System Administration

System Administration information

Random

admin • 2017/03/17

The first encrypted request after Noodle starts can be 3 orders of magnitude slower than normal due to random entropy pool depletion. If your server suffers from this issue (most EC2 servers) you can verify by checking the pool size:

cd /proc/sys/kernel/random/ && cat poolsize entropy_avail

There are at least 3 solutions to a depleted pool:

Hardware

Some hardware includes random generators (like the rdrand CPU flag)

cat /proc/cpuinfo | grep -i rdrand | wc -l

you can enable it's use with

Debian/Ubuntu

apt install rng-tools
systemctl start rng-tools.service
systemctl enable rng-tools.service

Fedora/RedHat

yum install rng-tools
systemctl start rngd.service
systemctl enable rngd.service

urandom

Or if you don't have a hardware generator or you don't trust it you can edit /opt/Noodle/multiserver to use use

-Djava.security.egd=file:///dev/urandom

haveged

Or for higher throughput and lower CPU usage than urandom haveged can be used:

Debian/Ubuntu

apt install haveged
systemctl start haveged.service
systemctl enable haveged.service

Fedora/RedHat

yum install haveged
systemctl start haveged.service
systemctl enable haveged.service

IIS To Tomcat SSL

admin • 2016/09/07

#convert IIS to Tomcat
keytool -importkeystore -srckeystore file.pfx -srcstoretype pkcs12 -destkeystore file.jks -deststoretype JKS
#look up the alias
keytool -storepass 123456 -list -keystore file.jks
# rename the alias for SNI
keytool -storepass 123456 -changealias -keystore file.jks -alias automd5 -destalias domain.tld
#import the root from https://certs.godaddy.com/repository
keytool -storepass 123456 -keystore file.jks -importcert -file gdroot-g2.crt -alias root
#import the chain
keytool -storepass 123456 -keystore file.jks -importcert -file gdig2.crt -alias chain

Apache to Tomcat SSL

admin • 2016/08/26

keytool -storepass 123 -keystore noodle.jks -importcert -file server.crt -alias domain.tld

server.crt can be a pem or der file. Make sure root and intermediate certificates are included for a complete chain.

Official keytool manual

Official openssl manual

CentOS 7.2 install example

admin • 2016/04/26

#Helpers
yum install -y epel-release bc ntp.x86_64 screen tree catdoc id3lib html2text unrtf p7zip-plugins.x86_64  libjpeg-turbo.x86_64 poppler-utils unzip.x86_64 netpbm-progs.x86_64 perl-Image-ExifTool.noarch postgresql-server.x86_64 postgresql-contrib.x86_64;
rpm -Uvh http://li.nux.ro/download/nux/dextop/el7/x86_64/nux-dextop-release-0-5.el7.nux.noarch.rpm;
yum install -y ffmpeg;
newcfg (){
	F="$1"
	chown --reference="$F" "$F".new
	chmod --reference="$F" "$F".new
	mv -f "$F".new "$F"
}
 
#PostgreSQL
/usr/bin/postgresql-setup initdb
chkconfig  --level 235 postgresql on
TMP=/var/lib/pgsql/data/pg_hba.conf
cp $TMP $TMP.origonal
cat $TMP | grep -vP "^ *host.*127" > $TMP.new
echo -e "host\tall\tall\t127.0.0.1/32\tpassword" >> $TMP.new
newcfg $TMP
TMP=/var/lib/pgsql/data/postgresql.conf
cp $TMP $TMP.origonal
MT=$(cat /proc/meminfo | grep MemTotal | perl -pe 's/^[^ ]* *([0-9]+) *kB$/$1\/1000/g');
#java+linux=(512+256)
ECS=$(echo "($MT-(512+256))/2" | bc);
SB=$(echo "($MT-(512+256))/4" | bc);
cat $TMP | perl -pe 's/^#?(effective_cache_size)[ \t]*=[ \t]*[^ \t]+([ \t].*)?$/$1 = '$ECS'MB$2/g' \
| perl -pe 's/^#?(shared_buffers)[ \t]*=[ \t]*[^ \t]+([ \t].*)?$/$1 = '$SB'MB$2/g' \
| perl -pe 's/^#?(max_locks_per_transaction)[ \t]*=[ \t]*[^ \t]+([ \t].*)?$/$1 = 512$2/g' \
| perl -pe 's/^#?(max_connections)[ \t]*=[ \t]*[^ \t]+([ \t].*)?$/$1 = 60$2/g' \
| perl -pe 's/^#?(checkpoint_segments)[ \t]*=[ \t]*[^ \t]+([ \t].*)?$/$1 = 30$2/g' \
| perl -pe 's/^#?(log_min_duration_statement)[ \t]*=[ \t]*[^ \t]+([ \t].*)?$/$1 = 30000$2/g' \
| perl -pe 's/^#?(log_line_prefix)[ \t]*=[ \t]*[^#]+(#.*)?$/$1 = '\''%m: '\''\t\t$2/g' \
> $TMP.new
newcfg $TMP
service postgresql start
su postgres -c 'cd ~/;/usr/bin/psql -d postgres -U postgres --file /opt/Noodle/init.sql'
 
