SE Linux is automatically disabled during installation of nmsprime-base.
See: https://github.com/schmto/nmsprime/blob/dev/Install/after_install.sh
| Code Block |
|---|
|
# in /etc/sysconfig/selinux
echo "
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - SELinux is fully disabled.
#SELINUX=enforcing
SELINUX=disabled
# SELINUXTYPE= type of policy in use. Possible values are:
# targeted - Only targeted network daemons are protected.
# strict - Full SELinux protection.
SELINUXTYPE=targeted
# SETLOCALDEFS= Check local definition changes
SETLOCALDEFS=0
" > /etc/sysconfig/selinux
# disable at runtime - NOTE: it's still possible that a reboot is necessary
setenforce 0
|
| Info |
|---|
|
# or prevent blocking the app/storage directory
sudo su
chcon -R -h -t httpd_sys_script_rw_t /var/www/lara/storage |
Interfaces
| Code Block |
|---|
|
# create VLANs - Attention: edit "if" (interface) if necessary
if="eno2"
for word in 10 100 110 120 130; do
Z=`echo "$word-100" | bc`;
if [ $Z -lt 0 ];
then ip=192.168.253.1;
else ip=172.20.$Z.1;
fi;
echo "DEVICE=$if.$word
BOOTPROTO=none
ONBOOT=yes
IPADDR=$ip
PREFIX=24
VLAN=yes
" > /etc/sysconfig/network-scripts/ifcfg-$if.$word
done |
| Info |
|---|
on VMs to avoid dhcp trouble on a bridged interface disable all ip stuff on the major provisioning interface | Code Block |
|---|
if="eno2"
echo "
DEVICE=$if
ONBOOT=yes
" > /etc/sysconfig/network-scripts/ifcfg-$if |
|
Firewall
| Code Block |
|---|
|
# assign internal network interfaces (vlans) to internal firewall zone (see Buglist: https://bugs.centos.org/view.php?id=7407)
for i in `find /etc/sysconfig/network-scripts/ -name ifcfg-*.*`; do echo "ZONE=internal" >> $i; done
# restart network that firewalld automatically assigns the interfaces
systemctl enable firewalld
systemctl start firewalld
systemctl restart network.service
# firewalld
# remove not required services - ATTENTION: if ssh runs on private network then switch public and internal in following cmds
for word in `firewall-cmd --list-services --zone=public`; do if [ $word != "ssh" ]; then firewall-cmd --remove-service=$word --zone=public --permanent; fi; done
for word in `firewall-cmd --list-services --zone=internal`; do firewall-cmd --remove-service=$word --zone=internal --permanent; done
# assign services
for word in ssh https; do firewall-cmd --add-service=$word --zone=public --permanent; done
for word in tftp dhcp dns; do firewall-cmd --add-service=$word --zone=internal --permanent; done
firewall-cmd --add-port=37/udp --zone=internal --permanent
# this is the port used to access the admin part of NMS Prime - feel free to restrict access to some IPs
# to get all working we allow connections for complete zone public
firewall-cmd --add-port=8080/tcp --zone=public --permanent
# restart
firewall-cmd --reload
|
| Info |
|---|
- There are two different lists: the active list and the permanent list
- Use --permanent flag to work with permanent list
- permanent list will only be active after --reload command
- only permanent commands will generate /etc/firewalld/... files
|
Apache
SSL
| Code Block |
|---|
|
#
# SSL
# Self Signed Certificat
#
mkdir /etc/httpd/ssl
openssl req -new -x509 -days 365 -nodes -out /etc/httpd/ssl/httpd.pem -keyout /etc/httpd/ssl/httpd.key |
Configuration for Laravel Webspace
| Code Block |
|---|
|
echo "
<VirtualHost *:443>
SSLEngine On
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!SEED:!IDEA:!RC4
SSLCertificateFile /etc/httpd/ssl/httpd.pem
SSLCertificateKeyFile /etc/httpd/ssl/httpd.key
</VirtualHost>
Alias /lara /var/www/lara/public
<Directory /var/www/lara/public>
AllowOverride all
</Directory>
" > /etc/httpd/conf.d/lara.conf |
| Code Block |
|---|
|
# start webserver
systemctl enable httpd
systemctl start httpd |
| Info |
|---|
RewriteBase in laravel public/.htaccess must match with apache mods config | Code Block |
|---|
# add the following line to /var/www/lara/public/.htaccess to change the root directory for the webbrowser
RewriteBase /lara/
php_flag safe_mode off # disables some functionalities for security purposes (deprecated) |
This is already done in GIT Repo and should be only relevant for new projects and maybe debug problems |
TFTP
| Code Block |
|---|
|
# edit tftp config file
echo "
service tftp
{
socket_type = dgram
protocol = udp
wait = yes
user = root
server = /usr/sbin/in.tftpd
server_args = -s /tftpboot -v # changed root dir
disable = no # enable
per_source = 11
cps = 100 2
flags = IPv4
}" > /etc/xinetd.d/tftp
# start server
yum install xinetd
systemctl enable xinetd
systemctl start xinetd |
DOCSIS Config File Tool
Requirements
...
# requires following packages
...
yum install -y net-snmp net-snmp-devel flex flex-devel bison gcc
Install from source code
There are two different ways go install – From:
- GIT repo
- wget
1. Install from git repo
This is recommend and allows running the latest stable git version from docsis tool: see https://github.com/rlaager/docsis.git
| Code Block |
|---|
| language | bash |
|---|
| title | Version 0.9.8 |
|---|
|
# prepare
yum install libtool glib2-devel
cd ~
mkdir git
# download
cd git
git clone https://github.com/rlaager/docsis.git
# install
cd docsis
./autogen.sh
./configure
make && make install |
(2. Install with wget – deprecated)
| Code Block |
|---|
| language | bash |
|---|
| title | old version |
|---|
|
# download
wget http://sourceforge.net/projects/docsis/files/docsis/docsis-0.9.6/docsis-0.9.6.tar.bz2
# unzip
tar jxf docsis-0.9.6.tar.bz2
cd docsis*
# install
./configure
make
sudo make install |
Last steps
| Code Block |
|---|
|
cd /var/www/lara
# fill database tables with examples - only useful for testing or development
php artisan db:seed
php artisan module:seed
# Create CM and CPE configfiles
php artisan nms:configfile
# Create dhcp files
php artisan nms:dhcp |
You now should be able to login to your NMS installation – initial user is “root” with password “toor” (you should at least change the password NOW!)
TODO
- generic interface configuration (scripts)
...