Difference between revisions of "Rocky Linux Installation previously CentOS"
m |
m |
||
Line 97: | Line 97: | ||
'''Helpful Tips''' | '''Helpful Tips''' | ||
* Show Physical NICs and match them to their "logical" name; | *Show Physical NICs and match them to their "logical" name; | ||
** lspci | **lspci | ||
** lshw -class network -short (notice the Device name) | **lshw -class network -short (notice the Device name) | ||
** lshw -class network (notice the logical name) | **lshw -class network (notice the logical name) | ||
** ...and for detailed information on as specific adapter: ethtool WhatEverLogicalNameOfAdapter | **...and for detailed information on as specific adapter: ethtool WhatEverLogicalNameOfAdapter | ||
'''NetworkManager (if it is necessary to use it);''' | '''NetworkManager (if it is necessary to use it);''' | ||
Line 121: | Line 121: | ||
Because there seem to be so many different fashions (70-persistent-net.rules, udev, HWADDR) in how Linux in general and Rocky Linux 8 and 9 do things, here's a way to things for a server that has several NICs | Because there seem to be so many different fashions (70-persistent-net.rules, udev, HWADDR) in how Linux in general and Rocky Linux 8 and 9 do things, here's a way to things for a server that has several NICs | ||
* Pick a NIC port, assign an 'outlandish' (IE, you're not going to use it in the future) IP Address to it, make sure it works and then WHACK all the other ethernet devices / interfaces , using Webmin (handy if there are a bunch of NICs) or via command line. | *Pick a NIC port, assign an 'outlandish' (IE, you're not going to use it in the future) IP Address to it, make sure it works and then WHACK all the other ethernet devices / interfaces , using Webmin (handy if there are a bunch of NICs) or via command line. | ||
* Rename Interfaces if desired (AKA getting rid of the freaky Rocky8 Network Interface names), see below example where enp2s0 is renamed to eth0; | *Rename Interfaces if desired (AKA getting rid of the freaky Rocky8 Network Interface names), see below example where enp2s0 is renamed to eth0; | ||
** <code>ifdown enp2s0</code> | **<code>ifdown enp2s0</code> | ||
**<code>ip link set enp2s0 name eth0</code> | **<code>ip link set enp2s0 name eth0</code> | ||
**<code>mv /etc/sysconfig/network-scripts/ifcfg-enp2s0 /etc/sysconfig/network-scripts/ifcfg-eth0/</code> | **<code>mv /etc/sysconfig/network-scripts/ifcfg-enp2s0 /etc/sysconfig/network-scripts/ifcfg-eth0/</code> | ||
Line 129: | Line 129: | ||
**above is from: https://tekneed.com/how-to-rename-nic-in-linux-centos-rhel-7-8/ | **above is from: https://tekneed.com/how-to-rename-nic-in-linux-centos-rhel-7-8/ | ||
**...and check with above noted "Hardware Commands": lshw -class network -short | **...and check with above noted "Hardware Commands": lshw -class network -short | ||
*Everything good? Nope, not finished; | |||
**Gotta make sure Red Hat, err, Rocky Linux (especially 8) doesn't revert to the 'messed up', err, new method of naming interfaces (that don't work well with useful things like Shorewall, Webmin, etc): https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/networking_guide/ch-consistent_network_device_naming | |||
**Make some boot configuration changes (sort of (don't set to stated values here) from https://yallalabs.com/linux/how-to-change-network-interface-name-from-enp0s3-to-eth0-centos-8/) | |||
***Make sure the /etc/default/grub GRUB_CMDLINE_LINUX: "WhatEverIsCurrentlyThere AndAddSpace net.ifnames=1 biosdevname=1" (more information: https://unix.stackexchange.com/questions/637295/linux-kernel-parameters-what-is-the-difference-of-net-ifnames-0-and-biosdevname and https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/networking_guide/sec-consistent_network_device_naming_using_biosdevname) | |||
***Rebuild Grub: See Above Section | |||
**...and still not done because this leaves the naming of interfaces completely up to Linux and the information from the BIOS (or UEFI) | |||
***Cute Story to start things: On a server with two built in NICs and an Intel i350 with 4 NICs on one x4 PCIe card, the names were as follows: