RHEL: Difference between revisions

From Han Wiki
→‎Install byobu: Copy secret key from primary gpg
mNo edit summary
 
(4 intermediate revisions by the same user not shown)
Latest revision as of 07:53, 31 August 2023

Setting up from scratch on a VM at work

User accounts

Create a new group

$ sudo groupadd dev
$ sudo usermod -a -G dev mhan1

Folder set up for web services

$ sudo mkdir /srv/www
$ sudo chown -R mhan1:dev /srv/www
$ sudo chmod g+s /srv/www

Web services

Install NGINX

Disable apache

# systemctl stop httpd
# systemctl disable httpd

$ sudo yum install yum-utils

Create /etc/yum.repos.d/nginx.repo

[nginx-stable]
name=nginx stable repo
baseurl=http://nginx.org/packages/centos/$releasever/$basearch/
gpgcheck=1
enabled=1
gpgkey=https://nginx.org/keys/nginx_signing.key
module_hotfixes=true

[nginx-mainline]
name=nginx mainline repo
baseurl=http://nginx.org/packages/mainline/centos/$releasever/$basearch/
gpgcheck=1
enabled=0
gpgkey=https://nginx.org/keys/nginx_signing.key
module_hotfixes=true

Install nginx

$ sudo yum install nginx

Set up folders

# cd /etc/nginx
# mkdir sites-available
# mkdir sites-enabled

Create a file named sites-available/unm.edu.conf

server {
        listen 80;
        listen [::]:80;
        server_name unm.edu *.unm.edu;
        return 301 https://$host$request_uri;
}

server {
        listen 443 ssl http2;
        listen [::]:443 ssl http2;

        server_name ~^(?<subdomain>.+)\.unm\.dev$;

        if (!-d /srv/www/unm.edu/$subdomain) {
                set $subdomain "base";
        }

        set $public "";
        if (-d /srv/www/unm.edu/$subdomain/public) {
                set $public public;
        }

        root /srv/www/unm.edu/$subdomain/$public;

        index index.php index.html index.htm;

        access_log /var/log/nginx/access-wildcard.unm.edu.log;
        error_log /var/log/nginx/error-wildcard.unm.edu.log;

        include php_81_params.conf;

        location / {
                try_files $uri $uri/ /index.php?$query_string;
        }

        ssl_certificate /etc/pki/tls/certs/_wildcard.unm.edu.pem;
        ssl_certificate_key /etc/pki/tls/private/_wildcard.unm.edu-key.pem;
        include ssl_params.conf;
}


Create a file named /etc/nginx/php_81_params.conf

location ~ \.php$ {
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_index index.php;

        fastcgi_buffers 8 16k;
        fastcgi_buffer_size 32k;
        fastcgi_connect_timeout 60;
        fastcgi_send_timeout 300;
        fastcgi_read_timeout 300;

        fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
        include fastcgi_params;

        fastcgi_pass 127.0.0.1:9000;
}

Add include /etc/nginx/sites-enabled/*.conf; at the end of the first block, before its closing brace. Then add a symbolic link to the site file inside the /etc/nginx/sites-enabled/ folder:

# ln -s /etc/nginx/sites-available/unm.edu.conf ./

Create /etc/ssl/certs/dhparam.pem

# openssl dhparam -out dhparam.pem 4096

Create a file named /etc/nginx/ssl_params.conf

ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;

ssl_stapling on;
ssl_stapling_verify on;

ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
ssl_dhparam /etc/ssl/certs/dhparam.pem;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
ssl_prefer_server_ciphers on;
add_header Strict-Transport-Security max-age=15768000;
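The ssl_params.conf above still lists SSLv3, TLSv1 and TLSv1.1 in ssl_protocols. The script below is an added example, not part of this wiki page: it reads an nginx ssl_params.conf, reports every legacy protocol version that is still offered, and writes a hardened copy that keeps only TLS 1.2 and 1.3. The sample file it audits is constructed inside the script and mirrors the directive above; the function names and the temp-file layout are the example's own.

```shell
#!/usr/bin/env bash
# Added example, not part of the wiki page: audit an nginx ssl_params.conf for
# protocol versions that should no longer be offered, and emit a hardened copy.
# The sample file below is constructed here; its ssl_protocols line mirrors the page.

# Protocol names that must not appear in ssl_protocols. SSLv3 is broken
# (POODLE) and TLS 1.0 / 1.1 are deprecated by RFC 8996.
LEGACY_PROTOCOLS="SSLv2 SSLv3 TLSv1 TLSv1.1"

# check_ssl_protocols FILE
# Prints every legacy protocol named on the last uncommented ssl_protocols line,
# one per line. Exit status: 0 = clean, 1 = at least one legacy protocol offered,
# 2 = no ssl_protocols directive (nginx then uses its built-in default).
check_ssl_protocols() {
    local file="$1" line proto found=0
    line=$(grep -E '^[[:space:]]*ssl_protocols[[:space:]]' "$file" | tail -n 1)
    [ -n "$line" ] || return 2
    line=${line%%;*}               # drop the terminating ';' and any trailing comment
    line=${line#*ssl_protocols}    # keep only the protocol list
    for proto in $line; do
        case " $LEGACY_PROTOCOLS " in
            *" $proto "*) echo "$proto"; found=1 ;;
        esac
    done
    return "$found"
}

# harden_ssl_protocols SRC DST
# Writes SRC to DST with the ssl_protocols directive replaced by TLS 1.2 and 1.3
# only. TLSv1.3 takes effect only when the linked OpenSSL supports it (RHEL 7's
# OpenSSL 1.0.2 does not), so TLS 1.2 is the effective floor on that platform.
harden_ssl_protocols() {
    local src="$1" dst="$2"
    sed -E 's/^([[:space:]]*)ssl_protocols[[:space:]][^;]*;/\1ssl_protocols TLSv1.2 TLSv1.3;/' "$src" > "$dst"
}

# --- constructed sample, modelled on the page's ssl_params.conf ---
WORK_DIR=$(mktemp -d)
SAMPLE="$WORK_DIR/ssl_params.conf"
HARDENED="$WORK_DIR/ssl_params.hardened.conf"
cat > "$SAMPLE" <<'EOF'
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
EOF

if legacy=$(check_ssl_protocols "$SAMPLE"); then
    echo "$SAMPLE: ssl_protocols is clean"
else
    echo "$SAMPLE: still offers legacy protocols:" $legacy
    harden_ssl_protocols "$SAMPLE" "$HARDENED"
    echo "hardened copy written to $HARDENED:"
    grep ssl_protocols "$HARDENED"
fi
```

Run it against the real file with `check_ssl_protocols /etc/nginx/ssl_params.conf`; a non-zero exit makes it usable as a pre-deploy check, and `nginx -t` after swapping in the hardened copy confirms nginx accepts the directive on the installed version.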

Install SSL certificates

Certificates should have been created by something like mkcert for a development environment. The certificate should be in /etc/pki/tls/certs/ and the private key should be stored in /etc/pki/tls/private/. Then secure the private key with:

# chmod 600 /etc/pki/tls/private/_wildcard.unm.edu-key.pem

Install EPEL & REMI repo

$ sudo subscription-manager repos --enable rhel-7-server-optional-rpms --enable rhel-7-server-extras-rpms
$ cd /tmp
$ wget https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
$ sudo yum -y install epel-release-latest-7.noarch.rpm

$ sudo yum install -y https://rpms.remirepo.net/enterprise/remi-release-7.rpm

Install PHP 8.1

Install Oracle Instant Client (at least the basic package); it is a dependency of the oci-related PHP packages.

# yum-config-manager --enable remi-php81
# yum -y autoremove rh-php72
# yum install -y php php-cli php-bcmath php-devel php-fpm php-gd imap php-intl php-mbstring php-mysqlnd php-oci8 php-odbc php-pdo php-tidy php-xml


Install byobu

Install byobu and choose screen as a multiplexer. Tmux doesn't allow for multiple ssh sessions to show different screens.

# yum -y install byobu
# byobu-select-backend screen

Copy secret key from primary gpg

On the base machine:

$ gpg --export-secret-key -a > secretkey.asc

Copy secretkey.asc from the base machine to the new box. Import it there, then delete it using shred:

$ gpg --import secretkey.asc
$ shred --remove secretkey.asc

Install NodeJS

$ sudo curl -sL https://rpm.nodesource.com/setup_14.x | sudo -E bash -
$ sudo yum -y install nodejs
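The NodeJS step pipes a script fetched from the network straight into a root shell. The script below is an added example, not part of this wiki page and not NodeSource's tooling: it downloads the same setup script to a private temp file, refuses to execute it unless its SHA-256 digest matches a value recorded after reviewing the script, and only then runs it the way the page does. The expected digest is a placeholder to be filled in; the `verify_sha256` and `install_nodesource_verified` names are the example's own, and the offline demonstration at the end uses a constructed file.

```shell
#!/usr/bin/env bash
# Added example, not part of the wiki page: run the NodeSource setup script only
# after it has been saved to a file and its SHA-256 digest matched a value you
# recorded after reviewing that script. The URL is the page's; the digest below
# is a placeholder that you must replace yourself.

NODESOURCE_URL="https://rpm.nodesource.com/setup_14.x"
NODESOURCE_SHA256="<sha256 of the reviewed setup_14.x script goes here>"   # placeholder

# verify_sha256 FILE EXPECTED_HEX
# Exit status 0 when FILE's SHA-256 digest equals EXPECTED_HEX (case-insensitive).
verify_sha256() {
    local file="$1" expected="$2" actual
    actual=$(sha256sum "$file" | awk '{print $1}')
    [ "$actual" = "$(printf '%s' "$expected" | tr 'A-F' 'a-f')" ]
}

# install_nodesource_verified URL EXPECTED_HEX
# Fetches URL over TLS only into a 0600 temp file, refuses to execute it unless
# the digest matches, then runs it with `sudo -E bash` as the page does.
install_nodesource_verified() {
    local url="$1" expected="$2" script rc
    script=$(mktemp) || return 1
    chmod 600 "$script"
    if ! curl -fsSL --proto '=https' --tlsv1.2 -o "$script" "$url"; then
        echo "download of $url failed" >&2; rm -f "$script"; return 1
    fi
    if ! verify_sha256 "$script" "$expected"; then
        echo "digest mismatch for $url; script not executed" >&2; rm -f "$script"; return 1
    fi
    sudo -E bash "$script" && rc=0 || rc=$?
    rm -f "$script"
    return "$rc"
}

# --- offline demonstration with a constructed file ---
DEMO_FILE=$(mktemp)
printf 'hello\n' > "$DEMO_FILE"
# SHA-256 of the six bytes "hello\n"
DEMO_SHA256=5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03
if verify_sha256 "$DEMO_FILE" "$DEMO_SHA256"; then
    echo "demo file: digest matches"
fi
if ! verify_sha256 "$DEMO_FILE" "0000000000000000000000000000000000000000000000000000000000000000"; then
    echo "demo file: wrong digest rejected"
fi
# Real use, once NODESOURCE_SHA256 holds the digest of the script you reviewed:
#   install_nodesource_verified "$NODESOURCE_URL" "$NODESOURCE_SHA256"
```

The digest pins the script to the exact revision that was reviewed; when NodeSource changes it, the install stops with a mismatch instead of silently running new code as root, which is the moment to re-read the script and record the new digest.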

Install vim-plug

curl -fLo ~/.vim/autoload/plug.vim --create-dirs https://raw.githubusercontent.com/junegunn/vim-plug/master/plug.vim

Rest of the set up detail

$ sudo yum install ncurses-devel

  • ~/.gitconfig
  • ~/.gitignore__global
  • ~/.vimrc

Useful commands

System services

List all services

# systemctl list-units --type=service
or
# systemctl --type=service

Package management

Clean up cache for yum PM

$ sudo service rhsmcertd restart
$ sudo subscription-manager refresh
$ sudo yum clean all && sudo rm -rf /var/cache/yum && sudo yum makecache

List all subscriptions

$ sudo subscription-manager list --all --available | more

Install downloaded RPM package

$ sudo yum -y localinstall ~/Downloads/screen

Check if there are any disabled repositories

$ egrep -Hi '(^\[|^enabled)' /etc/yum.repos.d/*
/etc/yum.repos.d/epel.repo.rpmsave:[epel]
/etc/yum.repos.d/epel.repo.rpmsave:enabled=1
/etc/yum.repos.d/epel.repo.rpmsave:[epel-debuginfo]
/etc/yum.repos.d/epel.repo.rpmsave:enabled=0
/etc/yum.repos.d/epel.repo.rpmsave:[epel-source]
/etc/yum.repos.d/epel.repo.rpmsave:enabled=0
/etc/yum.repos.d/nginx.repo:[nginx-stable]
/etc/yum.repos.d/nginx.repo:enabled=1
/etc/yum.repos.d/nginx.repo:[nginx-mainline]
/etc/yum.repos.d/nginx.repo:enabled=1
...
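The egrep above prints [section] and enabled= lines but leaves it to the reader to pair them up. The script below is an added example, not part of this wiki page: it walks the .repo files in a directory with awk, ties each enabled= and gpgcheck= to its section, and flags enabled repositories that skip signature checks or fetch packages over plain http (the nginx.repo from earlier on the page uses an http baseurl, relying on gpgcheck alone). The sample repo directory is constructed inside the script: nginx.repo copies the page's file, thirdparty.repo is invented for the demonstration, and the `audit_yum_repos` name is the example's own.

```shell
#!/usr/bin/env bash
# Added example, not part of the wiki page: per-section audit of the .repo files
# under a directory. Sample files are constructed below (nginx.repo mirrors the
# page's file; thirdparty.repo is invented for the demonstration).

# audit_yum_repos DIR
# Prints "file:section: finding" per finding; prints nothing when all is well.
audit_yum_repos() {
    local dir="$1"
    set -- "$dir"/*.repo
    [ -e "$1" ] || return 0            # no .repo files: nothing to audit
    awk '
        function flush() {
            if (sec == "") return
            if (enabled == "1") {
                if (gpgcheck != "1") print file ":" sec ": enabled without gpgcheck=1"
                if (url ~ /^http:\/\//) print file ":" sec ": baseurl is plain http"
            }
            # yum treats a missing enabled= as enabled, so the default is "1"
            sec = ""; enabled = "1"; gpgcheck = ""; url = ""
        }
        function value(line) {
            sub(/^[^=]*=[[:space:]]*/, "", line); sub(/[[:space:]]+$/, "", line); return line
        }
        BEGIN { enabled = "1" }
        FNR == 1 { flush(); file = FILENAME }
        /^[[:space:]]*\[[^]]+\]/ {
            flush(); sec = $0
            sub(/^[[:space:]]*\[/, "", sec); sub(/\].*$/, "", sec); next
        }
        /^[[:space:]]*enabled[[:space:]]*=/  { enabled  = value($0) }
        /^[[:space:]]*gpgcheck[[:space:]]*=/ { gpgcheck = value($0) }
        /^[[:space:]]*baseurl[[:space:]]*=/  { url      = value($0) }
        END { flush() }
    ' "$@"
}

# --- constructed sample directory ---
REPO_DIR=$(mktemp -d)
cat > "$REPO_DIR/nginx.repo" <<'EOF'
[nginx-stable]
name=nginx stable repo
baseurl=http://nginx.org/packages/centos/$releasever/$basearch/
gpgcheck=1
enabled=1
gpgkey=https://nginx.org/keys/nginx_signing.key
module_hotfixes=true

[nginx-mainline]
name=nginx mainline repo
baseurl=http://nginx.org/packages/mainline/centos/$releasever/$basearch/
gpgcheck=1
enabled=0
gpgkey=https://nginx.org/keys/nginx_signing.key
module_hotfixes=true
EOF
cat > "$REPO_DIR/thirdparty.repo" <<'EOF'
[thirdparty]
name=constructed third-party repo with signature checking turned off
baseurl=https://repo.example.invalid/el7/$basearch/
gpgcheck=0
enabled=1
EOF

audit_yum_repos "$REPO_DIR"
```

On a real host run `audit_yum_repos /etc/yum.repos.d`. Only baseurl= is inspected, so EPEL-style metalink= entries are not reported either way, and a repository that is enabled without gpgcheck=1 is the finding to act on first: it lets yum install whatever the mirror serves.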