Difference between revisions of "Rocky Linux Installation previously CentOS"
m |
m |
||
(7 intermediate revisions by the same user not shown) | |||
Line 32: | Line 32: | ||
</syntaxhighlight> | </syntaxhighlight> | ||
*Webmin Old (now there's a repository available): Install Webmin RPM via Yum (it will also install dependencies automatically) | *Webmin Old (now there's a repository available): Install Webmin RPM via Yum (it will also install dependencies automatically); | ||
**curl -o setup-repos.sh <nowiki>https://raw.githubusercontent.com/webmin/webmin/master/setup-repos.sh</nowiki> | |||
**sh setup-repos.sh | |||
==Rocky Linux 9 (New Stuff)== | ==Rocky Linux 9 (New Stuff)== | ||
Line 40: | Line 42: | ||
*For BIOS Boot: grub2-mkconfig -o /boot/grub2/grub.cfg | *For BIOS Boot: grub2-mkconfig -o /boot/grub2/grub.cfg | ||
*If grub-mkconfig is "not found": notice the subtle difference above: grub2-mkconfig (not grub(WITHOUT THE NUMBER 2)-mkconfig) | *If grub-mkconfig is "not found": notice the subtle difference above: grub2-mkconfig (not grub(WITHOUT THE NUMBER 2)-mkconfig) | ||
...but that's not enough these days. You'll also need to use the GRUBBY command to modify the Kernel Parameters? Yup, the same Kernel Parameters that can be modified in /etc/default/grub and are reflected in /boot/grub2/grub.cfg (but apparently don't do a damn thing as far a Kernel Parameters) are instead modified in the following way (this is similar to turning on a light switch and also being required to clap to have a light come on); | |||
*grubby --info=ALL<span> </span>: Shows current settings, from https://forums.rockylinux.org/t/how-do-you-view-grub-command-line-options/11625 | |||
*Generally speaking, here's the syntax: grubby --update-kernel=ALL --args="new_option" OR grubby --update-kernel=ALL --remove-args="option_to_remove" | |||
*To disable IPv6: grubby --update-kernel=X --args="ipv6.disable=1" | |||
*To have useful "DMESG" information while booting instead of an Appled Up boring screen; | |||
**grubby --update-kernel=ALL --remove-args="rhgb" | |||
**grubby --update-kernel=ALL --remove-args="quiet" | |||
'''Firewall''': If using something like Shorewall, get rid of FirewallD: yum remove firewalld* --noautoremove | '''Firewall''': If using something like Shorewall, get rid of FirewallD: yum remove firewalld* --noautoremove | ||
Line 45: | Line 56: | ||
* | * | ||
'''Cockpit AddOns;''' | '''Cockpit and AddOns;''' | ||
*...make sure it is enabled and started (not so by default) | |||
*/etc/cockpit/disallowed-users (get rid of it to enable ROOT User) | |||
*From: https://github.com/45Drives/cockpit-file-sharing | *From: https://github.com/45Drives/cockpit-file-sharing | ||
**Don't use this one (too much of a hastle): Samba PlugIn: dnf install <nowiki>https://github.com/45Drives/cockpit-file-sharing/releases/download/v3.2.9/cockpit-file-sharing-3.2.9-2.el8.noarch.rpm</nowiki> | **Don't use this one (too much of a hastle): Samba PlugIn: dnf install <nowiki>https://github.com/45Drives/cockpit-file-sharing/releases/download/v3.2.9/cockpit-file-sharing-3.2.9-2.el8.noarch.rpm</nowiki> | ||
Line 77: | Line 90: | ||
<nowiki>*</nowiki> DNF = "Next Generation" of YUM | <nowiki>*</nowiki> DNF = "Next Generation" of YUM | ||
Gnome Initial GUI / Desktop Setup | Gnome Initial GUI / Desktop Setup; | ||
...there are so many suggested solutions that don't work when one wants a single user (root) | ...there are so many suggested solutions that don't work when one wants a single user (root) | ||
Line 84: | Line 97: | ||
*https://askubuntu.com/questions/1028822/disable-the-new-ubuntu-18-04-welcome-screen/1030095#1030095 | *https://askubuntu.com/questions/1028822/disable-the-new-ubuntu-18-04-welcome-screen/1030095#1030095 | ||
*The best one that works every time is this: yum remove gnome-initial-setup (can't run if it "don't" exist!) | *The best one that works every time is this: yum remove gnome-initial-setup (can't run if it "don't" exist!) | ||
*Disable Lock Screen; | |||
**Settings, Privacy, Screen Lock | |||
===Networking=== | ===Networking=== | ||
Line 102: | Line 117: | ||
