Unterschiede

Hier werden die Unterschiede zwischen zwei Versionen angezeigt.

--- centos:pxe_c8:pxe_2 [12.06.2020 16:24. ] – [Bsp. 3: erweiterte Automatisierung der Installation] django
+++ centos:pxe_c8:pxe_2 [12.10.2024 12:46. ] (aktuell) – Deppenapostroph entfernt django
@@ Zeile 40: / Zeile 40: @@
 <WRAP center round important 90%>
-Ferner ist zu beachten, dass viele sehr individuelle Konfigurationswünsche, wie z.B. LVM-Konfigurationen bzw, aufwändige Partitionierungen meist nur manuell in einer Kickstart-Datei konfiguriert werden können! Nich alles lässt sich mittels automatisierter GUIs abbilden!
+Ferner ist zu beachten, dass viele sehr individuelle Konfigurationswünsche, wie z.B. LVM-Konfigurationen bzw, aufwändige Partitionierungen meist nur manuell in einer Kickstart-Datei konfiguriert werden können! Nicht alles lässt sich mittels automatisierter GUIs abbilden!
 </WRAP>
@@ Zeile 268: / Zeile 268: @@
 Neben der Grundinstallation eines CentOS 8 Hosts werden wir nun noch folgende Dinge setzen lassen:
-  - **IP-Adresse und Hostname** Durch Angabe des Hostnamens wollen wir diesen setzen und auch die zugehörige IP-Adresse gleich setzen lassen. Der Hostname wir so z.B. auch bei der Definition der VolumeGroup eines LVMs verwendet.
+  - **IP-Adresse und Hostname** Durch Angabe des Hostnamens beim Booten des Installationsimages wollen wir diesen setzen und auch die zugehörige IP-Adresse übernehmen lassen. (Der Hostname wir so z.B. auch bei der Definition der VolumeGroup eines LVMs verwendet.)
-  - **Bootloader** Da wir beim Booten der Maschine detailierte Informationen sehen wollen werden wir die Option **rhgb** in der GRUB-Definition entfernen.
+  - **[[centos:rename_nic_c8#grub_bootloader|Bootloader]]** Da wir beim Booten der Maschine detailierte Informationen sehen wollen werden wir die Option **rhgb** in der GRUB-Definition entfernen.
-  - **MOTD und ISSUE.NET** individualisieren inkl. Hostnamen
+  - **[[centos:logins_individuell_anpassen|MOTD und ISSUE.NET]]** individualisieren inkl. Hostnamen
-  - **Repositories** Statt der öffentlichen, sollen nur noch die lokal gesyncten Repositories verwendet werden; daher macht es auch keinen Sinn das plugin **fastest-mirror** aktiviert zu lassen. Zusätzlich zum Standard soll auch noch das Repository **EPEL** und **MAILSERVER.GURU** eingebunden und genutzt werden.
+  - **[[centos:ssh_c7#ssh-daemon|SSH-Daemon]]** Den SSH Daemon härten wir und passen die Konfigurationsdatei entsprechend an.
-  - **Changlogs und YUM** Für spätere Updates aktivieren wir die Anzeige der Changeloginformationen standardmässig aktiviert.
+  - **[[centos:ssh_c7#zielverzeichnis_anlegen_und_oeffentlichen_schluessel_kopieren|SSH-Publickey]]** Für unseren Admin-Account **django** hinterlegen wir den zugehörigen öffentlichen SSH-Schlüssel.
-  - **SSH-Daemon** Den SSH Daemon härten wir und passen die Konfigurationsdatei entsprechend an.
+  - **[[wiki:start#repos|Repositories]]** Statt der öffentlichen, sollen nur noch die lokal gesyncten Repositories verwendet werden; daher macht es auch keinen Sinn die Einträge **''mirrorlist=''** in den entsprechenden repo-filers stehen zu lassen. Zusätzlich zum Standard soll auch noch das Repository **[[centos:epel8|EPEL]]** eingebunden und genutzt werden.
-  - **SSH-Publickey** Für unseren Adminaccount **django** hinterlegen wir den zugehörigen öffentlichen SSH-Schlüssel.
+  - **Update** Zum Schluss stellen wir noch sicher dass alle installierten Pakete in der aktuellsten Version vorliegen und lassen dann das System neu starten.
-  - **DNS-Suche** Bei der Suche im DNS passen wir die Suchliste unseren Bedürfnissen an.
-  - **Postfix** Den MTA Postfix statten wir mit einer Grundkonfiguration entsprechend unserer Schutzzone aus.
-  - **chronyd-Zeitserver** Zur Nutzung unseres Zeitservers im Netz definieren wir die passende Konfigurationsdatei.
-Hierzu erweitern wir die zuvor angelegte Kickstartdatei //**/srv/kickstart/ks_centos_7_x86_64_dmz.cfg**//.
+Hierzu erweitern wir die zuvor angelegte Kickstartdatei //**/srv/kickstart/ks_centos_8_x86_64_dmz.cfg**//.
-   # vim /srv/kickstart/ks_centos_7_x86_64_dmz.cfg
+   # vim /srv/kickstart/ks_centos_8_x86_64_dmz.cfg
-<file bash /srv/kickstart/ks_centos_7_x86_64_dmz.cfg># Django 2014-07-13 Kickstart-Datei zum automatischen Betanken von DMZ-Maschinen (64 Bit)
+<file bash /srv/kickstart/ks_centos_8_x86_64_dmz.cfg># Django 2020-06-12 Kickstart-Datei zum automatischen Betanken von DMZ-Maschinen (64 Bit)
-# Version=CentOS 7
+# Version=CentOS 8 (RHEL 8)
 # Tastaturlayout definieren
-keyboard --vckeymap=de --xlayouts='de (nodeadkeys)'
+keyboard --vckeymap=de-nodeadkeys --xlayouts='de (nodeadkeys)'
 # Systemsprache setzen
 lang en_US.UTF-8
-# Definition der Netzwerkeinstellungen
+# Definition der Netzwerkeinstellungeni - setzen der Netzwerk-Adresse und Hostname
-# Network information
+# die aus dem Preinstall-Script beim PXE-Boot übernommen wurden.
-network  --bootproto=static --device=eth0 --gateway=10.0.0.17 --ip=10.0.0.254 --nameserver=10.0.0.27 --netmask=255.255.255.0 --ipv6=auto --activate
+%include /tmp/networks.cfg
-network  --hostname=vml000254.dmz.nausch.org
 # Zeitzone setzen
-timezone Europe/Berlin --isUtc --ntpservers=time.dmz.nausch.org
+timezone Europe/Berlin --isUtc --ntpservers=vml000027.dmz.nausch.org
+services --enabled="chronyd"
 # Netzwerkinstallation aus dem eigenen Repository mit den aktuellen Paketen
-repo --name=installupdates --baseurl=http://10.0.0.57/centos/7/updates/x86_64/
+url --url="http://10.0.0.57/centos/8/BaseOS/x86_64/os/"
+repo --name="AppStream" --baseurl=http://10.0.0.57/centos/8/BaseOS/x86_64/os/../../../AppStream/x86_64/os/
-# Authentifizierungsoptionen für das System definieren
-auth --enableshadow --passalgo=sha512
 # Root-Passwort verschlüsselt vorgeben
-rootpw --iscrypted $6$PZhVKqBb7vE5NgOq$fuqZ6zwDjbK214BUqjEIjxBuR$cH1cK$1nD2V0lLD3PpmfKIlK14b71RsTmkRLqTmxZyr0YmCrl8sgkgIuj7N3B1TG67/6a0
+rootpw --iscrypted $6$Z46HtZ/aLHbA19p$WVsutOEqe0m0e97lgEreKUzfkAEFzFSR0Hj8RFN8MHqWjPqk7PkJeQ9mIcTGtdutFnFVdFzFSR0KhrdGwUdAn01
 # Default-Benutzerkonto anlegen
-user --name=django --password=$6$34os/lDDY2cAEfyW$fqDj4n90d3r40m1nM1703nd1Ck3n313rna7plCieqgeYCWONkaKgYnQKm5iDe7gD4X1/3WtCq89/JZIUyiOv/ --iscrypted
+user --name=django --password=$6$2.fGKBeQa18GE6XwDMXG6$QX/j.TfZXk0bBuoJ8GE6XMXRZYz/4pEE6PuwkubaDmteRAAerLVKK69EF30d1K/f1d/sUEqbF9FJBulc/ --iscrypted --gecos="Bastard Operator from Hell"
 # vorhandene Partitionen löschen
-clearpart --all --initlabel --drives=vda
+ignoredisk --only-use=vda
+clearpart --all --initlabel --drives=vda
+# autopart --type=lvm
-# Konfiguration des System Bootloaders
+# GUI für Installation verwenden
-bootloader --location=mbr --boot-drive=vda
+graphical
-# SELinux permissive Modus aktivieren
+# Kein X Window System konfigurieren, da dieses nicht installiert wird
-selinux --permissive
+skipx
-# Disable kdump
-services --disabled=bluetooth,kdump
 # Reboot nach der Installation ausführen
@@ Zeile 328: / Zeile 322: @@
 # Paketauswahl definieren (Minimalinstallation mit zusätzlichen Paketen
 %packages
-@core
+@^minimal-environment
-#-selinux-policy*
 -iwl*firmware
 vim
-mc
+bash-completion
 bind-utils
 wget
 telnet
-yum-priorities
-acpid
 net-tools
-yum-plugin-changelog
 lsof
+%end
+%addon com_redhat_kdump --disable --reserve-mb='auto'
 %end
+%anaconda
+pwpolicy root --minlen=6 --minquality=1 --notstrict --nochanges --notempty
+pwpolicy user --minlen=6 --minquality=1 --notstrict --nochanges --emptyok
+pwpolicy luks --minlen=6 --minquality=1 --notstrict --nochanges --notempty
+%end
+#%end
 %addon com_redhat_kdump --disable --reserve-mb='auto'
 %end
 # Preinstall-Anweisungen Netzwerk-Adresse und Hostname ermitteln und setzen
 %pre
 #!/bin/bash
 echo "network --device eth0 --bootproto dhcp --hostname vml000XXX.dmz.nausch.org" > /tmp/network.ks
@@ Zeile 355: / Zeile 357: @@
         NULL=${SERVERNAME:6:1}
         if [ "$SERVERNAME" == "" ]; then
-	    echo "network --device eth0 --bootproto=static --onboot=on --ip 10.0.0.250 --netmask 255.255.255.0 --gateway 10.0.0.17 --nameserver 10.0.0.20 --noipv6 --hostname vml000250.dmz.nausch.org" > /tmp/networks.cfg
+            echo "network  --bootproto=static --device=eth0 --gateway=10.0.0.17 --ip 10.0.0.250 --nameserver=10.0.0.27 --netmask 255.255.255.0 --ipv6=auto --activate --hostname vml000250.dmz.nausch.org" > /tmp/networks.cfg
         else
             if [ "$NULL" == "0" ]; then
@@ Zeile 362: / Zeile 364: @@
                 OCTET=${SERVERNAME:6:3}
             fi
-            #IP="10.0.0."${OCTET}
+            echo "network  --bootproto=static --device=eth0 --gateway=10.0.0.17 --ip 10.0.0.${OCTET} --nameserver=10.0.0.27 --netmask 255.255.255.0 --ipv6=auto --activate --hostname ${SERVERNAME}.dmz.nausch.org" > /tmp/networks.cfg
-	    echo "network --device eth0 --bootproto=static --onboot=on --ip 10.0.0.${OCTET} --netmask 255.255.255.0 --gateway 10.0.0.17 --nameserver 10.0.0.20 --noipv6 --hostname ${SERVERNAME}.dmz.nausch.org" > /tmp/networks.cfg
         fi
         ;;
@@ Zeile 384: / Zeile 385: @@
 ######################## MOTD und ISSUE.NET individualisieren ###################
-        # /etc/issue.net anlegen
+# /etc/issue.net anlegen
 cat <<ISSUE.NET > /etc/issue.net
 ##############################################################################
@@ Zeile 397: / Zeile 398: @@
 ##############################################################################
 ISSUE.NET
-        chown root:root /etc/issue.net
-        chmod 644 /etc/issue.net
+chown root:root /etc/issue.net
-        # /etc/motd anlegen
+chmod 644 /etc/issue.net
+# /etc/motd anlegen
 cat <<MOTD > /etc/motd
 ##############################################################################
@@ Zeile 405: / Zeile 408: @@
 #                 This is the home server of Michael Nausch.                 #
 #                                                                            #
-#                        $SERVERNAME.dmz.nausch.org                            #
+#                            $SERVERNAME.nausch.org                            #
 #                                                                            #
 #             Unauthorized access to this system is prohibited !             #
@@ Zeile 414: / Zeile 417: @@
 ##############################################################################
 MOTD
 chown root:root /etc/motd
 chmod 644 /etc/motd
 #################################################################################
-#################### lokales gespiegeltes Repository benutzen ###################
+########################### ssh-daemon konfigurieren ############################
-rm -f /etc/yum.repos.d/CentOS-Base.repo
+cp -a /etc/ssh/sshd_config /etc/ssh/sshd_config.orig
-cat <<REPOSITORY > /etc/yum.repos.d/CentOS-Base.repo
+cat <<SSHD_CONFIG > /etc/ssh/sshd_config
-# CentOS-LOCAL.repo
+#	$OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $
+# This is the sshd server system-wide configuration file.  See
+# sshd_config(5) for more information.
+# This sshd was compiled with PATH=/usr/local/bin:/usr/bin:/usr/local/sbin:/usr/sbin
+# The strategy used for options in the default sshd_config shipped with
+# OpenSSH is to specify options with their default value where
+# possible, but leave them commented.  Uncommented options override the
+# default value.
+# If you want to change the port on a SELinux system, you have to tell
+# SELinux about this change.
+# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER
+#
+# Specifies which address family should be used by sshd(8). Valid arguments
+# are ''any'', ''inet'' (use IPv4 only), or ''inet6'' (use IPv6 only).
+#AddressFamily any
+# Specifies the local addresses sshd(8) should listen on. The following
+# forms may be used:
+#                   ListenAddress host|IPv4_addr|IPv6_addr
+#                   ListenAddress host|IPv4_addr:port
+#                   ListenAddress [host|IPv6_addr]:port
+# If port is not specified, sshd will listen on the address and all prior
+# Port options specified. The default is to listen on all local addresses.
+# Multiple ListenAddress options are permitted. Additionally, any Port
+# options must precede this option for non-port qualified addresses.
+#Port 22
+#ListenAddress 0.0.0.0
+#ListenAddress ::
+# Specifies a file containing a private host key used by SSH. The default
+# is /etc/ssh/ssh_host_key for protocol version 1, and
+# /etc/ssh/ssh_host_rsa_key and /etc/ssh/ssh_host_dsa_key for protocol
+# version 2. Note that sshd(8) will refuse to use a file if it is
+# group/world-accessible. It is possible to have multiple host key files.
+# ''rsa1'' keys are used for version 1 and ''dsa'' or ''rsa'' are used for
+# version 2 of the SSH protocol.
+HostKey /etc/ssh/ssh_host_ed25519_key
+# Specifies the ciphers allowed for protocol version 2. Multiple ciphers
+# must be comma-separated. The supported ciphers are ''3des-cbc'',
+# ''aes128-cbc'', ''aes192-cbc'', ''aes256-cbc'', ''aes128-ctr'',
+# ''aes192-ctr'', ''aes256-ctr'', ''arcfour128'', ''arcfour256'',
+# ''arcfour'', ''blowfish-cbc'', and ''cast128-cbc''.
+Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
+# MACs' Specifies the available MAC (message authentication code)
+# algorithms. The MAC algorithm is used in protocol version 2 for data
+# integrity protection. Multiple algorithms must be comma-separated.
+MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256
+# Specifies the available KEX (Key Exchange) algorithms. Multiple
+# algorithms must be comma-separated. For ineroperability with Eclipse
+# and WinSCP):
+# KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
+# If needed, open /etc/ssh/moduli if exists, and delete lines where the
+# 5th column is less than 2000.
+#   awk '$5 > 2000' /etc/ssh/moduli > "${HOME}/moduli"
+#   wc -l "${HOME}/moduli"
+# make sure there is something left
+#   mv "${HOME}/moduli" /etc/ssh/moduli
+#
+KexAlgorithms curve25519-sha256@libssh.org
+# Ciphers and keying
+#RekeyLimit default none
+# System-wide Crypto policy:
+# This system is following system-wide crypto policy. The changes to
+# Ciphers, MACs, KexAlgoritms and GSSAPIKexAlgorithsm will not have any
+# effect here. They will be overridden by command-line options passed on
+# the server start up.
+# To opt out, uncomment a line with redefinition of  CRYPTO_POLICY=
+# variable in  /etc/sysconfig/sshd  to overwrite the policy.
+# For more information, see manual page for update-crypto-policies(8).
+# Logging
+# Gives the facility code that is used when logging messages from sshd(8).
+# The possible values are: DAEMON, USER, AUTH, AUTHPRIV, LOCAL0, LOCAL1,
+# LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.
+SyslogFacility AUTHPRIV
+# Gives the verbosity level that is used when logging messages from sshd(8).
+# The possible values are: QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG,
+# DEBUG1, DEBUG2, and DEBUG3. The default is INFO. DEBUG and DEBUG1 are
+# equivalent. DEBUG2 and DEBUG3 each specify higher levels of debugging
+# output. Logging with a DEBUG level violates the privacy of users and is
+# not recommended.
+# LogLevel VERBOSE logs user's key fingerprint on login. Needed to have a
+# clear audit track of which key was using to log in.
+LogLevel VERBOSE
+# Authentication:
+# The server disconnects after this time if the user has not successfully
+# logged in. If the value is 0, there is no time limit.
+LoginGraceTime 0
+# Specifies whether root can log in using ssh(1). The argument must be
+# ''yes'', ''without-password'', ''forced-commands-only'', or ''no''.
+# The default is ''yes''. If this option is set to ''without-password'',
+# password authentication is disabled for root. If this option is set to
+# ''forced-commands-only'', root login with public key authentication will
+# be allowed, but only if the command option has been specified (which
+# may be useful for taking remote backups even if root login is normally
+# not allowed). All other authentication methods are disabled for root.
+# If this option is set to ''no'', root is not allowed to log in.
+PermitRootLogin no
+# This keyword can be followed by a list of user name patterns, separated
+# by spaces. If specified, login is allowed only for user names that match
+# one of the patterns. Only user names are valid; a numerical user ID is
+# not recognized. By default, login is allowed for all users. If the pattern
+# takes the form USER@HOST then USER and HOST are separately checked,
+# restricting logins to particular users from particular hosts. The
+# allow/deny directives are processed in the following order:
+# DenyUsers, AllowUsers, DenyGroups, and finally AllowGroups.
+AllowUsers django
+# Specifies whether sshd(8) should check file modes and ownership of the
+# user's files and home directory before accepting login. This is normally
+# desirable because novices sometimes accidentally leave their directory
+# or files world-writable.
+StrictModes yes
+# Specifies the maximum number of authentication attempts permitted per
+# connection. Once the number of failures reaches half this value,
+# additional failures are logged.
+MaxAuthTries 10
+# Specifies the maximum number of open sessions permitted per network
+# connection.
+MaxSessions 10
+# Specifies the file that contains the public keys that can be used for
+# user authentication. AuthorizedKeysFile may contain tokens of the form
+# %T which are substituted during connection setup. The following tokens
+# are defined: %% is replaced by a literal '%', %h is replaced by the
+# home directory of the user being authenticated, and %u is replaced by
+# the username of that user. After expansion, AuthorizedKeysFile is
+# taken to be an absolute path or one relative to the user's home directory.
+AuthorizedKeysFile      .ssh/authorized_keys
+# Specifies whether public key authentication is allowed. The default is
+# ''yes''. Note that this option applies to protocol version 2 only.
+PubkeyAuthentication yes
+#AuthorizedPrincipalsFile none
+#AuthorizedKeysCommand none
+#AuthorizedKeysCommandUser nobody
+# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
+#HostbasedAuthentication no
+# Change to yes if you don't trust ~/.ssh/known_hosts for
+# HostbasedAuthentication
+#IgnoreUserKnownHosts no
+# Don't read the user's ~/.rhosts and ~/.shosts files
+#IgnoreRhosts yes
+# To disable tunneled clear text passwords, change to no here!
+#PasswordAuthentication yes
+#PermitEmptyPasswords no
+# Specifies whether password authentication is allowed. To disable tunneled
+# clear text passwords, change to no here!
+PasswordAuthentication no
+# Specifies whether challenge-response authentication is allowed
+# (e.g. via PAM or though authentication styles supported in login.conf(5))
+# Change to no to disable s/key passwords
+ChallengeResponseAuthentication no
+# Kerberos options
+#KerberosAuthentication no
+#KerberosOrLocalPasswd yes
+#KerberosTicketCleanup yes
+#KerberosGetAFSToken no
+#KerberosUseKuserok yes
+# Specifies whether user authentication based on GSSAPI is allowed.
+GSSAPIAuthentication yes
+# Specifies whether key exchange based on GSSAPI is allowed. GSSAPI key
+# exchange doesn't rely on ssh keys to verify host identity.
+#GSSAPIKeyExchange no
+# Specifies whether to automatically destroy the user's credentials cache
+# on logout.
+GSSAPICleanupCredentials no
+# Determines whether to be strict about the identity of the GSSAPI acceptor
+# a client authenticates against. If ''yes'' then the client must authenticate
+# against the host service on the current hostname. If ''no'' then the client
+# may authenticate against any service key stored in the machine's default
+# store. This facility is provided to assist with operation on multi homed
+# machines. The default is ''yes''. Note that this option applies only to
+# protocol version 2 GSSAPI connections, and setting it to ''no'' may only
+# work with recent Kerberos GSSAPI libraries.
+#GSSAPIStrictAcceptorCheck yes
+#GSSAPIEnablek5users no
+# Set this to 'yes' to enable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
+# be allowed through the ChallengeResponseAuthentication and
+# PasswordAuthentication.  Depending on your PAM configuration,
+# PAM authentication via ChallengeResponseAuthentication may bypass
+# the setting of "PermitRootLogin without-password".
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and ChallengeResponseAuthentication to 'no'.
+# WARNING: 'UsePAM no' is not supported in Fedora and may cause several
+# problems.
+UsePAM yes
+# Specifies whether X11 forwarding is permitted. The argument must be
+# ''yes'' or ''no''. The default is ''no''.
+# When X11 forwarding is enabled, there may be additional exposure to the
+# server and to client displays if the sshd(8) proxy display is configured
+# to listen on the wildcard address (see X11UseLocalhost below), though this
+# is not the default. Additionally, the authentication spoofing and
+# authentication data verification and substitution occur on the client side.
+# The security risk of using X11 forwarding is that the client's X11 display
+# server may be exposed to attack when the SSH client requests forwarding
+# (see the warnings for ForwardX11 in ssh_config(5)). A system administrator
+# may have a stance in which they want to protect clients that may expose
+# themselves to attack by unwittingly requesting X11 forwarding, which can
+# warrant a ''no'' setting. Note that disabling X11 forwarding does not
+# prevent users from forwarding X11 traffic, as users can always install
+# their own forwarders. X11 forwarding is automatically disabled if UseLogin
+# is enabled.
+X11Forwarding yes
+# Specifies the first display number available for sshd(8)'s X11 forwarding.
+# This prevents sshd from interfering with real X11 servers.
+# The default is 10.
+#X11DisplayOffset 10
+# Specifies whether sshd(8) should bind the X11 forwarding server to the
+# loopback address or to the wildcard address. By default, sshd binds the
+# forwarding server to the loopback address and sets the hostname part of
+# the DISPLAY environment variable to ''localhost''. This prevents remote
+# hosts from connecting to the proxy display. However, some older X11 clients
+# may not function with this configuration. X11UseLocalhost may be set to
+# ''no'' to specify that the forwarding server should be bound to the
+# wildcard address. The argument must be ''yes'' or ''no''. The default is
+# ''yes''.
+#X11UseLocalhost yes
+# Specifies whether ssh-agent(1) forwarding is permitted. The default is
+# ''yes''. Note that disabling agent forwarding does not improve security
+# unless users are also denied shell access, as they can always install
+# their own forwarders.
+#AllowAgentForwarding yes
+# Specifies whether TCP forwarding is permitted. The default is ''yes''.
+# Note that disabling TCP forwarding does not improve security unless users
+# are also denied shell access, as they can always install their own
+# forwarders.
+#AllowTcpForwarding yes
+# Specifies whether remote hosts are allowed to connect to ports forwarded
+# for the client. By default, sshd(8) binds remote port forwardings to the
+# loopback address. This prevents other remote hosts from connecting to
+# forwarded ports. GatewayPorts can be used to specify that sshd should
+# allow remote port forwardings to bind to non-loopback addresses, thus
+# allowing other hosts to connect. The argument may be ''no'' to force
+# remote port forwardings to be available to the local host only, ''yes''
+# to force remote port forwardings to bind to the wildcard address, or
+# ''clientspecified'' to allow the client to select the address to which
+# the forwarding is bound. The default is ''no''.
+#GatewayPorts no
+#PermitTTY yes
+# It is recommended to use pam_motd in /etc/pam.d/sshd instead of PrintMotd,
+# as it is more configurable and versatile than the built-in version.
+PrintMotd no
+#PrintLastLog yes
+#TCPKeepAlive yes
+#PermitUserEnvironment no
+#Compression delayed
+#ClientAliveInterval 0
+#ClientAliveCountMax 3
+#ShowPatchLevel no
+#UseDNS no
+#PidFile /var/run/sshd.pid
+#MaxStartups 10:30:100
+#PermitTunnel no
+#ChrootDirectory none
+#VersionAddendum none
+# The contents of the specified file are sent to the remote user before
+# authentication is allowed.
+Banner /etc/issue.net
+# Accept locale-related environment variables
+AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
+AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
+AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
+AcceptEnv XMODIFIERS
+# Configures an external subsystem (e.g. file transfer daemon). Arguments
+# should be a subsystem name and a command (with optional arguments) to
+# execute upon subsystem request. Log sftp level file access
+# (read/write/etc.) that would not be easily logged otherwise.
+Subsystem	sftp	/usr/libexec/openssh/sftp-server
+# Example of overriding settings on a per-user basis
+#Match User anoncvs
+#	X11Forwarding no
+#	AllowTcpForwarding no
+#	PermitTTY no
+#	ForceCommand cvs server
+SSHD_CONFIG
+chown root:root /etc/ssh/sshd_config
+chmod 600 /etc/ssh/sshd_config
+#################################################################################
+####################### Djangos ssh-pubkey hinterlegen #########################
+mkdir /home/django/.ssh
+chmod 700 /home/django/.ssh
+chown django:django /home/django/.ssh
+cat <<AUTHORIZED_KEYS >/home/django/.ssh/authorized_keys
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AA/F1CKDicH1n5Kn13+YjpbHqHOkhsMagrrD5dIbkU6ddoBSp django@nausch.org
+AUTHORIZED_KEYS
+chmod 644 /home/django/.ssh/authorized_keys
+chown django:django /home/django/.ssh/authorized_keys
+#################################################################################
+############### lokales gespiegeltes CentOS-Repository benutzen #################
+cp -a /etc/yum.repos.d/CentOS-AppStream.repo /etc/yum.repos.d/CentOS-AppStream.repo.orig
+cat <<CENTOS-APPSTREAM > /etc/yum.repos.d/epel-modular.repo
+# CentOS-AppStream.repo
 #
-# This file uses a new mirrorlist system developed by Lance Davis for CentOS.
