Virtualmin and CentOS 6 on a Linode

Ready to move your hosted websites to a new Virtualmin + LAMP (Linux/Apache/MySQL/Perl-PHP) server on a Linode? Here are the steps to get everything working smoothly with a minimum of hassle:

Initial Preparation

First, starting with a freshly provisioned CentOS install, ssh into the root account. Let's see what we actually have for a distribution:

$ cat /etc/issue
CentOS Linux release 6.0 (Final)
Kernel \r on an \m

Next, create regular user accounts for the administrators, and disable direct root login. We will place these administrators into the 'wheel' group so they can sudo, and also create a developer group:

# groupadd devel
# useradd -c "Winston Smith" -g devel --groups wheel -m -s /bin/bash wsmith

Use the visudo command to edit the /etc/sudoers file, removing the leading # to un-comment this line:

## Allows people in group wheel to run all commands
%wheel  ALL=(ALL)       ALL

Now, set a password for yourself:

# passwd wsmith

Then log out, and ssh back in as wsmith.

If you haven't read the Linode Security Basics article, now's a good time. At the very least, disable root logins by editing the /etc/ssh/sshd_config file to modify the PermitRootLogin option as follows:

PermitRootLogin no

Then restart ssh:

$ sudo service sshd restart
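
An added check, not from the original article: sshd uses the first value it reads for each keyword, so a PermitRootLogin no line placed below an existing uncommented PermitRootLogin yes has no effect. The function name effective_root_login and the sample file are constructed for illustration; the function reports the value that wins, plus any Match-block overrides.

```shell
# Added example: report the PermitRootLogin value sshd will actually use.
# Rules applied: keywords are case-insensitive, lines starting with # are
# comments, and the first value read for a keyword is the one that counts.
effective_root_login() {
    # $1 = path to an sshd_config file
    awk '
        /^[ \t]*#/ || NF == 0 { next }                 # comments and blank lines
        tolower($1) == "match" { in_match = 1; next }  # conditional section begins
        tolower($1) == "permitrootlogin" {
            val = tolower($2)
            if (in_match)          ov = (ov == "" ? val : ov "," val)
            else if (global == "") global = val        # first global value wins
        }
        END {
            out = (global == "" ? "unset" : global)    # unset: sshd default applies
            if (ov != "") out = out " match-override:" ov
            print out
        }
    ' "$1"
}

# Constructed sample: "no" was appended without changing the earlier "yes".
sample=$(mktemp)
cat > "$sample" <<'EOF'
#PermitRootLogin yes
Port 22
PermitRootLogin yes
PermitRootLogin no
EOF
effective_root_login "$sample"
rm -f "$sample"
```

On the server, sudo /usr/sbin/sshd -t checks the edited file for syntax errors before you restart the service. Keep the current session open until a fresh login as wsmith succeeds.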

I also recommend fail2ban, which should reduce the clutter and risk of repeated ssh attacks:

$ sudo yum install fail2ban
$ sudo chkconfig --level 23 fail2ban on
$ sudo service fail2ban start

Next, edit /etc/sysconfig/network and change the hostname. If there is no HOSTNAME line, add one with your desired machine name in your domain; it should look like:

HOSTNAME=linode1.example.com

That file is read at boot, so you might also want to set the hostname for the current session:

$ sudo hostname linode1.example.com

Be sure that your DNS server has an A Record with that exact name, pointing to your new server.

Install Updates before Virtualmin

Now we will update the base system:

$ sudo yum update

We haven't installed PHP and MySQL yet, but let's see what versions will be installed from our currently selected repositories:

$ yum search php
Loaded plugins: fastestmirror
============================================ Matched: php ============================================
php.i686 : PHP scripting language for creating dynamic web sites
php-bcmath.i686 : A module for PHP applications for using the bcmath library
php-cli.i686 : Command-line interface for PHP
php-common.i686 : Common files for PHP
...
$ yum list php mysql
Loaded plugins: fastestmirror
Available Packages
mysql.i686             5.1.52-1.el6_0.1    updates
php.i686               5.3.2-6.el6_0.1     updates

OK, well that's not the latest, but CentOS assures us (as of mid-October 2011) that CentOS 6.1 will have updates. In the meantime, the folks at CentOS recommend the use of the Continuous Release (CR) repository; see this article.

$ sudo yum install centos-release-cr
$ sudo yum update

That installed, on my system, 144 new and updated packages. Now let's see what that will do for us in terms of PHP and MySQL:

$ yum list php mysql
Loaded plugins: fastestmirror
...
Available Packages
mysql.i686              5.1.52-1.el6_0.1   updates
php.i686                5.3.3-3.el6        cr

Ah, a nice fresh version of PHP. Before going much further, I find it convenient to also install the console version of emacs for editing, and the 'screen' package for multi-virtual-screen remote administration:

$ sudo yum install emacs-nox screen

Load Virtualmin

Download the install.sh script from http://www.virtualmin.com/download.html into /usr/src ... and then execute it. The script is fetched over plain HTTP and runs as root, so read through it before executing it:

$ sudo bash
# cd /usr/src
# wget http://software.virtualmin.com/gpl/scripts/install.sh
# sh install.sh

That may take some time indeed! Eventually you should see:

INFO - Updating SpamAssassin rules...
INFO - Rule updates done
[root@linode1 src]#

Once it completes, log in, as root, to your new Virtualmin configuration at your Linode's address, https://linode1.example.com:10000, and then read the next part of this article.

Useful Tools

sudo yum install emacs-nox screen

For PHP with Graphics support

sudo yum install gd php-gd ImageMagick ImageMagick-devel php-devel httpd-devel
sudo pecl install imagick
(and, as root)
echo "extension=imagick.so" > /etc/php.d/imagick.ini
sudo apachectl graceful

The php-devel module is required for loading ImageMagick into PHP; without it, you will get phpize: command not found. Note that the pecl command above actually compiles some code, so you need the gcc compilers and the various development modules.

Webmin and fail2ban

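If you ever use Webmin to edit your firewall rules, be sure to do this last step: applying a firewall configuration reloads the iptables rules, which drops the chains fail2ban added at runtime until fail2ban is restarted. It is also handy, if you lock yourself out of your secure shell, to be able to do a one-time reset of fail2ban's rules from the Webmin interface.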

Log in to Webmin. Under Networking, on the “Linux Firewall” main page, click Module Config in the upper-left of the pane. On the configuration page, in the “Configurable options” section, look for the line “Command to run after applying configuration.” Click the button next to the text box on that line, enter service fail2ban restart in the text box, and then click the Save button at the bottom of the page. Now, whenever you click “Apply Configuration” on the Firewall rule page, it will automatically restart fail2ban.

Cups doesn't start on Fedora

For some reason, on Fedora 15, CUPS wasn't starting on bootup. Print jobs were just being silently dropped. I tried this:

$ lpq
lpq: Unable to connect to server.

Hmm... That's not right.

$ sudo service cups start
Redirecting to /bin/systemctl start cups.service

Oh... they changed the administration command for some reason. I couldn't find anywhere in the menus (or the discombobulated, disorganized mess that substitutes for menus in Gnome 3) a GUI for selecting startup services. Didn't we have that back in RedHat 4? Anyway... a little digging uncovers that the simple service command, inexplicably, has been replaced by the more jargon-laden systemctl command, so the 'new' way is now:

$ sudo systemctl start cups.service

OK that got it going. lpq sees CUPS and print jobs actually print. Now to change it permanently:

$ sudo chkconfig --list

Note: This output shows SysV services only and does not include native
systemd services. SysV configuration data might be overridden by native
systemd configuration.

iscsi 0:off 1:off 2:off 3:on 4:on 5:on 6:off
iscsid 0:off 1:off 2:off 3:on 4:on 5:on 6:off
livesys 0:off 1:off 2:off 3:on 4:on 5:on 6:off
livesys-late 0:off 1:off 2:off 3:on 4:on 5:on 6:off
netconsole 0:off 1:off 2:off 3:off 4:off 5:off 6:off
netfs 0:off 1:off 2:off 3:on 4:on 5:on 6:off
network 0:off 1:off 2:off 3:off 4:off 5:off 6:off
sandbox 0:off 1:off 2:off 3:off 4:off 5:on 6:off
svnserve 0:off 1:off 2:off 3:off 4:off 5:off 6:off

Another frustration. This functionality is now rolled into the systemctl command. Perhaps that's nicer, but where's the GUI interface for this? I guess I could use webmin, but gosh it seems Gnome should have one.

Here's what it reports:

$ systemctl status cups.service
cups.service - CUPS Printing Service
          Loaded: loaded (/lib/systemd/system/cups.service; disabled)
          Active: active (running) since Thu, 20 Oct 2011 08:19:58 -0700; 7min ago
        Main PID: 16104 (cupsd)
          CGroup: name=systemd:/system/cups.service
                  └ 16104 /usr/sbin/cupsd -f

OK, it's disabled at startup. Here goes:

$ sudo systemctl enable cups.service
ln -s '/lib/systemd/system/cups.service' '/etc/systemd/system/printer.target.wants/cups.service'
ln -s '/lib/systemd/system/cups.socket' '/etc/systemd/system/sockets.target.wants/cups.socket'
ln -s '/lib/systemd/system/cups.path' '/etc/systemd/system/multi-user.target.wants/cups.path'
$

Ah, there we go.

Please, Fedora and Gnome -- where are the GUI administration tools for this?

Roundcube date format

By default, Roundcube displays dates like 24.09.2011 -- nonsensical to U.S. standards (the ninth day of the 24th month?). We want to use ISO 8601 standard dates like 2011-09-24.

Fortunately, this turns out to be simple. The hardest part is finding the main.inc.php for your particular Roundcube installation. If you have used Virtualmin's script installers, it will probably be /home/yourdomain/public_html/roundcube/config/main.inc.php ... your mileage may vary.

Only one line has to be changed, from:

$rcmail_config['date_long'] = 'd.m.Y H:i';

to:

$rcmail_config['date_long'] = 'Y-m-d H:i';

I have not yet found a way to change from 24-hour to 12-hour am/pm times, though.

Fix: Spamassassin won't start

On my Virtualmin console today, I see that the SpamAssassin filter is stopped. Not to mention, my inbox is full of spam. The problem seems to have started when I updated the SpamAssassin filter.

Clicking the start button results only in:

Failed to start service : The SpamAssassin filter server could not be started

Trying to run

# /etc/init.d/spamassassin start

merely gives the cryptic message:

Starting spamd: child process [3518] exited or timed out without signaling production of a PID file: exit 255 at /usr/bin/spamd line 2642.

The solution, it turns out, is discovered by running spamassassin manually:

config: no rules were found! Do you need to run 'sa-update'?

Unfortunately, the bug reported here seems still not to be fixed as of August 2011. In particular, the error report from one of the internal scripts is not properly passed through to the user.

Fortunately, the solution is simple. As root:

# sa-update

and then you should be able to start SpamAssassin without error.

Getting Flash to work under Chromium on Fedora

I had already downloaded and installed Flash for Firefox, following these instructions, but could not get it to work as a plugin on Chromium.

Success is yours when you type "about:plugins" into the location bar of Chromium and the Flash player appears.

Fortunately, it turned out to be pretty simple to just link Firefox's plugin into Chromium: As root, do this:

cd /usr/lib64/chromium-browser/plugins/
ln -s /usr/lib64/mozilla/plugins-wrapped/nswrapper_32_64.libflashplayer.so .