Author: wahab Page 1 of 7

Installing ERPNext v15 on Debian 13 Using Docker (Production Guide)

This guide explains how to install ERPNext v15 on a single Debian 13 server using Docker and Docker Compose, following Frappe’s recommended production approach.

The setup is suitable for:

Single ERPNext instance
Production workloads
Existing or new web servers (Apache / Nginx / Traefik / Caddy)

Architecture Overview (Important to understand first)

This setup runs all ERPNext services inside Docker containers, fully isolated from the host OS.

Component	Purpose
frappe/erpnext	ERPNext + Frappe framework
MariaDB 10.6	ERPNext database (containerized)
Redis (cache + queue)	Background jobs, caching
Docker volumes	Persistent data storage
Reverse proxy	SSL & domain handling

Why Docker MariaDB instead of MariaDB installed on the host?

No dependency conflicts
Correct, tested database version
No interference with host MySQL/MariaDB on port 3306
Persistent data via Docker volumes

ERPNext Docker Architecture (Interactive)

Internet
HTTPS :443

⬇ Reverse Proxy

Apache / Nginx
SSL Termination

⬇ HTTP :8080 (internal)

ERPNext Frontend
(Nginx)

ERPNext Backend
(Frappe / Bench)

Redis Cache

Redis Queue

MariaDB 10.6

Step 0 – Install Docker & Docker Compose (run as root)

apt update
apt install -y ca-certificates curl gnupg

install -m 0755 -d /etc/apt/keyrings
curl -fsSL https://download.docker.com/linux/debian/gpg | gpg --dearmor -o /etc/apt/keyrings/docker.gpg
chmod a+r /etc/apt/keyrings/docker.gpg

echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] \
https://download.docker.com/linux/debian $(. /etc/os-release && echo "$VERSION_CODENAME") stable" \
> /etc/apt/sources.list.d/docker.list

apt update
apt install -y docker-ce docker-ce-cli containerd.io docker-compose-plugin

Step 1 – Add user to docker group (run as root)

adduser erp
usermod -aG docker erp

• Adding to docker group means you no longer need sudo to run docker commands
• Permission Alignment: All the files created will be under the user ownership

Step 2 – Install Git (run as root)

apt install -y git

Switch to non-root user

su - erp

Step 3 – Clone Frappe Docker repository (non-root)

git clone https://github.com/frappe/frappe_docker
cd frappe_docker

Step 4 – Create .env file

ERPNEXT_VERSION=v15.95.2
DB_PASSWORD=STRONG_DB_PASSWORD
FRAPPE_SITE_NAME_HEADER=example.com
HTTP_PUBLISH_PORT=8080
UPSTREAM_REAL_IP_ADDRESS=127.0.0.1
UPSTREAM_REAL_IP_HEADER=X-Forwarded-For

Note: Use a strong password for MySQL root user.

Step 5 – Fix MariaDB version (important)

By default, Frappe Docker pulls mariadb:11.8.
ERPNext v15 is tested with MariaDB ≤ 10.8.

You may see this warning:

Warning: MariaDB version ['11.8', '5'] is more than 10.8 which is not yet tested with Frappe Framework.

Edit:

overrides/compose.mariadb.yaml

Change:

image: mariadb:11.8

To:

image: mariadb:10.6

Step 6 – Start ERPNext stack

docker compose \
-f compose.yaml \
-f overrides/compose.mariadb.yaml \
-f overrides/compose.redis.yaml \
-f overrides/compose.noproxy.yaml \
up -d

Step 7 – Verify containers

docker compose ls

You should see:

frontend
backend
websocket
queue-short / queue-long
scheduler
redis-cache / redis-queue
mariadb (healthy)

Step 8 – Create ERPNext site

docker compose exec backend bench new-site example.com \
--mariadb-root-password DB_PASSWORD \
--admin-password ADMIN_PASSWORD \
--install-app erpnext

Important:
• --mariadb-root-password must match DB_PASSWORD in .env
• --admin-password is used to log in — note it down

Step 9 – Enable scheduler

docker compose exec backend bench --site example.com enable-scheduler
docker compose exec backend bench --site example.com scheduler enable
docker compose exec backend bench doctor

 bench doctor is your "General Health Check" tool

Expected output:

-----Checking scheduler status-----
Workers online: 2
-----internal.shenzhen24h.com Jobs-----

Step 10 – Access ERPNext

Open in browser:

http://SERVER-IP:8080/app

Username: Administrator
Password: The one you set in Step 8

Step 11 – Reverse proxy & SSL Examples

Apache

<VirtualHost *:443>
ServerName example.com
ProxyPreserveHost On
RequestHeader set X-Forwarded-For "%{REMOTE_ADDR}s"
RequestHeader set X-Forwarded-Proto "https"
ProxyPass / http://127.0.0.1:8080/
ProxyPassReverse / http://127.0.0.1:8080/
</VirtualHost>

a2enmod proxy proxy_http headers rewrite
systemctl restart apache2

Nginx

server {
  listen 443 ssl;
  server_name example.com;
  location / {
    proxy_pass http://127.0.0.1:8080;
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-For $remote_addr;
    proxy_set_header X-Forwarded-Proto https;
  }
}

Step 12 – If no web server exists

Option A – Traefik

Automatic SSL
Docker-native
Uses compose.https.yaml

Option B – Caddy

Very simple configuration
Automatic HTTPS
Ideal for single-server deployments

Step 13 – Data persistence & backups

ERPNext data is stored in Docker volumes, not inside containers.
Containers can be safely recreated or upgraded without data loss.

Persistent Docker volumes

Database: frappe_docker_db-data
Sites & file uploads: frappe_docker_sites
Redis queue data: frappe_docker_redis-queue-data

Important: Containers are disposable; volumes are persistent.

