RHEL 7/Centos 7 Installation: Difference between revisions

From NovaOrdis Knowledge Base
Jump to navigation Jump to search
 
(13 intermediate revisions by the same user not shown)
Line 213: Line 213:


=Post-Install Tasks=
=Post-Install Tasks=
==Create a non-root Administrative User==
<font size=-1>
groupadd -g 1077 au739kr60c
useradd -g 1077 -u 1077 -m au739kr60c
passwd au739kr60c
</font>


==ssh Configuration==
==ssh Configuration==
Line 220: Line 226:
{{Internal|Sshd_Configuration#Turn_Off_Client_Name_DNS_Verification|sshd - Turn Off Client Name DNS Verification}}
{{Internal|Sshd_Configuration#Turn_Off_Client_Name_DNS_Verification|sshd - Turn Off Client Name DNS Verification}}
===Disallow root to connect over ssh===
===Disallow root to connect over ssh===
Disallowing the root to connect over ssh is quite radical. If you want to do that, see:
{{Internal|Sshd_Configuration#Disallow_root_to_Connect|Disallow root to Connect}}
{{Internal|Sshd_Configuration#Disallow_root_to_Connect|Disallow root to Connect}}
A less strict level of protection, but that still protects against root brute force password attack, is to not allow the root connecting with a password, but only with a ssh key. This is how it is done: {{Internal|Sshd_Configuration#Allow_root_Access_only_with_Public_Key|Allow root Access only with Public Key}}
===Install a Public Key for Faster Access===
===Install a Public Key for Faster Access===
Install a public key in .ssh/authorized_keys.
Install a public key in <code>.ssh/authorized_keys</code>.


==Enable Network Interfaced to Start at Boot==
==Enable Network Interfaced to Start at Boot==


Sometimes the NAT network interface comes disabled at boot. Set <tt>ONBOOT=yes</tt> in <tt>/etc/sysconfig/network-scripts/ifcfg-eth1</tt>.
Sometimes the NAT network interface comes disabled at boot. Set <code>ONBOOT=yes</code> in <code>/etc/sysconfig/network-scripts/ifcfg-eth1</code>.


Reboot and make sure the interface is correctly initialized, and the virtual machine has external connectivity.
Reboot and make sure the interface is correctly initialized, and the virtual machine has external connectivity.
Line 234: Line 244:
{{Internal|Linux 7 Configuring a Network Interface|Configuring a Linux Network Interface}}
{{Internal|Linux 7 Configuring a Network Interface|Configuring a Linux Network Interface}}


==VMWare Fusion Guest Configuration==
==Update All Installed Packages==
<font size=-1>
yum -y update
</font>
 
==Install Packages I Need==
<font size=-1>
yum -y install wget zip unzip bind-utils policycoreutils-python net-tools
</font>
<code>policycoreutils-python</code> is needed for <code>semanage</code>. See: {{Internal|selinux#Configuration|SELinux Configuration}}


==Other Miscellaneous and Most Likely Optional Steps==
===VMWare Fusion Guest Configuration===
VMware Fusion guests that are configured with static addressed also need to be configured with a specific gateway to make them able to establish TCP/IP connections. For more details see:
VMware Fusion guests that are configured with static addressed also need to be configured with a specific gateway to make them able to establish TCP/IP connections. For more details see:


{{Internal|VMware_Fusion_Configuration#Configure_a_Static_IP_Guest_to_be_Externally_Routable|Configure a Static IP VMware Fusion Guest to be Externally Routable}}
{{Internal|VMware_Fusion_Configuration#Configure_a_Static_IP_Guest_to_be_Externally_Routable|Configure a Static IP VMware Fusion Guest to be Externally Routable}}
 
===Register with the Subscription Manager===
==Register with the Subscription Manager==
 
If this is a supported RHEL system, register it with the subscription manager, this will give access to official repositories for update. Instructions are available here {{Internal|Red Hat Subscription Manager#Register_a_Linux_System|Red Hat Subscription Manager}}
If this is a supported RHEL system, register it with the subscription manager, this will give access to official repositories for update. Instructions are available here {{Internal|Red Hat Subscription Manager#Register_a_Linux_System|Red Hat Subscription Manager}}
==Update All Installed Packages==
<pre>
yum -y update
</pre>
==Install Packages I Need==
yum -y install wget zip unzip bind-utils policycoreutils-python net-tools
policycoreutils-python is needed for semanage. See {{Internal|selinux#Configuration|SELinux Configuration}}


=Configuration=
=Configuration=
Line 260: Line 267:
==Resolve the Host Name in /etc/hosts==
==Resolve the Host Name in /etc/hosts==


Execute
Execute:
<pre>
<syntaxhighlight lang='bash'>
hostname
hostname
</pre>
</syntaxhighlight>


and update <tt>/etc/hosts</tt> to resolve the host name to the main (business) interface of the host.
and update <code>/etc/hosts</code> to resolve the host name to the main (business) interface of the host.


