centos - theCruskit
https://thecruskit.com/
Ghost 0.11, Tue, 05 May 2020 10:56:02 GMT

CentOS 7 AMI on AWS has SELinux enabled
https://thecruskit.com/centos-7-ami-on-aws-has-se-linux-enabled/
Tue, 18 Nov 2014 11:55:41 GMT

Having configured a working Vagrantfile that could spin up a CentOS 7 image on Digital Ocean, install and configure Ghost + nginx (see cruskit/vagrant-ghost), it should have been a simple matter of adding the AWS Vagrant provider to get the image running on AWS as well...

It was easy enough to add the provider, and provisioning would run without errors, but nginx would return bad gateway errors whenever trying to proxy to Ghost. Checking the nodejs Ghost process, it thought it was up and running ok. Trying to access the Ghost port (2368) however, didn't play so nicely and wouldn't connect.

After a bit of troubleshooting, it turns out that the AWS CentOS 7 AMI has SELinux (Security Enhanced Linux) enabled, whereas it is disabled in the Digital Ocean image. SELinux has a preconfigured list of HTTP ports that it allows connectivity on. Port 2368 was not one of these, so it was being blocked.

(To be fair, SELinux being enabled is mentioned in the AMI notes, but I missed it...)

So, to make it work it was necessary to add 2368 to the list of allowed http ports. This can be done via semanage using:

semanage port -a -t http_port_t -p tcp 2368

(It would also have been possible to disable SELinux by editing /etc/selinux/config and setting SELINUX=disabled and then performing a reboot, but building a reboot into a vagrant provisioning sequence would be a pain, and for a prod box it would be nice to leave SELinux enabled anyway.)

Some simple commands that can help when troubleshooting an issue like this:

Find out whether SELinux is running and its status:

sestatus  

Find things that SELinux is impacting:

grep "SELinux" /var/log/messages

List the configured ports in SELinux:

semanage port -l  

produces output (filtered for http) like:

http_port_t   tcp  80, 81, 443, 488, 8008, 8009, 8443, 9000  
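The semanage commands above can be combined into an idempotent provisioning step. The following is an added example, not part of the original post: it parses `semanage port -l` output and only adds the port when it is missing. The function names, the `--apply` switch and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post). Idempotently allow a TCP port
# under an SELinux port type, e.g. from a Vagrant shell provisioner.

# port_in_type TYPE PROTO PORT
# Reads `semanage port -l` output on stdin; returns 0 if PORT is already
# listed for TYPE/PROTO, either as a single port or inside a lo-hi range.
port_in_type() {
    awk -v type="$1" -v proto="$2" -v port="$3" '
        $1 == type && $2 == proto {
            # Fields 3..NF are comma-separated ports or lo-hi ranges.
            for (i = 3; i <= NF; i++) {
                entry = $i
                sub(/,$/, "", entry)
                n = split(entry, r, "-")
                lo = r[1] + 0
                hi = (n == 2) ? r[2] + 0 : lo
                if (port + 0 >= lo && port + 0 <= hi) found = 1
            }
        }
        END { exit (found ? 0 : 1) }
    '
}

# ensure_port TYPE PROTO PORT
# Adds the port only when missing, so re-running provisioning does not fail
# on a port that was already added by an earlier run.
ensure_port() {
    if semanage port -l | port_in_type "$1" "$2" "$3"; then
        echo "$3/$2 already allowed for $1"
    else
        semanage port -a -t "$1" -p "$2" "$3"
    fi
}

# Constructed sample of `semanage port -l` output for trying the parser offline.
SAMPLE_PORTS='http_cache_port_t              tcp      8080, 8118, 8123, 10001-10010
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
http_port_t                    udp      80'

# Hypothetical switch: only change the system when asked to (run as root).
if [ "${1:-}" = "--apply" ]; then
    ensure_port http_port_t tcp 2368
fi
```

If the port is already assigned to a different SELinux type, `semanage port -a` fails and `semanage port -m` is needed instead; this script does not handle that case.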

If you want further info the following are useful:

Automatically applying updates to Centos 7
https://thecruskit.com/automatically-applying-patches-to-centos-7/
Mon, 17 Nov 2014 11:50:58 GMT

If you are like me, you probably don't log into your system every day and run yum update to check for updates to apply. There is an easy way to keep up to date, though, using yum-cron. yum-cron allows you to configure your system to periodically check for updates and automatically apply them.

Using yum-cron in CentOS 7, you also have the flexibility to specify what level of upgrades you want applied, e.g. all updates, security updates, minimal security updates, etc. For stability on your production servers you'll probably only want to go with security updates, but on dev servers, where it's not as much of an issue, just go with all.

Install with yum -y install yum-cron and then edit the file /etc/yum/yum-cron.conf to set your options. Some of the options you'll want to change (the file is well commented to indicate what options are available):

update_cmd = security  
download_updates = yes  
apply_updates = yes  

Don't forget to make sure it's started and running:

systemctl restart yum-cron  
systemctl status yum-cron  

There's a good description of how to get going with yum-cron at linuxaria with more details on the configuration options available.

Using systemd to manage Ghost & nginx on CentOS 7
https://thecruskit.com/using-systemd-to-manage-ghost-nginx-on-centos/
Mon, 17 Nov 2014 10:49:28 GMT

So, you want to be able to easily stop and start Ghost & nginx on CentOS7? (at least I did when I was setting up this blog...)

CentOS 7 uses systemd rather than the older /etc/init.d method of managing services and daemons, so it could be a little bit of a change from what you're used to (and a source of a little controversy).

systemd uses service files (unit definitions) that declaratively capture the expected behaviour of an application (eg: how to start/stop, automatic restart behaviour upon failure, etc) as its native method of configuration.

nginx comes with a systemd unit definition (see: /usr/lib/systemd/system/nginx.service), so if you've installed from the standard repos using yum, you should be able to start, stop, restart and check the status of nginx using the following (as root or via sudo):

systemctl start nginx  
systemctl stop nginx  
systemctl restart nginx  
systemctl status nginx  

If you install Ghost by using the zip file installer then you will need to provide a unit definition for Ghost so it can be managed by systemd. An example of a unit definition is below (change user, group, paths to ghost as appropriate for your installation). Create the unit definition as:

/etc/systemd/system/ghost.service

[Service]
ExecStart=/usr/bin/node /ghost/index.js  
Restart=always  
StandardOutput=syslog  
StandardError=syslog  
SyslogIdentifier=ghost  
User=ghost  
Group=ghost  
Environment=NODE_ENV=production

[Install]
WantedBy=multi-user.target  

Once you've created the ghost.service file you'll be able to manage ghost in the same way as nginx, ie:

systemctl start ghost  
systemctl stop ghost  
systemctl restart ghost  
systemctl status ghost  

Note that having Restart=always set in the unit definition means that if the node.js process running ghost dies for any reason, then systemd will automatically restart it.

For more detailed information on how to use systemd (enabling/disabling services, auditing, logging, etc), some useful references include:
