Unterschiede
Hier werden die Unterschiede zwischen zwei Versionen angezeigt.
Beide Seiten der vorigen Revision Vorhergehende Überarbeitung | |||
centos:ansible:pxe [21.06.2020 10:35. ] – [Installation eines Ansible-Orchestrator-Management-Hosts mit Hilfe eines Kickstartfiles für CentOS 8.x (PXE-Server)] django | centos:ansible:pxe [14.09.2022 16:52. ] (aktuell) – Seite umgezogen django | ||
---|---|---|---|
Zeile 1: | Zeile 1: | ||
- | ====== Installation eines Ansible-Orchestrator-Management-Hosts mit Hilfe eines Kickstartfiles für CentOS 8.x (PXE-Server) ====== | ||
- | Kurz mal einen Rechner zu installieren, | ||
- | |||
- | <WRAP center round tip 80%> | ||
- | Wir wollen aber in folgendem Beispiel automatisiert unseren **AOMH**((**A**nsible-**O**rchestrator-**M**anagement-**H**osts)) reproduzierbar vie PXE installieren, | ||
- | </ | ||
- | |||
- | |||
- | ===== Voraussetzungen ===== | ||
- | ==== TFTP-/ | ||
- | Folgende Voraussetzungen müssen hierzu erfüllt werden: | ||
- | - Der [[centos: | ||
- | - Ein [[centos: | ||
- | - Eine Definition des [[centos: | ||
- | - Die Netzwerkkarte im Clientrechner __muss__ PXE unterstützen! | ||
- | |||
- | ==== SSH-Schlüsselmaterial ==== | ||
- | Der Grundgedanke bei dieser Vorhaben ist, im Zweifel immer wieder exakt den gleichen **Ansible-Ochestrator-Management-Host** reproduzierbar aufzusetzen, | ||
- | |||
- | Im Kapitel **[[centos: | ||
- | |||
- | Wir erstellen uns nun einen **ED25519**-Schlüssel (**'' | ||
- | $ ssh-keygen -t ed25519 -a 100 -C ' | ||
- | |||
- | < | ||
- | Enter passphrase (empty for no passphrase): | ||
- | Enter same passphrase again: | ||
- | Your identification has been saved in ~/ | ||
- | Your public key has been saved in ~/ | ||
- | The key fingerprint is: | ||
- | SHA256: | ||
- | The key's randomart image is: | ||
- | +--[ED25519 256]--+ | ||
- | | | ||
- | | .E+ +.+. | | ||
- | | ++.. = * | | ||
- | | +..+ + O . | | ||
- | | | ||
- | | ... o * . | | ||
- | | .oo o + + .| | ||
- | | .... o . = | | ||
- | | | ||
- | +----[SHA256]-----</ | ||
- | |||
- | Die beiden Key-Files kopieren wir dann auf ein vertrauenswürdiges Medium, auf welches wir jederzeit wiieder zurückgreifen können. | ||
- | $ ll .ssh/ | ||
- | < | ||
- | -rw-r--r--. 1 ansible ansible 100 Jun 20 13:08 id_ed25519_ansible.pub</ | ||
- | |||
- | <WRAP center round important 80%> | ||
- | Ob das nun ein sicherer USB-Speicherstick wie der **[[https:// | ||
- | </ | ||
- | |||
- | |||
- | |||
- | ===== Ansible-Orchestrator-Management-Host ===== | ||
- | ==== Aufgabenstellung ==== | ||
- | Wie Eingangs schon angesprochen, | ||
- | |||
- | Folgende Aufgaben wird unser Script für uns reproduzierbar künftig erledigen: | ||
- | - **[[centos: | ||
- | - **IP-Adresse und Hostname** Durch Angabe des Hostnamens beim Booten des Installationsimages wollen wir diesen setzen und auch die zugehörige IP-Adresse übernehmen lassen. (Der Hostname wir so z.B. auch bei der Definition der VolumeGroup eines LVMs verwendet.) | ||
- | - **Installations-Logfile** zum Nachvollziehen der erfolgten INstallation unter **''/ | ||
- | - **[[centos: | ||
- | - **[[centos: | ||
- | - **[[centos: | ||
- | - **[[centos: | ||
- | - **[[wiki: | ||
- | - Zusätzlich zum Standard soll auch noch das Repository **[[centos: | ||
- | - **Update** Zum Schluss stellen wir noch sicher dass alle installierten Pakete in der aktuellsten Version vorliegen und lassen dann das System neu starten. | ||
- | - **NFS-Client zur Verbindung NAS einrichten**, | ||
- | - **[[centos: | ||
- | - **Ansible System-User** erstellen und zuvor erstelltes **[[# | ||
- | - **[[centos: | ||
- | - **[[centos: | ||
- | |||
- | ==== Kickstartdatei anlegen ==== | ||
- | Zur automatischen Installation und Konfiguration unseres Ansible-Orchestrator-Management-Hosts verwenden wir folgende Kickstart-Datei. | ||
- | # vim / | ||
- | |||
- | <file bash / | ||
- | # Version=CentOS 8 (RHEL 8) | ||
- | |||
- | # 1) Grundinstallation ########################################################################################## | ||
- | |||
- | # Tastaturlayout definieren | ||
- | keyboard --vckeymap=de-nodeadkeys --xlayouts=' | ||
- | |||
- | # Systemsprache setzen | ||
- | lang en_US.UTF-8 | ||
- | |||
- | # Definition der Netzwerkeinstellungeni - setzen der Netzwerk-Adresse und Hostname | ||
- | # die aus dem Preinstall-Script beim PXE-Boot übernommen wurden. | ||
- | %include / | ||
- | network | ||
- | |||
- | # Zeitzone setzen | ||
- | timezone Europe/ | ||
- | services --enabled=" | ||
- | |||
- | # Netzwerkinstallation aus dem eigenen Repository mit den aktuellen Paketen | ||
- | url --url=" | ||
- | repo --name=" | ||
- | |||
- | # Root-Passwort verschlüsselt vorgeben | ||
- | rootpw --iscrypted $6$Z46HtZ/ | ||
- | |||
- | # Default-Benutzerkonto anlegen | ||
- | user --name=django --password=$6$2.fGKBeQa18GE6XwDMXG6$QX/ | ||
- | |||
- | # vorhandene Partitionen löschen | ||
- | #ignoredisk --only-use=vda | ||
- | #clearpart --all --initlabel --drives=vda | ||
- | # autopart --type=lvm | ||
- | |||
- | # GUI für Installation verwenden | ||
- | graphical | ||
- | |||
- | # Kein X Window System konfigurieren, | ||
- | skipx | ||
- | |||
- | # Reboot nach der Installation ausführen | ||
- | reboot | ||
- | |||
- | # Paketauswahl definieren (Minimalinstallation mit zusätzlichen Paketen | ||
- | %packages | ||
- | @^minimal-environment | ||
- | -iwl*firmware | ||
- | vim | ||
- | bash-completion | ||
- | bind-utils | ||
- | wget | ||
- | telnet | ||
- | net-tools | ||
- | lsof | ||
- | tree | ||
- | %end | ||
- | |||
- | %addon com_redhat_kdump --disable --reserve-mb=' | ||
- | %end | ||
- | |||
- | %anaconda | ||
- | pwpolicy root --minlen=6 --minquality=1 --notstrict --nochanges --notempty | ||
- | pwpolicy user --minlen=6 --minquality=1 --notstrict --nochanges --emptyok | ||
- | pwpolicy luks --minlen=6 --minquality=1 --notstrict --nochanges --notempty | ||
- | %end | ||
- | |||
- | #%end | ||
- | |||
- | %addon com_redhat_kdump --disable --reserve-mb=' | ||
- | |||
- | %end | ||
- | ################################################################################################################# | ||
- | |||
- | # 2) Preinstall-Anweisungen: | ||
- | %pre | ||
- | #!/bin/bash | ||
- | echo " | ||
- | for x in `cat / | ||
- | case $x in SERVERNAME*) | ||
- | eval $x | ||
- | NULL=${SERVERNAME: | ||
- | if [ " | ||
- | echo " | ||
- | else | ||
- | if [ " | ||
- | OCTET=${SERVERNAME: | ||
- | else | ||
- | OCTET=${SERVERNAME: | ||
- | fi | ||
- | echo " | ||
- | fi | ||
- | ;; | ||
- | esac; | ||
- | done | ||
- | %end | ||
- | ################################################################################################################# | ||
- | |||
- | # 3) Postinstall-Anweisungen: | ||
- | %post --log=/ | ||
