GUI Node Installation

Overall Installation Steps

The high-level steps for installing and configuring the N2SIP administrative GUI are:

  1. Determine the server(s) that will supply the GUI logical component, bearing in mind the supported operating systems and minimum server requirements.
  2. Ensure the installation pre-requisites are met.
  3. Install the GUI package.
  4. Perform any required post-installation steps.
  5. Update the administrative GUI configuration as desired.
  6. Optionally, apply the recommended Apache security configuration.

Installation Pre-requisites

OS-specific Setup

Refer to the specific Red Hat or Debian instructions for any pre-requisites as required.

Apache 2

Apache 2 must be installed prior to installing the N2SIP GUI package. The package to install will depend on your OS type:

RHEL 8:                  sudo dnf install httpd
Other RPM-based Systems: sudo yum install httpd
DEB-based Systems:       sudo apt-get install apache2

The N2SIP GUI package expects that the relevant Apache 2 configuration directory exists. Again, this varies depending on your OS type:

RPM-based Systems: /etc/httpd
DEB-based Systems: /etc/apache2

Finally, the apachectl program must exist (it is installed as part of the Apache 2 package) and Apache must be running.

Installation Steps

Follow the appropriate installation steps depending on your installation sources.

From N-Squared Repository

Execute the instructions specific to your operating system:

RHEL 8:                  sudo dnf install n2sip-gui
Other RPM-based Systems: sudo yum install n2sip-gui
DEB-based Systems:       sudo apt-get install n2sip-gui

As Manual Installation

Transfer the provided package file to the target node, then follow the instructions specific to your operating system.

Execute (adjusting as appropriate for package location and version details) the following:

RPM-based Systems: sudo rpm -Uvh /path/to/n2sip-gui-M.m.p-b.noarch.rpm
DEB-based Systems: sudo dpkg -i /path/to/n2sip-gui_M.m.p-b_all.deb

Post-Installation Steps

Default Application

After installation, Apache does not redirect a request for the site root to the N2SIP GUI by default.

To set the N2SIP GUI as the default application, edit the appropriate file for your OS type:

RPM-based Systems: /etc/httpd/n2srp-gui.conf
DEB-based Systems: /etc/apache2/n2srp-gui.conf

Add the following line to the top of the file:

RedirectMatch ^/$ /n2srp

Restart Apache to apply the change:

apachectl restart

Firewall

The firewall (if any) on the GUI node must be updated to allow:

The exact commands to do this will depend both on the firewall on your platform and also which port(s) are in use. For example, to allow the default Apache ports when using firewalld, the commands might be:

firewall-cmd --zone=public --add-port=80/tcp --permanent
firewall-cmd --zone=public --add-port=443/tcp --permanent
service firewalld restart

SELinux

If SELinux is in use, Apache must be allowed to read and execute back-end code and initiate proxy connections. To enable this, execute:

sudo setsebool -P httpd_can_network_connect 1
sudo setsebool -P httpd_read_user_content 1

If SELinux is used, Apache also requires additional permissions to make the outbound system calls needed to sync and update the various SRP nodes it manages.

Create the first SELinux policy for this:

cd /var/tmp/
cat <<EOF > httpd_icmp.te
module httpd_icmp 1.0;
require {
        type httpd_t;
        class capability { setuid net_raw };
        class netlink_socket create;
        class rawip_socket { getopt create setopt write read };
}

#============= httpd_t ==============
allow httpd_t self:capability { setuid net_raw };
allow httpd_t self:netlink_socket create;
allow httpd_t self:rawip_socket { getopt create setopt write read };
EOF

Verify and compile the policy:

cd /var/tmp/
checkmodule -M -m -o httpd_icmp.mod httpd_icmp.te
semodule_package -o httpd_icmp.pp -m httpd_icmp.mod
semodule -i httpd_icmp.pp

Create the second required SELinux policy:

cd /var/tmp/
cat <<EOF > httpd_file.te
module httpd_file 1.0;

require {
        type httpd_t;
        type var_lib_t;
        class file write;
}

#============= httpd_t ==============

#!!!! WARNING 'httpd_t' is not allowed to write or create to var_lib_t.  Change the label to httpd_var_lib_t.
allow httpd_t var_lib_t:file write;
EOF

Compile and install the SELinux policy:

cd /var/tmp/
checkmodule -M -m -o httpd_file.mod httpd_file.te
semodule_package -o httpd_file.pp -m httpd_file.mod
semodule -i httpd_file.pp

Create the third SELinux policy:

cd /var/tmp/
cat <<EOF > httpd_unlink.te
module httpd_unlink 1.0;

require {
        type httpd_t;
        type var_lib_t;
        class file unlink;
        class dir rmdir;
}

#============= httpd_t ==============
allow httpd_t var_lib_t:file unlink;
allow httpd_t var_lib_t:dir rmdir;
EOF

Compile and install the SELinux policy:

cd /var/tmp/
checkmodule -M -m -o httpd_unlink.mod httpd_unlink.te
semodule_package -o httpd_unlink.pp -m httpd_unlink.mod
semodule -i httpd_unlink.pp

Non-Standard File Directories

If the standard directories generated under /var/lib/n2srp are not used, their replacements must be created and updated before use.

When using file-based synchronisation, the following paths are required:

mkdir -p /path/to/n2srp/resources/working
mkdir /path/to/n2srp/resources/holding
mkdir /path/to/n2srp/resources/snapshots
mkdir /path/to/n2srp/resources/undo
mkdir /path/to/n2srp/sessions
chown -R apache:apache /path/to/n2srp

When using database synchronisation, the following paths are required:

mkdir -p /path/to/n2srp/resources/working
mkdir /path/to/n2srp/resources/holding
mkdir /path/to/n2srp/sessions
chown -R apache:apache /path/to/n2srp

If SELinux is in use, the SELinux permissions must also be updated:

semanage fcontext -a -t var_lib_t "/path/to/n2srp(/.*)?"
restorecon -Rv /path/to/n2srp
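A post-installation check script covering the Default Application, SELinux and Non-Standard File Directories steps above, added here as an example and not part of the N2SIP package. It assumes the documented directory layout and the apache owner; the SELinux checks parse the output of getsebool and semodule -l and are only consulted when getenforce reports SELinux as enabled.

```shell
# Added post-installation checks for an N2SIP GUI node (example code, not part of
# the N2SIP package). Each check takes its input as arguments so it can be run
# against a non-standard directory or against captured command output.

# 0 if every directory the GUI needs exists under $1; $2 is "file" or "database".
n2srp_dirs_ok() {
    base="$1"; mode="${2:-file}"
    dirs="resources/working resources/holding sessions"
    if [ "$mode" = file ]; then dirs="$dirs resources/snapshots resources/undo"; fi
    for d in $dirs; do
        [ -d "$base/$d" ] || { echo "missing directory: $base/$d" >&2; return 1; }
    done
}

# 0 if nothing under $1 is owned by a user other than $2 (the chown -R target).
n2srp_owner_ok() {
    [ -z "$(find "$1" ! -user "$2" 2>/dev/null | head -n 1)" ]
}

# 0 if the GUI Apache config $1 already carries the site-root redirect line.
n2srp_redirect_ok() {
    grep -Eq '^[[:space:]]*RedirectMatch[[:space:]]+\^/\$[[:space:]]+/n2srp[[:space:]]*$' "$1"
}

# 0 if getsebool output ($1) shows both required booleans switched on.
n2srp_sebools_ok() {
    printf '%s\n' "$1" | grep -q '^httpd_can_network_connect --> on$' &&
    printf '%s\n' "$1" | grep -q '^httpd_read_user_content --> on$'
}

# 0 if semodule -l output ($1) lists all three custom httpd policy modules.
n2srp_semodules_ok() {
    for m in httpd_icmp httpd_file httpd_unlink; do
        printf '%s\n' "$1" | awk -v m="$m" '$1 == m { f = 1 } END { exit !f }' || return 1
    done
}

# Run everything against the live node: $1 = n2srp base dir, $2 = GUI conf, $3 = mode.
n2srp_check_all() {
    rc=0
    n2srp_dirs_ok "$1" "$3" || rc=1
    n2srp_owner_ok "$1" apache || { echo "files under $1 not owned by apache" >&2; rc=1; }
    n2srp_redirect_ok "$2" || { echo "no 'RedirectMatch ^/\$ /n2srp' in $2" >&2; rc=1; }
    if command -v getenforce >/dev/null 2>&1 && [ "$(getenforce)" != Disabled ]; then
        n2srp_sebools_ok "$(getsebool httpd_can_network_connect httpd_read_user_content)" ||
            { echo "required SELinux booleans are off" >&2; rc=1; }
        n2srp_semodules_ok "$(semodule -l)" || { echo "custom SELinux modules missing" >&2; rc=1; }
    fi
    return $rc
}
```

Source the file on the GUI node and run, for example, `n2srp_check_all /var/lib/n2srp /etc/httpd/n2srp-gui.conf file`; a non-zero exit with messages on stderr points at the step that still needs attention.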

Synchronisation

When using database synchronisation, all data required for SRP service nodes is copied to the service nodes via built-in PostgreSQL replication.

When using file-based synchronisation, the N2SRP GUI in the N2SIP package requires the ability to connect via rsync to the managed SRP servers. The exact method of doing this will differ from site to site. Assuming that passwordless SSH is used with a newly-generated key, the following steps may be used.

Note that this assumes the default library directory of /var/lib/n2srp. If this is altered as described in Non-Standard File Directories, update these instructions accordingly.

Allow Apache to connect out to external SRP servers:

mkdir /var/lib/n2srp/.ssh
chown apache:apache /var/lib/n2srp/.ssh
ln -s /var/lib/n2srp/.ssh /usr/share/httpd/

Generate SSH keys to authorize Apache across all SRP nodes:

mkdir /var/lib/n2srp/etc
cd /var/lib/n2srp/etc
ssh-keygen -t rsa -f /var/lib/n2srp/etc/primarysrp_id_rsa
chown -R apache:apache /var/lib/n2srp/etc

The generated public key must be copied to every SRP server that uses the N2SIP runtime, and each server's host key stored on the GUI node. For example:

for srp in srp1 srp2 srp3 ; do scp /var/lib/n2srp/etc/primarysrp_id_rsa.pub user@$srp:.ssh/. ; done