Consider performing a You need to install a "minimal install" of Rocky 9.x, using the minimal install CD.
This is for 9.x: https://download.rockylinux.org/pub/rocky/9/isos/x86_64/Rocky-9-latest-x86_64-minimal.iso
If using binarylane, directly upload the image by keying in the URL and creating "a new backup file"
If the normal install crashes, you need to go into "rescue" mode and partition it using "parted", then use Text mode install
****** if anaconda is not fixed, we need to include instructions for text mode install here *******
Select a language, click continue.
Hostname should be called xxxx. Configure Network for DHCP and to "Connect Automatically"
Partition sizes should be as follows (Create Custom Layout):.
/ 20-50GB, depending on size of drive, format as EXT4 swap 2-32GB, the same size as physical RAM /u with the rest of available space (Fill to maximum available size), formatted as EXT4
Make sure you tell us what the root password is set to.
Lock root account, and do not allow ssh with password.
Add a user "ccc" called "Control ERP", make this user administrator, and require a password (funky).
After install is finished click restart. If using binarylane, now is the time to detach CD.
When rebooted, you have to log in as ccc, then run su -i to get root.
Next, turn off firewall and selinux.
systemctl disable firewalld
edit /etc/sysconfig/selinux and make sure the SELINUX line is as follows:
SELINUX=disabled
For linode only:
edit /etc/resolv.conf and add:
nameserver 8.8.8.8
Then make the file immutable
chattr +i /etc/resolv.conf
install wget and ppp:
dnf install wget ppp openssh-clients tar
download the following file into the server:
http://customers.creativecomputing.com.au/concare/vpn.tgz
untar the file into /etc/
cd wget http://customers.creativecomputing.com.au/concare/vpn3.tgz cd / tar xvzf ~/vpn3.tgz update-crypto-policies --set DEFAULT:SHA1
Note that this tar file also includes the systemd files for dumpodbc.
modify ~/.ssh/config to say:
Host sam.creativecomputing.com.au muppets.crecom.com.au
RequiredRSASize 1024then as root, accept the fingerprint:
****** update with new ip's and have to ssh to all 3 hosts ******
# ssh 220.233.135.250 The authenticity of host '220.233.135.250 (220.233.135.250)' can't be established. RSA key fingerprint is f6:f0:5c:21:74:0e:03:db:fc:71:e6:21:63:b5:c0:43. Are you sure you want to continue connecting (yes/no)? systemctl enable ppp@crecom systemctl enable ppp@waldorf systemctl enable ppp@sam
Type "yes" and cancel the connection (ctrl-c).
***** need to add root's authorized_keys somewhere in there ******
Reboot to connect the vpn. This connects to old router, new sam, and new webserver.
- After rebooting, watch out, do a "stat /" make sure it is root:root. If not, do a "chown 0:0 /" Symptom of above is error messages saying "Detected unsafe path transition" Possibly caused by untarring something in the root directory (vpn3.tgz above)
Make sure all existing packages are up to date
dnf upgrade --refresh
Add epel repository:
dnf config-manager --set-enabled crb
dnf install \
https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm \
https://dl.fedoraproject.org/pub/epel/epel-next-release-latest-9.noarch.rpmDownload fixed copy of polkit:
****** polkit no longer install properly ***** fixme
cd wget http://customers.crecom.com.au/concare/polkit-0.96-12.el6.1.x86_64.rpm yum install ./polkit-0.96-12.el6.1.x86_64.rpm
use yum to install additional packages
