Centos 6 to Centos 7 Changes

Overview of major changes: See the enclosed Guide for detailed information

New GUI usage compared to Centos 6 (see Guide chapter 3.2, others)

Common GUI tasks in Centos 6 vs Centos 7

Task                  Centos 6                 Centos 7
view shortcuts        displayed on top panel   Applications | favorites or hit Windows key
add shortcuts         RC on top panel          click grid button, select, drag to favorites bar
configure firewall    none                     Applications | Sundry | Firewall
add/delete software                            Applications | System tools | Software [update]
manage users                                   Applications | System tools | Settings | Users (unlock)
logout                                         click arrow upper left | select user | Log out
power off/restart                              click circle upper left | click next circle lower right
configure network                              Applications | System tools | Settings | network | gear icon
save network config                            Before closing turn wired off, then on with buttons
unlock screen saver                            hit space bar


Configuring Apache with apachectl instead of "service httpd" (see Guide chapter 12)


Task                   Centos 6                   Centos 7
test configuration     service httpd configtest   apachectl configtest
restart gracefully     service httpd graceful     apachectl graceful
status                 service httpd status       apachectl status
start apache           service httpd start        apachectl start [systemctl start httpd.service]
stop apache            service httpd stop         apachectl stop [systemctl stop httpd.service]
restart apache         service httpd restart      apachectl restart [systemctl restart httpd.service]
stop gracefully                                   apachectl graceful-stop
show version                                      apachectl -v
start on bootup        chkconfig httpd on         systemctl enable httpd.service
disable on bootup      chkconfig httpd off        systemctl disable httpd.service
reload configuration   service httpd reload       systemctl reload httpd.service

Configuring services with systemctl instead of "service" (see Guide chapter 9)

The "systemctl" command replaces the "service" command in Centos 7. Note that the order of the
action to be taken and the name of the service to act on is reversed between the two:
"service name action" becomes "systemctl action name".
The service name is supposed to have .service appended, but this is optional.
Example: "systemctl start sshd" and "systemctl start sshd.service" both work.

Replace "name" with the service you want to configure in the table below...

Task                                     Centos 6                 Centos 7
Start a service                          service name start       systemctl start name[.service]
Stop a service                           service name stop        systemctl stop name[.service]
Restart a service                        service name restart     systemctl restart name[.service]
Restart only if running                  service name condrestart systemctl try-restart name[.service]
Reload a configuration                   service name reload      systemctl reload name[.service]
Check if running                         service name status      systemctl status name[.service]
Display status of all services           service --status-all     systemctl list-units --type service --all
Enable a service on bootup               chkconfig name on        systemctl enable name[.service]
Disable a service on bootup              chkconfig name off       systemctl disable name[.service]
Check if service is enabled              chkconfig --list name    systemctl is-enabled name[.service]
List all services and check if enabled   chkconfig --list         systemctl list-unit-files --type service

New Firewall management

OVERVIEW:
Centos 7 uses firewalld, which is much different from the firewall in Centos 6.
- See firewalld.org/documentation for more complete documentation.

The major difference is the addition of zones. Predefined zones include public, internal, home, work, trusted, dmz, drop, and block.
You need to bind each interface (NIC) to a specific zone; then you can set different firewall rules for each zone.
For our purposes, a Linux OS in a VM serving web pages to the public,
binding the single NIC to the public zone should be adequate.
You may need to bind the "lo" interface to the public or another zone??

A clean install of Centos 7 configures the firewall as follows:

That means you can shell into and ping the OS but nothing else.

Minimal Configuration for Web Server:

3 Ways to Configure Firewall:

1) NATIVE GUI INTERFACE: (RD into intel box, select hyper-v manager, connect to VM)
   a) Click Applications | Sundry | Firewall
   b) open a terminal, change to root, type firewall-config
   c) maximize the dialog so you can see the buttons at the bottom.
      1) view the active bindings on the left to ensure that eth0 is bound to the default public zone
      2) Set the configuration to permanent so that the config is saved and applied at the next reboot, unless you want to test configurations with the runtime configuration.
      3) Select the public zone in the pane next to the active bindings panel
      4) in the lower left panel, select the services tab to display the services currently available. Then check/uncheck ones to agree with the list above.
      5) select the ports tab, add TCP port 9090
      6) To activate the changes you made to the permanent config, you can:
         - make them again in the runtime config
         - Try Options | Runtime to Permanent
         - Reboot

2) WEBMIN GUI INTERFACE:
   CAUTION: webmin network shows 3 different firewall tabs. Use the firewallD tab ONLY, as the other ones will configure but will not work and may corrupt the firewall.
   CAUTION: the default zone for webmin is "Block". We are using the "public" one.
   CAUTION: using webmin is not tested. Be sure to back up the vm .vhx file first !!!

3) COMMAND LINE INTERFACE:
   Shell in, then as root type firewall-cmd with options to configure. Some common
   commands are:
      systemctl stop firewalld
      systemctl disable firewalld
      systemctl status firewalld -l
      firewall-cmd --state
      firewall-cmd --reload
      firewall-cmd --zone=public --add-service=http --permanent     (then reload)
      firewall-cmd --get-default-zone
      firewall-cmd --get-active-zones
      firewall-cmd --list-all-zones
      firewall-cmd --get-services
      firewall-cmd --zone=public --add-port=12345/tcp --permanent
      firewall-cmd --zone=public --remove-port=12345/tcp --permanent
      firewall-cmd --set-default-zone=zone     (permanent and run time)
      firewall-cmd --zone=public --query-port=80/tcp

See the following URL for further details:
http://www.firewalld.org/documentation/man-pages/firewall-cmd.html
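
The zone rules and the permanent-versus-runtime split described above can be checked from the shell. The following is an added example, not part of the original page: it parses `firewall-cmd --list-all` output, flags services and ports outside an allowlist, and reports where the runtime and permanent configurations differ. The allowlist (ssh, http, 9090/tcp) and all function names are assumptions for illustration.

```bash
# Added example: audit a firewalld zone from `firewall-cmd --list-all` text.
# ALLOWED_* is an assumed policy for a public web server; set your own.
ALLOWED_SERVICES="ssh http"
ALLOWED_PORTS="9090/tcp"

# zone_field FIELD: read --list-all text on stdin, print that field's values
# sorted on one line ("ports" does not match "forward-ports").
zone_field() {
    sed -n "s/^[[:space:]]*$1:[[:space:]]*//p" |
        tr -s ' ' '\n' | sed '/^$/d' | sort | paste -sd' ' -
}

# unexpected ALLOWED ACTUAL: print each word of ACTUAL that is not in ALLOWED.
unexpected() {
    local item
    for item in $2; do
        case " $1 " in
            *" $item "*) ;;
            *) printf '%s\n' "$item" ;;
        esac
    done
}

# audit_zone: read --list-all text on stdin, report anything outside the
# allowlist, return 1 if something was found.
audit_zone() {
    local text x bad=0
    text=$(cat)
    for x in $(unexpected "$ALLOWED_SERVICES" "$(printf '%s\n' "$text" | zone_field services)"); do
        echo "unexpected service: $x"; bad=1
    done
    for x in $(unexpected "$ALLOWED_PORTS" "$(printf '%s\n' "$text" | zone_field ports)"); do
        echo "unexpected port: $x"; bad=1
    done
    return "$bad"
}

# drift RUNTIME PERMANENT: print fields whose runtime and permanent values
# differ; a runtime-only rule disappears at the next reload or reboot.
drift() {
    local f r p
    for f in services ports; do
        r=$(printf '%s\n' "$1" | zone_field "$f")
        p=$(printf '%s\n' "$2" | zone_field "$f")
        [ "$r" = "$p" ] || echo "$f differ: runtime='$r' permanent='$p'"
    done
}
```

On a live host, as root, pipe `firewall-cmd --zone=public --list-all` into `audit_zone`, and pass the outputs of `firewall-cmd --zone=public --list-all` and `firewall-cmd --permanent --zone=public --list-all` as the two arguments of `drift`.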


Using sshd (OpenSSH) to chroot sftp users (see Guide chapter 10)

OVERVIEW: Be SURE!! to test chroot when done, as mistakes are easy!!

For chroot to work, the user must be configured to use the /sbin/nologin shell
and /etc/ssh/sshd_config must be configured appropriately, as described below.

There are two methods to confine users who sftp into the server to their individual home dirs:
MATCH USER and MATCH GROUP.
Our default /etc/ssh/sshd_config file has been modified as follows to allow both methods:

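# Serve sftp from inside sshd itself, so no helper binary is needed inside the chroot
Subsystem sftp internal-sftp

# MATCH GROUP method: each member of clientuser_sftp is confined to /var/www/html/<user name>
Match Group clientuser_sftp
    ChrootDirectory /var/www/html/%u
    ForceCommand internal-sftp

# MATCH USER method (commented out): one block like this per user
#Match User ftpNancyT
#    ForceCommand internal-sftp
#    ChrootDirectory /var/www/html/nancyt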


The main difference is that
MATCH USER requires you to append to the /etc/ssh/sshd_config file every time you add a user,
while MATCH GROUP does not, but requires the home dir name to be the same as the user name.
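
One of the easy mistakes with either method is the ownership of the chroot path: sshd refuses the login unless every component of the ChrootDirectory is owned by root and not writable by group or others. The following pre-flight check is an added example, not part of the original page or of the webcrn.sh script; the function names are assumptions for illustration.

```bash
# Added example: pre-flight check for an sshd ChrootDirectory path.
# Every component of the path must be owned by root (uid 0) and must not
# be writable by group or others.

# chroot_components DIR: print DIR and each parent up to / (absolute only).
chroot_components() {
    local p
    case $1 in /*) ;; *) echo "need an absolute path" >&2; return 2 ;; esac
    p=${1%/}
    while [ -n "$p" ]; do
        printf '%s\n' "$p"
        p=${p%/*}
    done
    printf '/\n'
}

# component_ok OCTAL_MODE OWNER_UID: true for uid 0 with no g+w / o+w bit.
component_ok() {
    [ "$2" -eq 0 ] && [ $(( 0$1 & 022 )) -eq 0 ]
}

# check_chroot DIR: stat each component (GNU stat, as shipped with Centos),
# print the ones sshd would reject, return 1 if any were found.
check_chroot() {
    local comps c st bad=0
    comps=$(chroot_components "$1") || return 2
    while IFS= read -r c; do
        st=$(stat -c '%a %u' "$c" 2>/dev/null) ||
            { echo "MISSING $c"; bad=1; continue; }
        component_ok $st || { echo "BAD $c (mode uid: $st)"; bad=1; }
    done <<EOF
$comps
EOF
    return "$bad"
}
```

On the server, run `check_chroot /var/www/html/testman` for each user directory, then `sshd -t` to validate sshd_config before restarting sshd. Finish with a real sftp login to confirm the user cannot leave the directory.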

Using the webcrn.sh script to create a chrooted user and website:

Our webcrn.sh script creates properly configured "regular" users that are chrooted to their
home dirs automatically. Run it from the webmaster's home dir as root, select "y" for regular user
and follow the prompts.

When the script is finished, you have a new user configured as follows

Creating a chrooted user manually using the MATCH USER method:
Using testman as the user name:
A) add user using
B) make appropriate directories
C) append the /etc/httpd/conf/vhosts.conf file for the new domain:
D) Add following section to the /etc/ssh/sshd_config file:
E) If you want to create a webalizer configuration like the webcrn.sh script does: