{"id":3761,"date":"2019-09-15T12:01:48","date_gmt":"2019-09-15T00:01:48","guid":{"rendered":"http:\/\/www.zoyinc.com\/?p=3761"},"modified":"2020-04-17T14:52:00","modified_gmt":"2020-04-17T02:52:00","slug":"centos-7-vm-for-wordpress-and-mythtv-post-install-setup","status":"publish","type":"post","link":"http:\/\/www.zoyinc.com\/?p=3761","title":{"rendered":"CentOS 7 VM for WordPress and MythTV – Post install setup"},"content":{"rendered":"

\"\"<\/p>\n

In the post\u00a0CentOS 7 base VM for WordPress and MythTV<\/a> I described how to create a base CentOS 7 VM. This post describes follows on from that post and describes the post installation tasks to make the VM a good solid base for me to run WordPress or MythTV.<\/p>\n

When setting up a Linux server there are a lot of choices you make and some of the more important ones are around security. There is an enormous amount you can do to lock down a server but it comes at a cost to time, effort and inconvenience.<\/p>\n

This setup is based on my requirements. My MythTV box is sitting on our LAN behind a reasonable firewall, it’s not used to surf the internet, it’s a media player.<\/p>\n

The WordPress server is in a DMZ completely separated from the LAN – from the LAN you can get to it but it can’t get to the LAN. It is sitting behind the same SonicWall firewall. I am planning on setting up WordPress to do daily backups of the DB and filesystem. So if it gets hacked then I rollback to a “known good” copy of the VM and then the backups are restored to it. I don’t believe I need firewalls on the host and because only HTTP and HTTPS are exposed I think security is adequate.Initial stuff<\/p>\n

Generic<\/h1>\n

Disable SE Linux<\/h2>\n

SE Linux has it’s place but it is complicated to administer and is not required for my boxes. When enabled it can cause all sorts of weird things not to work, things that I have spent hours trying to nut out only find it was SE Linux.<\/p>\n

Best to disable it right at the beginning!<\/p>\n

Backup and then edit the file \/etc\/selinux\/config<\/p>\n

Set the following:<\/p>\n

SELINUX=disabled<\/p>\n

Save the file<\/p>\n

Disable the firewall<\/h2>\n

Run the following:<\/p>\n

sudo systemctl stop firewalld
\nsudo systemctl disable firewalld
\nsudo systemctl mask –now firewalld<\/p>\n

Install the GUI – User Manager<\/h2>\n

This appears under “Sundry” in desktop menu. Run the following:<\/p>\n

yum install system-config-users<\/p>\n

Miscellaneous<\/h2>\n

Run the following to install any missing items:<\/p>\n

yum install telnet<\/p>\n

Enable the epel repo<\/p>\n

sudo yum install epel-release
\nrpm -Uvh http:\/\/rpms.famillecollet.com\/enterprise\/remi-release-7.rpm<\/p>\n

Enable software collections, scl:<\/p>\n

yum update
\nyum install centos-release-scl
\nyum install scl-utils-build<\/p>\n

You should edit the file \u201c\/etc\/yum.conf\u201d and look for the line:<\/p>\n

installonly_limit=5<\/p>\n

Change this to a 2. This is to stop previous kernels filling up the “\/boot” partition. See my post: Low Disk Space on \u201cboot\u201d<\/a><\/p>\n

Restart the host<\/h2>\n

Would be good to restart the VM now, just to make sure everything still works and ensure that SELinux is disabled.<\/p>\n

Create users and Groups<\/h2>\n

We some custom users and groups. Create the following:<\/p>\n

groupadd sambaguest
\nuseradd sambaguest -d \/home\/sambaguest -g sambaguest -s \/bin\/bash
\ngroupadd backup
\nuseradd backup -d \/home\/backup -g backup -s \/bin\/bash<\/p>\n

 <\/p>\n

Install MariaDB<\/h1>\n

MariaDB replaces MySQL but the version that comes with CentOS is 5.5.60 and we need version 10 for WordPress. You will note we have not yet selected to install either MariaDB or MySQL.<\/p>\n

yum install rh-mariadb102<\/p>\n

Enable the software collection and start the service<\/p>\n

scl enable rh-mariadb102 bash
\nservice rh-mariadb102-mariadb start<\/p>\n

Setup MariaDB<\/p>\n

mysql_secure_installation\u00a0\u00a0\u00a0 (If you exited bash you will have to run “scl enable rh-mariadb102 bash” again)<\/p>\n

