Domino 10 Swing / Upgrade on CentOS 7.5
Mindwatering Incorporated
Tripp W Black on 03/28 at 09:37 PM


Category: Domino Upgrades / Installations, Linux
Software Installation, Software Upgrade
Domino

Notes:
CentOS was not an officially supported Domino Linux distro until Domino V10. However, we have clients using running it, on their mostly smaller deployments, back through R7, R8, and R8.5. Domino 10 requires CentOS 7.4 or higher because of the GLIC version (See IBM tech note 10735403).

CentOS doesn't do well doing an in-place upgrade. Unlike our Ubuntu server VMs which do in-place upgrades from major release to major release quite well, CentOS hasn't supported it except once, from 6.5 to 7.0, and we experienced little success. Each upgrade had hours of work just to see if we could get all the failed upgrade component working. Therefore, for our RedHat and CentOS VMs running Domino, we have always chosen to "swing" the install.


OS Installation:
The minimal CentOS 7.5 installation would not boot w/vSphere ParaVirtual and the LSI options. The full ISO installed well. We chose the "Server with GUI" option of packages. We then add or remove packages afterwards, as needed.


Post OS installation:
Since almost all the commands require sudo priviledges, I used sudo su:
$ sudo su


1. Configure FirewallD:
# firewall-cmd --zone=public --add-port=1352/tcp --permanent
# firewall-cmd --zone=public --add-port=80/tcp --permanent
# firewall-cmd --zone=public --add-port=443/tcp --permanent
... along with a few ports for internal "friendlier" networks ...
# firewall-cmd --permanent --zone=public --add-rich-rule="rule family="ipv4" source address="192.168.199.0/24" port protocol="tcp" port="22" accept"
# firewall-cmd --permanent --zone=public --add-rich-rule="rule family="ipv4" source address="192.168.199.0/24" port protocol="tcp" port="2050" accept"
# firewall-cmd --permanent --zone=public --add-rich-rule="rule family="ipv4" source address="192.168.211.0/28" port protocol="tcp" port="25" accept"
# firewall-cmd --reload

Confirm loaded and running:
# firewall-cmd --state


2. Kill postfix
# systemctl stop postfix.service
# systemctl disable postfix.service


3. Disable SELinux
# vi /etc/selinux/config
Change file so that the SELINUX line says:
SELINUX=disabled
--- OR ---
SELINUX=permissive
Save with: <esc>, wq
Note: The former disables, and the latter logs but doesn't enforce. You can also leave it enforced and add exclusions needed for your Domino install.


4. Create the notes user:
# useradd -d /home/notes -m notes
# passwd notes

5. Increase the file limits.conf:
Edit /etc/security/limits.conf:
# vi /etc/security/limits.conf

Add/update the following lines:
notes soft nofile 60000
notes hard nofile 80000 (use 60000 for 32bit for Domino 9, use 65535 for Domino 9)
(where notes is / will be the o/s username for the server.
Save with: <esc>, wq

Note:
If you are using a systemd service, the number of file handles is set inside the systemd script.
See the script section further below.


6. Update the notes user bashrc to set Linux parameters upon start:
# vi /home/notes/.bashrc
Add to the end of the file: export DOMINO_LINUX_SET_PARMS=1
Save with: <esc>, wq


7. Create the Domino data/notesdata folder:
If you have one "big" disk, then create the folder as below
Create the installation data/notesdata folder.
# cd /local
# mkdir notesdata


7 Alternate. Add the second notesdata disk to fstab.
We create two virtual disks, one for OS, and second for the notesdata folder.
We mount the disk to /local/notesdata, and set it to mount on boot. We format it ext4. For this example, the notesdata folder will be mapped to the first partition on the 3rd disk /dev/sdc

# mkfs.ext4 /dev/sdc1
# vi /etc/fstab
fstab line example: /dev/sdc1 /local/notesdata ext4 defaults 1 2
(<esc> & wq to save changes.)
$ sudo mount -a
(Mounts the new disk.)

