Research Computing Configuration

From edegan.com
Revision as of 17:33, 13 September 2020 by Ed (talk | contribs) (→‎Wordpress Redux)
Jump to navigation Jump to search

Both machines

Fan Control

Unless you want to go insane from the sound of fans cycling full on and off, you'll want to fix the IPMI fan settings. These are stored in the BIOS but not accessible through the BIOS screens. Instead, you should connect to the boxes by BMC over the network. The BMC IPv4 address is displayed during POST.

To read all about IPMI, see https://www.supermicro.com/products/nfo/IPMI.cfm I also found these helpful:

Note the that default BMC username and password is ADMIN and ADMIN. You can download the SMCIPMITool (2.21.0_build.181029) and do the following, though I couldn't work out how to send manual configuration instructions using it:

.\SMCIPMITool.exe 192.168.2.80 ADMIN ADMIN ipmi fan
.\SMCIPMITool.exe 192.168.2.80 ADMIN ADMIN ipmi fan 0

The trick is to change the thresholds for the fans, especially the lower threshold. On a linux box:

sudo apt-get install ipmitool
  1. Reset the BMC if you've screwed it up (or if your fans are full on all the time)
  2. Check that the current mode is optimal (2)
  3. Take a look at the sensor multiple times to see that the fan is hitting the constraint (run multiple times to coincide with different sound levels)
  4. Reset the lower thresholds on the fans
  5. Enjoy a perfectly reasonable fan speed that doesn't fluctuate unduly
ipmitool -I lan -U ADMIN -P ADMIN -H 192.168.2.80 raw 0x3c 0x40
ipmitool -I lan -U ADMIN -P ADMIN -H 192.168.2.80 raw 0x30 0x45 0x00
ipmitool -I lan -U ADMIN -P ADMIN -H 192.168.2.80 sensor
ipmitool -I lan -U ADMIN -P ADMIN -H 192.168.2.80 sensor thresh FAN3 lower 120 220 320

Note that the thresholds are derived from -20% off 400 (min as per Noctua spec), then same -100, then same -200.

For the ARCTIC F8 PWM, the min is something like 250 at 5v (see https://www.arctic.ac/us_en/arctic-f8-pwm.html). I therefore used 100, 150, 200, which seemed to stabilize the fans nicely at a 300rpm idle on one box and 400rpm on the other.

Note that the BMC IP for mother often turns up on 192.168.2.70. You can see the IP address of the localhost by running:

ipmitool lan print

Bios Settings

Because we want the NVMe drives to be bootable, we need to use (U)EFI for both machines:

  • Change CPU1 Slot 1 and 2 to EFI (from Legacy)
  • Change Onboard Video OPROM to EFi (from Legacy)
  • LAN device to EFI
  • Boot to EFI
  • Priority to onboard: auto
  • Boot install order CD above drive above Shell

This ultimately seems to be a problem for unsigned Nvidia drivers in Linux, which make putting a GPU into the dbase server box a major issue. I tried disabling validation and adding a key to secure boot (not sure that it happened) but nothing I could do would fix the resulting driver issue.

mokutil --disable-validation
sudo update-secureboot-policy --new-key
sudo update-secureboot-policy --enroll-key

RDP Server

The RDP server runs Windows 2019 Server. It installs directly off the media on to the NVMe drive. Don't worry about the RAID array during the installation, we do that later.

After installation:

  • Set computer name
  • Storage Pool
    • RAID 1 - Mirroring
  • Active Directory Controller
  • Remote Desktop Connection
    • RD Connection Broker
    • RD Licensing
    • RD Session Host
    • RD Vizualization Host

Change password complexity requirements: https://blog.tiga.tech/disable-the-password-complexity-for-active-directory-on-a-domain-controller/

Update

The GPU was removed from the RDP and the chipset drivers from Supermicro were installed (files are in E:/installs/drivers). This addressed all the device issues.

The following software was uninstalled:

  • CUDA Development 10.1
  • CUDA Documentation 10.1
  • CUDA Samples 10.1
  • CUDA Visual Studio Integration 10.1
  • NVIDIA GeForce Experience 3.18.0.94
  • NVIDIA Graphics Driver 419.67
  • NVIDIA HD Audio Diver 1.3.38.13
  • NVIDIA Nsight Compute v2019.1
  • NVIDIA Nsight Systems v2018.3.3
  • NVIDIA Nsight Visual Studio Edition
  • NVIDIA PhysX System Software 9.12.0218
  • NVIDIA Toos Extension SDK
  • NVIDIA USBC Driver 1.1.27.831

Dbase Server

The dbase server runs Ubuntu 18.04. You can mostly follow the instructions at https://www.pugetsystems.com/labs/hpc/The-Best-Way-To-Install-Ubuntu-18-04-with-NVIDIA-Drivers-and-any-Desktop-Flavor-1178/

It is important to use the alternative installation iso, not the default cloud based one. However, you can set up the partitions using the standard live CD, which is more user friendly for partitioning.

Partitioning

Partition as:

  • 400G NVMe as ext4 and / (create new using whole drive, automatically sets aside 512m for /boot/efi)
  • 1.2T as ext4 and /data (do it manually)
  • RAID 10 for HDDs, all active then format at ext4 and mount at /bulk (DO NOT PARTITION! Just set up the software RAID and format.)

Standard Packages

Install the following straight from the media:

  • LAMP Server
  • Mail Server
    • Postfix - Internet Site
    • MailName: mother.edegan.com
  • PostgreSQL
  • Samba
  • OpenSSH

Then:

sudo apt-get install tasksel
tasksel
 -> Ubuntu Desktop

A useful apt cheatsheet is: https://www.acpsd.net/site/handlers/filedownload.ashx?moduleinstanceid=53976&dataid=56016&FileName=Ubuntu%20Cheat%20Sheet.pdf

Get the system up to date:

apt-get update
apt-get upgrade

Samba

This guide is helpful: https://linuxconfig.org/how-to-configure-samba-server-share-on-ubuntu-18-04-bionic-beaver-linux

Check samba is running

samba --version

Then fix the conf file:

cp /etc/samba/smb.conf /etc/samba/smb.conf.bak
vi /etc/samba/smb.conf
	workgroup=mothergroup
 	usershare allow guests = no
	;comment [printers] and [print$]
    
	[bulk]
	comment = Bulk RAID Array
	path = /bulk
	browseable = yes
	create mask= 0775
	directory mask = 0775
	read only = no
	guest ok = no

Test the parameters, change the permissions and ownership:

testparm /etc/samba/smb.conf
chmod 770 /bulk
groupadd smbusers
chown :smbusers /bulk

Now add the researcher account, and add it to the samba share

groupadd -g 1001 researcher
useradd -g researcher -G smbusers -s /bin/bash -p 1234 -d /home/researcher -m 
researcher
passwd researcher
	hint: littleamount
smbpasswd -a researcher

Finally restart samba:

systemctl restart smbd
systemctl restart nmbd

Check it works:

smbclient -L localhost
(no root password)

And add users to the samba group:

useradd ed smbusers

PostgreSQL

This guide is helpful: https://linuxconfig.org/install-postgresql-on-ubuntu-18-04-bionic-beaver

Test it!

