Browsing articles tagged with Linux

Linux Integration Services 3.1 for Hyper-V

July 27, 2011   //   by demon   //   Tech  //  0 Comments

For all my skepticism for Twitter, I did come across this announcement on Twitter: the release of Linux Integration Services 3.1 for Hyper-V.

The updates primarily add support for:

  • Red Hat Enterprise Linux (RHEL) 6.0 and 6.1 x86 and x64 (Up to 4 vCPU)
  • CentOS 6.0 x86 and x64 (Up to 4 vCPU)

The features of V3.1 of the Linux Integration Services are:

  • “Driver support: Linux Integration Services supports the network controller and the IDE and SCSI storage controllers that were developed specifically for Hyper-V.
  • Fastpath Boot Support for Hyper-V: Boot devices now take advantage of the block Virtualization Service Client (VSC) to provide enhanced performance.
  • Timesync: The clock inside the virtual machine will remain synchronized with the clock on the virtualization server with the help of the pluggable time source device.
  • Integrated Shutdown: Virtual machines running Linux can be shut down from either Hyper-V Manager or System Center Virtual Machine Manager by using the “Shut Down” command.
  • Symmetric Multi-Processing (SMP) Support: Supported Linux distributions can use up to 4 virtual processors (VP) per virtual machine.  SMP support is not available for 32-bit Linux guest operating systems running on Windows Server 2008 Hyper-V or Microsoft Hyper-V Server 2008.
  • Heartbeat: Allows the virtualization server to detect whether the virtual machine is running and responsive.
  • KVP (Key Value Pair) Exchange: Information about the running Linux virtual machine can be obtained by using the Key Value Pair exchange functionality on the Windows Server 2008 virtualization server”.

…and something else that I have long wished for…the ability to install the drivers using rpm! No more Perl scripts to run! The benefit of this (I think?) is that it should allow a far easier deployment of Linux VMs.

There is a PDF ReadMe to accompany the installer (containing an ISO of the drivers), that has details on how to do the install. It mentions how Linux VMs must have static MAC addresses set in the VM settings for each NIC if used in a Hyper-V cluster, because of the way Linux handles MAC addresses. From an automation perspective, this could be an issue – certainly something I need to look in to.

I am glad this came out now, as I wanted to build a CentOS VM to act as a proxy/firewall, and was going to use CentOS v6.0 x64, but reverted back to v5.6 because the 2.1 version of the Integration Components wasn’t supported.

I am very encouraged by the speed at which these drivers came out, as CentOS v6.0 was released only a few weeks ago, so this is very promising. I think the next step for Microsoft is to get the drivers built in to the OS, much like Ubuntu. I did an Ubuntu 11.04 install yesterday on Hyper-V, and enabling the drivers is done by simply adding four lines of code to a file and running an update command afterwards!

Install VSFTPD on CentOS v5 x86/64-bit

May 29, 2011   //   by demon   //   Tech  //  0 Comments

Following on from my previous posts of installing Apache on CentOS, this post will run through setting up VSFTPD to run an FTP server so you can upload your website files.

As much as I hate FTP because it is archaic and insecure (sending passwords in clear text), it does serve its purpose of uploading files to a GUI-less Linux server.

This post will run through installing VSFTPD, and setting up a user to access a restricted location. See the following posts on how to install CentOS on Hyper-V to get a secure O/S environment setup.

Step one is to create a location that is restricted to this user. I will use a location where we will be storing a website as per the Apache install website:

  • /var/www/vhosts/mydomain.com/httpdocs/

We now have a location where we can upload a website. Now we need to create the user account that will be used to login via FTP, and map this account to the web site root folder as the home location:

  • adduser -d /var/www/vhosts/mydomain.com/httpdocs/ mydomain.com
  • passwd mydomain.com

With the user created and mapped to the website root folder, we now need to set the owner and permissions on the root folder so that the user can write files and subfolders:

  • chown mydomain.com:mydomain.com /var/www/vhosts/mydomain.com/httpdocs/
  • chmod 755 /var/www/vhosts/mydomain.com/httpdocs/

If you are running a WordPress site, you will also need to run the following command to make the WP-Content folder writable for Apache:

  • chmod 777 /var/www/vhosts/mydomain.com/httpdocs/wp-content

Now we need to install VSFTPD:

  • yum install -y vsftpd
  • chkconfig --level 2345 vsftpd on
  • service vsftpd start

Now we need to configure the VSFTPD vsftpd.conf configuration file. I have only added the lines that I edit (you will need to search!):

  • vi /etc/vsftpd/vsftpd.conf
  • anonymous_enable=NO
  • ascii_upload_enable=YES
  • ftpd_banner=Welcome to mydomain.com FTP Server
  • chroot_list_enable=YES
  • chroot_list_file=/etc/vsftpd/chroot_list
  • ls_recurse_enable=YES
  • chroot_local_user=YES

We now need to create and update the chroot_list of users who are jailed to their home directory (specified when we create our users):

  • vi /etc/vsftpd/chroot_list
  • #mydomain.com

Now restart the VSFTP service to put the new changes in to effect:

  • service vsftpd restart

You will need to open up TCP port 21 on incoming traffic on your firewall. Now test and see if you can log in.
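
An added check, not from the original post: vsftpd documents that when chroot_local_user=YES the file named by chroot_list_file lists the users who are exempt from the jail, so the script below works out from the two settings whether a given account ends up confined. Assumptions: the last uncommented KEY=value line wins, list entries are compared as whole lines, and the sample files are constructed here.

```bash
# Added example: will vsftpd chroot this local user?

# vsftpd_setting CONF KEY DEFAULT -> raw value of KEY.
# Assumption: the last uncommented "KEY=value" line wins, because vsftpd
# applies settings in file order.
vsftpd_setting() (
    val=$(sed -n "s/^$2=//p" "$1" | tail -n 1)
    printf '%s\n' "${val:-$3}"
)

# Same lookup for YES/NO options, normalised to upper case.
vsftpd_bool() ( vsftpd_setting "$1" "$2" "$3" | tr 'a-z' 'A-Z' )

# chroot_status CONF USER -> prints "jailed" or "not-jailed".
chroot_status() (
    conf=$1
    user=$2
    all=$(vsftpd_bool "$conf" chroot_local_user NO)
    use_list=$(vsftpd_bool "$conf" chroot_list_enable NO)
    list=$(vsftpd_setting "$conf" chroot_list_file /etc/vsftpd.chroot_list)

    # Assumption: an entry counts only if a whole line equals the user name,
    # so "#mydomain.com" does not match the account "mydomain.com".
    listed=no
    if [ "$use_list" = YES ] && [ -r "$list" ] && grep -Fxq -e "$user" "$list"; then
        listed=yes
    fi

    case "$all:$listed" in
        YES:no)  echo jailed ;;      # chroot_local_user=YES jails everyone...
        YES:yes) echo not-jailed ;;  # ...except the users named in the list
        *:yes)   echo jailed ;;      # chroot_local_user=NO: the list names the jailed users
        *)       echo not-jailed ;;
    esac
)

# write_fixture DIR CHROOT_LOCAL_USER LIST_LINE
# Constructed sample files that mirror the settings used in this post.
write_fixture() {
    cat > "$1/vsftpd.conf" <<EOF
anonymous_enable=NO
chroot_list_enable=YES
chroot_list_file=$1/chroot_list
chroot_local_user=$2
EOF
    printf '%s\n' "$3" > "$1/chroot_list"
}

# Demo on constructed input: the same list entry flips meaning with chroot_local_user.
demo_dir=$(mktemp -d)
for combo in 'YES #mydomain.com' 'YES mydomain.com' 'NO mydomain.com'; do
    set -- $combo
    write_fixture "$demo_dir" "$1" "$2"
    printf 'chroot_local_user=%s  list entry=%s  ->  %s\n' \
        "$1" "$2" "$(chroot_status "$demo_dir/vsftpd.conf" mydomain.com)"
done
rm -rf "$demo_dir"
```

Point chroot_status at /etc/vsftpd/vsftpd.conf after editing and before restarting the service to confirm the FTP account is still confined.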

Install Apache on CentOS v5 x86/64-bit

May 23, 2011   //   by demon   //   Tech  //  0 Comments

I have built a few Linux web servers, running on CentOS with the LAMP design – the A being Apache, and the P for PHP. Any server running web server software and web frameworks needs to have security in mind, right from the install, configuration and use.

Here is my breakdown of the install, configuration and hardening that might be of use to others. See the following posts on how to install CentOS on Hyper-V to get a secure O/S environment setup. You can also catch my previous posts regarding installing, backing up and optimising MySQL on CentOS.

Step one is to obviously get Apache installed and started up:

  • yum install -y httpd
  • chkconfig --level 2345 httpd on
  • service httpd start

Step two is to get PHP and the necessary modules installed:

  • yum install php php-mysql php-common php-gd php-mbstring php-mcrypt php-devel php-xml

Now restart the Apache service to put the new changes in to effect:

  • service httpd restart

Apache and PHP are now installed, and the service is started. Now we need to create our web server folder structure for our one or multiple websites. Assume our first website is for a domain called mydomain.com:

  • mkdir /var/www/vhosts
  • mkdir /var/www/vhosts/mydomain.com
  • mkdir /var/www/vhosts/mydomain.com/httpdocs
  • mkdir /var/www/vhosts/mydomain.com/logs

The next step is a little bit of security. When you visit the base public IP address of the server, you will see a default Apache welcome page. I prefer to turn this off by commenting out the configuration file for this:

  • vi /etc/httpd/conf.d/welcome.conf
  • <Comment out all the lines with a #>

Now we need to configure the Apache httpd.conf configuration file. The configuration file is quite long, so I have only added the lines that I edit (you will need to search!):

  • vi /etc/httpd/conf/httpd.conf
  • AddType application/x-httpd-php .php
  • AddType application/x-httpd-php-source .phps
  • NameVirtualHost <PublicIPAddress>
  • <VirtualHost PublicIPAddress>
  • ServerAdmin email@domain.com
  • ServerAlias www.mydomain.com
  • ServerName mydomain.com:80
  • UseCanonicalName Off
  • DocumentRoot /var/www/vhosts/mydomain.com/httpdocs
  • CustomLog /var/www/vhosts/mydomain.com/logs/access_log common
  • ErrorLog /var/www/vhosts/mydomain.com/logs/error_log
  • DirectoryIndex index.php
  • </VirtualHost>

Now restart the Apache service to put the new changes in to effect:

  • service httpd restart

If the service fails to restart then you probably have a spelling mistake in your configuration. Use the following command to check there are no errors with your new configuration:

  • /usr/sbin/apachectl configtest

Log management is the next step, as unmaintained log files can grow and grow, and if your website becomes exceptionally busy then these can eat into the server’s disk space:

  • vi /etc/logrotate.d/httpd/vhosts
  • /var/www/vhosts/somethingisaw.co.za/logs/*log {
  • monthly
  • rotate 12
  • compress
  • missingok
  • notifempty
  • sharedscripts
  • postrotate
  • /sbin/service httpd reload > /dev/null 2>/dev/null || true
  • endscript
  • }

And that is that. You will need to open TCP port 80 in your firewall for incoming traffic. Apache should take care of the permissions, inheriting them from the /var/www/ folder when Apache was installed. There is a lot more reading online on how to further secure this.

The scripts below are simple backup scripts to back up local copies of the website content on a regular basis:

  • mkdir /home/backups/vhosts/
  • cd /home/scripts
  • vi vhosts_backup_all.sh
  • #!/bin/sh
  • tar -cvzpf /home/backups/vhosts/vhosts_backup_all.tgz /var/www/vhosts/

We must set the permissions on the script so that it can be executed:

  • chmod u+x vhosts_backup_all.sh

I create a backup each day of the week (I haven’t written a script to rotate the backups yet), and then edit crontab to run them on a daily basis:

  • vi /etc/crontab
  • 0 6 * * * root /home/scripts/vhosts_backup_all.sh
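
The day-of-week rotation mentioned above could be scripted as follows; this is an added example, not the author's script. It keeps seven archives that overwrite themselves weekly, creates them readable by root only (a site archive usually contains files such as wp-config.php with database credentials), and replaces the previous archive only after the new one has been verified. The two-argument command line is an assumption.

```bash
#!/bin/bash
# Added example: weekday-rotated, root-only backup of the vhosts tree.

# backup_vhosts SRC_DIR DEST_DIR
# Writes DEST_DIR/vhosts_backup_<Mon..Sun>.tgz and prints its path.
# Returns non-zero, leaving any previous archive for that weekday untouched,
# if the archive cannot be created or does not read back cleanly.
backup_vhosts() (
    src=$1
    dest=$2
    day=$(LC_ALL=C date +%a)          # Mon, Tue, ... regardless of system locale
    out="$dest/vhosts_backup_$day.tgz"
    tmp="$out.partial"

    umask 077                         # new files 0600, new directories 0700
    mkdir -p "$dest" || exit 1

    # Archive relative to the parent directory so that a restore recreates
    # "vhosts/..." wherever it is unpacked; -p keeps the file permissions.
    tar -czpf "$tmp" -C "$(dirname "$src")" "$(basename "$src")" \
        || { rm -f "$tmp"; exit 1; }

    # Read the archive back before it replaces last week's copy.
    tar -tzf "$tmp" > /dev/null || { rm -f "$tmp"; exit 1; }

    mv -f "$tmp" "$out" || exit 1
    printf '%s\n' "$out"
)

# When run as a script:
#   vhosts_backup_all.sh /var/www/vhosts /home/backups/vhosts
if [ "$#" -eq 2 ]; then
    backup_vhosts "$1" "$2"
fi
```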

Optimise MySQL on CentOS v5 x86/64-bit

May 19, 2011   //   by demon   //   Tech  //  0 Comments

The final step in this MySQL series of posts (read the Install and Backup posts), is the regular optimisation of MySQL.

The my.cnf file has a lot of options that will enable you to customise your MySQL environment to the hardware available and the demand it receives. There are some very good performance monitoring scripts available that will run diagnostics against the MySQL server and offer advice on how to enhance your MySQL configuration.

I had MySQL databases running in one database environments and others in Shared Hosting with multiple environments, so I would set these scripts to run weekly and provide me with the necessary advice to continually optimise the performance.

First step, is to download the performance script and set the execute permissions:

  • cd /home/scripts
  • wget -O mysqltuner.pl mysqltuner.pl
  • chmod u+x mysqltuner.pl

We can run the above script, and it will provide the necessary diagnostics. However, that is a manual task and we want to automate the script to run weekly and send us an email with the results:

  • vi mysql_tuner_weekly.sh
  • #!/bin/sh
  • /home/scripts/mysqltuner.pl --user mysql-local --pass <Password> > /home/scripts/mysqltuner.log
  • cat /home/scripts/mysqltuner.log | mail -s "MySQL Tuner Log" email@domain.com
  • rm -rf /home/scripts/mysqltuner.log

The above script calls the mysqltuner.pl Perl script, providing the authentication to connect to the local MySQL instance. It will run the diagnostics, outputting the results to the mysqltuner.log file. This file is then emailed off to email@domain.com and the script then does housekeeping by removing the log file.

This script will not run on Windows, so if you want to optimise a Windows instance of MySQL, you need to use the following script:

  • #!/bin/sh
  • /home/scripts/mysqltuner.pl --host <RemoteServerFQDN> --port <RemoteMySQLPort> --forcemem <RemoteServerRAM> --user mysql-public --pass <Password> > /home/scripts/mysqltuner.log
  • cat /home/scripts/mysqltuner.log | mail -s "<RemoteServerFQDN> MySQL Tuner Log" email@domain.com
  • rm -rf /home/scripts/mysqltuner.log

I actually had a management server that had one script, connecting to all the Windows instances of MySQL and a script running locally on all the Linux instances.

Final step is to now schedule the script to run daily at 21:30:

  • vi /etc/crontab
  • 0 6 * * 0 root /home/scripts/mysql_tuner_weekly.sh

I would allow your MySQL server to run for a few days before you first run the script, so that MySQL can generate some stats for the scripts to analyse. You will find that the first time it runs, you will get a lot of options to update in my.cnf, but after that, it dies down.

Another performance script is available:

  • wget http://www.day32.com/MySQL/tuning-primer.sh

However, I only ever ran it locally because the output to email was too messy and I couldn’t get clean results. However, it is very useful to keep and run when running heavy performance diagnostics on the local MySQL server.

Backup MySQL on CentOS v5 x86/64-bit

May 19, 2011   //   by demon   //   Tech  //  2 Comments

My previous post ran through the steps to install, configure and secure MySQL on CentOS. This post will run through some steps to keep your MySQL installation backed up.

First up, login as root and create a location to store local backups as well as a location to store our backup scripts:

  • mkdir /home/backups
  • mkdir /home/backups/mysql
  • mkdir /home/scripts

We don’t need to reinvent the wheel and there are excellent backup scripts available with regular backup rotation features built in, freely available on the Internet:

  • cd /home/scripts
  • wget "http://sourceforge.net/projects/automysqlbackup/files/AutoMySQLBackup/AutoMySQLBackup VER 2.5/automysqlbackup-2.5.1-01.sh"
  • mv automysqlbackup-2.5.1-01.sh mysql_backup_all_daily.sh
  • chmod u+x *.sh

The last two commands above rename the backup script to something a little more friendly, and then set the required permissions for the script to be executed.

We can now customise the script to connect to our MySQL instance and back up the databases:

  • vi mysql_backup_all_daily.sh
  • USERNAME=mysql-local
  • PASSWORD=<Password>
  • BACKUPDIR="/home/backups/mysql"
  • MAILADDR="email@domain.com"

The above configurations will essentially back up the local MySQL instance to /home/backups/mysql and then send an email to you, informing you of the completion success/failure of the backup. The script has notes inside that will allow you to customise more features such as emailing you the backups, selecting databases to backup, etc.

Final step is to now schedule the script to run daily at 21:30:

  • vi /etc/crontab
  • 30 21 * * * root /home/scripts/mysql_backup_all_daily.sh

The script will retain a backup for every day, a week and a month, and will rotate these backups for you. Nice!

You can run this script from a remote backup server, but you will need to ensure you open the necessary firewall ports and use the mysql-public account for remote access.

Install MySQL on CentOS v5 x86/64-bit

May 19, 2011   //   by demon   //   Tech  //  0 Comments

I have built a few Linux web servers, running on CentOS with the LAMP design – the M being MySQL. Any server running database software needs to have security in mind, right from the install, configuration and use.

Here is my breakdown of the install, configuration and hardening that might be of use to others. See the following posts on how to install CentOS on Hyper-V to get a secure O/S environment setup.

Step one is to obviously get MySQL installed and started up:

  • yum install -y mysql-server
  • chkconfig --level 2345 mysqld on
  • service mysqld start

MySQL is now installed and the service is started. Now we need to configure the MySQL my.cnf configuration file:

  • vi /etc/my.cnf
  • [client]
  • port=3306
  • socket=/var/lib/mysql/mysql.sock
  • [mysqld]
  • port=3306
  • datadir=/var/lib/mysql
  • socket=/var/lib/mysql/mysql.sock
  • old_passwords=1
  • default-storage-engine=INNODB
  • skip-locking
  • skip-bdb
  • [mysqld_safe]
  • log-error=/var/log/mysqld.log
  • pid-file=/var/run/mysqld/mysql.pid

The above configuration is very basic and uses all the default values, but I will show you how to run tools that will enhance the configuration file for optimal performance.

If you intend to access this MySQL server remotely and you have the option available, it is often ideal to change the [client] and [mysqld] ports from 3306 to something else to further reduce your attack surface.

Now restart the MySQL service to put the new changes in to effect:

  • service mysqld restart

If the service fails to restart then you probably have a spelling mistake in your configuration, so use the following command to view the MySQL log file for help:

  • vi /var/log/mysqld.log

Now we need to harden MySQL, so let’s get rid of any guest databases and user accounts:

  • mysql -u root
  • drop database test;
  • use mysql;
  • delete from mysql.user where user='';
  • delete from mysql.user where Host='127.0.0.1';
  • delete from mysql.user where Host='<ComputerName>';

The last three commands will leave 'root'@'localhost' as the only user who will be able to access MySQL, which does mean that no one can access your MySQL whilst you continue with your configuration.

The MySQL root user has full system access, and it is commonly used in brute-force dictionary attacks, so we are going to rename it to mysql-local and give the account a password:

  • update user set user='mysql-local' where user='root';
  • update user set password=PASSWORD('<Password>') where user='mysql-local';
  • grant all on *.* to 'mysql-local'@'localhost' identified by '<Password>' with grant option;

I normally create two root/super-user accounts:

  • mysql-local = a root user that can only be used locally on the MySQL server with terminal access, and not be used from a remote machine
  • mysql-public = a root user that can only be used from a remote machine, and can not be used locally with terminal access.

If you don’t want anyone to access the root account from a remote machine, then you can ignore this step. Otherwise we can create our remote root user:

  • insert into user (Host,User,Password) values ('%','mysql-public',PASSWORD('<Password>'));
  • grant all on *.* to 'mysql-public'@'%' identified by '<Password>' with grant option;

The final step before finishing off, is to flush any existing permissions and apply the new changes:

  • flush privileges;

Time to log off, restart MySQL (just for good measure) and verify we can re-login with the new mysql-local user account:

  • exit;
  • service mysqld restart
  • mysql -u mysql-local -p<Password>
  • exit;

The following command is very useful as it clears the history of all the work we have done above and we don’t want someone to login to the server and be able to view the history of the work we have done:

  • cat /dev/null > ~/.mysql_history

And that is that. If you need remote access, then you will need to open TCP port 3306 in your firewall for incoming traffic. If you decide to change this port number (which you should if you can), then you will need to open up that port instead.

Please also note that MySQL is a Linux application, so it is case-sensitive. This applies to both the username, password, and databases!

Even though the Windows installation procedure for MySQL will differ, you can still apply the same configuration steps.

Configuring CentOS v5 x86/64-bit on Hyper-V 2008 R2

February 12, 2011   //   by demon   //   Tech  //  0 Comments

I have already posted the three part mini series on how to create a VM on Hyper-V 2008 R2, install CentOS on the VM and install the Hyper-V 2008 R2 Integration Components.

Now that we have a CentOS VM up and running, it’s now time to configure the base OS, before we start installing any applications. The purpose of this task is to further secure the OS as well as provide basic remote monitoring and connectivity tools.

The following instructions will cover:

  • Creating home directories
  • Installing the APF Firewall
  • Disabling unnecessary services
  • Installing SNMP for remote monitoring
  • Forwarding the daily Logwatch emails
  • Create a local user
  • Configuring SSH

1. Creating home directories is for storing scripts, backups and other useful tools in the root home directory.

mkdir /home/backups

mkdir /home/scripts

mkdir /home/software-library

Backups is for application/configuration backups. Scripts is for any scheduled scripts we wish to run on the machine. Software-Library is for storing any application installers – I normally remove the installers once I am done with them.

2. Installing the APF Firewall will provide a much more feature-rich software firewall than the built-in CentOS offering.

cd /home/software-library

wget http://www.rfxn.com/downloads/apf-current.tar.gz

tar -zxvf apf-current.tar.gz

cd apf-9.7-1

sh ./install.sh

cd -

rm  -rf apf-9.7-1

You may see an error during the install, saying that it can’t find eth0 – this is not an issue as the default configuration file for APF specifies the default NIC as eth01; we will be changing this below. Now that we have installed APF and removed its installer, we can configure it (I am basing the current setup on a BIND DNS server I run, with SNMP monitoring):

vi /etc/apf/conf.apf

  • DEVEL_MODE="0"
  • IFACE_IN="seth0"
  • IFACE_OUT="seth0"
  • SET_TRIM="0"
  • TOS_8="53"
  • IG_TCP_PORTS="22,53"
  • IG_UDP_PORTS="53, 161"
  • EGF="1"
  • EG_TCP_PORTS="21,25,53,80,443"
  • EG_UDP_PORTS="20,21,53,162"

The above bullet points indicate the following:

  • DEVEL_MODE = When set to 1, the firewall starts based on the configuration and runs for 5 minutes then turns itself off – in case you lock yourself out! Set this to 0 when you are satisfied with your configuration
  • IFACE_IN = The name of your external NIC, where traffic comes in
  • IFACE_OUT = The name of your external NIC, where traffic goes out
  • SET_TRIM = Controls the max allowed entries in the deny trust system, defaults to 50 lines with older entries
  • TOS_8 = Ports for maximum throughput and minimum delay
  • IG_TCP_PORTS = Incoming TCP ports to open
  • IG_UDP_PORTS = Incoming UDP ports to open
  • EGF = When set to 1, allows the firewall to lock outbound traffic. Set this to 0 if you want to allow all outbound traffic
  • EG_TCP_PORTS = Outgoing TCP ports to open
  • EG_UDP_PORTS = Outgoing UDP ports to open

Now that we have started our configuration, we need to start APF:

/usr/local/sbin/apf -s

You will see APF generate all the rules – now it is a good time to test.

3. Disabling unnecessary services can be done either via the commandline or via Setup. Seeing as we installed the base package, setup is a quicker process. Type setup to enter the Firstboot/Setup wizard

  • Select System services
  • Use the spacebar to unselect the following services:
    • anacron
    • atd
    • autofs
    • avahi-daemon
    • bluetooth
    • cups
    • firstboot
    • gpm
    • hidd
    • mdmonitor
    • netfs
    • nfslock
    • pcscd
    • portmap
    • rpcgssd
    • rpcidmapd
    • smartd

Here is a list of services (daemons) to help you decide what to disable. Here is another list. Even if you do disable a service from startup, the system can still start it if need be. If you chose not to install base, you can use the following command lines to disable a service, using chkconfig <ServiceName> off:

chkconfig anacron off

It is worth doing a reboot soon afterwards to make sure the system starts up without all the unnecessary services still running.

4. Installing SNMP for remote monitoring is a simple process using yum:

yum install net-snmp net-snmp-utils

Now we need to configure SNMP:

mv /etc/snmp/snmpd.conf /etc/snmp/snmpd.conf.orig

vi /etc/snmp/snmpd.conf

  • rocommunity public
  • syslocation MyDataCentre
  • syscontact me@email.com

Once we have finished our configuration, we need to set the service to auto start, and start it up:

chkconfig --level 2345 snmpd on

service snmpd start

5. Forwarding the daily Logwatch emails is a very simple process:

vi /etc/aliases

  • root      me@email.com

/usr/bin/newaliases

The next lines will send any messages that are currently in the root mail spool (if any), and then delete the mail spool for root.

cat /var/spool/mail/root | mail -s "Old Root Emails" me@email.com

rm /var/spool/mail/root

6. Create a local user and set a password, so that we can disable remote root access:

adduser username

passwd username

  • <Password>

7. Configure SSH for remote access if terminal access is not available or you need to work remotely. We will also be disabling root from logging in via SSH and locking down SSH to only allow logins using the username we created above:

vi /etc/ssh/sshd_config

  • AllowUsers     username
  • PermitRootLogin    no

service sshd restart

That’s now CentOS configured, and ready for setting to a specific role. I normally do a reboot right about now, and take a snapshot of the VM or backup the VHD so that I have a pre-configured base layer to work from.
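
An added check for step 7, not part of the original post: it reads an sshd_config and confirms that root login is refused (PermitRootLogin no, sshd's keyword for this) and that AllowUsers names only the intended account. It relies on two sshd parsing rules: for single-valued keywords the first occurrence wins, while repeated AllowUsers lines add to the list. Assumptions: only the global section before any Match block is read, keywords use the "Keyword value" form, and the sample files and the account name deploy are constructed for the demo.

```bash
# Added example: verify the SSH lock-down from step 7 in an sshd_config file.

# sshd_effective FILE KEYWORD -> value sshd will use, empty if not set.
# Keywords are case-insensitive; the FIRST uncommented occurrence wins.
sshd_effective() (
    want=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    awk -v want="$want" '
        /^[ \t]*#/ || NF == 0  { next }    # skip comments and blank lines
        tolower($1) == "match" { exit }    # global section only
        tolower($1) == want    { $1 = ""; sub(/^[ \t]+/, ""); print; exit }
    ' "$1"
)

# sshd_allow_users FILE -> every AllowUsers pattern, space separated.
# Repeated AllowUsers lines accumulate instead of the first one winning.
sshd_allow_users() (
    awk '
        /^[ \t]*#/ || NF == 0  { next }
        tolower($1) == "match" { exit }
        tolower($1) == "allowusers" {
            for (i = 2; i <= NF; i++) out = out (out ? " " : "") $i
        }
        END { print out }
    ' "$1"
)

# ssh_lockdown_ok FILE USER -> exit status 0 only if root login is refused
# and USER is the only account AllowUsers lets in.
ssh_lockdown_ok() (
    root=$(sshd_effective "$1" PermitRootLogin | tr 'A-Z' 'a-z')
    [ "$root" = no ] && [ "$(sshd_allow_users "$1")" = "$2" ]
)

# sample_configs DIR: constructed sshd_config fragments for the demo.
sample_configs() {
    printf '%s\n' 'Protocol 2' 'AllowUsers     username' 'PermitRootLogin    no' \
        > "$1/good.conf"
    # Directive still commented out: sshd falls back to its built-in default.
    printf '%s\n' '#PermitRootLogin no' 'AllowUsers username' \
        > "$1/commented.conf"
    # An earlier line shadows the one added at the bottom of the file.
    printf '%s\n' 'PermitRootLogin yes' 'AllowUsers username' 'PermitRootLogin no' \
        > "$1/shadowed.conf"
    # A second AllowUsers line quietly widens access ("deploy" is hypothetical).
    printf '%s\n' 'PermitRootLogin no' 'AllowUsers username' 'AllowUsers deploy' \
        > "$1/widened.conf"
}

# Demo on the constructed samples.
demo=$(mktemp -d)
sample_configs "$demo"
for f in good commented shadowed widened; do
    if ssh_lockdown_ok "$demo/$f.conf" username; then r=ok; else r='NOT locked down'; fi
    printf '%-10s %s\n' "$f" "$r"
done
rm -rf "$demo"
```

Run ssh_lockdown_ok against /etc/ssh/sshd_config before restarting sshd, and keep the existing terminal session open until a fresh login as the new user has succeeded.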

Installing Integration Components 2.1 in CentOS v5 x86/64-bit on Hyper-V 2008 R2

February 2, 2011   //   by demon   //   Tech  //  0 Comments

In Part One of this mini-series, I described how to correctly configure a VM to install CentOS v5 x86/64-bit. Part Two documented the process to install a minimal install of CentOS. By now, you should have CentOS updated and running on your Hyper-V box, ready to install the Integration Components – this will allow the VM to make full use of the hardware resources available.

Before we get started with the actual Integration Components installation, we need to install a few additional extras.

1. First off, we need some useful tools to work with, and to compile the Integration Components.

yum install kernel-devel

yum install gcc

yum install make

yum install vim-enhanced.x86_64

2. As our version of Linux is 64-bit, we also need to install adjtimex. This is used to counter systematic drift in the system clock. You won’t need this if you installed the i386 version of CentOS.

yum install adjtimex

3. We need to download and install dkms – this allows us to update the linux kernel without the need to recompile it with the Integration Component modules. If you run a yum update kernel* after installing the Integration Components (without dkms installed), then the VM will boot up with the error:

“Unable to mount root file system”

You would need to boot in to the previous kernel to get the VM up. This Microsoft Support article will give a much clearer run down.

wget http://linux.dell.com/dkms/permalink/dkms-2.1.1.2-1.noarch.rpm

rpm -ivh dkms-2.1.1.2-1.noarch.rpm

4. With dkms installed, we need to download the Integration Components 2.1 ISO from Microsoft and load it into the VM.

mkdir -p /mnt/cdrom

mount /dev/cdrom /mnt/cdrom

cp -rp /mnt/cdrom /usr/src/linuxic-2.1

umount /mnt/cdrom

cp /usr/src/linuxic-2.1/scripts/dkms.conf /usr/src/linuxic-2.1/

5. Edit modprobe.conf to load Integration Component modules. Open /etc/modprobe.conf, and add the following lines:

alias scsi_hostadapter1 vmbus

alias scsi_hostadapter2 blkvsc

alias scsi_hostadapter3 storvsc

alias scsi_hostadapter4 netvsc

6. Compile and install the Integration Components

dkms add -m linuxic -v 2.1

dkms build -m linuxic -v 2.1

dkms install --force -m linuxic -v 2.1

shutdown -h now

7. With the VM now shutdown, we can remove our Legacy Network Card and install a fully integrated Network Card. We can also increase the processor count if we wish.

  • Open Hyper-V Manager
  • Right click your VM and select Settings
  • Select Processor and set this to the value of logical processors you require
  • Select DVD Drive under IDE Controller 1 and eject the Integration Components ISO
  • Select Legacy Network Adapter and select Remove
  • Select Add Hardware, highlight Network Adapter and select Add
  • Select the new Network Adapter, and set the Virtual Network that the VM will be connecting to. I have read that Dynamic MAC Addresses can cause confusion on Linux VMs when Live Migrating in a cluster – so I always set the MAC Address to a static value
  • Select Apply to make sure all new changes are applied then select OK to get started
  • Select the Start button

Your VM should now start up, and you will see the modules loading, before any of the services start. You will see the startup status of seth0 flag as “Failed” – ignore this as it doesn’t have any details configured – unless you are running a DHCP server.

If CentOS doesn’t detect seth0, do a further reboot. I find that I have to close the VM terminal window, and access the VM’s settings direct from Hyper-V Manager to avoid this.

8. Once the server has started up, we can remove the backup file of the Legacy Network Adapter.

rm /etc/sysconfig/network-scripts/ifcfg-eth0.bak

9. Now we need to configure our new synthetic network adapter. Type setup to enter the Firstboot/Setup wizard

  • Select Network configuration
  • Select Edit Devices
  • Select seth0 (seth0)
  • Enter the IP address and Prefix (Netmask), the Gateway
  • Select OK
  • Select Save
  • Select Save & Quit

10. Final step is to now restart the network service to bring up seth0 with the new settings.

service network restart

And that is it. It is a bit of a long process, but it does the job! When you next update the kernel, you will see some warnings about vmbus, storvsc, blkvsc and netvsc not being loaded as the new kernel is being installed – just ignore them.

Installing CentOS v5 x86/64-bit on Hyper-V 2008 R2

February 2, 2011   //   by demon   //   Tech  //  0 Comments

In Part One of this mini-series, I described how to correctly configure a VM to install CentOS v5 x86/64-bit. The next part will explain how to install CentOS and get it ready for installing the Hyper-V Integration Components. I always choose to install the bare minimum, and install additional features later on, using yum.

Minimal installs are essential to increasing security, as it reduces the attack surface to the outside world. Logistically, minimal installs cut down the bandwidth used and time taken to run a yum update directly after the install; as well as there being fewer packages to maintain and update in future. I will provide How-Tos on installing Web Servers, DNS Servers and MySQL Database Servers later on, so we don’t need to install those packages just yet.

Install CentOS:

  • Open Hyper-V Manager, right click your new VM and select Connect
  • Select the Start button
  • Type linux text to install or upgrade in text mode
  • Select Skip to testing the CD media
  • Select OK to Welcome screen
  • Select English for Language Selection
  • Select us for Keyboard Selection
  • Select Yes to initialize this drive
  • Select Remove all partitions on selected drives and create default layout
  • Select No to Review and modify partitioning layout
  • For eth0, select Activate on boot and select Enable IPv4 support
  • Select Manual address configuration, and enter the IP address and Prefix (Netmask)
  • Enter the Gateway and Primary DNS and/or Secondary DNS
  • Select Manually for Hostname Configuration, and enter a computer name
  • Select Africa/Johannesburg for Time Zone Selection and unselect System clock uses UTC
  • Enter the root password
  • For Package selection, unselect Desktop – Gnome and select Customise software selection
  • In Package Group Selection, select only Base and unselect Dialup Networking Support, Editors, and Text-based Internet
  • Select OK for Installation to begin
  • Select Reboot when the installation completes

Depending on your (virtual) hardware, the install will take around 10-15 minutes to complete. The VM will now reboot and startup all the system services (some of which we will be disabling later, to increase performance).

Now that CentOS is installed, we need to initially configure it:

  • When CentOS starts for the first time, you will see the Firstboot/Setup wizard
  • Select Firewall configuration – for SELinux, select Permissive and then select Customise to close ALL firewall ports (we have terminal access so we don’t need SSH open just yet!)
  • Select Exit to return to the login prompt. Login using root and the password provided during the install
  • In the Hyper-V window, select Media and Eject the CentOS ISO if it is still mounted
  • Type yum update to update all kernel and all system packages
  • Once the download and installation is complete, type reboot to restart the system and load up the latest kernel and system packages
  • Check all system services start up after the reboot

CentOS is now updated and locked off for us to safely work on. Next post will describe how to install the Hyper-V Integration Components.

BIND Warning: max open files (1024) is smaller than max sockets (4096)

January 20, 2011   //   by demon   //   Tech  //  0 Comments

After recently applying the latest kernel (2.6.18-194.26.1.el5) and BIND DNS update (BIND 9.3.6-P1-RedHat-9.3.6-4.P1.el5_5.3)  to our CentOS DNS servers, the daily logwatch printed the following error:

Warning: max open files (1024) is smaller than max sockets (4096)

RedHat points it to a Low Severity bug. Although fixed, they mention that a resolution won’t be available until the next release. I haven’t found an answer to why this happened, and am assuming there must be some sort of clash somewhere between the kernel and/or BIND somewhere.

Bit of searching around the web, and have found the following workaround:

1. Open your named.conf and add the following line to the Options section:

files 4096;

2. Open /etc/security/limits.conf and add the following line:

named   soft   nofile   4096

3. Restart BIND for the change to take effect (rndc reload is not enough for the workaround to take effect):

service named restart

4. Check your messages file to see if the Warning returns:

vi /var/log/messages

tail -f /var/log/messages | grep named

You can increase the 4096, but I don’t think our DNS servers would be busy enough to need a higher value.

I have applied this to one of our DNS servers to trial and see how it goes before applying to the rest. I am not sure how much of a performance impact the applying/omitting workaround does, so will be monitoring that over the next few days.

UPDATE: I have been running with this setting on one server for over a week now, and the error has gone from the daily Logwatch and it hasn’t impacted performance that I can see.
