Server Deployment

Tomcat
See also:
- the EPIC SW uses Tomcat as a server
- the Handle System server can best be guarded by daemontools
The blank server had @CentOS 6@ installed and a basic collection of @yum@ packages.
Tomcat is the server for the EPIC API SW.
Install these packages with @yum@ from the standard repository:
- @tomcat6-webapps@ (v 6.0.24)
- @tomcat6-docs-webapp@ (not strictly needed)
- @tomcat6-admin-webapps@ (not strictly needed)
daemontools

daemontools is a package of tools to manage services; it is used to watch over the handle system server and over publicfile.
- Download daemontools http://www6.atomicorp.com/channels/atomic/centos/6/i386/RPMS/daemontools-0.76-1.el6.art.i686.rpm and http://www6.atomicorp.com/channels/atomic/centos/6/i386/RPMS/daemontools-doc-0.76-1.el6.art.i686.rpm (these are plain-http downloads of third-party builds; check their signatures with @rpm -K@ against the packager's key before installing).
- Install these packages with @yum@.
- As root, @mkdir /service@
- Create @/etc/init/svscan.conf@ (an Upstart job that starts the service scanner at boot and restarts it if it dies):
    start on runlevel [12345]
    respawn
    exec /command/svscanboot
- Reboot; the service scanner should start running: processes @svscanboot@, @readproctitle@ and @svscan@:
    pstree -u
    init─┬─ :
         ├─svscanboot─┬─readproctitle
         │            └─svscan
         :
Create users for the handle system daemon and logger:
adduser hdl
adduser hdl-log
Install the handle system software:
- As root, @mkdir /hs@
- Download Handle software http://www.handle.net/hs-source/hsj-7.0.tar.gz and unpack in @/hs@ to create @/hs/hsj-7.0/@
Create a handle server instance:
- Follow the installation procedure in @/hs/hsj-7.0/INSTALL.txt@, or restore from an instance archive backup (date string may vary):
    cd /hs
    cpio -id < .../hs-bup201201031449-instance.cpio
Install as a service under daemontools (see above):
- Unpack the service archive (date string may vary):
    cd /hs
    cpio -id < .../hs-bup201201031449-service.cpio
Test by starting the server in foreground on the command line:
root# service/run Starting handle daemon... + exec -a handled /usr/bin/setuidgid hdl /hs/hsj-7.0/bin/hdl-server /hs/svr_10916 HANDLE.NET Server Software version 7.0 "2012-01-03 16:50:51.052+0100" 25 Rotating log files Enter the passphrase for this server's authentication private key: Note: Your passphrase will be displayed as it is entered
Note that although the output asks for a passphrase, you do not have to supply one.
Input is taken from service/secret/privkey-pass
— only readable by root.
- Connect the service to daemontools (as root):
    ln -s /hs/service /service/handle
- Test that the service is up:
    svstat /hs/service
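The checks above (svstat output, the root-only passphrase file, the daemon running as @hdl@) can be scripted. The following is an added example, not part of the page or the Handle/EPIC software. Assumptions that are not on the page: a service counts as healthy only once it has been up for MIN_UP seconds (a run script that keeps failing is restarted by supervise every second and therefore always shows as "up" for a few seconds), the passphrase file must be mode 0400 or 0600 owned by root, and no java process (Tomcat or hdl-server) may run as root.

```sh
#!/bin/sh
# Added example: post-install checks for the daemontools-managed services and
# the privilege separation this page relies on. Not from the page or the
# Handle/EPIC software. Assumed (not stated on the page): MIN_UP threshold,
# passphrase file mode 0400/0600 root-owned, no java process running as root.

MIN_UP=${MIN_UP:-60}

# svstat_ok "LINE" MIN : LINE is one line of svstat output, e.g.
#   "/service/handle: up (pid 4242) 8 seconds"
# Returns 0 only for an "up" service that has stayed up at least MIN seconds,
# so a supervise restart loop (always "up ... 0 seconds") is a failure.
# "normally down" means a ./down file exists and the service would not come
# back after a reboot; that is reported as a failure too.
svstat_ok() {
    line=$1 min=$2
    case $line in
        *", normally down"*) return 1 ;;
        *": up (pid "*") "*" seconds"*) ;;
        *) return 1 ;;
    esac
    secs=${line##*) }   # "8 seconds"
    secs=${secs%% *}    # "8"
    [ "$secs" -ge "$min" ]
}

# secret_ok MODE OWNER : MODE and OWNER as printed by `stat -c '%a %U' FILE`.
# service/secret/privkey-pass holds the private-key passphrase that the
# foreground test reads instead of prompting; it must stay root-only.
secret_ok() {
    [ "$2" = root ] || return 1
    case $1 in 400|600) return 0 ;; *) return 1 ;; esac
}

# no_root_java USERS : USERS is the output of `ps -o user= -C java`, one
# account per line. Tomcat and hdl-server are both JVMs; neither may be root.
no_root_java() {
    for u in $1; do
        [ "$u" != root ] || return 1
    done
    return 0
}

# Runs the checks against the live host; needs root to stat the secret.
live_checks() {
    rc=0
    for svc in /service/*; do
        status=$(svstat "$svc")
        if svstat_ok "$status" "$MIN_UP"; then echo "ok   $status"
        else echo "FAIL $status"; rc=1; fi
    done
    pass=/hs/service/secret/privkey-pass
    if secret_ok $(stat -c '%a %U' "$pass"); then echo "ok   $pass is root-only"
    else echo "FAIL $pass: $(ls -l "$pass" 2>&1)"; rc=1; fi
    if no_root_java "$(ps -o user= -C java)"; then echo "ok   no java process runs as root"
    else echo "FAIL a java process runs as root"; rc=1; fi
    return $rc
}

# Only meaningful on the deployed host; skipped elsewhere.
if [ -d /service ]; then live_checks; fi
```

Run it as root after each reboot or service change; a non-zero exit means one of the listed properties no longer holds.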
publicfile
is an extremely simple and secure web server that only presents static files.
It is used to present some information when the EPIC service is down for some reason.
publicfile is not available as a package and must be compiled (and made into a package?).
- Install gcc (v 4.4.5) to compile publicfile from source.
- Download and unpack http://cr.yp.to/publicfile/publicfile-0.52.tar.gz
- Patch the file @error.h@ (the usual errno fix for djb software of this generation: the original declares errno itself instead of including the system header, which breaks with modern glibc):
    < extern int errno;
    > #include <errno.h>
- Install in @/usr/local/publicfile/bin@ (see also: http://cr.yp.to/publicfile/install.html):
    make
    make setup check   # this step as root
publicfile is itself not a server, but reads/writes from/to stdin/stdout. Use tcpserver:
- Install ucspi-tcp (v 0.88). This package is not present in the default yum repository for CentOS 6, but can be downloaded from a CentOS 5 repository and installed manually.
- Unpack the prepared @.tgz@ file in @/var/lib/@ to create @/var/lib/httpd-public@
- As root, @ln -s /var/lib/httpd-public/httpd /service/httpd@
- Check that the service starts running:
    svstat /service/httpd
    /service/httpd/: up (pid 17002) 8 seconds
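The page does not show what the prepared @.tgz@ contains. The following added example (not from the page, publicfile or ucspi-tcp) builds a daemontools service directory of the same shape for publicfile behind tcpserver, so the pieces that matter for security are visible: tcpserver binds the privileged port as root and drops to an unprivileged account before httpd sees any data, and the logger runs as a separate account. Assumed here, not stated on the page: the account names @pubhttp@ and @pubhttp-log@, a document root of @/var/lib/httpd-public/root@, httpd installed in @/usr/local/publicfile/bin@, port 80 on all addresses, and the softlimit values (starting points to tune, not measured).

```sh
#!/bin/sh
# Added example: create a daemontools service directory for publicfile's httpd
# behind tcpserver. Not from the page, publicfile or ucspi-tcp. Assumed:
# accounts pubhttp / pubhttp-log, DOCROOT, PORT and the softlimit values.
#
#   sh mk-httpd-service.sh /var/lib/httpd-public/httpd pubhttp pubhttp-log \
#       /var/lib/httpd-public/root 80
#   ln -s /var/lib/httpd-public/httpd /service/httpd     # as root, as on the page

PUBLICFILE=${PUBLICFILE:-/usr/local/publicfile/bin}

# make_httpd_service DIR ACCOUNT LOGACCOUNT DOCROOT PORT
make_httpd_service() {
    dir=$1 acct=$2 logacct=$3 docroot=$4 port=$5
    # publicfile's httpd chroots into DOCROOT and serves from the subdirectory
    # named after the Host header; "0" is the fallback for unknown names.
    mkdir -p "$dir/log/main" "$docroot/0"

    # run: tcpserver binds the port as root and drops to ACCOUNT (UID/GID are
    # put in the environment by envuidgid) before handing each connection's
    # socket to httpd on stdin/stdout.  -R -H: no IDENT and no DNS lookups per
    # connection; -c 100: at most 100 concurrent httpd processes; softlimit
    # caps open files (-o) and data segment bytes (-d) of each one.
    # envuidgid, softlimit and tcpserver are found via the PATH svscanboot sets.
    cat > "$dir/run" <<EOF
#!/bin/sh
exec 2>&1
exec envuidgid $acct softlimit -o 20 -d 50000 \\
  tcpserver -v -R -H -l 0 -c 100 -u "\$UID" -g "\$GID" 0 $port \\
  $PUBLICFILE/httpd $docroot
EOF

    # log/run: supervise pipes the server's stdout into multilog, which writes
    # timestamped (t), rotated logs to ./main as the unprivileged log account.
    cat > "$dir/log/run" <<EOF
#!/bin/sh
exec setuidgid $logacct multilog t ./main
EOF

    chmod 755 "$dir/run" "$dir/log/run"
    # multilog must own its directory; this needs root, so tolerate failure
    # when the script is run unprivileged just to inspect the result.
    chown "$logacct" "$dir/log/main" 2>/dev/null || true
}

if [ $# -ge 5 ]; then
    make_httpd_service "$@"
fi
```

After linking the directory into @/service@, @svstat /service/httpd@ should report it up; a restart loop (always "up" for a few seconds) usually means httpd was killed by the softlimit values or cannot read the document root.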
The external packet filters and/or firewalls must allow the following traffic:
- Incoming to TCP ports http (80), https (443), hdl-srv (2641).
- Incoming to UDP port hdl-srv (2641).
- Outgoing to any TCP and UDP port.
Tomcat should be run as an ordinary, unprivileged user.
This implies that it cannot bind ports below 1024; by default it listens on ports 8080 (http) and 8443 (https).
The following iptables rules will make the service available to the outside world at ports 80 and 443:
iptables -t nat -A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
iptables -t nat -A PREROUTING -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8443
The normal filter rules must open the hdl-srv ports for TCP and UDP and the redirected ports 8080 and 8443: the REDIRECT is applied in the nat PREROUTING chain before the filter INPUT chain runs, so INPUT sees the rewritten destination port. Note that the rules below also accept connections made directly to 8080 and 8443, not only redirected ones.
iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 8080 -j ACCEPT
iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 8443 -j ACCEPT
iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 2641 -j ACCEPT
iptables -A INPUT -p udp -m state --state NEW -m udp --dport 2641 -j ACCEPT
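The rules above are the essential ones but not a complete chain. The following is an added example, not from the page or the EPIC project, that installs the full ruleset in a workable order. Beyond the page it assumes a default DROP policy on INPUT, an ACCEPT for ssh so the administrator is not locked out, a nat OUTPUT rule so tests from the host itself (which never traverse PREROUTING) also reach Tomcat, and that 8080/8443 should be reachable only through the 80/443 redirect (the @-m conntrack --ctstate DNAT@ match); swap that match for @-m state --state NEW@ to get the page's behaviour.

```sh
#!/bin/sh
# Added example: complete iptables ruleset for the firewall section above.
# Not from the page or the EPIC project. Assumed here: INPUT policy DROP,
# an ssh ACCEPT, a nat OUTPUT redirect for local tests, and restricting
# 8080/8443 to redirected connections via --ctstate DNAT.
#
#   sh firewall.sh show    # dry run: print the iptables commands
#   sh firewall.sh apply   # as root: install the rules

# Run iptables, or print the command when DRY_RUN=1.
ipt() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

install_rules() {
    ipt -F
    ipt -t nat -F

    # nat: rewrite 80/443 to Tomcat's unprivileged ports. PREROUTING only sees
    # packets arriving from the network; OUTPUT covers connections made on the
    # host itself (curl http://localhost/), which never pass PREROUTING.
    ipt -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080
    ipt -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-ports 8443
    ipt -t nat -A OUTPUT -o lo -p tcp --dport 80 -j REDIRECT --to-ports 8080
    ipt -t nat -A OUTPUT -o lo -p tcp --dport 443 -j REDIRECT --to-ports 8443

    # filter: loopback and replies to connections already accepted.
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Administrative access (assumed; the page does not mention ssh).
    ipt -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT

    # INPUT runs after nat PREROUTING, so it sees 8080/8443, not 80/443.
    # --ctstate DNAT matches only connections that went through the REDIRECT;
    # a client connecting straight to :8080 or :8443 falls through to DROP.
    # Use "-m state --state NEW" instead (as on the page) if direct access is wanted.
    ipt -A INPUT -p tcp --dport 8080 -m conntrack --ctstate DNAT -j ACCEPT
    ipt -A INPUT -p tcp --dport 8443 -m conntrack --ctstate DNAT -j ACCEPT

    # Handle protocol (hdl-srv), TCP and UDP, reached directly on 2641.
    ipt -A INPUT -p tcp --dport 2641 -m state --state NEW -j ACCEPT
    ipt -A INPUT -p udp --dport 2641 -m state --state NEW -j ACCEPT

    # Policies last, so the session installing the rules is not cut off while
    # the chain is still empty. Outgoing stays fully open, as the page requires.
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT
}

case ${1:-} in
    show)  DRY_RUN=1; install_rules ;;
    apply) install_rules ;;
esac
```

On CentOS 6 the rules are lost at reboot unless saved with @service iptables save@ after @apply@; check the result with @iptables -t nat -L -n -v@ and @iptables -L -n -v@, and confirm from another host that @:8080@ is refused while @:80@ answers.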