I’m having a Docker Dev Server kicking around on CentOS 7. I’ll test Updating that box now. Since 90% of our Linux Boxes run CentOS, this will be an interesting ride. I see long days of upgrading Servers ahead.
On the plus side, this might help with a lot of outdated python and php stuff.
Since i wanted to set-up spacewalk today anyways, i’ll give the installer a shot later on a fresh VM. I’ll let you now when anything weird happens.
Man, new CentOS Release. Not a lot of distros can get me that exited for a new Major Version.
Upgrade doesn’t seem as easy. Most information i found online isn’t working.
I imported the new “Project Keys” from here: https://www.centos.org/keys/ but they aren’t downloaded to my Server.
Also, i’m not sure how to upgrade other than bruteforcing it by changing all the repos in /etc/yum.repos.d , which i might try.
On a side not, i just read the release Notes and, holy hell, there is CentOS Stream. Like, there is a freakin’ Rolling Release CentOS Version? Is this new or did this just fly over my head. They say it’s a middleground between Fedora and RHEL. I’ll install this in a VM for sure. Depending on how “current” the packages are, this could very well replace debian on the Desktop for me. Exciting stuff.
Is it truly rolling release? I just thought it was basically a testing branch of RHEL.
They announced it without warning along with CentOS 8. I imagine it probably had a lot to do with why the release took so long.
So I’m back to configuring the servers (finally). I have hit my first snag. First of all, I should probably replace all those yum command with dnf since yum is deprecated and is just an alias for ease of use.
Also, yumdb is no longer a thing, so I’m not sure how to do the equivalent of:
Not sure if it’ll work. The suggestion on Stack Exchange didn’t inspire much confidence.
There is also a dnf protect.d directory where you can store packages that shouldn’t be removed. /etc/dnf/protected.d . However I have seen some people report this doesn’t work with specific versions.
Anyway, assuming that works, the system has an intial snapshot and the kernel is preserved (hopefully), so I can roll it back in the future, including the kernel, while retaining logs and user data in /home.
Now let’s continue configuring the system.
# Repo config
sudo sed -i 's/installonly_limit=3/installonly_limit=10/' /etc/dnf/dnf.conf
echo "deltarpm=1" | sudo tee -a /etc/dnf/dnf.conf
echo "repo_gpgcheck=1" | sudo tee -a /etc/dnf/dnf.conf
sudo dnf -y update
sudo dnf - install dnf-automatic
sudo sed -i 's/apply_updates = no/apply_updates = yes/' /etc/dnf/automatic.conf
sudo sed -i 's/upgrade_type = default/upgrade_type = security/' /etc/dnf/automatic.conf
sudo systemctl enable dnf-automatic.timer
sudo systemctl start dnf-automatic.timer
# SMART config
sudo dnf -y install smartmontools
read -a SMART_DRIVES -d $"\n" <<< "$(smartctl --scan | awk '{ print $1 }' | grep -o "/[a-z]*$")"
echo "DEVICESCAN" | sudo tee -a /etc/smartmontools/smartd.conf
for DRIVE in "${SMART_DRIVES[@]}"; do ls -ld /dev/disk/by-id/* | grep -m 1 "${DRIVE}" | awk '{ print $9" -a -o on -S on -n standby,q -s (S/../.././01|L/../../6/03) -W 4,35,40" }' | sudo tee -a /etc/smartmontools/smartd.conf; done
unset SMART_DRIVES
unset DRIVE
sudo systemctl start smartd
sudo systemctl enable smartd
# MD config
printf '#!/usr/bin/env bash\n\nfor MD in /sys/block/md*/md/sync_action; do echo "check" > "${MD}"; done' | sudo tee /etc/cron.weekly/md_scrub.sh
sudo chmod +x /etc/cron.weekly/md_scrub.sh
# User
sudo sed -i -E "s/(^[U,G]ID_MIN[[:space:]]*)1000$/\15000/g" /etc/login.defs
sudo dnf -y install setools-console setroubleshoot-server
sudo semanage login -a -s staff_u -rs0:c0.c1023 "$(whoami)"
sudo restorecon -FR /home/$(whoami)
echo "$(whoami) ALL=(ALL) TYPE=sysadm_t ROLE=sysadm_r ALL" | sudo tee /etc/sudoers.d/"$(whoami)"
exit #log back in to refresh the selinux user context (you will be locked out of sudo until you do)
From what i gathered, it’s basically Fedora but with the Package selection for the next minor RHEL Release. So, i think it’s truly rolling.