eth0, eth1, eth2, eth4 were assigned to the Intel NICs, and eth3 and eth5 were assigned to the built in NICs. Did you catch that? Why did one of the built in one's nab eth3 from the Intel card. Who knows? (Hint: above BIOS setting wasn't correct) | |||
***Solution? See below... | |||
***Assign Hardware Addresses in /etc/sysconfig/network-scripts to make sure every NIC gets the IP Address it is supposed to get; | |||
****HWADDR=WhatEverMACAddress (use ''lshw -class network -short'' AND ''ip a'' to match things up) | |||
*From Here: https://www.thegeekdiary.com/centos-rhel-7-how-to-disable-networkmanager/amp/ | *From Here: https://www.thegeekdiary.com/centos-rhel-7-how-to-disable-networkmanager/amp/ |
Revision as of 19:09, 29 January 2023
General Notes (applies to various version of CentOS and Rocky Linux, but modified as it applies to Rocky Linux 8 and above)
- Hyper-V: Do not use virtual RAM when booting from CD / DVD, it will cause a Kernel Panic
Bash Prompt (something actually useful);
- For Existing Users, Current Session, at command prompt: PS1="\h} \w: "
- To make permanent and for New Users edit this File: /etc/bashrc: [ "$PS1" = "\\s-\\v\\\$ " ] && PS1="\h} \w: "
Disable SELINUX:/etc/selinux/config, set SELINUX to disabled;
- sestatus to check status AND check /boot/efi/EFI/centos/grub, edit /etc/default/grub,
look for line that starts with "linux..." and ends with a UTF setting, add selinux=0 to the end of the line.
- Alternatively or if Issues Occur: When disabling SELINUX, reboot, make boot selection (do NOT press enter), press e, edit grub file, look for line near end that usually starts of with "linux..." and ends with a UTF setting, add selinux=0 to the end of the line. (Thanks to: https://www.virtualramblings.com/failed-to-load-selinux-policy-freezing/)
- See Below in Rocky Linux 9 Section:
Show useful information when booting (it is Linux afterall): edit line in /boot/efi/EFI/centos/grub.cfg that usually starts of with "linux..." and ends with a UTF setting, remove rhel and quiet switches.
Boot to a command prompt instead of GUI;
- systemctl set-default multi-user.target (Thanks to: https://www.itzgeek.com/how-tos/linux/centos-how-tos/change-default-runlevel-in-centos-7-rhel-7.html#axzz3PuGwJi3X)
- startx will activate GUI
- Disable firewall (if behind a hardware firewall, etc.): systemctl stop firewalld.service, systemctl disable firewalld.service
- Webmin New: Make a repo in /etc/yum.repos.d/webmin.repo (from https://www.webmin.com/rpm.html)
[Webmin]
name=Webmin Distribution Neutral
#baseurl=https://download.webmin.com/download/yum
mirrorlist=https://download.webmin.com/download/yum/mirrorlist
enabled=1
gpgkey=https://download.webmin.com/jcameron-key.asc
gpgcheck=1
- Webmin Old (now there's a repository available): Install Webmin RPM via Yum (it will also install dependencies automatically)
Rocky Linux 9 (New Stuff)
For Showing Useful Information While Booting, edit the /etc/default/grub File (get rid of quiet rhel Directives) and then use this command(s) (equivalent to what BootICE does for the Windows BCD File);
- For UEFI / EFI Boot: grub2-mkconfig -o /boot/efi/EFI/rocky/grub.cfg or
- For BIOS Boot: grub2-mkconfig -o /boot/grub2/grub.cfg
- If grub-mkconfig is "not found": notice the subtle difference above: grub2-mkconfig (not grub(WITHOUT THE NUMBER 2)-mkconfig)
Firewall: If using something like Shorewall, get rid of FirewallD: yum remove firewalld* --noautoremove
Cockpit AddOns;
- From: https://github.com/45Drives/cockpit-file-sharing
- Don't use this one (too much of a hastle): Samba PlugIn: dnf install https://github.com/45Drives/cockpit-file-sharing/releases/download/v3.2.9/cockpit-file-sharing-3.2.9-2.el8.noarch.rpm
- Navigator (File Explorer): wget https://github.com/45Drives/cockpit-navigator/releases/download/v0.5.10/cockpit-navigator-0.5.10-1.el8.noarch.rpm, then rpm -Uhv WhateEverFileName
SAMBA / SMB:
- smbpasswd -a WhatEverUserName
- Remember, if SELINUX is enabled it messes up how SAMBA / SMB operates (can be very puzzling and frustrating): edit /etc/selinux/config and set to disabled (...yes I know, but when it's more hassle than it's worth forget it).
