2020년 11월 8일

오라클 클라우드 무료 체험하기 - Part2 Web 서버 구축하기

MySql 구축과 동일한 방법으로 웹 서버 구축을 위한 VM 인스턴스를 추가한다. 예상되는 전체 작업 순서는 아래와 같다.


① VM 인스터스 생성 (CentOS 7.x)
② VM 인스턴스 공인 IP 및 방화벽 설정
③ 블록 스토이지 생성
④ 블록 스토이지 와 VM 인스턴스 연결
⑤ WAS/WAS 설치 (nginx, tomcat)
⑥ 웹 프로그램 설치 및 테스트


(인스턴스 생성 및 IP 설정은 이전 게시물 참조 :  오라클 클라우드 무료 체험하기 - Part1 MySql 구축하기)  


블록 스토이지 생성

블록 볼륨(Block Volume) 서비스는 블록 스토리지를 제공하고 관리하는 네트워크 기반 스토리지 서비스이다. VM 인스턴스는 이 블록 스토이지(Block Storage)를 마운트하여 스토리지를 확장하여 사용할 수 있다.  새로운 블록을 생성하고 이를 웹 서버 VM 인스턴스에서 마운트하여 웹 데이터 공간으로 사용할 계획이다. 블록 스토리지를 추가하는 방법은 아래와 같이 3단계가 필요하다.  

① 오라클 클라이우드 콘솔 (Web UI)에서 블록 볼륨 리소스 생성
② 블록 볼륨을 VM 인스턴스에 연결
③ VM 인스턴스에서 블록 볼륨을 파일 시스템으로 마운트



블록은 50GB 크기로 생성했다. 



블록 스토이지 연결

이제 웹 서버 용도로 생성한 VM 인스턴스 에서 생성한 블록을 연결한다.





블록 볼륨과 VM 이 연결되면 "iSCSI 명령 및 정보" 항목을 확인하고 연결을 위한 명령을 복사한다. 


?
1
2
3
4
5
sudo iscsiadm -m node -o new -T iqn.2015-12.com.oracleiaas:b8949530-afa4-4546-a6ff-4b33f67e5a1e -p 169.254.2.2:3260
 
sudo iscsiadm -m node -o update -T iqn.2015-12.com.oracleiaas:b8949530-afa4-4546-a6ff-4b33f67e5a1e -n node.startup -v automatic
 
sudo iscsiadm -m node -T iqn.2015-12.com.oracleiaas:b8949530-afa4-4546-a6ff-4b33f67e5a1e -p 169.254.2.2:3260 -l
SSH 접속 하여 복사한 iSCSI 명령어를 모두 실행하고 lsblk 명령으로 블록 볼륨이 마운트 되어 있는지 확인한다. 아래의 예에서는 sdb 이름의 50GB 디스크를 확인할 수 있다.
?
1
2
3
4
5
6
7
$lsblk
NAME   MAJ:MIN RM  SIZE RO TYPE MOUNTPOINT
sda      8:0    0 46.6G  0 disk
├─sda1   8:1    0  512M  0 part /boot/efi
├─sda2   8:2    0    8G  0 part [SWAP]
└─sda3   8:3    0 38.1G  0 part /
sdb      8:16   0   50G  0 disk
다음으로 연결된 블록 볼륨을 사용하기 위하여 ext4 형식으로 디스크를 포맷한다. 
$sudo mkfs.ext4 -m 0 -E lazy_itable_init=0,lazy_journal_init=0,discard /dev/sdb
?
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
$sudo mkfs.ext4 -m 0 -E lazy_itable_init=0,lazy_journal_init=0,discard /dev/sdb
 
mke2fs 1.42.9 (28-Dec-2013)
/dev/sdb is entire device, not just one partition!
Proceed anyway? (y,n) y
Filesystem label=
OS type: Linux
Block size=4096 (log=2)
Fragment size=4096 (log=2)
Stride=0 blocks, Stripe width=256 blocks
3276800 inodes, 13107200 blocks
0 blocks (0.00%) reserved for the super user
First data block=0
Maximum filesystem blocks=2162163712
400 block groups
32768 blocks per group, 32768 fragments per group
8192 inodes per group
Superblock backups stored on blocks:
    32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632, 2654208,
    4096000, 7962624, 11239424
 
Allocating group tables: done                           
Writing inode tables: done                           
Creating journal (32768 blocks): done
Writing superblocks and filesystem accounting information: done
이제 마운트할 디렉토리를 생성하고 마운트 한다. ( sdb 를 /data 에 마운트하고 권한을 부여한다. )
?
1
2
3
$ sudo mkdir /data
$ sudo mount -o discard,defaults /dev/sdb /data
$ sudo chmod a+w /data

마지막으로 /etc/fstab 파일을 수정하여 부팅과 동시에 마운트 되도록 한다.

