The reason for this is that the o/s removes and re-creates the /run/asterisk directory on reboot. The solution is to place a “RuntimeDirectory=” entry in the systemd service script:

/usr/lib/systemd/system/asterisk.service

The “RuntimeDirectory=” needs a directory name relative to /run so you can’t do this:

RuntimeDirectory=/run/asterisk

nor this:

RuntimeDirectory=/var/run/asterisk

You need to do this:

RuntimeDirectory=asterisk

Here is my fully working script (/usr/lib/systemd/system/asterisk.service):

[Unit]
Description=Asterisk PBX and telephony daemon.
Wants=network.target
After=network.target

[Service]
Type=simple
User=asterisk
Group=asterisk
RuntimeDirectory=asterisk
Environment=HOME=/var/lib/asterisk
WorkingDirectory=/var/lib/asterisk

ExecStart=/usr/sbin/asterisk -f -C /etc/asterisk/asterisk.conf
ExecStop=/usr/sbin/asterisk -rx 'core stop now'
ExecReload=/usr/sbin/asterisk -rx 'core reload'

# safe_asterisk emulation
Restart=always
RestartSec=10

#Nice=0
#UMask=0002
LimitCORE=infinity
#LimitNOFILE=

# Prevent duplication of logs with color codes to /var/log/messages
#StandardOutput=null

PrivateTmp=true

[Install]
WantedBy=multi-user.target

How to setup a single master with one or more readonly slaves

First configure the master by editing the mysql configuration file, this could be /etc/my.cnf or on Centos 7 it is /etc/my.cnf.d/server.cnf

Find the [server] section and add the following lines:

bind-address = 12.34.56.78 # replace 12.34.56.78 with the IP of your server
log_bin
server_id = 1
log_basename = master1
datadir = /var/lib/mysql
binlog-ignore-db = mysql

The binlog-ignore-db line tells the master not to replicate the ‘mysql’ database, you can add additional entries to not replicate other databases if you wish, e.g.

binlog-ignore-db = information_schema
binlog-ignore-db = performance_schema

Adding the following additional entries allows you to tweak the performance of your server:

max_allowed_packet=64M
max_heap_table_size = 64M
tmp_table_size = 128M
join_buffer_size = 128M
innodb_buffer_pool_size = 256M
innodb_doublewrite = OFF
innodb_additional_mem_pool_size = 128M
innodb_flush_log_at_timeout = 4
innodb_read_io_threads = 48
innodb_write_io_threads = 32
max_connections = 128

Following any changes to the config files you will need to restart MySQL (or MariaDB if you use that instead), so you would do one of the following:

systemctl restart mysqld
systemctl restart mariadb

Now login to your local MySQL server, e.g.

mysql -u root -p

Once logged into the MySQL CLI add a user that the slaves will use to replicate:

GRANT REPLICATION SLAVE ON *.* TO 'replication'@'1.2.3.4' IDENTIFIED BY 'password';
FLUSH PRIVILEGES;

Replace 1.2.3.4 with the IP of your slave server. You can run the above command multiple times, once for each slave server. Remember to change ‘password’ to an actual password, a good choice would be 12 (or more) characters consisting of a random mix of upper/lowercase letters, numbers and punctuation characters.

Now we’re ready to take a backup of the master, for this you will need to open a second session on your master server. In the first session, still logged into the MySQL CLI issue the following commands:

FLUSH TABLES WITH READ LOCK;
SHOW MASTER STATUS;

You should see something along these lines:

+--------------------+----------+--------------+------------------+
| File               | Position | Binlog_Do_DB | Binlog_Ignore_DB |
+--------------------+----------+--------------+------------------+
| master1-bin.000001 |   456    |              | mysql            |
+--------------------+----------+--------------+------------------+
1 row in set (0.00 sec)

Leave this session in place whilst you move to the second session to backup the databases you want to replicate by using your preferred method, e.g.

mysqldump -u root -p --all-databases > dump.sql

Now you can go back to the first window and release the lock:

UNLOCK TABLES;
QUIT;

Now copy this backup to your slave server(s). I use scp for this, e.g.

scp dump.sql username@12.34.56.78:.

