View Source

This is how you modify an Alfresco installation to run as non-root.

Enable IP forwarding:
echo 1 > /proc/sys/net/ipv4/ip_forward
Also, in the /etc/sysctl.conf, make sure ip forwarding is enabled:
net.ipv4.ip_forward = 1

Place the following in fileservers-custom.xml:

<config evaluator="string-compare" condition="CIFS Server">
	<serverEnable enabled="true"/>
	<tcpipSMB port="1445" platforms="linux"/>
	<sessionTimeout="30" />
	<netBIOSSMB sessionPort="1139" namePort="1137" datagramPort="1138" platforms="linux"/>
</config>

Set up iptables redirects:

iptables -t nat -A PREROUTING -p tcp --dport 445 -j REDIRECT --to-ports 1445
iptables -t nat -A PREROUTING -p tcp --dport 139 -j REDIRECT --to-ports 1139
iptables -t nat -A PREROUTING -p udp --dport 137 -j REDIRECT --to-ports 1137
iptables -t nat -A PREROUTING -p udp --dport 138 -j REDIRECT --to-ports 1138

Change ownership on the alfresco.pid file to repos:
chown repos:repos /var/run/alfresco.pid
Make sure the path through /home/www/apache/modules/* is readable/executable by repos
Change ownership and permissions on /sbin/mount.cifs to enable mounting CIFS by repos:
chown root:repos /sbin/mount.cifs chmod 4750 /sbin/mount.cifs

Add the following line to /etc/fstab:

//localhost/avm  /home/repos/mnt/this-avm	cifs	user,noauto	0 0

In the /etc/security/limits.conf file, add the following lines:
repos soft nofile 8192 repos hard nofile 8192
For the deployment scripts (for the -mitmods version only):

Note that the deploy scripts need to be updated to use the 1445 port for CIFS (since local traffic is not forwarded). Also, the mount point for CIFS needs to be under /home/repos, not /mnt. For whatever reason, we need to use "mount.cifs" directly instead of "mount", which always requires you to be root whether the SUID bit is there or not. Finally, the sharename must be "//localhost/avm" to match the fstab entry. Here are the relevant changes in the script:

export MOUNT_POINT=~/mnt/this-avm
# instead of /mnt/this-avm

umount -t cifs //localhost/avm ${MOUNT_POINT}/
# instead of //${HOSTNAME}/avm

mount.cifs //localhost/avm ${MOUNT_POINT}/ -o port=1445,user=${DEPLOY_ALFRESCO_USER}%${DEPLOY_ALFRESCO_PASSWORD}
# "mount.cifs" instead of "mount -t cifs"; "localhost" instead of "${HOSTNAME}"; "port=1445" instead of default behavior (445)

On the remote (linux) server, identify or create a remote user with write access to the desired deployment destination path. Ensure that the root account on the Alfresco server can ssh as this user to the remote server without being prompted for a password. If this is not already set up, you should do the following:
* On the Alfresco server as *repos*, run "ssh-keygen -t dsa" and accept the default location. Also, leave the passphrase blank (maybe not the best advice but I want to ensure that the script will not be prompted for a password)
* Copy the generated public key file (~/.ssh/id_dsa.pub) to the remote server (e.g., "scp ~/.ssh/id_dsa.pub REMOTESERVER:")
* Log into the remote (assumed linux) server as the remote user. (If the user doesn't exist, first log in as root and create the account with "adduser USERNAME")
* If it does not exist, create the remote user's .ssh directory and make sure its permissions are properly set. ("mkdir ~/.ssh" and "chmod 700 ~/.ssh")
* Append the generated public key file you copied to the end of .ssh/authorized_keys, and make sure its permissions are properly set. ("cat id_dsa.pub >> ~/.ssh/authorized_keys" and "chmod 600 ~/.ssh/authorized_keys")
* Remove the generated public key file from the remote server ("rm id_dsa.pub")

Example:

adduser deploy_bot    ###note, this is the WEB SERVER "deploy_bot" account, not the ALFRESCO "deploy_bot" account |
mkdir /home/deploy_bot/.ssh; |
chown deploy_bot /home/deploy_bot/.ssh |
chmod 700 /home/deploy_bot/.ssh; |
cat \~/id_dsa.pub >> /home/deploy_bot/.ssh/authorized_keys |
chown deploy_bot /home/deploy_bot/.ssh/authorized_keys |
chmod 600 /home/deploy_bot/.ssh/authorized_keys |
rm \~/id_dsa.pub |
chmod a+rx /home/www |
chmod a+rx /home/www/sash-server |
chmod a+rx /home/www/sash-server/servers/ |
chmod a+rx /home/www/sash-server/servers/alumni/ |
chown deploy_bot /home/www/sash-server/servers/alumni/webapps |
chown deploy_bot /home/www/sash-server/servers/alumni/webapps/ROOT |

* Log out of the remote server
* Test by logging into the Alfresco server as *repos* and running "ssh -l USERNAME REMOTESERVER". If you get in as the remote user without being prompted for a password, congratulations. Note: in this step, accept the host key. This stores the host key in known_hosts and is actually important, since you don't want the deployment script to be prompted to accept or not accept the host key.