REMI (for multiple PHP version)
- dnf install epel-release
- Install the REMI RPM YUM Repos: dnf install https://rpms.remirepo.net/enterprise/remi-release-9.rpm
- It's changed a bit since CentOS 7, so: https://www.digitalocean.com/community/tutorials/how-to-run-multiple-php-versions-on-one-server-using-apache-and-php-fpm-on-centos-8
- dnf module list php
- dnf module reset php (turns off the current module installer)
- dnf module enable php:remi-7.4 or 8.0, 8.1, 8.2 (turns on this version installer)
- dnf install php74 php74-php-fpm OR php80 php80-php-fpm OR 81 OR 82, etc. (as of Rocky Linux 9.1: 7.4, 8.0, 8.1, 8.2 are available thru REMI and the default Rocky version is 8.1)
- systemctl enable php74-php-fpm OR WhatEverVersion (enable the FPM Service)
- systemctl start php74-php-fpm
- Configure the Socket or Port Number for each FPM version: /opt/remi/WhatEverVersion/php-fpm.d/www.conf (multiple listen = lines can exist)
- listen = 127.0.0.1:WXYZ (for ports)
- listen = /var/opt/remi/php74/run/php-fpm/www.sock (for socket, change phpXY as needed)
- For Apache / HTTPD, include one of the following;
- SetHandler "/var/opt/remi/php74/run/php-fpm/www.sock|fcgi://localhost" (an explanation for this funky syntax is given here:https://serverfault.com/questions/1044315/syntax-of-apache-sethandler-directive-when-configuring-php-fpm)
- SetHandler "proxy:fcgi://127.0.0.1:WXYZ"
- NOTE: This command will install a DEFAULT PHP version: dnf module install php:8.1/common (the default "appstream" version) or dnf module install php:remi-7.4/common (a REMI version)
* DNF = "Next Generation" of YUM
Gnome Initial GUI / Desktop Setup
...there are so many suggested solutions that don't work when one wants a single user (root)
- https://www.putorius.net/disable-gnome-initial-setup.html
- https://askubuntu.com/questions/1028822/disable-the-new-ubuntu-18-04-welcome-screen/1030095#1030095
- The best one that works every time is this: yum remove gnome-initial-setup (can't run if it "don't" exist!)
Networking
And under the category of "It isn't broken, so let's fix it" (thanks Red Hat Morons, yes morons, because in all of the documentation available no one has any good reason why the old system really needed replacing), so say hello to a piece of junk, err, NetworkManager
For more information;
- https://docs.rockylinux.org/gemstones/nmtui/
- https://www.redhat.com/en/blog/rhel-9-networking-say-goodbye-ifcfg-files-and-hello-keyfiles
For things like Webmin, seems to work OK. Shorewall and other deeper IP stuff, perhaps not so much
Helpful Tips
- Show Physical NICs and match them to their "logical" name;
- lspci
- lshw -class network -short (notice the Device name)
- lshw -class network (notice the logical name)
- ...and for detailed information on as specific adapter: ethtool WhatEverLogicalNameOfAdapter
NetworkManager (if it is necessary to use it);
- Configuration: /etc/NetworkManger
- GUI: nm-connection-editor
- Text Based Editor: nmtui
- Directory for direct Text Editing: /etc/NetworkManager/system-connections
"Over Coming" NetworkManager (not disabling);
- Edit this file to PRIORITIZE the "old fashion" method over NetworkManager: /etc/NetworkManager/NetworkManager.conf, edit the plugins= line and put ifcfg-rh first
- Leave this in place for /etc/sysconfig/network-scripts/ifcfg-ethWhatEverNumber: NM_CONTROLLED="yes"
- yum install network-scripts --enableprepo=devel (this gets back stuff like "service network restart")
- ifup (just run the command and it will offer to install the necessary files)
Disabling NetworkManager
Because there seem to be so many different fashions (70-persistent-net.rules, udev, HWADDR) in how Linux in general and Rocky Linux 8 and 9 do things, here's a way to things for a server that has several NICs
- Pick a NIC port, assign an 'outlandish' (IE, you're not going to use it in the future) IP Address to it, make sure it works and then WHACK all the other ethernet devices / interfaces , using Webmin (handy if there are a bunch of NICs) or via command line.
