Post-installation

De Wiki de Jordan LE NUFF
Sauter à la navigation Sauter à la recherche
 
(34 révisions intermédiaires par le même utilisateur non affichées)
Ligne 1 : Ligne 1 :
Page à l'état de brouillon
+
=== Ajout de l'autorité de certification interne ===
 +
Initialisation des certificats d'autorité racine :
 +
update-ca-trust enable
 +
 
 +
Dépôt du certificat de l'autorité de certification de l'entreprise dans le dossier <code>/etc/pki/ca-trust/source/anchors</code>
 +
 
 +
Import du certificat précédemment déposé avec la commande :
 +
update-ca-trust extract
 +
 
 +
=== Ajout du dépôt EPEL ===
 
<pre>
 
<pre>
 +
yum -y install epel-release
 
yum makecache
 
yum makecache
yum update
+
yum -y update
yum install yum-utils bind-utils yum-cron wget bash-completion
+
yum -y install yum-utils bind-utils yum-cron wget bash-completion lsof nmon net-tools dos2unix deltarpm vim sg3_utils open-vm-tools sysstat samba-client samba zip
# Umask hardening
+
init 6
sed -i -e 's/umask 022/umask 027/g' -e 's/umask 002/umask 027/g' /etc/bashrc
+
</pre>
sed -i -e 's/umask 022/umask 027/g' -e 's/umask 002/umask 027/g' /etc/csh.cshrc
+
 
sed -i -e 's/umask 022/umask 027/g' -e 's/umask 002/umask 027/g' /etc/profile
+
===Préparation de la configuration Samba===
sed -i -e 's/umask 022/umask 027/g' -e 's/umask 002/umask 027/g' /etc/init.d/functions
+
cp /etc/samba/smb.conf /etc/samba/smb.conf.default
# Driver unused
+
sed -i -e 's/^\([^#].*\)/#\1/g' /etc/samba/smb.conf
yum remove alsa-* ivtv-* iwl*firmware aic94xx-firmware
+
sed -i -e 's/^#\[global\]/[global]\n\tguest account = www\n\tmap to guest = Bad User/' /etc/samba/smb.conf
# Disable radio
+
 
nmcli radio all off
+
===Modification du umask===
# Disable IPv6
+
<pre>
 +
sed -i -e 's/umask 022/umask 007/g' -e 's/umask 002/umask 007/g' /etc/bashrc
 +
sed -i -e 's/umask 022/umask 007/g' -e 's/umask 002/umask 007/g' /etc/csh.cshrc
 +
sed -i -e 's/umask 022/umask 007/g' -e 's/umask 002/umask 007/g' /etc/profile
 +
sed -i -e 's/umask 022/umask 007/g' -e 's/umask 002/umask 007/g' /etc/init.d/functions
 +
sed -i -e 's@Subsystem\tsftp\t/usr/libexec/openssh/sftp-server@\#Subsystem\tsftp\t/usr/libexec/openssh/sftp-server\nSubsystem\tsftp\tinternal-sftp -u 0007@g' /etc/ssh/sshd_config
 +
systemctl restart sshd
 +
</pre>
 +
Modification du umask par défaut pour la crontab
 +
<pre>
 +
SYSTEMD_EDITOR=tee systemctl edit crond.service <<EOF
 +
[Service]
 +
UMask=0007
 +
EOF
 +
systemctl reload crond
 +
</pre>
 +
 
 +
===Suppression des pilotes inutiles===
 +
yum -y remove alsa-* ivtv-* iwl*firmware aic94xx-firmware
 +
 
 +
===Désactivation de la wifi===
 +
nmcli radio all off
 +
 
 +
===Désactivation de l'IPv6===
 +
<pre>
 
echo "NETWORKING_IPV6=no" >> /etc/sysconfig/network
 
echo "NETWORKING_IPV6=no" >> /etc/sysconfig/network
 
echo "IPV6INIT=no" >> /etc/sysconfig/network
 
echo "IPV6INIT=no" >> /etc/sysconfig/network
# Disable SELINUX
+
echo "net.ipv6.conf.all.disable_ipv6 = 1" >> /etc/sysctl.conf
setenforce 0
+
echo "net.ipv6.conf.default.disable_ipv6 = 1" >> /etc/sysctl.conf
sed -i -e 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/selinux/config
+
sysctl -p
# Delete unused users
+
sed -i 's/#AddressFamily any/AddressFamily inet/g' /etc/ssh/sshd_config
 +
systemctl restart sshd
 +
sed -i 's/OPTIONS=""/OPTIONS="-4"/g' /etc/sysconfig/chronyd
 +
systemctl restart chronyd
 +
</pre>
 +
 
 +
===Désactivation du selinux===
 +
setenforce 0
 +
sed -i -e 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/selinux/config
 +
 
 +
===Changement du port SSH===
 +
sed -i 's@#Port 22@Port 22\nPort XXXXX@g' /etc/ssh/sshd_config
 +
systemctl restart sshd
 +
firewall-cmd --permanent --service=ssh --add-port=XXXXX/tcp
 +
firewall-cmd --reload
 +
 
 +
===Suppression des utilisateurs inutiles===
 +
<pre>
 
userdel -r adm
 
userdel -r adm
 
userdel -r ftp
 
userdel -r ftp
Ligne 25 : Ligne 76 :
 
userdel -r lp
 
userdel -r lp
 
groupdel games
 
groupdel games
# Augmenter l'historique des commandes de 1000 à 5000 lignes
+
</pre>
sed -i 's/HISTSIZE=.*/HISTSIZE=5000/g' /etc/profile
 
# Ajout du dépôt EPEL
 
yum -y install epel-release
 
yum makecache
 
# Ajout de l'option "clean_requirements_on_remove=1" pour supprimer automatiquement les dépendances non-utilisées lors de la désinstallation d'un paquet
 
yum-config-manager --setopt=clean_requirements_on_remove=1 --save
 
# Installation de msmtp
 
yum install msmtp mailx
 
vi /etc/msmtprc
 
# If it exists, it usually defines a default account.
 
# This allows msmtp to be used like /usr/sbin/sendmail.
 
account default
 
  
# The SMTP smarthost
+
===Augmenter l'historique des commandes de 1000 à 5000 lignes===
host smtp.groupegdb.local
+
sed -i 's/HISTSIZE=.*/HISTSIZE=5000/g' /etc/profile
  
# Use TLS on port 465
+
===Ajout de l'option "clean_requirements_on_remove=1" pour supprimer automatiquement les dépendances non-utilisées lors de la désinstallation d'un paquet===
port 25
+
yum-config-manager --setopt=clean_requirements_on_remove=1 --save
tls off
 
tls_starttls off
 
  
# Construct envelope-from addresses of the form "user@oursite.example"
+
===Installation de msmtp===
from %U@%H
+
<pre>
 +
yum -y install msmtp mailx
 +
/etc/msmtprc
 +
chmod o+r /etc/msmtprc
 +
</pre>
  
# Syslog logging with facility LOG_MAIL instead of the default LOG_USER
+
===Paramétrage NTP===
syslog LOG_MAIL
+
yum -y install ntpdate && ntpdate ntp.myntpserver.com && systemctl enable ntpdate.service
 +
 
 +
===Ajout d'alias complémentaires===
 +
<pre>
 +
echo "alias vi='vim'" >> /etc/profile.d/sh.local
 +
sed -i "8 i alias ll='ls -al --color=auto'" .bashrc
 +
</pre>
  
mkdir -p /local/exploit
+
===Préparation à la compilation===
scp -r 172.18.20.177:/home/tools/bin /local/exploit
+
mkdir -p /data/builds
echo "export PATH=\$PATH:/local/exploit/bin" >> /etc/profile.d/sh.local
+
yum install -y gcc glibc-devel glibc-headers kernel-headers libmpc mpfr autoconf
 +
yum install -y pcre-devel
 +
yum install -y expat-devel
 +
yum install -y systemd-devel
  
mkdir /local/builds
+
===Ajout du groupe www et des dossiers /data/www /data/logs et /data/build ===
yum install gcc
+
useradd www -m
glibc-devel   
+
  mkdir -p /data/{www,logs,builds}
glibc-headers  
+
chown www:www /data/{www,logs}
kernel-headers
+
chmod 770 /data/{www,logs}
libmpc       
 
mpfr         
 
yum install pcre-devel
 
yum install expat-devel
 
yum install systemd-devel
 
groupadd www
 
mkdir /data/www
 
chown :www /data/www
 
  
mkdir -p /local/httpd/httpd-2.4.43
+
===Compilation et installation d'Apache===
ln -s httpd-2.4.43 /local/httpd/current
+
<pre>
wget https://mirror.ibcp.fr/pub/apache//httpd/httpd-2.4.43.tar.gz
+
export APACHE_VERSION=2.4.46
tar -zxf httpd-2.4.43.tar.gz -C /local/builds
+
export APR_VERSION=1.7.0
wget http://mirrors.standaloneinstaller.com/apache//apr/apr-1.7.0.tar.gz
+
export APR_UTILS_VERSION=1.6.1
tar -zxf apr-1.7.0.tar.gz
+
useradd -r apache
mv apr-1.7.0 /local/builds/httpd-2.4.43/srclib/apr
+
usermod -aG www apache
wget http://mirrors.standaloneinstaller.com/apache//apr/apr-util-1.6.1.tar.gz
+
mkdir -p /opt/httpd/httpd-${APACHE_VERSION}
tar -zxf apr-util-1.6.1.tar.gz
+
ln -s httpd-${APACHE_VERSION} /opt/httpd/current
mv apr-util-1.6.1 /local/builds/httpd-2.4.43/srclib/apr-util
+
wget https://mirror.ibcp.fr/pub/apache//httpd/httpd-${APACHE_VERSION}.tar.gz
cd /local/builds/httpd-2.4.43
+
tar -zxf httpd-${APACHE_VERSION}.tar.gz -C /data/builds
 +
wget https://miroir.univ-lorraine.fr/apache//apr/apr-${APR_VERSION}.tar.gz
 +
tar -zxf apr-${APR_VERSION}.tar.gz
 +
mv apr-${APR_VERSION} /data/builds/httpd-${APACHE_VERSION}/srclib/apr
 +
wget https://miroir.univ-lorraine.fr/apache//apr/apr-util-${APR_UTILS_VERSION}.tar.gz
 +
tar -zxf apr-util-${APR_UTILS_VERSION}.tar.gz
 +
mv apr-util-${APR_UTILS_VERSION} /data/builds/httpd-${APACHE_VERSION}/srclib/apr-util
 +
cd /data/builds/httpd-${APACHE_VERSION}
 
./configure \
 
./configure \
--prefix=/local/httpd/current \
+
--prefix=/opt/httpd/current \
--sysconfdir=/local/httpd/conf \
+
--sysconfdir=/opt/httpd/conf \
 
--enable-proxy \
 
--enable-proxy \
 
--enable-proxy-http \
 
--enable-proxy-http \
Ligne 96 : Ligne 145 :
 
--enable-status \
 
--enable-status \
 
--enable-systemd \
 
--enable-systemd \
--enable-mods-static="proxy rewrite authz-core authz-host log-config alias dir unixd mime remoteip status systemd" \
+
--enable-setenvif \
 +
--enable-headers \
 +
--enable-mods-static="proxy rewrite authz-core authz-host log-config alias dir unixd mime remoteip status systemd setenvif headers" \
 
--disable-so \
 
--disable-so \
 
--disable-proxy-connect \
 
--disable-proxy-connect \
Ligne 118 : Ligne 169 :
 
--disable-filter \
 
--disable-filter \
 
--disable-reqtimeout \
 
--disable-reqtimeout \
--disable-setenvif \
 
 
--disable-version \
 
--disable-version \
 
--disable-authn-dbm \
 
--disable-authn-dbm \
Ligne 132 : Ligne 182 :
 
--disable-cache \
 
--disable-cache \
 
--disable-file-cache \
 
--disable-file-cache \
--disable-headers \
 
 
--disable-cache-disk \
 
--disable-cache-disk \
 
--disable-cache-socache \
 
--disable-cache-socache \
Ligne 138 : Ligne 187 :
 
--disable-socache-memcache \
 
--disable-socache-memcache \
 
--disable-socache-redis \
 
--disable-socache-redis \
--disable-socache-shmcb
+
--disable-socache-shmcb \
make -j
+
&& make -j && make install
make install
+
chown -R root:apache /opt/httpd
cd
+
echo "export PATH=\$PATH:/opt/httpd/current/bin" >> /etc/profile.d/sh.local
useradd -r apache
+
touch /etc/systemd/system/http.service
usermod -aG www apache
+
chmod 664 /etc/systemd/system/http.service
chown -R root:apache /local/httpd
+
SYSTEMD_EDITOR=tee systemctl edit --full http.service <<EOF
echo "export PATH=\$PATH:/local/httpd/current/bin" >> /etc/profile.d/sh.local
+
[Unit]
vi /usr/lib/systemd/system/http.service
+
Description=The Apache HTTP Server
[Unit]
+
After=network.target
Description=The Apache HTTP Server
 
