Rocky Linux Installation previously CentOS
Notes
- Hyper-V: Do not use virtual RAM when booting from CD / DVD, it will cause a Kernel Panic
- Bash Prompt (something actually useful): /etc/bashrc: [ "$PS1" = "\\s-\\v\\\$ " ] && PS1="[\w]\\$ "
- Disable SELINUX:/etc/selinux/config, set SELINUX to disabled, sestatus to check status AND /boot/efi/EFI/centos/grub.cfg, edit first line that starts with "linux..." and ends with a UTF setting, add selinux=0 to the end of the line.
- This is only temporary (see above for making permanent): If issues occur when disabling SELINUX, reboot, make boot selection (do NOT press enter), press e, edit grub file, look for line near end that usually starts of with "linux..." and ends with a UTF setting, add selinux=0 to the end of the line. (Thanks to: https://www.virtualramblings.com/failed-to-load-selinux-policy-freezing/)
- See Below in Rocky Linux 9 Section:
Show useful information when booting (it is Linux afterall): edit line in /boot/efi/EFI/centos/grub.cfg that usually starts of with "linux..." and ends with a UTF setting, remove rhel and quiet switches. - Boot to a command prompt: systemctl set-default multi-user.target (Thanks to: https://www.itzgeek.com/how-tos/linux/centos-how-tos/change-default-runlevel-in-centos-7-rhel-7.html#axzz3PuGwJi3X)
- startx will activate GUI
- Disable firewall (if behind a hardware firewall, etc.): systemctl stop firewalld.service, systemctl disable firewalld.service
- Install Webmin RPM via Yum (it will also install dependencies automatically)
Rocky Linux 9 (New Stuff)
For Showing Useful Information While Booting, edit the /etc/default/grub File (get rid of quiet rhel Directives) and then use this command: grub2-mkconfig -o /boot/efi/EFI/rocky/grub.cfg (equivalent to what BootICE does for the Windows BCD File)
Cockpit AddOns;
- From: https://github.com/45Drives/cockpit-file-sharing
- Samba PlugIn: dnf install https://github.com/45Drives/cockpit-file-sharing/releases/download/v3.2.9/cockpit-file-sharing-3.2.9-2.el8.noarch.rpm
- Navigator (File Explorer): wget https://github.com/45Drives/cockpit-navigator/releases/download/v0.5.10/cockpit-navigator-0.5.10-1.el8.noarch.rpm, then rpm -Uhv WhateEverFileName
SAMBA / SMB: Remember, if SELINUX is enabled it messes up how SAMBA / SMB operates (can be very puzzling and frustrating): edit /etc/selinux/config and set to disabled (...yes I know, but when it's more hassle than it's worth forget it).
REMI (for multiple PHP version)
- dnf install epel-release
- Install the REMI RPM YUM Repos: dnf install https://rpms.remirepo.net/enterprise/remi-release-9.rpm
- It's changed a bit since CentOS 7, so: https://www.digitalocean.com/community/tutorials/how-to-run-multiple-php-versions-on-one-server-using-apache-and-php-fpm-on-centos-8
- dnf module list php
- dnf module reset php (turns off the current module installer)
- dnf module enable php:remi-7.4 or 8.0, 8.1, 8.2 (turns on this version installer)
- dnf install php74 php74-php-fpm OR php80 php80-php-fpm OR 81 OR 82, etc. (as of Rocky Linux 9.1: 7.4, 8.0, 8.1, 8.2 are available thru REMI and the default Rocky version is 8.1)
- systemctl enable php74-php-fpm OR WhatEverVersion (enable the FPM Service)
- systemctl start php74-php-fpm
- Configure the Socket or Port Number for each FPM version: /opt/remi/WhatEverVersion/php-fpm.d/www.conf (multiple listen = lines can exist)
- listen = 127.0.0.1:WXYZ (for ports)
- listen = /var/opt/remi/php74/run/php-fpm/www.sock (for socket, change phpXY as needed)
- For Apache / HTTPD, include one of the following;
- SetHandler "/var/opt/remi/php74/run/php-fpm/www.sock|fcgi://localhost" (an explanation for this funky syntax is given here:https://serverfault.com/questions/1044315/syntax-of-apache-sethandler-directive-when-configuring-php-fpm)
- SetHandler "proxy:fcgi://127.0.0.1:WXYZ"
- NOTE: This command will install a DEFAULT PHP version: dnf module install php:8.1/common (the default "appstream" version) or dnf module install php:remi-7.4/common (a REMI version)
* DNF = "Next Generation" of YUM
Gnome Initial GUI / Desktop Setup
...there are so many suggested solutions that don't work when one wants a single user (root)
- https://www.putorius.net/disable-gnome-initial-setup.html
- https://askubuntu.com/questions/1028822/disable-the-new-ubuntu-18-04-welcome-screen/1030095#1030095
- The best one that works every time is this: yum remove gnome-initial-setup (can't run if it "don't" exist!)
