SHIFT-WIKI

--- Sjoerd Hooft's InFormation Technology ---

User Tools

Site Tools


redhat65management

Red Hat Enterprise Linux 6.5 Management Server

This article is the first, or actually the second in a series of installing Red Hat Enterprise Linux at a company. Right now I work in a Windows based environment, but unfortunately for my colleagues not every application runs on Windows. Especially the ones that are designed to do a lot of math based tasks, in this case risk calculations. In previous versions, these applications were installed on physical hardware with Solaris and a little bit of an ancient Red Hat edition. However, new releases, new chances and I had the chance to recreate everything from scratch, supported and well, on virtualized hardware. So I've already done my homework and got together a best practices for Red Hat on VMware, created a design which included a management server, a NFS server and all required application and database server. This article is about the management server. The idea is that this server will be the central point in the linux environment and will be used as an installation server, as well as the OS as software and patches, the Mercurial versioning master repository and a few more smaller functions. More then that, this is the first server, so it will be installed from scratch, and this is the report.

At the end you can read how to use this management server to install other servers, which is then followed by a Post Install follow-up.

Enjoy.

Update: I also came up with a requirement to mount Windows shares to some of my Linux boxes, I finally opted for Windows NFS and documented that here.

Starting the Installation

Media used: rhel-server-6.5-x86_64-dvd.iso We'll install a system with separate disks for the boot, swap and the root filesystem disk. I Created a VM with three disks:

  • Disk 0: /boot (1 GB)
  • Disk 1: swap (4 GB)
  • Disk 2: / (30 GB)
    • /tmp (5 GB)
    • /var (5 GB)

As you can see, the third disk also provides space for the separate file systems /tmp and /var.

Note: I selected the vmxnet3 nic and the PVSCSI adapter. Both work already during startup and installation.

After booting from the dvd, follow these steps to install the server:

  • install or upgrade an existing system
  • skip the media test
  • Use English as installation language
  • Use US English as keyboard
  • Select Basic Storage Devices
  • Choose to discard the data on the disks if there is any in the storage device warning
  • Set the hostname to rhmgmtsrv
    • In the same screen, click on the “Configure Network” button
    • Select the “System eth0” network card and click edit
    • Make sure to select both the “Available to all users” and the “Connect Automatically” checkboxes and proceed to the IPv4 Settings tab
    • Set the method to Manual and configure the correct IP address, network mask, search domain and DNS servers. You can add multiple DNS servers or search domain by separating them with commas.
    • Save all setting and proceed to the next screen .
  • Set the timezone to Europe/Amsterdam and select the checkbox “System clock uses UTC”
  • Select the “Create Custom Layout” so we can modify our own file system as described above
    • Start by creating the boot file partition on the first disk like this:

redhat65management01.jpg

  • Then create the swap file on the second disk like this:

redhat65management02.jpg

  • Then create a LVM Physical Volume on the third disk like this:

redhat65management03.jpg

  • Then select to create a LVM Volume Group inside the LVM Physical Volume. You'll automatically get the chance to configure the logical volumes:

redhat65management04.jpg

  • Confirm that all existing data will be destroyed by formatting the disks
  • Select to write all changes to disk
  • Keep the defaults for the boot loader options
  • Select the Minimal Installation Package because we will install additional software later. Keep the Red Hat Enterprise Linux repository.
  • After pressing next the actual installation starts. Because the minimal installation was selected this won't take long.
  • Afterwards you'll have to reboot and you're done.

You can now login as root on the console as well as over ssh.

Red Hat Server Registration and Subscriptions

The server needs to be registered with Red Hat to be able to download patches and get support. We first set the proxy settings so the subscription manager can access the Red Het Network (RHN) and the register the system.

[root@rhmgmtsrv ~]# subscription-manager config --server.proxy_hostname=proxy.getshifting.com --server.proxy_port=8080                   
[root@rhmgmtsrv ~]# subscription-manager register --username XXXXXXXX --password XXXXXXXX
The system has been registered with ID: 4c16763e-56f3-4975-9845-34828fhear20
 
[root@rhmgmtsrv ~]# yum update
Loaded plugins: product-id, subscription-manager
This system is registered to Red Hat Subscription Management, but is not receiving updates. You can use subscription-manager to assign subscriptions.
Setting up Update Process
No Packages marked for Update

The username and the password are listed in the password database.

Then we subscribe to the required channels so yum can download patches:

[root@rhmgmtsrv ~]# subscription-manager list --available
+-------------------------------------------+
    Available Subscriptions
+-------------------------------------------+
Subscription Name: Red Hat Enterprise Linux Server, Premium (Physical or Virtual Nodes)
Provides:          Red Hat Enterprise Linux Resilient Storage (for RHEL Server) - Extended Update Support
                   Red Hat Software Collections (for RHEL Server)
 
...<cut>...
 
[root@rhmgmtsrv ~]# subscription-manager attach --pool=8a85f56745f132a00145f3c17f7673gg
Successfully attached a subscription for: Red Hat Enterprise Linux Server, Premium (Physical or Virtual Nodes)

Now yum updates will work.

For more information regarding subscription manager see:

VMware Tools

Because the server is a virtual we need the VMware Tools so the server can properly be managed by the VMware hyprvisor. Mount the VMware tools CD through the option in vCenter and issue these commands:

mkdir /mnt/cdrom 
mount /dev/cdrom /mnt/cdrom
cp /mnt/cdrom/VM....gz /tmp
gunzip
tar -xf
cd 
./vmware-install.pl
Note: Keep all defaults during the installation. You'll also need perl for running the script: yum install perl

For more information on installing the tools see: * http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1018392

Create a Repo From the Installation DVD

I want to use this server as an installation server for the other Red Hat servers, so I want to create a repo from the installation DVD so most installs can be done over the local network instead of over the internet. I added an extra disk through the vCenter options.

Configure an Extra Disk

First list the devices of the system so you can locate the new disk:

  • ls /dev/

Partition the new disk with LVM:

  • fdisk -cu /dev/sdd
    • Command: n (Add a new partition)
      • Partition number: 1
      • Keep defaults for sectors (use entire disk)
    • Command: t (change a partition's system id)
      • 8e (for Linux LVM)
    • Command: w (write table to disk and exit)

Show current Volume Groups:

  • vgs

Create new volume group on the partitioned disk:

  • vgcreate vg_rhmgmtsrv_data /dev/sdd1

Create a logical volume in the volume group:

  • lvcreate -n data -l 100%FREE vg_rhmgmtsrv_data

Create the mountpoint:

  • mkdir /data

Format the filesystem on the logical volume:

  • mkfs.ext4 /dev/vg_rhmgmtsrv_data/data

Add the filesystem to the /etc/fstab file:

  • vim /etc/fstab
/dev/mapper/vg_rhmgmtsrv_data-data /data                 ext4    defaults        1 2

Mount the filesystem:

  • mount /data

Create the Repo

Creating the repo is quite simple. We create a directory and copy the packages to that directory and run a command to generate metadata. Because we want to use the smae directory structure as an installation server we also copy the images and the repodata directories. These are not required for creating the repo, just for the installation server:

Mount the installation dvd:

  • mount /dev/cdrom /mnt/cdrom/

Make the repo directory:

  • mkdir /data/repo-dvd65

Change directory to the cdrom root:

  • cd /mnt/cdrom

Copy all required data:

  • cp -R Packages/* /data/repo-dvd65/Packages
  • cp -R images/* /data/repo-dvd65/images
  • cp -R repodata/* /data/repo-dvd65/repodata

Then install the createrepo package:

  • yum install createrepo

Now find the <hash>-comps-rhel6-Server.xml file in the repodata directory and copy it to the Packages directory. You need the xml file so groupinfo is included in the repo and groupinstalls are possible as well:

  • cd /mnt/cdrom/repodata
  • cp 6221039e7e3dabf7d538c76571d82aaf42b6292b8f6fe6cf56b8fcf1cff3d3ab-comps-rhel6-Server.xml /data/repo-dvd65/Packages

Run the createrepo command:

  • createrepo -g 6221039e7e3dabf7d538c76571d82aaf42b6292b8f6fe6cf56b8fcf1cff3d3ab-comps-rhel6-Server.xml /data/repo-dvd65/Packages

Now you can add the repo to install packages and groups of packages.