#java (get an updated url from java.sun.com)
cd /opt
wget 'http://javadl.oracle.com/webapps/download/AutoDL?BundleId=207765' -O jre.tar.gz
tar -zxf jre.tar.gz
rm -f jre.tar.gz
 
#Noodle (first take note of your available ram and java location)
wget somewhere/Noodle.tar.gz
tar -zxf ./Noodle.tar.gz
cd ./Noodle
./configure
cp noodle.daemon /etc/init.d/noodle
chkconfig --add noodle
chkconfig --levels 235 noodle on
service noodle start

#Helpers yum install -y epel-release bc ntp.x86_64 screen tree catdoc id3lib html2text unrtf p7zip-plugins.x86_64 libjpeg-turbo.x86_64 poppler-utils unzip.x86_64 netpbm-progs.x86_64 perl-Image-ExifTool.noarch postgresql-server.x86_64 postgresql-contrib.x86_64; rpm -Uvh http://li.nux.ro/download/nux/dextop/el7/x86_64/nux-dextop-release-0-5.el7.nux.noarch.rpm; yum install -y ffmpeg; newcfg (){ F="$1" chown --reference="$F" "$F".new chmod --reference="$F" "$F".new mv -f "$F".new "$F" }#PostgreSQL /usr/bin/postgresql-setup initdb chkconfig --level 235 postgresql on TMP=/var/lib/pgsql/data/pg_hba.conf cp $TMP $TMP.origonal cat $TMP | grep -vP "^ *host.*127" > $TMP.new echo -e "host\tall\tall\t127.0.0.1/32\tpassword" >> $TMP.new newcfg $TMP TMP=/var/lib/pgsql/data/postgresql.conf cp $TMP $TMP.origonal MT=$(cat /proc/meminfo | grep MemTotal | perl -pe 's/^[^ ]* *([0-9]+) *kB$/$1\/1000/g'); #java+linux=(512+256) ECS=$(echo "($MT-(512+256))/2" | bc); SB=$(echo "($MT-(512+256))/4" | bc); cat $TMP | perl -pe 's/^#?(effective_cache_size)[ \t]*=[ \t]*[^ \t]+([ \t].*)?$/$1 = '$ECS'MB$2/g' \ | perl -pe 's/^#?(shared_buffers)[ \t]*=[ \t]*[^ \t]+([ \t].*)?$/$1 = '$SB'MB$2/g' \ | perl -pe 's/^#?(max_locks_per_transaction)[ \t]*=[ \t]*[^ \t]+([ \t].*)?$/$1 = 512$2/g' \ | perl -pe 's/^#?(max_connections)[ \t]*=[ \t]*[^ \t]+([ \t].*)?$/$1 = 60$2/g' \ | perl -pe 's/^#?(checkpoint_segments)[ \t]*=[ \t]*[^ \t]+([ \t].*)?$/$1 = 30$2/g' \ | perl -pe 's/^#?(log_min_duration_statement)[ \t]*=[ \t]*[^ \t]+([ \t].*)?$/$1 = 30000$2/g' \ | perl -pe 's/^#?(log_line_prefix)[ \t]*=[ \t]*[^#]+(#.*)?$/$1 = '\''%m: '\''\t\t$2/g' \ > $TMP.new newcfg $TMP service postgresql start su postgres -c 'cd ~/;/usr/bin/psql -d postgres -U postgres --file /opt/Noodle/init.sql'#java (get an updated url from java.sun.com) cd /opt wget 'http://javadl.oracle.com/webapps/download/AutoDL?BundleId=207765' -O jre.tar.gz tar -zxf jre.tar.gz rm -f jre.tar.gz#Noodle (first take note of your available ram and java location) wget somewhere/Noodle.tar.gz tar -zxf ./Noodle.tar.gz cd ./Noodle ./configure cp noodle.daemon /etc/init.d/noodle chkconfig --add noodle chkconfig --levels 235 noodle on service noodle start

