Technical Information: CentOS/RHEL Topics

See optum-specific details ...

• Unregister:
  subscription-manager remove –all
subscription-manager unregister
subscription-manager clean
• Register:

  subscription-manager register --username youraccountlogin --password yourpassword

• Configuration in /etc/rhsm/rhsm.conf
  • Set hostname to: subscription.rhn.redhat.com
  • Set prefix to: /subscription
  • Set port to: 443
  • Set baseurl to: https://cdn.redhat.com
  • Set repo_ca_cert to: %(ca_cert_dir)sredhat-uep.pem
  • Set full_refresh_on_yum to: 0
• Enabling repositories:

  subscription-manager list --available
  subscription-manager attach --pool=pool_id
  subscription-manager list --consumed
  subscription-manager repos --list
  subscription-manager repos --enable repository

• Do a yum update
• Add pathmunge $HOME/bin and pathmunge /usr/java/bin to /etc/profile

• yum install -y wget rsync git vim curl bzip2 zip unzip xz sharutils
• yum install -y xterm gvim dejavu-sans-mono-fonts
• yum install java-1.8.0-openjdk-devel
• yum groupinstall “X Window System”
• yum groupinstall “Fonts” (alternately, dejavu-fonts-common)
• yum install tigervnc-server
• yum install tigervnc
• yum install xorg-x11-server-devel
• yum install gcc-c++
• yum install mariadb-devel
• yum install centos-release-scl

• yum install gcc make perl kernel-devel
• Install the VirtualBox Guest Additions
• Shared folder mounted like: mount -t vboxsf -o uid=1000,gid=1000 sharename /home/you/some/folder

Docker requires the container-selinux package, not available in RHEL repos.
Get it from: CentOS 7 package mirror
Then, install Docker with:

yum remove docker docker-common docker-selinux docker-engine
yum-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo
yum install docker-ce

… alternately …

yum check-update
curl -fsSL https://get.docker.com/ | sh
systemctl start docker
systemctl status docker
systemctl enable docker

See official documentation for further details

• dnf install -y https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm
• yum install kernel-devel
• yum install http://download.zfsonlinux.org/epel/zfs-release.el7_4.noarch.rpm
• gpg –quiet –with-fingerprint /etc/pki/rpm-gpg/RPM-GPG-KEY-zfsonlinux
• In /etc/yum.repos.d/zfs.repo, change:
  • enabled=1 to enabled=0 in the [zfs] section
  • enabled=0 to enabled=1 in the [zfs-kmod] section
• yum install zfs
• systemctl preset zfs-import-cache zfs-import-scan zfs-import.target zfs-mount zfs-share zfs-zed zfs.target
• modprobe zfs

• yum install debootstrap perl libvirt
• yum install lxc lxc-templates
• systemctl status lxc.service
• systemctl start lxc.service
• systemctl status lxc.service
• systemctl start libvirtd
• systemctl status lxc.service
• lxc-checkconfig

See also: CentOS/RHEL Specifics for LXC

• grep -E '(vmx|svm)' /proc/cpuinfo
• systemctl enable libvirtd
• x

• git
• gcc-c++
• wget
• xterm
• vim
• vim-x11
• java-1.8.0-openjdk-devel
• gd-devel

yum –disablerepo=“*” –enablerepo=“epel” update

… to be added …

hostnamectl set-hostname Your-New-Host-Name-Here
hostnamectl set-hostname "Your New Host Name Here" --pretty
hostnamectl set-hostname Your-New-Host-Name-Here --static
hostnamectl set-hostname Your-New-Host-Name-Here --transient

In /etc/security/limits.conf, create a file like 20-nofile.conf:

*        hard    nofile    4096
*        soft    nofile    1024
@users   soft    nofile    2048
rk4n3    hard    nofile    81920
rk4n3    soft    nofile    8192

• Duplicate SElinux attributes: chcon --reference=oldfileordir newfileordir
• Update from specific repo only: yum --disablerepo=“*” --enablerepo=“my-repo” update

