= Default CentOS 7 host =
IUS packages overview: https://dl.iuscommunity.org/pub/ius/stable/CentOS/7/x86_64/repoview/

## Disable this ##

`wpa_supplicant`: we do not need wireless networking tools.

`lvm2` and `lvm2-libs`: requires daemons, sometimes buggy ones such as `dmeventd`. Do not install without reason. At some data centers, e.g. MPCDF, LVM is mandatory.

`tuned`: undesirable?

`NetworkManager`: only desirable for GUI interaction, overwrites `resolv.conf`.

## Install provisioning script ##

Run as root:

{{{
cd /root
yum install git epel-release
git clone https://gitlab.com/CLARIN-ERIC/provision.git
cd provision/
gpg -o /root/.server_config.json server_config.json.gpg
chmod 0600 /root/.server_config.json
vi /root/.server_config.json
#Adjust template as needed
}}}
## Run provisioning script ##

Provision the system:

{{{
./provision.sh --system --postfix --docker
}}}
The arguments `--system`, `--postfix` and `--docker` each specify a module of our setup, include all to install the full CLARIN deploy environment.

Example: installing without postfix:

{{{
./provision.sh --system --docker
}}}
# Old instructions #

{{{
#!sh

##Persist journalctl logs over reboot
## https://unix.stackexchange.com/questions/159221/how-do-i-display-log-messages-from-previous-boots-under-centos-7
mkdir -p /var/log/journal
systemd-tmpfiles --create --prefix /var/log/journal
systemctl restart systemd-journald

## Set hostname to hostname shown in hoster's control panel
## Use host's local name only, without the domain part in order for postfix mail system to work (see postfix configuration bellow)
sudo hostnamectl set-hostname 'clarineric-vps4'

## Install default packages
sudo yum update &&
## Add the official Docker yum repository to get access to the latest Docker versions
sudo tee '/etc/yum.repos.d/docker.repo' <<'EOF'
[dockerrepo]
name=Docker Repository
baseurl=https://download.docker.com/linux/centos/$releasever/x86_64/stable/
enabled=1
gpgcheck=1
gpgkey=https://download.docker.com/linux/centos/gpg
EOF
## Add the Fedora Extra Packages for Enterprise Linux (EPEL) yum repository
## http://www.rackspace.com/knowledge_center/article/install-epel-and-additional-repositories-on-centos-and-red-hat
sudo yum makecache fast

sudo yum install 'epel-release' 'git' 'docker-ce' 'unzip' 'mailx' 'tmux' 'tree' 'htop' 'rsync' 'collectd' 'yum-utils' 'nc' 'jq' 'bzip2' &&
curl -L https://github.com/docker/compose/releases/download/1.22.0/docker-compose-`uname -s`-`uname -m` > /usr/local/bin/docker-compose &&
chmod +x /usr/local/bin/docker-compose &&
ln -s /usr/local/bin/docker-compose /usr/bin/docker-compose

mkdir /etc/docker/

### Configure collectd
# See section 2.1 on this page

### Configure Td-agent (fluentd)
# See section 3 on this page

### Configure docker daemon
# See section 2.3 on this page

## Create sysop users
sudo useradd 'andmor' &&
sudo usermod -aG 'wheel' 'andmor' &&
sudo passwd -d andmor &&
sudo passwd -e andmor &&
sudo mkdir -p /home/andmor/.ssh &&
sudo chmod 0700 /home/andmor/.ssh &&
sudo touch /home/andmor/.ssh/authorized_keys &&
sudo chmod 0644 /home/andmor/.ssh/authorized_keys &&
sudo chown -R andmor:andmor /home/andmor

sudo useradd 'dietuyt' &&
sudo usermod -aG 'wheel' 'dietuyt' && 
sudo passwd -d dietuyt &&
sudo passwd -e dietuyt
sudo useradd 'wilelb' &&
sudo usermod -aG 'wheel' 'wilelb' &&
sudo passwd -d wilelb &&
sudo passwd -e wilelb

## Disable unneeded/interfering services.
sudo systemctl stop NetworkManager.service wpa_supplicant.service
sudo systemctl disable NetworkManager.service wpa_supplicant.service

sudo -e '/etc/ssh/sshd_config' &&
## Configure sshd in '/etc/ssh/sshd_config'
### No root login
# PermitRootLogin no
### No username/password login
# PasswordAuthentication no
# Restart sshd: service sshd restart

