Building a minimal Centos 5.2 Server on a Mac Mini
With the RAOTL forum finally outgrowing its humble Mac Mini server (hosted with Mythic Beasts, who I cannot recommend enough – friendly, helpful and speedy with the tech support), I recently had to build a Linux server on a Dell Poweredge R300.
The stuff I learnt during this ordeal I also wanted to put into practice on an old Mac Mini I have had kicking around for the last year or so. It was purchased with the intention of me building it with Mac OS X server and then having it colocated with Mythic Beasts.
There is an excellent Centos 5.2 server guide at Howtoforge.com (a 64bit variant of which I used to build the Dell server), but I wanted to create a minimum install server, i.e. one that only has the stuff necessary to build and run the server and ISPConfig.
I’m using Centos, because it’s basically Red Hat Linux with a fake beard and glasses on, is stable and isn’t quite as bleeding edge as Fedora (which I am led to believe Red Hat is based on).
Step one – preparing the Mac Mini
My Mac Mini is a Core Duo 1.8Ghz with a boot rom version of MM11.0055.B08. According to this guide at ILikeJam, that shouldn’t need Bootcamp to install Linux. Sadly mine did, as I found out the hard way – installed Linux, rebooted, ‘Missing Operating System’ prompt. Tore hair out until it clicked I needed to do it via Bootcamp.
Installing Bootcamp is easy, we’re only basically doing it to get the boot partition that it creates. Ignore the prompt to insert your windows disk and reboot your Mini, holding down ‘C’ as soon as it comes back up again. Don’t let go until you see the Centos screen.
Step two – installing Centos 5.2
After pressing ‘return’, you’ll eventually be presented with a screen asking if you want to check the media. I, living on the edge, elected not to.
After this, it’s straightforward until we get to the partitioning screen. Here, we need to do some ‘advanced storage configuration’. It’s not actually that advanced, but we need to delete all the partitions that exist, bar the boot partition that Bootcamp created. It will be the smallest sized one, but delete all the others. This will get rid of your Mac OS X install, and the partition Bootcamp set aside for Windows.
If I remember rightly I think I cancelled this step, but the deleted partitions remain deleted, leaving you with the Bootcamp boot partition and a shed load of free space (depending on your drive size obviously). You should be returned to the ‘Installation requires partitioning…’ screen. Select the option that allows you to install the default layout on the free space. Click Next.
The network screen is up next and I edited eth0 to have my fixed IP address as well as my (sub) netmask and I turned off IPv6 support (which I will no doubt regret in later years). I also put in my gateway (my router’s IP) and my service provider’s (Virgin Media in my case) DNS servers. The hostname should be whatever domain you want to attach to the Mini.
After the date and time configuration, you’ll get to enter a Root password. After this it’s time to sort out the software that actually needs to be installed. Untick all boxes in this list (I think it defaults to Desktop – Gnome). Select ‘Customize now’, and click next.
Now we need to select the packages we need. As I mentioned this is a minimal install, so I unselected everything (everything), bar text editors (and clicked optional packages to make sure Emacs was installed in here as I prefer this to vi, rather than in the main list).
After that, Centos should install, and ask you to reboot.
Step three – building the server
From this point I logged in via ssh as root from my laptop and followed the Howtoforge.com Centos 5.2 guide from step 4. I skipped step 5 as I only have one IP address.
In step 6, the command here doesn’t work (as we’re minimal), so you have to disable SELinux by hand (the sound you hear is the sound of a thousand Linux experts wailing at you disabling this). To do this you need to edit the file at /etc/selinux/config to say the following instead:
...
SELINUX=disabled
...
You’ll then need to reboot.
After the reboot, I then turned off some of the stuff that we have running:
for i in gpm haldaemon ip6tables lvm2-monitor mcstrans messagebus netfs restorecond xfs; do chkconfig $i off; done
In step 7 after doing the update, there are a few other things that need to be installed along with the bits listed in the guide and you also may have a problem installing ncftp (it will be listed in the output of the install as not found). To get ncftp to install we must install a new repo, adding the following to the end of /etc/yum.conf:
[kbs-CentOS-Testing]
name=CentOS.Karan.Org-ELS - Testing
gpgcheck=0
gpgkey=http://centos.karan.org/RPM-GPG-KEY-karan.org.txt
enabled=1
baseurl=http://centos.karan.org/el5/extras/testing/i386/RPMS/
We then need to import the appropriate key:
rpm --import http://centos.karan.org/RPM-GPG-KEY-karan.org.txt
Once that’s done we can go ahead and install the extra stuff:
yum install fetchmail wget bzip2 unzip zip nmap openssl lynx fileutils ncftp gcc gcc-c++ flex procmail mlocate man sudo zlib-devel openssl-devel telnet make postgresql-devel expect which cron
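The stanza above sets gpgcheck=0, so yum does not verify package signatures from that repo even though the key has been imported. As an added example (not from the original post), this lists every repo section whose effective gpgcheck is off; the [main] section and the "example-signed" repo in the sample are constructed for illustration:

```shell
# Added example, not from the original post. Prints each repo section whose
# effective gpgcheck is off: a repo's own value overrides [main], unset means off.
unsigned_repos() {
    awk '
        function on(v) { v = tolower(v); return v == "1" || v == "yes" || v == "true" }
        /^[ \t]*[#;]/ { next }                       # comment lines
        /^[ \t]*\[/ {                                # [section] header
            sec = $0
            gsub(/^[ \t]*\[[ \t]*|[ \t]*\][ \t\r]*$/, "", sec)
            if (sec != "main") order[++n] = sec
            next
        }
        /^[ \t]*gpgcheck[ \t]*=/ {                   # remember the value per section
            v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t\r]+$/, "", v)
            val[sec] = v
        }
        END {
            def = ("main" in val) ? val["main"] : "0"
            for (i = 1; i <= n; i++) {
                eff = (order[i] in val) ? val[order[i]] : def
                if (!on(eff)) print order[i]
            }
        }
    ' "$1"
}

# Constructed sample: the stanza from this page, a [main] section, and a
# hypothetical repo ("example-signed") that inherits gpgcheck=1 from [main].
sample_yum_conf() {
    cat <<'EOF'
[main]
gpgcheck=1
[kbs-CentOS-Testing]
name=CentOS.Karan.Org-ELS - Testing
gpgcheck=0
gpgkey=http://centos.karan.org/RPM-GPG-KEY-karan.org.txt
enabled=1
baseurl=http://centos.karan.org/el5/extras/testing/i386/RPMS/
[example-signed]
name=Constructed example repo
baseurl=http://repo.example.invalid/el5/
EOF
}

conf=$(mktemp); sample_yum_conf > "$conf"
unsigned_repos "$conf"      # prints: kbs-CentOS-Testing
rm -f "$conf"
```

On a real box, point it at /etc/yum.conf and each file under /etc/yum.repos.d/.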
Make sure you run the following, as you won’t be able to use the ‘locate’ command until you do:
updatedb
You can also remove the old kernel (as the kernel gets updated via the ‘yum update’ command). Only do this if you have two kernels listed when executing the following:
rpm -qa | grep kern
If you see two (not including kernel headers), remove the old version with:
yum remove kernel-2.x.x.x.x.x.xxx
The rest of the guide can now be followed as is, from step 8. Make sure you get the latest version of ProFTP in step 13 – at time of writing it was 1.3.2, so obviously I had to replace the 1.3.1 with 1.3.2 in the commands. You’ll also get an error when trying to disable sendmail in step 11 because it’s not installed.
Step four – Installing ISPConfig
This is easy, you just need to follow the guide on the ISPConfig website. I installed v2.x as the current RC of v3 only has experimental Centos support.
Step five – open the necessary ports
If you’ve been a bit eager, no doubt you’ve tried, and failed, to access your box via its local IP address in a browser. The reason it fails is because though iptables is allowing ssh connections it’s not allowing connections on port 80 (apache) or port 81 (ISPConfig). To fix that we add the following to the iptables rules:
iptables -I RH-Firewall-1-INPUT 3 -p tcp -m tcp --dport 80 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
iptables -I RH-Firewall-1-INPUT 3 -p tcp -m tcp --dport 81 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
This will be wiped if we reboot now, so one last command:
/etc/init.d/iptables save
And that’s your lot. You should now see the apache welcome page if you type in the local IP in your browser, as well as the ISPConfig login page if you do the same but as an https connection on port 81 (https://x.x.x.x:81).
Well actually that’s not quite it…
Step six – ensuring the Mac reboots on loss of power
It appears this used to require some sort of special kernel build which I don’t fully understand (yet), but I solved this by adding the following line at the bottom of /etc/rc.d/rc.local:
setpci -s 0:1f.0 0xa4.b=0
You can do a really dirty test of this by yanking the power cord out of your Mini, and then plugging it in. Alternatively (and a lot safer), shut down the Mini with:
shutdown -h now
Unplug it from its power source, then plug it back in again. The Mini should reboot of its own volition.
And that’s i… no wait, there’s one more one more thing (ooh I’m so Steve Jobs)
Step seven – stop Root login via SSH
Apparently Root login is a bit of a security hole. So we need to create a normal user but make sure they are added to the sudoers file.
Firstly we create the user:
adduser [insert your username here]
passwd [username used above]
You’ll be prompted for a password and then asked to repeat it. You’ll also be told off if it’s a bad password. It’s up to you whether you choose to ignore this warning.
It’s really really important to choose a user here that will not clash with any user you create via ISPConfig. I learnt this my favourite way – the hard way. It will cause you no end of headaches if you do and could also end up meaning you can’t log in via ssh.
Now that we have the user set up, we need to add them to the sudoers file. To do this we type
visudo
Scroll through the file until you reach a line that says:
root ALL=(ALL) ALL
Press ‘i’ to insert (I hate vi, even though this is obviously designed to stop you borking your files), and add the user we just created below the ‘root’ line:
root ALL=(ALL) ALL
[user we just created] ALL=(ALL) ALL
Save this change by pressing ‘esc’, then typing ‘:wq’ and then pressing ‘return’. By the way, if you do fuck that up, pressing ‘esc’ and then type ‘:q’, followed by ‘return’ will quit without saving.
Next we need to disable root login. To do this we edit /etc/ssh/sshd_config. Make sure that the following line is enabled (in mine it already was):
Protocol 2
Now find PermitRootLogin, uncomment it and change it to ‘no’:
PermitRootLogin no
Now reboot and try logging in with root. Your password should be constantly rejected. You should be able to login with your newly created user though.
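sshd uses the first value it reads for each keyword, so an active ‘PermitRootLogin yes’ higher up the file beats the ‘no’ you add below it. As an added example (not from the original post), this checks that both settings from this step are actually in force; the function names and sample files are constructed for illustration:

```shell
# Added example, not from the original post.
# Prints the first active value of KEYWORD in an sshd_config-style FILE.
sshd_first_value() {    # usage: sshd_first_value FILE KEYWORD
    awk -F'[ \t=]+' -v want="$2" '
        { sub(/^[ \t]+/, ""); sub(/[ \t\r]+$/, "") }   # trim, fields are re-split
        /^(#|$)/ { next }                              # comments and blank lines
        tolower($1) == "match" { exit }                # conditional blocks are not global
        tolower($1) == tolower(want) { print tolower($2); exit }
    ' "$1"
}

# Returns 0 only when both settings are explicitly set as in step seven.
check_step_seven() {
    rc=0
    [ "$(sshd_first_value "$1" Protocol)" = "2" ] ||
        { echo "Protocol is not explicitly 2"; rc=1; }
    [ "$(sshd_first_value "$1" PermitRootLogin)" = "no" ] ||
        { echo "PermitRootLogin is not explicitly no"; rc=1; }
    return $rc
}

# Constructed samples: in the bad one an active "yes" precedes the "no".
sample_bad() {
    cat <<'EOF'
Protocol 2
#PermitRootLogin yes
PermitRootLogin yes
PermitRootLogin no
EOF
}
sample_good() {
    printf 'Protocol 2\nPermitRootLogin no\n'
}

f=$(mktemp)
sample_bad > "$f";  check_step_seven "$f" || echo "bad sample rejected"
sample_good > "$f"; check_step_seven "$f" && echo "good sample accepted"
rm -f "$f"
```

On the server itself, run check_step_seven against /etc/ssh/sshd_config after editing it.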
The last step here is to enable this user to use all the commands root can (even though you’ll need to prefix them with ‘sudo’). So we add paths to our ‘.bash_profile’:
PATH=$PATH:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local:$HOME/bin
Now our user will be able to use commands such as ‘shutdown’ which is a wee bit important.
That really is it. Or is it?
There is nothing more to do on the software side of things with the Mini setup now. To get this to boot without a monitor though you will need to create a dongle to go into the Mini’s monitor port. There are various guides to doing this around, including steps 23 to 27 of the iLikeJam guide.
Me? I just got an old DVI to VGA adaptor (the one where it’s a single unit with no cable) and shoved a paperclip into sockets 2 and 7. Works like a (lucky) charm.