psql --help
ss -nlt
	postgres is listening on 543

Back up the config file and try a manual launch:

cp /etc/postgresql/10/main/postgresql.conf /etc/postgresql/10/main/postgresql.conf.bak
mkdir /data/postgres
chown postgres:postgres postgres
su postgres
cd /usr/lib/postgresql/10/bin
./initdb -D /data/postgres

Now, tune the database server. See https://www.postgresql.org/docs/10/runtime-config-resource.html and https://wiki.postgresql.org/wiki/Tuning_Your_PostgreSQL_Server

vi /etc/postgresql/10/main/postgresql.conf
 data_directory = '/data/postgres' #custom 1.2Tb NVME SSD
 listen_addresses = '*'
 max_connections = 10
 shared_buffers = 128GB 
 huge_pages = try                        # on, off, or try
 temp_buffers = 8GB                      # min 800kB
 work_mem = 4GB                          # min 64kB
 maintenance_work_mem = 64GB             # min 1MB
 max_stack_depth = 6MB
 max_wal_senders = 5   #MUST SET THIS TO BE LESS THAN max_connections
 effective_cache_size = 384GB

Now fix the hba.conf file for access rights:

cp /etc/postgresql/10/main/pg_hba.conf /etc/postgresql/10/main/pg_hba.conf.bak
vi /etc/postgresql/10/main/pg_hba.conf

change
 local all all peer
to 
 local all all trust
Don't do this bit for now:
	 local   all             postgres                   peer 
	 local   all             postgres                   md5

And restart!

service postgresql restart
ss -nlt

If postgres isn't listening then it didn't start despite the message at

service postgresql status

Then we note that Postgres bins are in in:

cd /usr/lib/postgresql/10/bin

Check:

cat /etc/init.d/postgresql
cat /usr/share/postgresql-common/init.d-functions

To diagnose error do manual start as postgres from /usr/lib/postgresql/10/bin:

pg_ctl -w -D /data/postgres -o '--config-file=/etc/postgresql/10/main/postgresql.conf.new' start

To check it is working:

ss -nlt
psql postgres
SHOW data_directory;
SHOW work_mem;

When it is all ok, you can go back to using

service postgresql restart
(it should take a few secs)

Make the researcher user!

createuser --interactive researcher

Add Extensions

Finally, add some extentions

apt-get install postgresql-plperl-10
apt-get install postgresql-plpython-10
apt-get install postgresql-10-plr
apt-get install postgresql-10-postgis-2.4 
apt-get install postgresql-10-postgis-scripts
apt-get install postgis
apt-get install postgis-gui

As postgres:

psql template1
CREATE EXTENSION plr;
CREATE EXTENSION plperl;
CREATE EXTENSION plpythonu

Mediawiki

We had a back off of an old MySQL mediawiki dbase and the contents of the mediawiki directory, and we wanted to restore the old wiki. This is what we did.

Restore the old dbase:

cd /bulk/mcnair/Web/mysqldump 
 dbase is mcnair
mysql -h localhost < web_mysqldump_backup_Fri_Aug_24_15_35_47_2018.sql

Connect to MySQL and check what we have:

mysql
connect
show databases;
use mcnair;
show tables;

If you need to: systemctl stop mysql systemctl start mysql

Get the old install:

cd home/home/mcnair/Downloads/
tar -xvzf mediawiki-1.26.2.tar.gz 

Add php-xml

apt-get install php-xml
apachectl restart

We then had to fix the passwords in the dbase:

#Note: change passwords from hints before running
mysql
SELECT User, Host, Password FROM mysql.user;
UPDATE mysql.user SET Password = PASSWORD('tsn') WHERE User = 'root';
UPDATE mysql.user SET Password = PASSWORD('tsn') WHERE User = 'debian-sys-maint';
UPDATE mysql.user SET Password = PASSWORD('tsn') WHERE User = 'mcnair_wp';
FLUSH PRIVILEGES;

At this point, the basics are working, so go to http://192.168.2.92/mediawiki/mw-config/index.php and fill it out as per the old instructions (see Test Web Server Documentation and Web Server Documentation

Now overwrite LocalSettings.php with the old configuration:

cd /home/ed/Downloads/
mv LocalSettings.php /var/www/html/mediawiki/

Fix the requirements for mediawiki

apt-get install php-xml
apachectl restart

Allow short URLS, so enable mod-rewrite (if not already enabled)

a2enmod rewrite
systemctl restart apache2

Now fix the apache conf file

cp /etc/apache2/sites-available/000-default.conf /etc/apache2/sites-available/000-default.conf.bak
vi /etc/apache2/sites-available/000-default.conf 
       Alias /wiki /var/www/html/mediawiki/index.php
       #Enable the rewrite engine
       RewriteEngine On
       #Rewrite / to Main Page
       RewriteRule ^/*$ %{DOCUMENT_ROOT}/mediawiki/index.php [L]
service restart apache2

Now create phpinfo page for debugging

cd /var/www/html
vi phpinfo.php
	<?php echo phpinfo(); ?>
	#Browse to 192.168.2.92/phpinfo.php
	Shows Phar is installed and running
	Shows log is /var/log/apache2 

Check pcntl is enabled

php --ri pcntl
#Note that some pcntl functions are listed as disabled in phpinfo.php
dpkg -s snmp
apt-get install snmp

The Big Try

The process is as follows:

  1. Move the contents of /var/lib/mediawiki to somewhere else
  2. Move the contents of /bulk/mcnair/Web/www/var/www/html/mediawiki in
  3. Drop databases
  4. Restore databases
  5. Pray

Or more specifically:

mv /var/lib/mediawiki/ /var/lib/firstmediawikitry
mkdir /var/lib/mediawiki
cp -r /bulk/mcnair/Web/www/var/www/html/mediawiki /var/lib/
#Change password for dbase in LocalSettings.php
mysql -p
DROP DATABASE mcnair;
DROP DATABASE wordpress;
cd /bulk/mcnair/Web/mysqldump 
mysql -p -h localhost < web_mysqldump_backup_Fri_Aug_24_15_35_47_2018.sql
apachectl restart

When we did this, we got a blank page! Don't panic.

cd /var/log/apache2
cat error.log
apt-get install php7.2-mbstring
apachectl restart

Fix LocalSettings.conf again

change domain name, contact detail, etc.
Need to fix mail...
Also left GoogleAnalytics extension loaded for now...
Change enable_semantics IP address

Fix the Infoboxes:

chmod a+x /var/libr/mediawiki/extensions/Scribuntu...
chcon -t httpd_sys_script_exec_t /var/lib/mediawiki/Scribuntu...
mv /etc/apache2/sites-available/000-default.conf /etc/apache2/sites-available/000-default.conf.new
mv /etc/apache2/sites-available/000-default.conf.bak /etc/apache2/sites-available/000-default.conf
apachectl restart
mv /etc/apache2/sites-available/000-default.conf.new /etc/apache2/sites-available/000-default.conf
apachectl restart

We were left with a problem were the page would never finish loading. This turned out to be a problem with the fonts in the Vector skin, which we had previously customized. We tried to fix the problem in the dbase as below but to no avail.