After=network.target
 
  
[Service]
+
[Service]
Type=notify
+
Type=notify
ExecStart=/local/httpd/current/bin/httpd -D FOREGROUND -k start
+
ExecStart=/opt/httpd/current/bin/httpd -D FOREGROUND -k start
ExecReload=/local/httpd/current/bin/httpd -k graceful
+
ExecReload=/opt/httpd/current/bin/httpd -k graceful
KillMode=mixed
+
ExecStop=/opt/httpd/current/bin/httpd -k stop
TimeoutStopSec=60
+
KillMode=mixed
 +
TimeoutStopSec=60
  
[Install]
+
[Install]
WantedBy=multi-user.target
+
WantedBy=multi-user.target
systemctl daemon-reload
+
EOF
systemctl enable http
 
systemctl start http
 
 
firewall-cmd --add-service=http
 
firewall-cmd --add-service=http
 
firewall-cmd --add-service=http --permanent
 
firewall-cmd --add-service=http --permanent
mkdir -p /data/logs/{localhost,vmwcentos7}
+
mkdir -p /data/logs/www/{localhost,$(hostname -s)}
 
chmod o+rx /data
 
chmod o+rx /data
touch /data/logs/localhost/localhost_http_{error,access}.log
+
chown www:www /data/logs/www/localhost
touch /data/logs/vmwcentos7/vmwcentos7_http_{error,access}.log
+
chmod 770 /data/logs/www/localhost
mkdir /local/httpd/conf/vhosts
+
touch /data/logs/www/localhost/localhost_http_{error,access}.log
 +
touch /data/logs/www/$(hostname -s)/$(hostname -s)_http_{error,access}.log
 +
mkdir /opt/httpd/conf/vhosts
 +
sed -i -e 's/User daemon/User apache/g' -e 's/Group daemon/Group www/g' /opt/httpd/conf/httpd.conf
 +
sed -i -e 's/ServerAdmin you@example.com/ServerAdmin my.great.mail@address.com/g' /opt/httpd/conf/httpd.conf
 +
sed -i -e 's@ErrorLog "logs/error_log"@ErrorLog "/data/logs/www/localhost/localhost_http_error.log"@g' /opt/httpd/conf/httpd.conf
 +
sed -i -e 's@CustomLog "logs/access_log"@CustomLog "/data/logs/www/localhost/localhost_http_access.log"@g' /opt/httpd/conf/httpd.conf
 +
sed -i -e 's@#Include /opt/httpd/conf/extra/httpd-mpm.conf@Include /opt/httpd/conf/extra/httpd-mpm.conf@g' /opt/httpd/conf/httpd.conf
 +
sed -i -e 's@#Include /opt/httpd/conf/extra/httpd-default.conf@Include /opt/httpd/conf/extra/httpd-default.conf@g' /opt/httpd/conf/httpd.conf
 +
cat <<EOF >> /opt/httpd/conf/httpd.conf
 +
# Custom virtual hosts and conf
 +
IncludeOptional /opt/httpd/conf/vhosts/*.conf
 +
EOF
 +
systemctl start http.service
 +
systemctl enable http.service
 +
</pre>
 +
 
 +
===Installation de CacheTool pour PHP===
 +
<pre>
 +
cd
 +
mkdir /local/php/cachetool
 +
wget -O /local/php/cachetool/cachetool-6.5.0.phar https://github.com/gordalina/cachetool/releases/download/6.5.0/cachetool.phar
 +
wget -O /local/php/cachetool/cachetool-3.2.2.phar https://gordalina.github.io/cachetool/downloads/cachetool-3.2.2.phar
 +
chown -R :www /local/php/cachetool
 +
chmod ug+x /local/php/cachetool/*
 +
</pre>
  
 +
===Compilation et installation de CMake===
 +
<pre>
 
cd
 
cd
yum install openssl-devel keyutils-libs-devel krb5-devel libcom_err-devel libkadm5 libselinux-devel libsepol-devel libverto-devel    
+
yum -y install openssl-devel keyutils-libs-devel krb5-devel libcom_err-devel libkadm5 libselinux-devel libsepol-devel libverto-devel gcc-c++ libstdc++-devel
mkdir /local/cmake
+
mkdir /opt/cmake
 
wget https://github.com/Kitware/CMake/releases/download/v3.18.0-rc3/cmake-3.18.0-rc3.tar.gz
 
wget https://github.com/Kitware/CMake/releases/download/v3.18.0-rc3/cmake-3.18.0-rc3.tar.gz
tar -zxf cmake-3.18.0-rc3.tar.gz -C /local/builds
+
tar -zxf cmake-3.18.0-rc3.tar.gz -C /data/builds
cd /local/builds/cmake-3.18.0-rc3
+
cd /data/builds/cmake-3.18.0-rc3
./bootstrap --prefix=/local/cmake/cmake-3.18.0-rc3
+
./bootstrap --prefix=/opt/cmake/cmake-3.18.0-rc3
 
make
 
make
 
make install
 
make install
ln -s cmake-3.18.0-rc3 /local/cmake/current
+
ln -s cmake-3.18.0-rc3 /opt/cmake/current
echo "export PATH=\$PATH:/local/cmake/current/bin" >> /etc/profile.d/sh.local
+
echo "export PATH=\$PATH:/opt/cmake/current/bin" >> /etc/profile.d/sh.local
 +
</pre>
  
 +
===Compilation et installation de libzip===
 +
<pre>
 
cd
 
cd
 
wget https://libzip.org/download/libzip-1.7.1.tar.gz
 
wget https://libzip.org/download/libzip-1.7.1.tar.gz
tar -zxf libzip-1.7.1.tar.gz -C /local/builds
+
tar -zxf libzip-1.7.1.tar.gz -C /data/builds
mkdir /local/builds/libzip-1.7.1/build
+
mkdir /data/builds/libzip-1.7.1/build
cd /local/builds/libzip-1.7.1/build
+
cd /data/builds/libzip-1.7.1/build
 
cmake -DCMAKE_INSTALL_PREFIX=/usr ..
 
cmake -DCMAKE_INSTALL_PREFIX=/usr ..
 
make
 
make
 
make install
 
make install
 +
</pre>
  
yum install zlib-devel
+
===Installation des paquets nécessaires à la compilation de PHP===
yum install bzip2-devel
+
<pre>
yum install libcurl-devel
+
yum -y install zlib-devel
yum install libpng-devel
+
yum -y install bzip2-devel
yum install libicu-devel libicu
+
yum -y install libcurl-devel
yum install gcc-c++ libstdc++-devel
+
yum -y install libpng-devel
yum install openldap-devel cyrus-sasl cyrus-sasl-devel
+
yum -y install libicu-devel libicu
yum install oniguruma-devel oniguruma
+
yum -y install openldap-devel cyrus-sasl cyrus-sasl-devel
yum install libxml2-devel xz-devel
+
yum -y install oniguruma-devel oniguruma
 +
yum -y install libxml2-devel xz-devel
 +
yum -y install unixODBC unixODBC-devel
 +
</pre>
  
 +
===Création du user/groupe pour PHP-FPM===
 +
useradd -r php-fpm
 +
usermod -g www -G php-fpm php-fpm
 +
 +
===Compilation et installation de PHP 7.4.16 avec FPM===
 +
<pre>
 +
export PHP_VERSION=7.4.16
 
cd
 
cd
useradd -r php-fpm
+
mkdir -p /opt/php/php-${PHP_VERSION}
usermod -aG www php-fpm
+
wget https://www.php.net/distributions/php-${PHP_VERSION}.tar.gz
mkdir -p /local/php/php-7.4.7
+
tar -zxf php-${PHP_VERSION}.tar.gz -C /data/builds
ln -s php-7.4.7 /local/php/current
+
cd /data/builds/php-${PHP_VERSION}
echo "export PATH=\$PATH:/local/php/current/bin" >> /etc/profile.d/sh.local
 
wget https://www.php.net/distributions/php-7.4.7.tar.gz
 
tar -zxf php-7.4.7.tar.gz -C /local/builds
 
cd /local/builds/php-7.4.7
 
 
./configure \
 
./configure \
--prefix=/local/php/php-7.4.7 \
+
--prefix=/opt/php/php-${PHP_VERSION} \
--with-config-file-path=/local/php/php-7.4.7 \
+
--with-config-file-path=/opt/php/php-${PHP_VERSION} \
 
--disable-all \
 
--disable-all \
 
--enable-static \
 
--enable-static \
Ligne 229 : Ligne 312 :
 
--enable-gd \
 
--enable-gd \
 
--enable-intl \
 
--enable-intl \
--disable-json \
 
 
--with-ldap \
 
--with-ldap \
 
--enable-mbstring \
 
--enable-mbstring \
Ligne 237 : Ligne 319 :
 
--enable-phar \
 
--enable-phar \
 
--with-libxml \
 
--with-libxml \
 +
--with-iconv \
 +
--enable-dom \
 +
--enable-filter \
 +
--enable-tokenizer \
 +
--enable-json \
 +
--enable-session \
 
--enable-xml \
 
--enable-xml \
 
--enable-xmlreader \
 
--enable-xmlreader \
 
--enable-xmlwriter \
 
--enable-xmlwriter \
 
--enable-opcache \
 
--enable-opcache \
 +
--enable-fileinfo \
 +
--enable-simplexml \
 +
--enable-soap \
 +
--enable-ftp \
 
--with-zip \
 
--with-zip \
 
--with-pear \
 
--with-pear \
--with-libdir=lib64
+
--with-openssl \
make -j
+
--with-libdir=lib64 \
make install
+
--with-mysqli \
 +
&& make -j && make install
 +
cp /opt/php/php-${PHP_VERSION}/etc/php-fpm.conf.default /opt/php/php-${PHP_VERSION}/etc/php-fpm.conf
 +
cp /data/builds/php-${PHP_VERSION}/php.ini-production /opt/php/php-${PHP_VERSION}/php.ini
 +
sed -i -e 's@;error_log = syslog@;error_log = syslog\nerror_log = /data/logs/www/localhost/localhost_php-${PHP_VERSION}.log@g' /opt/php/php-${PHP_VERSION}/php.ini
 +
sed -i -e 's@;sendmail_path =@sendmail_path = "/usr/bin/msmtp -t"@g' /opt/php/php-${PHP_VERSION}/php.ini
 +
sed -i -e 's@;date.timezone =@date.timezone = "Europe/Paris"@g' /opt/php/php-${PHP_VERSION}/php.ini
 +
sed -i -e 's@\[opcache\]@\[opcache\]\nzend_extension='$(grep no-debug-non-zts /opt/php/php-${PHP_VERSION}/bin/php-config|awk -F\' '{print $2}')'/opcache.so@g' /opt/php/php-${PHP_VERSION}/php.ini
 +
sed -i -e 's@;pid = run/php-fpm.pid@;pid = run/php-fpm.pid\npid = run/php-fpm.pid@g' /opt/php/php-${PHP_VERSION}/etc/php-fpm.conf
 +
sed -i -e 's@;error_log = log/php-fpm.log@;error_log = log/php-fpm.log\nerror_log = syslog@g' /opt/php/php-${PHP_VERSION}/etc/php-fpm.conf
 +
/opt/php/php-${PHP_VERSION}/bin/pear config-set php_ini /opt/php/php-${PHP_VERSION}/php.ini system
 +
/opt/php/php-${PHP_VERSION}/bin/pecl config-set php_ini /opt/php/php-${PHP_VERSION}/php.ini system
 +
cat <<EOF >/opt/php/php-${PHP_VERSION}/etc/php-fpm.d/localhost.conf
 +
[localhost]
 +
; Socket Unix dédié au pool
 +
listen = ../sockets/php-${PHP_VERSION}-$pool.sock
 +
 
 +
; Définition du chemin d'accès des logs
 +
access.log = /data/logs/www/$pool/$pool_php_access.log
 +
slowlog = /data/logs/www/$pool/$pool_log.slow
 +
php_admin_value[error_log] = /data/logs/www/$pool/$pool_php_error.log
 +
php_admin_flag[log_errors] = on
 +
; https://www.php.net/manual/fr/errorfunc.constants.php
 +
php_admin_value[error_reporting] = E_WARNING
 +
php_admin_value[session.save_path] = "/opt/php/sessions/$pool/"
 +
php_value[session.save_path] = "/opt/php/sessions/$pool/"
 +
 
 +
; Tuning du pool php-fpm
 +
pm = dynamic
 +
pm.max_children = 5
 +
pm.start_servers = 2
 +
pm.min_spare_servers = 1
 +
pm.max_spare_servers = 3
 +
pm.status_path = /php-fpm-status
 +
ping.path = /php-fpm-ping
 +
EOF
 +
mkdir -p /opt/php/sockets
 +
mkdir -p /opt/php/sessions/localhost
 +
chown -R php-fpm:www /opt/php
 +
cp /data/builds/php-${PHP_VERSION}/sapi/fpm/php-fpm.service /usr/lib/systemd/system/php-fpm-${PHP_VERSION}.service
 +
sed -i -e 's/\[Service\]/\[Service\]\nUMask=0007\nUser=php-fpm\nGroup=www\nEnvironment="PHP_VERSION='${PHP_VERSION}'"/g' /usr/lib/systemd/system/php-fpm-${PHP_VERSION}.service
 +
sed -i -e 's/^ProtectKernelModules/#ProtectKernelModules/g' /usr/lib/systemd/system/php-fpm-${PHP_VERSION}.service
 +
sed -i -e 's/^ProtectKernelTunables/#ProtectKernelTunables/g' /usr/lib/systemd/system/php-fpm-${PHP_VERSION}.service
 +
sed -i -e 's/^ProtectControlGroups/#ProtectControlGroups/g' /usr/lib/systemd/system/php-fpm-${PHP_VERSION}.service
 +
sed -i -e 's/^RestrictRealtime/#RestrictRealtime/g' /usr/lib/systemd/system/php-fpm-${PHP_VERSION}.service
 +
sed -i -e 's/^RestrictNamespaces/#RestrictNamespaces/g' /usr/lib/systemd/system/php-fpm-${PHP_VERSION}.service
 +
chmod o+r /usr/lib/systemd/system/php-fpm-${PHP_VERSION}.service
 +
</pre>
 +
 