Add the Repo for Usage

Add a file called dvd.repo in the /etc/yum.repos.d directory and add the following lines:

[dvd]
name=Red Hat 6.5 Installation DVD
baseurl=file:///data/repo-dvd65/Packages
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
enabled=1

You can now use the repo. If you run into any problem try running the yum clean all command. Run this command to see the available groups:

  • yum –disablerepo=“*” –enablerepo=“dvd” grouplist

Install Desktop Group from DVD Repo

Run the following command to disable the Red Hat repos and just use the dvd repo to install the Desktop group:

  • yum –disablerepo=“*” –enablerepo=“dvd” groupinstall “Desktop”

AD Authentication

We want to be able to logon using our AD accounts. For this to work you first need the UNIX services for AD to be installed as decribed here: AD Identity Management for Unix.

Note that in this setup we use a double label domain called getshifting.local. The NETBIOS name of the domain is GETSHIFTING All AD services are divided over different server so read very closely. The domain controller is called dcserver, and is also the DNS server (IP 10.10.10.53). You can recognize IP addresses because the IP address is most times the default port the service runs on. Note that all kerberos and AD related configurations are capital sensitive. Don't mix them up.

You also need to setup some other services to make sure everything works correctly:

  • Make sure SElinux is set to enforcing
  • configure ntp:
    • yum install ntp
    • edit /etc/ntp.conf:
tinker panic 0
driftfile /var/lib/ntp/drift
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict -6 ::1
server 10.10.10.123
includefile /etc/ntp/crypto/pw
keys /etc/ntp/keys

service ntpd start chkconfig ntpd on

  • DNS is setup like this in /etc/resolv.conf:
# Generated by NetworkManager
search getshifting.local
nameserver 10.10.10.53
nameserver 10.10.10.153
  • the host is configured with it's FQDN in /etc/sysconfig/network:
NETWORKING=yes
HOSTNAME=rhmgmtsrv.getshifting.local
GATEWAY=10.10.10.254
  • Install required software:
    • yum groupinstall directory-client
    • yum install openldap-clients
    • yum install authconfig-gtk

Configuration

For now we'll use the graphical tool for the initial setup. If you're interested in the commandline to do the same check the kickstart files below, the same command are listed there as well.

Setup kerberos in the /etc/krb5.conf file like this:

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
 
[libdefaults]
default_realm = GETSHIFTING.LOCAL
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
 
[realms]
GETSHIFTING.LOCAL = {
  kdc = dcserver.getshifting.local
  admin_server = dcserver.getshifting.local
}
 
[domain_realm]
.getshifting.local = GETSHIFTING.LOCAL
getshifting.local = GETSHIFTING.LOCAL

Start the graphical tool from the graphical environment:

  • system-config-authentication

Configure like this:
redhat65management05.jpg
And this:
redhat65management06.jpg
Check if you can get a kerberos ticket with these commands:

  • kdestroy
  • klist
  • kinit adminsjoerd@GETSHIFTING.LOCAL

Then create a computer object in AD like this
redhat65management07.jpg
And like this:
redhat65management08.jpg
Then, on a domain controller as a domain admin, enter these commands to create a keytab file:

  • setspn -A host/rhmgmtsrv.getshifting.local@getshifting.local rhmgmtsrv
    • Check with: setspn -L rhmgmtsrv
  • ktpass /princ host/rhmgmtsrv.getshifting.local@GETSHIFTING.LOCAL /out rhmgmtsrv.keytab /crypto all /ptype KRB5_NT_PRINCIPAL -desonly /mapuser GETSHIFTING\rhmgmtsrv$ +rndPass
    • Confirm to reset the password with “y”
    • Note that these commands are case sensitive, what is listed with capitals should be entered like that

Now upload the created rhmgmtsrv.keytab to the rhmgmtsrv using sftp and make the following changes:

  • mv /tmp/rhmgmtsrv.keytab /etc/krb5.keytab
  • chmod 0600 /etc/krb5.keytab
  • restorecon /etc/krb5.keytab
    • You can check the SELinux type with ls -lZ *.keytab from the /etc directory

Check if the keytab file can be used:

  • kinit -k -t /etc/krb5.keytab host/rhmgmtsrv.getshifting.local@GETSHIFTING.LOCAL
  • klist

Check if a LDAP search can be done:

  • ldapsearch -H ldap://dcserver/ -Y GSSAPI -N -b DC=GETSHIFTING,DC=LOCAL “(&(objectclass=user)(sAMAccountName=sjoerd))”
    • This will generate a lot of output if successful, but check the second line. It shoud read:
      • SASL username: host/rhmgmtsrv.getshifting.local@GETSHIFTING.LOCAL
  • Modify the /etc/sssd/sssd.conf file like this:
[domain/default]
 
ldap_id_use_start_tls = False
cache_credentials = True
ldap_search_base = dc=getshifting,dc=local
krb5_realm = GETSHIFTING.LOCAL
krb5_server = DCSERVER.GETSHIFTING.LOCAL
id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
ldap_uri = ldap://10.10.10.53/
ldap_tls_cacertdir = /etc/openldap/cacerts
krb5_kpasswd = DCSERVER.GETSHIFTING.LOCAL
access_provider = ldap
 
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/rhmgmtsrv.getshifting.local@GETSHIFTING.LOCAL
ldap_schema = rfc2307bis
ldap_user_object_class = user
ldap_user_home_directory = unixHomeDirectory
ldap_user_principal = userPrincipalName
ldap_user_name = sAMAccountName
ldap_group_object_class = group
ldap_access_order = expire
ldap_account_expire_policy = ad
ldap_force_upper_case_realm = true
ldap_disable_referrals = true
 
[sssd]
services = nss, pam
config_file_version = 2
domains = default
 
[nss]
 
[pam]
 
[sudo]
 
[autofs]
 
[ssh]
 
[pac]

Now restart the sssd service:

  • service sssd restart

You can now logon using the AD accounts that you have configured like this:
redhat65management09.jpg

[sjoerd.NL0W5884]ssh adminsjoerd@rhmgmtsrv
adminsjoerd@rhmgmtsrv's password:
Creating home directory for adminsjoerd.
/usr/bin/xauth:  creating new authority file /home/adminsjoerd/.Xauthority
[adminsjoerd@rhmgmtsrv ~]$ pwd
/home/adminsjoerd
[adminsjoerd@rhmgmtsrv ~]$ id
uid=24584(adminsjoerd) gid=10000(UNIX-Server-AdminGroup) groups=10000(UNIX-Server-AdminGroup) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Note that later on the location of the homedir will change due to autofs


Also note that the username is case sensitive on unix, meaning that if your AD account is created with capitals you'll also need to logon using capitals. I checked and so far you can change the AD username to non-capitals without any issue.

