RHEL 7/Centos 7 Installation: Difference between revisions
No edit summary |
|||
(170 intermediate revisions by the same user not shown) | |||
Line 9: | Line 9: | ||
=Overview= | =Overview= | ||
This installation procedure has been tested on bare metal (ThinkPad laptops) and on VirtualBox VMs. | This installation procedure has been tested on bare metal (ThinkPad laptops) and on VirtualBox VMs, with Red Hat 7.2 DVD and Centos 7 DVD. The sections that refer to non-virtualized installation are prefixed with ''Bare Metal'' and indented. The sections that refer to virtualized installation are prefixed with ''VirtualBox'' and indented. | ||
If you need to create a VirtualBox virtual machine, start from here {{Internal|VirtualBox Virtual Machine Creation|VirtualBox Virtual Machine Creation}} | |||
=DVD= | =DVD= | ||
Download the RHEL 7 | Download the RHEL 7 Binary DVD from https://access.redhat.com. | ||
Download Centos 7 Binary ISO DVD https://www.centos.org/download/ | |||
=Procedure= | =Procedure= | ||
==Create a Bootable USB and Boot with the Image USB== | |||
Use: | |||
[[fdisk]] -l | |||
or | |||
[[mount]] | |||
to list disk devices and identify the correct USB device to use. Then: | |||
<syntaxhighlight lang='bash'> | |||
dd if=yyyy.iso of=/dev/xxxx | |||
</syntaxhighlight> | |||
==Boot with the Image DVD== | ==Boot with the Image DVD== | ||
Line 39: | Line 58: | ||
'''Virtual Box''' | '''Virtual Box''' | ||
: | :If the hardware configuration was done according to the [[VirtualBox_Virtual_Machine_Creation#Linux|VirtualBox Linux VM Creation]] procedure, the NAT adapter is eth1. Turn it "ON" (upper right "button"). This is the VirtualBox NAT network interface, so it should get an IP address from its DHCP server and allow immediate external connectivity during the installation. The interface should show "Connected", get a valid IP address (example IP address 10.0.3.15, default route 10.0.3.2, DNS: a valid DNS or your local router). Then go to eth0 and turn it ON. | ||
'''Bare Metal''' | '''Bare Metal''' | ||
:Turn ethernet (enp0s25) ON. | :Turn ethernet (eth0, enp0s25, em1, etc.) ON. | ||
Configure. | '''Main Network Interface - Common Configuration Procedure''' | ||
"Configure..." | |||
''General'' | ''General'' | ||
Line 56: | Line 76: | ||
''Ethernet'' | ''Ethernet'' | ||
Device: eth0/enp0s25 | Device: eth0/enp0s25/em1 | ||
MTU: automatic | MTU: automatic | ||
Wake on LAN: Ignore | |||
''IPv4 Settings'' | ''IPv4 Settings'' | ||
Line 68: | Line 90: | ||
'''Virtual Box''' | '''Virtual Box''' | ||
:Address 172.20. | Pick addresses from the same network the host-only interface belongs to. If you do so, you will avoid complications related to need to add extra routing on the host. For more details, see: | ||
{{Internal|VirtualBox_Virtual_Machine_Creation#VM_IP_Addresses|VirtualBox Virtual Machine Creation - VM IP Addresses}} | |||
<span id="ip_address_spreadsheet"></span>A spreadsheet with currently allocated addresses is available in <tt>.../VirtualBox VMs/IP Addresses.xlsx.</tt> | |||
Address 172.20.x.x, Netmask 255.255.0.0, Gateway: leave empty. If you plan to use previously created VMs from the same subnet at the same time, pick IP addresses that do not overlap. | |||
Note that the IP address does NOT have to be in the same subnet as the host-only network defined earlier. However, in this case, you will need to configure extra routing, so it's a good idea to stick to that network. | |||
Make sure to Save. | |||
'''Bare Metal''' | '''Bare Metal''' | ||
Line 75: | Line 107: | ||
Make sure you Save. | Make sure you Save. | ||
''Connect automatically after reboot'' | |||
Yes | |||
''Apply configuration in installer'' | |||
Yes | |||
===Host Name=== | ===Host Name=== | ||
Line 99: | Line 139: | ||
Done. | Done. | ||
For a list of NTP Servers see: | |||
{{Internal|Linux_NTP_Client_Configuration#US_NTP_Servers|US NTP Servers}} | |||
==Keyboard== | ==Keyboard== | ||
Line 106: | Line 150: | ||
==Installation Source== | ==Installation Source== | ||
Local media | |||
==Software Selection== | ==Software Selection== | ||
Line 122: | Line 160: | ||
'''Virtual Box''' | '''Virtual Box''' | ||
: Select the VBOX | : Select the ATA VBOX HARDDISK. You may go for "Automatically configure partitioning" or if you don't want a root and a home partition, choose "I will configure partitioning" and go to [[#Manual_Partitioning|Manual Partitioning]]. | ||
'''Bare Metal''' | '''Bare Metal''' | ||
: If the disk was previously partitioned and want to delete the previous partitions: Partitioning -> Automatically configure partitioning, check "I would like to make additional space available" -> Delete All -> Reclaim Space. | : If the disk was previously partitioned and want to delete the previous partitions: Partitioning -> Automatically configure partitioning, check "I would like to make additional space available" -> Delete All -> Reclaim Space. If you don't want a root and a home partition, choose "I will configure partitioning" and go to [[#Manual_Partitioning|Manual Partitioning]]. | ||
