Diff for "InstallingControlOnCentos6"

You need to install a "minimal install" of CentOS 6.8, using the minimal install CD.

Hostname should be called concare4. Configure Network for DHCP and to "Connect Automatically"

Partition sizes should be as follows (Create Custom Layout):

/        20-50GB, depending on size of drive, format as EXT4
swap     2-32GB, the same size as physical RAM
/u       with the rest of available space (Fill to maximum available size), formatted as EXT4

Make sure you tell us what the root password is set to.

After install is finished it will restart. Turn off firewall and selinux.

chkconfig iptables off
chkconfig ip6tables off

edit /etc/sysconfig/selinux and make sure the SELINUX line is as follows:

SELINUX=disabled

For linode only:

edit /etc/resolv.conf and add:

nameserver 8.8.8.8

Then make the file immutable

chattr +i /etc/resolv.conf

install wget and ppp:

yum install wget ppp openssh-clients

download the following file into the server:

http://customers.creativecomputing.com.au/concare/vpn.tgz

untar the file into /etc/

cd
wget http://customers.creativecomputing.com.au/concare/vpn.tgz
cd /etc
tar xvzf ~/vpn.tgz

then as root, accept the fingerprint:

# ssh 220.233.135.250
The authenticity of host '220.233.135.250 (220.233.135.250)' can't be established.
RSA key fingerprint is f6:f0:5c:21:74:0e:03:db:fc:71:e6:21:63:b5:c0:43.
Are you sure you want to continue connecting (yes/no)?

Type "yes" and cancel the connection (ctrl-c).

Reboot to connect the vpn

Add epel repository:

#rpm -ivh http://download.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
rpm -ivh https://archives.fedoraproject.org/pub/archive/epel/6/x86_64/epel-release-6-8.noarch.rpm

Download fixed copy of polkit:

cd
wget http://customers.crecom.com.au/concare/polkit-0.96-12.el6.1.x86_64.rpm

use yum to install additional packages

yum groupinstall "Desktop" "General Purpose Desktop" "Print Server" "Web Server" "X Window System" "Internet Browser" "Office Suite and Productivity" "Xfce"

yum install libstdc++.i686 libstdc++ unixODBC.i686 mysql-libs.i686 mysql-libs libcurl-devel.i686 expat.i686 expat glib2.i686 glib2 freetype.i686 libSM.i686 libXrender.i686 fontconfig.i686 libXext-devel.i686 guacd libguac-client-vnc mysql-server tomcat6 system-config-printer libXext.i686 libXext rxvt mpage unix2dos gtk2-devel gtk2-devel.i686 seamonkey ORBit2-devel mlocate fail2ban libgcj.i686 /root/polkit-0.96-12.el6.1.x86_64.rpm

Turn on fail2ban

chkconfig fail2ban on

Load the /u partition:

Download the following tar file: http://customers.creativecomputing.com.au/concare/rel15_u_partition2.tgz

untar it into /u

cd
wget http://customers.creativecomputing.com.au/concare/rel15_u_partition2.tgz
cd /u
tar xvzf ~/rel15_u_partition2.tgz

Add "control" group

groupadd -g 3232 control

install turbovnc:

cd
wget http://customers.creativecomputing.com.au/concare/turbovnc-2.2.5.x86_64.rpm
yum install turbovnc-2.2.5.x86_64.rpm
wget http://customers.creativecomputing.com.au/concare/turbostartup9.tgz
cd /etc
tar xvzf ~/turbostartup9.tgz
cd
wget http://customers.creativecomputing.com.au/concare/vncserver
wget http://customers.creativecomputing.com.au/concare/deletelocks.sh
wget http://customers.creativecomputing.com.au/concare/orbit-cleanup
wget http://customers.creativecomputing.com.au/concare/arial.tgz
mv vncserver /opt/TurboVNC/bin/
mv deletelocks.sh /usr/local/bin/
mv orbit-cleanup /usr/local/sbin/
chmod 755 /opt/TurboVNC/bin/vncserver
cd /
tar xvzf ~/arial.tgz

Edit /etc/X11/xinit/Xclients and add ". /u/cc/usr/commonx11.sh" below the lines for GSESSION and STARTKDE. Note there is a space between "." and "/".