Now login to the slave server and import the dumped databases:

mysql -u root -p < dump.sql

Now configure MySQL (or mariadb) to be a slave by editing it’s configuration file, e.g. /etc/my.cnf.d/server.cnf and add the following to the [server] section:

server-id = 2
datadir = /var/lib/mysql
relay-log = /var/lib/mysql/mysql-relay-bin.log
log_bin = /var/lib/mysql/mysql-bin.log

As per the master server, following any changes to the config files you will need to restart MySQL (or MariaDB if you use that instead), so you would do one of the following:

systemctl restart mysqld
systemctl restart mariadb

The next step is to login to the MySQL CLI and tell it where to find the master along with the login details and the starting position in the log:

CHANGE MASTER TO MASTER_HOST='12.34.56.78',MASTER_USER='replication', MASTER_PASSWORD='password', MASTER_LOG_FILE='master1-bin.000001', MASTER_LOG_POS=456;

The last thing we need to do is start the slave process, and check it is running. Do this by issuing the following commands on the slave MySQL CLI:

START SLAVE;
SHOW SLAVE STATUS\G

You can repeat the slave part on each server you want to setup replication, just remember to give each slave a different server_id

Setup the file structure:

mkdir /root/ca
cd /root/ca
mkdir certs crl newcerts private
chmod 700 private
touch index.txt
echo 1000 > serial

Create a config file /root/ca/openssl.cnf

# OpenSSL root CA configuration file.
# Copy to `/root/ca/openssl.cnf`.

[ ca ]
# `man ca`
default_ca = CA_default

[ CA_default ]
# Directory and file locations.
dir               = /root/ca
certs             = $dir/certs
crl_dir           = $dir/crl
new_certs_dir     = $dir/newcerts
database          = $dir/index.txt
serial            = $dir/serial
RANDFILE          = $dir/private/.rand

# The root key and root certificate.
private_key       = $dir/private/ca.key.pem
certificate       = $dir/certs/ca.cert.pem

# For certificate revocation lists.
crlnumber         = $dir/crlnumber
crl               = $dir/crl/ca.crl.pem
crl_extensions    = crl_ext
default_crl_days  = 30

# SHA-1 is deprecated, so use SHA-2 instead.
default_md        = sha256

name_opt          = ca_default
cert_opt          = ca_default
default_days      = 375
preserve          = no
policy            = policy_strict

[ policy_strict ]
# The root CA should only sign intermediate certificates that match.
# See the POLICY FORMAT section of `man ca`.
countryName             = match
stateOrProvinceName     = match
organizationName        = match
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

[ policy_loose ]
# Allow the intermediate CA to sign a more diverse range of certificates.
# See the POLICY FORMAT section of the `ca` man page.
countryName             = optional
stateOrProvinceName     = optional
localityName            = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

[ req ]
# Options for the `req` tool (`man req`).
default_bits        = 2048
distinguished_name  = req_distinguished_name
string_mask         = utf8only

# SHA-1 is deprecated, so use SHA-2 instead.
default_md          = sha256

# Extension to add when the -x509 option is used.
x509_extensions     = v3_ca

[ req_distinguished_name ]
# See <https://en.wikipedia.org/wiki/Certificate_signing_request>.
countryName                     = Country Name (2 letter code)
stateOrProvinceName             = State or Province Name
localityName                    = Locality Name
0.organizationName              = Organization Name
organizationalUnitName          = Organizational Unit Name
commonName                      = Common Name
emailAddress                    = Email Address

# Optionally, specify some defaults.
countryName_default             = GB
stateOrProvinceName_default     = Buckinghamshire
localityName_default            = High Wycombe
0.organizationName_default      = The Communication Gateway Ltd
organizationalUnitName_default  = Main Office
emailAddress_default            = postmaster@comgw.co.uk

