Unterschiede

Hier werden die Unterschiede zwischen zwei Versionen angezeigt.

--- centos:ansible:pxe [21.06.2020 09:25. ] – [Aufgabenstellung] django
+++ centos:ansible:pxe [14.09.2022 16:52. ] (aktuell) – Seite umgezogen django
@@ Zeile 1: / Zeile 1: @@
-====== Installation eines Ansible-Orchestrator-Management-Hosts mit Hilfe eines Kickstartfiles für CentOS 8.x (PXE-Server) ======
-<WRAP center round todo 55%>
-**Seite in der Entstehung, noch nicht aktuell! Wird laufend aktualisiert!**
-</WRAP>
-Kurz mal einen Rechner zu installieren, wie im Kapitel **[[centos:pxe_c8:pxe_3|Installation von CentOS 8.x via PXE]]** beschrieben und anschließend manuell dann anschließend Ansible mit Ansible einzurichten, wie **[[https://dokuwiki.tachtler.net/doku.php?id=tachtler:ansible_mit_ansible_einrichten|hier]]** beschrieben, mag auch eine Variante darstellen.
-<WRAP center round tip 80%>
-Wir wollen aber in folgendem Beispiel automatisiert unseren **AOMH**((**A**nsible-**O**rchestrator-**M**anagement-**H**osts)) reproduzierbar vie PXE installieren, so dass wir ohne Umwege direkt mit der Arbeit beginnen und unsere Zielsysteme nach unseren Wünschen automatisiert zu bestücken.
-</WRAP>
-===== Voraussetzungen =====
-==== TFTP-/PXE-Bootserver ====
-Folgende Voraussetzungen müssen hierzu erfüllt werden:
-  - Der [[centos:dhcp_c7|DHCP-Server]] muss für PXE konfiguriert werden und im Netz erreichbar sein.
-  - Ein [[centos:pxe_c7:tftp|TFTP-Server]] muss zur Verfügung stehen und im Netz erreichbar sein.
-  - Eine Definition des [[centos:pxe_c7:pxe_1#graphisches_bootmenue_erstellen|Bootmenüs]] mit entsprechenden Optionen wurde erfolgreich vorgenommen.
-  - Die Netzwerkkarte im Clientrechner __muss__ PXE unterstützen!
-==== SSH-Schlüsselmaterial ====
-Der Grundgedanke bei dieser Vorhaben ist, im Zweifel immer wieder exakt den gleichen **Ansible-Ochestrator-Management-Host** reproduzierbar aufzusetzen, werden wir das benötigte SSH-Schlüsselmaterial zu aller erst erzeugen und dann auch entsprechend sicher im physischen Safe wegsperren, so dass wir im Katastrophenfall darauf zurückgreifen zu können.
-Im Kapitel **[[centos:ansible:first#voraussetzungssh-schluessel|Voraussetzung: SSH-Schlüssel]]** haben wir uns bereits ausführlich mit der Thematik SSH-Schlüssel beschäftigt und auch gezeigt, wie dieser eerstellt wird.
-Wir erstellen uns nun einen **ED25519**-Schlüssel (**''-t''**), mit einer festen Schlüssellänge. Der Parameter (**''-a''**) beschreibt dabei die Anzahl der KDF-Schlüsselableitfunktion (siehe manpage von ssh-keygen). Wir  verwenden wieder als Beschreibung **Ansible Systemuser** (**''-C''**) und als Ziel-/Speicherort **~/.ssh/id_ed25519_ansible** (**''-f''**).
-    $ ssh-keygen -t ed25519 -a 100 -C 'Ansible Systemuser' -f ~/.ssh/id_ed25519_ansible
-<code>Generating public/private ed25519 key pair.
-Enter passphrase (empty for no passphrase):
-Enter same passphrase again:
-Your identification has been saved in ~/.ssh/id_ed25519_ansible.
-Your public key has been saved in ~/.ssh/id_ed25519_ansible.pub.
-The key fingerprint is:
-SHA256:jTZQUDbCqZaV648fKVBfx3L4+tBMWL+z+iUCBY3kKMQ Ansible Systemuser
-The key's randomart image is:
-+--[ED25519 256]--+
-|     o+==.oo     |
-|     .E+ +.+.    |
-|     ++.. = *    |
-|    +..+ + O .   |
-|   ...  S + o .  |
-|     ... o *   . |
-|      .oo o + + .|
-|      .... o . = |
-|       ..   ooo  |
-+----[SHA256]-----</code>
-Die beiden Key-Files kopieren wir dann auf ein vertrauenswürdiges Medium, auf welches wir jederzeit wiieder zurückgreifen können.