?
1
2
$ sudo blkid /dev/sdb
/dev/sdb: UUID="3c50667e-98f3-46f9-acfe-1bc10151696c" TYPE="ext4"
?
1
2
3
$vi /etc/fstab
 
UUID=3c50667e-98f3-46f9-acfe-1bc10151696c /data ext4 discard,defaults,noatime,_netdev 0 2

웹 서버 설치

웹서버는 nginx + tomcat 로 구성하여 설치한다. 가장 최신 open jdk 버전을 설치한다. (14.0.2)
   
?
1
2
3
4
5
6
$sudo yum install java-latest-openjdk-devel.x86_64
 
$java -version
openjdk version "14.0.2" 2020-07-14
OpenJDK Runtime Environment 20.3 (build 14.0.2+12)
OpenJDK 64-Bit Server VM 20.3 (build 14.0.2+12, mixed mode, sharing)
톰켓 설치는 홈페이지를 방문하여 원하는 버전의 다운로드 링크를 복사한 다음 wget 명령을 사용하여 설치 파일을 다운로드한다.
  

http://apache.tt.co.kr/tomcat/tomcat-8/v8.5.58/bin/apache-tomcat-8.5.58.zip 다운로드가 완료되면 압축을 풀고 원하는 위치로 복사한다. (여기에서는 /data 를 사용했다.)
?
1
2
3
$wget http://apache.tt.co.kr/tomcat/tomcat-8/v8.5.58/bin/apache-tomcat-8.5.58.zip
$tar -xzvf apache-tomcat-8.5.58.zip
$mv apache-tomcat-8.5.58.zip /data/
nginx 설치를 위해서는 CentOS 7 EPEL 레파지토리를 추가해야 한다. 다음 명령으로 레파지토리를 추가한다. 
 
?
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
$sudo yum install epel-release
 
Loaded plugins: fastestmirror, langpacks
Loading mirror speeds from cached hostfile
 * base: mirror.kakao.com
 * epel: ord.mirror.rackspace.com
 * extras: mirror.kakao.com
 * updates: mirror.kakao.com
Resolving Dependencies
--> Running transaction check
---> Package epel-release.noarch 0:7-11 will be updated
---> Package epel-release.noarch 0:7-12 will be an update
--> Finished Dependency Resolution
 
Dependencies Resolved
 
=========================================================================================================================================================================================
 Package                                           Arch                                        Version                                   Repository                                 Size
=========================================================================================================================================================================================
Updating:
 epel-release                                      noarch                                      7-12                                      epel                                       15 k
 
Transaction Summary
=========================================================================================================================================================================================
Upgrade  1 Package
 
Total download size: 15 k
Is this ok [y/d/N]: y
Downloading packages:
Delta RPMs disabled because /usr/bin/applydeltarpm not installed.
epel-release-7-12.noarch.rpm                                                                                                                                      |  15 kB  00:00:01    
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Updating   : epel-release-7-12.noarch                                                                                                                                              1/2
  Cleanup    : epel-release-7-11.noarch                                                                                                                                              2/2
  Verifying  : epel-release-7-12.noarch                                                                                                                                              1/2
  Verifying  : epel-release-7-11.noarch                                                                                                                                              2/2
 
