Red Hat Enterprise Linux 6.5 Management Server
This article is the first, or actually the second, in a series about installing Red Hat Enterprise Linux at a company. Right now I work in a Windows based environment, but unfortunately for my colleagues not every application runs on Windows, especially the ones designed to do a lot of math based tasks, in this case risk calculations. In previous versions these applications were installed on physical hardware running Solaris and a rather ancient Red Hat edition. However, new releases bring new chances, and I had the chance to recreate everything from scratch, supported and well, on virtualized hardware. So I've already done my homework and put together a set of best practices for Red Hat on VMware, and created a design which includes a management server, an NFS server and all required application and database servers. This article is about the management server. The idea is that this server will be the central point in the Linux environment and will be used as an installation server for the OS as well as for software and patches, as the Mercurial versioning master repository, and for a few more smaller functions. More than that, this is the first server, so it will be installed from scratch, and this is the report.
At the end you can read how to use this management server to install other servers, which is then followed by a Post Install follow-up.
Enjoy.
Update: I also came up with a requirement to mount Windows shares to some of my Linux boxes, I finally opted for Windows NFS and documented that here.
Starting the Installation
Media used: rhel-server-6.5-x86_64-dvd.iso
We'll install a system with separate disks for the boot, swap and root filesystem. I created a VM with three disks:
- Disk 0: /boot (1 GB)
- Disk 1: swap (4 GB)
- Disk 2: / (30 GB)
- /tmp (5 GB)
- /var (5 GB)
As you can see, the third disk also provides space for the separate file systems /tmp and /var.
Note: I selected the vmxnet3 NIC and the PVSCSI adapter. Both already work during startup and installation.
After booting from the dvd, follow these steps to install the server:
- install or upgrade an existing system
- skip the media test
- Use English as installation language
- Use US English as keyboard
- Select Basic Storage Devices
- Choose to discard the data on the disks if there is any in the storage device warning
- Set the hostname to rhmgmtsrv
- In the same screen, click on the “Configure Network” button
- Select the “System eth0” network card and click edit
- Make sure to select both the “Available to all users” and the “Connect Automatically” checkboxes and proceed to the IPv4 Settings tab
- Set the method to Manual and configure the correct IP address, network mask, search domain and DNS servers. You can add multiple DNS servers or search domain by separating them with commas.
- Save all settings and proceed to the next screen.
- Set the timezone to Europe/Amsterdam and select the checkbox “System clock uses UTC”
- Select the “Create Custom Layout” so we can modify our own file system as described above
- Start by creating the boot file partition on the first disk like this:
- Then create the swap file on the second disk like this:
- Then create a LVM Physical Volume on the third disk like this:
- Then select to create a LVM Volume Group inside the LVM Physical Volume. You'll automatically get the chance to configure the logical volumes:
- Confirm that all existing data will be destroyed by formatting the disks
- Select to write all changes to disk
- Keep the defaults for the boot loader options
- Select the Minimal Installation Package because we will install additional software later. Keep the Red Hat Enterprise Linux repository.
- After pressing next the actual installation starts. Because the minimal installation was selected this won't take long.
- Afterwards you'll have to reboot and you're done.
You can now login as root on the console as well as over ssh.
Red Hat Server Registration and Subscriptions
The server needs to be registered with Red Hat to be able to download patches and get support. We first set the proxy settings so the subscription manager can reach the Red Hat Network (RHN), and then register the system.
[root@rhmgmtsrv ~]# subscription-manager config --server.proxy_hostname=proxy.getshifting.com --server.proxy_port=8080
[root@rhmgmtsrv ~]# subscription-manager register --username XXXXXXXX --password XXXXXXXX
The system has been registered with ID: 4c16763e-56f3-4975-9845-34828fhear20
[root@rhmgmtsrv ~]# yum update
Loaded plugins: product-id, subscription-manager
This system is registered to Red Hat Subscription Management, but is not receiving updates. You can use subscription-manager to assign subscriptions.
Setting up Update Process
No Packages marked for Update
The username and the password are listed in the password database.
Then we subscribe to the required channels so yum can download patches:
[root@rhmgmtsrv ~]# subscription-manager list --available
+-------------------------------------------+
    Available Subscriptions
+-------------------------------------------+
Subscription Name: Red Hat Enterprise Linux Server, Premium (Physical or Virtual Nodes)
Provides:          Red Hat Enterprise Linux Resilient Storage (for RHEL Server) - Extended Update Support
                   Red Hat Software Collections (for RHEL Server)
...<cut>...
[root@rhmgmtsrv ~]# subscription-manager attach --pool=8a85f56745f132a00145f3c17f7673gg
Successfully attached a subscription for: Red Hat Enterprise Linux Server, Premium (Physical or Virtual Nodes)
Now yum updates will work.
For more information regarding subscription manager see:
VMware Tools
Because the server is virtual, we need the VMware Tools so the server can properly be managed by the VMware hypervisor. Mount the VMware Tools CD through the option in vCenter and issue these commands:
mkdir /mnt/cdrom
mount /dev/cdrom /mnt/cdrom
cp /mnt/cdrom/VM....gz /tmp
cd /tmp
gunzip VM....gz
tar -xf VM....tar
cd vmware-tools-distrib
./vmware-install.pl
Note: Keep all defaults during the installation. You'll also need perl for running the script:
- yum install perl
For more information on installing the tools see:
- http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1018392
Create a Repo From the Installation DVD
I want to use this server as an installation server for the other Red Hat servers, so I want to create a repo from the installation DVD so most installs can be done over the local network instead of over the internet. I added an extra disk through the vCenter options.
Configure an Extra Disk
First list the devices of the system so you can locate the new disk:
- ls /dev/
Partition the new disk with LVM:
- fdisk -cu /dev/sdd
- Command: n (Add a new partition)
- Partition number: 1
- Keep defaults for sectors (use entire disk)
- Command: t (change a partition's system id)
- 8e (for Linux LVM)
- Command: w (write table to disk and exit)
Show current Volume Groups:
- vgs
Create new volume group on the partitioned disk:
- vgcreate vg_rhmgmtsrv_data /dev/sdd1
Create a logical volume in the volume group:
- lvcreate -n data -l 100%FREE vg_rhmgmtsrv_data
Create the mountpoint:
- mkdir /data
Format the filesystem on the logical volume:
- mkfs.ext4 /dev/vg_rhmgmtsrv_data/data
Add the filesystem to the /etc/fstab file:
- vim /etc/fstab
/dev/mapper/vg_rhmgmtsrv_data-data /data ext4 defaults 1 2
Mount the filesystem:
- mount /data
Create the Repo
Creating the repo is quite simple. We create a directory, copy the packages to that directory and run a command to generate the metadata. Because we want to use the same directory structure as an installation server, we also copy the images and repodata directories. These are not required for creating the repo, just for the installation server:
Mount the installation dvd:
- mount /dev/cdrom /mnt/cdrom/
Make the repo directory:
- mkdir /data/repo-dvd65
Change directory to the cdrom root:
- cd /mnt/cdrom
Copy all required data:
- cp -R Packages/* /data/repo-dvd65/Packages
- cp -R images/* /data/repo-dvd65/images
- cp -R repodata/* /data/repo-dvd65/repodata
Then install the createrepo package:
- yum install createrepo
Now find the <hash>-comps-rhel6-Server.xml file in the repodata directory and copy it to the Packages directory. You need the xml file so groupinfo is included in the repo and groupinstalls are possible as well:
- cd /mnt/cdrom/repodata
- cp 6221039e7e3dabf7d538c76571d82aaf42b6292b8f6fe6cf56b8fcf1cff3d3ab-comps-rhel6-Server.xml /data/repo-dvd65/Packages
Run the createrepo command:
- createrepo -g 6221039e7e3dabf7d538c76571d82aaf42b6292b8f6fe6cf56b8fcf1cff3d3ab-comps-rhel6-Server.xml /data/repo-dvd65/Packages
Now you can add the repo to install packages and groups of packages.
Add the Repo for Usage
Add a file called dvd.repo in the /etc/yum.repos.d directory and add the following lines:
[dvd]
name=Red Hat 6.5 Installation DVD
baseurl=file:///data/repo-dvd65/Packages
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
enabled=1
You can now use the repo. If you run into any problem, try running the yum clean all command. Run this command to see the available groups:
- yum --disablerepo="*" --enablerepo="dvd" grouplist
Install Desktop Group from DVD Repo
Run the following command to disable the Red Hat repos and just use the dvd repo to install the Desktop group:
- yum --disablerepo="*" --enablerepo="dvd" groupinstall "Desktop"
AD Authentication
We want to be able to log on using our AD accounts. For this to work you first need the UNIX services for AD to be installed as described here: AD Identity Management for Unix.
Note that in this setup we use a two-label domain called getshifting.local. The NETBIOS name of the domain is GETSHIFTING. The AD services are spread over different servers, so read very closely. The domain controller is called dcserver and is also the DNS server (IP 10.10.10.53). You can recognize the IP addresses because the last octet is usually the default port of the service running there. Note that all Kerberos and AD related configuration is case sensitive. Don't mix them up.
You also need to setup some other services to make sure everything works correctly:
- Make sure SELinux is set to enforcing
- configure ntp:
- yum install ntp
- edit /etc/ntp.conf:
tinker panic 0
driftfile /var/lib/ntp/drift
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict -6 ::1
server 10.10.10.123
includefile /etc/ntp/crypto/pw
keys /etc/ntp/keys
- start and enable ntpd:
service ntpd start
chkconfig ntpd on
- DNS is setup like this in /etc/resolv.conf:
# Generated by NetworkManager
search getshifting.local
nameserver 10.10.10.53
nameserver 10.10.10.153
- the host is configured with its FQDN in /etc/sysconfig/network:
NETWORKING=yes
HOSTNAME=rhmgmtsrv.getshifting.local
GATEWAY=10.10.10.254
- Install required software:
- yum groupinstall directory-client
- yum install openldap-clients
- yum install authconfig-gtk
Configuration
For now we'll use the graphical tool for the initial setup. If you're interested in the command line to do the same, check the kickstart file below; the same commands are listed there as well.
Setup kerberos in the /etc/krb5.conf file like this:
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log
[libdefaults]
 default_realm = GETSHIFTING.LOCAL
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
[realms]
 GETSHIFTING.LOCAL = {
  kdc = dcserver.getshifting.local
  admin_server = dcserver.getshifting.local
 }
[domain_realm]
 .getshifting.local = GETSHIFTING.LOCAL
 getshifting.local = GETSHIFTING.LOCAL
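Because the realm name has to be spelled identically and in upper case in every section, here is an added check (example code, not part of the original article) that parses a krb5.conf like the one above and reports any inconsistent or lower-case realm spelling. The two sample files are constructed here; on a live system you would feed it /etc/krb5.conf.

```shell
#!/bin/sh
# Added example, not part of the original article: verify that a krb5.conf
# spells the realm the same way everywhere and in upper case. Kerberos realm
# names are case sensitive, so GETSHIFTING.LOCAL and Getshifting.local are two
# different realms, and a single slip breaks kinit and the sssd GSSAPI bind.

# krb5_realm_names  (reads a krb5.conf on stdin)
# Prints every realm name the file refers to, one per line:
#   default_realm in [libdefaults], the "NAME = {" keys in [realms],
#   and the mapped values in [domain_realm].
krb5_realm_names() {
    awk '
        /^[ \t]*\[/ {                       # section header, e.g. "[realms]"
            section = $0
            sub(/^[ \t]*\[/, "", section)
            sub(/\].*$/, "", section)
            next
        }
        section == "libdefaults"  && $1 == "default_realm" && $2 == "=" { print $3 }
        section == "realms"       && $2 == "=" && $3 == "{"             { print $1 }
        section == "domain_realm" && $2 == "="                          { print $3 }
    '
}

# krb5_realm_case_ok  (reads a krb5.conf on stdin)
# Returns 0 when exactly one realm spelling is used and it is upper case,
# 1 otherwise, reporting the problem on stderr.
krb5_realm_case_ok() {
    names=$(krb5_realm_names | sort -u)
    if [ -z "$names" ]; then
        echo "no realm found" >&2
        return 1
    fi
    count=$(printf '%s\n' "$names" | wc -l | tr -d ' ')
    if [ "$count" -ne 1 ]; then
        echo "realm is spelled $count different ways:" >&2
        printf '  %s\n' $names >&2
        return 1
    fi
    if [ "$names" != "$(printf '%s' "$names" | tr 'a-z' 'A-Z')" ]; then
        echo "realm $names is not upper case" >&2
        return 1
    fi
}

# Constructed sample 1: the article's configuration, consistent and upper case
GOOD_CONF='[logging]
 default = FILE:/var/log/krb5libs.log
[libdefaults]
 default_realm = GETSHIFTING.LOCAL
 dns_lookup_realm = false
[realms]
 GETSHIFTING.LOCAL = {
  kdc = dcserver.getshifting.local
  admin_server = dcserver.getshifting.local
 }
[domain_realm]
 .getshifting.local = GETSHIFTING.LOCAL
 getshifting.local = GETSHIFTING.LOCAL'

# Constructed sample 2: one mixed-case slip in the [domain_realm] mapping
BAD_CONF='[libdefaults]
 default_realm = GETSHIFTING.LOCAL
[realms]
 GETSHIFTING.LOCAL = {
  kdc = dcserver.getshifting.local
 }
[domain_realm]
 .getshifting.local = GETSHIFTING.LOCAL
 getshifting.local = Getshifting.local'

# Run both samples; the live check is simply: krb5_realm_case_ok < /etc/krb5.conf
if printf '%s\n' "$GOOD_CONF" | krb5_realm_case_ok; then
    echo "sample 1: realm spelling consistent"
fi
if ! printf '%s\n' "$BAD_CONF" | krb5_realm_case_ok; then
    echo "sample 2: rejected as expected"
fi
```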
Start the graphical tool from the graphical environment:
- system-config-authentication
Configure like this:
And this:
Check if you can get a kerberos ticket with these commands:
- kdestroy
- klist
- kinit adminsjoerd@GETSHIFTING.LOCAL
Then create a computer object in AD like this
And like this:
Then, on a domain controller as a domain admin, enter these commands to create a keytab file:
- setspn -A host/rhmgmtsrv.getshifting.local@getshifting.local rhmgmtsrv
- Check with: setspn -L rhmgmtsrv
- ktpass /princ host/rhmgmtsrv.getshifting.local@GETSHIFTING.LOCAL /out rhmgmtsrv.keytab /crypto all /ptype KRB5_NT_PRINCIPAL -desonly /mapuser GETSHIFTING\rhmgmtsrv$ +rndPass
- Confirm to reset the password with “y”
- Note that these commands are case sensitive, what is listed with capitals should be entered like that
Now upload the created rhmgmtsrv.keytab to the rhmgmtsrv using sftp and make the following changes:
- mv /tmp/rhmgmtsrv.keytab /etc/krb5.keytab
- chmod 0600 /etc/krb5.keytab
- restorecon /etc/krb5.keytab
- You can check the SELinux type with ls -lZ *.keytab from the /etc directory
Check if the keytab file can be used:
- kinit -k -t /etc/krb5.keytab host/rhmgmtsrv.getshifting.local@GETSHIFTING.LOCAL
- klist
Check if a LDAP search can be done:
- ldapsearch -H ldap://dcserver/ -Y GSSAPI -N -b DC=GETSHIFTING,DC=LOCAL “(&(objectclass=user)(sAMAccountName=sjoerd))”
- This will generate a lot of output if successful, but check the second line. It should read:
- SASL username: host/rhmgmtsrv.getshifting.local@GETSHIFTING.LOCAL
- Modify the /etc/sssd/sssd.conf file like this:
[domain/default]
ldap_id_use_start_tls = False
cache_credentials = True
ldap_search_base = dc=getshifting,dc=local
krb5_realm = GETSHIFTING.LOCAL
krb5_server = DCSERVER.GETSHIFTING.LOCAL
id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
ldap_uri = ldap://10.10.10.53/
ldap_tls_cacertdir = /etc/openldap/cacerts
krb5_kpasswd = DCSERVER.GETSHIFTING.LOCAL
access_provider = ldap
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/rhmgmtsrv.getshifting.local@GETSHIFTING.LOCAL
ldap_schema = rfc2307bis
ldap_user_object_class = user
ldap_user_home_directory = unixHomeDirectory
ldap_user_principal = userPrincipalName
ldap_user_name = sAMAccountName
ldap_group_object_class = group
ldap_access_order = expire
ldap_account_expire_policy = ad
ldap_force_upper_case_realm = true
ldap_disable_referrals = true
[sssd]
services = nss, pam
config_file_version = 2
domains = default
[nss]
[pam]
[sudo]
[autofs]
[ssh]
[pac]
Now restart the sssd service:
- service sssd restart
You can now logon using the AD accounts that you have configured like this:
[sjoerd.NL0W5884] ➤ ssh adminsjoerd@rhmgmtsrv
adminsjoerd@rhmgmtsrv's password:
Creating home directory for adminsjoerd.
/usr/bin/xauth: creating new authority file /home/adminsjoerd/.Xauthority
[adminsjoerd@rhmgmtsrv ~]$ pwd
/home/adminsjoerd
[adminsjoerd@rhmgmtsrv ~]$ id
uid=24584(adminsjoerd) gid=10000(UNIX-Server-AdminGroup) groups=10000(UNIX-Server-AdminGroup) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Note that later on the location of the home directory will change due to autofs.
Also note that the username is case sensitive on Unix, meaning that if your AD account was created with capitals you'll also need to log on using capitals. I checked, and so far you can change the AD username to lower case without any issue.
Restrict SSH Access
I want to restrict SSH access to just the Server Admins and the Server TAM members. Therefore I need to add the following line to the /etc/ssh/sshd_config file:
AllowGroups UNIX-Server-AdminGroup UNIX-Server-AppMgmt
Configure SUDO
I want the members of the Server Admins group to be able to use sudo. Use the visudo command to add this line to the /etc/sudoers file:
%UNIX-Server-AdminGroup ALL=(ALL) NOPASSWD: ALL
Configure XRDP
I want my Windows oriented colleagues to also be able to log on using rdp/mstsc. Therefore I will install xrdp, which is part of the EPEL repo. Download the EPEL repo package and key from http://mirror.serverbeheren.nl/epel/6/i386/repoview/epel-release.html. Then install the package and import the key like this:
- rpm -i epel-release-6-8.noarch.rpm
- rpm --import RPM-GPG-KEY-EPEL-6
Configure yum to be able to use a proxy by adding this line to the /etc/yum.conf file:
proxy=http://proxy.getshifting.com:8080
Then install and enable the xrdp package:
- yum install xrdp
- chkconfig xrdp on
- service xrdp start
Then allow connections through the firewall:
- iptables -I INPUT -p tcp --dport 3389 -j ACCEPT
- service iptables save
Install Other Software
Just like this:
- yum install man nfs-utils telnet vim-enhanced lsof ftp zip unzip setroubleshoot-server -y -q
Configure AutoFS for HomeDirs
This requires you to create an NFS server first. Then set up these two files:
- vi /etc/auto.master
/home/GETSHIFTING /etc/auto.homedir -nobrowse
- vi /etc/auto.homedir
* redhatnfsserver:/data/all-servers-home/&
Then restart the autofs service:
- service autofs restart
Note that you need to cd to the complete path; you can't use <TAB> completion.
Syslog Server
I also want my management server to function as a syslog server. I want all clients to forward any message of priority warning or higher to the management server, so that in case of a failure at least some messages are saved for investigation.
Setup Syslog Server
Because the rsyslog package has already been installed this is quite an easy setup. Edit the /etc/rsyslog.conf file to uncomment these lines:
# Provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514
# Provides TCP syslog reception
$ModLoad imtcp
$InputTCPServerRun 514
Then restart the rsyslog daemon:
sudo service rsyslog restart
Now open the udp/tcp ports for syslog:
sudo iptables -I INPUT -p tcp --dport 514 -j ACCEPT
sudo iptables -I INPUT -p udp --dport 514 -j ACCEPT
service iptables save
Now the server part is done.
Setup Syslog Client
Setting up the syslog client is even easier. Edit the /etc/rsyslog.conf file again and add these lines:
# SIEM Forwarding
*.debug @10.10.10.93
# Management Server syslog forwarding
*.warning @rhmgmtsrv.getshifting.local
Note that the first line is for a SIEM appliance, which requires all messages for security analysis.
Test Client
Since we configured that only warning messages and higher are sent to the management server, we should test that with logger, a syslog test utility:
logger -p error "Test from redhatnfsserver for an error message"
logger -p warning "Test from redhatnfsserver for a warning message"
This will show the following lines in the /var/log/messages file on the management server:
Aug 7 14:16:41 redhatnfsserver adminsjoerd: Test from redhatnfsserver for an error message
Aug 7 14:16:41 redhatnfsserver adminsjoerd: Test from redhatnfsserver for a warning message
It works!
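To predict which logger tests should show up on the management server and which should stay local, here is an added example (not from the original article) that emulates how rsyslog evaluates a selector such as *.warning: a plain priority matches that severity and everything more severe, so error and warning are forwarded while notice, info and debug are not.

```shell
#!/bin/sh
# Added example, not part of the original article: emulate the rsyslog
# selector "*.warning" used above so that the outcome of a `logger -p`
# test can be predicted before looking at /var/log/messages.

# severity_num PRIORITY
# Prints the numeric syslog severity of a priority name (0 = emerg ... 7 =
# debug); a lower number is more severe. Returns 1 for an unknown name.
severity_num() {
    case "$1" in
        emerg|panic)  echo 0 ;;
        alert)        echo 1 ;;
        crit)         echo 2 ;;
        err|error)    echo 3 ;;
        warning|warn) echo 4 ;;
        notice)       echo 5 ;;
        info)         echo 6 ;;
        debug)        echo 7 ;;
        *)            return 1 ;;
    esac
}

# selector_matches SELECTOR FACILITY PRIORITY
# SELECTOR is "facility.priority" as written in rsyslog.conf, e.g. "*.warning"
# or "auth.info". A plain priority matches that severity and every more
# severe one, exactly like the "*.warning @rhmgmtsrv..." line in the article.
# Returns 0 when a message of FACILITY/PRIORITY would be selected, 1 otherwise.
selector_matches() {
    sel_fac=${1%%.*}
    sel_pri=${1##*.}
    msg_fac=$2
    msg_pri=$3

    # facility part: "*" matches any facility, anything else must be equal
    if [ "$sel_fac" != "*" ] && [ "$sel_fac" != "$msg_fac" ]; then
        return 1
    fi

    # priority part: "*" selects every severity, "none" selects nothing
    case "$sel_pri" in
        '*')  return 0 ;;
        none) return 1 ;;
    esac

    sel_n=$(severity_num "$sel_pri") || return 1
    msg_n=$(severity_num "$msg_pri") || return 1
    [ "$msg_n" -le "$sel_n" ]
}

# would_forward PRIORITY
# Does the article's "*.warning" client rule forward a `logger -p PRIORITY`
# message (logger uses the user facility by default)?
would_forward() {
    selector_matches '*.warning' user "$1"
}

# Demonstration: the two logger tests from the article plus a notice message
for pri in error warning notice; do
    if would_forward "$pri"; then
        echo "logger -p $pri ... -> forwarded to the management server"
    else
        echo "logger -p $pri ... -> stays local (below *.warning)"
    fi
done
```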
Create Syslog Report
Of course I want to receive a report from all these messages, all sorted out nicely, so I created this scheduled report.
KickStart Installation Server
Kickstart is Red Hat's automated installation method. I want to be able to install custom servers using kickstart. To do so I will use a webserver and custom kickstart files.
Deploy Web Server
Deploy the required webserver like this, start with the installation, then enable the webserver:
- yum install httpd
- service httpd start
- chkconfig httpd on
Then open the firewall ports:
- iptables -I INPUT -p tcp --dport 80 -j ACCEPT
- service iptables save
Then configure the webserver with aliases so the required data can be accessed. Add this info to the appropriate section in /etc/httpd/conf/httpd.conf:
Alias /dvdinstall/ "/data/repo-dvd65/"
<Directory "/data/repo-dvd65/">
    Options Indexes MultiViews FollowSymLinks
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>
Alias /getshiftinginstall/ "/data/repo-getshifting/"
<Directory "/data/repo-getshifting/">
    Options Indexes MultiViews FollowSymLinks
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>
Then set the SELinux context correct:
- semanage fcontext -a -t httpd_sys_content_t '/data(/.*)?'
- restorecon -Rv /data/
And restart the webserver:
- service httpd restart
Add VMware Tools to WebServer
Because we will use this later for the automated installation, add the tools tarball you used to install the tools on this server to the following directory. If you already deleted it you can get it again from the tools CD after mounting it:
- mount /dev/cdrom /mnt
- mkdir -p /data/repo-getshifting
- cp /mnt/VMwareTools-9.0.5-1065307.tar.gz /data/repo-getshifting/
- restorecon -Rv /data/
Custom Kickstart File
# Kickstart file created by sjoerd
# Version: 0.8 - 7 august 2014
# Added SCOM configuration, SYSLOG and variables for redhat subscription manager
# Version: 0.7 - 6 august 2014
# Added Oracle and Mercurial Client
# Version: 0.6 - 25 july 2014
# Added NetBackup client and configuration
# Note:
# The disk setup in this kickstart file is like this:
# Disk 0 : /boot (disk size preferred 1 GB)
# Disk 1 : swap (disk size minimum of RAM up to 4 GB)
# Disk 2 : LVM for / (20 GB), /var (5 GB) and /tmp (remaining disk space)
# Installation Source is the rhmgmtsrv/10.10.10.80
install
url --url http://10.10.10.80/dvdinstall/
# Language and KeyBoard Settings
lang en_US.UTF-8
keyboard us
# Network Configuration; keep default on dhcp or create custom kickstart file with network already configured
# network --device eth0 --bootproto dhcp
network --onboot yes --device eth0 --bootproto static --ip 10.10.10.100 --netmask 255.255.0.0 --gateway 10.10.10.254 --noipv6 --nameserver 10.10.10.53,10.10.10.153 --hostname clientname.getshifting.local
# Security Settings
rootpw --iscrypted $6$OE0oJEAUjSVc.ft1$njQ9HO7LAZo18iABAXKMc8uNp5ONhmY/qvstu7/VngxYG60cPoHI5Ta2NKYt/kABhYSIjn1eDcMtw9AkFYHvx1
# Enable firewall and open ports for xrdp and netbackup
firewall --service=ssh --port=3389:tcp,1556:tcp,13722:tcp,13724:tcp,13782:tcp
authconfig --enableshadow --passalgo=sha512
selinux --enforcing
timezone --utc Europe/Amsterdam
# Where should the bootdisk be placed
bootloader --location=mbr --driveorder=sda,sdb,sdc --append="crashkernel=auto rhgb quiet"
# Partitioning
zerombr yes
clearpart --all --initlabel
# Create boot disk, minimum size 200 MB, grow to maximum, primary partition
part /boot --fstype=ext4 --grow --asprimary --size=200
# create swap disk
part swap --grow --asprimary --size=200
# Use LVM partition on third disk for remaining file systems
part pv.008033 --grow --asprimary --size=200
volgroup vg_linuxbox --pesize=4096 pv.008033
logvol / --fstype=ext4 --name=LogVol00 --vgname=vg_linuxbox --size=20480
logvol /var --fstype=ext4 --name=LogVol01 --vgname=vg_linuxbox --size=5120
logvol /tmp --fstype=ext4 --name=LogVol02 --vgname=vg_linuxbox --size=200 --grow
# Reboot after installation
reboot --eject
# Package(groups) to be installed
%packages
@core
@server-policy
@desktop
@directory-client
authconfig-gtk
createrepo
dos2unix
ftp
ksh
lsof
mailx
man
nfs-utils
ntp
oddjob-mkhomedir
openldap-clients
perl
policycoreutils-gui
setroubleshoot-server
system-config-firewall
telnet
unzip
vim-enhanced
xorg-x11-apps
zip
# Required packages for business application
openmotif
%end
# Post installation scripts
%post --log=/root/post_install.log
# ==========================================================================
# Set Installation Variables
HOSTF=`hostname -f`
HOST=`hostname -s`
NTPSERVER=10.10.10.123
INSTALLSERVER=rhmgmtsrv
LDAPIP=10.10.10.53
LDAPBASE=dc=getshifting,dc=local
KRBSERVER=DCSERVER.GETSHIFTING.LOCAL
KRBREALM=GETSHIFTING.LOCAL
NFSSERVER=redhatnfsserver
PROXYSERVER=proxy.getshifting.com
PROXYPORT=8080
REDHATUSER=rhgetshifting
REDHATPASS=XXXXXXXXX
SCOMUSER=sa-linux-scom
SYSLOGSERVER=rhmgmtsrv.getshifting.local
SYSLOGSIEM=10.10.10.93
RELAYHOST=relaysmtphost.getshifting.local
MAILDOMAIN=getshifting.com
# ==========================================================================
# Overwrite NTP config
mv /etc/ntp.conf /etc/ntp.orig
echo "# GETSHIFTING NTP Config" > /etc/ntp.conf
echo "tinker panic 0" >> /etc/ntp.conf
echo "driftfile /var/lib/ntp/drift" >> /etc/ntp.conf
echo "restrict default kod nomodify notrap nopeer noquery" >> /etc/ntp.conf
echo "restrict -6 default kod nomodify notrap nopeer noquery" >> /etc/ntp.conf
echo "restrict 127.0.0.1" >> /etc/ntp.conf
echo "restrict -6 ::1" >> /etc/ntp.conf
echo "server ${NTPSERVER}" >> /etc/ntp.conf
echo "includefile /etc/ntp/crypto/pw" >> /etc/ntp.conf
echo "keys /etc/ntp/keys" >> /etc/ntp.conf
chkconfig ntpd on
# ==========================================================================
# Add DVD Repo
echo "[dvd]" > /etc/yum.repos.d/dvd.repo
echo "name=Red Hat 6.5 Installation DVD" >> /etc/yum.repos.d/dvd.repo
echo "baseurl=http://${INSTALLSERVER}/dvdinstall/" >> /etc/yum.repos.d/dvd.repo
echo "gpgcheck=1" >> /etc/yum.repos.d/dvd.repo
echo "gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release" >> /etc/yum.repos.d/dvd.repo
echo "enabled=1" >> /etc/yum.repos.d/dvd.repo
# ==========================================================================
# Automate VMware Tools Installation
wget -O /tmp/tools.tar.gz http://${INSTALLSERVER}/getshiftinginstall/VMwareTools-9.0.5-1065307.tar.gz
cd /tmp
tar xzf /tmp/tools.tar.gz
cd /tmp/vmware-tools-distrib
./vmware-install.pl -d
# ==========================================================================
# Automate NetBackup Installation
mkdir -p /usr/openv/netbackup
echo "SERVER = backupserver01.getshifting.local" >> /usr/openv/netbackup/bp.conf
echo "SERVER = backupserver001b.getshifting.local" >> /usr/openv/netbackup/bp.conf
echo "SERVER = backupserver401a.getshifting.local" >> /usr/openv/netbackup/bp.conf
echo "SERVER = backupserver405.getshifting.local" >> /usr/openv/netbackup/bp.conf
echo "SERVER = backupserver005.getshifting.local" >> /usr/openv/netbackup/bp.conf
echo "CLIENT_NAME = ${HOSTF}" >> /usr/openv/netbackup/bp.conf
wget -O /tmp/NB7601RH.tar http://${INSTALLSERVER}/getshiftinginstall/NB7601RH.tar
cd /tmp
tar -xf /tmp/NB7601RH.tar
sed -i 's/read ans/#read ans/g' /tmp/NetBackup_7.6.0.1_CLIENTS2/install
sed -i 's/read ans/#read ans/g' /tmp/NetBackup_7.6.0.1_CLIENTS2/NBClients/catalog/anb/client.inst
cd /tmp/NetBackup_7.6.0.1_CLIENTS2
./install
# ==========================================================================
# Set Default Runlevel to 3
sed -i 's/id:5:initdefault:/id:3:initdefault:/g' /etc/inittab
# ==========================================================================
# Configure AD Authentication
## Set AD Authentication Settings
authconfig --enableldap --ldapserver=ldap://${LDAPIP} --ldapbasedn="${LDAPBASE}" --update
authconfig --enablekrb5 --krb5realm ${KRBREALM} --krb5kdc ${KRBSERVER} --krb5adminserver ${KRBSERVER} --update
authconfig --enablemkhomedir --update
## Download AD kerberos keytab
## Change keytab name to match new one
wget -O /etc/krb5.keytab http://${INSTALLSERVER}/getshiftinginstall/${HOST}.keytab
chmod 0600 /etc/krb5.keytab
restorecon /etc/krb5.keytab
## Set SSSD Config file
cp -p /etc/sssd/sssd.conf /etc/sssd/sssd.orig
echo "[domain/default]" > /etc/sssd/sssd.conf
echo "ldap_id_use_start_tls = False" >> /etc/sssd/sssd.conf
echo "cache_credentials = True" >> /etc/sssd/sssd.conf
echo "ldap_search_base = dc=getshifting,dc=local" >> /etc/sssd/sssd.conf
echo "krb5_realm = ${KRBREALM}" >> /etc/sssd/sssd.conf
echo "krb5_server = ${KRBSERVER}" >> /etc/sssd/sssd.conf
echo "id_provider = ldap" >> /etc/sssd/sssd.conf
echo "auth_provider = krb5" >> /etc/sssd/sssd.conf
echo "chpass_provider = krb5" >> /etc/sssd/sssd.conf
echo "ldap_uri = ldap://${LDAPIP}/" >> /etc/sssd/sssd.conf
echo "ldap_tls_cacertdir = /etc/openldap/cacerts" >> /etc/sssd/sssd.conf
echo "krb5_kpasswd = ${KRBSERVER}" >> /etc/sssd/sssd.conf
echo "access_provider = ldap" >> /etc/sssd/sssd.conf
echo "ldap_sasl_mech = GSSAPI" >> /etc/sssd/sssd.conf
## Match servername to new one
echo "ldap_sasl_authid = host/${HOSTF}@${KRBREALM}" >> /etc/sssd/sssd.conf
echo "ldap_schema = rfc2307bis" >> /etc/sssd/sssd.conf
echo "ldap_user_object_class = user" >> /etc/sssd/sssd.conf
echo "ldap_user_home_directory = unixHomeDirectory" >> /etc/sssd/sssd.conf
echo "ldap_user_principal = userPrincipalName" >> /etc/sssd/sssd.conf
echo "ldap_user_name = sAMAccountName" >> /etc/sssd/sssd.conf
echo "ldap_group_object_class = group" >> /etc/sssd/sssd.conf
echo "ldap_access_order = expire" >> /etc/sssd/sssd.conf
echo "ldap_account_expire_policy = ad" >> /etc/sssd/sssd.conf
echo "ldap_force_upper_case_realm = true" >> /etc/sssd/sssd.conf
echo "ldap_disable_referrals = true" >> /etc/sssd/sssd.conf
echo " " >> /etc/sssd/sssd.conf
echo "[sssd]" >> /etc/sssd/sssd.conf
echo "services = nss, pam" >> /etc/sssd/sssd.conf
echo "config_file_version = 2" >> /etc/sssd/sssd.conf
echo "domains = default" >> /etc/sssd/sssd.conf
echo " " >> /etc/sssd/sssd.conf
echo "[nss]" >> /etc/sssd/sssd.conf
echo " " >> /etc/sssd/sssd.conf
echo "[pam]" >> /etc/sssd/sssd.conf
echo " " >> /etc/sssd/sssd.conf
echo "[sudo]" >> /etc/sssd/sssd.conf
echo " " >> /etc/sssd/sssd.conf
echo "[autofs]" >> /etc/sssd/sssd.conf
echo " " >> /etc/sssd/sssd.conf
echo "[ssh]" >> /etc/sssd/sssd.conf
echo " " >> /etc/sssd/sssd.conf
echo "[pac]" >> /etc/sssd/sssd.conf
echo " " >> /etc/sssd/sssd.conf
service sssd restart
## Add permissions in sshd_config file
echo " " >> /etc/ssh/sshd_config
echo "# Only allow users in these groups to access over ssh" >> /etc/ssh/sshd_config
echo "AllowGroups UNIX-Server-AdminGroup UNIX-Server-AppMgmt" >> /etc/ssh/sshd_config
## Add permissions into sudoers file
echo " " >> /etc/sudoers
echo "# GETSHIFTING Specific Permissions" >> /etc/sudoers
echo "%UNIX-Server-AdminGroup ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers
# ==========================================================================
# Install and configure xRDP
wget -O /tmp/xrdp.rpm http://${INSTALLSERVER}/getshiftinginstall/xrdp-0.5.0-0.13.el6.x86_64.rpm
yum localinstall /tmp/xrdp.rpm -y
chkconfig xrdp on
# ==========================================================================
# Install Mercurial
# Note that the mercurial version included in the Red Hat installation dvd is outdated and cannot be used
wget -O /tmp/mercurial.rpm http://${INSTALLSERVER}/getshiftinginstall/mercurial-2.2.2-1.el6.rfx.x86_64.rpm
yum localinstall /tmp/mercurial.rpm -y
# ==========================================================================
# Install Oracle Instant Client - all packages
wget -O /tmp/oraclebasic.rpm http://${INSTALLSERVER}/getshiftinginstall/oracle-instantclient11.2-basic-11.2.0.3.0-1.x86_64.rpm
yum localinstall /tmp/oraclebasic.rpm -y
wget -O /tmp/oracledevel.rpm http://${INSTALLSERVER}/getshiftinginstall/oracle-instantclient11.2-devel-11.2.0.3.0-1.x86_64.rpm
yum localinstall /tmp/oracledevel.rpm -y
wget -O /tmp/oraclejdbc.rpm http://${INSTALLSERVER}/getshiftinginstall/oracle-instantclient11.2-jdbc-11.2.0.3.0-1.x86_64.rpm
yum localinstall /tmp/oraclejdbc.rpm -y
wget -O /tmp/oracleodbc.rpm http://${INSTALLSERVER}/getshiftinginstall/oracle-instantclient11.2-odbc-11.2.0.3.0-1.x86_64.rpm
yum localinstall /tmp/oracleodbc.rpm -y
wget -O /tmp/oracleprecomp.rpm http://${INSTALLSERVER}/getshiftinginstall/oracle-instantclient11.2-precomp-11.2.0.3.0-1.x86_64.rpm
yum localinstall /tmp/oracleprecomp.rpm -y
wget -O /tmp/oraclesqlplus.rpm http://${INSTALLSERVER}/getshiftinginstall/oracle-instantclient11.2-sqlplus-11.2.0.3.0-1.x86_64.rpm
yum localinstall /tmp/oraclesqlplus.rpm -y
wget -O /tmp/oracletools.rpm http://${INSTALLSERVER}/getshiftinginstall/oracle-instantclient11.2-tools-11.2.0.3.0-1.x86_64.rpm
yum localinstall /tmp/oracletools.rpm -y
# ==========================================================================
# SCOM Monitoring configuration
echo " " >> /etc/sudoers
echo "#General requirements for OpsMgr service account " >> /etc/sudoers
echo "Defaults:${SCOMUSER}" '!requiretty' >> /etc/sudoers
echo " " >> /etc/sudoers
echo "#Agent discovery, installation, certificate signing, and maintenance tasks " >> /etc/sudoers
echo "${SCOMUSER} ALL=(root) NOPASSWD: /bin/sh -c cp /tmp/scx-${SCOMUSER}/scx.pem /etc/opt/microsoft/scx/ssl/scx.pem; rm -rf /tmp/scx-${SCOMUSER}; /opt/microsoft/scx/bin/tools/scxadmin -restart " >> /etc/sudoers
echo "${SCOMUSER} ALL=(root) NOPASSWD: /bin/sh -c sh /tmp/scx-${SCOMUSER}/GetOSVersion.sh; EC=\$?; rm -rf /tmp/scx-${SCOMUSER}; exit \$EC " >> /etc/sudoers
echo "${SCOMUSER} ALL=(root) NOPASSWD: /bin/sh -c cat /etc/opt/microsoft/scx/ssl/scx.pem " >> /etc/sudoers
echo "${SCOMUSER} ALL=(root) NOPASSWD: /bin/sh -c rpm -e scx " >> /etc/sudoers
echo "${SCOMUSER} ALL=(root) NOPASSWD: /bin/sh -c /bin/rpm -F --force /tmp/scx-${SCOMUSER}/scx-1.[0-9].[0-9]-[0-9][0-9][0-9].rhel.[0-9].x[6-8][4-6].rpm; EC=\$?; cd /tmp; rm -rf /tmp/scx-${SCOMUSER}; exit \$EC" >> /etc/sudoers
echo "${SCOMUSER} ALL=(root) NOPASSWD: /bin/sh -c /bin/rpm -U --force /tmp/scx-${SCOMUSER}/scx-1.[0-9].[0-9]-[0-9][0-9][0-9].rhel.[0-9].x[6-8][4-6].rpm; EC=\$?; cd /tmp; rm -rf /tmp/scx-${SCOMUSER}; exit \$EC" >> /etc/sudoers
echo " " >> /etc/sudoers
echo "#Log file monitoring " >> /etc/sudoers
echo "${SCOMUSER} ALL=(root) NOPASSWD: /opt/microsoft/scx/bin/scxlogfilereader -p" >> /etc/sudoers
echo " " >> /etc/sudoers
#echo "#Custom shell command monitoring example. Replace <shell command> with the correct command string " >> /etc/sudoers
#echo "${SCOMUSER} ALL=(root) NOPASSWD: /bin/bash -c su" >> /etc/sudoers
echo " " >> /etc/sudoers
echo "#Add sudo logging " >> /etc/sudoers
echo "Defaults logfile=/var/log/sudolog" >> /etc/sudoers
echo " " >> /etc/sudoers
# ==========================================================================
# SYSLOG configuration
echo " " >> /etc/rsyslog.conf
echo "# Qradar Forwarding" >> /etc/rsyslog.conf
echo "*.debug @${SYSLOGSIEM}" >> /etc/rsyslog.conf
echo "# Management Server syslog forwarding" >> /etc/rsyslog.conf
echo "*.warning @${SYSLOGSERVER}" >> /etc/rsyslog.conf
# ==========================================================================
# MAIL configuration
echo " " >> /etc/postfix/main.cf
echo "# GetShifting Mail configuration" >> /etc/postfix/main.cf
echo "mydomain = ${MAILDOMAIN}" >> /etc/postfix/main.cf
echo "myhostname = ${HOSTF}" >> /etc/postfix/main.cf
echo "relayhost = ${RELAYHOST}" >> /etc/postfix/main.cf
# ==========================================================================
# Add Red Hat Registration without adding the red hat repositories
subscription-manager config --rhsm.manage_repos=0
subscription-manager config --server.proxy_hostname=${PROXYSERVER} --server.proxy_port=${PROXYPORT}
subscription-manager register --username ${REDHATUSER} --password ${REDHATPASS}
# ==========================================================================
# Disable all repos from red hat - does not work during kickstart
# sed -i 's/enabled = 1/enabled = 0/g' /etc/yum.repos.d/redhat.repo
# ==========================================================================
# Add automount config
mv /etc/auto.master /etc/auto.master.orig
echo '/home/GETSHIFTING /etc/auto.homedir -nobrowse' > /etc/auto.master
echo "* ${NFSSERVER}:/data/all-servers-home/&" > /etc/auto.homedir
# ==========================================================================
%end
Custom Kickstart File for Oracle Servers
# Kickstart file created by sjoerd
# Version: 0.8 - 7 august 2014
# Added SCOM configuration, SYSLOG and variables for redhat subscription manager
# Note:
# The disk setup in this kickstart file is like this:
# Disk 0 : /boot (disk size preferred 1 GB)
# Disk 1 : swap (disk size minimum of RAM up to 4 GB)
# Disk 2 : LVM for / (20 GB), /var (5 GB) and /tmp (remaining disk space)
# Installation Source is the rhmgmtsrv/10.10.10.80
install
url --url http://10.10.10.80/dvdinstall/
# Language and KeyBoard Settings
lang en_US.UTF-8
keyboard us
# Network Configuration; keep default on dhcp or create custom kickstart file with network already configured
# network --device eth0 --bootproto dhcp
network --onboot yes --device eth0 --bootproto static --ip 10.10.10.110 --netmask 255.255.0.0 --gateway 10.10.10.254 --noipv6 --nameserver 10.10.10.53,10.10.10.153 --hostname dboracleserver.getshifting.local
# Security Settings
rootpw --iscrypted $6$OE0oJEAUjSVc.ft1$njQ9HO7LAZo18iABAXKMc8uNp5ONhmZ/qvstu7/VngxYG60cPoHI5Ta2NKYt/kABhYSIjn1eDcMtw9AkFYHvx1
# Enable firewall and open ports for oracle, xrdp and netbackup
firewall --service=ssh --port=1158:tcp,1521:tcp,3389:tcp,1556:tcp,13722:tcp,13724:tcp,13782:tcp
authconfig --enableshadow --passalgo=sha512
selinux --enforcing
timezone --utc Europe/Amsterdam
# Where should the bootdisk be placed
bootloader --location=mbr --driveorder=sda,sdb,sdc --append="crashkernel=auto rhgb quiet"
# Partitioning
zerombr yes
clearpart --all --initlabel
# Create boot disk, minimum size 200 MB, grow to maximum, primary partition
part /boot --fstype=ext4 --grow --asprimary --size=200
# create swap disk
part swap --grow --asprimary --size=200
# Use LVM partition on third disk for remaining file systems
part pv.008033 --grow --asprimary --size=200
volgroup vg_linuxbox --pesize=4096 pv.008033
logvol / --fstype=ext4 --name=LogVol00 --vgname=vg_linuxbox --size=20480
logvol /var --fstype=ext4 --name=LogVol01 --vgname=vg_linuxbox --size=5120
logvol /tmp --fstype=ext4 --name=LogVol02 --vgname=vg_linuxbox --size=200 --grow
# Reboot after installation
reboot --eject
# Package(groups) to be installed
%packages
@core
@server-policy
@desktop
@directory-client
authconfig-gtk
createrepo
dos2unix
ftp
ksh
lsof
mailx
man
nfs-utils
ntp
oddjob-mkhomedir
openldap-clients
perl
policycoreutils-gui
setroubleshoot-server
system-config-firewall
telnet
unzip
vim-enhanced
xorg-x11-apps
zip
# Required packages for oracle
binutils
cloog-ppl
compat-libcap1
compat-libstdc++-33
cpp
gcc
gcc-c++
glibc
glibc-devel
glibc-headers
kernel-headers
ksh
libaio
libaio-devel
libdmx
libgcc
libstdc++
libstdc++-devel
libXmu
libXt
libXv
libXxf86dga
libXxf86misc
libXxf86vm
make
mpfr
ppl
sysstat
xorg-x11-utils
xorg-x11-xauth
%end
# Post installation scripts
%post --log=/root/post_install.log
# ==========================================================================
# Set Installation Variables
HOSTF=`hostname -f`
HOST=`hostname -s`
NTPSERVER=10.10.10.123
INSTALLSERVER=rhmgmtsrv
LDAPIP=10.10.10.53
LDAPBASE=dc=getshifting,dc=local
KRBSERVER=DCSERVER.GETSHIFTING.LOCAL
KRBREALM=GETSHIFTING.LOCAL
NFSSERVER=redhatnfsserver
PROXYSERVER=proxy.getshifting.com
PROXYPORT=8080
REDHATUSER=rhgetshifting
REDHATPASS=XXXXXXXXX
SCOMUSER=sa-linux-scom
SYSLOGSERVER=rhmgmtsrv.getshifting.local
SYSLOGSIEM=10.10.10.93
RELAYHOST=relaysmtphost.getshifting.local
MAILDOMAIN=getshifting.com
ORACLEUSER=sa-acp-oracle
# ==========================================================================
# Overwrite NTP config
mv /etc/ntp.conf /etc/ntp.orig
echo "# GETSHIFTING NTP Config" > /etc/ntp.conf
echo "tinker panic 0" >> /etc/ntp.conf
echo "driftfile /var/lib/ntp/drift" >> /etc/ntp.conf
echo "restrict default kod nomodify notrap nopeer noquery" >> /etc/ntp.conf
echo "restrict -6 default kod nomodify notrap nopeer noquery" >> /etc/ntp.conf
echo "restrict 127.0.0.1" >> /etc/ntp.conf
echo "restrict -6 ::1" >> /etc/ntp.conf
echo "server ${NTPSERVER}" >> /etc/ntp.conf
echo "includefile /etc/ntp/crypto/pw" >> /etc/ntp.conf
echo "keys /etc/ntp/keys" >> /etc/ntp.conf
chkconfig ntpd on
# ==========================================================================
# Add DVD Repo
echo "[dvd]" > /etc/yum.repos.d/dvd.repo
echo "name=Red Hat 6.5 Installation DVD" >> /etc/yum.repos.d/dvd.repo
echo "baseurl=http://${INSTALLSERVER}/dvdinstall/" >> /etc/yum.repos.d/dvd.repo
echo "gpgcheck=1" >> /etc/yum.repos.d/dvd.repo
echo "gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release" >> /etc/yum.repos.d/dvd.repo
echo "enabled=1" >> /etc/yum.repos.d/dvd.repo
# ==========================================================================
# Automate VMware Tools Installation
wget -O /tmp/tools.tar.gz http://${INSTALLSERVER}/getshiftinginstall/VMwareTools-9.0.5-1065307.tar.gz
cd /tmp
tar xzf /tmp/tools.tar.gz
cd /tmp/vmware-tools-distrib
./vmware-install.pl -d
# ==========================================================================
# Automate NetBackup Installation
mkdir -p /usr/openv/netbackup
echo "SERVER = backupserver01.getshifting.local" >> /usr/openv/netbackup/bp.conf
echo "SERVER = backupserver001b.getshifting.local" >> /usr/openv/netbackup/bp.conf
echo "SERVER = backupserver401a.getshifting.local" >> /usr/openv/netbackup/bp.conf
echo "SERVER = backupserver405.getshifting.local" >> /usr/openv/netbackup/bp.conf
echo "SERVER = backupserver005.getshifting.local" >> /usr/openv/netbackup/bp.conf
echo "CLIENT_NAME = ${HOSTF}" >> /usr/openv/netbackup/bp.conf
wget -O /tmp/NB7601RH.tar http://${INSTALLSERVER}/getshiftinginstall/NB7601RH.tar
cd /tmp
tar -xf /tmp/NB7601RH.tar
sed -i 's/read ans/#read ans/g' /tmp/NetBackup_7.6.0.1_CLIENTS2/install
sed -i 's/read ans/#read ans/g' /tmp/NetBackup_7.6.0.1_CLIENTS2/NBClients/catalog/anb/client.inst
cd /tmp/NetBackup_7.6.0.1_CLIENTS2
./install
# Exclude oracle directory from backup
echo "/opt/oracle" >> /usr/openv/netbackup/exclude_list
# ==========================================================================
# Set Default Runlevel to 3
sed -i 's/id:5:initdefault:/id:3:initdefault:/g' /etc/inittab
# ==========================================================================
# Configure AD Authentication
## Set AD Authentication Settings
authconfig --enableldap --ldapserver=ldap://${LDAPIP} --ldapbasedn="${LDAPBASE}" --update
authconfig --enablekrb5 --krb5realm ${KRBREALM} --krb5kdc ${KRBSERVER} --krb5adminserver ${KRBSERVER} --update
authconfig --enablemkhomedir --update
## Download AD kerberos keytab
## Change keytab name to match new one
wget -O /etc/krb5.keytab http://${INSTALLSERVER}/getshiftinginstall/${HOST}.keytab
chmod 0600 /etc/krb5.keytab
restorecon /etc/krb5.keytab
## Set SSSD Config file
cp -p /etc/sssd/sssd.conf /etc/sssd/sssd.orig
echo "[domain/default]" > /etc/sssd/sssd.conf
echo "ldap_id_use_start_tls = False" >> /etc/sssd/sssd.conf
echo "cache_credentials = True" >> /etc/sssd/sssd.conf
echo "ldap_search_base = dc=getshifting,dc=local" >> /etc/sssd/sssd.conf
echo "krb5_realm = ${KRBREALM}" >> /etc/sssd/sssd.conf
echo "krb5_server = ${KRBSERVER}" >> /etc/sssd/sssd.conf
echo "id_provider = ldap" >> /etc/sssd/sssd.conf
echo "auth_provider = krb5" >> /etc/sssd/sssd.conf
echo "chpass_provider = krb5" >> /etc/sssd/sssd.conf
echo "ldap_uri = ldap://${LDAPIP}/" >> /etc/sssd/sssd.conf
echo "ldap_tls_cacertdir = /etc/openldap/cacerts" >> /etc/sssd/sssd.conf
echo "krb5_kpasswd = ${KRBSERVER}" >> /etc/sssd/sssd.conf
echo "access_provider = ldap" >> /etc/sssd/sssd.conf
echo "ldap_sasl_mech = GSSAPI" >> /etc/sssd/sssd.conf
## Match servername to new one
echo "ldap_sasl_authid = host/${HOSTF}@${KRBREALM}" >> /etc/sssd/sssd.conf
echo "ldap_schema = rfc2307bis" >> /etc/sssd/sssd.conf
echo "ldap_user_object_class = user" >> /etc/sssd/sssd.conf
echo "ldap_user_home_directory = unixHomeDirectory" >> /etc/sssd/sssd.conf
echo "ldap_user_principal = userPrincipalName" >> /etc/sssd/sssd.conf
echo "ldap_user_name = sAMAccountName" >> /etc/sssd/sssd.conf
echo "ldap_group_object_class = group" >> /etc/sssd/sssd.conf
echo "ldap_access_order = expire" >> /etc/sssd/sssd.conf
echo "ldap_account_expire_policy = ad" >> /etc/sssd/sssd.conf
echo "ldap_force_upper_case_realm = true" >> /etc/sssd/sssd.conf
echo "ldap_disable_referrals = true" >> /etc/sssd/sssd.conf
echo " " >> /etc/sssd/sssd.conf
echo "[sssd]" >> /etc/sssd/sssd.conf
echo "services = nss, pam" >> /etc/sssd/sssd.conf
echo "config_file_version = 2" >> /etc/sssd/sssd.conf
echo "domains = default" >> /etc/sssd/sssd.conf
echo " " >> /etc/sssd/sssd.conf
echo "[nss]" >> /etc/sssd/sssd.conf
echo " " >> /etc/sssd/sssd.conf
echo "[pam]" >> /etc/sssd/sssd.conf
echo " " >> /etc/sssd/sssd.conf
echo "[sudo]" >> /etc/sssd/sssd.conf
echo " " >> /etc/sssd/sssd.conf
echo "[autofs]" >> /etc/sssd/sssd.conf
echo " " >> /etc/sssd/sssd.conf
echo "[ssh]" >> /etc/sssd/sssd.conf
echo " " >> /etc/sssd/sssd.conf
echo "[pac]" >> /etc/sssd/sssd.conf
echo " " >> /etc/sssd/sssd.conf
service sssd restart
## Add permissions in sshd_config file
echo " " >> /etc/ssh/sshd_config
echo "# Only allow users in these groups to access over ssh" >> /etc/ssh/sshd_config
echo "AllowGroups UNIX-Server-AdminGroup UNIX-Server-AppMgmt" >> /etc/ssh/sshd_config
## Add permissions into sudoers file
echo " " >> /etc/sudoers
echo "# GETSHIFTING Specific Permissions" >> /etc/sudoers
echo "%UNIX-Server-AdminGroup ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers
# ==========================================================================
# Install and configure xRDP
wget -O /tmp/xrdp.rpm http://${INSTALLSERVER}/getshiftinginstall/xrdp-0.5.0-0.13.el6.x86_64.rpm
yum localinstall /tmp/xrdp.rpm -y
chkconfig xrdp on
# ==========================================================================
# Install Mercurial
# Note that the mercurial version included in the Red Hat installation dvd is outdated and cannot be used
wget -O /tmp/mercurial.rpm http://${INSTALLSERVER}/getshiftinginstall/mercurial-2.2.2-1.el6.rfx.x86_64.rpm
yum localinstall /tmp/mercurial.rpm -y
# ==========================================================================
# SCOM Monitoring configuration
echo " " >> /etc/sudoers
echo "#General requirements for OpsMgr service account " >> /etc/sudoers
echo "Defaults:${SCOMUSER}" '!requiretty' >> /etc/sudoers
echo " " >> /etc/sudoers
echo "#Agent discovery, installation, certificate signing, and maintenance tasks " >> /etc/sudoers
echo "${SCOMUSER} ALL=(root) NOPASSWD: /bin/sh -c cp /tmp/scx-${SCOMUSER}/scx.pem /etc/opt/microsoft/scx/ssl/scx.pem; rm -rf /tmp/scx-${SCOMUSER}; /opt/microsoft/scx/bin/tools/scxadmin -restart " >> /etc/sudoers
echo "${SCOMUSER} ALL=(root) NOPASSWD: /bin/sh -c sh /tmp/scx-${SCOMUSER}/GetOSVersion.sh; EC=\$?; rm -rf /tmp/scx-${SCOMUSER}; exit \$EC " >> /etc/sudoers
echo "${SCOMUSER} ALL=(root) NOPASSWD: /bin/sh -c cat /etc/opt/microsoft/scx/ssl/scx.pem " >> /etc/sudoers
echo "${SCOMUSER} ALL=(root) NOPASSWD: /bin/sh -c rpm -e scx " >> /etc/sudoers
echo "${SCOMUSER} ALL=(root) NOPASSWD: /bin/sh -c /bin/rpm -F --force /tmp/scx-${SCOMUSER}/scx-1.[0-9].[0-9]-[0-9][0-9][0-9].rhel.[0-9].x[6-8][4-6].rpm; EC=\$?; cd /tmp; rm -rf /tmp/scx-${SCOMUSER}; exit \$EC" >> /etc/sudoers
echo "${SCOMUSER} ALL=(root) NOPASSWD: /bin/sh -c /bin/rpm -U --force /tmp/scx-${SCOMUSER}/scx-1.[0-9].[0-9]-[0-9][0-9][0-9].rhel.[0-9].x[6-8][4-6].rpm; EC=\$?; cd /tmp; rm -rf /tmp/scx-${SCOMUSER}; exit \$EC" >> /etc/sudoers
echo " " >> /etc/sudoers
echo "#Log file monitoring " >> /etc/sudoers
echo "${SCOMUSER} ALL=(root) NOPASSWD: /opt/microsoft/scx/bin/scxlogfilereader -p" >> /etc/sudoers
echo " " >> /etc/sudoers
#echo "#Custom shell command monitoring example. Replace <shell command> with the correct command string " >> /etc/sudoers
#echo "${SCOMUSER} ALL=(root) NOPASSWD: /bin/bash -c su" >> /etc/sudoers
echo " " >> /etc/sudoers
echo "#Add sudo logging " >> /etc/sudoers
echo "Defaults logfile=/var/log/sudolog" >> /etc/sudoers
echo " " >> /etc/sudoers
# ==========================================================================
# SYSLOG configuration
echo " " >> /etc/rsyslog.conf
echo "# Qradar Forwarding" >> /etc/rsyslog.conf
echo "*.debug @${SYSLOGSIEM}" >> /etc/rsyslog.conf
echo "# Management Server syslog forwarding" >> /etc/rsyslog.conf
echo "*.warning @${SYSLOGSERVER}" >> /etc/rsyslog.conf
# ==========================================================================
# MAIL configuration
echo " " >> /etc/postfix/main.cf
echo "# GetShifting Mail configuration" >> /etc/postfix/main.cf
echo "mydomain = ${MAILDOMAIN}" >> /etc/postfix/main.cf
echo "myhostname = ${HOSTF}" >> /etc/postfix/main.cf
echo "relayhost = ${RELAYHOST}" >> /etc/postfix/main.cf
# ==========================================================================
# Add Red Hat Registration without adding the red hat repositories
subscription-manager config --rhsm.manage_repos=0
subscription-manager config --server.proxy_hostname=${PROXYSERVER} --server.proxy_port=${PROXYPORT}
subscription-manager register --username ${REDHATUSER} --password ${REDHATPASS}
# ==========================================================================
# Disable all repos from red hat - does not work during kickstart
# sed -i 's/enabled = 1/enabled = 0/g' /etc/yum.repos.d/redhat.repo
# ==========================================================================
# Add automount config
mv /etc/auto.master /etc/auto.master.orig
echo '/home/GETSHIFTING /etc/auto.homedir -nobrowse' > /etc/auto.master
echo "* ${NFSSERVER}:/data/all-servers-home/&" > /etc/auto.homedir
# ==========================================================================
## Add kernel parameters to sysctl.conf
## Kernel parameters kernel.shmmax and kernel.shmall have to be calculated depending on RAM and SWAP
## Kernel parameter fs.file-max has to be calculated depending on processes but minimum of 6815744
echo " " >> /etc/sysctl.conf
echo "# Set GETSHIFTING Oracle kernel tuning parameters" >> /etc/sysctl.conf
echo "vm.swappiness = 0" >> /etc/sysctl.conf
echo "vm.dirty_background_ratio = 3" >> /etc/sysctl.conf
echo "vm.dirty_ratio = 80" >> /etc/sysctl.conf
echo "vm.dirty_expire_centisecs = 500" >> /etc/sysctl.conf
echo "vm.dirty_writeback_centisecs = 100" >> /etc/sysctl.conf
echo "kernel.shmmni = 4096" >> /etc/sysctl.conf
echo "kernel.sem = 250 32000 100 128" >> /etc/sysctl.conf
echo "net.ipv4.ip_local_port_range = 9000 65500" >> /etc/sysctl.conf
echo "net.core.wmem_max = 1048576" >> /etc/sysctl.conf
echo "net.core.wmem_default = 262144" >> /etc/sysctl.conf
echo "net.core.rmem_max = 4194304" >> /etc/sysctl.conf
echo "net.core.rmem_default = 262144" >> /etc/sysctl.conf
echo "fs.aio-max-nr = 1048576" >> /etc/sysctl.conf
echo "fs.file-max = 6815744" >> /etc/sysctl.conf
sysctl -p
# ==========================================================================
# Oracle GROUPS and users:
groupadd --gid 55321 oinstall
groupadd --gid 55322 dba
groupadd --gid 55323 oper
# Oracle user
useradd --uid 55321 --gid oinstall --groups dba,oper -p '$1$xwPEp1$FN.6fopSG6/FaDYcrdkMh/' -d /opt/oracle -m ${ORACLEUSER}
# Set Shell Limits for oracle user
echo "# Set Oracle user limits" > /etc/security/limits.d/99-oracle-limits.conf
echo "${ORACLEUSER} soft nproc 2047" >> /etc/security/limits.d/99-oracle-limits.conf
echo "${ORACLEUSER} hard nproc 16384" >> /etc/security/limits.d/99-oracle-limits.conf
echo "${ORACLEUSER} soft nofile 1024" >> /etc/security/limits.d/99-oracle-limits.conf
echo "${ORACLEUSER} hard nofile 65536" >> /etc/security/limits.d/99-oracle-limits.conf
echo "${ORACLEUSER} soft stack 10240" >> /etc/security/limits.d/99-oracle-limits.conf
echo "${ORACLEUSER} hard stack 32768" >> /etc/security/limits.d/99-oracle-limits.conf
# Set correct ulimit for oracle user
echo "#Setting the appropriate ulimits for oracle and grid user" > /etc/profile.d/oracle.sh
echo "if [ \$USER = ${ORACLEUSER} ]; then" >> /etc/profile.d/oracle.sh
echo 'if [ $SHELL = "/bin/ksh" ]; then' >> /etc/profile.d/oracle.sh
echo 'ulimit -u 16384' >> /etc/profile.d/oracle.sh
echo 'ulimit -n 65536' >> /etc/profile.d/oracle.sh
echo 'else' >> /etc/profile.d/oracle.sh
echo 'ulimit -u 16384 -n 65536' >> /etc/profile.d/oracle.sh
echo 'fi' >> /etc/profile.d/oracle.sh
echo 'fi' >> /etc/profile.d/oracle.sh
%end
Create Password Hash for Local Users
As you can see in the kickstart file a local user gets created using a password hash. This is how to make one:
- Start grub-md5-crypt as root and enter the password to be hashed twice:
$ sudo grub-md5-crypt
Password:
Retype password:
$1$kaxqk1$2sroXlnsz0Xh6JwTbPCoI/
The returned hash can now be passed to useradd with -p, the same way the kickstart file above does it:
- sudo useradd --uid 33333 -p '$1$kaxqk1$2sroXlnsz0Xh6JwTbPCoI/' sjoerdh
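The same hash can be produced, and checked, without grub-md5-crypt. The script below is an added example, not part of the original post: it uses the openssl CLI (assumed to be 1.1.1 or newer, so that "passwd -6" exists) to create an MD5 crypt hash in the $1$ form shown above or a SHA-512 crypt hash in the $6$ form the kickstart uses for rootpw, verifies a password against a stored hash by re-hashing with the stored salt, and rates the hash type so you can spot $1$ hashes left in a kickstart.

```sh
#!/bin/sh
# Added example (not from the original post): make and verify crypt(3) password
# hashes for "useradd -p" / "rootpw --iscrypted" with the openssl CLI.
# Assumes openssl 1.1.1 or newer ("passwd -6" for SHA-512 crypt).

# make_hash <password> [kind]
#   kind 1 = MD5 crypt ($1$..., what grub-md5-crypt produces; the default)
#   kind 6 = SHA-512 crypt ($6$..., what the kickstart's rootpw line uses)
# The password is fed on stdin so it never shows up in the process list.
make_hash() {
    pw=$1; kind=${2:-1}
    printf '%s\n' "$pw" | openssl passwd -"$kind" -stdin
}

# verify_hash <password> <stored-hash>  -> exit 0 when the password matches.
# Re-hashes with the salt taken from the stored value and compares the result.
# Handles plain $1$/$5$/$6$ hashes; a "rounds=" prefix is not parsed here.
verify_hash() {
    pw=$1; stored=$2
    kind=$(printf '%s' "$stored" | cut -d'$' -f2)
    salt=$(printf '%s' "$stored" | cut -d'$' -f3)
    case "$kind" in
        1|5|6) ;;
        *) echo "unsupported hash type: \$$kind\$" >&2; return 2 ;;
    esac
    recomputed=$(printf '%s\n' "$pw" | openssl passwd -"$kind" -salt "$salt" -stdin)
    [ "$recomputed" = "$stored" ]
}

# hash_type_rating <hash> -> weak (MD5 crypt), ok (SHA-256/512 crypt), unknown
hash_type_rating() {
    case "$1" in
        '$1$'*)        echo weak ;;
        '$5$'*|'$6$'*) echo ok ;;
        *)             echo unknown ;;
    esac
}

# Demonstration with a constructed password (not a real credential)
DEMO_PW='Constructed-Example-Pw'
DEMO_MD5=$(make_hash "$DEMO_PW")
DEMO_SHA512=$(make_hash "$DEMO_PW" 6)
echo "MD5 crypt:     $DEMO_MD5 ($(hash_type_rating "$DEMO_MD5"))"
echo "SHA-512 crypt: $DEMO_SHA512 ($(hash_type_rating "$DEMO_SHA512"))"
verify_hash "$DEMO_PW" "$DEMO_SHA512" && echo "verify: match"
```

Since authconfig in the kickstart already sets --passalgo=sha512, a $6$ hash from make_hash "$pw" 6 fits the local user as well as it fits rootpw; hash_type_rating is there to flag the $1$ ones when you review a kickstart before publishing it.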
Delete User
If you want to delete the user later on make sure you use the -r switch to also remove the homedir:
- sudo userdel -r sjoerdh
Netbackup Software
As you can see in the kickstart files I perform some tricks on the NetBackup Client software to have it installed automatically. Since there is no supported way to run the client installer unattended, I replace the `read ans` line in the installation scripts with a commented-out version (`#read ans`). This way the script assumes the default answer, which is y. So there you have it, an automated way of installing the unix/linux/standard client of Symantec NetBackup.
SCOM Post Installation
The kickstart file only sets up the sudo permissions for the SCOM user. The SCOM administrator can now add the Linux server from Operations Manager without needing root credentials and finish the setup from there.
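The kickstart appends its SCOM entries (and the admin group's line) to /etc/sudoers with echo, so nothing checks what ends up there. The script below is an added example, not from the original post: it audits a sudoers file or fragment with awk and reports every NOPASSWD grant, splitting out the two shapes worth a second look, a blanket "(ALL) NOPASSWD: ALL" and grants whose command is a /bin/sh -c or /bin/bash -c wrapper. The sample fragment is constructed from the lines the kickstart writes, with SCOMUSER expanded to the value the post uses.

```sh
#!/bin/sh
# Added example (not from the original post): audit sudoers lines of the kind
# the kickstart %post appends and list the entries that grant more than one
# fixed command. POSIX sh + awk only; no visudo needed for the report.
#
# Each reported line is prefixed with one class:
#   ALL-NOPASSWD   blanket "(ALL) NOPASSWD: ALL" style grant
#   SHELL-WRAPPER  NOPASSWD grant whose command is /bin/sh -c or /bin/bash -c
#   NOPASSWD       any other NOPASSWD grant (listed for review)
audit_sudoers() {
    # $1 = path to a sudoers file or /etc/sudoers.d fragment
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }   # comments and blank lines
        /^[ \t]*Defaults/ { next }          # Defaults lines grant nothing
        /NOPASSWD:[ \t]*ALL([ \t]|$)/        { print "ALL-NOPASSWD\t" $0; next }
        /NOPASSWD:[ \t]*\/bin\/(ba)?sh[ \t]+-c/ { print "SHELL-WRAPPER\t" $0; next }
        /NOPASSWD:/                          { print "NOPASSWD\t" $0 }
    ' "$1"
}

# count_findings <file> <class> -> number of reported lines of that class
count_findings() {
    audit_sudoers "$1" | awk -F '\t' -v cls="$2" '$1 == cls { n++ } END { print n + 0 }'
}

# Constructed sample: the lines the kickstart writes, SCOMUSER expanded.
SAMPLE_SUDOERS=$(mktemp)
cat > "$SAMPLE_SUDOERS" <<'EOF'
#General requirements for OpsMgr service account
Defaults:sa-linux-scom !requiretty
#Agent discovery, installation, certificate signing, and maintenance tasks
sa-linux-scom ALL=(root) NOPASSWD: /bin/sh -c cp /tmp/scx-sa-linux-scom/scx.pem /etc/opt/microsoft/scx/ssl/scx.pem; rm -rf /tmp/scx-sa-linux-scom; /opt/microsoft/scx/bin/tools/scxadmin -restart
sa-linux-scom ALL=(root) NOPASSWD: /bin/sh -c cat /etc/opt/microsoft/scx/ssl/scx.pem
#Log file monitoring
sa-linux-scom ALL=(root) NOPASSWD: /opt/microsoft/scx/bin/scxlogfilereader -p
#sa-linux-scom ALL=(root) NOPASSWD: /bin/bash -c su
#Add sudo logging
Defaults logfile=/var/log/sudolog
# GETSHIFTING Specific Permissions
%UNIX-Server-AdminGroup ALL=(ALL) NOPASSWD: ALL
EOF

audit_sudoers "$SAMPLE_SUDOERS"
```

Run it against /etc/sudoers after the post-install and pair it with visudo -c, which checks syntax (a typo in an echoed line locks every sudo user out, including the admin group). The SHELL-WRAPPER entries are the ones Microsoft's own template uses; sudo matches the whole argument string, so they are tighter than they look, but they are also the lines an auditor will ask about, and the Defaults logfile line the post adds is what lets you answer from /var/log/sudolog.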
Start an Automated Installation
Create a custom kickstart file for the new server and change the following:
- IP address
- hostname
- oracle user name and password
- username and password for the red hat subscription manager
Then place the kickstart file in /var/www/html/kickstarts and name it correctly.
Then add the server to AD and make sure you:
- Make a DNS record
- Add the server object and enable it for UNIX
- Set the Service Principal Name (setspn)
- Create the keytab
- Place the keytab in /data/repo-getshifting/servername.keytab
- Delete it again afterwards
- Perform a restorecon -R /data
Then start the installation like this:
- vmlinuz initrd=initrd.img ks=http://10.10.10.80/kickstarts/kickstart-standard01.cfg
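Because the post notes that variables inside the kickstart do not work, the per-server values have to be filled in on the management server before the file is put in /var/www/html/kickstarts. The script below is an added example, not from the original post: it renders a kickstart from a template using @@NAME@@ placeholders (this example's own convention) for the values the list above says must change, refuses to emit a file with a placeholder left over, and lints the result against the points in the Note (zerombr and --initlabel present, hostname in FQDN form) plus two hygiene rules for a file served over plain http (rootpw --iscrypted, selinux --enforcing). The template is a cut-down, constructed copy of the Oracle kickstart with a dummy rootpw hash.

```sh
#!/bin/sh
# Added example (not from the original post): render a per-server kickstart
# from a template and lint it before copying it to /var/www/html/kickstarts.
# @@NAME@@ placeholders are this example's own convention. Only sed and grep
# are used.

# render_kickstart <template> <output> <ip> <fqdn> <oracle-user> <rh-user>
# Substitutes the per-server values; fails when any placeholder is left over,
# so a half-filled file never reaches the web root.
render_kickstart() {
    tmpl=$1; out=$2; ip=$3; fqdn=$4; ouser=$5; rhuser=$6
    sed -e "s|@@IP@@|$ip|g" \
        -e "s|@@FQDN@@|$fqdn|g" \
        -e "s|@@ORACLEUSER@@|$ouser|g" \
        -e "s|@@REDHATUSER@@|$rhuser|g" "$tmpl" > "$out"
    ! grep -q '@@[A-Z][A-Z]*@@' "$out"
}

# lint_kickstart <file>
# Prints one FAIL line per problem; returns non-zero when any was found.
lint_kickstart() {
    f=$1; rc=0
    grep -q '^zerombr' "$f" \
        || { echo "FAIL: zerombr missing, installer may prompt to initialise disks"; rc=1; }
    grep -q '^clearpart .*--initlabel' "$f" \
        || { echo "FAIL: clearpart lacks --initlabel"; rc=1; }
    grep -q '^network .*--hostname [^ ]*\.[^ ]*' "$f" \
        || { echo "FAIL: --hostname is not an FQDN (needed without a search domain in resolv.conf)"; rc=1; }
    grep -q '^rootpw --iscrypted ' "$f" \
        || { echo "FAIL: rootpw is not --iscrypted"; rc=1; }
    grep -q '^selinux --enforcing' "$f" \
        || { echo "FAIL: selinux is not enforcing"; rc=1; }
    grep -q '@@[A-Z][A-Z]*@@' "$f" \
        && { echo "FAIL: unreplaced placeholder"; rc=1; }
    return $rc
}

# lint_failures <file> -> number of FAIL lines
lint_failures() {
    lint_kickstart "$1" | grep -c '^FAIL'
}

# Constructed template: a cut-down copy of the kickstart above with the
# per-server values replaced by placeholders. The rootpw hash is a dummy.
TEMPLATE=$(mktemp)
cat > "$TEMPLATE" <<'EOF'
install
url --url http://10.10.10.80/dvdinstall/
network --onboot yes --device eth0 --bootproto static --ip @@IP@@ --netmask 255.255.0.0 --gateway 10.10.10.254 --noipv6 --nameserver 10.10.10.53,10.10.10.153 --hostname @@FQDN@@
rootpw --iscrypted $6$DUMMYSALT$DUMMYHASH.REPLACE.ME
selinux --enforcing
zerombr yes
clearpart --all --initlabel
%post --log=/root/post_install.log
REDHATUSER=@@REDHATUSER@@
ORACLEUSER=@@ORACLEUSER@@
%end
EOF

# Render one server and lint it; the rendered file is what you would copy to
# /var/www/html/kickstarts/<name>.cfg (constructed host values).
RENDERED=$(mktemp)
render_kickstart "$TEMPLATE" "$RENDERED" 10.10.10.111 dboracle02.getshifting.local sa-acp-oracle rhgetshifting
lint_kickstart "$RENDERED" && echo "kickstart OK: $RENDERED"
```

The same placeholder mechanism covers the password hashes and the subscription password from the list above; they are left out of the template here only to keep the example short.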
Note:
- If the search domain is not added to resolv.conf, make sure you set the hostname in FQDN format
- If the installer asks for confirmation on the disks, make sure zerombr and initlabel are included
- Adding firewall rules in kickstart does not work yet
- Using variables in kickstart does not work yet
- Disabling the Red Hat repo does not work in kickstart yet
After creating the server check Post Install follow-up to see what more you can do.