RHEL: Difference between revisions
mNo edit summary |
(20 intermediate revisions by the same user not shown) | |||
Line 1: | Line 1: | ||
= Setting up from scratch on a VM at work = | = Setting up from scratch on a VM at work = | ||
== User accounts == | |||
=== Create a new group === | |||
<syntaxhighlight lang="console"> | |||
$ sudo groupadd dev | |||
$ sudo usermod -a -G dev mhan1 | |||
</syntaxhighlight> | |||
== Folder set up for web services == | |||
<syntaxhighlight lang="console"> | |||
$ sudo mkdir /srv/www | |||
$ sudo chown -R mhan1:dev /srv/www | |||
$ sudo chmod g+s /srv/www | |||
</syntaxhighlight> | |||
== Web services == | == Web services == | ||
Line 5: | Line 22: | ||
=== Install NGINX === | === Install NGINX === | ||
< | Disable apache | ||
<syntaxhighlight lang="sh"> | |||
# systemctl stop httpd | |||
# systemctl disable httpd | |||
</syntaxhighlight> | |||
<syntaxhighlight lang="sh"> | |||
$ sudo yum install yum-utils | $ sudo yum install yum-utils | ||
</ | </syntaxhighlight> | ||
Create <code>/etc/yum.repos.d/nginx.repo</code> | Create <code>/etc/yum.repos.d/nginx.repo</code> | ||
< | <syntaxhighlight lang="cfg"> | ||
[nginx-stable] | [nginx-stable] | ||
name=nginx stable repo | name=nginx stable repo | ||
Line 27: | Line 51: | ||
gpgkey=https://nginx.org/keys/nginx_signing.key | gpgkey=https://nginx.org/keys/nginx_signing.key | ||
module_hotfixes=true | module_hotfixes=true | ||
</ | </syntaxhighlight> | ||
Install nginx | Install nginx | ||
< | <syntaxhighlight lang="sh"> | ||
$ sudo yum install nginx | $ sudo yum install nginx | ||
</ | </syntaxhighlight> | ||
Set up folders | Set up folders | ||
< | <syntaxhighlight lang="console"> | ||
# cd /etc/nginx | # cd /etc/nginx | ||
# mkdir sites-available | # mkdir sites-available | ||
# mkdir sites-enabled | # mkdir sites-enabled | ||
</ | </syntaxhighlight> | ||
Create a file named <code>sites-available/unm.edu.conf</code> | Create a file named <code>sites-available/unm.edu.conf</code> | ||
< | <syntaxhighlight lang="nginx"> | ||
server { | server { | ||
listen 80; | listen 80; | ||
Line 75: | Line 99: | ||
error_log /var/log/nginx/error-wildcard.unm.edu.log; | error_log /var/log/nginx/error-wildcard.unm.edu.log; | ||
include | include php_81_params.conf; | ||
location / { | location / { | ||
Line 83: | Line 107: | ||
ssl_certificate /etc/pki/tls/certs/_wildcard.unm.edu.pem; | ssl_certificate /etc/pki/tls/certs/_wildcard.unm.edu.pem; | ||
ssl_certificate_key /etc/pki/tls/private/_wildcard.unm.edu-key.pem; | ssl_certificate_key /etc/pki/tls/private/_wildcard.unm.edu-key.pem; | ||
include | include ssl_params.conf; | ||
} | |||
</syntaxhighlight> | |||
Create a file named <code>/etc/nginx/php_81_params.conf</code> | |||
<syntaxhighlight lang="nginx"> | |||
location ~ \.php$ { | |||
fastcgi_split_path_info ^(.+\.php)(/.+)$; | |||
fastcgi_index index.php; | |||
fastcgi_buffers 8 16k; | |||
fastcgi_buffer_size 32k; | |||
fastcgi_connect_timeout 60; | |||
fastcgi_send_timeout 300; | |||
fastcgi_read_timeout 300; | |||
fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name; | |||
include fastcgi_params; | |||
fastcgi_pass 127.0.0.1:9000; | |||
} | } | ||
</ | </syntaxhighlight> | ||
Add <code>include /etc/nginx/sites-enabled/*.conf;</code> at the end of the first block before the closing brace. Then add a link inside the /etc/nginx/sites-enabled/ folder | |||
<syntaxhighlight lang="console"> | |||
# ln -s /etc/nginx/sites-available/unm.edu.conf ./ | |||
</syntaxhighlight> | |||
Create <code>/etc/ssl/certs/dhparam.pem</code> | |||
<syntaxhighlight lang="console"> | |||
# openssl dhparam -out dhparam.pem 4096 | |||
</syntaxhighlight> | |||
Create a file named <code>/etc/nginx/ssl_params.conf</code> | |||
<syntaxhighlight lang="nginx"> | |||
ssl_session_timeout 1d; | |||
ssl_session_cache shared:SSL:50m; | |||
ssl_session_tickets off; | |||
ssl_stapling on; | |||
ssl_stapling_verify on; | |||
ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2; | |||
ssl_dhparam /etc/ssl/certs/dhparam.pem; | |||
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECD | |||
SA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA'; | |||
ssl_prefer_server_ciphers on; | |||
add_header Strict-Transport-Security max-age=15768000; | |||
</syntaxhighlight> | |||
=== Install SSL certificates === | |||
Certificates should have been created by something like mkcert for development environment. The certificate should be in <code>/etc/pki/tls/certs/</code> and the private key should be stored in <code>/etc/pki/tls/private/</code>. Then secure the private key with: | |||
= | <syntaxhighlight lang="console"> | ||
# chmod 600 /etc/pki/tls/private/_wildcard.unm.edu-key.pem | |||
</syntaxhighlight> | |||
< | === Install EPEL & REMI repo === | ||
<syntaxhighlight lang="console"> | |||
$ sudo subscription-manager repos --enable rhel-7-server-optional-rpms --enable rhel-7-server-extras-rpms | $ sudo subscription-manager repos --enable rhel-7-server-optional-rpms --enable rhel-7-server-extras-rpms | ||
$ cd /tmp | $ cd /tmp | ||
$ wget https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm | $ wget https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm | ||
$ sudo yum install epel-release-latest-7.noarch.rpm | $ sudo yum -y install epel-release-latest-7.noarch.rpm | ||
</ | |||
$ sudo yum install -y https://rpms.remirepo.net/enterprise/remi-release-7.rpm | |||
</syntaxhighlight> | |||
=== Install PHP 8.1 === | |||
Install Oracle Instant Client (at least the basic package). They're dependencies for oci-related PHP packages. | |||
<syntaxhighlight lang="console"> | |||
# yum-config-manager --enable remi-php81 | |||
# yum -y autoremove rh-php72 | |||
# yum install -y php php-cli php-bcmath php-devel php-fpm php-gd imap php-intl php-mbstring php-mysqlnd php-oci8 php-odbc php-pdo php-tidy php-xml | |||
</syntaxhighlight> | |||
=== Install byobu === | |||
Install byobu and choose screen as a multiplexer. Tmux doesn't allow for multiple ssh sessions to show different screens. | |||
<syntaxhighlight lang="console"> | |||
# yum -y install byobu | |||
# byobu-select-backend screen | |||
</syntaxhighlight> | |||
=== Copy secret key from primary gpg === | |||
On the base machine: | |||
<syntaxhighlight lang="console"> | |||
$ gpg --export-secret-key -a > secretkey.asc | |||
</syntaxhighlight> | |||
Copy the secretkey.asc from the base machine to the new box. Then delete it using shred. | |||
<syntaxhighlight lang="console"> | |||
$ gpg --import secretkey.asc | |||
$ shred --remove secretkey.asc | |||
</syntaxhighlight> | |||
=== Install NodeJS === | |||
<syntaxhighlight lang="console"> | |||
$ sudo curl -sL https://rpm.nodesource.com/setup_14.x | sudo -E bash - | |||
$ sudo yum -y install nodejs | |||
</syntaxhighlight> | |||
=== Install vim-plug === | |||
<syntaxhighlight lang="console"> | |||
curl -fLo ~/.vim/autoload/plug.vim --create-dirs https://raw.githubusercontent.com/junegunn/vim-plug/master/plug.vim | |||
</syntaxhighlight> | |||
=== Rest of the set up detail === | |||
<syntaxhighlight lang="console"> | |||
$ sudo yum install ncurses-devel | |||
</syntaxhighlight> | |||
* ~/.gitconfig | |||
* ~/.gitignore__global | |||
* ~/.vimrc | |||
= Useful commands = | = Useful commands = | ||
== System services == | |||
=== List all services === | |||
<syntaxhighlight lang="bash"> | |||
# systemctl list-units --type=service | |||
or | |||
# systemctl --type=service | |||
</syntaxhighlight> | |||
== Package management == | == Package management == | ||
Line 102: | Line 255: | ||
=== Clean up cache for yum PM === | === Clean up cache for yum PM === | ||
< | <syntaxhighlight lang="console"> | ||
$ sudo service rhsmcertd restart | $ sudo service rhsmcertd restart | ||
$ sudo subscription-manager refresh | $ sudo subscription-manager refresh | ||
$ sudo yum clean all && | $ sudo yum clean all && sudo rm -rf /var/cache/yum && sudo yum makecache | ||
</ | </syntaxhighlight> | ||
=== List all subscriptions === | === List all subscriptions === | ||
< | <syntaxhighlight lang="console"> | ||
$ sudo subscription-manager list --all --available | more | $ sudo subscription-manager list --all --available | more | ||
</ | </syntaxhighlight> | ||
=== Install downloaded RPM package === | === Install downloaded RPM package === | ||
< | <syntaxhighlight lang="console"> | ||
$ sudo yum -y localinstall ~/Downloads/screen | $ sudo yum -y localinstall ~/Downloads/screen | ||
</ | </syntaxhighlight> | ||
=== Check if there are any disabled repositories === | === Check if there are any disabled repositories === | ||
< | <syntaxhighlight lang="console"> | ||
$ egrep -Hi '(^\[|^enabled)' /etc/yum.repos.d/* | $ egrep -Hi '(^\[|^enabled)' /etc/yum.repos.d/* | ||
/etc/yum.repos.d/epel.repo.rpmsave:[epel] | /etc/yum.repos.d/epel.repo.rpmsave:[epel] | ||
Line 135: | Line 288: | ||
/etc/yum.repos.d/nginx.repo:enabled=1 | /etc/yum.repos.d/nginx.repo:enabled=1 | ||
... | ... | ||
</ | </syntaxhighlight> |
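Review bot: The new /etc/nginx/ssl_params.conf block sets `ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;`, which enables three deprecated protocol versions while the rest of the same file (HSTS header, OCSP stapling, `ssl_session_tickets off`) is clearly meant to harden the listener; `ssl_protocols TLSv1.2 TLSv1.3;` keeps that intent, and the cipher list could then drop the trailing `DES-CBC3-SHA`, `AES` and `CAMELLIA` entries that admit CBC and 3DES suites. The `ssl_ciphers` value also appears to be wrapped mid-name (`ECDHE-ECD` on one line, `SA-AES256-GCM-SHA384` on the next); if that break is in the file rather than only in the wiki rendering, the split name is silently ignored by OpenSSL, so verifying with `nginx -t` and `openssl ciphers -v '<list>'` is worthwhile. In the NodeJS step, `curl -sL … | sudo -E bash -` executes an unreviewed remote script as root; downloading the script to a file, reading it, and only then running it (or installing the repo RPM and checking its GPG signature) is the safer sequence to document. The gpg section writes the unencrypted secret key to `secretkey.asc` and relies on a later `shred --remove`; the text should say the file is to be transferred only over an encrypted channel such as scp and never left on shared storage in between.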
Latest revision as of 07:53, 31 August 2023
Setting up from scratch on a VM at work
User accounts
Create a new group
$ sudo groupadd dev
$ sudo usermod -a -G dev mhan1
Folder set up for web services
$ sudo mkdir /srv/www
$ sudo chown -R mhan1:dev /srv/www
$ sudo chmod g+s /srv/www
Web services
Install NGINX
Disable apache
# systemctl stop httpd
# systemctl disable httpd
$ sudo yum install yum-utils
Create /etc/yum.repos.d/nginx.repo
[nginx-stable]
name=nginx stable repo
baseurl=http://nginx.org/packages/centos/$releasever/$basearch/
gpgcheck=1
enabled=1
gpgkey=https://nginx.org/keys/nginx_signing.key
module_hotfixes=true
[nginx-mainline]
name=nginx mainline repo
baseurl=http://nginx.org/packages/mainline/centos/$releasever/$basearch/
gpgcheck=1
enabled=0
gpgkey=https://nginx.org/keys/nginx_signing.key
module_hotfixes=true
Install nginx
$ sudo yum install nginx
Set up folders
# cd /etc/nginx
# mkdir sites-available
# mkdir sites-enabled
Create a file named sites-available/unm.edu.conf
server {
listen 80;
listen [::]:80;
server_name unm.edu *.unm.edu;
return 301 https://$host$request_uri;
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name ~^(?<subdomain>.+)\.unm\.dev$;
if (!-d /srv/www/unm.edu/$subdomain) {
set $subdomain "base";
}
set $public "";
if (-d /srv/www/unm.edu/$subdomain/public) {
set $public public;
}
root /srv/www/unm.edu/$subdomain/$public;
index index.php index.html index.htm;
access_log /var/log/nginx/access-wildcard.unm.edu.log;
error_log /var/log/nginx/error-wildcard.unm.edu.log;
include php_81_params.conf;
location / {
try_files $uri $uri/ /index.php?$query_string;
}
ssl_certificate /etc/pki/tls/certs/_wildcard.unm.edu.pem;
ssl_certificate_key /etc/pki/tls/private/_wildcard.unm.edu-key.pem;
include ssl_params.conf;
}
Create a file named /etc/nginx/php_81_params.conf
location ~ \.php$ {
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_index index.php;
fastcgi_buffers 8 16k;
fastcgi_buffer_size 32k;
fastcgi_connect_timeout 60;
fastcgi_send_timeout 300;
fastcgi_read_timeout 300;
fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
include fastcgi_params;
fastcgi_pass 127.0.0.1:9000;
}
Add include /etc/nginx/sites-enabled/*.conf; at the end of the first block, before its closing brace. Then, from inside the /etc/nginx/sites-enabled/ folder, add a symlink to the site configuration:
# ln -s /etc/nginx/sites-available/unm.edu.conf ./
Create /etc/ssl/certs/dhparam.pem (the command below writes dhparam.pem into the current directory, so run it from /etc/ssl/certs/):
# openssl dhparam -out dhparam.pem 4096
Create a file named /etc/nginx/ssl_params.conf
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
ssl_stapling on;
ssl_stapling_verify on;
ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
ssl_dhparam /etc/ssl/certs/dhparam.pem;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECD
SA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
ssl_prefer_server_ciphers on;
add_header Strict-Transport-Security max-age=15768000;
Install SSL certificates
Certificates should have been created by something like mkcert for a development environment. The certificate should be in /etc/pki/tls/certs/ and the private key should be stored in /etc/pki/tls/private/. Then secure the private key with:
# chmod 600 /etc/pki/tls/private/_wildcard.unm.edu-key.pem
Install EPEL & REMI repo
$ sudo subscription-manager repos --enable rhel-7-server-optional-rpms --enable rhel-7-server-extras-rpms
$ cd /tmp
$ wget https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
$ sudo yum -y install epel-release-latest-7.noarch.rpm
$ sudo yum install -y https://rpms.remirepo.net/enterprise/remi-release-7.rpm
Install PHP 8.1
Install Oracle Instant Client (at least the basic package) first; it is a dependency of the oci-related PHP packages.
# yum-config-manager --enable remi-php81
# yum -y autoremove rh-php72
# yum install -y php php-cli php-bcmath php-devel php-fpm php-gd imap php-intl php-mbstring php-mysqlnd php-oci8 php-odbc php-pdo php-tidy php-xml
Install byobu
Install byobu and choose screen as the multiplexer. Tmux doesn't allow multiple ssh sessions to show different screens.
# yum -y install byobu
# byobu-select-backend screen
Copy secret key from primary gpg
On the base machine:
$ gpg --export-secret-key -a > secretkey.asc
Copy secretkey.asc from the base machine to the new box, import it there, then delete the file with shred:
$ gpg --import secretkey.asc
$ shred --remove secretkey.asc
Install NodeJS
$ sudo curl -sL https://rpm.nodesource.com/setup_14.x | sudo -E bash -
$ sudo yum -y install nodejs
Install vim-plug
curl -fLo ~/.vim/autoload/plug.vim --create-dirs https://raw.githubusercontent.com/junegunn/vim-plug/master/plug.vim
Rest of the setup details
$ sudo yum install ncurses-devel
- ~/.gitconfig
- ~/.gitignore__global
- ~/.vimrc
Useful commands
System services
List all services
# systemctl list-units --type=service
or
# systemctl --type=service
Package management
Clean up cache for yum PM
$ sudo service rhsmcertd restart
$ sudo subscription-manager refresh
$ sudo yum clean all && sudo rm -rf /var/cache/yum && sudo yum makecache
List all subscriptions
$ sudo subscription-manager list --all --available | more
Install downloaded RPM package
$ sudo yum -y localinstall ~/Downloads/screen
Check if there are any disabled repositories
$ egrep -Hi '(^\[|^enabled)' /etc/yum.repos.d/*
/etc/yum.repos.d/epel.repo.rpmsave:[epel]
/etc/yum.repos.d/epel.repo.rpmsave:enabled=1
/etc/yum.repos.d/epel.repo.rpmsave:[epel-debuginfo]
/etc/yum.repos.d/epel.repo.rpmsave:enabled=0
/etc/yum.repos.d/epel.repo.rpmsave:[epel-source]
/etc/yum.repos.d/epel.repo.rpmsave:enabled=0
/etc/yum.repos.d/nginx.repo:[nginx-stable]
/etc/yum.repos.d/nginx.repo:enabled=1
/etc/yum.repos.d/nginx.repo:[nginx-mainline]
/etc/yum.repos.d/nginx.repo:enabled=1
...