en🇬🇧 fr🇫🇷

Traductions disponibles:

en CentOS or Red-Hat best pratices /

Informations sur la page:

Cet article contient 1548 mots.
Comptez 8 minutes de temps de lecture

Bonnes pratiques CentOS et Red Hat

July 3, 2020
CentOS Red-Hat best-pratices

Objectifs

  • Lister les bonnes pratiques d’installation et dĂ©ploiement des systèmes d’exploitation CentOS / Red-Hat

Note
Ces bonnes pratiques ont étées testées sur CentOS 7 and Red-Hat 7.

YUM

Kernels

Supprimer manuellement ou automatiquement les anciens kernels: https://linuxconfig.org/how-to-remove-old-unused-kernels-on-centos-linux

Partitionnement

Principes de partitionnement LVM

Failed to generate image: blockdiag failed: ERROR: 'ImageDraw' object has no attribute 'textsize'

blockdiag {
   default_node_color = grey;
   default_textcolor = white;
   group physical_disk {
     textcolor = white;
     fontsize = 18;
     label = "Physical disk";
     // Set group shape to 'line group' (default is box)
     shape = line;
     orientation = landscape
     DISK1[shape = flowchart.database, label = "/dev/sda1 Type: 8e"];
     DISK2[shape = flowchart.database, label = "/dev/sda2 Type: 8e"];
     DISK3[shape = flowchart.database, label = "/dev/sdb1 Type: 8e"];
     DISK4[shape = flowchart.database, label = "/dev/sdc1 Type: 8e"];
     DISK5[shape = flowchart.database, label = "/dev/sdd1 Type: 8e"];
     DISK6[shape = flowchart.database, label = "/dev/sdd2 Type: 8e"];
    }
     group pv {
     textcolor = white;
     fontsize = 18;
     label = "Physical volume";
     // Set group shape to 'line group' (default is box)
     shape = line;
     orientation = landscape
     PV1[shape = flowchart.database];
     PV2[shape = flowchart.database];
     PV3[shape = flowchart.database];
     PV4[shape = flowchart.database];
     PV5[shape = flowchart.database];
     PV6[shape = flowchart.database];
      }
     group vg1 {
     textcolor = white;
     fontsize = 18;
     label = "Volume Group";
     // Set group shape to 'line group' (default is box)
     shape = line;
     orientation = landscape
     VG1[shape = flowchart.database];
      }
     group vg2 {
     textcolor = white;
     fontsize = 18;
     label = "Volume Group";
     // Set group shape to 'line group' (default is box)
     shape = line;
     orientation = landscape
     VG2[shape = flowchart.database];
      }
    group lv {
    textcolor = white;
    fontsize = 18;
    label = "Logical Volumes";
    // Set group shape to 'line group' (default is box)
    shape = line;
    orientation = landscape
    LV1[shape = flowchart.database];
    LV2[shape = flowchart.database];
    LV3[shape = flowchart.database];
    LV4[shape = flowchart.database];
    LV5[shape = flowchart.database];
    LV6[shape = flowchart.database];
     }
     group fs {
     textcolor = white;
     fontsize = 18;
     label = "File Systems";
     // Set group shape to 'line group' (default is box)
     shape = line;
     orientation = landscape
     FS1[shape = note, label = "FS1 Ext4"];
     FS2[shape = note, label = "FS2 Ext4"];
     FS3[shape = note, label = "FS3 XFS"];
     FS4[shape = note, label = "FS4 XFS"];
     FS5[shape = note, label = "FS5 XFS"];
     FS6[shape = note, label = "FS6 Ext4"];
      }
    DISK1 <- PV1;
    DISK2 <- PV2;
    DISK3 <- PV3;
    DISK4 <- PV4;
    DISK5 <- PV5;
    DISK6 <- PV6;
    PV1 -> VG1;
    PV2 -> VG1;
    PV3 -> VG2;
    PV4 -> VG2;
    PV5 -> VG2;
    PV6 -> VG2;
    VG1 -> LV1;
    VG1 -> LV2;
    VG2 -> LV3;
    VG2 -> LV4;
    VG2 -> LV5;
    VG2 -> LV6;
    LV1 -> FS1;
    LV2 -> FS2;
    LV3 -> FS3;
    LV4 -> FS4;
    LV5 -> FS5;
    LV6 -> FS6;
}

