centos:pxe_c8:pxe_2

Unterschiede

Hier werden die Unterschiede zwischen zwei Versionen angezeigt.

Link zu dieser Vergleichsansicht

Beide Seiten der vorigen Revision Vorhergehende Überarbeitung
Nächste Überarbeitung		 Vorhergehende Überarbeitung
centos:pxe_c8:pxe_2 [14.06.2020 12:41. ] – [Bsp. 4: Kickstart für eigene Installationsimages/-ISOs] djangocentos:pxe_c8:pxe_2 [12.10.2024 12:46. ] (aktuell) – Deppenapostroph entfernt django
Zeile 40: Zeile 40:
  
 <WRAP center round important 90%> <WRAP center round important 90%>
-Ferner ist zu beachten, dass viele sehr individuelle Konfigurationswünsche, wie z.B. LVM-Konfigurationen bzw, aufwändige Partitionierungen meist nur manuell in einer Kickstart-Datei konfiguriert werden können! Nich alles lässt sich mittels automatisierter GUIs abbilden!+Ferner ist zu beachten, dass viele sehr individuelle Konfigurationswünsche, wie z.B. LVM-Konfigurationen bzw, aufwändige Partitionierungen meist nur manuell in einer Kickstart-Datei konfiguriert werden können! Nicht alles lässt sich mittels automatisierter GUIs abbilden!
 </WRAP> </WRAP>
  
Zeile 748: Zeile 748:
 ################################################################################# #################################################################################
  
-####################### Django'ssh-pubkey hinterlegen #########################+####################### Djangos ssh-pubkey hinterlegen #########################
 mkdir /home/django/.ssh mkdir /home/django/.ssh
 chmod 700 /home/django/.ssh chmod 700 /home/django/.ssh
Zeile 982: Zeile 982:
  
 ==== Bsp. 4: Kickstart für eigene Installationsimages/-ISOs ==== ==== Bsp. 4: Kickstart für eigene Installationsimages/-ISOs ====
 +Beim letzten Konfigurationsbeispiel gehen wir davon aus, dass wir unseren CentOS 8 Host nicht via PXE-Boot betanken können, sondern über den Umweg eines ISO-Files. Ntürlich wollen wir auch hier den Installations und anschließenden grundlegenden Erstkonfiguirationsaufwand möglichst gering halten.
  
