sysadmin

Step-by-step: Set up an NFS share

This article assumes you have NFS and portmap installed on your server already. I think a lot of distros come that way, but some of the links below the instructions mention installation steps if you need them. If you need to install on Red Hat or CentOS, just do:
yum install nfs-utils nfs4-acl-tools portmap

I. First, set up the NFS server

(note: in the steps below 192.168.0.2 is the nfs client, and 192.168.0.3 is the nfs server)
1. mkdir /home/fileshare
2. Add this to /etc/exports on the NFS server:
/home/fileshare 192.168.0.2(rw,sync)
3. Add this to /etc/hosts.allow on the NFS server:
portmap: 192.168.0.2/255.255.255.255
portmap: 192.168.0.3/255.255.255.255
4. Check to make sure portmap is running correctly by doing:
/sbin/service portmap status
...check /var/log/messages for any error that might occur
5. Start nfs and portmap:
/etc/init.d/portmap start
/etc/init.d/nfs start
6. Make sure the client's IP gets added to APF, or else the connection will time out:
apf -a 192.168.0.2
7. Make sure services start on boot:
chkconfig nfs on
chkconfig portmap on

SPECIAL NOTES
1. If portsentry is on the server, make sure that it doesn't get in the way when trying to start portmap. If this is an issue, comment out every place where '111' appears in /etc/portsentry/portsentry.conf (111 is the port that portmap uses), then stop and start portsentry to reload (/etc/init.d/portsentry stop, /etc/init.d/portsentry start).
2. Add the IP of the client server to /etc/portsentry/portsentry.ignore
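
A quick check of the /etc/exports entry from step 2, as an added example that is not part of the original article: it flags paths without a leading slash, exports open to any host, and the no_root_squash and insecure options. The sample entries and the /srv paths are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag risky or malformed entries in an exports(5)-style file.
# Reads the file(s) named as arguments, or stdin when none are given.
audit_exports() {
    awk '
    /^[ \t]*(#|$)/ { next }                    # skip comments and blank lines
    {
        path = $1
        if (path !~ /^\//)
            print "line " NR ": path " path " is not absolute"
        if (NF == 1)
            print "line " NR ": " path " has no client list, so any host may mount it"
        for (i = 2; i <= NF; i++) {
            client = $i; opts = ""
            p = index($i, "(")
            if (p > 0) {
                client = substr($i, 1, p - 1)
                opts = substr($i, p + 1)
                sub(/\)$/, "", opts)
            }
            # "(opts)" with no host, e.g. after a stray space, means everyone
            if (client == "" || client == "*")
                print "line " NR ": " path " is exported to any host"
            if (("," opts ",") ~ /,no_root_squash,/)
                print "line " NR ": " path " lets remote root act as root (" client ")"
            if (("," opts ",") ~ /,insecure,/)
                print "line " NR ": " path " accepts unprivileged source ports (" client ")"
        }
    }' "$@"
}

# Constructed sample input, not taken from a real server.
sample_exports() {
    cat <<'EOF'
# /etc/exports (constructed)
/home/fileshare 192.168.0.2(rw,sync)
home/fileshare 192.168.0.2(rw,sync)
/srv/pub *(rw,sync)
/srv/build 192.168.0.2(rw,sync,no_root_squash)
EOF
}

sample_exports | audit_exports
```

On a real server, run it as audit_exports /etc/exports before restarting nfs.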

II. Second, set up the NFS client

1. Make shared directory on client
mkdir /home/fileshare
2. Add to /etc/fstab on the client so it will get mounted on reboot:
192.168.0.3:/home/fileshare /home/fileshare nfs rw,hard,intr 0 0
3. Start portmap:
/etc/init.d/portmap start
4. Make sure the server's IP gets added to APF, or else the connection will time out:
apf -a 192.168.0.3
5. Mount with:
mount -a
6. Make sure portmap starts on boot:
chkconfig portmap on


Other articles
http://linuxwave.blogspot.com/2008/08/nfs-howto-for-centos-5.html
http://rootit.org/2008/07/nfs-shares-on-centos/
http://www.johnandcailin.com/blog/john/scaling-drupal-step-one-dedicated-data-server
http://www.eth0.us/nfs-crash-course
11 August, 2009

Provisioning and install script for a speedy Drupal workflow

I made this script and the database backup, dump, and SVN commit script because I was determined to spend as little time as possible doing sysadmin while setting up dev and staging sites, so that I could spend as much time as possible developing (e.g., the fun stuff). With one command the script can:

  • 'svn up' a version controlled database, and upload it to your database
  • Run queries against database to set preferred site defaults
  • 'svn up' site docroot
  • Copy over fresh "files" directory from another site (e.g., production). Note, not a good option if you have your "files" directory version controlled.
  • Set owner:group file permissions on all site files

How to
The script should go in a non-public, secure directory, which is somewhere below the site doc root. I haven't tried running it with permissions less than sudo, though it may be possible. Invoke by doing:

sh path/to/provision_and_install.sh

Download
provision_and_install.sh.zip

28 March, 2009

Database backup, dump, and SVN commit script for Drupal workflow

This script is useful for keeping a database within reach of an 'svn up' anywhere it needs to be deployed (e.g., dev and staging sites). In addition to creating a database dump, it also svn commits the database. I use it in conjunction with this provisioning / install script, but it can be used on its own.

How to
The script should go in a non-public, secure directory, which is somewhere below the site doc root. I haven't tried running it with permissions less than sudo, though it may be possible. Invoke by doing:

sh path/to/dump_and_checkin.sh

It has logging and verbose output for confirmation of its operations on the command line.

Future possibilities include doing something like this to cut down on the size of the diffs committed, but since I haven't gotten a chance to test that in a production environment, I am sticking with plain-and-simple in order to guarantee the integrity of the SQL file.

Download
dump_commit.sh.zip

dump_commit_w_perms.sh.zip (dump and commit, plus update file permissions, a feature not related to backup - simply for maintenance reasons. I use this one myself, but use the other script if this feature is not wanted or needed)

28 March, 2009

Advanced server/spam bot blocking

As promised in an earlier article about blocking server spam, here are some advanced tips on shutting the door to these resource leeches:

#1: Non-existent urls getting hammered:
This can be a major problem, one which I believe has been at least somewhat cured in Drupal 6, but for Drupal 5 and below a request to a non-existent page such as http://yoururl.com/node/vote/ does not trigger a 404 page as you might expect. Instead the entire front page loads up. That is annoying enough as it is, but when combined with a confused/malicious bot that continually hammers the non-existent url, the resource load can be enough to weigh heavily even on a dedicated server, let alone a shared-hosting account. [note: there is an update in the comments below with more specific information about the versions of Drupal which are affected by this problem]

What to do about it:
Certainly putting any paths you see that are getting hit this way in your robots.txt file is a good idea, but that does not always solve the problem. Sometimes more drastic measures are needed. Below is a snippet from an actual .htaccess file that has cured several malbot instances that were causing significant server slowdowns - feel free to use it and append your own paths as appropriate (if you copy this, be sure you do not have a line break before the [OR], and be sure your last line does not have an [OR]):

### Forbid access to bot-beaten non-pages
RewriteCond %{REQUEST_URI} ^/node/forward($|/.*$) [OR]
RewriteCond %{REQUEST_URI} ^/blog/comment($|/.*$) [OR]
RewriteCond %{REQUEST_URI} ^/blog/node/forward($|/.*$) [OR]
RewriteCond %{REQUEST_URI} ^/blog/blog($|/.*$) [OR]
RewriteCond %{REQUEST_URI} ^/storylink/forward($|/.*$) [OR]
RewriteCond %{REQUEST_URI} ^/node/blog($|/.*$) [OR]
RewriteCond %{REQUEST_URI} ^/_vti_bin/404.html($|/.*$) [OR]
RewriteCond %{REQUEST_URI} ^/categories/node($|/.*$) [OR]
RewriteCond %{REQUEST_URI} ^/node/accessories($|/.*$)
RewriteRule .* - [F,L]

#2: Have an IP? Awesome. Now keep bots from even reaching apache
If there is anything good that can be said about server malbots, as compared to their comment spamming cousins, it's that typically a server-spamming bot will have a static ip address instead of a (dreaded) dynamic one. This makes banning it much easier, of course.
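
To find which static IPs are doing the hammering, the paths from the .htaccess snippet in #1 can be counted per client in the access log. This is an added example, not part of the original article; it assumes Apache common/combined log format, and the log lines and IPs (documentation ranges) are constructed.

```shell
#!/bin/sh
# Added example: count hits per client IP on the non-pages blocked by the
# .htaccess snippet. Assumes Apache common/combined log lines on stdin.
# Same paths as the RewriteCond list, as one extended regex.
BAD_PATHS='^/(node/forward|blog/comment|blog/node/forward|blog/blog|storylink/forward|node/blog|_vti_bin/404[.]html|categories/node|node/accessories)(/|$)'

# hammering_ips [MIN_HITS]: prints "hits ip", busiest first.
hammering_ips() {
    awk -v re="$BAD_PATHS" -v min="${1:-1}" '
    {
        path = $7                      # request path in "METHOD /path HTTP/x"
        sub(/\?.*/, "", path)          # REQUEST_URI excludes the query string
        if (path ~ re) hits[$1]++
    }
    END { for (ip in hits) if (hits[ip] >= min) print hits[ip], ip }
    ' | sort -rn
}

# Constructed log lines (documentation-range IPs), not real traffic.
sample_log() {
    cat <<'EOF'
203.0.113.7 - - [16/Oct/2007:10:00:01 +0000] "GET /node/forward/12 HTTP/1.1" 200 5120
203.0.113.7 - - [16/Oct/2007:10:00:02 +0000] "GET /node/forward HTTP/1.1" 200 5120
203.0.113.7 - - [16/Oct/2007:10:00:02 +0000] "GET /blog/comment/reply/3?page=1 HTTP/1.1" 200 5120
198.51.100.4 - - [16/Oct/2007:10:00:03 +0000] "GET /node/forwarding HTTP/1.1" 200 5120
198.51.100.4 - - [16/Oct/2007:10:00:04 +0000] "GET /node/12 HTTP/1.1" 200 2048
192.0.2.9 - - [16/Oct/2007:10:00:05 +0000] "GET /categories/node HTTP/1.1" 200 5120
EOF
}

sample_log | hammering_ips
```

Against a live log, pipe the access log into hammering_ips with a minimum hit count so that one-off requests drop out of the list.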

16 October, 2007