 # The mirror system uses the connecting IP address of the client and the
 # update status of each mirror to pick mirrors that are updated to and
@@ Zeile 429: / Zeile 769: @@
 # unless you are manually picking other mirrors.
 #
 # If the mirrorlist= does not work for you, as a fall back you can try the
 # remarked out baseurl= line instead.
 #
-# Version für den Zugriff auf das lokale Centos-Repository
+#
-[base-LC]
+[AppStream]
-name=CentOS-7 - Base
+name=CentOS-\$releasever - AppStream
-baseurl=http://repository.nausch.org/centos/\$releasever/os/\$basearch/
+baseurl=http://10.0.0.57/centos/\$releasever/AppStream/\$basearch/os/
-priority=1
-exclude=dovecot*
 gpgcheck=1
-gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6
+enabled=1
+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial
+CENTOS-APPSTREAM
+chown root:root /etc/yum.repos.d/CentOS-AppStream.repo
+chmod 644 /etc/yum.repos.d/CentOS-AppStream.repo
-#released updates
+cp -a /etc/yum.repos.d/CentOS-Base.repo /etc/yum.repos.d/CentOS-Base.repo.orig
-[updates-LC]
+cat <<CENTOS-BASE > /etc/yum.repos.d/CentOS-Base.repo
-name=CentOS-7 - Updates
+# CentOS-Base.repo
-baseurl=http://repository.nausch.org/centos/\$releasever/updates/\$basearch/
+#
-priority=1
+# The mirror system uses the connecting IP address of the client and the
-exclude=dovecot*
+# update status of each mirror to pick mirrors that are updated to and
-gpgcheck=1
+# geographically close to the client.  You should use this for CentOS updates
-gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6
+# unless you are manually picking other mirrors.
+#
+# If the mirrorlist= does not work for you, as a fall back you can try the
+# remarked out baseurl= line instead.
+#
+#
-#additional packages that may be useful
+[BaseOS]
-[extras-LC]
+name=CentOS-\$releasever - Base
-name=CentOS-7 - Extras
+baseurl=http://10.0.0.57/centos/\$releasever/BaseOS/\$basearch/os/
-baseurl=http://repository.nausch.org/centos/\$releasever/extras/\$basearch/
-priority=1
 gpgcheck=1
-enabled = 1
+enabled=1
-gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6
+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial
+CENTOS-BASE
+chown root:root /etc/yum.repos.d/CentOS-AppStream.repo
+chmod 644 /etc/yum.repos.d/CentOS-AppStream.repo
-#additional packages that extend functionality of existing packages
+cp -a /etc/yum.repos.d/CentOS-Extras.repo /etc/yum.repos.d/CentOS-Extras.repo.orig
-[centosplus-LC]
+cat <<CENTOS-EXTRAS > /etc/yum.repos.d/CentOS-Extras.repo
-name=CentOS-7 - Plus
+# CentOS-Extras.repo
-baseurl=http://repository.nausch.org/centos/\$releasever/centosplus/\$basearch/
+#
-priority=2
+# The mirror system uses the connecting IP address of the client and the
+# update status of each mirror to pick mirrors that are updated to and
+# geographically close to the client.  You should use this for CentOS updates
+# unless you are manually picking other mirrors.
+#
+# If the mirrorlist= does not work for you, as a fall back you can try the
+# remarked out baseurl= line instead.
+#
+#
+#additional packages that may be useful
+[extras]
+name=CentOS-\$releasever - Extras
+baseurl=http://10.0.0.57/centos/\$releasever/extras/\$basearch/os/
 gpgcheck=1
 enabled=1
-gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6
+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial
-REPOSITORY
+CENTOS-EXTRAS
-chown root:root /etc/yum.repos.d/CentOS-Base.repo
+chown root:root /etc/yum.repos.d/CentOS-Extras.repo
-chmod 644 /etc/yum.repos.d/CentOS-Base.repo
+chmod 644 /etc/yum.repos.d/CentOS-Extras.repo
-rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
 #################################################################################
-################### eigenes Repository mailserver.guru benutzen #################
+###### EPEL installieren und lokales gespiegeltes EPEL-Repository benutzen ######
-cat <<MAILSERVER.GURU > /etc/yum.repos.d/mailserver.guru.repo
+dnf install epel-release -y
-[mailserver.guru-os]
+rpm --import https://dl.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-
-name=Extra (Mailserver-)Packages for Enterprise Linux 7 - $basearch
-baseurl=http://repo.mailserver.guru/7/os/\$basearch
+cp -a /etc/yum.repos.d/epel-modular.repo /etc/yum.repos.d/epel-modular.repo.orig
-priority=5
+cat <<EPEL-MODULAR > /etc/yum.repos.d/epel-modular.repo
+[epel-modular]
+name=Extra Packages for Enterprise Linux Modular \$releasever - \$basearch
+baseurl=http://10.0.0.57/epel/\$releasever/Modular/\$basearch
 enabled=1
 gpgcheck=1
-gpgkey=file:///etc/pki/rpm-gpg/MAILSERVER.GURU-RPM-GPG-KEY-CentOS-7
+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-8
+[epel-modular-debuginfo]
+name=Extra Packages for Enterprise Linux Modular \$releasever - \$basearch - Debug
+baseurl=http://10.0.0.57/epel/\$releasever/Modular/\$basearch/debug
+enabled=0
+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-8
+gpgcheck=1
-[mailserver.guru-testing]
+[epel-modular-source]
-name=Testing (Mailserver-)Packages for Enterprise Linux 7 - $basearch
+name=Extra Packages for Enterprise Linux Modular \$releasever - \$basearch - Source
-baseurl=http://repo.mailserver.guru/7/testing/\$basearch/
+baseurl=http://10.0.0.57/epel/\$releasever/Modular/\$basearch/SRPMS
-priority=5
 enabled=0
+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-8
 gpgcheck=1
-gpgkey=file:///etc/pki/rpm-gpg/MAILSERVER.GURU-RPM-GPG-KEY-CentOS-7
-MAILSERVER.GURU
-chown root:root /etc/yum.repos.d/mailserver.guru.repo
-chmod 644 /etc/yum.repos.d/mailserver.guru.repo
-rpm --import http://repo.mailserver.guru/7/MAILSERVER.GURU-RPM-GPG-KEY-CentOS-7
-#################################################################################
-########################### EPEL Repository einbinden ###########################
+EPEL-MODULAR
+chown root:root /etc/yum.repos.d/epel-modular.repo
+chmod 644 /etc/yum.repos.d/epel-modular.repo
+cp -a /etc/yum.repos.d/epel.repo /etc/yum.repos.d/epel.repo.orig
 cat <<EPEL > /etc/yum.repos.d/epel.repo
 [epel]
-name=Extra Packages for Enterprise Linux 7 - \$basearch
+name=Extra Packages for Enterprise Linux \$releasever - \$basearch
-baseurl=http://repository.nausch.org/epel/7/\$basearch
+baseurl=http://10.0.0.57/epel/\$releasever/Everything/\$basearch
-#mirrorlist=https://mirrors.fedoraproject.org/metalink?repo=epel-7&arch=\$basearch
-failovermethod=priority
 enabled=1
 gpgcheck=1
-priority = 10
+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-8
-gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7
 [epel-debuginfo]
-name=Extra Packages for Enterprise Linux 7 - \$basearch - Debug
+name=Extra Packages for Enterprise Linux \$releasever - \$basearch - Debug
-#baseurl=http://download.fedoraproject.org/pub/epel/7/\$basearch/debug
+baseurl=http://10.0.0.57/epel/\$releasever/Everything/\$basearch/debug
-mirrorlist=https://mirrors.fedoraproject.org/metalink?repo=epel-debug-7&arch=\$basearch
-failovermethod=priority
 enabled=0
-gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7
+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-8
 gpgcheck=1
 [epel-source]
-name=Extra Packages for Enterprise Linux 7 - \$basearch - Source
+name=Extra Packages for Enterprise Linux \$releasever - \$basearch - Source
-#baseurl=http://download.fedoraproject.org/pub/epel/7/\$basearch/SRPMS
+baseurl=http://10.0.0.57/epel/\$releasever/Everything/SRPMS
-mirrorlist=https://mirrors.fedoraproject.org/metalink?repo=epel-source-7&arch=\$basearch
-failovermethod=priority
 enabled=0
-gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7
+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-8
 gpgcheck=1
 EPEL
 chown root:root /etc/yum.repos.d/epel.repo
 chmod 644 /etc/yum.repos.d/epel.repo
-rpm --import https://dl.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-7
 #################################################################################
-####################  yum-changelog auf always-on stellen #######################
+############################ System Updaten #####################################
-rm -f /etc/yum/pluginconf.d/changelog.conf
+dnf update -y
-cat <<CHANGELOG >/etc/yum/pluginconf.d/changelog.conf
+#################################################################################
-[main]
+;;
-enabled=1
+esac;
+done
+%end
-# Set to 'pre' or 'post' to see changes before or after transaction
+</file>
-when=pre
-# Set to true, to always get the output (removes the cmd line arg)
+Damit nun beim Laden der Menüdatei bei PXE-Boot die überarbeitete Kickstart-Datei geladen werden kann, erweitern wir nun die Menü-Datei unseres PXE-Bootservers.
-# Django : $DATUM
-# default: always=false
+   # vim /var/lib/tftpboot/pxelinux.cfg/dmz-64
-always=true
+Dort tragen wir beim betreffenden **LABEL** die Optionen **''ks''**, **''net.ifnames''** und **''biosdevname''** sowie am Ende der Zeile **''SERVERNAME=''** ein.
-CHANGELOG
+<code>LABEL 3
-chown root:root /etc/yum/pluginconf.d/changelog.conf
+   MENU LABEL ^3) Installation von CentOS 8 (64 Bit)
-chmod 644 /etc/yum/pluginconf.d/changelog.conf
+   KERNEL images/centos/8/x86_64/vmlinuz
+   APPEND ks=http://10.0.0.57/kickstart/ks_centos_8_x86_64_dmz.cfg initrd=images/centos/8/x86_64/initrd.img ksdevice=eth0 ip=dhcp --hostname=vml000250.dmz.nausch.org method=http://10.0.0.57/centos/8/BaseOS/x86_64/os/ net.ifnames=0 biosdevname=0 SERVERNAME=
+</code>
+Anschliessend starten wir wie gewohnt unsere virtuelle Maschine.
+{{ :centos:pxe_c7:pxe-boot-menue-004.png?nolink&800 |Bild: Bildschirmhardcopy der Installationskonfiguration}}
+<WRAP center round tip 80%>
+Zum Setzen des Hostnamens wählen wir nun wie gewünscht den betreffenden Menüpunkt aus, drücken dann aber **__NICHT__** die **EINGABETASTE**, sondern die Taste **TAB**! Anschliessend geben wir den Hostnamen ein.
+</WRAP>
+{{ :centos:pxe_c8:pxe-boot-menue-087b.png?nolink&800 |Bild: Bildschirmhardcopy Auswahl PXE Bootmenü}}
+Am Ende des Installationsvorganges werden wir informiert, dass das postinstall-script, welches wir per PXE-Boot bzw. genauer gesagt mit dem Kickstartfile mitgegeben hatten, ausgeführt wird.
+{{ :centos:pxe_c8:pxe-boot-menue-087c.png?nolink&800 |Bild: Bildschirmhardcopy Anzeige "Ausführung postinstall script"}}
+Nach kurzer Wartezeit haben wir ein neues, vorkonfiguriertes und vor allem aktuelles System, bei dem wir uns direkt per **''ssh''** verbinden können.
+   $ ssh 10.0.0.50
+<code>The authenticity of host '10.0.0.50 (10.0.0.50)' can't be established.
+ED25519 key fingerprint is SHA256:JKV0iNvjQGMhkWIGEPC1hQH/vzpbeabl1g7s46yhMj6.
+Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
+Warning: Permanently added '10.0.0.50' (ED25519) to the list of known hosts.
+##############################################################################
+#                                                                            #
+#                       This is a private home server.                       #
+#                                                                            #
+#             Unauthorized access to this system is prohibited !             #
+#                                                                            #
+#    This system is actively monitored and all connections may be logged.    #
+#         By accessing this system, you consent to this monitoring.          #
+#                                                                            #
+##############################################################################
+##############################################################################
+#                                                                            #
+#                 This is the home server of Michael Nausch.                 #
+#                                                                            #
+#                            vml000050.nausch.org                            #
+#                                                                            #
+#             Unauthorized access to this system is prohibited !             #
+#                                                                            #
+#    This system is actively monitored and all connections may be logged.    #
+#         By accessing this system, you consent to this monitoring.          #
+#                                                                            #
+##############################################################################</code>
+Die Netzwerkschnittstelle hat entsprechend die gewünschte Bezeichnung erhalten.
+   # ip a
+<code>1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
+    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
+    inet 127.0.0.1/8 scope host lo
+       valid_lft forever preferred_lft forever
+    inet6 ::1/128 scope host
+       valid_lft forever preferred_lft forever
+: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
+    link/ether 52:54:00:74:80:c2 brd ff:ff:ff:ff:ff:ff
+    inet 10.0.0.50/24 brd 10.0.0.255 scope global noprefixroute eth0
+       valid_lft forever preferred_lft forever
+    inet6 fe80::5054:ff:fe74:80c2/64 scope link noprefixroute
+       valid_lft forever preferred_lft forever</code>
+Das System ist auch mit den aktuellesten Programmpaketen bestückt.
+   # dnf update
+<code>Last metadata expiration check: 0:12:20 ago on Sun 14 Jun 2020 01:49:52 PM CEST.
+Dependencies resolved.
+Nothing to do.
+Complete!</code>
+==== Bsp. 4: Kickstart für eigene Installationsimages/-ISOs ====
+Beim letzten Konfigurationsbeispiel gehen wir davon aus, dass wir unseren CentOS 8 Host nicht via PXE-Boot betanken können, sondern über den Umweg eines ISO-Files. Ntürlich wollen wir auch hier den Installations und anschließenden grundlegenden Erstkonfiguirationsaufwand möglichst gering halten.
+Wir werden also unsere Kickstart-Datei in das vorhandene ***[[http://isoredirect.centos.org/centos/8/isos/x86_64/CentOS-8.1.1911-x86_64-dvd1.iso|CentOS 8 Iso Image]]** packen.
+Zum Packen des iso-Images benötigen wir das Programm aus dem RPM-Paket **genisoimage**. Zum Validieren der Kickstart-Datei benötigen wir das Programm **''ksvalidator''** aus dem RPM-Paket **pykickstart**, zum Packen des iso-Images benötigen wir das Programm aus dem RPM-Paket **genisoimage** und letztendlich zum Hinzufügen der md5sum zum Iso Image das Programm **''implantisomd5''** aus dem RPM **isomd5sum**.
+Zunächst installieren wir, falls noch nicht im System vorhanden die drei RPM.
+   # dnf install genisoimage pykickstart isomd5sum -y
+Dann holen wir uns das ISO-Image auf unsere Admin-Workstation.