Restrict SSH Access

I wanto restrict SSH access to just the Server Admins and the Server TAM members. Therefore I need to add the following line to the /etc/ssh/sshd_config file:

AllowGroups UNIX-Server-AdminGroup UNIX-Server-AppMgmt

Configure SUDO

I want the members of the Server Admins group to be able to use sudo. Use the visudo command to add this line to the /etc/sudoers file:

%UNIX-Server-AdminGroup     ALL=(ALL)       NOPASSWD: ALL

Configure XRDP

I want my Windows oriented collegues to also be able to logon using rdp/mstsc. Therefore I will install xrdp, which is part of the EPEL repo. Download the EPEL repo package and key from http://mirror.serverbeheren.nl/epel/6/i386/repoview/epel-release.html . Then install the package and import the key like this:

  • rpm -i epel-release-6-8.noarch.rpm
  • rpm –import RPM-GPG-KEY-EPEL-6

Configure yum to be able to use a proxy by adding this line to the /etc/yum.conf file:

proxy=http://proxy.getshifting.com:8080

Then install and enable the xrdp package:

  • yum install xrdp
  • chkconfig xrdp on
  • service xrdp start

Then allow connections through the firewall:

  • iptables -I INPUT -p tcp –dport 3389 -j ACCEPT
  • service iptables save

Install Other Software

Just like this:

  • yum install man nfs-util telnet vim-enhanced lsof ftp zip unzip setroubleshoot-server -y -q

Configure AutoFS for HomeDirs

This will require you to create a NFS server first. Then setup these two files:

  • vi /etc/auto.master
/home/GETSHIFTING /etc/auto.homedir -nobrowse
  • vi /etc/auto.homedir
* redhatnfsserver:/data/all-servers-home/&

Then restart the autofs service:

  • service autofs restart
Note that you need to cd to the complete path, you can't use <TAB>

Syslog Server

I also want my management server to function as a syslog server. I want all clients to forward any message of priority warning of higher towards the management server, so that in case of a failure at least some message are saved for investigation.

Setup Syslog Server

Because the rsyslog package has already been installed this is quite an easy setup. Edit the /etc/rsyslog.conf file to uncomment these lines:

# Provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514
 
# Provides TCP syslog reception
$ModLoad imtcp
$InputTCPServerRun 514

Then restart the rsyslog daemon:

sudo service rsyslog restart

Now open the udp/tcp ports for syslog:

sudo iptables -I INPUT -p tcp --dport 514 -j ACCEPT
sudo iptables -I INPUT -p udp --dport 514 -j ACCEPT
service iptables save

Now the server part is done.

Setup Syslog Client

Setting up the syslog client is even more easy. Edit again the /etc/rsyslog.conf file and add these lines:

# SIEM Forwarding
*.debug @10.10.10.93
# Management Server syslog forwarding
*.warning @rhmgmtsrv.getshifting.local
Note that the first part is for a SIEM appliance and requires all messages for security analyzing

Test Client

Since we configured that only warning messages and higher will be sent to the management server we should test that with logger, a syslog test utility:

logger -p error "Test from redhatnfsserver for an error message"
logger -p warning "Test from redhatnfsserver for a warning message"

This will show the following lines on the /var/log/messages file on the management server:

Aug  7 14:16:41 redhatnfsserver adminsjoerd: Test from redhatnfsserver for an error message
Aug  7 14:16:41 redhatnfsserver adminsjoerd: Test from redhatnfsserver for a warning message

It works!

Create Syslog Report

Of course I want to receive a report from all these messages, all sorted out nicely, so I created this scheduled report.

KickStart Installation Server

Kickstart is the redhat installation service. I want to be able to install custom servers using kickstart. To do so I will use a webserver and custom kickstart files.

Deploy Web Server

Deploy the required webserver like this, start with the installation, then enable the webserver:

  • yum install httpd
  • service httpd start
  • chkconfig httpd on

Then open the firewall ports:

  • iptables -I INPUT -p tcp –dport 80 -j ACCEPT
  • service iptables save

Then configure the webserver with aliases so the required data can be accessed. Add this info to the appropriate section in /etc/httpd/conf/httpd.conf:

Alias /dvdinstall/ "/data/repo-dvd65/"
 
<Directory "/data/repo-dvd65/">
    Options Indexes MultiViews FollowSymLinks
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>
 
Alias /getshiftinginstall/ "/data/repo-getshifting/"
 
<Directory "/data/repo-getshifting/">
    Options Indexes MultiViews FollowSymLinks
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>

Then set the SELinux context correct:

  • semanage fcontext -a -t httpd_sys_content_t '/data(/.*)?'
  • restorecon -Rv /data/

And restart the webserver:

  • service httpd restart

Add VMware Tools to WebServer

Because we will use this later for automated installation add the tools file you used to install the tools on the server with in the following directory. If you already deleted it you can get it again from the tools CD after mounting it:

  • mount /dev/cdrom /mnt
  • mkdir -p /data/repo-getshifting
  • cp /mnt/VMwareTools-9.0.5-1065307.tar.gz /data/repo-getshifting/
  • restorecon -Rv /data/

Custom Kickstart File

# Kickstart file created by sjoerd
# Version: 0.8 - 7 august 2014
# Added SCOM configuration, SYSLOG and variables for redhat subscription manager
# Version: 0.7 - 6 august 2014
# Added Oracle and Mercurial Client
# Version: 0.6 - 25 july 2014
# Added NetBackup client and configuration
# Note:
# The disk setup in this kickstart file is like this:
# Disk 0 : /boot (disk size preferred 1 GB)
# Disk 1 : swap (disk size minimum of RAM up to 4 GB)
# Disk 2 : LVM for / (20 GB), /var (5 GB) and /tmp (remaining disk space)
 
# Installation Source is the rhmgmtsrv/10.10.10.80
install
url --url http://10.10.10.80/dvdinstall/
# Language and KeyBoard Settings
lang en_US.UTF-8
keyboard us
# Network Configuration; keep default on dhcp or create custom kickstart file with network already configured
# network --device eth0 --bootproto dhcp
network --onboot yes --device eth0 --bootproto static --ip 10.10.10.100 --netmask 255.255.0.0 --gateway 10.10.10.254 --noipv6 --nameserver 10.10.10.53,10.10.10.153 --hostname clientname.getshifting.local
# Security Settings
rootpw  --iscrypted $6$OE0oJEAUjSVc.ft1$njQ9HO7LAZo18iABAXKMc8uNp5ONhmY/qvstu7/VngxYG60cPoHI5Ta2NKYt/kABhYSIjn1eDcMtw9AkFYHvx1
# Enable firewall and open ports for xrdp and netbackup
firewall --service=ssh --port=3389:tcp,1556:tcp,13722:tcp,13724:tcp,13782:tcp
authconfig --enableshadow --passalgo=sha512
selinux --enforcing
timezone --utc Europe/Amsterdam
# Where should the bootdisk be placed
bootloader --location=mbr --driveorder=sda,sdb,sdc --append="crashkernel=auto rhgb quiet"
# Partitioning
zerombr yes
clearpart --all --initlabel
# Create boot disk, minimum size 200 MB, grow to maximum, primary partition
part /boot --fstype=ext4 --grow --asprimary --size=200
# create swap disk
part swap --grow --asprimary --size=200
# Use LVM partition on third disk for remaining file systems
part pv.008033 --grow --asprimary --size=200
volgroup vg_linuxbox --pesize=4096 pv.008033
logvol / --fstype=ext4 --name=LogVol00 --vgname=vg_linuxbox --size=20480
logvol /var --fstype=ext4 --name=LogVol01 --vgname=vg_linuxbox --size=5120
logvol /tmp --fstype=ext4 --name=LogVol02 --vgname=vg_linuxbox --size=200 --grow
# Reboot after installation
reboot --eject
 