Networking
And under the category of "It isn't broken, so let's fix it" (thanks Red Hat Morons, yes morons, because in all of the documentation available no one has any good reason why the old system really needed replacing), say hello to NetworkManager
https://docs.rockylinux.org/gemstones/nmtui/
https://www.redhat.com/en/blog/rhel-9-networking-say-goodbye-ifcfg-files-and-hello-keyfiles
For things like Webmin, seems to work OK. Shorewall and other deeper IP stuff, perhaps not so much
Tips if it is necessary to use it;
- GUI: nm-connection-editor
- Text Based Editor: nmtui
- Directory for direct Text Editing: /etc/NetworkManager/system-connections
"Over Coming" NetworkManager (not disabling);
- Edit this file to PRIORITIZE the "old fashion" method over NetworkManager: /etc/NetworkManager/NetworkManager.conf, edit the plugins= line and put ifcfg-rh first
- Leave this in place for /etc/sysconfig/network-scripts/ifcfg-ethWhatEverNumber: NM_CONTROLLED="yes"
- yum install network-scripts --enableprepo=devel (this gets back stuff like "service network restart")
- ifup (just run the command and it will offer to install the necessary files)
Disabling NetworkManager
- From Here: https://www.thegeekdiary.com/centos-rhel-7-how-to-disable-networkmanager/amp/
- systemctl stop NetworkManager
- systemctl disable NetworkManager
- Any Network Interfaces in /etc/sysconfig/network-scripts, set this line as follows: NM_CONTROLLED="no"
- systemctl enable network (which results in this: /usr/lib/systemd/systemd-sysv-install enable network )
- service network restart OR systemctl restart network
Disabling IPv6: https://www.tecmint.com/disable-ipv6-rhel-rocky-almalinux/
Boot Time
systemd-analyze blame
Shorewall
If using ShoreWall, some changes have been made over the years. Watch out for these items: https://sourceforge.net/p/webadmin/discussion/600155/thread/67206ca38b/
ApacheGUI (doesn't seem to have been popular and hasn't been supported for a couple of years, but still useful for quick viewing of files)
Install it from here:
To have it start automatically, create a file named ApacheGUI.service in /etc/systemd/system
[Unit]
Description=ApacheGUI
[Service]
WorkingDirectory=/usr/share/ApacheGUI/bin
ExecStart=/usr/share/ApacheGUI/bin/run.sh
ExecStop=/usr/share/ApacheGUI/bin/stop.sh
[Install]
WantedBy=multi-user.target
...then: systemctl enable ApacheGUI.service
Other Notes
After GUI installation, get it to boot to command line: http://www.itzgeek.com/how-tos/linux/centos-how-tos/change-default-runlevel-in-centos-7-rhel-7.html#axzz3PuGwJi3X
o systemctl set-default multi-user.target
o Start Gnome Desktop; startx
o Exit Gnome desktop; Click the User Name, and select Logout
o ..as of 7.4 root login is allowed
o Get rid of screen blanking on command line; setterm -blank 0 -powersave off, permanently; add consoleblank=0 to the kernel parameters (edit grub configuration), in etc/default/grub
· Webmin; just goto their page for install
o Turn off the firewall; systemctl stop firewalld (and don’t forget to disable the Daemon on startup too)
o HTTP or HTTPS; Well in Firefox HTTP breaks firefox as of 9.2017, v55, so HTTPS, plus no goofy firefox warning about HTTP
· MySQL, now MariaDB (a fork) in CentOS7, installed by default, but not set up; instruction from here; https://www.linode.com/docs/databases/mariadb/how-to-install-mariadb-on-centos-7
o Systemctl enable mariadb (then it shows up in Webmin Services)
o Systemctl start mariadb
o Run the security script, it asks questions; mysql_secure_installation
o Login with mysql -u root -p
· Command that gets new services to show up in Webmin; systemctl daemon-reload
· EPEL and REMI; These are repositories that have newer versions of stuff.
