This is an old revision of the document!
Table of Contents
Romulus Server Setup
This page describes the setup of the main OICE server, Romulus, including details of all important services.
Summary
| IP address | 131.188.231.217 |
| FQDN | romulus.oice.uni-erlangen.de |
| Location | OICE, Room 071.13 00 025 |
| Chassis | Mid Tower |
| CPU | Intel Xeon CPU E5-2407 @ 2.2 GHz |
| RAM | 16 GiB |
| HDDs | 2x 600 GiB in RAID 1 |
| OS | Ubuntu 14.04.4 LTS (GNU/Linux) |
| Misc Info | 5903 GiB of iSCSI storage (remus) |
Services
The following table lists the services provided by romulus and the location of the relevant configuration files.
| Service | Configuration Files/Folder |
|---|---|
| Apache2 (web server) | /etc/apache2 |
| GOsa² | /etc/gosa, mainly /etc/gosa.conf |
| DokuWiki | /etc/dokuwiki |
| OpenLDAP | cn=config and /etc/ldap |
| OpenSSH | /etc/ssh |
| OMERO | /usr/local/share/omero/OMERO.server/etc |
| OMERO.figure | /usr/local/share/omero/OMERO.server/lib/python/omeroweb/figure |
| iSCSI Initiator | /etc/iscsi |
Storage
romulus has its root directory / mounted on a 600 GiB RAID 1 array at /dev/sda. Addtionally, a 5.9 TiB RAID 6 array on remus (192.168.231.218) consisting of 12 Seagate Cheetah ST3600057SS (600 GB, 15000 rpm) is connected via Ethernet and iSCSI at /dev/sdb and mounted on /srv.
The iSCSI connected mount point /srv holds the managed repository of OMERO and thus all uploaded image files and files attached to OMERO images/projects/datasets. Additionally, /srv holds part of the regularly taken system and storage backup for synchronization with rheasilvia.
LDAP Server
romulus runs an OpenLDAP server used for storing all OICE wide user accounts and group memberships. For this server, the RFC 2307bis was implemented and a modified nis-scheme was used to allow for GroupOfNames and PosixGroup in a single entry. The LDAP configuration files were adapted accordingly (cf. https://www.heinlein-support.de/blog/howto/ldap-und-unix-gruppen/ (german) and https://tools.ietf.org/html/draft-howard-rfc2307bis-02)
OpenLDAP is configured largely inside its own directory structure instead of using the traditional configuration files inside /etc. Permissions where chosen as restrictively as possible while still allowing external authentication requests where necessary. Please refer to https://help.ubuntu.com/lts/serverguide/openldap-server.html for a starter on how to configure OpenLDAP on Ubuntu LTS 14.04.4.
Firewall
Ubuntu LTS comes with an effective and easily configurable firewall, termed “uncomplicated firewall” (ufw) (cf. https://help.ubuntu.com/lts/serverguide/firewall.html). It has been restrictively configured to allow only necessary incoming connections. In February 2016, the configuration was as follows:
| To | Action | From |
|---|---|---|
| 22 | ALLOW | Anywhere |
| 80 | ALLOW | Anywhere |
| 443 | ALLOW | Anywhere |
| 4080 | ALLOW | Anywhere |
| 4064 | ALLOW | Anywhere |
| 4063 | ALLOW | Anywhere |
| Samba | ALLOW | 192.168.231.192/27 |
| Samba | ALLOW | 131.188.231.192/27 |
| Samba | ALLOW | 46.128.231.126 |
| Samba | ALLOW | 10.11.234.0/24 |
| Samba | ALLOW | 131.188.175.188 |
| Samba | ALLOW | 131.188.170.139 |
| 636 | ALLOW | 134.213.137.186 |
| 636 | ALLOW | 54.77.60.9 |
| 1194/udp | ALLOW | Anywhere |
| 192.168.231.192/27 3389 | ALLOW | Anywhere |
| Samba | ALLOW | 141.67.104.103 |
| 5001/tcp | ALLOW | 192.168.231.216 |
where the application “Samba” is defined as ports Ports: 137,138/udp and 139,445/tcp (needed for CIFS and PDC authentication). The IP 134.213.137.186 on port 636/tcp is needed for the Stratocore PPMS system to authenticate the logins with the LDAP server on romulus. 52.31.192.143 on port 636 is needed as a backup in case the normal Stratocore server is not functioning.
Web Server
OMERO, the DokuWiki platform and GOsa² all run on an Apache 2.4.7 web server. All configuration files have been adapted to the syntax necessary for Apache servers >= 2.4 (e.g. require all granted instead of Allow from all, etc.), which was necessary since most examples for web services are still tailored to Apache 2.2.
/etc/apache2/sites-available contains configuration files for GOsa² and for OMERO/DokuWiki. The latter two are combined inside omero-ssl.conf, since they both run on romulus.oice.uni-erlangen.de. The GOsa² service can be reached via its own domain name gosa.oice.uni-erlangen.de and is consequently configured in its own configuration file gosa-ssl.conf
Backup
For backup purposes, there is an extra storage server rheasilvia, currently on IP 192.168.231.216. It features 29 TiB of HDD space contained on a RAID 6 array consisting of 8 Hewlett Packard 8 TB 7200 rpm disks.
Encrypted and compressed backups are currently (February 2016) transferred every night via the application “duplicity” (uses rsync and gpg internally, see https://help.ubuntu.com/community/DuplicityBackupHowto). Additionally, rsync is used to synchronize a directory with snapshots of various other backups (such as the LDAP directory) contained in /srv/backups/settings.
A slightly abbreviated version (without the error messages) of the current (February 2016) backup cronjob is listed as follows:
AGES=0,1,2,3,4,5,6,7,14,30,60,182,365,730 # *** OMERO database and setting files, ldap directory, system setting files 00 3 * * * omero /usr/local/scripts/backuplocal-omero 10 3 * * * root /usr/local/scripts/backuplocal-ldap 30 3 * * * root /usr/local/scripts/backuplocal-system 40 3 * * * backup /usr/local/scripts/thinout-backups $AGES 45 3 * * * root /usr/local/scripts/backupremote-settings # *** Users' home directories, the OICE network share, the OMERO data repository and the wiki # Incremental backup most of the time 00 4 2-31 * * root /usr/local/scripts/backupremote-home 20 4 2-31 * * root /usr/local/scripts/backupremote-oiceshare 40 4 2-31 * * root /usr/local/scripts/backupremote-omerodata 00 5 2-31 * * root /usr/local/scripts/backupremote-wiki # Full back up in regular intervals 00 4 1 * * root /usr/local/scripts/backupremote-home full 20 4 1 * * root /usr/local/scripts/backupremote-oiceshare full 40 4 1 * * root /usr/local/scripts/backupremote-omerodata full 00 5 1 * * root /usr/local/scripts/backupremote-wiki full
This will start the backup process at 3 a.m. every night. All custom scripts, which are internally documented as well, including the ones used for backups are residing in /usr/local/scripts. The purpose of the backup scripts is as follows:
| Script | Purpose |
|---|---|
backuplocal-omero | Creates a snapshot of the OMERO PosgreSQL database and the OMERO etc directory |
backuplocal-ldap | Creates a snapshot of the LDAP directory (user accounts) |
backuplocal-system | Creates a snapshot of the servers /etc and /usr/local/scripts directories |
thinout-backups | Used the python script purge-files to reduce all snapshots to a list that corresponds to ages (in days) as listed in the $AGES variable |
backupremote-setting | Synchronizes the thinned out snapshot directory /srv/backups/settings with its counterpart on rheasilvia |