Recommended backup method (ERPNext-aware)

The preferred way to back up ERPNext is using bench backup inside the backend container.

docker compose exec backend bench \
  --site internal.shenzhen24h.com backup --with-files

This creates a complete backup including:

Site configuration
MariaDB database (compressed SQL)
Public files
Private files

Example output:

Backup Summary for internal.shenzhen24h.com

Config  : site_config_backup.json
Database: database.sql.gz
Public  : files.tar
Private : private-files.tar

Backup completed successfully

Backups are stored inside the sites volume:

sites/internal.shenzhen24h.com/private/backups/

Optional: Volume-level backups (infrastructure safety)

For disaster recovery, you may also back up Docker volumes at the filesystem level:

Snapshot frappe_docker_db-data
Archive frappe_docker_sites

This is useful for full server restores, but bench backups should still be taken regularly.

Common Issues & Fixes

Issue	Fix
MariaDB 11.x warning	Downgrade to 10.6
Scheduler disabled	Enable manually
Login loop	Missing proxy headers
RequestHeader error	Enable `mod_headers`
Port 8080 exposed	Use reverse proxy only

Best Practices

Run Docker as non-root user
Use strong DB passwords
Do not expose ERPNext directly to the internet
Use reverse proxy + SSL
Backup Docker volumes regularly

Conclusion

This setup follows Frappe’s official Docker recommendations and provides a stable, secure, production-ready ERPNext installation on Debian 13.

Installing Ubuntu 22.04 with Btrfs RAID 1 on Hetzner Dedicated Server (installimage script)

By wahab

On May 4, 2025

In Linux server

Installing Ubuntu 22.04 with Btrfs RAID 1 on Hetzner Dedicated Server (NVMe Disks)

Objective

In this guide, I’ll walk you through installing Ubuntu 22.04 on a Hetzner dedicated server using Btrfs with RAID 1. We’ll be using Hetzner’s installimage tool with two NVMe drives. The initial provisioning will be done with software RAID disabled (SWRAID 0) — allowing Btrfs to manage the redundancy layer itself.

At the end of this process, we’ll have:

A running Ubuntu 22.04 system on Btrfs
Metadata and data converted to RAID1
Dual GRUB installations for boot redundancy
Clean separation of /boot/efi, swap, and Btrfs root.

Step 1: Boot into Rescue System

From the Hetzner Robot or Cloud Console, reboot the server into Rescue Mode and SSH into it.

Before starting the installation, make sure to clean up any existing software RAID and partitions:

mdadm --stop /dev/md/*
wipefs -fa /dev/sd* # for SATA
wipefs -fa /dev/nvme*n1   # for NVMe

Check the disk layout:

lsblk

You should see something like:

root@rescue ~ # lsblk
NAME     MAJ:MIN RM  SIZE RO TYPE MOUNTPOINTS
loop0      7:0    0  3.4G  1 loop
nvme1n1  259:0    0  1.7T  0 disk
nvme0n1  259:1    0  1.7T  0 disk
root@rescue ~ #

Step 2: Prepare a Custom installimage.conf

Create a minimal config to set up EFI, swap, and a single Btrfs volume with one subvolume mounted as root (/):

cat > installimage.conf <<EOF
DRIVE1  /dev/nvme0n1
DRIVE2  /dev/nvme1n1
SWRAID  0
BOOTLOADER grub
PART /boot/efi esp 256M
PART swap swap 32G
PART btrfs.1 btrfs all
SUBVOL btrfs.1 @ /
IMAGE /root/.oldroot/nfs/images/Ubuntu-2204-jammy-amd64-base.tar.gz
HOSTNAME Ubuntu-2204-jammy-amd64-base
EOF

Ensure your SSH public key is available at /tmp/authorized_keys so you can log in post-installation.

Start installation:

installimage -c installimage.conf -K /tmp/authorized_keys

Step 3: Confirm Initial Installation

After installation, validate disk partitioning:

lsblk

You should see:

root@rescue ~ # lsblk
NAME        MAJ:MIN RM  SIZE RO TYPE MOUNTPOINTS
loop0         7:0    0  3.4G  1 loop
nvme0n1     259:0    0  1.7T  0 disk
├─nvme0n1p1 259:2    0  256M  0 part
├─nvme0n1p2 259:4    0   32G  0 part
└─nvme0n1p3 259:6    0  1.7T  0 part
nvme1n1     259:1    0  1.7T  0 disk

Step 4: Clone Partition Table to Second Disk

To mirror partition layout:

sfdisk -d /dev/nvme0n1 | sfdisk --force /dev/nvme1n1

Verify:

lsblk

Now both disks should be identically partitioned.

root@rescue ~ # lsblk
NAME        MAJ:MIN RM  SIZE RO TYPE MOUNTPOINTS
loop0         7:0    0  3.4G  1 loop
nvme0n1     259:0    0  1.7T  0 disk
├─nvme0n1p1 259:2    0  256M  0 part
├─nvme0n1p2 259:4    0   32G  0 part
└─nvme0n1p3 259:6    0  1.7T  0 part
nvme1n1     259:1    0  1.7T  0 disk
├─nvme1n1p1 259:3    0  256M  0 part
├─nvme1n1p2 259:5    0   32G  0 part
└─nvme1n1p3 259:7    0  1.7T  0 part
root@rescue ~ #

Step 5: Add Second Disk to Btrfs

Mount the root Btrfs partition:

mount /dev/nvme0n1p3 /mnt

Add the second disk:

btrfs device add /dev/nvme1n1p3 /mnt
btrfs filesystem balance /mnt

Step 6: Chroot and Install GRUB on Both Drives

Bind system directories and chroot:

for fs in proc sys dev dev/pts; do mount --bind /$fs /mnt/$fs; done
chroot /mnt
mount /boot/efi
mount -t efivarfs none /sys/firmware/efi/efivars