- | #!/bin/bash | ||
- | DATUM=$(date +" | ||
- | for x in `cat / | ||
- | case $x in SERVERNAME*) | ||
- | eval $x | ||
- | ################################################################################################################# | ||
- | |||
- | # 4) Bootloader anpassen, rhgb bei den Bootoptionen entfernen ################################################### | ||
- | sed -i ' | ||
- | grub2-mkconfig -o / | ||
- | ################################################################################################################# | ||
- | |||
- | # 5) MOTD und ISSUE.NET individualisieren ####################################################################### | ||
- | # / | ||
- | cat << | ||
- | ############################################################################## | ||
- | # # | ||
- | # This is a private home server. | ||
- | # # | ||
- | # | ||
- | # # | ||
- | # This system is actively monitored and all connections may be logged. | ||
- | # By accessing this system, you consent to this monitoring. | ||
- | # # | ||
- | ############################################################################## | ||
- | ISSUE.NET | ||
- | |||
- | chown root: / | ||
- | chmod 644 / | ||
- | |||
- | # /etc/motd anlegen | ||
- | cat << | ||
- | ############################################################################## | ||
- | # # | ||
- | # This is the home server of Michael Nausch. | ||
- | # # | ||
- | # $SERVERNAME.nausch.org | ||
- | # # | ||
- | # | ||
- | # # | ||
- | # This system is actively monitored and all connections may be logged. | ||
- | # By accessing this system, you consent to this monitoring. | ||
- | # # | ||
- | ############################################################################## | ||
- | MOTD | ||
- | |||
- | chown root: /etc/motd | ||
- | chmod 644 /etc/motd | ||
- | ################################################################################################################# | ||
- | |||
- | # 6) SSH-Daemon konfigurieren ################################################################################### | ||
- | cp -a / | ||
- | cat << | ||
- | # $OpenBSD: sshd_config, | ||
- | |||
- | # This is the sshd server system-wide configuration file. See | ||
- | # sshd_config(5) for more information. | ||
- | |||
- | # This sshd was compiled with PATH=/ | ||
- | |||
- | # The strategy used for options in the default sshd_config shipped with | ||
- | # OpenSSH is to specify options with their default value where | ||
- | # possible, but leave them commented. | ||
- | # default value. | ||
- | |||
- | # If you want to change the port on a SELinux system, you have to tell | ||
- | # SELinux about this change. | ||
- | # semanage port -a -t ssh_port_t -p tcp #PORTNUMBER | ||
- | # | ||
- | # Specifies which address family should be used by sshd(8). Valid arguments | ||
- | # are '' | ||
- | # | ||
- | |||
- | # Specifies the local addresses sshd(8) should listen on. The following | ||
- | # forms may be used: | ||
- | # | ||
- | # | ||
- | # | ||
- | # If port is not specified, sshd will listen on the address and all prior | ||
- | # Port options specified. The default is to listen on all local addresses. | ||
- | # Multiple ListenAddress options are permitted. Additionally, | ||
- | # options must precede this option for non-port qualified addresses. | ||
- | #Port 22 | ||
- | # | ||
- | # | ||
- | |||
- | # Specifies a file containing a private host key used by SSH. The default | ||
- | # is / | ||
- | # / | ||
- | # version 2. Note that sshd(8) will refuse to use a file if it is | ||
- | # group/ | ||
- | # '' | ||
- | # version 2 of the SSH protocol. | ||
- | HostKey / | ||
- | |||
- | # Specifies the ciphers allowed for protocol version 2. Multiple ciphers | ||
- | # must be comma-separated. The supported ciphers are '' | ||
- | # '' | ||
- | # '' | ||
- | # '' | ||
- | Ciphers chacha20-poly1305@openssh.com, | ||
- | |||
- | # MACs' Specifies the available MAC (message authentication code) | ||
- | # algorithms. The MAC algorithm is used in protocol version 2 for data | ||
- | # integrity protection. Multiple algorithms must be comma-separated. | ||
- | MACs hmac-sha2-512-etm@openssh.com, | ||
- | |||
- | # Specifies the available KEX (Key Exchange) algorithms. Multiple | ||
- | # algorithms must be comma-separated. For ineroperability with Eclipse | ||
- | # and WinSCP): | ||
- | # KexAlgorithms curve25519-sha256@libssh.org, | ||
- | # If needed, open / | ||
- | # 5th column is less than 2000. | ||
- | # awk '$5 > 2000' / | ||
- | # wc -l " | ||
- | # make sure there is something left | ||
- | # mv " | ||
- | # | ||
- | KexAlgorithms curve25519-sha256@libssh.org | ||
- | |||
- | # Ciphers and keying | ||
- | #RekeyLimit default none | ||
- | |||
- | # System-wide Crypto policy: | ||
- | # This system is following system-wide crypto policy. The changes to | ||
- | # Ciphers, MACs, KexAlgoritms and GSSAPIKexAlgorithsm will not have any | ||
- | # effect here. They will be overridden by command-line options passed on | ||
- | # the server start up. | ||
- | # To opt out, uncomment a line with redefinition of CRYPTO_POLICY= | ||
- | # variable in / | ||
- | # For more information, | ||
- | |||
- | # Logging | ||
- | # Gives the facility code that is used when logging messages from sshd(8). | ||
- | # The possible values are: DAEMON, USER, AUTH, AUTHPRIV, LOCAL0, LOCAL1, | ||
- | # LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. | ||
- | SyslogFacility AUTHPRIV | ||
- | |||
- | # Gives the verbosity level that is used when logging messages from sshd(8). | ||
- | # The possible values are: QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, | ||
- | # DEBUG1, DEBUG2, and DEBUG3. The default is INFO. DEBUG and DEBUG1 are | ||
- | # equivalent. DEBUG2 and DEBUG3 each specify higher levels of debugging | ||
- | # output. Logging with a DEBUG level violates the privacy of users and is | ||
- | # not recommended. | ||
- | # LogLevel VERBOSE logs user's key fingerprint on login. Needed to have a | ||
- | # clear audit track of which key was using to log in. | ||
- | LogLevel VERBOSE | ||
- | |||
- | # Authentication: | ||
- | # The server disconnects after this time if the user has not successfully | ||
- | # logged in. If the value is 0, there is no time limit. | ||
- | LoginGraceTime 0 | ||
- | |||
- | # Specifies whether root can log in using ssh(1). The argument must be | ||
- | # '' | ||
- | # The default is '' | ||
- | # password authentication is disabled for root. If this option is set to | ||
- | # '' | ||
- | # be allowed, but only if the command option has been specified (which | ||
- | # may be useful for taking remote backups even if root login is normally | ||
- | # not allowed). All other authentication methods are disabled for root. | ||