8. Update the /local/notesdata folder permissions:
# chown -R notes /local/notesdata
# chgrp -R notes /local/notesdata
# chmod -R g+w /local/notesdata


9. Skip installation of specific library packages if you installed "Server with GUI".
The library prerequisites (e.g. glib) will already be installed. :-)


10. Copy Domino 10 Linux Install File and the existing notesdata folder:
We use Filezilla to transfer the new Domino tar to server. We use the root account for this transfer. We used the following for:
Domino 10.0.0 - DOMINO_SERVER_V10.0.64_BIT_LINUX_.tar
or
Domino 10.0.1 - DOM_SVR_V10.0.1_64_BIT_Lnx.tar

We use the Notes OS id to transfer the /local/notesdata folders. That way the files are already owned by the Notes user.
If your permissions don't cover over okay. Rerun the chmod command from step 8, like so.
# chmod -R u+rw /local/notesdata
# chmod -R g+rw /local/notesdata


11. Untar and Install Domino 10.0.1:
$ sudo tar -xvf DOM_SVR_V10.0.1_64_BIT_Lnx.tar.tar
$ sudo su
# cd linux64/domino/
# NUI_NOTESDIR=/opt/ibm/domino
# export NUI_NOTESDIR
# ./install
Take the defaults unless you need to change them. The install should auto-detect the folders and the domino user id.
- Install w/ graphic mode [Yes]
- Accept License [Yes/Accept]
- Install Data Directories Only [No]
- Next [Next Btn]
- Verify Program Files install location [/opt/ibm/domino/]
- Partitioned Server [No]
- Next [Next Btn]
- Verify Data Files Directory install location [/local/notesdata/]
- Next [Next Btn]
- User Name [notes]
- Group Name [notes]
- Next [Next Btn]
- Manual (3 - Manual): [Manual Radio Btn]
- Next [Next Btn]
- Installation Type (3): [Enterprise Radio Btn]
- Next [Next Btn]
- Review answer/settings for install.
- Next [Next Btn]
= Watch Progress Bar.
- Finish [Finish Btn]


12. Update the Notes.ini to add the new Create_R10_Databases=1:
# cd/local/domdata/
# vi notes.ini
Add the following line:
Create_R10_Databases=1
( Remove any old Create_R9_Database=1 option. )


13. To update ODS now, run compact:
# su notes
$ /opt/ibm/domino/bin/compact -c /local/notesdata/names.nsf
$ /opt/ibm/domino/bin/compact -c /local/notesdata/admin4.nsf
$ /opt/ibm/domino/bin/compact -c /local/notesdata/log.nsf
$ /opt/ibm/domino/bin/compact -c /local/notesdata/statrep.nsf

Notes:
If you have terabytes of data, this will take a while. Consider doing just the system apps, and doing the others after the system as restarted.
If you have symlinks from an older version of Domino, you can use /opt/ibm/domino/compact directly, bypassing bin.
(We still have that on a few ancillary Domino servers we run on Ubuntu - yes, it unsupported but works, and allows for in-place upgrades of OS.)


14. Start the server manually for any prompts of design updates, etc.:
$ cd /local/notesdata/
$ /opt/ibm/domino/bin/server
Look for any messages to update Directory design, etc.
When done, type quit to stop the server.
> quit


15. install the service scripts. We use the Nashed ones.
Copy the script files. Update the notes username, if necessary and folder paths, if not using the ones above.
rc_domino_script --> /opt/ibm/domino/
rc_domino / domino --> /etc/init.d/
domino.service --> /etc/systemd/system/
rc_domino_config_lotusnotes --> /etc/sysconfig/

Notes:
We renamed our rc_domino to just domino to make it easier to remember.
We updated the /etc/systemd/system/domino.service file with the following:
# vi /etc/systemd/system/domino.service
[Service]
...
LimitNOFILE=65535
LimitNPROC=8000
TasksMax=8000
Save with: <esc>, wq

Enable the new SystemD service:
# systemctl enable domino.service

(To disable: # systemctl disable domino.service

Exit being user Notes and start Domino normally as a service:
$ exit
# systemctl start domino.service
Look for any errors.


_______________________________________________________________________

Important - Post Install TLS Check:

In Domino 9.0.1, the server supported TLS 1.2 by adding notes.ini settings. Those are now IGNORED in Domino 10.0.x.

Make sure you have both a Web Internet Site document and a SMTP Incoming Internet Site document. Enable the ciphers to be used. The Domino server automatically ranks them on strength. If you do not set these up, will see the following error messages:

For the HTTP/Web, Internet Site document, the error message for not setting this up will be:
- TLS/SSL Connection 123.123.123.123 (12345) -> 321.321.321.321 (443) failed with no supported ciphers
- In Firefox, the error will be: SSL_ERROR_NO_CYPHER_OVERLAP

For the Incoming SMTP, Internet Site document, the error message for not setting this up will be:
- TLS Connection Failed - No supported Ciphers. 0 Messages Received.

For the LDAPS, Internet Site document, the error message for not setting this up will be:
- TLS/SSL Connection 123.123.123.123 (12345) -> 321.321.321.321 (636) failed with no supported ciphers

Note:
If you don't use Internet Site docs, then make your cipher selections in the server document.

_______________________________________________________________________





previous page