Building Elastix 4 via RPM Repo

Dashrender

Not how.wow... Damn autocorrect

Dashrender

@scottalanmiller said:

@Dashrender said:

How, that is a lot of power for your provider.

how is it not? People expect certain functionalities, not having them puts a provider at a big disadvantage. And having rapidly built systems is huge. And reliable performance. If you let people install from ISO you get a performance mess.

I understand not allowing own ISO, but allowing the hosted root reset, that seems crazy.

scottalanmiller

@Dashrender said:

Not how.wow... Damn autocorrect

Oh, that changes a lot.

scottalanmiller

@Dashrender said:

@scottalanmiller said:

@Dashrender said:

How, that is a lot of power for your provider.

how is it not? People expect certain functionalities, not having them puts a provider at a big disadvantage. And having rapidly built systems is huge. And reliable performance. If you let people install from ISO you get a performance mess.

I understand not allowing own ISO, but allowing the hosted root reset, that seems crazy.

Physical access ALWAYS means the ability to reset. No exception. But this allows it to be easy, automated and available to the customer. It's a pretty important feature. Imagine a hosted system where you are barred from doing a password reset like you would on a local one. That would be almost impossible for anyone not in a pure DevOps world to manage.

Dashrender

@scottalanmiller said:

@Dashrender said:

@scottalanmiller said:

@Dashrender said:

How, that is a lot of power for your provider.

how is it not? People expect certain functionalities, not having them puts a provider at a big disadvantage. And having rapidly built systems is huge. And reliable performance. If you let people install from ISO you get a performance mess.

I understand not allowing own ISO, but allowing the hosted root reset, that seems crazy.

Physical access ALWAYS means the ability to reset. No exception. But this allows it to be easy, automated and available to the customer. It's a pretty important feature. Imagine a hosted system where you are barred from doing a password reset like you would on a local one. That would be almost impossible for anyone not in a pure DevOps world to manage.

Physical sure, where you not implying they could do it with some kernal mod? Maybe I misunderstood.

scottalanmiller

@Dashrender said:

Physical sure, where you not implying they could do it with some kernal mod? Maybe I misunderstood.

Kernel mod is pretty dramatic. It's just an app normally.

scottalanmiller

@Dashrender said:

Physical sure, where you not implying they could do it with some kernal mod? Maybe I misunderstood.

So the important thing is that you have given up no security, just enabled a feature that benefits you.

BigfootNetworks

Hi There.
Not sure if this is entirely related but I've installed Elastix 4 onto a Centos 7 Digital Ocean droplet.
I've got to the point where I need to start the elastix-firstboot. but I can't find how to do it?
Any ideas?
If I need to create a new thread, let me know.
thanks

scottalanmiller

@BigfootNetworks said:

Hi There.
Not sure if this is entirely related but I've installed Elastix 4 onto a Centos 7 Digital Ocean droplet.
I've got to the point where I need to start the elastix-firstboot. but I can't find how to do it?
Any ideas?
If I need to create a new thread, let me know.
thanks

We are using Digital Ocean, too. The script at the top specifically worked on DO and installs elastix-firstboot as it goes, there shouldn't be any manual intervention.

Did you get any errors? What version of the ISO are you working from?

dom

So I just used your script to install on Centos 7 on Azure. I do get the prompt for MySQL and Freepbx passwords at the end. However after the reboot my sudoers file has been overwritten (WTF?) essentially locking me out as a root user. Now I can't open the httpd ports or even start httpd. Bummer. Anyone else experiencing this on other VM services. I use azure because I have a free account and its just for testing. Maybe if I start fresh and open the ports before the install -will that work? But still left with the problem of root access blown away!

travisdh1

@dom I don't see anything in that script that would make changes to the /etc/sudoers file. Could it be something wacky with Azure?

scottalanmiller

@travisdh1 said:

@dom I don't see anything in that script that would make changes to the /etc/sudoers file. Could it be something wacky with Azure?

It's not my script, it doesn't touch that. However, Elastix has a track record of modifying /etc/sudoers with their RPM packages. So if you rely on /etc/sudoers, you must keep it updated after any yum run. Just part of the nature of Elastix.

scottalanmiller

@dom said:

Maybe if I start fresh and open the ports before the install -will that work? But still left with the problem of root access blown away!

Yes, open ports and enable root access directly prior to installation. CentOS is root on by default, you'll need to run that way for Elastix or make custom accommodations for their RPMs.

dom

BTW Im quite new to linux.

I tried another install a few days back and it was after installing this /root/rpmbuild/RPMS/noarch/elastix-firstboot-3.0.0-6.noarch.rpm
is when my sudoers files was overwritten - its not your script.

So how do I do this? "So if you rely on /etc/sudoers, you must keep it updated after any yum run". LINUX noob...sorry guys

scottalanmiller

@dom said:

BTW Im quite new to linux.

Welcome to the dark side

We have cookies, of course.

scottalanmiller

@dom said:

So how do I do this? "So if you rely on /etc/sudoers, you must keep it updated after any yum run". LINUX noob...sorry guys

If you are new to Linux, I would not use sudoers for this one specific workload. Generally, yes, sudoers is great. This will cause you no end of pain on Elastix, it's worth skipping.

If you want to be reasonably secure without sudoers you can do this...

• Set a password (long and complex) for the root user.
• Create non-root users for you to log in as.
• Always log in as your non-root user.
• Access root with this command:
  • su - which will ask you for that root password before letting you access root
• You can also block root access via SSH and only allow your user(s) accounts to access over SSH

Ideal? No, not at all. Does it work? Yes, and it is more secure that tons of normal installs and more secure than CentOS / RHEL defaults.

scottalanmiller

Additionally, you can make your user accounts access via keys instead of passwords for another layer of protection.

scottalanmiller

So what if you want to fix the suders problem?

Try this...

• Fix sudoers and test it. Make sure that it does what you want.
• Copy the /etc/sudoers file to /etc/sudoers.custommaster
• Make a cron job that runs every fifteen minutes that does this...
  • cp /etc/sudoers.custommaster /etc/sudoers

Not great, but it replaces suders four times and hour (more if you want) so if you lose access, you wait a few minutes and it puts it back.

Tools like Ansible and Chef would handle this too, but that is was more complex.

scottalanmiller

As a general point, Azure isn't ideal for Linux. It's expensive and unnecessarily complex and limited. It's not bad, but as a new Linux user it is certainly worth considering another platform.

I mostly use Rackspace and Digital Ocean for Linux VMs. Vultr is pretty good, too. AWS is good, but very hard to use.

JaredBusch

@scottalanmiller said:

As a general point, Azure isn't ideal for Linux. It's expensive and unnecessarily complex and limited. It's not bad, but as a new Linux user it is certainly worth considering another platform.

I mostly use Rackspace and Digital Ocean for Linux VMs. Vultr is pretty good, too. AWS is good, but very hard to use.

He has free space and is using it for testing/lab. there is nothing wrong with Linux under Azure any more than there is under any other hosted provider.