Command Center: CentOS/RedHat

Showing posts with label CentOS/RedHat. Show all posts

Thursday, October 21, 2010

CentOS change hostname without reboot

Category: Centos, CentOS/RedHat — SkyHi @ Thursday, October 21, 2010

Step 1:
You may also need to add/change the hostname in the /etc/hosts file. By default this would look something like this, using our www.example.com example again:

127.0.0.1 www.example.com localhost localhost.localdomain

Step 2:
The file /etc/sysconfig/network contains the hostname and will look something like this:

NETWORKING="yes"
GATEWAY="10.1.1.1"
HOSTNAME="www.example.com"

Step 3:
This change won't take affect until the next reboot, but you can make the change happen immediately using the hostname command like so:

$ hostname ftp.example.com

Step 4:

service syslog restart

========================================================================

Change your Hostname without Rebooting in RedHat Linux
Written by Tony Bhimani
September 8, 2005
Requirements
RedHat Linux (should apply to 7.x and up)
This tutorial covers changing your hostname in RedHat Linux without having to do a reboot for the changes to take effect. I've tested this on RedHat 7.3, 9, Fedora Core 3, and CentOS 4.1. It should work for all the versions in between since they all closely follow the same RedHat configuration. What's the point of this tutorial? Never reboot if you don't have to and keep your uptime intact.
Make sure you are logged in as root and move to /etc/sysconfig and open the network file in vi.
cd /etc/sysconfig
vi network

Look for the HOSTNAME line and replace it with the new hostname you want to use. In this example I want to replace localhost with redhat9.

HOSTNAME=redhat9

When you are done, save your changes and exit vi. Next we will edit the /etc/hosts file and set the new hostname.
vi /etc/hosts

In hosts, edit the line that has the old hostname and replace it with your new one.

192.168.1.110  redhat9

Save your changes and exit vi. The changes to /etc/hosts and /etc/sysconfig/network are necessary to make your changes persistent (in the event of an unscheduled reboot).
Now we use the hostname program to change the hostname that is currently set.
hostname redhat9
And run it again without any parameters to see if the hostname changed.
hostname

Finally we will restart the network to apply the changes we made to /etc/hosts and /etc/sysconfig/network.
service network restart

To verify the hostname has been fully changed, logout of your system and you should see your new hostname being used at the login prompt and after you've logged back in.

Quick, painless, and you won't lose your server's uptime.

REFERENCES

http://www.electrictoolbox.com/changing-hostname-centos/

http://www.ducea.com/2006/08/07/how-to-change-the-hostname-of-a-linux-system/

http://www.xenocafe.com/tutorials/linux/redhat/change_hostname_without_reboot/index.php

Saturday, May 29, 2010

CentOS patching --exclude=kernel,kernel-headers

Category: Centos, CentOS/RedHat, Yum RPM — SkyHi @ Saturday, May 29, 2010

In my normal everyday job, I am tasked with managing and maintaining about 30-40 production CentOS servers. Being a security guy, I maintain a pretty rigorous patching routine. However, because these servers are customer production servers, one very important caveat is that I need to do everything I can to minimize customer downtime.

Normally when I patch a server, my routine is:

yum check-update (check what updates are available)

yum -y update (update everything)

And if the list produced by check-update shows the kernel or kernel-headers packages in the list, I promptly reboot the server. This translates into about 5 minutes of downtime for the customer as the server reboots.

So that got me thinking. Is every kernel update critical or can they easily be delayed? So then I stumbled across this excellent plug-in for yum.

yum-changelog-1.1.10-9.el5.centos

Name : yum-changelog
Arch : noarch
Version: 1.1.10
Release: 9.el5.centos
Size : 12 k
Repo : installed
Summary: Yum plugin for viewing package changelogs before/after updating
Description:
This plugin adds a command line option to allow viewing package changelog
deltas before or after updating packages.

Perfect! That will allow me to see exactly what is changing with each new version of the kernel. So I install that with:

yum install yum-changelog

Now we can use yum to show us the change log for certain packages. So, if I want to see the change log for the kernel related package, I could run something like:

yum update kernel kernel-headers --changelog

This will produce output similiar to:

Changes in packages about to be updated:

kernel-headers - 2.6.18-92.1.22.el5.x86_64
* Wed Dec 17 06:00:00 2008 Karanbir Singh [2.6.18-92.1.22.el5.centos]
- Roll in CentOS Branding

* Sat Dec 6 06:00:00 2008 Jiri Pirko [2.6.18-92.1.22.el5]
- [misc] hugepages: ia64 stack overflow and corrupt memory (Larry Woodman ) [474347 472802]
- [misc] allow hugepage allocation to use most of memory (Larry Woodman ) [474760 438889]

Ah, ha. As I suspected. Two memory related bugfixes and CentOS branding. Because we are currently not expirencing any memory related issues, this patch does NOT rate as critical and warrent immediate customer downtime. This can be delayed.

So now I can apply the other patches and exclude the kernel upgrades with:

yum update --exclude=kernel,kernel-headers

Now, I have a script that runs nightly on all my CentOS servers. This script gathers nightly statistics, logs entries, etc from my servers and emails it to me. This is pretty much jsut a CentOS port of my old Gentoo Update Script, with some CentOS speficic changes and additional features. The other thing it does, is generate a list (via yum check-update) of all the updates required. So the question now is, now can I get this interactive command to run via an automated script? The easiest way I could come up with is:

echo n | yum update kernel kernel-headers --changelog

Probably not the cleanest way, but does the job very well.

REFERENCE
http://monkey-house-org.blogspot.com/2009/02/centos-patching.html

Yum Check or Install Updates Script

Category: Centos, CentOS/RedHat, Yum RPM — SkyHi @ Saturday, May 29, 2010

Here's a quick script that will check yum updates and email you when there are new updates available.

Split into two sections, one script is for all package updates, and the other script is for letting us know if we need to reboot when a new kernel package has been installed.

Script to check for updates:

check-yum-updates.sh

#!/bin/bash
#
# check-yum-updates.sh
#
# checks for yum updates and emails if there are any available
#
#
# Eric Thern
# Zoidial Incorporated
# http://www.zoidial.com
#
# last update:
# Dec 30, 2008
#

#
# change this to your email
#
email="youremail@youremail.com"

#
# no need to change anything below here
#

yumtmp="/tmp/yum-check-update.$$"
yum="/usr/bin/yum"

$yum check-update >& $yumtmp

yumstatus="$?"

hostname=$(/bin/hostname)

case $yumstatus in
0)
# no updates!
exit 0
;;
*)
date=$(date)
number=$(cat $yumtmp | egrep '(.i386|.x86_64|.noarch|.src)' | wc -l)
updates=$(cat $yumtmp | egrep '(.i386|.x86_64|.noarch|.src)')
echo "
There are $number updates available on host $hostname at $date

The available updates are:
$updates
" | /bin/mail -s "UPDATE: $number updates available for $hostname" $email
;;
esac

# clean up

rm -f /tmp/yum-check-update.*

Script to check kernel (here we use 'ovzkernel' since we're running with an openvz kernel, if you have a stock centos kernel, change this to 'kernel')

check-yum-kernel.sh

#!/bin/bash
email=youremail@youremail.com
latestkernel=$(rpm -q ovzkernel |tail -n1|sed -e 's/kernel-//')

echo "$latestkernel"

if uname -a | grep -qv "$latestkernel"; then
echo "Running Kernel is" `uname -r` "but latest installed rpm is ${latestkernel}" |\
mail -s "UPDATE: ${HOSTNAME} reboot required" $email
fi;

Crontab entries:

30 21 * * * /root/bin/check-yum-updates.sh >/dev/null 2>&1
30 21 * * * /root/bin/check-yum-kernel.sh >/dev/null 2>&1

Run at 9:30 every night. Change times and paths to suit.

