General questions

What is Otax and who can use it?

Otax is Aalto University Student Union’s (AYY) Web hotel service for associations in AYY’s association register.

You can read more about the association register at

https://yhdistysopas.ayy.fi/?lang=en

Otax can also be used by AYY’s own groups, such as sections and specific events.

Are there any responsibilities for Otax users?
There are some requirements if you want to use Otax web services:

  • Otax domains must have an administrator, who is reported annually by the end of March.
  • Any web applications running within the system must be kept up to date.
    • In practice this means subscribing to the security announcement lists of the programs you use and applying updates promptly.
  • The administrator must know all the people who have access to the association’s Otax account.

Associations failing these requirements will have their accounts locked and web pages closed.

If you only need a basic public website and have any doubts about your association’s ability to provide a competent administrator in the coming years, consider the WordPress hosting option instead.

Acquiring the Otax service
If you want to activate Otax service for your association, please send the following information by email to tietotekniikka@ayy.fi.

  • Association’s full name
  • Association’s abbreviation (usually used as the account name)
  • Administrator’s name and contact information (email, phone)
  • Administrator’s RSA public key for login (see Logging in to Otax below)
  • What web programs you are planning to run on the account, if any
  • What domain you would like to have. Association domains are usually <association name or abbreviation>.ayy.fi, though custom domains are possible.

Checklist for changing account head administrator

For old administrator:

  1. Check that your current web programs are up to date
  2. Add the new administrator’s RSA public key to the account
  3. Explain to the new administrator what programs the account has and how they work

For new administrator:

  1. Check that you can log in to your association’s Otax account with your key
  2. Check the current access list of your account in ~/.ssh/authorized_keys and remove or comment out people who no longer need access
  3. Check your web folder (~/www-data) and familiarize yourself with its content and the programs used
  4. Check that your current web programs are up to date
  5. Subscribe to the security announcement lists of any web programs used (such as WordPress, Joomla, MediaWiki, phpBB etc.)
  6. Subscribe to the Otax webmasters list: https://list.ayy.fi/postorius/lists/otax-web-masters.list.ayy.fi/
  7. Fill out the administrator report form: https://lomake.ayy.fi/it/otax-admin-report/?lang=en

Technical information

What is included in Otax service?

Currently Otax webhotel service includes following:

  • SSH/SCP access to server
    • Personal RSA keys are used for access
    • Server is meant for web sites only so IRC screens, bots etc. are not allowed
  • Support for PHP, Python and Node.js web programs
    • PHP 7.4
    • Python 3.4.2
    • Node.js 8.11.4
  • One MySQL compatible database
    • Current database system is MariaDB 10
    • phpMyAdmin for managing databases
  • 20 GB web space and 20 GB for home directory and database
  • <association>.ayy.fi domain
    • It’s also possible to use own domains, see below
  • SSL support
    • Certificates are generated by Let’s Encrypt

Can I run (some web program) on Otax?
Otax supports most CMSs, blogs and wikis that use PHP or Python and a MySQL/MariaDB database.

The supported PHP and Python versions are the ones listed under “What is included in Otax service?” above. The database is MariaDB 10, which is MySQL compatible.

PHP is enabled in vhosts by default, if you want to use Python, please contact AYY’s IT support.

Are there any space limitations for accounts?
Current limits are 20 GB for home folder and database and 20 GB for web root.

You may apply to AYY’s IT support for additional space if necessary, though we recommend using other services for large video and picture collections.

Logging in to Otax

Otax accounts do not have passwords. Instead, associations authenticate to Otax with RSA keys (SSH public-key authentication).

SSH login is only accepted from hosts in .fi domains; connect from a Finnish network (for example via Aalto’s servers) if your connection is refused.

How do I create the RSA key for accessing Otax?
The user must have the private key on the computer that makes the connection, and the corresponding public key must be in the file ~/.ssh/authorized_keys in the association’s home directory on the Otax server. Users have to create the keys themselves. The easiest way is to create the keys on the computer that will be used to manage Otax, so the key files do not have to be copied anywhere.

The minimum strength for RSA keys is 2048 bits. ssh-keygen can also generate longer keys (for example -b 4096), which work just as well.

Creating the key pair with Linux server

You can create the key on Aalto’s general servers, for example, with the command:

ssh-keygen -t rsa -b 2048

The command will ask where you wish to save the key. The default location (~/.ssh/id_rsa) is good, so just press enter.

Next, ssh-keygen asks for a passphrase, which is entered each time the key is used. The passphrase should under no circumstances be left blank, since anyone who obtains the key file could otherwise log in as your association.

Now the .ssh sub-directory of your home directory should contain the files id_rsa.pub (public key) and id_rsa (private key). Only id_rsa.pub is ever sent to anyone; the private key stays on your computer.

Creating the key pair on a home computer (Windows)

These instructions apply to PuTTYgen software. Equivalent features can also be found in other SSH software.

WARNING! Do not create RSA key pair on public computers!

Step 1: Open PuTTYgen.

Step 2: Make sure you select ’SSH-2 RSA’ under the section ”Parameters”. If you can’t see this option, check from the “Key” category in the menu bar instead. Specify the number of bits as 2048 and press ”Generate”.

Step 3: Set a passphrase for the key in the ”Key passphrase” field.

Step 4: Save the public key and the private key with ”Save public key” and ”Save private key” options. Name your key in such a way that it shows your name.

Delivering the key to Otax domain administrator
After creating a key pair, you can submit the public part of the key to the administrator of your Otax domain if your association’s Otax domain already has a person in charge. Otherwise, please send the public part of the key by e-mail to the address tietotekniikka@ayy.fi and ask us to copy the key to your Otax domain.
Managing public keys in Otax
A key created with the ssh-keygen command on a Unix server works as is. A public key saved by PuTTYgen is in a different (multi-line, SSH2/RFC 4716) format and needs conversion. On Linux servers, you can print it in the right form with the command:

ssh-keygen -i -f name_public_key

When editing manually, it is usually enough to delete the header and comment lines from the beginning, join the key data into one line, and add “ssh-rsa ” in front of it unless it is already at the beginning of the line.

The key in the correct form looks as follows:

ssh-rsa AAAA….

Please note that the whole key must be on one line, otherwise the key will not work.

When the key is in the correct form, it can be added to the association’s Otax account by editing the authorized_keys file in the .ssh directory. The file (and the .ssh directory) must be writable only by the account itself; sshd silently ignores an authorized_keys file that other users could modify.

The lines beginning with the hash tag (#) are comments and the lines beginning with “ssh-rsa” are the public parts of RSA keys. Each ssh-rsa line should be preceded by a comment line that shows at least the following information:

  • the date when the key was added to the file (yyyy-mm-dd)
  • the key owner’s email address
  • the key owner’s name

Therefore, the contents of the ~/.ssh/authorized_keys file can look like this (the RSA keys have been shortened in this example; a real ssh-rsa key’s data always begins with AAAAB3NzaC1yc2E, which is the encoded key type):

#2012-12-01;aino.aaltolainen@aalto.fi;Aaltolainen;Aino;
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC99lv5GmA5GN…
#2012-12-01;pekka.perus@jotain.fi;Perus;Pekka;
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDk/J8dkfAWw4…
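The following shell helper is an added example, not part of the Otax documentation or AYY’s tooling. It appends a key to an authorized_keys file in the comment convention above, checks that the key is a single-line ssh-rsa key (the check on the AAAAB3NzaC1yc2E prefix catches keys whose type field does not match the ssh-rsa label), refuses duplicates, and sets the permissions sshd requires. It assumes the key has already been converted to OpenSSH one-line form; the file path, names and e-mail addresses in the usage are placeholders.

```shell
#!/bin/sh
# add_otax_key.sh - append a public key to an Otax authorized_keys file in the
# "#yyyy-mm-dd;email;Lastname;Firstname;" comment convention described above.
# Added example, not part of the Otax documentation. It assumes the key is
# already in OpenSSH one-line form ("ssh-rsa AAAA... comment") and that FILE
# is the account's ~/.ssh/authorized_keys.

# otax_key_valid KEYLINE -> 0 if KEYLINE is a single-line ssh-rsa public key
otax_key_valid() {
    key=$1
    # the whole key must be on one line (a PuTTYgen export has several)
    [ "$(printf '%s\n' "$key" | wc -l)" -eq 1 ] || return 1
    set -- $key
    [ "$1" = "ssh-rsa" ] || return 1
    # the base64 data of every RSA key starts with the encoded "ssh-rsa" type
    # field; anything else means the data is not an RSA key (e.g. a DSA key)
    case $2 in
        AAAAB3NzaC1yc2E*) return 0 ;;
        *) return 1 ;;
    esac
}

# otax_key_add FILE EMAIL LASTNAME FIRSTNAME KEYLINE -> appends the comment
# line and the key to FILE, refusing malformed or duplicate keys
otax_key_add() {
    file=$1 email=$2 last=$3 first=$4 key=$5
    if ! otax_key_valid "$key"; then
        echo "rejected: not a one-line ssh-rsa public key" >&2
        return 1
    fi
    # duplicate check on the key data only, since comments may differ
    blob=$(printf '%s\n' "$key" | awk '{print $2}')
    if [ -f "$file" ] && grep -qF -- "$blob" "$file"; then
        echo "rejected: key is already in $file" >&2
        return 1
    fi
    dir=$(dirname "$file")
    mkdir -p "$dir"
    printf '#%s;%s;%s;%s;\n%s\n' "$(date +%Y-%m-%d)" "$email" "$last" "$first" "$key" >> "$file"
    # sshd (StrictModes) ignores authorized_keys if it or ~/.ssh is writable by others
    chmod 700 "$dir"
    chmod 600 "$file"
}

# otax_key_list FILE -> prints "date;email;Lastname;Firstname" for each active
# key: the access review a new administrator does when taking over the account
otax_key_list() {
    grep '^#' "$1" | sed 's/^#//; s/;$//'
}

# usage (placeholder names):
#   otax_key_add ~/.ssh/authorized_keys aino.aaltolainen@aalto.fi Aaltolainen Aino "$(cat aino_id_rsa.pub)"
#   otax_key_list ~/.ssh/authorized_keys
```

Keys are compared by their data rather than by the comment, so re-adding the same key under a different name is rejected instead of producing two entries for one person.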

Using the key pair with PuTTY
With PuTTY (or a similar SSH programme), you can contact Otax by using the private key.

Step 1: Open PuTTY.

Step 2: Choose ”Connection -> SSH -> Auth” in the left tree menu.

Step 3: Click ”Browse” on the right side of the ”Private key file for authentication” field and select the private key file (.ppk) of the key pair whose public key is on Otax.

Step 4: In the menu, choose the top entry ”Session”

Step 5: Enter ’otax.ayy.fi’ to ”Host Name” field and add a name for Otax connection to ”Saved Sessions” field. Select ”Save” and after this ”Open”.

Finally, PuTTY will ask for your username and a password (passphrase). The username is your association’s Otax username and the password is the passphrase you entered when creating the key pair; it unlocks the key locally and is never sent to the server, which has no account passwords.

Databases

What database systems are supported?
Otax currently supports only MySQL databases. The current database management system is MariaDB 10, which is MySQL compatible.

PostgreSQL or other database management systems are not available.

Supported storage engines are InnoDB/XtraDB and MyISAM.

What are my database name and login details?
The database accepts connections only from localhost on the default MySQL port, so applications on your account connect to it locally and it is not reachable from outside the server. The database name is the same as your account name.

Login details can be found from your home directory, look for a file starting with mysql.

Creating a new database
Users are allowed to create databases whose names start with the prefix <username>_ . For example, the user teekkari could create databases such as “teekkari_1”, “teekkari_wordpress” etc.

Managing your database
You can use command line tools or phpMyAdmin to manage your databases.

Please do NOT install a phpMyAdmin copy of your own: one placed under your web root would be reachable from the internet and would have to be kept patched by you. A phpMyAdmin service is already available locally.

With PuTTY (or a similar SSH program), you can open an SSH tunnel to Otax’s phpMyAdmin. Otax’s phpMyAdmin listens on port 80 on the server itself and is reached only through such a tunnel.

Step 1: Open PuTTY.

Step 2: Choose ”Connection -> SSH -> Auth” in the left tree menu.

Step 3: Click  ”Browse” on the right side of the ”Private key file for authentication” field and select the private section of your public key pair on Otax.

Step 4: In the left tree menu, choose ”Connection -> SSH -> Tunnels”.

Step 5: Add 8888 to ”Source Port” field and ’localhost:80’ to ”Destination” field. Click ”Add”.

Step 6: In the menu, choose the top entry ”Session”

Step 7: Enter ’otax.ayy.fi’ to ”Host Name” field and add a name for Otax connection to ”Saved Sessions” field. Select ”Save” and after this ”Open”.

After connecting, phpMyAdmin should be found with a web browser at http://localhost:8888/phpmyadmin/.
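For OpenSSH users on Linux or macOS, the same tunnel is a single ssh command. The helper below is an added example, not part of the Otax documentation; it assumes the account name, the path to the private key and the local port (8888 by default) are given as arguments, and that phpMyAdmin answers on port 80 of the server’s loopback interface as described above.

```shell
#!/bin/sh
# otax_tunnel.sh - OpenSSH equivalent of the PuTTY tunnel steps above.
# Added example, not part of the Otax documentation. Assumes ACCOUNT is the
# association's Otax username, KEYFILE the private key and that phpMyAdmin
# listens on localhost:80 on the server.

# otax_tunnel_cmd ACCOUNT KEYFILE [LOCALPORT] -> prints the ssh command line
otax_tunnel_cmd() {
    acct=$1 keyfile=$2 lport=${3:-8888}
    case $lport in
        ''|*[!0-9]*) echo "local port must be numeric" >&2; return 1 ;;
    esac
    if [ "$lport" -lt 1024 ] || [ "$lport" -gt 65535 ]; then
        echo "local port must be an unprivileged port (1024-65535)" >&2
        return 1
    fi
    # -N: forward only, no remote shell.  ExitOnForwardFailure: abort if
    # LOCALPORT is already taken instead of silently connecting without the
    # forward.  The local side is bound to 127.0.0.1 so only this machine can
    # use the tunnel.
    printf 'ssh -N -o ExitOnForwardFailure=yes -i %s -L 127.0.0.1:%s:localhost:80 %s@otax.ayy.fi\n' \
        "$keyfile" "$lport" "$acct"
}

# otax_tunnel ACCOUNT KEYFILE [LOCALPORT] -> opens the tunnel in the foreground;
# phpMyAdmin is then at http://127.0.0.1:LOCALPORT/phpmyadmin/ until you press Ctrl-C
otax_tunnel() {
    otax_tunnel_cmd "$@" >/dev/null || return 1
    echo "phpMyAdmin: http://127.0.0.1:${3:-8888}/phpmyadmin/" >&2
    ssh -N -o ExitOnForwardFailure=yes -i "$2" -L "127.0.0.1:${3:-8888}:localhost:80" "$1@otax.ayy.fi"
}

# usage (placeholder values): otax_tunnel teekkari ~/.ssh/id_rsa
```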

Node.js

Using Node.js on Otax

The current version of Node.js available on Otax is v8.11.4, with NPM v5.6.0. Because they are installed as a RHEL Software Collection, by default they are only available under the path /opt/rh/rh-nodejs8/root/usr/bin/ . To make them easier to use, we suggest the following configuration:

  1. Create a NPM package directory for your association:

    mkdir ${HOME}/.node

  2. Add Node, NPM and that folder to PATH by adding the following lines to your ${HOME}/.zshrc file (the export is needed so that Node sees NODE_PATH):

    PATH="$PATH:/opt/rh/rh-nodejs8/root/usr/bin"
    PATH="$HOME/.node/bin:$PATH"
    NODE_PATH="$HOME/.node/lib/node_modules:$NODE_PATH"
    export PATH NODE_PATH

  3. Inform NPM about the new folder by creating a ${HOME}/.npmrc -file with the content:

    prefix = ~/.node

  4. Update the current shell session by running the following command:

    source ${HOME}/.zshrc

  5. Now you should be able to use the node and npm commands globally on your user account and install NPM packages with the -g argument.

Hosting a webserver with Node.js
In order for your Node.js application to be reachable from the outside via a public URL, you need to configure a reverse proxy that routes incoming traffic to a web server running on a local port. Here we assume that you want your application to be accessible at the URL “www.association.fi/service“ and that it runs on port “2000“. To get ports assigned to your Otax account, please contact tietotekniikka@ayy.fi. You will be assigned specific ports, so you will most likely need to change the port your Node.js app listens on to match. Because the server is shared between associations, make the app listen on 127.0.0.1 only: bound to 0.0.0.0 it would be reachable directly by every other account on the server, bypassing the proxy.

  1. Edit (or create) the relevant .htaccess file (for example ${HOME}/www-data/.htaccess) and prepend it with the following lines:

    <IfModule mod_rewrite.c>
        RewriteEngine On
        RewriteBase /
        # proxy to the loopback address only; the app should bind to 127.0.0.1 as well
        RewriteRule ^service/$ http://127.0.0.1:2000/ [P,L]
        RewriteCond %{REQUEST_FILENAME} !-f
        RewriteCond %{REQUEST_FILENAME} !-d
        RewriteRule ^service/(.*)$ http://127.0.0.1:2000/$1 [P,L]
    </IfModule>

  2. Now the Node.js app should be reachable via the configured path.
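Once the app is running, it is worth checking on the server that the assigned port is bound to the loopback address and not to the wildcard address, since on a shared host a wildcard listener is reachable by other accounts without going through Apache. The check below is an added example, not part of the Otax documentation; it reads the output of ss -ltn (Linux), and a constructed sample of that output is embedded so the functions can be exercised without a running app. Port numbers in the sample are placeholders.

```shell
#!/bin/sh
# otax_check_listen.sh - verify that an app behind the .htaccess proxy listens
# on loopback only. Added example, not part of the Otax documentation. Reads
# "ss -ltn" output from stdin, or from the second argument when given.

# Constructed sample of `ss -ltn` output: 2000 on loopback (good), 2001 bound
# to the IPv4 wildcard and 2002 to the IPv6 wildcard (both exposed), 3306 is
# the local MariaDB.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    127.0.0.1:2000      0.0.0.0:*
LISTEN 0      128    0.0.0.0:2001        0.0.0.0:*
LISTEN 0      128    [::]:2002           [::]:*
LISTEN 0      128    127.0.0.1:3306      0.0.0.0:*'

# otax_listen_addr PORT [SS_OUTPUT] -> prints the local address bound on PORT,
# or "none" if nothing listens there
otax_listen_addr() {
    port=$1
    if [ -n "$2" ]; then input=$2; else input=$(cat); fi
    addr=$(printf '%s\n' "$input" | awk -v p="$port" '
        $1 == "LISTEN" {
            n = split($4, a, ":")              # last ":"-separated field is the port
            if (a[n] == p) { sub(":" p "$", "", $4); print $4; exit }
        }')
    printf '%s\n' "${addr:-none}"
}

# otax_port_ok PORT [SS_OUTPUT] -> 0 only if PORT is bound to a loopback address
otax_port_ok() {
    case $(otax_listen_addr "$1" "$2") in
        127.0.0.1|'[::1]') return 0 ;;
        none)
            echo "port $1: nothing is listening (is the app running?)" >&2
            return 1 ;;
        *)
            echo "port $1: bound to a non-loopback address; other accounts on the server can reach it directly" >&2
            return 1 ;;
    esac
}

# usage on the server (2000 is the assigned port):  ss -ltn | otax_port_ok 2000
```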
Keeping your Node.js app alive through server restarts
PHP and Python applications persist through server restarts on their own, but there is currently no automatic way to restart each user’s Node.js applications. The following steps are not the only way to do this, but they are tested to work and should scale to many Node.js applications if needed. Here we assume that your application is named “service” and your association’s username is “association“.

  1. Install the PM2 package (http://pm2.keymetrics.io/) for your account by running the following command:

    npm i -g pm2

  2. Create a configuration file for PM2 to know which applications to keep alive. This file can reside anywhere, although we suggest creating an appropriate folder (for example node_processes/) for storing it.

    mkdir ${HOME}/node_processes
    touch ${HOME}/node_processes/association.config.js

  3. Append the following content to the configuration file:

    module.exports = {
      apps : [{
        name: 'service',
        cwd: '/home/association/www-data/service', // path to service
        script: 'npm -- run start:prod', // command to start service
        instances: 1,
        autorestart: true,
        watch: false,
        max_memory_restart: '1G',
        env: {
          NODE_ENV: 'production' // environment variables
        }
      }],
    };

  4. Add the following lines to your crontab (edit it by running crontab -e); the first restores the saved process list after a reboot and the second saves it every five minutes:

    @reboot /opt/rh/rh-nodejs8/root/usr/bin/node /home/association/.node/bin/pm2 resurrect
    */5 * * * * /opt/rh/rh-nodejs8/root/usr/bin/node /home/association/.node/bin/pm2 dump

  5. Start the service using PM2:

    pm2 start ${HOME}/node_processes/association.config.js

  6. Now the Node.js app should automagically restart itself if/when Otax restarts.