Nothing here is mandatory, but it is nice to have, at least for me 🙂
First, we start with partitioning. The most interesting question here is: “Do you run it on physical HW or on a VM?”. If you are running it on physical HW, then you cannot (in most cases) have a 1GB disk. If you have a VM, that is great! We can play a game! Have 2 disks at minimum. 1 disk goes for ONLY /boot! Yes! A 1GB sized disk goes for /boot, as it needs to be on a partition! Everything else goes as an LVM disk, but the most important task here is not to create a partition, but to place LVM on the whole disk! In case you need to increase that disk for the OS, you will just need to extend the virtual disk on your hypervisor and run pvscan, vgscan, vgextend and other magic, easily, without any risk of destroying data by opening and editing the start and end sectors of a partition 😉 Thank you Eimantas Z. for this tip! But it is a technical tip; as I mentioned previously, it is not mandatory, not a must-have… So our layout should look like this:
/boot    # 1G  # ext4
LVM      # ALL the rest, or a new disk

LVM system VG, VG name: `hostname` (without domain):
root     /          # 3GB  # XFS
home     /home      # 1G   # XFS
tmp      /tmp       # 1GB (mount options noexec,nodev,nosuid)  # ext4
varlog   /var/log   # 1G   # XFS
"swap"   # generally do not need unless you really need it, but then you know how much :D
         # RAM * (0.5*RAM if RAM >4GB ||OR|| 1*RAM if RAM >2GB; if requested, use as requested)

# maybe even DISK3
# I would suggest separating your service into a different DISK and LVM group, so you could move it somewhere else.
# Yes, it depends on the type of service, but if it is a webpage or some specific APP, move it to a different LVM,
# so you can detach it and move it to another VM or even physical HW.
LVM service VG, VG name $service-$(hostname) (without domain):
www      /srv/www          # if www service will be installed       # 1GB   # XFS if not specified
mysql    /var/lib/mysql    # if mysql service will be installed     # 1GB   # ext4 if not specified
libvirt  /var/lib/libvirt  # if KVM service will be installed       # 10GB  # XFS if not specified
app      /app              # if some other app should be installed  # 1GB   # XFS if not specified
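The system-VG part of the layout above, turned into the lvcreate, mkfs and fstab lines it implies. This is an added example, not code from the original post: it is a dry run that only prints commands, the VG name is passed in (the post uses the hostname), and the names, sizes, filesystems and the noexec,nodev,nosuid options on /tmp are the post's own.

```shell
#!/bin/sh
# Added example, not code from the original post: turn the layout above into the
# lvcreate / mkfs / fstab lines it implies, as a dry run that touches no disk.
# Assumptions: the VG name is passed in (the post uses the hostname); names,
# sizes and filesystems are the post's own; /tmp carries the post's
# noexec,nodev,nosuid mount options.

# Constructed layout table, one entry per line: lv mountpoint size fstype options
LAYOUT='root / 3G xfs defaults
home /home 1G xfs defaults
tmp /tmp 1G ext4 noexec,nodev,nosuid
varlog /var/log 1G xfs defaults'

# Print the lvcreate and mkfs commands for the system VG (printed, not executed).
plan_lvm() {
    vg="$1"
    printf '%s\n' "$LAYOUT" | while read -r lv mnt size fs opts; do
        printf 'lvcreate -L %s -n %s %s\n' "$size" "$lv" "$vg"
        printf 'mkfs.%s /dev/%s/%s\n' "$fs" "$vg" "$lv"
    done
}

# Print the matching /etc/fstab entries: the root filesystem is checked first
# (pass 1), everything else in pass 2, and the mount options are carried through.
plan_fstab() {
    vg="$1"
    printf '%s\n' "$LAYOUT" | while read -r lv mnt size fs opts; do
        if [ "$mnt" = / ]; then passno=1; else passno=2; fi
        printf '/dev/%s/%s %s %s %s 0 %s\n' "$vg" "$lv" "$mnt" "$fs" "$opts" "$passno"
    done
}

# Check that the planned /tmp entry really carries all three restrictive options.
tmp_is_hardened() {
    plan_fstab "$1" | grep -q '^/dev/[^ ]* /tmp ext4 noexec,nodev,nosuid 0 2$'
}

# Stand-alone usage: show the plan for a VG named after a placeholder host.
plan_lvm srv01
plan_fstab srv01
```

The point of keeping /tmp on its own LV is the mount options: noexec,nodev,nosuid on a world-writable directory is what stops a dropped file there from being executed or used as a device or setuid binary, so the check function is the line worth keeping in an audit script.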
So this setup is very, very, very simple and nothing special. If you are really very picky and a fun guy, you can go through and divide everything, BUT if you are already separating into more partitions… I think you already went through LFH 😉 Nice that you still read this…
Let’s disable|enable something
I think you noticed there is no installation tutorial… Well, if you are not capable of going through it on your own… em, maybe close this stuff, you will not understand it… Hmm, yes, there are many interesting options and questions regarding the selectable options, but the install process itself… sorry people…
You know, my place is in the history museum… So I like those nice, not-saying-much, unpredictable network interface names 🙂 eth0, eth1, wlan0 and so on, I could go on forever 🙂 So let's disable that predictable naming, your life should bring you surprises!
vi /etc/default/grub
# Add to GRUB_CMDLINE_LINUX: net.ifnames=0 biosdevname=0
And yes! I forgot! Be a wild person, let's make some noise! Remove the quiet option too! You might learn something about your system that way! Don't be afraid to learn… Let's update grub now, so it takes effect and you do not need to wait for a new kernel so that the apt or dnf script updates it for you…
grub2-mkconfig -o /boot/grub2/grub.cfg
Disable some modules
And let's disable some crap; not sure if this still works on C8, but it should work on the others 😉
# Modules disable
echo "install usb-storage /bin/false" > /etc/modprobe.d/usb-storage.conf
echo "install dccp /bin/false" > /etc/modprobe.d/dccp.conf
echo "install rds /bin/false" > /etc/modprobe.d/rds.conf
echo "install tipc /bin/false" > /etc/modprobe.d/tipc.conf
echo "install cramfs /bin/false" > /etc/modprobe.d/cramfs.conf
echo "install freevxfs /bin/false" > /etc/modprobe.d/freevxfs.conf
echo "install jffs2 /bin/false" > /etc/modprobe.d/jffs2.conf
echo "install hfs /bin/false" > /etc/modprobe.d/hfs.conf
echo "install hfsplus /bin/false" > /etc/modprobe.d/hfsplus.conf
echo "install squashfs /bin/false" > /etc/modprobe.d/squashfs.conf
echo "install udf /bin/false" > /etc/modprobe.d/udf.conf
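The same module list as a loop with a check function, so you can verify on a running box that every module really has its install-to-/bin/false stanza. This is an added example, not the post's own code; the target directory is a parameter (the real one is /etc/modprobe.d) so the logic can be exercised against a scratch directory.

```shell
#!/bin/sh
# Added example, not the post's own code: write the modprobe.d "install MODULE
# /bin/false" stanzas for the list above and verify they are in place.
# Assumption: the directory is passed in so this can be run against a scratch
# directory instead of the live /etc/modprobe.d.

DISABLED_MODULES='usb-storage dccp rds tipc cramfs freevxfs jffs2 hfs hfsplus squashfs udf'

# Write one .conf per module (the same files the post creates); re-running
# simply rewrites the same content, so it is safe in a config-management loop.
disable_modules() {
    dir="$1"
    mkdir -p "$dir"
    for mod in $DISABLED_MODULES; do
        printf 'install %s /bin/false\n' "$mod" > "$dir/$mod.conf"
    done
}

# Print every module from the list that has NO matching install line in any
# .conf under the directory; return 0 only when the list is fully covered.
check_modules() {
    dir="$1"
    missing=0
    for mod in $DISABLED_MODULES; do
        # The trailing space keeps "hfs" from being satisfied by "hfsplus".
        if ! grep -qs "^install $mod /bin/false" "$dir"/*.conf; then
            echo "$mod"
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

# Stand-alone usage against a scratch directory (constructed, not /etc).
SCRATCH=$(mktemp -d)
disable_modules "$SCRATCH"
check_modules "$SCRATCH" && echo "all modules disabled in $SCRATCH"
rm -rf "$SCRATCH"
```

Note that an install stanza only blocks future loads; a module that is already loaded stays loaded until it is removed with `modprobe -r` or the box is rebooted, so the check is for the configuration, not the running kernel.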
I am not sure if there is at least one more person who uses a firewall or SELinux on the system, but if you are there, you are not a trendy person, looks like you work too much… Do not surrender to those kids, use a firewall! And I believe you already know how to use firewalld 😉 Just a gentle reminder below on how to create a new service, add it to a zone and add the zone to an interface!!! Easy, yes?
# Firewall:
## Firewalld
### Create zone for monitoring
#### Let's double check, maybe it already exists?
firewall-cmd --permanent --get-zones
#### Create new if not
firewall-cmd --permanent --new-zone=monitoring
#### Who is using that zone? Not needed during creation, but nice to know for later, yes?
firewall-cmd --permanent --list-all-zones
#### If needed, here is how to add a rich rule to the monitoring zone
# firewall-cmd --permanent --zone=monitoring --add-rich-rule='rule family="ipv4" source address="10.255.250.0/24" accept'
#### Let's add some known services to zone monitoring, such as ssh, https, mysql, snmp...
firewall-cmd --permanent --zone=monitoring --add-service=ssh
#### Let's attach this new zone to our physical interface used for monitoring
#### (if you use one interface, consider putting monitoring and backups on other interfaces)
firewall-cmd --permanent --zone=monitoring --change-interface=eth1
firewall-cmd --zone=monitoring --change-interface=eth1
#### If some ports are not in the service list, you can add a new service. You would know it is your monitoring ports
#### or backup solution, or just put ALL the ports you need into one service group so you know that all of them are there!
vi /etc/firewalld/services/boo.xml
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>boo</short>
  <description>The only thing you really need to touch and squeeze</description>
  <port protocol="udp" port="6363"/>
  <port protocol="tcp" port="20-25"/>
  <port protocol="tcp" port="10078-10099"/>
  <port protocol="tcp" port="20100-20199"/>
</service>
#### Or a single port in UDP...
vi /etc/firewalld/services/snmp.xml
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>SNMP</short>
  <description>SNMP protocol</description>
  <port protocol="udp" port="161"/>
</service>
#### Reload firewalld so it picks up the new service files
firewall-cmd --reload
#### Power on boo and snmp
firewall-cmd --permanent --zone=monitoring --add-service=boo
firewall-cmd --permanent --zone=monitoring --add-service=snmp
#### Reload firewalld config again
firewall-cmd --reload
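A small generator for service files like boo.xml and snmp.xml above, so the XML is produced from a list of proto:port entries instead of being typed by hand (a typo in a hand-written port range silently opens the wrong ports). This is an added example, not the post's code; the output directory is a parameter (the real one is /etc/firewalld/services) and the service names are the post's own.

```shell
#!/bin/sh
# Added example, not the post's own code: build a firewalld service definition
# from a name, a description and proto:port entries, validating each entry
# before it reaches the XML. Assumption: the directory is passed in so the
# file can be written somewhere other than the live /etc/firewalld/services.

# Print the service XML to stdout. Usage: fw_service_xml NAME "DESCRIPTION" proto:port...
# A port may be a single number (161) or a range (20-25), as firewalld accepts.
fw_service_xml() {
    name="$1"; desc="$2"; shift 2
    printf '<?xml version="1.0" encoding="utf-8"?>\n<service>\n'
    printf '  <short>%s</short>\n  <description>%s</description>\n' "$name" "$desc"
    for entry in "$@"; do
        proto=${entry%%:*}
        port=${entry#*:}
        case "$proto" in
            tcp|udp|sctp|dccp) ;;
            *) echo "bad protocol in '$entry'" >&2; return 1 ;;
        esac
        case "$port" in
            ''|*[!0-9-]*) echo "bad port in '$entry'" >&2; return 1 ;;
        esac
        printf '  <port protocol="%s" port="%s"/>\n' "$proto" "$port"
    done
    printf '</service>\n'
}

# Write NAME.xml into DIR. Usage: fw_service_write DIR NAME "DESCRIPTION" proto:port...
fw_service_write() {
    dir="$1"; shift
    mkdir -p "$dir"
    fw_service_xml "$@" > "$dir/$1.xml"
}

# Stand-alone usage: the two services from the post, written to a scratch directory.
SCRATCH=$(mktemp -d)
fw_service_write "$SCRATCH" boo "The only thing you really need to touch and squeeze" \
    udp:6363 tcp:20-25 tcp:10078-10099 tcp:20100-20199
fw_service_write "$SCRATCH" snmp "SNMP protocol" udp:161
cat "$SCRATCH/snmp.xml"
rm -rf "$SCRATCH"
```

After writing a file into /etc/firewalld/services you still need the `firewall-cmd --reload` before `--add-service` will accept the new name, exactly in the order the post shows.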
As I said, no real DevOps or DevSecOps needs a firewall, just disable it! It's easy: systemctl disable firewalld ! But if you think that you need it, and have some brain, you will get your own recipe from the above. OK, we have not even reached the half, MOVE ON!
Who needs that password?! But maybe take a look at these options. Might be useful.
# PAM.d
/etc/pam.d/system-auth
session     required      pam_lastlog.so showfailed
# pam_pwquality.so: add retry=3
password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
# password    sufficient    pam_unix.so   -> let's add remember=14
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok existing_options remember=14
# REMOVE ALL nullok:
sed -i 's/\<nullok\>//g' /etc/pam.d/system-auth
# And login defs also:
cat /etc/login.defs
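An audit function for the three things the snippet above changes (nullok on pam_unix, retry= on pam_pwquality, remember= on pam_unix), plus the post's nullok removal applied to a given file. This is an added example, not the post's code; the sample system-auth content is constructed to resemble a stock CentOS 7 file before hardening, and the file path is a parameter so it can run on a copy.

```shell
#!/bin/sh
# Added example, not the post's own code: audit a system-auth style file for
# nullok, retry= and remember=, and strip nullok the way the post does.
# Assumption: the file path is passed in, so this runs on a copy or a sample.

# Constructed sample resembling a stock CentOS 7 system-auth before hardening.
SAMPLE_BEFORE='auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
# password    sufficient    pam_unix.so nullok   (commented out: harmless)
password    requisite     pam_pwquality.so try_first_pass local_users_only authtok_type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok'

# Print one finding per line; return 0 only when the file is clean.
pam_audit() {
    f="$1"
    rc=0
    # Only active (non-comment) lines count; a commented-out nullok does nothing.
    active=$(grep -v '^[[:space:]]*#' "$f")
    if printf '%s\n' "$active" | grep -Eq 'pam_unix\.so.*[[:space:]]nullok([[:space:]]|$)'; then
        echo "nullok present: accounts with an empty password can log in"; rc=1
    fi
    if ! printf '%s\n' "$active" | grep -Eq 'pam_pwquality\.so.*retry=[0-9]+'; then
        echo "pam_pwquality without retry=: password-change attempts are unlimited"; rc=1
    fi
    if ! printf '%s\n' "$active" | grep -Eq '^password.*pam_unix\.so.*remember=[0-9]+'; then
        echo "pam_unix without remember=: old passwords can be reused"; rc=1
    fi
    return $rc
}

# Remove every nullok token from FILE, keeping the rest of each line intact.
pam_strip_nullok() {
    sed -E -i 's/[[:space:]]+nullok([[:space:]]|$)/\1/g' "$1"
}

# Stand-alone usage on the constructed sample (never on the live file).
SAMPLE=$(mktemp)
printf '%s\n' "$SAMPLE_BEFORE" > "$SAMPLE"
pam_audit "$SAMPLE" || echo "-- findings above --"
pam_strip_nullok "$SAMPLE"
pam_audit "$SAMPLE" || echo "-- still open after nullok removal --"
rm -f "$SAMPLE"
```

Stripping nullok removes one finding; retry= and remember= still have to be added by hand as the snippet shows, which is why the audit keeps reporting them.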
CTRL + ALT + DEL
What do you want to do with that? Do you like the idea that someone would like to have fun and just press CTRL + ALT + DEL while your keyboard is locked and you just went for lunch or a good nap?
# If your system is with systemd:
systemctl mask ctrl-alt-del.target
# If your system is with inittab, in /etc/inittab comment out the ctrlaltdel line:
# ca::ctrlaltdel:...
I am very disappointed to write this, but MOST of us do not use IPv6, not because you do not want to, but because the ISP does not provide it… So disable IPv6 until you start using it! P.S. here we need to understand that it will still be there while any app is listening on ALL addresses! We will need to change opensshd, the MTA and the others so they listen only on IPv4!!!
echo "net.ipv6.conf.all.disable_ipv6=1" >> /etc/sysctl.d/99-sysctl.conf
echo "net.ipv6.conf.default.disable_ipv6=1" >> /etc/sysctl.d/99-sysctl.conf
echo "NOZEROCONF=yes" >> /etc/sysconfig/network
echo "NETWORKING_IPV6=no" >> /etc/sysconfig/network
echo "IPV6INIT=no" >> /etc/sysconfig/network
And a small addition to SSH: I like to disable DNS resolution in SSH, just to speed everything up… I do not trust DNS 100%…
vi /etc/ssh/sshd_config
# check these options
AddressFamily inet
PermitRootLogin yes   # I have my own reason for this ;)
UseDNS no
AllowUsers USER@IP/27 USERNAME

# /etc/sysconfig/sshd (RHEL) or /etc/default/ssh (Debian)
OPTIONS="-u0"
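The IPv6 sysctl lines and the sshd_config options above are both "set key to value in a file" edits, and the `echo >>` form appends a duplicate every time the script is re-run. The helper below, an added example that is not the post's code, replaces an existing line (active or commented out) instead of appending, and works for both formats: separator "=" for sysctl files and " " for sshd_config. The file paths are parameters so it can be tried on temporary copies; the values are the post's own.

```shell
#!/bin/sh
# Added example, not the post's own code: idempotent key=value / "key value"
# setter for sysctl-style and sshd_config-style files, plus a reader.
# Assumptions: FILE is a parameter; SEP is "=" for sysctl files, " " for
# sshd_config; VALUE must not contain the characters | or & (sed specials).

# set_kv FILE SEP KEY VALUE: rewrite the matching line if present (even if it is
# commented out), otherwise append. Re-running never produces a second line.
set_kv() {
    file="$1"; sep="$2"; key="$3"; val="$4"
    ekey=$(printf '%s' "$key" | sed 's/\./\\./g')   # escape dots for the regex
    [ -f "$file" ] || : > "$file"
    if grep -Eq "^[[:space:]]*#?[[:space:]]*${ekey}[[:space:]]*${sep}" "$file"; then
        sed -E -i "s|^[[:space:]]*#?[[:space:]]*${ekey}[[:space:]]*${sep}.*|${key}${sep}${val}|" "$file"
    else
        printf '%s%s%s\n' "$key" "$sep" "$val" >> "$file"
    fi
}

# get_kv FILE SEP KEY: print the value of the first active line for KEY, or nothing.
# (sshd takes the first occurrence of an option; that is the one that matters.)
get_kv() {
    file="$1"; sep="$2"; key="$3"
    ekey=$(printf '%s' "$key" | sed 's/\./\\./g')
    grep -E "^[[:space:]]*${ekey}[[:space:]]*${sep}" "$file" | head -n 1 \
        | sed -E "s/^[[:space:]]*${ekey}[[:space:]]*${sep}[[:space:]]*//"
}

# Stand-alone usage on temporary copies (constructed, not the live files).
SYSCTL=$(mktemp); SSHD=$(mktemp)
set_kv "$SYSCTL" = net.ipv6.conf.all.disable_ipv6 1
set_kv "$SYSCTL" = net.ipv6.conf.default.disable_ipv6 1
printf '# UseDNS yes\n#AddressFamily any\nPermitRootLogin yes\n' > "$SSHD"
set_kv "$SSHD" ' ' AddressFamily inet
set_kv "$SSHD" ' ' UseDNS no
echo "UseDNS is now: $(get_kv "$SSHD" ' ' UseDNS)"
cat "$SYSCTL" "$SSHD"
rm -f "$SYSCTL" "$SSHD"
```

One caveat for sshd_config: the setter rewrites every line that matches the key, including one inside a `Match` block, so keep options you set this way in the global section.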
Again, I believe you all know this, but this is just the template I used on C7; the same works on C8 and C6 and MOST distributions that are RHEL based…
vi /etc/sysconfig/network
NETWORKING=yes
NETWORKING_IPV6=no
IPV6INIT=no
NOZEROCONF=yes
GATEWAY=IP
HOSTNAME=hostname.domain.ltd
DNS1=IP
DNS2=IP

vi /etc/hosts
server_IP1 hostname.domain.ltd hostname
server_IP3 hostname2/servicename.domain.NAME hostname2/servicename

vi /etc/sysconfig/network-scripts/ifcfg-eth0
NAME="eth0"
HWADDR="ZZ:YY:XX:WW:VV:UU"
ONBOOT=yes
NETBOOT=yes
#UUID="..."
BOOTPROTO=none
IPADDR=IP
# NETMASK="255.255.255.240"
# OR
PREFIX=27
GATEWAY=GWIP
TYPE=Ethernet
DNS1=IP
DNS2=254.254.254.254
What I want to mention here: what hostname -f and hostname show is decided by the FIRST entry in /etc/hosts after your IP… so have the FQDN first 😉 I recommend it 😉
Nothing special here. I still did not add snoopy here, but you should, and share with me how you tune it!
touch /etc/profile.d/os-tune.sh
chmod +x /etc/profile.d/os-tune.sh
vi /etc/profile.d/os-tune.sh
#!/usr/bin/bash
readonly HISTFILE
export HISTTIMEFORMAT="%F %T# "
export HISTSIZE=99999
shopt -s histappend histverify
PROMPT_COMMAND='history -a'
HISTCONTROL=ignoredups
Some minor things
The ones below might throw you some errors, as the services might already be disabled or might not exist…
touch /etc/cron.allow
chmod 600 /etc/cron.allow
touch /etc/at.allow
chmod 600 /etc/at.allow
dnf install sysstat
systemctl enable irqbalance
systemctl enable psacct
systemctl disable smartd
systemctl enable sysstat
systemctl enable crond
systemctl disable nfslock
systemctl disable rpcgssd
systemctl disable rpcsvcgssd
systemctl disable rpcidmapd
systemctl disable netfs
systemctl disable nfs
systemctl disable cups
systemctl disable dhcpd
visudo
# Find the line starting with %wheel and comment it out.
# Uncomment the line starting with %wheel and containing NOPASSWD:
vi /etc/yum.conf
# Just below "distroverpkg" add new lines with:
proxy=http://www-proxy.if.needed.xxx:6098080609/
installonly_limit=2   # how many old kernels do you want to keep?!
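The enable/disable list above as a loop that skips units that are not installed, so one "Unit not found" error does not stop a provisioning script half way. This is an added example, not the post's code; it assumes the installed-unit list is supplied (on a live box from `systemctl list-unit-files --type=service --no-legend`) and that the systemctl command can be overridden, so the logic can be checked without systemd.

```shell
#!/bin/sh
# Added example, not the post's own code: apply the enable/disable plan above,
# skipping units that are not installed instead of erroring on them.
# Assumptions: INSTALLED is the text of `systemctl list-unit-files
# --type=service --no-legend` (passed in, so it can be a constructed sample);
# SYSTEMCTL may be overridden with a stand-in command for dry runs.

SYSTEMCTL="${SYSTEMCTL:-systemctl}"

# The post's list, one "action unit" per line.
SERVICE_PLAN='enable irqbalance
enable psacct
disable smartd
enable sysstat
enable crond
disable nfslock
disable rpcgssd
disable rpcsvcgssd
disable rpcidmapd
disable netfs
disable nfs
disable cups
disable dhcpd'

# unit_installed UNIT INSTALLED_LIST: 0 if "UNIT.service" is a known unit file.
# The trailing whitespace class stops "nfs" from matching "nfslock.service".
unit_installed() {
    printf '%s\n' "$2" | grep -Eq "^$1\.service[[:space:]]"
}

# apply_plan INSTALLED_LIST: run "$SYSTEMCTL ACTION UNIT" for installed units and
# print "skip UNIT (no such unit)" for the rest, so the output is a full record.
apply_plan() {
    installed="$1"
    printf '%s\n' "$SERVICE_PLAN" | while read -r action unit; do
        if unit_installed "$unit" "$installed"; then
            "$SYSTEMCTL" "$action" "$unit"
        else
            echo "skip $unit (no such unit)"
        fi
    done
}

# Stand-alone dry run with a constructed unit list and an echoing stand-in.
dry_run_systemctl() { echo "would run: systemctl $1 $2"; }
SYSTEMCTL=dry_run_systemctl
apply_plan 'irqbalance.service disabled
crond.service enabled
cups.service enabled'
```

On a real host drop the last three lines, and call `apply_plan "$(systemctl list-unit-files --type=service --no-legend)"`; the skip lines then tell you which services the image never had, which is useful evidence when a hardening checklist asks for them to be disabled.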