Check UUIDs:

blkid /dev/nvme0n1p3
blkid /dev/nvme1n1p3

Ensure /etc/fstab uses the UUID from the Btrfs volume and points to the @ subvolume.

root@Ubuntu-2204-jammy-amd64-base / # blkid /dev/nvme0n1p3
/dev/nvme0n1p3: UUID="4e6ec869-1ba4-44f8-abb7-91fd693b8a09" UUID_SUB="cf7a33d7-cddd-49d9-b62d-28e3dcef354d" BLOCK_SIZE="4096" TYPE="btrfs" PARTUUID="a2ce8444-85eb -4c81-aa9a-3f2d822d047a"
root@Ubuntu-2204-jammy-amd64-base / # blkid /dev/nvme1n1p3
/dev/nvme1n1p3: UUID="4e6ec869-1ba4-44f8-abb7-91fd693b8a09" UUID_SUB="617abcc7-faf8-43fc-8fc3-224a688433e8" BLOCK_SIZE="4096" TYPE="btrfs" PARTUUID="a2ce8444-85eb -4c81-aa9a-3f2d822d047a"
root@Ubuntu-2204-jammy-amd64-base / # cat /etc/fstab
proc /proc proc defaults 0 0
# efi-boot-partiton
UUID=B416-C1F6 /boot/efi vfat umask=0077 0 1
# /dev/nvme0n1p2
UUID=c86e8a3e-ec66-4190-b585-237568b87c7a none swap sw 0 0
# /dev/nvme0n1p3 belongs to btrfs volume 'btrfs.1'
# /dev/nvme0n1p3
UUID=4e6ec869-1ba4-44f8-abb7-91fd693b8a09 / btrfs defaults,subvol=@ 0 0

Install and update GRUB on both disks:

grub-install --target=x86_64-efi --efi-directory=/boot/efi /dev/nvme0n1
grub-install --target=x86_64-efi --efi-directory=/boot/efi /dev/nvme1n1
update-grub

Step 7: Verify GRUB Configuration

Check that GRUB entries exist:

grep menuentry /boot/grub/grub.cfg

Also confirm that UUIDs in /etc/fstab and GRUB config match the Btrfs UUID.

root@Ubuntu-2204-jammy-amd64-base ~ # cat /boot/grub/grub.cfg | grep menuentry
if [ x"${feature_menuentry_id}" = xy ]; then
  menuentry_id_option="--id"
  menuentry_id_option=""
export menuentry_id_option
menuentry 'Ubuntu' --class ubuntu --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-simple-4e6ec869-1ba4-44f8-abb7-91fd693b8a09' {
submenu 'Advanced options for Ubuntu' $menuentry_id_option 'gnulinux-advanced-4e6ec869-1ba4-44f8-abb7-91fd693b8a09' {
        menuentry 'Ubuntu, with Linux 5.15.0-131-generic' --class ubuntu --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-5.15.0-131-generic-advanced-4e6ec869-1ba4-44f8-abb7-91fd693b8a09' {
        menuentry 'Ubuntu, with Linux 5.15.0-131-generic (recovery mode)' --class ubuntu --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-5.15.0-131-generic-recovery-4e6ec869-1ba4-44f8-abb7-91fd693b8a09' {
menuentry 'UEFI Firmware Settings' $menuentry_id_option 'uefi-firmware' {

root@Ubuntu-2204-jammy-amd64-base ~ # cat /etc/fstab
proc /proc proc defaults 0 0
# efi-boot-partiton
UUID=B416-C1F6 /boot/efi vfat umask=0077 0 1
# /dev/nvme0n1p2
UUID=c86e8a3e-ec66-4190-b585-237568b87c7a none swap sw 0 0
# /dev/nvme0n1p3 belongs to btrfs volume 'btrfs.1'
# /dev/nvme0n1p3
UUID=4e6ec869-1ba4-44f8-abb7-91fd693b8a09 / btrfs defaults,subvol=@ 0 0

Step 8: Reboot and SSH Login

Exit chroot and unmount all binds, then reboot:

exit
reboot

Step 9: Convert Btrfs to RAID 1

Convert data and metadata to RAID 1:

btrfs balance start -dconvert=raid1 -mconvert=raid1 /

After completion:

btrfs filesystem df /
btrfs filesystem show /

You should now see:

Data, RAID1: ...
Metadata, RAID1: ...

root@Ubuntu-2204-jammy-amd64-base ~ #  btrfs filesystem df /
Data, RAID1: total=4.00GiB, used=2.32GiB
System, RAID1: total=32.00MiB, used=16.00KiB
Metadata, RAID1: total=2.00GiB, used=47.39MiB
GlobalReserve, single: total=5.92MiB, used=0.00B
root@Ubuntu-2204-jammy-amd64-base ~ #

✅ Final Verification

The btrfs filesystem usage / command gives an overview of the space utilization:

root@Ubuntu-2204-jammy-amd64-base ~ # btrfs filesystem usage /
Overall:
    Device size:                   3.43TiB
    Device allocated:             12.06GiB
    Device unallocated:            3.42TiB
    Device missing:                  0.00B
    Used:                          4.73GiB
    Free (estimated):              1.71TiB      (min: 1.71TiB)
    Free (statfs, df):             1.71TiB
    Data ratio:                       2.00
    Metadata ratio:                   2.00
    Global reserve:                5.92MiB      (used: 0.00B)
    Multiple profiles:                  no

Data,RAID1: Size:4.00GiB, Used:2.32GiB (57.91%)
   /dev/nvme0n1p3          4.00GiB
   /dev/nvme1n1p3          4.00GiB

Metadata,RAID1: Size:2.00GiB, Used:47.41MiB (2.31%)
   /dev/nvme0n1p3          2.00GiB
   /dev/nvme1n1p3          2.00GiB

