diff --git a/docs/guides/email/01-email-system.md b/docs/guides/email/01-email-system.md index 4081eb3c82..262dad6665 100644 --- a/docs/guides/email/01-email-system.md +++ b/docs/guides/email/01-email-system.md @@ -61,14 +61,14 @@ As shown in the picture below, this is a simple illustration of the sending and For more information about postfix, please refer to these two links: -* [GitHub repository](https://github.com/vdukhovni/postfix) -* [Official website](http://www.postfix.org/) +- [GitHub repository](https://github.com/vdukhovni/postfix) +- [Official website](http://www.postfix.org/) ### The process of sending emails by the client ![legend01](./email-images/email-system02.jpg) -Postfix determines whether an email sent from a client belongs to the local or external domain. The email will be stored in the local domain mailbox if it belongs to the local domain. If the email sent belongs to an external domain, it is forwarded to another MTA (the user's identity needs to be verified from the database before forwarding). +Postfix determines whether an email sent from a client belongs to the local or external domain. The email will be stored in the local domain mailbox if it belongs to the local domain. If the email sent belongs to an external domain, it is forwarded to another MTA (the user's identity needs to be verified from the database before forwarding). ### The process of receiving emails by the client diff --git a/docs/guides/interoperability/import_rocky_to_wsl.md b/docs/guides/interoperability/import_rocky_to_wsl.md index f2704052a7..fb3dd3f622 100644 --- a/docs/guides/interoperability/import_rocky_to_wsl.md +++ b/docs/guides/interoperability/import_rocky_to_wsl.md @@ -16,7 +16,8 @@ tags: The Windows-Subsystem for Linux feature has to be enabled. This is possible with one of these options: - Since very shortly there is now [a new WSL version available in the Microsoft Store](https://apps.microsoft.com/store/detail/windows-subsystem-for-linux/9P9TQF7MRM4R), which has more features use this if possible -- Open an administrative Terminal (either PowerShell or Command-Prompt) and
run `wsl --install` ([ref.](https://docs.microsoft.com/en-us/windows/wsl/install)) +- Open an administrative Terminal (either PowerShell or Command-Prompt) and + run `wsl --install` ([ref.](https://docs.microsoft.com/en-us/windows/wsl/install)) - Go to the graphical Windows Settings and enable the optional feature `Windows-Subsystem for Linux` This feature should be available on every supported Windows 10 and 11 version right now. @@ -26,8 +27,12 @@ This feature should be available on every supported Windows 10 and 11 version ri 1. Get the container rootfs. This is possible in multiple ways: - **Prefered:** Download the image from the CDN: - - 8: [Base x86_64](https://dl.rockylinux.org/pub/rocky/8/images/x86_64/Rocky-8-Container-Base.latest.x86_64.tar.xz), [Minimal x86_64](https://dl.rockylinux.org/pub/rocky/8/images/x86_64/Rocky-8-Container-Minimal.latest.x86_64.tar.xz), [UBI x86_64](https://dl.rockylinux.org/pub/rocky/8/images/x86_64/Rocky-8-Container-UBI.latest.x86_64.tar.xz),
[Base aarch64](https://dl.rockylinux.org/pub/rocky/8/images/aarch64/Rocky-8-Container-Base.latest.aarch64.tar.xz), [Minimal aarch64](https://dl.rockylinux.org/pub/rocky/8/images/aarch64/Rocky-8-Container-Minimal.latest.aarch64.tar.xz), [UBI aarch64](https://dl.rockylinux.org/pub/rocky/8/images/aarch64/Rocky-8-Container-UBI.latest.aarch64.tar.xz) - - 9: [Base x86_64](https://dl.rockylinux.org/pub/rocky/9/images/x86_64/Rocky-9-Container-Base.latest.x86_64.tar.xz), [Minimal x86_64](https://dl.rockylinux.org/pub/rocky/9/images/x86_64/Rocky-9-Container-Minimal.latest.x86_64.tar.xz), [UBI x86_64](https://dl.rockylinux.org/pub/rocky/9/images/x86_64/Rocky-9-Container-UBI.latest.x86_64.tar.xz),
[Base aarch64](https://dl.rockylinux.org/pub/rocky/9/images/aarch64/Rocky-9-Container-Base.latest.aarch64.tar.xz), [Minimal aarch64](https://dl.rockylinux.org/pub/rocky/9/images/aarch64/Rocky-9-Container-Minimal.latest.aarch64.tar.xz), [UBI aarch64](https://dl.rockylinux.org/pub/rocky/9/images/aarch64/Rocky-9-Container-UBI.latest.aarch64.tar.xz) + - 8: [Base x86_64](https://dl.rockylinux.org/pub/rocky/8/images/x86_64/Rocky-8-Container-Base.latest.x86_64.tar.xz), [Minimal x86_64](https://dl.rockylinux.org/pub/rocky/8/images/x86_64/Rocky-8-Container-Minimal.latest.x86_64.tar.xz), [UBI x86_64](https://dl.rockylinux.org/pub/rocky/8/images/x86_64/Rocky-8-Container-UBI.latest.x86_64.tar.xz), + + [Base aarch64](https://dl.rockylinux.org/pub/rocky/8/images/aarch64/Rocky-8-Container-Base.latest.aarch64.tar.xz), [Minimal aarch64](https://dl.rockylinux.org/pub/rocky/8/images/aarch64/Rocky-8-Container-Minimal.latest.aarch64.tar.xz), [UBI aarch64](https://dl.rockylinux.org/pub/rocky/8/images/aarch64/Rocky-8-Container-UBI.latest.aarch64.tar.xz) + - 9: [Base x86_64](https://dl.rockylinux.org/pub/rocky/9/images/x86_64/Rocky-9-Container-Base.latest.x86_64.tar.xz), [Minimal x86_64](https://dl.rockylinux.org/pub/rocky/9/images/x86_64/Rocky-9-Container-Minimal.latest.x86_64.tar.xz), [UBI x86_64](https://dl.rockylinux.org/pub/rocky/9/images/x86_64/Rocky-9-Container-UBI.latest.x86_64.tar.xz), + + [Base aarch64](https://dl.rockylinux.org/pub/rocky/9/images/aarch64/Rocky-9-Container-Base.latest.aarch64.tar.xz), [Minimal aarch64](https://dl.rockylinux.org/pub/rocky/9/images/aarch64/Rocky-9-Container-Minimal.latest.aarch64.tar.xz), [UBI aarch64](https://dl.rockylinux.org/pub/rocky/9/images/aarch64/Rocky-9-Container-UBI.latest.aarch64.tar.xz) - Extract the image from either Docker Hub or Quay.io ([ref.](https://docs.microsoft.com/en-us/windows/wsl/use-custom-distro#export-the-tar-from-a-container)) ```sh diff --git a/docs/guides/mirror_management/add_mirror_manager.md b/docs/guides/mirror_management/add_mirror_manager.md index f6b48b04a2..f5c5824415 100644 --- a/docs/guides/mirror_management/add_mirror_manager.md +++ b/docs/guides/mirror_management/add_mirror_manager.md @@ -11,7 +11,7 @@ We always welcome new public mirrors. But they should be well maintained and hos Please do not submit mirrors hosted in an Anycast-CDN like Cloudflare, etc., as this can lead to sub-optimal performance with selecting the fastest mirror in `dnf`. -Please note that we cannot accept public mirrors in countries subject to US export regulations. You can find a list of those countries here: [https://www.bis.doc.gov/index.php/policy-guidance/country-guidance/sanctioned-destinations](https://www.bis.doc.gov/index.php/policy-guidance/country-guidance/sanctioned-destinations) +Please note that we cannot accept public mirrors in countries subject to US export regulations. You can find a list of those countries here: As of this writing (late 2022), storage space requirements for mirroring all current and past Rocky Linux releases is about 2 TB. @@ -26,7 +26,7 @@ Please set up a cron job to synchronize your mirror periodically and let it run Here are some crontab examples for you: -``` +```bash #This will synchronize your mirror at 0:50, 4:50, 8:50, 12:50, 16:50, 20:50 50 */6 * * * /path/to/your/rocky-rsync-mirror.sh > /dev/null 2>&1 @@ -40,27 +40,29 @@ Here are some crontab examples for you: For a simple synchronization you can use the following `rsync` command: -``` +```bash rsync -aqH --delete source-mirror destination-dir ``` + Consider using a locking mechanism to avoid running multiple `rsync` job simultaneously when we push a new release. -You can also use and modify our example script implementing locking and full sync if required. It can be found at [https://github.com/rocky-linux/rocky-tools/blob/main/mirror/mirrorsync.sh](https://github.com/rocky-linux/rocky-tools/blob/main/mirror/mirrorsync.sh). +You can also use and modify our example script implementing locking and full sync if required. It can be found at . After your first complete synchronization check that everything is fine with your mirror. Most importantly check all files and dirs got synchronized, your cron job is working properly and your mirror is reachable from the public Internet. Double check your firewall rules! To avoid any problems do not enforce http to https redirection. -If you have any questions setting up your mirror join https://chat.rockylinux.org/rocky-linux/channels/infrastructure +If you have any questions setting up your mirror join When you are done head over to the next section and propose your mirror to become public! ## What You Need -* An account on https://accounts.rockylinux.org/ + +- An account on ## Creating a site Rocky uses Fedora's Mirror Manager for organizing community mirrors. -Access Rocky's Mirror Manager here: https://mirrors.rockylinux.org/mirrormanager/ +Access Rocky's Mirror Manager here: After a successful login, your profile will be on the top right. Select the drop down then click "My sites". @@ -68,13 +70,13 @@ A new page will load listing all sites under the account. The first time it will A new page will load with an important Export Compliance statement to read. Then fill out the following information: -* "Site Name" -* "Site Password" - used by `report_mirrors` script, you make this anything you want -* "Organization URL" - Company/School/Organization URL e.g. https://rockylinux.org/ -* "Private" - Checking this box hides your mirror from public use. -* "User active" - Uncheck this box to temporarily disable this site, it will be removed from public listings. -* "All sites can pull from me?" - Enable all mirror sites to pull from me without explicitly adding them to my list. -* "Comments for downstream siteadmins. Please include your synchronization source here to avoid dependency loops." +- "Site Name" +- "Site Password" - used by `report_mirrors` script, you make this anything you want +- "Organization URL" - Company/School/Organization URL e.g. +- "Private" - Checking this box hides your mirror from public use. +- "User active" - Uncheck this box to temporarily disable this site, it will be removed from public listings. +- "All sites can pull from me?" - Enable all mirror sites to pull from me without explicitly adding them to my list. +- "Comments for downstream siteadmins. Please include your synchronization source here to avoid dependency loops." Upon clicking "Submit" you will be returned to the main mirror page. @@ -90,18 +92,18 @@ All of the options from the last section are listed again. At the bottom of the Fill out the following options that are appropriate for the site: -* "Host name" - required: FQDN of server as seen by a public end user -* "User active" - Uncheck this box to temporarily disable this host, it will be removed from public listings. -* "Country" - required: 2-letter ISO country code -* "Bandwidth" - required: integer megabits/sec, how much bandwidth this host can serve -* "Private" - e.g. not available to the public, an internal private mirror -* "Internet2" - on Internet2 -* "Internet2 clients" - serves Internet2 clients, even if private -* "ASN" - Autonomous System Number, used in BGP routing tables. Only if you are an ISP. -* "ASN Clients" - Serve all clients from the same ASN. Used for ISPs, companies, or schools, not personal networks. -* "Robot email" - email address, will receive notice of upstream content updates -* "Comment" - text, anything else you'd like a public end user to know about your mirror -* "Max connections" - Maximum parallel download connections per client, suggested via metalinks. +- "Host name" - required: FQDN of server as seen by a public end user +- "User active" - Uncheck this box to temporarily disable this host, it will be removed from public listings. +- "Country" - required: 2-letter ISO country code +- "Bandwidth" - required: integer megabits/sec, how much bandwidth this host can serve +- "Private" - e.g. not available to the public, an internal private mirror +- "Internet2" - on Internet2 +- "Internet2 clients" - serves Internet2 clients, even if private +- "ASN" - Autonomous System Number, used in BGP routing tables. Only if you are an ISP. +- "ASN Clients" - Serve all clients from the same ASN. Used for ISPs, companies, or schools, not personal networks. +- "Robot email" - email address, will receive notice of upstream content updates +- "Comment" - text, anything else you'd like a public end user to know about your mirror +- "Max connections" - Maximum parallel download connections per client, suggested via metalinks. Click "Create" and it will redirect back to the Information site for the host. @@ -109,13 +111,13 @@ Click "Create" and it will redirect back to the Information site for the host. At the bottom of the Information site, the option for "Hosts" should now display the host title next to it. Click on the name to load the host page. All of the same options from the previous step are listed again. There are new options at the bottom. -* "Site-local Netblocks": Netblocks are used to try to guide and end user to a site-specific mirror. For example, a university might list their netblocks, and the mirrorlist CGI would return the university-local mirror rather than a country-local mirror. Format is one of 18.0.0.0/255.0.0.0, 18.0.0.0/8, an IPv6 prefix/length, or a DNS hostname. Values must be public IP addresses (no RFC1918 private space addresses). Use only if you are an ISP and/or own a publicly routable netblock! +- "Site-local Netblocks": Netblocks are used to try to guide and end user to a site-specific mirror. For example, a university might list their netblocks, and the mirrorlist CGI would return the university-local mirror rather than a country-local mirror. Format is one of 18.0.0.0/255.0.0.0, 18.0.0.0/8, an IPv6 prefix/length, or a DNS hostname. Values must be public IP addresses (no RFC1918 private space addresses). Use only if you are an ISP and/or own a publicly routable netblock! -* "Peer ASNs": Peer ASNs are used to guide an end user on nearby networks to our mirror. For example, a university might list their peer ASNs, and the mirrorlist CGI would return the university-local mirror rather than a country-local mirror. You must be in the MirrorManager administrators group in order to create new entries here. +- "Peer ASNs": Peer ASNs are used to guide an end user on nearby networks to our mirror. For example, a university might list their peer ASNs, and the mirrorlist CGI would return the university-local mirror rather than a country-local mirror. You must be in the MirrorManager administrators group in order to create new entries here. -* "Countries Allowed": Some mirrors need to restrict themselves to serving only end users from their country. If you're one of these, list the 2-letter ISO code for the countries you will allow end users to be from. The mirrorlist CGI will honor this. +- "Countries Allowed": Some mirrors need to restrict themselves to serving only end users from their country. If you're one of these, list the 2-letter ISO code for the countries you will allow end users to be from. The mirrorlist CGI will honor this. -* "Categories Carried": Hosts carry categories of software. Example Fedora categories include Fedora and Fedora Archive. +- "Categories Carried": Hosts carry categories of software. Example Fedora categories include Fedora and Fedora Archive. Click on the "[add]" link under "Categories Carried". @@ -123,13 +125,13 @@ Click on the "[add]" link under "Categories Carried". For the Category, select "Rocky Linux" then "Create" to load the URL page. Then click "[add]" to load the "Add host category URL" page. There is one option. Repeat as needed for each of the mirrors supported protocols. -* "URL" - URL (rsync, https, http) pointing to the top directory +- "URL" - URL (rsync, https, http) pointing to the top directory Examples: -* `http://rocky.example.com` -* `https://rocky.example.com` -* `rsync://rocky.example.com` +- `http://rocky.example.com` +- `https://rocky.example.com` +- `rsync://rocky.example.com` ## Wrap up diff --git a/docs/guides/network/basic_network_configuration.md b/docs/guides/network/basic_network_configuration.md index 3954727abf..6d81325b42 100644 --- a/docs/guides/network/basic_network_configuration.md +++ b/docs/guides/network/basic_network_configuration.md @@ -14,21 +14,21 @@ You can't do much with a computer these days without network connectivity. Wheth ## Prerequisites -* A certain amount of comfort operating from the command line -* Elevated or administrative privileges on the system (for example root, `sudo` and so on) -* Optional: familiarity with networking concepts +- A certain amount of comfort operating from the command line +- Elevated or administrative privileges on the system (for example root, `sudo` and so on) +- Optional: familiarity with networking concepts === "9" - + ## Network Configuration - Rocky Linux 9 A lot has changed with network configuration as of Rocky Linux 9. One of the major changes is the move from Network-Scripts (still available to install-but effectively deprecated) to the use of Network Manager and key files, rather than `ifcfg` based files. `NetworkManager` as of 9, prioritizes `keyfiles` over the previous `ifcfg` files. Since this is now the default, the act of configuring the network should now take the default as the proper way of doing things, given that other changes over the years have meant the eventual deprecation and removal of older utilities. This guide will attempt to walk you through the use of Network Manager and the latest changes within Rocky Linux 9. ## Prerequisites - * A certain amount of comfort operating from the command line - * Elevated or administrative privileges on the system (for example root, `sudo` and so on) - * Optional: familiarity with networking concepts + - A certain amount of comfort operating from the command line + - Elevated or administrative privileges on the system (for example root, `sudo` and so on) + - Optional: familiarity with networking concepts ## Using NetworkManager service @@ -106,7 +106,7 @@ You can't do much with a computer these days without network connectivity. Wheth The static IP configuration scheme is very popular on server