REFERENCES
http://thern.org/linux-and-freebsd/yum-update-check-script-runs-via-crontab-and-emails-when-new-updates-are-available/

CentOS / RHEL Configure Yum Automatic Update Retrieval and Installation

Category: Centos, CentOS/RedHat, Yum RPM — SkyHi @ Saturday, May 29, 2010

The yum command line tool is used to install and update software packages under RHEL / CentOS Linux server. I know how to apply updates using yum update command line, but I'd like to use cron to manually update packages where appropriate. How do I configure yum to install software patches / updates automatically with cron?

You can use yum-updatesd service provided with CentOS / RHEL servers. However, this service provides a few overheads. You can create daily or weekly updates with the following shell script. Create

/etc/cron.daily/yumupdate.sh to apply updates one a day.
/etc/cron.weekly/yumupdate.sh to apply updates once a week.

Sample shell script to update system

A shell script that instructs yum to update any packages it finds via cron:

#!/bin/bash
YUM=/usr/bin/yum
$YUM -y -R 120 -d 0 -e 0 update yum
$YUM -y -R 10 -e 0 -d 0 update

(Code listing -01: /etc/cron.daily/yumupdate.sh)

Where,

First command will update yum itself and next will apply system updates.
-R 120 : Sets the maximum amount of time yum will wait before performing a command
-e 0 : Sets the error level to 0 (range 0 - 10). 0 means print only critical errors about which you must be told.
-d 0 : Sets the debugging level to 0 - turns up or down the amount of things that are printed. (range: 0 - 10).
-y : Assume yes; assume that the answer to any question which would be asked is yes.

Make sure you setup executable permission:
# chmod +x /etc/cron.daily/yumupdate.sh

REFERENCES

http://www.cyberciti.biz/faq/fedora-automatic-update-retrieval-installation-with-cron/

Wednesday, May 26, 2010

NSA Security Configuration Guides Red Hat Linux 5 Hardening Tips

Category: CentOS/RedHat, Security — SkyHi @ Wednesday, May 26, 2010

NSA RHEL5 cheat-sheet:
www.nsa.gov/ia/_files/factsheets/rhel5-pamphlet-i731.pdf

A 170 page PDF about securely configuring Red Hat, written by and for
the government. If you look around on NSA.gov

http://www.nsa.gov/ia/_files/os/redhat/rhel5-guide-i731.pdf

The United States National Security Agency has created some excellent guides for securely configuring today’s more popular operating systems. Check out the links below for PDF copies of the guides.

From the National Security Agency and Central Security Service Website:

“NSA has developed and distributed configuration guidance for operating systems. These guides are currently being used throughout the government and by numerous entities as a security baseline [for] their systems.”

Mac OS X

Linux

Microsoft Windows

Solaris

For more information and guides to additional operating systems refer to the National Security Agency and Central Security Service’s Operating Systems Website listed below:

Operating Systems – NSA/CSS.

Friday, April 9, 2010

Michael Conigliaro RHCE Exam Experience

Category: CentOS/RedHat, Cheatsheets — SkyHi @ Friday, April 09, 2010

On September 4th, 2009, I took the new 3.5 hour, single-section RHCE exam. This was my first time taking the exam, and to be perfectly honest, it was nowhere near as challenging as I thought it would be. While I don’t want to downplay the significance of the RHCE certification or give anyone the false impression that the exam is necessarily easy, I do want to emphasize that contrary to popular belief, it is quite possible to self-study your way to a perfect score. Not only was I able to breeze through the entire list of test objectives, I had time to thoroughly check and double-check all of my work with almost an hour to spare. This meant I was done long before anyone else in the room, including those who took the official Red Hat training courses. So how did I accomplish this feat?

The first thing you should know is that I had already been working professionally with Linux for ~10 years before I began studying for the exam. I doubt that so much experience is really necessary, but because the exam measures actual competency on live systems rather than your ability to memorize or “read between the lines,” I think it’s highly unlikely that someone with little or no working knowledge of Linux could successfully cram for this test. So I’d have to say that experience is an important prerequisite, but I’d also have to say that experience alone is almost certainly not enough. Considering the wide range of subject matter, it’s very likely that you’ll be tested on something you’ve never had to touch before.

In my opinion, the hardest thing about self-studying for the RHCE exam is knowing how much you need to know about each study point in the RHCE Prep Guide. In other words, when it says something like “you need to know basic configuration of x,” it’s hard to know exactly what “basic configuration” means. Although I’ve signed an NDA preventing me from revealing any details about the exam itself, I can tell you that nearly all of my study material came from two places:

RHCE Red Hat Certified Engineer Linux Study Guide by Michael Jang
Red Hat Deployment Guide

The rest of my study material came from search engines. I spent a lot of time comparing other people’s study notes to mine and reading anecdotes about the RHCE exam. While the result of this was usually a temporary blow to my confidence (there are a lot of horror stories out there!), I did find a few blogs and forum posts with some helpful information. Usually it was just an alternative way of doing something, but it was also nice to come across the occasional words of encouragement from a self-studied RHCE. Just knowing that other people had done it gave me a slight confidence boost (as I hope this post does for some of you).

The first thing I did was read Michael Jang’s book cover to cover, just trying to absorb what I considered to be the most important information from each chapter (i.e. concepts rather than commands). This took me a week or two. When I was done, I set up a test environment using VirtualBox. Then I decided it would help to have a condensed, single-page study guide to refer to, so I created a “wikified” version of the RHCE Prep Guide which I called my RHCE “cheat sheet”. For the next few weeks, I went through each study point on the “cheat sheet” and used my study material to test and document everything I thought I might need to know.

I found Michael Jang’s book to be a great study guide (the labs and example problems were a huge help), but I wasn’t completely happy with the amount of detail on some topics, as well as how it tends to follow the Red Hat course outlines rather than just sticking to the RHCE Prep Guide. I also found quite a few typos and just plain incorrect information, so that’s where the Red Hat Deployment Guide came in. While I was working on the RHCE “cheat sheet,” I would usually read the appropriate chapter(s) from Michael Jang’s book first, then I would supplement it with the appropriate chapter(s) from the Red Hat Deployment Guide. If I felt particularly weak in a certain area, I would also peruse the man pages and any HOWTOs I could find online. This was a long, arduous process, but it helped ensure that I wasn’t missing any important details.

For the last couple weeks, I tested myself by putting the “cheat sheet” away, doing a minimal install of CentOS in my test environment, and trying to configure everything I could without referring to any documentation whatsoever. Since the test takes place on a live system, I assumed from the beginning that the man pages would be available, but in order to save time, I wanted to make sure I could do everything off the top of my head. As a result, I ended up memorizing almost everything on the “cheat sheet,” which is probably why I was able to complete the exam so quickly.

Since I didn’t have a study partner, preparing for the troubleshooting section of the exam was a bit of a challenge. I did come across an interesting project called Trouble Maker which directly addresses this problem, but unfortunately, it has not been updated in several years and does not work on recent versions of CentOS. For a while, I actually considered writing my own trouble maker program, but I ultimately decided that this would be too much work. Luckily, I have a few friends who know enough about Linux to make a machine unbootable, so we made a game of it. I would give them my root password and challenge them to do something that would keep me from using my computer, then I would try to fix it as fast as I could.

When it was all said and done, I spent roughly six weeks (studying a few hours each day) to prepare for the RHCE. Considering how easy the exam was for me, I believe that I worked a lot harder than I needed to, but the results were clearly well worth the effort. The best advice I can give to prospective RHCEs is to take your time and practice until you can do everything in the RHCE Prep Guide off the top of your head. If you feel weak in anything, do yourself a favor and postpone the exam.

REFERENCE

http://conigliaro.org/2009/09/08/my-rhce-exam-experience/

RHCE "Cheat Sheet"

Category: CentOS/RedHat, Cheatsheets — SkyHi @ Friday, April 09, 2010

This document attempts to provide answers to all study points on the RHCE and RHCT Exam Preparation Guide in a single-page (and thus, printable) format. This is not a “brain dump” or an attempt to cheat the RH302 exam in any way. These are just my self-study notes. Use them at your own risk.