Create the ccc user and start up its vnc session

adduser -m ccc
passwd ccc
initctl start turbo VNC=5

Add the following line to ~ccc/.vnc/xstartup.turbovnc right after the first 2 "unset" lines

xhost +

Install pdftk

cd
wget http://customers.creativecomputing.com.au/concare/pdftk
mv pdftk /usr/bin/
chmod 755 /usr/bin/pdftk

Install guacamole:

chkconfig guacd on
cd
wget http://apache.org/dyn/closer.cgi\?action=download\&filename=guacamole/0.9.13-incubating/binary/guacamole-0.9.13-incubating.war
mv ~/guacamole-0.9.13-incubating.war /var/lib/tomcat6/webapps/guacamole.war
wget http://customers.creativecomputing.com.au/concare/guacdb3.sql
chkconfig mysqld on
service mysqld start
mysql < ~/guacdb3.sql
chkconfig tomcat6 on

Restart once more. guacadmin password is gu4c4dm1n

Try logging into guacamole on "http://<ip address>:8080/guacamole/" and connect to the pre configured "ccc" session. If you see a menu on top, go to System->log out ccc, then say "Log out" to the dialog box that comes up. This will close the session and start it over. If the screen has been locked out and screen saver has activated, forcibly restart the vnc session:

initctl stop turbo VNC=5

wait a few seconds, then:

initctl start turbo VNC=5

Install cups-cloudprint:

cd
wget http://customers.creativecomputing.com.au/concare/cups.tgz
cd /etc
tar xvzf ~/cups.tgz
yum install cupscloudprint
service cups restart

Prior to running the following, please make sure you have a cloudprint account set up with Google and have at least one A4 printer there. This link will give you some more idea about Google cloud print: https://www.google.com/cloudprint/learn/printers.html . It is advisable that you create a Google account just for the sole purpose of printing and not use a pre-existing one.

The following command will initiate setting up cups cloudprint. (This will ask you to enter a URL into a browser and log in to your Google cloud print account) /usr/share/cloudprint-cups/setupcloudprint.py

For now, only add the account and do not add any printers just yet.

Set up chroot sftp

In /etc/ssh/sshd_config change the following near the bottom:

#Subsystem    sftp    /usr/libexec/openssh/sftp-server
Subsystem     sftp    internal-sftp
Match Group sftpusers
        ChrootDirectory /sftp/%u
        ForceCommand internal-sftp

Add a new group sftpusers and create a chroot subdirectory

groupadd -g 3255 sftpusers
mkdir /sftp/

Restart sshd if you want to use it straight away

service sshd restart

Set up OpenVPN

Install the OpenVPN package

yum install openvpn easy-rsa
cd /usr/share/easy-rsa/3.0
cp /usr/share/doc/easy-rsa-3.0.3/vars.example ./vars

Edit the file "vars" and change the items near the end (this is just an example, you can use your real location details):

set_var EASYRSA_KEY_SIZE        4096
set_var EASYRSA_CRL_DAYS        3650
set_var EASYRSA_DIGEST          "sha512"

build the certificate authority (just accept all the defaults and say yes to sign the certificate and commit):

./easyrsa init-pki
./easyrsa build-ca nopass

It will ask you for your Common name, this is just for display, but better if you put the hostname (or customer company)

./easyrsa gen-req server nopass
./easyrsa sign-req server server
./easyrsa gen-crl
openssl dhparam -out ./pki/dh4096.pem 4096

This will generate a secure key, it usually takes a long time.

openvpn --genkey --secret ./pki/ta.key
wget http://customers.creativecomputing.com.au/concare/server.conf
mv server.conf /etc/openvpn/
chkconfig openvpn on
mkdir /var/log/openvpn
service openvpn start

Reset the vnc password for ccc (vnc session number 5) to control. Do not set a view-only password.

/opt/TurboVNC/bin/vncpasswd ~ccc/.vnc/passwd

At this point the OS is installed and a very rudimentary version of Control (based on what's installed in the original test VM) is now installed in the system. The following instructions are for adding sessions and printers which I will do a live demo for.

To Add a new session:

This section moved to Installing Control

For users of previous release (upgrade):

populate:

/u/cc/usr/vncusers.sh

based on the lines that start with v in:

/etc/inittab

take a copy of the untarer.sh and lockdown.tgz:

cd
wget http://customers.creativecomputing.com.au/concare/lockdown.tgz
wget http://customers.creativecomputing.com.au/concare/untarer.sh
chmod 755 untarer.sh

Get a list of users from inittab:

cat /etc/inittab|grep ^v|cut -d: -f4| cut -d\- -f2|xargs

run untarer.sh using the output of the above as parameters

./untarer.sh <paste-output-of-above-command>

you can skip over users that you dont think need a vnc session in the new release.