# Package(groups) to be installed
%packages
@core
@server-policy
@desktop
@directory-client
authconfig-gtk
createrepo
dos2unix
ftp
ksh
lsof
mailx
man
nfs-utils
ntp
oddjob-mkhomedir
openldap-clients
perl
policycoreutils-gui
setroubleshoot-server
system-config-firewall
telnet
unzip
vim-enhanced
xorg-x11-apps
zip
# Required packages for business application
openmotif
%end
 
# Post installation scripts
%post --log=/root/post_install.log
# ==========================================================================
# Set Installation Variables
HOSTF=`hostname -f`
HOST=`hostname -s`
NTPSERVER=10.10.10.123
INSTALLSERVER=rhmgmtsrv
LDAPIP=10.10.10.53
LDAPBASE=dc=getshifting,dc=local
KRBSERVER=DCSERVER.GETSHIFTING.LOCAL
KRBREALM=GETSHIFTING.LOCAL
NFSSERVER=redhatnfsserver
PROXYSERVER=proxy.getshifting.com
PROXYPORT=8080
REDHATUSER=rhgetshifting
REDHATPASS=XXXXXXXXX
SCOMUSER=sa-linux-scom
SYSLOGSERVER=rhmgmtsrv.getshifting.local
SYSLOGSIEM=10.10.10.93
RELAYHOST=relaysmtphost.getshifting.local
MAILDOMAIN=getshifting.com
# ==========================================================================
# Overwrite NTP config
mv /etc/ntp.conf /etc/ntp.orig
echo "# GETSHIFTING NTP Config" > /etc/ntp.conf
echo "tinker panic 0" >> /etc/ntp.conf
echo "driftfile /var/lib/ntp/drift" >> /etc/ntp.conf
echo "restrict default kod nomodify notrap nopeer noquery" >> /etc/ntp.conf
echo "restrict -6 default kod nomodify notrap nopeer noquery" >> /etc/ntp.conf
echo "restrict 127.0.0.1" >> /etc/ntp.conf
echo "restrict -6 ::1" >> /etc/ntp.conf
echo "server ${NTPSERVER}" >> /etc/ntp.conf
echo "includefile /etc/ntp/crypto/pw" >> /etc/ntp.conf
echo "keys /etc/ntp/keys" >> /etc/ntp.conf
chkconfig ntpd on
# ==========================================================================
# Add DVD Repo
echo "[dvd]" > /etc/yum.repos.d/dvd.repo
echo "name=Red Hat 6.5 Installation DVD" >> /etc/yum.repos.d/dvd.repo
echo "baseurl=http://${INSTALLSERVER}/dvdinstall/" >> /etc/yum.repos.d/dvd.repo
echo "gpgcheck=1" >> /etc/yum.repos.d/dvd.repo
echo "gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release" >> /etc/yum.repos.d/dvd.repo
echo "enabled=1" >> /etc/yum.repos.d/dvd.repo
# ==========================================================================
# Automate VMware Tools Installation
wget -O /tmp/tools.tar.gz http://${INSTALLSERVER}/getshiftinginstall/VMwareTools-9.0.5-1065307.tar.gz
cd /tmp
tar xzf /tmp/tools.tar.gz
cd /tmp/vmware-tools-distrib
./vmware-install.pl -d
# ==========================================================================
# Automate NetBackup Installation
mkdir -p /usr/openv/netbackup
echo "SERVER = backupserver01.getshifting.local" >> /usr/openv/netbackup/bp.conf
echo "SERVER = backupserver001b.getshifting.local" >> /usr/openv/netbackup/bp.conf
echo "SERVER = backupserver401a.getshifting.local" >> /usr/openv/netbackup/bp.conf
echo "SERVER = backupserver405.getshifting.local" >> /usr/openv/netbackup/bp.conf
echo "SERVER = backupserver005.getshifting.local" >> /usr/openv/netbackup/bp.conf
echo "CLIENT_NAME = ${HOSTF}" >> /usr/openv/netbackup/bp.conf
wget -O /tmp/NB7601RH.tar http://${INSTALLSERVER}/getshiftinginstall/NB7601RH.tar
cd /tmp
tar -xf /tmp/NB7601RH.tar
sed -i 's/read ans/#read ans/g' /tmp/NetBackup_7.6.0.1_CLIENTS2/install
sed -i 's/read ans/#read ans/g' /tmp/NetBackup_7.6.0.1_CLIENTS2/NBClients/catalog/anb/client.inst
cd /tmp/NetBackup_7.6.0.1_CLIENTS2
./install
# ==========================================================================
# Set Default Runlevel to 3
sed -i 's/id:5:initdefault:/id:3:initdefault:/g' /etc/inittab
# ==========================================================================
# Configure AD Authentication
## Set AD Authentication Settings
authconfig --enableldap --ldapserver=ldap://${LDAPIP} --ldapbasedn="${LDAPBASE}" --update
authconfig --enablekrb5 --krb5realm ${KRBREALM} --krb5kdc ${KRBSERVER} --krb5adminserver ${KRBSERVER} --update
authconfig --enablemkhomedir --update
## Download AD kerberos keytab
## Change keytab name to match new one
wget -O /etc/krb5.keytab http://${INSTALLSERVER}/getshiftinginstall/${HOST}.keytab
chmod 0600 /etc/krb5.keytab
restorecon /etc/krb5.keytab
## Set SSSD Config file
cp -p /etc/sssd/sssd.conf /etc/sssd/sssd.orig
echo "[domain/default]" > /etc/sssd/sssd.conf
echo "ldap_id_use_start_tls = False" >> /etc/sssd/sssd.conf
echo "cache_credentials = True" >> /etc/sssd/sssd.conf
echo "ldap_search_base = dc=getshifting,dc=local" >> /etc/sssd/sssd.conf
echo "krb5_realm = ${KRBREALM}" >> /etc/sssd/sssd.conf
echo "krb5_server = ${KRBSERVER}" >> /etc/sssd/sssd.conf
echo "id_provider = ldap" >> /etc/sssd/sssd.conf
echo "auth_provider = krb5" >> /etc/sssd/sssd.conf
echo "chpass_provider = krb5" >> /etc/sssd/sssd.conf
echo "ldap_uri = ldap://${LDAPIP}/" >> /etc/sssd/sssd.conf
echo "ldap_tls_cacertdir = /etc/openldap/cacerts" >> /etc/sssd/sssd.conf
echo "krb5_kpasswd = ${KRBSERVER}" >> /etc/sssd/sssd.conf
echo "access_provider = ldap" >> /etc/sssd/sssd.conf
echo "ldap_sasl_mech = GSSAPI" >> /etc/sssd/sssd.conf
## Match servername to new one
echo "ldap_sasl_authid = host/${HOSTF}@${KRBREALM}" >> /etc/sssd/sssd.conf
echo "ldap_schema = rfc2307bis" >> /etc/sssd/sssd.conf
echo "ldap_user_object_class = user" >> /etc/sssd/sssd.conf
echo "ldap_user_home_directory = unixHomeDirectory" >> /etc/sssd/sssd.conf
echo "ldap_user_principal = userPrincipalName" >> /etc/sssd/sssd.conf
echo "ldap_user_name = sAMAccountName" >> /etc/sssd/sssd.conf
echo "ldap_group_object_class = group" >> /etc/sssd/sssd.conf
echo "ldap_access_order = expire" >> /etc/sssd/sssd.conf
echo "ldap_account_expire_policy = ad" >> /etc/sssd/sssd.conf
echo "ldap_force_upper_case_realm = true" >> /etc/sssd/sssd.conf
echo "ldap_disable_referrals = true" >> /etc/sssd/sssd.conf
echo " " >> /etc/sssd/sssd.conf
echo "[sssd]" >> /etc/sssd/sssd.conf
echo "services = nss, pam" >> /etc/sssd/sssd.conf
echo "config_file_version = 2" >> /etc/sssd/sssd.conf
echo "domains = default" >> /etc/sssd/sssd.conf
echo " " >> /etc/sssd/sssd.conf
echo "[nss]" >> /etc/sssd/sssd.conf
echo " " >> /etc/sssd/sssd.conf
echo "[pam]" >> /etc/sssd/sssd.conf
echo " " >> /etc/sssd/sssd.conf
echo "[sudo]" >> /etc/sssd/sssd.conf
