RHEL


Setting up from scratch on a VM at work

User accounts

Create a new group

# Supplementary group for the people allowed to touch the web root.
# "-a" appends: without it, usermod -G replaces the user's whole group list.
# The new membership only shows up in fresh logins.
$ sudo groupadd dev
$ sudo usermod -a -G dev mhan1

Folder set up for web services

# Shared web root. setgid on the directory makes files and subdirectories
# created inside it inherit group "dev" instead of the creator's primary group.
# Nothing here grants the group write access (mkdir under the usual 022 umask
# gives 755) — add g+w on the tree if other "dev" members must deploy into it.
$ sudo mkdir /srv/www
$ sudo chown -R mhan1:dev /srv/www
$ sudo chmod g+s /srv/www

Web services

Install NGINX

Disable apache

# Free ports 80/443 for nginx; "disable" keeps httpd from returning at boot.
# systemctl stop httpd
# systemctl disable httpd
# yum-utils provides yum-config-manager, used further down to enable remi-php81.
$ sudo yum install yum-utils

Create /etc/yum.repos.d/nginx.repo

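# nginx.org package repos. gpgcheck=1 verifies every rpm against the key
# below; fetching metadata over https additionally stops an on-path attacker
# from feeding yum stale repomd (old, still-signed but vulnerable builds).
# Only one of stable/mainline should be enabled at a time.
# NOTE(review): on RHEL, $releasever expands to e.g. "7Server", not "7"; if
# yum reports 404 for this baseurl, hard-code the major version.
[nginx-stable]
name=nginx stable repo
baseurl=https://nginx.org/packages/centos/$releasever/$basearch/
gpgcheck=1
enabled=1
gpgkey=https://nginx.org/keys/nginx_signing.key
# Lets this repo override the distro's own nginx module on dnf-based
# releases; harmless on yum.
module_hotfixes=true

[nginx-mainline]
name=nginx mainline repo
baseurl=https://nginx.org/packages/mainline/centos/$releasever/$basearch/
gpgcheck=1
enabled=0
gpgkey=https://nginx.org/keys/nginx_signing.key
module_hotfixes=true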

Install nginx

# Installs nginx from the nginx-stable repo defined above (it normally wins
# over the EPEL/distro build by version while that repo is enabled).
$ sudo yum install nginx

Set up folders

# Debian-style layout. The packaged nginx.conf only includes conf.d/*.conf,
# so sites-enabled does nothing until the include line described below is
# added to nginx.conf.
# cd /etc/nginx
# mkdir sites-available
# mkdir sites-enabled

Create a file named sites-available/unm.edu.conf

server {
        # Plain-HTTP listener (IPv4 + IPv6) for the apex and the wildcard.
        # Every request is bounced to HTTPS on the same host with path and
        # query intact; nothing is served over HTTP.
        listen 80;
        listen [::]:80;
        server_name unm.edu *.unm.edu;
        return 301 https://$host$request_uri;
}

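server {
        listen 443 ssl http2;
        listen [::]:443 ssl http2;

        # One server block for every host under the wildcard; the captured
        # label becomes a directory name under /srv/www/unm.edu. It is
        # therefore limited to hostname characters and may not start with a
        # dot. nginx already lowercases Host and rejects "..", "/" and "\"
        # before matching, so this is defense in depth, not the only guard.
        # Hosts that do not match fall through to nginx's default server.
        # NOTE(review): this matches *.unm.dev, while the HTTP redirect block,
        # the certificate file names and the log names all say unm.edu —
        # confirm which zone is intended; a name the certificate does not
        # cover gives a browser warning.
        server_name ~^(?<subdomain>[a-z0-9][a-z0-9.-]*)\.unm\.dev$;

        # Unknown subdomain -> the "base" site.
        if (!-d /srv/www/unm.edu/$subdomain) {
                set $subdomain "base";
        }

        # Serve from <site>/public when the site has one (framework layout),
        # otherwise from the site directory itself.
        set $public "";
        if (-d /srv/www/unm.edu/$subdomain/public) {
                set $public public;
        }

        root /srv/www/unm.edu/$subdomain/$public;

        index index.php index.html index.htm;

        access_log /var/log/nginx/access-wildcard.unm.edu.log;
        error_log /var/log/nginx/error-wildcard.unm.edu.log;

        # Never serve dotfiles (.env, .git/, .htaccess ...). They are easy to
        # expose when a site has no public/ directory and the project root
        # itself becomes the document root. Declared before the PHP location
        # because the first matching regex location wins, so /.git/x.php is
        # denied rather than handed to FPM. /.well-known/ stays reachable.
        location ~ /\.(?!well-known/) {
                deny all;
        }

        include php_81_params.conf;

        location / {
                # Front-controller pattern: real file, directory, else index.php.
                try_files $uri $uri/ /index.php?$query_string;
        }

        ssl_certificate /etc/pki/tls/certs/_wildcard.unm.edu.pem;
        ssl_certificate_key /etc/pki/tls/private/_wildcard.unm.edu-key.pem;
        include ssl_params.conf;
}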


Create a file named /etc/nginx/php_81_params.conf

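location ~ \.php$ {
        # Split "/app.php/extra/path" into the script and its PATH_INFO.
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        # try_files below rewrites $uri, which empties $fastcgi_path_info;
        # stash it first.
        set $path_info $fastcgi_path_info;
        # Only hand FPM a script that exists on disk. Without this check a
        # request such as /uploads/pic.jpg/x.php reaches FPM, and with
        # cgi.fix_pathinfo=1 (PHP's built-in default) FPM walks the path back
        # and executes pic.jpg as PHP — an uploaded file becomes code.
        # Set cgi.fix_pathinfo=0 in php.ini as well.
        try_files $fastcgi_script_name =404;
        fastcgi_index index.php;

        fastcgi_buffers 8 16k;
        fastcgi_buffer_size 32k;
        fastcgi_connect_timeout 60;
        fastcgi_send_timeout 300;
        fastcgi_read_timeout 300;

        # $realpath_root resolves symlinks in the document root (matters if a
        # deployment swaps a "current" symlink under a running FPM).
        fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
        fastcgi_param PATH_INFO $path_info;
        include fastcgi_params;

        fastcgi_pass 127.0.0.1:9000;
}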

Add `include /etc/nginx/sites-enabled/*.conf;` as the last line inside the `http { ... }` block of /etc/nginx/nginx.conf (just before its closing brace). Then link the site file into /etc/nginx/sites-enabled/:

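# A relative "./" target depends on the current directory (after the earlier
# "cd /etc/nginx" it would land one level too high); give ln the destination
# explicitly, then test the configuration before reloading.
# ln -s /etc/nginx/sites-available/unm.edu.conf /etc/nginx/sites-enabled/
# nginx -t && systemctl reload nginx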

Create /etc/ssl/certs/dhparam.pem

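# Write straight to the path ssl_params.conf references instead of the cwd.
# A 4096-bit group takes minutes to generate; 2048 bits is the widely
# recommended minimum if that is too slow.
# openssl dhparam -out /etc/ssl/certs/dhparam.pem 4096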

Create a file named /etc/nginx/ssl_params.conf

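# Shared TLS settings, included by every "listen ... ssl" server block.

ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
# Tickets off: nginx does not rotate its auto-generated ticket key, which
# would undo forward secrecy for the lifetime of the process.
ssl_session_tickets off;

# OCSP stapling only works for certificates whose issuer runs an OCSP
# responder; for mkcert/private-CA certificates nginx logs a warning at
# startup and serves without a staple. ssl_stapling_verify also needs the
# issuer chain (ssl_trusted_certificate) when it is not in ssl_certificate.
ssl_stapling on;
ssl_stapling_verify on;

# SSLv3 (POODLE) and TLS 1.0/1.1 (deprecated by RFC 8996) are dropped.
# TLSv1.3 is used when nginx is built against OpenSSL >= 1.1.1 and silently
# ignored otherwise (RHEL 7's system OpenSSL 1.0.2 has no TLS 1.3).
ssl_protocols TLSv1.2 TLSv1.3;
ssl_dhparam /etc/ssl/certs/dhparam.pem;
# Forward-secret AEAD suites only (Mozilla "intermediate" profile): no
# CBC/SHA-1, no 3DES, no Camellia, no static-RSA key exchange. Suite names
# the local OpenSSL does not know (CHACHA20 on 1.0.2) are skipped, not fatal.
ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
ssl_prefer_server_ciphers on;
# "always" sends HSTS on error responses too. add_header is not inherited by
# a location that declares its own add_header — keep that in mind when adding
# headers per location. includeSubDomains is deliberately left out: on a
# wildcard dev zone it would pin every sibling host to HTTPS.
add_header Strict-Transport-Security "max-age=15768000" always;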

Install SSL certificates

For a development environment the certificates will typically have been created with something like mkcert. Such certificates are trusted only on machines where the mkcert root CA has been installed, and must never be used on anything reachable from the Internet. Put the certificate in /etc/pki/tls/certs/ and the private key in /etc/pki/tls/private/, then restrict the private key:

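# nginx's master process runs as root and reads the key before dropping
# privileges, so root-only ownership and mode are sufficient and correct.
# chown root:root /etc/pki/tls/private/_wildcard.unm.edu-key.pem
# chmod 600 /etc/pki/tls/private/_wildcard.unm.edu-key.pem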

Install EPEL & REMI repo

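# Enable the RHEL channels that EPEL/Remi packages depend on.
$ sudo subscription-manager repos --enable rhel-7-server-optional-rpms --enable rhel-7-server-extras-rpms
$ cd /tmp
$ wget https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
# "yum install <file|url>" does NOT verify the package signature unless
# localpkg_gpgcheck=1 is set in /etc/yum.conf, so check it by hand: import
# the project's signing key, then rpm -K must print "OK" (not "NOT OK" or
# "MISSING KEYS"). Compare the imported key's fingerprint with the one the
# project publishes before trusting it.
$ sudo rpm --import https://dl.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-7
$ rpm -K epel-release-latest-7.noarch.rpm
$ sudo yum -y install epel-release-latest-7.noarch.rpm

$ wget https://rpms.remirepo.net/enterprise/remi-release-7.rpm
$ sudo rpm --import https://rpms.remirepo.net/RPM-GPG-KEY-remi
$ rpm -K remi-release-7.rpm
$ sudo yum -y install remi-release-7.rpm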

Install PHP 8.1

Install the Oracle Instant Client (at least the basic package) first; it is a dependency of the oci-related PHP packages (php-oci8 below).

# Enabling remi-php81 makes Remi's 8.1 builds replace the base php packages;
# the SCL php72 collection is removed first so the two do not collide.
# yum-config-manager --enable remi-php81
# yum -y autoremove rh-php72
# NOTE(review): "imap" is most likely meant to be "php-imap" — confirm.
# Nothing on this page starts FPM afterwards: the nginx config above expects
# it on 127.0.0.1:9000 (check the "listen" line in php-fpm's www.conf), then
# "systemctl enable --now php-fpm".
# yum install -y php php-cli php-bcmath php-devel php-fpm php-gd imap php-intl php-mbstring php-mysqlnd php-oci8 php-odbc php-pdo php-tidy php-xml


Install byobu

Install byobu and choose screen as the multiplexer: with screen, several ssh sessions can attach to the same session and each look at a different window, whereas tmux's default attach mirrors one view across all clients (tmux can do the same with grouped sessions, but it is less convenient here).

# yum -y install byobu
# Per-user setting; repeat for each account that should use the screen backend.
# byobu-select-backend screen

Copy secret key from primary gpg

On the base machine:

$ gpg --export-secret-key -a > secretkey.asc

Copy secretkey.asc to the new box over an authenticated channel such as scp (never e-mail or a shared drive), import it, then shred it on both machines.

# Import, then destroy the file. shred only overwrites blocks in place; on
# journaled or copy-on-write file systems (see the caveat in shred(1) — xfs is
# the RHEL 7 default) old copies may survive, so do not leave the file around
# longer than needed, and shred the copy on the base machine too.
$ gpg --import secretkey.asc
$ shred --remove secretkey.asc

Install NodeJS

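# Piping a remote script into a root shell executes whatever the server (or
# anyone between you and it) sends, unseen. Download it, read it, then run
# it; it is expected to do no more than add a yum repo and its signing key.
# "sudo curl" was unnecessary — only the bash step needs root. Also pick a
# Node line that is still supported upstream; 14.x no longer is.
$ curl -fsSL -o /tmp/nodesource_setup.sh https://rpm.nodesource.com/setup_14.x
$ less /tmp/nodesource_setup.sh
$ sudo -E bash /tmp/nodesource_setup.sh
$ sudo yum -y install nodejs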

Install vim-plug

# Fetches vim-plug unpinned from the master branch over HTTPS (-f fails on an
# HTTP error instead of saving the error page as plug.vim). Pin a tag or commit
# in the URL if you want a reproducible install.
curl -fLo ~/.vim/autoload/plug.vim --create-dirs https://raw.githubusercontent.com/junegunn/vim-plug/master/plug.vim

Rest of the set up detail

# ncurses headers; presumably needed to build something referenced by the
# dotfiles below — TODO confirm what.
$ sudo yum install ncurses-devel
  • ~/.gitconfig
  • ~/.gitignore__global
  • ~/.vimrc

Useful commands

System services

List all services

# Both forms list only units that are currently loaded (active or failed).
# To see disabled/static services as well: systemctl list-unit-files --type=service
# systemctl list-units --type=service
or
# systemctl --type=service

Package management

Refresh the subscription data and rebuild the yum metadata cache

# The first two lines re-sync the entitlement certificates yum uses to reach
# the RHEL CDN; the last one wipes the metadata cache (rm -rf catches what
# "clean all" leaves behind) and rebuilds it.
$ sudo service rhsmcertd restart
$ sudo subscription-manager refresh
$ sudo yum clean all && sudo rm -rf /var/cache/yum && sudo yum makecache

List all subscriptions

# Every subscription visible to the account, not just the ones attached here.
$ sudo subscription-manager list --all --available | more

Install downloaded RPM package

# A local install skips signature verification unless localpkg_gpgcheck=1 is
# set in /etc/yum.conf — run "rpm -K" on a hand-downloaded rpm first.
# (The argument is presumably the downloaded .rpm file — confirm the name.)
$ sudo yum -y localinstall ~/Downloads/screen

Check which repositories are enabled (yum reads only *.repo files; .rpmsave copies are ignored)

# yum reads only *.repo files; the .rpmsave entries below are backups left by
# a package update and have no effect. Note the sample output shows
# nginx-mainline with enabled=1 while the nginx.repo above sets enabled=0 —
# only one of stable/mainline should be enabled.
$ egrep -Hi '(^\[|^enabled)' /etc/yum.repos.d/*
/etc/yum.repos.d/epel.repo.rpmsave:[epel]
/etc/yum.repos.d/epel.repo.rpmsave:enabled=1
/etc/yum.repos.d/epel.repo.rpmsave:[epel-debuginfo]
/etc/yum.repos.d/epel.repo.rpmsave:enabled=0
/etc/yum.repos.d/epel.repo.rpmsave:[epel-source]
/etc/yum.repos.d/epel.repo.rpmsave:enabled=0
/etc/yum.repos.d/nginx.repo:[nginx-stable]
/etc/yum.repos.d/nginx.repo:enabled=1
/etc/yum.repos.d/nginx.repo:[nginx-mainline]
/etc/yum.repos.d/nginx.repo:enabled=1
...