class systems or networks. - The dynamic IP approach is popular on home and office networks or workstation and desktop class systems in a business environment. The dynamic scheme usually needs _something_ extra that is locally available and that can supply proper IP configuration information to requesting workstations and desktops. This _something_ is called the Dynamic Host Configuration Protocol (DHCP). On a home network, and even on most business networks, this service is provided by a DHCP Server configured for the purpose. This can be a separate server or part of a router configuration. + The dynamic IP approach is popular on home and office networks or workstation and desktop class systems in a business environment. The dynamic scheme usually needs *something* extra that is locally available and that can supply proper IP configuration information to requesting workstations and desktops. This *something* is called the Dynamic Host Configuration Protocol (DHCP). On a home network, and even on most business networks, this service is provided by a DHCP Server configured for the purpose. This can be a separate server or part of a router configuration. ## IP Address @@ -116,25 +116,25 @@ You can't do much with a computer these days without network connectivity. Wheth ![nmtui](images/nmtui_first.png) - 2. It's already on the selection we need "Edit a connection" so hit the TAB key so that "OK" is highlighted and hit ENTER + 2. It's already on the selection we need "Edit a connection" so hit the ++tab++ key so that "OK" is highlighted and hit ++enter++ - 3. This will bring up a screen showing the Ethernet connections on the machine and allow you to choose one. In our case, there is *ONLY* one, so it is already highlighted, we simply need to hit the TAB key until "Edit" is highlighted and then hit ENTER + 3. This will bring up a screen showing the Ethernet connections on the machine and allow you to choose one. In our case, there is *ONLY* one, so it is already highlighted, we simply need to hit the ++tab++ key until "Edit" is highlighted and then hit ++enter++ ![nmtui_edit](images/nmtui_edit.png) - 4. Once we have done this, we will be on the screen showing our current configuration. What we need to do is switch from "Manual" to "Automatic" so hit the TAB key several times until you get to where "Manual" is highlighted and then hit ENTER. + 4. Once we have done this, we will be on the screen showing our current configuration. What we need to do is switch from "Manual" to "Automatic" so hit the ++tab++ key several times until you get to where "Manual" is highlighted and then hit ++enter++. ![nmtui_manual](images/nmtui_manual.png) - 5. Arrow up until "Automatic" is highlighted and then hit ENTER + 5. Arrow up until "Automatic" is highlighted and then hit ++enter++ ![nmtui_automatic](images/nmtui_automatic.png) - 6. Once we have switched the interface over to "Automatic" we need to remove the statically assigned IP so hit the TAB key until the "Remove" is highlighted next to the IP address and hit ENTER. + 6. Once we have switched the interface over to "Automatic" we need to remove the statically assigned IP so hit the ++tab++ key until the "Remove" is highlighted next to the IP address and hit ++enter++. ![nmtui_remove](images/nmtui_remove.png) - 7. Finally, hit the TAB key several times until you get to the bottom of the `nmtui` screen and the "OK" is highlighted and hit ENTER + 7. Finally, hit the ++tab++ key several times until you get to the bottom of the `nmtui` screen and the "OK" is highlighted and hit ++enter++ You can deactivate and reactivate your interface with `nmtui` as well, but instead let's do this with `nmcli`. In this way we can string the deactivation of the interface and the reactivation of the interface so that the interface is never down for long: @@ -167,10 +167,10 @@ You can't do much with a computer these days without network connectivity. Wheth Before we start, be aware that to reconfigure the interface to DHCP we need to: - * Remove the IPv4 Gateway - * Remove the IPv4 Address that we statically assigned - * Change the IPv4 Method to automatic - * Down and Up the interface + - Remove the IPv4 Gateway + - Remove the IPv4 Address that we statically assigned + - Change the IPv4 Method to automatic + - Down and Up the interface Note too, that we are not using examples that tell you to use -ipv4.address etc. These do not change the interface completely. To do that we must set the ipv4.address and the ipv4.gateway to an empty string. Again, to save as much time as possible with our command, we are going to string them all together in one line: @@ -214,10 +214,10 @@ You can't do much with a computer these days without network connectivity. Wheth In this example, we will assume the following parameters: - * interface name: enp0s3 - * ip address: 192.168.1.151 - * subnet mask: 24 - * gateway: 192.168.1.1 + - interface name: enp0s3 + - ip address: 192.168.1.151 + - subnet mask: 24 + - gateway: 192.168.1.1 ### Get general information @@ -230,7 +230,7 @@ You can't do much with a computer these days without network connectivity. Wheth !!! tip "**Pro tips:**" * use the `-c` flag to get a more readable coloured output: `ip -c a`. - * `ip` accepts abbreviation so `ip a`, `ip addr` and `ip address` are equivalent + * `ip` accepts abbreviation so `ip a`, `ip addr` and `ip address` are equivalent ### Bring interface up or down @@ -399,7 +399,7 @@ You can't do much with a computer these days without network connectivity. Wheth The static IP configuration scheme is very popular on server class systems or networks. - The dynamic IP approach is popular on home and office networks - or workstation and desktop class systems. The dynamic scheme usually needs _something_ extra that is locally available that can supply proper IP configuration information to requesting workstations and desktops. This _something_ is called the Dynamic Host Configuration Protocol (DHCP). + The dynamic IP approach is popular on home and office networks - or workstation and desktop class systems. The dynamic scheme usually needs *something* extra that is locally available that can supply proper IP configuration information to requesting workstations and desktops. This *something* is called the Dynamic Host Configuration Protocol (DHCP). Home or office users often do not have to worry about DHCP. This is because the something else automatically takes care of that in the background. The end user needs to physically or wirelessly connect to the right network (and of course make sure that their systems are powered on)! @@ -498,8 +498,8 @@ You can't do much with a computer these days without network connectivity. Wheth For example, we can see that the `ipv4.method` here is currently set to `auto`. There are many allowed values for the `ipv4.method` setting, but the main two you will most likely see are: - * `auto`: the appropriate automatic method (DHCP, PPP, etc) is used for the interface and most other properties can be left unset. - * `manual`: static IP addressing is used and at least one IP address must be given in the 'addresses' property. + - `auto`: the appropriate automatic method (DHCP, PPP, etc) is used for the interface and most other properties can be left unset. + - `manual`: static IP addressing is used and at least one IP address must be given in the 'addresses' property. If instead you want to configure the system to use a static IP address scheme, you will have to change the value of `ipv4.method` to `manual`, and also specify the `ipv4.gateway` and `ipv4.addresses`. @@ -557,10 +557,10 @@ You can't do much with a computer these days without network connectivity. Wheth In this example, we will assume the following parameters: - * interface name: ens19 - * ip address: 192.168.20.10 - * subnet mask: 24 - * gateway: 192.168.20.254 + - interface name: ens19 + - ip address: 192.168.20.10 + - subnet mask: 24 + - gateway: 192.168.20.254 ### Get general information @@ -572,8 +572,8 @@ You can't do much with a computer these days without network connectivity. Wheth !!! tip "**Pro tips:**" - * use the `-c` flag to get a more readable coloured output: `ip -c a`. - * `ip` accepts abbreviation so `ip a`, `ip addr` and `ip address` are equivalent + - use the `-c` flag to get a more readable coloured output: `ip -c a`. + - `ip` accepts abbreviation so `ip a`, `ip addr` and `ip address` are equivalent ### Bring interface up or down @@ -602,10 +602,10 @@ You can't do much with a computer these days without network connectivity. Wheth will output: ```bash - 3: ens19: mtu 1500 qdisc fq_codel state UP group default qlen 1000 - link/ether 4a:f2:f5:b6:aa:9f brd ff:ff:ff:ff:ff:ff - inet 192.168.20.10/24 scope global ens19 - valid_lft forever preferred_lft forever + 3: ens19: mtu 1500 qdisc fq_codel state UP group default qlen 1000 + link/ether 4a:f2:f5:b6:aa:9f brd ff:ff:ff:ff:ff:ff + inet 192.168.20.10/24 scope global ens19 + valid_lft forever preferred_lft forever ``` Our interface is up and configured, but it is still lacking something! diff --git a/docs/guides/network/librenms_monitoring_server.md b/docs/guides/network/librenms_monitoring_server.md index 600e6b8119..c713a7ea61 100644 --- a/docs/guides/network/librenms_monitoring_server.md +++ b/docs/guides/network/librenms_monitoring_server.md @@ -20,35 +20,35 @@ The installation will closely follow the [official install instructions](https:/ ## Prerequisites, assumptions, and conventions -* A server or container (yes, LibreNMS will run in a container. If you have a great deal to monitor, your best bet would be to install on stand-alone hardware) running Rocky Linux. All commands assume a fresh install of Rocky Linux. -* Assumption: that you can run commands as root or can _sudo_ to elevate privileges -* Working knowledge of command-line tools, including text editors such as _vi_ -* Assumption: the use of SNMP v2. If you want to use SNMP v3, LibreNMS supports it and will work. You will need to switch up the SNMP configuration and options on your devices to match up to v3. -* Included here is the SELinux procedure. The container the author uses in the lab does not include it by default. For this reason, the SELinux procedure has **not** been lab tested. -* Throughout this document, the examples use the _vi_ editor. When the document says to save your changes and exit, use SHIFT+:+wq!. -* The procedure requires some troubleshooting skills, including log monitoring, web testing, and more +- A server or container (yes, LibreNMS will run in a container. If you have a great deal to monitor, your best bet would be to install on stand-alone hardware) running Rocky Linux. All commands assume a fresh install of Rocky Linux. +- Assumption: that you can run commands as root or can *sudo* to elevate privileges +- Working knowledge of command-line tools, including text editors such as *vi* +- Assumption: the use of SNMP v2. If you want to use SNMP v3, LibreNMS supports it and will work. You will need to switch up the SNMP configuration and options on your devices to match up to v3. +- Included here is the SELinux procedure. The container the author uses in the lab does not include it by default. For this reason, the SELinux procedure has **not** been lab tested. +- Throughout this document, the examples use the *vi* editor. When the document says to save your changes and exit, use ++shift+colon+w+q+exclam++. +- The procedure requires some troubleshooting skills, including log monitoring, web testing, and more ## Installing packages -Enter these commands as the root user. Before starting, note that this installation procedure focuses on *httpd*, rather than *nginx*. If you prefer the latter, follow the [Librenms Install Instructions](https://docs.librenms.org/Installation/Install-LibreNMS/) and guide there. +Enter these commands as the root user. Before starting, note that this installation procedure focuses on *httpd*, rather than *nginx*. If you prefer the latter, follow the [Librenms Install Instructions](https://docs.librenms.org/Installation/Install-LibreNMS/) and guide there. First, install the EPEL repository (Extra Packages for Enterprise Linux): -``` +```bash dnf install -y epel-release ``` -The current version of LibreNMS requires a minimum PHP version of 8.1. Rocky Linux 9.0 has PHP 8.0. Enable a third-party repository (also in Rocky Linux 8.6) for this newer version. +The current version of LibreNMS requires a minimum PHP version of 8.1. Rocky Linux 9.0 has PHP 8.0. Enable a third-party repository (also in Rocky Linux 8.6) for this newer version. -The version of the repository you install will depend on the version of Rocky Linux you are running. The assumption is version 9, but change this accordingly for the version you are running: +The version of the repository you install will depend on the version of Rocky Linux you are running. The assumption is version 9, but change this accordingly for the version you are running: -``` +```bash dnf install http://rpms.remirepo.net/enterprise/remi-release-9.rpm ``` Once both the EPEL and REMI repositories are installed, it is time to install the packages: -``` +```bash dnf install bash-completion cronie fping git httpd ImageMagick mariadb-server mtr net-snmp net-snmp-utils nmap php81-php-fpm php81-php-cli php81-php-common php81-php-curl php81-php-gd php81-php-json php81-php-mbstring php81-php-process php81-php-snmp php81-php-xml php81-php-zip php81-php-mysqlnd python3 python3-PyMySQL python3-redis python3-memcached python3-pip python3-systemd rrdtool unzip wget ``` @@ -58,7 +58,7 @@ All of these packages represent some portion of the LibreNMS feature set. Copy and paste (or enter) the following: -``` +```bash useradd librenms -d /opt/librenms -M -r -s "$(which bash)" ``` @@ -68,19 +68,19 @@ This command sets the default directory for the user to `/opt/librenms` however Git facilitates the Download. You might be familiar with the process. First, switch over to the `/opt` directory: -``` +```bash cd /opt ``` Clone the repository: -``` +```bash git clone https://github.com/librenms/librenms.git ``` Change permissions for the directory: -``` +```bash chown -R librenms:librenms /opt/librenms chmod 771 /opt/librenms setfacl -d -m g::rwx /opt/librenms/rrd /opt/librenms/logs /opt/librenms/bootstrap/cache/ /opt/librenms/storage/ @@ -93,37 +93,37 @@ The `setfacl` command stands for "set file access control lists" and is another The PHP dependencies within LibreNMS need installation with the `librenms` user. To do this, run: -``` +```bash su - librenms ``` Enter the following: -``` +```bash ./scripts/composer_wrapper.php install --no-dev ``` Exit back to root: -``` +```text exit ``` ### Failure Of PHP dependency install workaround -LibreNMS documentation says that the above procedure might fail when you are behind a proxy server. It can fail for other reasons also. For this reason, a procedure for installing Composer comes later. +LibreNMS documentation says that the above procedure might fail when you are behind a proxy server. It can fail for other reasons also. For this reason, a procedure for installing Composer comes later. ## Set timezone You need to ensure the correct setting for the system and PHP. You can find a list of [valid timezone settings for PHP here](https://php.net/manual/en/timezones.php). For instance, for the Central timezone, a common entry is "America/Chicago". Start by editing the `php.ini` file: -``` +```bash vi /etc/opt/remi/php81/php.ini ``` Find the `date.timezone` line and modify it. Note that it is remarked out, so remove the ";" from the beginning of the line and add your timezone after the "=" sign. For the Central timezone example use: -``` +```bash date.timezone = America/Chicago ``` @@ -131,7 +131,7 @@ Save your changes and exit the `php.ini` file. You also need to ensure that the system timezone is correct. Using the Central timezone example, do this with: -``` +```bash timedatectl set-timezone America/Chicago ``` @@ -139,36 +139,35 @@ timedatectl set-timezone America/Chicago Before starting the database requirements for LibreNMS, run through the [MariaDB procedure](../database/database_mariadb-server.md), specifically the section for "Securing mariadb-server", and return here for these specific settings. Change the `mariadb-server.cnf` file: -``` +```bash vi /etc/my.cnf.d/mariadb-server.cnf ``` Add these lines to the "[Mysqld]" section: -``` +```bash innodb_file_per_table=1 lower_case_table_names=0 ``` Then enable and restart the `mariadb` server: -``` +```bash systemctl enable mariadb systemctl restart mariadb ``` Access `mariadb` as the root user. Remember to use the password that you created when following the "Securing mariadb-server" section performed earlier: - -``` +```sql mysql -u root -p ``` -Make some specific changes for LibreNMS. With the command below, remember to change the password "password" to something secure and document what that is in a safe spot. +Make some specific changes for LibreNMS. With the command below, remember to change the password "password" to something secure and document what that is in a safe spot. At the `mysql` prompt run: -``` +```sql CREATE DATABASE librenms CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci; CREATE USER 'librenms'@'localhost' IDENTIFIED BY 'password'; GRANT ALL PRIVILEGES ON librenms.