Done. | Done. | ||
The top level menu should show ''Automatic partitioning selected''. | The top level menu should show ''Automatic partitioning selected''. | ||
===Manual Partitioning=== | |||
"Click here to create them automatically". This will give a reasonable starting point. | |||
Make sure new mount points will use the following partitioning scheme: [[Linux Logical Volume Management Concepts#Overview|LVM]]. | |||
Simplest configuration: | |||
* "/boot", capacity 500 MiB, device type: Standard Partition, file system "xfs" | |||
* "/", capacity 3140 MiB, device type: LVM, file system xfs, volume group: rhel_lb, name: root | |||
* swap, capacity 409.6 MiB, device type: LVM, file system swap, volume group: rhel_lb, name: swap | |||
Done | |||
For an example of partitioning used for a virtualization host, see [[RHEL_7_Virtualization_Host_Installation#Storage_Provisioning|RHEL7 Virtualization Host Installation - Storage Provisioning]]. | |||
==Kdump== | ==Kdump== | ||
Line 136: | Line 190: | ||
Disable. | Disable. | ||
=Begin Installation= | ==Begin Installation== | ||
Begin Installation | Begin Installation | ||
==User Settings== | |||
Root password. | |||
Create users as necessary, depending on the purpose of the box (openshift, wiki, etc) | |||
You may also want create a service user with same name as the machine's. | |||
If you create a service user, go to Advanced and add it to its own group. | |||
Capture credentials in the standard location (Contacts for the host in question). | |||
==Reboot== | |||
Will eject the DVD by itself. | |||
After reboot, the host should be available for ssh. | |||
=Post-Install Tasks= | |||
==Create a non-root Administrative User== | |||
<font size=-1> | |||
groupadd -g 1077 au739kr60c | |||
useradd -g 1077 -u 1077 -m au739kr60c | |||
passwd au739kr60c | |||
</font> | |||
==ssh Configuration== | |||
===Configure ssh to Start on an Arbitrary Port=== | |||
{{Internal|Sshd_Configuration#Change_the_Default_Port|Change the Default ssh Port}} | |||
===Turn off ssh DNS Resolution=== | |||
{{Internal|Sshd_Configuration#Turn_Off_Client_Name_DNS_Verification|sshd - Turn Off Client Name DNS Verification}} | |||
===Disallow root to connect over ssh=== | |||
Disallowing the root to connect over ssh is quite radical. If you want to do that, see: | |||
{{Internal|Sshd_Configuration#Disallow_root_to_Connect|Disallow root to Connect}} | |||
A less strict level of protection, but that still protects against root brute force password attack, is to not allow the root connecting with a password, but only with a ssh key. This is how it is done: {{Internal|Sshd_Configuration#Allow_root_Access_only_with_Public_Key|Allow root Access only with Public Key}} | |||
===Install a Public Key for Faster Access=== | |||
Install a public key in <code>.ssh/authorized_keys</code>. | |||
==Enable Network Interfaced to Start at Boot== | |||
Sometimes the NAT network interface comes disabled at boot. Set <code>ONBOOT=yes</code> in <code>/etc/sysconfig/network-scripts/ifcfg-eth1</code>. | |||
Reboot and make sure the interface is correctly initialized, and the virtual machine has external connectivity. | |||
For more details configuring a network interface see: | |||
{{Internal|Linux 7 Configuring a Network Interface|Configuring a Linux Network Interface}} | |||
==Update All Installed Packages== | |||
<font size=-1> | |||
yum -y update | |||
</font> | |||
==Install Packages I Need== | |||
<font size=-1> | |||
yum -y install wget zip unzip bind-utils policycoreutils-python net-tools | |||
</font> | |||
<code>policycoreutils-python</code> is needed for <code>semanage</code>. See: {{Internal|selinux#Configuration|SELinux Configuration}} | |||
==Other Miscellaneous and Most Likely Optional Steps== | |||
===VMWare Fusion Guest Configuration=== | |||
VMware Fusion guests that are configured with static addressed also need to be configured with a specific gateway to make them able to establish TCP/IP connections. For more details see: | |||
{{Internal|VMware_Fusion_Configuration#Configure_a_Static_IP_Guest_to_be_Externally_Routable|Configure a Static IP VMware Fusion Guest to be Externally Routable}} | |||
===Register with the Subscription Manager=== | |||
If this is a supported RHEL system, register it with the subscription manager, this will give access to official repositories for update. Instructions are available here {{Internal|Red Hat Subscription Manager#Register_a_Linux_System|Red Hat Subscription Manager}} | |||
