Difference between revisions of "Upgrading to Centos 7"

From Nuclear Physics Group Documentation Pages
Jump to navigationJump to search
Line 92: Line 92:
 
= LOGS =
 
= LOGS =
  
 +
= SUDO =
 +
 +
Fix the sudoers file.
 +
 +
; UNKOWN ISSUE WITH SUDO and auth -- FIX ME
  
 
== Gourd ==
 
== Gourd ==

Revision as of 21:35, 4 August 2017

Turn Off SELINUX

It's a pain, we don't need it, turn it off. Edit /etc/sysconfig/selinux If you cannot reboot, you can set SELINUX into "permissive" mode with "setenforce 0", check with "sestatus"

Turn off "firewalld" and just use iptables

Again, firewalld is trying to be too sophisticated and is too obscure. Turn it off:

systemctl stop firewalld
systemctl disable firewalld
systemctl mask firewalld

Install the standard iptables in /etc/sysconfig and run iptables.

yum install iptables-services
systemctl enable iptables

Make sure the correct tables are installed in /etc/sysconfig/iptables

Setup Fail2Ban

See Fail2ban

Ethernet Device Naming

New feature makes sure the ethernet devices have a consistent name. See RedHat:

The trick is to add a line(s) to /etc/udev/rules.d/70-persistent-ipoib.rules like:

SUBSYSTEM=="net", ACTION=="add", ATTR{address}=="00:30:48:ce:e2:38", NAME="farm"
SUBSYSTEM=="net", ACTION=="add", ATTR{address}=="00:30:48:ce:e2:39", NAME="unh"

I found this whole scheme very confusing and finicky. MUCH BETTER: Set the HWADDR in the network-scripts. This will then pick up the name from the script. Example from Pepper:

TYPE=Ethernet
NAME=farm
HWADDR=52:54:00:85:bf:0e
DEVICE=farm
ONBOOT=yes
IPADDR=10.0.0.245
PREFIX=24
GATEWAY=100.0.0.100
DNS2=10.0.0.245
DNS2=10.0.0.253
DOMAIN=farm.physics.unh.edu
BOOTPROTO=none
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=yes
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_FAILURE_FATAL=no
IPV6_PEERDNS=yes
IPV6_PEERROUTES=yes
IPV6_PRIVACY=no
NM_CONTROLLED=no

Get LDAP login to work

You need to install the openldap and openldap-clients, and sssd-ldap:

yum install openldap  openldap-clients sssd-ldap

Create and populate /etc/openldap/cacerts (copy from gourd), and create the /etc/sssd/sssd.conf file (copy from grourd) Enable and start the sssd service:

 systemctl enable sssd
 systemctl start sssd

Allow sss in /etc/pam.d/password-auth and /etc/nsswitch.conf

Get Automount working

Install autofs and also install nfs:

yum install autofs, nfs-utils

Enable and Startup the NFS subsystem:

systemctl enable rpcbind
systemctl enable nfs-server
systemctl start rpcbind
systemctl start nfs-server
systemctl start rpc-statd
systemctl start nfs-idmapd

Install /etc/auto.master and /etc/auto.net

Create mount point:

mkdir  /net
systemctl enable autofs
systemctl start autofs

LOGS

SUDO

Fix the sudoers file.

UNKOWN ISSUE WITH SUDO and auth -- FIX ME

Gourd

Initial

  • Gourd would not boot from a USB stick. It seems the HW doesn't support this, though it is also possible the fault is with the front USB port. Boot from installer DVD.
  • Standard server install
  • No ethernet driver: nForce ethernet "forcedeth" not available, use the kmod-forcedeth driver from elrepo.org: http://elrepo.org/linux/elrepo/el7/x86_64/RPMS/kmod-forcedeth-0.64-1.el7.elrepo.x86_64.rpm
  • Note that Centos 7 (i.e. RHEL 7) comes standard with "firewalld". Not wanting to bother with "yet another config system for firewalls (tm)", this was disabled in favor of good old iptables, which is the underlaying system anyway. This policy may change int he future. (To disable firewalld: "systemctl stop firewalld ; systemctl mask firewalld'. To setup iptables: "yum install iptables-services; systemctl enable iptables", and then of course, configure the tables.)
  • Network interfaces are now renamed to a "consistent scheme" see: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Networking_Guide/ch-Consistent_Network_Device_Naming.html
  • FARM network = enp0s8 = farm UNH network=enp0s9 = unh
  • Setting up bridge networking took a bit. The complication was that I just used "ifup" and "ifdown", and did not use "systemctl restart network".
  • Setting up sssd: The ldap authentication did not work when using TLS, because the MD5 encrypted certificate is no longer accepted. We need new certificates! For now, connect with ldap: instead of ldaps:
    • That does not appear to work for automount. Darn it!
  • Copied more sane iptable rules from endavour, including blacklist.

Continued

  • Copy the old ssh keys from backup to Gourd. Unfortunately, the keys in /root are not backed up. I grabbed the ones from endeavour.
  • Setup proper (not MD5 encrypted) TLS certificates on Einstein, then get ldaps to work properly.
  • Fix the NFS mounting issues. When mount nfsvers=4, the username and group do not get passed properly and everything is "nobody". Fix this by forcing automount to mount everything nfsvers=3 in the auto.net file