:!: Note: Study points last updated on 2009-08-11. This list may become out of date without notice (especially after I pass the test ;-)).
Testing Environment with Sun VirtualBox

install guest additions:

yum install gcc kernel-devel
sh /media/VBOXADDITIONS*/VBoxLinuxAdditions-x86.run
reboot

Prerequisite skills for RHCT and RHCE

Candidates should possess the following skills, as they may be necessary in order to fulfill requirements of the RHCT and RHCE exams:
use standard command line tools (e.g., ls, cp, mv, rm, tail, cat, etc.) to create, remove, view, and investigate files and directories
use grep, sed, and awk to process text streams and files
use a terminal-based text editor, such as vim or nano, to modify text files
use input/output redirection
operator description
> redirect STDOUT to a file
2> redirect STDERR to a file
&> redirect all output to a file
2>&1 redirect all output to a pipe

*
use » to append instead of overwrite

understand basic principles of TCP/IP networking, including IP addresses, netmasks, and gateways for IPv4 and IPv6
use su to switch user accounts

su -

use passwd to set passwords

passwd

use tar, gzip, and bzip2

# compress (tar/gzip)
tar cvzf .tgz

# extract (tar/gzip)
tar xvzf .tgz

# compress (tar/bzip)
tar cvjf .tbz

# extract (tar/bzip)
tar xvjf .tbz

configure an email client on Red Hat Enterprise Linux

echo "message" | mail -s "subject"
mail -s "subject" <

use text and/or graphical browser to access HTTP/HTTPS URLs

*
elinks
*
lynx

use lftp to access FTP URLs
RHCT skills
Troubleshooting and System Maintenance

RHCTs should be able to:
boot systems into different run levels for troubleshooting and system maintenance

append the desired runlevel to grub's kernel line:

*
1-5 runs appropriate rc and init scripts
*
single only runs rc.sysinit
*
emergency skips all rc and init scripts

diagnose and correct misconfigured networking

1.
check /etc/sysconfig/network
2.
check /etc/sysconfig/network-scripts/ifcfg-
3.
service network restart
4.
chkconfig network on
5.
ifconfig
6.
ping
7.
netstat -r
8.
ping
9.
ping 4.2.2.2

redhat network config tool:

system-config-network

diagnose and correct hostname resolution problems

1.
check /etc/nsswitch.conf
2.
check /etc/resolv.conf
3.
check /etc/hosts
4.
dig @ google.com

redhat network config tool:

system-config-network

configure the X Window System and a desktop environment

install x:

yum groupinstall "x window system"

*
init respawns /etc/X11/prefdm -nodaemon to keep x running in runlevel 5
*
startx to start manually

xfs is supposedly required for x windows (even though i can run x fine without it…):

service xfs on
chkconfig xfs on

x environment config:

*
/etc/sysconfig/desktop
*
/etc/X11/xinit/xinitrc
*
/etc/X11/xinit/Xclients
*
~/.xinitrc
*
~./Xclients

redhat display config tool:

system-config-display [--reconfig]

install gnome desktop:

yum groupinstall "gnome desktop environment"

switchdesk allows you to change your desktop environment:

yum install switchdesk
switchdesk

if switchdesk is not available, edit /etc/sysconfig/desktop:

DISPLAYMANAGER=
DESKTOP=

add new partitions, filesystems, and swap to existing systems
partitions

manage partitions:

fdisk
partprobe

filesystems

make filesystems:

mkfs.

label filesystems:

e2label
blkid

manage filesystem settings:

tune2fs
dumpe2fs

swap

note that it's possible to create a swap file instead of a partition:

dd if=/dev/zero of= bs=1024 count=

format the file/partition:

mkswap
nano -w /etc/fstab
swapon -va
cat /proc/swaps

use standard command-line tools to analyze problems and configure system

*
check for full filesystems, quotas

Installation and Configuration

RHCTs must be able to:
perform network OS installation

at boot prompt:

linux askmethod

implement a custom partitioning scheme
configure printing

printing support is provided by cups:

service cups start
chkconfig cups on

redhat printer config tool:

system-config-printer

web config tool:

http://localhost:631

printing via command line:

# print
lpr
# view print queue
lpq
# remove print job
lprm

configure the scheduling of tasks using cron and at
cron

make sure vixie cron is installed and running:

yum install vixie-cron
service crond start
chkconfig crond on

1.
if /etc/cron.allow exists, only these users are allowed (/etc/cron.deny is ignored)
2.
if /etc/cron.allow does not exist, everyone allowed except users in /etc/cron.deny
3.
if neither exists, only root allowed
4.
empty /etc/cron.deny means all users allowed (default)

edit your cron jobs:

crontab -e

crontab format:

:!: /etc/crontab has additional user field before command.
at/batch

make sure at is installed and running:

yum install at
service atd start
chkconfig atd on

1.
if /etc/at.allow exists, only these users are allowed (/etc/at.deny is ignored)
2.
if /etc/at.allow does not exist, everyone allowed except users in /etc/at.deny
3.
if neither exists, only root allowed
4.
empty /etc/at.deny means all users allowed (default)

# add jobs
at now + 1 hour
at>

at 09:00 2009-07-23
at>

batch
at>

# list jobs
atq

remove jobs
atrm

attach system to a network directory service, such as NIS or LDAP

redhat config tools:

system-config-authentication
authconfig-tui

required packages for nis:

yum install ypbind portmap

required packages for ldap:

yum install nss-ldap openldap

configure autofs

make sure the autofs service is running:

service autofs start
chkconfig autofs on

ensure the following line in /etc/nsswitch.conf:

automount: files nis

define an autofs-controlled mountpoint called test by adding the following to /etc/auto.master:

/test /etc/auto.test

create /etc/auto.test:

blah example.com:/pub/something
* example:/home/&

1.
local /test/blah ⇒ remote example.com:/pub/something
2.
local /test/user ⇒ remote example:/home/user (:!: this method can be used to automount home directories)

test automounting:

ls /test/blah
ls /test/user

# redhat defaults
ls /net/
ls /misc/cd

add and manage users, groups, quotas, and File Access Control Lists

redhat user/group config tool:

system-config-users

users

/etc/passwd file format:

username:password:uid:gid:gecos:homedir:shell

/etc/shadow file format:

username:password:lastpwchange:minpwchange:maxpwage:pwchangewarn:inactive:expire

command line user management:

useradd
usermod
chage
userdel
pwck

*
default account expiration settings in /etc/login.defs

groups

/etc/group file format:

groupname:password:gid:members

command line group management:

groups
groupadd
groupmod
groupdel
grpck

quotas

install quota package

yum install quota

add fs options to /etc/fstab:

usrquota,grpquota

remount device

mount -o remount

init quota database:

quotacheck -cugm

enable/disable quotas

quotaon
quotaoff

edit quotas

edquota -u
edquota -g

edit grace time

edquota -ut
edquota -gt

check/report quotas

quota
repquota -aug

Access Control Lists

install acl package

yum install acl

add fs options to /etc/fstab:

acl

remount device:

mount -o remount

manage acls:

# set acls
setfacl -m [d:]u::
setfacl -m [d:]g::

# get acls
getfacl

# remove acls
setfacl -x u:
setfacl -x g:
setfacl --remove-all
setfacl --remove-default

configure filesystem permissions for collaboration

1.
create new group
2.
add users to group
3.
chown folder to root.
4.
chmod folder to 2770 (g+s)

install and update packages using rpm

# install
rpm -ivh .rpm

# update
rpm -Uvh .rpm

# freshen
rpm -Fvh .rpm

# remove
rpm -e

# query by file name
rpm -qf

# verify a file
rpm -Vf >

# verify status of all packages
rpm -Va > /tmp/rpmverify

:!: while inside the rescue environment, use the –root option to specify the real location of your root file system (e.g. –root=/mnt/sysimage).
properly update the kernel package