+   # wget http://isoredirect.centos.org/centos/8/isos/x86_64/CentOS-8.1.1911-x86_64-dvd1.iso
+Damit wir den Inhalt dieser ISO-Installations-DVD nach unseren Wünschen anpassen können werden wir diese Datei in unser Dateisystem einbinden. Den entsprechenden Pfad definieren wir uns nun noch.
+   # mkdir /mnt/iso
+Nun mounten wir das ISO-Image.
+   #  mount -o CentOS-8.1.1911-x86_64-dvd1.iso /mnt/iso
+Anschließend wechseln wir in das Verzeichnis **''/mnt/iso''**, also der gemountete ISO-Datei.
+Im Verzeichnis **isolinux** legen wir dann unser Kickstartfile **''ks.cfg''** ab.
+   # vim /mnt/iso/isolinux/ks.cfg
+<file bash /mnt/iso/isolinux.cfg># Django 2020-06-14 Kickstart-Datei zum automatischen Betanken von DMZ-Maschinen (64 Bit) aus einem iso-image
+# Version=CentOS 8 (RHEL 8)#version=RHEL8
+# Tastaturlayout definieren
+keyboard --vckeymap=de-nodeadkeys --xlayouts='de (nodeadkeys)'
+# Systemsprache setzen
+lang en_US.UTF-8
+# Definition der Netzwerkeinstellungen
+network  --bootproto=static --device=eth0 --gateway=10.0.0.17 --ip=10.0.0.250 --nameserver=10.0.0.27 --netmask=255.255.255.0 --ipv6=auto --activate
+network  --hostname=vml000250.dmz.nausch.org
+# Zeitzone setzen
+timezone Europe/Berlin --isUtc --ntpservers=time.dmz.nausch.org
+services --enabled="chronyd"
+# Installationsquelle setzen (eigenes ISO-Image)
+repo --name="AppStream" --baseurl=file:///run/install/repo/AppStream
+cdrom
+# Root-Passwort verschlüsselt vorgeben
+rootpw --iscrypted $6$Z46HtZ/aLHbA19p$WVsutOEqe0m0e97lgEreKUzfkAEFzFSR0Hj8RFN8MHqWjPqk7PkJeQ9mIcTGtdutFnFVdFzFSR0KhrdGwUdAn01
+# Default-Benutzerkonto anlegen
+user --name=django --password=$6$2.fGKBeQa18GE6XwDMXG6$QX/j.TfZXk0bBuoJ8GE6XMXRZYz/4pEE6PuwkubaDmteRAAerLVKK69EF30d1K/f1d/sUEqbF9FJBulc/ --iscrypted --gecos="Bastard Operator from Hell"
+# vorhandene Partitionen löschen
+#ignoredisk --only-use=sda
+clearpart --none --initlabel
+# autopart --type=lvm
+# GUI für Installation verwendengraphical
+graphical
+# Kein X Window System konfigurieren, da dieses nicht installiert wird
+skipx
+# Reboot nach der Installation ausführen
+reboot
+%packages
+@^minimal-environment
+-iwl*firmware
+vim
+bash-completion
+bind-utils
+wget
+telnet
+net-tools
+lsof
+%end
+%addon com_redhat_kdump --disable --reserve-mb='auto'
+%end
+%anaconda
+pwpolicy root --minlen=6 --minquality=1 --notstrict --nochanges --notempty
+pwpolicy user --minlen=6 --minquality=1 --notstrict --nochanges --emptyok
+pwpolicy luks --minlen=6 --minquality=1 --notstrict --nochanges --notempty
+%end
+# Postinstall-Anweisungen
+%post --log=/root/anaconda-postinstall.log
+#!/bin/bash
+#DATUM=$(date +"%Y-%m-%d")
+#for x in `cat /proc/cmdline`; do
+#case $x in SERVERNAME*)
+#eval $x
+############ bootloader anpassen, rhgb bei den Bootoptionen entfernen ###########
+sed -i 's/rhgb//g' /etc/default/grub
+grub2-mkconfig -o /boot/grub2/grub.cfg
 #################################################################################
-######################### yum-plugin-fastestmirror deaktivieren #################
+######################## MOTD und ISSUE.NET individualisieren ###################
-rm -f /etc/yum/pluginconf.d/fastestmirror.conf
+# /etc/issue.net anlegen
-cat <<YUM-PLUGIN-FASTESTMIRROR > /etc/yum/pluginconf.d/fastestmirror.conf
+cat <<ISSUE.NET > /etc/issue.net
-[main]
+##############################################################################
-# Django : $DATUM
+#                                                                            #
-# fastestmirror deaktiviert, da nur das interne Repository genutzt werden soll!
+#                       This is a private home server.                       #
-# default: enabled=1
+#                                                                            #
-enabled=0
+#             Unauthorized access to this system is prohibited !             #
-verbose=0
+#                                                                            #
-always_print_best_host = true
+#    This system is actively monitored and all connections may be logged.    #
-socket_timeout=3
+#         By accessing this system, you consent to this monitoring.          #
-# Relative paths are relative to the cachedir (and so works for users as well
+#                                                                            #
-# as root).
+##############################################################################
-hostfilepath=timedhosts.txt
+ISSUE.NET
-maxhostfileage=10
-maxthreads=15
+chown root:root /etc/issue.net
-#exclude=.gov, facebook
+chmod 644 /etc/issue.net
-#include_only=.nl,.de,.uk,.ie
-YUM-PLUGIN-FASTESTMIRROR
+# /etc/motd anlegen
-chown root:root /etc/yum/pluginconf.d/fastestmirror.conf
+cat <<MOTD > /etc/motd
-chmod 644 /etc/yum/pluginconf.d/fastestmirror.conf
+##############################################################################
+#                                                                            #
+#                 This is the home server of Michael Nausch.                 #
+#                                                                            #
+#                             vml00250.nausch.org                            #
+#                                                                            #
+#             Unauthorized access to this system is prohibited !             #
+#                                                                            #
+#    This system is actively monitored and all connections may be logged.    #
+#         By accessing this system, you consent to this monitoring.          #
+#                                                                            #
+##############################################################################
+MOTD
+chown root:root /etc/motd
+chmod 644 /etc/motd
 #################################################################################
 ########################### ssh-daemon konfigurieren ############################
-rm -f /etc/ssh/sshd_config
+cp -a /etc/ssh/sshd_config /etc/ssh/sshd_config.orig
 cat <<SSHD_CONFIG > /etc/ssh/sshd_config
-#       $OpenBSD: sshd_config,v 1.93 2014/01/10 05:59:19 djm Exp $
+#	$OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $
 # This is the sshd server system-wide configuration file.  See
 # sshd_config(5) for more information.
-# This sshd was compiled with PATH=/usr/local/bin:/usr/bin
+# This sshd was compiled with PATH=/usr/local/bin:/usr/bin:/usr/local/sbin:/usr/sbin
 # The strategy used for options in the default sshd_config shipped with
@@ Zeile 591: / Zeile 1136: @@
 # SELinux about this change.
 # semanage port -a -t ssh_port_t -p tcp #PORTNUMBER
+#
 # Specifies which address family should be used by sshd(8). Valid arguments
 # are ''any'', ''inet'' (use IPv4 only), or ''inet6'' (use IPv6 only).
-AddressFamily any
+#AddressFamily any
 # Specifies the local addresses sshd(8) should listen on. The following
@@ Zeile 604: / Zeile 1149: @@
 # Port options specified. The default is to listen on all local addresses.
 # Multiple ListenAddress options are permitted. Additionally, any Port
 # options must precede this option for non-port qualified addresses.
-ListenAddress 0.0.0.0:22
+#Port 22
+#ListenAddress 0.0.0.0
-# Specifies the protocol versions sshd(8) supports. The possible values are
+#ListenAddress ::
-# '1' and '2'. Multiple versions must be comma-separated. The default is
-# ''2,1''. Note that the order of the protocol list does not indicate
-# preference, because the client selects among multiple protocol versions
-# offered by the server. Specifying ''2,1'' is identical to ''1,2''.
-Protocol 2
 # Specifies a file containing a private host key used by SSH. The default
@@ Zeile 646: / Zeile 1186: @@
 #   mv "${HOME}/moduli" /etc/ssh/moduli
 #
-# CentOS 6
-# KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
-# CentOS 7 / Fedora >21 "only"
 KexAlgorithms curve25519-sha256@libssh.org
+# Ciphers and keying
+#RekeyLimit default none
+# System-wide Crypto policy:
+# This system is following system-wide crypto policy. The changes to
+# Ciphers, MACs, KexAlgoritms and GSSAPIKexAlgorithsm will not have any
+# effect here. They will be overridden by command-line options passed on
+# the server start up.
+# To opt out, uncomment a line with redefinition of  CRYPTO_POLICY=
+# variable in  /etc/sysconfig/sshd  to overwrite the policy.
+# For more information, see manual page for update-crypto-policies(8).
 # Logging
@@ Zeile 666: / Zeile 1215: @@
 # clear audit track of which key was using to log in.
 LogLevel VERBOSE
-# Configures an external subsystem (e.g. file transfer daemon). Arguments
-# should be a subsystem name and a command (with optional arguments) to
-# execute upon subsystem request. Log sftp level file access
-# (read/write/etc.) that would not be easily logged otherwise.
-Subsystem sftp /usr/lib/ssh/sftp-server -f AUTHPRIV -l INFO
 # Authentication:
@@ Zeile 708: / Zeile 1251: @@
 # connection. Once the number of failures reaches half this value,
 # additional failures are logged.
-MaxAuthTries 6
+MaxAuthTries 10
 # Specifies the maximum number of open sessions permitted per network
@@ Zeile 722: / Zeile 1265: @@
 # taken to be an absolute path or one relative to the user's home directory.
 AuthorizedKeysFile      .ssh/authorized_keys
-# Specifies whether pure RSA authentication is allowed. The default is
-# ''yes''. This option applies to protocol version 1 only.
-RSAAuthentication no
 # Specifies whether public key authentication is allowed. The default is
@@ Zeile 731: / Zeile 1270: @@
 PubkeyAuthentication yes
-# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
-# Change to yes if you don't trust ~/.ssh/known_hosts for
-# RhostsRSAAuthentication and HostbasedAuthentication
-RhostsRSAAuthentication no
-# Specifies whether rhosts or /etc/hosts.equiv authentication together
+#AuthorizedPrincipalsFile none
-# with successful public key client host authentication is allowed
+#AuthorizedKeysCommand none
-# (host-based authentication). This option is similar to
+#AuthorizedKeysCommandUser nobody
-# RhostsRSAAuthentication and applies to protocol version 2 only.
-HostbasedAuthentication no
-# Specifies whether sshd(8) should ignore the user's ~/.ssh/known_hosts
+# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
-# during RhostsRSAAuthentication or HostbasedAuthentication.
+#HostbasedAuthentication no
-IgnoreUserKnownHosts no
+# Change to yes if you don't trust ~/.ssh/known_hosts for
+# HostbasedAuthentication
+#IgnoreUserKnownHosts no
+# Don't read the user's ~/.rhosts and ~/.shosts files
+#IgnoreRhosts yes
-# Specifies that .rhosts and .shosts files will not be used in
+# To disable tunneled clear text passwords, change to no here!
-# RhostsRSAAuthentication or HostbasedAuthentication.
+#PasswordAuthentication yes
-# /etc/hosts.equiv and /etc/ssh/shosts.equiv are still used.
+#PermitEmptyPasswords no
-IgnoreRhosts yes
 # Specifies whether password authentication is allowed. To disable tunneled
 # clear text passwords, change to no here!
 PasswordAuthentication no
-# When password authentication is allowed, it specifies whether the server
-# allows login to accounts with empty password strings. The default is ''no''.
-PermitEmptyPasswords no
 # Specifies whether challenge-response authentication is allowed
@@ Zeile 763: / Zeile 1295: @@
 # Change to no to disable s/key passwords
 ChallengeResponseAuthentication no
+# Kerberos options
+#KerberosAuthentication no
+#KerberosOrLocalPasswd yes
+#KerberosTicketCleanup yes
+#KerberosGetAFSToken no
+#KerberosUseKuserok yes
 # Specifies whether user authentication based on GSSAPI is allowed.
-GSSAPIAuthentication no
+GSSAPIAuthentication yes
 # Specifies whether key exchange based on GSSAPI is allowed. GSSAPI key
 # exchange doesn't rely on ssh keys to verify host identity.
-GSSAPIKeyExchange no
+#GSSAPIKeyExchange no
 # Specifies whether to automatically destroy the user's credentials cache
 # on logout.
-GSSAPICleanupCredentials yes
+GSSAPICleanupCredentials no
 # Determines whether to be strict about the identity of the GSSAPI acceptor
@@ Zeile 782: / Zeile 1321: @@
 # machines. The default is ''yes''. Note that this option applies only to
 # protocol version 2 GSSAPI connections, and setting it to ''no'' may only
 # work with recent Kerberos GSSAPI libraries.
-GSSAPIStrictAcceptorCheck yes
+#GSSAPIStrictAcceptorCheck yes
-# Controls whether the user's GSSAPI credentials should be updated following
+#GSSAPIEnablek5users no
-# a successful connection rekeying. This option can be used to accepted
-# renewed or updated credentials from a compatible client.
-GSSAPIStoreCredentialsOnRekey no
-# Specifies whether ssh-agent(1) forwarding is permitted. The default is
+# Set this to 'yes' to enable PAM authentication, account processing,
-# ''yes''. Note that disabling agent forwarding does not improve security
+# and session processing. If this is enabled, PAM authentication will
-# unless users are also denied shell access, as they can always install
+# be allowed through the ChallengeResponseAuthentication and
-# their own forwarders.
+# PasswordAuthentication.  Depending on your PAM configuration,
-AllowAgentForwarding yes
+# PAM authentication via ChallengeResponseAuthentication may bypass
+# the setting of "PermitRootLogin without-password".
-# Specifies whether TCP forwarding is permitted. The default is ''yes''.
+# If you just want the PAM account and session checks to run without
-# Note that disabling TCP forwarding does not improve security unless users
+# PAM authentication, then enable this but set PasswordAuthentication
-# are also denied shell access, as they can always install their own
+# and ChallengeResponseAuthentication to 'no'.
-# forwarders.