I installed it on my T510i yesterday. Software store doesn’t work, as a lot of repos don’t seem to be up (yet). First boot was really slow. Other than that, it’s CentOS 8 so far. It looks like that packages will be updated in the near future.
But again, i’m not really sure. I also just read the announcement and thought it was interesting. So my idea of what it is could be way off.
Also, Server upgrade didn’t work. I’m pretty sure there is still some work on the repos to do.
# Hostname
# Assumes host picked up short name from local DNS during installation and is also picking up a search domain from DHCP.
cp /etc/hosts /etc/hosts.default~
printf "$(hostname -i)\t$(hostname -f) $(hostname)\n" | sudo tee -a /etc/hosts
# Antivirus
sudo dnf -y install epel-release
sudo sed -i -E "s/(^enabled=[0,1]$)/\1\nrepo_gpgcheck=0/g" /etc/yum.repos.d/epel* #epel doesn't support gpg signed metadata
sudo dnf -y check-update
sudo dnf -y install clamav-server clamav-data clamav-update clamav-filesystem clamav clamav-scanner-systemd clamav-devel clamav-lib clamav-server-systemd
sudo cp /etc/freshclam.conf /etc/freshclam.conf.default~
sudo cp /etc/clamd.d/scan.conf /etc/clamd.d/scan.conf.default~
sudo sed -i 's/^Example/#Example/' /etc/freshclam.conf /etc/clamd.d/scan.conf
sudo sed -i 's/^#LocalSocket/LocalSocket/' /etc/clamd.d/scan.conf
sudo sed -i 's/^#LocalSocketGroup/LocalSocketGroup/' /etc/clamd.d/scan.conf
sudo sed -i 's/virusgroup/clamscan/' /etc/clamd.d/scan.conf
sudo cp /etc/sysconfig/freshclam /etc/sysconfig/freshclam.default~
sudo sed -i 's/^FRESHCLAM_DELAY=disabled-warn/#FRESHCLAM_DELAY=disabled-warn/' /etc/sysconfig/freshclam
sudo setsebool -P antivirus_can_scan_system 1
sudo systemctl enable clamd@scan
sudo systemctl start clamd@scan
# Firewall
# Zone is set to subdomain of fqdn, so if you had srv1.www.something.com, the zone would be www
# This also assumes there is still only one interface up which is being used for management (ssh)
sudo firewall-cmd --permanent --new-zone=$(hostname -f | cut -d '.' -f 2)
sudo firewall-cmd --permanent --zone=$(hostname -f | cut -d '.' -f 2) --set-target=DROP
sudo firewall-cmd --permanent --zone=$(hostname -f | cut -d '.' -f 2) --add-service=ssh
sudo firewall-cmd --permanent --zone=$(hostname -f | cut -d '.' -f 2) --add-interface=$(nmcli -t -f device con show -a)
sudo firewall-cmd --set-default-zone=drop
sudo firewall-cmd --complete-reload
# Security Policies
# Ban on repeated failed logins
sudo dnf -y install fail2ban
sudo printf '[sshd]\nenabled = true\n' | tee /etc/fail2ban/jail.d/20-sshd.conf
sudo systemctl enable fail2ban
sudo systemctl start fail2ban
# Selection from:
# https://static.open-scap.org/ssg-guides/ssg-rhel7-guide-index.html
# cron
printf "root\n$(whoami)\n" | sudo tee /etc/cron.allow
sudo rm /etc/cron.deny