1.
always do an install (i.e. rpm -ivh ) rather than an update
2.
check /boot/grub/grub.conf for proper configuration

configure the system to update/install packages from remote repositories using yum or pup

yum config goes in /etc/yum.repos.d/

[id]
name=my repo
baseurl=http://example.com/centos/
enabled=1

modify the system bootloader

*
production config is in /boot/grub/grub.conf
*
see examples in /usr/share/doc/grub-*/menu.lst

implement software RAID at install-time and run-time

to start, we need at least two devices/partitions of type “linux raid autodetect” (use fdisk to set partition type to “fd”)

create raid device:

mdadm --create /dev/md0 --level=<0|1|4|5|6|10> --raid-devices=

fail disk in array:

mdadm /dev/md0 -f

remove disk from array:

mdadm /dev/md0 -r

add disk to array:

mdadm /dev/md0 -a

stop array:

mdadm --stop /dev/md0

check raid status:

mdadm --detail /dev/md0

cat /proc/mdstat

format works as usual:

mkfs.ext3 /dev/md0

:!: don't forget to configure /etc/fstab appropriately.
use /proc/sys and sysctl to modify and set kernel run-time parameters

config is in /etc/sysctl.conf

# search through parameters
sysctl -a | grep
# apply changes from config file immediately
sysctl -p

use scripting to automate system maintenance tasks
configure NTP for time synchronization with a higher-stratum server

redhat config tool:

system-config-date

*
config is in /etc/ntp.conf

synchronization configuration example:

server 0.pool.ntp.org
server 1.pool.ntp.org
server 2.pool.ntp.org

apply changes:

service ntpd restart
chkconfig ntpd on

verify changes:

ntpq -p

RHCE skills
Troubleshooting and System Maintenance

RHCEs must demonstrate the RHCT skills listed above, and should be able to:
use the rescue environment provided by first installation CD

linux rescue

*
when working in non-chrooted rescue mode:
o
mount /dev/hdc /mnt/source (to access install files on the cd/dvd)
o
rpm commands should use the –root=/mnt/sysimage option

manually make /dev and /proc available in chrooted mode:

mount -o bind /dev /mnt/sysimage/dev
mount -o bind /proc /mnt/sysimage/proc

diagnose and correct boot failures arising from bootloader, module, and filesystem errors

check in order:

1.
mbr
2.
/boot/grub/grub.conf
3.
/etc/fstab
4.
/etc/inittab
5.
/etc/rc.d/rc.sysinit
6.
/etc/rc.d/rc*.d
7.
/etc/rc.d/init.d/*
8.
/etc/rc.d/rc.local

grub errors

*
in general, use the last line before the error message to see where grub error'd out
*
to find correct value for root option, type find /grub/stage1 at the grub command line (:!: remember that all file names in grub.conf are relative to the root option)
*
check for missing files in kernel and/or initrd lines

kernel errors

*
missing/corrupt initrd file results in: kernel panic - not syncing: vfs: unable to mount root fs on unknown-block
*
invalid root parameter for kernel results in: setuproot: error mounting /proc: No such file or directory

reinstall grub to mbr:

grub-install

recreate initrd:

mkinitrd

fix corrupt filesystem:

fsck

if fsck is unable to locate a superblock, you can specify an alternative one:

dumpe2fs
fsck -b

diagnose and correct problems with network services (see Installation and Configuration below for a list of these services)

see what's listening on what port:

netstat -ntaupe

add, remove, and resize logical volumes

redhat lvm config tool:

yum install system-config-lvm
system-config-lvm

create physical volume:

pvcreate

create volume group:

vgcreate [pv device]

extend volume group:

vgextend

create logical volume:

lvcreate --size M --name

extend logical volume:

lvextend --size M
resize2fs

shrink logical volume:

resize2fs M
lvreduce --size M

remove logical volume:

lvremove

diagnose and correct networking services problems where SELinux contexts are interfering with proper operation.

enable/disable selinux in /etc/sysconfig/selinux:

SELINUX=enforcing
SELINUXTYPE=targeted

install selinux troubleshooter:

yum install setroubleshoot
service setroubleshoot start
chkconfig setroubleshoot on

install selinux management tool:

yum install policycoreutils-gui

list selinux errors:

sealert -a /var/log/audit/audit.log | less

launch gui browser:

sealert -b

list selinux booleans:

getsebool -a

set selinux boolean:

setsebool -P = <0|1>

list security contexts:

ls -Z

change security contexts:

# using reference (copy contexts from existing known-good file)
chcon -R --reference

# manual
chcon -R -u
chcon -R -t

Installation and Configuration

RHCEs must demonstrate the RHCT-level skills listed above, and they must be capable of configuring the following network services. For each of these services, RHCEs must be able to:

*
install the packages needed to provide the service
*
configure SELinux to support the service
*
configure the service to start when the system is booted
*
configure the service for basic operation
*
Configure host-based and user-based security for the service

HTTP/HTTPS
install

yum install httpd mod_ssl

selinux

make new DocumentRoot match default DocumentRoot (:!: this applies to any directory that apache will serve files from):

chcon -R --reference /var/www /www

start at boot

chkconfig httpd on

basic config

*
requirements for ~user/ directories:
o
UserDir directive
o
chmod 701 the user's home directory
o
change security context on the user's UserDir

*
requirements for .htaccess file usage:
o
AllowOverride All directive

*
requirements for name-based virtual hosts:
o
NameVirtualHost *:80 and NameVirtualHost *:443 directives
o
each virtual host requires appropriate ServerName and ServerAlias directives
o
:!: a single virtual host cannot span multiple ports (i.e. 80 and 443). two separate VirtualHost *: sections are needed to do this.

self-signed ssl cert:

cd /etc/pki/tls/certs
rm localhost.crt
make testcert

check virtual host config:

httpd -D DUMP_VHOSTS

host-based security

firewall config:
protocol ports
tcp 80, 443

hosts are allowed by default and must be explicitly denied:

Order deny,allow
Deny from 192.168.0.0/255.255.255.0
Deny from badguys.example.com

hosts are denied by default and must be explicitly allowed:

Order allow,deny
Allow from 192.168.0.0/255.255.255.0
Allow from goodguys.example.com

user-based security

create web password file:

htpasswd -c /etc/httpd/webusers testuser1
htpasswd /etc/httpd/webusers testuser2

create web group file (/etc/httpd/webgroups):

testgroup: testuser1 testuser2

allow access by group:

AuthType Basic
AuthName "top secret area"
AuthUserFile /etc/httpd/webusers
AuthGroupFile /etc/httpd/webgroups
Require group testgroup

verify service functionality

test http/https:

elinks :///[path]

SMB
install

yum install samba samba-client

selinux

allow samba to share home directories:

setsebool -P samba_enable_home_dirs=1

mark a directory as sharable with samba:

chcon -R -T samba_share_t

start at boot

chkconfig smb on

basic config

redhat samba config tool:

yum install system-config-samba
system-config-samba

set workgroup/domain:

workgroup =

security modes:

# connections check local pwdb (default)
security = user

# member server on a domain, uses pwdb on a dc
security = domain
workgroup = EXAMPLE

# member server on an ad domain using kerberos, uses pwdb on a dc
security = ads
realm = EXAMPLE.COM
password server = kerberos.example.com

# used when samba was not capable of being a domain member server (DO NOT USE)
security = server
encrypt passwords = yes
password server =

# each share requires a password (DO NOT USE)
security = share

share options:

[]
# path for share
path =

# share is visible
browseable =

# rw enabled
writeable =

# this is a shared printer
printable =

# all users connecting to this share use as their primary group
group =

join domain:

net rpc join -U root

fstab example:

/// cifs user=,pass= 0 0

:!: mount.cifs and umount.cifs need to be chmod'ed u+s in order to be used by non-root users
host-based security

firewall config:
protocol ports
tcp 139, 445
udp 137, 138

hosts allow/deny can be used per-server or per-share:

hosts allow = 127.0.0.1 192.168.2.0/24 192.168.3.0/24
hosts deny = 0.0.0.0/0

user-based security

account maintenance:

# add account (local linux account must exist first, or be translated via /etc/samba/smbusers):
smbpasswd -a

# enable/disable account:
smbpasswd -e
smbpasswd -d

# remove account:
smbpasswd -x

:!: service smb reload may be needed after account changes

share access:

valid users = @

*
share access is also controlled by unix file permissions

verify service functionality

list shares:

smbclient -L -U

browse shares:

smbclient /// -U

test allow/deny statements for a host:

testparm /etc/samba/smb.conf

NFS
install

yum install portmap nfs-utils

start at boot

chkconfig portmap on
chkconfig nfs on
chkconfig nfslock on
chkconfig netfs on

basic config

redhat config tool:

yum install system-config-nfs
system-config-nfs

format of /etc/exports:

() [() ...]

activate new exports:

/etc/init.d/nfs restart

host-based security

:!: edit /etc/sysconfig/nfs and restart nfs to set static ports

firewall config:

# see ports
rpcinfo -p

host based security is intrinsic to the format of the exports file
user-based security

use standard file permissions
verify service functionality

list exports:

showmount -e

FTP
install

yum install vsftpd

selinux

allow local users to log in and cd into home directories:

setsebool -P ftp_home_dir=1

start at boot

chkconfig vsftpd on

basic config
host-based security

*
use ipchains with -[!]s option

firewall config:
protocol ports
tcp 21

:!: ftp data transfers will not work unless ip_conntrack_ftp is added to IPTABLES_MODULES in /etc/sysconfig/iptables-config

tcp_wrappers example:

vsftpd : 192.168.0.

user-based security

*
allow/deny controlled via /etc/vsftpd/user_list (:!: users in /etc/vsftpd/ftpusers are always denied via pam)
*
default allow/deny is configured by userlist_deny statement in vsftpd.conf

verify service functionality

test ftp:

ftp

Web proxy
install

yum install squid

selinux

allow squid to connect to the network (this is recommended, but was not needed in my testing):

setsebool -P squid_connect_any=1

start at boot

chkconfig squid on

host-based security

firewall config:
protocol ports
tcp 3128

allow access from local networks:

acl our_networks src 192.168.1.0/24 192.168.2.0/23
http_access allow our_networks

user-based security

FIXME
verify service functionality

test proxy:

HTTP_PROXY=:3128 elinks

SMTP
install

yum install postfix
alternatives --config mta
service sendmail stop

start at boot

chkconfig postfix on

basic config

listen on public interfaces:

inet_interfaces = all

specify all destination hostnames/domains:

mydestination = , , ...

specify origin domain:

myorigin = $mydomain

local aliases in /etc/aliases (:!: dont forget to run newaliases to apply changes):

: [, user2]

virtual aliases in /etc/postfix/virtual (:!: dont forget to run postmap /etc/postfix/virtual to apply changes):

:

enable virtual aliases:

virtual_alias_maps = hash:/etc/postfix/virtual

outbound address rewriting in /etc/postfix/generic (:!: dont forget to run postmap /etc/postfix/generic to apply changes):

:

enable outbound aliases:

smtp_generic_maps = hash:/etc/postfix/generic

host-based security

*
use ipchains with -[!]s option

firewall config:
protocol ports
tcp 25
user-based security

FIXME use smtp auth?
verify service functionality

test smtp:

telnet 25

IMAP, IMAPS, and POP3
install

yum install dovecot

start at boot

chkconfig dovecot on

basic config

enable protocols:

protocols =

create custom ssl cert:

nano -w /etc/pki/dovecot/dovecot-openssl.cnf
/usr/share/doc/dovecot-*/examples/mkcert.sh
service dovecot restart

host-based security

use ipchains with -[!]s option
protocol ports
tcp 143, 110, 995, 993
user-based security

use pam_listfile in /etc/pam.d/dovecot
verify service functionality

test mailbox acess:

mutt -f ://@

SSH
install

yum install openssh-server

start at boot

chkconfig sshd on

user-based security

allow/deny user access:

AllowUsers user1 user2 user3@example.com
DenyUsers user4 user5 user6@example.com

host-based security

*
use ipchains with -[!]s option

firewall config:
protocol ports
tcp 22

tcp_wrappers example:

sshd : 192.168.0.

verify service functionality

test logging in:

ssh @

DNS (caching name server, slave name server)
install

yum install bind-chroot caching-nameserver

start at boot

chkconfig named on

basic config

copy sample config:

cp -a /var/named/chroot/etc/named.caching-nameserver.conf /var/named/chroot/etc/named.conf

caching-only nameserver:

*
edit listen-on directives (comment out to listen on all interfaces)
*
edit allow-query directives (comment out allow queries from everyone)
*
edit match-clients and match-destinations directives to allow recursive queries from other hosts

slave nameserver:

*
get slave example from /usr/share/doc/bind-*/sample/etc/named.conf

host-based security

firewall config:
protocol ports
tcp 53
udp 53

allow-query example:

allow-query { 192.168.0.0/16; localnets; };

user-based security

N/A
verify service functionality

test query:

dig @

test zone transfer:

dig @ axfr

NTP
install

yum install ntp

start at boot

chkconfig ntpd on

host-based security

firewall config:
protocol ports
udp 123

allow other servers to sync with us:

restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap

user-based security

N/A
verify service functionality

show peers:

ntpq -p

RHCEs must also be able to:
configure hands-free installation using Kickstart

yum install system-config-kickstart

1.
make installation tree available
2.
create kickstart file (use system-config-kickstart to create ks.cfg) and validate (using ksvalidator)
3.
validate kickstart file
4.
make kickstart file available
*
bootable diskette (place in top level directory)
*
bootable cdrom (place in top level directory)
*
network (http, ftp, nfs)
5.
use bootable media and supply appropriate kernel parameter

ks=floppy:/ks.cfg
ks=cdrom:/ks.cfg
ks=http://example.com/ks.cfg
ks=nfs:example.com:/ks.cfg

implement logical volumes at install-time
use iptables to implement packet filtering and/or NAT

:!: do not use system-config-securitylevel, as it will overwrite your custom iptables rules. the following method seems to be the best way to go:

1.
make changes in /etc/sysconfig/iptables
2.
run /etc/init.d/iptables restart to apply changes

packet filtering

packet filtering example:

-A -p -m [-s[!] ] --dport -j ACCEPT

NAT

enable ip forwarding in /etc/sysctl.conf:

net.ipv4.ip_forward = 1

to test from another machine:

ip route replace default via

inbound dnat:

iptables -t nat -A PREROUTING -p --dport -j DNAT --to-dest :

outbound dnat:

iptables -t nat -A OUTPUT -p --dport -j DNAT --to-dest :

masquerading:

iptables -t nat -A POSTROUTING -o -j MASQUERADE

snat:

iptables -t nat -A POSTROUTING -j SNAT --to-source :

FIXME
use PAM to implement user-level restrictions
module documentation

*
/usr/share/doc/pam-*/txts

module configuration

*
/etc/pam.d
*
/etc/security

module interface description
auth user authentication (e.g. verifies password, set group membership or kerberos tickets, etc.)
account verifies that access is allowed (e.g. expired account?, check group membership, etc.)
password handles password changes
session manages user sessions (e.g. mount home dir, create mailbox, logging, etc.)
control flag description
required must pass, continue testing on failure
requisite must pass, stop testing on failure
sufficient failure is ignored, but if passing so far, return success at this point
optional pass or failure is irrelevant
include include another file
pam_listfile.so example

allow/deny users if listed in /etc/special:

auth required pam_listfile.so onerr=success item=user sense= file=/etc/special

Additional Notes
tcp_wrappers

file format:

: [except ] [:

Saturday, March 27, 2010

setup 64bit centos php5 mysql memcached-ketama

Category: CentOS/RedHat, PHP — SkyHi @ Saturday, March 27, 2010

<pre class="php" name="code">

if [ ! -d src ]; then
mkdir src
fi;
cd src

if [ ! -f php-5.2.5.tar.gz ]; then
wget http://jp2.php.net/get/php-5.2.5.tar.gz/from/jp.php.net/mirror
tar xvzf php-5.2.5.tar.gz
sudo yum remove httpd
fi;

if [ ! -f memcached-1.2.5.tar.gz ]; then
wget http://www.danga.com/memcached/dist/memcached-1.2.5.tar.gz
tar xvzf memcached-1.2.5.tar.gz
fi;

if [ ! -d ketama ]; then
svn co svn://svn.audioscrobbler.net/misc/ketama
cd ketama/libketama
sed -ri "s|PREFIX=/usr/local|PREFIX=/usr|" Makefile
fi;

sudo yum install \
libxml2 libxml2-devel \
openssl openssl-devel \
pcre pcre-devel \
bzip2 bzip2-devel \
curl curl-devel \
db4 db4-devel \
libjpeg libjpeg-devel \
libpng libpng-devel \
freetype freetype-devel \
gmp gmp-devel \
libc-client-devel \
openldap-devel \
libmcrypt libmcrypt-devel \
libmhash libmhash-devel \
mysql-devel \
ncurses-devel \
unixODBC-devel \
postgresql postgresql-devel \
sqlite sqlite-devel \
readline readline-devel \
net-snmp net-snmp-devel \
libtidy libtidy-devel \
libxslt libxslt-devel \
expat-devel \
httpd-devel \
libtool-ltdl libtool-ltdl-devel \
krb5-libs krb5-devel \
libevent libevent-devel \
autoconf \
bison \
flex

if [ -d /usr/lib64 ]; then
export LDFLAGS=-L/usr/lib64/mysql

if [ ! -f /usr/lib/libexpat.so.32bit ]; then
sudo mv /usr/lib/libexpat.so /usr/lib/libexpat.so.32bit
fi;
sudo rm -f /usr/lib/libexpat.so
sudo ln -s /usr/lib64/libexpat.so /usr/lib/libexpat.so

if [ ! -f /usr/lib/libdb-4.3.so.32bit ]; then
sudo mv /usr/lib/libdb-4.3.so /usr/lib/libdb-4.3.so.32bit
fi;
sudo rm -f /usr/lib/libdb-4.3.so
sudo ln -s /usr/lib64/libdb-4.3.so /usr/lib/libdb-4.3.so

if [ ! -f /usr/lib/libltdl.so.32bit ]; then
sudo mv /usr/lib/libltdl.so /usr/lib/libltdl.so.32bit
fi;
sudo rm -f /usr/lib/libltdl.so
sudo ln -s /usr/lib64/libltdl.so /usr/lib/libltdl.so

fi;

cd ketama/libketama
make clean
make
sudo make install
cd ../../
curr_dir=`pwd`
echo ${curr_dir}
rm -f php-5.2.5/ext/ketama
ln -s ${curr_dir}/ketama/php_ketama ${curr_dir}/php-5.2.5/ext/ketama
if [ -d /usr/lib64 ]; then
sudo rm -f /usr/lib64/libketama.so
sudo ln -s /usr/lib/libketama.so /usr/lib64/
fi;

cd memcached-1.2.5
make clean
./configure
make
sudo make install
cd ../

cd php-5.2.5
make clean
rm -Rf autom4te.cache
./buildconf --force

'./configure' \
'--host=i686-redhat-linux-gnu' \
'--build=i686-redhat-linux-gnu' \
'--target=i386-redhat-linux' \
'--prefix=/usr/local/php-5.2.5' \
'--bindir=/usr/bin' \
'--sbindir=/usr/sbin' \
'--sysconfdir=/etc' \
'--datadir=/usr/share' \
'--includedir=/usr/include' \
'--libdir=/usr/lib' \
'--libexecdir=/usr/libexec' \
'--localstatedir=/var' \
'--sharedstatedir=/usr/com' \
'--mandir=/usr/share/man' \
'--infodir=/usr/share/info' \
'--cache-file=../config.cache' \
'--with-libdir=lib' \
'--with-config-file-path=/etc' \
'--with-config-file-scan-dir=/etc/php.d' \
'--disable-debug' \
'--with-pic' \
'--disable-rpath' \
'--with-bz2' \
'--with-curl' \
'--with-exec-dir=/usr/bin' \
'--with-freetype-dir=/usr/lib' \
'--with-png-dir=/usr/lib' \
'--enable-gd-native-ttf' \
'--without-gdbm' \
'--with-gettext' \
'--with-gmp' \
'--with-iconv' \
'--with-jpeg-dir=/usr/lib' \
'--with-openssl' \
'--with-libexpat-dir=/usr/lib' \
'--with-pcre-regex=/usr' \
'--with-zlib' \
'--with-layout=GNU' \
'--enable-exif' \
'--enable-ftp' \
'--enable-magic-quotes' \
'--enable-sockets' \
'--enable-sysvsem' \
'--enable-sysvshm' \
'--enable-sysvmsg' \
'--enable-track-vars' \
'--enable-trans-sid' \
'--enable-yp' \
'--enable-wddx' \
'--with-kerberos' \
'--enable-ucd-snmp-hack' \
'--with-unixODBC=shared,/usr' \
'--enable-memory-limit' \
'--enable-shmop' \
'--enable-calendar' \
'--enable-dbx' \
'--enable-dio' \
'--without-mime-magic' \
'--without-sqlite' \
'--with-libxml-dir=/usr/lib' \
'--enable-force-cgi-redirect' \
'--enable-pcntl' \
'--with-imap=shared' \
'--with-imap-ssl' \
'--enable-mbstring=shared' \
'--enable-mbstr-enc-trans' \
'--enable-mbregex' \
'--with-ncurses=shared' \
'--with-gd=shared' \
'--enable-bcmath=shared' \
'--enable-dba=shared' \
'--with-db4=/usr/lib' \
'--with-xmlrpc=shared' \
'--with-ldap=shared' \
'--with-ldap-sasl' \
'--with-mysql=shared,/usr/lib/mysql' \
'--with-mysqli=shared,/usr/bin/mysql_config' \
'--enable-dom=shared' \
'--with-dom-xslt=/usr/lib' \
'--with-pgsql=shared' \
'--with-snmp=shared,/usr'\
'--enable-soap=shared' \
'--with-xsl=shared,/usr' \
'--enable-xmlreader=shared' \
'--enable-xmlwriter=shared' \
'--enable-fastcgi' \
'--enable-pdo=shared' \
'--with-pdo-odbc=shared,unixODBC,/usr' \
'--with-pdo-mysql=shared,/usr' \
'--with-pdo-pgsql=shared,/usr' \
'--with-pdo-sqlite=shared,/usr' '--enable-json=shared' \
'--enable-zip=shared' \
'--with-readline' \
'--enable-dbase=shared' \
'--with-mcrypt=shared,/usr' \
'--with-mhash=shared,/usr' \
'--with-tidy=shared,/usr' '--with-apxs2' \
'--with-ketama'

sudo yum remove php php-dba php-ldap php-mysql php-mysqli php-pdo

make
sudo make install
cd ../
sudo cp ../php/php.conf /etc/httpd/conf.d/
sudo cp ../php/info.php /var/www/html/
sudo cp ../php/php.ini /etc/php.ini
sudo /usr/sbin/httpd -k stop

# PECL path problem - not sure why
sudo sed -ri "s|exec$\"php-config --prefix\"$|\"/usr/lib/20060613\"|" /usr/share/pear/PEAR/Builder.php
sudo pecl install --force memcache

sudo /usr/sbin/httpd -k start

cd ../

</pre>

REFERENCE
http://recurser.com/articles/2008/06/23/setup-64bit-centos-php5-mysql-memcached-ketama/

How to install mcrypt in Linux (Cent OS) and recompile php?

Category: CentOS/RedHat, PHP — SkyHi @ Saturday, March 27, 2010

I realized that I need to install mcrypt libraries in order to operate your php encryption. In addition to installing mcrypt, I will have to re-compile php in order to include the support for mcrypt. Initially, I struggled hard and finally made it work. Hence, I am sharing this information whatever I collected from internet and tested at my site.

This has worked for me numerous times without anything breaking or failing to operate. Obviously, I’m not responsible for whether you try this or not. A healthy and current backup is always a good idea before diving into the world of re-compiling software packages.

What is MCrypt?

MCrypt is a replacement for the old crypt() package and crypt(1) command, with extensions. It allows developers to use a wide range of encryption functions, without making drastic changes to their code. It allows users to encrypt files or data streams without having to be cryptographers. Above all, it allows you to have some really neat code on your machine.

