Tag: CentOS

  • How to Migrate CentOS 7 cPanel Server to Almalinux 8

    CentOS Linux was discontinued at the end of 2021 in favor of CentOS Stream. CentOS 7 will continue to be supported through the remainder of the RHEL 7 life cycle, which will end on June 30, 2024. If you are using a CentOS 7 server with cPanel, it is better to upgrade to AlmaLinux 8, which is a clone of RHEL 8 supported by cPanel.

    cPanel provides an open-source script to upgrade your CentOS 7 installation to AlmaLinux.

    https://github.com/cpanel/elevate

    Download elevate-cpanel

    To download elevate-cpanel, run

    wget -O /scripts/elevate-cpanel https://raw.githubusercontent.com/cpanel/elevate/release/elevate-cpanel
    chmod 700 /scripts/elevate-cpanel
    

    Update the server

    yum update
    /scripts/upcp
    

    Reboot the server

    reboot
    

    Check for upgrade blockers

    You need to run this script to see whether the software installed on your server is compatible with the upgrade.

    /scripts/elevate-cpanel --check --upgrade-to=almalinux
    

    If there is no problem detected, you can run the upgrade script.

    Upgrade to AlmaLinux 8

    To upgrade to AlmaLinux, run

    /scripts/elevate-cpanel --start --upgrade-to=almalinux
    

    The server will restart automatically during the upgrade process. Once it is finished, you will have AlmaLinux 8.

  • How to install MySQL 5.7 on CentOS 7 Server

    To install MySQL 5.7 on CentOS 7 server, install the repository

    rpm -ivh https://repo.mysql.com/mysql57-community-release-el7.rpm
    

    Import the MySQL GPG key with

    rpm --import https://repo.mysql.com/RPM-GPG-KEY-mysql-2022
    

    Install MySQL with the command

    yum install mysql-community-server.x86_64
    

    Enable MySQL to start on boot

    systemctl enable mysqld
    

    Start MySQL with

    systemctl start mysqld
    

    Find the initial MySQL password with the command

    grep 'password' /var/log/mysqld.log
    

    This initial password is expired, so you must change it before you can start using the MySQL server.

    To set MySQL password and secure MySQL server, run the command

    mysql_secure_installation
    
  • Static IP for CentOS LXC container

    LXC containers get a dynamic IP from DHCP. When you stop and start a container, its IP changes. If you are hosting a web application on the container, you then need to point the application to the new IP. To avoid this, you can configure a static IP on the container.

    LXC containers get IP in the range 10.0.3.2-255. To make CentOS container IP static, edit file

    vi /etc/sysconfig/network-scripts/ifcfg-eth0 
    

    Find

    BOOTPROTO=dhcp
    

    Replace with

    BOOTPROTO=static
    

    Add below

    IPADDR=10.0.3.2
    GATEWAY=10.0.3.1
    DNS1=1.1.1.1
    DNS2=8.8.8.8
    

    Replace 10.0.3.2 with any unused IP in the range that LXC assigns to containers using DHCP.

    Create a static route file

    vi /etc/sysconfig/network-scripts/route-eth0
    

    Add

    10.0.3.1 dev eth0
    default via 10.0.3.1 dev eth0
    

    After restarting the LXC container, you will have a fixed IP.

    reboot
    
  • How to Migrate CentOS to Oracle Linux

    Oracle Linux is 100% binary-compatible with Red Hat Enterprise Linux, the same as CentOS. Unlike RHEL, Oracle Linux is free even for commercial use. Oracle only charges if you need support.

    Oracle provides a script to convert CentOS to Oracle Linux

    https://github.com/oracle/centos2ol

    This script supports CentOS 6, CentOS 7 and CentOS 8.

    Before you can run the convert script, make sure you have updated the system to the latest version with yum or dnf and take a backup in case anything goes wrong.

    yum update
    

    Download the centos2ol script

    wget https://raw.githubusercontent.com/oracle/centos2ol/main/centos2ol.sh
    

    Convert your CentOS installation to Oracle Linux with the command

    bash centos2ol.sh -V
    

    Reboot the server

    reboot
    
  • Install Nginx ModSecurity on CentOS 7

    ModSecurity is a Web Application Firewall that protects your website from hacking attacks. It is Open Source and free to use. It can be used with webservers like Apache, Nginx, and IIS. To install ModSecurity with Nginx, we need to compile the ModSecurity Nginx module and activate it in the Nginx configuration file.

    Install the compilers and libraries needed for building the source code.

    yum groupinstall "Development Tools"
    

    Install the dependencies

    yum install bison curl curl-devel doxygen flex gcc-c++ git GeoIP-devel libxml2 libxml2-devel lmdb lmdb-devel lua lua-devel pcre-devel ssdeep ssdeep-devel yajl yajl-devel zlib-devel
    

    Download and install ModSecurity

    cd /usr/local/src/
    git clone --depth 1 -b v3/master --single-branch https://github.com/SpiderLabs/ModSecurity
    cd ModSecurity/
    git submodule init
    git submodule update
    ./build.sh
    ./configure
    make
    make install
    

    Clone ModSecurity-nginx repository. This contains Nginx ModSecurity module source code.

    cd /usr/local/src
    git clone --depth 1 https://github.com/SpiderLabs/ModSecurity-nginx.git
    

    We need to download the source code for the version of Nginx you are running now. For this, check Nginx version with the command

    [root@ok ~]# nginx -v
    nginx version: nginx/1.20.1
    [root@ok ~]#
    

    In this case, we use Nginx 1.20.1. Go to http://nginx.org/en/download.html and download the source code for the Nginx version you are using.

    cd /usr/local/src
    wget http://nginx.org/download/nginx-1.20.1.tar.gz
    tar xvf nginx-1.20.1.tar.gz
    cd nginx-1.20.1
    

    Find out the configure command used to compile nginx.

    [root@ok ~]# nginx -V
    nginx version: nginx/1.20.1
    built by gcc 4.8.5 20150623 (Red Hat 4.8.5-44) (GCC) 
    built with OpenSSL 1.0.2k-fips  26 Jan 2017
    TLS SNI support enabled
    configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib64/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-compat --with-file-aio --with-threads --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-mail --with-mail_ssl_module --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-cc-opt='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic -fPIC' --with-ld-opt='-Wl,-z,relro -Wl,-z,now -pie'
    [root@ok ~]# 
    

    You can see the configure arguments on the last line. We need to use these same arguments when we compile Nginx from source code.

    Run

    cd /usr/local/src/nginx-1.20.1
    ./configure --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib64/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-compat --with-file-aio --with-threads --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-mail --with-mail_ssl_module --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-cc-opt='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic -fPIC' --with-ld-opt='-Wl,-z,relro -Wl,-z,now -pie' --add-dynamic-module=../ModSecurity-nginx
    

    In the above, we added --add-dynamic-module=../ModSecurity-nginx at the end of the configure command to compile the Nginx module.
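
    Copying the long argument list by hand is error-prone, and a module built from a different Nginx version than the running binary will not load. The script below is an added example, not part of the original post: it reads the version and configure arguments from `nginx -V` output and prints the matching ./configure line. The function names and the shortened sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): derive the module build
# command from `nginx -V` instead of copying the arguments by hand.

# Constructed, shortened sample of `nginx -V` output.
sample_nginx_V() {
cat <<'EOF'
nginx version: nginx/1.20.1
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-44) (GCC)
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --with-compat --with-http_ssl_module --with-cc-opt='-O2 -g -fPIC' --with-ld-opt='-Wl,-z,relro -Wl,-z,now -pie'
EOF
}

# stdin: `nginx -V` text; stdout: version number, e.g. 1.20.1
nginx_version() {
    sed -n 's|^nginx version: nginx/\([0-9][0-9.]*\).*|\1|p'
}

# stdin: `nginx -V` text; stdout: the argument string, quotes preserved
nginx_configure_args() {
    sed -n 's/^configure arguments: //p'
}

# $1 = `nginx -V` text, $2 = source directory such as /usr/local/src/nginx-1.20.1
# Succeeds only when the source tree is the same version as the binary.
source_matches_binary() {
    ver=$(printf '%s\n' "$1" | nginx_version)
    [ -n "$ver" ] && [ "$(basename "$2")" = "nginx-$ver" ]
}

# $1 = `nginx -V` text, $2 = module source path
# Prints the ./configure line with --add-dynamic-module appended.
module_configure_cmd() {
    args=$(printf '%s\n' "$1" | nginx_configure_args)
    if [ -z "$args" ]; then
        echo "no 'configure arguments:' line found" >&2
        return 1
    fi
    case " $args " in
        *" --with-compat "*) ;;
        *) echo "warning: binary was built without --with-compat" >&2 ;;
    esac
    printf './configure %s --add-dynamic-module=%s\n' "$args" "$2"
}

# On a server use: out=$(nginx -V 2>&1)   # nginx -V prints to stderr
out=$(sample_nginx_V)
if source_matches_binary "$out" /usr/local/src/nginx-1.20.1; then
    module_configure_cmd "$out" ../ModSecurity-nginx
else
    echo "source tree version differs from the running nginx" >&2
fi
```

    Review the printed line and paste it into the shell from inside the Nginx source directory; the quoted --with-cc-opt and --with-ld-opt values are kept intact.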

    To build Nginx modules, run

    make modules
    

    Once the module is built, copy it to /etc/nginx/modules

    cp objs/ngx_http_modsecurity_module.so /etc/nginx/modules
    

    Copy ModSecurity configuration files

    cp /usr/local/src/ModSecurity/modsecurity.conf-recommended /etc/nginx/modsecurity.conf
    cp /usr/local/src/ModSecurity/unicode.mapping /etc/nginx/unicode.mapping
    

    Enable ModSecurity

    sed -i 's/SecRuleEngine DetectionOnly/SecRuleEngine On/g' /etc/nginx/modsecurity.conf
    

    To load ModSecurity module, edit file

    vi /etc/nginx/nginx.conf
    

    Find

    worker_processes  auto;
    

    Add below

    load_module modules/ngx_http_modsecurity_module.so;
    

    Edit your server config (virtual host entry), add

    modsecurity on;
    modsecurity_rules_file /etc/nginx/modsecurity.conf;
    

    Install ModSecurity Rules

    You can download ModSecurity rules from

    https://coreruleset.org

    At the time of writing this, the latest version is v3.3.2. So let’s download and install it.

    cd /usr/local/src
    wget https://github.com/coreruleset/coreruleset/archive/refs/tags/v3.3.4.tar.gz
    tar xvf v3.3.4.tar.gz
    mv coreruleset-3.3.4 /etc/nginx
    cd /etc/nginx/coreruleset-3.3.4
    cp crs-setup.conf.example crs-setup.conf
    

    To activate the rule, edit the file

    vi /etc/nginx/modsecurity.conf
    

    At end of the file, add

    Include /etc/nginx/coreruleset-3.3.4/crs-setup.conf
    Include /etc/nginx/coreruleset-3.3.4/rules/*.conf
    SecRule ARGS:sec-test "@contains hacker" "id:1234,deny,status:403"
    

    Restart Nginx

    systemctl restart nginx
    

    To verify ModSecurity is working, access your website URL with

    curl -I http://YOUR-SERVER-IP-OR-DOMAIN/?sec-test=hacker
    

    You will see a 403 Forbidden error.

    boby@sok-01:~$ curl -I http://152.167.4.94?sec-test=hacker
    HTTP/1.1 403 Forbidden
    Server: nginx/1.20.1
    Date: Mon, 12 Jul 2021 18:24:36 GMT
    Content-Type: text/html
    Content-Length: 153
    Connection: keep-alive
    
    boby@sok-01:~$ 
    

  • bash: mysql_safe: command not found

    On CentOS 7 server running MySQL 5.7, when trying to reset MySQL root password, I get an error

    [root@SAU-8E161-OR ~]# mysqld_safe --skip-grant-tables
    -bash: mysqld_safe: command not found
    [root@SAU-8E161-OR ~]# 
    

    This is because MySQL 5.7 installation using yum removed the mysqld_safe binary file.

    To reset, you need to start MySQL using systemctl with the skip-grant-tables option, so you don’t need mysqld_safe. To see how to reset the MySQL root password on CentOS 7, follow the instructions available at

    CentOS 7 MySQL 5.7 root password reset

  • yum fix duplicate package error

    When installing a package, I get the following error

    Protected multilib versions: 1:systemd-libs-219-78.el7.cloudlinux.i686 != 1:systemd-libs-219-78.el7_9.2.cloudlinux.x86_64
    

    To fix, remove the conflicting package with

    rpm -e --nodeps --justdb systemd-libs
    

  • Red Hat Killing CentOS Linux, Fight for CentOS clone

    Red Hat, the parent company of CentOS Linux, announced it will stop supporting CentOS 8, the latest version of CentOS. CentOS is built from the source code of RHEL, making a free version of the stable and well-tested enterprise-ready RHEL Linux. CentOS 7 will keep getting security updates until it reaches End Of Life on June 30th, 2024. For Red Hat, maintaining CentOS won’t help with their business. Now that they don’t need to maintain CentOS, this will force many users to pay for Red Hat Enterprise Linux (RHEL).

    The new version of CentOS, known as CentOS Stream, is a rolling release. It will be used as a staging version of RHEL. Red Hat expects CentOS Stream to be stable and to allow community participation, as users will be able to contribute to CentOS Stream. With CentOS, community contribution was limited because it was a copy of RHEL.

    CentOS is popularly used in web hosting servers as cPanel only supported RHEL-based Linux. With the death of CentOS 8, cPanel has announced they will accelerate investment in development efforts to support additional operating systems. cPanel will support Ubuntu LTS and expects to deliver a production-ready version in late 2021. After Ubuntu LTS, they will look into supporting Debian. Ubuntu is very popular with Cloud Servers as it comes with the latest software compared to CentOS. With many developers already using Ubuntu on their Desktop, supporting Ubuntu is a wise decision by cPanel.

    With the unexpected demise of CentOS 8, many users will be looking for an alternative OS. This opens up the market for the next CentOS clone.

    Rocky Linux

    CentOS co-founder Gregory Kurtzer announced he will be releasing his own Red Hat Enterprise Linux (RHEL) replacement, Rocky Linux. No ETA on the release date yet.

    https://rockylinux.org

    You can join the discussion on their subreddit, reddit.com/r/RockyLinux/

    Project Lenix

    Igor Seletskiy, CloudLinux CEO and founder, said they will make their own RHEL patch-to-patch compatible Open Source Linux – Project Lenix.

    CloudLinux is a CentOS-based commercial Linux that is popular among web hosting providers as it allows per-user resource limits and user isolation with CageFS. They also support kernel updates without reboot.

    CloudLinux will be investing more than a million dollars into Project Lenix. CentOS 8 users will be able to convert to Project Lenix or CloudLinux easily without reboot. In the announcement Igor Seletskiy said “Red Hat’s announcement has left users looking for an alternative with all that CentOS provides and without the disruption of having to move to alternative distributions. We promise to dedicate the resources required to Project Lenix that will ensure impartiality and a not-for-profit community initiative. CloudLinux already has the assets, infrastructure, and experience to carry out the mission, and we promise to be open about the process of developing Project Lenix”.

  • CentOS 6 Invalid release/repo/arch combination

    When I run yum update on a CentOS 6 server, I get the error “Invalid release/repo/arch combination/”.

    This error is due to CentOS 6 reaching its End Of Life and no longer being supported.

    What you need to do is upgrade your server to the latest supported CentOS versions like CentOS 7 or CentOS 8. Converting to Oracle Linux 6 is another option, it is binary compatible with CentOS/RHEL 6, offers extended support until Jun 2024 and Indefinite Sustaining Support. If you want to convert CentOS 6 to Oracle Linux, see How to Migrate CentOS to Oracle Linux.

    If you just need to fix the error, you need to go through each .repo file in the folder

    /etc/yum.repos.d/
    

    Comment out lines like

    mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=os&infra=$infra
    

    Replace it with the CentOS 6 vault repo URL

    baseurl=https://vault.centos.org/centos/$releasever/os/$basearch/
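
    The manual edit described above can be scripted. The following is an added example, not part of the original post or the serverok/centos6-repo repository: it comments out each mirrorlist line, writes the vault baseurl for the repo named in that line, and then lists any section that does not set gpgcheck=1, so the switch to the vault does not silently leave signature checking off. The sample file and function names are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): apply the mirrorlist -> vault
# edit to a .repo file and confirm package signature checking stays on.

# Constructed sample in the layout of a stock CentOS 6 .repo file.
sample_repo() {
cat <<'EOF'
[base]
name=CentOS-$releasever - Base
mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=os&infra=$infra
#baseurl=http://mirror.centos.org/centos/$releasever/os/$basearch/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6

[updates]
name=CentOS-$releasever - Updates
mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=updates&infra=$infra
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6

[example-thirdparty]
name=Constructed third-party repo
baseurl=https://repo.example.invalid/el6/
gpgcheck=0
EOF
}

# stdin: .repo file; stdout: same file with every mirrorlist line commented
# out and followed by the vault baseurl for the repo it named (repo=os, ...).
rewrite_repo() {
    awk '
    /^mirrorlist=http:\/\/mirrorlist\.centos\.org\// && /[?&]repo=/ {
        repo = $0
        sub(/.*[?&]repo=/, "", repo)   # drop everything up to repo=
        sub(/&.*/, "", repo)           # drop the parameters after it
        print "#" $0
        print "baseurl=https://vault.centos.org/centos/$releasever/" repo "/$basearch/"
        next
    }
    { print }'
}

# stdin: .repo file; stdout: names of sections that do not set gpgcheck=1.
# (A default in the [main] section of yum.conf may still apply to them.)
sections_without_gpgcheck() {
    awk '
    function report() { if (name != "" && !ok) print name }
    /^\[.*\]$/ { report(); name = substr($0, 2, length($0) - 2); ok = 0; next }
    /^gpgcheck[ \t]*=[ \t]*1[ \t]*$/ { ok = 1 }
    END { report() }'
}

# On a server, keep a backup of each file while rewriting it:
#   for f in /etc/yum.repos.d/*.repo; do
#       cp -p "$f" "$f.bak" && rewrite_repo <"$f.bak" >"$f"
#   done
sample_repo | rewrite_repo
echo "sections without gpgcheck=1: $(sample_repo | rewrite_repo | sections_without_gpgcheck)"
```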
    

    You can find modified yum repository files at

    https://github.com/serverok/centos6-repo

    You can replace your existing repository files inside /etc/yum.repos.d folder with files in the above git repository with following commands.

    cd /etc
    mv yum.repos.d yum.repos.d-old
    git clone https://github.com/serverok/centos6-repo.git yum.repos.d
    

    If you get git not found error, you may need to manually download files from the repo and place in the directory /etc/yum.repos.d/.

    After this, you will be able to update your system. If you have any other repo installed, you can copy it from yum.repos.d-old folder to make it active again.

    Here is the updated CentOS-Base.repo file

    https://raw.githubusercontent.com/serverok/centos6-repo/main/CentOS-Base.repo

    # CentOS-Base.repo
    #
    # The mirror system uses the connecting IP address of the client and the
    # update status of each mirror to pick mirrors that are updated to and
    # geographically close to the client.  You should use this for CentOS updates
    # unless you are manually picking other mirrors.
    #
    # If the mirrorlist= does not work for you, as a fall back you can try the 
    # remarked out baseurl= line instead.
    #
    #
    
    [base]
    name=CentOS-$releasever - Base
    baseurl=https://vault.centos.org/centos/$releasever/os/$basearch/
    gpgcheck=1
    gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6
    
    #released updates 
    [updates]
    name=CentOS-$releasever - Updates
    baseurl=https://vault.centos.org/centos/$releasever/updates/$basearch/
    gpgcheck=1
    gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6
    
    #additional packages that may be useful
    [extras]
    name=CentOS-$releasever - Extras
    baseurl=https://vault.centos.org/centos/$releasever/extras/$basearch/
    gpgcheck=1
    gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6
    
    #additional packages that extend functionality of existing packages
    [centosplus]
    name=CentOS-$releasever - Plus
    baseurl=https://vault.centos.org/centos/$releasever/centosplus/$basearch/
    gpgcheck=1
    enabled=0
    gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6
    
    #contrib - packages by Centos Users
    [contrib]
    name=CentOS-$releasever - Contrib
    baseurl=https://vault.centos.org/centos/$releasever/contrib/$basearch/
    gpgcheck=1
    enabled=0
    gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6
    

    After updating yum repo, run

    yum clean all
    yum makecache
    
  • Install Monit on CentOS

    Monit allows you to monitor processes. It can restart a failed process or alert you when the server is overloaded.

    On CentOS server, you need to enable EPEL repo to install monit.

    yum install epel-release -y
    

    Install monit with

    yum install monit -y
    

    Enable monit to auto start on boot

    systemctl enable monit
    

    Start monit service

    systemctl start monit
    

    On CentOS, the monit configuration file is located at /etc/monitrc. To edit it, run

    vi /etc/monitrc
    

  • Prometheus init script for CentOS 6

    Create init file.

    touch /etc/rc.d/init.d/prometheus
    chmod 755 /etc/rc.d/init.d/prometheus
    vi /etc/rc.d/init.d/prometheus
    

    Add following

    #!/bin/bash
    #
    # /etc/rc.d/init.d/prometheus
    #
    # Prometheus monitoring server
    #
    #  chkconfig: 2345 20 80
    #  description: Prometheus monitoring server
    #  processname: prometheus
    
    # Source function library.
    . /etc/rc.d/init.d/functions
    
    PROGNAME=prometheus
    PROG=/usr/hostonnet/prometheus/$PROGNAME
    USER=prometheus
    LOGFILE=/var/log/prometheus.log
    DATADIR=/usr/hostonnet/prometheus/data
    LOCKFILE=/var/run/$PROGNAME.pid
    CONFIG_FILE=/usr/hostonnet/prometheus/prometheus.yml
    ALERT_MGR_URL=localhost:9093
    
    start() {
        echo -n "Starting $PROGNAME: "
        cd /usr/hostonnet/prometheus/
        #daemon --user $USER --pidfile="$LOCKFILE" "$PROG -config.file $CONFIG_FILE -storage.local.path $DATADIR -alertmanager.url $ALERT_MGR_URL &>$LOGFILE &"
        daemon --user $USER --pidfile="$LOCKFILE" "$PROG -config.file $CONFIG_FILE -storage.local.path $DATADIR &>$LOGFILE &"
        echo $(pidofproc $PROGNAME) >$LOCKFILE
        echo
    }
    
    stop() {
        echo -n "Shutting down $PROGNAME: "
        killproc $PROGNAME
        rm -f $LOCKFILE
        echo
    }
    
    
    case "$1" in
        start)
        start
        ;;
        stop)
        stop
        ;;
        status)
        status $PROGNAME
        ;;
        restart)
        stop
        start
        ;;
        reload)
        echo "Sending SIGHUP to $PROGNAME"
        kill -SIGHUP $(pidofproc $PROGNAME)
        ;;
        *)
            echo "Usage: service prometheus {start|stop|status|reload|restart}"
            exit 1
        ;;
    esac
    

    Create User For Prometheus

    groupadd -r prometheus
    useradd -r -g prometheus -s /sbin/nologin -d /usr/hostonnet/prometheus/ -c "prometheus Daemons" prometheus
    chown -R prometheus:prometheus /usr/hostonnet/prometheus/
    touch /var/log/prometheus.log
    chown prometheus:prometheus /var/log/prometheus.log
    
    

    Run prometheus on Boot

    chkconfig --add prometheus
    chkconfig prometheus on
    

    Verify it is enabled

    [root@backup ~]# chkconfig --list | grep prome
    prometheus     	0:off	1:off	2:on	3:on	4:on	5:on	6:off
    [root@backup ~]# 
    

    “3:on” will start prometheus on run level 3, that is normal boot.

    Start Prometheus

    [root@backup ~]# service prometheus start
    Starting prometheus:                                       [  OK  ]
    [root@backup ~]# 
    

  • rpmquery

    The rpmquery command allows you to check whether a specific rpm package is installed on your computer.

    rpmquery PKG_NAME
    

    Example

    root@server20 [~]# rpmquery nmap
    nmap-6.40-19.el7.x86_64
    root@server20 [~]# 
