The Elliquiy LAMP Stack: General Configuration

Started by Vekseid, March 23, 2009, 05:40:43 PM

The Elliquiy LAMP Stack

1: Introduction and Overview
2: General Configuration
3: General Security
4: IPTables configuration
5: Postfix configuration
6: ntp configuration
7: Apache compilation and configuration
8: MySQL compilation and configuration
9: PHP compilation and configuration
10: Conclusion and future plans

General Configuration

Anything that didn't fit elsewhere got thrown into this document. It mostly covers disk partitioning and random little nuisances.

My partitions are roughly set up as follows:
1: 256MB on /boot
2: 4GB on swap
3: 36GB on /
4: 192GB on /var

I use a swap partition for a couple of reasons. For one, a swap is essentially required if I ever set overcommit_memory to 2. For two, it's relatively safe for Linux to swap out a few megs of little-used programs - in fact we did not experience thrashing until about 30% of the swap was used - though the system was about to collapse at that point.

In general I never make many partitions - I mount /tmp as a nodev,nosuid tmpfs and symlink /var/tmp to /tmp (don't symlink /dev/shm). In addition, except for /boot, my ext3 partitions are mounted noatime - writing an access time on every single read is simply wasteful. I don't use data=writeback, however, as I discovered that mixed read-write performance is actually better with a fully journaled filesystem - and we are doing a lot of that. Setting the /tmp partition noexec is something I perform later, because update and install scripts like to execute from /tmp. Very frustrating. Since Debian Lenny is now 'stable', however, this is less of an issue.

I make /var its own partition out of prudence. It is 90% of what we care about, after all.


# /etc/fstab: static file system information.
#
# <file system> <mount point>   <type>  <options>                 <dump>  <pass>
proc            /proc           proc    defaults                  0       0
/dev/sda1       /               ext3    noatime,errors=remount-ro 0       1
/dev/sda2       /boot           ext3    defaults                  0       2
/dev/sda3       /var            ext3    rw,noatime                0       2
/dev/sda4       none            swap    sw                        0       0
/dev/scd0       /media/cdrom0   udf,iso9660 user,noauto           0       0
tmpfs           /tmp            tmpfs   rw,nosuid,nodev,context=system_u:object_r:tmp_t:s0           0       0


The context=system_u:object_r:tmp_t:s0 option is for SELinux, so the system can label the tmpfs mount correctly - drop it if you don't want to try tackling that dragon. SELinux may be a future chapter.
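As an added example (not part of the original post), here is a small POSIX sh audit of the mount options above: /tmp must carry nodev and nosuid (a missing noexec is only a warning, since it gets added later), and every ext3 mount except /boot should be noatime. The sample fstab is embedded so it runs offline; audit_live applies the same check to /proc/mounts.

```shell
# Added example (not from the original post): audit fstab-format lines for the mount
# options the post relies on. Constructed sample input, copied from the fstab above.
FSTAB_SAMPLE='proc      /proc  proc   defaults                  0 0
/dev/sda1 /      ext3   noatime,errors=remount-ro 0 1
/dev/sda2 /boot  ext3   defaults                  0 2
/dev/sda3 /var   ext3   rw,noatime                0 2
/dev/sda4 none   swap   sw                        0 0
tmpfs     /tmp   tmpfs  rw,nosuid,nodev,context=system_u:object_r:tmp_t:s0 0 0'

# has_opt OPTS NAME: succeed if NAME is one of the comma-separated mount options.
has_opt() {
    case ",$1," in *",$2,"*) return 0 ;; esac
    return 1
}

# audit_mounts: read fstab or /proc/mounts lines on stdin, print one line per finding
# and return the number of FAIL findings (0 means everything checked out).
# Rules: /tmp must carry nodev and nosuid; a missing noexec is only a WARN because, as
# the post notes, install scripts execute from /tmp; every ext3 mount except /boot
# should be noatime.
audit_mounts() {
    fails=0
    while read -r dev mnt type opts dump pass; do
        case "$dev" in ''|'#'*) continue ;; esac   # skip blanks and comments
        case "$mnt" in
        /tmp)
            for o in nodev nosuid; do
                has_opt "$opts" "$o" || { echo "FAIL: $mnt lacks $o"; fails=$((fails+1)); }
            done
            has_opt "$opts" noexec || echo "WARN: $mnt lacks noexec"
            ;;
        /boot) ;;                                   # left on defaults by design
        *)
            if [ "$type" = ext3 ] && ! has_opt "$opts" noatime; then
                echo "FAIL: $mnt ($type) lacks noatime"; fails=$((fails+1))
            fi
            ;;
        esac
    done
    return "$fails"
}

# The live mount table has the same six-field layout, so the same audit applies to
# what is actually mounted rather than what fstab claims.
audit_live() { audit_mounts < /proc/mounts; }

# Stand-alone run over the embedded sample: prints the noexec warning, exits 0.
printf '%s\n' "$FSTAB_SAMPLE" | audit_mounts
```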

If you have multiple RAIDs, you will probably want to place the database (/var/lib/mysql) on a separate RAID. On a particularly active database server, you would want the binlogs (/var/log/mysql) on their own RAID also. If the machine isn't handling the database, splitting out logging functions would be a good choice : )

Since my host only installed Etch, my first order of business was to upgrade the server to Lenny.


# /etc/apt/sources.list
deb http://ftp.us.debian.org/debian/ lenny main contrib non-free
deb-src http://ftp.us.debian.org/debian/ lenny main contrib non-free
deb http://security.debian.org/ lenny/updates main contrib non-free
deb-src http://security.debian.org/ lenny/updates main contrib non-free
deb http://volatile.debian.org/debian-volatile lenny/volatile main contrib non-free


This list probably seems a bit redundant, but the default is frequently to source from 'testing', 'stable' or 'oldstable' rather than a specific release. This causes upgrades to surprise people every two years or so, because contrary to rumor, it does occasionally happen. The Debian security team does not support the testing distribution immediately after a release. While moving to Squeeze sometime this summer may be tempting, I kind of like how rare updates to stable are after putting up with testing for several months.

We will use the source distributions later to create dedicated compiles, particularly for the AMP part of our LAMP setup. An apt-get update and apt-get dist-upgrade later, I now have a functioning Lenny system.
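As an added example (not from the original post), this POSIX sh snippet flags sources.list entries that track a suite alias such as 'stable' or 'testing' instead of a codename, which is exactly what produces the surprise upgrades described above, and can rewrite them to a codename you pass in. The sample list is the one from this post, embedded so it runs offline.

```shell
# Added example (not from the original post): flag apt sources that track a suite alias
# (stable, testing, oldstable, unstable) instead of a release codename, and rewrite them.
# Constructed sample: the sources.list from this post.
SOURCES_SAMPLE='deb http://ftp.us.debian.org/debian/ lenny main contrib non-free
deb-src http://ftp.us.debian.org/debian/ lenny main contrib non-free
deb http://security.debian.org/ lenny/updates main contrib non-free
deb http://volatile.debian.org/debian-volatile lenny/volatile main contrib non-free'

# is_alias SUITE: succeed if the suite (before any /updates or /volatile suffix) is an
# alias that silently follows the next release.
is_alias() {
    case "${1%%/*}" in stable|testing|oldstable|unstable) return 0 ;; esac
    return 1
}

# check_sources: read sources.list lines on stdin, print each deb/deb-src line that
# tracks an alias, and return the number of such lines.
check_sources() {
    hits=0
    while read -r kind url suite rest; do
        case "$kind" in deb|deb-src) ;; *) continue ;; esac   # skip comments/blanks
        if is_alias "$suite"; then
            echo "ALIAS: $kind $url $suite"; hits=$((hits+1))
        fi
    done
    return "$hits"
}

# pin_sources CODENAME: copy stdin to stdout, replacing an alias suite with CODENAME
# while keeping any /updates or /volatile suffix; other lines pass through untouched.
pin_sources() {
    codename=$1
    set -f                                   # no globbing while word-splitting lines
    while IFS= read -r line; do
        set -- $line
        if [ $# -ge 3 ] && is_alias "$3"; then
            case "$1" in
            deb|deb-src)
                base=${3%%/*}; suffix=${3#"$base"}          # suffix is "" or "/updates"
                kind=$1; url=$2; shift 3; rest=$*
                line="$kind $url $codename$suffix${rest:+ $rest}" ;;
            esac
        fi
        printf '%s\n' "$line"
    done
    set +f
}

# Stand-alone run over the embedded sample: nothing flagged, exits 0.
printf '%s\n' "$SOURCES_SAMPLE" | check_sources
```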

Note: VPS software - Virtuozzo at least - does not always take to Lenny very kindly. Don't upgrade your Debian VPS to Lenny unless you know your host is capable of supporting it. Obviously, Ubiquity Hosting is, else I would not be talking about them since they originally hosted our VPS.

After a reboot (to use the new kernel) I use aptitude to clear out all of the old etch junk that I no longer have any use for - old libraries, outdated programs, etc.

Some random annoyances to take care of:

1) dpkg-reconfigure locales - make sure I'm working with standard en_US.8859-1 here. I like my pretty borders but at the same time I want to give as little help as possible to anyone who actually manages to break in (I also use debconf-english >_>). More seriously though, single-byte locales are faster when performing text routines and I like to grep my logs (that sounds dirty...)
2) /etc/environment and /etc/default/locale both need to be set to LANG="en_US" - else logs can get whiny.
3) Add blacklist snd-pcsp to /etc/modprobe.d/blacklist to get rid of the pc speaker error - not like I'm around to hear it anyway! This is probably a bit hardware dependent and I think it only affects the AMD64 distribution.
4) Add MAILTO="" to /etc/crontab to stop some annoying crontab e-mails.

Only the first item has any real performance implications, the other three reduce log/mail hits : )

/etc/network/interfaces

When I first got root on the machine, not all of the IPs assigned were configured. The format for adding additional IPs to an interface is:


auto eth0:0
iface eth0:0 inet static
        address 1.0.0.3
        netmask 255.255.255.248
        gateway 1.0.0.1

auto eth0:1
iface eth0:1 inet static
        address 1.0.0.4
        netmask 255.255.255.248
        gateway 1.0.0.1

auto eth0:2
iface eth0:2 inet static
        address 1.0.0.5
        netmask 255.255.255.248
        gateway 1.0.0.1


eth0:0 holds the second IP, eth0:1 the third, and so on.