Okay, this is going to be a very, very boring recording, because it's not slides, it's just going to be me at the terminal. Okay, we'd better get rid of those. Big expert tip. Right, how to list all your containers out so you can get rid of them. You can see lxc list does that; if you go -c for columns, right, I can just list the name column, and I just get the names of my containers. I'm going to have all of the fancy ASCII boxes around them. You can show them in CSV format, and I just get the list of them like that. That's useful, because now I can make a for loop of that. For c in, we're getting into programming now, for c in that list of containers, lxc delete it. Okay, that's just a little bit of scripting. Run through all my containers and delete them all. It's slightly quicker for me to write the for loop than it is for me to type lxc delete for each of them. We're back to here. All right, no containers.

Okay, so I think Stephen showed you yesterday how you'd start off by going git clone to get these scripts here, and you start off by going into the config directory and creating yourself a file containers.json, which you just copy off the sample. A little tip, if you're struggling with DNS. I actually discovered this is quite useful to do for demos. If you make a Linode container, then Linode provide you with a, okay, admittedly, slightly different name on the DNS server already. So if I don't want to waste my calls, I have this thing registered as serveracademy.dhis2.org. But if I keep asking for certificates for serveracademy.dhis2.org, in the end Let's Encrypt are going to say I'm making too many requests. And if I make too many requests for the dhis2.org domain, it'll mean that other people who are trying to do serious things will also reach that limit. And then Let's Encrypt basically bans you for a week from making any more requests.
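As an added example (not one of the scripts from the talk, and written for plain POSIX sh rather than copied from the terminal session), here is the "list names as CSV, then loop and delete" idea with a dry run by default, so a mistyped command cannot wipe the wrong containers. It assumes the lxc client is on PATH when you run it for real; the sample list is constructed, not captured from a host.

```shell
#!/bin/sh
# Added example, not from the talk's own scripts: list LXD container names in
# CSV form, then delete them in a loop. Dry run unless told otherwise.
set -eu

# `lxc list -c n --format csv` prints one bare name per line (the "n" column
# is the instance name; csv output has no header and no ASCII boxes). Keep
# only lines that look like valid LXD instance names (letters, digits and
# dashes, not starting with a digit or dash, not ending with a dash) so that
# nothing unexpected from the terminal ever becomes a command argument.
container_names() {
  grep -E '^[A-Za-z]([A-Za-z0-9-]*[A-Za-z0-9])?$' || true
}

# Read names on stdin and either print the delete command (dry run) or run it.
# Usage:  lxc list -c n --format csv | container_names | delete_containers      # dry run
#         lxc list -c n --format csv | container_names | delete_containers run  # for real
delete_containers() {
  mode=${1:-dry-run}
  count=0
  while IFS= read -r name; do
    count=$((count + 1))
    if [ "$mode" = run ]; then
      # --force also stops a running container; plain `lxc delete` refuses to
      # remove one that is still running.
      lxc delete --force "$name"
    else
      printf 'would run: lxc delete --force %s\n' "$name"
    fi
  done
  echo "$count container(s) processed ($mode)" >&2
}

# Constructed sample of what `lxc list -c n --format csv` prints on the
# three base containers plus one DHIS2 instance (not captured from a host).
SAMPLE_LIST=$(printf 'proxy\npostgres\nmonitor\nhmis\n')

# Dry run over the sample: prints four "would run" lines, touches nothing.
demo_dry_run() {
  printf '%s\n' "$SAMPLE_LIST" | container_names | delete_containers
}

demo_dry_run
```

Swap `demo_dry_run` for the real pipeline in the usage comment once the dry-run output lists exactly the containers you expect; the name filter is what keeps a stray line of output from turning into an argument to `lxc delete`.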
Sometimes it's useful just to use the Linode-provided fully qualified domain name instead of using my own DNS. For demo purposes, this is fine. So basically you take this file and you only want to make three changes in it. You want to change the fully qualified domain name, whatever it is, to your domain name. Email address, this is just used for the SSL request. Time zone is important. You should set your time zone, partly because it's very disruptive to set it afterwards, right? After your DHIS2 has been running for a while, then you change the time zone, all the logs get a bit confusing. The other thing is, it's quite important to make sure that all your containers are set to the same time zone. And that's why we put it in there. If you want to know what's a valid time zone to use, I'm still running as root here, the timedatectl command, one of the things you can do, I think, is list-timezones. And I can pick where I am: Africa, Accra. These are the time zones that my system knows about. We pick one of those, put it in there, whichever one is suited to your environment.

Once you have that config file set up properly, then you can run this, and basically it's just going to run through your config file and make the containers. Now, the scripts that do this are, I don't know, a little bit ugly, I suppose. They're a bit fragile. I keep trying to make them more robust and then find other edge cases that cause them to break again. Anybody who's familiar with Ansible will realize that basically what I've done here is recreate what Ansible does really well anyway. So one of the things I hope to do shortly, over the next couple of weeks, is to remove this create container script. I won't remove it, it might still be called a create container script, but instead of working off this config file, we'll instead turn it into an Ansible inventory and create the containers that way. It doesn't make any difference in terms of what you end up having set up.
It's just really the scripts to create the stuff in the first place. Having them all in an Ansible inventory does also provide you with some additional maintenance advantages as well. For the moment, this is how it goes. It's good to run this command with sudo, because there's a few things it needs to do, like setting firewall rules and the like, that will fail otherwise. The actual setup, depending on your network and where you are, if you're on a cloud server, should be reasonably quick; it takes, I think, about five minutes. So we can just talk over it while that's happening. It's going to create three base containers. It'll create your reverse proxy container with Apache 2 in it currently. It'll create a database container. I've changed this very, very recently so that it will create a container running Postgres 13. I've discovered that setup time is a bit slower with Postgres 13, because it has to get the Postgres packages from the official Postgres repository, and for some reason that one seems to be slower. So instead of five minutes, it might be six or seven minutes. We'll see.

Now you can do all of this manually, right? In fact, you don't have to follow my scripts at all. The only advantage, I guess, of going through them is that I've put a lot of time and effort into configuring the machines, particularly with reasonable security in mind. And some of those steps, if you do it manually, you get lazy, or you don't remember, or you make mistakes, or whatever it might be. That's not the reason for automating the setup. People always ask for easy setup, like a setup.exe. The point about an easy setup isn't to make it easy for dummies, right? Setup for dummies, anybody can do it, you don't need to know anything, you just run create containers and off you go. That's not the reason for making it easy to do.
The reason for making it easy to do is so that you can repeatedly install containers that are set up exactly the way that you've specified them to be. And from a security perspective, it stops you from forgetting to do critical things. It's also useful for disaster recovery, if you want to get your system back up and running really quickly. If you want to type all of the commands here by hand, it will take you a day to do it instead of five minutes. So, yeah, this looks like it's nearly done. Okay, it's got to make the monitor. So hopefully Stephen ran through this with you yesterday and didn't hit too many issues. You've just created your basic infrastructure. Then from there, we can start creating Tomcat containers and running DHIS2.

Before we do that, I guess we need to put the SSL on the proxy. That's a step that causes lots of grief. It's probably the number one problem I've had with people installing these things in the field. Clemore is probably the one who's had the worst luck with SSL. You've got to be really careful and work methodically, right, to make sure that your system is not hiding behind some kind of firewall. Make sure everything is set up and your web server is available before you even attempt to do the SSL, right; make sure your domain is working. And that's what we're going to do now. Let's just have a quick look. Here's my containers. A brief word about IP addresses. You could change these, but I don't advise that you do, because I might still have a few hard-coded IPs that need to be fixed. The proxy always runs on .2, the monitor is running on .30, and Postgres is running on .20. When I make my DHIS2 instances, I tend to make the first one .10, the next one .11, the next one .12, the next one .13, etc. It doesn't really matter what IP addresses you choose for your Tomcat containers, but it's just a convention, I guess, if I keep them all 10, 11, 12, 13, etc.
Then it's very easy for me to see what they are. So you can put your Tomcat containers on any IP address in the range. These three you should, as far as possible, keep as the ones that we have set here for the moment. Don't get too adventurous changing the IP addresses; some things might break.

Okay, I talked a little bit about firewall settings. Have a look in on each of these. Let's go into postgres, for example. We should see that my Postgres should be running on 5432. There's another service running as well on 4949; that's the munin node. And if I look at the firewall status, the firewall should be enabled on each container, and with fairly minimal rules. So currently the default setting on my Postgres container is you can't reach it at all. The only thing that can reach it is the monitor. Right, so we know it's listening on 5432, but the firewall currently would block any access to it. That's deliberate. When we create a new Tomcat container, part of the process of creating the Tomcat container, you'll see, will open up the firewall specifically for that container.

Before we do Tomcat containers, let's quickly set up the SSL. I need to remember the domain name that I'm going to use. Right, at the moment my proxy should be running; I should be able to access it, but it won't have any SSL on it. Let's go here. And there it is, right, you're just seeing the default page. That's a really important test to do before you try to set up your SSL: make sure that you can actually access the proxy container, because part of the process of requesting the certificate involves Let's Encrypt trying to call back to make sure that you are indeed who you say you are. And if it can't reach you, it's going to fail to issue the certificate. And if it fails more than five times, something like that... Actually, I have a page here. You can Google "rate limits" on Let's Encrypt and it will get you to this page.
It will tell you how many times you can try. After that it's going to ban you and you can be stuck for another week before you can get going again. So, yeah, a quick test. Right. A little warning to make sure you've done that test. Now I know that my container is actually reachable. The reason why it's reachable is because this part of the script has done this behind your back: the firewall rule, this is running on the host, which says anything coming in on port 80, send it straight through to the proxy. Similarly, anything coming through on 443, send it straight through to the proxy on 443. That's the reason why, even though my proxy is running internally there on 192.168.0.2, I'm able to reach it from outside, because my firewall is forwarding the connection. Okay, I'm happy now that the proxy is working. What you might find, particularly if you're setting this up on a kind of physical network, maybe in your national data center or whatever it might be, is that you're getting blocked by an external firewall. So you want to verify all of those things first before you try to run the SSL setup.

Okay, you can do this manually. I've always done it manually, until on the weekend I made a little script to make it easy for you. You can have a look yourself and see what the script does, but basically it's just going to go... First of all, it's going to give me a big warning. Right, it's going to tell me all the things that I just told you, right: don't proceed unless you can access it with your browser. We've checked, we can access it with the browser. So let's go, one. I don't know, people's understanding of SSL will vary, but basically what happens here is that we generate the certificate signing request, the certificate signing request is sent off to Let's Encrypt, and Let's Encrypt verifies, the way it verifies is to see whether it can access your server.
After it's done that, it'll issue you the certificate and you get a congratulations notice. And then we do a little bit of reconfiguration on Apache. It looks like I might have... Okay. That's interesting. I have a little error in there. I don't have anybody check this. Is it running? The other thing it should have done is it should have enabled my... not available. It's enabled this configuration here, which is the configuration that we need to run DHIS2. So if I go back to where I was and I reload this page again, this time it should come back and we get a little lock in the corner there to say that we have a valid certificate. It's issued to this domain and it's valid from today for another three months. Okay, there's a whole lot of configuration of the SSL settings in the config which has gone on in the background; we can check them as well. While we're talking, I'll just check SSL Labs, which is usually where I go to check. Where's the URL? It's this one, copy. The idea is to test it and give you some ideas about things you might have got wrong. It takes a couple of minutes. Oh, you have too many assessments, 12 assessments in progress. That doesn't make sense. That's lying. Maybe it's because it's on a Linode. Maybe Linode, Linode... I've got too many assessments in progress. If I set it up as serveracademy we can try it again later. I did check it over the weekend and SSL Labs comes back and gives us an A plus for the certificate, which is what you want to see.

Okay, we're going to talk a little bit more about Tomcat, probably in our session next week, so I don't want to go into a lot of detail yet. Let's just jump straight to the next thing. The next thing you want to do is to install the service scripts. You can see I've run this before; it's got a few things. And then we can start running them. Create an instance. If I just do that, it gives me some options.
Let's create an instance called HMIS; it's a common enough one. I can be specific about the IP address, or I think it should take a default if I don't specify. I might have more than one Postgres container, so let's also specify the Postgres container just to be sure. And what it's going to do is make me a database. I'm going to talk about making databases in the next session. And it's going to create me an Ubuntu-based container again. It's going to put Tomcat on it. And the Ubuntu security settings on Tomcat are really very, very good. And one of the things that I've done, or tried to do, with most of them, I think I was saying yesterday, I've gone through the CIS security checklists for things like Tomcat, and there's so many things to set up in terms of file permissions and the like, which... yeah, I don't know, the Ubuntu installation does a much better job than certainly any of the Dockers that I've seen. I could probably roll my own, but I like the setup that Ubuntu has done on it. We've made a few extra settings; I'll actually show you that in a bit, but let's get a DHIS2 up and running on it first.

If you want to deploy a war file, I usually just go to the DHIS2 downloads and find a war file. Let's go with the latest and greatest. Public health warning, by the way: if you're working with a production instance, don't run this 2.35.1 war file, it's got some issues with it. There is a new release which is due out this week, which fixes a lot of things. So my advice to you is to stick around with 2.34 until this new release comes out. When I deploy a war file, I'm going to supply a link. That's what the -l is. My war file from there, and deploy it to, what did I call my instance, HMIS I think. That didn't look like it deployed. Is this what Gerald was talking about the other day? That doesn't look like it deployed it. I've gone and introduced a bug. It downloaded the war file. It's meant to do this: it unzips it.
I didn't see any of that. It just downloaded the war file. Not getting a... it's because of this. No, it's past all of that. It was this. It always happens when you're being recorded. Did Stephen have a problem with this yesterday? No, Bob, yesterday I didn't have a problem. I think I used sudo and was able to deploy. Unless you modified something. Yeah, but yesterday it worked well using sudo. I shouldn't have to, I don't think. Let's try it. I like this action straight away. What have I done? What have I done? It always works. What have I done? It's a very, very simple script. I added a bit more help text on here that wasn't there before. I wonder if that's causing you a problem. Because we get as far as here. In our instance, we get as far as there. I wonder if it's this exit. It's trying to be clever. I think it's the exit. This is being triggered, right? Yeah, maybe I probably made that mistake yesterday afternoon when I got locked out. I was sitting here at home, didn't know what to do, started making a few fixes, and that obviously wasn't a fix; that broke it.

Okay, there's our HMIS container. It says that it's running. I've got a very useful command for looking at the logs: -f means to follow the log on HMIS. We should see it coming up. There's our DHIS2 starting. I'm going to advise you strongly that you use this dhis2 logview command rather than trawling around looking for catalina.out, because it's got a lot going for it. We'll just quit for the moment. The Tomcat on Ubuntu is using the journal, the system journal, for logging, right? And the system journal gives you lots of nice options. I mean, -f, as you've seen, is just to follow the log; that'd be like tail -f catalina.out. You can also say just show me all the logs for today, and it'll show me today's log. You can also say show me the logs upside down. Sometimes you want to see what happened more recently first rather than what happened ages ago.
It'll show you the log upside down, so you can see the service started up and this is what happened before the service started up. We'll have the opportunity, I think, to talk about logging and the logging command later. It's a very flexible way of looking at your logs. If you're looking for something that happened at 10:45 today, you can isolate time periods. It's the kind of thing that's a little bit trickier to do otherwise. You can say show me everything that's happened since 10:45 until 10:46. So you can look at a time period in your log. You need to say which DHIS2 instance I want to look at. It'll show me just that one minute's worth of log from 10:45 through to 10:46, hopefully. That's the last thing that happened. So it seems like it started up. It seems like it's running. Let's see if we can find it. Where did I go to it? Here. So each instance, once you create an instance, it'll appear like that. There we go, with its own name after the URL.

Now, obviously, in a production environment, you probably don't want to see the actual landing page every time, like this. That looks very amateur. There are two approaches people tend to take on it. One is they just customize the page, particularly places which are running quite a lot of DHIS2 instances, to make like a little menu here with a little bit of background or whatever you want. You can do that, you can customize this page, or you can just decide which of your Tomcat instances you want to appear as the default. I've got a little line you just need to comment out to do that. Let's just do that one last thing. I'm going to leave the installation alone. So, quick health warning: I introduced a bug into dhis2 logview yesterday afternoon when I was offline. I'm going to fix that in the next five minutes. But first of all, it's that extra exit in there that I didn't want to see. If I go into my proxy, and I go into... no, somewhere down here. There we go.
I've got a rewrite rule that's commented out. Sometimes it's something that people really want to do: rewrite everything that comes to the root and make that instead go to my HMIS. I'll get rid of the landing page, because every time I try to get to the landing page, instead it's going to send me there. Let's just reload it. Generally with Apache, also with nginx, when you make these configuration settings it's not usually necessary to restart the server; you just need to reload it. Let's go back here. If I load the URL again, it should just redirect me. Yeah. Okay, so the Apache landing page is gone. So as I said, people take one of two approaches: they're either going to do that or they're going to create a custom landing page for it. While we're at it... we can't, it's not going to allow me, is it? Yeah, that's a shame. I really wanted to show you that we got an A plus on that. I'd have to put it back to serveracademy. Okay.

Let's see. That's basically the kind of installation and setup process. What we're going to go on to be talking about over the coming sessions and over the coming weeks is now what you do with it, right? How you maintain it. One of the things to consider is what kind of extra things you might need to do. But to actually just get up and running, that's what's involved. I did want to show you a little bit of the firewall rules. I'll just do that. If we look at our instance, this is our instance running there now. You'll see that we are allowing access to the Tomcat that's running on 8080. We're allowing it from the proxy. And we're also allowing it, in fact, from the host machine. The reason for allowing it from the host is just that sometimes you want to do curls and wgets and things from the host; it's just convenient. But otherwise, if I create two containers, they won't be able to access 8080 on each other. The only thing that can really access your 8080 is your proxy. Similarly, if we look in the database...
I'll talk a lot about databases next. You can see that we've got a firewall rule now which will allow access to the database from that container. It has to be able to get through the firewall, so we make a rule for it. But in addition to that, you know that generally the permissions on Postgres, the access controls, are set in here. You see, we've got a little line in here which says that the HMIS user is allowed to access the HMIS database if he's coming from this particular IP address, and we've got md5, which is providing a username and password, as happens with our JDBC connector. So yeah, all these little things, you know, if you're doing them manually it's quite hard, but if you're doing it automatically, you can set up fairly tight security rules between your containers.

Okay. That's a second run through of setup. And the reason why the second run through is slightly different to yesterday is because I made a supposed fix yesterday, which I now need to fix again. And I see Gerald has been complaining that the dhis2 deploy war doesn't work. Sorry, Gerald. You've just found the same problem I've been having as well. I'll see you in the afternoon. I'll fix it again, I'd say, in the next couple of minutes. If there's any other questions on installation... Has anything been in Slack while I was talking? No, we see the issue. Yes, Gerald. Yes, you were not going mad. You were absolutely right. Sorry about that. Just as a general point, I think somebody asked me this once before, about the long term. Once you've got everything installed... I need to share my screen again. Just going to do this for two minutes. Once you have everything installed, yeah, it's a good idea, and this is what I'm going to ask you to do in a short time, it's a good idea to regularly just do an update, because, like in this case, I'm going to be making regular fixes or improvements.
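As an added example, not part of the talk's scripts: a small check that a container's firewall really is as locked down as described above (active, with nothing allowed from "Anywhere"), read from `ufw status` output, plus the pg_hba.conf line that ties one instance's user and database to one address with md5 authentication. It assumes the containers use ufw and that instance addresses follow the .10, .11, ... convention from the talk; the `ufw status` samples are constructed, not captured from a real container.

```shell
#!/bin/sh
# Added example, not from the talk's own scripts: audit a container's ufw
# rules and print the matching pg_hba.conf line. Plain POSIX sh plus awk.
# Real use:  lxc exec hmis -- ufw status | audit_ufw
set -eu

# Read `ufw status` (plain or verbose) on stdin. Returns 0 when the firewall
# is active and every ALLOW rule names a specific source; returns 1 and
# prints FAIL lines when it is inactive or anything is open to "Anywhere".
audit_ufw() {
  awk '
    /^Status:/ { if ($2 != "active") { print "FAIL: firewall is " $2; bad = 1 }; next }
    /ALLOW/ {
      # source is the last field; IPv6 rules end in "(v6)", so take two fields
      src = $NF
      if ($NF == "(v6)") src = $(NF-1) " " $NF
      if (src ~ /^Anywhere/) { print "FAIL: " $1 " reachable from " src; bad = 1 }
      else                   { print "ok:   " $1 " allowed only from " src }
    }
    END { exit bad }
  '
}

# pg_hba.conf line letting one instance user reach only its own database from
# only its own address, with md5 password auth as the JDBC connector uses.
# Rejects anything that is not a plain lowercase name or a valid dotted quad,
# so a bad value cannot land in pg_hba.conf as a wider rule than intended.
pg_hba_line() {
  instance=$1
  ip=$2
  printf '%s\n' "$instance" | grep -Eq '^[a-z][a-z0-9_]*$' \
    || { echo "bad instance name: $instance" >&2; return 1; }
  printf '%s\n' "$ip" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' \
    || { echo "bad IPv4: $ip" >&2; return 1; }
  # the regex alone would accept 999; each octet must be 0..255
  for o in $(printf '%s\n' "$ip" | tr . ' '); do
    [ "$o" -le 255 ] || { echo "bad IPv4 octet in $ip" >&2; return 1; }
  done
  printf 'host\t%s\t%s\t%s/32\tmd5\n' "$instance" "$instance" "$ip"
}

# Constructed samples of `ufw status` output (not captured from a host).
# Tomcat container: 8080 open only to the proxy (.2) and the host (.1).
SAMPLE_TOMCAT_OK='Status: active

To                         Action      From
--                         ------      ----
8080/tcp                   ALLOW       192.168.0.2
8080/tcp                   ALLOW       192.168.0.1'

# Database container someone opened to the world: this must be flagged.
SAMPLE_DB_OPEN='Status: active

To                         Action      From
--                         ------      ----
5432/tcp                   ALLOW       Anywhere
5432/tcp (v6)              ALLOW       Anywhere (v6)'

SAMPLE_INACTIVE='Status: inactive'

# Show each sample's verdict without aborting on the failing ones.
demo() {
  for s in "$SAMPLE_TOMCAT_OK" "$SAMPLE_DB_OPEN" "$SAMPLE_INACTIVE"; do
    if printf '%s\n' "$s" | audit_ufw; then echo "PASS"; else echo "REVIEW THIS CONTAINER"; fi
    echo
  done
  # hmis on .10, following the talk's addressing convention
  pg_hba_line hmis 192.168.0.10
}

demo
```

Run `audit_ufw` against every container after each create or change, not just the Postgres one: the talk's point is that the only thing able to reach a Tomcat's 8080 is the proxy, and the only thing able to reach 5432 is the monitor plus the instances that were explicitly given a rule.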
These will include, in fact, the Unix man pages, which are coming. That script is sitting here. It's in there, right under the service scripts. In a couple of minutes, after I've fixed it, I will commit it to GitHub. You just need to run git pull again, and it's going to update your service scripts. And then you just need to run this again. That'll make sure that you always have the most current version of the service scripts. It won't overwrite settings that you've already made, right. It will, it will overwrite the service scripts with the latest versions. And I think I'm going to fix that in the next five or 10 minutes, during the break.