-   $ ll .ssh/
-<code>-r--------. 1 ansible ansible 411 Jun 20 13:08 id_ed25519_ansible
--rw-r--r--. 1 ansible ansible 100 Jun 20 13:08 id_ed25519_ansible.pub</code>
-<WRAP center round important 80%>
-Ob das nun ein sicherer USB-Speicherstick wie der **[[https://www.nitrokey.com/files/doc/Nitrokey_Storage_Infoblatt.pdf|Nitrokey Storage 2]]**, ein **[[https://de.wikipedia.org/wiki/Network_Attached_Storage|Network Attached Storage]]** oder eine vertrauenswürdige **[[https://cloud.nausch.org|(Next)Cloud]]** ist, muss natürlich jeder für sich selbst entscheiden.
-</WRAP>
-===== Ansible-Orchestrator-Management-Host =====
-==== Aufgabenstellung ====
-Wie Eingangs schon angesprochen, wollen wir unseren Ansible-Orchestrator-Management-Host bei Bedarf immer nach dem gleichen Grundschema aufbauen, konfigurieren und auch härten. Wir werden also diese Aufgaben standardisieren und automatisch abarbeiten lassen.
-Folgende Aufgaben wird unser Script für uns reproduzierbar künftig erledigen:
-  - **[[centos:pxe_c8:pxe_3|Grundinstallation]]** eines CentOS 8 Hosts (Minimalinstallation)
-  - **IP-Adresse und Hostname** Durch Angabe des Hostnamens beim Booten des Installationsimages wollen wir diesen setzen und auch die zugehörige IP-Adresse übernehmen lassen. (Der Hostname wir so z.B. auch bei der Definition der VolumeGroup eines LVMs verwendet.)
-  - **Installations-Logfile** zum Nachvollziehen der erfolgten INstallation unter **''/root/anaconda-postinstall.log''** anlegen.
-  - **[[centos:rename_nic_c8#grub_bootloader|Bootloader]]** Da wir beim Booten der Maschine detailierte Informationen sehen wollen werden wir die Option **rhgb** in der GRUB-Definition entfernen.
-  - **[[centos:logins_individuell_anpassen|MOTD und ISSUE.NET]]** individualisieren inkl. Hostnamen
-  - **[[centos:ssh_c7#ssh-daemon|SSH-Daemon]]** Den SSH Daemon härten wir und passen die Konfigurationsdatei entsprechend an.
-  - **[[centos:ssh_c7#zielverzeichnis_anlegen_und_oeffentlichen_schluessel_kopieren|SSH-Publickey]]** Für unseren Admin-Account **django** hinterlegen wir den zugehörigen öffentlichen SSH-Schlüssel.
-  - **[[wiki:start#repos|Repositories]]** Statt der öffentlichen, sollen nur noch die lokal gesyncten Repositories verwendet werden; daher macht es auch keinen Sinn die Einträge **''mirrorlist=''** in den entsprechenden repo-filers stehen zu lassen.
-  - Zusätzlich zum Standard soll auch noch das Repository **[[centos:epel8|EPEL]]** eingebunden und genutzt werden.
-  - **Update** Zum Schluss stellen wir noch sicher dass alle installierten Pakete in der aktuellsten Version vorliegen und lassen dann das System neu starten.
-  - **NFS-Client zur Verbindung NAS einrichten**, damit später die Playbooks gesichert werden können.
-  - **[[centos:ansible:basics#installation|Ansible installieren]]**
-  - **Ansible System-User** erstellen und zuvor erstelltes **[[#ssh-schluesselmaterial|Schlüsselmaterial]]** hinterlegen
-  - **[[centos:ansible:first#ansibledirectory_layout|Ansible: Directory Layout]]**- Verzeichnisstruktur anlegen
-  - **[[centos:ansible:first#musterkonfiguration|Ansible konfigurieren]]**
-FIXME **//do geds weida ...//**
-==== temporärer ÜBerschrift als Trenner ====
-Hierzu erweitern wir die zuvor angelegte Kickstartdatei //**/srv/kickstart/ks_centos_8_x86_64_dmz.cfg**//.
-   # vim /srv/kickstart/ks_centos_8_x86_64_dmz.cfg
-<file bash /srv/kickstart/ks_centos_8_x86_64_dmz.cfg># Django 2020-06-12 Kickstart-Datei zum automatischen Betanken von DMZ-Maschinen (64 Bit)
-# Version=CentOS 8 (RHEL 8)
-# Tastaturlayout definieren
-keyboard --vckeymap=de-nodeadkeys --xlayouts='de (nodeadkeys)'
-# Systemsprache setzen
-lang en_US.UTF-8
-# Definition der Netzwerkeinstellungeni - setzen der Netzwerk-Adresse und Hostname
-# die aus dem Preinstall-Script beim PXE-Boot übernommen wurden.
