Recently I practised installing Centos 7 (1511) so that I could do it as flawlessly as possible on a new virtualization host. Here are some notes for people coming to Centos from other distributions and for people looking for solutions to some quirks in the installer.
Whichever install source you are using, check it before installing. It is extremely tiring to have to do things over because critical packages are corrupted (yes, that happens).
Whatever you select for the language in the first step, in my experience it will not change the keyboard layout. If you hover over the keyboard layout (top right corner), your mouse cursor changes to a pointer symbol, but you cannot click the field (nothing happens). Just leave it; the keyboard/language settings here only apply to the installer anyway.
The first option is "Date & Time"; however, if you want to use NTP right away, you have to configure the network first.
If you enter "Installation source" and try to leave it right away without making any changes, the installer might prevent you from leaving, claiming that "the url is empty" even though the CD-ROM is selected as the installation source. If that happens, just select the online installation radio button and then switch back to CD-ROM. It will then let you leave the menu.
Personally, I am coming from OpenSuSE (which has major flaws nowadays, especially when used as a server operating system), but it has a rather nice and very powerful partitioning tool. Sadly, the same cannot be said for Centos 7. I am aiming for a modern small server setup here, i.e.
A more advanced setup might require RAID 5, RAID 6 or even more exotic configurations, which are not supported by the UI. Also, support for these RAID levels in btrfs is rather experimental at the time of writing.
Coming from OpenSuSE, the Centos partitioner never seems to do what one expects. It is therefore advisable to double- and triple-check everything. Creating the mirrored boot mountpoint is straightforward:
Nowadays I prefer btrfs over xfs for the system partition. Getting the partitioner to do the right thing here is tricky.
After completing the remaining tasks (like setting the desired security level), the installation can begin. During the installation, the root password can be set (for production systems, and for systems that might accidentally end up in production, I recommend a good random password).
If you need to do this for a large number of hosts, I would recommend a configuration management tool like Puppet. However, these tools need to be maintained too, and if only one or two machines need to be set up, it is not worth it.
Many settings in Centos 7 can be accessed and modified as on RHEL 7. The RHEL documentation is therefore a good source of information, like this bit about setting the keyboard layout, which will keep you from going crazy.
To enable verbose booting (useful on servers), remove "quiet" in /etc/sysconfig/grub, then call
grub2-mkconfig -o /boot/grub2/grub.cfg
You can also achieve this using grubby (manual here, general grub manual here).
Centos uses the Yellowdog Updater, Modified (yum). Usually, after installing (especially from DVD) there are tons of important updates which should be installed before any serious work is done on the server. Of course, updates still need to be installed regularly afterwards as well. Assuming the network is properly configured (such that "the internet" is reachable), to find and install updates execute
yum update
You should be asked to confirm the Centos software signing key. Centos is one of the few distributions with an easily accessible, central page listing all its signing keys in large, friendly letters, and it is served over https. If you value the security of your system, compare the fingerprints and check the website's certificate.
If you have not configured the network during installation and selected the "minimal install" or any other variant that does not include "ifconfig", you will probably have to configure your network using the "ip" command (which nobody ever does because it is somewhat complicated). If you want to use commands like "wget", "ifconfig" or "route", execute
yum install epel-release
yum install wget net-tools yum-utils screen htop bind-utils
Centos 7 moved from a pretty basic iptables firewall to firewalld. This firewall allows runtime configuration changes without breaking existing connections, among other advanced features. Really, we are all lazy, but sometimes change is good. The firewalld manual is here.
Some useful commands:
firewall-cmd --set-default-zone public
firewall-cmd --list-all-zones
firewall-cmd --list-all
firewall-cmd --get-active-zones
Bind an interface to a zone (in its ifcfg file):
/etc/sysconfig/network-scripts/ifcfg-<interface>: ZONE=public
Panic mode on/off:
firewall-cmd --panic-on
firewall-cmd --panic-off
Remove a service from a zone (changes made with --permanent are written to the configuration but only take effect after a reload; removing ssh from the zone of the interface you are logged in through will lock you out):
firewall-cmd --zone=public --remove-service=dhcpv6-client --permanent
firewall-cmd --zone=public --remove-service=ssh --permanent
firewall-cmd --reload
Add a service (the name must match a service definition, see below; --get-services lists the available ones):
firewall-cmd --get-services
firewall-cmd --zone=public --add-service=myservice --permanent
firewall-cmd --reload
Allow a service only from a certain source host or network:
firewall-cmd --add-rich-rule='rule family="ipv4" source address="192.168.1.1" service name="sunstone" accept' --permanent
Service definition files are stored in /usr/lib/firewalld/services/. A service might look like this:
<?xml version="1.0" encoding="utf-8"?>
<service>
<short>Sunstone</short>
<description>Opennebula Sunstone Web Server</description>
<port protocol="tcp" port="9869"/>
</service>
It would be saved in /usr/lib/firewalld/services/sunstone.xml.
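As an added example (not code from the original post or from the firewalld project), the following Python script builds and sanity-checks a service definition in exactly the layout shown above, using the Sunstone file from the post as sample input. The function names are my own, and the destination directory /etc/firewalld/services/ used in the comments is my choice for locally added definitions (the post stores its file in /usr/lib/firewalld/services/); after writing a definition you still need firewall-cmd --reload before it can be added to a zone.

```python
"""Build and sanity-check firewalld service definition files.

Added example, not part of the original post. It reproduces the XML layout
shown in the post (<short>, <description> and one <port/> element per port)
and validates port specifications before a file is written, so that a typo
does not silently open the wrong port once firewalld reloads.
"""
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape, quoteattr

# Protocols firewalld accepts in a <port/> element.
VALID_PROTOCOLS = {"tcp", "udp", "sctp", "dccp"}

# The Sunstone definition from the post, copied here as constructed sample input.
SUNSTONE_XML = """<?xml version="1.0" encoding="utf-8"?>
<service>
<short>Sunstone</short>
<description>Opennebula Sunstone Web Server</description>
<port protocol="tcp" port="9869"/>
</service>
"""


def check_port_spec(protocol, port):
    """Raise ValueError unless protocol and port ("9869" or "9860-9869") are sane."""
    if protocol not in VALID_PROTOCOLS:
        raise ValueError("unknown protocol %r" % protocol)
    bounds = port.split("-")
    if len(bounds) > 2 or not all(b.isdigit() for b in bounds):
        raise ValueError("malformed port specification %r" % port)
    numbers = [int(b) for b in bounds]
    if any(not 1 <= n <= 65535 for n in numbers):
        raise ValueError("port out of range in %r" % port)
    if len(numbers) == 2 and numbers[0] >= numbers[1]:
        raise ValueError("empty or reversed port range %r" % port)


def build_service_xml(short, description, ports):
    """Return the XML text for a service; ports is a list of (protocol, port) tuples."""
    for protocol, port in ports:
        check_port_spec(protocol, port)
    lines = [
        '<?xml version="1.0" encoding="utf-8"?>',
        "<service>",
        "<short>%s</short>" % escape(short),
        "<description>%s</description>" % escape(description),
    ]
    for protocol, port in ports:
        # quoteattr() adds the surrounding quotes and escapes special characters.
        lines.append("<port protocol=%s port=%s/>" % (quoteattr(protocol), quoteattr(port)))
    lines.append("</service>")
    return "\n".join(lines) + "\n"


def parse_service_xml(text):
    """Parse a service definition into a dict and validate every <port/> it declares."""
    root = ET.fromstring(text.encode("utf-8"))
    if root.tag != "service":
        raise ValueError("root element is <%s>, expected <service>" % root.tag)
    ports = [(p.get("protocol", ""), p.get("port", "")) for p in root.findall("port")]
    for protocol, port in ports:
        check_port_spec(protocol, port)
    return {
        "short": root.findtext("short", default=""),
        "description": root.findtext("description", default=""),
        "ports": ports,
    }


def write_service_file(directory, name, text):
    """Write <name>.xml into directory (e.g. /etc/firewalld/services, my assumption)
    only after the text has been parsed and validated once more."""
    parse_service_xml(text)
    path = "%s/%s.xml" % (directory.rstrip("/"), name)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(text)
    return path


if __name__ == "__main__":
    print(parse_service_xml(SUNSTONE_XML))
    print(build_service_xml("Sunstone", "Opennebula Sunstone Web Server", [("tcp", "9869")]), end="")
```

Running the script parses the post's Sunstone definition and regenerates it byte for byte from its fields; feeding it a protocol firewalld does not know or a reversed range such as 9869-9860 raises a ValueError instead of producing a file that firewalld would reject or misread.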
If you set up a container platform like Docker or OpenVZ, it might still use the old iptables service. You can switch to firewalld by running
systemctl disable iptables
systemctl enable firewalld
systemctl stop iptables
systemctl start firewalld
Then check the state of the services using
systemctl status iptables
systemctl status firewalld
firewall-cmd --state
iptables-save
Firewalld itself manages the iptables rules, so iptables-save will still produce output. It should differ from what is in your iptables config file. Do not run both the iptables service and firewalld at the same time.
The usual protections should be employed when using SSH, for example
PermitRootLogin no
in /etc/ssh/sshd_config. You just set up your new server, so make a copy of the host key fingerprints! It is just stupid to rely on TOFU (trust on first use) for authentication if it is not necessary. But how *wail*? Well, lazypants, here it goes:
cd /etc/ssh
for i in *_key; do ssh-keygen -l -f $i; done
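As an added example (not code from the original post or from OpenSSH), the following Python script computes the same fingerprints that ssh-keygen -l prints, from the public key line in a /etc/ssh/ssh_host_*_key.pub file, and turns the key into a known_hosts entry that can be handed to clients so the first connection is verified instead of trusted. The fingerprint is the hash of the base64-decoded public key blob; the function names are my own, the sample key is constructed in the script and is not a real host key, and the host names are placeholders.

```python
"""Compute OpenSSH host key fingerprints and known_hosts entries.

Added example, not part of the original post. It reproduces what
"ssh-keygen -l" prints (SHA256 and MD5 forms) from a public key line so the
values can be recorded at install time and compared on the first client
connection. The sample key below is constructed and is NOT a real key.
"""
import base64
import hashlib
import struct


def ssh_string(data):
    """Encode bytes as an SSH wire-format string (4-byte big-endian length + data)."""
    return struct.pack(">I", len(data)) + data


def read_ssh_string(blob, offset):
    """Decode one SSH wire-format string at offset; return (data, next_offset)."""
    if offset + 4 > len(blob):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start = offset + 4
    if start + length > len(blob):
        raise ValueError("truncated key blob")
    return blob[start:start + length], start + length


def decode_pubkey_line(line):
    """Split 'type base64 [comment]' and check that the type inside the blob matches."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("not a public key line")
    keytype, b64 = fields[0], fields[1]
    blob = base64.b64decode(b64, validate=True)
    inner_type, _ = read_ssh_string(blob, 0)
    if inner_type.decode("ascii", "replace") != keytype:
        raise ValueError("declared type %r does not match blob type %r" % (keytype, inner_type))
    return keytype, blob


def fingerprint_sha256(line):
    """SHA256:<base64 without padding>, the default form printed by ssh-keygen -l."""
    _, blob = decode_pubkey_line(line)
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def fingerprint_md5(line):
    """Legacy MD5:xx:xx:... form (ssh-keygen -l -E md5), for older clients."""
    _, blob = decode_pubkey_line(line)
    return "MD5:" + ":".join("%02x" % b for b in hashlib.md5(blob).digest())


def known_hosts_line(hostnames, line):
    """Build a known_hosts entry; hostnames is a list of names and/or addresses."""
    keytype, blob = decode_pubkey_line(line)
    return "%s %s %s" % (",".join(hostnames), keytype, base64.b64encode(blob).decode("ascii"))


def make_sample_pubkey_line(seed=0):
    """Constructed ed25519 public key line: 32 fixed bytes derived from seed, NOT a real key."""
    fake_key = bytes((seed + i) % 256 for i in range(32))
    blob = ssh_string(b"ssh-ed25519") + ssh_string(fake_key)
    return "ssh-ed25519 %s root@newhost" % base64.b64encode(blob).decode("ascii")


if __name__ == "__main__":
    sample = make_sample_pubkey_line()
    print(fingerprint_sha256(sample))
    print(fingerprint_md5(sample))
    # Placeholder host name and address; on a real host, paste the contents of
    # /etc/ssh/ssh_host_ed25519_key.pub instead of the constructed sample.
    print(known_hosts_line(["newhost.example", "192.0.2.10"], sample))
```

On the server, the output of fingerprint_sha256() for the contents of /etc/ssh/ssh_host_ed25519_key.pub matches the ssh-keygen -l line above; the known_hosts entry can be distributed to clients (or appended to ~/.ssh/known_hosts) so that ssh never has to ask "Are you sure you want to continue connecting?". The type check in decode_pubkey_line() rejects a line whose declared key type disagrees with the blob, which is the kind of corruption that would otherwise show up only as a confusing mismatch on the client.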
Since the server is intended as a virtualization host based on KVM, several additional packages need to be installed. I would strongly recommend using the virtualization packages from the qemu-ev repository, which contains qemu-kvm-ev.
yum install centos-release-qemu-ev
yum install qemu-kvm-ev libvirt
Last edited on 2015-05-08.