Centos 7 for armv7 SOC

Installing the image

This page presents updated steps to get a Centos7 image up and running on a Cubieboard2 or CubieTruck SoC board.  It should also work for many other armv7 boards.  These instructions were developed while building this server.

You can learn the basics and more from:

https://wiki.centos.org/SpecialInterestGroup/AltArch/armhfp
The Centos site is now very good for the basic installation, and it lists all boards currently supported.  The challenge is getting the proper uboot file.  If you have a Centos or Fedora system, it is easy to install the uboot-images-armv7 or uboot-images-armv8 rpm and take the uboot file from it.  It is also very easy to make a Fedora arm image for your board and get the uboot file that way.

Alternatively, I have made the whole uboot-tools directory that comes with Centos7-arm available here:
Uboot files here
Cubieboards, with their integrated SATA, can boot directly from SATA with only uboot on the uSD card.  Use a USB/SATA adapter to write the Centos image directly to a SATA drive.  I prefer to use gparted to size the partitions to my liking.  Use the dd command to put uboot on a uSD card (as small a card as you can find) from which you have removed all partitions; I use fdisk to simply delete any partitions.  Write uboot to the whole-card device, not to a partition, and at the offset your board's boot ROM expects.

Other boards' uboot may support booting directly from a USB drive.  Check your board's uboot documentation.

Note: You can run Centos7 from a uSD card.  I recommend at least an 8 GB card.  Many of the later steps will be painfully slow, though.
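The dd step above, written out as an added example (this is not part of the page's own instructions): it writes the uboot SPL image to the card and then reads it back to confirm it landed where the boot ROM looks for it.  It assumes an Allwinner A20 board (Cubieboard2, CubieTruck), whose boot ROM loads the SPL from offset 8 KiB of the card, the file /usr/share/uboot/Cubietruck/u-boot-sunxi-with-spl.bin as shipped in the uboot-images-armv7 rpm mentioned above (the rpm carries one directory per board), and that the caller passes the whole-card device node, never a partition.

```bash
# Added example, not from the original page.  Write the u-boot SPL to the uSD
# card at the sunxi offset and verify it by reading it back.
# Assumptions: Allwinner A20 board (SPL read from 8 KiB), image file from the
# uboot-images-armv7 rpm, whole-card device passed in by the caller.

UBOOT_SEEK_KIB=8    # sunxi boot ROM reads the SPL from 8 KiB into the card

write_uboot() {
    img=$1 dev=$2
    # seek=8 with bs=1024 skips sector 0 (the MBR) and writes into the gap
    # before the first partition, which must therefore start at or after the
    # end of the image (the fdisk default of 1 MiB is plenty).  conv=notrunc
    # matters when testing against a regular file; on a block device it is a
    # no-op.
    dd if="$img" of="$dev" bs=1024 seek="$UBOOT_SEEK_KIB" conv=notrunc 2>/dev/null
}

verify_uboot() {
    img=$1 dev=$2
    size=$(wc -c < "$img" | tr -d ' ')
    blocks=$(( (size + 1023) / 1024 ))
    # Read back exactly the bytes written and compare them with the source.
    # Return status is cmp's: 0 only if every byte matches.
    dd if="$dev" bs=1024 skip="$UBOOT_SEEK_KIB" count="$blocks" 2>/dev/null \
        | head -c "$size" | cmp -s - "$img"
}

# Usage on the real card (after deleting its partitions with fdisk as described);
# sync and flush the block device first so the read-back comes from the card
# and not from the page cache:
#   uboot=/usr/share/uboot/Cubietruck/u-boot-sunxi-with-spl.bin
#   write_uboot "$uboot" /dev/sdc && sync && blockdev --flushbufs /dev/sdc
#   verify_uboot "$uboot" /dev/sdc && echo "uboot verified"
```

The read-back check is what catches the two usual mistakes: writing to a partition device (the bytes then sit at the wrong absolute offset) and a card that silently drops writes.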

You are now ready to insert the uSD card, attach the SATA drive and power up your Cubie.  I strongly recommend having a serial console.  Get yourself a USB UART TTL adapter (less than $2 each) and, from a terminal window, access the console with (assuming it shows up as /dev/ttyUSB0):

sudo screen /dev/ttyUSB0 115200


Booting the image and first steps

Throughout this guide there are values unique to an installation that have to be provided.  For the most part these are handled by first setting some environment variables that are then used in cat and sed commands, or you can edit the values in by hand.  Which characters need escaping depends on where the value ends up: a variable substituted into a sed replacement is parsed by sed, so \, & and the / delimiter in its value must each be preceded by a \; a variable expanded inside a here-document (the cat <<EOF blocks) is not parsed again and needs no escaping, but a value typed by hand into a here-document must have $, \ and ` preceded by a \.
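The sed escaping rule from the paragraph above, packaged as a helper together with a small key/value setter of the kind this page uses.  This is an added example, not code from the page; it assumes GNU or POSIX sed, / as the s-command delimiter (as in the page's sed commands), values without embedded newlines, and a key that is a plain word.

```bash
# Added example, not from the original page.  Escape a value for use inside a
# sed replacement, and use it to rewrite a "key value" line in a config file.
# Assumptions: GNU or POSIX sed, "/" as the s delimiter, no newlines in values.

sed_escape() {
    # In a sed replacement the special characters are \ , & and the delimiter;
    # put a backslash in front of each.  "$" is not special in a replacement,
    # so a password containing "$" passes through unchanged.  One pass with
    # "g" means the backslashes we add are never escaped a second time.
    printf '%s' "$1" | sed -e 's|[/&\\]|\\&|g'
}

set_config_value() {
    # Rewrite the "key value" line, whether or not it is currently commented
    # out, with the given raw value.  The result is copied back over the
    # original file so its mode and SELinux context are kept.
    file=$1 key=$2 value=$3
    esc=$(sed_escape "$value")
    sed -e "s/^#\{0,1\}$key[[:space:]].*/$key $esc/" "$file" > "$file.tmp" \
        && cat "$file.tmp" > "$file" && rm -f "$file.tmp"
}

# Usage, modelled on the chrony "allow" line later on this page; the value
# contains "/", which unescaped would end the sed expression early:
#   printf '#allow 192.168/16\nrtcsync\n' > /tmp/chrony.conf.demo   # constructed
#   set_config_value /tmp/chrony.conf.demo allow 10.0.0.0/8
#   head -n1 /tmp/chrony.conf.demo        # -> allow 10.0.0.0/8
```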

To find the value for date_timezone (a tz database name such as America/New_York), see the list below or run timedatectl list-timezones on the board:

http://php.net/date.timezone

Set the following variables for this guide.  Save your settings somewhere as there is at least one reboot where these variables will have to be set again.

your_domain_tld=
your_host_only=
your_host_tld=$your_host_only.$your_domain_tld
date_timezone=
your_ipv4_dns1=
your_ipv4_dns2=
your_ipv4_address=
your_ipv4_gateway=
your_ipv4_prefix=24
admin_account=
admin_name=
admin_email=
SSHD_Port=

Insert the uSD card and attach the SATA drive, USB/TTL adapter and Ethernet cable (there is no support for the CubieTruck's embedded WiFi or Bluetooth).  Power up and log in as root (the default password is centos; change it with passwd before the board is reachable by anyone else!)

Give the system a little time, then check with the date command that chrony has reached its NTP servers.  If the date stays at Dec 31, 1969 (the Unix epoch shown in a US time zone), you have connectivity problems; set the date by hand with month, day, hour, minute and four-digit year, e.g. 042014302017 for 2017-04-20 14:30:

date MMDDhhmmCCYY

Next you should probably set your timezone.

timedatectl set-timezone $date_timezone

SELinux is now set to Enforcing in the image, so you no longer need to set it yourself (check with getenforce).  Leave it that way; the rest of this page (semanage for the SSH port, the named port range) assumes it is enforcing.

Set your hostname and create your personal user account:

hostnamectl set-hostname $your_host_tld
adduser -c "$admin_name" -G wheel $admin_account
passwd $admin_account


Updating the image

Run yum update, then reboot to use the new kernel.  Pay attention to free space in /boot before allowing yum to install a new kernel.  Again, I use gparted to make a larger /boot partition (as well as a larger swap partition) than what comes in the base image.

At this point the system is ready to use.  I like to add:

yum install mlocate wget mutt logwatch policycoreutils-python screen

Screen is very helpful for running remote yum updates: if the SSH connection drops, you can simply reconnect to the screen session, which survives the disconnect.

To change sshd's port to $SSHD_Port (work on the serial console, or keep your current SSH session open until a new login on the new port succeeds; the SELinux label and firewall rule must be in place before sshd is restarted):

sed -i -e "s/^#Port 22/Port $SSHD_Port/w /dev/stdout" /etc/ssh/sshd_config
semanage port -a -t ssh_port_t -p tcp $SSHD_Port
firewall-cmd --permanent --add-port=$SSHD_Port/tcp
firewall-cmd --permanent --remove-service=ssh
firewall-cmd --reload
firewall-cmd --list-all
systemctl restart sshd
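The port change above as an added example (not code from the page), written so it is safe to re-run: the page's sed only matches the commented default "#Port 22", so running it a second time, or on a file that already has a Port line, silently does nothing.  set_sshd_port works on any file path so you can try it on a copy first; apply_sshd_port is the root-only part for the real system and assumes CentOS 7 with SELinux enforcing and firewalld, as set up earlier on this page.

```bash
# Added example, not from the original page.  Change sshd's listening port
# idempotently, then apply the SELinux label and firewalld rules.
# Assumptions: CentOS 7, SELinux enforcing, firewalld (as on this page).

set_sshd_port() {
    file=$1 port=$2
    # Reject anything that is not a number in 1..65535.
    case $port in ''|*[!0-9]*) echo "port must be numeric" >&2; return 1 ;; esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || { echo "port out of range" >&2; return 1; }
    # Drop every Port line, commented or not, and put the new one first:
    # sshd requires Port to precede any ListenAddress directive.  Copying the
    # result back over the original keeps its 0600 mode and SELinux context.
    { printf 'Port %s\n' "$port"
      grep -v '^#\{0,1\}Port[[:space:]]' "$file" || true; } > "$file.tmp" \
        && cat "$file.tmp" > "$file" && rm -f "$file.tmp"
}

# Report the port the file configures (22 when no Port line is present).
sshd_port_of() {
    p=$(sed -n 's/^Port[[:space:]]\{1,\}\([0-9]\{1,\}\).*/\1/p' "$1" | head -n1)
    printf '%s\n' "${p:-22}"
}

apply_sshd_port() {   # run as root on the board; not exercised by a test
    port=$1
    set_sshd_port /etc/ssh/sshd_config "$port"
    sshd -t || return 1                         # syntax-check before restarting
    # "-a" fails if the port already carries a label; "-m" then relabels it.
    semanage port -a -t ssh_port_t -p tcp "$port" 2>/dev/null \
        || semanage port -m -t ssh_port_t -p tcp "$port"
    firewall-cmd --permanent --add-port="$port"/tcp
    firewall-cmd --permanent --remove-service=ssh
    firewall-cmd --reload
    systemctl restart sshd
    ss -tln | grep -q ":$port "                 # confirm sshd is listening
}
```

Keep the session you ran apply_sshd_port from open and log in once more on the new port from a second terminal before closing it; if that login fails, the old session is your way back.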

To get logwatch's daily mail into your own mailbox, alias root to it (the bind commands turn readline tab completion off and back on so that the literal tab between root: and the address can be typed in an interactive shell; this assumes the local postfix can deliver to that address):

bind 'set disable-completion on'
cat <<EOF>>/etc/aliases || exit 1
root:	$admin_email
EOF
newaliases
bind 'set disable-completion off'

Since this is a server, you may want a static IP address (IPv6 support TBD).  Do this from the serial console: the old connection is deleted before the new one comes up, so an SSH session would be cut off.  Check nmcli con show first; if the existing connection is not named eth0, delete it by its actual name:

ifname=eth0
nmcli con delete $ifname
nmcli con add type ethernet con-name $ifname ifname $ifname ip4 $your_ipv4_address/$your_ipv4_prefix gw4 $your_ipv4_gateway
nmcli con mod $ifname ipv4.dns "$your_ipv4_dns1 $your_ipv4_dns2"
# optionally set your MAC address
# your_mac=
# nmcli con mod $ifname ethernet.cloned-mac-address "$your_mac"
nmcli con up $ifname

Finally, you can add an external USB drive to fstab.  Find its UUID in /dev/disk/by-uuid and its label with fdisk or another tool, then add to /etc/fstab (if the filesystem is not ext4, replace the type):

UUID=drive-uuid /media/drive-label ext4 nofail,auto,noatime,rw,user 0 0

The user option lets an unprivileged user mount the drive and implies noexec, nosuid and nodev unless a later option overrides them, which is what you want for a removable drive; nofail keeps the boot from stalling when the drive is not attached.

And that is pretty much it!

Chrony caveats

Since the Cubieboards have no RTC (no battery!), Chrony is really good at making the huge time jump quickly at boot, but with the default makestep setting it only steps the clock during the first few updates and afterwards corrects drift by slewing alone.  This may be OK for a workstation, but not for all servers.  If you need the clock corrected promptly whenever it is found far off, edit the makestep line in /etc/chrony.conf (the second sed removes the original makestep line and its two comment lines; check that the comment text matches your chrony version before running it):

sed -i -e '/^makestep/ a # step the clock at any time if the measured offset is larger than 10 seconds\nmakestep 10 -1' /etc/chrony.conf
sed -i "/^# In first three/,+2 d" /etc/chrony.conf

If you want to serve NTP time to local clients, uncomment the "Allow local access" line (and open UDP port 123 in firewalld; its ntp service definition does that).

sed -i -e "s/^#allow/allow/w /dev/stdout" /etc/chrony.conf

Some services, like Postfix and Samba, need to delay their startup until the system time has been brought current; otherwise the files and log entries they create at boot carry 1969 timestamps.  This is done with chrony-wait, which holds back time-sync.target until Chrony reports the clock synchronized (so a boot without NTP reachability delays those services):

systemctl enable chrony-wait
systemctl start chrony-wait
service=postfix
mkdir /etc/systemd/system/$service.service.d
cat <<EOF>>/etc/systemd/system/$service.service.d/override.conf || exit 1
[Unit]
EOF
sed -n '/^After=/ s/$/ time-sync.target/p' /usr/lib/systemd/system/$service.service >> /etc/systemd/system/$service.service.d/override.conf

Apply the above commands, from setting the service variable on, to any service that needs the delay, after enabling the service; then run systemctl daemon-reload so systemd reads the new drop-in.  A drop-in's After= adds to the unit's own list, so the copied line only needs to carry time-sync.target, but including the original targets does no harm.

If NTP contact fails, chronyd will not set the time and it stays at the epoch (Dec 31, 1969).  With the -s option chronyd sets the clock at startup from the RTC or, on a board without one, from the modification time of its driftfile, so the clock at least starts from roughly the last shutdown time rather than from 1969.  Restart chronyd after changing the option:

cat <<EOF>/etc/sysconfig/chronyd || exit 1
OPTIONS=" -s"
EOF

An alternative tool, which restores a saved timestamp right after systemd starts, can be found at:

https://github.com/kristjanvalur/fake-hwclock

The instructions there are easy to follow.

Named with SELinux caveats

Named chooses the source ports for its outgoing queries from a wide range, and SELinux denies it binding to ports that the policy has labelled for other services, so you get AVC denials (visible with ausearch -m avc -c named).

Limit the range of random ports named uses to the high, mostly unlabelled range to keep SELinux happy.  Add the following inside the options { } block of your named.conf:

use-v4-udp-ports { range 10240 65535; };
use-v6-udp-ports { range 10240 65535; };

This is actually a general Centos7 with SELinux issue, not specific to arm.

Improving Randomness

Randomness, or entropy, tends to be low and slow to replenish on an ARM SoC when it comes only from software.  The Cubieboard does have a hardware RNG, but we have to enable it.

Test the available Entropy with:

cat /proc/sys/kernel/random/entropy_avail
Add the hardware RNG support by installing rng-tools, which as of April 20, 2017 had not made it into the repo.  The package is pulled straight from the build host, so check it with rpm -K before installing (yum does not GPG-check a local rpm by default), and make sure the rngd service is enabled and started afterwards; rngd feeds the kernel pool from /dev/hwrng, so that device must exist:

mkdir /root/rpms
cd /root/rpms
wget https://armv7.dev.centos.org/repodir/c7-pass-1/rng-tools/5-2.el7/armv7hl/rng-tools-5-2.el7.armv7hl.rpm
yum install ./rng-tools*

If rng-tools does not bring the available entropy above about 2000 bits (the pool holds at most 4096), consider installing haveged from EPEL (see the EPEL section below):
issihosts.com/haveged

yum -y install haveged
systemctl enable haveged
systemctl start haveged


Managing the server Remotely

Webmin is probably the best interface to monitor and manage the server.  You can make it available to yum by adding:

cat <<EOF>/etc/yum.repos.d/webmin.repo || exit 1
[Webmin]
name=Webmin Distribution Neutral
baseurl=http://download.webmin.com/download/yum
enabled=1
gpgcheck=1
gpgkey=http://www.webmin.com/jcameron-key.asc
EOF

Next, install and start the Webmin service.  The first install fetches the repository's signing key over plain HTTP (see gpgkey above), so compare the fingerprint yum shows you with the one published on webmin.com before accepting it.

yum -y install webmin
systemctl enable webmin
firewall-cmd --permanent --add-port=10000/tcp
firewall-cmd --reload
service webmin start

You can now access Webmin via:
https://your_host_tld:10000

Note that this opens port 10000 to every network the firewall zone faces.  On a server reachable from the internet, limit the source addresses in firewalld or reach Webmin through an SSH tunnel, as described for VNC below, instead of opening the port.

VNC to the GNOME desktop is another remote management alternative.  Install the GNOME image (note: I tried installing the Xfce desktop on the minimal image, but critical components were not available yet as of Aug 7, 2018), then follow these steps:

If you will not be accessing the Gnome desktop directly, but only remotely, you can disable gnome session startup.

systemctl set-default multi-user.target

The Gnome session can always be accessed from the local login with startx.

Next, install the VNC server:

yum install tigervnc-server

For those accounts that will be accessed via VNC (e.g. root, user), log in to each and run vncpasswd.  Note that VNC passwords are truncated to eight characters, one more reason to treat the SSH tunnel below as mandatory.

For the first remote user:

cp /lib/systemd/system/vncserver@.service /etc/systemd/system/vncserver@:1.service

Edit /etc/systemd/system/vncserver@\:1.service, replacing <USER> with the user ID.  If the display will only ever be reached through the SSH tunnel described below, also add -localhost after %i in the ExecStart line so that Xvnc accepts connections only from the board itself (the firewall port below then need not be opened).  Then:

systemctl daemon-reload
systemctl start vncserver@:1
systemctl status vncserver@:1
systemctl enable vncserver@:1

firewall-cmd --add-port=5901/tcp --permanent
firewall-cmd --reload

Finally, repeat these steps for user2, using @:2 and port 5902, and so on.

NOTE: VNC is NOT secure on its own!  It should only be used on a trusted network or over an SSH tunnel, where N is a free display number on your client and M the display number on the board (1 for vncserver@:1, port 5901):

ssh -v -C -L 590N:localhost:590M hostB

Then point the VNC viewer at localhost:N.


EPEL - Extra Packages for Enterprise Linux

The Centos armhfp site referenced at the beginning of this page is the definitive source for setting up the EPEL repo.

The maintainer said to feel free to have a look at the build logs, submit patches and enjoy!

https://armv7.dev.centos.org/rpmbuild/epel-pass-1/
And if you can fix any of the packages, "You're a better man than I am, Gunga Din!"

You can email Robert at mailto:rgm at htt-consult.com his desk...

Updated


© Robert G. Moskowitz -- 2018