Unterschiede

Hier werden die Unterschiede zwischen zwei Versionen angezeigt.

--- centos:pxe_c8:pxe_2 [12.06.2020 14:36. ] – [Bsp. 2: erste Teilautomation] django
+++ centos:pxe_c8:pxe_2 [04.07.2020 15:32. ] (aktuell) – [Links] django
@@ Zeile 40: / Zeile 40: @@
 <WRAP center round important 90%>
-Ferner ist zu beachten, dass viele sehr individuelle Konfigurationswünsche, wie z.B. LVM-Konfigurationen bzw, aufwändige Partitionierungen meist nur manuell in einer Kickstart-Datei konfiguriert werden können! Nich alles lässt sich mittels automatisierter GUIs abbilden!
+Ferner ist zu beachten, dass viele sehr individuelle Konfigurationswünsche, wie z.B. LVM-Konfigurationen bzw, aufwändige Partitionierungen meist nur manuell in einer Kickstart-Datei konfiguriert werden können! Nicht alles lässt sich mittels automatisierter GUIs abbilden!
 </WRAP>
@@ Zeile 265: / Zeile 265: @@
 ==== Bsp. 3: erweiterte Automatisierung der Installation ====
-In aller Regel werden wir eine Gruppe von intsllierten Hosts immer nach dem gleichen Grundschema aufbauen, konfigurieren und auch härten wollen. Was liegt also näher, als diese Aufgaben zu standardisieren und automatisch abarbeiten zu lassen.
+In aller Regel werden wir eine Gruppe von zu installierenden Hosts immer nach dem gleichen Grundschema aufbauen, konfigurieren und auch härten wollen. Was liegt also näher, als diese Aufgaben zu standardisieren und automatisch abarbeiten zu lassen.
-Neben der Grundinstallation eines CentOS 7 Hosts werden wir nun noch folgende Dinge setzen lassen:
+Neben der Grundinstallation eines CentOS 8 Hosts werden wir nun noch folgende Dinge setzen lassen:
-  - **IP-Adresse und Hostname** Durch Angabe des Hostnamens wollen wir diesen setzen und auch die zugehörige IP-Adresse gleich setzen lassen. Der Hostname wir so z.B. auch bei der Definition der VolumeGroup eines LVMs verwendet.
+  - **IP-Adresse und Hostname** Durch Angabe des Hostnamens beim Booten des Installationsimages wollen wir diesen setzen und auch die zugehörige IP-Adresse übernehmen lassen. (Der Hostname wir so z.B. auch bei der Definition der VolumeGroup eines LVMs verwendet.)
-  - **Bootloader** Da wir beim Booten der Maschine detailierte Informationen sehen wollen werden wir die Option **rhgb** in der GRUB-Definition entfernen.
+  - **[[centos:rename_nic_c8#grub_bootloader|Bootloader]]** Da wir beim Booten der Maschine detailierte Informationen sehen wollen werden wir die Option **rhgb** in der GRUB-Definition entfernen.
-  - **MOTD und ISSUE.NET** individualisieren inkl. Hostnamen
+  - **[[centos:logins_individuell_anpassen|MOTD und ISSUE.NET]]** individualisieren inkl. Hostnamen
-  - **Repositories** Statt der öffentlichen, sollen nur noch die lokal gesyncten Repositories verwendet werden; daher macht es auch keinen Sinn das plugin **fastest-mirror** aktiviert zu lassen. Zusätzlich zum Standard soll auch noch das Repository **EPEL** und **MAILSERVER.GURU** eingebunden und genutzt werden.
+  - **[[centos:ssh_c7#ssh-daemon|SSH-Daemon]]** Den SSH Daemon härten wir und passen die Konfigurationsdatei entsprechend an.
-  - **Changlogs und YUM** Für spätere Updates aktivieren wir die Anzeige der Changeloginformationen standardmässig aktiviert.
+  - **[[centos:ssh_c7#zielverzeichnis_anlegen_und_oeffentlichen_schluessel_kopieren|SSH-Publickey]]** Für unseren Admin-Account **django** hinterlegen wir den zugehörigen öffentlichen SSH-Schlüssel.
-  - **SSH-Daemon** Den SSH Daemon härten wir und passen die Konfigurationsdatei entsprechend an.
+  - **[[wiki:start#repos|Repositories]]** Statt der öffentlichen, sollen nur noch die lokal gesyncten Repositories verwendet werden; daher macht es auch keinen Sinn die Einträge **''mirrorlist=''** in den entsprechenden repo-filers stehen zu lassen. Zusätzlich zum Standard soll auch noch das Repository **[[centos:epel8|EPEL]]** eingebunden und genutzt werden.
-  - **SSH-Publickey** Für unseren Adminaccount **django** hinterlegen wir den zugehörigen öffentlichen SSH-Schlüssel.
+  - **Update** Zum Schluss stellen wir noch sicher dass alle installierten Pakete in der aktuellsten Version vorliegen und lassen dann das System neu starten.
-  - **DNS-Suche** Bei der Suche im DNS passen wir die Suchliste unseren Bedürfnissen an.
-  - **Postfix** Den MTA Postfix statten wir mit einer Grundkonfiguration entsprechend unserer Schutzzone aus.
-  - **chronyd-Zeitserver** Zur Nutzung unseres Zeitservers im Netz definieren wir die passende Konfigurationsdatei.
-Hierzu erweitern wir die zuvor angelegte Kickstartdatei //**/srv/kickstart/ks_centos_7_x86_64_dmz.cfg**//.
+Hierzu erweitern wir die zuvor angelegte Kickstartdatei //**/srv/kickstart/ks_centos_8_x86_64_dmz.cfg**//.
-   # vim /srv/kickstart/ks_centos_7_x86_64_dmz.cfg
+   # vim /srv/kickstart/ks_centos_8_x86_64_dmz.cfg
-<file bash /srv/kickstart/ks_centos_7_x86_64_dmz.cfg># Django 2014-07-13 Kickstart-Datei zum automatischen Betanken von DMZ-Maschinen (64 Bit)
+<file bash /srv/kickstart/ks_centos_8_x86_64_dmz.cfg># Django 2020-06-12 Kickstart-Datei zum automatischen Betanken von DMZ-Maschinen (64 Bit)
-# Version=CentOS 7
+# Version=CentOS 8 (RHEL 8)
 # Tastaturlayout definieren
-keyboard --vckeymap=de --xlayouts='de (nodeadkeys)'
+keyboard --vckeymap=de-nodeadkeys --xlayouts='de (nodeadkeys)'
 # Systemsprache setzen
 lang en_US.UTF-8
-# Definition der Netzwerkeinstellungen
+# Definition der Netzwerkeinstellungeni - setzen der Netzwerk-Adresse und Hostname
-# Network information
+# die aus dem Preinstall-Script beim PXE-Boot übernommen wurden.
-network  --bootproto=static --device=eth0 --gateway=10.0.0.17 --ip=10.0.0.254 --nameserver=10.0.0.27 --netmask=255.255.255.0 --ipv6=auto --activate
+%include /tmp/networks.cfg
-network  --hostname=vml000254.dmz.nausch.org
 # Zeitzone setzen
-timezone Europe/Berlin --isUtc --ntpservers=time.dmz.nausch.org
+timezone Europe/Berlin --isUtc --ntpservers=vml000027.dmz.nausch.org
+services --enabled="chronyd"
 # Netzwerkinstallation aus dem eigenen Repository mit den aktuellen Paketen
-repo --name=installupdates --baseurl=http://10.0.0.57/centos/7/updates/x86_64/
+url --url="http://10.0.0.57/centos/8/BaseOS/x86_64/os/"
+repo --name="AppStream" --baseurl=http://10.0.0.57/centos/8/BaseOS/x86_64/os/../../../AppStream/x86_64/os/
-# Authentifizierungsoptionen für das System definieren
-auth --enableshadow --passalgo=sha512
 # Root-Passwort verschlüsselt vorgeben
-rootpw --iscrypted $6$PZhVKqBb7vE5NgOq$fuqZ6zwDjbK214BUqjEIjxBuR$cH1cK$1nD2V0lLD3PpmfKIlK14b71RsTmkRLqTmxZyr0YmCrl8sgkgIuj7N3B1TG67/6a0
+rootpw --iscrypted $6$Z46HtZ/aLHbA19p$WVsutOEqe0m0e97lgEreKUzfkAEFzFSR0Hj8RFN8MHqWjPqk7PkJeQ9mIcTGtdutFnFVdFzFSR0KhrdGwUdAn01
 # Default-Benutzerkonto anlegen
-user --name=django --password=$6$34os/lDDY2cAEfyW$fqDj4n90d3r40m1nM1703nd1Ck3n313rna7plCieqgeYCWONkaKgYnQKm5iDe7gD4X1/3WtCq89/JZIUyiOv/ --iscrypted
+user --name=django --password=$6$2.fGKBeQa18GE6XwDMXG6$QX/j.TfZXk0bBuoJ8GE6XMXRZYz/4pEE6PuwkubaDmteRAAerLVKK69EF30d1K/f1d/sUEqbF9FJBulc/ --iscrypted --gecos="Bastard Operator from Hell"
 # vorhandene Partitionen löschen
-clearpart --all --initlabel --drives=vda
+ignoredisk --only-use=vda
+clearpart --all --initlabel --drives=vda
+# autopart --type=lvm
-# Konfiguration des System Bootloaders
+# GUI für Installation verwenden
-bootloader --location=mbr --boot-drive=vda
+graphical
-# SELinux permissive Modus aktivieren
+# Kein X Window System konfigurieren, da dieses nicht installiert wird
-selinux --permissive
+skipx
-# Disable kdump
-services --disabled=bluetooth,kdump
 # Reboot nach der Installation ausführen
@@ Zeile 328: / Zeile 322: @@
 # Paketauswahl definieren (Minimalinstallation mit zusätzlichen Paketen
 %packages
-@core
+@^minimal-environment
-#-selinux-policy*
 -iwl*firmware
 vim
-mc
+bash-completion
 bind-utils
 wget
 telnet
-yum-priorities
-acpid
 net-tools
-yum-plugin-changelog
 lsof
+%end
+%addon com_redhat_kdump --disable --reserve-mb='auto'
 %end
+%anaconda
+pwpolicy root --minlen=6 --minquality=1 --notstrict --nochanges --notempty
+pwpolicy user --minlen=6 --minquality=1 --notstrict --nochanges --emptyok
+pwpolicy luks --minlen=6 --minquality=1 --notstrict --nochanges --notempty
+%end
+#%end
 %addon com_redhat_kdump --disable --reserve-mb='auto'
 %end
 # Preinstall-Anweisungen Netzwerk-Adresse und Hostname ermitteln und setzen
 %pre
 #!/bin/bash
 echo "network --device eth0 --bootproto dhcp --hostname vml000XXX.dmz.nausch.org" > /tmp/network.ks
@@ Zeile 355: / Zeile 357: @@
         NULL=${SERVERNAME:6:1}
         if [ "$SERVERNAME" == "" ]; then
-	    echo "network --device eth0 --bootproto=static --onboot=on --ip 10.0.0.250 --netmask 255.255.255.0 --gateway 10.0.0.17 --nameserver 10.0.0.20 --noipv6 --hostname vml000250.dmz.nausch.org" > /tmp/networks.cfg
+            echo "network  --bootproto=static --device=eth0 --gateway=10.0.0.17 --ip 10.0.0.250 --nameserver=10.0.0.27 --netmask 255.255.255.0 --ipv6=auto --activate --hostname vml000250.dmz.nausch.org" > /tmp/networks.cfg
         else
             if [ "$NULL" == "0" ]; then
@@ Zeile 362: / Zeile 364: @@
                 OCTET=${SERVERNAME:6:3}
             fi
-            #IP="10.0.0."${OCTET}
+            echo "network  --bootproto=static --device=eth0 --gateway=10.0.0.17 --ip 10.0.0.${OCTET} --nameserver=10.0.0.27 --netmask 255.255.255.0 --ipv6=auto --activate --hostname ${SERVERNAME}.dmz.nausch.org" > /tmp/networks.cfg
-	    echo "network --device eth0 --bootproto=static --onboot=on --ip 10.0.0.${OCTET} --netmask 255.255.255.0 --gateway 10.0.0.17 --nameserver 10.0.0.20 --noipv6 --hostname ${SERVERNAME}.dmz.nausch.org" > /tmp/networks.cfg
         fi
         ;;
@@ Zeile 384: / Zeile 385: @@
 ######################## MOTD und ISSUE.NET individualisieren ###################
-        # /etc/issue.net anlegen
+# /etc/issue.net anlegen
 cat <<ISSUE.NET > /etc/issue.net
 ##############################################################################
@@ Zeile 397: / Zeile 398: @@
 ##############################################################################
 ISSUE.NET
-        chown root:root /etc/issue.net
-        chmod 644 /etc/issue.net
+chown root:root /etc/issue.net
-        # /etc/motd anlegen
+chmod 644 /etc/issue.net
+# /etc/motd anlegen
 cat <<MOTD > /etc/motd
 ##############################################################################
@@ Zeile 405: / Zeile 408: @@
 #                 This is the home server of Michael Nausch.                 #
 #                                                                            #
-#                        $SERVERNAME.dmz.nausch.org                            #
+#                            $SERVERNAME.nausch.org                            #
 #                                                                            #
 #             Unauthorized access to this system is prohibited !             #
@@ Zeile 414: / Zeile 417: @@
 ##############################################################################
 MOTD
 chown root:root /etc/motd
 chmod 644 /etc/motd
 #################################################################################
-#################### lokales gespiegeltes Repository benutzen ###################
+########################### ssh-daemon konfigurieren ############################
-rm -f /etc/yum.repos.d/CentOS-Base.repo
+cp -a /etc/ssh/sshd_config /etc/ssh/sshd_config.orig
-cat <<REPOSITORY > /etc/yum.repos.d/CentOS-Base.repo
+cat <<SSHD_CONFIG > /etc/ssh/sshd_config
-# CentOS-LOCAL.repo
+#	$OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $
+# This is the sshd server system-wide configuration file.  See
+# sshd_config(5) for more information.
+# This sshd was compiled with PATH=/usr/local/bin:/usr/bin:/usr/local/sbin:/usr/sbin
+# The strategy used for options in the default sshd_config shipped with
+# OpenSSH is to specify options with their default value where
+# possible, but leave them commented.  Uncommented options override the
+# default value.