 +
Prise en compte des modifications :
 +
<pre>
 +
systemctl daemon-reload
 +
systemctl start php-fpm-${PHP_VERSION}.service
 +
systemctl enable php-fpm-${PHP_VERSION}.service
 +
</pre>
 +
 
 +
Activation de la coloration syntaxique pour les fichiers de configuration de PHP-FPM :
 +
sed -i "s@\" yum conf (close enough to dosini)@\" PHP-FPM conf (close enough to dosini)\nau BufNewFile,BufRead php-fpm.conf,*php-fpm.d/*.conf\t\tcall s:StarSetf('dosini')\n\n\" yum conf (close enough to dosini)@g" /usr/share/vim/vim74/filetype.vim
 +
 
 +
Intégration de CacheTool dans les binaires de PHP :
 +
ln -s /local/php/cachetool/cachetool-6.5.0.phar /local/php/php-7.4.7/bin/cachetool
 +
 
 +
===Compilation et installation de PHP 5.6.40 avec FPM===
 +
<pre>
 +
cd
 +
mkdir -p /opt/php/php-5.6.40
 +
wget https://www.php.net/distributions/php-5.6.40.tar.gz
 +
tar -zxf php-5.6.40.tar.gz -C /data/builds
 +
cd /data/builds/php-5.6.40
 +
./configure \
 +
--prefix=/opt/php/php-5.6.40 \
 +
--with-config-file-path=/opt/php/php-5.6.40 \
 +
--disable-all \
 +
--enable-static \
 +
--enable-fpm \
 +
--with-fpm-user=php-fpm \
 +
--with-fpm-group=php-fpm \
 +
--with-fpm-systemd \
 +
--disable-ipv6 \
 +
--enable-cli \
 +
--with-zlib \
 +
--with-bz2 \
 +
--enable-calendar \
 +
--enable-ctype \
 +
--with-curl \
 +
--with-gd \
 +
--enable-intl \
 +
--enable-filter \
 +
--enable-hash \
 +
--enable-json \
 +
--with-ldap \
 +
--enable-mbstring \
 +
--enable-pdo \
 +
--with-pdo-mysql \
 +
--with-pdo-odbc=unixODBC,/usr \
 +
--enable-shared=pdo-mysql \
 +
--enable-phar \
 +
--enable-libxml \
 +
--enable-xml \
 +
--enable-xmlreader \
 +
--enable-xmlwriter \
 +
--enable-opcache \
 +
--enable-zip \
 +
--enable-soap \
 +
--with-pear \
 +
--with-openssl \
 +
--with-libdir=lib64 \
 +
--with-mysqli \
 +
--enable-dom \
 +
--with-iconv \
 +
--enable-simplexml \
 +
--enable-tokenizer \
 +
--enable-session \
 +
&& make -j && make install
 +
cp /opt/php/php-5.6.40/etc/php-fpm.conf.default /opt/php/php-5.6.40/etc/php-fpm.conf
 +
cp /data/builds/php-5.6.40/php.ini-production /opt/php/php-5.6.40/php.ini
 +
sed -i -e 's@;error_log = syslog@;error_log = syslog\nerror_log = /data/logs/localhost/localhost_php-5.6.40.log@g' /opt/php/php-5.6.40/php.ini
 +
sed -i -e 's@;date.timezone =@date.timezone = "Europe/Paris"@g' /opt/php/php-5.6.40/php.ini
 +
sed -i -e 's@\[opcache\]@\[opcache\]\nzend_extension=/opt/php/php-5.6.40/lib/php/extensions/no-debug-non-zts-20131226/opcache.so@g' /opt/php/php-5.6.40/php.ini
 +
/opt/php/php-5.6.40/bin/pear config-set php_ini /opt/php/php-5.6.40/php.ini system
 +
/opt/php/php-5.6.40/bin/pecl config-set php_ini /opt/php/php-5.6.40/php.ini system
 +
mkdir /opt/php/php-5.6.40/etc/php-fpm.d
 +
echo "[localhost]" >> /opt/php/php-5.6.40/etc/php-fpm.d/localhost.conf
 +
echo "user = php-fpm" >> /opt/php/php-5.6.40/etc/php-fpm.d/localhost.conf
 +
echo "group = php-fpm" >> /opt/php/php-5.6.40/etc/php-fpm.d/localhost.conf
 +
echo "listen = /opt/php/sockets/php-5.6.40_\$pool.sock" >> /opt/php/php-5.6.40/etc/php-fpm.d/localhost.conf
 +
echo "listen.owner = php-fpm" >> /opt/php/php-5.6.40/etc/php-fpm.d/localhost.conf
 +
echo "listen.group = www" >> /opt/php/php-5.6.40/etc/php-fpm.d/localhost.conf
 +
echo "listen.mode = 0660" >> /opt/php/php-5.6.40/etc/php-fpm.d/localhost.conf
 +
echo "pm = dynamic" >> /opt/php/php-5.6.40/etc/php-fpm.d/localhost.conf
 +
echo "pm.max_children = 5" >> /opt/php/php-5.6.40/etc/php-fpm.d/localhost.conf
 +
echo "pm.start_servers = 2" >> /opt/php/php-5.6.40/etc/php-fpm.d/localhost.conf
 +
echo "pm.min_spare_servers = 1" >> /opt/php/php-5.6.40/etc/php-fpm.d/localhost.conf
 +
echo "pm.max_spare_servers = 3" >> /opt/php/php-5.6.40/etc/php-fpm.d/localhost.conf
 +
echo "pm.status_path = /php-fpm-status" >> /opt/php/php-5.6.40/etc/php-fpm.d/localhost.conf
 +
echo "ping.path = /php-fpm-ping" >> /opt/php/php-5.6.40/etc/php-fpm.d/localhost.conf
 +
echo "access.log = /data/logs/\$pool/\$pool_php-5.6.40.access.log" >> /opt/php/php-5.6.40/etc/php-fpm.d/localhost.conf
 +
echo "slowlog = /data/logs/\$pool/\$pool_php-5.6.40.log.slow" >> /opt/php/php-5.6.40/etc/php-fpm.d/localhost.conf
 +
echo "php_admin_value[error_log] = /data/logs/\$pool/\$pool_php-5.6.40.log" >> /opt/php/php-5.6.40/etc/php-fpm.d/localhost.conf
 +
echo "php_admin_flag[log_errors] = on" >> /opt/php/php-5.6.40/etc/php-fpm.d/localhost.conf
 +
echo "php_admin_value[error_reporting] = E_ALL" >> /opt/php/php-5.6.40/etc/php-fpm.d/localhost.conf
 +
echo "php_admin_value[session.save_path] = \"/opt/php/sessions/\$pool/\"" >> /opt/php/php-5.6.40/etc/php-fpm.d/localhost.conf
 +
echo "php_value[session.save_path] = \"/opt/php/\$pool/\"" >> /opt/php/php-5.6.40/etc/php-fpm.d/localhost.conf
 +
mkdir -p /opt/php/sockets
 +
chown -R php-fpm:www /opt/php
 +
cp /usr/lib/systemd/system/php-fpm-7.4.7.service /usr/lib/systemd/system/php-fpm-5.6.40.service
 +
sed -i -e 's/7.4.7/5.6.40/g' /usr/lib/systemd/system/php-fpm-5.6.40.service
 +
sed -i -e 's/\[Service\]/\[Service\]\nUMask=0007\nUser=php-fpm\nGroup=www/g' /usr/lib/systemd/system/php-fpm-5.6.40.service
 +
chmod o+r /usr/lib/systemd/system/php-fpm-5.6.40.service
 +
</pre>
 +
 
 +
Suppression dans le fichier <code>/usr/lib/systemd/system/php-fpm-5.6.40.service</code> des sections surlignées suivantes :
 +
<syntaxhighlight lang="ini" highlight="28-48,53-55">
 +
# It's not recommended to modify this file in-place, because it
 +
# will be overwritten during upgrades.  If you want to customize,
 +
# the best way is to use the "systemctl edit" command.
 +
 
 +
[Unit]
 +
Description=The PHP FastCGI Process Manager
 +
After=network.target
 +
 
 +
[Service]
 +
Type=notify
 +
PIDFile=/opt/php/php-5.6.40/var/run/php-fpm.pid
 +
ExecStart=/opt/php/php-5.6.40/sbin/php-fpm --nodaemonize --fpm-config /opt/php/php-5.6.40/etc/php-fpm.conf
 +
ExecReload=/bin/kill -USR2 $MAINPID
 +
 
 +
# Set up a new file system namespace and mounts private /tmp and /var/tmp directories
 +
# so this service cannot access the global directories and other processes cannot
 +
# access this service's directories.
 +
PrivateTmp=true
 +
 
 +
# Mounts the /usr, /boot, and /etc directories read-only for processes invoked by this unit.
 +
ProtectSystem=full
 +
 
 +
# Sets up a new /dev namespace for the executed processes and only adds API pseudo devices
 +
# such as /dev/null, /dev/zero or /dev/random (as well as the pseudo TTY subsystem) to it,
 +
# but no physical devices such as /dev/sda.
 +
PrivateDevices=true
 +
 
 +
# Explicit module loading will be denied. This allows to turn off module load and unload
 +
# operations on modular kernels. It is recommended to turn this on for most services that
 +
# do not need special file systems or extra kernel modules to work.
 +
ProtectKernelModules=true
 +
 
 +
# Kernel variables accessible through /proc/sys, /sys, /proc/sysrq-trigger, /proc/latency_stats,
 +
# /proc/acpi, /proc/timer_stats, /proc/fs and /proc/irq will be made read-only to all processes
 +
# of the unit. Usually, tunable kernel variables should only be written at boot-time, with the
 +
# sysctl.d(5) mechanism. Almost no services need to write to these at runtime; it is hence
 +
# recommended to turn this on for most services.
 +
ProtectKernelTunables=true
 +
 
 +
# The Linux Control Groups (cgroups(7)) hierarchies accessible through /sys/fs/cgroup will be
 +
# made read-only to all processes of the unit. Except for container managers no services should
 +
# require write access to the control groups hierarchies; it is hence recommended to turn this on
 +
# for most services
 +
ProtectControlGroups=true
 +
 
 +
# Any attempts to enable realtime scheduling in a process of the unit are refused.
 +
RestrictRealtime=true
 +
 
 +
# Restricts the set of socket address families accessible to the processes of this unit.
 +
# Protects against vulnerabilities such as CVE-2016-8655
 +
RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK AF_UNIX
 +
 
 +
# Takes away the ability to create or manage any kind of namespace
 +
RestrictNamespaces=true
 +
 
 +
[Install]
 +
WantedBy=multi-user.target
 +
</syntaxhighlight>
 +
 
 +
Prise en compte des modifications :
 +
<pre>
 +
systemctl daemon-reload
 +
systemctl start php-fpm-5.6.40.service
 +
systemctl enable php-fpm-5.6.40.service
 +
</pre>
 +
 
 +
Intégration de CacheTool dans les binaires de PHP :
 +
ln -s /local/php/cachetool/cachetool-3.2.2.phar /local/php/php-5.6.40/bin/cachetool
 +
 
