[Systems] CentOS 7 server

Discussion in 'The Common Room' started by Elf, Sep 5, 2015.

  1. Elf

    Elf Immortal Staff Member

    Likes Received:
    Clark County, WA
    Here is a guide for how I configure CentOS 7 server installations. I am making a set of new Virtual Machines and thought it would be a good time to document it. I will assume a hypervisor setup where you are provisioning this as a VM and have the ability to create multiple virtual hard drives.

    This is really more for my own reference than anything. However, someone else may find it useful.

    Install from media
    1. Create a VM of the desired specifications with a 40GB system drive -- other drives for other partitions can be created and mounted later
    2. Utilize the CentOS 7 DVD ISO installation media and boot to the installer
    3. System -> Installation Destination
      1. Accept the automatic partitioning (Click 'Done')
    4. System -> Network and Host Name
      1. Leave hostname as the default ("localhost.localdomain")
      2. Click 'Configure...' under Ethernet (eth0)
        1. Navigate to IPv4 settings
        2. Method: Manual
        3. Add an IPv4 address / netmask / gateway
        4. Add DNS servers as comma separated values (I often use OpenDNS: ',')
        5. Add the relevant search domain
        6. Save
      3. Click the 'On/Off' button next to Ethernet
      4. Click 'Done'
    5. Localization -> Date & Time
      1. Region: Etc
      2. City: Coordinated Universal Time
      3. Network time: On
      4. Click the gear icon next to Network Time to ensure that NTP servers are configured and working
      5. Click 'Done'
    6. Leave the rest of the defaults
      1. Installation Source: Local media
      2. Software Selection: Minimal Install
    7. Click 'Begin Installation'
    8. Click User Settings -> Root Password, and set the root user's password
      1. Utilize a randomly generated 20 character password containing upper case, lower case, digits, and symbols
    9. If the server will be a standalone server (e.g. no LDAP / AD authentication), utilize User Settings -> User Creation, and add your local user
      1. Select 'Make this user administrator' to allow sudo access
    Post-install setup
    After finishing with the installer, further steps will be necessary to bring the system to a usable state. Some of these are basic patching and updating steps, and some are workarounds for the idiosyncrasies of a SystemD based distribution. Further thoughts on SystemD components are below.

    Packages and services
    1. Log in to the root user
    2. Perform the following to update system base RPMs and install some core utilities:
      yum -y update
      yum -y install zsh.x86_64 rsyslog.x86_64 policycoreutils-python.x86_64 epel-release.noarch
    3. Disable avahi and the horrid NetworkManager (avahi-daemon may or may not be enabled by default depending on the release version, so ignore errors):
      systemctl disable NetworkManager
      systemctl disable avahi-daemon
    4. Turn on old style networking and syslog:
      systemctl enable network rsyslog
    1. Establish /etc/sysconfig/network:
      IPV6_DEFAULTGW=[v6 gateway]
    • Set /etc/hostname, e.g.: echo [hostname] > /etc/hostname
    • Establish /etc/sysconfig/network-scripts/ifcfg-eth0:
      IPADDR=[IPv4 host address]
      NETMASK=[IPv4 netmask]
      NETWORK=[IPv4 network address]
      GATEWAY=[IPv4 gateway]
      IPV6ADDR=[IPv6 address]
    1. Edit /etc/ssh/sshd_config to increase SSH security (vi /etc/ssh/sshd_config)
      1. Select a non-standard SSH port and uncomment/change the Port line, e.g.: Port 4422
      2. Uncomment/change the PermitRootLogin line to disable root logins, e.g.: PermitRootLogin No
      3. Save the file and exit the editor
    2. Use semanage to allow SSHd (via SELinux) to bind to the non-standard port, e.g. semanage port -a -t ssh_port_t -p tcp 4422
    3. Add a FirewallD service for the new SSH port in /etc/firewalld/services/hissh.xml, e.g.:
      <?xml version="1.0" encoding="utf-8"?>
        <port protocol="tcp" port="4422"/>
    1. Set the default firewall zone: firewall-cmd --set-default-zone=public
    2. Place eth0 in the public zone: firewall-cmd --permanent --zone=public --change-interface=eth0
    3. Remove out of the box allowed services: firewall-cmd --permanent --remove-service=ssh --remove-service=dhcpv6-client
    4. Allow your management subnets (e.g., to contact SSH:
      firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="" service name="hissh" accept'
      firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="" service name="hissh" accept'
    CentOS 7 changes
    There are three major new components in CentOS 7: NetworkManager, firewalld, and systemd. There are also some miscellaneous changes such as in device naming for Ethernet ports and the removal of the deprecated ifconfig utility (replaced by ip).