**lshw -class network (notice the logical name) | **lshw -class network (notice the logical name) | ||
**...and for detailed information on as specific adapter: ethtool WhatEverLogicalNameOfAdapter | **...and for detailed information on as specific adapter: ethtool WhatEverLogicalNameOfAdapter | ||
*Webmin is a bit wonky with NetworkManager. | |||
*Stop the "...renamed from eth0" 'consistent naming' 'capability' (from: https://www.itzgeek.com/how-tos/linux/centos-how-tos/how-to-change-network-interface-name-to-eth0-on-centos-8-rhel-8.html) | |||
** | |||
'''NetworkManager (if it is necessary to use it);''' | '''NetworkManager (if it is necessary to use it);''' | ||
Line 125: | Line 143: | ||
**<code>ifconfig WhatEverName down</code> | **<code>ifconfig WhatEverName down</code> | ||
**<code>ip link set enp2s0 name eth0</code> | **<code>ip link set enp2s0 name eth0</code> | ||
***<code>...then in /etc/default/grub: GRUB_CMDLINE_LINUX="net.ifnames=0"</code> | |||
***<code>...then: grub2-mkconfig /boot/grub2/grug.cfg</code> | |||
***<code>...then make sure the Hardware Address is defined in ifcfg-ethX: HWADDR=WhatEverMACAddress</code> | |||
**<code>mv /etc/sysconfig/network-scripts/ifcfg-enp2s0 /etc/sysconfig/network-scripts/ifcfg-eth0/</code> | **<code>mv /etc/sysconfig/network-scripts/ifcfg-enp2s0 /etc/sysconfig/network-scripts/ifcfg-eth0/</code> | ||
**<code>nano /etc/sysconfig/network-scripts/ifcfg-eth0: DEVICE=eth0 (NAME Directive too if present)</code> | **<code>nano /etc/sysconfig/network-scripts/ifcfg-eth0: DEVICE=eth0 (NAME Directive too if present)</code> | ||
Line 154: | Line 175: | ||
...and watch out for this annoying error from PING every time it is used: Address family not supported by protocol | ...and watch out for this annoying error from PING every time it is used: Address family not supported by protocol | ||
'''Update Check: Disabling''' | |||
There's a bunch of different things to do with a lot of 'it depends', so impossible to cover everything, sadly, look it up and resign one's self to doing a bunch of different things. | |||
===Boot Time=== | ===Boot Time=== | ||
Line 205: | Line 230: | ||
...and in the end test with the plain MOUNT command to find none of it works. So reboot. | ...and in the end test with the plain MOUNT command to find none of it works. So reboot. | ||
==Obnoxious Issues== | |||
===Error: Environment block too small ( in regards to grubenv )=== | |||
Source: https://www.linuxsysadmins.com/grub2-editenv-block-too-small/ | |||
==Other Notes== | ==Other Notes== | ||
After GUI installation, get it to boot to command line: <nowiki>http://www.itzgeek.com/how-tos/linux/centos-how-tos/change-default-runlevel-in-centos-7-rhel-7.html#axzz3PuGwJi3X</nowiki> | After GUI installation, get it to boot to command line: <nowiki>http://www.itzgeek.com/how-tos/linux/centos-how-tos/change-default-runlevel-in-centos-7-rhel-7.html#axzz3PuGwJi3X</nowiki> | ||
Lock | |||
*For Command Line instead of GUI interface: systemctl set-default multi-user.target | *For Command Line instead of GUI interface: systemctl set-default multi-user.target | ||
Line 395: | Line 427: | ||
MailWatch and MailScanner note; Version 5 for MailScanner changes some stuff including directory files, see the ReadMe in the installation source folder. | MailWatch and MailScanner note; Version 5 for MailScanner changes some stuff including directory files, see the ReadMe in the installation source folder. | ||
...path issue on Rocky Linux: MailWatchConf.pm and other files here: /usr/share/MailScanner/perl/custom | |||
Latest revision as of 16:29, 4 February 2024
General Notes (applies to various version of CentOS and Rocky Linux, but modified as it applies to Rocky Linux 8 and above)
- Hyper-V: Do not use virtual RAM when booting from CD / DVD, it will cause a Kernel Panic
Bash Prompt (something actually useful);
- For Existing Users, Current Session, at command prompt: PS1="\h} \w: "
- To make permanent and for New Users edit this File: /etc/bashrc: [ "$PS1" = "\\s-\\v\\\$ " ] && PS1="\h} \w: "
Disable SELINUX:/etc/selinux/config, set SELINUX to disabled;
- sestatus to check status AND check /boot/efi/EFI/centos/grub, edit /etc/default/grub,
look for line that starts with "linux..." and ends with a UTF setting, add selinux=0 to the end of the line.