Site Source: http://mcrypt.sourceforge.net/

Mcrypt is a powerful encryption library containing 22 block algorithms. Specifically, the following algorithms are supported:

Blowfish

Cast-256

DES

Enigma

Gost

LOKI97

Panama

RC2

RC4

RC4-iv

Rijndael-128

Rijndael-192

Rijndael-256

Safer-sk128

Safer-sk64 xtea

Saferplus

Serpent

Threeway

TripleDES

Twofish

Wake

Simple steps: follow these steps to compile Mcrypt and build the extension into your PHP distribution:

1. Download the Mcrypt library

2. gunzip mcrypt-x.x.x.tar.gz

3. tar -xvf mcrypt-x.x.x.tar

4. ./configure –disable-posix-threads

5. make

6. make install

7. cd to your PHP directory.

8. ./configure -with-mcrypt=[dir] [--other-configuration-directives]

9. make

10. make install

However, complex and complete steps are given below:

FYI – My machine stats are:

Cent OS 5.0

Apache 2.0

PHP 5.0

Ready? Here’s how you do it.

As root:

1) Install libmcrypt (2.5.x or better) http://mcrypt.hellug.gr/lib/index.html

-download and uncompress: tar z -xvf xxx.tar.gz

-cd into libmcrypt dir and type: ./configure

-when configure is done type: make

-when make is done type: make install

2) Add the library dir to /etc/ld.so.conf

-edit /etc/ld.so.conf and add: /usr/local/lib

-save file and then type the command: ldconfig

3) Update/Install Mhash (0.8.15 or newer) http://mhash.sourceforge.net/

-download and uncompress: tar z -xvf xxx.tar.gz

-cd into libmcrypt dir and type: ./configure

-when configure is done type: make

-when make is done type: make install

-when make install is done type: ldconfig

4) Install latest version of mcrypt (2.6.x or better) http://mcrypt.hellug.gr/mcrypt/index.html

-download and uncompress: tar z -xvf xxx.tar.gz

-cd into mcrypt dir and type: ./configure

-when configure is done type: make

-when make is done type: make install

-when make install is done type: ldconfig

5) Take note of your current php info

-create a file somewhere on your webserver called phpinfo.php

-edit the file and add the single line:

-make sure a normal user owns the file (not root – ie: chown user.user phpinfo.php)

-issue the command: chmod 755 phpinfo.php

-open the file in a web browser ie: www.yourserver.com/phpinfo.php

-copy the contents of “Configure Command” to a text file somewhere.

-It will look something like this (probably all on 1 line – leave it on 1 line):

‘./configure’ ‘–with-apxs=/usr/local/apache/bin/apxs’ ‘–with-xml’ ‘–enable-bcmath’

‘–enable-calendar’ ‘–enable-ftp’ ‘–enable-magic-quotes’ ‘–with-mysql’ ‘–with-pear’

‘–enable-sockets’ ‘–enable-track-vars’ ‘–enable-versioning’ ‘–with-zlib’

-edit the command to remove all the ‘ ‘ marks so it looks like this:

./configure –with-apxs=/usr/local/apache/bin/apxs –with-xml –enable-bcmath –enable-calendar

–enable-ftp –enable-magic-quotes –with-mysql –with-pear –enable-sockets –enable-track-vars

–enable-versioning –with-zlib

-at the end, add the following (assuming mcrypt is actually found in /usr/local/bin/mcrypt):

–with-mcrypt=/usr/local/bin/mcrypt

-save the text file.

6) Go into your php source directory: /home/cpapachebuild/buildapache/php-4.3.1/

-type: make clean

-type: rm config.cache (yes, remove that file)

-issue your command you saved in the text file. Something like this:

./configure –with-apxs=/usr/local/apache/bin/apxs –with-xml –enable-bcmath –enable-calendar

–enable-ftp –enable-magic-quotes –with-mysql –with-pear –enable-sockets –enable-track-vars

–enable-versioning –with-zlib –with-mcrypt=/usr/local/bin/mcrypt

-when that is done, type: make

-when that is done, type: make test (most tests will fail… about 50%-60% or so)

-when that is done, type make install

enable support for php. requires php-mcrypt and php-mhash packages:

yum install php-mcrypt*

yum install php-mhash*

7) Restart Apache

-issue the command: service httpd restart

-go back to your phpinfo.php page and check to see that –with-mcrypt now shows up in the “Configure Command”

Question:

I am trying to have mcrypt support in php. I installed libmcrypt and mhash using yum. They installed okay, but they weren’t added to phpinfo(), so they do not work.

Reading mcrypt info it says I need to recompile php.

Answer: It is working!

While I was requiring to recompile php according to the information on the mcrypt package to enable mcrypt support. I found an alternative.

There are 2 solutions to this problem:

A) This is the painless way to do it.

After a lot of research, as I couldn’t find answers on forums and other places. I found on sourceforge.net they released some rpm packages to integrate mcrypt and mhash with php.

First we need to install mcrypt and mhash as follows:

1) Install mcrypt & mhash

yum install mcrypt*

yum install mhash*

answer y to the question if matched your system (it should).

If it comes out

Setting up Install Process

Parsing package install arguments

No package mcrypt available.

Nothing to do

Manually install from the source after compiling as indicated from the start or the post.

2) enable support for php. requires php-mcrypt and php-mhash packages:

yum install php-mcrypt*

yum install php-mhash*

If you get an error saying packages not signed (unsigned packages), do the following:

edit /etc/yum.conf

change:

gpgcheck=1 to gpgcheck=0

attempt step 2 again. Once completed change back yum.conf

REFERENCE
http://www.notesbit.com/index.php/web-mysql/web-scripts/how-to-install-mcrypt-in-linux-cent-os-and-recompile-php/

How I updated PHP & MySQL on RedHat Enterprise Linux (RHEL) 5.3

Category: CentOS/RedHat, PHP, Yum RPM — SkyHi @ Saturday, March 27, 2010

This is my post about the steps which I used to update the versions of PHP and MySQL on RHEL 5.3. As of this writing the latest versions of PHP is 5.2.9 and that of MySQL server is 5.1.32-1. The installation of RHEL5 (after making updates) had versions of PHP/MySQL which were as much as 2.5 years old. You obviously don’t want so old versions of the software for security reasons. So I decided to upgrade versions of PHP/MySQL on the system. Obviously the default repository of RHEL does not have the updated versions of PHP and MySQL (and many other softwares I believe).

I searched online for making the upgrades and after a long search, I came across links on the web which helped me perform the upgrades. So, I decided to write a detailed post about my upgrade process so it could be helpful to others.

The packet management tool which I’m using is yum. So its a good idea to know few basic yum commands:

`yum list available`

`yum list installed`

`yum list updates`

`yum install [package]`

`yum remove [package]`

I guess all of above commands are self explanatory.

Since the repositories which are used by RHEL are not up to date, so we need to use and setup some other repository. One of the most popular and the one which I used is Remi’s repository which has latest packages for most of the software:

http://rpms.famillecollet.com/index.html

This repository is not there in the repository directory

`/etc/yum.repos.d`

yet so we need to enable it in order to use it. To do that we need to download some additional RPMs and install them first. The 2 RPMs which we need are:

epel-release and remi-release

My architecture is i386 so if yours is x86_64 then get the RPMs for it accordingly.

We can get the first one from here:

http://download.fedora.redhat.com/pub/epel/5/i386/epel-release-5-3.noarch.rpm

using:

`wget http://download.fedora.redhat.com/pub/epel/5/i386/epel-release-5-3.noarch.rpm`

`rpm -Uvh epel-release-5-3.noarch.rpm`

Download the 2nd one from Remi’s site:

http://rpms.famillecollet.com/enterprise/remi-release-5.rpm

using:

`wget http://rpms.famillecollet.com/enterprise/remi-release-5.rpm`

`rpm -Uvh remi-release-5.rpm`

2nd package is dependent on first one so we need to install 1st before the 2nd.