echo " " >> /etc/sssd/sssd.conf
echo "[autofs]" >> /etc/sssd/sssd.conf
echo " " >> /etc/sssd/sssd.conf
echo "[ssh]" >> /etc/sssd/sssd.conf
echo " " >> /etc/sssd/sssd.conf
echo "[pac]" >> /etc/sssd/sssd.conf
echo " " >> /etc/sssd/sssd.conf
service sssd restart
## Add permissions in sshd_config file
echo " " >> /etc/ssh/sshd_config
echo "# Only allow users in these groups to access over ssh" >> /etc/ssh/sshd_config
echo "AllowGroups UNIX-Server-AdminGroup UNIX-Server-AppMgmt" >> /etc/ssh/sshd_config
## Add permissions into sudoers file
echo " " >> /etc/sudoers
echo "# GETSHIFTING Specific Permissions" >> /etc/sudoers
echo "%UNIX-Server-AdminGroup     ALL=(ALL)       NOPASSWD: ALL" >> /etc/sudoers
# ==========================================================================
# Install and configure xRDP
wget -O /tmp/xrdp.rpm http://${INSTALLSERVER}/getshiftinginstall/xrdp-0.5.0-0.13.el6.x86_64.rpm
yum localinstall /tmp/xrdp.rpm -y
chkconfig xrdp on
# ==========================================================================
# Install Mercurial
# Note that the mercurial version included in the Red Hat installation dvd is outdated and cannot be used
wget -O /tmp/mercurial.rpm http://${INSTALLSERVER}/getshiftinginstall/mercurial-2.2.2-1.el6.rfx.x86_64.rpm
yum localinstall /tmp/mercurial.rpm -y 
# ==========================================================================
# Install Oracle Instant Client - all packages
wget -O /tmp/oraclebasic.rpm http://${INSTALLSERVER}/getshiftinginstall/oracle-instantclient11.2-basic-11.2.0.3.0-1.x86_64.rpm
yum localinstall /tmp/oraclebasic.rpm -y
wget -O /tmp/oracledevel.rpm http://${INSTALLSERVER}/getshiftinginstall/oracle-instantclient11.2-devel-11.2.0.3.0-1.x86_64.rpm
yum localinstall /tmp/oracledevel.rpm -y
wget -O /tmp/oraclejdbc.rpm http://${INSTALLSERVER}/getshiftinginstall/oracle-instantclient11.2-jdbc-11.2.0.3.0-1.x86_64.rpm
yum localinstall /tmp/oraclejdbc.rpm -y
wget -O /tmp/oracleodbc.rpm http://${INSTALLSERVER}/getshiftinginstall/oracle-instantclient11.2-odbc-11.2.0.3.0-1.x86_64.rpm
yum localinstall /tmp/oracleodbc.rpm -y
wget -O /tmp/oracleprecomp.rpm http://${INSTALLSERVER}/getshiftinginstall/oracle-instantclient11.2-precomp-11.2.0.3.0-1.x86_64.rpm
yum localinstall /tmp/oracleprecomp.rpm -y
wget -O /tmp/oraclesqlplus.rpm http://${INSTALLSERVER}/getshiftinginstall/oracle-instantclient11.2-sqlplus-11.2.0.3.0-1.x86_64.rpm
yum localinstall /tmp/oraclesqlplus.rpm -y
wget -O /tmp/oracletools.rpm http://${INSTALLSERVER}/getshiftinginstall/oracle-instantclient11.2-tools-11.2.0.3.0-1.x86_64.rpm
yum localinstall /tmp/oracletools.rpm -y
# ==========================================================================
# SCOM Monitoring configuration
echo " " >> /etc/sudoers
echo "#General requirements for OpsMgr service account " >> /etc/sudoers
echo "Defaults:${SCOMUSER}" '!requiretty' >> /etc/sudoers
echo " " >> /etc/sudoers
echo "#Agent discovery, installation, certificate signing, and maintenance tasks " >> /etc/sudoers
echo "${SCOMUSER} ALL=(root) NOPASSWD: /bin/sh -c cp /tmp/scx-${SCOMUSER}/scx.pem /etc/opt/microsoft/scx/ssl/scx.pem; rm -rf /tmp/scx-${SCOMUSER}; /opt/microsoft/scx/bin/tools/scxadmin -restart " >> /etc/sudoers
echo "${SCOMUSER} ALL=(root) NOPASSWD: /bin/sh -c sh /tmp/scx-${SCOMUSER}/GetOSVersion.sh; EC=\$?; rm -rf /tmp/scx-${SCOMUSER}; exit \$EC " >> /etc/sudoers
echo "${SCOMUSER} ALL=(root) NOPASSWD: /bin/sh -c  cat /etc/opt/microsoft/scx/ssl/scx.pem " >> /etc/sudoers
echo "${SCOMUSER} ALL=(root) NOPASSWD: /bin/sh -c  rpm -e scx " >> /etc/sudoers
echo "${SCOMUSER} ALL=(root) NOPASSWD: /bin/sh -c /bin/rpm -F --force /tmp/scx-${SCOMUSER}/scx-1.[0-9].[0-9]-[0-9][0-9][0-9].rhel.[0-9].x[6-8][4-6].rpm; EC=\$?; cd /tmp; rm -rf /tmp/scx-${SCOMUSER}; exit \$EC" >> /etc/sudoers
echo "${SCOMUSER} ALL=(root) NOPASSWD: /bin/sh -c /bin/rpm -U --force /tmp/scx-${SCOMUSER}/scx-1.[0-9].[0-9]-[0-9][0-9][0-9].rhel.[0-9].x[6-8][4-6].rpm; EC=\$?; cd /tmp; rm -rf /tmp/scx-${SCOMUSER}; exit \$EC" >> /etc/sudoers
echo " " >> /etc/sudoers
echo "#Log file monitoring " >> /etc/sudoers
echo "${SCOMUSER} ALL=(root) NOPASSWD: /opt/microsoft/scx/bin/scxlogfilereader -p" >> /etc/sudoers
echo " " >> /etc/sudoers
#echo "#Custom shell command monitoring example. Replace <shell command> with the correct command string " >> /etc/sudoers
#echo "${SCOMUSER} ALL=(root) NOPASSWD: /bin/bash -c su" >> /etc/sudoers
echo " " >> /etc/sudoers
echo "#Add sudo logging " >> /etc/sudoers
echo "Defaults logfile=/var/log/sudolog" >> /etc/sudoers
echo " " >> /etc/sudoers
# ==========================================================================
# SYSLOG configuration
echo " " >> /etc/rsyslog.conf
echo "# Qradar Forwarding" >> /etc/rsyslog.conf
echo "*.debug @${SYSLOGSIEM}" >> /etc/rsyslog.conf
echo "# Management Server syslog forwarding" >> /etc/rsyslog.conf
echo "*.warning @${SYSLOGSERVER}" >> /etc/rsyslog.conf
# ==========================================================================
# MAIL configuration
echo " " >> /etc/postfix/main.cf
echo "# GetShifting Mail configuration" >> /etc/postfix/main.cf
echo "mydomain = ${MAILDOMAIN}" >> /etc/postfix/main.cf
echo "myhostname = ${HOSTF}" >> /etc/postfix/main.cf
echo "relayhost = ${RELAYHOST}" >> /etc/postfix/main.cf
# ==========================================================================
# Add Red Hat Registration without adding the red hat repositories
subscription-manager config --rhsm.manage_repos=0
subscription-manager config --server.proxy_hostname=${PROXYSERVER} --server.proxy_port=${PROXYPORT}
subscription-manager register --username ${REDHATUSER} --password ${REDHATPASS}
# ==========================================================================
# Disable all repos from red hat - does not work during kickstart
# sed -i 's/enabled = 1/enabled = 0/g' /etc/yum.repos.d/redhat.repo
# ==========================================================================
# Add automount config
mv /etc/auto.master /etc/auto.master.orig
echo '/home/GETSHIFTING /etc/auto.homedir -nobrowse' > /etc/auto.master
echo "* ${NFSSERVER}:/data/all-servers-home/&" > /etc/auto.homedir
# ==========================================================================
%end