- Alternatively or if Issues Occur: When disabling SELINUX, reboot, make boot selection (do NOT press enter), press e, edit grub file, look for line near end that usually starts of with "linux..." and ends with a UTF setting, add selinux=0 to the end of the line. (Thanks to: https://www.virtualramblings.com/failed-to-load-selinux-policy-freezing/)
- See Below in Rocky Linux 9 Section:
Show useful information when booting (it is Linux afterall): edit line in /boot/efi/EFI/centos/grub.cfg that usually starts of with "linux..." and ends with a UTF setting, remove rhel and quiet switches.
Boot to a command prompt instead of GUI;
- systemctl set-default multi-user.target (Thanks to: https://www.itzgeek.com/how-tos/linux/centos-how-tos/change-default-runlevel-in-centos-7-rhel-7.html#axzz3PuGwJi3X)
- startx will activate GUI
- Disable firewall (if behind a hardware firewall, etc.): systemctl stop firewalld.service, systemctl disable firewalld.service
- Webmin New: Make a repo in /etc/yum.repos.d/webmin.repo (from https://www.webmin.com/rpm.html)
[Webmin]
name=Webmin Distribution Neutral
#baseurl=https://download.webmin.com/download/yum
mirrorlist=https://download.webmin.com/download/yum/mirrorlist
enabled=1
gpgkey=https://download.webmin.com/jcameron-key.asc
gpgcheck=1
- Webmin Old (now there's a repository available): Install Webmin RPM via Yum (it will also install dependencies automatically);
- curl -o setup-repos.sh https://raw.githubusercontent.com/webmin/webmin/master/setup-repos.sh
- sh setup-repos.sh
Rocky Linux 9 (New Stuff)
For Showing Useful Information While Booting, edit the /etc/default/grub File (get rid of quiet rhel Directives) and then use this command(s) (equivalent to what BootICE does for the Windows BCD File);
- For UEFI / EFI Boot: grub2-mkconfig -o /boot/efi/EFI/rocky/grub.cfg or
- For BIOS Boot: grub2-mkconfig -o /boot/grub2/grub.cfg
- If grub-mkconfig is "not found": notice the subtle difference above: grub2-mkconfig (not grub(WITHOUT THE NUMBER 2)-mkconfig)
...but that's not enough these days. You'll also need to use the GRUBBY command to modify the Kernel Parameters? Yup, the same Kernel Parameters that can be modified in /etc/default/grub and are reflected in /boot/grub2/grub.cfg (but apparently don't do a damn thing as far a Kernel Parameters) are instead modified in the following way (this is similar to turning on a light switch and also being required to clap to have a light come on);
- grubby --info=ALL : Shows current settings, from https://forums.rockylinux.org/t/how-do-you-view-grub-command-line-options/11625
- Generally speaking, here's the syntax: grubby --update-kernel=ALL --args="new_option" OR grubby --update-kernel=ALL --remove-args="option_to_remove"
- To disable IPv6: grubby --update-kernel=X --args="ipv6.disable=1"
- To have useful "DMESG" information while booting instead of an Appled Up boring screen;
- grubby --update-kernel=ALL --remove-args="rhgb"
- grubby --update-kernel=ALL --remove-args="quiet"
Firewall: If using something like Shorewall, get rid of FirewallD: yum remove firewalld* --noautoremove
Cockpit and AddOns;
- ...make sure it is enabled and started (not so by default)
- /etc/cockpit/disallowed-users (get rid of it to enable ROOT User)
- From: https://github.com/45Drives/cockpit-file-sharing
- Don't use this one (too much of a hastle): Samba PlugIn: dnf install https://github.com/45Drives/cockpit-file-sharing/releases/download/v3.2.9/cockpit-file-sharing-3.2.9-2.el8.noarch.rpm
- Navigator (File Explorer): wget https://github.com/45Drives/cockpit-navigator/releases/download/v0.5.10/cockpit-navigator-0.5.10-1.el8.noarch.rpm, then rpm -Uhv WhateEverFileName
SAMBA / SMB:
- smbpasswd -a WhatEverUserName
- Remember, if SELINUX is enabled it messes up how SAMBA / SMB operates (can be very puzzling and frustrating): edit /etc/selinux/config and set to disabled (...yes I know, but when it's more hassle than it's worth forget it).
