The Perfect Setup - CentOS 4.4 (32-bit) - Page 4

7 Quota

To install quota, we run this command:

yum install quota

Edit /etc/fstab and add ,usrquota,grpquota to the / partition (/dev/VolGroup00/LogVol00):

vi /etc/fstab

# This file is edited by fstab-sync - see 'man fstab-sync' for details
/dev/VolGroup00/LogVol00 /                       ext3    defaults,usrquota,grpquota        1 1
LABEL=/boot             /boot                   ext3    defaults        1 2
none                    /dev/pts                devpts  gid=5,mode=620  0 0
none                    /dev/shm                tmpfs   defaults        0 0
none                    /proc                   proc    defaults        0 0
none                    /sys                    sysfs   defaults        0 0
/dev/VolGroup00/LogVol01 swap                    swap    defaults        0 0
/dev/hdc                /media/cdrom            auto    pamconsole,exec,noauto,managed 0 0
/dev/fd0                /media/floppy           auto    pamconsole,exec,noauto,managed 0 0

Then run

touch /aquota.user /aquota.group
chmod 600 /aquota.*
mount -o remount /
quotacheck -avugm
quotaon -avug

to enable quota.
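A way to confirm that the quota steps took effect, as an added example that is not part of the original tutorial: it checks that the / entry in fstab carries both options and that the two quota files are mode 600. The function names and the optional alternate root directory argument are assumptions made for the example.

```bash
#!/bin/sh
# Added example, not part of the original tutorial. Function names are
# hypothetical; the optional root-directory argument allows checking a copy.

# Print the options field of the fstab entry mounted at $1 (fstab path in $2).
fstab_opts() {
    awk -v mp="$1" '$1 !~ /^#/ && $2 == mp { print $4; exit }' "$2"
}

# Return 0 if the comma-separated option list $1 contains the option $2.
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Return 0 only if the / entry in fstab $1 has both usrquota and grpquota.
root_quota_in_fstab() {
    opts=$(fstab_opts / "$1")
    has_opt "$opts" usrquota && has_opt "$opts" grpquota
}

# Return 0 if $1 is a regular file with mode 600 (read/write for owner only).
is_mode_600() {
    [ -f "$1" ] && [ "$(ls -ld "$1" | cut -c1-10)" = "-rw-------" ]
}

# Check the files the steps above touch under root directory $1 (default /).
# Prints one line per check; returns the number of failed checks.
check_quota_setup() {
    root=${1:-}
    fails=0
    if root_quota_in_fstab "$root/etc/fstab"; then
        echo "ok: / has usrquota,grpquota in fstab"
    else
        echo "FAIL: / lacks usrquota and/or grpquota in fstab"; fails=$((fails+1))
    fi
    for f in aquota.user aquota.group; do
        if is_mode_600 "$root/$f"; then
            echo "ok: /$f is mode 600"
        else
            echo "FAIL: /$f missing or not mode 600"; fails=$((fails+1))
        fi
    done
    return "$fails"
}
# On the server, source this file as root and run: check_quota_setup
```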

 

8 Install A Chrooted DNS Server (BIND9)

To install a chrooted BIND9, we do this:

yum install bind-chroot

Then do this:

chmod 755 /var/named/
chmod 775 /var/named/chroot/
chmod 775 /var/named/chroot/var/
chmod 775 /var/named/chroot/var/named/
chmod 775 /var/named/chroot/var/run/
chmod 777 /var/named/chroot/var/run/named/
cd /var/named/chroot/var/named/
ln -s ../../ chroot
chkconfig --levels 235 named on
/etc/init.d/named start

BIND will run in a chroot jail under /var/named/chroot/var/named/. I will use ISPConfig to configure BIND (zones, etc.).
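To review the result of the chmod steps above, this added example (not part of the original tutorial) prints the permissions of the six directories and marks any that every local user can write to, which after these steps is /var/named/chroot/var/run/named/. The function names and the base-directory argument are assumptions made for the example.

```bash
#!/bin/sh
# Added example, not part of the original tutorial. Function names and the
# base-directory argument are hypothetical.

# Directories the steps above chmod, relative to the named directory.
CHROOT_DIRS=". chroot chroot/var chroot/var/named chroot/var/run chroot/var/run/named"

# Print the ls-style permission string (e.g. drwxrwxr-x) of directory $1.
perm_string() {
    ls -ld "$1" | cut -c1-10
}

# Return 0 if $1 is a directory writable by "other" without the sticky bit,
# i.e. any local account can create, rename and delete entries in it.
open_to_all() {
    [ -n "$(find "$1" -maxdepth 0 -type d -perm -0002 ! -perm -1000)" ]
}

# Print one line per tutorial directory under $1 (default /var/named) and
# mark the world-writable ones. Returns 1 if any directory is marked.
audit_named_dirs() {
    base=${1:-/var/named}
    flagged=0
    for rel in $CHROOT_DIRS; do
        d="$base/$rel"
        [ -d "$d" ] || { echo "missing    $d"; continue; }
        if open_to_all "$d"; then
            echo "$(perm_string "$d") $d  WORLD-WRITABLE"
            flagged=1
        else
            echo "$(perm_string "$d") $d"
        fi
    done
    return "$flagged"
}

# List every such directory anywhere below $1, not only the six above.
# find does not follow the chroot -> ../../ symlink, so the walk terminates.
world_writable_dirs() {
    find "$1" -type d -perm -0002 ! -perm -1000 | sort
}
# On the server, source this file as root and run: audit_named_dirs
```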

 

9 MySQL (4.1)

To install MySQL, we do this:

yum install mysql mysql-devel mysql-server

The MySQL init script on CentOS might cause problems when you try to restart MySQL. In some cases it tries to start MySQL before the old MySQL process has stopped, which leads to a failure. The solution is to edit the restart section of /etc/init.d/mysqld and add a delay of a few seconds between the stop and the start of MySQL.

Edit /etc/init.d/mysqld:

vi /etc/init.d/mysqld

and change this section:

restart(){
    stop
    start
}

so that it looks like this:

restart(){
    stop
    sleep 3
    start
}

This adds a three-second delay between the stop and start of MySQL.

Then we create the system startup links for MySQL (so that MySQL starts automatically whenever the system boots) and start the MySQL server:

chkconfig --levels 235 mysqld on
/etc/init.d/mysqld start

Now check that networking is enabled. Run

netstat -tap

It should show a line like this:

tcp        0      0 *:mysql                     *:*                         LISTEN      2995/mysqld

If it does not, edit /etc/my.cnf and comment out the option skip-networking:

vi /etc/my.cnf

#skip-networking

and restart your MySQL server:

/etc/init.d/mysqld restart
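The two checks above (the netstat line and the skip-networking option) can be read by a script; this added example, not part of the original tutorial, reports where mysqld listens and whether skip-networking is the reason it does not. The function names are assumptions; a local address of *:mysql means the listener accepts connections on every interface.

```bash
#!/bin/sh
# Added example, not part of the original tutorial. Function names are
# hypothetical.

# Return 0 if an uncommented skip-networking option is present in file $1.
skip_networking_active() {
    grep -Eq '^[[:space:]]*skip[-_]networking' "$1"
}

# Read `netstat -tap` output on stdin; print the local address of each
# listening mysqld socket, one per line.
mysqld_listeners() {
    awk '$6 == "LISTEN" && $7 ~ /\/mysqld$/ { print $4 }'
}

# Classify a local address as netstat prints it (host:port).
listen_scope() {
    case "${1%:*}" in
        '*'|0.0.0.0|::) echo all-interfaces ;;
        localhost*|127.*|::1) echo loopback ;;
        *) echo single-address ;;
    esac
}

# $1 = my.cnf path, netstat output on stdin. Prints one line per listener,
# or the reason there is none; returns 1 when mysqld has no TCP listener.
mysql_net_status() {
    addrs=$(mysqld_listeners)
    if [ -z "$addrs" ]; then
        if skip_networking_active "$1"; then
            echo "no listener: skip-networking is active in $1"
        else
            echo "no listener: mysqld is not running or was not restarted"
        fi
        return 1
    fi
    printf '%s\n' "$addrs" | while IFS= read -r a; do
        echo "$a $(listen_scope "$a")"
    done
}

# On the server (as root, so netstat -p can name the process):
#   netstat -tap | mysql_net_status /etc/my.cnf
```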

Run

mysqladmin -u root password yourrootsqlpassword
mysqladmin -h server1.example.com -u root password yourrootsqlpassword

to set a password for the user root (otherwise anybody can access your MySQL database!).


Comments

From: hoihtah at: 2006-10-11 23:53:44

Thank you guys for putting up this well written guide.

Just one question: how do I do this setup with mysql version 5 instead of 4?

From: orentocy at: 2006-10-12 16:09:59

Enable CentOS plus yum repository in your /etc/yum.repos.d/CentOS-Base.repo, then you will be able to upgrade both your mysql and php to version 5.

From: jperrin at: 2006-10-13 00:28:30

Very good tutorial, and very detailed, however one part concerns me. Your rebuild of zlib at the end does not address removing the currently installed zlib, or address the problem of future rpms which may rely on zlib failing because of the one built from source (rpms are rather ignorant about source built software). I would also posit that you cannot rely on the version of zlib to identify that it's vulnerable. Security fixes are backported in centos (and its parent distro, RHEL), so version numbers may be inaccurate. The changelog for the zlib rpm lists several CAN- advisory fixes, so I wonder if the bug you claim is one of these. If it is not, has this been reported to the centos folks, or to the upstream RedHat bugzilla?

 If this bug is not fixed in the RPM as one of the listed CAN changes in the changelog and the rpm does indeed contain vulnerable code, I'd like to see it fixed in the distro, rather than being bolted onto a(n excellent) tutorial.

From: till at: 2006-10-13 14:29:25

I don't think that there is really a bug in the zlib that ships with CentOS; the problem is that the version number doesn't get updated when the fixes were applied.

For example, if you want to compile ClamAV, which is necessary for ISPConfig, ClamAV complains about a bug in zlib and stops compiling. So either the ClamAV team has to add a better zlib detection routine or the CentOS team has to set a higher version number in the zlib library when they apply fixes.

From: jperrin at: 2006-10-13 15:02:42

This is addressed a bit more thoroughly in the post by Johnny Hughes, who is one of the CentOS Project leads, http://www.howtoforge.com/perfect_setup_centos_4.4_p6#comment-3055 What it comes down to is an upstream versioning decision by redhat, which centos inherits as a clone/rebuild product. I would consider this to be a flaw in ClamAV/ISPConfig packaging, and that it should not be advertised as a CentOS vulnerability unless such a problem actually exists.

From: at: 2006-11-04 07:57:58

Hi, I enabled the centosplus section using enabled=1. Now my system is updated with php 5 and mysql 5 with the command


yum update -y 


Enabling the centosplus section: 


vi /etc/yum.repos.d/CentOS-Base.repo
[centosplus]
gpgcheck=1
enabled=1

From: at: 2006-11-07 20:14:43

There is one more thing you need to do. Update the php.conf file:


 cp /etc/httpd/conf.d/php.conf.rpmnew /etc/httpd/conf.d/php.conf


Otherwise, httpd will error out when trying to start.  Or at least it does on mine.  :) 

From: at: 2007-02-13 23:14:51

Hi all,


I found some bugs if the yum CentOS Plus is enabled before starting the ISPconfig  OS  preparation.


If it happens to you, go back to mysql4 and php4, make your ISPconfig prep THEN enable the CentOS plus repo to install Mysql5 and php5.


Now you are ready for ISPconfig install.


Thanks for this perfect howto. Saves a lot of hours. 

From: at: 2007-04-18 02:25:10

First, thanks for an excellent tutorial!

I had serious problems with ntp running the Perfect setup on a Windows host using VMWare GSX server. My clock was constantly running behind and I would use rdate to set the clock but very soon the clock was running behind again.

Googling I found a workaround that worked out well (if running SMP on single core processor):

1. Edit /etc/grub.conf
Add 'noapic nosmp nolapic clock=pit acpi=no' so your grub.conf looks like this:

title CentOS (2.6.9-42.0.10.ELsmp)
        root (hd0,0)
        kernel /vmlinuz-2.6.9-42.0.10.ELsmp ro root=/dev/VolGroup00/LogVol00 noapic nosmp nolapic clock=pit acpi=no
        initrd /initrd-2.6.9-42.0.10.ELsmp.img


2. Edit /etc/ntp.conf
Add 'burst iburst' after your server:

# --- OUR TIMESERVERS -----
server 0.pool.ntp.org burst iburst
server 1.pool.ntp.org burst iburst
server 2.pool.ntp.org burst iburst


This solved all my problems with a slow clock and my time is now on the spot 24/7.

My Windows system:
P4 3 GHz
3.5 GB RAM
VMWare GSX server

From: hughesjr at: 2006-10-13 12:16:39

This is an excellent article ... the only thing I am not sure about is the zlib comment.


The upstream provider uses a process called Backporting


Backporting takes security issues and rolls them into older packages to prevent breaking ABIs that people have based custom programming on.


I have looked at the zlib that you mention at the end of the article and it fixes these security issues:


CAN-2004-0797


CAN-2005-2096


(see the zlib website for more details)


Both of these security issues are fixed in the zlib that is included in CentOS via backporting and I do not recommend that people compile their own zlib unless someone can point out a different issue that is fixed in zlib-1.2.3.


I would even say that installing your own zlib is BAD, as it will put different libraries than the ones used to build the other CentOS executables ... which can cause issues with how these applications function.  We are talking about very system critical applications like openssh, openssl, etc.


Thanks,


Johnny Hughes, CentOS-4 Lead Developer. 


From: at: 2006-11-02 11:07:15

The ISPConfig setup routine includes compiling ClamAV which is the culprit. It checks for a specific zlib version. This check can be skipped by modifying


install_ispconfig/compile_aps/compile


and adding


--disable-zlib-vcheck


to the ClamAV configure script. 

From: Anonymous at: 2009-02-16 07:44:14

yum -y remove ftp vsftpd webmin usermin xinetd php* httpd* proftpd mysql* bind* post*;yum update -y;cd /etc/yum.repos.d/;wget http://centos.karan.org/kbsingh-CentOS-Extras.repo;rpm --import http://centos.karan.org/RPM-GPG-KEY-karan.org.txt;yum -y install proftpd;chkconfig --levels 235 proftpd on;/etc/init.d/proftpd start;wget http://mirror.centos.org/centos/4.6/os/i386/CentOS/RPMS/device-mapper-1.02.21-1.el4.i386.rpm;wget http://mirror.centos.org/centos/4.6/os/i386/CentOS/RPMS/hotplug-2004_04_01-7.8.i386.rpm;wget http://mirror.centos.org/centos/4.6/os/i386/CentOS/RPMS/lvm2-2.02.27-2.el4.i386.rpm;wget http://mirror.centos.org/centos/4.6/os/i386/CentOS/RPMS/hwdata-0.146.33.EL-1.noarch.rpm;wget http://mirror.centos.org/centos/4.6/os/i386/CentOS/RPMS/usbutils-0.11-7.RHEL4.1.i386.rpm;rpm -Uvh *.rpm;rm -r -f *.rpm;wget http://mirror.centos.org/centos/4.6/os/i386/CentOS/RPMS/udev-039-10.19.el4.i386.rpm;rpm -ivh udev*rpm --justdb;yum -y install up2date nano;wget http://download.lxlabs.com/download/lxadmin/production/lxadmin-install-master.sh;yum update -y;nano /etc/pam.d/ftp;

From: Matthew at: 2011-09-25 16:22:06

yum install webalizer

Once you run that... then what? How do you configure it?