UABgrid Projects
This host provides project resources for VOs and the dev site for uabgrid itself. It is built on a Debian base and hosts Trac/Subversion resources for VOs. The basic install was chosen with the "web server" and "standard system" configuration options.
Disable Default Services
This step is only required when the "standard system" option was chosen for the install. It starts several services that are not needed at all, and some that are not needed during the initial roll-out.
Turn off the ident (port 113) service:
cd /etc
patch -b inetd.conf << EOF
29c29
< ident		stream	tcp	wait	identd	/usr/sbin/identd	identd
---
> #ident		stream	tcp	wait	identd	/usr/sbin/identd	identd
EOF
/etc/init.d/openbsd-inetd force-reload
Turn off the services we don't need (smtp) and won't use for now (nfs). Exim4 is brought back later for Trac notifications, bound to localhost only:
/etc/init.d/portmap stop
/etc/init.d/nfs-common stop
/etc/init.d/exim4 stop
update-rc.d -f exim4 remove
update-rc.d -f portmap remove
update-rc.d -f nfs-common remove
These steps limit the host's network-facing services to ssh (port 22) and the web server (port 80, plus 443 once the TLS vhosts used by Shibboleth are enabled). Verify with netstat -tln after a reboot, since a service that was only stopped and not removed from the rc.d links comes back.
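As an added check that is not part of the original page, the script below verifies the claim above: it reads netstat -tln output and reports every listener that is neither on an allowed port nor bound to loopback only. The allowed-port list and the sample netstat output are constructed for the example; on the host itself the live output of netstat -tln is piped into the same function.

```sh
#!/bin/sh
# Added example (not from the original UABgrid page): after the service
# clean-up, nothing should listen on the network except ssh and the web
# server. ALLOWED_PORTS and SAMPLE_NETSTAT are constructed for the demo.

ALLOWED_PORTS="22 80 443"

# Constructed `netstat -tln` output: sshd, apache, a loopback-only MTA, and
# two leftovers the clean-up should have removed (portmap on 111 and an MTA
# listening on all interfaces on 25).
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN'

# unexpected_listeners <allowed ports>: reads netstat -tln output on stdin
# and prints "addr:port" for each listener that is neither on an allowed
# port nor bound to a loopback address.
unexpected_listeners() {
    awk -v allowed="$1" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 ~ /^tcp/ && $NF == "LISTEN" {
            addr = $4
            port = addr; sub(/.*:/, "", port)       # text after the last colon
            host = addr; sub(/:[0-9]+$/, "", host)  # text before it
            if (host == "127.0.0.1" || host == "::1") next   # loopback only: fine
            if (!(port in ok)) print addr
        }'
}

# check_sample: run the audit over the constructed output (used by the test).
check_sample() {
    printf '%s\n' "$SAMPLE_NETSTAT" | unexpected_listeners "$ALLOWED_PORTS"
}

# Live check on the host:
#   netstat -tln | unexpected_listeners "$ALLOWED_PORTS"
```

Anything the function prints is a service to stop and remove from the rc.d links, or, as with exim4 later on this page, to rebind to 127.0.0.1.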
Configure Network
Change the network interface config in /etc/network/interfaces:
auto eth0
iface eth0 inet static
    address 138.26.125.65
    gateway 138.26.1.1
    netmask 255.255.0.0
    network 138.26.0.0
    broadcast 138.26.255.255
Additional Configurations
Follow the resolv.conf, ntp, and shibboleth config notes for the uabgrid-ca host.
Web site configuration
Create projects.uabgrid and dev.uabgrid from the vhost template (new-service-site):
sed -e 's/_IPADDR_/138.26.125.65/' \
-e 's/_FQDN_/projects.uabgrid.uab.edu/' \
-e 's/_SHORTNAME_/projects.uabgrid/' \
new-service-site > projects.uabgrid
sed -e 's/_IPADDR_/138.26.125.64/' \
-e 's/_FQDN_/dev.uabgrid.uab.edu/' \
-e 's/_SHORTNAME_/dev.uabgrid/' \
new-service-site > dev.uabgrid
Make the vhost document roots:
mkdir -p /srv/www/projects.uabgrid
mkdir -p /srv/www/dev.uabgrid
touch /srv/www/projects.uabgrid/index.html
touch /srv/www/dev.uabgrid/index.html
Enable the vhosts, disable the default site, and reload apache2 so the change takes effect:
a2ensite projects.uabgrid
a2ensite dev.uabgrid
a2dissite default
Shibboleth SP Configuration
shibboleth.xml customization:
sed -e 's/_FQDN_/projects.uabgrid.uab.edu/' -e 's/_EMAIL_/jpr@uab.edu/' \
    shibboleth.xml.template > shibboleth.xml
metadata update:
sed -e 's/_FQDN_/projects.uabgrid.uab.edu/' -e 's/_EMAIL_/jpr@uab.edu/' sp-metadata.xml.template
Test the service by requesting a Shibboleth-protected page. Remove phpinfo.php once the test is done; it exposes the PHP and server configuration to anyone who can authenticate:
https://projects.uabgrid.uab.edu/secure/phpinfo.php
Adding dev.uabgrid
This simply requires adding AssertionConsumerService entries for dev.uabgrid to the UABgrid metadata and making sure the network interface alias is defined.
<AssertionConsumerService index="1" isDefault="false"
Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post"
Location="https://dev.uabgrid.uab.edu/Shibboleth.sso/SAML/POST"/>
<AssertionConsumerService index="2" isDefault="true"
Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01"
Location="https://dev.uabgrid.uab.edu/Shibboleth.sso/SAML/Artifact"/>
Add the alias to /etc/network/interfaces:
auto eth0:1
iface eth0:1 inet static
    address 138.26.125.64
    netmask 255.255.0.0
Start the interface
ifup eth0:1
Then test the dev site the same way (and remove phpinfo.php afterwards):
https://dev.uabgrid.uab.edu/secure/phpinfo.php
Set up Trac
Debian 4 (etch) packages Trac 0.10.3. The latest Trac is 0.10.4, but the package is a good way to install all the dependencies of the 0.10.x line, and since it is close to the latest stable release we will use it unless there is cause not to.
apt-get install trac
/usr/share/doc/trac/README.Debian has helpful information on how things are set up by default. Its approach is the CGI route with the CGI naming exposed in the URLs, which is not the way we want to go: the executable should be hidden. Most of this hiding is done via rewrite rules, so they just need to be duplicated appropriately.
Trac References
MTA Configuration
To support Trac's notification service we need to configure mail delivery on this host. The http://trac.edgewall.org/wiki/TracNotification docs are good and worth re-reading to understand the flexibility of the SMTP configuration.
Because a base Debian install comes with the Exim4 MTA, dpkg-reconfigure exim4-config was used to set up the existing Exim4 rather than move to Sendmail; the Debian exim4 instructions were sufficient for this. The configuration was split into multiple files, mainly to make the exim4 config easier to learn about and potentially modify. The "internet site" option was chosen. The concern that this would open projects.uabgrid to accepting mail for anything, or expose unintended services to attack, proved unfounded: the option lets you choose which interfaces to listen on, and the default of localhost only is sufficient and secure. Also, if no hosts are given in the local domain setting, local mail delivery is off, so that setting was left blank. DNS lookups are full (not minimal) and the local mailbox format is standard mbox. The resulting configuration is in /etc/exim4/update-exim4.conf.conf and looks like this:
dc_eximconfig_configtype='internet'
dc_other_hostnames=''
dc_local_interfaces='127.0.0.1'
dc_readhost=''
dc_relay_domains=''
dc_minimaldns='false'
dc_relay_nets=''
dc_smarthost=''
CFILEMODE='644'
dc_use_split_config='true'
dc_hide_mailname=''
dc_mailname_in_oh='true'
dc_localdelivery='mail_spool'
The Debian exim4 wiki may also be helpful.
Email CC notification was tested and comes through. Trac logging was used to verify MTA processing on projects.uabgrid.
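The "sufficient and secure" judgement above rests on two settings in update-exim4.conf.conf: the listen interfaces and the relay lists. The following audit script is an added example, not part of the original page or of the Debian exim4 tooling; it reads a configuration and flags the exposures the text worries about. The "safe" sample mirrors the page's settings, the "weak" sample is constructed to show what an exposed configuration looks like.

```sh
#!/bin/sh
# Added example (not from the original UABgrid page): audit the settings in
# /etc/exim4/update-exim4.conf.conf that decide whether the MTA is reachable
# from the network and whether it relays for anyone. Both configs below are
# constructed; SAFE_CONF reproduces the values shown on the page.

# Loopback only, no relay networks or domains (the page's configuration).
SAFE_CONF="dc_eximconfig_configtype='internet'
dc_other_hostnames=''
dc_local_interfaces='127.0.0.1'
dc_relay_domains=''
dc_relay_nets=''"

# Weak variant: an empty dc_local_interfaces makes exim listen on every
# interface, and dc_relay_nets lets the whole campus range relay through it.
WEAK_CONF="dc_eximconfig_configtype='internet'
dc_other_hostnames=''
dc_local_interfaces=''
dc_relay_domains=''
dc_relay_nets='138.26.0.0/16'"

# conf_value <config-text> <key>: print the value of key='value'
conf_value() {
    printf '%s\n' "$1" | sed -n "s/^$2='\(.*\)'$/\1/p"
}

# exim4_exposure <config-text>: print each risky setting; return 0 only if
# the MTA is confined to loopback and relays for nobody.
exim4_exposure() {
    conf="$1"; bad=0
    ifaces=$(conf_value "$conf" dc_local_interfaces)
    if [ -z "$ifaces" ]; then
        echo "dc_local_interfaces empty: exim listens on all interfaces"; bad=1
    else
        # entries are separated by ';' and may carry a '.port' suffix
        for i in $(printf '%s' "$ifaces" | tr ';' ' '); do
            case "$i" in
                127.0.0.1|127.0.0.1.*|::1|::1.*) ;;
                *) echo "listens on non-loopback interface $i"; bad=1 ;;
            esac
        done
    fi
    nets=$(conf_value "$conf" dc_relay_nets)
    [ -n "$nets" ] && { echo "relays for networks: $nets"; bad=1; }
    doms=$(conf_value "$conf" dc_relay_domains)
    [ -n "$doms" ] && { echo "relays for domains: $doms"; bad=1; }
    return $bad
}

# On the host itself:
#   exim4_exposure "$(cat /etc/exim4/update-exim4.conf.conf)"
```

A clean run prints nothing and exits 0. The check complements, rather than replaces, looking at netstat: update-exim4.conf.conf only takes effect after update-exim4.conf and an exim4 restart.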
Set Up Access to Subversion
For the time being, WebDAV-based access to the repositories on projects.uabgrid is not enabled, so access is the traditional way over ssh (svn+ssh). Note: this process needs to be replaced with WebDAV.
To configure access, accounts need to be established on projects.uabgrid for the authorized users. No local password is set, so these accounts can only authenticate through the LDAP (BlazerID) configuration below:
for user in ppreddy pavgi vladk
do
    useradd -m -c "$user@uab.edu" $user
done
Enable BlazerID authn for this host. Create the file /etc/authn_ldap.conf (the same path is passed to pam_ldap via config= below). Note that ssl start_tls and ssl on are alternatives in pam_ldap (StartTLS on port 389 versus LDAP over TLS on port 636); with an ldaps:// URI it is ssl on that applies, and tls_cacertfile names the CA bundle used to verify the server certificate:
ssl start_tls
ssl on
uri ldaps://ldap.uab.edu/
base ou=people,dc=uab,dc=edu
tls_cacertfile /etc/ssl/certs/ca-certificates.crt
Note: tls_cacertdir /etc/ssl/certs would seem more ideal because of the cleaner management of certificates, but a bug seems to cause enumeration delays; see ticket:19.
Configure PAM to support LDAP authn. pam_unix is tried first so local accounts keep working; pam_ldap then gets the same password via use_first_pass. Linux-PAM denies access when no module in the stack succeeds, but the customary safeguard after a run of sufficient lines is to end the stack with auth required pam_deny.so so the result never depends on that default:
apt-get install libpam-ldap
cd /etc/pam.d
patch -l common-auth << EOF
10c10,11
< auth	required	pam_unix.so nullok_secure
---
> auth	sufficient	pam_unix.so nullok_secure
> auth	sufficient	pam_ldap.so use_first_pass config=/etc/authn_ldap.conf
EOF
Create a new group for the authorized users so they can be given access to the repository files:
groupadd atlab
cd /srv/svn/projects.uabgrid
chgrp -R atlab gpir-sge/
find gpir-sge/ -perm /u+w -exec chmod g+w {} \;
Add the users to the new authorization group.
Provision Projects
Provisioning project resources is an operating process that occurs whenever a collaboration group creates a project. The steps for setting up a project are being documented as part of the UABgrid provisioning project.