=Configuration= | |||
==Resolve the Host Name in /etc/hosts== | |||
Execute: | |||
<syntaxhighlight lang='bash'> | |||
hostname | |||
</syntaxhighlight> | |||
and update <code>/etc/hosts</code> to resolve the host name to the main (business) interface of the host. | |||
<pre> | |||
... | |||
192.168.1.8 now510.local now510 | |||
</pre> | |||
==Disable the Network Manager== | |||
For hosts on which the configuration is static, disable the Network Manager. Note that if you plan to run OpenShift on this host, Nework Manager must stay in place. | |||
{{Internal|NetworkManager_Operations#Disable_the_Network_Manager|Disable Linux Network Manager}} | |||
==Turn off firewalld and configure the iptables service== | |||
* Usually a new system comes with firewalld enabled. Turn it off. [[firewalld#Disable|This is how you turn the firewall off and remove it from the system]]. | |||
* Install the iptables service. [[Iptables#iptables_Service_Installation|This is how to install the iptables service]]. | |||
* Configure the iptables service (both iptables and ip6tables). [[Iptables#iptables_Service_Configuration|This is how to configure the iptables service]]. | |||
* Reboot to make sure you still have ssh access. | |||
Optionally, add additional IPv4 firewall rules depending on the purpose of the host: | |||
# [[iptables Command Line Tool Examples#Allow_SSH_Only_From_the_Internal_Network_on_a_Non-Standard_Port|Allow ssh access only from the internal network on a non-standard port]]. Note this procedure implies reconfiguring the sshd server at the same time, otherwise we may lose remote access. | |||
# [[iptables Command Line Tool Examples#Allow_a_Web_Server_on_a_Specific_Interface|Allow web traffic access]]. | |||
If IPv6 is not explicitly configured and used, best if you block IPv6 access in firewall: [[iptables Command Line Tool Examples#Base_IPv6_Configuration|block IPv6 inbound traffic]]. | |||
For a discussion on iptables service and firewalld, see [[iptables Concepts]]. | |||
==Configure DNS== | |||
{{Internal|bind Operations#Set_Up_DNS_on_a_Newly_Installed_Linux_System|Set Up DNS on a Newly Installed Linux System}} | |||
==Configure Log Rotation== | |||
{{ | {{Internal|Linux_Logging_Configuration#rsyslogd_Log_Rotation_Configuration|rsyslogd Log Rotation Configuration}} | ||
==Configure root mail Forwarding== | |||
Configure the mail system on the host so it can send mail. | |||
Forward root's mail to an account that is read regularly. | |||
{{ | See: {{Internal|Mailx|mailx}} | ||
==Security Hardening== | |||
{{Internal|Linux Security Hardening#Overview|Security Hardening}} | |||
==Configure the Host as a NFS Client== | |||
{{ | This is an optional step. {{Internal|Linux_NFS_Installation#Client_Installation|Linux NFS Client Installation}} | ||
==Enable Multicast== | |||
This is an optional step. | |||
{{Internal|Linux 7 Multicast Configuration|Multicast Configuration}} | |||
==Prevent the Computer to Go to Sleep when the Lid is Closed== | |||
For laptops only. | |||
<blockquote style="background-color: #f9f9f9; border: solid thin lightgrey;"> | |||
:[[Systemd-logind#How_to_Prevent_the_Computer_to_Go_to_Sleep_when_the_Lid_is_Closed|How to Prevent the Computer to Go to Sleep when the Lid is Closed]] | |||
</blockquote> | |||
==Other Optional Settings== | |||
* [[Linux Configure Bluetooth#Turn_Bluetooth_Off|Turn Bluetooth Off]] | |||
* [[Linux Configure GPU#Turn_GPU_Off|Turn GPU Off]] | |||
=Reboot = | |||
Reboot one more time, to make sure the system starts after patching and configuration: | |||
<pre> | |||
init 0 | init 0 | ||
</pre> | |||
'''Bare Metal''' | |||
: Start the system from the power button. | |||
'''VirtualBox''' | |||
: Start the system from the VirtualBox console. Start -> Headless start. | |||
=Next Steps= | |||
'''VirtualBox''' | |||
: Continue VirtualBox Installation. If installing in VirtualBox, go back to the [[VirtualBox Virtual Machine Creation#Guest_Additions|VirtualBox guest additions installation procedure]]. | |||
=Troubleshooting= | |||
==A Network Adapter Does Not Start== | |||
| | {{Internal|Linux 7 Network Configuration#Network_Adapter_Does_Not_Start_After_Installation|Linux 7 Network Configuration - Network Adapter Does Not Start After Installation}} |
Latest revision as of 23:24, 5 August 2023
External
- Red Hat Enterprise Linux 7 Installation Guide: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Installation_Guide/index.html
Internal
Overview
This installation procedure has been tested on bare metal (ThinkPad laptops) and on VirtualBox VMs, with Red Hat 7.2 DVD and Centos 7 DVD. The sections that refer to non-virtualized installation are prefixed with Bare Metal and indented. The sections that refer to virtualized installation are prefixed with VirtualBox and indented.
