Meshcentral: New installation (Increased Security Installation)

Created on 14 Jan 2020 · 17 Comments · Source: Ylianst/MeshCentral

I do appreciate that the documentation can get left behind a little so wondered if I can ask a brief few questions when performing a brand new installation of MC2 on Ubuntu 18 (as per the current documentation).

  1. For the increased security installation (6.8), I take it that 6.4, 6.5, 6.6 or 6.7 still needs to happen
  2. When installing MC2 into /opt/meshcentral there doesn't appear to be a meshcentral-data or meshcentral-files folder created underneath /opt/meshcentral (as there is in the ~ folder). Can these folders simply be moved to /opt/meshcentral and then permissions applied again?
  3. There's no mention of updating the systemd service file with the now created meshcentral user, and the revised working/home folders in /opt/. Just a missing part of the docs?
  4. Page 23 in the PDF states to use "sudo cd /opt/meshcentral" - "cd" doesn't like "sudo" (this is the first time the "cd" command is used on this page, a few lines down it's listed without "sudo")
  5. Just below the commands to install npm are "sudo npm install meshcentral" which goes against the warning made at the top of Page 20. Should this be "sudo -u meshcentral install meshcentral" so npm is installed as the meshcentral user?
  6. The reference to Lets Encrypt is related to (2) - if the folders aren't there ...
bug question

All 17 comments

2. I used /etc/meshcentral and sub-folders were created on install

Basically with increased security, you want to run MeshCentral within a really restricted Linux user account that does not have shell access. It's mostly the same install, but a few differences.

  1. For the increased security installation (6.8), I take it that 6.4, 6.5, 6.6 or 6.7 still needs to happen

Yes.

  2. When installing MC2 into /opt/meshcentral there doesn't appear to be a meshcentral-data or meshcentral-files folder created underneath /opt/meshcentral (as there is in the ~ folder). Can these folders simply be moved to /opt/meshcentral and then permissions applied again?

Yes, create or move them and change the permissions. MeshCentral is running with much lower privileges, so it can't create its normal folders automatically.

  3. There's no mention of updating the systemd service file with the now created meshcentral user, and the revised working/home folders in /opt/. Just a missing part of the docs?

That is a problem/omission. The user= and group= in the systemd meshcentral.service should show the restricted user/group name.

  4. Page 23 in the PDF states to use "sudo cd /opt/meshcentral" - "cd" doesn't like "sudo" (this is the first time the "cd" command is used on this page, a few lines down it's listed without "sudo")

Ha yes, that needs to be fixed. When I get home, I will update the docs. Thanks for pointing that out.

  5. Just below the commands to install npm are "sudo npm install meshcentral" which goes against the warning made at the top of Page 20. Should this be "sudo -u meshcentral install meshcentral" so npm is installed as the meshcentral user?

Also a good point!

  6. The reference to Lets Encrypt is related to (2) - if the folders aren't there ...

Yes.

In general, I am working on a new --install, --uninstall for MeshCentral that automates everything. I should really make a --secureinstall and --secureuninstall that automate the secure installation flow.

When back at work, I will take a look at this.

@Ylianst the installation isn't overly difficult and to be honest, if the documentation could be updated, I would suggest that that would be enough.

One thing that I would like to suggest is: why not put the documentation into a format (wiki?) that is accessed here on Github and available to be pulled? That way when an eagle-eyed user sees a typo or perhaps a reasonably simple update, they could pull it and then resubmit their changes as a patch. Once approved, it automatically gets published back here to Github? That way the documentation production doesn't solely come down on you and the team. I'm not a coder (dabble with PHP) but I'd be more than happy to contribute in this manner?

Migrating the docs to somewhere the community can help maintain them already has its own issue (#233). I will post my comment on the matter there.

The --secureinstall and --secureuninstall arguments seem like a good idea for streamlining the process.

Someone should start filling up the project wiki page. :smiley:

I believe the wiki would be the best place - that means that both issues and documentation are all hosted on github and one doesn't need to route somewhere else to review the documentation. Additionally, a lot of (external) documentation sites generate their output from the code that's pushed, which means those editing the docs would constantly need to pull from here, then push and IMHO it would get all rather messy.

The wiki would work as although (by default) only @Ylianst and the team have (write) access to the project, they can grant others permission to the public wiki alone. That would seem like a good compromise of keeping everything neat and tidy and in one place, whilst still giving the team overall control on the content.

  1. As I stated in #579:
    > I wouldn't recommend using [GitHub's built-in Wiki function for documentation], especially considering the quality of [MeshCentral's] current documentation, as GitHub Wikis are based on GitHub Flavored Markdown, which is missing a lot of features, most projects I know that do use them end up with broken links throughout their wikis quickly, and they don't get versioning control.
  2. Please use issue #233 for discussion about relocating the docs. This issue is about improving the 'increased security installation' portion of the docs.

I just attempted an "Increased Security Installation" on Ubuntu 20.04 and had similar failures during the installation. I notice that in the latest version of the Install Guide (0.0.9) the command to "sudo npm install meshcentral" is also still there.

I removed meshcentral and tried the non-sudo install and...

npm WARN checkPermissions Missing write access to /opt
...
npm ERR! code EACCES
...
npm ERR! Error: EACCES: permission denied, access '/opt'
...

It looks like the "Increased Security Installation" documentation needs a serious overhaul. :(

I just re-read that last post and it may have come across a little harsher than I meant. I'm absolutely supportive of this project, I just think I could have worded that last post a little better. :)

OK, so I followed the amended steps listed above and it installs and runs, I can get to the web page, create an admin user, create a device group, but cannot download the agent - "Couldn't download - network error" is being reported by the browser when clicking on the link.

We're definitely going to need to work on some better documentation for the "Increased Security Installation".

(I'll post another thread asking for an MSI instead of an EXE as Windows admins know the advantages of MSI installation over EXE installation, especially on a domain.)

I've volunteered to keep the documentation up to date and I've been horrendously busy since I offered, but I will make a concerted effort in the future weeks to get this sorted out.

I completely understand - we all have lives...

Do you have any idea why I cannot download the agents, therefore why I can't connect anything to the MeshCentral Server? As another thing, I also cannot upload files - I get a huge "X" on the web page when I attempt to...

OK, I blew the Ubuntu 20.04 server away and restarted from scratch. There's still an issue with downloading the agent (I'm using a Windows box as the test agent). It has to be a permissions thing with the agents folder, but I'm kinda stuck here...

I can create folders and files this time, at least, but without being able to download, and therefore install an agent, it isn't really that much use. :)

I'm guessing at this point, that it's a permission issue. Just a thought here and is the first place I go to when something doesn't appear to work in a Linux environment. So, if you're running as a service, check the user and group within that service file to ensure that there are no typos etc. I don't believe there would be as other things are working, but still a good habit to get into.

The next thing I would imagine, is to re-run the sudo chown -R user:group /opt/meshcentral to ensure that ownership is set up correctly. Please note that user:group relates to the same user/group details you've supplied in the service file. Additionally, if /opt/meshcentral isn't your secure install folder, then adjust accordingly.

After that, I would also run sudo chmod -R 0775 /opt/meshcentral to ensure that permissions are set correctly.

Finally (and I apologize for this, I'm actually on vacation right now so not in front of a MC2 server, but...) I would check the /opt/meshcentral/meshcentral-data/agents* folder and ensure that you see a list of files. In fact, why not perform an ls -al within that folder and post the results here: that way we can see the ownership, permissions and the content in one quick and easy command.

HTH

Dave

*I believe that this is the correct folder: it could be /opt/meshcentral/meshcentral-files/agents
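
The checks suggested in this reply and in the maintainer's earlier answer (an account without shell access, the restricted user and group in the service file, data folders owned by that account) can be scripted. This is an added example, not part of the thread or of MeshCentral; the function names are hypothetical and it assumes GNU stat.

```bash
#!/usr/bin/env bash
# Added example (not MeshCentral code); function names are hypothetical.
# systemd directive names are case-sensitive, so it looks for "User="/"Group=".

# Print the last value assigned to a directive in a unit file.
unit_value() {  # unit_value <unit-file> <directive>
    sed -n "s/^[[:space:]]*${2}[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# Succeed only if the unit names the restricted user and group explicitly.
check_unit() {  # check_unit <unit-file> <user> <group>
    local u g
    u=$(unit_value "$1" User); g=$(unit_value "$1" Group)
    [ "$u" = "$2" ] || { echo "FAIL: User=${u:-<unset, service runs as root>}"; return 1; }
    [ "$g" = "$3" ] || { echo "FAIL: Group=${g:-<unset>}"; return 1; }
    echo "OK: unit runs as $2:$3"
}

# Succeed only if both data folders exist and belong to the service user.
check_dirs() {  # check_dirs <install-dir> <user>
    local rc=0 d owner
    for d in meshcentral-data meshcentral-files; do
        if [ ! -d "$1/$d" ]; then
            echo "FAIL: $1/$d is missing"; rc=1; continue
        fi
        owner=$(stat -c %U "$1/$d")
        [ "$owner" = "$2" ] || { echo "FAIL: $1/$d is owned by $owner"; rc=1; }
    done
    return "$rc"
}

# Succeed only if the account's passwd entry denies interactive login.
check_shell() {  # check_shell <passwd-file> <user>
    local sh
    sh=$(awk -F: -v u="$2" '$1 == u { print $7 }' "$1")
    case "$sh" in
        */nologin|*/false) echo "OK: $2 login shell is $sh" ;;
        *) echo "FAIL: $2 login shell is '${sh:-<no entry>}'"; return 1 ;;
    esac
}

# Usage: audit.sh <unit-file> <install-dir> <user> <group>
if [ "$#" -eq 4 ]; then
    rc=0
    check_unit "$1" "$3" "$4" || rc=1
    check_dirs "$2" "$3" || rc=1
    check_shell /etc/passwd "$3" || rc=1
    exit "$rc"
fi
```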



Thanks for that, Dave. Enjoy your holiday - they come too rarely and are never long enough...

Yeah, I had done the chmod/chown again in case, and currently am manually running meshcentral with "sudo -u meshcentral node /opt/meshcentral/node_modules/meshcentral"

OK, there is no "/opt/meshcentral/meshcentral-files/agents" folder - only a "domain" folder in there and nothing else. The "domain" folder has a "user-meshadmin" and "mesh-GUID" folder in it.

Even rerunning the "sudo -u meshcentral npm install meshcentral" now doesn't create it.

Maybe I'll just set up a "eeewwwww, running with too many rights? Seriously?" installation and when you're back from holidays we can work on getting these instructions for running as a non-root user worked out... :)

@RavHilton I'm back and need to spend a couple of days working on MC2 as it's not working for me in my environment so I'm starting to get into this a little bit more, so please bear with me - should have a response for you within the next couple of hours...

@RavHilton - please find attached a document that I've just created that notes how I've gotten an MC2 installation to work, along with the secure installation details. @Ylianst would be the only one to "bless" this as being as safe as the original text and as per the handbook and, to be fair, I do not have this working in production as of right now (I need to add the MySQL database details for me to get it working as I would like). Additionally I note that some of the formatting has been removed - I need to work out how to export content from Confluence into PDF and retain all colors, font etc. so please forgive me that.
DOC-222461959-280720-0403.pdf

I've also not tried this with Focal but intend to do so this week to see how the notes fare...
Do let me know how you get on with it.

Regards

Dave