-%include /tmp/networks.cfg
-# Zeitzone setzen
-timezone Europe/Berlin --isUtc --ntpservers=vml000027.dmz.nausch.org
-services --enabled="chronyd"
-# Netzwerkinstallation aus dem eigenen Repository mit den aktuellen Paketen
-url --url="http://10.0.0.57/centos/8/BaseOS/x86_64/os/"
-repo --name="AppStream" --baseurl=http://10.0.0.57/centos/8/BaseOS/x86_64/os/../../../AppStream/x86_64/os/
-# Root-Passwort verschlüsselt vorgeben
-rootpw --iscrypted $6$Z46HtZ/aLHbA19p$WVsutOEqe0m0e97lgEreKUzfkAEFzFSR0Hj8RFN8MHqWjPqk7PkJeQ9mIcTGtdutFnFVdFzFSR0KhrdGwUdAn01
-# Default-Benutzerkonto anlegen
-user --name=django --password=$6$2.fGKBeQa18GE6XwDMXG6$QX/j.TfZXk0bBuoJ8GE6XMXRZYz/4pEE6PuwkubaDmteRAAerLVKK69EF30d1K/f1d/sUEqbF9FJBulc/ --iscrypted --gecos="Bastard Operator from Hell"
-# vorhandene Partitionen löschen
-ignoredisk --only-use=vda
-clearpart --all --initlabel --drives=vda
-# autopart --type=lvm
-# GUI für Installation verwenden
-graphical
-# Kein X Window System konfigurieren, da dieses nicht installiert wird
-skipx
-# Reboot nach der Installation ausführen
-reboot
-# Paketauswahl definieren (Minimalinstallation mit zusätzlichen Paketen
-%packages
-@^minimal-environment
--iwl*firmware
-vim
-bash-completion
-bind-utils
-wget
-telnet
-net-tools
-lsof
-%end
-%addon com_redhat_kdump --disable --reserve-mb='auto'
-%end
-%anaconda
-pwpolicy root --minlen=6 --minquality=1 --notstrict --nochanges --notempty
-pwpolicy user --minlen=6 --minquality=1 --notstrict --nochanges --emptyok
-pwpolicy luks --minlen=6 --minquality=1 --notstrict --nochanges --notempty
-%end
-#%end
-%addon com_redhat_kdump --disable --reserve-mb='auto'
-%end
-# Preinstall-Anweisungen Netzwerk-Adresse und Hostname ermitteln und setzen
-%pre
-#!/bin/bash
-echo "network --device eth0 --bootproto dhcp --hostname vml000XXX.dmz.nausch.org" > /tmp/network.ks
-for x in `cat /proc/cmdline`; do
-    case $x in SERVERNAME*)
-        eval $x
-        NULL=${SERVERNAME:6:1}
-        if [ "$SERVERNAME" == "" ]; then
-            echo "network  --bootproto=static --device=eth0 --gateway=10.0.0.17 --ip 10.0.0.250 --nameserver=10.0.0.27 --netmask 255.255.255.0 --ipv6=auto --activate --hostname vml000250.dmz.nausch.org" > /tmp/networks.cfg
-        else
-            if [ "$NULL" == "0" ]; then
-                OCTET=${SERVERNAME:7:2}
-            else
-                OCTET=${SERVERNAME:6:3}
-            fi
-            echo "network  --bootproto=static --device=eth0 --gateway=10.0.0.17 --ip 10.0.0.${OCTET} --nameserver=10.0.0.27 --netmask 255.255.255.0 --ipv6=auto --activate --hostname ${SERVERNAME}.dmz.nausch.org" > /tmp/networks.cfg
-        fi
-        ;;
-        esac;
-    done
-%end
-# Postinstall-Anweisungen
-%post --log=/root/anaconda-postinstall.log
-#!/bin/bash
-DATUM=$(date +"%Y-%m-%d")
-for x in `cat /proc/cmdline`; do
-case $x in SERVERNAME*)
-eval $x
-############ bootloader anpassen, rhgb bei den Bootoptionen entfernen ###########
-sed -i 's/rhgb//g' /etc/default/grub
-grub2-mkconfig -o /boot/grub2/grub.cfg
-#################################################################################
-######################## MOTD und ISSUE.NET individualisieren ###################
-# /etc/issue.net anlegen
-cat <<ISSUE.NET > /etc/issue.net
-##############################################################################
-#                                                                            #
-#                       This is a private home server.                       #
-#                                                                            #
-#             Unauthorized access to this system is prohibited !             #
-#                                                                            #
-#    This system is actively monitored and all connections may be logged.    #
-#         By accessing this system, you consent to this monitoring.          #
-#                                                                            #
-##############################################################################
-ISSUE.NET
-chown root:root /etc/issue.net
-chmod 644 /etc/issue.net
-# /etc/motd anlegen
-cat <<MOTD > /etc/motd
-##############################################################################
-#                                                                            #
-#                 This is the home server of Michael Nausch.                 #
-#                                                                            #
-#                            $SERVERNAME.nausch.org                            #
-#                                                                            #
-#             Unauthorized access to this system is prohibited !             #
-#                                                                            #
-#    This system is actively monitored and all connections may be logged.    #
-#         By accessing this system, you consent to this monitoring.          #
-#                                                                            #
-##############################################################################
-MOTD
-chown root:root /etc/motd
-chmod 644 /etc/motd
-#################################################################################
-########################### ssh-daemon konfigurieren ############################
-cp -a /etc/ssh/sshd_config /etc/ssh/sshd_config.orig
-cat <<SSHD_CONFIG > /etc/ssh/sshd_config
-#	$OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $
-# This is the sshd server system-wide configuration file.  See
-# sshd_config(5) for more information.