 +
===Installation de Webmin===
 +
<pre>
 +
cd
 +
echo "[Webmin]" >> /etc/yum.repos.d/webmin.repo
 +
echo "name=Webmin Distribution Neutral" >> /etc/yum.repos.d/webmin.repo
 +
echo "#baseurl=https://download.webmin.com/download/yum" >> /etc/yum.repos.d/webmin.repo
 +
echo "mirrorlist=https://download.webmin.com/download/yum/mirrorlist" >> /etc/yum.repos.d/webmin.repo
 +
echo "enabled=1" >> /etc/yum.repos.d/webmin.repo
 +
wget https://download.webmin.com/jcameron-key.asc
 +
rpm --import jcameron-key.asc
 +
yum install webmin perl-Authen-PAM
 +
/etc/rc.d/init.d/webmin stop
 +
find /etc -type l -name *webmin -exec unlink {} \;
 +
echo "[Unit]" >> /usr/lib/systemd/system/webmin.service
 +
echo "Description=Webmin" >> /usr/lib/systemd/system/webmin.service
 +
echo "Requires=local-fs.target" >> /usr/lib/systemd/system/webmin.service
 +
echo "After=basic.target" >> /usr/lib/systemd/system/webmin.service
 +
echo "Conflicts=shutdown.target" >> /usr/lib/systemd/system/webmin.service
 +
echo "" >> /usr/lib/systemd/system/webmin.service
 +
echo "[Service]" >> /usr/lib/systemd/system/webmin.service
 +
echo "Type=oneshot" >> /usr/lib/systemd/system/webmin.service
 +
echo "RemainAfterExit=yes" >> /usr/lib/systemd/system/webmin.service
 +
echo "ExecStart=/etc/webmin/start" >> /usr/lib/systemd/system/webmin.service
 +
echo "ExecStop=/etc/webmin/stop" >> /usr/lib/systemd/system/webmin.service
 +
echo "ExecReload=/etc/webmin/reload" >> /usr/lib/systemd/system/webmin.service
 +
echo "" >> /usr/lib/systemd/system/webmin.service
 +
echo "[Install]" >> /usr/lib/systemd/system/webmin.service
 +
echo "WantedBy=multi-user.target" >> /usr/lib/systemd/system/webmin.service
 +
chmod o+r /usr/lib/systemd/system/webmin.service
 +
systemctl daemon-reload
 +
sed -i -e 's/ssl=1/ssl=0/g' /etc/webmin/miniserv.conf
 +
sed -i -e 's/ipv6=1/ipv6=0/g' /etc/webmin/miniserv.conf
 +
echo "cookiepath=/webmin" >> /etc/webmin/miniserv.conf
 +
echo "webprefix=/webmin" >> /etc/webmin/config
 +
echo "webprefixnoredir=1" >> /etc/webmin/config
 +
echo "referer=1" >> /etc/webmin/config
 +
systemctl start webmin.service
 +
systemctl enable webmin.service
 +
# Ajout des lignes ci-dessous dans la configuration du vhost local /opt/httpd/conf/vhosts/$(hostname -s).conf
 +
# Configuration Webmin
 +
ProxyPass /webmin http://localhost:10000
 +
ProxyPassReverse /webmin http://localhost:10000
 +
# Fin de configuration Webmin
 +
httpd -k graceful
 +
</pre>
 +
 
 +
===Configuration Shinken===
 +
<pre>
 +
useradd shinken -U -d /home/shinken -m
 +
passwd shinken
 +
mkdir /home/shinken/.ssh
 +
chmod 700 /home/shinken/.ssh
 +
echo "ssh-rsa xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx yyyyyyyyy@oneserver.mydomain.local" >> /home/shinken/.ssh/authorized_keys
 +
echo "ssh-rsa xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx yyyyyyyyy@anotherserver.mydomain.local" >> /home/shinken/.ssh/authorized_keys
 +
chmod 600 /home/shinken/.ssh/authorized_keys
 +
chown -R shinken:shinken /home/shinken/.ssh
 +
</pre>
 +
 
 +
===Installation de Oracle Instant Client===
 +
<pre>
 +
wget https://yum.oracle.com/RPM-GPG-KEY-oracle-ol7 -O /etc/pki/rpm-gpg/RPM-GPG-KEY-oracle
 +
gpg --quiet --with-fingerprint /etc/pki/rpm-gpg/RPM-GPG-KEY-oracle
 +
rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-oracle
 +
echo "[ol7_latest]" >> /etc/yum.repos.d/ol7-temp.repo
 +
echo "name=Oracle Linux \$releasever Latest ($basearch)" >> /etc/yum.repos.d/ol7-temp.repo
 +
echo "baseurl=https://yum.oracle.com/repo/OracleLinux/OL7/latest/\$basearch/" >> /etc/yum.repos.d/ol7-temp.repo
 +
echo "gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-oracle" >> /etc/yum.repos.d/ol7-temp.repo
 +
echo "gpgcheck=1" >> /etc/yum.repos.d/ol7-temp.repo
 +
echo "enabled=1" >> /etc/yum.repos.d/ol7-temp.repo
 +
yum install oraclelinux-release-el7
 +
mv /etc/yum.repos.d/ol7-temp.repo /etc/yum.repos.d/ol7-temp.repo.disabled
 +
yum install oracle-release-el7
 +
yum install oracle-instantclient19.6
 +
mv /etc/yum.repos.d/oracle-linux-ol7.repo{,.disabled}
 +
mv /etc/yum.repos.d/oracle-ol7.repo{,.disabled}
 +
mv /etc/yum.repos.d/uek-ol7.repo{,.disabled}
 +
rm -rf /var/cache/yum/x86_64/7/ol7_*
 +
yum clean all
 +
yum makecache
 +
</pre>
 +
 
 +
===Installation de l'extension oci8 pour PHP 7.4.7===
 +
/opt/php/php-7.4.7/bin/pecl channel-update pecl.php.net
 +
/opt/php/php-7.4.7/bin/pecl install oci8
 +
 
 +
===Installation de l'extension oci8 pour PHP 5.6.40===
 +
/opt/php/php-5.6.40/bin/pecl channel-update pecl.php.net
 +
/opt/php/php-5.6.40/bin/pecl install oci8-2.0.12
 +
 
 +
===Installation du pilote ODBC pour MSSQL===
 +
curl https://packages.microsoft.com/config/rhel/7/prod.repo > /etc/yum.repos.d/mssql-release.repo
 +
ACCEPT_EULA=Y yum install msodbcsql17
 +
 
 +
===Installation de l'extension pdo_sqlsrv pour PHP 7.4.7===
 +
/opt/php/php-7.4.7/bin/pecl install pdo_sqlsrv
 +
 
 +
===Programme set_php_version===
 +
Contenu du programme <code>/opt/php/set_php_version</code> :
 +
<syntaxhighlight lang="bash">
 +
#!/bin/bash
 +
# Ce programme doit être sourcé pour modifier le PATH
 +
# . set_php_version
 +
declare -A versions
 +
declare -A bin_dirs
 +
 
 +
get_bin_dirs() {
 +
i=1
 +
for bin_dir in $(find /opt/php -type d -name bin 2> /dev/null);
 +
do
 +
version="$($bin_dir/php -v|head -1|awk '{print $2}')"
 +
versions[$i]=$version
 +
bin_dirs[$version]=$bin_dir
 +
((i++))
 +
done
 +
}
 +
 
 +
pathremove () {
 +
        local IFS=':'
 +
        local NEWPATH
 +
        local DIR
 +
        local PATHVARIABLE=${2:-PATH}
 +
        for DIR in ${!PATHVARIABLE} ; do
 +
                if [ "$DIR" != "$1" ] ; then
 +
                  NEWPATH=${NEWPATH:+$NEWPATH:}$DIR
 +
                fi
 +
        done
 +
        export ${PATHVARIABLE}="$NEWPATH"
 +
}
 +
 
 +
pathprepend () {
 +
        pathremove $1 $2
 +
        local PATHVARIABLE=${2:-PATH}
 +
        export $PATHVARIABLE="$1${!PATHVARIABLE:+:${!PATHVARIABLE}}"
 +
}
 +
 
 +
pathappend () {
 +
        pathremove $1 $2
 +
        local PATHVARIABLE=${2:-PATH}
 +
        export $PATHVARIABLE="${!PATHVARIABLE:+${!PATHVARIABLE}:}$1"
 +
}
 +
 
 +
 
 +
if [ "$#" -eq 0 ];
 +
then
 +
## Récupération des différents dossiers hébergeant les binaires PHP
 +
#########################
 +
get_bin_dirs
 +
 
 +
## Choix de version PHP
 +
#########################
 +
echo -e "Veuillez choisir une version de PHP à utiliser :\n"
 +
i=1
 +
 
 +
# On parcourt le tableau des applications
 +
for iversion in "${!versions[@]}"
 +
do
 +
# On affiche une liste numérotée des versions
 +
echo "$i)  ${versions[${i}]}"
 +
((i++))
 +
done
 +
echo ""
 +
read -p "Choix : " version_choice
 +
echo ""
 +
 
 +
if [[ $version_choice != "" ]]
 +
then
 +
# On peut choisir la version par son numéro
 +
if [[ $version_choice =~ ^[[:digit:]]+$ ]]
 +
then
 +
if [[ ! -z ${versions[$version_choice]} ]]
 +
then
 +
str_bindir=${bin_dirs[${versions[$version_choice]}]}
 +
str_version=${versions[$version_choice]}
 +
fi
 +
# Ou par la version directement
 +
elif [[ ! -z ${bin_dirs[$version_choice]} ]]
 +
then
 +
str_bindir=${bin_dirs[$version_choice]}
 +
str_version=${version_choice}
 +
fi
 +
fi
 +
elif [ "$#" -eq 1 ];
 +
then
 +
## Récupération des dossifférents dossiers hébergeant les binaires PHP
 +
#########################
 +
get_bin_dirs
 +
 
 +
if [[ ! -z ${bin_dirs[$1]} ]]
 +
then
 +
str_bindir=${bin_dirs[$1]}
 +
str_version=$1
 +
elif [[ $1 == "reset" ]]
 +
then
 +
echo "Reset du PATH sans les binaires PHP"
 +
for dir in ${bin_dirs[*]}
 +
do
 +
pathremove "${dir}"
 +
done
 +
if [[ ! -z $oldPS1 ]]
 +
then
 +
PS1=$oldPS1
 +
unset oldPS1
 +
else
 +
PS1="[\u@\h \W]\\$ "
 +
fi
 +
fi
 +
else
 +
echo "Nombre de paramètres attendus : 1"
 +
fi
 +
 
 +
if [[ -z $str_bindir ]]
 +
then
 +
if [[ $1 != "reset" ]]
 +
then
 +
echo "Choix de version invalide !"
 +
get_bin_dirs
 +
echo "Versions disponibles : "${!bin_dirs[*]}
 +
fi
 +
else
 +
echo -e "Version de PHP : $str_version. Path : $str_bindir"
 +
echo -e "Pour retirer les binaires PHP du PATH, utiliser la commande « set_php_version reset »"
 +
for dir in ${bin_dirs[*]}
 +
do
 +
pathremove "${dir}"
 +
done
 +
 
 +
pathprepend ${str_bindir}
 +
 
 +
if [[ -z $oldPS1 ]]
 +
then
 +
oldPS1=$PS1
 +
fi
 +
export PS1="[\u@\h \W|\[\033[0;31m\]PHP ${str_version}\[\033[0m\]]\\$ "
 +
fi
 +
 
 +
unset version versions str_bindir bin_dir bin_dirs pathremove pathprepend pathappend get_bin_dirs version_choice str_version
 +
</syntaxhighlight>
 +
 
 +
Changement des droits d'accès
 +
chmod 555 /opt/php/set_php_version
 +
 
 +
Ajout de l'alias dans le profile par défaut :
 +
echo "alias set_php_version='. /opt/php/set_php_version'" >> /etc/profile.d/sh.local
 +
 
 +
===Installation Zabbix===
 +
====Installation de l'agent====
 +
<pre>
 +
rpm -Uvh https://repo.zabbix.com/zabbix/4.4/rhel/7/x86_64/zabbix-release-4.4-1.el7.noarch.rpm
 +
rpm -import http://repo.zabbix.com/RPM-GPG-KEY-ZABBIX-A14FE591
 +
yum install zabbix-agent
 +
sed -i -e 's/Server=127.0.0.1/Server=myzabbixserver/g' -e 's/ServerActive=127.0.0.1/ServerActive=myzabbixserver/g' -e 's/Hostname=Zabbix server/Hostname=$(hostname -s)/g' -e 's@PidFile=/var/run/zabbix/zabbix_agentd.pid@PidFile=/run/zabbix/zabbix_agentd.pid@g' /etc/zabbix/zabbix_agentd.conf
 +
</pre>
 +
 
 +
====Ajout du service dans le pare-feu====
 +
<pre>
 +
firewall-cmd --permanent --new-service=zabbixclient
 +
firewall-cmd --permanent --service=zabbixclient --set-description="Zabbix Client Service"
 +
firewall-cmd --permanent --service=zabbixclient --set-short=zabbixclient
 +
firewall-cmd --permanent --service=zabbixclient --add-port=10050/tcp
 +
firewall-cmd --reload
 +
</pre>
 +
 
 +
====Installation du template PHP-FPM====
 +
Installation des prérequis :
 +
yum -y install grep gawk lsof jq fcgi unzip bc
 +
 
 +
Téléchargement de la dernière version :
 +
curl -L $(curl -s https://api.github.com/repos/rvalitov/zabbix-php-fpm/releases/latest | grep 'zipball_' | cut -d\" -f4) --output /tmp/zabbix-php-fpm.zip
 +
 
 +
Extraction des fichiers :
 +
unzip -j /tmp/zabbix-php-fpm.zip "*/zabbix/*" "*/ispconfig/*" -d /tmp/zabbix-php-fpm
 +
 
 +
Copie des fichiers dans la configuration Zabbix :
 +
cp /tmp/zabbix-php-fpm/userparameter_php_fpm.conf $(find /etc/zabbix/ -name zabbix_agentd*.d -type d | head -n1)
 +
cp /tmp/zabbix-php-fpm/zabbix_php_fpm_discovery.sh /etc/zabbix/
 +
cp /tmp/zabbix-php-fpm/zabbix_php_fpm_status.sh /etc/zabbix/
 +
 
