Operating System

As mentioned in System overview, Helix TeamHub is provided as a native operating system package, such as .rpm and .deb for one of our supported 64-bit architecture Linux platforms:

Since some of the above distributions have several minor versions, only the 2 latest minor releases are supported. For example, as of writing this document, the latest two releases of RedHat Enterprise Linux 6 family are 6.5 and 6.6. To benefit from the OS level security updates, performance optimizations, and compatibility with Helix TeamHub, closely follow the release cycle of the operating system in use and upgrade in a timely manner.

In addition to the operating system, the following preparations are required:

Ports

Helix TeamHub application binds to a number of ports that must be free before proceeding with installations. In some cases, the Linux distribution may already have an installed package that uses the ports Helix TeamHub needs. Therefore, make sure all the ports listed in Inbound and Inter-server connections are available. The following command can be executed to check if anything is listening on port 80:

netstat -tulpn | grep :80

Local Firewall

In addition to the company wide firewall, the local firewall may also be installed by default, for example iptables. Make sure it's either disabled or configured to accept the ports listed in Inbound and Inter-server connections.

UID and GID

When Helix TeamHub is installed, the new hth user account and system group are created with predefined UID and GID of 21212, so make sure they are not reserved.

Locale

Make sure en_US.UTF-8 locale is installed and no errors are reported when running export LC_ALL=en_US.UTF-8.

Linux Security Modules

LSMs (Linux Security Modules) such as SELinux may also prevent Helix TeamHub from running. To disable LSMs:

RHEL and CentOS

Edit /etc/selinux/config and ensure that SELINUX is either in disabled or permissive mode. To avoid restarting the server for changes to come into effect, run the command below to immediately disable SELinux:

setenforce 0

Debian and Ubuntu

Does not need any changes.

OpenSSH and repository SSH access

Helix TeamHub supports accessing repositories over SSH protocol. OpenSSH version 6.9 or later is required with support for AuthorizedKeysCommand with arguments. Repository SSH access can be enabled after installing Helix TeamHub by either using the system or bundled OpenSSH. It’s recommended to use system OpenSSH, but the bundled OpenSSH can be used if upgrading OpenSSH is not otherwise possible.

Use system OpenSSH

Append following configuration to the end of the sshd configuration file (/etc/ssh/sshd_config) and reload sshd:

Match User hth
    AuthorizedKeysCommand /usr/bin/hth-ssh-auth %t %k
    AuthorizedKeysCommandUser hth

Use bundled OpenSSH

When using the bundled OpenSSH, it is important that automatic updates are configured to skip OpenSSH package. OpenSSH updates can be disabled as follows:

RHEL and CentOS

Open /etc/yum.conf and add the following line under [main] section:

exclude=openssh*

Debian and Ubuntu

sudo apt-mark hold openssh-server

When using systemd, change the service configuration file (usually in /etc/systemd/system/sshd.service) to use simple type under [Service] section:

Type=simple

Reload systemd configuration after changing service configuration:

systemctl daemon-reload

In order to use the bundled OpenSSH, merge the following configuration to /var/opt/hth/shared/hth.json, run sudo hth-ctl reconfigure and reload sshd: Note: this will symlink the existing sshd to the bundled sshd.

{
    "opensshp": {
        "enable": true
    }
}

SSH Optimization

For Helix TeamHub setups that are relatively large, we found that setting the following parameters for SSHD helps with security and efficiency of the system overall:

MaxStartups 100
ClientAliveInterval 60
ClientAliveCountMax 3

You can add those parameters manually to /etc/ssh/sshd_config on either the helix teamhub combo node or the hth-web node.

Memory Optimization

Network Optimization

Updated on: 5 October 2017