- Rename Interfaces if desired (AKA getting rid of the freaky Rocky8 Network Interface names), see below example where enp2s0 is renamed to eth0;
ifdown enp2s0
ip link set enp2s0 name eth0
mv /etc/sysconfig/network-scripts/ifcfg-enp2s0 /etc/sysconfig/network-scripts/ifcfg-eth0/
nano /etc/sysconfig/network-scripts/ifcfg-eth0: DEVICE=eth0 (NAME Directive too if present)
- above is from: https://tekneed.com/how-to-rename-nic-in-linux-centos-rhel-7-8/
- ...and check with above noted "Hardware Commands": lshw -class network -short
- Everything good? Nope, not finished;
- Gotta make sure Red Hat, err, Rocky Linux (especially 8) doesn't revert to the 'messed up', err, new method of naming interfaces (that don't work well with useful things like Shorewall, Webmin, etc): https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/networking_guide/ch-consistent_network_device_naming
- Make some boot configuration changes (sort of (don't set to stated values here) from https://yallalabs.com/linux/how-to-change-network-interface-name-from-enp0s3-to-eth0-centos-8/)
- Make sure the /etc/default/grub GRUB_CMDLINE_LINUX: "WhatEverIsCurrentlyThere AndAddSpace net.ifnames=1 biosdevname=1" (more information: https://unix.stackexchange.com/questions/637295/linux-kernel-parameters-what-is-the-difference-of-net-ifnames-0-and-biosdevname and https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/networking_guide/sec-consistent_network_device_naming_using_biosdevname)
- Rebuild Grub: See Above Section
- ...and still not done because this leaves the naming of interfaces completely up to Linux and the information from the BIOS (or UEFI)
- Cute Story to start things: On a server with two built in NICs and an Intel i350 with 4 NICs on one x4 PCIe card, the names were as follows: eth0, eth1, eth2, eth4 were assigned to the Intel NICs, and eth3 and eth5 were assigned to the built in NICs. Did you catch that? Why did one of the built in one's nab eth3 from the Intel card. Who knows? (Hint: above BIOS setting wasn't correct)
- Solution? See below...
- Assign Hardware Addresses in /etc/sysconfig/network-scripts to make sure every NIC gets the IP Address it is supposed to get;
- HWADDR=WhatEverMACAddress (use lshw -class network -short AND ip a to match things up)
- From Here: https://www.thegeekdiary.com/centos-rhel-7-how-to-disable-networkmanager/amp/
- systemctl stop NetworkManager
- systemctl disable NetworkManager
- Any Network Interfaces in /etc/sysconfig/network-scripts, set this line as follows: NM_CONTROLLED="no"
- systemctl enable network (which results in this: /usr/lib/systemd/systemd-sysv-install enable network )
- service network restart OR systemctl restart network
- If needed: yum install network-scripts
- ...and in /etc/NetworkManager/NetworkManager.conf: plugins=ifcfg-rh,keyfile (with keyfile second)
Disabling IPv6 (hint, it's in the GRUB configuration file);
https://www.tecmint.com/disable-ipv6-rhel-rocky-almalinux/
Boot Time
systemd-analyze blame
Shorewall
If using ShoreWall, some changes have been made over the years. Watch out for these items: https://sourceforge.net/p/webadmin/discussion/600155/thread/67206ca38b/
ApacheGUI (doesn't seem to have been popular and hasn't been supported for a couple of years, but still useful for quick viewing of files)
Install it from here:
To have it start automatically, create a file named ApacheGUI.service in /etc/systemd/system
[Unit]
Description=ApacheGUI
[Service]
WorkingDirectory=/usr/share/ApacheGUI/bin
ExecStart=/usr/share/ApacheGUI/bin/run.sh
ExecStop=/usr/share/ApacheGUI/bin/stop.sh
[Install]
WantedBy=multi-user.target
...then: systemctl enable ApacheGUI.service
Apache / HTTPD
Believe it or not, SSL (AKA TLS) capability is not installed by default: yum install mod_ssl
To check general Apache performance (not troubleshooting) (from https://github.com/richardforth/apache2buddy, updated in late 2022, so seems current and valid as of this writing in early 2023 );
curl -sL https://raw.githubusercontent.com/richardforth/apache2buddy/master/apache2buddy.pl | perl
phpMyAdmin
The install via Yum / DNF puts things in locations that are different than if phpMyAdmin is installed manually.