System,RAID1: Size:32.00MiB, Used:16.00KiB (0.05%)
   /dev/nvme0n1p3         32.00MiB
   /dev/nvme1n1p3         32.00MiB

Unallocated:
   /dev/nvme0n1p3          1.71TiB
   /dev/nvme1n1p3          1.71TiB

The btrfs device stats / command shows the status of the disks, and thankfully, there are no reported input/output errors at this time:

root@Ubuntu-2204-jammy-amd64-base ~ # btrfs device stats /
[/dev/nvme0n1p3].write_io_errs    0
[/dev/nvme0n1p3].read_io_errs     0
[/dev/nvme0n1p3].flush_io_errs    0
[/dev/nvme0n1p3].corruption_errs  0
[/dev/nvme0n1p3].generation_errs  0
[/dev/nvme1n1p3].write_io_errs    0
[/dev/nvme1n1p3].read_io_errs     0
[/dev/nvme1n1p3].flush_io_errs    0
[/dev/nvme1n1p3].corruption_errs  0
[/dev/nvme1n1p3].generation_errs  0
root@Ubuntu-2204-jammy-amd64-base ~ #

root@Ubuntu-2204-jammy-amd64-base ~ # btrfs subvolume list /
ID 256 gen 147 top level 5 path @
root@Ubuntu-2204-jammy-amd64-base ~ #

Conclusion

You now have a robust Ubuntu 22.04 installation using Btrfs with RAID 1, fully bootable from either NVMe drive, and configured with GRUB on both.

This setup provides:

Redundancy on both bootloader and filesystem layers
Simple expandability for additional Btrfs devices or subvolumes
Clean EFI and swap layout

Deploy WordPress with Docker & SSL - No Headaches!

By wahab

On February 18, 2025

In Devops

Setting up WordPress with SSL can be a real headache. I’ve simplified the process using Docker, making it much easier to deploy a secure and scalable WordPress site. My latest Medium article walks you through the steps, eliminating the usual frustrations. Read the full guide here: Deploy WordPress with Docker & SSL (No Headaches!)

Multiple database server versions on Plesk server using Docker

By wahab

On February 1, 2025

In Plesk

Adding Multiple Database Servers in Plesk Using Docker

By default, you can only install a single version of MySQL/MariaDB on your server. However, if some of your customer require a different MySQL version, you can use docker. Plesk allows you to add multiple database servers using its Docker extension. This is particularly useful when hosting multiple applications requiring different database versions. In this guide, we will walk through installing and configuring a MariaDB 10.11 Docker container, mapping its ports, and adding it to Plesk as an external database server.

Step 1: Prepare the Server

Log into your server via SSH.
Create a directory for the Docker container’s data storage to ensure persistence:
```
mkdir -p /var/docker/mysql/
```

Step 2: Install and Configure Docker in Plesk

Log in to Plesk.
Navigate to Extensions and ensure the Docker extension is installed. If not, install it.
Go to Docker in Plesk.
In the search box, type mariadb and press Enter.

Select the MariaDB image and choose version 10.11.
Click Next.
Configure the container:
- Check Automatic start after system reboot.
- Uncheck Automatic port mapping and manually map:
  - Internal port 3306 to external port 3307.
- Ensure firewall rules allow traffic on ports 3307 and 33070.
- Set Volume mapping:
  - Container: /var/lib/mysql
  - Host: /var/docker/mysql
  - Warning: Not mapping this can result in data loss when the container is recreated.
- Add an environment variable MYSQL_ROOT_PASSWORD and specify a secure root password.
- Click Run to start the container.

Step 3: Add the MySQL Docker Container as an External Database in Plesk

Once the container is running, we need to add it to Plesk as an external database server:

Log in to Plesk.
Navigate to Tools & Settings > Database Servers (under Applications & Databases).
Click Add Database Server.
Configure the database server:
- Database server type: Select MariaDB.
- Hostname or IP Address: Use 127.0.0.1.
- Port: Enter 3307 (as mapped earlier).
- Set as Default (Optional): Check Use this server as default for MySQL if you want clients to use this server by default.
- Credentials: Enter the root user and password specified during container setup.
- Click OK to save the configuration.

Step 4: Using the New Database Server

Now that the new database server is added, clients can choose it when creating a new database in Plesk:

Go to Databases in Plesk.
Click Add Database.
Under Database server, select the newly added MariaDB 10.11 instance.

This setup allows clients to choose different database servers for their applications while ensuring database persistence and security.

Conclusion

By leveraging Docker, you can efficiently manage multiple database versions on a Plesk server. This method ensures better isolation, easier upgrades, and avoids conflicts between database versions, providing a flexible and robust hosting environment.

How to install a SSL certificate

By wahab

On January 19, 2025

In Cpanel and WHM, Linux server, SSL

Steps to Install an SSL Certificate

Introduction to SSL Certificates

An SSL (Secure Sockets Layer) certificate is a crucial security feature for websites, ensuring encrypted communication between the browser and the server. SSL protects sensitive information like passwords, payment details, and personal data from being intercepted. Additionally, it boosts user trust by displaying a padlock icon in the browser and improves search engine rankings as search engines prioritize HTTPS-enabled websites.

Installing an SSL certificate is essential to secure your website and provide a safe experience for your users. Below are the high-level steps for installing an SSL certificate on your server.

