Centos 7

Recently I practised installing Centos 7 (1511) to be able to do it as flawlessly as possible on a new virtualization host. Here are some notes for people coming to Centos from other distributions and for people who are looking for solutions to some quirks in the installer.

Installation

Check installation media

Whichever install source you are using, check it before installing. It is extremely tiring to have to do things over because critical packages are corrupted (yes, that happens).
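Checking the media starts with the image file itself. The following is an added example, not code from the original post: it verifies an ISO against the sha256sum.txt that CentOS publishes next to its images. Paths are parameters so the check can be tried on any file, and the demo data at the bottom is constructed.

```sh
#!/bin/sh
# Added example, not from the original post: verify an installation image
# against a sha256sum.txt before burning or mounting it. Paths are
# parameters; the demo data at the bottom is constructed.
set -e

# sha256_of FILE: print the hex SHA-256 digest of FILE (coreutils sha256sum,
# falling back to perl's shasum where coreutils is not installed).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_iso ISO SUMFILE
# Looks up the basename of ISO in SUMFILE (lines of "<hex digest>  <name>",
# optionally "*<name>" for binary mode) and compares digests.
# Returns 0 on match, 1 on mismatch, 2 when the file has no entry.
verify_iso() {
    iso=$1
    sums=$2
    name=$(basename "$iso")
    expected=$(awk -v n="$name" '$2 == n || $2 == "*" n { print $1; exit }' "$sums")
    if [ -z "$expected" ]; then
        echo "no checksum entry for $name in $sums" >&2
        return 2
    fi
    actual=$(sha256_of "$iso")
    if [ "$actual" = "$expected" ]; then
        echo "OK: $name"
        return 0
    fi
    echo "MISMATCH: $name (expected $expected, got $actual)" >&2
    return 1
}

# Demo with a constructed "image": a small file and a matching sum list.
demo=$(mktemp -d)
printf 'constructed image contents\n' > "$demo/CentOS-7-sample.iso"
printf '%s  %s\n' "$(sha256_of "$demo/CentOS-7-sample.iso")" \
    CentOS-7-sample.iso > "$demo/sha256sum.txt"
verify_iso "$demo/CentOS-7-sample.iso" "$demo/sha256sum.txt"
rm -rf "$demo"
```

The digest list is only as trustworthy as its source: fetch sha256sum.txt over https from the CentOS mirror, and check the detached signature (sha256sum.txt.asc) with gpg --verify against the CentOS 7 signing key before relying on it. The written disc or stick still deserves the installer's own "Test this media" boot entry afterwards, since that checks the copy that will actually be read.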

UI: language selection

Whatever you select for the language in the first step, in my experience it will not change the keyboard layout. If you hover over the keyboard layout field (top right corner) your mouse cursor changes to a pointer symbol, but you cannot click the field (nothing happens). Just leave it at that; the keyboard/language settings here only affect the installer anyway.

UI: network before time

The first option is "Date & Time"; however, if you want to use NTP right away, you have to configure the network first.

UI: installation source

If you enter "Installation source" and try to leave it right away without making any changes, the system might prevent you from leaving claiming that "the url is empty" even though cdrom is selected as installation source. If that happens, just select the online installation radio button and then switch back to cdrom. It will then let you leave the menu.

Partitioning

Personally, I am coming from OpenSuSE (which has major flaws nowadays, especially when used as a server operating system), but it has a rather nice and very powerful partitioning tool. Sadly, the same cannot be said for Centos 7. I am aiming for a modern small server setup here, i.e.

  • two physical disks,
  • boot partition on raid1,
  • two swap partitions,
  • btrfs with raid1 for the root volume.

A more advanced setup might require raid 5 or raid 6 or even more exotic configurations, which are not supported by the UI. Also, support for these raid levels in btrfs is rather experimental at the time of writing.

Coming from OpenSuSE, the Centos partitioner never seems to do what one expects. It is therefore advisable to double- and triple-check everything. Creating the mirrored boot mountpoint is straightforward:

  1. Click the "+" sign.
  2. Select mount point "boot" and a suitable size (e.g. 1GiB; do not make it too small, or there may be problems holding multiple backup kernels and updating kernels - this is very annoying, and 1GiB usually does not hurt on a server).
  3. Now set the device type to "RAID," check that the raid level is "RAID1" and select the filesystem (personally I prefer ext4 over xfs, but then again xfs is/was probably "the" server filesystem - it does not really matter).
  4. If you have more than two disks, click the "Modify" button to select which disks should participate in the RAID configuration.

Nowadays I prefer btrfs over xfs for the system partition. Getting the partitioner to do the right thing here is tricky.

  1. Click the "+" sign.
  2. Select mount point "/" and a suitable size.
  3. Set the device type to "btrfs."
  4. Now click the "Modify" button (below "Device type"). Curiously, even though the raid level is "Single (No redundancy, no striping)," the partitioner still uses both disks, allocating half the selected space to each disk.
  5. Select raid level "RAID1."
  6. If you want a size different from the one entered in step 2, select "fixed size" and enter double the desired size.
  7. Also, check that both physical disks are used.

After completing the remaining tasks (like setting the desired security level), the installation can begin. During the installation, the root password can be set (for production systems, and for systems that could end up in production accidentally, I recommend a good random password).

Configuration

If you need to do this for a large number of hosts, I would recommend a configuration management tool like puppet. However, these tools need to be maintained too and if only one or two machines need to be set up, it is not worth it.

Many settings in Centos 7 can be accessed and modified like on RHEL 7. The RHEL documentation is therefore a good source of information, like this bit about setting the keyboard layout to keep you from going crazy.

To enable verbose booting (useful on servers), remove "quiet" from the kernel command line in /etc/sysconfig/grub, then call

grub2-mkconfig -o /boot/grub2/grub.cfg

You can also achieve this using grubby (manual here, general grub manual here).
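The edit itself is easy to get slightly wrong by hand (the word sits inside a quoted value, and "rhgb" hides the same messages behind a splash screen). The following is an added example, not code from the original post: it rewrites only the GRUB_CMDLINE_LINUX line of a GRUB defaults file. On CentOS 7 /etc/sysconfig/grub is a symlink to /etc/default/grub; the path is a parameter so the change can be rehearsed on a copy, and the demo file at the bottom is constructed.

```sh
#!/bin/sh
# Added example, not from the original post: remove "quiet" (and "rhgb", the
# graphical boot splash) from the kernel command line in a GRUB defaults file.
# The path is a parameter; the demo file at the bottom is constructed.
set -e

# strip_quiet_boot FILE: rewrite only the GRUB_CMDLINE_LINUX= line, dropping
# the whole words "quiet" and "rhgb" from its (quoted or unquoted) value.
# Other lines pass through untouched; running it twice changes nothing.
strip_quiet_boot() {
    file=$1
    tmp="$file.tmp.$$"
    awk '
    /^GRUB_CMDLINE_LINUX=/ {
        line = $0
        sub(/^GRUB_CMDLINE_LINUX="?/, "", line)   # strip key and opening quote
        sub(/"?[[:space:]]*$/, "", line)          # strip closing quote
        n = split(line, w, /[[:space:]]+/)
        out = ""
        for (i = 1; i <= n; i++) {
            if (w[i] == "quiet" || w[i] == "rhgb" || w[i] == "") continue
            out = (out == "" ? w[i] : (out " " w[i]))
        }
        print "GRUB_CMDLINE_LINUX=\"" out "\""
        next
    }
    { print }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# grub_cmdline FILE: print the current GRUB_CMDLINE_LINUX value without quotes.
grub_cmdline() {
    awk '/^GRUB_CMDLINE_LINUX=/ {
        line = $0
        sub(/^GRUB_CMDLINE_LINUX="?/, "", line)
        sub(/"?[[:space:]]*$/, "", line)
        print line
        exit
    }' "$1"
}

# Demo on a constructed copy. On the real host, run strip_quiet_boot against
# /etc/default/grub and then regenerate the menu:
#   grub2-mkconfig -o /boot/grub2/grub.cfg           (BIOS boot)
#   grub2-mkconfig -o /boot/efi/EFI/centos/grub.cfg  (UEFI boot)
# grubby edits the installed entries directly instead:
#   grubby --update-kernel=ALL --remove-args=quiet
demo=$(mktemp)
printf '%s\n' 'GRUB_TIMEOUT=5' \
    'GRUB_CMDLINE_LINUX="crashkernel=auto rd.lvm.lv=centos/root rhgb quiet"' > "$demo"
strip_quiet_boot "$demo"
echo "kernel command line is now: $(grub_cmdline "$demo")"
rm -f "$demo"
```

The UEFI path matters: grub2-mkconfig writes wherever -o points, so on a UEFI install writing to /boot/grub2/grub.cfg silently changes nothing for the next boot.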

Updating

Centos uses the yellowdog updater, modified (yum). Usually, after installing (especially from dvd) there are tons of important updates which should be installed before any serious work is done on the server. Of course, updates still need to be installed regularly as well. Assuming the network is properly configured (such that "the internet" is reachable), to find updates execute

yum update

You should be asked to confirm the Centos software signing key. Centos is one of the few distributions which has an easily-accessible, central page with all its signing keys in large, friendly letters. And it is using https. If you value the security of your system, compare the fingerprints and check the website's certificate.

QoL improvements

If you have not configured the network during installation and selected the "minimal install" or any other variant that does not include "ifconfig", you will probably have to configure your network using the "ip" command (which nobody ever does because it is somewhat complicated). If you want to use commands like "wget," "ifconfig" or "route," execute

yum install epel-release
yum install wget net-tools yum-utils screen htop bind-utils

Firewall

Centos 7 moved from a pretty basic iptables-firewall to firewalld. This firewall allows runtime-configuration changes without breaking existing connections and other advanced stuff. Really, we are all lazy but sometimes change is good. The firewalld manual is here.

Some useful commands:

firewall-cmd --set-default-zone public
firewall-cmd --list-all-zones
firewall-cmd --list-all
firewall-cmd --get-active-zones

Set the zone for an interface in its ifcfg file:

/etc/sysconfig/network-scripts/ifcfg-<interface>: ZONE=public

Panic mode on/off:

firewall-cmd --panic-on
firewall-cmd --panic-off

Remove a service from a zone:

firewall-cmd --zone=public --remove-service=dhcpv6-client --permanent
firewall-cmd --zone=public --remove-service=ssh --permanent

Add a service:

firewall-cmd --reload
firewall-cmd --zone=public --add-service=myservice --permanent
firewall-cmd --get-services

Allow a service only from a certain source host or network:

firewall-cmd --add-rich-rule='rule family="ipv4" source address="192.168.1.1" service name="sunstone" accept' --permanent

Service definition files are stored in /usr/lib/firewalld/services/. A service might look like this:

<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>Sunstone</short>
  <description>Opennebula Sunstone Web Server</description>
  <port protocol="tcp" port="9869"/>
</service>

It would be saved in /usr/lib/firewalld/services/sunstone.xml.
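Writing such a file by hand invites small mistakes (a port outside the valid range, an ampersand in the description) that firewalld only reports at reload time. The following is an added example, not code from the original post: it generates a service definition like the sunstone.xml above from validated inputs. Local definitions belong in /etc/firewalld/services/, which takes precedence over /usr/lib/firewalld/services/ and survives package updates; the directory is a parameter here so the function can be tried on a scratch directory first, and the demo input at the bottom is constructed.

```sh
#!/bin/sh
# Added example, not from the original post: generate a firewalld service
# definition from validated inputs. The target directory is a parameter;
# the demo input at the bottom is constructed.
set -e

# xml_escape STRING: escape the five XML special characters.
xml_escape() {
    printf '%s' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g' \
                           -e 's/"/\&quot;/g' -e "s/'/\&apos;/g"
}

# write_firewalld_service DIR NAME SHORT DESCRIPTION PROTO PORT[-PORT]
# Writes DIR/NAME.xml and prints its path; returns 1 on invalid input
# without touching the filesystem.
write_firewalld_service() {
    dir=$1; name=$2; short=$3; desc=$4; proto=$5; port=$6
    case $name in
        ''|*[!A-Za-z0-9_-]*) echo "invalid service name: '$name'" >&2; return 1 ;;
    esac
    case $proto in
        tcp|udp|sctp|dccp) ;;
        *) echo "invalid protocol: '$proto'" >&2; return 1 ;;
    esac
    # a single port or an ascending range, every number within 1-65535
    case $port in
        ''|-*|*-|*-*-*|*[!0-9-]*) echo "invalid port: '$port'" >&2; return 1 ;;
    esac
    lo=${port%%-*}; hi=${port##*-}
    if [ "$lo" -lt 1 ] || [ "$hi" -gt 65535 ] || [ "$lo" -gt "$hi" ]; then
        echo "port out of range: '$port'" >&2; return 1
    fi
    out="$dir/$name.xml"
    {
        printf '<?xml version="1.0" encoding="utf-8"?>\n'
        printf '<service>\n'
        printf '  <short>%s</short>\n' "$(xml_escape "$short")"
        printf '  <description>%s</description>\n' "$(xml_escape "$desc")"
        printf '  <port protocol="%s" port="%s"/>\n' "$proto" "$port"
        printf '</service>\n'
    } > "$out"
    echo "$out"
}

# Demo into a scratch directory (constructed input). On the real host write
# to /etc/firewalld/services/, then make firewalld read the new file and
# open the service in a zone:
#   firewall-cmd --reload
#   firewall-cmd --zone=public --add-service=sunstone --permanent
#   firewall-cmd --reload
demo=$(mktemp -d)
write_firewalld_service "$demo" sunstone Sunstone 'Opennebula Sunstone Web Server' tcp 9869
cat "$demo/sunstone.xml"
rm -rf "$demo"
```

Note the two reloads: the first makes firewalld read the new definition so that --add-service accepts the name, and the second applies the --permanent change to the running configuration.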

If you set up a container system like Docker or OpenVZ, it might still use the old iptables-based service. You can switch to firewalld by running

systemctl disable iptables
systemctl enable firewalld
systemctl stop iptables
systemctl start firewalld

Then check the state of the services using

systemctl status iptables
systemctl status firewalld
firewall-cmd --state
iptables-save

Firewalld itself manipulates iptables rules, so iptables-save will still produce output. That output should differ from what is in your iptables config file. Do not run both the iptables service and firewalld simultaneously.

SSH

The usual protections should be employed when using SSH:

  • Disable password authentication for root. Add PermitRootLogin no to /etc/ssh/sshd_config.
  • Use strong passwords and usernames.
  • If possible, make ssh only accessible via a VPN.
  • Use public key authentication.
  • If you really need to have your ssh port accessible directly from the internet, consider moving it to a nonstandard port which is not part of quick portscans and use firewall rules to restrict connection sources.
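The following is an added example, not code from the original post: it applies the sshd_config settings from the list above idempotently and reads them back. Two details of sshd matter for the editor: global directives must precede any "Match" block, and sshd honours the first occurrence of a directive, so the function rewrites the first (even commented-out) occurrence before the first Match line, or inserts the directive there, and leaves Match blocks alone. The path is a parameter so the edit can be rehearsed on a copy, and the demo file at the bottom is constructed. Note that PermitRootLogin no blocks root logins of every kind; without-password (the spelling in CentOS 7's OpenSSH 6.6) keeps key-based root logins and blocks only password ones.

```sh
#!/bin/sh
# Added example, not from the original post: apply the sshd settings listed
# above to an sshd_config idempotently. The path is a parameter; the demo
# file at the bottom is constructed.
set -e

# set_sshd_option FILE KEY VALUE
# Replaces the first global occurrence of KEY (commented-out counts, as in
# the stock file's "#PermitRootLogin yes"), drops later global duplicates,
# or inserts "KEY VALUE" before the first Match block / at the end.
set_sshd_option() {
    file=$1; key=$2; value=$3
    tmp="$file.tmp.$$"
    awk -v key="$key" -v value="$value" '
    function emit() { if (!done) { print key " " value; done = 1 } }
    /^[[:space:]]*[Mm][Aa][Tt][Cc][Hh][[:space:]]/ { emit(); in_match = 1 }
    !in_match {
        line = $0
        sub(/^[[:space:]]*#?[[:space:]]*/, "", line)   # "#Key" counts as Key
        split(line, f, /[[:space:]]+/)
        if (tolower(f[1]) == tolower(key)) { emit(); next }
    }
    { print }
    END { emit() }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# sshd_option FILE KEY: print the effective global value (first active
# occurrence before any Match block), or nothing if it is unset.
sshd_option() {
    awk -v key="$2" '
    /^[[:space:]]*[Mm][Aa][Tt][Cc][Hh][[:space:]]/ { exit }
    /^[[:space:]]*#/ || NF == 0 { next }
    tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# harden_sshd FILE [PORT]: the settings recommended above, with an optional
# non-default port.
harden_sshd() {
    cfg=$1; sshport=${2:-22}
    set_sshd_option "$cfg" PermitRootLogin no
    set_sshd_option "$cfg" PasswordAuthentication no
    set_sshd_option "$cfg" PubkeyAuthentication yes
    set_sshd_option "$cfg" Port "$sshport"
}

# Demo on a constructed copy. On the real host: install your public key
# first (PasswordAuthentication no locks you out otherwise), run harden_sshd
# against /etc/ssh/sshd_config, check it with "sshd -t", and only then
# "systemctl restart sshd". A non-default port also needs
#   semanage port -a -t ssh_port_t -p tcp PORT   (SELinux)
#   firewall-cmd --add-port=PORT/tcp --permanent && firewall-cmd --reload
demo=$(mktemp)
printf '%s\n' '#PermitRootLogin yes' 'PasswordAuthentication yes' \
    'Match User backup' '    PasswordAuthentication yes' > "$demo"
harden_sshd "$demo" 2222
cat "$demo"
rm -f "$demo"
```

Keep the current session open while restarting sshd and test a fresh login from a second terminal; if the new configuration rejects you, the old session is still there to revert it.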

You just set up your new server - make a copy of the host key fingerprints! It is just stupid to rely on TOFU for authentication if it is not necessary. But how *wail*? Well, lazypants, here it goes:

cd /etc/ssh
for i in *_key; do ssh-keygen -l -f "$i"; done

Virtualization

Since the server is intended as a virtualization host based on kvm, several additional packages need to be installed. I would strongly recommend using the virtualization packages from the qemu-ev-repo, which contains qemu-kvm-ev.

yum install centos-release-qemu-ev
yum install qemu-kvm-ev libvirt


Last edited on 2015-05-08.

© 2010-2015 Stefan Birgmeier
birki@21er.org