Setting up Kadira on an Ubuntu 16.04 Server, part 1

We at http://www.quantilope.com are heavy Meteor users and we love Kadira! We use Kadira all the time and we sadly can't use MDG's Galaxy. So we took the open source Kadira code and patched it a little bit so you can run it easily on your server too! We are planning on releasing Docker images some time in the future too. So let's start with setting up the Ubuntu server!

This is a 3 part series, so keep a lookout for parts 2 and 3!

This is a minimal tutorial, not a full guide on how to harden your Ubuntu server!

Requirements

  • Running MongoDB instance with at least one replica set.
  • Globally installed npm package pick-mongo-primary
  • Git installed

Installing on Ubuntu Server 16.04

Create a new user

  • Create a new user named kadira
adduser kadira
  • Add kadira to the sudo group to gain root privileges
usermod -aG sudo kadira
  • Check if you can log in as that user
su - kadira
  • Check if you have root access
sudo ls -la /root
  • Clone the repo
cd ; git clone git@github.com:lampe/kadira-server.git
  • Install ufw
sudo apt-get install ufw
  • Allow OpenSSH (sshd) in ufw
sudo ufw allow OpenSSH
  • Enable ufw
sudo ufw enable
  • Check the status
sudo ufw status
  • It should output something like this
Status: active

To                         Action      From
--                         ------      ----
OpenSSH                    ALLOW       Anywhere
OpenSSH (v6)               ALLOW       Anywhere (v6)
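Once enabled, ufw denies every incoming connection that is not explicitly allowed, so with only the OpenSSH rule the nginx listeners configured later in this post (80, 443 and 543) are unreachable from outside. The following check, an added example that is not part of the original post or the kadira-server repo, parses `ufw status` output and reports required ports that are not allowed yet; the sample status texts are constructed to match the output shown above.

```shell
#!/bin/sh
# Added example (not from the original post): once enabled, ufw denies all
# incoming traffic not explicitly allowed, so with only the OpenSSH rule the
# nginx listeners set up later (80, 443 and 543) are unreachable. These
# helpers parse `ufw status` output passed in as text and report required
# ports that are not yet allowed.

# ufw_allowed STATUS_TEXT NAME: exit 0 if a rule "NAME ... ALLOW ..." exists.
# NAME is a port spec such as 80/tcp or an app profile such as "OpenSSH (v6)".
ufw_allowed() {
    printf '%s\n' "$1" | awk -v want="$2" '
        /ALLOW/ {
            # rebuild the "To" column, which may contain spaces
            to = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "ALLOW") break
                to = (to == "" ? $i : to " " $i)
            }
            if (to == want) found = 1
        }
        END { exit found ? 0 : 1 }'
}

# ufw_missing STATUS_TEXT PORT...: print every required port that is not
# allowed; exit 0 only when all of them are.
ufw_missing() {
    status_text="$1"; shift
    rc=0
    for p in "$@"; do
        if ! ufw_allowed "$status_text" "$p"; then
            echo "$p"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample: the status shown above, where only OpenSSH is allowed.
SAMPLE_STATUS='Status: active
To                         Action      From
--                         ------      ----
OpenSSH                    ALLOW       Anywhere
OpenSSH (v6)               ALLOW       Anywhere (v6)'
# Constructed sample after "sudo ufw allow 80/tcp" (and 443/tcp, 543/tcp).
SAMPLE_STATUS_WEB="$SAMPLE_STATUS
80/tcp                     ALLOW       Anywhere
443/tcp                    ALLOW       Anywhere
543/tcp                    ALLOW       Anywhere"
# Run against the sample; on the server pass "$(sudo ufw status)" instead.
ufw_missing "$SAMPLE_STATUS" 80/tcp 443/tcp 543/tcp || echo "(not yet allowed in ufw)"
```

The kadira-ui (4000) and kadira-engine (11011) ports themselves stay closed; only nginx, bound to 80, 443 and 543, is meant to be reachable.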

Install MongoDB

Add MongoDB Repository

  • Add the key
sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv EA312927
  • Add the Repo to the sources
echo "deb http://repo.mongodb.org/apt/ubuntu xenial/mongodb-org/3.2 multiverse" | sudo tee /etc/apt/sources.list.d/mongodb-org-3.2.list
  • Update your packages cache
sudo apt-get update

Install MongoDB

  • Install MongoDB and nano
sudo apt-get install -y mongodb-org nano
  • Create a unit file for systemd
sudo nano /etc/systemd/system/mongodb.service
  • Paste this into the mongodb.service file
[Unit]
Description=High-performance, schema-free document-oriented database
After=network.target
[Service]
User=mongodb
ExecStart=/usr/bin/mongod --quiet --config /etc/mongod.conf
[Install]
WantedBy=multi-user.target
  • Initialise the replica set once mongod is running (rs.initiate only succeeds if mongod was started with the replica set name, i.e. replication.replSetName: rs0 in /etc/mongod.conf)
mongo admin --eval 'rs.initiate({_id: "rs0", members: [{_id: 0, host: "localhost:27017"}]})'
mongo admin --eval 'rs.slaveOk()'

Start MongoDB

  • Start MongoDB
sudo systemctl start mongodb
  • Check the Status
sudo systemctl status mongodb
  • If everything is okay, enable mongodb so it starts automatically on boot
sudo systemctl enable mongodb

Optimize MongoDB

Disable Transparent Huge Pages

  • Create an init.d file
sudo nano /etc/init.d/disable-transparent-hugepages
  • Paste this into the disable-transparent-hugepages file
#!/bin/bash
### BEGIN INIT INFO
# Provides:          disable-transparent-hugepages
# Required-Start:    $local_fs
# Required-Stop:
# X-Start-Before:    mongod mongodb-mms-automation-agent
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: Disable Linux transparent huge pages
# Description:       Disable Linux transparent huge pages, to improve
#                    database performance.
### END INIT INFO

case $1 in
  start)
    if [ -d /sys/kernel/mm/transparent_hugepage ]; then
      thp_path=/sys/kernel/mm/transparent_hugepage
    elif [ -d /sys/kernel/mm/redhat_transparent_hugepage ]; then
      thp_path=/sys/kernel/mm/redhat_transparent_hugepage
    else
      # this kernel has no THP support, nothing to do
      # (the script is not a function, so exit rather than return)
      exit 0
    fi

    echo 'never' > ${thp_path}/enabled
    echo 'never' > ${thp_path}/defrag

    re='^[0-1]+$'
    if [[ $(cat ${thp_path}/khugepaged/defrag) =~ $re ]]
    then
      # RHEL 7 style kernels expose a numeric flag
      echo 0 > ${thp_path}/khugepaged/defrag
    else
      # RHEL 6 style kernels expect yes/no
      echo 'no' > ${thp_path}/khugepaged/defrag
    fi

    unset re
    unset thp_path
    ;;
esac
  • Make it executable
sudo chmod 755 /etc/init.d/disable-transparent-hugepages
  • Enable it on boot
sudo update-rc.d disable-transparent-hugepages defaults
  • Reboot the system to apply the changes
sudo reboot now
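After the reboot it is worth confirming that the init script actually took effect, because the sysfs files show the active choice in brackets (e.g. "always madvise [never]") and a silent failure just leaves THP on. The check below is an added example, not part of the original post or the kadira-server repo; it mirrors the two khugepaged/defrag formats the init script handles and takes a directory argument so it can be exercised against a constructed fake sysfs tree.

```shell
#!/bin/sh
# Added example (not from the original post): after the init script above has
# run and the machine has rebooted, confirm THP is really off. The sysfs files
# mark the active setting in brackets, e.g. "always madvise [never]", and
# khugepaged/defrag is 0/1 on newer kernels or yes/no on older ones, the two
# branches the init script handles.

# Print the bracketed (active) value of a sysfs THP setting file.
thp_active_value() {
    sed -n 's/.*\[\([^]]*\)\].*/\1/p' "$1"
}

# thp_disabled [DIR]: exit 0 if enabled, defrag and khugepaged/defrag under
# DIR are all off (or DIR does not exist, i.e. the kernel has no THP),
# 1 otherwise. DIR defaults to the usual sysfs path.
thp_disabled() {
    dir="${1:-/sys/kernel/mm/transparent_hugepage}"
    if [ ! -d "$dir" ]; then
        echo "no THP support at $dir, nothing to disable"
        return 0
    fi
    status=0
    for f in enabled defrag; do
        v=$(thp_active_value "$dir/$f")
        if [ "$v" != "never" ]; then
            echo "$f is '$v', expected 'never'"
            status=1
        fi
    done
    k=$(cat "$dir/khugepaged/defrag" 2>/dev/null || true)
    case "$k" in
        0|no) ;;
        *) echo "khugepaged/defrag is '$k', expected 0 or no"; status=1 ;;
    esac
    return $status
}

# make_fake_thp DIR ENABLED DEFRAG KHUGEPAGED: build a constructed sysfs-like
# tree so the check can be exercised offline.
make_fake_thp() {
    mkdir -p "$1/khugepaged"
    printf '%s\n' "$2" > "$1/enabled"
    printf '%s\n' "$3" > "$1/defrag"
    printf '%s\n' "$4" > "$1/khugepaged/defrag"
}

# Check the real system when run directly on the server.
thp_disabled && echo "THP disabled" || echo "THP still active"
```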

Set up nginx

  • Install nginx
sudo apt-get install nginx
  • Remove the default nginx site
sudo rm /etc/nginx/sites-enabled/default
  • Create a new server block for kadira-ui
sudo nano /etc/nginx/sites-available/kadira
  • Configure nginx to forward port 80 (and 443 for HTTPS) to port 4000, where the kadira-ui runs
server_tokens off; # stop advertising the nginx version in headers and error pages

# this section is needed to proxy WebSocket connections
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

# HTTP
server {
    listen 80 default_server;
    listen [::]:80 default_server ipv6only=on;

    # pass requests to Meteor
    location / {
        proxy_pass http://127.0.0.1:4000;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade; # for WebSockets
        proxy_set_header Connection $connection_upgrade;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header Host $host;
    }
}

# HTTPS server
server {
    listen 443 default_server ssl http2;      # enable HTTP/2
    listen [::]:443 default_server ssl http2; # same for IPv6

    root html;        # irrelevant
    index index.html; # irrelevant

    ssl_certificate /etc/nginx/ssl/kadira.pem;     # full path to SSL certificate and CA certificate concatenated together
    ssl_certificate_key /etc/nginx/ssl/kadira.key; # full path to SSL key

    # performance enhancement for SSL
    ssl_stapling on;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 5m;

    # config to enable HSTS (HTTP Strict Transport Security) https://developer.mozilla.org/en-US/docs/Security/HTTP_Strict_Transport_Security
    # to avoid SSL stripping https://en.wikipedia.org/wiki/SSL_stripping#SSL_stripping
    add_header Strict-Transport-Security "max-age=31536000";

    # If your application is not compatible with IE <= 10, this will redirect visitors to a page advising a browser update
    # This works because IE 11 does not present itself as MSIE anymore
    if ($http_user_agent ~ "MSIE") {
        return 303 https://browser-update.org/update.html;
    }

    # pass all requests to Meteor
    location / {
        proxy_pass http://127.0.0.1:4000;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade; # allow WebSockets
        proxy_set_header Connection $connection_upgrade;
        proxy_set_header X-Forwarded-For $remote_addr; # preserve client IP
        proxy_set_header Host $host;

        # this setting allows the browser to cache the application in a way compatible with Meteor
        # on every application update the names of the CSS and JS files change, so they can be cached indefinitely (here: 30 days)
        # the root path (/) MUST NOT be cached
        if ($uri != '/') {
            expires 30d;
        }
    }
}
  • Enable the new kadira-ui site
sudo ln -s /etc/nginx/sites-available/kadira /etc/nginx/sites-enabled/
  • Test the nginx config
sudo nginx -t
  • Create a new server block for kadira-engine
sudo nano /etc/nginx/sites-available/kadira-engine
  • Configure nginx to forward port 543 to port 11011, where the kadira-engine runs
# this section is needed to proxy WebSocket connections
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

# HTTPS server
server {
    listen 543 default_server ssl http2;      # enable HTTP/2
    listen [::]:543 default_server ssl http2; # same for IPv6

    root html;        # irrelevant
    index index.html; # irrelevant

    ssl_certificate /etc/nginx/ssl/kadira.pem;     # full path to SSL certificate and CA certificate concatenated together
    ssl_certificate_key /etc/nginx/ssl/kadira.key; # full path to SSL key

    # performance enhancement for SSL
    ssl_stapling on;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 5m;

    # config to enable HSTS (HTTP Strict Transport Security) https://developer.mozilla.org/en-US/docs/Security/HTTP_Strict_Transport_Security
    # to avoid SSL stripping https://en.wikipedia.org/wiki/SSL_stripping#SSL_stripping
    add_header Strict-Transport-Security "max-age=31536000";

    # If your application is not compatible with IE <= 10, this will redirect visitors to a page advising a browser update
    # This works because IE 11 does not present itself as MSIE anymore
    if ($http_user_agent ~ "MSIE") {
        return 303 https://browser-update.org/update.html;
    }

    # pass all requests to Meteor
    location / {
        proxy_pass http://127.0.0.1:11011;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade; # allow WebSockets
        proxy_set_header Connection $connection_upgrade;
        proxy_set_header X-Forwarded-For $remote_addr; # preserve client IP
        proxy_set_header Host $host;

        # this setting allows the browser to cache the application in a way compatible with Meteor
        # on every application update the names of the CSS and JS files change, so they can be cached indefinitely (here: 30 days)
        # the root path (/) MUST NOT be cached
        if ($uri != '/') {
            expires 30d;
        }
    }
}
  • Enable the new kadira-engine site
sudo ln -s /etc/nginx/sites-available/kadira-engine /etc/nginx/sites-enabled/
  • Test the nginx config
sudo nginx -t
  • If everything is fine, restart nginx
sudo systemctl restart nginx