wiki:SystemAdministration/Default_VM_setup


Default CentOS 7 host

IUS packages overview: https://dl.iuscommunity.org/pub/ius/stable/CentOS/7/x86_64/repoview/

1. Disable the following

wpa_supplicant: we do not need wireless networking tools.

lvm2 and lvm2-libs: requires daemons, sometimes buggy ones such as dmeventd. Do not install without reason. At some data centers, e.g. MPCDF, LVM is mandatory.

tuned: undesirable?

NetworkManager: only desirable for GUI interaction, overwrites resolv.conf.

2. Run provisioning script

## Set hostname to the hostname shown in the hoster's control panel
## (kept in a variable so the one site-specific value is easy to spot and replace)
new_hostname='clarineric-vps4'
sudo hostnamectl set-hostname "$new_hostname"

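## Install default packages
sudo yum update &&
## Add the official Docker yum repository to get access to the latest Docker versions
## (gpgcheck=1: every package is verified against the key fetched from gpgkey)
sudo tee '/etc/yum.repos.d/docker.repo' <<'EOF'
[dockerrepo]
name=Docker Repository
baseurl=https://yum.dockerproject.org/repo/main/centos/$releasever/
enabled=1
gpgcheck=1
gpgkey=https://yum.dockerproject.org/gpg
EOF
## Add the Fedora Extra Packages for Enterprise Linux (EPEL) yum repository
## http://www.rackspace.com/knowledge_center/article/install-epel-and-additional-repositories-on-centos-and-red-hat
sudo yum makecache fast

## 'epel-release' must be installed in its own transaction: packages that live in EPEL
## (htop, collectd) cannot be resolved until the repository definition it ships is in place,
## so installing everything in one 'yum install' fails on the EPEL-only packages.
sudo yum install 'epel-release' &&
sudo yum install 'git' 'docker-engine' 'unzip' 'mailx' 'tmux' 'tree' 'htop' 'rsync' 'collectd' &&
## docker-compose is a single binary fetched from GitHub. -f makes curl fail on an HTTP error
## instead of saving the error page as the executable; the download goes to a mktemp file and
## is then installed root-owned with 0755 (writing /usr/local/bin needs root, which the
## original redirection did not have). Compare the file against the checksum published with
## the release before installing it on anything that matters.
compose_url="https://github.com/docker/compose/releases/download/1.8.1/docker-compose-$(uname -s)-$(uname -m)" &&
compose_tmp=$(mktemp) &&
curl -fsSL "$compose_url" -o "$compose_tmp" &&
sudo install -m 0755 -o root -g root "$compose_tmp" /usr/local/bin/docker-compose &&
rm -f -- "$compose_tmp" &&
## -f so a re-run does not fail on an already existing symlink
sudo ln -sf /usr/local/bin/docker-compose /usr/bin/docker-compose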

###Td-agent (fluentd)
#curl -L https://toolbelt.treasuredata.com/sh/install-redhat-td-agent2.sh | sh
#/opt/td-agent/embedded/bin/gem install fluent-plugin-multi-format-parser
#mkdir /var/log/fluent
#chown -R td-agent /var/log/fluent/
#cp /etc/td-agent/td-agent.conf /etc/td-agent/td-agent.conf.orig
##download td-agent conf
#systemctl enable td-agent
#service td-agent start

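## Create sysop users and give them sudo rights through the 'wheel' group.
## useradd is skipped for an account that already exists, so this step can be
## re-run; the wheel membership is still applied in that case (the original
## 'useradd && usermod' chain silently dropped it whenever useradd failed).
for sysop in 'andmor' 'dietuyt' 'wilelb'; do
  if ! id -u "$sysop" >/dev/null 2>&1; then
    sudo useradd "$sysop" || { printf 'useradd %s failed\n' "$sysop" >&2; continue; }
  fi
  sudo usermod -aG 'wheel' "$sysop"
done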

# TODO: why not let them set their own password, and only upload their SSH public key?
## Set passwords for the users: passwd <user>

## Disable unneeded/interfering services (stopped now, and not started at boot).
unwanted_services=('NetworkManager.service' 'wpa_supplicant.service')
sudo systemctl stop "${unwanted_services[@]}"
sudo systemctl disable "${unwanted_services[@]}"

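## Configure sshd in '/etc/ssh/sshd_config' (interactive edit):
### No root login
# PermitRootLogin no
### No username/password login
# PasswordAuthentication no
## NOTE: put each sysop's SSH public key in their ~/.ssh/authorized_keys *before*
## setting PasswordAuthentication to no; otherwise the console is the only way back in.
## (The trailing '&&' that used to follow this command chained it, across the comment
## lines, into the postfix sed below; the two steps are now independent.)
sudo -e '/etc/ssh/sshd_config'
## Validate the edited file before applying it: a syntax error would stop sshd from
## reloading and could lock out remote access.
sudo sshd -t && sudo systemctl reload sshd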

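# Configure postfix: IPv4 only, myhostname = this host's first FQDN, myorigin follows myhostname.
# postconf -e rewrites each setting in place (adding it if missing), so the step is idempotent
# and the hostname is never interpolated into a sed expression. main.cf is root-owned, so the
# edit runs under sudo (the original sed did not).
mail_fqdn=$(hostname -A | awk '{print $1;}')
# '$myhostname' is meant literally here: postfix expands it itself.
sudo postconf -e 'inet_protocols = ipv4' 'myorigin = $myhostname'
if [[ -n "$mail_fqdn" ]]; then
  sudo postconf -e "myhostname = $mail_fqdn"
else
  printf 'hostname -A returned nothing; myhostname left unchanged\n' >&2
fi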

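# forward mail from root to sysops@clarin.eu

## Append the alias only when it is not there yet, so re-running this page does not
## accumulate duplicate 'root:' lines in /etc/aliases.
if ! grep -qF 'root: sysops@clarin.eu' /etc/aliases; then
  printf '%s\n' "root: sysops@clarin.eu" | sudo tee -a /etc/aliases
fi
sudo newaliases &&
## systemctl, for consistency with the other service handling on this page
sudo systemctl restart postfix

## Test the configuration
printf '%s\n' 'test' | mail -s "test message from $(hostname)" root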

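## Enable services (root required, like every other step on this page; the
## original ran these without sudo and so failed for the sysop users)
sudo systemctl enable docker &&

## Start docker service
sudo systemctl start docker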

## Td-agent installation

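printf '%s\n' \
  '==============================' \
  ' td-agent Installation Script ' \
  '==============================' \
  'This script requires superuser access to install rpm packages.' \
  'You will be prompted for your password by sudo.'

# clear any previous sudo permission
sudo -k

# run inside sudo. The heredoc delimiter is unquoted on purpose: the inner
# '\$releasever' / '\$basearch' therefore reach yum as literal '$releasever' /
# '$basearch' instead of being expanded by this shell.
sudo sh <<SCRIPT

  # add GPG key
  rpm --import https://packages.treasuredata.com/GPG-KEY-td-agent

  # add treasure data repository to yum; gpgcheck=1 verifies packages against the
  # key imported above, and the baseurl uses the same https host as the gpgkey
  cat >/etc/yum.repos.d/td.repo <<'EOF';
[treasuredata]
name=TreasureData
baseurl=https://packages.treasuredata.com/2/redhat/\$releasever/\$basearch
gpgcheck=1
gpgkey=https://packages.treasuredata.com/GPG-KEY-td-agent
EOF

  # update your sources
  yum check-update

  # install the toolbelt (-y already answers the prompts; 'yes |' was redundant)
  yum install -y td-agent

SCRIPT

# message
printf '\n%s\n\n' 'Installation completed. Happy Logging!'
printf '%s\n' \
  'NOTE: In case you need any of these:' \
  '  1) security tested binary with a clear life cycle management' \
  '  2) advanced monitoring and management' \
  '  3) support SLA' \
  'Please check Fluentd Enterprise (https://fluentd.treasuredata.com/).'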

## Td-agent Configuration

Reference: https://docs.fluentd.org/v0.12/articles/install-by-rpm

# Global agent settings: only warnings and errors go to the td-agent log.
<system>
  log_level warn
</system>

# Input: forward protocol on port 24224, bound to loopback only, so nothing
# off-host can push records into this agent.
<source>
    @type forward
    port 24224
    bind 127.0.0.1
</source>

# Parse the 'log' field of docker.* records. The <pattern> blocks are the
# candidate formats; presumably tried in the order listed, first match wins —
# confirm against the multi_format parser documentation.
<filter docker.**>
    @type parser
    format multi_format
    key_name log
    time_parse false
    reserve_data false

    #Match java logs
    <pattern>
        format /^(?<log_time>.+ .+ .+) (?<log_source>.+): \{"level":"(?<log_level>.*)","class":"(?<log_class>.*)","message":"(?<log_message>.*)"\}$/
    </pattern>
    #Match default fluentd messages
    <pattern>
        format /^(?<log_time>.+ .+ .+) (?<log_source>.+): \{"message":"(?<log_message>.*)"\}$/
    </pattern>
    #Match plain stdout messages (catch-all: any line matches)
    <pattern>
        format /^(?<log_message>.*)$/
    </pattern>
</filter>

# Add the collecting host's name to every record.
<filter *.**>
  @type record_transformer
  <record>
    hostname ${hostname}
  </record>
</filter>

# Output: every record is written to gzip-compressed files under
# /var/log/fluent/aggregation, one slice per day (%Y%m%d), timestamps in UTC.
<match *.**>
    @type copy
    <store>
        @type file
        path /var/log/fluent/aggregation
        time_slice_format %Y%m%d
        time_slice_wait 10m
        time_format %Y%m%dT%H%M%S%z
        compress gzip
        utc
    </store>
</match>

3. Docker storage configuration

1 2 3

4. Install collectd

5. Setting multiple IPv4 addresses

In /etc/sysconfig/network-scripts/ifcfg-eth0:

# Generated by dracut initrd
# Static IPv4 configuration with three addresses on eth0: IPADDRn, NETMASKn and
# GATEWAYn belong together by index n (0, 1, 2). HWADDR, UUID and the addresses
# are this host's own values and must be replaced per machine.
NAME="eth0"
HWADDR="52:54:00:b1:a5:b9"
ONBOOT=yes
NETBOOT=yes
UUID="f6b8e07f-d5c0-4729-bfc2-5f90cbfa06dd"
# IPv6 is switched off on this interface.
IPV6INIT=no
IPV6_AUTOCONF=no
BOOTPROTO=static
TYPE=Ethernet
IPADDR0=37.97.154.156
IPADDR1=37.97.157.49
IPADDR2=37.97.157.50
NETMASK0=255.255.255.0
NETMASK1=255.255.255.0
NETMASK2=255.255.255.0
# GATEWAY repeats GATEWAY0; presumably the default route for the whole interface — confirm.
GATEWAY=37.97.154.1
GATEWAY0=37.97.154.1
GATEWAY1=37.97.157.1
GATEWAY2=37.97.157.1

1. SELinux

Check status:

# Print whether SELinux is enabled and the active mode (enforcing/permissive).
sestatus

Check policy of a file:

# -Z adds the SELinux context column (user:role:type:level) for the file.
ls -Z /etc/collectd.conf

Check policy of a process:

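# Show the SELinux context of the docker process. A bare word after 'ps' is
# parsed as BSD-style option letters, not as a process name, so 'ps -Z docker'
# did not select anything useful; -C selects processes by command name.
ps -Z -C docker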

Set user, role and type on a file:

# Relabel the file directly. chcon does not update the policy's file-context
# database, so a later relabel (or restorecon) reverts this change.
sudo chcon -v --user=system_u --role=object_r --type=etc_t /etc/collectd.conf

Restore policy on a file:

# Reset the file's label to what the loaded policy specifies (undoes a chcon).
restorecon -v /etc/collectd.conf