Forum OpenACS Q&A: Any contributions to a RH HowTo?

I'm not sure a "for dummies" section wants to include information on updating to the most recent kernel.  My feeling is that the best way to build a stable system is to use whatever release (i.e. 6.2 in this case) is deemed most stable and to leave it alone unless you really need to change it.  For instance, I have no compelling need to update my personal web/db server to any 2.4 kernel, even when they've been out and hammered on for a bit longer.  My system's stable and the "if it ain't broke don't fix it" principle applies.

Very useful would be to explain why buying the current RH version and installing it isn't necessarily the thing to do, i.e. we've been telling folks to stick with 6.2 rather than 7.0 (especially) and 7.1 (let others be the guinea pigs).

I gave a presentation on basic Linux security that teaches why and how to disable services, among other things. I need to add a couple slides, then I'll post the link here.

And lastly, this would be great to be contributed to the OpenACS docs. Whatever format you write it in (as long as we can export to HTML). Doing it in DocBook is a plus, but don't get stuck there.

Keeping in mind that OpenACS 4 will support Oracle as well as PG it might be good to include Oracle stuff, too.

Check out http://jordan.fortwayne.com/oracle/ for another handy source of information on how to set up Oracle on RH. Alot of it mirrors what you find in ACS's install guide, but it has a section for Oracle 8.1.7 for Linux.

Since we are discussing HowTos, I want to encourage anyone who is using other platforms (other Linux flavors as well as other Unix variants) to make a HowTo out of the steps it takes to get their site up and running. Even if you are running something other than RH, but the steps are exactly the same and work, it would be great if you let author know what system you are using and that it worked so it can be listed as compatible.

I look forward to the day in the not-too-distant future when I can run a OpenACS dev site on a Mac OS X laptop!

I'll be the guinea pig (or am I?), although not on a production machine. I just installed RH7.1, it was very smooth. This was the first time I got my sound card (SB 128) to work with Linux. All previous attempts had failed me, but now it worked out-of-the-box :)

I will be installing 3.2.5/PG7.1 on RH7.1 this week. I'll post the differences to the RH6.2 install guide later this week (if I am succesful, that is).

I don't use Win2k all that often, though. Maybe I could try installing OpenACS on W2K and see where it dies. Does anyone have experience with that?

The reason why it's easier to get the SB 128 to work with RH 7.1 is because the 2.4 kernel is much better at plug-and-pray devices. For my card, I just do "modprobe sb" and voila'.

My own personal opinion: your average cracker is probably more interested in finding some vulnerable Wintel box to host some clandestine activities and isn't going to try busting into moderately secure box. Crackers going for glory are probably more interested in hacking some government web site or major portal. I'm guessing that by doing the basics and plugging up the most egregious holes, you're probably safer than 95% (maybe more) of all computers on the 'net.

The only worthwhile thing I ever wrote about Linux was basic Red Hat Linux 5.2 installation guide in autumn 1998, but that article is now obsolete and useless.

David, I suggest you work off of Jon Griffin's notes and some of the better security guides now available on the 'net.

I have to disagree with installing RH 6.2. That release is a security flaw waiting to happen. The kernel is really not safe, and most of the packages have major exploits.

If you don't want to compile a kernel yourself you should probably not be hosting your own site, period.

Also, don't use a 2.4.x kernel because there are major files system corruption problems and some minor security issues (mainly NFS).

Use 2.2.19, very stable and all know exploits are gone (of course someone will find more, but the script kiddies won't hit you).

I already read through your "Linux Security & Performance Notes" and they are great.

What I want to do is make it more understandable for people that don't know that much about linux. And I want to start from the very beginning.

I assume that somebody wants to get openacs running and make something real out of it. But he doesn't want to bother around with all the stuff he never heard of and he might not need to run his web service. And out of my own experience it is sometimes hard to know things like make a symbolic link etc. Why not say make a symbolik link which works like this: type in "ln -s ...."

So I will start with:
- Get your RH 6.2 iso file either from a. or b. or c. and install it this way. (I read through the Hitchhickers Guide and will use that to some extent)
- At the end of the day he should have his service with a scalable and secure openacs up and running.

And yes I want to cover the kernel recompile section in it and the performance and security as well...

I will be writing it in docbook. My extra section will be how to write your own doc in DocBook.

I will post my structure on the openacs.org/file-storage soon. It would be great if you could go over it and make some suggestions. What do you think?

I hold it with A. Einstein "Everything should be made as simple as possible, but not simpler."

David

As Jon mentioned, if you can't compile a kernel from the source, you're simply not qualified to be administering a production web server. End of discussion. By the time something like Red Hat Linux ships, there's probably a newer kernel out there, often before the CDs hit the store shelves. If you installed RH 6.2 and your kernel is still 2.2.16 (or whatever it was), you're at risk for a security breach.

Essentially any unpatched Linux distribution is bad. The vulnerabilities for every single unpatched version of any major Linux distribution are very well documented. That's the first thing any script kiddie is going to try.

