# in /etc/sysconfig/selinux
# Write the SELinux boot configuration. A quoted heredoc is used so nothing in
# the file body is subject to shell expansion. SELINUX=disabled only takes
# effect at the next boot; "permissive" would keep logging AVC denials, which
# is handy when verifying the chcon-based alternative instead of disabling.
cat > /etc/sysconfig/selinux <<'EOF'

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - SELinux is fully disabled.
#SELINUX=enforcing
SELINUX=disabled
# SELINUXTYPE= type of policy in use. Possible values are:
# targeted - Only targeted network daemons are protected.
# strict - Full SELinux protection.
SELINUXTYPE=targeted
# SETLOCALDEFS= Check local definition changes
SETLOCALDEFS=0
EOF

# disable at runtime - NOTE: it's still possible that a reboot is necessary
# (setenforce 0 only switches enforcing -> permissive for the running kernel).
setenforce 0
alternative
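# or prevent blocking the app/storage directory (keeps SELinux enforcing and
# only grants httpd write access to the Laravel storage tree).
#
# Run the command via sudo: "sudo su" opens an interactive root shell and a
# following chcon line would not execute inside it when this is scripted.
#
# chcon labels are lost on a filesystem relabel (restorecon / autorelabel).
# To make the label persistent, record it in the local policy instead:
#   semanage fcontext -a -t httpd_sys_script_rw_t "/var/www/lara/storage(/.*)?"
#   restorecon -R -v /var/www/lara/storage
sudo chcon -R -h -t httpd_sys_script_rw_t /var/www/lara/storage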
Interfaces
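# create VLANs - Attention: edit "if" (interface) if necessary
if="eno2"

# Each VLAN id gets its own /24 on the tagged sub-interface <if>.<id>:
# ids below 100 land in 192.168.253.0/24, everything else in 172.20.<id-100>.0/24
# (e.g. 110 -> 172.20.10.1). Shell arithmetic replaces forking bc per VLAN, and
# every path expansion is quoted.
for word in 10 100 110 120 130; do
  Z=$(( word - 100 ))
  if (( Z < 0 )); then
    ip=192.168.253.1
  else
    ip="172.20.$Z.1"
  fi
  cat > "/etc/sysconfig/network-scripts/ifcfg-$if.$word" <<EOF || exit 1
DEVICE=$if.$word
BOOTPROTO=none
ONBOOT=yes
IPADDR=$ip
PREFIX=24
VLAN=yes
EOF
done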
On VMs, to avoid DHCP trouble on a bridged interface, disable all IP configuration on the main provisioning interface:
# Untagged parent interface: only bring it up so the VLAN sub-interfaces can
# attach to it; no BOOTPROTO/IPADDR, so it never requests or carries an address.
if="eno2"
cat > "/etc/sysconfig/network-scripts/ifcfg-$if" <<EOF

DEVICE=$if
ONBOOT=yes
EOF
Firewall
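# assign internal network interfaces (vlans) to internal firewall zone
# (see Buglist: https://bugs.centos.org/view.php?id=7407)
# The -name pattern is quoted so the shell cannot expand it in the current
# directory, paths are NUL-delimited, and ZONE=internal is only appended when
# not already present so re-running this snippet does not pile up duplicates.
while IFS= read -r -d '' i; do
  grep -qx 'ZONE=internal' "$i" || echo "ZONE=internal" >> "$i"
done < <(find /etc/sysconfig/network-scripts/ -name 'ifcfg-*.*' -print0)

# restart network so that firewalld automatically assigns the interfaces
systemctl enable firewalld
systemctl start firewalld
systemctl restart network.service

# firewalld
# remove not required services - ATTENTION: if ssh runs on private network then
# switch public and internal in following cmds.
# --list-services prints one space-separated line, so word splitting is intended.
for word in $(firewall-cmd --list-services --zone=public); do
  if [[ "$word" != "ssh" ]]; then
    firewall-cmd --remove-service="$word" --zone=public --permanent
  fi
done
for word in $(firewall-cmd --list-services --zone=internal); do
  firewall-cmd --remove-service="$word" --zone=internal --permanent
done

# assign services
for word in ssh https; do
  firewall-cmd --add-service="$word" --zone=public --permanent
done
for word in tftp dhcp dns; do
  firewall-cmd --add-service="$word" --zone=internal --permanent
done
# UDP/37 is the time-of-day service (presumably queried by the cable modems
# during provisioning); it stays limited to the internal zone.
firewall-cmd --add-port=37/udp --zone=internal --permanent

# this is the port used to access the admin part of NMS Prime - feel free to
# restrict access to some IPs. To get all working we allow connections for the
# complete zone public. To limit it to an admin network instead, replace the
# --add-port line with a rich rule, e.g.:
#   firewall-cmd --zone=public --permanent --add-rich-rule='rule family="ipv4" source address="<ADMIN_NET_CIDR>" port port="8080" protocol="tcp" accept'
firewall-cmd --add-port=8080/tcp --zone=public --permanent

# restart - permanent rules only become active after --reload
firewall-cmd --reload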
- There are two different lists: the active list and the permanent list.
- Use the --permanent flag to work with the permanent list.
- The permanent list only becomes active after the --reload command.
- Only permanent commands generate files under /etc/firewalld/...
Apache
SSL
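#
# SSL
# Self Signed Certificate
#
# -nodes writes the private key unencrypted so httpd can start without a
# passphrase prompt; compensate by creating the key with a restrictive umask and
# keeping the directory root-only (httpd reads the key as root before dropping
# privileges). The certificate itself is public and may stay world-readable.
mkdir -p /etc/httpd/ssl || exit 1
chmod 700 /etc/httpd/ssl
( umask 077 && openssl req -new -x509 -days 365 -nodes \
    -out /etc/httpd/ssl/httpd.pem -keyout /etc/httpd/ssl/httpd.key ) || exit 1
chmod 644 /etc/httpd/ssl/httpd.pem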
Configuration for Laravel Webspace
# Apache vhost for the Laravel webspace. Quoted heredoc: the file body is
# written verbatim, nothing is expanded by the shell.
#
# Notes on the config as written:
# - Alias and <Directory> sit outside the <VirtualHost *:443> block, so /lara is
#   also served by every other vhost, including the default plain-HTTP :80 one.
#   Move them inside the vhost (and redirect :80) to make HTTPS mandatory.
# - SSLProtocol "all -SSLv2 -SSLv3" still permits TLS 1.0/1.1 and the cipher
#   list includes MEDIUM; tighten both once client compatibility is confirmed.
# - AllowOverride all is what lets public/.htaccess (RewriteBase) take effect.
cat > /etc/httpd/conf.d/lara.conf <<'EOF'

<VirtualHost *:443>
SSLEngine On
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!SEED:!IDEA:!RC4
SSLCertificateFile /etc/httpd/ssl/httpd.pem
SSLCertificateKeyFile /etc/httpd/ssl/httpd.key
</VirtualHost>
Alias /lara /var/www/lara/public
<Directory /var/www/lara/public>
AllowOverride all
</Directory>
EOF
# start webserver: enable at boot, then start it now
# (two calls on purpose - "enable --now" needs a newer systemd than CentOS 7 ships)
for action in enable start; do
  systemctl "$action" httpd
done
RewriteBase in Laravel's public/.htaccess must match the Apache configuration (the Alias path).
# add the following line to /var/www/lara/public/.htaccess to change the root directory for the webbrowser
# (must be the same path as the Alias in the Apache config, i.e. the app is reached as /lara/)
RewriteBase /lara/
# disables some functionalities for security purposes (deprecated)
# NOTE(review): safe_mode was removed in PHP 5.4, so this directive is a no-op on
# current PHP. php_flag is only understood by mod_php; with php-fpm an .htaccess
# containing it makes Apache answer 500 ("Invalid command"). Drop the line unless
# mod_php with PHP < 5.4 is actually in use.
php_flag safe_mode off
This is already done in the Git repo and should only be relevant for new projects and perhaps for debugging problems.
TFTP
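# edit tftp config file
# Quoted heredoc so the body is written verbatim. xinetd config comments are
# kept on their own lines. Notes:
# - TFTP has no authentication: everything under /tftpboot is readable by any
#   host that can reach UDP/69, so the firewall zone is the only access control.
# - "user = root" is needed so in.tftpd can chroot into /tftpboot (-s); tftp-hpa
#   then drops to its own unprivileged user (presumably "nobody") - confirm with
#   `man in.tftpd` for the installed version.
# - /usr/sbin/in.tftpd is provided by the tftp-server package (assumed to be
#   pulled in by the install script - verify).
cat > /etc/xinetd.d/tftp <<'EOF' || exit 1

service tftp
{
socket_type = dgram
protocol = udp
wait = yes
user = root
server = /usr/sbin/in.tftpd
# changed root dir
server_args = -s /tftpboot -v
# enable
disable = no
per_source = 11
cps = 100 2
flags = IPv4
}
EOF

# start server (-y for an unattended install, as with the other yum calls)
yum install -y xinetd
systemctl enable xinetd
systemctl start xinetd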
DOCSIS Config File Tool
Requirements
required packages
# requires following packages
# already in install script
# (net-snmp/net-snmp-devel, flex/bison and gcc are needed to build docsis)
packages=(net-snmp net-snmp-devel flex flex-devel bison gcc)
yum install -y "${packages[@]}"
Install from source code
There are two different ways to install – from:
- GIT repo
- wget
1. Install from git repo
This is recommended and allows running the latest stable git version of the docsis tool: see https://github.com/rlaager/docsis.git
Version 0.9.8
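# prepare
yum install -y libtool glib2-devel
cd ~ || exit 1
mkdir -p git

# download
cd git || exit 1
git clone https://github.com/rlaager/docsis.git || exit 1

# install
cd docsis || exit 1
# Supply-chain note: this builds whatever the repository's default branch points
# to at clone time. To build a known release, check out its tag first, e.g.
#   git checkout <RELEASE_TAG>
# Every step is chained so a failing configure/make does not run "make install".
./autogen.sh && ./configure && make && make install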
(2. Install with wget – deprecated)
old version
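# download
# Fetch over HTTPS rather than plain HTTP so the tarball cannot be tampered with
# in transit; additionally compare its checksum with the value published by the
# project before building (sha256sum docsis-0.9.6.tar.bz2).
wget https://sourceforge.net/projects/docsis/files/docsis/docsis-0.9.6/docsis-0.9.6.tar.bz2 || exit 1

# unzip
tar jxf docsis-0.9.6.tar.bz2 || exit 1
cd docsis* || exit 1

# install (chained so a failed configure/make never reaches make install)
./configure && make && sudo make install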
Last steps
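cd /var/www/lara || exit 1

# fill database tables with examples - only useful for testing or development
# (skip both seed steps on a production system; they insert example records)
php artisan db:seed
php artisan module:seed

# Create CM and CPE configfiles
php artisan nms:configfile

# Create dhcp files
php artisan nms:dhcp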
You should now be able to log in to your NMS installation – the initial user is “root” with password “toor” (you should at least change the password NOW!)
TODO
- generic interface configuration (scripts)
/etc/sysconfig/network-scripts/ifcfg-$if