 +
Ajout du droit d’exécution sur les scripts :
 +
chown zabbix /etc/zabbix/zabbix_agentd.d/userparameter_php_fpm.conf
 +
chmod +x /etc/zabbix/zabbix_php_fpm_discovery.sh
 +
chmod +x /etc/zabbix/zabbix_php_fpm_status.sh
 +
 
 +
Ajouter les droits nécessaires dans sudoers pour Zabbix :
 +
echo 'zabbix ALL = NOPASSWD: /etc/zabbix/zabbix_php_fpm_discovery.sh,/etc/zabbix/zabbix_php_fpm_status.sh' | EDITOR='tee -a' visudo -f /etc/sudoers.d/sudo_zabbix
 +
 
 +
Augmentation du seuil de connexion par socket sur le serveur :
 +
echo "net.core.somaxconn=1024" | tee -a /etc/sysctl.conf
 +
sysctl -p
 +
 
 +
Supprimer les fichiers temporaires :
 +
rm /tmp/zabbix-php-fpm.zip
 +
rm -rf /tmp/zabbix-php-fpm
 +
 
 +
===Ajout de l'outil cachetool===
 +
====Pour PHP 7====
 +
curl -sLO https://github.com/gordalina/cachetool/releases/latest/download/cachetool.phar
 +
chmod o+rx cachetool.phar
 +
mv cachetool.phar /usr/local/bin/cachetool
 +
 
 +
====Pour PHP 5====
 +
curl -sLO https://gordalina.github.io/cachetool/downloads/cachetool-3.2.2.phar
 +
chmod o+rx cachetool-3.2.2.phar
 +
mv cachetool-3.2.2.phar /usr/local/bin/cachetool_for_PHP5
 +
 
 +
==Pour MySQL==
 +
 
 +
 
 +
===Ajout du dépôt MySQL===
 +
<pre>
 +
yum -y install https://dev.mysql.com/get/mysql80-community-release-el7-3.noarch.rpm
 +
yum makecache
 +
yum-config-manager --disable mysql80-community
 +
yum-config-manager --enable mysql57-community
 +
yum makecache
 +
</pre>
 +
 
 +
===Installation de MySQL===
 +
yum -y install mysql-community-server
 +
 
 +
===Configuration de MySQL===
 +
Création des dossiers hébergeant les logs et les bases :
 +
<pre>
 +
mkdir -p /data/{mysql,logs}
 +
chown mysql:mysql /data/mysql
 +
chmod 770 /data/logs
 +
</pre>
 +
 
 +
Personnalisation de la configuration MySQL :
 +
<pre>
 +
sed -i -e 's@datadir=/var/lib/mysql@datadir=/data/mysql@g' -e 's@log-error=/var/log/mysqld.log@log-error=/data/logs/mysqld.log@g' /etc/my.cnf
 +
echo "explicit_defaults_for_timestamp=1" >> /etc/my.cnf
 +
echo "skip-ssl=1" >> /etc/my.cnf
 +
echo "bind_address=0.0.0.0" >> /etc/my.cnf
 +
echo "skip-name-resolve=1" >> /etc/my.cnf
 +
echo "query_cache_size=0" >> /etc/my.cnf
 +
echo "innodb_log_file_size=16777216" >> /etc/my.cnf
 +
echo "character-set-server=utf8" >> /etc/my.cnf
 +
echo "collation-server=utf8mb4_general_ci" >> /etc/my.cnf
 +
</pre>
 +
 
 +
Ouverture du port MySQL dans le pare-feu :
 +
firewall-cmd --add-service=mysql
 +
firewall-cmd --add-service=mysql --permanent
 +
 
 +
Démarrage et réinitialisation du mot de passe root de MySQL :
 +
systemctl start mysqld
 +
export MYSQL_PWD=$(grep 'temporary password' /data/logs/mysqld.log | awk '{print $NF}')
 +
export MYSQL_NEW_PWD="xxxxxxxxxxxxx"
 +
mysql --connect-expired-password -uroot -e "ALTER USER 'root'@'localhost' IDENTIFIED BY '$MYSQL_NEW_PWD';"
 +
 
 +
Ajout des comptes d'exploitation :
 +
<pre>
 +
export MYSQL_PWD=$MYSQL_NEW_PWD
 +
mysql -uroot -e "UNINSTALL PLUGIN validate_password;"
 +
mysql -uroot -e "GRANT ALL PRIVILEGES ON *.* TO 'pma_user'@'172.19.0.71' IDENTIFIED BY 'xxxxxxxxxxxxx' WITH GRANT OPTION;"
 +
mysql -uroot -e "GRANT SELECT, INSERT, UPDATE, DELETE ON phpmyadmin.* TO 'pma_controluser_user'@'172.19.0.71' IDENTIFIED BY 'xxxxxxxxxxxxx';"
 +
mysql -uroot -e "GRANT USAGE,REPLICATION CLIENT,PROCESS,SHOW DATABASES,SHOW VIEW ON *.* TO 'zbx_monitor'@'localhost' IDENTIFIED BY 'xxxxxxxxxxxxx';"
 +
</pre>
 +
 
 +
Ajout des tables pour le stockage de configurations PhpMyAdmin :
 +
<pre>
 +
wget -q https://raw.githubusercontent.com/phpmyadmin/phpmyadmin/RELEASE_4_9_4/sql/create_tables.sql
 +
mysql -uroot < create_tables.sql
 +
rm -f create_tables.sql
 +
</pre>
 +
 
 +
===Ajout de l'outil mysqltuner===
 +
<pre>
 +
yum -y install perl-Data-Dumper
 +
wget http://mysqltuner.pl/ -O /usr/bin/mysqltuner
 +
chmod u+x /usr/bin/mysqltuner
 +
</pre>
 +
 
  
 +
===Installation Zabbix===
 +
====Installation du template MySQL Zabbix====
 +
<pre>
 +
mkdir -p $(grep zabbix /etc/passwd|awk -F: '{print $6}')
 +
chown zabbix:zabbix $(grep zabbix /etc/passwd|awk -F: '{print $6}')
 +
sudo -u zabbix mysql_config_editor set --user=zbx_monitor
 +
echo "MYSQL_PWD=xxxxxxxxxxxxxxxx" >> /etc/sysconfig/zabbix-agent
 +
wget -q https://git.zabbix.com/projects/ZBX/repos/zabbix/raw/templates/db/mysql_agent/template_db_mysql.conf?at=refs%2Fheads%2Fmaster -O /etc/zabbix/zabbix_agentd.d/template_db_mysql.conf
 +
chmod o+r /etc/zabbix/zabbix_agentd.d/template_db_mysql.conf
 
</pre>
 
</pre>
 +
 +
===Suppression des informations sensibles===
 +
>/root/.bash_history
 +
 +
[[Category:MySQL]]
 +
[[Category:MySQL 5.7]]
 +
[[Category:Apache]]
 +
[[Category:Apache 2.4]]
 +
[[Category:Apache 2.4.43]]
 +
[[Category:Webmin]]
 +
[[Category:Shinken]]
 +
[[Category:Zabbix]]
 +
[[Category:PHP]]
 +
[[Category:PHP 5]]
 +
[[Category:PHP 5.6.40]]
 +
[[Category:PHP 7]]
 +
[[Category:PHP 7.4.7]]
 +
[[Category:PHP-FPM]]
 +
[[Category:CentOS]]
 +
[[Category:CentOS 7]]

Version actuelle datée du 27 juin 2021 à 13:54

Sommaire

Ajout de l'autorité de certification interne

Initialisation des certificats d'autorité racine : 

update-ca-trust enable

Dépôt du certificat de l'autorité de certification de l'entreprise dans le dossier /etc/pki/ca-trust/source/anchors

Import du certificat précédemment déposé avec la commande : 

update-ca-trust extract

Ajout du dépôt EPEL

yum -y install epel-release
yum makecache
yum -y update
yum -y install yum-utils bind-utils yum-cron wget bash-completion lsof nmon net-tools dos2unix deltarpm vim sg3_utils open-vm-tools sysstat samba-client samba zip
init 6

Préparation de la configuration Samba

cp /etc/samba/smb.conf /etc/samba/smb.conf.default
sed -i -e 's/^\([^#].*\)/#\1/g' /etc/samba/smb.conf
sed -i -e 's/^#\[global\]/[global]\n\tguest account = www\n\tmap to guest = Bad User/' /etc/samba/smb.conf

Modification du umask

sed -i -e 's/umask 022/umask 007/g' -e 's/umask 002/umask 007/g' /etc/bashrc
sed -i -e 's/umask 022/umask 007/g' -e 's/umask 002/umask 007/g' /etc/csh.cshrc
sed -i -e 's/umask 022/umask 007/g' -e 's/umask 002/umask 007/g' /etc/profile
sed -i -e 's/umask 022/umask 007/g' -e 's/umask 002/umask 007/g' /etc/init.d/functions
sed -i -e 's@Subsystem\tsftp\t/usr/libexec/openssh/sftp-server@\#Subsystem\tsftp\t/usr/libexec/openssh/sftp-server\nSubsystem\tsftp\tinternal-sftp -u 0007@g' /etc/ssh/sshd_config
systemctl restart sshd

Modification du umask par défaut pour la crontab 

SYSTEMD_EDITOR=tee systemctl edit crond.service <<EOF
[Service]
UMask=0007
EOF
systemctl reload crond

Suppression des pilotes inutiles

yum -y remove alsa-* ivtv-* iwl*firmware aic94xx-firmware

Désactivation de la wifi

nmcli radio all off

Désactivation de l'IPv6

echo "NETWORKING_IPV6=no" >> /etc/sysconfig/network
echo "IPV6INIT=no" >> /etc/sysconfig/network
echo "net.ipv6.conf.all.disable_ipv6 = 1" >> /etc/sysctl.conf
echo "net.ipv6.conf.default.disable_ipv6 = 1" >> /etc/sysctl.conf
sysctl -p
sed -i 's/#AddressFamily any/AddressFamily inet/g' /etc/ssh/sshd_config
systemctl restart sshd
sed -i 's/OPTIONS=""/OPTIONS="-4"/g' /etc/sysconfig/chronyd
systemctl restart chronyd

Désactivation du selinux

setenforce 0
sed -i -e 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/selinux/config

Changement du port SSH

sed -i 's@#Port 22@Port 22\nPort XXXXX@g' /etc/ssh/sshd_config
systemctl restart sshd
firewall-cmd --permanent --service=ssh --add-port=XXXXX/tcp
firewall-cmd --reload

Suppression des utilisateurs inutiles

userdel -r adm
userdel -r ftp
userdel -r games
userdel -r lp
groupdel games

Augmenter l'historique des commandes de 1000 à 5000 lignes

sed -i 's/HISTSIZE=.*/HISTSIZE=5000/g' /etc/profile

Ajout de l'option "clean_requirements_on_remove=1" pour supprimer automatiquement les dépendances non-utilisées lors de la désinstallation d'un paquet

yum-config-manager --setopt=clean_requirements_on_remove=1 --save

Installation de msmtp

yum -y install msmtp mailx
/etc/msmtprc
chmod o+r /etc/msmtprc

Paramétrage NTP

yum -y install ntpdate && ntpdate ntp.myntpserver.com && systemctl enable ntpdate.service

Ajout d'alias complémentaires

echo "alias vi='vim'" >> /etc/profile.d/sh.local
sed -i "8 i alias ll='ls -al --color=auto'" .bashrc

Préparation à la compilation

mkdir -p /data/builds
yum install -y gcc glibc-devel glibc-headers kernel-headers libmpc mpfr autoconf
yum install -y pcre-devel
yum install -y expat-devel
yum install -y systemd-devel

Ajout du groupe www et des dossiers /data/www /data/logs et /data/build

useradd www -m
mkdir -p /data/{www,logs,builds}
chown www:www /data/{www,logs}
chmod 770 /data/{www,logs}

