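CentOS7 still seems to have some time left,
but I built the environment on RockyLinux instead.
These are the settings applied after installing RockyLinux.
If you are starting from the installation, see here ↓
Building a development environment with VMware + CentOS7 - 1. Installation
Disabling SELinux
Check whether SELinux is disabled
# getenforce
Disabled
If it is not disabled, disable it
# getenforce
Enforcing
# setenforce 0
# getenforce
Permissive
# vi /etc/sysconfig/selinux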
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of these three values:
# targeted - Targeted processes are protected,
# minimum - Modification of targeted policy. Only selected processes are protected.
# mls - Multi Level Security protection.
SELINUXTYPE=targeted
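Enforcing | SELinux enabled |
Permissive | Policy not enforced. Access that violates the policy is allowed, and a warning is logged instead |
Disabled | SELinux disabled |
Managing users who can become root
Add hogehoge, a user allowed to become root, to wheel
# usermod -aG wheel hogehoge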
#%PAM-1.0
auth required pam_env.so
auth sufficient pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth sufficient pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
auth required pam_wheel.so use_uid ← comment marker removed
auth substack system-auth
auth include postlogin
account sufficient pam_succeed_if.so uid = 0 use_uid quiet
account include system-auth
password include system-auth
session include system-auth
session include postlogin
session optional pam_xauth.so
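A check for the edit above, added here as an example and not part of the original post: it reports whether the `pam_wheel.so` requirement is active, whether the passwordless `trust` line has been enabled by mistake, and who is in wheel. It assumes the listing above is /etc/pam.d/su; the function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post). Assumption: the PAM listing on
# this page is /etc/pam.d/su, which is where these lines live on Rocky Linux 8.
su_wheel_status() {   # $1 = PAM su file, $2 = group file
    awk '
        /^[ \t]*#/ { next }                       # commented-out rules are inactive
        $1 == "auth" && $3 ~ /(^|\/)pam_wheel\.so$/ {
            if ($2 == "required") req = 1         # su is limited to wheel members
            if ($2 == "sufficient" && $0 ~ /[ \t]trust([ \t]|$)/) trust = 1   # su without a password
        }
        END {
            print "wheel_required=" (req ? "yes" : "no")
            print "wheel_trusted=" (trust ? "yes" : "no")
        }' "${1:-/etc/pam.d/su}"
    awk -F: '$1 == "wheel" { print "wheel_members=" $4 }' "${2:-/etc/group}"
}

# Constructed sample files: the su stack before and after the edit, and a group file.
make_su_sample() {   # $1 = empty directory to populate
    printf '%s\n' '#%PAM-1.0' 'auth required pam_env.so' 'auth sufficient pam_rootok.so' \
        '#auth sufficient pam_wheel.so trust use_uid' \
        '#auth required pam_wheel.so use_uid' 'auth substack system-auth' > "$1/su.before"
    sed 's/^#\(auth required pam_wheel\.so\)/\1/' "$1/su.before" > "$1/su.after"
    printf '%s\n' 'root:x:0:' 'wheel:x:10:hogehoge' 'hogehoge:x:1000:' > "$1/group"
}

d=$(mktemp -d); make_su_sample "$d"
echo "before:"; su_wheel_status "$d/su.before" "$d/group"
echo "after:";  su_wheel_status "$d/su.after" "$d/group"
rm -rf "$d"
```

This rule only governs `su`; what wheel members may do through sudo is controlled separately by sudoers.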
Receiving mail addressed to root as a regular user
Forward mail for root to hogehoge
# sed -i '/^root:/d' /etc/aliases
# echo "root: hogehoge" >> /etc/aliases
# newaliases
# newaliases
-bash: newaliases: command not found
If this appears, Postfix is not installed yet, so run newaliases after installing it.
# newaliases
newaliases: fatal: parameter inet_interfaces: no local interface found for ::1
If this appears, Postfix is not running, so start it first.
Pointing the dnf repositories at a server in Japan
Edit the AppStream repository file
# vi /etc/yum.repos.d/Rocky-AppStream.repo
[appstream]
name=Rocky Linux $releasever - AppStream
#mirrorlist=https://mirrors.rockylinux.org/mirrorlist?arch=$basearch&repo=AppStream-$releasever
#baseurl=http://dl.rockylinux.org/$contentdir/$releasever/AppStream/$basearch/os/
baseurl=https://ftp.riken.jp/Linux/rocky/$releasever/AppStream/$basearch/os/
gpgcheck=1
enabled=1
countme=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-rockyofficial
Edit the BaseOS repository file
# vi /etc/yum.repos.d/Rocky-BaseOS.repo
[baseos]
name=Rocky Linux $releasever - BaseOS
#mirrorlist=https://mirrors.rockylinux.org/mirrorlist?arch=$basearch&repo=BaseOS-$releasever
#baseurl=http://dl.rockylinux.org/$contentdir/$releasever/BaseOS/$basearch/os/
baseurl=https://ftp.riken.jp/Linux/rocky/$releasever/BaseOS/$basearch/os/
gpgcheck=1
enabled=1
countme=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-rockyofficial
Edit the Extras repository file
# vi /etc/yum.repos.d/Rocky-Extras.repo
[extras]
name=Rocky Linux $releasever - Extras
#mirrorlist=https://mirrors.rockylinux.org/mirrorlist?arch=$basearch&repo=extras-$releasever
#baseurl=http://dl.rockylinux.org/$contentdir/$releasever/extras/$basearch/os/
baseurl=https://ftp.riken.jp/Linux/rocky/$releasever/extras/$basearch/os/
gpgcheck=1
enabled=1
countme=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-rockyofficial
Check which repositories are enabled
# grep 'enabled=1' /etc/yum.repos.d/*
/etc/yum.repos.d/Rocky-AppStream.repo:enabled=1
/etc/yum.repos.d/Rocky-BaseOS.repo:enabled=1
/etc/yum.repos.d/Rocky-Extras.repo:enabled=1
Adding the epel repository
Install epel-release
# dnf -y install epel-release
Edit the repository file
# vi /etc/yum.repos.d/epel.repo
[epel]
name=Extra Packages for Enterprise Linux $releasever - $basearch
# It is much more secure to use the metalink, but if you wish to use a local mirror
# place its address here.
#baseurl=https://download.example/pub/epel/$releasever/Everything/$basearch
metalink=https://mirrors.fedoraproject.org/metalink?repo=epel-$releasever&arch=$basearch&infra=$infra&content=$contentdir
enabled=1
priority=10
gpgcheck=1
countme=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-8
Adding the elrepo repository
Install elrepo-release
# dnf -y install elrepo-release
Edit the repository file
# vi /etc/yum.repos.d/elrepo.repo
[elrepo]
name=ELRepo.org Community Enterprise Linux Repository - el8
baseurl=http://elrepo.org/linux/elrepo/el8/$basearch/
	http://mirrors.coreix.net/elrepo/elrepo/el8/$basearch/
	http://mirror.rackspace.com/elrepo/elrepo/el8/$basearch/
	http://linux-mirrors.fnal.gov/linux/elrepo/elrepo/el8/$basearch/
mirrorlist=http://mirrors.elrepo.org/mirrors-elrepo.el8
enabled=1
priority=10
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-elrepo.org
Adding the remi repository
Check the RockyLinux version
# cat /etc/redhat-release
Rocky Linux release 8.5 (Green Obsidian)
Install remi-release
# dnf -y install https://rpms.remirepo.net/enterprise/remi-release-8.5.rpm
Note: use the rpm that matches your own environment.
Edit the repository file
# vi /etc/yum.repos.d/remi-safe.repo
[remi-safe]
name=Safe Remi's RPM repository for Enterprise Linux 8 - $basearch
#baseurl=http://rpms.remirepo.net/enterprise/8/safe/$basearch/
#mirrorlist=https://rpms.remirepo.net/enterprise/8/safe/$basearch/httpsmirror
mirrorlist=http://cdn.remirepo.net/enterprise/8/safe/$basearch/mirror
enabled=1
priority=10
gpgcheck=1
repo_gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-remi.el8
# vi /etc/yum.repos.d/remi-modular.repo
[remi-modular]
name=Remi's Modular repository for Enterprise Linux 8 - $basearch
#baseurl=http://rpms.remirepo.net/enterprise/8/modular/$basearch/
#mirrorlist=https://rpms.remirepo.net/enterprise/8/modular/$basearch/httpsmirror
mirrorlist=http://cdn.remirepo.net/enterprise/8/modular/$basearch/mirror
enabled=1
priority=10
gpgcheck=1
repo_gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-remi.el8
Check which repositories are enabled
# grep 'enabled=1' /etc/yum.repos.d/*
/etc/yum.repos.d/elrepo.repo:enabled=1
/etc/yum.repos.d/epel-modular.repo:enabled=1
/etc/yum.repos.d/epel.repo:enabled=1
/etc/yum.repos.d/remi-modular.repo:enabled=1
/etc/yum.repos.d/remi-safe.repo:enabled=1
/etc/yum.repos.d/Rocky-AppStream.repo:enabled=1
/etc/yum.repos.d/Rocky-BaseOS.repo:enabled=1
/etc/yum.repos.d/Rocky-Extras.repo:enabled=1
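The `grep 'enabled=1'` check shows which repositories are on, but not how each one is verified. The script below is an added example, not part of the original post: for every enabled section it reports `gpgcheck`, `repo_gpgcheck` and whether any active URL is plain http, which covers the repository edits made in the sections above. The function names, verdict words and sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): list each enabled repo section
# with its signature settings and whether any of its URLs uses plain http.
audit_repos() {   # $1 = directory holding *.repo files
    for f in "${1:-/etc/yum.repos.d}"/*.repo; do
        [ -f "$f" ] || continue
        awk -v file="${f##*/}" '
        function on(x) { return tolower(x) ~ /^(1|yes|true|on)$/ }
        function report(  v) {
            if (sec == "" || !on(enabled)) return
            v = "ok"
            if (http == "yes" && !on(rgpg)) v = "review"     # unsigned metadata over http
            if (!on(gpg)) v = (gpg == "unset") ? "review" : "FAIL"   # unset: inherited from [main]
            printf "%s [%s] gpgcheck=%s repo_gpgcheck=%s plain_http=%s %s\n",
                   file, sec, gpg, rgpg, http, v
        }
        /^[ \t]*[#;]/ || /^[ \t]*$/ { next }                 # comments and blank lines
        /^\[/ { report(); sec = substr($0, 2, index($0, "]") - 2)
                enabled = "1"; gpg = rgpg = "unset"; http = "no"; key = ""; next }
        {
            if ($0 ~ /^[ \t]/) val = $0                      # continuation of previous key
            else {
                eq = index($0, "="); if (eq == 0) next
                key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
                gsub(/[ \t]/, "", key)
            }
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == "enabled") enabled = val
            else if (key == "gpgcheck") gpg = val
            else if (key == "repo_gpgcheck") rgpg = val
            else if (key ~ /^(baseurl|mirrorlist|metalink)$/ && val ~ /^http:/) http = "yes"
        }
        END { report() }' "$f"
    done
}
# Constructed sample input modelled on the repo files shown on this page.
make_sample() {   # $1 = empty directory to populate
    printf '%s\n' '[baseos]' 'baseurl=https://ftp.riken.jp/Linux/rocky/$releasever/BaseOS/$basearch/os/' \
        'gpgcheck=1' 'enabled=1' > "$1/Rocky-BaseOS.repo"
    printf '%s\n' '[elrepo]' 'baseurl=http://elrepo.org/linux/elrepo/el8/$basearch/' \
        '    http://mirrors.coreix.net/elrepo/elrepo/el8/$basearch/' \
        'mirrorlist=http://mirrors.elrepo.org/mirrors-elrepo.el8' 'enabled=1' 'gpgcheck=1' > "$1/elrepo.repo"
    printf '%s\n' '[remi-safe]' '#baseurl=http://rpms.remirepo.net/enterprise/8/safe/$basearch/' \
        'mirrorlist=http://cdn.remirepo.net/enterprise/8/safe/$basearch/mirror' 'enabled=1' 'gpgcheck=1' \
        'repo_gpgcheck=1' '[remi-test]' 'enabled=0' 'gpgcheck=0' > "$1/remi.repo"
}
d=$(mktemp -d); make_sample "$d"; audit_repos "$d"; rm -rf "$d"
```

A `review` verdict on an http repository means packages are still signature-checked through `gpgcheck=1`, but the repository metadata is fetched without authentication.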
Update to the latest packages
# dnf -y upgrade
Other initial settings
Setting the host name
# hostnamectl set-hostname kowloonet.net
Automatic updates
# dnf -y install dnf-automatic
# systemctl start dnf-automatic.timer
# systemctl enable dnf-automatic.timer
Installing development tools
# dnf -y groupinstall base "Development tools"
Switching the console to Japanese
# dnf -y install langpacks-ja glibc-langpack-ja
# localectl set-locale LANG=ja_JP.UTF-8
vim settings
# echo "alias vi='vim'" >> /etc/profile
# source /etc/profile
# vi /etc/vimrc
Add the following
set tabstop=2
set expandtab
set shiftwidth=2
set list
set whichwrap=b,s,[,],<,>
Creating a symbolic link for Perl
# ln -s /usr/bin/perl /usr/local/bin/perl
Stopping unnecessary services
List of services
# systemctl list-units --type service
UNIT LOAD ACTIVE SUB DESCRIPTION
auditd.service loaded active running Security Auditing Service
chronyd.service loaded active running NTP client/server
crond.service loaded active running Command Scheduler
dbus.service loaded active running D-Bus System Message Bus
dovecot.service loaded active running Dovecot IMAP/POP3 email server
dracut-shutdown.service loaded active exited Restore /run/initramfs on shutdown
firewalld.service loaded active running firewalld - dynamic firewall daemon
getty@tty1.service loaded active running Getty on tty1
httpd.service loaded active running The Apache HTTP Server
import-state.service loaded active exited Import network configuration from initramfs
irqbalance.service loaded active running irqbalance daemon
kmod-static-nodes.service loaded active exited Create list of required static device nodes for the curre>
ldconfig.service loaded active exited Rebuild Dynamic Linker Cache
lvm2-monitor.service loaded active exited Monitoring of LVM2 mirrors, snapshots etc. using dmeventd>
mailman.service loaded active running GNU Mailing List Manager
NetworkManager-wait-online.service loaded active exited Network Manager Wait Online
NetworkManager.service loaded active running Network Manager
nis-domainname.service loaded active exited Read and set NIS domainname from /etc/sysconfig/network
polkit.service loaded active running Authorization Manager
postfix.service loaded active running Postfix Mail Transport Agent
rsyslog.service loaded active running System Logging Service
saslauthd.service loaded active running SASL authentication daemon.
selinux-autorelabel-mark.service loaded active exited Mark the need to relabel after reboot
serial-getty@ttyS0.service loaded active running Serial Getty on ttyS0
sshd.service loaded active running OpenSSH server daemon
sssd.service loaded active running System Security Services Daemon
systemd-fsck-root.service loaded active exited File System Check on Root Device
systemd-hwdb-update.service loaded active exited Rebuild Hardware Database
systemd-journal-catalog-update.service loaded active exited Rebuild Journal Catalog
systemd-journal-flush.service loaded active exited Flush Journal to Persistent Storage
systemd-journald.service loaded active running Journal Service
systemd-logind.service loaded active running Login Service
systemd-random-seed.service loaded active exited Load/Save Random Seed
systemd-remount-fs.service loaded active exited Remount Root and Kernel File Systems
systemd-sysctl.service loaded active exited Apply Kernel Variables
systemd-sysusers.service loaded active exited Create System Users
systemd-tmpfiles-setup-dev.service loaded active exited Create Static Device Nodes in /dev
systemd-tmpfiles-setup.service loaded active exited Create Volatile Files and Directories
systemd-udev-trigger.service loaded active exited udev Coldplug all Devices
systemd-udevd.service loaded active running udev Kernel Device Manager
systemd-update-done.service loaded active exited Update is Completed
systemd-update-utmp.service loaded active exited Update UTMP about System Boot/Shutdown
systemd-user-sessions.service loaded active exited Permit User Sessions
tuned.service loaded active running Dynamic System Tuning Daemon
user-runtime-dir@0.service loaded active exited User runtime directory /run/user/0
user-runtime-dir@1000.service loaded active exited User runtime directory /run/user/1000
user@0.service loaded active running User Manager for UID 0
user@1000.service loaded active running User Manager for UID 1000
vsftpd.service loaded active running Vsftpd ftp daemon

LOAD = Reflects whether the unit definition was properly loaded.
ACTIVE = The high-level unit activation state, i.e. generalization of SUB.
SUB = The low-level unit activation state, values depend on unit type.

49 loaded units listed. Pass --all to see loaded but inactive units, too.
To show all installed unit files use 'systemctl list-unit-files'.
postfix, dovecot, httpd, sshd, vsftpd and mailman are already installed.
Which services are unnecessary? I will leave that for later.