+# If you want to change the port on a SELinux system, you have to tell
+# SELinux about this change.
+# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER
+#
+# Specifies which address family should be used by sshd(8). Valid arguments
+# are ''any'', ''inet'' (use IPv4 only), or ''inet6'' (use IPv6 only).
+#AddressFamily any
+# Specifies the local addresses sshd(8) should listen on. The following
+# forms may be used:
+#                   ListenAddress host|IPv4_addr|IPv6_addr
+#                   ListenAddress host|IPv4_addr:port
+#                   ListenAddress [host|IPv6_addr]:port
+# If port is not specified, sshd will listen on the address and all prior
+# Port options specified. The default is to listen on all local addresses.
+# Multiple ListenAddress options are permitted. Additionally, any Port
+# options must precede this option for non-port qualified addresses.
+#Port 22
+#ListenAddress 0.0.0.0
+#ListenAddress ::
+# Specifies a file containing a private host key used by SSH. The default
+# is /etc/ssh/ssh_host_key for protocol version 1, and
+# /etc/ssh/ssh_host_rsa_key and /etc/ssh/ssh_host_dsa_key for protocol
+# version 2. Note that sshd(8) will refuse to use a file if it is
+# group/world-accessible. It is possible to have multiple host key files.
+# ''rsa1'' keys are used for version 1 and ''dsa'' or ''rsa'' are used for
+# version 2 of the SSH protocol.
+HostKey /etc/ssh/ssh_host_ed25519_key
+# Specifies the ciphers allowed for protocol version 2. Multiple ciphers
+# must be comma-separated. The supported ciphers are ''3des-cbc'',
+# ''aes128-cbc'', ''aes192-cbc'', ''aes256-cbc'', ''aes128-ctr'',
+# ''aes192-ctr'', ''aes256-ctr'', ''arcfour128'', ''arcfour256'',
+# ''arcfour'', ''blowfish-cbc'', and ''cast128-cbc''.
+Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
+# MACs' Specifies the available MAC (message authentication code)
+# algorithms. The MAC algorithm is used in protocol version 2 for data
+# integrity protection. Multiple algorithms must be comma-separated.
+MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256
+# Specifies the available KEX (Key Exchange) algorithms. Multiple
+# algorithms must be comma-separated. For ineroperability with Eclipse
+# and WinSCP):
+# KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
+# If needed, open /etc/ssh/moduli if exists, and delete lines where the
+# 5th column is less than 2000.
+#   awk '$5 > 2000' /etc/ssh/moduli > "${HOME}/moduli"
+#   wc -l "${HOME}/moduli"
+# make sure there is something left
+#   mv "${HOME}/moduli" /etc/ssh/moduli
+#
+KexAlgorithms curve25519-sha256@libssh.org
+# Ciphers and keying
+#RekeyLimit default none
+# System-wide Crypto policy:
+# This system is following system-wide crypto policy. The changes to
+# Ciphers, MACs, KexAlgoritms and GSSAPIKexAlgorithsm will not have any
+# effect here. They will be overridden by command-line options passed on
+# the server start up.
+# To opt out, uncomment a line with redefinition of  CRYPTO_POLICY=
+# variable in  /etc/sysconfig/sshd  to overwrite the policy.
+# For more information, see manual page for update-crypto-policies(8).
+# Logging
+# Gives the facility code that is used when logging messages from sshd(8).
+# The possible values are: DAEMON, USER, AUTH, AUTHPRIV, LOCAL0, LOCAL1,
+# LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.
+SyslogFacility AUTHPRIV
+# Gives the verbosity level that is used when logging messages from sshd(8).
+# The possible values are: QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG,
+# DEBUG1, DEBUG2, and DEBUG3. The default is INFO. DEBUG and DEBUG1 are
+# equivalent. DEBUG2 and DEBUG3 each specify higher levels of debugging
+# output. Logging with a DEBUG level violates the privacy of users and is
+# not recommended.
+# LogLevel VERBOSE logs user's key fingerprint on login. Needed to have a
+# clear audit track of which key was using to log in.
+LogLevel VERBOSE
+# Authentication:
+# The server disconnects after this time if the user has not successfully
+# logged in. If the value is 0, there is no time limit.
+LoginGraceTime 0
+# Specifies whether root can log in using ssh(1). The argument must be
+# ''yes'', ''without-password'', ''forced-commands-only'', or ''no''.
+# The default is ''yes''. If this option is set to ''without-password'',
+# password authentication is disabled for root. If this option is set to
+# ''forced-commands-only'', root login with public key authentication will
+# be allowed, but only if the command option has been specified (which
+# may be useful for taking remote backups even if root login is normally
+# not allowed). All other authentication methods are disabled for root.
+# If this option is set to ''no'', root is not allowed to log in.
+PermitRootLogin no
+# This keyword can be followed by a list of user name patterns, separated
+# by spaces. If specified, login is allowed only for user names that match
+# one of the patterns. Only user names are valid; a numerical user ID is
+# not recognized. By default, login is allowed for all users. If the pattern
+# takes the form USER@HOST then USER and HOST are separately checked,
+# restricting logins to particular users from particular hosts. The
+# allow/deny directives are processed in the following order:
+# DenyUsers, AllowUsers, DenyGroups, and finally AllowGroups.
+AllowUsers django
+# Specifies whether sshd(8) should check file modes and ownership of the
+# user's files and home directory before accepting login. This is normally
+# desirable because novices sometimes accidentally leave their directory
+# or files world-writable.
+StrictModes yes
+# Specifies the maximum number of authentication attempts permitted per
+# connection. Once the number of failures reaches half this value,
+# additional failures are logged.
+MaxAuthTries 10
+# Specifies the maximum number of open sessions permitted per network
+# connection.
+MaxSessions 10
+# Specifies the file that contains the public keys that can be used for
+# user authentication. AuthorizedKeysFile may contain tokens of the form
+# %T which are substituted during connection setup. The following tokens
+# are defined: %% is replaced by a literal '%', %h is replaced by the
+# home directory of the user being authenticated, and %u is replaced by
+# the username of that user. After expansion, AuthorizedKeysFile is
+# taken to be an absolute path or one relative to the user's home directory.
+AuthorizedKeysFile      .ssh/authorized_keys
+# Specifies whether public key authentication is allowed. The default is
+# ''yes''. Note that this option applies to protocol version 2 only.
+PubkeyAuthentication yes
+#AuthorizedPrincipalsFile none
+#AuthorizedKeysCommand none
+#AuthorizedKeysCommandUser nobody
+# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
+#HostbasedAuthentication no
+# Change to yes if you don't trust ~/.ssh/known_hosts for
+# HostbasedAuthentication
+#IgnoreUserKnownHosts no
+# Don't read the user's ~/.rhosts and ~/.shosts files
+#IgnoreRhosts yes
+# To disable tunneled clear text passwords, change to no here!
+#PasswordAuthentication yes
+#PermitEmptyPasswords no
+# Specifies whether password authentication is allowed. To disable tunneled
+# clear text passwords, change to no here!
+PasswordAuthentication no
+# Specifies whether challenge-response authentication is allowed
+# (e.g. via PAM or though authentication styles supported in login.conf(5))
+# Change to no to disable s/key passwords
+ChallengeResponseAuthentication no
+# Kerberos options
+#KerberosAuthentication no
+#KerberosOrLocalPasswd yes
+#KerberosTicketCleanup yes
+#KerberosGetAFSToken no
+#KerberosUseKuserok yes
+# Specifies whether user authentication based on GSSAPI is allowed.
+GSSAPIAuthentication yes
+# Specifies whether key exchange based on GSSAPI is allowed. GSSAPI key
+# exchange doesn't rely on ssh keys to verify host identity.
+#GSSAPIKeyExchange no
+# Specifies whether to automatically destroy the user's credentials cache
+# on logout.
+GSSAPICleanupCredentials no
+# Determines whether to be strict about the identity of the GSSAPI acceptor
+# a client authenticates against. If ''yes'' then the client must authenticate
+# against the host service on the current hostname. If ''no'' then the client
+# may authenticate against any service key stored in the machine's default
+# store. This facility is provided to assist with operation on multi homed
+# machines. The default is ''yes''. Note that this option applies only to
+# protocol version 2 GSSAPI connections, and setting it to ''no'' may only
+# work with recent Kerberos GSSAPI libraries.
+#GSSAPIStrictAcceptorCheck yes
+#GSSAPIEnablek5users no
+# Set this to 'yes' to enable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
+# be allowed through the ChallengeResponseAuthentication and
+# PasswordAuthentication.  Depending on your PAM configuration,
+# PAM authentication via ChallengeResponseAuthentication may bypass
+# the setting of "PermitRootLogin without-password".
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and ChallengeResponseAuthentication to 'no'.
+# WARNING: 'UsePAM no' is not supported in Fedora and may cause several
+# problems.
+UsePAM yes
+# Specifies whether X11 forwarding is permitted. The argument must be
+# ''yes'' or ''no''. The default is ''no''.
+# When X11 forwarding is enabled, there may be additional exposure to the
+# server and to client displays if the sshd(8) proxy display is configured
+# to listen on the wildcard address (see X11UseLocalhost below), though this
+# is not the default. Additionally, the authentication spoofing and
+# authentication data verification and substitution occur on the client side.
+# The security risk of using X11 forwarding is that the client's X11 display
+# server may be exposed to attack when the SSH client requests forwarding
+# (see the warnings for ForwardX11 in ssh_config(5)). A system administrator
+# may have a stance in which they want to protect clients that may expose
+# themselves to attack by unwittingly requesting X11 forwarding, which can
+# warrant a ''no'' setting. Note that disabling X11 forwarding does not
+# prevent users from forwarding X11 traffic, as users can always install
+# their own forwarders. X11 forwarding is automatically disabled if UseLogin
+# is enabled.
+X11Forwarding yes
+# Specifies the first display number available for sshd(8)'s X11 forwarding.
+# This prevents sshd from interfering with real X11 servers.
+# The default is 10.
+#X11DisplayOffset 10
+# Specifies whether sshd(8) should bind the X11 forwarding server to the
+# loopback address or to the wildcard address. By default, sshd binds the
+# forwarding server to the loopback address and sets the hostname part of
+# the DISPLAY environment variable to ''localhost''. This prevents remote
+# hosts from connecting to the proxy display. However, some older X11 clients
+# may not function with this configuration. X11UseLocalhost may be set to
+# ''no'' to specify that the forwarding server should be bound to the
+# wildcard address. The argument must be ''yes'' or ''no''. The default is
+# ''yes''.
+#X11UseLocalhost yes
+# Specifies whether ssh-agent(1) forwarding is permitted. The default is
+# ''yes''. Note that disabling agent forwarding does not improve security
+# unless users are also denied shell access, as they can always install
+# their own forwarders.
+#AllowAgentForwarding yes
+# Specifies whether TCP forwarding is permitted. The default is ''yes''.
+# Note that disabling TCP forwarding does not improve security unless users
+# are also denied shell access, as they can always install their own
+# forwarders.
+#AllowTcpForwarding yes
+# Specifies whether remote hosts are allowed to connect to ports forwarded
+# for the client. By default, sshd(8) binds remote port forwardings to the
+# loopback address. This prevents other remote hosts from connecting to
+# forwarded ports. GatewayPorts can be used to specify that sshd should
+# allow remote port forwardings to bind to non-loopback addresses, thus
+# allowing other hosts to connect. The argument may be ''no'' to force
+# remote port forwardings to be available to the local host only, ''yes''
+# to force remote port forwardings to bind to the wildcard address, or
+# ''clientspecified'' to allow the client to select the address to which
+# the forwarding is bound. The default is ''no''.
+#GatewayPorts no
+#PermitTTY yes
+# It is recommended to use pam_motd in /etc/pam.d/sshd instead of PrintMotd,
+# as it is more configurable and versatile than the built-in version.
+PrintMotd no
+#PrintLastLog yes
+#TCPKeepAlive yes
+#PermitUserEnvironment no
+#Compression delayed
+#ClientAliveInterval 0
+#ClientAliveCountMax 3
+#ShowPatchLevel no
+#UseDNS no
+#PidFile /var/run/sshd.pid
+#MaxStartups 10:30:100
+#PermitTunnel no
+#ChrootDirectory none
+#VersionAddendum none
+# The contents of the specified file are sent to the remote user before
+# authentication is allowed.
+Banner /etc/issue.net
+# Accept locale-related environment variables
+AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
+AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
+AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
+AcceptEnv XMODIFIERS
+# Configures an external subsystem (e.g. file transfer daemon). Arguments
+# should be a subsystem name and a command (with optional arguments) to
+# execute upon subsystem request. Log sftp level file access
+# (read/write/etc.) that would not be easily logged otherwise.
+Subsystem	sftp	/usr/libexec/openssh/sftp-server
+# Example of overriding settings on a per-user basis
+#Match User anoncvs
+#	X11Forwarding no
+#	AllowTcpForwarding no
+#	PermitTTY no
+#	ForceCommand cvs server
+SSHD_CONFIG
+chown root:root /etc/ssh/sshd_config
+chmod 600 /etc/ssh/sshd_config
+#################################################################################
+####################### Django's ssh-pubkey hinterlegen #########################
+mkdir /home/django/.ssh
+chmod 700 /home/django/.ssh
+chown django:django /home/django/.ssh
+cat <<AUTHORIZED_KEYS >/home/django/.ssh/authorized_keys
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AA/F1CKDicH1n5Kn13+YjpbHqHOkhsMagrrD5dIbkU6ddoBSp django@nausch.org
+AUTHORIZED_KEYS
+chmod 644 /home/django/.ssh/authorized_keys
+chown django:django /home/django/.ssh/authorized_keys
+#################################################################################
+############### lokales gespiegeltes CentOS-Repository benutzen #################
+cp -a /etc/yum.repos.d/CentOS-AppStream.repo /etc/yum.repos.d/CentOS-AppStream.repo.orig
+cat <<CENTOS-APPSTREAM > /etc/yum.repos.d/epel-modular.repo
+# CentOS-AppStream.repo
 #
-# This file uses a new mirrorlist system developed by Lance Davis for CentOS.
