Differences

This view shows the differences between two revisions of the page.

centos:pxe_c8:pxe_2 [11.06.2020 21:40] – [Überprüfung] django
centos:pxe_c8:pxe_2 [04.07.2020 15:32] (current) – [Links] django
Zeile 40: Zeile 40:
  
 <WRAP center round important 90%> <WRAP center round important 90%>
-Ferner ist zu beachten, dass viele sehr individuelle Konfigurationswünsche, wie z.B. LVM-Konfigurationen bzw, aufwändige Partitionierungen meist nur manuell in einer Kickstart-Datei konfiguriert werden können! Nich alles lässt sich mittels automatisierter GUIs abbilden!+Ferner ist zu beachten, dass viele sehr individuelle Konfigurationswünsche, wie z.B. LVM-Konfigurationen bzw, aufwändige Partitionierungen meist nur manuell in einer Kickstart-Datei konfiguriert werden können! Nicht alles lässt sich mittels automatisierter GUIs abbilden!
 </WRAP> </WRAP>
  
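Review bot: the correction on the changed WRAP line fixes "Nich" but leaves a second typo in the same sentence: "bzw," should be "bzw." (abbreviation with a period) before "aufwändige Partitionierungen".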
Zeile 102: Zeile 102:
 %end %end
 </code> </code>
- 
     - Dort können wir die Datei unseren Wünschen nach entsprechend noch final anpassen.      - Dort können wir die Datei unseren Wünschen nach entsprechend noch final anpassen. 
     - anschließend passen wir dann noch die Konfigurationszeile unseres **PXE-Bootmenüs** passend an und vermerken dort sowohl **''ks''** (Host und Pfad der Kickstartdatei) als auch die Option **''ksdevice''** (Netzwerkgerät über die die Kickstart-Datei geladen werden kann). Bsp.: <code>...      - anschließend passen wir dann noch die Konfigurationszeile unseres **PXE-Bootmenüs** passend an und vermerken dort sowohl **''ks''** (Host und Pfad der Kickstartdatei) als auch die Option **''ksdevice''** (Netzwerkgerät über die die Kickstart-Datei geladen werden kann). Bsp.: <code>... 
Zeile 108: Zeile 107:
    MENU LABEL ^3) Installation von CentOS 8 (64 Bit)    MENU LABEL ^3) Installation von CentOS 8 (64 Bit)
    KERNEL images/centos/8/x86_64/vmlinuz    KERNEL images/centos/8/x86_64/vmlinuz
-   APPEND ks=http://10.0.0.57/kickstart/ks_centos_8_x86_64_dmz.cfg initrd=images/centos/8/x86_64/initrd.img ksdevice=eth0 ip=dhcp --hostname=vml000250.dmz.nausch.org method=http://10.0.0.57/centos/8/BaseOS/x86_64/os/ SERVERNAME=+   APPEND ks=http://10.0.0.57/kickstart/ks_centos_8_x86_64_dmz.cfg initrd=images/centos/8/x86_64/initrd.img ksdevice=ens3 ip=dhcp --hostname=vml007357.dmz.nausch.org method=http://10.0.0.57/centos/8/BaseOS/x86_64/os/ SERVERNAME=
 ... </code> ... </code>
 +
 +<WRAP center round tip 90%>
 +**HINWEIS**:: \\
 +\\
 +Viele vertiefenden Hinweise und Tips zum Syntax in einer Kickstart-Datei finden sich im übrigen in der originalen CentOS-Dokumentation im Kapitel **[[https://docs.centos.org/en-US/8-docs/advanced-install/assembly_kickstart-script-file-format-reference/|Kickstart script file format reference]]** sowie in der **[[https://docs.centos.org/en-US/8-docs/advanced-install/assembly_kickstart-commands-and-options-reference/|Kickstart commands and options reference]]**!.
 +</WRAP>
  
 === Überprüfung === === Überprüfung ===
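Review bot: the hostname on the changed APPEND line (vml007357) is not the one this diff uses anywhere else: the `LABEL 3` block added under "Bsp. 2" further down still carries `--hostname=vml000250.dmz.nausch.org`, and the `%pre` script added under "Bsp. 3" falls back to vml000250 / 10.0.0.250 whenever `SERVERNAME=` is empty, as it is at the end of this line. With `SERVERNAME=` empty, the `--hostname=` value here is therefore not what decides the installed host's name; either fill in `SERVERNAME=` or drop `--hostname=` so the two menu entries stop disagreeing. The `ksdevice=ens3` change does line up with `--device=ens3` in the Bsp. 2 kickstart file, but the `%pre` script in Bsp. 3 still writes `--device=eth0`. In the added tip box, `HINWEIS::` has a doubled colon, "Tips" should be "Tipps", and the sentence ends with `!.`.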
Zeile 126: Zeile 131:
 </code> </code>
  
-<WRAP center round tip 90%>+<WRAP center round important 90%>
 Das Validierungstool selbst kann natürlich nicht garantieren, dass die Installation später auch wirklich erfolgreich sein wird! Es stellt nur sicher, dass die Syntax korrekt ist und dass die Datei keine veralteten Optionen enthält. Es wird dabei __nicht__ versucht, die Abschnitte **''%pre''**, **''%post''** und **''%packages''** der Kickstart-Datei zu validieren! Das Validierungstool selbst kann natürlich nicht garantieren, dass die Installation später auch wirklich erfolgreich sein wird! Es stellt nur sicher, dass die Syntax korrekt ist und dass die Datei keine veralteten Optionen enthält. Es wird dabei __nicht__ versucht, die Abschnitte **''%pre''**, **''%post''** und **''%packages''** der Kickstart-Datei zu validieren!
 </WRAP> </WRAP>
- + 
 ==== Bsp. 2: erste Teilautomation ==== ==== Bsp. 2: erste Teilautomation ====
-FIXME **//do gehds weida!//**+Damit unsere Installationen künftig weitgehend automatisiert ablaufen können, werden wir auf ein **kickstart-file** erstellen und dies später von unserem Webserver, der auch die Auslieferung der Installations-RPMs vornimmt, ausliefern lassen.  
 + 
 +Die Konfigurationsdatei für die automatisierte Installation werden wir, wie im berits skizziert auf Basis einer bestehenden Installation weiter ausbauen.  
 + 
 +Zunächst werden wir im **//Document-Root//** des WEB-Servers unseres Repo-Servers ein Verzeichnis für die Kickstart-Dateien anlegen, in dem wir später die Dateien anlegen werden. 
 +   # mkdir -p/ /srv/kickstart 
 + 
 +Dann kopieren wir die vorhanden Kickstart-Datei in das Zielverzeichnis. 
 +   # cp /root/anaconda-ks.cfg /srv/kickstart/ks_centos_8_x86_64_dmz.cfg 
 + 
 +<WRAP center round tip 90%> 
 +Um später vor unliebsamen Überraschungen gefeit zu sein, passen wir die Userrechte der Kickstart-Datei an, so dass der Benutzer **apache** des Webservers diese auch lesen und somit ausliefern kann! 
 +   # chown apache:apache /srv/kickstart/ks_centos_8_x86_64_dmz.cfg 
 +</WRAP> 
 + 
 + 
 +Abschliessend bearbeiten wir unsere Konfigurationsdatei und vermerken bei Bedarf Hinweise zu den einzelnen Optionen. Eine ausführliche Beschreibung der einzelnen Optionen finden wir im [[https://docs.centos.org/en-US/8-docs/advanced-install/assembly_kickstart-script-file-format-reference/|CentOS 8 Documentation - Kickstart script file format reference]]. 
 + 
 +   # vim /srv/kickstart/ks_centos_8_x86_64_dmz.cfg 
 + 
 +<file bash /srv/kickstart/ks_centos_8_x86_64_dmz.cfg># Django 2020-06-12 Kickstart-Datei zum automatischen Betanken von DMZ-Maschinen (64 Bit) 
 +# Version=CentOS 8 (RHEL 8) 
 + 
 +# Tastaturlayout definieren 
 +keyboard --vckeymap=de-nodeadkeys --xlayouts='de (nodeadkeys)' 
 + 
 +# Systemsprache setzen 
 +lang en_US.UTF-8 
 + 
 +# Definition der Netzwerkeinstellungen 
 +network  --bootproto=static --device=ens3 --gateway=10.0.0.17 --ip=10.0.0.254 --nameserver=10.0.0.27 --netmask=255.255.255.0 --ipv6=auto --activate 
 +network  --hostname=vml000254.dmz.nausch.org 
 + 
 +# Zeitzone setzen 
 +timezone Europe/Berlin --isUtc --ntpservers=time.dmz.nausch.org 
 +services --enabled="chronyd" 
 + 
 +# Netzwerkinstallation aus dem eigenen Repository mit den aktuellen Paketen 
 +url --url="http://10.0.0.57/centos/8/BaseOS/x86_64/os/" 
 +repo --name="AppStream" --baseurl=http://10.0.0.57/centos/8/BaseOS/x86_64/os/../../../AppStream/x86_64/os/ 
 + 
 +# Root-Passwort verschlüsselt vorgeben 
 +rootpw --iscrypted $6$qKYVPTB/XbETdalD$9KDd5a0O0gIOLyylavv3y3YOkzrQJqAoPrqbLrxGS94/G1Nude5DLLNlsgVyeDXO9l3vaxYqdZfuckGnQbUME0 
 + 
 +# Default-Benutzerkonto anlegen 
 +user --name=django --password=$6$9eYDL2WNf3YXU/VK$ZWa2Ddj1n6GG.Hb8bnNZ/A2MTenEdmfd.jB0qlqyVnLtj55lG/Wn0hdLpvboWWm49oXDEvIXq8bzOx4.LXfq0. --iscrypted --gecos="Bastard Operator from Hell" 
 + 
 +# vorhandene Partitionen löschen 
 +ignoredisk --only-use=vda 
 +clearpart --all --initlabel --drives=vda 
 +# autopart --type=lvm 
 + 
 +# GUI für Installation verwenden 
 +graphical 
 + 
 +# Kein X Window System konfigurieren, da dieses nicht installiert wird 
 +skipx 
 + 
 +# Reboot nach der Installation ausführen 
 +reboot 
 + 
 +# Paketauswahl definieren (Minimalinstallation mit zusätzlichen Paketen 
 +%packages 
 +@^minimal-environment 
 +vim 
 +bash-completion 
 +bind-utils 
 +wget 
 +telnet 
 +net-tools 
 +lsof 
 +%end 
 + 
 +%addon com_redhat_kdump --disable --reserve-mb='auto' 
 + 
 +%end 
 + 
 +%anaconda 
 +pwpolicy root --minlen=6 --minquality=1 --notstrict --nochanges --notempty 
 +pwpolicy user --minlen=6 --minquality=1 --notstrict --nochanges --emptyok 
 +pwpolicy luks --minlen=6 --minquality=1 --notstrict --nochanges --notempty 
 +%end 
 +</file> 
 + 
 +Bei der oben genannten Beispiels-Installation geben wir unter anderem folgende Einstellungen vor: 
 +  * **Systemsprache** : Englisch 
 +  * **Tastaturlayout** : deutsch 
 +  * **Netzwerk** : IP-Adresse temporär fest definieren und zugehörigen Hostnamen setzen. 
 +  * **Installationsquelle** : Unser eigener Repository-Server http://10.0.0.57//centos/8/BaseOS/x86_64/os/../../../AppStream/x86_64/os/ verwenden. 
 +  * **Zeitzone** : Europe/Berlin und UTC nutzen sowie den Zeitserver time.dmz.nausch.org nutzen - **chronyd** zum Zeitabgleich als Daemon verwenden. 
 +  * **Root-Passwort** : //verschlüsselt hinterlegt// 
 +  * **User** : Admin-User-Konto anlegen und Passwort (verschlüsselt) setzen. 
 +  * **Bootloader** : installieren 
 +  * **Deamon** : kdump disablen 
 +  * **Paketauswahl** : //minimal// und ausgewählte Pakete zusätzlich installieren. 
 +  * **Neustart** : Nach der Installation des Systems einen Reboot ausführen. 
 + 
 +Damit nun beim Laden der Menüdatei bei PXE-Boot das richtige Kickstartfile geladen werden kann, erweitern wir nun die Menü-Datei unseres PXE-Bootservers. 
 + 
 +   # vim /var/lib/tftpboot/pxelinux.cfg/dmz-64 
 +Dort tragen wir beim betreffenden **LABEL** die Option **ks** ein. 
 +<code>LABEL 3 
 +   MENU LABEL ^3) Installation von CentOS 8 (64 Bit) 
 +   KERNEL images/centos/8/x86_64/vmlinuz 
 +   APPEND ks=http://10.0.0.57/kickstart/ks_centos_8_x86_64_dmz.cfg initrd=images/centos/8/x86_64/initrd.img ksdevice=ens3 ip=dhcp --hostname=vml000250.dmz.nausch.org method=http://10.0.0.57/centos/8/BaseOS/x86_64/os/ SERVERNAME= 
 +</code> 
 + 
 +Anschliessend können wir unseren ersten virtuellen CentOS 8 Host mit entsprechender Konfigurationsunterstützung an Hand unserer Kickstart-Datei aufsetzen. 
 + 
 +{{ :centos:pxe_c7:pxe-boot-menue-004.png?nolink&800 |Bild: Bildschirmhardcopy des PXE Bootmenüs}} 
 + 
 +Sobald wir uns im Konfigurationsmodus unserer Installation befinden, sehen wir, dass die gewünschten Optionen, die wir über die Kickstart-Datei definiert hatten, bereits gesetzt sind. 
 + 
 +{{ :centos:pxe_c8:pxe-kickstart-installconfig-081.png?nolink&800 |Bild: Bildschirmhardcopy der Installationskonfiguration}} 
 + 
 +Nun brauchen wir nur noch die Hostspezifische Aufteilung der Festplatten vornehmen! 
 + 
 +{{ :centos:pxe_c8:pxe-kickstart-installconfig-082.png?nolink&800 |Bild: Bildschirmhardcopy der Installationskonfiguration}} 
 + 
 +Zur eigentlichen Installation klicken wir nur noch auf die Schaltfläche **[  Begin Installation  ]** rechts unten im GUI-Fenster. 
 + 
 +{{ :centos:pxe_c8:pxe-kickstart-installconfig-083.png?nolink&800 |Bild: Bildschirmhardcopy der Installation}} 
 + 
 +Auch hier sehen wir,. dass das Root-Paswort und auch der Admin-User-Account bereits definiert wurden. Am Ende der Installation macht unser neuer CentOS 8 Host automatisch einen Neustart und wir können uns anschließend an unserem System anmelden. 
 + 
 +{{ :centos:pxe_c8:pxe-kickstart-installconfig-084.png?nolink&800 |Bild: Bildschirmhardcopy der fertig Installierten CentOS 8 Maschine}} 
 + 
 +==== Bsp. 3: erweiterte Automatisierung der Installation ==== 
 +In aller Regel werden wir eine Gruppe von zu installierenden Hosts immer nach dem gleichen Grundschema aufbauen, konfigurieren und auch härten wollen. Was liegt also näher, als diese Aufgaben zu standardisieren und automatisch abarbeiten zu lassen. 
 + 
 +Neben der Grundinstallation eines CentOS 8 Hosts werden wir nun noch folgende Dinge setzen lassen: 
 +  - **IP-Adresse und Hostname** Durch Angabe des Hostnamens beim Booten des Installationsimages wollen wir diesen setzen und auch die zugehörige IP-Adresse übernehmen lassen. (Der Hostname wir so z.B. auch bei der Definition der VolumeGroup eines LVMs verwendet.) 
 +  - **[[centos:rename_nic_c8#grub_bootloader|Bootloader]]** Da wir beim Booten der Maschine detailierte Informationen sehen wollen werden wir die Option **rhgb** in der GRUB-Definition entfernen. 
 +  - **[[centos:logins_individuell_anpassen|MOTD und ISSUE.NET]]** individualisieren inkl. Hostnamen 
 +  - **[[centos:ssh_c7#ssh-daemon|SSH-Daemon]]** Den SSH Daemon härten wir und passen die Konfigurationsdatei entsprechend an. 
 +  - **[[centos:ssh_c7#zielverzeichnis_anlegen_und_oeffentlichen_schluessel_kopieren|SSH-Publickey]]** Für unseren Admin-Account **django** hinterlegen wir den zugehörigen öffentlichen SSH-Schlüssel. 
 +  - **[[wiki:start#repos|Repositories]]** Statt der öffentlichen, sollen nur noch die lokal gesyncten Repositories verwendet werden; daher macht es auch keinen Sinn die Einträge **''mirrorlist=''** in den entsprechenden repo-filers stehen zu lassen. Zusätzlich zum Standard soll auch noch das Repository **[[centos:epel8|EPEL]]** eingebunden und genutzt werden.  
 +  - **Update** Zum Schluss stellen wir noch sicher dass alle installierten Pakete in der aktuellsten Version vorliegen und lassen dann das System neu starten. 
 + 
 +Hierzu erweitern wir die zuvor angelegte Kickstartdatei //**/srv/kickstart/ks_centos_8_x86_64_dmz.cfg**//
 +   # vim /srv/kickstart/ks_centos_8_x86_64_dmz.cfg 
 + 
 +<file bash /srv/kickstart/ks_centos_8_x86_64_dmz.cfg># Django 2020-06-12 Kickstart-Datei zum automatischen Betanken von DMZ-Maschinen (64 Bit) 
 +# Version=CentOS 8 (RHEL 8) 
 + 
 +# Tastaturlayout definieren 
 +keyboard --vckeymap=de-nodeadkeys --xlayouts='de (nodeadkeys)' 
 + 
 +# Systemsprache setzen 
 +lang en_US.UTF-8 
 + 
 +# Definition der Netzwerkeinstellungeni - setzen der Netzwerk-Adresse und Hostname 
 +# die aus dem Preinstall-Script beim PXE-Boot übernommen wurden. 
 +%include /tmp/networks.cfg 
 + 
 +# Zeitzone setzen 
 +timezone Europe/Berlin --isUtc --ntpservers=vml000027.dmz.nausch.org 
 +services --enabled="chronyd" 
 + 
 +# Netzwerkinstallation aus dem eigenen Repository mit den aktuellen Paketen 
 +url --url="http://10.0.0.57/centos/8/BaseOS/x86_64/os/" 
 +repo --name="AppStream" --baseurl=http://10.0.0.57/centos/8/BaseOS/x86_64/os/../../../AppStream/x86_64/os/ 
 + 
 +# Root-Passwort verschlüsselt vorgeben 
 +rootpw --iscrypted $6$Z46HtZ/aLHbA19p$WVsutOEqe0m0e97lgEreKUzfkAEFzFSR0Hj8RFN8MHqWjPqk7PkJeQ9mIcTGtdutFnFVdFzFSR0KhrdGwUdAn01 
 + 
 +# Default-Benutzerkonto anlegen 
 +user --name=django --password=$6$2.fGKBeQa18GE6XwDMXG6$QX/j.TfZXk0bBuoJ8GE6XMXRZYz/4pEE6PuwkubaDmteRAAerLVKK69EF30d1K/f1d/sUEqbF9FJBulc/ --iscrypted --gecos="Bastard Operator from Hell" 
 + 
 +# vorhandene Partitionen löschen 
 +ignoredisk --only-use=vda 
 +clearpart --all --initlabel --drives=vda 
 +# autopart --type=lvm 
 + 
 +# GUI für Installation verwenden 
 +graphical 
 + 
 +# Kein X Window System konfigurieren, da dieses nicht installiert wird 
 +skipx 
 + 
 +# Reboot nach der Installation ausführen 
 +reboot 
 + 
 +# Paketauswahl definieren (Minimalinstallation mit zusätzlichen Paketen 
 +%packages 
 +@^minimal-environment 
 +-iwl*firmware 
 +vim 
 +bash-completion 
 +bind-utils 
 +wget 
 +telnet 
 +net-tools 
 +lsof 
 +%end 
 + 
 +%addon com_redhat_kdump --disable --reserve-mb='auto' 
 +%end 
 + 
 +%anaconda 
 +pwpolicy root --minlen=6 --minquality=1 --notstrict --nochanges --notempty 
 +pwpolicy user --minlen=6 --minquality=1 --notstrict --nochanges --emptyok 
 +pwpolicy luks --minlen=6 --minquality=1 --notstrict --nochanges --notempty 
 +%end 
 + 
 +#%end 
 + 
 +%addon com_redhat_kdump --disable --reserve-mb='auto' 
 + 
 +%end 
 + 
 +# Preinstall-Anweisungen Netzwerk-Adresse und Hostname ermitteln und setzen 
 +%pre 
 +#!/bin/bash 
 +echo "network --device eth0 --bootproto dhcp --hostname vml000XXX.dmz.nausch.org" > /tmp/network.ks 
 +for x in `cat /proc/cmdline`; do 
 +    case $x in SERVERNAME*) 
 +        eval $x 
 +        NULL=${SERVERNAME:6:1} 
 +        if [ "$SERVERNAME" == "" ]; then 
 +            echo "network  --bootproto=static --device=eth0 --gateway=10.0.0.17 --ip 10.0.0.250 --nameserver=10.0.0.27 --netmask 255.255.255.0 --ipv6=auto --activate --hostname vml000250.dmz.nausch.org" > /tmp/networks.cfg 
 +        else 
 +            if [ "$NULL" == "0" ]; then 
 +                OCTET=${SERVERNAME:7:2} 
 +            else 
 +                OCTET=${SERVERNAME:6:3} 
 +            fi 
 +            echo "network  --bootproto=static --device=eth0 --gateway=10.0.0.17 --ip 10.0.0.${OCTET} --nameserver=10.0.0.27 --netmask 255.255.255.0 --ipv6=auto --activate --hostname ${SERVERNAME}.dmz.nausch.org" > /tmp/networks.cfg 
 +        fi 
 +        ;; 
 +        esac; 
 +    done 
 +%end 
 + 
 +# Postinstall-Anweisungen 
 +%post --log=/root/anaconda-postinstall.log 
 +#!/bin/bash 
 +DATUM=$(date +"%Y-%m-%d"
 +for x in `cat /proc/cmdline`; do 
 +case $x in SERVERNAME*
 +eval $x 
 + 
 +############ bootloader anpassen, rhgb bei den Bootoptionen entfernen ########### 
 +sed -i 's/rhgb//g' /etc/default/grub 
 +grub2-mkconfig -o /boot/grub2/grub.cfg 
 +################################################################################# 
 + 
 +######################## MOTD und ISSUE.NET individualisieren ################### 
 +# /etc/issue.net anlegen 
 +cat <<ISSUE.NET > /etc/issue.net 
 +############################################################################## 
 +#                                                                            # 
 +#                       This is a private home server.                       # 
 +#                                                                            # 
 +#             Unauthorized access to this system is prohibited !             # 
 +#                                                                            # 
 +#    This system is actively monitored and all connections may be logged.    # 
 +#         By accessing this system, you consent to this monitoring.          # 
 +#                                                                            # 
 +############################################################################## 
 +ISSUE.NET 
 + 
 +chown root:root /etc/issue.net 
 +chmod 644 /etc/issue.net 
 + 
 +# /etc/motd anlegen 
 +cat <<MOTD > /etc/motd 
 +############################################################################## 
 +#                                                                            # 
 +#                 This is the home server of Michael Nausch.                 # 
 +#                                                                            # 
 +#                            $SERVERNAME.nausch.org                            # 
 +#                                                                            # 
 +#             Unauthorized access to this system is prohibited !             # 
 +#                                                                            # 
 +#    This system is actively monitored and all connections may be logged.    # 
 +#         By accessing this system, you consent to this monitoring.          # 
 +#                                                                            # 
 +############################################################################## 
 +MOTD 
 + 
 +chown root:root /etc/motd 
 +chmod 644 /etc/motd 
 +################################################################################# 
 + 
 +########################### ssh-daemon konfigurieren ############################ 
 +cp -a /etc/ssh/sshd_config /etc/ssh/sshd_config.orig 
 +cat <<SSHD_CONFIG > /etc/ssh/sshd_config 
 +# $OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $ 
 + 
 +# This is the sshd server system-wide configuration file.  See 
 +# sshd_config(5) for more information. 
 + 
 +# This sshd was compiled with PATH=/usr/local/bin:/usr/bin:/usr/local/sbin:/usr/sbin 
 + 
 +# The strategy used for options in the default sshd_config shipped with 
 +# OpenSSH is to specify options with their default value where 
 +# possible, but leave them commented.  Uncommented options override the 
 +# default value. 
 + 
 +# If you want to change the port on a SELinux system, you have to tell 
 +# SELinux about this change. 
 +# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER 
 +
 +# Specifies which address family should be used by sshd(8). Valid arguments 
 +# are ''any'', ''inet'' (use IPv4 only), or ''inet6'' (use IPv6 only). 
 +#AddressFamily any 
 + 
 +# Specifies the local addresses sshd(8) should listen on. The following  
 +# forms may be used: 
 +#                   ListenAddress host|IPv4_addr|IPv6_addr 
 +#                   ListenAddress host|IPv4_addr:port 
 +#                   ListenAddress [host|IPv6_addr]:port 
 +# If port is not specified, sshd will listen on the address and all prior  
 +# Port options specified. The default is to listen on all local addresses.  
 +# Multiple ListenAddress options are permitted. Additionally, any Port  
 +# options must precede this option for non-port qualified addresses. 
 +#Port 22 
 +#ListenAddress 0.0.0.0 
 +#ListenAddress :: 
 + 
 +# Specifies a file containing a private host key used by SSH. The default  
 +# is /etc/ssh/ssh_host_key for protocol version 1, and  
 +# /etc/ssh/ssh_host_rsa_key and /etc/ssh/ssh_host_dsa_key for protocol  
 +# version 2. Note that sshd(8) will refuse to use a file if it is  
 +# group/world-accessible. It is possible to have multiple host key files. 
 +# ''rsa1'' keys are used for version 1 and ''dsa'' or ''rsa'' are used for 
 +# version 2 of the SSH protocol.  
 +HostKey /etc/ssh/ssh_host_ed25519_key 
 + 
 +# Specifies the ciphers allowed for protocol version 2. Multiple ciphers  
 +# must be comma-separated. The supported ciphers are ''3des-cbc'',  
 +# ''aes128-cbc'', ''aes192-cbc'', ''aes256-cbc'', ''aes128-ctr'',  
 +# ''aes192-ctr'', ''aes256-ctr'', ''arcfour128'', ''arcfour256'',  
 +# ''arcfour'', ''blowfish-cbc'', and ''cast128-cbc''
 +Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr 
 + 
 +# MACs' Specifies the available MAC (message authentication code)  
 +# algorithms. The MAC algorithm is used in protocol version 2 for data  
 +# integrity protection. Multiple algorithms must be comma-separated. 
 +MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256 
 + 
 +# Specifies the available KEX (Key Exchange) algorithms. Multiple  
 +# algorithms must be comma-separated. For ineroperability with Eclipse  
 +# and WinSCP):  
 +# KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256 
 +# If needed, open /etc/ssh/moduli if exists, and delete lines where the  
 +# 5th column is less than 2000. 
 +#   awk '$5 > 2000' /etc/ssh/moduli > "${HOME}/moduli" 
 +#   wc -l "${HOME}/moduli" 
 +# make sure there is something left 
 +#   mv "${HOME}/moduli" /etc/ssh/moduli 
 +
 +KexAlgorithms curve25519-sha256@libssh.org 
 + 
 +# Ciphers and keying 
 +#RekeyLimit default none 
 + 
 +# System-wide Crypto policy: 
 +# This system is following system-wide crypto policy. The changes to 
 +# Ciphers, MACs, KexAlgoritms and GSSAPIKexAlgorithsm will not have any 
 +# effect here. They will be overridden by command-line options passed on 
 +# the server start up. 
 +# To opt out, uncomment a line with redefinition of  CRYPTO_POLICY= 
 +# variable in  /etc/sysconfig/sshd  to overwrite the policy. 
 +# For more information, see manual page for update-crypto-policies(8). 
 + 
 +# Logging 
 +# Gives the facility code that is used when logging messages from sshd(8).  
 +# The possible values are: DAEMON, USER, AUTH, AUTHPRIV, LOCAL0, LOCAL1,  
 +# LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.  
 +SyslogFacility AUTHPRIV 
 + 
 +# Gives the verbosity level that is used when logging messages from sshd(8). 
 +# The possible values are: QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG,  
 +# DEBUG1, DEBUG2, and DEBUG3. The default is INFO. DEBUG and DEBUG1 are  
 +# equivalent. DEBUG2 and DEBUG3 each specify higher levels of debugging  
 +# output. Logging with a DEBUG level violates the privacy of users and is  
 +# not recommended. 
 +# LogLevel VERBOSE logs user's key fingerprint on login. Needed to have a  
 +# clear audit track of which key was using to log in. 
 +LogLevel VERBOSE 
 + 
 +# Authentication: 
 +# The server disconnects after this time if the user has not successfully  
 +# logged in. If the value is 0, there is no time limit. 
 +LoginGraceTime 0 
 + 
 +# Specifies whether root can log in using ssh(1). The argument must be  
 +# ''yes'', ''without-password'', ''forced-commands-only'', or ''no''.  
 +# The default is ''yes''. If this option is set to ''without-password'',  
 +# password authentication is disabled for root. If this option is set to 
 +# ''forced-commands-only'', root login with public key authentication will  
 +# be allowed, but only if the command option has been specified (which  
 +# may be useful for taking remote backups even if root login is normally  
 +# not allowed). All other authentication methods are disabled for root. 
 +# If this option is set to ''no'', root is not allowed to log in.   
 +PermitRootLogin no 
 + 
 +# This keyword can be followed by a list of user name patterns, separated  
 +# by spaces. If specified, login is allowed only for user names that match  
 +# one of the patterns. Only user names are valid; a numerical user ID is  
 +# not recognized. By default, login is allowed for all users. If the pattern 
 +# takes the form USER@HOST then USER and HOST are separately checked,  
 +# restricting logins to particular users from particular hosts. The  
 +# allow/deny directives are processed in the following order:  
 +# DenyUsers, AllowUsers, DenyGroups, and finally AllowGroups.  
 +AllowUsers django 
 + 
 +# Specifies whether sshd(8) should check file modes and ownership of the  
 +# user's files and home directory before accepting login. This is normally  
 +# desirable because novices sometimes accidentally leave their directory  
 +# or files world-writable. 
 +StrictModes yes 
 + 
 +# Specifies the maximum number of authentication attempts permitted per  
 +# connection. Once the number of failures reaches half this value,  
 +# additional failures are logged. 
 +MaxAuthTries 10 
 + 
 +# Specifies the maximum number of open sessions permitted per network  
 +# connection. 
 +MaxSessions 10 
 + 
 +# Specifies the file that contains the public keys that can be used for  
 +# user authentication. AuthorizedKeysFile may contain tokens of the form 
 +# %T which are substituted during connection setup. The following tokens 
 +# are defined: %% is replaced by a literal '%', %h is replaced by the  
 +# home directory of the user being authenticated, and %u is replaced by 
 +# the username of that user. After expansion, AuthorizedKeysFile is 
 +# taken to be an absolute path or one relative to the user's home directory. 
 +AuthorizedKeysFile      .ssh/authorized_keys 
 + 
 +# Specifies whether public key authentication is allowed. The default is  
 +# ''yes''. Note that this option applies to protocol version 2 only. 
 +PubkeyAuthentication yes 
 + 
 + 
 +#AuthorizedPrincipalsFile none 
 +#AuthorizedKeysCommand none 
 +#AuthorizedKeysCommandUser nobody 
 + 
 +# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts 
 +#HostbasedAuthentication no 
 +# Change to yes if you don't trust ~/.ssh/known_hosts for 
 +# HostbasedAuthentication 
 +#IgnoreUserKnownHosts no 
 +# Don't read the user's ~/.rhosts and ~/.shosts files 
 +#IgnoreRhosts yes 
 + 
 +# To disable tunneled clear text passwords, change to no here! 
 +#PasswordAuthentication yes 
 +#PermitEmptyPasswords no 
 + 
 +# Specifies whether password authentication is allowed. To disable tunneled  
 +# clear text passwords, change to no here! 
 +PasswordAuthentication no 
 + 
 +# Specifies whether challenge-response authentication is allowed  
 +# (e.g. via PAM or though authentication styles supported in login.conf(5)) 
 +# Change to no to disable s/key passwords 
 +ChallengeResponseAuthentication no 
 + 
 +# Kerberos options 
 +#KerberosAuthentication no 
 +#KerberosOrLocalPasswd yes 
 +#KerberosTicketCleanup yes 
 +#KerberosGetAFSToken no 
 +#KerberosUseKuserok yes 
 + 
 +# Specifies whether user authentication based on GSSAPI is allowed. 
 +GSSAPIAuthentication yes 
 + 
 +# Specifies whether key exchange based on GSSAPI is allowed. GSSAPI key  
 +# exchange doesn't rely on ssh keys to verify host identity.  
 +#GSSAPIKeyExchange no 
 + 
 +# Specifies whether to automatically destroy the user's credentials cache  
 +# on logout. 
 +GSSAPICleanupCredentials no 
 + 
 +# Determines whether to be strict about the identity of the GSSAPI acceptor  
 +# a client authenticates against. If ''yes'' then the client must authenticate 
 +# against the host service on the current hostname. If ''no'' then the client  
 +# may authenticate against any service key stored in the machine's default 
 +# store. This facility is provided to assist with operation on multi homed  
 +# machines. The default is ''yes''. Note that this option applies only to  
 +# protocol version 2 GSSAPI connections, and setting it to ''no'' may only  
 +# work with recent Kerberos GSSAPI libraries. 
 +#GSSAPIStrictAcceptorCheck yes 
 + 
 +#GSSAPIEnablek5users no 
 + 
 +# Set this to 'yes' to enable PAM authentication, account processing, 
 +# and session processing. If this is enabled, PAM authentication will 
 +# be allowed through the ChallengeResponseAuthentication and 
 +# PasswordAuthentication.  Depending on your PAM configuration, 
 +# PAM authentication via ChallengeResponseAuthentication may bypass 
 +# the setting of "PermitRootLogin without-password"
 +# If you just want the PAM account and session checks to run without 
 +# PAM authentication, then enable this but set PasswordAuthentication 
 +# and ChallengeResponseAuthentication to 'no'
 +# WARNING: 'UsePAM no' is not supported in Fedora and may cause several 
 +# problems. 
 +UsePAM yes 
 + 
 +# Specifies whether X11 forwarding is permitted. The argument must be  
 +# ''yes'' or ''no''. The default is ''no''
 +# When X11 forwarding is enabled, there may be additional exposure to the 
 +# server and to client displays if the sshd(8) proxy display is configured 
 +# to listen on the wildcard address (see X11UseLocalhost below), though this 
 +# is not the default. Additionally, the authentication spoofing and  
 +# authentication data verification and substitution occur on the client side. 
 +# The security risk of using X11 forwarding is that the client's X11 display 
 +# server may be exposed to attack when the SSH client requests forwarding  
 +# (see the warnings for ForwardX11 in ssh_config(5)). A system administrator 
 +# may have a stance in which they want to protect clients that may expose 
 +# themselves to attack by unwittingly requesting X11 forwarding, which can  
 +# warrant a ''no'' setting. Note that disabling X11 forwarding does not  
 +# prevent users from forwarding X11 traffic, as users can always install  
 +# their own forwarders. X11 forwarding is automatically disabled if UseLogin 
 +# is enabled.  
 +X11Forwarding yes 
 + 
 +# Specifies the first display number available for sshd(8)'s X11 forwarding. 
 +# This prevents sshd from interfering with real X11 servers.  
 +# The default is 10. 
 +#X11DisplayOffset 10 
 + 
 +# Specifies whether sshd(8) should bind the X11 forwarding server to the  
 +# loopback address or to the wildcard address. By default, sshd binds the 
 +# forwarding server to the loopback address and sets the hostname part of 
 +# the DISPLAY environment variable to ''localhost''. This prevents remote 
 +# hosts from connecting to the proxy display. However, some older X11 clients 
 +# may not function with this configuration. X11UseLocalhost may be set to  
 +# ''no'' to specify that the forwarding server should be bound to the  
 +# wildcard address. The argument must be ''yes'' or ''no''. The default is  
 +# ''yes''
 +#X11UseLocalhost yes 
 + 
 +# Specifies whether ssh-agent(1) forwarding is permitted. The default is  
 +# ''yes''. Note that disabling agent forwarding does not improve security  
 +# unless users are also denied shell access, as they can always install  
 +# their own forwarders. 
 +#AllowAgentForwarding yes 
 + 
 +# Specifies whether TCP forwarding is permitted. The default is ''yes''.  
 +# Note that disabling TCP forwarding does not improve security unless users 
 +# are also denied shell access, as they can always install their own  
 +# forwarders.  
 +#AllowTcpForwarding yes 
 + 
 +# Specifies whether remote hosts are allowed to connect to ports forwarded 
 +# for the client. By default, sshd(8) binds remote port forwardings to the 
 +# loopback address. This prevents other remote hosts from connecting to  
 +# forwarded ports. GatewayPorts can be used to specify that sshd should  
 +# allow remote port forwardings to bind to non-loopback addresses, thus  
 +# allowing other hosts to connect. The argument may be ''no'' to force  
 +# remote port forwardings to be available to the local host only, ''yes'' 
 +# to force remote port forwardings to bind to the wildcard address, or  
 +# ''clientspecified'' to allow the client to select the address to which  
 +# the forwarding is bound. The default is ''no''.  
 +#GatewayPorts no 
 + 
 +#PermitTTY yes 
 + 
 +# It is recommended to use pam_motd in /etc/pam.d/sshd instead of PrintMotd, 
 +# as it is more configurable and versatile than the built-in version. 
 +PrintMotd no 
 + 
 +#PrintLastLog yes 
 +#TCPKeepAlive yes 
 +#PermitUserEnvironment no 
 +#Compression delayed 
 +#ClientAliveInterval 0 
 +#ClientAliveCountMax 3 
 +#ShowPatchLevel no 
 +#UseDNS no 
 +#PidFile /var/run/sshd.pid 
 +#MaxStartups 10:30:100 
 +#PermitTunnel no 
 +#ChrootDirectory none 
 +#VersionAddendum none 
 + 
 +# The contents of the specified file are sent to the remote user before  
 +# authentication is allowed.  
 +Banner /etc/issue.net 
 + 
 +# Accept locale-related environment variables 
 +AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES 
 +AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT 
 +AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE 
 +AcceptEnv XMODIFIERS 
 + 
 +# Configures an external subsystem (e.g. file transfer daemon). Arguments  
 +# should be a subsystem name and a command (with optional arguments) to  
 +# execute upon subsystem request. Log sftp level file access  
 +# (read/write/etc.) that would not be easily logged otherwise. 
 +Subsystem sftp /usr/libexec/openssh/sftp-server 
 + 
 +# Example of overriding settings on a per-user basis 
 +#Match User anoncvs 
 +# X11Forwarding no 
 +# AllowTcpForwarding no 
 +# PermitTTY no 
 +# ForceCommand cvs server 
 +SSHD_CONFIG 
 +chown root:root /etc/ssh/sshd_config 
 +chmod 600 /etc/ssh/sshd_config 
 +################################################################################# 
 + 
 +####################### Django's ssh-pubkey hinterlegen ######################### 
 +mkdir /home/django/.ssh 
 +chmod 700 /home/django/.ssh 
 +chown django:django /home/django/.ssh 
 +cat <<AUTHORIZED_KEYS >/home/django/.ssh/authorized_keys 
 +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AA/F1CKDicH1n5Kn13+YjpbHqHOkhsMagrrD5dIbkU6ddoBSp django@nausch.org 
 +AUTHORIZED_KEYS 
 +chmod 644 /home/django/.ssh/authorized_keys 
 +chown django:django /home/django/.ssh/authorized_keys 
 +################################################################################# 
 + 
 +############### lokales gespiegeltes CentOS-Repository benutzen ################# 
 +cp -a /etc/yum.repos.d/CentOS-AppStream.repo /etc/yum.repos.d/CentOS-AppStream.repo.orig 
 +cat <<CENTOS-APPSTREAM > /etc/yum.repos.d/epel-modular.repo 
 +# CentOS-AppStream.repo 
 +
 +# The mirror system uses the connecting IP address of the client and the 
 +# update status of each mirror to pick mirrors that are updated to and 
 +# geographically close to the client.  You should use this for CentOS updates 
 +# unless you are manually picking other mirrors. 
 +
 +# If the mirrorlist= does not work for you, as a fall back you can try the 
 +# remarked out baseurl= line instead. 
 +
 +
 + 
 +[AppStream] 
 +name=CentOS-\$releasever - AppStream 
 +baseurl=http://10.0.0.57/centos/\$releasever/AppStream/\$basearch/os/ 
 +gpgcheck=1 
 +enabled=1 
 +gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial 
 +CENTOS-APPSTREAM 
 +chown root:root /etc/yum.repos.d/CentOS-AppStream.repo 
 +chmod 644 /etc/yum.repos.d/CentOS-AppStream.repo 
 + 
 +cp -a /etc/yum.repos.d/CentOS-Base.repo /etc/yum.repos.d/CentOS-Base.repo.orig 
 +cat <<CENTOS-BASE > /etc/yum.repos.d/CentOS-Base.repo 
 +# CentOS-Base.repo 
 +
 +# The mirror system uses the connecting IP address of the client and the 
 +# update status of each mirror to pick mirrors that are updated to and 
 +# geographically close to the client.  You should use this for CentOS updates 
 +# unless you are manually picking other mirrors. 
 +
 +# If the mirrorlist= does not work for you, as a fall back you can try the 
 +# remarked out baseurl= line instead. 
 +
 +
 + 
 +[BaseOS] 
 +name=CentOS-\$releasever - Base 
 +baseurl=http://10.0.0.57/centos/\$releasever/BaseOS/\$basearch/os/ 
 +gpgcheck=1 
 +enabled=1 
 +gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial 
 +CENTOS-BASE 
 +chown root:root /etc/yum.repos.d/CentOS-AppStream.repo 
 +chmod 644 /etc/yum.repos.d/CentOS-AppStream.repo 
 + 
 +cp -a /etc/yum.repos.d/CentOS-Extras.repo /etc/yum.repos.d/CentOS-Extras.repo.orig 
 +cat <<CENTOS-EXTRAS > /etc/yum.repos.d/CentOS-Extras.repo 
 +# CentOS-Extras.repo 
 +
 +# The mirror system uses the connecting IP address of the client and the 
 +# update status of each mirror to pick mirrors that are updated to and 
 +# geographically close to the client.  You should use this for CentOS updates 
 +# unless you are manually picking other mirrors. 
 +
 +# If the mirrorlist= does not work for you, as a fall back you can try the 
 +# remarked out baseurl= line instead. 
 +
 +
 + 
 +#additional packages that may be useful 
 +[extras] 
 +name=CentOS-\$releasever - Extras 
 +baseurl=http://10.0.0.57/centos/\$releasever/extras/\$basearch/os/ 
 +gpgcheck=1 
 +enabled=1 
 +gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial 
 +CENTOS-EXTRAS 
 +chown root:root /etc/yum.repos.d/CentOS-Extras.repo 
 +chmod 644 /etc/yum.repos.d/CentOS-Extras.repo 
 +################################################################################# 
 + 
 +###### EPEL installieren und lokales gespiegeltes EPEL-Repository benutzen ###### 
 +dnf install epel-release -y 
 +rpm --import https://dl.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL- 
 + 
 +cp -a /etc/yum.repos.d/epel-modular.repo /etc/yum.repos.d/epel-modular.repo.orig 
 +cat <<EPEL-MODULAR > /etc/yum.repos.d/epel-modular.repo 
 +[epel-modular] 
 +name=Extra Packages for Enterprise Linux Modular \$releasever - \$basearch 
 +baseurl=http://10.0.0.57/epel/\$releasever/Modular/\$basearch 
 +enabled=1 
 +gpgcheck=1 
 +gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-8 
 + 
 +[epel-modular-debuginfo] 
 +name=Extra Packages for Enterprise Linux Modular \$releasever - \$basearch - Debug 
 +baseurl=http://10.0.0.57/epel/\$releasever/Modular/\$basearch/debug 
 +enabled=0 
 +gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-8 
 +gpgcheck=1 
 + 
 +[epel-modular-source] 
 +name=Extra Packages for Enterprise Linux Modular \$releasever - \$basearch - Source 
 +baseurl=http://10.0.0.57/epel/\$releasever/Modular/\$basearch/SRPMS 
 +enabled=0 
 +gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-8 
 +gpgcheck=1 
 + 
 +EPEL-MODULAR 
 +chown root:root /etc/yum.repos.d/epel-modular.repo 
 +chmod 644 /etc/yum.repos.d/epel-modular.repo 
 + 
 +cp -a /etc/yum.repos.d/epel.repo /etc/yum.repos.d/epel.repo.orig 
 +cat <<EPEL > /etc/yum.repos.d/epel.repo 
 +[epel] 
 +name=Extra Packages for Enterprise Linux \$releasever - \$basearch 
 +baseurl=http://10.0.0.57/epel/\$releasever/Everything/\$basearch 
 +enabled=1 
 +gpgcheck=1 
 +gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-8 
 + 
 +[epel-debuginfo] 
 +name=Extra Packages for Enterprise Linux \$releasever - \$basearch - Debug 
 +baseurl=http://10.0.0.57/epel/\$releasever/Everything/\$basearch/debug 
 +enabled=0 
 +gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-8 
 +gpgcheck=1 
 + 
 +[epel-source] 
 +name=Extra Packages for Enterprise Linux \$releasever - \$basearch - Source 
 +baseurl=http://10.0.0.57/epel/\$releasever/Everything/SRPMS 
 +enabled=0 
 +gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-8 
 +gpgcheck=1 
 +EPEL 
 +chown root:root /etc/yum.repos.d/epel.repo 
 +chmod 644 /etc/yum.repos.d/epel.repo 
 +################################################################################# 
 + 
 +############################ System Updaten ##################################### 
 +dnf update -y 
 +################################################################################# 
 +;; 
 +esac; 
 +done 
 +%end 
 + 
 +</file> 
 + 
 +Damit nun beim Laden der Menüdatei bei PXE-Boot die überarbeitete Kickstart-Datei geladen werden kann, erweitern wir nun die Menü-Datei unseres PXE-Bootservers. 
 + 
 +   # vim /var/lib/tftpboot/pxelinux.cfg/dmz-64 
 +Dort tragen wir beim betreffenden **LABEL** die Optionen **''ks''**, **''net.ifnames''** und **''biosdevname''** sowie am Ende der Zeile **''SERVERNAME=''** ein. 
 +<code>LABEL 3 
 +   MENU LABEL ^3) Installation von CentOS 8 (64 Bit) 
 +   KERNEL images/centos/8/x86_64/vmlinuz 
 +   APPEND ks=http://10.0.0.57/kickstart/ks_centos_8_x86_64_dmz.cfg initrd=images/centos/8/x86_64/initrd.img ksdevice=eth0 ip=dhcp --hostname=vml000250.dmz.nausch.org method=http://10.0.0.57/centos/8/BaseOS/x86_64/os/ net.ifnames=0 biosdevname=0 SERVERNAME= 
 +</code> 
 + 
 +Anschliessend starten wir wie gewohnt unsere virtuelle Maschine.   
 + 
 +{{ :centos:pxe_c7:pxe-boot-menue-004.png?nolink&800 |Bild: Bildschirmhardcopy der Installationskonfiguration}} 
 + 
 +<WRAP center round tip 80%> 
 + 
 +Zum Setzen des Hostnamens wählen wir nun wie gewünscht den betreffenden Menüpunkt aus, drücken dann aber **__NICHT__** die **EINGABETASTE**, sondern die Taste **TAB**! Anschliessend geben wir den Hostnamen ein. 
 +</WRAP> 
 + 
 +{{ :centos:pxe_c8:pxe-boot-menue-087b.png?nolink&800 |Bild: Bildschirmhardcopy Auswahl PXE Bootmenü}}  
 + 
 +Am Ende des Installationsvorganges werden wir informiert, dass das postinstall-script, welches wir per PXE-Boot bzw. genauer gesagt mit dem Kickstartfile mitgegeben hatten, ausgeführt wird. 
 + 
 +{{ :centos:pxe_c8:pxe-boot-menue-087c.png?nolink&800 |Bild: Bildschirmhardcopy Anzeige "Ausführung postinstall script"}}  
 + 
 +Nach kurzer Wartezeit haben wir ein neues, vorkonfiguriertes und vor allem aktuelles System, bei dem wir uns direkt per **''ssh''** verbinden können. 
 +   $ ssh 10.0.0.50 
 + 
 +<code>The authenticity of host '10.0.0.50 (10.0.0.50)' can't be established. 
 +ED25519 key fingerprint is SHA256:JKV0iNvjQGMhkWIGEPC1hQH/vzpbeabl1g7s46yhMj6. 
 +Are you sure you want to continue connecting (yes/no/[fingerprint])? yes 
 +Warning: Permanently added '10.0.0.50' (ED25519) to the list of known hosts. 
 +############################################################################## 
 +#                                                                            # 
 +#                       This is a private home server.                       # 
 +#                                                                            # 
 +#             Unauthorized access to this system is prohibited !             # 
 +#                                                                            # 
 +#    This system is actively monitored and all connections may be logged.    # 
 +#         By accessing this system, you consent to this monitoring.          # 
 +#                                                                            # 
 +############################################################################## 
 +############################################################################## 
 +#                                                                            # 
 +#                 This is the home server of Michael Nausch.                 # 
 +#                                                                            # 
 +#                            vml000050.nausch.org                            # 
 +#                                                                            # 
 +#             Unauthorized access to this system is prohibited !             # 
 +#                                                                            # 
 +#    This system is actively monitored and all connections may be logged.    # 
 +#         By accessing this system, you consent to this monitoring.          # 
 +#                                                                            # 
 +##############################################################################</code> 
 + 
 +Die Netzwerkschnittstelle hat entsprechend die gewünschte Bezeichnung erhalten. 
 +   # ip a 
 + 
 +<code>1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000 
 +    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 
 +    inet 127.0.0.1/8 scope host lo 
 +       valid_lft forever preferred_lft forever 
 +    inet6 ::1/128 scope host  
 +       valid_lft forever preferred_lft forever 
 +2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000 
 +    link/ether 52:54:00:74:80:c2 brd ff:ff:ff:ff:ff:ff 
 +    inet 10.0.0.50/24 brd 10.0.0.255 scope global noprefixroute eth0 
 +       valid_lft forever preferred_lft forever 
 +    inet6 fe80::5054:ff:fe74:80c2/64 scope link noprefixroute  
 +       valid_lft forever preferred_lft forever</code> 
 + 
 +Das System ist auch mit den aktuellesten Programmpaketen bestückt. 
 +   # dnf update 
 + 
 +<code>Last metadata expiration check: 0:12:20 ago on Sun 14 Jun 2020 01:49:52 PM CEST. 
 +Dependencies resolved. 
 +Nothing to do. 
 +Complete!</code> 
 + 
 +==== Bsp. 4: Kickstart für eigene Installationsimages/-ISOs ==== 
 +Beim letzten Konfigurationsbeispiel gehen wir davon aus, dass wir unseren CentOS 8 Host nicht via PXE-Boot betanken können, sondern über den Umweg eines ISO-Files. Ntürlich wollen wir auch hier den Installations und anschließenden grundlegenden Erstkonfiguirationsaufwand möglichst gering halten. 
 + 
 +Wir werden also unsere Kickstart-Datei in das vorhandene ***[[http://isoredirect.centos.org/centos/8/isos/x86_64/CentOS-8.1.1911-x86_64-dvd1.iso|CentOS 8 Iso Image]]** packen. 
 + 
 +Zum Packen des iso-Images benötigen wir das Programm aus dem RPM-Paket **genisoimage**. Zum Validieren der Kickstart-Datei benötigen wir das Programm **''ksvalidator''** aus dem RPM-Paket **pykickstart**, zum Packen des iso-Images benötigen wir das Programm aus dem RPM-Paket **genisoimage** und letztendlich zum Hinzufügen der md5sum zum Iso Image das Programm **''implantisomd5''** aus dem RPM **isomd5sum**. 
 + 
 +Zunächst installieren wir, falls noch nicht im System vorhanden die drei RPM. 
 +   # dnf install genisoimage pykickstart isomd5sum -y 
 + 
 +Dann holen wir uns das ISO-Image auf unsere Admin-Workstation. 
 +   # wget http://isoredirect.centos.org/centos/8/isos/x86_64/CentOS-8.1.1911-x86_64-dvd1.iso 
 + 
 +Damit wir den Inhalt dieser ISO-Installations-DVD nach unseren Wünschen anpassen können werden wir diese Datei in unser Dateisystem einbinden. Den entsprechenden Pfad definieren wir uns nun noch. 
 +   # mkdir /mnt/iso 
 + 
 +Nun mounten wir das ISO-Image. 
 +   #  mount -o CentOS-8.1.1911-x86_64-dvd1.iso /mnt/iso 
 + 
 +Anschließend wechseln wir in das Verzeichnis **''/mnt/iso''**, also der gemountete ISO-Datei. 
 + 
 +Im Verzeichnis **isolinux** legen wir dann unser Kickstartfile **''ks.cfg''** ab. 
 +   # vim /mnt/iso/isolinux/ks.cfg 
 +<file bash /mnt/iso/isolinux.cfg># Django 2020-06-14 Kickstart-Datei zum automatischen Betanken von DMZ-Maschinen (64 Bit) aus einem iso-image 
 +# Version=CentOS 8 (RHEL 8)#version=RHEL8 
 + 
 +# Tastaturlayout definieren 
 +keyboard --vckeymap=de-nodeadkeys --xlayouts='de (nodeadkeys)' 
 + 
 +# Systemsprache setzen 
 +lang en_US.UTF-8 
 + 
 +# Definition der Netzwerkeinstellungen 
 +network  --bootproto=static --device=eth0 --gateway=10.0.0.17 --ip=10.0.0.250 --nameserver=10.0.0.27 --netmask=255.255.255.0 --ipv6=auto --activate 
 +network  --hostname=vml000250.dmz.nausch.org 
 + 
 +# Zeitzone setzen 
 +timezone Europe/Berlin --isUtc --ntpservers=time.dmz.nausch.org 
 +services --enabled="chronyd" 
 + 
 +# Installationsquelle setzen (eigenes ISO-Image) 
 +repo --name="AppStream" --baseurl=file:///run/install/repo/AppStream 
 +cdrom 
 + 
 +# Root-Passwort verschlüsselt vorgeben 
 +rootpw --iscrypted $6$Z46HtZ/aLHbA19p$WVsutOEqe0m0e97lgEreKUzfkAEFzFSR0Hj8RFN8MHqWjPqk7PkJeQ9mIcTGtdutFnFVdFzFSR0KhrdGwUdAn01 
 + 
 +# Default-Benutzerkonto anlegen 
 +user --name=django --password=$6$2.fGKBeQa18GE6XwDMXG6$QX/j.TfZXk0bBuoJ8GE6XMXRZYz/4pEE6PuwkubaDmteRAAerLVKK69EF30d1K/f1d/sUEqbF9FJBulc/ --iscrypted --gecos="Bastard Operator from Hell" 
 + 
 +# vorhandene Partitionen löschen 
 +#ignoredisk --only-use=sda 
 +clearpart --none --initlabel 
 +# autopart --type=lvm 
 + 
 +# GUI für Installation verwendengraphical 
 +graphical 
 + 
 +# Kein X Window System konfigurieren, da dieses nicht installiert wird 
 +skipx 
 + 
 +# Reboot nach der Installation ausführen 
 +reboot 
 + 
 +%packages 
 +@^minimal-environment 
 +-iwl*firmware 
 +vim 
 +bash-completion 
 +bind-utils 
 +wget 
 +telnet 
 +net-tools 
 +lsof 
 +%end 
 + 
 +%addon com_redhat_kdump --disable --reserve-mb='auto' 
 + 
 +%end 
 + 
 +%anaconda 
 +pwpolicy root --minlen=6 --minquality=1 --notstrict --nochanges --notempty 
 +pwpolicy user --minlen=6 --minquality=1 --notstrict --nochanges --emptyok 
 +pwpolicy luks --minlen=6 --minquality=1 --notstrict --nochanges --notempty 
 +%end 
 + 
 +# Postinstall-Anweisungen 
 +%post --log=/root/anaconda-postinstall.log 
 +#!/bin/bash 
 +#DATUM=$(date +"%Y-%m-%d"
 +#for x in `cat /proc/cmdline`; do 
 +#case $x in SERVERNAME*) 
 +#eval $x 
 + 
 +############ bootloader anpassen, rhgb bei den Bootoptionen entfernen ########### 
 +sed -i 's/rhgb//g' /etc/default/grub 
 +grub2-mkconfig -o /boot/grub2/grub.cfg 
 +################################################################################# 
 + 
 +######################## MOTD und ISSUE.NET individualisieren ################### 
 +# /etc/issue.net anlegen 
 +cat <<ISSUE.NET > /etc/issue.net 
 +############################################################################## 
 +#                                                                            # 
 +#                       This is a private home server.                       # 
 +#                                                                            # 
 +#             Unauthorized access to this system is prohibited !             # 
 +#                                                                            # 
 +#    This system is actively monitored and all connections may be logged.    # 
 +#         By accessing this system, you consent to this monitoring.          # 
 +#                                                                            # 
 +############################################################################## 
 +ISSUE.NET 
 + 
 +chown root:root /etc/issue.net 
 +chmod 644 /etc/issue.net 
 + 
 +# /etc/motd anlegen 
 +cat <<MOTD > /etc/motd 
 +############################################################################## 
 +#                                                                            # 
 +#                 This is the home server of Michael Nausch.                 # 
 +#                                                                            # 
 +#                             vml00250.nausch.org                            # 
 +#                                                                            # 
 +#             Unauthorized access to this system is prohibited !             # 
 +#                                                                            # 
 +#    This system is actively monitored and all connections may be logged.    # 
 +#         By accessing this system, you consent to this monitoring.          # 
 +#                                                                            # 
 +############################################################################## 
 +MOTD 
 + 
 +chown root:root /etc/motd 
 +chmod 644 /etc/motd 
 +################################################################################# 
 + 
 +########################### ssh-daemon konfigurieren ############################ 
 +cp -a /etc/ssh/sshd_config /etc/ssh/sshd_config.orig 
 +cat <<SSHD_CONFIG > /etc/ssh/sshd_config 
 +# $OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $ 
 + 
 +# This is the sshd server system-wide configuration file.  See 
 +# sshd_config(5) for more information. 
 + 
 +# This sshd was compiled with PATH=/usr/local/bin:/usr/bin:/usr/local/sbin:/usr/sbin 
 + 
 +# The strategy used for options in the default sshd_config shipped with 
 +# OpenSSH is to specify options with their default value where 
 +# possible, but leave them commented.  Uncommented options override the 
 +# default value. 
 + 
 +# If you want to change the port on a SELinux system, you have to tell 
 +# SELinux about this change. 
 +# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER 
 +
 +# Specifies which address family should be used by sshd(8). Valid arguments 
 +# are ''any'', ''inet'' (use IPv4 only), or ''inet6'' (use IPv6 only). 
 +#AddressFamily any 
 + 
 +# Specifies the local addresses sshd(8) should listen on. The following  
 +# forms may be used: 
 +#                   ListenAddress host|IPv4_addr|IPv6_addr 
 +#                   ListenAddress host|IPv4_addr:port 
 +#                   ListenAddress [host|IPv6_addr]:port 
 +# If port is not specified, sshd will listen on the address and all prior  
 +# Port options specified. The default is to listen on all local addresses.  
 +# Multiple ListenAddress options are permitted. Additionally, any Port  
 +# options must precede this option for non-port qualified addresses. 
 +#Port 22 
 +#ListenAddress 0.0.0.0 
 +#ListenAddress :: 
 + 
 +# Specifies a file containing a private host key used by SSH. The default  
 +# is /etc/ssh/ssh_host_key for protocol version 1, and  
 +# /etc/ssh/ssh_host_rsa_key and /etc/ssh/ssh_host_dsa_key for protocol  
 +# version 2. Note that sshd(8) will refuse to use a file if it is  
 +# group/world-accessible. It is possible to have multiple host key files. 
 +# ''rsa1'' keys are used for version 1 and ''dsa'' or ''rsa'' are used for 
 +# version 2 of the SSH protocol.  
 +HostKey /etc/ssh/ssh_host_ed25519_key 
 + 
 +# Specifies the ciphers allowed for protocol version 2. Multiple ciphers  
 +# must be comma-separated. The supported ciphers are ''3des-cbc'',  
 +# ''aes128-cbc'', ''aes192-cbc'', ''aes256-cbc'', ''aes128-ctr'',  
 +# ''aes192-ctr'', ''aes256-ctr'', ''arcfour128'', ''arcfour256'',  
 +# ''arcfour'', ''blowfish-cbc'', and ''cast128-cbc''
 +Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr 
 + 
 +# MACs' Specifies the available MAC (message authentication code)  
 +# algorithms. The MAC algorithm is used in protocol version 2 for data  
 +# integrity protection. Multiple algorithms must be comma-separated. 
 +MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256 
 + 
 +# Specifies the available KEX (Key Exchange) algorithms. Multiple  
 +# algorithms must be comma-separated. For ineroperability with Eclipse  
 +# and WinSCP):  
 +# KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256 
 +# If needed, open /etc/ssh/moduli if exists, and delete lines where the  
 +# 5th column is less than 2000. 
 +#   awk '$5 > 2000' /etc/ssh/moduli > "${HOME}/moduli" 
 +#   wc -l "${HOME}/moduli" 
 +# make sure there is something left 
 +#   mv "${HOME}/moduli" /etc/ssh/moduli 
 +
 +KexAlgorithms curve25519-sha256@libssh.org 
 + 
 +# Ciphers and keying 
 +#RekeyLimit default none 
 + 
 +# System-wide Crypto policy: 
 +# This system is following system-wide crypto policy. The changes to 
 +# Ciphers, MACs, KexAlgoritms and GSSAPIKexAlgorithsm will not have any 
 +# effect here. They will be overridden by command-line options passed on 
 +# the server start up. 
 +# To opt out, uncomment a line with redefinition of  CRYPTO_POLICY= 
 +# variable in  /etc/sysconfig/sshd  to overwrite the policy. 
 +# For more information, see manual page for update-crypto-policies(8). 
 + 
 +# Logging 
 +# Gives the facility code that is used when logging messages from sshd(8).  
 +# The possible values are: DAEMON, USER, AUTH, AUTHPRIV, LOCAL0, LOCAL1,  
 +# LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.  
 +SyslogFacility AUTHPRIV 
 + 
 +# Gives the verbosity level that is used when logging messages from sshd(8). 
 +# The possible values are: QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG,  
 +# DEBUG1, DEBUG2, and DEBUG3. The default is INFO. DEBUG and DEBUG1 are  
 +# equivalent. DEBUG2 and DEBUG3 each specify higher levels of debugging  
 +# output. Logging with a DEBUG level violates the privacy of users and is  
 +# not recommended. 
 +# LogLevel VERBOSE logs user's key fingerprint on login. Needed to have a  
 +# clear audit track of which key was using to log in. 
 +LogLevel VERBOSE 
 + 
 +# Authentication: 
 +# The server disconnects after this time if the user has not successfully  
 +# logged in. If the value is 0, there is no time limit. 
 +LoginGraceTime 0 
 + 
 +# Specifies whether root can log in using ssh(1). The argument must be  
 +# ''yes'', ''without-password'', ''forced-commands-only'', or ''no''.  
 +# The default is ''yes''. If this option is set to ''without-password'',  
 +# password authentication is disabled for root. If this option is set to 
 +# ''forced-commands-only'', root login with public key authentication will  
 +# be allowed, but only if the command option has been specified (which  
 +# may be useful for taking remote backups even if root login is normally  
 +# not allowed). All other authentication methods are disabled for root. 
 +# If this option is set to ''no'', root is not allowed to log in.   
 +PermitRootLogin no 
 + 
 +# This keyword can be followed by a list of user name patterns, separated  
 +# by spaces. If specified, login is allowed only for user names that match  
 +# one of the patterns. Only user names are valid; a numerical user ID is  
 +# not recognized. By default, login is allowed for all users. If the pattern 
 +# takes the form USER@HOST then USER and HOST are separately checked,  
 +# restricting logins to particular users from particular hosts. The  
 +# allow/deny directives are processed in the following order:  
 +# DenyUsers, AllowUsers, DenyGroups, and finally AllowGroups.  
 +AllowUsers django 
 + 
 +# Specifies whether sshd(8) should check file modes and ownership of the  
 +# user's files and home directory before accepting login. This is normally  
 +# desirable because novices sometimes accidentally leave their directory  
 +# or files world-writable. 
 +StrictModes yes 
 + 
 +# Specifies the maximum number of authentication attempts permitted per  
 +# connection. Once the number of failures reaches half this value,  
 +# additional failures are logged. 
 +MaxAuthTries 10 
 + 
 +# Specifies the maximum number of open sessions permitted per network  
 +# connection. 
 +MaxSessions 10 
 + 
 +# Specifies the file that contains the public keys that can be used for  
 +# user authentication. AuthorizedKeysFile may contain tokens of the form 
 +# %T which are substituted during connection setup. The following tokens 
 +# are defined: %% is replaced by a literal '%', %h is replaced by the  
 +# home directory of the user being authenticated, and %u is replaced by 
 +# the username of that user. After expansion, AuthorizedKeysFile is 
 +# taken to be an absolute path or one relative to the user's home directory. 
 +AuthorizedKeysFile      .ssh/authorized_keys 
 + 
 +# Specifies whether public key authentication is allowed. The default is  
 +# ''yes''. Note that this option applies to protocol version 2 only. 
 +PubkeyAuthentication yes 
 + 
 + 
 +#AuthorizedPrincipalsFile none 
 +#AuthorizedKeysCommand none 
 +#AuthorizedKeysCommandUser nobody 
 + 
 +# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts 
 +#HostbasedAuthentication no 
 +# Change to yes if you don't trust ~/.ssh/known_hosts for 
 +# HostbasedAuthentication 
 +#IgnoreUserKnownHosts no 
 +# Don't read the user's ~/.rhosts and ~/.shosts files 
 +#IgnoreRhosts yes 
 + 
 +# To disable tunneled clear text passwords, change to no here! 
 +#PasswordAuthentication yes 
 +#PermitEmptyPasswords no 
 + 
 +# Specifies whether password authentication is allowed. To disable tunneled  
 +# clear text passwords, change to no here! 
 +PasswordAuthentication no 
 + 
 +# Specifies whether challenge-response authentication is allowed  
 +# (e.g. via PAM or though authentication styles supported in login.conf(5)) 
 +# Change to no to disable s/key passwords 
 +ChallengeResponseAuthentication no 
 + 
 +# Kerberos options 
 +#KerberosAuthentication no 
 +#KerberosOrLocalPasswd yes 
 +#KerberosTicketCleanup yes 
 +#KerberosGetAFSToken no 
 +#KerberosUseKuserok yes 
 + 
 +# Specifies whether user authentication based on GSSAPI is allowed. 
 +GSSAPIAuthentication yes 
 + 
 +# Specifies whether key exchange based on GSSAPI is allowed. GSSAPI key  
 +# exchange doesn't rely on ssh keys to verify host identity.  
 +#GSSAPIKeyExchange no 
 + 
 +# Specifies whether to automatically destroy the user's credentials cache  
 +# on logout. 
 +GSSAPICleanupCredentials no 
 + 
 +# Determines whether to be strict about the identity of the GSSAPI acceptor  
 +# a client authenticates against. If ''yes'' then the client must authenticate 
 +# against the host service on the current hostname. If ''no'' then the client  
 +# may authenticate against any service key stored in the machine's default 
 +# store. This facility is provided to assist with operation on multi homed  
 +# machines. The default is ''yes''. Note that this option applies only to  
 +# protocol version 2 GSSAPI connections, and setting it to ''no'' may only  
 +# work with recent Kerberos GSSAPI libraries. 
 +#GSSAPIStrictAcceptorCheck yes 
 + 
 +#GSSAPIEnablek5users no 
 + 
 +# Set this to 'yes' to enable PAM authentication, account processing, 
 +# and session processing. If this is enabled, PAM authentication will 
 +# be allowed through the ChallengeResponseAuthentication and 
 +# PasswordAuthentication.  Depending on your PAM configuration, 
 +# PAM authentication via ChallengeResponseAuthentication may bypass 
 +# the setting of "PermitRootLogin without-password"
 +# If you just want the PAM account and session checks to run without 
 +# PAM authentication, then enable this but set PasswordAuthentication 
 +# and ChallengeResponseAuthentication to 'no'
 +# WARNING: 'UsePAM no' is not supported in Fedora and may cause several 
 +# problems. 
 +UsePAM yes 
 + 
 +# Specifies whether X11 forwarding is permitted. The argument must be  
 +# ''yes'' or ''no''. The default is ''no''
 +# When X11 forwarding is enabled, there may be additional exposure to the 
 +# server and to client displays if the sshd(8) proxy display is configured 
 +# to listen on the wildcard address (see X11UseLocalhost below), though this 
 +# is not the default. Additionally, the authentication spoofing and  
 +# authentication data verification and substitution occur on the client side. 
 +# The security risk of using X11 forwarding is that the client's X11 display 
 +# server may be exposed to attack when the SSH client requests forwarding  
 +# (see the warnings for ForwardX11 in ssh_config(5)). A system administrator 
 +# may have a stance in which they want to protect clients that may expose 
 +# themselves to attack by unwittingly requesting X11 forwarding, which can  
 +# warrant a ''no'' setting. Note that disabling X11 forwarding does not  
 +# prevent users from forwarding X11 traffic, as users can always install  
 +# their own forwarders. X11 forwarding is automatically disabled if UseLogin 
 +# is enabled.  
 +X11Forwarding yes 
 + 
 +# Specifies the first display number available for sshd(8)'s X11 forwarding. 
 +# This prevents sshd from interfering with real X11 servers.  
 +# The default is 10. 
 +#X11DisplayOffset 10 
 + 
 +# Specifies whether sshd(8) should bind the X11 forwarding server to the  
 +# loopback address or to the wildcard address. By default, sshd binds the 
 +# forwarding server to the loopback address and sets the hostname part of 
 +# the DISPLAY environment variable to ''localhost''. This prevents remote 
 +# hosts from connecting to the proxy display. However, some older X11 clients 
 +# may not function with this configuration. X11UseLocalhost may be set to  
 +# ''no'' to specify that the forwarding server should be bound to the  
 +# wildcard address. The argument must be ''yes'' or ''no''. The default is  
 +# ''yes''
 +#X11UseLocalhost yes 
 + 
 +# Specifies whether ssh-agent(1) forwarding is permitted. The default is  
 +# ''yes''. Note that disabling agent forwarding does not improve security  
 +# unless users are also denied shell access, as they can always install  
 +# their own forwarders. 
 +#AllowAgentForwarding yes 
 + 
 +# Specifies whether TCP forwarding is permitted. The default is ''yes''.  
 +# Note that disabling TCP forwarding does not improve security unless users 
 +# are also denied shell access, as they can always install their own  
 +# forwarders.  
 +#AllowTcpForwarding yes 
 + 
 +# Specifies whether remote hosts are allowed to connect to ports forwarded 
 +# for the client. By default, sshd(8) binds remote port forwardings to the 
 +# loopback address. This prevents other remote hosts from connecting to  
 +# forwarded ports. GatewayPorts can be used to specify that sshd should  
 +# allow remote port forwardings to bind to non-loopback addresses, thus  
 +# allowing other hosts to connect. The argument may be ''no'' to force  
 +# remote port forwardings to be available to the local host only, ''yes'' 
 +# to force remote port forwardings to bind to the wildcard address, or  
 +# ''clientspecified'' to allow the client to select the address to which  
 +# the forwarding is bound. The default is ''no''.  
 +#GatewayPorts no 
 + 
 +#PermitTTY yes 
 + 
 +# It is recommended to use pam_motd in /etc/pam.d/sshd instead of PrintMotd, 
 +# as it is more configurable and versatile than the built-in version. 
 +PrintMotd no 
 + 
 +#PrintLastLog yes 
 +#TCPKeepAlive yes 
 +#PermitUserEnvironment no 
 +#Compression delayed 
 +#ClientAliveInterval 0 
 +#ClientAliveCountMax 3 
 +#ShowPatchLevel no 
 +#UseDNS no 
 +#PidFile /var/run/sshd.pid 
 +#MaxStartups 10:30:100 
 +#PermitTunnel no 
 +#ChrootDirectory none 
 +#VersionAddendum none 
 + 
 +# The contents of the specified file are sent to the remote user before  
 +# authentication is allowed.  
 +Banner /etc/issue.net 
 + 
 +# Accept locale-related environment variables 
 +AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES 
 +AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT 
 +AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE 
 +AcceptEnv XMODIFIERS 
 + 
 +# Configures an external subsystem (e.g. file transfer daemon). Arguments  
 +# should be a subsystem name and a command (with optional arguments) to  
 +# execute upon subsystem request. Log sftp level file access  
 +# (read/write/etc.) that would not be easily logged otherwise. 
 +Subsystem sftp /usr/libexec/openssh/sftp-server 
 + 
 +# Example of overriding settings on a per-user basis 
 +#Match User anoncvs 
 +# X11Forwarding no 
 +# AllowTcpForwarding no 
 +# PermitTTY no 
 +# ForceCommand cvs server 
 +SSHD_CONFIG 
 +chown root:root /etc/ssh/sshd_config 
 +chmod 600 /etc/ssh/sshd_config 
 +################################################################################# 
 + 
 +####################### Django's ssh-pubkey hinterlegen ######################### 
 +mkdir /home/django/.ssh 
 +chmod 700 /home/django/.ssh 
 +chown django:django /home/django/.ssh 
 +cat <<AUTHORIZED_KEYS >/home/django/.ssh/authorized_keys 
 +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDYjDCtBTfrpbHHkRrqHOkhsMagrrD5d+IbkU6ddoBSp django@nausch.org 
 +AUTHORIZED_KEYS 
 +chmod 644 /home/django/.ssh/authorized_keys 
 +chown django:django /home/django/.ssh/authorized_keys 
 +################################################################################# 
 + 
 +############### lokales gespiegeltes CentOS-Repository benutzen ################# 
 +cp -a /etc/yum.repos.d/CentOS-AppStream.repo /etc/yum.repos.d/CentOS-AppStream.repo.orig 
 +# target must be the AppStream repo file itself (the original wrote this heredoc to epel-modular.repo) 
 +cat <<CENTOS-APPSTREAM > /etc/yum.repos.d/CentOS-AppStream.repo 
 +# CentOS-AppStream.repo 
 +
 +# The mirror system uses the connecting IP address of the client and the 
 +# update status of each mirror to pick mirrors that are updated to and 
 +# geographically close to the client.  You should use this for CentOS updates 
 +# unless you are manually picking other mirrors. 
 +
 +# If the mirrorlist= does not work for you, as a fall back you can try the 
 +# remarked out baseurl= line instead. 
 +
 +
 + 
 +[AppStream] 
 +name=CentOS-\$releasever - AppStream 
 +baseurl=http://10.0.0.57/centos/\$releasever/AppStream/\$basearch/os/ 
 +gpgcheck=1 
 +enabled=1 
 +gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial 
 +CENTOS-APPSTREAM 
 +chown root:root /etc/yum.repos.d/CentOS-AppStream.repo 
 +chmod 644 /etc/yum.repos.d/CentOS-AppStream.repo 
 + 
 +cp -a /etc/yum.repos.d/CentOS-Base.repo /etc/yum.repos.d/CentOS-Base.repo.orig 
 +cat <<CENTOS-BASE > /etc/yum.repos.d/CentOS-Base.repo 
 +# CentOS-Base.repo 
 +
 +# The mirror system uses the connecting IP address of the client and the 
 +# update status of each mirror to pick mirrors that are updated to and 
 +# geographically close to the client.  You should use this for CentOS updates 
 +# unless you are manually picking other mirrors. 
 +
 +# If the mirrorlist= does not work for you, as a fall back you can try the 
 +# remarked out baseurl= line instead. 
 +
 +
 + 
 +[BaseOS] 
 +name=CentOS-\$releasever - Base 
 +baseurl=http://10.0.0.57/centos/\$releasever/BaseOS/\$basearch/os/ 
 +gpgcheck=1 
 +enabled=1 
 +gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial 
 +CENTOS-BASE 
 +chown root:root /etc/yum.repos.d/CentOS-Base.repo 
 +chmod 644 /etc/yum.repos.d/CentOS-Base.repo 
 + 
 +cp -a /etc/yum.repos.d/CentOS-Extras.repo /etc/yum.repos.d/CentOS-Extras.repo.orig 
 +cat <<CENTOS-EXTRAS > /etc/yum.repos.d/CentOS-Extras.repo 
 +# CentOS-Extras.repo 
 +
 +# The mirror system uses the connecting IP address of the client and the 
 +# update status of each mirror to pick mirrors that are updated to and 
 +# geographically close to the client.  You should use this for CentOS updates 
 +# unless you are manually picking other mirrors. 
 +
 +# If the mirrorlist= does not work for you, as a fall back you can try the 
 +# remarked out baseurl= line instead. 
 +
 +
 + 
 +#additional packages that may be useful 
 +[extras] 
 +name=CentOS-\$releasever - Extras 
 +baseurl=http://10.0.0.57/centos/\$releasever/extras/\$basearch/os/ 
 +gpgcheck=1 
 +enabled=1 
 +gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial 
 +CENTOS-EXTRAS 
 +chown root:root /etc/yum.repos.d/CentOS-Extras.repo 
 +chmod 644 /etc/yum.repos.d/CentOS-Extras.repo 
 +################################################################################# 
 + 
 +###### EPEL installieren und lokales gespiegeltes EPEL-Repository benutzen ###### 
 +dnf install epel-release -y 
 +# epel-release (installed from the signed extras repo) ships the key, so import it from there 
 +# instead of fetching it again over the network 
 +rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-8 
 + 
 +cp -a /etc/yum.repos.d/epel-modular.repo /etc/yum.repos.d/epel-modular.repo.orig 
 +cat <<EPEL-MODULAR > /etc/yum.repos.d/epel-modular.repo 
 +[epel-modular] 
 +name=Extra Packages for Enterprise Linux Modular \$releasever - \$basearch 
 +baseurl=http://10.0.0.57/epel/\$releasever/Modular/\$basearch 
 +enabled=1 
 +gpgcheck=1 
 +gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-8 
 + 
 +[epel-modular-debuginfo] 
 +name=Extra Packages for Enterprise Linux Modular \$releasever - \$basearch - Debug 
 +baseurl=http://10.0.0.57/epel/\$releasever/Modular/\$basearch/debug 
 +enabled=0 
 +gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-8 
 +gpgcheck=1 
 + 
 +[epel-modular-source] 
 +name=Extra Packages for Enterprise Linux Modular \$releasever - \$basearch - Source 
 +baseurl=http://10.0.0.57/epel/\$releasever/Modular/\$basearch/SRPMS 
 +enabled=0 
 +gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-8 
 +gpgcheck=1 
 + 
 +EPEL-MODULAR 
 +chown root:root /etc/yum.repos.d/epel-modular.repo 
 +chmod 644 /etc/yum.repos.d/epel-modular.repo 
 + 
 +cp -a /etc/yum.repos.d/epel.repo /etc/yum.repos.d/epel.repo.orig 
 +cat <<EPEL > /etc/yum.repos.d/epel.repo 
 +[epel] 
 +name=Extra Packages for Enterprise Linux \$releasever - \$basearch 
 +baseurl=http://10.0.0.57/epel/\$releasever/Everything/\$basearch 
 +enabled=1 
 +gpgcheck=1 
 +gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-8 
 + 
 +[epel-debuginfo] 
 +name=Extra Packages for Enterprise Linux \$releasever - \$basearch - Debug 
 +baseurl=http://10.0.0.57/epel/\$releasever/Everything/\$basearch/debug 
 +enabled=0 
 +gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-8 
 +gpgcheck=1 
 + 
 +[epel-source] 
 +name=Extra Packages for Enterprise Linux \$releasever - \$basearch - Source 
 +baseurl=http://10.0.0.57/epel/\$releasever/Everything/SRPMS 
 +enabled=0 
 +gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-8 
 +gpgcheck=1 
 +EPEL 
 +chown root:root /etc/yum.repos.d/epel.repo 
 +chmod 644 /etc/yum.repos.d/epel.repo 
 +################################################################################# 
 + 
 +############################ System Updaten ##################################### 
 +dnf update -y 
 +################################################################################# 
 +;; 
 +esac; 
 +done 
 +%end 
 +</file> 
 + 
 +Besides the basic installation of a CentOS 8 host, we now also have the following things set up: 
 +  - **[[centos:rename_nic_c8#grub_bootloader|Bootloader]]** Since we want to see detailed information while the machine boots, we remove the option **rhgb** from the GRUB definition. 
 +  - **[[centos:logins_individuell_anpassen|MOTD and ISSUE.NET]]** customised, including the hostname. 
 +  - **[[centos:ssh_c7#ssh-daemon|SSH daemon]]** We harden the SSH daemon and adjust its configuration file accordingly. 
 +  - **[[centos:ssh_c7#zielverzeichnis_anlegen_und_oeffentlichen_schluessel_kopieren|SSH public key]]** For our admin account **django** we deploy the matching public SSH key. 
 +  - **[[wiki:start#repos|Repositories]]** Instead of the public repositories, only the locally synced ones are to be used; it therefore makes no sense to leave the **''mirrorlist=''** entries in the corresponding repo files. Note that the mirror at **''10.0.0.57''** is reached over plain HTTP, so the **''gpgcheck=1''** and **''gpgkey=''** lines are the only thing guaranteeing package integrity and must stay in place. In addition to the standard repositories, the **[[centos:epel8|EPEL]]** repository is also set up and used. 
 +  - **Update** Finally we make sure that all installed packages are at their latest version and then have the system reboot. 
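As an added example (not code from the original page or its kickstart file): a small shell check that reads an sshd_config the way sshd does, keywords are case-insensitive and the first occurrence of a keyword wins, and reports where the effective global values differ from a hardened baseline. Run against the configuration written above it flags **''X11Forwarding yes''**, which the config's own comment notes may warrant **''no''** on a server. The baseline values and the compiled-in defaults in the table are assumptions made for this check (taken from sshd_config(5)), only the global section before the first **''Match''** block is evaluated, and directives in the ''Keyword=value'' form are not handled.

```shell
#!/bin/sh
# Added example, not code from the original page: evaluate an sshd_config the
# way sshd does (keywords are case-insensitive, the FIRST occurrence wins) and
# report deviations from a hardened baseline. Only the global section before
# the first "Match" block is considered; the baseline and the compiled-in
# defaults listed in sshd_audit are assumptions made for this check.

# sshd_effective FILE KEYWORD -> prints the effective value, or "<default>"
# when the keyword is not set before the first Match block
sshd_effective() {
    awk -v key="$2" '
        BEGIN { key = tolower(key); found = 0 }
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # comments, blank lines
        tolower($1) == "match" { exit }                  # per-user/host overrides start here
        tolower($1) == key {                             # first occurrence wins
            $1 = ""; sub(/^[[:space:]]+/, ""); sub(/[[:space:]]+$/, "")
            print; found = 1; exit
        }
        END { if (!found) print "<default>" }
    ' "$1"
}

# sshd_audit FILE -> prints one FINDING line per deviation, returns their count.
# Table entries are KEYWORD:EXPECTED:DEFAULT; DEFAULT is what sshd uses when the
# keyword is absent (values as documented in sshd_config(5) for OpenSSH 8.x).
sshd_audit() {
    _file=$1; _bad=0
    for _spec in PermitRootLogin:no:prohibit-password \
                 PasswordAuthentication:no:yes \
                 X11Forwarding:no:no \
                 AllowAgentForwarding:no:yes \
                 UsePAM:yes:no; do
        _key=${_spec%%:*}; _rest=${_spec#*:}
        _want=${_rest%%:*}; _default=${_rest#*:}
        _have=$(sshd_effective "$_file" "$_key")
        [ "$_have" = "<default>" ] && _have=$_default
        _have=$(printf '%s' "$_have" | tr 'A-Z' 'a-z')
        if [ "$_have" != "$_want" ]; then
            printf 'FINDING %s is "%s", expected "%s"\n' "$_key" "$_have" "$_want"
            _bad=$((_bad + 1))
        fi
    done
    return "$_bad"
}
```

A call such as ''sshd_audit /etc/ssh/sshd_config'' at the end of ''%post'' (or from a cron job later) turns the hardening intent into something that is actually verified; a non-zero return value is the number of findings.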
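As an added example (not code from the original page): the repo files above are written by hand-edited heredocs, which is how the target file name and the section it contains can get out of step. The shell functions below derive the file name from the section name and then check every ''*.repo'' file in a directory for what this setup relies on: no leftover **''mirrorlist=''** line, and **''gpgcheck=1''** with a **''gpgkey=''** and a **''baseurl=''** for every enabled section. The mirror URL ''http://10.0.0.57'' and the key path are the page's; the directory is a parameter so the functions can be tried on a scratch directory before they touch ''/etc/yum.repos.d''.

```shell
#!/bin/sh
# Added example, not code from the original page: generate a dnf repo file for
# the local mirror and validate a repo directory before relying on it.
# Assumptions: the mirror base URL and the GPG key path are taken from the page;
# the directory is a parameter so the functions can be tried on a scratch dir.

MIRROR=${MIRROR:-http://10.0.0.57}

# write_repo DIR SECTION NAME PATH GPGKEY -> writes DIR/SECTION.repo, prints it.
# The file name is derived from the section, so the two cannot get out of step.
# PATH is passed with literal $releasever/$basearch, which dnf expands later.
write_repo() {
    _dir=$1; _section=$2; _name=$3; _path=$4; _gpgkey=$5
    _file="$_dir/$_section.repo"
    cat > "$_file" <<EOF
[$_section]
name=$_name
baseurl=$MIRROR/$_path
gpgcheck=1
enabled=1
gpgkey=file://$_gpgkey
EOF
    chmod 644 "$_file"
    printf '%s\n' "$_file"
}

# check_repos DIR -> prints one line per problem, returns the problem count.
# Every enabled section must carry gpgcheck=1, a gpgkey= and a baseurl=, and no
# section may still have a mirrorlist= line: the mirror is plain HTTP, so the
# package signatures are the only integrity check left, and a leftover
# mirrorlist would silently pull from the public mirror system instead.
check_repos() {
    _bad=0
    for _f in "$1"/*.repo; do
        [ -f "$_f" ] || continue
        _out=$(awk -v f="$_f" '
            function flush() {
                if (sec == "") return
                if (enabled != "0") {
                    if (gpgcheck != "1") print f ": [" sec "] gpgcheck is not 1"
                    if (gpgkey == "")    print f ": [" sec "] has no gpgkey="
                    if (baseurl == "")   print f ": [" sec "] has no baseurl="
                }
                if (mirrorlist) print f ": [" sec "] still has a mirrorlist= line"
            }
            /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
            /^\[/ { flush()
                    sec = substr($0, 2, index($0, "]") - 2)
                    enabled = "1"; gpgcheck = ""; gpgkey = ""; baseurl = ""; mirrorlist = 0
                    next }
            { eq = index($0, "="); if (eq == 0) next
              key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
              gsub(/[[:space:]]/, "", key); gsub(/[[:space:]]/, "", val) }
            key == "enabled"    { enabled = val }
            key == "gpgcheck"   { gpgcheck = val }
            key == "gpgkey"     { gpgkey = val }
            key == "baseurl"    { baseurl = val }
            key == "mirrorlist" { mirrorlist = 1 }
            END { flush() }
        ' "$_f")
        if [ -n "$_out" ]; then
            printf '%s\n' "$_out"
            _bad=$((_bad + $(printf '%s\n' "$_out" | wc -l)))
        fi
    done
    return "$_bad"
}
```

In the kickstart ''%post'' the three CentOS heredocs collapse into three ''write_repo'' calls, and a final ''check_repos /etc/yum.repos.d'' before ''dnf update'' makes sure the update really runs against the mirror with signature checking on.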
 + 
 +For good measure we then set the file permissions to **444**. Bear in mind that **''ks.cfg''** carries the root password entry and the admin's public key, so an ISO built from it is not a public artefact: keep it where only administrators can read it. 
 +   # chmod 444 /mnt/iso/isolinux/ks.cfg 
 + 
 +So that we can edit the file **''isolinux.cfg''** used at boot time, we temporarily relax its permissions. 
 +   # chmod 644 /mnt/iso/isolinux/isolinux.cfg 
 + 
 +Now we can adjust the boot parameters and point to the kickstart file. We set **''inst.ks=hd:LABEL=CentOS-8-BaseOS-x86_64:/isolinux/ks.cfg''**, i.e. the path to the kickstart file, as well as the two parameters **''net.ifnames=0''** and **''biosdevname=0''** needed to give the network interfaces their classic **ethX** names again. 
 +   # vim /mnt/iso/isolinux/isolinux.cfg 
 + 
 +<code>... 
 + 
 +label linux 
 +  menu label ^Install CentOS Linux 8.0.1905 
 +  kernel vmlinuz 
 +  append initrd=initrd.img inst.ks=hd:LABEL=CentOS-8-BaseOS-x86_64:/isolinux/ks.cfg inst.stage2=hd:LABEL=CentOS-8-BaseOS-x86_64 quiet net.ifnames=0 biosdevname=0 
 + 
 +... 
 +</code>   
 + 
 +<WRAP center round important 75%> 
 +The important parameter here is **''LABEL=CentOS-8-BaseOS-x86_64''** \\ 
 +We have to specify exactly the same value later when creating our own boot ISO image! 
 +</WRAP> 
 + 
 +Now we can reset the permissions of this file to **444**. 
 +   # chmod 444 /mnt/iso/isolinux/isolinux.cfg 
 + 
 +Next we repack the contents of the original ISO image together with our kickstart file and our other changes. The label we used earlier in the configuration file **''isolinux.cfg''** is given here exactly the same way! 
 +   # mkisofs -o ~/CentOS-8-x86_64-1905-local.iso -b isolinux/isolinux.bin -c isolinux/boot.cat -no-emul-boot -boot-load-size 4 -boot-info-table -J -R -V 'CentOS-8-BaseOS-x86_64' .  
 + 
 +Before we can use the newly created ISO image, which the next command expects under **''/var/lib/libvirt/boot/''**, it still needs an MD5 checksum implanted; the installer's media check relies on it. 
 +   # implantisomd5 /var/lib/libvirt/boot/CentOS-8-x86_64-1905-local.iso 
 + 
 +Now we can use our own ISO image. 
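As an added example (not code from the original page): the procedure above edits **''isolinux.cfg''** by hand and retypes the volume label on the ''mkisofs'' command line, which is exactly where the two can diverge. The functions below take the label and the kickstart path from single variables, patch the **''append''** line of the **''label linux''** entry in place, verify that every **''hd:LABEL=''** in the file matches, and wrap the ''mkisofs'' / ''implantisomd5'' step with a ''checkisomd5'' run afterwards. Assumed: the unpacked ISO tree and the output file are parameters of ''build_iso'', which needs ''mkisofs'' and the isomd5sum tools and is the only function that touches real media; the two check functions work on any file.

```shell
#!/bin/sh
# Added example, not code from the original page: keep the volume label and the
# kickstart path in single variables and apply them to isolinux.cfg, so the
# label in the boot entry and the one given to mkisofs cannot differ.
# Assumptions: label and paths default to the page's values; the unpacked ISO
# tree and the output file are parameters of build_iso, which needs mkisofs and
# the isomd5sum tools and is the only function that touches real media.

LABEL=${LABEL:-CentOS-8-BaseOS-x86_64}
KS_PATH=${KS_PATH:-/isolinux/ks.cfg}

# patch_isolinux_cfg FILE -> rewrites the append line of the "label linux"
# entry in place: kickstart location, stage2 location and the two parameters
# that give the interfaces their classic ethX names. Other entries are untouched
# and running it twice gives the same result.
patch_isolinux_cfg() {
    awk -v label="$LABEL" -v ks="$KS_PATH" '
        /^label[[:space:]]/ { in_linux = ($2 == "linux") }
        in_linux && /^[[:space:]]+append[[:space:]]/ {
            line = $0
            # drop any existing values of the parameters we are about to set
            gsub(/[[:space:]]+(inst\.ks|inst\.stage2|net\.ifnames|biosdevname)=[^[:space:]]*/, "", line)
            line = line " inst.ks=hd:LABEL=" label ":" ks
            line = line " inst.stage2=hd:LABEL=" label " net.ifnames=0 biosdevname=0"
            print line; next
        }
        { print }
    ' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# check_label FILE -> 0 when the file contains at least one hd:LABEL= and all of
# them equal $LABEL (the value later passed to mkisofs -V); 1 otherwise
check_label() {
    awk -v label="$LABEL" '
        { while (match($0, /hd:LABEL=[^ :]+/)) {
              found++
              if (substr($0, RSTART + 9, RLENGTH - 9) != label) bad++
              $0 = substr($0, RSTART + RLENGTH)
          } }
        END { exit (found == 0 || bad > 0) }
    ' "$1"
}

# build_iso TREE OUTFILE -> repack TREE bootable with volume label $LABEL,
# implant the checksum and verify it (needs mkisofs and isomd5sum; not run
# by the check functions above)
build_iso() {
    check_label "$1/isolinux/isolinux.cfg" || { echo "label mismatch in isolinux.cfg" >&2; return 1; }
    ( cd "$1" && mkisofs -o "$2" -b isolinux/isolinux.bin -c isolinux/boot.cat \
        -no-emul-boot -boot-load-size 4 -boot-info-table -J -R -V "$LABEL" . ) \
    && implantisomd5 "$2" && checkisomd5 "$2"
}
```

With the tree unpacked under ''/mnt/iso'' as on this page, ''patch_isolinux_cfg /mnt/iso/isolinux/isolinux.cfg'' followed by ''build_iso /mnt/iso /var/lib/libvirt/boot/CentOS-8-x86_64-1905-local.iso'' replaces the manual edit, the ''mkisofs'' call and the ''implantisomd5'' call, and refuses to build if the label in the boot entry does not match.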
 + 
 +{{ :centos:pxe_c8:kickstart-iso-8-1.png?nolink&800 |Image: screenshot of the installation configuration}} 
 + 
 +<WRAP center round tip 80%> 
 + 
 +Once we have completed the disk configuration, we can start the installation by clicking the **[  Begin Installation  ]** button. 
 +</WRAP> 
 + 
 +{{ :centos:pxe_c8:kickstart-iso-8-2.png?nolink&800 |Image: screenshot of the installation configuration}} 
 + 
 +We can also see that the root password as well as our admin account have already been set. 
 + 
 +{{ :centos:pxe_c8:kickstart-iso-8-3.png?nolink&800 |Image: screenshot of the installation configuration}} 
 + 
 +Shortly before the end, i.e. the reboot of our new **CentOS 8** system, we also get the notice that our post-install instructions are being executed. 
 + 
 +{{ :centos:pxe_c8:kickstart-iso-8-5.png?nolink&800 |Image: screenshot of the installation configuration}} 
 + 
 +Afterwards the system is prepared according to our wishes and we can log in. 
 + 
 +{{ :centos:pxe_c8:kickstart-iso-8-6.png?nolink&400 |Image: screenshot of the CentOS 8 login screen}} 
 + 
 +We can now also connect directly to our host via **''ssh''**. Before answering **yes** to the host key prompt below, compare the fingerprint shown with the one of the freshly installed host (for example on its console); otherwise we are trusting whatever answers at 10.0.0.250. 
 +   $ ssh 10.0.0.250 
 + 
 +<code>The authenticity of host '10.0.0.250 (10.0.0.250)' can't be established. 
 +ED25519 key fingerprint is SHA256:1iT2VKq949WlZrCZ6wQjJggbxKRzEX6F9P+XGkrGx0M. 
 +Are you sure you want to continue connecting (yes/no)? yes 
 +Warning: Permanently added '10.0.0.250' (ED25519) to the list of known hosts. 
 +############################################################################## 
 +#                                                                            # 
 +#                       This is a private home server.                       # 
 +#                                                                            # 
 +#             Unauthorized access to this system is prohibited !             # 
 +#                                                                            # 
 +#    This system is actively monitored and all connections may be logged.    # 
 +#         By accessing this system, you consent to this monitoring.          # 
 +#                                                                            # 
 +############################################################################## 
 +############################################################################## 
 +#                                                                            # 
 +#                 This is the home server of Michael Nausch.                 # 
 +#                                                                            # 
 +#                            vml000250.nausch.org                            # 
 +#                                                                            # 
 +#             Unauthorized access to this system is prohibited !             # 
 +#                                                                            # 
 +#    This system is actively monitored and all connections may be logged.    # 
 +#         By accessing this system, you consent to this monitoring.          # 
 +#                                                                            # 
 +############################################################################## 
 +Last login: Sun Jun 14 22:06:00 2020 from 10.0.0.27</code> 
 + 
 +The network interface has received the desired name. 
 +   # ip a 
 + 
 +<code>1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000 
 +    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 
 +    inet 127.0.0.1/8 scope host lo 
 +       valid_lft forever preferred_lft forever 
 +    inet6 ::1/128 scope host  
 +       valid_lft forever preferred_lft forever 
 +2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000 
 +    link/ether 52:54:00:2a:20:c9 brd ff:ff:ff:ff:ff:ff 
 +    inet 10.0.0.250/24 brd 10.0.0.255 scope global noprefixroute eth0 
 +       valid_lft forever preferred_lft forever 
 +    inet6 fe80::5054:ff:fe2a:20c9/64 scope link noprefixroute  
 +       valid_lft forever preferred_lft forever</code> 
 + 
 +The system is also equipped with the latest packages. 
 +   # dnf update 
 + 
 +<code>Last metadata expiration check: 0:58:52 ago on Sun 14 Jun 2020 10:17:48 PM CEST. 
 +Dependencies resolved. 
 +Nothing to do. 
 +Complete!</code>
  
 +====== Links ======
 +  * **[[centos:pxe_c8:start|Back to the chapter >>Setting up a PXE boot server on CentOS 8.x<<]]**
 +  * **[[wiki:start|Back to projects and topic chapters]]**
 +  * **[[http://dokuwiki.nausch.org/doku.php/|Back to the start page]]**
  
  • centos/pxe_c8/pxe_2.1591911658.txt.gz
 • Last modified: 11.06.2020 21:40.
 • by django