Difference between revisions of "EMFT Build Server Setup"

(See Also)
Line 553: Line 553:
[[Category:Modeling]] [[Category:EMFT]] [[Category:Releng]]
= See Also =
* Additional info and configuration steps are listed in [[EMF Build Server Setup]].
* Want to set up a local mirror of your build server so that you can test .php pages before publishing them? See [[Eclipse Server Sandbox Setup]].
[[Category:Modeling]] [[Category:EMF]] [[Category:Releng]]

Revision as of 15:00, 7 February 2008

EMFT Build Server Setup

You will need to be root for most of these tasks.

UPDATE: Apache 2.2, MySQL 5.0, PHP 5.2

Since and most of the rest of * has now completed the SLES 10 Upgrade, I decided to do the same with A few weeks ago we tried to build PHP 5 w/ support for MySQL 5 and get that working with Apache 2, but ultimately the make failed and we had to give up. Tonight, I discovered XAMPP 1.5.5a, which is SO MUCH EASIER it's kinda embarrassing I didn't try it earlier. In about 15 mins I had 4 services set up: httpd, mysqld, php, and ftpd. Since I didn't feel like reconfiguring the MySQL 5 server - all that was missing was Apache's support for MySQL 5 with PHP 5 - I have since only turned on the XAMPP Apache 2.2 server, and disabled the rest.

Beyond the crazy-easy install instructions provided on the XAMPP website, the only additional thing I had to do was to create a replacement for /etc/init.d/httpd, then symlink that new script back to the previous so that the new apache would be used instead of the old one.

I also had to symlink the existing content in /var/www/html into the new location, /opt/lampp/htdocs/.

#!/bin/bash
# /etc/init.d/xampp-httpd: symlink in /etc/init.d as httpd to replace default Xen-installed Apache at startup
case "$1" in
  start)   /opt/lampp/lampp startapache;;
  stop)    /opt/lampp/lampp stopapache;;
  restart) /opt/lampp/lampp stopapache; /opt/lampp/lampp startapache;;
  *)       echo $"Usage: $0 {start|stop|restart}"; exit 1;;
esac

UPDATE (2006/12/20): XAMPP (lampp) runs by default as user and group "nobody". This might be a problem if that user doesn't exist on your system or you've already got folders set to be owned by a different web user, such as "www-data" or "apache". You can fix this problem by editing /opt/lampp/etc/httpd.conf thus:

<IfModule !mpm_winnt_module>
<IfModule !mpm_netware_module>
User apache
Group apache
</IfModule>
</IfModule>

Set up web content

FROM ( (


Fix permissions & ownership

cd /var/www/html; find . -type f -exec chmod 664 {} \;
cd /var/www/html; find . -type d -exec chmod 775 {} \;
cd /var/www/html; find . -exec chown apache:www {} \;

cd /home/www-data/build; find . -type f -exec chmod 664 {} \;
cd /home/www-data/build; find . -type d -exec chmod 775 {} \;
cd /home/www-data/build; find . -exec chown apache:www {} \;
cd /home/www-data/build/modeling/scripts; find . -type f -name "*.sh" -exec chmod 755 {} \;
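
A check for the permission scheme set by the commands above, as an added example that is not part of the original page. `audit_tree` is a hypothetical helper name, and the example assumes every *.sh file is meant to be 755, which the page applies only under the scripts directory.

```shell
#!/bin/sh
# Added example, not from the original page.
# audit_tree DIR [USER GROUP]
#   Prints "MODE <path>" for entries that deviate from the scheme above
#   (directories 775, *.sh files 755, other regular files 664) and, when
#   USER and GROUP are given, "OWNER <path>" for entries not owned by them.
#   Assumption: every *.sh file is meant to be executable.
audit_tree() {
  dir=$1; user=${2:-}; group=${3:-}

  # Exact-mode comparison: anything looser or tighter than expected is listed.
  find "$dir" \( \
         \( -type d ! -perm 775 \) -o \
         \( -type f   -name '*.sh' ! -perm 755 \) -o \
         \( -type f ! -name '*.sh' ! -perm 664 \) \
       \) | sed 's/^/MODE /'

  # Ownership is only checked when both names are supplied.
  if [ -n "$user" ] && [ -n "$group" ]; then
    find "$dir" \( ! -user "$user" -o ! -group "$group" \) | sed 's/^/OWNER /'
  fi
}

# Usage on the build server described here:
#   audit_tree /var/www/html apache www
#   audit_tree /home/www-data/build apache www
```

No output means the tree matches; a world-writable file or directory shows up as a MODE line because its mode differs from the expected one.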

Apache 2 w/ PHP 5 was already installed. Only a few additional programs needed to be installed as well.

Install via yum using yum-xen.conf file

  • Get a list of the available updates
yum -c list 2>&1 | tee /tmp/yum-list.txt
  • Install required groups of installs - Java Development & Development Tools
yum -c groupinstall "Java Development"
yum -c groupinstall "Development Tools"
  • Install gtk- and x11-related packages (in order to do Eclipse UI JUnit tests)
yum -c install gtk2.i386
 Package                 Arch       Version          Repository        Size
 gtk2                    i386       2.6.10-2.fc4.4   updates-released  4.8 M
Installing for dependencies:
 atk                     i386       1.9.1-1          base              178 k
 pango                   i386       1.8.1-2          base              272 k
yum -c install xorg-x11.i386 xorg-x11-libs.i386 xorg-x11-xdm.i386 
 Package                 Arch       Version          Repository        Size
 xorg-x11                i386       6.8.2-37.FC4.49.2  updates-released   14 M
 xorg-x11-xdm            i386       6.8.2-37.FC4.49.2  updates-released  170 k
 xorg-x11-libs           i386       6.8.2-37.FC4.49.2  updates-released  2.5 M
Installing for dependencies:
 chkfontpath             i386       1.10.0-4         base               13 k
 fonts-xorg-base         noarch     6.8.2-1          base              7.3 M
 ttmkfdir                i386       3.0.9-16.1       updates-released   49 k
 xinitrc                 noarch       updates-released   28 k
 xorg-x11-font-utils     i386       6.8.2-37.FC4.49.2  updates-released  124 k
 xorg-x11-xauth          i386       6.8.2-37.FC4.49.2  updates-released  102 k
 xorg-x11-xfs            i386       6.8.2-37.FC4.49.2  updates-released  141 k
 xterm                   i386       208-4.FC4        updates-released  191 k


If you can't use the yum-xen.conf file noted above, you can update using the repository information in your /etc/yum.repos.d/*.repo files. If you're looking to upgrade your FC version, see Yum Upgrade FAQ.

Install & symlink

Fix hostname

  • Ensure your /etc/hosts file contains a line such as this, so that the server knows its own name: localhost localhost.localdomain

Configure Sendmail Message Relay

Your build server is probably not allowed to send mail by itself for a number of security and performance reasons. As such, you need to enable message relaying via a secondary mail host. Here's how.

  • Edit /etc/mail/
# "Smart" relay host (may be null)
  • Restart sendmail
 /etc/init.d/sendmail restart
  • Test w/ /usr/sbin/sendmail -t -v
Subject: test relay send

Hey, this is a test.

Fix web user (apache)

  • Edit /etc/group. Add www group:


  • Edit /etc/passwd. Change user's home directory and shell:


  • Edit /etc/sudoers to let you run commands and switch to the web user w/o needing a password. Add the following lines:


%www  ALL = (apache) NOPASSWD: ALL, (root) /usr/bin/su apache
  • Switch to the web user. You should NOT be prompted for a password.
sudo -u apache bash
  • Create an ssh key, WITH NO PASSPHRASE. Store in ~/.ssh/id_rsa and ~/.ssh/
ssh-keygen -b 2048 -t rsa
  • Copy contents of ~/.ssh/ into ~/.ssh/authorized_keys file for user on who will be running builds. This is so that the web user can commit changes to cvs (tagging, updating map files) for I, M, S & R builds.

  • Test by ssh'ing to, where _username_ should be replaced with your actual username:
  • Run newgrp www so that when new files are created, they will use the group id www instead of apache:
newgrp www
  • Set umask 022 so that files will be created with group write perms 664 (see #/etc/bashrc):
umask 022
  • Set the remote shell connection method for CVS to be ssh instead of the default rsh (see #/etc/bashrc):
export CVS_RSH=/usr/bin/ssh
  • Set an ANT_HOME and JAVA_HOME, and add ant to the PATH (see #/etc/bashrc):
export ANT_HOME=/opt/apache-ant-1.6
export JAVA_HOME=/opt/sun-java2-5.0
export PATH=${PATH}:${ANT_HOME}/bin
  • Switch to the root user.
  • Append the following into /etc/bashrc, where _username_ should be replaced with your actual username:


umask 022
export ANT_HOME=/opt/apache-ant-1.6
export JAVA_HOME=/opt/sun-java2-5.0
export PATH=${PATH}:${ANT_HOME}/bin
export CVS_RSH=/usr/bin/ssh
  • Add the following to .bashrc and .bash_profile files:


if [ -f /etc/bashrc ]; then
  . /etc/bashrc
fi

if [ "$PS1" ]; then
  # enable color support of ls and also add handy aliases
  eval `dircolors -b`
  alias ls='ls --color=auto'
  alias ll='ls -l --color=auto'

  # set a fancy prompt
  # 1;30 - grey, 1;31 - red, 1;32 - green, 1;33 - yellow, 1;34 - blue, etc.
  PS1="\[\033[1;30m\]\u@\h:\w\\[\033[0;39m\] \$ "
  export PS1=$PS1"\[\e]30;\u@\H:\w\a\]"
  export PATH
fi

source ~/.alias
cat ~/.alias


if [ -f ~/.bashrc ]; then
  . ~/.bashrc
fi

export PATH

Secure build script

  • Since the webserver is public but builds should only be run by authorized users, we must secure access to the build.php script.
  • Edit Apache config file to allow .htaccess rule changes to take effect. Change None to All:


# AllowOverride controls what directives may be placed in .htaccess files.
# It can be "All", "None", or any combination of the keywords:
#   Options FileInfo AuthConfig Limit
  AllowOverride All
  • Create password file, where _username_ should be replaced with an actual username and /path/to/password/file should be replaced with an actual path:
htpasswd -c /path/to/password/file _username_
  • You can add additional users to the password file like this:
htpasswd /path/to/password/file _username2_
  • Create .htaccess file, replacing /path/to/password/file with the same path used in the previous step:


AuthType Basic
AuthName "EMFT Build Server @"
AuthUserFile /path/to/password/file
Require valid-user
  • Restart apache, eg.:
/usr/sbin/httpd -k restart
 - or -
apache2ctl restart

Run a build

Using the username and password set up in the previous step, go here:

Check the build log while it's running or after it completes. If you see any messages such as permission denied or the following, something is amiss.

Debugging tips

execvp: Permission denied
  • Shell scripts must contain unix line endings. Run dos2unix to make sure, if copying them from a non-unix filesystem.
  • Shell scripts /home/www-data/build/emft/scripts/*.sh must be executable. See #Fix permissions & ownership.


  • Directories, eg. /home/www-data/build/emft/jet/downloads/drops/1.0.0 must be writable by the web user (or group www). See #Fix permissions & ownership.

-- Connection refused
cvs [checkout aborted]: end of file from server (consult above messages if any)
  • CVS connection refusals are the result of not being able to automatically ssh as the web user to This could be a problem with ssh keys (see above - #Fix web user (apache)) or the method CVS uses to connect (rsh instead of ssh - see #/etc/bashrc).


  • For any compilation-related problems, missing file problems, or other issues not touched upon in this document, see EMFT_Procedures.

Display build logs, details & test results

Builds - including unpublished Nightly builds - are listed on the downloads page here:

Published builds are located here:

Add additional users

  • As root, run:
# adduser -p expects an already-encrypted password, so set it with passwd instead
adduser newuser
passwd newuser
  • Then copy .bashrc, .bash_profile, and .alias from an existing user (if not using /etc/skel) to the new user's home dir.
 cp /home/user/.bashrc /home/user/.bash_profile /home/user/.alias /home/newuser
  • Fix permissions on copied files
 chown newuser:newuser /home/newuser/.bashrc /home/newuser/.bash_profile /home/newuser/.alias

Install & configure mysql server 5

This section documents setting up the build server with MySQL 5.0. If you'd like details on setting up MySQL 4.1, go here: EMFT Build Server Setup (Archived) - Install & configure mysql server 4.1

Install via rpm

Download the RPMs listed below, then install them manually.

rpm -i \
  MySQL-client-5.0.24-0.glibc23.i386.rpm \
  MySQL-server-5.0.24-0.glibc23.i386.rpm \
  MySQL-devel-5.0.24-0.glibc23.i386.rpm \

Set mysql root user password

Per instructions posted here

  • Stop running daemon
 /etc/init.d/mysql stop
  • Start mysql server
 /usr/bin/mysqld_safe --skip-grant-tables --user=root &

 mysql -u root
  • In mysql, run the following commands:
 UPDATE mysql.user SET Password=PASSWORD('newpwd') WHERE User='root';
  • Stop server
 kill `cat /var/lib/mysql/`;
    - or -
 kill `cat /var/run/mysqld/`
  • Wait until process is actually killed
 ps ax | grep mysql
  • Start mysql daemon
 /etc/init.d/mysql start
  • To verify password set correctly:
 mysql -u root -p
  • Enter new assigned root password when prompted

Add a user

  • Start up mysql if not already connected.
 mysql -u root -p
  • In mysql, run the following commands:
 UPDATE mysql.user SET Password=PASSWORD('newuserpwd') WHERE User='newuser';
  • Verify connection - connect as newuser using the assigned password, newuserpwd.
 mysql -u newuser -p

Firewall configuration

  • Create the following script as /root/firewall
# suggested by (Denis)

# Flush the INPUT chain
/sbin/iptables -F INPUT
/sbin/iptables -P INPUT ACCEPT

# Flush FORWARD chain
/sbin/iptables -F FORWARD
/sbin/iptables -P FORWARD DROP

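# Reject and log all SSH connections (-I inserts at the top of the chain, so the rules added further down are evaluated first)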
/sbin/iptables -I INPUT -p tcp --dport 22 -j REJECT
/sbin/iptables -I INPUT -p tcp --dport 22 -j LOG
# Accept from localhost
/sbin/iptables -I INPUT -p tcp -s --dport 22 -j ACCEPT
# Accept from *
/sbin/iptables -I INPUT -p tcp -s --dport 22 -j ACCEPT

# Allow one IP
# /sbin/iptables -I INPUT -p tcp -s --dport 22 -j ACCEPT

# Allow an entire subnet
# /sbin/iptables -I INPUT -p tcp -s --dport 22 -j ACCEPT
  • Then link to it from init.d and rc.d to make it run on vserver startup
ln -s /root/firewall /etc/init.d/firewall
ln -s /etc/init.d/firewall /etc/rc.d/rc3.d/S56firewall
ln -s /etc/init.d/firewall /etc/rc.d/rc5.d/S56firewall

CVS configuration

(With thanks to

  • Install CVS
yum install cvs
  • Create cvs group
vi /etc/group
  • Add the following line (or similar), listing all the users to have CVS access, then exit and save (ESC, :wq)
  • Create CVSROOT
mkdir -p /cvsroot/modeling
cvs -d /cvsroot/modeling init
  • Set permissions
cd /cvsroot/modeling
chgrp -R cvs .
chmod -R 2775 . CVSROOT

CVS Mirroring

  • In order to create a clone of the cvs repositories so as to be able to massage them in a sandbox environment, the following script can be used:

# to use these colour escapes, must do `echo -e`
red="\033[1;31m"; green="\033[1;32m"; yellow="\033[1;33m"; blue="\033[1;34m"; norm="\033[0;39m";

getFromRemote () {
  root=$1; proj=$2;
  echo -e $green"Synch /cvsroot/$root/$proj ..."$norm;
  rsync -Phzogtr $$root/$proj .;
}

mkdir -p ./cvsroot/modeling; cd ./cvsroot/modeling;

# tech homes, source
for d in gmt-home; do getFromRemote technology $d; done
for d in org.eclipse.gmt org.eclipse.gmf org.eclipse.emft org.eclipse.mddi; do getFromRemote technology $d; done

# tools homes, source
for d in gef-home emf-home uml2-home; do getFromRemote tools $d; done
for d in org.eclipse.gef.source-feature org.eclipse.gef.examples-feature org.eclipse.gef-feature \
  org.eclipse.gef.examples.ediagram  org.eclipse.releng.gefbuilder org.eclipse.gef.source \
  org.eclipse.draw2d.examples  org.eclipse.draw2d  org.eclipse.gef.examples.text org.eclipse.gef.doc.isv \
  org.eclipse.gef.test org.eclipse.gef.examples.logic org.eclipse.gef.examples.shapes org.eclipse.gef.examples.flow \
  org.eclipse.gef org.eclipse.draw2d.test org.eclipse.draw2d.doc.isv org.eclipse.gef.releng org.eclipse.uml2 \
  org.eclipse.emf org.eclipse.emf.ecore.sdo org.eclipse.xsd org.eclipse.uml2.releng ; do \
  getFromRemote tools $d; done

echo "";
du --max-depth=1 -h;
cd -;
  • Then copy or merge these files into /cvsroot/modeling

Verify X Server

See Verify X Server.

Secure filesystem access with tripwire

  • Install tripwire
yum install tripwire
tripwire                i386       2.3.1-22         extras            1.8 M
  • Configure tripwire
  • Review/edit policy file in /etc/tripwire/twpol.txt
  • Initialize tripwire database. Log problems to a textfile, then filter them to extract just a list of missing files
tripwire --init 2>&1 | tee problems.txt; \
grep Filename problems.txt > problems.txt1; \
cat problems.txt1 | awk -F: '{ print $2 }' > problems.txt; \
rm -fr problems.txt1;
  • Remove any warnings about missing files (ie., things not actually installed)
cp twpol.txt twpol.txt.bak
for f in `cat problems.txt`; do 
  f=${f//\//\\\/}; # echo $f; # escape slashes
  cat twpol.txt | sed -e "s/ $f /#REMOVE# $f /" > twpol.txt1; diff twpol.txt1 twpol.txt; mv twpol.txt1 twpol.txt; 
done
diff twpol.txt twpol.txt.bak
  • Remove the database and start over using the new text policy file.
rm -fr /var/lib/tripwire/;
mkdir old; mv site.key problems.txt* tw.* *.bak old/
tripwire --init  2>&1 | tee problems.txt
  • Perform integrity check
tripwire --check
rpm -i ccrypt-1.7-1.i386.rpm
  • Encrypt policy file in /etc/tripwire/twpol.txt
ccrypt -e /etc/tripwire/twpol.txt
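
An alternative to the sed loop in the "Remove any warnings about missing files" step, as an added example that is not part of the original page. The function names and the sample policy and log are constructed for illustration; the only thing taken from the page is that missing files are reported on lines containing "Filename:".

```shell
#!/bin/sh
# Added example, not from the original page.

# Print the unique paths named on "Filename:" lines of a saved
# `tripwire --init` log (the lines the page greps for).
missing_from_log() {
  sed -n 's/^.*Filename:[[:space:]]*//p' "$1" | sort -u
}

# prune_policy POLICY MISSING_LIST
#   Writes POLICY to stdout with "#REMOVE# " in front of every rule whose
#   object name (first field) appears in MISSING_LIST. Names are compared as
#   whole strings, so "." or "+" in a path is never treated as a pattern, and
#   lines that are already commented out are left alone.
prune_policy() {
  awk '
    FILENAME == ARGV[1] { if ($1 != "") missing[$1] = 1; next }
    ($1 in missing)     { print "#REMOVE# " $0; next }
                        { print }
  ' "$2" "$1"
}

# Constructed sample input (not real tripwire output or a real policy).
make_sample() {
  cat > "$1/twpol.txt" <<'EOF'
  /sbin/accton        -> $(SEC_CRIT) ;
  /sbin/accton.old    -> $(SEC_CRIT) ;
  /usr/sbin/fixrmtab  -> $(SEC_CRIT) ;
EOF
  cat > "$1/init.log" <<'EOF'
### Warning: File system error.
### Filename: /sbin/accton
### No such file or directory
### Continuing...
EOF
}

# Usage:
#   missing_from_log problems.txt > missing.txt
#   prune_policy twpol.txt missing.txt > twpol.txt.new
#   diff twpol.txt twpol.txt.new    # review before replacing twpol.txt
```

Reviewing the diff before replacing the policy matters here, since every commented-out rule is a path tripwire will no longer watch.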

Thanks to the following Red Hat manuals for assistance in setup:

See Also
