fedora snapper, tuned, and selinux policies
This commit is contained in:
@@ -2,23 +2,28 @@
|
||||
|
||||
- [Fedora Server](#fedora-server)
|
||||
- [Installation](#installation)
|
||||
- [Power Profiles with Tuned](#power-profiles-with-tuned)
|
||||
- [Setup SSH](#setup-ssh)
|
||||
- [DNF](#dnf)
|
||||
- [Fail2Ban](#fail2ban)
|
||||
- [BTRFS Parent Volumes](#btrfs-parent-volumes)
|
||||
- [BTRFS Snapshots](#btrfs-snapshots)
|
||||
- [Snapper Installation](#snapper-installation)
|
||||
- [Snapper Cleanup](#snapper-cleanup)
|
||||
- [BTRFS Maintenance](#btrfs-maintenance)
|
||||
- [TPM2 Luks Decryption](#tpm2-luks-decryption)
|
||||
- [Change your password](#change-your-password)
|
||||
- [Automatic Updates](#automatic-updates)
|
||||
- [Monitoring](#monitoring)
|
||||
- [Glances](#glances)
|
||||
- [Disk Usage](#disk-usage)
|
||||
- [Disk Wear](#disk-wear)
|
||||
- [Common Storage Mounts](#common-storage-mounts)
|
||||
- [Network Bridge](#network-bridge)
|
||||
- [Virtualization](#virtualization)
|
||||
- [Troubleshooting](#troubleshooting)
|
||||
- [Virtualization Troubleshooting](#virtualization-troubleshooting)
|
||||
- [QEMU Images](#qemu-images)
|
||||
- [Shared directory with VM Guest](#shared-directory-with-vm-guest)
|
||||
- [Firewalld](#firewalld)
|
||||
- [Backups](#backups)
|
||||
- [Connect to the ISCSI Backup Target](#connect-to-the-iscsi-backup-target)
|
||||
@@ -28,6 +33,7 @@
|
||||
- [Troubleshooting Backup ISCSI Connection](#troubleshooting-backup-iscsi-connection)
|
||||
- [Quick Backup](#quick-backup)
|
||||
- [Regular Backups with Borg](#regular-backups-with-borg)
|
||||
- [Version Upgrades](#version-upgrades)
|
||||
- [Optional Steps](#optional-steps)
|
||||
- [Disable Swap](#disable-swap)
|
||||
- [Disable Selinux](#disable-selinux)
|
||||
@@ -37,7 +43,7 @@
|
||||
- [LVM Thin Provisioning](#lvm-thin-provisioning)
|
||||
- [Set eui64 on network interface](#set-eui64-on-network-interface)
|
||||
- [Install and Enable Cockpit](#install-and-enable-cockpit)
|
||||
- [Troubleshooting](#troubleshooting-1)
|
||||
- [Troubleshooting](#troubleshooting)
|
||||
- [Cockpit Terminal Unusable or Weird Colors](#cockpit-terminal-unusable-or-weird-colors)
|
||||
- [Chroot into a mounted disk](#chroot-into-a-mounted-disk)
|
||||
- [Resize Last Partition to Fill Available Space](#resize-last-partition-to-fill-available-space)
|
||||
@@ -69,6 +75,12 @@ and the operator will store information about each server.
|
||||
5. Take note of the ipv4 and ipv6 address. Update any DNS records at this time.
|
||||
6. Install and reboot
|
||||
|
||||
## Power Profiles with Tuned
|
||||
|
||||
1. `dnf install tuned`
|
||||
2. `systemctl enable --now tuned`
|
||||
3. `tuned-adm profile virtual-host`
|
||||
|
||||
## Setup SSH
|
||||
|
||||
See [README](/README.md#ssh-setup)
|
||||
@@ -150,6 +162,8 @@ mount -a --mkdir
|
||||
|
||||
<http://snapper.io/manpages/snapper-configs.html>
|
||||
|
||||
### Snapper Installation
|
||||
|
||||
We'll be using snapper, a tool for automating and controlling snapshot behavior.
|
||||
|
||||
```bash
|
||||
@@ -169,13 +183,19 @@ systemctl enable --now snapper-timeline.timer
|
||||
systemctl enable --now snapper-cleanup.timer
|
||||
# Enable snapshots on boot
|
||||
systemctl enable --now snapper-boot.timer
|
||||
```
|
||||
|
||||
### Snapper Cleanup
|
||||
|
||||
```bash
|
||||
# List snapshots
|
||||
snapper -c root list
|
||||
# Create snapshot manually
|
||||
snapper -c root create --description "test snapshot"
|
||||
# Delete first snapshot
|
||||
snapper -c root delete 1
|
||||
# Delete snapshots between 655-857
|
||||
snapper -c root delete 655-857
|
||||
```
|
||||
|
||||
Note - you probably don't want to keep yearly snapshots.
|
||||
@@ -184,8 +204,14 @@ Edit `/etc/snapper/configs/root` and change `TIMELINE_LIMIT_YEARLY=` to `0`.