-<WRAP center round todo 35%> +Wir werden also unsere Kickstart-Datei in das vorhandene ***[[http://isoredirect.centos.org/centos/8/isos/x86_64/CentOS-8.1.1911-x86_64-dvd1.iso|CentOS 8 Iso Image]]** packen. 
-\\ FIXME **//... do geds weida!//** FIXME+ 
 +Zum Packen des iso-Images benötigen wir das Programm aus dem RPM-Paket **genisoimage**. Zum Validieren der Kickstart-Datei benötigen wir das Programm **''ksvalidator''** aus dem RPM-Paket **pykickstart**, zum Packen des iso-Images benötigen wir das Programm aus dem RPM-Paket **genisoimage** und letztendlich zum Hinzufügen der md5sum zum Iso Image das Programm **''implantisomd5''** aus dem RPM **isomd5sum**. 
 + 
 +Zunächst installieren wir, falls noch nicht im System vorhanden die drei RPM. 
 +   # dnf install genisoimage pykickstart isomd5sum -y 
 + 
 +Dann holen wir uns das ISO-Image auf unsere Admin-Workstation. 
 +   # wget http://isoredirect.centos.org/centos/8/isos/x86_64/CentOS-8.1.1911-x86_64-dvd1.iso 
 + 
 +Damit wir den Inhalt dieser ISO-Installations-DVD nach unseren Wünschen anpassen können werden wir diese Datei in unser Dateisystem einbinden. Den entsprechenden Pfad definieren wir uns nun noch. 
 +   # mkdir /mnt/iso 
 + 
 +Nun mounten wir das ISO-Image. 
 +   #  mount -o CentOS-8.1.1911-x86_64-dvd1.iso /mnt/iso 
 + 
 +Anschließend wechseln wir in das Verzeichnis **''/mnt/iso''**, also der gemountete ISO-Datei. 
 + 
 +Im Verzeichnis **isolinux** legen wir dann unser Kickstartfile **''ks.cfg''** ab. 
 +   # vim /mnt/iso/isolinux/ks.cfg 
 +<file bash /mnt/iso/isolinux.cfg># Django 2020-06-14 Kickstart-Datei zum automatischen Betanken von DMZ-Maschinen (64 Bit) aus einem iso-image 
 +# Version=CentOS 8 (RHEL 8)#version=RHEL8 
 + 
 +# Tastaturlayout definieren 
 +keyboard --vckeymap=de-nodeadkeys --xlayouts='de (nodeadkeys)' 
 + 
 +# Systemsprache setzen 
 +lang en_US.UTF-8 
 + 
 +# Definition der Netzwerkeinstellungen 
 +network  --bootproto=static --device=eth0 --gateway=10.0.0.17 --ip=10.0.0.250 --nameserver=10.0.0.27 --netmask=255.255.255.0 --ipv6=auto --activate 
 +network  --hostname=vml000250.dmz.nausch.org 
 + 
 +# Zeitzone setzen 
 +timezone Europe/Berlin --isUtc --ntpservers=time.dmz.nausch.org 
 +services --enabled="chronyd" 
 + 
 +# Installationsquelle setzen (eigenes ISO-Image) 
 +repo --name="AppStream" --baseurl=file:///run/install/repo/AppStream 
 +cdrom 
 + 
 +# Root-Passwort verschlüsselt vorgeben 
 +rootpw --iscrypted $6$Z46HtZ/aLHbA19p$WVsutOEqe0m0e97lgEreKUzfkAEFzFSR0Hj8RFN8MHqWjPqk7PkJeQ9mIcTGtdutFnFVdFzFSR0KhrdGwUdAn01 
 + 
 +# Default-Benutzerkonto anlegen 
 +user --name=django --password=$6$2.fGKBeQa18GE6XwDMXG6$QX/j.TfZXk0bBuoJ8GE6XMXRZYz/4pEE6PuwkubaDmteRAAerLVKK69EF30d1K/f1d/sUEqbF9FJBulc/ --iscrypted --gecos="Bastard Operator from Hell" 
 + 
 +# vorhandene Partitionen löschen 
 +#ignoredisk --only-use=sda 
 +clearpart --none --initlabel 
 +# autopart --type=lvm 
 + 
 +# GUI für Installation verwendengraphical 
 +graphical 
 + 
 +# Kein X Window System konfigurieren, da dieses nicht installiert wird 
 +skipx 
 + 
 +# Reboot nach der Installation ausführen 
 +reboot 
 + 
 +%packages 
 +@^minimal-environment 
 +-iwl*firmware 
 +vim 
 +bash-completion 
 +bind-utils 
 +wget 
 +telnet 
 +net-tools 
 +lsof 
 +%end 
 + 
 +%addon com_redhat_kdump --disable --reserve-mb='auto' 
 + 
 +%end 
 + 
 +%anaconda 
 +pwpolicy root --minlen=6 --minquality=1 --notstrict --nochanges --notempty 
 +pwpolicy user --minlen=6 --minquality=1 --notstrict --nochanges --emptyok 
 +pwpolicy luks --minlen=6 --minquality=1 --notstrict --nochanges --notempty 
 +%end 
 + 
 +# Postinstall-Anweisungen 
 +%post --log=/root/anaconda-postinstall.log 
 +#!/bin/bash 
 +#DATUM=$(date +"%Y-%m-%d"
 +#for x in `cat /proc/cmdline`; do 
 +#case $x in SERVERNAME*) 
 +#eval $x 
 + 
 +############ bootloader anpassen, rhgb bei den Bootoptionen entfernen ########### 
 +sed -i 's/rhgb//g' /etc/default/grub 
 +grub2-mkconfig -o /boot/grub2/grub.cfg 
 +################################################################################# 
 + 
 +######################## MOTD und ISSUE.NET individualisieren ################### 
 +# /etc/issue.net anlegen 
 +cat <<ISSUE.NET /etc/issue.net 
 +############################################################################## 
 +#                                                                            # 
 +#                       This is a private home server.                       # 
 +#                                                                            # 
 +#             Unauthorized access to this system is prohibited !             # 
 +#                                                                            # 
 +#    This system is actively monitored and all connections may be logged.    # 
 +#         By accessing this system, you consent to this monitoring.          # 
 +#                                                                            # 
 +############################################################################## 
 +ISSUE.NET 
 + 
 +chown root:root /etc/issue.net 
 +chmod 644 /etc/issue.net 
 + 
 +# /etc/motd anlegen 
 +cat <<MOTD > /etc/motd 
 +############################################################################## 
 +#                                                                            # 
 +#                 This is the home server of Michael Nausch.                 # 
 +#                                                                            # 
 +#                             vml00250.nausch.org                            # 
 +#                                                                            # 
 +#             Unauthorized access to this system is prohibited !             # 
 +#                                                                            # 
 +#    This system is actively monitored and all connections may be logged.    # 
 +#         By accessing this system, you consent to this monitoring.          # 
 +#                                                                            # 