* TO 'librenms'@'localhost'; @@ -181,13 +180,13 @@ Enter "exit" to exit out of `mariadb`. This not changed from the official documentation except for the path to the files. First, copy the `www.conf`: -``` +```bash cp /etc/opt/remi/php81/php-fpm.d/www.conf /etc/opt/remi/php81/php-fpm.d/librenms.conf ``` Change the `librenms.conf` file: -``` +```bash vi /etc/opt/remi/php81/php-fpm.d/librenms.conf ``` @@ -195,34 +194,34 @@ Change "[www]" to ["librenms]" Change the user and group to "librenms": -``` +```bash user = librenms group = librenms ``` Change the "listen" line to reflect a unique name: -``` +```bash listen = /run/php-fpm-librenms.sock ``` -Save your changes and exit the file. If this is the only web service that will be running on this machine, you can remove the old www.conf file you copied: +Save your changes and exit the file. If this is the only web service that will be running on this machine, you can remove the old file you copied: -``` +```bash rm -f /etc/opt/remi/php81/php-fpm.d/www.conf ``` -## Configure `httpd` +## Configure `httpd` Start by creating this file: -``` +```bash vi /etc/httpd/conf.d/librenms.conf ``` Enter the following in that file: -``` +```bash DocumentRoot /opt/librenms/html/ ServerName librenms.example.com @@ -247,13 +246,13 @@ Enter the following in that file: You should remove the old default site, `welcome.conf`: -``` +```bash rm /etc/httpd/conf.d/welcome.conf ``` Enable `httpd` and `php-fpm`: -``` +```bash systemctl enable --now httpd systemctl enable --now php81-php-fpm ``` @@ -264,7 +263,7 @@ If you do not plan to use SELinux, skip to the next section. This might also app To setup everything with SELinux, you will need an additional package installed: -``` +```bash dnf install policycoreutils-python-utils ``` @@ -272,7 +271,7 @@ dnf install policycoreutils-python-utils You will need to set the following contexts for LibreNMS to work properly with SELinux: -``` +```bash semanage fcontext -a -t httpd_sys_content_t '/opt/librenms/html(/.*)?' semanage fcontext -a -t httpd_sys_rw_content_t '/opt/librenms/(logs|rrd|storage)(/.*)?' restorecon -RFvv /opt/librenms @@ -285,7 +284,7 @@ chcon -t httpd_sys_rw_content_t /opt/librenms/.env Create a file called `http_fping.tt` anywhere. It does not matter where. Installing this happens next. The contents of this file are: -``` +```bash module http_fping 1.0; require { @@ -301,7 +300,7 @@ allow httpd_t self:rawip_socket { getopt create setopt write read }; Install this file with the following commands: -``` +```bash checkmodule -M -m -o http_fping.mod http_fping.tt semodule_package -o http_fping.pp -m http_fping.mod semodule -i http_fping.pp @@ -309,21 +308,22 @@ semodule -i http_fping.pp If you run into problems and you suspect it might be due to an SELinux issue, run the following: -``` +```bash audit2why < /var/log/audit/audit.log ``` ## `firewalld` configuration -The `firewalld` instructions follow the official documentation. +The `firewalld` instructions follow the official documentation. The command to use for `firewalld` allow rules are as follows: -``` +```bash firewall-cmd --zone public --add-service http --add-service https firewall-cmd --permanent --zone public --add-service http --add-service https ``` -The author has problems with this simplistic `firewalld` rule set. This rule allows your web services to be open to the world, but is that what you want for a monitoring server? + +The author has problems with this simplistic `firewalld` rule set. This rule allows your web services to be open to the world, but is that what you want for a monitoring server? This is usually **not** the case. If you would like a more granular approach to using `firewalld`, review [this document](../security/firewalld.md) and then make changes to your `firewalld` rules accordingly. @@ -331,43 +331,43 @@ This is usually **not** the case. If you would like a more granular approach to First, you need a symbolic link on your `lnms` command so it is possible to run from anywhere: -``` +```bash ln -s /opt/librenms/lnms /usr/bin/lnms ``` Next, set it up for autocomplete: -``` +```bash cp /opt/librenms/misc/lnms-completion.bash /etc/bash_completion.d/ ``` ## Configure `snmpd` -_SNMP_ stands for "Simple Network Management Protocol" and is in use by many monitoring programs for pulling data. Version 2, used here, requires a "community string" which is specific to your environment. +*SNMP* stands for "Simple Network Management Protocol" and is in use by many monitoring programs for pulling data. Version 2, used here, requires a "community string" which is specific to your environment. Assign this "community string" to your network devices you want to monitor, so that `snmpd` (the "d" here stands for the daemon) will be able to find it. You might already have a "community string" in use if your network is not new. Copy the `snmpd.conf` file from LibreNMS: -``` +```bash cp /opt/librenms/snmpd.conf.example /etc/snmp/snmpd.conf ``` Edit this file and change the community string from "RANDOMSTRINGGOESHERE" to whatever your community string is or will be. In the example, this is "LABone": -``` +```bash vi /etc/snmp/snmpd.conf ``` Change this line: -``` +```bash com2sec readonly default RANDOMSTRINGGOESHERE ``` to -``` +```bash com2sec readonly default LABone ``` @@ -377,7 +377,7 @@ Save your changes and exit. Run the following commands to set up the cron jobs: -``` +```bash cp /opt/librenms/librenms.nonroot.cron /etc/cron.d/librenms ``` @@ -385,12 +385,11 @@ The poller must run once, even though nothing is there to poll, before running t The poller runs with the "librenms" user, and though it is possible to switch to this user and run the cron files, it is really better to let the poller do it on its own. Ensure that at least 5 minutes have passed to allow the cron to run and then continue the "Web Setup" section. - ## Log rotation LibreNMS will create a large set of logs over time. You will need to setup log rotation for this to conserve disk space. To do this, run this command: -``` +```bash cp /opt/librenms/misc/librenms.logrotate /etc/logrotate.d/librenms ``` @@ -398,17 +397,17 @@ cp /opt/librenms/misc/librenms.logrotate /etc/logrotate.d/librenms PHP Composer is a requirement for the current installation (mentioned in the earlier procedure). If the install you ran earlier failed, you will need to do this. -Before starting, you need to link your current version of the `php` binary to a location in the path. This procedure used the REMI installation to get the correct version of PHP, and it is not installed within the path. +Before starting, you need to link your current version of the `php` binary to a location in the path. This procedure used the REMI installation to get the correct version of PHP, and it is not installed within the path. This is fixable with a symbolic link and will make your life much easier as you run the remaining steps: -``` +```bash ln -s /opt/remi/php81/root/usr/bin/php /usr/bin/php ``` -Go to the [Composer website](https://getcomposer.org/download/) and ensure that the following steps have not changed. Then run these commands somewhere on the machine. You will move composer when this is done: +Go to the [Composer website](https://getcomposer.org/download/) and ensure that the following steps have not changed. Then run these commands somewhere on the machine. You will move composer when this is done: -``` +```php php -r "copy('https://getcomposer.org/installer', 'composer-setup.php');" php -r "if (hash_file('sha384', 'composer-setup.php') === '55ce33d7678c5a611085589f1f3ddf8b3c52d662cd01d4ba75c0ee0459970c2200a51f492d557530c71c15d8dba01eae') { echo 'Installer verified'; } else { echo 'Installer corrupt'; unlink('composer-setup.php'); } echo PHP_EOL;" php composer-setup.php @@ -417,13 +416,13 @@ php -r "unlink('composer-setup.php');" Move it to a spot within the path. Use `/usr/local/bin/` for this: -``` +```bash mv composer.phar /usr/local/bin/composer ``` ## Web setup -With all of the components installed and configured, your next step is to finish the installation via the web. In the lab version, you have no hostname setup. To finish the setup, you need to go to the web server by IP address. +With all of the components installed and configured, your next step is to finish the installation via the web. In the lab version, you have no hostname setup. To finish the setup, you need to go to the web server by IP address. The IP of the lab machine is 192.168.1.140. Navigate to the following address in a web browser to finish the install: @@ -455,7 +454,7 @@ Click the link. A redirect occurs to the login page. Login with your administrat ## Adding devices -Again, one of the assumptions was that you are using SNMP v2. Remember that each device you add must be a member of your community string. Here the author uses two device examples, An Ubuntu workstation and a CentOS server. +Again, one of the assumptions was that you are using SNMP v2. Remember that each device you add must be a member of your community string. Here the author uses two device examples, An Ubuntu workstation and a CentOS server. You will likely have managed switches, routers, and other devices to add. The author can tell you from experience that adding switches and routers is easier than adding workstations and servers. @@ -463,45 +462,45 @@ You will likely have managed switches, routers, and other devices to add. The au First, install `snmpd` on the workstation and update packages just to be safe: -``` +```bash sudo update && sudo apt-get upgrade && sudo apt-get install snmpd ``` Next, you need to change the `snmpd.conf` file: -``` +```bash sudo vi /etc/snmpd/snmpd.conf ``` Find the lines that describe your workstation and change them to things that identify the workstation: -``` +```bash sysLocation Desktop sysContact Username ``` When you install `snmpd` on Ubuntu, it only binds to the local address. It does not listen on your machine IP address. This will not allow LibreNMS to connect to it. You need to remark out this line: -``` +```bash agentaddress 127.0.0.1,[::1] ``` Add a new line: (In this example, the IP address of your workstation is 192.168.1.122 and the UDP port you are setting is "161") -``` +```bash agentAddress udp:127.0.0.1:161,udp:192.168.1.122:161 ``` You need to specify the read-only access community string. Find the below lines and remark them out as shown: -``` +```bash #rocommunity public default -V systemonly #rocommunity6 public default -V systemonly ``` Add a line: -``` +```bash rocommunity LABone ``` @@ -509,7 +508,7 @@ Save your changes and exit. Enable and start `snmpd`: -``` +```bash sudo systemctl enable snmpd sudo systemctl start snmpd ``` @@ -520,25 +519,25 @@ If you are running a firewall on your internal workstations, you will need to ch The assumption is you are root or that you can `sudo` to elevate privileges. You need to install some packages: -``` +```bash dnf install net-snmp net-snmp-utils ``` Create a `snmpd.conf` file. Rather than try to navigate the included file, move this file to rename it, and create a brand new empty file: -``` +```bash mv /etc/snmp/snmpd.conf /etc/snmp/snmpd.conf.orig ``` and -``` +```bash vi /etc/snmp/snmpd.conf ``` Copy this into the new file: -``` +```bash # Map 'LABone' community to the 'AllUser' # sec.name source community com2sec AllUser default LABone @@ -564,7 +563,7 @@ When you have made the changes, save them and exit the file. Enable and start `snmpd`: -``` +```bash systemctl enable snmpd systemctl start snmpd ``` @@ -573,30 +572,31 @@ systemctl start snmpd If you are running a server, then you **are** running a firewall, right? If you are running `firewalld` the assumption is that you use the "trusted" zone and you just want to allow all traffic from your monitoring server, 192.168.1.140: -``` +```bash firewall-cmd --zone=trusted --add-source=192.168.1.140 --permanent ``` + If the "trusted" zone is incorrect for your environment, change this to suite your needs. Consider your rules and their effect before adding them in. ## Adding the devices in Librenms -With your sample devices configured to accept SNMP traffic from the LibreNMS server, the next step is adding those devices to LibreNMS. With the web interface for LibreNMS open, click to add a device: +With your sample devices configured to accept SNMP traffic from the LibreNMS server, the next step is adding those devices to LibreNMS. With the web interface for LibreNMS open, click to add a device: ![LibreNMS Add Device](../images/librenms_add_device.png) -Put in the information used for your test devices. Enter the IP for the Ubuntu workstation to start. In the example that is 192.168.1.122. Add the "LABone" community string in the "Community" field. +Put in the information used for your test devices. Enter the IP for the Ubuntu workstation to start. In the example that is 192.168.1.122. Add the "LABone" community string in the "Community" field. -Click the "Add Device" button. Assuming everything is correct, this process will complete successfully. +Click the "Add Device" button. Assuming everything is correct, this process will complete successfully. If you run into a "failure to add" error, review the SNMP setup for the workstation or the firewall if it exists. Repeat the "Add Device" process for your CentOS server. ## Getting alerts -As noted from the start, this document will only get you started with LibreNMS. A large number of additional configuration items exist, an extensive API (Application Programming Interface), an alerts system that provides a huge number of options for delivery, called "Transports", and much more. +As noted from the start, this document will only get you started with LibreNMS. A large number of additional configuration items exist, an extensive API (Application Programming Interface), an alerts system that provides a huge number of options for delivery, called "Transports", and much more. This document does not contain any alert rules creation procedures. Instead, you will edit the built-in alert rule "Device Down! Due to no ICMP response" that is pre-configured out of the box. For "Transports" use "Mail", which is just email. Know that you are not limited to this alert. -Mail must be working to use email for transport. Use this [Postfix Procedure](../email/postfix_reporting.md) to get this going. +Mail must be working to use email for transport. Use this [Postfix Procedure](../email/postfix_reporting.md) to get this going. ### Transports @@ -647,8 +647,8 @@ These two devices will now alert you by email if they are down, and upon recover ## Conclusion -LibreNMS is a powerful monitoring tool with a full set of features in one application. This document has _just_ scratched the surface on its capabilities. Some of the simpler screens are not shown. +LibreNMS is a powerful monitoring tool with a full set of features in one application. This document has *just* scratched the surface on its capabilities. Some of the simpler screens are not shown. -When you add devices, assuming that all of the SNMP properties are correctly set, you will start to receive bandwidth, memory utilization, and CPU utilization graphs on each device. This lab has not shown you the wealth of transports available besides "Mail". +When you add devices, assuming that all of the SNMP properties are correctly set, you will start to receive bandwidth, memory utilization, and CPU utilization graphs on each device. This lab has not shown you the wealth of transports available besides "Mail". This document has shown you enough to get a good start monitoring your environment. LibreNMS takes some time to master all of the elements. You should visit the project's [excellent documentation](https://docs.librenms.org/) for additional information. diff --git a/docs/guides/network/openbgpd_bgp_router.md b/docs/guides/network/openbgpd_bgp_router.md index 441875e90c..7f10a17b79 100644 --- a/docs/guides/network/openbgpd_bgp_router.md +++ b/docs/guides/network/openbgpd_bgp_router.md @@ -17,10 +17,10 @@ Border Gateway Protocol (BGP) is the routing protocol that holds the internet to ## Prerequisites -* A server, virtual machine, or lab network with BGP connectivity -* An AS number from your [Regional Internet Registry](https://www.nro.net/about/rirs/) -* An owned or leased IPv4 or IPv6 block -* Knowledge of network administration +- A server, virtual machine, or lab network with BGP connectivity +- An AS number from your [Regional Internet Registry](https://www.nro.net/about/rirs/) +- An owned or leased IPv4 or IPv6 block +- Knowledge of network administration ## Installing packages @@ -79,25 +79,25 @@ neighbor PEER_IPV6 { Replace the following information: -* **YOUR_ASN** with your AS number. -* **YOUR_IPV4** with your server's IPv4 address. -* **YOUR_IPV6** with your server's IPv6 address. -* **PEER_ASN** with your upstream ISP's AS number. -* **PEER_IPV4** with your upstream ISP's IPv4 address. -* **PEER_IPV6** with your upstream ISP's IPv6 address. +- **YOUR_ASN** with your AS number. +- **YOUR_IPV4** with your server's IPv4 address. +- **YOUR_IPV6** with your server's IPv6 address. +- **PEER_ASN** with your upstream ISP's AS number. +- **PEER_IPV4** with your upstream ISP's IPv4 address. +- **PEER_IPV6** with your upstream ISP's IPv6 address. The above lines mean the following: -* The `AS` line contains your BGP AS number. -* The `router-id` line contains your BGP router ID. This is an IPv4 address but can be a dummy non-routable address (e.g. 169.254.x.x) if you are doing IPv6-only BGP. -* The `listen on` line tells which interfaces to listen to. We should listen on all interfaces speaking BGP. -* The `network` lines add the networks we want to advertise. -* The `allow to ebgp prefix` line adds [RFC8212](https://datatracker.ietf.org/doc/html/rfc8212) compliance for routing security. Some hosting companies, such as BuyVM, require this. -* The `neighbor` blocks specify each IPv4 and IPv6 peer. -* The `remote-as` line specifies the upstream's AS number. -* The `announce IPv4` line specifies whether we should announce `unicast` IPv4 routes or `none`. This should be `none` on an IPv6 upstream. -* The `announce IPv6` line specifies whether we should announce `unicast` IPv6 routes or `none`. This should be `none` on an IPv4 upstream. -* The `local-address` line is the upstream's IPv4 or IPv6 address. +- The `AS` line contains your BGP AS number. +- The `router-id` line contains your BGP router ID. This is an IPv4 address but can be a dummy non-routable address (e.g. 169.254.x.x) if you are doing IPv6-only BGP. +- The `listen on` line tells which interfaces to listen to. We should listen on all interfaces speaking BGP. +- The `network` lines add the networks we want to advertise. +- The `allow to ebgp prefix` line adds [RFC8212](https://datatracker.ietf.org/doc/html/rfc8212) compliance for routing security. Some hosting companies, such as BuyVM, require this. +- The `neighbor` blocks specify each IPv4 and IPv6 peer. +- The `remote-as` line specifies the upstream's AS number. +- The `announce IPv4` line specifies whether we should announce `unicast` IPv4 routes or `none`. This should be `none` on an IPv6 upstream. +- The `announce IPv6` line specifies whether we should announce `unicast` IPv6 routes or `none`. This should be `none` on an IPv4 upstream. +- The `local-address` line is the upstream's IPv4 or IPv6 address. Some upstreams may use an MD5 password or BGP multihop. Should that be the case, your `neighbor` blocks will look like this: diff --git a/docs/guides/package_management/dnf_package_manager.md b/docs/guides/package_management/dnf_package_manager.md index 298d3b4f34..f75ebed9a8 100644 --- a/docs/guides/package_management/dnf_package_manager.md +++ b/docs/guides/package_management/dnf_package_manager.md @@ -18,7 +18,7 @@ DNF is commonly used in Rocky Linux, Fedora, RHEL (Red Hat Enterprise Linux) 8 a ## Prerequisites -* For all Rocky Linux versions, the ability to use `sudo` to elevate privileges. +- For all Rocky Linux versions, the ability to use `sudo` to elevate privileges. ## Installing packages diff --git a/docs/guides/package_management/package_build_troubleshooting.md b/docs/guides/package_management/package_build_troubleshooting.md index a267af385d..6fbcee937d 100644 --- a/docs/guides/package_management/package_build_troubleshooting.md +++ b/docs/guides/package_management/package_build_troubleshooting.md @@ -6,11 +6,11 @@ title: Package Build & Troubleshooting This article was written originally in Early 2021 during the bootstrap of Rocky Linux. Content on this page is kept for historical reasons, but has been edited lightly to fix links, provide context, or remove instructions that are no longer relevant to prevent confusion. This document will be archived. -# First get Familiar with the Mock build tool: +# First get Familiar with the Mock build tool Once you get through that, the biggest and most relevant technical/intro page for our package debugging effort is this: -https://wiki.rockylinux.org/archive/legacy/mock_building_guide/ + We are using the “mock” program to perform our builds, just like the real Rocky infrastructure will. You should install it and get very used to it. Please use this guide to get started, and explain a bit about what we hope to achieve and why we have to build all these packages in a specific order. @@ -20,14 +20,13 @@ Mock is really great, as it’s an easy-to-call program that constructs an entir Please use the mock configurations for Rocky Linux provided by the `mock` package in EPEL. - ## Intro - What needs to be done The area we need help the most right now, and the easiest way to contribute, is to help troubleshoot failing package builds. We’re rebuilding CentOS 8.3 as “practice”, so we can figure out any issues that crop up with our official Rocky build ahead of time. We are documenting any errors we find in the packages and how to fix them (to make it build). This documentation will help our release engineering team when it comes time to do official builds. -## Helping with the debug effort: +## Helping with the debug effort Once you are familiar with Mock, and especially with debugging its output, you can begin looking at failing packages. Some of this information is also on the Mock HowTo page linked above. @@ -39,4 +38,4 @@ Investigate the error(s). Figure out what’s going on, and how to fix it. It may take the form of special mock settings, or a patch added to the program + specfile. Report your findings to the #Dev/Packaging channel, and someone will record them on the Wiki Package_Error_Tracking page linked above. -The idea is to shrink the Build Failures, and grow the Package_Error_Tracking page. If necessary, we will commit build fixes to our patch repo for the different packages located here: https://git.rockylinux.org/staging/patch. +The idea is to shrink the Build Failures, and grow the Package_Error_Tracking page. If necessary, we will commit build fixes to our patch repo for the different packages located here: . diff --git a/docs/guides/package_management/package_debranding.md b/docs/guides/package_management/package_debranding.md index 81d1be3fe9..b069f844b2 100644 --- a/docs/guides/package_management/package_debranding.md +++ b/docs/guides/package_management/package_debranding.md @@ -6,18 +6,16 @@ title: Package Debranding This explains how to debrand a package for the Rocky Linux distribution. - General Instructions First, identify the files in the package that need to be changed. They could be text files, image files, or others. You can identify the file(s) by digging into git.centos.org/rpms/PACKAGE/ Develop replacements for these files, but with Rocky branding placed instead. Depending on the content being replaced, diff/patch files may be needed for certain types of text. -Replacement files go under https://git.rockylinux.org/patch/PACKAGE/ROCKY/_supporting/ -Config file (specifying how to apply the patches) goes in https://git.rockylinux.org/patch/PACKAGE/ROCKY/CFG/*.cfg +Replacement files go under +Config file (specifying how to apply the patches) goes in Note: Use spaces, not tabs. -When srpmproc goes to import the package to Rocky, it will see the work done in https://git.rockylinux.org/patch/PACKAGE , and apply the stored debranding patches by reading the config file(s) under ROCKY/CFG/*.cfg - +When srpmproc goes to import the package to Rocky, it will see the work done in , and apply the stored debranding patches by reading the config file(s) under ROCKY/CFG/*.cfg from [debranding wiki page](https://wiki.rockylinux.org/team/release_engineering/debranding/) diff --git a/docs/guides/package_management/package_dev_start.md b/docs/guides/package_management/package_dev_start.md index 91d03586f0..75a70c0064 100644 --- a/docs/guides/package_management/package_dev_start.md +++ b/docs/guides/package_management/package_dev_start.md @@ -4,7 +4,6 @@ title: Packaging And Developer Guide # Packaging and developer starter guide - Rocky Devtools refers to a set of homegrown scripts and utilities created by members of the Rocky Linux community to help with sourcing, creating, branding, patching, and building software packages distributed with the Rocky Linux Operating system. Rocky Devtools consists of `rockyget`, `rockybuild`, `rockypatch`, and `rockyprep`. @@ -15,8 +14,10 @@ You'll need an existing modern RPM based Linux system to install and use Rocky d Let's walk through a typical installation and usage scenario of the devtools. ## Dependencies + Several packages are required on the system before you can begin to use the devtools. These commands have been tested on Rocky Linux but should work on CentOS 8 / RHEL 8 too -``` + +```bash dnf install git make golang ``` @@ -24,42 +25,41 @@ dnf install git make golang Download the devtools zipped source from the following URL: -https://github.com/rocky-linux/devtools/archive/refs/heads/main.zip + Here we use the `curl` command: -``` +```bash curl -OJL https://github.com/rocky-linux/devtools/archive/refs/heads/main.zip ``` You should now have a zipped archive named `devtools-main.zip` - ## 2. Install Rocky Devtools Locate and uncompress the devtools archive that you just downloaded. Here we'll use the `unzip` command line utility: -``` +```bash unzip devtools-main.zip ``` Change your working directory to the new devtool source directory that was just created: -``` +```bash cd devtools-main ``` Run `make` to configure and compile devtools: -``` +```bash make ``` Install devtools: -``` +```bash sudo make install ``` @@ -69,14 +69,15 @@ Once installed, the main utility for finding and downloading SRPMs is the `rocky Let's use `rockyget` to download the SRPM for the popular `sed` package: -``` +```bash rockyget sed ``` + The first time rockyget is run, it will automatically create a directory structure that roughly mimics the repository structure of Rocky's build servers. For example the `~/rocky/rpms` folder will be automaically created. For our current sed example, its sources will be stored under the following sample folder hierchy: -``` +```bash ~rocky/rpms/sed/ └── r8 ├── SOURCES @@ -89,12 +90,13 @@ For our current sed example, its sources will be stored under the following samp └── sed.spec ``` -### TIP : -Once you have the original sources, this might be a good time to look through the SPECs file (`~rocky/rpms/sed/SPECS/specs.spec`) to look for potential debranding opportinites in the given package. Debranding might include replacing upstream artwork/logos and so on. +!!! Tip + + Once you have the original sources, this might be a good time to look through the SPECs file (`~rocky/rpms/sed/SPECS/specs.spec`) to look for potential debranding opportinites in the given package. Debranding might include replacing upstream artwork/logos and so on. -### TIP -If you are looking for other Rocky packages to build and experiment with, you can browse the list of packages that are currently failing in the Rocky automated build environment [here](https://kojidev.rockylinux.org/koji/builds?state=3&order=-build_id) - https://kojidev.rockylinux.org/koji/builds?state=3&order=-build_id +!!! Tip + If you are looking for other Rocky packages to build and experiment with, you can browse the list of packages that are currently failing in the Rocky automated build environment [here](https://kojidev.rockylinux.org/koji/builds?state=3&order=-build_id) ## 4. Use Rocky Devtools (rockybuild) to build a new package for the Rocky OS @@ -102,7 +104,7 @@ Under the hood, `rockybuild` calls `rpmbuild` and `mock` utilities to build the Use `rockybuild` to build the sed utility: -``` +```bash rockybuild sed ``` @@ -110,7 +112,7 @@ The time needed to complete the build process/step depends on the size and compl At the end of the `rockybuild` run, an output similar to the one here indicates that the build completed successfully. -``` +```bash .......... + exit 0 Finish: rpmbuild sed-4.5-2.el8.src.rpm @@ -120,19 +122,15 @@ INFO: Results and/or logs in: /home/centos/rocky/builds/sed/r8 ........ ``` - If all goes well you should end up with a Rocky ready SRPM file under the `~/rocky/builds/sed/r8` directory. `~/rocky/rpms/sed/r8/SRPMS/sed-4.5-2.el8.src.rpm` - - ## 5. Debugging a failed package build The previous rockybuild process will generate some log files that can be used in debugging failed application builds. The results and/or logs of the build process are stored under the `~/rocky/builds//r8`. For example `~/rocky/builds/sed/r8` - -``` +```bash ~/rocky/builds/sed/r8 ├── build.log ├── hw_info.log diff --git a/docs/guides/package_management/package_signing.md b/docs/guides/package_management/package_signing.md index 1ad64e3104..24d428a5c9 100644 --- a/docs/guides/package_management/package_signing.md +++ b/docs/guides/package_management/package_signing.md @@ -4,7 +4,6 @@ title: Package Signing & Testing # Package signing and testing' - RPMs produced by us should be cryptographically signed with a Rocky Linux key, which guarantees to users that the package was indeed built by the Rocky Linux project. diff --git a/docs/guides/proxies/haproxy_apache_lxd.md b/docs/guides/proxies/haproxy_apache_lxd.md index 2f5997cc27..355687b428 100644 --- a/docs/guides/proxies/haproxy_apache_lxd.md +++ b/docs/guides/proxies/haproxy_apache_lxd.md @@ -10,7 +10,6 @@ tested_with: 8.5, 8.6, 9.0 HAProxy stands for "High Availability Proxy." This proxy can sit before any TCP application (such as web servers), but it is often used as a load balancer between many website instances. - There might be many reasons for doing this. If you have a website that is being hit hard — adding another instance of that same website and placing HAProxy in front of both — allows you to distribute traffic between instances. Another reason might be to be able to update content on a website without any down time. HAProxy can also help mitigate DOS and DDOS attacks. This guide will explore using HAProxy with two website instances, and load balancing with round-robin rotation on the same LXD host. This might be a perfectly fine solution for ensuring that updates can be performed without downtime. @@ -19,25 +18,26 @@ However, if your problem is website performance, you may need to distribute your ## Prerequisites and assumptions -* Complete comfort at the command line on a Linux machine -* Experience with a command line editor (using `vim` here) -* Experience with `crontab` -* Knowledge of LXD. For more information, you may want to consult the [LXD Server](../../books/lxd_server/00-toc.md) document. It is fine to install LXD on a notebook or workstation without doing the full-blown server install. This document is written with a lab machine running LXD, but is not set up as an entire server as the document linked above uses. -* Some knowledge of installing, configuring, and using web servers. -* We will assume that LXD is already installed and ready to create containers. +- Complete comfort at the command line on a Linux machine +- Experience with a command line editor (using `vim` here) +- Experience with `crontab` +- Knowledge of LXD. For more information, you may want to consult the [LXD Server](../../books/lxd_server/00-toc.md) document. It is fine to install LXD on a notebook or workstation without doing the full-blown server install. This document is written with a lab machine running LXD, but is not set up as an entire server as the document linked above uses. +- Some knowledge of installing, configuring, and using web servers. +- We will assume that LXD is already installed and ready to create containers. ## Installing containers On your LXD host for this guide, you will need three containers. There can be more web server containers if you want. You will use **web1** and **web2** for our website containers and **proxyha** for our HAProxy container. To install these on your LXD host do: -``` +```bash lxc launch images:rockylinux/8 web1 lxc launch images:rockylinux/8 web2 lxc launch images:rockylinux/8 proxyha ``` + Running an `lxc list` should return something like this: -``` +```bash +---------+---------+----------------------+------+-----------+-----------+ | NAME | STATE | IPV4 | IPV6 | TYPE | SNAPSHOTS | +---------+---------+----------------------+------+-----------+-----------+ @@ -63,11 +63,12 @@ Ensure that your editor is set to your preferred editor, in this case `vim`: Next, change the `macvlan` profile. Before you do, you need to know what interface the host uses for our LAN. Run `ip addr` and look for the interface with the LAN IP assignment: -``` +```bash 2: eno1: mtu 1500 qdisc fq_codel state UP group default qlen 1000 link/ether a8:5e:45:52:f8:b6 brd ff:ff:ff:ff:ff:ff inet 192.168.1.141/24 brd 192.168.1.255 scope global dynamic noprefixroute eno1 ``` + !!! Note In this case, the interface you are looking for is "eno1", which could be completely different on your system. Use **your** interface information! @@ -78,7 +79,7 @@ Now that you know the LAN interface, you can change our `macvlan` profile. To do Edit the profile to look something like this. The author excluded the comments at the top of the file, but if you are new to LXD, examine those: -``` +```bash config: {} description: "" devices: @@ -94,7 +95,7 @@ When creating the `macvlan` profile, the system copies the `default` profile. Ch Now that the `macvlan` profile exists, you need to apply it to our three containers: -``` +```bash lxc profile assign web1 default,macvlan lxc profile assign web2 default,macvlan lxc profile assign proxyha default,macvlan @@ -104,19 +105,19 @@ Unfortunately, the default behavior of `macvlan` as implemented in the kernel, i Doing this is pretty simplistic when using DHCP. Just follow this for each container: -* `lxc exec web1 bash` which will put you at the command line of the **web1** container -* `crontab -e` which will edit root's `crontab` on the container -* type `i` to get into insert mode. -* add a line: `@reboot /usr/sbin/dhclient` -* hit the `ESC` key to exit out of insert mode. -* save your changes with `SHIFT: wq` -* type `exit` to exit the container +- `lxc exec web1 bash` which will put you at the command line of the **web1** container +- `crontab -e` which will edit root's `crontab` on the container +- type ++i++ to get into insert mode. +- add a line: `@reboot /usr/sbin/dhclient` +- hit the ++escape++ key to exit out of insert mode. +- save your changes with ++shift++colon+w+q++ +- type `exit` to exit the container Repeat steps for **web2** and **proxyha**. After completing these steps, restart the containers: -``` +```bash lxc restart web1 lxc restart web2 lxc restart proxyha @@ -124,7 +125,7 @@ lxc restart proxyha and when you do an `lxc list` again, you will see that the DHCP addresses are now assigned from your LAN: -``` +```bash +---------+---------+----------------------+------+-----------+-----------+ | NAME | STATE | IPV4 | IPV6 | TYPE | SNAPSHOTS | +---------+---------+----------------------+------+-----------+-----------+ @@ -140,17 +141,18 @@ and when you do an `lxc list` again, you will see that the DHCP addresses are no Our environment is ready. Next, install Apache (`httpd`) on each web container. You can do this without physically accessing them: -``` +```bash lxc exec web1 dnf install httpd lxc exec web2 dnf install httpd ``` + You will need more than Apache for any modern web server, but this is enough to run some tests. Next, enable `httpd`, start it, and change the default welcome screen. This way, you know the server is responding when attempting to access by proxy. Enable and start `httpd`: -``` +```bash lxc exec web1 systemctl enable httpd lxc exec web1 systemctl start httpd lxc exec web2 systemctl enable httpd @@ -178,7 +180,8 @@ It is simplistic to install HAProxy on the proxy container. Again, no need to ac `lxc exec proxyha dnf install haproxy` Next you want to configure `haproxy` to listen on port 80 and port 443 for