+# WARNING: 'UsePAM no' is not supported in Fedora and may cause several
-AllowTcpForwarding yes
+# problems.
+UsePAM yes
-# Specifies whether remote hosts are allowed to connect to ports forwarded
-# for the client. By default, sshd(8) binds remote port forwardings to the
-# loopback address. This prevents other remote hosts from connecting to
-# forwarded ports. GatewayPorts can be used to specify that sshd should
-# allow remote port forwardings to bind to non-loopback addresses, thus
-# allowing other hosts to connect. The argument may be ''no'' to force
-# remote port forwardings to be available to the local host only, ''yes''
-# to force remote port forwardings to bind to the wildcard address, or
-# ''clientspecified'' to allow the client to select the address to which
-# the forwarding is bound. The default is ''no''.
-GatewayPorts no
 # Specifies whether X11 forwarding is permitted. The argument must be
@@ Zeile 834: / Zeile 1359: @@
 # Specifies the first display number available for sshd(8)'s X11 forwarding.
 # This prevents sshd from interfering with real X11 servers.
 # The default is 10.
-X11DisplayOffset 10
+#X11DisplayOffset 10
 # Specifies whether sshd(8) should bind the X11 forwarding server to the
@@ Zeile 845: / Zeile 1370: @@
 # ''no'' to specify that the forwarding server should be bound to the
 # wildcard address. The argument must be ''yes'' or ''no''. The default is
 # ''yes''.
-X11UseLocalhost yes
+#X11UseLocalhost yes
-# Specifies whether sshd(8) should print /etc/motd when a user logs in
+# Specifies whether ssh-agent(1) forwarding is permitted. The default is
-# interactively. (On some systems it is also printed by the shell,
+# ''yes''. Note that disabling agent forwarding does not improve security
-# /etc/profile, or equivalent.) The default is ''yes''.
+# unless users are also denied shell access, as they can always install
-PrintMotd yes
+# their own forwarders.
+#AllowAgentForwarding yes
-# Specifies whether sshd(8) should print the date and time of the last user
+# Specifies whether TCP forwarding is permitted. The default is ''yes''.
-# login when a user logs in interactively. The default is ''yes''.
+# Note that disabling TCP forwarding does not improve security unless users
-PrintLastLog yes
+# are also denied shell access, as they can always install their own
+# forwarders.
+#AllowTcpForwarding yes
-# Specifies whether login(1) is used for interactive login sessions. The
+# Specifies whether remote hosts are allowed to connect to ports forwarded
-# default is ''no''. Note that login(1) is never used for remote command
+# for the client. By default, sshd(8) binds remote port forwardings to the
-# execution. Note also, that if this is enabled, X11Forwarding will be
+# loopback address. This prevents other remote hosts from connecting to
-# disabled because login(1) does not know how to handle xauth(1) cookies.
+# forwarded ports. GatewayPorts can be used to specify that sshd should
-# If UsePrivilegeSeparation is specified, it will be disabled after
+# allow remote port forwardings to bind to non-loopback addresses, thus
-# authentication.
+# allowing other hosts to connect. The argument may be ''no'' to force
-UseLogin no
+# remote port forwardings to be available to the local host only, ''yes''
+# to force remote port forwardings to bind to the wildcard address, or
+# ''clientspecified'' to allow the client to select the address to which
+# the forwarding is bound. The default is ''no''.
+#GatewayPorts no
-# Set this to 'yes' to enable PAM authentication, account processing,
+#PermitTTY yes
-# and session processing. If this is enabled, PAM authentication will
-# be allowed through the ChallengeResponseAuthentication and
-# PasswordAuthentication.  Depending on your PAM configuration,
-# PAM authentication via ChallengeResponseAuthentication may bypass
-# the setting of "PermitRootLogin without-password".
-# If you just want the PAM account and session checks to run without
-# PAM authentication, then enable this but set PasswordAuthentication
-# and ChallengeResponseAuthentication to 'no'.
-# WARNING: 'UsePAM no' is not supported in Red Hat Enterprise Linux
-# and may cause several problems.
-UsePAM yes
-# Specifies whether sshd(8) separates privileges by creating an unprivileged
+# It is recommended to use pam_motd in /etc/pam.d/sshd instead of PrintMotd,
-# child process to deal with incoming network traffic. After successful
+# as it is more configurable and versatile than the built-in version.
-# authentication, another process will be created that has the privilege of
+PrintMotd no
-# the authenticated user. The goal of privilege separation is to prevent
-# privilege escalation by containing any corruption within the unprivileged
-# processes.
-UsePrivilegeSeparation sandbox
-# Sets a timeout interval in seconds after which if no data has been
+#PrintLastLog yes
-# received from the client, sshd(8) will send a message through the
+#TCPKeepAlive yes
-# encrypted channel to request a response from the client. The default is 0,
+#PermitUserEnvironment no
-# indicating that these messages will not be sent to the client. This option
+#Compression delayed
-# applies to protocol version 2 only.
+#ClientAliveInterval 0
-ClientAliveInterval 0
+#ClientAliveCountMax 3
+#ShowPatchLevel no
-# Sets the number of client alive messages (see below) which may be sent
+#UseDNS no
-# without sshd(8) receiving any messages back from the client. If this
+#PidFile /var/run/sshd.pid
-# threshold is reached while client alive messages are being sent, sshd will
+#MaxStartups 10:30:100
-# disconnect the client, terminating the session. It is important to note
+#PermitTunnel no
-# that the use of client alive messages is very different from TCPKeepAlive
+#ChrootDirectory none
-# (below). The client alive messages are sent through the encrypted channel
+#VersionAddendum none
-# and therefore will not be spoofable. The TCP keepalive option enabled by
-# TCPKeepAlive is spoofable. The client alive mechanism is valuable when the
-# client or server depend on knowing when a connection has become inactive.
-# The default value is 3. If ClientAliveInterval (see below) is set to 15,
-# and ClientAliveCountMax is left at the default, unresponsive SSH clients
-# will be disconnected after approximately 45 seconds. This option applies
-# to protocol version 2 only.
-ClientAliveCountMax 3
-# Specifies whether the system should send TCP keepalive messages to the
-# other side. If they are sent, death of the connection or crash of one of
-# the machines will be properly noticed. However, this means that
-# connections will die if the route is down temporarily, and some people
-# find it annoying. On the other hand, if TCP keepalives are not sent,
-# sessions may hang indefinitely on the server, leaving ''ghost'' users
-# and consuming server resources. The default is ''yes'' (to send TCP
-# keepalive messages), and the server will notice if the network goes down
-# or the client host crashes. This avoids infinitely hanging sessions.
-# To disable TCP keepalive messages, the value should be set to ''no''.
-TCPKeepAlive yes
-# Specifies whether sshd(8) should look up the remote host name and check
-# that the resolved host name for the remote IP address maps back to the
-# very same IP address.
-UseDNS yes
-# Specifies the file that contains the process ID of the SSH daemon.
-# The default is /var/run/sshd.pid.
-PidFile /var/run/sshd.pid
-# Specifies the maximum number of concurrent unauthenticated connections
-# to the SSH daemon. Additional connections will be dropped until
-# authentication succeeds or the LoginGraceTime expires for a connection.
-# The default is 10.
-# Alternatively, random early drop can be enabled by specifying the three
-# colon separated values ''start:rate:full'' (e.g. "10:30:60"). sshd(8)
-# will refuse connection attempts with a probability of ''rate/100'' (30%)
-# if there are currently ''start'' (10) unauthenticated connections. The
-# probability increases linearly and all connection attempts are refused
-# if the number of unauthenticated connections reaches ''full'' (60).
-MaxStartups 10:30:100
-# Specifies whether tun(4) device forwarding is allowed. The argument must
-# be ''yes'', ''point-to-point'' (layer 3), ''ethernet'' (layer 2), or
-# ''no''. Specifying ''yes'' permits both ''point-to-point'' and
-# ''ethernet''. The default is ''no''.
-PermitTunnel no
-# Specifies a path to chroot(2) to after authentication. This path, and all
-# its components, must be root-owned directories that are not writable by
-# any other user or group. After the chroot, sshd(8) changes the working
-# directory to the user's home directory.
-# The path may contain the following tokens that are expanded at runtime
-# once the connecting user has been authenticated: %% is replaced by a
-# literal '%', %h is replaced by the home directory of the user being
-# authenticated, and %u is replaced by the username of that user.
-# The ChrootDirectory must contain the necessary files and directories to
-# support the user's session. For an interactive session this requires at
-# least a shell, typically sh(1), and basic /dev nodes such as null(4),
-# zero(4), stdin(4), stdout(4), stderr(4), arandom(4) and tty(4) devices.
-# For file transfer sessions using ''sftp'', no additional configuration
-# of the environment is necessary if the in-process sftp server is used,
-# though sessions which use logging do require /dev/log inside the chroot
-# directory (see sftp-server(8) for details).
-ChrootDirectory none
 # The contents of the specified file are sent to the remote user before
@@ Zeile 974: / Zeile 1426: @@
 AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
 AcceptEnv XMODIFIERS
+# Configures an external subsystem (e.g. file transfer daemon). Arguments
+# should be a subsystem name and a command (with optional arguments) to
+# execute upon subsystem request. Log sftp level file access
+# (read/write/etc.) that would not be easily logged otherwise.
+Subsystem	sftp	/usr/libexec/openssh/sftp-server
 # Example of overriding settings on a per-user basis
 #Match User anoncvs
-#       X11Forwarding no
+#	X11Forwarding no
-#       AllowTcpForwarding no
+#	AllowTcpForwarding no
-#       PermitTTY no
+#	PermitTTY no
-#       ForceCommand cvs server
+#	ForceCommand cvs server
 SSHD_CONFIG
 chown root:root /etc/ssh/sshd_config
-chmod 644 /etc/ssh/sshd_config
+chmod 600 /etc/ssh/sshd_config
 #################################################################################
-####################### Django's ssh-pubkey hinterlegen #########################
+####################### Djangos ssh-pubkey hinterlegen #########################
 mkdir /home/django/.ssh
 chmod 700 /home/django/.ssh
 chown django:django /home/django/.ssh
 cat <<AUTHORIZED_KEYS >/home/django/.ssh/authorized_keys
-ssh-ed25519 AAAAC3NzaC1lZDF1NTE5AAAAIDYjDCtBTfrpb04x0135CHl4M93sMagrrD5d+IbkU6ddBSp django@nausch.org
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDYjDCtBTfrpbHHkRrqHOkhsMagrrD5d+IbkU6ddoBSp django@nausch.org
 AUTHORIZED_KEYS
 chmod 644 /home/django/.ssh/authorized_keys
@@ Zeile 997: / Zeile 1455: @@
 #################################################################################
-####################### Nameserver Suchliste festlegen ##########################
+############### lokales gespiegeltes CentOS-Repository benutzen #################
-echo 'DOMAIN="dmz.nausch.org nausch.org"' >> /etc/sysconfig/network-scripts/ifcfg-eth0
+cp -a /etc/yum.repos.d/CentOS-AppStream.repo /etc/yum.repos.d/CentOS-AppStream.repo.orig
-#################################################################################
+cat <<CENTOS-APPSTREAM > /etc/yum.repos.d/epel-modular.repo
+# CentOS-AppStream.repo
-############################# IPv6 deaktivieren ##################################
-#echo "# Django : $DATUM
-## default: unset (IPv6 aktiv)
-#net.ipv6.conf.all.disable_ipv6 = 1
-#net.ipv6.conf.default.disable_ipv6 = 1" >> /etc/sysctl.conf
-##################################################################################
-########################### Postfix Basis-Konfiguration #########################
-rm -f /etc/postfix/main.cf
-cat <<MAIN.CF > /etc/postfix/main.cf
-# Global Postfix configuration file. This file lists only a subset
-# of all parameters. For the syntax, and for a complete parameter
-# list, see the postconf(5) manual page (command: "man 5 postconf").
 #
-# For common configuration examples, see BASIC_CONFIGURATION_README
+# The mirror system uses the connecting IP address of the client and the
-# and STANDARD_CONFIGURATION_README. To find these documents, use
+# update status of each mirror to pick mirrors that are updated to and
-# the command "postconf html_directory readme_directory", or go to
+# geographically close to the client.  You should use this for CentOS updates
-# http://www.postfix.org/.
+# unless you are manually picking other mirrors.
 #
-# For best results, change no more than 2-3 parameters at a time,
+# If the mirrorlist= does not work for you, as a fall back you can try the
-# and test if Postfix still works after every change.
+# remarked out baseurl= line instead.
-# SOFT BOUNCE
 #
-# The soft_bounce parameter provides a limited safety net for
-# testing.  When soft_bounce is enabled, mail will remain queued that
-# would otherwise bounce. This parameter disables locally-generated
-# bounces, and prevents the SMTP server from rejecting mail permanently
-# (by changing 5xx replies into 4xx replies). However, soft_bounce
-# is no cure for address rewriting mistakes or mail routing mistakes.
 #
-#soft_bounce = no
-# LOCAL PATHNAME INFORMATION
+[AppStream]
-#
+name=CentOS-\$releasever - AppStream
-# The queue_directory specifies the location of the Postfix queue.
+baseurl=http://10.0.0.57/centos/\$releasever/AppStream/\$basearch/os/
-# This is also the root directory of Postfix daemons that run chrooted.
+gpgcheck=1
-# See the files in examples/chroot-setup for setting up Postfix chroot
+enabled=1
-# environments on different UNIX systems.
+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial
-#
+CENTOS-APPSTREAM
-queue_directory = /var/spool/postfix
+chown root:root /etc/yum.repos.d/CentOS-AppStream.repo
+chmod 644 /etc/yum.repos.d/CentOS-AppStream.repo
-# The command_directory parameter specifies the location of all
+cp -a /etc/yum.repos.d/CentOS-Base.repo /etc/yum.repos.d/CentOS-Base.repo.orig
-# postXXX commands.
+cat <<CENTOS-BASE > /etc/yum.repos.d/CentOS-Base.repo
+# CentOS-Base.repo
 #
-command_directory = /usr/sbin
+# The mirror system uses the connecting IP address of the client and the
+# update status of each mirror to pick mirrors that are updated to and
-# The daemon_directory parameter specifies the location of all Postfix
+# geographically close to the client.  You should use this for CentOS updates
-# daemon programs (i.e. programs listed in the master.cf file). This
+# unless you are manually picking other mirrors.
