Centos 7 for armv7 SOC

Installing the image

This page presents the steps to get a Centos7 image up and running on Cubieboard2 or CubieTruck SOC.

You can learn the basics from:

First you need to download the CubieTruck image from:
Let us assume you have downloaded CentOS-Userland-7-armv7hl-Minimal-1611-CubieTruck.img.xz into your current directory and have at least a 4Gb mSD card attached as /dev/sdb.  To build a boot mSD card for the CubieTruck, first run:

xzcat CentOS-Userland-7-armv7hl-Minimal-1611-CubieTruck.img.xz | sudo dd of=/dev/sdb bs=4M; sync

Then delete ALL the partitions on the card.  You will be left with only uboot.

It is not as easy to build the boot mSD card for the Cubieboard2, so I will help.  Download:
then write it to an EMPTY mSD card:

sudo dd if=u-boot-C2-sunxi-with-spl.bin of=/dev/sdb bs=1024 seek=8; sync

To build your Centos7 image on your sata drive, connect the sata drive via a USB/sata adapter.  Assuming it is /dev/sdb, repeat the above xzcat line, leaving all the partitions.  I resize the main partition with gparted.
Note: You can run Centos7 from a mSD card.  I recommend at least an 8Gb card.  Many of the later steps will be painfully slow, though.
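
A pre-flight check for the dd steps above, as an added example that is not part of the original guide. The function name check_dd_target and the SYSFS/MOUNTS overrides are assumptions made for illustration; the 4Gb minimum from the guide is taken as 4,000,000,000 bytes.

```shell
#!/bin/sh
# Added example, not from the original guide. Refuse a dd target that is
# missing, mounted, or too small before anything is written to it.
# SYSFS and MOUNTS can be overridden to exercise the check on sample data.
SYSFS=${SYSFS:-/sys}
MOUNTS=${MOUNTS:-/proc/mounts}

# check_dd_target DEVICE [MIN_BYTES]  -> 0 if safe to overwrite, 1 otherwise
check_dd_target() {
    dev=$1
    min_bytes=${2:-4000000000}   # assumption: the guide's "4Gb" read as 4 GB
    name=${dev#/dev/}

    # A mistyped name (for example /dev/sbd) has no sysfs entry; dd run as
    # root would then create a regular file under /dev instead of writing
    # to a disk.
    if [ ! -r "$SYSFS/block/$name/size" ]; then
        echo "$dev: not a whole-disk block device" >&2
        return 1
    fi

    # Refuse if the disk itself or any of its partitions is mounted.
    if awk -v d="$dev" '$1 == d || $1 ~ ("^" d "p?[0-9]+$") { found = 1 }
                        END { exit !found }' "$MOUNTS"; then
        echo "$dev: has mounted filesystems" >&2
        return 1
    fi

    # sysfs reports the size in 512-byte sectors.
    sectors=$(cat "$SYSFS/block/$name/size")
    if [ $((sectors * 512)) -lt "$min_bytes" ]; then
        echo "$dev: smaller than $min_bytes bytes" >&2
        return 1
    fi
    return 0
}

# Usage: check_dd_target /dev/sdb && xzcat IMAGE.img.xz | sudo dd of=/dev/sdb bs=4M
```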

You are now ready to insert the mSD card, attach the sata drive and power up your Cubie.  I strongly recommend having a serial console.  Get yourself a USB UART TTL adapter (less than $2 each) and from a terminal window access the console with (assuming it shows up as /dev/ttyUSB0):

sudo screen /dev/ttyUSB0 115200

Booting the image and first steps

Throughout this guide, there are values unique to an installation that have to be provided.  For the most part, these can be handled by first setting some environment variables that will be used in cat and sed commands.  Or you can manually alter the variables.  Special characters (\, $, and / tested) MUST be preceded by a \.

To set date_timezone value.  See


Set the following variables for this guide.  Save your settings somewhere as there is at least one reboot where these variables will have to be set again.


Insert the mSD card, attach the sata drive, USB/TTL adapter, and Ethernet cable (no WiFi or Bluetooth support for the CubieTruck embedded interfaces).  Power up and log in as root (default password is centos, change it!)

Give the system a little time and check that chrony reached its ntp servers with the 'date' command.  If the date stays at Dec 31, 1969, you have connectivity challenges.  Set the date with:

date mmddhhmmyyyy

Next you should probably set your timezone.

timedatectl set-timezone $date_timezone

Next enable SELinux.

sed -i -e "s/enforcing=0/enforcing=1/w /dev/stdout" /boot/extlinux/extlinux.conf
touch /.autorelabel

Now reboot.  Relabeling will take some time, particularly if you insisted on running from a mSD card instead of your sata drive.  After you log back in as root and reset your variable values from above, finish with SELinux by:

setenforce 1
sed -i -e "s/SELINUX=permissive/SELINUX=enforcing/w /dev/stdout" /etc/sysconfig/selinux

Set your hostname and create your personal user account:

hostnamectl set-hostname $your_host_tld
adduser -c "$admin_name" -G wheel $admin_account
passwd $admin_account

Updating the image

Run yum update.  There is a new kernel in the update but it does not update extlinux.conf.

To update extlinux.conf to the latest kernel, run the command:


As of July 31, 2017, update-boot does not trim old kernels out of /boot and thus the partition can easily fill up with old kernels.  It is important to pay attention to space in /boot before allowing yum to install a new kernel.

At this point the system is ready to use.  I like to add:

yum install mlocate wget mutt logwatch policycoreutils-python screen

Screen is very helpful for running remote yum updates.  If the connection drops, it is easy to reconnect to the screen session which survived the disconnect.

To change SSHD's port to $SSHD_Port:

sed -i -e "s/^#Port 22/Port $SSHD_Port/w /dev/stdout" /etc/ssh/sshd_config
semanage port -a -t ssh_port_t -p tcp $SSHD_Port
firewall-cmd --permanent --add-port=$SSHD_Port/tcp
firewall-cmd --permanent --remove-service=ssh
firewall-cmd --reload
firewall-cmd --list-all
systemctl restart sshd
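
The sed edits in this guide (enforcing=0, SELINUX=permissive, #Port 22) print nothing and change nothing when their pattern is absent, and the values they insert need the escaping described earlier. The helpers below are an added example, not part of the original guide; the names sed_escape_replacement, substitute_checked and valid_port are hypothetical, and GNU sed and single-line values are assumed.

```shell
#!/bin/sh
# Added example, not from the original guide. Assumes GNU sed (as on
# CentOS 7) and single-line values. All helper names are hypothetical.

# Escape what sed treats specially in the replacement half of s/RE/VALUE/:
# backslash, the "/" delimiter, and "&" (which expands to the matched text).
sed_escape_replacement() {
    printf '%s\n' "$1" | sed -e 's|[\\/&]|\\&|g'
}

# substitute_checked FILE REGEX VALUE
# Replace matches of REGEX (written by you, must not contain "/") with the
# literal VALUE (taken from a variable). Fails when REGEX matches nothing,
# so an edit that did not happen is reported instead of assumed.
substitute_checked() {
    sc_file=$1
    sc_regex=$2
    sc_value=$(sed_escape_replacement "$3") || return 1
    if ! grep -q -- "$sc_regex" "$sc_file"; then
        echo "no match for '$sc_regex' in $sc_file" >&2
        return 1
    fi
    sed -i -e "s/$sc_regex/$sc_value/" "$sc_file"
}

# A TCP port must be a plain integer in 1..65535. An empty or malformed
# $SSHD_Port would otherwise produce a "Port" line sshd will not start with.
valid_port() {
    case $1 in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Usage:
#   valid_port "$SSHD_Port" &&
#     substitute_checked /etc/ssh/sshd_config '^#Port 22' "Port $SSHD_Port"
```

Running the port check and the substitution before the firewall-cmd --remove-service=ssh step keeps a failed edit from closing port 22 while sshd is still listening on it.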

To have the logwatch reports sent to my email account:

bind 'set disable-completion on'
cat <<EOF>>/etc/aliases || exit 1
root:	$admin_email
EOF
bind 'set disable-completion off'

Since this is a server, you may want a static IP address (IPv6 support TBD):

nmcli con delete $ifname
nmcli con add type ethernet con-name $ifname ifname $ifname ip4 $your_ipv4_address/$your_ipv4_prefix gw4 $your_ipv4_gateway
nmcli con mod $ifname ipv4.dns "$your_ipv4_dns1 $your_ipv4_dns2"
# optionally set your MAC address
# your_mac=
# nmcli con mod $ifname mac "$your_mac"
nmcli con up $ifname

And that is pretty much it!

Chrony caveats

Since the Cubieboards do not have an RTC (no battery!), Chrony is really great at making that huge time jump quickly on boot up, but it does not step the clock as it drifts.  This may be OK for a workstation, but not all servers.  If you need clock accuracy, edit the makestep line in /etc/chrony.conf:

sed -i -e '/^makestep/ a # step the clock at any time if the measured offset is larger than 10 seconds\nmakestep 10 -1' /etc/chrony.conf
sed -i "/^# In first three/,+2 d" /etc/chrony.conf

If you want to serve NTP time to local clients, uncomment the "Allow local access" line.

sed -i -e "s/^#allow/allow/w /dev/stdout" /etc/chrony.conf

Some services, like Postfix and Samba, need to delay their startup until the system time is brought current.  This is done using chrony-wait:

systemctl enable chrony-wait
systemctl start chrony-wait
mkdir /etc/systemd/system/$service.service.d
cat <<EOF>>/etc/systemd/system/$service.service.d/override.conf || exit 1
sed -n '/^After=/ s/$/ time-sync.target/p' /usr/lib/systemd/system/$service.service >> /etc/systemd/system/$service.service.d/override.conf

Apply the above commands, from setting the service variable onward, to any service needing the delay, after enabling the service.

If NTP contact fails, Chronyd will fail to set the time and leave it at ZERO (Dec 31, 1969).  There are two steps to getting Chrony to use the timestamp from its driftfile.  First is to use the -s option:

cat <<EOF>/etc/sysconfig/chronyd || exit 1

And Centos' Chronyd at version 2.1.1 needs a little hack to tell it to ignore the RTC that lacks a battery:

cat <<EOF>>/etc/chrony.conf || exit 1
rtcdevice /dev/doesnotexist
EOF

Named with SELinux caveats

Named wants to use random ports.  SELinux does not like random ports.

You have to limit the range of random ports named will use to keep SELinux happy.  So add the following to your named.conf

use-v4-udp-ports { range 10240 65535; };
use-v6-udp-ports { range 10240 65535; };

This is actually a general Centos7 with SELinux issue, not specific to arm.

Improving Randomness

Randomness, or Entropy, tends to be a little low and slow via software on an ARM SOC.  The Cubieboard does have a hardware RNG, but we have to enable it.

Test the available Entropy with:

cat /proc/sys/kernel/random/entropy_avail

Add the hardware RNG support by installing rng-tools, which as of April 20, 2017 had not made it into the repo:

mkdir /root/rpms
cd /root/rpms
wget https://armv7.dev.centos.org/repodir/c7-pass-1/rng-tools/5-2.el7/armv7hl/rng-tools-5-2.el7.armv7hl.rpm
yum install ./rng-tools*

If rng-tools does not bring the available entropy above 2000 bits, consider installing haveged from EPEL:

yum install haveged
systemctl enable haveged
systemctl start haveged

Managing the server with Webmin

Webmin is probably the best interface to monitor and manage the server.  You can access it via yum by adding:

cat <<EOF>/etc/yum.repos.d/webmin.repo || exit 1
name=Webmin Distribution Neutral

Next, install and start the Webmin service.

yum install webmin
systemctl enable webmin
firewall-cmd --permanent --add-port=10000/tcp
firewall-cmd --reload
service webmin start

You can now access Webmin via:

EPEL - Extra Packages for Enterprise Linux

An unsigned test EPEL is now available for armv7.  It is still a test, as not all the packages built successfully (thus YMMV).  You can access it via yum by adding:

cat <<EOF>/etc/yum.repos.d/epel.repo || exit 1
name=Epel rebuild for armhfp

The maintainer said to feel free to have a look at the build logs, submit patch and enjoy!
And if you can fix any of the packages, "You're a better man than I am, Gunga Din!"

You can email Robert at rgm at htt-consult.com.


© Robert G. Moskowitz -- 2017