Difference between revisions of "CentOS"

From Christoph's Personal Wiki

Latest revision as of 00:00, 27 August 2016

CentOS (abbreviated from Community Enterprise Operating System) is a Linux distribution that attempts to provide a free, enterprise class, community-supported computing platform which aims to be 100% binary compatible with its upstream source, Red Hat Enterprise Linux (RHEL).

LAMP on CentOS

  • Pre-CentOS 7:

The following CLI one-liner will install and configure everything you need for a basic LAMP stack setup (including the firewall):

sudo sh -c "yum install httpd httpd-devel mysql mysql-server mysql-devel php \
  php-mysql php-common php-gd php-mbstring php-mcrypt php-devel php-xml -y; \
  service mysqld start && mysql_secure_installation && service mysqld restart \
  && service httpd start && chkconfig httpd on && chkconfig mysqld on && \
  iptables -I INPUT -p tcp -m tcp --dport 80 -j ACCEPT && /etc/init.d/iptables save"

  • CentOS 7:

sudo yum install httpd mariadb-server mariadb php php-mysql php-fpm
sudo systemctl start httpd.service && sudo systemctl enable httpd.service
sudo systemctl start mariadb && sudo systemctl enable mariadb.service
sudo mysql_secure_installation
sudo systemctl restart httpd.service

# Firewall:
sudo firewall-cmd --permanent --zone=public --add-service=http 
sudo firewall-cmd --permanent --zone=public --add-service=https
sudo firewall-cmd --reload

# Testing:
sudo vi /var/www/html/info.php  # => <?php phpinfo(); ?>
curl -I <your-ip-address>/info.php
sudo rm /var/www/html/info.php

Packages to install

  • Install the "Development Tools":
yum groupinstall 'Development Tools' -y

These core development tools are required to compile software and build new RPMs, and include the following packages:

autoconf
bison
gdb
flex
gcc (c/c++ compiler)
gcc-c++ compiler
redhat-rpm-config
strace
strace64
rpm-build
make
automake
pkgconfig
gettext
libtool
binutils (and all dependencies)

How to switch from FirewallD to Iptables on CentOS 7

Starting with RHEL 7 / CentOS 7, firewalld was introduced to manage iptables. As such, you will either need to use `firewall-cmd` commands or disable firewalld and enable iptables.

If you prefer to use the classic iptables setup, you will first need to stop and mask the firewalld service (see: systemd for details):

$ systemctl stop firewalld
$ systemctl mask firewalld

Then, install the "iptables-services" package (if it is not already installed):

$ yum install iptables-services

Enable the service at boot-time:

$ systemctl enable iptables

You can now either add iptables rules from the CLI (e.g., `iptables -I INPUT ...`) or create/edit the /etc/sysconfig/iptables file to look something like the following (very basic with ports 22 and 80 open):

$ cat /etc/sysconfig/iptables
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [214:43782]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i lo -j ACCEPT
# The INPUT policy is ACCEPT, so reject everything not accepted above:
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT

Save your iptables rules:

$ iptables-save > /etc/sysconfig/iptables

If you are saving your rules in that /etc/sysconfig/iptables file, you will then need to run one of the following commands:

$ service iptables restart  # OR:
$ systemctl restart iptables

Next, check that the iptables service is "active" with:

$ systemctl status iptables

Check your iptables rules with:

$ iptables -L
#~OR~
$ iptables -nvL

If you have any NAT rules, you can view them with:

$ iptables -t nat -vL

Also check that your server is listening on the ports you opened (22 and 80 in the above example):

$ netstat -plant

You can also query the systemd journal for a "log" of the changes you made to the iptables service with:

$ journalctl -f -u iptables.service

If you reboot your server after the above, your iptables rules should be saved and loaded again.
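
An added check (not part of the original wiki page) for rulesets in the iptables-save format used by /etc/sysconfig/iptables: with an ACCEPT chain policy, ports are only closed if INPUT has a catch-all DROP or REJECT rule, and ACCEPT rules appended after that rule never match. The function name audit_input and the sample rulesets are constructed for illustration.

```shell
#!/bin/sh
# audit_input: read an iptables-save dump on stdin and report whether the
# filter-table INPUT chain really blocks traffic that no rule accepts.
audit_input() {
    awk '
        /^\*/ { table = substr($1, 2); next }     # "*filter" opens a table
        table != "filter" { next }
        $1 == ":INPUT" { policy = $2; next }      # ":INPUT ACCEPT [0:0]"
        $1 != "-A" || $2 != "INPUT" { next }
        # Catch-all: no match options, only "-j DROP" or "-j REJECT ...".
        $3 == "-j" && ($4 == "DROP" || $4 == "REJECT") { catchall = 1; next }
        # An ACCEPT rule placed after the catch-all can never match.
        catchall && $(NF-1) == "-j" && $NF == "ACCEPT" { dead++ }
        END {
            if (policy == "ACCEPT" && !catchall)
                print "OPEN: policy ACCEPT and no catch-all, every port is reachable"
            else if (dead)
                print "SHADOWED: " dead " ACCEPT rule(s) after the catch-all never match"
            else
                print "FILTERED: unmatched traffic is dropped or rejected"
        }
    '
}

# Constructed sample rulesets (not taken from a real host).
BASE='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i lo -j ACCEPT'
REJECT_ALL='-A INPUT -j REJECT --reject-with icmp-host-prohibited'
LATE_RULE='-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT'

# Only ACCEPT rules under an ACCEPT policy: nothing is filtered.
accept_only()   { printf '%s\nCOMMIT\n' "$BASE" | audit_input; }
# Same rules plus a final catch-all REJECT: only 22 and 80 are reachable.
with_reject()   { printf '%s\n%s\nCOMMIT\n' "$BASE" "$REJECT_ALL" | audit_input; }
# A rule appended (-A) after the catch-all: port 443 stays closed.
appended_late() { printf '%s\n%s\n%s\nCOMMIT\n' "$BASE" "$REJECT_ALL" "$LATE_RULE" | audit_input; }

accept_only; with_reject; appended_late
```

On a live host the same function can be fed with `iptables-save | audit_input` (as root); a SHADOWED result is the usual sign that a rule was added with `-A` where `-I` was needed.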

Remove old/unneeded kernels

It is sometimes necessary to remove old kernels, especially if you have a /boot partition running out of free space. The easiest (and safest) way to manually remove old/unneeded kernels is by using yum.

You can use `yum list` to find out what kernels are installed:

$ yum list kernel.*
kernel.x86_64    2.6.32-431.29.2.el6    @updates
kernel.x86_64    2.6.32-504.el6         @base
kernel.x86_64    2.6.32-504.8.1.el6     @updates

The above output shows that there are 3 kernels installed. It is a good practice to keep 3 to 5 kernels just in case a kernel update breaks something and you have to revert to an older version.

To remove the oldest version in the above kernel list, execute the following:

$ yum remove kernel-2.6.32-431.29.2.el6

You can also use a yum plugin to keep a given number of kernels and automatically remove the older ones (e.g., always keep the latest 3 kernels). You can edit the /etc/yum/pluginconf.d/installonlyn.conf file (or create it if it does not exist) and add/change the following lines:

[main]
enabled=1
# set the number of package versions to keep:
tokeep=3

The "enabled=1" line enables the yum plugin. The next time you run a `yum update`, yum will automatically remove the older versions and keep the latest 3 (note: This plugin will never remove your current working kernel). If you would prefer to keep any and all previous kernels, simply change that line to "tokeep=0".

External links