Additional Info for Server Admins - Gamocosm/Gamocosm GitHub Wiki
Gamocosm creates droplets running 64-bit Fedora 27 (latest as of 2018 Feb 19). You can see everything Gamocosm does in `app/workers/setup_server_worker.rb`. The directory `server_setup` in the project root contains additional resources used for setting up servers; as of 2018 Feb 19 it only contains the zram scripts.

It's stored as a snapshot in your Digital Ocean dashboard, which is free to store and restore.
## firewalld

`firewalld` sits on top of `iptables` and provides a dynamically managed firewall. Many people (myself included) are familiar with `iptables`, but after quickly getting used to it, I find it much easier to use, for experienced and new techies alike. It was included by default on the Fedora 20 distribution. Fedora 21 does not include an active firewall service by default, so Gamocosm installs `firewalld`.

Gamocosm opens ports 5000 (Minecraft Server Wrapper) and 25565 (Minecraft) to TCP. It also opens whatever `ssh_port` is set under the "Advanced" tab to TCP the first time you start a server (if you change the SSH port on your server later, you should update this).

Useful commands:
- `firewall-cmd --get-zones` (supported zones)
- `firewall-cmd --list-all-zones` (zones with enabled features)
- `firewall-cmd --get-default-zone`
- `firewall-cmd --set-default-zone=<zone>`
- `firewall-cmd [--permanent] [--zone=<zone>] --add-port=<port>[-<port>]/<protocol>`
- `firewall-cmd [--permanent] [--zone=<zone>] --remove-port=<port>[-<port>]/<protocol>`
- `firewall-cmd [--zone=<zone>] --query-port=<port>[-<port>]/<protocol>` (query whether a port and protocol combination is enabled in a zone)
When you add `--permanent`, it does not affect the runtime firewall. The changes will take effect after rebooting. Usually, when adding ports you want to run the command once with and once without `--permanent`, to make the changes immediate and persistent:

```sh
firewall-cmd --add-port=9010/tcp
firewall-cmd --permanent --add-port=9010/tcp
```

Source: Fedora wiki
Check that a port is open/accessible from the "outside" by running `telnet <IP> <port>` from your local computer or another server. You should see "Connection refused", "No route to host", or, if it works, something like:

```
Trying 1.2.3.4...
Connected to 1.2.3.4.
Escape character is '^]'.
SSH-2.0-OpenSSH_7.5
```

You can do this for any port you have a service listening on (the last line would only show for the SSH service/port). To quit, hit Ctrl + ], which should bring you to a `telnet>` prompt, and then you can type `quit` and hit enter/return (mashing control-c and enter will usually work too).
## Tmux

Tmux is a terminal multiplexer. It is installed by default by Gamocosm. You can use it to have multiple windows in a single SSH session. You can also use it to leave processes running after disconnecting from SSH, and you can reattach the tmux windows later. Read more about it on its project homepage.
## SSH

Gamocosm sets up SSH on port 4022. You can read more about it on this Stack Exchange/Security thread, but in short, changing the default SSH port reduces the number of generic hacking attempts.

To change the SSH port:

- Open up the new ports! See the `firewalld` instructions above. If you don't open the new ports in the firewall, you won't be able to connect. In Fedora 21 you also have to update SELinux! Run `semanage port -a -t ssh_port_t -p tcp <port>`. To show the ports SSH is allowed on, run `semanage port -l | grep ssh`.
- Edit `/etc/ssh/sshd_config`. There should be a line `Port 4022`. Change the number to whatever you want. 22 is the default SSH port.
- Run `(sudo) systemctl restart sshd`.
- Update the "SSH port" under the "Advanced" tab on Gamocosm. Otherwise, Gamocosm won't know how to connect to your server (it uses SSH to perform updates if necessary, and to test when a server is ready; sometimes when Digital Ocean says a droplet is active, it's not reachable over the network immediately).
- The next time you SSH in, use the new port (you won't be disconnected from your existing sessions).
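The steps above as one shell script for Fedora, added here as an example (this is not Gamocosm's own code). `set_sshd_port` is a plain text edit you can try on a copy of `sshd_config` first; the `semanage port -m` fallback for an already-labelled port and the `sshd -t` config check before restarting are my additions, not steps from the wiki.

```sh
#!/bin/sh
# Added example (not Gamocosm's own code): the SSH port change above as one
# script, in the wiki's order: firewall, SELinux, sshd_config, restart.
set -eu

# Rewrite (or append) the Port line of an sshd_config file. This is a plain
# text edit, so it can be tried on a copy of the file before the real one.
set_sshd_port() {
    local config="$1" port="$2"
    case "$port" in
        ''|*[!0-9]*) echo "invalid port: $port" >&2; return 1 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "port out of range: $port" >&2; return 1
    fi
    if grep -Eq '^[[:space:]]*Port[[:space:]]+[0-9]+' "$config"; then
        sed -E -i "s/^[[:space:]]*Port[[:space:]]+[0-9]+.*/Port $port/" "$config"
    else
        printf 'Port %s\n' "$port" >> "$config"
    fi
}

# First Port line currently in the file, for verification.
get_sshd_port() {
    awk '/^[[:space:]]*Port[[:space:]]+[0-9]+/ { print $2; exit }' "$1"
}

# Full procedure; run as root. Keep your current session open until a login
# on the new port works, since existing sessions survive the restart.
change_ssh_port() {
    local port="$1" config="${2:-/etc/ssh/sshd_config}"
    # 1. firewall: once without and once with --permanent (live now and after reboot)
    firewall-cmd --add-port="$port/tcp"
    firewall-cmd --permanent --add-port="$port/tcp"
    # 2. SELinux: allow sshd to bind the port; -m (assumption) if it is already labelled
    semanage port -a -t ssh_port_t -p tcp "$port" \
        || semanage port -m -t ssh_port_t -p tcp "$port"
    # 3. sshd_config, checked with sshd -t before anything is restarted
    set_sshd_port "$config" "$port"
    sshd -t -f "$config"
    # 4. restart sshd, then update the "SSH port" in Gamocosm's Advanced tab
    systemctl restart sshd
    echo "sshd now listens on port $(get_sshd_port "$config")"
}
```

Run `change_ssh_port 2222` as root to apply all four steps with a single check of the result at the end.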
## Zram

Zram is a kernel module available since Linux 3.14 (Fedora 22 is on 4.0) which avoids paging to the disk by using a compressed block device in RAM. It is often helpful for devices with limited RAM (e.g. Google uses it for both Chrome OS and Android).

There is a systemd service file and helper script based on Ubuntu's `zram-config` package in `server_setup`. Gamocosm puts them in `/usr/bin/zram-helper` and `/etc/systemd/system/zram.service` (as you can see in `app/workers/setup_server_worker.rb`). However, Gamocosm only enables zram for servers with less than 4GB of RAM.

To enable zram (enabled by default for servers < 4GB), run `(sudo) systemctl enable zram` (start on boot) and `(sudo) systemctl start zram` (start right now). To disable zram, run `(sudo) systemctl disable zram` (don't start on boot) and `(sudo) zram-helper stop` (stop right now). You can optionally delete the two files above (but it really makes no difference).
The total zram size is half the amount of RAM, and is divided into N devices, where N is the number of processors (this is what Ubuntu does).
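The sizing rule just described, written out as an added shell example in the style of Ubuntu's zram-config. This is not Gamocosm's `zram-helper`; the swap priority of 5 and the use of `num_devices` with `/sys/block/zramN/disksize` are my choices.

```sh
#!/bin/sh
# Added example (not Gamocosm's zram-helper): the sizing rule the wiki states,
# half of RAM split evenly over one zram device per CPU, as a start/stop helper
# in the style of Ubuntu's zram-config. Swap priority 5 is an assumption.
set -eu

# Size of each zram device in KiB, given total RAM in KiB and the CPU count.
zram_device_size_kb() {
    local total_kb="$1" ncpu="$2"
    [ "$ncpu" -ge 1 ] || { echo "need at least one CPU" >&2; return 1; }
    echo $(( total_kb / 2 / ncpu ))
}

# Device count and per-device size for this machine: "<ncpu> <size_kb>".
zram_plan() {
    local total_kb ncpu
    total_kb=$(awk '/^MemTotal:/ { print $2 }' /proc/meminfo)
    ncpu=$(nproc)
    echo "$ncpu $(zram_device_size_kb "$total_kb" "$ncpu")"
}

# Create one device per CPU, format each as swap and enable it. Run as root.
zram_start() {
    local ncpu size_kb i
    set -- $(zram_plan)
    ncpu="$1" size_kb="$2"
    modprobe zram num_devices="$ncpu"
    i=0
    while [ "$i" -lt "$ncpu" ]; do
        echo "$(( size_kb * 1024 ))" > "/sys/block/zram$i/disksize"
        mkswap "/dev/zram$i"
        swapon -p 5 "/dev/zram$i"   # preferred over the disk swapfile
        i=$(( i + 1 ))
    done
}

# Disable every zram swap device and unload the module. Run as root.
zram_stop() {
    local dev
    for dev in /dev/zram*; do
        [ -e "$dev" ] || continue
        swapoff "$dev" 2>/dev/null || true
        echo 1 > "/sys/block/${dev#/dev/}/reset"
    done
    modprobe -r zram
}
```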
Sources: Linux kernel doc on zram, ArchLinux wiki on zram, ArchLinux wiki on systemd, Ubuntu zram-config
## Swap

Gamocosm creates a 1GB swap `/swapfile` by default. You can create multiple swaps and enable them.

Creating a swap (run as root, or with sudo):

```sh
fallocate -l 512M /swapfile   # create swap file, M for Megabytes, G for Gigabytes
chmod 600 /swapfile           # set proper permissions
mkswap /swapfile              # format to swap file
swapon /swapfile              # activate swap file
echo "/swapfile none swap defaults 0 0" >> /etc/fstab   # make permanent, add to fstab
```

Removing a swap file (run as root, or with sudo):

```sh
swapoff /swapfile
rm -f /swapfile
sed -i "/\/swapfile none swap defaults 0 0/d" /etc/fstab   # remove line from fstab
```

Source: ArchLinux wiki