• In /etc/rsyslog.d/yourapp.conf

  # Separate yourapp logging into its own file
  if $programname == 'yourapp' then /var/log/yourapp.log
  & stop

• In /etc/logrotate.d/yourapp:

  /var/log/yourapp.log {
    missingok
    weekly
    size 2G
    copytruncate
    rotate 12
    notifempty
  }

• Wildfly likes to live at /opt/wildfly, so create a symbolic link at that location to the actual installation directory
• Set up the logging location:

  mkdir /var/log/wildfly
  chown wildfly:wildfly /var/log/wildfly
  chmod 755 /var/log/wildfly

• Set up the runtime location:

  mkdir /var/run/wildfly
  chown wildfly:wildfly /var/run/wildfly
  chmod 755 /var/run/wildfly

• Create a symbolic link at /etc/default/wildfly.conf to the standalone.conf file in the wildfly instance
• Edit /etc/default/wildfly.conf:
  • Make sure JAVA_HOME is set to the directory that the java you want to use lives at
  • Make sure JBOSS_HOME is set to /opt/wildfly
  • Add JBOSS_USER, and ensure its set to the user that you want wildfly to run as
• Copy /opt/wildfly/docs/contrib/scripts/init.d/wildfly-init-redhat.sh to /etc/init.d/wildfly
• Edit /opt/wildfly/standalone/configuration/standalone.xml:
  • Change 127.0.0.1 to actual IP address
• Add an admin user by invoking cd /opt/wildfly/bin ; ./add-user.sh
• Add as a service:

  chkconfig --add wildfly
  chkconfig wildfly on''

• Start with service wildfly start, and stop with service wildfly stop
• Admin console will be accessible on http://hostipaddress:9990/console
• HTTP service will be on http://hostipaddress:8080 by default (unless changed in config file)

See CentOS/RHEL section in Jenkins devops page

See CentOS/RHEL section in Gatling devops page

• Allow a program (i.e. /usr/bin/ping): setcap cap_net_raw+p /path/to/command

• Clear out journal(s): journalctl -m –vacuum-time=1s

CentOS will typically require accepting license agreement (again) after a significant upgrade.
This can mean that the system will not complete booting until license agreement acceptance is
completed on a console.

Example:

firewall-cmd --permanent --zone=public --add-port=80/tcp
firewall-cmd --reload

• Ensure desired grep exists locally (in /etc/group)
• Add an LDAP user to local copy of LDAP group: gpasswd -a ldaplogin localgroup

• For some strange reason, under RHEL new user home directories seem to be created with drwx—— permissions, which denies other uses visibility under then entire tree.
• SELinux can prevent SSH RSA key authentication, typically via file security context
  • Examine file context with:

    ls -lZd directorypath

    … or

    ls -lZ filepath

  • A full remediation might look like:

    chcon -t root_t /
    chcon -t home_root_t /home
    chcon -t home_root_t /home/you
    chcon -t ssh_home_t /home/you/.ssh
    chcon -t ssh_home_t /home/you/.ssh/*

• SELinux introduces some permissions complexity, so adjustments may need to be made on that level
  • Example - show SELinux context: ls -Z /some/dir
  • Example - apache logs: chcon -R -t httpd_log_t /some/log/dir
  • Example - apache doc root: chcon -R -t httpd_sys_content_t /some/www/docroot/dir
• SELinux can prohibit network connections, as well - if apache can't connect to a MySQL DB:
  setsebool -P httpd_can_network_connect=1

• If a filesystem won't either unmount or mount in new location after changing /etc/fstab:

  systemctl daemon-reload

This problem seems to be related to IPv6, so disabling IPv6 helps. Perform installation and first boot-up using the native Qemu GUI console, then disable IPv6 in the guest:

sysctl -a | grep ipv6 | grep disable | sed 's/= 0/= 1/g' > /etc/sysctl.d/ipv6.conf; sysctl -p /etc/sysctl.d/ipv6.conf

… then, the VM can be restarted in headless/VNC mode.

Links: Linux Info … Tech Info