CentOS

1 Network configuration file location

ifcfg files in the /etc/sysconfig/network-scripts directory

2 Reload all configuration files

$ nmcli connection reload

3 Reload one configuration file

$ nmcli con load /etc/sysconfig/network-scripts/ifcfg-ifname

4 Put down/up interface

Changes made using tools such as nmcli do not require a reload but do require the associated interface to be put down and then up again. That can be done by using commands in the following format:

$ nmcli dev disconnect interface-name

$ nmcli con up interface-name

5 Create a Network Bridge

https://access.redhat.com/documentation/en-US/Red%5FHat%5FEnterprise%5FLinux/7/html/Networking%5FGuide/sec-Network%5FBridging%5FUsing%5Fthe%5FCommand%5FLine%5FInterface.html

https://jamielinux.com/docs/libvirt-networking-handbook/nat-based-network.html

  1. To create a network bridge, create a file in the /etc/sysconfig/network-scripts directory called ifcfg-brN, replacing N with the number for the interface, such as 0.

    DEVICE=br0
    TYPE=Bridge
    BOOTPROTO=dhcp
    ONBOOT=yes
    DELAY=0
    IPV6INIT="yes"
    IPV6_AUTOCONF="yes"
    
  2. Add to your network controller configuration file

    BRIDGE=br0
    

    Old Ethernet interface configuration: /etc/sysconfig/network-scripts/ifcfg-eno1

    TYPE=Ethernet
    BOOTPROTO=dhcp
    DEFROUTE=yes
    PEERDNS=yes
    PEERROUTES=yes
    IPV4_FAILURE_FATAL=no
    IPV6INIT=yes
    IPV6_AUTOCONF=yes
    IPV6_DEFROUTE=yes
    IPV6_PEERDNS=yes
    IPV6_PEERROUTES=yes
    IPV6_FAILURE_FATAL=no
    IPV6_ADDR_GEN_MODE=stable-privacy
    NAME=eno1
    UUID=ef9890fd-5289-490a-b49d-bed28c0e9531
    DEVICE=eno1
    ONBOOT=yes
    
  3. Enable network forwarding. Add to /etc/sysctl.conf

    net.ipv4.ip_forward = 1
    

    And load the file:

    # sysctl -p /etc/sysctl.conf
    
  4. Restart the NetworkManager service so that the bridge you just created can get an IP address:

    # systemctl restart NetworkManager
    
  5. Install network tools

6 KVM

  1. Check cpu info

    • vmx is for Intel processors
    • svm is for AMD processors
  2. Required packages

  3. Enable and start the libvirtd service:

7 SELinux

https://linux.dell.com/files/whitepapers/KVM%5FVirtualization%5Fin%5FRHEL%5F7%5FMade%5FEasy.pdf

If you are using SELinux in Enforcing mode, then there are some things to consider. The most common issue is when you use a non-default directory for your VM images. If you use a directory other than /var/lib/libvirt/images, then you must change the security context for that directory. For example, let’s say you select /vm-images to place your VM images. (Run the commands below as root.)

  1. Create the directory

    # mkdir /vm-images
    
  2. Install the policycoreutils-python package (which contains the semanage SELinux utility)

    # yum -y install policycoreutils-python
    
  3. Set the security context for the directory and everything under it:

    # semanage fcontext --add -t virt_image_t '/vm-images(/.*)?'
    

    Verify it:

    # semanage fcontext -l | grep virt_image_t
    
  4. Restore the security context. This will effectively change the context to virt_image_t

    # ls -aZ /vm-images
    
  5. If you are going to export the directory /vm-images as a Samba or NFS share, there are SELinux Booleans that need to be set as well:

    # setsebool -P virt_use_samba 1
    # setsebool -P virt_use_nfs 1
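
A check for the result of steps 3 and 4, as an added example that is not part of the original notes: it reads `ls -aZ` output and reports every entry whose SELinux type is not the expected one. The function names and the sample listing are constructed for illustration, and the `restorecon` command in the comment is an assumption, since the notes do not show the relabel command.

```shell
#!/bin/sh
# Added example: report entries whose SELinux type differs from the expected
# type. stdin: `ls -aZ <dir>` output. stdout: "<actual type> <name>" per mismatch.
# Typical relabel before checking (assumption, not shown in the notes):
#   restorecon -R -v /vm-images
mislabeled() {
    awk -v want="$1" '
    {
        # The context column (user:role:type:level) sits at a different
        # position depending on the coreutils version, so search for it.
        for (i = 1; i <= NF; i++) {
            if (split($i, c, ":") >= 4 && c[2] ~ /_r$/) {
                name = $(i + 1)
                for (j = i + 2; j <= NF; j++) name = name " " $j
                # ".." is the parent directory and keeps its own label.
                if (name != ".." && c[3] != want) print c[3], name
                next
            }
        }
    }'
}

# Constructed sample of `ls -aZ /vm-images` output (CentOS 7 column layout).
sample_listing() {
cat <<'EOF'
drwxr-xr-x. root root unconfined_u:object_r:virt_image_t:s0 .
dr-xr-xr-x. root root system_u:object_r:root_t:s0      ..
-rw-------. root root unconfined_u:object_r:virt_image_t:s0 ubuntu-server.img
-rw-------. qemu qemu unconfined_u:object_r:default_t:s0 ubuntu-video.img
EOF
}

sample_listing | mislabeled virt_image_t
```

On a live host, feed it real output with `ls -aZ /vm-images | mislabeled virt_image_t`; an empty result means every entry carries the expected type.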
    
    virt-install \
      --network bridge:br0 \
      --name ubuntu-server \
      --ram=1024 \
      --vcpus=1 \
      --disk path=/vm-images/ubuntu-server/ubuntu-server.img,size=10 \
      --os-type linux \
      --os-variant ubuntu16.04 \
      --graphics none \
      --location http://us.archive.ubuntu.com/ubuntu/dists/xenial/main/installer-amd64/ \
      --extra-args='console=tty0 console=ttyS0,115200n8 serial'
    
    virt-install \
      --name ubuntu-video \
      --network network=default \
      --ram=1024 \
      --vcpus=1 \
      --disk path=/vm-images/ubuntu-video/ubuntu-video.img,size=10 \
      --os-type linux \
      --os-variant ubuntu16.04 \
      --graphics none \
      --location http://us.archive.ubuntu.com/ubuntu/dists/xenial/main/installer-amd64/ \
      --extra-args='console=tty0 console=ttyS0,115200n8 serial'
    

    You can get a list of supported operating system variants with the `osinfo-query os` command.

    Pay attention to environment variable LIBVIRT_DEFAULT_URI

    LIBVIRT_DEFAULT_URI=qemu:///system

    
    sudo virsh -c qemu:///system list --all
    
    # virsh list --all
    
    # virsh destroy ubuntu-server
    
    # virsh undefine ubuntu-server
    
    # virsh edit ubuntu-server
    
    # virsh dominfo vm1
    
    # virsh autostart vm1
    
    # virsh net-list
    
    # virsh net-edit default
    
    # virsh net-destroy default
    
    # virsh net-start default
    

Find the IP address of a KVM guest using NAT networking

$ arp -e

  1. Change kvm client network to nat

8 Install Docker container for Emby

docker run -it --rm -v /usr/local/bin:/target \
    -e "APP_USER=centos" \
    -e "APP_CONFIG=/home/centos/.embyserver" \
    emby/embyserver instl

Install service

docker run -it --rm -v /etc/systemd/system:/target emby/embyserver instl service

Enable service at boot

$ sudo systemctl enable embyserver@username.service

9 Install nginx

$ sudo yum install epel-release # add CentOS 7 EPEL repository

$ sudo yum install nginx

$ sudo systemctl start nginx

$ sudo firewall-cmd --permanent --zone=public --add-service=http

$ sudo firewall-cmd --permanent --zone=public --add-service=https

$ sudo firewall-cmd --reload

$ sudo nginx -t

conf.d/example.com.conf

    server {
        listen 80;

        server_name DOMAINNAME; # Replace DOMAINNAME with the actual domain

        location / {
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $remote_addr;

            proxy_pass http://INTERNALIPADDRESS:PORT/;
        }
    }

10 Firewalld

The port has to be open on the host for a KVM client to access the host.

To view open ports, use the following command.

See services whose ports are open.

See services whose ports are open and see open ports.

For a service to be permanently open, use the following command.

To add a port, use the following command.

For the change to take effect, the firewall must be reloaded using the following command.

11 nginx 502 bad gateway issue (CentOS with KVM and SELinux, nginx with multiple domains and proxy_pass)

It turns out the issue was due to SELinux.

This should solve the problem:

setsebool -P httpd_can_network_connect 1

Details:

Check for errors in the SELinux logs:

sudo cat /var/log/audit/audit.log | grep nginx | grep denied

And found that running the following commands fixed my issue:

sudo cat /var/log/audit/audit.log | grep nginx | grep denied | audit2allow -M mynginx

sudo semodule -i mynginx.pp
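
Because audit2allow turns every denial it is fed into an allow rule, it helps to see what was actually denied first. The following added example (not part of the original notes) groups the nginx AVC denials by permission, object class and target type, and marks the ones the httpd_can_network_connect boolean above already covers; the function names and the log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: group SELinux AVC denials for one process name, so the
# narrowest fix can be chosen before audit2allow builds a blanket module.
# stdin: audit.log lines. stdout: "<count> <perms> <tclass> <target type> -> <hint>"
summarize_denials() {
    awk -v want="$1" '
    function field(re, skip) {      # text matched by re, minus a key= prefix
        if (!match($0, re)) return ""
        return substr($0, RSTART + skip, RLENGTH - skip)
    }
    /type=AVC/ && /denied/ {
        if (field("comm=\"[^\"]*\"", 5) != ("\"" want "\"")) next
        perm = field("[{] [^}]* [}]", 2); sub(/ [}]$/, "", perm)
        tclass = field("tclass=[a-z0-9_]+", 7)
        split(field("tcontext=[^ ]+", 9), t, ":")
        seen[perm " " tclass " " t[3]]++
    }
    END {
        for (k in seen) {
            hint = "check the target label before allowing"
            # Outbound connect from httpd_t (nginx) is what the boolean covers.
            if (k ~ /^name_connect tcp_socket /) hint = "boolean httpd_can_network_connect"
            print seen[k], k, "->", hint
        }
    }' | sort -rn
}

# Constructed audit.log sample (not real log data).
sample_audit_log() {
cat <<'EOF'
type=AVC msg=audit(1500000000.101:201): avc:  denied  { name_connect } for  pid=1201 comm="nginx" dest=8096 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1500000005.202:202): avc:  denied  { name_connect } for  pid=1201 comm="nginx" dest=8096 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1500000009.303:203): avc:  denied  { read } for  pid=1202 comm="nginx" name="index.html" dev="dm-0" ino=4242 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1500000012.404:204): avc:  denied  { read } for  pid=1300 comm="sshd" name="notes" dev="dm-0" ino=4343 scontext=system_u:system_r:sshd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file
EOF
}

sample_audit_log | summarize_denials nginx
```

On a live host, run it as `sudo cat /var/log/audit/audit.log | summarize_denials nginx`.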

12 nginx 403 permission denied

I experienced the same problem and it was due to SELinux.

To check if SELinux is running:

To disable SELinux until next reboot:

Restart Nginx and see if the problem persists. If you would like to permanently alter the settings you can edit /etc/sysconfig/selinux

If SELinux is your problem you can run the following to allow nginx to serve your www directory (make sure you turn SELinux back on before testing this).

i.e,

If you’re still having issues, take a look at the boolean flags in getsebool -a; in particular, you may need to turn on httpd_can_network_connect for network access.

For me it was enough to allow http to serve my www directory.

13 letsencrypt certbot issue

ImportError: ‘pyOpenSSL’ module missing required functionality. Try upgrading to v0.14 or newer.

$ wget http://cbs.centos.org/kojifiles/packages/pyOpenSSL/16.2.0/3.el7/noarch/python2-pyOpenSSL-16.2.0-3.el7.noarch.rpm

$ rpm -Uvh python2-pyOpenSSL-16.2.0-3.el7.noarch.rpm


© 2015-2020 tendant