/runtime-builder

海聯 runtime environment deployment guide


How to build a runtime environment for overseas

System Requirement

  1. Hardware: any hardware that can run Ubuntu 18.04
  2. OS: Ubuntu 18.04 (Server edition is recommended)
  3. Software:
    1. nginx
    2. php
    3. certbot
    4. mariadb
    5. ghostscript
    6. fail2ban
    7. portsentry
    8. supervisor
    9. rsync
    10. docker
    11. ufw

Hardware Configuration

  1. Storage:
    1. physical: HDD * 8, SSD * 2
      (screenshot: Physical Disk List)

    2. virtual (RAID): VD_HDD (HDD * 8), VD_SSD (SSD * 2)
      (screenshots: Virtual Disk List, VD_HDD config, VD_SSD config)

OS Installation Hint

  1. Set language to English to avoid font issues

  2. Set Location to Asia/Taiwan

  3. Set Locale to en_US.UTF-8

  4. Set keyboard to English (US) (screenshot: language setting)

  5. Check that the timezone is Asia/Taipei

  6. Install the system on disk VD_HDD

  7. Install OpenSSH Server in the predefined software step (screenshot: predefined software)

Software Configuration

Nginx + Certbot

  1. The traditional way

  2. The modern way

  3. Add the config below to /etc/crontab to auto-renew certificates

    30 2 * * 1 root /usr/bin/certbot renew
    35 2 * * 1 root /etc/init.d/nginx reload


PHP

Supervisor

Install for Laravel Queue Worker

Database

  1. MariaDB Audit plugin
    Add the config below to /etc/mysql/mariadb.conf.d/50-server.cnf
    # for server / query audit
    plugin_load=server_audit=server_audit.so
    
    #
    # * MariaDB Audit Plugin
    #
    # https://mariadb.com/kb/en/library/mariadb-audit-plugin-log-settings/
    #
    # for server / query audit
    
    server_audit_logging=on
    
    # to log all queries, or to log only connect and table changes?
    # https://mariadb.com/kb/en/library/mariadb-audit-plugin-log-settings/#logging-query-events
    server_audit_events=CONNECT,QUERY,TABLE
    
    server_audit_file_path=/var/log/mysql/server_audit.log
    
    # log file size 1G=1000000000
    # now set to 100M
    server_audit_file_rotate_size=100000000
    
    # set to 0 means never rotate (0-999)
    # now set 999, size will be 100M*999=100G
    server_audit_file_rotations=999
    
    # set max logging query length to 10M per query
    server_audit_query_log_limit=10485760
    
  2. fd limit (open files limit)
    1. Add the config below to /etc/mysql/mariadb.conf.d/50-server.cnf

      #
      # Open File Limit
      #
      open_files_limit = 65535
      
    2. Add the config below to /etc/security/limits.conf

      mysql            soft    nofile          65535
      mysql            hard    nofile          65535
      
  3. automysqlbackup
    1. apt install automysqlbackup
    2. Review settings in /etc/default/automysqlbackup.
      • DBNAMES
      • BACKUPDIR
      • MDBNAMES
      • DBEXCLUDE
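A post-deploy check for the audit-plugin settings in item 1 above, so drift in 50-server.cnf (a setting commented out, changed or missing) is caught before it silently stops query logging. This is an added example, not code from the runtime-builder repo; check_audit_config and sample_cnf are names chosen here, and the sample config is constructed for the demo.

```shell
#!/usr/bin/env bash
# Post-deploy check that a MariaDB config carries the audit-plugin settings
# from the block above. Added example; not code from the runtime-builder repo.
set -u
# Expected key=value pairs, taken from the recommended config above.
EXPECTED='plugin_load=server_audit=server_audit.so
server_audit_logging=on
server_audit_events=CONNECT,QUERY,TABLE
server_audit_file_path=/var/log/mysql/server_audit.log
server_audit_file_rotate_size=100000000
server_audit_file_rotations=999
server_audit_query_log_limit=10485760'
# check_audit_config <cnf-file>: prints one line per missing or mismatched
# key; returns 0 only when every expected setting has the expected value.
check_audit_config() {
  local cnf=$1 status=0 line key want got
  while IFS= read -r line; do
    key=${line%%=*}
    want=${line#*=}
    # Strip comments, extract this key's value (whitespace around '=' is
    # allowed) and keep the last assignment, since later settings override.
    got=$(sed -n -e 's/[[:space:]]*#.*$//' \
                 -e "s/^[[:space:]]*${key}[[:space:]]*=[[:space:]]*//p" "$cnf" \
          | tail -n 1 | sed -e 's/[[:space:]]*$//')
    if [ "$got" != "$want" ]; then
      printf 'MISMATCH %s: want "%s", got "%s"\n' "$key" "$want" "${got:-<unset>}"
      status=1
    fi
  done <<EOF
$EXPECTED
EOF
  return "$status"
}
# Constructed sample config (not a real server file); $1 sets the value of
# server_audit_logging so a drifted setting can be demonstrated offline.
sample_cnf() {
  cat <<EOF
[mysqld]
plugin_load=server_audit=server_audit.so
server_audit_logging = $1   # whitespace around '=' plus an inline comment
server_audit_events=CONNECT,QUERY,TABLE
server_audit_file_path=/var/log/mysql/server_audit.log
server_audit_file_rotate_size=100000000
server_audit_file_rotations=999
server_audit_query_log_limit=10485760
EOF
}
```

On a server run check_audit_config /etc/mysql/mariadb.conf.d/50-server.cnf; for a local demo, sample_cnf off > some-file makes a drifted config that reports server_audit_logging as want "on", got "off".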

fail2ban

  • apt install fail2ban
  • It's OK to use the default settings

portsentry

  1. apt install portsentry
  2. Review settings in /etc/portsentry/portsentry.conf
    • TCP_PORTS / UDP_PORTS
    • ADVANCED_EXCLUDE_TCP / ADVANCED_EXCLUDE_UDP
  3. Make sure the settings below are enabled
    • BLOCK_UDP="1" / BLOCK_TCP="1"
    • SCAN_TRIGGER="1" to reduce false alarms
  4. Use a better KILL_ROUTE. Find the line below and uncomment it to block with iptables instead of the default rule
    KILL_ROUTE="/sbin/iptables -I INPUT -s $TARGET$ -j DROP && /sbin/iptables -I INPUT -s $TARGET$ -m limit --limit 3/minute --limit-burst 5 -j LOG --log-level DEBUG --log-prefix 'Portsentry: dropping: '"


docker

Disk Mount

  1. Make sure VD_SSD is formatted as ext4
  2. Create the directory /mnt/VD_SSD
  3. Run sudo fdisk -l to find the device path of VD_SSD
  4. Run blkid (VD_SSD's device path with partition number) to get the UUID of VD_SSD's partition
  5. Add UUID=(UUID from the previous step) /mnt/VD_SSD ext4 errors=remount-ro 0 1 to /etc/fstab

rsync (SSD -> HDD)

Add the line below to /etc/crontab

*/5 * * * * root rsync --archive --delete --delete-delay --delay-updates /mnt/VD_SSD /data/

ufw (Uncomplicated Firewall)

  1. Ubuntu has ufw built in. Use sudo ufw status to check its status and rules.
  2. To keep your SSH connection after enabling ufw, sudo ufw allow ssh is necessary.
  3. Add sudo ufw allow 80, sudo ufw allow 443 and any other rules you need.
  4. Once the settings are ready, run sudo ufw enable.

Example Config Files

All examples are in the config-examples folder.