- | # If this option is set to '' | ||
- | PermitRootLogin no | ||
- | |||
- | # This keyword can be followed by a list of user name patterns, separated | ||
- | # by spaces. If specified, login is allowed only for user names that match | ||
- | # one of the patterns. Only user names are valid; a numerical user ID is | ||
- | # not recognized. By default, login is allowed for all users. If the pattern | ||
- | # takes the form USER@HOST then USER and HOST are separately checked, | ||
- | # restricting logins to particular users from particular hosts. The | ||
- | # allow/deny directives are processed in the following order: | ||
- | # DenyUsers, AllowUsers, DenyGroups, and finally AllowGroups. | ||
- | AllowUsers django ansible | ||
- | |||
- | # Specifies whether sshd(8) should check file modes and ownership of the | ||
- | # user's files and home directory before accepting login. This is normally | ||
- | # desirable because novices sometimes accidentally leave their directory | ||
- | # or files world-writable. | ||
- | StrictModes yes | ||
- | |||
- | # Specifies the maximum number of authentication attempts permitted per | ||
- | # connection. Once the number of failures reaches half this value, | ||
- | # additional failures are logged. | ||
- | MaxAuthTries 10 | ||
- | |||
- | # Specifies the maximum number of open sessions permitted per network | ||
- | # connection. | ||
- | MaxSessions 10 | ||
- | |||
- | # Specifies the file that contains the public keys that can be used for | ||
- | # user authentication. AuthorizedKeysFile may contain tokens of the form | ||
- | # %T which are substituted during connection setup. The following tokens | ||
- | # are defined: %% is replaced by a literal ' | ||
- | # home directory of the user being authenticated, | ||
- | # the username of that user. After expansion, AuthorizedKeysFile is | ||
- | # taken to be an absolute path or one relative to the user's home directory. | ||
- | AuthorizedKeysFile | ||
- | |||
- | # Specifies whether public key authentication is allowed. The default is | ||
- | # '' | ||
- | PubkeyAuthentication yes | ||
- | |||
- | |||
- | # | ||
- | # | ||
- | # | ||
- | |||
- | # For this to work you will also need host keys in / | ||
- | # | ||
- | # Change to yes if you don't trust ~/ | ||
- | # HostbasedAuthentication | ||
- | # | ||
- | # Don't read the user's ~/.rhosts and ~/.shosts files | ||
- | # | ||
- | |||
- | # To disable tunneled clear text passwords, change to no here! | ||
- | # | ||
- | # | ||
- | |||
- | # Specifies whether password authentication is allowed. To disable tunneled | ||
- | # clear text passwords, change to no here! | ||
- | PasswordAuthentication no | ||
- | |||
- | # Specifies whether challenge-response authentication is allowed | ||
- | # (e.g. via PAM or though authentication styles supported in login.conf(5)) | ||
- | # Change to no to disable s/key passwords | ||
- | ChallengeResponseAuthentication no | ||
- | |||
- | # Kerberos options | ||
- | # | ||
- | # | ||
- | # | ||
- | # | ||
- | # | ||
- | |||
- | # Specifies whether user authentication based on GSSAPI is allowed. | ||
- | GSSAPIAuthentication yes | ||
- | |||
- | # Specifies whether key exchange based on GSSAPI is allowed. GSSAPI key | ||
- | # exchange doesn' | ||
- | # | ||
- | |||
- | # Specifies whether to automatically destroy the user's credentials cache | ||
- | # on logout. | ||
- | GSSAPICleanupCredentials no | ||
- | |||
- | # Determines whether to be strict about the identity of the GSSAPI acceptor | ||
- | # a client authenticates against. If '' | ||
- | # against the host service on the current hostname. If '' | ||
- | # may authenticate against any service key stored in the machine' | ||
- | # store. This facility is provided to assist with operation on multi homed | ||
- | # machines. The default is '' | ||
- | # protocol version 2 GSSAPI connections, | ||
- | # work with recent Kerberos GSSAPI libraries. | ||
- | # | ||
- | |||
- | # | ||
- | |||
- | # Set this to ' | ||
- | # and session processing. If this is enabled, PAM authentication will | ||
- | # be allowed through the ChallengeResponseAuthentication and | ||
- | # PasswordAuthentication. | ||
- | # PAM authentication via ChallengeResponseAuthentication may bypass | ||
- | # the setting of " | ||
- | # If you just want the PAM account and session checks to run without | ||
- | # PAM authentication, | ||
- | # and ChallengeResponseAuthentication to ' | ||
- | # WARNING: ' | ||
- | # problems. | ||
- | UsePAM yes | ||
- | |||
- | # Specifies whether X11 forwarding is permitted. The argument must be | ||
- | # '' | ||
- | # When X11 forwarding is enabled, there may be additional exposure to the | ||
- | # server and to client displays if the sshd(8) proxy display is configured | ||
- | # to listen on the wildcard address (see X11UseLocalhost below), though this | ||
- | # is not the default. Additionally, | ||
- | # authentication data verification and substitution occur on the client side. | ||
- | # The security risk of using X11 forwarding is that the client' | ||
- | # server may be exposed to attack when the SSH client requests forwarding | ||
- | # (see the warnings for ForwardX11 in ssh_config(5)). A system administrator | ||
- | # may have a stance in which they want to protect clients that may expose | ||
- | # themselves to attack by unwittingly requesting X11 forwarding, which can | ||
- | # warrant a '' | ||
- | # prevent users from forwarding X11 traffic, as users can always install | ||
- | # their own forwarders. X11 forwarding is automatically disabled if UseLogin | ||
- | # is enabled. | ||
- | X11Forwarding yes | ||
- | |||
- | # Specifies the first display number available for sshd(8)' | ||
- | # This prevents sshd from interfering with real X11 servers. | ||
- | # The default is 10. | ||
- | # | ||
- | |||
- | # Specifies whether sshd(8) should bind the X11 forwarding server to the | ||
- | # loopback address or to the wildcard address. By default, sshd binds the | ||
- | # forwarding server to the loopback address and sets the hostname part of | ||
- | # the DISPLAY environment variable to '' | ||
- | # hosts from connecting to the proxy display. However, some older X11 clients | ||
- | # may not function with this configuration. X11UseLocalhost may be set to | ||
- | # '' | ||
- | # wildcard address. The argument must be '' | ||
- | # '' | ||
- | # | ||
- | |||
- | # Specifies whether ssh-agent(1) forwarding is permitted. The default is | ||
- | # '' | ||
- | # unless users are also denied shell access, as they can always install | ||
- | # their own forwarders. | ||
- | # | ||
- | |||
- | # Specifies whether TCP forwarding is permitted. The default is '' | ||
