Tag Archives: setup

tl;dr Instructions for Drupal7 on rpm-based Systems

I threw a few sites up for folks in need the other day, one of them being myself (lots of folks’ businesses were wrecked during the tsunami two months ago). From doing that I realized the Drupal 7 documentation for rpm-based systems is a bit lacking (especially in Japanese). There are a few reasons for this. For one thing, Drupal 6 is still what’s in the Fedora repositories (at least as of F15 — and it’s orphaned?!?). So the Fedora wiki has basic install instructions for 6, but not 7. The Fedora-ized package also places things in a symlinked area under /usr, which may be more secure, but it confuses new Drupal users about the “how do I get rid of example.com/drupal/” problem under Apache. And lastly, SELinux requires a few adjustments to let httpd and Drupal work well together. Most users’ reaction to the first sign of SELinux trouble is to hurriedly turn it off… emphasis on the hurr in “hurriedly”, because that is stupid.

Even a lot of professional web developers do this, which should drive home the point I’ve made elsewhere that web people != systems people (though systems people might be capable web developers). As of this writing Ubuntu doesn’t even ship SELinux by default and its millions of users don’t get chewed up as easily as Windows folks do, but the majority use case for Ubuntu is not (and should not, imo, be) server deployment. But why risk it when you have such a powerful security tool right in front of you? For the enterprise I just don’t find it prudent to abandon such a great and easy tool. That’s like choosing not to learn iptables — which some folks have also opted out of.

So, without further ado, here is the quick and dirty to get Drupal 7 working on a Fedora/CentOS/RHEL type OS with SELinux intact:

[Please note these instructions assume three things: 1) a completely fresh minimal install, 2) you have control of the server, and 3) you are able to execute commands as root or through sudo. Also note that I have removed foreign language setup from this, as I doubt anyone who reads my blog really needs Japanese but me.]

[root@localhost ~]# yum install postgresql postgresql-server php-pgsql php-xml \
    php-pear php-devel gcc zlib-devel libcurl-devel make wget httpd php-mbstring
[root@localhost ~]# cd /var/www/html
[root@localhost html]# wget http://ftp.drupal.org/files/projects/drupal-7.0.tar.gz
[root@localhost html]# tar -zxf ./drupal-7.0.tar.gz
[root@localhost html]# mv drupal-7.0 drupal7
[root@localhost html]# cd drupal7
[root@localhost drupal7]# pecl install pecl_http
[root@localhost drupal7]# pecl install uploadprogress
[root@localhost drupal7]# echo extension=http.so > /etc/php.d/php_http.ini
[root@localhost drupal7]# echo extension=uploadprogress.so >> /etc/php.d/php_http.ini
[root@localhost drupal7]# service postgresql initdb
[root@localhost drupal7]# service postgresql start
[root@localhost drupal7]# chkconfig postgresql on
[root@localhost drupal7]# chkconfig httpd on
[root@localhost drupal7]# setsebool -P httpd_can_network_connect_db=1
[root@localhost drupal7]# setsebool -P httpd_can_sendmail=1
[root@localhost drupal7]# setsebool -P httpd_unified=1
[root@localhost drupal7]# cp sites/default/default.settings.php sites/default/settings.php
[root@localhost drupal7]# chmod 666 sites/default/settings.php
[root@localhost drupal7]# su postgres
bash-4.1$ createuser --pwprompt --encrypted --no-superuser --no-createrole --no-createdb drupal
Enter password for new role:
Enter it again:
bash-4.1$ createdb --encoding=UTF8 --owner=drupal drupaldb
bash-4.1$ exit
[root@localhost drupal7]# cp /var/lib/pgsql/data/pg_hba.conf /var/lib/pgsql/data/pg_hba.conf.original
[root@localhost drupal7]# vi /var/lib/pgsql/data/pg_hba.conf

Add the following line just after the existing local all all ident line (it sits at about line 71 in this version; check first rather than blindly dumping it in with sed, because the layout will differ if you’re running a different version of Postgres or reading this far in the future). The role gets access to exactly one database, from the loopback address only, with password (md5) authentication; never use trust here. Since the server is already running at this point and pg_hba.conf is only read at start-up, follow the edit with service postgresql reload so it takes effect:

host    drupaldb    drupal    127.0.0.1/32    md5

Remove the Apache and OS identification tags from server-generated error messages (such as the default Apache 4xx/5xx error pages), which otherwise advertise the exact Apache and OS versions to anyone probing the server:

[root@localhost drupal7]# vi /etc/httpd/conf/httpd.conf

Replace “ServerTokens OS” with “ServerTokens Prod”
Replace “ServerSignature On” with “ServerSignature Off”

And since I’m paranoid and use my servers only as servers (and prefer to send logs to a separate logging server), I also change “LogLevel warn” to “LogLevel info” and let my parsing scripts do the work of finding the important stuff. That makes forensics a lot easier later on down the road (though more compute intensive).

Add the following lines to your httpd.conf file if you are running multiple websites on a single server (one IP address hosting multiple domain names):

NameVirtualHost *:80

<VirtualHost *:80>
    ServerAdmin admin@example.com
    DocumentRoot /var/www/html/drupal7
    ServerName example.com
    ErrorLog logs/example.com-error_log
</VirtualHost>

<VirtualHost *:80>
    ServerName anothersite.example.com
    DocumentRoot /var/www/html/anothersite.example.com
</VirtualHost>

If you are not running virtual hosts, or if you are running them out of /home/user/public_html or the like, adjust the DocumentRoot lines accordingly.

Now add the iptables rule that opens port 80 to web traffic from outside. Nothing extra is needed for httpd to reach PostgreSQL: it listens on 5432/tcp, Drupal connects to it over the loopback interface, and the default Fedora/RHEL ruleset already accepts everything arriving on lo (the -A INPUT -i lo -j ACCEPT line), so the only hole you punch is port 80:

[root@localhost drupal7]# iptables -vI INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT

Start Apache (service httpd start; the chkconfig line above only enables it at boot), make sure sites/default/files exists and is writable by the apache user (the Drupal installer checks for it), then point a browser at the server and do your Drupal installation setup. Once you’re done there, take back the write permission on sites/default/settings.php, since it now contains your database password:

[root@localhost drupal7]# chmod 644 sites/default/settings.php

If everything went correctly you should be able to use Drupal 7 with SELinux in Enforcing mode and your iptables intact, apart from whatever you use for remote administration (SSH, if you use it; if you don’t, close port 22 and chkconfig sshd off as well). One caveat on the booleans above: httpd_unified is the blunt instrument, since it lets httpd write to any file carrying an httpd content label rather than only where Drupal needs it (sites/default/files). The narrower alternative is to leave it off and give just that directory the httpd_sys_rw_content_t type with semanage fcontext and restorecon; the httpd_selinux(8) man page documents both approaches.

The next time you reboot you will notice you can still log in to your shell, but you can’t reach the website with a browser. That is because the iptables rule fell off (rules don’t persist unless you tell them to). Once everything works the way it should, commit the rule that keeps port 80 open:

[root@localhost drupal7]# iptables-save > /etc/sysconfig/iptables

And while we’re messing with security, let’s go ahead and turn off a PHP feature that the cracker wannabes have recently learned about: allow_url_fopen. With it on, any PHP file function handed an attacker-controlled path (fopen, file_get_contents and friends, and include as well if allow_url_include is also on) will happily fetch an http:// or ftp:// URL instead of a local file, which is what turns a sloppy include or file path into remote file inclusion, or at the least lets the server be used to fetch whatever the attacker names.

[root@localhost drupal7]# vi /etc/php.ini

Replace “allow_url_fopen = On” with “allow_url_fopen = Off”

It is very unlikely that you will need allow_url_fopen to be active, as very few modules use it (Drupal core’s own HTTP client, drupal_http_request(), opens a socket directly and does not depend on it). Of course, if your site breaks it would be good to check whether you actually did need this, but otherwise I’d leave it turned off until something goes wrong.

Now restart Apache so the httpd.conf and php.ini changes take effect:

[root@localhost drupal7]# apachectl restart
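As a final check, here is a small post-install audit script. It is an added example, not code from the original post, and it verifies that the hardening steps above actually held: allow_url_fopen is Off, ServerTokens/ServerSignature are locked down, settings.php is no longer world-writable, the pg_hba.conf line for drupaldb is restricted to 127.0.0.1/32 with md5, and (on the real box) SELinux is still enforcing with the booleans set. The paths (/etc/php.ini, /etc/httpd/conf/httpd.conf, /var/lib/pgsql/data/pg_hba.conf, /var/www/html/drupal7) are the ones used in this tutorial and are assumptions overridable through the environment. Run it with --live on the server; without arguments it exercises the checks on constructed “before” and “after” config fragments so you can see what a failure looks like.

```bash
#!/bin/bash
# Post-install audit for the Drupal 7 / SELinux / iptables setup described
# above. Added example, not code from the original post. The paths are the
# ones the tutorial uses and are assumptions; override them via environment.
set -u

DRUPAL_ROOT="${DRUPAL_ROOT:-/var/www/html/drupal7}"
PHP_INI="${PHP_INI:-/etc/php.ini}"
HTTPD_CONF="${HTTPD_CONF:-/etc/httpd/conf/httpd.conf}"
PG_HBA="${PG_HBA:-/var/lib/pgsql/data/pg_hba.conf}"

# Last effective "key = value" in an ini file; comment lines (;) are ignored.
ini_value() {  # ini_value FILE KEY
    sed -n -E "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*([^;[:space:]]+).*/\1/p" "$1" | tail -n 1
}

# Last effective value of an Apache directive (later directives win).
httpd_directive() {  # httpd_directive FILE DIRECTIVE
    sed -n -E "s/^[[:space:]]*$2[[:space:]]+([^[:space:]#]+).*/\1/p" "$1" | tail -n 1
}

# allow_url_fopen must be Off so a path injection cannot fetch remote content.
check_php_ini() {  # check_php_ini FILE -> 0 if hardened
    local v
    v=$(ini_value "$1" allow_url_fopen | tr '[:upper:]' '[:lower:]')
    [ "$v" = "off" ] || [ "$v" = "0" ]
}

# Apache must not advertise its version or OS in headers and error pages.
check_httpd_conf() {  # check_httpd_conf FILE -> 0 if hardened
    [ "$(httpd_directive "$1" ServerTokens)" = "Prod" ] &&
    [ "$(httpd_directive "$1" ServerSignature | tr '[:upper:]' '[:lower:]')" = "off" ]
}

# settings.php holds the database password: the temporary 666 from the
# install must have been reverted and nobody but the owner may write it.
check_settings_perms() {  # check_settings_perms FILE -> 0 if 644 or tighter
    local mode
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 1
    case "$mode" in
        644|640|600|444|440|400) return 0 ;;
        *) return 1 ;;
    esac
}

# pg_hba.conf must let the drupal role reach drupaldb only from 127.0.0.1/32
# with password (md5) auth; a 'trust' or wide-open line for it is a failure.
check_pg_hba() {  # check_pg_hba FILE -> 0 if a safe line exists and no unsafe one
    awk '
        /^[[:space:]]*#/ || NF == 0 { next }
        $1 == "host" && $2 == "drupaldb" && $3 == "drupal" {
            if ($4 == "127.0.0.1/32" && $5 == "md5") ok = 1; else bad = 1
        }
        END { if (ok && !bad) exit 0; exit 1 }
    ' "$1"
}

# Live-only: SELinux still enforcing and the booleans the tutorial sets are on.
check_selinux_live() {
    command -v getenforce >/dev/null 2>&1 || { echo "skip: no SELinux tools"; return 0; }
    [ "$(getenforce)" = "Enforcing" ] || { echo "FAIL: SELinux is not enforcing"; return 1; }
    for b in httpd_can_network_connect_db httpd_can_sendmail; do
        getsebool "$b" | grep -q -- '--> on$' || { echo "FAIL: $b is off"; return 1; }
    done
    echo "ok:   SELinux enforcing with required booleans"
}

report() {  # report LABEL CHECK ARGS...
    local label=$1; shift
    if "$@"; then echo "ok:   $label"; else echo "FAIL: $label"; fi
}

if [ "${1:-}" = "--live" ]; then
    report "php.ini allow_url_fopen is Off"            check_php_ini "$PHP_INI"
    report "httpd.conf ServerTokens/ServerSignature"   check_httpd_conf "$HTTPD_CONF"
    report "settings.php not group/world writable"     check_settings_perms "$DRUPAL_ROOT/sites/default/settings.php"
    report "pg_hba.conf drupaldb line is localhost+md5" check_pg_hba "$PG_HBA"
    check_selinux_live
else
    # Demo on constructed config fragments (not taken from any real host):
    # the "before" files should FAIL and the "after" files should pass.
    tmp=$(mktemp -d)
    printf 'allow_url_fopen = On\n' > "$tmp/php.before"
    printf 'allow_url_fopen = Off\n' > "$tmp/php.after"
    printf 'ServerTokens OS\nServerSignature On\n' > "$tmp/httpd.before"
    printf 'ServerTokens Prod\nServerSignature Off\n' > "$tmp/httpd.after"
    printf 'host    drupaldb    drupal    0.0.0.0/0       trust\n' > "$tmp/hba.before"
    printf 'host    drupaldb    drupal    127.0.0.1/32    md5\n' > "$tmp/hba.after"
    : > "$tmp/settings.php"
    for stage in before after; do
        report "php.ini ($stage)"    check_php_ini    "$tmp/php.$stage"
        report "httpd.conf ($stage)" check_httpd_conf "$tmp/httpd.$stage"
        report "pg_hba ($stage)"     check_pg_hba     "$tmp/hba.$stage"
    done
    chmod 666 "$tmp/settings.php"; report "settings.php (before)" check_settings_perms "$tmp/settings.php"
    chmod 644 "$tmp/settings.php"; report "settings.php (after)"  check_settings_perms "$tmp/settings.php"
    rm -rf "$tmp"
fi
```

The checks deliberately take the last occurrence of each directive, because httpd.conf and php.ini are last-wins and a stray second ServerTokens line further down would silently undo the edit; the pg_hba check fails on any extra drupaldb line that is wider than loopback, not just on the absence of the good one.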

Given that the biggest fans of tutorials such as these are the sort of folks who would never spend the time to research the meaning of all this themselves, and given that you wouldn’t be reading this if you already knew how to do the above, I must remind you to head to your favorite search engine and search for things like “hardening sshd”, “hardening httpd”, “turning off root login”, “using public key authentication with sshd” and anything else that strikes your fancy (protip: read as much as you can about SELinux and iptables).

New Laptop Set-up: Prepare for Battle Against HP, MS and Yahoo!

Once again Microsoft has pissed me off. That’s no shock on its own, but they had help this time from an unexpected accomplice: Yahoo.

Usually, I like Yahoo. I’ve liked Yahoo for a while and have been a long-time customer, both as a user of free stuff and as a paying customer. So far everything has worked out well, and I have maintained that Yahoo was an improvement on the web, though their general internetness is a little shallow (nice messaging server access, nothing else that isn’t “web”, which I regard as extremely lacking in vision).

Now it seems that the war between Microsoft and Yahoo over the web is over, and since MSN/evil-restrictive-empire-of-toadies-and-affiliates has driven business away, Yahoo has become the dominant web portal. This opened up space for a new player, which turned out to be Google, which is sad in a way, since Lycos or Excite or AltaVista could have been really cool. Google has some scary visions of how the future “should” be which invade my privacy. I’m afraid Google will eventually abuse their position — probably by accident at first — thinking they have some higher calling to preserve freedom or love or something silly like that and end up becoming the thought police as a result. Considering that life (and us with it) is just a collection of anti-entropic bubbles, control of information at some level becomes control over life. And that’s not even science fiction.

So on to my story. I bought a new computer the other day, an HP dv6000 laptop. It looks cool, has an AMD 64×2 Turion II in it and some other nifty little things, and it’s way cheap. I brought it home. I started it up and Vista took over.

Ouch.

Vista sucks. Everything on it bothers the crap out of you until you register things with Big Brother. HP has a “Welcome to HP” screen which would not allow me to access my new system until I told HP all my dirty inner secrets, has a way over-loaded “maintenance” center that makes everything else (including me) wait on it, and generally drove me nuts (and drove me to kill all processes running, and delete and uninstall everything labeled hp_*).

Once everything that betrayed my privacy or annoyed me was dead, I decided to access my wireless router and see how well that would work out. Good news: I can download at well over 3 full real megs per second across the wireless network. Bad news: Vista has a lot of annoying little crashes. Vista itself never quite died all the way, but Internet Explorer sure did — a lot — including the first time I tried to run it. So I tried different messaging systems, Symantec Antivirus and the Windows Updater that is supposed to update my system to save it from annoying crashes. Again, through it all, Vista itself never quite crashed all the way — but once my system finally was updated I had to make it crash (i.e. reboot) to make the updates take effect. Yes, that’s right, Windows still cannot perform a kernel thread transition or dynamic service restarts in 2007. Didn’t Erlang have the ability to update code in place in the ’80s?

I rebooted. It took forever first to shutdown, and then forever to start up again. I mean forever. Over 10 minutes to shutdown is just ridiculous. Since I had so much time I started thinking about the small print on the screen that said something to the effect of “Your system may become unresponsive during this period. If so, you will need to restart the system.” This sounds an awful lot like a customer-friendly way of saying “we expect this process will probably crash”.

This annoyed me. When it started up (finally) I checked the system stats. As I suspected, everything runs clunky because I have only 512mb of RAM (which shouldn’t cause this sort of behavior, though) and the big kicker — the version of Vista that MS allows to be pre-installed by vendors is only 32 bit and single-core! Why would you sell such a crap setup? Single-core 32-bit is a far cry from dual-core 64-bit, particularly the single-core business. I could find no apparent motive for this stupid configuration, either — there isn’t even a “pay us more to make your computer actually work” icon anywhere (don’t laugh, it’s a ploy Microsoft has used with select OEMs in the past).

I tried to install WoW also, because I suck at life, and it runs slower than molasses. Screw this.

So that brings me to my final attempt to bring sanity to the world (and the way I found I could download over 3 real megs per second if there is no bottleneck in the way). I downloaded the DVD image for the new Fedora Core 7 release in a few minutes and installed that over Vista because it sucked.

Everything works just fine out of the box and the system hums along at a ridiculous processing pace. I still need more RAM to do things I like such as large image manipulation or really big compiling, but overall it’s a massive improvement. And WoW runs just fine under WINE, though that’s not exactly a method I would recommend to anyone who is going to be the main tank for an endgame guild — not that I’ve experienced any problems at all, but I’ll have to play this way a bit more before I’m confident that WoW won’t crash under any circumstances.

Where does Yahoo fall in here? They left evidence of their new (and still semi-secret) pact with MS all over my browser. I had a Yahoo toolbar annoyingly preinstalled on my IE. I also had a pre-installed Symantec toolbar that shows status buttons all the time, along with a few other toolbars I never wanted — actually, about the top 1/3 of Internet Explorer was goddam toolbars, not content I was trying to read! All that crap and still no mouse gestures, which I’m addicted to from using Opera. Mouse gestures aren’t a Yahoo problem, of course, but while I’m bitching about IE, it’s worth mentioning that they have the gall to bring up a huge new “Welcome to tabbed browsing” window that fills the whole screen the first time you open a new tab. Thanks, jackass, I already knew what tabbed browsing was, been using it for years on good browsers (read as “anything not IE”) and I see through the attempt here to claim that as a Microsoft idea.

This was a relentlessly irritating experience. That’s just sad — setting up my new HP laptop forced me to work against the combined powers of HP, MS and Yahoo. I thought the point was to make the customer happy, not ready to kill. Thank goodness there are better alternatives like Fedora that can make it all worthwhile in the end. By the way, HP did a good job on the hardware, even if their software is a big sweaty dump.