Redhat configuration (RHEL3, RHEL4, RHEL5)

Redhat configuration : pbraun.nethence.com/doc/sysutils_linux/redhat.html
Daily mail reports with logwatch : pbraun.nethence.com/doc/sysutils/logwatch.html
Log rotation techniques : pbraun.nethence.com/doc/sysutils/log_rotation.html
Redhat/XEN configuration : pbraun.nethence.com/doc/sysutils/xen_redhat.html

Introduction
For RHEL3, RHEL4, RHEL5. We recommend installing a minimal Redhat (only @base) and adding the rest with YUM against a DVD or the network.

Redhat sources : ftp.redhat.com/
CentOS mirrors : mirror-status.centos.org/

Post-install configuration in brief
- disable security level and selinux
- environment
- network configuration
- services
- syslog
- lvm
- additional packages
- sync time
- mail alias
- screen
- file indexation
(-) rhn


Post-install configuration
Disable security level and selinux
On Redhat's first boot,
Security level : disabled
SELinux : disabled
Note. otherwise, once the system has booted,
system-config-securitylevel-tui

Environment
Remove motd and show hidden files,
cd /etc
cat motd
#mv motd motd.dist
vi bashrc
add,
PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:$HOME/bin
LANG=C
export PATH LANG

[[ $USER = root ]] && \
PS1='${HOSTNAME%%.*}# ' || \
PS1='${HOSTNAME%%.*}> '

case "$-" in *i*)
alias rm='rm -i'
alias cp='cp -i'
alias mv='mv -i'
alias ll='ls -alkF'
alias vi='vim'

who
;;
esac
apply immediately,
source bashrc

No freaking colors,
cd ~/
echo "syn off" >> .vimrc
cat ~/.vimrc

Remove skeletons except bashrc and bash_profile,
cd /etc
mv skel skel.dist
mkdir skel
cp skel.dist/.bashrc skel
cp skel.dist/.bash_profile skel
cp ~/.vimrc skel

Setup default group,
useradd -D -g users
Note. also tweakable in /etc/default/useradd

Network configuration
Configure hostname and gateway,
vi /etc/sysconfig/network
like,
NETWORKING=yes
NETWORKING_IPV6=no
HOSTNAME=host.example.net
GATEWAY=10.1.1.254

Configure IP and netmask,
vi /etc/sysconfig/network-scripts/ifcfg-eth0
like,
DEVICE=eth0
BOOTPROTO=static
IPADDR=10.1.1.1
NETMASK=255.255.255.0
ONBOOT=yes
Note. "BOOTPROTO=static" is checked during Oracle installation
Note. remove HWADDR so you can replace network cards transparently (works best since RHEL5 and maybe on latest RHEL4s, bugs were fixed)
Note. otherwise,
#system-config-network-tui

Apply,
hostname host.example.net
service network restart

Configure file based host name resolution,
vi /etc/hosts
like,
127.0.0.1 localhost.localdomain localhost
#rhel5: ::1 localhost6.localdomain6 localhost6
10.1.1.254 gw.example.net gw
10.1.1.1 host.example.net host

Fix name resolution,
vi /etc/resolv.conf
like,
search example.net
nameserver DNS1_IP
nameserver DNS2_IP


Services
On RHEL3,
service apmd stop
service autofs stop
service cups stop
chkconfig apmd off
chkconfig autofs off
chkconfig cups off

On RHEL4,
service apmd stop
service autofs stop
service cups stop
service acpid stop
service bluetooth stop
service haldaemon stop
service hidd stop
service pcmcia stop

chkconfig apmd off
chkconfig autofs off
chkconfig cups off
chkconfig acpid off
chkconfig bluetooth off
chkconfig haldaemon off
chkconfig hidd off
chkconfig pcmcia off

On RHEL5,
#service acpid stop
service atd stop
service auditd stop
service autofs stop
service avahi-daemon stop
service bluetooth stop
service cups stop
service firstboot stop
#service haldaemon stop
service hidd stop
service pcscd stop
service yum-updatesd stop

#chkconfig acpid off
chkconfig atd off
chkconfig auditd off
chkconfig autofs off
chkconfig avahi-daemon off
chkconfig bluetooth off
chkconfig cups off
chkconfig firstboot off
#chkconfig haldaemon off
chkconfig hidd off
chkconfig pcscd off
chkconfig yum-updatesd off

Note. if xen domU,
#chkconfig microcode_ctl off
Note. if Compaq Smart Array (cciss),
#chkconfig smartd off
Note. if using serial console only, no PC console
#chkconfig gpm off

Syslog
Send all the system logs in one single file,
cd /etc
mv syslog.conf syslog.conf.dist
vi syslog.conf
like,
*.* -/var/log/messages
apply,
service syslog restart

Fix perms,
chown root:wheel /var/log/messages
chmod 640 /var/log/messages

LVM
Exclude CDrom from LVM,
cd /etc/lvm
cp lvm.conf lvm.conf.dist
vi lvm.conf
change the filter directive to,
filter = [ "r/dev/cdrom" ]
Note. if you've got a SAN you might also want to exclude sd* and let LVM handle only dm-0

Additional packages
Configure your YUM repository and make sure you've got those installed,
rpm -q \
sendmail \
man \
man-pages \
xorg-x11-xauth \
screen \
wget \
lynx \
lftp \
ntp \
vsftpd \
vim-enhanced \
cvs | grep ^package
#rhel4 & rhel5 : mc
#rhel5 : mlocate
#rhel4 : slocate
#rhel3: XFree86-xauth
optionally,
#rpm-build
#rpm-devel
#gallery2-imagemagick or ImageMagick

Screen
Configure,
cd /etc
mv screenrc screenrc.dist
vi screenrc
like,
startup_message off
caption always "%-Lw%{= BW}%50>%n%f* %t%{-}%+Lw%< %{=b BW} %H %{-} %l %c %d/%m/%Y"
bindkey ^[, prev
bindkey ^[; next
shelltitle ""
autodetach on
defscrollback 65000

then user specifics,
cd ~/
vi .screenrc
like,
screen -t "log" 0 tail -F /var/log/messages
and launch,
cd ~/
screen

Sync time
cd /etc
mv ntp.conf ntp.conf.dist
#sed '/^#/d; /^$/d;' ntp.conf.dist > ntp.conf
vi ntp.conf
like,
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict -6 ::1
server ntp.obspm.fr
driftfile /var/lib/ntp/drift
keys /etc/ntp/keys
apply,
service ntpd start
chkconfig ntpd on

Otherwise,
#ntpdate -u ntp.obspm.fr
or even simply,
#date -s 20091020
#date -s 09:24

Mail alias
Configure the root and wheel user aliases,
cd /etc
vi aliases
change,
root: yourmail@example.net
check for MX and apply,
host -t mx example.net
newaliases

File indexation
Update the mlocate database,
updatedb

RHN
Register to the Redhat network,
rhn_register


Advanced configuration
FTP server
Enable vsftpd,
rpm -q vsftpd
service vsftpd start
chkconfig vsftpd on
Note. /etc/skel was configured previously

You can now create FTP users


Miscellaneous
Prevent ctrl-alt-del from restarting the box,
vi /etc/inittab
comment out that line,
#ca::ctrlaltdel:/sbin/shutdown -t3 -r now

To change the language locale,
vi /etc/sysconfig/i18n

To get everything through serial console, configure GRUB and inittab.
Ref. www.faqs.org/docs/pocket_linux/x1252.html


Advanced network configuration
Check network interface negotiation & link,
ethtool eth0 | grep Link

To force the network interface's bandwidth,
ethtool -s eth0 speed 1000 duplex full autoneg off
And apply it permanently,
vi /etc/sysconfig/network-scripts/ifcfg-eth0
for example,
ETHTOOL_OPTS="speed 1000 duplex full autoneg off"

As for static routes,
vi /etc/sysconfig/static-routes
or
vi /etc/sysconfig/network-scripts/route-ethX
e.g.,
GATEWAY0=10.10.0.1
NETMASK0=255.0.0.0
ADDRESS0=10.0.0.0

GATEWAY1=10.2.0.1
NETMASK1=255.255.0.0
ADDRESS1=192.168.0.0
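
To sanity-check a route-ethX file before restarting the network, here is an added example (not part of the original page) that turns each ADDRESSn/NETMASKn/GATEWAYn group into the equivalent "ip route add" line and rejects incomplete entries or non-contiguous netmasks. The function names and the eth0 device are assumptions made for illustration.

```shell
# routes_to_ip DEVICE: read ADDRESSn/NETMASKn/GATEWAYn lines on stdin and
# print one "ip route add" per entry; exit 1 if any entry is unusable.
routes_to_ip() {
    awk -F= -v dev="$1" '
        BEGIN { bad = 0; split("0 128 192 224 240 248 252 254 255", v, " ")
                for (i = 1; i <= 9; i++) len[v[i]] = i - 1 }  # octet -> set bits
        # Dotted netmask -> prefix length, or -1 if malformed or non-contiguous.
        function prefix(mask,   o, i, bits, partial) {
            if (split(mask, o, ".") != 4) return -1
            for (i = 1; i <= 4; i++) {
                if (!(o[i] in len) || (partial && o[i] != 0)) return -1
                if (len[o[i]] < 8) partial = 1
                bits += len[o[i]]
            }
            return bits
        }
        /^(ADDRESS|NETMASK|GATEWAY)[0-9]+=/ {
            key = $1; idx = $1
            sub(/[0-9]+$/, "", key); sub(/^[A-Z]+/, "", idx)
            val[key, idx] = $2
            if (!(idx in seen)) { seen[idx] = 1; order[++n] = idx }
        }
        END {
            for (k = 1; k <= n; k++) {
                i = order[k]; p = prefix(val["NETMASK", i])
                if (p < 0 || val["ADDRESS", i] == "" || val["GATEWAY", i] == "") {
                    print "# entry " i ": incomplete or bad netmask"; bad = 1
                    continue
                }
                print "ip route add " val["ADDRESS", i] "/" p " via " val["GATEWAY", i] " dev " dev
            }
            exit bad
        }'
}

# The route-ethX example from the page.
sample_routes() {
    cat <<'EOF'
GATEWAY0=10.10.0.1
NETMASK0=255.0.0.0
ADDRESS0=10.0.0.0
GATEWAY1=10.2.0.1
NETMASK1=255.255.0.0
ADDRESS1=192.168.0.0
EOF
}

sample_routes | routes_to_ip eth0
```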

Refs.
web.mit.edu/rhel-doc/5/RHEL-5-manual/Deployment_Guide-en-US/pt-network-related-config.html
kbase.redhat.com/faq/FAQ_79_2561.shtm


RHEL installation numbers
They're supposed to simplify deployments in environments with different subscriptions. However, it's just a pain for non supported Redhats. Here are a few working install numbers as a workaround,
Client,
0000000e0017fc01
Server,
000000e90007fc00
Server with Cluster,
00000065000bfc00
Server with ClusterStorage,
000000ab000ffc00
Server with HPC,
000000e30013fc00
Server with Directory,
000000890017fc00
Server with SMB,
00000052001bfc00
Ref. linuxczar.net/moin/RHEL_Instaltion_Numbers
Ref. www.redhat.com/support/resources/faqs/installation_numbers/


Huge memory
RHEL4 had the hugemem kernel but it wasn't recommended to use it even if you had 64GB+ of RAM. Today RHEL5 is fine with the default kernel, although HP says it runs with max 64GB in its OS compatibility table.


Comparison & criticism
- how to fix it afterwards if a fake/temporary install number has been given during installation?
- the useless "complete log install.log" warning during install
- initrd shouldn't exist. At least the disk drivers should be included into the bare kernel.
- when updating httpd with "yum update", files that were intentionally removed come back, like,
/etc/httpd/conf.d/welcome.conf
Note. this may unfortunately happen with other updates.
- should be English only, no translations. For example, lynx keyboard interaction stays English while the messages are in French. Spooky.
- logwatch sucks compared to custom scripts
- logrotate sucks compared to newsyslog
- RHEL vs CentOS: silly constraint about the CDs


References
www.redhat.com/docs/manuals/enterprise/
web.mit.edu/rhel-doc/5/RHEL-5-manual/Deployment_Guide-en-US/
mirror.centos.org/centos/4/os/i386/NOTES/RELEASE-NOTES-U5-fr.html
Init scripts lock files : www.redhat.com/magazine/008jun05/departments/tips_tricks/