-# This sshd was compiled with PATH=/usr/local/bin:/usr/bin:/usr/local/sbin:/usr/sbin
-# The strategy used for options in the default sshd_config shipped with
-# OpenSSH is to specify options with their default value where
-# possible, but leave them commented.  Uncommented options override the
-# default value.
-# If you want to change the port on a SELinux system, you have to tell
-# SELinux about this change.
-# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER
-#
-# Specifies which address family should be used by sshd(8). Valid arguments
-# are ''any'', ''inet'' (use IPv4 only), or ''inet6'' (use IPv6 only).
-#AddressFamily any
-# Specifies the local addresses sshd(8) should listen on. The following
-# forms may be used:
-#                   ListenAddress host|IPv4_addr|IPv6_addr
-#                   ListenAddress host|IPv4_addr:port
-#                   ListenAddress [host|IPv6_addr]:port
-# If port is not specified, sshd will listen on the address and all prior
-# Port options specified. The default is to listen on all local addresses.
-# Multiple ListenAddress options are permitted. Additionally, any Port
-# options must precede this option for non-port qualified addresses.
-#Port 22
-#ListenAddress 0.0.0.0
-#ListenAddress ::
-# Specifies a file containing a private host key used by SSH. The default
-# is /etc/ssh/ssh_host_key for protocol version 1, and
-# /etc/ssh/ssh_host_rsa_key and /etc/ssh/ssh_host_dsa_key for protocol
-# version 2. Note that sshd(8) will refuse to use a file if it is
-# group/world-accessible. It is possible to have multiple host key files.
-# ''rsa1'' keys are used for version 1 and ''dsa'' or ''rsa'' are used for
-# version 2 of the SSH protocol.
-HostKey /etc/ssh/ssh_host_ed25519_key
-# Specifies the ciphers allowed for protocol version 2. Multiple ciphers
-# must be comma-separated. The supported ciphers are ''3des-cbc'',
-# ''aes128-cbc'', ''aes192-cbc'', ''aes256-cbc'', ''aes128-ctr'',
-# ''aes192-ctr'', ''aes256-ctr'', ''arcfour128'', ''arcfour256'',
-# ''arcfour'', ''blowfish-cbc'', and ''cast128-cbc''.
-Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
-# MACs' Specifies the available MAC (message authentication code)
-# algorithms. The MAC algorithm is used in protocol version 2 for data
-# integrity protection. Multiple algorithms must be comma-separated.
-MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256
-# Specifies the available KEX (Key Exchange) algorithms. Multiple
-# algorithms must be comma-separated. For ineroperability with Eclipse
-# and WinSCP):
-# KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
-# If needed, open /etc/ssh/moduli if exists, and delete lines where the
-# 5th column is less than 2000.
-#   awk '$5 > 2000' /etc/ssh/moduli > "${HOME}/moduli"
-#   wc -l "${HOME}/moduli"
-# make sure there is something left
-#   mv "${HOME}/moduli" /etc/ssh/moduli
-#
-KexAlgorithms curve25519-sha256@libssh.org
-# Ciphers and keying
-#RekeyLimit default none
-# System-wide Crypto policy:
-# This system is following system-wide crypto policy. The changes to
-# Ciphers, MACs, KexAlgoritms and GSSAPIKexAlgorithsm will not have any
-# effect here. They will be overridden by command-line options passed on
-# the server start up.
-# To opt out, uncomment a line with redefinition of  CRYPTO_POLICY=
-# variable in  /etc/sysconfig/sshd  to overwrite the policy.
-# For more information, see manual page for update-crypto-policies(8).
-# Logging
-# Gives the facility code that is used when logging messages from sshd(8).
-# The possible values are: DAEMON, USER, AUTH, AUTHPRIV, LOCAL0, LOCAL1,
-# LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.
-SyslogFacility AUTHPRIV
-# Gives the verbosity level that is used when logging messages from sshd(8).
-# The possible values are: QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG,
-# DEBUG1, DEBUG2, and DEBUG3. The default is INFO. DEBUG and DEBUG1 are
-# equivalent. DEBUG2 and DEBUG3 each specify higher levels of debugging
-# output. Logging with a DEBUG level violates the privacy of users and is
-# not recommended.
-# LogLevel VERBOSE logs user's key fingerprint on login. Needed to have a
-# clear audit track of which key was using to log in.
-LogLevel VERBOSE
-# Authentication:
-# The server disconnects after this time if the user has not successfully
-# logged in. If the value is 0, there is no time limit.
-LoginGraceTime 0
-# Specifies whether root can log in using ssh(1). The argument must be
-# ''yes'', ''without-password'', ''forced-commands-only'', or ''no''.
-# The default is ''yes''. If this option is set to ''without-password'',
-# password authentication is disabled for root. If this option is set to
-# ''forced-commands-only'', root login with public key authentication will
-# be allowed, but only if the command option has been specified (which
-# may be useful for taking remote backups even if root login is normally
-# not allowed). All other authentication methods are disabled for root.