 # The mirror system uses the connecting IP address of the client and the
 # update status of each mirror to pick mirrors that are updated to and
@@ Zeile 429: / Zeile 769: @@
 # unless you are manually picking other mirrors.
 #
 # If the mirrorlist= does not work for you, as a fall back you can try the
 # remarked out baseurl= line instead.
 #
-# Version für den Zugriff auf das lokale Centos-Repository
+#
-[base-LC]
+[AppStream]
-name=CentOS-7 - Base
+name=CentOS-\$releasever - AppStream
-baseurl=http://repository.nausch.org/centos/\$releasever/os/\$basearch/
+baseurl=http://10.0.0.57/centos/\$releasever/AppStream/\$basearch/os/
-priority=1
-exclude=dovecot*
 gpgcheck=1
-gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6
+enabled=1
+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial
+CENTOS-APPSTREAM
+chown root:root /etc/yum.repos.d/CentOS-AppStream.repo
+chmod 644 /etc/yum.repos.d/CentOS-AppStream.repo
-#released updates
+cp -a /etc/yum.repos.d/CentOS-Base.repo /etc/yum.repos.d/CentOS-Base.repo.orig
-[updates-LC]
+cat <<CENTOS-BASE > /etc/yum.repos.d/CentOS-Base.repo
-name=CentOS-7 - Updates
+# CentOS-Base.repo
-baseurl=http://repository.nausch.org/centos/\$releasever/updates/\$basearch/
+#
-priority=1
+# The mirror system uses the connecting IP address of the client and the
-exclude=dovecot*
+# update status of each mirror to pick mirrors that are updated to and
-gpgcheck=1
+# geographically close to the client.  You should use this for CentOS updates
-gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6
+# unless you are manually picking other mirrors.
+#
+# If the mirrorlist= does not work for you, as a fall back you can try the
+# remarked out baseurl= line instead.
+#
+#
-#additional packages that may be useful
+[BaseOS]
-[extras-LC]
+name=CentOS-\$releasever - Base
-name=CentOS-7 - Extras
+baseurl=http://10.0.0.57/centos/\$releasever/BaseOS/\$basearch/os/
-baseurl=http://repository.nausch.org/centos/\$releasever/extras/\$basearch/
-priority=1
 gpgcheck=1
-enabled = 1
+enabled=1
-gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6
+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial
+CENTOS-BASE
+chown root:root /etc/yum.repos.d/CentOS-AppStream.repo
+chmod 644 /etc/yum.repos.d/CentOS-AppStream.repo
-#additional packages that extend functionality of existing packages
+cp -a /etc/yum.repos.d/CentOS-Extras.repo /etc/yum.repos.d/CentOS-Extras.repo.orig
-[centosplus-LC]
+cat <<CENTOS-EXTRAS > /etc/yum.repos.d/CentOS-Extras.repo
-name=CentOS-7 - Plus
+# CentOS-Extras.repo
-baseurl=http://repository.nausch.org/centos/\$releasever/centosplus/\$basearch/
+#
-priority=2
+# The mirror system uses the connecting IP address of the client and the
+# update status of each mirror to pick mirrors that are updated to and
+# geographically close to the client.  You should use this for CentOS updates
+# unless you are manually picking other mirrors.
+#
+# If the mirrorlist= does not work for you, as a fall back you can try the
+# remarked out baseurl= line instead.
+#
+#
+#additional packages that may be useful
+[extras]
+name=CentOS-\$releasever - Extras
+baseurl=http://10.0.0.57/centos/\$releasever/extras/\$basearch/os/
 gpgcheck=1
 enabled=1
-gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6
+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial
-REPOSITORY
+CENTOS-EXTRAS
-chown root:root /etc/yum.repos.d/CentOS-Base.repo
+chown root:root /etc/yum.repos.d/CentOS-Extras.repo
-chmod 644 /etc/yum.repos.d/CentOS-Base.repo
+chmod 644 /etc/yum.repos.d/CentOS-Extras.repo
-rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
 #################################################################################
-################### eigenes Repository mailserver.guru benutzen #################
+###### EPEL installieren und lokales gespiegeltes EPEL-Repository benutzen ######
-cat <<MAILSERVER.GURU > /etc/yum.repos.d/mailserver.guru.repo
+dnf install epel-release -y
-[mailserver.guru-os]
+rpm --import https://dl.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-
-name=Extra (Mailserver-)Packages for Enterprise Linux 7 - $basearch
-baseurl=http://repo.mailserver.guru/7/os/\$basearch
+cp -a /etc/yum.repos.d/epel-modular.repo /etc/yum.repos.d/epel-modular.repo.orig
-priority=5
+cat <<EPEL-MODULAR > /etc/yum.repos.d/epel-modular.repo
+[epel-modular]
+name=Extra Packages for Enterprise Linux Modular \$releasever - \$basearch
+baseurl=http://10.0.0.57/epel/\$releasever/Modular/\$basearch
 enabled=1
 gpgcheck=1
-gpgkey=file:///etc/pki/rpm-gpg/MAILSERVER.GURU-RPM-GPG-KEY-CentOS-7
+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-8
+[epel-modular-debuginfo]
+name=Extra Packages for Enterprise Linux Modular \$releasever - \$basearch - Debug
+baseurl=http://10.0.0.57/epel/\$releasever/Modular/\$basearch/debug
+enabled=0
+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-8
+gpgcheck=1
-[mailserver.guru-testing]
+[epel-modular-source]
-name=Testing (Mailserver-)Packages for Enterprise Linux 7 - $basearch
+name=Extra Packages for Enterprise Linux Modular \$releasever - \$basearch - Source
-baseurl=http://repo.mailserver.guru/7/testing/\$basearch/
+baseurl=http://10.0.0.57/epel/\$releasever/Modular/\$basearch/SRPMS
-priority=5
 enabled=0
+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-8
 gpgcheck=1
-gpgkey=file:///etc/pki/rpm-gpg/MAILSERVER.GURU-RPM-GPG-KEY-CentOS-7
-MAILSERVER.GURU
-chown root:root /etc/yum.repos.d/mailserver.guru.repo
-chmod 644 /etc/yum.repos.d/mailserver.guru.repo
-rpm --import http://repo.mailserver.guru/7/MAILSERVER.GURU-RPM-GPG-KEY-CentOS-7
-#################################################################################
-########################### EPEL Repository einbinden ###########################
+EPEL-MODULAR
+chown root:root /etc/yum.repos.d/epel-modular.repo
+chmod 644 /etc/yum.repos.d/epel-modular.repo
+cp -a /etc/yum.repos.d/epel.repo /etc/yum.repos.d/epel.repo.orig
 cat <<EPEL > /etc/yum.repos.d/epel.repo
 [epel]
-name=Extra Packages for Enterprise Linux 7 - \$basearch
+name=Extra Packages for Enterprise Linux \$releasever - \$basearch
-baseurl=http://repository.nausch.org/epel/7/\$basearch
+baseurl=http://10.0.0.57/epel/\$releasever/Everything/\$basearch
-#mirrorlist=https://mirrors.fedoraproject.org/metalink?repo=epel-7&arch=\$basearch
-failovermethod=priority
 enabled=1
 gpgcheck=1
-priority = 10
+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-8
-gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7
 [epel-debuginfo]
-name=Extra Packages for Enterprise Linux 7 - \$basearch - Debug
+name=Extra Packages for Enterprise Linux \$releasever - \$basearch - Debug
-#baseurl=http://download.fedoraproject.org/pub/epel/7/\$basearch/debug
+baseurl=http://10.0.0.57/epel/\$releasever/Everything/\$basearch/debug
-mirrorlist=https://mirrors.fedoraproject.org/metalink?repo=epel-debug-7&arch=\$basearch
-failovermethod=priority
 enabled=0
-gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7
+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-8
 gpgcheck=1
 [epel-source]
-name=Extra Packages for Enterprise Linux 7 - \$basearch - Source
+name=Extra Packages for Enterprise Linux \$releasever - \$basearch - Source
-#baseurl=http://download.fedoraproject.org/pub/epel/7/\$basearch/SRPMS
+baseurl=http://10.0.0.57/epel/\$releasever/Everything/SRPMS
-mirrorlist=https://mirrors.fedoraproject.org/metalink?repo=epel-source-7&arch=\$basearch
-failovermethod=priority
 enabled=0
-gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7
+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-8
 gpgcheck=1
 EPEL
 chown root:root /etc/yum.repos.d/epel.repo
 chmod 644 /etc/yum.repos.d/epel.repo
-rpm --import https://dl.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-7
 #################################################################################
-####################  yum-changelog auf always-on stellen #######################
+############################ System Updaten #####################################
-rm -f /etc/yum/pluginconf.d/changelog.conf
+dnf update -y
-cat <<CHANGELOG >/etc/yum/pluginconf.d/changelog.conf
+#################################################################################
-[main]
+;;
-enabled=1
+esac;
+done
+%end
-# Set to 'pre' or 'post' to see changes before or after transaction
+</file>
-when=pre
-# Set to true, to always get the output (removes the cmd line arg)
+Damit nun beim Laden der Menüdatei bei PXE-Boot die überarbeitete Kickstart-Datei geladen werden kann, erweitern wir nun die Menü-Datei unseres PXE-Bootservers.
-# Django : $DATUM
-# default: always=false
+   # vim /var/lib/tftpboot/pxelinux.cfg/dmz-64
-always=true
+Dort tragen wir beim betreffenden **LABEL** die Optionen **''ks''**, **''net.ifnames''** und **''biosdevname''** sowie am Ende der Zeile **''SERVERNAME=''** ein.
-CHANGELOG
+<code>LABEL 3
-chown root:root /etc/yum/pluginconf.d/changelog.conf
+   MENU LABEL ^3) Installation von CentOS 8 (64 Bit)
-chmod 644 /etc/yum/pluginconf.d/changelog.conf
+   KERNEL images/centos/8/x86_64/vmlinuz
+   APPEND ks=http://10.0.0.57/kickstart/ks_centos_8_x86_64_dmz.cfg initrd=images/centos/8/x86_64/initrd.img ksdevice=eth0 ip=dhcp --hostname=vml000250.dmz.nausch.org method=http://10.0.0.57/centos/8/BaseOS/x86_64/os/ net.ifnames=0 biosdevname=0 SERVERNAME=
+</code>
+Anschliessend starten wir wie gewohnt unsere virtuelle Maschine.
+{{ :centos:pxe_c7:pxe-boot-menue-004.png?nolink&800 |Bild: Bildschirmhardcopy der Installationskonfiguration}}
+<WRAP center round tip 80%>
+Zum Setzen des Hostnamens wählen wir nun wie gewünscht den betreffenden Menüpunkt aus, drücken dann aber **__NICHT__** die **EINGABETASTE**, sondern die Taste **TAB**! Anschliessend geben wir den Hostnamen ein.
+</WRAP>
+{{ :centos:pxe_c8:pxe-boot-menue-087b.png?nolink&800 |Bild: Bildschirmhardcopy Auswahl PXE Bootmenü}}
+Am Ende des Installationsvorganges werden wir informiert, dass das postinstall-script, welches wir per PXE-Boot bzw. genauer gesagt mit dem Kickstartfile mitgegeben hatten, ausgeführt wird.
+{{ :centos:pxe_c8:pxe-boot-menue-087c.png?nolink&800 |Bild: Bildschirmhardcopy Anzeige "Ausführung postinstall script"}}
+Nach kurzer Wartezeit haben wir ein neues, vorkonfiguriertes und vor allem aktuelles System, bei dem wir uns direkt per **''ssh''** verbinden können.
+   $ ssh 10.0.0.50
+<code>The authenticity of host '10.0.0.50 (10.0.0.50)' can't be established.
+ED25519 key fingerprint is SHA256:JKV0iNvjQGMhkWIGEPC1hQH/vzpbeabl1g7s46yhMj6.
+Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
+Warning: Permanently added '10.0.0.50' (ED25519) to the list of known hosts.
+##############################################################################
+#                                                                            #
+#                       This is a private home server.                       #
+#                                                                            #
+#             Unauthorized access to this system is prohibited !             #
+#                                                                            #
+#    This system is actively monitored and all connections may be logged.    #
+#         By accessing this system, you consent to this monitoring.          #
+#                                                                            #
+##############################################################################
+##############################################################################
+#                                                                            #
+#                 This is the home server of Michael Nausch.                 #
+#                                                                            #
+#                            vml000050.nausch.org                            #
+#                                                                            #
+#             Unauthorized access to this system is prohibited !             #
+#                                                                            #
+#    This system is actively monitored and all connections may be logged.    #
+#         By accessing this system, you consent to this monitoring.          #
+#                                                                            #
+##############################################################################</code>
+Die Netzwerkschnittstelle hat entsprechend die gewünschte Bezeichnung erhalten.
+   # ip a
+<code>1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
+    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
+    inet 127.0.0.1/8 scope host lo
+       valid_lft forever preferred_lft forever
+    inet6 ::1/128 scope host
+       valid_lft forever preferred_lft forever
+: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
+    link/ether 52:54:00:74:80:c2 brd ff:ff:ff:ff:ff:ff
+    inet 10.0.0.50/24 brd 10.0.0.255 scope global noprefixroute eth0
+       valid_lft forever preferred_lft forever
+    inet6 fe80::5054:ff:fe74:80c2/64 scope link noprefixroute
+       valid_lft forever preferred_lft forever</code>
+Das System ist auch mit den aktuellesten Programmpaketen bestückt.
+   # dnf update
+<code>Last metadata expiration check: 0:12:20 ago on Sun 14 Jun 2020 01:49:52 PM CEST.
+Dependencies resolved.
+Nothing to do.
+Complete!</code>
+==== Bsp. 4: Kickstart für eigene Installationsimages/-ISOs ====
+Beim letzten Konfigurationsbeispiel gehen wir davon aus, dass wir unseren CentOS 8 Host nicht via PXE-Boot betanken können, sondern über den Umweg eines ISO-Files. Ntürlich wollen wir auch hier den Installations und anschließenden grundlegenden Erstkonfiguirationsaufwand möglichst gering halten.
+Wir werden also unsere Kickstart-Datei in das vorhandene ***[[http://isoredirect.centos.org/centos/8/isos/x86_64/CentOS-8.1.1911-x86_64-dvd1.iso|CentOS 8 Iso Image]]** packen.