# ntp (chrony)
sudo cp /etc/chrony.conf /etc/chrony.conf.default~
sudo sed -i "s/ maxpoll [0-9]*//g" /etc/chrony.conf
sudo sed -i "s/^server .*/& maxpoll 10/g" /etc/chrony.conf
sudo systemctl restart chronyd
# kernel dumps
sudo systemctl disable kdump.service
sudo systemctl stop kdump.service
# sshd
sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.default~
sudo sed -i -E 's/^#(ClientAliveCountMax )[0-9]*/\10/' /etc/ssh/sshd_config
sudo sed -i -E 's/^#(ClientAliveInterval )[0-9]*/\1600/' /etc/ssh/sshd_config
echo "Unauthorized access to this information system will be prosecuted to the fullest extent of the law." | sudo tee /etc/issue
sudo sed -i -E 's/^#(Banner ).*/\1\/etc\/issue/' /etc/ssh/sshd_config
echo "UsePrivilegeSeparation sandbox" | sudo tee -a /etc/ssh/sshd_config
sudo sed -i -E 's/^(GSSAPIAuthentication ).*/\1no/' /etc/ssh/sshd_config
sudo sed -i -E 's/^(PermitRootLogin ).*/\1no/' /etc/ssh/sshd_config
# file permissons
printf '#!/usr/bin/env bash\n\n' | sudo tee /etc/cron.hourly/fix_permissions
printf 'while read -r WRONG_PERM; do /usr/bin/rpm --setperms "$(/usr/bin/rpm -qf "${WRONG_PERM}")"; done <<< "$(/usr/bin/rpm -Va | /usr/bin/awk '\''{ if (substr($0,2,1)=="M") print $NF }'\'')"\n\n' | sudo tee -a /etc/cron.hourly/fix_permissions
printf 'while read -r WRONG_PERM; do /usr/bin/rpm --setugids "$(/usr/bin/rpm -qf "${WRONG_PERM}")"; done <<< "$(/usr/bin/rpm -Va | /usr/bin/awk '\''{ if (substr($0,6,1)=="U" || substr($0,7,1)=="G") print $NF }'\'')"\n' | sudo tee -a /etc/cron.hourly/fix_permissions
sudo chmod +x /etc/cron.hourly/fix_permissions
sudo /etc/cron.hourly/fix_permissions
# dnf
echo "localpkg_gpgcheck=1" | sudo tee -a /etc/dnf/dnf.conf
# network
sudo sysctl -w net.ipv6.conf.all.disable_ipv6=1
sudo sysctl -w net.ipv6.conf.default.disable_ipv6=1
sudo sysctl -w net.ipv4.conf.default.accept_source_route=0
sudo sysctl -w net.ipv4.conf.default.accept_redirects=0
sudo sysctl -w net.ipv4.conf.all.accept_redirects=0
sudo sysctl -w net.ipv4.conf.all.send_redirects=0
sudo sysctl -w net.ipv4.conf.default.send_redirects=0
# boot stuff (ha)
sudo sed -i s/root/"$(whoami | rev)"/g /etc/grub.d/01_users #or whatever
sudo grub2-setpassword #set a unique password
sudo grub2-mkconfig -o /boot/grub2/grub.cfg
sudo systemctl mask ctrl-alt-del.target
# misc
echo "TMOUT=600" | sudo tee /etc/profile.d/timeout.sh
echo "FAIL_DELAY 4" | sudo tee -a /etc/login.defs
# After the system is configured
# aide
sudo dnf -y install aide
sudo aide --init
sudo mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
printf '#!/usr/bin/env bash\n\n/usr/sbin/aide --check\n' | sudo tee /etc/cron.daily/aide_check
sudo chmod +x /etc/cron.daily/aide_check
And at this point, I accidentally typed sudo chmod -R go-rwx /etc/skel/.* which borked by permissions for everything in /etc. oOops.