the web services. Do this with the configure subcommand of `lxc`: -``` + +```bash lxc config device add proxyha http proxy listen=tcp:0.0.0.0:80 connect=tcp:127.0.0.1:80 lxc config device add proxyha https proxy listen=tcp:0.0.0.0:443 connect=tcp:127.0.0.1:443 ``` @@ -193,7 +196,7 @@ You have already installed HAProxy on the container, but you have done nothing w Add the following records to the bottom of the file: -``` +```bash 192.168.1.150 site1.testdomain.com site1 192.168.1.101 site2.testdomain.com site2 ``` @@ -210,7 +213,7 @@ Create a new configuration file: Note, the commenting out of HTTPS protocol lines for now. In a production environment, you will want to use a wildcard certificate that covers your web servers and enable HTTPS: -``` +```bash global log /dev/log local0 log /dev/log local1 notice @@ -300,7 +303,7 @@ Create each of these files in that directory. Note that you can do this with eac File name `400.http`: -``` +```bash HTTP/1.0 400 Bad request Cache-Control: no-cache Connection: close @@ -313,7 +316,7 @@ Your browser sent an invalid request. File name `403.http`: -``` +```bash HTTP/1.0 403 Forbidden Cache-Control: no-cache Connection: close @@ -326,7 +329,7 @@ Request forbidden by administrative rules. Filename `408.http`: -``` +```bash HTTP/1.0 408 Request Time-out Cache-Control: no-cache Connection: close @@ -339,7 +342,7 @@ Your browser didn't send a complete request in time. Filename `500.http`: -``` +```bash HTTP/1.0 500 Internal Server Error Cache-Control: no-cache Connection: close @@ -352,7 +355,7 @@ An internal server error occurred. Filename `502.http`: -``` +```bash HTTP/1.0 502 Bad Gateway Cache-Control: no-cache Connection: close @@ -365,7 +368,7 @@ The server returned an invalid or incomplete response. Filename `503.http`: -``` +```bash HTTP/1.0 503 Service Unavailable Cache-Control: no-cache Connection: close @@ -378,7 +381,7 @@ No server is available to handle this request. Filename `504.http`: -``` +```bash HTTP/1.0 504 Gateway Time-out Cache-Control: no-cache Connection: close @@ -396,10 +399,12 @@ Create a "run" directory for `haproxy` before starting the service: `lxc exec proxyha mkdir /run/haproxy` Next, enable the service and start it: -``` + +```bash lxc exec proxyha systemctl enable haproxy lxc exec proxyha systemctl start haproxy ``` + If you get any errors, research the reason by using: `lxc exec proxyha systemctl status haproxy` @@ -416,14 +421,14 @@ To do this, change your `/etc/hosts` file on your local machine. Consider this m Add these two lines: -``` +```bash 192.168.1.149 site1.testdomain.com site1 192.168.1.149 site2.testdomain.com site2 ``` If you ping either **site1** or **site2** on your local machine now, you will get a response from **proxyha**: -``` +```bash PING site1.testdomain.com (192.168.1.149) 56(84) bytes of data. 64 bytes from site1.testdomain.com (192.168.1.149): icmp_seq=1 ttl=64 time=0.427 ms 64 bytes from site1.testdomain.com (192.168.1.149): icmp_seq=2 ttl=64 time=0.430 ms @@ -431,7 +436,6 @@ PING site1.testdomain.com (192.168.1.149) 56(84) bytes of data. Open your web browser and type site1.testdomain.com (or site2.testdomain.com) as the URL in the address bar. You will get a response back from one of the two test pages and if you load the page again, you will get the next server's test page. Note that the URL does not change, but the returned page will change alternately between servers. - ![screenshot of web1 being loaded and showing the second server test message](../images/haproxy_apache_lxd.png) ## Logging @@ -446,7 +450,7 @@ Next, create a system process for `rsyslogd` to grab instances from the socket ( Add the following contents to that file: -``` +```bash $AddUnixListenSocket /var/lib/haproxy/dev/log # Send HAProxy messages to a dedicated logfile @@ -455,6 +459,7 @@ $AddUnixListenSocket /var/lib/haproxy/dev/log stop } ``` + Save the file and exit, and restart `rsyslog`: `lxc exec proxyha systemctl restart rsyslog` @@ -469,7 +474,7 @@ View the log file created: Which will show you something like this: -``` +```bash Sep 25 23:18:02 proxyha haproxy[4602]: Proxy http_frontend started. Sep 25 23:18:02 proxyha haproxy[4602]: Proxy http_frontend started. Sep 25 23:18:02 proxyha haproxy[4602]: Proxy subdomain1 started. diff --git a/docs/guides/proxies/pound.md b/docs/guides/proxies/pound.md index 3ea15b06c7..8164eb237a 100644 --- a/docs/guides/proxies/pound.md +++ b/docs/guides/proxies/pound.md @@ -16,11 +16,11 @@ tags: ## Introduction -Pound is a web server agnostic reverse proxy and load balancer that is simplistic to setup and manage. It does not use a web service, but does listens on the web service ports (http, https). +Pound is a web server agnostic reverse proxy and load balancer that is simplistic to setup and manage. It does not use a web service, but does listens on the web service ports (http, https). Now, many proxy server options exist, some referenced in these documentation pages. A document on using [HAProxy is here](haproxy_apache_lxd.md) and references to applying Nginx for a reverse proxy exist in other documents. -Load balancing services are quite useful for a busy web server environment. Many proxy servers exist, including the previously mentioned HAProxy, and have uses for many service types. +Load balancing services are quite useful for a busy web server environment. Many proxy servers exist, including the previously mentioned HAProxy, and have uses for many service types. In the case of Pound, it is only usable for web services, but it is good at what it does. @@ -28,13 +28,13 @@ In the case of Pound, it is only usable for web services, but it is good at what The following are minimum requirements for using this procedure: -* A desire to load balance between a few websites, or the willingness to learn a new tool to do the same. -* The ability to run commands as the root user or use `sudo` to elevate privileges. -* Familiarity with a command-line editor. The author is using `vi` or `vim` here, but substitute in your favorite editor. -* Comfort with changing the listen ports on a few types of web servers. -* Assuming the earlier installation of the Nginx and Apache servers. -* Assuming that you are using Rocky Linux servers or containers for everything here. -* While all kinds of statements regarding `https` are in this document, this guide only deals with the `http` service. To properly do `https`, you will need to configure your pound server with a real certificate from a real certificate authority. +- A desire to load balance between a few websites, or the willingness to learn a new tool to do the same. +- The ability to run commands as the root user or use `sudo` to elevate privileges. +- Familiarity with a command-line editor. The author is using `vi` or `vim` here, but substitute in your favorite editor. +- Comfort with changing the listen ports on a few types of web servers. +- Assuming the earlier installation of the Nginx and Apache servers. +- Assuming that you are using Rocky Linux servers or containers for everything here. +- While all kinds of statements regarding `https` are in this document, this guide only deals with the `http` service. To properly do `https`, you will need to configure your pound server with a real certificate from a real certificate authority. !!! tip @@ -52,9 +52,9 @@ The following are minimum requirements for using this procedure: ## Conventions -For this procedure, we are going to be using two web servers (known as back end servers), one running Nginx (192.168.1.111) and one running Apache (192.168.1.108). +For this procedure, we are going to be using two web servers (known as back end servers), one running Nginx (192.168.1.111) and one running Apache (192.168.1.108). -Our Pound server (192.168.1.103) is the gateway. +Our Pound server (192.168.1.103) is the gateway. You will be switching your listen ports on the back end servers to 8080 for the Nginx server and 8081 for the Apache server. (Showing everything below.) @@ -66,13 +66,13 @@ You will be switching your listen ports on the back end servers to 8080 for the To install Pound, you need to first install the EPEL (Extra Packages for Enterprise Linux) and run updates: -``` +```bash dnf -y install epel-release && dnf -y update ``` Then install Pound. (Yes that is a capital "P"): -``` +```bash dnf -y install Pound ``` @@ -117,17 +117,17 @@ End ### Taking a closer look -* The "User" and "Group" - populated with the installation -* The "Control" file is not used anywhere -* The "ListenHTTP" section represents the service `http` (Port 80) and the "Address" that the proxy will listen on. You will change this to the actual IP of our Pound server. -* The "ListenHTTPS" section represents the service `https` (Port 443) and the "Address" that the proxy will listen on. You will change this to the IP of the Pound server. -* The "Cert" option is the self-signed certificate provided by the Pound install process. You want to replace this in a production environment with a real certificate using one of these procedures: [Generating SSL Keys](../security/ssl_keys_https.md) or [SSL Keys with Let's Encrypt](../security/generating_ssl_keys_lets_encrypt.md). -* The "Service" section configures the "BackEnd" servers with their listening ports. You can have as many "BackEnd" servers as you need. +- The "User" and "Group" - populated with the installation +- The "Control" file is not used anywhere +- The "ListenHTTP" section represents the service `http` (Port 80) and the "Address" that the proxy will listen on. You will change this to the actual IP of our Pound server. +- The "ListenHTTPS" section represents the service `https` (Port 443) and the "Address" that the proxy will listen on. You will change this to the IP of the Pound server. +- The "Cert" option is the self-signed certificate provided by the Pound install process. You want to replace this in a production environment with a real certificate using one of these procedures: [Generating SSL Keys](../security/ssl_keys_https.md) or [SSL Keys with Let's Encrypt](../security/generating_ssl_keys_lets_encrypt.md). +- The "Service" section configures the "BackEnd" servers with their listening ports. You can have as many "BackEnd" servers as you need. ### Changing the configuration -* change the IP Address under each listen option to our Pound server IP, 192.168.1.103 -* change the IP Addresses and ports under the "BackEnd" sections to match our configuration found in "Conventions" above (IPs and Ports) +- change the IP Address under each listen option to our Pound server IP, 192.168.1.103 +- change the IP Addresses and ports under the "BackEnd" sections to match our configuration found in "Conventions" above (IPs and Ports) When you are all done modifying the configuration, your file will look something like this: @@ -176,7 +176,7 @@ listen 8080 default_server; Save your changes and restart the nginx service: -``` +```bash systemctl restart nginx ``` @@ -184,7 +184,6 @@ systemctl restart nginx Since you have set the listen port for Apache in our Pound configuration to 8081, you need to also make that change on our running Apache server. You do this by modifying the `httpd.conf`: - ```bash vi /etc/httpd/conf/httpd.conf ``` @@ -197,7 +196,7 @@ Listen 8081 Save your changes and restart the httpd service: -``` +```bash systemctl restart httpd ``` @@ -205,7 +204,7 @@ systemctl restart httpd Once you have your web services up and running and listening on the right ports on each of your servers, the next step is to turn up the pound service on the Pound server: -``` +```bash systemctl enable --now pound ``` @@ -227,19 +226,19 @@ When you open your proxy server IP in a web browser you will see one of these tw Or -![Pound Apache](images/pound_apache.jpg) +![Pound Apache](images/pound_apache.jpg) ## Using "Emergency" One thing that you may need to do when using a load balancer such as Pound, is to take the productions servers off-line for maintenance or to have a fall-back "BackEnd" for a complete outage. Do this with the "Emergency" declaration in the `pound.conf` file. You can only have one "Emergency" declaration per service. In our case, this will appear at the end of the "Service" section in our configuration file: -``` +```bash ... Service BackEnd Address 192.168.1.117 Port 8080 - Priority 9 + Priority 9 End BackEnd @@ -247,8 +246,8 @@ Service Port 8081 End Emergency - Address 192.168.1.104 - Port 8000 + Address 192.168.1.104 + Port 8000 End End ``` @@ -257,7 +256,7 @@ This server might only show a message that says, "Down For Maintenance". ## Security considerations -Something that most documents dealing with load balancing proxy servers will not deal with are security issues. For instance, if this is a public facing web server, you will need to have `http` and `https` services open to the world on the load balancing proxy. But what about the "BackEnd" servers? +Something that most documents dealing with load balancing proxy servers will not deal with are security issues. For instance, if this is a public facing web server, you will need to have `http` and `https` services open to the world on the load balancing proxy. But what about the "BackEnd" servers? Those only need accessing by their ports from the Pound server, but since the Pound server is redirecting to 8080 or 8081 on the BackEnd servers, and since the BackEnd servers have `http` listening on those subsequent ports, you can just use the service names for the firewall commands on those BackEnd servers. @@ -277,19 +276,19 @@ To accomplish this, you will use the built-in firewall for Rocky Linux, `firewal Start by adding our source IPs to the "trusted" zone. This is our LAN here (in our example: 192.168.1.0/24): -``` +```bash firewall-cmd --zone=trusted --add-source=192.168.1.0/24 --permanent ``` Then, add the `ssh` service to the zone: -``` +```bash firewall-cmd --zone=trusted --add-service=ssh --permanent ``` And reload the firewall with: -``` +```bash firewall-cmd --reload ``` @@ -315,18 +314,19 @@ trusted (active) Next you need to make changes to the "public" zone, which by default has the `ssh` service enabled. This needs to be carefully removed (again, the author assumes that you are **NOT** remote to the server here!) with the following: -``` +```bash firewall-cmd --zone=public --remove-service=ssh --permanent ``` + You also need to add `http` and `https` services: -``` +```bash firewall-cmd --zone=public --add-service=http --add-service=https --permanent ``` Then reload the firewall before to see the changes: -``` +```bash firewall-cmd --reload ``` @@ -353,15 +353,15 @@ Those are the only changes needed to our pound server load balancer within the l ### Firewall - back end servers -For the "BackEnd" servers, you do not need to allow access from the world for anything. You will need to allow `ssh` from the LAN IPs, and `http` and `https` from our Pound load balancer. +For the "BackEnd" servers, you do not need to allow access from the world for anything. You will need to allow `ssh` from the LAN IPs, and `http` and `https` from our Pound load balancer. -That is pretty much it. +That is pretty much it. -Again, you are going to add the `ssh` service to your "trusted" zone, with the essentially the same commands used for your pound server. Then add a zone called "balance" that you will use for the remaining `http` and `https`, and set the source IPs to that of the load balancer. +Again, you are going to add the `ssh` service to your "trusted" zone, with the essentially the same commands used for your pound server. Then add a zone called "balance" that you will use for the remaining `http` and `https`, and set the source IPs to that of the load balancer. To simplify things, use all of those commands that you used for the "trusted" zone in a single set of commands: -``` +```bash firewall-cmd --zone=trusted --add-source=192.168.1.0/24 --permanent firewall-cmd --zone=trusted --add-service=ssh --permanent firewall-cmd --reload @@ -389,7 +389,7 @@ trusted (active) Again, test your `ssh` rule from an IP on the LAN, and then remove the `ssh` service from the "public" zone. **Remember our warning earlier, and do this only if you have local access to the server!