Updated:
  epel-release.noarch 0:7-12                                                                                                                                                            
Complete!
이제 nginx 를 설치한다. 
sudo yum install nginx
?
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
$sudo yum install nginx
Loaded plugins: fastestmirror, langpacks
Loading mirror speeds from cached hostfile
 * base: mirror.kakao.com
 * epel: ord.mirror.rackspace.com
 * extras: mirror.kakao.com
 * updates: mirror.kakao.com
Resolving Dependencies
--> Running transaction check
---> Package nginx.x86_64 1:1.16.1-2.el7 will be installed
--> Processing Dependency: nginx-all-modules = 1:1.16.1-2.el7 for package: 1:nginx-1.16.1-2.el7.x86_64
--> Processing Dependency: nginx-filesystem = 1:1.16.1-2.el7 for package: 1:nginx-1.16.1-2.el7.x86_64
--> Processing Dependency: nginx-filesystem for package: 1:nginx-1.16.1-2.el7.x86_64
--> Processing Dependency: libprofiler.so.0()(64bit) for package: 1:nginx-1.16.1-2.el7.x86_64
--> Running transaction check
---> Package gperftools-libs.x86_64 0:2.6.1-1.el7 will be installed
---> Package nginx-all-modules.noarch 1:1.16.1-2.el7 will be installed
--> Processing Dependency: nginx-mod-http-image-filter = 1:1.16.1-2.el7 for package: 1:nginx-all-modules-1.16.1-2.el7.noarch
--> Processing Dependency: nginx-mod-http-perl = 1:1.16.1-2.el7 for package: 1:nginx-all-modules-1.16.1-2.el7.noarch
--> Processing Dependency: nginx-mod-http-xslt-filter = 1:1.16.1-2.el7 for package: 1:nginx-all-modules-1.16.1-2.el7.noarch
--> Processing Dependency: nginx-mod-mail = 1:1.16.1-2.el7 for package: 1:nginx-all-modules-1.16.1-2.el7.noarch
--> Processing Dependency: nginx-mod-stream = 1:1.16.1-2.el7 for package: 1:nginx-all-modules-1.16.1-2.el7.noarch
---> Package nginx-filesystem.noarch 1:1.16.1-2.el7 will be installed
--> Running transaction check
---> Package nginx-mod-http-image-filter.x86_64 1:1.16.1-2.el7 will be installed
--> Processing Dependency: gd for package: 1:nginx-mod-http-image-filter-1.16.1-2.el7.x86_64
--> Processing Dependency: libgd.so.2()(64bit) for package: 1:nginx-mod-http-image-filter-1.16.1-2.el7.x86_64
---> Package nginx-mod-http-perl.x86_64 1:1.16.1-2.el7 will be installed
---> Package nginx-mod-http-xslt-filter.x86_64 1:1.16.1-2.el7 will be installed
---> Package nginx-mod-mail.x86_64 1:1.16.1-2.el7 will be installed
---> Package nginx-mod-stream.x86_64 1:1.16.1-2.el7 will be installed
--> Running transaction check
---> Package gd.x86_64 0:2.0.35-26.el7 will be installed
--> Processing Dependency: libXpm.so.4()(64bit) for package: gd-2.0.35-26.el7.x86_64
--> Running transaction check
---> Package libXpm.x86_64 0:3.5.12-1.el7 will be installed
--> Finished Dependency Resolution
 
Dependencies Resolved
 
=========================================================================================================================================================================================
 Package                                                   Arch                                 Version                                         Repository                          Size
=========================================================================================================================================================================================
Installing:
 nginx                                                     x86_64                               1:1.16.1-2.el7                                  epel                               562 k
Installing for dependencies:
 gd                                                        x86_64                               2.0.35-26.el7                                   base                               146 k
 gperftools-libs                                           x86_64                               2.6.1-1.el7                                     base                               272 k
 libXpm                                                    x86_64                               3.5.12-1.el7                                    base                                55 k
 nginx-all-modules                                         noarch                               1:1.16.1-2.el7                                  epel                                20 k
 nginx-filesystem                                          noarch                               1:1.16.1-2.el7                                  epel                                21 k
 nginx-mod-http-image-filter                               x86_64                               1:1.16.1-2.el7                                  epel                                30 k
 nginx-mod-http-perl                                       x86_64                               1:1.16.1-2.el7                                  epel                                39 k
 nginx-mod-http-xslt-filter                                x86_64                               1:1.16.1-2.el7                                  epel                                29 k
 nginx-mod-mail                                            x86_64                               1:1.16.1-2.el7                                  epel                                57 k
 nginx-mod-stream                                          x86_64                               1:1.16.1-2.el7                                  epel                                85 k
 
