Setting Up the Servers

March 22, 2011 under The 100% Uptime Challenge

Now on to the fun part: setting up the servers!

I’ve set up 3 new Xen virtual machines, one each in Ireland, the Netherlands and the USA. I’ve given them the following IPs and hostnames:

  • Dublin, Ireland
  • Amsterdam, The Netherlands
  • Chicago, USA

I started with a CentOS 5 install with just the bare minimum installed: cron, ssh, logrotate and syslog.

Step 1: When setting up a new CentOS server, the first thing I always do is run ‘yum -y update’ to install all the latest updates. As usual there was a newer version of kernel-xen available, so I rebooted to make it active.

Step 2: Create a new SSH key pair and install the public key part on the servers. This way I can disable password authentication, making network logins more secure (just change PasswordAuthentication to no in /etc/ssh/sshd_config). To create your own key pair on Linux or Mac OS X, open a Terminal window and run:

cwik:~ cwik$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/Users/cwik/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /Users/cwik/.ssh/id_rsa.
Your public key has been saved in /Users/cwik/.ssh/
The key fingerprint is:
be:8b:40:8c:1b:0e:97:11:bb:13:2d:8d:7e:fa:8c:6a cwik@cwik.local
The key’s randomart image is:

+--[ RSA 2048]----+
|  .              |
|   *             |
|  * o            |
| . O             |
|. O +   S        |
| + B   .         |
|  + .   .        |
| E + . . .       |
|o.. o . o.       |

cwik:~ cwik$ cat .ssh/
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAzT4QusU0oYWr+hgL8DY06Q7sief07/J145dnEcdMvC++/5A8Sl79Y+Ux
EqSccmzdvyeAbo8cbY0cOoao2Q== cwik@cwik.local

Now install this on the server (that’s not my real pub key BTW, just one I created for this blog post ;-)

[cwik@us ~]$ mkdir .ssh
[cwik@us ~]$ touch .ssh/authorized_keys
[cwik@us ~]$ chmod 700 .ssh
[cwik@us ~]$ chmod 600 .ssh/authorized_keys
[cwik@us ~]$ echo "ssh-rsa
EqSccmzdvyeAbo8cbY0cOoao2Q==" >> .ssh/authorized_keys

Note that the permissions on .ssh and authorized_keys must restrict access to the owner only. If you omit this step, login will fail and sshd will log a warning to the secure log.

Alright, I can now log in to my servers using key based authentication! Next, repeat this process on each of the 3 servers themselves, so that I can use ssh (and thus scp and rsync over ssh) between them without entering a password. This is important for a replication configuration, as I’ll be setting up automated cron jobs to do things like keep my webroot in sync. When finished, each of my servers has an authorized_keys file listing my own public key and the public key of each of the other servers (one per line).
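A small script, added here as an example (not taken from the post), that does the Step 2 key install and adds the permission check the post describes as otherwise surfacing only as a failed login. It assumes GNU coreutils (stat -c), as on the CentOS boxes; the key used in testing is a constructed sample.

```shell
#!/bin/bash
# Added example, not part of the original post: install a public key the
# way Step 2 does, then verify the modes sshd (StrictModes) insists on.
# Assumes GNU stat; paths are whatever home directory you pass in.

# install_authorized_key HOMEDIR "PUBKEY LINE"
# Creates ~/.ssh (0700) and ~/.ssh/authorized_keys (0600) and appends the
# key only if that exact line is absent, so re-running on each of the
# three servers never leaves duplicate entries.
install_authorized_key() {
    local home="$1" key="$2"
    local dir="$home/.ssh" file="$home/.ssh/authorized_keys"
    mkdir -p "$dir"
    chmod 700 "$dir"
    touch "$file"
    chmod 600 "$file"
    # -x whole-line match, -F literal (keys contain '+' and '/')
    if ! grep -qxF -- "$key" "$file"; then
        printf '%s\n' "$key" >> "$file"
    fi
}

# _writable_by_others PATH -> 0 if group or other has the write bit
_writable_by_others() {
    local perms
    perms=$(stat -c '%A' "$1") || return 1      # e.g. drwx------
    case "$perms" in
        ?????w*|????????w*) return 0 ;;         # group write / other write
        *) return 1 ;;
    esac
}

# check_ssh_perms HOMEDIR -> 0 when the home dir, ~/.ssh and
# authorized_keys all exist and carry no group/other write bit; 1 otherwise.
# These are the conditions behind sshd's "bad ownership or modes" refusal.
check_ssh_perms() {
    local home="$1" p rc=0
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        if [ ! -e "$p" ]; then
            echo "missing: $p" >&2; rc=1; continue
        fi
        if _writable_by_others "$p"; then
            echo "group/world writable: $p" >&2; rc=1
        fi
    done
    return $rc
}
```

Run check_ssh_perms against each account that receives a key; a non-zero exit with the offending path on stderr is far quicker to act on than a silent login failure.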

Step 3: I want relatively new versions of PHP and MySQL. The versions CentOS 5 ships with are starting to get a little dated, so I’ve elected to install a couple of third-party yum repositories which contain newer builds. In particular PHP 5.3 (vs. the stock 5.1) and MySQL 5.1 (vs. the stock 5.0). Grab the latest installer RPMs for remi and EPEL and install them using rpm -i <filename>.

Step 4: Install all the software I need:

yum --enablerepo remi --enablerepo epel -y install httpd php php-mysql mysql mysql-server rsync iptables named sudo

Step 5: Configure sudo so I can run commands as root as and when needed without having to re-type my password each time. Run ‘visudo’ and add a new line around line 76 where you see the default root definition:

cwik    ALL=(ALL)       NOPASSWD: ALL

Step 6: Install an FTP server on the nominated master. I have chosen (at random) as my master file store. I’ll upload any new files and make changes on this server only. Those changes will then be propagated to and by means of an automated rsync command that will be run on a regular basis via cron. vsftpd is the standard FTP server for CentOS and works great. It supports SSL, but this is not enabled by default, so I’ll set it up:

[cwik@ie ~]$ yum -y install vsftpd
[cwik@ie ~]$ chkconfig vsftpd on
[cwik@ie ~]$ openssl req -x509 -nodes -days 999 -newkey rsa:1024  -keyout /etc/vsftpd/vsftpd.pem  \
    -out /etc/vsftpd/vsftpd.pem
(answer some questions here to generate your self-signed cert)
[cwik@ie ~]$ vi /etc/vsftpd/vsftpd.conf
(add these lines to the bottom):
# Enable SSL Support

# ip_conntrack_ftp doesn't work with encrypted connections. Specify range for passive FTP here.
[cwik@ie ~]$ service vsftpd start

OK, FTP service is running!

Step 7: Set up the firewall. Open up /etc/sysconfig/iptables and set up some good firewall rules. Here’s my ruleset that I’m using for this blog. Note that the only open ports are 80 for HTTP, and 53 for DNS. Ports for SSH (I’m running this on the non-standard port 1984) and for FTP and MySQL are restricted to the IPs of my servers only. I’ve also got an exception allowing me to log in via SSH from my laptop. Turn on the firewall with:

chkconfig iptables on
service iptables start
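The ruleset itself isn't reproduced above, so here is an added example (my own, not the author's actual rules) that generates an /etc/sysconfig/iptables file for the policy Step 7 describes. The server and laptop addresses are placeholders from the RFC 5737 documentation ranges, and the passive FTP range is an assumed value that must match the pasv_min_port/pasv_max_port settings in vsftpd.conf, since (as noted in Step 6) ip_conntrack_ftp cannot follow the encrypted control channel.

```shell
#!/bin/bash
# Added example, not the post's real ruleset: emit /etc/sysconfig/iptables
# in iptables-save format for the policy in Step 7. Addresses below are
# placeholders (RFC 5737 ranges), override them via the environment.
SERVER_IPS="${SERVER_IPS:-192.0.2.10 192.0.2.20 192.0.2.30}"   # ie, nl, us
LAPTOP_IP="${LAPTOP_IP:-198.51.100.5}"
SSH_PORT=1984                # the post's non-standard SSH port
PASV_RANGE="40000:40100"     # assumed; must equal pasv_min/max_port in vsftpd.conf

# firewall_rules -> prints the complete ruleset to stdout
firewall_rules() {
    local ip
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# public services: HTTP and DNS (the only ports open to everyone)
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 53 -j ACCEPT
-A INPUT -p udp --dport 53 -j ACCEPT
# SSH on the non-standard port, from my laptop only
-A INPUT -p tcp -s $LAPTOP_IP --dport $SSH_PORT -j ACCEPT
EOF
    for ip in $SERVER_IPS; do
        cat <<EOF
# peer $ip: SSH (rsync), MySQL replication, FTP control + passive data
-A INPUT -p tcp -s $ip --dport $SSH_PORT -j ACCEPT
-A INPUT -p tcp -s $ip --dport 3306 -j ACCEPT
-A INPUT -p tcp -s $ip --dport 21 -j ACCEPT
-A INPUT -p tcp -s $ip --dport $PASV_RANGE -j ACCEPT
EOF
    done
    echo "COMMIT"
}
```

Write the output to /etc/sysconfig/iptables (for example, firewall_rules > /etc/sysconfig/iptables) before running the chkconfig and service commands above; everything not matched above is dropped by the INPUT policy.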

That’s about it for the initial server set up. The next tasks are:

  • Configuring file replication
  • Configuring MySQL and setting up circular replication
  • Editing Apache config to suit
  • Creating a BIND configuration file and DNS zone

Then I’ll finally be ready to copy over my WordPress blog and go live!