Steps to Install an SSL Certificate

Step 1: Generate a Certificate Signing Request (CSR)

To get an SSL certificate, you first need to generate a Certificate Signing Request (CSR), which includes your website’s details:

Generate a Private Key:
Use a tool like OpenSSL to create a private key:
```
openssl genrsa -out private.key 2048
```
Store the private key securely, as it is required during SSL installation.
Important: Never share the private key.
Generate the CSR:
Use the private key to generate a CSR:
```
openssl req -new -key private.key -out csr.pem
```
Provide the requested details, including:
- Common Name (the domain name to be secured)
- Organization Name (for business validation)
- Country, State, and City

Step 2: Purchase or Obtain an SSL Certificate

Choose a Certificate Authority (CA) or hosting provider for your SSL certificate.
Submit the CSR to the CA for verification.
Validate your domain ownership through one of the following methods:
- Email Validation: Respond to an email sent to your domain’s administrative address.
- DNS Validation: Add a specific DNS record to your domain.
- HTTP Validation: Upload a verification file to your website.
For Extended Validation (EV) or Organization Validation (OV) certificates, additional steps like verifying your business details with the CA may be required.
Once validated, download the issued SSL certificate and intermediate certificate bundle (CA bundle).

Step 3: Install the SSL Certificate on the Server

If Using a Control Panel:
Log in to the hosting control panel (e.g., cPanel, Plesk).
Navigate to the SSL/TLS or security settings.
Upload the SSL certificate, CA bundle, and private key.
Follow the instructions to install the certificate.
If No Control Panel:
Log in to the server via SSH.
Configure the web server (e.g., Apache, Nginx) to include the certificate details:
- SSL certificate file (.crt or .pem)
- Private key file
- Intermediate certificate file (CA bundle)
Restart the web server to apply the changes.

Step 4: Test the SSL Installation

Use online tools like SSL Labs SSL Test to verify your SSL setup.
Confirm that the certificate is valid and properly installed.
Ensure no SSL errors or warnings are displayed.

Step 5: Update Website Links

Update all internal links and references from http:// to https:// to avoid mixed content errors. Update your CMS settings (e.g., WordPress URL settings) to use HTTPS.

Step 6: Set Up HTTPS Redirects

Redirect all HTTP traffic to HTTPS by default to ensure all users access the secure version of your site.

Step 7: Monitor and Renew the SSL Certificate

Keep track of the certificate’s expiration date and renew it on time.
For free SSL certificates like Let’s Encrypt, automate the renewal process using tools like Certbot.
Periodically test your website’s SSL configuration for potential issues or updates.

How to Migrate a WordPress Site from One Host to Another: A Step-by-Step Guide

By wahab

On January 19, 2025

In Linux server, WordPress

WordPress is one of the most popular content management systems (CMS) in the world, powering over 40% of websites globally. Its flexibility, ease of use, and vast ecosystem of plugins and themes make it a favorite among bloggers, businesses, and developers alike.

At its core, WordPress has a simple structure:

Files: These include the WordPress core, themes, plugins, and the wp-content folder where your media files are stored.
Database: This stores all the critical information such as posts, pages, user data, and site configurations.

When migrating a WordPress site, it is essential to back up both the files and the database, as they work together to run your WordPress site seamlessly. Missing either part can cause errors or data loss. In this guide, we’ll walk you through the high-level steps of migrating your WordPress site to a new hosting provider.

Step 1: Backup Your Website Files

Backing up your WordPress files ensures that your themes, plugins, and media are safe. You can do this using the following methods:

Using an FTP Client:
Connect to your existing hosting account using an FTP client like FileZilla. Download all the WordPress files, especially the wp-content folder, which contains your themes, plugins, and uploads.
Using SCP for Secure Transfers:
If you have SSH access, use the scp command to securely copy files from your server to your local machine or another server:
```
scp -r username@oldhost:/path/to/wordpress /path/to/local/backup
```
Using File manager provided by the Hosting control panel:
If your webhost provider/control panel provides a file manager, you would be able to compress the files and download the zip .

Step 2: Export the WordPress Database

The database is the heart of your WordPress site, storing all the content and settings. It’s crucial to back it up properly:

Using phpMyAdmin:
Log in to your hosting control panel and open phpMyAdmin. Select your WordPress database, click the “Export” tab, and download it as a .sql file.
Using mysqldump via SSH:
If you have SSH access, create a backup of your database using the mysqldump command:
```
mysqldump -u username -p database_name > backup.sql
```

Step 3: Set Up the New Hosting Environment

Before importing the database, create a new database and user on the new hosting account:

Log in to your new hosting control panel or use SSH to access the server.
Create a new database and database user, assigning the necessary privileges.
Take note of the database name, username, and password for the next steps.

Step 4: Upload Website Files to the New Host

Use an FTP client, SCP, or File Manager to upload your WordPress files to the new hosting environment. Double-check that all files, particularly those in the wp-content folder, are uploaded correctly.

Step 5: Import the WordPress Database

Using phpMyAdmin:
Open phpMyAdmin on the new host, select the newly created database, and import the .sql file you exported earlier.
Using mysql via SSH:
If you have SSH access, import the database using the following command:
```
mysql -u username -p database_name < backup.sql
```

Step 6: Update the `wp-config.php` File

Open the wp-config.php file in the root directory of your WordPress site on the new host. Update the database details to match the new database:


define('DB_NAME', 'your_new_database_name');
define('DB_USER', 'your_new_database_user');
define('DB_PASSWORD', 'your_new_database_password');
define('DB_HOST', 'localhost'); // Or the database host provided by your new host

Step 7: Test the Website

Update your local hosts file or use a temporary URL provided by your new host to test the site. Verify that all pages, posts, media, plugins, and themes are working correctly.

Step 8: Update DNS Records

Log in to your domain registrar and update the DNS settings to point to your new hosting server.
Typically, you will update the A record (IP address) or nameservers.
Allow up to 48 hours for DNS propagation.

Step 9: Monitor the Website Post-Migration

After the DNS propagation, thoroughly test your website again to ensure everything is functioning as expected.
Monitor for broken links, missing media, or issues with plugins or themes.

