Index: openacs-4/packages/acs-core-docs/www/maintenance-web.html =================================================================== RCS file: /usr/local/cvsroot/openacs-4/packages/acs-core-docs/www/maintenance-web.html,v diff -u -r1.14.2.3 -r1.14.2.4 --- openacs-4/packages/acs-core-docs/www/maintenance-web.html 8 Dec 2003 15:41:17 -0000 1.14.2.3 +++ openacs-4/packages/acs-core-docs/www/maintenance-web.html 15 Dec 2003 15:03:47 -0000 1.14.2.4 @@ -8,14 +8,14 @@ creates additional files and directories to track status and log. A daemontools directory is included in the OpenACS tarball at - /var/lib/aolserver/service0/etc/daemontools. To use it, first ill any existing AOLserver instances. As root, link the daemontools directory into the /service directory. Daemontools' svscan process checks this directory every five seconds, and will quickly execute run.

[service0@yourserver etc]$ killall nsd
+        /var/lib/aolserver/service0/etc/daemontools.  To use it, first ill any existing AOLserver instances.  As root, link the daemontools directory into the /service directory.  Daemontools' svscan process checks this directory every five seconds, and will quickly execute run.

[service0 etc]$ killall nsd
 nsd: no process killed
-[service0@yourserver etc]$ exit
+[service0 etc]$ exit
 
-[root@yourserver root]# ln -s /var/lib/aolserver/service0/etc/daemontools/ /service/service0

Verify that AOLserver is running.

[root@yourserver root]# ps -auxw | grep nsd
+[root root]# ln -s /var/lib/aolserver/service0/etc/daemontools/ /service/service0

Verify that AOLserver is running.

[root root]# ps -auxw | grep nsd
 service0   5562 14.2  6.2 22436 15952 ?       S    11:55   0:04 /usr/local/aolserver/bin/nsd -it /var/lib/aolserver/service0/etc/config.tcl -u serve
 root      5582  0.0  0.2  3276  628 pts/0    S    11:55   0:00 grep nsd
-[root@yourserver root]#
  • The user service0 can now control the service service0 with these commands:

    • +[root root]#

  • The user service0 can now control the service service0 with these commands:

  • Install a script to automate the stopping and starting - of AOLserver services via daemontools. You can then restart a service via restart-aolserver service0

    [root@yourserver root]# cp /var/lib/aolserver/service0/packages/acs-core-docs/www/files/restart-aolserver-daemontools.txt /usr/local/bin/restart-aolserver
    -[root@yourserver root]# chmod 755 /usr/local/bin/restart-aolserver
    -[root@yourserver root]#
  • + of AOLserver services via daemontools. You can then restart a service via restart-aolserver service0

    [root root]# cp /var/lib/aolserver/service0/packages/acs-core-docs/www/files/restart-aolserver-daemontools.txt /usr/local/bin/restart-aolserver
    +[root root]# chmod 755 /usr/local/bin/restart-aolserver
    +[root root]#
  • At this point, these commands will work only for the - root user. Grant permission for the web group to use svc commands on the service0 server.

    [root@yourserver root]# svgroup web /service/service0
    -[root@yourserver root]#
  • Verify that the controls work. You may want to tail -f /var/lib/aolserver/service0/log/service0-error.log in another window, so you can see what happens when you type these commands. + root user. Grant permission for the web group to use svc commands on the service0 server.

    [root root]# svgroup web /service/service0
    +[root root]#
  • Verify that the controls work. You may want to tail -f /var/lib/aolserver/service0/log/service0-error.log in another window, so you can see what happens when you type these commands.

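Review bot: the typo "ill" in "To use it, first ill any existing AOLserver instances" is carried unchanged from the - line into the + line; since this hunk already rewrites that sentence, change it to "first kill any existing AOLserver instances" so the instruction matches the `killall nsd` command that follows. The rest of the hunk only drops the `@yourserver` part of the prompts, which is fine.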
    Most of this information comes from Tom Jackson's AOLserver+Daemontools @@ -89,25 +89,25 @@ have Perl installed and also a symbolic link to it in /usr/local/bin.

    -joeuser:~$ su - 
    +[joeuser ~]$ su - 
     Password: ***********
    -root:~# cp /tmp/restart-aolserver.txt /usr/local/bin/restart-aolserver
    -root:~# chown root.web /usr/local/bin/restart-aolserver
    -root:~# chmod 4750 /usr/local/bin/restart-aolserver
    -root:~# ln -s /usr/bin/perl /usr/local/bin/perl
    -root:~# exit
  • +[root ~]# cp /tmp/restart-aolserver.txt /usr/local/bin/restart-aolserver +[root ~]# chown root.web /usr/local/bin/restart-aolserver +[root ~]# chmod 4750 /usr/local/bin/restart-aolserver +[root ~]# ln -s /usr/bin/perl /usr/local/bin/perl +[root ~]# exit

  • Test the restart-aolserver script. We'll first kill all running servers to clean the slate. Then, we'll start one server and use restart-aolserver to kill it. If it works, then there should be no more servers running. You should see the following lines.

    -joeuser:~$ killall nsd
    +[joeuser ~]$ killall nsd
     nsd: no process killed
    -joeuser:~$ /usr/local/aolserver/bin/nsd-postgres -t ~/var/lib/aolserver/birdnotes/nsd.tcl
    -joeuser:~$ restart-aolserver birdnotes
    +[joeuser ~]$ /usr/local/aolserver/bin/nsd-postgres -t ~/var/lib/aolserver/birdnotes/nsd.tcl
    +[joeuser ~]$ restart-aolserver birdnotes
     Killing 23727 
    -joeuser:~$ killall nsd
    +[joeuser ~]$ killall nsd
     nsd: no process killed

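Review bot: the + lines here install `/tmp/restart-aolserver.txt` to `/usr/local/bin/restart-aolserver` with `chown root.web` and `chmod 4750` (setuid root), while the daemontools hunk above installs `restart-aolserver-daemontools.txt` to the same path with `chmod 755`. Since this change is touching these lines anyway, the surrounding text should state that the two scripts are alternatives (daemontools-based vs. inittab-based) and that only one of them should be installed, so a reader following the page top to bottom does not overwrite the daemontools version with a setuid root copy. Also, the test step uses user `joeuser` and service name `birdnotes`, whereas the rest of the page uses `service0`; aligning these prompts to `[service0 ~]$` would match the prompt style this change is introducing.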
    The number 23727 indicates the process id(s) (PIDs) of the processes being killed. It is important that no processes are killed by the second @@ -118,9 +118,9 @@ script worked, login as root and open /etc/inittab for editing.

    -joeuser:~$ su -
    +[joeuser ~]$ su -
     Password: ************
    -root:~# emacs -nw /etc/inittab
  • +[root ~]# emacs -nw /etc/inittab

  • Copy this line into the bottom of the file as a template, making sure that the first field nss1 is unique. @@ -133,13 +133,13 @@

  • Still as root, enter the following command to re-initialize /etc/inittab.

    -root:~# killall nsd    
    +[root ~]# killall nsd    
     nsd: no process killed
    -root:~# /sbin/init q
  • +[root ~]# /sbin/init q

  • See if it worked by running the restart-aolserver script again.

    -root:~# restart-aolserver birdnotes
    +[root ~]# restart-aolserver birdnotes
     Killing 23750
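Review bot: `[root ~]# restart-aolserver birdnotes` runs the verification as root here, while the earlier test of the same script ran it as `joeuser`, and `birdnotes` still differs from the `service0` name used everywhere else on the page; pick one user and one service name so the "Killing 23750" check can be followed literally. The `killall nsd` before `/sbin/init q` is in the right order; it would help to say in the step text that `init q` only re-reads /etc/inittab and that the new respawn line is what starts nsd, so a process being killed afterwards is the evidence the inittab entry works.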
  • If processes were killed, congratulations, your server is now automated for startup and shutdown. @@ -179,24 +179,24 @@ adds support for the ssl encryption layer. To use it, you must install the software, create or purchase certificates, and configure your OpenACS instance to use it.

    1. Uncomment this line from config.tcl.

      #ns_param   nsopenssl       ${bindir}/nsopenssl.so
      -
    2. Prepare a certificate directory for the service.

      [service0@yourserver etc]$ mkdir /var/lib/aolserver/service0/etc/certs
      -[service0@yourserver etc]$ chmod 700 /var/lib/aolserver/service0/etc/certs
      -[service0@yourserver etc]$ 
      -
      mkdir /var/lib/aolserver/service0/etc/certs
      -chmod 700 /var/lib/aolserver/service0/etc/certs
    3. It takes two files to support an SSL connection. The certificate is the public half of the key pair - the server sends the certificate to browser requesting ssl. The key is the private half of the key pair. In addition, the certificate must be signed by Certificate Authority or browsers will protest. Each web browser ships with a built-in list of acceptable Certificate Authorities (CAs) and their keys. Only a site certificate signed by a known and approved CA will work smoothly. Any other certificate will cause browsers to produce some messages or block the site. Unfortunately, getting a site certificate signed by a CA costs money. In this section, we'll generate an unsigned certificate which will work in most browsers, albeit with pop-up messages.

      Use an OpenSSL perl script to generate a certificate and key.

      [service0@yourserver service0]$ cd /var/lib/aolserver/service0/etc/certs
      -[service0@yourserver certs]$ perl /usr/share/ssl/misc/CA -newcert
      +
    4. Prepare a certificate directory for the service.

      [service0 etc]$ mkdir /var/lib/aolserver/service0/etc/certs
      +[service0 etc]$ chmod 700 /var/lib/aolserver/service0/etc/certs
      +[service0 etc]$ 
      +mkdir /var/lib/aolserver/service0/etc/certs
      +chmod 700 /var/lib/aolserver/service0/etc/certs
    5. It takes two files to support an SSL connection. The certificate is the public half of the key pair - the server sends the certificate to browser requesting ssl. The key is the private half of the key pair. In addition, the certificate must be signed by Certificate Authority or browsers will protest. Each web browser ships with a built-in list of acceptable Certificate Authorities (CAs) and their keys. Only a site certificate signed by a known and approved CA will work smoothly. Any other certificate will cause browsers to produce some messages or block the site. Unfortunately, getting a site certificate signed by a CA costs money. In this section, we'll generate an unsigned certificate which will work in most browsers, albeit with pop-up messages.

      Use an OpenSSL perl script to generate a certificate and key.

      [service0 service0]$ cd /var/lib/aolserver/service0/etc/certs
      +[service0 certs]$ perl /usr/share/ssl/misc/CA -newcert
       Using configuration from /usr/share/ssl/openssl.cnf
       Generating a 1024 bit RSA private key
       ...++++++
       .......++++++
       writing new private key to 'newreq.pem'
       Enter PEM pass phrase:

      Enter a pass phrase for the CA certificate. Then, answer the rest of the questions. At the end you should see this:

      Certificate (and private key) is in newreq.pem
      -[service0@yourserver certs]$

      newreq.pem contains our certificate and private key. The key is protected by a passphrase, which means that we'll have to enter the pass phrase each time the server starts. This is impractical and unnecessary, so we create an unprotected version of the key. Security implication: if anyone gets access to the file keyfile.pem, they effectively own the key as much as you do. Mitigation: don't use this key/cert combo for anything besides providing ssl for the web site.

      [root@yourserver misc]# openssl rsa -in newreq.pem -out keyfile.pem
      +[service0 certs]$

      newreq.pem contains our certificate and private key. The key is protected by a passphrase, which means that we'll have to enter the pass phrase each time the server starts. This is impractical and unnecessary, so we create an unprotected version of the key. Security implication: if anyone gets access to the file keyfile.pem, they effectively own the key as much as you do. Mitigation: don't use this key/cert combo for anything besides providing ssl for the web site.

      [root misc]# openssl rsa -in newreq.pem -out keyfile.pem
       read RSA key
       Enter PEM pass phrase:
       writing RSA key
      -[service0@yourserver certs]$ 

      To create the certificate file, we take the combined file, copy it, and strip out the key.

      [service0@yourserver certs]$ cp newreq.pem certfile.pem
      -[root@yourserver misc]# emacs certfile.pem

      Strip out the section that looks like

      -----BEGIN RSA PRIVATE KEY-----
      +[service0 certs]$ 

      To create the certificate file, we take the combined file, copy it, and strip out the key.

      [service0 certs]$ cp newreq.pem certfile.pem
      +[root misc]# emacs certfile.pem

      Strip out the section that looks like

      -----BEGIN RSA PRIVATE KEY-----
       Proc-Type: 4,ENCRYPTED
       DEK-Info: DES-EDE3-CBC,F3EDE7CA1B404997
       S/Sd2MYA0JVmQuIt5bYowXR1KYKDka1d3DUgtoVTiFepIRUrMkZlCli08mWVjE6T
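Review bot: the prompts for `openssl rsa -in newreq.pem -out keyfile.pem` and `emacs certfile.pem` read `[root misc]#` in the + lines, while every other command in this step runs as service0 in the certs directory (`[service0 certs]$`); since this change is normalising prompts, these two should become `[service0 certs]$` as well, otherwise keyfile.pem is created as root in a different directory than the step expects. Given the text's own warning that anyone who can read keyfile.pem effectively owns the key, adding a `chmod 600 keyfile.pem` line after the `openssl rsa` command (the certs directory is already `chmod 700`) would make the stated mitigation concrete. Also, `perl /usr/share/ssl/misc/CA -newcert` produces a self-signed certificate, so "we'll generate an unsigned certificate" should read "self-signed certificate".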
      @@ -206,31 +206,31 @@
             performs DNS lookup, and outputs HTML reports.  Analog should
             already be
             installed.  A modified configuration file is included in
      -      the OpenACS tarball.

      1. [root@yourserver src]# su - service0
        -[service0@yourserver service0]$ cd /var/lib/aolserver/service0
        -[service0@yourserver service0]$ cp /var/lib/aolserver/service0/packages/acs-core-docs/www/files/analog.cfg.txt etc/analog.cfg
        -[service0@yourserver service0]$ mkdir www/log
        -[service0@yourserver service0]$ cp -r /usr/share/analog-5.31/images www/log/
        -[service0@yourserver service0]$ 
        
        +      the OpenACS tarball.

        1. [root src]# su - service0
          +[service0 service0]$ cd /var/lib/aolserver/service0
          +[service0 service0]$ cp /var/lib/aolserver/service0/packages/acs-core-docs/www/files/analog.cfg.txt etc/analog.cfg
          +[service0 service0]$ mkdir www/log
          +[service0 service0]$ cp -r /usr/share/analog-5.31/images www/log/
          +[service0 service0]$ 
           su - service0
           cd /var/lib/aolserver/service0
           cp /var/lib/aolserver/service0/packages/acs-core-docs/www/files/analog.cfg.txt etc/analog.cfg
           mkdir www/log
          -cp -r /usr/share/analog-5.31/images www/log/

        Edit +cp -r /usr/share/analog-5.31/images www/log/

        Edit /var/lib/aolserver/service0/etc/analog.cfg and change the variable in HOSTNAME "[my organisation]" to reflect your website title. If you don't want the traffic log to be publicly visible, change OUTFILE /var/lib/aolserver/service0/www/log/traffic.html to use a private -directory.

      2. Run it.

        [service0@yourserver service0]$ /usr/share/analog-5.31/analog -G -g/var/lib/aolserver/service0/etc/analog.cfg
        +directory.

      3. Run it.

        [service0 service0]$ /usr/share/analog-5.31/analog -G -g/var/lib/aolserver/service0/etc/analog.cfg
         /usr/share/analog-5.31/analog: analog version 5.31/Unix
         /usr/share/analog-5.31/analog: Warning F: Failed to open DNS input file
           /home/service0/dnscache: ignoring it
           (For help on all errors and warnings, see docs/errors.html)
         /usr/share/analog-5.31/analog: Warning R: Turning off empty Search Word Report
        -[service0@yourserver service0]$

        Verify that it works by browing to http://yourserver.test:8000/log/traffic.html

      4. Automate this by creating a file in - /etc/cron.daily.

        [service0@yourserver service0]$ exit
        +[service0 service0]$

        Verify that it works by browing to http://yourserver.test:8000/log/traffic.html

      5. Automate this by creating a file in + /etc/cron.daily.

        [service0 service0]$ exit
         logout
         
        -[root@yourserver root]# emacs /etc/cron.daily/analog

        Put this into the file:

        #!/bin/sh
        +[root root]# emacs /etc/cron.daily/analog

        Put this into the file:

        #!/bin/sh
         
        -/usr/share/analog-5.31/analog -G -g/var/lib/aolserver/service0/etc/analog.cfg
        [root@yourserver root]# chmod 755 /etc/cron.daily/analog

        Test it by running the script.

        [root@yourserver root]# sh /etc/cron.daily/analog

        Browse to http://yourserver.test/log/traffic.html

    External uptime validation

    The OpenACS uptime site can monitor your site and send you an email whenever your site fails to respond. If you test the url http://yourserver.test/SYSTEM/dbtest.tcl, you should get back the string success.

    ($Id$)
    View comments on this page at openacs.org
    +/usr/share/analog-5.31/analog -G -g/var/lib/aolserver/service0/etc/analog.cfg
    [root root]# chmod 755 /etc/cron.daily/analog

    Test it by running the script.

    [root root]# sh /etc/cron.daily/analog

    Browse to http://yourserver.test/log/traffic.html

    External uptime validation

    The OpenACS uptime site can monitor your site and send you an email whenever your site fails to respond. If you test the url http://yourserver.test/SYSTEM/dbtest.tcl, you should get back the string success.

    ($Id$)
    View comments on this page at openacs.org
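Review bot: "browing" in "Verify that it works by browing to http://yourserver.test:8000/log/traffic.html" is a typo for "browsing" and is carried unchanged into the + line; fix it while this line is being edited. Separately, the /etc/cron.daily/analog script runs analog as root and writes the OUTFILE under /var/lib/aolserver/service0/www/log, which the manual "Run it" step populated as service0; the text should either run the cron job as service0 (for example via `su - service0 -c '/usr/share/analog-5.31/analog -G -g/var/lib/aolserver/service0/etc/analog.cfg'`) or say that the report files will be root-owned after the first cron run, so a later manual run as service0 does not fail to overwrite them.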