-# directory must be owned by root.
 #
-daemon_directory = /usr/libexec/postfix
+# If the mirrorlist= does not work for you, as a fall back you can try the
+# remarked out baseurl= line instead.
-# The data_directory parameter specifies the location of Postfix-writable
-# data files (caches, random numbers). This directory must be owned
-# by the mail_owner account (see below).
 #
-data_directory = /var/lib/postfix
-# QUEUE AND PROCESS OWNERSHIP
 #
-# The mail_owner parameter specifies the owner of the Postfix queue
-# and of most Postfix daemon processes.  Specify the name of a user
-# account THAT DOES NOT SHARE ITS USER OR GROUP ID WITH OTHER ACCOUNTS
-# AND THAT OWNS NO OTHER FILES OR PROCESSES ON THE SYSTEM.  In
-# particular, don't specify nobody or daemon. PLEASE USE A DEDICATED
-# USER.
-#
-mail_owner = postfix
-# The default_privs parameter specifies the default rights used by
+[BaseOS]
-# the local delivery agent for delivery to external file or command.
+name=CentOS-\$releasever - Base
-# These rights are used in the absence of a recipient user context.
+baseurl=http://10.0.0.57/centos/\$releasever/BaseOS/\$basearch/os/
-# DO NOT SPECIFY A PRIVILEGED USER OR THE POSTFIX OWNER.
+gpgcheck=1
-#
+enabled=1
-#default_privs = nobody
+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial
+CENTOS-BASE
+chown root:root /etc/yum.repos.d/CentOS-AppStream.repo
+chmod 644 /etc/yum.repos.d/CentOS-AppStream.repo
-# INTERNET HOST AND DOMAIN NAMES
+cp -a /etc/yum.repos.d/CentOS-Extras.repo /etc/yum.repos.d/CentOS-Extras.repo.orig
-#
+cat <<CENTOS-EXTRAS > /etc/yum.repos.d/CentOS-Extras.repo
-# The myhostname parameter specifies the internet hostname of this
+# CentOS-Extras.repo
-# mail system. The default is to use the fully-qualified domain name
-# from gethostname(). \$myhostname is used as a default value for many
-# other configuration parameters.
 #
-#myhostname = host.domain.tld
+# The mirror system uses the connecting IP address of the client and the
-#myhostname = virtual.domain.tld
+# update status of each mirror to pick mirrors that are updated to and
-# Django : $DATUM - Hostname setzen
+# geographically close to the client.  You should use this for CentOS updates
-# default: unset
+# unless you are manually picking other mirrors.
-myhostname = $HOSTNAME
-# The mydomain parameter specifies the local internet domain name.
-# The default is to use \$myhostname minus the first component.
-# \$mydomain is used as a default value for many other configuration
-# parameters.
 #
-#mydomain = domain.tld
+# If the mirrorlist= does not work for you, as a fall back you can try the
-# Django : $DATUM - Domainname setzen
+# remarked out baseurl= line instead.
-# default: unset
-mydomain = nausch.org
-# SENDING MAIL
-#
-# The myorigin parameter specifies the domain that locally-posted
-# mail appears to come from. The default is to append \$myhostname,
-# which is fine for small sites.  If you run a domain with multiple
-# machines, you should (1) change this to \$mydomain and (2) set up
-# a domain-wide alias database that aliases each user to
-# user@that.users.mailhost.
 #
-# For the sake of consistency between sender and recipient addresses,
-# myorigin also specifies the default domain name that is appended
-# to recipient addresses that have no @domain part.
 #
-#myorigin = \$myhostname
-#myorigin = \$mydomain
-# Django : $DATUM Origin gesetzt
-# default: unset
-myorigin = \$mydomain
-# RECEIVING MAIL
+#additional packages that may be useful
+[extras]
+name=CentOS-\$releasever - Extras
+baseurl=http://10.0.0.57/centos/\$releasever/extras/\$basearch/os/
+gpgcheck=1
+enabled=1
+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial
+CENTOS-EXTRAS
+chown root:root /etc/yum.repos.d/CentOS-Extras.repo
+chmod 644 /etc/yum.repos.d/CentOS-Extras.repo
+#################################################################################
-# The inet_interfaces parameter specifies the network interface
+###### EPEL installieren und lokales gespiegeltes EPEL-Repository benutzen ######
-# addresses that this mail system receives mail on.  By default,
+dnf install epel-release -y
-# the software claims all active interfaces on the machine. The
+rpm --import https://dl.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-
-# parameter also controls delivery of mail to user@[ip.address].
-#
-# See also the proxy_interfaces parameter, for network addresses that
-# are forwarded to us via a proxy or network address translator.
-#
-# Note: you need to stop/start Postfix when this parameter changes.
-#
-#inet_interfaces = all
-#inet_interfaces = \$myhostname
-#inet_interfaces = \$myhostname, localhost
-inet_interfaces = localhost
-# Enable IPv4, and IPv6 if supported
+cp -a /etc/yum.repos.d/epel-modular.repo /etc/yum.repos.d/epel-modular.repo.orig
-# Django  : $DATUM IPv6-Support deaktiviert
+cat <<EPEL-MODULAR > /etc/yum.repos.d/epel-modular.repo
-# default : inet_protocols = all
+[epel-modular]
-##inet_protocols = ipv4
+name=Extra Packages for Enterprise Linux Modular \$releasever - \$basearch
-inet_protocols = all
+baseurl=http://10.0.0.57/epel/\$releasever/Modular/\$basearch
+enabled=1
+gpgcheck=1
+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-8
-# The proxy_interfaces parameter specifies the network interface
+[epel-modular-debuginfo]
-# addresses that this mail system receives mail on by way of a
+name=Extra Packages for Enterprise Linux Modular \$releasever - \$basearch - Debug
-# proxy or network address translation unit. This setting extends
+baseurl=http://10.0.0.57/epel/\$releasever/Modular/\$basearch/debug
-# the address list specified with the inet_interfaces parameter.
+enabled=0
-#
+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-8
-# You must specify your proxy/NAT addresses when your system is a
+gpgcheck=1
-# backup MX host for other domains, otherwise mail delivery loops
-# will happen when the primary MX host is down.
-#
-#proxy_interfaces =
-#proxy_interfaces = 1.2.3.4
-# The mydestination parameter specifies the list of domains that this
+[epel-modular-source]
-# machine considers itself the final destination for.
+name=Extra Packages for Enterprise Linux Modular \$releasever - \$basearch - Source
-#
+baseurl=http://10.0.0.57/epel/\$releasever/Modular/\$basearch/SRPMS
-# These domains are routed to the delivery agent specified with the
+enabled=0
-# local_transport parameter setting. By default, that is the UNIX
+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-8
-# compatible delivery agent that lookups all recipients in /etc/passwd
+gpgcheck=1
-# and /etc/aliases or their equivalent.
-#
-# The default is \$myhostname + localhost.\$mydomain.  On a mail domain
-# gateway, you should also include \$mydomain.
-#
-# Do not specify the names of virtual domains - those domains are
-# specified elsewhere (see VIRTUAL_README).
-#
-# Do not specify the names of domains that this machine is backup MX
-# host for. Specify those names via the relay_domains settings for
-# the SMTP server, or use permit_mx_backup if you are lazy (see
-# STANDARD_CONFIGURATION_README).
-#
-# The local machine is always the final destination for mail addressed
-# to user@[the.net.work.address] of an interface that the mail system
-# receives mail on (see the inet_interfaces parameter).
-#
-# Specify a list of host or domain names, /file/name or type:table
-# patterns, separated by commas and/or whitespace. A /file/name
-# pattern is replaced by its contents; a type:table is matched when
-# a name matches a lookup key (the right-hand side is ignored).
-# Continue long lines by starting the next line with whitespace.
-#
-# See also below, section "REJECTING MAIL FOR UNKNOWN LOCAL USERS".
-#
-mydestination = \$myhostname, localhost.\$mydomain, localhost
-#mydestination = \$myhostname, localhost.\$mydomain, localhost, \$mydomain
-#mydestination = \$myhostname, localhost.\$mydomain, localhost, \$mydomain,
-#	mail.\$mydomain, www.\$mydomain, ftp.\$mydomain
-# REJECTING MAIL FOR UNKNOWN LOCAL USERS
+EPEL-MODULAR
-#
+chown root:root /etc/yum.repos.d/epel-modular.repo
-# The local_recipient_maps parameter specifies optional lookup tables
+chmod 644 /etc/yum.repos.d/epel-modular.repo
-# with all names or addresses of users that are local with respect
-# to \$mydestination, \$inet_interfaces or \$proxy_interfaces.
-#
-# If this parameter is defined, then the SMTP server will reject
-# mail for unknown local users. This parameter is defined by default.
-#
-# To turn off local recipient checking in the SMTP server, specify
-# local_recipient_maps = (i.e. empty).
-#
-# The default setting assumes that you use the default Postfix local
-# delivery agent for local delivery. You need to update the
-# local_recipient_maps setting if:
-#
-# - You define \$mydestination domain recipients in files other than
-#   /etc/passwd, /etc/aliases, or the \$virtual_alias_maps files.
-#   For example, you define \$mydestination domain recipients in
-#   the \$virtual_mailbox_maps files.
-#
-# - You redefine the local delivery agent in master.cf.
-#
-# - You redefine the "local_transport" setting in main.cf.
-#
-# - You use the "luser_relay", "mailbox_transport", or "fallback_transport"
-#   feature of the Postfix local delivery agent (see local(8)).
-#
-# Details are described in the LOCAL_RECIPIENT_README file.
-#
-# Beware: if the Postfix SMTP server runs chrooted, you probably have
-# to access the passwd file via the proxymap service, in order to
-# overcome chroot restrictions. The alternative, having a copy of
-# the system passwd file in the chroot jail is just not practical.
-#
-# The right-hand side of the lookup tables is conveniently ignored.
-# In the left-hand side, specify a bare username, an @domain.tld
-# wild-card, or specify a user@domain.tld address.
-#
-#local_recipient_maps = unix:passwd.byname \$alias_maps
-#local_recipient_maps = proxy:unix:passwd.byname \$alias_maps
-#local_recipient_maps =
-# The unknown_local_recipient_reject_code specifies the SMTP server
+cp -a /etc/yum.repos.d/epel.repo /etc/yum.repos.d/epel.repo.orig
-# response code when a recipient domain matches \$mydestination or
+cat <<EPEL > /etc/yum.repos.d/epel.repo
-# \${proxy,inet}_interfaces, while \$local_recipient_maps is non-empty
+[epel]
-# and the recipient address or address local-part is not found.
+name=Extra Packages for Enterprise Linux \$releasever - \$basearch
-#
+baseurl=http://10.0.0.57/epel/\$releasever/Everything/\$basearch
-# The default setting is 550 (reject mail) but it is safer to start
+enabled=1
-# with 450 (try again later) until you are certain that your
+gpgcheck=1
-# local_recipient_maps settings are OK.
+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-8
-#
-unknown_local_recipient_reject_code = 550
-# TRUST AND RELAY CONTROL
+[epel-debuginfo]
+name=Extra Packages for Enterprise Linux \$releasever - \$basearch - Debug
+baseurl=http://10.0.0.57/epel/\$releasever/Everything/\$basearch/debug
+enabled=0
+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-8
+gpgcheck=1
-# The mynetworks parameter specifies the list of "trusted" SMTP
+[epel-source]
-# clients that have more privileges than "strangers".
+name=Extra Packages for Enterprise Linux \$releasever - \$basearch - Source
-#
+baseurl=http://10.0.0.57/epel/\$releasever/Everything/SRPMS
-# In particular, "trusted" SMTP clients are allowed to relay mail
+enabled=0
-# through Postfix.  See the smtpd_recipient_restrictions parameter
+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-8
-# in postconf(5).
+gpgcheck=1
-#
+EPEL
-# You can specify the list of "trusted" network addresses by hand
+chown root:root /etc/yum.repos.d/epel.repo
-# or you can let Postfix do it for you (which is the default).
+chmod 644 /etc/yum.repos.d/epel.repo
-#
+#################################################################################
-# By default (mynetworks_style = subnet), Postfix "trusts" SMTP
-# clients in the same IP subnetworks as the local machine.
-# On Linux, this does works correctly only with interfaces specified
-# with the "ifconfig" command.
-#
-# Specify "mynetworks_style = class" when Postfix should "trust" SMTP
-# clients in the same IP class A/B/C networks as the local machine.
-# Don't do this with a dialup site - it would cause Postfix to "trust"
-# your entire provider's network.  Instead, specify an explicit
-# mynetworks list by hand, as described below.
-#
-# Specify "mynetworks_style = host" when Postfix should "trust"
-# only the local machine.
-#
-#mynetworks_style = class
-#mynetworks_style = subnet
-#mynetworks_style = host
-# Alternatively, you can specify the mynetworks list by hand, in
+############################ System Updaten #####################################
-# which case Postfix ignores the mynetworks_style setting.
+dnf update -y
-#
+#################################################################################
-# Specify an explicit list of network/netmask patterns, where the
+;;
-# mask specifies the number of bits in the network part of a host
+esac;
-# address.
+done
-#
+%end
-# You can also specify the absolute pathname of a pattern file instead
+</file>
-# of listing the patterns here. Specify type:table for table-based lookups
-# (the value on the table right-hand side is not used).
-#
-#mynetworks = 168.100.189.0/28, 127.0.0.0/8
-#mynetworks = \$config_directory/mynetworks
-#mynetworks = hash:/etc/postfix/network_table
-# The relay_domains parameter restricts what destinations this system will
+Neben der Grundinstallation eines CentOS 8 Hosts werden wir nun noch folgende Dinge setzen lassen:
-# relay mail to.  See the smtpd_recipient_restrictions description in
+  - **[[centos:rename_nic_c8#grub_bootloader|Bootloader]]** Da wir beim Booten der Maschine detailierte Informationen sehen wollen werden wir die Option **rhgb** in der GRUB-Definition entfernen.
-# postconf(5) for detailed information.
+  - **[[centos:logins_individuell_anpassen|MOTD und ISSUE.NET]]** individualisieren inkl. Hostnamen
-#
+  - **[[centos:ssh_c7#ssh-daemon|SSH-Daemon]]** Den SSH Daemon härten wir und passen die Konfigurationsdatei entsprechend an.