 +############################################################################## 
 +MOTD 
 + 
 +chown root:root /etc/motd 
 +chmod 644 /etc/motd 
 +################################################################################# 
 + 
 +########################### ssh-daemon konfigurieren ############################ 
 +cp -a /etc/ssh/sshd_config /etc/ssh/sshd_config.orig 
 +cat <<SSHD_CONFIG > /etc/ssh/sshd_config 
 +# $OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $ 
 + 
 +# This is the sshd server system-wide configuration file.  See 
 +# sshd_config(5) for more information. 
 + 
 +# This sshd was compiled with PATH=/usr/local/bin:/usr/bin:/usr/local/sbin:/usr/sbin 
 + 
 +# The strategy used for options in the default sshd_config shipped with 
 +# OpenSSH is to specify options with their default value where 
 +# possible, but leave them commented.  Uncommented options override the 
 +# default value. 
 + 
 +# If you want to change the port on a SELinux system, you have to tell 
 +# SELinux about this change. 
 +# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER 
 +
 +# Specifies which address family should be used by sshd(8). Valid arguments 
 +# are ''any'', ''inet'' (use IPv4 only), or ''inet6'' (use IPv6 only). 
 +#AddressFamily any 
 + 
 +# Specifies the local addresses sshd(8) should listen on. The following  
 +# forms may be used: 
 +#                   ListenAddress host|IPv4_addr|IPv6_addr 
 +#                   ListenAddress host|IPv4_addr:port 
 +#                   ListenAddress [host|IPv6_addr]:port 
 +# If port is not specified, sshd will listen on the address and all prior  
 +# Port options specified. The default is to listen on all local addresses.  
 +# Multiple ListenAddress options are permitted. Additionally, any Port  
 +# options must precede this option for non-port qualified addresses. 
 +#Port 22 
 +#ListenAddress 0.0.0.0 
 +#ListenAddress :: 
 + 
 +# Specifies a file containing a private host key used by SSH. The default  
 +# is /etc/ssh/ssh_host_key for protocol version 1, and  
 +# /etc/ssh/ssh_host_rsa_key and /etc/ssh/ssh_host_dsa_key for protocol  
 +# version 2. Note that sshd(8) will refuse to use a file if it is  
 +# group/world-accessible. It is possible to have multiple host key files. 
 +# ''rsa1'' keys are used for version 1 and ''dsa'' or ''rsa'' are used for 
 +# version 2 of the SSH protocol.  
 +HostKey /etc/ssh/ssh_host_ed25519_key 
 + 
 +# Specifies the ciphers allowed for protocol version 2. Multiple ciphers  
 +# must be comma-separated. The supported ciphers are ''3des-cbc'',  
 +# ''aes128-cbc'', ''aes192-cbc'', ''aes256-cbc'', ''aes128-ctr'',  
 +# ''aes192-ctr'', ''aes256-ctr'', ''arcfour128'', ''arcfour256'',  
 +# ''arcfour'', ''blowfish-cbc'', and ''cast128-cbc''
 +Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr 
 + 
 +# MACs' Specifies the available MAC (message authentication code)  
 +# algorithms. The MAC algorithm is used in protocol version 2 for data  
 +# integrity protection. Multiple algorithms must be comma-separated. 
 +MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256 
 + 
 +# Specifies the available KEX (Key Exchange) algorithms. Multiple  
 +# algorithms must be comma-separated. For ineroperability with Eclipse  
 +# and WinSCP):  
 +# KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256 
 +# If needed, open /etc/ssh/moduli if exists, and delete lines where the  
 +# 5th column is less than 2000. 
 +#   awk '$5 > 2000' /etc/ssh/moduli > "${HOME}/moduli" 
 +#   wc -l "${HOME}/moduli" 
 +# make sure there is something left 
 +#   mv "${HOME}/moduli" /etc/ssh/moduli 
 +
 +KexAlgorithms curve25519-sha256@libssh.org 
 + 
 +# Ciphers and keying 
 +#RekeyLimit default none 
 + 
 +# System-wide Crypto policy: 
 +# This system is following system-wide crypto policy. The changes to 
 +# Ciphers, MACs, KexAlgoritms and GSSAPIKexAlgorithsm will not have any 
 +# effect here. They will be overridden by command-line options passed on 
 +# the server start up. 
 +# To opt out, uncomment a line with redefinition of  CRYPTO_POLICY= 
 +# variable in  /etc/sysconfig/sshd  to overwrite the policy. 
 +# For more information, see manual page for update-crypto-policies(8). 
 + 
 +# Logging 
 +# Gives the facility code that is used when logging messages from sshd(8).  
 +# The possible values are: DAEMON, USER, AUTH, AUTHPRIV, LOCAL0, LOCAL1,  
 +# LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.  
 +SyslogFacility AUTHPRIV 
 + 
 +# Gives the verbosity level that is used when logging messages from sshd(8). 
 +# The possible values are: QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG,  
 +# DEBUG1, DEBUG2, and DEBUG3. The default is INFO. DEBUG and DEBUG1 are  
 +# equivalent. DEBUG2 and DEBUG3 each specify higher levels of debugging  
 +# output. Logging with a DEBUG level violates the privacy of users and is  
 +# not recommended. 
 +# LogLevel VERBOSE logs user's key fingerprint on login. Needed to have a  
 +# clear audit track of which key was using to log in. 
 +LogLevel VERBOSE 
 + 
 +# Authentication: 
 +# The server disconnects after this time if the user has not successfully  
 +# logged in. If the value is 0, there is no time limit. 
 +LoginGraceTime 0 
 + 
 +# Specifies whether root can log in using ssh(1). The argument must be  
 +# ''yes'', ''without-password'', ''forced-commands-only'', or ''no''.  
 +# The default is ''yes''. If this option is set to ''without-password'',  
 +# password authentication is disabled for root. If this option is set to 
 +# ''forced-commands-only'', root login with public key authentication will  
 +# be allowed, but only if the command option has been specified (which  
 +# may be useful for taking remote backups even if root login is normally  
 +# not allowed). All other authentication methods are disabled for root. 
 +# If this option is set to ''no'', root is not allowed to log in.   
 +PermitRootLogin no 
 + 
 +# This keyword can be followed by a list of user name patterns, separated  
 +# by spaces. If specified, login is allowed only for user names that match  
