This shows you the differences between two versions of the page.
tech:linux:centos:optum [2018/06/02 14:49] admin |
tech:linux:centos:optum [2021/03/28 09:47] (current) rk4n3 |
Line 15: | Line 15: | ||
* Update system with ''yum update'' | * Update system with ''yum update'' | ||
* Lay out storage per conventions | * Lay out storage per conventions | ||
- | * Install/enable EPEL | + | * Install/enable EPEL: ''dnf install -y https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm'' |
* Install ''newterm'' | * Install ''newterm'' | ||
* Create users | * Create users | ||
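Review bot: the new EPEL step installs the release RPM straight from a URL, and dnf treats a URL package as a local package, so its GPG signature is not checked unless `localpkg_gpgcheck=1` is set in dnf.conf (the default is off); TLS to dl.fedoraproject.org is the only integrity check here. Either enable that option, or import the EPEL signing key and run `rpm -K` on the downloaded RPM before installing it. The step also switches to `dnf` while the neighbouring steps say `yum` (on CentOS 8 `yum` is an alias for `dnf`), so the page should state which release it now targets.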
Line 77: | Line 77: | ||
* Make sure ''/var/lib/mysql'' has ''mysqld_db_t'' type, in the directory: ''chcon -t mysqld_db_t .'' | * Make sure ''/var/lib/mysql'' has ''mysqld_db_t'' type, in the directory: ''chcon -t mysqld_db_t .'' | ||
+ | ------ | ||
==== Apache Installation ==== | ==== Apache Installation ==== | ||
Previously-mentioned package install via ''yum'' installs the software | Previously-mentioned package install via ''yum'' installs the software | ||
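Review bot: the `chcon -t mysqld_db_t .` line kept as context relabels only the directory itself, not files already under `/var/lib/mysql`, and a `chcon` label does not survive the next `restorecon` or a filesystem relabel. For the default data directory `restorecon -Rv /var/lib/mysql` applies the policy's own label recursively and durably; for a non-default path, add a `semanage fcontext -a -t mysqld_db_t '<path>(/.*)?'` rule first and then run `restorecon -R` on it.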
Line 87: | Line 88: | ||
Perform the typical ''systemctl enable httpd'' and ''service httpd start'' for startup | Perform the typical ''systemctl enable httpd'' and ''service httpd start'' for startup | ||
+ | ------ | ||
==== InfluxDB Installation ==== | ==== InfluxDB Installation ==== | ||
+ | Resource [[https://influxdbcom.readthedocs.io/en/latest/content/docs/v0.9/guides/clustering|Clustering InfluxDB ...]] \\ | ||
+ | |||
Create the file ''/etc/yum.repos.d/influxdb.repo'' with this content: | Create the file ''/etc/yum.repos.d/influxdb.repo'' with this content: | ||
<code> | <code> | ||
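Review bot: the added Clustering resource link points at InfluxDB v0.9 documentation, while the auth link added further down targets v1.5; clustering was removed from the open-source builds before 1.0 and is only in InfluxDB Enterprise, so the linked guide does not apply to the yum-installed package this page describes. Either mark the link as historical or replace it with a sentence saying the open-source build is single-node.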
Line 120: | Line 124: | ||
</code> | </code> | ||
Remember to ''systemctl enable influxdb'' and ''service influxdb start'' \\ | Remember to ''systemctl enable influxdb'' and ''service influxdb start'' \\ | ||
- | See: [[https://docs.influxdata.com/influxdb/v1.5/query_language/authentication_and_authorization|InfluxDB auth]] | + | === InfluxDB Auth === |
+ | See: [[https://docs.influxdata.com/influxdb/v1.5/query_language/authentication_and_authorization|InfluxDB auth]] \\ | ||
+ | <code>create user admin with password 'somepassword' with all privileges; | ||
+ | create user jmeter with password 'somepassword'; | ||
+ | create database jmeter; | ||
+ | grant [READ,WRITE,ALL] on "jmeter" TO "jmeter"; | ||
+ | revoke [READ,WRITE,ALL] on "jmeter" from "jmeter";</code> | ||
+ | ------ | ||
==== Grafana Installation ==== | ==== Grafana Installation ==== | ||
Create the file ''/etc/yum.repos.d/grafana.repo'' with this content: | Create the file ''/etc/yum.repos.d/grafana.repo'' with this content: | ||
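Review bot: the grant and revoke lines in the new InfluxDB Auth block use `[READ,WRITE,ALL]` as shorthand for one of three choices, which InfluxQL rejects as written; show one concrete form, e.g. `GRANT READ ON "jmeter" TO "jmeter"`, and note that `ALL` on one database is not the same as the admin-level `WITH ALL PRIVILEGES` used for the admin user. More important, none of these statements is enforced until `auth-enabled = true` is set under `[http]` in `/etc/influxdb/influxdb.conf` and the service is restarted, which this block does not mention; the `'somepassword'` values should also be labelled as placeholders to replace, not defaults to keep.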
Line 143: | Line 154: | ||
Log in (default login is ''admin'' with password ''admin'') and change password, add user(s) \\ | Log in (default login is ''admin'' with password ''admin'') and change password, add user(s) \\ | ||
Install the InfluxDB datasource plugin (find in plugins section, follow instructions) | Install the InfluxDB datasource plugin (find in plugins section, follow instructions) | ||
- | + | ==== LDAP for Grafana ==== | |
- | ==== Jenkins Installation ==== | + | Edit ''/etc/grafana/grafana.ini'':<code>[auth.ldap] |
- | Pull the Jenkins repository file and import its GPG key: | + | enabled = true |
- | <code> | + | config_file = /etc/grafana/ldap.toml |
- | wget -O /etc/yum.repos.d/jenkins.repo http://pkg.jenkins.io/redhat-stable/jenkins.repo | + | allow_sign_up = true |
- | rpm --import http://pkg.jenkins.io/redhat-stable/jenkins.io.key | + | |
</code> | </code> | ||
- | ... then, do a ''yum update'' and ''yum install jenkins'' \\ | + | Edit ''/etc/grafana/ldap.toml'': |
- | If the ''jenkins'' login isn't locked down off-server: | + | * Under ''servers.attributes'' section, make sure username is set to ''sAMAccountName'' for Active Directory |
- | * Enable login for Jenkins with ''usermod -s /bin/bash jenkins'' | + | * Under ''servers.group_mappings'' section, group_dn should be ''cn=bluejay_adm,cn=Users,dc=ms,dc=ds,dc=uhc,dc=com'' |
- | * Log in as ''jenkins'' and create SSH key with: ''ssh-keygen -t rsa'' | + | * Editor role: ''cn=github_users,cn=Users,dc=ms,dc=ds,dc=uhc,dc=com'' |
- | Otherwise: | + | * Host: ''"ADC21101.ms.ds.uhc.com"'' |
- | * Create SSH key for ''jenkins'' from root: ''ssh-keygen -f id_rsa -C "jenkins@bluejay"'' | + | * ssl_skip_verify = true |
- | Open firewall for Jenkins:<code> | + | * bind_dn: ''"oaptbot@ms.ds.uhc.com"'' |
- | firewall-cmd --permanent --zone=public --add-port=8080/tcp | + | * bind_password: '''BlueJay1!''' |
- | firewall-cmd --reload | + | * search_filter: ''"(sAMAccountName=%s)"'' |
- | </code> | + | * search_base_dns: ''["cn=Users,dc=ms,dc=ds,dc=uhc,dc=com"]'' |
- | Remember to ''systemctl enable jenkins'' and ''service jenkins start'' \\ | + | * |
- | Log in (default login is ''admin'' with password ''admin'') and change password, add user(s) \\ | + | |
- | ==== Maven Installation ==== | + | ------ |
- | Get latest maven archive, example:<code>wget http://www-eu.apache.org/dist/maven/maven-3/3.5.3/binaries/apache-maven-3.5.3-bin.tar.gz</code> | + | ==== Jenkins & Maven Installation ==== |
- | Extract to suitable location and sym-link to it (''/usr/maven'' or ''/opt/maven'') \\ | + | See [[tech:devops:jenkins:start|Jenkins Topics]] \\ |
- | Set environment variables in ''/etc/profile.d/maven.sh'':<code> | + | |
- | export M3_HOME=/usr/maven | + | |
- | export M2_HOME=${M3_HOME} | + | |
- | export PATH=${M3_HOME}/bin:${PATH} | + | |
- | </code> | + | |
- | ... perform a ''source /etc/profile.d/maven.sh'' to get these in current shell. | + | |
+ | ------ | ||
===== Bluejay LG Node ===== | ===== Bluejay LG Node ===== | ||
- | * Perform basic installation, and add the ''jenkins''/''bluejay'' logins, OpenJDK, and Maven \\ Initial steps:<code>lvcreate -l 100%FREE -n bluejay rootvg | + | * Ensure central repository at ''/var/www/html/pub/eptrepo/jmeter'' is populated, and create SSL cert |
- | mkfs -t ext4 /dev/rootvg/bluejay | + | * Edit the ''create-rmi-keystore.sh'' script, changing the validity to ''99999'' and run to gen cert |
+ | * Ensure cert file ''rmi_keystore.jks'' has same ownership/permissions/seattr as other files | ||
+ | * On Jenkins slave, perform basic installation, update, and pkgs for: wget, htop, vim, git, and OpenJDK | ||
+ | * Populate /etc/hosts | ||
+ | * Create ''bluejay'' login<code>groupadd -g 39092 bluejay | ||
useradd -u 441849 -g 39092 -d /home/bluejay -s /bin/bash -c "Bluejay" -m bluejay | useradd -u 441849 -g 39092 -d /home/bluejay -s /bin/bash -c "Bluejay" -m bluejay | ||
passwd bluejay | passwd bluejay | ||
chage -I -1 -m 0 -M 99999 -E -1 bluejay | chage -I -1 -m 0 -M 99999 -E -1 bluejay | ||
+ | </code> | ||
+ | * Extended storage setup:<code>lvcreate -l 100%FREE -n bluejay rootvg | ||
+ | mkfs -t ext4 /dev/rootvg/bluejay | ||
blkid /dev/rootvg/bluejay >> /etc/fstab | blkid /dev/rootvg/bluejay >> /etc/fstab | ||
vi /etc/fstab | vi /etc/fstab | ||
ls -lZd /home/bluejay/. | ls -lZd /home/bluejay/. | ||
- | mkdir -p tmp | + | mkdir -p ~/tmp |
- | mv /home/bluejay/.??* ./tmp/ | + | mv /home/bluejay/.??* ~/tmp/ |
- | chmod 775 /home/bluejay | + | chmod 755 /home/bluejay |
mount /home/bluejay | mount /home/bluejay | ||
chown bluejay:bluejay /home/bluejay/. | chown bluejay:bluejay /home/bluejay/. | ||
chmod 775 /home/bluejay/. | chmod 775 /home/bluejay/. | ||
chcon -u unconfined_u -t user_home_dir_t /home/bluejay/. | chcon -u unconfined_u -t user_home_dir_t /home/bluejay/. | ||
- | mv ./tmp/.??* /home/bluejay/ | + | mv ~/tmp/.??* /home/bluejay/</code> |
+ | * Populate ''bluejay'' login's ''~/.ssh'' directory:<code>cd ~bluejay ; mkdir .ssh ; cd .ssh | ||
+ | ssh-keygen -t rsa -f id_rsa -C bluejay@hostname | ||
+ | cp -a id_rsa.pub authorized_keys | ||
+ | chown -R bluejay:bluejay . | ||
+ | chcon -R -u unconfined_u -t ssh_home_t . | ||
+ | chmod 700 . ; chmod 600 *</code> | ||
+ | * Copy public key to central staging location:<code>scp ./id_rsa.pub someone@somewhere:/home/someone/dot-ssh/bluejay_host.pub</code> | ||
+ | * Create ''jenkins'' login<code>groupadd -g 822 jenkins | ||
+ | useradd -u 990 -g 822 -d /var/lib/jenkins -s /bin/bash -c "Jenkins" jenkins | ||
+ | usermod -a -G bluejay jenkins | ||
+ | usermod -a -G jenkins bluejay | ||
+ | chcon -u system_u -t var_lib_t /var/lib/jenkins/. | ||
+ | chmod 750 /var/lib/jenkins/.</code> | ||
+ | * Populate ''jenkins'' login's ''~/.ssh'' directory:<code>cd ~jenkins ; mkdir .ssh ; cd .ssh | ||
+ | ssh-keygen -t rsa -f id_rsa -C jenkins@hostname | ||
+ | cp -a id_rsa.pub authorized_keys | ||
+ | chown -R jenkins:jenkins . | ||
+ | chcon -R -u unconfined_u -t ssh_home_t . | ||
+ | chmod 700 . ; chmod 600 *</code> | ||
+ | * Copy public key to central staging location, and make sure it gets populated into Bluejay web server's ''bluejay'' login ''~/.ssh/authorized_keys'' file:<code>scp ./id_rsa.pub someone@somewhere:/home/someone/dot-ssh/jenkins_host.pub</code> | ||
+ | * Create Jenkins agent workspace:<code>cd ~bluejay ; mkdir -p jenkins | ||
+ | chown bluejay:jenkins ./jenkins/. | ||
+ | chmod 770 ./jenkins/. | ||
+ | chmod g+s ./jenkins/. | ||
+ | chcon -u system_u -t var_lib_t ./jenkins/. | ||
</code> | </code> | ||
- | * Create ''jenkins'' login SSH keys and populate on ''bluejay'' web server | ||
* Populate Jenkins controller's ''jenkins'' login SSH key into ''bluejay'' login's ''authorized_keys'' | * Populate Jenkins controller's ''jenkins'' login SSH key into ''bluejay'' login's ''authorized_keys'' | ||
- | * Populate the central repository at ''/var/www/html/pub/eptrepo/jmeter'' and create SSL cert | + | * Populate jenkins ''known_hosts'' file on Jenkins host |
- | * Edit the ''create-rmi-keystore.sh'' script, changing the validity to ''99999'' and run to gen cert | + | |
- | * Ensure cert file ''rmi_keystore.jks'' has same ownership/permissions/seattr as other files | + | \\ |
+ | ------ | ||
====== Trivia ====== | ====== Trivia ====== | ||
===== Optum-specific Admin Concerns ===== | ===== Optum-specific Admin Concerns ===== | ||
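Review bot: the `bind_password` bullet in the new LDAP for Grafana section records the AD service account's password in cleartext on a wiki page, next to its bind DN and the AD host; that credential should be treated as exposed, rotated, and replaced here with a placeholder, since it only needs to live in `/etc/grafana/ldap.toml` readable by the grafana service. In the same list, `ssl_skip_verify = true` disables certificate validation for the LDAP connection, so the bind credentials and every user password Grafana verifies are sent to whatever answers for that hostname; point `root_ca_cert` at the enterprise CA instead. With `allow_sign_up = true`, every AD user who authenticates and matches a `group_dn` gets a Grafana account created, so those `group_dn` values are the effective access list and belong under change control. In the Bluejay node steps, `chmod 775 /home/bluejay/.` after the mount leaves the home directory group-writable (and `jenkins` is added to the `bluejay` group just below), which sshd with the default `StrictModes yes` refuses for public-key login ("bad ownership or modes for directory"); the `chmod 755 /home/bluejay` a few lines earlier is the right value. Also, `cp -a id_rsa.pub authorized_keys` in both `~/.ssh` blocks lets each host's own key log in to itself, which nothing on the page needs; authorized_keys should hold only the keys the later steps actually distribute.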
Line 207: | Line 243: | ||
* apache: uid=48, gid=1739 | * apache: uid=48, gid=1739 | ||
* mantis: uid=''17236'', gid=''?'' | * mantis: uid=''17236'', gid=''?'' | ||
- | * wildfly: uid=''282'', gid=''28202'' | + | * wildfly: uid=''185'', gid=''185'' <del>wildfly: uid=''282'', gid=''28202''</del> |
+ | * thorium: gid=''34625'' | ||
* perfmgmt: gid=''4035'' | * perfmgmt: gid=''4035'' | ||
Line 231: | Line 268: | ||
Perform the whole thing in reverse when ''/opt'' is resized \\ | Perform the whole thing in reverse when ''/opt'' is resized \\ | ||
+ | |||
+ | ===== Some Problems/Resolutions ===== | ||
+ | ==== FIPS-compliant Venafi-generated SSL certs ==== | ||
+ | This problem: [[http://openssl.6102.n7.nabble.com/DEK-info-FIPS-openssl-td23289.html]] \\ | ||
+ | ... is resolved by downloading cert from Venafi in ''PKCS#8'' format \\ | ||
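Review bot: the resolution works, but the page should say why so it is not applied blindly: the linked thread concerns private keys exported as legacy OpenSSL encrypted PEM (the `DEK-Info` header), whose password-based key derivation is built on MD5 and is therefore unavailable in FIPS mode, whereas a PKCS#8 export can use PBES2 with PBKDF2 and SHA-2, which FIPS permits. Worth adding that a key already held in the legacy format can be re-wrapped with `openssl pkcs8 -topk8 -v2 aes-256-cbc` on a non-FIPS host, and that the reference link itself is plain HTTP.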