SELECT * FROM externallinks WHERE el_id=2599;
UPDATE externallinks SET el_to = 'http://192.178.2.92/mediawiki/resources/assets/fonts/OpenSans-Regular.ttf' WHERE el_id = 2720;
UPDATE externallinks SET el_index = 'http://192.178.2.92/mediawiki/resources/assets/fonts/OpenSans-Regular.ttf' WHERE el_id = 2720;
UPDATE externallinks SET el_to = 'http://192.178.2.92/mediawiki/resources/assets/fonts/OpenSans-Italic.ttf' WHERE el_id = 2721;
UPDATE externallinks SET el_index = 'http://192.178.2.92/mediawiki/resources/assets/fonts/OpenSans-Italic.ttf WHERE el_id = 2721;
UPDATE externallinks SET el_to = 'http://192.178.2.92/mediawiki/resources/assets/fonts/OpenSans-Bold.ttf ' WHERE el_id = 2722;
UPDATE externallinks SET el_index = 'http://192.178.2.92/mediawiki/resources/assets/fonts/OpenSans-Bold.ttf ' WHERE el_id = 2722;
UPDATE externallinks SET el_to = 'http://192.178.2.92/mediawiki/resources/assets/fonts/OpenSans-BoldItalic.ttf WHERE el_id = 2723;
UPDATE externallinks SET el_index = '192.178.2.92/mediawiki/resources/assets/fonts/OpenSans-BoldItalic.ttf' WHERE el_id = 2723;
UPDATE externallinks SET el_to = 'http://192.178.2.92/mediawiki/resources/assets/fonts/BonvenoCF-Light.otf' WHERE el_id = 2724;
UPDATE externallinks SET el_index = 'http://192.178.2.92/mediawiki/resources/assets/fonts/BonvenoCF-Light.otf' WHERE el_id = 2724;
UPDATE externallinks SET el_to = 'http://192.178.2.92/mediawiki/resources/assets/fonts/franklin-gothic-book.ttf' WHERE el_id = 2739;
UPDATE externallinks SET el_index = 'http://192.178.2.92/mediawiki/resources/assets/fonts/franklin-gothic-book.ttf' WHERE el_id = 2739;
UPDATE externallinks SET el_to = 'http://192.178.2.92/wiki/Carried_Interest_Debate' WHERE el_id = 2599;
UPDATE externallinks SET el_index = 'http://192.178.2.92/wiki/Carried_Interest_Debate' WHERE el_id = 2599;

What did work was:

cd /var/www/html/mediawiki/skins
diff -r Vector VectorBackup
cp -r Vector/ VectorFromMcNair
vi /skins/Vector/variables.less

replace all font-family statements with "Linux Libertine", Georgia, Times, sans-serif, serif;

When I rebooted the MySQL database was inaccessible for reasons unknown... I followed this page: https://www.howtoforge.com/setting-changing-resetting-mysql-root-passwords

service mysql stop
mysqld_safe --skip-grant-tables &
mkdir -p /var/run/mysqld
chown mysql:mysql /var/run/mysqld
mysqld_safe --skip-grant-tables &

And then all was good!

Confirm Account

We had some issues with some of the extensions, particularly confirm account. To debug the wiki add this line to LocalSettings.php

$wgShowExceptionDetails = true;

Fix the confirm account, see https://www.mediawiki.org/wiki/Extension:ConfirmAccount#Minimal_settings and add lines to LocalSettings.conf.

apt-get install php7.2-dev 
apt-get install php-pear
pear
pear -version
pear config-get php_dir
	/usr/share/php
phpinfo returns:
	/etc/php/7.2/apache2/php.ini 

Then make check_pear.php as per http://pear.php.net/manual/en/installation.checking.php. It should return bool true

Finally:

php -c /etc/php/7.2/apache2/php.ini -r 'echo get_include_path()."\n";'

.:/usr/share/php

uncomment 
; UNIX: "/path1:/path2"
include_path = ".:/usr/share/php"

See https://www.mediawiki.org/wiki/Manual:$wgSMTP

Wordpress

From Test Web Server Documentation it doesn't look like we had to install anything before we installed Wordpress. The restoration plan is therefore:

  1. Restore the dbase (done already when we restored the mediawiki dbase)
  2. Copy over all of the wordpress files
  3. Create a /blog alias in apache
  4. Check the permissions and pray

So we did:

cd /bulk/mcnair/Web/www/var/www/html
cp -r ./blog/ /var/www/html/blog
cd /var/www/html/blog/

Check Apache2.conf

vi /etc/apache2/apache2.conf
 looks fine

Temporarily force some settings

vi wp-config.php
 define('WP_HOME','http://www.edegan.com/blog');
 define('WP_SITEURL','http://www.edegan.com/blog');
 define('DB_PASSWORD', 'tsn');

Make some changes to the dbase

mysql
connect wordpress;
SELECT ID, user_login, user_pass FROM wp_users;
UPDATE wp_users SET user_pass=MD5('newstrongpassword') WHERE ID = 4;
select * from wp_options where option_name='siteurl';
select * from wp_options where option_name='home';
UPDATE wp_options SET option_value='http://www.edegan.com/blog' WHERE option_name='siteurl';
UPDATE wp_options SET option_value='http://www.edegan.com/blog' WHERE option_name='home';

Now you can comment out the WP_HOME and WP_SITEURL settings in wp-config.php and change them (if you want) from the wp-admin interface: http://www.edegan.com/blog/wp-admin.

The following plugin had to be disabled:

  • Social Share WordPress Plugin - AccessPress Social Share

Finally, fix the permalink issue by setting

vi /etc/apache2/apache2.conf
 AllowOverride All

Then yay!

The whole thing needs updating, a new skin (or at least clean up), and some of the plugins don't work. But the basics are now up and running.

Updating

Go in to the wp-admin interface and hit update. It seemed to work fine!

Run the site-health.php tool: http://www.edegan.com/blog/wp-admin/site-health.php

apt-get install php7.2-gd
apt-get install php7.2-bcmath 
Get and make imagemagick -- see https://www.tutorialspoint.com/articles/how-to-install-imagemagick-on-ubuntu 
 magick -help
apachectl restart

Also, update all of the plugins and remove the one inactive plugin that was causing problems earlier.

Other Web Server

For Google Analytics we linked the domain to dredegan@gmail.com on the Google Dashboard and added the key to LocalSettings.php. See http://edutechwiki.unige.ch/en/Mediawiki_installation#Google_Analytics

We also added write permissions to the images directory for www-data

chown -R www-data images/

Nvidia

The original intention was to install a GPU into the Dbase server, as GPU compute tasks wouldn't interfere (much) with the main operation of the server. The problem seems to be a combination of an unsigned Nvidia driver, Ubuntu 18.04, UEFI, and Secureboot (or not). See https://medium.com/@nolanmudge/installing-an-nvidia-graphics-driver-with-a-ubuntu-14-04-and-up-efi-boot-52725dd6927c

Regardless here are some useful commands:

See what drivers are being used

apt-get install ubuntu-drivers-common
ubuntu-drivers devices
cat /proc/driver/nvidia/version

See the display hardware config

sudo lshw -c display
 If shows *-display UNCLAIMED and no driver associated with it
 https://askubuntu.com/questions/762254/why-do-i-get-required-key-not-available-when-install-3rd-party-kernel-modules

Just try to work out what is going on:

ubuntu-drivers devices
lsmod
lshw -c display
sudo lspci -vk
ls -l /sys/firmware/efi/ 

