
How to set up a new server

To request a new (virtual) server, create a new issue on Aston TOPdesk and send in a copy of the ITS Server Request Form. If the new server needs to be accessible from outside the aston.ac.uk domain, be sure to say so on the form.

Each Beautiful Canoe server should have internal access to:

  • ICMP, TCP and UDP, with SSH (port 22), HTTP (80), HTTPS (443), LDAP (389), SMTP (25) and Nagios NRPE (5666) open
  • Local LDAP server
  • Local SMTP server
  • bc-monitor.campus.aston.ac.uk for Nagios
  • ssh from/to Beautiful Canoe staff machines

and external access to:

Once a new server comes online, there are a number of tasks that need to be carried out to set it up, and automate a number of common administration tasks. Some of these are common to all servers, and some are only relevant to servers that run live web applications.

Basic server administration

There are a number of basic tasks that need to be carried out on all servers, regardless of their purpose.

Find out what external IP address the server has

On the server, run:

$ curl https://ipinfo.io/ip
134.151.22.7
$

and make sure that the IP address is written into the Beautiful Canoe Server Map.

Set up Postfix

Postfix is a mail server for UNIX operating systems. Follow the Postfix howto to set it up on the new server, so that automated services can email the administrator.

Ensure the output of cron is read

cron automatically runs scheduled tasks, and it is important that the server administrator is made aware of any errors that occur while cron jobs run. Edit /etc/crontab (or /etc/anacrontab on some operating systems) and add this line above the job entries, since a MAILTO assignment only applies to the lines that follow it:

MAILTO=tech@beautifulcanoe.com

For this to work, Postfix must already be working.

Use a cron job to apply OS updates

Operating system updates (particularly security updates) should be applied automatically.

On Ubuntu servers, add a new file /etc/cron.daily/apt-get-upgrade with these contents:

#!/bin/sh
# Daily unattended package upgrade. Anything printed here is mailed to
# cron's MAILTO address, so the commands are kept quiet unless they fail.

# Never prompt: debconf would otherwise wait for a terminal that cron does not provide.
export DEBIAN_FRONTEND=noninteractive

# -qq prints errors only and implies -y; Dpkg::Use-Pty=0 stops dpkg from
# allocating a pseudo-terminal, which is not available under cron.
apt-get -qq -o=Dpkg::Use-Pty=0 update
apt-get -qq -o=Dpkg::Use-Pty=0 upgrade
apt-get -qq -o=Dpkg::Use-Pty=0 autoclean

export DEBIAN_FRONTEND=dialog

then make it executable (run-parts only runs executable files, and on Debian and Ubuntu it silently skips any name containing a dot, so do not give the file a .sh suffix):

chmod +x /etc/cron.daily/apt-get-upgrade

Note that apt-get upgrade never installs or removes packages, so updates that need new dependencies (new kernel packages, for instance) are held back; check for these from time to time with apt-get -s dist-upgrade.

On CentOS servers, add a file called /etc/cron.daily/0yum-daily.cron with these contents (it relies on the yum-cron package, which provides /usr/sbin/yum-cron and the init script mentioned in the comments, so install that package first):

#!/bin/bash

# Only run if this flag is set. The flag is created by the yum-cron init
# script when the service is started -- this allows one to use chkconfig and
# the standard "service stop|start" commands to enable or disable yum-cron.
if [[ ! -f /var/lock/subsys/yum-cron ]]; then
  exit 0
fi

# Action!
exec /usr/sbin/yum-cron

and make the file executable:

chmod +x /etc/cron.daily/0yum-daily.cron

The script does nothing until the yum-cron service has been started (service yum-cron start, plus chkconfig yum-cron on so that it survives a reboot), because starting the service is what creates the /var/lock/subsys/yum-cron flag the script tests for.
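The two checks a practitioner would want after the cron steps above (MAILTO placement, and whether run-parts will actually pick up the daily script), as an added example that is not part of the Beautiful Canoe wiki. Both functions work on files passed as arguments, so they can be run against copies of the configuration before it is deployed; the script file name used in the usage comment is an assumption.

```shell
#!/bin/sh
# Added example (not from the Beautiful Canoe wiki): sanity checks for the
# cron configuration described above.

# check_mailto FILE
#   Returns 0 if FILE (an /etc/crontab-style file) has a non-empty MAILTO in
#   effect for every job line. cron applies a MAILTO assignment only to the
#   lines after it, so a MAILTO placed after a job, or MAILTO="", silently
#   discards that job's output instead of mailing it.
check_mailto() {
    awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }          # comments, blank lines
        /^[[:space:]]*MAILTO[[:space:]]*=/ {                    # MAILTO=addr or MAILTO="addr"
            v = $0; sub(/^[^=]*=[[:space:]]*/, "", v); gsub(/"/, "", v)
            mailto = v; next
        }
        /^[[:space:]]*[A-Za-z_][A-Za-z0-9_]*[[:space:]]*=/ { next }  # SHELL=, PATH=, ...
        { if (mailto == "") bad = 1 }                           # a job line with no recipient
        END { exit bad }
    ' "$1"
}

# check_cron_daily_script FILE [debian|centos]
#   Prints one line per problem and returns 1 if run-parts would not run FILE
#   as a daily job. On Debian and Ubuntu, run-parts silently ignores any name
#   containing characters outside [A-Za-z0-9_-] (so apt-get-upgrade.sh would
#   never run); CentOS's run-parts only skips backup-style names such as *~
#   and *.rpmsave. Both need the file to be executable and start with #!.
check_cron_daily_script() {
    f=$1; flavour=${2:-debian}; rc=0
    name=$(basename "$f")
    [ -f "$f" ] || { echo "$f: not a regular file"; return 1; }
    [ -x "$f" ] || { echo "$f: not executable (chmod +x)"; rc=1; }
    case $(head -n 1 "$f") in
        '#!'*) ;;
        *) echo "$f: first line is not a #! interpreter line"; rc=1 ;;
    esac
    if [ "$flavour" = debian ]; then
        case $name in
            *[!A-Za-z0-9_-]*) echo "$f: name '$name' is skipped by Debian/Ubuntu run-parts"; rc=1 ;;
        esac
    else
        case $name in
            *~|*.rpmsave|*.rpmorig|*.rpmnew|*.swp) echo "$f: name '$name' is skipped by CentOS run-parts"; rc=1 ;;
        esac
    fi
    return $rc
}

# Stand-alone use (file name assumed):
#   sh check-cron.sh /etc/crontab /etc/cron.daily/apt-get-upgrade
if [ $# -ge 2 ]; then
    if check_mailto "$1"; then echo "$1: MAILTO in effect for every job"; else echo "$1: job(s) with no MAILTO"; fi
    shift
    for s in "$@"; do check_cron_daily_script "$s" && echo "$s: ok"; done
fi
```

Pass centos as the second argument of check_cron_daily_script when checking /etc/cron.daily/0yum-daily.cron, since its dot is fine there but would be rejected by the Debian rule.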

Use NTP to set time/date

The Network Time Protocol (NTP) keeps a server's date and time correct, which matters for log timestamps, TLS certificate validity checks and anything time-based in authentication. To set up NTP on Ubuntu, do the following:

sudo apt-get install ntpdate
sudo ntpdate ntp.aston.ac.uk  # Step the clock once now: ntpd refuses to correct an offset of more than 1000 s
sudo timedatectl set-ntp off  # Turn off default Ubuntu time configuration (systemd-timesyncd) so it does not compete with ntpd
sudo apt-get install ntp
sudo service ntp restart

ntpd takes its servers from /etc/ntp.conf, whose package default is the Ubuntu pool; add a "server ntp.aston.ac.uk" line there if the campus time server should be used. Check that the daemon has synchronised with ntpq -p: the peer marked with * is the one the clock is following, and the offset column is in milliseconds.
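The ntpq -p check, as an added example that is not part of the wiki: ntp_synced reads saved ntpq -p output (run ntpq -p > /tmp/ntpq.txt on the server, or pass - to read standard input) and succeeds only if ntpd has chosen a system peer whose absolute offset is within a limit. The default limit of 500 ms is an assumption; use whatever the monitoring tolerates.

```shell
#!/bin/sh
# Added example (not from the Beautiful Canoe wiki): parse `ntpq -p` output.
#
# ntp_synced FILE [MAX_OFFSET_MS]
#   ntpq -p prints one line per peer with the columns
#     remote refid st t when poll reach delay offset jitter
#   and prefixes the remote name with a tally code: '*' marks the peer ntpd
#   is actually synchronised to, '+' a candidate, ' ' one that is rejected or
#   still initialising. Returns 0 only if a '*' line exists and its offset
#   (column 9, milliseconds) is within MAX_OFFSET_MS (assumed default 500).
ntp_synced() {
    awk -v max="${2:-500}" '
        /^\*/ {                         # system peer line
            off = $9
            if (off < 0) off = -off     # offset may be negative
            if (off <= max) ok = 1
        }
        END { exit !ok }                # no "*" peer, or offset too large
    ' "$1"
}

# Stand-alone use on a server: ntpq -p | sh ntp-check.sh -   (file name assumed)
if [ $# -ge 1 ]; then
    if ntp_synced "$1" "$2"; then echo "ntpd synchronised"; else echo "ntpd NOT synchronised"; exit 1; fi
fi
```

Straight after installation every peer shows a refid of .INIT. and reach 0, as in the second constructed sample in the test; it takes a few poll intervals before one is marked with *.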

Use NRPE to monitor server health

At Beautiful Canoe, we use Nagios to monitor our servers. Follow the NRPE howto to set the Nagios agent up on the new server, and add the server to the front-end of the monitoring tool.

Ensure that Aston users can log in with campus credentials

First, try connecting to the Aston LDAP server with the ldapsearch tool of the ldap-utils package. Details on how to do this are not listed here, but please see the sysadmin-resources section of the Beautiful Canoe Leadership wiki.

If ldapsearch can retrieve Antonio's information, the next step is to enable the LDAP module for Pluggable Authentication Modules (PAM). The specific steps change depending on your version of Ubuntu; this Ubuntu Community Wiki page has more details.

In particular, we need to install these packages to get started:

sudo apt-get install ldap-auth-client nslcd libnss-ldapd

The package configuration script will ask for several things:

  • A URL;
  • a base DN;
  • an LDAP version (use v3);
  • whether the local root should be the database admin (it should not);
  • whether the LDAP server requires login (it does);
  • a username for an unprivileged database user, and
  • a password.

These values can also be found in the sysadmin-resources section of the Beautiful Canoe Leadership wiki.

Check that ldap is NOT listed on the passwd, group or shadow lines of /etc/nsswitch.conf (the libnss-ldapd package configuration offers to add it; remove it if it has been added). With PAM using LDAP but NSS not, passwords are checked against the Aston directory, but only users who have been given a local account on the server can log in. This is deliberate: we only want to accept users that are manually added to the system, not every Aston account.

You should now be able to SSH into the server with your Aston credentials, once you have a local account on it (see Creating new admin users below).

Creating new admin users

As a minimum, both @snim2 and @a.garcia-dominguez should be admin users of every Beautiful Canoe server.

For each new user, create a home directory and set their shell. useradd's default shell is /bin/sh, but unless the user has asked for a specific shell, /bin/bash should be used:

sudo useradd -m -s /bin/bash USERNAME

On Ubuntu, the group that grants sudo rights is called sudo. Add the user to that group with:

sudo usermod -a -G sudo USERNAME

At this point, the new user should be able to SSH into the server with their normal Aston credentials. There is no need to run passwd for them: the password is checked against LDAP, and a local password would only add a second, separately managed credential.
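Two checks for the login set-up described in the last two sections (the nsswitch.conf rule and the minimum set of admin users), as an added example that is not part of the Beautiful Canoe wiki. The functions read nsswitch.conf-style and /etc/group-style files given as arguments, so they can be pointed at the live files on a server or at copies; the script file name in the usage comment is an assumption.

```shell
#!/bin/sh
# Added example (not from the Beautiful Canoe wiki): checks for the
# LDAP-authentication / local-account login design described above.

# nsswitch_uses_ldap FILE
#   Returns 0 if the passwd, group or shadow line of an nsswitch.conf-style
#   FILE lists the ldap source. For the set-up above that is a
#   misconfiguration: the whole directory would become a source of accounts,
#   so any Aston user could log in rather than only those created locally.
nsswitch_uses_ldap() {
    awk '
        /^[[:space:]]*#/ { next }                               # comments
        $1 == "passwd:" || $1 == "group:" || $1 == "shadow:" {
            for (i = 2; i <= NF; i++) if ($i == "ldap") hit = 1
        }
        END { exit !hit }                                       # 0 only if ldap was seen
    ' "$1"
}

# user_in_group GROUPFILE GROUP USER
#   Returns 0 if USER appears in the member list of GROUP in an /etc/group-
#   style file (the fourth colon-separated field, which usermod -a -G edits).
user_in_group() {
    awk -F: -v g="$2" -v u="$3" '
        $1 == g {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] == u) found = 1
        }
        END { exit !found }
    ' "$1"
}

# missing_admins GROUPFILE USER...
#   Prints each USER that is not in the sudo group and returns 1 if any is
#   missing; use it to confirm the minimum admin set on every server.
missing_admins() {
    gf=$1; shift; rc=0
    for u in "$@"; do
        user_in_group "$gf" sudo "$u" || { echo "$u"; rc=1; }
    done
    return $rc
}

# Stand-alone use on a server (file name assumed):
#   sh check-logins.sh /etc/nsswitch.conf /etc/group snim2 a.garcia-dominguez
if [ $# -ge 2 ]; then
    nss=$1; grp=$2; shift 2
    if nsswitch_uses_ldap "$nss"; then
        echo "$nss: ldap listed for passwd/group/shadow - remove it"
    else
        echo "$nss: ok"
    fi
    for u in $(missing_admins "$grp" "$@"); do echo "not in sudo group: $u"; done
fi
```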

Copy over ssh keys

Usually, when you log into a new server with ssh you will need to enter a password. You can avoid this by copying your public ssh key from your development machine into your authorized_keys file on the server:

ssh-copy-id USER@SERVER.campus.aston.ac.uk

ssh-copy-id asks for your password one last time; after that, ssh USER@SERVER.campus.aston.ac.uk should log you in with the key.

Serving web applications

To prepare a server to serve a live website, a number of other steps need to be taken. These are:

You should also add any external URLs to the Beautiful Canoe SSL validator, which runs every night as a GitLab pipeline. To do this, create a pull request to change the validate_ssl.py file in the cron-scripts directory of the sysadmin-resources repository in the Beautiful Canoe Leadership group.