<pre>
<pre>

Latest revision as of 23:24, 5 August 2023

External

Internal

Overview

This installation procedure has been tested on bare metal (ThinkPad laptops) and on VirtualBox VMs, with Red Hat 7.2 DVD and Centos 7 DVD. The sections that refer to non-virtualized installation are prefixed with Bare Metal and indented. The sections that refer to virtualized installation are prefixed with VirtualBox and indented.

If you need to create a VirtualBox virtual machine, start from here

VirtualBox Virtual Machine Creation

DVD

Download the RHEL 7 Binary DVD from https://access.redhat.com.

Download Centos 7 Binary ISO DVD https://www.centos.org/download/

Procedure

Create a Bootable USB and Boot with the Image USB

Use:

fdisk -l 

or

mount

to list disk devices and identify the correct USB device to use. Then:

dd if=yyyy.iso of=/dev/xxxx

Boot with the Image DVD

Install Red Hat Enterprise Linux 7.2
...
Starting installer, one moment.

Welcome to Red Hat Enterprise Linux 7.2

What language would you like to use during the installation process? English -> English (United States) -> Continue

Installation Summary

First go to "Network & Host Name" to set external access.

Network & Host Name

Turn wireless off.

Virtual Box

If the hardware configuration was done according to the VirtualBox Linux VM Creation procedure, the NAT adapter is eth1. Turn it "ON" (upper right "button"). This is the VirtualBox NAT network interface, so it should get an IP address from its DHCP server and allow immediate external connectivity during the installation. The interface should show "Connected", get a valid IP address (example IP address 10.0.3.15, default route 10.0.3.2, DNS: a valid DNS or your local router). Then go to eth0 and turn it ON.

Bare Metal

Turn ethernet (eth0, enp0s25, em1, etc.) ON.

Main Network Interface - Common Configuration Procedure

"Configure..."

General

Automatically connect to this network when it is available.

All users may connect to this network.

Ethernet

Device: eth0/enp0s25/em1

MTU: automatic

Wake on LAN: Ignore

IPv4 Settings

Method: Manual

Addresses: Add

Virtual Box

Pick addresses from the same network the host-only interface belongs to. If you do so, you will avoid complications related to need to add extra routing on the host. For more details, see:

VirtualBox Virtual Machine Creation - VM IP Addresses

A spreadsheet with currently allocated addresses is available in .../VirtualBox VMs/IP Addresses.xlsx.

Address 172.20.x.x, Netmask 255.255.0.0, Gateway: leave empty. If you plan to use previously created VMs from the same subnet at the same time, pick IP addresses that do not overlap.

Note that the IP address does NOT have to be in the same subnet as the host-only network defined earlier. However, in this case, you will need to configure extra routing, so it's a good idea to stick to that network.

Make sure to Save.

Bare Metal

Address 192.168.1.8, Netmask 255.255.255.0, Gateway: 192.168.1.1, DNS servers: 192.168.1.1

Make sure you Save.

Connect automatically after reboot

Yes

Apply configuration in installer

Yes

Host Name

DO NOT FORGET

Go to "Host name".

Virtual Box

Specify the local host name: openshift-master1. If you are planning to use a local DNS server, specify openshift-master1.openshift.local

Bare Metal

now510.local

Done.

Date & Time

Time Zone.

Network Time: ON

Done.

For a list of NTP Servers see:

US NTP Servers

Keyboard

English(US)

Installation Source

Local media

Software Selection

Minimal Install

Installation Destination

Virtual Box

Select the ATA VBOX HARDDISK. You may go for "Automatically configure partitioning" or if you don't want a root and a home partition, choose "I will configure partitioning" and go to Manual Partitioning.

Bare Metal

If the disk was previously partitioned and want to delete the previous partitions: Partitioning -> Automatically configure partitioning, check "I would like to make additional space available" -> Delete All -> Reclaim Space. If you don't want a root and a home partition, choose "I will configure partitioning" and go to Manual Partitioning.

Done.

The top level menu should show Automatic partitioning selected.

Manual Partitioning

"Click here to create them automatically". This will give a reasonable starting point.

Make sure new mount points will use the following partitioning scheme: LVM.