REMI (for multiple PHP version)
- dnf install epel-release
- Install the REMI RPM YUM Repos: dnf install https://rpms.remirepo.net/enterprise/remi-release-9.rpm
- It's changed a bit since CentOS 7, so: https://www.digitalocean.com/community/tutorials/how-to-run-multiple-php-versions-on-one-server-using-apache-and-php-fpm-on-centos-8
- dnf module list php
- dnf module reset php (turns off the current module installer)
- dnf module enable php:remi-7.4 or 8.0, 8.1, 8.2 (turns on this version installer)
- dnf install php74 php74-php-fpm OR php80 php80-php-fpm OR 81 OR 82, etc. (as of Rocky Linux 9.1: 7.4, 8.0, 8.1, 8.2 are available thru REMI and the default Rocky version is 8.1)
- systemctl enable php74-php-fpm OR WhatEverVersion (enable the FPM Service)
- systemctl start php74-php-fpm
- Configure the Socket or Port Number for each FPM version: /opt/remi/WhatEverVersion/php-fpm.d/www.conf (multiple listen = lines can exist)
- listen = 127.0.0.1:WXYZ (for ports)
- listen = /var/opt/remi/php74/run/php-fpm/www.sock (for socket, change phpXY as needed)
- For Apache / HTTPD, include one of the following;
- SetHandler "/var/opt/remi/php74/run/php-fpm/www.sock|fcgi://localhost" (an explanation for this funky syntax is given here:https://serverfault.com/questions/1044315/syntax-of-apache-sethandler-directive-when-configuring-php-fpm)
- SetHandler "proxy:fcgi://127.0.0.1:WXYZ"
- NOTE: This command will install a DEFAULT PHP version: dnf module install php:8.1/common (the default "appstream" version) or dnf module install php:remi-7.4/common (a REMI version)
* DNF = "Next Generation" of YUM
Gnome Initial GUI / Desktop Setup;
...there are so many suggested solutions that don't work when one wants a single user (root)
- https://www.putorius.net/disable-gnome-initial-setup.html
- https://askubuntu.com/questions/1028822/disable-the-new-ubuntu-18-04-welcome-screen/1030095#1030095
- The best one that works every time is this: yum remove gnome-initial-setup (can't run if it "don't" exist!)
- Disable Lock Screen;
- Settings, Privacy, Screen Lock
Networking
And under the category of "It isn't broken, so let's fix it" (thanks Red Hat Morons, yes morons, because in all of the documentation available no one has any good reason why the old system really needed replacing), so say hello to a piece of junk, err, NetworkManager
For more information;
- https://docs.rockylinux.org/gemstones/nmtui/
- https://www.redhat.com/en/blog/rhel-9-networking-say-goodbye-ifcfg-files-and-hello-keyfiles
For things like Webmin, seems to work OK. Shorewall and other deeper IP stuff, perhaps not so much
Helpful Tips
- Show Physical NICs and match them to their "logical" name;
- lspci
- lshw -class network -short (notice the Device name)
- lshw -class network (notice the logical name)
- ...and for detailed information on as specific adapter: ethtool WhatEverLogicalNameOfAdapter
- Webmin is a bit wonky with NetworkManager.
- Stop the "...renamed from eth0" 'consistent naming' 'capability' (from: https://www.itzgeek.com/how-tos/linux/centos-how-tos/how-to-change-network-interface-name-to-eth0-on-centos-8-rhel-8.html)
NetworkManager (if it is necessary to use it);
- Configuration: /etc/NetworkManger
- GUI: nm-connection-editor
- Text Based Editor: nmtui
- Directory for direct Text Editing: /etc/NetworkManager/system-connections
"Over Coming" NetworkManager (not disabling);
- Edit this file to PRIORITIZE the "old fashion" method over NetworkManager: /etc/NetworkManager/NetworkManager.conf, edit the plugins= line and put ifcfg-rh first
- Leave this in place for /etc/sysconfig/network-scripts/ifcfg-ethWhatEverNumber: NM_CONTROLLED="yes"
- yum install network-scripts --enableprepo=devel (this gets back stuff like "service network restart")
- ifup (just run the command and it will offer to install the necessary files)
Disabling NetworkManager
Because there seem to be so many different fashions (70-persistent-net.rules, udev, HWADDR) in how Linux in general and Rocky Linux 8 and 9 do things, here's a way to things for a server that has several NICs
- Pick a NIC port, assign an 'outlandish' (IE, you're not going to use it in the future) IP Address to it, make sure it works and then WHACK all the other ethernet devices / interfaces , using Webmin (handy if there are a bunch of NICs) or via command line.
