Download the Ubuntu drivers from here
sudo dnf -y upgrade --refresh
(to ensure everything is updated)
reboot to ensure using latest kernel
sudo dnf -y install dkms libdrm-devel openssl
(I rebooted again to ensure those took effect as it didn’t seem to the first time)
sudo openssl req -new -x509 -newkey rsa:2048 -keyout MOK.priv -outform DER -out MOK.der -nodes -days 36500 -subj "/CN=Displaylink/"
(This is to sign the module for secure boot)
sudo mkdir /usr/src/evdi-1.12.0/
mkdir displaylink && cd displaylink
Make sure to extract the downloaded file above into this directory. Make the file executable (I just did this in the GUI as it was easier for me at this point)
git clone https://github.com/DisplayLink/evdi
cd evdi/module/
sudo cp * /usr/src/evdi-1.12.0/
sudo dkms build -m evdi -v 1.12.0 --force
sudo dkms install -m evdi -v 1.12.0
cd ~/displaylink
sudo ./displaylink-driver-5.6.1-59.184.run
or whatever version is available when you read this
reboot
After doing that, I was able to get it all working from a fresh install.
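The key generation above as a small script, added here as an example (it is not part of the original notes or of the DisplayLink/displaylink-rpm projects): it creates the key under a restrictive umask so the private half is never world-readable, and prints the certificate subject and SHA1 fingerprint so that, after you enroll MOK.der with mokutil --import and approve it in MokManager on the next boot, you can match the entry in mokutil --list-enrolled against what you generated. The output directory and CN are parameters; Displaylink is the CN the page uses.

```shell
#!/bin/sh
# Generate a Machine Owner Key (MOK) for signing out-of-tree kernel modules.
# Added example: the private key ends up in a mode-700 directory with mode 600.
# Usage: make_mok_key <output-dir> [common-name]
make_mok_key() {
  dir=$1
  cn=${2:-Displaylink}
  mkdir -p "$dir" && chmod 700 "$dir" || return 1
  # umask in a subshell so the restrictive setting does not leak into the caller
  (
    umask 077
    openssl req -new -x509 -newkey rsa:2048 -nodes -days 36500 \
      -keyout "$dir/MOK.priv" -outform DER -out "$dir/MOK.der" \
      -subj "/CN=$cn/" >/dev/null 2>&1
  )
}

# Subject of the DER certificate: what MokManager shows you at enrollment time.
mok_subject() {
  openssl x509 -inform DER -in "$1" -noout -subject
}

# SHA1 fingerprint in the same colon-hex form that `mokutil --list-enrolled` prints.
mok_fingerprint() {
  openssl x509 -inform DER -in "$1" -noout -fingerprint -sha1 | sed 's/^.*=//'
}

# Typical use (not executed here):
#   make_mok_key /root/mok && mok_fingerprint /root/mok/MOK.der
#   mokutil --import /root/mok/MOK.der    # then reboot and approve the key in MokManager
```

Keep MOK.priv off the machine once the module is signed if you can; whoever holds it can sign any module your firmware will then load.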
Links:
https://www.reddit.com/r/Fedora/comments/yxkm3w/fedora_37_anybody_know_how_to_get_displaylink_to/
https://github.com/displaylink-rpm/displaylink-rpm#secure-boot-on-fedora
https://github.com/displaylink-rpm/displaylink-rpm/issues/229
Environment
Oracle VM Server 3.4 installed on Cisco UCS blade
Oracle VM Manager 3.4
Problem Summary
1) This server has the same IP address as another server. Please correct that on the servers. Or,
2) The SMBIOS UUID of this server has changed due to a server motherboard change. Please delete the server from the manager and then re-discover it. Or,
3) The SMBIOS UUID has changed due to moving the blade in the chassis and there is an incorrect blade chassis SMBIOS UUID setting which allows the UUID of the server to change with the slot. Please update the blade chassis's SMBIOS UUID settings and re-discover.
In our situation we replaced a failed RAM module. I don't know why the server started with its original UUID instead of the one from the attached Service Profile.
[root@ovm-manager ~]# ssh admin@localhost -p 10000
admin@localhost’s password:
OVM> list server
Command: list server
Status: Success
Time: 2019-10-10 09:56:20,186 EDT
Data:
id:12:a8:01:4c:e9:ab:e1:11:00:00:00:00:00:00:00:01 name:ovm01.domain.com
id:12:a8:02:4c:e9:ab:e1:11:00:00:00:00:00:00:00:02 name:ovm02.domain.com
id:12:a8:03:4c:e9:ab:e1:11:00:00:00:00:00:00:00:03 name:ovm03.domain.com
id:12:a8:04:4c:e9:ab:e1:11:00:00:00:00:00:00:00:04 name:ovm04.domain.com
OVM> refresh server name=ovm04.domain.com
Command: refresh server name=ovm04.domain.com
Status: Failure
Time: 2019-10-10 10:01:41,685 EDT
JobId: 1570716101312
Error Msg: Job failed on Core: OVMAPI_6000E Internal Error: OVMAPI_4021E Server discover conflict at IP address: 10.10.10.10. The manager already has a server: ovm04.domain.com, at this IP address, with SMBIOS UUID: 12:a8:04:4c:e9:ab:e1:11:00:00:00:00:00:00:00:04 .
But the server now being discovered: unknown, at that same IP address, has a different SMBIOS UUID: 34:b9:15:5d:f0:cd:f2:22:00:00:00:00:00:00:00:05. This can happen in these cases:
1) This server has the same IP address as another server. Please correct that on the servers. Or,
2) The SMBIOS UUID of this server has changed due to a server motherboard change. Please delete the server from the manager and then re-discover it. Or,
3) The SMBIOS UUID has changed due to moving the blade in the chassis and there is an incorrect blade chassis SMBIOS UUID setting which allows the UUID of the server to change with the slot. Please update the blade chassis's SMBIOS UUID settings and re-discover.
Solution
Pin the server's UUID on the OVM Server side so that it no longer depends on what the hardware reports; the manager then keeps matching the host to its existing server record after a motherboard, RAM or slot change.
1. Get the OVM server UUID from OVM Manager: select the server, switch the perspective to "Info" and read it under the Advanced section (it is the same id that "list server" prints in the CLI above).
2. On the OVM Server, put that UUID on the "fakeuuid" line in /etc/ovs-agent/agent.ini (the line was present but had no value):
# cat /etc/ovs-agent/agent.ini
[server]
fakeuuid=12:a8:04:4c:e9:ab:e1:11:00:00:00:00:00:00:00:04
3. Restart the ovs-agent service on the OVM Server:
# service ovs-agent restart
4. Refresh the server from the OVM CLI:
4.1 Log in to the CLI on the manager server:
# ssh admin@localhost -p 10000
4.2 List the servers, then refresh the affected one:
OVM> list server
OVM> refresh server name=<name of the server as shown by "list server">
The server's status changes from "Starting" to "Running".
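The agent.ini edit from step 2 as a small script, added here as an example (not from the original notes or from Oracle): it validates that the value looks like the 16-byte colon-separated UUID the manager prints, writes it under [server] idempotently, and reads it back for a post-change check. Because the manager then identifies this host purely by the value the agent reports, agent.ini is identity-bearing configuration: keep it root-owned and out of reach of anything else on the host.

```shell
#!/bin/sh
# Pin the SMBIOS UUID that ovs-agent reports to OVM Manager (step 2 above), so a
# motherboard/RAM swap or blade move no longer makes the manager see a "new" server.
# Added example. Usage:
#   set_fakeuuid /etc/ovs-agent/agent.ini 12:a8:04:4c:e9:ab:e1:11:00:00:00:00:00:00:00:04
#   service ovs-agent restart

# Accept only the 16-byte colon-separated form that "list server" prints.
valid_ovm_uuid() {
  printf '%s\n' "$1" | grep -Eq '^([0-9a-fA-F]{2}:){15}[0-9a-fA-F]{2}$'
}

# Write fakeuuid=<uuid> under [server], replacing any existing fakeuuid line in
# that section and leaving every other line of agent.ini untouched.
set_fakeuuid() {
  ini=$1
  uuid=$2
  valid_ovm_uuid "$uuid" || { echo "set_fakeuuid: not a server UUID: $uuid" >&2; return 1; }
  [ -f "$ini" ] || : > "$ini"
  tmp=$(mktemp) || return 1
  if grep -q '^\[server\]' "$ini"; then
    awk -v u="$uuid" '
      /^\[server\]/               { print; print "fakeuuid=" u; insec = 1; next }
      /^\[/                       { insec = 0 }
      insec && /^fakeuuid[ \t]*=/ { next }    # drop the old value
      { print }' "$ini" > "$tmp"
  else
    cat "$ini" > "$tmp"
    printf '[server]\nfakeuuid=%s\n' "$uuid" >> "$tmp"
  fi
  # cat rather than mv: keeps the file's owner, mode and SELinux label
  cat "$tmp" > "$ini" && rm -f "$tmp"
}

# Read the pinned value back (empty if none) for a post-change check.
get_fakeuuid() {
  sed -n 's/^fakeuuid[ \t]*=[ \t]*//p' "$1" | head -n 1
}
```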
Links:
https://k10technical.blogspot.com/2018/10/oracle-vm-server-hangs-with-starting.html
Problem Summary
Cisco UCS alert – default Keyring’s certificate is invalid, reason: expired.
Solution
SSH to the UCS Manager cluster IP address and log in as an admin user:
ssh -l admin 10.16.8.101
UCS-A# scope security
UCS-A /security # scope keyring default
UCS-A /security/keyring* # set regenerate yes
UCS-A /security/keyring* # commit-buffer
UCS-A /security/keyring #
UCS-A /security/keyring # scope security
UCS-A /security # show keyring detail
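Finding out about expiry from a UCS fault is the expensive way; the regenerate-and-retrust cycle above then has to happen under time pressure, and everything that pinned the old self-signed certificate (browsers, scripts, monitoring) has to be taught the new one. The following is an added example, not from Cisco's documentation or the page's source: it fetches the certificate an HTTPS endpoint presents and tests how close it is to its notAfter date with openssl x509 -checkend. The address 10.16.8.101 is the one the page uses for ssh and is only an illustration; pass any host:port.

```shell
#!/bin/sh
# Catch a certificate before it expires instead of after the fault fires. Added example.
# Usage:
#   fetch_cert 10.16.8.101:443 > ucsm.pem      # UCSM VIP from the page; any host:port works
#   cert_summary ucsm.pem
#   cert_expires_within ucsm.pem 30 && echo "renew within 30 days"

# Leaf certificate presented by host:port, as PEM on stdout.
fetch_cert() {
  openssl s_client -connect "$1" -servername "${1%%:*}" </dev/null 2>/dev/null | openssl x509
}

# Subject and notAfter, for the record.
cert_summary() {
  openssl x509 -in "$1" -noout -subject -enddate
}

# Returns 0 if the certificate in $1 expires within $2 days (already expired counts),
# 1 otherwise. -checkend succeeds while the cert is still good for that many seconds,
# so its sense is inverted here.
cert_expires_within() {
  ! openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}
```

Run it from cron against every management endpoint you own and alert on a 30-day horizon; a regenerated UCS default keyring is self-signed again, so also plan for re-trusting it wherever the old one was accepted.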
Links:
https://community.cisco.com/t5/unified-computing-system/default-keyring-s-certificate-is-invalid/td-p/2016168
http://www.cisco.com/en/US/docs/unified_computing/ucs/sw/cli/config/guide/2.0/b_UCSM_CLI_Configuration_Guide_2_0_chapter_0110.pdf
This looks like a race between systemd and nginx: systemd tries to read the PID file before nginx has written it, so the unit start fails even though nginx is running. A short delay in a drop-in works around it:
mkdir /etc/systemd/system/nginx.service.d
printf "[Service]\nExecStartPost=/bin/sleep 0.1\n" > /etc/systemd/system/nginx.service.d/override.conf
systemctl daemon-reload
systemctl restart nginx
Link: http://alfredoroca.github.io/nginx/2016/09/04/How-to-solve-failure-read-of-nginx-pid-file
Installation
Following instructions from here https://www.postgresql.org/download/linux/redhat/:
Select version: 9.6 (I needed 9.6 because of my specific product requirements)
Select platform: RHEL7
Install the repository RPM: yum install https://download.postgresql.org/pub/repos/yum/9.6/redhat/rhel-7-x86_64/pgdg-redhat96-9.6-3.noarch.rpm
yum install postgresql96 postgresql96-server postgresql96-libs postgresql96-contrib
/usr/pgsql-9.6/bin/postgresql96-setup initdb
My previous PostgreSQL was 9.2 and it was installed from the RHEL repo, so all directories and configs are the standard ones.
Upgrade
This is important! pg_upgrade fails out of the box in this particular upgrade: it starts the old 9.2 server with the old parameter name, unix_socket_directory, but the RHEL 9.2 package already uses the 9.3 name unix_socket_directories (see https://www.postgresql.org/docs/9.3/release-9-3.html#AEN114343), so the old cluster refuses to start with "unrecognized configuration parameter". Luckily there's a workaround: wrap the old pg_ctl so that it rewrites the parameter name on the way through.
mv /usr/bin/pg_ctl{,-orig}
cat <<'EOF' > /usr/bin/pg_ctl
#!/bin/bash
# Temporary shim for pg_upgrade: rewrite unix_socket_directory -> unix_socket_directories
# in every argument, then hand off to the real 9.2 pg_ctl.
exec "$0-orig" "${@/unix_socket_directory/unix_socket_directories}"
EOF
chmod +x /usr/bin/pg_ctl
Let’s stop the old PostgreSQL 9.2 service and disable it
systemctl stop postgresql
systemctl disable postgresql
Finally actual upgrade:
su - postgres
#with --check first
/usr/pgsql-9.6/bin/pg_upgrade --old-bindir=/usr/bin/ --new-bindir=/usr/pgsql-9.6/bin/ --old-datadir=/var/lib/pgsql/data --new-datadir=/var/lib/pgsql/9.6/data/ --check
#if everything is ok, then
/usr/pgsql-9.6/bin/pg_upgrade --old-bindir=/usr/bin/ --new-bindir=/usr/pgsql-9.6/bin/ --old-datadir=/var/lib/pgsql/data --new-datadir=/var/lib/pgsql/9.6/data/
Undo the “hack”:
mv -f /usr/bin/pg_ctl{-orig,}
systemctl enable postgresql-9.6
systemctl start postgresql-9.6
systemctl status postgresql-9.6
Let’s run this analyze_new_cluster.sh:
su - postgres
/var/lib/pgsql/analyze_new_cluster.sh
and also check DB version
psql
SHOW server_version;
\q
Links:
https://www.postgresql.org/download/linux/redhat/
https://dba.stackexchange.com/questions/50135/pg-upgrade-unrecognized-configuration-parameter-unix-socket-directory
https://www.postgresql.org/docs/9.3/release-9-3.html#AEN114343
https://support.code42.com/Administrator/6/Planning_and_installing/PostgreSQL_upgrade_on_Red_Hat
http://www.uptimemadeeasy.com/databases/upgrade-postgresql/
Install rTorrent
yum install rtorrent screen
adduser rtorrent
Configure rTorrent
vi /home/rtorrent/.rtorrent.rc
# Where rTorrent saves the downloaded files
directory = /srv/torrent/downloads
# Where rTorrent saves the session
session = /srv/torrent/.session
# Which ports rTorrent can use (Make sure to open them in your router)
port_range = 50000-50000
port_random = no
# Check the hash after the end of the download
check_hash = yes
# Enable DHT (for torrents without trackers)
dht = auto
dht_port = 6881
peer_exchange = yes
# Authorize UDP trackers
use_udp_trackers = yes
# Enable encryption when possible
encryption = allow_incoming,try_outgoing,enable_retry
# SCGI port, used to communicate with Flood
scgi_port = 127.0.0.1:5000
mkdir /srv/torrent
mkdir /srv/torrent/downloads
mkdir /srv/torrent/.session
chmod 775 -R /srv/torrent
chown rtorrent:rtorrent -R /srv/torrent
chown rtorrent:rtorrent /home/rtorrent/.rtorrent.rc
vi /etc/systemd/system/rtorrent.service
[Unit]
Description=rTorrent
After=network.target
[Service]
User=rtorrent
Type=forking
KillMode=none
ExecStart=/usr/bin/screen -d -m -fa -S rtorrent /usr/bin/rtorrent
ExecStop=/usr/bin/killall -w -s 2 /usr/bin/rtorrent
WorkingDirectory=%h
[Install]
WantedBy=default.target
systemctl enable rtorrent.service
systemctl start rtorrent
Install Flood
yum install gcc-c++ make curl git -y
curl -sL https://rpm.nodesource.com/setup_8.x -o nodesource_setup.sh
Read the script before running it as root (it adds a yum repository and its GPG key to the system); then:
bash nodesource_setup.sh
yum install -y nodejs
cd /srv/torrent
git clone https://github.com/jfurrow/flood.git
cd flood
cp config.template.js config.js
To access Flood remotely (Flood speaks plain HTTP with its own login form, so either put it behind a TLS reverse proxy or restrict who can reach port 3000 in firewalld):
vi config.js
floodServerHost: '0.0.0.0'
npm install
If no error, continue with:
npm install -g node-gyp
npm run build
Start Flood
adduser flood
chown -R flood:flood /srv/torrent/flood/
vi /etc/systemd/system/flood.service
[Unit]
Description=Flood web UI for rTorrent
After=network.target rtorrent.service
[Service]
WorkingDirectory=/srv/torrent/flood
ExecStart=/usr/bin/npm start
Restart=always
StandardOutput=syslog
StandardError=syslog
SyslogIdentifier=notell
User=flood
Group=flood
Environment=NODE_ENV=production
[Install]
WantedBy=multi-user.target
systemctl enable flood
systemctl start flood
Flood should be available via http://IP:3000. You need to create a new user and you’re all set.
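Before opening anything in the router, it is worth checking what this setup actually listens on: the SCGI socket (scgi_port = 127.0.0.1:5000) is an unauthenticated XML-RPC control channel into rTorrent and must stay on loopback, while Flood on port 3000 is deliberately reachable. The following is an added example, not part of the original page or of the rTorrent/Flood projects: it classifies each listening TCP socket from ss -ltn output as loopback-only or exposed, and comes with a constructed sample of the expected post-install state so it can be tried offline.

```shell
#!/bin/sh
# Post-install check: which TCP listeners are loopback-only and which are reachable
# from the network. Added example. Feed it `ss -ltn` output on stdin:
#   ss -ltn | listener_exposure
#   ss -ltn | require_loopback 5000 || echo "rTorrent SCGI is exposed"

# One line per listener: "<port> loopback|exposed"
listener_exposure() {
  awk '
    $1 == "State" { next }                  # header line from ss
    $1 == "LISTEN" {
      addr = $4                             # Local Address:Port, e.g. 127.0.0.1:5000 or [::]:3000
      n = split(addr, a, ":")
      port = a[n]
      host = substr(addr, 1, length(addr) - length(port) - 1)
      if (host == "127.0.0.1" || host == "[::1]") print port, "loopback"
      else print port, "exposed"
    }'
}

# Exit 0 only if port $1 is listening and every listener on it is a loopback address.
require_loopback() {
  listener_exposure | awk -v p="$1" '
    BEGIN { seen = 0; bad = 0 }
    $1 == p { seen = 1; if ($2 != "loopback") bad = 1 }
    END { exit (seen && !bad) ? 0 : 1 }'
}

# Constructed sample of the state this page's setup should be in after both services start.
sample_ss_output() {
  cat <<'EOF'
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       128     127.0.0.1:5000      0.0.0.0:*
LISTEN  0       128     0.0.0.0:50000       0.0.0.0:*
LISTEN  0       511     *:3000              *:*
LISTEN  0       128     [::]:22             [::]:*
EOF
}
```

Port 50000 is rTorrent's peer port and is meant to be exposed; 22 and 3000 are your decision; 5000 must never show up as exposed.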
Links:
https://github.com/jfurrow/flood
https://freedif.org/flood-modern-web-ui-for-rtorrent
https://github.com/nodesource/distributions
https://wiki.archlinux.org/index.php/RTorrent
https://en.wikipedia.org/wiki/BitTorrent_protocol_encryption
Requirements
Supported Samba versions:
– Samba 3.0.25 or later in the 3.0 series
– Samba 3.2.X
– Samba 3.4.X
– Samba 3.5.X
Winbind must be installed and running when you use Samba 3.0.25 or a later 3.0 release. With Samba 3.2.X or 3.5.X, Winbind is not required.
The Samba package must support ADS security: PowerBroker Identity Services relies on security = ADS in a combined Samba and PBIS configuration.
For more information, see: https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member
Installation and configuration
https://github.com/BeyondTrust/pbis-open/releases
wget https://github.com/BeyondTrust/pbis-open/releases/download/8.6.0/pbis-open-8.6.0.427.linux.x86_64.rpm.sh
sh ./pbis-open-8.6.0.427.linux.x86_64.rpm.sh install
/opt/pbis/bin/domainjoin-cli join --assumeDefaultDomain yes sub.domain.com domainjoinusername
/opt/pbis/bin/update-dns
/opt/pbis/bin/get-status
yum install samba-3.6.23
mv /etc/samba/smb.conf /etc/samba/smb.conf_bk
vi /etc/samba/smb.conf
[global]
workgroup = SUB
realm = SUB.DOMAIN.COM
server string = %h server
security = ADS
map to guest = Bad User
pam password change = Yes
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
unix password sync = Yes
; syslog = 0
log file = /var/log/samba/log.%m
; max log size = 1000
load printers = No
printcap name = /dev/null
disable spoolss = Yes
dns proxy = No
; wins server = 10.10.10.10
; usershare allow guests = Yes
panic action = /usr/share/samba/panic-action %d
; idmap config * : range = 10000-33554431
; idmap config * : range = 3000-7999
; idmap config * : backend = tdb
; printing = bsd
; print command = lpr -r -P'%p' %s
; lpq command = lpq -P'%p'
; lprm command = lprm -P'%p' %j
machine password timeout = 0
; log level = 5
; debug pid = true
[share]
path = /smb/share
valid users = @adgroup
force user = aduser
force group = domain^users
read only = No
acl check permissions = No
create mask = 0640
directory mask = 0750
browseable = No
/opt/pbis/bin/samba-interop-install --check-version
Found smbd version 3.6.23-46el6_9
Samba version supported
/opt/pbis/bin/samba-interop-install --install --loglevel verbose
service smb restart;service nmb restart;
Troubleshooting
Issue: The primary group domain sid(S-1-2-34-5678901234-5678901234-5678901234-567) does not match the domain sid(S-1-2-34-2414616913-1771598462-3719962008) for aduser(S-1-22-1-1234567890)
Fix:
net getdomainsid
net setlocalsid S-1-2-34-5678901234-5678901234-5678901234-567
————————————————————————
# net ads join -U administrator
Enter administrator’s password: Passw0rd
Using short domain name — SUB
Joined ‘SMBTEST01V’ to dns domain ‘sub.domain.com’
————————————————————————
Debug:
smbclient //10.10.10.11/share/ -U SUB/aduser
smbclient -L 10.10.10.11 -U SUB/aduser
/opt/pbis/bin/enum-users
pbis status
/opt/pbis/bin/domainjoin-cli query
/opt/pbis/bin/lwsm list
/opt/pbis/bin/lwsm set-log-target -p lsass - file /tmp/lsass.log
/opt/pbis/bin/lwsm set-log-level -p lsass - debug
“Troubleshooting PBIS-Samba Integration” from here https://www.beyondtrust.com/wp-content/uploads/documentation-pbis-samba-integration-guide.pdf
Links:
https://www.beyondtrust.com/wp-content/uploads/documentation-pbis-samba-integration-guide.pdf
https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
https://github.com/BeyondTrust/pbis-open/releases
To check the PIC media type and status for a particular FPC, use the show chassis fpc pic-status fpc-slot command.
To display PIC hardware information, including the media type description, use the show chassis hardware command.
show chassis fpc <pic-status <fpc-slot>>
show chassis hardware
show chassis fpc pic-status
Slot 0 Online EX4600-40F
PIC 0 Online 24x10G-4x40G
PIC 1 Online EX4600-EM-8F
show chassis pic fpc-slot 0 pic-slot 0
FPC slot 0, PIC slot 0 information:
Type 24x10G-4x40G
State Online
PIC version 3.22
Uptime 111 days, 1 hours, 11 minutes, 11 seconds
PIC port information:
Port  Cable type      Fiber type  Xcvr vendor    Xcvr vendor part number  Wavelength  Xcvr firmware
2     10GBASE LR      SM          FINISAR CORP.  FTLX1471D3BCL-J1         1310 nm     0.0
6     GIGE 1000LX10   SM          FINISAR CORP.  FTLF1318P3BTL-J1         1310 nm     0.0
24    40GBASE SR4     MM          AVAGO          AFBR-79EQDZ-JU1          n/a         0.0
Some additional optic info. The xe-0/0/1 transceiver below reports a receive power of -40.00 dBm with the rx power low alarm and low warning set while every laser-side value is normal, i.e. the module is fine but no light is arriving on the receive fibre:
show interfaces diagnostics optics xe-0/0/1
Physical interface: xe-0/0/1
Laser bias current : 42.276 mA
Laser output power : 0.6990 mW / -1.56 dBm
Module temperature : 38 degrees C / 100 degrees F
Module voltage : 3.3150 V
Receiver signal average optical power : 0.0001 mW / -40.00 dBm
Laser bias current high alarm : Off
Laser bias current low alarm : Off
Laser bias current high warning : Off
Laser bias current low warning : Off
Laser output power high alarm : Off
Laser output power low alarm : Off
Laser output power high warning : Off
Laser output power low warning : Off
Module temperature high alarm : Off
Module temperature low alarm : Off
Module temperature high warning : Off
Module temperature low warning : Off
Module voltage high alarm : Off
Module voltage low alarm : Off
Module voltage high warning : Off
Module voltage low warning : Off
Laser rx power high alarm : Off
Laser rx power low alarm : On
Laser rx power high warning : Off
Laser rx power low warning : On
Laser bias current high alarm threshold : 85.000 mA
Laser bias current low alarm threshold : 15.000 mA
Laser bias current high warning threshold : 80.000 mA
Laser bias current low warning threshold : 20.000 mA
Laser output power high alarm threshold : 1.5840 mW / 2.00 dBm
Laser output power low alarm threshold : 0.1580 mW / -8.01 dBm
Laser output power high warning threshold : 1.2580 mW / 1.00 dBm
Laser output power low warning threshold : 0.1990 mW / -7.01 dBm
Module temperature high alarm threshold : 78 degrees C / 172 degrees F
Module temperature low alarm threshold : -13 degrees C / 9 degrees F
Module temperature high warning threshold : 73 degrees C / 163 degrees F
Module temperature low warning threshold : -8 degrees C / 18 degrees F
Module voltage high alarm threshold : 3.700 V
Module voltage low alarm threshold : 2.900 V
Module voltage high warning threshold : 3.600 V
Module voltage low warning threshold : 3.000 V
Laser rx power high alarm threshold : 1.7783 mW / 2.50 dBm
Laser rx power low alarm threshold : 0.0100 mW / -20.00 dBm
Laser rx power high warning threshold : 1.5849 mW / 2.00 dBm
Laser rx power low warning threshold : 0.0158 mW / -18.01 dBm
FirewallD
firewall-cmd --permanent --add-service=http
firewall-cmd --permanent --add-service=https
firewall-cmd --reload
Nginx
yum install epel-release
yum install nginx
systemctl enable nginx
systemctl start nginx
setsebool -P httpd_can_network_relay 1
setsebool -P httpd_can_network_connect 1
getsebool -a | grep -i http
HTTPS
mkdir -p /etc/ssl/nginx/drive.domain.com /etc/ssl/nginx/wiki.domain.com
openssl req -new -x509 -days 365 -nodes -out /etc/ssl/nginx/drive.domain.com/drive.domain.com.crt -keyout /etc/ssl/nginx/drive.domain.com/drive.domain.com.key -subj "/CN=drive.domain.com"
openssl dhparam -out /etc/ssl/nginx/drive.domain.com/dh4096.pem 4096
openssl req -new -x509 -days 365 -nodes -out /etc/ssl/nginx/wiki.domain.com/wiki.domain.com.crt -keyout /etc/ssl/nginx/wiki.domain.com/wiki.domain.com.key -subj "/CN=wiki.domain.com"
openssl dhparam -out /etc/ssl/nginx/wiki.domain.com/dh4096.pem 4096
Leave the keys root-owned: the nginx master process reads them as root before dropping privileges, so the nginx user needs no access to them.
chmod 600 /etc/ssl/nginx/drive.domain.com/drive.domain.com.key
chmod 600 /etc/ssl/nginx/wiki.domain.com/wiki.domain.com.key
restorecon -Rv /etc/ssl/nginx/
Nginx configuration
vi /etc/nginx/nginx.conf
server {
listen 80;
return 301 https://$host$request_uri;
}
vi /etc/nginx/conf.d/wiki.domain.com.conf
server {
listen 443 ssl;
server_name wiki.domain.com www.wiki.domain.com;
ssl_certificate /etc/ssl/nginx/wiki.domain.com/wiki.domain.com.crt;
ssl_certificate_key /etc/ssl/nginx/wiki.domain.com/wiki.domain.com.key;
ssl_session_cache builtin:1000 shared:SSL:10m;
# TLS 1.2 with AEAD suites only. The list these notes originally carried offered TLSv1/TLSv1.1
# and ended in !AESGCM, which removed every AEAD suite and left only CBC-mode ciphers.
ssl_protocols TLSv1.2;
ssl_ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256";
ssl_dhparam /etc/ssl/nginx/wiki.domain.com/dh4096.pem;
ssl_prefer_server_ciphers on;
access_log /var/log/nginx/wiki.domain.com.access.log;
location / {
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
# Fix the “It appears that your reverse proxy set up is broken" error.
proxy_pass http://192.168.0.24:8080;
proxy_read_timeout 90;
proxy_redirect http://192.168.0.24:8080 https://wiki.domain.com;
}
}
vi /etc/nginx/conf.d/drive.domain.com.conf
server {
listen 443 ssl;
server_name drive.domain.com www.drive.domain.com;
ssl_certificate /etc/ssl/nginx/drive.domain.com/drive.domain.com.crt;
ssl_certificate_key /etc/ssl/nginx/drive.domain.com/drive.domain.com.key;
ssl_session_timeout 5m;
# TLS 1.2 and AEAD suites only (the original list offered TLSv1/TLSv1.1 and excluded AESGCM).
ssl_protocols TLSv1.2;
ssl_ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256";
ssl_dhparam /etc/ssl/nginx/drive.domain.com/dh4096.pem;
ssl_prefer_server_ciphers on;
keepalive_timeout 70;
# OCSP stapling only takes effect with a CA-issued certificate; with the self-signed one above nginx ignores it.
ssl_stapling on;
ssl_stapling_verify on;
# Add headers to serve security related headers
# Before enabling Strict-Transport-Security headers please read into this topic first.
add_header Strict-Transport-Security "max-age=15552000; includeSubDomains";
add_header X-Content-Type-Options nosniff;
add_header X-Frame-Options "SAMEORIGIN";
add_header X-XSS-Protection "1; mode=block";
add_header X-Robots-Tag none;
add_header X-Download-Options noopen;
add_header X-Permitted-Cross-Domain-Policies none;
access_log /var/log/nginx/drive.domain.com.access.log;
location / {
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
# Fix the “It appears that your reverse proxy set up is broken" error.
proxy_pass http://192.168.0.23:8080;
proxy_read_timeout 90;
proxy_redirect http://192.168.0.23:8080 https://drive.domain.com;
}
}
Links:
https://www.digitalocean.com/community/tutorials/how-to-install-linux-nginx-mysql-php-lemp-stack-on-centos-7
https://www.digitalocean.com/community/tutorials/how-to-configure-nginx-with-ssl-as-a-reverse-proxy-for-jenkins
https://www.nginx.com/blog/nginx-se-linux-changes-upgrading-rhel-6-6/
http://sharadchhetri.com/2014/07/21/owncloud-error-accessing-server-untrusted-domain/
FirewallD
firewall-cmd --permanent --add-service=http
firewall-cmd --permanent --add-service=https
firewall-cmd --reload
#yum install policycoreutils-python
yum install epel-release
Nginx
yum install nginx
systemctl enable nginx
systemctl start nginx
vi /etc/nginx/conf.d/wiki.domain.com.conf
server {
listen 80;
server_name wiki.domain.com www.wiki.domain.com;
# For Lets Encrypt, this needs to be served via HTTP
location /.well-known/acme-challenge/ {
root /usr/share/nginx/html; # Specify here where the challenge file is placed
}
# enforce https
location / {
return 301 https://$server_name$request_uri;
}
}
server {
listen 443 ssl http2;
server_name wiki.domain.com www.wiki.domain.com;
ssl_certificate /etc/ssl/nginx/wiki.domain.com.crt;
ssl_certificate_key /etc/ssl/nginx/wiki.domain.com.key;
# Example SSL/TLS configuration. Please read into the manual of
# nginx before applying these.
ssl_session_timeout 5m;
# TLS 1.2 and AEAD suites only (the original list offered TLSv1/TLSv1.1 and excluded AESGCM).
ssl_protocols TLSv1.2;
ssl_ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256";
ssl_dhparam /etc/ssl/nginx/dh4096.pem;
ssl_prefer_server_ciphers on;
keepalive_timeout 70;
ssl_stapling on;
ssl_stapling_verify on;
root /usr/share/nginx/html/;
#client_max_body_size 5m;
client_max_body_size 100m;
client_body_timeout 60;
location / {
try_files $uri $uri/ @rewrite;
}
location @rewrite {
rewrite ^/(.*)$ /index.php?title=$1&$args;
}
location ^~ /maintenance/ {
return 403;
}
location ~ \.php$ {
# Only hand files that exist to PHP-FPM; together with cgi.fix_pathinfo=0 below this stops
# an uploaded image being executed as PHP via a path like /images/x.jpg/foo.php.
try_files $uri =404;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_pass unix:/var/run/php-fpm/php-fpm.sock;
fastcgi_param HTTPS on;
fastcgi_param modHeadersAvailable true; #Avoid sending the security headers twice
}
location ~* \.(js|css|png|jpg|jpeg|gif|ico)$ {
try_files $uri /index.php;
expires max;
log_not_found off;
}
location = /_.gif {
expires max;
empty_gif;
}
location ^~ /cache/ {
deny all;
}
location /dumps {
root /usr/share/nginx/html/local;
autoindex on;
}
}
systemctl restart nginx
PHP
yum install https://rpms.remirepo.net/enterprise/remi-release-7.rpm
yum install php-fpm php-cli php-gd php-xml php-intl texlive php-xcache php-pgsql php-mbstring php-json php-openssl pcre
php --version
vi /etc/php.ini
cgi.fix_pathinfo=0
vi /etc/php-fpm.d/www.conf
listen = /var/run/php-fpm/php-fpm.sock
listen.owner = nginx
listen.group = nginx
listen.mode = 0660
user = nginx
group = nginx
env[HOSTNAME] = $HOSTNAME
env[PATH] = /usr/local/bin:/usr/bin:/bin
env[TMP] = /tmp
env[TMPDIR] = /tmp
env[TEMP] = /tmp
systemctl enable php-fpm
systemctl start php-fpm
vi /usr/share/nginx/html/info.php
<?php phpinfo(); ?>
Remove info.php again once PHP-FPM is confirmed working; phpinfo() discloses paths, loaded modules and environment variables to anyone who can reach the page.
HTTPS
mkdir /etc/ssl/nginx/
restorecon -Rv /etc/ssl/nginx/
openssl req -new -x509 -days 365 -nodes -out /etc/ssl/nginx/wiki.domain.com.crt -keyout /etc/ssl/nginx/wiki.domain.com.key -subj "/CN=wiki.domain.com"
openssl dhparam -out /etc/ssl/nginx/dh4096.pem 4096
PostgreSQL
yum install postgresql postgresql-server postgresql-contrib
postgresql-setup initdb
systemctl enable postgresql
systemctl start postgresql
vi /var/lib/pgsql/data/postgresql.conf
listen_addresses = 'localhost'
port = 5432
cat <<EOT > /var/lib/pgsql/data/pg_hba.conf
# peer (not trust): the connecting OS user must match the database role, so only the
# postgres system account gets in as the postgres superuser over the local socket.
local all postgres peer
local all all md5
host all all 127.0.0.1/32 md5
host all all ::1/128 md5
EOT
passwd postgres
su - postgres
psql -d template1 -c "ALTER USER postgres WITH PASSWORD 'newpassword';"
createuser -S -D -R -P -E wikiuser #(then enter the password)
createdb -O wikiuser wikidb
exit
systemctl restart postgresql
semanage boolean -m --on httpd_can_network_connect_db
MediaWiki
wget https://releases.wikimedia.org/mediawiki/1.29/mediawiki-1.29.1.tar.gz
tar zxvf mediawiki-1.29.1.tar.gz
mv mediawiki-1.29.1/* /usr/share/nginx/html/
chown -R nginx:nginx /usr/share/nginx/html/*
chmod -R 0755 /usr/share/nginx/html/*
semanage fcontext -a -t httpd_sys_rw_content_t '/usr/share/nginx/html'
restorecon -Rv '/usr/share/nginx/html'
Labelling the whole tree httpd_sys_rw_content_t lets PHP rewrite its own code; once the wiki works, consider limiting the writable label to images/ (uploads) and the cache directory.
Once the web installer below has produced LocalSettings.php and you have copied it into the web root, restrict it (it holds the database password):
chmod 600 /usr/share/nginx/html/LocalSettings.php
systemctl restart php-fpm nginx; systemctl status php-fpm nginx
https://wiki.domain.com:20002/mw-config/index.php?page=Name
Name of wiki: wiki
Project namespace: Project
User rights profile: Private wiki
Settings for object caching: PHP object caching (APC, APCu, XCache or WinCache)
PostgreSQL DB backup
pg_dump wikidb > wikidbdump2017_09_27.sql
pg_dumpall --globals > postgres_globals2017_09_27.sql
Issues
MediaWiki 1.29 internal error: "MediaWiki 1.29 requires at least PHP version 5.5.9, you are using PHP 5.4.16. Supported PHP versions: Please consider upgrading your copy of PHP. PHP versions less than 5.5.0 are no longer supported by the PHP Group and will not receive security or bugfix updates. If for some reason you are unable to upgrade your PHP version, you will need to download an older version of MediaWiki from our website. See our compatibility page for details of which versions are compatible with prior versions of PHP. https://www.mediawiki.org/wiki/Compatibility#PHP"
This is what you get when php-fpm still comes from the stock CentOS 7 repository (PHP 5.4). Installing remi-release alone does not change that: the Remi base channel tracks the distribution's PHP version, and a newer PHP stream has to be enabled explicitly (yum-config-manager --enable remi-php56, or one of the later remi-php7x channels, as described in the Remi repository documentation) before the php-* packages in the PHP step above are installed.
Links:
https://www.digitalocean.com/community/tutorials/how-to-install-mediawiki-on-centos-7
https://www.nginx.com/resources/wiki/start/topics/recipes/mediawiki/
https://www.rosehosting.com/blog/install-mediawiki-on-a-centos-7-vps/
https://www.mediawiki.org/wiki/Special:MyLanguage/Manual:Installing_MediaWiki
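The three nginx configurations on this page (the reverse proxy for wiki/drive above, the MediaWiki server block in this section, and the ownCloud block further down) share one TLS fragment, and the version these notes originally carried had two problems a scanner would flag: ssl_protocols still offered TLSv1 and TLSv1.1, and the cipher string ended in !AESGCM, which throws away every AEAD suite and leaves only CBC-mode ciphers; the first proxy also had a server with listen 443; and no ssl, which serves plain HTTP on port 443. The script below is an added example (not from the page or from the nginx project) that finds those patterns in a config read from stdin; the sample is constructed from the page's own snippets plus one hardened block. Run it as nginx_tls_lint < /etc/nginx/conf.d/wiki.domain.com.conf after editing, before nginx -t and the reload.

```shell
#!/bin/sh
# Lint nginx server blocks for the TLS weaknesses discussed on this page. Added example.
# Reads a config on stdin, prints one finding per line, exits 1 if anything was found:
#   nginx_tls_lint < /etc/nginx/conf.d/wiki.domain.com.conf
nginx_tls_lint() {
  awk '
    function close_server() {
      if (plain443 && !sslon) { print "server " srv ": listen 443 without ssl (serves plain HTTP on 443)"; bad = 1 }
      insrv = 0; plain443 = 0; sslon = 0
    }
    { sub(/#.*/, "") }                                   # strip comments
    /^[ \t]*server[ \t]*\{/ { insrv = 1; depth = 0; srv = "?" }
    insrv && /^[ \t]*server_name[ \t]/ { srv = $2; sub(/;$/, "", srv) }
    insrv && /^[ \t]*listen[ \t]/ && /(^|[ \t:])443([ \t;]|$)/ && !/[ \t]ssl[ \t;]/ { plain443 = 1 }
    insrv && /^[ \t]*ssl[ \t]+on[ \t]*;/ {
      sslon = 1; print "server " srv ": deprecated \"ssl on\" (use \"listen 443 ssl\")"; bad = 1
    }
    /^[ \t]*ssl_protocols[ \t]/ && /(SSLv3|TLSv1([ \t;]|\.1))/ {
      print "line " NR ": legacy protocol in ssl_protocols (keep TLSv1.2 and up)"; bad = 1
    }
    /^[ \t]*ssl_ciphers[ \t]/ && /!AESGCM/ {
      print "line " NR ": !AESGCM disables every AEAD suite, leaving CBC only"; bad = 1
    }
    {
      depth += gsub(/\{/, "{"); depth -= gsub(/\}/, "}")   # brace depth, to know when a server block ends
      if (insrv && depth == 0) close_server()
    }
    END { exit bad ? 1 : 0 }'
}

# Constructed sample: the page's original fragments plus one hardened block.
sample_nginx_conf() {
  cat <<'EOF'
server {
    listen 443;
    server_name wiki.domain.com www.wiki.domain.com;
    ssl on;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers "-ALL:EECDH+AES256:EDH+AES256:!3DES:!AESGCM:!RC4";
}
server {
    listen 443;
    server_name drive.domain.com;
    ssl_protocols TLSv1.2;
}
server {
    listen 443 ssl http2;
    server_name ok.domain.com;
    ssl_protocols TLSv1.2;
    ssl_ciphers "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384";
}
EOF
}
```

The check is textual, so it sees what is in the file rather than what nginx negotiates; confirm the result from outside with a TLS scanner once the service is up.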
Interface configuration
set switch-options interface ge-2/0/17.0 interface-mac-limit 1
set switch-options interface ge-2/0/17.0 interface-mac-limit packet-action drop-and-log
set switch-options interface ge-2/0/17.0 persistent-learning
Clear specific interface MAC database
run clear ethernet-switching table interface ge-2/0/17.0
delete switch-options interface ge-2/0/17.0
Troubleshooting and verification
show interfaces ge-2/0/17 detail
show ethernet-switching interface ge-2/0/17
show ethernet-switching interface ge-2/0/17.0 brief
show configuration switch-options interface ge-2/0/17.0
interface-mac-limit {
3;
packet-action drop-and-log;
}
persistent-learning;
show ethernet-switching table interface ge-2/0/17.0
MAC database for interface ge-2/0/17.0
MAC flags (S - static MAC, D - dynamic MAC, L - locally learned, P - Persistent static
SE - statistics enabled, NM - non configured MAC, R - remote PE MAC)
Ethernet switching table : 73 entries, 73 learned
Routing instance : default-switch
Vlan       MAC                 MAC    Age  Logical
name       address             flags       interface
vlan.110   01:12:23:34:45:56   P      -    ge-2/0/17.0
vlan.110   56:45:34:23:12:01   P      -    ge-2/0/17.0
vlan.110   23:12:01:56:45:34   P      -    ge-2/0/17.0
show ethernet-switching table | match "01:12:23:34:45:56"
vlan.110 01:12:23:34:45:56 P - ge-2/0/17.0
show ethernet-switching table | match "ge-2/0/17.0"
vlan.110 01:12:23:34:45:56 P - ge-2/0/17.0
vlan.110 56:45:34:23:12:01 P - ge-2/0/17.0
vlan.110 23:12:01:56:45:34 P - ge-2/0/17.0
show ethernet-switching interface ge-2/0/17.0
Routing Instance Name : default-switch
Logical Interface flags (DL - disable learning, AD - packet action drop,
LH - MAC limit hit, DN - interface down,
SCTL - shutdown by Storm-control )
Logical        Vlan       TAG   MAC     STP         Logical interface   Tagging
interface      members          limit   state       flags
ge-2/0/17.0                     3                   AD,LH               untagged
               vlan.110   110   65535   Forwarding                      untagged
show log messages | match ge-2/0/17
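With persistent-learning the MACs in the table above stay bound to ge-2/0/17.0 across reboots until someone clears them, so the question during a review is whether the learned set is still the expected set (the AD,LH flags above say the limit has already been hit and extra addresses are being dropped). The following awk-based check is an added example, not from Juniper or the original notes: it reads saved show ethernet-switching table output and an allow-list of interface/MAC pairs and reports anything learned on a port that is not on the list. The sample table is constructed from the rows shown above.

```shell
#!/bin/sh
# Audit the MAC addresses a port has learned (and, with persistent-learning, keeps)
# against an allow-list. Added example. Usage:
#   mac_audit allowed.txt < table.txt      # table.txt = saved "show ethernet-switching table" output
# allowed.txt lines: "<logical-interface> <mac>", e.g. "ge-2/0/17.0 01:12:23:34:45:56"

mac_audit() {
  awk -v allow="$1" '
    BEGIN {
      while ((getline line < allow) > 0) {
        n = split(line, f, " ")
        if (n >= 2) ok[f[1] " " tolower(f[2])] = 1
      }
      close(allow)
    }
    # Data rows look like: vlan.110  01:12:23:34:45:56  P  -  ge-2/0/17.0
    # Header and legend lines never carry a 17-character MAC in field 2.
    length($2) == 17 && $2 ~ /^[0-9a-fA-F:]+$/ {
      mac = tolower($2); ifl = $NF
      if (!((ifl " " mac) in ok)) {
        print "unexpected " mac " on " ifl " (" $1 ", flags " $3 ")"
        bad = 1
      }
    }
    END { exit bad ? 1 : 0 }'
}

# Constructed from the table shown above.
sample_switching_table() {
  cat <<'EOF'
MAC database for interface ge-2/0/17.0
MAC flags (S - static MAC, D - dynamic MAC, L - locally learned, P - Persistent static
SE - statistics enabled, NM - non configured MAC, R - remote PE MAC)
Ethernet switching table : 73 entries, 73 learned
Routing instance : default-switch
Vlan       MAC                 MAC    Age  Logical
name       address             flags       interface
vlan.110   01:12:23:34:45:56   P      -    ge-2/0/17.0
vlan.110   56:45:34:23:12:01   P      -    ge-2/0/17.0
vlan.110   23:12:01:56:45:34   P      -    ge-2/0/17.0
EOF
}
```

An unexpected entry on an access port is either a device that was plugged in once and is now pinned, or the reason the real device is being dropped; clear it with the clear ethernet-switching table interface command above after checking.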
Links:
https://forums.juniper.net/t5/Ethernet-Switching/EX4300-Port-Security-MAC-Limiting-Allowed-MAC-amp-ELS/td-p/308978
http://www.juniper.net/documentation/en_US/junos10.2/topics/task/configuration/port-security-cli.html
http://www.juniper.net/documentation/en_US/junos/information-products/pathway-pages/ex4300/port-security.pdf
https://www.juniper.net/documentation/en_US/junos/topics/task/verification/port-security-qfx-series-mac-limiting.html
http://forums.juniper.net/t5/Junos/Mac-Filtering-on-EX4200-JUNOS/td-p/48473
https://networkengineering.stackexchange.com/questions/19181/how-can-i-view-a-list-of-which-macs-an-interface-is-restricted-to-on-a-juniper-s
FirewallD
#yum install policycoreutils-python
firewall-cmd --permanent --add-service=http
firewall-cmd --permanent --add-service=https
firewall-cmd --reload
MySQL(MariaDB)
yum install mariadb-server mariadb
systemctl enable mariadb
systemctl start mariadb
mysql_secure_installation
mysql -u root -p
CREATE DATABASE owncloud;
GRANT ALL ON owncloud.* to 'ownclouduser'@'localhost' IDENTIFIED BY 'password';
FLUSH PRIVILEGES;
quit
HTTPS
mkdir /etc/ssl/nginx/
restorecon -Rv /etc/ssl/nginx/
openssl req -new -x509 -days 365 -nodes -out /etc/ssl/nginx/drive.domain.com.crt -keyout /etc/ssl/nginx/drive.domain.com.key -subj "/CN=drive.domain.com"
openssl dhparam -out /etc/ssl/nginx/dh4096.pem 4096
Nginx
yum install epel-release
yum install nginx
systemctl enable nginx
systemctl start nginx
vi /etc/nginx/conf.d/drive.domain.com.conf
upstream php-handler {
#server 127.0.0.1:9000;
# Depending on your used PHP version
#server unix:/var/run/php5-fpm.sock;
#server unix:/var/run/php7-fpm.sock;
server unix:/var/run/php-fpm/php-fpm.sock;
}
server {
listen 80;
server_name drive.domain.com www.drive.domain.com;
# For Lets Encrypt, this needs to be served via HTTP
location /.well-known/acme-challenge/ {
root /usr/share/nginx/html; # Specify here where the challenge file is placed
}
# enforce https
location / {
return 301 https://$server_name$request_uri;
}
}
server {
listen 443 ssl http2;
server_name drive.domain.com www.drive.domain.com;
ssl_certificate /etc/ssl/nginx/drive.domain.com.crt;
ssl_certificate_key /etc/ssl/nginx/drive.domain.com.key;
# Example SSL/TLS configuration. Please read into the manual of
# nginx before applying these.
ssl_session_timeout 5m;
# TLS 1.2 and AEAD suites only (the original list offered TLSv1/TLSv1.1 and excluded AESGCM).
ssl_protocols TLSv1.2;
ssl_ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256";
ssl_dhparam /etc/ssl/nginx/dh4096.pem;
ssl_prefer_server_ciphers on;
keepalive_timeout 70;
ssl_stapling on;
ssl_stapling_verify on;
# Add headers to serve security related headers
# Before enabling Strict-Transport-Security headers please read into this topic first.
add_header Strict-Transport-Security "max-age=15552000; includeSubDomains";
add_header X-Content-Type-Options nosniff;
add_header X-Frame-Options "SAMEORIGIN";
add_header X-XSS-Protection "1; mode=block";
add_header X-Robots-Tag none;
add_header X-Download-Options noopen;
add_header X-Permitted-Cross-Domain-Policies none;
# Path to the root of your installation
root /usr/share/nginx/html;
location = /robots.txt {
allow all;
log_not_found off;
access_log off;
}
# The following 2 rules are only needed for the user_webfinger app.
# Uncomment it if you're planning to use this app.
#rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
#rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last;
location = /.well-known/carddav {
return 301 $scheme://$host/remote.php/dav;
}
location = /.well-known/caldav {
return 301 $scheme://$host/remote.php/dav;
}
# set max upload size
client_max_body_size 16400M;
fastcgi_buffers 64 4K;
# Disable gzip to avoid the removal of the ETag header
# Enabling gzip would also make your server vulnerable to BREACH
# if no additional measures are done. See https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=773332
gzip off;
# Uncomment if your server is built with the ngx_pagespeed module
# This module is currently not supported.
#pagespeed off;
error_page 403 /core/templates/403.php;
error_page 404 /core/templates/404.php;
location / {
rewrite ^ /index.php$uri;
}
location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ {
return 404;
}
location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) {
return 404;
}
location ~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+|core/templates/40[34])\.php(?:$|/) {
fastcgi_split_path_info ^(.+\.php)(/.*)$;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param SCRIPT_NAME $fastcgi_script_name; # necessary for owncloud to detect the contextroot https://github.com/owncloud/core/blob/v10.0.0/lib/private/AppFramework/Http/Request.php#L603
fastcgi_param PATH_INFO $fastcgi_path_info;
fastcgi_param HTTPS on;
fastcgi_param modHeadersAvailable true; #Avoid sending the security headers twice
fastcgi_param front_controller_active true;
fastcgi_read_timeout 180; # increase default timeout e.g. for long running carddav/ caldav syncs with 1000+ entries
fastcgi_pass php-handler;
fastcgi_intercept_errors on;
fastcgi_request_buffering off; #Available since NGINX 1.7.11
}
location ~ ^/(?:updater|ocs-provider)(?:$|/) {
try_files $uri $uri/ =404;
index index.php;
}
# Adding the cache control header for js and css files
# Make sure it is BELOW the PHP block
location ~ \.(?:css|js)$ {
try_files $uri /index.php$uri$is_args$args;
add_header Cache-Control "max-age=15778463";
# Add headers to serve security related headers (It is intended to have those duplicated to the ones above)
# Before enabling Strict-Transport-Security headers, please read up on this topic first.
add_header Strict-Transport-Security "max-age=15552000; includeSubDomains";
add_header X-Content-Type-Options nosniff;
add_header X-Frame-Options "SAMEORIGIN";
add_header X-XSS-Protection "1; mode=block";
add_header X-Robots-Tag none;
add_header X-Download-Options noopen;
add_header X-Permitted-Cross-Domain-Policies none;
# Optional: Don't log access to assets
access_log off;
}
location ~ \.(?:svg|gif|png|html|ttf|woff|ico|jpg|jpeg|map)$ {
add_header Cache-Control "public, max-age=7200";
try_files $uri /index.php$uri$is_args$args;
# Optional: Don't log access to other assets
access_log off;
}
}
systemctl restart nginx
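The server block above still enables TLSv1 and TLSv1.1 and repeats the security headers in two places, so it is easy for a later edit to drop one. The following script is an added example, not part of the original notes or of the ownCloud/nginx documentation: it reads an nginx server block from stdin and reports deprecated protocol versions, expected headers that are missing, and whether the HSTS max-age is at least the 15552000 seconds the notes use. NGINX_SAMPLE is a constructed excerpt mirroring the notes' settings (with two headers deliberately left out), and EXPECTED_HEADERS is the header list from the block above.

```shell
#!/bin/sh
# Added example (not from the original notes or from ownCloud/nginx): audit an
# nginx TLS server block for the points a reviewer would raise. NGINX_SAMPLE is
# a constructed excerpt that mirrors the notes' settings, including the
# TLSv1/TLSv1.1 protocols they enable; two of the notes' headers are omitted on
# purpose so the missing-header check has something to report.

NGINX_SAMPLE='server {
    listen 443 ssl http2;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_stapling on;
    add_header Strict-Transport-Security "max-age=15552000; includeSubDomains";
    add_header X-Content-Type-Options nosniff;
    add_header X-Frame-Options "SAMEORIGIN";
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Robots-Tag none;
    gzip off;
}'

# Headers the notes add in every block; a hardened block should carry all of them.
EXPECTED_HEADERS='Strict-Transport-Security X-Content-Type-Options X-Frame-Options
X-XSS-Protection X-Robots-Tag X-Download-Options X-Permitted-Cross-Domain-Policies'

# Read config text on stdin; print each deprecated protocol enabled by
# ssl_protocols, one per line (SSLv2, SSLv3, TLSv1, TLSv1.1).
weak_tls_protocols() {
    awk '$1 == "ssl_protocols" {
            for (i = 2; i <= NF; i++) {
                p = $i; sub(/;$/, "", p)
                if (p == "SSLv2" || p == "SSLv3" || p == "TLSv1" || p == "TLSv1.1") print p
            }
        }'
}

# Read config text on stdin; print each expected header that has no add_header line.
missing_security_headers() {
    conf=$(cat)
    for h in $EXPECTED_HEADERS; do
        printf '%s\n' "$conf" | grep -q "add_header[[:space:]][[:space:]]*$h" || echo "$h"
    done
}

# Read config text on stdin; succeed only if HSTS is present with a max-age of
# at least 15552000 seconds (180 days, the value the notes configure).
hsts_max_age_ok() {
    age=$(sed -n 's/.*Strict-Transport-Security "max-age=\([0-9]*\).*/\1/p' | head -n 1)
    [ -n "$age" ] && [ "$age" -ge 15552000 ]
}

# Stand-alone run: print the findings for the constructed sample.
printf 'Deprecated protocols: %s\n' "$(printf '%s\n' "$NGINX_SAMPLE" | weak_tls_protocols | tr '\n' ' ')"
printf 'Missing headers:      %s\n' "$(printf '%s\n' "$NGINX_SAMPLE" | missing_security_headers | tr '\n' ' ')"
if printf '%s\n' "$NGINX_SAMPLE" | hsts_max_age_ok; then
    echo 'HSTS max-age: ok'
else
    echo 'HSTS max-age: missing or shorter than 180 days'
fi
```

To check a live configuration, pipe the server block in instead of the sample, for example `nginx -T | weak_tls_protocols` after sourcing the functions. Because the notes duplicate the add_header lines inside the css/js location (nginx add_header directives in a nested block replace, rather than extend, the inherited ones), the same checks are worth running against each location block separately.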
PHP
yum install https://rpms.remirepo.net/enterprise/remi-release-7.rpm
#yum-config-manager --enable remi-php71
#yum --enablerepo=remi-php71 install php-fpm php-cli php-gd php-mcrypt php-mysql php-pear php-xml php-mbstring php-pdo php-json
vi /etc/yum.repos.d/remi-php71.repo
[remi-php71]
enabled=1
yum install php-fpm php-cli php-gd php-mcrypt php-mysqlnd php-pear php-xml php-mbstring php-pdo php-json php-pecl-zip php-intl
php --version
vi /etc/php.ini
cgi.fix_pathinfo=0
vi /etc/php-fpm.d/www.conf
listen = /var/run/php-fpm/php-fpm.sock
listen.owner = nginx
listen.group = nginx
listen.mode = 0660
user = nginx
group = nginx
env[HOSTNAME] = $HOSTNAME
env[PATH] = /usr/local/bin:/usr/bin:/bin
env[TMP] = /tmp
env[TMPDIR] = /tmp
env[TEMP] = /tmp
systemctl enable php-fpm
systemctl start php-fpm
vi /usr/share/nginx/html/info.php
<?php phpinfo(); ?>
Owncloud download and install
wget https://download.owncloud.org/community/owncloud-10.0.3.tar.bz2
tar jxvf owncloud-10.0.3.tar.bz2
mv owncloud/* /usr/share/nginx/html/
chown -R nginx:nginx /usr/share/nginx/html/
semanage fcontext -a -t httpd_sys_rw_content_t '/usr/share/nginx/html/data'
restorecon '/usr/share/nginx/html/data'
semanage fcontext -a -t httpd_sys_rw_content_t '/usr/share/nginx/html/config'
restorecon '/usr/share/nginx/html/config'
semanage fcontext -a -t httpd_sys_rw_content_t '/usr/share/nginx/html/apps'
restorecon '/usr/share/nginx/html/apps'
semanage fcontext -a -t httpd_sys_rw_content_t '/usr/share/nginx/html/assets'
restorecon '/usr/share/nginx/html/assets'
chown -R nginx:nginx /var/lib/php/session
Caching
APCu
yum install php-devel
yum groupinstall "Development Tools"
pecl install apcu
cat << EOF > /etc/php.d/20-apcu.ini
; APCu php extension
extension=apcu.so
EOF
vi /usr/share/nginx/html/config/config.php
'memcache.local' => '\OC\Memcache\APCu',
Redis
yum install centos-release-scl-rh
yum install rh-redis32-redis
pecl install redis
chown -R redis:redis /var/run/redis/
semanage fcontext -a -t redis_var_run_t '/var/run/redis(/.*)?'
restorecon -Rv /run/redis/
vi /etc/opt/rh/rh-redis32/redis.conf
unixsocket /var/run/redis/redis.sock
unixsocketperm 700
systemctl start rh-redis32-redis
systemctl enable rh-redis32-redis
yum install net-tools
ps ax | grep redis
netstat -tlnp | grep redis
cat << EOF > /etc/php.d/20-redis.ini
; Redis php extension
extension=redis.so
EOF
vi /usr/share/nginx/html/config/config.php
'memcache.locking' => '\OC\Memcache\Redis',
'redis' => [
'host' => '/var/run/redis/redis.sock',
'port' => 0,
],
usermod -a -G redis nginx
Additional SELinux configuration
setsebool -P daemons_enable_cluster_mode 1
semodule -l | grep my-redisserver
ausearch -c 'redis-server' --raw | audit2allow -M my-redisserver
semodule -i my-redisserver.pp
ausearch -c 'php-fpm' --raw | audit2allow -M my-phpfpm
semodule -i my-phpfpm.pp
ausearch -c 'nginx' --raw | audit2allow -M my-nginx
semodule -i my-nginx.pp
setsebool -P httpd_can_sendmail=1
systemctl restart php-fpm nginx; systemctl status php-fpm nginx
crontab -u nginx -e
*/15 * * * * /usr/bin/php -f /usr/share/nginx/html/cron.php
yum install samba-client nfs-utils
Links:
https://www.howtoforge.com/tutorial/owncloud-centos-install/
https://tecadmin.net/install-owncloud-on-centos/
https://doc.owncloud.org/server/10.0/admin_manual
https://www.simplehelix.com/blog/uncategorized/installing-and-configuring-nginx-php-fpm-mariadb-on-centos-7/
https://www.digitalocean.com/community/tutorials/how-to-install-linux-nginx-mysql-php-lemp-stack-on-centos-7
https://www.digitalocean.com/community/tutorials/how-to-upgrade-to-php-7-on-centos-7
https://stackoverflow.com/questions/6628275/how-to-get-my-session-to-write-to-apache
https://github.com/owncloud/core/issues/25927#issuecomment-262703655
https://doc.owncloud.org/server/9.1/admin_manual/installation/selinux_configuration.html#troubleshooting
https://doc.owncloud.org/server/10.0/admin_manual/configuration/server/caching_configuration.html#redis-label
https://help.nextcloud.com/t/install-nextcloud-into-root-directory-of-my-domain/2513?page=2
https://github.com/nrk/predis/issues/277
https://doc.owncloud.org/server/latest/admin_manual/installation/nginx_configuration.html#example-configurations
yum install mailx sendmail sendmail-cf -y
vi /etc/mail/sendmail.mc
dnl define(`SMART_HOST', `smtp.domain.com')dnl
dnl MASQUERADE_AS(`domain.com')dnl
m4 /etc/mail/sendmail.mc > /etc/mail/sendmail.cf
chkconfig sendmail on
service sendmail restart
GIT + gitolite installation
Prerequisites
yum install curl-devel expat-devel gettext-devel openssl-devel zlib-devel gcc perl-ExtUtils-MakeMaker
GIT installation
cd /usr/src
wget https://www.kernel.org/pub/software/scm/git/git-2.2.0.tar.gz
tar zxvf git-2.2.0.tar.gz
cd git-2.2.0
make prefix=/usr/local/git all
make prefix=/usr/local/git install
# single quotes so $PATH is expanded at login, not hardcoded into the file now
echo 'export PATH=$PATH:/usr/local/git/bin' >> /etc/bashrc
#SLES
echo 'export PATH=$PATH:/usr/local/git/bin' >> /etc/bash.bashrc
source /etc/bashrc
#SLES
source /etc/bash.bashrc
#.bash_profile
#export PATH=$PATH:/usr/local/git/bin
git --version
After this is done, you can also get Git via Git itself for updates:
cd /usr/src
git clone git://git.kernel.org/pub/scm/git/git.git
cd git
groupadd -g 54001 git
adduser -m --system -g git -d /opt/git -s /bin/bash git
ssh-keygen -t rsa
scp .ssh/id_rsa.pub root@192.168.1.84:/tmp/git-admin.pub
su - git
git clone git://github.com/sitaramc/gitolite
cd $HOME
mkdir -p bin
gitolite/install -to $HOME/bin
cd $HOME
$HOME/bin/gitolite setup -pk /tmp/git-admin.pub
Now go to your workstation and type in
git ls-remote git@server:gitolite-admin
This should return something like
9dd8aab60bac5e54caf887a87b4f3d35c95b05e4 HEAD
9dd8aab60bac5e54caf887a87b4f3d35c95b05e4 refs/heads/master
GIT Configuration
Prevent git push --force
git config --system receive.denyNonFastForwards true
git config --system receive.denyDeletes true
cat /usr/local/git/etc/gitconfig
[receive]
denyNonFastForwards = true
denyDeletes = true
Administration from workstation
yum install git
mkdir /home/user/work/git
cd /home/user/work/git/
git clone git@srvgit01v:gitolite-admin
cd gitolite-admin/
vim conf/gitolite.conf
git config --global user.name "Git-Admin"
git config --global user.email "user@domain.com"
git add keydir conf
git commit -m 'added users, repos'
git push origin master
Clients access
To check the available repos, and your access to them, use the following:
ssh git@192.168.1.100 info
or
ssh git@srvgit01v.sub1.domain.com info
Clone down the repo using:
git clone git@192.168.1.100:repo
or
git clone git@srvgit01v.sub1.domain.com:repo
Mirroring gitolite servers
Gitolite: Add, Edit, or Delete Git Repository Name
Add or create repository
Add entry for new project or repository in your gitolite config (conf/gitolite.conf)
Commit and push your changes. This will create and initialize your new repo.
Rename a repository
Modify the name of repo in your gitolite config (conf/gitolite.conf)
Move or rename the actual directory (depending on where you install it, ex: /home/git/repositories) to match your changes in gitolite config.
Commit and push your changes.
Note: Obviously, this changes the remote url of your repo, so don’t forget to change your git remote url config in your project clones.
Delete a repository:
Open your gitolite config and remove the project from there. Commit and push your changes.
Then delete its git directory (ex: /home/git/repositories/projectname.git)
You can also remove users/keys that are no longer used
Generate GIT 2.2 RPM
yum install -y rpm-build
mkdir -p ~/rpmbuild/{BUILD,BUILDROOT,RPMS,SOURCES,SPECS,SRPMS}
mkdir -p ~/src && cd ~/src
wget https://www.kernel.org/pub/software/scm/git/git-2.2.0.tar.gz
tar -xzvf git-2.2.0.tar.gz
mv git-2.2.0.tar.gz ~/rpmbuild/SOURCES
# Locate .spec file and build rpm
# If you get any errors during build, it is usually because of dependencies. Simply
# install the dependencies with `yum install [dependency]` and run rpmbuild again.
cd ~/src/git-2.2.0 && ls | grep *.spec
rpmbuild -ba git.spec --define '_prefix /usr/local'
Find
%files -n perl-Git -f perl-files
%defattr(-,root,root)
and add
#for CentOS 6
%config(noreplace) /usr/local/git/share/perl5/vendor_perl/*
or
#for CentOS 5
%config(noreplace) /usr/local/lib/perl5/vendor_perl/5.8.8/*
%config(noreplace) /usr/local/share/man/man3/*
If error: File /usr/src/redhat/SOURCES/git-2.2.0.tar.gz: No such file or directory
echo '%_topdir %(echo $HOME)/rpmbuild' > ~/.rpmmacros
or
#for Centos 7
Find
%files -n perl-Git -f perl-files
%defattr(-,root,root)
and add
%config(noreplace) /usr/local/share/perl5/vendor_perl/*
Install GIT 2.2 RPM
#CentOS 5
Installation of RPMforge
RPMforge
wget http://pkgs.repoforge.org/rpmforge-release/rpmforge-release-0.5.3-1.el5.rf.x86_64.rpm
rpm --import http://apt.sw.be/RPM-GPG-KEY.dag.txt
rpm -i rpmforge-release-0.5.3-1.el5.rf.*.rpm
yum install perl-YAML
or
wget http://pkgs.repoforge.org/perl-YAML/perl-YAML-0.72-1.el5.rf.noarch.rpm
rpm --import http://apt.sw.be/RPM-GPG-KEY.dag.txt
yum install perl-YAML-0.72-1.el5.rf.noarch.rpm
yum install git-2.2.0-1.x86_64.rpm git-cvs-2.2.0-1.x86_64.rpm gitk-2.2.0-1.x86_64.rpm perl-Git-2.2.0-1.x86_64.rpm git-email-2.2.0-1.x86_64.rpm git-svn-2.2.0-1.x86_64.rpm git-gui-2.2.0-1.x86_64.rpm gitweb-2.2.0-1.x86_64.rpm --nogpgcheck
#CentOS 6
yum install git-2.2.0-1.el6.x86_64.rpm gitk-2.2.0-1.el6.x86_64.rpm git-cvs-2.2.0-1.el6.x86_64.rpm git-svn-2.2.0-1.el6.x86_64.rpm git-email-2.2.0-1.el6.x86_64.rpm gitweb-2.2.0-1.el6.x86_64.rpm git-gui-2.2.0-1.el6.x86_64.rpm perl-Git-2.2.0-1.el6.x86_64.rpm
#CentOS 7
yum install git-2.2.0-1.el7.centos.x86_64.rpm git-svn-2.2.0-1.el7.centos.x86_64.rpm git-cvs-2.2.0-1.el7.centos.x86_64.rpm git-email-2.2.0-1.el7.centos.x86_64.rpm git-gui-2.2.0-1.el7.centos.x86_64.rpm gitk-2.2.0-1.el7.centos.x86_64.rpm gitweb-2.2.0-1.el7.centos.x86_64.rpm perl-Git-2.2.0-1.el7.centos.x86_64.rpm git-debuginfo-2.2.0-1.el7.centos.x86_64.rpm
Delete Git branch
ssh root@srvgit01v
cd /opt/git/repositories/repo1.git
git branch -D 4.1.0.6-rel
chown -R git:git /opt/git/repositories/repo1.git
Link:
http://www.tikalk.com/devops/backing-git-repos-git-bundle/
http://gitolite.com/gitolite/mirroring/#setting-up-mirroring
Server side Syslog-ng installation
vi /etc/sysconfig/iptables
-A INPUT -p tcp -m state --state NEW -m tcp --dport 514 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 514 -j ACCEPT
yum install epel-release
yum install syslog-ng syslog-ng-libdbi -y
vi /etc/syslog-ng/syslog-ng.conf
@version:3.2
options {
long_hostnames(off);
log_msg_size(8192);
flush_lines(1);
log_fifo_size(20480);
time_reopen(10);
# use_dns(yes);
use_dns(no);
# dns_cache(yes);
# use_fqdn(yes);
use_fqdn(no);
keep_hostname(yes);
chain_hostnames(no);
perm(0644);
stats_freq(43200);
};
source s_internal { internal(); };
destination d_syslognglog { file("/var/log/syslog-ng.log"); };
log { source(s_internal); destination(d_syslognglog); };
source s_local {
unix-dgram("/dev/log");
file("/proc/kmsg" program_override("kernel:"));
};
filter f_messages { level(info..emerg); };
filter f_secure { facility(authpriv); };
filter f_mail { facility(mail); };
filter f_cron { facility(cron); };
filter f_emerg { level(emerg); };
filter f_spooler { level(crit..emerg) and facility(uucp, news); };
filter f_local7 { facility(local7); };
destination d_messages { file("/var/log/messages"); };
destination d_secure { file("/var/log/secure"); };
destination d_maillog { file("/var/log/maillog"); };
destination d_cron { file("/var/log/cron"); };
destination d_console { usertty("root"); };
destination d_spooler { file("/var/log/spooler"); };
destination d_bootlog { file("/var/log/demsg"); };
log {source(s_local); filter(f_emerg); destination(d_console); };
log {source(s_local); filter(f_secure); destination(d_secure); flags(final); };
log {source(s_local); filter(f_mail); destination(d_maillog); flags(final); };
log {source(s_local); filter(f_cron); destination(d_cron); flags(final); };
log {source(s_local); filter(f_spooler); destination(d_spooler); };
log {source(s_local); filter(f_local7); destination(d_bootlog); };
log {source(s_local); filter(f_messages); destination(d_messages); };
source s_remote {
tcp(ip(0.0.0.0) port(514));
udp(ip(0.0.0.0) port(514));
};
destination r_console {file("/var/log/syslog-ng/$YEAR$MONTH$DAY/$HOST/console" owner("root") group("root") perm(0640) dir_perm(0750) create_dirs(yes)); };
destination r_secure {file("/var/log/syslog-ng/$YEAR$MONTH$DAY/$HOST/secure" owner("root") group("root") perm(0640) dir_perm(0750) create_dirs(yes)); };
destination r_cron {file("/var/log/syslog-ng/$YEAR$MONTH$DAY/$HOST/cron" owner("root") group("root") perm(0640) dir_perm(0750) create_dirs(yes)); };
destination r_spooler {file("/var/log/syslog-ng/$YEAR$MONTH$DAY/$HOST/spooler" owner("root") group("root") perm(0640) dir_perm(0750) create_dirs(yes)); };
destination r_bootlog {file("/var/log/syslog-ng/$YEAR$MONTH$DAY/$HOST/bootlog" owner("root") group("root") perm(0640) dir_perm(0750) create_dirs(yes)); };
destination r_messages {file("/var/log/syslog-ng/$YEAR$MONTH$DAY/$HOST/messages" owner("root") group("root") perm(0640) dir_perm(0750) create_dirs(yes)); };
log { source(s_remote); filter(f_emerg); destination(r_console); };
log { source(s_remote); filter(f_secure); destination(r_secure); flags(final); };
log { source(s_remote); filter(f_cron); destination(r_cron); flags(final); };
log { source(s_remote); filter(f_spooler); destination(r_spooler); };
log { source(s_remote); filter(f_local7); destination(r_bootlog); };
log { source(s_remote); filter(f_messages); destination(r_messages); };
mkdir /var/log/syslog-ng
chkconfig rsyslog off
chkconfig --list rsyslog
chkconfig syslog-ng on
chkconfig --list syslog-ng
service rsyslog stop
service syslog-ng restart
Client configuration
yum install epel-release -y
#CentOS6
yum install syslog-ng syslog-ng-libdbi -y
or
#CentOS5
yum install syslog-ng -y
echo 'destination srvmon01v { udp("192.168.1.60" port(514)); };' >> /etc/syslog-ng/syslog-ng.conf
echo 'log { source(s_sys); destination(srvmon01v); };' >> /etc/syslog-ng/syslog-ng.conf
#CentOS
chkconfig rsyslog off
chkconfig --list rsyslog
chkconfig syslog-ng on
chkconfig --list syslog-ng
service rsyslog stop
service syslog-ng restart
or
#SLES11
/etc/init.d/syslog restart
Installation and Configuration
yum install httpd php gcc glibc glibc-common gd gd-devel -y
useradd nagios
groupadd nagcmd
usermod -a -G nagcmd nagios
usermod -a -G nagcmd apache
yum install -y rpm-build doxygen gperf bind-utils mysql-devel net-snmp-utils openssl-devel postgresql-devel samba-client
mkdir -p ~/rpmbuild/{BUILD,BUILDROOT,RPMS,SOURCES,SPECS,SRPMS}
mkdir -p ~/src && cd ~/src
wget http://sourceforge.net/projects/nagios/files/nagios-4.x/nagios-4.0.8/nagios-4.0.8.tar.gz
wget http://www.nagios-plugins.org/download/nagios-plugins-2.0.3.tar.gz
tar zxvf nagios-4.0.8.tar.gz
tar zxvf nagios-plugins-2.0.3.tar.gz
mv nagios-4.0.8.tar.gz ~/rpmbuild/SOURCES
mv nagios-plugins-2.0.3.tar.gz ~/rpmbuild/SOURCES/
cd ~/src/nagios-4.0.8 && ls | grep *.spec
vi nagios.spec
#add
%define _libdir %{_exec_prefix}/lib
rpmbuild -ba nagios.spec
cd ~/src/nagios-plugins-2.0.3 && ls | grep *.spec
vi nagios-plugins.spec
comment %config(missingok,noreplace) %{_sysconfdir}/command.cfg
update %doc ChangeLog command.cfg
to
%doc ChangeLog
rpmbuild -ba nagios-plugins.spec
yum install -y nagios-4.0.8-2.el6.x86_64.rpm nagios-contrib-4.0.8-2.el6.x86_64.rpm nagios-devel-4.0.8-2.el6.x86_64.rpm nagios-plugins-2.0.3-1.x86_64.rpm
vi /etc/nagios/objects/contacts.cfg
mail user@domain.com;
vi /etc/httpd/conf.d/nagios.conf
#Order allow,deny
#Allow from all
Order deny,allow
Deny from all
Allow from 127.0.0.1 192.168.1.0/24 192.168.2.0/24
htpasswd -s -c /etc/nagios/htpasswd.users nagiosadmin
service httpd start
service nagios start
chkconfig httpd on
chkconfig nagios on
/usr/bin/nagios -v /etc/nagios/nagios.cfg
yum install policycoreutils-python
If SELinux is enforcing then add this line.
semanage fcontext -a -t httpd_sys_content_t /usr/share/nagios/
yum install mod_ssl
service httpd restart
vi /etc/nagios/nagios.cfg
cfg_dir=/etc/nagios/servers
NRPE Server installation/configuration
yum install nagios-plugins-nrpe -y
ln -s /usr/lib64/nagios/plugins/check_nrpe /usr/lib/nagios/plugins/check_nrpe
vi /etc/nagios/objects/commands.cfg
define command{
command_name check_nrpe
command_line /usr/lib/nagios/plugins/check_nrpe -H '$HOSTADDRESS$' -c '$ARG1$'
}
NRPE Client installation/configuration
#nrpe is a part of EPEL repo
yum install nrpe openssl -y
yum install nagios-plugins-2.0.3-1.x86_64.rpm -y
vi /etc/nagios/nrpe.cfg
#nagios server
allowed_hosts=127.0.0.1,192.168.1.60
service nrpe restart
chkconfig nrpe on
NRPE Server/Client configuration for PostgreSQL monitoring
server:
vi /etc/nagios/servers/dev-servers-services.cfg
define service {
use generic-service
host_name srvwiki01v
service_description Mediawiki PostgreSQLD Connection
check_command check_nrpe!check_pgsql
}
client:
vi /etc/nagios/nrpe.cfg
command[check_pgsql]=/usr/lib/nagios/plugins/check_pgsql -H 192.168.1.62 -l nagios
service nrpe restart
Testing from server:
/usr/lib/nagios/plugins/check_nrpe -H 192.168.1.62 -c check_pgsql
CRITICAL - no connection to 'wikidb' (FATAL: no pg_hba.conf entry for host "192.168.1.62", user "nagios", database "wikidb", SSL off). *
* or default DB - "template1"
Let’s configure ACL:
vi /var/lib/pgsql/data/pg_hba.conf
host template1 nagios 192.168.1.62/32 trust
Create nagios user in postgresql:
su postgres -c bash
$ createuser
Enter name of role to add: nagios
Shall the new role be a superuser? (y/n) n
Shall the new role be allowed to create databases? (y/n) n
Shall the new role be allowed to create more new roles? (y/n) n
$ exit
Testing connection from nagios server:
[root@srvmon01v ~]# /usr/lib/nagios/plugins/check_nrpe -H 192.168.1.62 -c check_pgsql
OK - database wikidb (0.003504 sec.)|time=0.003504s;2.000000;8.000000;0.000000
SNMP Client configuration
CentOS6
yum install -y net-snmp
or
CentOS5
yum install -y net-snmp net-snmp-utils net-snmp-devel
or
SLES11
zypper install net-snmp
service snmpd stop
mv /etc/snmp/snmpd.conf /etc/snmp/snmpd.conf_bak
#Creating snmpv3 user
CentOS6
net-snmp-create-v3-user -ro -A snmpv3authPass -a SHA -X snmpv3encPass -x AES snmpv3user
or
CentOS5
net-snmp-config --create-snmpv3-user -ro -A snmpv3authPass -a SHA -X snmpv3encPass -x AES snmpv3user
chkconfig snmpd on
service snmpd start
snmpwalk -u snmpv3user -A snmpv3authPass -a SHA -X snmpv3encPass -x AES -l authPriv 127.0.0.1 -v3
#Ubuntu 9
remove /usr/share/snmp/snmp.conf and /var/lib/snmp/snmpd.conf
net-snmp-config --create-snmpv3-user -ro -A snmpv3authPass -a SHA -X snmpv3encPass -x AES snmpv3user
start snmpd
vi /etc/sysconfig/iptables
CentOS6
-A INPUT -m state --state NEW -m udp -p udp -s 192.168.1.60 --dport 161 -j ACCEPT
or
CentOS5
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp -s 192.168.1.60 --dport 161 -j ACCEPT
service iptables restart
Embedded DB wiki backup (sqlite)
cd /var/www/html/wiki/
php maintenance/sqlite.php --backup-to /home/user/wikisqlitedb-2017_01_27.backup
cd /var/www/html/
tar zcvfh wikidata2017_01_27.tar.gz wiki
cd /var/www/html/wiki
php maintenance/dumpBackup.php --full > dump-2017_01_27.xml
Mediawiki installation and configuration
Be careful: you have to create the main page yourself (there is no way to import the main page with the XML import feature). Copy the main page source from the old MediaWiki server!
yum install httpd php php-gd php-xml postgresql postgresql-server php-pgsql
chkconfig --level 345 postgresql on
chkconfig --level 345 httpd on
service postgresql initdb
vi /var/lib/pgsql/data/postgresql.conf
listen_addresses = 'localhost'
port = 5432
cat << _EOT >> /var/lib/pgsql/data/pg_hba.conf
local all postgres trust
local all all md5
host all all 127.0.0.1/32 md5
host all all ::1/128 md5
_EOT
service postgresql start
su - postgres
psql -c "alter user postgres with password 'password'"
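Both pg_hba.conf fragments in these notes use the "trust" method: the nagios check above grants it to one host for template1, and the lines just written grant it to the local postgres role. The script below is an added example, not part of the original notes or of PostgreSQL: it reads pg_hba.conf text from stdin, lists every trust rule for review, and flags any host rule whose trust grant covers more than a single address. PG_HBA_SAMPLE is constructed from the two fragments above plus one deliberately wide 0.0.0.0/0 line to show what the check catches; it assumes the CIDR address form (ADDRESS as one field), not the separate IP-plus-netmask form.

```shell
#!/bin/sh
# Added example, not part of the original notes: list the pg_hba.conf rules that
# use the "trust" method (no password at all) so they can be reviewed.
# PG_HBA_SAMPLE is constructed from the two fragments in the notes; the final
# 0.0.0.0/0 line is an added bad example. Assumes the CIDR form of ADDRESS
# (one field); the "IP netmask" two-field form is not handled.

PG_HBA_SAMPLE='# TYPE  DATABASE  USER      ADDRESS           METHOD
local   all       postgres                    trust
local   all       all                         md5
host    all       all       127.0.0.1/32      md5
host    all       all       ::1/128           md5
host    template1 nagios    192.168.1.62/32   trust
host    all       all       0.0.0.0/0         trust'

# Read pg_hba.conf text on stdin; print every trust rule as
# "TYPE DATABASE USER ADDRESS" ("-" for local socket rules, which have no ADDRESS).
trust_rules() {
    awk '/^[[:space:]]*#/ || NF == 0 { next }
         $1 == "local" && $4 == "trust" { print $1, $2, $3, "-" }
         $1 != "local" && $5 == "trust" { print $1, $2, $3, $4 }'
}

# Read pg_hba.conf text on stdin; succeed if any host trust rule covers more than
# a single address (IPv4 prefix shorter than /32, IPv6 shorter than /128).
has_wide_trust() {
    trust_rules | awk '$4 != "-" && index($4, "/") {
            split($4, a, "/")
            if (a[2] + 0 < (index(a[1], ":") ? 128 : 32)) found = 1
        } END { exit found ? 0 : 1 }'
}

# Stand-alone run over the constructed sample.
echo 'trust rules (TYPE DATABASE USER ADDRESS):'
printf '%s\n' "$PG_HBA_SAMPLE" | trust_rules
if printf '%s\n' "$PG_HBA_SAMPLE" | has_wide_trust; then
    echo 'WARNING: a trust rule covers more than one host'
fi
```

On a real server run `trust_rules < /var/lib/pgsql/data/pg_hba.conf` after sourcing the functions. A single-host trust rule like the nagios one still means anyone who can reach PostgreSQL from that address can connect as that role; the md5 method with a dedicated password for the nagios role avoids that while keeping the check working.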
semanage boolean -m --on httpd_can_network_connect_db
vi /etc/sysconfig/iptables
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
service httpd restart
wget http://releases.wikimedia.org/mediawiki/1.24/mediawiki-1.24.1.tar.gz
tar zxvf mediawiki-1.24.1.tar.gz
vi /etc/httpd/conf.d/mediawiki.conf
### MediaWiki Configuration
Alias /wiki /var/www/html/wiki
<Directory /var/www/html/wiki>
Options Indexes FollowSymLinks
AllowOverride None
Order allow,deny
# Uncomment this if you have no restrictions
Allow from all
# For restrictive networks, consider using the
# below and tailoring it to your likings
#Allow from 127.0.0.1
#Allow from 192.168.0.
RewriteEngine On
# so skins, images and extensions work
RewriteRule ^(images|skins|extensions)/ - [L]
# Forces specified index page to go ahead and load
RewriteRule ^(load|index).php - [L]
# The following makes it so if our configuration file isn't
# present we will always catch this rewrite rule (allowing the
# user to set up mediawiki)
RewriteCond /usr/share/mediawiki/LocalSettings.php !-f
RewriteRule ^(.+) - [PT]
# Path Formatting
RewriteRule ^/*$ /wiki/index.php?title=Main_Page [L,QSA]
RewriteRule ^/*(.+)$ /wiki/index.php?title=$1 [PT,L,QSA]
## Support colon (:)
RewriteRule ^/(.*:.*)$ /wiki/index.php?title=$1 [L]
</Directory>
<Directory "/var/www/html/wiki/images">
# Ignore .htaccess files
AllowOverride None
# Serve HTML as plaintext, don't execute SHTML
AddType text/plain .html .htm .shtml .php
# Don't run arbitrary PHP code.
php_admin_flag engine off
RewriteEngine On
RewriteCond %{QUERY_STRING} \.[^\\/:*?\x22|%]+(#|\?|$) [nocase]
RewriteRule . - [forbidden]
# If you've other scripting languages, disable them too.
</Directory>
Go to http://Wiki_IP/wiki to configure the wiki and generate LocalSettings.php. Copy LocalSettings.php to the wiki dir.
Import content from old wiki
cd /var/www/html/wiki/
php maintenance/importDump.php < dumpfile.xml
Mediawiki AD integration
Go to http://www.mediawiki.org/wiki/Special:ExtensionDistributor/LdapAuthentication
https://extdist.wmflabs.org/dist/extensions/LdapAuthentication-REL1_24-24a399e.tar.gz
tar -xzf LdapAuthentication-REL1_24-24a399e.tar.gz -C /var/www/html/wiki/extensions
yum install php-ldap
require_once( "$IP/extensions/LdapAuthentication/LdapAuthentication.php" );
$wgAuth = new LdapAuthenticationPlugin();
$wgLDAPDomainNames = array( "SUB1" );
$wgLDAPServerNames = array( "SUB1" => "dc01.sub1.domain.com" );
$wgLDAPSearchStrings = array( "SUB1" => "USER-NAME@SUB1" );
$wgLDAPEncryptionType = array( "SUB1" => "clear" );
$wgLDAPBaseDNs = array( "SUB1" => "dc=sub1,dc=domain,dc=com" );
$wgLDAPSearchAttributes = array( "SUB1" => "sAMAccountName" );
$wgLDAPProxyAgent = array("SUB1" => "CN=wikiop,OU=Other,OU=Users,OU=Administrative,DC=sub1,DC=domain,DC=com");
$wgLDAPProxyAgentPassword = array("SUB1" => "password");
$wgLDAPUseLocal = false;
$wgMinimalPasswordLength = 1;
$wgLDAPDebug = 3; //for debugging LDAP
$wgShowExceptionDetails = true; //for debugging MediaWiki
$wgDebugLogFile = "/var/log/mediawiki/debug-{$wgDBname}.log";
$wgLDAPRetrievePrefs = array( "SUB1" => "true" );
php maintenance/update.php
PostgreSQL DB backup
pg_dump wikidb > wikidbdump2017_01_28.sql
pg_dumpall --globals > postgres_globals2017_01_28.sql
Download link: https://github.com/BeyondTrust/pbis-open/releases
PBIS AD membership, basic setup for Linux (RPM)
#UnattendedMode
./pbis-open-8.5.4.334.linux.x86_64.rpm.sh install
/opt/pbis/bin/domainjoin-cli join --assumeDefaultDomain yes your.domain.com yourname
cat << EOT > /etc/pbis.conf
rem AD domain: YOUR
AssumeDefaultDomain true
HomeDirTemplate "%H/%D/%U"
LoginShellTemplate "/bin/bash"
RemoteHomeDirTemplate ""
CacheEntryExpiry "00000060"
EOT
/opt/pbis/bin/config --file /etc/pbis.conf
/opt/pbis/bin/update-dns
Login/Server Access Rights
In the /etc/pbis.conf file, before HomeDirTemplate, add or modify a line beginning 'RequireMembershipOf'. RequireMembershipOf specifies a comma separated list of AD groups; to log in to the system the user must belong to one of the listed groups, e.g.:
RequireMembershipOf "your\\group1" "your\\group2"
To apply a new configuration, you need to run /opt/pbis/bin/config --file /etc/pbis.conf manually.
SUDO Rights
Use the visudo command and add the name of the AD group, prefixed with %, using standard sudoers syntax, e.g.:
%group1 ALL=(ALL) ALL
PBIS Utilities
A number of useful scripts are available in the /opt/pbis/bin directory. Most of these scripts are self documenting and support e.g. the --help argument.
/opt/pbis/bin/get-status ; show ad connection/status information
/opt/pbis/bin/find-user-by-name ; lookup an ad user by name.
/opt/pbis/bin/find-group-by-name ; lookup an ad group by name.
/opt/pbis/bin/list-groups-for-user [--level=2] ; show group membership for a user.
There are lots of useful scripts in this directory, it’s worth exploring.
Delegate rights using Active Directory Users and Computers for PBIS computer join user
This process allows a specific user/group to manage a group, or a section of the AD tree.
1.Open the Active Directory Users and Computers snap-in.
2.Right-click the container under which you want the computers added, and press Delegate Control.
3.Press Next.
4.Press Add.
5.After adding all the users and/or groups, press Next.
6.Select Create custom task to delegate and press Next.
7.Select Only the following objects in the folder, check Computer objects, check the “Create selected objects in this folder”, “Create selected objects in this folder” boxes, and press Next.
8.Check the “Create all child object”, “Delete all child object” boxes and press Next.
9.Press Finish.
ISSUES
If pbis just stopped working and you get “Error: ERROR_FILE_NOT_FOUND code 0x00000002” after “service lwsmd restart”, remove it completely:
/opt/pbis/bin/domainjoin-cli leave
/opt/pbis/bin/uninstall.sh uninstall
and reinstall/reconfigure
./pbis-open-8.5.4.334.linux.x86_64.rpm.sh install
/opt/pbis/bin/domainjoin-cli join --assumeDefaultDomain yes your.domain.com yourname
Prerequisites
vi /etc/sysconfig/selinux
SELINUX=disabled
or
sed -i 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/selinux/config
Turn off iptables.
service iptables stop
chkconfig iptables off
Or allow the following ports, if you want it enabled.
vi /etc/sysconfig/iptables
#Allow the http ports (80/443), Cobbler's TFTP port 69 (UDP) and the cobblerd XML-RPC port 25151.
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 69 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 25151 -j ACCEPT
Installation
Cobbler is not available in the CentOS default repositories, so add the EPEL repository first, then install Cobbler.
yum install epel-release
Now install cobbler, the cobbler web interface and their dependencies as shown below.
yum -y install cobbler cobbler-web dhcp pykickstart system-config-kickstart mod_python tftp wget cman
Enable TFTP and rsync
vi /etc/xinetd.d/tftp #change disable = yes to disable = no
vi /etc/xinetd.d/rsync #change disable = yes to disable = no
Restart xinetd
Now we can restart xinetd to make the changes take effect.
/etc/init.d/xinetd restart
Start xinetd on boot
/sbin/chkconfig xinetd on
Start cobbler services
Now let's start the Apache web server (httpd) and cobbler itself. Apache is required by cobbler to serve the OS images.
/etc/init.d/httpd start
/etc/init.d/cobblerd start
/sbin/chkconfig httpd on
/sbin/chkconfig cobblerd on
Configure Cobbler
Generate a password hash
openssl passwd -1 -salt 'random-phrase-here' 'your-password-here'
I get the hash below for the password motorrobot
openssl passwd -1 -salt
vi /etc/cobbler/settings
Change: next_server: 127.0.0.1 to next_server: 192.168.1.64
Change: server: 127.0.0.1 to server: 192.168.1.64
Change: default_password_crypted: "$1$mF86/UHC$WvcEcX3s9crCz2inWryabc." to the hash generated above, default_password_crypted: "$1$centosho$06Gedn1z8BjSu2ZbV4fS.0"
Change: manage_dhcp: 0 to manage_dhcp: 1
# the first pattern matches both "server: 127.0.0.1" and "next_server: 127.0.0.1"
sed -i 's/server: 127\.0\.0\.1/server: 192.168.1.64/g' /etc/cobbler/settings
sed -i 's|default_password_crypted: "\$1\$mF86/UHC\$WvcEcX3s9crCz2inWryabc\."|default_password_crypted: "$1$centosho$06Gedn1z8BjSu2ZbV4fS.0"|g' /etc/cobbler/settings
sed -i 's/manage_dhcp: 0/manage_dhcp: 1/g' /etc/cobbler/settings
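The default_password_crypted value is the root password every system Cobbler installs will start with, so two things are worth verifying on the server: that the hash shipped in the default settings file really was replaced, and that the replacement does not still use md5crypt ("$1$", which is what openssl passwd -1 produces). The script below is an added example, not part of the original notes or of Cobbler: it reads settings text from stdin, extracts the hash, classifies its crypt scheme and checks both conditions, and includes a helper that generates a sha512crypt hash with openssl passwd -6 (OpenSSL 1.1.1 or later). SETTINGS_SAMPLE is constructed from the values in the notes; the "$6$" string in the test is a placeholder, not a real hash.

```shell
#!/bin/sh
# Added example, not from the original notes or from Cobbler: check that
# /etc/cobbler/settings no longer carries the hash Cobbler ships by default
# (the value the sed above replaces) and flag hashes still using md5crypt ($1$).
# SETTINGS_SAMPLE is constructed from the values in the notes.

COBBLER_DEFAULT_HASH='$1$mF86/UHC$WvcEcX3s9crCz2inWryabc.'
SETTINGS_SAMPLE='next_server: 192.168.1.64
server: 192.168.1.64
default_password_crypted: "$1$centosho$06Gedn1z8BjSu2ZbV4fS.0"
manage_dhcp: 1'

# Read settings text on stdin; print the configured hash without its quotes.
configured_hash() {
    sed -n 's/^default_password_crypted:[[:space:]]*"\(.*\)"[[:space:]]*$/\1/p' | head -n 1
}

# Print the crypt(3) scheme of a hash: md5crypt, sha256crypt, sha512crypt or unknown.
hash_scheme() {
    case "$1" in
        '$1$'*) echo md5crypt ;;
        '$5$'*) echo sha256crypt ;;
        '$6$'*) echo sha512crypt ;;
        *)      echo unknown ;;
    esac
}

# Read settings text on stdin; succeed only if a hash is set, it is not the
# shipped default, and it uses sha256crypt or sha512crypt.
password_hash_ok() {
    h=$(configured_hash)
    [ -n "$h" ] || return 1
    [ "$h" != "$COBBLER_DEFAULT_HASH" ] || return 1
    case "$(hash_scheme "$h")" in
        sha256crypt|sha512crypt) return 0 ;;
        *) return 1 ;;
    esac
}

# Generate a sha512crypt hash with a random salt (needs OpenSSL 1.1.1 or later).
# Usage: new_hash 'your-password-here'
new_hash() {
    openssl passwd -6 "$1"
}

# Stand-alone run over the constructed sample.
h=$(printf '%s\n' "$SETTINGS_SAMPLE" | configured_hash)
printf 'configured hash: %s (%s)\n' "$h" "$(hash_scheme "$h")"
if printf '%s\n' "$SETTINGS_SAMPLE" | password_hash_ok; then
    echo 'default_password_crypted: ok'
else
    echo 'default_password_crypted: shipped default or md5crypt; regenerate with new_hash'
fi
```

On the server, `password_hash_ok < /etc/cobbler/settings` gives the verdict; as the sample shows, the md5crypt hash the notes produce is reported, and the fix is to paste the output of `new_hash` into default_password_crypted instead.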
Now, edit file /etc/cobbler/dhcp.template,
vi /etc/cobbler/dhcp.template
ddns-update-style interim;
allow booting;
allow bootp;
ignore client-updates;
set vendorclass = option vendor-class-identifier;
option pxe-system-type code 93 = unsigned integer 16;
subnet 192.168.1.0 netmask 255.255.255.0 {
option routers 192.168.1.99;
option domain-name-servers 192.168.2.31,192.168.2.32;
option subnet-mask 255.255.255.0;
range dynamic-bootp 192.168.1.150 192.168.1.250;
default-lease-time 21600;
max-lease-time 43200;
next-server $next_server;
class "pxeclients" {
match if substring (option vendor-class-identifier, 0, 9) = "PXEClient";
if option pxe-system-type = 00:02 {
filename "ia64/elilo.efi";
} else if option pxe-system-type = 00:06 {
filename "grub/grub-x86.efi";
} else if option pxe-system-type = 00:07 {
filename "grub/grub-x86_64.efi";
} else {
filename "pxelinux.0";
}
}
}
Next, enable Cobbler's web interface and set a username and password for it.
To enable the web interface, edit /etc/cobbler/modules.conf:
vi /etc/cobbler/modules.conf
[authentication]
module = authn_configfile
[authorization]
module = authz_allowall
Next, set up the username and password for the cobbler web interface. To do that, run the following command and enter your preferred password twice.
htdigest /etc/cobbler/users.digest "Cobbler" cobbler
Download the required network boot loaders using the following command.
cobbler get-loaders
cobbler check
/etc/init.d/cobblerd restart
cobbler sync
Importing multiple CentOS Linux DVDs into Cobbler
Linux distributions are getting larger and larger; CentOS 6.0 64-bit won’t fit on a single DVD anymore. A Cobbler-based provisioning server will normally import only one DVD. So, how do you get around this?
Import the first DVD as usual
Manually add content from the second DVD
Import the first DVD (ISO image):
mkdir /mnt/dvd1; mount -o ro,loop /tmp/CentOS-6.6-x86_64-bin-DVD1.iso /mnt/dvd1
DISTRO=centos66
cobbler import --name=${DISTRO} --arch=x86_64 --path=/mnt/dvd1
Watch the output from Cobbler closely; it basically shows you the commands you need to import the second DVD.
Import the second DVD (ISO image):
mkdir /mnt/dvd2; mount -o ro,loop /tmp/CentOS-6.6-x86_64-bin-DVD2.iso /mnt/dvd2
rsync -a '/mnt/dvd2/' /var/www/cobbler/ks_mirror/${DISTRO} --exclude-from=/etc/cobbler/rsync.exclude --progress
COMPSXML=$(ls /var/www/cobbler/ks_mirror/${DISTRO}/repodata/*comps*.xml)
createrepo -c cache -s sha --update --groupfile ${COMPSXML} /var/www/cobbler/ks_mirror/${DISTRO}
Adding Kickstart file to Cobbler server
vi /var/lib/cobbler/kickstarts/centos65test.ks
url --url http://192.168.1.80/cobbler/ks_mirror/centos66-x86_64/
And then, add the kickstart file(centos65test.ks) to the pxe server.
cobbler profile add --name=CentOS_6.5_KS --distro=CentOS_6.5 --kickstart=/var/lib/cobbler/kickstarts/centos65test.ks
Restart cobbler once again, and run the "cobbler sync" command to save the changes.
service cobblerd restart
cobbler sync
Local repo on cobbler server
vi /etc/yum.repos.d/centos-6.6-local.repo
[Centos-6.6-local]
name=CentOS 6.5 local repository
baseurl=http://192.168.1.80/cobbler/ks_mirror/centos66-x86_64/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6
enabled=1
yum install createrepo
mkdir /mnt/dvd1 && mkdir /mnt/dvd2 && mkdir /opt/repo && mkdir /opt/iso
mount -o loop /opt/iso/CentOS-6.6-x86_64-bin-DVD1.iso /mnt/dvd1/ && mount -o loop /opt/iso/CentOS-6.6-x86_64-bin-DVD2.iso /mnt/dvd2/
rsync -arv /mnt/dvd1/ /opt/repo/
rsync -arv /mnt/dvd2/ /opt/repo/
createrepo -c cache -s sha --update --groupfile `ls /opt/repo/repodata/*comps*.xml` /opt/repo
cat <<EOT > /etc/yum.repos.d/local.repo
[local-repo]
name=CentOS 6.6 local repository
baseurl=file:///opt/repo/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6
enabled=1
EOT