Please change the example values below to match your specific environment.
This sequence of steps to install and configure Apache 2 and HAProxy on Ubuntu was derived from a session with a customer. YMMV as always.
Generate the custom frontend and backend definitions for HAProxy, and prepare the cluster for updates to the configuration of the cluster nodes, if you have not done them already:
On a single database node per cluster:
tungsten@db1 shell> tpm generate-haproxy-for-api
tungsten@db1 shell> echo 'set policy maintenance' | cctrl
Update the cluster configuration to support the REST APIv2.
On all database nodes:
tungsten@dbN shell> vi /etc/tungsten/tungsten.ini
==> Ensure that the REST API settings have been added to the above!
tungsten@dbN shell> tpm update
tungsten@dbN shell> tapi ping
==> Create the REST API admin user if you did not do so at install time:
tungsten@dbN shell> tapi --create --create-user tungsten --create-password secret
AFTER all tpm updates have been completed, return the cluster to AUTOMATIC mode:
On a single database node per cluster:
tungsten@db1 shell> echo 'set policy automatic' | cctrl
Update the /etc/hosts file to ensure all nodes are reachable.
On the Dashboard web server host, perform the following steps:
shell> nslookup dashboard.customer.org
shell> sudo vi /etc/hosts
==> Ensure this server's hostname exists in the hosts file
==> Ensure that all database nodes exist in the hosts file
Install Apache 2 and all other needed software on the Dashboard web server:
shell# apt update
shell# apt install apache2
shell# systemctl start apache2
shell# systemctl enable apache2
shell# systemctl status apache2
shell# apache2 -V
shell# apt install php php-curl libapache2-mod-php jq socat haproxy
shell# vi /etc/php/7.4/apache2/php.ini
==> enable extension=php_curl by removing the leading semi-colon (;)
shell# systemctl restart apache2
In this example, the customer placed the Tungsten Dashboard web root directory onto an NFS mount, so we needed to create that set of directories before installing the Dashboard package:
shell# mkdir -p /nfs/tungsten/html /nfs/tungsten/etc /nfs/tungsten/logs
shell# chown -R www-data: /nfs/tungsten
shell# chmod -R ug+rw /nfs/tungsten
Create the .htpasswd file to provide Basic Authorization functionality.
shell# htpasswd -c /nfs/tungsten/etc/.htpasswd tungsten
==> enter the password (secret in this example) twice when prompted
shell# cat /nfs/tungsten/etc/.htpasswd
Install the Tungsten Dashboard software package from your home directory into the web root directory, on NFS in this case:
shell# cd
shell# tar xvzf tungsten-dashboard-1.0.15-13.tar.gz
shell# cd tungsten-dashboard-1.0.15-13
shell# cp html/config.php.sample html/config.php
shell# cp html/config.json.sample html/config.json
shell# rsync -a html/ /nfs/tungsten/html/
shell# vi /nfs/tungsten/html/config.json
==> Update the administrators entry if needed (login names must be quoted JSON strings):
"administrators": [ "tungsten" ],
==> Update the enableRBAC entry to 1:
"enableRBAC": 1,
Configure the Dashboard virtualhost in Apache2:
For example Apache 2 conf file entries, please see Section 8.2, “Example: Web Server on Amazon Linux 2”, above.
shell# less /etc/apache2/envvars
shell# less /etc/apache2/apache2.conf
shell# vi /etc/apache2/sites-enabled/000-default.conf
==> Edit the existing section to add the needed items
shell# apachectl configtest
shell# systemctl restart apache2
shell# systemctl status apache2
shell# journalctl -xe
shell# cat /var/log/apache2/error.log
Validate that the Dashboard web server host is able to reach all the nodes:
shell> for host in db1 db2 db3 db4 db5 db6; do
    # -c 1 so the loop does not block forever on the first host
    ping -c 1 $host
    #telnet $host 8090
    # double quotes so that ${host} is expanded by the shell
    /usr/bin/curl -s --insecure --user tungsten:secret "http://${host}:8090/api/v2/manager/status" | jq .
done
Configure and test HAProxy:
shell# systemctl enable haproxy
shell# systemctl start haproxy
shell# systemctl status haproxy
shell# vi /etc/haproxy/haproxy.cfg
shell# systemctl restart haproxy
shell# systemctl status haproxy
shell# socat stdio /var/run/haproxy.sock | grep -i stat
shell> telnet localhost 8201
shell> telnet localhost 8202
shell> telnet localhost 8203
shell> /usr/bin/curl -s --insecure --user tungsten:secret 'http://localhost:8201/api/v2/manager/status' | jq .
shell> /usr/bin/curl -s --insecure --user tungsten:secret 'http://localhost:8202/api/v2/manager/status' | jq .
shell> /usr/bin/curl -s --insecure --user tungsten:secret 'http://localhost:8203/api/v2/manager/status' | jq .
Add the apache user to the tungsten group:
shell> sudo usermod -a -G tungsten apache
Create the apache configuration file for the web service:
shell> sudo vim /etc/httpd/conf.d/z01-tungsten-dashboard.conf
Be sure to check the configuration and correct it until the configtest passes:
shell> sudo apachectl configtest
Select one of the examples below to populate the web server config file.
<VirtualHost *:80>
ServerName dashboard.yourdomain.com
DocumentRoot /volumes/data/www/tungsten/html
DirectoryIndex index.php
ServerAdmin dashboard.apache.admin@yourdomain.com
Header set Access-Control-Allow-Origin *
ErrorLog "| /usr/sbin/rotatelogs /volumes/data/www/tungsten/logs/errors.log 86400"
CustomLog "| /usr/sbin/rotatelogs /volumes/data/www/tungsten/logs/access.log 86400" combined
<Directory "/volumes/data/www/tungsten/html">
AllowOverride All
Options +FollowSymLinks +ExecCGI -Indexes
Order allow,deny
Allow from all
</Directory>
</VirtualHost>

<VirtualHost *:80>
ServerName dashboard.yourdomain.com
DocumentRoot /volumes/data/www/tungsten/html
DirectoryIndex index.php
ServerAdmin dashboard.apache.admin@yourdomain.com
Header set Access-Control-Allow-Origin *
ErrorLog "| /usr/sbin/rotatelogs /volumes/data/www/tungsten/logs/errors.log 86400"
CustomLog "| /usr/sbin/rotatelogs /volumes/data/www/tungsten/logs/access.log 86400" combined
<Directory "/volumes/data/www/tungsten/html">
AllowOverride All
Options +FollowSymLinks +ExecCGI -Indexes
Order allow,deny
Allow from all
AuthType Basic
AuthName "Tungsten Dashboard - RESTRICTED"
AuthUserFile /volumes/data/www/tungsten/etc/.htpasswd
Require valid-user
</Directory>
</VirtualHost>

<VirtualHost *:80>
ServerName dashboard.yourdomain.com
DocumentRoot /volumes/data/www/tungsten/html
DirectoryIndex index.php
ServerAdmin dashboard.apache.admin@yourdomain.com
ErrorLog "| /usr/sbin/rotatelogs /volumes/data/www/tungsten/logs/errors.log 86400"
CustomLog "| /usr/sbin/rotatelogs /volumes/data/www/tungsten/logs/access.log 86400" combined
<Directory "/volumes/data/www/tungsten/html">
AllowOverride All
Options +FollowSymLinks +ExecCGI -Indexes
Order allow,deny
Allow from all
Require all granted
</Directory>
</VirtualHost>

<VirtualHost *:80>
ServerName dashboard.yourdomain.com
DocumentRoot /volumes/data/www/tungsten/html
DirectoryIndex index.php
ServerAdmin dashboard.apache.admin@yourdomain.com
ErrorLog "| /usr/sbin/rotatelogs /volumes/data/www/tungsten/logs/errors.log 86400"
CustomLog "| /usr/sbin/rotatelogs /volumes/data/www/tungsten/logs/access.log 86400" combined
<Directory "/volumes/data/www/tungsten/html">
AllowOverride All
Options +FollowSymLinks +ExecCGI -Indexes
Order allow,deny
Allow from all
#Require all granted
<RequireAll>
AuthType Basic
AuthName "Tungsten Dashboard - RESTRICTED"
AuthUserFile /volumes/data/www/tungsten/etc/.htpasswd
Require valid-user
</RequireAll>
</Directory>
</VirtualHost>

shell> sudo yum install -y mod_ldap

<VirtualHost *:80>
ServerName dashboard.yourdomain.com
DocumentRoot /volumes/data/www/tungsten/html
DirectoryIndex index.php
ServerAdmin dashboard.apache.admin@yourdomain.com
ErrorLog "| /usr/sbin/rotatelogs /volumes/data/www/tungsten/logs/errors.log 86400"
CustomLog "| /usr/sbin/rotatelogs /volumes/data/www/tungsten/logs/access.log 86400" combined
<Directory "/volumes/data/www/tungsten/html">
AllowOverride All
Options +FollowSymLinks +ExecCGI -Indexes
Order allow,deny
Allow from all
#Require all granted
<RequireAll>
AuthType Basic
AuthName "Tungsten Dashboard - RESTRICTED"
AuthBasicProvider ldap
AuthLDAPURL ldap://ldap.ad.demo.com:XXX/DC=ad,DC=demo,DC=com?sAMAccountName?sub
AuthLDAPBindDN ldapuser@ad.demo.com
AuthLDAPBindPassword abcdef123456
Require ldap-group CN=DataServicesAdmins,OU=SQL,OU=Groups,OU=London,OU=NewYork,OU=United States,OU=North America,DC=ad,DC=demo,DC=com
Require valid-user
</RequireAll>
</Directory>
</VirtualHost>
Configure start-at-boot and restart the web server:
shell> sudo chkconfig httpd on
shell> sudo service httpd restart
shell> sudo service httpd status
~OR~
shell> sudo systemctl enable httpd
shell> sudo systemctl restart httpd
shell> sudo systemctl status httpd
Ensure that the WEBROOT/etc/.htpasswd file contains one or more login/password pairs using the htpasswd command. The -c option creates the file and overwrites one that already exists, so omit it when adding further logins.
shell> htpasswd -c /volumes/data/www/tungsten/etc/.htpasswd {desiredlogin}
To enable RBAC security, the $WEBROOT/html/config.json file will need to be updated with two settings: "enableRBAC": 1 and "administrators": [], for example:
{
    "clusters": {
    },
    "menus": {
    },
    "settings": {
        "administrators": [ "tungsten", "admin", "root" ],
        "enableRBAC": 1
    }
}
When RBAC is enabled (requires web server Basic Auth to be working fully), there are just two roles currently:
administrator - gives read-write access to everything to any valid login listed in the "administrators": [] option in the config file.
operator - read-only; the role given to anyone else with a valid login. There is NO explicit entry for "operators" in the config file.
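As an added illustration (not Tungsten Dashboard code) of how these two settings and the web server's Basic Auth login combine into a role, the hypothetical Python helper below parses a config.json like the one above and returns administrator or operator; the sample config is constructed to match that example.

```python
import json

# Hypothetical helper, not part of the Tungsten Dashboard code base: it loads the
# settings block of $WEBROOT/html/config.json and maps the login that the web
# server authenticated (REMOTE_USER from Basic Auth) to a Dashboard role.

# Constructed sample mirroring the example config.json above.
SAMPLE_CONFIG = """
{
  "clusters": {},
  "menus": {},
  "settings": {
    "administrators": [ "tungsten", "admin", "root" ],
    "enableRBAC": 1
  }
}
"""


def load_settings(text):
    """Parse config.json and validate the two RBAC settings.

    Rejects the mistakes that break RBAC silently: invalid JSON (for example an
    unquoted login name inside "administrators") or a non-list value.
    """
    try:
        config = json.loads(text)
    except json.JSONDecodeError as exc:
        raise ValueError(f"config.json is not valid JSON: {exc}") from exc
    settings = config.get("settings", {})
    admins = settings.get("administrators", [])
    if not isinstance(admins, list) or not all(isinstance(a, str) for a in admins):
        raise ValueError('"administrators" must be a JSON list of login names')
    return {"enableRBAC": settings.get("enableRBAC", 0), "administrators": admins}


def resolve_role(settings, remote_user):
    """Return the role for an authenticated login, or None when RBAC is disabled.

    administrator: any login listed in "administrators" (read-write)
    operator:      any other valid login (read-only); never configured explicitly
    """
    if settings["enableRBAC"] != 1:
        return None
    if not remote_user:
        # RBAC depends on Basic Auth; a request with no authenticated login is refused
        raise PermissionError("RBAC is enabled but no user was authenticated")
    return "administrator" if remote_user in settings["administrators"] else "operator"
```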
There are additional steps to take when SELinux is enabled.
To check if SELinux is enabled:
shell> getenforce
shell> sestatus
These are example extra steps to take if SELinux is enabled:
shell> sudo -i
shell> chcon -R -t httpd_sys_rw_content_t /volumes/data/www/tungsten/html
shell> chcon -R -t httpd_sys_rw_content_t /volumes/data/www/tungsten/logs
shell> semanage fcontext -a -t httpd_sys_rw_content_t "/volumes/data/www/tungsten/html(/.*)?"
shell> semanage fcontext -a -t httpd_sys_rw_content_t "/volumes/data/www/tungsten/logs(/.*)?"
shell> restorecon -Rv /volumes/data/www/tungsten/*
shell> semanage port -a -t http_port_t -p tcp 8090
shell> setsebool -P httpd_can_network_connect 1
shell> systemctl restart httpd
shell> systemctl restart php-fpm
Be sure to check the audit.log for any denied messages containing http or php.
Here are two example commands to run to help troubleshoot SELinux and httpd:
shell> ausearch -m avc -c httpd
shell> grep httpd /var/log/audit/audit.log