+Zum Packen des iso-Images benötigen wir das Programm aus dem RPM-Paket **genisoimage**. Zum Validieren der Kickstart-Datei benötigen wir das Programm **''ksvalidator''** aus dem RPM-Paket **pykickstart**, zum Packen des iso-Images benötigen wir das Programm aus dem RPM-Paket **genisoimage** und letztendlich zum Hinzufügen der md5sum zum Iso Image das Programm **''implantisomd5''** aus dem RPM **isomd5sum**.
+Zunächst installieren wir, falls noch nicht im System vorhanden die drei RPM.
+   # dnf install genisoimage pykickstart isomd5sum -y
+Dann holen wir uns das ISO-Image auf unsere Admin-Workstation.
+   # wget http://isoredirect.centos.org/centos/8/isos/x86_64/CentOS-8.1.1911-x86_64-dvd1.iso
+Damit wir den Inhalt dieser ISO-Installations-DVD nach unseren Wünschen anpassen können werden wir diese Datei in unser Dateisystem einbinden. Den entsprechenden Pfad definieren wir uns nun noch.
+   # mkdir /mnt/iso
+Nun mounten wir das ISO-Image.
+   #  mount -o CentOS-8.1.1911-x86_64-dvd1.iso /mnt/iso
+Anschließend wechseln wir in das Verzeichnis **''/mnt/iso''**, also der gemountete ISO-Datei.
+Im Verzeichnis **isolinux** legen wir dann unser Kickstartfile **''ks.cfg''** ab.
+   # vim /mnt/iso/isolinux/ks.cfg
+<file bash /mnt/iso/isolinux.cfg># Django 2020-06-14 Kickstart-Datei zum automatischen Betanken von DMZ-Maschinen (64 Bit) aus einem iso-image
+# Version=CentOS 8 (RHEL 8)#version=RHEL8
+# Tastaturlayout definieren
+keyboard --vckeymap=de-nodeadkeys --xlayouts='de (nodeadkeys)'
+# Systemsprache setzen
+lang en_US.UTF-8
+# Definition der Netzwerkeinstellungen
+network  --bootproto=static --device=eth0 --gateway=10.0.0.17 --ip=10.0.0.250 --nameserver=10.0.0.27 --netmask=255.255.255.0 --ipv6=auto --activate
+network  --hostname=vml000250.dmz.nausch.org
+# Zeitzone setzen
+timezone Europe/Berlin --isUtc --ntpservers=time.dmz.nausch.org
+services --enabled="chronyd"
+# Installationsquelle setzen (eigenes ISO-Image)
+repo --name="AppStream" --baseurl=file:///run/install/repo/AppStream
+cdrom
+# Root-Passwort verschlüsselt vorgeben
+rootpw --iscrypted $6$Z46HtZ/aLHbA19p$WVsutOEqe0m0e97lgEreKUzfkAEFzFSR0Hj8RFN8MHqWjPqk7PkJeQ9mIcTGtdutFnFVdFzFSR0KhrdGwUdAn01
+# Default-Benutzerkonto anlegen
+user --name=django --password=$6$2.fGKBeQa18GE6XwDMXG6$QX/j.TfZXk0bBuoJ8GE6XMXRZYz/4pEE6PuwkubaDmteRAAerLVKK69EF30d1K/f1d/sUEqbF9FJBulc/ --iscrypted --gecos="Bastard Operator from Hell"
+# vorhandene Partitionen löschen
+#ignoredisk --only-use=sda
+clearpart --none --initlabel
+# autopart --type=lvm
+# GUI für Installation verwendengraphical
+graphical
+# Kein X Window System konfigurieren, da dieses nicht installiert wird
+skipx
+# Reboot nach der Installation ausführen
+reboot
+%packages
+@^minimal-environment
+-iwl*firmware
+vim
+bash-completion
+bind-utils
+wget
+telnet
+net-tools
+lsof
+%end
+%addon com_redhat_kdump --disable --reserve-mb='auto'
+%end
+%anaconda
+pwpolicy root --minlen=6 --minquality=1 --notstrict --nochanges --notempty
+pwpolicy user --minlen=6 --minquality=1 --notstrict --nochanges --emptyok
+pwpolicy luks --minlen=6 --minquality=1 --notstrict --nochanges --notempty
+%end
+# Postinstall-Anweisungen
+%post --log=/root/anaconda-postinstall.log
+#!/bin/bash
+#DATUM=$(date +"%Y-%m-%d")
+#for x in `cat /proc/cmdline`; do
+#case $x in SERVERNAME*)
+#eval $x
+############ bootloader anpassen, rhgb bei den Bootoptionen entfernen ###########
+sed -i 's/rhgb//g' /etc/default/grub
+grub2-mkconfig -o /boot/grub2/grub.cfg
 #################################################################################
-######################### yum-plugin-fastestmirror deaktivieren #################
+######################## MOTD und ISSUE.NET individualisieren ###################
-rm -f /etc/yum/pluginconf.d/fastestmirror.conf
+# /etc/issue.net anlegen
-cat <<YUM-PLUGIN-FASTESTMIRROR > /etc/yum/pluginconf.d/fastestmirror.conf
+cat <<ISSUE.NET > /etc/issue.net
-[main]
+##############################################################################
-# Django : $DATUM
+#                                                                            #
-# fastestmirror deaktiviert, da nur das interne Repository genutzt werden soll!
+#                       This is a private home server.                       #
-# default: enabled=1
+#                                                                            #
-enabled=0
+#             Unauthorized access to this system is prohibited !             #
-verbose=0
+#                                                                            #
-always_print_best_host = true
+#    This system is actively monitored and all connections may be logged.    #
-socket_timeout=3
+#         By accessing this system, you consent to this monitoring.          #
-# Relative paths are relative to the cachedir (and so works for users as well
+#                                                                            #
-# as root).
+##############################################################################
-hostfilepath=timedhosts.txt
+ISSUE.NET
-maxhostfileage=10
-maxthreads=15
+chown root:root /etc/issue.net
-#exclude=.gov, facebook
+chmod 644 /etc/issue.net
-#include_only=.nl,.de,.uk,.ie
-YUM-PLUGIN-FASTESTMIRROR
+# /etc/motd anlegen
-chown root:root /etc/yum/pluginconf.d/fastestmirror.conf
+cat <<MOTD > /etc/motd
-chmod 644 /etc/yum/pluginconf.d/fastestmirror.conf
+##############################################################################
+#                                                                            #
+#                 This is the home server of Michael Nausch.                 #
+#                                                                            #
+#                             vml00250.nausch.org                            #
+#                                                                            #
+#             Unauthorized access to this system is prohibited !             #
+#                                                                            #
+#    This system is actively monitored and all connections may be logged.    #
+#         By accessing this system, you consent to this monitoring.          #
+#                                                                            #
+##############################################################################
+MOTD
+chown root:root /etc/motd
+chmod 644 /etc/motd
 #################################################################################
 ########################### ssh-daemon konfigurieren ############################
-rm -f /etc/ssh/sshd_config
+cp -a /etc/ssh/sshd_config /etc/ssh/sshd_config.orig
 cat <<SSHD_CONFIG > /etc/ssh/sshd_config
-#       $OpenBSD: sshd_config,v 1.93 2014/01/10 05:59:19 djm Exp $
+#	$OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $
 # This is the sshd server system-wide configuration file.  See
 # sshd_config(5) for more information.
-# This sshd was compiled with PATH=/usr/local/bin:/usr/bin
+# This sshd was compiled with PATH=/usr/local/bin:/usr/bin:/usr/local/sbin:/usr/sbin
 # The strategy used for options in the default sshd_config shipped with
@@ Zeile 591: / Zeile 1136: @@
 # SELinux about this change.
 # semanage port -a -t ssh_port_t -p tcp #PORTNUMBER
+#
 # Specifies which address family should be used by sshd(8). Valid arguments
 # are ''any'', ''inet'' (use IPv4 only), or ''inet6'' (use IPv6 only).
-AddressFamily any
+#AddressFamily any
 # Specifies the local addresses sshd(8) should listen on. The following
@@ Zeile 604: / Zeile 1149: @@
 # Port options specified. The default is to listen on all local addresses.
 # Multiple ListenAddress options are permitted. Additionally, any Port
 # options must precede this option for non-port qualified addresses.
-ListenAddress 0.0.0.0:22
+#Port 22
+#ListenAddress 0.0.0.0
-# Specifies the protocol versions sshd(8) supports. The possible values are
+#ListenAddress ::
-# '1' and '2'. Multiple versions must be comma-separated. The default is
-# ''2,1''. Note that the order of the protocol list does not indicate
-# preference, because the client selects among multiple protocol versions
-# offered by the server. Specifying ''2,1'' is identical to ''1,2''.
-Protocol 2
 # Specifies a file containing a private host key used by SSH. The default
@@ Zeile 646: / Zeile 1186: @@
 #   mv "${HOME}/moduli" /etc/ssh/moduli
 #
-# CentOS 6
-# KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
-# CentOS 7 / Fedora >21 "only"
 KexAlgorithms curve25519-sha256@libssh.org
+# Ciphers and keying
+#RekeyLimit default none
+# System-wide Crypto policy:
+# This system is following system-wide crypto policy. The changes to
+# Ciphers, MACs, KexAlgoritms and GSSAPIKexAlgorithsm will not have any
+# effect here. They will be overridden by command-line options passed on
+# the server start up.
+# To opt out, uncomment a line with redefinition of  CRYPTO_POLICY=
+# variable in  /etc/sysconfig/sshd  to overwrite the policy.
+# For more information, see manual page for update-crypto-policies(8).
 # Logging
@@ Zeile 666: / Zeile 1215: @@
 # clear audit track of which key was using to log in.
 LogLevel VERBOSE
-# Configures an external subsystem (e.g. file transfer daemon). Arguments
-# should be a subsystem name and a command (with optional arguments) to
-# execute upon subsystem request. Log sftp level file access
-# (read/write/etc.) that would not be easily logged otherwise.
-Subsystem sftp /usr/lib/ssh/sftp-server -f AUTHPRIV -l INFO
 # Authentication:
@@ Zeile 708: / Zeile 1251: @@
 # connection. Once the number of failures reaches half this value,
 # additional failures are logged.
-MaxAuthTries 6
+MaxAuthTries 10
 # Specifies the maximum number of open sessions permitted per network
@@ Zeile 722: / Zeile 1265: @@
 # taken to be an absolute path or one relative to the user's home directory.
 AuthorizedKeysFile      .ssh/authorized_keys
-# Specifies whether pure RSA authentication is allowed. The default is
-# ''yes''. This option applies to protocol version 1 only.
-RSAAuthentication no
 # Specifies whether public key authentication is allowed. The default is
@@ Zeile 731: / Zeile 1270: @@
 PubkeyAuthentication yes
-# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
-# Change to yes if you don't trust ~/.ssh/known_hosts for
-# RhostsRSAAuthentication and HostbasedAuthentication
-RhostsRSAAuthentication no
-# Specifies whether rhosts or /etc/hosts.equiv authentication together
+#AuthorizedPrincipalsFile none
-# with successful public key client host authentication is allowed
+#AuthorizedKeysCommand none
-# (host-based authentication). This option is similar to
+#AuthorizedKeysCommandUser nobody
-# RhostsRSAAuthentication and applies to protocol version 2 only.
-HostbasedAuthentication no
-# Specifies whether sshd(8) should ignore the user's ~/.ssh/known_hosts
+# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
-# during RhostsRSAAuthentication or HostbasedAuthentication.
+#HostbasedAuthentication no
-IgnoreUserKnownHosts no
+# Change to yes if you don't trust ~/.ssh/known_hosts for
+# HostbasedAuthentication
+#IgnoreUserKnownHosts no
+# Don't read the user's ~/.rhosts and ~/.shosts files
+#IgnoreRhosts yes
-# Specifies that .rhosts and .shosts files will not be used in
+# To disable tunneled clear text passwords, change to no here!
-# RhostsRSAAuthentication or HostbasedAuthentication.
+#PasswordAuthentication yes
-# /etc/hosts.equiv and /etc/ssh/shosts.equiv are still used.
+#PermitEmptyPasswords no
-IgnoreRhosts yes
 # Specifies whether password authentication is allowed. To disable tunneled
 # clear text passwords, change to no here!
 PasswordAuthentication no
-# When password authentication is allowed, it specifies whether the server
-# allows login to accounts with empty password strings. The default is ''no''.
-PermitEmptyPasswords no
 # Specifies whether challenge-response authentication is allowed
@@ Zeile 763: / Zeile 1295: @@
 # Change to no to disable s/key passwords
 ChallengeResponseAuthentication no
+# Kerberos options
+#KerberosAuthentication no
+#KerberosOrLocalPasswd yes
+#KerberosTicketCleanup yes
+#KerberosGetAFSToken no
+#KerberosUseKuserok yes
 # Specifies whether user authentication based on GSSAPI is allowed.
-GSSAPIAuthentication no
+GSSAPIAuthentication yes
 # Specifies whether key exchange based on GSSAPI is allowed. GSSAPI key
 # exchange doesn't rely on ssh keys to verify host identity.
-GSSAPIKeyExchange no
+#GSSAPIKeyExchange no
 # Specifies whether to automatically destroy the user's credentials cache
 # on logout.
-GSSAPICleanupCredentials yes
+GSSAPICleanupCredentials no
 # Determines whether to be strict about the identity of the GSSAPI acceptor
@@ Zeile 782: / Zeile 1321: @@
 # machines. The default is ''yes''. Note that this option applies only to
 # protocol version 2 GSSAPI connections, and setting it to ''no'' may only
 # work with recent Kerberos GSSAPI libraries.
-GSSAPIStrictAcceptorCheck yes
+#GSSAPIStrictAcceptorCheck yes
-# Controls whether the user's GSSAPI credentials should be updated following
+#GSSAPIEnablek5users no
-# a successful connection rekeying. This option can be used to accepted
-# renewed or updated credentials from a compatible client.
-GSSAPIStoreCredentialsOnRekey no
-# Specifies whether ssh-agent(1) forwarding is permitted. The default is
+# Set this to 'yes' to enable PAM authentication, account processing,
-# ''yes''. Note that disabling agent forwarding does not improve security
+# and session processing. If this is enabled, PAM authentication will
-# unless users are also denied shell access, as they can always install
+# be allowed through the ChallengeResponseAuthentication and
-# their own forwarders.
+# PasswordAuthentication.  Depending on your PAM configuration,
-AllowAgentForwarding yes
+# PAM authentication via ChallengeResponseAuthentication may bypass
+# the setting of "PermitRootLogin without-password".