o After installing their Yum REPO via RPM, they’re all disabled by default. Instead of enabling them permanently, use the following command, example is for installing newer versions of PHP
§ 72 is actually the latest versions
§ yum --enablerepo=remi,remi-php56,remi-php56-debuginfo install php (that’s two dashes incase MS word messes things up with a long dash)
· phpMyAdmin; make sure to install from the above repos, yum install phpmyadmin, then download the newest from the phpMyAdmin site and untar it into the appropriate directory, and for Apache;
o tar -xzvf phpMyAdmin_x.x.x-all-languages.tar.gz
o If yum was used, the directory it install in is at /usr/share/phpMyAdmin AND the usual config file mentioned in the phpMyAdmin documentation isn’t there, and by default the root / whatever the root password is works
o in the /etc/httpd/conf.d/phpmyadmin.conf file, add the following
§ everywhere there is a Require local, REM it out and put in Require all granted
· OpenVPN Note: All the CentOS6 Routers use “MD5” for certificate generation, which has been deprecated in CentOS7 for security reasons (from: https://coderwall.com/p/x22bbw/centos-7-and-legacy-openvpn
o Or change the line in the /etc/openvpn/openvpn-ssl.cnf file from MD5 to sha256
o Add Environment="OPENSSL_ENABLE_MD5_VERIFY=1 NSS_HASH_ALG_SUPPORT=+MD5" to [[1]]
o OLD; To Start in CentOS7; systemctl start [[2]]
· OpenVPN, new note, just generate all certificates using sha256 instead of md5. DD-WRT as it comes on the original Buffalo router is compatible. Make the configuration change in the OpenSSL ‘cnf’ file in the OpenVPN directory.
· OpenVPN; An oddity is that if OpenVPN starts from boot, the systemctl stop has no effect on it.
· …and if you want the GUI, type: startx (NOTE, this isn’t necessary with the below VNC setup)
· Linux Integration Tools for Hyper-V; Seems they’re already installed with CentOS7
· Systemctl start whatever, is equivalent to service whatever start
· And if you want to exit from the GUI to a command line, just log out by clicking on the User Name (root) and Logging out.
· Turn off the Firewall: systemctl stop firewalld (and don’t forget to disable the Daemon on startup too)
· VNC Installation, of course make sure the Desktop is installed (yum groupinstall “GNOME Desktop”), and install VNC Server, which is either yum install vncserver or yum install tigervnc-server, as it turns out CentOS uses Tiger VNC Server as the default.
- cp /lib/systemd/system/vncserver@.service [[3]] (this is the configuration file)
- there are two instances of the ‘variable’ <USER> that should be replaced with a real user name like root
- …and the path is wrong for the log file, so get rid of the beginning of the line /home so it starts out as /root/…
- Vncserver command configures everything for the currently logged on user, hopefully no errors
- Vncpasswd resets the currently logged on user’s password, append it with a specific user name to change their password, creates the .vnc directory in a user’s folder (/root/.vnc)
- systemctl daemon-reload (this, as I read, reloads the systemd service, which in turn reloads all of the listed items in the /etc/systemd/system folder, IE, VNC runs as sort of a sub-service)
- ln -s '/etc/systemd/system/vncserver@:0.service' '/etc/systemd/system/multi-user.target.wants/vncserver@:0.service'
- systemctl enable [[4]]
- Reboot the computer
- …and hopefully the service starts automatically, if not, type: systemctl start vncserver@:1.service
- Reference: https://www.digitalocean.com/community/tutorials/how-to-install-and-configure-vnc-remote-access-for-the-gnome-desktop-on-centos-7
Side note on systemd to remove a service that got listed accidentally, go to the /etc/systemd/system/multi-user.target.wants directory and eliminate what isn’t desired, then systemctl daemon-reload to clear it out.
Odd Note, on my CentOS7, the symbolic link in the /etc/systemd/system/multi-user.target.wants directory, it is redirected to [[5]], not the /etc/system/system directory, which might mean the vncserver command does that automatically. It works on port 5900 for me so I’m moving on, hopefully I can replicated this if necessary in the future.
· Progress Bar / Meter When Booting, of course it has changed from 6 to 7, first edit the /etc/default/grub file and eliminate the rhel and quiet items, then type: grub2-mkconfig –o /boot/grub2/grub.cfg, and of course the last line said I/O Error, so I deleted the original grub.cfg file in /boot/grub2 and reran the grub2-mkconfig command, same error, but it wrote the file and it worked on the next reboot. For editing at boot, press the E Key and ctrl-x to continue (this editor doesn’t work like the grub1 editior), but that only works fo • Command Prompt Show Path:
o UEFI; https://wiki.centos.org/HowTos/Grub2
· Command Prompt; nano /etc/bashrc look for the line that starts with [ $PS1, about 2/3 of the way down the first page, and change the last part of it, that starts with just PS1=, after the &&, and \W (a capital W) and some other stuff to just: PS1="[\w]\\$ "r one boot, IE the entire line should look as follows;
[ "$PS1" = "\\s-\\v\\\$ " ] && PS1="[\w]\\$ "
· PPTPD Poptop; yum install ppp pptp pptp-setup for client stuff, for pptpd (poptop), get RPM from: http://poptop.sourceforge.net/yum/stable/packages/, then rpm –Uhv WhatEverTheNameOfTheRPM
· OpenVPN; For CentOS 7, as of Feb 2015, everything is available from CentOS for OpenVPN in the latest version.