******libpng12.i686 is no longer supplied ****** need to test if libpng15.i686 works
dnf groupinstall "Workstation" dnf install fail2ban tigervnc tigervnc-server glibc.i686 libstdc++.i686 unixODBC.i686 libcurl.i686 openssl-libs.i686 expat.i686 glib2.i686 freetype.i686 libSM.i686 libXrender.i686 fontconfig.i686 libXext.i686 libxcrypt-compat.i686 libnsl.i686 gnome-flashback guacd pdftk tomcat-webapps mysql-server libguac-client-vnc libpng15.i686 c-ares.i686 nspr.i686 qrencode libreoffice-calc rxvt-unicode
*****libreoffice-calc used to be part of Workstation.... but not anymore?******
Turn on fail2ban
systemctl enable fail2ban
Load the /u partition:
Download the following tar file: http://customers.creativecomputing.com.au/concare/rel15_u_partition2.tgz
untar it into /u
cd wget https://customers.creativecomputing.com.au/concare/rel16_u_partition.tgz cd /u tar xvzf ~/rel16_u_partition.tgz #********** Need to add instructions to update .qss files (or should just update the contents of tar file)**********
Add "control" group
groupadd -g 3232 control
*********************Need to document how to build custom tigervnc if/when new version is available************************
*********************custom tigervnc no longer required option not to honour screen resize command************************
start tigervnc:
cd #wget https://customers.creativecomputing.com.au/concare/tigervnc_RPM_pack2.tgz tar xvzf tigervnc_RPM_pack.tgz #cd RPMS/x86_64/ #dnf install ./tigervnc-1.13.1-2.el9.x86_64.rpm ./tigervnc-server-1.13.1-2.el9.x86_64.rpm ./tigervnc-server-minimal-1.13.1-2.el9.x86_64.rpm #wget https://customers.creativecomputing.com.au/concare/turbovnc-2.2.5.x86_64.rpm #yum install turbovnc-2.2.5.x86_64.rpm wget https://customers.creativecomputing.com.au/concare/tigerstartup4.tgz cd /etc tar xvzf ~/tigerstartup4.tgz cd #wget http://customers.creativecomputing.com.au/concare/vncserver wget https://customers.creativecomputing.com.au/concare/deletelocks.sh wget https://customers.creativecomputing.com.au/concare/orbit-cleanup wget https://customers.creativecomputing.com.au/concare/org.freedesktop.login1.policy #incorporated into RPM file #wget https://customers.creativecomputing.com.au/concare/vncserver@.service wget https://customers.creativecomputing.com.au/concare/arial.tgz #mv vncserver /opt/TurboVNC/bin/ mv deletelocks.sh /usr/local/bin/ mv orbit-cleanup /usr/local/sbin/ mv org.freedesktop.login1.policy /usr/share/polkit-1/actions/ #mv vncserver@.service /usr/lib/systemd/system/ #chmod 755 /opt/TurboVNC/bin/vncserver cd / tar xvzf ~/arial.tgz
Edit /etc/X11/xinit/Xsession and add ". /u/cc/usr/commonx11.sh" and ". ~/.vnc/xstartup before the line for SWITCHDESKPATH=. Note there is a space between "." and "/".
#this is also incorporated into the RPM file #Edit /usr/libexec/vncsession-start and add "export NODEID="vnc$DISPLAY" before the final exec line.
#This is to stop dnf from updating over our custom tigervnc. Edit /etc/dnf/dnf.conf and add "exclude=tigervnc tigervnc-server-minimal tigervnc-server" at the end of the file.
Modify the ccc user and start up its vnc session
#adduser -m ccc #passwd ccc usermod -m -d /u/cc/usr/ccc ccc cd ~ccc rsync -av /etc/skel/ ./ chown -R ccc:control ./ systemctl start vncserver@:5 systemctl enable vncserver@:5
If you do not see Control running on vnc:5 (Just an empty desktop) check ~ccc/.config/autostart/control.desktop . This file does not take environment variables and need the full path. Also check out /etc/skel/.config/autostart/control.desktop
If you need to override the resolution (such as for control mini). Create a file in their home directory ~/.vnc/config and add a line:
geometry=1080x1920
Create a new file ~ccc/.profile with the following lines (may need #!/bin/bash in first line)
xhost +
This procedure also installs a strict preconfigured firewall. if upgrading from a current system (centos 6) compare the old /etc/sysconfig/iptables if you are having connectivity issues.