** -``` +```bash firewall-cmd --zone=public --remove-service=ssh --permanent firewall-cmd --reload firewall-cmd --zone=public --list-all @@ -420,7 +420,7 @@ Add that new zone to deal with `http` and `https`. Remember that the source IP h A new zone must be added with the `--permanent` option and cannot be used until the firewall is reloaded. Also, do not forget to `--set-target=ACCEPT` for this zone! -``` +```bash firewall-cmd --new-zone=balance --permanent firewall-cmd --reload firewall-cmd --zone=balance --set-target=ACCEPT @@ -461,8 +461,8 @@ Conveniently, Pound automatically figures out if one of the "BackEnd" servers is ## Conclusion -Pound offers another option for those who do not want to use HAProxy or Nginx as for load balancing. +Pound offers another option for those who do not want to use HAProxy or Nginx as for load balancing. -Pound as a load balancing server is very easy to install, set up and use. As noted here, you can use Pound as a reverse proxy, and many proxy and load balancing options exist. +Pound as a load balancing server is very easy to install, set up and use. As noted here, you can use Pound as a reverse proxy, and many proxy and load balancing options exist. And you should always remember to keep security in mind when setting up any service, including a load balancing proxy server. diff --git a/docs/guides/proxies/tor_relay.md b/docs/guides/proxies/tor_relay.md index 8e38848bb5..344b2ecd83 100644 --- a/docs/guides/proxies/tor_relay.md +++ b/docs/guides/proxies/tor_relay.md @@ -18,13 +18,13 @@ tags: The following are minimum requirements for using this procedure: -* A public IPv4 address, whether directly on the server or with port forwarding -* A system that is able to run 24/7, to be useful for the Tor network -* The ability to run commands as the root user or use `sudo` to elevate privileges -* Familiarity with a command-line editor. The author is using `vi` or `vim` here, but substitute in your favorite editor -* Comfort with changing SELinux and firewall settings -* An unmetered connection, or a connection with a high bandwidth limit -* Optional: A public IPv6 address for dual-stack connectivity +- A public IPv4 address, whether directly on the server or with port forwarding +- A system that is able to run 24/7, to be useful for the Tor network +- The ability to run commands as the root user or use `sudo` to elevate privileges +- Familiarity with a command-line editor. The author is using `vi` or `vim` here, but substitute in your favorite editor +- Comfort with changing SELinux and firewall settings +- An unmetered connection, or a connection with a high bandwidth limit +- Optional: A public IPv6 address for dual-stack connectivity ## Installing Tor @@ -59,10 +59,10 @@ Log notice syslog ### Taking a closer look -* The `Nickname` is a (non-unique) nickname for your Tor relay. -* The `ORPort` is the TCP port your Tor relay listens on. The default is `9001`. -* The `ContactInfo` is your contact information, in case there's issues with your Tor relay. Set this to your email address. -* The `Log` is the severity and destination of your Tor relay logs. We are logging `notice` to prevent sensitive information from being logged, and `syslog` to output to the `systemd` log. +- The `Nickname` is a (non-unique) nickname for your Tor relay. +- The `ORPort` is the TCP port your Tor relay listens on. The default is `9001`. +- The `ContactInfo` is your contact information, in case there's issues with your Tor relay. Set this to your email address. +- The `Log` is the severity and destination of your Tor relay logs. We are logging `notice` to prevent sensitive information from being logged, and `syslog` to output to the `systemd` log. ### System configuration @@ -110,8 +110,8 @@ AccountingMax 20 GB These values imply that: -* Your bandwidth accounting period is every day starting at 00:00 system time. You can also change `day` to `week` or `month`, or replace `00:00` with another time. -* In your bandwidth accounting period, you will transfer 20 GB. Increase or decrease the value if you want to allow more or less bandwidth for your relay. +- Your bandwidth accounting period is every day starting at 00:00 system time. You can also change `day` to `week` or `month`, or replace `00:00` with another time. +- In your bandwidth accounting period, you will transfer 20 GB. Increase or decrease the value if you want to allow more or less bandwidth for your relay. What happens after you used your specified bandwidth? Your relay will block new connection attempts until the end of the period. If your relay did not use the specified bandwidth in your period, the counter will reset without any downtime. @@ -190,8 +190,8 @@ ExitPolicy reject *:* These values imply that: -* We allow exit traffic to TCP ports 53 (DNS), 80 (HTTP), and 443 (HTTPS) with our `ExitPolicy accept` lines -* We disallow exit traffic to any other TCP port with our wildcard `ExitPolicy reject` lines +- We allow exit traffic to TCP ports 53 (DNS), 80 (HTTP), and 443 (HTTPS) with our `ExitPolicy accept` lines +- We disallow exit traffic to any other TCP port with our wildcard `ExitPolicy reject` lines If you want an unrestrictive exit policy, by only blocking SMTP traffic, this can be set as: @@ -204,8 +204,8 @@ ExitPolicy accpet *:* These values imply that -* We disallow exit traffic to the standard SMTP TCP ports of 25, 465, and 587 in our `ExitPolicy reject` lines -* We allow exit traffic to all other TCP ports in our wildcard `ExitPolicy accept` line +- We disallow exit traffic to the standard SMTP TCP ports of 25, 465, and 587 in our `ExitPolicy reject` lines +- We allow exit traffic to all other TCP ports in our wildcard `ExitPolicy accept` line We can also allow or block a range of ports as follows: @@ -216,8 +216,8 @@ ExitPolicy reject *:993-995 These values imply that: -* We allow exit traffic to TCP ports 80-81 -* We disallow exit traffic to TCP ports 993-995, which are used for the SSL-secured IMAP, IRC, and POP3 variants +- We allow exit traffic to TCP ports 80-81 +- We disallow exit traffic to TCP ports 993-995, which are used for the SSL-secured IMAP, IRC, and POP3 variants You can also allow exit traffic to IPv6 addresses, assuming your server has dual-stack connectivity: @@ -266,9 +266,9 @@ ExtORPort auto These values imply that: -* We are running an obfs4 pluggable transport located at `/usr/local/bin/obfs4proxy` on our `ServerTransportPlugin` line -* `ServerTransportListenAddr` makes our pluggable transport listen on port 12345 -* Our `ExtORPort` line will listen on an randomly chosen port for connections between Tor and our pluggable transport. Normally, this line should not be changed +- We are running an obfs4 pluggable transport located at `/usr/local/bin/obfs4proxy` on our `ServerTransportPlugin` line +- `ServerTransportListenAddr` makes our pluggable transport listen on port 12345 +- Our `ExtORPort` line will listen on an randomly chosen port for connections between Tor and our pluggable transport. Normally, this line should not be changed If you want to listen on another TCP port, change `12345` with your desired TCP port. diff --git a/docs/guides/security/dnf_automatic.md b/docs/guides/security/dnf_automatic.md index 6e2ca27ed7..949ff7c3ed 100644 --- a/docs/guides/security/dnf_automatic.md +++ b/docs/guides/security/dnf_automatic.md @@ -26,7 +26,7 @@ The security of your information system will be strengthened. `dnf-automatic` is You can install `dnf-automatic` from the rocky repositories: -``` +```bash sudo dnf install dnf-automatic ``` @@ -34,7 +34,7 @@ sudo dnf install dnf-automatic By default, the update process will start at 6am, with a random extra time delta to avoid all your machines updating simultaneously. To change this behavior, you must override the timer configuration associated with the application service: -``` +```bash sudo systemctl edit dnf-automatic.timer [Unit] @@ -56,8 +56,8 @@ This configuration reduces the start-up delay between 6:00 and 6:10 am. (A serve Then activate the timer associated with the service (not the service itself): -``` -$ sudo systemctl enable --now dnf-automatic.timer +```bash +sudo systemctl enable --now dnf-automatic.timer ``` ## What about CentOS 7 servers? @@ -68,15 +68,15 @@ $ sudo systemctl enable --now dnf-automatic.timer The process under CentOS 7 is similar but uses: `yum-cron`. -``` -$ sudo yum install yum-cron +```bash +sudo yum install yum-cron ``` This time, the configuration of the service is done in the file `/etc/yum/yum-cron.conf`. Set configuration as needed: -``` +```text [commands] # What kind of update to use: # default = yum upgrade @@ -111,8 +111,8 @@ The comments in the configuration file speak for themselves. You can now enable the service and start it: -``` -$ sudo systemctl enable --now yum-cron +```bash +sudo systemctl enable --now yum-cron ``` ## Conclusion diff --git a/docs/guides/security/enabling_iptables_firewall.md b/docs/guides/security/enabling_iptables_firewall.md index 05ab06cf4a..3025b5e989 100644 --- a/docs/guides/security/enabling_iptables_firewall.md +++ b/docs/guides/security/enabling_iptables_firewall.md @@ -2,7 +2,7 @@ title: Enabling `iptables` Firewall author: Steven Spencer contributors: Ezequiel Bruni, Ganna Zhyrnova -tested_with: 8.5, 8.6, 9.0 +tested*with: 8.5, 8.6, 9.0 tags: - security - iptables @@ -13,7 +13,7 @@ tags: ## Prerequisites -* A burning, unquenchable desire to disable the default _firewalld_ application, and enable _iptables_. +- A burning, unquenchable desire to disable the default *firewalld* application, and enable *iptables*. !!! warning "This Process Is Deprecated" @@ -21,17 +21,17 @@ tags: ## Introduction -_firewalld_ is now the default firewall on Rocky Linux. _firewalld_ **was** nothing more than a dynamic application of _iptables_ using xml files that loaded changes without flushing the rules in CentOS 7/RHEL 7. With CentOS 8/RHEL 8/Rocky 8, _firewalld_ is now a wrapper around _nftables_. It is still possible, however, to install and use straight _iptables_ if that is your preference. To install and run straight _iptables_ without _firewalld_ you can do so by following this guide. What this guide will **not** tell you is how to write rules for _iptables_. It is assumed that if you want to get rid of _firewalld_, you must already know how to write rules for _iptables_. +*firewalld* is now the default firewall on Rocky Linux. *firewalld* **was** nothing more than a dynamic application of *iptables* using xml files that loaded changes without flushing the rules in CentOS 7/RHEL 7. With CentOS 8/RHEL 8/Rocky 8, *firewalld* is now a wrapper around *nftables*. It is still possible, however, to install and use straight *iptables* if that is your preference. To install and run straight *iptables* without *firewalld* you can do so by following this guide. What this guide will **not** tell you is how to write rules for *iptables*. It is assumed that if you want to get rid of *firewalld*, you must already know how to write rules for *iptables*. ## Disabling firewalld -You can't really run the old _iptables_ utilities alongside _firewalld_. They're just not compatible. The best way to get around this is to disable _firewalld_ entirely (no need to uninstall it unless you want to) , and reinstall the _iptables_ utilities. Disabling _firewalld_ can be done using these commands: +You can't really run the old *iptables* utilities alongside *firewalld*. They're just not compatible. The best way to get around this is to disable *firewalld* entirely (no need to uninstall it unless you want to) , and reinstall the *iptables* utilities. Disabling *firewalld* can be done using these commands: -Stop _firewalld_: +Stop *firewalld*: `systemctl stop firewalld` -Disable _firewalld_ so it won't start on boot: +Disable *firewalld* so it won't start on boot: `systemctl disable firewalld` @@ -41,16 +41,16 @@ Mask the service so that it can't be found: ## Installing And Enabling iptables Services -Next, we need to install the old _iptables_ services and utilities. This is done with the following: +Next, we need to install the old *iptables* services and utilities. This is done with the following: `dnf install iptables-services iptables-utils` -This will install everything that is needed to run a straight _iptables_ rule set. +This will install everything that is needed to run a straight *iptables* rule set. -Now we need to enable the _iptables_ service to make sure that it starts on boot: +Now we need to enable the *iptables* service to make sure that it starts on boot: `systemctl enable iptables` ## Conclusion -You can return to using straight _iptables_ if you prefer it over _firewalld_. You can return to using the default _firewalld_ by simply reversing these changes. +You can return to using straight *iptables* if you prefer it over *firewalld*. You can return to using the default *firewalld* by simply reversing these changes. diff --git a/docs/guides/security/firewalld-beginners.md b/docs/guides/security/firewalld-beginners.md index 798b1bea29..b777fdb49d 100644 --- a/docs/guides/security/firewalld-beginners.md +++ b/docs/guides/security/firewalld-beginners.md @@ -16,10 +16,10 @@ So, let's talk about what we're here for. `firewalld` is the default firewall ap Here you'll learn: -* The very basics of how `firewalld` works -* How to use `firewalld` to restrict or allow incoming and outgoing connections -* How to allow only people from certain IP addresses or places to log into your machine remotely -* How to manage some `firewalld`-specific features like Zones. +- The very basics of how `firewalld` works +- How to use `firewalld` to restrict or allow incoming and outgoing connections +- How to allow only people from certain IP addresses or places to log into your machine remotely +- How to manage some `firewalld`-specific features like Zones. Please note that this is *not* intended to be a complete or exhaustive firewall guide; And as a result it only covers the basics. @@ -31,12 +31,13 @@ Well... there *are* graphical firewall configuration options. On the desktop, th 2. Understanding how the `firewalld` commands work might help you better grasp how the firewall software works. You can take the same principles you learn here and better understand what you're doing if you decide to use a graphical interface in the future. ## Prerequisites and Assumptions + You'll need: -* A Rocky Linux machine of any kind, local or remote, physical or virtual -* Access to the terminal, and a willingness to use it -* You need root access, or at least the ability to use `sudo` on your user account. For simplicity's sake, I'm assuming all commands are being run as root -* A basic understanding of SSH wouldn't hurt for managing remote machines. +- A Rocky Linux machine of any kind, local or remote, physical or virtual +- Access to the terminal, and a willingness to use it +- You need root access, or at least the ability to use `sudo` on your user account. For simplicity's sake, I'm assuming all commands are being run as root +- A basic understanding of SSH wouldn't hurt for managing remote machines. ## Basic Usage @@ -147,21 +148,13 @@ If your machine has multiple ways to connect to different networks (e.g., Ethern Default zones include the following (I've taken this explanation from [DigitalOcean's guide to `firewalld`](https://www.digitalocean.com/community/tutorials/how-to-set-up-a-firewall-using-firewalld-on-centos-8), which you should also read): > **drop:** The lowest level of trust. All incoming connections are dropped without reply and only outgoing connections are possible. - > **block:** Similar to the above, but instead of simply dropping connections, incoming requests are rejected with an icmp-host-prohibited or icmp6-adm-prohibited message. - > **public:** Represents public, untrusted networks. You don’t trust other computers but may allow selected incoming connections on a case-by-case basis. - > **external:** External networks in the event that you are using the firewall as your gateway. It is configured for NAT masquerading so that your internal network remains private but reachable. - > **internal:** The other side of the external zone, used for the internal portion of a gateway. The computers are fairly trustworthy, and some additional services are available. - > **dmz:** Used for computers located in a DMZ (isolated computers that will not have access to the rest of your network). Only certain incoming connections are allowed. - > **work:** Used for work machines. Trust most of the computers in the network. A few more services might be allowed. - > **home:** A home environment. It generally implies that you trust most of the other computers and that a few more services will be accepted. - > **trusted:** Trust all of the machines in the network. The most open of the available options and should be used sparingly. Okay, so some of those explanations get complicated, but honestly? The average beginner can get by with understanding "trusted", "home", and "public", and when to use which. @@ -271,10 +264,10 @@ As you might imagine, services are fairly standardized programs that run on your This is the preferred way to open up the ports for these common services, and a whole lot more: -* HTTP and HTTPS: for web servers -* FTP: For moving files back and forth (the old-fashioned way) -* SSH: For controlling remote machines and moving files back and forth the new way -* Samba: For sharing files with Windows machines. +- HTTP and HTTPS: for web servers +- FTP: For moving files back and forth (the old-fashioned way) +- SSH: For controlling remote machines and moving files back and forth the new way +- Samba: For sharing files with Windows machines. !!! Warning @@ -363,7 +356,6 @@ public (active) rule family="ipv4" source address="192.168.1.0/24" service name="ssh" accept ``` - Secondly, you can use two different zones at a time. If your interface is bound to the public zone, you can activate a second zone (the "trusted" zone, for example) by adding a source IP or IP range, as shown above. Then, add the SSH service to the trusted zone, and remove it from the public zone. When you're done, the output should look a bit like this: @@ -419,7 +411,7 @@ If you get locked out, restart the server (most VPS control panels have an optio This is far from an exhaustive guide, and you can learn a whole lot more with the [official `firewalld` documentation](https://firewalld.org/documentation/). There are also handy app-specific guides all over the internet that will show you how to set up your firewall for those specific apps. -For you fans of `iptables` (if you've gotten this far...), [we have a guide](firewalld.md) detailing some of the differences in how `firewalld` and `iptables` work. That guide might help you figure out if you want to stay with `firewalld` or go back to The Old Ways(TM). There is something to be said for The Old Ways(TM), in this case. +For you fans of `iptables` (if you've gotten this far...), [we have a guide](firewalld.md) detailing some of the differences in how `firewalld` and `iptables` work. That guide might help you figure out if you want to stay with `firewalld` or go back to The Old Ways^(TM)^. There is something to be said for The Old Ways^(TM)^, in this case. ## Conclusion diff --git a/docs/guides/security/firewalld.md b/docs/guides/security/firewalld.md index f771286d28..892950a31a 100644 --- a/docs/guides/security/firewalld.md +++ b/docs/guides/security/firewalld.md @@ -10,8 +10,7 @@ tags: # `iptables` guide to `firewalld` - Introduction - -When the introduction of `firewalld` as the default firewall happened (Its introduction was in 2011, but I believe it showed up first in CentOS 7.), the author continued to use `iptables`. There were two reasons for this. First, the documentation available at the time for `firewalld` used simplistic rules and did not show how `firewalld` was securing the server *down to the IP level*. Second, the author had over a decade of experience with `iptables` and it was easier to continue using that instead of learning `firewalld`. +When the introduction of `firewalld` as the default firewall happened (Its introduction was in 2011, but I believe it showed up first in CentOS 7.), the author continued to use `iptables`. There were two reasons for this. First, the documentation available at the time for `firewalld` used simplistic rules and did not show how `firewalld` was securing the server *down to the IP level*. Second, the author had over a decade of experience with `iptables` and it was easier to continue using that instead of learning `firewalld`. This document aims to address the limitations of most `firewalld` references and, to force the author to use `firewalld` to mimic those more granular firewall rules. @@ -23,10 +22,10 @@ This guide focuses on applying rules from an `iptables` firewall to a `firewalld ## Prerequisites and assumptions -* Throughout this document, the assumption is that you are the root user or have elevated privileges with `sudo`. -* A passing knowledge of firewall rules, particularly `iptables` or at minimum, you want to learn something about `firewalld`. -* You feel comfortable entering commands at the command line. -* All of the examples here deal with IPv4 IPs. +- Throughout this document, the assumption is that you are the root user or have elevated privileges with `sudo`. +- A passing knowledge of firewall rules, particularly `iptables` or at minimum, you want to learn something about `firewalld`. +- You feel comfortable entering commands at the command line. +- All of the examples here deal with IPv4 IPs. ## Zones @@ -77,7 +76,7 @@ The author does not like most of these zone names. drop, block, public, and trus Here you are allowing a single IP address for SSH (port 22) into the server. If you decide to use the built-in zones, you could use "trusted" for this. First, you add the IP to the zone and second, you apply the rule to the zone: -``` +```bash firewall-cmd --zone=trusted --add-source=192.168.1.122 --permanent firewall-cmd --zone trusted --add-service=ssh --permanent ``` @@ -129,7 +128,6 @@ Before using this zone, you need to reload the firewall: Before going any further, you need to examine the process of listing zones. You get a single production column rather than a tabular output provided by `iptables -L`. List a zone with the command `firewall-cmd --zone=[zone_name] --list-all`. Here is what this looks like when you list out the newly created "admin" zone: - `firewall-cmd --zone=admin --list-all` ```bash @@ -148,6 +146,7 @@ admin icmp-blocks: rich rules: ``` + You can list out the active zones on your system by using this command: `firewall-cmd --get-active-zones` @@ -189,7 +188,7 @@ and reload: Now just repeat our original steps using the "admin" zone: -``` +```bash firewall-cmd --zone=admin --add-source=192.168.1.122 firewall-cmd --zone admin --add-service=ssh ``` @@ -207,6 +206,7 @@ Test your rule to ensure it works. To test: Feb 14 22:02:34 serverhostname sshd[9805]: Accepted password for root from 192.168.1.122 port 42854 ssh2 Feb 14 22:02:34 serverhostname sshd[9805]: pam_unix(sshd:session): session opened for user root by (uid=0) ``` + This shows that the source IP for our SSH connection is the same IP that you just added to the "admin" zone. You will be safe to move this rule permanent: `firewall-cmd --runtime-to-permanent` @@ -271,14 +271,14 @@ From 192.168.1.104 icmp_seq=3 Packet filtered Here is the `iptables` script for publicly allowing `http` and `https`, the protocols you will need to serve web pages: -``` +```bash iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT ``` And here is the `firewalld` equivalent that you have probably seen many times before: -``` +```bash firewall-cmd --zone=public --add-service=http --add-service=https --permanent ``` @@ -304,14 +304,14 @@ Reload: Returning to the `iptables` script. You have the following rules dealing with FTP: -``` +```bash iptables -A INPUT -p tcp -m tcp --dport 20-21 -j ACCEPT iptables -A INPUT -p tcp -m tcp --dport 7000-7500 -j ACCEPT ``` This portion of the script deals with the standard FTP ports (20 and 21) and some additional passive ports. FTP servers such as [VSFTPD](../file_sharing/secure_ftp_server_vsftpd.md) often need these sort of rules. Generally, this sort of rule will be on a publicly facing web server, and is there for allowing ftp connections from your customers. -No ftp-data service (port 20) exists in `firewalld`. The ports 7000 through 7500 listed here are for passive FTP connections, and again, these do not exist as a service in `firewalld`. You could switch to SFTP, which simplifies the port-allow rules here and is likely the recommended way. +No ftp-data service (port 20) exists in `firewalld`. The ports 7000 through 7500 listed here are for passive FTP connections, and again, these do not exist as a service in `firewalld`. You could switch to SFTP, which simplifies the port-allow rules here and is likely the recommended way. This demonstrates the conversion of a set of `iptables` rules to `firewalld`. To get around all of these issues, you can do the following. @@ -416,6 +416,7 @@ public icmp-blocks: echo-reply echo-request rich rules: ``` + Note that you have removed SSH access from services and blocked ICMP "echo-reply" and "echo-request". In your "admin" zone so far, it looks like this: @@ -453,12 +454,13 @@ Interfaces are not added in our examples, because the lab uses LXD for testing. To assign these zones to the appropriate interface, you use the following commands: -``` +```bash firewall-cmd --zone=public --change-interface=enp3s0 --permanent firewall-cmd --zone=trusted --change-interface=enp3s1 --permanent firewall-cmd --zone=admin --change-interface=enp3s1 --permanent firewall-cmd --reload ``` + ## Common firewall-cmd commands You have used some commands already. Here are a few more common commands and what they do: @@ -481,4 +483,4 @@ Since `firewalld` is the recommended and included firewall with Rocky Linux, it When you see these instructions, think about what your server's use and whether the service needs to be open to the world. If not, consider applying more granularity in your rules as described above. -This is not meant to be an exhaustive guide to `firewalld`, but rather a starting point. +This is not meant to be an exhaustive guide to `firewalld`, but rather a starting point. diff --git a/docs/guides/security/generating_ssl_keys_lets_encrypt.md b/docs/guides/security/generating_ssl_keys_lets_encrypt.md index ff855b6666..cde5979cf5 100644 --- a/docs/guides/security/generating_ssl_keys_lets_encrypt.md +++ b/docs/guides/security/generating_ssl_keys_lets_encrypt.md @@ -2,7 +2,7 @@ title: Generating SSL Keys - Let's Encrypt author: Steven Spencer contributors: wsoyinka, Antoine Le Morvan, Ezequiel Bruni, Andrew Thiesen, Ganna Zhyrnova -tested_with: 8.5 +tested*with: 8.5 tags: - security - ssl @@ -13,12 +13,12 @@ tags: ## Prerequisites & assumptions -* Comfort with the command line -* Familiarity with securing web sites with SSL certificates is a plus -* Knowledge of command line text editors (this example uses _vi_) -* A web server open to the world and running on port 80 (http) -* Familiarity with _ssh_ (secure shell) and the ability to access your server with _ssh_ -* All commands assume that you are either the root user or that you have used _sudo_ to gain root access. +- Comfort with the command line +- Familiarity with securing web sites with SSL certificates is a plus +- Knowledge of command line text editors (this example uses *vi*) +- A web server open to the world and running on port 80 (http) +- Familiarity with *ssh* (secure shell) and the ability to access your server with *ssh* +- All commands assume that you are either the root user or that you have used *sudo* to gain root access. ## Introduction @@ -28,7 +28,7 @@ These are actual certificates, not self-signed or snake oil, etc., so they are g ## Installation -To do the next steps, use _ssh_ to log into your server. If your server's fully qualified DNS name was www.myhost.com, then you would use: +To do the next steps, use *ssh* to log into your server. If your server's fully qualified DNS name was , then you would use: ```bash ssh -l root www.myhost.com @@ -46,9 +46,9 @@ And then: sudo -s ``` -You will need your _sudo_ user's credentials in this case to gain access to the system as root. +You will need your *sudo* user's credentials in this case to gain access to the system as root. -Let's Encrypt uses a package called _certbot_ which needs to be installed via the EPEL repositories. Add those first: +Let's Encrypt uses a package called *certbot* which needs to be installed via the EPEL repositories. Add those first: ```bash dnf install epel-release @@ -70,8 +70,7 @@ You can always install both server modules if necessary. !!! Note - An earlier version of this guide required the snap package version of _certbot_, which was necessary at the time. The RPM versions have been re-tested recently, and are working now. That said, Certbot strongly recommends the use of the [snap install procedure](https://certbot.eff.org/instructions?ws=apache&os=centosrhel8). Rocky Linux 8 and 9 have _certbot_ available in the EPEL, so we show that procedure here. If you would like to use the procedure recommended by Certbot, just follow that procedure instead. - + An earlier version of this guide required the snap package version of *certbot*, which was necessary at the time. The RPM versions have been re-tested recently, and are working now. That said, Certbot strongly recommends the use of the [snap install procedure](https://certbot.eff.org/instructions?ws=apache&os=centosrhel8). Rocky Linux 8 and 9 have *certbot* available in the EPEL, so we show that procedure here. If you would like to use the procedure recommended by Certbot, just follow that procedure instead. ## Getting The Let's Encrypt Certificate for the Apache Server @@ -91,7 +90,7 @@ certbot certonly --apache Both commands will generate a set of prompts you need to answer. The first is to give an email address for important information: -``` +```bash Saving debug log to /var/log/letsencrypt/letsencrypt.log Plugins selected: Authenticator apache, Installer apache Enter email address (used for urgent renewal and security notices) @@ -100,7 +99,7 @@ Enter email address (used for urgent renewal and security notices) The next asks you to read and accept the terms of the subscriber agreement. Once you have read the agreement answer 'Y' to continue: -``` +```bash - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Please read the Terms of Service at https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must @@ -111,7 +110,7 @@ agree in order to register with the ACME server. Do you agree? The next is a request to share your email with the Electronic Frontier Foundation. Answer 'Y' or 'N' as is your preference: -``` +```bash - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Would you be willing, once your first certificate is successfully issued, to share your email address with the Electronic Frontier Foundation, a founding @@ -124,7 +123,7 @@ EFF news, campaigns, and ways to support digital freedom. The next prompt asks you which domain you want the certificate for. It should display a domain in the listing based on your running web server. If so, enter the number next to the domain for which you are getting the certificate. In this case there is only one option ('1'): -``` +```bash Which names would you like to activate HTTPS for? - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1: yourdomain.com @@ -135,7 +134,7 @@ blank to select all options shown (Enter 'c' to cancel): If all goes well, you should receive the following message: -``` +```bash Requesting a certificate for yourdomain.com Performing the following challenges: http-01 challenge for yourdomain.com @@ -160,11 +159,11 @@ IMPORTANT NOTES: ## The Site Configuration - https -Applying the configuration file to our site is slightly different than if we were using a purchased SSL certificate from another provider (and if we didn't let _certbot_ do it automatically). +Applying the configuration file to our site is slightly different than if we were using a purchased SSL certificate from another provider (and if we didn't let *certbot* do it automatically). A single PEM (Privacy Enhanced Mail) file includes the certificate and chain file. This is a common format for all certificate files now, so even though it has "Mail" in the reference, it is just a type of certificate file. To illustrate the configuration file, we will show it in it's entirety and then describe what is happening: -``` +```bash ServerName www.yourdomain.com ServerAdmin username@rockylinux.org @@ -178,8 +177,8 @@ A single PEM (Privacy Enhanced Mail) file includes the certificate and chain fil Alias /icons/ /var/www/icons/ # ScriptAlias /cgi-bin/ /var/www/sub-domains/com.yourdomain.www/cgi-bin/ - CustomLog "/var/log/httpd/com.yourdomain.www-access_log" combined - ErrorLog "/var/log/httpd/com.yourdomain.www-error_log" + CustomLog "/var/log/httpd/com.yourdomain.www-access_log" combined + ErrorLog "/var/log/httpd/com.yourdomain.www-error_log" SSLEngine on SSLProtocol all -SSLv2 -SSLv3 -TLSv1 @@ -206,19 +205,19 @@ A single PEM (Privacy Enhanced Mail) file includes the certificate and chain fil Here's what's happening above. You may want to review the [Apache Web Server Multi-Site Setup](../web/apache-sites-enabled.md) to see the differences in the application of an SSL purchased from another provider and the Let's Encrypt certificate: -* Even though port 80 (standard http) is listening, we are redirecting all traffic to port 443 (https) -* SSLEngine on - simply says to use SSL -* SSLProtocol all -SSLv2 -SSLv3 -TLSv1 - says to use available protocols, except those found to have vulnerabilities. You should research periodically which protocols are currently acceptable for use. -* SSLHonorCipherOrder on - this deals with the next line regarding the cipher suites, and says to deal with them in the order that they are given. This is another area where you should review the cipher suites that you want to include periodically -* SSLCertificateFile - this is the PEM file, that contains the site certificate **AND** the intermediate certificate. We still need the 'SSLCertificateChainFile' line in our configuration, but it will simply specify the same PEM file again. -* SSLCertificateKeyFile - the PEM file for the private key, generated with the _certbot_ request. -* SSLCertificateChainFile - the certificate from your certificate provider, often called the intermediate certificate, in this case exactly like the 'SSLCertificateFile' location above. +- Even though port 80 (standard http) is listening, we are redirecting all traffic to port 443 (https) +- SSLEngine on - simply says to use SSL +- SSLProtocol all -SSLv2 -SSLv3 -TLSv1 - says to use available protocols, except those found to have vulnerabilities. You should research periodically which protocols are currently acceptable for use. +- SSLHonorCipherOrder on - this deals with the next line regarding the cipher suites, and says to deal with them in the order that they are given. This is another area where you should review the cipher suites that you want to include periodically +- SSLCertificateFile - this is the PEM file, that contains the site certificate **AND** the intermediate certificate. We still need the 'SSLCertificateChainFile' line in our configuration, but it will simply specify the same PEM file again. +- SSLCertificateKeyFile - the PEM file for the private key, generated with the *certbot* request. +- SSLCertificateChainFile - the certificate from your certificate provider, often called the intermediate certificate, in this case exactly like the 'SSLCertificateFile' location above. -Once you have made all of your changes, simply restart _httpd_ and if it starts test your site to make sure you now have a valid certificate file showing. If so, you are ready to move on to the next step: automation. +Once you have made all of your changes, simply restart *httpd* and if it starts test your site to make sure you now have a valid certificate file showing. If so, you are ready to move on to the next step: automation. -## Using _certbot_ With Nginx +## Using *certbot* With Nginx -A quick note: using _certbot_ with Nginx is pretty much the same as with Apache. Here's the short, short version of the guide: +A quick note: using *certbot* with Nginx is pretty much the same as with Apache. Here's the short, short version of the guide: Run this command to get started: @@ -228,7 +227,7 @@ certbot --nginx You will need to enter your email address and the site you want a certificate for. Assuming you have at least one site configured (with a domain name pointing at the server), you'll see a list like this: -``` +```bash 1. yourwebsite.com 2. subdomain.yourwebsite.com ``` @@ -237,12 +236,12 @@ If you have multiple sites, press the number that corresponds to the site you wa The rest of the text is similar to what is above. The results will be a bit different. If you have an Nginx configuration file that looks like this: -``` +```bash server { server_name yourwebsite.com; listen 80; - listen [::]:80; + listen [::]:80; location / { root /usr/share/nginx/html; @@ -252,11 +251,11 @@ server { ``` -After _certbot_ gets through with it, it'll look like a bit this: +After *certbot* gets through with it, it'll look like a bit this: -``` +```bash server { - server_name yourwebsite.com; + server*name yourwebsite.com; listen 443 ssl; # managed by Certbot listen [::]:443 ssl; # managed by Certbot @@ -284,12 +283,13 @@ server { } ``` -Depending on a couple of things (for example, if you're using Nginx as a reverse proxy), you may need to dive into the new configuration file to fix up a few things that _certbot_ won't handle perfectly on its own. +Depending on a couple of things (for example, if you're using Nginx as a reverse proxy), you may need to dive into the new configuration file to fix up a few things that *certbot* won't handle perfectly on its own. Or write your own configuration file the hard way. + ## Automating Let's Encrypt Certificate Renewal -The beauty of installing _certbot_ is that the Let's Encrypt certificate will be automatically renewed. There is no need to create a process to do this. We do need to test the renewal with: +The beauty of installing *certbot* is that the Let's Encrypt certificate will be automatically renewed. There is no need to create a process to do this. We do need to test the renewal with: ```bash certbot renew --dry-run @@ -297,7 +297,7 @@ certbot renew --dry-run When you run this command, you'll get a nice output showing the renewal process: -``` +```bash Saving debug log to /var/log/letsencrypt/letsencrypt.log - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - @@ -323,13 +323,13 @@ Congratulations, all simulated renewals succeeded: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ``` -The command to renew _certbot_ can be found using one of the following methods: +The command to renew *certbot* can be found using one of the following methods: -* By listing the contents of `/etc/crontab/` -* By listing the contents of `/etc/cron.