This is how you modify an Alfresco installation to run as non-root: the Alfresco process runs as the unprivileged service account repos instead of root. The CIFS/NetBIOS ports below 1024 are reached through iptables redirects to unprivileged ports, and the few remaining root-only operations are delegated through file ownership and a group-restricted setuid mount.cifs.

  1. Enable IP forwarding:
    echo 1 > /proc/sys/net/ipv4/ip_forward
    
        Also, in /etc/sysctl.conf, make sure IP forwarding is enabled so the setting survives a reboot (sysctl -p applies the file immediately):
    net.ipv4.ip_forward = 1
    
        Note that this setting makes the kernel forward packets between its interfaces; on a multi-homed host, restrict the FORWARD chain accordingly.
    





  2. Place the following in fileservers-custom.xml (the unprivileged ports configured here are the targets of the iptables redirects in step 3):
    <config evaluator="string-compare" condition="CIFS Server">
    	<serverEnable enabled="true"/>
    	<tcpipSMB port="1445" platforms="linux"/>
    	<sessionTimeout value="30"/>
    	<netBIOSSMB sessionPort="1139" namePort="1137" datagramPort="1138" platforms="linux"/>
    </config>
    



  3. Set up iptables redirects so clients can still connect to the privileged ports while Alfresco listens above 1024:
    iptables -t nat -A PREROUTING -p tcp --dport 445 -j REDIRECT --to-ports 1445
    iptables -t nat -A PREROUTING -p tcp --dport 139 -j REDIRECT --to-ports 1139
    iptables -t nat -A PREROUTING -p udp --dport 137 -j REDIRECT --to-ports 1137
    iptables -t nat -A PREROUTING -p udp --dport 138 -j REDIRECT --to-ports 1138
    
        These rules are not persistent; save them with your distribution's mechanism (e.g. iptables-save into its restore file) or they are gone after a reboot. PREROUTING only sees packets arriving on a network interface, so connections from the host itself to localhost:445 are not redirected (see step 9).
    



  4. Change ownership on the alfresco.pid file to repos:
    chown repos:repos /var/run/alfresco.pid
    



  5. Make sure every directory on the path down to /home/www/apache/modules/* is readable and searchable (r and x) by repos; a missing x bit on any parent directory blocks access to everything below it.


  6. Change ownership and permissions on /sbin/mount.cifs to enable mounting CIFS by repos:

    chown root:repos /sbin/mount.cifs
    chmod 4750 /sbin/mount.cifs
    
        Mode 4750 makes the binary setuid root but executable only by root and members of group repos; do not use 4755, which would hand every local user a setuid mount helper. A package upgrade of cifs-utils may reset owner and mode, so re-check them afterwards.
    



  7. Add the following line to /etc/fstab (the user option is what permits a non-root mount; create the mount point first and make sure repos owns it):
    //localhost/avm  /home/repos/mnt/this-avm	cifs	user,noauto	0 0
    



  8. In the /etc/security/limits.conf file, add the following lines:
    repos		soft	nofile		8192
    repos		hard	nofile		8192
    
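    As an added example that is not part of the original page, the following script audits every prerequisite from steps 1 to 8 (the forwarding sysctl, the four NAT redirects, ownership of the pid file, the traversable path, the setuid mount.cifs, the fstab entry and the nofile limits) so that a failed non-root start can be traced to a specific step. The repos user, the ports and the paths are taken from this page; the script itself, its function names and the PASS/FAIL layout are assumptions of this example, and it relies on GNU stat -c and iptables-save.

```shell
#!/bin/sh
# Added audit script (not part of the original page): checks the prerequisites from
# steps 1-8 on the live host before Alfresco is started as the service user.
# Assumptions, adjust as needed: service user/group "repos", the ports used above,
# GNU coreutils (stat -c), iptables-save on the PATH.

SVC_USER=${SVC_USER:-repos}
SVC_GROUP=${SVC_GROUP:-repos}

# proto / privileged port / redirect target, one line per iptables rule in step 3
REDIRECTS='tcp 445 1445
tcp 139 1139
udp 137 1137
udp 138 1138'

# check_sysctl FILE: FILE (normally /proc/sys/net/ipv4/ip_forward) must read "1".
check_sysctl() {
    [ "$(cat "$1" 2>/dev/null)" = "1" ]
}

# check_redirects DUMP: DUMP holds the output of "iptables-save -t nat". Succeeds only
# if every PREROUTING REDIRECT listed in $REDIRECTS is present.
check_redirects() {
    f=$1
    echo "$REDIRECTS" | while read -r proto dport to; do
        grep -Eq -- "^-A PREROUTING .*-p $proto .*--dport $dport .*-j REDIRECT --to-ports $to\$" "$f" \
            || exit 1   # exits the subshell only; the pipeline then fails
    done
}

# check_owner PATH OWNER GROUP, e.g. check_owner /var/run/alfresco.pid repos repos
check_owner() {
    [ "$(stat -c '%U %G' "$1" 2>/dev/null)" = "$2 $3" ]
}

# check_mode PATH OCTAL OWNER GROUP, e.g. check_mode /sbin/mount.cifs 4750 root repos:
# setuid root, executable by group repos only, no access for "other".
check_mode() {
    [ "$(stat -c '%a %U %G' "$1" 2>/dev/null)" = "$2 $3 $4" ]
}

# check_path_exec DIR: every directory from DIR up to / must be searchable by the
# caller, so run this part as the service user.
check_path_exec() {
    d=$1
    while [ -n "$d" ] && [ "$d" != "/" ]; do
        [ -x "$d" ] || return 1
        d=$(dirname "$d")
    done
}

# check_fstab FSTAB SHARE MOUNTPOINT: the entry must be type cifs and carry the "user"
# option; without it a non-root mount is refused.
check_fstab() {
    awk -v share="$2" -v mp="$3" '
        $1 == share && $2 == mp && $3 == "cifs" {
            n = split($4, o, ",")
            for (i = 1; i <= n; i++) if (o[i] == "user") found = 1
        }
        END { if (found) exit 0; exit 1 }' "$1"
}

# check_limits FILE USER MIN: USER needs both a soft and a hard nofile limit >= MIN.
check_limits() {
    awk -v u="$2" -v min="$3" '
        $1 == u && $3 == "nofile" && $4 + 0 >= min + 0 { seen[$2] = 1 }
        END { if (seen["soft"] && seen["hard"]) exit 0; exit 1 }' "$1"
}

# audit: run every check against this host, print PASS/FAIL per check, return 1 on any failure.
audit() {
    rc=0
    run() { if "$@"; then echo "PASS: $*"; else echo "FAIL: $*"; rc=1; fi; }
    dump=$(mktemp)
    iptables-save -t nat > "$dump" 2>/dev/null
    run check_sysctl /proc/sys/net/ipv4/ip_forward
    run check_redirects "$dump"
    run check_owner /var/run/alfresco.pid "$SVC_USER" "$SVC_GROUP"
    run check_path_exec /home/www/apache/modules
    run check_mode /sbin/mount.cifs 4750 root "$SVC_GROUP"
    run check_fstab /etc/fstab //localhost/avm "/home/$SVC_USER/mnt/this-avm"
    run check_limits /etc/security/limits.conf "$SVC_USER" 8192
    rm -f "$dump"
    return "$rc"
}

# Only act when invoked as "audit"; sourcing the file just defines the functions.
case "${1:-}" in
    audit) audit ;;
esac
```

    Run "sh audit.sh audit" once as root (iptables-save needs it) and once as repos, since the path check answers for whoever runs it. The checks that take a file argument can also be pointed at a saved iptables-save dump or a staging copy of fstab or limits.conf.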





    For the deployment scripts (for the -mitmods version only):


  9. Note that the deploy scripts need to be updated to use port 1445 for CIFS, because the PREROUTING redirects from step 3 do not apply to connections that originate on the host itself. Also, the mount point for CIFS needs to be under /home/repos, not /mnt. "mount.cifs" must be called directly instead of "mount": plain mount lets a non-root user mount an fstab entry only exactly as written and rejects the extra -o options, regardless of the setuid bit on mount.cifs. Finally, the share name must be "//localhost/avm" to match the fstab entry. Here are the relevant changes in the script:
    export MOUNT_POINT=~/mnt/this-avm
    # instead of /mnt/this-avm
    
    umount -t cifs //localhost/avm ${MOUNT_POINT}/
    # instead of //${HOSTNAME}/avm
    
    mount.cifs //localhost/avm ${MOUNT_POINT}/ -o port=1445,user=${DEPLOY_ALFRESCO_USER}%${DEPLOY_ALFRESCO_PASSWORD}
    # "mount.cifs" instead of "mount -t cifs"; "localhost" instead of "${HOSTNAME}"; "port=1445" instead of default behavior (445).
    # Caveat: user=NAME%PASSWORD puts the password on the command line, where every local user can read it via ps; a credentials= file with mode 600 avoids that.
    


  10.  On the remote (linux) server, identify or create a remote user with write access to the desired deployment destination path.  Ensure that the repos account on the Alfresco server (the account the deploy script now runs as, not root) can ssh as this user to the remote server without being prompted for a password.  If this is not already set up, you should do the following:
    * On the Alfresco server as *repos*, run "ssh-keygen -t dsa" and accept the default location.  Leave the passphrase blank (not ideal, but the script must never be prompted for a password; compensate by restricting what the key may do on the remote side, e.g. a from= and command= prefix on its authorized_keys line).  Note that OpenSSH 7.0 and later refuse DSA keys by default, so on a current system use "ssh-keygen -t ed25519" and substitute id_ed25519.pub for id_dsa.pub below.
    * Copy the generated public key file (~/.ssh/id_dsa.pub) to the remote server (e.g., "scp ~/.ssh/id_dsa.pub REMOTESERVER:")
    * Log into the remote (assumed linux) server as the remote user.  (If the user doesn't exist, first log in as root and create the account with "adduser USERNAME")
    * If it does not exist, create the remote user's .ssh directory and make sure its permissions are properly set. ("mkdir ~/.ssh" and "chmod 700 ~/.ssh")
    * Append the generated public key file you copied to the end of .ssh/authorized_keys, and make sure its permissions are properly set.  ("cat id_dsa.pub >> ~/.ssh/authorized_keys" and "chmod 600 ~/.ssh/authorized_keys")
    * Remove the generated public key file from the remote server ("rm id_dsa.pub")

    Example (run as root on the remote server):
    adduser deploy_bot    ### note, this is the WEB SERVER "deploy_bot" account, not the ALFRESCO "deploy_bot" account
    mkdir /home/deploy_bot/.ssh
    chown deploy_bot /home/deploy_bot/.ssh
    chmod 700 /home/deploy_bot/.ssh
    cat ~/id_dsa.pub >> /home/deploy_bot/.ssh/authorized_keys
    chown deploy_bot /home/deploy_bot/.ssh/authorized_keys
    chmod 600 /home/deploy_bot/.ssh/authorized_keys
    rm ~/id_dsa.pub
    chmod a+rx /home/www
    chmod a+rx /home/www/sash-server
    chmod a+rx /home/www/sash-server/servers/
    chmod a+rx /home/www/sash-server/servers/alumni/
    chown deploy_bot /home/www/sash-server/servers/alumni/webapps
    chown deploy_bot /home/www/sash-server/servers/alumni/webapps/ROOT
    
    
    * Log out of the remote server
    * Test by logging into the Alfresco server as *repos* and running "ssh -l USERNAME REMOTESERVER".  If you get in as the remote user without being prompted for a password, congratulations.   Note: in this step, accept the host key, but first compare the fingerprint ssh shows with the one on the remote server (there, run "for f in /etc/ssh/ssh_host_*_key.pub; do ssh-keygen -lf $f; done") so you are not pinning an attacker's key.  This stores the host key in known_hosts and is actually important, since you don't want the deployment script to be prompted to accept or not accept the host key.
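    Added example, not the page's own deploy script: helper functions for the changes described in steps 9 and 10. Beyond what the page shows, it moves the CIFS password off the command line (user=NAME%PASS is visible to every local user in ps) into a mode 0600 credentials= file that mount.cifs reads, builds a restricted authorized_keys line for the passphrase-less deploy key, and invokes ssh in batch mode so a missing known_hosts entry or rejected key fails the run instead of hanging on a prompt. The share, port and mount point come from this page; the remote command /usr/local/bin/deploy-receive, the deploy_bot user, the function names and the use of GNU stat -c are assumptions of this example.

```shell
#!/bin/sh
# Added helper functions (not the page's own deploy script) for the non-root deploy
# flow in steps 9 and 10. Hypothetical values: share //localhost/avm on port 1445,
# mount point ~/mnt/this-avm, remote user deploy_bot, remote command
# /usr/local/bin/deploy-receive; GNU coreutils (stat -c) is assumed.

SHARE=${SHARE:-//localhost/avm}
CIFS_PORT=${CIFS_PORT:-1445}
MOUNT_POINT=${MOUNT_POINT:-$HOME/mnt/this-avm}

# write_cifs_credentials FILE USER PASS: mount.cifs reads "credentials=FILE", so the
# password stays out of the process list (user=NAME%PASS on the command line is
# visible to every local user via ps). The file is created with mode 0600.
write_cifs_credentials() {
    old=$(umask)
    umask 077
    printf 'username=%s\npassword=%s\n' "$2" "$3" > "$1"
    umask "$old"
    [ "$(stat -c %a "$1")" = "600" ]
}

# cifs_opts CREDFILE: the -o string; the port is explicit because the PREROUTING
# redirects in step 3 never see traffic that originates on the host itself.
cifs_opts() {
    printf 'port=%s,credentials=%s' "$CIFS_PORT" "$1"
}

# mount_avm CREDFILE / umount_avm: call mount.cifs directly (setuid, step 6); plain
# "mount" rejects -o options from a non-root user.
mount_avm() {
    mount.cifs "$SHARE" "$MOUNT_POINT/" -o "$(cifs_opts "$1")"
}
umount_avm() {
    umount -t cifs "$SHARE" "$MOUNT_POINT/"
}

# restricted_key_line PUBKEY FROM COMMAND: authorized_keys entry for the passphrase-less
# deploy key. from= pins the Alfresco server's address, command= limits what the key may
# run, and the no-* options drop forwarding and ttys. The key's comment field is dropped.
restricted_key_line() {
    printf 'from="%s",command="%s",no-agent-forwarding,no-port-forwarding,no-pty,no-X11-forwarding %s\n' \
        "$2" "$3" "$(cut -d' ' -f1,2 "$1")"
}

# ssh_batch USER HOST CMD...: never prompt. An unknown host key or a key that is not
# accepted becomes a hard error in the deploy log instead of a hung script.
ssh_batch() {
    u=$1; h=$2; shift 2
    ssh -o BatchMode=yes -o StrictHostKeyChecking=yes -l "$u" "$h" "$@"
}

# Example flow, run only when invoked as "deploy CREDFILE REMOTEUSER REMOTEHOST":
case "${1:-}" in
    deploy)
        mount_avm "$2" && ssh_batch "$3" "$4" /usr/local/bin/deploy-receive
        umount_avm
        ;;
esac
```

    The authorized_keys line produced by restricted_key_line replaces the plain "cat id_dsa.pub >> authorized_keys" above: with it, a stolen deploy key can only run the one deploy command, and only from the Alfresco server's address.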