CentOS 6.7 install example

admin • 2016/04/26

(see also latest version howto and version notes)

ssh root@my.server.tld
 
###########################################################
##postgres
yum install postgresql postgresql-server postgresql-server postgresql-contrib
chkconfig --level 235 postgresql on
service postgresql start
vim /var/lib/pgsql/data/pg_hba.conf
#    127.0.0.1/32 password
vim /var/lib/pgsql/data/postgresql.conf
#    maintenance_work_mem=128000
#    autovacuum = on
service postgresql restart
su postgres
pgsql -U postgres
CREATE LANGAUGE plpgsql;
CREATE DATABASE noodledb WITH ENCODING = 'UNICODE';
create user noodleuser with superuser password 'some long password';
GRANT ALL PRIVILEGES ON DATABASE noodledb to noodleuser;
\q
exit
 
###########################################################
##java (get an updated url from java.sun.com)
cd /opt
wget 'http://javadl.oracle.com/webapps/download/AutoDL?BundleId=207765' -O jre.tar.gz
tar -zxf jre.tar.gz
rm -f jre.tar.gz
 
###########################################################
##7z
#    you can use yum-priorities and rpmforge or you can do it from source
yum install p7zip p7zip-plugins
#    you might need to make a link from 7z to 7z[ar] for "which 7z" to work
 
###########################################################
##Noodle
wget somewhere/Noodle.tar.gz
tar -xvvf ./Noodle.tar.gz
cd ./noodle
#      take note of your available ram and java location
./configure

Ubuntu 16.04 install example

admin • 2016/04/19

sudo -i
apt update
apt -y upgrade
apt -y dist-upgrade
apt install -y postgresql-contrib tree p7zip-full sysstat catdoc antiword html2text unrtf libid3-tools ffmpeg openjdk-8-jre poppler-utils unzip
cd /opt
tar -xf ./Noodle.tar.gz
cd ./Noodle
su postgres -c 'cd ~/;psql --file /opt/Noodle/init.sql'
./configure
mv noodle.daemon /etc/init.d/noodle
update-rc.d noodle defaults
service noodle start

Ubuntu 14.04 install example

admin • 2016/04/19

(see also howto get a new version of PGSQL )

sudo -i
apt-get install -y postgresql-9.3 postgresql-contrib-9.3 default-jre p7zip-full screen
cd /opt
tar -xf ./Noodle.tar.gz
cd ./Noodle
echo "host all all 127.0.0.1/32 password" >> /etc/postgresql/9.3/main/pg_hba.conf
service postgres start
su postgres -c 'cd ~/;psql --file /opt/Noodle/init.sql'
./configure
mv noodle.daemon /etc/init.d/noodle
service noodle start
update-rc.d noodle defaults

Strong Encryption

admin • 2015/07/28

Stronger SSL Encryption can be achieved by doing the following:

Upgrade your operating system
Upgrade Java
Upgrade Noodle
Get Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files for JDK/JRE 8
Limit Ciphers
- multiserver.conf
  - Connection.CM_1.Ciphers[] = TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  - For less security but more compatibility add ,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_GCM_SHA384
Limit Protocols
- multiserver.conf
  - Connection.CM_1.Protocols[] = TLSv1.2
Add a CAA record to your DNS.

The available ciphers and protocols are listed on http://DOMAIN.TLD/Check.po?admin=now
Test at ssllabs.

Java

admin • 2015/07/03

Windows

Updating Java on can require a Windows restart
It is more likely to work properly with the offline installer.

Make sure Noodle is not running if/while you uninstall old java versions.
Noodle Service restart required.

Spam

admin • 2015/04/27

How to prevent emails (memo, reminder, auto-notification, notification, subscription ) from Noodle from being marked as spam:

If you are hosted by Vialect and are using mail.vialect.net in the SMTP settings half of it is already taken care of;

If using SPF add our mail server.
- Lin
  dig sub.domain.tld TXT | grep spf
  dig sub.domain.tld TXT | grep spf
- Win
  nslookup -type=TXT sub.domain.tld | findstr spf
  nslookup -type=TXT sub.domain.tld | findstr spf
If using Google mail client add a filter (to add a tag) for anything with your Noodle domain name in it.

If hosting Noodle on your own server or using your own SMTP server, additionally;

Whitelist the Noodle server (Postfix, Spamassassin, Exchange)
Use authentication in the Noodle setting
- [user:pass@]domain.tld[:port][,protocol]
  [user:pass@]domain.tld[:port][,protocol]

Another option is to use something like noreply@vialect.com in the "Send system emails from" system setting.

Noodle Help Site

Helping you use your Noodle

System Administration

Random

Hardware

Debian/Ubuntu

Fedora/RedHat

urandom

haveged

Debian/Ubuntu

Fedora/RedHat

IIS To Tomcat SSL

Apache to Tomcat SSL

CentOS 7.2 install example

CentOS 6.7 install example

Ubuntu 16.04 install example

Ubuntu 14.04 install example

Strong Encryption

Java

Spam