I've started this installation using a precreated template of Debian 5 (Lenny) minimal, downloaded from: download.openvz.org
I've also followed this howto from the guru at www.howtoforge.org.
Create a container based on the template just downloaded, specifying the hostname, IP address and nameserver, and give the root user a password:
vzctl create 1100 --ostemplate debian-5.0-i386-minimal --config vps.custom
vzctl set 1100 --hostname ic2.dw.lan --save
vzctl set 1100 --ipadd 192.168.0.100 --save
vzctl set 1100 --nameserver 192.168.0.22 --save
vzctl set 1100 --userpasswd root:your-root-password
This is the configuration file I've used:
nano /etc/vz/conf/1100.conf
# Configuration file generated by vzsplit for 16 VEs on HN with total amount of
# physical mem 2024 Mb, low memory 872 Mb, swap size 5938 Mb, Max threads 8000
# Resource commit level 0:
# adjusted by kokk: VMGUARPAGES, OOMGUARPAGES, PRIVVMPAGES, DISKSPACE, DISKINODES

# Primary parameters
NUMPROC="500:500"
AVNUMPROC="139:139"
NUMTCPSOCK="500:500"
NUMOTHERSOCK="500:500"
VMGUARPAGES="288M:unlimited"

# Secondary parameters
OOMGUARPAGES="288M:unlimited"
PRIVVMPAGES="512M:1024M"
KMEMSIZE="11440947:12585041"
TCPSNDBUF="1765649:3813649"
TCPRCVBUF="1765649:3813649"
OTHERSOCKBUF="882824:2930824"
DGRAMRCVBUF="882824:882824"

# Auxiliary parameters
LOCKEDPAGES="558:558"
SHMPAGES="31093:31093"
PHYSPAGES="0:unlimited"
NUMFILE="4448:4448"
NUMFLOCK="444:488"
NUMPTY="50:50"
NUMSIGINFO="1024:1024"
DCACHESIZE="2487425:2562048"
NUMIPTENT="125:125"

# Disk quota parameters
DISKSPACE="20000M:22000M"
DISKINODES="200000:220000"
QUOTATIME="0"

# CPU fair scheduler parameter (OpenVZ considers one 1 GHz PIII Intel processor
# to be approximately equivalent to 50000 CPU units)
CPUUNITS="50000"
CPUS="1"

# Host parameters
ONBOOT="yes"
VE_ROOT="/var/lib/vz/root/$VEID"
VE_PRIVATE="/var/lib/vz/private/$VEID"
OSTEMPLATE="debian-5.0-i386-minimal"
ORIGIN_SAMPLE="vps.16"
HOSTNAME="ic2.dw.lan"
IP_ADDRESS="192.168.0.100"
NAMESERVER="192.168.0.22"
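As an added sanity check (not part of this howto), the Python script below parses the barrier:limit parameters of a container config like the one above, converts the K/M/G suffixes and unsuffixed page or block counts to bytes, and flags any parameter whose barrier is above its limit, which vzcfgvalidate reports as an error. The embedded excerpt is a constructed subset of the 1100.conf shown.

```python
import re

# Constructed excerpt of the 1100.conf shown above, embedded so the parser can
# be run offline; the real file has many more parameters.
SAMPLE_CONF = """
# Primary parameters
NUMPROC="500:500"
VMGUARPAGES="288M:unlimited"
PRIVVMPAGES="512M:1024M"
NUMFLOCK="444:488"
DISKSPACE="20000M:22000M"
QUOTATIME="0"
HOSTNAME="ic2.dw.lan"
"""

SUFFIX = {"K": 1024, "M": 1024 ** 2, "G": 1024 ** 3}


def base_unit(name):
    """Bytes per unsuffixed unit: *PAGES count 4 KiB pages, DISKSPACE 1 KiB blocks."""
    if name.endswith("PAGES"):
        return 4096
    if name == "DISKSPACE":
        return 1024
    return 1


def parse_value(token, unit):
    """One side of a barrier:limit pair -> integer (bytes for sized parameters); None = unlimited."""
    if token == "unlimited":
        return None
    m = re.fullmatch(r"(\d+)([KMG]?)", token)
    if not m:
        raise ValueError("bad UBC value: %r" % token)
    number, suffix = int(m.group(1)), m.group(2)
    return number * SUFFIX[suffix] if suffix else number * unit


def parse_conf(text):
    """Return {NAME: (barrier, limit)} for every barrier:limit parameter in the file."""
    params = {}
    for line in text.splitlines():
        m = re.fullmatch(r'\s*([A-Z_]+)="([^"]*)"\s*', line)
        if not m or m.group(2).count(":") != 1:
            continue  # comments, blank lines and scalar settings such as HOSTNAME
        name, value = m.group(1), m.group(2)
        barrier, limit = (parse_value(t, base_unit(name)) for t in value.split(":"))
        params[name] = (barrier, limit)
    return params


def find_problems(params):
    """Names whose barrier exceeds the limit; vzcfgvalidate reports these as errors."""
    return sorted(name for name, (barrier, limit) in params.items()
                  if limit is not None and barrier is not None and barrier > limit)
```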
Start the container and enter as root
vzctl start 1100
vzctl enter 1100
Set the correct timezone, choosing the right value (mine is Europe/Rome):
dpkg-reconfigure tzdata
Make sure that your /etc/apt/sources.list contains the right links to the Debian repositories, like this:
nano /etc/apt/sources.list
## Debian Stable (Lenny)
deb http://ftp.it.debian.org/debian/ lenny main contrib non-free
deb-src http://ftp.it.debian.org/debian/ lenny main contrib non-free

## security updates
deb http://security.debian.org/ lenny/updates main contrib non-free
deb-src http://security.debian.org/ lenny/updates main contrib non-free

## this is to always get the newest updates for the ClamAV virus scanner, this
## project publishes releases very often, and sometimes old versions stop working
deb http://volatile.debian.org/debian-volatile lenny/volatile main contrib non-free
Update the apt package database and install updates:
apt-get update
One time I got an error related to GPG keys after adjusting /etc/apt/sources.list, so before proceeding I did this:
apt-get install debian-archive-keyring
Then I ran the update again, and the problem vanished:
apt-get update
Finally, install updates
apt-get -y upgrade
Now we install a few packages that are needed later on. Run it as one line:
apt-get install -y binutils cpp fetchmail flex gcc libarchive-zip-perl libc6-dev libcompress-zlib-perl libdb4.6-dev libpcre3 libpopt-dev lynx m4 make ncftp nmap openssl perl perl-modules unzip zip zlib1g-dev autoconf automake1.9 libtool bison autotools-dev g++ build-essential
To install BIND9 run:
apt-get install -y bind9
For security reasons we want to run BIND chrooted so we have to do the following steps:
/etc/init.d/bind9 stop
Edit the file /etc/default/bind9 so that the daemon runs as the unprivileged user bind, chrooted to /var/lib/named and listening only on IPv4 addresses.
nano /etc/default/bind9
# run resolvconf?
RESOLVCONF=yes

# startup options for the server
OPTIONS="-4 -u bind -t /var/lib/named"
Create the necessary directories under /var/lib:
mkdir -p /var/lib/named/etc
mkdir /var/lib/named/dev
mkdir -p /var/lib/named/var/cache/bind
mkdir -p /var/lib/named/var/run/bind/run
Then move the config directory from /etc to /var/lib/named/etc:
mv /etc/bind /var/lib/named/etc
Create a symlink to the new config directory from the old location, to avoid problems when BIND gets updated in the future:
ln -s /var/lib/named/etc/bind /etc/bind
Make null and random devices, and set ownership of the directories:
mknod /var/lib/named/dev/null c 1 3
mknod /var/lib/named/dev/random c 1 8
chmod 666 /var/lib/named/dev/null /var/lib/named/dev/random
chown -R bind:bind /var/lib/named/var/*
chown -R bind:bind /var/lib/named/etc/bind
Edit /etc/rsyslog.d/bind-chroot.conf adding the appropriate line so that we can still get important messages logged to the system logs:
nano /etc/rsyslog.d/bind-chroot.conf
[...]
$AddUnixListenSocket /var/lib/named/dev/log
Restart the logging daemon and BIND, then check /var/log/syslog for errors:
/etc/init.d/rsyslog restart
/etc/init.d/bind9 start
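To verify the chroot layout built in the steps above before relying on it, here is an added Python checker (my own example, not part of the howto). It assumes the default paths used above (/var/lib/named, the bind user, the /etc/bind symlink) and the device numbers given to mknod, and returns a list of problems, so an empty list means the layout matches the instructions.

```python
import os
import pwd
import stat

# Expected character devices (major, minor) as created with mknod above.
DEVICES = {"dev/null": (1, 3), "dev/random": (1, 8)}
# Directories that chown -R bind:bind must have handed to the bind user.
BIND_OWNED = ["etc/bind", "var/cache/bind", "var/run/bind/run"]


def check_chroot(root="/var/lib/named", bind_user="bind", link="/etc/bind"):
    """Return a list of problems with the BIND chroot under root; [] means it looks right."""
    problems = []
    try:
        bind_uid = pwd.getpwnam(bind_user).pw_uid
    except KeyError:
        problems.append("user %s does not exist" % bind_user)
        bind_uid = None
    for rel, (major, minor) in DEVICES.items():
        path = os.path.join(root, rel)
        try:
            st = os.stat(path)
        except FileNotFoundError:
            problems.append("missing device node %s" % path)
            continue
        if not stat.S_ISCHR(st.st_mode):
            problems.append("%s is not a character device" % path)
        elif (os.major(st.st_rdev), os.minor(st.st_rdev)) != (major, minor):
            problems.append("%s has wrong device numbers, expected %d:%d" % (path, major, minor))
        if stat.S_IMODE(st.st_mode) & 0o666 != 0o666:
            problems.append("%s is not mode 666, named may fail to open it" % path)
    for rel in BIND_OWNED:
        path = os.path.join(root, rel)
        if not os.path.isdir(path):
            problems.append("missing directory %s" % path)
        elif bind_uid is not None and os.stat(path).st_uid != bind_uid:
            problems.append("%s is not owned by %s" % (path, bind_user))
    # The old config location must be a symlink into the chroot, or package
    # upgrades will write a config that the chrooted daemon never reads.
    target = os.path.join(root, "etc/bind")
    if not os.path.islink(link):
        problems.append("%s is not a symlink into the chroot" % link)
    elif os.path.realpath(link) != os.path.realpath(target):
        problems.append("%s does not point at %s" % (link, target))
    return problems


if __name__ == "__main__":
    for problem in check_chroot() or ["chroot layout looks correct"]:
        print(problem)
```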
In order to install MySQL, we run
apt-get install -y mysql-server mysql-client libmysqlclient15-dev
You will be asked to provide a password for the MySQL user root. This password is valid for root@localhost as well as root@ic2.dw.lan, so we don't have to specify a MySQL root password manually later.
If you want MySQL to listen on all interfaces, and not just localhost, edit /etc/mysql/my.cnf and comment out the line that begins with bind-address, like this:
nano /etc/mysql/my.cnf
[...]
# Instead of skip-networking the default is now to listen only on
# localhost which is more compatible and is not less secure.
#bind-address           = 127.0.0.1
[...]
Then restart MySQL
/etc/init.d/mysql restart
To check that networking is enabled, run
netstat -tap | grep mysql
The output should look like this
root@ic2:/# netstat -tap | grep mysql
tcp        0      0 *:mysql                 *:*                     LISTEN      6612/mysqld
root@ic2:/#
In order to install Postfix with SMTP-AUTH and TLS do the following steps:
apt-get install -y postfix libsasl2-2 sasl2-bin libsasl2-modules procmail
You will be asked two questions. Answer as follows:
Then run
dpkg-reconfigure postfix
Again, you'll be asked some questions:
Next, do this:
postconf -e 'smtpd_sasl_local_domain ='
postconf -e 'smtpd_sasl_auth_enable = yes'
postconf -e 'smtpd_sasl_security_options = noanonymous'
postconf -e 'broken_sasl_auth_clients = yes'
postconf -e 'smtpd_sasl_authenticated_header = yes'
postconf -e 'smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination'
postconf -e 'inet_interfaces = all'
echo 'pwcheck_method: saslauthd' >> /etc/postfix/sasl/smtpd.conf
echo 'mech_list: plain login' >> /etc/postfix/sasl/smtpd.conf
Afterwards we create the certificates for TLS:
mkdir /etc/postfix/ssl
cd /etc/postfix/ssl/
openssl genrsa -des3 -rand /etc/hosts -out smtpd.key 1024
You need to enter a password and remember it, then:
chmod 600 smtpd.key
openssl req -new -key smtpd.key -out smtpd.csr
You need to answer the following questions
openssl x509 -req -days 3650 -in smtpd.csr -signkey smtpd.key -out smtpd.crt
openssl rsa -in smtpd.key -out smtpd.key.unencrypted
mv -f smtpd.key.unencrypted smtpd.key
openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650
Again you need to enter a password and remember it. Next we configure Postfix for TLS (make sure that you use the correct hostname for myhostname):
postconf -e 'myhostname = ic2.dw.lan'
postconf -e 'smtpd_tls_auth_only = no'
postconf -e 'smtp_use_tls = yes'
postconf -e 'smtpd_use_tls = yes'
postconf -e 'smtp_tls_note_starttls_offer = yes'
postconf -e 'smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key'
postconf -e 'smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt'
postconf -e 'smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem'
postconf -e 'smtpd_tls_loglevel = 1'
postconf -e 'smtpd_tls_received_header = yes'
postconf -e 'smtpd_tls_session_cache_timeout = 3600s'
postconf -e 'tls_random_source = dev:/dev/urandom'
The file /etc/postfix/main.cf should now look like this:
cat /etc/postfix/main.cf
# See /usr/share/postfix/main.cf.dist for a commented, more complete version

# Debian specific: Specifying a file name will cause the first
# line of that file to be used as the name. The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname

smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

readme_directory = no

# TLS parameters
smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
smtpd_use_tls = yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.

myhostname = ic2.dw.lan
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = ic2.dw.lan, localhost.dw.lan, localhost
relayhost =
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_command = procmail -a "$EXTENSION"
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = ipv4
smtpd_sasl_local_domain =
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_sasl_authenticated_header = yes
smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination
smtpd_tls_auth_only = no
smtp_use_tls = yes
smtp_tls_note_starttls_offer = yes
smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
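The settings that decide whether this server relays for strangers or accepts passwords in the clear are all in main.cf, so here is an added Python audit (my own example, not from the howto or from Postfix) that parses the file and reports on them. The embedded sample is a constructed excerpt of the main.cf above; note that, exactly as configured, the only finding is the smtpd_tls_auth_only = no line, which lets clients send AUTH credentials before STARTTLS.

```python
import re

# Constructed excerpt of the main.cf above, with smtpd_recipient_restrictions
# written over two lines the way Postfix allows (indented continuation).
SAMPLE_MAIN_CF = """\
# TLS parameters
smtpd_use_tls = yes
myhostname = ic2.dw.lan
inet_interfaces = all
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_recipient_restrictions = permit_sasl_authenticated,
    permit_mynetworks, reject_unauth_destination
smtpd_tls_auth_only = no
"""


def parse_main_cf(text):
    """Parse 'key = value' lines of main.cf; indented lines continue the previous value."""
    params, key = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and key is not None:
            params[key] += " " + raw.strip()
            continue
        m = re.match(r"^([A-Za-z0-9_]+)\s*=\s*(.*)$", raw)
        if m:
            key = m.group(1)
            params[key] = m.group(2).strip()
    return params


def split_list(value):
    """Postfix list values may be separated by commas, whitespace or both."""
    return [t for t in re.split(r"[\s,]+", value) if t]


def audit_main_cf(params):
    """Return (severity, message) findings about relay control and SASL/TLS settings."""
    findings = []
    restr = split_list(params.get("smtpd_recipient_restrictions", ""))
    stops = [r for r in restr if r in ("reject_unauth_destination", "defer_unauth_destination")]
    if not stops:
        findings.append(("high", "no reject_unauth_destination: the server relays for anyone"))
    elif "permit" in restr[: restr.index(stops[0])]:
        findings.append(("high", "'permit' precedes reject_unauth_destination: open relay"))
    if params.get("smtpd_sasl_auth_enable", "no") == "yes":
        options = split_list(params.get("smtpd_sasl_security_options", "noanonymous"))
        if "noanonymous" not in options:
            findings.append(("high", "anonymous SASL mechanisms are allowed"))
        if params.get("smtpd_tls_auth_only", "no") != "yes" and params.get("inet_interfaces", "all") == "all":
            findings.append(("medium", "smtpd_tls_auth_only = no: AUTH is accepted before STARTTLS, "
                                       "so passwords can cross the network unencrypted"))
    return findings
```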
Authentication will be done by saslauthd. We have to change a few things to make it work properly. Because Postfix runs chrooted in /var/spool/postfix we have to do the following:
mkdir -p /var/spool/postfix/var/run/saslauthd
Now we have to edit /etc/default/saslauthd in order to activate saslauthd. Set START to yes and change the line OPTIONS="-c -m /var/run/saslauthd" to OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd -r":
#
# Settings for saslauthd daemon
# Please read /usr/share/doc/sasl2-bin/README.Debian for details.
#

# Should saslauthd run automatically on startup? (default: no)
START=yes

# Description of this saslauthd instance. Recommended.
# (suggestion: SASL Authentication Daemon)
DESC="SASL Authentication Daemon"

# Short name of this saslauthd instance. Strongly recommended.
# (suggestion: saslauthd)
NAME="saslauthd"

# Which authentication mechanisms should saslauthd use? (default: pam)
#
# Available options in this Debian package:
# getpwent  -- use the getpwent() library function
# kerberos5 -- use Kerberos 5
# pam       -- use PAM
# rimap     -- use a remote IMAP server
# shadow    -- use the local shadow password file
# sasldb    -- use the local sasldb database file
# ldap      -- use LDAP (configuration is in /etc/saslauthd.conf)
#
# Only one option may be used at a time. See the saslauthd man page
# for more information.
#
# Example: MECHANISMS="pam"
MECHANISMS="pam"

# Additional options for this mechanism. (default: none)
# See the saslauthd man page for information about mech-specific options.
MECH_OPTIONS=""

# How many saslauthd processes should we run? (default: 5)
# A value of 0 will fork a new process for each connection.
THREADS=5

# Other options (default: -c -m /var/run/saslauthd)
# Note: You MUST specify the -m option or saslauthd won't run!
#
# WARNING: DO NOT SPECIFY THE -d OPTION.
# The -d option will cause saslauthd to run in the foreground instead of as
# a daemon. This will PREVENT YOUR SYSTEM FROM BOOTING PROPERLY. If you wish
# to run saslauthd in debug mode, please run it by hand to be safe.
#
# See /usr/share/doc/sasl2-bin/README.Debian for Debian-specific information.
# See the saslauthd man page and the output of 'saslauthd -h' for general
# information about these options.
#
# Example for postfix users: "-c -m /var/spool/postfix/var/run/saslauthd"
#OPTIONS="-c -m /var/run/saslauthd"
OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd -r"
Next add the postfix user to the sasl group (this makes sure that Postfix has the permission to access saslauthd):
adduser postfix sasl
Now restart Postfix and start saslauthd:
/etc/init.d/postfix restart
/etc/init.d/saslauthd start
To see if SMTP-AUTH and TLS work properly now run the following command:
telnet localhost 25
After you have established the connection to your Postfix mail server type:
ehlo localhost
If you see these 2 lines everything is fine.
250-STARTTLS
250-AUTH LOGIN PLAIN
The output on my system looks like this:
ic2:/etc/postfix/ssl# telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 ic2.dw.lan ESMTP Postfix (Debian/GNU)
ehlo localhost
250-ic2.dw.lan
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH LOGIN PLAIN
250-AUTH=LOGIN PLAIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
quit
221 2.0.0 Bye
Connection closed by foreign host.
ic2:/etc/postfix/ssl#
To return to the system's shell type
quit
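The telnet check above only eyeballs two lines. As an added example (mine, not part of the howto), the Python below parses an EHLO response like the transcript shown into its ESMTP keywords, decides whether the two expected lines are present, and, in probe(), repeats the EHLO after STARTTLS against a live server so you can see which capabilities are offered on the cleartext connection versus the encrypted one. The transcript is the one from the page; probe() assumes a reachable Postfix and does not verify the self-signed certificate.

```python
import re
import smtplib

# EHLO exchange copied from the transcript above, embedded for offline parsing.
SAMPLE_TRANSCRIPT = """\
220 ic2.dw.lan ESMTP Postfix (Debian/GNU)
ehlo localhost
250-ic2.dw.lan
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH LOGIN PLAIN
250-AUTH=LOGIN PLAIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
"""


def parse_ehlo(transcript):
    """Map each advertised ESMTP keyword to its parameters, e.g. {'AUTH': ['LOGIN', 'PLAIN']}."""
    features = {}
    lines = [l for l in transcript.splitlines() if re.match(r"^250[ -]", l)]
    for line in lines[1:]:  # lines[0] carries the server's domain, not a keyword
        keyword, _, rest = line[4:].partition(" ")
        params = rest.split()
        if "=" in keyword:  # 'AUTH=LOGIN PLAIN': legacy form enabled by broken_sasl_auth_clients
            keyword, first = keyword.split("=", 1)
            keyword, params = keyword + "=", [first] + params
        features.setdefault(keyword.upper(), []).extend(params)
    return features


def check_auth_tls(features):
    """Verdict on a cleartext EHLO: the howto expects both STARTTLS and AUTH LOGIN PLAIN."""
    mechanisms = features.get("AUTH", [])
    has_tls = "STARTTLS" in features
    return {
        "starttls": has_tls,
        "auth_mechanisms": mechanisms,
        # AUTH advertised before STARTTLS is what smtpd_tls_auth_only = no permits;
        # a client that never upgrades sends its password unencrypted.
        "cleartext_auth_possible": bool(mechanisms),
        "expected_lines_present": has_tls and {"LOGIN", "PLAIN"} <= set(mechanisms),
    }


def probe(host, port=25):
    """Live check: compare the capabilities offered before and after STARTTLS."""
    with smtplib.SMTP(host, port, timeout=10) as smtp:
        smtp.ehlo()
        before = dict(smtp.esmtp_features)  # smtplib lowercases the keywords
        smtp.starttls()                     # default context: no certificate verification
        smtp.ehlo()
        after = dict(smtp.esmtp_features)
    return {"auth_before_tls": "auth" in before, "auth_after_tls": "auth" in after}
```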
Run this to install Courier-IMAP/Courier-IMAP-SSL (for IMAPs on port 993) and Courier-POP3/Courier-POP3-SSL (for POP3s on port 995):
apt-get install -y courier-authdaemon courier-base courier-imap courier-imap-ssl courier-pop courier-pop-ssl courier-ssl gamin libgamin0 libglib2.0-0
You will be asked two questions:
During the installation, the SSL certificates for IMAP-SSL and POP3-SSL are created with the hostname localhost. To change this to the correct hostname (ic2.dw.lan in this tutorial), delete the certificates…
cd /etc/courier
rm -f /etc/courier/imapd.pem
rm -f /etc/courier/pop3d.pem
… and modify the following two files; replace CN=localhost with CN=ic2.dw.lan (you can also modify the other values, if necessary):
vi /etc/courier/imapd.cnf
[...]
CN=ic2.dw.lan
[...]
vi /etc/courier/pop3d.cnf
[...]
CN=ic2.dw.lan
[...]
Then recreate the certificates and restart Courier-IMAP-SSL and Courier-POP3-SSL:
mkimapdcert
mkpop3dcert
/etc/init.d/courier-imap-ssl restart
/etc/init.d/courier-pop-ssl restart
Now we install Apache as follows:
apt-get -y install apache2 apache2-doc apache2-mpm-prefork apache2-utils apache2-suexec libexpat1 ssl-cert
Next install PHP5, Ruby, and Python (all three as Apache modules):
apt-get -y install libapache2-mod-php5 libapache2-mod-ruby libapache2-mod-python php5 php5-common php5-curl php5-dev php5-gd php5-idn php-pear php5-imagick php5-imap php5-mcrypt php5-memcache php5-mhash php5-ming php5-mysql php5-pspell php5-recode php5-snmp php5-sqlite php5-suhosin php5-tidy php5-xcache php5-xmlrpc php5-xsl
Next we edit /etc/apache2/mods-available/dir.conf and change the DirectoryIndex line:
nano /etc/apache2/mods-available/dir.conf
<IfModule mod_dir.c>
    # DirectoryIndex index.html index.cgi index.pl index.php index.xhtml index.htm
    DirectoryIndex index.php index.html index.htm index.cgi
</IfModule>
Now we have to enable some Apache modules (SSL, rewrite, suexec, and include):
a2enmod ssl
a2enmod rewrite
a2enmod suexec
a2enmod include
We have to fix a small problem with Ruby. If you install ISPConfig and enable Ruby for a web site, .rbx files will be executed fine and displayed in the browser, but this does not work for .rb files: you will be prompted to download the .rb file. The same happens if you configure Ruby manually for a vhost (i.e., it has nothing to do with ISPConfig). To fix this, we open /etc/mime.types and comment out the application/x-ruby line:
nano /etc/mime.types
[...]
#application/x-ruby                             rb
[...]
Now .rb files will be executed and displayed in the browser, just like .rbx files. Next we are going to disable PHP. Ruby and Python are disabled by default, so for them we don't have to do anything. In ISPConfig you will configure PHP on a per-website basis, i.e. you can specify which website can run PHP scripts and which one cannot. This can only work if PHP is disabled globally, because otherwise all websites would be able to run PHP scripts, no matter what you specify in ISPConfig.
To disable PHP globally, we edit /etc/mime.types and comment out the application/x-httpd-php lines:
nano /etc/mime.types
[...]
#application/x-httpd-php                        phtml pht php
#application/x-httpd-php-source                 phps
#application/x-httpd-php3                       php3
#application/x-httpd-php3-preprocessed          php3p
#application/x-httpd-php4                       php4
[...]
Edit /etc/apache2/mods-enabled/php5.conf and comment out the following lines:
nano /etc/apache2/mods-enabled/php5.conf
<IfModule mod_php5.c>
#  AddType application/x-httpd-php .php .phtml .php3
#  AddType application/x-httpd-php-source .phps
</IfModule>
Then restart Apache:
/etc/init.d/apache2 restart
A note on Suhosin
So that you don't spend 14 hours confused and frustrated like me, be sure that you are NOT submitting forms with lots of data (e.g. 100 form items–yes, I know they're huge by design) when using this setup. Suhosin won't allow that, and submits may FAIL SILENTLY.
After playing with the standard php.ini POST settings for WAY too long, /var/log/apache2/error.log was the clue that solved this problem:
ALERT - configured POST variable limit exceeded - dropped variable 'field_agreement[0][value]' (attacker '192.168.10.13', file '/var/www/drupal/index.php'), referer: https://server.mycompany.com/node/add/agreement
The solution is simple, set these values:
nano /etc/php5/conf.d/suhosin.ini
[...]
suhosin.post.max_vars = 1000
suhosin.request.max_vars = 1000
[...]
In order to install Proftpd, run:
apt-get -y install proftpd ucf
You will be asked a question:
For security reasons add the following lines to /etc/proftpd/proftpd.conf (thanks to Reinaldo Carvalho; more information can be found here: http://proftpd.org/localsite/Userguide/linked/userguide.html):
nano /etc/proftpd/proftpd.conf
[...]
DefaultRoot ~
IdentLookups off
ServerIdent on "FTP Server ready."
ISPConfig expects the configuration to be in /etc/proftpd.conf instead of /etc/proftpd/proftpd.conf, therefore we create a symlink:
ln -s /etc/proftpd/proftpd.conf /etc/proftpd.conf
Then restart Proftpd:
/etc/init.d/proftpd restart
To install webalizer, just run
apt-get -y install webalizer
Then open /etc/webalizer/webalizer.conf and change the line starting with Incremental, like this:
[...]
Incremental     yes
[...]
Run
apt-get -y install libhtml-parser-perl libdb-file-lock-perl libnet-dns-perl libnetaddr-ip-perl libarchive-tar-perl
A note on SuExec
If you want to run CGI scripts under suExec, you should specify /var/www as the home directory for websites created by ISPConfig, as Debian's suExec is compiled with /var/www as Doc_Root. Run
/usr/lib/apache2/suexec -V
and the output should look like this:
root@ic2:~# /usr/lib/apache2/suexec -V
 -D AP_DOC_ROOT="/var/www"
 -D AP_GID_MIN=100
 -D AP_HTTPD_USER="www-data"
 -D AP_LOG_EXEC="/var/log/apache2/suexec.log"
 -D AP_SAFE_PATH="/usr/local/bin:/usr/bin:/bin"
 -D AP_UID_MIN=100
 -D AP_USERDIR_SUFFIX="public_html"
root@ic2:~#
Unpack the ISPConfig-archive and change to the directory install_ispconfig:
tar xvfz ISPConfig*.tar.gz
cd install_ispconfig
In this directory please check the file dist.txt and see if the values given there suit your Linux installation (they should be suitable for standard installations). If you change any values, please be sure not to change the format of the file.
Important: Be sure to have installed gcc, flex and all the other tools needed for compiling sources before you run ./setup! You also need to install the MySQL header files, which normally come in a package called mysql-devel, mysql-dev, libmysql-devel or something similar. Otherwise PHP5 will not compile, and the installation of ISPConfig stops!
Workaround to get it to work on Debian Lenny:
Go to compile_apps, unpack openssl-0.9.7m.tar.gz, edit Configure and Makefile and change all instances of "-m486" to "-mtune=i486". To repack the folder run:
tar -pczf openssl-0.9.7m.tar.gz openssl-0.9.7m
Remove the unpacked directory. Make sure you do this before running ./setup on any upgrades in the future, until this is fixed in the ./setup package.
Then start the setup-script from there:
./setup
The installer will now compile an Apache with PHP5 that will run on port 81 and is needed by the ISPConfig system itself. It will not interfere with your existing Apache installation so you can go on unworried.
When the ISPConfig Apache is built, a custom SSL certificate is built. Therefore you are asked a few questions. You can accept the default values, or you can enter new values there, this does not matter:
In step 7 (“Encrypting RSA private key of CA with a pass phrase for security [ca.key]”) and step 8 (“Encrypting RSA private key of SERVER with a pass phrase for security [server.key]”) of the certificate creation process you are asked if you want to encrypt the respective key now. Choose n there because otherwise you will always be asked for a password whenever you want to restart the ISPConfig system which means it cannot be restarted without human interaction!
If the compilation fails, the setup is stopped and all compiled files are removed. From the error message you get you should be able to see the reason for the failure (in most cases a package, like the MySQL header files, is missing). Try to solve the problem and then re-run ./setup.