Differences

This shows the differences between two versions of the page.

centos:pxe_c8:pxe_2 [14.06.2020 10:53. ] – [Ex. 3: extended automation of the installation] django
centos:pxe_c8:pxe_2 [04.07.2020 15:32. ] (current) – [Links] django
Zeile 40: Zeile 40:
  
 <WRAP center round important 90%> <WRAP center round important 90%>
-Ferner ist zu beachten, dass viele sehr individuelle Konfigurationswünsche, wie z.B. LVM-Konfigurationen bzw, aufwändige Partitionierungen meist nur manuell in einer Kickstart-Datei konfiguriert werden können! Nich alles lässt sich mittels automatisierter GUIs abbilden!+Ferner ist zu beachten, dass viele sehr individuelle Konfigurationswünsche, wie z.B. LVM-Konfigurationen bzw, aufwändige Partitionierungen meist nur manuell in einer Kickstart-Datei konfiguriert werden können! Nicht alles lässt sich mittels automatisierter GUIs abbilden!
 </WRAP> </WRAP>
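Review bot: the typo fix in the WRAP sentence ('Nich' to 'Nicht') leaves 'bzw,' in the same sentence with a comma where 'bzw.' needs a period; worth correcting in the same edit.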
  
Zeile 268: Zeile 268:
  
 Neben der Grundinstallation eines CentOS 8 Hosts werden wir nun noch folgende Dinge setzen lassen: Neben der Grundinstallation eines CentOS 8 Hosts werden wir nun noch folgende Dinge setzen lassen:
- 
- 
-<WRAP center round todo 35%> 
-\\ FIXME **//... do geds weida!//** FIXME 
-</WRAP> 
- 
   - **IP-Adresse und Hostname** Durch Angabe des Hostnamens beim Booten des Installationsimages wollen wir diesen setzen und auch die zugehörige IP-Adresse übernehmen lassen. (Der Hostname wir so z.B. auch bei der Definition der VolumeGroup eines LVMs verwendet.)   - **IP-Adresse und Hostname** Durch Angabe des Hostnamens beim Booten des Installationsimages wollen wir diesen setzen und auch die zugehörige IP-Adresse übernehmen lassen. (Der Hostname wir so z.B. auch bei der Definition der VolumeGroup eines LVMs verwendet.)
   - **[[centos:rename_nic_c8#grub_bootloader|Bootloader]]** Da wir beim Booten der Maschine detailierte Informationen sehen wollen werden wir die Option **rhgb** in der GRUB-Definition entfernen.   - **[[centos:rename_nic_c8#grub_bootloader|Bootloader]]** Da wir beim Booten der Maschine detailierte Informationen sehen wollen werden wir die Option **rhgb** in der GRUB-Definition entfernen.
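Review bot: removing the FIXME placeholder block is fine, but the two list items kept as context still read 'Der Hostname wir so' (should be 'wird') and 'detailierte' (should be 'detaillierte'), and 'sehen wollen werden wir' is missing the comma after 'wollen'; since this block is being touched anyway, these could be fixed in the same revision.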
Zeile 911: Zeile 905:
  
    # vim /var/lib/tftpboot/pxelinux.cfg/dmz-64    # vim /var/lib/tftpboot/pxelinux.cfg/dmz-64
-Dort tragen wir beim betreffenden **LABEL** die Option **ks** sowie am Ende der Zeile **SERVERNAME=** ein.+Dort tragen wir beim betreffenden **LABEL** die Optionen **''ks''**, **''net.ifnames''** und **''biosdevname''** sowie am Ende der Zeile **''SERVERNAME=''** ein.
 <code>LABEL 3 <code>LABEL 3
-   MENU LABEL ^3) Installation von CentOS (64 Bit) +   MENU LABEL ^3) Installation von CentOS (64 Bit) 
-   KERNEL images/centos/7/x86_64/vmlinuz +   KERNEL images/centos/8/x86_64/vmlinuz 
-   APPEND ks=http://10.0.0.57/kickstart/ks_centos_7_x86_64_dmz.cfg initrd=images/centos/7/x86_64/initrd.img ramdisk_size=128000 ksdevice=eth0 ip=dhcp --hostname=vml000250.dmz.nausch.org method=http://10.0.0.57/centos/7/os/x86_64 SERVERNAME=+   APPEND ks=http://10.0.0.57/kickstart/ks_centos_8_x86_64_dmz.cfg initrd=images/centos/8/x86_64/initrd.img ksdevice=eth0 ip=dhcp --hostname=vml000250.dmz.nausch.org method=http://10.0.0.57/centos/8/BaseOS/x86_64/os/ net.ifnames=0 biosdevname=0 SERVERNAME=
 </code> </code>
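Review bot: the new APPEND line keeps the unprefixed installer options ks=, ksdevice= and method=, which CentOS 8's anaconda accepts only as deprecated aliases (the inst. prefix becomes mandatory from RHEL/CentOS 9); switching to inst.ks=, inst.repo= and, in place of ksdevice=eth0, a bootdev=eth0 setting now avoids a silent breakage on the next release. Adding net.ifnames=0 biosdevname=0 is consistent with ksdevice=eth0 and with the --device=eth0 used later in the kickstart, so that part is fine. Note also that the kickstart file, which carries the root and user password hashes and the complete %post script, is fetched over plain http from 10.0.0.57; on an installation network that is an integrity exposure, so restricting which hosts can reach the kickstart path on the web server, or serving it over TLS, deserves a sentence in the text.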
  
Zeile 921: Zeile 915:
  
 {{ :centos:pxe_c7:pxe-boot-menue-004.png?nolink&800 |Bild: Bildschirmhardcopy der Installationskonfiguration}} {{ :centos:pxe_c7:pxe-boot-menue-004.png?nolink&800 |Bild: Bildschirmhardcopy der Installationskonfiguration}}
 +
 +<WRAP center round tip 80%>
  
 Zum Setzen des Hostnamens wählen wir nun wie gewünscht den betreffenden Menüpunkt aus, drücken dann aber **__NICHT__** die **EINGABETASTE**, sondern die Taste **TAB**! Anschliessend geben wir den Hostnamen ein. Zum Setzen des Hostnamens wählen wir nun wie gewünscht den betreffenden Menüpunkt aus, drücken dann aber **__NICHT__** die **EINGABETASTE**, sondern die Taste **TAB**! Anschliessend geben wir den Hostnamen ein.
 +</WRAP>
  
-{{ :centos:pxe_c7:pxe-boot-menue-007.png?nolink&801 |Bild: Bildschirmhardcopy Auswahl PXE Bootmenü}} +{{ :centos:pxe_c8:pxe-boot-menue-087b.png?nolink&800 |Bild: Bildschirmhardcopy Auswahl PXE Bootmenü}} 
  
-Nach kurzer Wartezeit haben wir ein neuesvorkonfiguriertes und vor allem aktuelles System.+Am Ende des Installationsvorganges werden wir informiertdass das postinstall-script, welches wir per PXE-Boot bzw. genauer gesagt mit dem Kickstartfile mitgegeben hatten, ausgeführt wird.
  
-{{ :centos:pxe_c7:pxe-kickstart-installed-newsystem-002.png?nolink&800 |Bild: Bildschirmhardcopy eines neu mit Kickstart vorbereiteten System}}+{{ :centos:pxe_c8:pxe-boot-menue-087c.png?nolink&800 |Bild: Bildschirmhardcopy Anzeige "Ausführung postinstall script"}}  
 + 
 +Nach kurzer Wartezeit haben wir ein neues, vorkonfiguriertes und vor allem aktuelles System, bei dem wir uns direkt per **''ssh''** verbinden können. 
 +   $ ssh 10.0.0.50 
 + 
 +<code>The authenticity of host '10.0.0.50 (10.0.0.50)' can't be established. 
 +ED25519 key fingerprint is SHA256:JKV0iNvjQGMhkWIGEPC1hQH/vzpbeabl1g7s46yhMj6. 
 +Are you sure you want to continue connecting (yes/no/[fingerprint])? yes 
 +Warning: Permanently added '10.0.0.50' (ED25519) to the list of known hosts. 
 +############################################################################## 
 +#                                                                            # 
 +#                       This is a private home server.                       # 
 +#                                                                            # 
 +#             Unauthorized access to this system is prohibited !             # 
 +#                                                                            # 
 +#    This system is actively monitored and all connections may be logged.    # 
 +#         By accessing this system, you consent to this monitoring.          # 
 +#                                                                            # 
 +############################################################################## 
 +############################################################################## 
 +#                                                                            # 
 +#                 This is the home server of Michael Nausch.                 # 
 +#                                                                            # 
 +#                            vml000050.nausch.org                            # 
 +#                                                                            # 
 +#             Unauthorized access to this system is prohibited !             # 
 +#                                                                            # 
 +#    This system is actively monitored and all connections may be logged.    # 
 +#         By accessing this system, you consent to this monitoring.          # 
 +#                                                                            # 
 +##############################################################################</code> 
 + 
 +Die Netzwerkschnittstelle hat entsprechend die gewünschte Bezeichnung erhalten. 
 +   # ip a 
 + 
 +<code>1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000 
 +    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 
 +    inet 127.0.0.1/8 scope host lo 
 +       valid_lft forever preferred_lft forever 
 +    inet6 ::1/128 scope host  
 +       valid_lft forever preferred_lft forever 
 +2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000 
 +    link/ether 52:54:00:74:80:c2 brd ff:ff:ff:ff:ff:ff 
 +    inet 10.0.0.50/24 brd 10.0.0.255 scope global noprefixroute eth0 
 +       valid_lft forever preferred_lft forever 
 +    inet6 fe80::5054:ff:fe74:80c2/64 scope link noprefixroute  
 +       valid_lft forever preferred_lft forever</code> 
 + 
 +Das System ist auch mit den aktuellesten Programmpaketen bestückt. 
 +   # dnf update 
 + 
 +<code>Last metadata expiration check: 0:12:20 ago on Sun 14 Jun 2020 01:49:52 PM CEST. 
 +Dependencies resolved. 
 +Nothing to do. 
 +Complete!</code>
  
-FIXME **//do gehds weida!//** 
 ==== Bsp. 4: Kickstart für eigene Installationsimages/-ISOs ==== ==== Bsp. 4: Kickstart für eigene Installationsimages/-ISOs ====
 +Beim letzten Konfigurationsbeispiel gehen wir davon aus, dass wir unseren CentOS 8 Host nicht via PXE-Boot betanken können, sondern über den Umweg eines ISO-Files. Ntürlich wollen wir auch hier den Installations und anschließenden grundlegenden Erstkonfiguirationsaufwand möglichst gering halten.
 +
 +Wir werden also unsere Kickstart-Datei in das vorhandene ***[[http://isoredirect.centos.org/centos/8/isos/x86_64/CentOS-8.1.1911-x86_64-dvd1.iso|CentOS 8 Iso Image]]** packen.
 +
 +Zum Packen des iso-Images benötigen wir das Programm aus dem RPM-Paket **genisoimage**. Zum Validieren der Kickstart-Datei benötigen wir das Programm **''ksvalidator''** aus dem RPM-Paket **pykickstart**, zum Packen des iso-Images benötigen wir das Programm aus dem RPM-Paket **genisoimage** und letztendlich zum Hinzufügen der md5sum zum Iso Image das Programm **''implantisomd5''** aus dem RPM **isomd5sum**.
 +
 +Zunächst installieren wir, falls noch nicht im System vorhanden die drei RPM.
 +   # dnf install genisoimage pykickstart isomd5sum -y
 +
 +Dann holen wir uns das ISO-Image auf unsere Admin-Workstation.
 +   # wget http://isoredirect.centos.org/centos/8/isos/x86_64/CentOS-8.1.1911-x86_64-dvd1.iso
 +
 +Damit wir den Inhalt dieser ISO-Installations-DVD nach unseren Wünschen anpassen können werden wir diese Datei in unser Dateisystem einbinden. Den entsprechenden Pfad definieren wir uns nun noch.
 +   # mkdir /mnt/iso
 +
 +Nun mounten wir das ISO-Image.
 +   #  mount -o CentOS-8.1.1911-x86_64-dvd1.iso /mnt/iso
 +
 +Anschließend wechseln wir in das Verzeichnis **''/mnt/iso''**, also der gemountete ISO-Datei.
 +
 +Im Verzeichnis **isolinux** legen wir dann unser Kickstartfile **''ks.cfg''** ab.
 +   # vim /mnt/iso/isolinux/ks.cfg
 +<file bash /mnt/iso/isolinux.cfg># Django 2020-06-14 Kickstart-Datei zum automatischen Betanken von DMZ-Maschinen (64 Bit) aus einem iso-image
 +# Version=CentOS 8 (RHEL 8)#version=RHEL8
 +
 +# Tastaturlayout definieren
 +keyboard --vckeymap=de-nodeadkeys --xlayouts='de (nodeadkeys)'
 +
 +# Systemsprache setzen
 +lang en_US.UTF-8
 +
 +# Definition der Netzwerkeinstellungen
 +network  --bootproto=static --device=eth0 --gateway=10.0.0.17 --ip=10.0.0.250 --nameserver=10.0.0.27 --netmask=255.255.255.0 --ipv6=auto --activate
 +network  --hostname=vml000250.dmz.nausch.org
 +
 +# Zeitzone setzen
 +timezone Europe/Berlin --isUtc --ntpservers=time.dmz.nausch.org
 +services --enabled="chronyd"
 +
 +# Installationsquelle setzen (eigenes ISO-Image)
 +repo --name="AppStream" --baseurl=file:///run/install/repo/AppStream
 +cdrom
 +
 +# Root-Passwort verschlüsselt vorgeben
 +rootpw --iscrypted $6$Z46HtZ/aLHbA19p$WVsutOEqe0m0e97lgEreKUzfkAEFzFSR0Hj8RFN8MHqWjPqk7PkJeQ9mIcTGtdutFnFVdFzFSR0KhrdGwUdAn01
 +
 +# Default-Benutzerkonto anlegen
 +user --name=django --password=$6$2.fGKBeQa18GE6XwDMXG6$QX/j.TfZXk0bBuoJ8GE6XMXRZYz/4pEE6PuwkubaDmteRAAerLVKK69EF30d1K/f1d/sUEqbF9FJBulc/ --iscrypted --gecos="Bastard Operator from Hell"
 +
 +# vorhandene Partitionen löschen
 +#ignoredisk --only-use=sda
 +clearpart --none --initlabel
 +# autopart --type=lvm
 +
 +# GUI für Installation verwendengraphical
 +graphical
 +
 +# Kein X Window System konfigurieren, da dieses nicht installiert wird
 +skipx
 +
 +# Reboot nach der Installation ausführen
 +reboot
 +
 +%packages
 +@^minimal-environment
 +-iwl*firmware
 +vim
 +bash-completion
 +bind-utils
 +wget
 +telnet
 +net-tools
 +lsof
 +%end
 +
 +%addon com_redhat_kdump --disable --reserve-mb='auto'
 +
 +%end
 +
 +%anaconda
 +pwpolicy root --minlen=6 --minquality=1 --notstrict --nochanges --notempty
 +pwpolicy user --minlen=6 --minquality=1 --notstrict --nochanges --emptyok
 +pwpolicy luks --minlen=6 --minquality=1 --notstrict --nochanges --notempty
 +%end
 +
 +# Postinstall-Anweisungen
 +%post --log=/root/anaconda-postinstall.log
 +#!/bin/bash
 +#DATUM=$(date +"%Y-%m-%d")
 +#for x in `cat /proc/cmdline`; do
 +#case $x in SERVERNAME*)
 +#eval $x
 +
 +############ bootloader anpassen, rhgb bei den Bootoptionen entfernen ###########
 +sed -i 's/rhgb//g' /etc/default/grub
 +grub2-mkconfig -o /boot/grub2/grub.cfg
 +#################################################################################
 +
 +######################## MOTD und ISSUE.NET individualisieren ###################
 +# /etc/issue.net anlegen
 +cat <<ISSUE.NET > /etc/issue.net
 +##############################################################################
 +#                                                                            #
 +#                       This is a private home server.                       #
 +#                                                                            #
 +#             Unauthorized access to this system is prohibited !             #
 +#                                                                            #
 +#    This system is actively monitored and all connections may be logged.    #
 +#         By accessing this system, you consent to this monitoring.          #
 +#                                                                            #
 +##############################################################################
 +ISSUE.NET
 +
 +chown root:root /etc/issue.net
 +chmod 644 /etc/issue.net
 +
 +# /etc/motd anlegen
 +cat <<MOTD > /etc/motd
 +##############################################################################
 +#                                                                            #
 +#                 This is the home server of Michael Nausch.                 #
 +#                                                                            #
 +#                             vml00250.nausch.org                            #
 +#                                                                            #
 +#             Unauthorized access to this system is prohibited !             #
 +#                                                                            #
 +#    This system is actively monitored and all connections may be logged.    #
 +#         By accessing this system, you consent to this monitoring.          #
 +#                                                                            #
 +##############################################################################
 +MOTD
 +
 +chown root:root /etc/motd
 +chmod 644 /etc/motd
 +#################################################################################
 +
 +########################### ssh-daemon konfigurieren ############################
 +cp -a /etc/ssh/sshd_config /etc/ssh/sshd_config.orig
 +cat <<SSHD_CONFIG > /etc/ssh/sshd_config
 +# $OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $
 +
 +# This is the sshd server system-wide configuration file.  See
 +# sshd_config(5) for more information.
 +
 +# This sshd was compiled with PATH=/usr/local/bin:/usr/bin:/usr/local/sbin:/usr/sbin
 +
 +# The strategy used for options in the default sshd_config shipped with
 +# OpenSSH is to specify options with their default value where
 +# possible, but leave them commented.  Uncommented options override the
 +# default value.
 +
 +# If you want to change the port on a SELinux system, you have to tell
 +# SELinux about this change.
 +# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER
 +#
 +# Specifies which address family should be used by sshd(8). Valid arguments
 +# are ''any'', ''inet'' (use IPv4 only), or ''inet6'' (use IPv6 only).
 +#AddressFamily any
 +
 +# Specifies the local addresses sshd(8) should listen on. The following 
 +# forms may be used:
 +#                   ListenAddress host|IPv4_addr|IPv6_addr
 +#                   ListenAddress host|IPv4_addr:port
 +#                   ListenAddress [host|IPv6_addr]:port
 +# If port is not specified, sshd will listen on the address and all prior 
 +# Port options specified. The default is to listen on all local addresses. 
 +# Multiple ListenAddress options are permitted. Additionally, any Port 
 +# options must precede this option for non-port qualified addresses.
 +#Port 22
 +#ListenAddress 0.0.0.0
 +#ListenAddress ::
 +
 +# Specifies a file containing a private host key used by SSH. The default 
 +# is /etc/ssh/ssh_host_key for protocol version 1, and 
 +# /etc/ssh/ssh_host_rsa_key and /etc/ssh/ssh_host_dsa_key for protocol 
 +# version 2. Note that sshd(8) will refuse to use a file if it is 
 +# group/world-accessible. It is possible to have multiple host key files.
 +# ''rsa1'' keys are used for version 1 and ''dsa'' or ''rsa'' are used for
 +# version 2 of the SSH protocol. 
 +HostKey /etc/ssh/ssh_host_ed25519_key
 +
 +# Specifies the ciphers allowed for protocol version 2. Multiple ciphers 
 +# must be comma-separated. The supported ciphers are ''3des-cbc'', 
 +# ''aes128-cbc'', ''aes192-cbc'', ''aes256-cbc'', ''aes128-ctr'', 
 +# ''aes192-ctr'', ''aes256-ctr'', ''arcfour128'', ''arcfour256'', 
 +# ''arcfour'', ''blowfish-cbc'', and ''cast128-cbc''.
 +Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
 +
 +# MACs' Specifies the available MAC (message authentication code) 
 +# algorithms. The MAC algorithm is used in protocol version 2 for data 
 +# integrity protection. Multiple algorithms must be comma-separated.
 +MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256
 +
 +# Specifies the available KEX (Key Exchange) algorithms. Multiple 
 +# algorithms must be comma-separated. For ineroperability with Eclipse 
 +# and WinSCP): 
 +# KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
 +# If needed, open /etc/ssh/moduli if exists, and delete lines where the 
 +# 5th column is less than 2000.
 +#   awk '$5 > 2000' /etc/ssh/moduli > "${HOME}/moduli"
 +#   wc -l "${HOME}/moduli"
 +# make sure there is something left
 +#   mv "${HOME}/moduli" /etc/ssh/moduli
 +#
 +KexAlgorithms curve25519-sha256@libssh.org
 +
 +# Ciphers and keying
 +#RekeyLimit default none
 +
 +# System-wide Crypto policy:
 +# This system is following system-wide crypto policy. The changes to
 +# Ciphers, MACs, KexAlgoritms and GSSAPIKexAlgorithsm will not have any
 +# effect here. They will be overridden by command-line options passed on
 +# the server start up.
 +# To opt out, uncomment a line with redefinition of  CRYPTO_POLICY=
 +# variable in  /etc/sysconfig/sshd  to overwrite the policy.
 +# For more information, see manual page for update-crypto-policies(8).
 +
 +# Logging
 +# Gives the facility code that is used when logging messages from sshd(8). 
 +# The possible values are: DAEMON, USER, AUTH, AUTHPRIV, LOCAL0, LOCAL1, 
 +# LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. 
 +SyslogFacility AUTHPRIV
 +
 +# Gives the verbosity level that is used when logging messages from sshd(8).
 +# The possible values are: QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, 
 +# DEBUG1, DEBUG2, and DEBUG3. The default is INFO. DEBUG and DEBUG1 are 
 +# equivalent. DEBUG2 and DEBUG3 each specify higher levels of debugging 
 +# output. Logging with a DEBUG level violates the privacy of users and is 
 +# not recommended.
 +# LogLevel VERBOSE logs user's key fingerprint on login. Needed to have a 
 +# clear audit track of which key was using to log in.
 +LogLevel VERBOSE
 +
 +# Authentication:
 +# The server disconnects after this time if the user has not successfully 
 +# logged in. If the value is 0, there is no time limit.
 +LoginGraceTime 0
 +
 +# Specifies whether root can log in using ssh(1). The argument must be 
 +# ''yes'', ''without-password'', ''forced-commands-only'', or ''no''
 +# The default is ''yes''. If this option is set to ''without-password'', 
 +# password authentication is disabled for root. If this option is set to
 +# ''forced-commands-only'', root login with public key authentication will 
 +# be allowed, but only if the command option has been specified (which 
 +# may be useful for taking remote backups even if root login is normally 
 +# not allowed). All other authentication methods are disabled for root.
 +# If this option is set to ''no'', root is not allowed to log in.  
 +PermitRootLogin no
 +
 +# This keyword can be followed by a list of user name patterns, separated 
 +# by spaces. If specified, login is allowed only for user names that match 
 +# one of the patterns. Only user names are valid; a numerical user ID is 
 +# not recognized. By default, login is allowed for all users. If the pattern
 +# takes the form USER@HOST then USER and HOST are separately checked, 
 +# restricting logins to particular users from particular hosts. The 
 +# allow/deny directives are processed in the following order: 
 +# DenyUsers, AllowUsers, DenyGroups, and finally AllowGroups. 
 +AllowUsers django
 +
 +# Specifies whether sshd(8) should check file modes and ownership of the 
 +# user's files and home directory before accepting login. This is normally 
 +# desirable because novices sometimes accidentally leave their directory 
 +# or files world-writable.
 +StrictModes yes
 +
 +# Specifies the maximum number of authentication attempts permitted per 
 +# connection. Once the number of failures reaches half this value, 
 +# additional failures are logged.
 +MaxAuthTries 10
 +
 +# Specifies the maximum number of open sessions permitted per network 
 +# connection.
 +MaxSessions 10
 +
 +# Specifies the file that contains the public keys that can be used for 
 +# user authentication. AuthorizedKeysFile may contain tokens of the form
 +# %T which are substituted during connection setup. The following tokens
 +# are defined: %% is replaced by a literal '%', %h is replaced by the 
 +# home directory of the user being authenticated, and %u is replaced by
 +# the username of that user. After expansion, AuthorizedKeysFile is
 +# taken to be an absolute path or one relative to the user's home directory.
 +AuthorizedKeysFile      .ssh/authorized_keys
 +
 +# Specifies whether public key authentication is allowed. The default is 
 +# ''yes''. Note that this option applies to protocol version 2 only.
 +PubkeyAuthentication yes
 +
 +
 +#AuthorizedPrincipalsFile none
 +#AuthorizedKeysCommand none
 +#AuthorizedKeysCommandUser nobody
 +
 +# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
 +#HostbasedAuthentication no
 +# Change to yes if you don't trust ~/.ssh/known_hosts for
 +# HostbasedAuthentication
 +#IgnoreUserKnownHosts no
 +# Don't read the user's ~/.rhosts and ~/.shosts files
 +#IgnoreRhosts yes
 +
 +# To disable tunneled clear text passwords, change to no here!
 +#PasswordAuthentication yes
 +#PermitEmptyPasswords no
 +
 +# Specifies whether password authentication is allowed. To disable tunneled 
 +# clear text passwords, change to no here!
 +PasswordAuthentication no
 +
 +# Specifies whether challenge-response authentication is allowed 
 +# (e.g. via PAM or though authentication styles supported in login.conf(5))
 +# Change to no to disable s/key passwords
 +ChallengeResponseAuthentication no
 +
 +# Kerberos options
 +#KerberosAuthentication no
 +#KerberosOrLocalPasswd yes
 +#KerberosTicketCleanup yes
 +#KerberosGetAFSToken no
 +#KerberosUseKuserok yes
 +
 +# Specifies whether user authentication based on GSSAPI is allowed.
 +GSSAPIAuthentication yes
 +
 +# Specifies whether key exchange based on GSSAPI is allowed. GSSAPI key 
 +# exchange doesn't rely on ssh keys to verify host identity. 
 +#GSSAPIKeyExchange no
 +
 +# Specifies whether to automatically destroy the user's credentials cache 
 +# on logout.
 +GSSAPICleanupCredentials no
 +
 +# Determines whether to be strict about the identity of the GSSAPI acceptor 
 +# a client authenticates against. If ''yes'' then the client must authenticate
 +# against the host service on the current hostname. If ''no'' then the client 
 +# may authenticate against any service key stored in the machine's default
 +# store. This facility is provided to assist with operation on multi homed 
 +# machines. The default is ''yes''. Note that this option applies only to 
 +# protocol version 2 GSSAPI connections, and setting it to ''no'' may only 
 +# work with recent Kerberos GSSAPI libraries.
 +#GSSAPIStrictAcceptorCheck yes
 +
 +#GSSAPIEnablek5users no
 +
 +# Set this to 'yes' to enable PAM authentication, account processing,
 +# and session processing. If this is enabled, PAM authentication will
 +# be allowed through the ChallengeResponseAuthentication and
 +# PasswordAuthentication.  Depending on your PAM configuration,
 +# PAM authentication via ChallengeResponseAuthentication may bypass
 +# the setting of "PermitRootLogin without-password".
 +# If you just want the PAM account and session checks to run without
 +# PAM authentication, then enable this but set PasswordAuthentication
 +# and ChallengeResponseAuthentication to 'no'.
 +# WARNING: 'UsePAM no' is not supported in Fedora and may cause several
 +# problems.
 +UsePAM yes
 +
 +# Specifies whether X11 forwarding is permitted. The argument must be 
 +# ''yes'' or ''no''. The default is ''no''.
 +# When X11 forwarding is enabled, there may be additional exposure to the
 +# server and to client displays if the sshd(8) proxy display is configured
 +# to listen on the wildcard address (see X11UseLocalhost below), though this
 +# is not the default. Additionally, the authentication spoofing and 
 +# authentication data verification and substitution occur on the client side.
 +# The security risk of using X11 forwarding is that the client's X11 display
 +# server may be exposed to attack when the SSH client requests forwarding 
 +# (see the warnings for ForwardX11 in ssh_config(5)). A system administrator
 +# may have a stance in which they want to protect clients that may expose
 +# themselves to attack by unwittingly requesting X11 forwarding, which can 
 +# warrant a ''no'' setting. Note that disabling X11 forwarding does not 
 +# prevent users from forwarding X11 traffic, as users can always install 
 +# their own forwarders. X11 forwarding is automatically disabled if UseLogin
 +# is enabled. 
 +X11Forwarding yes
 +
 +# Specifies the first display number available for sshd(8)'s X11 forwarding.
 +# This prevents sshd from interfering with real X11 servers. 
 +# The default is 10.
 +#X11DisplayOffset 10
 +
 +# Specifies whether sshd(8) should bind the X11 forwarding server to the 
 +# loopback address or to the wildcard address. By default, sshd binds the
 +# forwarding server to the loopback address and sets the hostname part of
 +# the DISPLAY environment variable to ''localhost''. This prevents remote
 +# hosts from connecting to the proxy display. However, some older X11 clients
 +# may not function with this configuration. X11UseLocalhost may be set to 
 +# ''no'' to specify that the forwarding server should be bound to the 
 +# wildcard address. The argument must be ''yes'' or ''no''. The default is 
 +# ''yes''.
 +#X11UseLocalhost yes
 +
 +# Specifies whether ssh-agent(1) forwarding is permitted. The default is 
 +# ''yes''. Note that disabling agent forwarding does not improve security 
 +# unless users are also denied shell access, as they can always install 
 +# their own forwarders.
 +#AllowAgentForwarding yes
 +
 +# Specifies whether TCP forwarding is permitted. The default is ''yes''
 +# Note that disabling TCP forwarding does not improve security unless users
 +# are also denied shell access, as they can always install their own 
 +# forwarders. 
 +#AllowTcpForwarding yes
 +
 +# Specifies whether remote hosts are allowed to connect to ports forwarded
 +# for the client. By default, sshd(8) binds remote port forwardings to the
 +# loopback address. This prevents other remote hosts from connecting to 
 +# forwarded ports. GatewayPorts can be used to specify that sshd should 
 +# allow remote port forwardings to bind to non-loopback addresses, thus 
 +# allowing other hosts to connect. The argument may be ''no'' to force 
 +# remote port forwardings to be available to the local host only, ''yes''
 +# to force remote port forwardings to bind to the wildcard address, or 
 +# ''clientspecified'' to allow the client to select the address to which 
 +# the forwarding is bound. The default is ''no''
 +#GatewayPorts no
 +
 +#PermitTTY yes
 +
 +# It is recommended to use pam_motd in /etc/pam.d/sshd instead of PrintMotd,
 +# as it is more configurable and versatile than the built-in version.
 +PrintMotd no
 +
 +#PrintLastLog yes
 +#TCPKeepAlive yes
 +#PermitUserEnvironment no
 +#Compression delayed
 +#ClientAliveInterval 0
 +#ClientAliveCountMax 3
 +#ShowPatchLevel no
 +#UseDNS no
 +#PidFile /var/run/sshd.pid
 +#MaxStartups 10:30:100
 +#PermitTunnel no
 +#ChrootDirectory none
 +#VersionAddendum none
 +
 +# The contents of the specified file are sent to the remote user before 
 +# authentication is allowed. 
 +Banner /etc/issue.net
 +
 +# Accept locale-related environment variables
 +AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
 +AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
 +AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
 +AcceptEnv XMODIFIERS
 +
 +# Configures an external subsystem (e.g. file transfer daemon). Arguments 
 +# should be a subsystem name and a command (with optional arguments) to 
 +# execute upon subsystem request. Log sftp level file access 
 +# (read/write/etc.) that would not be easily logged otherwise.
 +Subsystem sftp /usr/libexec/openssh/sftp-server
 +
 +# Example of overriding settings on a per-user basis
 +#Match User anoncvs
 +# X11Forwarding no
 +# AllowTcpForwarding no
 +# PermitTTY no
 +# ForceCommand cvs server
 +SSHD_CONFIG
 +chown root:root /etc/ssh/sshd_config
 +chmod 600 /etc/ssh/sshd_config
 +#################################################################################
 +
 +####################### Django's ssh-pubkey hinterlegen #########################
 +mkdir /home/django/.ssh
 +chmod 700 /home/django/.ssh
 +chown django:django /home/django/.ssh
 +cat <<AUTHORIZED_KEYS >/home/django/.ssh/authorized_keys
 +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDYjDCtBTfrpbHHkRrqHOkhsMagrrD5d+IbkU6ddoBSp django@nausch.org
 +AUTHORIZED_KEYS
 +chmod 644 /home/django/.ssh/authorized_keys
 +chown django:django /home/django/.ssh/authorized_keys
 +#################################################################################
 +
 +############### lokales gespiegeltes CentOS-Repository benutzen #################
 +cp -a /etc/yum.repos.d/CentOS-AppStream.repo /etc/yum.repos.d/CentOS-AppStream.repo.orig
 +cat <<CENTOS-APPSTREAM > /etc/yum.repos.d/epel-modular.repo
 +# CentOS-AppStream.repo
 +#
 +# The mirror system uses the connecting IP address of the client and the
 +# update status of each mirror to pick mirrors that are updated to and
 +# geographically close to the client.  You should use this for CentOS updates
 +# unless you are manually picking other mirrors.
 +#
 +# If the mirrorlist= does not work for you, as a fall back you can try the
 +# remarked out baseurl= line instead.
 +#
 +#
 +
 +[AppStream]
 +name=CentOS-\$releasever - AppStream
 +baseurl=http://10.0.0.57/centos/\$releasever/AppStream/\$basearch/os/
 +gpgcheck=1
 +enabled=1
 +gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial
 +CENTOS-APPSTREAM
 +chown root:root /etc/yum.repos.d/CentOS-AppStream.repo
 +chmod 644 /etc/yum.repos.d/CentOS-AppStream.repo
 +
 +cp -a /etc/yum.repos.d/CentOS-Base.repo /etc/yum.repos.d/CentOS-Base.repo.orig
 +cat <<CENTOS-BASE > /etc/yum.repos.d/CentOS-Base.repo
 +# CentOS-Base.repo
 +#
 +# The mirror system uses the connecting IP address of the client and the
 +# update status of each mirror to pick mirrors that are updated to and
 +# geographically close to the client.  You should use this for CentOS updates
 +# unless you are manually picking other mirrors.
 +#
 +# If the mirrorlist= does not work for you, as a fall back you can try the
 +# remarked out baseurl= line instead.
 +#
 +#
 +
 +[BaseOS]
 +name=CentOS-\$releasever - Base
 +baseurl=http://10.0.0.57/centos/\$releasever/BaseOS/\$basearch/os/
 +gpgcheck=1
 +enabled=1
 +gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial
 +CENTOS-BASE
 +chown root:root /etc/yum.repos.d/CentOS-AppStream.repo
 +chmod 644 /etc/yum.repos.d/CentOS-AppStream.repo
 +
 +cp -a /etc/yum.repos.d/CentOS-Extras.repo /etc/yum.repos.d/CentOS-Extras.repo.orig
 +cat <<CENTOS-EXTRAS > /etc/yum.repos.d/CentOS-Extras.repo
 +# CentOS-Extras.repo
 +#
 +# The mirror system uses the connecting IP address of the client and the
 +# update status of each mirror to pick mirrors that are updated to and
 +# geographically close to the client.  You should use this for CentOS updates
 +# unless you are manually picking other mirrors.
 +#
 +# If the mirrorlist= does not work for you, as a fall back you can try the
 +# remarked out baseurl= line instead.
 +#
 +#
 +
 +#additional packages that may be useful
 +[extras]
 +name=CentOS-\$releasever - Extras
 +baseurl=http://10.0.0.57/centos/\$releasever/extras/\$basearch/os/
 +gpgcheck=1
 +enabled=1
 +gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial
 +CENTOS-EXTRAS
 +chown root:root /etc/yum.repos.d/CentOS-Extras.repo
 +chmod 644 /etc/yum.repos.d/CentOS-Extras.repo
 +#################################################################################
 +
 +###### EPEL installieren und lokales gespiegeltes EPEL-Repository benutzen ######
 +dnf install epel-release -y
 +rpm --import https://dl.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-
 +
 +cp -a /etc/yum.repos.d/epel-modular.repo /etc/yum.repos.d/epel-modular.repo.orig
 +cat <<EPEL-MODULAR > /etc/yum.repos.d/epel-modular.repo
 +[epel-modular]
 +name=Extra Packages for Enterprise Linux Modular \$releasever - \$basearch
 +baseurl=http://10.0.0.57/epel/\$releasever/Modular/\$basearch
 +enabled=1
 +gpgcheck=1
 +gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-8
 +
 +[epel-modular-debuginfo]
 +name=Extra Packages for Enterprise Linux Modular \$releasever - \$basearch - Debug
 +baseurl=http://10.0.0.57/epel/\$releasever/Modular/\$basearch/debug
 +enabled=0
 +gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-8
 +gpgcheck=1
 +
 +[epel-modular-source]
 +name=Extra Packages for Enterprise Linux Modular \$releasever - \$basearch - Source
 +baseurl=http://10.0.0.57/epel/\$releasever/Modular/\$basearch/SRPMS
 +enabled=0
 +gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-8
 +gpgcheck=1
 +
 +EPEL-MODULAR
 +chown root:root /etc/yum.repos.d/epel-modular.repo
 +chmod 644 /etc/yum.repos.d/epel-modular.repo
 +
 +cp -a /etc/yum.repos.d/epel.repo /etc/yum.repos.d/epel.repo.orig
 +cat <<EPEL > /etc/yum.repos.d/epel.repo
 +[epel]
 +name=Extra Packages for Enterprise Linux \$releasever - \$basearch
 +baseurl=http://10.0.0.57/epel/\$releasever/Everything/\$basearch
 +enabled=1
 +gpgcheck=1
 +gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-8
 +
 +[epel-debuginfo]
 +name=Extra Packages for Enterprise Linux \$releasever - \$basearch - Debug
 +baseurl=http://10.0.0.57/epel/\$releasever/Everything/\$basearch/debug
 +enabled=0
 +gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-8
 +gpgcheck=1
 +
 +[epel-source]
 +name=Extra Packages for Enterprise Linux \$releasever - \$basearch - Source
 +baseurl=http://10.0.0.57/epel/\$releasever/Everything/SRPMS
 +enabled=0
 +gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-8
 +gpgcheck=1
 +EPEL
 +chown root:root /etc/yum.repos.d/epel.repo
 +chmod 644 /etc/yum.repos.d/epel.repo
 +#################################################################################
 +
 +############################ System Updaten #####################################
 +dnf update -y
 +#################################################################################
 +;;
 +esac;
 +done
 +%end
 +</file>
 +
 +Neben der Grundinstallation eines CentOS 8 Hosts werden wir nun noch folgende Dinge setzen lassen:
 +  - **[[centos:rename_nic_c8#grub_bootloader|Bootloader]]** Da wir beim Booten der Maschine detailierte Informationen sehen wollen werden wir die Option **rhgb** in der GRUB-Definition entfernen.
 +  - **[[centos:logins_individuell_anpassen|MOTD und ISSUE.NET]]** individualisieren inkl. Hostnamen
 +  - **[[centos:ssh_c7#ssh-daemon|SSH-Daemon]]** Den SSH Daemon härten wir und passen die Konfigurationsdatei entsprechend an.
 +  - **[[centos:ssh_c7#zielverzeichnis_anlegen_und_oeffentlichen_schluessel_kopieren|SSH-Publickey]]** Für unseren Admin-Account **django** hinterlegen wir den zugehörigen öffentlichen SSH-Schlüssel.
 +  - **[[wiki:start#repos|Repositories]]** Statt der öffentlichen, sollen nur noch die lokal gesyncten Repositories verwendet werden; daher macht es auch keinen Sinn die Einträge **''mirrorlist=''** in den entsprechenden repo-filers stehen zu lassen. Zusätzlich zum Standard soll auch noch das Repository **[[centos:epel8|EPEL]]** eingebunden und genutzt werden. 
 +  - **Update** Zum Schluss stellen wir noch sicher dass alle installierten Pakete in der aktuellsten Version vorliegen und lassen dann das System neu starten.
 +
 +Der Form halber setzen wir dann die Dateiberechtigungen auf **444**
 +   # chmod 444 /mnt/iso/isolinux/ks.cfg
 +
 +Damit wir die beim Booten verwendete Datei **''isolinux.cfg''** bearbeiten können passen wir die Dateiberechtigung tempüorär an.
 +   # chmod 644 /mnt/iso/isolinux/isolinux.cfg
 +
 +Nun können wir den Bootparameter anpassen und die Kickstart-Datei angeben. Dabei setzen wir **''inst.ks=hd:LABEL=CentOS-8-BaseOS-x86_64:/isolinux/ks.cfg''** also den Pafd zur Kickstart-Datei wie auch die beiden nötigen Parameter **''net.ifnames=0''** und **''biosdevname=0''** für die Rückumbenennungh der Netzwerkinterfaces in **ethX**.
 +   # vim /mnt/iso/isolinux/isolinux.cfg
 +
 +<code>...
 +
 +label linux
 +  menu label ^Install CentOS Linux 8.0.1905
 +  kernel vmlinuz
 +  append initrd=initrd.img inst.ks=hd:LABEL=CentOS-8-BaseOS-x86_64:/isolinux/ks.cfg inst.stage2=hd:LABEL=CentOS-8-BaseOS-x86_64 quiet net.ifnames=0 biosdevname=0
 +
 +...
 +<</code>  
 +
 +<WRAP center round important 75%>
 +Wichtig ist dabei der Parameter **''LABEL=CentOS-8-BaseOS-x86_64''** \\
 +Diesen Wert müssen wir später beim Erstellen des eigenen Boot-ISO-Image genau gleich angeben!
 +</WRAP>
 +
 +Nun können wir die Dateiberechtigung dieser DAte wieder auf **444** zhurücksetzen.
 +   # chmod 444 /mnt/iso/isolinux/isolinux.cfg
 +
 +Anschließend packen wir den Inhalt des ursprünglichen ISO-Images mit unserem Kickstart-File wie auch unseren Ändewrungen neu ein. Das LAbel, welches wir zuvor in der Konfigurationsdatei **''isolinux.cfg''** verwendet hatten geben wir hier exakt gleich an!
 +   # mkisofs -o ~/CentOS-8-x86_64-1905-local.iso -b isolinux/isolinux.bin -c isolinux/boot.cat -no-emul-boot -boot-load-size 4 -boot-info-table -J -R -V 'CentOS-8-BaseOS-x86_64'
 +
 +Bevor wir nun das neu erstellte ISO-IMage verwenden können, ist es noch notwendig diese Date mit einer MD5-Prüfsumme zu versehen.   
 +   # implantisomd5 /var/lib/libvirt/boot/CentOS-8-x86_64-1905-local.iso
 +
 +Nun können wir unser eigenes ISO-Image verenden.
 +
 +{{ :centos:pxe_c8:kickstart-iso-8-1.png?nolink&800 |Bild: Bildschirmhardcopy der Installationskonfiguration}}
 +
 +<WRAP center round tip 80%>
 +
 +Nachdem wir die Festplattenkonfiguration vorgenommen haben, können wir mit einem Klick auf die Schaltfläche **[  Begin Installation  ]** den Installationsvorgang in Gang setzen.
 +
 +{{ :centos:pxe_c8:kickstart-iso-8-2.png?nolink&800 |Bild: Bildschirmhardcopy der Installationskonfiguration}}
 +
 +Wir sehen nun auch, dass dasroot-Passwort wie auch unser Admin-Acccount bereits gesetzt sind.
 +
 +{{ :centos:pxe_c8:kickstart-iso-8-3.png?nolink&800 |Bild: Bildschirmhardcopy der Installationskonfiguration}}
 +
 +Kurz vor dem Ende, also dem Neustart unseres neuen **CentOS 8** Systems bekommen wir auch noch den Hinweis, dass unsere Postinstall-Anweisungen ausgeführt werden.
 +
 +{{ :centos:pxe_c8:kickstart-iso-8-5.png?nolink&800 |Bild: Bildschirmhardcopy der Installationskonfiguration}}
 +
 +Anschließend ist das System unseren Wunschen nach vorbereitet und wir können uns anmelden.
 +
 +{{ :centos:pxe_c8:kickstart-iso-8-6.png?nolink&400 |Bild: Bildschirmhardcopy CentOS 8 Anmeldebildschirm}}
 +
 +Wir können uns nun auch direkt an unserem Host per **''ssh''** verbinden.
 +   $ ssh 10.0.0.250
 +
 +<code>The authenticity of host '10.0.0.250 (10.0.0.250)' can't be established.
 +ED25519 key fingerprint is SHA256:1iT2VKq949WlZrCZ6wQjJggbxKRzEX6F9P+XGkrGx0M.
 +Are you sure you want to continue connecting (yes/no)? yes
 +Warning: Permanently added '10.0.0.250' (ED25519) to the list of known hosts.
 +##############################################################################
 +#                                                                            #
 +#                       This is a private home server.                       #
 +#                                                                            #
 +#             Unauthorized access to this system is prohibited !             #
 +#                                                                            #
 +#    This system is actively monitored and all connections may be logged.    #
 +#         By accessing this system, you consent to this monitoring.          #
 +#                                                                            #
 +##############################################################################
 +##############################################################################
 +#                                                                            #
 +#                 This is the home server of Michael Nausch.                 #
 +#                                                                            #
 +#                            vml000250.nausch.org                            #
 +#                                                                            #
 +#             Unauthorized access to this system is prohibited !             #
 +#                                                                            #
 +#    This system is actively monitored and all connections may be logged.    #
 +#         By accessing this system, you consent to this monitoring.          #
 +#                                                                            #
 +##############################################################################
 +Last login: Sun Jun 14 22:06:00 2020 from 10.0.0.27</code>
 +
 +Die Netzwerkschnittstelle hat entsprechend die gewünschte Bezeichnung erhalten.
 +   # ip a
 +
 +<code>1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
 +    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
 +    inet 127.0.0.1/8 scope host lo
 +       valid_lft forever preferred_lft forever
 +    inet6 ::1/128 scope host 
 +       valid_lft forever preferred_lft forever
 +2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
 +    link/ether 52:54:00:2a:20:c9 brd ff:ff:ff:ff:ff:ff
 +    inet 10.0.0.250/24 brd 10.0.0.255 scope global noprefixroute eth0
 +       valid_lft forever preferred_lft forever
 +    inet6 fe80::5054:ff:fe2a:20c9/64 scope link noprefixroute 
 +       valid_lft forever preferred_lft forever</code>
 +
 +Das System ist auch mit den aktuellesten Programmpaketen bestückt.
 +   # dnf update
 +
 +<code>Last metadata expiration check: 0:58:52 ago on Sun 14 Jun 2020 10:17:48 PM CEST.
 +Dependencies resolved.
 +Nothing to do.
 +Complete!</code>
 +
 +====== Links ======
 +  * **[[centos:pxe_c8:start|Zurück zum Kapitel >>PXE-Boot-Server unter CentOS 8.x einrichten<<]]**
 +  * **[[wiki:start|Zurück zu Projekte und Themenkapitel]]**
 +  * **[[http://dokuwiki.nausch.org/doku.php/|Zurück zur Startseite]]**
 +
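Review bot: the AppStream heredoc at `cat <<CENTOS-APPSTREAM > /etc/yum.repos.d/epel-modular.repo` writes to the wrong file: the content is the AppStream repo definition, so the target should be `/etc/yum.repos.d/CentOS-AppStream.repo`. As written, CentOS-AppStream.repo keeps its original `mirrorlist=` entries (the opposite of what the "Repositories" list item below asks for) while the misplaced epel-modular.repo is silently overwritten by the later `cat <<EPEL-MODULAR` heredoc, so the mistake goes unnoticed. In the same block, the `chown root:root /etc/yum.repos.d/CentOS-AppStream.repo` / `chmod 644 ...CentOS-AppStream.repo` pair after the CENTOS-BASE heredoc should operate on CentOS-Base.repo. Two further issues in the %post section and the ISO steps: `rpm --import https://dl.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-` has a truncated URL and will fail; since `epel-release` already installs the key the repo files reference at `/etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-8`, the line can be dropped or completed. `mkisofs -o ~/CentOS-8-x86_64-1905-local.iso` writes the image to the home directory, but `implantisomd5 /var/lib/libvirt/boot/CentOS-8-x86_64-1905-local.iso` operates on a different path; both steps should name the same file, otherwise the checksum is never implanted in the image that is booted. Markup nit: `<</code>` after the isolinux.cfg excerpt has a stray `<`, which DokuWiki renders as literal text. Worth stating in the prose: because the repo files fetch from the plain-http mirror 10.0.0.57 without mirrorlist fallback, the `gpgcheck=1` kept on every section is what still guarantees that package signatures are verified, so it must not be relaxed when the mirror is changed.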
 • centos/pxe_c8/pxe_2.1592131996.txt.gz
 • Last modified: 14.06.2020 10:53.
 • by django