 +# one of the patterns. Only user names are valid; a numerical user ID is  
 +# not recognized. By default, login is allowed for all users. If the pattern 
 +# takes the form USER@HOST then USER and HOST are separately checked,  
 +# restricting logins to particular users from particular hosts. The  
 +# allow/deny directives are processed in the following order:  
 +# DenyUsers, AllowUsers, DenyGroups, and finally AllowGroups.  
 +AllowUsers django 
 + 
 +# Specifies whether sshd(8) should check file modes and ownership of the  
 +# user's files and home directory before accepting login. This is normally  
 +# desirable because novices sometimes accidentally leave their directory  
 +# or files world-writable. 
 +StrictModes yes 
 + 
 +# Specifies the maximum number of authentication attempts permitted per  
 +# connection. Once the number of failures reaches half this value,  
 +# additional failures are logged. 
 +MaxAuthTries 10 
 + 
 +# Specifies the maximum number of open sessions permitted per network  
 +# connection. 
 +MaxSessions 10 
 + 
 +# Specifies the file that contains the public keys that can be used for  
 +# user authentication. AuthorizedKeysFile may contain tokens of the form 
 +# %T which are substituted during connection setup. The following tokens 
 +# are defined: %% is replaced by a literal '%', %h is replaced by the  
 +# home directory of the user being authenticated, and %u is replaced by 
 +# the username of that user. After expansion, AuthorizedKeysFile is 
 +# taken to be an absolute path or one relative to the user's home directory. 
 +AuthorizedKeysFile      .ssh/authorized_keys 
 + 
 +# Specifies whether public key authentication is allowed. The default is  
 +# ''yes''. Note that this option applies to protocol version 2 only. 
 +PubkeyAuthentication yes 
 + 
 + 
 +#AuthorizedPrincipalsFile none 
 +#AuthorizedKeysCommand none 
 +#AuthorizedKeysCommandUser nobody 
 + 
 +# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts 
 +#HostbasedAuthentication no 
 +# Change to yes if you don't trust ~/.ssh/known_hosts for 
 +# HostbasedAuthentication 
 +#IgnoreUserKnownHosts no 
 +# Don't read the user's ~/.rhosts and ~/.shosts files 
 +#IgnoreRhosts yes 
 + 
 +# To disable tunneled clear text passwords, change to no here! 
 +#PasswordAuthentication yes 
 +#PermitEmptyPasswords no 
 + 
 +# Specifies whether password authentication is allowed. To disable tunneled  
 +# clear text passwords, change to no here! 
 +PasswordAuthentication no 
 + 
 +# Specifies whether challenge-response authentication is allowed  
 +# (e.g. via PAM or though authentication styles supported in login.conf(5)) 
 +# Change to no to disable s/key passwords 
 +ChallengeResponseAuthentication no 
 + 
 +# Kerberos options 
 +#KerberosAuthentication no 
 +#KerberosOrLocalPasswd yes 
 +#KerberosTicketCleanup yes 
 +#KerberosGetAFSToken no 
 +#KerberosUseKuserok yes 
 + 
 +# Specifies whether user authentication based on GSSAPI is allowed. 
 +GSSAPIAuthentication yes 
 + 
 +# Specifies whether key exchange based on GSSAPI is allowed. GSSAPI key  
 +# exchange doesn't rely on ssh keys to verify host identity.  
 +#GSSAPIKeyExchange no 
 + 
 +# Specifies whether to automatically destroy the user's credentials cache  
 +# on logout. 
 +GSSAPICleanupCredentials no 
 + 
 +# Determines whether to be strict about the identity of the GSSAPI acceptor  
 +# a client authenticates against. If ''yes'' then the client must authenticate 
 +# against the host service on the current hostname. If ''no'' then the client  
 +# may authenticate against any service key stored in the machine's default 
 +# store. This facility is provided to assist with operation on multi homed  
 +# machines. The default is ''yes''. Note that this option applies only to  
 +# protocol version 2 GSSAPI connections, and setting it to ''no'' may only  
 +# work with recent Kerberos GSSAPI libraries. 
 +#GSSAPIStrictAcceptorCheck yes 
 + 
 +#GSSAPIEnablek5users no 
 + 
 +# Set this to 'yes' to enable PAM authentication, account processing, 
 +# and session processing. If this is enabled, PAM authentication will 
 +# be allowed through the ChallengeResponseAuthentication and 
 +# PasswordAuthentication.  Depending on your PAM configuration, 
 +# PAM authentication via ChallengeResponseAuthentication may bypass 
 +# the setting of "PermitRootLogin without-password"
 +# If you just want the PAM account and session checks to run without 
 +# PAM authentication, then enable this but set PasswordAuthentication 
 +# and ChallengeResponseAuthentication to 'no'
 +# WARNING: 'UsePAM no' is not supported in Fedora and may cause several 
 +# problems. 
 +UsePAM yes 
 + 
 +# Specifies whether X11 forwarding is permitted. The argument must be  
 +# ''yes'' or ''no''. The default is ''no''
 +# When X11 forwarding is enabled, there may be additional exposure to the 
 +# server and to client displays if the sshd(8) proxy display is configured 
 +# to listen on the wildcard address (see X11UseLocalhost below), though this 
 +# is not the default. Additionally, the authentication spoofing and  
 +# authentication data verification and substitution occur on the client side. 
 +# The security risk of using X11 forwarding is that the client's X11 display 
 +# server may be exposed to attack when the SSH client requests forwarding  
 +# (see the warnings for ForwardX11 in ssh_config(5)). A system administrator 
 +# may have a stance in which they want to protect clients that may expose 
 +# themselves to attack by unwittingly requesting X11 forwarding, which can  
 +# warrant a ''no'' setting. Note that disabling X11 forwarding does not  
 +# prevent users from forwarding X11 traffic, as users can always install  
 +# their own forwarders. X11 forwarding is automatically disabled if UseLogin 
 +# is enabled.  
 +X11Forwarding yes 
 + 
 +# Specifies the first display number available for sshd(8)'s X11 forwarding. 
 +# This prevents sshd from interfering with real X11 servers.  
 +# The default is 10. 
 +#X11DisplayOffset 10 
 + 
