
Install CentOS Linux 8 and similar

Everything here is not mandatory, but nice to have, at least for me 🙂

Partition layout

First, we start with partitioning. The most interesting question here is: “Do you run it on physical HW or on a VM?”. If you are running it on physical HW, then you cannot (in most cases) have a 1GB disk. If you have a VM, that is great! We can play a game! Have 2 disks at minimum. 1 disk goes ONLY for /boot! Yes! A 1GB-sized disk goes for /boot, as it needs to be on a partition! Everything else goes as an LVM disk, but the most important task here is not to create a partition, but to place LVM on the whole disk! In case you need to increase that disk for the OS, you will just need to extend the virtual disk on your hypervisor and run pvscan, vgscan, vgextend and other magic, easily, without any risk of destroying data by opening and editing the start and end segment of a partition 😉 Thank you Eimantas Z. for this tip! But it is a technical tip; as I mentioned previously, it is not mandatory, not a must-have… So our layout should look like this:

/boot # 1G # ext4
LVM # ALL the rest or new disk
 
LVM system VG, VG name:`hostname` (without domain):
root / # 3GB # XFS
home /home # 1G # XFS
tmp /tmp # 1GB (mount options noexec,nodev,nosuid) # ext4
varlog /var/log # 1G # XFS
 
"swap" # generally not needed unless you really need it, but then you know how much :D # 0.5*RAM if RAM > 4GB, or 1*RAM if RAM > 2GB; if a size is requested, use it as requested # maybe even on DISK3

# I would suggest separating your service onto a different DISK and LVM group, so you could move it somewhere else. Yes, it depends on the type of service, but if it is a webpage, or some specific APP, move it to a different LVM so you can detach it and move it to another VM or even physical HW.

LVM service VG, VG name $service-$(hostname) (without domain)
www /srv/www # if www service will be installed # 1GB # XFS if not specified
mysql /var/lib/mysql # if mysql service will be installed  # 1GB # ext4 if not specified
libvirt /var/lib/libvirt # if KVM service will be installed  # 10GB # XFS if not specified
 
app /app # if some other app should be installed # 1GB # XFS if not specified

So this setup is very very very simple and nothing special. If you are really very picky and a fun guy, you can go through [1] and divide everything, BUT if you are already separating into more partitions… I think you already went through the LFH 😉 Nice that you still read this…
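The layout above as a script, an added example that is not from the original post: it puts the PV on the whole second disk (no partition table), names the VG after the short hostname, creates the listed LVs with their filesystems and mount options, and shows the grow path via pvresize. /dev/sdb as the second disk and the +2G growth are constructed values; DRYRUN=1 (the default) only prints the commands.

```shell
#!/bin/sh
# Added example (not from the original post): provision the "system VG"
# layout with LVM placed on the WHOLE second disk (no partition table),
# plus the grow path that avoids editing partition boundaries.
# Assumptions: /dev/sdb is the second virtual disk (constructed value),
# the VG is named after the short hostname, sizes are the ones listed.
set -eu
DRYRUN="${DRYRUN:-1}"                  # 1 = print commands, 0 = execute them
run() { if [ "$DRYRUN" = 1 ]; then echo "$*"; else "$@"; fi; }

# lv-name  mountpoint  size  fstype  mount-options  (layout from the post)
LAYOUT='root / 3G xfs defaults
home /home 1G xfs defaults
tmp /tmp 1G ext4 defaults,noexec,nodev,nosuid
varlog /var/log 1G xfs defaults'

# PV on the bare disk, VG named after the host, then one LV + fs per line.
lvm_create() {                         # $1 = vg name, $2 = whole disk
  run pvcreate "$2"
  run vgcreate "$1" "$2"
  printf '%s\n' "$LAYOUT" | while read -r name mnt size fs opts; do
    run lvcreate -L "$size" -n "$name" "$1"
    run "mkfs.$fs" "/dev/$1/$name"
  done
}

# /etc/fstab lines; /tmp carries noexec,nodev,nosuid straight from LAYOUT.
fstab_lines() {                        # $1 = vg name
  printf '%s\n' "$LAYOUT" | while read -r name mnt size fs opts; do
    printf '/dev/%s/%s %s %s %s 0 0\n' "$1" "$name" "$mnt" "$fs" "$opts"
  done
}

# Growing later: enlarge the virtual disk on the hypervisor, tell the kernel
# to rescan the (SCSI) device, then pvresize the whole-disk PV. No partition
# start/end editing, so no risk of destroying data that way.
lvm_grow() {                           # $1 = disk, $2 = vg, $3 = lv, $4 = +size
  run sh -c "echo 1 > /sys/class/block/${1#/dev/}/device/rescan"
  run pvresize "$1"
  run lvextend -r -L "$4" "/dev/$2/$3"  # -r resizes the filesystem as well
}

VG=$(uname -n | cut -d. -f1)           # VG name = hostname without domain
lvm_create "$VG" /dev/sdb
fstab_lines "$VG"
lvm_grow /dev/sdb "$VG" root +2G
```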

Let’s disable|enable something

I think you noticed there is no installation tutorial… Well, if you are not capable of going through it on your own… em, maybe close this stuff, you will not understand it… Hmm, yes, there are many interesting options and questions regarding the selectable options, but the install process itself… sorry people…

NIC names

You know, my place is in the history museum… So I like those nice, not saying much, unpredictable network interface names 🙂 eth0, eth1, wlan0 and so on, I could go on forever 🙂 So let’s disable that predictable naming, your life should bring you surprises!

vi /etc/default/grub
# Add to: GRUB_CMDLINE_LINUX  
net.ifnames=0 biosdevname=0

And yes! I forgot! BE a wild person, let’s make some noise! Remove the quiet option too! You might learn something about your system that way! Don’t be afraid to learn… Let’s update grub now, so it takes effect, and you would not need to wait for a new kernel so the apt or dnf script would update it for you…

grub2-mkconfig -o /boot/grub2/grub.cfg

Disable some modules

And let’s disable some crap. Not sure if this still works in C8, but it should work on others 😉

# Modules disable
echo "install usb-storage /bin/false" > /etc/modprobe.d/usb-storage.conf
echo "install dccp /bin/false" > /etc/modprobe.d/dccp.conf
echo "install rds /bin/false" > /etc/modprobe.d/rds.conf
echo "install tipc /bin/false" > /etc/modprobe.d/tipc.conf
echo "install cramfs /bin/false" > /etc/modprobe.d/cramfs.conf
echo "install freevxfs /bin/false" > /etc/modprobe.d/freevxfs.conf
echo "install jffs2 /bin/false" > /etc/modprobe.d/jffs2.conf
echo "install hfs /bin/false" > /etc/modprobe.d/hfs.conf
echo "install hfsplus /bin/false" > /etc/modprobe.d/hfsplus.conf
echo "install squashfs /bin/false" > /etc/modprobe.d/squashfs.conf
echo "install udf /bin/false" > /etc/modprobe.d/udf.conf

Firewall

I am not sure if there is at least one more person who uses a firewall or SELinux on the system, but if you are there, you are not a trendy person, looks like you work too much… Do not surrender to those kids, use a firewall! And I believe you already know how to use firewalld 😉 Just a gentle reminder below on how to create a new service, add it to a zone and add the zone to an interface!!! Easy, yes?

# Firewall:
## Firewalld
### Create zone for monitoring
#### Let's double check, maybe it already exists?
firewall-cmd --permanent --get-zones
#### Create new if not
firewall-cmd --permanent --new-zone=monitoring
#### Who is using that zone? Not needed during creation obviously, but nice to know for later, yes?
firewall-cmd --permanent --list-all-zones
#### If needed, here is how to add a rich rule (accept everything from a subnet) to the monitoring zone
# firewall-cmd --permanent --zone=monitoring --add-rich-rule='rule family="ipv4" source address="10.255.250.0/24" accept'
#### Let's add some known services to zone monitoring, such as ssh, https, mysql, snmp...
firewall-cmd --permanent --zone=monitoring --add-service=ssh
#### Let's attach This new zone to our physical interface used for monitoring (if you use one interface, consider using monitoring and backups on other interfaces)
firewall-cmd --permanent --zone=monitoring --change-interface=eth1
firewall-cmd --zone=monitoring --change-interface=eth1
#### If some ports are not in a service list, you can add a new service; you would know these are your monitoring ports or backup solution, or just put ALL the ports you need into one service group so you know all of them are there!
vi /etc/firewalld/services/boo.xml
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>boo</short>
  <description>The only thing you really need to touch and squeeze</description>
  <port protocol="udp" port="6363"/>
  <port protocol="tcp" port="20-25"/>
  <port protocol="tcp" port="10078-10099"/>
  <port protocol="tcp" port="20100-20199"/>
</service>
#### Or single port in UDP...
vi  /etc/firewalld/services/snmp.xml
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>SNMP</short>
  <description>SNMP protocol</description>
  <port protocol="udp" port="161"/>
</service>
#### Reload firewalld to apply our changes
firewall-cmd --reload
#### poweron boo and snmp
firewall-cmd --permanent --zone=monitoring --add-service=boo
firewall-cmd --permanent --zone=monitoring --add-service=snmp
#### reload firewalld config again
firewall-cmd --reload
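The service-file and zone steps above as one script, an added example that is not from the original post: it builds a firewalld service XML like boo.xml from "proto:port" or "proto:start-end" arguments, refuses bad specs before anything is written, then binds the service to the monitoring zone on eth1 as in the recipe. The zone name, interface and the FIREWALLD_SERVICES_DIR override are assumptions; DRYRUN=1 (the default) only prints the firewall-cmd calls.

```shell
#!/bin/sh
# Added example (not from the original post): build a firewalld service file
# like boo.xml from "proto:port" / "proto:start-end" arguments, refusing bad
# specs before anything is written, then wire it into the monitoring zone.
# Assumes the zone "monitoring" and interface eth1 from the recipe above;
# FIREWALLD_SERVICES_DIR defaults to the real /etc/firewalld/services.
set -eu
DRYRUN="${DRYRUN:-1}"                  # 1 = print firewall-cmd calls, 0 = run them
run() { if [ "$DRYRUN" = 1 ]; then echo "$*"; else "$@"; fi; }

# Accept only tcp/udp with a port or range inside 1..65535 and start <= end.
valid_portspec() {                     # $1 = tcp:6363 or tcp:20-25
  case $1 in tcp:*|udp:*) ;; *) return 1 ;; esac
  p=${1#*:}; lo=${p%-*}; hi=${p#*-}
  for n in "$lo" "$hi"; do
    case $n in ''|*[!0-9]*) return 1 ;; esac
  done
  [ "$lo" -ge 1 ] && [ "$hi" -le 65535 ] && [ "$lo" -le "$hi" ]
}

# Print the service XML; fails before printing anything on a bad spec.
fw_service_xml() {                     # $1 = short name, $2 = description, $3.. = specs
  name=$1; desc=$2; shift 2
  for spec in "$@"; do
    valid_portspec "$spec" || { echo "bad port spec: $spec" >&2; return 1; }
  done
  printf '<?xml version="1.0" encoding="utf-8"?>\n<service>\n'
  printf '  <short>%s</short>\n  <description>%s</description>\n' "$name" "$desc"
  for spec in "$@"; do
    printf '  <port protocol="%s" port="%s"/>\n' "${spec%%:*}" "${spec#*:}"
  done
  printf '</service>\n'
}

# Write the file, then the zone/interface/service steps from the recipe.
# The first reload makes firewalld read the new service file; --new-zone
# fails if the zone already exists, exactly as in the recipe.
fw_service_install() {                 # same arguments as fw_service_xml
  svc=$1; dir="${FIREWALLD_SERVICES_DIR:-/etc/firewalld/services}"
  fw_service_xml "$@" > "$dir/$svc.xml" || { rm -f "$dir/$svc.xml"; return 1; }
  run firewall-cmd --permanent --new-zone=monitoring
  run firewall-cmd --permanent --zone=monitoring --change-interface=eth1
  run firewall-cmd --reload
  run firewall-cmd --permanent --zone=monitoring --add-service="$svc"
  run firewall-cmd --reload
}

fw_service_xml boo "Monitoring and backup ports" udp:6363 tcp:20-25 tcp:10078-10099
```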

As I said, no real DevOps or DevSecOps needs a firewall, just disable it! It’s easy: systemctl disable firewalld ! But if you think that you need it, and have some brain, you will get your own recipe from the above. Ok, we have not even reached half, MOVE ON!

Password settings

Who needs that password?! But maybe take a look at these options. Might be useful.

# PAM.d
/etc/pam.d/system-auth
session required pam_lastlog.so showfailed
# pam_pwquality.so # add retry=3
password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
#password sufficient pam_unix.so # Let's add remember=14
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok existing_options remember=14
# REMOVE ALL nullok:
sed -i 's/\<nullok\>//g' /etc/pam.d/system-auth

# And Login defs also: 
cat /etc/login.defs
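The PAM edits above as an audit plus an idempotent fix, an added example that is not from the original post: pam_audit reports which of the settings (no nullok, retry=3 on pam_pwquality, remember=14 on pam_unix, pam_lastlog showfailed) are missing from a system-auth style file, and pam_harden applies them so that running it twice changes nothing. The sample file at the end is constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original post): audit a system-auth style
# file for the settings above and apply them idempotently.
set -eu

# One FAIL line per missing item; returns 1 if anything is missing.
pam_audit() {                          # $1 = pam file
  f=$1; rc=0
  if grep -v '^#' "$f" | grep -qw nullok; then
    echo "FAIL: nullok still present in $f"; rc=1
  fi
  grep -q '^session.*pam_lastlog\.so.*showfailed' "$f" \
    || { echo "FAIL: pam_lastlog showfailed missing"; rc=1; }
  grep '^password.*pam_pwquality\.so' "$f" | grep -qw 'retry=3' \
    || { echo "FAIL: pam_pwquality retry=3 missing"; rc=1; }
  grep '^password.*pam_unix\.so' "$f" | grep -qw 'remember=14' \
    || { echo "FAIL: pam_unix remember=14 missing"; rc=1; }
  [ "$rc" = 0 ] && echo "OK: $f"
  return "$rc"
}

# The recipe above, safe to run twice: strip nullok everywhere, add
# retry=3 / remember=14 only if the module line does not have them yet,
# append the pam_lastlog line only if no such line exists.
pam_harden() {                         # $1 = pam file
  sed -i -e 's/[[:space:]]nullok[[:space:]]/ /g' -e 's/[[:space:]]nullok$//' "$1"
  grep '^password.*pam_pwquality\.so' "$1" | grep -qw 'retry=3' \
    || sed -i '/^password.*pam_pwquality\.so/ s/$/ retry=3/' "$1"
  grep '^password.*pam_unix\.so' "$1" | grep -qw 'remember=14' \
    || sed -i '/^password.*pam_unix\.so/ s/$/ remember=14/' "$1"
  grep -q '^session.*pam_lastlog\.so' "$1" \
    || echo 'session     required      pam_lastlog.so showfailed' >> "$1"
}

# Constructed sample: a system-auth BEFORE the edits (nullok, no retry/remember).
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
# constructed sample for the demo, not a real system-auth
auth        required      pam_env.so
password    requisite     pam_pwquality.so try_first_pass local_users_only authtok_type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
session     required      pam_unix.so
EOF
pam_audit "$SAMPLE" || true            # reports the missing items
pam_harden "$SAMPLE"
pam_audit "$SAMPLE"                    # now prints OK
```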

CTRL + ALT + DEL

What do you want to do with that? Do you like the idea that someone would like to have some fun and just press CTRL + ALT + DEL while your keyboard is locked and you just went for lunch or a good nap?

# If your system is with SystemD:
systemctl mask ctrl-alt-del.target
# If your system is with inittab
# in /etc/inittab Comment out: ctrl-alt-del

IPv6

I am very disappointed to write this, but MOST of us do not use IPv6, not because you do not want to, but because the ISP does not provide it… So disable IPv6 until you start using it! P.S. here we need to understand that it will still be there while any app is listening on ALL addresses! We will need to change opensshd, the MTA and others so they listen only on IPv4!!!

echo "net.ipv6.conf.all.disable_ipv6=1" >> /etc/sysctl.d/99-sysctl.conf
echo "net.ipv6.conf.default.disable_ipv6=1" >> /etc/sysctl.d/99-sysctl.conf
echo "NOZEROCONF=yes" >> /etc/sysconfig/network
 
echo "NETWORKING_IPV6=no" >> /etc/sysconfig/network
echo "IPV6INIT=no" >> /etc/sysconfig/network

And a small addition to SSH: I like to disable DNS lookups in SSH, just to speed everything up… I do not trust DNS 100%…

vi /etc/ssh/sshd_config
# check these options
AddressFamily inet
# I have my own reason for this ;)
PermitRootLogin yes
UseDNS no
AllowUsers root@10.10.10.0/27 USERNAME


/etc/sysconfig/sshd (RHEL-based) or /etc/default/ssh (Debian-based)
OPTIONS="-u0"

Network settings

Again, I believe you all know, but this is just a template I used on C7, same works on C8 and C6 and MOST which are RHEL based…

vi /etc/sysconfig/network
NETWORKING=yes
NETWORKING_IPV6=no
IPV6INIT=no
NOZEROCONF=yes
GATEWAY=IP
HOSTNAME=hostname.domain.ltd
DNS1=IP
DNS2=IP

vi /etc/hosts
server_IP1 hostname.domain.ltd hostname
server_IP3 hostname2/servicename.domain.NAME hostname2/servicename

vi /etc/sysconfig/network-scripts/ifcfg-eth0
NAME="eth0"
HWADDR="ZZ:YY:XX:WW:VV:UU"
ONBOOT=yes
NETBOOT=yes
#UUID="..."
BOOTPROTO=none
IPADDR=IP
# NETMASK="255.255.255.240" 
# OR
PREFIX=27
GATEWAY=GWIP
TYPE=Ethernet
DNS1=1.1.1.1
DNS2=254.254.254.254

What I want to mention here: how your `hostname -f` and `hostname` will be shown is decided by the FIRST entry after your IP in the /etc/hosts file… so have the FQDN first 😉 I recommend 😉

Bash

Nothing special here, I still did not add snoopy here, but you should and share with me how you tune it!

touch /etc/profile.d/os-tune.sh
chmod +x /etc/profile.d/os-tune.sh
vi /etc/profile.d/os-tune.sh
#!/usr/bin/bash
readonly HISTFILE
export HISTTIMEFORMAT="%F %T# "
export HISTSIZE=99999
shopt -s histappend histverify
PROMPT_COMMAND='history -a'
HISTCONTROL=ignoredups

Some minor things

The ones below might throw some errors, as they might already be disabled or might not exist…

touch /etc/cron.allow
chmod 600 /etc/cron.allow
touch /etc/at.allow
chmod 600 /etc/at.allow
dnf install sysstat
systemctl enable irqbalance
systemctl enable psacct
systemctl disable smartd
systemctl enable sysstat
systemctl enable crond
systemctl disable nfslock
systemctl disable rpcgssd
systemctl disable rpcsvcgssd
systemctl disable rpcidmapd
systemctl disable netfs
systemctl disable nfs
systemctl disable cups
systemctl disable dhcpd

visudo
# Find the line starting with %wheel and comment it out.
# Uncomment the line starting with %wheel that has NOPASSWD:


vi /etc/yum.conf
# Just below "distroverpkg" add new lines with:
proxy=http://www-proxy.if.needed.xxx:6098080609/
# how many old kernels do you want to keep?!
installonly_limit=2

External links

  1. https://tldp.org/LDP/Linux-Filesystem-Hierarchy/html/index.html

By Ruslanas Gžibovskis