-# By default, Postfix relays mail
+  - **[[centos:ssh_c7#zielverzeichnis_anlegen_und_oeffentlichen_schluessel_kopieren|SSH-Publickey]]** Für unseren Admin-Account **django** hinterlegen wir den zugehörigen öffentlichen SSH-Schlüssel.
-# - from "trusted" clients (IP address matches \$mynetworks) to any destination,
+  - **[[wiki:start#repos|Repositories]]** Statt der öffentlichen, sollen nur noch die lokal gesyncten Repositories verwendet werden; daher macht es auch keinen Sinn die Einträge **''mirrorlist=''** in den entsprechenden repo-filers stehen zu lassen. Zusätzlich zum Standard soll auch noch das Repository **[[centos:epel8|EPEL]]** eingebunden und genutzt werden.
-# - from "untrusted" clients to destinations that match \$relay_domains or
+  - **Update** Zum Schluss stellen wir noch sicher dass alle installierten Pakete in der aktuellsten Version vorliegen und lassen dann das System neu starten.
-#   subdomains thereof, except addresses with sender-specified routing.
-# The default relay_domains value is \$mydestination.
-#
-# In addition to the above, the Postfix SMTP server by default accepts mail
-# that Postfix is final destination for:
-# - destinations that match \$inet_interfaces or \$proxy_interfaces,
-# - destinations that match \$mydestination
-# - destinations that match \$virtual_alias_domains,
-# - destinations that match \$virtual_mailbox_domains.
-# These destinations do not need to be listed in \$relay_domains.
-#
-# Specify a list of hosts or domains, /file/name patterns or type:name
-# lookup tables, separated by commas and/or whitespace.  Continue
-# long lines by starting the next line with whitespace. A file name
-# is replaced by its contents; a type:name table is matched when a
-# (parent) domain appears as lookup key.
-#
-# NOTE: Postfix will not automatically forward mail for domains that
-# list this system as their primary or backup MX host. See the
-# permit_mx_backup restriction description in postconf(5).
-#
-#relay_domains = \$mydestination
-# INTERNET OR INTRANET
+Der Form halber setzen wir dann die Dateiberechtigungen auf **444**
+   # chmod 444 /mnt/iso/isolinux/ks.cfg
-# The relayhost parameter specifies the default host to send mail to
+Damit wir die beim Booten verwendete Datei **''isolinux.cfg''** bearbeiten können passen wir die Dateiberechtigung tempüorär an.
-# when no entry is matched in the optional transport(5) table. When
+   # chmod 644 /mnt/iso/isolinux/isolinux.cfg
-# no relayhost is given, mail is routed directly to the destination.
-#
-# On an intranet, specify the organizational domain name. If your
-# internal DNS uses no MX records, specify the name of the intranet
-# gateway host instead.
-#
-# In the case of SMTP, specify a domain, host, host:port, [host]:port,
-# [address] or [address]:port; the form [host] turns off MX lookups.
-#
-# If you're connected via UUCP, see also the default_transport parameter.
-#
-#relayhost = \$mydomain
-#relayhost = [gateway.my.domain]
-#relayhost = [mailserver.isp.tld]
-#relayhost = uucphost
-#relayhost = [an.ip.add.ress]
-# Django : $DATUM Relayhost auf mx01.nausch.org gesetzt
-# default: unset
-relayhost = dmz.nausch.org
-# REJECTING UNKNOWN RELAY USERS
+Nun können wir den Bootparameter anpassen und die Kickstart-Datei angeben. Dabei setzen wir **''inst.ks=hd:LABEL=CentOS-8-BaseOS-x86_64:/isolinux/ks.cfg''** also den Pafd zur Kickstart-Datei wie auch die beiden nötigen Parameter **''net.ifnames=0''** und **''biosdevname=0''** für die Rückumbenennungh der Netzwerkinterfaces in **ethX**.
-#
+   # vim /mnt/iso/isolinux/isolinux.cfg
-# The relay_recipient_maps parameter specifies optional lookup tables
-# with all addresses in the domains that match \$relay_domains.
-#
-# If this parameter is defined, then the SMTP server will reject
-# mail for unknown relay users. This feature is off by default.
-#
-# The right-hand side of the lookup tables is conveniently ignored.
-# In the left-hand side, specify an @domain.tld wild-card, or specify
-# a user@domain.tld address.
-#
-#relay_recipient_maps = hash:/etc/postfix/relay_recipients
-# INPUT RATE CONTROL
+<code>...
-#
-# The in_flow_delay configuration parameter implements mail input
-# flow control. This feature is turned on by default, although it
-# still needs further development (it's disabled on SCO UNIX due
-# to an SCO bug).
-#
-# A Postfix process will pause for \$in_flow_delay seconds before
-# accepting a new message, when the message arrival rate exceeds the
-# message delivery rate. With the default 100 SMTP server process
-# limit, this limits the mail inflow to 100 messages a second more
-# than the number of messages delivered per second.
-#
-# Specify 0 to disable the feature. Valid delays are 0..10.
-#
-#in_flow_delay = 1s
-# ADDRESS REWRITING
+label linux
-#
+  menu label ^Install CentOS Linux 8.0.1905
-# The ADDRESS_REWRITING_README document gives information about
+  kernel vmlinuz
-# address masquerading or other forms of address rewriting including
+  append initrd=initrd.img inst.ks=hd:LABEL=CentOS-8-BaseOS-x86_64:/isolinux/ks.cfg inst.stage2=hd:LABEL=CentOS-8-BaseOS-x86_64 quiet net.ifnames=0 biosdevname=0
-# username->Firstname.Lastname mapping.
-# ADDRESS REDIRECTION (VIRTUAL DOMAIN)
+...
-#
+<</code>
-# The VIRTUAL_README document gives information about the many forms
-# of domain hosting that Postfix supports.
-# "USER HAS MOVED" BOUNCE MESSAGES
+<WRAP center round important 75%>
-#
+Wichtig ist dabei der Parameter **''LABEL=CentOS-8-BaseOS-x86_64''** \\
-# See the discussion in the ADDRESS_REWRITING_README document.
+Diesen Wert müssen wir später beim Erstellen des eigenen Boot-ISO-Image genau gleich angeben!
+</WRAP>
-# TRANSPORT MAP
+Nun können wir die Dateiberechtigung dieser DAte wieder auf **444** zhurücksetzen.
-#
+   # chmod 444 /mnt/iso/isolinux/isolinux.cfg
-# See the discussion in the ADDRESS_REWRITING_README document.
-# ALIAS DATABASE
+Anschließend packen wir den Inhalt des ursprünglichen ISO-Images mit unserem Kickstart-File wie auch unseren Ändewrungen neu ein. Das LAbel, welches wir zuvor in der Konfigurationsdatei **''isolinux.cfg''** verwendet hatten geben wir hier exakt gleich an!
-#
+   # mkisofs -o ~/CentOS-8-x86_64-1905-local.iso -b isolinux/isolinux.bin -c isolinux/boot.cat -no-emul-boot -boot-load-size 4 -boot-info-table -J -R -V 'CentOS-8-BaseOS-x86_64' .
-# The alias_maps parameter specifies the list of alias databases used
-# by the local delivery agent. The default list is system dependent.
-#
-# On systems with NIS, the default is to search the local alias
-# database, then the NIS alias database. See aliases(5) for syntax
-# details.
-#
-# If you change the alias database, run "postalias /etc/aliases" (or
-# wherever your system stores the mail alias file), or simply run
-# "newaliases" to build the necessary DBM or DB file.
-#
-# It will take a minute or so before changes become visible.  Use
-# "postfix reload" to eliminate the delay.
-#
-#alias_maps = dbm:/etc/aliases
-alias_maps = hash:/etc/aliases
-#alias_maps = hash:/etc/aliases, nis:mail.aliases
-#alias_maps = netinfo:/aliases
-# The alias_database parameter specifies the alias database(s) that
+Bevor wir nun das neu erstellte ISO-IMage verwenden können, ist es noch notwendig diese Date mit einer MD5-Prüfsumme zu versehen.
-# are built with "newaliases" or "sendmail -bi".  This is a separate
+   # implantisomd5 /var/lib/libvirt/boot/CentOS-8-x86_64-1905-local.iso
-# configuration parameter, because alias_maps (see above) may specify
-# tables that are not necessarily all under control by Postfix.
-#
-#alias_database = dbm:/etc/aliases
-#alias_database = dbm:/etc/mail/aliases
-alias_database = hash:/etc/aliases
-#alias_database = hash:/etc/aliases, hash:/opt/majordomo/aliases
-# ADDRESS EXTENSIONS (e.g., user+foo)
+Nun können wir unser eigenes ISO-Image verenden.
-#
-# The recipient_delimiter parameter specifies the separator between
-# user names and address extensions (user+foo). See canonical(5),
-# local(8), relocated(5) and virtual(5) for the effects this has on
-# aliases, canonical, virtual, relocated and .forward file lookups.
-# Basically, the software tries user+foo and .forward+foo before
-# trying user and .forward.
-#
-#recipient_delimiter = +
-# DELIVERY TO MAILBOX
+{{ :centos:pxe_c8:kickstart-iso-8-1.png?nolink&800 |Bild: Bildschirmhardcopy der Installationskonfiguration}}
-#
-# The home_mailbox parameter specifies the optional pathname of a
-# mailbox file relative to a user's home directory. The default
-# mailbox file is /var/spool/mail/user or /var/mail/user.  Specify
-# "Maildir/" for qmail-style delivery (the / is required).
-#
-#home_mailbox = Mailbox
-#home_mailbox = Maildir/
-# The mail_spool_directory parameter specifies the directory where
-# UNIX-style mailboxes are kept. The default setting depends on the
-# system type.
-#
-#mail_spool_directory = /var/mail
-#mail_spool_directory = /var/spool/mail
-# The mailbox_command parameter specifies the optional external
+<WRAP center round tip 80%>
-# command to use instead of mailbox delivery. The command is run as
-# the recipient with proper HOME, SHELL and LOGNAME environment settings.
-# Exception:  delivery for root is done as \$default_user.
-#
-# Other environment variables of interest: USER (recipient username),
-# EXTENSION (address extension), DOMAIN (domain part of address),
-# and LOCAL (the address localpart).
-#
-# Unlike other Postfix configuration parameters, the mailbox_command
-# parameter is not subjected to \$parameter substitutions. This is to
-# make it easier to specify shell syntax (see example below).
-#
-# Avoid shell meta characters because they will force Postfix to run
-# an expensive shell process. Procmail alone is expensive enough.
-#
-# IF YOU USE THIS TO DELIVER MAIL SYSTEM-WIDE, YOU MUST SET UP AN
-# ALIAS THAT FORWARDS MAIL FOR ROOT TO A REAL USER.
-#
-#mailbox_command = /some/where/procmail
-#mailbox_command = /some/where/procmail -a "\$EXTENSION"
-# The mailbox_transport specifies the optional transport in master.cf
+Nachdem wir die Festplattenkonfiguration vorgenommen haben, können wir mit einem Klick auf die Schaltfläche **[  Begin Installation  ]** den Installationsvorgang in Gang setzen.
-# to use after processing aliases and .forward files. This parameter
-# has precedence over the mailbox_command, fallback_transport and
-# luser_relay parameters.
-#
-# Specify a string of the form transport:nexthop, where transport is
-# the name of a mail delivery transport defined in master.cf.  The
-# :nexthop part is optional. For more details see the sample transport
-# configuration file.
-#
-# NOTE: if you use this feature for accounts not in the UNIX password
-# file, then you must update the "local_recipient_maps" setting in
-# the main.cf file, otherwise the SMTP server will reject mail for
-# non-UNIX accounts with "User unknown in local recipient table".
-#
-# Cyrus IMAP over LMTP. Specify ``lmtpunix      cmd="lmtpd"
-# listen="/var/imap/socket/lmtp" prefork=0'' in cyrus.conf.
-#mailbox_transport = lmtp:unix:/var/lib/imap/socket/lmtp
-# If using the cyrus-imapd IMAP server deliver local mail to the IMAP
+{{ :centos:pxe_c8:kickstart-iso-8-2.png?nolink&800 |Bild: Bildschirmhardcopy der Installationskonfiguration}}
-# server using LMTP (Local Mail Transport Protocol), this is prefered
-# over the older cyrus deliver program by setting the
-# mailbox_transport as below:
-#
-# mailbox_transport = lmtp:unix:/var/lib/imap/socket/lmtp
-#
-# The efficiency of LMTP delivery for cyrus-imapd can be enhanced via
-# these settings.
-#
-# local_destination_recipient_limit = 300
-# local_destination_concurrency_limit = 5
-#
-# Of course you should adjust these settings as appropriate for the
-# capacity of the hardware you are using. The recipient limit setting
-# can be used to take advantage of the single instance message store
-# capability of Cyrus. The concurrency limit can be used to control
-# how many simultaneous LMTP sessions will be permitted to the Cyrus
-# message store.
-#
-# Cyrus IMAP via command line. Uncomment the "cyrus...pipe" and
-# subsequent line in master.cf.
-#mailbox_transport = cyrus
-# The fallback_transport specifies the optional transport in master.cf
+Wir sehen nun auch, dass dasroot-Passwort wie auch unser Admin-Acccount bereits gesetzt sind.
-# to use for recipients that are not found in the UNIX passwd database.
-# This parameter has precedence over the luser_relay parameter.
-#
-# Specify a string of the form transport:nexthop, where transport is
-# the name of a mail delivery transport defined in master.cf.  The
-# :nexthop part is optional. For more details see the sample transport
-# configuration file.
-#
-# NOTE: if you use this feature for accounts not in the UNIX password
-# file, then you must update the "local_recipient_maps" setting in
-# the main.cf file, otherwise the SMTP server will reject mail for
-# non-UNIX accounts with "User unknown in local recipient table".
-#
-#fallback_transport = lmtp:unix:/var/lib/imap/socket/lmtp
-#fallback_transport =
-# The luser_relay parameter specifies an optional destination address
+{{ :centos:pxe_c8:kickstart-iso-8-3.png?nolink&800 |Bild: Bildschirmhardcopy der Installationskonfiguration}}
-# for unknown recipients.  By default, mail for unknown@\$mydestination,
-# unknown@[\$inet_interfaces] or unknown@[\$proxy_interfaces] is returned
-# as undeliverable.