Compilation et installation d'Apache

export APACHE_VERSION=2.4.46
export APR_VERSION=1.7.0
export APR_UTILS_VERSION=1.6.1
useradd -r apache
usermod -aG www apache
mkdir -p /opt/httpd/httpd-${APACHE_VERSION}
ln -s httpd-${APACHE_VERSION} /opt/httpd/current
wget https://mirror.ibcp.fr/pub/apache//httpd/httpd-${APACHE_VERSION}.tar.gz
tar -zxf httpd-${APACHE_VERSION}.tar.gz -C /data/builds
wget https://miroir.univ-lorraine.fr/apache//apr/apr-${APR_VERSION}.tar.gz
tar -zxf apr-${APR_VERSION}.tar.gz
mv apr-${APR_VERSION} /data/builds/httpd-${APACHE_VERSION}/srclib/apr
wget https://miroir.univ-lorraine.fr/apache//apr/apr-util-${APR_UTILS_VERSION}.tar.gz
tar -zxf apr-util-${APR_UTILS_VERSION}.tar.gz
mv apr-util-${APR_UTILS_VERSION} /data/builds/httpd-${APACHE_VERSION}/srclib/apr-util
cd /data/builds/httpd-${APACHE_VERSION}
./configure \
--prefix=/opt/httpd/current \
--sysconfdir=/opt/httpd/conf \
--enable-proxy \
--enable-proxy-http \
--enable-proxy-wstunnel \
--enable-proxy-fcgi \
--enable-rewrite \
--enable-authz-host \
--enable-mime \
--enable-static-support \
--enable-remoteip \
--enable-status \
--enable-systemd \
--enable-setenvif \
--enable-headers \
--enable-mods-static="proxy rewrite authz-core authz-host log-config alias dir unixd mime remoteip status systemd setenvif headers" \
--disable-so \
--disable-proxy-connect \
--disable-proxy-ftp \
--disable-proxy-scgi \
--disable-proxy-uwsgi \
--disable-proxy-fdpass \
--disable-proxy-ajp \
--disable-proxy-balancer \
--disable-proxy-express \
--disable-proxy-hcheck \
--disable-access-compat \
--disable-auth \
--disable-auth-basic \
--disable-authn-core \
--disable-authn-file \
--disable-authz-groupfile \
--disable-authz-user \
--disable-autoindex \
--disable-env \
--disable-filter \
--disable-reqtimeout \
--disable-version \
--disable-authn-dbm \
--disable-authn-anon \
--disable-authn-dbd \
--disable-authn-socache \
--disable-authz-dbm \
--disable-authz-owner \
--disable-authz-dbd \
--disable-auth-form \
--disable-auth-digest \
--disable-allowmethods \
--disable-cache \
--disable-file-cache \
--disable-cache-disk \
--disable-cache-socache \
--disable-socache-dbm \
--disable-socache-memcache \
--disable-socache-redis \
--disable-socache-shmcb \
&& make -j && make install
chown -R root:apache /opt/httpd
echo "export PATH=\$PATH:/opt/httpd/current/bin" >> /etc/profile.d/sh.local
touch /etc/systemd/system/http.service
chmod 664 /etc/systemd/system/http.service
SYSTEMD_EDITOR=tee systemctl edit --full http.service <<EOF
[Unit]
Description=The Apache HTTP Server
After=network.target

[Service]
Type=notify
ExecStart=/opt/httpd/current/bin/httpd -D FOREGROUND -k start
ExecReload=/opt/httpd/current/bin/httpd -k graceful
ExecStop=/opt/httpd/current/bin/httpd -k stop
KillMode=mixed
TimeoutStopSec=60

[Install]
WantedBy=multi-user.target
EOF
firewall-cmd --add-service=http
firewall-cmd --add-service=http --permanent
mkdir -p /data/logs/www/{localhost,$(hostname -s)}
chmod o+rx /data
chown www:www /data/logs/www/localhost
chmod 770 /data/logs/www/localhost
touch /data/logs/www/localhost/localhost_http_{error,access}.log
touch /data/logs/www/$(hostname -s)/$(hostname -s)_http_{error,access}.log
mkdir /opt/httpd/conf/vhosts
sed -i -e 's/User daemon/User apache/g' -e 's/Group daemon/Group www/g' /opt/httpd/conf/httpd.conf
sed -i -e 's/ServerAdmin you@example.com/ServerAdmin my.great.mail@address.com/g' /opt/httpd/conf/httpd.conf
sed -i -e 's@ErrorLog "logs/error_log"@ErrorLog "/data/logs/www/localhost/localhost_http_error.log"@g' /opt/httpd/conf/httpd.conf
sed -i -e 's@CustomLog "logs/access_log"@CustomLog "/data/logs/www/localhost/localhost_http_access.log"@g' /opt/httpd/conf/httpd.conf
sed -i -e 's@#Include /opt/httpd/conf/extra/httpd-mpm.conf@Include /opt/httpd/conf/extra/httpd-mpm.conf@g' /opt/httpd/conf/httpd.conf
sed -i -e 's@#Include /opt/httpd/conf/extra/httpd-default.conf@Include /opt/httpd/conf/extra/httpd-default.conf@g' /opt/httpd/conf/httpd.conf
cat <<EOF >> /opt/httpd/conf/httpd.conf
# Custom virtual hosts and conf
IncludeOptional /opt/httpd/conf/vhosts/*.conf
EOF
systemctl start http.service
systemctl enable http.service

Installation de CacheTool pour PHP

cd
mkdir /local/php/cachetool
wget -O /local/php/cachetool/cachetool-6.5.0.phar https://github.com/gordalina/cachetool/releases/download/6.5.0/cachetool.phar
wget -O /local/php/cachetool/cachetool-3.2.2.phar https://gordalina.github.io/cachetool/downloads/cachetool-3.2.2.phar
chown -R :www /local/php/cachetool
chmod ug+x /local/php/cachetool/*

Compilation et installation de CMake

cd
yum -y install openssl-devel keyutils-libs-devel krb5-devel libcom_err-devel libkadm5 libselinux-devel libsepol-devel libverto-devel gcc-c++ libstdc++-devel
mkdir /opt/cmake
wget https://github.com/Kitware/CMake/releases/download/v3.18.0-rc3/cmake-3.18.0-rc3.tar.gz
tar -zxf cmake-3.18.0-rc3.tar.gz -C /data/builds
cd /data/builds/cmake-3.18.0-rc3
./bootstrap --prefix=/opt/cmake/cmake-3.18.0-rc3
make
make install
ln -s cmake-3.18.0-rc3 /opt/cmake/current
echo "export PATH=\$PATH:/opt/cmake/current/bin" >> /etc/profile.d/sh.local

Compilation et installation de libzip

cd
wget https://libzip.org/download/libzip-1.7.1.tar.gz
tar -zxf libzip-1.7.1.tar.gz -C /data/builds
mkdir /data/builds/libzip-1.7.1/build
cd /data/builds/libzip-1.7.1/build
cmake -DCMAKE_INSTALL_PREFIX=/usr ..
make
make install

Installation des paquets nécessaires à la compilation de PHP

yum -y install zlib-devel
yum -y install bzip2-devel
yum -y install libcurl-devel
yum -y install libpng-devel
yum -y install libicu-devel libicu
yum -y install openldap-devel cyrus-sasl cyrus-sasl-devel
yum -y install oniguruma-devel oniguruma
yum -y install libxml2-devel xz-devel
yum -y install unixODBC unixODBC-devel

Création du user/groupe pour PHP-FPM

useradd -r php-fpm
usermod -g www -G php-fpm php-fpm

Compilation et installation de PHP 7.4.16 avec FPM

export PHP_VERSION=7.4.16
cd
mkdir -p /opt/php/php-${PHP_VERSION}
wget https://www.php.net/distributions/php-${PHP_VERSION}.tar.gz
tar -zxf php-${PHP_VERSION}.tar.gz -C /data/builds
cd /data/builds/php-${PHP_VERSION}
./configure \
--prefix=/opt/php/php-${PHP_VERSION} \
--with-config-file-path=/opt/php/php-${PHP_VERSION} \
--disable-all \
--enable-static \
--enable-fpm \
--with-fpm-user=php-fpm \
--with-fpm-group=php-fpm \
--with-fpm-systemd \
--disable-ipv6 \
--enable-cli \
--with-zlib \
--with-bz2 \
--enable-calendar \
--enable-ctype \
--with-curl \
--enable-gd \
--enable-intl \
--with-ldap \
--enable-mbstring \
--enable-pdo \
--with-pdo-mysql \
--enable-shared=pdo-mysql \
--enable-phar \
--with-libxml \
--with-iconv \
--enable-dom \
--enable-filter \
--enable-tokenizer \
--enable-json \
--enable-session \
--enable-xml \
--enable-xmlreader \
--enable-xmlwriter \
--enable-opcache \
--enable-fileinfo \
--enable-simplexml \
--enable-soap \
--enable-ftp \
--with-zip \
--with-pear \
--with-openssl \
--with-libdir=lib64 \
--with-mysqli \
&& make -j && make install
cp /opt/php/php-${PHP_VERSION}/etc/php-fpm.conf.default /opt/php/php-${PHP_VERSION}/etc/php-fpm.conf
cp /data/builds/php-${PHP_VERSION}/php.ini-production /opt/php/php-${PHP_VERSION}/php.ini
sed -i -e 's@;error_log = syslog@;error_log = syslog\nerror_log = /data/logs/www/localhost/localhost_php-${PHP_VERSION}.log@g' /opt/php/php-${PHP_VERSION}/php.ini
sed -i -e 's@;sendmail_path =@sendmail_path = "/usr/bin/msmtp -t"@g' /opt/php/php-${PHP_VERSION}/php.ini
sed -i -e 's@;date.timezone =@date.timezone = "Europe/Paris"@g' /opt/php/php-${PHP_VERSION}/php.ini
sed -i -e 's@\[opcache\]@\[opcache\]\nzend_extension='$(grep no-debug-non-zts /opt/php/php-${PHP_VERSION}/bin/php-config|awk -F\' '{print $2}')'/opcache.so@g' /opt/php/php-${PHP_VERSION}/php.ini
sed -i -e 's@;pid = run/php-fpm.pid@;pid = run/php-fpm.pid\npid = run/php-fpm.pid@g' /opt/php/php-${PHP_VERSION}/etc/php-fpm.conf
sed -i -e 's@;error_log = log/php-fpm.log@;error_log = log/php-fpm.log\nerror_log = syslog@g' /opt/php/php-${PHP_VERSION}/etc/php-fpm.conf
/opt/php/php-${PHP_VERSION}/bin/pear config-set php_ini /opt/php/php-${PHP_VERSION}/php.ini system
/opt/php/php-${PHP_VERSION}/bin/pecl config-set php_ini /opt/php/php-${PHP_VERSION}/php.ini system
cat <<EOF >/opt/php/php-${PHP_VERSION}/etc/php-fpm.d/localhost.conf
[localhost]
; Socket Unix dédié au pool
listen = ../sockets/php-${PHP_VERSION}-$pool.sock

; Définition du chemin d'accès des logs
access.log = /data/logs/www/$pool/$pool_php_access.log
slowlog = /data/logs/www/$pool/$pool_log.slow
php_admin_value[error_log] = /data/logs/www/$pool/$pool_php_error.log
php_admin_flag[log_errors] = on
; https://www.php.net/manual/fr/errorfunc.constants.php
php_admin_value[error_reporting] = E_WARNING
php_admin_value[session.save_path] = "/opt/php/sessions/$pool/"
php_value[session.save_path] = "/opt/php/sessions/$pool/"

; Tuning du pool php-fpm
pm = dynamic
pm.max_children = 5
pm.start_servers = 2
pm.min_spare_servers = 1
pm.max_spare_servers = 3
pm.status_path = /php-fpm-status
ping.path = /php-fpm-ping
EOF
mkdir -p /opt/php/sockets
mkdir -p /opt/php/sessions/localhost
chown -R php-fpm:www /opt/php
cp /data/builds/php-${PHP_VERSION}/sapi/fpm/php-fpm.service /usr/lib/systemd/system/php-fpm-${PHP_VERSION}.service
sed -i -e 's/\[Service\]/\[Service\]\nUMask=0007\nUser=php-fpm\nGroup=www\nEnvironment="PHP_VERSION='${PHP_VERSION}'"/g' /usr/lib/systemd/system/php-fpm-${PHP_VERSION}.service
sed -i -e 's/^ProtectKernelModules/#ProtectKernelModules/g' /usr/lib/systemd/system/php-fpm-${PHP_VERSION}.service
sed -i -e 's/^ProtectKernelTunables/#ProtectKernelTunables/g' /usr/lib/systemd/system/php-fpm-${PHP_VERSION}.service
sed -i -e 's/^ProtectControlGroups/#ProtectControlGroups/g' /usr/lib/systemd/system/php-fpm-${PHP_VERSION}.service
sed -i -e 's/^RestrictRealtime/#RestrictRealtime/g' /usr/lib/systemd/system/php-fpm-${PHP_VERSION}.service
sed -i -e 's/^RestrictNamespaces/#RestrictNamespaces/g' /usr/lib/systemd/system/php-fpm-${PHP_VERSION}.service
chmod o+r /usr/lib/systemd/system/php-fpm-${PHP_VERSION}.service

Prise en compte des modifications : 

systemctl daemon-reload
systemctl start php-fpm-${PHP_VERSION}.service
systemctl enable php-fpm-${PHP_VERSION}.service

Activation de la coloration syntaxique pour les fichiers de configuration de PHP-FPM : 

sed -i "s@\" yum conf (close enough to dosini)@\" PHP-FPM conf (close enough to dosini)\nau BufNewFile,BufRead php-fpm.conf,*php-fpm.d/*.conf\t\tcall s:StarSetf('dosini')\n\n\" yum conf (close enough to dosini)@g" /usr/share/vim/vim74/filetype.vim

Intégration de CacheTool dans les binaires de PHP : 

ln -s /local/php/cachetool/cachetool-6.5.0.phar /local/php/php-7.4.7/bin/cachetool

