# Introduction

The following steps are performed after OS installation, before a specific ROLE is configured.

## Cloud Variants

For Azure Cloud installations, a user is specified when the VM is created. The root password remains hidden. It is, however, possible to change to root using the following command, using the user's own password:

Additionally, it is necessary to configure the network card(s) in a particular Zone. This is performed by editing the network configuration file(s):

```sh
# Edit the interface configuration file and add the ZONE line at its end
vi /etc/sysconfig/network-scripts/ifcfg-eth0
# ... (add at end)
ZONE=public
# ...
# Restart networking so that the interface joins the zone
service network restart
```

Make sure that firewalld is running and not iptables. The following commands ensure this:

```sh
systemctl stop iptables       # stop it in case it is currently running
systemctl disable iptables
systemctl mask iptables
systemctl enable firewalld
systemctl start firewalld
```
# System Update

Update the system to the newest patch release and install the basic packages. Note: if this fails because a proxy server is present, skip this step and create the jtel user first, then configure the proxy as described in the Proxy Server section below and return to this step.

```sh
dnf -y update
dnf -y install nano unzip wget rsync sysstat nfs-utils cifs-utils nmap bind-utils tcpdump lsof tmux chrony virt-what policycoreutils-python-utils
```
If a new kernel is installed, then a reboot is required.

# Mandatory Steps

## jtel User

### Create jtel User

Create the jtel user and add it to the group wheel, which allows the user to run commands with sudo.

Caution (password): replace `<password>` with the real password before running these commands. Note that a password piped to passwd this way is recorded in the root shell history.

```sh
useradd -m jtel
gpasswd -a jtel wheel
# Set the password non-interactively; <password> must be given twice
printf '<password>\n<password>\n' | passwd jtel
```

The following command creates a configuration file allowing all users who are members of the wheel group to run commands as root with sudo:

```sh
cat <<EOFF > /etc/sudoers.d/wheelers
## Allows people in group wheel to run all commands
%wheel ALL=(ALL) ALL
EOFF
```
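A sudoers.d drop-in fails silently in more than one way: sudo skips files whose name contains a '.' or ends in '~', and a wrong mode or a NOPASSWD tag changes what the rule grants. The following audit script is an added example, not part of the jtel documentation; the sample file it writes is the same drop-in the guide creates, placed in a temporary directory (a placeholder path) rather than /etc/sudoers.d.

```sh
#!/bin/sh
# Added example, not part of the jtel documentation: audit a sudoers.d drop-in
# such as /etc/sudoers.d/wheelers before relying on it. sudo skips drop-ins whose
# name contains a '.' or ends in '~', and ignores files writable by anyone but
# the owner, so a typo or a wrong chmod silently disables the rule. Checks:
# file name, mode 0440, exactly one rule, that the rule is "%wheel ALL=(ALL) ALL",
# and that NOPASSWD has not crept in.

audit_sudoers_dropin() {
    f="$1"
    base=$(basename "$f")
    case "$base" in
        *.*|*~) echo "$base: name is skipped by sudo (contains '.' or ends in '~')"; return 1 ;;
    esac
    mode=$(stat -c '%a' "$f" 2>/dev/null) || { echo "$f: cannot stat"; return 1; }
    [ "$mode" = "440" ] || { echo "$f: mode is $mode, expected 440"; return 1; }
    if grep -q 'NOPASSWD' "$f"; then
        echo "$f: NOPASSWD present, passwordless sudo is not wanted here"; return 1
    fi
    # count lines that are neither blank nor comments
    rules=$(grep -Evc '^[[:space:]]*(#.*)?$' "$f")
    [ "$rules" = "1" ] || { echo "$f: expected exactly one rule, found $rules"; return 1; }
    grep -Eq '^%wheel[[:space:]]+ALL=\(ALL\)[[:space:]]+ALL[[:space:]]*$' "$f" \
        || { echo "$f: rule is not '%wheel ALL=(ALL) ALL'"; return 1; }
    echo "$f: ok"
}

# Write the drop-in the guide creates into a fresh file (constructed sample;
# on a real host audit /etc/sudoers.d/wheelers instead).
write_sample_dropin() {
    cat <<EOFF > "$1"
## Allows people in group wheel to run all commands
%wheel ALL=(ALL) ALL
EOFF
    chmod 0440 "$1"
}

tmp=$(mktemp -d)
write_sample_dropin "$tmp/wheelers"
audit_sudoers_dropin "$tmp/wheelers"            # ok
chmod 0644 "$tmp/wheelers"
audit_sudoers_dropin "$tmp/wheelers" || true    # reports the mode problem
rm -rf "$tmp"
```

Run it as root against the real file after creating it: `audit_sudoers_dropin /etc/sudoers.d/wheelers`. A syntax check with `visudo -cf` complements it; this script only covers the operational mistakes listed in its header.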
### Warning when using git as root

The following command makes it (intentionally) more difficult to use git as the root user:

```sh
cat <<EOFF >> ~/.bashrc
alias git='printf "It looks like you are trying to run GIT as ROOT.\nFor jtel installations, GIT should always be run from the jtel user.\nIf you really want to run git as root, you will need to access it directly, using /usr/bin/git for example.\n"'
EOFF
source ~/.bashrc
```
## Chrony

Chrony is a newer (and better) replacement for ntpd. It is configured in a similar way; however, the commands used to check the synchronisation are slightly different. For further information see https://opensource.com/article/18/12/manage-ntp-chrony

### Setup chronyd

The following commands modify the basic chrony.conf file to remove the default pool and any configured servers, and replace them with the three (very reliable) time servers of the German PTB.

```sh
# Replace all existing servers
sed -i -e "s/^server /# server /" /etc/chrony.conf
# Replace pool setting
sed -i -e "s/^pool /# pool /" /etc/chrony.conf
# Add PTB Servers
cat << EOFF >> /etc/chrony.conf
# Servers to use
server ptbtime1.ptb.de iburst
server ptbtime2.ptb.de iburst
server ptbtime3.ptb.de iburst
EOFF
# Enable chronyd
systemctl enable chronyd
# Stop (just in case it was started), then start and get status
systemctl stop chronyd
systemctl start chronyd
systemctl status chronyd
```

### Check chronyd

```sh
# Check the status of the service
systemctl status chronyd
# Check the sources it is using
chronyc sources
```
## Remove Anacron, Install Cron

The jtel system requires that cron jobs run at a particular time. jtel servers usually run continuously. The anacron service (which is installed by default) may run a cron job later if the machine has been powered off; on a jtel system there is no point in doing this, and it can sometimes be destructive. The anacron service is therefore removed and replaced with the normal cron service.

```sh
dnf -y install cronie-noanacron
dnf -y remove cronie-anacron
```
## Hypervisor Tools

The hypervisor tools improve support from the hypervisor console when performing operations such as snapshots, starting, stopping and resetting the virtual machine. It is important that the correct tools are installed.

Warning: you will not need to, and should not, do this in most cloud environments!

### Detect the Hypervisor

The virt-what package installed in the System Update step reports which hypervisor the machine runs on; run `virt-what` and follow the matching section below.

### VMware

The tools are installed as follows:

```sh
dnf -y install open-vm-tools
```

### Hyper-V

Installing Hyper-V tools:

```sh
dnf -y install hyperv-daemons
```
### Other Hypervisors

Consult the manufacturer for further details.

## Hosts File

The jtel system uses aliases to reference the other machines in the installation. This removes all dependencies on cryptic host names and customer DNS servers. The hosts file must be provided on each system and should contain aliases pointing to the following machines (entries that are not required for an installation type are left blank; the original table marks them in red).

| Alias | Signifies | Single DB Installation | Master-Slave Installation | Redundant Master-Master Installation |
|---|---|---|---|---|
| acd-dbm | Database Master | The database machine. | The database master. | The Load Balancer Virtual Shared IP Address. |
| acd-dbm1 | First Database Master | | | The first database master. |
| acd-dbm2 | Second Database Master | | | The second database master. |
| acd-dbs | Database Slave | The database machine. | The database slave. | The Load Balancer Virtual Shared IP Address. |
| acd-dbs1 | First Database Slave | | | The first database slave. |
| acd-dbs2 | Second Database Slave | | | The second database slave. |
| acd-dbr | Reporting Database | The database machine. | The database slave. | The Load Balancer Virtual Shared IP Address. |
| acd-lb | The Load Balancer | The Load Balancer | The Load Balancer | The Load Balancer Virtual Shared IP Address. |
| acd-store | The File Storage | The Load Balancer | The Load Balancer | The Load Balancer Virtual Shared IP Address. |
| acd-tel1 ... acd-telN | The Telephony Machine(s) Numbered from 1 ... N | The Telephony Machine(s) Numbered from 1 ... N | The Telephony Machine(s) Numbered from 1 ... N | The Telephony Machine(s) Numbered from 1 ... N |
| acd-jb1 ... acd-jbN | The Webserver Machine(s) Numbered from 1 ... N | The Webserver Machine(s) Numbered from 1 ... N | The Webserver Machine(s) Numbered from 1 ... N | The Webserver Machine(s) Numbered from 1 ... N |
The hosts file is located in /etc/hosts.

### Example Hosts File: Single DB

```
10.0.0.1 acd-lb
10.0.0.1 acd-store
10.0.0.11 acd-dbm
10.0.0.11 acd-dbs
10.0.0.11 acd-dbr
10.0.0.31 acd-tel1
10.0.0.41 acd-jb1
10.0.0.42 acd-jb2
```

### Example Hosts File: Master-Slave

```
10.0.0.1 acd-lb
10.0.0.1 acd-store
10.0.0.11 acd-dbm
10.0.0.21 acd-dbs
10.0.0.21 acd-dbr
10.0.0.31 acd-tel1
10.0.0.41 acd-jb1
10.0.0.42 acd-jb2
```

### Example Hosts File: Redundant

```
10.0.0.1 acd-dbm
10.0.0.1 acd-dbs
10.0.0.1 acd-dbr
10.0.0.1 acd-lb
10.0.0.1 acd-store
10.0.0.11 acd-dbm1
10.0.0.12 acd-dbm2
10.0.0.21 acd-dbs1
10.0.0.22 acd-dbs2
10.0.0.31 acd-tel1
10.0.0.32 acd-tel2
10.0.0.41 acd-jb1
10.0.0.42 acd-jb2
10.0.0.43 acd-jb3
10.0.0.44 acd-jb4
```
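Because every jtel machine relies on these aliases rather than DNS, a hosts file that is missing an alias, defines one twice, or (in a master-slave setup) points acd-dbm and acd-dbs at the same machine is a common source of hard-to-diagnose failures. The checker below is an added example, not part of the jtel documentation; it derives the required alias list from the table above (with one telephony and one web server as the minimum) and writes the Single DB example to a temporary file as its constructed sample.

```sh
#!/bin/sh
# Added example, not part of the jtel documentation: verify that a hosts file
# carries every alias the chosen installation type needs, that no alias is
# defined twice, and (master-slave only) that acd-dbm and acd-dbs point to
# different machines. Alias lists follow the table above; one telephony and one
# web server are taken as the minimum.

# Print the aliases required for installation type $1 (single, master-slave, redundant).
required_aliases() {
    case "$1" in
        single|master-slave)
            echo "acd-lb acd-store acd-dbm acd-dbs acd-dbr acd-tel1 acd-jb1" ;;
        redundant)
            echo "acd-lb acd-store acd-dbm acd-dbs acd-dbr acd-dbm1 acd-dbm2 acd-dbs1 acd-dbs2 acd-tel1 acd-jb1" ;;
        *) return 1 ;;
    esac
}

# Print every address that alias $2 maps to in hosts file $1 (comments skipped).
lookup_alias() {
    awk -v a="$2" '
        /^[[:space:]]*#/ || NF < 2 { next }
        { for (i = 2; i <= NF; i++) if ($i == a) print $1 }
    ' "$1"
}

# Return 0 when hosts file $1 is complete for installation type $2; report problems.
check_hosts() {
    file="$1"; type="$2"; rc=0
    list=$(required_aliases "$type") || { echo "unknown installation type: $type"; return 2; }
    for a in $list; do
        n=$(lookup_alias "$file" "$a" | wc -l | tr -d ' ')
        case "$n" in
            0) echo "missing alias: $a"; rc=1 ;;
            1) ;;
            *) echo "alias $a is defined $n times"; rc=1 ;;
        esac
    done
    dbm=$(lookup_alias "$file" acd-dbm); dbs=$(lookup_alias "$file" acd-dbs)
    if [ "$type" = "master-slave" ] && [ -n "$dbm" ] && [ "$dbm" = "$dbs" ]; then
        echo "acd-dbm and acd-dbs resolve to the same address; master and slave must differ"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "$file: ok for $type"
    return $rc
}

# Constructed sample: the Single DB example from above, written to a temp file.
write_single_db_sample() {
    cat <<EOFF > "$1"
10.0.0.1 acd-lb
10.0.0.1 acd-store
10.0.0.11 acd-dbm
10.0.0.11 acd-dbs
10.0.0.11 acd-dbr
10.0.0.31 acd-tel1
10.0.0.41 acd-jb1
10.0.0.42 acd-jb2
EOFF
}

tmp=$(mktemp -d)
write_single_db_sample "$tmp/hosts"
check_hosts "$tmp/hosts" single
check_hosts "$tmp/hosts" redundant || true   # reports the missing acd-dbm1 ... acd-dbs2
rm -rf "$tmp"
```

On a real machine run `check_hosts /etc/hosts single` (or `master-slave`, `redundant`) on every server; the check is cheap enough to add to a post-installation script.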
# Optional Steps

## SSH Keys

SSH keys can be added to enable login to the jtel user via an ssh key.

```sh
mkdir -p /home/jtel/.ssh
cat << EOFF > /home/jtel/.ssh/authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEAgJWox9vkWssx24V6m+VB/9cfFUznUnVJqHeSnQFcE+ANzH+lgv90jQYXRf8XLSaKA4HZGO7SFUwLz7eNHk0lIS+TG+WKGrjl3GRvzNoYVAapeKUV7HjbeagQPNOCKTr6G8Vi/GVMyOx8XhJAgpr5gjyW9GdMdqnOS9uxd83BCh/UiAP9oVUbLiIIxbtmLAzyfJdjnbFP9sJXw96Vl040Fe4aoLofrkPyPu7cst6TPJx5myDhORG31nD/2iwUNLfv58m9ABMsePfhqzSp/Hi2XY/e5gikDh3xUxoBmL9fWwbiFb92AFW08rP1CtoCEtOe2nJkdtRzt0GiE+A+zgdDjw== support@jtel.de
ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEAuP5DEZDI6/CITTqk8qburqDuKNj6jnQ9Zbjz6BO+5P8MlrS8KT7y56u/PSqdO3OzD58D2JS0yNvM5RbBGYDUD1ng7VSJLFLfErbuCzJ/Q+BSRaee+7MhLWXdVSc/EY2B4qUcZGRL/NXHtAY/3KvSSU3wnhI4edLYMAzuxAhNEPRkmniq1CAuykDdHvm0kVQzaSShYDBQWIlbWIMG6jsCmMpZR7v+v6gKWeowQkM4T4XZ1f2K5zlQXd6FHGY8C/+XICefum2qgQtqgjfQMoqIQbnmfKDGIHPvkas287tdCbU4y1lTsJbTiT7INkd6QbiVUayVxVwwoV+G2F7WofN4nw== root@jtel.de
ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEArTi8N08gDz1CvDriZNALa1tHky/1+QNP0WU43dI7hkn2zH7fz9bXAs32z7dRjfgxaYXWPmClcDLDb0xwjGfMXK0HABPtp0bxh/58Y0QowBUJkcNi6hUphT+ArGkpjQb5CJcArnbLO727R8jJFgE1QpiWdehd5t3ec0wOL0NhnIE63S+DUm7+bQW6Z8Kmzl0+opGyoURLf8hxeAIUJwdeMFN7AIVPZlyuPobowwjGDXD9YpwXZ2oPtg6XISwW/O1fsetzmGkgD4gedxJxjc5x5ByZX98UsNJORrG5R5slLqQTJkJzGBLpH8kC9WLIEW0RduVR2mrQzOBRgA92i5ZUFw== lewis.graham@jtel.de
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC9W40vFohIPQsH6Q5Rfef7xiC4WRHOkMaMsUXxLCnTCDGI0PDib23NBUTevcnAc+OrCUITRmwngRbcItbR9QM1qNhzrwS8ZI00psZVVnBUwVVpX4UJtmX0CDrtVwH1yz51/WnZVeS17JqoMjVMB3p+n1CjViwh6qlRTI/9F/KfaOfiLEiHnvcnmSq67R7o5wP65TR00xqA20E569M1lcdn43xL2GylkwHuWw+XcusKqf+lnaawFWhdZUTOuF3ZB+ssuEbXSyZEGtc5/HNUG8rg9tutzAfq3fNWc5Y5pY+B048g4oDyAQpwMB7i9OwNNk1IEZA+rmqIImf7XLVKIsNn andrey.tsvetkov@jtel.de
ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEAkBiz9SsIXMO/a+7hCxNGQuQ4s/gqUZ6pyxDxjpDTD+bewxumyhn5aITbBSuHpx0n05JL4nGGdROii54ATildm3Uhi8JSljGy5uv97Sw8Kpy0eO314tOLU3NkAe2YOH1aUeArne4bYPebKBq0r1oln1Gu2+TFvCmMqu3FmleMv1xvw/waTwO57hSBPN83gOaJR7w6lOUp5HjYLSA0zRs1Os3g6ldQkHeGBknJ6jChqFXJHGl0KYzZGv3Q46fVTptS7NACxZs+ARUzJjbGjxnpHYK8rmSoTfoBS4qlN5+LxYKG341Hmq7cOsaISwUFbE/CbFOqUtjBviI1c7RLgtGnJQ== serge.djomo@jtel.de
ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEAuh3ZLgQo2e9Uv1vAQxxCGxe9D3u8DWh4egeteUAPj4b7tOxQ6to3zAlGytUR9R6sANL/CIP3nEA2d3r4km0FQWQ4QFCLTFjyXl0Kvsn1ahN8DljJ6mRlwtvN2r5mBIEy1ClGCh+Jvchzf4ZhXrWxOTYYO77O8wjj9Zbk0Y6wI2qBnE6TaxsRQ7Z61zTe80xfLPQLKjgQ/5Hdk0z0HAx3jEsZRo9CqMLb44UD+6jVCih1JPMFcnUu0uxRQdOHrg243tqAUmuqICWompZNO75v3HjIIXOebxVGBXugrYc2xR1q964/EE0ZR7JMWM+HJ47V8WJKkE126n9ZElCqNGIR+Q== heidi.mueller@jtel.de
ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEAilON3Cn1bZPBYtv67Bv63llD1KMTTH52/ioPLm+qYYDV80mSHSb+PHD9awXNKNv5iTecaQ/a56CkK0z+KI5zvJb3EiRZaRe70cIqdflHmTcasVPVk1hAma5xc5UOCr+dKokqMQGwpDRrDvdS3atflQznvlR8+qoxPjlKC4KDx0GOUeSOIPBO6DdYGPlFX6ohMVRE7p/vHIRAOfehmG1xFtfk+rGPmgiblPWWWklKYQUfMnHI0pqFJwrPW46nqdUlQwtknATZC2cuKe931zstFhuDsm218yS4hTTlcjw5i/DH7PFr9Y58BtY6ZTy8khwTUeMPpSxE7i2WYoqoJ7DXcw== sou@jtel.de
ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEA0czZLbpaxo/EY9iHDq9n6EWTALeYB7GVmp/mLwp66zeV4DbvTm+3FDUJSD9rqMJzJkAAEicFe+II/ZdIeZzG4JdYf66M/Y6k0w0Y8jJqDtsdgUf3OJ1hJ53Z+BwFqy1vD/a7N2hxlEKD2rzyAfVb+xzTzhJTjpX1kNiUxDMXRZs4ytW0CbOqZSpTJ3eT9NS9gH188KFTvHN8rPzDAxRKcexO2fSzNa7e+dYsfImOQoYlxFBX5YU74Ay9F5b7K95Cxe8EstvKNVmjkNWgnNWuS2d7eabepC1jv3z0FdOGiVoZ1SDgqKz8ysBa6Rzkt5L5peHYAKyH8TedeUk7kRIwZQ== dhia@jtel.de
EOFF
restorecon -R -v /home/jtel/.ssh
chown -R jtel:jtel /home/jtel/.ssh
chmod 0700 /home/jtel/.ssh
chmod 0644 /home/jtel/.ssh/authorized_keys
```
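The chown and chmod lines above matter more than they look: with StrictModes (sshd's default) a .ssh directory or authorized_keys that is group- or world-writable, or owned by the wrong user, is ignored, and once password login is disabled that means a lockout. The audit script below is an added example, not part of the jtel documentation; it checks ownership, modes and the format of each key line, and uses a constructed ed25519 line with all-zero key bytes as its sample (structurally valid, useless as a credential).

```sh
#!/bin/sh
# Added example, not part of the jtel documentation: audit a user's ~/.ssh
# before switching to key-only login. sshd (StrictModes, the default) ignores
# authorized_keys when the directory or file is writable by group/others or
# owned by someone else, so a wrong chown/chmod locks the user out once
# passwords are disabled. Each key line is also checked: known key type,
# base64 blob, and the type encoded inside the blob matching the first field.

# Return 0 if a single authorized_keys line is "<type> <base64> [comment]".
valid_key_line() {
    set -- $1                       # split the line into fields
    [ $# -ge 2 ] || return 1
    case "$1" in
        ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
        *) return 1 ;;
    esac
    printf '%s' "$2" | grep -Eq '^[A-Za-z0-9+/]+={0,2}$' || return 1
    # wire format: uint32 length, then the type string; it must equal field 1
    decoded=$(printf '%s' "$2" | base64 -d 2>/dev/null | head -c "$((4 + ${#1}))" | tail -c "${#1}")
    [ "$decoded" = "$1" ]
}

# Return 0 if $1/.ssh and its authorized_keys are owned by $2, have safe modes
# and contain only well-formed keys (blank lines and comments are allowed).
audit_ssh_dir() {
    dir="$1/.ssh"; keys="$dir/authorized_keys"; owner="$2"; rc=0
    [ -d "$dir" ] || { echo "$dir: missing"; return 1; }
    [ -f "$keys" ] || { echo "$keys: missing"; return 1; }
    for p in "$dir" "$keys"; do
        [ "$(stat -c '%U' "$p")" = "$owner" ] || { echo "$p: not owned by $owner"; rc=1; }
    done
    [ "$(stat -c '%a' "$dir")" = "700" ] || { echo "$dir: mode must be 0700"; rc=1; }
    case "$(stat -c '%a' "$keys")" in
        600|644) ;;
        *) echo "$keys: mode must be 0600 or 0644"; rc=1 ;;
    esac
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case "$line" in ''|'#'*) continue ;; esac
        valid_key_line "$line" || { echo "$keys: line $n is not a valid public key"; rc=1; }
    done < "$keys"
    [ "$rc" -eq 0 ] && echo "$keys: ok"
    return $rc
}

# Constructed sample: an ed25519 line whose 32 key bytes are all zero, so it is
# structurally valid but useless as a credential.
SAMPLE_KEY_LINE='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA constructed@example.invalid'

tmp=$(mktemp -d)
mkdir -p "$tmp/.ssh"
printf '%s\n' "$SAMPLE_KEY_LINE" > "$tmp/.ssh/authorized_keys"
chmod 0700 "$tmp/.ssh"
chmod 0644 "$tmp/.ssh/authorized_keys"
audit_ssh_dir "$tmp" "$(id -un)"          # ok
rm -rf "$tmp"
```

On the installed machine the call is `audit_ssh_dir /home/jtel jtel`; run it before disabling password authentication in sshd, and again after any restorecon or chown on the home directory.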
Note: login by ssh key only must be enabled (this is not discussed here). A word of caution: make sure you have recorded the root password before you do this, so that you can at least access the machine via the console.

## Proxy Server

If a proxy server is used, the following commands configure the proxy server for root and the jtel user. The top 5 lines should be modified.

Caution (password): the proxy password given here is written in clear text into the .bashrc files of root and of the jtel user.

```sh
PROXY_USERNAME=
PROXY_PASSWORD=
PROXY_SERVER=proxy.example.de
PROXY_PORT=3128
PROXY_EXCEPTIONS=.example.de,.local,10.
# Build the proxy URL; credentials are only embedded when they are set
if [ -n "$PROXY_USERNAME" ] && [ -n "$PROXY_PASSWORD" ]
then
PROXY="http://$PROXY_USERNAME:$PROXY_PASSWORD@$PROXY_SERVER:$PROXY_PORT"
elif [ -n "$PROXY_USERNAME" ]
then
PROXY="http://$PROXY_USERNAME@$PROXY_SERVER:$PROXY_PORT"
else
PROXY="http://$PROXY_SERVER:$PROXY_PORT"
fi
# root's environment
cat <<EOFF >> ~/.bashrc
export ALL_PROXY=$PROXY
export HTTP_PROXY=$PROXY
export HTTPS_PROXY=$PROXY
export FTP_PROXY=$PROXY
export RSYNC_PROXY=$PROXY
export http_proxy=$PROXY
export https_proxy=$PROXY
export ftp_proxy=$PROXY
export rsync_proxy=$PROXY
export NO_PROXY=$PROXY_EXCEPTIONS
EOFF
# jtel user's environment
cat <<EOFF >> /home/jtel/.bashrc
export ALL_PROXY=$PROXY
export HTTP_PROXY=$PROXY
export HTTPS_PROXY=$PROXY
export FTP_PROXY=$PROXY
export RSYNC_PROXY=$PROXY
export http_proxy=$PROXY
export https_proxy=$PROXY
export ftp_proxy=$PROXY
export rsync_proxy=$PROXY
export NO_PROXY=$PROXY_EXCEPTIONS
EOFF
source ~/.bashrc
```
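Two practical problems remain with the snippet above: a password containing ':', '@' or '/' breaks the URL, and .bashrc is normally world-readable, so the proxy password becomes readable by every local account. The script below is an added example, not part of the jtel documentation, and goes beyond the page in both respects: it percent-encodes the credentials and writes the exports to a separate mode-0600 file (a placeholder path such as ~/.proxy.env) which .bashrc sources with one line. All names and values in it are constructed.

```sh
#!/bin/sh
# Added example, not part of the jtel documentation. Beyond the snippet above:
# user name and password are percent-encoded (a ':' '@' or '/' in a password
# would otherwise corrupt the URL), and the exports go into a separate
# mode-0600 file that .bashrc sources, instead of a clear-text password in a
# world-readable .bashrc. Paths and credentials below are placeholders.

# Percent-encode $1 for the userinfo part of a URL (RFC 3986 unreserved
# characters pass through unchanged).
urlencode() {
    s="$1"; out=""
    while [ -n "$s" ]; do
        c=${s%"${s#?}"}; s=${s#?}          # first character, then the rest
        case "$c" in
            [A-Za-z0-9.~_-]) out="$out$c" ;;
            *) out=$(printf '%s%%%02X' "$out" "'$c") ;;
        esac
    done
    printf '%s' "$out"
}

# Print http://[user[:pass]@]server:port with the credentials encoded.
build_proxy_url() {
    user="$1"; pass="$2"; server="$3"; port="$4"
    if [ -n "$user" ] && [ -n "$pass" ]; then
        printf 'http://%s:%s@%s:%s' "$(urlencode "$user")" "$(urlencode "$pass")" "$server" "$port"
    elif [ -n "$user" ]; then
        printf 'http://%s@%s:%s' "$(urlencode "$user")" "$server" "$port"
    else
        printf 'http://%s:%s' "$server" "$port"
    fi
}

# Write the proxy exports into $1, created under umask 077 and forced to 0600.
write_proxy_env() {
    file="$1"; url="$2"; exceptions="$3"
    (
        umask 077
        cat > "$file" <<EOFF
export ALL_PROXY=$url
export HTTP_PROXY=$url
export HTTPS_PROXY=$url
export FTP_PROXY=$url
export RSYNC_PROXY=$url
export http_proxy=$url
export https_proxy=$url
export ftp_proxy=$url
export rsync_proxy=$url
export NO_PROXY=$exceptions
export no_proxy=$exceptions
EOFF
    )
    chmod 0600 "$file"
}

# The single line to append to ~/.bashrc (and /home/jtel/.bashrc) instead of the exports.
bashrc_hook() {
    printf '[ -r %s ] && . %s\n' "$1" "$1"
}

# Demo with constructed values (the password is obviously fake).
tmp=$(mktemp -d)
url=$(build_proxy_url "svc-proxy" 'p@ss:w/rd' proxy.example.de 3128)
echo "$url"                     # http://svc-proxy:p%40ss%3Aw%2Frd@proxy.example.de:3128
write_proxy_env "$tmp/proxy.env" "$url" ".example.de,.local,10."
bashrc_hook "$tmp/proxy.env"
cat "$tmp/proxy.env"
rm -rf "$tmp"
```

For the jtel user, write the file as /home/jtel/.proxy.env, `chown jtel:jtel` it, and append the hook line to /home/jtel/.bashrc; root gets its own copy under /root. The password then lives only in files readable by their owner.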