Try installing CUDA and its driver: https://www.pugetsystems.com/labs/hpc/How-To-Install-CUDA-10-together-with-9-2-on-Ubuntu-18-04-with-support-for-NVIDIA-20XX-Turing-GPUs-1236/ And then: https://docs.nvidia.com/cuda/cuda-installation-guide-linux/index.html#post-installation-actions And may: https://xcat-docs.readthedocs.io/en/stable/advanced/gpu/nvidia/verify_cuda_install.html

Try installing the bundled cuda toolkit

apt-get install nvidia-cuda-toolkit
apt-get install cuda-samples-7-0 -y
cd /usr/local/cuda-7.0/samples
make

Try installing the bundled nvidia driver

sudo apt install nvidia-driver-415

Purge nvidia drivers and add the experimental repo

apt-get purge nvidia*
sudo add-apt-repository ppa:graphics-drivers

Get the latest driver from Nvidia and make it

wget http://us.download.nvidia.com/XFree86/Linux-x86_64/418.43/NVIDIA-Linux-x86_64-418.43.run
apt-get install gcc
apt-get install make
sh NVIDIA-Linux-x86_64-418.43.run
cat /var/log/nvidia-installer.log

View system logs:

journalctl -xb

Remove nouveau if being used (https://help.ubuntu.com/community/BinaryDriverHowto/Nvidia)

sudo ubuntu-drivers devices
sudo apt-get --purge remove xserver-xorg-video-nouveau
nvidia-xconfig

Add a secure boot key

sudo update-secureboot-policy --new-key
sudo update-secureboot-policy --enroll-key

Disable/enable secureboot:

mokutil --disable-validation
 create 8-12 char password (same as ed's)
 Reboot and disable secureboot
mokutil --enable-validation

Other

pdftk

I installed pdftk and configured it as follows:

snap install pdftk
ln -s /snap/pdftk/current/usr/bin/pdftk /usr/bin/pdftk

Its man page (kinda) is here: https://www.pdflabs.com/docs/pdftk-man-page/

But generally you want to do use it combine files:

pdftk *.pdf cat output newfile.pdf
pdftk a.pdf b.pdf cat output newfile.pdf

If you want to reduce a file that has large images in it, then the following sometimes works:

pdf2ps 1.pdf 1.ps
ps2pdf -dPDFSETTINGS=/screen -dDownsampleColorImages=true -dColorImageResolution=144 -dColorImageDownsampleType=/Bicubic 1.ps 1.pdf

To do

Mobile Front End

It seems that the Extension:MobileFrontend isn't working properly.

Does php have mbstring support?

First check the apache version:

apache2 -v
 Server version: Apache/2.4.29 (Ubuntu)
 Server built:   2018-10-10T18:59:25

And the php version:

php -v
 PHP 7.2.17-0ubuntu0.18.04.1 (cli) (built: Apr 18 2019 14:12:38) ( NTS )
 Copyright (c) 1997-2018 The PHP Group
 Zend Engine v3.2.0, Copyright (c) 1998-2018 Zend Technologies
   with Zend OPcache v7.2.17-0ubuntu0.18.04.1, Copyright (c) 1999-2018, by Zend Technologies

Try just installing it:

apt-get install php7.2-mbstring

This failed because of an issue with dpkg. I rebooted and then:

dpkg --configure -a
apt --fix-broken install

Then it installed but threw a notice about a modified configuration file. The differences were too large to show. I kept the old file (/etc/php/7.2/apache2/php.ini) for comparison to the new one (/usr/lib/php/7.2/php.ini-production).

In the old file, uncomment the mbstring extension and exif (after it) too, then reload the config and check it worked:

service apache2 reload
php -i | grep mbstring

So everything seems fine (the extension it is listed as loaded in Special:Version), but the interface still has obvious issues.

Check the skin

From Special:Version

MediaWiki	1.26.2
PHP	7.2.24-0ubuntu0.18.04.2 (apache2handler)
MySQL	5.7.25-0ubuntu0.18.04.2
Lua	5.1.5

Vector is the only installed skin.

And it looks like my version of mediawiki is too old to support Minerva Neue

Upgrade mediawiki

Essentially, follow instructions in Manual:Upgrading:

Backup

I just moved everything to a different directory, backed off the dbase, and started again.

cd /var/lib
mv mediawiki mediawikibackup26082020
mysqldump --user=root --password=password  > dbase.sql

New Install

Get a new version, put it in /var/lib/mediawiki (leaving the old shortcuts pointing there), then copy in the files.

wget https://releases.wikimedia.org/mediawiki/1.34/mediawiki-1.34.2.tar.gz
tar -xvzf mediawiki-1.34.2.tar.gz 
mv mediawiki-1.34.2 mediawiki
rm mediawiki-1.34.2.tar.gz
cp mediawiki26082020/LocalSettings.php mediawiki/LocalSettings.php
cp -a mediawiki26082020/images/ mediawiki/
  Note: you don't need to change permissions because we used -a. This also copied the .htaccess file. Everything should be ok...
cp /var/lib/mediawiki26082020/resources/assets/EdEganDotCotWikiGreenTab.png /var/lib/mediawiki/resources/assets/
 Note: that's my wiki logo
cp /var/lib/mediawiki26082020/favicon.ico /var/lib/mediawiki/favicon.ico
 Note: that the favicon!
cd /var/lib/mediawiki/maintenance/
php update.php

Retrieve and configure extensions

Get the bulk of them...

mkdir installs
cd installs

wget https://extdist.wmflabs.org/dist/extensions/LabeledSectionTransclusion-REL1_34-4aa6bfa.tar.gz
tar -xzf LabeledSectionTransclusion-REL1_34-4aa6bfa.tar.gz -C /var/lib/mediawiki/extensions

wget https://extdist.wmflabs.org/dist/extensions/MobileFrontend-REL1_34-6a8ef84.tar.gz
tar -xzf MobileFrontend-REL1_34-6a8ef84.tar.gz -C /var/lib/mediawiki/extensions

wget https://extdist.wmflabs.org/dist/extensions/ImportUsers-REL1_34-2f1a670.tar.gz
tar -xzf ImportUsers-REL1_34-2f1a670.tar.gz -C /var/lib/mediawiki/extensions

wget https://extdist.wmflabs.org/dist/extensions/Scribunto-REL1_34-f7bc2e3.tar.gz
tar -xzf Scribunto-REL1_34-f7bc2e3.tar.gz -C /var/lib/mediawiki/extensions

wget https://extdist.wmflabs.org/dist/extensions/googleAnalytics-REL1_34-6441403.tar.gz
tar -xzf googleAnalytics-REL1_34-6441403.tar.gz -C /var/lib/mediawiki/extensions

wget https://extdist.wmflabs.org/dist/extensions/MultiUpload-REL1_34-e018c1d.tar.gz
tar -xzf MultiUpload-REL1_34-e018c1d.tar.gz -C /var/lib/mediawiki/extensions

wget https://extdist.wmflabs.org/dist/extensions/UserMerge-REL1_34-3517022.tar.gz
tar -xzf UserMerge-REL1_34-3517022.tar.gz -C /var/lib/mediawiki/extensions

wget https://extdist.wmflabs.org/dist/skins/MinervaNeue-REL1_34-ba11b7b.tar.gz
tar -xzf MinervaNeue-REL1_34-ba11b7b.tar.gz -C /var/lib/mediawiki/skins

