Now on to the fun part: setting up the servers!
I’ve set up 3 new Xen virtual machines, one each in Ireland, the Netherlands and USA. I’ve given them the IPs and hostnames:
22.214.171.124 ie.cwik.ch Dublin, Ireland 126.96.36.199 nl.cwik.ch Amsterdam, The Netherlands 188.8.131.52 us.cwik.ch Chicago, USA
I started with a CentOS 5 install with just the bare minimum installed: cron, ssh, logrotate and syslog.
Step 1: When setting up a new CentOS server, the first thing I always do is run ‘yum -y update’ to install all the latest updates. As usual there was a newer version of kernel-xen available, so I rebooted to make it active.
Step 2: Create a new SSH key pair and install the public key part on the servers. This way I can disable password authentication, making network logins more secure (just change PasswordAuthentication to no in /etc/ssh/sshd_config). To create your own key pair on Linux or Mac OS X, open a Terminal window and run:
cwik:~ cwik$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/Users/cwik/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /Users/cwik/.ssh/id_rsa.
Your public key has been saved in /Users/cwik/.ssh/id_rsa.pub.
The key fingerprint is:be:8b:40:8c:1b:0e:97:11:bb:13:2d:8d:7e:fa:8c:6a firstname.lastname@example.org
The key’s randomart image is:
+--[ RSA 2048]----+ | . | | * | | * o | | . O | |. O + S | | + B . | | + . . | | E + . . . | |o.. o . o. | +-----------------+
cwik:~ cwik$ cat .ssh/id_rsa.pub
Now install this on the server (that’s not my real pub key BTW, just one I created for this blog post ;-)
[cwik@us ~]$ mkdir .ssh
[cwik@us ~]$ touch .ssh/authorized_keys
[cwik@us ~]$ chmod 700 .ssh
[cwik@us ~]$ chmod 600 .ssh/authorized_keys
[cwik@us ~]$ echo “ssh-rsa
EqSccmzdvyeAbo8cbY0cOoao2Q==” >> .ssh/authorized_keys
Note the permissions on .ssh and authorized_keys must only allow the owner read privileges. If you omit this step, login will fail and sshd will log a warning to the secure log.
Alright, I can now log in to my servers using key based authentication! Next, repeat this process on each of the 3 servers themselves, so that I can use ssh (and thus scp and rsync over ssh) without entering a password. This is important for a replication configuration, as I’ll be setting up automated cron jobs to do things like keep my webroot in sync. When finished, each of my servers has a authorized_keys file listing my own public key and the public key of each of the other servers (one per line).
Step 3: I want relatively new versions of PHP and MySQL. The versions CentOS 5 ships with are starting to get a little dated, so I’ve elected to install a couple 3rd party yum repositories which contain newer builds. In particular PHP 5.3 (vs. the stock 5.1) and MySQL 5.1 (vs the stock 5.0). Grab the latest installer RPMs for remi and EPEL and install them using rpm -i <filename>.
Step 4: Install all the software I need:
yum –enablerepo remi –enablerepo epel -y install httpd php php-mysql mysql mysql-server rsync iptables named sudo
Step 5: Configure sudo so I can run commands as root as and when needed without having to re-type my password each time. Run ‘visudo’ and add a new line around line 76 where you see the default root definition:
cwik ALL=(ALL) NOPASSWD: ALL
Step 6: Install an FTP server on the nominated master. I have chosen ie.cwik.ch (at random) as my master file store. I’ll upload any new files and make changes on this server only. Those changes will then be propagated to us.cwik.ch and nl.cwik.ch by means of an automated rsync command that will be run on a regular basis via cron. vsftpd is the standard FTP server for CentOS and works great. It supports SSL, but this is not enabled by default, so I’ll set it up:
[cwik@ie ~]$ yum -y install vsftpd [cwik@ie ~]$ chkconfig vsftpd on [cwik@ie ~]$ openssl req -x509 -nodes -days 999 -newkey rsa:1024 -keyout /etc/vsftpd/vsftpd.pem \ -out /etc/vsftpd/vsftpd.pem (answer some questions here to generate your self-signed cert) [cwik@ie ~]$ vi /etc/vsftpd/vsftpd.conf (add these lines to the bottom): # Enable SSL Support ssl_enable=YES allow_anon_ssl=NO force_local_data_ssl=NO force_local_logins_ssl=NO ssl_tlsv1=YES ssl_sslv2=NO ssl_sslv3=NO rsa_cert_file=/etc/vsftpd/vsftpd.pem # ip_conntrack_ftp doesn't work with encrypted connections. Specify range for passive FTP here. pasv_min_port=5600 pasv_max_port=5700 [cwik@ie ~]$ service vsftpd start
OK, FTP service is running!
Step 7: set up the firewall. Open up /etc/sysconfig/iptables and set up some good firewall rules. Here’s my ruleset that I’m using for this blog. Note that the only open ports are 80 for HTTP, and 53 for DNS. Ports for SSH (I’m running this on the non-standard port 1984) and for FTP and MySQL are restricted to the IPs of my servers only. I’ve also got an exception allowing me to log in via SSH from my laptop. Turn on the firewall with:
chkconfig iptables on service iptables start
That’s about it for the initial server set up. The next tasks are:
- Configuring file replication
- Configuring MySQL and setting up circular replication
- Editing Apache config to suit
- Creating a BIND configuration file and DNS zone
Then I’ll finally be ready to copy over my WordPress blog and go live!