Starting from scratch with a new CentOS 7 Linode,
I found that iptables is set by default to block (although not reject)
packets to the IMAP and POP3 services.
Rackspace has a good primer
on setting up Dovecot that includes these instructions, but here's the
short answer:
sudo iptables -I INPUT 2 -p tcp --dport 587 -j ACCEPT
sudo iptables -I INPUT 3 -p tcp --dport 110 -j ACCEPT
sudo iptables -I INPUT 4 -p tcp --dport 143 -j ACCEPT
sudo iptables -I INPUT 5 -p tcp --dport 993 -j ACCEPT
sudo iptables -I INPUT 6 -p tcp --dport 995 -j ACCEPT
sudo /etc/init.d/iptables save
sudo /etc/init.d/iptables restart
That adds rules to accept the IMAP and POP ports, both the regular and
SSL versions. Then we save the chain table and restart iptables. Now
you should be able to get in:
$ telnet myhost.wlindley.com imap
Trying myhost.wlindley.com...
Connected to myhost.wlindley.com.
Escape character is '^]'.
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS LOGINDISABLED] Dovecot ready.
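The commands above insert at fixed positions because iptables evaluates rules in order, so an ACCEPT that lands after a catch-all REJECT or DROP never matches. The following is an added example, not part of the original post: it reads an `iptables -S INPUT` listing and reports which of the five ports are still unreachable. The rule listings are constructed samples and the function and variable names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original post). The rule listings below are
# constructed samples in the format printed by `iptables -S INPUT`.
MAIL_PORTS="587 110 143 993 995"   # the ports opened above

# Print TCP ports accepted from any source before the first catch-all
# REJECT/DROP rule. Only single-port --dport rules are recognised.
accepted_tcp_ports() {
    awk '
        $1 != "-A" || $2 != "INPUT" { next }
        $3 == "-j" && ($4 == "REJECT" || $4 == "DROP") { exit }
        {
            proto = ""; dport = ""; target = ""; restricted = 0
            for (i = 3; i < NF; i++) {
                if ($i == "-p")      proto = $(i + 1)
                if ($i == "--dport") dport = $(i + 1)
                if ($i == "-j")      target = $(i + 1)
                if ($i == "-s" || $i == "-i") restricted = 1
            }
            if (proto == "tcp" && target == "ACCEPT" && dport != "" && !restricted)
                print dport
        }'
}

# Print the mail ports that are still unreachable (empty output = all open).
missing_mail_ports() {
    accepted=$(accepted_tcp_ports)
    missing=""
    for p in $MAIL_PORTS; do
        printf '%s\n' "$accepted" | grep -qx "$p" || missing="$missing $p"
    done
    printf '%s\n' "${missing# }"
}

ESTABLISHED='-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT'
SSH='-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT'
CATCH_ALL='-A INPUT -j REJECT --reject-with icmp-host-prohibited'
MAIL_RULES=$(for p in $MAIL_PORTS; do
    echo "-A INPUT -p tcp -m tcp --dport $p -j ACCEPT"; done)

# Rules inserted at positions 2-6, ahead of the catch-all (as -I does) ...
INSERTED=$(printf '%s\n' "$ESTABLISHED" "$MAIL_RULES" "$SSH" "$CATCH_ALL")
# ... versus rules appended with -A, which land after it and never match.
APPENDED=$(printf '%s\n' "$ESTABLISHED" "$SSH" "$CATCH_ALL" "$MAIL_RULES")

printf 'inserted: missing=[%s]\n' "$(printf '%s\n' "$INSERTED" | missing_mail_ports)"
printf 'appended: missing=[%s]\n' "$(printf '%s\n' "$APPENDED" | missing_mail_ports)"
```

On a live host, pipe the output of `sudo iptables -S INPUT` into `missing_mail_ports` after the restart.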
First, you will need the php-mcrypt module, which is no longer
provided in RHEL 6 or CentOS 6. For that, you must install the EPEL
(Extra Packages for Enterprise Linux) library. As root, follow the
instructions here
as follows:
rpm -Uvh http://download.fedoraproject.org/pub/epel/6/i386/epel-release-6-7.noarch.rpm
(Do not use that command verbatim without double-checking the link
above!) Then --
Following the instructions here
but changing the wget to:
wget http://download.opensuse.org/repositories/server:/eGroupWare/CentOS_6/server:eGroupWare.repo
then, noting capitalization:
yum install eGroupware
which should say (amongst much else):
Installed: eGroupware.noarch 0:1.8.004.20120613-1.1
The software installs into /usr/share/egroupware
I had to edit two parameters in my php.ini file.
Note that with Virtualmin, it is not /etc/php.ini to modify but
rather the one for the domain in which you are running eGroupware. If
your domain is a Virtualmin subdomain, the actual file might be:
/home/maindomain/domains/mydomain.com/etc/php5/php.ini
You can find the exact location by creating a file, let's say foo.php,
within your public_html directory, and having the following contents:
<?php phpinfo(); ?>
Then look for the value of Loaded Configuration File... that is the
php.ini file to edit.
Once you have located the right php.ini file, change:
upload_max_filesize = 16M
and un-comment and modify the line:
date.timezone = "America/Phoenix"
...and restart Apache:
sudo service httpd restart
Now, rather than write an Apache alias (which caused me problems with
PHP files being returned as plaintext instead of executable code), I
set a symlink:
ln -s /usr/share/egroupware public_html/egroupware
The RPM install of eGroupware sets a link from
/usr/share/egroupware/header.inc.php to
../../../var/lib/egroupware/header.inc.php ... which should be actually
in /var itself... thus, presumably, avoiding an RPM update from
overwriting your config file. However this may cause problems with
permissions. For me, I created the header.inc.php file but found that
the directory /var/lib/egroupware was set to owner apache with no read
or execute (i.e., list-directory) permissions for anyone else. This did
the trick:
sudo chmod 755 /var/lib/egroupware
sudo chmod 644 /var/lib/egroupware/header.inc.php
With that done, direct your web browser to
http://www.yourdomain.com/egroupware and you should see the setup
screen.
Note that you can have multiple domains with the single instance of
egroupware. We could be fancy and call this a "multi-tenant" install.
To do this, remove the "default" domain and add yourdomain.com,
yourdomain2.com, and so on.
Copy the text of the created header.inc.php
and paste it into /usr/share/egroupware/header.inc.php
(which is actually /var/lib/egroupware/header.inc.php).
In your domain's root directory (the one above public_html), create a
directory egw that will contain the files and backup directories:
mkdir egw
mkdir egw/files
mkdir egw/backup
chown youruser:apache -R egw/
and configure eGroupware to use, for example, /home/maindomain/domains/mydomain.com/files
and /home/maindomain/domains/mydomain.com/backup
as its directories.
At that point, you should be up and running!
Loaded Virtualmin onto a Linode running CentOS 6. Ran into some
errors when trying to add a domain:
Failed to create virtual server : setquota: Cannot stat() mounted device /dev/root: No such file or directory
setquota: Mountpoint (or device) / not found or has no quota enabled.
setquota: Not all specified mountpoints are using quota.
And indeed, from a root prompt:
# quotaon -p -a
quotaon: Cannot stat() mounted device /dev/root: No such file or directory
group quota on /home (/dev/xvdc) is off
user quota on /home (/dev/xvdc) is off
Hmm, yep, that's the same error. This thread on Virtualmin's forum
was a big clue; here's the first step to resolution:
# mount
...
/dev/xvda on / type ext3 (rw,noatime,grpquota,errors=remount-ro,usrquota)
...
Right, so our root / partition is indeed on /dev/xvda so we can
create the missing symbolic link:
# ln -s /dev/xvda /dev/root
# quotaon -a
quotaon: cannot find /home/aquota.group on /dev/xvdc [/home]
quotaon: cannot find /home/aquota.user on /dev/xvdc [/home]
#
Good, no error message. But things are still not working yet:
# quotaon /home
quotaon: cannot find /home/aquota.group on /dev/xvdc [/home]
quotaon: cannot find /home/aquota.user on /dev/xvdc [/home]
Before proceeding, in /etc/fstab please be sure "usrquota" and
"grpquota" are in the options line:
/dev/xvdc /home ext3 grpquota,errors=remount-ro,usrquota,grpquota,noatime,rw 0 1
Now, instead of going thru a dozen cryptic commands, go back to Webmin
(if Virtualmin is up, click Webmin on the top line). Open the System
tab and then Disk Quotas. You should see the /home partition listed,
and it probably says that quotas are not active. Simply hit "Enable
Quotas" and the display should change to:
Filesystem:    /home (users), /home (groups)
Type:          Linux Native Filesystem
Mounted From:  Xen device C
Status:        User and Group Quotas Active
Action:        Disable Quotas
...Done!
Ready to move your hosted websites to a new Virtualmin + LAMP
(Linux/Apache/MySQL/Perl-PHP) server on a Linode?
Here are the steps to get everything working smoothly with a minimum of
hassle:
Initial Preparation
First, starting with a freshly provisioned CentOS install, ssh into the
root account. Let's see what we actually have for a distribution:
$ cat /etc/issue
CentOS Linux release 6.0 (Final)
Kernel \r on an \m
First, create regular user accounts for the administrators, and disable
direct root login. We will place these administrators into the 'wheel'
group so they can sudo, and also create a developer group:
# groupadd devel
# useradd -c "Winston Smith" -g devel --groups wheel -m -s /bin/bash wsmith
Use the visudo command to edit the /etc/sudoers file,
removing the leading # to un-comment this line:
## Allows people in group wheel to run all commands
%wheel ALL=(ALL) ALL
Now, set a password for yourself:
# passwd wsmith
Then log out, and ssh back in as wsmith.
If you haven't read the Linode Security Basics article,
now's a good time. At the very least, disable root logins by editing
the /etc/ssh/sshd_config file to modify the PermitRootLogin option
as follows:
PermitRootLogin no
Then restart ssh:
$ sudo service sshd restart
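Whether that edit takes effect depends on where the line sits: sshd keywords are case-insensitive, the first occurrence of a keyword wins, and anything after a Match line is conditional. The following is an added example, not part of the original article, that reports the global PermitRootLogin value from sshd_config text; the sample configurations are constructed and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original article). The sshd_config samples
# below are constructed.

# Print the global value sshd would use for KEYWORD, reading sshd_config
# text on stdin. "unset" means the compiled-in default applies, which on
# older OpenSSH releases is "yes" for PermitRootLogin.
effective_sshd_option() {
    awk -v want="$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" '
        /^[ \t]*#/              { next }    # comment lines
        NF == 0                 { next }    # blank lines
        tolower($1) == "match"  { exit }    # the rest is conditional
        tolower($1) == want     { print $2; found = 1; exit }
        END { if (!found) print "unset" }'
}

# "no" is the only result that means the edit took effect.
root_login_status() {
    value=$(effective_sshd_option PermitRootLogin)
    if [ "$value" = "no" ]; then
        echo "disabled"
    else
        echo "NOT disabled ($value)"
    fi
}

GOOD='Port 22
PermitRootLogin no
PasswordAuthentication yes'

# The line is still commented out, so the default applies.
COMMENTED='#PermitRootLogin no
PasswordAuthentication yes'

# An earlier "yes" shadows the "no" added further down.
SHADOWED='permitrootlogin yes
PermitRootLogin no'

# Inside a Match block the setting covers only matching connections.
IN_MATCH='PasswordAuthentication yes
Match Address 192.0.2.0/24
    PermitRootLogin no'

for name in GOOD COMMENTED SHADOWED IN_MATCH; do
    eval "cfg=\$$name"
    printf '%-10s %s\n' "$name" "$(printf '%s\n' "$cfg" | root_login_status)"
done
```

On a live system, feed it /etc/ssh/sshd_config, and run `sudo sshd -t` before the restart so that a syntax error does not stop the daemon from coming back up.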
I also recommend fail2ban, which should reduce the clutter and risk of
repeated ssh attacks:
$ sudo yum install fail2ban
$ sudo chkconfig --level 23 fail2ban on
$ sudo service fail2ban start
Next, edit /etc/sysconfig/network and change the hostname. If there
is no HOSTNAME line, add one with your desired machine name in your
domain; it should look like:
HOSTNAME=linode1.example.com
That file is read at boot, so you might also want to set the hostname
for the current session:
$ sudo hostname linode1.example.com
Be sure that your DNS server has an A Record with that exact name,
pointing to your new server.
Install Updates before Virtualmin
Now we will update the base system --
$ sudo yum update
We haven't installed PHP and MySQL yet, but let's see what versions
will be installed from our currently selected repositories:
$ yum search php
Loaded plugins: fastestmirror
============================================ Matched: php ============================================
php.i686 : PHP scripting language for creating dynamic web sites
php-bcmath.i686 : A module for PHP applications for using the bcmath library
php-cli.i686 : Command-line interface for PHP
php-common.i686 : Common files for PHP
...
$ yum list php
Loaded plugins: fastestmirror
Available Packages
mysql.i686 5.1.52-1.el6_0.1 updates
php.i686 5.3.2-6.el6_0.1 updates
OK, well that's not the latest, but CentOS assures us (as of
mid-October 2011) that CentOS 6.1 will have updates. Meantime, the
folks at CentOS recommend the use of the Continuous Release (CR)
repository; see this article.
$ sudo yum install centos-release-cr
$ sudo yum update
That installed, on my system, 144 new and updated packages. Now let's
see what that will do for us in terms of PHP and MySQL:
$ yum list php mysql
Loaded plugins: fastestmirror
...
Available Packages
mysql.i686 5.1.52-1.el6_0.1 updates
php.i686 5.3.3-3.el6 cr
Ah, a nice fresh version of PHP. Before going much further, I find it
convenient to also install the console version of emacs for editing,
and the 'screen' package for multi-virtual-screen remote
administration:
$ sudo yum install emacs-nox screen
Load Virtualmin
Download the install.sh script from http://www.virtualmin.com/download.html
into /usr/src ... and then execute it:
$ sudo bash
# cd /usr/src
# wget http://software.virtualmin.com/gpl/scripts/install.sh
# sh install.sh
That may take some time indeed! Eventually you should see:
INFO - Updating SpamAssassin rules...
INFO - Rule updates done
[root@linode1 src]#
Once it completes, log in, as root, to your new Virtualmin configuration
at your Linode's address: https://linode1.example.com:10000 ... and then
read the next part of this article.
Useful Tools
sudo yum install emacs-nox screen
For PHP with Graphics support
sudo yum install gd php-gd ImageMagick ImageMagick-devel php-devel httpd-devel
sudo pecl install imagick
(and, as root) echo "extension=imagick.so" > /etc/php.d/imagick.ini
sudo apachectl graceful
The php-devel module is required for loading ImageMagick into PHP;
without it, you will get "phpize: command not found". Note that the
pecl command above actually compiles some code, so you need the gcc
compilers and the various development modules.
Webmin and fail2ban
If you ever use Webmin to edit your firewall rules, you should be sure
to do this last step. It's also handy if you lock yourself out of your
secure shell, to be able to do a one-time reset of fail2ban's rules
from the webmin interface.
Login to Webmin. Under Networking, on the “Linux Firewall” main page,
click Module Config in the upper-left of the pane. On the configuration
page, in the “Configurable options” section, look for the line “Command
to run after applying configuration.” Click the button next to the text
box on that line, and in the text box enter service fail2ban restart
and then click the Save button at the bottom of the page. Now, whenever
you click “Apply Configuration” on the Firewall rule page, it will
automatically restart fail2ban.
Interacting with modern Subversion repositories requires a modern
copy. CentOS 5.5 and other previous versions, however, have rather old
copies. My server reported --
# rpm -qa|grep subversion
subversion-1.4.2-4.el5_3.1
The first step is to disable the yum-priorities plugin, if you are
using it. If it exists, edit the file /etc/yum/pluginconf.d/priorities.conf
and set enabled=0 -- you may want to change it back after you are
done here.
Now let's see which subversion we have installed.
$ rpm -qa|grep subversion
subversion-1.4.2-4.el5_3.1
Ah, right. Version 1.4.2 ... We want at least 1.5.
Install the rpmforge repository, following the CentOS instructions.
These are the commands I used; you will want to verify the latest
version.
# wget http://packages.sw.be/rpmforge-release/rpmforge-release-0.5.2-2.el5.rf.i386.rpm
# rpm --import http://apt.sw.be/RPM-GPG-KEY.dag.txt
# rpm -K rpmforge-release-0.5.2-2.el5.rf.*.rpm
# rpm -i rpmforge-release-0.5.2-2.el5.rf.*.rpm
RPMs that overwrite base CentOS modules have been removed from the main
rpmforge repository, and put into the rpmforge-extras repository.
Unfortunately that is disabled by default, and it is less than obvious
how to enable it. The setting is in /etc/yum.repos.d/rpmforge.repo ...
Look for this stanza and change the enabled line:
[rpmforge-extras]
name = RHEL $releasever - RPMforge.net - extras
baseurl = http://apt.sw.be/redhat/el5/en/$basearch/extras
mirrorlist = http://apt.sw.be/redhat/el5/en/mirrors-rpmforge-extras
#mirrorlist = file:///etc/yum.repos.d/mirrors-rpmforge-extras
enabled = 1
protect = 0
gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-rpmforge-dag
gpgcheck = 1
After this, you can just do a regular yum update or you can manually
do just the one:
$ yum --enablerepo=rpmforge check-update subversion
subversion    subversion-1.6.15-0.1.el5.rfx    rpmforge