Bonus Tips for a Smooth Migration

Use plugins like All-in-One WP Migration or UpdraftPlus if you're not comfortable with manual methods.
Always check for PHP and MySQL compatibility between the old and new hosts.
Keep backups until you're certain the migration is successful.

By following these steps, you can confidently migrate your WordPress site to a new hosting provider. With proper planning and attention to detail, the transition can be smooth and hassle-free.

Protecting Critical Packages in YUM to Prevent Unintended Removal

By wahab

On December 16, 2024

In Cpanel and WHM, Linux server

Managing RPM-based systems with tools like YUM (Yellowdog Updater Modified) is an integral part of provisioning and maintaining Linux servers. While YUM simplifies the process of managing package dependencies, it can sometimes lead to unintended consequences, especially when developers remove a package that has critical dependencies. In this blog, we’ll explore a common use case and demonstrate how to safeguard important packages using YUM’s package protection features.

The Problem: Accidental Removal of Critical Packages
Let’s consider a scenario:
You have a custom package called dep-web that automates server provisioning by installing essential components like httpd, mod_ssl, and ingest, along with scripts and cron jobs critical to your environment. When a developer installs dep-web, everything works seamlessly. However, issues arise when they attempt to test a specific version of ingest.

A typical action might be:

yum remove ingest
This operation not only removes ingest but also uninstalls dep-web, since dep-web depends on ingest. Consequently, all the additional configurations, scripts, and cron jobs set up by dep-web are also removed. Even if the developer reinstalls ingest, dep-web and its functionality are not restored, leading to potential operational disruptions.

Developers may not always notice these cascading effects, causing long-term inconsistencies and errors in the environment. Clearly, there is a need to prevent the accidental removal of critical packages like dep-web.

The Solution: Protecting Packages in YUM
YUM includes functionality to prevent the removal of certain packages using the /etc/yum/protected.d directory and the yum-plugin-protect-packages. By default, YUM protects itself and its dependencies (e.g., rpm, python, glibc) from being uninstalled. However, administrators can extend this protection to other packages.

Steps to Protect Critical Packages
Install the YUM Plugin
Ensure the yum-plugin-protect-packages is installed on your system:

yum install yum-plugin-protect-packages
Create a Configuration File
Add your critical package to the protected list by creating a .conf file under /etc/yum/protected.d/. For example, to protect the dep-web package:

vi /etc/yum/protected.d/dep-web.conf
Add the following content:

dep-web
Save and close the file.

Verify the Protection
Attempt to remove the protected package to test the configuration:

yum remove dep-web
YUM will block the operation and display an error message, ensuring the package remains intact:

Error: Trying to remove "dep-web", which is protected
Add Additional Packages (Optional)
If there are other critical packages that need protection, create or edit their respective .conf files under the same directory.

Benefits of Package Protection
By implementing package protection, you can:

Prevent the accidental removal of critical packages and their dependencies.
Ensure that operational scripts, configurations, and cron jobs tied to these packages are preserved.
Enhance the reliability of your environment, especially in shared development and production systems.

Conclusion
Managing dependencies with YUM requires careful oversight, particularly in environments where multiple developers and administrators interact with the system. Protecting critical packages using YUM’s protected.d directory and plugins like yum-plugin-protect-packages provides a robust safeguard against unintended package removal.

In the example of dep-web, protecting the package ensures that its functionality, including the custom scripts and cron jobs, remains intact. This small configuration step can save countless hours of troubleshooting and recovery in large-scale deployments.

Proactively implementing such measures demonstrates a commitment to best practices in system administration, reducing downtime and fostering a more stable infrastructure.

Automating Email Cleanup with doveadm expunge

By wahab

On November 16, 2024

In Cpanel and WHM, iRedmail Mailserver, Linux server, Plesk, Postfix

Managing email storage is a crucial part of maintaining efficient mail servers, especially for administrators using Dovecot. Over time, mailboxes can accumulate a massive number of emails, leading to performance issues and potential storage costs. One effective way to manage this is by automatically deleting emails older than a specific period. In this blog, we’ll discuss how to use doveadm expunge to delete old emails.

Understanding the Basics
Dovecot’s doveadm expunge command is a powerful utility for deleting emails based on specified criteria. Here’s a quick overview of the command syntax:

doveadm expunge -u mailbox '' -u: Specifies the user mailbox. mailbox '': Specifies the folder, such as INBOX, INBOX.Spam, etc. : Defines the filter for emails to be deleted, e.g., before 1w (one week) or before 2w (two weeks).

Use Cases
1. List Existing Mailboxes
Before deleting emails, identify the folders within a specific mailbox. Use the following command:

doveadm mailbox list -u user@example.com
Sample output:

INBOX INBOX.Spam INBOX.Drafts INBOX.Trash INBOX.Sent
2. Delete Emails Older Than 2 Weeks in All Folders
To remove all emails older than two weeks in all folders for a specific mailbox:

doveadm expunge -u user@example.com mailbox '*' before 2w
3. Exclude INBOX Folder While Deleting
If you want to delete old emails from all folders except INBOX, use:

doveadm expunge -u user@example.com mailbox INBOX.'*' before 2w
4. Delete All Emails in a Mailbox
To delete all emails from all folders within a specific mailbox:

doveadm expunge -u user@example.com mailbox '*' all
Bulk Removal of Old Emails
When managing multiple accounts, you may need to automate the process for all mailboxes on a server. Here’s how to approach this on Plesk and cPanel.