If you need to create a VirtualBox virtual machine, start from here
DVD
Download the RHEL 7 Binary DVD from https://access.redhat.com.
Download Centos 7 Binary ISO DVD https://www.centos.org/download/
Procedure
Create a Bootable USB and Boot with the Image USB
Use:
fdisk -l
or
mount
to list disk devices and identify the correct USB device to use. Then:
dd if=yyyy.iso of=/dev/xxxx
Boot with the Image DVD
Install Red Hat Enterprise Linux 7.2 ... Starting installer, one moment.
Welcome to Red Hat Enterprise Linux 7.2
What language would you like to use during the installation process? English -> English (United States) -> Continue
Installation Summary
First go to "Network & Host Name" to set external access.
Network & Host Name
Turn wireless off.
Virtual Box
- If the hardware configuration was done according to the VirtualBox Linux VM Creation procedure, the NAT adapter is eth1. Turn it "ON" (upper right "button"). This is the VirtualBox NAT network interface, so it should get an IP address from its DHCP server and allow immediate external connectivity during the installation. The interface should show "Connected", get a valid IP address (example IP address 10.0.3.15, default route 10.0.3.2, DNS: a valid DNS or your local router). Then go to eth0 and turn it ON.
Bare Metal
- Turn ethernet (eth0, enp0s25, em1, etc.) ON.
Main Network Interface - Common Configuration Procedure
"Configure..."
General
Automatically connect to this network when it is available.
All users may connect to this network.
Ethernet
Device: eth0/enp0s25/em1
MTU: automatic
Wake on LAN: Ignore
IPv4 Settings
Method: Manual
Addresses: Add
Virtual Box
Pick addresses from the same network the host-only interface belongs to. If you do so, you will avoid complications related to need to add extra routing on the host. For more details, see:
A spreadsheet with currently allocated addresses is available in .../VirtualBox VMs/IP Addresses.xlsx.
Address 172.20.x.x, Netmask 255.255.0.0, Gateway: leave empty. If you plan to use previously created VMs from the same subnet at the same time, pick IP addresses that do not overlap.
Note that the IP address does NOT have to be in the same subnet as the host-only network defined earlier. However, in this case, you will need to configure extra routing, so it's a good idea to stick to that network.
Make sure to Save.
Bare Metal
- Address 192.168.1.8, Netmask 255.255.255.0, Gateway: 192.168.1.1, DNS servers: 192.168.1.1
Make sure you Save.
Connect automatically after reboot
Yes
Apply configuration in installer
Yes
Host Name
DO NOT FORGET
Go to "Host name".
Virtual Box
- Specify the local host name: openshift-master1. If you are planning to use a local DNS server, specify openshift-master1.openshift.local
Bare Metal
- now510.local
Done.
Date & Time
Time Zone.
Network Time: ON
Done.
For a list of NTP Servers see:
Keyboard
English(US)
Installation Source
Local media
Software Selection
Minimal Install
Installation Destination
Virtual Box
- Select the ATA VBOX HARDDISK. You may go for "Automatically configure partitioning" or if you don't want a root and a home partition, choose "I will configure partitioning" and go to Manual Partitioning.
