PREP 2015 System Administration

SuSE linux questions for WWK installation/Ports/Firewall..

by corey irving -
I have a question about using SuSE Linux for the WeBWorK installation. On Monday during class I mentioned SuSE and it was suggested to turn off selinux. My IT department is in the process of setting up a VM with SLES12 on a big university computer. I passed along the note about selinux, and they responded with the following quote: (note: MathWWK is the proposed name of the server)

"Using SLES12, can the software run if selinux is active? We need to know what, if any, firewall port exceptions need to be made for access between the MathWWK vm and the firewall.
Do you have any information on what firewall ports need to be opened for a new VM in order to support WebWork? The network group, who will be deciding on the ip address and subnet for the VM, need to know this before they will give us an IP address."

Could you give me some advice on how I should respond to this?

Thanks so much,
Corey Irving
In reply to corey irving

Re: SuSE linux questions for WWK installation/Ports/Firewall..

by Jason Aubrey -
Hi Corey,

In principle the software can run with selinux enabled, but your IT people will need to figure that out. We *always* and *strongly* recommend people turn it off. It shouldn't be incompatible with webwork, but it's so complicated to configure correctly that none of us have figured out how to do it. If they know how to configure it and want to support that, then we'd love to know how to configure it correctly. But, if you do have selinux enabled and something goes wrong, it will be very hard for us to help figure out the problem. Also, we won't be able to help you install it with SELinux enabled since it creates a lot of rules around permissions that we don't understand.

Ports needed are http(s), ssh, mail, ldap. Https needs to allow out-going connections for git updates.

Hope this helps,
Jason
In reply to Jason Aubrey

Re: SuSE linux questions for WWK installation/Ports/Firewall..

by corey irving -
My IT dept. requests specific port numbers/directions to be opened. Ports 443, 22, and the dns and ldap ports are already working for the system; requests for additional ports will need to go through the approval process. Are there other ports that need to be opened?
In reply to corey irving

Re: SuSE linux questions for WWK installation/Ports/Firewall..

by Jason Aubrey -
Hi Corey,

I'd need a little more detail to say for sure, but it sounds like things should work fine with what you've described. For example, it's not clear from this whether or not the machine can make outgoing https connections or just accept incoming https connections. It will need to be able to make outgoing https connections to download software from git. Also, no mention is made here about smtp mail ports.

Regarding the request for specific port numbers and instructions, I'm a bit flummoxed by this one. Firstly, every firewall configuration tool I know of allows the user to specify the service to be opened rather than the port. That's because usually people keep services bound to their standard ports. You always *can* specify ports to be opened, but it's easier just to specify the services. You might want to specify the ports if you're binding a service to a nonstandard port, but absent that situation there's no reason to insist on port numbers over services. Secondly, it's hard to give specific instructions for configuring the firewall without knowing what tool they are using to configure it, and there are a lot of tools out there. Here's an iptables configuration script I wrote:

https://github.com/openwebwork/ww_install/blob/master/extra/iptables_rules.sh

They can run that and then do something like

/sbin/service iptables save

to save the configuration. I say 'something like' because I don't know if your linux distribution interacts with services in this way. Honestly, since they are the IT people, I feel like they should know how to configure the firewall given our description of the services we need. (I do specify ports rather than services in that script, so maybe that will satisfy them.) But, again, back to my first point - it sounds like things should be (mostly) fine. If you have access to the server now, you could try cloning webwork into your home directory from the command line. If you can do that then you'll be all set for installation. We can test the other stuff once we have webwork up and running.

Hope this helps,
Jason
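
Added example (not part of the original posts and not the iptables_rules.sh script linked above): a dry-run generator that turns the services named in this thread into the port/direction list the IT department asked for, plus matching iptables rules. The function names, the standard IANA port numbers, and the directions chosen for smtp, ldap and dns are assumptions to confirm locally.

```shell
#!/bin/sh
# Added example: prints iptables rules for the services named in this thread.
# Nothing is applied; review the output, then run it as root if it fits.

# service:direction:protocol:port, using the IANA standard ports.
# "in" = clients connect to the server, "out" = the server connects outward.
# Directions for smtp, ldap and dns are assumptions to confirm with local IT.
WWK_SERVICES="http:in:tcp:80 https:in:tcp:443 ssh:in:tcp:22
https:out:tcp:443 smtp:out:tcp:25 ldap:out:tcp:389 dns:out:udp:53 dns:out:tcp:53"

# Split one table entry into svc, dir, proto, port.
wwk_split() {
    old_ifs=$IFS; IFS=:
    set -- $1
    IFS=$old_ifs
    svc=$1 dir=$2 proto=$3 port=$4
}

# The port/direction list a firewall change request asks for.
wwk_port_table() {
    for entry in $WWK_SERVICES; do
        wwk_split "$entry"
        printf '%-5s %-3s %s/%s\n' "$svc" "$dir" "$proto" "$port"
    done
}

# One iptables command per line: replies, loopback, one rule per service,
# and default-deny policies last so an open ssh session is not cut off.
wwk_rules() {
    for chain in INPUT OUTPUT; do
        echo "iptables -A $chain -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    done
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A OUTPUT -o lo -j ACCEPT"
    for entry in $WWK_SERVICES; do
        wwk_split "$entry"
        case $dir in
            in)  chain=INPUT ;;
            out) chain=OUTPUT ;;
            *)   echo "bad direction in $entry" >&2; return 1 ;;
        esac
        echo "iptables -A $chain -p $proto --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    echo "iptables -P INPUT DROP"
    echo "iptables -P OUTPUT DROP"
    echo "iptables -P FORWARD DROP"
}

wwk_rules
```

Calling wwk_port_table instead prints one line per service with its direction and protocol/port.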
In reply to Jason Aubrey

Re: SuSE linux questions for WWK installation/Ports/Firewall..

by corey irving -
Thanks Jason,

I do have access to the server and I'm interested in trying the "cloning". Can you link me to some instructions on how to do that?

Thanks.
In reply to corey irving

Re: SuSE linux questions for WWK installation/Ports/Firewall..

by Jason Aubrey -
Hi Corey,

In your home directory just do

git clone https://github.com/openwebwork/webwork2.git

but actually now that I think about it that might fail simply because git isn't installed. But try it and if it says git isn't installed then try

wget --no-check-certificate https://raw.github.com/aubreyja/ww_install/master/install_webwork.sh


Before and then after running those commands do ls to list the contents of the directory. If either of those commands successfully downloads something new to your home directory then we're in good shape.

Jason