Simplest configuration:

  • "/boot", capacity 500 MiB, device type: Standard Partition, file system "xfs"
  • "/", capacity 3140 MiB, device type: LVM, file system xfs, volume group: rhel_lb, name: root
  • swap, capacity 409.6 MiB, device type: LVM, file system swap, volume group: rhel_lb, name: swap

Done

For an example of partitioning used for a virtualization host, see RHEL7 Virtualization Host Installation - Storage Provisioning.

Kdump

Disable.

Begin Installation

Begin Installation

User Settings

Root password.

Create users as necessary, depending on the purpose of the box (openshift, wiki, etc)

You may also want create a service user with same name as the machine's.

If you create a service user, go to Advanced and add it to its own group.

Capture credentials in the standard location (Contacts for the host in question).

Reboot

Will eject the DVD by itself.

After reboot, the host should be available for ssh.

Post-Install Tasks

Create a non-root Administrative User

groupadd -g 1077 au739kr60c
useradd -g 1077 -u 1077 -m au739kr60c
passwd au739kr60c

ssh Configuration

Configure ssh to Start on an Arbitrary Port

Change the Default ssh Port

Turn off ssh DNS Resolution

sshd - Turn Off Client Name DNS Verification

Disallow root to connect over ssh

Disallowing the root to connect over ssh is quite radical. If you want to do that, see:

Disallow root to Connect

A less strict level of protection, but that still protects against root brute force password attack, is to not allow the root connecting with a password, but only with a ssh key. This is how it is done:

Allow root Access only with Public Key

Install a Public Key for Faster Access

Install a public key in .ssh/authorized_keys.

Enable Network Interfaced to Start at Boot

Sometimes the NAT network interface comes disabled at boot. Set ONBOOT=yes in /etc/sysconfig/network-scripts/ifcfg-eth1.

Reboot and make sure the interface is correctly initialized, and the virtual machine has external connectivity.

For more details configuring a network interface see:

Configuring a Linux Network Interface

Update All Installed Packages

yum -y update

Install Packages I Need

yum -y install wget zip unzip bind-utils policycoreutils-python net-tools

policycoreutils-python is needed for semanage. See:

SELinux Configuration

Other Miscellaneous and Most Likely Optional Steps

VMWare Fusion Guest Configuration

VMware Fusion guests that are configured with static addressed also need to be configured with a specific gateway to make them able to establish TCP/IP connections. For more details see:

Configure a Static IP VMware Fusion Guest to be Externally Routable

Register with the Subscription Manager

If this is a supported RHEL system, register it with the subscription manager, this will give access to official repositories for update. Instructions are available here

Red Hat Subscription Manager

Configuration

Resolve the Host Name in /etc/hosts

Execute:

hostname

and update /etc/hosts to resolve the host name to the main (business) interface of the host.

...
192.168.1.8 now510.local now510

Disable the Network Manager

For hosts on which the configuration is static, disable the Network Manager. Note that if you plan to run OpenShift on this host, Nework Manager must stay in place.

Disable Linux Network Manager

Turn off firewalld and configure the iptables service

Optionally, add additional IPv4 firewall rules depending on the purpose of the host:

  1. Allow ssh access only from the internal network on a non-standard port. Note this procedure implies reconfiguring the sshd server at the same time, otherwise we may lose remote access.
  2. Allow web traffic access.

If IPv6 is not explicitly configured and used, best if you block IPv6 access in firewall: block IPv6 inbound traffic.

For a discussion on iptables service and firewalld, see iptables Concepts.

Configure DNS

Set Up DNS on a Newly Installed Linux System

Configure Log Rotation

rsyslogd Log Rotation Configuration

Configure root mail Forwarding

Configure the mail system on the host so it can send mail.

Forward root's mail to an account that is read regularly.

See:

mailx

Security Hardening

Security Hardening

Configure the Host as a NFS Client

This is an optional step.

Linux NFS Client Installation

Enable Multicast

This is an optional step.

Multicast Configuration

Prevent the Computer to Go to Sleep when the Lid is Closed

For laptops only.

How to Prevent the Computer to Go to Sleep when the Lid is Closed

Other Optional Settings

Reboot

Reboot one more time, to make sure the system starts after patching and configuration:

init 0

Bare Metal

Start the system from the power button.

VirtualBox

Start the system from the VirtualBox console. Start -> Headless start.

Next Steps

VirtualBox

Continue VirtualBox Installation. If installing in VirtualBox, go back to the VirtualBox guest additions installation procedure.

Troubleshooting

A Network Adapter Does Not Start

Linux 7 Network Configuration - Network Adapter Does Not Start After Installation