There are two supported versions of CentOS in the wild now.
\nNote that I exclude CentOS6 as that is pretty much end of support now. So we have only versions 7 and 8 to play with.
\nVersion 7 is EOL in 2024, 8 is EOL in 2029.<\/p>\n
My reason for requiring CentOS was that Docker does not run out-of-the-box on Fedora31 so I was dubious about any future support for it there, and it was safer to move to a supported OS rather than just pray that the Docker team would bother with updating their packages for Fedora.<\/p>\n
RHEL8 (and therefore CentOS8 also) has dropped support for docker within their repositories so I had to rule out CentOS8. I may revisit that if the Docker packaging teams ever create their own upstream repository to support RHEL8.<\/p>\n
So this post is on installing CentOS7 and the required packages I needed to migrate my webserver from F30 to CentOS7.<\/p>\n
The conversion was relatively painless.<\/p>\n
The major steps needed for the conversion are documented below.<\/p>\n
My host machines are currently both on Fedora31, the ISO I was using was CentOS-7-x86_64-Everything-1503-01.iso.<\/p>\n
There was a rather large issue in building the VM, but I got there in the end.<\/p>\n
The resolution to this was to manually create a VM XML file (based on a CentOS7 VM I created a looong time ago when virt-manager did allow IDE, just updating things like name, uuid, disk name, mac address etc to match values used in the failed Centos7 attempt), precreate the qcow2 disk and simply ‘virsh define xx.xml’ to define the VM.<\/p>\n
At that point I could use virt-manager to select the cdrom as the boot device and install CentOS7 without further problems. I was also able to check that CentOS7 had all the packages available that I would need to migrate my webserve from Fedora to CentOS. Remembering of course to use ‘yum -y install epel-release’.<\/p>\n
CentOS7 shipped with php5.4 which is no longer supported, and most web applications will not even run on such and old version.<\/p>\n
php7.4 is available for CentOS7, but I chose to use 7.3 to match what was already running on my existing webserver.<\/p>\n
Rather than rewrite existing documentation this ecternal post on installing php 7.3 on CentOS7<\/a> covers all the steps needed. The procedure worked without error… although I did one additional step before following the procedure whist was to remove all the php5.4 packages installed by default with CentOS7.<\/p>\n A “yum search jetty” did not find an all encompassing package that would install Jetty, and I was not keen on just installing every package beginning with jetty.<\/p>\n Instead I followed the documentation on installing jetty on CentOS7<\/a> from the linuxhelp site. The procedure documented there worked without any problems.<\/p>\n The only additional step I had to do was move my apps from \/var\/lib\/jetty\/webapps (where F30 required them) to \/opt\/jetty\/webapps where the manual install expects Jetty apps.<\/p>\n I chose to install the version of Certbot recomended for CentOS8, the best choice as I had upgraded php.<\/p>\n Again the documentation on installing certbot<\/a> is easy to follow.<\/p>\n After downloading the certbot-auto file I chose perform only the “certbot-auto –install-only -v” step, which worked without issues.<\/p>\n I have not yet tried the “certbot-auto renew” comamnd to obtain new certificates as the ones I use are nowhere near their expiry date.<\/p>\n I use puppet for configuring my servers, installing the puppet agent was simply<\/p>\n The mariadb databases were simple to migrate as my webserver takes hourly database dumps.<\/p>\n On the new CentOS7 server it was simple a case of installing mariadb-server and starting the mariadb service, and running the secure setup script to get a nice clean setup.<\/p>\n Then sourcing (\\.) the latest dump file from the Fedora30 server. This completed with no errors and all users, databases and database grants etc. were in place and working; tested by logging onto all the apps that use the database to confirm stored app userids worked and apps behaved as expected.<\/p>\n All the PHP based applications (including wordpress) I use were able to be simply migrated across to the new server as part of the httpd directory structure copy, with the following additional steps<\/p>\n Owncloud server components do not exist in OS distribution repositories. You obtain the owncloud-files package from https:\/\/download.owncloud.org\/download\/repositories\/production\/owncloud\/<\/a>.<\/p>\n As I was installing onto CentOS7 I downloaded the rpm file for CentOS8 and manually installed it (rpm -i xxx.rpm), it matched the version used on Fedora30 so should work with the existing databases once the DNS entries for the server are changed so your clients point to it.<\/p>\n I chose to create a completely new database and re-install as I only one sync user (myself) so I could just re-add my credentials..