welcome: please sign in

Revision 4 as of 2005-08-07 04:13:43

Clear message
Edit

InstallationLog

1. 2005/8/6

To state the obvious, I've gotten the almost-latest version of [http://moinmoin.wikiwikiweb.de/ MoinMoin] installed here. I'm using this wiki as an opportunity to test the proposed new scheme for scripts, where every virtual host script request is proxied to use a ~username URL. The benefit of this is that Apache suexec has special support for ~username scripts, which prevents us from needing to give users subdirectories of /var/www. This seems to be working now, with only the annoying problem remaining that MoinMoin uses absolute URLs, reverting to the uglier ~username form. Hopefully I can fix this, and also implement some infrastructure to help us take advantage of the centralized "wiki farm" support in the latest Moins. --AdamChlipala

I've got a proof-of-concept iptables setup running, that will allow us to account for all bandwidth used on a packet level. This is really excellent and fits our idea to run all services under user accounts. --DavorOcelic

2. 2005/8/4

I've installed domtool from [http://hcoop.sf.net/ CVS]. It was remarkably easy to get the basic stuff working. The only changes so far have to do with our switch to Apache 2 from Apache 1.3, which required using a different directive to indicate which user and group suexec should use for a vhost. --AdamChlipala

3. 2005/8/4

I spent time installing bits and pieces here and there, most notably the configuration files tracker (changetrack), tripwire, and other stuff. --DavorOcelic

4. 2005/8/2

I installed disk quotas. By default, each user will have 4 G soft quota, and 5 G hard quota on home directory size. Similarly, each user has a soft number-of-files quota set at 400,000, and hard quota at 500,000. I picked the numbers based on current usage pattern on Abulafia.

Additionally, thanks to grsecurity kernel patch, we now have the ability to restrict socket creation and program execution. By adding users to special groups, we can prevent them from creating server, client or any INET sockets. In the same way, we can allow users to only run files from root-owned directories.

Regardless of grsecurity, I am planing use the standard Unix groups mechanism to restrict use of the development tools (compilers, most notably). Users who will want access to compilers will be added to a special group.

Cron and At services will be disabled by default as well. As usual, people needing them will have to ask for them. --DavorOcelic

5. 2005/8/1

Since we had two disks in the server, and the other one was unused (simply mounted on /backup), I repartitioned it, installed new Debian GNU installation on it (using debootstrap), compiled the kernel, and successfully rebooted into it on the first try!

Then I went to move the installation to /dev/hda, thereby replacing the stock setup we got from InterServer. Evertyhing worked fine, and then I went to set up software RAID-1. I made a minor mistake in lilo.conf, and the server didn't want to boot properly. We filled in a Support Ticked at InterServer's site, and in 2 hours, John Quaglieri booted the system from the CD, fixed lilo.conf and even performed one additional step regarding RAID-1. I was impressed by his support. --DavorOcelic

6. 2005/7/21

Our new server is ready to go at [http://interserver.net/ InterServer].