-# If this option is set to ''no'', root is not allowed to log in.
-PermitRootLogin no
-# This keyword can be followed by a list of user name patterns, separated
-# by spaces. If specified, login is allowed only for user names that match
-# one of the patterns. Only user names are valid; a numerical user ID is
-# not recognized. By default, login is allowed for all users. If the pattern
-# takes the form USER@HOST then USER and HOST are separately checked,
-# restricting logins to particular users from particular hosts. The
-# allow/deny directives are processed in the following order:
-# DenyUsers, AllowUsers, DenyGroups, and finally AllowGroups.
-AllowUsers django
-# Specifies whether sshd(8) should check file modes and ownership of the
-# user's files and home directory before accepting login. This is normally
-# desirable because novices sometimes accidentally leave their directory
-# or files world-writable.
-StrictModes yes
-# Specifies the maximum number of authentication attempts permitted per
-# connection. Once the number of failures reaches half this value,
-# additional failures are logged.
-MaxAuthTries 10
-# Specifies the maximum number of open sessions permitted per network
-# connection.
-MaxSessions 10
-# Specifies the file that contains the public keys that can be used for
-# user authentication. AuthorizedKeysFile may contain tokens of the form
-# %T which are substituted during connection setup. The following tokens
-# are defined: %% is replaced by a literal '%', %h is replaced by the
-# home directory of the user being authenticated, and %u is replaced by
-# the username of that user. After expansion, AuthorizedKeysFile is
-# taken to be an absolute path or one relative to the user's home directory.
-AuthorizedKeysFile      .ssh/authorized_keys
-# Specifies whether public key authentication is allowed. The default is
-# ''yes''. Note that this option applies to protocol version 2 only.
-PubkeyAuthentication yes
-#AuthorizedPrincipalsFile none
-#AuthorizedKeysCommand none
-#AuthorizedKeysCommandUser nobody
-# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
-#HostbasedAuthentication no
-# Change to yes if you don't trust ~/.ssh/known_hosts for
-# HostbasedAuthentication
-#IgnoreUserKnownHosts no
-# Don't read the user's ~/.rhosts and ~/.shosts files
-#IgnoreRhosts yes
-# To disable tunneled clear text passwords, change to no here!
-#PasswordAuthentication yes
-#PermitEmptyPasswords no
-# Specifies whether password authentication is allowed. To disable tunneled
-# clear text passwords, change to no here!
-PasswordAuthentication no
-# Specifies whether challenge-response authentication is allowed
-# (e.g. via PAM or though authentication styles supported in login.conf(5))
-# Change to no to disable s/key passwords
-ChallengeResponseAuthentication no
-# Kerberos options
-#KerberosAuthentication no
-#KerberosOrLocalPasswd yes
-#KerberosTicketCleanup yes
-#KerberosGetAFSToken no
-#KerberosUseKuserok yes
-# Specifies whether user authentication based on GSSAPI is allowed.
-GSSAPIAuthentication yes
-# Specifies whether key exchange based on GSSAPI is allowed. GSSAPI key
-# exchange doesn't rely on ssh keys to verify host identity.
-#GSSAPIKeyExchange no
-# Specifies whether to automatically destroy the user's credentials cache
-# on logout.
-GSSAPICleanupCredentials no
-# Determines whether to be strict about the identity of the GSSAPI acceptor
-# a client authenticates against. If ''yes'' then the client must authenticate
-# against the host service on the current hostname. If ''no'' then the client
-# may authenticate against any service key stored in the machine's default
-# store. This facility is provided to assist with operation on multi homed
-# machines. The default is ''yes''. Note that this option applies only to
-# protocol version 2 GSSAPI connections, and setting it to ''no'' may only
-# work with recent Kerberos GSSAPI libraries.
-#GSSAPIStrictAcceptorCheck yes
-#GSSAPIEnablek5users no
-# Set this to 'yes' to enable PAM authentication, account processing,
-# and session processing. If this is enabled, PAM authentication will
-# be allowed through the ChallengeResponseAuthentication and
-# PasswordAuthentication.  Depending on your PAM configuration,
-# PAM authentication via ChallengeResponseAuthentication may bypass
-# the setting of "PermitRootLogin without-password".
-# If you just want the PAM account and session checks to run without
-# PAM authentication, then enable this but set PasswordAuthentication
-# and ChallengeResponseAuthentication to 'no'.
-# WARNING: 'UsePAM no' is not supported in Fedora and may cause several
-# problems.
-UsePAM yes
-# Specifies whether X11 forwarding is permitted. The argument must be
-# ''yes'' or ''no''. The default is ''no''.
-# When X11 forwarding is enabled, there may be additional exposure to the
-# server and to client displays if the sshd(8) proxy display is configured
-# to listen on the wildcard address (see X11UseLocalhost below), though this
-# is not the default. Additionally, the authentication spoofing and
-# authentication data verification and substitution occur on the client side.
