- 1 network configuration files location
- 2 reload all configuration files
- 3 reload one configuration file
- 4 Put down/up interface
- 5 Create a Network Bridge
- 6 KVM
- 7 SELinux
- 8 install docker container for emby
- 9 Install nginx
- 10 Firewalld
- 11 nginx 502 bad gateway issue (CentOS with KVM and SELinux, nginx with multiple domains and proxy_pass)
- 12 nginx 403 permission denied
- 13 letsencrypt certbot issue
1 network configuration files location
The ifcfg files live in /etc/sysconfig/network-scripts
2 reload all configuration files
$ nmcli connection reload
3 reload one configuration file
$ nmcli con load /etc/sysconfig/network-scripts/ifcfg-ifname
4 Put down/up interface
Changes made using tools such as nmcli do not require a reload but do require the associated interface to be put down and then up again. That can be done by using commands in the following format:
$ nmcli dev disconnect interface-name
$ nmcli con up interface-name
5 Create a Network Bridge
https://jamielinux.com/docs/libvirt-networking-handbook/nat-based-network.html
To create a network bridge, create a file in /etc/sysconfig/network-scripts called ifcfg-brN, replacing N with the number for the interface, such as 0:
DEVICE=br0
TYPE=Bridge
BOOTPROTO=dhcp
ONBOOT=yes
DELAY=0
IPV6INIT="yes"
IPV6_AUTOCONF="yes"
Add the following line to the configuration file of the physical network interface that will be attached to the bridge:
BRIDGE=br0
Old Ethernet interface configuration, /etc/sysconfig/network-scripts/ifcfg-eno1, for reference:
TYPE=Ethernet
BOOTPROTO=dhcp
DEFROUTE=yes
PEERDNS=yes
PEERROUTES=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=yes
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_PEERDNS=yes
IPV6_PEERROUTES=yes
IPV6_FAILURE_FATAL=no
IPV6_ADDR_GEN_MODE=stable-privacy
NAME=eno1
UUID=ef9890fd-5289-490a-b49d-bed28c0e9531
DEVICE=eno1
ONBOOT=yes
Enable IP forwarding. Add to /etc/sysctl.conf:
net.ipv4.ip_forward = 1
And load the file:
# sysctl -p /etc/sysctl.conf
Restart the NetworkManager service so that the bridge you just created can get an IP address:
# systemctl restart NetworkManager
Install network tools
6 KVM
Check that the CPU supports hardware virtualization:
# grep -E 'vmx|svm' /proc/cpuinfo
- vmx is for Intel processors
- svm is for AMD processors
Required packages
Enable and start the libvirtd service:
# systemctl enable libvirtd
# systemctl start libvirtd
7 SELinux
https://linux.dell.com/files/whitepapers/KVM%5FVirtualization%5Fin%5FRHEL%5F7%5FMade%5FEasy.pdf
If you are using SELinux in Enforcing mode, there are some things to consider. The most common issue is using a non-default directory for your VM images. If you use a directory other than /var/lib/libvirt/images, you must change the security context of that directory. For example, say you choose /vm-images for your VM images. (Run the commands below as root.)
Create the directory:
# mkdir /vm-images
Install the policycoreutils-python package (which contains the semanage SELinux utility):
# yum -y install policycoreutils-python
Set the security context for the directory and everything under it:
# semanage fcontext --add -t virt_image_t '/vm-images(/.*)?'
Verify it:
# semanage fcontext -l | grep virt_image_t
Restore the security context. This effectively changes the context to virt_image_t:
# restorecon -R -v /vm-images
Check the result:
# ls -aZ /vm-images
If you are going to export /vm-images as a Samba or NFS share, there are SELinux booleans that need to be set as well:
# setsebool -P virt_use_samba 1
# setsebool -P virt_use_nfs 1
virt-install \
  --network bridge:br0 \
  --name ubuntu-server \
  --ram=1024 \
  --vcpus=1 \
  --disk path=/vm-images/ubuntu-server/ubuntu-server.img,size=10 \
  --os-type linux \
  --os-variant ubuntu16.04 \
  --graphics none \
  --location http://us.archive.ubuntu.com/ubuntu/dists/xenial/main/installer-amd64/ \
  --extra-args='console=tty0 console=ttyS0,115200n8 serial'
virt-install \
  --name ubuntu-video \
  --network network=default \
  --ram=1024 \
  --vcpus=1 \
  --disk path=/vm-images/ubuntu-video/ubuntu-video.img,size=10 \
  --os-type linux \
  --os-variant ubuntu16.04 \
  --graphics none \
  --location http://us.archive.ubuntu.com/ubuntu/dists/xenial/main/installer-amd64/ \
  --extra-args='console=tty0 console=ttyS0,115200n8 serial'
You can get a list of supported operating system variants with the `osinfo-query os` command.
Pay attention to the environment variable LIBVIRT_DEFAULT_URI; without it, virsh run as a normal user talks to the per-user session instead of the system instance:
LIBVIRT_DEFAULT_URI=qemu:///system
$ sudo virsh -c qemu:///system list --all
# virsh list --all
# virsh destroy ubuntu-server
# virsh undefine ubuntu-server
# virsh edit ubuntu-server
# virsh dominfo vm1
# virsh autostart vm1
# virsh net-list
# virsh net-edit default
# virsh net-destroy default
# virsh net-start default
Find the IP address of a KVM guest that uses NAT networking:
$ arp -e
- Change kvm client network to nat
8 install docker container for emby
docker run -it --rm -v /usr/local/bin:/target \
-e "APP_USER=centos" \
-e "APP_CONFIG=/home/centos/.embyserver" \
emby/embyserver instl
Install the systemd service:
docker run -it --rm -v /etc/systemd/system:/target emby/embyserver instl service
Enable the service at boot:
$ sudo systemctl enable embyserver@username.service
9 Install nginx
$ sudo yum install epel-release # add the CentOS 7 EPEL repository
$ sudo yum install nginx
$ sudo systemctl start nginx
$ sudo firewall-cmd --permanent --zone=public --add-service=http
$ sudo firewall-cmd --permanent --zone=public --add-service=https
$ sudo firewall-cmd --reload
$ sudo nginx -t
conf.d/example.com.conf
server {
    listen 80;
    server_name DOMAINNAME;  # Replace DOMAINNAME with the actual domain
    location / {
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_pass http://INTERNALIPADDRESS:PORT/;
    }
}
10 Firewalld
A port has to be open on the host for a KVM guest to reach a service on the host.
To view open ports:
$ sudo firewall-cmd --list-ports
To see services whose ports are open:
$ sudo firewall-cmd --list-services
To see both open services and open ports:
$ sudo firewall-cmd --list-all
To open a service permanently:
$ sudo firewall-cmd --permanent --add-service=SERVICENAME
To add a port:
$ sudo firewall-cmd --permanent --add-port=PORT/tcp
For the change to take effect, the firewall must be reloaded:
$ sudo firewall-cmd --reload
11 nginx 502 bad gateway issue (CentOS with KVM and SELinux, nginx with multiple domains and proxy_pass)
It turns out the issue was due to SELinux.
This should solve the problem:
setsebool -P httpd_can_network_connect 1
Details:
Check for errors in the SELinux logs:
sudo cat /var/log/audit/audit.log | grep nginx | grep denied
And found that running the following commands fixed my issue:
sudo cat /var/log/audit/audit.log | grep nginx | grep denied | audit2allow -M mynginx
sudo semodule -i mynginx.pp
12 nginx 403 permission denied
I experienced the same problem and it was due to SELinux.
To check if SELinux is running:
To disable SELinux until next reboot:
Restart Nginx and see if the problem persists. If you would like to permanently alter the settings, you can edit /etc/sysconfig/selinux.
If SELinux is your problem, you can run the following to allow nginx to serve your www directory (make sure you turn SELinux back on before testing this).
i.e,
If you’re still having issues, take a look at the boolean flags in getsebool -a; in particular you may need to turn on httpd_can_network_connect for network access.
For me it was enough to allow http to serve my www directory.
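Both SELinux symptoms above (the 502 from proxy_pass and the 403 from a non-default www directory) show up as AVC denials in /var/log/audit/audit.log. The script below is an added example, not from the original notes: it extracts the denials for one process and maps the two cases to the targeted fix the notes use, instead of feeding every denial to audit2allow -M, which generates a module that permits everything in its input. The audit lines are constructed samples, and <wwwroot> stands in for your document root.

```shell
#!/bin/sh
# Added example (not from the original notes): summarise SELinux AVC denials
# for one process and map the common nginx cases to a targeted fix.

# Constructed sample audit.log lines for illustration (not real captures).
SAMPLE_AUDIT='type=AVC msg=audit(1500000000.123:456): avc:  denied  { name_connect } for  pid=1234 comm="nginx" dest=8096 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1500000001.456:457): avc:  denied  { read } for  pid=1234 comm="nginx" name="index.html" dev="dm-0" ino=99 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1500000002.789:458): avc:  denied  { write } for  pid=999 comm="sshd" name="x" scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0'

# avc_denials COMM < audit.log
# Prints one "permission tclass target_type" line per denial for that comm.
avc_denials() {
  grep 'avc:  denied' | grep "comm=\"$1\"" |
  sed -n 's/.*denied  { \([^ ]*\) }.*tcontext=[^:]*:[^:]*:\([^:]*\):.*tclass=\([a-z_]*\).*/\1 \3 \2/p'
}

# suggest_fix PERM TCLASS TARGET_TYPE
# The two nginx denials from the notes get their targeted fix; anything else
# is flagged for manual review rather than blindly allowed.
suggest_fix() {
  case "$1 $2 $3" in
    "name_connect tcp_socket "*)
      echo "setsebool -P httpd_can_network_connect 1   # proxy_pass to a backend (502)" ;;
    *" file user_home_t"|*" dir user_home_t")
      echo "semanage fcontext -a -t httpd_sys_content_t '<wwwroot>(/.*)?' && restorecon -Rv <wwwroot>   # docroot outside /var/www (403)" ;;
    *)
      echo "no canned fix for '$1 $2 $3'; review before using audit2allow" ;;
  esac
}

# report COMM: one suggestion per distinct denial in the sample.
report() {
  printf '%s\n' "$SAMPLE_AUDIT" | avc_denials "$1" | sort -u |
  while read -r perm tclass ttype; do
    echo "$perm on $tclass ($ttype): $(suggest_fix "$perm" "$tclass" "$ttype")"
  done
}

report nginx
```

On a real host, replace the sample with `sudo grep avc /var/log/audit/audit.log | avc_denials nginx`.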
13 letsencrypt certbot issue
ImportError: ‘pyOpenSSL’ module missing required functionality. Try upgrading to v0.14 or newer.
$ wget http://cbs.centos.org/kojifiles/packages/pyOpenSSL/16.2.0/3.el7/noarch/python2-pyOpenSSL-16.2.0-3.el7.noarch.rpm
$ rpm -Uvh python2-pyOpenSSL-16.2.0-3.el7.noarch.rpm