<\/p>\n This was simply a case of “yum -y install libtool libpcap-devel libdnet-devel bison flex” then recompiling the DAQ and snort binaries.<\/p>\n As I installed using the default configuration files (mainly to allow me to document the changes) rather than just copy across my existing configurations there was also a bit of manual customisation needed as shown below.<\/p>\n Assuming you have downloaded the snort and daq static source from the snort website (and installed the packages listed two paragraphs up) the steps to get snort installed are below; note that I placed the sources in \/home\/mark\/installs\/snort so change that location to the one you used.<\/p>\n And you will need to add a user and group for snort, the group snort is added automatically when the user is added with system defaults. Using the community rules (the free rule packages for snort) quite a bit of editing of the snort.conf file. As you should edit it to define a trusted home network anyway lets edit the snort.conf file.<\/p>\n Rather than go into details, as this post is not about installing snort, below is a “diff” between the supplied snort.conf and my customised one ( < is my changes, > is the origional line ).<\/p>\n As mentioned above I use the community rules. To install those simply follow the below steps.<\/p>\n The commands in emphasis above should be placed into a weekly cron job along with a restart of snort to ensure you keep the rules up to date.<\/p>\n You will need to create a startup\/shutdown script<\/b>. The start command is (replace ens3 with your interface name)<\/p>\n Note: for testing run in foreground with “\/usr\/local\/bin\/snort -A fast -b -d -i eth0 -u snort -g snort -c \/etc\/snort\/snort.conf -l \/var\/log\/snort -b” so all errors are written to your terminal.<\/p>\n Conversion from Fedora30 to CentOS7 is a fairly painless exercise. Most of the work needed I did in two days to get a fully working server. I spent an additional three days was spent on customising\/testing puppet rules for this CentOS7 system (as some packages are different to Fedora), testing bacula backups\/restores, penetration testing etc; basically a lot of stuff most users do not need to do.<\/p>\n Was the conversion sucessfull ?. You are viewing this post on the CentOS7 server, so yes :-).<\/p>\n","protected":false},"excerpt":{"rendered":" There are two supported versions of CentOS in the wild now. Note that I exclude CentOS6 as that is pretty much end of support now. So we have only versions 7 and 8 to play with. Version 7 is EOL … Continue reading Installing Jetty<\/h2>\n
The EFF Certbot<\/h2>\n
Puppet Agent<\/h2>\n
\r\nrpm -Uvh https:\/\/yum.puppetlabs.com\/puppetlabs-release-pc1-el-7.noarch.rpm\r\nyum install puppet-agent\r\nsystemctl enable puppet\r\n<\/pre>\n
MariaDB Databases<\/h2>\n
PHP based applications<\/h2>\n
\n
Snort intrusion detection system (IDS)<\/h2>\n
\r\ncd \/home\/mark\/installs\/snort\/daq-2.0.6\r\n.\/configure\r\nmake\r\nmake install\r\nmake clean\r\n\r\ncd \/home\/mark\/installs\/snort\/snort-2.9.12\r\n.\/configure --enable-sourcefire --disable-open-appid\r\nmake\r\nmake install\r\nmake clean\r\n\r\nmkdir \/etc\/snort\r\ncd \/etc\/snort\r\ncp \/home\/mark\/installs\/snort\/snort-2.9.12\/etc\/* .\r\n<\/pre>\n
\nSimply “useradd snort”. Do that at this point as we will be changing filesystem permissions to this user in later steps.<\/p>\n\r\n< #ipvar HOME_NET any\r\n< ipvar HOME_NET 192.168.1.0\/24\r\n> ipvar HOME_NET any\r\n< #ipvar EXTERNAL_NET any\r\n< ipvar EXTERNAL_NET !$HOME_NET\r\n> ipvar EXTERNAL_NET any\r\n\r\n< var RULE_PATH \/etc\/snort\/community-rules\r\n< var SO_RULE_PATH \/etc\/snort\/so_rules\r\n< var PREPROC_RULE_PATH \/etc\/snort\/preproc_rules\r\n> var RULE_PATH ..\/rules\r\n> var SO_RULE_PATH ..\/so_rules\r\n> var PREPROC_RULE_PATH ..\/preproc_rules\r\n\r\n< var WHITE_LIST_PATH \/etc\/snort\/community-rules\r\n< var BLACK_LIST_PATH \/etc\/snort\/community-rules\r\n> var WHITE_LIST_PATH ..\/rules\r\n> var BLACK_LIST_PATH ..\/rules\r\n\r\n< include $RULE_PATH\/community.rules\r\n> include $RULE_PATH\/local.rules\r\n\r\nA N D -------- comment out all folowing includes after the community.rules\r\n entry as they are not provided with the community rules.\r\n<\/pre>\n
\r\n\r\nmkdir \/tmp\/snort\r\ncd \/tmp\/snort\r\nwget https:\/\/www.snort.org\/rules\/community\r\ncd \/etc\/snort\r\ntar -zxvf \/tmp\/snort\/community\r\n\/bin\/rm \/tmp\/snort\/community\r\nrmdir \/tmp\/snort\r\n<\/em>\r\nmkdir \/usr\/local\/lib\/snort_dynamicrules\r\ntouch \/etc\/snort\/community-rules\/black_list.rules\r\ntouch \/etc\/snort\/community-rules\/white_list.rules\r\nmkdir \/var\/log\/snort\r\nchown snort:snort \/var\/log\/snort\r\n<\/pre>\n
\r\n\/usr\/local\/bin\/snort -D -A fast -b -d -i ens3 -u snort -g snort -c \/etc\/snort\/snort.conf -l \/var\/log\/snort -b\r\n<\/pre>\n
Summary<\/h2>\n