|
||||
## BTRFS Maintenance
|
||||
|
||||
```bash
|
||||
# Start a scrub in the foreground (-B) at /
|
||||
btrfs scrub start -B /
|
||||
# Start a scrub with low impact/priority at / (good for servers)
|
||||
btrfs scrub start -c idle /
|
||||
|
||||
# Start a scrub in the foreground and monitor
|
||||
btrfs scrub start -c idle -B -d /
|
||||
|
||||
# Check for errors
|
||||
dmesg -T | grep btrfs
|
||||
```
|
||||
|
||||
## TPM2 Luks Decryption
|
||||
@@ -278,9 +304,30 @@ In Cockpit navigate to software updates -> automatic updates -> install -> secur
|
||||
|
||||
In Cockpit: Overview -> View metrics and history -> Install PCP Support -> Metrics settings -> Turn on Collect Metrics
|
||||
|
||||
### Glances
|
||||
|
||||
```bash
|
||||
dnf install -y glances python3-jinja2
|
||||
systemctl enable --now glances
|
||||
firewall-cmd --permanent --zone=FedoraServer --add-port=61208/tcp
|
||||
firewall-cmd --reload
|
||||
```
|
||||
|
||||
### Disk Usage
|
||||
|
||||
TODO
|
||||
```bash
|
||||
# Show size of folder exclude snapshots
|
||||
du --exclude .snapshots -sh .
|
||||
|
||||
# Show size of all files in your current dir
|
||||
for folder in $(ls); do du --exclude .snapshots -sh $folder; done
|
||||
|
||||
# Calculate all folder sizes in current dir
|
||||
alias {dudir,dud}='du -h --max-depth 1 | sort -h'
|
||||
|
||||
# Calculate all file sizes in current dir
|
||||
alias {dufile,duf}='ls -lhSr'
|
||||
```
|
||||
|
||||
### Disk Wear
|
||||
|
||||
@@ -343,7 +390,7 @@ systemctl enable --now libvirtd
|
||||
|
||||
Install the cockpit machines application.
|
||||
|
||||
### Troubleshooting
|
||||
### Virtualization Troubleshooting
|
||||
|
||||
```bash
|
||||
# Oops, I did this after I installed virtualization
|
||||
@@ -369,6 +416,12 @@ qemu-img convert -f vmdk -O raw in.vmdk out.img
|
||||
qemu-img convert -f qcow2 -O raw in.raw out.img
|
||||
```
|
||||
|
||||
### Shared directory with VM Guest
|
||||
|
||||
```bash
|
||||
mount -t virtiofs [mount tag] [mount point]
|
||||
```
|
||||
|
||||
## Firewalld
|
||||
|
||||
Set the default firewalld zone to `public`
|
||||
@@ -381,6 +434,8 @@ Set the default firewalld zone to `public`
|
||||
Firewalld will be on and blocking by default. You can check the zone and allowed ports with:
|
||||
|
||||
```bash
|
||||
firewall-cmd --get-active-zones
|
||||
firewall-cmd --get-default-zone
|
||||
firewall-cmd --zone=public --list-ports
|
||||
firewall-cmd --zone=public --list-services
|
||||
```
|
||||
@@ -392,6 +447,21 @@ firewall-cmd --permanent --zone=public --add-port=9090/tcp
|
||||
firewall-cmd --reload
|
||||
```
|
||||
|
||||
Remove cockpit with
|
||||
|
||||
```bash
|
||||
firewall-cmd --permanent --zone=public --remove-port=9090/tcp
|
||||
```
|
||||
|
||||
Add a custom source for a service
|
||||
|
||||
```bash
|
||||
sudo firewall-cmd --new-zone=home --permanent
|
||||
sudo firewall-cmd --zone=home --add-source=10.2.0.0/24 --permanent
|
||||
sudo firewall-cmd --zone=home --add-port=10700/tcp --permanent
|
||||
sudo firewall-cmd --reload
|
||||
```
|
||||
|
||||
## Backups
|
||||
|
||||
Note: this assumes you've set up [an iscsi backup disk](/active/os_truenas/truenas.md#iscsi-backup-volumes)
|
||||
@@ -483,6 +553,18 @@ rsync -av --progress --exclude '.snapshots' /btrfs/yellow/root /btrfs/backup-yel
|
||||
|
||||
See [borg.md](/active/systemd_borg/borg.md)
|
||||
|
||||
## Version Upgrades
|
||||
|
||||
```bash
|
||||
# Make sure to be fully up to date first
|
||||
dnf upgrade --refresh
|
||||
reboot
|
||||
|
||||
# Set the releasever to the version you want to upgrade to
|
||||
dnf system-upgrade download --releasever=42
|
||||
dnf system-upgrade reboot
|
||||
```
|
||||
|
||||
## Optional Steps
|
||||
|
||||
### Disable Swap
|
||||
|
||||
Reference in New Issue
Block a user