
sudo yum install python3-pip python3-psycopg2 python3-psutil python3-bcrypt python3-pynacl python3-flask python3-flask-login python3-email-validator python3-flask-sqlalchemy python3-simplejson python3-flask-migrate python3-ldap3 python3-sqlparse
sudo pip3 install flask-unchained flask-paranoid flask-security sshtunnel flask-gravatar flask-compress
sudo rpm -i https://ftp.postgresql.org/pub/pgadmin/pgadmin4/yum/pgadmin4-redhat-repo-1-1.noarch.rpm
sudo yum install pgadmin4-web
sudo mkdir -p /var/lib/pgadmin4/
sudo mkdir -p /var/log/pgadmin4/
sudo vim /usr/pgadmin4/web/config_local.py
> file will be created, add there the following lines:
> LOG_FILE = '/var/log/pgadmin4/pgadmin4.log'
> SQLITE_PATH = '/var/lib/pgadmin4/pgadmin4.db'
> SESSION_DB_PATH = '/var/lib/pgadmin4/sessions'
> STORAGE_DIR = '/var/lib/pgadmin4/storage'
sudo python3 /usr/pgadmin4/web/setup.py

Set up Apache to run PgAdmin:

sudo yum install policycoreutils-python-utils
sudo chown -R apache:apache /var/lib/pgadmin4
sudo chown -R apache:apache /var/log/pgadmin4
sudo semanage fcontext -a -t httpd_sys_rw_content_t "/var/lib/pgadmin4(/.*)?"
sudo semanage fcontext -a -t httpd_sys_rw_content_t "/var/log/pgadmin4(/.*)?"
sudo restorecon -Rv /var/lib/pgadmin4/
sudo restorecon -Rv /var/log/pgadmin4/
sudo setsebool -P httpd_can_network_connect 1
sudo vim /etc/httpd/conf/httpd.conf
> change Listen 80 to 8080
sudo systemctl restart httpd
sudo systemctl enable httpd

To access it over an SSH tunnel, run the following on a local machine:

ssh -L 8080:127.0.0.1:8080 server@<server_ip_address>

Open in a web-browser:

http://127.0.0.1:8080/pgadmin4/

Initial connection setup in web-UI:

Tree -> Add New Server
name: postgres
host: 127.0.0.1
username: postgres
password: postgres
save password: true

Nginx Proxy Server

Install Nginx server to use it as a reverse proxy:

sudo yum install nginx
sudo systemctl enable nginx
sudo systemctl start nginx
sudo systemctl status nginx

Typical location configuration in /etc/nginx/nginx.conf (the upstream block must be named and proxy_pass must refer to that name, otherwise the keepalive pool is never used):

upstream myapp {
  server 127.0.0.1:8888;
  keepalive 64;
}

server {
    location /myapp/ {
        proxy_pass http://myapp;
        proxy_set_header Connection "";
        proxy_http_version 1.1;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_connect_timeout 500;
    }
}

Nginx HTTP Basic Auth

Set up HTTP Basic Authentication for the chosen location:

Create password file:

sudo yum install httpd-tools
sudo htpasswd -c /etc/nginx/myapp.htpasswd myuser

Configure location entry and restart Nginx:

sudo vim /etc/nginx/nginx.conf
> location /myapp/ {
> auth_basic "My Application";
> auth_basic_user_file /etc/nginx/myapp.htpasswd;
> ...
> }

sudo systemctl restart nginx
sudo systemctl status nginx

LetsEncrypt Certificates

Install CertBot and configure it to use LetsEncrypt certificates with Nginx:

sudo curl -O https://dl.eff.org/certbot-auto
sudo mv certbot-auto /usr/local/bin/certbot-auto
sudo chmod 0755 /usr/local/bin/certbot-auto
sudo /usr/local/bin/certbot-auto --nginx

Make sure that in the Nginx configuration only the CertBot-managed port 443 server block carries the location entries:

sudo vim /etc/nginx/nginx.conf
sudo systemctl restart nginx
sudo systemctl status nginx

Make sure that port 443 is not used by Apache:

sudo vim /etc/httpd/conf.d/ssl.conf
> comment "Listen 443 https" line

Firewall Setup

Set up FirewallD, leaving only SSH, HTTP (redirected to HTTPS by Nginx) and HTTPS open:

sudo firewall-cmd --zone=public --permanent --add-service=http
sudo firewall-cmd --zone=public --permanent --add-service=https
sudo firewall-cmd --zone=public --permanent --remove-service dhcpv6-client
sudo firewall-cmd --zone=public --permanent --remove-service cockpit
sudo firewall-cmd --reload
sudo firewall-cmd --permanent --list-all

Services Cleanup

Disable services that can fail to start for no obvious reason:

sudo systemctl disable kdump
sudo systemctl disable NetworkManager-wait-online

Remove services that can consume too much RAM:

sudo yum remove setroubleshoot-server
sudo yum remove PackageKit

Wilton Runtime

Install the Wilton Runtime from the COPR repository:

sudo yum update
sudo yum install dnf-plugins-core
sudo yum copr enable wilton/wilton
sudo yum update
sudo yum install wilton
wilton -v
> <version>
ls /opt/wilton/
> bin  lib  std.wlib

Wilton Application

Deploy the Wilton application as a SystemD service under an unprivileged user.

Create an OS user; it does NOT need a password or sudo privileges:

sudo adduser myapp

Create a PostgreSQL user and database in the PgAdmin UI:

Tree -> Server -> postgres -> Login/Group Roles -> right click -> Create
name: myapp
password: myapp
privileges: can login
Tree -> Server -> postgres -> Database -> right click -> Create
name: myapp
owner: myapp
Tree -> myapp Server
name: postgres
host: 127.0.0.1
username: myapp
password: myapp
save password: true

If necessary, add Wilton shared JS libraries:

sudo git clone <mylib_url> /opt/wilton/lib/mylib

Clone JS application code:

sudo su - myapp
git clone <myapp_url>
cd myapp

Create database schema in PostgreSQL:

wilton index.js -- -h
wilton index.js -- --re-create-database

Prepare the SystemD service descriptor and follow the instructions printed on screen:

wilton index.js -- -h
wilton index.js -- --create-systemd-unit-file
> Service file written ...