Transaction Summary
=========================================================================================================================================================================================
Install  1 Package (+10 Dependent packages)
 
Total download size: 1.3 M
Installed size: 4.0 M
Is this ok [y/d/N]: y
Downloading packages:
(1/11): gd-2.0.35-26.el7.x86_64.rpm                                                                                                                               | 146 kB  00:00:00    
(2/11): libXpm-3.5.12-1.el7.x86_64.rpm                                                                                                                            |  55 kB  00:00:00    
(3/11): gperftools-libs-2.6.1-1.el7.x86_64.rpm                                                                                                                    | 272 kB  00:00:00    
(4/11): nginx-1.16.1-2.el7.x86_64.rpm                                                                                                                             | 562 kB  00:00:01    
(5/11): nginx-all-modules-1.16.1-2.el7.noarch.rpm                                                                                                                 |  20 kB  00:00:00    
(6/11): nginx-filesystem-1.16.1-2.el7.noarch.rpm                                                                                                                  |  21 kB  00:00:00    
(7/11): nginx-mod-http-image-filter-1.16.1-2.el7.x86_64.rpm                                                                                                       |  30 kB  00:00:00    
(8/11): nginx-mod-http-perl-1.16.1-2.el7.x86_64.rpm                                                                                                               |  39 kB  00:00:00    
(9/11): nginx-mod-http-xslt-filter-1.16.1-2.el7.x86_64.rpm                                                                                                        |  29 kB  00:00:00    
(10/11): nginx-mod-mail-1.16.1-2.el7.x86_64.rpm                                                                                                                   |  57 kB  00:00:00    
(11/11): nginx-mod-stream-1.16.1-2.el7.x86_64.rpm                                                                                                                 |  85 kB  00:00:00    
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Total                                                                                                                                                    383 kB/s | 1.3 MB  00:00:03    
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : gperftools-libs-2.6.1-1.el7.x86_64                                                                                                                                   1/11
  Installing : 1:nginx-filesystem-1.16.1-2.el7.noarch                                                                                                                               2/11
  Installing : libXpm-3.5.12-1.el7.x86_64                                                                                                                                           3/11
  Installing : gd-2.0.35-26.el7.x86_64                                                                                                                                              4/11
  Installing : 1:nginx-mod-stream-1.16.1-2.el7.x86_64                                                                                                                               5/11
  Installing : 1:nginx-mod-http-xslt-filter-1.16.1-2.el7.x86_64                                                                                                                     6/11
  Installing : 1:nginx-mod-http-perl-1.16.1-2.el7.x86_64                                                                                                                            7/11
  Installing : 1:nginx-mod-mail-1.16.1-2.el7.x86_64                                                                                                                                 8/11
  Installing : 1:nginx-1.16.1-2.el7.x86_64                                                                                                                                          9/11
  Installing : 1:nginx-mod-http-image-filter-1.16.1-2.el7.x86_64                                                                                                                   10/11
  Installing : 1:nginx-all-modules-1.16.1-2.el7.noarch                                                                                                                             11/11
  Verifying  : libXpm-3.5.12-1.el7.x86_64                                                                                                                                           1/11
  Verifying  : 1:nginx-mod-stream-1.16.1-2.el7.x86_64                                                                                                                               2/11
  Verifying  : 1:nginx-filesystem-1.16.1-2.el7.noarch                                                                                                                               3/11
  Verifying  : 1:nginx-all-modules-1.16.1-2.el7.noarch                                                                                                                              4/11
  Verifying  : gperftools-libs-2.6.1-1.el7.x86_64                                                                                                                                   5/11
  Verifying  : 1:nginx-mod-http-image-filter-1.16.1-2.el7.x86_64                                                                                                                    6/11
  Verifying  : gd-2.0.35-26.el7.x86_64                                                                                                                                              7/11
  Verifying  : 1:nginx-mod-http-xslt-filter-1.16.1-2.el7.x86_64                                                                                                                     8/11
  Verifying  : 1:nginx-mod-http-perl-1.16.1-2.el7.x86_64                                                                                                                            9/11
  Verifying  : 1:nginx-mod-mail-1.16.1-2.el7.x86_64                                                                                                                                10/11
  Verifying  : 1:nginx-1.16.1-2.el7.x86_64                                                                                                                                         11/11
 
