Red Box
Create your own reliable cloud server.
Hardware
- Use a metal box and paint it in your favorite color. (I used an old storage controller)
- Hobbycolor plate that resists to at least 75 C
- Raspberry pi 3
- Micro SD card (I used 16GB but you can use any size >= 4GB)
- USB hub with an external power jack
- Usb to sata adapters
- Disk drives
- Network cable + network wall socket
- Wires + power input jack
- Bolts recovered from old computer's serial or vga port
- Usb ports recovered from old computer
Raspberry pi is attached to the hobbycolor plate with bolts from vga port.
Disks are attached with regular bolts on the back.
Wiring
- Power input jack connects to both recovered usb ports.
First usb (behind all the wires in front left) is used as a power source, only red and black wires are used and connected to the power input jack. First usb cable in this port provides power for the pi, the second usb cable provides power to the USB hub.
Second usb (the one in the back - useful for connecting additional devices) has red and black connected directly to the power input, while the white and green of each port is connected to an usb cable recovered from some old mouse (the white ones directly connected to pi)
- Lan cable connects the external network wall socket to the raspberry pi LAN port.
- Disks are connected via usb to sata adapters to the external powered USB hub (bigger capacity disks require more power and we do not want to make pi unstable) , which is connected in one of the pi ports.
Software
- Install the Operating System
Use Centos 7 for arm for higher security. (http://mirror.centos.org/altarch/7/isos/armhfp/); tested: CentOS-Userland-7-armv7hl-Minimal-1611-RaspberryPi3.img.xz, tutorial here: https://wiki.centos.org/SpecialInterestGroup/AltA...
Put the image on the micro sd card from you Linux computer (for windows check: https://www.raspberrypi.org/documentation/install...
xzcat CentOS-Userland-7-armv7hl-Minimal-1611-RaspberryPi3.img.xz | sudo dd of=$/path/to/sd/card status=progress bs=4M
root password : centos
use nmtui to configure network and set a static ip address
- Setup the disks
Create one partition on each disk (is better to be a little smaller than the entire disk - let's say 1GB smaller - different disks of the same capacity - ex: wd vs toshiba - have different sizes :) ). This way you will be safe if you need to replace one of the disks
Create a btrfs raid 1 filesystem on your disks
mkfs.btrfs -d raid1 -m raid1 /dev/sda1 /dev/sdb1
btrfs filesystem label /dev/sda1 rpi3
Mount the filesystem using autofs (prevents non booting of pi if something goes wrong with the disks)
yum install -y autofs
append the fllowing to /etc/auto.master:
/- /etc/auto.ext-usb --timeout=300
Create /etc/auto.ext-usb with the content:
/srv -fstype=auto,compress=lzo,noatime :/dev/disk/by-label/rpi3
service autofs restart
ls /srv, df -h, confirm that it is mounted
- Install owncloud
Prerequisites (apache, php, mariadb):
yum install -y httpd;yum install -y mod_ssl; yum install -y mariadb-server; yum install -y php*
Install owncloud 9 which is compatible with php54 that comes with centos7, a good tutorial for that:
http://download.owncloud.org/download/repositories...
After owncloud is up and running, move data dir from the default location to the new drives (/srv)
service httpd stop
edit /var/www/html/owncloud/config/config.php and make this change:
'datadirectory' => '/srv/owncloud/data',
mkdir /srv/owncloud; mv /var/www/html/owncloud/data /srv/owncloud && chown -R apache:apache /srv/owncloud/data/
service httpd start
You can install owncloud desktop client on linux / windows and for phones I use foldersync
- Enable and configure SELinux
(working version is: selinux-policy-3.13.1-166.el7.5.noarch, selinux-policy-targeted-3.13.1-166.el7.5.noarch)
make sure you are not updating that policy (in /etc/yum.conf append: exclude = selinux-policy*)
restorecon -Rv /
/boot/cmdline.txt should contain: selinux=1 security=selinux enforcing=1
/etc/sysconfig/selinux should contain: SELINUX=enforcing and SELINUXTYPE=targeted
reboot
Make the following settings after reboot:
yum install -y policycoreutils-python
semange fcontext -a -t httpd_sys_rw_content_t /srv/owncloud(/.*)?
setsebool -P httpd_builtin_scripting=1; setsebool -P httpd_can_network_connect=1; setsebool -P httpd_enable_cgi=1; setsebool -P httpd_graceful_shutdown=1
if you encounter any issues put sd card into another computer and modify cmdline.txt to have: selinux=0
- Secure your box
Change root password
Create yourself a user (adduser -s /bin/bash "me") and set a strong password ( passwd "me")
configure sshd to listen on another port and do NOT allow root logins
In /etc/ssh/sshd_config, set Port
(let's say 2222), PermitRootLogin no
Tell SELinux and firewalld about yout intentions:
semanage port -a -t ssh_port_t -p tcp 2222
service firewalld start && systemctl enable firewalld.service
firewall-cmd --permanent --add-port 2222/tcp
firewall-cmd --reload
service sshd restart
- Make it public
On your internet router forward this ports to your static ip set in first step: 80, 443, 2222.
Setup DDNS on your router so you can access your box from anywhere.
- Fine tuning
Set apache to 5 procs as memory is low:
/etc/httpd/conf.modules.d/00-mpm.conf
LoadModule mpm_prefork_module modules/mod_mpm_prefork.so
StartServers 5
MinSpareServers 5
MaxSpareServers 5
ServerLimit 5
MaxClients 5
MaxRequestsPerChild 3000
service httpd restart
Setup cron to weekly scrub the disks and make a snapshot each night (in /etc/crontab)
01 02 * * 6 root btrfs scrub start /srv
01 01 * * * root /usr/sbin/btrfs subvolume snapshot -r /srv /srv/@$(printf "\%s" $(/bin/date +\%d\%b\%Y-\%k-\%M))
check from time to time the volume with: btrfs dev stats /srv
Use watchdog to automatically reset if it becomes unresponsive (raspberry pi3 has a hardware one):
yum install -y watchdog
/etc/watchdog.conf
watchdog-device = /dev/watchdog
watchdog-timeout = 15
interval = 1
logtick = 1 log-dir = /var/log/watchdog
realtime = yes
priority = 1
service watchdog start && systemctl enable watchdog.service