General questions
What is Otax and who can use it?
Otax is Aalto University Student Union’s (AYY) web hotel service for associations in AYY’s association register.
You can read more about the association register at
https://yhdistysopas.ayy.fi/?lang=en
Otax is also usable by AYY’s integral groups like sections, specific events etc.
Are there any responsibilities for Otax users?
- Otax domains must have an administrator, who is reported annually, by the end of March.
- The form for the admin report can be found at https://lomake.ayy.fi/it/otax-admin-report/?lang=en
- Any web applications running within the system must be kept up to date.
- That generally means following the security announcement lists of the programs you use.
- Administrator must know all the people who have access to association’s Otax account.
Associations failing these requirements will have their accounts locked and web pages closed.
If you just need a basic public website and have any doubts about your association’s ability to have a competent administrator in the following years, you should check the WordPress hosting option.
Acquiring the Otax service
- Association’s full name
- Association’s abbreviation (used usually for account name)
- Administrator’s name and contact information (email, phone)
- Administrator’s RSA public key for login (see Logging in to Otax account below)
- What web programs you are planning to run on the account, if any
- What domain you would like to have. Association domains are usually <association name or abbreviation>.ayy.fi though custom domains are possible.
Checklist for changing account head administrator
For old administrator:
- Check that your current web programs are up to date
- Add the new administrator’s RSA public key to the account
- Explain to the new administrator what programs your account has and how they work
For new administrator:
- Check that you can log in to your association’s Otax account with your public key
- Check current access list to your account from ~/.ssh/authorized_keys and remove or comment out people who do not need access any more
- Check your web folder’s content (~/www-data) and familiarize yourself with its content and the programs used
- Check that your current web programs are up to date
- Subscribe to security announcement lists for any used web programs (like WordPress, Joomla, MediaWiki, phpBB etc.)
- Subscribe to Otax webmasters list: https://list.ayy.fi/postorius/lists/otax-web-masters.list.ayy.fi/
- Fill out administrator report form: https://lomake.ayy.fi/it/otax-admin-report/?lang=en
Technical information
What is included in Otax service?
Currently the Otax webhotel service includes the following:
- SSH/SCP access to server
- Personal RSA keys are used for access
- Server is meant for web sites only so IRC screens, bots etc. are not allowed
- Support for PHP, Python and Node.js web programs
- PHP 7.4
- Python 3.4.2
- Node.js 8.11.4
- One MySQL compatible database
- Current database system is MariaDB 10
- phpMyAdmin for managing databases
- 20 GB web space and 20 GB for home directory and database
- <association>.ayy.fi domain
- It’s also possible to use your own domains, see below
- SSL support
- Certificates are generated by Let’s Encrypt
Can I run (some web program) on Otax?
Currently PHP 5.6 and Python 3.4 are supported. Database is MariaDB 10 which is MySQL compatible.
PHP is enabled in vhosts by default. If you want to use Python, please contact AYY’s IT support.
Are there any space limitations for accounts?
You may apply to AYY’s IT support for additional space if necessary, though we recommend using other web services for large video and picture collections.
Logging in to Otax
Association domains do not have passwords. Instead of passwords, the associations authenticate themselves for Otax with RSA keys.
SSH login is restricted to .fi domains.
How do I create the RSA key for accessing Otax?
The minimum strength for the keys is 2048 bits for RSA.
Creating the key pair with Linux server
You can create the key on Aalto’s general servers, for example, with the command:
ssh-keygen -t rsa -b 2048
The command will ask you where you wish to save the key. The default location ( ~/.ssh ) is good, so just press enter.
Next, ssh-keygen asks for a passphrase, which is entered when using the key. The password should under no circumstances be left blank!
Now the .ssh sub-directory of your home directory should contain the files id_rsa.pub (public key) and id_rsa (private key).
Creating the key pair on a home computer (Windows)
These instructions apply to PuTTYgen software. Equivalent features can also be found in other SSH software.
WARNING! Do not create RSA key pair on public computers!
Step 1: Open PuTTYgen.
Step 2: Make sure you select ’SSH-2 RSA’ under the section ”Parameters”. If you can’t see this option, check from the “Key” category in the menu bar instead. Specify the number of bits as 2048 and press ”Generate”.
Step 3: Set a passphrase for the key in the ”Key passphrase” field.
Step 4: Save the public key and the private key with ”Save public key” and ”Save private key” options. Name your key in such a way that it shows your name.
Delivering the key to Otax domain administrator
Managing public keys in Otax
ssh-keygen -i -f name_public_key
When editing manually, it is often enough to delete comments from the beginning and add “ssh-rsa”, unless it is already at the beginning of the line.
The key in the correct form looks as follows:
ssh-rsa AAAA….
Please note that the whole key must be on one line, otherwise the key will not work.
When the key is in the correct form, it can be added to the association’s Otax domain by modifying the authorized_keys file of the domain located in .ssh directory.
The lines beginning with the hash tag (#) are comments and the lines beginning with “ssh-rsa” are the public parts of RSA keys. Each ssh-rsa line should be preceded by a comment line that shows at least the following information:
- the date when the key was added to the file (yyyy-mm-dd)
- the key owner’s email address
- the key owner’s name
Therefore, the contents of the ~/.ssh/authorized_keys file can look like this (RSA keys have been shortened in this example)
#2012-12-01;aino.aaltolainen@aalto.fi;Aaltolainen;Aino;
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC99lv5GmA5GN…
#2012-12-01;pekka.perus@jotain.fi;Perus;Pekka;
ssh-rsa AAAAB3NzaC1kc3MAAAEBANk/J8dkfAWw4VXVCFniVC…
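An added example, not part of the original page or of AYY's tooling: a Python check of the conventions above that reports key lines lacking the date;email;name comment, key data that is truncated or split across lines, a declared type that differs from the type inside the key data, and RSA keys under 2048 bits. It assumes key lines start with the key type (no options field); `constructed_key` is a hypothetical helper that builds sample lines with a made-up modulus.

```python
import base64
import re
import struct

MIN_RSA_BITS = 2048  # minimum key strength stated on this page
# Comment layout taken from the page's example: #yyyy-mm-dd;email;Surname;Firstname;
COMMENT_RE = re.compile(r"^#\d{4}-\d{2}-\d{2};[^;@\s]+@[^;@\s]+;[^;]+;[^;]+;?$")

def _fields(blob):
    """Split an SSH wire-format blob into its length-prefixed fields."""
    out, pos = [], 0
    while pos < len(blob):
        (n,) = struct.unpack(">I", blob[pos:pos + 4])  # struct.error on short read
        if pos + 4 + n > len(blob):
            raise ValueError("field runs past the end of the blob")
        out.append(blob[pos + 4:pos + 4 + n])
        pos += 4 + n
    return out

def audit(text):
    """Return [(line_number, problem)] for the text of an authorized_keys file."""
    problems, prev = [], ""
    for no, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if line and not line.startswith("#"):
            parts = line.split()
            if not COMMENT_RE.match(prev):
                problems.append((no, "no date;email;name comment on the line above"))
            try:
                f = _fields(base64.b64decode(parts[1], validate=True))
                inner = f[0].decode("ascii")
            except (ValueError, IndexError, struct.error):
                problems.append((no, "key data is truncated or split across lines"))
            else:
                if inner != parts[0]:
                    problems.append((no, "declared %s but key data is %s" % (parts[0], inner)))
                elif inner == "ssh-rsa" and len(f) == 3:
                    bits = int.from_bytes(f[2], "big").bit_length()
                    if bits < MIN_RSA_BITS:
                        problems.append((no, "RSA key is only %d bits" % bits))
        prev = line
    return problems

def constructed_key(bits, inner=b"ssh-rsa"):
    """Constructed sample line: made-up modulus with `bits` bits, not a usable key."""
    s = lambda b: struct.pack(">I", len(b)) + b
    n = ((1 << (bits - 1)) | 1).to_bytes(bits // 8 + 1, "big")
    return "ssh-rsa " + base64.b64encode(s(inner) + s(b"\x01\x00\x01") + s(n)).decode()
```

Call `audit()` with the contents of ~/.ssh/authorized_keys; an empty list means every entry passed these checks.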
Using the key pair with PuTTY
Step 1: Open PuTTY.
Step 2: Choose ”Connection -> SSH -> Auth” in the left tree menu.
Step 3: Click ”Browse” on the right side of the ”Private key file for authentication” field and select the private key of your Otax key pair.
Step 4: In the menu, choose the top entry ”Session”
Step 5: Enter ’otax.ayy.fi’ to ”Host Name” field and add a name for Otax connection to ”Saved Sessions” field. Select ”Save” and after this ”Open”.
Finally, PuTTY will ask for your username and a password (passphrase). The username is your association’s Otax username and the password is the passphrase that you entered when creating the key pair.
Databases
What database systems are supported?
PostgreSQL or other database management systems are not available.
Supported storage engines are InnoDB/XtraDB and MyISAM.
What are my database name and login details?
Login details can be found from your home directory, look for a file starting with mysql.
Creating a new database?
Managing your database
Please, do NOT install phpMyAdmin client of your own. There is already phpMyAdmin service available locally.
With PuTTY (or a similar SSH program), you can open a tunnelled SSH connection to the phpMyAdmin of Otax. The phpMyAdmin of Otax is served on port 80.
Step 1: Open PuTTY.
Step 2: Choose ”Connection -> SSH -> Auth” in the left tree menu.
Step 3: Click ”Browse” on the right side of the ”Private key file for authentication” field and select the private key of your Otax key pair.
Step 4: In the left tree menu, choose ”Connection -> SSH -> Tunnels”.
Step 5: Add 8888 to ”Source Port” field and ’localhost:80’ to ”Destination” field. Click ”Add”.
Step 6: In the menu, choose the top entry ”Session”
Step 7: Enter ’otax.ayy.fi’ to ”Host Name” field and add a name for Otax connection to ”Saved Sessions” field. Select ”Save” and after this ”Open”.
After connecting, phpMyAdmin should be found with a web browser at http://localhost:8888/phpmyadmin/.
Node.js
Using Node.js on Otax
The current version of Node.js available on Otax is v8.11.4, and accompanying it is NPM v5.6.0. Due to how RHEL works, by default they are only available directly from the path /opt/rh/rh-nodejs8/root/usr/bin/. To make them more usable, we suggest that you apply the following configuration:
- Create an NPM package directory for your association:
mkdir ${HOME}/.node
- Add Node, NPM and that folder to PATH by including the following rows in your ${HOME}/.zshrc file (NODE_PATH is exported so that it reaches the node process):
PATH="$PATH:/opt/rh/rh-nodejs8/root/usr/bin"
PATH="$HOME/.node/bin:$PATH"
export NODE_PATH="$HOME/.node/lib/node_modules:$NODE_PATH"
- Inform NPM about the new folder by creating a ${HOME}/.npmrc file with the content:
prefix = ~/.node
- Update the current shell session by running the following command:
source ${HOME}/.zshrc
- Now you should be able to use the node and npm commands globally on your user account and install NPM packages with the -g argument.
Hosting a webserver with Node.js
- Edit (or create) the relevant .htaccess file (for example ${HOME}/www-data/.htaccess) and prepend it with the following lines:
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^service/$ http://0.0.0.0:2000/ [P,L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^service/(.*)$ http://0.0.0.0:2000/$1 [P,L]
</IfModule>
- Now the Node.js app should be reachable via the configured path.
Keeping your Node.js app alive through server restarts
- Install the PM2 package (http://pm2.keymetrics.io/) for your account by running the following command:
npm i -g pm2
- Create a configuration file for PM2 to know which applications to keep alive. This file can reside anywhere, although we suggest creating an appropriate folder (for example node_processes/) for storing it.
mkdir ${HOME}/node_processes
touch ${HOME}/node_processes/association.config.js
- Append the following content to the configuration file:
module.exports = {
  apps: [{
    name: 'service',
    cwd: '/home/association/www-data/service', // path to service
    script: 'npm -- run start:prod', // command to start service
    instances: 1,
    autorestart: true,
    watch: false,
    max_memory_restart: '1G',
    env: {
      NODE_ENV: 'production' // environment variables
    }
  }],
};
- Create an entry in crontab by adding the following lines (edit by running crontab -e):
@reboot /opt/rh/rh-nodejs8/root/usr/bin/node /home/association/.node/bin/pm2 resurrect
*/5 * * * * /opt/rh/rh-nodejs8/root/usr/bin/node /home/association/.node/bin/pm2 dump
- Start the service using PM2:
pm2 start ${HOME}/node_processes/association.config.js
- Now the Node.js app should automatically restart itself if/when Otax restarts.