User:Revansx/meza/enterprise installation walk-through
MEZA Installation and Configuration Journal
Notice - I discovered that my RHEL environment has a security policy that asserts a UMASK setting of 077 to my system. This has caused a lot of trouble with my installation process and "meza deploy .. " commands. I will attempt to draw attention to it in my walk-through, but please know that the FIRST thing I do after logging in to my bash shell through PuTTY is to execute the command "umask 022" to relax the umask setting while I am working. This has to be done at the beginning of every login. .. just fyi
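One way to scope the relaxed umask to a single command instead of the whole login session, and to list what an earlier umask 077 run left behind. This is an added example, not part of the original journal or of Meza; the function names are hypothetical, and it assumes the trouble comes from files being created without group/other permissions.

```bash
#!/usr/bin/env bash
# Added example (not from the journal or the Meza project).
# Function names are hypothetical.

# Run one command with umask 022 inside a subshell. The login shell keeps the
# organization's 077 policy, so nothing else created in the session is loosened.
# On the server: with_deploy_umask sudo meza deploy monolith
with_deploy_umask() {
  ( umask 022; "$@" )
}

# List what a umask-077 run leaves behind under a tree: regular files that
# "other" cannot read and directories that "other" cannot read or traverse.
# Assumption: service accounts need that access to the deployed files.
find_restrictive() {
  find "$1" \( -type f ! -perm -o=r \) -o \( -type d ! -perm -o=rx \)
}

# Octal permission bits of a path (GNU stat, as shipped with RHEL).
mode_of() {
  stat -c '%a' "$1"
}

# Constructed demonstration in a scratch directory.
demo() {
  local dir
  dir=$(mktemp -d) || return 1
  (
    cd "$dir" || exit 1
    umask 077                                # the policy default
    mkdir policy && touch policy/file        # created as 700 / 600
    with_deploy_umask sh -c 'mkdir relaxed && touch relaxed/file'
    echo "policy:  $(mode_of policy) $(mode_of policy/file)"
    echo "relaxed: $(mode_of relaxed) $(mode_of relaxed/file)"
    echo "umask afterwards: $(umask)"        # the subshell did not change it
    find_restrictive .
  )
  rm -rf "$dir"
}

demo
```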
Pre-Install Notes
- Clean RHEL7 system - nothing except what my organization's security team deemed essential
- had to ensure that my RHEL7 box was subscribed to the EPEL repositories that would find git, etc.
- configured PuTTY to connect to the server and create a text file log of all console activity
- logged in to the server with PuTTY
- cd'd to
/
- ran
#sudo yum list installed
- saved the PuTTY log file for reference
Meza Install
- performed MEZA install per: https://www.mediawiki.org/wiki/Meza/Install_on_existing_server
sudo yum install -y git
sudo git clone https://github.com/enterprisemediawiki/meza /opt/meza
sudo bash /opt/meza/src/scripts/getmeza.sh
sudo meza deploy monolith
- used my full system host name referred to here as:
myhostname.mycompany.com
- supplied my own password referred to here as
mypassword
- The first time I tried this I did have some issues with the way my system's default "umask" settings were due to my organization's security requirements, but this was resolved by Meza developers (Thanks James) and the second attempt went perfectly.
- Visited my server in the browser at:
https://myhostname.mycompany.com
- Note: it set *everything* including a self-signed cert, so I got the usual warning from my browser.
- cleared the PuTTY log and re-ran
#sudo yum list installed
and saved it for reference
- cleared the PuTTY log and ran
#netstat -plntu
to see what was installed and saved it for reference
SSL Certs
Working with my organization to install a *valid* cert purchased by my organization
- Note: discovered that SSL is handled by Meza's load balancer, which is called HAProxy
- Note: keys are at
/opt/conf-meza/secret/monolith/ssl
as meza.crt and meza.key
- my organization uses chain certs (trusted cert -> intermediate cert -> star/wildcard cert)
- had my server admin generate the certs on the system and named the wildcard/star cert to meza.cert
- ran
#sudo meza deploy monolith --tags load-balancer
- this is NOT YET WORKING .. the HAProxy doesn't seem to like the cert chain.. deferring this for now
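A pre-deploy check for the certificate and key files named above, assuming the certificate file is a PEM bundle. This is an added example, not part of the original journal or of Meza, and the function names are hypothetical. It applies the TLS convention that the server certificate comes first and each following certificate is the issuer of the one before it; how Meza hands the files to HAProxy is not covered.

```bash
#!/usr/bin/env bash
# Added example (not from the journal or the Meza project); function names
# are hypothetical. Checks names and key pairing only, not signatures.

# Split a PEM bundle into one file per certificate: DIR/cert1.pem, cert2.pem...
split_bundle() {
  awk -v d="$2" '/-----BEGIN CERTIFICATE-----/ { n++; on = 1 }
                 on { print > (d "/cert" n ".pem") }
                 /-----END CERTIFICATE-----/ { on = 0 }' "$1"
}

# Subject or issuer DN of a certificate file, in one normalised form.
dn() {
  openssl x509 -in "$1" -noout "-$2" -nameopt RFC2253 | sed "s/^$2= *//"
}

# Digest of the public key held in a certificate, and in a private key.
cert_pubkey_hash() { openssl x509 -in "$1" -noout -pubkey | openssl sha256; }
key_pubkey_hash()  { openssl pkey -in "$1" -pubout | openssl sha256; }

# check_chain BUNDLE KEY -> 0 consistent, 1 problem found, 2 unusable input
check_chain() {
  local bundle="$1" key="$2" tmp i=1 rc=0
  tmp=$(mktemp -d) || return 2
  split_bundle "$bundle" "$tmp"
  if [ ! -f "$tmp/cert1.pem" ]; then
    echo "no certificate found in $bundle"; rm -rf "$tmp"; return 2
  fi
  # 1. The private key must pair with the FIRST certificate in the file.
  if [ "$(cert_pubkey_hash "$tmp/cert1.pem")" != "$(key_pubkey_hash "$key")" ]; then
    echo "key does not match first certificate: $(dn "$tmp/cert1.pem" subject)"
    rc=1
  fi
  # 2. Each certificate must name the one after it as its issuer.
  while [ -f "$tmp/cert$((i + 1)).pem" ]; do
    if [ "$(dn "$tmp/cert$i.pem" issuer)" != "$(dn "$tmp/cert$((i + 1)).pem" subject)" ]; then
      echo "certificate $i is not issued by certificate $((i + 1))"
      rc=1
    fi
    i=$((i + 1))
  done
  rm -rf "$tmp"
  return "$rc"
}

# On the server described here (paths from the journal):
#   check_chain /opt/conf-meza/secret/monolith/ssl/meza.crt \
#               /opt/conf-meza/secret/monolith/ssl/meza.key
```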
Updating the Logo
- cd'd to:
/opt/conf-meza/public/wikis/demo
and changed the logo.png file
- ran
#sudo meza deploy monolith --tags mediawiki --skip-tags smw-data,search-index
to re-deploy only what was needed to update the landing page
Adding SAML Auth
Using the instructions here: https://www.mediawiki.org/wiki/Meza/Setup_SAML_authentication
- Step 1: Set secret config
  - run
    #tr -c -d '0-9a-zA-Z' </dev/urandom | dd bs=32 count=1 2>/dev/null;echo
    and paste the 32 character output to a scratch pad (notepad or whatever) as the salt code to be used below when needed
  - run
    #tr -c -d '0-9a-zA-Z' </dev/urandom | dd bs=16 count=1 2>/dev/null;echo
    and paste the 16 character output to a scratch pad (notepad or whatever) as the adminpassword to be used below when needed
  - discovered that
    /opt/conf-meza/monolith/secret.yml
    is encrypted, so the solution is provided to me as:
    - run
      meza_env=monolith
      to set the variable meza_env to monolith (my environment)
    - then run
      sudo ansible-vault edit "/opt/conf-meza/secret/$meza_env/secret.yml" --vault-password-file "/opt/conf-meza/users/meza-ansible/.vault-pass-$meza_env.txt"
      which will decrypt the file secret.yml, automatically launching it in readable text in the infamous "vi" editor.
    - Now to edit using the vi editor (vi notes)
      - down arrow to the last character of the end of the file and type
        a
        which will put you in "insert" mode and allow you to add new lines.
      - copy the text from the SAML link above into the secret.yml file at the end (control-c to copy it from notepad and right-click to paste it into "vi")
      - cursor up to the line that reads:
        salt: <output of command from above>
        and replace the <output of command from above> with the salt code created above in step 1.1
      - cursor down to the line that reads:
        adminpassword: <your strong password>
        and replace <your strong password> with the adminpassword created in step 1.2 above
      - Type
        :wq
        to save and exit vi
      - exiting vi from the ansible-vault edit command automatically re-encrypts the file
      - you should now be back at the system cli
- Step 2: Set public config
  - ...
Added more Wikis
- added new wikis using
#sudo meza create wiki monolith
- note: was surprised that this did not create any users, but apparently this is normal
- looking into how to create sysop users.. my hope is to get the SAML e-auth working and have users added automatically by e-auth from my organization's identity provider