-# The security risk of using X11 forwarding is that the client's X11 display
-# server may be exposed to attack when the SSH client requests forwarding
-# (see the warnings for ForwardX11 in ssh_config(5)). A system administrator
-# may have a stance in which they want to protect clients that may expose
-# themselves to attack by unwittingly requesting X11 forwarding, which can
-# warrant a ''no'' setting. Note that disabling X11 forwarding does not
-# prevent users from forwarding X11 traffic, as users can always install
-# their own forwarders. X11 forwarding is automatically disabled if UseLogin
-# is enabled.
-X11Forwarding yes
-# Specifies the first display number available for sshd(8)'s X11 forwarding.
-# This prevents sshd from interfering with real X11 servers.
-# The default is 10.
-#X11DisplayOffset 10
-# Specifies whether sshd(8) should bind the X11 forwarding server to the
-# loopback address or to the wildcard address. By default, sshd binds the
-# forwarding server to the loopback address and sets the hostname part of
-# the DISPLAY environment variable to ''localhost''. This prevents remote
-# hosts from connecting to the proxy display. However, some older X11 clients
-# may not function with this configuration. X11UseLocalhost may be set to
-# ''no'' to specify that the forwarding server should be bound to the
-# wildcard address. The argument must be ''yes'' or ''no''. The default is
-# ''yes''.
-#X11UseLocalhost yes
-# Specifies whether ssh-agent(1) forwarding is permitted. The default is
-# ''yes''. Note that disabling agent forwarding does not improve security
-# unless users are also denied shell access, as they can always install
-# their own forwarders.
-#AllowAgentForwarding yes
-# Specifies whether TCP forwarding is permitted. The default is ''yes''.
-# Note that disabling TCP forwarding does not improve security unless users
-# are also denied shell access, as they can always install their own
-# forwarders.
-#AllowTcpForwarding yes
-# Specifies whether remote hosts are allowed to connect to ports forwarded
-# for the client. By default, sshd(8) binds remote port forwardings to the
-# loopback address. This prevents other remote hosts from connecting to
-# forwarded ports. GatewayPorts can be used to specify that sshd should
-# allow remote port forwardings to bind to non-loopback addresses, thus
-# allowing other hosts to connect. The argument may be ''no'' to force
-# remote port forwardings to be available to the local host only, ''yes''
-# to force remote port forwardings to bind to the wildcard address, or
-# ''clientspecified'' to allow the client to select the address to which
-# the forwarding is bound. The default is ''no''.
-#GatewayPorts no
-#PermitTTY yes
-# It is recommended to use pam_motd in /etc/pam.d/sshd instead of PrintMotd,
-# as it is more configurable and versatile than the built-in version.
-PrintMotd no
-#PrintLastLog yes
-#TCPKeepAlive yes
-#PermitUserEnvironment no
-#Compression delayed
-#ClientAliveInterval 0
-#ClientAliveCountMax 3
-#ShowPatchLevel no
-#UseDNS no
-#PidFile /var/run/sshd.pid
-#MaxStartups 10:30:100
-#PermitTunnel no
-#ChrootDirectory none
-#VersionAddendum none
-# The contents of the specified file are sent to the remote user before
-# authentication is allowed.
-Banner /etc/issue.net
-# Accept locale-related environment variables
-AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
-AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
-AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
-AcceptEnv XMODIFIERS
-# Configures an external subsystem (e.g. file transfer daemon). Arguments
-# should be a subsystem name and a command (with optional arguments) to
-# execute upon subsystem request. Log sftp level file access
-# (read/write/etc.) that would not be easily logged otherwise.
-Subsystem	sftp	/usr/libexec/openssh/sftp-server
-# Example of overriding settings on a per-user basis
-#Match User anoncvs
-#	X11Forwarding no
-#	AllowTcpForwarding no
-#	PermitTTY no
-#	ForceCommand cvs server
-SSHD_CONFIG
-chown root:root /etc/ssh/sshd_config
-chmod 600 /etc/ssh/sshd_config
-#################################################################################
-####################### Django's ssh-pubkey hinterlegen #########################
-mkdir /home/django/.ssh
-chmod 700 /home/django/.ssh
-chown django:django /home/django/.ssh
-cat <<AUTHORIZED_KEYS >/home/django/.ssh/authorized_keys
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AA/F1CKDicH1n5Kn13+YjpbHqHOkhsMagrrD5dIbkU6ddoBSp django@nausch.org
-AUTHORIZED_KEYS
-chmod 644 /home/django/.ssh/authorized_keys
-chown django:django /home/django/.ssh/authorized_keys
-#################################################################################
-############### lokales gespiegeltes CentOS-Repository benutzen #################
-cp -a /etc/yum.repos.d/CentOS-AppStream.repo /etc/yum.repos.d/CentOS-AppStream.repo.orig
-cat <<CENTOS-APPSTREAM > /etc/yum.repos.d/epel-modular.repo
-# CentOS-AppStream.repo
-#
-# The mirror system uses the connecting IP address of the client and the
-# update status of each mirror to pick mirrors that are updated to and
-# geographically close to the client.  You should use this for CentOS updates
-# unless you are manually picking other mirrors.