 +# Specifies whether sshd(8) should bind the X11 forwarding server to the  
 +# loopback address or to the wildcard address. By default, sshd binds the 
 +# forwarding server to the loopback address and sets the hostname part of 
 +# the DISPLAY environment variable to ''localhost''. This prevents remote 
 +# hosts from connecting to the proxy display. However, some older X11 clients 
 +# may not function with this configuration. X11UseLocalhost may be set to  
 +# ''no'' to specify that the forwarding server should be bound to the  
 +# wildcard address. The argument must be ''yes'' or ''no''. The default is  
 +# ''yes''
 +#X11UseLocalhost yes 
 + 
 +# Specifies whether ssh-agent(1) forwarding is permitted. The default is  
 +# ''yes''. Note that disabling agent forwarding does not improve security  
 +# unless users are also denied shell access, as they can always install  
 +# their own forwarders. 
 +#AllowAgentForwarding yes 
 + 
 +# Specifies whether TCP forwarding is permitted. The default is ''yes''.  
 +# Note that disabling TCP forwarding does not improve security unless users 
 +# are also denied shell access, as they can always install their own  
 +# forwarders.  
 +#AllowTcpForwarding yes 
 + 
 +# Specifies whether remote hosts are allowed to connect to ports forwarded 
 +# for the client. By default, sshd(8) binds remote port forwardings to the 
 +# loopback address. This prevents other remote hosts from connecting to  
 +# forwarded ports. GatewayPorts can be used to specify that sshd should  
 +# allow remote port forwardings to bind to non-loopback addresses, thus  
 +# allowing other hosts to connect. The argument may be ''no'' to force  
 +# remote port forwardings to be available to the local host only, ''yes'' 
 +# to force remote port forwardings to bind to the wildcard address, or  
 +# ''clientspecified'' to allow the client to select the address to which  
 +# the forwarding is bound. The default is ''no''.  
 +#GatewayPorts no 
 + 
 +#PermitTTY yes 
 + 
 +# It is recommended to use pam_motd in /etc/pam.d/sshd instead of PrintMotd, 
 +# as it is more configurable and versatile than the built-in version. 
 +PrintMotd no 
 + 
 +#PrintLastLog yes 
 +#TCPKeepAlive yes 
 +#PermitUserEnvironment no 
 +#Compression delayed 
 +#ClientAliveInterval 0 
 +#ClientAliveCountMax 3 
 +#ShowPatchLevel no 
 +#UseDNS no 
 +#PidFile /var/run/sshd.pid 
 +#MaxStartups 10:30:100 
 +#PermitTunnel no 
 +#ChrootDirectory none 
 +#VersionAddendum none 
 + 
 +# The contents of the specified file are sent to the remote user before  
 +# authentication is allowed.  
 +Banner /etc/issue.net 
 + 
 +# Accept locale-related environment variables 
 +AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES 
 +AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT 
 +AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE 
 +AcceptEnv XMODIFIERS 
 + 
 +# Configures an external subsystem (e.g. file transfer daemon). Arguments  
 +# should be a subsystem name and a command (with optional arguments) to  
 +# execute upon subsystem request. Log sftp level file access  
 +# (read/write/etc.) that would not be easily logged otherwise. 
 +Subsystem sftp /usr/libexec/openssh/sftp-server 
 + 
 +# Example of overriding settings on a per-user basis 
 +#Match User anoncvs 
 +# X11Forwarding no 
 +# AllowTcpForwarding no 
 +# PermitTTY no 
 +# ForceCommand cvs server 
 +SSHD_CONFIG 
 +chown root:root /etc/ssh/sshd_config 
 +chmod 600 /etc/ssh/sshd_config 
 +################################################################################# 
 + 
 +####################### Djangos ssh-pubkey hinterlegen ######################### 
 +mkdir /home/django/.ssh 
 +chmod 700 /home/django/.ssh 
 +chown django:django /home/django/.ssh 
 +cat <<AUTHORIZED_KEYS >/home/django/.ssh/authorized_keys 
 +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDYjDCtBTfrpbHHkRrqHOkhsMagrrD5d+IbkU6ddoBSp django@nausch.org 
 +AUTHORIZED_KEYS 
 +chmod 644 /home/django/.ssh/authorized_keys 
 +chown django:django /home/django/.ssh/authorized_keys 
 +################################################################################# 
 + 
 +############### lokales gespiegeltes CentOS-Repository benutzen ################# 
 +cp -a /etc/yum.repos.d/CentOS-AppStream.repo /etc/yum.repos.d/CentOS-AppStream.repo.orig 
 +cat <<CENTOS-APPSTREAM > /etc/yum.repos.d/epel-modular.repo 
 +# CentOS-AppStream.repo 
 +
 +# The mirror system uses the connecting IP address of the client and the 
 +# update status of each mirror to pick mirrors that are updated to and 
 +# geographically close to the client.  You should use this for CentOS updates 
 +# unless you are manually picking other mirrors. 
 +
 +# If the mirrorlist= does not work for you, as a fall back you can try the 
 +# remarked out baseurl= line instead. 
 +
 +
 + 
 +[AppStream] 
 +name=CentOS-\$releasever - AppStream 
 +baseurl=http://10.0.0.57/centos/\$releasever/AppStream/\$basearch/os/ 
 +gpgcheck=1 
 +enabled=1 
 +gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial 
 +CENTOS-APPSTREAM 
 +chown root:root /etc/yum.repos.d/CentOS-AppStream.repo 
 +chmod 644 /etc/yum.repos.d/CentOS-AppStream.repo 
 + 
 +cp -a /etc/yum.repos.d/CentOS-Base.repo /etc/yum.repos.d/CentOS-Base.repo.orig 
 +cat <<CENTOS-BASE > /etc/yum.repos.d/CentOS-Base.repo 
 +# CentOS-Base.repo 
 +
 +# The mirror system uses the connecting IP address of the client and the 
 +# update status of each mirror to pick mirrors that are updated to and 
 +# geographically close to the client.  You should use this for CentOS updates 
 +# unless you are manually picking other mirrors. 
 +
 +# If the mirrorlist= does not work for you, as a fall back you can try the 
 +# remarked out baseurl= line instead. 
 +
 +
 + 
 +[BaseOS] 
 +name=CentOS-\$releasever - Base 
 +baseurl=http://10.0.0.57/centos/\$releasever/BaseOS/\$basearch/os/ 
 +gpgcheck=1 
 +enabled=1 
 +gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial 
 +CENTOS-BASE 
 +chown root:root /etc/yum.repos.d/CentOS-AppStream.repo 
 +chmod 644 /etc/yum.repos.d/CentOS-AppStream.repo 