[ v3_ca ]
# Extensions for a typical CA (`man x509v3_config`).
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true
keyUsage = critical, digitalSignature, cRLSign, keyCertSign

[ v3_intermediate_ca ]
# Extensions for a typical intermediate CA (`man x509v3_config`).
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, digitalSignature, cRLSign, keyCertSign

[ usr_cert ]
# Extensions for client certificates (`man x509v3_config`).
basicConstraints = CA:FALSE
nsCertType = client, email
nsComment = "OpenSSL Generated Client Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth, emailProtection

[ server_cert ]
# Extensions for server certificates (`man x509v3_config`).
basicConstraints = CA:FALSE
nsCertType = server
nsComment = "OpenSSL Generated Server Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth

[ crl_ext ]
# Extension for CRLs (`man x509v3_config`).
authorityKeyIdentifier=keyid:always

[ ocsp ]
# Extension for OCSP signing certificates (`man ocsp`).
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
keyUsage = critical, digitalSignature
extendedKeyUsage = critical, OCSPSigning

Now we can generate the root key:

openssl genrsa -aes256 -out private/ca.key.pem 4096
chmod 400 private/ca.key.pem

Create the root certificate:

openssl req -config openssl.cnf \
      -key private/ca.key.pem \
      -new -x509 -days 7300 -sha256 -extensions v3_ca \
      -out certs/ca.cert.pem
chmod 444 certs/ca.cert.pem

Verify the root certificate:

openssl x509 -noout -text -in certs/ca.cert.pem

Create the intermediate certificate:

mkdir /root/ca/intermediate
cd /root/ca/intermediate
mkdir certs crl csr newcerts private
chmod 700 private
touch index.txt
echo 1000 > serial

Add a crlnumber file to the intermediate CA directory tree. crlnumber is used to keep track of certificate revocation lists:

echo 1000 > /root/ca/intermediate/crlnumber

Copy the intermediate CA configuration file: /root/ca/intermediate/openssl.cnf from the main one we created above and alter the following settings:

[ CA_default ]
dir             = /root/ca/intermediate
private_key     = $dir/private/intermediate.key.pem
certificate     = $dir/certs/intermediate.cert.pem
crl             = $dir/crl/intermediate.crl.pem
policy          = policy_loose

Create the intermediate key:

cd /root/ca
openssl genrsa -aes256 \
      -out intermediate/private/intermediate.key.pem 4096
chmod 400 intermediate/private/intermediate.key.pem

Create the intermediate certificate:
Use the intermediate key to create a certificate signing request (CSR). The details should generally match the root CA. The Common Name, however, must be different.

cd /root/ca
openssl req -config intermediate/openssl.cnf -new -sha256 \
      -key intermediate/private/intermediate.key.pem \
      -out intermediate/csr/intermediate.csr.pem

To create an intermediate certificate, use the root CA with the v3_intermediate_ca extension to sign the intermediate CSR. The intermediate certificate should be valid for a shorter period than the root certificate.

cd /root/ca
openssl ca -config openssl.cnf -extensions v3_intermediate_ca \
      -days 3650 -notext -md sha256 \
      -in intermediate/csr/intermediate.csr.pem \
      -out intermediate/certs/intermediate.cert.pem
chmod 444 intermediate/certs/intermediate.cert.pem

The index.txt file is where the OpenSSL ca tool stores the certificate database. Do not delete or edit this file by hand. It should now contain a line that refers to the intermediate certificate.

