SME Appliance System Admin Guide

1. Software Stack

The SME platform is built from open Internet technologies. The base operating system is a hardened CentOS Linux. Apache HTTPD serves HTTP requests, memcached is used for temporary caching, and file metadata is stored in a MySQL database.

The web interface is written in PHP / HTML / Ajax, and the protocol adapters are written in Perl.
By using standard components, SME can be adopted and customized for a wide variety of deployments.

HTTPS, a standard firewall-friendly protocol, is used for communication with clients.
The basic premise of SME is to act as a cloud gateway and as an audit, control and encryption point. All files and data are stored at the provider. The SME platform keeps only the metadata, e.g. file name, size (if available) and security permissions.

The Apache server is stateless and can run on a separate host from the MySQL DB server. This allows flexible deployment topologies for scalability and high availability, using proven configurations supported by the Apache web server (e.g. multiple web servers behind a load balancer) and MySQL (replication, data sharding).
2. Components

SME is built as an open, modular platform. All functionality is available via the SME API, and the major components have hook points for integrating external systems, e.g. authentication, a new storage provider or a payment gateway.
Details of the SME API can be found at:

https://storagemadeeasy.com/for_developers/

Protocol Adaptors

At the top of the SME architecture diagram are the protocol adapters. They allow you to access your data over multiple protocols from any supported storage provider.

Out of the box SME supports:

  • REST/XML and REST/JSON: the SME proprietary API. It is used by all the SME tools, is fully documented and can be used to develop custom applications.

  • WebDav/HTTPS: standard WebDav, especially useful for iOS apps (Pages, Keynote, Numbers) that support WebDav


  • FTP/FTPS: Standard FTP and FTP Secure protocol

Provider Sync Engine

The Provider Sync Engine is used to discover new data added to the provider outside of SME. It can run in real-time, scheduled or manual mode.

  • Real-time: new data is checked for every time the storage provider is accessed. For optimum performance only the relevant subset of data is checked.

  • Scheduled: the storage provider is checked at a scheduled interval.

  • Manual: the administrator initiates a sync.

Multi-Site Backup Engine

Used to back up files updated via the SME platform to another storage provider, for disaster recovery and availability.

Access Control Module

The ACL module is responsible for applying permissions. Every operation is verified by the access control module to ascertain that the user has permission to perform it.

Audit Manager

The Audit module is used by all components to generate audit records for all file interactions. Its granularity can be controlled at a per-organization level.

Encryption Engine

The Encryption Engine is used to encrypt data before it is sent to a remote cloud provider. It uses 256-bit encryption for data at rest. Further details on how this works, and on its security, are given in the SME Security white paper.

Payment Gateway

The Payment Gateway enables integration with external billing systems and supports PayPal and Sage.

Custom payment gateways can also be integrated.

Storage Connectors

SME supports more than 40 cloud storage providers, including Amazon S3, OpenStack, MS Azure, Google Storage, WebDav and FTP.

Additional providers can be developed using the storage provider's native API.

Protocol Adaptors

The protocol adaptors are front-end adaptors in addition to the SME API. They enable access through a compatible S3 API, FTP/S or secure WebDav.
3. Administration

For the commands in this section, log in as smeconfiguser over SSH and then su to root:

$ ssh smeconfiguser@<appliance IP address>

# after login, su to root
-bash-3.2$ su - root
Password:

Security Enhanced Linux (SELinux)
SELinux is enabled by default.

Check the status of SELinux

sestatus

-bash-3.2# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 21
Policy from config file:        targeted


Temporarily switch SELinux to permissive mode

You can temporarily switch SELinux to permissive mode by running the following command. In permissive mode the policy stays loaded and denials are logged but no longer blocked; this is not the same as disabling SELinux. The change affects only the running system: the mode from the config file is still enforcing, so enforcing mode returns on the next reboot. (setenforce 0 is the equivalent command.)

echo 0 >/selinux/enforce
-bash-3.2# echo 0 >/selinux/enforce
-bash-3.2# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   permissive
Mode from config file:          enforcing
Policy version:                 21
Policy from config file:        targeted


Re-enable enforcing mode

To return SELinux to enforcing mode run the following command (setenforce 1 is equivalent). Do this as soon as the debugging that needed permissive mode is finished.

 echo 1 >/selinux/enforce
-bash-3.2# echo 1 >/selinux/enforce
-bash-3.2# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 21
Policy from config file:        targeted
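The three sestatus outputs above differ only in the Current mode and Mode from config file lines, and it is easy to leave an appliance in permissive mode after a debugging session. The following is an added example, not code from the SME guide or the appliance: a POSIX shell check that reads sestatus output and reports whether SELinux is enforcing now and will still be enforcing after a reboot. The sample outputs are constructed from the ones shown above; the function and variable names are this example's own.

```shell
#!/bin/sh
# Added example (not part of the SME appliance): classify `sestatus` output.

# Constructed sample: the production state shown above.
SESTATUS_ENFORCING='SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 21
Policy from config file:        targeted'

# Constructed sample: after `echo 0 >/selinux/enforce` (or `setenforce 0`).
SESTATUS_PERMISSIVE='SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   permissive
Mode from config file:          enforcing
Policy version:                 21
Policy from config file:        targeted'

# Constructed sample: enforcing now, but /etc/selinux/config was edited to
# permissive, so the protection silently disappears at the next reboot.
SESTATUS_TRANSIENT='SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          permissive
Policy version:                 21
Policy from config file:        targeted'

# field NAME: print the value of the "NAME:" line of sestatus output on stdin.
field() {
    sed -n "s/^$1:[[:space:]]*//p"
}

# selinux_check: read sestatus output on stdin, print one word and return 0
# only when SELinux is enforcing now and will remain so after a reboot.
#   disabled    SELinux is not enabled at all
#   permissive  running mode is not enforcing: denials are logged, not blocked
#   transient   enforcing now, but the config file says otherwise
#   enforcing   enforcing now and in the config file
selinux_check() {
    out=$(cat)
    status=$(printf '%s\n' "$out" | field 'SELinux status')
    current=$(printf '%s\n' "$out" | field 'Current mode')
    config=$(printf '%s\n' "$out" | field 'Mode from config file')
    if [ "$status" != "enabled" ]; then
        echo disabled; return 1
    elif [ "$current" != "enforcing" ]; then
        echo permissive; return 1
    elif [ "$config" != "enforcing" ]; then
        echo transient; return 1
    fi
    echo enforcing
}

# On the appliance:  sestatus | selinux_check
```

Run it from cron or your monitoring system and alert on any word other than enforcing; the transient case is the one that looks healthy today and is not after the next reboot.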


Cloud FTP

CloudFTP is an FTP implementation on top of clouds that do not natively support FTP. Once a cloud has been added to an account, you can access it from any FTP client.

Stopping CloudFTP

-bash-3.2# service cloudftp stop
stopping cloud ftp..


Starting CloudFTP

-bash-3.2# service cloudftp start
starting cloud ftp..
starting cloud ftps..


Apache HTTP Server

Start HTTP Server

service httpd start 

Stop HTTP Server

service httpd stop 

HTTPD Logs

Httpd server logs are located at /etc/httpd/logs (on CentOS this is a symlink to /var/log/httpd).

HTTPD Configuration

HTTPD server configuration files are located in the following two directories:

/etc/httpd/conf
/etc/httpd/conf.d

MySQL Database

Start MySQL

-bash-3.2# service mysqld start
Starting MySQL:                                            [  OK  ]


Stop MySQL

-bash-3.2# service mysqld stop
Stopping MySQL:                                            [  OK  ]


MySQL Data Files
/var/lib/mysql

MySQL Configuration
/etc/my.cnf

Backup MySQL Database

You can back up the metadata database (named smestorage) with the following command; -p prompts for the MySQL password:
mysqldump -p  smestorage >smestorage.sql
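The one-line mysqldump above is enough for an interactive backup. As an added example that is not part of the SME guide, the script below wraps it the way it would run from cron: the dump is taken with --single-transaction so the application is not locked out while it runs, the file is created root-readable only because the metadata it contains (file names, security permissions) is sensitive on its own, and the dump is verified before it is kept, since mysqldump writes a "-- Dump completed" trailer as its last line and a dump that stopped early (full disk, lost connection, killed process) will not have it. The backup directory and file naming are assumptions of this example; the MySQL password is expected to come from ~/.my.cnf rather than -p, which would prompt.

```shell
#!/bin/sh
# Added example (not part of the SME appliance): cron-safe metadata DB backup.

# Assumption for this example: where dumps are kept.
BACKUP_DIR=${BACKUP_DIR:-/var/backups/smestorage}

# dump_file STAMP: path of the dump taken at timestamp STAMP (YYYYmmddHHMMSS),
# so every run gets its own file and old ones can be pruned by age.
dump_file() {
    printf '%s/smestorage-%s.sql' "$BACKUP_DIR" "$1"
}

# dump_ok FILE: succeed only if FILE is non-empty and its last line is the
# "-- Dump completed" trailer that mysqldump writes when it finishes.
dump_ok() {
    [ -s "$1" ] && tail -n 1 "$1" | grep -q '^-- Dump completed'
}

# backup_smestorage: take the dump, verify it, print its path. Returns 1 and
# removes the partial file if mysqldump fails or the trailer is missing.
backup_smestorage() {
    umask 077                      # dump is readable by root only
    mkdir -p "$BACKUP_DIR" || return 1
    f=$(dump_file "$(date -u +%Y%m%d%H%M%S)")
    # Credentials come from ~/.my.cnf ([client] section); -p would prompt.
    if ! mysqldump --single-transaction smestorage >"$f"; then
        rm -f "$f"; return 1
    fi
    if ! dump_ok "$f"; then
        rm -f "$f"; return 1
    fi
    echo "$f"
}

# Invoked as `sh backup-smestorage.sh run` (e.g. from root's crontab);
# without the argument the functions are only defined.
if [ "${1:-}" = run ]; then
    backup_smestorage
fi
```

A dump that passes dump_ok is still only a copy on the same disk; copy it off the appliance as part of the same job, and remember that it holds every user's file names and permissions, so treat it with the same care as the database itself.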

Memcached

Start Memcached

-bash-3.2# service memcached start
Starting memcached:                                        [  OK  ]


Stop Memcached

 -bash-3.2# service memcached stop
Stopping memcached:                                        [  OK  ]


Memcached Config File
/etc/sysconfig/memcached

FTP Server

Start FTP Server

-bash-3.2# service vsftpd start
Starting vsftpd for vsftpd:                                [  OK  ]


Stop FTP Server

-bash-3.2# service vsftpd stop
Shutting down vsftpd:                                      [  OK  ]


FTP Server Configuration
/etc/vsftpd

Application Log Location

The SME application logs are located at
/var/www/smestorage/sitelogs

A brief description of each:

* allmails.txt: recipient address and subject of every mail sent
* errorlogs.txt: every application error
* errorlogs_trace.txt: full trace of the errors in errorlogs.txt
* logits.txt: all general application logging
4. Monitoring

You can use any tool that supports monitoring CentOS 5.8. Note that CentOS 5 reached end of life in March 2017 and no longer receives security updates.

We recommend monitoring the following parameters:
Base OS

vmstat 
 Procs
       r: The number of processes waiting for run time.
       b: The number of processes in uninterruptible sleep.

   Memory
       swpd: the amount of virtual memory used.
       free: the amount of idle memory.
       active: the amount of active memory. 

   Swap
       si: Amount of memory swapped in from disk (/s).
       so: Amount of memory swapped to disk (/s).

   IO
       bi: Blocks received from a block device (blocks/s).
       bo: Blocks sent to a block device (blocks/s).

   CPU
       us: Time spent running non-kernel code. (user time, including nice time)
       sy: Time spent running kernel code. (system time)
       id: Time spent idle. 
       st: Time stolen from a virtual machine.

       
Disk Space

-bash-3.2# df -k
Filesystem           1K-blocks      Used Available Use% Mounted on
/dev/mapper/VolGroup00-LogVol00
                      18187836   2903080  14345956  17% /
/dev/sda1               101086     20047     75820  21% /boot
tmpfs                   512468         0    512468   0% /dev/shm


Apache WebServer

You can monitor the status of the Apache web server by requesting the following URL. This URL is protected and can only be accessed from the local IP 127.0.0.1.

-bash-3.2# curl http://127.0.0.1/server-status/?auto
BusyWorkers: 1
IdleWorkers: 49
Scoreboard: _______________W_________......................................._________________________.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
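Reading df -k and server-status by eye works for a one-off look; a monitoring system needs thresholds. The following is an added example, not from the SME guide, with two POSIX shell/awk checks over the outputs shown above: one flags any mount point at or above a usage percentage (handling the wrapped device-name line that df prints for long LVM names, as in the output above), the other flags an Apache worker pool that is running out of idle workers, which is what a request flood or slow upstream storage providers look like from the web tier before CPU or memory show anything. The sample outputs are constructed; the thresholds are arguments.

```shell
#!/bin/sh
# Added example (not part of the SME appliance): threshold checks for
# `df -k` and Apache `server-status?auto` output.

# Constructed sample modelled on the df -k output above, with / nearly full.
DF_SAMPLE='Filesystem           1K-blocks      Used Available Use% Mounted on
/dev/mapper/VolGroup00-LogVol00
                      18187836  16903080   1345956  93% /
/dev/sda1               101086     20047     75820  21% /boot
tmpfs                   512468         0    512468   0% /dev/shm'

# Constructed sample: a worker pool that is almost exhausted.
STATUS_SAMPLE='BusyWorkers: 48
IdleWorkers: 2
Scoreboard: WWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWW__'

# df_over PCT: read df -k output on stdin, print each mount point whose Use%
# is >= PCT. The percentage and mount point are taken from the end of the
# line that carries them, so the wrapped device-name line is ignored.
df_over() {
    awk -v limit="$1" '
        NR > 1 && NF >= 2 && $(NF-1) ~ /%$/ {
            pct = $(NF-1); sub(/%/, "", pct)
            if (pct + 0 >= limit + 0) print $NF
        }'
}

# httpd_idle_low MIN: read server-status?auto output on stdin; if fewer than
# MIN workers are idle, print the busy/idle counts and return 0, else 1.
httpd_idle_low() {
    awk -v min="$1" '
        /^BusyWorkers:/ { busy = $2 }
        /^IdleWorkers:/ { idle = $2 }
        END {
            if (idle + 0 < min + 0) { printf "busy=%d idle=%d\n", busy, idle; exit 0 }
            exit 1
        }'
}

# On the appliance, e.g. from cron:
#   df -k | df_over 90
#   curl -s 'http://127.0.0.1/server-status/?auto' | httpd_idle_low 5
```

Both functions print only when there is something to act on, so their output can be mailed or fed to a monitoring plugin as-is.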


MySQL

Number of connections

SHOW STATUS LIKE 'Connections';

Note that Connections counts connection attempts since the server started; for the number of currently open connections query the Threads_connected status variable instead.

Network Usage

Monitor network traffic with your monitoring system, or read the per-interface counters from

 cat /proc/net/dev

Total Number of Processes

ps -e | sed 1d | wc -l

Recipes

Increasing Disk Space

To increase the disk space please follow the instructions at the following vmware kb article

Attaching a new Disk to The Appliance

To add a new disk to the appliance please follow the instructions at the following vmware kb article

Using a New Disk as Local Storage

The appliance is already configured with an FTP server listening on IP address 127.0.0.1 and port 2001.

  • Add a new user whose home directory is located on the newly attached disk mounted at /newdisk

-bash-3.2# adduser  -b /newdisk  -s /sbin/nologin localstorage
#change the password
-bash-3.2# passwd localstorage


  • Set the SELinux home-directory context on /newdisk/localstorage so the FTP server is allowed to serve it. chcon is not persistent across a filesystem relabel; to make the label permanent, also register it with semanage fcontext.

chcon -R -t user_home_dir_t  /newdisk/localstorage

  • Now you can add an FTP provider to your SME account using these credentials:

    • account login: localstorage
    • account password: the password you entered for the localstorage user
    • server host: ftp://127.0.0.1
    • server port: 2001
    • server home directory: /

Production Checklist

  • [ ] SSL certificate installed
  • [ ] Once you have installed the SSL certificate, enable https-only in the configuration
  • [ ] Only inbound port 443 open. If you are using CloudFTP then also open ports 21 and 990 (plus the passive-mode data-port range if CloudFTP is configured for passive transfers)
  • [ ] Permanent IP address configured
  • [ ] DNS names configured. Make sure the WebDav DNS name is configured as webdav<DomainName>, e.g. if the domain name is sme.yourdomain.com then the WebDav URL should be webdavsme.yourdomain.com
  • [ ] Passwords changed for default users
  • [ ] The date and time are set correctly in the appliance and not drifting; correct time matters for TLS certificate validation and for audit record timestamps
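The firewall items in this checklist are easier to verify from inside the appliance than to take on trust. As an added example that is not part of the SME guide, the shell function below reads netstat -tln output and lists every TCP socket that listens on a non-loopback address and is not on an allow list, so you can see what would answer from outside if a firewall rule were ever missing. The sample output is constructed: it includes the localstorage FTP server from the recipe above on 127.0.0.1:2001, memcached on its default loopback port, and MySQL and plain HTTP bound to all interfaces, which a single-host deployment should not expose. The allow list is the function's argument; the SSH port is included in the usage because the administration section relies on it.

```shell
#!/bin/sh
# Added example (not part of the SME appliance): list listening TCP sockets
# that are reachable from off-host and not on the allow list.

# Constructed sample in `netstat -tln` layout.
NETSTAT_SAMPLE='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address               Foreign Address             State
tcp        0      0 127.0.0.1:2001              0.0.0.0:*                   LISTEN
tcp        0      0 127.0.0.1:11211             0.0.0.0:*                   LISTEN
tcp        0      0 0.0.0.0:443                 0.0.0.0:*                   LISTEN
tcp        0      0 0.0.0.0:22                  0.0.0.0:*                   LISTEN
tcp        0      0 0.0.0.0:3306                0.0.0.0:*                   LISTEN
tcp        0      0 :::80                       :::*                        LISTEN'

# exposed_listeners "PORT PORT ...": read netstat -tln output on stdin and
# print address:port for every LISTEN socket that is not bound to 127.0.0.1
# or ::1 and whose port is not in the allow list. Returns 0 when nothing is
# printed, 1 otherwise. The port is the text after the last colon, which
# also handles IPv6 addresses such as :::80.
exposed_listeners() {
    awk -v allow=" $1 " '
        $NF == "LISTEN" {
            addr = $4
            n = split(addr, parts, ":")
            port = parts[n]
            host = substr(addr, 1, length(addr) - length(port) - 1)
            if (host == "127.0.0.1" || host == "::1") next
            if (index(allow, " " port " ") > 0) next
            print addr; found = 1
        }
        END { exit (found ? 1 : 0) }'
}

# On the appliance (443 for clients, 22 for the admin SSH access used above;
# add 21 and 990 when CloudFTP is in use):
#   netstat -tln | exposed_listeners "443 22"
```

Anything this prints either needs a firewall rule you can point to, or should be re-bound to 127.0.0.1 (memcached and MySQL on a single-host appliance) or switched off. When MySQL runs on a separate host as described in the Software Stack section, 3306 must be open only to the web tier, which this check cannot see; confirm it on the firewall.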