 + 
 +cp -a /etc/yum.repos.d/CentOS-Extras.repo /etc/yum.repos.d/CentOS-Extras.repo.orig 
 +cat <<CENTOS-EXTRAS > /etc/yum.repos.d/CentOS-Extras.repo 
 +# CentOS-Extras.repo 
 +
 +# The mirror system uses the connecting IP address of the client and the 
 +# update status of each mirror to pick mirrors that are updated to and 
 +# geographically close to the client.  You should use this for CentOS updates 
 +# unless you are manually picking other mirrors. 
 +
 +# If the mirrorlist= does not work for you, as a fall back you can try the 
 +# remarked out baseurl= line instead. 
 +
 +
 + 
 +#additional packages that may be useful 
 +[extras] 
 +name=CentOS-\$releasever - Extras 
 +baseurl=http://10.0.0.57/centos/\$releasever/extras/\$basearch/os/ 
 +gpgcheck=1 
 +enabled=1 
 +gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial 
 +CENTOS-EXTRAS 
 +chown root:root /etc/yum.repos.d/CentOS-Extras.repo 
 +chmod 644 /etc/yum.repos.d/CentOS-Extras.repo 
 +################################################################################# 
 + 
 +###### EPEL installieren und lokales gespiegeltes EPEL-Repository benutzen ###### 
 +dnf install epel-release -y 
 +rpm --import https://dl.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL- 
 + 
 +cp -a /etc/yum.repos.d/epel-modular.repo /etc/yum.repos.d/epel-modular.repo.orig 
 +cat <<EPEL-MODULAR > /etc/yum.repos.d/epel-modular.repo 
 +[epel-modular] 
 +name=Extra Packages for Enterprise Linux Modular \$releasever - \$basearch 
 +baseurl=http://10.0.0.57/epel/\$releasever/Modular/\$basearch 
 +enabled=1 
 +gpgcheck=1 
 +gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-8 
 + 
 +[epel-modular-debuginfo] 
 +name=Extra Packages for Enterprise Linux Modular \$releasever - \$basearch - Debug 
 +baseurl=http://10.0.0.57/epel/\$releasever/Modular/\$basearch/debug 
 +enabled=0 
 +gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-8 
 +gpgcheck=1 
 + 
 +[epel-modular-source] 
 +name=Extra Packages for Enterprise Linux Modular \$releasever - \$basearch - Source 
 +baseurl=http://10.0.0.57/epel/\$releasever/Modular/\$basearch/SRPMS 
 +enabled=0 
 +gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-8 
 +gpgcheck=1 
 + 
 +EPEL-MODULAR 
 +chown root:root /etc/yum.repos.d/epel-modular.repo 
 +chmod 644 /etc/yum.repos.d/epel-modular.repo 
 + 
 +cp -a /etc/yum.repos.d/epel.repo /etc/yum.repos.d/epel.repo.orig 
 +cat <<EPEL > /etc/yum.repos.d/epel.repo 
 +[epel] 
 +name=Extra Packages for Enterprise Linux \$releasever - \$basearch 
 +baseurl=http://10.0.0.57/epel/\$releasever/Everything/\$basearch 
 +enabled=1 
 +gpgcheck=1 
 +gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-8 
 + 
 +[epel-debuginfo] 
 +name=Extra Packages for Enterprise Linux \$releasever - \$basearch - Debug 
 +baseurl=http://10.0.0.57/epel/\$releasever/Everything/\$basearch/debug 
 +enabled=0 
 +gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-8 
 +gpgcheck=1 
 + 
 +[epel-source] 
 +name=Extra Packages for Enterprise Linux \$releasever - \$basearch - Source 
 +baseurl=http://10.0.0.57/epel/\$releasever/Everything/SRPMS 
 +enabled=0 
 +gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-8 
 +gpgcheck=1 
 +EPEL 
 +chown root:root /etc/yum.repos.d/epel.repo 
 +chmod 644 /etc/yum.repos.d/epel.repo 
 +################################################################################# 
 + 
 +############################ System Updaten ##################################### 
 +dnf update -y 
 +################################################################################# 
 +;; 
 +esac; 
 +done 
 +%end 
 +</file> 
 + 
 +Neben der Grundinstallation eines CentOS 8 Hosts werden wir nun noch folgende Dinge setzen lassen: 
 +  - **[[centos:rename_nic_c8#grub_bootloader|Bootloader]]** Da wir beim Booten der Maschine detailierte Informationen sehen wollen werden wir die Option **rhgb** in der GRUB-Definition entfernen. 
 +  - **[[centos:logins_individuell_anpassen|MOTD und ISSUE.NET]]** individualisieren inkl. Hostnamen 
 +  - **[[centos:ssh_c7#ssh-daemon|SSH-Daemon]]** Den SSH Daemon härten wir und passen die Konfigurationsdatei entsprechend an. 
 +  - **[[centos:ssh_c7#zielverzeichnis_anlegen_und_oeffentlichen_schluessel_kopieren|SSH-Publickey]]** Für unseren Admin-Account **django** hinterlegen wir den zugehörigen öffentlichen SSH-Schlüssel. 
 +  - **[[wiki:start#repos|Repositories]]** Statt der öffentlichen, sollen nur noch die lokal gesyncten Repositories verwendet werden; daher macht es auch keinen Sinn die Einträge **''mirrorlist=''** in den entsprechenden repo-filers stehen zu lassen. Zusätzlich zum Standard soll auch noch das Repository **[[centos:epel8|EPEL]]** eingebunden und genutzt werden.  
 +  - **Update** Zum Schluss stellen wir noch sicher dass alle installierten Pakete in der aktuellsten Version vorliegen und lassen dann das System neu starten. 
 + 
 +Der Form halber setzen wir dann die Dateiberechtigungen auf **444** 
 +   # chmod 444 /mnt/iso/isolinux/ks.cfg 
 + 
 +Damit wir die beim Booten verwendete Datei **''isolinux.cfg''** bearbeiten können passen wir die Dateiberechtigung tempüorär an. 
 +   # chmod 644 /mnt/iso/isolinux/isolinux.cfg 
 + 
 +Nun können wir den Bootparameter anpassen und die Kickstart-Datei angeben. Dabei setzen wir **''inst.ks=hd:LABEL=CentOS-8-BaseOS-x86_64:/isolinux/ks.cfg''** also den Pafd zur Kickstart-Datei wie auch die beiden nötigen Parameter **''net.ifnames=0''** und **''biosdevname=0''** für die Rückumbenennungh der Netzwerkinterfaces in **ethX**. 
 +   # vim /mnt/iso/isolinux/isolinux.cfg 
 + 
 +<code>... 
 + 
 +label linux 
 +  menu label ^Install CentOS Linux 8.0.1905 
 +  kernel vmlinuz 
 +  append initrd=initrd.img inst.ks=hd:LABEL=CentOS-8-BaseOS-x86_64:/isolinux/ks.cfg inst.stage2=hd:LABEL=CentOS-8-BaseOS-x86_64 quiet net.ifnames=0 biosdevname=0 
 + 
 +... 
 +<</code>   
 + 
 +<WRAP center round important 75%> 
 +Wichtig ist dabei der Parameter **''LABEL=CentOS-8-BaseOS-x86_64''** \\ 
 +Diesen Wert müssen wir später beim Erstellen des eigenen Boot-ISO-Image genau gleich angeben!
 </WRAP> </WRAP>
  