As best as I understand, the guys at Openwall don't even bother releasing their patch until a particular version of the kernel is "safe" (they are conservative): http://www.openwall.com/linux

David, I've mentioned several times that what I write is geared toward people who understand *nix. If I need to type in "a symbolic link (a.k.a. "cloning") is accomplished by typing ln -s ..." then I've mimicked the other 400 page Linux books out there to no avail.

You cannot run a secure and reliable service with the Macintosh "click the continue button to continue" method. Anyone who can recompile their Linux kernel will not need explanation on how to create a symbolic link in a *nix operating system. If you need explanation on how to read a man page, how to use chkconfig to turn off a service, how to check for services that might not be using chkconfig, then you don't understand *nix.

Nothing wrong with that (I was there once myself), but do not expect to be qualified to sysadmin a production web server. Come back in a couple of years.

...you said "dump sendmail" Well this is another thing I want to cover. How to get Webmail with qmail up and running. From the beginning to the end...

David, I don't know anything about webmail, but qmail can be installed following the directions included with the source. Annoyingly, you have to jump from one document to another, but qmail can be installed and tested next to a working sendmail system before pulling the plug. While I don't care for the qmail documentation much, I can't say that I could write anything better.

As for webmail, just remember, security flaws, security flaws, security flaws. Thats right, javascript is evil. Also, you may wish to nix qmail in favor of just using Courier (which uses Maildirs).

By the way. I have written my first DocBook on "HowTo write a DocBook" today. It is really not that tough. Could I post it somewhere on openacs

Ehrm, /file-storage ?

I've used Linux since 1992 and Red Hat since 4.x.  RH 6.2 + updates
works fine.  What I do for myself and for clients is to build
CD-Rs with the updated RPMs already present.  I tend to be very
wary of Red Hat .0 releases, so I stayed away from RH 7.0.

Now 7.1 is out and I expect to be creating OpenACS and AOLserver RPMs
for it shortly.  IMO it is still too new to be run on a production
machine connected to the global Internet.  But in a few weeks, when
the early adopters have found the first set of obvious issues and
updated RPMs are issued for them, it will probably be time for
migration to RH 7.1.

Meanwhile, I am looking at creating an RH 6.2 CD which has all
RH-supplied updates and PG 7.1 and AOLserver and OpenACS.  This should
make installing a working OpenACS 3.2.5 box fairly quick. I had not
intended to make that ISO image public, but if there is interest,
I might be persuaded to do so.

Eventually I'll probably build similar customized RH 7.1 CDs, once I
have more experience with and confidence in that distribution.

Knowing how to recompile a kernel is good.  Not having to, because
the one on your install CD is current and has the OpenWall patches
applied already, is probably better still, for many sysadmins.

Overall, I suspect that "For Dummies" and keeping a "professional site
running" may be somewhat awkward things to put together.  So I would
suggest either creating a CD so that newcomers can do the installation
easily, or else write the document for those with some existing
Unix/Linux experience.

Right now if you wrote your "OS for OpenACS" HOWTO based around RH 6.2
it would become old quickly.  But if you wrote based on RH 7.1 you
would have essentially zero experience base to write it from.  If you
try to be generic to cover both, my guess is the HOWTO will become too
generic for the "Dummies" (your chosen term not mine!) who are your
intended readership.

What is the "answer"?  Personal opinion: I think I'd write for RH 6.2
for now, but be prepared to rewrite for RH 7.1 in a couple of months
time.

I don't like the expression for Dummies and I don't know why I used it either. Well, what I wanted to do, is to write a documentation that is very easy to understand and covers every aspect that you need to look at in order to run a "professional" web site. I heard Don saying:

"Depends on the subject matter, but a lot of installation stuff is just a matter of learning a bunch of magic incantations and once learnt, anyone can do them." This was said in a kernel recompile context for raising shared memory!!!

You are right that this is awkward, but I believe that it is a good way for somebody "quite" new to the material, to realize what it needs to build a site that scales with some perspective. On the other hand I want to show exactly which steps to follow, because it is always more relaxing to know what you typed in than to know that you installed an rpm - on my side at least.

If you want to contribute somehow let me know 😊

But I think that your rpms are a great idea too. Especially for people that want to get going very quickly...

I completly agree, whatever form the final documentation takes it should have general comments enabled so people can post inline comments regarding steps that don't work and workarounds. This has always been a problem at aD. Good luck.

http://www.securityfocus.com/templates/forum_message.html?forum=2&head=5418&id=5418

I just scanned it briefly and it looks okay, but I already installed qmail so there's no way for me to check the accuracy of the individual steps.

David, There is a real good newbie Linux install doc @ Orchard Labs

Using RPM's work great but you don't really get to know how things actually work until you have gone through the installs and ironing out the bugs.(I.E Myself.) I guess Sean is right a newbie DOC is not bad but I think going through a UNIX admin book and really learning UNIX (*nix) would prove more benefitial in the long run.