- Rename Interfaces if desired (AKA getting rid of the freaky Rocky8 Network Interface names), see below example where enp2s0 is renamed to eth0;
ifconfig WhatEverName down
ip link set enp2s0 name eth0
...then in /etc/default/grub: GRUB_CMDLINE_LINUX="net.ifnames=0"
...then: grub2-mkconfig /boot/grub2/grug.cfg
...then make sure the Hardware Address is defined in ifcfg-ethX: HWADDR=WhatEverMACAddress
mv /etc/sysconfig/network-scripts/ifcfg-enp2s0 /etc/sysconfig/network-scripts/ifcfg-eth0/
nano /etc/sysconfig/network-scripts/ifcfg-eth0: DEVICE=eth0 (NAME Directive too if present)
- above is from: https://tekneed.com/how-to-rename-nic-in-linux-centos-rhel-7-8/
- ...and check with above noted "Hardware Commands": lshw -class network -short
- Everything good? Nope, not finished;
- Gotta make sure Red Hat, err, Rocky Linux (especially 8) doesn't revert to the 'messed up', err, new method of naming interfaces (that don't work well with useful things like Shorewall, Webmin, etc): https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/networking_guide/ch-consistent_network_device_naming
- Make some boot configuration changes (sort of (don't set to stated values here) from https://yallalabs.com/linux/how-to-change-network-interface-name-from-enp0s3-to-eth0-centos-8/)
- Make sure the /etc/default/grub GRUB_CMDLINE_LINUX: "WhatEverIsCurrentlyThere AndAddSpace net.ifnames=1 biosdevname=1" (more information: https://unix.stackexchange.com/questions/637295/linux-kernel-parameters-what-is-the-difference-of-net-ifnames-0-and-biosdevname and https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/networking_guide/sec-consistent_network_device_naming_using_biosdevname)
- Rebuild Grub: See Above Section
- ...and still not done because this leaves the naming of interfaces completely up to Linux and the information from the BIOS (or UEFI)
- Cute Story to start things: On a server with two built in NICs and an Intel i350 with 4 NICs on one x4 PCIe card, the names were as follows: eth0, eth1, eth2, eth4 were assigned to the Intel NICs, and eth3 and eth5 were assigned to the built in NICs. Did you catch that? Why did one of the built in one's nab eth3 from the Intel card. Who knows? (Hint: above BIOS setting wasn't correct)
- Solution? See below...
- Assign Hardware Addresses in /etc/sysconfig/network-scripts to make sure every NIC gets the IP Address it is supposed to get;
- HWADDR=WhatEverMACAddress (use lshw -class network -short AND ip a to match things up)
- From Here: https://www.thegeekdiary.com/centos-rhel-7-how-to-disable-networkmanager/amp/
- systemctl stop NetworkManager
- systemctl disable NetworkManager
- Any Network Interfaces in /etc/sysconfig/network-scripts, set this line as follows: NM_CONTROLLED="no"
- systemctl enable network (which results in this: /usr/lib/systemd/systemd-sysv-install enable network )
- service network restart OR systemctl restart network
- If needed: yum install network-scripts
- ...and in /etc/NetworkManager/NetworkManager.conf: plugins=ifcfg-rh,keyfile (with keyfile second)
Disabling IPv6 (hint, it's in the GRUB configuration file);
https://www.tecmint.com/disable-ipv6-rhel-rocky-almalinux/
...and watch out for this annoying error from PING every time it is used: Address family not supported by protocol
Update Check: Disabling
There's a bunch of different things to do with a lot of 'it depends', so impossible to cover everything, sadly, look it up and resign one's self to doing a bunch of different things.
Boot Time
systemd-analyze blame
Shorewall
If using ShoreWall, some changes have been made over the years. Watch out for these items: https://sourceforge.net/p/webadmin/discussion/600155/thread/67206ca38b/
ApacheGUI (doesn't seem to have been popular and hasn't been supported for a couple of years, but still useful for quick viewing of files)
Install it from here:
To have it start automatically, create a file named ApacheGUI.service in /etc/systemd/system
[Unit]
Description=ApacheGUI
[Service]
WorkingDirectory=/usr/share/ApacheGUI/bin
ExecStart=/usr/share/ApacheGUI/bin/run.sh
ExecStop=/usr/share/ApacheGUI/bin/stop.sh
[Install]
WantedBy=multi-user.target
...then: systemctl enable ApacheGUI.service
Apache / HTTPD
Believe it or not, SSL (AKA TLS) capability is not installed by default: yum install mod_ssl
To check general Apache performance (not troubleshooting) (from https://github.com/richardforth/apache2buddy, updated in late 2022, so seems current and valid as of this writing in early 2023 );
curl -sL https://raw.githubusercontent.com/richardforth/apache2buddy/master/apache2buddy.pl | perl
phpMyAdmin
The install via Yum / DNF puts things in locations that are different than if phpMyAdmin is installed manually.
