Moving from CentOS7 on bare metal to CentOS8 on AWS EC2: Setup Notes

Date: 2020-08-07

AMI: CentOS 8 Minimal (CentOS 8.2.2004) from https://aws.amazon.com

Security Updates

NNTP

EC2 Instance size:

* t3a.nano with 8gb turned out extremely slow, unusable; note 'a' means 'amd'

* with 20gb turned out responsive, usable; Intel SkyLake chip. Cost $55/yr in us-east-1

NNTP is essentially a free messaging system suitable for public content such as technical support.

Reference: Compile and Install Wendzelnntpd

Documentation: PDF



After Make and Make Install, stop the old server and use 7Zip to archive everything in /var/spool/news/wendzelnntpd. Use s3cmd to transfer that archive to an S3 bucket. Then use curl to download the archive to the new server, and extract all files to the same folder.

nntp source: cd /usr/lib64/WendzelNNTPd-OSE/src

nntp config: sudo vi /usr/local/etc/wendzelnntpd.conf

nntp database: /var/spool/news/wendzelnntpd



Make sure that the wendzelnntpd.conf has a listen command for the private network ip of the EC2 instance.



Open port 119 in the AWS Security Group when you want the public to see your newsgroup server.







To run the NNTP server

cd /usr/lib64/WendzelNNTPd-OSE/bin

sudo ./wendzelnntpd -d &

To stop the NNTP server

sudo pkill wendzelnntpd

7Zip

Reference: create-7z-file-from-folder-recursively-in-linux

sudo yum install p7zip

7z a myfolder.7z myfolder/

sudo 7z x myfolder.7z

NB: x means extract and preserve folder structure

S3CMD syntax

sudo yum install s3cmd

sudo s3cmd --configure

s3cmd put nntparchive.7z --config=/root/.s3cfg --preserve --multipart-chunk-size=5 s3://mybucket/abc/2020/

Remember to mark the file public temporarily so you can download it.

s3cmd put /etc/httpd/conf/httpd.conf --config=/root/.s3cfg --preserve --multipart-chunk-size=5 s3://mybucket/abc/2020/

s3cmd put /etc/httpd/conf.d/subversion.conf --config=/root/.s3cfg --preserve --multipart-chunk-size=5 s3://mybucket/abc/2020/

cd /etc/httpd/conf.d

sudo s3cmd get s3://mybucket/abc/2020/subversion.conf --config=/root/.s3cfg --preserve --multipart-chunk-size=5

cd /etc/httpd/conf

sudo mv httpd.conf httpd.original.conf

sudo s3cmd get s3://mybucket/abc/2020/httpd.conf --config=/root/.s3cfg --preserve --multipart-chunk-size=5

CURL syntax

curl https://mybucket.../abc/2020/nntparchive.7z -o nntparchive.7z





Subversion "SVN" server install

Reference: subversion-svn-on-centos-8

This installs apache http server plus everything you need to host a subversion server.

sudo dnf install subversion mod_dav_svn

sudo vi /etc/httpd/conf.d/subversion.conf

sudo vi /etc/httpd/conf/httpd.conf

See also https://wiki.centos.org/HowTos/Subversion





svn config files are in /etc/svn-acl* and /etc/svn-auth*





In order to migrate my existing subversion files from CentOS7 to CentOS8, I used 7Zip to archive them on the original server, uploaded to S3 using s3cmd, then downloaded to the new server and extracted (same as done for nntp above). That worked. I did not need to use svnadmin to dump and restore the subversion repositories. I just copied the files into the same directory locations and it all worked immediately. I did not need to redefine my users and passwords. They kept working.

SVN over HTTPS

Reference: let-s-encrypt-on-centos-8

Follow those instructions to install and run certbot, then test.

On my system, the default self-signed certificate remained active, seemingly due to excess configuration in ssl.conf. It will be obvious if you have this problem because when you test your domain in a browser, you will have a certificate error about a self-signed root certificate being used. You can further verify using grep.

grep -r "IfModule mod_ssl" /etc/httpd

grep -r "SSLCertificateFile" /etc/httpd

grep -r "443" /etc/httpd

The problem turned out to be that the _default_:443 was taking over. Changing _default_ to a specific domain not needed by the public worked for me.

sudo vi /etc/httpd/conf.d/ssl.conf

Doubtless there is a way to make the LetsEncrypt conf be more important than the default (!!), but that is beyond my knowledge of apache conf.
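
The three greps above folded into one report, as an added example that is not part of the original notes: for every port-443 VirtualHost it prints the file, address, ServerName and SSLCertificateFile, and flags any block that still points at the self-signed default. The sample tree is constructed; svn.example.com and the localhost.crt path (the usual CentOS mod_ssl default) are assumptions. On the server you would pass /etc/httpd.

```shell
#!/usr/bin/env bash
# Added example: show which certificate each :443 VirtualHost serves.

list_tls_vhosts() {
    # $1 = config root (on the server: /etc/httpd). Output: file|address|ServerName|cert
    find "$1" -type f -name '*.conf' | sort | while read -r f; do
        awk -v file="$f" '
            { sub(/^[ \t]+/, "") }                    # drop indentation
            /^#/ { next }                             # skip commented-out lines
            tolower($1) == "<virtualhost" && /:443>/ {
                invh = 1; addr = $2; sub(/>$/, "", addr)
                name = "-"; cert = "-"; next
            }
            invh && tolower($1) == "servername"         { name = $2 }
            invh && tolower($1) == "sslcertificatefile" { cert = $2 }
            invh && tolower($1) == "</virtualhost>" {
                print file "|" addr "|" name "|" cert; invh = 0
            }
        ' "$f"
    done
}

flag_default_cert() {
    # Assumption: the self-signed default is /etc/pki/tls/certs/localhost.crt
    list_tls_vhosts "$1" |
        awk -F'|' '$4 ~ /localhost\.crt$/ { print $1 ": " $2 " still serves " $4 }'
}

make_sample_tree() {
    # Constructed sample files, not the author's real configuration
    d=$(mktemp -d); mkdir -p "$d/conf.d"
    printf '%s\n' '<VirtualHost _default_:443>' \
        '  SSLCertificateFile /etc/pki/tls/certs/localhost.crt' \
        '</VirtualHost>' > "$d/conf.d/ssl.conf"
    printf '%s\n' '<VirtualHost *:443>' \
        '  ServerName svn.example.com' \
        '  SSLCertificateFile /etc/letsencrypt/live/svn.example.com/fullchain.pem' \
        '</VirtualHost>' > "$d/conf.d/svn-le-ssl.conf"
    echo "$d"
}

sample=$(make_sample_tree)
list_tls_vhosts "$sample"      # one line per :443 vhost
flag_default_cert "$sample"    # only the vhost with the self-signed cert
rm -rf "$sample"
```

A vhost with "-" in the ServerName column has no ServerName of its own, which is the case for the stock ssl.conf block in this sample.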





CentOS Firewall

The AMI did not include the standard firewall daemon. You can rely on the EC2 Security Group or install firewalld.



Reference: using-firewalld-on-centos-8



sudo firewall-cmd --zone=public --add-service=http --permanent

sudo firewall-cmd --zone=public --add-service=https --permanent

sudo firewall-cmd --zone=public --add-port=119/tcp --permanent

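sudo firewall-cmd --reload

NB: rules added with --permanent take effect only after --reload. Do not run --runtime-to-permanent before the reload; it overwrites the permanent configuration with the runtime one and discards the rules just added.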

sudo firewall-cmd --zone=public --list-services

sudo firewall-cmd --zone=public --list-ports

Drawing thanks to Carol VanHook