- | # Note that disabling TCP forwarding does not improve security unless users | ||
- | # are also denied shell access, as they can always install their own | ||
- | # forwarders. | ||
- | # | ||
- | |||
- | # Specifies whether remote hosts are allowed to connect to ports forwarded | ||
- | # for the client. By default, sshd(8) binds remote port forwardings to the | ||
- | # loopback address. This prevents other remote hosts from connecting to | ||
- | # forwarded ports. GatewayPorts can be used to specify that sshd should | ||
- | # allow remote port forwardings to bind to non-loopback addresses, thus | ||
- | # allowing other hosts to connect. The argument may be '' | ||
- | # remote port forwardings to be available to the local host only, '' | ||
- | # to force remote port forwardings to bind to the wildcard address, or | ||
- | # '' | ||
- | # the forwarding is bound. The default is '' | ||
- | # | ||
- | |||
- | #PermitTTY yes | ||
- | |||
- | # It is recommended to use pam_motd in / | ||
- | # as it is more configurable and versatile than the built-in version. | ||
- | PrintMotd no | ||
- | |||
- | # | ||
- | # | ||
- | # | ||
- | # | ||
- | # | ||
- | # | ||
- | # | ||
- | #UseDNS no | ||
- | #PidFile / | ||
- | # | ||
- | # | ||
- | # | ||
- | # | ||
- | |||
- | # The contents of the specified file are sent to the remote user before | ||
- | # authentication is allowed. | ||
- | Banner / | ||
- | |||
- | # Accept locale-related environment variables | ||
- | AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES | ||
- | AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT | ||
- | AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE | ||
- | AcceptEnv XMODIFIERS | ||
- | |||
- | # Configures an external subsystem (e.g. file transfer daemon). Arguments | ||
- | # should be a subsystem name and a command (with optional arguments) to | ||
- | # execute upon subsystem request. Log sftp level file access | ||
- | # (read/ | ||
- | Subsystem sftp / | ||
- | |||
- | # Example of overriding settings on a per-user basis | ||
- | #Match User anoncvs | ||
- | # | ||
- | # | ||
- | # PermitTTY no | ||
- | # | ||
- | SSHD_CONFIG | ||
- | chown root: / | ||
- | chmod 600 / | ||
- | ################################################################################################################# | ||
- | |||
- | # 7) SSH-Publickey des Admin-Accounts hinterlegen ############################################################### | ||
- | mkdir / | ||
- | chmod 700 / | ||
- | chown django: / | ||
- | cat << | ||
- | ssh-ed25519 AAAAC3OkhsMagNI1NTE5AAAAIDYjDCtBTfrpbHHkRrqHrrD5d+IbkzaC1lZDU6ddoBSp django@nausch.org | ||
- | AUTHORIZED_KEYS | ||
- | chmod 644 / | ||
- | chown django: / | ||
- | ################################################################################################################# | ||
- | |||
- | # 8) lokal gespiegeltes CentOS-Repository benutzen ############################################################## | ||
- | cp -a / | ||
- | cat << | ||
- | # CentOS-AppStream.repo | ||
- | # | ||
- | # The mirror system uses the connecting IP address of the client and the | ||
- | # update status of each mirror to pick mirrors that are updated to and | ||
- | # geographically close to the client. | ||
- | # unless you are manually picking other mirrors. | ||
- | # | ||
- | # If the mirrorlist= does not work for you, as a fall back you can try the | ||
- | # remarked out baseurl= line instead. | ||
- | # | ||
- | # | ||
- | |||
- | [AppStream] | ||
- | name=CentOS-\$releasever - AppStream | ||
- | baseurl=http:// | ||
- | gpgcheck=1 | ||
- | enabled=1 | ||
- | gpgkey=file:/// | ||
- | CENTOS-APPSTREAM | ||
- | chown root: / | ||
- | chmod 644 / | ||
- | |||
- | cp -a / | ||
- | cat << | ||
- | # CentOS-Base.repo | ||
- | # | ||
- | # The mirror system uses the connecting IP address of the client and the | ||
- | # update status of each mirror to pick mirrors that are updated to and | ||
- | # geographically close to the client. | ||
- | # unless you are manually picking other mirrors. | ||
- | # | ||
- | # If the mirrorlist= does not work for you, as a fall back you can try the | ||
- | # remarked out baseurl= line instead. | ||
- | # | ||
- | # | ||
- | |||
- | [BaseOS] | ||
- | name=CentOS-\$releasever - Base | ||
- | baseurl=http:// | ||
- | gpgcheck=1 | ||
- | enabled=1 | ||
- | gpgkey=file:/// | ||
- | CENTOS-BASE | ||
- | chown root: / | ||
- | chmod 644 / | ||
- | |||
- | cp -a / | ||
- | cat << | ||
- | # CentOS-Extras.repo | ||
- | # | ||
- | # The mirror system uses the connecting IP address of the client and the | ||
- | # update status of each mirror to pick mirrors that are updated to and | ||
- | # geographically close to the client. | ||
- | # unless you are manually picking other mirrors. | ||
- | # | ||
- | # If the mirrorlist= does not work for you, as a fall back you can try the | ||
- | # remarked out baseurl= line instead. | ||
- | # | ||
- | # | ||
- | |||
- | #additional packages that may be useful | ||
- | [extras] | ||
- | name=CentOS-\$releasever - Extras | ||
- | baseurl=http:// | ||
- | gpgcheck=1 | ||
- | enabled=1 | ||
- | gpgkey=file:/// | ||
- | CENTOS-EXTRAS | ||
- | chown root: / | ||
- | chmod 644 / | ||
- | ################################################################################################################# | ||
- | |||
- | # 9) EPEL installieren und lokales gespiegeltes EPEL-Repository benutzen ######################################## | ||
- | dnf install epel-release -y | ||
- | rpm --import https:// | ||
- | |||
- | cp -a / | ||
- | cat << | ||
- | [epel-modular] | ||
- | name=Extra Packages for Enterprise Linux Modular \$releasever - \$basearch | ||
- | baseurl=http:// | ||
- | enabled=1 | ||
- | gpgcheck=1 | ||
- | gpgkey=file:/// | ||
- | |||
- | [epel-modular-debuginfo] | ||
- | name=Extra Packages for Enterprise Linux Modular \$releasever - \$basearch - Debug | ||
- | baseurl=http:// | ||
- | enabled=0 | ||
- | gpgkey=file:/// | ||
- | gpgcheck=1 | ||
- | |||
- | [epel-modular-source] | ||
- | name=Extra Packages for Enterprise Linux Modular \$releasever - \$basearch - Source | ||
- | baseurl=http:// | ||
- | enabled=0 | ||
- | gpgkey=file:/// | ||
- | gpgcheck=1 | ||
- | |||
- | EPEL-MODULAR | ||
- | chown root: / | ||
- | chmod 644 / | ||
- | |||
- | cp -a / | ||
- | cat << | ||
- | [epel] | ||
- | name=Extra Packages for Enterprise Linux \$releasever - \$basearch | ||
- | baseurl=http:// | ||
- | enabled=1 | ||
- | gpgcheck=1 | ||
- | gpgkey=file:/// | ||
- | |||
- | [epel-debuginfo] | ||
- | name=Extra Packages for Enterprise Linux \$releasever - \$basearch - Debug | ||
- | baseurl=http:// | ||
- | enabled=0 | ||
- | gpgkey=file:/// | ||
- | gpgcheck=1 | ||
- | |||
- | [epel-source] | ||
- | name=Extra Packages for Enterprise Linux \$releasever - \$basearch - Source | ||
