Installing VCL 2.5.2

VCL 2.5.2 can be installed using an installation script. All you need to
install VCL is the script. It will download and validate the VCL software
and then install it. The script can be used to install all three parts of
VCL (database, web portal, and management node) on a single system or to
install each part individually on separate systems.

Running the installation script with no arguments will step you through
installing all three parts of VCL.


    ./vcl-install.sh


Alternatively, any combination of the three parts of VCL can be installed by
passing arguments to the script. If installing the management node part of VCL,
it will also prompt you to agree to the installation of various system level
requirements needed for the code to run. The following are the arguments
available:

   vcl-install.sh [-h|--help] [-d|--database] [-w|--web] [-m|--managementnode]
           [--dbhost <hostname> --dbpass <password>] 
           [--mnhost <hostname>] [--webhost <hostname>]

   -d|--database - install database server components
           --dbpass, --mnhost, --mnip, --webhost, and --adminpass must also be
           specified

   -w|--web - install web server components
           --dbhost and --dbpass must also be specified

   -m|--managementnode - install management node (vcld) components
           --dbhost, --dbpass, and --adminpass must also be specified

   --dbhost <hostname> - hostname of database server (default=localhost)

   --dbpass <password> - password VCL will use for accessing
           database (default=random)

   --mnhost <hostname> - hostname of management node (default=localhost)

   --webhost <hostname> - hostname of web server (default=localhost)

   --adminpass <password> - password for VCL admin user









MANUAL INSTALLATION INSTRUCTIONS

The recommended method of installing VCL is to use the installation script. See
above for additional information. If manual installation is required,
instructions are listed below.

1. Install and Configure Database

   VCL currently supports the use of MySQL or MariaDB as the database.

    A. Install MySQL Server or MariaDB Server

      Install MySQL or MariaDB Server

        yum install mysql-server -y

        or

        yum install mariadb-server -y

      Configure the database daemon to start automatically:

        /sbin/chkconfig --level 345 mysqld on

        or

        /sbin/chkconfig --level 345 mariadb on

      Start the database daemon:

        /sbin/service mysqld start

        or

        /sbin/service mariadb start

      If the iptables firewall is being used and the web server and management
      nodes will be on different machines, port 3306 should be opened up to
      each of those nodes. Add the following to your iptables config and
      restart iptables service.
      Note: Insert your web server and management node IP address in the right
      locations.

        vi /etc/sysconfig/iptables

          Add these rules:

            -A INPUT -m state --state NEW -s <web server IP> -p tcp --dport 3306 -j ACCEPT
            -A INPUT -m state --state NEW -s <management node IP> -p tcp --dport 3306 -j ACCEPT

          Restart iptables:

            service iptables restart

      If the firewalld firewall is being used and the web server and
      management nodes will be on different machines, port 3306 should be
      opened up to each of those nodes. Add the following rules and reload the
      rule set.
      Note: Insert your web server and management node IP address in the right
      locations.

          Add these rules:

            firewall-cmd --zone=public --permanent --add-rich-rule='rule family="ipv4" source address="<web server IP>" service name="mysql" accept'
            firewall-cmd --zone=public --permanent --add-rich-rule='rule family="ipv4" source address="<management node IP>" service name="mysql" accept'

          Reload firewalld rules:

            firewall-cmd --reload

    B. Create the VCL Database

      Run the MySQL command-line client:

        mysql

      Create a database:

        CREATE DATABASE vcl;

      Create a user with SELECT, INSERT, UPDATE, DELETE, and CREATE TEMPORARY
      TABLES privileges on the database you just created (NOTE: use your own
      password):

        GRANT SELECT,INSERT,UPDATE,DELETE,CREATE TEMPORARY TABLES ON vcl.* TO 'vcluser'@'localhost' IDENTIFIED BY 'vcluserpassword';

      Exit the MySQL command-line client

        exit

      Import the vcl.sql file into the database. The vcl.sql file is included in
      the mysql directory within the Apache VCL source code

        mysql vcl < apache-VCL-2.5.2/mysql/vcl.sql

2. Install and Configure the Web Components

   Prerequisites

    VCL database has been installed and configured

   Web Server:

    Apache HTTP Server v2.x with SSL enabled
    PHP 5.x or 7.x

   Required Linux Packages:

    httpd - Apache HTTP Server
    mod_ssl - SSL/TLS module for the Apache HTTP server
    php - The PHP HTML-embedded scripting language

   Required PHP Modules:

    php
    php-gettext
    php-json (required if your PHP version is 5.2 or later)
    php-ldap (if you will be using LDAP authentication)
    php-mysql
    php-openssl
    php-xml
    php-xmlrpc

   A. Install the Required Linux Packages & PHP Modules

      If your web server is running a Red Hat-based OS, the required components
      can be installed with:

        yum install httpd mod_ssl php php-mysql php-xml php-xmlrpc php-ldap -y

      Configure the web server daemon (httpd) to start automatically:

        /sbin/chkconfig --level 345 httpd on

      Start the web server daemon

        /sbin/service httpd start

      If SELinux is enabled, run the following command to allow the web server
      to connect to the database:

        /usr/sbin/setsebool -P httpd_can_network_connect=1

      If the iptables firewall is being used, ports 80 and 443 should be opened
      up in the iptables config file:

        vi /etc/sysconfig/iptables

          Add these rules:

            -A INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT
            -A INPUT -m state --state NEW -p tcp --dport 443 -j ACCEPT

          Restart iptables

            service iptables restart

      If the firewalld firewall is being used, ports 80 and 443 should be
      opened up:

          Add these rules:

            firewall-cmd --zone=public --add-service=http --permanent
            firewall-cmd --zone=public --add-service=https --permanent

          Reload firewalld rules

            firewall-cmd --reload

    B. Install the VCL Frontend Web Code

      Copy the web directory to a location under the web root of your web
      server and navigate to the destination .ht-inc subdirectory:

        cp -ar apache-VCL-2.5.2/web/ /var/www/html/vcl-2.5.2
        ln -s /var/www/html/vcl-2.5.2 /var/www/html/vcl
        cd /var/www/html/vcl/.ht-inc

      If SELinux is enabled, run the following command to set the context of the
      web code to httpd_sys_content_t

        chcon -R -t httpd_sys_content_t /var/www/html/vcl-2.5.2

      Copy secrets-default.php to secrets.php:

        cp secrets-default.php secrets.php

      Edit the secrets.php file:

        vi secrets.php

            Set the following variables to match your database configuration:
                $vclhost
                $vcldb
                $vclusername
                $vclpassword
            Create random passwords for the following variables:
                $cryptkey (generate with "openssl rand 32 | base64")
                $pemkey
            Save the secrets.php file

      Run the genkeys.sh script:

        ./genkeys.sh

      Copy conf-default.php to conf.php:

        cp conf-default.php conf.php

      Modify conf.php to match your site

        vi conf.php

            Review every entry under "Things in this section must be
            modified/reviewed". Descriptions and pointers for each value are
            included within conf.php.

      Set the owner of the .ht-inc/maintenance and .ht-inc/cryptkey directories
      to the web server user (normally 'apache'):

        chown apache maintenance
        chown apache cryptkey

      If SELinux is enabled, run the following command to allow the web server
      to write to maintenance and cryptkey

        chcon -t httpd_sys_rw_content_t maintenance
        chcon -t httpd_sys_rw_content_t cryptkey

      Open the testsetup.php page in a web browser:

        If you set up your site to be https://my.server.org/vcl/ open
        https://my.server.org/vcl/testsetup.php
        Debug any issues reported by testsetup.php

    C. Log In to the VCL Website

      Open the index.php page in your browser
      (https://my.server.org/vcl/index.php)

         Select Local Account
         Username: admin
         Password: adminVc1passw0rd

      Set the admin user password (DO NOT skip this step):

         Click User Preferences
         Enter the current password: adminVc1passw0rd
         Enter a new password
         Click Submit Changes

    D. Add a Management Node to the Database

      Click the Manage->Management Nodes link

         Select Edit Management Node Profiles
         Click Submit
         Click Add New Management Node
         Fill in these required fields:

            Hostname - The name of the management node server. This value
                    doesn't necessarily need to be a name registered in DNS nor
                    does it need to be the value displayed by the Linux hostname
                    command.  For example, if you are installing all of the VCL
                    components on the same machine you can set this value to
                    localhost.
            IP address - the public IP address of the management node
            SysAdmin Email Address - error emails will be sent to this address
            Install Path - this is the parent directory under which image files
                    will be stored - only required if doing bare metal installs
                    or using VMWare with local disks
            End Node SSH Identity Key Files - enter /etc/vcl/vcl.key unless
                    you know you are using a different SSH identity key file

        Optionally, fill in these fields:

            Address for Shadow Emails - End users are sent various emails about
                    the status of their reservations. If this field is
                    configured, copies of all of those emails will be sent to
                    this address.
            Public NIC configuration method - this defaults to Dynamic DHCP -
                    if DHCP is not available for the public interface of your
                    nodes, you can set this to Static. Then, the IP
                    configuration on the nodes will be manually set using Public
                    Netmask, Public Gateway, Public DNS Server, and the IP
                    address set for the computer under Manage Computers

        Click Add Management Node

        A dialog will pop up informing you to add the management node to a
        group, read it and click Close

        Select the allManagementNodes group on the right

            Click <-Add
            Click Close

3. Install & Configure the Management Node Components

   Prerequisites:

   The following management node installation instructions assume
   the instructions in these previous sections have been completed:

    VCL 2.5.2 Database Installation
    VCL 2.5.2 Web Code Installation

   Supported Operating Systems:

   The VCL management node daemon (vcld) has been developed to run on an
   operating system based on Red Hat Enterprise Linux (RHEL). It has been tested
   on the following:

    Red Hat Enterprise Linux 6.x
    Red Hat Enterprise Linux 7.x
    CentOS 6.x
    CentOS 7.x

   Required Linux Packages:

   The VCL management node daemon (vcld) requires the following Linux packages
   and Perl modules in order to run (see step B below for installation
   instructions).

    expat-devel - Libraries and include files to develop XML applications with
                  expat
    gcc - Various compilers (C, C++, Objective-C, Java, ...)
    krb5-devel - Development files needed to compile Kerberos 5 programs
    krb5-libs - The shared libraries used by Kerberos 5
    libxml2-devel - Libraries, includes, etc. to develop XML and HTML
                    applications
    make - GNU make utility to maintain groups of programs
    mysql/mariadb - Includes libraries for connecting to mysql/mariadb
    nmap - Network exploration tool and security scanner
    openssh - The OpenSSH implementation of SSH protocol versions 1 and 2
    openssl-devel - Files for development of applications which will use OpenSSL
    perl - The Perl programming language
    xmlsec1-openssl - OpenSSL crypto plugin for XML Security Library

   Required Perl Modules:

   The VCL management node daemon (vcld) is written in Perl and has been tested
   on Perl 5.10 and 5.16. The following Perl modules available from CPAN are
   also required (see step B below for installation instructions):

    Crypt::CBC - implementation of the cryptographic cipher block chaining mode
    Crypt::OpenSSL::RSA - RSA encoding and decoding, using the openSSL libraries
    Crypt::Rijndael - Crypt::CBC compliant Rijndael encryption module
    DBD::mysql - MySQL driver for the Perl5 Database Interface (DBI)
    DBI - Generic Database Interface
    Digest::SHA1 - NIST SHA message digest algorithm
    Exception::Class::Base - base class for exception objects
    Frontier::Client - issue Frontier XML RPC requests to a server
    HTTP::Headers - class encapsulating HTTP Message headers
    IO::String - emulate file interface for in-core strings
    JSON - JavaScript Object Notation
    LWP::UserAgent - class implementing a web user agent
    Mail::Mailer - Simple mail agent interface
    Net::Jabber - Jabber perl library
    Net::Netmask - parse, manipulate and lookup IP network blocks
    Net::Ping::External - Cross-platform Perl interface to "ping" utilities
    Net::SSH::Expect - a wrapper to the ssh executable that is available in
                       system's PATH
    Object::InsideOut - Comprehensive inside-out object support
    RPC::XML::Client - XML-RPC client class
    Text::CSV_XS - comma-separated values manipulation routines
    XML::Simple - API for simple XML files
    YAML - YAML Ain't Markup Language

   A. Install the VCL Management Node Code - Perl Daemon

      Copy the managementnode directory to the location where you want it to
      reside (typically /usr/local):

        cp -ar apache-VCL-2.5.2/managementnode /usr/local/vcl-2.5.2
        ln -s /usr/local/vcl-2.5.2 /usr/local/vcl

   B. Install the Required Linux Packages & Perl Modules

      Run the install_perl_libs.pl script located in the bin directory:

        perl /usr/local/vcl/bin/install_perl_libs.pl

      The last line of the install_perl_libs.pl script output should be:

      COMPLETE: installed all components

      Note: The script will hang or terminate if it encounters a problem. If
      this occurs, you will need to troubleshoot the problem by looking at the
      output.

      The install_perl_libs.pl script included in the VCL distribution will
      attempt to download and install the required Linux packages and Perl
      modules. It uses the yum utility to install the required Linux packages.
      The required Perl modules are available from CPAN - The Comprehensive Perl
      Archive Network. The install_perl_libs.pl script attempts to download and
      install the required Perl modules by using the CPAN.pm module which is
      included with most Perl distributions.

      The yum utility should exist on any modern Red Hat-based Linux
      distribution (Red Hat, CentOS, Fedora, etc). If yum isn't available on
      your management node OS, you will need to download and install the
      required Linux packages manually or by using another package management
      utility. After installing the required Linux packages, attempt to run the
      install_perl_libs.pl script again.

   C. Configure vcld.conf

      Create the /etc/vcl directory:

        mkdir /etc/vcl

      Copy the stock vcld.conf file to /etc/vcl:

        cp /usr/local/vcl/etc/vcl/vcld.conf /etc/vcl

      Edit /etc/vcl/vcld.conf:

        vi /etc/vcl/vcld.conf

      The following lines must be configured in order to start the VCL daemon
      (vcld) and allow it to check in to the database:

            FQDN - the fully qualified name of the management node, this should
                   match the name that was configured for the management node
                   in the database
            server - the IP address or FQDN of the database server
            LockerWrtUser - database user account with write privileges
            wrtPass - database user password
            xmlrpc_pass - password for xmlrpc api from vcld to the web interface
                   (can be long). This will be used later to sync the database
                   vclsystem user account
            xmlrpc_url - URL for xmlrpc api
                   https://my.server.org/vcl/index.php?mode=xmlrpccall

      Save the vcld.conf file
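
      A pre-start check of the vcld.conf entries listed above, as an added
      example that is not part of the VCL distribution. It assumes vcld.conf
      holds one name=value pair per line; conf_get and check_vcld_conf are
      hypothetical helper names, the sample files are constructed, and the
      https and file-mode checks are additions, not VCL requirements.

```shell
#!/bin/sh
# Added example (not part of the VCL distribution): check that the vcld.conf
# entries required above are set and that the file protects the passwords.
# Assumption: vcld.conf holds one name=value pair per line, "#" for comments.

conf_get() {   # conf_get FILE NAME: print the value of NAME (this helper takes the last one)
    awk -v want="$2" '
        /^[ \t]*#/ { next }                        # comment line
        {
            eq = index($0, "="); if (eq == 0) next
            name = substr($0, 1, eq - 1); gsub(/[ \t]/, "", name)
            if (name != want) next
            val = substr($0, eq + 1)
            sub(/^[ \t]+/, "", val); sub(/[ \t\r]+$/, "", val)
        }
        END { print val }' "$1"
}

check_vcld_conf() {   # prints one line per finding; returns the number of findings
    conf=$1; findings=0
    for key in FQDN server LockerWrtUser wrtPass xmlrpc_pass xmlrpc_url; do
        if [ -z "$(conf_get "$conf" "$key")" ]; then
            echo "MISSING $key"; findings=$((findings + 1))
        fi
    done
    case $(conf_get "$conf" xmlrpc_url) in
        ''|https://*) ;;
        *) echo "CLEARTEXT xmlrpc_url does not use https"
           findings=$((findings + 1)) ;;
    esac
    # The file stores wrtPass and xmlrpc_pass, so group/other should not read it.
    if [ -n "$(find "$conf" \( -perm -040 -o -perm -004 \) -print)" ]; then
        echo "PERMS $conf is readable by group or other"; findings=$((findings + 1))
    fi
    return "$findings"
}

DEMO=$(mktemp -d)
# Constructed sample with placeholder values: empty xmlrpc_pass, http URL, mode 0644.
cat > "$DEMO/bad.conf" <<'EOF'
# constructed sample
FQDN=mn1.example.org
server=db.example.org
LockerWrtUser=vcluser
wrtPass=PLACEHOLDER
xmlrpc_pass=
xmlrpc_url=http://my.server.org/vcl/index.php?mode=xmlrpccall
EOF
chmod 644 "$DEMO/bad.conf"
# Corrected copy of the same constructed sample.
sed -e 's/^xmlrpc_pass=.*/xmlrpc_pass=PLACEHOLDER/' -e 's|=http://|=https://|' \
    "$DEMO/bad.conf" > "$DEMO/good.conf"
chmod 600 "$DEMO/good.conf"
check_vcld_conf "$DEMO/bad.conf"  || echo "bad.conf: $? finding(s)"
check_vcld_conf "$DEMO/good.conf" && echo "good.conf: ok"
```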

   D. Configure the SSH Client

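      The SSH client on the management node should be configured so that SSH
      processes spawned by the root user to the computers it controls do not
      hang because of missing or different entries in the known_hosts file.
      The parameters below do this by turning off host key verification: host
      keys are neither recorded nor checked, so a changed host key will not be
      detected.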

      Edit the ssh_config file:

        vi /etc/ssh/ssh_config

      Set the following parameters:

        UserKnownHostsFile /dev/null
        StrictHostKeyChecking no

      Note: If you do not want these settings applied universally on the
      management node the SSH configuration can also be configured to only apply
      these settings to certain hosts or only for the root user. Consult the SSH
      documentation for more information.
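
      The scoping described in the note above, checked with an added example
      that is not part of the VCL distribution: it reports whether the two
      settings apply to every destination or only inside a Host/Match block.
      The function name audit_ssh_hostkey is hypothetical, both sample files
      are constructed, and the 10.100.0.* pattern is an assumption taken from
      the example subnet in the dhcpd.conf section.

```shell
#!/bin/sh
# Added example (not part of the VCL distribution): list ssh_config settings
# that turn off host key verification and say whether each applies to every
# destination (GLOBAL) or only inside a narrower Host/Match block (SCOPED).

audit_ssh_hostkey() {   # usage: audit_ssh_hostkey FILE; status 1 if any GLOBAL hit
    awk '
    BEGIN { block = "top of file"; global = 1; bad = 0 }
    {
        line = $0
        sub(/^[ \t]+/, "", line); sub(/[ \t\r]+$/, "", line)
        if (line == "" || line ~ /^#/) next      # blank line or comment
        # ssh_config accepts "Keyword=value" as well as "Keyword value"
        if (match(line, /^[A-Za-z]+[ \t]*=[ \t]*/)) {
            kw = substr(line, 1, RLENGTH); sub(/[ \t]*=[ \t]*$/, "", kw)
            line = kw " " substr(line, RLENGTH + 1)
        }
        n = split(line, f, /[ \t]+/)
        key = tolower(f[1]); val = tolower(f[2]); gsub(/"/, "", val)
        if (key == "host" || key == "match") {
            block = line
            # "Host *" and "Match all" still cover every destination
            global = (n == 2 && ((key == "host" && val == "*") ||
                                 (key == "match" && val == "all")))
            next
        }
        weak = (key == "stricthostkeychecking" && val ~ /^(no|off|false)$/) ||
               (key == "userknownhostsfile" && val == "/dev/null")
        if (!weak) next
        printf "%s [%s] %s %s\n", (global ? "GLOBAL" : "SCOPED"), block, f[1], f[2]
        if (global) bad = 1
    }
    END { exit bad }
    ' "$1"
}

SAMPLES=$(mktemp -d)
# Constructed sample 1: the two settings at the top of the file, as above.
cat > "$SAMPLES/global" <<'EOF'
UserKnownHostsFile /dev/null
StrictHostKeyChecking no
EOF
# Constructed sample 2: the same settings limited to root connecting to the
# private subnet (10.100.0.* is an assumption taken from the dhcpd.conf example).
cat > "$SAMPLES/scoped" <<'EOF'
Match localuser root host 10.100.0.*
    UserKnownHostsFile=/dev/null
    StrictHostKeyChecking no
Host *
    StrictHostKeyChecking ask
EOF
for f in global scoped; do
    echo "== $f"
    audit_ssh_hostkey "$SAMPLES/$f" || echo "host key checking is off for all hosts"
done
```

      The Match host pattern is compared with the name or address given on the
      ssh command line, so it only takes effect when the nodes are reached by
      addresses in that range.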

   E. Install and Start the VCL Daemon (vcld) Service

      Steps for systemd - use these steps if your system is using systemd

          Copy the vcld service script to /usr/lib/systemd/system

            cp /usr/local/vcl/etc/systemd/system/vcld.service /usr/lib/systemd/system

          Create a vcld config file in /etc/sysconfig

            echo "OPTIONS='-v -conf=/etc/vcl/vcld.conf'" > /etc/sysconfig/vcld

          If using SELinux, set the correct user and context:

            chcon -u system_u -t systemd_unit_file_t /usr/lib/systemd/system/vcld.service

          Enable vcld.service

            systemctl enable vcld.service

          Start the vcld service:

            systemctl start vcld.service

          Check the vcld service by monitoring the vcld.log file:

            tail -f /var/log/vcld.log

      Steps for SystemV - use these steps if your system is using SystemV
      (scripts located in /etc/init.d)

          Copy the vcld service script to /etc/init.d and name it vcld:

            cp /usr/local/vcl/bin/S99vcld.linux /etc/init.d/vcld

          Add the vcld service using chkconfig:

            /sbin/chkconfig --add vcld

          Configure the vcld service to automatically run at runlevels 3-5:

            /sbin/chkconfig --level 345 vcld on

          Start the vcld service:

            /sbin/service vcld start

          Check the vcld service by monitoring the vcld.log file:

            tail -f /var/log/vcld.log

      You should see the following being added to the log file every few seconds
      if the management node is checking in with the database:

        2017-07-13 13:23:45|25494|vcld:main(167)|lastcheckin time updated for management node 1: 2017-07-13 13:23:45

   F. Set the vclsystem account password for xmlrpc api

      Using the vcld --setup tool, set the vclsystem account password. This is
      needed to properly use the block allocation features.

        /usr/local/vcl/bin/vcld --setup

      Select the options listed below to set the password. When prompted, paste
      or type the password from the xmlrpc_pass variable in the vcld.conf file
      and press Enter.

        Select 5. Set Local VCL User Account Password
        Select 2. vclsystem
        Enter the password you set for xmlrpc_pass in /etc/vcl/vcld.conf

      After setting the password for the vclsystem user, test that RPC-XML
      Access works correctly by selecting

        2: Test RPC-XML Access

        "SUCCESS: RPC-XML access is configured correctly" should be displayed
        followed by a long list of available XMLRPC functions

   G. Install & Configure the DHCP Service

      A DHCP service is needed on the private network to provide addresses to
      provisioned machines.

      Install dhcp if it is not already installed:

        yum install dhcp -y

      Configure the dhcpd service to automatically start at runlevels 3-5:

        /sbin/chkconfig dhcpd on

      Configure the dhcpd.conf file.

        vi /etc/dhcpd.conf
        -or-
        vi /etc/dhcp/dhcpd.conf

      Configure your dhcpd.conf file according to your network configuration.
      The contents of the dhcpd.conf file will vary based on how your network is
      configured. Below is an example of a basic dhcpd.conf file:

        ddns-update-style none;
        shared-network eth0 {
            subnet 10.100.0.0 netmask 255.255.255.0 {
                     ignore unknown-clients;
            }
        }

        You will add host definitions to the dhcpd.conf file after you add
        computers to VCL using the website. The website allows you to select a
        set of computers for which to generate dhcpd.conf information, which can
        be copied and pasted into the dhcpd.conf file.

      Start the dhcpd service:

        /sbin/service dhcpd start