Set up a Printer:

These instructions are mostly just an outline.

If using a printer that will be hooked up to a windows PC, We will need to make sure that the windows printer driver is installed and a test page can be printed.

If using cloudprint, a google account should be created solely for printing.

If using cloud print (A4 printers):

On native cloudprint printer

set up cloudprint on device (this is device specific)

https://support.google.com/cloudprint/answer/1686197?hl=en

On classic printer

set up cloudprint on attached windows PC and Chrome.

https://support.google.com/cloudprint/answer/1686197?hl=en

for both of the above: set up cups-cloudprint using python script

/usr/share/cloudprint-cups/setupcloudprint.py

If direct printing (40 column thermal receipt printers and label printers)

set up openvpn account on the server:

cd /usr/share/easy-rsa/3.0
./easyrsa gen-req <session name> nopass

Then we sign our own request:

./easyrsa sign-req client <session name>

If signing the request fails, check the file /usr/share/easy-rsa/3.0/index.txt and make sure you have not used this common name before. If you have and you are sure you want to reuse it, erase the line from the above file

It will then ask you a series of questions, similar to the ones asked when you built the server key. You should only need to answer the "Common Name" field and "Confirm request details:"

In the pki directory under current a configuration file <session_name>.ovpn similar to openvpn.conf must be created.

# Configuration for connecting into Creative computing internal network
tls-client
dev tap
proto udp
remote <server_hostname> 1194
resolv-retry infinite
nobind
ifconfig <assigned_IP> 255.255.255.0
ca ca.crt
cert <session_name>.crt
key <session_name>.key
verb 3
mute 10
cipher AES-256-CBC
auth SHA512
tls-auth ta.key 1
tls-version-min 1.2
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384

Then zip all these file you just created ( .crt, .key,.opvn and etc may be 6 or so files)

cd pki
zip -j <session_name>.zip <session_name>.ovpn private/<session_name>.key issued/<session_name>.crt dh4096.pem ca.crt ta.key

Load into client machine. An external method may be needed to load the OpenVPN files into the client computer.

Use the latest stable installer (whether 32 bit or 64 bit) from the following:

https://openvpn.net/index.php/open-source/downloads.html

Unzip all the files into the config directory under where OpenVPN is installed (Usually C:\Program Files\OpenVPN\config). Create a shortcut to OpenVPN on the desktop if the installer has not done so.

set up windows driver and make sure test page works.

turn on Unix printing for windows and make sure it auto starts the service.

use system-config-printer to set up cups

At this point, you have a cups printer, either to a cloud printer device, or a direct printing device.

run printer management from inside Control:

prnaad (as end user)

cloud print printer use "graphics" printing, the rest choose appropriate printer model.

Go to Control "terminal details" screen to set up printers.

yum install sendmail

chkconfig --levels 235 sendmail on

chmod 755 -R /etc/mail

service sendmail restart

update all the binaries to the latest:

From SAM:

rsync -avzk --delete /u/ccstandard/ root@<server IP>:/u/ccstandard/

ssh to the server.

cd /u/ccr.15/
rsync -av /u/ccstandard/ ./

Copy the <standard company> to <company name>

chmod a+w -R /u/ccr.15/<company> /u/ccr.15/adm

./contrl =>put address and phone

/u/cc/std/localbin/brarep

Setting up CRON

ln -s /u/cc /cc
crontab -e

* * * * * /u/cc/binl/auto_postal > /u/cc/LOG/auto_postal.out 2>&1
0 1 * * * /u/cc/binl/post_sum > /u/cc/LOG/post_sum.out 2>&1
0 1 1 * * /u/cc/binl/auto_eom > /u/cc/LOG/auto_eom.out 2>&1
su -
<enter root password>
crontab -e
1 2 * * * /usr/local/sbin/orbit-cleanup > /cc/LOG/orbit-cleanup.out 2>&1
30 1 * * * /u/cc/binl/initda > /u/cc/LOG/initda.out

be sure to modify $CCDIR/binl/auto_eom with the correct CCDIR so that it will run for the correct company (specially if you have custom CCDIR)

Setting up printers

system-config-printer
prnaad

Makesure /u/cc/std/ have the qtsdk-2010.05/ thing

and "qtx11-4.7.0 -> qtsdk-2010.05/" is placed in /u/cc/std/

cp /u/ccdev/binl/email_pdf to the new server as well.

If using postfix (no reason other than if already set up before)

increase default message size limit:

postconf -e message_size_limit=102400000
postconf -e mailbox_size_limit=819200000