o Yum install epel-release
o Yum install easy-rsa
o Yum install openvpn (and other dependencies are automatically installed)
o MD5 is no longer supported, so certificates must use SHA1 or SHA256, in /etc/openvpn/openvpn-ssl.cnf, change the line default_md = (to either SHA1 or SHA256)
o Create Certificate Authority, Server, and Client(s) Certificates
· If a later version of OpenVPN is made, then download the ‘GZ’ file from OpenVPN, since all the dependencies are already installed, just create the RPM with: rpmbuild –tb WhatEverOpenVPNFileName, it builds the RPM and lists the directory where it is, then rpm –Uhv WhatEverRPMName
· Samba, in /etc/sysconfig/selinux, set SELINUX=DISABLED, otherwise certain directories labeled with a “5” (when listing with ls –la) will not be visible. The alternative is very, very troublesome if Selinux is left enabled (see https://solargap.wordpress.com/2008/10/17/samba-and-selinux-things-you-need-to-know/). Smbpasswd or smbpasswd -a WhatEverUserName to set password. Webmin to configure everything else. systemctl daemon-reload to make it show up in Webmin
· Shorewall; per their web site, as of version 4.4 and later, the perl shell, regular shell, and base package files have been combined.
Wget the ‘plain / shorewall’ (the biggest size) and core file, from http://www.invoca.ch/pub/packages/shorewall/RPMS/ils-5/noarch/, the init is for initializing interfaces that aren’t up at boot time, the lite package is the small Light version, the shorewall6 packages are for IPV6. Then just rpm –ihv them, core first.
Then of course enable it in the conf file. FIRST ADD additional network cards and copy Conf Files!
· PostFix; most of the stuff in the CentOS6 Folder applies, but SQL is now the preferred storage place for settings
· MySQL insert query;
INSERT INTO `domain` (`domain`) VALUES ('AJHL.NET'), ('BJLindholm.COM'), ('BJLindholm.NAME'), ('DDHarrimanLLC.COM'), ('DelosDavidHarriman.COM'), ('DelosDavidHarrimanLLC.COM'), ('FreelancerConsultant.COM'), ('FS-EMail.COM'), ('FSBusinessServices.COM'), ('FSCNS.COM'), ('FSFTP.COM'), ('FullSpectrum.LAN'), ('FullSpectrumCNS.COM'), ('FullSpectrumDNS.COM'), ('FullSpectrumEMail.COM'), ('FullSpectrumVOIP.COM'), ('OnSourcing.COM'), ('OnSourcing.NET'), ('TerraBase.INFO'), ('Terrawide.COM'), ('Terrawide.NET'), ('TheErotiX.COM'), ('TheErotiX.NET'), ('TheErotiX.ORG'), ('WineStraw.COM'), ('WineStraw.NET'), ('WineStraw.ORG');
# add to /etc/sysctl.conf
net.ipv4.ip_forward = 1
# echo into current config to run without restart
echo 1 > /proc/sys/net/ipv4/ip_forward
Freshclam is to involved, but just as a note the CentOS 7 install has most of it correct. Instead of running as a cron job, it is running as a Daemon.
MailScanner and Webmin plugin, it’s old, like 2005, but still works.
Instead of /etc/init.d the location for MailScanner’s Webmin module program location is /usr/sbin
MailWatch and MailScanner note; Version 5 for MailScanner changes some stuff including directory files, see the ReadMe in the installation source folder.
· Old Fashion Start / Stop Method
o Copy the contents of the WhatEver.service name; systemctl edit –full WhatEver.service
o Create a new ‘Service File’; nano /etc/systemd/system/WhatEver.service and copy the information in there.
o Here too; /usr/lib/systemd/system/clam-freshclam.service
o I made OpenVPN.service from [[6]] (the at symbol allows one to insert a ‘conf’ file, for example [[7]] will use the conf file in the /etc/openvpn directory.
o The side effect is service OpenVPN start / stop, etc works great to provid a familiar method of starting and restarting a service.
o In the end I changed it from OpenVPN to openvpn
o Don’t forget to disable the original service and enable the newly named one and permissions too, chmod 664 /WhatEver.service
o Left mailscanner.service in place instead of MailScanner like in previous builds.
Postfix / MailScanner / etc general thought; Get Postfix working properly and tested as a relay first. Learned this from the overly restrictive and parnoid CentOS 7 default postfix config file that doesn’t even fucking include documentation in the file itself, as in the past.
And to do the above, just comment out that
Location of CHROOT for Postfix Script; \usr\share\doc\postfix-2.10.1\examples
Clamd fucked out of the box… Configuration file from YUM is /etc/clamd.d/scan.conf, in the example file it is something else, and it is actually configured to use amavisd.conf. WTF?
Could not make MailScanner work with Socket, so had to use TCP port
AutoFS; Finally got it to work. The key was so stupid. Permissions on the AutoMount config file have to be 644, 777 doesn’t work as it is ‘too much’