maintenance:general:installing_netyce_on_rhel7

maintenance:general:installing_netyce_on_rhel7 [2019/11/22 14:31]
jbosch
maintenance:general:installing_netyce_on_rhel7 [2019/11/27 16:41] (current)
yspeerte [Vsftpd]
Line 1: Line 1:
 +===== Installation NetYCE on RHEL 7 =====
  
 +This installation guide installs NetYCE version 7.x on a Redhat 7 or Centos 7 physical or virtual x86_64 platform.
 +
 +References to EL or RHEL refer to RedHat Enterprise Linux or CentOS Linux. All OS versions and packages are required to use the x86_64 architecture,​ that is x86 processors running 64-bit. The installation applies to both physical and virtual platform deployments.
 +
 +==== Introduction ====
 +
 +The choice of operating system (Redhat or CentOS), disk filesystem layout, installed packages, and security hardening are mostly defined by the customers common practice. NetYCE does have some requirements on disk-usage and directory-trees that may warrant filesystem allocations,​ and we do rely on a specific functional user, yce that requires some sudo permissions.
 +
 +A basic set of packages should be installed which will later be amended by specific NetYCE software. The basic OS installation can easily be realized by the customer, but we recommend the NetYCE software installation and configuration to be a joint effort.
 +
 +During the first install of the NetYCE software packages, the configuration preferences and details of the NetYCE system and its architecture will be defined and initialized. Subsequent software upgrades and patches can be installed by the application manager using the NetYCE front-end without requiring system privileges. Only on some major upgrades will those be required.
 +
 +The NetYCE software installation consists of two self-installing packages, YCE and YCEperl, a sample database and a license file. The installation depends on MariaDB (mysql server), apache (http server), fping and some standard distribution packages (openssl, tftp, ftp, ssh, telnet, gtar, etc). Mysecureshell is a non standard distribution package we use for sftp jail functionality.
 +
 +==== System specification ====
 +
 +The hardware requirements of NetYCE are moderate by itself although much depends on the intended level of use and the application architecture selected.
 +
 +In general we suggest to deploy two NetYCE servers in different data centers attached to Network Management (NMS) networks. These systems will provide both front-end (user and network facing) functions AND a database function. These functions can be configured to provide live failover and backup services by means of master-master replication. The front-end functions support 10-20 simultaneous users and can execute several thousand config changes per hour.
 +
 +For such deployments a physical or virtual x86 server needs to have at least two CPU cores and 4 GB of memory, but 4 cores and 8 GB memory is recommended.
 +
 +Disk space can be local or SAN based and should not exceed 50 GB. This disk space is allotted to a single filesystem or split across several, depending on system management preferences.
 +
 +The NetYCE directory structure uses several trees for various functions. Assigning the mysql, shared and working/​logs trees individual filesystems is recommended.
 +
 +<​code>​
 +/ - 3 to 6 GB (OS root, bin, usr, lib, opt, etc)
 +/opt/yce - 100 MB
 +/opt/nms - 100 MB
 +/opt/ycelib - 500 MB
 +/​var/​opt/​yce - 3 to 6 GB (logs and working data)
 +/​var/​opt/​shared - 6 to 12 GB (tftp, os-files)
 +/​var/​opt/​mysql -  4 to 8 GB (mysql data)
 +</​code>​
 +
 +==== Verifications and preparations ====
 +
 +=== SElinux ===
 +
 +verify SELinux is not active:​\\ ​
 +''​$ cat /​etc/​selinux/​config''​\\ ​
 +=> preferred SELINUX=disabled\\ ​
 +=> workable SELINUX=permissive\\ ​
 +
 +In case it's set to enforcing, edit /​etc/​selinux/​config
 +
 +change SELINUX=enforcing to SELINUX=disabled and reboot the VM otherwise it doesnt take effect.
 +
 +Make sure to have a hostname set, and check the output of the commands below
 +
 +=== Hostname ===
 +
 +<​code>​
 +hostnamectl set-hostname rhel7.netyce.org
 +</​code>​
 +
 +<​code>​
 +[root@localhost ~]# uname -i
 +x86_64
 +</​code>​
 +
 +verify ip settings:​\\ ​
 +''​$ hostname''​\\ ​
 +=> hostname (pref not fqdn)\\ ​
 +''​$ hostname %%--%%domain''​\\ ​
 +=>  domain name\\ ​
 +''​$ hostname %%--%%ip-address''​\\ ​
 +=> one (1) ip-address of the local interface\\ ​
 +correct using '​setup'​\\ ​
 +correct in /​etc/​hosts\\ ​
 +
 +=== DNS ===
 +
 +verify dns is configured:​\\ ​
 +- update ''/​etc/​resolv.conf''​ is needed\\ ​
 +- test using ''​nslookup''​ of a device (in case of installing on a minimal installation,​ you'll need to install bind-utils first using yum)\\ ​
 +- check search path and domain\\ ​
 +
 +=== Openssl ===
 +
 +verify openssl is installed:​\\ ​
 +''​$ openssl''​\\ ​
 +=> must start, then type '​quit'​
 +
 +=== Rpm ===
 +
 +verify rpm is functional:​\\ ​
 +- e.g. ''#​ rpm -v''​
 +
 +=== Valid release ===
 +
 +verify a valid RedHat (or Centos) release is present.\\ ​
 +''​$ cat /​etc/​redhat-release''​
 +
 +=> Supported RHEL7 release is 7.6
 +
 +To update a release to the latest RHEL7,
 +connect the server to the internet and use the command (as root):​\\ ​
 +''#​ yum update''​\\ ​
 +When completed, reboot and verify using:​\\ ​
 +''​$ cat /​etc/​redhat-release''​
 +
 +Note: During the install or updates, yum might (re-)enable '​firewalld'​!\\ ​
 +If your system'​s firewalld is not configured, the default setting will only allow SSH connections and block all others, including httpd, mysql, yce_xch, yce_sched, etc.
 +
 +=== Firewalld ===
 +
 +To disable '​firewalld':​\\
 +<​code>​
 +systemctl stop firewalld
 +systemctl disable firewalld
 +</​code>​
 +
 +=== Timezone ===
 +
 +Set timezone
 +
 +/​etc/​sysconfig/​clock
 +-- add UTC=yes for Hypervisors that do not set the hwclock to UTC time
 +<​code>​
 +ZONE="​Europe/​Amsterdam"​
 +UTC="​yes"​
 +</​code>​
 +
 +/​etc/​sysconfig/​ntpdate
 +-- set option to keep hw-clock in sync after ntpdate adjustment
 +<​code>​
 +SYNC_HWCLOCK=yes
 +</​code>​
 +
 +=== Set locales ===
 +
 +add the following lines to /​etc/​environment
 +
 +<​code>​
 +LANG=en_US.utf-8
 +LC_ALL=en_US.utf-8
 +</​code>​
 +
 +==== Filesystems ====
 +Some customer linux sytems have a filesystem setup where most applications subtrees
 +have their own volume. The sizes need to be adjusted to match the required size.
 +Use the command:​\\ ​
 +''#​ lvextend -L <​size>​ -r <​fs-device>''​
 +
 +On the filesystems below.
 +
 +Check with the ''​df -h''​ command the actual device name
 +<​code>​
 + ​mountpoint ​             size     ​device
 +/opt/nms
 +/opt/yce
 +/​opt/​ycelib ​           2G          /​dev/​mapper/​vg.appl-lv.optycelib
 +/​var/​opt/​yce ​          ​2G ​         /​dev/​mapper/​vg.appl-lv.varoptyce
 +/​var/​opt/​mysql ​        ​5G ​         /​dev/​mapper/​vg.appl-lv.varoptmysql
 +/​var/​opt/​shared ​       5G          /​dev/​mapper/​vg.appl-lv.varoptshared
 +</​code>​
 +
 +Typical systems are setup with separate filesystems for:
 +<​code>​
 +/opt                  10G
 +/​var/​opt/​mysql ​        5G
 +/​var/​opt/​shared ​       5G
 +</​code>​
 +
 + 
 +==== Prerequisites for installation ====
 +
 +Make sure to have the following available on your VM:
 +
 +The [[maintenance:​downloads:​system_updates:​system_updates#​perl_images|yceperl]] binary, ​ [[maintenance:​downloads:​system_updates:​system_updates#​update_images|YCE]] binary, your [[maintenance:​downloads:​system_updates:​system_updates#​licenses|yce_license]] and a NetYCE database if applicable.
 +
 +===== NetYCE installation =====
 +
 +==== Yum packages to install from default repository ====
 +
 +Install the following packages from the default repository using yum, we will install other packages from non standard repo's in this guide:
 +
 +<file text rhel7_packages.txt>​
 +SDL 
 +apr 
 +apr-util ​
 +at 
 +atlas 
 +autofs ​
 +autogen-libopts ​
 +avahi-libs ​
 +bc 
 +bind-libs ​
 +bind-utils ​
 +bison 
 +blas 
 +blktrace ​
 +boost-date-time ​
 +boost-program-options ​
 +boost-system ​
 +boost-thread ​
 +bridge-utils ​
 +byacc 
 +bzip2 
 +centos-indexhtml ​
 +cmake 
 +crda 
 +crypto-utils ​
 +cryptsetup ​
 +cscope ​
 +ctags 
 +cyrus-sasl-plain ​
 +desktop-file-utils ​
 +diffstat ​
 +dmraid ​
 +dmraid-events ​
 +doxygen ​
 +dstat 
 +dwz 
 +dyninst ​
 +ed 
 +efivar-libs ​
 +elfutils ​
 +emacs-filesystem ​
 +epel-release ​
 +flex 
 +fontconfig ​
 +fontpackages-filesystem ​
 +fribidi ​
 +ftp 
 +galera ​
 +gdbm-devel ​
 +gettext-common-devel ​
 +gettext-devel ​
 +gnutls ​
 +gpg-pubkey ​
 +gpm-libs ​
 +graphite2 ​
 +gsm 
 +gssproxy ​
 +harfbuzz ​
 +hdparm ​
 +hesiod ​
 +hicolor-icon-theme ​
 +httpd 
 +httpd-manual ​
 +httpd-tools ​
 +indent ​
 +iotop 
 +ius-release ​
 +jbigkit-libs ​
 +kernel ​
 +keyutils ​
 +keyutils-libs-devel ​
 +krb5-devel ​
 +lapack ​
 +ldns 
 +libarchive ​
 +libbasicobjects ​
 +libcollection ​
 +libcom_err-devel ​
 +libdwarf ​
 +libevent ​
 +libfprint ​
 +libgfortran ​
 +libini_config ​
 +libjpeg-turbo ​
 +libkadm5 ​
 +libmodman ​
 +libnfsidmap ​
 +libnl 
 +libogg ​
 +libpath_utils ​
 +libpcap ​
 +libproxy ​
 +libquadmath ​
 +libref_array ​
 +libselinux-devel ​
 +libsepol-devel ​
 +libsndfile ​
 +libtar ​
 +libtheora ​
 +libtirpc ​
 +libusbx ​
 +libverto-devel ​
 +libverto-libevent ​
 +libvorbis ​
 +libwayland-server ​
 +libxml2-python ​
 +libzip ​
 +lsof 
 +m4 
 +mailcap ​
 +mailx 
 +man-pages ​
 +man-pages-overrides ​
 +mdadm 
 +mlocate ​
 +mod_nss ​
 +mod_ssl ​
 +mod_wsgi ​
 +mokutil ​
 +mpfr 
 +mtr 
 +neon 
 +net-snmp-libs ​
 +net-snmp-utils ​
 +nettle ​
 +nfs-utils ​
 +nfs4-acl-tools ​
 +nscd 
 +nss-pam-ldapd ​
 +ntp 
 +ntpdate ​
 +ntsysv ​
 +numactl ​
 +numpy 
 +openldap-clients ​
 +openssl-devel ​
 +oprofile ​
 +pakchois ​
 +patch 
 +patchutils ​
 +pciutils ​
 +pcre-devel ​
 +perf 
 +php 
 +php-cli ​
 +php-common ​
 +pixman ​
 +psmisc ​
 +pygobject2 ​
 +pyparsing ​
 +python-augeas ​
 +python-backports ​
 +python-backports-ssl_match_hostname ​
 +python-chardet ​
 +python-ipaddress ​
 +python-kitchen ​
 +python-nose ​
 +python-setuptools ​
 +python-six ​
 +python2-futures ​
 +quota 
 +quota-nls ​
 +rcs 
 +redhat-rpm-config ​
 +rpcbind ​
 +rpm-sign ​
 +rsync 
 +satyr 
 +sg3_utils-libs ​
 +sgpio 
 +sos 
 +swig 
 +systemd-python ​
 +tcp_wrappers ​
 +tcsh 
 +telnet ​
 +tftp 
 +theora-tools ​
 +time 
 +tmpwatch ​
 +traceroute ​
 +trousers ​
 +unbound-libs ​
 +unzip 
 +usermode ​
 +vim-common ​
 +vim-enhanced ​
 +vim-filesystem ​
 +vsftpd ​
 +wget 
 +xdg-utils ​
 +xmlrpc-c ​
 +xmlrpc-c-client ​
 +xz-lzma-compat ​
 +yum-utils ​
 +zip 
 +zlib-devel
 +</​file>​
 +
 +==== Fping ====
 +<​code>​
 +yum -y install https://​centos7.iuscommunity.org/​ius-release.rpm
 +yum -y install fping
 +</​code>​
 +
 +==== MySecureShell ====
 +
 +<​code>​
 +echo "​[mysecureshell]
 +name=MySecureShell
 +baseurl=http://​mysecureshell.free.fr/​repository/​index.php/​centos/​6.4/​
 +enabled=1
 +gpgcheck=0"​ > /​etc/​yum.repos.d/​mysecureshell.repo
 +</​code>​
 +<​code>​
 +yum -y install mysecureshell
 +</​code>​
 +
 +==== Install MariaDB ====
 +
 +<​code>​
 +cat > /​etc/​yum.repos.d/​MariaDB_10_3.repo << EOF
 +# MariaDB 10.3 CentOS repository list - created 2019-06-20 15:41 UTC
 +# http://​downloads.mariadb.org/​mariadb/​repositories/​
 +[mariadb]
 +name = MariaDB
 +baseurl = http://​yum.mariadb.org/​10.3/​centos7-amd64
 +gpgkey=https://​yum.mariadb.org/​RPM-GPG-KEY-MariaDB
 +gpgcheck=1
 +EOF
 +</​code>​
 +<​code>​
 +yum -y install MariaDB-server MariaDB-client
 +</​code>​
 +
 +==== Install snmpd ====
 +
 +<​code>​
 +cat > /​etc/​snmp/​snmpd.conf << EOF
 +# Map '​readsys'​ community to the '​ConfigUser'​
 +# Map '​readall'​ community to the '​AllUser'​
 +# sec.name source community
 +com2sec ConfigUser default readsys
 +com2sec AllUser default readall
 +
 +# Map '​ConfigUser'​ to '​ConfigGroup'​ for SNMP Version 2c
 +# Map '​AllUser'​ to '​AllGroup'​ for SNMP Version 2c
 +# sec.model sec.name
 +group ConfigGroup v2c ConfigUser
 +group AllGroup v2c AllUser
 +
 +# Define '​SystemView',​ which includes everything under .1.3.6.1.2.1.1 (or .1.3.6.1.2.1.25.1)
 +# Define '​AllView',​ which includes everything under .1
 +# incl/excl subtree
 +view SystemView included .1.3.6.1.2.1.1
 +view SystemView included .1.3.6.1.2.1.25.1.1
 +view AllView included .1
 +
 +# Give '​ConfigGroup'​ read access to objects in the view '​SystemView'​
 +# Give '​AllGroup'​ read access to objects in the view '​AllView'​
 +# context model level prefix read write notify
 +access ConfigGroup ""​ any noauth exact SystemView none none
 +access AllGroup ""​ any noauth exact AllView none none
 +EOF
 +</​code>​
 +
 +To start snmpd: ''​systemctl start snmpd''​. ('​stop'​ to turn off)
 +
 +To enable snmpd at boot: ''​systemctl enable snmpd''​. ('​disable'​ to disable).
 +
 +==== Yce user creation and bash and vim profile settings ====
 +# create the group with gid 8000
 +<​code>​
 +groupadd -g 8000 nms
 +</​code>​
 +
 +# create a user with group nms with a home directory and no group yce
 +<​code>​
 +useradd -g nms -m -u 8000 -s /bin/bash yce
 +</​code>​
 +
 +# set the password for user yce 
 +<​code>​
 +passwd yce
 +</​code>​
 +
 +# .bash_profile for yce user:
 +
 +<​code>​
 +# .bash_profile
 +#
 +# NetYCE, 2018
 +#
 +
 +"​export LC_ALL=C"​
 +
 +if [ -r "/​opt/​yce/​system/​go"​ ]; then
 +    export RDEV="​devel6"​
 +    source "/​opt/​yce/​system/​go"​
 +else
 +    echo "​Skipping '​go'"​
 +fi
 +
 +export PATH="​$PATH:/​sbin:/​usr/​sbin:/​usr/​local/​sbin:/​bin:/​usr/​bin:/​usr/​local/​bin:/​opt/​yce/​bin:/​opt/​yce/​system:​."​
 +
 +export LD_LIBRARY_PATH="/​lib:/​usr/​lib:/​usr/​local/​lib"​
 +export LC_CTYPE="​en_US.UTF-8"​
 +export LC_ALL=C
 +export EDITOR=vi
 +
 +if [ "​${TERM}x"​ = "​x"​ ]; then
 +    export TERM=ansi
 +    stty erase ^?
 +fi
 +if [ "​$TERM"​ = "​ansi"​ ]; then
 +    stty erase ^H
 +fi
 +
 +set -o emacs
 +umask 0002
 +
 +export PS1='​\e[32m\u@\h\e[0m \w\n\$ '
 +
 +if [ -f /​etc/​DIR_COLORS ]; then
 +    # eval `dircolors -b /​etc/​DIR_COLORS | sed '​s/​di=01;​93/​di=01;​34/'​`
 +    alias ls='ls -N --color=tty -T 0 '
 +fi
 +
 +# Get the aliases and functions
 +if [ -f ~/.bashrc ]; then
 +    . ~/.bashrc
 +fi
 +
 +alias perl='/​opt/​ycelib/​perl/​bin/​perl'​
 +alias perldoc='/​opt/​ycelib/​perl/​bin/​perldoc'​
 +alias srch='/​opt/​yce/​system/​tools/​srch.pl'​
 +alias l='ls -lF'
 +alias ll='ls -laF'
 +alias lc='ls -CaF'
 +alias lr='ls -latrF'​
 +alias o='​less'​
 +alias grep='​grep --color=auto'​
 +alias gerp='​grep'​
 +alias cp='cp -i'
 +</​code>​
 +
 +# .bashrc for yce
 +<​code>​
 +cat >> /​home/​yce/​.bashrc << EOF
 +# User specific aliases and functions
 +if [ -f ~/​.bash_aliases ]; then
 +    . ~/​.bash_aliases
 +fi
 +EOF
 +</​code>​
 +
 +# .vimrc for yce
 +<​code>​
 +cat > /​home/​yce/​.vimrc << EOF
 +set ts=4
 +set sw=4
 +set ai
 +set noerrorbells
 +set formatoptions-=r
 +
 +EOF
 +</​code>​
 +
 +==== .bash_profile and .vimrc for root user: ==== 
 +
 +<​code>​
 +# .bash_profile
 +#
 +# NetYCE, 2018
 +#
 +
 +if [ -r "/​opt/​yce/​system/​go"​ ]; then
 +    export RDEV="​devel6"​
 +    source "/​opt/​yce/​system/​go"​
 +else
 +    echo "​Skipping '​go'"​
 +fi
 +
 +export PATH="​$PATH:/​sbin:/​usr/​sbin:/​usr/​local/​sbin:/​bin:/​usr/​bin:/​usr/​local/​bin:/​opt/​yce/​bin:/​opt/​yce/​system:​."​
 +
 +export LD_LIBRARY_PATH="/​lib:/​usr/​lib:/​usr/​local/​lib"​
 +export LC_CTYPE="​en_US.UTF-8"​
 +export LC_ALL=C
 +export EDITOR=vi
 +
 +if [ "​${TERM}x"​ = "​x"​ ]; then
 +    export TERM=ansi
 +    stty erase ^?
 +fi
 +if [ "​$TERM"​ = "​ansi"​ ]; then
 +    stty erase ^H
 +fi
 +
 +set -o emacs
 +umask 0002
 +
 +export PS1='​\e[32m\u@\h\e[0m \w\n\$ '
 +
 +if [ -f /​etc/​DIR_COLORS ]; then
 +    # eval `dircolors -b /​etc/​DIR_COLORS | sed '​s/​di=01;​93/​di=01;​34/'​`
 +    alias ls='ls -N --color=tty -T 0 '
 +fi
 +
 +# Get the aliases and functions
 +if [ -f ~/.bashrc ]; then
 +    . ~/.bashrc
 +fi
 +
 +alias perl='/​opt/​ycelib/​perl/​bin/​perl'​
 +alias perldoc='/​opt/​ycelib/​perl/​bin/​perldoc'​
 +alias srch='/​opt/​yce/​system/​tools/​srch.pl'​
 +alias l='ls -lF'
 +alias ll='ls -laF'
 +alias lc='ls -CaF'
 +alias lr='ls -latrF'​
 +alias o='​less'​
 +alias grep='​grep --color=auto'​
 +alias gerp='​grep'​
 +alias cp='cp -i'
 +
 +echo " ​ "
 +if [ -x "/​opt/​yce/​system/​net_setup.pl"​ ]; then
 +        /​opt/​yce/​system/​net_setup.pl
 +else
 +        echo "​ERROR:​ cannot start net_setup.pl"​
 +fi
 +
 +echo " ​ "
 +echo " ​ You can setup the networking by logging in "
 +echo " ​ as '​root'​ or using"
 +echo " ​   /​opt/​yce/​system/​net_setup.pl"​
 +echo " ​ "
 +echo " ​ YCE setup can be restarted as '​yce'​ user using"
 +echo " ​   /​opt/​yce/​system/​yce_setup.pl"​
 +echo " ​ "
 +</​code>​
 +
 +# .bashrc ​
 +<​code>​
 +cat >> ~/.bashrc << EOF
 +# User specific aliases and functions
 +if [ -f ~/​.bash_aliases ]; then
 +    . ~/​.bash_aliases
 +fi
 +EOF
 +</​code>​
 +
 +# .vimrc for root
 +<​code>​
 +cat > ~/.vimrc << EOF
 +set ts=4
 +set sw=4
 +set ai
 +set noerrorbells
 +set formatoptions-=r
 +EOF
 +</​code>​
 +
 +==== Sudo setup ====
 +
 +A couple of '​services'​ will be installed for NetYCE:
 +
 +- yce_psmon\\ ​
 +- httpd\\ ​
 +- mysql\\
 +- vsftpd\\
 +
 +Of these, yce_psmon and httpd require '​root'​ permissions to start.\\ ​
 +Since all application maintenance will (or should) be executed using the functional user '​yce',​ sudo should be setup to permit this.\\ ​
 +The default setup expects ''/​sbin/​service''​ to be available for the '​yce'​ user. Execution should not require a password.
 +
 +Add the following using visudo, remove any mention of sudoers.d (if present) at the end of the file:
 +
 +<​code>​
 +# Yce
 +Cmnd_Alias YCE = /​opt/​yce/​system/​init/​yce_tftpd
 +# Installation and management of software
 +Cmnd_Alias SOFTWARE = /bin/rpm, /​usr/​bin/​up2date,​ /​usr/​bin/​yum,​ /​usr/​bin/​updatedb,​ /bin/ping
 +# Processes
 +Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /​usr/​bin/​kill,​ /​usr/​bin/​killall,​ /​usr/​bin/​pkill
 +# Networking
 +Cmnd_Alias NETWORKING = /​sbin/​route,​ /​sbin/​ifconfig,​ /bin/ping, /​sbin/​dhclient,​ /​usr/​bin/​net,​ /​usr/​bin/​rfcomm,​ /​usr/​bin/​wvdial,​ /​sbin/​iwconfig,​ /​sbin/​mii-tool,​ /​usr/​sbin/​ip,​ /​usr/​sbin/​dhclient,​ /​usr/​sbin/​iptables,​ /​usr/​sbin/​ifstat,​ /​sbin/​iwconfig,​ /​usr/​sbin/​ethtool
 +
 +# Storage
 +Cmnd_Alias STORAGE = /​sbin/​fdisk,​ /​sbin/​sfdisk,​ /​sbin/​parted,​ /​sbin/​partprobe,​ /bin/mount, /bin/umount
 +
 +## Delegating permissions
 +Cmnd_Alias DELEGATING = /bin/chown, /bin/chmod, /bin/chgrp
 +
 + ​Cmnd_Alias SHELLS = /​bin/​sh,/​bin/​bash
 + ​Cmnd_Alias SU = /bin/su
 + ​Cmnd_Alias LOGIN = /bin/login
 + ​Cmnd_Alias REBOOT = /​usr/​bin/​reboot
 + ​Cmnd_Alias SHUTDOWN = /​usr/​bin/​poweroff,​ /​usr/​bin/​halt,​ /​sbin/​shutdown
 +
 +Defaults ​   !requiretty
 +
 +#==== YCE user group '​nms'​
 +# Below are a few examples. ​
 +# For production the MINIMUM profile might be a good start.
 +# For testing, the MAINTENANCE is regularly used.
 +
 +# MINIMUM
 +# No password required for YCE applications,​ ALL other applications are allowed with a password.
 +%nms ALL = PASSWD:ALL, NOPASSWD:​YCE
 +
 +# MAINTENANCE
 +# No password required for YCE applications and services and processes. NO other applications are allowed to run at all!
 +# %nms ALL=NOPASSWD:​YCE,​ SERVICES, PROCESSES
 +
 +# Same, but all applications are allowed if you know the password.
 +# %nms ALL=NOPASSWD:​YCE,​ SERVICES, PROCESSES, PASSWD:ALL
 +
 +
 +# DEVELOPMENT
 +# %nms ALL=NOPASSWD:​SOFTWARE,​ YCE, SERVICES, PROCESSES, PASSWD:ALL
 +# %nms ALL=NOPASSWD:​DELEGATING,​ NETWORKING, SOFTWARE, YCE, SERVICES, PROCESSES, PASSWD:ALL
 +# %nms ALL=NOPASSWD:​ALL
 +</​code>​
 +
 +
 +==== bash_aliases for root ====
 +
 +put the following in /​root/​.bash_aliases:​
 +<​code>​
 +export PAGER="​less"​
 +export EDITOR="​vim"​
 +alias l='ls -CF'
 +alias ll='ls -lhF'
 +alias llt='​ls -latrF'​
 +alias lr='ls -latrF'​
 +alias la='ls -ahF'
 +alias lla='​ls -lahF'
 +alias lc='ls -CaF'
 +alias p='​ping'​
 +alias pst='​ps axjf'
 +alias t='​telnet'​
 +alias n='​nslookup'​
 +alias o='​less'​
 +if [ -x /​usr/​bin/​vim ]; then
 +  alias vi='​vim'​
 +fi
 +alias grep='​grep --color=auto'​
 +alias gerp='​grep'​
 +alias ip='ip --color'​
 +alias ip4='​ip -4 --color --brief addr | grep -v UNKNOWN'​
 +alias ip6='​ip -6 --color --brief addr | grep -v UNKNOWN'​
 +
 +# other
 +alias add='/​opt/​yce/​system/​patches/​vendor_support.pl add'
 +alias perl='/​opt/​ycelib/​perl/​bin/​perl'​
 +alias perldoc='/​opt/​ycelib/​perl/​bin/​perldoc'​
 +alias srch='/​opt/​yce/​system/​tools/​srch.pl'​
 +</​code>​
 +
 +==== Httpd ====
 +
 +# enable the httpd service at startup
 +<​code>​
 +sudo systemctl enable httpd
 +</​code>​
 +
 +# this creates the following symlink:
 +
 +Created symlink from /​etc/​systemd/​system/​multi-user.target.wants/​httpd.service to /​usr/​lib/​systemd/​system/​httpd.service
 +
 +# mv ssl, nss, manual out of the way
 +<​code>​
 +sudo mv /​etc/​httpd/​conf.d/​ssl.conf /​etc/​httpd/​conf.d/​ssl.conf.unwanted
 +sudo mv /​etc/​httpd/​conf.d/​nss.conf /​etc/​httpd/​conf.d/​nss.conf.unwanted
 +sudo mv /​etc/​httpd/​conf.d/​manual.conf /​etc/​httpd/​conf.d/​manual.conf.unwanted
 +</​code>​
 +
 +# This should actually be done in yce_setup.pl,​ it is dependent on the choice for SSL/https.
 +<​code>​
 +sudo mv /​etc/​httpd/​conf.modules.d/​00-ssl.conf /​etc/​httpd/​conf.modules.d/​00-ssl.conf.unwanted
 +</​code>​
 +
 +# put a '#'​ in front of every line in welcome.conf. If the file is deleted, it will be put back after an upgrade of apache
 +<​code>​
 +sudo sed -i -e 's/^/# /' /​etc/​httpd/​conf.d/​welcome.conf
 +</​code>​
 +
 +# suexec wasn't active on centos6, so disabled it as well on centos7. Eric, is this required?
 +<​code>​
 +sudo sed -i -e '​s@^LoadModule suexec_module modules/​mod_suexec.so@#​ LoadModule suexec_module modules/​mod_suexec.so@'​ /​etc/​httpd/​conf.modules.d/​00-base.conf
 +</​code>​
 +
 +==== Setup the perl env. ====
 +# copy the perl bin to the new system
 +<​code>​
 +sudo mkdir /opt/ycelib
 +sudo chown yce:nms /opt/ycelib
 +sh yceperl_7.0.2.bin # as yce user, no sudo!
 +</​code>​
 +
 +==== Cron ====
 +it seems like there is no entry for the yce user needed in /​etc/​cron.allow for the user to be able to create crontab entries
 +
 +==== Yce directories ====
 +
 +as yce user
 +
 +<​code>​
 +sudo mkdir /​var/​opt/​yce
 +cd /​var/​opt/​yce
 +sudo mkdir backup configs download jobs logs output
 +sudo chown -R yce:nms /​var/​opt/​yce/​
 +</​code>​
 +
 +==== Ycicle user ====
 +
 +# use the UID and GID from this user for the following cmd (if you followed this installation guide both values will be 8000)
 +<​code>​
 +cat /etc/passwd | grep yce  ​
 +useradd -M -d /​var/​opt/​shared -s /bin/bash -o -u 8000 -g 8000 ycicle
 +passwd ycicle
 +</​code>​
 +
 +prevent expiry
 +
 +<​code>​
 +/​usr/​bin/​passwd -n 0 -x 99999 -i -1 ycicle
 +</​code>​
 +
 +**make sure the shell of ycicle user is set to /​bin/​MySecureShell
 +**
 +
 +==== Vsftpd ====
 +
 +replace the contents of /​etc/​vsftpd/​vsftpd.conf with the following:
 +
 +<​code>​
 +# NetYCE 2019
 +
 +anonymous_enable=NO
 +local_enable=YES
 +write_enable=YES
 +local_umask=002
 +dirmessage_enable=YES
 +xferlog_enable=YES
 +connect_from_port_20=YES
 +xferlog_file=/​var/​opt/​yce/​logs/​ftpxfer.log
 +vsftpd_log_file=/​var/​opt/​yce/​logs/​ftplog.log
 +xferlog_std_format=YES
 +chroot_list_enable=YES
 +listen=NO
 +listen_ipv6=YES
 +
 +pam_service_name=vsftpd
 +userlist_enable=YES
 +tcp_wrappers=YES
 +
 +local_root=/​var/​opt/​shared
 +secure_chroot_dir=/​var/​opt/​shared
 +chown_username=yce.nms
 +guest_enable=NO
 +force_dot_files=NO
 +hide_file={.yce_prop}
 +delete_failed_uploads=YES
 +log_ftp_protocol=NO
 +</​code>​
 +
 +and the following in /​etc/​vsftpd/​chroot_list:​
 +
 +<​code>​
 +ycicle
 +</​code>​
 +
 +put the following in /​etc/​ssh/​sshd_config:​
 +<​code>​
 +#   ​$OpenBSD:​ sshd_config,​v 1.80 2008/07/02 02:24:18 djm Exp $
 +
 +# This is the sshd server system-wide configuration file.  See
 +# sshd_config(5) for more information.
 +
 +# This sshd was compiled with PATH=/​usr/​local/​bin:/​bin:/​usr/​bin
 +
 +# The strategy used for options in the default sshd_config shipped with
 +# OpenSSH is to specify options with their default value where
 +# possible, but leave them commented. ​ Uncommented options change a
 +# default value.
 +
 +#Port 22
 +#​AddressFamily any
 +#​ListenAddress 0.0.0.0
 +#​ListenAddress ::
 +
 +# Disable legacy (protocol version 1) support in the server for new
 +# installations. In future the default will change to require explicit
 +# activation of protocol 1
 +Protocol 2
 +
 +# HostKey for protocol version 1
 +#HostKey /​etc/​ssh/​ssh_host_key
 +# HostKeys for protocol version 2
 +#HostKey /​etc/​ssh/​ssh_host_rsa_key
 +#HostKey /​etc/​ssh/​ssh_host_dsa_key
 +
 +# Lifetime and size of ephemeral version 1 server key
 +#​KeyRegenerationInterval 1h
 +#​ServerKeyBits 1024
 +
 +# Logging
 +# obsoletes QuietMode and FascistLogging
 +#​SyslogFacility AUTH
 +SyslogFacility AUTHPRIV
 +#LogLevel INFO
 +
 +# Authentication:​
 +
 +#​LoginGraceTime 2m
 +#​PermitRootLogin yes
 +#​StrictModes yes
 +#​MaxAuthTries 6
 +#​MaxSessions 10
 +
 +#​RSAAuthentication yes
 +#​PubkeyAuthentication yes
 +#​AuthorizedKeysFile .ssh/​authorized_keys
 +#​AuthorizedKeysCommand none
 +#​AuthorizedKeysCommandRunAs nobody
 +
 +# For this to work you will also need host keys in /​etc/​ssh/​ssh_known_hosts
 +#​RhostsRSAAuthentication no
 +# similar for protocol version 2
 +#​HostbasedAuthentication no
 +# Change to yes if you don't trust ~/​.ssh/​known_hosts for
 +# RhostsRSAAuthentication and HostbasedAuthentication
 +#​IgnoreUserKnownHosts no
 +# Don't read the user's ~/.rhosts and ~/.shosts files
 +#​IgnoreRhosts yes
 +
 +# To disable tunneled clear text passwords, change to no here!
 +#​PasswordAuthentication yes
 +#​PermitEmptyPasswords no
 +PasswordAuthentication yes
 +
 +# Change to no to disable s/key passwords
 +#​ChallengeResponseAuthentication yes
 +ChallengeResponseAuthentication no
 +
 +# Kerberos options
 +#​KerberosAuthentication no
 +#​KerberosOrLocalPasswd yes
 +#​KerberosTicketCleanup yes
 +#​KerberosGetAFSToken no
 +#​KerberosUseKuserok yes
 +
 +# GSSAPI options
 +#​GSSAPIAuthentication no
 +GSSAPIAuthentication yes
 +#​GSSAPICleanupCredentials yes
 +GSSAPICleanupCredentials yes
 +#​GSSAPIStrictAcceptorCheck yes
 +#​GSSAPIKeyExchange no
 +
 +# Set this to '​yes'​ to enable PAM authentication,​ account processing,
 +# and session processing. If this is enabled, PAM authentication will
 +# be allowed through the ChallengeResponseAuthentication and
 +# PasswordAuthentication. ​ Depending on your PAM configuration,​
 +# PAM authentication via ChallengeResponseAuthentication may bypass
 +# the setting of "​PermitRootLogin without-password"​.
 +# If you just want the PAM account and session checks to run without
 +# PAM authentication,​ then enable this but set PasswordAuthentication
 +# and ChallengeResponseAuthentication to '​no'​.
 +#UsePAM no
 +UsePAM yes
 +
 +# Accept locale-related environment variables
 +AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
 +AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
 +AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
 +AcceptEnv XMODIFIERS
 +
 +#​AllowAgentForwarding yes
 +#​AllowTcpForwarding yes
 +#​GatewayPorts no
 +#​X11Forwarding no
 +X11Forwarding yes
 +#​X11DisplayOffset 10
 +#​X11UseLocalhost yes
 +#PrintMotd yes
 +#​PrintLastLog yes
 +#​TCPKeepAlive yes
 +#UseLogin no
 +#​UsePrivilegeSeparation yes
 +#​PermitUserEnvironment no
 +#​Compression delayed
 +#​ClientAliveInterval 0
 +#​ClientAliveCountMax 3
 +#​ShowPatchLevel no
 +#UseDNS yes
 +#PidFile /​var/​run/​sshd.pid
 +#​MaxStartups 10:30:100
 +#​PermitTunnel no
 +#​ChrootDirectory none
 +
 +# no default banner path
 +#Banner none
 +
 +UseDNS no
 +
 +# override default of no subsystems
 +Subsystem ​  ​sftp ​   /​usr/​libexec/​openssh/​sftp-server
 +# Subsystem sftp    internal-sftp
 +
 +Match User ycicle
 +#    ChrootDirectory /​var/​opt/​shared
 +#    ForceCommand internal-sftp
 +#    ForceCommand /​opt/​yce/​bin/​cpsh.pl
 +    AllowTCPForwarding no
 +    X11Forwarding no
 +
 +# Example of overriding settings on a per-user basis
 +#Match User anoncvs
 +#   ​X11Forwarding no
 +#   ​AllowTcpForwarding no
 +#   ​ForceCommand cvs server
 +</​code>​
 +
 +Create the following in ''​**/​etc/​ssh/​sftp_config**''​ \\
 +The limited download speeds (100mbps global and 10mbps per session) are intended as guidelines to prevent multiple
 +OS-file transfers to consume too much bandwidth. These values can be adjusted to suit server and network capabilities.
 +
 +<​code>​
 +## MySecureShell Configuration File ##
 +# NetYCE 2019
 +
 +# Default rules for everybody
 +<​Default>​
 +        GlobalDownload ​         100m    #total speed download for all clients
 +                                        # o -> bytes   k -> kilo bytes   m -> mega bytes
 +        GlobalUpload ​           0       #​total speed upload for all clients (0 for unlimited)
 +        Download ​               10m     #​limit speed download for each connection
 +        Upload ​                 0       #​unlimited speed upload for each connection
 +        StayAtHome ​             true    #limit client to his home
 +        VirtualChroot ​          ​true ​   #fake a chroot to the home account
 +        LimitConnection ​        ​50 ​     #max connection for the server sftp
 +        LimitConnectionByUser ​  ​50 ​     #max connection for the account
 +        LimitConnectionByIP ​    ​50 ​     #max connection by ip for the account
 +        Home                    /​var/​opt/​shared/​
 +        Shell                   /​opt/​yce/​bin/​cpsh.pl
 +        IdleTimeOut ​            ​30m ​    # disconnect idle client after 30 min
 +        ResolveIP ​              ​false ​  #​resolve ip to dns
 +        IgnoreHidden ​           true    #treat all hidden files as if they don't exist
 +        DirFakeUser ​            ​true ​   #Hide real file/​directory owner (just change displayed permissions)
 +        DirFakeGroup ​           true    #Hide real file/​directory group (just change displayed permissions)
 +        DirFakeMode ​            ​0400 ​   #Hide real file/​directory rights (just change displayed permissions)
 +                                        #Add execution right for directory if read right is set
 +        HideNoAccess ​           true    #Hide file/​directory which user has no access
 +#       ​MaxOpenFilesForUser ​    ​20 ​     #limit user to open x files on same time
 +#       ​MaxWriteFilesForUser ​   10      #limit user to x upload on same time
 +#       ​MaxReadFilesForUser ​    ​10 ​     #limit user to x download on same time
 +        DefaultRights ​          0640 0750       #Set default rights for new file and new directory
 +#       ​MinimumRights ​          0400 0700       #Set minimum rights for files and dirs
 +        ShowLinksAsLinks ​       false   #show links as their destinations
 +        ConnectionMaxLife ​      ​2h ​     #limits connection lifetime to 2 hours
 +#       ​Charset ​                "​ISO-8859-15" ​  #set charset of computer
 +</​Default>​
 +
 +<User ycicle>
 +        Shell                   /​opt/​yce/​bin/​cpsh.pl
 +        Home                    /​var/​opt/​shared/​
 +        VirtualChroot ​          true
 +        ResolveIP ​              false
 +        IgnoreHidden ​           true
 +        ShowLinksAsLinks ​       false
 +</​User>​
 +
 +#Include /​etc/​my_sftp_config_file ​      #​include this valid configuration file
 +
 +</​code>​
 +
==== Create network config files ====
Before starting, run the yce binary as root and just press Enter through every prompt, so that all directories are created and files are put in place (the filename may differ, of course):

<code>
sh yce_7.1.1_20190522.bin
</code>

At the moment net_setup.pl only supports CentOS 6, so the network config files have to be created manually. Revise the values below to suit your situation, and set them in the same shell session in which you run the heredocs that follow, since the heredocs expand these variables:

<code>
IP=192.168.56.101
HOSTNAME=rhel7
DOMAIN=netyce.org
IFNY=enp0s8
IFNAT=enp0s3

HWADDRNY=08:00:27:DF:B5:07
DNS1=8.8.8.8
DNS2=8.8.4.4
</code>

<code>
cat > /opt/yce/etc/net_setup.xml << EOF
<setup>
  <local name="accounts" root_password="initialized at 2015-04-01 09:00:30" yce_password="initialized at 2015-04-01 09:00:37" />
  <local name="host" application_if="$IFNY" domainname="${DOMAIN}" fqdn="${HOSTNAME}.${DOMAIN}" hostname="${HOSTNAME}" networking="yes" ntpaddress="149.210.205.44" />
  <local name="net">
    <$IFNAT bootproto="dhcp" device="$IFNAT" dhcphostname="${HOSTNAME}.${DOMAIN}" gatewaydev="$IFNAT" ipv4address="10.0.3.15" ipv4gateway="10.0.3.2" ipv4netmask="255.255.255.0" ipv4network="10.0.3.0" ipv4prefix="24" macaddress="08:00:27:e4:c0:79" name="$IFNAT" nmcontrolled="yes" onboot="yes" peerdns="yes" primarydns="$DNS1" secondarydns="$DNS2" type="Ethernet" />
    <$IFNY bootproto="static" device="$IFNY" dhcphostname="" gatewaydev="$IFNAT" ipv4address="$IP" ipv4gateway="automatic" ipv4netmask="255.255.255.0" ipv4network="192.168.56.0" ipv4prefix="24" macaddress="$HWADDRNY" name="$IFNY" nmcontrolled="yes" onboot="yes" peerdns="yes" primarydns="$DNS1" secondarydns="$DNS2" type="Ethernet" />
  </local>
</setup>
EOF
</code>


# YCE setup
<code>
cat > /opt/yce/etc/yce_setup.xml << EOF
<setup>
  <override>
    <configs crontab="update" httpd="update" mojo="update" network="keep" />
    <daemons yce_ibd="disable" yce_nccmd="enable" />
  </override>
  <yce name="$HOSTNAME">
    <database database_id="1" type="mysql" />
    <host domainname="$DOMAIN" fqdn="${HOSTNAME}.${DOMAIN}" hostname="$HOSTNAME" />
    <httpd mode="root" proto="http" type="apache" urlbase="name" />
    <login domainname="$DOMAIN" expire="10" />
    <mojo port="8080" server="mojo" />
    <morbo port="3000" />
    <net ipv4="$IP" />
    <roles database="yes" frontend="yes" />
    <wiki domain="netyce.com" ip="" local="no" name="wiki" proto="http" />
    <yce_db primary_db="$HOSTNAME" secondary_db="" />
  </yce>
</setup>
EOF
</code>

Make sure the ownership of yce_setup.xml and net_setup.xml is yce:nms.
 +
==== tool_setup.xml ====

<code>
cat > /opt/yce/etc/tool_setup.xml << EOF
<!--
=== Scheduler and job tool configuration file ===

See the NetYCE wiki article for a detailed description:
  http://wiki.netyce.com/doku.php/operate:jobs:job_configuration

Currently supported job_type names:
 command_job
 basic_cmd_job
 startup_cfg
 reload_node
 connect_dce
 RXvlan_job
 port_config - does not use scheduler: no approvals apply
 os_upgrades

Job types not listed above currently will use the <default> job definitions. Support
will be incorporated in ongoing releases.

Job-types not configured explicitly below will also use the <default> job definitions.

All variables not configured explicitly in their <job_type> definitions will
be lifted from the <default> definition.

-->
<tool_setup>

  <queues>
    <queue name="evpn" done_age="180" cancel_age="1800" job_int="20" max_run="50" max_wait="3600" />
    <queue name="ios" done_age="180" cancel_age="1800" job_int="5" max_run="20" max_wait="3600" />
    <queue name="yce" done_age="180" cancel_age="1800" job_int="2" max_run="50" max_wait="3600" />
  </queues>

  <defaults job_type="default" queue="yce">
    <auditors levels="3456" />
    <notify pending="yes" cancel="yes" suspend="yes" />
    <approvals name="1" levels="" threshold="0" limit="0" />
    <approvals name="2" levels="" threshold="0" limit="0" />
    <approvals name="3" levels="" threshold="0" limit="0" />
    <approvals name="4" levels="" threshold="0" limit="0" />
    <approvals name="5" levels="" threshold="0" limit="0" />
    <approvals name="6" levels="" threshold="0" limit="0" />
    <change_id option="1" hint="C000xxxxxx">
      <validation>^C000(\d){6}$</validation>
      <validation>^O000(\d){6}$</validation>
      <validation>^O000(\d){6}\-(\d){3}$</validation>
    </change_id>
  </defaults>

  <command_job job_type="command_job" queue="yce">
    <auditors levels="3456" />
    <notify pending="yes" cancel="yes" suspend="yes" />
    <approvals name="2" levels="" threshold="0" limit="0" />
    <approvals name="3" levels="" threshold="0" limit="0" />
    <approvals name="4" levels="" threshold="0" limit="0" />
    <approvals name="5" levels="" threshold="0" limit="0" />
    <approvals name="6" levels="" threshold="0" limit="0" />
    <change_id option="1" hint="C000xxxxxx">
      <validation>^C000(\d){6}$</validation>
      <validation>^O000(\d){6}$</validation>
      <validation>^O000(\d){6}\-(\d){3}$</validation>
      <validation>^T000(\d){6}$</validation>
    </change_id>
  </command_job>

  <startup_config job_type="startup_config">
    <change_id hint="T000xxxxxx">
      <validation>^T000(\d){6}$</validation>
    </change_id>
  </startup_config>

  <RXvlan_job job_type="RXvlan_job" queue="evpn">
  </RXvlan_job>

  <os_upgrades job_type="os_upgrades" queue="ios">
  </os_upgrades>

</tool_setup>
EOF
</code>
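The <validation> patterns in the <change_id> blocks above decide which change IDs the scheduler accepts for a job type. As an added example (not NetYCE code), the same patterns checked from a POSIX shell with grep -E; the page writes them in Perl syntax (\d), which POSIX ERE does not have, so [0-9] is used here, and the sample IDs at the end are constructed.

```shell
#!/bin/sh
# Added example, not part of NetYCE: checks change IDs against the <validation>
# patterns from the tool_setup.xml above. The page writes the patterns in Perl
# syntax (\d); grep -E uses POSIX ERE, which has no \d, so [0-9] is used here.
# The sample IDs at the bottom are constructed.

# validate_change_id ID PATTERN...
# Succeeds (0) when ID matches at least one PATTERN; fails (1) otherwise.
# Every pattern is anchored ^...$, so a change ID is accepted only when the
# whole string matches: extra characters or a missing digit are rejected.
validate_change_id() {
    id=$1
    shift
    for pat in "$@"; do
        if printf '%s\n' "$id" | grep -Eq -- "$pat"; then
            return 0
        fi
    done
    return 1
}

# The <defaults> and <command_job> blocks share these three forms.
DEFAULT_C='^C000[0-9]{6}$'
DEFAULT_O='^O000[0-9]{6}$'
DEFAULT_O_SUFFIX='^O000[0-9]{6}-[0-9]{3}$'
# <command_job> adds the T000 form; <startup_config> accepts only that one.
T_FORM='^T000[0-9]{6}$'

valid_default_change_id()        { validate_change_id "$1" "$DEFAULT_C" "$DEFAULT_O" "$DEFAULT_O_SUFFIX"; }
valid_command_job_change_id()    { validate_change_id "$1" "$DEFAULT_C" "$DEFAULT_O" "$DEFAULT_O_SUFFIX" "$T_FORM"; }
valid_startup_config_change_id() { validate_change_id "$1" "$T_FORM"; }

# Constructed sample IDs, including ones that must be rejected
# (too few digits, lowercase prefix, trailing whitespace).
for id in C000123456 O000123456 O000123456-001 T000123456 C00012345 c000123456 'C000123456 '; do
    valid_default_change_id "$id"        && d=accept || d=reject
    valid_command_job_change_id "$id"    && c=accept || c=reject
    valid_startup_config_change_id "$id" && s=accept || s=reject
    printf '%-16s default=%s command_job=%s startup_config=%s\n' "$id" "$d" "$c" "$s"
done
```

Because the patterns are anchored on both ends, an ID that is one digit short or carries trailing whitespace is rejected outright rather than partially matched; when adding a validation of your own, keep the ^ and $ anchors for the same reason.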
 +
==== /var/opt/shared/ directory ====

Make sure /var/opt/shared is owned by root:root and has 755 rights.

/var/opt/shared/public has to be owned by yce:nms and also have 755 rights.
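The ownership and mode requirements stated here, and the yce:nms ownership of yce_setup.xml and net_setup.xml required earlier, can be verified before the installer is run again. As an added example (not the NetYCE installer's own code), a shell check that reports each path and, as root, can apply the values; it assumes GNU stat (the coreutils on RHEL/CentOS) and the yce user and nms group the page refers to.

```shell
#!/bin/sh
# Added example, not part of the NetYCE installer: verifies that the paths this
# page names carry the owner, group and mode it prescribes, and can apply them.
# Assumes GNU stat (-c), as shipped with RHEL/CentOS coreutils, and the
# yce user and nms group created for NetYCE.

# check_owner_mode PATH USER GROUP [MODE]
# Prints one line for PATH; returns 0 when it exists and matches, 1 otherwise.
# MODE is optional because the page gives only the owner for the setup files.
check_owner_mode() {
    path=$1 want_user=$2 want_group=$3 want_mode=${4:-}
    if [ ! -e "$path" ]; then
        printf 'MISSING  %s\n' "$path"
        return 1
    fi
    have_owner=$(stat -c '%U:%G' "$path") || return 1   # symbolic owner:group
    have_mode=$(stat -c '%a' "$path") || return 1       # octal permission bits
    if [ "$have_owner" != "$want_user:$want_group" ]; then
        printf 'MISMATCH %s: owner %s, want %s:%s\n' "$path" "$have_owner" "$want_user" "$want_group"
        return 1
    fi
    if [ -n "$want_mode" ] && [ "$have_mode" != "$want_mode" ]; then
        printf 'MISMATCH %s: mode %s, want %s\n' "$path" "$have_mode" "$want_mode"
        return 1
    fi
    printf 'OK       %s (%s %s)\n' "$path" "$have_owner" "$have_mode"
    return 0
}

# check_netyce_paths: the requirements stated on this page. Returns 1 if any deviates.
check_netyce_paths() {
    rc=0
    check_owner_mode /var/opt/shared            root root 755 || rc=1
    check_owner_mode /var/opt/shared/public     yce  nms  755 || rc=1
    check_owner_mode /opt/yce/etc/yce_setup.xml yce  nms      || rc=1
    check_owner_mode /opt/yce/etc/net_setup.xml yce  nms      || rc=1
    return $rc
}

# set_netyce_paths: apply those same values (run as root), then re-check.
set_netyce_paths() {
    chown root:root /var/opt/shared        && chmod 755 /var/opt/shared        &&
    chown yce:nms   /var/opt/shared/public && chmod 755 /var/opt/shared/public &&
    chown yce:nms   /opt/yce/etc/yce_setup.xml /opt/yce/etc/net_setup.xml &&
    check_netyce_paths
}

if check_netyce_paths; then
    echo "all NetYCE paths OK"
else
    echo "deviations found; run set_netyce_paths as root to correct them"
fi
```

Run it as any user to audit, and call set_netyce_paths as root only after reading the MISMATCH lines; keeping /var/opt/shared root-owned while only its public subdirectory belongs to yce:nms is what keeps the sftp jail configured above from writing outside the share.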
 +
==== Systemctl config files ====

Run the binary again; this time it should be able to generate the config files:

<code>
sh yce_7.1.1_20190522.bin
</code>

# httpd

The unit file copied into /etc/systemd/system takes precedence over the vendor copy in /usr/lib/systemd/system, and the drop-in in httpd.service.d/yce.conf is layered on top of it; systemctl daemon-reload makes systemd read both.

<code>
cp /opt/yce/etc/rhel7_httpd.conf /etc/httpd/conf.d/yce.conf

mkdir /etc/systemd/system/httpd.service.d
cp /usr/lib/systemd/system/httpd.service /etc/systemd/system

cp /opt/yce/system/init/httpd.service.d-yce.conf /etc/systemd/system/httpd.service.d/yce.conf

systemctl daemon-reload

systemctl restart httpd
</code>

# MariaDB

<code>
cp /opt/yce/etc/rhel7_mysql.conf /etc/my.cnf
cp /usr/lib/systemd/system/mariadb.service /etc/systemd/system/
mkdir /etc/systemd/system/mariadb.service.d
cp /opt/yce/system/init/mariadb.service.d-yce.conf /etc/systemd/system/mariadb.service.d/yce.conf

systemctl daemon-reload
</code>

==== Systemctl psmon ====
<code>
cp /opt/yce/system/init/yce_psmon.service /etc/systemd/system/

systemctl daemon-reload
systemctl stop yce_psmon
</code>
 +
==== Install the binary ====

<code>
sh yce_7.1.1_20190522.bin
</code>

<code>
Backup and Extraction will use /usr/bin/openssl and /usr/bin/gtar
Will extract to '/var/tmp/yce_install/YCE_7.1.1_20190522'
Skipping rollback archive: file exists 'YCEsrc_rhel7_20190806.des3'
Starting YCE installation verifications
Located YCE perl. Good
Installing YCE with 'root' privileges
Verifications complete
Found installation YCE manifest file '/var/tmp/yce_install/YCE_7.1.1_20190522/YCE_7.1.1_20190522.xml'. Good
Reading manifest '/var/tmp/yce_install/YCE_7.1.1_20190522/YCE_7.1.1_20190522.xml'
Parsing manifest parameters
Looking for existing YCE configuration
Loading existing YCE configuration
Will perform installation update in '/opt/yce'
Continue to do an UPDATE install?  [Y] Y
Located YCE license file '/opt/yce/etc/yce_license'
Location of 'yce_license'?  [/opt/yce/etc/yce_license]

Will use YCE license file '/opt/yce/etc/yce_license'. Good
   License registered to 'netYCE'
OK: License will not expire until '20191231'
   /var/tmp/yce_install/YCE_7.1.1_20190522/YCE_7.1.1_20190522.xml version = 7.1.1
License version '7' matches distribution version '7.1.1'. Good
You have licences for:
   IOS
   Rabo_spc
   NCCM
   Ziggo_sp
   Infoblox
   Netcool
   YCE
   Vancis_s
Found YCE distribution archive '/var/tmp/yce_install/YCE_7.1.1_20190522/YCEsrc_7.1.1_20190522.des3'. Good
Scanning build information of previous installed manifests
WARNING: Missing manifest file of previous installation
Must perform an initial install using interactive shell
Cannot continue using automatic updates - must perform first install
Error found. Continue? y
Starting package installations
yce_core (1)
nccm (2)
c3_connect (3)
rabo_dns_uitwijk (4)
dce_connect (5)
netcool_reporter (6)
ziggo_ipvpn (7)
rabo_wlc_poller (8)
netcool_services (9)
rabo_cmdb (10)
infoblox_dhcp (11)
rabo_systems (12)
os_upgrades (13)
rn3_evpn_failover (14)
netcool_mes (15)
infoblox_dns (16)
rabo_acs_update (17)
rabo_webcheck (18)
rn3_central (19)
rn3_sla (20)
Removing unlicensed package 'compliancy', requiring license 'Compliancy'
File installation complete
Do you want to create config files at this time?  [Y]
Starting configuration creation
-- ----------------------------------------
-- Starting 'yce_setup' interactive
--   operating system: CentOS (7.6.1810)
--   read network setup: '/opt/yce/etc/net_setup.xml'
--   read yce setup: '/opt/yce/etc/yce_setup.xml'
WARNING: No NetYCE database can be reached
YCE servers currently in setup:
  #  Hostname         IP-address           FQDN
* 0) rhel7            192.168.56.103       rhel7.netyce.org
  Select the server# to Remove, or 'A' to add, 'C' to continue: [C]
YCE server roles:
  #  Hostname         Front-end    SSL     HTTPD     URL      Mojo     Database     Id
* 0) rhel7            yes          http    root      name     8080     yes          1
  Select the server# to change, 'C' to continue: [0] C
YCE server database mapping:
  #  Hostname         Db-Id    Primary          Secondary
* 0) rhel7            1        rhel7
  Select the server# to change, 'C' to continue: [0] C
Login setup:
    Domain name for login (single-sign-on cookie)? [netyce.org]
    Hours until Login session expiry (single-sign-on cookie)? [10]
Login setup:
  Single-sign-on domain          Expire (hrs)
  netyce.org                     10
Wiki setup:
    'rhel7' will use the NetYCE public Wiki server? [Y]
-- New setup
#
# YCE Server overview:
# Name         Domain               IP-address      Database Front-end Primary-db   Secondary-db
# ----         ------               ----------      -------- --------- ----------   ------------
# rhel7        netyce.org           192.168.56.103   id=1    yes       rhel7
#
-- Saved setup in '/opt/yce/etc/yce_setup.xml'
Create the YCE, httpd, and mysql configuration files for the this system
* 0)  'rhel7'
  Create configuration for local server (y/n) ? [Y]
-- Create configs for server 'rhel7'
-- Yce: /opt/yce/etc/rhel7_yce.conf
WARNING vsftpd_conf: 'vsftpd_conf': psmon not running
WARNING sftp_conf: 'sftp_conf': psmon not running
WARNING vsftpd_chroot: 'vsftpd_chroot': psmon not running
WARNING sshd_conf: 'sshd_conf': psmon not running
    cannot support 'sftp'
    cannot support 'scp'
    cannot support 'ftp'
    can support 'tftp'
-- Mojo: /opt/yce/htdocs/angular/app/host.js
--   mojo url set to 'http://rhel7.netyce.org:8080/'
--   wiki url set to 'http://wiki.netyce.com/'
--   cacheswap 'rhel7' now at '201908060618'
-- Yce_psmon: /opt/yce/etc/rhel7_psmon.conf
ERROR: No sudo permissions available
ERROR: No sudo permissions available
ERROR: No sudo permissions available
ERROR: No sudo permissions available
-- Crontab: /opt/yce/etc/rhel7_crontab.conf
-- Httpd: /opt/yce/etc/rhel7_httpd.conf
-- Mysql: /opt/yce/etc/rhel7_mysql.conf
--   mysql version is '10.3.17'
--   mysql key_buffer set to '202M'
--   mysql tmpdir set to '/var/tmp'
-- Updating 'rhel7' menu-tree (C)
--   Creating menus for the role(s): "frontend","database"
--   Renewed the menu tree using the default
--   Updating 'rhel7' encryption keys
--   Updating scenario syntax highlighting file
-- Renewing NMS table permissions
-- Updating 'rhel7' my.cnf
WARNING: psmon copy failed (not running)
-- Daemons to restart: yce_psmon mysqld yce_tftpd yce_skulker yce_sched yce_nccmd yce_ibd morbo mojo
-- Relaunching NetYCE daemons...
-- yce_psmon:
     start: yce_psmon start
     wait start 'yce_psmon':
-- mysqld:
     start: mysql start
     wait start 'mysqld':
-- yce_tftpd: 3165
     stop: /bin/sudo /opt/yce/system/init/yce_tftpd stop
     wait stop 'yce_tftpd':
     start: /bin/sudo /opt/yce/system/init/yce_tftpd start
     wait start 'yce_tftpd': 3668
-- yce_skulker: 3185
     stop: /opt/yce/system/init/yce_skulker stop
     wait stop 'yce_skulker': 3185
     wait stop 'yce_skulker':
     start: /opt/yce/system/init/yce_skulker start
     wait start 'yce_skulker': 3691
-- yce_sched: 3207
     stop: /opt/yce/system/init/yce_sched stop
     wait stop 'yce_sched':
     start: /opt/yce/system/init/yce_sched start
     wait start 'yce_sched': 3713
-- yce_nccmd:
     start: /opt/yce/system/init/yce_nccmd start
     wait start 'yce_nccmd': 3725
-- yce_ibd:
     # disabled
-- morbo:
     # disabled
-- mojo: 3305 3306 3307 3308 3309 3310 3311
     stop: /opt/yce/system/init/yce_mojo stop
     wait stop 'mojo':
     start: /opt/yce/system/init/yce_mojo start
     wait start 'mojo': 3798 3799 3800 3801 3802 3803 3804
-- done
Relaunching XCH API...
  Stopping daemon 'yce_xch': 3347
  Starting daemon 'yce_xch'
-- Completed
SKIPPING PATCH INSTALL
  The patches MUST be installed when the YCE database is operational
  Patches must be installed using:
   '/opt/yce/system/patches/patch_install.pl'
Installation completed
Exiting installation. Cleanup
Cleanup YCEsrc_7.1.1_20190522
Completed - 1 Errors detected
</code>
 +
==== Database import ====

Put the database in place. I assume you made a .tgz of the /var/opt/mysql dir of a running NetYCE you want to migrate.

<code>
systemctl disable mariadb
systemctl stop mariadb
</code>

Check whether a .conf file is present in the directory /etc/systemd/system/mariadb.service.d/; if so, delete it:

<code>rm /etc/systemd/system/mariadb.service.d/migrated-from-my.cnf-settings.conf</code>

Make sure /var/opt/mysql/ is empty before copying your database into it. In my case I extracted the database in /home/yce/var/opt/mysql/:

<code>
rm -rf /var/opt/mysql/*
cp -a /home/yce/var/opt/mysql/* /var/opt/mysql/
sudo systemctl enable mariadb
sudo systemctl start mariadb
</code>

If you see a message like "Warning: mariadb.service changed on disk. Run 'systemctl daemon-reload' to reload units.", check with

<code>ps -axuf | grep mysql</code>

whether it is really running or not, because as I am writing this, this seems to be a false message and the daemon is actually running.

After the database is running, as the yce user:
<code>
go patches
./patch_install.pl
</code>
You might encounter the following:

<code>
    [18112302]   ERROR: Failed to create Ipv6_map_view Ipv6_map_view: "sql exec err: Column count of mysql.proc is wrong. Expected 21, found 20. Created with MariaDB 100215, now running 100316. Please use mysql_upgrade to fix this error"
    [18112302] Adding Mgmt_addr column to Ipv6_map table failed
ERROR: Patch '18112302' failed

    [19022703]  ERROR: Failed to create Ipv6_map_view Ipv6_map_view: "sql exec err: Column count of mysql.proc is wrong. Expected 21, found 20. Created with MariaDB 100215, now running 100316. Please use mysql_upgrade to fix this error"
    [19022703] renewing Ipv6_map_view view failed
ERROR: Patch '19022703' failed

    [19022707]  ERROR: Cannot create view 'Ipv6_subnet_view': "sql exec err: Column count of mysql.proc is wrong. Expected 21, found 20. Created with MariaDB 100215, now running 100316. Please use mysql_upgrade to fix this error"
    [19022707] Updating Ipv6 subnet view failed
ERROR: Patch '19022707' failed
</code>
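The failure above has a fixed signature in the patch_install output: the MariaDB build that created the system tables differs from the one now running. As an added example (not part of patch_install.pl or NetYCE), a small shell scanner that lists the patches reported as failed and recognises that signature, so the mysql_upgrade step is not overlooked when the output is long; the log it reads is constructed from the messages shown above and written to a temporary file.

```shell
#!/bin/sh
# Added example, not part of NetYCE's patch_install.pl: scans patch_install
# output for failed patches and for the mysql.proc column-count error, which
# means mysql_upgrade still has to be run on the imported data directory.
# The sample log below is constructed from the messages shown on this page.

# failed_patches LOG: print the id of every patch reported as failed, one per line.
failed_patches() {
    sed -n "s/^ERROR: Patch '\([0-9][0-9]*\)' failed.*/\1/p" "$1"
}

# needs_mysql_upgrade LOG: succeed when the error that mysql_upgrade fixes is present.
needs_mysql_upgrade() {
    grep -q 'Column count of mysql.proc is wrong' "$1"
}

# proc_versions LOG: print "CREATED RUNNING", the MariaDB build numbers named in
# the first such error (system tables come from CREATED, the server is RUNNING).
proc_versions() {
    sed -n 's/.*Created with MariaDB \([0-9]*\), now running \([0-9]*\).*/\1 \2/p' "$1" | head -n 1
}

# summarize LOG: print a one-line verdict; return 1 when any patch failed.
summarize() {
    log=$1
    n=$(failed_patches "$log" | wc -l | tr -d ' ')
    if [ "$n" -eq 0 ]; then
        echo "all patches applied"
        return 0
    fi
    if needs_mysql_upgrade "$log"; then
        versions=$(proc_versions "$log")
        echo "$n patch(es) failed: system tables from MariaDB ${versions%% *} on a ${versions##* } server; run mysql_upgrade, then patch_install.pl again"
    else
        echo "$n patch(es) failed for another reason; inspect the log"
    fi
    return 1
}

# Constructed sample of patch_install output, written to a temporary file.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
    [18112302]   ERROR: Failed to create Ipv6_map_view Ipv6_map_view: "sql exec err: Column count of mysql.proc is wrong. Expected 21, found 20. Created with MariaDB 100215, now running 100316. Please use mysql_upgrade to fix this error"
    [18112302] Adding Mgmt_addr column to Ipv6_map table failed
ERROR: Patch '18112302' failed
    [19022703]  ERROR: Failed to create Ipv6_map_view Ipv6_map_view: "sql exec err: Column count of mysql.proc is wrong. Expected 21, found 20. Created with MariaDB 100215, now running 100316. Please use mysql_upgrade to fix this error"
    [19022703] renewing Ipv6_map_view view failed
ERROR: Patch '19022703' failed
EOF

summarize "$SAMPLE_LOG" || echo "(exit status $?: patches need attention)"
```

On a real system redirect the patch run into a file, for example ./patch_install.pl 2>&1 | tee patch.log, and pass that file to summarize; a non-zero exit status is the cue to run mysql_upgrade and repeat the patch install.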
 +
Fix this by doing the following:

<code>
$ mysql_upgrade -u netYCE -p
Enter password:

Phase 1/7: Checking and upgrading mysql database
Processing databases

(I will skip all output that says OK, because there's a lot of that)

Phase 2/7: Installing used storage engines... Skipped
Phase 3/7: Fixing views
YCE.Ipv6_prefix_view
Error    : Column count of mysql.proc is wrong. Expected 21, found 20. Created with MariaDB 100215, now running 100316. Please use mysql_upgrade to fix this error
error    : Corrupt
</code>

Run

<code>
yce_setup.pl -r
</code>

to regenerate the configuration.

Somehow vsftpd doesn't get started at this moment, so for the time being:

<code>
sudo systemctl enable vsftpd
sudo systemctl start vsftpd
</code>
maintenance/general/installing_netyce_on_rhel7.txt · Last modified: 2019/11/27 16:41 by yspeerte