...

  • On the Alfresco server as root, run "ssh-keygen -t dsa" and accept the default location. Also leave the passphrase blank (maybe not the best advice, but I want to ensure that the script will not be prompted for a password).
  • Copy the generated public key file (~/.ssh/id_dsa.pub) to the remote server (e.g., "scp ~/.ssh/id_dsa.pub REMOTESERVER:").
  • Log into the remote (assumed Linux) server as the remote user. (If the user doesn't exist, first log in as root and create the account with "adduser USERNAME".)
  • If it does not exist, create the remote user's .ssh directory and make sure its permissions are properly set ("mkdir ~/.ssh" and "chmod 700 ~/.ssh").
  • Append the public key file you copied to the end of .ssh/authorized_keys, and make sure its permissions are properly set ("cat id_dsa.pub >> ~/.ssh/authorized_keys" and "chmod 600 ~/.ssh/authorized_keys").
  • Remove the copied public key file from the remote server ("rm id_dsa.pub").

Example:

Code Block
 adduser deploy_bot    # note: this is the WEB SERVER "deploy_bot" account, not the ALFRESCO "deploy_bot" account
 mkdir /home/deploy_bot/.ssh
 chown deploy_bot /home/deploy_bot/.ssh
 chmod 700 /home/deploy_bot/.ssh
 cat ~/id_dsa.pub >> /home/deploy_bot/.ssh/authorized_keys
 chown deploy_bot /home/deploy_bot/.ssh/authorized_keys
 chmod 600 /home/deploy_bot/.ssh/authorized_keys
 rm ~/id_dsa.pub
 chmod a+rx /home/www
 chmod a+rx /home/www/sash-server
 chmod a+rx /home/www/sash-server/servers/
 chmod a+rx /home/www/sash-server/servers/alumni/
 chown deploy_bot /home/www/sash-server/servers/alumni/webapps
 chown deploy_bot /home/www/sash-server/servers/alumni/webapps/ROOT

  • Log out of the remote server
  • Test by logging into the Alfresco server as root and running "ssh -l USERNAME REMOTESERVER". If you get in as the remote user without being prompted for a password, congratulations. Note: in this step, accept the host key. This stores the host key in known_hosts and is actually important, since you don't want the deployment script to be prompted to accept or reject the host key.

...

  11d. Edit $ALF_EXT/web-client-config-custom.xml and change the <deployment> element to include the deployment command(s)

Code Block
    <commands>
...
        <command name="deploy-to-someplace" program="bash">
            <param>-c</param>
            <param>${ALF_HOME}/deploy/deploy-to-someplace.sh</param>
        </command>
...
    </commands>

...

17. Create any other admin user accounts from step 12.

HOW TO MAKE ALFRESCO RUN AS NON-ROOT

1. Enable IP forwarding

2. In fileservers-custom.xml:

   <config evaluator="string-compare" condition="CIFS Server">
     <serverEnable enabled="true"/>
     <tcpipSMB port="1445" platforms="linux"/>
     <netBIOSSMB sessionPort="1139" namePort="1137" datagramPort="1138" platforms="linux"/>
   </config>

3. Set up iptables redirects:

   iptables -t nat -A PREROUTING -p tcp --dport 445 -j REDIRECT --to-ports 1445
   iptables -t nat -A PREROUTING -p tcp --dport 139 -j REDIRECT --to-ports 1139
   iptables -t nat -A PREROUTING -p udp --dport 137 -j REDIRECT --to-ports 1137
   iptables -t nat -A PREROUTING -p udp --dport 138 -j REDIRECT --to-ports 1138

4. chown repos:repos /var/run/alfresco.pid

5. Make sure the path through /home/www/apache/modules/* is readable/executable by repos

6. /sbin/mount.cifs should be root:repos, SUID, and o-rwx

7. In /etc/fstab:

   //localhost/avm  /home/repos/mnt/this-avm       cifs    user,noauto     0 0

8. chown root:repos /sbin/mount.cifs

9. chmod u+s,o-rwx /sbin/mount.cifs
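A quick audit of the non-root layout from steps 1 through 9, as an added example that is not part of the original page: it assumes the service account is named repos, the paths used above, GNU or busybox stat, and that $ALF_EXT points at the extension directory as in step 11d.

```shell
#!/bin/sh
# Added audit for the non-root Alfresco layout described above (not part of the
# original page). Assumes: service account "repos", GNU/busybox stat, and the
# paths used on the page. Run "sh audit_nonroot.sh --audit" on the Alfresco host.

# Pure check, usable on any host: $1=owner $2=group $3=octal mode as printed by
# "stat -c %a". Passes only for root:repos, setuid set, and no "other" bits, which
# is what "chown root:repos; chmod u+s,o-rwx" on a 0755 binary produces (4750).
check_setuid_helper() {
    owner=$1 group=$2 mode=$3
    [ "$owner" = root ] || return 1
    [ "$group" = repos ] || return 1
    case ${#mode} in 3) mode="0$mode" ;; 4) ;; *) return 1 ;; esac
    special=${mode%???}          # leading digit: setuid=4, setgid=2, sticky=1
    other=${mode#???}            # trailing digit: permissions for "other"
    case $special in 4|5|6|7) ;; *) return 1 ;; esac
    [ "$other" = 0 ]
}

# Every SMB port in a fileservers-custom.xml fragment ($1) must be above 1023,
# otherwise the repos user cannot bind it and the iptables REDIRECTs are pointless.
check_unprivileged_ports() {
    found=0
    for p in $(printf '%s\n' "$1" | grep -oE '[pP]ort="[0-9]+"' | tr -dc '0-9\n'); do
        found=1
        [ "$p" -gt 1023 ] || return 1
    done
    [ "$found" -eq 1 ]
}

# Constructed sample: the CIFS block from this page.
SAMPLE_CONFIG='<config evaluator="string-compare" condition="CIFS Server">
  <serverEnable enabled="true"/>
  <tcpipSMB port="1445" platforms="linux"/>
  <netBIOSSMB sessionPort="1139" namePort="1137" datagramPort="1138" platforms="linux"/>
</config>'

# Live check against this host; prints the first failing item.
audit_host() {
    info=$(stat -c '%U %G %a' /sbin/mount.cifs) || return 1
    set -- $info
    check_setuid_helper "$1" "$2" "$3" || { echo "mount.cifs is $1:$2 mode $3"; return 1; }
    [ "$(stat -c %U /var/run/alfresco.pid)" = repos ] || { echo "alfresco.pid not owned by repos"; return 1; }
    check_unprivileged_ports "$(cat "${ALF_EXT:?}/fileservers-custom.xml")" || { echo "privileged SMB port configured"; return 1; }
    echo "non-root layout looks correct"
}

if [ "${1:-}" = --audit ]; then audit_host; fi
```

Run it with --audit after steps 2, 4, 8 and 9 to confirm nothing regressed to a root-only or world-executable state.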