You will be prompted with some questions. Below are the questions and my answers:<\/p>\n

Enter current password for root = This is the root database user, (First time this will be blank)
\nSet root password? [Y\/n] = Y
\nNew password: ******
\nRemove anonymous users? [Y\/n] = Y
\nDisallow root login remotely? [Y\/n] = n
\nRemove test database and access to it? [Y\/n] = Y
\nReload privilege tables now? [Y\/n] = Y<\/p>\n

I want to be able to connect remotely as the root user so run the following. Note when you first login remember it is the root password for the DB user remote. Where I have “<root password>, again this is the DB root user:<\/p>\n

mysql -u root -p
\nGRANT ALL PRIVILEGES ON *.* TO ‘root’@’%’ IDENTIFIED BY ‘<root password>’ WITH GRANT OPTION;
\nGRANT ALL ON *.* to ‘root’@’%’;
\nuse mysql;
\nUPDATE user SET authentication_string=PASSWORD(‘<root password>’) where User=’root’;
\nUPDATE user SET plugin=”mysql_native_password”;
\nFLUSH PRIVILEGES;
\nexit<\/p>\n

The ‘WITH GRANT OPTION’ is important otherwise even though you did grant all privileges this doesn’t appear to include GRANT.<\/p>\n

You should enable timezones which is required for MythTV if not others. Ensure you are still running “scl enable rh-mariadb102 bash”. Run the following<\/p>\n

mysql_tzinfo_to_sql \/usr\/share\/zoneinfo | mysql -u root mysql -p<\/p>\n

This will prompt you for the password for the root user in MariaDB – not the Unix account, the MariaDB root account. You may also get some warnings :<\/p>\n