-/*+Nun können wir die Dateiberechtigung dieser DAte wieder auf **444** zhurücksetzen. 
 +   # chmod 444 /mnt/iso/isolinux/isolinux.cfg
  
-   mkdir -/srv/kickstart/build/isolinux/{images,ks,LiveOS,Packages,postinstall}+Anschließend packen wir den Inhalt des ursprünglichen ISO-Images mit unserem Kickstart-File wie auch unseren Ändewrungen neu ein. Das LAbel, welches wir zuvor in der Konfigurationsdatei **''isolinux.cfg''** verwendet hatten geben wir hier exakt gleich an! 
 +   mkisofs -o ~/CentOS-8-x86_64-1905-local.iso -b isolinux/isolinux.bin -c isolinux/boot.cat -no-emul-boot -boot-load-size 4 -boot-info-table -J -R -V 'CentOS-8-BaseOS-x86_64'
  
-   # mkdir -/srv/kickstart/build/iso+Bevor wir nun das neu erstellte ISO-IMage verwenden können, ist es noch notwendig diese Date mit einer MD5-Prüfsumme zu versehen.    
 +   # implantisomd5 /var/lib/libvirt/boot/CentOS-8-x86_64-1905-local.iso
  
-   # mount -o loop /srv/centos/8/isos/x86_64/CentOS-8-x86_64-1905-dvd1.iso /srv/kickstart/build/iso+Nun können wir unser eigenes ISO-Image verenden.
  