Installed:
  nginx.x86_64 1:1.16.1-2.el7                                                                                                                                                           
 
Dependency Installed:
  gd.x86_64 0:2.0.35-26.el7               gperftools-libs.x86_64 0:2.6.1-1.el7               libXpm.x86_64 0:3.5.12-1.el7               nginx-all-modules.noarch 1:1.16.1-2.el7         
  nginx-filesystem.noarch 1:1.16.1-2.el7  nginx-mod-http-image-filter.x86_64 1:1.16.1-2.el7  nginx-mod-http-perl.x86_64 1:1.16.1-2.el7  nginx-mod-http-xslt-filter.x86_64 1:1.16.1-2.el7
  nginx-mod-mail.x86_64 1:1.16.1-2.el7    nginx-mod-stream.x86_64 1:1.16.1-2.el7           
 
Complete!
설치가 완료되면 아래와 같이 http, https 포트에 대한 방화벽을 오픈한다.
?
1
2
3
#sudo firewall-cmd --zone=public --permanent --add-service=http
#sudo firewall-cmd --zone=public --permanent --add-service=https
#sudo firewall-cmd --reload 

참고로 nginx 의 웹 루트는 /data/www 로 변경하였고 톰켓의 웹 프로그램은 /data/webapps/ 로 변경하였다. 이제 nginx 를 시작한다. 
sudo systemctl start nginx

웹 브라우져를 통하여 사이트를 접속하니 퍼미션 오류가 기다리고 있었다. 먼저 보안 관련 이슈를 확인하기 위하여 /var/log/audit/audit.log 로그를 확인했고 아래의 보안 이슈를 확인하게 되었다.
?
1
2
3
type=AVC msg=audit(1601820483.230:3808): avc:  denied  { read } for  pid=4741 comm="nginx" name="index.html" dev="sdb" ino=2359732 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:unlabeled_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1601820483.230:3808): arch=c000003e syscall=2 success=no exit=-13 a0=5571a0b1bc1a a1=800 a2=0 a3=55719f96d110 items=0 ppid=4740 pid=4741 auid=4294967295 uid=994 gid=992 euid=994 suid=994 fsuid=994 egid=992 sgid=992 fsgid=992 tty=(none) ses=4294967295 comm="nginx" exe="/usr/sbin/nginx" subj=system_u:system_r:httpd_t:s0 key=(null)
type=PROCTITLE msg=audit(1601820483.230:3808): proctitle=6E67696E783A20776F726B65722070726F63657373
audit2why 명령을 사용하여 원인을 확인해 본다. 보다 정확한 원인 및 조치방법을 알기위하여 웹 검색 결과 SELinux 보안이 이슈의 원인인 것으로 확인 할 수 있었다.
?
1
2
3
4
5
6
7
8
9
$sudo grep 1601820483.230:3808 /var/log/audit/audit.log | audit2why
 
    Was caused by:
        Missing type enforcement (TE) allow rule.
 
        You can use audit2allow to generate a loadable module to allow this access.
  
$semanage fcontext -a -t httpd_sys_content_t /usr/share/nginx/html/studio(/.*)?
$restorecon -Rv /www

❶ 톰켓과 프록시 연결시 오류는 → (13: Permission denied) while connecting to upstream:[nginx] 아래 명령을 통하여 해결 할 수 있었다.
?
1
setsebool -P httpd_can_network_connect

❷ /data/www 경로에 대한 접근 권한 오류는 아래와 같은 명령을 통하여 해결 할 수 있었다.
?
1
$chcon -Rt httpd_sys_content_t /data/www


익숙한 httpd 를 사용하지 않은 것은 클라우드 서버의 성능을 고려하여 적은 자원을 사용한다고 알려진 nginx 를 사용하게 되었는데 nginx 설치는 처음이라 보안 관련 이슈를 해결하는 과정에서 많은 시간을 소요하였다. 


참고자료

작성자: 시간:
라벨: , , , , , , ,

댓글 없음:

댓글 쓰기

피드 구독하기: 댓글 (Atom)