- Directory for Files: /usr/share/phpMyAdmin
- Directories for Configuration
- /etc/phpMyAdmin/config.inc (for phpMyAdmin configuration) (ain't no config.sample.inc by default, as it has already been 'defaulted' by Red Hat)
- /etc/httpd/conf.d/phpMyAdmin.conf (for Apache level configuration)
- SSL / TLS / HTTPS: Believe it or not, out of the box accessing phpMyAdmin via HTTPS will not work (even if all the Apache stuff is properly configured). Solution?
- Add this line to /etc/phpMyAdmin/config.inc: $cfg['Servers'][$i]['ssl'] = true;
- Some other comments here (but keep in mind this dude is trying to turn off HTTPS): https://stackoverflow.com/questions/57972164/run-phpmyadmin-without-ssl-https
Other Notes
After GUI installation, get it to boot to command line: http://www.itzgeek.com/how-tos/linux/centos-how-tos/change-default-runlevel-in-centos-7-rhel-7.html#axzz3PuGwJi3X
- For Command Line instead of GUI interface: systemctl set-default multi-user.target
- Display Current Setting: systemctl get-default OR ls -l /usr/lib/systemd/system/default.target
- List what is available: systemctl list units --type target
- More details here: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/configuring_basic_system_settings/working-with-systemd-targets_configuring-basic-system-settings
- Start Gnome Desktop from command line; startx
o Exit Gnome desktop; Click the User Name, and select Logout
o ..as of 7.4 root login is allowed
o Get rid of screen blanking on command line; setterm -blank 0 -powersave off, permanently; add consoleblank=0 to the kernel parameters (edit grub configuration), in etc/default/grub
· Webmin; just goto their page for install
o Turn off the firewall; systemctl stop firewalld (and don’t forget to disable the Daemon on startup too)
o HTTP or HTTPS; Well in Firefox HTTP breaks firefox as of 9.2017, v55, so HTTPS, plus no goofy firefox warning about HTTP
· MySQL, now MariaDB (a fork) in CentOS7, installed by default, but not set up; instruction from here; https://www.linode.com/docs/databases/mariadb/how-to-install-mariadb-on-centos-7
o Systemctl enable mariadb (then it shows up in Webmin Services)
o Systemctl start mariadb
o Run the security script, it asks questions; mysql_secure_installation
o Login with mysql -u root -p
· Command that gets new services to show up in Webmin; systemctl daemon-reload
· EPEL and REMI; These are repositories that have newer versions of stuff.
o After installing their Yum REPO via RPM, they’re all disabled by default. Instead of enabling them permanently, use the following command, example is for installing newer versions of PHP
§ 72 is actually the latest versions
§ yum --enablerepo=remi,remi-php56,remi-php56-debuginfo install php (that’s two dashes incase MS word messes things up with a long dash)
· phpMyAdmin; make sure to install from the above repos, yum install phpmyadmin, then download the newest from the phpMyAdmin site and untar it into the appropriate directory, and for Apache;
o tar -xzvf phpMyAdmin_x.x.x-all-languages.tar.gz
o If yum was used, the directory it install in is at /usr/share/phpMyAdmin AND the usual config file mentioned in the phpMyAdmin documentation isn’t there, and by default the root / whatever the root password is works
o in the /etc/httpd/conf.d/phpmyadmin.conf file, add the following
§ everywhere there is a Require local, REM it out and put in Require all granted
· OpenVPN Note: All the CentOS6 Routers use “MD5” for certificate generation, which has been deprecated in CentOS7 for security reasons (from: https://coderwall.com/p/x22bbw/centos-7-and-legacy-openvpn
o Or change the line in the /etc/openvpn/openvpn-ssl.cnf file from MD5 to sha256
o Add Environment="OPENSSL_ENABLE_MD5_VERIFY=1 NSS_HASH_ALG_SUPPORT=+MD5" to [[1]]
o OLD; To Start in CentOS7; systemctl start [[2]]
· OpenVPN, new note, just generate all certificates using sha256 instead of md5. DD-WRT as it comes on the original Buffalo router is compatible. Make the configuration change in the OpenSSL ‘cnf’ file in the OpenVPN directory.