    NetworkManager is almost completely useless. It doesn’t support much more than static addresses or DHCP on an Ethernet interface, and even these are kind of slow to come up sometimes and a pain to configure. No good support for even mildly off-the-path networking (link aggs, bridges, loopbacks). Despite being the out-of-the-box default way of doing networking in RHEL/CentOS 7 and part of the SystemD ecosystem, it seems that it was only built with desktops and laptops in mind. Thankfully the legacy networking method (/etc/sysconfig/network-scripts) is still available and can be re-enabled by disabling the NetworkManager service (systemctl disable NetworkManager) and enabling the network service (systemctl enable network). Alternatively it can be disabled/enabled completely on a per-interface basis by using the NM_CONTROLLED variable in the relevant ifcfg configuration file.

    Verdict on NetworkManager: disable it completely.

    FirewallD is a bit different and has some desktop-y features that it could do without (e.g. placing interfaces in zones). However, it is actually fairly easy to work with and simplifies the configuration of iptables if you don’t need complex rules (just want to enable/disable certain service ports). Past that you can also insert direct rules, although you have to play around a bit to order them, or use its native syntax, but it isn’t really lending you much over just using the old iptables file. However, it is part of the whole SystemD universe and it’s likely the old firewall scripts (while still available) will be deprecated soon.

    Verdict on firewalld: live with it.

    The base SystemD is actually not too bad to deal with and does give some nice extra info on running processes. Creating new service entries is less work than creating old init scripts. There are a lot of general concerns about feature bloat and the direction of the project, but unfortunately there aren’t any serious alternative options if you want to use a modern stable/enterprise Linux distribution. Notably besides replacing SysV Init functionality, the SystemD project also has tentacles into the system console, networking (networkd/networkmanager, firewalld, aspires to replace DHCPd), NTP (aspires to replace standalone NTP daemon), and logging (journald/no more syslog). It also comes with a slew of dependencies you wouldn’t otherwise normally need.

    To get system logs back into traditional text syslog format you need to run a local syslog daemon (e.g. rsyslog).

    Verdict on SystemD: install rsyslog and live with it.
    Last edited: Sep 24, 2015
  2. Elf

    Elf Immortal Staff Member

    Likes Received:
    Clark County, WA
    Active Directory Authentication
    CentOS 7 can be joined up to a Windows Active Directory domain for centralized authentication and authorization by using the 'winbind' component of Samba and Kerberos.

    For the purposes of this example, I will build on the base install procedure above. Also I will use the sample Active Directory parameters below:
    • AD Domain: example.corp.com
    • AD Domain NetBIOS name: EXAMPLE
    • Domain Administrator user: Administrator
    • Domain controllers (in the same site as the CentOS server)
      • dc-1.example.corp.com /
      • dc-2.example.corp.com /
    • CentOS server name: loonix-1.example.corp.com
    • Group of users allowed to log in: loonix-1 login
    The hostname (in /etc/hostname and /etc/sysconfig/network) should be set to the fully qualified AD domain name as per the above (loonix-1.example.corp.com), to successfully register the server in AD.

