Post-installation

From Jordan LE NUFF's Wiki

Adding the internal certificate authority

Initialise the root CA trust store:

update-ca-trust enable

Drop the company CA certificate in /etc/pki/ca-trust/source/anchors. Anything placed there becomes a trusted root for every TLS client on the host, so compare the file's SHA-256 fingerprint with the value published by the PKI team before copying it.

Import the certificate deposited above with:

update-ca-trust extract

Afterwards the CA should appear in the output of trust list.

Adding the EPEL repository and the base packages

yum -y install epel-release
yum makecache
yum -y update
yum -y install yum-utils bind-utils yum-cron wget bash-completion lsof nmon net-tools dos2unix deltarpm vim sg3_utils open-vm-tools sysstat samba-client samba zip
init 6

Preparing the Samba configuration

cp /etc/samba/smb.conf /etc/samba/smb.conf.default
sed -i -e 's/^\([^#].*\)/#\1/g' /etc/samba/smb.conf
sed -i -e 's/^#\[global\]/[global]\n\tguest account = www\n\tmap to guest = Bad User/' /etc/samba/smb.conf

The first sed comments out every active line of the stock smb.conf; the second re-enables [global] with guest mapping. Be clear about what that mapping means: with map to guest = Bad User, a login with an unknown user name is treated as a guest, and with guest account = www that guest acts as the owner of the web tree created further down (/data/www). Only set guest ok on shares that are meant to be anonymous, and keep those shares read-only unless anonymous writes are intended.

Changing the umask

The default umask becomes 007: owner and group keep full rights, others get nothing, which is what the shared www group relies on further down (a file created by one member is writable by the others). The same umask is applied to SysV init scripts through /etc/init.d/functions and to SFTP uploads through the internal-sftp subsystem option -u 0007.

sed -i -e 's/umask 022/umask 007/g' -e 's/umask 002/umask 007/g' /etc/bashrc
sed -i -e 's/umask 022/umask 007/g' -e 's/umask 002/umask 007/g' /etc/csh.cshrc
sed -i -e 's/umask 022/umask 007/g' -e 's/umask 002/umask 007/g' /etc/profile
sed -i -e 's/umask 022/umask 007/g' -e 's/umask 002/umask 007/g' /etc/init.d/functions
sed -i -e 's@Subsystem\tsftp\t/usr/libexec/openssh/sftp-server@\#Subsystem\tsftp\t/usr/libexec/openssh/sftp-server\nSubsystem\tsftp\tinternal-sftp -u 0007@g' /etc/ssh/sshd_config
systemctl restart sshd

Changing the default umask for cron jobs

SYSTEMD_EDITOR=tee systemctl edit crond.service <<EOF
[Service]
UMask=0007
EOF
systemctl restart crond

UMask= is applied when the service process is started, so crond has to be restarted; a reload only makes it re-read the crontabs.

Removing unneeded drivers

yum -y remove alsa-* ivtv-* iwl*firmware aic94xx-firmware

Disabling Wi-Fi

nmcli radio all off

Disabling IPv6

echo "NETWORKING_IPV6=no" >> /etc/sysconfig/network
echo "IPV6INIT=no" >> /etc/sysconfig/network
echo "net.ipv6.conf.all.disable_ipv6 = 1" >> /etc/sysctl.conf
echo "net.ipv6.conf.default.disable_ipv6 = 1" >> /etc/sysctl.conf
sysctl -p
sed -i 's/#AddressFamily any/AddressFamily inet/g' /etc/ssh/sshd_config
systemctl restart sshd
sed -i 's/OPTIONS=""/OPTIONS="-4"/g' /etc/sysconfig/chronyd
systemctl restart chronyd

Disabling SELinux

This removes the host's mandatory access control layer: once it is off, a compromised httpd or php-fpm process is confined only by Unix permissions and by the systemd sandboxing directives used below. The rest of the page assumes it is disabled; otherwise the non-standard SSH port and the paths under /data and /opt would need matching SELinux port and file-context rules.

setenforce 0
sed -i -e 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/selinux/config

Changing the SSH port

The sed keeps Port 22 and adds a second listener on XXXXX; the firewall's ssh service already allows 22, so both ports stay reachable. If SELinux were left enforcing, the new port would also have to be declared as ssh_port_t.

sed -i 's@#Port 22@Port 22\nPort XXXXX@g' /etc/ssh/sshd_config
systemctl restart sshd
firewall-cmd --permanent --service=ssh --add-port=XXXXX/tcp
firewall-cmd --reload

Removing unneeded users

These are system accounts shipped by the setup package; removing them (and, with -r, their home directories such as /var/adm) makes rpm -V report the missing owners, and lp is referenced again if printing support is ever installed. Keep the list to accounts no installed package needs.

userdel -r adm
userdel -r ftp
userdel -r games
userdel -r lp
groupdel games

Increasing the command history from 1000 to 5000 lines

sed -i 's/HISTSIZE=.*/HISTSIZE=5000/g' /etc/profile

Adding the clean_requirements_on_remove=1 option so that unused dependencies are removed automatically when a package is uninstalled

yum-config-manager --setopt=clean_requirements_on_remove=1 --save

Installing msmtp

yum -y install msmtp mailx

Create /etc/msmtprc with the relay settings (they are not reproduced on this page), then:

chmod o+r /etc/msmtprc

The file is made world-readable so that PHP (see sendmail_path below) and other unprivileged users can send mail. Do not put an SMTP password in it, since every local account could then read it; an authenticated relay belongs in a per-user ~/.msmtprc with 600 permissions, which msmtp enforces.

NTP setup

yum -y install ntpdate && ntpdate ntp.myntpserver.com && systemctl enable ntpdate.service

chronyd is already running and was forced to IPv4 above; ntpdate only steps the clock once (now, and at boot through its unit), continuous synchronisation remains chronyd's job.

Adding extra aliases

echo "alias vi='vim'" >> /etc/profile.d/sh.local
sed -i "8 i alias ll='ls -al --color=auto'" /root/.bashrc

Preparing for compilation

mkdir -p /data/builds
yum install -y gcc glibc-devel glibc-headers kernel-headers libmpc mpfr autoconf
yum install -y pcre-devel
yum install -y expat-devel
yum install -y systemd-devel
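
The sections below fetch the httpd, APR, APR-util, CMake, libzip and PHP sources with wget from mirrors and extract them immediately. The helper below is an added example, not the page's own code: it stages a download, checks its SHA-256 against the digest taken from the project's official download page (assumed to be obtained separately, never from the mirror that serves the tarball) and only then moves it into /data/builds. Function names and the placeholder digest in the usage comment are mine.

```bash
#!/bin/bash
# Added example: stage a source tarball and keep it only if its SHA-256 matches
# the checksum published by the project (obtained out of band, never from the
# mirror that serves the archive). Paths follow the page's layout (/data/builds);
# function names are assumptions of this example.

# sha256_matches FILE EXPECTED
# Returns 0 when FILE's SHA-256 equals EXPECTED (hex digest, any case).
sha256_matches() {
    local file=$1 expected=$2 actual
    actual=$(sha256sum "$file" | awk '{print $1}')
    # Lower-case both sides: digests pasted from a web page are often upper case.
    [ "$(printf '%s' "$actual" | tr 'A-Z' 'a-z')" = "$(printf '%s' "$expected" | tr 'A-Z' 'a-z')" ]
}

# verify_local FILE EXPECTED_SHA256
# Same check for an archive already on disk (for instance copied from a jump host).
verify_local() {
    if sha256_matches "$1" "$2"; then
        echo "OK       $1"
    else
        echo "MISMATCH $1 does not have the expected SHA-256, do not extract it" >&2
        return 1
    fi
}

# fetch_verified URL EXPECTED_SHA256 [DEST_DIR]
# Downloads URL to a temporary file, verifies it, then moves it into DEST_DIR
# (default /data/builds). A mismatching download is deleted and 1 is returned,
# so a following "tar -zxf" cannot run on a tampered or truncated archive.
fetch_verified() {
    local url=$1 expected=$2 dest_dir=${3:-/data/builds} name tmp
    name=$(basename "$url")
    tmp=$(mktemp "${TMPDIR:-/tmp}/${name}.XXXXXX") || return 1
    if ! wget -q -O "$tmp" "$url"; then
        echo "download failed: $url" >&2
        rm -f "$tmp"
        return 1
    fi
    if ! verify_local "$tmp" "$expected"; then
        rm -f "$tmp"
        return 1
    fi
    mkdir -p "$dest_dir" && mv "$tmp" "$dest_dir/$name" && chmod 0644 "$dest_dir/$name"
}

# Usage (the digest is a placeholder: copy the real one from the .sha256 file
# next to the release on downloads.apache.org, from php.net's download page, etc.):
# fetch_verified "https://mirror.ibcp.fr/pub/apache//httpd/httpd-${APACHE_VERSION}.tar.gz" "<sha256 from downloads.apache.org>"
# verify_local /data/builds/php-${PHP_VERSION}.tar.gz "<sha256 from php.net>"
```

Use fetch_verified in place of the bare wget lines, or verify_local on archives that are already present, before every tar -zxf below; a mirror can serve a stale or replaced archive, and the digest from the project's own site is the only thing that ties the bytes on disk to the release.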

Adding the www group and the /data/www, /data/logs and /data/builds directories

useradd www -m
mkdir -p /data/{www,logs,builds}
chown www:www /data/{www,logs}
chmod 770 /data/{www,logs}

Compiling and installing Apache

Everything is built statically (--disable-so) with a trimmed module list, which keeps the attack surface small, but note two of the choices: mod_reqtimeout, Apache's built-in defence against slow-header (slowloris-style) clients, is disabled, and mod_status is compiled in, so /server-status must be restricted to local access in the vhost configuration. The tarballs are fetched from mirrors over HTTPS without further verification; compare them with the checksums published on downloads.apache.org before extracting.

export APACHE_VERSION=2.4.46
export APR_VERSION=1.7.0
export APR_UTILS_VERSION=1.6.1
useradd -r apache
usermod -aG www apache
mkdir -p /opt/httpd/httpd-${APACHE_VERSION}
ln -s httpd-${APACHE_VERSION} /opt/httpd/current
wget https://mirror.ibcp.fr/pub/apache//httpd/httpd-${APACHE_VERSION}.tar.gz
tar -zxf httpd-${APACHE_VERSION}.tar.gz -C /data/builds
wget https://miroir.univ-lorraine.fr/apache//apr/apr-${APR_VERSION}.tar.gz
tar -zxf apr-${APR_VERSION}.tar.gz
mv apr-${APR_VERSION} /data/builds/httpd-${APACHE_VERSION}/srclib/apr
wget https://miroir.univ-lorraine.fr/apache//apr/apr-util-${APR_UTILS_VERSION}.tar.gz
tar -zxf apr-util-${APR_UTILS_VERSION}.tar.gz
mv apr-util-${APR_UTILS_VERSION} /data/builds/httpd-${APACHE_VERSION}/srclib/apr-util
cd /data/builds/httpd-${APACHE_VERSION}
./configure \
--prefix=/opt/httpd/current \
--sysconfdir=/opt/httpd/conf \
--enable-proxy \
--enable-proxy-http \
--enable-proxy-wstunnel \
--enable-proxy-fcgi \
--enable-rewrite \
--enable-authz-host \
--enable-mime \
--enable-static-support \
--enable-remoteip \
--enable-status \
--enable-systemd \
--enable-setenvif \
--enable-headers \
--enable-mods-static="proxy rewrite authz-core authz-host log-config alias dir unixd mime remoteip status systemd setenvif headers" \
--disable-so \
--disable-proxy-connect \
--disable-proxy-ftp \
--disable-proxy-scgi \
--disable-proxy-uwsgi \
--disable-proxy-fdpass \
--disable-proxy-ajp \
--disable-proxy-balancer \
--disable-proxy-express \
--disable-proxy-hcheck \
--disable-access-compat \
--disable-auth \
--disable-auth-basic \
--disable-authn-core \
--disable-authn-file \
--disable-authz-groupfile \
--disable-authz-user \
--disable-autoindex \
--disable-env \
--disable-filter \
--disable-reqtimeout \
--disable-version \
--disable-authn-dbm \
--disable-authn-anon \
--disable-authn-dbd \
--disable-authn-socache \
--disable-authz-dbm \
--disable-authz-owner \
--disable-authz-dbd \
--disable-auth-form \
--disable-auth-digest \
--disable-allowmethods \
--disable-cache \
--disable-file-cache \
--disable-cache-disk \
--disable-cache-socache \
--disable-socache-dbm \
--disable-socache-memcache \
--disable-socache-redis \
--disable-socache-shmcb \
&& make -j"$(nproc)" && make install
chown -R root:apache /opt/httpd
chmod -R g-w /opt/httpd

With the 007 umask in force during make install, the directories under /opt/httpd were created group-writable. The apache user (group apache) must be able to read the configuration but not replace binaries or configuration files, hence g-w; httpd writes nothing there, since the logs go to /data/logs and the pid file is written by the root master process.
echo "export PATH=\$PATH:/opt/httpd/current/bin" >> /etc/profile.d/sh.local
touch /etc/systemd/system/http.service
chmod 644 /etc/systemd/system/http.service
SYSTEMD_EDITOR=tee systemctl edit --full http.service <<EOF
[Unit]
Description=The Apache HTTP Server
After=network.target

[Service]
Type=notify
ExecStart=/opt/httpd/current/bin/httpd -D FOREGROUND -k start
ExecReload=/opt/httpd/current/bin/httpd -k graceful
ExecStop=/opt/httpd/current/bin/httpd -k stop
KillMode=mixed
TimeoutStopSec=60

[Install]
WantedBy=multi-user.target
EOF
firewall-cmd --add-service=http
firewall-cmd --add-service=http --permanent
mkdir -p /data/logs/www/{localhost,$(hostname -s)}
chmod o+rx /data
chown www:www /data/logs/www/localhost
chmod 770 /data/logs/www/localhost
touch /data/logs/www/localhost/localhost_http_{error,access}.log
touch /data/logs/www/$(hostname -s)/$(hostname -s)_http_{error,access}.log
mkdir /opt/httpd/conf/vhosts
sed -i -e 's/User daemon/User apache/g' -e 's/Group daemon/Group www/g' /opt/httpd/conf/httpd.conf
sed -i -e 's/ServerAdmin you@example.com/ServerAdmin my.great.mail@address.com/g' /opt/httpd/conf/httpd.conf
sed -i -e 's@ErrorLog "logs/error_log"@ErrorLog "/data/logs/www/localhost/localhost_http_error.log"@g' /opt/httpd/conf/httpd.conf
sed -i -e 's@CustomLog "logs/access_log"@CustomLog "/data/logs/www/localhost/localhost_http_access.log"@g' /opt/httpd/conf/httpd.conf
sed -i -e 's@#Include /opt/httpd/conf/extra/httpd-mpm.conf@Include /opt/httpd/conf/extra/httpd-mpm.conf@g' /opt/httpd/conf/httpd.conf
sed -i -e 's@#Include /opt/httpd/conf/extra/httpd-default.conf@Include /opt/httpd/conf/extra/httpd-default.conf@g' /opt/httpd/conf/httpd.conf
cat <<EOF >> /opt/httpd/conf/httpd.conf
# Custom virtual hosts and conf
IncludeOptional /opt/httpd/conf/vhosts/*.conf
EOF
systemctl start http.service
systemctl enable http.service

Installing CacheTool for PHP

cd
mkdir -p /local/php/cachetool
wget -O /local/php/cachetool/cachetool-6.5.0.phar https://github.com/gordalina/cachetool/releases/download/6.5.0/cachetool.phar
wget -O /local/php/cachetool/cachetool-3.2.2.phar https://gordalina.github.io/cachetool/downloads/cachetool-3.2.2.phar
chown -R :www /local/php/cachetool
chmod ug+x /local/php/cachetool/*

Both phars run with access to the php-fpm sockets (group www), so keep the versions pinned as above rather than following "latest", and record their checksums with the build.

Compiling and installing CMake

cd
yum -y install openssl-devel keyutils-libs-devel krb5-devel libcom_err-devel libkadm5 libselinux-devel libsepol-devel libverto-devel gcc-c++ libstdc++-devel
mkdir /opt/cmake
wget https://github.com/Kitware/CMake/releases/download/v3.18.0-rc3/cmake-3.18.0-rc3.tar.gz
tar -zxf cmake-3.18.0-rc3.tar.gz -C /data/builds
cd /data/builds/cmake-3.18.0-rc3
./bootstrap --prefix=/opt/cmake/cmake-3.18.0-rc3
make
make install
ln -s cmake-3.18.0-rc3 /opt/cmake/current
echo "export PATH=\$PATH:/opt/cmake/current/bin" >> /etc/profile.d/sh.local
. /etc/profile.d/sh.local

3.18.0-rc3 is a release candidate; a final 3.18.x release is preferable on a build host. The last line loads the new PATH into the current shell: sh.local is otherwise only read at the next login, and the libzip build below calls cmake.

Compiling and installing libzip

cd
wget https://libzip.org/download/libzip-1.7.1.tar.gz
tar -zxf libzip-1.7.1.tar.gz -C /data/builds
mkdir /data/builds/libzip-1.7.1/build
cd /data/builds/libzip-1.7.1/build
cmake -DCMAKE_INSTALL_PREFIX=/usr ..
make
make install
ldconfig

The library lands under /usr (lib64 and its pkgconfig file), outside the package manager; that is what PHP's --with-zip below finds through pkg-config, and ldconfig refreshes the loader cache so the new libzip.so is picked up.

Installing the packages needed to compile PHP

yum -y install zlib-devel
yum -y install bzip2-devel
yum -y install libcurl-devel
yum -y install libpng-devel
yum -y install libicu-devel libicu
yum -y install openldap-devel cyrus-sasl cyrus-sasl-devel
yum -y install oniguruma-devel oniguruma
yum -y install libxml2-devel xz-devel
yum -y install unixODBC unixODBC-devel

Creating the PHP-FPM user and group

useradd -r php-fpm
usermod -g www -G php-fpm php-fpm

Compiling and installing PHP 7.4.16 with FPM

export PHP_VERSION=7.4.16
cd
mkdir -p /opt/php/php-${PHP_VERSION}
wget https://www.php.net/distributions/php-${PHP_VERSION}.tar.gz
tar -zxf php-${PHP_VERSION}.tar.gz -C /data/builds
cd /data/builds/php-${PHP_VERSION}
./configure \
--prefix=/opt/php/php-${PHP_VERSION} \
--with-config-file-path=/opt/php/php-${PHP_VERSION} \
--disable-all \
--enable-static \
--enable-fpm \
--with-fpm-user=php-fpm \
--with-fpm-group=php-fpm \
--with-fpm-systemd \
--disable-ipv6 \
--enable-cli \
--with-zlib \
--with-bz2 \
--enable-calendar \
--enable-ctype \
--with-curl \
--enable-gd \
--enable-intl \
--with-ldap \
--enable-mbstring \
--enable-pdo \
--with-pdo-mysql \
--enable-shared=pdo-mysql \
--enable-phar \
--with-libxml \
--with-iconv \
--enable-dom \
--enable-filter \
--enable-tokenizer \
--enable-json \
--enable-session \
--enable-xml \
--enable-xmlreader \
--enable-xmlwriter \
--enable-opcache \
--enable-fileinfo \
--enable-simplexml \
--enable-soap \
--enable-ftp \
--with-zip \
--with-pear \
--with-openssl \
--with-libdir=lib64 \
--with-mysqli \
&& make -j"$(nproc)" && make install
cp /opt/php/php-${PHP_VERSION}/etc/php-fpm.conf.default /opt/php/php-${PHP_VERSION}/etc/php-fpm.conf
cp /data/builds/php-${PHP_VERSION}/php.ini-production /opt/php/php-${PHP_VERSION}/php.ini
sed -i -e "s@;error_log = syslog@;error_log = syslog\nerror_log = /data/logs/www/localhost/localhost_php-${PHP_VERSION}.log@g" /opt/php/php-${PHP_VERSION}/php.ini
sed -i -e 's@;sendmail_path =@sendmail_path = "/usr/bin/msmtp -t"@g' /opt/php/php-${PHP_VERSION}/php.ini
sed -i -e 's@;date.timezone =@date.timezone = "Europe/Paris"@g' /opt/php/php-${PHP_VERSION}/php.ini
sed -i -e 's@\[opcache\]@\[opcache\]\nzend_extension='$(grep no-debug-non-zts /opt/php/php-${PHP_VERSION}/bin/php-config|awk -F\' '{print $2}')'/opcache.so@g' /opt/php/php-${PHP_VERSION}/php.ini
sed -i -e 's@;pid = run/php-fpm.pid@;pid = run/php-fpm.pid\npid = run/php-fpm.pid@g' /opt/php/php-${PHP_VERSION}/etc/php-fpm.conf
sed -i -e 's@;error_log = log/php-fpm.log@;error_log = log/php-fpm.log\nerror_log = syslog@g' /opt/php/php-${PHP_VERSION}/etc/php-fpm.conf
/opt/php/php-${PHP_VERSION}/bin/pear config-set php_ini /opt/php/php-${PHP_VERSION}/php.ini system
/opt/php/php-${PHP_VERSION}/bin/pecl config-set php_ini /opt/php/php-${PHP_VERSION}/php.ini system
Pool definition. $pool is a PHP-FPM variable, not a shell one: in an unquoted heredoc it must be escaped (\$pool) or the shell replaces it with nothing, and the socket path must be absolute, since a relative listen path is resolved against php-fpm's working directory:

cat <<EOF >/opt/php/php-${PHP_VERSION}/etc/php-fpm.d/localhost.conf
[localhost]
; Unix socket dedicated to the pool
listen = /opt/php/sockets/php-${PHP_VERSION}_\$pool.sock
listen.owner = php-fpm
listen.group = www
listen.mode = 0660

; Log paths
access.log = /data/logs/www/\$pool/\$pool_php_access.log
slowlog = /data/logs/www/\$pool/\$pool_log.slow
php_admin_value[error_log] = /data/logs/www/\$pool/\$pool_php_error.log
php_admin_flag[log_errors] = on
; https://www.php.net/manual/en/errorfunc.constants.php
php_admin_value[error_reporting] = E_WARNING
php_admin_value[session.save_path] = "/opt/php/sessions/\$pool/"

; php-fpm pool tuning
pm = dynamic
pm.max_children = 5
pm.start_servers = 2
pm.min_spare_servers = 1
pm.max_spare_servers = 3
; these two paths expose pool internals: restrict them to localhost in the Apache vhost
pm.status_path = /php-fpm-status
ping.path = /php-fpm-ping
EOF
mkdir -p /opt/php/sockets
mkdir -p /opt/php/sessions/localhost

Ownership. With the 007 umask set earlier, everything make install created under /opt/php is group-writable. Give the tree to root with read-only access for group www (php-fpm's primary group, so it can read php.ini and the pool files) and hand only the runtime directories to the php-fpm user; if php-fpm owned its own binaries and configuration, a compromised pool process could rewrite them:

chown -R root:www /opt/php
chmod -R g-w /opt/php
chown -R php-fpm:www /opt/php/sockets /opt/php/sessions /opt/php/php-${PHP_VERSION}/var

Systemd unit:

cp /data/builds/php-${PHP_VERSION}/sapi/fpm/php-fpm.service /usr/lib/systemd/system/php-fpm-${PHP_VERSION}.service
sed -i -e 's/\[Service\]/\[Service\]\nUMask=0007\nUser=php-fpm\nGroup=www\nEnvironment="PHP_VERSION='${PHP_VERSION}'"/g' /usr/lib/systemd/system/php-fpm-${PHP_VERSION}.service

The unit shipped with PHP carries sandboxing directives that CentOS 7's systemd 219 does not understand (ProtectKernelModules, ProtectKernelTunables and ProtectControlGroups appeared in systemd 232, RestrictRealtime in 231, RestrictNamespaces in 233); they would only log "Unknown lvalue" warnings, so they are commented out. PrivateTmp, ProtectSystem, PrivateDevices and RestrictAddressFamilies are supported on 219 and stay in place. On a host with a newer systemd, keep all of them.

sed -i -e 's/^ProtectKernelModules/#ProtectKernelModules/g' /usr/lib/systemd/system/php-fpm-${PHP_VERSION}.service
sed -i -e 's/^ProtectKernelTunables/#ProtectKernelTunables/g' /usr/lib/systemd/system/php-fpm-${PHP_VERSION}.service
sed -i -e 's/^ProtectControlGroups/#ProtectControlGroups/g' /usr/lib/systemd/system/php-fpm-${PHP_VERSION}.service
sed -i -e 's/^RestrictRealtime/#RestrictRealtime/g' /usr/lib/systemd/system/php-fpm-${PHP_VERSION}.service
sed -i -e 's/^RestrictNamespaces/#RestrictNamespaces/g' /usr/lib/systemd/system/php-fpm-${PHP_VERSION}.service
chmod o+r /usr/lib/systemd/system/php-fpm-${PHP_VERSION}.service

Applying the changes:

systemctl daemon-reload
systemctl start php-fpm-${PHP_VERSION}.service
systemctl enable php-fpm-${PHP_VERSION}.service

Enabling syntax highlighting for the PHP-FPM configuration files:

sed -i "s@\" yum conf (close enough to dosini)@\" PHP-FPM conf (close enough to dosini)\nau BufNewFile,BufRead php-fpm.conf,*php-fpm.d/*.conf\t\tcall s:StarSetf('dosini')\n\n\" yum conf (close enough to dosini)@g" /usr/share/vim/vim74/filetype.vim

Integrating CacheTool into the PHP binaries (the link target is the install prefix used above, /opt/php/php-${PHP_VERSION}):

ln -s /local/php/cachetool/cachetool-6.5.0.phar /opt/php/php-${PHP_VERSION}/bin/cachetool

Compiling and installing PHP 5.6.40 with FPM

PHP 5.6 has received no security fixes since the end of 2018; keep this build for legacy applications only, in its own pool and socket as below.

cd
mkdir -p /opt/php/php-5.6.40
wget https://www.php.net/distributions/php-5.6.40.tar.gz
tar -zxf php-5.6.40.tar.gz -C /data/builds
cd /data/builds/php-5.6.40
./configure \
--prefix=/opt/php/php-5.6.40 \
--with-config-file-path=/opt/php/php-5.6.40 \
--disable-all \
--enable-static \
--enable-fpm \
--with-fpm-user=php-fpm \
--with-fpm-group=php-fpm \
--with-fpm-systemd \
--disable-ipv6 \
--enable-cli \
--with-zlib \
--with-bz2 \
--enable-calendar \
--enable-ctype \
--with-curl \
--with-gd \
--enable-intl \
--enable-filter \
--enable-hash \
--enable-json \
--with-ldap \
--enable-mbstring \
--enable-pdo \
--with-pdo-mysql \
--with-pdo-odbc=unixODBC,/usr \
--enable-shared=pdo-mysql \
--enable-phar \
--enable-libxml \
--enable-xml \
--enable-xmlreader \
--enable-xmlwriter \
--enable-opcache \
--enable-zip \
--enable-soap \
--with-pear \
--with-openssl \
--with-libdir=lib64 \
--with-mysqli \
--enable-dom \
--with-iconv \
--enable-simplexml \
--enable-tokenizer \
--enable-session \
&& make -j"$(nproc)" && make install
cp /opt/php/php-5.6.40/etc/php-fpm.conf.default /opt/php/php-5.6.40/etc/php-fpm.conf
cp /data/builds/php-5.6.40/php.ini-production /opt/php/php-5.6.40/php.ini
sed -i -e 's@;error_log = syslog@;error_log = syslog\nerror_log = /data/logs/www/localhost/localhost_php-5.6.40.log@g' /opt/php/php-5.6.40/php.ini
sed -i -e 's@;date.timezone =@date.timezone = "Europe/Paris"@g' /opt/php/php-5.6.40/php.ini
sed -i -e 's@\[opcache\]@\[opcache\]\nzend_extension=/opt/php/php-5.6.40/lib/php/extensions/no-debug-non-zts-20131226/opcache.so@g' /opt/php/php-5.6.40/php.ini
/opt/php/php-5.6.40/bin/pear config-set php_ini /opt/php/php-5.6.40/php.ini system
/opt/php/php-5.6.40/bin/pecl config-set php_ini /opt/php/php-5.6.40/php.ini system
Unlike 7.4, the php-fpm.conf shipped with 5.6 does not include a php-fpm.d directory and defines an inline [www] pool listening on 127.0.0.1:9000. Enable the include (the path is relative to the install prefix) and drop the stock pool, otherwise localhost.conf is never read:

mkdir /opt/php/php-5.6.40/etc/php-fpm.d
sed -i -e 's@^;include=etc/fpm.d/\*.conf@include=etc/php-fpm.d/*.conf@' /opt/php/php-5.6.40/etc/php-fpm.conf
sed -i -e '/^\[www\]/,$d' /opt/php/php-5.6.40/etc/php-fpm.conf
echo "[localhost]" >> /opt/php/php-5.6.40/etc/php-fpm.d/localhost.conf
echo "user = php-fpm" >> /opt/php/php-5.6.40/etc/php-fpm.d/localhost.conf
echo "group = php-fpm" >> /opt/php/php-5.6.40/etc/php-fpm.d/localhost.conf
echo "listen = /opt/php/sockets/php-5.6.40_\$pool.sock" >> /opt/php/php-5.6.40/etc/php-fpm.d/localhost.conf
echo "listen.owner = php-fpm" >> /opt/php/php-5.6.40/etc/php-fpm.d/localhost.conf
echo "listen.group = www" >> /opt/php/php-5.6.40/etc/php-fpm.d/localhost.conf
echo "listen.mode = 0660" >> /opt/php/php-5.6.40/etc/php-fpm.d/localhost.conf
echo "pm = dynamic" >> /opt/php/php-5.6.40/etc/php-fpm.d/localhost.conf
echo "pm.max_children = 5" >> /opt/php/php-5.6.40/etc/php-fpm.d/localhost.conf
echo "pm.start_servers = 2" >> /opt/php/php-5.6.40/etc/php-fpm.d/localhost.conf
echo "pm.min_spare_servers = 1" >> /opt/php/php-5.6.40/etc/php-fpm.d/localhost.conf
echo "pm.max_spare_servers = 3" >> /opt/php/php-5.6.40/etc/php-fpm.d/localhost.conf
echo "pm.status_path = /php-fpm-status" >> /opt/php/php-5.6.40/etc/php-fpm.d/localhost.conf
echo "ping.path = /php-fpm-ping" >> /opt/php/php-5.6.40/etc/php-fpm.d/localhost.conf
echo "access.log = /data/logs/www/\$pool/\$pool_php-5.6.40.access.log" >> /opt/php/php-5.6.40/etc/php-fpm.d/localhost.conf
echo "slowlog = /data/logs/www/\$pool/\$pool_php-5.6.40.log.slow" >> /opt/php/php-5.6.40/etc/php-fpm.d/localhost.conf
echo "php_admin_value[error_log] = /data/logs/www/\$pool/\$pool_php-5.6.40.log" >> /opt/php/php-5.6.40/etc/php-fpm.d/localhost.conf
echo "php_admin_flag[log_errors] = on" >> /opt/php/php-5.6.40/etc/php-fpm.d/localhost.conf
echo "php_admin_value[error_reporting] = E_ALL" >> /opt/php/php-5.6.40/etc/php-fpm.d/localhost.conf
echo "php_admin_value[session.save_path] = \"/opt/php/sessions/\$pool/\"" >> /opt/php/php-5.6.40/etc/php-fpm.d/localhost.conf
mkdir -p /opt/php/sockets /opt/php/sessions/localhost
chown -R root:www /opt/php
chmod -R g-w /opt/php
chown -R php-fpm:www /opt/php/sockets /opt/php/sessions /opt/php/php-5.6.40/var
cp /usr/lib/systemd/system/php-fpm-7.4.16.service /usr/lib/systemd/system/php-fpm-5.6.40.service
sed -i -e 's/7\.4\.16/5.6.40/g' /usr/lib/systemd/system/php-fpm-5.6.40.service
chmod o+r /usr/lib/systemd/system/php-fpm-5.6.40.service

The log paths use the /data/logs/www/<pool> directory created for the 7.4 pool (the original /data/logs/<pool> does not exist and would stop php-fpm from starting), and the ownership is handled as for 7.4: root:www with read-only group access, runtime directories to php-fpm. The unit copied from 7.4 already carries the UMask, User, Group and Environment lines; the sed only switches the version in its paths.

The unit copied from 7.4 already has the directives unsupported by systemd 219 commented out (ProtectKernelModules, ProtectKernelTunables, ProtectControlGroups, RestrictRealtime, RestrictNamespaces). For reference, the stock unit file shipped with PHP reads:

# It's not recommended to modify this file in-place, because it
# will be overwritten during upgrades.  If you want to customize,
# the best way is to use the "systemctl edit" command.

[Unit]
Description=The PHP FastCGI Process Manager
After=network.target

[Service]
Type=notify
PIDFile=/opt/php/php-5.6.40/var/run/php-fpm.pid
ExecStart=/opt/php/php-5.6.40/sbin/php-fpm --nodaemonize --fpm-config /opt/php/php-5.6.40/etc/php-fpm.conf
ExecReload=/bin/kill -USR2 $MAINPID

# Set up a new file system namespace and mounts private /tmp and /var/tmp directories
# so this service cannot access the global directories and other processes cannot
# access this service's directories.
PrivateTmp=true

# Mounts the /usr, /boot, and /etc directories read-only for processes invoked by this unit.
ProtectSystem=full

# Sets up a new /dev namespace for the executed processes and only adds API pseudo devices
# such as /dev/null, /dev/zero or /dev/random (as well as the pseudo TTY subsystem) to it,
# but no physical devices such as /dev/sda.
PrivateDevices=true

# Explicit module loading will be denied. This allows to turn off module load and unload
# operations on modular kernels. It is recommended to turn this on for most services that
# do not need special file systems or extra kernel modules to work.
ProtectKernelModules=true

# Kernel variables accessible through /proc/sys, /sys, /proc/sysrq-trigger, /proc/latency_stats,
# /proc/acpi, /proc/timer_stats, /proc/fs and /proc/irq will be made read-only to all processes
# of the unit. Usually, tunable kernel variables should only be written at boot-time, with the
# sysctl.d(5) mechanism. Almost no services need to write to these at runtime; it is hence
# recommended to turn this on for most services.
ProtectKernelTunables=true

# The Linux Control Groups (cgroups(7)) hierarchies accessible through /sys/fs/cgroup will be
# made read-only to all processes of the unit. Except for container managers no services should
# require write access to the control groups hierarchies; it is hence recommended to turn this on
# for most services
ProtectControlGroups=true

# Any attempts to enable realtime scheduling in a process of the unit are refused.
RestrictRealtime=true

# Restricts the set of socket address families accessible to the processes of this unit.
# Protects against vulnerabilities such as CVE-2016-8655
RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK AF_UNIX

# Takes away the ability to create or manage any kind of namespace
RestrictNamespaces=true

[Install]
WantedBy=multi-user.target

Applying the changes:

systemctl daemon-reload
systemctl start php-fpm-5.6.40.service
systemctl enable php-fpm-5.6.40.service

Integrating CacheTool into the PHP binaries (link target under the /opt/php install prefix):

ln -s /local/php/cachetool/cachetool-3.2.2.phar /opt/php/php-5.6.40/bin/cachetool

Installing Webmin

Webmin is installed from its own yum repository (signed with the jcameron key imported below), converted from a SysV init script to a systemd unit, then published under /webmin through the local Apache vhost. Two consequences of the miniserv.conf changes further down deserve attention: ssl=0 turns off Webmin's own TLS, so logins and sessions travel in clear between Apache and miniserv and, unless the vhost in front of it serves HTTPS, between the browser and the host as well; and miniserv still listens on port 10000 on every address (the firewall simply does not open it), so add bind=127.0.0.1 to /etc/webmin/miniserv.conf to keep the unencrypted listener reachable only through the proxy. referer=1 keeps Webmin's referer check, its protection against cross-site request forgery, switched on.

cd
echo "[Webmin]" >> /etc/yum.repos.d/webmin.repo
echo "name=Webmin Distribution Neutral" >> /etc/yum.repos.d/webmin.repo
echo "#baseurl=https://download.webmin.com/download/yum" >> /etc/yum.repos.d/webmin.repo
echo "mirrorlist=https://download.webmin.com/download/yum/mirrorlist" >> /etc/yum.repos.d/webmin.repo
echo "enabled=1" >> /etc/yum.repos.d/webmin.repo
wget https://download.webmin.com/jcameron-key.asc
rpm --import jcameron-key.asc
yum install webmin perl-Authen-PAM
/etc/rc.d/init.d/webmin stop
find /etc -type l -name '*webmin' -exec unlink {} \;
echo "[Unit]" >> /usr/lib/systemd/system/webmin.service
echo "Description=Webmin" >> /usr/lib/systemd/system/webmin.service
echo "Requires=local-fs.target" >> /usr/lib/systemd/system/webmin.service
echo "After=basic.target" >> /usr/lib/systemd/system/webmin.service
echo "Conflicts=shutdown.target" >> /usr/lib/systemd/system/webmin.service
echo "" >> /usr/lib/systemd/system/webmin.service
echo "[Service]" >> /usr/lib/systemd/system/webmin.service
echo "Type=oneshot" >> /usr/lib/systemd/system/webmin.service
echo "RemainAfterExit=yes" >> /usr/lib/systemd/system/webmin.service
echo "ExecStart=/etc/webmin/start" >> /usr/lib/systemd/system/webmin.service
echo "ExecStop=/etc/webmin/stop" >> /usr/lib/systemd/system/webmin.service
echo "ExecReload=/etc/webmin/reload" >> /usr/lib/systemd/system/webmin.service
echo "" >> /usr/lib/systemd/system/webmin.service
echo "[Install]" >> /usr/lib/systemd/system/webmin.service
echo "WantedBy=multi-user.target" >> /usr/lib/systemd/system/webmin.service
chmod o+r /usr/lib/systemd/system/webmin.service
systemctl daemon-reload
sed -i -e 's/ssl=1/ssl=0/g' /etc/webmin/miniserv.conf
sed -i -e 's/ipv6=1/ipv6=0/g' /etc/webmin/miniserv.conf
echo "cookiepath=/webmin" >> /etc/webmin/miniserv.conf
echo "webprefix=/webmin" >> /etc/webmin/config
echo "webprefixnoredir=1" >> /etc/webmin/config
echo "referer=1" >> /etc/webmin/config
systemctl start webmin.service
systemctl enable webmin.service
Add the lines below to the local vhost configuration /opt/httpd/conf/vhosts/$(hostname -s).conf:

	# Webmin configuration
	ProxyPass /webmin http://localhost:10000
	ProxyPassReverse /webmin http://localhost:10000
	# End of Webmin configuration

Then reload the web server through its unit (ExecReload runs httpd -k graceful, so this also works in a shell where /opt/httpd/current/bin is not yet in PATH):

systemctl reload http.service
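
The vhost directory is wired into httpd.conf above (IncludeOptional /opt/httpd/conf/vhosts/*.conf) but no vhost file is shown on the page, and the Webmin lines above are meant to go into one. The following is an added example, not the page's own configuration: a shell function that writes a complete vhost for a host name, connects it to the matching PHP-FPM pool socket from the pool definitions above, restricts the pool's status and ping paths and mod_status to the loopback address, and carries the Webmin reverse proxy; a second function checks a vhost file for that restriction before a reload. /data/www/<servername> as DocumentRoot, the function names and the pool-equals-servername default are assumptions of this example.

```bash
#!/bin/bash
# Added example: write the per-host vhost that the IncludeOptional line in
# httpd.conf picks up. It connects the vhost to the matching PHP-FPM pool socket,
# limits the pool's status/ping paths and mod_status to the loopback address and
# carries the Webmin reverse-proxy lines from this section. DocumentRoot under
# /data/www/<servername> and the function names are assumptions of this example.

# write_vhost FILE SERVERNAME PHP_VERSION [POOL]
# POOL (default: SERVERNAME) must equal the [pool] name in php-fpm.d, because the
# socket path is derived from it; log paths follow the page's /data/logs/www layout.
write_vhost() {
    local file=$1 servername=$2 phpver=$3 pool=${4:-$2}
    local sock="/opt/php/sockets/php-${phpver}_${pool}.sock"
    cat >"$file" <<EOF
<VirtualHost *:80>
    ServerName ${servername}
    DocumentRoot /data/www/${servername}
    ErrorLog  /data/logs/www/${servername}/${servername}_http_error.log
    CustomLog /data/logs/www/${servername}/${servername}_http_access.log combined

    <Directory /data/www/${servername}>
        Options -Indexes +FollowSymLinks
        AllowOverride None
        Require all granted
    </Directory>

    # PHP scripts are handed to the FPM pool over its Unix socket: httpd workers
    # run in group www and the socket is created 0660 php-fpm:www.
    <FilesMatch "\.php\$">
        SetHandler "proxy:unix:${sock}|fcgi://localhost/"
    </FilesMatch>

    # pm.status_path and ping.path expose pool internals: loopback only.
    <LocationMatch "^/(php-fpm-status|php-fpm-ping)\$">
        Require ip 127.0.0.1
        SetHandler "proxy:unix:${sock}|fcgi://localhost/"
    </LocationMatch>

    # mod_status is compiled in statically; same restriction.
    <Location /server-status>
        SetHandler server-status
        Require ip 127.0.0.1
    </Location>

    # Webmin configuration (miniserv has ssl=0: keep it behind this proxy)
    ProxyPass /webmin http://localhost:10000
    ProxyPassReverse /webmin http://localhost:10000
    # End of Webmin configuration
</VirtualHost>
EOF
}

# vhost_status_is_local FILE
# Pre-reload check: every <Location>/<LocationMatch> block naming a status or
# ping path must contain "Require ip 127.0.0.1". Returns 1 when one does not,
# or when the file defines no such block at all.
vhost_status_is_local() {
    awk '
        /<Location(Match)? .*(status|ping)/ { inblk = 1; seen = 0; blocks++ }
        inblk && /Require ip 127\.0\.0\.1/   { seen = 1 }
        inblk && /<\/Location(Match)?>/      { inblk = 0; if (!seen) bad++ }
        END { if (blocks > 0 && bad == 0) exit 0; exit 1 }
    ' "$1"
}

# Usage on this host (pool "localhost" is the one defined above):
# write_vhost /opt/httpd/conf/vhosts/$(hostname -s).conf "$(hostname -s)" 7.4.16 localhost
# vhost_status_is_local /opt/httpd/conf/vhosts/$(hostname -s).conf && /opt/httpd/current/bin/httpd -t && systemctl reload http.service
```

Run httpd -t after writing the file and only then reload; the status check is cheap enough to run from a deploy script before every reload, which is the moment a forgotten Require line would otherwise expose /php-fpm-status to the network.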

Shinken configuration

useradd shinken -U -d /home/shinken -m
passwd shinken
mkdir /home/shinken/.ssh
chmod 700 /home/shinken/.ssh
echo "ssh-rsa xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx yyyyyyyyy@oneserver.mydomain.local" >> /home/shinken/.ssh/authorized_keys
echo "ssh-rsa xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx yyyyyyyyy@anotherserver.mydomain.local" >> /home/shinken/.ssh/authorized_keys
chmod 600 /home/shinken/.ssh/authorized_keys
chown -R shinken:shinken /home/shinken/.ssh

The two public keys belong to the monitoring servers that run checks over SSH. As written they are unrestricted: whoever holds either private key gets a full shell as shinken from any address. Prefix each line with from="<monitoring host>" and restrict so that a stolen key is only usable from the host it belongs to and cannot open a pty or forward ports, and skip passwd if the account is only ever reached by key.
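
The authorized_keys lines above are installed bare. The helper below is an added example, not part of the page: it validates a public key line, writes it with from= and restrict options so the key only works from the monitoring host it belongs to and cannot open a pty or forward anything, skips duplicates, creates the file with 600 permissions, and counts keys that remain unrestricted. The keys in the test are constructed (the base64 is not real key material); the assumption is that Shinken's SSH checks run plain commands without a tty, and the function names are mine.

```bash
#!/bin/bash
# Added example: install monitoring keys with per-key restrictions instead of
# bare "ssh-rsa ..." lines. from= pins the key to the host that may use it and
# restrict (OpenSSH >= 7.2; CentOS 7 ships 7.4) removes pty allocation and all
# forwarding. Assumes the checks run plain commands with no tty. Function names
# are assumptions of this example.

# valid_pubkey LINE
# Accepts "<type> <base64> [comment]" for the key types OpenSSH on CentOS 7 supports;
# a comment containing spaces is rejected on purpose.
valid_pubkey() {
    printf '%s\n' "$1" | grep -Eq '^(ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=* ?[^ ]*$'
}

# add_restricted_key AUTHORIZED_KEYS FROM_PATTERN PUBKEY_LINE
# Appends 'from="FROM",restrict PUBKEY' unless the same key material is already
# present; creates the file 0600 if missing. Returns 1 on a malformed key.
add_restricted_key() {
    local file=$1 from=$2 key=$3 material
    if ! valid_pubkey "$key"; then
        echo "rejected malformed key line" >&2
        return 1
    fi
    material=$(printf '%s\n' "$key" | awk '{print $2}')
    # Create the file in a subshell so the restrictive umask does not leak out.
    [ -e "$file" ] || ( umask 077; : >"$file" )
    if grep -Fq -- " $material" "$file"; then
        echo "key already present, skipping" >&2
        return 0
    fi
    printf 'from="%s",restrict %s\n' "$from" "$key" >>"$file"
}

# unrestricted_keys FILE -> prints how many lines start directly with a key type,
# i.e. carry no options at all (the form used by the echo lines above).
unrestricted_keys() {
    grep -Ec '^(ssh-|ecdsa-)' "$1" || true
}

# Usage on this host:
# add_restricted_key /home/shinken/.ssh/authorized_keys oneserver.mydomain.local "ssh-rsa AAAA... yyyyyyyyy@oneserver.mydomain.local"
# add_restricted_key /home/shinken/.ssh/authorized_keys anotherserver.mydomain.local "ssh-rsa AAAA... yyyyyyyyy@anotherserver.mydomain.local"
# unrestricted_keys /home/shinken/.ssh/authorized_keys   # should print 0
```

from= accepts host name patterns and CIDR blocks; use the address form if the monitoring servers are not resolvable by reverse DNS from this host, since sshd matches the pattern against both the resolved name and the IP. The chown -R shinken:shinken step above still applies after the file is written.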

Installing Oracle Instant Client

gpg prints the key's fingerprint; compare it with the fingerprint Oracle publishes before importing it, since every package from the ol7 repositories enabled below will be accepted under that key.

wget https://yum.oracle.com/RPM-GPG-KEY-oracle-ol7 -O /etc/pki/rpm-gpg/RPM-GPG-KEY-oracle
gpg --quiet --with-fingerprint /etc/pki/rpm-gpg/RPM-GPG-KEY-oracle
rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-oracle
echo "[ol7_latest]" >> /etc/yum.repos.d/ol7-temp.repo
echo "name=Oracle Linux \$releasever Latest (\$basearch)" >> /etc/yum.repos.d/ol7-temp.repo
echo "baseurl=https://yum.oracle.com/repo/OracleLinux/OL7/latest/\$basearch/" >> /etc/yum.repos.d/ol7-temp.repo
echo "gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-oracle" >> /etc/yum.repos.d/ol7-temp.repo
echo "gpgcheck=1" >> /etc/yum.repos.d/ol7-temp.repo
echo "enabled=1" >> /etc/yum.repos.d/ol7-temp.repo
yum install oraclelinux-release-el7
mv /etc/yum.repos.d/ol7-temp.repo /etc/yum.repos.d/ol7-temp.repo.disabled
yum install oracle-release-el7
yum install oracle-instantclient19.6
mv /etc/yum.repos.d/oracle-linux-ol7.repo{,.disabled}
mv /etc/yum.repos.d/oracle-ol7.repo{,.disabled}
mv /etc/yum.repos.d/uek-ol7.repo{,.disabled}
rm -rf /var/cache/yum/x86_64/7/ol7_*
yum clean all
yum makecache

Installing the oci8 extension for PHP 7.4.16

/opt/php/php-${PHP_VERSION}/bin/pecl channel-update pecl.php.net
/opt/php/php-${PHP_VERSION}/bin/pecl install oci8

pecl builds a shared module; it is only loaded once an extension=oci8.so line is added to /opt/php/php-${PHP_VERSION}/php.ini and the pool restarted (systemctl restart php-fpm-${PHP_VERSION}.service).

Installing the oci8 extension for PHP 5.6.40

/opt/php/php-5.6.40/bin/pecl channel-update pecl.php.net
/opt/php/php-5.6.40/bin/pecl install oci8-2.0.12

Installing the ODBC driver for MSSQL

curl https://packages.microsoft.com/config/rhel/7/prod.repo > /etc/yum.repos.d/mssql-release.repo
ACCEPT_EULA=Y yum install msodbcsql17

Installing the pdo_sqlsrv extension for PHP 7.4.16

/opt/php/php-${PHP_VERSION}/bin/pecl install pdo_sqlsrv

As for oci8, the module must then be enabled with extension=pdo_sqlsrv.so in php.ini and the pool restarted.

The set_php_version program

Contents of /opt/php/set_php_version:

#!/bin/bash
# This program must be sourced so that it can modify PATH:
# . set_php_version
declare -A versions
declare -A bin_dirs

get_bin_dirs() {
	i=1
	for bin_dir in $(find /opt/php -type d -name bin 2> /dev/null);
	do
		# Skip bin directories that do not hold a php binary
		[ -x "$bin_dir/php" ] || continue
		version="$($bin_dir/php -v|head -1|awk '{print $2}')"
		versions[$i]=$version
		bin_dirs[$version]=$bin_dir
		((i++))
	done
}

pathremove () {
	local IFS=':'
	local NEWPATH
	local DIR
	local PATHVARIABLE=${2:-PATH}
	for DIR in ${!PATHVARIABLE} ; do
		if [ "$DIR" != "$1" ] ; then
			NEWPATH=${NEWPATH:+$NEWPATH:}$DIR
		fi
	done
	export ${PATHVARIABLE}="$NEWPATH"
}

pathprepend () {
	pathremove "$1" "$2"
	local PATHVARIABLE=${2:-PATH}
	export $PATHVARIABLE="$1${!PATHVARIABLE:+:${!PATHVARIABLE}}"
}

pathappend () {
	pathremove "$1" "$2"
	local PATHVARIABLE=${2:-PATH}
	export $PATHVARIABLE="${!PATHVARIABLE:+${!PATHVARIABLE}:}$1"
}


if [ "$#" -eq 0 ];
then
	## Collect the directories holding the PHP binaries
	#########################
	get_bin_dirs

	## PHP version choice
	#########################
	echo -e "Please choose the PHP version to use:\n"
	i=1

	# Walk the version table
	for iversion in "${!versions[@]}"
	do
		# Print a numbered list of the versions
		echo "$i)  ${versions[${i}]}"
		((i++))
	done
	echo ""
	read -p "Choice: " version_choice
	echo ""

	if [[ $version_choice != "" ]]
	then
		# The version can be chosen by its number
		if [[ $version_choice =~ ^[[:digit:]]+$ ]]
		then
			if [[ ! -z ${versions[$version_choice]} ]]
			then
				str_bindir=${bin_dirs[${versions[$version_choice]}]}
				str_version=${versions[$version_choice]}
			fi
		# Or directly by its version string
		elif [[ ! -z ${bin_dirs[$version_choice]} ]]
		then
			str_bindir=${bin_dirs[$version_choice]}
			str_version=${version_choice}
		fi
	fi
elif [ "$#" -eq 1 ];
then
	## Collect the directories holding the PHP binaries
	#########################
	get_bin_dirs

	if [[ ! -z ${bin_dirs[$1]} ]]
	then
		str_bindir=${bin_dirs[$1]}
		str_version=$1
	elif [[ $1 == "reset" ]]
	then
		echo "Resetting PATH without the PHP binaries"
		for dir in ${bin_dirs[*]}
		do
			pathremove "${dir}"
		done
		if [[ ! -z $oldPS1 ]]
		then
			PS1=$oldPS1
			unset oldPS1
		else
			PS1="[\u@\h \W]\\$ "
		fi
	fi
else
	echo "Expected number of parameters: 1"
fi

if [[ -z $str_bindir ]]
then
	if [[ $1 != "reset" ]]
	then
		echo "Invalid version choice!"
		get_bin_dirs
		echo "Available versions: "${!bin_dirs[*]}
	fi
else
	echo -e "PHP version: $str_version. Path: $str_bindir"
	echo -e "To remove the PHP binaries from PATH, run \"set_php_version reset\""
	for dir in ${bin_dirs[*]}
	do
		pathremove "${dir}"
	done

	pathprepend ${str_bindir}

	if [[ -z $oldPS1 ]]
	then
		oldPS1=$PS1
	fi
	export PS1="[\u@\h \W|\[\033[0;31m\]PHP ${str_version}\[\033[0m\]]\\$ "
fi

unset version versions str_bindir bin_dir bin_dirs pathremove pathprepend pathappend get_bin_dirs version_choice str_version

Changing the access rights

chmod 555 /opt/php/set_php_version

Adding the alias to the default profile:

echo "alias set_php_version='. /opt/php/set_php_version'" >> /etc/profile.d/sh.local

Installing Zabbix

Installing the agent

rpm --import https://repo.zabbix.com/RPM-GPG-KEY-ZABBIX-A14FE591
rpm -Uvh https://repo.zabbix.com/zabbix/4.4/rhel/7/x86_64/zabbix-release-4.4-1.el7.noarch.rpm
yum install zabbix-agent
sed -i -e 's/Server=127.0.0.1/Server=myzabbixserver/g' -e 's/ServerActive=127.0.0.1/ServerActive=myzabbixserver/g' -e "s/Hostname=Zabbix server/Hostname=$(hostname -s)/g" -e 's@PidFile=/var/run/zabbix/zabbix_agentd.pid@PidFile=/run/zabbix/zabbix_agentd.pid@g' /etc/zabbix/zabbix_agentd.conf

The signing key is imported first (with --import, not -import) so that rpm can verify the release package's signature, and the Hostname expression is double-quoted so that $(hostname -s) is actually expanded rather than written literally into the configuration.

Adding the service to the firewall

firewall-cmd --permanent --new-service=zabbixclient
firewall-cmd --permanent --service=zabbixclient --set-description="Zabbix Client Service"
firewall-cmd --permanent --service=zabbixclient --set-short=zabbixclient
firewall-cmd --permanent --service=zabbixclient --add-port=10050/tcp
firewall-cmd --reload

Installing the PHP-FPM template

Installing the prerequisites:

yum -y install grep gawk lsof jq fcgi unzip bc

Downloading the latest release:

curl -L "$(curl -s https://api.github.com/repos/rvalitov/zabbix-php-fpm/releases/latest | grep 'zipball_' | cut -d\" -f4)" --output /tmp/zabbix-php-fpm.zip

Extracting the files:

unzip -j /tmp/zabbix-php-fpm.zip "*/zabbix/*" "*/ispconfig/*" -d /tmp/zabbix-php-fpm

Copying the files into the Zabbix configuration:

cp /tmp/zabbix-php-fpm/userparameter_php_fpm.conf $(find /etc/zabbix/ -name zabbix_agentd*.d -type d | head -n1)
cp /tmp/zabbix-php-fpm/zabbix_php_fpm_discovery.sh /etc/zabbix/
cp /tmp/zabbix-php-fpm/zabbix_php_fpm_status.sh /etc/zabbix/

Granting execute permission on the scripts:

chown zabbix /etc/zabbix/zabbix_agentd.d/userparameter_php_fpm.conf
chmod +x /etc/zabbix/zabbix_php_fpm_discovery.sh
chmod +x /etc/zabbix/zabbix_php_fpm_status.sh

Adding the rights Zabbix needs in sudoers:

echo 'zabbix ALL = NOPASSWD: /etc/zabbix/zabbix_php_fpm_discovery.sh,/etc/zabbix/zabbix_php_fpm_status.sh' | EDITOR='tee -a' visudo -f /etc/sudoers.d/sudo_zabbix

The two scripts now run as root whenever the zabbix user asks. They were copied by root and keep root ownership; make sure that stays so and that neither the scripts nor /etc/zabbix is writable by zabbix (the chown above deliberately covers only the userparameter file), otherwise the agent account could edit what sudo executes as root. The same applies to the "latest" zip: read the scripts before granting them sudo, and pin a release for repeatable builds.

Raising the per-socket connection backlog on the server:

echo "net.core.somaxconn=1024" | tee -a /etc/sysctl.conf
sysctl -p

Removing the temporary files:

rm /tmp/zabbix-php-fpm.zip
rm -rf /tmp/zabbix-php-fpm
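
The sudoers rule above lets the zabbix user run two scripts as root without a password, which makes their ownership and permissions part of the host's privilege boundary. The following helper is an added example, not part of the page or of the zabbix-php-fpm project: it parses the one-line NOPASSWD form used above and checks that every target exists, belongs to the expected owner (root by default) and is writable by nobody else, its parent directory included. Function names are assumptions of this example.

```bash
#!/bin/bash
# Added example: audit the NOPASSWD targets granted to the zabbix user.
# sudo runs those scripts as root, so any target that a non-root user can
# modify, or replace through a writable parent directory, is a privilege
# escalation path. Parses the one-line form used on this page:
#   user ALL = NOPASSWD: /path/a,/path/b
# Function names are assumptions of this example.

# sudo_targets SUDOERS_FILE
# Prints one command path per line from every "NOPASSWD:" entry (arguments
# following a path are dropped: only the executable is audited).
sudo_targets() {
    sed -n 's/.*NOPASSWD:[[:space:]]*//p' "$1" \
        | tr ',' '\n' \
        | sed 's/^[[:space:]]*//; s/[[:space:]].*$//' \
        | grep -v '^$' || true
}

# writable_by_others MODE -> 0 if the octal MODE has the group or other write bit set
writable_by_others() {
    [ $(( 0$1 & 022 )) -ne 0 ]
}

# audit_sudo_targets SUDOERS_FILE [EXPECTED_OWNER]
# Returns 0 when every target exists, is owned by EXPECTED_OWNER (default root)
# and neither it nor its directory is group/world-writable; prints each finding
# on stderr and returns 1 otherwise.
audit_sudo_targets() {
    local file=$1 owner=${2:-root} rc=0 list path fowner mode dir dmode
    list=$(mktemp) || return 1
    sudo_targets "$file" > "$list"
    while IFS= read -r path; do
        if [ ! -e "$path" ]; then
            echo "MISSING   $path" >&2; rc=1; continue
        fi
        fowner=$(stat -c '%U' "$path")
        mode=$(stat -c '%a' "$path")
        if [ "$fowner" != "$owner" ]; then
            echo "OWNER     $path belongs to $fowner, expected $owner" >&2; rc=1
        fi
        if writable_by_others "$mode"; then
            echo "WRITABLE  $path has mode $mode" >&2; rc=1
        fi
        # Any group/world-writable parent (sticky /tmp included) is refused:
        # a sudo target should live in a root-only directory.
        dir=$(dirname "$path")
        dmode=$(stat -c '%a' "$dir")
        if writable_by_others "$dmode"; then
            echo "PARENT    $dir has mode $dmode, $path could be replaced" >&2; rc=1
        fi
    done < "$list"
    rm -f "$list"
    return $rc
}

# Usage on this host:
# audit_sudo_targets /etc/sudoers.d/sudo_zabbix || echo "fix before trusting the Zabbix sudo rule"
```

Run it after every update of the zabbix-php-fpm scripts; it is also a reasonable thing to schedule from the root crontab, since a later chmod or chown on /etc/zabbix is exactly the kind of drift that turns a monitoring account into a root account.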

Adding the cachetool utility

For PHP 7

curl -sLO https://github.com/gordalina/cachetool/releases/latest/download/cachetool.phar
chmod o+rx cachetool.phar
mv cachetool.phar /usr/local/bin/cachetool

For PHP 5

curl -sLO https://gordalina.github.io/cachetool/downloads/cachetool-3.2.2.phar
chmod o+rx cachetool-3.2.2.phar
mv cachetool-3.2.2.phar /usr/local/bin/cachetool_for_PHP5

These are system-wide copies of the phars already installed under /local/php/cachetool and linked into each PHP's bin directory; the PHP 7 one follows "latest", so unlike the earlier copy it is not pinned.

MySQL

Adding the MySQL repository

The release package is fetched straight from dev.mysql.com and its own signature is not checked at that point; it installs the MySQL GPG key and repository files with gpgcheck enabled, so the packages installed afterwards are signature-checked.

yum -y install https://dev.mysql.com/get/mysql80-community-release-el7-3.noarch.rpm
yum makecache
yum-config-manager --disable mysql80-community
yum-config-manager --enable mysql57-community
yum makecache

Installing MySQL

yum -y install mysql-community-server

Configuring MySQL

Creating the directories for the logs and the databases:

mkdir -p /data/{mysql,logs}
chown mysql:mysql /data/mysql
chmod 770 /data/logs

Customising the MySQL configuration:

sed -i -e 's@datadir=/var/lib/mysql@datadir=/data/mysql@g' -e 's@log-error=/var/log/mysqld.log@log-error=/data/logs/mysqld.log@g' /etc/my.cnf
echo "explicit_defaults_for_timestamp=1" >> /etc/my.cnf
echo "skip-ssl=1" >> /etc/my.cnf
echo "bind_address=0.0.0.0" >> /etc/my.cnf
echo "skip-name-resolve=1" >> /etc/my.cnf
echo "query_cache_size=0" >> /etc/my.cnf
echo "innodb_log_file_size=16777216" >> /etc/my.cnf
echo "character-set-server=utf8mb4" >> /etc/my.cnf
echo "collation-server=utf8mb4_general_ci" >> /etc/my.cnf

The server character set and collation must belong to the same character set: utf8 with utf8mb4_general_ci makes mysqld abort at startup with "COLLATION 'utf8mb4_general_ci' is not valid for CHARACTER SET 'utf8'", hence utf8mb4 for both. Two of these settings are security trade-offs: skip-ssl disables TLS, and bind_address=0.0.0.0 together with the firewall rule below exposes the listener on every interface, so the phpMyAdmin and monitoring logins defined further down travel in clear over the network. Restrict the mysql firewall service to the phpMyAdmin host's address, or keep TLS on, if the network between them is not trusted.

Opening the MySQL port in the firewall:

firewall-cmd --add-service=mysql
firewall-cmd --add-service=mysql --permanent

Starting MySQL and resetting its root password:

systemctl start mysqld
export MYSQL_PWD=$(grep 'temporary password' /data/logs/mysqld.log | awk '{print $NF}')
export MYSQL_NEW_PWD="xxxxxxxxxxxxx"
mysql --connect-expired-password -uroot -e "ALTER USER 'root'@'localhost' IDENTIFIED BY '$MYSQL_NEW_PWD';"

Passing the password through MYSQL_PWD keeps it off the command line (and out of ps output), but it stays in this shell's environment and the export line lands in the bash history, which is why both are cleared at the end of the page.

Adding the operating accounts:

export MYSQL_PWD=$MYSQL_NEW_PWD
mysql -uroot -e "UNINSTALL PLUGIN validate_password;"
mysql -uroot -e "GRANT ALL PRIVILEGES ON *.* TO 'pma_user'@'172.19.0.71' IDENTIFIED BY 'xxxxxxxxxxxxx' WITH GRANT OPTION;"
mysql -uroot -e "GRANT SELECT, INSERT, UPDATE, DELETE ON phpmyadmin.* TO 'pma_controluser_user'@'172.19.0.71' IDENTIFIED BY 'xxxxxxxxxxxxx';"
mysql -uroot -e "GRANT USAGE,REPLICATION CLIENT,PROCESS,SHOW DATABASES,SHOW VIEW ON *.* TO 'zbx_monitor'@'localhost' IDENTIFIED BY 'xxxxxxxxxxxxx';"

Uninstalling validate_password removes the password-strength policy for every account created from then on; if it is kept, the passwords here must satisfy the default MEDIUM policy. pma_user is a full administrator with GRANT OPTION, reachable only from the phpMyAdmin host, while the control user and the Zabbix monitoring account are limited to what they need.

Adding the tables for phpMyAdmin configuration storage:

wget -q https://raw.githubusercontent.com/phpmyadmin/phpmyadmin/RELEASE_4_9_4/sql/create_tables.sql
mysql -uroot < create_tables.sql
rm -f create_tables.sql

Adding the mysqltuner tool

yum -y install perl-Data-Dumper
wget http://mysqltuner.pl/ -O /usr/bin/mysqltuner
chmod u+x /usr/bin/mysqltuner

This downloads a Perl script over plain HTTP and installs it into /usr/bin to be run as root against the database: fetch it over HTTPS from the project's repository instead (the mysqltuner.pl address redirects there) and read it before the first run; /usr/local/bin is the usual place for files not managed by rpm.


Zabbix: installing the MySQL template

mkdir -p $(grep zabbix /etc/passwd|awk -F: '{print $6}')
chown zabbix:zabbix $(grep zabbix /etc/passwd|awk -F: '{print $6}')
sudo -u zabbix mysql_config_editor set --user=zbx_monitor
echo "MYSQL_PWD=xxxxxxxxxxxxxxxx" >> /etc/sysconfig/zabbix-agent
wget -q https://git.zabbix.com/projects/ZBX/repos/zabbix/raw/templates/db/mysql_agent/template_db_mysql.conf?at=refs%2Fheads%2Fmaster -O /etc/zabbix/zabbix_agentd.d/template_db_mysql.conf
chmod o+r /etc/zabbix/zabbix_agentd.d/template_db_mysql.conf

/etc/sysconfig/zabbix-agent is read by systemd as root (EnvironmentFile in the agent's unit), so once it carries the zbx_monitor password it can and should be mode 600 and root-owned; left world-readable, every local account can read the password. The template's user parameters are pulled from the master branch; take them from the branch matching the installed agent (release/4.4) so that the item keys match the template imported on the server.

Removing sensitive information

Bash writes its history when the session ends, so truncating the file alone would not remove the commands typed in this session (including the exported passwords above); clear the in-memory history and the environment as well:

unset MYSQL_PWD MYSQL_NEW_PWD
history -c
>/root/.bash_history