- Directory for Files: /usr/share/phpMyAdmin
- Directories for Configuration
- /etc/phpMyAdmin/config.inc (for phpMyAdmin configuration) (ain't no config.sample.inc by default, as it has already been 'defaulted' by Red Hat)
- /etc/httpd/conf.d/phpMyAdmin.conf (for Apache level configuration)
- SSL / TLS / HTTPS: Believe it or not, out of the box accessing phpMyAdmin via HTTPS will not work (even if all the Apache stuff is properly configured). Solution?
- Add this line to /etc/phpMyAdmin/config.inc: $cfg['Servers'][$i]['ssl'] = true;
- Some other comments here (but keep in mind this dude is trying to turn off HTTPS): https://stackoverflow.com/questions/57972164/run-phpmyadmin-without-ssl-https
FSTAB
Oh, where to begin. Well, the only solution as of 2023 is to reboot. Go ahead. Try it. Research it. And see if you come to any conclusion other than the last sentence in this section.
Old Way (AKA, the first 1000 results from Google): mount -a
New Way (AKA, results sporadically starting at 1001 from Google): systemctl daemon-reload
Part they left out of New Way, in addition to the New Way (AKA, result 2000 plus from Google): systemctl restart-remote-fs.target AND systemctl restart-local-fs.target (thanks to: https://bbs.archlinux.org/viewtopic.php?id=192991)
...and in the end test with the plain MOUNT command to find none of it works. So reboot.
Obnoxious Issues
Error: Environment block too small ( in regards to grubenv )
Source: https://www.linuxsysadmins.com/grub2-editenv-block-too-small/
Other Notes
After GUI installation, get it to boot to command line: http://www.itzgeek.com/how-tos/linux/centos-how-tos/change-default-runlevel-in-centos-7-rhel-7.html#axzz3PuGwJi3X
Lock
- For Command Line instead of GUI interface: systemctl set-default multi-user.target
- Display Current Setting: systemctl get-default OR ls -l /usr/lib/systemd/system/default.target
- List what is available: systemctl list units --type target
- More details here: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/configuring_basic_system_settings/working-with-systemd-targets_configuring-basic-system-settings
- Start Gnome Desktop from command line; startx
o Exit Gnome desktop; Click the User Name, and select Logout
o ..as of 7.4 root login is allowed
o Get rid of screen blanking on command line; setterm -blank 0 -powersave off, permanently; add consoleblank=0 to the kernel parameters (edit grub configuration), in etc/default/grub
· Webmin; just goto their page for install
o Turn off the firewall; systemctl stop firewalld (and don’t forget to disable the Daemon on startup too)
o HTTP or HTTPS; Well in Firefox HTTP breaks firefox as of 9.2017, v55, so HTTPS, plus no goofy firefox warning about HTTP
· MySQL, now MariaDB (a fork) in CentOS7, installed by default, but not set up; instruction from here; https://www.linode.com/docs/databases/mariadb/how-to-install-mariadb-on-centos-7
o Systemctl enable mariadb (then it shows up in Webmin Services)
o Systemctl start mariadb
o Run the security script, it asks questions; mysql_secure_installation
o Login with mysql -u root -p
· Command that gets new services to show up in Webmin; systemctl daemon-reload
· EPEL and REMI; These are repositories that have newer versions of stuff.
o After installing their Yum REPO via RPM, they’re all disabled by default. Instead of enabling them permanently, use the following command, example is for installing newer versions of PHP
§ 72 is actually the latest versions
§ yum --enablerepo=remi,remi-php56,remi-php56-debuginfo install php (that’s two dashes incase MS word messes things up with a long dash)
· phpMyAdmin; make sure to install from the above repos, yum install phpmyadmin, then download the newest from the phpMyAdmin site and untar it into the appropriate directory, and for Apache;
o tar -xzvf phpMyAdmin_x.x.x-all-languages.tar.gz
o If yum was used, the directory it install in is at /usr/share/phpMyAdmin AND the usual config file mentioned in the phpMyAdmin documentation isn’t there, and by default the root / whatever the root password is works
o in the /etc/httpd/conf.d/phpmyadmin.conf file, add the following
§ everywhere there is a Require local, REM it out and put in Require all granted
· OpenVPN Note: All the CentOS6 Routers use “MD5” for certificate generation, which has been deprecated in CentOS7 for security reasons (from: https://coderwall.com/p/x22bbw/centos-7-and-legacy-openvpn
o Or change the line in the /etc/openvpn/openvpn-ssl.cnf file from MD5 to sha256
o Add Environment="OPENSSL_ENABLE_MD5_VERIFY=1 NSS_HASH_ALG_SUPPORT=+MD5" to [[1]]
o OLD; To Start in CentOS7; systemctl start [[2]]
· OpenVPN, new note, just generate all certificates using sha256 instead of md5. DD-WRT as it comes on the original Buffalo router is compatible. Make the configuration change in the OpenSSL ‘cnf’ file in the OpenVPN directory.