Now, I removed the older packages first (not sure if this was needed though) by using:

`yum list installed`

and looking for those packages which started with php or mysql. That also included php packages dependent on mysql and vice-versa. Remove them using:

`yum remove [package]`

IMPORTANT: I didn’t mention it here but if you have any data present (especially MySQL database) then please make sure that you back them up first before removing packages as that may result in loss of data also. I didn’t have any data when I started so I didn’t mention it before.

The steps will now create corresponding information for Remi’s repository in:

`/etc/yum.repos.d/`

So, now we have the older packages removed and need to install the new ones. Before that we need to enable Remi’s repository. For that goto file called remi.repo in the repo directory and under the section [remi] there, change enabled = 0 to enabled = 1.

After doing this, run the following command:

`yum install php`

Now, run:

`php -v`

and you should get something like this:

`PHP 5.2.9 (cli) (built: Feb 27 2009 14:42:58) Copyright (c) 1997-2009 The PHP Group Zend Engine v2.2.0, Copyright (c) 1998-2009 Zend Technologies`

as the output.

Now, run the following commands:

`yum install mysql-server`

`yum install php-mysql`

`yum install mysql-devel`

and it should install MySQL server and PHP-MySQL module along with necessary dependencies.

Now, you can check your working of PHP and MySQL server by starting httpd and mysql services and may be writing a phpinfo() file:

`/sbin/service httpd start`

`/sbin/service mysqld start`

So the PHP and MySQL should be working now. I have not yet done any configuration of any of those and its likely that I’ll run into some problems there and so may be I’ll make another post about it.

Some of the links which were useful to me and from where I used information for the installation process:

https://forums.misdivision.com/showthread.php?t=1285

http://timt881.wordpress.com/2009/02/17/installing-phpmyadmin-and-php-52-on-a-centos-52-server/

http://forum.parallels.com/showthread.php?t=86086

Since this thing worked for me for RHEL 5.3 so I believe it should work for CentOS as well.

REFERENCE

http://binit933x.wordpress.com/2009/03/05/how-i-updated-php-mysql-on-redhat-enterprise-linux-rhel-53/

How to Install Apache 2.2.x and PHP 5.2.x on CentOS 5

Category: Apache, CentOS/RedHat, PHP — SkyHi @ Saturday, March 27, 2010

This guide assumes you have a minimal CentOS installation and are not planning on running a control panel such as cPanel, which install the webserver for you. Some of the software versions listed below may need to be changed as they are updated. As of the writing of this article, Apache 2.2.14 and PHP 5.2.11 are the latest versions.

# yum install bison flex gcc db4 db4-devel libxml2-devel libpng-devel mysql-devel make
# wget http://www.apache.org/dist/httpd/httpd-2.2.14.tar.gz
# wget http://us3.php.net/get/php-5.2.11.tar.gz/from/us2.php.net/mirror
# tar zxvf httpd-2.2.14.tar.gz
# tar zxvf php-5.2.11.tar.gz
# cd httpd-2.2.14
# ./configure --enable-so --enable-rewrite=shared
# make
# make install
# cd ../php-5.2.11
# ./configure --with-apxs2=/usr/local/apache2/bin/apxs --with-mysql --enable-bcmath --enable-ftp --enable-magic-quotes --with-pear --enable-sockets --enable-track-vars --with-zlib --with-gd --with-freetype
# make
# make install
# cp php.ini-dist /usr/local/lib/php.ini

You can change the values passed to the configure lines of Apache and PHP to add/remove software from the build. Apache in this guide is built with DSO support and mod_rewrite as a shared module. PHP is built as an Apache DSO with MySQL, FTP, BCMath, magic quotes, PEAR, sockets, Zlib, and GD with TTF.

Finally, edit your Apache config:

# vi /usr/local/apache2/conf/httpd.conf

Add AddHandler application/x-httpd-php .php .phtml .php4 to a blank like. Now start Apache using /usr/local/apache2/bin/apachectl start.

Thats it, you're good to go! You may want to tweak your Apach configuration to suit your specific needs including adding Virtualhosts, however that is outside the scope of this article. Please refer to the Apache Docs for that information.

REFERENCE

http://www.networkdatacenterhost.com/wiki/server-administration/install-apache-php-on-centos

Installing PHP 5.2.x or 5.3.x on RedHat ES5, CentOS 5, etc

Category: Centos, CentOS/RedHat, PHP — SkyHi @ Saturday, March 27, 2010

I’ve had to follow this tutorial a few times myself now so decided I should share it with the world.
A few of our applications which make use of SOAP get a Segmentation Fault if run with PHP 5.1.x or lower. We believe this is due to a bug in PHP but can’t be sure, regardless it works fine in PHP 5.2.4 and above.
Problem is, RedHat ES5 does not have support at this time for anything higher than 5.1.6, and we didn’t want to break RPM dependancys etc by installing from source.
To install PHP 5.2.5 (Highest in repository at this time) you can make use of a RPM repository maintained by Remi. He has a repository for each distro, but to save you translating for the ES5 one I’ll give you the commands here. Run the following to get up and running:

wget http://download.fedora.redhat.com/pub/epel/5/i386/epel-release-5-3.noarch.rpm
wget http://rpms.famillecollet.com/enterprise/remi-release-5.rpm
rpm -Uvh remi-release-5*.rpm epel-release-5*.rpm

You now have the Remi repository on your system, however it is disabled by default. Obviously you don’t want all of your packages been effected by this repository, however to enable it for a specific package, run the following:

yum --enablerepo=remi update php

You should now have the latest PHP5 installed:

# php -v

PHP 5.2.5 (cli) (built: Nov 10 2007 10:52:30)

Copyright (c) 1997-2007 The PHP Group

Zend Engine v2.2.0, Copyright (c) 1998-2007 Zend Technologies

Update 12th Aug ’08:
There is now an English page on the Remi site on how to configure repositories for all sorts of distros: http://blog.famillecollet.com/pages/Config-en

Update 13th June ’09:
The download link for the ES5 package has changed, post updated above.: http://blog.famillecollet.com/pages/Config-en

Update 9th August ’09: It would seem this repo has now been upgraded to PHP 5.3.0.

Thursday, October 21, 2010

Saturday, May 29, 2010

Sample shell script to update system

Wednesday, May 26, 2010

Friday, April 9, 2010

Saturday, March 27, 2010

yum list available

yum list installed

yum list updates

yum install [package]

yum remove [package]

/etc/yum.repos.d

wget http://download.fedora.redhat.com/pub/epel/5/i386/epel-release-5-3.noarch.rpm

rpm -Uvh epel-release-5-3.noarch.rpm

wget http://rpms.famillecollet.com/enterprise/remi-release-5.rpm

rpm -Uvh remi-release-5.rpm

yum list installed

yum remove [package]

/etc/yum.repos.d/

yum install php

php -v

PHP 5.2.9 (cli) (built: Feb 27 2009 14:42:58)Copyright (c) 1997-2009 The PHP GroupZend Engine v2.2.0, Copyright (c) 1998-2009 Zend Technologies

yum install mysql-serveryum install php-mysql

yum install mysql-devel

/sbin/service httpd start/sbin/service mysqld start

Labels

Blog Archive

My Blog List

`yum list available`

`yum list installed`

`yum list updates`

`yum install [package]`

`yum remove [package]`

`/etc/yum.repos.d`

`wget http://download.fedora.redhat.com/pub/epel/5/i386/epel-release-5-3.noarch.rpm`

`rpm -Uvh epel-release-5-3.noarch.rpm`

`wget http://rpms.famillecollet.com/enterprise/remi-release-5.rpm`

`rpm -Uvh remi-release-5.rpm`

`yum list installed`

`yum remove [package]`

`/etc/yum.repos.d/`

`yum install php`

`php -v`

`PHP 5.2.9 (cli) (built: Feb 27 2009 14:42:58) Copyright (c) 1997-2009 The PHP Group Zend Engine v2.2.0, Copyright (c) 1998-2009 Zend Technologies`

`yum install mysql-server`

`yum install php-mysql`

`yum install mysql-devel`

`/sbin/service httpd start`

`/sbin/service mysqld start`