Custom Kickstart File for Oracle Servers

# Kickstart file created by sjoerd
# Version: 0.8 - 7 august 2014
# Added SCOM configuration, SYSLOG and variables for redhat subscription manager
# Note:
# The disk setup in this kickstart file is like this:
# Disk 0 : /boot (disk size preferred 1 GB)
# Disk 1 : swap (disk size minimum of RAM up to 4 GB)
# Disk 2 : LVM for / (20 GB), /var (5 GB) and /tmp (remaining disk space)
 
# Installation Source is the rhmgmtsrv/10.10.10.80
install
url --url http://10.10.10.80/dvdinstall/
# Language and KeyBoard Settings
lang en_US.UTF-8
keyboard us
# Network Configuration; keep default on dhcp or create custom kickstart file with network already configured
# network --device eth0 --bootproto dhcp
network --onboot yes --device eth0 --bootproto static --ip 10.10.10.110 --netmask 255.255.0.0 --gateway 10.10.10.254 --noipv6 --nameserver 10.10.10.53,10.10.10.153 --hostname dboracleserver.getshifting.local
# Security Settings
rootpw  --iscrypted $6$OE0oJEAUjSVc.ft1$njQ9HO7LAZo18iABAXKMc8uNp5ONhmZ/qvstu7/VngxYG60cPoHI5Ta2NKYt/kABhYSIjn1eDcMtw9AkFYHvx1
# Enable firewall and open ports for oracle, xrdp and netbackup
firewall --service=ssh --port=1158:tcp,1521:tcp,3389:tcp,1556:tcp,13722:tcp,13724:tcp,13782:tcp
authconfig --enableshadow --passalgo=sha512
selinux --enforcing
timezone --utc Europe/Amsterdam
# Where should the bootdisk be placed
bootloader --location=mbr --driveorder=sda,sdb,sdc --append="crashkernel=auto rhgb quiet"
# Partitioning
zerombr yes
clearpart --all --initlabel
# Create boot disk, minimum size 200 MB, grow to maximum, primary partition
part /boot --fstype=ext4 --grow --asprimary --size=200
# create swap disk
part swap --grow --asprimary --size=200
# Use LVM partition on third disk for remaining file systems
part pv.008033 --grow --asprimary --size=200
volgroup vg_linuxbox --pesize=4096 pv.008033
logvol / --fstype=ext4 --name=LogVol00 --vgname=vg_linuxbox --size=20480
logvol /var --fstype=ext4 --name=LogVol01 --vgname=vg_linuxbox --size=5120
logvol /tmp --fstype=ext4 --name=LogVol02 --vgname=vg_linuxbox --size=200 --grow
# Reboot after installation
reboot --eject
 
# Package(groups) to be installed
%packages
@core
@server-policy
@desktop
@directory-client
authconfig-gtk
createrepo
dos2unix
ftp
ksh
lsof
mailx
man
nfs-utils
ntp
oddjob-mkhomedir
openldap-clients
perl
policycoreutils-gui
setroubleshoot-server
system-config-firewall
telnet
unzip
vim-enhanced
xorg-x11-apps
zip
# Required packages for oracle
binutils
cloog-ppl
compat-libcap1
compat-libstdc++-33
cpp
gcc
gcc-c++
glibc
glibc-devel
glibc-headers
kernel-headers
ksh
libaio
libaio-devel
libdmx
libgcc
libstdc++
libstdc++-devel
libXmu
libXt
libXv
libXxf86dga
libXxf86misc
libXxf86vm
make
mpfr
ppl
sysstat
xorg-x11-utils
xorg-x11-xauth
%end
 
