summaryrefslogtreecommitdiff
path: root/Installation_Guide/en-US/Preparing_the_System.xml
blob: 283bea4d00298fde30280f28e7571ceea843e989 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
<?xml version='1.0' encoding='utf-8' ?>
<!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
<!ENTITY % BOOK_ENTITIES SYSTEM "Community_Installation_Guide.ent">
%BOOK_ENTITIES;
]>
<chapter id="chap-Community_Installation_Guide-Preparing_the_System">
    <title>Preparing the System</title>
    <para>
        The installation of Kolab requires you prepare the system for installation.
    </para>
    <section id="sect-Community_Installation_Guide-Preparing_the_System-Partitioning">
        <title>Partitioning</title>
        <para>
            When installing the Kolab server, we recommend using LVM when partitioning the system. The following directories could benefit from being on separate logical volumes, leaving about 10% of raw disk space in the volume group unallocated:
        </para>
        <para>
            <itemizedlist>
                <listitem>
                    <para>
                        <filename>/var/lib/mysql/</filename>
                    </para>

                </listitem>
                <listitem>
                    <para>
                        <filename>/var/lib/imap/</filename>
                    </para>

                </listitem>
                <listitem>
                    <para>
                        <filename>/var/spool/imap/</filename>
                    </para>

                </listitem>

            </itemizedlist>

        </para>
        <important>
            <para>
                Partition and/or divide into logical volumes, configure the mount points and mount the filesystems prior to the installation of packages, as packages may deploy files into these directories.
            </para>
            <para>
                Should you decide to partition only after the packages have already been installed, or after the deployment has already been used, first mount the filesystems somewhere else and synchronize the contents over from the original directories over to the new filesystem hierarchy. Please note services should be stopped before doing so, or only corrupt data will be transfered. Remove the original contents of the filesystem after having synchronized, then mount the filesystems under their target mount points.
            </para>

        </important>
        <para>
            For large or multi-domain installations, we suggest moving <filename>/var/lib/imap/</filename> and <filename>/var/spool/imap/</filename> to <filename>/srv/imap/[<replaceable>$domain</replaceable>/]config/</filename> and <filename>/srv/imap/[<replaceable>$domain</replaceable>/]default/</filename> respectively. In allowing <filename>/srv/imap/</filename> to be one separate partition, backup using LVM snapshots is easier. Note that <replaceable>$domain</replaceable> in the aforementioned path is optional, and should only be used when multiple, but separate, isolated IMAP servers are to be started.
        </para>
        <note>
            <para>
                When partitions are mounted under the aforementioned directories, they do not necessarily have the correct filesystem permissions any longer. The following is a list of default permissions.
            </para>
            <para>
                <itemizedlist>
                    <listitem>
                        <para>
                            <literal>drwxr-xr-x. 7 mysql mysql 4096 May 11 15:34 /var/lib/mysql/</literal>
                        </para>

                    </listitem>
                    <listitem>
                        <para>
                            <literal>drwxr-x---. 20 cyrus mail 4096 May 11 17:04 /var/lib/imap/</literal>
                        </para>

                    </listitem>
                    <listitem>
                        <para>
                            <literal>drwx------. 3 cyrus mail 4096 May 11 15:36 /var/spool/imap/</literal>
                        </para>

                    </listitem>

                </itemizedlist>

            </para>

        </note>

    </section>

    <section id="sect-Community_Installation_Guide-Preparing_the_System-SELinux">
        <title>SELinux</title>
        <para>
            Not all components of Kolab Groupware are currently completely compatible with running under SELinux enforcing the targeted policy.
        </para>
        <para>
            Please consider configuring SELinux to be permissive. Please let us know what AVC denials occur so we can work on fixing the issue.
        </para>
        <important>
            <para>
                The Kolab Web Administration Panel currently depends on SELinux not enforcing the targeted policy.
            </para>

        </important>
        <para>
            To view the current mode SELinux operates in, execute the following command:
        </para>
        <para>

