Pilot drupal service setup
Initial system installation
Initially installed using a CDB profile.
After the initial installation phase the following changes are made:
dequattorization
rpm -ivh http://linuxsoft.cern.ch/cern/slc5X/x86_64/SL/yum-conf-5X-6.slc5.cern.noarch.rpm
yum remove ncm\* ccm\* \*spma\*
yum install lcm\*
yum update
Edit /etc/pam.d/system-auth and comment out the pam_listfile entries.
Software installation:
php
Edit /etc/yum.repos.d/Centos-testing.repo and insert the following into the file:
[c5-testing]
name=CentOS-5 Testing
baseurl=http://dev.centos.org/centos/5/testing/$basearch/
enabled=1
gpgcheck=1
gpgkey=http://dev.centos.org/centos/RPM-GPG-KEY-CentOS-testing
includepkgs=php*
then install php:
yum remove php\*
yum --disablerepo=slc5\* install php-pdo php-pear php-mysql php-mbstring php-common php-gd php php-cli php-xml
(note: the removal is needed because by default the boxes come preconfigured with an unsupported/unmaintained php version)
shibboleth
yum install shibboleth log4shib
(see: http://cern.ch/linux/scientific5/docs/shibboleth.shtml)
other needed software
Install git and other tools:
yum install git subversion yum-autoupdate apr-devel.x86_64 apr-util-devel.x86_64
Install httpd itk / femail / mod_chroot / php-pecl-apc / shibboleth-selinux from:
/afs/cern.ch/project/linux/dev/drupal/RPMS/x86_64
MySQL
yum install mysql mysql-devel mysql-test mysqlreport mysqltuner
Configuration
System
/etc/sysconfig/selinux
SELINUXTYPE=targeted
SELINUX=enforcing
setsebool httpd_can_network_connect_db 1
setsebool httpd_can_network_relay 1
setsebool httpd_enable_homedirs 0
setsebool allow_httpd_sys_script_anon_write 1
/etc/sysconfig/iptables
#### MySQL replication: drupalsrv01, drupalsrv02
-A RH-Firewall-1-INPUT -p tcp -m tcp -s 128.142.224.60 --dport 3306 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp -s 128.142.224.75 --dport 3306 -j ACCEPT
#### MySQL web frontends: drupal03,drupal04,drupal05,drupal06
-A RH-Firewall-1-INPUT -p tcp -m tcp -s 128.142.172.8 --dport 3306 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp -s 128.142.172.9 --dport 3306 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp -s 128.142.172.11 --dport 3306 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp -s 128.142.172.12 --dport 3306 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport http -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport https -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 444 -j ACCEPT
/sbin/chkconfig --add iptables
/sbin/service iptables start
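The rules above are meant to expose MySQL (tcp/3306) only to the listed replication peers and web frontends. The following shell script is an added example, not part of the original page: it audits a rules file in the /etc/sysconfig/iptables format shown above, lists the sources allowed to reach 3306, and flags any 3306 ACCEPT rule that carries no "-s" source match. The sample rules file it writes is constructed here (two of the page's replication sources plus one deliberately source-less rule so the check has something to catch).

```shell
#!/bin/sh
# Added example (not from the original page): audit an iptables rules file so that
# every rule accepting MySQL (tcp/3306) is restricted to an explicit source address.

# write_sample_rules FILE: write a constructed sample rules file to FILE. The two
# -s sources mirror the page's replication rules; the third 3306 rule is a deliberate
# mistake added here (no -s match) so the audit has something to report.
write_sample_rules() {
    cat > "$1" <<'EOF'
#### MySQL replication: drupalsrv01, drupalsrv02
-A RH-Firewall-1-INPUT -p tcp -m tcp -s 128.142.224.60 --dport 3306 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp -s 128.142.224.75 --dport 3306 -j ACCEPT
#### constructed mistake: opens 3306 to every source
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 3306 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport http -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport https -j ACCEPT
EOF
}

# allowed_mysql_sources FILE: print, one per line, the source addresses allowed to reach 3306.
allowed_mysql_sources() {
    sed -n 's/^-A .*-s \([0-9.]*\) .*--dport 3306 .*-j ACCEPT.*/\1/p' "$1"
}

# unrestricted_mysql_rules FILE: print every uncommented 3306 ACCEPT rule with no -s match.
# Returns 1 when at least one such rule exists, 0 when the port is properly restricted.
unrestricted_mysql_rules() {
    bad=$(grep -- '--dport 3306' "$1" | grep -v '^#' | grep -- '-j ACCEPT' | grep -v -- ' -s ' || true)
    if [ -n "$bad" ]; then
        printf 'UNRESTRICTED: %s\n' "$bad"
        return 1
    fi
    return 0
}

# Stand-alone run: audit the constructed sample file.
tmp=$(mktemp)
write_sample_rules "$tmp"
echo "hosts allowed to reach 3306:"
allowed_mysql_sources "$tmp"
unrestricted_mysql_rules "$tmp" && echo "3306 restricted: OK" || echo "3306 restricted: FAIL"
rm -f "$tmp"
```

Run it against the real file with `unrestricted_mysql_rules /etc/sysconfig/iptables` after editing the rules; a non-zero return means a 3306 rule is open to any source, which on this setup would expose the replication masters beyond the six listed hosts.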
Prepare ssh DSA keys for root on 01 and 02 (ssh-keygen -t dsa) and add them to /root/.ssh/authorized_keys on both 01 and 02.
MySQL
chcon -R system_u:object_r:mysqld_db_t /data01
mkdir /data01/mysql
chown mysql:mysql /data01
Edit /etc/my.cnf and add the following lines:
# note: drupalsrv01 and drupalsrv02 are running in master-master mode !
[mysqld]
log-bin=mysql-bin
server-id=1 # 2 on 02
port=3306
datadir=/data01/mysql
socket=/var/lib/mysql/mysql.sock
user=mysql
# note: slave replica set using mysql !
auto_increment_increment= 2
auto_increment_offset = 1 # 2 on 02 to avoid auto-increment collisions
[mysqld_safe]
log-error=/var/log/mysqld.log
pid-file=/var/run/mysqld/mysqld.pid
Enable the server:
/sbin/chkconfig --levels 345 mysqld on
/sbin/service mysqld start
Setup the database:
# mysql_secure_installation
(Set root password? [Y/n] y , Remove anonymous users? [Y/n] y , Disallow root login remotely? [Y/n] y , Remove test database and access to it? [Y/n] y , Reload privilege tables now? [Y/n] y)
Setup master-master replication:
http://dev.mysql.com/doc/refman/5.0/en/replication-howto.html,
http://www.howtoforge.com/mysql_master_master_replication
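The my.cnf fragment above relies on server-id, auto_increment_increment and auto_increment_offset differing between the two masters so that rows inserted on drupalsrv01 and drupalsrv02 never receive the same AUTO_INCREMENT id. The shell script below is an added example, not part of the original page: it renders the replication-relevant [mysqld] lines for node 1 or 2 (numbering as on the page), shows the disjoint id sequences each node would hand out, and checks that a pair of fragments is consistent before they are deployed. NODE_COUNT and the helper names are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original page): render and sanity-check the per-node
# master-master options for the drupalsrv01/drupalsrv02 pair described above.

NODE_COUNT=2   # assumption: two writable masters in the ring (01 and 02)

# render_mysqld_fragment NODE: print the [mysqld] lines that differ per node or matter for replication.
render_mysqld_fragment() {
    node=$1
    printf '[mysqld]\n'
    printf 'log-bin=mysql-bin\n'
    printf 'server-id=%s\n' "$node"
    printf 'auto_increment_increment=%s\n' "$NODE_COUNT"
    printf 'auto_increment_offset=%s\n' "$node"
}

# option_value KEY FRAGMENT: extract KEY's value from a rendered fragment (whitespace around = allowed).
option_value() {
    printf '%s\n' "$2" | sed -n "s/^$1[[:space:]]*=[[:space:]]*//p"
}

# generated_ids NODE N: print the first N AUTO_INCREMENT ids node NODE would assign,
# i.e. offset, offset+increment, offset+2*increment, ... (space separated).
generated_ids() {
    i=0
    out=""
    while [ "$i" -lt "$2" ]; do
        out="$out${out:+ }$(( $1 + i * NODE_COUNT ))"
        i=$((i + 1))
    done
    printf '%s\n' "$out"
}

# pair_is_consistent FRAG1 FRAG2: return 0 when the two fragments form a valid master-master
# pair: distinct server-id, distinct offset, and both increments equal to NODE_COUNT.
pair_is_consistent() {
    id1=$(option_value server-id "$1");  id2=$(option_value server-id "$2")
    off1=$(option_value auto_increment_offset "$1"); off2=$(option_value auto_increment_offset "$2")
    inc1=$(option_value auto_increment_increment "$1"); inc2=$(option_value auto_increment_increment "$2")
    [ "$id1" != "$id2" ] && [ "$off1" != "$off2" ] \
        && [ "$inc1" = "$NODE_COUNT" ] && [ "$inc2" = "$NODE_COUNT" ]
}

# Stand-alone run: show both fragments and the disjoint id sequences.
frag1=$(render_mysqld_fragment 1)
frag2=$(render_mysqld_fragment 2)
printf '%s\n\n%s\n' "$frag1" "$frag2"
echo "drupalsrv01 ids: $(generated_ids 1 5)"   # 1 3 5 7 9
echo "drupalsrv02 ids: $(generated_ids 2 5)"   # 2 4 6 8 10
pair_is_consistent "$frag1" "$frag2" && echo "pair consistent" || echo "pair NOT consistent"
```

The consistency check is the part worth keeping around: copying 01's my.cnf to 02 without changing server-id and auto_increment_offset is exactly the mistake that produces duplicate-key replication errors on a master-master pair, and `pair_is_consistent` returns non-zero for that case.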
Apache
chcon -R root:object_r:httpd_sys_content_t /data02
Edit /etc/httpd/conf.d/mod_chroot.conf and insert the following lines:
PidFile /var/run/httpd.pid
ChrootDir /data02/httpdroot
LockFile /var/run/httpd.lock
CoreDumpDirectory /var/run
ScoreBoardFile /var/run/httpd.scoreboard
LoadFile /usr/lib64/shibboleth/adfs.so
LoadFile /usr/lib64/shibboleth/adfs-lite.so
LoadFile /lib64/libnss_dns.so.2
LoadFile /lib64/libresolv.so.2
Edit /etc/httpd/conf/httpd.conf and comment out the line:
#PidFile run/httpd.pid
Add at the bottom:
TraceEnable Off
Edit /etc/httpd/conf.d/ssl.conf and add the lines:
Listen 443
Listen 444
SSLCertificateFile /etc/pki/tls/certs/star-20101120.crt
SSLCertificateKeyFile /etc/pki/tls/private/star-20101120.key
SSLCertificateChainFile /etc/pki/tls/certs/intermediate.crt
(Certificates are to be obtained from the webafs server managers!)
Edit /etc/sysconfig/httpd and insert the line:
HTTPD=/usr/sbin/httpd.itk
Modify /etc/init.d/httpd:
TBD
chattr +i /etc/init.d/httpd
/sbin/chkconfig --levels 345 httpd on
/sbin/service httpd start
Shibboleth
/sbin/chkconfig --levels 345 shibd on
/sbin/service shibd start
Cron jobs
On master (drupalsrv01), crontab -l:
# druman jobs
# run cron on all sites every 15 minutes
10,25,40,55 * * * * /data02/bin/sites.cron.sh
# run backup on all sites every 12 hours
30 13,1 * * * /data02/bin/backup.cron.sh
On slave (drupalsrv02), crontab -l:
# druman jobs
### uncomment only if drupalsrv02 is the master !
# run cron on all sites every 15 minutes
# 10,25,40,55 * * * * /data02/bin/sites.cron.sh
# run backup on all sites every 12 hours
# 30 13,1 * * * /data02/bin/backup.cron.sh
### comment out if drupalsrv02 becomes master !
5,35 * * * * /data02/bin/mirror_from_01.sh > /var/log/druman/mirror_from_01.log 2>&1
--
JaroslawPolok - 04-Oct-2010