Step 1: Generate a List of Mailboxes
For Plesk:
Run the following command to get a list of all active mailboxes:

plesk db -Ne "select concat(m.mail_name,'@',d.name) as mailbox, m.postbox from domains d, mail m, accounts a where m.dom_id=d.id and m.account_id=a.id and m.postbox='true'" | awk '{print $1}' >mbox.txt
For cPanel:
Generate a list of all mailboxes with:

for i in $(awk '{print $2}' /etc/trueuserdomains); do uapi --user=$i Email list_pops | egrep "\s+email:" ; done | awk '{print $2}' >mbox.txt
Step 2: Automate Deletion with a Script
Create a shell script (mailbox-doveadm-expunge.sh) to process the mailboxes:

#!/bin/bash
# Script to delete emails older than 2 weeks from all mailboxes

MAILBOX_FILE="mbox.txt"

if [ ! -f "$MAILBOX_FILE" ]; then
    echo "Mailbox list file $MAILBOX_FILE not found!"
    exit 1
fi

for mailbox in $(cat $MAILBOX_FILE); do
    echo "Processing mailbox: $mailbox"
    doveadm expunge -u $mailbox mailbox 'INBOX' before 2w
    doveadm expunge -u $mailbox mailbox 'INBOX.*' before 2w
    doveadm expunge -u $mailbox mailbox 'Sent' before 2w
    doveadm expunge -u $mailbox mailbox 'Trash' before 2w
    doveadm expunge -u $mailbox mailbox 'Drafts' before 2w
    doveadm expunge -u $mailbox mailbox 'Spam' before 2w
done

Save the script and ensure it has executable permissions:

chmod +x mailbox-doveadm-expunge.sh
Run the script:

./mailbox-doveadm-expunge.sh

Best Practices
1. Backup Emails: Before performing a mass deletion, create a backup of your mail directories.
2. Test on a Single Mailbox: Verify your deletion criteria by testing on a single mailbox before applying changes in bulk.
3. Monitor Logs: After running doveadm expunge, check Dovecot logs for errors or warnings.

Conclusion
Using doveadm expunge simplifies email management and helps prevent mail server overload by automatically removing old emails. Whether you’re working with individual accounts or hundreds of mailboxes, this approach can save significant time and effort. Integrate this cleanup process into your routine server maintenance to keep your mail system optimized.

Configuring Multiple IP Addresses with Netplan on Ubuntu 24.04

By wahab

On August 23, 2024

In Cloud, Linux server

Managing Network Configurations in Ubuntu with Netplan

Netplan has simplified network configuration management in Ubuntu. This tutorial will guide you through setting up multiple IP addresses on a single network interface using Netplan.

Prerequisites

An Ubuntu 24.04 system with Netplan installed (default in Ubuntu installations).
Administrative (root) privileges or sudo access.
A network interface name (e.g., ens192).

Step-by-Step Configuration

1. Edit the Netplan Configuration File

Create or modify a Netplan configuration file, typically located in `/etc/netplan/`. Here, we’ll use `00-Public_network.yaml`.

Run:


  sudo nano /etc/netplan/00-Public_network.yaml

Add the following configuration:


  network:
    version: 2
    renderer: networkd
    ethernets:
      ens192:
        addresses:
          - 77.68.48.229/32
          - 77.68.13.96/32
          - 77.68.115.25/32
        nameservers:
          addresses: [212.227.123.16, 212.227.123.17]
        routes:
          - to: default
            via: 10.255.255.1
            on-link: true

2. Apply the Configuration

After saving the file, apply the changes using the following command:


  sudo netplan --debug apply

The `–debug` flag provides detailed logs for troubleshooting.

3. Verify the Configuration

Check the IP addresses and routing table to ensure the configuration is applied correctly.

Verify IP addresses:


  ip a

Expected output:


  inet 77.68.48.229/32 scope global ens192
  inet 77.68.13.96/32 scope global ens192
  inet 77.68.115.25/32 scope global ens192

Verify routing table:


  ip route show

Expected output:


  default via 10.255.255.1 dev ens192 proto static onlink

Understanding Key Network Configuration Components

Nameservers

These are DNS (Domain Name System) servers responsible for translating domain names (e.g., example.com) into IP addresses.

In the configuration:


  nameservers:
    addresses: [212.227.123.16, 212.227.123.17]

These are the DNS servers provided by your hosting provider.

If the provider does not specify DNS servers, you can use public options such as:

Google: 8.8.8.8, 8.8.4.4
Cloudflare: 1.1.1.1, 1.0.0.1
OpenDNS: 208.67.222.222, 208.67.220.220

Default Gateway

The default gateway routes traffic from your system to other networks, such as the internet.

In the configuration:


  routes:
    - to: default
      via: 10.255.255.1
      on-link: true

`via 10.255.255.1`: The gateway IP provided by the server/hosting provider.

`on-link: true`: Indicates the gateway is directly reachable on the local link.

Always use the gateway provided by your hosting provider.

Troubleshooting

If changes are not applied, check the configuration syntax:


  sudo netplan generate

Look for error messages in `/var/log/syslog` for additional details.

Conclusion

Using Netplan, you can easily assign multiple IP addresses to a single network interface in Ubuntu 24.04. This setup is ideal for scenarios like hosting multiple websites or services requiring distinct public IPs. Ensure you use the nameservers and default gateway provided by your hosting provider for proper network connectivity. Public DNS servers can be used as an alternative if needed.

How to verify if a public and private SSH key match?

By wahab

On June 24, 2024

In Linux server

SSH (Secure Shell) relies on public-key cryptography for secure logins. But how can you be sure your public and private key pair are actually linked? This blog post will guide you through a simple method to verify their authenticity in Linux and macOS.

Understanding the Key Pair:

Imagine a lock and key. Your public key acts like the widely distributed lock – anyone can see it. The private key is the unique counterpart, kept secret, that unlocks the metaphorical door (your server) for SSH access.

Using ssh-keygen

This method leverages the ssh-keygen tool, already available on most Linux and macOS systems.

1. Locate the keys :Open a terminal and use cd to navigate to the directory where your private key resides (e.g., cd ~/.ssh).
2. Use the command ‘ls -al’ to list all files in the directory, and locate your private/public keypair you wish to check.

