Centos 6 to Centos 7 Changes
Overview of major changes: see the enclosed Guide for detailed information (chapter references below are to that Guide).
New GUI usage compared to Centos 6 (see Guide chapter 3.2, others)
Common GUI tasks in Centos 6 vs Centos 7 (menu paths are written with ">")
Task | Centos 6 | Centos 7
view shortcuts | displayed on top panel | Applications > Favorites, or press the Windows (Super) key
add shortcuts | right-click on top panel | click the grid button, select the application, drag it to the Favorites bar
configure firewall | (none) | Applications > Sundry > Firewall
add/delete software | (not listed) | Applications > System Tools > Software [Update]
manage users | (not listed) | Applications > System Tools > Settings > Users (click Unlock first)
log out | (not listed) | click the arrow at the upper left, select the user name, then Log Out
power off/restart | (not listed) | click the circle at the upper left, then the next circle at the lower right
configure network | (not listed) | Applications > System Tools > Settings > Network > gear icon
save network config | (not listed) | before closing, turn Wired off and then on again with the buttons
unlock screen saver | (not listed) | press the space bar
Configuring Apache with apachectl instead of "service httpd" (see Guide chapter 12)
On Centos 7 apachectl is a front end that hands start/stop/restart to systemctl, so the bracketed systemctl command is the equivalent of the apachectl one.
Task | Centos 6 | Centos 7
test configuration | service httpd configtest | apachectl configtest (run this before every reload or restart)
restart gracefully | service httpd graceful | apachectl graceful
status | service httpd status | apachectl status (needs mod_status and a text browser such as lynx/links installed; systemctl status httpd.service works without them)
start apache | service httpd start | apachectl start [systemctl start httpd.service]
stop apache | service httpd stop | apachectl stop [systemctl stop httpd.service]
restart apache | service httpd restart | apachectl restart [systemctl restart httpd.service]
stop gracefully | (not listed) | apachectl graceful-stop
show version | (not listed) | apachectl -v
start on bootup | chkconfig httpd on | systemctl enable httpd.service
disable on bootup | chkconfig httpd off | systemctl disable httpd.service
reload configuration | service httpd reload | systemctl reload httpd.service
Configuring services with systemctl instead of "service" (see Guide chapter 9)
The "systemctl" command replaces the "service" command in Centos 7. Note that the order of the
action to be taken and the name of the service to act on is reversed between the two.
Also note that the unit name is supposed to end in .service, but for services this is optional:
"systemctl start sshd" and "systemctl start sshd.service" both work.
Note also that "systemctl enable" only affects the next boot and "systemctl start" only the running
system; to do both, run both (and likewise "stop" plus "disable" when retiring a service).
Replace "name" with the service you want to configure in the table below.
Task | Centos 6 | Centos 7
Start a service | service name start | systemctl start name[.service]
Stop a service | service name stop | systemctl stop name[.service]
Restart a service | service name restart | systemctl restart name[.service]
Restart only if running | service name condrestart | systemctl try-restart name[.service]
Reload a configuration | service name reload | systemctl reload name[.service]
Check if running | service name status | systemctl status name[.service]
Display status of all services | service --status-all | systemctl list-units --type service --all
Enable a service on bootup | chkconfig name on | systemctl enable name[.service]
Disable a service on bootup | chkconfig name off | systemctl disable name[.service]
Check if service is enabled | chkconfig --list name | systemctl is-enabled name[.service]
List all services and check if enabled | chkconfig --list | systemctl list-unit-files --type service
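The last row is the one to use for trimming a public-facing VM to the services it actually needs. The script below is an added example (not from the Guide or the webcrn.sh tooling): it reads "systemctl list-unit-files --type service" output, compares every enabled unit against an allowlist, and prints the stop/disable commands for the rest. The allowlist and the sample output are assumptions constructed for the example; edit ALLOWED for your own host.

```shell
#!/bin/sh
# Added example (not from the guide): audit which services are enabled at boot
# against an allowlist, and print the systemctl commands that would trim the rest.
# The allowlist is an assumption for a public web VM; edit it for your host.
ALLOWED="auditd chronyd crond firewalld httpd postfix rsyslog sshd webmin"

# audit_units: reads `systemctl list-unit-files --type service` output on stdin and
# prints `systemctl stop` / `systemctl disable` lines for every enabled unit whose
# name (without the .service suffix) is not in ALLOWED. Units that are static,
# disabled or masked are ignored, as is the trailing "N unit files listed." line.
audit_units() {
  awk -v allowed=" $ALLOWED " '
    $2 == "enabled" {
      name = $1
      sub(/\.service$/, "", name)
      if (index(allowed, " " name " ") == 0) {
        print "systemctl stop " $1
        print "systemctl disable " $1
      }
    }'
}

# Constructed sample of list-unit-files output so the function can be run offline.
SAMPLE='UNIT FILE                                   STATE
auditd.service                              enabled
chronyd.service                             enabled
crond.service                               enabled
dbus.service                                static
firewalld.service                           enabled
httpd.service                               enabled
kdump.service                               disabled
named.service                               enabled
postfix.service                             enabled
rsyslog.service                             enabled
sshd.service                                enabled
tuned.service                               enabled
webmin.service                              enabled

13 unit files listed.'

# Real use:   systemctl list-unit-files --type service | audit_units
# Review the output, then pipe it to sh once you agree with every line.
printf '%s\n' "$SAMPLE" | audit_units
```

Run against the sample it prints stop/disable pairs for named.service and tuned.service only. The output is deliberately a plan rather than an action: read it, then pipe it to sh.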
New firewall management
OVERVIEW:
Centos 7 uses firewalld, which is quite different from the iptables service in Centos 6.
See firewalld.org/documentation for the complete documentation.
The major difference is the addition of zones. Predefined zones include
public, internal, home, work, trusted, dmz, drop, and block.
Each interface (NIC) is bound to one zone, and each zone carries its own rules (allowed services,
ports, ICMP types, rich rules).
For our purposes (a Linux VM serving web pages to the public) binding the single NIC to the public zone
is adequate.
The "lo" interface does not need to be bound to any zone: firewalld accepts loopback traffic
unconditionally, so local connections (e.g. a web application talking to MySQL on 127.0.0.1) keep working.
A clean install of Centos 7 configures the firewall as follows:
    default zone: public
    interface eth0 bound to public
    all ICMP types allowed
    open services: ssh, dhcpv6-client
That means you can ssh into and ping the OS, but nothing else gets in.
Minimal configuration for a web server:
- TCP ports/services needed for a standard install:
    - 22   ssh (open by default)
    - 25   smtp
    - 53   dns (TCP and UDP; firewalld's "dns" service covers both)
    - 80   http
    - 443  https
    - 9090 our port for webmin (not a predefined service, so add it as a port)
    - ??   ntp, mysql, pop3, imap: still undecided; open them only if the host really serves them to the
           public. MySQL in particular should normally stay closed, since the web application reaches it
           over localhost.
- Everything not on this list stays closed. The default dhcpv6-client service can be removed if the VM
  does not get its address over DHCPv6.
- The "lo" interface needs no zone binding; firewalld accepts loopback traffic unconditionally.
3 ways to configure the firewall:
1) NATIVE GUI INTERFACE: (Remote Desktop into the Intel box, open Hyper-V Manager, connect to the VM)
    a) Click Applications > Sundry > Firewall, or open a terminal, become root and run firewall-config.
    b) Maximize the dialog so you can see the buttons at the bottom.
    c) Then:
        1) Check the active bindings on the left to ensure eth0 is bound to the default public zone.
        2) Choose Configuration: Permanent to edit the saved config (what is in effect after a reload
           or reboot), or Configuration: Runtime to try a change immediately without saving it.
        3) Select the public zone in the pane next to the active bindings panel.
        4) In the lower pane select the Services tab, which lists the services firewalld knows about;
           check/uncheck them to agree with the list above.
        5) Select the Ports tab and add TCP port 9090.
        6) To put changes made in the permanent config into effect, either
               Options > Reload Firewalld (the same as firewall-cmd --reload), or
               reboot.
           If you made the changes in the runtime config instead, save them with
           Options > Runtime To Permanent (that menu item copies runtime to permanent,
           not the other way round).
2) WEBMIN GUI INTERFACE:
    CAUTION: Webmin's Networking category shows three different firewall modules. Use the FirewallD
    module ONLY; the others will appear to configure but will not work and may corrupt the firewall.
    CAUTION: the default zone shown by Webmin is "block". We are using the "public" one.
    CAUTION: configuring through Webmin is untested. Back up the VM's .vhdx file first!!
3) COMMAND LINE INTERFACE:
Shell in, become root and use firewall-cmd. Changes made with --permanent are written to disk but do not
take effect until "firewall-cmd --reload"; changes made without --permanent take effect at once but are
lost on the next reload or reboot. Some common commands are:
    systemctl status firewalld -l                      (is it running, with recent log lines)
    systemctl stop firewalld                           (troubleshooting only: the host is unprotected while it is stopped)
    systemctl disable firewalld                        (only if replacing it with something else)
    firewall-cmd --state
    firewall-cmd --reload                              (apply the permanent config; runtime-only changes are dropped)
    firewall-cmd --zone=public --add-service=http --permanent      (then reload)
    firewall-cmd --get-default-zone
    firewall-cmd --get-active-zones                    (zones that have interfaces bound, and which)
    firewall-cmd --list-all-zones
    firewall-cmd --get-services                        (names usable with --add-service)
    firewall-cmd --zone=public --add-port=12345/tcp --permanent
    firewall-cmd --zone=public --remove-port=12345/tcp --permanent
    firewall-cmd --set-default-zone=zone               (permanent and runtime at once)
    firewall-cmd --zone=public --query-port=80/tcp     (exit status 0 if open, 1 if not: handy in scripts)
See the following URL for further details:
http://www.firewalld.org/documentation/man-pages/firewall-cmd.html
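The commands above are easy to run one at a time and forget, so here is an added example (not from the Guide or from firewalld's own tooling) that applies the minimal web-server configuration as a desired state: it reads "firewall-cmd --zone=public --list-all", works out which permanent add/remove commands are missing, and prints them followed by the reload. The wanted service and port lists, and the sample list-all output, are assumptions constructed for the example; anything in the zone that is not on the wanted lists gets removed, so edit them before applying.

```shell
#!/bin/sh
# Added example (not from the guide): bring the public zone to the minimal
# web-server configuration, idempotently, and show what will change before
# touching anything. The desired state below is an assumption: edit it first.
ZONE=public
WANT_SERVICES="ssh smtp dns http https"   # firewalld service names (see firewall-cmd --get-services)
WANT_PORTS="9090/tcp"                     # webmin on our port

# fw_field NAME: pull the space-separated values of one "name:" line out of
# `firewall-cmd --zone=$ZONE --list-all` output supplied on stdin.
fw_field() {
  awk -v f="$1:" '$1 == f { for (i = 2; i <= NF; i++) printf "%s ", $i; print "" }'
}

# fw_has ITEM LIST: true if the space-separated LIST contains ITEM as a whole word.
fw_has() { case " $2 " in *" $1 "*) return 0 ;; esac; return 1; }

# fw_plan: reads list-all output on stdin and prints the permanent firewall-cmd
# commands needed to reach the desired state (anything not wanted is removed,
# e.g. the default dhcpv6-client service), followed by the reload that applies them.
fw_plan() {
  cur=$(cat)
  cur_services=$(printf '%s\n' "$cur" | fw_field services)
  cur_ports=$(printf '%s\n' "$cur" | fw_field ports)
  for s in $WANT_SERVICES; do
    fw_has "$s" "$cur_services" || echo "firewall-cmd --permanent --zone=$ZONE --add-service=$s"
  done
  for s in $cur_services; do
    fw_has "$s" "$WANT_SERVICES" || echo "firewall-cmd --permanent --zone=$ZONE --remove-service=$s"
  done
  for p in $WANT_PORTS; do
    fw_has "$p" "$cur_ports" || echo "firewall-cmd --permanent --zone=$ZONE --add-port=$p"
  done
  for p in $cur_ports; do
    fw_has "$p" "$WANT_PORTS" || echo "firewall-cmd --permanent --zone=$ZONE --remove-port=$p"
  done
  echo "firewall-cmd --reload"
}

# Constructed sample of what a clean Centos 7 install reports for the public zone.
SAMPLE_LIST_ALL='public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources: 
  services: dhcpv6-client ssh
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: '

# Real use, as root:
#   firewall-cmd --zone=public --list-all | fw_plan         # review the plan
#   firewall-cmd --zone=public --list-all | fw_plan | sh    # apply it
#   firewall-cmd --zone=public --query-port=9090/tcp        # verify the runtime state afterwards
printf '%s\n' "$SAMPLE_LIST_ALL" | fw_plan
```

Against the sample this prints four --add-service lines (smtp, dns, http, https), one --remove-service for dhcpv6-client, the --add-port for 9090/tcp and the reload; running it a second time after applying prints only the reload, which is the idempotence check.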
Using sshd (OpenSSH) to chroot sftp users (see Guide chapter 10)
OVERVIEW: Be SURE!! to test the chroot when done, as mistakes are easy!!
For the chroot to work, the user must be configured with the /sbin/nologin shell,
/etc/ssh/sshd_config must be configured appropriately as described below, and the chroot directory
itself (and every directory above it) must be owned by root and not writable by group or others;
otherwise sshd refuses the login and closes the connection immediately.
There are two methods to confine users who sftp into the server to their individual home dirs:
MATCH USER and MATCH GROUP.
Our default /etc/ssh/sshd_config file has been modified as follows to allow both methods
(the Match blocks go at the end of the file, since every line after a Match belongs to it until the next Match):
    Subsystem sftp internal-sftp
    Match Group clientuser_sftp
        ChrootDirectory /var/www/html/%u
        ForceCommand internal-sftp
    #Match User ftpNancyT
    #    ForceCommand internal-sftp
    #    ChrootDirectory /var/www/html/nancyt
The main difference is that
MATCH USER requires you to append to /etc/ssh/sshd_config (then run "sshd -t" and reload sshd) every time
you add a user, while MATCH GROUP does not, but requires the home dir name to be the same as the user name.
Using the webcrn.sh script to create a chrooted user and website:
Our webcrn.sh script creates properly configured "regular" users that are chrooted to their
home dirs automatically. Run it from the webmaster's home dir as root, select "y" for regular user
and follow the prompts:
    enter the domain name with no suffix
    accept the remaining defaults, or answer n to change each item
    enter the user password when prompted
    hit y to confirm
    hit y to make the new site the default website when prompted
    hit y to update the vhosts.conf file when prompted
    hit y again to confirm the vhosts.conf changes
    optionally hit y to create a starter index.html file when prompted
When the script is finished, you have a new user configured as follows:
    username is the domain name with ftp99 appended
    user belongs to the clientuser_sftp group and has /sbin/nologin as its shell
    home dir is /var/www/html/<username>
    access and error logs are written to the /var/www/logs/<username> dir
    webalizer config file created as /var/www/webalizer/conf/<username>.conf
    webalizer data directory created as /var/www/webalizer/stat/<username>
    the user is chrooted to the home dir at login (so "/" in the sftp session is /var/www/html/<username>)
    a simple index.html file is created so you can test the installation immediately
Creating a chrooted user manually using the MATCH USER method:
Using testman as the user name:
A) Add the user:
    /usr/sbin/useradd testman -d /var/www/html/testman -s /sbin/nologin
    passwd testman
B) Make the appropriate directories (the chroot root must stay owned by root and must not be
   group- or world-writable; the user gets write access only inside site/):
    1) mkdir /var/www/html/testman (if not created by useradd)
    2) chown root:root /var/www/html/testman
    3) mkdir /var/www/html/testman/site
    4) chown -R testman:testman /var/www/html/testman/site
    5) chmod -R 755 /var/www/html/testman
    6) mkdir /var/www/logs/testman
    7) touch /var/www/logs/testman/access_log
C) Append a VirtualHost for the new domain to /etc/httpd/conf/vhosts.conf:
    1) DocumentRoot /var/www/html/testman/site
    2) ServerName testman.com
    3) ServerAlias www.testman.com
    4) ErrorLog /var/www/logs/testman/error_log
       CustomLog /var/www/logs/testman/access_log combined
       (keeping the logs under /var/www/logs, as the script does, keeps them out of the document root
       and gives webalizer's LogFile below something to read)
    5) apachectl configtest, then systemctl reload httpd.service
D) Add the following section at the end of /etc/ssh/sshd_config, then run sshd -t and
   systemctl reload sshd.service (keep your current session open until a fresh sftp login works):
    Match User testman
        ForceCommand internal-sftp
        ChrootDirectory /var/www/html/testman
E) If you want to create a webalizer configuration like the webcrn.sh script does:
    1) cd /var/www/webalizer
    2) mkdir stats/testman
    3) mkdir conf/testman
    4) cd conf
    5) cp webalizermodel.conf testman.conf
    6) edit testman.conf and append the following lines:
        a) LogFile /var/www/logs/testman/access_log
        b) OutputDir /var/www/webalizer/stats/testman
        c) HostName testman.com (webalizer only uses it for the report title and links, so the site's ServerName is the right value)
        d) IncrementalName webalizer.current
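Steps A, B and D above as a script, with the check that catches the usual chroot mistake. This is an added example, not the webcrn.sh script and not from the Guide; it assumes the directory layout above and must run as root to create anything. The chroot_path_ok function mirrors the test sshd itself applies to a ChrootDirectory (root-owned, not group/world-writable, all the way up the path); its optional OWNER_UID and STOP_AT parameters exist only so the check can be exercised on a scratch tree without root.

```shell
#!/bin/sh
# Added example (not from the guide): the manual MATCH USER procedure as a script,
# plus the check sshd performs on a ChrootDirectory. Paths follow the guide's layout.
WEBROOT=/var/www/html
LOGROOT=/var/www/logs

# chroot_path_ok DIR [OWNER_UID] [STOP_AT]: sshd refuses to chroot unless DIR and
# every parent directory are owned by root and not writable by group or others,
# and the failure shows up as a login that is closed immediately. OWNER_UID
# (default 0) and STOP_AT (default /) exist only so the check can be run on a
# scratch tree as a non-root user; leave them at the defaults on a real host.
chroot_path_ok() {
  dir=$1; want_uid=${2:-0}; stop=${3:-/}
  while :; do
    entry=$(ls -ldn "$dir") || return 1
    perms=$(printf '%s' "$entry" | cut -c1-10)          # e.g. drwxr-xr-x
    owner=$(printf '%s' "$entry" | awk '{print $3}')     # numeric uid
    [ "$owner" = "$want_uid" ] || { echo "$dir: owned by uid $owner, want $want_uid" >&2; return 1; }
    case "$perms" in
      ?????w*|????????w*) echo "$dir: group- or world-writable ($perms)" >&2; return 1 ;;
    esac
    if [ "$dir" = "$stop" ] || [ "$dir" = / ]; then return 0; fi
    dir=$(dirname "$dir")
  done
}

# make_sftp_user NAME: steps A and B of the manual procedure. The chroot root
# stays root-owned and 755; only NAME/site belongs to the user.
make_sftp_user() {
  name=$1; home=$WEBROOT/$name
  /usr/sbin/useradd "$name" -d "$home" -s /sbin/nologin
  mkdir -p "$home/site" "$LOGROOT/$name"
  chown root:root "$home"
  chmod 755 "$home"
  chown -R "$name:$name" "$home/site"
  chmod -R 755 "$home/site"
  touch "$LOGROOT/$name/access_log" "$LOGROOT/$name/error_log"
  chroot_path_ok "$home"
}

# sshd_match_block NAME: the stanza for step D. Append it at the END of
# /etc/ssh/sshd_config (everything after a Match line belongs to that Match),
# check with `sshd -t`, then `systemctl reload sshd.service`.
sshd_match_block() {
  printf 'Match User %s\n    ChrootDirectory %s/%s\n    ForceCommand internal-sftp\n' "$1" "$WEBROOT" "$1"
}

# Real use, as root:
#   sh this-script.sh create testman && passwd testman
#   sshd_match_block output >> /etc/ssh/sshd_config && sshd -t && systemctl reload sshd.service
#   sftp testman@localhost    # must land in / (the chroot) and be able to write only under /site
case "${1:-}" in
  create) make_sftp_user "$2" && sshd_match_block "$2" ;;
esac
```

If chroot_path_ok fails, fix the ownership or mode it names before touching sshd_config; a user whose chroot is rejected cannot log in at all, and sshd logs only "bad ownership or modes for chroot directory" on the server side.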
yum usage in Centos 7 (see Guide chapter 8)
Yum can query, fetch, install and update packages from the built-in repositories and user-added ones.
In the table below, glob_expression is a term with a * at the end; the * must be escaped with a \ so the
shell does not expand it, e.g. abrt\*
Task | Command
Check for updates to installed packages | yum check-update [package-name]
Update a single package | yum update package-name
Update all packages | yum update
Update security related packages | yum update --security (needs updateinfo metadata in the repos: RHEL provides it, the stock Centos base/updates repos do not, so on Centos this installs nothing and plain "yum update" is the way to get security fixes)
Update just security patches | yum update-minimal --security (same caveat as above)
Search for package(s) | yum search "term" "term" "term"...
List all packages | yum list all
List wildcard specified packages | yum list term1\* term2\* ...
List all installed packages | yum list installed [glob_expression]
List available packages | yum list available [glob_expression]
List available and enabled repositories | yum repolist [-v]
Display package information | yum info package-name
Display more package information | yumdb info package-name
Install a package | yum install package-name [package-name]
Remove a package | yum remove package-name
Show history of yum transactions | yum history list [all] [glob_expression] [1..5] [summary]
Install/remove groups of packages | see Guide chapter 8.3.2
Configuring yum and yum repositories | edit /etc/yum.conf, see Guide chapter 8.5
Adding a yum repository | yum-config-manager --add-repo repository_url
Enabling a yum repository | yum-config-manager --enable repositoryID
Configuring yum plugins | see Guide chapter 8.6.1
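"yum check-update" is the row most often scripted, and it has a trap: it exits 100 when updates are pending, 0 when there are none, and 1 on error, so a cron job that only tests for non-zero reports every patch Tuesday as a failure. The following is an added example (not from the Guide or from yum) of a check that handles those three exit codes and parses the package list; the sample_yum function and its output are constructed stand-ins for a real "yum -q check-update", used only for the offline demo.

```shell
#!/bin/sh
# Added example (not from the guide): a pending-updates check for a cron job or
# monitoring probe. `yum check-update` exits 100 when updates are available, 0 when
# there are none and 1 on error, so a plain "did it fail?" test gets it wrong.
# YUM is overridable only so the parser can be exercised without a real yum.
YUM=${YUM:-yum}

# pending_updates [extra yum args]: prints "name.arch version repo" per pending
# package (nothing when up to date); returns 0 on success, 2 if yum itself failed.
# Adding --security restricts it to advisories, which needs updateinfo metadata in
# the repos (RHEL ships it; the stock Centos base/updates repos do not).
pending_updates() {
  out=$($YUM -q check-update "$@") && rc=0 || rc=$?
  case $rc in
    0)   return 0 ;;
    100) ;;
    *)   echo "yum check-update failed (rc=$rc)" >&2; return 2 ;;
  esac
  # Package lines have three fields with a name.arch first field. The "Obsoleting
  # Packages" header has two fields, and the indented lines under it that name the
  # already-installed package carry an @repo third field; both are skipped.
  printf '%s\n' "$out" | awk 'NF == 3 && $1 ~ /\.[a-z0-9_]+$/ && $3 !~ /^@/ { print $1, $2, $3 }'
}

# Constructed sample of `yum -q check-update` output (exit status 100), used only
# by the offline demo below.
sample_yum() {
  printf '%s\n' \
    'kernel.x86_64           3.10.0-1160.el7             updates' \
    'openssl-libs.x86_64     1:1.0.2k-19.el7             updates' \
    'Obsoleting Packages' \
    'grub2-tools.x86_64      1:2.02-0.87.el7.centos      base' \
    '    grub2.x86_64        1:2.02-0.65.el7.centos      @anaconda'
  return 100
}

# Offline demo; real use is simply `pending_updates` or `pending_updates --security`.
( YUM=sample_yum; pending_updates --security )
```

On the sample it lists kernel, openssl-libs and grub2-tools and skips the @anaconda line; a host with nothing pending prints nothing and returns 0, and a yum failure returns 2 with the message on stderr, so the three cases are distinguishable from a cron wrapper.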
Configuring the installed named DNS server
The named DNS service is installed and configured as an authoritative server.
If you're not using it, stop and disable it (systemctl stop named.service, then systemctl disable named.service)
so port 53 is not left listening on a public host for no reason.
If you want to configure a slave DNS server, log into Webmin at https://ip:9090,
then Servers > BIND DNS Server to add slave zones.
The easiest way to make a master DNS server is to make a slave server first, then
use Webmin to convert the zones to master zones.