- Make sure any of your previously used JBoss Fuse instances are stopped.
- Create a User Account for Red Hat JBoss Fuse
- Red Hat Enterprise Linux allows administrators to create a username and a password associated with a group, similarly to a Windows environment. To achieve this goal,
- Create a User Account
- Open a Terminal window (Applications → System Tools → Terminal) and execute the following command to create a user account whose login is fuse. The password for the student login is student:
- [student@stationX ~]$ sudo adduser -g fuse fuse
- Update the User Password
- In the Terminal window, execute the following command to update the password for this user:
- [student@stationX ~]$ sudo passwd fuse
- Use l0ck3d as the password for this user.
- Note
- This command will raise two Bad password messages (It is based on a dictionary word and It is too simple). You can ignore these messages.
- The following message will be presented after updating the password:
- passwd: all authentication tokens updated successfully.
- Install JBoss Fuse Under a Dedicated User Account
- Open a terminal and switch user identity to user fuse:
- [student@stationX ~]$ su - fuse
- Password: l0ck3d
- Extract Red Hat JBoss Fuse from the installation archive:
- [fuse@stationX ~]$ unzip -q /tmp/jboss-fuse-full-6.1.0.GA.zip
- Create the soft link to the directory created to allow simple upgrades:
- [fuse@stationX ~]$ ln -s ~/jboss-fuse-6.1.0.redhat-379 ~/jboss-fuse-6.1.0.GA
- Configure the User Account for JBoss Fuse
- Using gedit (Applications → Accessories → gedit Text Editor), add the required environment variables to the .bashrc file of user fuse. From the already opened Terminal window, execute the following command:
- [fuse@stationX ~]$ gedit ~/.bashrc
- Add to the end of this file the following environment variables:
- JAVA_HOME=/etc/alternatives/java_sdk_1.7.0
- KARAF_BASE=$HOME/jboss-fuse-6.1.0.GA
- KARAF_DATA=$HOME/instance-root-data
- PATH=$PATH:$KARAF_BASE/bin
- export JAVA_HOME KARAF_BASE KARAF_DATA PATH
- umask 077
- Save the file.
- Note
- These values can be copied and pasted from the /tmp/security-os/bashrc.contents file.
- Set Up File System Permissions
- Note
- The following commands can be copied and pasted from the /tmp/security-os/access file.
- Enable full access (read, write, and execution) only for the current user to the jboss-fuse-6.1.0.redhat-379 directory and subdirectories:
- [fuse@stationX ~]$ find ./jboss-fuse-6.1.0.redhat-379/ -type d -exec chmod 700 {} \;
- Enable full access (read, write, and execution) to the scripts responsible for starting, stopping, and managing Red Hat JBoss Fuse:
- [fuse@stationX ~]$ find ./jboss-fuse-6.1.0.redhat-379/ -type f -perm /100 -exec chmod 700 {} \;
- Enable only read and write access to the remaining files:
- [fuse@stationX ~]$ find ./jboss-fuse-6.1.0.redhat-379/ -type f \! -perm /100 -exec chmod 600 {} \;
- Create an instance of the data directory:
- [fuse@stationX ~]$ mkdir -m 700 -p instance-root-data/log/
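- A check for the owner-only layout that the three find commands and umask 077 are meant to produce. This is an added example, not part of the original lab; the function names are assumptions.

```bash
#!/bin/sh
# Added example: audit a tree for the owner-only layout set up above.

# Entries (symlinks excluded) that grant any group or other permission bit.
# Uses POSIX "-perm -mode" tests so it works with any find version.
loose_entries() {
    find "$1" ! -type l \( -perm -040 -o -perm -020 -o -perm -010 \
        -o -perm -004 -o -perm -002 -o -perm -001 \) -print
}

# Directories the owner cannot fully use (the lab expects mode 700).
dirs_missing_rwx() {
    find "$1" -type d ! -perm -700 -print
}

# Entries that belong to someone other than the invoking user.
foreign_entries() {
    find "$1" ! -user "$(id -u)" -print
}

# Print the number of distinct findings on stdout and the paths on stderr.
# 0 means the tree matches the layout described in the lab.
audit_tree() {
    findings=$( { loose_entries "$1"; dirs_missing_rwx "$1"; foreign_entries "$1"; } | sort -u )
    if [ -z "$findings" ]; then
        echo 0
        return 0
    fi
    printf '%s\n' "$findings" | sed 's/^/FINDING: /' >&2
    printf '%s\n' "$findings" | wc -l | tr -d ' '
}

# Usage as user fuse: sh audit.sh ~/jboss-fuse-6.1.0.redhat-379
if [ $# -gt 0 ]; then
    audit_tree "$1"
fi
```

- Running it again on instance-root-data after the container has started shows whether umask 077 took effect for files created at run time.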
- Set Up Resource Limits for the Application
- Some system environment variables must be set to limit resources.
- Note
- The following values can be copied and pasted from the /tmp/security-os/bashrc.contents file.
- Set Operating System Limits for Fuse
- Using the editor of your choice, make the following additions to the .bashrc file of user fuse:
- MAX_FD=2048
- export MAX_FD
- Set Up Java Virtual Machine Settings
- Using the editor of your choice, make the following additions at the end of the .bashrc file of user fuse:
- JAVA_MIN_MEM=256M
- JAVA_MAX_MEM=768M
- JAVA_PERM_MEM=128M
- JAVA_MAX_PERM_MEM=256M
- export JAVA_MIN_MEM JAVA_MAX_MEM JAVA_PERM_MEM JAVA_MAX_PERM_MEM
- Set Up Operating System Resource Limits
- Check the current (soft and hard) operating system resource limits for the fuse user account:
- [fuse@stationX ~]$ ulimit -a -S
- core file size (blocks, -c) 0
- data seg size (kbytes, -d) unlimited
- scheduling priority (-e) 0
- file size (blocks, -f) unlimited
- pending signals (-i) 14865
- max locked memory (kbytes, -l) 64
- max memory size (kbytes, -m) unlimited
- ...
- [fuse@stationX ~]$ ulimit -a -H
- core file size (blocks, -c) unlimited
- data seg size (kbytes, -d) unlimited
- scheduling priority (-e) 0
- file size (blocks, -f) unlimited
- pending signals (-i) 14865
- max locked memory (kbytes, -l) 64
- max memory size (kbytes, -m) unlimited
- ...
- Log out from the fuse user account session.
- [fuse@stationX ~]$ exit
- Using sudo and gedit, create a new operating system limit configuration file in /etc/security/limits.d:
- [student@stationX ~]$ sudo gedit /etc/security/limits.d/fuse.conf
- Add the following content to the file:
- fuse hard core 0 # no core dumps
- fuse hard nofile 2048 # incl. sockets!
- fuse hard rss 1572864 # 1.5 GB (ignored!)
- fuse hard nproc 1024 # incl. threads!
- fuse hard as 3145728 # 3 GB VM max (32-bit)
- fuse hard maxlogins 1 # only one login allowed
- fuse hard priority 0 # run with normal prio
- fuse hard nice -5 # max. nice priority
- fuse hard rtprio 0 # do not allow RTPRIO
- Note
- The contents can be copied and pasted from the /home/student/JB435/labs/security-os/fuse.conf file.
- Save the file and exit gedit.
- This configuration will allow only a single login for the fuse user.
- Test Operating System Limits
- Open two new Terminal windows and log in as fuse in both windows:
- ssh fuse@localhost
- When using the password l0ck3d from two windows, what happens?
- Try logging in as fuse using su - while one SSH session is established. What happens? Why?
- Try logging in as fuse using su - from two Terminal windows. What happens? Why?
- Use the ulimit command as user fuse to verify that the limits are set accordingly.
- Log out from this SSH session:
- [fuse@stationX ~]$ exit
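- One way to script the ulimit verification step above: read the hard limits for a user from a limits.d file and compare them with the hard limits of the current shell. This is an added example, not part of the original lab; the function names are assumptions, and only exact user-name entries are matched (wildcard and @group entries are not resolved).

```bash
#!/usr/bin/env bash
# Added example: compare a limits.d file with the hard limits of this shell.

# Print "item value" for every hard limit that file $1 assigns to user $2.
# Text after "#" is dropped first, as pam_limits does when it reads the file.
hard_limits_for() {
    sed 's/#.*//' "$1" |
        awk -v u="$2" '$1 == u && $2 == "hard" && NF >= 4 { print $3, $4 }'
}

# Map a limits.conf item to the ulimit flag that reports the same number.
# Items without such a flag (maxlogins, priority, rss, nice) are skipped.
ulimit_flag() {
    case $1 in
        core) echo c ;;
        nofile) echo n ;;
        nproc) echo u ;;
        as) echo v ;;
        rtprio) echo r ;;
        *) return 1 ;;
    esac
}

# Print one line per item; the exit status is the number of mismatches.
verify_limits() {
    mismatches=0
    while read -r item want; do
        [ -n "$item" ] || continue
        flag=$(ulimit_flag "$item") || { echo "SKIP $item"; continue; }
        have=$(ulimit -H "-$flag" 2>/dev/null) || { echo "SKIP $item"; continue; }
        if [ "$have" = "$want" ]; then
            echo "OK   $item=$have"
        else
            echo "FAIL $item: file says $want, shell has $have"
            mismatches=$((mismatches + 1))
        fi
    done <<EOF
$(hard_limits_for "$1" "$2")
EOF
    return "$mismatches"
}

# Usage as user fuse: bash check.sh /etc/security/limits.d/fuse.conf fuse
if [ $# -ge 2 ]; then
    verify_limits "$1" "$2"
fi
```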
- Configure the Container Instance for Operation
- Update Fuse Network Configuration Files
- In a Terminal window, log into the fuse user account:
- [student@stationX ~]$ su - fuse
- Enter the password l0ck3d.
- Open gedit from the fuse login:
- [fuse@stationX ~]$ gedit $KARAF_BASE/etc/org.apache.karaf.shell.cfg
- To enable access using an SSH session on 127.0.0.1 (localhost), port 11101, change the following lines in this file to:
- sshPort=11101
- sshHost=127.0.0.1
- Save the changes.
- Open gedit from the fuse login:
- [fuse@stationX ~]$ gedit $KARAF_BASE/etc/org.apache.karaf.management.cfg
- To enable remote access for the management console on 127.0.0.1 (localhost), port 11099, change the following lines in this file to:
- rmiRegistryPort = 11099
- rmiRegistryHost = 127.0.0.1
- rmiServerPort = 11444
- Configure the Service
- Start the container and connect to it remotely using SSH:
- Start the JBoss Fuse container in the background.
- [fuse@stationX ~]$ $KARAF_BASE/bin/fuse server > instance-root-data/log/server.out 2>&1 &
- Wait for a couple of seconds to give the instance a chance to fully start. You can check instance startup status in many ways, but one of the simplest ways to verify it is by looking at the last line of the server.out file, which we redirected console output to:
- [fuse@stationX ~]$ tail -n1 instance-root-data/log/server.out
- 100% [========================================================================]
- The output signifies that the container instance has successfully started and is ready to use.
- Verify that the instance is using the preconfigured settings:
- [fuse@stationX ~]$ pgrep -fl org.apache.karaf.main.Main
- It should generate the following output:
- [PID] /etc/alternatives/java_sdk/bin/java -server -Xms256M -Xmx768M
- -XX:+UnlockDiagnosticVMOptions -XX:+UnsyncloadClass -XX:PermSize=128M
- -XX:MaxPermSize=256M -Dcom.sun.management.jmxremote
- -Djava.endorsed.dirs=/etc/alternatives/java_sdk/jre/lib/endorsed:/etc/alternatives/java_sdk/lib/endorsed:/home/fuse/jboss-fuse-6.1.0.redhat-379/lib/endorsed
- -Djava.ext.dirs=/etc/alternatives/java_sdk/jre/lib/ext:/etc/alternatives/java_sdk/lib/ext:/home/fuse/jboss-fuse-6.1.0.redhat-379/lib/ext
- -Dkaraf.instances=/home/fuse/jboss-fuse-6.1.0.redhat-379/instances
- -Dkaraf.home=/home/fuse/jboss-fuse-6.1.0.redhat-379
- -Dkaraf.base=/home/fuse/jboss-fuse-6.1.0.redhat-379
- -Dkaraf.data=/home/fuse/instance-root-data
- -Djava.io.tmpdir=/home/fuse/instance-root-data/tmp
- -Djava.util.logging.config.file=/home/fuse/jboss-fuse-6.1.0.redhat-379/etc/java.util.logging.properties
- -Dkaraf.startLocalConsole=false
- -Dkaraf.startRemoteShell=true
- -classpath /home/fuse/jboss-fuse-6.1.0.redhat-379/lib/karaf-jaas-boot.jar:/home/fuse/jboss-fuse-6.1.0.redhat-379/lib/karaf.jar
- org.apache.karaf.main.Main
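- While the container is running, the filter below reads ss -ltn output and reports any listener on the ports configured in this lab (11101, 11099, 11444) that is not bound to loopback. This is an added example, not part of the original lab; the function name and the --live switch are assumptions.

```bash
#!/bin/sh
# Added example: find lab ports that listen on a non-loopback address.

# Read "ss -ltn" output on stdin. For every LISTEN socket whose port is one
# of the arguments, print "port address" unless the address is loopback.
exposed_listeners() {
    awk -v ports="$*" '
        BEGIN {
            n = split(ports, p, " ")
            for (i = 1; i <= n; i++) want[p[i]] = 1
        }
        $1 == "LISTEN" {
            local_ep = $4                    # e.g. 127.0.0.1:11101 or [::]:22
            port = local_ep
            sub(/^.*:/, "", port)            # keep the text after the last colon
            addr = substr(local_ep, 1, length(local_ep) - length(port) - 1)
            gsub(/^\[|\]$/, "", addr)        # [::1] -> ::1
            sub(/%.*$/, "", addr)            # drop an interface scope such as %lo
            sub(/^::ffff:/, "", addr)        # IPv4-mapped IPv6, common with Java
            if ((port in want) && addr !~ /^127\./ && addr != "::1")
                print port, addr
        }'
}

# Usage on the lab host: sh listeners.sh --live
if [ "${1:-}" = "--live" ]; then
    ss -ltn | exposed_listeners 11101 11099 11444
fi
```

- Empty output means every listed port is reachable only from the local host; a port that is missing from the ss output is not reported either, so confirm the container is up first.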
- Shut down the fuse instance by executing the following command:
- [fuse@stationX ~]$ $KARAF_BASE/bin/stop