--- Sjoerd Hooft's InFormation Technology ---

Red Hat 6.5 Post Install

Note that if you see GSSAPI errors in the /var/log/messages logfile and experience slow logon times, you should disable LDAP referrals in the config file, see Fix: Red Hat GSSAPI Error

After creating a server with kickstart from the Red Hat Enterprise Linux 6.5 Management Server you need to do some more configuration depending on the exact machine. This post install page lists all the steps; change the details to match your requirements:

Create Extra Disks

First list the devices of the system so you can locate the new disk:

  • ls /dev/

Partition the new disk with LVM:

  • sudo fdisk -cu /dev/sdd
    • Command: n (Add a new partition)
      • Partition number: 1
      • Keep defaults for sectors (use entire disk)
    • Command: t (change a partition's system id)
      • 8e (for Linux LVM)
    • Command: w (write table to disk and exit)

Show current Volume Groups:

  • sudo vgs

Create new volume group on the partitioned disk:

  • sudo vgcreate vg_rhapplserver_data /dev/sdd1

Create a logical volume in the volume group:

  • sudo lvcreate -n data -l 100%FREE vg_rhapplserver_data

Create the mountpoint:

  • sudo mkdir /data

Format the filesystem on the logical volume:

  • sudo mkfs.ext4 /dev/vg_rhapplserver_data/data

Add the filesystem to the /etc/fstab file:

  • sudo vim /etc/fstab
/dev/mapper/vg_rhapplserver_data-data /data                 ext4    defaults        1 2

Mount the filesystem:

  • sudo mount /data

Add Local Application Users

First check which user ids (uids) are already in use:

cut -d: -f1,3 /etc/passwd

Local application users should have a uid over 50000. To create the user issue this command:

sudo mkdir -p /appl/
sudo useradd --uid 55555 -p 'XXXXXXXXXXXXXXXXX' -d /appl/appl1user -m appl1user

Don't forget to put the password in KeePass. Note that useradd -p expects the already hashed password (as produced by crypt), not the clear text, and the value ends up in the shell history; setting the password afterwards with sudo passwd appl1user avoids both problems.
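As an added example (not from the original page), a small shell script that picks a free uid above 50000 from a passwd-format file and checks whether a chosen uid such as 55555 is still unused. It assumes the passwd file is passed as an argument and runs here against a constructed sample copy; on a real server pass /etc/passwd.

```shell
#!/bin/sh
# Added example (not from the original page): pick a uid for a new local
# application user that is above 50000 and not already present in a
# passwd-format file. Assumed: the file is given as an argument so a
# constructed copy can be checked; on a real server pass /etc/passwd.

# Print the uids in use from a passwd-format file, one per line.
used_uids() {
    cut -d: -f3 "$1"
}

# Print the lowest free uid >= 50001 (local application users must be > 50000).
next_free_uid() {
    used_uids "$1" | awk -v start=50001 '
        { used[$1] = 1 }
        END { uid = start; while (uid in used) uid++; print uid }'
}

# Return 0 if the requested uid ($1) is free in the passwd file ($2), 1 if taken.
uid_is_free() {
    if used_uids "$2" | grep -qx "$1"; then
        return 1
    fi
    return 0
}

# Constructed sample passwd file (temporary copy, kept so the checks can reuse it).
SAMPLE_PASSWD=$(mktemp)
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
nobody:x:99:99:Nobody:/:/sbin/nologin
appl0user:x:50001:50001::/appl/appl0user:/bin/bash
adminsjoerd:x:1000:1000::/home/adminsjoerd:/bin/bash
EOF

if uid_is_free 55555 "$SAMPLE_PASSWD"; then
    echo "uid 55555 is free; lowest free application uid: $(next_free_uid "$SAMPLE_PASSWD")"
else
    echo "uid 55555 is already taken"
fi
```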

Create NFS Shares

Note that the NFS share creation should take place here: Red Hat 6.5 NFS Server

To make sure users are recognized as file owners (instead of showing up as nobody), edit /etc/idmapd.conf:

[adminsjoerd@nfsserver rhmgmtsrv-jobs]$ egrep -v '^#|^$' /etc/idmapd.conf
[General]
Domain = getshifting.local
[Mapping]
Nobody-User = nobody
Nobody-Group = nobody
[Translation]
Method = nsswitch

Also create the application user on the NFS server, with the same uid:

[adminsjoerd@nfsserver ~]$ sudo useradd --uid 55555 appl1user 
--- now files are created as expected instead of as nobody:nobody

One server specific share needs to be created, and the shared temp directory that is used to transfer data between servers is needed as well.

NFS shares:

  • /appl/scriptlogs (100 GB)
    • sudo mkdir /data/rhmgmtsrv-jobs
    • sudo chown -R 55555:55555 /data/rhmgmtsrv-jobs/
  • /appl/appl_tmp (50 GB)

Note: for a mixed NFS share used by both local and AD accounts, as is the case for the interface share, this setup is preferred (AD account as owner, local application uid as group, group writable):
[adminsjoerd@nfsserver biztalk-acp]$ sudo chown -R srv-linux-bizacc:55555 /data/biztalk-acp/appl1/
[adminsjoerd@nfsserver biztalk-acp]$ sudo chown -R srv-linux-bizacc:55556 /data/biztalk-acp/appl2/
[adminsjoerd@nfsserver biztalk-acp]$ sudo chown -R srv-linux-bizacc:55554 /data/biztalk-acp/appl3/
[adminsjoerd@nfsserver biztalk-acp]$ sudo chmod g+w appl3/
[adminsjoerd@nfsserver biztalk-acp]$ sudo chmod g+w appl2/
[adminsjoerd@nfsserver biztalk-acp]$ sudo chmod g+w appl1/
drwxrwxr-x. 2 srv-linux-bizacc appl3user     4096 Sep 11 13:53 appl3
drwxrwxr-x. 2 srv-linux-bizacc appl2user     4096 Sep 11 11:43 appl2
drwxrwxr-x. 2 srv-linux-bizacc appl1user 4096 Sep 11 11:43 appl1

Add the server specific share to the /etc/exports file on the NFS server, and check that the server has access to the appl_tmp share:

[adminsjoerd@nfsserver ~]$ cat /etc/exports
# Share the home directory will all redhat 6.5 servers
/data/all-servers-home applprda4*.getshifting.local(rw,sync)
/data/all-servers-home applprdd4*.getshifting.local(rw,sync)
/data/all-servers-home applacpa4*.getshifting.local(rw,sync)
/data/all-servers-home applacpd4*.getshifting.local(rw,sync)
/data/all-servers-home applacta0*.getshifting.local(rw,sync)
/data/all-servers-home applactd0*.getshifting.local(rw,sync)
/data/all-servers-home rhapplserver.getshifting.local(rw,sync)
# Share the appl_home directory will all unix and redhat servers
/data/all-servers-appl_tmp applprd*.getshifting.local(rw,sync)
/data/all-servers-appl_tmp applacp*.getshifting.local(rw,sync)
/data/all-servers-appl_tmp applact*.getshifting.local(rw,sync)
# Server specific shares
/data/rhmgmtsrv-jobs rhmgmtsrv.getshifting.local(rw,sync,fsid=0)

After adding the share to the exports file, export the shares:

sudo exportfs -ra

You can check if the export was successful using the showmount command:

[adminsjoerd@nfsserver data]$ showmount -e
Export list for nfsserver.getshifting.local:
/data/all-servers-appl_tmp applact*.getshifting.local,applacp*.getshifting.local,applprd*.getshifting.local
/data/rhmgmtsrv-jobs      rhmgmtsrv.getshifting.local
/data/all-servers-home     applactd0*.getshifting.local,applacta0*.getshifting.local,applacpd4*.getshifting.local,applacpa4*.getshifting.local,applprdd4*.getshifting.local,applprda4*.getshifting.local,rhapplserver.getshifting.local
Note that the fsid=0 has something to do with NFS4; if I don't use it I get the error: mount.nfs4: mounting nfsserver:/data/rhmgmtsrv-jobs failed, reason given by server: No such file or directory

Mount NFS Shares

To make sure users are recognized as file owners (instead of showing up as nobody), edit /etc/idmapd.conf on the client as well; the Domain must match the one on the NFS server:

[adminsjoerd@rhmgmtsrv]$ egrep -v '^#|^$' /etc/idmapd.conf
[General]
Domain = getshifting.local
[Mapping]
Nobody-User = nobody
Nobody-Group = nobody
[Translation]
Method = nsswitch
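As an added example (not from the original page), a shell check for the two things above that decide whether ownership maps correctly between NFS client and server: the idmapd Domain must be identical on both sides and the application user must exist on both with the same uid (the nobody:nobody symptom from the NFS server section). It assumes the config and passwd files are passed as arguments and runs against constructed copies; on real hosts use /etc/idmapd.conf and /etc/passwd.

```shell
#!/bin/sh
# Added example (not from the original page): verify that an NFS client and the
# NFS server agree on the idmapd Domain and on the uid of the application user.
# Assumed: files are passed as arguments so constructed copies can be checked;
# on real hosts use /etc/idmapd.conf and /etc/passwd of both machines.

# Print the Domain value from an idmapd.conf (comments ignored).
idmap_domain() {
    grep -v '^#' "$1" | sed -n 's/^[[:space:]]*Domain[[:space:]]*=[[:space:]]*//p'
}

# Print the uid of a user from a passwd-format file (empty if the user is absent).
passwd_uid() {
    awk -F: -v u="$1" '$1 == u { print $3 }' "$2"
}

# check_nfs_identity USER SERVER_PASSWD CLIENT_PASSWD SERVER_IDMAP CLIENT_IDMAP
# Return 0 when server and client agree, otherwise print the reason and return 1.
check_nfs_identity() {
    user=$1; srv_pw=$2; cli_pw=$3; srv_id=$4; cli_id=$5
    rc=0
    if [ "$(idmap_domain "$srv_id")" != "$(idmap_domain "$cli_id")" ]; then
        echo "idmapd Domain differs: owners will show as nobody:nobody"; rc=1
    fi
    if [ -z "$(passwd_uid "$user" "$srv_pw")" ]; then
        echo "$user missing on the NFS server: create it with the same uid"; rc=1
    elif [ "$(passwd_uid "$user" "$srv_pw")" != "$(passwd_uid "$user" "$cli_pw")" ]; then
        echo "uid of $user differs between server and client"; rc=1
    fi
    return $rc
}

# Constructed sample files (temporary copies, kept so the checks can reuse them).
SRV_ID=$(mktemp); CLI_ID=$(mktemp); SRV_PW=$(mktemp); CLI_PW=$(mktemp); BAD_PW=$(mktemp)
printf '[General]\nDomain = getshifting.local\n' > "$SRV_ID"
printf '# client copy\n[General]\nDomain = getshifting.local\n' > "$CLI_ID"
printf 'root:x:0:0::/root:/bin/bash\nappl1user:x:55555:55555::/appl/appl1user:/bin/bash\n' > "$CLI_PW"
printf 'root:x:0:0::/root:/bin/bash\nappl1user:x:55555:55555::/home/appl1user:/bin/bash\n' > "$SRV_PW"
printf 'root:x:0:0::/root:/bin/bash\nappl1user:x:55556:55556::/home/appl1user:/bin/bash\n' > "$BAD_PW"

check_nfs_identity appl1user "$SRV_PW" "$CLI_PW" "$SRV_ID" "$CLI_ID" && echo "appl1user: server and client consistent"
check_nfs_identity appl1user "$BAD_PW" "$CLI_PW" "$SRV_ID" "$CLI_ID" || echo "mismatch detected as expected"
```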

After creating the NFS shares on the NFS server you now have to add them to the NFS client to use them. First make the mountpoints:

sudo mkdir -p /appl/scriptlogs
sudo mkdir /appl/appl_tmp

Then add the mount to the /etc/fstab file so the mounts will be automatically mounted after a restart:

nfsserver:/data/rhmgmtsrv-jobs      /appl/scriptlogs     nfs     hard,intr,rsize=8192,wsize=8192     0 0
nfsserver:/data/all-servers-appl_tmp      /appl/appl_tmp     nfs     hard,intr,rsize=8192,wsize=8192     0 0

If the mount is being used for oracle backup you need these settings:

bcksrv:Oracle       /dbbackup               nfs     rw,rsize=32768,wsize=32768,hard,nointr,bg,nfsvers=3,tcp,actimeo=0,timeo=600 0 0

The NFS mount options used above have the following effect:

  • hard/intr: A program accessing a file on an NFS mounted file system will hang when the server crashes. The process cannot be interrupted or killed (except by a “sure kill”) unless you also specify intr. When the NFS server is back online the program continues undisturbed from where it was. Hard mounts are usually recommended over soft mounts, as soft mounts can result in corrupted data. Note that the kernel ignores intr and nointr since 2.6.25 (Red Hat 6.5 ships 2.6.32), so in practice only SIGKILL interrupts a process waiting on a hard mount.
  • rsize=n and wsize=n: These specify the datagram size used by NFS clients for read and write requests. We increase the block size to 8 KB for better performance because most files placed on the mount will be large files.
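As an added example (not from the original page), a shell audit of the NFS entries in an fstab-format file against the guidance above: it flags soft mounts and entries that state neither hard nor soft, and warns where intr/nointr is present since the kernel ignores it. It assumes the file is passed as an argument and runs against a constructed sample built from the entries on this page plus one deliberately weak entry; on a real client pass /etc/fstab.

```shell
#!/bin/sh
# Added example (not from the original page): audit NFS fstab entries.
# Every NFS mount should use hard (soft can corrupt data on a server outage);
# intr/nointr are ignored by kernels 2.6.25 and later and only produce a warning.
# Assumed: the fstab file is passed as an argument; on a real client use /etc/fstab.

# check_nfs_options MOUNTPOINT OPTIONS: return 1 and print the reason on a problem.
check_nfs_options() {
    mnt=$1; opts=$2; rc=0
    case ",$opts," in
        *,soft,*) echo "$mnt: soft mount, use hard instead"; rc=1 ;;
        *,hard,*) ;;
        *) echo "$mnt: neither hard nor soft given (hard is the default, state it)"; rc=1 ;;
    esac
    case ",$opts," in
        *,intr,*|*,nointr,*) echo "$mnt: intr/nointr is ignored since kernel 2.6.25" ;;
    esac
    return $rc
}

# audit_nfs_fstab FILE: return the number of NFS entries that failed the check.
audit_nfs_fstab() {
    failed=0
    while read -r dev mnt type opts rest; do
        case "$dev" in ''|'#'*) continue ;; esac          # skip blanks and comments
        case "$type" in
            nfs|nfs4) check_nfs_options "$mnt" "$opts" || failed=$((failed + 1)) ;;
        esac
    done < "$1"
    return $failed
}

# Constructed sample fstab (temporary copy, kept so the checks can reuse it).
SAMPLE_FSTAB=$(mktemp)
cat > "$SAMPLE_FSTAB" <<'EOF'
# constructed sample based on the entries on this page, plus one soft mount
/dev/mapper/vg_rhapplserver_data-data /data ext4 defaults 1 2
nfsserver:/data/rhmgmtsrv-jobs /appl/scriptlogs nfs hard,intr,rsize=8192,wsize=8192 0 0
nfsserver:/data/all-servers-appl_tmp /appl/appl_tmp nfs hard,intr,rsize=8192,wsize=8192 0 0
bcksrv:Oracle /dbbackup nfs rw,rsize=32768,wsize=32768,hard,nointr,bg,nfsvers=3,tcp,actimeo=0,timeo=600 0 0
otherserver:/export/scratch /mnt/scratch nfs soft,rsize=8192 0 0
EOF

audit_nfs_fstab "$SAMPLE_FSTAB"; echo "NFS entries needing attention: $?"
```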

Mount the shares like this:

sudo mount /appl/scriptlogs
sudo mount /appl/appl_tmp

Create Other Local Directories And Set Permissions

The two required directories should already have been created while creating the user and the mountpoints for the NFS shares. Check this, create them if they are missing, and set the required permissions:

sudo mkdir /appl/appldata
sudo mkdir /appl/applcode

Set ownership:

sudo chown -R appl1user:appl1user /appl/appldata
sudo chown -R appl1user:appl1user /appl/applcode

For the BizTalk user (from Active Directory) the home directory in the user object should be set to /appl/interfaces; make sure that directory also exists:

sudo mkdir /appl/appldata/acp/interfaces

Set the ownership as well:

sudo chown -R srv-linux-bizacp:UNIX-SRV-Accounts /appl/appldata/acp/interfaces

SSH Access

Make sure members of the three Unix Administrator groups can access the server over ssh by adding the groups to the /etc/ssh/sshd_config file:

# Only allow users in these groups to access over ssh
AllowGroups UNIX-Server-Admins UNIX-Server-AppM UNIX-SRV-Accounts

Then restart ssh daemon:

sudo service sshd restart

Sudo

Make sure members of UNIX-Server-AppM can use sudo to switch to the local application user, so they don't need to type that user's password every time they have to do something. To configure this, add a Cmnd_Alias to the sudoers file (edit it with visudo, which refuses to save a file with syntax errors) and allow the group to use that command alias:

Cmnd_Alias AMSU = /bin/su - appl1user
%UNIX-Server-AppM ALL=(ALL) NOPASSWD: AMSU

The part ALL=(ALL) means:

  • ALL = on all hosts
  • (ALL) = as any target user

Firewall

Open the required ports and save the rules so they survive a reboot:

[adminsjoerd@rhmgmtsrv appl_tmp]$ sudo iptables -I INPUT -p tcp --dport 21000 -j ACCEPT
[adminsjoerd@rhmgmtsrv appl_tmp]$ sudo iptables -I INPUT -p tcp --dport 22000 -j ACCEPT
[adminsjoerd@rhmgmtsrv appl_tmp]$ sudo service iptables save 

Other

  • Add the server to the correct backup policy in netbackup on the bckprdc01.
  • Add the server to the CMDB
  • Add the server to SCOM

Markets User Limits

Create the file /etc/security/limits.d/99-appl1user-limits.conf and add the following lines:

appl1user soft nproc 50000
appl1user hard nproc 709150
appl1user soft nofile 10000
appl1user hard nofile 10000

Oracle Client Permissions

Set the permissions so the user can start the Oracle client:

[adminsjoerd@applacta003 opt]$ sudo chmod -R go+rx oracle/

redhatpostinstall.txt · Last modified: 2021/09/24 00:25 (external edit)