<screen># <userinput>sestatus</userinput></screen>

        </para>
        <para>
            To temporarily disable SELinux's enforcement of the targeted policy (without rebooting the system), issue the following command:
        </para>
        <para>

<screen># <userinput>setenforce 0</userinput></screen>

        </para>
        <para>
            To disable SELinux's enforcement of the targeted policy in a manner persistent across system restarts, edit <filename>/etc/selinux/config</filename> and set <literal>SELINUX</literal> to <literal>permissive</literal> rather than <literal>enforcing</literal>. Doing so also changes the <emphasis>Mode from config file:</emphasis> line in the output of <command>sestatus</command>.
        </para>

    </section>

    <section id="sect-Community_Installation_Guide-Preparing_the_System-System_Firewall">
        <title>System Firewall</title>
        <para>
            Kolab Groupware deliberately does not touch any firewall settings, perhaps wrongly assuming you know best. Before you continue, you should verify your firewall allows the standard ports used with Kolab Groupware. These ports include:
        </para>
        <para>
            <itemizedlist>
                <listitem>
                    <formalpara id="form-Community_Installation_Guide-System_Firewall-Port_25_tcp">
                        <title>Port 25, tcp</title>
                        <para>
                            Used to receive emails.
                        </para>

                    </formalpara>

                </listitem>
                <listitem>
                    <formalpara id="form-Community_Installation_Guide-System_Firewall-Port_80_tcp">
                        <title>Port 80, tcp</title>
                        <para>
                            Used for web interfaces.
                        </para>

                    </formalpara>

                </listitem>
                <listitem>
                    <formalpara id="form-Community_Installation_Guide-System_Firewall-Port_110_tcp">
                        <title>Port 110, tcp</title>
                        <para>
                            Used for POP.
                        </para>

                    </formalpara>

                </listitem>
                <listitem>
                    <formalpara id="form-Community_Installation_Guide-System_Firewall-Port_143_tcp">
                        <title>Port 143, tcp</title>
                        <para>
                            Used for web IMAP.
                        </para>

                    </formalpara>

                </listitem>
                <listitem>
                    <formalpara id="form-Community_Installation_Guide-System_Firewall-Port_389_tcp">
                        <title>Port 389, tcp</title>
                        <para>
                            Used for LDAP directory services.
                        </para>

                    </formalpara>

                </listitem>
                <listitem>
                    <formalpara id="form-Community_Installation_Guide-System_Firewall-Port_443_tcp">
                        <title>Port 443, tcp</title>
                        <para>
                            Used for secure web interfaces.
                        </para>

                    </formalpara>

                </listitem>
                <listitem>
                    <formalpara id="form-Community_Installation_Guide-System_Firewall-Port_465_tcp">
                        <title>Port 465, tcp</title>
                        <para>
                            Used for secure mail transmission.
                        </para>

                    </formalpara>

                </listitem>
                <listitem>
                    <formalpara id="form-Community_Installation_Guide-System_Firewall-Port_587_tcp">
                        <title>Port 587, tcp</title>
                        <para>
                            Used for secure mail submission.
                        </para>

                    </formalpara>

                </listitem>
                <listitem>
                    <formalpara id="form-Community_Installation_Guide-System_Firewall-Port_636_tcp">
                        <title>Port 636, tcp</title>
                        <para>
                            Used for secure LDAP directory services.
                        </para>

                    </formalpara>

                </listitem>
                <listitem>
                    <formalpara id="form-Community_Installation_Guide-System_Firewall-Port_993_tcp">
                        <title>Port 993, tcp</title>
                        <para>
                            Used for secure IMAP.
                        </para>

                    </formalpara>

                </listitem>
                <listitem>
                    <formalpara id="form-Community_Installation_Guide-System_Firewall-Port_995_tcp">
                        <title>Port 995, tcp</title>
                        <para>
                            Used for secure POP.
                        </para>

