How-To Sketch

CentOS8 on AWS EC2 for SVN, NNTP

Ann Lynnworth Aug 2020

Moving from CentOS7 on bare metal to CentOS8 on AWS EC2: Setup Notes


AMI: CentOS 8 Minimal (CentOS 8.2.2004) from https://aws.amazon.com

EC2 Instance size:
* t3a.nano with 8 GB turned out extremely slow, unusable; note 'a' means 'amd'
* t3.nano with 20 GB turned out responsive, usable; Intel Skylake chip. Cost $55/yr in us-east-1

Security Updates

centos-8-update-installed-packages-for-security

NNTP

NNTP is essentially a free messaging system suitable for public content such as technical support.

Reference: Compile and Install Wendzelnntpd

Documentation: PDF

After Make and Make Install, stop the old server and use 7Zip to archive everything in /var/spool/news/wendzelnntpd. Use s3cmd to transfer that archive to an S3 bucket. Then use curl and download the archive to the new server, and extract all files to the same folder.

nntp source: cd /usr/lib64/WendzelNNTPd-OSE/src
nntp config: sudo vi /usr/local/etc/wendzelnntpd.conf
nntp database: /var/spool/news/wendzelnntpd

Make sure that the wendzelnntpd.conf has a listen command for the private network ip of the EC2 instance.

Open port 119 in the AWS Security Group when you want the public to see your newsgroup server.


To run the NNTP server

cd /usr/lib64/WendzelNNTPd-OSE/bin
sudo ./wendzelnntpd -d &

To stop the NNTP server

sudo pkill wendzelnntpd

7Zip

Reference: create-7z-file-from-folder-recursively-in-linux

sudo yum install p7zip
7z a myfolder.7z myfolder/
sudo 7z x myfolder.7z

NB: x means extract and preserve folder structure


S3CMD syntax

sudo yum install s3cmd
sudo s3cmd --configure
s3cmd put nntparchive.7z --config=/root/.s3cfg --preserve --multipart-chunk-size=5  s3://mybucket/abc/2020/

Remember to mark the file public temporarily so you can download it.

s3cmd put /etc/httpd/conf/httpd.conf --config=/root/.s3cfg --preserve --multipart-chunk-size=5  s3://mybucket/abc/2020/
s3cmd put /etc/httpd/conf.d/subversion.conf --config=/root/.s3cfg --preserve --multipart-chunk-size=5  s3://mybucket/abc/2020/
cd /etc/httpd/conf.d
sudo s3cmd get s3://mybucket/abc/2020/subversion.conf --config=/root/.s3cfg --preserve --multipart-chunk-size=5
cd /etc/httpd/conf
sudo mv httpd.conf httpd.original.conf
sudo s3cmd get s3://mybucket/abc/2020/httpd.conf --config=/root/.s3cfg --preserve --multipart-chunk-size=5

CURL syntax

curl https://mybucket.../abc/2020/nntparchive.7z -o nntparchive.7z
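
An alternative to making the object public, as an added example that is not part of the original notes: upload privately, hand out a time-limited signed URL, and check the archive's SHA-256 before extracting. The function names and the transfer.sh file name are hypothetical; the bucket path is the page's placeholder.

```bash
#!/usr/bin/env bash
# Added example (not from the original page): move the archive through S3
# without a public object, and refuse to extract it unless its hash matches.

archive_sha256() {            # usage: archive_sha256 FILE  -> prints hex digest
    sha256sum "$1" | awk '{ print $1 }'
}

verify_archive() {            # usage: verify_archive FILE EXPECTED_HEX
    [ -f "$1" ] || { echo "no such file: $1" >&2; return 2; }
    actual=$(archive_sha256 "$1")
    if [ "$actual" != "$2" ]; then
        echo "checksum mismatch for $1: got $actual" >&2
        return 1
    fi
}

# Old server: upload with the default private ACL, then print the digest and
# a signed URL that stops working after TTL seconds.
publish_archive() {           # usage: publish_archive FILE S3_PREFIX/ TTL
    s3cmd put "$1" --config=/root/.s3cfg "$2" || return 1
    echo "sha256: $(archive_sha256 "$1")"
    s3cmd signurl --config=/root/.s3cfg "$2$(basename "$1")" "+$3"
}

# New server: download, verify against the digest noted above, then extract.
fetch_archive() {             # usage: fetch_archive SIGNED_URL FILE EXPECTED_HEX
    curl --fail --silent --show-error "$1" -o "$2" || return 1
    verify_archive "$2" "$3" && 7z x "$2"
}

# Example session (transfer.sh is a hypothetical name for this file):
#   old$ sudo bash -c '. ./transfer.sh; publish_archive nntparchive.7z s3://mybucket/abc/2020/ 3600'
#   new$ . ./transfer.sh; fetch_archive 'SIGNED_URL' nntparchive.7z 'HEX_DIGEST'
```

Carry the digest to the new server over your SSH session rather than through the bucket, so a change to the stored object cannot also change the value it is checked against.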

Subversion "SVN" server install

Use this as your basic reference: subversion-svn-on-centos-8

This installs apache http server plus everything you need to host a subversion server.

sudo dnf install subversion mod_dav_svn
sudo vi /etc/httpd/conf.d/subversion.conf
sudo vi /etc/httpd/conf/httpd.conf

See also https://wiki.centos.org/HowTos/Subversion

svn config files are in /etc/svn-acl* and /etc/svn-auth*

In order to migrate my existing subversion files from CentOS7 to CentOS8, I used 7Zip to archive them on the original server, uploaded them to S3 using s3cmd, then downloaded them to the new server and extracted them (same as done for nntp above). That worked. I did not need to use svnadmin to dump and restore the subversion repositories. I just copied the files into the same directory locations and it all worked immediately. I did not need to redefine my users and passwords. They kept working.

sudo systemctl restart httpd
sudo systemctl status httpd.service

SVN over HTTPS

Reference: let-s-encrypt-on-centos-8

Follow those instructions to install and run certbot, then test.

On my system, the default self-signed certificate remained active, seemingly due to excess configuration in ssl.conf. It will be obvious if you have this problem because when you test your domain in a browser, you will have a certificate error about a self-signed root certificate being used. You can further verify using grep.

grep -r "IfModule mod_ssl" /etc/httpd
grep -r "SSLCertificateFile" /etc/httpd
grep -r "443" /etc/httpd

The problem turned out to be that the _default_:443 was taking over. Changing _default_ to a specific domain not needed by the public worked for me.

sudo vi /etc/httpd/conf.d/ssl.conf

Doubtless there is a way to make the LetsEncrypt conf be more important than the default (!!), but that is beyond my knowledge of apache conf.
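
To see which port-443 virtual host is carrying which certificate, the following added example (not part of the original notes) lists every such block with its ServerName and SSLCertificateFile. The function names are hypothetical, and the localhost.crt path in the usage comment is assumed to be the self-signed default from the mod_ssl package.

```bash
#!/usr/bin/env bash
# Added example (not from the original page): report each port-443
# <VirtualHost> in an Apache config tree with its ServerName and certificate.

# Prints: FILE:LINE ADDRESS SERVERNAME CERTFILE   ("-" when a directive is absent)
list_tls_vhosts() {           # usage: list_tls_vhosts /etc/httpd
    find "$1" -type f -name '*.conf' | sort | while IFS= read -r conf; do
        awk -v file="$conf" '
            { low = tolower($1) }                 # directives are case-insensitive
            low ~ /^#/ { next }                   # skip commented-out lines
            low == "<virtualhost" && $2 ~ /:443>?$/ {
                in_vh = 1; start = NR; name = "-"; cert = "-"
                addr = $2; sub(/>$/, "", addr); next
            }
            in_vh && low == "servername"         { name = $2 }
            in_vh && low == "sslcertificatefile" { cert = $2 }
            in_vh && low == "</virtualhost>" {
                printf "%s:%d %s %s %s\n", file, start, addr, name, cert
                in_vh = 0
            }
        ' "$conf"
    done
}

# Prints only the vhosts that serve CERT, for example a self-signed default.
vhosts_using_cert() {         # usage: vhosts_using_cert /etc/httpd CERT_PATH
    list_tls_vhosts "$1" | awk -v cert="$2" '$4 == cert'
}

# Example (certificate path is an assumption, check your own ssl.conf):
#   vhosts_using_cert /etc/httpd /etc/pki/tls/certs/localhost.crt
```

`sudo httpd -S` prints the virtual hosts as Apache itself parsed them, including which one is the default server for port 443.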


When SVNRDUMP fails

I was unable to get svnrdump to work on my CentOS server. In the end, I transferred my .dump files to the target CentOS machine, and then used svnadmin load to restore the full history from backup.

svnadmin load
sudo svnadmin load /var/svn/restored < repos-backup

For info about pre-revprop-change, see what-is-a-pre-revprop-change-hook-in-svn-and-how-do-i-create-it


SVN Troubleshooting

After using svnadmin to load a repo, there will be additional files and those may need their ownership changed.

sudo chown -R apache:apache /var/www/svn-custom/myrepo

If you continue to have permission errors such as "Commit failed (details follow): Can't move 'var/www/svn-custom/myrepo/db/txn-protorevs/3592-2rs.rev' to '/var/www/svn-custom/myrepo/db/revs/3/3593': Permission denied" when doing svn commit, use the solution provided by this excellent reference:

chcon -R -t httpd_sys_rw_content_t /var/www/svn-custom/myrepo

CentOS Firewall

The AMI did not include the standard firewall daemon. You can rely on the EC2 Security Group or install firewalld.

Reference: using-firewalld-on-centos-8

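# --permanent writes to the saved configuration only; --reload then applies it.
# Do not run --runtime-to-permanent in between: it overwrites the saved
# configuration with the running one, which does not have these rules yet.
sudo firewall-cmd --zone=public --add-service=http --permanent
sudo firewall-cmd --zone=public --add-service=https --permanent
sudo firewall-cmd --zone=public --add-port=119/tcp --permanent
sudo firewall-cmd --reload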
sudo firewall-cmd --zone=public --list-services
sudo firewall-cmd --zone=public --list-ports

Company publishing this blog in 2022: HREF Tools Corp. based in Wilmington, Delaware USA