## Enable services
systemctl enable rsyslog
systemctl enable systemd-journald
systemctl enable collectd
systemctl enable docker

## Start services
systemctl start rsyslog.service
systemctl start systemd-journald.service
systemctl start collectd.service
systemctl start docker.service

sysctl net.bridge.bridge-nf-call-iptables=1 &&
sysctl net.bridge.bridge-nf-call-ip6tables=1
}}}
### "deploy" and "setup" users' configuration -> needs manual copy of private deploy key for gitlab/github to /tmp before running ###

{{{
#!/bin/bash

## Make git only usable for git group
groupadd 'git'
chown root:git /bin/git
chmod 750 /bin/git

## Create deploy user and add to the the 'docker' group
sudo useradd 'deploy'
usermod -aG 'docker' 'deploy'

## Create setup user and add it to the 'deploy', 'git' and 'docker' groups:
useradd 'setup'
usermod -aG 'deploy' 'setup'
usermod -aG 'git' 'setup'
usermod -aG 'docker' 'setup'

## Configure 'setup' user gitlab access
mkdir -p /home/setup/.ssh
sudo tee '/home/setup/.ssh/config' <<'EOF'
#Deploys
Host gitlab.com
    User git
    HostName gitlab.com
    IdentityFile ~/.ssh/id_rsa_gitlab_deploy
EOF

## <1> <Manually copy the private deploy key to /tmp/id_rsa_gitlab_deploy>
mkdir -p /home/setup/.ssh/
mv /tmp/id_rsa_gitlab_deploy /home/setup/.ssh/

chown -R setup:setup /home/setup/.ssh
chmod -R 600 /home/setup/.ssh/id_rsa_gitlab_deploy
chmod go+rx /home/deploy

## Add sudo rights to deploy and setup users
echo 'Cmnd_Alias GIT_TAGSONLY_COMMANDS = /bin/git init *, /bin/git remote add origin *, /bin/git reflog expire --expire=all --all, /bin/git tag -l, /bin/git tag -d *, /bin/git fetch origin --depth\=1 +refs/tags/*\:refs/tags/*, /bin/git reset --hard tags/*, /bin/git ls-remote --tags *, /bin/git describe --tags, /bin/git gc --prune=all, /bin/git add ., /bin/git commit -m *, /bin/git rev-parse --abbrev-ref HEAD, /bin/git branch *, /bin/git branch -D *.backup*, /bin/git checkout *, /bin/git status, /bin/git status *, /bin/git diff, /bin/git diff *, /bin/git describe --tags'  | sudo EDITOR='tee -a' visudo
echo 'Cmnd_Alias CONTAINER_CONTROL = /home/deploy/**/control.sh'  | sudo EDITOR='tee -a' visudo
echo 'Cmnd_Alias SYMLINK_COMMANDS = /bin/ln -s *'  | sudo EDITOR='tee -a' visudo
echo `Cmnd_Alias SWITCH_DEPLOY = /bin/su deploy`  | sudo EDITOR='tee -a' visudo

echo 'deploy ALL= NOPASSWD: CONTAINER_CONTROL'  | sudo EDITOR='tee -a' visudo
echo 'deploy ALL=(setup) NOPASSWD: GIT_TAGSONLY_COMMANDS'  | sudo EDITOR='tee -a' visudo
echo 'deploy ALL=(setup) NOPASSWD: SYMLINK_COMMANDS'  | sudo EDITOR='tee -a' visudo
echo 'setup ALL= NOPASSWD: CONTAINER_CONTROL'  | sudo EDITOR='tee -a' visudo

## Add alias to deploy user shell
echo 'alias git="sudo -u setup git"' | tee -a /home/deploy/.bashrc &> /dev/null

## Configure git on 'setup' user account
sudo -i -u setup git config --global user.email "sysops@clarin.eu"
sudo -i -u setup git config --global user.name "deploy" 
 
## Setup the deploy.sh script on the 'deploy' user home
sudo -u deploy bash -i -c "
(cd ~
mkdir -p deploy-assets
cd deploy-assets
git init deploy-script
cd deploy-script
git remote add origin git@gitlab.com:CLARIN-ERIC/deploy-script.git
git fetch origin --depth=1 +refs/tags/1.0.1:refs/tags/1.0.1
git reset --hard tags/1.0.1
git gc --prune=all
cd ../..
ln -s deploy-assets/deploy-script/deploy.sh deploy.sh)"