Compilation et installation de PHP 5.6.40 avec FPM

cd
mkdir -p /opt/php/php-5.6.40
wget https://www.php.net/distributions/php-5.6.40.tar.gz
tar -zxf php-5.6.40.tar.gz -C /data/builds
cd /data/builds/php-5.6.40
./configure \
--prefix=/opt/php/php-5.6.40 \
--with-config-file-path=/opt/php/php-5.6.40 \
--disable-all \
--enable-static \
--enable-fpm \
--with-fpm-user=php-fpm \
--with-fpm-group=php-fpm \
--with-fpm-systemd \
--disable-ipv6 \
--enable-cli \
--with-zlib \
--with-bz2 \
--enable-calendar \
--enable-ctype \
--with-curl \
--with-gd \
--enable-intl \
--enable-filter \
--enable-hash \
--enable-json \
--with-ldap \
--enable-mbstring \
--enable-pdo \
--with-pdo-mysql \
--with-pdo-odbc=unixODBC,/usr \
--enable-shared=pdo-mysql \
--enable-phar \
--enable-libxml \
--enable-xml \
--enable-xmlreader \
--enable-xmlwriter \
--enable-opcache \
--enable-zip \
--enable-soap \
--with-pear \
--with-openssl \
--with-libdir=lib64 \
--with-mysqli \
--enable-dom \
--with-iconv \
--enable-simplexml \
--enable-tokenizer \
--enable-session \
&& make -j && make install
cp /opt/php/php-5.6.40/etc/php-fpm.conf.default /opt/php/php-5.6.40/etc/php-fpm.conf
cp /data/builds/php-5.6.40/php.ini-production /opt/php/php-5.6.40/php.ini
sed -i -e 's@;error_log = syslog@;error_log = syslog\nerror_log = /data/logs/localhost/localhost_php-5.6.40.log@g' /opt/php/php-5.6.40/php.ini
sed -i -e 's@;date.timezone =@date.timezone = "Europe/Paris"@g' /opt/php/php-5.6.40/php.ini
sed -i -e 's@\[opcache\]@\[opcache\]\nzend_extension=/opt/php/php-5.6.40/lib/php/extensions/no-debug-non-zts-20131226/opcache.so@g' /opt/php/php-5.6.40/php.ini
/opt/php/php-5.6.40/bin/pear config-set php_ini /opt/php/php-5.6.40/php.ini system
/opt/php/php-5.6.40/bin/pecl config-set php_ini /opt/php/php-5.6.40/php.ini system
mkdir /opt/php/php-5.6.40/etc/php-fpm.d
echo "[localhost]" >> /opt/php/php-5.6.40/etc/php-fpm.d/localhost.conf
echo "user = php-fpm" >> /opt/php/php-5.6.40/etc/php-fpm.d/localhost.conf
echo "group = php-fpm" >> /opt/php/php-5.6.40/etc/php-fpm.d/localhost.conf
echo "listen = /opt/php/sockets/php-5.6.40_\$pool.sock" >> /opt/php/php-5.6.40/etc/php-fpm.d/localhost.conf
echo "listen.owner = php-fpm" >> /opt/php/php-5.6.40/etc/php-fpm.d/localhost.conf
echo "listen.group = www" >> /opt/php/php-5.6.40/etc/php-fpm.d/localhost.conf
echo "listen.mode = 0660" >> /opt/php/php-5.6.40/etc/php-fpm.d/localhost.conf
echo "pm = dynamic" >> /opt/php/php-5.6.40/etc/php-fpm.d/localhost.conf
echo "pm.max_children = 5" >> /opt/php/php-5.6.40/etc/php-fpm.d/localhost.conf
echo "pm.start_servers = 2" >> /opt/php/php-5.6.40/etc/php-fpm.d/localhost.conf
echo "pm.min_spare_servers = 1" >> /opt/php/php-5.6.40/etc/php-fpm.d/localhost.conf
echo "pm.max_spare_servers = 3" >> /opt/php/php-5.6.40/etc/php-fpm.d/localhost.conf
echo "pm.status_path = /php-fpm-status" >> /opt/php/php-5.6.40/etc/php-fpm.d/localhost.conf
echo "ping.path = /php-fpm-ping" >> /opt/php/php-5.6.40/etc/php-fpm.d/localhost.conf
echo "access.log = /data/logs/\$pool/\$pool_php-5.6.40.access.log" >> /opt/php/php-5.6.40/etc/php-fpm.d/localhost.conf
echo "slowlog = /data/logs/\$pool/\$pool_php-5.6.40.log.slow" >> /opt/php/php-5.6.40/etc/php-fpm.d/localhost.conf
echo "php_admin_value[error_log] = /data/logs/\$pool/\$pool_php-5.6.40.log" >> /opt/php/php-5.6.40/etc/php-fpm.d/localhost.conf
echo "php_admin_flag[log_errors] = on" >> /opt/php/php-5.6.40/etc/php-fpm.d/localhost.conf
echo "php_admin_value[error_reporting] = E_ALL" >> /opt/php/php-5.6.40/etc/php-fpm.d/localhost.conf
echo "php_admin_value[session.save_path] = \"/opt/php/sessions/\$pool/\"" >> /opt/php/php-5.6.40/etc/php-fpm.d/localhost.conf
echo "php_value[session.save_path] = \"/opt/php/\$pool/\"" >> /opt/php/php-5.6.40/etc/php-fpm.d/localhost.conf
mkdir -p /opt/php/sockets
chown -R php-fpm:www /opt/php
cp /usr/lib/systemd/system/php-fpm-7.4.7.service /usr/lib/systemd/system/php-fpm-5.6.40.service
sed -i -e 's/7.4.7/5.6.40/g' /usr/lib/systemd/system/php-fpm-5.6.40.service
sed -i -e 's/\[Service\]/\[Service\]\nUMask=0007\nUser=php-fpm\nGroup=www/g' /usr/lib/systemd/system/php-fpm-5.6.40.service
chmod o+r /usr/lib/systemd/system/php-fpm-5.6.40.service

Suppression dans le fichier /usr/lib/systemd/system/php-fpm-5.6.40.service des sections surlignées suivantes : 

# It's not recommended to modify this file in-place, because it
# will be overwritten during upgrades.  If you want to customize,
# the best way is to use the "systemctl edit" command.

[Unit]
Description=The PHP FastCGI Process Manager
After=network.target

[Service]
Type=notify
PIDFile=/opt/php/php-5.6.40/var/run/php-fpm.pid
ExecStart=/opt/php/php-5.6.40/sbin/php-fpm --nodaemonize --fpm-config /opt/php/php-5.6.40/etc/php-fpm.conf
ExecReload=/bin/kill -USR2 $MAINPID

# Set up a new file system namespace and mounts private /tmp and /var/tmp directories
# so this service cannot access the global directories and other processes cannot
# access this service's directories.
PrivateTmp=true

# Mounts the /usr, /boot, and /etc directories read-only for processes invoked by this unit.
ProtectSystem=full

# Sets up a new /dev namespace for the executed processes and only adds API pseudo devices
# such as /dev/null, /dev/zero or /dev/random (as well as the pseudo TTY subsystem) to it,
# but no physical devices such as /dev/sda.
PrivateDevices=true

# Explicit module loading will be denied. This allows to turn off module load and unload
# operations on modular kernels. It is recommended to turn this on for most services that
# do not need special file systems or extra kernel modules to work.
ProtectKernelModules=true

# Kernel variables accessible through /proc/sys, /sys, /proc/sysrq-trigger, /proc/latency_stats,
# /proc/acpi, /proc/timer_stats, /proc/fs and /proc/irq will be made read-only to all processes
# of the unit. Usually, tunable kernel variables should only be written at boot-time, with the
# sysctl.d(5) mechanism. Almost no services need to write to these at runtime; it is hence
# recommended to turn this on for most services.
ProtectKernelTunables=true

# The Linux Control Groups (cgroups(7)) hierarchies accessible through /sys/fs/cgroup will be
# made read-only to all processes of the unit. Except for container managers no services should
# require write access to the control groups hierarchies; it is hence recommended to turn this on
# for most services
ProtectControlGroups=true

# Any attempts to enable realtime scheduling in a process of the unit are refused.
RestrictRealtime=true

# Restricts the set of socket address families accessible to the processes of this unit.
# Protects against vulnerabilities such as CVE-2016-8655
RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK AF_UNIX

# Takes away the ability to create or manage any kind of namespace
RestrictNamespaces=true

[Install]
WantedBy=multi-user.target

Prise en compte des modifications : 

systemctl daemon-reload
systemctl start php-fpm-5.6.40.service
systemctl enable php-fpm-5.6.40.service

Intégration de CacheTool dans les binaires de PHP : 

ln -s /local/php/cachetool/cachetool-3.2.2.phar /local/php/php-5.6.40/bin/cachetool

Installation de Webmin

cd
echo "[Webmin]" >> /etc/yum.repos.d/webmin.repo
echo "name=Webmin Distribution Neutral" >> /etc/yum.repos.d/webmin.repo
echo "#baseurl=https://download.webmin.com/download/yum" >> /etc/yum.repos.d/webmin.repo
echo "mirrorlist=https://download.webmin.com/download/yum/mirrorlist" >> /etc/yum.repos.d/webmin.repo
echo "enabled=1" >> /etc/yum.repos.d/webmin.repo
wget https://download.webmin.com/jcameron-key.asc
rpm --import jcameron-key.asc
yum install webmin perl-Authen-PAM
/etc/rc.d/init.d/webmin stop
find /etc -type l -name *webmin -exec unlink {} \;
echo "[Unit]" >> /usr/lib/systemd/system/webmin.service
echo "Description=Webmin" >> /usr/lib/systemd/system/webmin.service
echo "Requires=local-fs.target" >> /usr/lib/systemd/system/webmin.service
echo "After=basic.target" >> /usr/lib/systemd/system/webmin.service
echo "Conflicts=shutdown.target" >> /usr/lib/systemd/system/webmin.service
echo "" >> /usr/lib/systemd/system/webmin.service
echo "[Service]" >> /usr/lib/systemd/system/webmin.service
echo "Type=oneshot" >> /usr/lib/systemd/system/webmin.service
echo "RemainAfterExit=yes" >> /usr/lib/systemd/system/webmin.service
echo "ExecStart=/etc/webmin/start" >> /usr/lib/systemd/system/webmin.service
echo "ExecStop=/etc/webmin/stop" >> /usr/lib/systemd/system/webmin.service
echo "ExecReload=/etc/webmin/reload" >> /usr/lib/systemd/system/webmin.service
echo "" >> /usr/lib/systemd/system/webmin.service
echo "[Install]" >> /usr/lib/systemd/system/webmin.service
echo "WantedBy=multi-user.target" >> /usr/lib/systemd/system/webmin.service
chmod o+r /usr/lib/systemd/system/webmin.service
systemctl daemon-reload
sed -i -e 's/ssl=1/ssl=0/g' /etc/webmin/miniserv.conf
sed -i -e 's/ipv6=1/ipv6=0/g' /etc/webmin/miniserv.conf
echo "cookiepath=/webmin" >> /etc/webmin/miniserv.conf
echo "webprefix=/webmin" >> /etc/webmin/config
echo "webprefixnoredir=1" >> /etc/webmin/config
echo "referer=1" >> /etc/webmin/config
systemctl start webmin.service
systemctl enable webmin.service
# Ajout des lignes ci-dessous dans la configuration du vhost local /opt/httpd/conf/vhosts/$(hostname -s).conf
	# Configuration Webmin
	ProxyPass /webmin http://localhost:10000
	ProxyPassReverse /webmin http://localhost:10000
	# Fin de configuration Webmin
httpd -k graceful

Configuration Shinken

useradd shinken -U -d /home/shinken -m
passwd shinken
mkdir /home/shinken/.ssh
chmod 700 /home/shinken/.ssh
echo "ssh-rsa xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx yyyyyyyyy@oneserver.mydomain.local" >> /home/shinken/.ssh/authorized_keys
echo "ssh-rsa xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx yyyyyyyyy@anotherserver.mydomain.local" >> /home/shinken/.ssh/authorized_keys
chmod 600 /home/shinken/.ssh/authorized_keys
chown -R shinken:shinken /home/shinken/.ssh

Installation de Oracle Instant Client

wget https://yum.oracle.com/RPM-GPG-KEY-oracle-ol7 -O /etc/pki/rpm-gpg/RPM-GPG-KEY-oracle
gpg --quiet --with-fingerprint /etc/pki/rpm-gpg/RPM-GPG-KEY-oracle
rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-oracle
echo "[ol7_latest]" >> /etc/yum.repos.d/ol7-temp.repo
echo "name=Oracle Linux \$releasever Latest ($basearch)" >> /etc/yum.repos.d/ol7-temp.repo
echo "baseurl=https://yum.oracle.com/repo/OracleLinux/OL7/latest/\$basearch/" >> /etc/yum.repos.d/ol7-temp.repo
echo "gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-oracle" >> /etc/yum.repos.d/ol7-temp.repo
echo "gpgcheck=1" >> /etc/yum.repos.d/ol7-temp.repo
echo "enabled=1" >> /etc/yum.repos.d/ol7-temp.repo
yum install oraclelinux-release-el7
mv /etc/yum.repos.d/ol7-temp.repo /etc/yum.repos.d/ol7-temp.repo.disabled
yum install oracle-release-el7
yum install oracle-instantclient19.6
mv /etc/yum.repos.d/oracle-linux-ol7.repo{,.disabled}
mv /etc/yum.repos.d/oracle-ol7.repo{,.disabled}
mv /etc/yum.repos.d/uek-ol7.repo{,.disabled}
rm -rf /var/cache/yum/x86_64/7/ol7_*
yum clean all
yum makecache