                    </formalpara>

                </listitem>

            </itemizedlist>

        </para>
        <para>
            Summarizing these changes into <filename>/etc/sysconfig/iptables</filename>, working off of an original, default installation of Centos 6, this file would look as follows:
        </para>
        <para>

<screen># Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 110 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 143 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 389 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 465 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 587 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 636 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 993 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 995 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT</screen>

        </para>
        <para>
            After changing <filename>/etc/sysconfig/iptables</filename>, execute a service restart:
        </para>
        <para>

<screen># <userinput>service iptables restart</userinput></screen>

        </para>

    </section>

    <section id="sect-Community_Installation_Guide-Preparing_the_System-System_Users">
        <title>System Users</title>
        <para>
            <orderedlist>
                <listitem>
                    <para>
                        No user or group with IDs 412, 413 or 414 may exist on the system prior to the installation of Kolab.
                    </para>

                </listitem>
                <listitem>
                    <para>
                        No user or group with the names <literal>kolab</literal>, <literal>kolab-n</literal> or <literal>kolab-r</literal> may exist on the system prior to the installation of Kolab.
                    </para>

                </listitem>

            </orderedlist>

        </para>

    </section>

    <section id="sect-Community_Installation_Guide-Preparing_the_System-The_System_Hostname_and_FQDN">
        <title>The System Hostname and FQDN</title>
        <para>
            The setup procedure of Kolab Groupware also requires that the Fully Qualified Domain Name (FQDN) for the system resolves back to the system. If the FQDN does not resolve back to the system itself, the Kolab Groupware server components will refer to the system by the configured or detected FQDN, but will fail to communicate with one another.
        </para>
        <para>
            Should the FQDN of the system (found with <command>hostname -f</command>) be, for example, <emphasis>kolab.example.org</emphasis>, then <emphasis>kolab.example.org</emphasis> should resolve to the IP address configured on one of the network interfaces not the loopback interface, and the IP address configured on said network interface should have a reverse DNS entry resulting in at least <emphasis>kolab.example.org</emphasis>
        </para>
        <example id="exam-Community_Installation_Guide-The_System_Hostname_and_FQDN-Example_Network_and_DNS_Configuration">
            <title>Example Network and DNS Configuration</title>
            <para>
                The following lists an example network and DNS configuration for a Kolab Groupware server.
            </para>
            <para>

<screen># <userinput>hostname -f</userinput>
kolab.example.org
# <userinput>ping -c 1 kolab.example.org</userinput>
PING kolab.example.org (192.168.122.40) 56(84) bytes of data.
64 bytes from kolab.example.org (192.168.122.40): icmp_seq=1 ttl=64 time=0.014 ms

--- kolab.example.org ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.014/0.014/0.014/0.000 ms
# <userinput>ip addr sh eth0</userinput>
2: eth0: &lt;BROADCAST,MULTICAST,UP,LOWER_UP&gt; mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 52:54:00:72:10:83 brd ff:ff:ff:ff:ff:ff
    inet 192.168.122.40/24 brd 192.168.122.255 scope global eth0
    inet6 fe80::5054:ff:fe72:1083/64 scope link
    valid_lft forever preferred_lft forever</screen>

            </para>

        </example>

    </section>

    <section id="sect-Community_Installation_Guide-Preparing_the_System-LXC_Containers">
        <title>LXC Containers</title>
        <para>
            LXC containers ("chroots on steroids") need <filename>/dev/shm/</filename> mounted read/write for user accounts.
        </para>
        <para>
            The permissions on <filename>/dev/shm/</filename> need to be as follows:
        </para>
        <para>

<screen># <userinput>ls -ld /dev/shm/</userinput>
drwxrwxrwt 2 root root        40 2012-11-20 20:34 shm</screen>

        </para>
        <para>
            To make sure the permissions are correct even after a reboot, make sure <filename>/etc/fstab</filename> contains a line similar to the following:
        </para>
        <para>

<screen>none /dev/shm tmpfs rw,nosuid,nodev,noexec 0 0</screen>

        </para>

    </section>


</chapter>