Introduction
The following steps are performed after OS installation, before a specific ROLE is configured.
Cloud Variants
Azure Cloud
For Azure Cloud installations, a user is specified when the VM is created and the root password is not disclosed. It is, however, possible to switch to root with the following command, entering the user's own password:

```shell
sudo -s
```
Additionally, the network card(s) must be placed in a particular firewalld zone. This is done by editing the network configuration file(s):

```shell
vi /etc/sysconfig/network-scripts/ifcfg-eth0
```

Add the following line at the end of the file:

```
ZONE=public
```

Then restart the network service:

```shell
service network restart
```
Make sure that firewalld is running and not iptables. The following commands ensure this:

```shell
systemctl disable iptables
systemctl mask iptables
systemctl enable firewalld
systemctl start firewalld
```
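Added example (not from the original page): a small POSIX shell helper that applies the ZONE setting idempotently, so the step can be re-run and repeated for further interfaces (ifcfg-eth1 and so on) without leaving duplicate ZONE lines behind. The function names, the temporary file and the demo ifcfg content are constructed for the demonstration.

```shell
#!/bin/sh
# set_ifcfg_zone FILE ZONE
# Sets ZONE=<zone> in an ifcfg-style file. An existing ZONE= line is
# replaced in place; otherwise the setting is appended, as the manual
# "add at end" step above does. Returns 0 on success, 1 if FILE is missing.
set_ifcfg_zone() {
    file=$1
    zone=$2
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }
    if grep -q '^ZONE=' "$file"; then
        sed -i -e "s/^ZONE=.*/ZONE=$zone/" "$file"
    else
        printf 'ZONE=%s\n' "$zone" >> "$file"
    fi
}

# get_ifcfg_zone FILE
# Prints the configured zone (last ZONE= line wins), or nothing if unset.
get_ifcfg_zone() {
    sed -n 's/^ZONE=//p' "$1" | tail -n 1
}

# Constructed demo: a minimal ifcfg-eth0 in a temporary directory, so this
# runs without touching /etc/sysconfig/network-scripts on the real machine.
demo_dir=$(mktemp -d)
demo_cfg="$demo_dir/ifcfg-eth0"
printf 'DEVICE=eth0\nBOOTPROTO=dhcp\nONBOOT=yes\n' > "$demo_cfg"

set_ifcfg_zone "$demo_cfg" public
set_ifcfg_zone "$demo_cfg" public   # second run must not add a second line
echo "zone now: $(get_ifcfg_zone "$demo_cfg")"
```

On the real machine, run it against /etc/sysconfig/network-scripts/ifcfg-eth0 and, after the network restart, confirm the assignment with `firewall-cmd --get-zone-of-interface=eth0`.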
System Update
Update the system to the newest patch release and install basic packages.
Note: if this fails because a proxy server is present, skip this step and create the jtel user first. Then configure the proxy as shown in the Proxy Server section below.

Note: as most machines require the mysql connector, it is installed directly here.

```shell
dnf -y update
dnf -y install nano unzip wget rsync sysstat nfs-utils cifs-utils nmap bind-utils tcpdump lsof tmux chrony virt-what policycoreutils-python-utils libaio
dnf config-manager --disable mysql-connectors-community
dnf config-manager --disable mysql-tools-community
dnf -y module disable mysql
dnf -y install https://dev.mysql.com/get/mysql80-community-release-el8-1.noarch.rpm
dnf -y install mysql-community-client
```
If a new kernel was installed, a reboot is required:

```shell
reboot
```
Mandatory Steps
jtel User
Create jtel User
Create the jtel user and add it to the group wheel, which allows the user to run commands with sudo.

CAUTION PASSWORD

```shell
useradd -m jtel
gpasswd -a jtel wheel
printf '<password>\n<password>\n' | passwd jtel
```
Configure wheel
The following command creates a configuration file allowing all members of the wheel group to run commands as root with sudo.

```shell
cat <<EOFF > /etc/sudoers.d/wheelers
## Allows people in group wheel to run all commands
%wheel ALL=(ALL) ALL
EOFF
```
Warning when using git as root
The following command makes it (intentionally) more difficult to use git as the root user: it defines a shell alias for git in root's .bashrc that only prints a reminder.

```shell
cat <<EOFF >> ~/.bashrc
alias git='printf "It looks like you are trying to run GIT as ROOT.\nFor jtel installations, GIT should always be run from the jtel user.\nIf you really want to run git as root, you will need to access it directly, using /usr/bin/git for example.\n"'
EOFF
source ~/.bashrc
```
Configure Chrony (NTP)
Chrony is the newer (and better) replacement for ntpd. It is configured in a similar way; however, the commands used to check synchronisation are slightly different.
For further information, check out this link: https://opensource.com/article/18/12/manage-ntp-chrony
Setup chronyd
The following commands modify the default chrony.conf to comment out the default pool and any configured servers, and replace them with the three (very reliable) time servers of the German PTB.

```shell
# Replace all existing servers
sed -i -e "s/^server /# server /" /etc/chrony.conf
# Replace pool setting
sed -i -e "s/^pool /# pool /" /etc/chrony.conf
# Add PTB Servers
cat << EOFF >> /etc/chrony.conf
# Servers to use
server ptbtime1.ptb.de iburst
server ptbtime2.ptb.de iburst
server ptbtime3.ptb.de iburst
EOFF
# Enable chronyd
systemctl enable chronyd
# Stop (just in case it was started), then start and get status
systemctl stop chronyd
systemctl start chronyd
systemctl status chronyd
```
Check chronyd
```shell
# Check the status of the service
systemctl status chronyd
# Check the sources it is using
chronyc sources
```
Remove Anacron, Install Cron
The jtel system requires that cron jobs run at a particular time, and jtel servers will usually run continuously. The anacron service (which is installed by default) may run a cron job later if the machine was powered off at the scheduled time. On a jtel system there is no point in doing this, and sometimes it can be destructive.

Therefore the anacron service is removed and replaced with the normal cron service.

```shell
dnf -y install cronie-noanacron
dnf -y remove cronie-anacron
```
Install Hypervisor Tools
The hypervisor tools improve integration with the hypervisor console for operations such as snapshots and starting, stopping and resetting the virtual machine. It is important that the correct tools for the hypervisor in use are installed.
Note: you will not need to and should not do this in most cloud environments!
Detect the Hypervisor
```shell
virt-what
```
VMWare
The tools are installed as follows:

```shell
dnf -y install open-vm-tools
```
Hyper-V
```shell
dnf -y install hyperv-daemons
```
Other Hypervisors
Consult the manufacturer for further details.
Hosts File
The jtel system uses aliases to reference the other machines in the installation. This removes all dependencies on cryptic host names and on customer DNS servers.

The hosts file must be provided on each system and should contain aliases pointing to the following machines (entries shown in red in the original table are not required; empty cells mean the alias is not used in that installation type).
Alias | Signifies | Single DB Installation | Master-Slave Installation | Redundant Master-Master Installation |
---|---|---|---|---|
acd-dbm | Database Master | The database machine. | The database master. | The Load Balancer Virtual Shared IP Address. |
acd-dbm1 | First Database Master | | | The first database master. |
acd-dbm2 | Second Database Master | | | The second database master. |
acd-dbs | Database Slave | The database machine. | The database slave. | The Load Balancer Virtual Shared IP Address. |
acd-dbs1 | First Database Slave | | | The first database slave. |
acd-dbs2 | Second Database Slave | | | The second database slave. |
acd-dbr | Reporting Database | The database machine. | The database slave. | The Load Balancer Virtual Shared IP Address. |
acd-lb | The Load Balancer | The Load Balancer | The Load Balancer | The Load Balancer Virtual Shared IP Address. |
acd-store | The File Storage | The Load Balancer | The Load Balancer | The Load Balancer Virtual Shared IP Address. |
acd-tel1 | The Telephony Machine(s) Numbered from 1 ... N | The Telephony Machine(s) Numbered from 1 ... N | The Telephony Machine(s) Numbered from 1 ... N | The Telephony Machine(s) Numbered from 1 ... N |
acd-jb1 | The Webserver Machine(s) Numbered from 1 ... N | The Webserver Machine(s) Numbered from 1 ... N | The Webserver Machine(s) Numbered from 1 ... N | The Webserver Machine(s) Numbered from 1 ... N |
The hosts file is located at /etc/hosts.
Example Hosts File Single DB
```
10.0.0.1   acd-lb
10.0.0.1   acd-store
10.0.0.11  acd-dbm
10.0.0.11  acd-dbs
10.0.0.11  acd-dbr
10.0.0.31  acd-tel1
10.0.0.41  acd-jb1
10.0.0.42  acd-jb2
```
Example Hosts File Master-Slave
```
10.0.0.1   acd-lb
10.0.0.1   acd-store
10.0.0.11  acd-dbm
10.0.0.21  acd-dbs
10.0.0.21  acd-dbr
10.0.0.31  acd-tel1
10.0.0.41  acd-jb1
10.0.0.42  acd-jb2
```
Example Hosts File Redundant
```
10.0.0.1   acd-dbm
10.0.0.1   acd-dbs
10.0.0.1   acd-dbr
10.0.0.1   acd-lb
10.0.0.1   acd-store
10.0.0.11  acd-dbm1
10.0.0.12  acd-dbm2
10.0.0.21  acd-dbs1
10.0.0.22  acd-dbs2
10.0.0.31  acd-tel1
10.0.0.32  acd-tel2
10.0.0.41  acd-jb1
10.0.0.42  acd-jb2
10.0.0.43  acd-jb3
10.0.0.44  acd-jb4
```
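Added example (not from the original page): a POSIX shell check that compares a hosts file against the alias table above and reports any required alias that is missing, so the file can be validated on every machine before a role is configured. The function names, the topology keywords (single, master-slave, redundant) and the constructed demo hosts file are assumptions of this example.

```shell
#!/bin/sh
# required_aliases TOPOLOGY
# Prints the aliases every host must resolve for the given installation type
# (single, master-slave, redundant), taken from the alias table above.
# Numbered machines (acd-tel1, acd-jb1) are checked for their first instance.
required_aliases() {
    case $1 in
        single|master-slave)
            echo "acd-dbm acd-dbs acd-dbr acd-lb acd-store acd-tel1 acd-jb1" ;;
        redundant)
            echo "acd-dbm acd-dbm1 acd-dbm2 acd-dbs acd-dbs1 acd-dbs2 acd-dbr acd-lb acd-store acd-tel1 acd-jb1" ;;
        *)  echo "unknown topology: $1" >&2; return 1 ;;
    esac
}

# check_hosts FILE TOPOLOGY
# Lists every required alias that has no entry in FILE (comment lines are
# ignored; aliases are matched as whole words, so acd-dbm does not satisfy
# acd-dbm1). Returns 0 when nothing is missing, 1 otherwise.
check_hosts() {
    file=$1
    missing=""
    for name in $(required_aliases "$2"); do
        if ! grep -v '^[[:space:]]*#' "$file" | grep -qw "$name"; then
            missing="$missing $name"
        fi
    done
    [ -z "$missing" ] && return 0
    echo "missing aliases:$missing" >&2
    return 1
}

# Constructed demo file: the master-slave example above with acd-store left out.
demo_hosts=$(mktemp)
cat > "$demo_hosts" <<'EOF'
127.0.0.1   localhost
10.0.0.1    acd-lb
10.0.0.11   acd-dbm
10.0.0.21   acd-dbs
10.0.0.21   acd-dbr
10.0.0.31   acd-tel1
10.0.0.41   acd-jb1
EOF

check_hosts "$demo_hosts" master-slave || echo "hosts file is incomplete"
```

On a real machine, run `check_hosts /etc/hosts redundant` (or the matching topology) and fix every alias it reports before continuing with the role configuration.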
Optional Steps
SSH Keys
SSH keys can be added to enable login to the jtel user with an SSH key.

```shell
mkdir -p /home/jtel/.ssh
cat << EOFF > /home/jtel/.ssh/authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEAgJWox9vkWssx24V6m+VB/9cfFUznUnVJqHeSnQFcE+ANzH+lgv90jQYXRf8XLSaKA4HZGO7SFUwLz7eNHk0lIS+TG+WKGrjl3GRvzNoYVAapeKUV7HjbeagQPNOCKTr6G8Vi/GVMyOx8XhJAgpr5gjyW9GdMdqnOS9uxd83BCh/UiAP9oVUbLiIIxbtmLAzyfJdjnbFP9sJXw96Vl040Fe4aoLofrkPyPu7cst6TPJx5myDhORG31nD/2iwUNLfv58m9ABMsePfhqzSp/Hi2XY/e5gikDh3xUxoBmL9fWwbiFb92AFW08rP1CtoCEtOe2nJkdtRzt0GiE+A+zgdDjw== support@jtel.de
ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEAuP5DEZDI6/CITTqk8qburqDuKNj6jnQ9Zbjz6BO+5P8MlrS8KT7y56u/PSqdO3OzD58D2JS0yNvM5RbBGYDUD1ng7VSJLFLfErbuCzJ/Q+BSRaee+7MhLWXdVSc/EY2B4qUcZGRL/NXHtAY/3KvSSU3wnhI4edLYMAzuxAhNEPRkmniq1CAuykDdHvm0kVQzaSShYDBQWIlbWIMG6jsCmMpZR7v+v6gKWeowQkM4T4XZ1f2K5zlQXd6FHGY8C/+XICefum2qgQtqgjfQMoqIQbnmfKDGIHPvkas287tdCbU4y1lTsJbTiT7INkd6QbiVUayVxVwwoV+G2F7WofN4nw== root@jtel.de
ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEArTi8N08gDz1CvDriZNALa1tHky/1+QNP0WU43dI7hkn2zH7fz9bXAs32z7dRjfgxaYXWPmClcDLDb0xwjGfMXK0HABPtp0bxh/58Y0QowBUJkcNi6hUphT+ArGkpjQb5CJcArnbLO727R8jJFgE1QpiWdehd5t3ec0wOL0NhnIE63S+DUm7+bQW6Z8Kmzl0+opGyoURLf8hxeAIUJwdeMFN7AIVPZlyuPobowwjGDXD9YpwXZ2oPtg6XISwW/O1fsetzmGkgD4gedxJxjc5x5ByZX98UsNJORrG5R5slLqQTJkJzGBLpH8kC9WLIEW0RduVR2mrQzOBRgA92i5ZUFw== lewis.graham@jtel.de
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC9W40vFohIPQsH6Q5Rfef7xiC4WRHOkMaMsUXxLCnTCDGI0PDib23NBUTevcnAc+OrCUITRmwngRbcItbR9QM1qNhzrwS8ZI00psZVVnBUwVVpX4UJtmX0CDrtVwH1yz51/WnZVeS17JqoMjVMB3p+n1CjViwh6qlRTI/9F/KfaOfiLEiHnvcnmSq67R7o5wP65TR00xqA20E569M1lcdn43xL2GylkwHuWw+XcusKqf+lnaawFWhdZUTOuF3ZB+ssuEbXSyZEGtc5/HNUG8rg9tutzAfq3fNWc5Y5pY+B048g4oDyAQpwMB7i9OwNNk1IEZA+rmqIImf7XLVKIsNn andrey.tsvetkov@jtel.de
ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEAkBiz9SsIXMO/a+7hCxNGQuQ4s/gqUZ6pyxDxjpDTD+bewxumyhn5aITbBSuHpx0n05JL4nGGdROii54ATildm3Uhi8JSljGy5uv97Sw8Kpy0eO314tOLU3NkAe2YOH1aUeArne4bYPebKBq0r1oln1Gu2+TFvCmMqu3FmleMv1xvw/waTwO57hSBPN83gOaJR7w6lOUp5HjYLSA0zRs1Os3g6ldQkHeGBknJ6jChqFXJHGl0KYzZGv3Q46fVTptS7NACxZs+ARUzJjbGjxnpHYK8rmSoTfoBS4qlN5+LxYKG341Hmq7cOsaISwUFbE/CbFOqUtjBviI1c7RLgtGnJQ== serge.djomo@jtel.de
ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEAuh3ZLgQo2e9Uv1vAQxxCGxe9D3u8DWh4egeteUAPj4b7tOxQ6to3zAlGytUR9R6sANL/CIP3nEA2d3r4km0FQWQ4QFCLTFjyXl0Kvsn1ahN8DljJ6mRlwtvN2r5mBIEy1ClGCh+Jvchzf4ZhXrWxOTYYO77O8wjj9Zbk0Y6wI2qBnE6TaxsRQ7Z61zTe80xfLPQLKjgQ/5Hdk0z0HAx3jEsZRo9CqMLb44UD+6jVCih1JPMFcnUu0uxRQdOHrg243tqAUmuqICWompZNO75v3HjIIXOebxVGBXugrYc2xR1q964/EE0ZR7JMWM+HJ47V8WJKkE126n9ZElCqNGIR+Q== heidi.mueller@jtel.de
ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEAilON3Cn1bZPBYtv67Bv63llD1KMTTH52/ioPLm+qYYDV80mSHSb+PHD9awXNKNv5iTecaQ/a56CkK0z+KI5zvJb3EiRZaRe70cIqdflHmTcasVPVk1hAma5xc5UOCr+dKokqMQGwpDRrDvdS3atflQznvlR8+qoxPjlKC4KDx0GOUeSOIPBO6DdYGPlFX6ohMVRE7p/vHIRAOfehmG1xFtfk+rGPmgiblPWWWklKYQUfMnHI0pqFJwrPW46nqdUlQwtknATZC2cuKe931zstFhuDsm218yS4hTTlcjw5i/DH7PFr9Y58BtY6ZTy8khwTUeMPpSxE7i2WYoqoJ7DXcw== sou@jtel.de
ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEA0czZLbpaxo/EY9iHDq9n6EWTALeYB7GVmp/mLwp66zeV4DbvTm+3FDUJSD9rqMJzJkAAEicFe+II/ZdIeZzG4JdYf66M/Y6k0w0Y8jJqDtsdgUf3OJ1hJ53Z+BwFqy1vD/a7N2hxlEKD2rzyAfVb+xzTzhJTjpX1kNiUxDMXRZs4ytW0CbOqZSpTJ3eT9NS9gH188KFTvHN8rPzDAxRKcexO2fSzNa7e+dYsfImOQoYlxFBX5YU74Ay9F5b7K95Cxe8EstvKNVmjkNWgnNWuS2d7eabepC1jv3z0FdOGiVoZ1SDgqKz8ysBa6Rzkt5L5peHYAKyH8TedeUk7kRIwZQ== dhia@jtel.de
EOFF
restorecon -R -v /home/jtel/.ssh
chown -R jtel:jtel /home/jtel/.ssh
chmod 0700 /home/jtel/.ssh
chmod 0644 /home/jtel/.ssh/authorized_keys
```

Note: login by SSH key only must be enabled separately (this is not discussed here). A word of caution: make sure you have recorded the root password before you do this, so that you can at least still access the machine via the console.
Proxy Server
If a proxy server is used, the following commands configure the proxy for root and for the jtel user. The top 5 lines should be modified. Note that the resulting proxy URL, including the password if one is set, is written in clear text to both .bashrc files.

CAUTION PASSWORD

```shell
PROXY_USERNAME=
PROXY_PASSWORD=
PROXY_SERVER=proxy.example.de
PROXY_PORT=3128
PROXY_EXCEPTIONS=.example.de,.local,10.

# Build the proxy URL from the settings above
if [ -n "$PROXY_USERNAME" ] && [ -n "$PROXY_PASSWORD" ]
then
    PROXY="http://$PROXY_USERNAME:$PROXY_PASSWORD@$PROXY_SERVER:$PROXY_PORT"
elif [ -n "$PROXY_USERNAME" ]
then
    PROXY="http://$PROXY_USERNAME@$PROXY_SERVER:$PROXY_PORT"
else
    PROXY="http://$PROXY_SERVER:$PROXY_PORT"
fi

# Root's profile (the heredoc is unquoted on purpose, so $PROXY is expanded now)
cat <<EOFF >> ~/.bashrc
export ALL_PROXY=$PROXY
export HTTP_PROXY=$PROXY
export HTTPS_PROXY=$PROXY
export FTP_PROXY=$PROXY
export RSYNC_PROXY=$PROXY
export http_proxy=$PROXY
export https_proxy=$PROXY
export ftp_proxy=$PROXY
export rsync_proxy=$PROXY
export NO_PROXY=$PROXY_EXCEPTIONS
EOFF

# The jtel user's profile
cat <<EOFF >> /home/jtel/.bashrc
export ALL_PROXY=$PROXY
export HTTP_PROXY=$PROXY
export HTTPS_PROXY=$PROXY
export FTP_PROXY=$PROXY
export RSYNC_PROXY=$PROXY
export http_proxy=$PROXY
export https_proxy=$PROXY
export ftp_proxy=$PROXY
export rsync_proxy=$PROXY
export NO_PROXY=$PROXY_EXCEPTIONS
EOFF

source ~/.bashrc
```