· OpenVPN; An oddity is that if OpenVPN starts from boot, the systemctl stop has no effect on it.
· …and if you want the GUI, type: startx (NOTE, this isn’t necessary with the below VNC setup)
· Linux Integration Tools for Hyper-V; Seems they’re already installed with CentOS7
· Systemctl start whatever, is equivalent to service whatever start
· And if you want to exit from the GUI to a command line, just log out by clicking on the User Name (root) and Logging out.
· Turn off the Firewall: systemctl stop firewalld (and don’t forget to disable the Daemon on startup too)
· VNC Installation, of course make sure the Desktop is installed (yum groupinstall “GNOME Desktop”), and install VNC Server, which is either yum install vncserver or yum install tigervnc-server, as it turns out CentOS uses Tiger VNC Server as the default.
- cp /lib/systemd/system/vncserver@.service [[3]] (this is the configuration file)
- there are two instances of the ‘variable’ <USER> that should be replaced with a real user name like root
- …and the path is wrong for the log file, so get rid of the beginning of the line /home so it starts out as /root/…
- Vncserver command configures everything for the currently logged on user, hopefully no errors
- Vncpasswd resets the currently logged on user’s password, append it with a specific user name to change their password, creates the .vnc directory in a user’s folder (/root/.vnc)
- systemctl daemon-reload (this, as I read, reloads the systemd service, which in turn reloads all of the listed items in the /etc/systemd/system folder, IE, VNC runs as sort of a sub-service)
- ln -s '/etc/systemd/system/vncserver@:0.service' '/etc/systemd/system/multi-user.target.wants/vncserver@:0.service'
- systemctl enable [[4]]
- Reboot the computer
- …and hopefully the service starts automatically, if not, type: systemctl start vncserver@:1.service
- Reference: https://www.digitalocean.com/community/tutorials/how-to-install-and-configure-vnc-remote-access-for-the-gnome-desktop-on-centos-7
Side note on systemd to remove a service that got listed accidentally, go to the /etc/systemd/system/multi-user.target.wants directory and eliminate what isn’t desired, then systemctl daemon-reload to clear it out.
Odd Note, on my CentOS7, the symbolic link in the /etc/systemd/system/multi-user.target.wants directory, it is redirected to [[5]], not the /etc/system/system directory, which might mean the vncserver command does that automatically. It works on port 5900 for me so I’m moving on, hopefully I can replicated this if necessary in the future.
· Progress Bar / Meter When Booting, of course it has changed from 6 to 7, first edit the /etc/default/grub file and eliminate the rhel and quiet items, then type: grub2-mkconfig –o /boot/grub2/grub.cfg, and of course the last line said I/O Error, so I deleted the original grub.cfg file in /boot/grub2 and reran the grub2-mkconfig command, same error, but it wrote the file and it worked on the next reboot. For editing at boot, press the E Key and ctrl-x to continue (this editor doesn’t work like the grub1 editior), but that only works fo • Command Prompt Show Path:
o UEFI; https://wiki.centos.org/HowTos/Grub2
· Command Prompt; nano /etc/bashrc look for the line that starts with [ $PS1, about 2/3 of the way down the first page, and change the last part of it, that starts with just PS1=, after the &&, and \W (a capital W) and some other stuff to just: PS1="[\w]\\$ "r one boot, IE the entire line should look as follows;
[ "$PS1" = "\\s-\\v\\\$ " ] && PS1="[\w]\\$ "
· PPTPD Poptop; yum install ppp pptp pptp-setup for client stuff, for pptpd (poptop), get RPM from: http://poptop.sourceforge.net/yum/stable/packages/, then rpm –Uhv WhatEverTheNameOfTheRPM
· OpenVPN; For CentOS 7, as of Feb 2015, everything is available from CentOS for OpenVPN in the latest version.
o Yum install epel-release
o Yum install easy-rsa
o Yum install openvpn (and other dependencies are automatically installed)
o MD5 is no longer supported, so certificates must use SHA1 or SHA256, in /etc/openvpn/openvpn-ssl.cnf, change the line default_md = (to either SHA1 or SHA256)
o Create Certificate Authority, Server, and Client(s) Certificates
· If a later version of OpenVPN is made, then download the ‘GZ’ file from OpenVPN, since all the dependencies are already installed, just create the RPM with: rpmbuild –tb WhatEverOpenVPNFileName, it builds the RPM and lists the directory where it is, then rpm –Uhv WhatEverRPMName
· Samba, in /etc/sysconfig/selinux, set SELINUX=DISABLED, otherwise certain directories labeled with a “5” (when listing with ls –la) will not be visible. The alternative is very, very troublesome if Selinux is left enabled (see https://solargap.wordpress.com/2008/10/17/samba-and-selinux-things-you-need-to-know/). Smbpasswd or smbpasswd -a WhatEverUserName to set password. Webmin to configure everything else. systemctl daemon-reload to make it show up in Webmin
· Shorewall; per their web site, as of version 4.4 and later, the perl shell, regular shell, and base package files have been combined.