- | baseurl=http:// | ||
- | enabled=0 | ||
- | gpgkey=file:/// | ||
- | gpgcheck=1 | ||
- | EPEL | ||
- | chown root: / | ||
- | chmod 644 / | ||
- | ################################################################################################################# | ||
- | |||
- | # 10) System Updaten ############################################################################################ | ||
- | dnf update -y | ||
- | ################################################################################################################# | ||
- | |||
- | # 11) NFS-Client zur Verbindung NAS einrichten ################################################################## | ||
- | dnf install nfs-utils -y | ||
- | mkdir / | ||
- | cp -a /etc/fstab / | ||
- | cat << | ||
- | 10.20.30.10:/ | ||
- | FSTAB | ||
- | mount / | ||
- | ################################################################################################################# | ||
- | |||
- | # 12) Ansible installieren ###################################################################################### | ||
- | dnf install ansible-doc ansible -y | ||
- | ################################################################################################################# | ||
- | |||
- | # 13) Ansible System-User erstellen und zuvor erstelltes Schlüsselmaterial hinterlegen ########################## | ||
- | groupadd --gid 65533 ansible && useradd ansible --create-home --home-dir / | ||
- | mkdir / | ||
- | chmod 700 / | ||
- | chown ansible: / | ||
- | cat <<KEY > / | ||
- | -----BEGIN OPENSSH PRIVATE KEY----- | ||
- | QyNTUxOQAAACC7YuO2mTknrX7zRcVVapCQH0il48r3pgd5EWREOav5HwAAAJhJEdo0SRHa | ||
- | b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW | ||
- | AAAEBTt8W5ylj51xHums6dfdjpPM5qpgCVHIGJV8W5leF5Brti47aZOSetfvNFxVVqkJAf | ||
- | SKXjyvemB3kRZEQ5q/ | ||
- | -----END OPENSSH PRIVATE KEY----- | ||
- | KEY | ||
- | chmod 400 / | ||
- | chown ansible: | ||
- | cat << | ||
- | ssh-ed25519 AAAAC3NzaC1lZDemB3kRZEQI1NTE5A7aZOSetfvNFxVVqkJAfSKXjAAAILti4yv5q/ | ||
- | KEY_PUB | ||
- | chmod 644 / | ||
- | chown ansible: | ||
- | cp / | ||
- | chmod 644 / | ||
- | chown ansible: | ||
- | usermod -aG wheel ansible | ||
- | ################################################################################################################# | ||
- | |||
- | # 14) Ansible: Directory Layout - Verzeichnisstruktur anlegen #################################################### | ||
- | mkdir -p / | ||
- | mkdir -p / | ||
- | touch / | ||
- | mkdir -p / | ||
- | touch / | ||
- | chown -R ansible: / | ||
- | cat << | ||
- | --- #YAML start syntax (optional) | ||
- | centos8: | ||
- | hosts: | ||
- | ansible: | ||
- | ansible_ssh_host: | ||
- | #demo: | ||
- | # ansible_ssh_host: | ||
- | # ansible_ssh_port: | ||
- | ... #YAML ende syntax (optional) | ||
- | HOSTS | ||
- | chmod 644 / | ||
- | chown ansible: / | ||
- | ################################################################################################################# | ||
- | |||
- | # 15) Ansible konfigurieren ##################################################################################### | ||
- | cat << | ||
- | # config file for ansible -- https:// | ||
- | # =============================================== | ||
- | |||
- | # nearly all parameters can be overridden in ansible-playbook | ||
- | # or with command line flags. ansible will read ANSIBLE_CONFIG, | ||
- | # ansible.cfg in the current working directory, .ansible.cfg in | ||
- | # the home directory or / | ||
- | # finds first | ||
- | |||
- | [defaults] | ||
- | |||
- | # some basic default values... | ||
- | |||
- | # Django : 2020-06-19 | ||
- | # default: # | ||
- | inventory = / | ||
- | # | ||
- | # | ||
- | # | ||
- | # | ||
- | # | ||
- | # | ||
- | # | ||
- | # | ||
- | # | ||
- | # | ||
- | # | ||
- | # | ||
- | # | ||
- | # | ||
- | |||
- | # plays will gather facts by default, which contain information about | ||
- | # the remote system. | ||
- | # | ||
- | # smart - gather by default, but don't regather if already gathered | ||
- | # implicit - gather by default, turn off with gather_facts: | ||
- | # explicit - do not gather by default, must say gather_facts: | ||
- | #gathering = implicit | ||
- | |||
- | # This only affects the gathering done by a play's gather_facts directive, | ||
- | # by default gathering retrieves all facts subsets | ||
- | # all - gather all subsets | ||
- | # network - gather min and network facts | ||
- | # hardware - gather hardware facts (longest facts to retrieve) | ||
- | # virtual - gather min and virtual facts | ||
- | # facter - import facts from facter | ||
- | # ohai - import facts from ohai | ||
- | # You can combine them using comma (ex: network, | ||
- | # You can negate them using ! (ex: !hardware, | ||
- | # A minimal set of facts is always gathered. | ||
- | # | ||
- | |||
- | # some hardware related facts are collected | ||
- | # with a maximum timeout of 10 seconds. This | ||
- | # option lets you increase or decrease that | ||
- | # timeout to something more suitable for the | ||
- | # environment. | ||
- | # gather_timeout = 10 | ||
- | |||
- | # Ansible facts are available inside the ansible_facts.* dictionary | ||
- | # namespace. This setting maintains the behaviour which was the default prior | ||
- | # to 2.5, duplicating these variables into the main namespace, each with a | ||
- | # prefix of ' | ||
- | # This variable is set to True by default for backwards compatibility. It | ||
- | # will be changed to a default of ' | ||
- | # ansible_facts. | ||
- | # inject_facts_as_vars = True | ||
- | |||
- | # additional paths to search for roles in, colon separated | ||
- | # | ||
- | |||
- | # uncomment this to disable SSH key host checking | ||
- | # | ||
- | |||
- | # change the default callback, you can only have one ' | ||
- | # | ||
- | |||
- | |||
- | ## Ansible ships with some plugins that require whitelisting, | ||
- | ## this is done to avoid running all of a type by default. | ||
- | ## These setting lists those that you want enabled for your system. | ||
- | ## Custom plugins should not need this unless plugin author specifies it. | ||
- | |||
- | # enable callback plugins, they can output to stdout but cannot be ' | ||
- | # | ||
- | |||
- | # Determine whether includes in tasks and handlers are " | ||
- | # default. As of 2.0, includes are dynamic by default. Setting these | ||
- | # values to True will make includes behave more like they did in the | ||
- | # 1.x versions. | ||
- | # | ||
- | # | ||
- | |||
- | # Controls if a missing handler for a notification event is an error or a warning | ||
- | # | ||
- | |||
- | # change this for alternative sudo implementations | ||
- | #sudo_exe = sudo | ||