Verify the intermediate certificate:

openssl x509 -noout -text \
      -in intermediate/certs/intermediate.cert.pem

Verify the intermediate certificate against the root certificate. An OK indicates that the chain of trust is intact.

openssl verify -CAfile certs/ca.cert.pem \
      intermediate/certs/intermediate.cert.pem

Create the certificate chain file:

cat intermediate/certs/intermediate.cert.pem \
      certs/ca.cert.pem > intermediate/certs/ca-chain.cert.pem
chmod 444 intermediate/certs/ca-chain.cert.pem

NOTE: Our certificate chain file must include the root certificate because no client application knows about it yet. A better option, particularly if you’re administrating an intranet, is to install your root certificate on every client that needs to connect. In that case, the chain file need only contain your intermediate certificate.

We can now sign client and server certificates!

Create a key:

cd /root/ca
openssl genrsa -aes256 \
      -out intermediate/private/www.example.com.key.pem 2048
chmod 400 intermediate/private/www.example.com.key.pem

If you don’t want a prompt for a password each time the certificate is used leave out the -aes256 parameter.

Create a certificate Signing Request:

cd /root/ca
openssl req -config intermediate/openssl.cnf \
      -key intermediate/private/www.example.com.key.pem \
      -new -sha256 -out intermediate/csr/www.example.com.csr.pem

Sign the CSR:

cd /root/ca
openssl ca -config intermediate/openssl.cnf \
      -extensions server_cert -days 375 -notext -md sha256 \
      -in intermediate/csr/www.example.com.csr.pem \
      -out intermediate/certs/www.example.com.cert.pem
chmod 444 intermediate/certs/www.example.com.cert.pem

Verify the certificate:

openssl x509 -noout -text \
      -in intermediate/certs/www.example.com.cert.pem

Verify the chain of trust:

openssl verify -CAfile intermediate/certs/ca-chain.cert.pem \
      intermediate/certs/www.example.com.cert.pem

Deploy the certificate:
ca-chain.cert.pem
www.example.com.key.pem
www.example.com.cert.pem

Reference:
https://jamielinux.com/docs/openssl-certificate-authority/introduction.html

1. Just in case, remove sendmail and install postfix:

yum remove sendmail
yum install postfix

Make sure it starts on reboot:

systemctl enable postfix

Install amavis and clamav and make sure it starts on reboot:

yum install amvisd-new clamav clamav-scanner-systemd
systemctl enable amavisd

Fix the issue with clamd not starting:

cd /usr/lib/systemd/system
cp clamd\@scan.service clamd\@amavisd.service

systemctl start clamd@amavisd
systemctl enable clamd@amavisd
systemctl restart amavisd

Install OpenDKIM:

yum install opendkim

Create keys and check:

opendkim-default-keygen
cd /etc/opendkim/keys/
ll

Edit the following files:
/etc/opendkim.conf (Main configuration file for opendkim)
/etc/opendkim/KeyTable (Defines the path of private key for the domain)
/etc/opendkim/SigningTable (Tells OpenDKIM how to apply the keys)
/etc/opendkim/TrustedHosts (Defines which hosts are allowed to use keys)

If you’re just verifying incoming mail you don’t actually need to edit any of the above files, the defaults are fine.

Start and enable on reboot:

systemctl start opendkim
systemctl enable opendkim

Next you need to add the following lines to your Postfix main.cf

smtpd_milters = inet:127.0.0.1:8891
non_smtpd_milters = $smtpd_milters
milter_default_action = accept

and restart Postfix.

Now we can install OpenDMARC:

yum install opendmarc

Edit the file /etc/opendmarc.conf and uncomment the line
# AuthservID name
and set “name” to the hostname of your server.

Now enable it on reboot and fire it up:

systemctl enable opendmarc
systemctl start opendmarc

Now we need to hook it into Postfix, just add the port in main.cf as for opendkim above, i.e. the line in main.cf should now read:

smtpd_milters = inet:127.0.0.1:8891, inet:127.0.0.1:8893

This will pass incoming mail through OpenDKIM first, then OpenDMARC.