    A set of packages will need to be installed to facilitate the AD domain join and authentication:
    yum -y install samba-winbind.x86_64 samba-winbind-clients.x86_64 pam_krb5.x86_64 nscd.x86_64 oddjob.x86_64 oddjob-mkhomedir.x86_64
    Modify /etc/resolv.conf and change the search domain to your AD domain. You may also wish to set your nameservers to the AD DCs if the domain is not Internet DNS resolvable. For example:
    search example.corp.com
    Setting up the Kerberos, Samba, and basic PAM configurations will be done via the RHEL authconfig tool. Ignore errors regarding DNS updates or starting winbind.

    authconfig --enablecache \
      --enablekrb5 \
      --krb5kdc=dc-1.example.corp.com,dc-2.example.corp.com \
      --krb5adminserver=dc-1.example.corp.com,dc-2.example.corp.com \
      --krb5realm=EXAMPLE.CORP.COM \
      --enablewinbind --enablewinbindauth --enablewinbindusedefaultdomain \
      --smbsecurity=ads --smbrealm=EXAMPLE.CORP.COM \
      --smbservers=dc-1.example.corp.com,dc-2.example.corp.com \
      --smbworkgroup=EXAMPLE \
      --winbindtemplatehomedir=/home/%U \
      --winbindtemplateshell=/bin/zsh \
      --enablemkhomedir \
    Look for uses of pam_mkhomedir.so in /etc/pam.d scripts (grep pam_mkhomedir /etc/pam.d/*). Use a text editor and replace any of these occurrences with pam_oddjob_mkhomedir.so and remove the umask parameter (Oddjob's mkhomedir is configured in /etc/oddjobd.conf.d/oddjobd-mkhomedir.conf). For example:
    • Before:
      session     optional      pam_mkhomedir.so umask=0077
    • After:
      session     optional      pam_oddjob_mkhomedir.so
    Domain Join
    1. Test domain controller lookup. This should return familiar, favorable results about one of your domain controllers. If not, check network connectivity or your authconfig settings.
      net ads lookup dc
    2. Join the domain using Domain Administrator credentials:
      net ads join -U Administrator
    3. Enable winbind:
      systemctl enable winbind
      systemctl start winbind
    4. Check the domain join: net ads info
    5. Show AD user/group info: wbinfo -ug
    6. Reboot the server and attempt to log in using a domain user
    1. Enable users in the Domain Admins and Enterprise Admins groups to use sudo
      1. Execute visudo to edit the sudoers file
      2. Add the following lines:
        User_Alias WINADMINS = %Domain\ Admins, %Enterprise\ Admins
      1. Save the file and exit the editor
    2. Restrict the domain users allowed to log in to the machine
      1. In Windows
        1. Create the loonix-1 login group in Active Directory (Active Directory Administrative Center or Active Directory Users and Computers).
        2. Add the users allowed to log in to the machine to the loonix-1 login group
        3. Use Powershell to locate the SID of the group created:
          $g = New-Object System.Security.Principal.NTAccount("loonix-1 login")
          For example, the SID here may be S-1-5-21-2363080627-1058686939-1320131010-1607
    3. On the CentOS server
      1. Locate all PAM authentication system files containing pam_krb5.so auth lines (e.g. grep -e "auth.*pam_krb5" /etc/pam.d/*)
      2. Edit each of these files
        1. Change pam_krb5.so to optional, and then add a sufficient pam_winbind.so entry to restrict to the specified group, above the pam_deny.so line. For example, from /etc/pam.d/system-auth:
          auth        required      pam_env.so
          auth        sufficient    pam_unix.so nullok try_first_pass
          auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
          auth        optional      pam_krb5.so use_first_pass
          auth        sufficient    pam_winbind.so use_first_pass require_membership_of=S-1-5-21-2363080627-1058686939-1320131010-1607
          auth        required      pam_deny.so
    Last edited: Sep 23, 2015