- | |||
- | # What flags to pass to sudo | ||
- | # WARNING: leaving out the defaults might create unexpected behaviours | ||
- | #sudo_flags = -H -S -n | ||
- | |||
- | # SSH timeout | ||
- | #timeout = 10 | ||
- | |||
- | # default user to use for playbooks if user is not specified | ||
- | # (/ | ||
- | # | ||
- | # Django : 2020-06-19 | ||
- | # default: unset | ||
- | remote_user = ansible | ||
- | |||
- | # logging is off by default unless this path is defined | ||
- | # if so defined, consider logrotate | ||
- | #log_path = / | ||
- | |||
- | # default module name for / | ||
- | # | ||
- | |||
- | # use this shell for commands executed under sudo | ||
- | # you may need to change this to bin/bash in rare instances | ||
- | # if sudo is constrained | ||
- | #executable = /bin/sh | ||
- | |||
- | # if inventory variables overlap, does the higher precedence one win | ||
- | # or are hash values merged together? | ||
- | # this can also be set to ' | ||
- | # | ||
- | |||
- | # by default, variables from roles will be visible in the global variable | ||
- | # scope. To prevent this, the following option can be enabled, and only | ||
- | # tasks and handlers within the role will see the variables there | ||
- | # | ||
- | |||
- | # list any Jinja2 extensions to enable here: | ||
- | # | ||
- | |||
- | # if set, always use this private key file for authentication, | ||
- | # if passing --private-key to ansible or ansible-playbook | ||
- | # | ||
- | # Django : 2020-06-19 | ||
- | # default: unset | ||
- | private_key_file = / | ||
- | |||
- | # If set, configures the path to the Vault password file as an alternative to | ||
- | # specifying --vault-password-file on the command line. | ||
- | # | ||
- | |||
- | # format of string {{ ansible_managed }} available within Jinja2 | ||
- | # templates indicates to users editing templates files will be replaced. | ||
- | # replacing {file}, {host} and {uid} and strftime codes with proper values. | ||
- | # | ||
- | # {file}, {host}, {uid}, and the timestamp can all interfere with idempotence | ||
- | # in some situations so the default is a static string: | ||
- | # | ||
- | |||
- | # by default, ansible-playbook will display " | ||
- | # should not be run on a host. Set this to " | ||
- | # messages. NOTE: the task header will still be shown regardless of whether or not the | ||
- | # task is skipped. | ||
- | # | ||
- | |||
- | # by default, if a task in a playbook does not include a name: field then | ||
- | # ansible-playbook will construct a header that includes the task's action but | ||
- | # not the task's args. This is a security feature because ansible cannot know | ||
- | # if the *module* considers an argument to be no_log at the time that the | ||
- | # header is printed. | ||
- | # stdout from ansible-playbook (or you have manually specified no_log in your | ||
- | # playbook on all of the tasks where you have secret information) then you can | ||
- | # safely set this to True to get more informative messages. | ||
- | # | ||
- | |||
- | # by default (as of 1.3), Ansible will raise errors when attempting to dereference | ||
- | # Jinja2 variables that are not set in templates or action lines. Uncomment this line | ||
- | # to revert the behavior to pre-1.3. | ||
- | # | ||
- | |||
- | # by default (as of 1.6), Ansible may display warnings based on the configuration of the | ||
- | # system running ansible itself. This may include warnings about 3rd party packages or | ||
- | # other conditions that should be resolved if possible. | ||
- | # to disable these warnings, set the following value to False: | ||
- | # | ||
- | |||
- | # by default (as of 1.4), Ansible may display deprecation warnings for language | ||
- | # features that should no longer be used and will be removed in future versions. | ||
- | # to disable these warnings, set the following value to False: | ||
- | # | ||
- | |||
- | # (as of 1.8), Ansible can optionally warn when usage of the shell and | ||
- | # command module appear to be simplified by using a default Ansible module | ||
- | # instead. | ||
- | # setting or adding warn=yes or warn=no to the end of the command line | ||
- | # parameter string. | ||
- | # instead of shelling out to the git command. | ||
- | # command_warnings = False | ||
- | |||
- | |||
- | # set plugin path directories here, separate with colons | ||
- | # | ||
- | # | ||
- | # | ||
- | # | ||
- | # | ||
- | # | ||
- | # | ||
- | # | ||
- | # | ||
- | # | ||
- | # | ||
- | # | ||
- | |||
- | |||
- | # by default, ansible will use the ' | ||
- | # another one | ||
- | #strategy = free | ||
- | |||
- | # by default callbacks are not loaded for / | ||
- | # want, for example, a notification or logging callback to also apply to | ||
- | # / | ||
- | # | ||
- | |||
- | |||
- | # don't like cows? that's unfortunate. | ||
- | # set to 1 if you don't want cowsay support or export ANSIBLE_NOCOWS=1 | ||
- | #nocows = 1 | ||
- | |||
- | # set which cowsay stencil you'd like to use by default. When set to ' | ||
- | # a random stencil will be selected for each task. The selection will be filtered | ||
- | # against the option below. | ||
- | # | ||
- | # | ||
- | |||
- | # when using the ' | ||
- | # it should be formatted as a comma-separated list with no spaces between names. | ||
- | # NOTE: line continuations here are for formatting purposes only, as the INI parser | ||
- | # in python does not support them. | ||
- | # | ||
- | |||
- | # don't like colors either? | ||
- | # set to 1 if you don't want colors, or export ANSIBLE_NOCOLOR=1 | ||
- | #nocolor = 1 | ||
- | |||
- | # if set to a persistent type (not ' | ||
- | # from previous runs in Ansible will be stored. | ||
- | # wanting to use, for example, IP information from one group of servers | ||
- | # without having to talk to them in the same playbook run to get their | ||
- | # current IP information. | ||
- | # | ||
- | |||
- | #This option tells Ansible where to cache facts. The value is plugin dependent. | ||
- | #For the jsonfile plugin, it should be a path to a local directory. | ||
- | #For the redis plugin, the value is a host: | ||
- | |||
- | # | ||
- | |||
- | |||
- | |||
- | # retry files | ||
- | # When a playbook fails a .retry file can be created that will be placed in ~/ | ||
- | # You can enable this feature by setting retry_files_enabled to True | ||
- | # and you can change the location of the files by setting retry_files_save_path | ||
- | |||
- | # | ||
- | # | ||
- | |||
- | # squash actions | ||
- | # Ansible can optimise actions that call modules with list parameters | ||
- | # when looping. Instead of calling the module once per with_ item, the | ||
- | # module is called once with all items at once. Currently this only works | ||