Bare Metal
- If the disk was previously partitioned and want to delete the previous partitions: Partitioning -> Automatically configure partitioning, check "I would like to make additional space available" -> Delete All -> Reclaim Space. If you don't want a root and a home partition, choose "I will configure partitioning" and go to Manual Partitioning.
Done.
The top level menu should show Automatic partitioning selected.
Manual Partitioning
"Click here to create them automatically". This will give a reasonable starting point.
Make sure new mount points will use the following partitioning scheme: LVM.
Simplest configuration:
- "/boot", capacity 500 MiB, device type: Standard Partition, file system "xfs"
- "/", capacity 3140 MiB, device type: LVM, file system xfs, volume group: rhel_lb, name: root
- swap, capacity 409.6 MiB, device type: LVM, file system swap, volume group: rhel_lb, name: swap
Done
For an example of partitioning used for a virtualization host, see RHEL7 Virtualization Host Installation - Storage Provisioning.
Kdump
Disable.
Begin Installation
Begin Installation
User Settings
Root password.
Create users as necessary, depending on the purpose of the box (openshift, wiki, etc)
You may also want create a service user with same name as the machine's.
If you create a service user, go to Advanced and add it to its own group.
Capture credentials in the standard location (Contacts for the host in question).
Reboot
Will eject the DVD by itself.
After reboot, the host should be available for ssh.
Post-Install Tasks
Create a non-root Administrative User
groupadd -g 1077 au739kr60c useradd -g 1077 -u 1077 -m au739kr60c passwd au739kr60c
ssh Configuration
Configure ssh to Start on an Arbitrary Port
Turn off ssh DNS Resolution
Disallow root to connect over ssh
Disallowing the root to connect over ssh is quite radical. If you want to do that, see:
A less strict level of protection, but that still protects against root brute force password attack, is to not allow the root connecting with a password, but only with a ssh key. This is how it is done:
Install a Public Key for Faster Access
Install a public key in .ssh/authorized_keys
.
Enable Network Interfaced to Start at Boot
Sometimes the NAT network interface comes disabled at boot. Set ONBOOT=yes
in /etc/sysconfig/network-scripts/ifcfg-eth1
.
Reboot and make sure the interface is correctly initialized, and the virtual machine has external connectivity.
For more details configuring a network interface see:
Update All Installed Packages
yum -y update
Install Packages I Need
yum -y install wget zip unzip bind-utils policycoreutils-python net-tools
policycoreutils-python
is needed for semanage
. See:
Other Miscellaneous and Most Likely Optional Steps
VMWare Fusion Guest Configuration
VMware Fusion guests that are configured with static addressed also need to be configured with a specific gateway to make them able to establish TCP/IP connections. For more details see:
Register with the Subscription Manager
If this is a supported RHEL system, register it with the subscription manager, this will give access to official repositories for update. Instructions are available here
Configuration
Resolve the Host Name in /etc/hosts
Execute:
hostname
and update /etc/hosts
to resolve the host name to the main (business) interface of the host.
... 192.168.1.8 now510.local now510
Disable the Network Manager
For hosts on which the configuration is static, disable the Network Manager. Note that if you plan to run OpenShift on this host, Nework Manager must stay in place.
Turn off firewalld and configure the iptables service
- Usually a new system comes with firewalld enabled. Turn it off. This is how you turn the firewall off and remove it from the system.
- Install the iptables service. This is how to install the iptables service.
- Configure the iptables service (both iptables and ip6tables). This is how to configure the iptables service.
- Reboot to make sure you still have ssh access.
Optionally, add additional IPv4 firewall rules depending on the purpose of the host:
- Allow ssh access only from the internal network on a non-standard port. Note this procedure implies reconfiguring the sshd server at the same time, otherwise we may lose remote access.
- Allow web traffic access.
If IPv6 is not explicitly configured and used, best if you block IPv6 access in firewall: block IPv6 inbound traffic.
For a discussion on iptables service and firewalld, see iptables Concepts.
Configure DNS
Configure Log Rotation
Configure root mail Forwarding
Configure the mail system on the host so it can send mail.
Forward root's mail to an account that is read regularly.
See:
Security Hardening
Configure the Host as a NFS Client
This is an optional step.
Enable Multicast
This is an optional step.
Prevent the Computer to Go to Sleep when the Lid is Closed
For laptops only.
Other Optional Settings
Reboot
Reboot one more time, to make sure the system starts after patching and configuration:
init 0
Bare Metal
- Start the system from the power button.
VirtualBox
- Start the system from the VirtualBox console. Start -> Headless start.
Next Steps
VirtualBox
- Continue VirtualBox Installation. If installing in VirtualBox, go back to the VirtualBox guest additions installation procedure.