-#
-# If the mirrorlist= does not work for you, as a fall back you can try the
-# remarked out baseurl= line instead.
-#
-#
-[AppStream]
-name=CentOS-\$releasever - AppStream
-baseurl=http://10.0.0.57/centos/\$releasever/AppStream/\$basearch/os/
-gpgcheck=1
-enabled=1
-gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial
-CENTOS-APPSTREAM
-chown root:root /etc/yum.repos.d/CentOS-AppStream.repo
-chmod 644 /etc/yum.repos.d/CentOS-AppStream.repo
-cp -a /etc/yum.repos.d/CentOS-Base.repo /etc/yum.repos.d/CentOS-Base.repo.orig
-cat <<CENTOS-BASE > /etc/yum.repos.d/CentOS-Base.repo
-# CentOS-Base.repo
-#
-# The mirror system uses the connecting IP address of the client and the
-# update status of each mirror to pick mirrors that are updated to and
-# geographically close to the client.  You should use this for CentOS updates
-# unless you are manually picking other mirrors.
-#
-# If the mirrorlist= does not work for you, as a fall back you can try the
-# remarked out baseurl= line instead.
-#
-#
-[BaseOS]
-name=CentOS-\$releasever - Base
-baseurl=http://10.0.0.57/centos/\$releasever/BaseOS/\$basearch/os/
-gpgcheck=1
-enabled=1
-gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial
-CENTOS-BASE
-chown root:root /etc/yum.repos.d/CentOS-AppStream.repo
-chmod 644 /etc/yum.repos.d/CentOS-AppStream.repo
-cp -a /etc/yum.repos.d/CentOS-Extras.repo /etc/yum.repos.d/CentOS-Extras.repo.orig
-cat <<CENTOS-EXTRAS > /etc/yum.repos.d/CentOS-Extras.repo
-# CentOS-Extras.repo
-#
-# The mirror system uses the connecting IP address of the client and the
-# update status of each mirror to pick mirrors that are updated to and
-# geographically close to the client.  You should use this for CentOS updates
-# unless you are manually picking other mirrors.
-#
-# If the mirrorlist= does not work for you, as a fall back you can try the
-# remarked out baseurl= line instead.
-#
-#
-#additional packages that may be useful
-[extras]
-name=CentOS-\$releasever - Extras
-baseurl=http://10.0.0.57/centos/\$releasever/extras/\$basearch/os/
-gpgcheck=1
-enabled=1
-gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial
-CENTOS-EXTRAS
-chown root:root /etc/yum.repos.d/CentOS-Extras.repo
-chmod 644 /etc/yum.repos.d/CentOS-Extras.repo
-#################################################################################
-###### EPEL installieren und lokales gespiegeltes EPEL-Repository benutzen ######
-dnf install epel-release -y
-rpm --import https://dl.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-
-cp -a /etc/yum.repos.d/epel-modular.repo /etc/yum.repos.d/epel-modular.repo.orig
-cat <<EPEL-MODULAR > /etc/yum.repos.d/epel-modular.repo
-[epel-modular]
-name=Extra Packages for Enterprise Linux Modular \$releasever - \$basearch
-baseurl=http://10.0.0.57/epel/\$releasever/Modular/\$basearch
-enabled=1
-gpgcheck=1
-gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-8
-[epel-modular-debuginfo]
-name=Extra Packages for Enterprise Linux Modular \$releasever - \$basearch - Debug
-baseurl=http://10.0.0.57/epel/\$releasever/Modular/\$basearch/debug
-enabled=0
-gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-8
-gpgcheck=1
-[epel-modular-source]
-name=Extra Packages for Enterprise Linux Modular \$releasever - \$basearch - Source
-baseurl=http://10.0.0.57/epel/\$releasever/Modular/\$basearch/SRPMS
-enabled=0
-gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-8
-gpgcheck=1
-EPEL-MODULAR
-chown root:root /etc/yum.repos.d/epel-modular.repo
-chmod 644 /etc/yum.repos.d/epel-modular.repo
-cp -a /etc/yum.repos.d/epel.repo /etc/yum.repos.d/epel.repo.orig
-cat <<EPEL > /etc/yum.repos.d/epel.repo
-[epel]
-name=Extra Packages for Enterprise Linux \$releasever - \$basearch
-baseurl=http://10.0.0.57/epel/\$releasever/Everything/\$basearch
-enabled=1
-gpgcheck=1
-gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-8
-[epel-debuginfo]
-name=Extra Packages for Enterprise Linux \$releasever - \$basearch - Debug
-baseurl=http://10.0.0.57/epel/\$releasever/Everything/\$basearch/debug
-enabled=0
-gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-8
-gpgcheck=1
-[epel-source]
-name=Extra Packages for Enterprise Linux \$releasever - \$basearch - Source
-baseurl=http://10.0.0.57/epel/\$releasever/Everything/SRPMS
-enabled=0
-gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-8
-gpgcheck=1
-EPEL
-chown root:root /etc/yum.repos.d/epel.repo
-chmod 644 /etc/yum.repos.d/epel.repo
-#################################################################################
-############################ System Updaten #####################################
-dnf update -y
-#################################################################################
-;;
-esac;
-done
-%end
-</file>
-Damit nun beim Laden der Menüdatei bei PXE-Boot die überarbeitete Kickstart-Datei geladen werden kann, erweitern wir nun die Menü-Datei unseres PXE-Bootservers.
