Pilot drupal service setup

Initial system installation

The system is initially installed using a CDB profile.
After the initial installation phase, the following changes are made:

dequattorization

rpm -ivh http://linuxsoft.cern.ch/cern/slc5X/x86_64/SL/yum-conf-5X-6.slc5.cern.noarch.rpm
yum remove ncm\* ccm\* \*spma\*
yum install lcm\* 
yum update
Edit /etc/pam.d/system-auth and comment out the pam_listfile entries.

Software installation:

php

Edit /etc/yum.repos.d/Centos-testing.repo and insert the following into the file:
[c5-testing]
name=CentOS-5 Testing
baseurl=http://dev.centos.org/centos/5/testing/$basearch/
enabled=1
gpgcheck=1
gpgkey=http://dev.centos.org/centos/RPM-GPG-KEY-CentOS-testing
includepkgs=php* 
Then install php:
yum remove php\*
yum  --disablerepo=slc5\*  install php-pdo php-pear php-mysql php-mbstring php-common php-gd php php-cli php-xml
(Note: php is removed first because by default the boxes are preconfigured with an unsupported/unmaintained php version.)

shibboleth

yum install shibboleth log4shib
(see: http://cern.ch/linux/scientific5/docs/shibboleth.shtml)

other needed software

Install git and related packages:
yum install git subversion yum-autoupdate apr-devel.x86_64 apr-util-devel.x86_64
Install http itk / femail / mod_chroot / php-pecl-apc / shibboleth-selinux from:
/afs/cern.ch/project/linux/dev/drupal/RPMS/x86_64

MySQL

yum install mysql mysql-devel mysql-test mysqlreport mysqltuner

Configuration

System

Edit /etc/sysconfig/selinux and set:
SELINUXTYPE=targeted
SELINUX=enforcing
Then set the SELinux booleans (-P makes them persist across reboots):
setsebool -P httpd_can_network_connect_db 1
setsebool -P httpd_can_network_relay 1
setsebool -P httpd_enable_homedirs 0
setsebool -P allow_httpd_sys_script_anon_write 1

/etc/sysconfig/iptables

#### MySQL replication: drupalsrv01, drupalsrv02
-A RH-Firewall-1-INPUT -p tcp -m tcp -s 128.142.224.60 --dport 3306 -j ACCEPT 
-A RH-Firewall-1-INPUT -p tcp -m tcp -s 128.142.224.75 --dport 3306 -j ACCEPT
#### MySQL web frontends: drupal03,drupal04,drupal05,drupal06
-A RH-Firewall-1-INPUT -p tcp -m tcp -s 128.142.172.8 --dport 3306 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp -s 128.142.172.9 --dport 3306 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp -s 128.142.172.11 --dport 3306 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp -s 128.142.172.12 --dport 3306 -j ACCEPT

-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport http -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport https -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 444 -j ACCEPT
Enable and start the firewall:
/sbin/chkconfig --add iptables
/sbin/service iptables start
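
One way to check the MySQL rules above before loading them, as an added example that is not part of the original page: the function lists every ACCEPT rule for port 3306 whose source is missing or not in an allow-list. The function name, the output labels and the two flagged sample rules are constructed for illustration.

```shell
#!/bin/sh
# audit_mysql_rules RULES_FILE ALLOWED_IP...
# Prints each ACCEPT rule for tcp port 3306 whose source address is missing
# or not in the allow-list. Only single-port --dport matches are examined.
audit_mysql_rules() {
    rules_file=$1; shift
    awk -v allowed=" $* " '
        /^[ \t]*#/ || !/-j ACCEPT/ { next }      # skip comments and non-ACCEPT lines
        {
            src = ""; port = ""
            for (i = 1; i < NF; i++) {
                if ($i == "-s" || $i == "--source") src = $(i + 1)
                if ($i == "--dport") port = $(i + 1)
            }
            if (port != "3306" && port != "mysql") next
            sub(/\/32$/, "", src)                 # iptables-save writes host/32
            if (src == "") print "NO-SOURCE: " $0
            else if (index(allowed, " " src " ") == 0) print "UNLISTED: " $0
        }' "$rules_file"
}

# Constructed sample: two replication rules from this page, followed by two
# constructed rules (an unlisted source and a rule with no source at all).
sample=$(mktemp)
cat > "$sample" <<'EOF'
#### MySQL replication: drupalsrv01, drupalsrv02
-A RH-Firewall-1-INPUT -p tcp -m tcp -s 128.142.224.60 --dport 3306 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp -s 128.142.224.75 --dport 3306 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp -s 192.0.2.50 --dport 3306 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 3306 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport https -j ACCEPT
EOF

# Allow-list: the two replication peers; the last two 3306 rules are reported.
audit_mysql_rules "$sample" 128.142.224.60 128.142.224.75
```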

Prepare SSH DSA keys for root on 01 and 02 (ssh-keygen -t dsa) and add them to /root/.ssh/authorized_keys on 01 and 02.

MySQL

chcon -R system_u:object_r:mysqld_db_t /data01
mkdir /data01/mysql
chown mysql:mysql /data01

Edit /etc/my.cnf and add the following lines:

# note: drupalsrv01 and drupalsrv02 are running in master-master mode !
[mysqld]
log-bin=mysql-bin
server-id=1                  # 2 on 02  
port=3306
datadir=/data01/mysql
socket=/var/lib/mysql/mysql.sock
user=mysql

# note: slave replica set using mysql !
auto_increment_increment= 2             
auto_increment_offset   = 1                 # 2 on 02 to avoid auto-increment  collisions 

[mysqld_safe]
log-error=/var/log/mysqld.log
pid-file=/var/run/mysqld/mysqld.pid

Enable the server:

/sbin/chkconfig --levels 345 mysqld on
/sbin/service mysqld start
Set up the database:
# mysql_secure_installation
(Set root password? [Y/n] y , Remove anonymous users? [Y/n] y , Disallow root login remotely? [Y/n] y , Remove test database and access to it? [Y/n] y , Reload privilege tables now? [Y/n] y)

Set up master-master replication; see http://dev.mysql.com/doc/refman/5.0/en/replication-howto.html and http://www.howtoforge.com/mysql_master_master_replication
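
The my.cnf above depends on the two masters differing in server-id and auto_increment_offset while sharing an auto_increment_increment of at least 2. The following added example (not part of the original page) compares two copies of the file for exactly that; the function names, output labels and the sample files are constructed for illustration.

```shell
#!/bin/sh
# cnf_get FILE KEY: value of KEY in the [mysqld] section only. Comments are
# stripped, and "-" is treated like "_" in option names, as MySQL does.
cnf_get() {
    awk -v key="$2" '
        /^\[/ { in_sec = ($0 ~ /^\[mysqld\]/); next }
        in_sec {
            line = $0
            sub(/#.*/, "", line)
            n = index(line, "=")
            if (n == 0) next
            k = substr(line, 1, n - 1); v = substr(line, n + 1)
            gsub(/[ \t]/, "", k); gsub(/[ \t]/, "", v); gsub(/-/, "_", k)
            if (k == key) val = v
        }
        END { print val }' "$1"
}

# check_master_pair CNF_A CNF_B: one line per problem, no output if consistent.
check_master_pair() {
    for key in server_id auto_increment_offset; do
        a=$(cnf_get "$1" "$key"); b=$(cnf_get "$2" "$key")
        [ -n "$a" ] && [ -n "$b" ] || { echo "MISSING $key"; continue; }
        [ "$a" != "$b" ] || echo "DUPLICATE $key=$a"
    done
    ia=$(cnf_get "$1" auto_increment_increment)
    ib=$(cnf_get "$2" auto_increment_increment)
    # Both masters must step by the same amount, at least the number of masters.
    [ "$ia" = "$ib" ] && [ "${ia:-0}" -ge 2 ] ||
        echo "BAD auto_increment_increment: '$ia' vs '$ib'"
}

# Constructed sample files modelled on the my.cnf above.
make_cnf() {  # make_cnf SERVER_ID OFFSET -> prints the path of a temp file
    f=$(mktemp)
    printf '[mysqld]\nlog-bin=mysql-bin\nserver-id=%s   # per host\nauto_increment_increment= 2\nauto_increment_offset   = %s\n[mysqld_safe]\nserver-id=99\n' "$1" "$2" > "$f"
    echo "$f"
}

# 02 was copied from 01 and only server-id was changed: the offset collides.
cnf01=$(make_cnf 1 1); cnf02=$(make_cnf 2 1)
check_master_pair "$cnf01" "$cnf02"
```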

Apache

chcon -R root:object_r:httpd_sys_content_t /data02
Edit /etc/httpd/conf.d/mod_chroot.conf and insert the following lines:
PidFile  /var/run/httpd.pid
ChrootDir /data02/httpdroot
LockFile /var/run/httpd.lock
CoreDumpDirectory /var/run
ScoreBoardFile /var/run/httpd.scoreboard

LoadFile /usr/lib64/shibboleth/adfs.so
LoadFile /usr/lib64/shibboleth/adfs-lite.so

LoadFile /lib64/libnss_dns.so.2
LoadFile /lib64/libresolv.so.2
Edit /etc/httpd/conf/httpd.conf and comment out the line:
#PidFile run/httpd.pid
Add at the bottom:
TraceEnable Off
Edit /etc/httpd/conf.d/ssl.conf and add the lines:
Listen 443
Listen 444
SSLCertificateFile /etc/pki/tls/certs/star-20101120.crt
SSLCertificateKeyFile /etc/pki/tls/private/star-20101120.key
SSLCertificateChainFile /etc/pki/tls/certs/intermediate.crt
(Certificates are to be obtained from the webafs server managers!)

Edit /etc/sysconfig/httpd and insert the line:

HTTPD=/usr/sbin/httpd.itk

Modify /etc/init.d/httpd

TBD

chattr +i /etc/init.d/httpd

/sbin/chkconfig --levels 345 httpd on
/sbin/service httpd start

Shibboleth

/sbin/chkconfig --levels 345 shibd on
/sbin/service shibd start

Cron jobs

On master (drupalsrv01), crontab -l:

# druman jobs

# run cron on all sites every 15 minutes
10,25,40,55 * * * * /data02/bin/sites.cron.sh

# run backup on all sites every 12 hours
30 13,1 * * * /data02/bin/backup.cron.sh

On slave (drupalsrv02), crontab -l:

# druman jobs

### uncomment only if drupalsrv02 is the master !
# run cron on all sites every 15 minutes
# 10,25,40,55 * * * * /data02/bin/sites.cron.sh

# run backup on all sites every 12 hours
# 30 13,1 * * * /data02/bin/backup.cron.sh

### comment out if drupalsrv02 becomes master !
5,35 * * * * /data02/bin/mirror_from_01.sh > /var/log/druman/mirror_from_01.log 2>&1

-- JaroslawPolok - 04-Oct-2010

Topic revision: r15 - 2010-12-01 - JaroslawPolok
 