Version 40 (modified 7 years ago)
Default CentOS 7 host
IUS packages overview: https://dl.iuscommunity.org/pub/ius/stable/CentOS/7/x86_64/repoview/
1. Disable these
 * wpa_supplicant: we do not need wireless networking tools.
 * lvm2 and lvm2-libs: require daemons, sometimes buggy ones such as dmeventd. Do not install without reason. At some data centers, e.g. MPCDF, LVM is mandatory.
 * tuned: undesirable?
 * NetworkManager: only desirable for GUI interaction; overwrites resolv.conf.
2. Run provisioning script
{{{
## Set hostname to hostname shown in hoster's control panel
sudo hostnamectl set-hostname 'clarineric-vps4'

## Install default packages
sudo yum update &&
## Add the official Docker yum repository to get access to the latest Docker versions
sudo tee '/etc/yum.repos.d/docker.repo' <<'EOF'
[dockerrepo]
name=Docker Repository
baseurl=https://yum.dockerproject.org/repo/main/centos/$releasever/
enabled=1
gpgcheck=1
gpgkey=https://yum.dockerproject.org/gpg
EOF
## Add the Fedora Extra Packages for Enterprise Linux (EPEL) yum repository
## http://www.rackspace.com/knowledge_center/article/install-epel-and-additional-repositories-on-centos-and-red-hat
sudo yum makecache fast
sudo yum install 'epel-release' 'git' 'docker-engine' 'unzip' 'mailx' 'tmux' 'tree' 'htop' 'rsync' 'collectd' &&
## docker-compose is a single binary; write it via tee so the redirect runs as root
curl -L https://github.com/docker/compose/releases/download/1.8.1/docker-compose-`uname -s`-`uname -m` | sudo tee /usr/local/bin/docker-compose > /dev/null &&
sudo chmod +x /usr/local/bin/docker-compose &&
sudo ln -s /usr/local/bin/docker-compose /usr/bin/docker-compose

### Td-agent (fluentd)
#curl -L https://toolbelt.treasuredata.com/sh/install-redhat-td-agent2.sh | sh
#/opt/td-agent/embedded/bin/gem install fluent-plugin-multi-format-parser
#mkdir /var/log/fluent
#chown -R td-agent /var/log/fluent/
#cp /etc/td-agent/td-agent.conf /etc/td-agent/td-agent.conf.orig
## download td-agent conf
#systemctl enable td-agent
#service td-agent start

## Create sysop users
sudo useradd 'andmor' && sudo usermod -aG 'wheel' 'andmor'
sudo useradd 'dietuyt' && sudo usermod -aG 'wheel' 'dietuyt'
sudo useradd 'wilelb' && sudo usermod -aG 'wheel' 'wilelb'
# TODO: why not let them set their own password, and only upload their SSH public key?
## Set passwords for the users:
passwd <user>

## Disable unneeded/interfering services.
sudo systemctl stop NetworkManager.service wpa_supplicant.service
sudo systemctl disable NetworkManager.service wpa_supplicant.service

## Configure sshd in '/etc/ssh/sshd_config'
### No root login
# PermitRootLogin no
### No username/password login
# PasswordAuthentication no
sudo -e '/etc/ssh/sshd_config'

# Configure postfix
sudo sed -i -e 's/^inet_protocols = all$/inet_protocols = ipv4/g' \
  -e "/^#myhostname = virtual.domain.tld$/a myhostname = `hostname -A | awk '{print $1;}'`" \
  -e 's/^#myorigin = \$myhostname$/myorigin = $myhostname/g' /etc/postfix/main.cf
# forward mail from root to sysops@clarin.eu
printf '%s\n' "root: sysops@clarin.eu" | sudo tee -a /etc/aliases && sudo newaliases && sudo service postfix restart
## Test the configuration
printf '%s\n' 'test' | mail -s "test message from $(hostname)" root

## Enable services
sudo systemctl enable docker
## Start docker service
sudo service docker start
}}}
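The sshd step above relies on two lines being edited by hand. A check that is worth running afterwards, written here as an added example (not part of the wiki page or of OpenSSH): sshd uses the first value it reads for a keyword and ignores later duplicates, and keywords inside a Match block only apply conditionally, so a `PasswordAuthentication no` appended at the bottom of a file does not override a `PasswordAuthentication yes` higher up. On the host, `sshd -T` prints the effective values; this script reproduces the first-wins rule for an offline review. The sample configs and the permissive defaults it assumes when a keyword is absent are constructed for the example.

```python
"""Check that sshd_config makes PermitRootLogin and PasswordAuthentication
effective, applying sshd's rule that the first occurrence of a keyword wins."""
import sys

# What the provisioning step asks for.
REQUIRED = {"permitrootlogin": "no", "passwordauthentication": "no"}
# Assumed value when the keyword is absent; treat the setting as permissive
# unless the file says otherwise (verify the real compiled default with `sshd -T`).
DEFAULTS = {"permitrootlogin": "yes", "passwordauthentication": "yes"}


def effective_settings(text):
    """Return {keyword: value} for the global section, as sshd resolves it.

    Comment and blank lines are skipped, keywords are case-insensitive, the
    first value seen is kept, and parsing stops at the first Match block because
    everything below it is conditional. Only `keyword value` syntax is handled.
    """
    found = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        if key == "match":
            break
        if len(parts) == 2:
            found.setdefault(key, parts[1].split()[0].lower())  # first wins
    return found


def check_hardening(text):
    """Return a list of findings; empty when both settings are effective."""
    settings = effective_settings(text)
    findings = []
    for key, want in REQUIRED.items():
        got = settings.get(key, DEFAULTS[key])
        if got != want:
            findings.append(f"{key}: effective value '{got}', want '{want}'")
    return findings


# Constructed sample: looks hardened at the bottom, but the earlier 'yes' wins.
SAMPLE_BAD = """\
# sshd_config (constructed for this example)
PasswordAuthentication yes
PermitRootLogin no
PasswordAuthentication no
"""

# Constructed sample: both settings are effective; the Match block does not undo them globally.
SAMPLE_GOOD = """\
PermitRootLogin no
PasswordAuthentication no
Match User deploy
    PasswordAuthentication yes
"""

if __name__ == "__main__":
    # Usage: python check_sshd.py /etc/ssh/sshd_config  (no argument: run on SAMPLE_BAD)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_BAD
    for line in check_hardening(text) or ["ok: both settings are effective"]:
        print(line)
```

Run it against `/etc/ssh/sshd_config` after the edit, and again after any later change to the file; the second sample shows that a per-user exception in a Match block is not flagged, which is the intended scope of the check.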
## Td-agent installation
{{{
echo "=============================="
echo " td-agent Installation Script "
echo "=============================="
echo "This script requires superuser access to install rpm packages."
echo "You will be prompted for your password by sudo."

# clear any previous sudo permission
sudo -k

# run inside sudo
sudo sh <<SCRIPT
  # add GPG key
  rpm --import https://packages.treasuredata.com/GPG-KEY-td-agent

  # add treasure data repository to yum
  cat >/etc/yum.repos.d/td.repo <<'EOF';
[treasuredata]
name=TreasureData
baseurl=http://packages.treasuredata.com/2/redhat/\$releasever/\$basearch
gpgcheck=1
gpgkey=https://packages.treasuredata.com/GPG-KEY-td-agent
EOF

  # update your sources
  yum check-update

  # install the toolbelt
  yes | yum install -y td-agent
SCRIPT

# message
echo ""
echo "Installation completed. Happy Logging!"
echo ""
echo "NOTE: In case you need any of these:"
echo " 1) security tested binary with a clear life cycle management"
echo " 2) advanced monitoring and management"
echo " 3) support SLA"
echo "Please check Fluentd Enterprise (https://fluentd.treasuredata.com/)."
}}}
## Td-agent Configuration
Reference: https://docs.fluentd.org/v0.12/articles/install-by-rpm
{{{
<system>
  log_level warn
</system>

<source>
  @type forward
  port 24224
  bind 127.0.0.1
</source>

<filter docker.**>
  @type parser
  format multi_format
  key_name log
  time_parse false
  reserve_data false
  # Match java logs
  <pattern>
    format /^(?<log_time>.+ .+ .+) (?<log_source>.+): \{"level":"(?<log_level>.*)","class":"(?<log_class>.*)","message":"(?<log_message>.*)"\}$/
  </pattern>
  # Match default fluentd messages
  <pattern>
    format /^(?<log_time>.+ .+ .+) (?<log_source>.+): \{"message":"(?<log_message>.*)"\}$/
  </pattern>
  # Match plain stdout messages
  <pattern>
    format /^(?<log_message>.*)$/
  </pattern>
</filter>

#<filter docker.**>
#  @type record_transformer
#  <record>
#    hostname ${hostname}
#  </record>
#</filter>

<match docker.**>
  @type rewrite_tag_filter
  rewriterule1 log_message ^(.*)$ ${hostname}.${tag}
</match>

<match *.docker.**>
  @type copy
  <store>
    @type file
    path /var/log/fluent/aggregation
    time_slice_format %Y%m%d
    time_slice_wait 10m
    time_format %Y%m%dT%H%M%S%z
    compress gzip
    utc
  </store>
</match>
}}}
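The multi_format parser tries its patterns in the order they are listed and keeps the first match, so the plain-stdout pattern at the end is a catch-all that must stay last. The following is an added example (not part of the page, and not fluentd code) that runs the three `format` regexes from the configuration above over constructed docker log lines to show which pattern claims each line and what ends up in the fields. The only change to the regexes is the rewrite of Ruby-style `(?<name>...)` groups to Python's `(?P<name>...)`; the sample lines, source name and class name are constructed.

```python
"""Emulate fluentd's multi_format pattern selection for the td-agent.conf above."""
import re

# The three `format` regexes from the configuration, verbatim (Ruby syntax).
FLUENTD_PATTERNS = [
    # Java logs
    r'^(?<log_time>.+ .+ .+) (?<log_source>.+): \{"level":"(?<log_level>.*)","class":"(?<log_class>.*)","message":"(?<log_message>.*)"\}$',
    # default fluentd messages
    r'^(?<log_time>.+ .+ .+) (?<log_source>.+): \{"message":"(?<log_message>.*)"\}$',
    # plain stdout; matches any line, so it has to be the last pattern
    r'^(?<log_message>.*)$',
]


def to_python_regex(ruby_pattern):
    """Ruby named groups are (?<name>...); Python's re module needs (?P<name>...)."""
    return re.compile(re.sub(r"\(\?<(\w+)>", r"(?P<\1>", ruby_pattern))


PATTERNS = [to_python_regex(p) for p in FLUENTD_PATTERNS]


def parse_log(line):
    """Return (index of the first matching pattern, captured fields)."""
    for index, pattern in enumerate(PATTERNS):
        m = pattern.match(line)
        if m:
            return index, m.groupdict()
    return None, {}  # unreachable here: the last pattern matches every line


# Constructed sample lines in the shape the patterns expect.
JAVA_LINE = '2016-10-11 12:00:00 +0000 webapp: {"level":"INFO","class":"org.example.App","message":"started"}'
FLUENTD_LINE = '2016-10-11 12:00:01 +0000 webapp: {"message":"ready"}'
PLAIN_LINE = "hello from stdout"
# JSON with escaped quotes: the greedy .* keeps the raw escapes, nothing is JSON-decoded
ESCAPED_LINE = r'2016-10-11 12:00:02 +0000 webapp: {"level":"WARN","class":"org.example.App","message":"user said \"hi\""}'
# the same Java payload without the "time source:" prefix falls through to the catch-all
BARE_JSON_LINE = '{"level":"INFO","class":"org.example.App","message":"started"}'

if __name__ == "__main__":
    for line in (JAVA_LINE, FLUENTD_LINE, PLAIN_LINE, ESCAPED_LINE, BARE_JSON_LINE):
        index, fields = parse_log(line)
        print(f"pattern {index}: {fields}")
```

Two things the run makes visible: a structured line that lacks the `time source:` prefix is silently demoted to an unstructured `log_message`, and the field regexes capture the raw JSON text, so escaped quotes and backslashes arrive in the record unchanged. Both are worth remembering when writing detections over the aggregated file.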
3. Docker storage configuration
4. Install collectd
5. Setting multiple IPv4 addresses
In /etc/sysconfig/network-scripts/ifcfg-eth0:

{{{
# Generated by dracut initrd
NAME="eth0"
HWADDR="52:54:00:b1:a5:b9"
ONBOOT=yes
NETBOOT=yes
UUID="f6b8e07f-d5c0-4729-bfc2-5f90cbfa06dd"
IPV6INIT=no
IPV6_AUTOCONF=no
BOOTPROTO=static
TYPE=Ethernet
IPADDR0=37.97.154.156
IPADDR1=37.97.157.49
IPADDR2=37.97.157.50
NETMASK0=255.255.255.0
NETMASK1=255.255.255.0
NETMASK2=255.255.255.0
GATEWAY=37.97.154.1
GATEWAY0=37.97.154.1
GATEWAY1=37.97.157.1
GATEWAY2=37.97.157.1
}}}
6. SELinux
Check status:
sestatus
Check policy of a file:
ls -Z /etc/collectd.conf
Check policy of a process:
ps -Z docker
Set user, role and type on a file:
sudo chcon -v --user=system_u --role=object_r --type=etc_t /etc/collectd.conf
Restore policy on a file:
restorecon -v /etc/collectd.conf