====== SL 6 Installation ======

Boot to the network install boot CD, or to the PXE boot installer if available.

===== Network Boot CD =====

Select "Install or upgrade an existing system".

  * Skip the media test

==== Installation Method ====

URL

==== Configure TCP/IP ====

The defaults are fine; click OK. (If this fails, turn the computer OFF and restart. A cold boot might help.)

==== URL Setup ====

<code>
ftp://192.168.2.10/linux/scientific/6.4/x86_64/os
</code>

It should immediately start to download the installer image. Then:

  * SL6: Next
  * Language: English, Next
  * Keyboard: English, Next
  * "What type of devices will your installation involve?": Basic Storage Devices, Next

==== Hostname ====

something.aoe.vt.edu

==== Timezone ====

America/New_York. Check "System clock uses UTC".

==== Root Password ====

Set the domain root password.

==== What type of installation would you like? ====

Use All Space. Check "Review and modify partitioning layout".

==== Partitioning ====

Click on the volume group (vg_...) below "LVM Volume Groups" and click Edit.

  * Delete /home
  * Click Add: Mount Point /var, File System Type ext4, Logical Volume Name lv_var, Size 51200 (depends)
  * Click Add again: Mount Point /tmp, File System Type ext4, Logical Volume Name lv_tmp, Size 51200 (depends)
  * Click Add again: Mount Point /l (as in local), File System Type ext4, Logical Volume Name lv_local, Size: the rest

Keeping /var and /tmp on their own volumes means runaway logs or user scratch files cannot fill /, and /tmp can later be mounted nodev,nosuid in /etc/fstab.

Next, then "Write changes to disk".

==== Boot Loader ====

Check "Use a boot loader password" and set it to the old crystals password. Without it anyone at the console can edit the kernel line (init=/bin/bash) and get a root shell.

==== Software ====

Desktop. The defaults are fine. Servers might be better with Minimal.

===== firstboot =====

==== Create User ====

Leave the user information blank; the user will be created under Advanced... instead.

=== Use Network Login... ===

== User Account Configuration ==

  * User Account Database: NIS
  * NIS Domain: aoe
  * NIS Server: alexandria.aoe.vt.edu

== Authentication Configuration ==

  * Authentication Method: Kerberos Password
  * Realm: AOE.VT.EDU
  * KDCs: neptune.aoe.vt.edu
  * Admin Servers: neptune.aoe.vt.edu
  * Leave the "Use DNS" setting unchecked

=== Advanced ===

Click "Add User".

== Add New User ==

Fill in the fields as appropriate. Change the Home Directory from /home/... to /l/...

== To create a user after setup ==

<code bash>
useradd -u 501 -c "Steve" -d /l/steve -m -s /bin/bash steve
yum install -y policycoreutils-python
semanage fcontext -a -t home_root_t "/l"
semanage fcontext -a -e /home /l
restorecon -R -v /l
</code>

The two semanage lines label /l like /home so that home directories under it get user_home_dir_t and SELinux treats them the same way it treats /home.

==== Date and Time ====

Check "Synchronize date and time over the network". NTP servers (delete the old entries):

<code>
ntp-1.vt.edu
ntp-2.vt.edu
ntp-3.vt.edu
ntp-4.vt.edu
</code>

Uncheck KDump.

====== Post install SL6 Machine Setup ======

Set a BIOS password and disable all bootable devices except the hard disk. A password should be required to boot from CD, USB, etc.

Set up system email forwarding (end the cat with Ctrl-d):

<code bash>
cat > /root/.forward
root@aoe.vt.edu
(Ctrl-d)
restorecon /root/.forward
</code>

Switch to the rolling 6x repositories:

<code bash>
yum install yum-conf-sl6x
</code>

Then disable the sl6.1 repos:

<code bash>
vim /etc/yum.repos.d/sl.repo
</code>

and change enabled=1 to enabled=0.

Note: this is supposed to be another way, but it is not quite right:

<code bash>
yum --releasever=6x update
</code>

https://www.scientificlinux.org/documentation/howto/upgrade.6x

===== Point to mirror.aoe.vt.edu =====

Edit sl6x.repo (only for machines in Randolph until the mirror is available to other machines). Comment out the baseurl lines and add mirror.aoe.vt.edu:

<code bash>
vim /etc/yum.repos.d/sl6x.repo
</code>

<code>
[sl6x]
name=Scientific Linux 6x - $basearch
baseurl=ftp://mirror.aoe.vt.edu/linux/scientific/6x/$basearch/os/
#baseurl=http://ftp.scientificlinux.org/linux/scientific/6x/$basearch/os/
#        http://ftp1.scientificlinux.org/linux/scientific/6x/$basearch/os/
#        http://ftp2.scientificlinux.org/linux/scientific/6x/$basearch/os/
#        ftp://ftp.scientificlinux.org/linux/scientific/6x/$basearch/os/
#mirrorlist=http://ftp.scientificlinux.org/linux/scientific/mirrorlist/sl-base-6x.txt
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-sl file:///etc/pki/rpm-gpg/RPM-GPG-KEY-dawson

[sl6x-security]
name=Scientific Linux 6x - $basearch - security updates
baseurl=ftp://mirror.aoe.vt.edu/linux/scientific/6x/$basearch/updates/security/
#baseurl=http://ftp.scientificlinux.org/linux/scientific/6x/$basearch/updates/security/
#        http://ftp1.scientificlinux.org/linux/scientific/6x/$basearch/updates/security/
#        http://ftp2.scientificlinux.org/linux/scientific/6x/$basearch/updates/security/
#        ftp://ftp.scientificlinux.org/linux/scientific/6x/$basearch/updates/security/
#mirrorlist=http://ftp.scientificlinux.org/linux/scientific/mirrorlist/sl-security-6x.txt
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-sl file:///etc/pki/rpm-gpg/RPM-GPG-KEY-dawson

[sl6x-fastbugs]
name=Scientific Linux 6x - $basearch - fastbug updates
baseurl=http://ftp.scientificlinux.org/linux/scientific/6x/$basearch/updates/fastbugs/
        http://ftp1.scientificlinux.org/linux/scientific/6x/$basearch/updates/fastbugs/
        http://ftp2.scientificlinux.org/linux/scientific/6x/$basearch/updates/fastbugs/
        ftp://ftp.scientificlinux.org/linux/scientific/6x/$basearch/updates/fastbugs/
#mirrorlist=http://ftp.scientificlinux.org/linux/scientific/mirrorlist/sl-fastbugs-6x.txt
enabled=0
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-sl file:///etc/pki/rpm-gpg/RPM-GPG-KEY-dawson
</code>

The mirror is reached over plain FTP, so keep gpgcheck=1 on every section: the RPM signature is the only thing authenticating packages that arrive over that path.

===== Install local software =====

<code bash>
yum -y install yum-updateonboot
chkconfig yum-updateonboot on
yum update
crontab -e
</code>

Add this cron entry (it mails root only when updates are pending):

<code>
@daily yum check-update > /dev/null || yum check-update
</code>

Install extra software:

<code bash>
yum -y install yum-priorities
yum -y install elrepo-release epel-release
yum -y install rdesktop lynx vim-X11 gettext-devel denyhosts gnuplot subversion compat-gcc-34-g77 lyx numpy scipy lapack python-matplotlib ksh screen libXp qtwebkit logwatch openmotif colordiff htop octave gsl
</code>

For roycfd lab machines:

<code bash>
yum -y groupinstall "Development Tools"
yum -y install git gitk emacs
yum -y install openmpi-devel
yum -y install libXaw
</code>

For other machines (??):

<code bash>
yum -y install compat-libstdc++-33 emacs
</code>

For Dakota, which asks for libXm.so.2 (in a Motif package called lesstif):

<code bash>
yum -y install lesstif
</code>

For compiling OpenFOAM:

<code bash>
yum install http://ftp.scientificlinux.org/linux/scientific/6x/external_products/devtoolset/yum-conf-devtoolset-1.0-1.el6.noarch.rpm
yum install devtoolset-1.1-runtime devtoolset-1.1-gcc.x86_64 devtoolset-1.1-gcc-c++.x86_64
scl enable devtoolset-1.1 bash
</code>

(CGAL is also needed, from dl-atrpms.) Note that yum does not GPG-check a package given by URL or path unless localpkg_gpgcheck=1 is set in /etc/yum.conf, and this one is fetched over plain http; check it with rpm -K before installing.

To compile 32-bit code on 64-bit installs:

<code bash>
yum install glibc-devel.i686 libgcc.i686 libstdc++-devel.i686
</code>

Patran:

<code bash>
export LC_ALL=C
</code>

Add this line to use the common modulefiles (Environment Modules comes in with openmpi):

<code bash>
cat >> /usr/share/Modules/init/.modulespath
/aoe/etc/modulefiles
</code>

<code bash>
yum --enablerepo epel-testing install scipy
</code>

(scipy is now available in the main epel repo.)

<code bash>
yum groupinstall "TeX support"
</code>

For Xiao:

<code bash>
yum install scitool* ipython*
</code>

(Check the wildcard results.)
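The mirror above is reached over plain FTP and the extra repos just added (elrepo, epel, and rpmforge below) come over http, so the RPM GPG signature is the only thing authenticating what yum installs. The script below is an added example, not part of this page or of Scientific Linux: it walks a /etc/yum.repos.d-style directory and reports every enabled section that does not itself set gpgcheck=1 (a missing enabled= counts as enabled, since that is yum's default). The .repo contents inside demo_audit_repos are constructed for the demonstration and are not the department's real files; run audit_repos /etc/yum.repos.d on a real host after adding any repo.

```sh
#!/bin/sh
# Added example: audit yum .repo files for enabled sections without gpgcheck=1.
# Prints "file:[section]" for each offending section; returns 1 if any found.

audit_repos() {                # usage: audit_repos /etc/yum.repos.d
    dir=$1; bad=0
    for f in "$dir"/*.repo; do
        [ -f "$f" ] || continue
        # One awk pass per file: collect enabled= and gpgcheck= for the
        # current [section], report when the next section (or EOF) starts.
        awk -v file="${f##*/}" '
            BEGIN { rc = 0 }
            function report() {
                # yum defaults a missing enabled= to 1; a missing gpgcheck=
                # inherits [main], so insist the section says gpgcheck=1 itself.
                if (sec != "" && enabled != "0" && gpgcheck != "1") {
                    print file ":[" sec "]"; rc = 1
                }
            }
            /^[ \t]*[#;]/ { next }                       # comment line
            /^[ \t]*\[/ {                                # [section] header
                report()
                sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/\].*/, "", sec)
                enabled = ""; gpgcheck = ""; next
            }
            /^[ \t]*enabled[ \t]*=/  { split($0, a, "="); gsub(/[ \t]/, "", a[2]); enabled = a[2] }
            /^[ \t]*gpgcheck[ \t]*=/ { split($0, a, "="); gsub(/[ \t]/, "", a[2]); gpgcheck = a[2] }
            END { report(); exit rc }
        ' "$f" || bad=1
    done
    return $bad
}

demo_audit_repos() {           # usage: demo_audit_repos [clean]
    # Constructed sample repo files (not real AOE configuration).
    d=$(mktemp -d)
    cat > "$d/sl6x.repo" <<'EOF'
[sl6x]
name=Scientific Linux 6x - $basearch
baseurl=ftp://mirror.aoe.vt.edu/linux/scientific/6x/$basearch/os/
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-sl

[sl6x-fastbugs]
baseurl=http://ftp.scientificlinux.org/linux/scientific/6x/$basearch/updates/fastbugs/
enabled=0
gpgcheck=0
EOF
    if [ "$1" != clean ]; then
        cat > "$d/local.repo" <<'EOF'
# constructed: a hand-added repo with checks turned off, and one that
# never mentions gpgcheck at all
[aoe-local]
name=local builds
baseurl=ftp://mirror.aoe.vt.edu/linux/local/$basearch/
enabled=1
gpgcheck=0

[aoe-nogpg]
name=no gpgcheck line
baseurl=http://192.168.2.10/linux/extra/
EOF
    fi
    audit_repos "$d"
    rc=$?
    rm -rf "$d"
    return $rc
}
```

The disabled fastbugs section with gpgcheck=0 is deliberately not reported; it only matters when someone turns it on, at which point the audit catches it.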
Also for Dr Xiao: EPD (Enthought Python Distribution), matplotlib.

===== Video for SL 6 =====

<code bash>
yum install yum-priorities
yum install rpmforge-release
yum install compat-libstdc++-33 libdvdcss libdvdread libdvdplay libdvdnav lsdvd libquicktime
yum install flash-plugin mplayer mplayer-gui gstreamer-ffmpeg gstreamer-plugins-ugly
yum install ffmpeg ffmpeg-devel mplayer mencoder
</code>

===== kernel exclusions (optional, if needed) =====

yum-autoupdate exclusions are listed in /etc/sysconfig/yum-autoupdate:

<code>
EXCLUDE="kernel* openafs* *-kmdl-* kmod-* *firmware*"
</code>

To disable kernel updates when using the command line (this was required on typhon and apogee because it broke the graphics), edit /etc/yum.conf and add:

<code>
exclude=kernel
</code>

or specific versions:

<code>
exclude=kernel-2.6.32-220*
</code>

or

<code>
exclude=kernel-2.6.32-220.2.1.el6.x86_64
</code>

Excluding kernel packages also excludes kernel security errata, so track kernel advisories for those hosts by hand.

To temporarily override the exclusion:

<code bash>
yum --disableexcludes=all update
</code>

or for a specific kernel:

<code bash>
yum --disableexcludes=all update kernel-2.6.32-220.2.1.el6.x86_64
</code>

apogee and typhon also needed reboot=pci added to the kernel line in grub.conf:

<code>
kernel /vmlinuz-2.6.32-131.0.15.el6.x86_64 ro root=/dev/mapper/vg_apogee-lv_root rd_LVM_LV=vg_apogee/lv_root rd_LVM_LV=vg_apogee/lv_swap rd_NO_LUKS rd_NO_MD rd_NO_DM LANG=en_US.UTF-8 SYSFONT=latarcyrheb-sun16 KEYBOARDTYPE=pc KEYTABLE=us rhgb reboot=pci
</code>

===== Disable "show user accounts" =====

Edit the file

<code bash>
vim /etc/gconf/gconf.xml.defaults/%gconf-tree.xml
</code>

and change the boolean for disable_user_list from false to true.

===== Disable Root Access via ssh =====

<code bash>
vim /etc/ssh/sshd_config
</code>

<code>
PermitRootLogin no
</code>

<code bash>
service sshd restart
</code>

===== ssh login speed and login persistence tweaks (optional) =====

In /etc/ssh/sshd_config:

<code>
ClientAliveInterval 120
UseDNS no
</code>

then

<code bash>
service sshd restart
</code>

In /etc/ssh/ssh_config:

<code>
ServerAliveInterval 120
</code>

In /etc/resolv.conf:

<code>
options single-request-reopen
</code>

===== iptables =====

Copy and paste the file below into /etc/sysconfig/iptables using the following command (end with Ctrl-d):

<code bash>
cat > /etc/sysconfig/iptables
</code>

<code>
# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state INVALID -j DROP
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
#-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
#-A INPUT -m state --state NEW -m tcp -p tcp -s 198.82.0.0/16 -m tcp --sport 1024:65535 --dport 22 -j ACCEPT
#-A INPUT -m state --state NEW -m tcp -p tcp -s 128.173.0.0/16 -m tcp --sport 1024:65535 --dport 22 -j ACCEPT
# Block brute force attacks - interface specific
# Drop repeated ssh connection attempts within 20 seconds interval
#-A INPUT -p tcp -m tcp -m state -m recent -i eth0 -s 198.82.0.0/16 --dport 22 --state NEW -j DROP --rcheck --seconds 20 --name THROTTLE --rsource
#-A INPUT -p tcp -m tcp -m state -m recent -i eth0 -s 128.173.0.0/16 --dport 22 --state NEW -j DROP --rcheck --seconds 20 --name THROTTLE --rsource
# Accept ssh connection if not attempted within past 20 sec.
#-A INPUT -p tcp -m tcp -m state -m recent -i eth0 -s 198.82.0.0/16 --dport 22 --state NEW -j ACCEPT --set --name THROTTLE --rsource
#-A INPUT -p tcp -m tcp -m state -m recent -i eth0 -s 128.173.0.0/16 --dport 22 --state NEW -j ACCEPT --set --name THROTTLE --rsource
# Block brute force attacks - all interfaces
# Drop repeated ssh connection attempts within 20 seconds interval
-A INPUT -p tcp -m tcp -m state -m recent -s 198.82.0.0/16 --dport 22 --state NEW -j DROP --rcheck --seconds 20 --name THROTTLE --rsource
-A INPUT -p tcp -m tcp -m state -m recent -s 128.173.0.0/16 --dport 22 --state NEW -j DROP --rcheck --seconds 20 --name THROTTLE --rsource
# Accept ssh connection if not attempted within past 20 sec.
-A INPUT -p tcp -m tcp -m state -m recent -s 198.82.0.0/16 --dport 22 --state NEW -j ACCEPT --set --name THROTTLE --rsource
-A INPUT -p tcp -m tcp -m state -m recent -s 128.173.0.0/16 --dport 22 --state NEW -j ACCEPT --set --name THROTTLE --rsource
# torricelli.cs.wright.edu
#-A INPUT -s 130.108.14.110 -j ACCEPT
# VT subnet
# reject on campus udp 67,68,137,138 without logging
-A INPUT -m udp -p udp -s 198.82.0.0/16 -m multiport --dports 67,68,137,138 -j REJECT --reject-with icmp-host-prohibited
-A INPUT -m udp -p udp -s 128.173.0.0/16 -m multiport --dports 67,68,137,138 -j REJECT --reject-with icmp-host-prohibited
#ignore DHCP requests
-A INPUT -s 0.0.0.0 -m udp -p udp --dport 67 --sport 68 -j DROP
# reject on campus, logging the rest
#-A INPUT -m tcp -p tcp -s 198.82.0.0/16 -j LOG --log-level info --log-prefix "FIREWALL-TCP-REJECTED "
-A INPUT -m tcp -p tcp -s 198.82.0.0/16 -j REJECT --reject-with icmp-host-prohibited
#-A INPUT -m tcp -p tcp -s 128.173.0.0/16 -j LOG --log-level info --log-prefix "FIREWALL-TCP-REJECTED "
-A INPUT -m tcp -p tcp -s 128.173.0.0/16 -j REJECT --reject-with icmp-host-prohibited
#-A INPUT -m udp -p udp -s 198.82.0.0/16 -j LOG --log-level info --log-prefix "FIREWALL-UDP-REJECTED "
-A INPUT -m udp -p udp -s 198.82.0.0/16 -j REJECT --reject-with icmp-host-prohibited
#-A INPUT -m udp -p udp -s 128.173.0.0/16 -j LOG --log-level info --log-prefix "FIREWALL-UDP-REJECTED "
-A INPUT -m udp -p udp -s 128.173.0.0/16 -j REJECT --reject-with icmp-host-prohibited
# drop off campus requests
#-A INPUT -j LOG --log-level info --log-prefix "FIREWALL-DROPPED "
-A INPUT -j DROP
#-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
</code>

How the THROTTLE pair works: the ACCEPT rule records the source address (--set) when it lets a new SSH connection through, and the DROP rule above it fires if that address is still in the list (--rcheck, which does not refresh the timestamp) less than 20 seconds later. The effect is one new SSH connection per source per 20 seconds, regardless of whether the earlier one succeeded, so an scp issued right after an ssh login from the same host is silently dropped; this is rate limiting, not failure counting (denyhosts, installed above, does the latter). The recent list holds 100 addresses by default (xt_recent's ip_list_tot), which is enough for one building's clients.

<code bash>
service iptables restart
</code>

===== ip6tables =====

Copy and paste the file below into /etc/sysconfig/ip6tables using the following command (end with Ctrl-d):

<code bash>
cat > /etc/sysconfig/ip6tables
</code>

<code>
# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state INVALID -j LOG --log-prefix "FIREWALL-IPV6-INVALID "
-A INPUT -m state --state INVALID -j DROP
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
# allow IPsec
#
# IKE negotiations
-A INPUT -p udp --sport 500 --dport 500 -j ACCEPT
-A OUTPUT -p udp --sport 500 --dport 500 -j ACCEPT
# ESP encryption and authentication
-A INPUT -p 50 -j ACCEPT
-A OUTPUT -p 50 -j ACCEPT
#-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j LOG --log-prefix "FIREWALL-SSH-ACCEPT "
#-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
# VT subnet
-A INPUT -m state --state NEW -m tcp -p tcp -s 2001:468:c80::/48 --dport 22 -j LOG --log-prefix "FIREWALL-IPV6-SSH-ACCEPT "
-A INPUT -m state --state NEW -m tcp -p tcp -s 2001:468:c80::/48 --dport 22 -j ACCEPT
# Allow domain controllers
-A INPUT -m tcp -p tcp -s 2001:0468:0c80:610c:6496:9744:111b:76b6 -j LOG --log-prefix "FIREWALL-IPV6-NEPTUNE-ACCEPT "
-A INPUT -m tcp -p tcp -s 2001:0468:0c80:610c:6496:9744:111b:76b6 -j ACCEPT
-A INPUT -m tcp -p tcp -s 2001:468:c80:610c:b92c:3f7b:e1c7:76f3 -j LOG --log-prefix "FIREWALL-IPV6-PLUTO-ACCEPT "
-A INPUT -m tcp -p tcp -s 2001:468:c80:610c:b92c:3f7b:e1c7:76f3 -j ACCEPT
-A INPUT -m tcp -p tcp -s 2001:468:c80:610c:b94f:dde9:482d:f606 -j LOG --log-prefix "FIREWALL-IPV6-TATOOINE-ACCEPT "
-A INPUT -m tcp -p tcp -s 2001:468:c80:610c:b94f:dde9:482d:f606 -j ACCEPT
# Block brute force attacks
# Drop repeated ssh connection attempts within 20 seconds interval
-A INPUT -p tcp -m tcp -m state -m recent -s 2001:468:c80::/48 --dport 22 --state NEW -j DROP --rcheck --seconds 20 --name THROTTLE --rsource
# Accept ssh connection if not attempted within past 20 sec.
-A INPUT -p tcp -m tcp -m state -m recent -s 2001:468:c80::/48 --dport 22 --state NEW -j ACCEPT --set --name THROTTLE --rsource
-A INPUT -j LOG --log-level info --log-prefix "FIREWALL-IPV6-DROPPED "
#-A INPUT -j DROP
-A INPUT -j REJECT --reject-with icmp6-adm-prohibited
-A FORWARD -j REJECT --reject-with icmp6-adm-prohibited
# specific to this machine:
#
COMMIT
</code>

Two things to notice in this file. The unconditional "VT subnet" ACCEPT for new SSH connections from 2001:468:c80::/48 sits above the THROTTLE rules for the same prefix, so the throttle never matches on IPv6; delete that ACCEPT (or move it below the throttle pair) if rate limiting is wanted here as it is for IPv4. And the final LOG rule has no -m limit, so a scan fills /var/log/messages at line rate; add -m limit --limit 5/min (or similar) to it if that becomes a problem.

<code bash>
service ip6tables restart
</code>

===== network =====

Stop NetworkManager:

<code bash>
service NetworkManager stop
chkconfig NetworkManager off
</code>

Stop avahi:

<code bash>
service avahi-daemon stop
chkconfig avahi-daemon off
</code>

Other services, as not needed:

<code bash>
chkconfig --list | grep :on
service bluetooth stop
chkconfig bluetooth off
</code>

Check the /etc/sysconfig/network file:

<code bash>
cat /etc/sysconfig/network
</code>

<code>
HOSTNAME=apogee.aoe.vt.edu
NETWORKING=yes
</code>

Modify the network adapter. The adapter name will vary; em1 is just an example.

<code bash>
vim /etc/sysconfig/network-scripts/ifcfg-em1
</code>

<code>
DEVICE="em1"
HWADDR="??:??:??:??:??:??"
IPV6INIT="yes"
IPV6_AUTOCONF="yes"
ONBOOT="yes"
TYPE="Ethernet"
NM_CONTROLLED="no"
BOOTPROTO=static
#Randolph
IPADDR=128.173.188.28
BROADCAST=128.173.191.255
NETMASK=255.255.252.0
NETWORK=128.173.188.0
GATEWAY=128.173.188.1
#Hancock
#IPADDR=128.173.167.15
#BROADCAST=128.173.167.255
#NETMASK=255.255.252.0
#NETWORK=128.173.164.0
#GATEWAY=128.173.164.1
#Femoyer
#IPADDR=128.173.105.33
#BROADCAST=128.173.105.255
#NETMASK=255.255.255.0
#NETWORK=128.173.105.0
#GATEWAY=128.173.105.1
DNS1=128.173.188.25
DNS2=128.173.188.26
DOMAIN=aoe.vt.edu
</code>

The following step to edit resolv.conf may not be required with the DNS settings above:

<code bash>
vim /etc/resolv.conf
</code>

<code>
search aoe.vt.edu
nameserver 128.173.188.25
nameserver 128.173.188.26
</code>

Put the machine on the open network and bounce the interface (use the real adapter name; eth0 here):

<code bash>
ifdown eth0
ifup eth0
</code>

===== NIS Domain, etc (Do Not Use NIS) =====

NIS traffic is cleartext and unauthenticated (any host that can reach the server and knows the domain name can pull the maps), which is why the heading says not to use it; the LDAP/Kerberos/sssd procedure below replaces it. If not joined to the domain during setup, join to the AOE NIS domain:

<code bash>
authconfig-tui
</code>

==== Authentication Configuration ====

=== User Information ===

Select "Use NIS".

=== Authentication ===

Select "Use MD5 Passwords", "Use Shadow Passwords", "Use Kerberos", "Local authorization is sufficient" (verify the meaning of this setting). Next.

==== NIS or LDAP Settings ====

=== NIS ===

  * Domain: aoe
  * Server: alexandria.aoe.vt.edu

===== LDAP =====

<code bash>
system-config-authentication
</code>

  * User Account Database: ldap
  * Download CA Certificate: https://www.dept.aoe.vt.edu/~stedwar1/aoe-neptune.crt

===== Kerberos Settings =====

  * Realm: AOE.VT.EDU
  * KDC: neptune.aoe.vt.edu
  * Admin Server: neptune.aoe.vt.edu
  * Leave the "Use DNS" checkboxes cleared

===== Name Service Switch =====

In /etc/nsswitch.conf, remove nis from the hosts: line.

<code bash>
vim /etc/nsswitch.conf
</code>

Before:

<code>
#hosts: db files nisplus nis dns
hosts: files nis dns
</code>

should be:

<code>
#hosts: db files nisplus nis dns
hosts: files dns
</code>

===== Add sudoers =====

<code bash>
visudo
</code>

After:

<code>
## Allow root to run any commands anywhere
root ALL=(ALL) ALL
</code>

(Some items optional, for audit data collection.) Add:

<code>
%bigwheel ALL=(ALL) ALL
</code>

On local-user-only machines:

<code>
steve ALL=(ALL) ALL
</code>

Also add in the appropriate sections:

<code>
aoebackup ALL= NOPASSWD:/usr/bin/rsync
stedwar1 ALL= NOPASSWD:/bin/netstat,/sbin/iptables,/sbin/iptables-save,/sbin/ip6tables,/sbin/ip6tables-save
steve ALL= NOPASSWD:/bin/netstat,/sbin/iptables,/sbin/iptables-save,/sbin/ip6tables,/sbin/ip6tables-save
</code>

and

<code>
Defaults:aoebackup,steve !requiretty
</code>

or

<code>
Defaults:aoebackup,stedwar1 !requiretty
</code>

NOPASSWD:/usr/bin/rsync with no argument restriction is effectively passwordless root for aoebackup: rsync run as root can read or overwrite any file, and its -e and --rsync-path options run arbitrary commands. Treat that account's SSH key as a root credential (forced command and from= restriction on the key, not installed anywhere else). Unrestricted /sbin/iptables likewise lets stedwar1 and steve open the firewall without a password, which is fine for admins but worth knowing.

===== AOE Domain Software =====

==== first, add access to alexandria ====

On alexandria (the NFS server), modify as required. Add the host to the hosts file:

<code bash>
vim /etc/hosts
</code>

To modify the running iptables:

<code bash>
iptables -L --line-numbers
</code>

Pick a place to insert the rule (it must come above the final catch-all REJECT/DROP rules or it never matches) and add the new rule:

<code bash>
iptables -I INPUT 56 -s apogee.aoe.vt.edu -j ACCEPT
</code>

The hostname is resolved once, when the rule is inserted, so the rule carries the IP address and will not follow DNS changes; giving the address directly avoids a DNS dependency when the rules load at boot. Add the entry to the startup file for iptables:

<code bash>
vim /etc/sysconfig/iptables
</code>

The script in /home/sysadmin/bin/exports writes the exports text to standard output. Pipe the output to /etc/exports:

<code bash>
vim /home/sysadmin/bin/exports/exports.sh
/home/sysadmin/bin/exports/exports.sh > /etc/exports
exportfs -ra
</code>

Old vim replace command that can be used on the /etc/exports file for temporary changes:

<code>
:%s/aphrodite.aoe.vt.edu(rw,sync,root_squash) \\\n/altus.aoe.vt.edu(rw,sync,root_squash) \\\r aphrodite.aoe.vt.edu(rw,sync,root_squash) \\\r/
</code>

===== then add the mounts in the new Linux machine =====

Go back to the new Linux box. Be very careful here! Add the line to /etc/fstab:

<code bash>
cat >> /etc/fstab
alexandria:/export/apps/aoe-linux-x86_64 /aoe nfs tcp 0 0
</code>

Then run these commands:

<code bash>
mkdir /aoe
mount /aoe
cd /etc/profile.d
ln -s /aoe/etc/aoe_profile.sh
ln -s /aoe/etc/aoe_profile.csh
</code>

Files in /etc/profile.d are sourced by every login shell, so whoever can write to that export on alexandria can run code as every user on every client; keep the export read-only for clients and tightly controlled on the server.

===== Local Directories =====

<code bash>
mkdir /l
chown root:root /l
chmod 777 /l
</code>

If /l must be world-writable so that users can create their own directories, use 1777 (sticky bit) instead, so they cannot remove or rename each other's entries; when accounts are created with useradd -m as above, 755 is enough.

===== boot screen =====

<code bash>
plymouth-set-default-theme details --rebuild-initrd
</code>

===== Logging =====

<code bash>
yum install openswan
</code>

Place neptune's CA certificate in openssl's CA list. Use the PEM from the authconfig download step:

<code bash>
cp /etc/openldap/cacerts/authconfig_downloaded.pem /etc/pki/tls/certs/aoe-ca.pem
ln -s /etc/pki/tls/certs/aoe-ca.pem /etc/pki/tls/certs/`openssl x509 -hash -noout -in /etc/pki/tls/certs/aoe-ca.pem`.0
</code>

Generate the client key and certificate request for rsyslog:

<code bash>
yum install rsyslog-gnutls
cd /etc/pki/rsyslog
openssl genrsa -out key.pem 2048
chmod 400 key.pem
openssl req -new -key key.pem -out request-$(hostname -s).req -config /aoe/etc/openssl.cnf -nodes
openssl req -text -in request-$(hostname -s).req -noout -verify
</code>

Copy the CSR to neptune (the private key stays on the client):

<code bash>
chmod 600 request*
scp request* stedwar1@alexandria.aoe.vt.edu:~/sandbox/openssl/rsyslog
</code>

Perform these steps on neptune (PowerShell):

<code>
PS> certreq.exe -submit -attrib "CertificateTemplate:WebServerLoghostIPSec" ./request-traininglt.req training.cer
</code>

If manual approval is required, find the issued certificate in the CA and open it. Select the Details tab and click "Copy to File". Select Base-64 encoded and click Next. Click Browse and navigate to the desired folder on the Z: drive to place the certificate. Name it cert-<short hostname> (the scp below expects cert-$(hostname -s).cer).

Copy the cert back to the client and rename it. From the Linux client (check the file extension, as the export may append .cer):

<code bash>
scp stedwar1@alexandria.aoe.vt.edu:~/sandbox/openssl/rsyslog/cert-$( hostname -s ).cer cert.pem
</code>

Fix the SELinux labels on the certificate files:

<code bash>
restorecon -RvF /etc/pki
</code>

<code bash>
cat >> /etc/rsyslog.d/tls.conf
</code>

<code>
# extra config file for rsyslog to be placed in /etc/rsyslog.d to enable
# tls for rsyslog.
# make gtls driver the default
$DefaultNetstreamDriver gtls
# certificate files
$DefaultNetstreamDriverCAFile /etc/pki/tls/certs/aoe-ca.pem
$DefaultNetstreamDriverCertFile /etc/pki/rsyslog/cert.pem
$DefaultNetstreamDriverKeyFile /etc/pki/rsyslog/key.pem
$ActionSendStreamDriverAuthMode x509/name
$ActionSendStreamDriverPermittedPeer artemis.aoe.vt.edu
$ActionSendStreamDriverMode 1 # run driver in TLS-only mode
#*.* @@central.example.net:10514 # forward everything to remote server
</code>

These legacy $Default... and $Action... directives only apply to actions defined after them, so confirm that the $IncludeConfig /etc/rsyslog.d/*.conf line in /etc/rsyslog.conf (near the top on SL6) comes before the forwarding rule added next. x509/name with the PermittedPeer means the client checks the loghost's certificate name; artemis should restrict its own permitted peers the same way so that only holders of a CA-issued client certificate can submit logs.

In /etc/rsyslog.conf, after the following lines:

<code>
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none                /var/log/messages
</code>

add (the whole line!):

<code bash>
vim /etc/rsyslog.conf
</code>

<code>
#*.info;authpriv.none @loghost
*.info;authpriv.none @@artemis.aoe.vt.edu:6514
</code>

Note that authpriv.none keeps sshd, sudo and su authentication messages off the loghost; if artemis is meant to hold the tamper-resistant copy for investigating a compromise, forward authpriv too (drop the authpriv.none, or add a separate authpriv.* line to the same destination).

From artemis, watch the log:

<code bash>
[root@artemis ~]# watch 'tail -1000 /var/log/messages|grep -v FIREWALL|grep -v last|tail -30'
</code>

On the client:

<code bash>
service rsyslog restart
logger test
</code>

===== ldap/kerberos =====

Append the following to /etc/openldap/ldap.conf:

<code bash>
cat >> /etc/openldap/ldap.conf
</code>

<code>
sasl_secprops maxssf=0
TLS_REQCERT never
URI ldaps://neptune.aoe.vt.edu
</code>

Modify to add the CA directory:

<code bash>
vim /etc/openldap/ldap.conf
</code>

<code>
TLS_CACERTDIR /etc/openldap/cacerts
</code>

TLS_REQCERT never switches off verification of the server certificate, so until it is removed (Method 2 below comments it out) anything that can answer as neptune can sit in the middle of the bind. sasl_secprops maxssf=0 tells the GSSAPI bind not to negotiate its own encryption layer (AD does not accept a SASL privacy layer on top of an already-TLS connection), which is why the URI must stay ldaps://: the TLS layer is the only protection left.

Enter the computer name in DNS and make sure reverse lookups get updated.
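The bootstrap just above appends TLS_REQCERT never to ldap.conf, and the sssd configurations further down set ldap_tls_reqcert = never; both turn off server-certificate verification, and with sasl_secprops maxssf=0 the ldaps:// URI is the only thing protecting binds and lookups. Method 2 comments the ldap.conf line out again, but sssd.conf is easy to forget. The script below is an added example, not part of this page or of sssd/openldap, of the check to run once the CA is in /etc/openldap/cacerts; the ldap.conf and sssd.conf contents inside demo_check_ldap_tls are constructed for the demonstration.

```sh
#!/bin/sh
# Added example: confirm that the certificate checks relaxed during the AD
# join were put back.  Prints one finding per line; returns 1 if any.

check_ldap_tls() {    # usage: check_ldap_tls /etc/openldap/ldap.conf /etc/sssd/sssd.conf
    ldapconf=$1; sssdconf=$2; rc=0
    # openldap clients: an uncommented "TLS_REQCERT never" disables the check
    # of the server certificate (commented lines start with # and do not match).
    if grep -Eiq '^[ \t]*TLS_REQCERT[ \t]+never' "$ldapconf"; then
        echo "$ldapconf: TLS_REQCERT never (server certificate not verified)"; rc=1
    fi
    # With sasl_secprops maxssf=0 there is no SASL encryption layer, so a
    # plain ldap:// URI would put the GSSAPI bind and all lookups on the wire
    # in clear.  Require ldaps:// whenever maxssf=0 is set.
    if grep -Eq '^[ \t]*sasl_secprops[ \t]+.*maxssf=0' "$ldapconf" &&
       ! grep -Eiq '^[ \t]*URI[ \t]+ldaps://' "$ldapconf"; then
        echo "$ldapconf: maxssf=0 without an ldaps:// URI (traffic in clear)"; rc=1
    fi
    # sssd: ldap_tls_reqcert defaults to hard; never/allow must not survive the join.
    v=$(sed -n 's/^[ \t]*ldap_tls_reqcert[ \t]*=[ \t]*\([a-z]*\).*/\1/p' "$sssdconf" | tail -n 1)
    case "$v" in
        never|allow) echo "$sssdconf: ldap_tls_reqcert = $v (should be demand or hard)"; rc=1 ;;
    esac
    return $rc
}

demo_check_ldap_tls() {   # usage: demo_check_ldap_tls before|after
    # Constructed sample files (not the real AOE configuration): "before" is
    # the state the bootstrap leaves, "after" is the state the join should end in.
    d=$(mktemp -d)
    if [ "$1" = before ]; then
        printf '%s\n' 'sasl_secprops maxssf=0' 'TLS_REQCERT never' \
            'URI ldaps://neptune.aoe.vt.edu' 'TLS_CACERTDIR /etc/openldap/cacerts' > "$d/ldap.conf"
        printf '%s\n' '[domain/default]' 'id_provider = ldap' 'ldap_uri = ldaps://neptune.aoe.vt.edu' \
            'ldap_tls_reqcert = never' 'ldap_tls_cacertdir = /etc/openldap/cacerts' > "$d/sssd.conf"
    else
        printf '%s\n' 'sasl_secprops maxssf=0' '#TLS_REQCERT never' \
            'URI ldaps://neptune.aoe.vt.edu' 'TLS_CACERTDIR /etc/openldap/cacerts' > "$d/ldap.conf"
        printf '%s\n' '[domain/default]' 'id_provider = ldap' 'ldap_uri = ldaps://neptune.aoe.vt.edu' \
            'ldap_tls_reqcert = hard' 'ldap_tls_cacertdir = /etc/openldap/cacerts' > "$d/sssd.conf"
    fi
    ( cd "$d" && check_ldap_tls ldap.conf sssd.conf )
    rc=$?
    rm -rf "$d"
    return $rc
}
```

Run check_ldap_tls against the real files after Method 2 and again after writing sssd.conf; a clean run prints nothing and exits 0.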
==== Method 1 ====

Only good for a single SPN. Create a computer account in the UnixOU/Unix-computers OU, then set the service principal and export a keytab (on a domain-joined Windows host with the AD tools):

<code>
setspn -A host/centos-test.aoe.vt.edu@AOE.VT.EDU centos-test
setspn -L centos-test
ktpass /princ host/centos-test.aoe.vt.edu@AOE.VT.EDU /out centos-test.keytab /crypto all /ptype KRB5_NT_PRINCIPAL -desonly /mapuser AOE\centos-test$ +rndPass
</code>

Securely copy the keytab to /etc/krb5.keytab (scp, never mail; it is a long-lived machine credential, and +rndPass has just reset the account password so any older keytab is now dead) with root:root 600 permissions:

<code bash>
chmod 600 /etc/krb5.keytab
chown root:root /etc/krb5.keytab
restorecon /etc/krb5.keytab
klist -k -t /etc/krb5.keytab
</code>

==== Method 2 ====

Creates multiple SPNs per computer account.

<code bash>
yum install msktutil
kinit stedwar1
export host=$(hostname -s)
msktutil -u --server neptune --user-creds-only -s host/$host.aoe.vt.edu -s host/$host --upn host/$host.aoe.vt.edu
</code>

Move the computer into the Unix OU in Active Directory. Comment out this line in /etc/openldap/ldap.conf:

<code bash>
vim /etc/openldap/ldap.conf
</code>

<code>
#TLS_REQCERT never
</code>

==== Verify new keytab file ====

<code bash>
kinit -k -t /etc/krb5.keytab $host$
</code>

(If this reports that the principal is not found, compare the case of the account name with klist -k -t /etc/krb5.keytab; see Troubleshooting below.) The next form requires the UPN to have been specified when requesting the computer account with msktutil:

<code bash>
kinit -k -t /etc/krb5.keytab host/$host.aoe.vt.edu@AOE.VT.EDU
</code>

<code bash>
yum install openldap-clients
kinit stedwar1   # if not already done
ldapsearch -H ldaps://neptune.aoe.vt.edu -Y GSSAPI -N -b dc=aoe,dc=vt,dc=edu "(&(objectClass=user)(sAMAccountName=stedwar1))"
</code>

==== Configure sssd ====

<code bash>
cp -a /etc/sssd/sssd.conf /etc/sssd/sssd.conf.back
vim /etc/sssd/sssd.conf
</code>

sssd refuses to start unless sssd.conf is owned by root and mode 0600, so check that after writing it.

ldap/kerberos version, for SL5 or SL6 (not preferred). For SL5, use these contents, but change the name in ldap_sasl_authid:

<code>
[domain/default]
#debug_level = 9
cache_credentials = false
enumerate = false
id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
access_provider = ldap
ldap_uri = ldaps://neptune.aoe.vt.edu
#ldap_search_base = dc=aoe,dc=vt,dc=edu
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/changeme.aoe.vt.edu@AOE.VT.EDU
ldap_schema = rfc2307bis
ldap_user_object_class = user
ldap_user_home_directory = unixHomeDirectory
ldap_user_principal = userPrincipalName
ldap_user_name = sAMAccountName
ldap_group_object_class = group
ldap_access_order = expire
ldap_account_expire_policy = ad
ldap_force_upper_case_realm = true
ldap_disable_referrals = true
krb5_realm = AOE.VT.EDU
krb5_canonicalize = false
ldap_tls_reqcert = never
#ldap_tls_cacert = /etc/openldap/cacerts/authconfig_downloaded.pem
ldap_id_use_start_tls = False
krb5_server = neptune.aoe.vt.edu
krb5_kpasswd = neptune.aoe.vt.edu
ldap_tls_cacertdir = /etc/openldap/cacerts
ldap_krb5_keytab = /etc/krb5.keytab
ldap_referrals = false
#Try setting ldap_group_nesting_level=1

[sssd]
services = nss, pam
config_file_version = 2
domains = default

[nss]

[pam]

[sudo]

[autofs]

[ssh]
</code>

Active Directory version, for SL6 only (preferred). For SL6, use these contents:

<code bash>
cat > /etc/sssd/sssd.conf
</code>

<code>
[domain/default]
#debug_level = 9
cache_credentials = false
enumerate = false
ldap_id_mapping = False
id_provider = ad
auth_provider = ad
chpass_provider = ad
access_provider = ad
ad_domain = aoe.vt.edu
ad_server = neptune,pluto
ldap_schema = ad
ldap_access_order = expire
ldap_account_expire_policy = ad
ldap_force_upper_case_realm = true
ldap_disable_referrals = true
ldap_tls_reqcert = never
#ldap_tls_cacert = /etc/openldap/cacerts/authconfig_downloaded.pem
#ldap_id_use_start_tls = False
ldap_id_use_start_tls = True
ldap_tls_cacertdir = /etc/openldap/cacerts
ldap_referrals = false
#Try setting ldap_group_nesting_level=1

[sssd]
services = nss, pam
config_file_version = 2
domains = default

[nss]

[pam]

[sudo]

[autofs]

[ssh]
</code>

Both versions carry ldap_tls_reqcert = never from the bootstrap. Once the CA is in /etc/openldap/cacerts (it is, after the authconfig download step), set it to hard (the sssd default) or simply delete the line, otherwise sssd will bind to anything that answers on port 636 as neptune.

===== Automount =====

<code bash>
vim /etc/sysconfig/autofs
</code>

<code>
#
# MOUNT_NFS_DEFAULT_PROTOCOL - specify the default protocol used by
#                              mount.nfs(8).  Since we can't identify
#                              the default automatically we need to
#                              set it in our configuration.
#
MOUNT_NFS_DEFAULT_PROTOCOL=3
#MOUNT_NFS_DEFAULT_PROTOCOL=4
...
LDAP_URI="ldaps://neptune.aoe.vt.edu"
SEARCH_BASE="CN=ypServ30,CN=RpcServices,CN=System,dc=aoe,dc=vt,dc=edu"
...
# If no schema is set autofs will check each of the schemas
# below in the order given to try and locate an appropriate
# basedn for lookups. If you want to minimize the number of
# queries to the server set the values here.
#
MAP_OBJECT_CLASS="nisMap"
MAP_ATTRIBUTE="nisMapName"
ENTRY_OBJECT_CLASS="nisObject"
ENTRY_ATTRIBUTE="cn"
VALUE_ATTRIBUTE="nisMapEntry"
...
# AUTH_CONF_FILE - set the default location for the SASL
#                  authentication configuration file.
#
AUTH_CONF_FILE="/etc/autofs_ldap_auth.conf"
</code>

<code bash>
vim /etc/autofs_ldap_auth.conf
</code>

Note: TLS/SSL automount can be achieved either with the method above, using ldaps://neptune.aoe.vt.edu, or by setting usetls="yes" tlsrequired="yes" in /etc/autofs_ldap_auth.conf and using ldap://neptune.aoe.vt.edu (without the "ldaps", since STARTTLS uses the standard port 389 and upgrades the connection). Keep tlsrequired="yes" with the second form; with usetls alone a server that declines STARTTLS gets a cleartext session.

===== start service =====

<code bash>
service sssd restart
service autofs restart
</code>

Make sure the DNS name is entered correctly, or adjust /etc/idmapd.conf so the domain names match:

<code bash>
vim /etc/idmapd.conf
</code>

Workaround:

<code bash>
vim /etc/nfsmount.conf
</code>

<code>
Defaultvers=3
</code>

===== Test =====

As a user, run:

<code bash>
matlab
patran
</code>

===== Troubleshooting =====

==== nfs permissions nobody:nobody ====

Symptom: key login was not working. Check the permissions on the NFS-mounted directory. Investigation showed permissions on mounted NFS volumes as nobody:nobody.

  * Verify that the /etc/hosts file on alexandria is correct. It had an incorrect short name that messed it up on pegasus.
  * Restart rpcidmapd on both machines: service rpcidmapd restart
  * Possible SELinux interference?
  * Possibly /etc/idmapd.conf needed Domain = aoe.vt.edu in its [General] section.
  * /etc/hosts needs an IP address and hostname entry on the NFS client for alexandria and for the client itself.
  * Possible /etc/resolv.conf problem.

Error:

<code>
Error processing keytab file [/etc/krb5.keytab]: Principal [host/columbia.aoe.vt.edu@AOE.VT.EDU] was not found.
Unable to create GSSAPI-encrypted LDAP connection.
</code>

Answer?: Check case and name with

<code bash>
klist -k -t /etc/krb5.keytab
</code>

I changed host to HOST in the sssd config and autofs config.

===== convert from nis to LDAP/SSSD =====

<code bash>
vim /etc/openldap/ldap.conf
</code>

<code>
TLS_REQCERT never
sasl_secprops maxssf=0
</code>

Then start at Method 2. Then system-config-authentication:

  * User Account Database: ldap
  * Download CA Certificate: https://www.dept.aoe.vt.edu/~stedwar1/aoe-neptune.crt

===== Kickstart file for superstations =====

Notes on this file before using it:

  * The root and boot loader password hashes are in the file. If the kickstart is served from the FTP tree alongside the install media, anyone on the install network can read them and crack them offline, so they need to be strong, and the install network should be isolated.
  * %pre runs eval on every SERVERNAME* and AOEIP4* token from /proc/cmdline, so whatever follows the = on the boot line is executed as shell. Assign the value with parameter expansion (strip the SERVERNAME= prefix) and validate it against the hostname character set instead.
  * postinstallsetup.tgz is fetched over plain FTP with no signature or checksum, and its contents replace sudoers, sshd_config, the repo files and both firewall rule sets. Anything that can answer as 192.168.2.10 during the install owns the machine; at minimum compare the download against a sha256sum recorded in the kickstart.
  * Run visudo -cf postinstallsetup/sudoers before copying it over /etc/sudoers; a syntax error there disables sudo for everyone.

<code bash>
[root@riccioli ks]# cat ks-superstation.cfg
</code>

  #platform=x86, AMD64, or Intel EM64T
  #version=DEVEL
  # Firewall configuration
  firewall --enabled --ssh
  # Install OS instead of upgrade
  install
  # Use network installation
  url --url="ftp://192.168.2.10/linux/scientific/6.5/x86_64/os"
  # Root password
  rootpw --iscrypted $6$xi4xSBxAYmyH6gpb$GPGKSG4GDe2Z6WeqdVQB208pntHS8nYlpoK9OIywpkB.FKZ4uHaAvh27ikxGZY89BZTiRzpQ1.2yGmMk/KOKB0
  # System authorization information
  auth --useshadow --passalgo=sha512 --enableldap --enableldaptls --enablesssd --ldapserver=neptune.aoe.vt.edu --ldapbasedn=dc=aoe,dc=vt,dc=edu --ldaploadcacert=https://www.dept.aoe.vt.edu/~stedwar1/aoe-neptune.crt --enablekrb5 --krb5realm=AOE.VT.EDU --krb5kdc=neptune.aoe.vt.edu --krb5adminserver=neptune.aoe.vt.edu
  # Use text mode install
  #text
  cmdline
  # Run the Setup Agent on first boot
  #firstboot --enable
  # Use interactive kickstart installation method
  #interactive
  # System keyboard
  keyboard us
  # System language
  lang en_US.UTF-8
  # SELinux configuration
  selinux --enforcing
  # Installation logging level
  logging --level=debug
  # System timezone
  timezone --isUtc America/New_York
  # Network information
  %include /tmp/network.ks
  # System bootloader configuration
  bootloader --location=mbr --driveorder=sda --append="crashkernel=auto rhgb quiet" --iscrypted --password=$6$lJ8K61J9Ad4gldMi$17LLCDpPN1CJ9b1ytswZajjkmxpR9pQLMEuZEVVSfIRNeN3dr2F/yJr7QvWRs2avuODr8KRLDlLJLIyv3m2nd/
  # Clear the Master Boot Record
  zerombr
  # Partition clearing information
  clearpart --all --initlabel --drives=sda
  # Disk partitioning information
  part /boot --asprimary --fstype="ext4" --size=1000
  part pv.008002 --grow --size=1
  volgroup vg_superstation --pesize=4096 pv.008002
  logvol /tmp --fstype=ext4 --name=LogVolTmp --vgname=vg_superstation --size=51200
  logvol /var --fstype=ext4 --name=LogVolVar --vgname=vg_superstation --size=51200
  logvol / --fstype=ext4 --name=lv_root --vgname=vg_superstation --size=51200
  logvol swap --name=lv_swap --vgname=vg_superstation --size=8192
  #logvol /l --fstype=ext4 --name=LogVolLocal --vgname=vg_superstation --size=100
  logvol /l --fstype=ext4 --name=LogVolLocal --vgname=vg_superstation --grow --size=1
  repo --name="Scientific Linux" --baseurl=ftp://192.168.2.10/linux/scientific/6.5/x86_64/os --cost=100
  # XWindows configuration information
  xconfig --startxonboot
  reboot
  
  %packages
  @base
  @client-mgmt-tools
  @core
  @debugging
  @basic-desktop
  @desktop-debugging
  @desktop-platform
  @directory-client
  @fonts
  @general-desktop
  @graphical-admin-tools
  @input-methods
  @internet-applications
  @internet-browser
  @java-platform
  @legacy-x
  @misc-sl
  @network-file-system-client
  @office-suite
  @print-client
  @remote-desktop-clients
  @scalable-file-systems
  @server-platform
  @x11
  mtools
  oddjob
  wodim
  sgpio
  genisoimage
  device-mapper-persistent-data
  pax
  #samba-winbind
  certmonger
  pam_krb5
  krb5-workstation
  libXmu
  SL_desktop_tweaks
  pam_ldap
  yum-priorities
  yum-updateonboot
  elrepo-release
  epel-release
  rdesktop
  lynx
  vim-X11
  gettext-devel
  gnuplot
  subversion
  compat-gcc-34-g77
  numpy
  scipy
  lapack
  python-matplotlib
  ksh
  screen
  libXp
  logwatch
  openmotif
  gsl
  @ Development Tools
  git
  gitk
  openmpi-devel
  libXaw
  compat-libstdc++-33
  @ TeX support
  policycoreutils-python
  openswan
  rsyslog-gnutls
  openldap-clients
  #devtoolset-1.1-runtime
  #devtoolset-1.1-gcc.x86_64
  #devtoolset-1.1-gcc-c++.x86_64
  %end
  
  %pre
  #!/bin/sh
  for x in `cat /proc/cmdline`; do
      case $x in
          SERVERNAME*)
              eval $x
              echo "network --onboot yes --device eth0 --bootproto dhcp --ipv6 auto --hostname ${SERVERNAME}.aoe.vt.edu" > /tmp/network.ks
              echo "${SERVERNAME}" > /tmp/servername.ks
              ;;
          AOEIP4*)
              eval $x
              echo "${AOEIP4}" > /tmp/ip4.ks
              ;;
      esac
  done
  %end
  
  %post --nochroot
  cp /tmp/*.ks /mnt/sysimage/tmp
  # /mnt/sysimage/tmp is /tmp in chrooted env
  
  %post
  #!/bin/bash
  ## redirect the output to the log file. Interaction is confusing since input has to happen on tty1....
  ## This would be best if no interaction is needed with the post installation or for debugging ks.
  #exec >/root/ks-post-anaconda.log 2>&1
  ## show the output on the 7th console
  #tail -f /root/ks-post-anaconda.log >/dev/tty7 &
  ## changing to VT 7 that we can see what's going on....
  #/usr/bin/chvt 7
  
  #this allows interaction with the postinstall portion on the current tty
  curTTY=`tty`
  exec < $curTTY > $curTTY 2> $curTTY
  clear
  
  read aoeip4 < /tmp/ip4.ks            #read the var
  echo $aoeip4                         # print its value, should be SOMEVAL
  #rm -rf /tmp/ip4.ks                  # cleanup
  read servername < /tmp/servername.ks #read the var
  echo $servername                     # print its value, should be SOMEVAL
  #rm -rf /tmp/servername.ks           # cleanup
  
  # set log forwarding to root@aoe
  echo 'root@aoe.vt.edu' >> /root/.forward
  restorecon /root/.forward
  
  # grab the setup files and replace the contents of the existing files
  wget ftp://192.168.2.10/linux/scientific/ks/postinstallsetup.tgz
  if [ $? -eq 0 ]; then
      tar xzf postinstallsetup.tgz
      # replace the contents of these files
      [ -f /etc/yum.repos.d/sl.repo ] && cat postinstallsetup/sl.repo > /etc/yum.repos.d/sl.repo || echo "sl.repo does not exist yet."
      cat postinstallsetup/sl.repo > /etc/yum.repos.d/sl.repo
      [ -f /etc/yum.repos.d/sl6x.repo ] && cat postinstallsetup/sl6x.repo > /etc/yum.repos.d/sl6x.repo || echo "sl6x.repo does not exist yet."
      cat postinstallsetup/sl6x.repo > /etc/yum.repos.d/sl6x.repo
  else
      echo "Could not get tar file"
  fi
  
  # setup update on boot
  chkconfig yum-updateonboot on
  yum -y update
  
  # install packages from epel and elrepo
  yum -y install lyx denyhosts qtwebkit colordiff htop octave emacs msktutil
  
  #set up yum check-update in cron job - even though it is not a great implementation
  crontab -l | { cat ; echo '@daily yum check-update > /dev/null || yum check-update'; } | crontab -
  
  #append aoe modulefiles
  echo '/aoe/etc/modulefiles' >> /usr/share/Modules/init/.modulespath
  
  # turn off unused services
  service bluetooth stop
  chkconfig bluetooth off
  chkconfig NetworkManager off
  chkconfig avahi-daemon off
  chkconfig kdump off
  chkconfig ntpd on
  
  # set up new user
  useradd -u 501 -c "Steve" -d /l/steve -m -s /bin/bash steve
  semanage fcontext -a -t home_root_t "/l"
  semanage fcontext -a -e /home /l
  restorecon -R -v /l
  
  # grab the setup files and replace the contents of the existing files
  if [ -d postinstallsetup ]; then
      # replace the contents of these files
      [ -f /etc/yum.repos.d/sl.repo ] && cat postinstallsetup/sl.repo > /etc/yum.repos.d/sl.repo || echo "sl.repo does not exist yet."
      cat postinstallsetup/sl.repo > /etc/yum.repos.d/sl.repo
      [ -f /etc/yum.repos.d/sl6x.repo ] && cat postinstallsetup/sl6x.repo > /etc/yum.repos.d/sl6x.repo || echo "sl6x.repo does not exist yet."
      cat postinstallsetup/sl6x.repo > /etc/yum.repos.d/sl6x.repo
      [ -f /etc/ssh/sshd_config ] && cat postinstallsetup/sshd_config > /etc/ssh/sshd_config || echo "sshd_config does not exist yet."
      cat postinstallsetup/sshd_config > /etc/ssh/sshd_config
      [ -f /etc/sysconfig/network-scripts/ifcfg-eth1 ] && cat postinstallsetup/ifcfg-eth1 > /etc/sysconfig/network-scripts/ifcfg-eth1 || echo "ifcfg-eth1 does not exist yet."
      cat postinstallsetup/ifcfg-eth1 > /etc/sysconfig/network-scripts/ifcfg-eth1
      [ -f /etc/sysconfig/network-scripts/ifcfg-eth0 ] && cat postinstallsetup/ifcfg-eth0 > /etc/sysconfig/network-scripts/ifcfg-eth0 || echo "ifcfg-eth0 does not exist yet."
      cat postinstallsetup/ifcfg-eth0 > /etc/sysconfig/network-scripts/ifcfg-eth0
      [ -f /etc/sysconfig/network-scripts/ifcfg-eth2 ] && cat postinstallsetup/ifcfg-eth2 > /etc/sysconfig/network-scripts/ifcfg-eth2 || echo "ifcfg-eth2 does not exist yet."
      cat postinstallsetup/ifcfg-eth2 > /etc/sysconfig/network-scripts/ifcfg-eth2
      [ -f /etc/sysconfig/network-scripts/ifcfg-eth3 ] && cat postinstallsetup/ifcfg-eth3 > /etc/sysconfig/network-scripts/ifcfg-eth3 || echo "ifcfg-eth3 does not exist yet."
      cat postinstallsetup/ifcfg-eth3 > /etc/sysconfig/network-scripts/ifcfg-eth3
      [ -f /etc/sysconfig/autofs ] && cat postinstallsetup/autofs > /etc/sysconfig/autofs || echo "autofs does not exist yet."
      cat postinstallsetup/autofs > /etc/sysconfig/autofs
      [ -f /etc/autofs_ldap_auth.conf ] && cat postinstallsetup/autofs_ldap_auth.conf > /etc/autofs_ldap_auth.conf || echo "autofs_ldap_auth.conf does not exist yet."
      cat postinstallsetup/autofs_ldap_auth.conf > /etc/autofs_ldap_auth.conf
      [ -f /etc/ntp.conf ] && cat postinstallsetup/ntp.conf > /etc/ntp.conf || echo "ntp.conf does not exist yet."
      cat postinstallsetup/ntp.conf > /etc/ntp.conf
      [ -f /etc/sudoers ] && cat postinstallsetup/sudoers > /etc/sudoers || echo "sudoers does not exist yet."
      cat postinstallsetup/sudoers > /etc/sudoers
      [ -f /etc/sysconfig/iptables ] && cat postinstallsetup/iptables > /etc/sysconfig/iptables || echo "iptables does not exist yet."
      cat postinstallsetup/iptables > /etc/sysconfig/iptables
      [ -f /etc/sysconfig/ip6tables ] && cat postinstallsetup/ip6tables > /etc/sysconfig/ip6tables || echo "ip6tables does not exist yet."
cat postinstallsetup/ip6tables > /etc/sysconfig/ip6tables [ -f /etc/sssd/sssd.conf ] && cat postinstallsetup/sssd.conf > /etc/sssd/sssd.conf || echo "sssd.conf does not exist yet." cat postinstallsetup/sssd.conf > /etc/sssd/sssd.conf chmod 600 /etc/sssd/sssd.conf [ -f /etc/rsyslog.d/tls.conf ] && cat postinstallsetup/tls.conf > /etc/rsyslog.d/tls.conf || echo "tls.conf does not exist yet." cat postinstallsetup/tls.conf > /etc/rsyslog.d/tls.conf chmod 600 /etc/rsyslog.d/tls.conf # Modify these files [ -f /etc/openldap/ldap.conf ] && tail -2 postinstallsetup/ldap.conf >> /etc/openldap/ldap.conf || cat postinstallsetup/ldap.conf > /etc/openldap/ldap.conf [ -f /etc/gconf/gconf.xml.defaults/%gconf-tree.xml ] && cat postinstallsetup/%gconf-tree.xml > /etc/gconf/gconf.xml.defaults/%gconf-tree.xml || echo "%gconf-tree.xml does not exist yet." cat postinstallsetup/%gconf-tree.xml > /etc/gconf/gconf.xml.defaults/%gconf-tree.xml else echo "Could not get tar file" fi hwaddr=$( ifconfig eth0 | grep eth0| awk '{print $5}' ) sed -i "s/xx:xx:xx:xx:xx:xx/$hwaddr/" /etc/sysconfig/network-scripts/ifcfg-eth0 hwaddr=$( ifconfig eth1 | grep eth1| awk '{print $5}' ) sed -i "s/xx:xx:xx:xx:xx:xx/$hwaddr/" /etc/sysconfig/network-scripts/ifcfg-eth1 hwaddr=$( ifconfig eth2 | grep eth2| awk '{print $5}' ) sed -i "s/xx:xx:xx:xx:xx:xx/$hwaddr/" /etc/sysconfig/network-scripts/ifcfg-eth2 hwaddr=$( ifconfig eth3 | grep eth3| awk '{print $5}' ) sed -i "s/xx:xx:xx:xx:xx:xx/$hwaddr/" /etc/sysconfig/network-scripts/ifcfg-eth3 sed -i "s/128.173.188.28/$aoeip4/" /etc/sysconfig/network-scripts/ifcfg-eth1 #bounce the network ifdown eth0 ifdown eth1 echo -n "switch to the open network. Enter a username: " read ksuser ifup eth1 echo 'alexandria:/export/apps/aoe-linux-x86_64 /aoe nfs tcp 0 0' >> /etc/fstab mkdir /aoe mount /aoe if [ $? 
-eq 0 ]; then cd /etc/profile.d ln -s /aoe/etc/aoe_profile.sh ln -s /aoe/etc/aoe_profile.csh fi #mkdir /l chown root:root /l chmod 777 /l plymouth-set-default-theme details --rebuild-initrd cp /etc/openldap/cacerts/authconfig_downloaded.pem /etc/pki/tls/certs/aoe-ca.pem ln -s /etc/pki/tls/certs/aoe-ca.pem /etc/pki/tls/certs/`openssl x509 -hash -noout -in /etc/pki/tls/certs/aoe-ca.pem`.0 # # Set the correct time # /usr/sbin/ntpdate -bus ntp-1.vt.edu ntp-2.vt.edu ntp-3.vt.edu ntp-4.vt.edu /sbin/clock --systohc cd /etc/pki/rsyslog openssl genrsa -out key.pem 2048 chmod 400 key.pem export HOSTNAME=$servername.aoe.vt.edu openssl req -new -key key.pem -out request-$servername.req -config /aoe/etc/openssl.cnf -nodes openssl req -text -in request-$servername.req -noout -verify chmod 600 request* #scp request* stedwar1@alexandria.aoe.vt.edu:~/sandbox/openssl/rsyslog scp request* $ksuser@alexandria.aoe.vt.edu:~/sandbox/openssl/rsyslog echo " run this on neptune:" echo 'ps > certreq.exe -submit -attrib "CertificateTemplate:WebServerLoghostIPSec" ./request-traininglt.req training.cer' echo "press enter when complete" read waithere echo " scp may want a password here--wait for it to ask: " #scp stedwar1@alexandria.aoe.vt.edu:~/sandbox/openssl/rsyslog/cert-$servername.cer cert.pem scp $ksuser@alexandria.aoe.vt.edu:~/sandbox/openssl/rsyslog/cert-$servername.cer cert.pem restorecon -RvF /etc/pki sed -i "\/var\/log\/messages/a *.info;authpriv.none @@artemis.aoe.vt.edu:6514" /etc/rsyslog.conf sed -i "\/var\/log\/messages/a #*.info;authpriv.none @loghost" /etc/rsyslog.conf service rsyslog start logger test echo -n " user credentials: " #kinit stedwar1 kinit $ksuser export host=$servername msktutil -u --server neptune --computer-name $host --user-creds-only -s host/$host.aoe.vt.edu -s host/$host --upn host/$host.aoe.vt.edu if [ $? -ne 0 ]; then echo " There was a problem adding computer to domain. Hit return to continue. " read waithere else echo " looks like the domain join worked. 
press return to continue "
  read waithere
fi
#change ldap.conf back
sed -i "s/TLS_REQCERT never/#TLS_REQCERT never/" /etc/openldap/ldap.conf
sed -i "s/^URI ldap/#URI ldap/" /etc/openldap/ldap.conf
#change the hostname in autofs_ldap_auth.conf
sed -i "s/changeme/$servername/" /etc/autofs_ldap_auth.conf
#Set default NFS version to 3 because file ownership does not work with v4
[ -f /etc/nfsmount.conf ] && sed -i "/# Defaultvers=4/a Defaultvers=3" /etc/nfsmount.conf || echo "nfsmount.conf does not exist"
%end

===== Kickstart file for single network computers =====

#platform=x86, AMD64, or Intel EM64T
#version=DEVEL
# Firewall configuration
firewall --enabled --ssh
# Install OS instead of upgrade
install
# Use network installation
url --url="ftp://192.168.2.10/linux/scientific/6.5/x86_64/os"
# Root password
rootpw --iscrypted $6$xi4xSBxAYmyH6gpb$GPGKSG4GDe2Z6WeqdVQB208pntHS8nYlpoK9OIywpkB.FKZ4uHaAvh27ikxGZY89BZTiRzpQ1.2yGmMk/KOKB0
# System authorization information
auth --useshadow --passalgo=sha512 --enableldap --enableldaptls --enablesssd --ldapserver=neptune.aoe.vt.edu --ldapbasedn=dc=aoe,dc=vt,dc=edu --ldaploadcacert=https://www.dept.aoe.vt.edu/~stedwar1/aoe-neptune.crt --enablekrb5 --krb5realm=AOE.VT.EDU --krb5kdc=neptune.aoe.vt.edu --krb5adminserver=neptune.aoe.vt.edu
# Use text mode install
#text
cmdline
# Run the Setup Agent on first boot
#firstboot --enable
# Use interactive kickstart installation method
#interactive
# System keyboard
keyboard us
# System language
lang en_US.UTF-8
# SELinux configuration
selinux --enforcing
# Installation logging level
logging --level=debug
# System timezone
timezone --isUtc America/New_York
# Network information
%include /tmp/network.ks
# System bootloader configuration
bootloader --location=mbr --driveorder=sda --append="crashkernel=auto rhgb quiet" --iscrypted --password=$6$D4nAyc/Bl1bTjcDl$q3JkiI58Akk3USPcCqhN04K1P1xMjQuyATFGsCUgpDJzF/gog9B4ypIkaNMeKer9GXbnOXYdAebuFNp3NKKQl.
# Clear the Master Boot Record
zerombr
# Partition clearing information
clearpart --all --initlabel --drives=sda
# Disk partitioning information
part /boot --asprimary --fstype="ext4" --size=1000
part pv.008002 --grow --size=1
volgroup vg_aoelocal --pesize=4096 pv.008002
logvol /tmp --fstype=ext4 --name=LogVolTmp --vgname=vg_aoelocal --size=10240
logvol /var --fstype=ext4 --name=LogVolVar --vgname=vg_aoelocal --size=10240
logvol / --fstype=ext4 --name=lv_root --vgname=vg_aoelocal --size=10240
logvol swap --name=lv_swap --vgname=vg_aoelocal --size=8192
#logvol /l --fstype=ext4 --name=LogVolLocal --vgname=vg_superstation --size=100
logvol /l --fstype=ext4 --name=LogVolLocal --vgname=vg_aoelocal --grow --size=1
#volgroup vg_superstation --pesize=4096 pv.008002
#logvol /tmp --fstype=ext4 --name=LogVolTmp --vgname=vg_superstation --size=51200
#logvol /var --fstype=ext4 --name=LogVolVar --vgname=vg_superstation --size=51200
#logvol / --fstype=ext4 --name=lv_root --vgname=vg_superstation --size=51200
#logvol swap --name=lv_swap --vgname=vg_superstation --size=8192
##logvol /l --fstype=ext4 --name=LogVolLocal --vgname=vg_superstation --size=100
#logvol /l --fstype=ext4 --name=LogVolLocal --vgname=vg_superstation --grow --size=1
repo --name="Scientific Linux" --baseurl=ftp://192.168.2.10/linux/scientific/6.5/x86_64/os --cost=100
# XWindows configuration information
xconfig --startxonboot
reboot

%packages
@base
@client-mgmt-tools
@core
@debugging
@basic-desktop
@desktop-debugging
@desktop-platform
@directory-client
@fonts
@general-desktop
@graphical-admin-tools
@input-methods
@internet-applications
@internet-browser
@java-platform
@legacy-x
@misc-sl
@network-file-system-client
@office-suite
@print-client
@remote-desktop-clients
@scalable-file-systems
@server-platform
@x11
mtools
oddjob
wodim
sgpio
genisoimage
device-mapper-persistent-data
pax
#samba-winbind
certmonger
pam_krb5
krb5-workstation
libXmu
SL_desktop_tweaks
pam_ldap
yum-priorities
yum-updateonboot
elrepo-release
epel-release
rdesktop
lynx
vim-X11
gettext-devel
gnuplot
subversion
compat-gcc-34-g77
numpy
scipy
lapack
python-matplotlib
ksh
screen
libXp
logwatch
libXp
openmotif
gsl
@ Development Tools
git
gitk
openmpi-devel
libXaw
compat-libstdc++-33
@ TeX support
policycoreutils-python
openswan
rsyslog-gnutls
openldap-clients
#devtoolset-1.1-runtime
#devtoolset-1.1-gcc.x86_64
#devtoolset-1.1-gcc-c++.x86_64
%end

%pre
#!/bin/sh
for x in `cat /proc/cmdline`; do
  case $x in
    SERVERNAME*)
      eval $x
      echo "network --onboot yes --device eth0 --bootproto dhcp --ipv6 auto --hostname ${SERVERNAME}.aoe.vt.edu" > /tmp/network.ks
      echo "${SERVERNAME}" > /tmp/servername.ks
      ;;
    AOEIP4*)
      eval $x
      echo "${AOEIP4}" > /tmp/ip4.ks
      ;;
  esac
done
if [ ! -f /tmp/network.ks ] ; then
  curTTY=`tty`
  exec < $curTTY > $curTTY 2> $curTTY
  #clear
  echo -n "Not enough cmd line args. Enter a Hostname: "
  read SERVERNAME
  echo "network --onboot yes --device eth0 --bootproto dhcp --ipv6 auto --hostname ${SERVERNAME}.aoe.vt.edu" > /tmp/network.ks
  echo "${SERVERNAME}" > /tmp/servername.ks
fi
%end

%post --nochroot
cp /tmp/*.ks /mnt/sysimage/tmp # /mnt/sysimage/tmp is /tmp in chrooted env
killall NetworkManager
echo 'nameserver 128.173.188.25' > /etc/resolv.conf
echo 'nameserver 128.173.188.26' >> /etc/resolv.conf
echo 'search aoe.vt.edu' >> /etc/resolv.conf

%post
#!/bin/bash
## redirect the output to the log file. Interaction is confusing since input has to happen on tty1....
## This would be best if no interaction is needed with the post installation or for debugging ks.
#exec >/root/ks-post-anaconda.log 2>&1
## show the output on the 7th console
#tail -f /root/ks-post-anaconda.log >/dev/tty7 &
## changing to VT 7 that we can see what's going on....
#/usr/bin/chvt 7
#this allows interaction with the postinstall portion on the current tty
curTTY=`tty`
exec < $curTTY > $curTTY 2> $curTTY
clear
if [ -f /tmp/ip4.ks ] ; then
  read aoeip4 < /tmp/ip4.ks #read the var
  echo $aoeip4 # print its value, should be SOMEVAL
  #rm -rf /tmp/ip4.ks # cleanup
else
  echo -n "enter an ipv4 address: "
  read aoeip4
fi
if [ -f /tmp/servername.ks ] ; then
  read servername < /tmp/servername.ks #read the var
  echo $servername # print its value, should be SOMEVAL
  #rm -rf /tmp/servername.ks # cleanup
else
  echo -n "Enter a hostname: "
  read servername
fi
# set log forwarding to root@aoe
echo 'root@aoe.vt.edu' >> /root/.forward
restorecon /root/.forward
# grab the setup files and replace the contents of the existing files
wget ftp://192.168.2.10/linux/scientific/ks/postinstallsetup.tgz
if [ $? -eq 0 ]; then
  tar xzf postinstallsetup.tgz
  # replace the contents of these files
  [ -f /etc/yum.repos.d/sl.repo ] && cat postinstallsetup/sl.repo > /etc/yum.repos.d/sl.repo || echo "sl.repo does not exist yet."
  cat postinstallsetup/sl.repo > /etc/yum.repos.d/sl.repo
  [ -f /etc/yum.repos.d/sl6x.repo ] && cat postinstallsetup/sl6x.repo > /etc/yum.repos.d/sl6x.repo || echo "sl6x.repo does not exist yet."
  cat postinstallsetup/sl6x.repo > /etc/yum.repos.d/sl6x.repo
else
  echo "Could not get tar file"
  read waithere
fi
# setup update on boot
chkconfig yum-updateonboot on
yum -y update
# install packages from epel and elrepo
yum -y install lyx denyhosts qtwebkit colordiff htop octave emacs msktutil
#set up yum check-update in cron job - even though it is not a great implementation
crontab -l | { cat ; echo '@daily yum check-update > /dev/null || yum check-update'; } | crontab -
#append aoe modulefiles
echo '/aoe/etc/modulefiles' >> /usr/share/Modules/init/.modulespath
# turn off unused services
service bluetooth stop
chkconfig bluetooth off
chkconfig NetworkManager off
service NetworkManager stop
chkconfig avahi-daemon off
chkconfig kdump off
chkconfig ntpd on
# set up new user
useradd -u 501 -c "Steve" -d /l/steve -m -s /bin/bash steve
semanage fcontext -a -t home_root_t "/l"
semanage fcontext -a -e /home /l
restorecon -R -v /l
# grab the setup files and replace the contents of the existing files
if [ -d postinstallsetup ]; then
  # replace the contents of these files
  [ -f /etc/ssh/sshd_config ] && cat postinstallsetup/sshd_config > /etc/ssh/sshd_config || echo "sshd_config does not exist yet."
  cat postinstallsetup/sshd_config > /etc/ssh/sshd_config
  # [ -f /etc/sysconfig/network-scripts/ifcfg-eth1 ] && cat postinstallsetup/ifcfg-eth1 > /etc/sysconfig/network-scripts/ifcfg-eth1 || echo "ifcfg-eth1 does not exist yet."
  # cat postinstallsetup/ifcfg-eth1 > /etc/sysconfig/network-scripts/ifcfg-eth1
  [ -f /etc/sysconfig/network-scripts/ifcfg-eth0 ] && cat postinstallsetup/ifcfg-eth1 > /etc/sysconfig/network-scripts/ifcfg-eth0 || echo "ifcfg-eth0 does not exist yet."
  sed -i 's/eth1/eth0/' /etc/sysconfig/network-scripts/ifcfg-eth0
  # cat postinstallsetup/ifcfg-eth0 > /etc/sysconfig/network-scripts/ifcfg-eth0
  # [ -f /etc/sysconfig/network-scripts/ifcfg-eth2 ] && cat postinstallsetup/ifcfg-eth2 > /etc/sysconfig/network-scripts/ifcfg-eth2 || echo "ifcfg-eth2 does not exist yet."
  # cat postinstallsetup/ifcfg-eth2 > /etc/sysconfig/network-scripts/ifcfg-eth2
  # [ -f /etc/sysconfig/network-scripts/ifcfg-eth3 ] && cat postinstallsetup/ifcfg-eth3 > /etc/sysconfig/network-scripts/ifcfg-eth3 || echo "ifcfg-eth3 does not exist yet."
  # cat postinstallsetup/ifcfg-eth3 > /etc/sysconfig/network-scripts/ifcfg-eth3
  [ -f /etc/sysconfig/autofs ] && cat postinstallsetup/autofs > /etc/sysconfig/autofs || echo "autofs does not exist yet."
  cat postinstallsetup/autofs > /etc/sysconfig/autofs
  [ -f /etc/autofs_ldap_auth.conf ] && cat postinstallsetup/autofs_ldap_auth.conf > /etc/autofs_ldap_auth.conf || echo "autofs_ldap_auth.conf does not exist yet."
  cat postinstallsetup/autofs_ldap_auth.conf > /etc/autofs_ldap_auth.conf
  [ -f /etc/ntp.conf ] && cat postinstallsetup/ntp.conf > /etc/ntp.conf || echo "ntp.conf does not exist yet."
  cat postinstallsetup/sudoers > /etc/sudoers
  [ -f /etc/sysconfig/iptables ] && cat postinstallsetup/iptables > /etc/sysconfig/iptables || echo "iptables does not exist yet."
  cat postinstallsetup/iptables > /etc/sysconfig/iptables
  [ -f /etc/sysconfig/ip6tables ] && cat postinstallsetup/ip6tables > /etc/sysconfig/ip6tables || echo "ip6tables does not exist yet."
  cat postinstallsetup/ip6tables > /etc/sysconfig/ip6tables
  [ -f /etc/sssd/sssd.conf ] && cat postinstallsetup/sssd.conf > /etc/sssd/sssd.conf || echo "sssd.conf does not exist yet."
  cat postinstallsetup/sssd.conf > /etc/sssd/sssd.conf
  chmod 600 /etc/sssd/sssd.conf
  [ -f /etc/rsyslog.d/tls.conf ] && cat postinstallsetup/tls.conf > /etc/rsyslog.d/tls.conf || echo "tls.conf does not exist yet."
  cat postinstallsetup/tls.conf > /etc/rsyslog.d/tls.conf
  chmod 600 /etc/rsyslog.d/tls.conf
  # Modify these files
  [ -f /etc/openldap/ldap.conf ] && tail -2 postinstallsetup/ldap.conf >> /etc/openldap/ldap.conf || cat postinstallsetup/ldap.conf > /etc/openldap/ldap.conf
  #This is done at the end of this ks with sed
  # [ -f /etc/gconf/gconf.xml.defaults/%gconf-tree.xml ] && cat postinstallsetup/%gconf-tree.xml > /etc/gconf/gconf.xml.defaults/%gconf-tree.xml || echo "%gconf-tree.xml does not exist yet."
  # cat postinstallsetup/%gconf-tree.xml > /etc/gconf/gconf.xml.defaults/%gconf-tree.xml
else
  echo "Could not get tar file"
fi
hwaddr=$( ifconfig eth0 | grep eth0| awk '{print $5}' )
sed -i "s/xx:xx:xx:xx:xx:xx/$hwaddr/" /etc/sysconfig/network-scripts/ifcfg-eth0
#hwaddr=$( ifconfig eth1 | grep eth1| awk '{print $5}' )
#sed -i "s/xx:xx:xx:xx:xx:xx/$hwaddr/" /etc/sysconfig/network-scripts/ifcfg-eth1
#hwaddr=$( ifconfig eth2 | grep eth2| awk '{print $5}' )
#sed -i "s/xx:xx:xx:xx:xx:xx/$hwaddr/" /etc/sysconfig/network-scripts/ifcfg-eth2
#hwaddr=$( ifconfig eth3 | grep eth3| awk '{print $5}' )
#sed -i "s/xx:xx:xx:xx:xx:xx/$hwaddr/" /etc/sysconfig/network-scripts/ifcfg-eth3
#sed -i "s/128.173.188.28/$aoeip4/" /etc/sysconfig/network-scripts/ifcfg-eth1
sed -i "s/128.173.188.28/$aoeip4/" /etc/sysconfig/network-scripts/ifcfg-eth0
#bounce the network
ifdown eth0
ifdown eth1
sed -i 's/NM_CONTROLLED="yes"/NM_CONTROLLED="no"/' /etc/sysconfig/network-scripts/ifcfg-*
echo -n "switch to the open network. Enter a username: "
read ksuser
ifup eth0
sleep 10
echo 'alexandria:/export/apps/aoe-linux-x86_64 /aoe nfs tcp 0 0' >> /etc/fstab
mkdir /aoe
mount /aoe
if [ $? -eq 0 ]; then
  cd /etc/profile.d
  ln -s /aoe/etc/aoe_profile.sh
  ln -s /aoe/etc/aoe_profile.csh
else
  echo " /aoe not mounted "
  read waithere
fi
#mkdir /l
chown root:root /l
chmod 777 /l
plymouth-set-default-theme details --rebuild-initrd
cp /etc/openldap/cacerts/authconfig_downloaded.pem /etc/pki/tls/certs/aoe-ca.pem
ln -s /etc/pki/tls/certs/aoe-ca.pem /etc/pki/tls/certs/`openssl x509 -hash -noout -in /etc/pki/tls/certs/aoe-ca.pem`.0
#
# Set the correct time
#
sed -i 's/0.rhel.pool.ntp.org/ntp-1.vt.edu/' /etc/ntp.conf
sed -i 's/1.rhel.pool.ntp.org/ntp-2.vt.edu/' /etc/ntp.conf
sed -i 's/2.rhel.pool.ntp.org/ntp-3.vt.edu/' /etc/ntp.conf
sed -i 's/3.rhel.pool.ntp.org/ntp-4.vt.edu/' /etc/ntp.conf
/usr/sbin/ntpdate -bus ntp-1.vt.edu ntp-2.vt.edu ntp-3.vt.edu ntp-4.vt.edu
/sbin/clock --systohc
cd /etc/pki/rsyslog
openssl genrsa -out key.pem 2048
chmod 400 key.pem
export HOSTNAME=$servername.aoe.vt.edu
openssl req -new -key key.pem -out request-$servername.req -config /aoe/etc/openssl.cnf -nodes
openssl req -text -in request-$servername.req -noout -verify
chmod 600 request*
#scp request* stedwar1@alexandria.aoe.vt.edu:~/sandbox/openssl/rsyslog
scp request* $ksuser@alexandria.aoe.vt.edu:~/sandbox/openssl/rsyslog
echo " run this on neptune:"
echo 'ps > certreq.exe -submit -attrib "CertificateTemplate:WebServerLoghostIPSec" ./request-'$servername'.req '$servername'.cer'
echo "press enter when complete"
read waithere
echo " scp may want a password here--wait for it to ask: "
#scp stedwar1@alexandria.aoe.vt.edu:~/sandbox/openssl/rsyslog/cert-$servername.cer cert.pem
scp $ksuser@alexandria.aoe.vt.edu:~/sandbox/openssl/rsyslog/cert-$servername.cer cert.pem
restorecon -RvF /etc/pki
sed -i "\/var\/log\/messages/a *.info;authpriv.none @@artemis.aoe.vt.edu:6514" /etc/rsyslog.conf
sed -i "\/var\/log\/messages/a #*.info;authpriv.none @loghost" /etc/rsyslog.conf
service rsyslog start
logger test
echo -n " user credentials: "
#kinit stedwar1
kinit $ksuser
export host=$servername
msktutil -u --server neptune --computer-name $host --user-creds-only -s host/$host.aoe.vt.edu -s host/$host --upn host/$host.aoe.vt.edu
if [ $? -ne 0 ]; then
  echo " There was a problem adding computer to domain. Hit return to continue. "
  read waithere
else
  echo " looks like the domain join worked. press return to continue "
  read waithere
fi
#change ldap.conf back
sed -i "s/TLS_REQCERT never/#TLS_REQCERT never/" /etc/openldap/ldap.conf
sed -i "s/^URI ldap/#URI ldap/" /etc/openldap/ldap.conf
#change the hostname in autofs_ldap_auth.conf
sed -i "s/changeme/$servername/" /etc/autofs_ldap_auth.conf
#Set default NFS version to 3 because file ownership does not work with v4
[ -f /etc/nfsmount.conf ] && sed -i "/# Defaultvers=4/a Defaultvers=3" /etc/nfsmount.conf || echo "nfsmount.conf does not exist"
#change default logon screen to disable user list
sed -i '/disable_user_list/ { N ; /disable_user_list/ { N ; s/false/true/ } }' /etc/gconf/gconf.xml.defaults/%gconf-tree.xml
%end
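The two kickstart files above share two shell idioms worth tightening when the files are next revised. The %pre sections pick SERVERNAME and AOEIP4 out of /proc/cmdline with `eval $x`, so whatever token follows the prefix is executed as shell; and the %post sections replace configs with `[ -f DEST ] && cat SRC > DEST || echo "... does not exist yet."` followed by a bare `cat SRC > DEST`, where the redirection truncates DEST before cat discovers SRC is missing from the tarball, and the echo fires on the cat failure rather than on a missing DEST. The helpers below are an added example, not code from the wiki's kickstart files: `parse_cmdline` does the %pre job with a `case` prefix match plus validation of the hostname label (one label only, since the kickstart appends .aoe.vt.edu itself) and of the IPv4 address, and `install_conf` does the %post job while refusing to touch the destination when the source is unreadable and keeping the previous copy. The function names, the sample command line and the temporary paths are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the wiki's kickstart files. Helpers for the kind of
# work the %pre and %post sections do, written so that a malformed kernel
# argument or a file missing from the setup tarball fails loudly instead of
# being eval'd or truncating a live config. Names and paths are constructed.

# Constructed stand-in for the contents of /proc/cmdline.
SAMPLE_CMDLINE='ro root=/dev/sda1 SERVERNAME=ws01 AOEIP4=192.168.2.10 quiet'

# valid_hostname LABEL: one DNS label (the kickstart appends .aoe.vt.edu).
# Letters, digits and hyphens only, no leading/trailing hyphen, at most 63 chars.
valid_hostname() {
    h=$1
    [ -n "$h" ] && [ ${#h} -le 63 ] || return 1
    case $h in
        *[!a-zA-Z0-9-]*|-*|*-) return 1 ;;
    esac
    return 0
}

# valid_ipv4 ADDR: exactly four decimal octets, each 0-255.
valid_ipv4() {
    oldifs=$IFS
    IFS=.
    set -- $1
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# parse_cmdline CMDLINE: pull SERVERNAME= and AOEIP4= out of the boot arguments
# with a prefix match instead of "eval $x", validate both, and print them as
# servername=... / aoeip4=... lines. Returns 1 at the first rejected value.
parse_cmdline() {
    servername=
    aoeip4=
    for tok in $1; do
        case $tok in
            SERVERNAME=*)
                servername=${tok#SERVERNAME=}
                valid_hostname "$servername" || { echo "rejecting SERVERNAME=$servername" >&2; return 1; }
                ;;
            AOEIP4=*)
                aoeip4=${tok#AOEIP4=}
                valid_ipv4 "$aoeip4" || { echo "rejecting AOEIP4=$aoeip4" >&2; return 1; }
                ;;
        esac
    done
    printf 'servername=%s\naoeip4=%s\n' "$servername" "$aoeip4"
}

# install_conf SRC DEST [MODE]: replace DEST with SRC. Leaves DEST alone when SRC
# is unreadable (a bare "cat SRC > DEST" truncates DEST first), keeps the old
# DEST as DEST.orig, applies MODE (default 0644) and relabels for SELinux when
# restorecon is present.
install_conf() {
    src=$1
    dest=$2
    mode=${3:-0644}
    if [ ! -r "$src" ]; then
        echo "install_conf: $src missing, leaving $dest untouched" >&2
        return 1
    fi
    if [ -f "$dest" ] && [ ! -f "$dest.orig" ]; then
        cp -p "$dest" "$dest.orig"
    fi
    cp "$src" "$dest" || return 1
    chmod "$mode" "$dest" || return 1
    if command -v restorecon >/dev/null 2>&1; then
        restorecon "$dest" >/dev/null 2>&1 || :
    fi
    return 0
}

# Demo run on the constructed command line.
parse_cmdline "$SAMPLE_CMDLINE"
```

In a kickstart, `parse_cmdline "$(cat /proc/cmdline)"` would feed the %pre stage and `install_conf postinstallsetup/sssd.conf /etc/sssd/sssd.conf 0600` each replacement in %post; a failed return is the cue to stop and read the console rather than continue with a half-configured host.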