wget https://extdist.wmflabs.org/dist/extensions/ConfirmAccount-REL1_34-3ffa446.tar.gz
tar -xzf ConfirmAccount-REL1_34-3ffa446.tar.gz -C /var/lib/mediawiki/extensions

wget https://extdist.wmflabs.org/dist/extensions/MassEditRegex-REL1_34-d3570f1.tar.gz
tar -xzf MassEditRegex-REL1_34-d3570f1.tar.gz -C /var/lib/mediawiki/extensions

wget https://extdist.wmflabs.org/dist/extensions/DataTransfer-REL1_34-1fc1c61.tar.gz
tar -xzf DataTransfer-REL1_34-1fc1c61.tar.gz -C /var/lib/mediawiki/extensions

wget https://extdist.wmflabs.org/dist/extensions/HTMLets-REL1_34-a8227c3.tar.gz
tar -xzf HTMLets-REL1_34-a8227c3.tar.gz -C /var/lib/mediawiki/extensions

wget https://extdist.wmflabs.org/dist/skins/MinervaNeue-REL1_34-ba11b7b.tar.gz
tar -xzf MinervaNeue-REL1_34-ba11b7b.tar.gz -C /var/lib/mediawiki/skins

wget https://extdist.wmflabs.org/dist/extensions/GeoData-REL1_34-8a52fa4.tar.gz
tar -xzf GeoData-REL1_34-8a52fa4.tar.gz -C /var/lib/mediawiki/extensions

Do the semantic mediawiki install and config. Last time, we installed Semantic Mediawiki using composer, which is the preferred method. See Web_Server_Documentation.

cd installs
php -r "copy('https://getcomposer.org/installer', 'composer-setup.php');"
php -r "if (hash_file('sha384', 'composer-setup.php') === '8a6138e2a05a8c28539c9f0fb361159823655d7ad2deecb371b04a83966c61223adc522b0189079e3e9e277cd72b8897') { echo 'Installer verified'; } else { echo 'Installer corrupt'; unlink('composer-setup.php'); } echo PHP_EOL;"
php composer-setup.php --install-dir=/usr/local/bin --filename=composer
#php -r "unlink('composer-setup.php');"
vi composer.local.json
 {
     "require": {
         "mediawiki/semantic-media-wiki": "~3.1",
         "mediawiki/semantic-result-formats": "~3.1"
     }
 }
composer update --no-dev
Add line to LocalSettings.php
 enableSemantics('192.168.2.92');
php maintenance/update.php
cd ../extensions/
#https://www.mediawiki.org/wiki/Extension:Page_Forms
git clone https://gerrit.wikimedia.org/r/mediawiki/extensions/PageForms.git
 add to LocalSettings.php

ConfirmAccount Bug

Installing ConfirmAccount gave an error whenever there was an account request.

Warning: file_exists(): Unable to find the wrapper "mwstore" - did you forget to enable it when you configured PHP? in /../w/extensions/ConfirmAccount/backend/ConfirmAccount.class.php on line 29

This seemed to be a registered bug - see https://phabricator.wikimedia.org/T219859. It appears to happen as a consequence of the file_exists call, and is just a warning. It doesn't affect functionality. So I put an @ in front of the file_exists call, which is poor practice but it worked just fine.

Line 29:  if ( $path && @file_exists( $path ) ) {

Other Config

Check pre-reqs are good for Scribuntu.

php -r 'echo "pcre: " . ( extension_loaded( "pcre" ) ? PCRE_VERSION : "no" ) . "\n";'
php -r 'echo "mbstring: " . ( extension_loaded( "mbstring" ) ? "yes" : "no" ) . "\n";'

Fix some permissions:

chmod a+x extensions/Scribunto/includes/engines/LuaStandalone/binaries/lua5_1_5_linux_64_generic/lua
chmod a+x extensions/SyntaxHighlight_GeSHi/pygments/pygmentize

Tune up php and Apache2:

vi /etc/php/7.2/apache2/php.ini
 change upload_max_filesize to 4M
 
vi /etc/apache2/apache2.conf
  <Directory /var/www/wiki/images>
         Options -Indexes
  </Directory>
 
service apache2 restart

Also, add Special:MultiUpload|Upload multiple files to http://www.edegan.com/wiki/MediaWiki:Sidebar

MathML

I tried various methods to get MathML to work and always failed. It looks like the community bet on Mathoid working out, but there's been no development on it for 5 months now, and it looks dead. The good news, if that MathJax works just fine right out of the box:

git clone https://github.com/jmnote/SimpleMathJax.git
wfLoadExtension( 'SimpleMathJax' );
$wgSmjInlineMath = [ [ "$", "$" ], [ "\\(", "\\)" ] ];
 Note: the last line lets you demark math with LaTeX-like syntax.

PDFEmbed

PDFEmbed was the extension that I never knew that I always wanted!

git clone https://gitlab.com/HydraWiki/extensions/PDFEmbed.git
wfLoadExtension( 'PDFEmbed' );

SemanticACL

IntraACL (http://wiki.4intra.net/IntraACL) doesn't work with Mediawiki 1.34, so it's out. I also wasn't wild about its patch-based approach.

This time around I went with SemanticACL for access control. It's in beta but its actively maintained and its approach is simple, sane, and harnesses the power of what's already there. No hooks, no patches, no blah... just an extension that does what you want out of the box.

The only other real contender was Extension:AccessControl, which is stable. However, its approach just isn't as clean, and the author's request for funds to translate his documentation from Czech to English didn't endear me.

Useful Links for SemanticACL:

wget https://extdist.wmflabs.org/dist/extensions/SemanticACL-REL1_34-01ae8be.tar.gz
tar -xzf SemanticACL-REL1_34-01ae8be.tar.gz -C /var/lib/mediawiki/extensions

In LocalSettings.php (for m1.34):

require_once "$IP/extensions/SemanticACL/SemanticACL.php";

To configure security on a page (https://www.mediawiki.org/wiki/Extension:Semantic_ACL#Example)

[[Visible to::whitelist]]
 [[Visible to group::team]]
  
 [[Editable by::whitelist]]
 [[Editable by user::User:whoever]]  
  

or equivalently (but silently):

{{#set: Visible to=whitelist|Visible to group::team}}

BibTeX

The BibTeX extension doesn't work anymore. Though it never really worked, so it's not much of a loss. I should probably build a replacement but I don't have the time right now.

Change the Dbase

I tried 'rename' the dbase, creating a dedicated dbase user that has access to just the wiki's dbase, and resetting its password.

in /bulk/backups:

mysqldump --password olddbase > mediawiki.sql
mysql -u olduser -p 
 CREATE DATABASE wiki;
mysql -u olduser -p wiki < mediawiki.sql
mysql -u olduser -p 
 CREATE USER 'wiki'@'localhost' IDENTIFIED BY 'password';
 GRANT ALL PRIVILEGES ON wiki.* TO 'wiki'@'localhost';
 FLUSH PRIVILEGES;

This led to two different errors. First, the cloned database didn't seem to support Semantic Mediawiki somehow. And second, the new user didn't seem to work. This was true even if I gave them rights on the olddbase. So I abandoned the attempt.

Clean up the attempt:

mysql -u olduser -p 
 DROP DATABASE wiki;
 DROP USER 'wiki'@'localhost';

I did put an .htaccess file in /var/lib/mediawiki to restrict access to LocalSettings.php, though I expect that this is redundant.