· OpenVPN; An oddity is that if OpenVPN starts from boot, the systemctl stop has no effect on it.
· …and if you want the GUI, type: startx (NOTE, this isn’t necessary with the below VNC setup)
· Linux Integration Tools for Hyper-V; Seems they’re already installed with CentOS7
· Systemctl start whatever, is equivalent to service whatever start
· And if you want to exit from the GUI to a command line, just log out by clicking on the User Name (root) and Logging out.
· Turn off the Firewall: systemctl stop firewalld (and don’t forget to disable the Daemon on startup too)
· VNC Installation, of course make sure the Desktop is installed (yum groupinstall “GNOME Desktop”), and install VNC Server, which is either yum install vncserver or yum install tigervnc-server, as it turns out CentOS uses Tiger VNC Server as the default.
- cp /lib/systemd/system/vncserver@.service [[3]] (this is the configuration file)
- there are two instances of the ‘variable’ <USER> that should be replaced with a real user name like root
- …and the path is wrong for the log file, so get rid of the beginning of the line /home so it starts out as /root/…
- Vncserver command configures everything for the currently logged on user, hopefully no errors
- Vncpasswd resets the currently logged on user’s password, append it with a specific user name to change their password, creates the .vnc directory in a user’s folder (/root/.vnc)
- systemctl daemon-reload (this, as I read, reloads the systemd service, which in turn reloads all of the listed items in the /etc/systemd/system folder, IE, VNC runs as sort of a sub-service)
- ln -s '/etc/systemd/system/vncserver@:0.service' '/etc/systemd/system/multi-user.target.wants/vncserver@:0.service'
- systemctl enable [[4]]
- Reboot the computer
- …and hopefully the service starts automatically, if not, type: systemctl start vncserver@:1.service
- Reference: https://www.digitalocean.com/community/tutorials/how-to-install-and-configure-vnc-remote-access-for-the-gnome-desktop-on-centos-7
Side note on systemd to remove a service that got listed accidentally, go to the /etc/systemd/system/multi-user.target.wants directory and eliminate what isn’t desired, then systemctl daemon-reload to clear it out.
Odd Note, on my CentOS7, the symbolic link in the /etc/systemd/system/multi-user.target.wants directory, it is redirected to [[5]], not the /etc/system/system directory, which might mean the vncserver command does that automatically. It works on port 5900 for me so I’m moving on, hopefully I can replicated this if necessary in the future.
· Progress Bar / Meter When Booting, of course it has changed from 6 to 7, first edit the /etc/default/grub file and eliminate the rhel and quiet items, then type: grub2-mkconfig –o /boot/grub2/grub.cfg, and of course the last line said I/O Error, so I deleted the original grub.cfg file in /boot/grub2 and reran the grub2-mkconfig command, same error, but it wrote the file and it worked on the next reboot. For editing at boot, press the E Key and ctrl-x to continue (this editor doesn’t work like the grub1 editior), but that only works fo • Command Prompt Show Path:
o UEFI; https://wiki.centos.org/HowTos/Grub2
· Command Prompt; nano /etc/bashrc look for the line that starts with [ $PS1, about 2/3 of the way down the first page, and change the last part of it, that starts with just PS1=, after the &&, and \W (a capital W) and some other stuff to just: PS1="[\w]\\$ "r one boot, IE the entire line should look as follows;
[ "$PS1" = "\\s-\\v\\\$ " ] && PS1="[\w]\\$ "
· PPTPD Poptop; yum install ppp pptp pptp-setup for client stuff, for pptpd (poptop), get RPM from: http://poptop.sourceforge.net/yum/stable/packages/, then rpm –Uhv WhatEverTheNameOfTheRPM
· OpenVPN; For CentOS 7, as of Feb 2015, everything is available from CentOS for OpenVPN in the latest version.