Funnily enough, the fix_permissions script that I set to run hourly did execute and the system is functional again, however, since my user file in /etc/sudoers.d was not installed by a package, it is still unreadable, so I cannot sudo.
I can reboot and fix this in single user mode. I think I can use aide to indicate any other permissions in /etc that haven’t been repaired.
Another note on installation. I did run into an error when I had a pre-existing system in place with somewhat complex storage (md raid, lvm volumes with snapshots). The installer would produce this error very soon after entering the user creation page.
I found that if I dropped to command line (ctrl-alt-F1), and used fdisk to erase the existing partitions early during installation, the installer would still show the pre-existing partitions in storage config (despite partprobe), but it would get through the installation process without any errors. Btw, ctrl-alt-F6 gets you back to the GUI installer and alt-tab cycles through the various cli views (use it once to get to a shell).
Already in progress, although it’s more like ”How to install and configure CentOS 8 for sysadmins who are pragmatically paranoid and don’t need to adhere to FIPS”.
I’m down. I don’t use centos but I guess if I wanted to get on a common rpm base… centos could be my server since my desktops and laptops are fedora… does centos behave like fedora? Selinux ACLs and stuff?
That’s good to hear. I know @Novasty recommended it to me. I might through it in a VM and learn to administer it well… then maybe I’ll convert next time I bring my services back online
For the most part, yes. CentOS 7 runs a very old kernel and uses yum instead of dnf, but neither of those is the case for CentOS 8.
Btw, if anyone wants to use the minimal boot ISO for installing CentOS 8, the config from the PXE version was mostly correct. The only difference was that I got an error about AppStream already being used, so I just appended a 2.
$ sudo systemctl enable tmp.mount
The unit files have no installation config (WantedBy, RequiredBy, Also, Alias
settings in the [Install] section, and DefaultInstance for template units).
This means they are not meant to be enabled using systemctl.
Possible reasons for having this kind of units are:
1) A unit may be statically enabled by being symlinked from another unit's
.wants/ or .requires/ directory.
2) A unit's purpose may be to act as a helper for some other unit which has
a requirement dependency on it.
3) A unit may be started when needed via activation (socket, path, timer,
D-Bus, udev, scripted systemctl call, ...).
4) In case of template units, the unit is meant to be enabled with some
instance name specified.
$ sudo systemctl start tmp.mount
$ sudo systemctl status tmp.mount
● tmp.mount - Temporary Directory (/tmp)
Loaded: loaded (/usr/lib/systemd/system/tmp.mount; static; vendor preset: disabled)
Active: active (mounted) since Thu 2019-10-03 16:31:03 EDT; 5s ago
Where: /tmp
What: tmpfs
Docs: man:hier(7)
https://www.freedesktop.org/wiki/Software/systemd/APIFileSystems
Tasks: 0 (limit: 26213)
Memory: 0B
CGroup: /system.slice/tmp.mount
$ mount | grep /tmp
tmpfs on /tmp type tmpfs (rw,nosuid,nodev,seclabel)
Sure enough, -/usr/lib/systemd/system/tmp.mount- has no [Install] section, so:
sudo cp /usr/lib/systemd/system/tmp.mount /etc/systemd/system/
echo "
[Install]
WantedBy=multi-user.target
" | sudo tee -a /etc/systemd/system/tmp.mount
sudo sed -iE "s/\(Options=.*$\)/\1,noexec/" /etc/systemd/system/tmp.mount
sudo systemctl enable tmp.mount
sudo systemctl start tmp.mount
I’m down. I don’t use centos but I guess if I wanted to get on a common rpm base… centos could be my server since my desktops and laptops are fedora… does centos behave like fedora? Selinux ACLs and stuff?