## Setup the control.sh script on the 'deploy' user home
sudo -u deploy bash -i -c "
(cd ~
mkdir -p deploy-assets
cd deploy-assets
git init control-script
cd control-script
git remote add origin git@gitlab.com:CLARIN-ERIC/control-script.git
git fetch origin --depth=1 +refs/tags/0.0.6:refs/tags/0.0.6
git reset --hard tags/0.0.6
git gc --prune=all
cd ../..
ln -s deploy-assets/control-script/control.sh control.sh
ln -s deploy-assets/control-script/file-clean_linux_v0.0.1 file-clean)"

## Install version script
(cd /home/deploy/build-assets && curl -o version.sh https://gitlab.com/CLARIN-ERIC/build-assets/raw/master/version.sh)
}}}
To enable users to become deploy add lines as follows:

{{{
twagoo ALL=(root) SWITCH_DEPLOY
}}}
### Postfix configuration for host email (script) -> define "SMTP_USER" "SMTP_PWD" and run as it is ###

{{{
#!/bin/bash

DOMAIN=clarin.eu
HOSTNAME=$(hostname -f)
HOSTNAME_REGEX_ESC=${HOSTNAME//./\\.}
ROOT_EMAIL=sysops@${DOMAIN}
SMTP_ADDR=vps.transip.email:587
SMTP_USER=< check: Transip control panel->BladeVPS->Manage your mail service->Username & Password. >
SMTP_PWD=< check: Transip control panel->BladeVPS->Manage your mail service->Username & Password. >


yum install postfix cyrus-sasl cyrus-sasl-plain

postconf -e "inet_protocols=ipv4"
postconf -e "mydomain=${DOMAIN}"
postconf -e "myhostname=${HOSTNAME}"
postconf -e "myorigin=\$myhostname"
postconf -e "mydestination=\$myhostname,localhost.\$mydomain,localhost"
postconf -e "virtual_alias_maps=regexp:/etc/postfix/virtual"
postconf -e "sender_canonical_maps=regexp:/etc/postfix/canonical"
postconf -e "smtp_header_checks=regexp:/etc/postfix/header_checks"
postconf -e "mynetworks_style=host"
postconf -e "remote_header_rewrite_domain=${DOMAIN}"
postconf -e "append_dot_mydomain=no"
postconf -e "relayhost=vps.transip.email:587"
postconf -e "smtp_sasl_auth_enable=yes"
postconf -e "smtp_sasl_security_options=noanonymous"
postconf -e "smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd"
postconf -e "smtp_use_tls=yes"
postconf -e "smtp_tls_security_level=encrypt"
postconf -e "smtp_tls_note_starttls_offer=yes"
printf '%s\n' "/^andmor@${HOSTNAME_REGEX_ESC}\$/ andmor@clarin.eu" | tee -a /etc/postfix/virtual &> /dev/null
printf '%s\n' "/^wilelb@${HOSTNAME_REGEX_ESC}\$/ willem@clarin.eu" | tee -a /etc/postfix/virtual &> /dev/null
printf '%s\n' "/^twagoo@${HOSTNAME_REGEX_ESC}\$/ twan@clarin.eu" | tee -a /etc/postfix/virtual &> /dev/null
printf '%s\n' "/^(.+)@${HOSTNAME_REGEX_ESC}\$/ ${ROOT_EMAIL}" | tee -a /etc/postfix/virtual &> /dev/null
printf '%s\n' "/^(.+)@${HOSTNAME_REGEX_ESC}\$/ vps-\${1}_at_${HOSTNAME}@${DOMAIN}" | tee -a /etc/postfix/canonical &> /dev/null
printf '%s\n' "/^From:[[:space:]]+vps\-(.+)_at_(.+)@(.+)/ REPLACE From: \"VPS host mail [\${1}@\${2}]\" <vps-\${1}_at_\${2}@\${3}>" | tee -a /etc/postfix/header_checks &> /dev/null
printf '%s\n' "${SMTP_ADDR} ${SMTP_USER}:${SMTP_PWD}" | tee -a /etc/postfix/sasl_passwd &> /dev/null
postmap /etc/postfix/virtual
postmap /etc/postfix/canonical
postmap /etc/postfix/header_checks
postmap /etc/postfix/sasl_passwd
chown root:root /etc/postfix/sasl_passwd /etc/postfix/sasl_passwd.db
chmod 0600 /etc/postfix/sasl_passwd /etc/postfix/sasl_passwd.db
chown -Rv postfix:postfix /var/lib/postfix

sudo systemctl restart postfix.service

## Test the configuration
printf '%s\n' 'test' | mail -s "test message from $(hostname)" root
}}}
### Collectd configuration ###