o Yum install epel-release
o Yum install easy-rsa
o Yum install openvpn (and other dependencies are automatically installed)
o MD5 is no longer supported, so certificates must use SHA1 or SHA256, in /etc/openvpn/openvpn-ssl.cnf, change the line default_md = (to either SHA1 or SHA256)
o Create Certificate Authority, Server, and Client(s) Certificates
· If a later version of OpenVPN is made, then download the ‘GZ’ file from OpenVPN, since all the dependencies are already installed, just create the RPM with: rpmbuild –tb WhatEverOpenVPNFileName, it builds the RPM and lists the directory where it is, then rpm –Uhv WhatEverRPMName
· Samba, in /etc/sysconfig/selinux, set SELINUX=DISABLED, otherwise certain directories labeled with a “5” (when listing with ls –la) will not be visible. The alternative is very, very troublesome if Selinux is left enabled (see https://solargap.wordpress.com/2008/10/17/samba-and-selinux-things-you-need-to-know/). Smbpasswd or smbpasswd -a WhatEverUserName to set password. Webmin to configure everything else. systemctl daemon-reload to make it show up in Webmin
· Shorewall; per their web site, as of version 4.4 and later, the perl shell, regular shell, and base package files have been combined.
Wget the ‘plain / shorewall’ (the biggest size) and core file, from http://www.invoca.ch/pub/packages/shorewall/RPMS/ils-5/noarch/, the init is for initializing interfaces that aren’t up at boot time, the lite package is the small Light version, the shorewall6 packages are for IPV6. Then just rpm –ihv them, core first.
Then of course enable it in the conf file. FIRST ADD additional network cards and copy Conf Files!
· PostFix; most of the stuff in the CentOS6 Folder applies, but SQL is now the preferred storage place for settings
· MySQL insert query;
INSERT INTO `domain` (`domain`) VALUES ('AJHL.NET'), ('BJLindholm.COM'), ('BJLindholm.NAME'), ('DDHarrimanLLC.COM'), ('DelosDavidHarriman.COM'), ('DelosDavidHarrimanLLC.COM'), ('FreelancerConsultant.COM'), ('FS-EMail.COM'), ('FSBusinessServices.COM'), ('FSCNS.COM'), ('FSFTP.COM'), ('FullSpectrum.LAN'), ('FullSpectrumCNS.COM'), ('FullSpectrumDNS.COM'), ('FullSpectrumEMail.COM'), ('FullSpectrumVOIP.COM'), ('OnSourcing.COM'), ('OnSourcing.NET'), ('TerraBase.INFO'), ('Terrawide.COM'), ('Terrawide.NET'), ('TheErotiX.COM'), ('TheErotiX.NET'), ('TheErotiX.ORG'), ('WineStraw.COM'), ('WineStraw.NET'), ('WineStraw.ORG');
# add to /etc/sysctl.conf
net.ipv4.ip_forward = 1
# echo into current config to run without restart
echo 1 > /proc/sys/net/ipv4/ip_forward
Freshclam is to involved, but just as a note the CentOS 7 install has most of it correct. Instead of running as a cron job, it is running as a Daemon.
MailScanner and Webmin plugin, it’s old, like 2005, but still works.
Instead of /etc/init.d the location for MailScanner’s Webmin module program location is /usr/sbin
MailWatch and MailScanner note; Version 5 for MailScanner changes some stuff including directory files, see the ReadMe in the installation source folder.
...path issue on Rocky Linux: MailWatchConf.pm and other files here: /usr/share/MailScanner/perl/custom
· Old Fashion Start / Stop Method
o Copy the contents of the WhatEver.service name; systemctl edit –full WhatEver.service
o Create a new ‘Service File’; nano /etc/systemd/system/WhatEver.service and copy the information in there.
o Here too; /usr/lib/systemd/system/clam-freshclam.service
o I made OpenVPN.service from [[6]] (the at symbol allows one to insert a ‘conf’ file, for example [[7]] will use the conf file in the /etc/openvpn directory.
o The side effect is service OpenVPN start / stop, etc works great to provid a familiar method of starting and restarting a service.
o In the end I changed it from OpenVPN to openvpn
o Don’t forget to disable the original service and enable the newly named one and permissions too, chmod 664 /WhatEver.service
o Left mailscanner.service in place instead of MailScanner like in previous builds.
Postfix / MailScanner / etc general thought; Get Postfix working properly and tested as a relay first. Learned this from the overly restrictive and parnoid CentOS 7 default postfix config file that doesn’t even forking include documentation in the file itself, as in the past.
And to do the above, just comment out that
Location of CHROOT for Postfix Script; \usr\share\doc\postfix-2.10.1\examples
Clamd forked out of the box… Configuration file from YUM is /etc/clamd.d/scan.conf, in the example file it is something else, and it is actually configured to use amavisd.conf. WTF?
Could not make MailScanner work with Socket, so had to use TCP port
AutoFS; Finally got it to work. The key was so stupid. Permissions on the AutoMount config file have to be 644, 777 doesn’t work as it is ‘too much’