H-Sphere Documentation Sysadmin Guide

 

Preparing Servers for H-Sphere Installation

 

The purpose of this document is to provide comprehensive information on how to prepare Linux and Unix servers for the installation of H-Sphere components, whether the installation is performed by the Positive Software team or by customers themselves.

Note: We do not install H-Sphere on live servers, and we take no responsibility if your production services go down during the H-Sphere installation.

 

Supported Operating Systems

Before requesting H-Sphere installation, make sure to install one of the following 32-bit operating systems. Installation on 64-bit operating systems is not supported.

Operating System                      | Supported OS Version | Supported by H-Sphere*
--------------------------------------+----------------------+------------------------------------------------------------------------
Trustix™ Secure Linux                 | 2.2                  | Since H-Sphere 2.4.2 Patch 4
Trustix™ Secure Enterprise Linux      | release 2            | Since H-Sphere 2.4.1 Patch 1
RedHat Linux                          | 7.2, 7.3             | Fresh installs are not performed, but existing installations are supported
RedHat Enterprise Linux (WS, ES, AS)  | up to 3.0            | In all H-Sphere versions since 2.4
                                      | 4.0                  | Since H-Sphere 2.4.2 Patch 4
White Box Enterprise Linux            | 3.0                  | Since H-Sphere 2.4.2
                                      | 4                    | Since H-Sphere 2.4.3 Patch 1
CentOS                                | 3.1, 3.3, 3.4, 3.5   | In all H-Sphere versions since 2.4
                                      | 4                    | Since H-Sphere 2.4.3 Patch 1
FreeBSD                               | 4.8, 4.9, 4.10       | Fresh installs are not performed, but existing installations are supported
                                      | 4.11 **              | H-Sphere 2.4.3 RC 2 and up for all servers, including the CP server;
                                      |                      | H-Sphere 2.4.2 - 2.4.3 RC 1 for all servers except the CP server
                                      | 5.3 ***              | H-Sphere 2.4.2 and up for all servers except the CP server
                                      | 5.4 ***              | H-Sphere 2.4.3 Patch 1 and up for all servers except the CP server

 

WARNING:

* H-Sphere versions before 2.4 are no longer supported. We only perform updates from these versions to the latest stable H-Sphere version.
** Starting with version 2.4.3 RC 2, H-Sphere includes Java 1.4.2 for FreeBSD 4.x, so the CP server can now be installed on FreeBSD 4.x. In H-Sphere versions earlier than 2.4.3 RC 2, we do not recommend installing the CP server on FreeBSD 4.x because of problems with the Java 1.3.1 implementation.
*** Do not install the CP server on FreeBSD 5.x: FreeBSD 5.x does not provide proper Java support.

You may also want to read a related discussion in our forum.

 

Hardware Requirements

If you are going to install H-Sphere on a single computer, make sure it has at least a Pentium III 500MHz CPU and 512MB RAM. This will allow you to host only a small number of customers. Adding SiteStudio requires at least a 1000MHz CPU and 1GB RAM.

 

Single-Server and Multi-Server Installation

 

General Considerations

H-Sphere can be installed on one or more servers. The required number of servers and their hardware configuration will largely depend on the number of accounts you are planning to host, Web and mail quotas, traffic load and other related factors.

Here are some general considerations common to an H-Sphere server environment:

  1. We recommend installing the Control Panel (CP) on a separate server. It is also acceptable to install one DNS server on the CP box, for example if you are planning a 2-server installation.
  2. You must not install the PostgreSQL hosting service on the same box as the Control Panel, because the latter requires a separate PostgreSQL server for its system database.
  3. You can have several DNS servers on one box. However, for a multiserver H-Sphere installation, you should install each DNS server on a separate box. The best solution is to have two DNS servers on separate boxes. More on DNS servers
  4. We advise installing the mail server on the same box as the MySQL server, as the mail server requires its own MySQL database.
  5. It is reasonable to allocate separate physical servers to the most resource-consuming services. Usually these are the Web and mail servers, but sometimes MySQL and PostgreSQL.

According to these recommendations, the following 4-server installation may be an optimal solution:

  • Server 1: Control Panel (with the system PostgreSQL database);
  • Server 2: Web1 + DNS1;
  • Server 3: Mail + MySQL1 (user DB) + DNS2;
  • Server 4: PostgreSQL (user DB) + MySQL2 (user DB).

Later on, you may add more boxes to your system, as your needs grow:

  • Server 5: Web2;
  • Server 6: Mail2 (with its own MySQL DB);
  • ...

 

Sample 1/2/3-Server Configurations

Below are sample 1/2/3-server H-Sphere installations with preferred partitioning schemes.

Single-server installation includes the Control Panel, DNS, Web, mail, and MySQL services. The PostgreSQL hosting service is not included because the box already runs the H-Sphere system PostgreSQL database (see consideration 2 above).

Make sure you have at least two IPs available, because some features (like OpenSRS) require at least two DNS servers. More on Single DNS

Examples:

40GB HDD:

/ root partition (/etc, /tmp, /root) - 1-3 GB
/usr - 3-5 GB
/var - 5-7 GB for mail and MySQL files
/hsphere (or /home - see HDD Partitioning) - the remaining disk space for H-Sphere installation and Web hosting.

80GB HDD:

/ root partition (/etc, /tmp, /root) - 2-6 GB
/usr - 6-10 GB
/var - 10-15 GB for mail and MySQL files
/hsphere (or /home - see HDD Partitioning) - the remaining disk space for H-Sphere installation and Web hosting.

120+ GB HDD:

/ root partition (/etc, /tmp, /root) - 3-10 GB
/usr - 10-20 GB
/var - 15-30 GB for mail and MySQL files
/hsphere (or /home - see HDD Partitioning) - the remaining disk space for H-Sphere installation and Web hosting.

The more users you plan to host, the more disk space is required. If you want SiteStudio, it is also installed onto this partition; note the higher CPU and RAM minimums it imposes (see Hardware Requirements).

In addition, you can create a separate mail partition for the H-Sphere mail system. Its size will depend on your mail quotas for users and the number of mailboxes.

Consider the following partitioning scheme for the two-server configuration:

1) Control Panel + DNS2:

The partitioning requirements are similar to those for one server installation. This box will have the H-Sphere control panel, the system database, DNS server, and SiteStudio (optional).

2) Web + Mail + MySQL + PostgreSQL + DNS1:

/ - 1-3 GB
/usr - 3-5 GB
/var - 5-7 GB for mail and MySQL files.
/hsphere - takes the rest of the space for Web content and is the biggest partition.

Consider the following partitioning scheme for a three-server configuration:

1) Control Panel

The partitioning requirements are similar to those for the one-server installation. This box will have the H-Sphere control panel, the system database, and SiteStudio (optional).

2) Web + DNS2:

/ - 1-3 GB
/usr - 3-5 GB
/var - 3-5 GB
/hsphere - takes the rest of the space and is the biggest partition.

3) Mail + DNS1 + MySQL + PostgreSQL:

/ - 1-3 GB
/usr - 3-5 GB
/var - takes the rest of the space for mail and MySQL files.

 

HDD Partitioning

H-Sphere is installed to the /hsphere directory. It can be located on any partition, preferably not the root partition, with a symlink pointing at the real directory:

# mkdir -p /home/hsphere
# ln -s /home/hsphere /hsphere
# chmod 755 /home/hsphere

 

Note that for FreeBSD 5.3 a separate partition must be dedicated to H-Sphere. Otherwise, you are likely to experience problems installing the H-Sphere packages:

# mkdir -p /hsphere
# chmod 755 /hsphere

The ideal solution (and the only possible one for FreeBSD 5.3) is to dedicate a partition solely to H-Sphere files and mount it as /hsphere. As a result, you should have at least two partitions: / and the one holding the H-Sphere data (/home or /hsphere). Having only one partition can cause problems. For instance, if the disk quota files get damaged, you cannot repair them without rebooting the server and running fsck in single-user mode.

There are no further partitioning requirements; just make sure there is enough disk space to store user data and other H-Sphere data.

 

Required Components and Configuration

Prior to the installation, make sure your server has the following:

OpenSSH

  1. Install the OpenSSH package on each H-Sphere box. You can use the standard RPMs under Linux or packages under FreeBSD. The standard Linux and FreeBSD installations usually already contain OpenSSH, and you can use it without restriction; however, we recommend updating the package to the latest version. SSH keys need to be configured under the cpanel user.
  2. To enable root login, open /etc/ssh/sshd_config and uncomment the line:
    PermitRootLogin yes
    Make sure PermitRootLogin is set to yes. Note that sshd honours the first uncommented PermitRootLogin line it reads and ignores any later one. If root is only ever accessed with the pre-shared key, you can tighten this after installation to PermitRootLogin without-password, which refuses root password logins but still accepts the key. Then restart SSH:
    /etc/rc.d/init.d/sshd restart
    (on FreeBSD, restart sshd through its rc script or send it SIGHUP: kill -HUP `cat /var/run/sshd.pid`)
  3. Make sure that the .ssh directory has permissions 700 and the authorized_keys and authorized_keys2 files have permissions 600.
  4. Enable the OpenSSH daemon start at server startup.
  5. Start the OpenSSH daemon.
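As an added example (not H-Sphere's own tooling and not from the original page), the following POSIX shell functions check what this section asks for: the effective PermitRootLogin value (sshd uses the first uncommented occurrence, so an edit lower in the file silently does nothing), the .ssh and authorized_keys modes from step 3, and a helper that switches root to key-only login. It assumes plain sshd_config "keyword value" lines without Match blocks and a find(1) that accepts -perm with an exact octal mode.

```shell
#!/bin/sh
# Added example, not H-Sphere's own tooling: audit the sshd settings this
# section asks for and switch root to key-only login. Assumptions: plain
# sshd_config "keyword value" lines (Match blocks are not handled) and a
# find(1) that accepts -perm with an exact octal mode.

# sshd honours the FIRST uncommented PermitRootLogin line and ignores any
# later one. Print that value in lower case, or "yes" (OpenSSH's historical
# default) when the keyword never appears uncommented.
effective_permit_root_login() {
    awk 'tolower($1) == "permitrootlogin" { v = tolower($2); exit }
         END { print (v == "" ? "yes" : v) }' "$1"
}

# True (exit 0) when root may log in with a password. "without-password"
# (newer alias: prohibit-password), "forced-commands-only" and "no" all stop
# password guessing against root while a pre-shared key still works.
root_password_login_allowed() {
    [ "$(effective_permit_root_login "$1")" = "yes" ]
}

# Rewrite CONFIG so every uncommented PermitRootLogin line reads
# "PermitRootLogin without-password"; append one if the keyword is absent.
harden_root_login() {
    cfg="$1"; tmp="$cfg.tmp.$$"
    awk 'tolower($1) == "permitrootlogin" {
             print "PermitRootLogin without-password"; seen = 1; next }
         { print }
         END { if (!seen) print "PermitRootLogin without-password" }' "$cfg" > "$tmp" \
        && mv "$tmp" "$cfg"
}

# Verify the modes the page requires under HOME: .ssh must be 700 and
# authorized_keys / authorized_keys2, where present, 600. Reports each
# offending path on stderr and returns 1 if anything is wrong.
check_ssh_perms() {
    d="$1/.ssh"; rc=0
    if [ ! -d "$d" ] || [ -z "$(find "$d" -prune -perm 700)" ]; then
        echo "$d is not mode 700" >&2; rc=1
    fi
    for f in "$d/authorized_keys" "$d/authorized_keys2"; do
        if [ -f "$f" ] && [ -z "$(find "$f" -prune -perm 600)" ]; then
            echo "$f is not mode 600" >&2; rc=1
        fi
    done
    return $rc
}
```

Run check_ssh_perms against the cpanel user's home (and /root) after the keys are in place, and effective_permit_root_login /etc/ssh/sshd_config before and after harden_root_login; restart sshd afterwards as in step 2.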

Disk Quota

Enable the disk quota feature on each H-Sphere web server. There is no need to enable it on other servers. To enable disk quota:

  1. Log in as root.
  2. Insert the usrquota option (userquota on FreeBSD) into the /etc/fstab entry for the corresponding partition.
    On Linux, it must look similar to this (ext3 is handled the same way):
    LABEL=/hsphere   /hsphere   ext2   defaults,usrquota   1 1
    On FreeBSD, fstab identifies the filesystem by device rather than by LABEL=, so with /dev/ad0s1e as an example device it must look similar to this:
    /dev/ad0s1e   /hsphere   ufs   rw,userquota   2 2
  3. Execute the following commands:
    quotaoff /partition_with_userquota_enabled
    mount -o remount /partition_with_userquota_enabled (Linux only; skip this line on FreeBSD)
    rm -rf /partition_with_userquota_enabled/aquota.user /partition_with_userquota_enabled/quota.user
    quotacheck -mufv /partition_with_userquota_enabled (Linux)
    quotacheck -guv /partition_with_userquota_enabled (FreeBSD)
    quotaon /partition_with_userquota_enabled
    If quotacheck returns the error "quotacheck: Cannot get quotafile name for /dev/xxx", do the following:
    1) # touch /partition_with_userquota_enabled/aquota.user
    2) # quotacheck -m /partition_with_userquota_enabled
    and ignore the message:
    "quotacheck: WARNING - Quotafile /partition_with_userquota_enabled/aquota.user was probably truncated. Can't save quota settings..."
    3) # quotaon /partition_with_userquota_enabled
  4. FreeBSD web server installations: enable disk quota in the kernel configuration (options QUOTA) and rebuild the kernel. Also set the following in /etc/rc.conf (not in /etc/defaults/rc.conf, which holds the defaults and should not be edited):
    enable_quotas="YES"

Root Partitions: we don't recommend enabling the disk quota feature on root partitions. Use other partitions for this! Therefore, we advise not to place H-Sphere files on the root partition.

Quotacheck: quota versions can have some differences on different OSs. You may need to execute the quotacheck command with some additional parameters. Please read the command manual before performing this action.
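To make step 2 repeatable and keep quota off the root partition as the warning above requires, here is an added example (not part of the H-Sphere documentation) that edits the fstab entry for one mount point and then runs the Linux rebuild sequence from step 3. It assumes Linux quota-tools and whitespace-separated fstab fields; the fstab path is a parameter so the edit can be tried on a copy first.

```shell
#!/bin/sh
# Added example, not from the H-Sphere documentation: put usrquota on the
# fstab entry for one mount point (idempotently, never on "/") and run the
# Linux rebuild steps from the procedure above. Assumptions: Linux quota-tools
# (quotaoff/quotacheck/quotaon) and whitespace-separated fstab fields.

# Print the mount options of MOUNTPOINT in FSTAB (empty if there is no entry).
fstab_options() {
    awk -v mp="$2" '$1 !~ /^#/ && $2 == mp { print $4; exit }' "$1"
}

# Add usrquota to the entry for MOUNTPOINT. Returns 1 for "/" (the page
# advises against quota on the root partition) or for a mount point with no
# entry; returns 0 without touching the file when usrquota is already set.
fstab_enable_usrquota() {
    fstab="$1"; mp="$2"
    if [ "$mp" = "/" ]; then
        echo "refusing to enable quota on the root partition" >&2
        return 1
    fi
    opts=$(fstab_options "$fstab" "$mp")
    if [ -z "$opts" ]; then
        echo "no fstab entry for $mp" >&2
        return 1
    fi
    case ",$opts," in
        *,usrquota,*) return 0 ;;           # already enabled
    esac
    tmp="$fstab.tmp.$$"
    awk -v mp="$mp" '
        $1 !~ /^#/ && $2 == mp { $4 = $4 ",usrquota" }
        { print }' "$fstab" > "$tmp" && mv "$tmp" "$fstab"
}

# Rebuild the quota file for MOUNTPOINT as step 3 describes (Linux).
# Must run as root after fstab_enable_usrquota; not exercised by the test.
rebuild_quota() {
    mp="$1"
    quotaoff "$mp" 2>/dev/null || true      # may not be on yet
    mount -o remount "$mp"                  # pick up the new usrquota option
    rm -f "$mp/aquota.user" "$mp/quota.user"
    if ! quotacheck -mufv "$mp"; then
        # "Cannot get quotafile name": create the file and retry, as the page says
        touch "$mp/aquota.user" && quotacheck -m "$mp"
    fi
    quotaon "$mp"
}
```

Typical use on a web server: fstab_enable_usrquota /etc/fstab /hsphere, then rebuild_quota /hsphere as root. The awk rewrite re-joins the edited line with single spaces, which fstab accepts.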

Ports (Firewall Configuration)

In your firewall settings, open the following ports in both directions, with the connection type (tcp, udp or both) given in the table.
The firewall must be configured by the customer.

Pix firewall note: the Pix firewall does not work correctly with H-Sphere and SiteStudio, because it does not allow servers within one H-Sphere cluster to communicate by their external IPs, which is critical for both products.

Port   Usage                                       Open on (protocol)
20     FTP-DATA                                    CP, Web, Windows: tcp
21     FTP                                         CP, Web, Windows: tcp
22     SSH                                         CP, Web, Mail, DNS, MySQL, PGSQL, Real: tcp
25     SMTP                                        Mail, Windows: tcp
53     DNS                                         DNS: tcp and udp *; all other servers: udp
80     HTTP                                        Web, Mail, Real, Windows, MS SQL: tcp
110    POP                                         Mail: tcp
143    IMAP                                        Mail: tcp
443    HTTPS                                       CP, Web, Windows: tcp
587    submission                                  Mail: tcp
873    RSYNC                                       all servers: tcp between H-Sphere servers
953    RNDC                                        DNS: tcp and udp *
1433   MS SQL                                      Windows, MS SQL: tcp
1922   IMAGEMAKER                                  CP: tcp, localhost only
3306   MySQL                                       MySQL, Windows: tcp
3389   Terminal Service                            Windows, MS SQL: tcp
5432   Postgres                                    PGSQL, Windows: tcp
5631   pcAnywhere                                  Windows, MS SQL: tcp (optional)
8007   Apache JServ (not used in HS 2.4 and up)    CP: tcp, localhost only
8009   Tomcat                                      CP: tcp
8080   HTTP                                        CP: tcp
8443   SSL                                         CP: tcp
10125  SOAP **                                     CP: tcp between H-Sphere servers; Windows, MS SQL: tcp
55000  OpenSRS                                     CP: tcp (if used)

* For highest security, open:
  - udp permanently;
  - tcp worldwide during H-Sphere installation and post-installation tests;
  - tcp between H-Sphere DNS servers permanently.

** SOAP (Simple Object Access Protocol) carries data communication between the Control Panel and Windows servers.

Note: In the above table, all ports should be opened for external connections unless specified otherwise (for example, "tcp between H-Sphere servers" or "localhost only").

DNS Server Notes:

1. Port 953 (rndc) should be open for localhost only if your DNS server is running BIND 9.x.

2. If your DNS server is running BIND 8.x, it can be upgraded to run with H-Sphere, but old domains will still have to be managed by hand. Please coordinate the DNS server upgrade with our installation team.

As of now we do not provide support for reverse DNS configuration.
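The table above lists what to open but not how. As an added example (not H-Sphere's own script and not from the original page), the following shell generates an iptables INPUT ruleset for one Unix role from it. The CLUSTER argument, the role names, and the decisions to leave outbound traffic open and to let non-DNS roles receive resolver replies through connection tracking rather than an open udp/53 are this example's assumptions; Windows, Real and MS SQL boxes are not covered. The rules are printed rather than applied so they can be reviewed, and the DROP policy goes last so the SSH session you are working from survives.

```shell
#!/bin/sh
# Added example, not H-Sphere's own script: build an iptables INPUT policy
# for one Unix role from the port table. Assumptions: Linux iptables with the
# state match; outbound traffic stays open; CLUSTER is the CIDR that holds
# every H-Sphere server; non-DNS roles receive resolver replies through the
# ESTABLISHED rule instead of an open udp/53; Windows, Real and MS SQL boxes
# are out of scope.

# Inbound ports for ROLE as "proto port scope" lines, scope being
# world | cluster | lo. Roles: cp web mail dns mysql pgsql.
role_ports() {
    case "$1" in
        cp)    printf '%s\n' "tcp 20 world" "tcp 21 world" "tcp 443 world" \
                   "tcp 8009 world" "tcp 8080 world" "tcp 8443 world" \
                   "tcp 1922 lo" "tcp 8007 lo" "tcp 10125 cluster" ;;
        web)   printf '%s\n' "tcp 20 world" "tcp 21 world" "tcp 80 world" \
                   "tcp 443 world" ;;
        mail)  printf '%s\n' "tcp 25 world" "tcp 80 world" "tcp 110 world" \
                   "tcp 143 world" "tcp 587 world" ;;
        dns)   printf '%s\n' "udp 53 world" "tcp 53 cluster" "tcp 953 lo" ;;
        mysql) printf '%s\n' "tcp 3306 world" ;;
        pgsql) printf '%s\n' "tcp 5432 world" ;;
        *)     echo "unknown role: $1" >&2; return 1 ;;
    esac
    # every Unix box: SSH from anywhere, rsync only between cluster members
    printf '%s\n' "tcp 22 world" "tcp 873 cluster"
}

# Print the iptables commands for ROLE with CLUSTER as the trusted CIDR.
# Review the output, then pipe it to sh. The DROP policy is set last so the
# session you are typing in is already covered by the ESTABLISHED rule.
hsphere_iptables() {
    role="$1"; cluster="$2"
    ports=$(role_ports "$role") || return 1
    echo "iptables -F INPUT"
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "$ports" | while read -r proto port scope; do
        case "$scope" in
            world)   echo "iptables -A INPUT -p $proto --dport $port -j ACCEPT" ;;
            cluster) echo "iptables -A INPUT -s $cluster -p $proto --dport $port -j ACCEPT" ;;
            lo)      ;;   # reachable through the loopback rule only; never exposed
        esac
    done
    echo "iptables -P INPUT DROP"
}
```

For example, hsphere_iptables dns 10.0.0.0/24 | sh applies the permanent DNS policy from footnote *; during installation and post-installation tests add a temporary world rule for tcp/53 and remove it afterwards. OpenSRS (55000) is an outbound connection from the CP and needs no INPUT rule here.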

 

Perl

H-Sphere installation script is written in Perl, therefore Perl is required on each box. To check if Perl is installed, run:

perl -V

Make

Make sure the make utility is installed on every box. To check if make is installed, run:

make -v

Command-Line URL Download Utility (wget or fetch)

The H-Sphere installation script requires a command-line URL download utility: wget on Linux, fetch on FreeBSD.

compat3x package

On FreeBSD 4.x servers, make sure the compat3x package is installed for compatibility with FreeBSD 3.x binaries. To check whether compat3x is missing, run:

/stand/sysinstall

and then go to Configure -> Distributions

 

SELinux Must Be Off

Before H-Sphere installation, make sure SELinux is off on your Linux servers (RedHat Enterprise Linux 4 and up, Trustix Secure Linux 2.2 and up).

To check SELinux status, run:

sestatus

To disable SELinux, set the following option in /etc/selinux/config:

SELINUX=disabled

This turns SELinux off after a reboot. To disable SELinux immediately, type:

setenforce 0

Running with SELinux disabled removes the mandatory access control layer that would otherwise confine the web, mail and DNS daemons, so the firewall rules from the Ports section and timely package updates become the remaining line of defence on these boxes.




Now that you have prepared the servers, you can proceed to H-Sphere installation or request installation by Psoft.

 

Remove Impeding Packages

Uninstall the following standard packages that come with the OS installation, together with their dependencies; the H-Sphere installation package sets up its own replacements. Each command removes everything a case-insensitive substring match returns, so run the inner rpm -qa | grep (or pkg_info | grep) pipeline on its own first and check the list: "sql" also matches packages such as sqlite, and "bind" matches ypbind, which is why that command excludes it with grep -v ypb.

Linux

Apache (RH all versions):
rpm -e `rpm -qa|grep -i httpd`

PgSQL, MySQL (RH all versions):
rpm -e `rpm -qa|grep -i sql`

JAVA, JDK, JRE (RH all versions):
rpm -e `rpm -qa|grep -i java`
rpm -e `rpm -qa|grep -i jdk`
rpm -e `rpm -qa|grep -i jre`

Kaffe (RH 7.1, 7.2):
rpm -e `rpm -qa|grep -i kaffe`

JAKARTA (RH ES, WS, AS):
rpm -e `rpm -qa|grep -i jakarta`

BIND (RH all versions):
rpm -e `rpm -qa|grep -i bind|grep -v ypb`

Rsync (RH all versions):
rpm -e --quiet `rpm -qa|grep -i rsync`


Other RPMs (only RH ES, WS, AS):
ispell/aspell/pspell:
rpm -e `rpm -qa|grep -i spell`

After the RPMs have been removed, run:
rpm --rebuilddb

FreeBSD

pkg_info prints the package name followed by its comment, so only the first field is passed to pkg_delete.

Apache:
pkg_delete `pkg_info|grep -i apache|awk '{print $1}'`

PgSQL, MySQL:
pkg_delete `pkg_info|grep -i sql|awk '{print $1}'`

JAVA, JDK, JRE:
pkg_delete `pkg_info|grep -i java|awk '{print $1}'`
pkg_delete `pkg_info|grep -i jdk|awk '{print $1}'`
pkg_delete `pkg_info|grep -i jre|awk '{print $1}'`

BIND:
pkg_delete `pkg_info|grep -i bind|grep -v ypb|awk '{print $1}'`

Rsync:
pkg_delete `pkg_info|grep -i rsync|awk '{print $1}'`

Gettext:
pkg_delete `pkg_info|grep -i gettext|awk '{print $1}'`
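Because these commands remove every package a substring match returns, this added example (not from the H-Sphere documentation) lists the candidates first so the operator can review them before running rpm -e or pkg_delete. The exclusion list is the example's own assumption: ypbind is the page's exception, and sqlite/python-sqlite are protected because yum depends on them on distributions that ship it. The package names in the test are constructed.

```shell
#!/bin/sh
# Added example, not from the H-Sphere documentation: list what the removal
# patterns above would delete, so the operator can review it before rpm -e or
# pkg_delete. Package names arrive on stdin, one per line. The exclusion list
# is this example's assumption: ypbind is the page's own exception, and
# sqlite / python-sqlite are kept because yum depends on them where shipped.
PATTERN='httpd|sql|java|jdk|jre|kaffe|jakarta|bind|rsync'
EXCLUDE='^(ypbind|sqlite|python-sqlite)'

# Packages the page's commands would remove, minus the exclusion list.
impeding_packages() {
    grep -i -E "$PATTERN" | grep -v -i -E "$EXCLUDE" | sort -u
}

# Packages matched only by accident of the substring patterns: these are what
# the raw commands would have taken with them.
collateral_matches() {
    grep -i -E "$PATTERN" | grep -i -E "$EXCLUDE" | sort -u
}

# Usage (Linux):   rpm -qa | impeding_packages
#       (FreeBSD): pkg_info | awk '{print $1}' | impeding_packages
# Append |spell (RH ES/WS/AS) or |gettext (FreeBSD) to PATTERN when those
# entries from the list above apply, then feed the reviewed names to
# rpm -e (followed by rpm --rebuilddb) or pkg_delete.
```

Note that a substring pattern can also miss things: a package named, say, j2sdk contains none of "java", "jdk" or "jre", so it survives both this filter and the page's commands and has to be removed by name.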




User comments
dynamicnet
Jun 20,
http://www.dynamicnet.net/customer/h-sphere/security/ has had instructions for turning off direct root access for over three years now. Instructions exist for CentOS, FreeBSD, and RedHat Linux.
cdevidal
Apr 30,
The SSH installation instructions tell us to allow root logins. The installer then preshares a key so the HSphere program can log in via SSH and perform tasks as root or whatever.

The problem is, allowing root logins is as you probably know insecure. Someone can hammer SSH and *perhaps* brute force the root password.

I have good news!

After install, I edited /etc/ssh/sshd_config and set "PermitRootLogin" to "without-password" rather than "yes." What this gem of an option means is the only way you can log in as root via SSH is with a preshared key. The name of the option is misleading; I wish it were called "with-key" or something like that...

I've been using this method successfully on our HSphere install for almost 2 years with zero issues. Logwatch shows that PLENTY of people and worms have been trying to hammer root via SSH but we've had zero root breakins.


© 2020 psoft.net
All rights reserved.