Monday, May 3, 2010

Samba can wait, I need CVS more

CVS is more important to me right now than Samba, so Samba can wait.

The first step was to install cvs, then I created a 'dev' group for use by developers and added myself to that group. Here are the commands:

sudo apt-get -u install cvs
sudo groupadd -r dev
sudo usermod -a -G dev devuser

The install properly created an initialized cvs repository where recommended by the Filesystem Hierarchy Standard at /srv/cvs.
I then copied over all the modules in my old cvs repository on my old server with this kind of command for each module:

cd /srv/cvs
sudo scp -r devuser@oldserver:/var/cvsroot/project .

The cvs install had made the user:group of the files in the cvs directory root:src. I'm not thrilled about the root user, but I'll leave it for now. The src group means nothing to me, so I will change it to dev with:

sudo chown -R :dev /srv/cvs

Next, I have to get pserver working so I can access cvs from my development computer. To do this, xinetd must be installed as follows:

sudo apt-get install xinetd

Then create the file /etc/xinetd.d/cvspserver with the following content:

service cvspserver
{
port = 2401
socket_type = stream
protocol = tcp
user = root
wait = no
type = UNLISTED
server = /usr/bin/cvs
server_args = -f --allow-root /srv/cvs pserver
disable = no
}

Then restart xinetd so that it starts serving pserver:

sudo /etc/init.d/xinetd restart

You can confirm that pserver is running with:

sudo netstat -anp --tcp --udp

and look for the line where xinetd is listening on port 2401.
Make sure all your directories in the cvs directory have the following type of permissions and ownership:

drwxrwsr-x 3 root dev 4096 2010-05-03 23:55 CVSROOT

The group permission bits must be read, write and 's' (set-group-id), and the group must be dev; otherwise creating lock files may fail and developers may not be able to access files in the repository.
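A check for the layout rule above, as an added example that is not part of the original post: it walks a repository and reports every directory whose group is not the one given, whose group bits are not rws, or which is world-writable. It assumes GNU stat (as shipped with Ubuntu) and takes the repository path and the group name as arguments.

```shell
#!/bin/sh
# Added example (not from the original post): audit the ownership and
# permissions of every directory in a CVS repository against the rule in
# the post (group = dev, group rwx, setgid bit set). Assumes GNU stat.

# Report one line per problem with directory $1; silent when it is fine.
check_cvs_dir() {
    dir=$1
    want_group=$2
    perms=$(stat -c '%A' "$dir")     # e.g. drwxrwsr-x
    group=$(stat -c '%G' "$dir")
    if [ "$group" != "$want_group" ]; then
        echo "$dir: group is $group, expected $want_group"
    fi
    case $perms in
        d???rws*) ;;                  # group r, w and setgid-with-exec: OK
        *) echo "$dir: mode $perms, expected group 'rws' (chmod g+rwxs)" ;;
    esac
    case $perms in
        d???????w*) echo "$dir: world-writable, never needed for a CVS tree" ;;
    esac
    return 0
}

# Walk the repository under $1 and collect every deviation from group $2.
# Returns 1 if anything was reported, 0 when all directories are correct.
check_cvs_perms() {
    problems=$(find "$1" -type d | while read -r d; do check_cvs_dir "$d" "$2"; done)
    if [ -n "$problems" ]; then
        printf '%s\n' "$problems"
        return 1
    fi
    echo "$1: all directories are group $2 with g+rwxs"
    return 0
}

# Usage: sh check_cvs_perms.sh /srv/cvs dev
if [ $# -ge 1 ]; then
    check_cvs_perms "$1" "${2:-dev}"
fi
```

A directory that fails the group or setgid test is exactly the one where a developer's lock file would be created with the wrong group; run the check after any scp or chown of the repository.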

More info on setting up CVS can be found at http://doc.ubuntu.com/ubuntu/serverguide/C/cvs-server.html

Next? Setting up Apache.

Server Installed

Installed the server! I always hate the disk partitioning part; it never seems intuitive to me what to do. I selected the LAMP, OpenSSH, PostgreSQL, print and Samba servers to be installed. The first order of business after the install was to set a static IP address. This was done by editing the file /etc/network/interfaces and changing the following line from

iface eth0 inet dhcp

to

iface eth0 inet static
address 192.168.1.30
netmask 255.255.255.0
network 192.168.1.0
broadcast 192.168.1.255
gateway 192.168.1.1

Afterwards, reboot with:

sudo reboot

Now I can do all my work by ssh. Next, Samba setup.

New servers to setup

Now that the latest LTS (Long term support) Ubuntu has been released, and my needs have changed, I'm re-architecting my computer network. I will have 2 servers: one to run my intranet with networked drives, web server, cvs server, printing services for starters; and the other will be on the internet, and only provide a web server running a web application where sensitive financial data is at risk and security is most important.

The first step is to download the latest iso files and burn them to cd. I'm also being thorough and checking MD5s and the whole thing. All the info is found at BurningIsoHowto.

Next will be the installation of the intranet server.

Wednesday, September 30, 2009

Checkout my app

I want an easy way to checkout and update my app. Here is how I did it. On my intranet server, I ran the following command:

ssh -R 2401:localhost:2401 user@myServer.com

This does an ssh login to my external server (which I will call myServer.com) and sets up a reverse tunnel: port 2401 on myServer.com is forwarded back through the ssh connection to port 2401 on my intranet server. Then, from my ssh session on the external server, I can check out my app from the intranet server through the tunnel, which I did as follows:

227 cd /usr/local/share
232 sudo mkdir myApp
234 cd myApp
236 sudo cvs -d :pserver:user@localhost:/var/cvsroot login
237 sudo cvs -d :pserver:user@localhost:/var/cvsroot co myApp
241 sudo cvs -d :pserver:user@localhost:/var/cvsroot up -d


In the future, I just have to run the command at line 241 to update my app.

Next, setting up apache and my certificates.

Sunday, September 27, 2009

CVS installed and running

I got CVS installed and running, created a repository and a module for etc, added some apache configuration files, made a configuration change and committed the change to CVS.

Here are all the commands I executed to accomplish this:

69 sudo apt-get -u install cvs
70 sudo netstat -anp --tcp --udp
74 sudo mkdir /root/cvsroot
77 sudo chmod 700 /root/cvsroot
79 sudo cvs -d /root/cvsroot init
87 sudo mkdir /root/cvsroot/etc
88 sudo cvs -d /root/cvsroot checkout etc
92 sudo cp -R etc/CVS /etc/CVS
98 sudo cvs add apache2
99 cd apache2/
107 sudo cvs -d /root/cvsroot add -kb apache2.conf
108 sudo cvs -d /root/cvsroot add -kb envvars
109 sudo cvs -d /root/cvsroot add -kb httpd.conf
110 sudo cvs -d /root/cvsroot add -kb ports.conf
112 sudo cvs -d /root/cvsroot add sites-available/
115 sudo cvs -d /root/cvsroot add -kb sites-available/default
116 sudo cvs -d /root/cvsroot add -kb sites-available/default-ssl
117 sudo cvs -d /root/cvsroot commit -m "initial apache revision"
119 sudo vi sites-available/default
121 sudo /etc/init.d/apache2 force-reload
166 cd sites-available/
167 sudo cvs -d /root/cvsroot commit -m "remove access to doc and cgi directories"


It looks like installing CVS also installs pserver, which I do not want running. The netstat at line 70 showed that no port was opened by pserver.

I created the cvs repository in /root because I wanted to make sure it was not visible. The chmod at line 77 is probably not needed: subdirectories of cvsroot that are world-readable still cannot be reached without sudo, since /root itself is not world-readable.

CVS makes it awkward to add an existing directory tree to a repository without disturbing the original tree. I got around this by creating the etc module in CVS, checking out the empty module in my home directory, and then moving the ~/etc/CVS directory to /etc (lines 87, 88 and 92 respectively). With this in place, files in /etc can be added to the repository without touching them at all.

The next thing I did was add the apache configuration files to the repository. Do not add the /etc/apache2/conf.d directory or its files to the repository: apache reads every file under conf.d, so it would try to load the files in the CVS subdirectory as configuration, fail, and not start up.

I changed the sites-available/default file so that the cgi and doc directories are no longer served by apache. I don't need them, so I don't want them exposed. The file now looks as follows:

<VirtualHost *:80>
    ServerAdmin webmaster@localhost

    DocumentRoot /var/www
    <Directory />
        Options FollowSymLinks
        AllowOverride None
    </Directory>
    <Directory /var/www/>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride None
        Order allow,deny
        allow from all
    </Directory>

    ErrorLog /var/log/apache2/error.log

    # Possible values include: debug, info, notice, warn, error, crit,
    # alert, emerg.
    LogLevel warn

    CustomLog /var/log/apache2/access.log combined
</VirtualHost>

The next task for me is to use cvs to get my php web app from my intranet server, get ssl working and get my site up and running.

My very own server

I am setting up a server to run a php web app to hold sensitive information. As such, I want to set up a secure server and have lots to learn along the way. I want to blog about this process for 2 reasons: to write down what I learn so I can find it again when I need it, and to share what I learn with others in case it might be useful.

I have installed ubuntu 9.04 server on a second hand P4 box I got for $70 at a local computer recycler. I have in the past used an old laptop to run an intranet server only available inside my home, but it is getting hard to maintain because it is so old and very much underpowered. This P4 box is small and quiet. I now want to see what its power consumption is compared to my old laptop. If it's reasonable, I will replace my intranet server with one of those P4 boxes too.

A bit about the php web app I want to run. It will be dealing with sensitive financial information, so only secure encrypted connections will be allowed. At first, only mysql will be used to store data, but I eventually want to get the app working with postgresql, so both servers will be running. I will not be handling email through this server, for the time being anyway.

I have learned a few things since setting up the server. First, you can get a list of open ports with the command

sudo netstat -anp --tcp --udp

I get the following output:

tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN 2179/mysqld
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 2448/apache2
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 2328/sshd
tcp 0 0 127.0.0.1:5432 0.0.0.0:* LISTEN 27823/postgres
tcp6 0 0 :::22 :::* LISTEN 2328/sshd
tcp6 0 0 ::1:5432 :::* LISTEN 27823/postgres
udp 0 0 0.0.0.0:68 0.0.0.0:* 2289/dhclient3
udp6 0 0 ::1:56146 ::1:56146 ESTABLISHED 27823/postgres

I'll have to turn off the mysql and postgres ports and find out what the dhclient3 is all about.
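The listing above, and the check earlier on this page for xinetd listening on port 2401, both come down to reading netstat output by hand. The script below is an added example, not code from the original posts: it parses the output of "netstat -anp --tcp --udp" (the sample embedded in it is constructed from the listing above), tags each listening socket as reachable from the network or bound to loopback only, and can answer whether anything listens on a given port. It assumes only sh and awk.

```shell
#!/bin/sh
# Added example (not from the original posts): classify the listeners in
# `sudo netstat -anp --tcp --udp` output. A socket bound to 0.0.0.0, :: or
# an interface address is "exposed" to the network; one bound to 127.x or
# ::1 is "loopback" and reachable only from the box itself.

# Listing constructed from the one shown in the post; not live data.
SAMPLE_NETSTAT='tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN 2179/mysqld
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 2448/apache2
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 2328/sshd
tcp 0 0 127.0.0.1:5432 0.0.0.0:* LISTEN 27823/postgres
tcp6 0 0 :::22 :::* LISTEN 2328/sshd
tcp6 0 0 ::1:5432 :::* LISTEN 27823/postgres
udp 0 0 0.0.0.0:68 0.0.0.0:* 2289/dhclient3
udp6 0 0 ::1:56146 ::1:56146 ESTABLISHED 27823/postgres'

# Read netstat output on stdin; print "scope proto port program" per listener.
classify_listeners() {
    awk '
        $1 !~ /^(tcp|udp)6?$/ { next }               # headers, unix sockets
        $1 ~ /^tcp/ && $6 != "LISTEN" { next }        # established TCP is not a listener
        $1 ~ /^udp/ && $6 == "ESTABLISHED" { next }   # connected UDP socket
        {
            n = split($4, parts, ":")                 # IPv6 locals contain colons too
            port = parts[n]
            addr = substr($4, 1, length($4) - length(port) - 1)
            scope = (addr == "::1" || addr ~ /^127\./) ? "loopback" : "exposed"
            print scope, $1, port, $NF
        }'
}

# Only the sockets the rest of the network can reach.
exposed_listeners() {
    classify_listeners | awk '$1 == "exposed"'
}

# Succeed if something listens on port $1 (the post looks for pserver on 2401).
listening_on_port() {
    classify_listeners | awk -v p="$1" '$3 == p { found = 1 } END { exit !found }'
}

# Stand-alone demo on the constructed sample. For a live check, source this
# file and pipe real output: sudo netstat -anp --tcp --udp | exposed_listeners
printf '%s\n' "$SAMPLE_NETSTAT" | exposed_listeners
```

On the sample, mysqld and postgres come out as loopback only, while sshd, apache2 and dhclient3 are exposed; the same filter run on the pserver host should show xinetd on port 2401.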

The next thing I learned was how to get security updates. The command sudo apt-get update is used to update the local list of packages. This does not install anything, but it should be run before any of the following commands to make sure the list of available packages is up to date.

To install updates use sudo apt-get -u upgrade. Some upgrades need to run sudo apt-get -u dist-upgrade. I am not sure of the difference between the two. More info can be found at APT Howto.

The next thing I want to accomplish is to install cvs to track changes to configuration files in the etc directory.