<files LocalSettings.php>
order allow,deny
deny from all
</files>

Update Linux

Get the system up to date:

apt-get update
apt-get upgrade

During the upgrade I chose:

  • keep the local smb.conf
  • keep the local grub (new version in /tmp/grub.l1gqsHmubw)

There were dependcy problem and other warnings during the process. It finished with:

Errors were encountered while processing:
 keyboard-configuration
 xserver-xorg-core
 xserver-xorg-input-wacom
 console-setup-linux
 console-setup
 ubuntu-minimal
E: Sub-process /usr/bin/dpkg returned an error code (1)
W: Operation was interrupted before it could finish

I rebooted the server. It came up ok and everything seemed fine (I'm doing this over terminal), but it is still claiming that there are updates. The issue might be related to a known Ubuntu bug: https://bugs.launchpad.net/ubuntu/+source/console-setup/+bug/1770482. The solution(s) might be [1]:

Look at the keyboard config file:

cat /etc/default/keyboard
 # KEYBOARD CONFIGURATION FILE
 # Consult the keyboard(5) manual page.
 XKBMODEL="pc105"
 XKBLAYOUT="us"
 XKBVARIANT=""
 XKBOPTIONS=""

Remove and reinstall the keyboard-configuration:

apt-get remove keyboard-configuration
apt-get install keyboard-configuration 
 Note that this launches a screen where the only options are Afghani variants... so cancel it!
DEBIAN_FRONTEND=noninteractive apt-get install keyboard-configuration
 This ran and changed the keyboard layout file to the default:
  # KEYBOARD CONFIGURATION FILE
  # Consult the keyboard(5) manual page.
  XKBMODEL="pc105"
  XKBLAYOUT="us,af"
  XKBVARIANT=","
  XKBOPTIONS="grp_led:scroll"
vi /etc/default/keyboard
 I manually removed the af option and the commas, essentially reverting the file (I like a scroll light). 
cd /usr/share/X11/xkb/symbols
ln -s us en
 This was the other solution offered. I was missing an en option, so that might be it.
apt-get install keyboard-configuration
 Now it says that there is nothing to do, which is promising. 

Try the update again:

apt-get update && apt-get upgrade
 Nothing happened and everything seems fine...
shutdown -r now

On boot, the box reports:

Welcome to Ubuntu 18.04.5 LTS (GNU/Linux 4.15.0-45-generic x86_64)
...
36 packages can be updated.
30 updates are security updates.

Running apt-get upgrade gives:

The following packages have been kept back:
 fwupd fwupdate fwupdate-signed libfwup1 libgl1-mesa-dri libreoffice-avmedia-backend-gstreamer libreoffice-base-core
 libreoffice-calc libreoffice-core libreoffice-draw libreoffice-gnome libreoffice-gtk3 libreoffice-impress libreoffice-math
 libreoffice-ogltrans libreoffice-writer libxatracker2 linux-generic linux-headers-generic linux-image-generic netplan.io
 python3-software-properties python3-uno software-properties-common software-properties-gtk
0 upgraded, 0 newly installed, 0 to remove and 25 not upgraded.

The latest LTS version (at the time of writing) is 20.04.1 (see https://wiki.ubuntu.com/Releases). So I could do an:

apt-get dist-upgrade

But I should really do a full backup and everything first, so that isn't going to happen today.

Reviewing Wordpress

Overview

Rather than trying to update wordpress, I think it best to install the latest version and use the old dbase. This will likely cause problems with images... but we made several suboptimal choices when we built the last version, including using a non-standard theme and customizing it in a way that prevented updates.

There's a useful wordpress article on the basics of the approach, albeit from a hosted install perspective: https://www.wpbeginner.com/wp-tutorials/how-to-restore-a-wordpress-site-with-just-database-backup/

The main install instructions are: https://wordpress.org/support/article/how-to-install-wordpress/

For theme customization beyond that done in the interface, or through a plugin (like Code Snippets [2], wordpress says the best approach is to create a child theme [3].

Choosing the theme (https://wordpress.org/themes/ and https://wordpress.com/themes) is a major decision. This time I want a much more standard theme, that has better plugin and widget support, is responsive and gives a good mobile interface. I also don't want to pay but will have to trade that off against doing customization to make it look distinct.

It seems that Twenty Fifteen has the most active installs, but all the Twenty series, which are default themes made by wordpress are wildly popular. It might be worth using Twenty Twenty, as it is the most recent and takes advantage of the block editor (Twenty Nineteen does too but gets mediocre reviews), and I like the look of Twenty Fourteen.

Outside of the defaults, OceanWP is eCommerce oriented but looks good and is very popular. Neve sits between OceanWP and GeneratePress, which has a more magazine/news focus, and all three take advantage of the new block editor (Gutenberg), which was introduced in WPv5 (initial release in 2018).

Pre-install

Check PHP and MySQL. I need PHP >=7.3 and MySQL >=5.6 but:

php --version
 PHP 7.2.24-0ubuntu0.18.04.6 (cli) (built: May 26 2020 13:09:11) ( NTS )
mysql --version
 mysql  Ver 14.14 Distrib 5.7.31, for Linux (x86_64) using  EditLine wrapper

I might be able to upgrade my version of PhP without upgrading Ubuntu (see https://linuxize.com/post/how-to-install-php-on-ubuntu-18-04/). However, it is probably a good idea to just fix everything...

Upgrading Linux

So it turns out that I shouldn't have done that last update... I do have an Xwindows Server on the box, running Gnome, and now I can't log in using the GUI on the box itself (it loops back to the login screen). This box doesn't contain the GPUs, just the database server, so the GUI isn't key, but it would be nice to have it working again. Hopefully, an upgrade will fix that, as well as other issues.

Backing off

First, mount the USB drive. Find what's mounted and what the dev is:

mount -t ext4
 (or just mount for everything)
ls -l /dev/disk/by-id/usb*
 (or fdisk -l or lsblk)
mkdir -p /media/usb
mount /dev/sda1 /media/usb

Back up the databases:

psql postgres
 /l
As researcher and in /bulk/backups/
 mv lbo_Fc.dump lbo_Fc.dump.org
 pg_dump -Fc allpatentsprocessed > allpatentsprocessed_Fc.dump
 pg_dump -Fc accelerators > accelerators_Fc.dump
 pg_dump -Fc grants > grants_Fc.dump
 pg_dump -Fc incubators > incubators_Fc.dump
 pg_dump -Fc lbo > lbo_Fc.dump
 pg_dump -Fc stockmarket > stockmarket_Fc.dump
 pg_dump -Fc crunchbase3 > crunchbase3_Fc.dump
 pg_dump -Fc vcdb20h1 > vcdb20h1_Fc.dump
 pg_dump -Fc vcdb4 > vcdb4_Fc.dump
mysql -u root -p
 SHOW DATABASES;
 \q
 mysqldump --databases --password mcnair > mcnair.sql
 mysqldump --databases --password wordpress > wordpress.sql
 mysqldump --password mcnair > mediawiki.sql

Do the file transfers

mkdir /media/usb/mother-2020-08-09
mkdir /media/usb/mother-2020-08-09/bulk
rsync -av --progress --exclude="mcnair" /bulk/ /media/usb/mother-2020-08-09/bulk/
mkdir /media/usb/mother-2020-08-09/html
rsync -av --progress /var/www/html/ /media/usb/mother-2020-08-09/html/

Finally:

umount /media/usb

Do the upgrade

Run:

apt update 
apt upgrade
apt dist-upgrade
apt autoremove
do-release-upgrade
 if no release found because you are too early, add the -d to allow development (it will still install LTS if that's available)
 do-release-upgrade -d

This failed on the first attempt. So I did:

grep ERROR /var/log/dist-upgrade/main.log
grep BROKEN /var/log/dist-upgrade/apt.log
apt-get remove postgresql-10-postgis-2.4

Then:

 do-release-upgrade -d
  I selected some choices (keep smd.conf, don't notify me of whatever, etc.)
  I let it replace postgres10 but it still gave me an "Obsolete Major Version" warning on postgres (I said ok).