Install guacamole:
systemctl enable guacd cd wget --no-check-certificate https://archive.apache.org/dist/guacamole/1.5.0/binary/guacamole-1.5.0.war mv ~/guacamole-1.5.0.war /var/lib/tomcat/webapps/guacamole.war wget http://customers.creativecomputing.com.au/concare/guacdb4.sql systemctl enable mysqld systemctl start mysqld mysql CREATE DATABASE guacamole_db; \q mysql guacamole_db< ~/guacdb4.sql mysql CREATE USER 'guacamole_user'@'localhost' IDENTIFIED BY '33EEdd##'; grant all privileges on guacamole_db.* to 'guacamole_user'@'localhost'; \q systemctl enable tomcat cd wget https://apache.org/dyn/closer.lua/guacamole/1.5.0/binary/guacamole-auth-jdbc-1.5.0.tar.gz?action=download tar xvzf guacamole-auth-jdbc-1.5.0.tar.gz\?action\=download cd /etc/guacamole/extensions rm -f * mv /root/guacamole-auth-jdbc-1.5.0/mysql/guacamole-auth-jdbc-mysql-1.5.0.jar ./ cd wget https://customers.creativecomputing.com.au/concare/mysql-connector-j-8.0.32-1.el9.noarch.rpm dnf install ./mysql-connector-j-8.0.32-1.el9.noarch.rpm cd /etc/guacamole/lib rm -f * ln -s /usr/share/java/mysql-connector-j.jar ./ cd /etc mv guacd.conf guacamole/
Restart once more. guacadmin password is gu4c4dm1n
Try logging into guacamole on "http://<ip address>:8080/guacamole/" and connect to the pre configured "ccc" session. If you see a menu on top, go to System->log out ccc, then say "Log out" to the dialog box that comes up. This will close the session and start it over. If the screen has been locked out and screen saver has activated, forcibly restart the vnc session:
systemctl restart vncserver@:5
***************************************need to add proper http forwarding so users don't have to keep using the :8080 url**************************************************
Install java printing:
cd dnf install httpd
Add the following to the end of /etc/httpd/conf/httpd.conf
Alias /printers /var/www/html/printers
<Directory /var/www/html/printers>
Options Indexes FollowSymLinks MultiViews ExecCGI
AllowOverride Options
Order allow,deny
Allow from all
</Directory>Uncomment the following line
AddHandler cgi-script .cgi
Add the following line just after "DocumentRoot"
SetEnv LD_LIBRARY_PATH lib:/usr/lib:/u/ccr.16/lib
Add apache to the "control" group (in /etc/group)
control:3232:apache
Create the following directoriy /var/www/html/printers/
And copy 2 files from sam
/u/ccdev/std/internet/cgi/deviceservice.cgi /u/ccdev/std/binl/printer
Important: make sure you set the above 2 files to be executable and never use binx11 printer executable
Add a new file .htaccess containing the following:
Options -Indexes
enable and start the httpd service
systemctl enable httpd systemctl start httpd
use your browser to test http://<blah>.bnr.la/printers/deviceservice.cgi and see if you see <! printer_details="no"> in the page source.
Set up chroot sftp
In /etc/ssh/sshd_config change the following near the bottom:
#Subsystem sftp /usr/libexec/openssh/sftp-server
Subsystem sftp internal-sftp
Match Group sftpusers
ChrootDirectory /sftp/%u
ForceCommand internal-sftpAdd a new group sftpusers and create a chroot subdirectory
groupadd -g 3255 sftpusers mkdir /sftp/
Restart sshd if you want to use it straight away
service sshd restart
Set up OpenVPN
Install the OpenVPN package
yum install openvpn easy-rsa cd /usr/share/easy-rsa/3.0 cp /usr/share/doc/easy-rsa/vars.example ./vars
Edit the file "vars" and change the items near the end (this is just an example, you can use your real location details):
set_var EASYRSA_KEY_SIZE 4096 set_var EASYRSA_CRL_DAYS 3650 set_var EASYRSA_DIGEST "sha512"
build the certificate authority (just accept all the defaults and say yes to sign the certificate and commit):
./easyrsa init-pki ./easyrsa build-ca nopass
It will ask you for a password that can no longer be blank. Use "creative" as password.