[root@mythsvr2 ~]# mysql_tzinfo_to_sql \/usr\/share\/zoneinfo | mysql -u root mysql -p\r\nEnter password: \r\nWarning: Unable to load '\/usr\/share\/zoneinfo\/leapseconds' as time zone. Skipping it.\r\nWarning: Unable to load '\/usr\/share\/zoneinfo\/tzdata.zi' as time zone. Skipping it.<\/pre>\n
Now enable MariaDB so it will autostart:<\/p>\n
systemctl enable rh-mariadb102-mariadb.service<\/p>\n
At this stage I would try to connect remotely as root, using say HeidiSQL. I would then restart the VM and double check that Maria has restarted – it should do.<\/p>\n
PostgreSQL 10<\/h1>\n
This is available in Software collections so begin by installing:<\/p>\n
yum install rh-postgresql10 rh-postgresql10-postgresql-devel<\/p>\n
Now scl enable PostgreSQL, initialize the DB then enable and start the service:<\/p>\n
scl enable rh-postgresql10 bash
\npostgresql-setup –initdb
\nsystemctl enable rh-postgresql10-postgresql.service
\nservice rh-postgresql10-postgresql start<\/p>\n
Note “–initdb” doesn’t ask any questions, just initializes.<\/p>\n
To enable remote access, from the LAN etc, we need to edit two files “pg_hba.conf” and “postgresql.conf”. Because this is running under software collections the folder is:<\/p>\n
\/var\/opt\/rh\/rh-postgresql10\/lib\/pgsql\/data<\/p>\n
So run the following commands<\/p>\n
systemctl stop rh-postgresql10-postgresql.service
\ncd \/var\/opt\/rh\/rh-postgresql10\/lib\/pgsql\/data
\ncp pg_hba.conf pg_hba.conf.ootb
\ncp postgresql.conf postgresql.conf.ootb<\/p>\n
Now edit postgresql.conf using your favorite editor and add the following lines at the bottom: access:<\/p>\n
# centos7-base customizations
\nlisten_addresses = ‘*’<\/p>\n
Now edit “pg_hba.conf” in the same folder and add the following lines:<\/p>\n
host all all 0.0.0.0\/0 md5
\nhost all all ::\/0 md5<\/p>\n
In the same file, “pg_hba.conf”, look for the following lines near the bottom:<\/p>\n
# “local” is for Unix domain socket connections only
\nlocal all all peer<\/span>
\n# IPv4 local connections:
\nhost all all 127.0.0.1\/32 ident<\/span><\/p>\n
and change the highlighted text to as below:<\/p>\n
# “local” is for Unix domain socket connections only
\nlocal all all trust<\/span>
\n# IPv4 local connections:
\nhost all all 127.0.0.1\/32 trust<\/span><\/p>\n
Now restart PostgreSQL and try to connect from your LAN computer.<\/p>\n
We now need to create a DB “root” user. This is different from the Linux account “root”. Because we need to do this via scl and scl clears environment variables, we can’t simply run “psql” we need to run the following:<\/p>\n
su – postgres -c ‘scl enable rh-postgresql10 — psql’<\/p>\n
This should put you into psql with a prompt “postgres=#”. To create the “root” DB user run:<\/p>\n
CREATE ROLE root SUPERUSER LOGIN PASSWORD ‘<my root DB password>’;<\/p>\n
To exit psql type “\\q<enter>”.<\/p>\n
At this point it would be a good idea to restart the VM and check that PostgreSQL starts on boot and that the login also works.<\/p>\n
Apache, PHP and Python<\/h1>\n
To install Apache 2.4, PHP 7.2 and Python 3.6 and have them all working together I installed them all using Software Collections. You can read about what I did in the post CentOS 7 + PHP 7.2 + Python 3.6 + Apache 2.4<\/a><\/p>\n
Create Apache users<\/h2>\n
I authenticate my users using basic authentication created by Apache’s htpasswd. For this box we will create some custom users.<\/p>\n
Run<\/p>\n
scl enable httpd24 bash
\nhtpasswd -c \/srv\/conf\/apache.users tony
\nhtpasswd \/srv\/conf\/apache.users svnanonymous
\nexit<\/p>\n
So this will create the file and create a user “tony” and one called “svnanonymous”. Also create an Apache group file:<\/p>\n
admin: tony\r\nfamily: tony jackie josh\r\nsvn: tony jackie josh svn<\/pre>\n
Self-signed SSL certificate<\/h2>\n
The goal is not to use self-signed certificates are these are not trusted by default. However should you want to go down this path, this is what to do.<\/p>\n
You should follow the instructions in the post\u00a0Adding an SSL certificate to Apache<\/a> , however,<\/span><\/strong> as you know we are using the software collections httpd24, which is the Apache httpd, so when the instructions say to move to:<\/p>\n
cd \/etc\/httpd\/conf.d<\/p>\n
You should instead move to:<\/p>\n
\/opt\/rh\/httpd24\/root\/etc\/httpd\/conf.d<\/p>\n
Otherwise the instructions are fine for creating the ssl certificate.<\/p>\n
Next you need to edit the ssl config file for Apache. So edit:<\/p>\n
\/opt\/rh\/httpd24\/root\/etc\/httpd\/conf\/ssl.conf<\/p>\n
Add:<\/p>\n
NSSEnforceValidCerts off<\/p>\n
Change:<\/p>\n
SSLCertificateFile \/etc\/pki\/tls\/certs\/localhost.crt<\/p>\n
to<\/p>\n
SSLCertificateFile \/opt\/rh\/httpd24\/root\/etc\/httpd\/conf.d\/zoyinc.com.crt<\/p>\n
Then change:<\/p>\n
SSLCertificateKeyFile \/opt\/rh\/httpd24\/root\/etc\/httpd\/conf.d\/zoyinc.com.key<\/p>\n
to:<\/p>\n
SSLCertificateFile \/opt\/rh\/httpd24\/root\/etc\/httpd\/conf.d\/zoyinc.com.key<\/p>\n
You can test your changes by running:<\/p>\n
scl enable http24-httpd bash
\nhttpd -t
\nexit<\/p>\n
Tomcat<\/h1>\n
Follow the instructions in Installing Tomcat 9 behind Apache on CentOS 7<\/a><\/p>\n
Subversion<\/h1>\n
Running SVN and using it in Apache and running Apache via scl means SVN also has to be run in scl. The bit that is not obvious is the software collection you need is actually sclo-subversion19<\/strong>.<\/p>\n
Note that for software collections:<\/p>\n