Create or edit /etc/collectd.d/metrics.clarin.eu.conf with the following content:

{{{
LoadPlugin cpu
LoadPlugin df
<Plugin df>
       MountPoint "/"
       IgnoreSelected false
       ReportByDevice false
       ReportReserved false
       ReportInodes true
       ValuesAbsolute true
       ValuesPercentage true
</Plugin>
LoadPlugin disk
LoadPlugin interface
LoadPlugin load
LoadPlugin memory
<Plugin "memory">
  ValuesAbsolute true
  ValuesPercentage true
</Plugin>
LoadPlugin network
<Plugin network>
    Server "collect.metrics.clarin.eu" "25826"
</Plugin>
LoadPlugin processes
LoadPlugin users
}}}
### Docker daemon configuration ###

Create or edit /etc/docker/daemon.json with the following content:

{{{
{
  "log-driver": "fluentd",
  "log-opts": {
    "fluentd-address": "localhost:24224",
    "tag": "docker.{{.Name}}"
  }
}
}}}
#### Docker daemon storage driver options ####

For docker versions 18+ on CentOS 7 no extra configuration is needed. The system will use the overlay2 driver by default.

More information can be found [https://github.com/docker/docker.github.io/blob/master/install/linux/docker-ce/centos.md here].

## Td-agent ## ### Td-agent installation ###

Reference: https://docs.fluentd.org/v1.0/articles/install-by-rpm

Run as it is:

{{{
#!/bin/bash

TD_AGENT_VERSION="3.2.1-0.el7"
MULTI_FORMAT_PARSER_VERSION="1.0.0"
SECURE_FORWARD_PARSER_VERSION="0.4.5"
 
echo "=============================="
echo " td-agent Installation Script "
echo "=============================="
echo "This script requires superuser access to install rpm packages."
echo "You will be prompted for your password by sudo."

# clear any previous sudo permission
sudo -k

# run inside sudo
sudo sh <<SCRIPT

  # add GPG key
  rpm --import https://packages.treasuredata.com/GPG-KEY-td-agent

  # add treasure data repository to yum
  cat >/etc/yum.repos.d/td.repo <<'EOF';
[treasuredata]
name=TreasureData
baseurl=http://packages.treasuredata.com/3/redhat/\$releasever/\$basearch
gpgcheck=1
gpgkey=https://packages.treasuredata.com/GPG-KEY-td-agent
EOF

  # update your sources
  yum check-update

  # install the toolbelt
  yes | yum install -y td-agent-${TD_AGENT_VERSION}

SCRIPT

# message
echo ""
echo "Installation completed. Happy Logging!"
echo ""
echo "NOTE: In case you need any of these:"
echo "  1) security tested binary with a clear life cycle management"
echo "  2) advanced monitoring and management"
echo "  3) support SLA"
echo "Please check Fluentd Enterprise (https://www.treasuredata.com/fluentd/)."

/opt/td-agent/embedded/bin/gem install fluent-plugin-multi-format-parser -v ${MULTI_FORMAT_PARSER_VERSION}
/opt/td-agent/embedded/bin/gem install fluent-plugin-secure-forward -v ${SECURE_FORWARD_PARSER_VERSION}
mkdir /var/log/fluent
mkdir -p /home/td-agent/certstore
#put ca_cert.pem in /home/td-agent/certstore/ca_cert.pem
chown -R td-agent /var/log/fluent/
chown -R td-agent:td-agent /home/td-agent
systemctl enable td-agent
systemctl start td-agent.service
}}}
### Td-agent Configuration ###

Create or edit /etc/td-agent/td-agent.conf with the following content (adapt the variable !`self_hostname`):

{{{
<system>
  log_level warn
</system>

<source>
    @type forward
    port 24224
    bind 127.0.0.1
</source>

<filter **>
  @type record_transformer
  <record>
    clarin_host ${hostname}
  </record>
</filter>

