RHEL: Difference between revisions

From Han Wiki

Latest revision as of 08:53, 31 August 2023

Setting up from scratch on a VM at work

User accounts

Create a new group

$ sudo groupadd dev
$ sudo usermod -a -G dev mhan1

Folder set up for web services

$ sudo mkdir /srv/www
$ sudo chown -R mhan1:dev /srv/www
$ sudo chmod g+s /srv/www

Web services

Install NGINX

Disable apache

# systemctl stop httpd
# systemctl disable httpd
$ sudo yum install yum-utils

Create /etc/yum.repos.d/nginx.repo

[nginx-stable]
name=nginx stable repo
baseurl=http://nginx.org/packages/centos/$releasever/$basearch/
gpgcheck=1
enabled=1
gpgkey=https://nginx.org/keys/nginx_signing.key
module_hotfixes=true

[nginx-mainline]
name=nginx mainline repo
baseurl=http://nginx.org/packages/mainline/centos/$releasever/$basearch/
gpgcheck=1
enabled=0
gpgkey=https://nginx.org/keys/nginx_signing.key
module_hotfixes=true

Install nginx

$ sudo yum install nginx

Set up folders

# cd /etc/nginx
# mkdir sites-available
# mkdir sites-enabled

Create a file named sites-available/unm.edu.conf

server {
        listen 80;
        listen [::]:80;
        server_name unm.edu *.unm.edu;
        return 301 https://$host$request_uri;
}

server {
        listen 443 ssl http2;
        listen [::]:443 ssl http2;

        server_name ~^(?<subdomain>.+)\.unm\.dev$;

        if (!-d /srv/www/unm.edu/$subdomain) {
                set $subdomain "base";
        }

        set $public "";
        if (-d /srv/www/unm.edu/$subdomain/public) {
                set $public public;
        }

        root /srv/www/unm.edu/$subdomain/$public;

        index index.php index.html index.htm;

        access_log /var/log/nginx/access-wildcard.unm.edu.log;
        error_log /var/log/nginx/error-wildcard.unm.edu.log;

        include php_81_params.conf;

        location / {
                try_files $uri $uri/ /index.php?$query_string;
        }

        ssl_certificate /etc/pki/tls/certs/_wildcard.unm.edu.pem;
        ssl_certificate_key /etc/pki/tls/private/_wildcard.unm.edu-key.pem;
        include ssl_params.conf;
}
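The interesting part of that second server block is how a Host header turns into a document root: the first label of the hostname picks a folder under /srv/www/unm.edu, a missing folder falls back to base, and a public subfolder wins if it exists. The following Python model of those rules is an added example, not part of the wiki page or of nginx; it uses the page's own server_name regex as written (note that it matches .unm.dev while the HTTP block and the certificate name unm.edu), and a temporary directory stands in for /srv/www/unm.edu.

```python
import os
import re
import tempfile
from typing import Dict, Optional

# Added example, not from the wiki page: a model of how the wildcard server
# block maps a Host header to a document root, so the fallback rules can be
# checked without running nginx. A temp dir stands in for /srv/www/unm.edu.
HOST_RE = re.compile(r"^(?P<subdomain>.+)\.unm\.dev$")  # same regex as server_name


def resolve_root(host: str, www_root: str) -> Optional[str]:
    """Return the document root nginx would use for `host`, or None when the
    server_name regex does not match (some other server block handles it)."""
    match = HOST_RE.match(host)
    if not match:
        return None
    subdomain = match.group("subdomain")
    # if (!-d /srv/www/unm.edu/$subdomain) { set $subdomain "base"; }
    if not os.path.isdir(os.path.join(www_root, subdomain)):
        subdomain = "base"
    # if (-d /srv/www/unm.edu/$subdomain/public) { set $public public; }
    public = "public" if os.path.isdir(os.path.join(www_root, subdomain, "public")) else ""
    # root /srv/www/unm.edu/$subdomain/$public;  (an empty $public leaves a trailing slash)
    return os.path.normpath(os.path.join(www_root, subdomain, public))


def build_demo_tree() -> str:
    """Constructed site tree: base/, app1/public/, and docs/ without a public folder."""
    root = tempfile.mkdtemp(prefix="unm_edu_")
    os.makedirs(os.path.join(root, "base"))
    os.makedirs(os.path.join(root, "app1", "public"))
    os.makedirs(os.path.join(root, "docs"))
    return root


def demo() -> Dict[str, Optional[str]]:
    """Resolve constructed hostnames against the demo tree; results are given
    relative to the tree so they are the same on every run."""
    root = build_demo_tree()
    hosts = ["app1.unm.dev", "docs.unm.dev", "nothere.unm.dev", "a.b.unm.dev", "unm.dev"]
    results = {}
    for host in hosts:
        resolved = resolve_root(host, root)
        results[host] = os.path.relpath(resolved, root) if resolved else None
    return results


if __name__ == "__main__":
    for host, root in demo().items():
        print(f"{host:18} -> {root}")
```

Two things the model makes visible: a multi-label host such as a.b.unm.dev is captured whole by the greedy .+ and therefore falls back to base, and if base itself does not exist the root points at a missing directory and every request 404s, so base/ should be created before the site is enabled.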


Create a file named /etc/nginx/php_81_params.conf

location ~ \.php$ {
        # only hand real .php files to PHP-FPM; a URI that merely ends in .php but has no
        # matching file gets a 404 here instead of reaching php-fpm (cgi.fix_pathinfo pitfall)
        try_files $uri =404;

        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_index index.php;

        fastcgi_buffers 8 16k;
        fastcgi_buffer_size 32k;
        fastcgi_connect_timeout 60;
        fastcgi_send_timeout 300;
        fastcgi_read_timeout 300;

        fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
        include fastcgi_params;

        fastcgi_pass 127.0.0.1:9000;
}

Add include /etc/nginx/sites-enabled/*.conf; at the end of the first block, before its closing brace. Then link the site into the /etc/nginx/sites-enabled/ folder (the earlier cd left the shell in /etc/nginx, so give the link's destination explicitly):

# ln -s /etc/nginx/sites-available/unm.edu.conf /etc/nginx/sites-enabled/

Create /etc/ssl/certs/dhparam.pem (generating 4096-bit parameters takes several minutes):

# openssl dhparam -out /etc/ssl/certs/dhparam.pem 4096

Create a file named /etc/nginx/ssl_params.conf

ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;

ssl_stapling on;
ssl_stapling_verify on;

# SSLv3 and TLS 1.0/1.1 are broken or deprecated; offer only TLS 1.2 and 1.3.
# TLS 1.3 needs nginx built against OpenSSL 1.1.1 or newer; on RHEL 7's
# OpenSSL 1.0.2 the directive is accepted but only TLS 1.2 is offered.
ssl_protocols TLSv1.2 TLSv1.3;
ssl_dhparam /etc/ssl/certs/dhparam.pem;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
ssl_prefer_server_ciphers on;
add_header Strict-Transport-Security max-age=15768000;

Install SSL certificates

Certificates should have been created by something like mkcert for a development environment. The certificate belongs in /etc/pki/tls/certs/ and the private key in /etc/pki/tls/private/. Then restrict the private key to its owner:

# chmod 600 /etc/pki/tls/private/_wildcard.unm.edu-key.pem
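The ssl_params.conf file above and the chmod on the private key are the two settings most worth re-checking after a change. The following lint is an added example, not from the wiki page or from nginx: it parses a flat ssl_params.conf-style file and flags obsolete protocols, weak cipher suites, session tickets left on and a missing or short HSTS max-age, and it checks that a key file has no group or other permission bits. The two config samples and the key file it runs on are constructed; the weak one enables SSLv3 and TLS 1.0/1.1 and keeps 3DES, the hardened one does not.

```python
import os
import re
import stat
import tempfile
from typing import List, Tuple

# Added example, not from the wiki page or nginx: a lint for flat ssl_params
# files plus the private-key permission check from the certificate step.

# Constructed: a weak file that still offers SSLv3/TLS 1.0/1.1 and 3DES.
WEAK_SSL_PARAMS = """\
ssl_session_tickets off;
ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:AES128-SHA:DES-CBC3-SHA:!aNULL:!MD5:!RC4';
ssl_prefer_server_ciphers on;
add_header Strict-Transport-Security max-age=15768000;
"""

# Constructed: the same file with protocols and ciphers tightened.
HARDENED_SSL_PARAMS = """\
ssl_session_tickets off;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305';
ssl_prefer_server_ciphers on;
add_header Strict-Transport-Security max-age=15768000;
"""

WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
WEAK_CIPHER_MARKERS = ("DES", "RC4", "MD5", "NULL", "EXPORT")  # substrings of weak suite names
MIN_HSTS_AGE = 15552000  # 180 days


def parse_directives(text: str) -> List[Tuple[str, str]]:
    """Split simple 'name value;' statements. Comments are dropped. A ';' inside a
    quoted value is NOT handled, so this is for flat parameter files only."""
    text = re.sub(r"#[^\n]*", "", text)
    out = []
    for stmt in text.split(";"):
        parts = stmt.strip().split(None, 1)
        if len(parts) == 2:
            out.append((parts[0], parts[1].strip().strip("'\"")))
    return out


def values(directives: List[Tuple[str, str]], name: str) -> List[str]:
    return [v for n, v in directives if n == name]


def lint_ssl_params(text: str) -> List[str]:
    """Return a list of findings; an empty list means nothing was flagged."""
    d = parse_directives(text)
    findings = []
    protos = set(" ".join(values(d, "ssl_protocols")).split())
    findings += [f"ssl_protocols enables {p}" for p in sorted(protos & WEAK_PROTOCOLS)]
    if not protos & {"TLSv1.2", "TLSv1.3"}:
        findings.append("ssl_protocols offers neither TLSv1.2 nor TLSv1.3")
    for spec in values(d, "ssl_ciphers"):
        for suite in spec.split(":"):
            # '!...' entries are exclusions, not offered suites
            if suite and not suite.startswith("!") and any(m in suite for m in WEAK_CIPHER_MARKERS):
                findings.append(f"ssl_ciphers includes {suite}")
    if "off" not in values(d, "ssl_session_tickets"):
        findings.append("ssl_session_tickets is on (nginx never rotates the ticket key by itself)")
    hsts = [v for v in values(d, "add_header") if v.startswith("Strict-Transport-Security")]
    age = re.search(r"max-age=(\d+)", hsts[0]) if hsts else None
    if age is None:
        findings.append("no Strict-Transport-Security header with max-age")
    elif int(age.group(1)) < MIN_HSTS_AGE:
        findings.append(f"HSTS max-age {age.group(1)} is below {MIN_HSTS_AGE}")
    return findings


def key_is_private(path: str) -> bool:
    """True when the file carries no group/other permission bits (what chmod 600 leaves)."""
    mode = os.stat(path).st_mode
    return (mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0


def demo_key_check() -> Tuple[bool, bool]:
    """Constructed key file: world-readable first, then chmod 600."""
    fd, path = tempfile.mkstemp(suffix="-key.pem")
    os.close(fd)
    os.chmod(path, 0o644)
    before = key_is_private(path)
    os.chmod(path, 0o600)
    after = key_is_private(path)
    os.remove(path)
    return before, after


if __name__ == "__main__":
    print("weak:", lint_ssl_params(WEAK_SSL_PARAMS))
    print("hardened:", lint_ssl_params(HARDENED_SSL_PARAMS))
    print("key private before/after chmod 600:", demo_key_check())
```

Run it against the real file with lint_ssl_params(open("/etc/nginx/ssl_params.conf").read()) and key_is_private("/etc/pki/tls/private/_wildcard.unm.edu-key.pem"). The parser is deliberately naive; for the full nginx.conf, with nested blocks and quoted values that contain semicolons, use nginx -T and a proper parser instead.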

Install EPEL & REMI repo

$ sudo subscription-manager repos --enable rhel-7-server-optional-rpms --enable rhel-7-server-extras-rpms
$ cd /tmp
$ wget https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
$ sudo yum -y install epel-release-latest-7.noarch.rpm

$ sudo yum install -y https://rpms.remirepo.net/enterprise/remi-release-7.rpm

Install PHP 8.1

Install Oracle Instant Client (at least the basic package) first; it is a dependency of the oci-related PHP packages.

# yum-config-manager --enable remi-php81
# yum -y autoremove rh-php72
# yum install -y php php-cli php-bcmath php-devel php-fpm php-gd imap php-intl php-mbstring php-mysqlnd php-oci8 php-odbc php-pdo php-tidy php-xml


Install byobu

Install byobu and choose screen as the multiplexer. Tmux doesn't allow multiple ssh sessions to show different screens.

# yum -y install byobu
# byobu-select-backend screen

Copy secret key from primary gpg

On the base machine:

$ gpg --export-secret-key -a > secretkey.asc

Copy secretkey.asc from the base machine to the new box, import it, then delete it with shred. The export left on the base machine should be shredded the same way once it has been copied.

$ gpg --import secretkey.asc
$ shred --remove secretkey.asc

Install NodeJS

This pipes the NodeSource setup script straight into a root shell, so read it before running it on anything but a throwaway VM. The curl itself does not need sudo:

$ curl -sL https://rpm.nodesource.com/setup_14.x | sudo -E bash -
$ sudo yum -y install nodejs

Install vim-plug

curl -fLo ~/.vim/autoload/plug.vim --create-dirs https://raw.githubusercontent.com/junegunn/vim-plug/master/plug.vim

Rest of the set up detail

$ sudo yum install ncurses-devel
  • ~/.gitconfig
  • ~/.gitignore__global
  • ~/.vimrc

Useful commands

System services

List all services

# systemctl list-units --type=service
or
# systemctl --type=service

Package management

Clean up cache for yum PM

$ sudo service rhsmcertd restart
$ sudo subscription-manager refresh
$ sudo yum clean all && sudo rm -rf /var/cache/yum && sudo yum makecache

List all subscriptions

$ sudo subscription-manager list --all --available | more

Install downloaded RPM package

$ sudo yum -y localinstall ~/Downloads/screen

Check if there are any disabled repositories

$ egrep -Hi '(^\[|^enabled)' /etc/yum.repos.d/*
/etc/yum.repos.d/epel.repo.rpmsave:[epel]
/etc/yum.repos.d/epel.repo.rpmsave:enabled=1
/etc/yum.repos.d/epel.repo.rpmsave:[epel-debuginfo]
/etc/yum.repos.d/epel.repo.rpmsave:enabled=0
/etc/yum.repos.d/epel.repo.rpmsave:[epel-source]
/etc/yum.repos.d/epel.repo.rpmsave:enabled=0
/etc/yum.repos.d/nginx.repo:[nginx-stable]
/etc/yum.repos.d/nginx.repo:enabled=1
/etc/yum.repos.d/nginx.repo:[nginx-mainline]
/etc/yum.repos.d/nginx.repo:enabled=1
...
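The egrep above answers "which repos are disabled" by eye; the following Python audit is an added example, not from the wiki page or from yum, that parses .repo files the way yum's INI format reads them, lists disabled repos, and additionally flags enabled repos that would install packages without signature verification or fetch metadata over plain http. The two repo files it runs on are constructed: one mirrors the nginx.repo from this page, the other is a made-up repo with gpgcheck=0; the load_repo_dir helper reads the real /etc/yum.repos.d when you want to audit the box itself.

```python
import configparser
import glob
import os
from typing import Dict, List

# Added example, not from the wiki page or yum: an audit of yum .repo files that
# reports disabled repos (the egrep's purpose) and flags unsafe enabled ones.
# The file contents below are constructed; the nginx one mirrors nginx.repo above.
SAMPLE_REPOS: Dict[str, str] = {
    "/etc/yum.repos.d/nginx.repo": """\
[nginx-stable]
name=nginx stable repo
baseurl=http://nginx.org/packages/centos/$releasever/$basearch/
gpgcheck=1
enabled=1
gpgkey=https://nginx.org/keys/nginx_signing.key

[nginx-mainline]
name=nginx mainline repo
baseurl=http://nginx.org/packages/mainline/centos/$releasever/$basearch/
gpgcheck=1
enabled = 0
gpgkey=https://nginx.org/keys/nginx_signing.key
""",
    "/etc/yum.repos.d/thirdparty.repo": """\
[thirdparty]
name=constructed example of a repo that skips signature checks
baseurl=http://repo.example.invalid/el7/
gpgcheck=0
enabled=1
""",
}


def audit_repo_text(path: str, text: str, main_gpgcheck: bool = True) -> List[dict]:
    """Parse one .repo file and report each section. Keys missing from a section
    fall back to yum.conf [main]; RHEL ships gpgcheck=1 there (main_gpgcheck)."""
    cp = configparser.ConfigParser(interpolation=None)  # keep $releasever literal
    cp.read_string(text, source=path)
    rows = []
    for sec in cp.sections():
        enabled = cp.get(sec, "enabled", fallback="1").strip() == "1"
        gpgcheck = cp.get(sec, "gpgcheck", fallback="1" if main_gpgcheck else "0").strip() == "1"
        repo_gpgcheck = cp.get(sec, "repo_gpgcheck", fallback="0").strip() == "1"
        gpgkey = cp.get(sec, "gpgkey", fallback="").strip()
        baseurl = cp.get(sec, "baseurl", fallback="").strip()
        issues = []
        if enabled:  # a disabled repo installs nothing, so only enabled ones are judged
            if not gpgcheck:
                issues.append("gpgcheck=0: packages install without signature verification")
            elif not gpgkey:
                issues.append("gpgcheck=1 but no gpgkey: the signing key must already be in the rpm keyring")
            if baseurl.startswith("http://") and not repo_gpgcheck:
                issues.append("plain-http baseurl without repo_gpgcheck: repo metadata is unauthenticated")
        rows.append({"file": path, "repo": sec, "enabled": enabled,
                     "gpgcheck": gpgcheck, "issues": issues})
    return rows


def audit_all(repos: Dict[str, str]) -> List[dict]:
    rows = []
    for path in sorted(repos):
        rows.extend(audit_repo_text(path, repos[path]))
    return rows


def disabled_repos(rows: List[dict]) -> List[str]:
    return [r["repo"] for r in rows if not r["enabled"]]


def load_repo_dir(directory: str = "/etc/yum.repos.d") -> Dict[str, str]:
    """Read the files yum actually consults: only *.repo. The egrep above also
    matches *.rpmsave backups, which yum ignores."""
    repos = {}
    for path in sorted(glob.glob(os.path.join(directory, "*.repo"))):
        with open(path, encoding="utf-8", errors="replace") as fh:
            repos[path] = fh.read()
    return repos


if __name__ == "__main__":
    for row in audit_all(SAMPLE_REPOS):
        state = "enabled " if row["enabled"] else "disabled"
        print(f"{state} {row['repo']:16} gpgcheck={int(row['gpgcheck'])} {'; '.join(row['issues'])}")
```

With gpgcheck=1 each package's signature is still verified even over http, so the plain-http finding is a note about metadata (which an on-path host could roll back to an older, still-signed package set) rather than about package integrity; enabling repo_gpgcheck=1 or switching the baseurl to https closes it.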