Le partitionnement correct de votre système est dépendant de l’utilisation que vous en ferez et des spécificités des services qui y seront déployés. Il faut prévoir dans tous les cas le partitionnement minimum suivant:

  • / =⇒ 2048 Mio voire moins (LVM et FS formattĂ© en XFS ou EXT4)

  • /usr =⇒ 4096 Mio (LVM et FS formattĂ© en XFS ou EXT4)

  • /var =⇒ 2048 Ă  4096 Mio (LVM et FS formattĂ© en XFS ou EXT4)

  • /tmp =⇒ 512 Ă  2048 Mio (LVM et FS formattĂ© en XFS ou EXT4)

  • /boot =⇒ 512 Ă  1024 Mio en (LVM et FS formattĂ© en XFS ou EXT4)

RĂ©seau

Serveur de temps NTP

Lors de l’installation de l’OS vous avez du spécifier le fuseau horaire. S’il n’est pas correct ou si vous souhaitez connaitre la valeur actuelle, saisissez la commande suivante:

Valeur actuelle

[root@test-server:] # timedatectl
[root@test-server:] # timedatectl
      Local time: Mon 2020-07-06 16:08:16 CEST
  Universal time: Mon 2020-07-06 14:08:16 UTC
        RTC time: Mon 2020-07-06 14:08:16
       Time zone: Europe/Paris (CEST, +0200)
     NTP enabled: yes
NTP synchronized: yes
 RTC in local TZ: no
      DST active: yes
 Last DST change: DST began at
                  Sun 2020-03-29 01:59:59 CET
                  Sun 2020-03-29 03:00:00 CEST
 Next DST change: DST ends (the clock jumps one hour backwards) at
                  Sun 2020-10-25 02:59:59 CEST
                  Sun 2020-10-25 02:00:00 CET
[root@test-server:] #

Modification du fuseau horaire

[root@test-server:] # sudo imedatectl set-timezone Europe/Paris

VĂ©rifiez le changement de fuseau horaire

[root@test-server:] # timedatectl
      Local time: Mon 2020-07-06 16:08:16 CEST
  Universal time: Mon 2020-07-06 14:08:16 UTC
        RTC time: Mon 2020-07-06 14:08:16
       Time zone: Europe/Paris (CEST, +0200)
     NTP enabled: yes
NTP synchronized: yes
 RTC in local TZ: no
      DST active: yes
 Last DST change: DST began at
                  Sun 2020-03-29 01:59:59 CET
                  Sun 2020-03-29 03:00:00 CEST
 Next DST change: DST ends (the clock jumps one hour backwards) at
                  Sun 2020-10-25 02:59:59 CEST
                  Sun 2020-10-25 02:00:00 CET
[root@test-server:] #

DĂ©sactivation IPV6

[root@test-server:] echo "net.ipv6.conf.all.disable_ipv6 = 1" > /etc/sysctl.d/01-disable_IPV6.conf
[root@test-server:] echo "net.ipv6.conf.default.disable_ipv6 = 1" >> /etc/sysctl.d/01-disable_IPV6.conf
[root@test-server:] sysctl -p
[root@test-server:] echo "AddressFamily inet" >> /etc/ssh/sshd_config
[root@test-server:] service sshd restart

DĂ©sactivation NetworkManager

Network Manager est installé et actif par défaut. Vous pouvez controlez la configuration réseau en gérant les fichiers de configuration sous /etc/sysconfig/network-scripts.

[root@test-server:] systemctl disable NetworkManager
[root@test-server:] systemctl stop NetworkManager

Corrélation carte réseau et adresse MAC

Cette commande vous permettra d’afficher pour chaque carte réseau physique, son adresse MAC.

[root@test-server:] for i in $(find /sys/class/net/* -not -lname "*virtual*" | sed -e "s/\// /g" | awk '{print $4}' ); do MAC=$(cat /sys/class/net/$i/address);echo $i: $MAC; done

Retour affiché de la commande: (Machine virtuelle avec 4 cartes réseau):

enp0s10: 08:00:27:34:a7:5b
enp0s3: 08:00:27:22:1d:03
enp0s8: 08:00:27:35:a8:74
enp0s9: 08:00:27:66:62:47

Rennomage carte réseau physique enpXsY vers ethX

Script tout en un:

Warning
Sauvegardez vos fichiers de configuration réseau.
[root@test-server:] inc="0";for i in $(find /sys/class/net/* -not -lname "*virtual*" | \
sed -e "s/\// /g" | \
awk '{print $4}' ); do inc=$((inc+1));\
MAC=$(cat /sys/class/net/$i/address) ; \
rm -f /etc/sysconfig/network-scripts/ifcfg-eth$inc;\
echo "HWADDR=$MAC" >> /etc/sysconfig/network-scripts/ifcfg-eth$inc ;\
cat /etc/sysconfig/network-scripts/ifcfg-$i >> /etc/sysconfig/network-scripts/ifcfg-eth$inc; \
sed -i "s/$i/eth$inc/g" /etc/sysconfig/network-scripts/ifcfg-eth$inc ;\
mv /etc/sysconfig/network-scripts/ifcfg-$i /etc/sysconfig/network-scripts/ifcfg-$i.old.bkp;\
done

Script de création de Team (Serveurs Physique):

Script tout en un:

Warning
Sauvegardez vos fichiers de configuration réseau.
[root@test-server:] inc="0";for i in $(find /sys/class/net/* -not -lname "*virtual*" | \
sed -e "s/\// /g" | \
awk '{print $4}' ); do inc=$((inc+1));\
MAC=$(cat /sys/class/net/$i/address) ; \
rm -f /etc/sysconfig/network-scripts/ifcfg-eth$inc;\
echo "HWADDR=$MAC" >> /etc/sysconfig/network-scripts/ifcfg-eth$inc ;\
echo "DEVICE=eth$inc" >> /etc/sysconfig/network-scripts/ifcfg-eth$inc ;\
echo "NAME=eth$inc" >> /etc/sysconfig/network-scripts/ifcfg-eth$inc ;\
echo "DEVICETYPE=TeamPort" >> /etc/sysconfig/network-scripts/ifcfg-eth$inc ;\
echo "ONBOOT=yes" >> /etc/sysconfig/network-scripts/ifcfg-eth$inc ;\
echo "TEAM_MASTER=team0" >> /etc/sysconfig/network-scripts/ifcfg-eth$inc ;\
echo "NM_CONTROLLED=no" >> /etc/sysconfig/network-scripts/ifcfg-eth$inc ;\
done;\
rm -f /etc/sysconfig/network-scripts/ifcfg-team0;\
echo "DEVICE=team0" >> /etc/sysconfig/network-scripts/ifcfg-team0 ;\
echo "DEVICETYPE=Team" >> /etc/sysconfig/network-scripts/ifcfg-team0 ;\
echo "ONBOOT=yes" >> /etc/sysconfig/network-scripts/ifcfg-team0 ;\
echo "BOOTPROTO=none" >> /etc/sysconfig/network-scripts/ifcfg-team0 ;\
echo "NM_CONTROLLED=no" >> /etc/sysconfig/network-scripts/ifcfg-team0 ;\
echo "IPADDR=10.99.0.51" >> /etc/sysconfig/network-scripts/ifcfg-team0 ;\
echo "GATEWAY=10.99.2.254" >> /etc/sysconfig/network-scripts/ifcfg-team0 ;\
echo "PREFIX=16" >> /etc/sysconfig/network-scripts/ifcfg-team0 ;\
echo "TEAM_CONFIG='{\"runner\": {\"name\": \"loadbalance\"}, \"link_watch\": {\"name\": \"ethtool\"} }'" >> /etc/sysconfig/network-scripts/ifcfg-team0 ;\
ifup team0;

Script de création de Team (Serveurs Virtuels):

Pour les machines virtuelles il est nécessaire de procéder à un petit hack afin de permettre un bon fonctionnement du balancing des cartes réseau dans la team. Par ce que le mode promiscuité n’est pas géré depuis CentOS / RedHat 7 il faudra également ajouter un service systemd pour prise en compte à chaque redémarrage. Pour VirtualBox par exemple, configurez tel que le screenshot ci-dessous:

Best Pratices CentOS RedHat d690f

Script tout en un:

Warning
Sauvegardez vos fichiers de configuration réseau.
[root@test-server:] inc="0";for i in $(find /sys/class/net/* -not -lname "*virtual*" | \
sed -e "s/\// /g" | \
awk '{print $4}' ); do inc=$((inc+1));\
MAC=$(cat /sys/class/net/$i/address) ; \
rm -f /etc/sysconfig/network-scripts/ifcfg-eth$inc;\
echo "HWADDR=$MAC" >> /etc/sysconfig/network-scripts/ifcfg-eth$inc ;\
echo "DEVICE=eth$inc" >> /etc/sysconfig/network-scripts/ifcfg-eth$inc ;\
echo "NAME=eth$inc" >> /etc/sysconfig/network-scripts/ifcfg-eth$inc ;\
echo "DEVICETYPE=TeamPort" >> /etc/sysconfig/network-scripts/ifcfg-eth$inc ;\
echo "ONBOOT=yes" >> /etc/sysconfig/network-scripts/ifcfg-eth$inc ;\
echo "PROMISC=yes" >> /etc/sysconfig/network-scripts/ifcfg-eth$inc ;\
echo "TEAM_MASTER=team0" >> /etc/sysconfig/network-scripts/ifcfg-eth$inc ;\
echo "NM_CONTROLLED=no" >> /etc/sysconfig/network-scripts/ifcfg-eth$inc ;\
done;\
rm -f /etc/sysconfig/network-scripts/ifcfg-team0;\
echo "DEVICE=team0" >> /etc/sysconfig/network-scripts/ifcfg-team0 ;\
echo "DEVICETYPE=Team" >> /etc/sysconfig/network-scripts/ifcfg-team0 ;\
echo "ONBOOT=yes" >> /etc/sysconfig/network-scripts/ifcfg-team0 ;\
echo "BOOTPROTO=none" >> /etc/sysconfig/network-scripts/ifcfg-team0 ;\
echo "NM_CONTROLLED=no" >> /etc/sysconfig/network-scripts/ifcfg-team0 ;\
echo "IPADDR=192.168.1.120" >> /etc/sysconfig/network-scripts/ifcfg-team0 ;\
echo "GATEWAY=192.168.1.254" >> /etc/sysconfig/network-scripts/ifcfg-team0 ;\
echo "PREFIX=24" >> /etc/sysconfig/network-scripts/ifcfg-team0 ;\
echo "TEAM_CONFIG='{\"runner\": {\"name\": \"loadbalance\"}, \"link_watch\": {\"name\": \"ethtool\"} }'" >> /etc/sysconfig/network-scripts/ifcfg-team0 ;\
ifup team0;

Création du service promisc systemd

[root@test-server:] inc="0";echo "[Unit]" > /etc/systemd/system/promisc.service ;\
echo "Description=Makes an interface run in promiscuous mode at boot" >> /etc/systemd/system/promisc.service ;\
echo "After=network.target"  >> /etc/systemd/system/promisc.service ;\
echo "[Service]"  >> /etc/systemd/system/promisc.service ;\
echo "Type=oneshot" >> /etc/systemd/system/promisc.service ;\
echo "TimeoutStartSec=0" >> /etc/systemd/system/promisc.service ;\
echo "RemainAfterExit=yes" >> /etc/systemd/system/promisc.service ;\
for i in $(find /sys/class/net/* -not -lname "*virtual*" | \
sed -e "s/\// /g" | \
awk '{print $4}' ); do inc=$((inc+1));\
echo "ExecStart=/usr/sbin/ip link set dev eth$inc promisc on" >> /etc/systemd/system/promisc.service ;\
done;\
echo "[Install]" >> /etc/systemd/system/promisc.service ;\
echo "WantedBy=default.target" >> /etc/systemd/system/promisc.service ;\
systemctl daemon-reload;\
systemctl enable promisc;\
systemctl start promisc

La configuration réseu des cartes devrait mainetanir contenir le statut "PROMISC" (même après un redémarrage du serveur):

[root@test-server:] # ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: eth1: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master team0 state UP group default qlen 1000
    link/ether 08:00:27:22:1d:03 brd ff:ff:ff:ff:ff:ff
3: eth2: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master team0 state UP group default qlen 1000
    link/ether 08:00:27:22:1d:03 brd ff:ff:ff:ff:ff:ff
4: eth3: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master team0 state UP group default qlen 1000
    link/ether 08:00:27:22:1d:03 brd ff:ff:ff:ff:ff:ff
5: eth4: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master team0 state UP group default qlen 1000
    link/ether 08:00:27:22:1d:03 brd ff:ff:ff:ff:ff:ff
6: team0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 08:00:27:22:1d:03 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.120/24 brd 192.168.1.255 scope global team0
       valid_lft forever preferred_lft forever

Auteur:

Vincent Gourrierec