Address the upgrade issues

The first casualty of the upgrade was the networking configuration. You'd think that developers would have figured that one out, as remote upgrades would leave boxes DOA until someone could get physical access. Nevertheless, the fix is straight forward.

The old ifup and down and eth0 etc. interface system is gone now, taking its config with it. To get the networking back:

ifconfig
 Outdated now, I think, but it still shows what's up...
ip -a
 This will get you the names of the interfaces etc.
 I already had a .yaml under a different interface name that set up DHCP, so I used it as a template for the interface that I wanted up that way
cp /etc/network/01-netcfg.yaml /etc/network/99_config.yaml
vi /etc/network/99_config.yaml
 change the interface name to eno0 
netplan apply

Now everything looks good for a foundation - apache2 is working, SSH is working, but I need to do a minor config fix for the wiki.

apt-get install php-mbstring
apachectl restart

And the wiki comes back up but with a error notice. The issue seems to be with PHP 7.4, and it looks like it affects both mediawiki and wordpress, though wordpress might have fixed it. Regardless, it is possible to install 7.3 as well, as use that with apache2.

add-apt-repository ppa:ondrej/php
apt-get update
apt-get install php7.3
apt-get install php7.3-cli php7.3-common php7.3-json php7.3-opcache php7.3-mysql php7.3-mbstring  php7.3-zip php7.3-fpm php7.3-intl php7.3-simplexml
 Note we may need to fix some config again as it said: Creating config file /etc/php/7.3/apache2/php.ini
a2dismod php7.4
a2enmod php7.3
 I ignored the following notices for now:
  NOTICE: To enable PHP 7.3 FPM in Apache2 do:
  NOTICE: a2enmod proxy_fcgi setenvif
  NOTICE: a2enconf php7.3-fpm
systemctl restart apache2
update-alternatives --set php /usr/bin/php7.3
update-alternatives --set phar /usr/bin/phar7.3
update-alternatives --set phar.phar /usr/bin/phar.phar7.3
update-alternatives --set phpize /usr/bin/phpize7.3
update-alternatives --set php-config /usr/bin/php-config7.3
error: no alternatives for php-config (ignored for now)

And the wiki now seems happy!

I also checked postgres and everything seemed ok:

su researcher
psql vcdb4
\l
 They are all there
\dx
 All my extensions report back.

Other Fixes

Remove redundant user accounts:

cat /etc/passwd
userdel -r username

I need to get Xwindows set up again. My best guess as to the cause of this issue is leftover Nvidia drivers from my attempts to install the GPUs on this box went bad in an earlier apt-get upgrade but I can't see them listed:

dpkg -l | grep nvidia-driver

There is a .Xauthority file, and an .ICEauthority file, in /home/ed and both are owned by ed:ed. The former is empty (0 bytes) and the latter has some non-UTF8 (I think?) characters in it. I'm not sure if either is an issue.

I didn't see xserver-xorg-video-nouvea in the package list or any video driver module, so I installed nouveau:

dpkg -l
lsmod | more
apt install xserver-xorg-video-nouveau
 I'm not sure if I should be fixing my boot image or not...
shutdown -r now
lsmod | more

After doing this the login would give a local desktop but neither the keyboard nor mouse worked. I tried uninstalling and reinstalled the keyboard-configuration again.

apt-get remove keyboard-configuration
apt-get install keyboard-configuration  
shutdown -r now

But that just put me back where I was: with a login loop problem. So I tried switching to lightdm:

apt-get install lightdm

And it worked even before a reboot. After a reboot, I had a different login screen but the actual desktop looked the same. The .Xauthority file is now 51 bytes big and I suddenly have a .xsession-errors, which contains a list of environment settings taking place... However, the machine then silently crashed that night and again the following morning. I couldn't find a specific cause in the logs but there did seem to be a number X and GNOME problems:

journalctl -b -1
journalctl --since "1 hour ago"

I ran an update from the GUI, which may have helped. However, there was a warning about an issue with a screensaver the first time that I loaded lightdm, and the crashes seemed to happen sometime after a clean boot. So I uninstalled lightdm, and installed gdm (which failed as installed already) and rebooted but got no GUI. Then I uninstalled and reinstalled gdm and everything seems fine now.

apt-get remove lightdm
apt-get remove gdm3
apt-get install gdm3

Incidentally, I left a clock running in a terminal so that I could see when the box went down if it crashed again. The clock code is:

while [ 1 ] ; do echo -en "$(date +%T)\r" ; sleep 1; done

Important Moves

I kept the old versions of mediawiki and wordpress and moved them to /bulk/retired (using yyymmdd dates)

mv /var/lib/mediawiki26082020 /bulk/retired/
mv /bulk/retired/mediawiki26082020 /bulk/retired/mediawiki20200826
mv /var/www/html/blog20200809 /bulk/retired/

Wordpress Redux

Install

First, move the old folder to a new name, so that it is there for backup and then get the new install and unpack it.

cd /bulk/installs
wget https://wordpress.org/latest.tar.gz
mv /var/www/html/blog /var/www/html/blog20200809
tar -xzf latest.tar.gz -C /var/www/html/
cd /var/www/html/
mv wordpress/ blog/
chown -R www-data:www-data blog

Put an .htaccess file in that folder to restrict access while we work:

vi blog/.htaccess
 <RequireAny>
 Require ip 192.168.2.1
 </RequireAny>

Set up

Then set up the dbase by editing wp-config.php (it's easiest to modify the sample).

cp blog/wp-config-sample.php blog/wp-config.php
vi blog/wp-config.php
 Note get some keys from: https://api.wordpress.org/secret-key/1.1/salt/

Then the backend works - go to http://www.edegan.com/blog/wp-admin! However the health check shows a missing required module and two missing recommended modules. Fix that:

apt-get install php7.3-gd
apt-get install php7.3-curl
apt-get install php7.3-imagick
apachectl restart

Ironically, it then recommends that I upgrade to PHP7.4... but that would just give issues for mediawiki. On the other hand, everything is now green and just 4 groups of recommendations remain.

Config

See Wordpress Blog Site (Tool) for the McNair Center's build.