-# Specifies whether TCP forwarding is permitted. The default is ''yes''.
+# If you just want the PAM account and session checks to run without
-# Note that disabling TCP forwarding does not improve security unless users
+# PAM authentication, then enable this but set PasswordAuthentication
-# are also denied shell access, as they can always install their own
+# and ChallengeResponseAuthentication to 'no'.
-# forwarders.
+# WARNING: 'UsePAM no' is not supported in Fedora and may cause several
-AllowTcpForwarding yes
+# problems.
+UsePAM yes
-# Specifies whether remote hosts are allowed to connect to ports forwarded
-# for the client. By default, sshd(8) binds remote port forwardings to the
-# loopback address. This prevents other remote hosts from connecting to
-# forwarded ports. GatewayPorts can be used to specify that sshd should
-# allow remote port forwardings to bind to non-loopback addresses, thus
-# allowing other hosts to connect. The argument may be ''no'' to force
-# remote port forwardings to be available to the local host only, ''yes''
-# to force remote port forwardings to bind to the wildcard address, or
-# ''clientspecified'' to allow the client to select the address to which
-# the forwarding is bound. The default is ''no''.
-GatewayPorts no
 # Specifies whether X11 forwarding is permitted. The argument must be
@@ Zeile 834: / Zeile 1359: @@
 # Specifies the first display number available for sshd(8)'s X11 forwarding.
 # This prevents sshd from interfering with real X11 servers.
 # The default is 10.
-X11DisplayOffset 10
+#X11DisplayOffset 10
 # Specifies whether sshd(8) should bind the X11 forwarding server to the
@@ Zeile 845: / Zeile 1370: @@
 # ''no'' to specify that the forwarding server should be bound to the
 # wildcard address. The argument must be ''yes'' or ''no''. The default is
 # ''yes''.
-X11UseLocalhost yes
+#X11UseLocalhost yes
-# Specifies whether sshd(8) should print /etc/motd when a user logs in
+# Specifies whether ssh-agent(1) forwarding is permitted. The default is
-# interactively. (On some systems it is also printed by the shell,
+# ''yes''. Note that disabling agent forwarding does not improve security
-# /etc/profile, or equivalent.) The default is ''yes''.
+# unless users are also denied shell access, as they can always install
-PrintMotd yes
+# their own forwarders.
+#AllowAgentForwarding yes
-# Specifies whether sshd(8) should print the date and time of the last user
+# Specifies whether TCP forwarding is permitted. The default is ''yes''.
-# login when a user logs in interactively. The default is ''yes''.
+# Note that disabling TCP forwarding does not improve security unless users
-PrintLastLog yes
+# are also denied shell access, as they can always install their own
+# forwarders.
+#AllowTcpForwarding yes
-# Specifies whether login(1) is used for interactive login sessions. The
+# Specifies whether remote hosts are allowed to connect to ports forwarded
-# default is ''no''. Note that login(1) is never used for remote command
+# for the client. By default, sshd(8) binds remote port forwardings to the
-# execution. Note also, that if this is enabled, X11Forwarding will be
+# loopback address. This prevents other remote hosts from connecting to
-# disabled because login(1) does not know how to handle xauth(1) cookies.
+# forwarded ports. GatewayPorts can be used to specify that sshd should
-# If UsePrivilegeSeparation is specified, it will be disabled after
+# allow remote port forwardings to bind to non-loopback addresses, thus
-# authentication.
+# allowing other hosts to connect. The argument may be ''no'' to force
-UseLogin no
+# remote port forwardings to be available to the local host only, ''yes''
+# to force remote port forwardings to bind to the wildcard address, or
+# ''clientspecified'' to allow the client to select the address to which
+# the forwarding is bound. The default is ''no''.
+#GatewayPorts no
-# Set this to 'yes' to enable PAM authentication, account processing,
+#PermitTTY yes
-# and session processing. If this is enabled, PAM authentication will
-# be allowed through the ChallengeResponseAuthentication and
-# PasswordAuthentication.  Depending on your PAM configuration,
-# PAM authentication via ChallengeResponseAuthentication may bypass
-# the setting of "PermitRootLogin without-password".
-# If you just want the PAM account and session checks to run without
-# PAM authentication, then enable this but set PasswordAuthentication
-# and ChallengeResponseAuthentication to 'no'.
-# WARNING: 'UsePAM no' is not supported in Red Hat Enterprise Linux
-# and may cause several problems.
-UsePAM yes
-# Specifies whether sshd(8) separates privileges by creating an unprivileged
+# It is recommended to use pam_motd in /etc/pam.d/sshd instead of PrintMotd,
-# child process to deal with incoming network traffic. After successful
+# as it is more configurable and versatile than the built-in version.
-# authentication, another process will be created that has the privilege of
+PrintMotd no
-# the authenticated user. The goal of privilege separation is to prevent
-# privilege escalation by containing any corruption within the unprivileged
-# processes.
-UsePrivilegeSeparation sandbox
-# Sets a timeout interval in seconds after which if no data has been
+#PrintLastLog yes
-# received from the client, sshd(8) will send a message through the
+#TCPKeepAlive yes
-# encrypted channel to request a response from the client. The default is 0,
+#PermitUserEnvironment no
-# indicating that these messages will not be sent to the client. This option
+#Compression delayed
-# applies to protocol version 2 only.
+#ClientAliveInterval 0
-ClientAliveInterval 0
+#ClientAliveCountMax 3
+#ShowPatchLevel no
-# Sets the number of client alive messages (see below) which may be sent
+#UseDNS no
-# without sshd(8) receiving any messages back from the client. If this
+#PidFile /var/run/sshd.pid
-# threshold is reached while client alive messages are being sent, sshd will
+#MaxStartups 10:30:100
-# disconnect the client, terminating the session. It is important to note
+#PermitTunnel no
-# that the use of client alive messages is very different from TCPKeepAlive
+#ChrootDirectory none
-# (below). The client alive messages are sent through the encrypted channel
+#VersionAddendum none
-# and therefore will not be spoofable. The TCP keepalive option enabled by
-# TCPKeepAlive is spoofable. The client alive mechanism is valuable when the
-# client or server depend on knowing when a connection has become inactive.
-# The default value is 3. If ClientAliveInterval (see below) is set to 15,
-# and ClientAliveCountMax is left at the default, unresponsive SSH clients
-# will be disconnected after approximately 45 seconds. This option applies
-# to protocol version 2 only.
-ClientAliveCountMax 3
-# Specifies whether the system should send TCP keepalive messages to the
-# other side. If they are sent, death of the connection or crash of one of
-# the machines will be properly noticed. However, this means that
-# connections will die if the route is down temporarily, and some people
-# find it annoying. On the other hand, if TCP keepalives are not sent,
-# sessions may hang indefinitely on the server, leaving ''ghost'' users
-# and consuming server resources. The default is ''yes'' (to send TCP
-# keepalive messages), and the server will notice if the network goes down
-# or the client host crashes. This avoids infinitely hanging sessions.
-# To disable TCP keepalive messages, the value should be set to ''no''.
-TCPKeepAlive yes
-# Specifies whether sshd(8) should look up the remote host name and check
-# that the resolved host name for the remote IP address maps back to the
-# very same IP address.
-UseDNS yes
-# Specifies the file that contains the process ID of the SSH daemon.
-# The default is /var/run/sshd.pid.
-PidFile /var/run/sshd.pid
-# Specifies the maximum number of concurrent unauthenticated connections
-# to the SSH daemon. Additional connections will be dropped until
-# authentication succeeds or the LoginGraceTime expires for a connection.
-# The default is 10.
-# Alternatively, random early drop can be enabled by specifying the three
-# colon separated values ''start:rate:full'' (e.g. "10:30:60"). sshd(8)
-# will refuse connection attempts with a probability of ''rate/100'' (30%)
-# if there are currently ''start'' (10) unauthenticated connections. The
-# probability increases linearly and all connection attempts are refused
-# if the number of unauthenticated connections reaches ''full'' (60).
-MaxStartups 10:30:100
-# Specifies whether tun(4) device forwarding is allowed. The argument must
-# be ''yes'', ''point-to-point'' (layer 3), ''ethernet'' (layer 2), or
-# ''no''. Specifying ''yes'' permits both ''point-to-point'' and
-# ''ethernet''. The default is ''no''.
-PermitTunnel no
-# Specifies a path to chroot(2) to after authentication. This path, and all
-# its components, must be root-owned directories that are not writable by
-# any other user or group. After the chroot, sshd(8) changes the working
-# directory to the user's home directory.
-# The path may contain the following tokens that are expanded at runtime
-# once the connecting user has been authenticated: %% is replaced by a
-# literal '%', %h is replaced by the home directory of the user being
-# authenticated, and %u is replaced by the username of that user.
-# The ChrootDirectory must contain the necessary files and directories to
-# support the user's session. For an interactive session this requires at
-# least a shell, typically sh(1), and basic /dev nodes such as null(4),
-# zero(4), stdin(4), stdout(4), stderr(4), arandom(4) and tty(4) devices.
-# For file transfer sessions using ''sftp'', no additional configuration
-# of the environment is necessary if the in-process sftp server is used,
-# though sessions which use logging do require /dev/log inside the chroot
-# directory (see sftp-server(8) for details).
-ChrootDirectory none
 # The contents of the specified file are sent to the remote user before
@@ Zeile 974: / Zeile 1426: @@
 AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
 AcceptEnv XMODIFIERS
+# Configures an external subsystem (e.g. file transfer daemon). Arguments
+# should be a subsystem name and a command (with optional arguments) to
+# execute upon subsystem request. Log sftp level file access
+# (read/write/etc.) that would not be easily logged otherwise.
+Subsystem	sftp	/usr/libexec/openssh/sftp-server
 # Example of overriding settings on a per-user basis
 #Match User anoncvs
-#       X11Forwarding no
+#	X11Forwarding no
-#       AllowTcpForwarding no
+#	AllowTcpForwarding no
-#       PermitTTY no
+#	PermitTTY no
-#       ForceCommand cvs server
+#	ForceCommand cvs server
 SSHD_CONFIG
 chown root:root /etc/ssh/sshd_config
-chmod 644 /etc/ssh/sshd_config
+chmod 600 /etc/ssh/sshd_config
 #################################################################################
@@ Zeile 991: / Zeile 1449: @@
 chown django:django /home/django/.ssh
 cat <<AUTHORIZED_KEYS >/home/django/.ssh/authorized_keys
-ssh-ed25519 AAAAC3NzaC1lZDF1NTE5AAAAIDYjDCtBTfrpb04x0135CHl4M93sMagrrD5d+IbkU6ddBSp django@nausch.org
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDYjDCtBTfrpbHHkRrqHOkhsMagrrD5d+IbkU6ddoBSp django@nausch.org
 AUTHORIZED_KEYS
 chmod 644 /home/django/.ssh/authorized_keys
@@ Zeile 997: / Zeile 1455: @@
 #################################################################################
-####################### Nameserver Suchliste festlegen ##########################
+############### lokales gespiegeltes CentOS-Repository benutzen #################
-echo 'DOMAIN="dmz.nausch.org nausch.org"' >> /etc/sysconfig/network-scripts/ifcfg-eth0
+cp -a /etc/yum.repos.d/CentOS-AppStream.repo /etc/yum.repos.d/CentOS-AppStream.repo.orig
-#################################################################################
+cat <<CENTOS-APPSTREAM > /etc/yum.repos.d/epel-modular.repo
+# CentOS-AppStream.repo
-############################# IPv6 deaktivieren ##################################
-#echo "# Django : $DATUM
-## default: unset (IPv6 aktiv)
-#net.ipv6.conf.all.disable_ipv6 = 1
-#net.ipv6.conf.default.disable_ipv6 = 1" >> /etc/sysctl.conf
-##################################################################################
-########################### Postfix Basis-Konfiguration #########################
-rm -f /etc/postfix/main.cf
-cat <<MAIN.CF > /etc/postfix/main.cf
-# Global Postfix configuration file. This file lists only a subset
-# of all parameters. For the syntax, and for a complete parameter
-# list, see the postconf(5) manual page (command: "man 5 postconf").
 #
-# For common configuration examples, see BASIC_CONFIGURATION_README
+# The mirror system uses the connecting IP address of the client and the
-# and STANDARD_CONFIGURATION_README. To find these documents, use
+# update status of each mirror to pick mirrors that are updated to and
-# the command "postconf html_directory readme_directory", or go to
+# geographically close to the client.  You should use this for CentOS updates
-# http://www.postfix.org/.
+# unless you are manually picking other mirrors.
 #
-# For best results, change no more than 2-3 parameters at a time,
+# If the mirrorlist= does not work for you, as a fall back you can try the
-# and test if Postfix still works after every change.
+# remarked out baseurl= line instead.
-# SOFT BOUNCE
 #
-# The soft_bounce parameter provides a limited safety net for
-# testing.  When soft_bounce is enabled, mail will remain queued that
-# would otherwise bounce. This parameter disables locally-generated
-# bounces, and prevents the SMTP server from rejecting mail permanently
-# (by changing 5xx replies into 4xx replies). However, soft_bounce
-# is no cure for address rewriting mistakes or mail routing mistakes.
 #
-#soft_bounce = no
-# LOCAL PATHNAME INFORMATION
+[AppStream]
-#
+name=CentOS-\$releasever - AppStream
-# The queue_directory specifies the location of the Postfix queue.
+baseurl=http://10.0.0.57/centos/\$releasever/AppStream/\$basearch/os/
-# This is also the root directory of Postfix daemons that run chrooted.
+gpgcheck=1
-# See the files in examples/chroot-setup for setting up Postfix chroot
+enabled=1
-# environments on different UNIX systems.
+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial
-#
+CENTOS-APPSTREAM
-queue_directory = /var/spool/postfix
+chown root:root /etc/yum.repos.d/CentOS-AppStream.repo
+chmod 644 /etc/yum.repos.d/CentOS-AppStream.repo
-# The command_directory parameter specifies the location of all
+cp -a /etc/yum.repos.d/CentOS-Base.repo /etc/yum.repos.d/CentOS-Base.repo.orig
-# postXXX commands.
