On Sat, May 2, 2020 at 11:53 PM Zer0Cool <[email protected]> wrote:

> Thanks again for your very detailed and helpful response. I overthink
> EVERYTHING, it's just who I am...but I also want to make the script as well
> put together as I can and looking at my current RHEL/CentOS 7.x script,
> there is a ton of room for improvement based on what I am learning/doing
> now.
>
>
The world needs people like that, else the details would get overlooked :-).


> 1 more question. Given we are on the same page re: dirs, what permissions
> do you assign to them (owner/group and file permissions)? I don't mean the
> services, for those I have a guac user and a tomcat user, I just mean the
> dirs/files.
>
>
I usually create a user called guacamole and a group called guacamole, and
set ownership of the following directories to that user account:
- /etc/guacamole (or wherever GUACAMOLE_HOME is)
- /opt/tomcat

I usually leave /opt/guac (where guacd is installed) with root ownership,
since there's nothing that the user running guacd needs write access to in
there.  Changing ownership on the entire tomcat directory is probably not
the best practice - the reality is that the user probably only needs write
access to the logs directory (/opt/tomcat/logs) and the webapps directory
(/opt/tomcat/webapps).  I should probably improve security a little there
by leaving everything else as root.root :-).


> I have probably put ~10hours into the RHEL/CentOS 8.x script since my last
> reply here. I have found myself essentially doing what you describe in your
> last reply to me. In large part thanks to your input, but also after reading
> tomcat, guacamole and other documentation.
>
> /opt/guacamole for guacamole server
> /etc/guacamole as it's the default GUACAMOLE_HOME
> /etc/guacamole/{lib, extensions} for JDBC driver and extensions
> /opt/tomcat for tomcat
> /opt/tomcat/webapps for guacamole.war (guac client)
>
> Without going too in depth, I actually intend to use /opt/guacamole and
> /opt/tomcat as symlinks to /opt/guac-version and /opt/tomcat-version to
> potentially make updating easier in the future.
>
>
This makes sense, and is relatively common practice when you look at how
other software vendors/packagers do it.  I'm not usually terribly worried
about tracking particular versions like that, so I don't, but, again,
that's just my practice/habit.


> My script sets up Nginx and configures it for SSL, etc. I am pretty
> comfortable in that regard.
>
> Was just a bit of a shock (but a good learning experience) going from Tomcat
> installed from a rpm via yum to having to unpack the tar.gz and set it
> up/configure it properly.
>
> I am very excited to get my script working on RHEL/CentOS 8.x. I have
> trimmed out a lot of "fat" already, which should make updating it, following
> it (when I look at parts long after I write them) and expanding on it much
> easier. In doing so I am hoping after I get it working, I can focus on
> adding features to it, not wrestling with the untidy parts of it (since I
> hope to clean them up).
>
> It's actually going so well, that despite my original plan to stop working on
> the 7.x version of the script and focus on a separate 8.x version...I might
> actually be able to use a single script for both without a ton of extra
> logic/work like I expected it to be. Not saying that's what I will do, but at
> least considering it now.
>
> My 8.x script is in a private repo now. Once I have it running and am
> comfortable it's decently reliable I plan to move it to a public GitHub repo
> and share it with others like I do the 7.x version. At that time I will
> surely post back to the mailing list to let people know about it.
>
> So many Thanks to you, I hope to "pass it forward" so to speak.
>
>
Very nice - we appreciate your involvement in the community!

-Nick
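
Added example, not part of the original message or of the Guacamole project: a POSIX shell check for the tighter layout described above, where everything under /opt/tomcat stays root-owned except the logs and webapps directories. The function name and its arguments are hypothetical; it follows a symlinked root such as the /opt/tomcat link mentioned in the quoted text.

```shell
#!/bin/sh
# Added example (not from the thread): least-privilege audit of a Tomcat tree.
# Lists every path under ROOT that SVC_USER can write to through ownership,
# a group-writable bit held by SVC_GROUP, or a world-writable bit, unless it
# sits inside a subdirectory the service is meant to write to.
#
# usage: audit_writable ROOT SVC_USER SVC_GROUP ALLOWED_SUBDIR...
# e.g.   audit_writable /opt/tomcat guacamole guacamole logs webapps
# Prints offending paths; returns 0 when the tree is clean, 1 otherwise.
audit_writable() {
    root=${1%/} user=$2 group=$3
    shift 3
    n=$#
    # Append "-path ROOT/sub -prune -o" for each allowed subdirectory, then
    # drop the original names so "$@" holds only find(1) arguments.
    for sub in "$@"; do
        set -- "$@" -path "$root/$sub" -prune -o
    done
    shift "$n"
    # -H follows ROOT itself when it is a symlink (e.g. to a versioned dir).
    # Symlinks inside the tree are skipped: their mode bits grant nothing.
    found=$(find -H "$root" "$@" ! -type l \( -user "$user" \
        -o \( -group "$group" -perm -0020 \) -o -perm -0002 \) -print)
    [ -z "$found" ] && return 0
    printf '%s\n' "$found"
    return 1
}

# Run as a script when given arguments; a non-zero exit means findings.
if [ "$#" -ge 3 ]; then
    audit_writable "$@"
fi
```

An empty result for /opt/tomcat with `logs webapps` as the allowed list means the service account can write only where it needs to.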