Using www.edegan.com/blog/wp-admin I configured the blog as follows:

  • Select Twenty Twenty as the theme
  • Add the permalink code to the .htaccess file, so that the URLs will work with postnames
  • Copy over images to wp-content/uploads (use cp -a to maintain permissions)
  • Change the site name to https (after fixing the https setup, see below)

Install plugins:

  • Yoast SEO
  • Wordfence Security
  • Disable Comments
  • Site Kit by Google (set up once live!)
  • Pixabay

I also added:

  • CoBlocks (free)
  • Advanced Gutenberg (free)
  • Otter

I didn't add Co-Authors Plus (https://wordpress.org/plugins/co-authors-plus/) as it hasn't been tested on the latest version of wordpress. There are other plugins that offer equivalent functionality if I need one later.

Other plugins I might want are:

  • Revive Old Post (share with twitter)
  • Optimole (optimize images)
  • WP Rocket (implement cache)

Notes:

Other things

I hardened the wordpress installation: https://wordpress.org/support/article/hardening-wordpress/

This included:

  • Fixing file ownership: For fully hardened, change ownership of everything to root, except wflogs, uploads and themes in wp-content, which should be owned by www-data. However, then you won't be able to install plugins etc. A compromise is -R www-data:www-data for blog and then root:root for .htaccess.
  • Check file permissions: Everything is 644, except wp-content which is 755
  • Checking dbase rights and setting new passwords.
  • Changing passwords on old accounts (with posts, so the accounts shouldn't be deleted) to random strong strings.
  • Fixing up .htaccess file to impose restrictions
  • Install Sucuri
  • Enable more logging

Checking user rights in the dbase and changing their password:

mysql -user=root -p
use wordpress
SELECT User FROM mysql.user;
SHOW GRANTS FOR 'username'@'localhost';
SET PASSWORD FOR 'username'@'localhost'='newpassword';
 (Note that this shouldn't be logged in clear on the server, but might be on a client. Delete .mysql_history at the end of your session.)

.htaccess in wp-includes:

# Block the include-only files.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>
# BEGIN WordPress

The #BEGIN WordPress tag is redundant as the file is 644 root.

Add the following to .htaccess in the wordpress dir:

<files wp-config.php>
order allow,deny
deny from all
</files>

Once I'm all done with the theme etc., I can uncomment the following from wp-config.php

define('DISALLOW_FILE_EDIT', true);

HTTPS

To set up HTTPS using Let's Encrypt, see https://linuxize.com/post/secure-apache-with-let-s-encrypt-on-ubuntu-20-04/

Install it and make some directories...

apt update
apt install certbot
openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048
 takes ~20 secs
mkdir -p /var/lib/letsencrypt/.well-known
chgrp www-data /var/lib/letsencrypt
chmod g+s /var/lib/letsencrypt

Set up the config files

vi /etc/apache2/conf-available/letsencrypt.conf
Alias /.well-known/acme-challenge/ "/var/lib/letsencrypt/.well-known/acme-challenge/"
<Directory "/var/lib/letsencrypt/">
    AllowOverride None
    Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
    Require method GET POST OPTIONS
</Directory>
vi /etc/apache2/conf-available/ssl-params.conf
SSLProtocol             all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite          ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA- CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
SSLHonorCipherOrder     off
SSLSessionTickets       off

SSLUseStapling On
SSLStaplingCache "shmcb:logs/ssl_stapling(32768)" 

SSLOpenSSLConfCmd DHParameters "/etc/ssl/certs/dhparam.pem"  

Header always set Strict-Transport-Security "max-age=63072000"

Enable some apache2 mods!

a2enmod ssl
a2enmod headers
a2enconf letsencrypt
a2enconf ssl-params
sudo a2enmod http2
systemctl reload apache2

Run certbot!

certbot certonly --agree-tos --email ed@edegan.com --webroot -w /var/lib/letsencrypt/ -d edegan.com -d www.edegan.com
Note that I needed an @ entry in my A record for edegan.com pointed to my IP address to get the main challenge to succeed.

Then set up a new apache2 config file (in /etc/apache):

mv sites-available/000-default.conf sites-available/000-default.conf.bak
vi sites-available/edegan.com.conf
 <VirtualHost *:80>
       ServerName www.edegan.com
       ServerAdmin ed@edegan.com
       Redirect permanent / https://www.edegan.com/
</VirtualHost>
 
<VirtualHost *:443>
       ServerName www.edegan.com
       Protocols h2 http/1.1
       DocumentRoot /var/www/html
       ErrorLog ${APACHE_LOG_DIR}/error.log
       CustomLog ${APACHE_LOG_DIR}/access.log combined
       SSLEngine On
       SSLCertificateFile /etc/letsencrypt/live/edegan.com/fullchain.pem
       SSLCertificateKeyFile /etc/letsencrypt/live/edegan.com/privkey.pem
       # Other Apache Configuration
       Alias /wiki /var/www/html/mediawiki/index.php
       RewriteEngine On
       RewriteRule ^/*$ %{DOCUMENT_ROOT}/mediawiki/index.php [L]
</VirtualHost>
ln -s sites-available/edegan.com.conf sites-enabled/edegan.com.conf
systemctl reload apache2

Test it by going to https://www.ssllabs.com/ssltest/

Finally, edit /etc/cron.d/certbot and append the following to the last line (after -renew):

--renew-hook "systemctl reload apache2"
certbot renew --dry-run
 Tests the renewal!

PDFEmbed Issue

Enabling and requiring HTTPS causes an issue with PDFEmbed on mediawiki, where you get a blank frame. The PDF is still there, other images load fine, but the PDF frame won't render the PDF. The problem is actually that the PDF is served with HTTP and the rest of the page is served with HTTPS, and Chrome (and perhaps other browsers) don't render the insecure content as a consequence (see [4] for a description of the symptoms, but not the solution.).

The solution is to edit mediawiki/extensions/PDFEmbed/PDFEmbed.hooks.php. For me it was line 103 that previously said:

'src' => $file->getFullUrl().'#page='.$page,

I changed this line to:

'src' => preg_replace("/^http:/i", "https:", $file->getFullUrl()).'#page='.$page,

This is mentioned in a comment on a topic page, though presumably for an earlier version: https://www.mediawiki.org/wiki/Topic:Syxow0why4c0cvvm

Install VSFTPD

With the security restrictions on wordpress, I now need an FTP server to get files for themes, plugins, etc. I like VSFTPD, as its simple, secure, and has a nice standalone config. Old documentation on an earlier install on the old Wordpress Blog Site (Tool) page. Instructions are here: https://linuxconfig.org/how-to-setup-ftp-server-on-ubuntu-20-04-focal-fossa-linux

apt-get install vsftpd
cp /etc/vsftpd.conf /etc/vsftpd.conf_orig
vi /etc/vsftpd.conf
 #Change the following
 write_enable=YES
 local_umask=022
 ssl_enable=YES
 #Add the following (forces ssl)
 allow_anon_ssl=NO
 force_local_data_ssl=YES
 force_local_logins_ssl=YES
 ssl_tlsv1=YES
 ssl_sslv2=YES
 ssl_sslv3=YES

/etc/init.d/vsftpd restart

Then add a user and set it up:

useradd -m blog
passwd blog
usermod -a -G www-data blog
usermod -d /var/www/html/blog blog

Test it:

ftp 127.0.0.1
sftp 127.0.0.1

See also:

Old machines

For the configuration of the servers built for the McNair Center, see the old Center IT page or the pages below:

Some of this information is still useful!

In addition, at UC Berkeley, Ed designed and built three machines - two postgresql database servers and a wiki server. The documentation is here: