ConoHaサーバ移行ログ

LL DiverでConoHaの¥3,000分のクーポンを貰ったのでDigitalOceanで動かしているサーバを一部移行した作業ログ。

OSインストール

  • VPS追加から追加
  • 追加したVPSの設定完了メール確認後、OS再インストール(Debian 7 64bit)
  • 作業ユーザはインストール時に作成
  • パーティションは/dataを切っておく
  • パッケージは以下の通り

f:id:i2bs:20140825012255p:plain

必要なパッケージのインストール

Nginx/Redis/MariaDB/Ruby/Rails等で使うパッケージ等をインストール。

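# Refresh the package index and install the build/runtime dependencies in one
# step; `&&` so a failed update does not install from a stale index.
# iptables-persistent is what restores /etc/iptables/rules.v4 (edited further down).
apt-get update && apt-get -y install \
    vim gcc g++ make git \
    libreadline-dev libyaml-dev libssl-dev libpcre3 libpcre3-dev \
    zlib1g zlib1g-dev libncurses5-dev libaio-dev \
    sudo curl iptables iptables-persistent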

エディタの変更

デフォルトがnanoなのでvimに変更。

update-alternatives --config editor

sudoの設定

# Create an admin group with a fixed gid and put the work user in it, then edit
# sudoers through visudo so the file is syntax-checked before it is saved.
groupadd -g 3000 developer
usermod -a -G developer work_user
visudo
23c23
< %sudo ALL=(ALL:ALL) ALL
---
> %developer  ALL=NOPASSWD:ALL
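Review bot: `%developer ALL=NOPASSWD:ALL` gives every member of developer a passwordless root shell, and since ssh is switched to key-only further down, the private key on the admin's workstation becomes the sole credential between an attacker and root on this box. Unless unattended automation genuinely needs it, keep the prompt with `%developer ALL=(ALL:ALL) ALL`, or scope NOPASSWD to the handful of commands that require it. Note that the line being replaced is the stock `%sudo` rule, so anyone relying on membership in the sudo group loses sudo after this edit.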

sshの設定

.sshディレクトリの作成

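su - work_user
# Create the directory with the mode sshd expects from the start, so it never
# exists briefly with a looser mode (mkdir follows umask; install -d -m does not).
install -d -m 700 ~/.ssh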

public keyのupload

scp ~/path/to/id_rsa.pub work_user@xxx.xxx.xxx.xxx:~/.ssh/authorized_keys

権限を変更しておく

# Same tightening in symbolic form: owner-only on the directory, owner read-only
# on the key list (sshd's StrictModes, on by default, rejects group/other-writable ones).
su - work_user
chmod u=rwx,go= ~/.ssh
chmod u=r,go= ~/.ssh/authorized_keys

ssh serverの設定変更と再起動

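vi /etc/ssh/sshd_config
# Refuse to restart on a config sshd cannot parse: a broken sshd_config after a
# restart means no way back onto a VPS. Keep this session open and confirm a
# key-based login on the new port from a second terminal before closing it.
/usr/sbin/sshd -t && /etc/init.d/ssh restart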
5c5
< Port 22
---
> Port 10022
27c27
< PermitRootLogin yes
---
> PermitRootLogin no
51c51
< #PasswordAuthentication yes
---
> PasswordAuthentication no
71a72,73
>
> ClientAliveInterval 15
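Review bot: `PasswordAuthentication no` closes only the password method; the PAM keyboard-interactive path still accepts passwords unless `ChallengeResponseAuthentication no` is set as well, so confirm that line is present (the Debian 7 stock file sets it, but check it was not changed). The restart shown above the edits is the lockout risk here: verify a key-based login on port 10022 from a second terminal while the current session stays open. `ClientAliveInterval 15` on its own pairs with sshd's default `ClientAliveCountMax 3`, so an unresponsive client is dropped after roughly 45 seconds, which is probably intended but worth a comment in the file. Moving to port 10022 is obscurity only; the matching iptables rule further down is what actually limits exposure.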

iptables

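vi /etc/iptables/rules.v4
# Parse the ruleset without committing it first: a typo in rules.v4 would
# otherwise leave the box in whatever partial state the restart produced.
iptables-restore --test < /etc/iptables/rules.v4 && /etc/init.d/iptables-persistent restart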
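*filter
# Explicit chain policies. The REJECT rules at the end already implement
# default-deny, but a DROP policy on INPUT/FORWARD means nothing gets through
# if those rules are ever removed or a later rule is inserted after them.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]

# NOTE: this file is IPv4 only. If the VPS has an IPv6 address, ip6tables keeps
# its accept-everything default until an equivalent /etc/iptables/rules.v6 exists.

# Allows all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT

# Drop packets conntrack cannot classify before trusting connection state
-A INPUT -m state --state INVALID -j DROP

# Accepts all established inbound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allows all outbound traffic
# You could modify this to only allow certain traffic
-A OUTPUT -j ACCEPT

# Allows HTTP and HTTPS connections from anywhere (the normal ports for websites)
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT

# Allows SSH connections
# THE -dport NUMBER IS THE SAME ONE YOU SET UP IN THE SSHD_CONFIG FILE
# Consider adding `-s <admin network>` here: sshd is key-only but still exposed
# to every address, and a non-standard port is not a substitute for that.
-A INPUT -p tcp -m state --state NEW --dport 10022 -j ACCEPT

# Now you should read up on iptables rules and consider whether ssh access
# for everyone is really desired. Most likely you will only allow access from certain IPs.

# Allow ping
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT

# log iptables denied calls (access via 'dmesg' command)
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7

# Reject all other inbound - default deny unless explicitly allowed policy:
-A INPUT -j REJECT
-A FORWARD -j REJECT

COMMIT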

Ruby

# rbenv and ruby-build go system-wide under /usr/local. Both clones track the
# default branch, unpinned: for a reproducible, auditable build clone a release
# tag instead, and read what ./install.sh does before running it as root.
rbenv_root=/usr/local/rbenv
git clone https://github.com/sstephenson/rbenv.git "$rbenv_root"
git clone https://github.com/sstephenson/ruby-build.git /usr/local/ruby-build
cd /usr/local/ruby-build
./install.sh
vi /etc/bash.bashrc
56a57,61
> if [ -d /usr/local/rbenv ]; then
>   export PATH=/usr/local/rbenv/bin
>   eval "$(rbenv init -)"
> fi
>
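Review bot: `export PATH=/usr/local/rbenv/bin` assigns PATH instead of extending it, so after this block every new shell has only rbenv (plus the shims that `rbenv init -` prepends) on PATH and ordinary commands such as `make` or `ls` stop resolving. If the `:$PATH` was lost in transcription the line should read `export PATH=/usr/local/rbenv/bin:$PATH`; if not, this is the bug to fix before the `bash -l` that follows. The later `echo 'export PATH=$PATH:/usr/local/mysql/bin'` appended to the same file builds on whatever this line left behind, so it inherits the problem.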
# Re-read the profile so rbenv is on PATH, list the available definitions,
# build 2.1.2, make it the default and install bundler under it.
bash -l
rbenv install -l
rbenv install 2.1.2
rbenv global 2.1.2
gem install bundler
rbenv rehash

Nginx

ユーザ追加

# Service account for the worker processes: fixed uid/gid, no login shell,
# home under the install prefix.
groupadd -g 2001 nginx
useradd -u 2001 -g nginx -s "$(command -v nologin)" -d /usr/local/nginx nginx

Nginxインストール

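cd /usr/local/src
# Fetch the tarball and its PGP signature from nginx.org and verify before
# unpacking: the original pulled over plain HTTP with no integrity check at all.
# gpg needs the nginx signing key imported first (the key is published on nginx.org).
wget -c https://nginx.org/download/nginx-1.6.1.tar.gz
wget -c https://nginx.org/download/nginx-1.6.1.tar.gz.asc
gpg --verify nginx-1.6.1.tar.gz.asc nginx-1.6.1.tar.gz && tar xzf nginx-1.6.1.tar.gz
cd nginx-1.6.1
./configure --prefix=/usr/local/nginx --with-http_ssl_module --with-http_gzip_static_module --with-http_stub_status_module
make && make install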

Nginx設定

# Layout: per-site configs in conf.d, site roots under vhosts. The stock
# nginx.conf is kept with a date suffix and the old server's config dropped in.
nginx_conf=/usr/local/nginx/conf
mkdir "$nginx_conf/conf.d" /usr/local/nginx/vhosts
mv -i "$nginx_conf/nginx.conf" "$nginx_conf/nginx.conf.$(date +%Y%m%d)"
cp -pi ~/backup/nginx.conf "$nginx_conf/nginx.conf" # brought over from the old server
# Empty, executable init script to be filled in by the editor below.
install -m 755 /dev/null /etc/init.d/nginx
vi /etc/init.d/nginx
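#!/bin/bash

# Nginx start stop script
#
# Debian
### BEGIN INIT INFO
# Provides:          nginx
# Required-Start:    $all
# Required-Stop:     $all
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: start and stop Nginx daemon
# Description:       start and stop Nginx daemon
### END INIT INFO
#
# CentOS
# chkconfig: 345 99 1
# description: Nginx start stop script
# processname: nginx
#
# Usage: nginx {start|stop|restart|graceful}
#   start    - launch the master process unless the pidfile names a live one
#   stop     - send SIGQUIT to the master (finish in-flight requests, then exit)
#   restart  - stop, wait for the old master to go away, then start
#   graceful - send SIGHUP to the master (re-read configuration)
#
# The pid read from $PIDFILE is handed to kill(1), so the file is only trusted
# when it holds a plain number and that pid is alive.

SERVER_ROOT=/usr/local/nginx
NGINX=$SERVER_ROOT/sbin/nginx
PIDFILE=$SERVER_ROOT/logs/nginx.pid
# Seconds restart waits for the old master to exit before starting a new one.
STOP_TIMEOUT=10

[ -x "$NGINX" ] || exit 1

# Print the pid recorded in $PIDFILE; fail if the file is missing or holds
# anything other than digits, so a truncated or corrupted file can never turn
# into `kill <garbage>`.
nginx_pid() {
    local pid
    [ -f "$PIDFILE" ] || return 1
    read -r pid < "$PIDFILE" || [ -n "$pid" ] || return 1
    case $pid in
        ''|*[!0-9]*) return 1 ;;
    esac
    printf '%s\n' "$pid"
}

# Print the pid from $PIDFILE if that process exists; fail otherwise.
running_pid() {
    local pid
    pid=$(nginx_pid) || return 1
    ps -p "$pid" > /dev/null 2>&1 || return 1
    printf '%s\n' "$pid"
}

# Exit unless the configuration parses. Called only from start/graceful: the
# previous version ran this check before every action, which made `stop`
# impossible while nginx.conf had a syntax error. Run `nginx -t` by hand to
# see the parser's message.
check_config() {
    if ! "$NGINX" -t > /dev/null 2>&1 ; then
        echo "Syntax error! Please confirm the config file."
        exit 1
    fi
}

do_start() {
    check_config
    if running_pid > /dev/null ; then
        echo "Nginx is already running..."
        exit 1
    fi
    "$NGINX" || echo "Failed to start Nginx."
}

do_stop() {
    local pid
    if [ ! -f "$PIDFILE" ] ; then
        echo "Nginx is not running."
        exit 1
    fi
    if pid=$(running_pid) ; then
        kill -QUIT "$pid" || echo "Failed to stop Nginx."
    else
        echo "Nginx is not running."
        exit 1
    fi
}

do_graceful() {
    local pid
    check_config
    if [ ! -f "$PIDFILE" ] ; then
        echo "Nginx is not running."
        exit 1
    fi
    if pid=$(running_pid) ; then
        kill -HUP "$pid" || echo "Failed to graceful Nginx."
    else
        echo "Nginx is not running."
        exit 1
    fi
}

# Poll until the master named in the pidfile is gone, giving up after
# $STOP_TIMEOUT seconds. The fixed `sleep 2` this replaces raced a slow
# graceful shutdown and then tripped "already running" in do_start.
wait_for_exit() {
    local waited=0
    while running_pid > /dev/null ; do
        if [ "$waited" -ge "$STOP_TIMEOUT" ] ; then
            echo "Nginx did not exit within ${STOP_TIMEOUT}s."
            exit 1
        fi
        sleep 1
        waited=$((waited + 1))
    done
}

case "$1" in
    start)
        do_start;;
    stop)
        do_stop;;
    restart)
        do_stop
        wait_for_exit
        do_start;;
    graceful)
        do_graceful;;
    *)
        echo "Usage: nginx [start|stop|restart|graceful]"
        exit 1;;
esac

exit 0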

VirtualHost

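mkdir -p /usr/local/nginx/vhosts/example.com/{html,logs,ssl.crt,ssl.key}
cp -pi ~/backup/example.com.conf /usr/local/nginx/conf/conf.d/example.com.conf # brought over from the old server
cp -pi ~/backup/server.chained.crt /usr/local/nginx/vhosts/example.com/ssl.crt/. # brought over from the old server
cp -pi ~/backup/server.key /usr/local/nginx/vhosts/example.com/ssl.key/. # brought over from the old server
# cp -p keeps whatever mode the backup copy had; pin the private key down
# regardless. The master process (started as root by the init script) reads
# it, so the nginx worker user needs no access to it.
chown root:root /usr/local/nginx/vhosts/example.com/ssl.key/server.key
chmod 600 /usr/local/nginx/vhosts/example.com/ssl.key/server.key
chmod 700 /usr/local/nginx/vhosts/example.com/ssl.key
# The copy left in ~/backup (and on the old server) is the same private key;
# remove it once the vhost is confirmed working.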

Redis

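cd /usr/local/src/
# Plain-HTTP download with nothing verifying the tarball: compare its digest
# with the hash redis.io publishes for this release before building.
wget -c http://download.redis.io/releases/redis-2.8.13.tar.gz
sha256sum redis-2.8.13.tar.gz
tar zxvf redis-2.8.13.tar.gz
cd redis-2.8.13
make && make install
mkdir -p /data/redis/dump
mkdir /var/log/redis
ln -s /data/redis /usr/local/redis
# The stock redis.conf used to be copied into place and then immediately
# overwritten by the backup (cp -i prompting for it); keep it under another
# name instead so the old config can be diffed against 2.8.13's defaults.
cp -pi redis.conf /usr/local/redis/redis.conf.dist
cp -pi ~/backup/redis.conf /usr/local/redis/redis.conf # brought over from the old server
# NOTE(review): nothing in this log creates an unprivileged redis user (nginx
# and mysql get one). Check how redis is started so it does not run as root,
# and that redis.conf binds 127.0.0.1 -- there is no authentication unless
# requirepass is set, and only the firewall above keeps 6379 off the network.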

MariaDB

ユーザ作成

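groupadd -g 2008 mysql
# Service account: mysql_install_db below runs as root with --user=mysql and
# the server is normally started the same way, so nothing needs an interactive
# shell here. Give it nologin like the nginx user instead of /bin/bash.
useradd -u 2008 -g mysql -d /home/mysql -m -s "$(command -v nologin)" mysql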

インストール

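cd /usr/local/src
wget -c https://downloads.mariadb.org/interstitial/mariadb-10.0.12/bintar-centos5-amd64/mariadb-10.0.12-linux-x86_64.tar.gz/from/http://ftp.yz.yamagata-u.ac.jp/pub/dbms/mariadb -O mariadb-10.0.12-linux-x86_64.tar.gz
# The tarball comes from a mirror over plain HTTP and nothing here checks it.
# Compare the digest with the one published beside the tarball on the MariaDB
# download page (and, where offered, verify the GPG signature) before unpacking.
sha256sum mariadb-10.0.12-linux-x86_64.tar.gz
tar zxvf mariadb-10.0.12-linux-x86_64.tar.gz
# Live under /data (the separate partition) with a version-independent symlink.
mv -i mariadb-10.0.12-linux-x86_64 /data/.
ln -s /data/mariadb-10.0.12-linux-x86_64 /usr/local/mysql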

初期化

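# Standard tarball bootstrap: create the system tables as mysql, hand the tree
# back to root, and leave only the data directory owned by the server account.
# Chained so a failed cd or install_db does not run chown against the wrong tree.
cd /usr/local/mysql &&
scripts/mysql_install_db --user=mysql &&
chown -R root . &&
chown -R mysql data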

設定

cp -pi ~/backup/my.cnf /etc/my.cnf # brought over from the old server
# Put the client binaries on everyone's PATH, then open a login shell so it applies.
printf '%s\n' 'export PATH=$PATH:/usr/local/mysql/bin' >> /etc/bash.bashrc
bash -l
# NOTE(review): /etc/init.d/mysql is not created anywhere in this log;
# presumably support-files/mysql.server from the tarball was copied in.
/etc/init.d/mysql start
# Interactive hardening prompts (root password, anonymous users, test database).
mysql_secure_installation
# Make libmysqlclient visible to the linker for the Ruby gems built later.
printf '%s\n' /usr/local/mysql/lib > /etc/ld.so.conf.d/mariadb.conf
ldconfig

App

# Application checkout on the /data partition, reachable via /usr/local/rails.
# NOTE(review): this runs as root, so the checkout is root-owned, and the clone
# needs an SSH identity with Bitbucket access on this server -- use a read-only
# deploy key for the repository rather than a personal key.
rails_root=/data/rails
mkdir -p "$rails_root"
ln -s "$rails_root" /usr/local/rails
cd /usr/local/rails
git clone git@bitbucket.org:user/repo.git