+cat <<CENTOS-BASE > /etc/yum.repos.d/CentOS-Base.repo
+# CentOS-Base.repo
 #
-command_directory = /usr/sbin
+# The mirror system uses the connecting IP address of the client and the
+# update status of each mirror to pick mirrors that are updated to and
-# The daemon_directory parameter specifies the location of all Postfix
+# geographically close to the client.  You should use this for CentOS updates
-# daemon programs (i.e. programs listed in the master.cf file). This
+# unless you are manually picking other mirrors.
-# directory must be owned by root.
 #
-daemon_directory = /usr/libexec/postfix
+# If the mirrorlist= does not work for you, as a fall back you can try the
+# remarked out baseurl= line instead.
-# The data_directory parameter specifies the location of Postfix-writable
-# data files (caches, random numbers). This directory must be owned
-# by the mail_owner account (see below).
 #
-data_directory = /var/lib/postfix
-# QUEUE AND PROCESS OWNERSHIP
 #
-# The mail_owner parameter specifies the owner of the Postfix queue
-# and of most Postfix daemon processes.  Specify the name of a user
-# account THAT DOES NOT SHARE ITS USER OR GROUP ID WITH OTHER ACCOUNTS
-# AND THAT OWNS NO OTHER FILES OR PROCESSES ON THE SYSTEM.  In
-# particular, don't specify nobody or daemon. PLEASE USE A DEDICATED
-# USER.
-#
-mail_owner = postfix
-# The default_privs parameter specifies the default rights used by
+[BaseOS]
-# the local delivery agent for delivery to external file or command.
+name=CentOS-\$releasever - Base
-# These rights are used in the absence of a recipient user context.
+baseurl=http://10.0.0.57/centos/\$releasever/BaseOS/\$basearch/os/
-# DO NOT SPECIFY A PRIVILEGED USER OR THE POSTFIX OWNER.
+gpgcheck=1
-#
+enabled=1
-#default_privs = nobody
+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial
+CENTOS-BASE
+chown root:root /etc/yum.repos.d/CentOS-AppStream.repo
+chmod 644 /etc/yum.repos.d/CentOS-AppStream.repo
-# INTERNET HOST AND DOMAIN NAMES
+cp -a /etc/yum.repos.d/CentOS-Extras.repo /etc/yum.repos.d/CentOS-Extras.repo.orig
-#
+cat <<CENTOS-EXTRAS > /etc/yum.repos.d/CentOS-Extras.repo
-# The myhostname parameter specifies the internet hostname of this
+# CentOS-Extras.repo
-# mail system. The default is to use the fully-qualified domain name
-# from gethostname(). \$myhostname is used as a default value for many
-# other configuration parameters.
 #
-#myhostname = host.domain.tld
+# The mirror system uses the connecting IP address of the client and the
-#myhostname = virtual.domain.tld
+# update status of each mirror to pick mirrors that are updated to and
-# Django : $DATUM - Hostname setzen
+# geographically close to the client.  You should use this for CentOS updates
-# default: unset
+# unless you are manually picking other mirrors.
-myhostname = $HOSTNAME
-# The mydomain parameter specifies the local internet domain name.
-# The default is to use \$myhostname minus the first component.
-# \$mydomain is used as a default value for many other configuration
-# parameters.
 #
-#mydomain = domain.tld
+# If the mirrorlist= does not work for you, as a fall back you can try the
-# Django : $DATUM - Domainname setzen
+# remarked out baseurl= line instead.
-# default: unset
-mydomain = nausch.org
-# SENDING MAIL
-#
-# The myorigin parameter specifies the domain that locally-posted
-# mail appears to come from. The default is to append \$myhostname,
-# which is fine for small sites.  If you run a domain with multiple
-# machines, you should (1) change this to \$mydomain and (2) set up
-# a domain-wide alias database that aliases each user to
-# user@that.users.mailhost.
 #
-# For the sake of consistency between sender and recipient addresses,
-# myorigin also specifies the default domain name that is appended
-# to recipient addresses that have no @domain part.
 #
-#myorigin = \$myhostname
-#myorigin = \$mydomain
-# Django : $DATUM Origin gesetzt
-# default: unset
-myorigin = \$mydomain
-# RECEIVING MAIL
+#additional packages that may be useful
+[extras]
+name=CentOS-\$releasever - Extras
+baseurl=http://10.0.0.57/centos/\$releasever/extras/\$basearch/os/
+gpgcheck=1
+enabled=1
+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial
+CENTOS-EXTRAS
+chown root:root /etc/yum.repos.d/CentOS-Extras.repo
+chmod 644 /etc/yum.repos.d/CentOS-Extras.repo
+#################################################################################
-# The inet_interfaces parameter specifies the network interface
+###### EPEL installieren und lokales gespiegeltes EPEL-Repository benutzen ######
-# addresses that this mail system receives mail on.  By default,
+dnf install epel-release -y
-# the software claims all active interfaces on the machine. The
+rpm --import https://dl.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-
-# parameter also controls delivery of mail to user@[ip.address].
-#
-# See also the proxy_interfaces parameter, for network addresses that
-# are forwarded to us via a proxy or network address translator.
-#
-# Note: you need to stop/start Postfix when this parameter changes.
-#
-#inet_interfaces = all
-#inet_interfaces = \$myhostname
-#inet_interfaces = \$myhostname, localhost
-inet_interfaces = localhost
-# Enable IPv4, and IPv6 if supported
+cp -a /etc/yum.repos.d/epel-modular.repo /etc/yum.repos.d/epel-modular.repo.orig
-# Django  : $DATUM IPv6-Support deaktiviert
+cat <<EPEL-MODULAR > /etc/yum.repos.d/epel-modular.repo
-# default : inet_protocols = all
+[epel-modular]
-##inet_protocols = ipv4
+name=Extra Packages for Enterprise Linux Modular \$releasever - \$basearch
-inet_protocols = all
+baseurl=http://10.0.0.57/epel/\$releasever/Modular/\$basearch
+enabled=1
+gpgcheck=1
+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-8
-# The proxy_interfaces parameter specifies the network interface
+[epel-modular-debuginfo]
-# addresses that this mail system receives mail on by way of a
+name=Extra Packages for Enterprise Linux Modular \$releasever - \$basearch - Debug
-# proxy or network address translation unit. This setting extends
+baseurl=http://10.0.0.57/epel/\$releasever/Modular/\$basearch/debug
-# the address list specified with the inet_interfaces parameter.
+enabled=0
-#
+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-8
-# You must specify your proxy/NAT addresses when your system is a
+gpgcheck=1
-# backup MX host for other domains, otherwise mail delivery loops
-# will happen when the primary MX host is down.
-#
-#proxy_interfaces =
-#proxy_interfaces = 1.2.3.4
-# The mydestination parameter specifies the list of domains that this
+[epel-modular-source]
-# machine considers itself the final destination for.
+name=Extra Packages for Enterprise Linux Modular \$releasever - \$basearch - Source
-#
+baseurl=http://10.0.0.57/epel/\$releasever/Modular/\$basearch/SRPMS
-# These domains are routed to the delivery agent specified with the
+enabled=0
-# local_transport parameter setting. By default, that is the UNIX
+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-8
-# compatible delivery agent that lookups all recipients in /etc/passwd
+gpgcheck=1
-# and /etc/aliases or their equivalent.
-#
-# The default is \$myhostname + localhost.\$mydomain.  On a mail domain
-# gateway, you should also include \$mydomain.
-#
-# Do not specify the names of virtual domains - those domains are
-# specified elsewhere (see VIRTUAL_README).
-#
-# Do not specify the names of domains that this machine is backup MX
-# host for. Specify those names via the relay_domains settings for
-# the SMTP server, or use permit_mx_backup if you are lazy (see
-# STANDARD_CONFIGURATION_README).
-#
-# The local machine is always the final destination for mail addressed
-# to user@[the.net.work.address] of an interface that the mail system
-# receives mail on (see the inet_interfaces parameter).
-#
-# Specify a list of host or domain names, /file/name or type:table
-# patterns, separated by commas and/or whitespace. A /file/name
-# pattern is replaced by its contents; a type:table is matched when
-# a name matches a lookup key (the right-hand side is ignored).
-# Continue long lines by starting the next line with whitespace.
-#
-# See also below, section "REJECTING MAIL FOR UNKNOWN LOCAL USERS".
-#
-mydestination = \$myhostname, localhost.\$mydomain, localhost
-#mydestination = \$myhostname, localhost.\$mydomain, localhost, \$mydomain
-#mydestination = \$myhostname, localhost.\$mydomain, localhost, \$mydomain,
-#	mail.\$mydomain, www.\$mydomain, ftp.\$mydomain
-# REJECTING MAIL FOR UNKNOWN LOCAL USERS
+EPEL-MODULAR
-#
+chown root:root /etc/yum.repos.d/epel-modular.repo
-# The local_recipient_maps parameter specifies optional lookup tables
+chmod 644 /etc/yum.repos.d/epel-modular.repo
-# with all names or addresses of users that are local with respect
-# to \$mydestination, \$inet_interfaces or \$proxy_interfaces.
-#
-# If this parameter is defined, then the SMTP server will reject
-# mail for unknown local users. This parameter is defined by default.
-#
-# To turn off local recipient checking in the SMTP server, specify
-# local_recipient_maps = (i.e. empty).
-#
-# The default setting assumes that you use the default Postfix local
-# delivery agent for local delivery. You need to update the
-# local_recipient_maps setting if:
-#
-# - You define \$mydestination domain recipients in files other than
-#   /etc/passwd, /etc/aliases, or the \$virtual_alias_maps files.
-#   For example, you define \$mydestination domain recipients in
-#   the \$virtual_mailbox_maps files.
-#
-# - You redefine the local delivery agent in master.cf.
-#
-# - You redefine the "local_transport" setting in main.cf.
-#
-# - You use the "luser_relay", "mailbox_transport", or "fallback_transport"
-#   feature of the Postfix local delivery agent (see local(8)).
-#
-# Details are described in the LOCAL_RECIPIENT_README file.
-#
-# Beware: if the Postfix SMTP server runs chrooted, you probably have
-# to access the passwd file via the proxymap service, in order to
-# overcome chroot restrictions. The alternative, having a copy of
-# the system passwd file in the chroot jail is just not practical.
-#
-# The right-hand side of the lookup tables is conveniently ignored.
-# In the left-hand side, specify a bare username, an @domain.tld
-# wild-card, or specify a user@domain.tld address.
-#
-#local_recipient_maps = unix:passwd.byname \$alias_maps
-#local_recipient_maps = proxy:unix:passwd.byname \$alias_maps
-#local_recipient_maps =
-# The unknown_local_recipient_reject_code specifies the SMTP server
+cp -a /etc/yum.repos.d/epel.repo /etc/yum.repos.d/epel.repo.orig
-# response code when a recipient domain matches \$mydestination or
+cat <<EPEL > /etc/yum.repos.d/epel.repo
-# \${proxy,inet}_interfaces, while \$local_recipient_maps is non-empty
+[epel]
-# and the recipient address or address local-part is not found.
+name=Extra Packages for Enterprise Linux \$releasever - \$basearch
-#
+baseurl=http://10.0.0.57/epel/\$releasever/Everything/\$basearch
-# The default setting is 550 (reject mail) but it is safer to start
+enabled=1
-# with 450 (try again later) until you are certain that your
+gpgcheck=1
-# local_recipient_maps settings are OK.
+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-8
-#
-unknown_local_recipient_reject_code = 550
-# TRUST AND RELAY CONTROL
+[epel-debuginfo]
+name=Extra Packages for Enterprise Linux \$releasever - \$basearch - Debug
+baseurl=http://10.0.0.57/epel/\$releasever/Everything/\$basearch/debug
+enabled=0
+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-8
+gpgcheck=1
-# The mynetworks parameter specifies the list of "trusted" SMTP
+[epel-source]
-# clients that have more privileges than "strangers".
+name=Extra Packages for Enterprise Linux \$releasever - \$basearch - Source
-#
+baseurl=http://10.0.0.57/epel/\$releasever/Everything/SRPMS
-# In particular, "trusted" SMTP clients are allowed to relay mail
+enabled=0
-# through Postfix.  See the smtpd_recipient_restrictions parameter
+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-8
-# in postconf(5).
+gpgcheck=1
-#
+EPEL
-# You can specify the list of "trusted" network addresses by hand
+chown root:root /etc/yum.repos.d/epel.repo
-# or you can let Postfix do it for you (which is the default).
+chmod 644 /etc/yum.repos.d/epel.repo
-#
+#################################################################################
-# By default (mynetworks_style = subnet), Postfix "trusts" SMTP
-# clients in the same IP subnetworks as the local machine.
-# On Linux, this does works correctly only with interfaces specified
-# with the "ifconfig" command.
-#
-# Specify "mynetworks_style = class" when Postfix should "trust" SMTP
-# clients in the same IP class A/B/C networks as the local machine.
-# Don't do this with a dialup site - it would cause Postfix to "trust"
-# your entire provider's network.  Instead, specify an explicit
-# mynetworks list by hand, as described below.
-#
-# Specify "mynetworks_style = host" when Postfix should "trust"
-# only the local machine.
-#
-#mynetworks_style = class
-#mynetworks_style = subnet
-#mynetworks_style = host
-# Alternatively, you can specify the mynetworks list by hand, in
+############################ System Updaten #####################################
-# which case Postfix ignores the mynetworks_style setting.
+dnf update -y
-#
+#################################################################################
-# Specify an explicit list of network/netmask patterns, where the
+;;
-# mask specifies the number of bits in the network part of a host
+esac;
-# address.
+done
-#
+%end
-# You can also specify the absolute pathname of a pattern file instead
+</file>
-# of listing the patterns here. Specify type:table for table-based lookups
-# (the value on the table right-hand side is not used).
-#
-#mynetworks = 168.100.189.0/28, 127.0.0.0/8
-#mynetworks = \$config_directory/mynetworks
-#mynetworks = hash:/etc/postfix/network_table
-# The relay_domains parameter restricts what destinations this system will
+Neben der Grundinstallation eines CentOS 8 Hosts werden wir nun noch folgende Dinge setzen lassen:
-# relay mail to.  See the smtpd_recipient_restrictions description in
+  - **[[centos:rename_nic_c8#grub_bootloader|Bootloader]]** Da wir beim Booten der Maschine detailierte Informationen sehen wollen werden wir die Option **rhgb** in der GRUB-Definition entfernen.
-# postconf(5) for detailed information.