<filter docker.**>
    @type parser
    key_name log
    reserve_data true
    remove_key_name_field true
    <parse>
        @type multi_format
        #Match default fluentd messages
        <pattern>
            format regexp
            expression /^(?<log_time>[^ ]+ [^ ]+ [^ ]+) (?<log_source>[^:]+): \{\\*"message\\*":\\*"(?<message>.*?)\\*"\}$/
        </pattern>
        #Match fluentd JSON messages
        <pattern>
            format regexp
             expression /^(?<log_time>[^ ]+ [^ ]+ [^ ]+) (?<log_source>[^:]+): (?<message>\{.*\})$/
        </pattern>
        #Match plain stdout messages
        <pattern>
            format regexp
            expression /^(?<message>.*)$/
        </pattern>
        <pattern>
            format none
        </pattern>
     </parse>
</filter>

<filter docker.**>
    @type parser
    key_name message
    reserve_data true
    remove_key_name_field true
    <parse>
      @type multi_format
      <pattern>
        format json
      </pattern>
      <pattern>
        format none
      </pattern>
    </parse>
</filter>

<match docker.**>
  @type rewrite_tag_filter
  hostname_command "hostname -s"
  <rule>
    key container_id
    pattern ^(.*)$
    tag ${hostname}.${tag}
  </rule>
</match>

<match fluent.**>
  @type rewrite_tag_filter
  hostname_command "hostname -s"
  <rule>
    key message
    pattern ^(.*)$
    tag ${hostname}.${tag}
  </rule>
</match>

<match **>
    @type copy
    <store>
        @type secure_forward
        self_hostname clarin-XYX
        shared_key    mxXWooqM2NWBoFbkpmALz8Aw

        secure yes
        ca_cert_path /home/td-agent/certstore/ca_cert.pem

        <server>
            host 91.250.80.240
            port 24284
        </server>
        flush_interval 30s
    </store>
    <store>
        @type file
        path /var/log/fluent/aggregation
        symlink_path /var/log/fluent/aggregation.current
        compress gzip
        append true
        time_slice_format %Y%m%d
        time_format %Y%m%dT%H%M%S%z
        time_key sent_at
        <buffer>
            @type file
            path /var/log/fluent/aggregation.*
            chunk_limit_size 5MB
            queued_chunks_limit_size 512
            flush_mode interval
            flush_interval 60s
            timekey_wait 1m
        </buffer>
    </store>
</match>
}}}
Restart td-agent service

{{{
systemctl restart td-agent.service
}}}
## Install [../Monitoring/collectd collectd] ##

## Setting multiple IPv4 addresses ##

In `/etc/sysconfig/network-scripts/ifcfg-eth0`:

{{{
# Generated by dracut initrd
NAME="eth0"
HWADDR="52:54:00:b1:a5:b9"
ONBOOT=yes
NETBOOT=yes
UUID="f6b8e07f-d5c0-4729-bfc2-5f90cbfa06dd"
IPV6INIT=no
IPV6_AUTOCONF=no
BOOTPROTO=static
TYPE=Ethernet
IPADDR0=37.97.154.156
IPADDR1=37.97.157.49
IPADDR2=37.97.157.50
NETMASK0=255.255.255.0
NETMASK1=255.255.255.0
NETMASK2=255.255.255.0
GATEWAY=37.97.154.1
GATEWAY0=37.97.154.1
GATEWAY1=37.97.157.1
GATEWAY2=37.97.157.1
}}}
# SELinux #

Check status:

{{{
sestatus
}}}
Check policy of a file:

{{{
ls -Z /etc/collectd.conf
}}}
Check policy of a process:

{{{
ps -Z docker
}}}
Set user, role and type on a file:

{{{
sudo chcon -v --user=system_u --role=object_r --type=etc_t /etc/collectd.conf
}}}
Restore policy on a file:

{{{
restorecon -v /etc/collectd.conf
}}}

# Transip #

## BigStorage ##

https://www.transip.nl/knowledgebase/artikel/195-big-storage-aan-linux-koppelen/

{{{
lsblk
parted -s --align optimal /dev/vdb -- mklabel gpt mkpart primary 4MiB 100%
mkfs.xfs /dev/vdb1
mkdir /mnt/bigstorage
echo "/dev/vdb1 /mnt/bigstorage xfs defaults 0 0" | sudo tee -a /etc/fstab
mount /mnt/bigstorage
df -h | grep bigstorage
touch /mnt/bigstorage/testfile && rm /mnt/bigstorage/testfile
}}}