# Post installation scripts
%post --log=/root/post_install.log
# ==========================================================================
# Set Installation Variables
HOSTF=`hostname -f`
HOST=`hostname -s`
NTPSERVER=10.10.10.123
INSTALLSERVER=rhmgmtsrv
LDAPIP=10.10.10.53
LDAPBASE=dc=getshifting,dc=local
KRBSERVER=DCSERVER.GETSHIFTING.LOCAL
KRBREALM=GETSHIFTING.LOCAL
NFSSERVER=redhatnfsserver
PROXYSERVER=proxy.getshifting.com
PROXYPORT=8080
REDHATUSER=rhgetshifting
REDHATPASS=XXXXXXXXX
SCOMUSER=sa-linux-scom
SYSLOGSERVER=rhmgmtsrv.getshifting.local
SYSLOGSIEM=10.10.10.93
RELAYHOST=relaysmtphost.getshifting.local
MAILDOMAIN=getshifting.com
ORACLEUSER=sa-acp-oracle
# ==========================================================================
# Overwrite NTP config
mv /etc/ntp.conf /etc/ntp.orig
echo "# GETSHIFTING NTP Config" > /etc/ntp.conf
echo "tinker panic 0" >> /etc/ntp.conf
echo "driftfile /var/lib/ntp/drift" >> /etc/ntp.conf
echo "restrict default kod nomodify notrap nopeer noquery" >> /etc/ntp.conf
echo "restrict -6 default kod nomodify notrap nopeer noquery" >> /etc/ntp.conf
echo "restrict 127.0.0.1" >> /etc/ntp.conf
echo "restrict -6 ::1" >> /etc/ntp.conf
echo "server ${NTPSERVER}" >> /etc/ntp.conf
echo "includefile /etc/ntp/crypto/pw" >> /etc/ntp.conf
echo "keys /etc/ntp/keys" >> /etc/ntp.conf
chkconfig ntpd on
# ==========================================================================
# Add DVD Repo
echo "[dvd]" > /etc/yum.repos.d/dvd.repo
echo "name=Red Hat 6.5 Installation DVD" >> /etc/yum.repos.d/dvd.repo
echo "baseurl=http://${INSTALLSERVER}/dvdinstall/" >> /etc/yum.repos.d/dvd.repo
echo "gpgcheck=1" >> /etc/yum.repos.d/dvd.repo
echo "gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release" >> /etc/yum.repos.d/dvd.repo
echo "enabled=1" >> /etc/yum.repos.d/dvd.repo
# ==========================================================================
# Automate VMware Tools Installation
wget -O /tmp/tools.tar.gz http://${INSTALLSERVER}/getshiftinginstall/VMwareTools-9.0.5-1065307.tar.gz
cd /tmp
tar xzf /tmp/tools.tar.gz
cd /tmp/vmware-tools-distrib
./vmware-install.pl -d
# ==========================================================================
# Automate NetBackup Installation
mkdir -p /usr/openv/netbackup
echo "SERVER = backupserver01.getshifting.local" >> /usr/openv/netbackup/bp.conf
echo "SERVER = backupserver001b.getshifting.local" >> /usr/openv/netbackup/bp.conf
echo "SERVER = backupserver401a.getshifting.local" >> /usr/openv/netbackup/bp.conf
echo "SERVER = backupserver405.getshifting.local" >> /usr/openv/netbackup/bp.conf
echo "SERVER = backupserver005.getshifting.local" >> /usr/openv/netbackup/bp.conf
echo "CLIENT_NAME = ${HOSTF}" >> /usr/openv/netbackup/bp.conf
wget -O /tmp/NB7601RH.tar http://${INSTALLSERVER}/getshiftinginstall/NB7601RH.tar
cd /tmp
tar -xf /tmp/NB7601RH.tar
sed -i 's/read ans/#read ans/g' /tmp/NetBackup_7.6.0.1_CLIENTS2/install
sed -i 's/read ans/#read ans/g' /tmp/NetBackup_7.6.0.1_CLIENTS2/NBClients/catalog/anb/client.inst
cd /tmp/NetBackup_7.6.0.1_CLIENTS2
./install
# Exclude oracle directory from backup
echo "/opt/oracle" >> /usr/openv/netbackup/exclude_list
# ==========================================================================
# Set Default Runlevel to 3
sed -i 's/id:5:initdefault:/id:3:initdefault:/g' /etc/inittab
# ==========================================================================
# Configure AD Authentication
## Set AD Authentication Settings
authconfig --enableldap --ldapserver=ldap://${LDAPIP} --ldapbasedn="${LDAPBASE}" --update
authconfig --enablekrb5 --krb5realm ${KRBREALM} --krb5kdc ${KRBSERVER} --krb5adminserver ${KRBSERVER} --update
authconfig --enablemkhomedir --update
## Download AD kerberos keytab
## Change keytab name to match new one
wget -O /etc/krb5.keytab http://${INSTALLSERVER}/getshiftinginstall/${HOST}.keytab
chmod 0600 /etc/krb5.keytab
restorecon /etc/krb5.keytab
## Set SSSD Config file
cp -p /etc/sssd/sssd.conf /etc/sssd/sssd.orig
echo "[domain/default]" > /etc/sssd/sssd.conf
echo "ldap_id_use_start_tls = False" >> /etc/sssd/sssd.conf
echo "cache_credentials = True" >> /etc/sssd/sssd.conf
echo "ldap_search_base = dc=getshifting,dc=local" >> /etc/sssd/sssd.conf
echo "krb5_realm = ${KRBREALM}" >> /etc/sssd/sssd.conf
echo "krb5_server = ${KRBSERVER}" >> /etc/sssd/sssd.conf
echo "id_provider = ldap" >> /etc/sssd/sssd.conf
echo "auth_provider = krb5" >> /etc/sssd/sssd.conf
echo "chpass_provider = krb5" >> /etc/sssd/sssd.conf
echo "ldap_uri = ldap://${LDAPIP}/" >> /etc/sssd/sssd.conf
echo "ldap_tls_cacertdir = /etc/openldap/cacerts" >> /etc/sssd/sssd.conf
echo "krb5_kpasswd = ${KRBSERVER}" >> /etc/sssd/sssd.conf
echo "access_provider = ldap" >> /etc/sssd/sssd.conf
echo "ldap_sasl_mech = GSSAPI" >> /etc/sssd/sssd.conf
## Match servername to new one
echo "ldap_sasl_authid = host/${HOSTF}@${KRBREALM}" >> /etc/sssd/sssd.conf
echo "ldap_schema = rfc2307bis" >> /etc/sssd/sssd.conf
echo "ldap_user_object_class = user" >> /etc/sssd/sssd.conf
echo "ldap_user_home_directory = unixHomeDirectory" >> /etc/sssd/sssd.conf
echo "ldap_user_principal = userPrincipalName" >> /etc/sssd/sssd.conf
echo "ldap_user_name = sAMAccountName" >> /etc/sssd/sssd.conf
echo "ldap_group_object_class = group" >> /etc/sssd/sssd.conf
echo "ldap_access_order = expire" >> /etc/sssd/sssd.conf
echo "ldap_account_expire_policy = ad" >> /etc/sssd/sssd.conf
echo "ldap_force_upper_case_realm = true" >> /etc/sssd/sssd.conf
echo "ldap_disable_referrals = true" >> /etc/sssd/sssd.conf
echo " " >> /etc/sssd/sssd.conf
echo "[sssd]" >> /etc/sssd/sssd.conf
echo "services = nss, pam" >> /etc/sssd/sssd.conf
echo "config_file_version = 2" >> /etc/sssd/sssd.conf
echo "domains = default" >> /etc/sssd/sssd.conf
echo " " >> /etc/sssd/sssd.conf
echo "[nss]" >> /etc/sssd/sssd.conf
echo " " >> /etc/sssd/sssd.conf
echo "[pam]" >> /etc/sssd/sssd.conf
echo " " >> /etc/sssd/sssd.conf
echo "[sudo]" >> /etc/sssd/sssd.conf
echo " " >> /etc/sssd/sssd.conf
echo "[autofs]" >> /etc/sssd/sssd.conf
echo " " >> /etc/sssd/sssd.conf
echo "[ssh]" >> /etc/sssd/sssd.conf
echo " " >> /etc/sssd/sssd.conf
echo "[pac]" >> /etc/sssd/sssd.conf
echo " " >> /etc/sssd/sssd.conf
service sssd restart
## Add permissions in sshd_config file
echo " " >> /etc/ssh/sshd_config
echo "# Only allow users in these groups to access over ssh" >> /etc/ssh/sshd_config
echo "AllowGroups UNIX-Server-AdminGroup UNIX-Server-AppMgmt" >> /etc/ssh/sshd_config
## Add permissions into sudoers file
echo " " >> /etc/sudoers
echo "# GETSHIFTING Specific Permissions" >> /etc/sudoers
