Differences
This shows the differences between two versions of the page.
centos:ansible:pxe [21.06.2020 09:37] – [AOMH Installation vie PXE vornehmen] django | centos:ansible:pxe [14.09.2022 16:52] (current) – page moved django
====== Installing an Ansible Orchestrator Management Host using a kickstart file for CentOS 8.x (PXE server) ======
<WRAP center round todo 55%>
**Page under construction, not yet current! Updated continuously!**
</WRAP>

Installing a machine quickly,

<WRAP center round tip 80%>
In the following example, however, we want to install our **AOMH**((**A**nsible **O**rchestrator **M**anagement **H**ost)) automatically and reproducibly via PXE,
</WRAP>


===== Prerequisites =====
==== TFTP-/
The following prerequisites must be met:
  - The [[centos:
  - A [[centos:
  - A definition of the [[centos:
  - The network card in the client machine __must__ support PXE!

==== SSH key material ====
The basic idea behind this undertaking is to be able to set up exactly the same **Ansible Orchestrator Management Host** reproducibly, again and again if need be,

In the chapter **[[centos:

We now create an **ED25519** key (**''
$ ssh-keygen -t ed25519 -a 100 -C '

<code>
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in ~/
Your public key has been saved in ~/
The key fingerprint is:
SHA256:
The key's randomart image is:
+--[ED25519 256]--+
|
| .E+ +.+. |
| ++.. = * |
| +..+ + O . |
|
| ... o * . |
| .oo o + + .|
| .... o . = |
|
+----[SHA256]-----+</code>

We then copy the two key files to a trusted medium that we can fall back on at any time.
$ ll .ssh/
<code>
-rw-r--r--. 1 ansible ansible 100 Jun 20 13:08 id_ed25519_ansible.pub</code>

<WRAP center round important 80%>
Whether this is a secure USB stick such as the **[[https://
</WRAP>



===== Ansible Orchestrator Management Host =====
==== Task ====
As mentioned at the beginning,

In future, our script will perform the following tasks for us reproducibly:
  - **[[centos:
  - **IP address and hostname** By specifying the hostname when booting the installation image, we want to set it and also have the associated IP address applied. (The hostname is also used, for example, in the definition of the volume group of an LVM.)
  - **Installation log file** for tracing the completed installation under **''/
  - **[[centos:
  - **[[centos:
  - **[[centos:
  - **[[centos:
  - **[[wiki:
  - In addition to the standard ones, the repository **[[centos:
  - **Update** Finally, we make sure that all installed packages are at the latest version and then reboot the system.
  - **Set up NFS client for connecting to the NAS**,
  - **[[centos:
  - Create the **Ansible system user** and store the previously created **[[#
  - **[[centos:
  - **[[centos:
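The hostname-driven network setup from the task list above, as an added example that is not part of the original page's kickstart file: it reads `SERVERNAME=` from a constructed kernel command line without `eval`, validates the value as a hostname label, and derives the host octet from the name's numeric suffix. The 10.20.30.0/24 network, the gateway and the naming scheme are assumptions made for this example only.

```shell
#!/bin/sh
# Added example (not the original page's %pre script): derive the kickstart
# `network` line from a SERVERNAME= kernel parameter without using `eval`.
# Assumptions for this example: the host octet is the name's trailing number
# and the network is 10.20.30.0/24 with gateway/DNS at 10.20.30.1.

# Constructed sample command line, not captured from a real PXE boot.
SAMPLE_CMDLINE='BOOT_IMAGE=vmlinuz initrd=initrd.img inst.ks=http://pxe.example.invalid/aomh.ks SERVERNAME=aomh30 quiet'

# servername_from_cmdline CMDLINE: print the SERVERNAME value or fail.
# Runs in a subshell with globbing off so a token such as SERVERNAME=* is
# not expanded; the value is only ever treated as data, never evaluated.
servername_from_cmdline() (
    set -f
    for tok in $1; do
        case "$tok" in
            SERVERNAME=?*) printf '%s\n' "${tok#SERVERNAME=}"; return 0 ;;
        esac
    done
    return 1
)

# valid_hostname NAME: succeed only for a single RFC 1123 style label
# (letters, digits, hyphens; no leading/trailing hyphen; at most 63 chars).
valid_hostname() {
    case "$1" in
        ''|*[!A-Za-z0-9-]*|-*|*-) return 1 ;;
    esac
    [ "${#1}" -le 63 ]
}

# host_octet NAME: print the trailing 1-3 digit suffix as the host octet,
# rejecting leading zeros (octal ambiguity) and values outside 1..254.
host_octet() {
    digits=${1##*[!0-9]}
    case "$digits" in
        '' | 0*) return 1 ;;
    esac
    [ "${#digits}" -le 3 ] || return 1
    [ "$digits" -ge 1 ] && [ "$digits" -le 254 ] || return 1
    printf '%s\n' "$digits"
}

# network_line NAME: the kickstart network stanza for the %include file.
network_line() {
    oct=$(host_octet "$1") || return 1
    printf 'network --bootproto=static --device=link --ip=10.20.30.%s --netmask=255.255.255.0 --gateway=10.20.30.1 --nameserver=10.20.30.1 --hostname=%s --activate\n' "$oct" "$1"
}

# write_include CMDLINE OUTFILE: parse, validate and write. On bad input
# nothing is written, so the installer fails instead of continuing with a
# half-configured network.
write_include() {
    name=$(servername_from_cmdline "$1") || { echo "SERVERNAME= missing on the command line" >&2; return 1; }
    valid_hostname "$name" || { echo "rejected SERVERNAME value: $name" >&2; return 1; }
    network_line "$name" > "$2"
}

# Stand-alone demonstration: print the line that would be written.
network_line "$(servername_from_cmdline "$SAMPLE_CMDLINE")"
```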

==== Creating the kickstart file ====
For the automatic installation and configuration of our Ansible Orchestrator Management Host we use the following kickstart file.
# vim /

<file bash /
# Version=CentOS 8 (RHEL 8)

# 1) Base installation ###########################################################################################

# Define keyboard layout
keyboard --vckeymap=de-nodeadkeys --xlayouts='

# Set system language
lang en_US.UTF-8

# Network settings definition - set the network address and hostname
# that were taken over from the pre-install script during the PXE boot.
%include /
network

# Set time zone
timezone Europe/
services --enabled="

# Network installation from our own repository with the current packages
url --url="
repo --name="

# Preset the root password (hashed)
rootpw --iscrypted $6$Z46HtZ/

# Create default user account
user --name=django --password=$6$2.fGKBeQa18GE6XwDMXG6$QX/

# Delete existing partitions
#ignoredisk --only-use=vda
#clearpart --all --initlabel --drives=vda
# autopart --type=lvm

# Use the GUI for the installation
graphical

# Do not configure the X Window System,
skipx

# Reboot after the installation
reboot

# Define package selection (minimal installation with additional packages
%packages
@^minimal-environment
-iwl*firmware
vim
bash-completion
bind-utils
wget
telnet
net-tools
lsof
tree
%end

%addon com_redhat_kdump --disable --reserve-mb='
%end

%anaconda
pwpolicy root --minlen=6 --minquality=1 --notstrict --nochanges --notempty
pwpolicy user --minlen=6 --minquality=1 --notstrict --nochanges --emptyok
pwpolicy luks --minlen=6 --minquality=1 --notstrict --nochanges --notempty
%end

#%end

%addon com_redhat_kdump --disable --reserve-mb='

%end
#################################################################################################################

# 2) Pre-install instructions:
%pre
#!/bin/bash
echo "
for x in `cat /
  case $x in SERVERNAME*)
    eval $x
    NULL=${SERVERNAME:
    if [ "
      echo "
    else
      if [ "
        OCTET=${SERVERNAME:
      else
        OCTET=${SERVERNAME:
      fi
      echo "
    fi
    ;;
  esac;
done
%end
#################################################################################################################

# 3) Post-install instructions:
%post --log=/
#!/bin/bash
DATUM=$(date +"
for x in `cat /
  case $x in SERVERNAME*)
    eval $x
#################################################################################################################

# 4) Adjust the boot loader, remove rhgb from the boot options ##################################################
sed -i '
grub2-mkconfig -o /
#################################################################################################################

# 5) Customise MOTD and ISSUE.NET ###############################################################################
# /
cat <<
##############################################################################
# #
# This is a private home server.
# #
#
# #
# This system is actively monitored and all connections may be logged.
# By accessing this system, you consent to this monitoring.
# #
##############################################################################
ISSUE.NET

chown root: /
chmod 644 /

# Create /etc/motd
cat <<
##############################################################################
# #
# This is the home server of Michael Nausch.
# #
# $SERVERNAME.nausch.org
# #
#
# #
# This system is actively monitored and all connections may be logged.
# By accessing this system, you consent to this monitoring.
# #
##############################################################################
MOTD

chown root: /etc/motd
chmod 644 /etc/motd
#################################################################################################################

# 6) Configure the SSH daemon ###################################################################################
cp -a /
cat <<
# $OpenBSD: sshd_config,

# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.
# default value.

# If you want to change the port on a SELinux system, you have to tell
# SELinux about this change.
# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER
#
# Specifies which address family should be used by sshd(8). Valid arguments
# are ''
#

# Specifies the local addresses sshd(8) should listen on. The following
# forms may be used:
#
#
#
# If port is not specified, sshd will listen on the address and all prior
# Port options specified. The default is to listen on all local addresses.
# Multiple ListenAddress options are permitted. Additionally,
# options must precede this option for non-port qualified addresses.
#Port 22
#
#

# Specifies a file containing a private host key used by SSH. The default
# is /
# /
# version 2. Note that sshd(8) will refuse to use a file if it is
# group/
# ''
# version 2 of the SSH protocol.
HostKey /

# Specifies the ciphers allowed for protocol version 2. Multiple ciphers
# must be comma-separated. The supported ciphers are ''
# ''
# ''
# ''
Ciphers chacha20-poly1305@openssh.com,

# MACs' Specifies the available MAC (message authentication code)
# algorithms. The MAC algorithm is used in protocol version 2 for data
# integrity protection. Multiple algorithms must be comma-separated.
MACs hmac-sha2-512-etm@openssh.com,

# Specifies the available KEX (Key Exchange) algorithms. Multiple
# algorithms must be comma-separated. For interoperability with Eclipse
# and WinSCP):
# KexAlgorithms curve25519-sha256@libssh.org,
# If needed, open /
# 5th column is less than 2000.
# awk '$5 > 2000' /
# wc -l "
# make sure there is something left
# mv "
#
KexAlgorithms curve25519-sha256@libssh.org

# Ciphers and keying
#RekeyLimit default none

# System-wide Crypto policy:
# This system is following system-wide crypto policy. The changes to
# Ciphers, MACs, KexAlgorithms and GSSAPIKexAlgorithms will not have any
# effect here. They will be overridden by command-line options passed on
# the server start up.
# To opt out, uncomment a line with redefinition of CRYPTO_POLICY=
# variable in /
# For more information,

# Logging
# Gives the facility code that is used when logging messages from sshd(8).
# The possible values are: DAEMON, USER, AUTH, AUTHPRIV, LOCAL0, LOCAL1,
# LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.
SyslogFacility AUTHPRIV

# Gives the verbosity level that is used when logging messages from sshd(8).
# The possible values are: QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG,
# DEBUG1, DEBUG2, and DEBUG3. The default is INFO. DEBUG and DEBUG1 are
# equivalent. DEBUG2 and DEBUG3 each specify higher levels of debugging
# output. Logging with a DEBUG level violates the privacy of users and is
# not recommended.
# LogLevel VERBOSE logs user's key fingerprint on login. Needed to have a
# clear audit track of which key was used to log in.
LogLevel VERBOSE

# Authentication:
# The server disconnects after this time if the user has not successfully
# logged in. If the value is 0, there is no time limit.
LoginGraceTime 0

# Specifies whether root can log in using ssh(1). The argument must be
# ''
# The default is ''
# password authentication is disabled for root. If this option is set to
# ''
# be allowed, but only if the command option has been specified (which
# may be useful for taking remote backups even if root login is normally
# not allowed). All other authentication methods are disabled for root.
# If this option is set to ''
PermitRootLogin no

# This keyword can be followed by a list of user name patterns, separated
# by spaces. If specified, login is allowed only for user names that match
# one of the patterns. Only user names are valid; a numerical user ID is
# not recognized. By default, login is allowed for all users. If the pattern
# takes the form USER@HOST then USER and HOST are separately checked,
# restricting logins to particular users from particular hosts. The
# allow/deny directives are processed in the following order:
# DenyUsers, AllowUsers, DenyGroups, and finally AllowGroups.
AllowUsers django ansible

# Specifies whether sshd(8) should check file modes and ownership of the
# user's files and home directory before accepting login. This is normally
# desirable because novices sometimes accidentally leave their directory
# or files world-writable.
StrictModes yes

# Specifies the maximum number of authentication attempts permitted per
# connection. Once the number of failures reaches half this value,
# additional failures are logged.
MaxAuthTries 10

# Specifies the maximum number of open sessions permitted per network
# connection.
MaxSessions 10

# Specifies the file that contains the public keys that can be used for
# user authentication. AuthorizedKeysFile may contain tokens of the form
# %T which are substituted during connection setup. The following tokens
# are defined: %% is replaced by a literal '
# home directory of the user being authenticated,
# the username of that user. After expansion, AuthorizedKeysFile is
# taken to be an absolute path or one relative to the user's home directory.
AuthorizedKeysFile

# Specifies whether public key authentication is allowed. The default is
# ''
PubkeyAuthentication yes


#
#
#

# For this to work you will also need host keys in /
#
# Change to yes if you don't trust ~/
# HostbasedAuthentication
#
# Don't read the user's ~/.rhosts and ~/.shosts files
#

# To disable tunneled clear text passwords, change to no here!
#
#

# Specifies whether password authentication is allowed. To disable tunneled
# clear text passwords, change to no here!
PasswordAuthentication no

# Specifies whether challenge-response authentication is allowed
# (e.g. via PAM or through authentication styles supported in login.conf(5))
# Change to no to disable s/key passwords
ChallengeResponseAuthentication no

# Kerberos options
#
#
#
#
#

# Specifies whether user authentication based on GSSAPI is allowed.
GSSAPIAuthentication yes

# Specifies whether key exchange based on GSSAPI is allowed. GSSAPI key
# exchange doesn'
#

# Specifies whether to automatically destroy the user's credentials cache
# on logout.
GSSAPICleanupCredentials no

# Determines whether to be strict about the identity of the GSSAPI acceptor
# a client authenticates against. If ''
# against the host service on the current hostname. If ''
# may authenticate against any service key stored in the machine'
# store. This facility is provided to assist with operation on multi homed
# machines. The default is ''
# protocol version 2 GSSAPI connections,
# work with recent Kerberos GSSAPI libraries.
#

#

# Set this to '
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "
# If you just want the PAM account and session checks to run without
# PAM authentication,
# and ChallengeResponseAuthentication to '
# WARNING: '
# problems.
UsePAM yes

# Specifies whether X11 forwarding is permitted. The argument must be
# ''
# When X11 forwarding is enabled, there may be additional exposure to the
# server and to client displays if the sshd(8) proxy display is configured
# to listen on the wildcard address (see X11UseLocalhost below), though this
# is not the default. Additionally,
# authentication data verification and substitution occur on the client side.
# The security risk of using X11 forwarding is that the client'
# server may be exposed to attack when the SSH client requests forwarding
# (see the warnings for ForwardX11 in ssh_config(5)). A system administrator
# may have a stance in which they want to protect clients that may expose
# themselves to attack by unwittingly requesting X11 forwarding, which can
# warrant a ''
# prevent users from forwarding X11 traffic, as users can always install
# their own forwarders. X11 forwarding is automatically disabled if UseLogin
# is enabled.
X11Forwarding yes

# Specifies the first display number available for sshd(8)'
# This prevents sshd from interfering with real X11 servers.
# The default is 10.
#

# Specifies whether sshd(8) should bind the X11 forwarding server to the
# loopback address or to the wildcard address. By default, sshd binds the
# forwarding server to the loopback address and sets the hostname part of
# the DISPLAY environment variable to ''
# hosts from connecting to the proxy display. However, some older X11 clients
# may not function with this configuration. X11UseLocalhost may be set to
# ''
# wildcard address. The argument must be ''
# ''
#

# Specifies whether ssh-agent(1) forwarding is permitted. The default is
# ''
# unless users are also denied shell access, as they can always install
# their own forwarders.
#

# Specifies whether TCP forwarding is permitted. The default is ''
# Note that disabling TCP forwarding does not improve security unless users
# are also denied shell access, as they can always install their own
# forwarders.
#

# Specifies whether remote hosts are allowed to connect to ports forwarded
# for the client. By default, sshd(8) binds remote port forwardings to the
# loopback address. This prevents other remote hosts from connecting to
# forwarded ports. GatewayPorts can be used to specify that sshd should
# allow remote port forwardings to bind to non-loopback addresses, thus
# allowing other hosts to connect. The argument may be ''
# remote port forwardings to be available to the local host only, ''
# to force remote port forwardings to bind to the wildcard address, or
# ''
# the forwarding is bound. The default is ''
#

#PermitTTY yes

# It is recommended to use pam_motd in /
# as it is more configurable and versatile than the built-in version.
PrintMotd no

#
#
#
#
#
#
#
#UseDNS no
#PidFile /
#
#
#
#

# The contents of the specified file are sent to the remote user before
# authentication is allowed.
Banner /

# Accept locale-related environment variables
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS

# Configures an external subsystem (e.g. file transfer daemon). Arguments
# should be a subsystem name and a command (with optional arguments) to
# execute upon subsystem request. Log sftp level file access
# (read/
Subsystem sftp /

# Example of overriding settings on a per-user basis
#Match User anoncvs
#
#
# PermitTTY no
#
SSHD_CONFIG
chown root: /
chmod 600 /
#################################################################################################################

# 7) Deploy the admin account's SSH public key ##################################################################
mkdir /
chmod 700 /
chown django: /
cat <<
ssh-ed25519 AAAAC3OkhsMagNI1NTE5AAAAIDYjDCtBTfrpbHHkRrqHrrD5d+IbkzaC1lZDU6ddoBSp django@nausch.org
AUTHORIZED_KEYS
chmod 644 /
chown django: /
#################################################################################################################

# 8) Use the locally mirrored CentOS repository #################################################################
cp -a /
cat <<
# CentOS-AppStream.repo
#
# The mirror system uses the connecting IP address of the client and the
# update status of each mirror to pick mirrors that are updated to and
# geographically close to the client.
# unless you are manually picking other mirrors.
#
# If the mirrorlist= does not work for you, as a fall back you can try the
# remarked out baseurl= line instead.
#
#

[AppStream]
name=CentOS-\$releasever - AppStream
baseurl=http://
gpgcheck=1
enabled=1
gpgkey=file:///
CENTOS-APPSTREAM
chown root: /
chmod 644 /

cp -a /
cat <<
# CentOS-Base.repo
#
# The mirror system uses the connecting IP address of the client and the
# update status of each mirror to pick mirrors that are updated to and
# geographically close to the client.
# unless you are manually picking other mirrors.
#
# If the mirrorlist= does not work for you, as a fall back you can try the
# remarked out baseurl= line instead.
#
#

[BaseOS]
name=CentOS-\$releasever - Base
baseurl=http://
gpgcheck=1
enabled=1
gpgkey=file:///
CENTOS-BASE
chown root: /
chmod 644 /

cp -a /
cat <<
# CentOS-Extras.repo
#
# The mirror system uses the connecting IP address of the client and the
# update status of each mirror to pick mirrors that are updated to and
# geographically close to the client.
# unless you are manually picking other mirrors.
#
# If the mirrorlist= does not work for you, as a fall back you can try the
# remarked out baseurl= line instead.
#
#

#additional packages that may be useful
[extras]
name=CentOS-\$releasever - Extras
baseurl=http://
gpgcheck=1
enabled=1
gpgkey=file:///
CENTOS-EXTRAS
chown root: /
chmod 644 /
#################################################################################################################

# 9) Install EPEL and use the locally mirrored EPEL repository ##################################################
dnf install epel-release -y
rpm --import https://

cp -a /
cat <<
[epel-modular]
name=Extra Packages for Enterprise Linux Modular \$releasever - \$basearch
baseurl=http://
enabled=1
gpgcheck=1
gpgkey=file:///

[epel-modular-debuginfo]
name=Extra Packages for Enterprise Linux Modular \$releasever - \$basearch - Debug
baseurl=http://
enabled=0
gpgkey=file:///
gpgcheck=1

[epel-modular-source]
name=Extra Packages for Enterprise Linux Modular \$releasever - \$basearch - Source
baseurl=http://
enabled=0
gpgkey=file:///
gpgcheck=1

EPEL-MODULAR
chown root: /
chmod 644 /

cp -a /
cat <<
[epel]
name=Extra Packages for Enterprise Linux \$releasever - \$basearch
baseurl=http://
enabled=1
gpgcheck=1
gpgkey=file:///

[epel-debuginfo]
name=Extra Packages for Enterprise Linux \$releasever - \$basearch - Debug
baseurl=http://
enabled=0
gpgkey=file:///
gpgcheck=1

[epel-source]
name=Extra Packages for Enterprise Linux \$releasever - \$basearch - Source
baseurl=http://
enabled=0
gpgkey=file:///
gpgcheck=1
EPEL
chown root: /
chmod 644 /
#################################################################################################################

# 10) Update the system #########################################################################################
dnf update -y
#################################################################################################################

# 11) Set up the NFS client for connecting to the NAS ###########################################################
dnf install nfs-utils -y
mkdir /
cp -a /etc/fstab /
cat <<
10.20.30.10:/
FSTAB
mount /
#################################################################################################################

# 12) Install Ansible ###########################################################################################
dnf install ansible-doc ansible -y
#################################################################################################################

# 13) Create the Ansible system user and deploy the previously created key material #############################
groupadd --gid 65533 ansible && useradd ansible --create-home --home-dir /
mkdir /
chmod 700 /
chown ansible: /
cat <<KEY > /
-----BEGIN OPENSSH PRIVATE KEY-----
QyNTUxOQAAACC7YuO2mTknrX7zRcVVapCQH0il48r3pgd5EWREOav5HwAAAJhJEdo0SRHa
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
AAAEBTt8W5ylj51xHums6dfdjpPM5qpgCVHIGJV8W5leF5Brti47aZOSetfvNFxVVqkJAf
SKXjyvemB3kRZEQ5q/
-----END OPENSSH PRIVATE KEY-----
KEY
chmod 400 /
chown ansible:
cat <<
ssh-ed25519 AAAAC3NzaC1lZDemB3kRZEQI1NTE5A7aZOSetfvNFxVVqkJAfSKXjAAAILti4yv5q/
KEY_PUB
chmod 644 /
chown ansible:
cp /
chmod 644 /
chown ansible:
usermod -aG wheel ansible
#################################################################################################################

# 14) Ansible: directory layout - create the directory structure ################################################
mkdir -p /
mkdir -p /
touch /
mkdir -p /
touch /
chown -R ansible: /
cat <<
--- #YAML start syntax (optional)
centos8:
  hosts:
    ansible:
      ansible_ssh_host:
    #demo:
    #  ansible_ssh_host:
    #  ansible_ssh_port:
... #YAML end syntax (optional)
HOSTS
chmod 644 /
chown ansible: /
#################################################################################################################

# 15) Configure Ansible ##########################################################################################
cat <<
# config file for ansible -- https://
# ===============================================

# nearly all parameters can be overridden in ansible-playbook
# or with command line flags. ansible will read ANSIBLE_CONFIG,
# ansible.cfg in the current working directory, .ansible.cfg in
# the home directory or /
# finds first

[defaults]

# some basic default values...

# Django : 2020-06-19
# default: #
inventory = /
#
#
#
#
#
#
#
#
#
#
#
#
#
#

# plays will gather facts by default, which contain information about
# the remote system.
#
# smart - gather by default, but don't regather if already gathered
# implicit - gather by default, turn off with gather_facts:
# explicit - do not gather by default, must say gather_facts:
#gathering = implicit

# This only affects the gathering done by a play's gather_facts directive,
# by default gathering retrieves all facts subsets
# all - gather all subsets
# network - gather min and network facts
# hardware - gather hardware facts (longest facts to retrieve)
# virtual - gather min and virtual facts
# facter - import facts from facter
# ohai - import facts from ohai
# You can combine them using comma (ex: network,
# You can negate them using ! (ex: !hardware,
# A minimal set of facts is always gathered.
#

# some hardware related facts are collected
# with a maximum timeout of 10 seconds. This
# option lets you increase or decrease that
# timeout to something more suitable for the
# environment.
# gather_timeout = 10

# Ansible facts are available inside the ansible_facts.* dictionary
# namespace. This setting maintains the behaviour which was the default prior
# to 2.5, duplicating these variables into the main namespace, each with a
# prefix of '
# This variable is set to True by default for backwards compatibility. It
# will be changed to a default of '
# ansible_facts.
# inject_facts_as_vars = True

# additional paths to search for roles in, colon separated
#

# uncomment this to disable SSH key host checking
#

# change the default callback, you can only have one '
#


## Ansible ships with some plugins that require whitelisting,
## this is done to avoid running all of a type by default.
## These setting lists those that you want enabled for your system.
## Custom plugins should not need this unless plugin author specifies it.

# enable callback plugins, they can output to stdout but cannot be '
#

# Determine whether includes in tasks and handlers are "
# default. As of 2.0, includes are dynamic by default. Setting these
# values to True will make includes behave more like they did in the
# 1.x versions.
#
#

# Controls if a missing handler for a notification event is an error or a warning
- | # | ||
- | |||
- | # change this for alternative sudo implementations | ||
- | #sudo_exe = sudo | ||
- | |||
- | # What flags to pass to sudo | ||
- | # WARNING: leaving out the defaults might create unexpected behaviours | ||
- | #sudo_flags = -H -S -n | ||
- | |||
- | # SSH timeout | ||
- | #timeout = 10 | ||
- | |||
- | # default user to use for playbooks if user is not specified | ||
- | # (/ | ||
- | # | ||
- | # Django : 2020-06-19 | ||
- | # default: unset | ||
- | remote_user = ansible | ||
- | |||
- | # logging is off by default unless this path is defined | ||
- | # if so defined, consider logrotate | ||
- | #log_path = / | ||
- | |||
- | # default module name for / | ||
- | # | ||
- | |||
- | # use this shell for commands executed under sudo | ||
- | # you may need to change this to bin/bash in rare instances | ||
- | # if sudo is constrained | ||
- | #executable = /bin/sh | ||
- | |||
- | # if inventory variables overlap, does the higher precedence one win | ||
- | # or are hash values merged together? | ||
- | # this can also be set to ' | ||
- | # | ||
- | |||
- | # by default, variables from roles will be visible in the global variable | ||
- | # scope. To prevent this, the following option can be enabled, and only | ||
- | # tasks and handlers within the role will see the variables there | ||
- | # | ||
- | |||
- | # list any Jinja2 extensions to enable here: | ||
- | # | ||
- | |||
- | # if set, always use this private key file for authentication, | ||
- | # if passing --private-key to ansible or ansible-playbook | ||
- | # | ||
- | # Django : 2020-06-19 | ||
- | # default: unset | ||
- | private_key_file = / | ||
- | |||
- | # If set, configures the path to the Vault password file as an alternative to | ||
- | # specifying --vault-password-file on the command line. | ||
- | # | ||
- | |||
- | # format of string {{ ansible_managed }} available within Jinja2 | ||
- | # templates indicates to users editing templates files will be replaced. | ||
- | # replacing {file}, {host} and {uid} and strftime codes with proper values. | ||
- | # | ||
- | # {file}, {host}, {uid}, and the timestamp can all interfere with idempotence | ||
- | # in some situations so the default is a static string: | ||
- | # | ||
- | |||
- | # by default, ansible-playbook will display " | ||
- | # should not be run on a host. Set this to " | ||
- | # messages. NOTE: the task header will still be shown regardless of whether or not the | ||
- | # task is skipped. | ||
- | # | ||
- | |||
- | # by default, if a task in a playbook does not include a name: field then | ||
- | # ansible-playbook will construct a header that includes the task's action but | ||
- | # not the task's args. This is a security feature because ansible cannot know | ||
- | # if the *module* considers an argument to be no_log at the time that the | ||
- | # header is printed. | ||
- | # stdout from ansible-playbook (or you have manually specified no_log in your | ||
- | # playbook on all of the tasks where you have secret information) then you can | ||
- | # safely set this to True to get more informative messages. | ||
- | # | ||
- | |||
- | # by default (as of 1.3), Ansible will raise errors when attempting to dereference | ||
- | # Jinja2 variables that are not set in templates or action lines. Uncomment this line | ||
- | # to revert the behavior to pre-1.3. | ||
- | # | ||
- | |||
- | # by default (as of 1.6), Ansible may display warnings based on the configuration of the | ||
- | # system running ansible itself. This may include warnings about 3rd party packages or | ||
- | # other conditions that should be resolved if possible. | ||
- | # to disable these warnings, set the following value to False: | ||
- | # | ||
- | |||
- | # by default (as of 1.4), Ansible may display deprecation warnings for language | ||
- | # features that should no longer be used and will be removed in future versions. | ||
- | # to disable these warnings, set the following value to False: | ||
- | # | ||
- | |||
- | # (as of 1.8), Ansible can optionally warn when usage of the shell and | ||
- | # command module appear to be simplified by using a default Ansible module | ||
- | # instead. | ||
- | # setting or adding warn=yes or warn=no to the end of the command line | ||
- | # parameter string. | ||
- | # instead of shelling out to the git command. | ||
- | # command_warnings = False | ||
- | |||
- | |||
- | # set plugin path directories here, separate with colons | ||
- | # | ||
- | # | ||
- | # | ||
- | # | ||
- | # | ||
- | # | ||
- | # | ||
- | # | ||
- | # | ||
- | # | ||
- | # | ||
- | # | ||
- | |||
- | |||
- | # by default, ansible will use the ' | ||
- | # another one | ||
- | #strategy = free | ||
- | |||
- | # by default callbacks are not loaded for / | ||
- | # want, for example, a notification or logging callback to also apply to | ||
- | # / | ||
- | # | ||
- | |||
- | |||
- | # don't like cows? that's unfortunate. | ||
- | # set to 1 if you don't want cowsay support or export ANSIBLE_NOCOWS=1 | ||
- | #nocows = 1 | ||
- | |||
- | # set which cowsay stencil you'd like to use by default. When set to ' | ||
- | # a random stencil will be selected for each task. The selection will be filtered | ||
- | # against the option below. | ||
- | # | ||
- | # | ||
- | |||
- | # when using the ' | ||
- | # it should be formatted as a comma-separated list with no spaces between names. | ||
- | # NOTE: line continuations here are for formatting purposes only, as the INI parser | ||
- | # in python does not support them. | ||
- | # | ||
- | |||
- | # don't like colors either? | ||
- | # set to 1 if you don't want colors, or export ANSIBLE_NOCOLOR=1 | ||
- | #nocolor = 1 | ||
- | |||
- | # if set to a persistent type (not ' | ||
- | # from previous runs in Ansible will be stored. | ||
- | # wanting to use, for example, IP information from one group of servers | ||
- | # without having to talk to them in the same playbook run to get their | ||
- | # current IP information. | ||
- | # | ||
- | |||
- | #This option tells Ansible where to cache facts. The value is plugin dependent. | ||
- | #For the jsonfile plugin, it should be a path to a local directory. | ||
- | #For the redis plugin, the value is a host: | ||
- | |||
- | # | ||
- | |||
- | |||
- | |||
- | # retry files | ||
- | # When a playbook fails a .retry file can be created that will be placed in ~/ | ||
- | # You can enable this feature by setting retry_files_enabled to True | ||
- | # and you can change the location of the files by setting retry_files_save_path | ||
- | |||
- | # | ||
- | # | ||
- | |||
- | # squash actions | ||
- | # Ansible can optimise actions that call modules with list parameters | ||
- | # when looping. Instead of calling the module once per with_ item, the | ||
- | # module is called once with all items at once. Currently this only works | ||
- | # under limited circumstances, | ||
- | # | ||
- | |||
- | # prevents logging of task data, off by default | ||
- | #no_log = False | ||
- | |||
- | # prevents logging of tasks, but only on the targets, data is still logged on the master/ | ||
- | # | ||
- | |||
- | # controls whether Ansible will raise an error or warning if a task has no | ||
- | # choice but to create world readable temporary files to execute a module on | ||
- | # the remote machine. | ||
- | # turn this on to have behaviour more like Ansible prior to 2.1.x. | ||
- | # https:// | ||
- | # for more secure ways to fix this than enabling this option. | ||
- | # | ||
- | |||
- | # controls the compression level of variables sent to | ||
- | # worker processes. At the default of 0, no compression | ||
- | # is used. This value must be an integer from 0 to 9. | ||
- | # | ||
- | |||
- | # controls what compression method is used for new-style ansible modules when | ||
- | # they are sent to the remote system. | ||
- | # support compiled into both the controller' | ||
- | # The names should match with the python Zipfile compression types: | ||
- | # * ZIP_STORED (no compression. available everywhere) | ||
- | # * ZIP_DEFLATED (uses zlib, the default) | ||
- | # These values may be set per host via the ansible_module_compression inventory | ||
- | # variable | ||
- | # | ||
- | |||
- | # This controls the cutoff point (in bytes) on --diff for files | ||
- | # set to 0 for unlimited (RAM may suffer!). | ||
- | # | ||
- | |||
- | # This controls how ansible handles multiple --tags and --skip-tags arguments | ||
- | # on the CLI. If this is True then multiple arguments are merged together. | ||
- | # it is False, then the last specified argument is used and the others are ignored. | ||
- | # This option will be removed in 2.8. | ||
- | # | ||
- | |||
- | # Controls showing custom stats at the end, off by default | ||
- | # | ||
- | |||
- | # Controls which files to ignore when using a directory as inventory with | ||
- | # possibly multiple sources (both static and dynamic) | ||
- | # | ||
- | |||
- | # This family of modules use an alternative execution path optimized for network appliances | ||
- | # only update this setting if you know how this works, otherwise it can break module execution | ||
- | # | ||
- | |||
- | # When enabled, this option allows lookups (via variables like {{lookup(' | ||
- | # a loop with ) to return data that is not marked " | ||
- | # jinja2 templating language which will be run through the templating engine. | ||
- | # ENABLING THIS COULD BE A SECURITY RISK | ||
- | # | ||
- | |||
- | # set default errors for all plays | ||
- | # | ||
- | |||
- | [inventory] | ||
- | # enable inventory plugins, default: ' | ||
- | # | ||
- | |||
- | # ignore these extensions when parsing a directory as inventory source | ||
- | # | ||
- | |||
- | # ignore files matching these patterns when parsing a directory as inventory source | ||
- | # | ||
- | |||
- | # If ' | ||
- | # | ||
- | |||
- | [privilege_escalation] | ||
- | # Django : 2020-06-19 | ||
- | # default: # | ||
- | # # | ||
- | # # | ||
- | # # | ||
- | become=True | ||
- | become_method=sudo | ||
- | become_user=root | ||
- | become_ask_pass=True | ||
- | |||
- | [paramiko_connection] | ||
- | |||
- | # uncomment this line to cause the paramiko connection plugin to not record new host | ||
- | # keys encountered. | ||
- | # host key checking setting above. | ||
- | # | ||
- | |||
- | # by default, Ansible requests a pseudo-terminal for commands executed under sudo. Uncomment this | ||
- | # line to disable this behaviour. | ||
- | #pty=False | ||
- | |||
- | # paramiko will default to looking for SSH keys initially when trying to | ||
- | # authenticate to remote devices. | ||
- | # that close the connection after a key failure. | ||
- | # disable the Paramiko look for keys function | ||
- | # | ||
- | |||
- | # When using persistent connections with Paramiko, the connection runs in a | ||
- | # background process. | ||
- | # default Ansible will prompt to add the host key. This will cause connections | ||
- | # running in background processes to fail. Uncomment this line to have | ||
- | # Paramiko automatically add host keys. | ||
- | # | ||
- | |||
- | [ssh_connection] | ||
- | |||
- | # ssh arguments to use | ||
- | # Leaving off ControlPersist will result in poor performance, | ||
- | # paramiko on older platforms rather than removing it, -C controls compression use | ||
- | #ssh_args = -C -o ControlMaster=auto -o ControlPersist=60s | ||
- | |||
- | # The base directory for the ControlPath sockets. | ||
- | # This is the " | ||
- | # | ||
- | # Example: | ||
- | # control_path_dir = / | ||
- | # | ||
- | |||
- | # The path to use for the ControlPath sockets. This defaults to a hashed string of the hostname, | ||
- | # port and username (empty string in the config). The hash mitigates a common problem users | ||
- | # found with long hostnames and the conventional %(directory)s/ | ||
- | # In those cases, a "too long for Unix domain socket" | ||
- | # | ||
- | # Example: | ||
- | # control_path = %(directory)s/ | ||
- | # | ||
- | |||
- | # Enabling pipelining reduces the number of SSH operations required to | ||
- | # execute a module on the remote server. This can result in a significant | ||
- | # performance improvement when enabled, however when using " | ||
- | # first disable ' | ||
- | # | ||
- | # By default, this option is disabled to preserve compatibility with | ||
- | # sudoers configurations that have requiretty (the default on many distros). | ||
- | # | ||
- | #pipelining = False | ||
- | |||
- | # Control the mechanism for transferring files (old) | ||
- | # * smart = try sftp and then try scp [default] | ||
- | # * True = use scp only | ||
- | # * False = use sftp only | ||
- | #scp_if_ssh = smart | ||
- | |||
- | # Control the mechanism for transferring files (new) | ||
- | # If set, this will override the scp_if_ssh option | ||
- | # * sftp = use sftp to transfer files | ||
- | # * scp = use scp to transfer files | ||
- | # * piped = use ' | ||
- | # * smart = try sftp, scp, and piped, in that order [default] | ||
- | # | ||
- | |||
- | # if False, sftp will not use batch mode to transfer files. This may cause some | ||
- | # types of file transfer failures impossible to catch however, and should | ||
- | # only be disabled if your sftp version has problems with batch mode | ||
- | # | ||
- | |||
- | # The -tt argument is passed to ssh when pipelining is not enabled because sudo | ||
- | # requires a tty by default. | ||
- | #usetty = True | ||
- | |||
- | # Number of times to retry an SSH connection to a host, in case of UNREACHABLE. | ||
- | # For each retry attempt, there is an exponential backoff, | ||
- | # so after the first attempt there is 1s wait, then 2s, 4s etc. up to 30s (max). | ||
- | #retries = 3 | ||
- | |||
- | [persistent_connection] | ||
- | |||
- | # Configures the persistent connection timeout value in seconds. | ||
- | # how long the persistent connection will remain idle before it is destroyed. | ||
- | # If the connection doesn' | ||
- | # expires, the connection is shutdown. The default value is 30 seconds. | ||
- | # | ||
- | |||
- | # The command timeout value defines the amount of time to wait for a command | ||
- | # or RPC call before timing out. The value for the command timeout must | ||
- | # be less than the value of the persistent connection idle timeout (connect_timeout) | ||
- | # The default value is 30 second. | ||
- | # | ||
- | |||
- | [accelerate] | ||
- | # | ||
- | # | ||
- | # | ||
- | |||
- | # The daemon timeout is measured in minutes. This time is measured | ||
- | # from the last activity to the accelerate daemon. | ||
- | # | ||
- | |||
- | # If set to yes, accelerate_multi_key will allow multiple | ||
- | # private keys to be uploaded to it, though each user must | ||
- | # have access to the system via SSH to add a new key. The default | ||
- | # is " | ||
- | # | ||
- | |||
- | [selinux] | ||
- | # file systems that require special treatment when dealing with security context | ||
- | # the default behaviour that copies the existing context or uses the user default | ||
- | # needs to be changed to use the file system dependent context. | ||
- | # | ||
- | |||
- | # Set this to yes to allow libvirt_lxc connections to work without SELinux. | ||
- | # | ||
- | |||
- | [colors] | ||
- | #highlight = white | ||
- | #verbose = blue | ||
- | #warn = bright purple | ||
- | #error = red | ||
- | #debug = dark gray | ||
- | #deprecate = purple | ||
- | #skip = cyan | ||
- | # | ||
- | #ok = green | ||
- | #changed = yellow | ||
- | #diff_add = green | ||
- | # | ||
- | #diff_lines = cyan | ||
- | |||
- | |||
- | [diff] | ||
- | # Always print diff when running ( same as always running with -D/--diff ) | ||
- | # always = no | ||
- | |||
- | # Set how many context lines to show in diff | ||
- | # context = 3 | ||
- | ANSIBLE_CFG | ||
- | chown ansible: / | ||
- | ################################################################################################################# | ||
- | |||
- | ;; | ||
- | esac; | ||
- | done | ||
- | %end | ||
- | </ | ||
- | |||
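Before trusting the ansible.cfg that the %post section above writes to disk, it is worth checking its security-relevant keys once the host comes up. The following is an added example, not code from the original page or the kickstart file; the file bodies it checks are constructed samples that mirror the settings set above, with placeholder paths.

```python
"""Sanity-check the ansible.cfg generated by the kickstart %post section.

Added example (not part of the original wiki page). Flags settings a
defender would want to verify before the AOMH is used in production.
"""
import configparser
from pathlib import Path

# Constructed sample mirroring the keys the kickstart sets explicitly.
# Paths are placeholders, not the page's real values.
SAMPLE_CFG = """\
[defaults]
inventory = /etc/ansible/hosts
remote_user = ansible
private_key_file = /home/ansible/.ssh/id_ed25519_placeholder
#host_key_checking = False

[privilege_escalation]
become=True
become_method=sudo
become_user=root
become_ask_pass=True
"""

# Constructed weak variant showing what the checker reports.
WEAK_CFG = """\
[defaults]
inventory = /etc/ansible/hosts
remote_user = root
host_key_checking = False
allow_unsafe_lookups = True

[privilege_escalation]
become=True
become_ask_pass=False
"""

TRUTHY = {"true", "yes", "on", "1"}


def _is_true(value):
    return value.strip().lower() in TRUTHY


def check_ansible_cfg(text):
    """Return a list of (severity, message) findings for an ansible.cfg body."""
    # interpolation=None: ansible.cfg uses %(directory)s-style values
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    d = cp["defaults"] if cp.has_section("defaults") else {}
    pe = cp["privilege_escalation"] if cp.has_section("privilege_escalation") else {}
    findings = []
    # Disabled host key checking accepts any host key -> silent MITM on first contact.
    if "host_key_checking" in d and not _is_true(d["host_key_checking"]):
        findings.append(("high", "host_key_checking is disabled"))
    # Unsafe lookups re-template lookup results (the cfg comment itself warns about this).
    if "allow_unsafe_lookups" in d and _is_true(d["allow_unsafe_lookups"]):
        findings.append(("high", "allow_unsafe_lookups is enabled"))
    # The AOMH design uses a dedicated unprivileged user plus sudo, not root over SSH.
    if d.get("remote_user", "").strip() == "root":
        findings.append(("medium", "remote_user is root; use an unprivileged user with become"))
    if "private_key_file" not in d:
        findings.append(("medium", "private_key_file not pinned; falls back to ssh defaults"))
    if _is_true(pe.get("become", "False")) and not _is_true(pe.get("become_ask_pass", "False")):
        findings.append(("info", "become is on but become_ask_pass is off; sudo must be passwordless"))
    return findings


def check_file(path):
    """Run the checks against an ansible.cfg on disk."""
    return check_ansible_cfg(Path(path).read_text())
```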
- | ==== Adjusting the PXE boot menu file ==== | ||
- | So that the reworked kickstart file is loaded when the menu file is fetched during PXE boot, we now extend the menu file **''/ | ||
- | # vim / | ||
- | |||
- | There, at the relevant **LABEL**, we enter the options **'' | ||
- | < | ||
- | MENU LABEL ^3) Installation der CentOS 8 (64 Bit) Ansible-Startup | ||
- | | ||
- | | ||
- | |||
- | ==== Installing AOMH via PXE ==== | ||
- | We then start our virtual machine as usual. | ||
- | |||
- | |||
- | FIXME **//to be continued ...//** | ||
- | |||
- | |||
- | {{ : | ||
- | |||
- | <WRAP center round tip 80%> | ||
- | |||
- | To set the hostname we now select the relevant menu entry as desired, but then do **__NOT__** press the **ENTER KEY**, | ||
- | </ | ||
- | |||
- | {{ : | ||
- | |||
- | At the end of the installation process we are informed that the postinstall script, | ||
- | |||
- | {{ : | ||
- | |||
- | After a short wait we have a new, preconfigured and above all up-to-date system, to which we can log in directly via **'' | ||
- | $ ssh 10.0.0.50 | ||
- | |||
- | < | ||
- | ED25519 key fingerprint is SHA256: | ||
- | Are you sure you want to continue connecting (yes/ | ||
- | Warning: Permanently added ' | ||
- | ############################################################################## | ||
- | # # | ||
- | # This is a private home server. | ||
- | # # | ||
- | # | ||
- | # # | ||
- | # This system is actively monitored and all connections may be logged. | ||
- | # By accessing this system, you consent to this monitoring. | ||
- | # # | ||
- | ############################################################################## | ||
- | ############################################################################## | ||
- | # # | ||
- | # This is the home server of Michael Nausch. | ||
- | # # | ||
- | # vml000050.nausch.org | ||
- | # # | ||
- | # | ||
- | # # | ||
- | # This system is actively monitored and all connections may be logged. | ||
- | # By accessing this system, you consent to this monitoring. | ||
- | # # | ||
- | ##############################################################################</ | ||
- | |||
- | The network interface has accordingly received the desired name. | ||
- | # ip a | ||
- | |||
- | < | ||
- | link/ | ||
- | inet 127.0.0.1/8 scope host lo | ||
- | | ||
- | inet6 ::1/128 scope host | ||
- | | ||
- | 2: eth0: < | ||
- | link/ether 52: | ||
- | inet 10.0.0.50/ | ||
- | | ||
- | inet6 fe80:: | ||
- | | ||
- | |||
- | The system is also equipped with the latest program packages. | ||
- | # dnf update | ||
- | |||
- | < | ||
- | Dependencies resolved. | ||
- | Nothing to do. | ||
- | Complete!</ | ||