Difference between revisions of "Upgrading to Centos 7"

From Nuclear Physics Group Documentation Pages

Latest revision as of 17:49, 15 January 2018

Start

Start with the "Minimal" install

Then, once booted, use package groups to get the packages you want for the whole system. We also want the "EPEL" optional packages, so we add that too. Then, make Python users happy with ipython.


Example:

yum -y  --setopt=group_package_types=mandatory,default,optional groupinstall "Scientific Support" "Developer Tools" "System Management" "Security Tools" "Legacy UNIX Compatibility" "Compatibility Libraries" 
yum -y install epel-release
yum -y install python-pip python-devel python-virtualenv
pip install --upgrade pip

This allows for the extra stuff to just be there. See the Package Management pages for more details.

Setup Scientific Computing for Data Analysis

We need more! We need Python3 and ROOT, so get all of it from epel. ROOT also pulls in texlive in the bargain.

yum -y install root-*
yum -y install python34 python34-scipy python34-numpy python34-pip python34-jupyter-core python34-root python34-jupyroot python34-Cython
pip3 install --upgrade pip
pip3 install ipython

Turn Off SELINUX

It's a pain, we don't need it, turn it off. Edit /etc/sysconfig/selinux. If you cannot reboot, you can set SELINUX into "permissive" mode with "setenforce 0"; check with "sestatus". Permissive mode still records every would-be denial as an AVC message in /var/log/audit/audit.log, so anything that would have bitten you after the reboot shows up there first.

FIX THE @#$%%(!!! (idiots) DEFAULT FOR PERSISTENT LOG FILES

mkdir /var/log/journal
systemd-tmpfiles --create --prefix /var/log/journal
systemctl restart systemd-journald

Turn off "firewalld" and just use iptables

Again, firewalld is trying to be too sophisticated and is too obscure. Turn it off:

systemctl stop firewalld
systemctl disable firewalld
systemctl mask firewalld

Install the standard iptables in /etc/sysconfig and run iptables.

yum install iptables-services
systemctl enable iptables

Make sure the correct tables are installed in /etc/sysconfig/iptables

Setup Fail2Ban

See Fail2ban

Networking

New feature makes sure the ethernet devices have a consistent name. See RedHat:

The trick is to add a line (one per interface) to /etc/udev/rules.d/70-persistent-ipoib.rules like:

SUBSYSTEM=="net", ACTION=="add", ATTR{address}=="00:30:48:ce:e2:38", NAME="farm"
SUBSYSTEM=="net", ACTION=="add", ATTR{address}=="00:30:48:ce:e2:39", NAME="unh"

This works well and helps with using the system. You can also set the HWADDR in the network-scripts. This will then pick up the name from the script. Example from Pepper:

TYPE=Ethernet
NAME=farm
HWADDR=52:54:00:85:bf:0e
DEVICE=farm
ONBOOT=yes
IPADDR=10.0.0.245
PREFIX=24
# note: with IPADDR=10.0.0.245 and PREFIX=24 the gateway must lie in 10.0.0.0/24; 100.0.0.100 is off-link as written
GATEWAY=100.0.0.100
# the original listed DNS2 twice; the second key silently overrides the first, so the first is DNS1
DNS1=10.0.0.245
DNS2=10.0.0.253
DOMAIN=farm.physics.unh.edu
BOOTPROTO=none
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=yes
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_FAILURE_FATAL=no
IPV6_PEERDNS=yes
IPV6_PEERROUTES=yes
IPV6_PRIVACY=no
NM_CONTROLLED=no
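The two naming mechanisms above (a udev NAME rule keyed on the MAC, or HWADDR in the ifcfg file) both break silently on a mistyped MAC or an interface name the kernel rejects. The following shell script is an added example, not code from the wiki or the NPG systems: it validates a MAC and an interface name and then prints the udev rule line and the matching ifcfg identity lines for that NIC. The function names (mac_is_valid, ifname_is_valid, mac_normalise, udev_net_rule, ifcfg_stanza) are this example's own; the MACs and names used in the usage lines are the ones on the page.

```shell
#!/bin/bash
# Added example, not from the wiki page: generate the udev NAME rule and the matching
# ifcfg-<name> HWADDR stanza for one NIC, after validating the MAC address and the
# interface name. Function names are this example's own; MACs and names are the page's.

# A MAC is six colon-separated hex octets. The kernel reports it in lowercase and
# udev compares ATTR{address} literally, so callers normalise to lowercase first.
mac_is_valid() {
    printf '%s\n' "$1" | grep -Eq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# Kernel interface names are limited to 15 bytes (IFNAMSIZ-1); keep to a safe charset.
ifname_is_valid() {
    [ -n "$1" ] && [ "${#1}" -le 15 ] && printf '%s\n' "$1" | grep -Eq '^[A-Za-z0-9_.-]+$'
}

# Lowercase a MAC so it matches what udev sees.
mac_normalise() {
    printf '%s\n' "$1" | tr 'A-F' 'a-f'
}

# Print one rule line in the form the page uses for /etc/udev/rules.d; fail on bad input.
udev_net_rule() {            # $1 = MAC, $2 = desired interface name
    local mac name
    mac=$(mac_normalise "$1"); name=$2
    mac_is_valid "$mac"     || { echo "udev_net_rule: bad MAC '$1'" >&2; return 1; }
    ifname_is_valid "$name" || { echo "udev_net_rule: bad name '$name'" >&2; return 1; }
    printf 'SUBSYSTEM=="net", ACTION=="add", ATTR{address}=="%s", NAME="%s"\n' "$mac" "$name"
}

# Print the identity part of /etc/sysconfig/network-scripts/ifcfg-<name> for the same NIC
# (the HWADDR route the page prefers); addresses and routes are left to the caller.
ifcfg_stanza() {             # $1 = MAC, $2 = interface name
    local mac name
    mac=$(mac_normalise "$1"); name=$2
    mac_is_valid "$mac" && ifname_is_valid "$name" || return 1
    printf 'TYPE=Ethernet\nNAME=%s\nDEVICE=%s\nHWADDR=%s\nONBOOT=yes\nNM_CONTROLLED=no\n' \
        "$name" "$name" "$mac"
}

# Usage with the NICs from the page.
udev_net_rule 00:30:48:ce:e2:38 farm
udev_net_rule 00:30:48:ce:e2:39 unh
ifcfg_stanza 52:54:00:85:bf:0e farm
```

Redirect the udev_net_rule output into the rules file and the ifcfg_stanza output into ifcfg-farm, then add the IPADDR/PREFIX/GATEWAY lines by hand; a rule that never matches (wrong case, wrong octet) simply leaves the interface with its enp0sN name, which is the "finicky" behaviour the page complains about.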

You probably want to turn off the NetworkManager completely. See https://www.thegeekdiary.com/centos-rhel-7-how-to-disable-networkmanager

systemctl stop NetworkManager 
systemctl disable NetworkManager
systemctl mask NetworkManager
systemctl enable network
systemctl restart network

Fixup the hostname:

hostnamectl set-hostname "Your-Hostname"

Restore SSH keys

Copy the old /etc/ssh to the new one!

Get LDAP login to work

You need to install the openldap and openldap-clients, and sssd-ldap:

yum install openldap  openldap-clients sssd-ldap nss-pam-ldapd

Create and populate /etc/openldap/cacerts (copy from gourd), and create the /etc/sssd/sssd.conf file (copy from gourd).

AUTHORIZE

  authconfig --enablesssd --enablesssdauth --enableldap --enableldapauth --enablemkhomedir \
  --ldapserver=ldap://einstein --ldapbasedn=dc=physics,dc=unh,dc=edu --enablelocauthorize --enableldaptls --update

Get Certificates and config file (from Gourd):

 cd /etc/openldap
 rsync -ravHAX 10.0.0.252:/etc/openldap/cacerts  .
 cd /etc/sssd
 scp  10.0.0.252:/etc/sssd/sssd.conf  .

Enable and start the sssd service, or restart the service:

 systemctl enable sssd
 systemctl start sssd

Test:

 getent passwd
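"getent passwd" also succeeds when sss is not wired in at all; it then just prints the local accounts. The script below is an added example, not from the wiki: it checks that sss appears in the passwd and group lines of nsswitch.conf and that pam_sss.so is present in all four stacks of password-auth, and reports what is missing. File paths are parameters so the check runs offline against the constructed sample files at the bottom; the function names (nss_has_sss, pam_has_sss, check_sss_login) are this example's own.

```shell
#!/bin/bash
# Added example, not from the wiki page: verify that sss is actually wired into
# /etc/nsswitch.conf and /etc/pam.d/password-auth before trusting "getent passwd".
# Paths are parameters so the check runs against the constructed sample files below.

# True if nsswitch.conf routes database $2 (passwd, group, ...) through sss.
nss_has_sss() {          # $1 = nsswitch.conf, $2 = database
    grep -Eq "^[[:space:]]*$2:.*[[:space:]]sss([[:space:]]|$)" "$1"
}

# True if the PAM stack file $1 references pam_sss.so in management group $2.
pam_has_sss() {          # $1 = password-auth, $2 = auth|account|password|session
    grep -Eq "^[[:space:]]*$2[[:space:]].*pam_sss\.so" "$1"
}

# Report every missing piece; return 1 if anything is missing, 0 if all present.
check_sss_login() {      # $1 = nsswitch.conf, $2 = password-auth
    local rc=0 db grp
    for db in passwd group; do
        nss_has_sss "$1" "$db" || { echo "nsswitch: '$db' does not list sss"; rc=1; }
    done
    for grp in auth account password session; do
        pam_has_sss "$2" "$grp" || { echo "pam: no pam_sss.so in the '$grp' stack"; rc=1; }
    done
    return "$rc"
}

# Constructed sample files (not copied from any real host).
SAMPLES=$(mktemp -d)
trap 'rm -rf "$SAMPLES"' EXIT
cat > "$SAMPLES/nsswitch.good" <<'EOF'
passwd:     files sss
shadow:     files sss
group:      files sss
hosts:      files dns
EOF
cat > "$SAMPLES/nsswitch.bad" <<'EOF'
passwd:     files
group:      files
EOF
cat > "$SAMPLES/password-auth" <<'EOF'
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        sufficient    pam_sss.so use_first_pass
auth        required      pam_deny.so
account     required      pam_unix.so
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
session     required      pam_unix.so
session     optional      pam_sss.so
EOF

# Usage: on a real host run  check_sss_login /etc/nsswitch.conf /etc/pam.d/password-auth
check_sss_login "$SAMPLES/nsswitch.good" "$SAMPLES/password-auth" && echo "sample config: OK"
check_sss_login "$SAMPLES/nsswitch.bad"  "$SAMPLES/password-auth" || echo "sample config: sss missing (expected)"
```

A clean run of check_sss_login plus an LDAP user showing up in "getent passwd" together confirm the lookup path; a failed login with both in place points at sssd.conf or the TLS certificates rather than at PAM or NSS.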

Get NFS and Automount working

Install autofs and also install nfs:

yum install autofs nfs-utils

Enable and Startup the NFS subsystem:

systemctl enable rpcbind
systemctl enable nfs-server
systemctl start rpcbind
systemctl start nfs-server
systemctl start rpc-statd
systemctl start nfs-idmapd

Install /etc/auto.master and /etc/auto.net

Create mount point:

mkdir  /net
systemctl enable autofs
systemctl start autofs

Disks

If there is a data drive, mount it: edit /etc/fstab and add "LABEL=data /data ext4 defaults 1 2". Then export the drive over NFS (exportfs -v prints the options actually in effect, so you can confirm what clients get):

     echo "/data   10.0.0.0/24(rw,no_root_squash,async,no_subtree_check)" >> /etc/exports
     exportfs -a -v
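The exports line above hands out rw with no_root_squash and async to the whole 10.0.0.0/24, which is fine on a trusted farm network but is the kind of line that gets copied to the next host without thought. The script below is an added example, not code from the wiki or the NPG hosts: it parses one /etc/exports line into client/option pairs and prints a finding for each option that loosens the exportfs defaults (ro, sync, root_squash, secure), so the choice is deliberate. The option names are the ones exports(5) defines; the function names (export_clients, audit_export_line) are this example's own.

```shell
#!/bin/bash
# Added example, not from the wiki page: parse one /etc/exports line and list the
# options that widen what NFS clients may do. Option names are those of exports(5);
# function names are this example's own.

# Print "client options" pairs, one per line, for an exports line such as
#   /data  10.0.0.0/24(rw,no_root_squash)  trusted.example(ro)  *
# A client with no parenthesised options gets "-" (exportfs then applies the defaults).
export_clients() {       # $1 = one line of /etc/exports
    local path rest spec opts
    path=${1%%[[:space:]]*}
    rest=${1#"$path"}
    set -f                                 # a bare "*" client must not glob
    for spec in $rest; do
        case $spec in
            *\(*\)) opts=${spec#*\(}; opts=${opts%\)}; printf '%s %s\n' "${spec%%\(*}" "$opts" ;;
            *)      printf '%s -\n' "$spec" ;;
        esac
    done
    set +f
}

# Print one finding per option that loosens the defaults (ro,sync,root_squash,secure).
audit_export_line() {    # $1 = one line of /etc/exports
    local client opts
    export_clients "$1" | while read -r client opts; do
        case $client in
            '*') echo "$client: exported to every host that can reach the server" ;;
        esac
        case ",$opts," in
            *,no_root_squash,*) echo "$client: no_root_squash -> client root is root on this export" ;;
        esac
        case ",$opts," in
            *,async,*) echo "$client: async -> acknowledged writes can be lost if the server crashes" ;;
        esac
        case ",$opts," in
            *,insecure,*) echo "$client: insecure -> requests from unprivileged source ports accepted" ;;
        esac
    done
}

# Usage: the page's own line (expect two findings: no_root_squash and async).
audit_export_line "/data  10.0.0.0/24(rw,no_root_squash,async,no_subtree_check)"
```

Run it over the whole file with `grep -v '^#' /etc/exports | while read -r l; do audit_export_line "$l"; done` after editing and before `exportfs -a`; an export that should carry no_root_squash (the farm needs root on /data) then stands out from one that merely inherited it.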

SUDO

Fix the sudoers file, or copy it from the old config.

IPTables

Copy a decent iptables file and put it in /etc/sysconfig/iptables-npg. Make sure /etc/sysconfig/iptables-config points to that file.

Get the NPG tables system:

yum install perl-LDAP
scp gourd:/usr/local/bin/netgroup2iptables.pl  /usr/local/bin/
scp gourd:/etc/init.d/iptables-netgroups /etc/init.d/
systemctl enable iptables-netgroups

Backups

Restore backups:

 cp /mnt/OldSys/etc/rsync-backup.conf  /etc

Gourd Specific

Initial

  • Gourd would not boot from a USB stick. It seems the HW doesn't support this, though it is also possible the fault is with the front USB port. Boot from installer DVD.
  • Standard server install
  • No ethernet driver: nForce ethernet "forcedeth" not available, use the kmod-forcedeth driver from elrepo.org: http://elrepo.org/linux/elrepo/el7/x86_64/RPMS/kmod-forcedeth-0.64-1.el7.elrepo.x86_64.rpm
  • Note that Centos 7 (i.e. RHEL 7) comes standard with "firewalld". Not wanting to bother with "yet another config system for firewalls (tm)", this was disabled in favor of good old iptables, which is the underlying system anyway. This policy may change in the future. (To disable firewalld: "systemctl stop firewalld ; systemctl mask firewalld". To setup iptables: "yum install iptables-services; systemctl enable iptables", and then of course, configure the tables.)
  • Network interfaces are now renamed to a "consistent scheme" see: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Networking_Guide/ch-Consistent_Network_Device_Naming.html
  • FARM network = enp0s8 = farm; UNH network = enp0s9 = unh
  • Setting up bridge networking took a bit. The complication was that I just used "ifup" and "ifdown", and did not use "systemctl restart network".
  • Setting up sssd: The ldap authentication did not work when using TLS, because the MD5-signed certificate is no longer accepted. We need new certificates! For now, connect with ldap: instead of ldaps:
    • That does not appear to work for automount. Darn it!
  • Copied more sane iptable rules from endeavour, including blacklist.

Continued

  • Copy the old ssh keys from backup to Gourd. Unfortunately, the keys in /root are not backed up. I grabbed the ones from endeavour.
  • Setup proper (not MD5-signed) TLS certificates on Einstein, then get ldaps to work properly.
  • Fix the NFS mounting issues. When mounting with nfsvers=4, the username and group do not get passed properly and everything is "nobody". Fix this by forcing automount to mount everything with nfsvers=3 in the auto.net file. (NFSv4 maps names through the idmapd domain on both ends, which is the usual source of the "nobody" symptom; v3 carries numeric uid/gid and skips that mapping.)