It’s a good idea to enable the PublicSuffixList in the opendmarc.conf file and create a weekly cronjob to keep the list up to date, so create the file /etc/cron.weekly/opendmarc

#!/bin/sh
#
#Get latest effective_tld_names for OpenDMARC
/usr/bin/wget --no-check-certificate -q -N -P /etc/opendmarc https://publicsuffix.org/list/effective_tld_names.dat

and restart Postfix.

Remove any existing packages:

yum remove maria*

Update:

yum update

Add the official repo for MariaDB by creating the file /etc/yum.repos.d/MariaDB.repo

[mariadb]
name = MariaDB
baseurl = http://yum.mariadb.org/10.1/centos7-amd64
gpgkey=https://yum.mariadb.org/RPM-GPG-KEY-MariaDB
gpgcheck=1

Now install MariaDB:

yum install -y MariaDB-server MariaDB-client MariaDB-compat galera socat jemalloc

Setup MariaDB:

systemctl start mariadb
mysql_secure_installation
systemctl stop mariadb

To generate the CA certificate:

openssl genrsa 2048 > ca-key.pem
openssl req -new -x509 -nodes -days 3600 -key ca-key.pem -out ca.pem

To generate the server certificate, remove passphrase, and sign it:

openssl req -newkey rsa:2048 -days 3600 -nodes -keyout server-key.pem -out server-req.pem
openssl rsa -in server-key.pem -out server-key.pem
openssl x509 -req -in server-req.pem -days 3600 -CA ca.pem -CAkey ca-key.pem -set_serial -1 -out server-cert.pem

(Optional) To generate the client certificate, remove passphrase, and sign it:

openssl req -newkey rsa:2048 -days 3600 -nodes -keyout client-key.pem -out client-req.pem
openssl rsa -in client-key.pem -out client-key.pem
openssl x509 -req -in client-req.pem -days 3600 -CA ca.pem -CAkey ca-key.pem -set_serial 01 -out client-cert.pem

Edit the file: /etc/my.cnf.d/server.cnf

[sst]
encrypt=4
ssl-ca=/etc/pki/ca.pem
ssl-cert=/etc/pki/server-cert.pem
ssl-key=/etc/pki/server-key.pem

[galera]
wsrep_on=ON
wsrep_provider=/usr/lib64/galera/libgalera_smm.so
wsrep_cluster_address='gcomm://a.a.a.a,b.b.b.b,c.c.c.c'
wsrep_cluster_name='cluster.name'
wsrep_node_address='10.0.0.11'
wsrep_node_name='node1'
wsrep_sst_method=rsync
wsrep_sst_receive_address='x.x.x.x'
wsrep_provider_options='socket.ssl_key=/etc/pki/server-key.pem;socket.ssl_cert=/etc/pki/server-cert.pem;socket.ssl_ca=/etc/pki/ca.pem;evs.inactive_timeout=PT45S;evs.install_timeout=PT45S;evs.keepalive_period=PT3S;evs.max_install_timeouts=8;evs.send_window=512;evs.suspect_timeout=PT30S;evs.user_send_window=256;'
binlog_format=row
default_storage_engine=InnoDB
innodb_autoinc_lock_mode=2

In the file above the line “wsrep_sst_receive_address=’x.x.x.x'” is required if any of the nodes are behind a NAT router on private IP addresses, where x.x.x.x is the public IP address of the router. Without this SST donors will try to send snapshot data to the nodes private IP address which will invariably fail.

The “wsrep_provider_options” are tailored to for nodes that talk to each other over a WAN (i.e. the internet). If your nodes are all on the same LAN then you can leave this option out completely – it adjusts some timeout default values to better cope with varying connectivity quality across a WAN.

Start the primary node:

galera_new_cluster

Start the other nodes:

systemctl start mariadb

Login to any of the nodes and check status:

show status like 'wsrep%';

Put wiki into readonly mode by editing the LocalSettings.php file and adding the line:

$wgReadOnly = 'Wiki is currently undergoing maintenance, as a result it is in read only mode for a while';

Backup the SQL database, e.g. mysqldump -h host -u wiki -p wiki > wiki.sql

Backup the entire wiki folder:

mkdir backups/20170218
cp -rp http/* backups/20170218/.