Example:

ababwaha@ababwaha-mac .ssh % ls -al
total 32
drwx------   6 ababwaha  staff   192 Jun 24 16:04 .
drwxr-x---+ 68 ababwaha  staff  2176 Jun 24 16:04 ..
-rw-------   1 ababwaha  staff   411 Jun 24 16:04 id_ed25519 
-rw-r--r--   1 ababwaha  staff   103 Jun 24 16:04 id_ed25519.pub    
-rw-------   1 ababwaha  staff  3389 Jun 24 16:04 id_rsa            
-rw-r--r--   1 ababwaha  staff   747 Jun 24 16:04 id_rsa.pub

3. Verify the Key Pair: Run the following command, replacing with the actual path to your private key file (e.g., ssh-keygen -lf ~/.ssh/id_rsa):

ssh-keygen -lf ssh-keygen -lf

This command displays fingerprint information about your key pair.

ababwaha@ababwaha-mac .ssh % ssh-keygen -l -f id_rsa
4096 SHA256:7qXL09ejiSkrKs8HfhEo8EXkUVFOsoPfv52QY/l/kzg ababwaha@ababwaha-mac (RSA)
ababwaha@ababwaha-mac .ssh % ssh-keygen -l -f id_rsa.pub 
4096 SHA256:7qXL09ejiSkrKs8HfhEo8EXkUVFOsoPfv52QY/l/kzg ababwaha@ababwaha-mac (RSA)
ababwaha@ababwaha-mac .ssh % 
ababwaha@ababwaha-mac .ssh % 
ababwaha@ababwaha-mac .ssh % 
ababwaha@ababwaha-mac .ssh % ssh-keygen -l -f id_ed25519
256 SHA256:4pWu5rdA1IvbbjD7/k4/k/7A4X6kft28MpKL1HMqmgQ ababwaha@ababwaha-mac (ED25519)
ababwaha@ababwaha-mac .ssh % ssh-keygen -l -f id_ed25519.pub 
256 SHA256:4pWu5rdA1IvbbjD7/k4/k/7A4X6kft28MpKL1HMqmgQ ababwaha@ababwaha-mac (ED25519)
ababwaha@ababwaha-mac .ssh %

4. Match the Fingerprints: Compare the fingerprint displayed by ssh-keygen with the beginning of the text in your public key file. If they match, congratulations! Your public and private keys are a verified pair.

Remember:

Security: Always keep your private key secure. Avoid storing it on publicly accessible locations.

Permissions: Ensure your private key file has appropriate permissions (usually 600) to prevent unauthorized access.

By following this method, you can easily verify the authenticity of your public and private SSH key pair, ensuring a secure connection to your server.

Author: wahab Page 1 of 7

Installing ERPNext v15 on Debian 13 Using Docker (Production Guide)

The setup is suitable for:

Architecture Overview (Important to understand first)

Why Docker MariaDB instead of MariaDB installed on the host?

ERPNext Docker Architecture (Interactive)

Step 0 – Install Docker & Docker Compose (run as root)

Step 1 – Add user to docker group (run as root)

Step 2 – Install Git (run as root)

Switch to non-root user

Step 3 – Clone Frappe Docker repository (non-root)

Step 4 – Create .env file

Step 5 – Fix MariaDB version (important)

Step 6 – Start ERPNext stack

Step 7 – Verify containers

Step 8 – Create ERPNext site

Step 9 – Enable scheduler

Step 10 – Access ERPNext

Step 11 – Reverse proxy & SSL Examples

Apache

Nginx

Step 12 – If no web server exists

Option A – Traefik

Option B – Caddy

Step 13 – Data persistence & backups

Persistent Docker volumes

Recommended backup method (ERPNext-aware)

Optional: Volume-level backups (infrastructure safety)

Common Issues & Fixes

Best Practices

Conclusion

Installing Ubuntu 22.04 with Btrfs RAID 1 on Hetzner Dedicated Server (NVMe Disks)

Objective

Step 1: Boot into Rescue System

Step 2: Prepare a Custom installimage.conf

Step 3: Confirm Initial Installation

Step 4: Clone Partition Table to Second Disk

Step 5: Add Second Disk to Btrfs

Step 6: Chroot and Install GRUB on Both Drives

Step 7: Verify GRUB Configuration

Step 8: Reboot and SSH Login

Step 9: Convert Btrfs to RAID 1

✅ Final Verification

Conclusion

Adding Multiple Database Servers in Plesk Using Docker

Step 1: Prepare the Server

Step 2: Install and Configure Docker in Plesk

Step 3: Add the MySQL Docker Container as an External Database in Plesk

Step 4: Using the New Database Server

Conclusion

Introduction to SSL Certificates

Steps to Install an SSL Certificate

Step 1: Generate a Certificate Signing Request (CSR)

Step 2: Purchase or Obtain an SSL Certificate

Step 3: Install the SSL Certificate on the Server

Step 4: Test the SSL Installation

Step 5: Update Website Links

Step 6: Set Up HTTPS Redirects

Step 7: Monitor and Renew the SSL Certificate

Step 1: Backup Your Website Files

Step 2: Export the WordPress Database

Step 3: Set Up the New Hosting Environment

Step 4: Upload Website Files to the New Host

Step 5: Import the WordPress Database

Step 6: Update the wp-config.php File

Step 7: Test the Website

Step 8: Update DNS Records

Step 9: Monitor the Website Post-Migration

Bonus Tips for a Smooth Migration

Managing Network Configurations in Ubuntu with Netplan

Prerequisites

Step-by-Step Configuration

1. Edit the Netplan Configuration File

2. Apply the Configuration

3. Verify the Configuration

Understanding Key Network Configuration Components

Nameservers

Default Gateway

Troubleshooting

Conclusion

Step 6: Update the `wp-config.php` File