Installation de l'extension oci8 pour PHP 7.4.7

/opt/php/php-7.4.7/bin/pecl channel-update pecl.php.net
/opt/php/php-7.4.7/bin/pecl install oci8

Installation de l'extension oci8 pour PHP 5.6.40

/opt/php/php-5.6.40/bin/pecl channel-update pecl.php.net
/opt/php/php-5.6.40/bin/pecl install oci8-2.0.12

Installation du pilote ODBC pour MSSQL

curl https://packages.microsoft.com/config/rhel/7/prod.repo > /etc/yum.repos.d/mssql-release.repo
ACCEPT_EULA=Y yum install msodbcsql17

Installation de l'extension pdo_sqlsrv pour PHP 7.4.7

/opt/php/php-7.4.7/bin/pecl install pdo_sqlsrv

Programme set_php_version

Contenu du programme /opt/php/set_php_version : 

#!/bin/bash
# Ce programme doit être sourcé pour modifier le PATH
# . set_php_version
declare -A versions
declare -A bin_dirs

get_bin_dirs() {
	i=1
	for bin_dir in $(find /opt/php -type d -name bin 2> /dev/null);
	do
		version="$($bin_dir/php -v|head -1|awk '{print $2}')"
		versions[$i]=$version
		bin_dirs[$version]=$bin_dir
		((i++))
	done
}

pathremove () {
        local IFS=':'
        local NEWPATH
        local DIR
        local PATHVARIABLE=${2:-PATH}
        for DIR in ${!PATHVARIABLE} ; do
                if [ "$DIR" != "$1" ] ; then
                  NEWPATH=${NEWPATH:+$NEWPATH:}$DIR
                fi
        done
        export ${PATHVARIABLE}="$NEWPATH"
}

pathprepend () {
        pathremove $1 $2
        local PATHVARIABLE=${2:-PATH}
        export $PATHVARIABLE="$1${!PATHVARIABLE:+:${!PATHVARIABLE}}"
}

pathappend () {
        pathremove $1 $2
        local PATHVARIABLE=${2:-PATH}
        export $PATHVARIABLE="${!PATHVARIABLE:+${!PATHVARIABLE}:}$1"
}


if [ "$#" -eq 0 ];
then
	## Récupération des différents dossiers hébergeant les binaires PHP
	#########################
	get_bin_dirs

	## Choix de version PHP
	#########################
	echo -e "Veuillez choisir une version de PHP à utiliser :\n"
	i=1

	# On parcourt le tableau des applications
	for iversion in "${!versions[@]}"
	do
		# On affiche une liste numérotée des versions
		echo "$i)  ${versions[${i}]}"
		((i++))
	done
	echo ""
	read -p "Choix : " version_choice
	echo ""

	if [[ $version_choice != "" ]]
	then
		# On peut choisir la version par son numéro
		if [[ $version_choice =~ ^[[:digit:]]+$ ]]
		then
			if [[ ! -z ${versions[$version_choice]} ]]
			then
				str_bindir=${bin_dirs[${versions[$version_choice]}]}
				str_version=${versions[$version_choice]}
			fi
		# Ou par la version directement
		elif [[ ! -z ${bin_dirs[$version_choice]} ]]
		then
			str_bindir=${bin_dirs[$version_choice]}
			str_version=${version_choice}
		fi
	fi
elif [ "$#" -eq 1 ];
then
	## Récupération des dossifférents dossiers hébergeant les binaires PHP
	#########################
	get_bin_dirs

	if [[ ! -z ${bin_dirs[$1]} ]]
	then
		str_bindir=${bin_dirs[$1]}
		str_version=$1
	elif [[ $1 == "reset" ]]
	then
		echo "Reset du PATH sans les binaires PHP"
		for dir in ${bin_dirs[*]}
		do
			pathremove "${dir}"
		done
		if [[ ! -z $oldPS1 ]]
		then
			PS1=$oldPS1
			unset oldPS1
		else
			PS1="[\u@\h \W]\\$ "
		fi
	fi
else
	echo "Nombre de paramètres attendus : 1"
fi

if [[ -z $str_bindir ]]
then
	if [[ $1 != "reset" ]]
	then
		echo "Choix de version invalide !"
		get_bin_dirs
		echo "Versions disponibles : "${!bin_dirs[*]}
	fi
else
	echo -e "Version de PHP : $str_version. Path : $str_bindir"
	echo -e "Pour retirer les binaires PHP du PATH, utiliser la commande « set_php_version reset »"
	for dir in ${bin_dirs[*]}
	do
		pathremove "${dir}"
	done

	pathprepend ${str_bindir}

	if [[ -z $oldPS1 ]]
	then
		oldPS1=$PS1
	fi
	export PS1="[\u@\h \W|\[\033[0;31m\]PHP ${str_version}\[\033[0m\]]\\$ "
fi

unset version versions str_bindir bin_dir bin_dirs pathremove pathprepend pathappend get_bin_dirs version_choice str_version

Changement des droits d'accès 

chmod 555 /opt/php/set_php_version

Ajout de l'alias dans le profile par défaut : 

echo "alias set_php_version='. /opt/php/set_php_version'" >> /etc/profile.d/sh.local

Installation Zabbix

Installation de l'agent

rpm -Uvh https://repo.zabbix.com/zabbix/4.4/rhel/7/x86_64/zabbix-release-4.4-1.el7.noarch.rpm
rpm -import http://repo.zabbix.com/RPM-GPG-KEY-ZABBIX-A14FE591
yum install zabbix-agent
sed -i -e 's/Server=127.0.0.1/Server=myzabbixserver/g' -e 's/ServerActive=127.0.0.1/ServerActive=myzabbixserver/g' -e 's/Hostname=Zabbix server/Hostname=$(hostname -s)/g' -e 's@PidFile=/var/run/zabbix/zabbix_agentd.pid@PidFile=/run/zabbix/zabbix_agentd.pid@g' /etc/zabbix/zabbix_agentd.conf

Ajout du service dans le pare-feu

firewall-cmd --permanent --new-service=zabbixclient
firewall-cmd --permanent --service=zabbixclient --set-description="Zabbix Client Service"
firewall-cmd --permanent --service=zabbixclient --set-short=zabbixclient
firewall-cmd --permanent --service=zabbixclient --add-port=10050/tcp
firewall-cmd --reload

Installation du template PHP-FPM

Installation des prérequis : 

yum -y install grep gawk lsof jq fcgi unzip bc

Téléchargement de la dernière version : 

curl -L $(curl -s https://api.github.com/repos/rvalitov/zabbix-php-fpm/releases/latest | grep 'zipball_' | cut -d\" -f4) --output /tmp/zabbix-php-fpm.zip

Extraction des fichiers : 

unzip -j /tmp/zabbix-php-fpm.zip "*/zabbix/*" "*/ispconfig/*" -d /tmp/zabbix-php-fpm

Copie des fichiers dans la configuration Zabbix : 

cp /tmp/zabbix-php-fpm/userparameter_php_fpm.conf $(find /etc/zabbix/ -name zabbix_agentd*.d -type d | head -n1)
cp /tmp/zabbix-php-fpm/zabbix_php_fpm_discovery.sh /etc/zabbix/
cp /tmp/zabbix-php-fpm/zabbix_php_fpm_status.sh /etc/zabbix/

Ajout du droit d’exécution sur les scripts : 

chown zabbix /etc/zabbix/zabbix_agentd.d/userparameter_php_fpm.conf
chmod +x /etc/zabbix/zabbix_php_fpm_discovery.sh
chmod +x /etc/zabbix/zabbix_php_fpm_status.sh

Ajouter les droits nécessaires dans sudoers pour Zabbix : 

echo 'zabbix ALL = NOPASSWD: /etc/zabbix/zabbix_php_fpm_discovery.sh,/etc/zabbix/zabbix_php_fpm_status.sh' | EDITOR='tee -a' visudo -f /etc/sudoers.d/sudo_zabbix

Augmentation du seuil de connexion par socket sur le serveur : 

echo "net.core.somaxconn=1024" | tee -a /etc/sysctl.conf
sysctl -p

Supprimer les fichiers temporaires : 

rm /tmp/zabbix-php-fpm.zip
rm -rf /tmp/zabbix-php-fpm

Ajout de l'outil cachetool

Pour PHP 7

curl -sLO https://github.com/gordalina/cachetool/releases/latest/download/cachetool.phar
chmod o+rx cachetool.phar
mv cachetool.phar /usr/local/bin/cachetool

Pour PHP 5

curl -sLO https://gordalina.github.io/cachetool/downloads/cachetool-3.2.2.phar
chmod o+rx cachetool-3.2.2.phar
mv cachetool-3.2.2.phar /usr/local/bin/cachetool_for_PHP5

Pour MySQL

Ajout du dépôt MySQL

yum -y install https://dev.mysql.com/get/mysql80-community-release-el7-3.noarch.rpm
yum makecache
yum-config-manager --disable mysql80-community
yum-config-manager --enable mysql57-community
yum makecache

Installation de MySQL

yum -y install mysql-community-server

Configuration de MySQL

Création des dossiers hébergeant les logs et les bases : 

mkdir -p /data/{mysql,logs}
chown mysql:mysql /data/mysql
chmod 770 /data/logs

Personnalisation de la configuration MySQL : 

sed -i -e 's@datadir=/var/lib/mysql@datadir=/data/mysql@g' -e 's@log-error=/var/log/mysqld.log@log-error=/data/logs/mysqld.log@g' /etc/my.cnf
echo "explicit_defaults_for_timestamp=1" >> /etc/my.cnf
echo "skip-ssl=1" >> /etc/my.cnf
echo "bind_address=0.0.0.0" >> /etc/my.cnf
echo "skip-name-resolve=1" >> /etc/my.cnf
echo "query_cache_size=0" >> /etc/my.cnf
echo "innodb_log_file_size=16777216" >> /etc/my.cnf
echo "character-set-server=utf8" >> /etc/my.cnf
echo "collation-server=utf8mb4_general_ci" >> /etc/my.cnf

Ouverture du port MySQL dans le pare-feu : 

firewall-cmd --add-service=mysql
firewall-cmd --add-service=mysql --permanent

Démarrage et réinitialisation du mot de passe root de MySQL : 

systemctl start mysqld
export MYSQL_PWD=$(grep 'temporary password' /data/logs/mysqld.log | awk '{print $NF}')
export MYSQL_NEW_PWD="xxxxxxxxxxxxx"
mysql --connect-expired-password -uroot -e "ALTER USER 'root'@'localhost' IDENTIFIED BY '$MYSQL_NEW_PWD';"

Ajout des comptes d'exploitation : 

export MYSQL_PWD=$MYSQL_NEW_PWD
mysql -uroot -e "UNINSTALL PLUGIN validate_password;"
mysql -uroot -e "GRANT ALL PRIVILEGES ON *.* TO 'pma_user'@'172.19.0.71' IDENTIFIED BY 'xxxxxxxxxxxxx' WITH GRANT OPTION;"
mysql -uroot -e "GRANT SELECT, INSERT, UPDATE, DELETE ON phpmyadmin.* TO 'pma_controluser_user'@'172.19.0.71' IDENTIFIED BY 'xxxxxxxxxxxxx';"
mysql -uroot -e "GRANT USAGE,REPLICATION CLIENT,PROCESS,SHOW DATABASES,SHOW VIEW ON *.* TO 'zbx_monitor'@'localhost' IDENTIFIED BY 'xxxxxxxxxxxxx';"

Ajout des tables pour le stockage de configurations PhpMyAdmin : 

wget -q https://raw.githubusercontent.com/phpmyadmin/phpmyadmin/RELEASE_4_9_4/sql/create_tables.sql
mysql -uroot < create_tables.sql
rm -f create_tables.sql

Ajout de l'outil mysqltuner

yum -y install perl-Data-Dumper
wget http://mysqltuner.pl/ -O /usr/bin/mysqltuner
chmod u+x /usr/bin/mysqltuner


Installation Zabbix

Installation du template MySQL Zabbix

mkdir -p $(grep zabbix /etc/passwd|awk -F: '{print $6}')
chown zabbix:zabbix $(grep zabbix /etc/passwd|awk -F: '{print $6}')
sudo -u zabbix mysql_config_editor set --user=zbx_monitor
echo "MYSQL_PWD=xxxxxxxxxxxxxxxx" >> /etc/sysconfig/zabbix-agent
wget -q https://git.zabbix.com/projects/ZBX/repos/zabbix/raw/templates/db/mysql_agent/template_db_mysql.conf?at=refs%2Fheads%2Fmaster -O /etc/zabbix/zabbix_agentd.d/template_db_mysql.conf
chmod o+r /etc/zabbix/zabbix_agentd.d/template_db_mysql.conf

Suppression des informations sensibles

>/root/.bash_history
Récupérée de « https://wiki.jordan-lenuff.com/index.php?title=Technique/Systèmes_d%27exploitation/CentOS/Installer_CentOS_7/Post-installation&oldid=1187 »