-  mount/dev/loop0 is write-protected, mounting read-only+{{ :centos:pxe_c8:kickstart-iso-8-1.png?nolink&800 |Bild: Bildschirmhardcopy der Installationskonfiguration}}
  
-   # cp /srv/kickstart/build/iso/.discinfo /srv/kickstart/build/isolinux/+<WRAP center round tip 80%>
  
-   # cp /srv/kickstart/build/iso/isolinux//srv/kickstart/build/isolinux/+Nachdem wir die Festplattenkonfiguration vorgenommen haben, können wir mit einem Klick auf die Schaltfläche **[  Begin Installation  ]** den Installationsvorgang in Gang setzen.
  
-   # rsync -av /srv/kickstart/build/iso/images/ /srv/kickstart/build/isolinux/images/+{{ :centos:pxe_c8:kickstart-iso-8-2.png?nolink&800 |Bild: Bildschirmhardcopy der Installationskonfiguration}}
  
-*/+Wir sehen nun auch, dass dasroot-Passwort wie auch unser Admin-Acccount bereits gesetzt sind.
  
 +{{ :centos:pxe_c8:kickstart-iso-8-3.png?nolink&800 |Bild: Bildschirmhardcopy der Installationskonfiguration}}
  
 +Kurz vor dem Ende, also dem Neustart unseres neuen **CentOS 8** Systems bekommen wir auch noch den Hinweis, dass unsere Postinstall-Anweisungen ausgeführt werden.
  
 +{{ :centos:pxe_c8:kickstart-iso-8-5.png?nolink&800 |Bild: Bildschirmhardcopy der Installationskonfiguration}}
  
 +Anschließend ist das System unseren Wunschen nach vorbereitet und wir können uns anmelden.
 +
 +{{ :centos:pxe_c8:kickstart-iso-8-6.png?nolink&400 |Bild: Bildschirmhardcopy CentOS 8 Anmeldebildschirm}}
 +
 +Wir können uns nun auch direkt an unserem Host per **''ssh''** verbinden.
 +   $ ssh 10.0.0.250
 +
 +<code>The authenticity of host '10.0.0.250 (10.0.0.250)' can't be established.
 +ED25519 key fingerprint is SHA256:1iT2VKq949WlZrCZ6wQjJggbxKRzEX6F9P+XGkrGx0M.
 +Are you sure you want to continue connecting (yes/no)? yes
 +Warning: Permanently added '10.0.0.250' (ED25519) to the list of known hosts.
 +##############################################################################
 +#                                                                            #
 +#                       This is a private home server.                       #
 +#                                                                            #
 +#             Unauthorized access to this system is prohibited !             #
 +#                                                                            #
 +#    This system is actively monitored and all connections may be logged.    #
 +#         By accessing this system, you consent to this monitoring.          #
 +#                                                                            #
 +##############################################################################
 +##############################################################################
 +#                                                                            #
 +#                 This is the home server of Michael Nausch.                 #
 +#                                                                            #
 +#                            vml000250.nausch.org                            #
 +#                                                                            #
 +#             Unauthorized access to this system is prohibited !             #
 +#                                                                            #
 +#    This system is actively monitored and all connections may be logged.    #
 +#         By accessing this system, you consent to this monitoring.          #
 +#                                                                            #
 +##############################################################################
 +Last login: Sun Jun 14 22:06:00 2020 from 10.0.0.27</code>
 +
 +Die Netzwerkschnittstelle hat entsprechend die gewünschte Bezeichnung erhalten.
 +   # ip a
 +
 +<code>1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
 +    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
 +    inet 127.0.0.1/8 scope host lo
 +       valid_lft forever preferred_lft forever
 +    inet6 ::1/128 scope host 
 +       valid_lft forever preferred_lft forever
 +2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
 +    link/ether 52:54:00:2a:20:c9 brd ff:ff:ff:ff:ff:ff
 +    inet 10.0.0.250/24 brd 10.0.0.255 scope global noprefixroute eth0
 +       valid_lft forever preferred_lft forever
 +    inet6 fe80::5054:ff:fe2a:20c9/64 scope link noprefixroute 
 +       valid_lft forever preferred_lft forever</code>
 +
 +Das System ist auch mit den aktuellesten Programmpaketen bestückt.
 +   # dnf update
 +
 +<code>Last metadata expiration check: 0:58:52 ago on Sun 14 Jun 2020 10:17:48 PM CEST.
 +Dependencies resolved.
 +Nothing to do.
 +Complete!</code>
  
 +====== Links ======
 +  * **[[centos:pxe_c8:start|Zurück zum Kapitel >>PXE-Boot-Server unter CentOS 8.x einrichten<<]]**
 +  * **[[wiki:start|Zurück zu Projekte und Themenkapitel]]**
 +  * **[[http://dokuwiki.nausch.org/doku.php/|Zurück zur Startseite]]**
  
  • centos/pxe_c8/pxe_2.1592138477.txt.gz
  • Zuletzt geändert: 14.06.2020 12:41.
  • von django