- | # under limited circumstances, | ||
- | # | ||
- | |||
- | # prevents logging of task data, off by default | ||
- | #no_log = False | ||
- | |||
- | # prevents logging of tasks, but only on the targets, data is still logged on the master/ | ||
- | # | ||
- | |||
- | # controls whether Ansible will raise an error or warning if a task has no | ||
- | # choice but to create world readable temporary files to execute a module on | ||
- | # the remote machine. | ||
- | # turn this on to have behaviour more like Ansible prior to 2.1.x. | ||
- | # https:// | ||
- | # for more secure ways to fix this than enabling this option. | ||
- | # | ||
- | |||
- | # controls the compression level of variables sent to | ||
- | # worker processes. At the default of 0, no compression | ||
- | # is used. This value must be an integer from 0 to 9. | ||
- | # | ||
- | |||
- | # controls what compression method is used for new-style ansible modules when | ||
- | # they are sent to the remote system. | ||
- | # support compiled into both the controller' | ||
- | # The names should match with the python Zipfile compression types: | ||
- | # * ZIP_STORED (no compression. available everywhere) | ||
- | # * ZIP_DEFLATED (uses zlib, the default) | ||
- | # These values may be set per host via the ansible_module_compression inventory | ||
- | # variable | ||
- | # | ||
- | |||
- | # This controls the cutoff point (in bytes) on --diff for files | ||
- | # set to 0 for unlimited (RAM may suffer!). | ||
- | # | ||
- | |||
- | # This controls how ansible handles multiple --tags and --skip-tags arguments | ||
- | # on the CLI. If this is True then multiple arguments are merged together. | ||
- | # it is False, then the last specified argument is used and the others are ignored. | ||
- | # This option will be removed in 2.8. | ||
- | # | ||
- | |||
- | # Controls showing custom stats at the end, off by default | ||
- | # | ||
- | |||
- | # Controls which files to ignore when using a directory as inventory with | ||
- | # possibly multiple sources (both static and dynamic) | ||
- | # | ||
- | |||
- | # This family of modules use an alternative execution path optimized for network appliances | ||
- | # only update this setting if you know how this works, otherwise it can break module execution | ||
- | # | ||
- | |||
- | # When enabled, this option allows lookups (via variables like {{lookup(' | ||
- | # a loop with ) to return data that is not marked " | ||
- | # jinja2 templating language which will be run through the templating engine. | ||
- | # ENABLING THIS COULD BE A SECURITY RISK | ||
- | # | ||
- | |||
- | # set default errors for all plays | ||
- | # | ||
- | |||
- | [inventory] | ||
- | # enable inventory plugins, default: ' | ||
- | # | ||
- | |||
- | # ignore these extensions when parsing a directory as inventory source | ||
- | # | ||
- | |||
- | # ignore files matching these patterns when parsing a directory as inventory source | ||
- | # | ||
- | |||
- | # If ' | ||
- | # | ||
- | |||
- | [privilege_escalation] | ||
- | # Django : 2020-06-19 | ||
- | # default: # | ||
- | # # | ||
- | # # | ||
- | # # | ||
- | become=True | ||
- | become_method=sudo | ||
- | become_user=root | ||
- | become_ask_pass=True | ||
- | |||
- | [paramiko_connection] | ||
- | |||
- | # uncomment this line to cause the paramiko connection plugin to not record new host | ||
- | # keys encountered. | ||
- | # host key checking setting above. | ||
- | # | ||
- | |||
- | # by default, Ansible requests a pseudo-terminal for commands executed under sudo. Uncomment this | ||
- | # line to disable this behaviour. | ||
- | #pty=False | ||
- | |||
- | # paramiko will default to looking for SSH keys initially when trying to | ||
- | # authenticate to remote devices. | ||
- | # that close the connection after a key failure. | ||
- | # disable the Paramiko look for keys function | ||
- | # | ||
- | |||
- | # When using persistent connections with Paramiko, the connection runs in a | ||
- | # background process. | ||
- | # default Ansible will prompt to add the host key. This will cause connections | ||
- | # running in background processes to fail. Uncomment this line to have | ||
- | # Paramiko automatically add host keys. | ||
- | # | ||
- | |||
- | [ssh_connection] | ||
- | |||
- | # ssh arguments to use | ||
- | # Leaving off ControlPersist will result in poor performance, | ||
- | # paramiko on older platforms rather than removing it, -C controls compression use | ||
- | #ssh_args = -C -o ControlMaster=auto -o ControlPersist=60s | ||
- | |||
- | # The base directory for the ControlPath sockets. | ||
- | # This is the " | ||
- | # | ||
- | # Example: | ||
- | # control_path_dir = / | ||
- | # | ||
- | |||
- | # The path to use for the ControlPath sockets. This defaults to a hashed string of the hostname, | ||
- | # port and username (empty string in the config). The hash mitigates a common problem users | ||
- | # found with long hostnames and the conventional %(directory)s/ | ||
- | # In those cases, a "too long for Unix domain socket" | ||
- | # | ||
- | # Example: | ||
- | # control_path = %(directory)s/ | ||
- | # | ||
- | |||
- | # Enabling pipelining reduces the number of SSH operations required to | ||
- | # execute a module on the remote server. This can result in a significant | ||
- | # performance improvement when enabled, however when using " | ||
- | # first disable ' | ||
- | # | ||
- | # By default, this option is disabled to preserve compatibility with | ||
- | # sudoers configurations that have requiretty (the default on many distros). | ||
- | # | ||
- | #pipelining = False | ||
- | |||
- | # Control the mechanism for transferring files (old) | ||
- | # * smart = try sftp and then try scp [default] | ||
- | # * True = use scp only | ||
- | # * False = use sftp only | ||
- | #scp_if_ssh = smart | ||
- | |||
- | # Control the mechanism for transferring files (new) | ||
- | # If set, this will override the scp_if_ssh option | ||
- | # * sftp = use sftp to transfer files | ||
- | # * scp = use scp to transfer files | ||
- | # * piped = use ' | ||
- | # * smart = try sftp, scp, and piped, in that order [default] | ||
- | # | ||
- | |||
- | # if False, sftp will not use batch mode to transfer files. This may cause some | ||
- | # types of file transfer failures impossible to catch however, and should | ||
- | # only be disabled if your sftp version has problems with batch mode | ||
- | # | ||
- | |||
- | # The -tt argument is passed to ssh when pipelining is not enabled because sudo | ||
- | # requires a tty by default. | ||
- | #usetty = True | ||
- | |||
- | # Number of times to retry an SSH connection to a host, in case of UNREACHABLE. | ||
- | # For each retry attempt, there is an exponential backoff, | ||