Wget the ‘plain / shorewall’ (the biggest size) and core file, from http://www.invoca.ch/pub/packages/shorewall/RPMS/ils-5/noarch/, the init is for initializing interfaces that aren’t up at boot time, the lite package is the small Light version, the shorewall6 packages are for IPV6. Then just rpm –ihv them, core first.
Then of course enable it in the conf file. FIRST ADD additional network cards and copy Conf Files!
· PostFix; most of the stuff in the CentOS6 Folder applies, but SQL is now the preferred storage place for settings
· MySQL insert query;
INSERT INTO `domain` (`domain`) VALUES ('AJHL.NET'), ('BJLindholm.COM'), ('BJLindholm.NAME'), ('DDHarrimanLLC.COM'), ('DelosDavidHarriman.COM'), ('DelosDavidHarrimanLLC.COM'), ('FreelancerConsultant.COM'), ('FS-EMail.COM'), ('FSBusinessServices.COM'), ('FSCNS.COM'), ('FSFTP.COM'), ('FullSpectrum.LAN'), ('FullSpectrumCNS.COM'), ('FullSpectrumDNS.COM'), ('FullSpectrumEMail.COM'), ('FullSpectrumVOIP.COM'), ('OnSourcing.COM'), ('OnSourcing.NET'), ('TerraBase.INFO'), ('Terrawide.COM'), ('Terrawide.NET'), ('TheErotiX.COM'), ('TheErotiX.NET'), ('TheErotiX.ORG'), ('WineStraw.COM'), ('WineStraw.NET'), ('WineStraw.ORG');
# add to /etc/sysctl.conf
net.ipv4.ip_forward = 1
# echo into current config to run without restart
echo 1 > /proc/sys/net/ipv4/ip_forward
Freshclam is to involved, but just as a note the CentOS 7 install has most of it correct. Instead of running as a cron job, it is running as a Daemon.
MailScanner and Webmin plugin, it’s old, like 2005, but still works.
Instead of /etc/init.d the location for MailScanner’s Webmin module program location is /usr/sbin
MailWatch and MailScanner note; Version 5 for MailScanner changes some stuff including directory files, see the ReadMe in the installation source folder.
· Old Fashion Start / Stop Method
o Copy the contents of the WhatEver.service name; systemctl edit –full WhatEver.service
o Create a new ‘Service File’; nano /etc/systemd/system/WhatEver.service and copy the information in there.
o Here too; /usr/lib/systemd/system/clam-freshclam.service
o I made OpenVPN.service from [[6]] (the at symbol allows one to insert a ‘conf’ file, for example [[7]] will use the conf file in the /etc/openvpn directory.
o The side effect is service OpenVPN start / stop, etc works great to provid a familiar method of starting and restarting a service.
o In the end I changed it from OpenVPN to openvpn
o Don’t forget to disable the original service and enable the newly named one and permissions too, chmod 664 /WhatEver.service
o Left mailscanner.service in place instead of MailScanner like in previous builds.
Postfix / MailScanner / etc general thought; Get Postfix working properly and tested as a relay first. Learned this from the overly restrictive and parnoid CentOS 7 default postfix config file that doesn’t even forking include documentation in the file itself, as in the past.
And to do the above, just comment out that
Location of CHROOT for Postfix Script; \usr\share\doc\postfix-2.10.1\examples
Clamd forked out of the box… Configuration file from YUM is /etc/clamd.d/scan.conf, in the example file it is something else, and it is actually configured to use amavisd.conf. WTF?
Could not make MailScanner work with Socket, so had to use TCP port
AutoFS; Finally got it to work. The key was so stupid. Permissions on the AutoMount config file have to be 644, 777 doesn’t work as it is ‘too much’