-   # vim /var/lib/tftpboot/pxelinux.cfg/dmz-64
-Dort tragen wir beim betreffenden **LABEL** die Optionen **''ks''**, **''net.ifnames''** und **''biosdevname''** sowie am Ende der Zeile **''SERVERNAME=''** ein.
-<code>LABEL 3
-   MENU LABEL ^3) Installation von CentOS 8 (64 Bit)
-   KERNEL images/centos/8/x86_64/vmlinuz
-   APPEND ks=http://10.0.0.57/kickstart/ks_centos_8_x86_64_dmz.cfg initrd=images/centos/8/x86_64/initrd.img ksdevice=eth0 ip=dhcp --hostname=vml000250.dmz.nausch.org method=http://10.0.0.57/centos/8/BaseOS/x86_64/os/ net.ifnames=0 biosdevname=0 SERVERNAME=
-</code>
-Anschliessend starten wir wie gewohnt unsere virtuelle Maschine.
-{{ :centos:pxe_c7:pxe-boot-menue-004.png?nolink&800 |Bild: Bildschirmhardcopy der Installationskonfiguration}}
-<WRAP center round tip 80%>
-Zum Setzen des Hostnamens wählen wir nun wie gewünscht den betreffenden Menüpunkt aus, drücken dann aber **__NICHT__** die **EINGABETASTE**, sondern die Taste **TAB**! Anschliessend geben wir den Hostnamen ein.
-</WRAP>
-{{ :centos:pxe_c8:pxe-boot-menue-087b.png?nolink&800 |Bild: Bildschirmhardcopy Auswahl PXE Bootmenü}}
-Am Ende des Installationsvorganges werden wir informiert, dass das postinstall-script, welches wir per PXE-Boot bzw. genauer gesagt mit dem Kickstartfile mitgegeben hatten, ausgeführt wird.
-{{ :centos:pxe_c8:pxe-boot-menue-087c.png?nolink&800 |Bild: Bildschirmhardcopy Anzeige "Ausführung postinstall script"}}
-Nach kurzer Wartezeit haben wir ein neues, vorkonfiguriertes und vor allem aktuelles System, bei dem wir uns direkt per **''ssh''** verbinden können.
-   $ ssh 10.0.0.50
-<code>The authenticity of host '10.0.0.50 (10.0.0.50)' can't be established.
-ED25519 key fingerprint is SHA256:JKV0iNvjQGMhkWIGEPC1hQH/vzpbeabl1g7s46yhMj6.
-Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
-Warning: Permanently added '10.0.0.50' (ED25519) to the list of known hosts.
-##############################################################################
-#                                                                            #
-#                       This is a private home server.                       #
-#                                                                            #
-#             Unauthorized access to this system is prohibited !             #
-#                                                                            #
-#    This system is actively monitored and all connections may be logged.    #
-#         By accessing this system, you consent to this monitoring.          #
-#                                                                            #
-##############################################################################
-##############################################################################
-#                                                                            #
-#                 This is the home server of Michael Nausch.                 #
-#                                                                            #
-#                            vml000050.nausch.org                            #
-#                                                                            #
-#             Unauthorized access to this system is prohibited !             #
-#                                                                            #
-#    This system is actively monitored and all connections may be logged.    #
-#         By accessing this system, you consent to this monitoring.          #
-#                                                                            #
-##############################################################################</code>
-Die Netzwerkschnittstelle hat entsprechend die gewünschte Bezeichnung erhalten.
-   # ip a
-<code>1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
-    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
-    inet 127.0.0.1/8 scope host lo
-       valid_lft forever preferred_lft forever
-    inet6 ::1/128 scope host
-       valid_lft forever preferred_lft forever
-: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
-    link/ether 52:54:00:74:80:c2 brd ff:ff:ff:ff:ff:ff
-    inet 10.0.0.50/24 brd 10.0.0.255 scope global noprefixroute eth0
-       valid_lft forever preferred_lft forever
-    inet6 fe80::5054:ff:fe74:80c2/64 scope link noprefixroute
-       valid_lft forever preferred_lft forever</code>
-Das System ist auch mit den aktuellesten Programmpaketen bestückt.
-   # dnf update
-<code>Last metadata expiration check: 0:12:20 ago on Sun 14 Jun 2020 01:49:52 PM CEST.
-Dependencies resolved.
-Nothing to do.
-Complete!</code>