Provisioning the server
First of all, we need a server to install the software on. There are many hosting providers that offer cheap Linux servers. I have been trying out DigitalOcean, where you can get a nice little server suitable for Oracle XE for as little as USD 10 per month. After you sign up, a new server complete with the operating system installed can be up and running in as little as 50 seconds (!). It is also very easy to scale up (or down) the server according to your needs.
A note on security
Linux security is a big topic in itself. In order to keep this blog post short and sweet, I will describe some security recommendations in a separate blog post. But in general, always use strong passwords (and/or certificates and/or two-factor authentication), never install more components than you need, and always apply the principles of minimal privileges and defense in-depth.
Creating the server
First you need to sign up to DigitalOcean (or another cloud provider of your choice). The sign-up process is quick and painless. I like that you can pay DigitalOcean using PayPal, so you don't need to give them your credit card details.
After signing up, create a new server (called a "droplet" in DigitalOcean's terminology).
When choosing a server size, keep in mind that Oracle XE cannot use more than 1 GB of memory. As we will see later, you can happily run Oracle XE together with Apache, Tomcat and ORDS, all on a 1 GB server. (It is tempting to compare that to, say, the minimum requirements for SharePoint... but let's stay on topic! :-)
You get to choose the physical location of the server. Select a data center that is geographically close to you and your users, as this will obviously reduce data transfer times across the network.
Select the 64-bit version of CentOS 6.5 (while CentOS 7.x is also available, this is not in widespread use yet, so I'm sticking with the more well-known version 6.x for now).
Logging in to the new server
When the server is created, you get the "root" password emailed to you, so you can log in to the server. The root user on Linux is similar to the local Administrator account in Windows. As we will get back to later, it is actually recommended not to use the root user regularly, and only "become root" (via the "sudo" command or via other users defined as administrators in the "sudoers" file) when necessary. To keep things simple, we'll use the root user for now, but get back to security best practices in a later post.
Logging in to the new server is done via "ssh" (secure shell). If you have a Mac, just open a terminal and type ssh root@server_ip_address and, when prompted, enter your password to log in.
If you have a Windows machine, there is no built-in ssh client, so you need to install some additional software. I recommend pimping up your Windows console window with cmder, a good-looking console emulator (make sure you download the full version of cmder that bundles the "msysgit" suite, which includes a bunch of Unix commands, including ssh). Once you have cmder installed, use the same command as for the Mac above to log in.
If you managed to log in as root, run the command ls -la / and you should see something similar to this:
Congratulations, you now have your very own Linux server to play around with! :-)
Check out these links for more information:
- https://www.digitalocean.com/community/tutorials/how-to-create-your-first-digitalocean-droplet-virtual-server
- https://www.digitalocean.com/community/tutorials/initial-server-setup-with-centos-6
Installing some basic utils
After logging in to the new server for the first time, let's install some basic utilities that we will need later. In CentOS, the "package manager" that you use to download and install software from a standard repository is called "yum". Run the following commands:
# install some basic utils
yum install nano -y
yum install unzip -y
yum install bc -y
yum install wget -y
The basic utilities include "nano" (a text editor which I prefer over the default "vim" editor; the latter is probably very productive for power users, but a pain in the ass to use unless you remember a series of cryptic commands -- a bit like Linux in general I guess!), as well as "wget" (to get/download files from the Internet using the command line), "unzip" (self-explanatory) and "bc" (a basic calculator).
Setting the server time zone
It's useful to have the server date and time automatically synchronized with a remote time server, so let's set up Network Time Protocol (NTP).
# setup Network Time Protocol (NTP)
# see http://www.uptimemadeeasy.com/networking/setup-ntp-on-centos-linux/
# check current date/time
date
# setup time zone
mv /etc/localtime /etc/localtime.bkp
cp /usr/share/zoneinfo/Europe/Oslo /etc/localtime
# install NTP
yum install ntp -y
chkconfig ntpd on
cat >> /etc/ntp.conf << EOF
server 0.no.pool.ntp.org
server 1.no.pool.ntp.org
server 2.no.pool.ntp.org
server 3.no.pool.ntp.org
EOF
cat >> /etc/ntp/step-tickers << EOF
0.no.pool.ntp.org
1.no.pool.ntp.org
2.no.pool.ntp.org
3.no.pool.ntp.org
EOF
service ntpd restart
# wait 5-10 minutes and check current date/time again
date
Adding swap space
Oracle XE needs a certain amount of swap space (a file where the operating system can "swap" stuff from memory to disk when there is too little physical memory available), so let's set that up.
# Oracle XE requires a swap file of at least twice the size of physical memory
# see https://www.digitalocean.com/community/tutorials/how-to-add-swap-on-centos-6
# check current swap file
swapon -s
# check available space
df
# setup 2GB swap file
dd if=/dev/zero of=/swapfile bs=1024 count=2048k
# prevent the file from being world-readable before it is put to use
# (mkswap/swapon warn about insecure permissions otherwise)
chown root:root /swapfile
chmod 0600 /swapfile
mkswap /swapfile
swapon /swapfile
# check swap file again
swapon -s
# make the swap file permanent
# see http://blog.allanglesit.com/2012/05/bash-programmatically-add-entries-in-fstab/
echo "/swapfile swap swap defaults 0 0" >> /etc/fstab
Setting up the fully qualified domain name (FQDN)
The "hosts" file contains a mapping between IP addresses and domain names. We need to make sure that the server's IP address is mapped to a "fully qualified domain name" (FQDN), otherwise the Oracle XE installation will fail, as described in detail here.
So, to make sure we have a fully qualified domain name in our hosts file, run nano /etc/hosts and put in a line with your IP address and your server name.
# sample /etc/hosts file
# see http://unix.stackexchange.com/questions/13046/format-of-etc-hosts-on-linux-different-from-windows
# IPv4
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
# IPv6
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
# put your IP address, then your fully qualified hostname, then any aliases below
1.2.3.4 myserver.mydomain.example myserver
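Because the installer failure described above is caused by a missing or unqualified name, it is worth checking the hosts file before running the installer. The following is an added example (not from the original post) that reads a hosts file and reports whether the canonical name for a given IP address is fully qualified; the file path and address are arguments, and the sample hosts content is constructed.

```shell
#!/bin/bash
# Added example: verify that a hosts file maps an IP address to a fully
# qualified domain name. Usage: check_fqdn_mapping <hosts-file> <ip>
# Prints the canonical name and returns 0 when it is an FQDN, 1 otherwise.
check_fqdn_mapping() {
    local hosts_file="$1" ip="$2"
    local canonical
    # First non-comment line whose first field is the IP; the second field is
    # the canonical name (what "hostname -f" returns), later fields are aliases.
    canonical=$(awk -v ip="$ip" '$1 !~ /^#/ && $1 == ip { print $2; exit }' "$hosts_file")
    if [ -z "$canonical" ]; then
        echo "no entry for $ip"
        return 1
    fi
    case "$canonical" in
        *.*) echo "$canonical"; return 0 ;;
        *)   echo "$canonical is not fully qualified (no dot)"; return 1 ;;
    esac
}

# Constructed sample hosts file (not a real server) used for the demo below.
SAMPLE_HOSTS='127.0.0.1 localhost localhost.localdomain
::1 localhost localhost.localdomain
# FQDN first, alias second
1.2.3.4 myserver.mydomain.example myserver'

demo_file=$(mktemp)
printf '%s\n' "$SAMPLE_HOSTS" > "$demo_file"
check_fqdn_mapping "$demo_file" 1.2.3.4   # prints myserver.mydomain.example
rm -f "$demo_file"
```

On the real server, run it as check_fqdn_mapping /etc/hosts <your-ip> after editing the file; note that swapping the order of the FQDN and the alias on the line makes the check fail, which is the same mistake that trips up the installer.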
Setting up a firewall
We should only allow access to the server on the ports that we need. For a typical web server, this will be ports 80 and/or 443 (for HTTP and/or HTTPS), and port 22 (for SSH). Actually, you should change the default SSH port from 22 to some other random number, but we will get back to that later when we talk about hardening the server.
Tim Hall has written an excellent article about the Linux firewall, known as "iptables". Rather than repeat what Tim has already explained, I suggest you read his article, and then copy the following and save it as firewall.sh in the /root folder of your server. Then make the file executable by running chmod u+x /root/firewall.sh and run the script with /root/firewall.sh.
#!/bin/bash
# see http://oracle-base.com/articles/linux/linux-firewall.php
# Set the default policies to allow everything while we set up new rules
# Prevents cutting yourself off when running from remote SSH
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
# Flush any existing rules, leaving just the defaults
iptables -F
# Open port 22 for incoming SSH connections
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
# Open port 80 for incoming HTTP requests
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
# Open port 443 for incoming HTTPS requests
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
# open port 8080 for Oracle XDB/EPG (uncomment if required)
#iptables -A INPUT -p tcp --dport 8080 -j ACCEPT
# open port 1521 for SQL*Net (uncomment if required)
# NOTE: this is not needed for a web server, but can be useful for a dev environment
# replace 1.2.3.4 with your own client IP address
#iptables -A INPUT -p tcp --dport 1521 -s 1.2.3.4 -j ACCEPT
# *** Put any additions to the INPUT chain here
#
# *** End of additions to INPUT chain
# accept any localhost (loopback) calls
iptables -A INPUT -i lo -j ACCEPT
# allow any existing connection to remain
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# reset the default policies to stop all incoming and forward requests
iptables -P INPUT DROP
iptables -P FORWARD DROP
# accept any outbound requests from this server
iptables -P OUTPUT ACCEPT
# save the settings
service iptables save
# display the settings
iptables -L -v --line-numbers
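Once the script has run, the thing to verify is that only the intended ports (22, 80, 443) are reachable from anywhere, and that anything else, such as the optional 1521 rule, carries a source restriction. The following added example (not part of the original post or Tim Hall's article) audits rules in the format printed by iptables -S INPUT and flags any world-reachable port outside the allowed list; the rule text it runs on is a constructed sample.

```shell
#!/bin/bash
# Added example: audit INPUT rules in "iptables -S INPUT" format.
# Ports listed in ALLOWED may be open to any source; any other port that is
# reachable without a -s source filter is reported as UNEXPECTED.
ALLOWED="22 80 443"

# Reads rules on stdin and prints one line per ACCEPT rule with a --dport:
#   open <port>              world-reachable and expected
#   UNEXPECTED <port>        world-reachable and not in ALLOWED
#   restricted <port> <src>  limited to a source address/network
audit_input_rules() {
    awk -v allowed="$ALLOWED" '
    BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    $1 == "-A" && $2 == "INPUT" && / -j ACCEPT/ {
        port = ""; src = ""
        for (i = 3; i <= NF; i++) {
            if ($i == "--dport") port = $(i + 1)
            if ($i == "-s")      src  = $(i + 1)
        }
        if (port == "") next
        if (src != "")        print "restricted " port " " src
        else if (port in ok)  print "open " port
        else                  print "UNEXPECTED " port
    }'
}

# Constructed sample: what the script above produces, plus a port 8080 rule
# that someone uncommented without adding a source restriction.
SAMPLE_RULES='-P INPUT DROP
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -s 1.2.3.4/32 -p tcp -m tcp --dport 1521 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT'

# Returns 0 when no UNEXPECTED port is found, 1 otherwise (handy for cron).
rules_are_clean() { ! audit_input_rules | grep -q '^UNEXPECTED'; }

echo "$SAMPLE_RULES" | audit_input_rules
```

On the server itself, feed it the live rule set with iptables -S INPUT | audit_input_rules; the sample deliberately produces one UNEXPECTED line for port 8080.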
Uploading Oracle software to the server
As the final part of preparing to install Oracle XE, ORDS and Apex on the server, we need to upload the different installation files to the server, so we can run them there.
Let's create a folder on the server where we can put the installation files:
mkdir -p /u01/download
The -p flag creates any missing parent folders as well, so two (or more) nested folders can be created with a single command.
Why is the root folder called "u01"? Turns out this is a naming convention for Oracle software that goes way back. Linux folder names don't always make much sense, but I guess "u01" is as good as any.
And I guess there is an argument to be made for the sub-folder to be called "upload", as we will copy, or upload, stuff into it, but because it holds installation files that we would normally download directly to the server, I have called it "download".
The thing is, when downloading stuff from Oracle, you generally have to click an "Accept License Agreement" radio button and also log in with an OTN account to actually get access to the file you wish to download. If it wasn't for this, the "wget" command could be used from the command line on the server to download the files directly to the server. As things stand, I find it best to download the desired software using a regular web browser on the client computer (i.e. my laptop) and then use the "scp" (secure copy) command to upload the files to the server.
So, go download the following software to your local computer:
- Oracle Express Edition (XE) 11g for Linux x64
- Java JDK 1.7 for Linux x64
- Oracle Rest Data Services (ORDS) 2.0.10
- Oracle Application Express (Apex) 5.0
# copy files from client to server
# assumes you have downloaded everything into an "install" folder
# adjust SSH port number, file paths, server/host name and version numbers as appropriate
cd /users/yourname/install/oracle
scp -P 22 oracle-xe-11.2.0-1.0.x86_64.rpm.zip root@server-name-or-ip:/u01/download/
scp -P 22 apex_5.0.1_en.zip root@server-name-or-ip:/u01/download/
scp -P 22 jdk-7u79-linux-x64.rpm root@server-name-or-ip:/u01/download/
scp -P 22 ords.2.0.10.289.08.09.zip root@server-name-or-ip:/u01/download/
You should now have the installers for the various Oracle applications sitting in the /u01/download folder on the server.
Next Steps
Finally, we are now ready to install the Oracle software! This will be covered in part two of this series of blog posts.
4 comments:
Do you have a Referral Link for Digital Ocean?
@Tim: Here's my referral link: https://www.digitalocean.com/?refcode=1f756ef086c3
- Morten
You forgot to add "." or "source" in "type /root/firewall.sh to run the script". It can be confusing for a person who learns Linux from this post.
Great tutorial anyway.
@kmlsch: Thanks for the feedback, I've updated the article.
- Morten