*/*` -* By running `systemctl list-timers` +- By listing the contents of `/etc/crontab/` +- By listing the contents of `/etc/cron.*/*` +- By running `systemctl list-timers` -In this example, we are using the last option and we can see that _certbot_ exists and that it was installed with the `snap` procedure: +In this example, we are using the last option and we can see that *certbot* exists and that it was installed with the `snap` procedure: ```bash sudo systemctl list-timers diff --git a/docs/guides/security/learning_selinux.md b/docs/guides/security/learning_selinux.md index 391ade7706..3e562d9acd 100644 --- a/docs/guides/security/learning_selinux.md +++ b/docs/guides/security/learning_selinux.md @@ -51,10 +51,10 @@ The security context is assigned to a user during their connection, according to Consider the following pieces of the SELinux puzzle: -* The subjects -* The objects -* The policies -* The mode +- The subjects +- The objects +- The policies +- The mode When a subject (an application for example) tries to access an object (a file for example), the SELinux part of the Linux kernel queries its policy database. Depending on the mode of operation, SELinux authorizes access to the object in case of success, otherwise it records the failure in the file `/var/log/messages`. @@ -66,7 +66,7 @@ By default, the security context of the process is defined by the context of the A domain is a specific type (in the SELinux sense) linked to a process and inherited (normally) from the user who launched it. Its rights are expressed in terms of authorization or refusal on types linked to objects: -A process whose context has security __domain D__ can access objects of __type T__. +A process whose context has security **domain D** can access objects of **type T**. ![The SELinux context of standard processes](../images/selinux_003.png) @@ -84,14 +84,14 @@ This mechanism is essential since it restricts the rights of a process as much a The `semanage` command manages SELinux rules. -``` +```bash semanage [object_type] [options] ``` Example: -``` -$ semanage boolean -l +```bash +semanage boolean -l ``` | Options | Observations | @@ -105,13 +105,13 @@ The `semanage` command may not be installed by default under Rocky Linux. Without knowing the package that provides this command, you should search for its name with the command: -``` +```bash dnf provides */semanage ``` then install it: -``` +```bash sudo dnf install policycoreutils-python-utils ``` @@ -119,13 +119,13 @@ sudo dnf install policycoreutils-python-utils Booleans allow the containment of processes. -``` +```bash semanage boolean [options] ``` To list the available Booleans: -``` +```bash semanage boolean –l SELinux boolean State Default Description … @@ -139,13 +139,13 @@ httpd_can_sendmail (off , off) Allow httpd to send mail The `setsebool` command is used to change the state of a boolean object: -``` +```bash setsebool [-PV] boolean on|off ``` Example: -``` +```bash sudo setsebool -P httpd_can_sendmail on ``` @@ -162,13 +162,13 @@ sudo setsebool -P httpd_can_sendmail on The `semanage` command is used to manage objects of type port: -``` +```bash semanage port [options] ``` Example: allow port 81 for httpd domain processes -``` +```bash sudo semanage port -a -t http_port_t -p tcp 81 ``` @@ -176,15 +176,15 @@ sudo semanage port -a -t http_port_t -p tcp 81 SELinux has three operating modes: -* Enforcing +- Enforcing Default mode for Rocky Linux. Access will be restricted according to the rules in force. -* Permissive +- Permissive Rules are polled, access errors are logged, but access will not be blocked. -* Disabled +- Disabled Nothing will be restricted, nothing will be logged. @@ -192,32 +192,32 @@ By default, most operating systems are configured with SELinux in Enforcing mode The `getenforce` command returns the current operating mode -``` +```bash getenforce ``` Example: -``` +```bash $ getenforce Enforcing ``` The `sestatus` command returns information about SELinux -``` +```bash sestatus ``` Example: -``` +```bash $ sestatus -SELinux status: enabled -SELinuxfs mount: /sys/fs/selinux +SELinux status: enabled +SELinuxfs mount: /sys/fs/selinux SELinux root directory: /etc/selinux Loaded policy name: targeted -Current mode: enforcing +Current mode: enforcing Mode from config file: enforcing ... Max kernel policy version: 33 @@ -225,13 +225,13 @@ Max kernel policy version: 33 The `setenforce` command changes the current operating mode: -``` +```bash setenforce 0|1 ``` Switch SELinux to permissive mode: -``` +```bash sudo setenforce 0 ``` @@ -245,7 +245,7 @@ The `/etc/sysconfig/selinux` file allows you to change the operating mode of SEL Edit the file `/etc/sysconfig/selinux` -``` +```bash SELINUX=disabled ``` @@ -255,7 +255,7 @@ SELINUX=disabled Reboot the system: -``` +```bash sudo reboot ``` @@ -269,7 +269,7 @@ To reactivate SELinux, you will have to reposition the labels on your entire sys Labeling the entire system: -``` +```bash sudo touch /.autorelabel sudo reboot ``` @@ -278,8 +278,8 @@ sudo reboot SELinux provides two standard types of rules: -* **Targeted**: only network daemons are protected (`dhcpd`, `httpd`, `named`, `nscd`, `ntpd`, `portmap`, `snmpd`, `squid` and `syslogd`) -* **Strict**: all daemons are protected +- **Targeted**: only network daemons are protected (`dhcpd`, `httpd`, `named`, `nscd`, `ntpd`, `portmap`, `snmpd`, `squid` and `syslogd`) +- **Strict**: all daemons are protected ## Context @@ -287,39 +287,39 @@ The display of security contexts is done with the `-Z` option. It is associated Examples: -``` -id -Z # the user's context -ls -Z # those of the current files -ps -eZ # those of the processes +```bash +id -Z # the user's context +ls -Z # those of the current files +ps -eZ # those of the processes netstat –Z # for network connections -lsof -Z # for open files +lsof -Z # for open files ``` The `matchpathcon` command returns the context of a directory. -``` +```bash matchpathcon directory ``` Example: -``` +```bash sudo matchpathcon /root - /root system_u:object_r:admin_home_t:s0 + /root system_u:object_r:admin_home_t:s0 sudo matchpathcon / - / system_u:object_r:root_t:s0 + / system_u:object_r:root_t:s0 ``` The `chcon` command modifies a security context: -``` +```bash chcon [-vR] [-u USER] [–r ROLE] [-t TYPE] file ``` Example: -``` +```bash sudo chcon -vR -t httpd_sys_content_t /data/websites/ ``` @@ -331,13 +331,13 @@ sudo chcon -vR -t httpd_sys_content_t /data/websites/ The `restorecon` command restores the default security context (the one provided by the rules): -``` +```bash restorecon [-vR] directory ``` Example: -``` +```bash sudo restorecon -vR /home/ ``` @@ -348,7 +348,7 @@ sudo restorecon -vR /home/ To make a context change survive to a `restorecon`, you have to modify the default file contexts with the `semanage fcontext` command: -``` +```bash semanage fcontext -a options file ``` @@ -358,22 +358,22 @@ semanage fcontext -a options file Example: -``` -$ sudo semanage fcontext -a -t httpd_sys_content_t "/data/websites(/.*)?" -$ sudo restorecon -vR /data/websites/ +```bash +sudo semanage fcontext -a -t httpd_sys_content_t "/data/websites(/.*)?" +sudo restorecon -vR /data/websites/ ``` ## `audit2why` command The `audit2why` command indicates the cause of a SELinux rejection: -``` +```bash audit2why [-vw] ``` Example to get the cause of the last rejection by SELinux: -``` +```bash sudo cat /var/log/audit/audit.log | grep AVC | grep denied | tail -1 | audit2why ``` @@ -386,13 +386,13 @@ sudo cat /var/log/audit/audit.log | grep AVC | grep denied | tail -1 | audit2why The `audit2allow` command creates a module to allow a SELinux action (when no module exists) from a line in an "audit" file: -``` +```bash audit2allow [-mM] ``` Example: -``` +```bash sudo cat /var/log/audit/audit.log | grep AVC | grep denied | tail -1 | audit2allow -M mylocalmodule ``` @@ -405,25 +405,25 @@ sudo cat /var/log/audit/audit.log | grep AVC | grep denied | tail -1 | audit2all After the execution of a command, the system gives you back the command prompt but the expected result is not visible: no error message on the screen. -* **Step 1**: Read the log file knowing that the message we are interested in is of type AVC (SELinux), refused (denied) and the most recent one (therefore the last one). +- **Step 1**: Read the log file knowing that the message we are interested in is of type AVC (SELinux), refused (denied) and the most recent one (therefore the last one). -``` +```bash sudo cat /var/log/audit/audit.log | grep AVC | grep denied | tail -1 ``` The message is correctly isolated but is of no help to us. -* **Step 2**: Read the isolated message with the `audit2why` command to get a more explicit message that may contain the solution to our problem (typically a boolean to be set). +- **Step 2**: Read the isolated message with the `audit2why` command to get a more explicit message that may contain the solution to our problem (typically a boolean to be set). -``` +```bash sudo cat /var/log/audit/audit.log | grep AVC | grep denied | tail -1 | audit2why ``` There are two cases: either we can place a context or fill in a boolean, or we must go to step 3 to create our own context. -* **Step 3**: Create your own module. +- **Step 3**: Create your own module. -``` +```bash $ sudo cat /var/log/audit/audit.log | grep AVC | grep denied | tail -1 | audit2allow -M mylocalmodule Generating type enforcement: mylocalmodule.te Compiling policy: checkmodule -M -m -o mylocalmodule.mod mylocalmodule.te diff --git a/docs/guides/web/nginx-multisite.md b/docs/guides/web/nginx-multisite.md index 576c5e37c0..4e58aac7c4 100644 --- a/docs/guides/web/nginx-multisite.md +++ b/docs/guides/web/nginx-multisite.md @@ -29,32 +29,33 @@ I'll be explaining a *lot* of details... but in the end, the whole process basic This is everything you'll need: -* A Rocky Linux server connected to the internet, with Nginx already running on it. If you haven't gotten that far, you can follow [our guide to installing Nginx](nginx-mainline.md) first. -* Some comfort with doing things on the command line, and a terminal-based text editor like `nano` installed. +- A Rocky Linux server connected to the internet, with Nginx already running on it. If you haven't gotten that far, you can follow [our guide to installing Nginx](nginx-mainline.md) first. +- Some comfort with doing things on the command line, and a terminal-based text editor like `nano` installed. !!! tip "In a pinch" ... you could use something like Filezilla or WinSCP — and a regular GUI-based text editor — to replicate most of these steps, but we'll be doing things the nerdy way in this tutorial. -* At least one domain pointed at your server for one of the test websites. You can use either a second domain or a subdomain for the other. +- At least one domain pointed at your server for one of the test websites. You can use either a second domain or a subdomain for the other. !!! tip If you're doing all of this on a local server, adjust your hosts file as necessary to create simulated domain names. Instructions below. -* We are assuming that you're running Nginx on a bare metal server or regular VPS, and that SELinux is running. All instructions will be compatible with SELinux by default. -* *All commands must be run as root,* either by logging in as the root user, or using `sudo`. +- We are assuming that you're running Nginx on a bare metal server or regular VPS, and that SELinux is running. All instructions will be compatible with SELinux by default. +- *All commands must be run as root,* either by logging in as the root user, or using `sudo`. ## Setting up Your Folders and Test Sites ### The website folders + First, you're going to need a couple of folders for your website files. When you first install Nginx, all of the "demo" website files will be in `/usr/share/nginx/html`. That's fine if you're hosting just the one site, but we're going to get fancy. Ignore the `html` directory for now, and just navigate its parent folder: ```bash cd /usr/share/nginx ``` -The test domains for the sake of this tutorial will be `site1.server.test` and `site2.server.test`, and we're going to name those website folders accordingly. You should change those domains to whatever you're using, of course. However (and here's a trick I picked up from Smarter PeopleTM), we're going to write the domain names "backwards". +The test domains for the sake of this tutorial will be `site1.server.test` and `site2.server.test`, and we're going to name those website folders accordingly. You should change those domains to whatever you're using, of course. However (and here's a trick I picked up from Smarter People^TM^), we're going to write the domain names "backwards". eg. "yourwebsite.com" would go in a folder called `com.yourwebsite`. Mind you, you can *literally* name these folders whatever you want, but there's a good reason for this method, which I've outlined below. @@ -110,9 +111,9 @@ cd /etc/nginx/ If you run the `ls` command to see what files and folders are in here, you'll see a bunch of different things, most of which are irrelevant today. The ones to note are these: -* `nginx.conf` is the file that contains, you guessed it, the default Nginx configuration. We'll be editing that later. -* `conf.d` is a directory where you can put custom configuration files. You *could* use this for websites, but it's better to use it for feature-specific settings that you want on all of your websites. -* `default.d` is a directory where your website config *might* go if you were only running one site on the server, or if your server has a "primary" website. Leave it alone for now. +- `nginx.conf` is the file that contains, you guessed it, the default Nginx configuration. We'll be editing that later. +- `conf.d` is a directory where you can put custom configuration files. You *could* use this for websites, but it's better to use it for feature-specific settings that you want on all of your websites. +- `default.d` is a directory where your website config *might* go if you were only running one site on the server, or if your server has a "primary" website. Leave it alone for now. We want to create two new folders called `sites-available` and `sites-enabled`: @@ -159,13 +160,13 @@ nano nginx.conf First, find the line that looks like this: -``` +```bash include /etc/nginx/conf.d/*.conf; ``` And **add** this bit just below it: -``` +```bash include /etc/nginx/sites-enabled/*.conf; ``` @@ -173,7 +174,7 @@ That will load in our website configuration files when they're ready to go live. Now head down to the section that looks like this, and either **comment it out** with the hash sign ++#++, or delete it if you feel so inclined: -``` +```bash server { listen 80; listen [::]:80; @@ -195,7 +196,7 @@ server { What that would look like "commented out": -``` +```bash #server { # listen 80; # listen [::]:80; @@ -235,7 +236,6 @@ Now let's make your test websites available on the server. As previously mention However, if you delete a link to the target, nothing at all happens to the original file. This trick is what allows us to put the website configuration files in a working directory (`sites-available`), and then "activate" them by linking to those files from `sites-enabled`. - I'll show you what I mean. Make a configuration file for the first website like so: ```bash @@ -244,7 +244,7 @@ nano sites-available/test.server.site1.conf Now paste in this code. This is about the simplest working Nginx configuration you can have, and should work fine for most static HTML websites: -``` +```bash server { listen 80; listen [::]:80; @@ -338,14 +338,14 @@ On Windows, the hosts file is located at `C:\Windows\system32\drivers\etc\hosts` So if you're working on a Rocky Linux computer, and are running your Nginx server on the same machine, you'd just open up the file, and define the domains/IP addresses you want. If you're running your workstation and test server on the same machine, that'd be: -``` +```bash 127.0.0.1 site1.server.test 127.0.0.1 site2.server.test ``` If you're running your Nginx server on another machine on the network, just use the address of that machine, eg.: -``` +```bash 192.168.0.45 site1.server.test 192.168.0.45 site2.server.test ``` @@ -362,4 +362,4 @@ Remember, most of the folder/file organization and naming conventions here are t The actual website files should be somewhere in `/usr/share/nginx/`, and the rest is gravy. -Try it out, do some ScienceTM, and don't forget to run `nginx -t` before you restart Nginx to make sure you didn't miss a semi-colon or anything. It'll save you a lot of time. +Try it out, do some Science^TM^, and don't forget to run `nginx -t` before you restart Nginx to make sure you didn't miss a semi-colon or anything. It'll save you a lot of time.