DeployCentOS8
Deploy a Wilton application on a clean CentOS Stream 8 instance:
- SSH Access
- Switch to CentOS Stream
- SELinux Kernel Module
- Cockpit Control Panel
- PostgreSQL Database
- PgAdmin 4 Management UI
- Nginx Proxy Server
- Nginx HTTP Basic Auth
- LetsEncrypt Certificates
- Firewall Setup
- Services Cleanup
- Wilton Runtime
- Wilton Application
Add user for server management:
adduser server
passwd server
usermod -aG wheel server
Setup SSH access using key files, disable root access:
su - server
sudo ls
mkdir .ssh
cd .ssh/
vim authorized_keys
> paste keys
chmod 600 authorized_keys
chmod 700 .
sudo vim /etc/ssh/sshd_config
> PermitRootLogin no
> PasswordAuthentication no
sudo systemctl restart sshd
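An idempotent way to make the two sshd_config changes above, added here as an example that is not part of the original notes: set_sshd_option takes the file as its first argument (so it can be exercised on a copy), and apply_sshd_hardening is a hypothetical wrapper, meant to be run with sudo, that validates the result with `sshd -t` before restarting so a typo cannot lock you out.

```shell
#!/bin/bash
# Added example, not part of the original DeployCentOS8 notes: set an
# sshd_config directive idempotently instead of editing it by hand in vim.
# Handles an existing active directive, a commented-out default such as
# "#PermitRootLogin yes", a missing directive, and a trailing Match block
# (a global option must be inserted before the first Match line).
set -eu

# set_sshd_option FILE KEY VALUE
set_sshd_option() {
    local file="$1" key="$2" value="$3" tmp
    tmp="$(mktemp)"
    awk -v key="$key" -v value="$value" '
        BEGIN { lk = tolower(key); done = 0; inmatch = 0 }
        tolower($1) == "match" && !done { print key, value; done = 1 }
        tolower($1) == "match" { inmatch = 1 }
        inmatch { print; next }                       # leave Match blocks untouched
        tolower($1) == lk { if (!done) { print key, value; done = 1 }; next }
        tolower($1) == ("#" lk) || ($1 == "#" && tolower($2) == lk) {
            if (!done) { print key, value; done = 1; next }
        }
        { print }
        END { if (!done) print key, value }
    ' "$file" > "$tmp"
    cat "$tmp" > "$file"      # overwrite in place, keeping owner and mode 600
    rm -f "$tmp"
}

# apply_sshd_hardening (hypothetical wrapper, run as root): the two changes
# from the notes, validated before the restart.
apply_sshd_hardening() {
    set_sshd_option /etc/ssh/sshd_config PermitRootLogin no
    set_sshd_option /etc/ssh/sshd_config PasswordAuthentication no
    sshd -t && systemctl restart sshd
}
```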
Change installed OS from CentOS 8 to CentOS Stream:
sudo yum update
sudo yum install centos-release-stream
sudo yum swap centos-{linux,stream}-repos
sudo yum distro-sync
cat /etc/centos-release
> CentOS Stream release 8
Check whether the SELinux kernel module is disabled (a hosting provider may do that) and re-enable it:
getenforce
> Disabled
sudo yum install selinux-policy-targeted libselinux-utils policycoreutils
sudo grubby --default-kernel
sudo grubby --info /boot/vmlinuz-<version>
sudo grubby --remove-args=selinux --update-kernel /boot/vmlinuz-<version>
sudo reboot
getenforce
> Enforcing
Install Cockpit server management tool:
sudo yum install cockpit
sudo systemctl enable cockpit.socket
sudo systemctl start cockpit.socket
sudo systemctl status cockpit.socket
To access it over SSH tunnel, run the following on a local machine:
ssh -L 9090:127.0.0.1:9090 server@<server_ip_address>
Open in a web browser and log in with the OS user credentials:
http://127.0.0.1:9090/
Install and configure PostgreSQL version 12:
sudo yum update
sudo yum module enable postgresql:12
sudo yum install postgresql-server
sudo postgresql-setup --initdb
sudo systemctl start postgresql
sudo systemctl status postgresql
sudo systemctl enable postgresql
sudo su - postgres
psql -c "ALTER USER postgres WITH PASSWORD 'postgres';"
exit
sudo vim /var/lib/pgsql/data/pg_hba.conf
> change "ident" to "md5"
sudo systemctl restart postgresql
sudo systemctl status postgresql
Install and configure the PgAdmin 4 DB management UI:
sudo yum install epel-release
sudo yum update
sudo yum install python3-pip python3-psycopg2 python3-psutil python3-bcrypt python3-pynacl python3-flask python3-flask-login python3-email-validator python3-flask-sqlalchemy python3-simplejson python3-flask-migrate python3-ldap3 python3-sqlparse
sudo pip3 install flask-unchained flask-paranoid flask-security sshtunnel flask-gravatar flask-compress
sudo rpm -i https://ftp.postgresql.org/pub/pgadmin/pgadmin4/yum/pgadmin4-redhat-repo-1-1.noarch.rpm
sudo yum install pgadmin4-web
sudo mkdir -p /var/lib/pgadmin4/
sudo mkdir -p /var/log/pgadmin4/
sudo vim /usr/pgadmin4/web/config_local.py
> the file will be created; add the following lines:
> LOG_FILE = '/var/log/pgadmin4/pgadmin4.log'
> SQLITE_PATH = '/var/lib/pgadmin4/pgadmin4.db'
> SESSION_DB_PATH = '/var/lib/pgadmin4/sessions'
> STORAGE_DIR = '/var/lib/pgadmin4/storage'
sudo python3 /usr/pgadmin4/web/setup.py
Setup Apache to run PgAdmin:
sudo yum install policycoreutils-python-utils
sudo chown -R apache:apache /var/lib/pgadmin4
sudo chown -R apache:apache /var/log/pgadmin4
sudo semanage fcontext -a -t httpd_sys_rw_content_t "/var/lib/pgadmin4(/.*)?"
sudo semanage fcontext -a -t httpd_sys_rw_content_t "/var/log/pgadmin4(/.*)?"
sudo restorecon -Rv /var/lib/pgadmin4/
sudo restorecon -Rv /var/log/pgadmin4/
sudo setsebool -P httpd_can_network_connect 1
sudo vim /etc/httpd/conf/httpd.conf
> change Listen 80 to 8080
sudo systemctl restart httpd
sudo systemctl enable httpd
To access it over SSH tunnel, run the following on a local machine:
ssh -L 8080:127.0.0.1:8080 server@<server_ip_address>
Open in a web-browser:
http://127.0.0.1:8080/pgadmin4/
Initial connection setup in web-UI:
Tree -> Add New Server
name: postgres
host: 127.0.0.1
username: postgres
password: postgres
save password: true
Install Nginx server to use it as a reverse proxy:
sudo yum install nginx
sudo systemctl enable nginx
sudo systemctl start nginx
sudo systemctl status nginx
Typical location configuration in /etc/nginx/nginx.conf (the upstream needs a name, and proxy_pass must reference it for the keepalive pool to be used):
upstream myapp {
    server 127.0.0.1:8888;
    keepalive 64;
}
server {
    location /myapp/ {
        proxy_pass http://myapp;
        proxy_set_header Connection "";
        proxy_http_version 1.1;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_connect_timeout 500;
    }
}
Setup HTTP Basic Authentication for the chosen location:
Create password file:
sudo yum install httpd-tools
sudo htpasswd -c /etc/nginx/myapp.htpasswd myuser
Configure the location entry and restart Nginx:
sudo vim /etc/nginx/nginx.conf
> location /myapp/ {
> auth_basic "My Application";
> auth_basic_user_file /etc/nginx/myapp.htpasswd;
> ...
> }
sudo systemctl restart nginx
sudo systemctl status nginx
Install CertBot and configure it to use LetsEncrypt certificates with Nginx:
sudo curl -O https://dl.eff.org/certbot-auto
sudo mv certbot-auto /usr/local/bin/certbot-auto
sudo chmod 0755 /usr/local/bin/certbot-auto
sudo /usr/local/bin/certbot-auto --nginx
Make sure that in the Nginx configuration only the CertBot-managed port 443 server block is used for the location entries:
sudo vim /etc/nginx/nginx.conf
sudo systemctl restart nginx
sudo systemctl status nginx
Make sure that port 443 is not used by Apache:
sudo vim /etc/httpd/conf.d/ssl.conf
> comment "Listen 443 https" line
Setup FirewallD leaving only SSH, HTTP (redirected to HTTPS by Nginx) and HTTPS open:
sudo firewall-cmd --zone=public --permanent --add-service=http
sudo firewall-cmd --zone=public --permanent --add-service=https
sudo firewall-cmd --zone=public --permanent --remove-service dhcpv6-client
sudo firewall-cmd --zone=public --permanent --remove-service cockpit
sudo firewall-cmd --reload
sudo firewall-cmd --permanent --list-all
Disable services that can fail to start for no obvious reason:
sudo systemctl disable kdump
sudo systemctl disable NetworkManager-wait-online
Remove services that can consume too much RAM:
sudo yum remove setroubleshoot-server
sudo yum remove PackageKit
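A post-deploy audit of the hardening steps above (SELinux, effective sshd settings, FirewallD services, pg_hba.conf, Apache listen ports), added here as an example that is not part of the original notes; it assumes the file paths used in this guide, and audit_live() is a hypothetical wrapper that feeds the checks the live values on the server.

```shell
#!/bin/bash
# Added example, not part of the original DeployCentOS8 notes: audit the
# hardening done above. Every check takes the relevant command output or
# file content as a string, so it can be tested offline; audit_live() feeds
# the real values on the server and prints PASS/FAIL per check.
set -eu

check_selinux() { [ "$1" = "Enforcing" ]; }     # "$(getenforce)"

# "$(sshd -T)": the effective settings, not the file, so an override in a
# later directive or drop-in file is caught too.
check_sshd_effective() {
    printf '%s\n' "$1" | grep -qix 'permitrootlogin no' &&
    printf '%s\n' "$1" | grep -qix 'passwordauthentication no'
}

# "$(firewall-cmd --zone=public --list-services)": exactly ssh, http and
# https, confirming cockpit and dhcpv6-client really were removed.
check_firewall_services() {
    local got
    got="$(printf '%s\n' $1 | sort | tr '\n' ' ')"   # unquoted on purpose: split on spaces
    [ "$got" = "http https ssh " ]
}

# "$(cat /var/lib/pgsql/data/pg_hba.conf)": no active entry still uses
# ident (or trust), i.e. the "ident -> md5" edit reached every line.
check_pg_hba() {
    ! printf '%s\n' "$1" | grep -Ev '^[[:space:]]*(#|$)' | awk '{ print $NF }' | grep -Eqx 'ident|trust'
}

# "$(cat /etc/httpd/conf/httpd.conf /etc/httpd/conf.d/ssl.conf)": Apache must
# not hold port 80 or 443; those belong to Nginx and CertBot.
check_apache_ports() {
    ! printf '%s\n' "$1" | grep -Eiq '^[[:space:]]*Listen[[:space:]]+([0-9.]+:)?(80|443)([[:space:]]|$)'
}

# Hypothetical wrapper: run all checks against the live system.
audit_live() {
    local rc=0
    run() { if "$1" "$2"; then echo "PASS $1"; else echo "FAIL $1"; rc=1; fi; }
    run check_selinux "$(getenforce)"
    run check_sshd_effective "$(sudo sshd -T)"
    run check_firewall_services "$(sudo firewall-cmd --zone=public --list-services)"
    run check_pg_hba "$(sudo cat /var/lib/pgsql/data/pg_hba.conf)"
    run check_apache_ports "$(cat /etc/httpd/conf/httpd.conf /etc/httpd/conf.d/ssl.conf)"
    return $rc
}
```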
Install Wilton Runtime from the COPR repository:
sudo yum update
sudo yum install dnf-plugins-core
sudo yum copr enable wilton/wilton
sudo yum update
sudo yum install wilton
wilton -v
> <version>
ls /opt/wilton/
> bin lib std.wlib
Deploy the Wilton application as a SystemD service under an unprivileged user.
Create an OS user; it does NOT need a password or sudo privileges:
sudo adduser myapp
Create the PostgreSQL user and database in the PgAdmin UI:
Tree -> Server -> postgres -> Login/Group Roles -> right click -> Create
name: myapp
password: myapp
privileges: can login
Tree -> Server -> postgres -> Database -> right click -> Create
name: myapp
owner: myapp
Tree -> myapp Server
name: postgres
host: 127.0.0.1
username: myapp
password: myapp
save password: true
If necessary, add Wilton shared JS libraries:
sudo git clone <mylib_url> /opt/wilton/lib/mylib
Clone JS application code:
sudo su - myapp
git clone <myapp_url>
cd myapp
Create database schema in PostgreSQL:
wilton index.js -- -h
wilton index.js -- --re-create-database
Prepare SystemD service descriptor and follow the instructions printed on screen:
wilton index.js -- -h
wilton index.js -- --create-systemd-unit-file
> Service file written ...