Download latest version of MediaWiki from www.mediawiki.org/wiki/Download e.g.

wget https://releases.wikimedia.org/mediawiki/1.28/mediawiki-1.28.2.tar.gz

Unpack the file over the existing installation:

tar zxvf mediawiki-1.28.2.tar.gz -C http/w --strip-components=1

Now run the update:

cd http/w/maintenance
php update.php

Don’t forget to take it out of readonly mode by removing or commenting out the $wgReadOnly line in LocalSettings.php

The letsencrypt python script called cartbot does all the hard work for you, it can request a new certificate, renew existing certificates, revoke and delete certificates. It can do ths from the command line interactively, i.e. asking you questions when it needs to, or non-interactively so you can use it in scripts. Here are some useful commands in the non-interactive mode:

Revoke a certificate

certbot -n revoke --cert-path /etc/letsencrypt/live/www.example.com/cert.pem

Request a new certificate

certbot certonly -d www.g1fef.co.uk --webroot --webroot-path /path/to/web/docs/

Delete a certificate

certbot -n delete --cert-name www.example.com

Don’t forget to restart your webserver, especially after you revoke or delete a certificate!

Here we are assuming that the current installation in in the directory ‘https’ and the new version we are installing is cacti-1.1.3

First of all download the latest version:

http://www.cacti.net/downloads/cacti-latest.tar.gz

Unpack it:

tar zxvf cati-latest.tar.gz

Edit the config file to set the database access correctly:

cd cacti-1.1.3/include

vim config.php

1. $database_type = "mysql";
   $database_default = "cacti";
   $database_hostname = "localhost";
   $database_username = "cactiuser";
   $database_password = "cacti";
   

2. $url_path = '/';
   

Copy the *.rrd files from the old Cacti directory to the new one.

cp -rp https/rra/* cacti-1.1.3/rra/

Copy any relevant custom scripts from the old Cacti directory to the new one.

cp -u https/scripts/* cacti-1.1.3/scripts/

Copy any relevant custom resource XML files from the old Cacti directory to the new one.

cp -u -R https/resource/* cacti-1.1.3/resource/

Set the appropriate permissions on Cacti’s directories for graph/log generation.

cd cacti-1.1.3
chown -R cactiuser rra/ log/
cd ..

Move your old installation away:

mv https https-old

Move your new installation in:

mv cacti-1.1.3 https

Point your web browser to your cacti URL and follow the instructions.

The GNU screen program has some useful navigation facilities. To enter COPY MODE you need to press CTRL + A + [

Once in copy mode use the keys below to navigate:

When starting screen you can set the size of the scrollback buffer by using the -h command line argument, for example to set the scrollback buffer to 1000 lines:

screen -h 1000

This can also be set in .screenrc with defscrollback

If you need to update the software:

wget http://resources.ovirt.org/pub/yum-repo/ovirt-release36.rpm
yum localinstall ovirt-release36.rpm
yum update -y

Backup the VM:

Assuming a guest called “test”, list location of VM:

virsh domblklist test

Export the XML data that defines the VM:

virsh dumpxml test > test.xml

Take the snapshot:

virsh snapshot-create-as --domain test NAME_OF_SNAPSHOT --diskspec vda,file=/tmp/snapshot_test.qcow2 --disk-only --atomic --no-metadata

Guest is now running in /tmp/snapshot_test.qcow2

Copy XML and original data file to where you need it.

Pivot back to original:

virsh blockcommit test vda --active --verbose --pivot

Restore the VM:

Copy the .qcow2 file into place.

Creating a new vm:

virsh define /path/to/your/xml/test.xml

Check it is present:

virsh list --all

Start the vm:

virsh start test