+  - **[[centos:logins_individuell_anpassen|MOTD und ISSUE.NET]]** individualisieren inkl. Hostnamen
-#
+  - **[[centos:ssh_c7#ssh-daemon|SSH-Daemon]]** Den SSH Daemon härten wir und passen die Konfigurationsdatei entsprechend an.
-# By default, Postfix relays mail
+  - **[[centos:ssh_c7#zielverzeichnis_anlegen_und_oeffentlichen_schluessel_kopieren|SSH-Publickey]]** Für unseren Admin-Account **django** hinterlegen wir den zugehörigen öffentlichen SSH-Schlüssel.
-# - from "trusted" clients (IP address matches \$mynetworks) to any destination,
+  - **[[wiki:start#repos|Repositories]]** Statt der öffentlichen, sollen nur noch die lokal gesyncten Repositories verwendet werden; daher macht es auch keinen Sinn die Einträge **''mirrorlist=''** in den entsprechenden repo-filers stehen zu lassen. Zusätzlich zum Standard soll auch noch das Repository **[[centos:epel8|EPEL]]** eingebunden und genutzt werden.
-# - from "untrusted" clients to destinations that match \$relay_domains or
+  - **Update** Zum Schluss stellen wir noch sicher dass alle installierten Pakete in der aktuellsten Version vorliegen und lassen dann das System neu starten.
-#   subdomains thereof, except addresses with sender-specified routing.
-# The default relay_domains value is \$mydestination.
-#
-# In addition to the above, the Postfix SMTP server by default accepts mail
-# that Postfix is final destination for:
-# - destinations that match \$inet_interfaces or \$proxy_interfaces,
-# - destinations that match \$mydestination
-# - destinations that match \$virtual_alias_domains,
-# - destinations that match \$virtual_mailbox_domains.
-# These destinations do not need to be listed in \$relay_domains.
-#
-# Specify a list of hosts or domains, /file/name patterns or type:name
-# lookup tables, separated by commas and/or whitespace.  Continue
-# long lines by starting the next line with whitespace. A file name
-# is replaced by its contents; a type:name table is matched when a
-# (parent) domain appears as lookup key.
-#
-# NOTE: Postfix will not automatically forward mail for domains that
-# list this system as their primary or backup MX host. See the
-# permit_mx_backup restriction description in postconf(5).
-#
-#relay_domains = \$mydestination
-# INTERNET OR INTRANET
+Der Form halber setzen wir dann die Dateiberechtigungen auf **444**
+   # chmod 444 /mnt/iso/isolinux/ks.cfg
-# The relayhost parameter specifies the default host to send mail to
+Damit wir die beim Booten verwendete Datei **''isolinux.cfg''** bearbeiten können passen wir die Dateiberechtigung tempüorär an.
-# when no entry is matched in the optional transport(5) table. When
+   # chmod 644 /mnt/iso/isolinux/isolinux.cfg
-# no relayhost is given, mail is routed directly to the destination.
-#
-# On an intranet, specify the organizational domain name. If your
-# internal DNS uses no MX records, specify the name of the intranet
-# gateway host instead.
-#
-# In the case of SMTP, specify a domain, host, host:port, [host]:port,
-# [address] or [address]:port; the form [host] turns off MX lookups.
-#
-# If you're connected via UUCP, see also the default_transport parameter.
-#
-#relayhost = \$mydomain
-#relayhost = [gateway.my.domain]
-#relayhost = [mailserver.isp.tld]
-#relayhost = uucphost
-#relayhost = [an.ip.add.ress]
-# Django : $DATUM Relayhost auf mx01.nausch.org gesetzt
-# default: unset
-relayhost = dmz.nausch.org
-# REJECTING UNKNOWN RELAY USERS
+Nun können wir den Bootparameter anpassen und die Kickstart-Datei angeben. Dabei setzen wir **''inst.ks=hd:LABEL=CentOS-8-BaseOS-x86_64:/isolinux/ks.cfg''** also den Pafd zur Kickstart-Datei wie auch die beiden nötigen Parameter **''net.ifnames=0''** und **''biosdevname=0''** für die Rückumbenennungh der Netzwerkinterfaces in **ethX**.
-#
+   # vim /mnt/iso/isolinux/isolinux.cfg
-# The relay_recipient_maps parameter specifies optional lookup tables
-# with all addresses in the domains that match \$relay_domains.
-#
-# If this parameter is defined, then the SMTP server will reject
-# mail for unknown relay users. This feature is off by default.
-#
-# The right-hand side of the lookup tables is conveniently ignored.
-# In the left-hand side, specify an @domain.tld wild-card, or specify
-# a user@domain.tld address.
-#
-#relay_recipient_maps = hash:/etc/postfix/relay_recipients
-# INPUT RATE CONTROL
+<code>...
-#
-# The in_flow_delay configuration parameter implements mail input
-# flow control. This feature is turned on by default, although it
-# still needs further development (it's disabled on SCO UNIX due
-# to an SCO bug).
-#
-# A Postfix process will pause for \$in_flow_delay seconds before
-# accepting a new message, when the message arrival rate exceeds the
-# message delivery rate. With the default 100 SMTP server process
-# limit, this limits the mail inflow to 100 messages a second more
-# than the number of messages delivered per second.
-#
-# Specify 0 to disable the feature. Valid delays are 0..10.
-#
-#in_flow_delay = 1s
-# ADDRESS REWRITING
+label linux
-#
+  menu label ^Install CentOS Linux 8.0.1905
-# The ADDRESS_REWRITING_README document gives information about
+  kernel vmlinuz
-# address masquerading or other forms of address rewriting including
+  append initrd=initrd.img inst.ks=hd:LABEL=CentOS-8-BaseOS-x86_64:/isolinux/ks.cfg inst.stage2=hd:LABEL=CentOS-8-BaseOS-x86_64 quiet net.ifnames=0 biosdevname=0
-# username->Firstname.Lastname mapping.
-# ADDRESS REDIRECTION (VIRTUAL DOMAIN)
+...
-#
+<</code>
-# The VIRTUAL_README document gives information about the many forms
-# of domain hosting that Postfix supports.
-# "USER HAS MOVED" BOUNCE MESSAGES
+<WRAP center round important 75%>
-#
+Wichtig ist dabei der Parameter **''LABEL=CentOS-8-BaseOS-x86_64''** \\
-# See the discussion in the ADDRESS_REWRITING_README document.
+Diesen Wert müssen wir später beim Erstellen des eigenen Boot-ISO-Image genau gleich angeben!
+</WRAP>
-# TRANSPORT MAP
+Nun können wir die Dateiberechtigung dieser DAte wieder auf **444** zhurücksetzen.
-#
+   # chmod 444 /mnt/iso/isolinux/isolinux.cfg
-# See the discussion in the ADDRESS_REWRITING_README document.
-# ALIAS DATABASE
+Anschließend packen wir den Inhalt des ursprünglichen ISO-Images mit unserem Kickstart-File wie auch unseren Ändewrungen neu ein. Das LAbel, welches wir zuvor in der Konfigurationsdatei **''isolinux.cfg''** verwendet hatten geben wir hier exakt gleich an!
-#
+   # mkisofs -o ~/CentOS-8-x86_64-1905-local.iso -b isolinux/isolinux.bin -c isolinux/boot.cat -no-emul-boot -boot-load-size 4 -boot-info-table -J -R -V 'CentOS-8-BaseOS-x86_64' .
-# The alias_maps parameter specifies the list of alias databases used
-# by the local delivery agent. The default list is system dependent.
-#
-# On systems with NIS, the default is to search the local alias
-# database, then the NIS alias database. See aliases(5) for syntax
-# details.
-#
-# If you change the alias database, run "postalias /etc/aliases" (or
-# wherever your system stores the mail alias file), or simply run
-# "newaliases" to build the necessary DBM or DB file.
-#
-# It will take a minute or so before changes become visible.  Use
-# "postfix reload" to eliminate the delay.
-#
-#alias_maps = dbm:/etc/aliases
-alias_maps = hash:/etc/aliases
-#alias_maps = hash:/etc/aliases, nis:mail.aliases
-#alias_maps = netinfo:/aliases
-# The alias_database parameter specifies the alias database(s) that
+Bevor wir nun das neu erstellte ISO-IMage verwenden können, ist es noch notwendig diese Date mit einer MD5-Prüfsumme zu versehen.
-# are built with "newaliases" or "sendmail -bi".  This is a separate
+   # implantisomd5 /var/lib/libvirt/boot/CentOS-8-x86_64-1905-local.iso
-# configuration parameter, because alias_maps (see above) may specify
-# tables that are not necessarily all under control by Postfix.
-#
-#alias_database = dbm:/etc/aliases
-#alias_database = dbm:/etc/mail/aliases
-alias_database = hash:/etc/aliases
-#alias_database = hash:/etc/aliases, hash:/opt/majordomo/aliases
-# ADDRESS EXTENSIONS (e.g., user+foo)
+Nun können wir unser eigenes ISO-Image verenden.
-#
-# The recipient_delimiter parameter specifies the separator between
-# user names and address extensions (user+foo). See canonical(5),
-# local(8), relocated(5) and virtual(5) for the effects this has on
-# aliases, canonical, virtual, relocated and .forward file lookups.
-# Basically, the software tries user+foo and .forward+foo before
-# trying user and .forward.
-#
-#recipient_delimiter = +
-# DELIVERY TO MAILBOX
+{{ :centos:pxe_c8:kickstart-iso-8-1.png?nolink&800 |Bild: Bildschirmhardcopy der Installationskonfiguration}}
-#
-# The home_mailbox parameter specifies the optional pathname of a
-# mailbox file relative to a user's home directory. The default
-# mailbox file is /var/spool/mail/user or /var/mail/user.  Specify
-# "Maildir/" for qmail-style delivery (the / is required).
-#
-#home_mailbox = Mailbox
-#home_mailbox = Maildir/
-# The mail_spool_directory parameter specifies the directory where
-# UNIX-style mailboxes are kept. The default setting depends on the
-# system type.
-#
-#mail_spool_directory = /var/mail
-#mail_spool_directory = /var/spool/mail
-# The mailbox_command parameter specifies the optional external
+<WRAP center round tip 80%>
-# command to use instead of mailbox delivery. The command is run as
-# the recipient with proper HOME, SHELL and LOGNAME environment settings.
-# Exception:  delivery for root is done as \$default_user.
-#
-# Other environment variables of interest: USER (recipient username),
-# EXTENSION (address extension), DOMAIN (domain part of address),
-# and LOCAL (the address localpart).
-#
-# Unlike other Postfix configuration parameters, the mailbox_command
-# parameter is not subjected to \$parameter substitutions. This is to
-# make it easier to specify shell syntax (see example below).
-#
-# Avoid shell meta characters because they will force Postfix to run
-# an expensive shell process. Procmail alone is expensive enough.
-#
-# IF YOU USE THIS TO DELIVER MAIL SYSTEM-WIDE, YOU MUST SET UP AN
-# ALIAS THAT FORWARDS MAIL FOR ROOT TO A REAL USER.
-#
-#mailbox_command = /some/where/procmail
-#mailbox_command = /some/where/procmail -a "\$EXTENSION"
-# The mailbox_transport specifies the optional transport in master.cf
+Nachdem wir die Festplattenkonfiguration vorgenommen haben, können wir mit einem Klick auf die Schaltfläche **[  Begin Installation  ]** den Installationsvorgang in Gang setzen.
-# to use after processing aliases and .forward files. This parameter
-# has precedence over the mailbox_command, fallback_transport and
-# luser_relay parameters.
-#
-# Specify a string of the form transport:nexthop, where transport is
-# the name of a mail delivery transport defined in master.cf.  The
-# :nexthop part is optional. For more details see the sample transport
-# configuration file.
-#
-# NOTE: if you use this feature for accounts not in the UNIX password
-# file, then you must update the "local_recipient_maps" setting in
-# the main.cf file, otherwise the SMTP server will reject mail for
-# non-UNIX accounts with "User unknown in local recipient table".
-#
-# Cyrus IMAP over LMTP. Specify ``lmtpunix      cmd="lmtpd"
-# listen="/var/imap/socket/lmtp" prefork=0'' in cyrus.conf.
-#mailbox_transport = lmtp:unix:/var/lib/imap/socket/lmtp
-# If using the cyrus-imapd IMAP server deliver local mail to the IMAP
+{{ :centos:pxe_c8:kickstart-iso-8-2.png?nolink&800 |Bild: Bildschirmhardcopy der Installationskonfiguration}}
-# server using LMTP (Local Mail Transport Protocol), this is prefered
-# over the older cyrus deliver program by setting the
-# mailbox_transport as below:
-#
-# mailbox_transport = lmtp:unix:/var/lib/imap/socket/lmtp
-#
-# The efficiency of LMTP delivery for cyrus-imapd can be enhanced via
-# these settings.
-#
-# local_destination_recipient_limit = 300
-# local_destination_concurrency_limit = 5
-#
-# Of course you should adjust these settings as appropriate for the
-# capacity of the hardware you are using. The recipient limit setting
-# can be used to take advantage of the single instance message store
-# capability of Cyrus. The concurrency limit can be used to control
-# how many simultaneous LMTP sessions will be permitted to the Cyrus
-# message store.
-#
-# Cyrus IMAP via command line. Uncomment the "cyrus...pipe" and
-# subsequent line in master.cf.
-#mailbox_transport = cyrus
-# The fallback_transport specifies the optional transport in master.cf
+Wir sehen nun auch, dass dasroot-Passwort wie auch unser Admin-Acccount bereits gesetzt sind.
-# to use for recipients that are not found in the UNIX passwd database.
-# This parameter has precedence over the luser_relay parameter.
-#
-# Specify a string of the form transport:nexthop, where transport is
-# the name of a mail delivery transport defined in master.cf.  The
-# :nexthop part is optional. For more details see the sample transport
-# configuration file.
-#
-# NOTE: if you use this feature for accounts not in the UNIX password
-# file, then you must update the "local_recipient_maps" setting in
-# the main.cf file, otherwise the SMTP server will reject mail for
-# non-UNIX accounts with "User unknown in local recipient table".
-#
-#fallback_transport = lmtp:unix:/var/lib/imap/socket/lmtp
-#fallback_transport =
-# The luser_relay parameter specifies an optional destination address
+{{ :centos:pxe_c8:kickstart-iso-8-3.png?nolink&800 |Bild: Bildschirmhardcopy der Installationskonfiguration}}
-# for unknown recipients.  By default, mail for unknown@\$mydestination,
-# unknown@[\$inet_interfaces] or unknown@[\$proxy_interfaces] is returned
-# as undeliverable.