Then it will ask for your Common name, this is just for display, but better if you put the hostname (or customer company)
./easyrsa gen-req server nopass ./easyrsa sign-req server server ./easyrsa gen-crl openssl dhparam -out ./pki/dh4096.pem 4096
This will generate a secure key, it usually takes a long time.
openvpn --genkey secret ./pki/ta.key wget http://customers.creativecomputing.com.au/concare/server.conf mv server.conf /etc/openvpn/server/ systemctl enable openvpn-server@server mkdir /var/log/openvpn systemctl start openvpn-server@server
Setting up PPTP VPN server
Make sure pptpd and ppp are loaded:
cd wget https://customers.creativecomputing.com.au/concare/pptpd-1.4.0-1.el9.x86_64.rpm dnf install ppp initscripts ./pptpd-1.4.0-1.el9.x86_64.rpm
configure /etc/pptpd.conf and make sure you have a "local" ip
localip 192.168.128.1
start pptpd and add it to auto start list
service pptpd start chkconfig pptpd on
Add the login/password/IP to /etc/ppp/chap-secrets
<username> * <password> <IP_Address>
setting up window vpn client
in the search box, typ vpn
then add a vpn
use window build-in driver
type in the server url or ip adress.
put the <username> and <password> that get setup in the server and save .
then connect.
Reset the vnc password for ccc (vnc session number 5) to control. Do not set a view-only password.
/opt/TurboVNC/bin/vncpasswd ~ccc/.vnc/passwd
At this point the OS is installed and a very rudimentary version of Control (based on what's installed in the original test VM) is now installed in the system. The following instructions are for adding sessions and printers which I will do a live demo for.
***************************************************************updated up to here**********************************************************
To Add a new session:
This section moved to Installing Control
For users of previous release (upgrade):
populate:
/u/cc/usr/vncusers.sh
based on the lines that start with v in:
/etc/inittab
take a copy of the untarer.sh and lockdown.tgz:
cd wget http://customers.creativecomputing.com.au/concare/lockdown.tgz wget http://customers.creativecomputing.com.au/concare/untarer.sh chmod 755 untarer.sh
Get a list of users from inittab:
cat /etc/inittab|grep ^v|cut -d: -f4| cut -d\- -f2|xargs
run untarer.sh using the output of the above as parameters
./untarer.sh <paste-output-of-above-command>
you can skip over users that you dont think need a vnc session in the new release.
Set up a Printer:
These instructions are mostly just an outline.
If using a printer that will be hooked up to a windows PC, We will need to make sure that the windows printer driver is installed and a test page can be printed.
If using cloudprint, a google account should be created solely for printing.
If using cloud print (A4 printers):
On native cloudprint printer
set up cloudprint on device (this is device specific)
https://support.google.com/cloudprint/answer/1686197?hl=en
On classic printer
set up cloudprint on attached windows PC and Chrome.
https://support.google.com/cloudprint/answer/1686197?hl=en
for both of the above: set up cups-cloudprint using python script
/usr/share/cloudprint-cups/setupcloudprint.py
If direct printing (40 column thermal receipt printers and label printers)
set up openvpn account on the server:
cd /usr/share/easy-rsa/3.0 ./easyrsa gen-req <session name> nopass
Then we sign our own request:
./easyrsa sign-req client <session name>
If signing the request fails, check the file /usr/share/easy-rsa/3.0/index.txt and make sure you have not used this common name before. If you have and you are sure you want to reuse it, erase the line from the above file
It will then ask you a series of questions, similar to the ones asked when you built the server key. You should only need to answer the "Common Name" field and "Confirm request details:"
In the pki directory under current a configuration file <session_name>.ovpn similar to openvpn.conf must be created.
