CentOS 7 1511 Minimal x86_64 Base Installation Guide - rharmonson/richtech GitHub Wiki
#CentOS 7 1511 Minimal x86_64 Base Installation Guide
Updated article as of November 2017 at the URL below.
Revised November 12, 2016; netinstall, eth#, & default firewall revision
Revised October 29, 2016; using `ss` and disabling ipv6 listeners
Revised October 19, 2016; use 'timedatectl' to change time versus 'date'
Revised: August 10, 2016
The purpose of this guide is to provide the steps to install and configure a standardized CentOS 7.2.1511 aka Red Hat Enterprise Linux (RHEL) 7.2 Minimal x86_64 base operating system.
Current CentOS-7 Release Notes can be found at https://wiki.centos.org/Manuals/ReleaseNotes/CentOS7.
CentOS FAQ can be found at http://wiki.centos.org/FAQ/CentOS7.
Base CentOS Installation Task Overview
- Obtain media
- Installation
- Host Name
- Network
- Name Resolution
- Disable ipv6
- iptables & firewalld
- Time zone
- Time & Date
- Network Time
- EPEL
- oVirt Guest
- Update
##Obtain Media
If you are new to Linux or new to CentOS minimal installations, I would advise reviewing all the information at the URL below. For this article, I am using the x86_64 version, also known as 64 bit.
Download: http://wiki.centos.org/Download
netinstall
The netinstall ISO installer has only the necessary bits to boot a very basic operating system, then uses http or ftp to download the packages to be installed. This differs from the other installation methods that use the local repository found on the installation media. There is no link to the netinstall ISO. Oversight? However, if you browse the mirrors, you will find it with the other ISO installation media. For example:
http://mirrors.ocf.berkeley.edu/centos/7/isos/x86_64/CentOS-7-x86_64-NetInstall-1511.iso
During the install, you will need to provide a repository URL such as:
http://mirror.centos.org/centos/7/os/x86_64/
##Installation
Boot from media and, generally, accept the defaults. You have an opportunity to provide time zone, a host name, configure network interfaces, provide DNS IP addresses, domain search, etc. If configured at this point, the installation script automatically configures the resulting installation using these settings. It is a time saver; however, I am going to assume these settings have not been set or changes will be needed. That said, I use the following settings if using the graphical installer:
- Date & Time: your timezone and enable Network Time (assumes DHCP)
- Keyboard: default
- Language Support: default
- Security Policy: disable (revisited after implementing Foreman)
- Installation Source: default
- Software Selection: default
- Installation Destination: default
- KDump: disable
- Network & Host Name: configure as appropriate
- Date & Time: enable Network Time (assumes no DHCP)
- User Settings: set root password
Note
During installation and under "Installation Source" you have an option or button "Verify" to run a "Media Verification." If this is your first use of the media, I advise using this feature. Nothing worse than losing hours due to corrupted installation media. If you have previously verified the media at its current storage location, skip verification.
##Host Name
View current host name
```
[root@localhost ~]# hostnamectl
Static hostname: localhost.localdomain
Icon name: computer-desktop
Chassis: desktop
Machine ID: b2dc04fb1430417cad1042a40ac5189f
Boot ID: daaed889abfa4b45ad4120d25ff493d8
Operating System: CentOS Linux 7 (Core)
CPE OS Name: cpe:/o:centos:centos:7
Kernel: Linux 3.10.0-327.el7.x86_64
Architecture: x86-64
```
Set the hostname
```
[root@localhost ~]# hostnamectl set-hostname myhost.mydomain.net
```
Results
```
[root@localhost ~]# hostnamectl
Static hostname: myhost.mydomain.net
Icon name: computer-desktop
Chassis: desktop
Machine ID: b2dc04fb1430417cad1042a40ac5189f
Boot ID: daaed889abfa4b45ad4120d25ff493d8
Operating System: CentOS Linux 7 (Core)
CPE OS Name: cpe:/o:centos:centos:7
Kernel: Linux 3.10.0-327.el7.x86_64
Architecture: x86-64
```
##Network
###Network Manager
Red Hat has been changing how networking is configured and managed with an emphasis on the use of Network Manager. Network Manager is installed and in use by default on CentOS 7. Configure using either `nmtui` or `nmcli`. `nmtui` has a very intuitive interface but `nmcli` is useful for scripting.
If you have multiple interfaces, connect an Ethernet cable to the desired port, then execute `ip addr` to identify the interface. If using DHCP, it will show an IP address assigned. If not using DHCP, you should see 'up' status. Execute `nmtui` and "Edit" the interface, then use `nmtui` again to "Activate".
###Removing Network Manager
For Minimal installations of CentOS, my preference is to remove Network Manager. I have seen no compelling reason to use it on a server.
Begin by stopping and disabling NetworkManager
```
[root@myhost ~]# systemctl stop NetworkManager
[root@myhost ~]# systemctl disable NetworkManager
Removed symlink /etc/systemd/system/multi-user.target.wants/NetworkManager.service.
Removed symlink /etc/systemd/system/dbus-org.freedesktop.NetworkManager.service.
Removed symlink /etc/systemd/system/dbus-org.freedesktop.nm-dispatcher.service.
```
Now remove NetworkManager
```
[root@myhost ~]# yum remove NetworkManager
```
Results
```
================================================================================
Package Arch Version Repository Size
================================================================================
Removing:
NetworkManager x86_64 1:1.0.6-29.el7_2 @updates 9.1 M
Removing for dependencies:
NetworkManager-tui x86_64 1:1.0.6-29.el7_2 @updates 254 k
Transaction Summary
================================================================================
Remove 1 Package (+1 Dependent package)
Installed size: 9.4 M
================================================================================
Package Arch Version Repository Size
================================================================================
Removing:
NetworkManager x86_64 1:1.0.6-27.el7 @anaconda 9.1 M
Removing for dependencies:
NetworkManager-tui x86_64 1:1.0.6-27.el7 @anaconda 254 k
NetworkManager-wifi x86_64 1:1.0.6-27.el7 @anaconda 115 k
Transaction Summary
================================================================================
Remove 1 Package (+2 Dependent packages)
Installed size: 9.5 M
Is this ok [y/N]:
```
###Hand Crafting `ifcfg` Files
By default, the CentOS installation will have created ifcfg files for detected interfaces, so the first step is to back up the original files, with the exception of `ifcfg-lo`, which will remain unmodified. Note that all files starting with "ifcfg" will be processed at start of the network service unless `.orig` is appended. When backing up the files, either place them in a different directory or append `.orig`.
View Interfaces
Connect the interface to be configured and use `ip addr` to identify the 'up' interface.
For example
```
[root@myhost ~]# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eno1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state DOWN qlen 1000
link/ether 0c:c4:7a:43:13:ee brd ff:ff:ff:ff:ff:ff
3: eno2: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc mq state DOWN qlen 1000
link/ether 0c:c4:7a:43:13:ef brd ff:ff:ff:ff:ff:ff
4: enp6s0f0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 00:15:17:19:3d:6e brd ff:ff:ff:ff:ff:ff
5: enp6s0f1: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast state DOWN qlen 1000
link/ether 00:15:17:19:3d:6f brd ff:ff:ff:ff:ff:ff
6: enp1s0f4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state DOWN qlen 1000
link/ether 00:07:43:33:87:10 brd ff:ff:ff:ff:ff:ff
7: enp1s0f4d1: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc mq state DOWN qlen 1000
link/ether 00:07:43:33:87:18 brd ff:ff:ff:ff:ff:ff
```
Note interface enp6s0f0 is in an `UP` state. This is the interface to be configured.
Configure Interface
Create and/or edit a configuration file using `vi /etc/sysconfig/network-scripts/ifcfg-enp6s0f0` and replace the values given in the example below with yours: IPADDR, PREFIX, and GATEWAY. The entry "DEFROUTE=yes" assumes the interface is to be the default route for unknown routes. All other interfaces should have "DEFROUTE=no".
```
DEVICE=enp6s0f0
TYPE=Ethernet
BOOTPROTO=none
ONBOOT=yes
IPADDR=192.168.1.1
PREFIX=24
GATEWAY=192.168.1.254
DEFROUTE=yes
```
After saving the ifcfg file, restart network services.
```
[root@myhost ~]# systemctl restart network
```
Results
```
[root@myhost ~]# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eno1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN qlen 1000
link/ether 0c:c4:7a:43:13:ee brd ff:ff:ff:ff:ff:ff
3: eno2: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN qlen 1000
link/ether 0c:c4:7a:43:13:ef brd ff:ff:ff:ff:ff:ff
4: enp6s0f0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 00:15:17:19:3d:6e brd ff:ff:ff:ff:ff:ff
inet 192.168.1.1/24 brd 192.168.1.255 scope global enp6s0f0
valid_lft forever preferred_lft forever
inet6 fe80::215:17ff:fe19:3d6e/64 scope link
valid_lft forever preferred_lft forever
5: enp6s0f1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN qlen 1000
link/ether 00:15:17:19:3d:6f brd ff:ff:ff:ff:ff:ff
6: enp1s0f4: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN qlen 1000
link/ether 00:07:43:33:87:10 brd ff:ff:ff:ff:ff:ff
7: enp1s0f4d1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN qlen 1000
link/ether 00:07:43:33:87:18 brd ff:ff:ff:ff:ff:ff
```
Notes
- `NM_CONTROLLED=no` disables Network Manager for an interface, if using Network Manager
- `IPV6INIT=no` disables IPv6 for an interface
- `DEFROUTE=no` or `DEFROUTE=yes` excludes or sets an interface as the default route, respectively, if using Network Manager
- `PEERDNS=yes` adds the interface's DNS settings to `/etc/resolv.conf`
- `NETMASK` is an alternative to `PREFIX`
Additional interfaces, if needed, have a much simpler configuration.
```
[root@myhost ~]# vi /etc/sysconfig/network-scripts/ifcfg-enp1s0f4
DEVICE=enp1s0f4
TYPE=Ethernet
BOOTPROTO=none
ONBOOT=yes
IPADDR=192.168.2.1
PREFIX=24
GATEWAY=192.168.2.254
DEFROUTE=no
```
If using bonds, bridges, or teams, details can be found here:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Networking_Guide/index.html
Reference
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/ch-Network_Interfaces.html#s1-networkscripts-files
###NOZEROCONF
Add the following line to /etc/sysconfig/network to prevent zero configuration networking, i.e. 169.254.0.0/16. Ick!
```
NOZEROCONF=yes
```
###Name Resolution
Network Manager may have updated resolv.conf to reflect ifcfg's DNS1, DNS2, and DOMAIN settings. If not, `vi /etc/resolv.conf` and update appropriately. Mine is given below.
```
[root@myhost network-scripts]# cat /etc/resolv.conf
# Generated by NetworkManager
search mydomain.net
nameserver 8.8.8.8
nameserver 8.8.4.4
```
###Network Testing
Use ping to verify basic interface, routing, and name resolution operation.
```
[root@myhost ~]# ping www.google.com -c 5
PING www.google.com (74.125.239.48) 56(84) bytes of data.
64 bytes from nuq04s19-in-f16.1e100.net (74.125.239.48): icmp_seq=1 ttl=128 time=9.83 ms
64 bytes from nuq04s19-in-f16.1e100.net (74.125.239.48): icmp_seq=2 ttl=128 time=9.05 ms
64 bytes from nuq04s19-in-f16.1e100.net (74.125.239.48): icmp_seq=3 ttl=128 time=13.4 ms
64 bytes from nuq04s19-in-f16.1e100.net (74.125.239.48): icmp_seq=4 ttl=128 time=8.40 ms
64 bytes from nuq04s19-in-f16.1e100.net (74.125.239.48): icmp_seq=5 ttl=128 time=8.25 ms
--- www.google.com ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4070ms
rtt min/avg/max/mdev = 8.256/9.808/13.490/1.924 ms
```
###Disable IPv6
I don't use IPv6, so until such time as I need it, I disable it. Besides, it is just as easy to re-enable as it is to disable.
View IPv6 Settings using `sysctl -a`
```
[root@myhost ~]# sysctl -a | grep -i ipv6.conf.*.disable_ipv6
net.ipv6.conf.all.disable_ipv6 = 0
net.ipv6.conf.default.disable_ipv6 = 0
net.ipv6.conf.eno1.disable_ipv6 = 0
net.ipv6.conf.eno2.disable_ipv6 = 0
net.ipv6.conf.enp1s0f4.disable_ipv6 = 0
net.ipv6.conf.enp1s0f4d1.disable_ipv6 = 0
net.ipv6.conf.enp6s0f0.disable_ipv6 = 0
net.ipv6.conf.enp6s0f1.disable_ipv6 = 0
net.ipv6.conf.lo.disable_ipv6 = 0
```
Note the value of "0" means the `disable_ipv6` feature is not enabled, so IPv6 is active. Enable "all" and "default" to ensure no interface uses IPv6.
Edit using `vi /etc/sysctl.conf`; the file will have no entries. We will add and enable all.disable and default.disable for IPv6.
Results
```
[root@myhost ~]# vi /etc/sysctl.conf
[root@myhost ~]# cat /etc/sysctl.conf
# System default settings live in /usr/lib/sysctl.d/00-system.conf.
# To override those settings, enter new settings here, or in an /etc/sysctl.d/<name>.conf file
#
# For more information, see sysctl.conf(5) and sysctl.d(5).
net.ipv6.conf.all.disable_ipv6=1
net.ipv6.conf.default.disable_ipv6=1
```
At this point, you can reboot or use `sysctl` to load the updated /etc/sysctl.conf.
```
[root@myhost ~]# sysctl --load=/etc/sysctl.conf
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
[root@myhost ~]# sysctl -a | grep -i ipv6.conf.*.disable_ipv6
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.eno1.disable_ipv6 = 1
net.ipv6.conf.eno2.disable_ipv6 = 1
net.ipv6.conf.enp1s0f4.disable_ipv6 = 1
net.ipv6.conf.enp1s0f4d1.disable_ipv6 = 1
net.ipv6.conf.enp6s0f0.disable_ipv6 = 1
net.ipv6.conf.enp6s0f1.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1
```
As with NetworkManager, I have found no compelling reason to use firewalld. It sits on top of iptables and adds unnecessary complexity.
My preference is to remove firewalld and use iptables directly.
###Remove firewalld
```
[root@myhost ~]# systemctl disable firewalld
[root@myhost ~]# systemctl stop firewalld
[root@myhost ~]# yum remove firewalld
```
###Install iptables-services
```
# yum install iptables-services
================================================================================
Package Arch Version Repository Size
================================================================================
Installing:
iptables-services x86_64 1.4.21-16.el7 base 50 k
Transaction Summary
================================================================================
Install 1 Package
Total download size: 50 k
Installed size: 24 k
Is this ok [y/d/N]: y
[root@myhost ~]# systemctl enable iptables
Created symlink from /etc/systemd/system/basic.target.wants/iptables.service to /usr/lib/systemd/system/iptables.service.
[root@myhost ~]# systemctl start iptables
[root@myhost ~]# systemctl status iptables
● iptables.service - IPv4 firewall with iptables
Loaded: loaded (/usr/lib/systemd/system/iptables.service; enabled; vendor preset: disabled)
Active: active (exited) since Sun 2016-08-07 15:02:42 PDT; 8s ago
Process: 1524 ExecStart=/usr/libexec/iptables/iptables.init start (code=exited, status=0/SUCCESS)
Main PID: 1524 (code=exited, status=0/SUCCESS)
Aug 07 15:02:42 myhost.mydomain.net systemd[1]: Starting IPv4 firewall ...
Aug 07 15:02:42 myhost.mydomain.net iptables.init[1524]: iptables: Appl...
Aug 07 15:02:42 myhost.mydomain.net systemd[1]: Started IPv4 firewall w...
Hint: Some lines were ellipsized, use -l to show in full.
```
Note
If you receive error "Failed to execute operation: Access denied" when using systemctl to disable firewalld, you disabled "Security Policy" during the graphical install. Install iptables-services
Create the file using `vi default.fw`
```
#!/bin/bash
# Flush current rules
iptables -F
# Set default chain policies
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
# Allow established sessions to receive traffic
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Accept on localhost
iptables -A INPUT -i lo -j ACCEPT
# ICMP Echo (OPTIONAL)
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
# Reject everything else; rules appended (-A) after this line never match
iptables -A INPUT -j REJECT --reject-with icmp-host-prohibited
# Accept incoming SSH; -I inserts at the top of the chain, ahead of the REJECT
iptables -I INPUT -p tcp -m conntrack --ctstate NEW -m tcp --dport 22 -j ACCEPT
# Save changes to /etc/sysconfig/iptables
service iptables save
# Restart the service and show its status
systemctl restart iptables
systemctl status iptables
```
Set the file to executable using `chmod +x default.fw`, then execute `./default.fw`. Review the change using `iptables -L -n -v`.
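The script inserts the SSH rule with `-I` because iptables stops at the first matching rule, so anything appended after the catch-all `REJECT` is never evaluated. The check below is an added example, not part of the original guide: it reads `iptables -S INPUT` output and reports rules stranded behind the catch-all, a default policy other than DROP, and a missing reachable SSH rule. The function name and both sample rule sets are constructed for illustration.

```bash
#!/bin/bash
# Added example (not from the guide). Reads `iptables -S INPUT` output on
# stdin and prints one finding per line; prints nothing when the chain is sane.
# check_input_chain is a hypothetical helper name.
# Live use: iptables -S INPUT | check_input_chain
check_input_chain() {
    awk '
    $1 == "-P" && $2 == "INPUT" {
        if ($3 != "DROP")
            print "policy: INPUT default policy is " $3 ", expected DROP"
        next
    }
    $1 != "-A" || $2 != "INPUT" { next }
    {
        pos++
        if (catchall) {
            # First match wins, so nothing after the catch-all is evaluated.
            print "unreachable: rule " pos " follows catch-all at rule " catchall ": " $0
            next
        }
        # A catch-all has a target but no match options: "-A INPUT -j REJECT ..."
        if ($3 == "-j" && ($4 == "REJECT" || $4 == "DROP")) catchall = pos
        if ($0 ~ /--dport 22 / && $0 ~ /-j ACCEPT$/) ssh = 1
    }
    END { if (!ssh) print "ssh: no reachable ACCEPT rule for tcp/22" }'
}

# Constructed sample: the INPUT chain as default.fw leaves it (SSH via -I).
rules_as_written() { cat <<'EOF'
-P INPUT DROP
-A INPUT -p tcp -m conntrack --ctstate NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
EOF
}

# Constructed sample: the same rules with SSH added by -A after the REJECT.
rules_ssh_appended() { cat <<'EOF'
-P INPUT DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p tcp -m conntrack --ctstate NEW -m tcp --dport 22 -j ACCEPT
EOF
}

echo "== as written =="
rules_as_written | check_input_chain
echo "== ssh appended =="
rules_ssh_appended | check_input_chain
```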
##Time zone
After installation, the default time zone is America/New_York. CentOS 7 uses `timedatectl` to manage time and date related settings.
Check current settings using `timedatectl`
```
[root@myhost ~]# timedatectl
Local time: Fri 2016-04-01 18:01:44 EDT
Universal time: Fri 2016-04-01 22:01:44 UTC
RTC time: Fri 2016-04-01 22:01:43
Time zone: America/New_York (EDT, -0400)
NTP enabled: n/a
NTP synchronized: no
RTC in local TZ: no
DST active: yes
Last DST change: DST began at
Sun 2016-03-13 01:59:59 EST
Sun 2016-03-13 03:00:00 EDT
Next DST change: DST ends (the clock jumps one hour backwards) at
Sun 2016-11-06 01:59:59 EDT
Sun 2016-11-06 01:00:00 EST
```
Find your time zone
```
[root@myhost ~]# timedatectl list-timezones | grep -i angeles
America/Los_Angeles
```
Set your time zone
```
[root@myhost ~]# timedatectl set-timezone America/Los_Angeles
```
Results
```
[root@myhost ~]# timedatectl
Local time: Fri 2016-04-01 15:08:10 PDT
Universal time: Fri 2016-04-01 22:08:10 UTC
RTC time: Fri 2016-04-01 22:08:10
Time zone: America/Los_Angeles (PDT, -0700)
NTP enabled: n/a
NTP synchronized: no
RTC in local TZ: no
DST active: yes
Last DST change: DST began at
Sun 2016-03-13 01:59:59 PST
Sun 2016-03-13 03:00:00 PDT
Next DST change: DST ends (the clock jumps one hour backwards) at
Sun 2016-11-06 01:59:59 PDT
Sun 2016-11-06 01:00:00 PST
```
References:
http://www.server-world.info/en/note?os=CentOS_7&p=timezone
##Time & Date
View the current date and time using `date`.
Set the current local time and date using `timedatectl set-time '2016-04-02 17:48:12'`. The result is `Sat Apr 2 17:48:12 PDT 2016`.
##Network Time
Time synchronization can play a big role in Kerberos authentication and other services. By default, "chrony" is installed instead of "ntpd". To update chrony time sources, `vi /etc/chrony.conf` and update or add "server" values.
##EPEL (optional)
EPEL repository is optional. The installation steps are as follows:
- Install the repository's key, so the package can be verified and trusted.
- Install the repository package for your distribution.
- Configure, if desired, the repository configuration files found in `/etc/yum.repos.d`.

For CentOS 7 64 bit
```
[root@myhost ~]# rpm --import https://dl.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-7
[root@myhost ~]# yum install https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
```
Results
```
================================================================================
Package Arch Version Repository Size
================================================================================
Installing:
epel-release noarch 7-7 /epel-release-latest-7.noarch 24 k
Transaction Summary
================================================================================
Install 1 Package
Total size: 24 k
Installed size: 24 k
Is this ok [y/d/N]: y
```
##oVirt Guest (optional)
If using CentOS 7 Minimal as an oVirt Guest (virtual machine), install the oVirt repository and guest agent.
```
[root@myhost ~]# yum install -y http://resources.ovirt.org/pub/yum-repo/ovirt-release36.rpm
[root@myhost ~]# yum install ovirt-guest-agent-common
```
Results
```
================================================================================
Package Arch Version Repository Size
================================================================================
Installing:
ovirt-guest-agent-common noarch 1.0.12-3.el7 epel 69 k
Installing for dependencies:
libnl x86_64 1.1.4-3.el7 base 128 k
python-ethtool x86_64 0.8-5.el7 base 33 k
qemu-guest-agent x86_64 10:2.3.0-4.el7 base 121 k
usermode x86_64 1.111-5.el7 base 193 k
Transaction Summary
================================================================================
Install 1 Package (+4 Dependent packages)
Total download size: 544 k
Installed size: 1.8 M
Is this ok [y/d/N]:
```
Enable and start the agent.
```
[root@myhost ~]# systemctl enable ovirt-guest-agent
[root@myhost ~]# systemctl start ovirt-guest-agent
[root@myhost ~]# systemctl status ovirt-guest-agent
● ovirt-guest-agent.service - oVirt Guest Agent
Loaded: loaded (/usr/lib/systemd/system/ovirt-guest-agent.service; enabled; vendor preset: disabled)
Active: active (running) since Sun 2016-08-07 15:54:42 PDT; 8s ago
Process: 19530 ExecStartPre=/bin/chown ovirtagent:ovirtagent /run/ovirt-guest-agent.pid (code=exited, status=0/SUCCESS)
Process: 19526 ExecStartPre=/bin/touch /run/ovirt-guest-agent.pid (code=exited, status=0/SUCCESS)
Process: 19524 ExecStartPre=/sbin/modprobe virtio_console (code=exited, status=0/SUCCESS)
Main PID: 19532 (python)
CGroup: /system.slice/ovirt-guest-agent.service
└─19532 /usr/bin/python /usr/share/ovirt-guest-agent/ovirt-guest-a...
Aug 07 15:54:42 myhost.mydomain.net systemd[1]: Starting oVirt Guest Ag...
Aug 07 15:54:42 myhost.mydomain.net systemd[1]: Started oVirt Guest Agent.
Aug 07 15:54:42 myhost.mydomain.net userhelper[19540]: pam_succeed_if(o...
Aug 07 15:54:42 myhost.mydomain.net userhelper[19540]: running '/usr/sh...
Aug 07 15:54:43 myhost.mydomain.net userhelper[19542]: pam_succeed_if(o...
Aug 07 15:54:43 myhost.mydomain.net userhelper[19543]: pam_succeed_if(d...
Aug 07 15:54:43 myhost.mydomain.net userhelper[19543]: running '/usr/sh...
Aug 07 15:54:43 myhost.mydomain.net userhelper[19542]: running '/usr/sh...
Hint: Some lines were ellipsized, use -l to show in full.
```
##Update
Update CentOS base installation prior to building services.
```
[root@myhost ~]# yum update
```
Results
```
================================================================================
Package Arch Version Repository Size
================================================================================
Installing:
kernel x86_64 3.10.0-327.28.2.el7 updates 33 M
Updating:
NetworkManager-libnm x86_64 1:1.0.6-30.el7_2 updates 498 k
avahi-autoipd x86_64 0.6.31-15.el7_2.1 updates 39 k
avahi-libs x86_64 0.6.31-15.el7_2.1 updates 61 k
bash x86_64 4.2.46-20.el7_2 updates 1.0 M
bind-libs-lite x86_64 32:9.9.4-29.el7_2.3 updates 724 k
bind-license noarch 32:9.9.4-29.el7_2.3 updates 82 k
ca-certificates noarch 2015.2.6-70.1.el7_2 updates 428 k
chkconfig x86_64 1.3.61-5.el7_2.1 updates 173 k
coreutils x86_64 8.22-15.el7_2.1 updates 3.2 M
cronie x86_64 1.4.11-14.el7_2.1 updates 90 k
cronie-anacron x86_64 1.4.11-14.el7_2.1 updates 35 k
cyrus-sasl-lib x86_64 2.1.26-20.el7_2 updates 155 k
dbus x86_64 1:1.6.12-14.el7_2 updates 306 k
dbus-libs x86_64 1:1.6.12-14.el7_2 updates 151 k
device-mapper x86_64 7:1.02.107-5.el7_2.5 updates 252 k
device-mapper-event x86_64 7:1.02.107-5.el7_2.5 updates 167 k
device-mapper-event-libs x86_64 7:1.02.107-5.el7_2.5 updates 169 k
device-mapper-libs x86_64 7:1.02.107-5.el7_2.5 updates 305 k
device-mapper-persistent-data x86_64 0.6.2-1.el7_2 updates 366 k
dracut x86_64 033-360.el7_2.1 updates 311 k
dracut-config-rescue x86_64 033-360.el7_2.1 updates 50 k
dracut-network x86_64 033-360.el7_2.1 updates 90 k
glibc x86_64 2.17-106.el7_2.8 updates 3.6 M
glibc-common x86_64 2.17-106.el7_2.8 updates 11 M
gmp x86_64 1:6.0.0-12.el7_1 updates 280 k
gnutls x86_64 3.3.8-14.el7_2 updates 662 k
grub2 x86_64 1:2.02-0.34.el7.centos updates 1.5 M
grub2-tools x86_64 1:2.02-0.34.el7.centos updates 3.3 M
initscripts x86_64 9.49.30-1.el7_2.3 updates 429 k
iproute x86_64 3.10.0-54.el7_2.1 updates 526 k
kernel-tools x86_64 3.10.0-327.28.2.el7 updates 2.4 M
kernel-tools-libs x86_64 3.10.0-327.28.2.el7 updates 2.3 M
kexec-tools x86_64 2.0.7-38.el7_2.1 updates 306 k
kpartx x86_64 0.4.9-85.el7_2.5 updates 60 k
krb5-libs x86_64 1.13.2-12.el7_2 updates 843 k
libblkid x86_64 2.23.2-26.el7_2.3 updates 167 k
libgudev1 x86_64 219-19.el7_2.12 updates 66 k
libmount x86_64 2.23.2-26.el7_2.3 updates 169 k
libndp x86_64 1.2-6.el7_2 updates 31 k
libssh2 x86_64 1.4.3-10.el7_2.1 updates 134 k
libuuid x86_64 2.23.2-26.el7_2.3 updates 74 k
libxml2 x86_64 2.9.1-6.el7_2.3 updates 668 k
logrotate x86_64 3.8.6-7.el7_2 updates 66 k
lvm2 x86_64 7:2.02.130-5.el7_2.5 updates 1.0 M
lvm2-libs x86_64 7:2.02.130-5.el7_2.5 updates 873 k
mariadb-libs x86_64 1:5.5.47-1.el7_2 updates 755 k
microcode_ctl x86_64 2:2.1-12.el7_2.1 updates 535 k
nspr x86_64 4.11.0-1.el7_2 updates 126 k
nss x86_64 3.21.0-9.el7_2 updates 850 k
nss-softokn x86_64 3.16.2.3-14.2.el7_2 updates 305 k
nss-softokn-freebl x86_64 3.16.2.3-14.2.el7_2 updates 204 k
nss-sysinit x86_64 3.21.0-9.el7_2 updates 55 k
nss-tools x86_64 3.21.0-9.el7_2 updates 487 k
nss-util x86_64 3.21.0-2.2.el7_2 updates 72 k
numactl-libs x86_64 2.0.9-6.el7_2 updates 29 k
openldap x86_64 2.4.40-9.el7_2 updates 348 k
openssh x86_64 6.6.1p1-25.el7_2 updates 435 k
openssh-clients x86_64 6.6.1p1-25.el7_2 updates 639 k
openssh-server x86_64 6.6.1p1-25.el7_2 updates 436 k
openssl x86_64 1:1.0.1e-51.el7_2.5 updates 712 k
openssl-libs x86_64 1:1.0.1e-51.el7_2.5 updates 952 k
pcre x86_64 8.32-15.el7_2.1 updates 420 k
polkit x86_64 0.112-7.el7_2 updates 166 k
procps-ng x86_64 3.3.10-5.el7_2 updates 287 k
python-perf x86_64 3.10.0-327.28.2.el7 updates 2.4 M
python-pyudev noarch 0.15-7.el7_2.1 updates 54 k
selinux-policy noarch 3.13.1-60.el7_2.7 updates 376 k
selinux-policy-targeted noarch 3.13.1-60.el7_2.7 updates 3.9 M
sudo x86_64 1.8.6p7-17.el7_2 updates 732 k
systemd x86_64 219-19.el7_2.12 updates 5.1 M
systemd-libs x86_64 219-19.el7_2.12 updates 358 k
systemd-sysv x86_64 219-19.el7_2.12 updates 53 k
tuned noarch 2.5.1-4.el7_2.3 updates 193 k
tzdata noarch 2016f-1.el7 updates 439 k
util-linux x86_64 2.23.2-26.el7_2.3 updates 1.9 M
Transaction Summary
================================================================================
Install 1 Package
Upgrade 75 Packages
Total download size: 96 M
Is this ok [y/d/N]:
```
The basic build is complete. However, you may want to consider the following:
###ss
Using `ss -tulpn`, observe what listeners are active.
```
[root@node1 network-scripts]# ss -tulpn
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port
udp UNCONN 0 0 127.0.0.1:323 *:* users:(("chronyd",pid=755,fd=1))
udp UNCONN 0 0 ::1:323 :::* users:(("chronyd",pid=755,fd=2))
tcp LISTEN 0 128 *:22 *:* users:(("sshd",pid=1027,fd=3))
tcp LISTEN 0 100 127.0.0.1:25 *:* users:(("master",pid=1106,fd=13))
tcp LISTEN 0 128 :::22 :::* users:(("sshd",pid=1027,fd=4))
tcp LISTEN 0 100 ::1:25 :::* users:(("master",pid=1106,fd=14))
```
Note the ipv6 loopback interface `::1`. I disabled ipv6 and don't permit it through my local area network, so I need to disable those. Also, I have no intention of using SMTP, so need to kill that too.
ssh
Update sshd to only use ipv4 by changing the value of `AddressFamily` from `any` to `inet`.
```
# vi /etc/ssh/sshd_config
..
AddressFamily inet
..
```
ntp
If using chrony
Create a chronyd file with option -4.
```
# echo 'OPTIONS="-4"' >> /etc/sysconfig/chronyd
# systemctl restart chronyd
```
If using ntp, update OPTIONS from -g to -4.
```
# vi /etc/sysconfig/ntpd
..
OPTIONS="-4"
..
# systemctl restart ntpd
```
smtp
Update Postfix's main.cf for `inet_protocols` from any to ipv4.
```
# vi /etc/postfix/main.cf
..
inet_protocols = ipv4
..
# systemctl restart postfix
```
Alternatively, you can just disable postfix if unneeded.
```
# systemctl disable postfix
# systemctl stop postfix
```
Results
```
# ss -tulpn
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port
udp UNCONN 0 0 127.0.0.1:323 *:* users:(("chronyd",pid=749,fd=1))
tcp LISTEN 0 128 *:22 *:* users:(("sshd",pid=744,fd=3))
```
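The before and after comparison above can be automated so the listener set does not drift after later package installs. The following is an added example, not part of the original guide: it parses `ss -tulpn` output and reports every IPv6 socket plus every non-loopback IPv4 socket whose protocol/port is not on an allow-list. The function name, the allow-list format and the finding labels are assumptions; the sample input is the guide's own `ss` output.

```bash
#!/bin/bash
# Added example (not from the guide). Reads `ss -tulpn` output on stdin.
# Usage: ss -tulpn | audit_listeners "tcp/22 udp/123"
# Prints "<finding> <proto> <addr> <port> <process>" where finding is:
#   ipv6    - any IPv6 socket (none expected once IPv6 is disabled)
#   exposed - an IPv4 socket off loopback whose proto/port is not allowed
# audit_listeners is a hypothetical helper name.
audit_listeners() {
    awk -v allowed="$1" '
    BEGIN {
        n = split(allowed, a, " ")
        for (i = 1; i <= n; i++) ok[a[i]] = 1
    }
    $1 != "tcp" && $1 != "udp" { next }      # also skips the header row
    {
        proto = $1; sock = $5; proc = "-"
        if (match($0, /users:\(\("[^"]+"/))
            proc = substr($0, RSTART + 9, RLENGTH - 10)
        # The port follows the last colon; everything before it is the address.
        k = split(sock, part, ":")
        port = part[k]
        addr = substr(sock, 1, length(sock) - length(port) - 1)
        key = proto "/" port
        if (addr ~ /:/) {                    # "::", "::1", "[::]", "[::1]"
            print "ipv6", proto, addr, port, proc
        } else if (addr !~ /^127\./ && !(key in ok)) {
            print "exposed", proto, addr, port, proc
        }
    }'
}

# Sample input: the listener table from the start of the ss section.
sample_before() { cat <<'EOF'
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port
udp UNCONN 0 0 127.0.0.1:323 *:* users:(("chronyd",pid=755,fd=1))
udp UNCONN 0 0 ::1:323 :::* users:(("chronyd",pid=755,fd=2))
tcp LISTEN 0 128 *:22 *:* users:(("sshd",pid=1027,fd=3))
tcp LISTEN 0 100 127.0.0.1:25 *:* users:(("master",pid=1106,fd=13))
tcp LISTEN 0 128 :::22 :::* users:(("sshd",pid=1027,fd=4))
tcp LISTEN 0 100 ::1:25 :::* users:(("master",pid=1106,fd=14))
EOF
}

# Sample input: the listener table from the Results above.
sample_after() { cat <<'EOF'
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port
udp UNCONN 0 0 127.0.0.1:323 *:* users:(("chronyd",pid=749,fd=1))
tcp LISTEN 0 128 *:22 *:* users:(("sshd",pid=744,fd=3))
EOF
}

echo "== before (allow tcp/22) =="
sample_before | audit_listeners "tcp/22"
echo "== after (allow tcp/22) =="
sample_after | audit_listeners "tcp/22"
```

An empty result with the allow-list set to `tcp/22` matches the end state the guide reaches; run it from cron or a configuration-management check to catch new listeners.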
##Additional Packages
I install a number of optional packages for my builds including:
- deltarpm
- yum-utils
- tmux