-#
-# The following expansions are done on luser_relay: \$user (recipient
-# username), \$shell (recipient shell), \$home (recipient home directory),
-# \$recipient (full recipient address), \$extension (recipient address
-# extension), \$domain (recipient domain), \$local (entire recipient
-# localpart), \$recipient_delimiter. Specify \${name?value} or
-# \${name:value} to expand value only when \$name does (does not) exist.
-#
-# luser_relay works only for the default Postfix local delivery agent.
-#
-# NOTE: if you use this feature for accounts not in the UNIX password
-# file, then you must specify "local_recipient_maps =" (i.e. empty) in
-# the main.cf file, otherwise the SMTP server will reject mail for
-# non-UNIX accounts with "User unknown in local recipient table".
-#
-#luser_relay = \$user@other.host
-#luser_relay = \$local@other.host
-#luser_relay = admin+\$local
-# JUNK MAIL CONTROLS
-#
-# The controls listed here are only a very small subset. The file
-# SMTPD_ACCESS_README provides an overview.
-# The header_checks parameter specifies an optional table with patterns
+Kurz vor dem Ende, also dem Neustart unseres neuen **CentOS 8** Systems bekommen wir auch noch den Hinweis, dass unsere Postinstall-Anweisungen ausgeführt werden.
-# that each logical message header is matched against, including
-# headers that span multiple physical lines.
-#
-# By default, these patterns also apply to MIME headers and to the
-# headers of attached messages. With older Postfix versions, MIME and
-# attached message headers were treated as body text.
-#
-# For details, see "man header_checks".
-#
-#header_checks = regexp:/etc/postfix/header_checks
-# FAST ETRN SERVICE
+{{ :centos:pxe_c8:kickstart-iso-8-5.png?nolink&800 |Bild: Bildschirmhardcopy der Installationskonfiguration}}
-#
-# Postfix maintains per-destination logfiles with information about
-# deferred mail, so that mail can be flushed quickly with the SMTP
-# "ETRN domain.tld" command, or by executing "sendmail -qRdomain.tld".
-# See the ETRN_README document for a detailed description.
-#
-# The fast_flush_domains parameter controls what destinations are
-# eligible for this service. By default, they are all domains that
-# this server is willing to relay mail to.
-#
-#fast_flush_domains = \$relay_domains
-# SHOW SOFTWARE VERSION OR NOT
+Anschließend ist das System unseren Wunschen nach vorbereitet und wir können uns anmelden.
-#
-# The smtpd_banner parameter specifies the text that follows the 220
-# code in the SMTP server's greeting banner. Some people like to see
-# the mail version advertised. By default, Postfix shows no version.
-#
-# You MUST specify \$myhostname at the start of the text. That is an
-# RFC requirement. Postfix itself does not care.
-#
-#smtpd_banner = \$myhostname ESMTP \$mail_name
-#smtpd_banner = \$myhostname ESMTP \$mail_name (\$mail_version)
-# PARALLEL DELIVERY TO THE SAME DESTINATION
+{{ :centos:pxe_c8:kickstart-iso-8-6.png?nolink&400 |Bild: Bildschirmhardcopy CentOS 8 Anmeldebildschirm}}
-#
-# How many parallel deliveries to the same user or domain? With local
-# delivery, it does not make sense to do massively parallel delivery
-# to the same user, because mailbox updates must happen sequentially,
-# and expensive pipelines in .forward files can cause disasters when
-# too many are run at the same time. With SMTP deliveries, 10
-# simultaneous connections to the same domain could be sufficient to
-# raise eyebrows.
-#
-# Each message delivery transport has its XXX_destination_concurrency_limit
-# parameter.  The default is \$default_destination_concurrency_limit for
-# most delivery transports. For the local delivery agent the default is 2.
-#local_destination_concurrency_limit = 2
+Wir können uns nun auch direkt an unserem Host per **''ssh''** verbinden.
-#default_destination_concurrency_limit = 20
+   $ ssh 10.0.0.250
-# DEBUGGING CONTROL
+<code>The authenticity of host '10.0.0.250 (10.0.0.250)' can't be established.
-#
+ED25519 key fingerprint is SHA256:1iT2VKq949WlZrCZ6wQjJggbxKRzEX6F9P+XGkrGx0M.
-# The debug_peer_level parameter specifies the increment in verbose
+Are you sure you want to continue connecting (yes/no)? yes
-# logging level when an SMTP client or server host name or address
+Warning: Permanently added '10.0.0.250' (ED25519) to the list of known hosts.
-# matches a pattern in the debug_peer_list parameter.
+##############################################################################
-#
+#                                                                            #
-debug_peer_level = 2
+#                       This is a private home server.                       #
+#                                                                            #
+#             Unauthorized access to this system is prohibited !             #
+#                                                                            #
+#    This system is actively monitored and all connections may be logged.    #
+#         By accessing this system, you consent to this monitoring.          #
+#                                                                            #
+##############################################################################
+##############################################################################
+#                                                                            #
+#                 This is the home server of Michael Nausch.                 #
+#                                                                            #
+#                            vml000250.nausch.org                            #
+#                                                                            #
+#             Unauthorized access to this system is prohibited !             #
+#                                                                            #
+#    This system is actively monitored and all connections may be logged.    #
+#         By accessing this system, you consent to this monitoring.          #
+#                                                                            #
+##############################################################################
+Last login: Sun Jun 14 22:06:00 2020 from 10.0.0.27</code>
-# The debug_peer_list parameter specifies an optional list of domain
+Die Netzwerkschnittstelle hat entsprechend die gewünschte Bezeichnung erhalten.
-# or network patterns, /file/name patterns or type:name tables. When
+   # ip a
-# an SMTP client or server host name or address matches a pattern,
-# increase the verbose logging level by the amount specified in the
-# debug_peer_level parameter.
-#
-#debug_peer_list = 127.0.0.1
-#debug_peer_list = some.domain
-# The debugger_command specifies the external command that is executed
+<code>1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
-# when a Postfix daemon program is run with the -D option.
+    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
-#
+    inet 127.0.0.1/8 scope host lo
-# Use "command .. & sleep 5" so that the debugger can attach before
+       valid_lft forever preferred_lft forever
-# the process marches on. If you use an X-based debugger, be sure to
+    inet6 ::1/128 scope host
-# set up your XAUTHORITY environment variable before starting Postfix.
+       valid_lft forever preferred_lft forever
-#
+: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
-debugger_command =
+    link/ether 52:54:00:2a:20:c9 brd ff:ff:ff:ff:ff:ff
-	 PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
+    inet 10.0.0.250/24 brd 10.0.0.255 scope global noprefixroute eth0
-	 ddd \$daemon_directory/\$process_name \$process_id & sleep 5
+       valid_lft forever preferred_lft forever
+    inet6 fe80::5054:ff:fe2a:20c9/64 scope link noprefixroute
+       valid_lft forever preferred_lft forever</code>
-# If you can't use X, use this to capture the call stack when a
+Das System ist auch mit den aktuellesten Programmpaketen bestückt.
-# daemon crashes. The result is in a file in the configuration
+   # dnf update
-# directory, and is named after the process name and the process ID.
-#
-# debugger_command =
-#	PATH=/bin:/usr/bin:/usr/local/bin; export PATH; (echo cont;
-#	echo where) | gdb \$daemon_directory/\$process_name \$process_id 2>&1
-#	>\$config_directory/\$process_name.\$process_id.log & sleep 5
-#
-# Another possibility is to run gdb under a detached screen session.
-# To attach to the screen sesssion, su root and run "screen -r
-# <id_string>" where <id_string> uniquely matches one of the detached
-# sessions (from "screen -list").
-#
-# debugger_command =
-#	PATH=/bin:/usr/bin:/sbin:/usr/sbin; export PATH; screen
-#	-dmS \$process_name gdb \$daemon_directory/\$process_name
-#	\$process_id & sleep 1
-# INSTALL-TIME CONFIGURATION INFORMATION
+<code>Last metadata expiration check: 0:58:52 ago on Sun 14 Jun 2020 10:17:48 PM CEST.
-#
+Dependencies resolved.
-# The following parameters are used when installing a new Postfix version.
+Nothing to do.
-#
+Complete!</code>
-# sendmail_path: The full pathname of the Postfix sendmail command.
-# This is the Sendmail-compatible mail posting interface.
-#
-sendmail_path = /usr/sbin/sendmail.postfix
-# newaliases_path: The full pathname of the Postfix newaliases command.
+====== Links ======
-# This is the Sendmail-compatible command to build alias databases.
+  * **[[centos:pxe_c8:start|Zurück zum Kapitel >>PXE-Boot-Server unter CentOS 8.x einrichten<<]]**
-#
+  * **[[wiki:start|Zurück zu Projekte und Themenkapitel]]**
-newaliases_path = /usr/bin/newaliases.postfix
+  * **[[http://dokuwiki.nausch.org/doku.php/|Zurück zur Startseite]]**
-# mailq_path: The full pathname of the Postfix mailq command.  This
-# is the Sendmail-compatible mail queue listing command.
-#
-mailq_path = /usr/bin/mailq.postfix
-# setgid_group: The group for mail submission and queue management
-# commands.  This must be a group name with a numerical group ID that
-# is not shared with other accounts, not even with the Postfix account.
-#
-setgid_group = postdrop
-# html_directory: The location of the Postfix HTML documentation.
-#
-html_directory = no
-# manpage_directory: The location of the Postfix on-line manual pages.
-#
-manpage_directory = /usr/share/man
-# sample_directory: The location of the Postfix sample configuration files.
-# This parameter is obsolete as of Postfix 2.1.
-#
-sample_directory = /usr/share/doc/postfix-2.10.1/samples
-# readme_directory: The location of the Postfix README files.
-#
-readme_directory = /usr/share/doc/postfix-2.10.1/README_FILES
-MAIN.CF
-chown root:root /etc/postfix/main.cf
-chmod 644 /etc/postfix/main.cf
-#################################################################################
-######################### chrony-Clientkonfigurationn ###########################
-rm -f /etc/chrony.conf
-cat <<CHRONY.CONF >/etc/chrony.conf
-# These servers were defined in the installation:
-# Django : $DATUM
-# Definition des hauseigenen NTP-Servers:
-server time.dmz.nausch.org iburst
-# Use public servers from the pool.ntp.org project.
-# Please consider joining the pool (http://www.pool.ntp.org/join.html).
-# Ignore stratum in source selection.
-stratumweight 0
-# Record the rate at which the system clock gains/losses time.
-driftfile /var/lib/chrony/drift
-# Enable kernel RTC synchronization.
-rtcsync
-# In first three updates step the system clock instead of slew
-# if the adjustment is larger than 10 seconds.
-makestep 10 3
-# Allow NTP client access from local network.
-#allow 192.168/16
-# Listen for commands only on localhost.
-bindcmdaddress 127.0.0.1
-# Django : $DATUM
-# default: bindcmdaddress ::1
-# This option allows you to configure the port on which chronyd will listen for NTP requests.
-#
-# The compiled in default is udp/123, the standard NTP port. If set to 0, chronyd will not
-# open the server socket and will operate strictly in a client-only mode. The source port
-# used in NTP client requests can be set by the acquisitionport directive.
-# Django : $DATUM
-# default: unset
-port 0
-# Serve time even if not synchronized to any NTP server.
-#local stratum 10
-keyfile /etc/chrony.keys
-# Specify the key used as password for chronyc.
-commandkey 1
-# Generate command key if missing.
-generatecommandkey
-# Disable logging of client accesses.
-noclientlog
-# Send a message to syslog if a clock adjustment is larger than 0.5 seconds.
-logchange 0.5
-logdir /var/log/chrony
-#log measurements statistics tracking
-CHRONY.CONF
-chown root:root /etc/chrony.conf
-chmod 644 /etc/chrony.conf
-cat <<CHRONYD >/etc/sysconfig/chronyd
-# Django : $DATUM
-# disable IPv6 support
-OPTIONS=-4
-CHRONYD
-chown root:root /etc/sysconfig/chronyd
-chmod 644 /etc/sysconfig/chronyd
-#################################################################################
-;;
-esac;
-done
-%end
-</file>
-Damit nun beim Laden der Menüdatei bei PXE-Boot die überarbeitete Kickstart-Datei geladen werden kann, erweitern wir nun die Menü-Datei unseres PXE-Bootservers.
-   # vim /var/lib/tftpboot/pxelinux.cfg/dmz-64
-Dort tragen wir beim betreffenden **LABEL** die Option **ks** sowie am Ende der Zeile **SERVERNAME=** ein.
-<code>LABEL 3
-   MENU LABEL ^3) Installation von CentOS 7 (64 Bit)
-   KERNEL images/centos/7/x86_64/vmlinuz
-   APPEND ks=http://10.0.0.57/kickstart/ks_centos_7_x86_64_dmz.cfg initrd=images/centos/7/x86_64/initrd.img ramdisk_size=128000 ksdevice=eth0 ip=dhcp --hostname=vml000250.dmz.nausch.org method=http://10.0.0.57/centos/7/os/x86_64 SERVERNAME=
-</code>
-Anschliessend starten wir wie gewohnt unsere virtuelle Maschine.
-{{ :centos:pxe_c7:pxe-boot-menue-004.png?nolink&800 |Bild: Bildschirmhardcopy der Installationskonfiguration}}
-Zum Setzen des Hostnamens wählen wir nun wie gewünscht den betreffenden Menüpunkt aus, drücken dann aber **__NICHT__** die **EINGABETASTE**, sondern die Taste **TAB**! Anschliessend geben wir den Hostnamen ein.
-{{ :centos:pxe_c7:pxe-boot-menue-007.png?nolink&801 |Bild: Bildschirmhardcopy Auswahl PXE Bootmenü}}
-Nach kurzer Wartezeit haben wir ein neues, vorkonfiguriertes und vor allem aktuelles System.
-{{ :centos:pxe_c7:pxe-kickstart-installed-newsystem-002.png?nolink&800 |Bild: Bildschirmhardcopy eines neu mit Kickstart vorbereiteten System}}
-FIXME **//do gehds weida!//**
-==== Bsp. 4: Kickstart für eigene Installationsimages/-ISOs ====