# Configuration for connecting into Creative computing internal network tls-client dev tap proto udp remote <server_hostname> 1194 resolv-retry infinite nobind ifconfig <assigned_IP> 255.255.255.0 ca ca.crt cert <session_name>.crt key <session_name>.key verb 3 mute 10 cipher AES-256-CBC auth SHA512 tls-auth ta.key 1 tls-version-min 1.2 tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
Then zip all these file you just created ( .crt, .key,.opvn and etc may be 6 or so files)
cd pki zip -j <session_name>.zip <session_name>.ovpn private/<session_name>.key issued/<session_name>.crt dh4096.pem ca.crt ta.key
Load into client machine. An external method may be needed to load the OpenVPN files into the client computer.
Use the latest stable installer (whether 32 bit or 64 bit) from the following:
https://openvpn.net/index.php/open-source/downloads.html
Unzip all the files into the config directory under where OpenVPN is installed (Usually C:\Program Files\OpenVPN\config). Create a shortcut to OpenVPN on the desktop if the installer has not done so.
set up windows driver and make sure test page works.
turn on Unix printing for windows and make sure it auto starts the service.
use system-config-printer to set up cups
At this point, you have a cups printer, either to a cloud printer device, or a direct printing device.
run printer management from inside Control:
prnaad (as end user)
cloud print printer use "graphics" printing, the rest choose appropriate printer model.
Go to Control "terminal details" screen to set up printers.
yum install sendmail
chkconfig --levels 235 sendmail on
chmod 755 -R /etc/mail
service sendmail restart
update all the binaries to the latest:
From SAM:
rsync -avzk --delete /u/ccstandard/ root@<server IP>:/u/ccstandard/
ssh to the server.
cd /u/ccr.15/ rsync -av /u/ccstandard/ ./
Copy the <standard company> to <company name>
chmod a+w -R /u/ccr.15/<company> /u/ccr.15/adm
./contrl =>put address and phone
/u/cc/std/localbin/brarep
Setting up CRON
ln -s /u/cc /cc crontab -e * * * * * /u/cc/binl/auto_postal > /u/cc/LOG/auto_postal.out 2>&1 0 1 * * * /u/cc/binl/post_sum > /u/cc/LOG/post_sum.out 2>&1 0 1 1 * * /u/cc/binl/auto_eom > /u/cc/LOG/auto_eom.out 2>&1 su - <enter root password> crontab -e 1 2 * * * /usr/local/sbin/orbit-cleanup > /cc/LOG/orbit-cleanup.out 2>&1 30 1 * * * /u/cc/binl/initda > /u/cc/LOG/initda.out
be sure to modify $CCDIR/binl/auto_eom with the correct CCDIR so that it will run for the correct company (specially if you have custom CCDIR)
Setting up printers
system-config-printer prnaad
Makesure /u/cc/std/ have the qtsdk-2010.05/ thing
and "qtx11-4.7.0 -> qtsdk-2010.05/" is placed in /u/cc/std/
cp /u/ccdev/binl/email_pdf to the new server as well.
If using postfix (no reason other than if already set up before)
increase default message size limit:
postconf -e message_size_limit=102400000 postconf -e mailbox_size_limit=819200000
If you need to see catalina.out
Edit /etc/systemd/system/multi-user.target.wants/tomcat.service and add these 2 lines under [service]
If guacamole does not try connecting
Check using netstat -tnlp where guacd is listening on. It may be listening on ipv6 only (default). Fix is to create /etc/guacamole/guacd.conf that contains:
[server] bind_host = 127.0.0.1 bind_port = 4822
The above is already part of tigerstartup2.tgz so this is only if you manually upgraded guacamole.