-#
-# The following expansions are done on luser_relay: \$user (recipient
-# username), \$shell (recipient shell), \$home (recipient home directory),
-# \$recipient (full recipient address), \$extension (recipient address
-# extension), \$domain (recipient domain), \$local (entire recipient
-# localpart), \$recipient_delimiter. Specify \${name?value} or
-# \${name:value} to expand value only when \$name does (does not) exist.
-#
-# luser_relay works only for the default Postfix local delivery agent.
-#
-# NOTE: if you use this feature for accounts not in the UNIX password
-# file, then you must specify "local_recipient_maps =" (i.e. empty) in
-# the main.cf file, otherwise the SMTP server will reject mail for
-# non-UNIX accounts with "User unknown in local recipient table".
-#
-#luser_relay = \$user@other.host
-#luser_relay = \$local@other.host
-#luser_relay = admin+\$local
-# JUNK MAIL CONTROLS
-#
-# The controls listed here are only a very small subset. The file
-# SMTPD_ACCESS_README provides an overview.
-# The header_checks parameter specifies an optional table with patterns
+Kurz vor dem Ende, also dem Neustart unseres neuen **CentOS 8** Systems bekommen wir auch noch den Hinweis, dass unsere Postinstall-Anweisungen ausgeführt werden.
-# that each logical message header is matched against, including
-# headers that span multiple physical lines.
-#
-# By default, these patterns also apply to MIME headers and to the
-# headers of attached messages. With older Postfix versions, MIME and
-# attached message headers were treated as body text.
-#
-# For details, see "man header_checks".
-#
-#header_checks = regexp:/etc/postfix/header_checks
-# FAST ETRN SERVICE
+{{ :centos:pxe_c8:kickstart-iso-8-5.png?nolink&800 |Bild: Bildschirmhardcopy der Installationskonfiguration}}
-#
-# Postfix maintains per-destination logfiles with information about
-# deferred mail, so that mail can be flushed quickly with the SMTP
-# "ETRN domain.tld" command, or by executing "sendmail -qRdomain.tld".
-# See the ETRN_README document for a detailed description.
-#
-# The fast_flush_domains parameter controls what destinations are
-# eligible for this service. By default, they are all domains that
-# this server is willing to relay mail to.
-#
-#fast_flush_domains = \$relay_domains
-# SHOW SOFTWARE VERSION OR NOT
+Anschließend ist das System unseren Wunschen nach vorbereitet und wir können uns anmelden.
-#
-# The smtpd_banner parameter specifies the text that follows the 220
-# code in the SMTP server's greeting banner. Some people like to see
-# the mail version advertised. By default, Postfix shows no version.
-#
-# You MUST specify \$myhostname at the start of the text. That is an
-# RFC requirement. Postfix itself does not care.
-#
-#smtpd_banner = \$myhostname ESMTP \$mail_name
-#smtpd_banner = \$myhostname ESMTP \$mail_name (\$mail_version)
-# PARALLEL DELIVERY TO THE SAME DESTINATION
+{{ :centos:pxe_c8:kickstart-iso-8-6.png?nolink&400 |Bild: Bildschirmhardcopy CentOS 8 Anmeldebildschirm}}
-#
-# How many parallel deliveries to the same user or domain? With local
-# delivery, it does not make sense to do massively parallel delivery
-# to the same user, because mailbox updates must happen sequentially,
-# and expensive pipelines in .forward files can cause disasters when
-# too many are run at the same time. With SMTP deliveries, 10
-# simultaneous connections to the same domain could be sufficient to
-# raise eyebrows.
-#
-# Each message delivery transport has its XXX_destination_concurrency_limit
-# parameter.  The default is \$default_destination_concurrency_limit for
-# most delivery transports. For the local delivery agent the default is 2.
-#local_destination_concurrency_limit = 2
+Wir können uns nun auch direkt an unserem Host per **''ssh''** verbinden.
-#default_destination_concurrency_limit = 20
+   $ ssh 10.0.0.250
-# DEBUGGING CONTROL
+<code>The authenticity of host '10.0.0.250 (10.0.0.250)' can't be established.
-#
+ED25519 key fingerprint is SHA256:1iT2VKq949WlZrCZ6wQjJggbxKRzEX6F9P+XGkrGx0M.
-# The debug_peer_level parameter specifies the increment in verbose
+Are you sure you want to continue connecting (yes/no)? yes
-# logging level when an SMTP client or server host name or address
+Warning: Permanently added '10.0.0.250' (ED25519) to the list of known hosts.
-# matches a pattern in the debug_peer_list parameter.
+##############################################################################
-#
+#                                                                            #
-debug_peer_level = 2
+#                       This is a private home server.                       #
+#                                                                            #
+#             Unauthorized access to this system is prohibited !             #
+#                                                                            #
+#    This system is actively monitored and all connections may be logged.    #
+#         By accessing this system, you consent to this monitoring.          #
+#                                                                            #
+##############################################################################
+##############################################################################
+#                                                                            #
+#                 This is the home server of Michael Nausch.                 #
+#                                                                            #
+#                            vml000250.nausch.org                            #
+#                                                                            #
+#             Unauthorized access to this system is prohibited !             #
+#                                                                            #
+#    This system is actively monitored and all connections may be logged.    #
+#         By accessing this system, you consent to this monitoring.          #
+#                                                                            #
+##############################################################################
+Last login: Sun Jun 14 22:06:00 2020 from 10.0.0.27</code>
-# The debug_peer_list parameter specifies an optional list of domain
+Die Netzwerkschnittstelle hat entsprechend die gewünschte Bezeichnung erhalten.
-# or network patterns, /file/name patterns or type:name tables. When
+   # ip a
-# an SMTP client or server host name or address matches a pattern,
-# increase the verbose logging level by the amount specified in the
-# debug_peer_level parameter.
-#
-#debug_peer_list = 127.0.0.1
-#debug_peer_list = some.domain
-# The debugger_command specifies the external command that is executed
+<code>1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
-# when a Postfix daemon program is run with the -D option.
+    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
-#
+    inet 127.0.0.1/8 scope host lo
-# Use "command .. & sleep 5" so that the debugger can attach before
+       valid_lft forever preferred_lft forever
-# the process marches on. If you use an X-based debugger, be sure to
+    inet6 ::1/128 scope host
-# set up your XAUTHORITY environment variable before starting Postfix.
+       valid_lft forever preferred_lft forever
-#
+: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
-debugger_command =
+    link/ether 52:54:00:2a:20:c9 brd ff:ff:ff:ff:ff:ff
-	 PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
+    inet 10.0.0.250/24 brd 10.0.0.255 scope global noprefixroute eth0
-	 ddd \$daemon_directory/\$process_name \$process_id & sleep 5
+       valid_lft forever preferred_lft forever
+    inet6 fe80::5054:ff:fe2a:20c9/64 scope link noprefixroute
+       valid_lft forever preferred_lft forever</code>
-# If you can't use X, use this to capture the call stack when a
+Das System ist auch mit den aktuellesten Programmpaketen bestückt.
-# daemon crashes. The result is in a file in the configuration
+   # dnf update
-# directory, and is named after the process name and the process ID.
-#
-# debugger_command =
-#	PATH=/bin:/usr/bin:/usr/local/bin; export PATH; (echo cont;
-#	echo where) | gdb \$daemon_directory/\$process_name \$process_id 2>&1
-#	>\$config_directory/\$process_name.\$process_id.log & sleep 5
-#
-# Another possibility is to run gdb under a detached screen session.
-# To attach to the screen sesssion, su root and run "screen -r
-# <id_string>" where <id_string> uniquely matches one of the detached
-# sessions (from "screen -list").
-#
-# debugger_command =
-#	PATH=/bin:/usr/bin:/sbin:/usr/sbin; export PATH; screen
-#	-dmS \$process_name gdb \$daemon_directory/\$process_name
-#	\$process_id & sleep 1
-# INSTALL-TIME CONFIGURATION INFORMATION
+<code>Last metadata expiration check: 0:58:52 ago on Sun 14 Jun 2020 10:17:48 PM CEST.
-#
+Dependencies resolved.
-# The following parameters are used when installing a new Postfix version.
+Nothing to do.
-#
+Complete!</code>
-# sendmail_path: The full pathname of the Postfix sendmail command.
-# This is the Sendmail-compatible mail posting interface.
-#
-sendmail_path = /usr/sbin/sendmail.postfix
-# newaliases_path: The full pathname of the Postfix newaliases command.
+====== Links ======
-# This is the Sendmail-compatible command to build alias databases.
+  * **[[centos:pxe_c8:start|Zurück zum Kapitel >>PXE-Boot-Server unter CentOS 8.x einrichten<<]]**
-#
+  * **[[wiki:start|Zurück zu Projekte und Themenkapitel]]**
-newaliases_path = /usr/bin/newaliases.postfix
+  * **[[http://dokuwiki.nausch.org/doku.php/|Zurück zur Startseite]]**
-# mailq_path: The full pathname of the Postfix mailq command.  This
-# is the Sendmail-compatible mail queue listing command.
-#
-mailq_path = /usr/bin/mailq.postfix
-# setgid_group: The group for mail submission and queue management
-# commands.  This must be a group name with a numerical group ID that
-# is not shared with other accounts, not even with the Postfix account.
-#
-setgid_group = postdrop
-# html_directory: The location of the Postfix HTML documentation.
-#
-html_directory = no
-# manpage_directory: The location of the Postfix on-line manual pages.
-#
-manpage_directory = /usr/share/man
-# sample_directory: The location of the Postfix sample configuration files.
-# This parameter is obsolete as of Postfix 2.1.
-#
-sample_directory = /usr/share/doc/postfix-2.10.1/samples
-# readme_directory: The location of the Postfix README files.
-#
-readme_directory = /usr/share/doc/postfix-2.10.1/README_FILES
-MAIN.CF
-chown root:root /etc/postfix/main.cf
-chmod 644 /etc/postfix/main.cf
-#################################################################################
-######################### chrony-Clientkonfigurationn ###########################
-rm -f /etc/chrony.conf
-cat <<CHRONY.CONF >/etc/chrony.conf
-# These servers were defined in the installation:
-# Django : $DATUM
-# Definition des hauseigenen NTP-Servers:
-server time.dmz.nausch.org iburst
-# Use public servers from the pool.ntp.org project.
-# Please consider joining the pool (http://www.pool.ntp.org/join.html).
-# Ignore stratum in source selection.
-stratumweight 0
-# Record the rate at which the system clock gains/losses time.
-driftfile /var/lib/chrony/drift
-# Enable kernel RTC synchronization.
-rtcsync
-# In first three updates step the system clock instead of slew
-# if the adjustment is larger than 10 seconds.
-makestep 10 3
-# Allow NTP client access from local network.
-#allow 192.168/16
-# Listen for commands only on localhost.
-bindcmdaddress 127.0.0.1
-# Django : $DATUM
-# default: bindcmdaddress ::1
-# This option allows you to configure the port on which chronyd will listen for NTP requests.
-#
-# The compiled in default is udp/123, the standard NTP port. If set to 0, chronyd will not
-# open the server socket and will operate strictly in a client-only mode. The source port
-# used in NTP client requests can be set by the acquisitionport directive.
-# Django : $DATUM
-# default: unset
-port 0
-# Serve time even if not synchronized to any NTP server.
-#local stratum 10
-keyfile /etc/chrony.keys
-# Specify the key used as password for chronyc.
-commandkey 1
-# Generate command key if missing.
-generatecommandkey
-# Disable logging of client accesses.
-noclientlog
-# Send a message to syslog if a clock adjustment is larger than 0.5 seconds.
-logchange 0.5
-logdir /var/log/chrony
-#log measurements statistics tracking
-CHRONY.CONF
-chown root:root /etc/chrony.conf
-chmod 644 /etc/chrony.conf
-cat <<CHRONYD >/etc/sysconfig/chronyd
-# Django : $DATUM
-# disable IPv6 support
-OPTIONS=-4
-CHRONYD
-chown root:root /etc/sysconfig/chronyd
-chmod 644 /etc/sysconfig/chronyd
-#################################################################################
-;;
-esac;
-done
-%end
-</file>
-Damit nun beim Laden der Menüdatei bei PXE-Boot die überarbeitete Kickstart-Datei geladen werden kann, erweitern wir nun die Menü-Datei unseres PXE-Bootservers.
-   # vim /var/lib/tftpboot/pxelinux.cfg/dmz-64
-Dort tragen wir beim betreffenden **LABEL** die Option **ks** sowie am Ende der Zeile **SERVERNAME=** ein.
-<code>LABEL 3
-   MENU LABEL ^3) Installation von CentOS 7 (64 Bit)
-   KERNEL images/centos/7/x86_64/vmlinuz
-   APPEND ks=http://10.0.0.57/kickstart/ks_centos_7_x86_64_dmz.cfg initrd=images/centos/7/x86_64/initrd.img ramdisk_size=128000 ksdevice=eth0 ip=dhcp --hostname=vml000250.dmz.nausch.org method=http://10.0.0.57/centos/7/os/x86_64 SERVERNAME=
-</code>
-Anschliessend starten wir wie gewohnt unsere virtuelle Maschine.
-{{ :centos:pxe_c7:pxe-boot-menue-004.png?nolink&800 |Bild: Bildschirmhardcopy der Installationskonfiguration}}
-Zum Setzen des Hostnamens wählen wir nun wie gewünscht den betreffenden Menüpunkt aus, drücken dann aber **__NICHT__** die **EINGABETASTE**, sondern die Taste **TAB**! Anschliessend geben wir den Hostnamen ein.
-{{ :centos:pxe_c7:pxe-boot-menue-007.png?nolink&801 |Bild: Bildschirmhardcopy Auswahl PXE Bootmenü}}
-Nach kurzer Wartezeit haben wir ein neues, vorkonfiguriertes und vor allem aktuelles System.
-{{ :centos:pxe_c7:pxe-kickstart-installed-newsystem-002.png?nolink&800 |Bild: Bildschirmhardcopy eines neu mit Kickstart vorbereiteten System}}
-FIXME **//do gehds weida!//**
-==== Bsp. 4: Kickstart für eigene Installationsimages/-ISOs ====