- | # so after the first attempt there is 1s wait, then 2s, 4s etc. up to 30s (max). | ||
- | #retries = 3 | ||
- | |||
- | [persistent_connection] | ||
- | |||
- | # Configures the persistent connection timeout value in seconds. | ||
- | # how long the persistent connection will remain idle before it is destroyed. | ||
- | # If the connection doesn' | ||
- | # expires, the connection is shutdown. The default value is 30 seconds. | ||
- | # | ||
- | |||
- | # The command timeout value defines the amount of time to wait for a command | ||
- | # or RPC call before timing out. The value for the command timeout must | ||
- | # be less than the value of the persistent connection idle timeout (connect_timeout) | ||
- | # The default value is 30 second. | ||
- | # | ||
- | |||
- | [accelerate] | ||
- | # | ||
- | # | ||
- | # | ||
- | |||
- | # The daemon timeout is measured in minutes. This time is measured | ||
- | # from the last activity to the accelerate daemon. | ||
- | # | ||
- | |||
- | # If set to yes, accelerate_multi_key will allow multiple | ||
- | # private keys to be uploaded to it, though each user must | ||
- | # have access to the system via SSH to add a new key. The default | ||
- | # is " | ||
- | # | ||
- | |||
- | [selinux] | ||
- | # file systems that require special treatment when dealing with security context | ||
- | # the default behaviour that copies the existing context or uses the user default | ||
- | # needs to be changed to use the file system dependent context. | ||
- | # | ||
- | |||
- | # Set this to yes to allow libvirt_lxc connections to work without SELinux. | ||
- | # | ||
- | |||
- | [colors] | ||
- | #highlight = white | ||
- | #verbose = blue | ||
- | #warn = bright purple | ||
- | #error = red | ||
- | #debug = dark gray | ||
- | #deprecate = purple | ||
- | #skip = cyan | ||
- | # | ||
- | #ok = green | ||
- | #changed = yellow | ||
- | #diff_add = green | ||
- | # | ||
- | #diff_lines = cyan | ||
- | |||
- | |||
- | [diff] | ||
- | # Always print diff when running ( same as always running with -D/--diff ) | ||
- | # always = no | ||
- | |||
- | # Set how many context lines to show in diff | ||
- | # context = 3 | ||
- | ANSIBLE_CFG | ||
- | chown ansible: / | ||
- | ################################################################################################################# | ||
- | |||
- | ;; | ||
- | esac; | ||
- | done | ||
- | %end | ||
- | </ | ||
- | |||
- | ==== PXE-Bootmenü-Datei anpassen ==== | ||
- | Damit nun beim Laden der Menüdatei bei PXE-Boot die überarbeitete Kickstart-Datei geladen werden kann, erweitern wir nun die Menü-Datei **''/ | ||
- | # vim / | ||
- | |||
- | Dort tragen wir beim betreffenden **LABEL** die Optionen **'' | ||
- | < | ||
- | MENU LABEL ^3) Installation der CentOS 8 (64 Bit) Ansible-Startup | ||
- | | ||
- | | ||
- | |||
- | ==== Installation AOMH via PXE ==== | ||
- | Anschliessend starten wir wie gewohnt unsere virtuelle Maschine via PXE-Boot. | ||
- | |||
- | {{ : | ||
- | |||
- | Da schon alle relevanten **[[# | ||
- | Am Ende des Installationsvorganges werden wir informiert, dass das postinstall-script, | ||
- | |||
- | {{ : | ||
- | |||
- | Ist die Installation abgeschlossen startet unser neuer Host. | ||
- | |||
- | {{ : | ||
- | |||
- | Nach kurzer Wartezeit haben wir ein neues, vorkonfiguriertes und vor allem aktuelles System, bei dem wir uns direkt per **'' | ||
- | $ ssh 10.0.0.40 | ||
- | |||
- | < | ||
- | ED25519 key fingerprint is SHA256: | ||
- | Are you sure you want to continue connecting (yes/no)? yes | ||
- | Warning: Permanently added ' | ||
- | ############################################################################## | ||
- | # # | ||
- | # This is a private home server. | ||
- | # # | ||
- | # | ||
- | # # | ||
- | # This system is actively monitored and all connections may be logged. | ||
- | # By accessing this system, you consent to this monitoring. | ||
- | # # | ||
- | ############################################################################## | ||
- | ############################################################################## | ||
- | # # | ||
- | # This is the home server of Michael Nausch. | ||
- | # # | ||
- | # vml000040.nausch.org | ||
- | # # | ||
- | # | ||
- | # # | ||
- | # This system is actively monitored and all connections may be logged. | ||
- | # By accessing this system, you consent to this monitoring. | ||
- | # # | ||
- | ############################################################################## | ||
- | </ | ||
- | |||
- | Wir können dann natürlich auch sofort zu unserem Ansible-Administrationsaccount **ansible** wechseln. | ||
- | $ su - ansible | ||
- | |||
- | Nach eingabe des zugehörigen Passwortes befinden wir uns im Homeverzeichnis des Ansible-Administrationsaccounts | ||
- | Password: | ||
- | [ansible@vml000040 ~]$ | ||
- | |||
- | Dot können wir uns z.B. vergewissern dass das **[[centos: | ||
- | $ tree ansible/ | ||
- | |||
- | < | ||
- | ├── filter_plugins | ||
- | ├── inventories | ||
- | │ ├── production | ||
- | │ │ ├── group_vars | ||
- | │ │ ├── hosts.yml | ||
- | │ │ └── host_vars | ||
- | │ └── staging | ||
- | │ | ||
- | │ | ||
- | │ | ||
- | ├── library | ||
- | ├── module_utils | ||
- | ├── roles | ||
- | │ └── common | ||
- | │ | ||
- | │ | ||
- | │ | ||
- | │ | ||
- | │ | ||
- | │ | ||
- | │ | ||
- | │ | ||
- | │ | ||
- | │ | ||
- | │ | ||
- | │ | ||
- | │ | ||
- | │ | ||
- | │ | ||
- | │ | ||
- | │ | ||
- | └── site.yml | ||
- | |||
- | 22 directories, | ||
- | |||
- | Zum Schluss lassen wir uns mit Hilfe des Befehls die aktuell installierte CentOS-Version anzeigen. | ||
- | $ ansible centos8 -m shell -a "/ | ||
- | |||
- | Da wir uns das erste mal mit dem Host ansible verbinden werden wir nach der Eingabe des Passwortes gefragt, ob der Fingerprint des ED25519 Schlüssel stimmt. Nachdem wir das gewissenhaft überprüft habenbestätigen wir diese Frage mit einem **'' | ||
- | < | ||
- | <font style=" | ||
- | The authenticity of host ' | ||
- | ED25519 key fingerprint is SHA256: | ||
- | Are you sure you want to continue connecting (yes/ | ||
- | <font style=" | ||
- | CentOS Linux release 8.2.2004 (Core)</ | ||
- | </ | ||
- | |||
- | <WRAP center round tip 75%> | ||
- | Wir haben also nunmehr die Möglichkeit stets bei Bedarf immer eine gleiche Installation unseres \\ | ||
- | **A**nsible-**O**rchestrator-**M**anagement-**H**ost //from the scratch// zu Installieren. \\ | ||
- | Letztendlich brauchen wir dann nur noch unsere individuellen **playbooks**-, | ||
- | in die zugehörigen Verzeichnisse zurück sichern! | ||
- | </ | ||
- | |||
- | ====== Links ====== | ||
- | * **[[centos: | ||
- | * **=> [[centos: | ||
- | * **[[centos: | ||
- | * **[[wiki: | ||
- | * **[[http:// | ||
- | |||
- | |||
- | |||
- | |||