echo "%UNIX-Server-AdminGroup     ALL=(ALL)       NOPASSWD: ALL" >> /etc/sudoers
# ==========================================================================
# Install and configure xRDP
wget -O /tmp/xrdp.rpm http://${INSTALLSERVER}/getshiftinginstall/xrdp-0.5.0-0.13.el6.x86_64.rpm
yum localinstall /tmp/xrdp.rpm -y
chkconfig xrdp on
# ==========================================================================
# Install Mercurial
# Note that the mercurial version included in the Red Hat installation dvd is outdated and cannot be used
wget -O /tmp/mercurial.rpm http://${INSTALLSERVER}/getshiftinginstall/mercurial-2.2.2-1.el6.rfx.x86_64.rpm
yum localinstall /tmp/mercurial.rpm -y 
# ==========================================================================
# SCOM Monitoring configuration
echo " " >> /etc/sudoers
echo "#General requirements for OpsMgr service account " >> /etc/sudoers
echo "Defaults:${SCOMUSER}" '!requiretty' >> /etc/sudoers
echo " " >> /etc/sudoers
echo "#Agent discovery, installation, certificate signing, and maintenance tasks " >> /etc/sudoers
echo "${SCOMUSER} ALL=(root) NOPASSWD: /bin/sh -c cp /tmp/scx-${SCOMUSER}/scx.pem /etc/opt/microsoft/scx/ssl/scx.pem; rm -rf /tmp/scx-${SCOMUSER}; /opt/microsoft/scx/bin/tools/scxadmin -restart " >> /etc/sudoers
echo "${SCOMUSER} ALL=(root) NOPASSWD: /bin/sh -c sh /tmp/scx-${SCOMUSER}/GetOSVersion.sh; EC=\$?; rm -rf /tmp/scx-${SCOMUSER}; exit \$EC " >> /etc/sudoers
echo "${SCOMUSER} ALL=(root) NOPASSWD: /bin/sh -c  cat /etc/opt/microsoft/scx/ssl/scx.pem " >> /etc/sudoers
echo "${SCOMUSER} ALL=(root) NOPASSWD: /bin/sh -c  rpm -e scx " >> /etc/sudoers
echo "${SCOMUSER} ALL=(root) NOPASSWD: /bin/sh -c /bin/rpm -F --force /tmp/scx-${SCOMUSER}/scx-1.[0-9].[0-9]-[0-9][0-9][0-9].rhel.[0-9].x[6-8][4-6].rpm; EC=\$?; cd /tmp; rm -rf /tmp/scx-${SCOMUSER}; exit \$EC" >> /etc/sudoers
echo "${SCOMUSER} ALL=(root) NOPASSWD: /bin/sh -c /bin/rpm -U --force /tmp/scx-${SCOMUSER}/scx-1.[0-9].[0-9]-[0-9][0-9][0-9].rhel.[0-9].x[6-8][4-6].rpm; EC=\$?; cd /tmp; rm -rf /tmp/scx-${SCOMUSER}; exit \$EC" >> /etc/sudoers
echo " " >> /etc/sudoers
echo "#Log file monitoring " >> /etc/sudoers
echo "${SCOMUSER} ALL=(root) NOPASSWD: /opt/microsoft/scx/bin/scxlogfilereader -p" >> /etc/sudoers
echo " " >> /etc/sudoers
#echo "#Custom shell command monitoring example. Replace <shell command> with the correct command string " >> /etc/sudoers
#echo "${SCOMUSER} ALL=(root) NOPASSWD: /bin/bash -c su" >> /etc/sudoers
echo " " >> /etc/sudoers
echo "#Add sudo logging " >> /etc/sudoers
echo "Defaults logfile=/var/log/sudolog" >> /etc/sudoers
echo " " >> /etc/sudoers
# ==========================================================================
# SYSLOG configuration
echo " " >> /etc/rsyslog.conf
echo "# Qradar Forwarding" >> /etc/rsyslog.conf
echo "*.debug @${SYSLOGSIEM}" >> /etc/rsyslog.conf
echo "# Management Server syslog forwarding" >> /etc/rsyslog.conf
echo "*.warning @${SYSLOGSERVER}" >> /etc/rsyslog.conf
# ==========================================================================
# MAIL configuration
echo " " >> /etc/postfix/main.cf
echo "# GetShifting Mail configuration" >> /etc/postfix/main.cf
echo "mydomain = ${MAILDOMAIN}" >> /etc/postfix/main.cf
echo "myhostname = ${HOSTF}" >> /etc/postfix/main.cf
echo "relayhost = ${RELAYHOST}" >> /etc/postfix/main.cf
# ==========================================================================
# Add Red Hat Registration without adding the red hat repositories
subscription-manager config --rhsm.manage_repos=0
subscription-manager config --server.proxy_hostname=${PROXYSERVER} --server.proxy_port=${PROXYPORT}
subscription-manager register --username ${REDHATUSER} --password ${REDHATPASS}
# ==========================================================================
# Disable all repos from red hat - does not work during kickstart
# sed -i 's/enabled = 1/enabled = 0/g' /etc/yum.repos.d/redhat.repo
# ==========================================================================
# Add automount config
mv /etc/auto.master /etc/auto.master.orig
echo '/home/GETSHIFTING /etc/auto.homedir -nobrowse' > /etc/auto.master
echo "* ${NFSSERVER}:/data/all-servers-home/&" > /etc/auto.homedir
# ==========================================================================
# ## Add kernel parameters to sysctl.conf
## Kernel parameters kernel.shmmax and kernel.shmall have to be calculated depending on RAM and SWAP
## Kernel parameter fs.file-max has to be calculated depending on processes but minimum of 6815744
echo " " >> /etc/sysctl.conf
echo "# Set GETSHIFTING Oracle kernel tuning parameters" >> /etc/sysctl.conf
echo "vm.swappiness = 0" >> /etc/sysctl.conf
echo "vm.dirty_background_ratio =3" >> /etc/sysctl.conf
echo "vm.dirty_ratio = 80" >> /etc/sysctl.conf
echo "vm.dirty_expire_centisecs = 500" >> /etc/sysctl.conf
echo "vm.dirty_writeback_centisecs = 100" >> /etc/sysctl.conf
echo "kernel.shmmni = 4096" >> /etc/sysctl.conf
echo "kernel.sem = 250 32000 100 128" >> /etc/sysctl.conf
echo "net.ipv4.ip_local_port_range = 9000 65500" >> /etc/sysctl.conf
echo "net.core.wmem_max = 1048576" >> /etc/sysctl.conf
echo "net.core.wmem_default = 262144" >> /etc/sysctl.conf
echo "net.core.rmem_max = 4194304" >> /etc/sysctl.conf
echo "net.core.rmem_default = 262144" >> /etc/sysctl.conf
echo "fs.aio-max-nr = 1048576" >> /etc/sysctl.conf
echo "fs.file-max = 6815744" >> /etc/sysctl.conf
sysctl -p
# ==========================================================================
# Oracle GROUPS and users:
groupadd --gid 55321 oinstall
groupadd --gid 55322 dba
groupadd --gid 55323 oper
# Oracle user
useradd --uid 55321 --gid oinstall --groups dba,oper -p '$1$xwPEp1$FN.6fopSG6/FaDYcrdkMh/' -d /opt/oracle -m ${ORACLEUSER}
# Set Shell Limits for oracle user
echo "# Set Oracle user limits" > /etc/security/limits.d/99-oracle-limits.conf
echo "${ORACLEUSER} soft nproc 2047" >> /etc/security/limits.d/99-oracle-limits.conf
echo "${ORACLEUSER} hard nproc 16384" >> /etc/security/limits.d/99-oracle-limits.conf
echo "${ORACLEUSER} soft nofile 1024" >> /etc/security/limits.d/99-oracle-limits.conf
echo "${ORACLEUSER} hard nofile 65536" >> /etc/security/limits.d/99-oracle-limits.conf
echo "${ORACLEUSER} soft stack 10240" >> /etc/security/limits.d/99-oracle-limits.conf
echo "${ORACLEUSER} hard stack 32768" >> /etc/security/limits.d/99-oracle-limits.conf
# Set correct ulimit for oracle user
echo "#Setting the appropriate ulimits for oracle and grid user" > /etc/profile.d/oracle.sh
echo "if [ \$USER = ${ORACLEUSER} ]; then" >> /etc/profile.d/oracle.sh
echo 'if [ $SHELL = "/bin/ksh" ]; then' >> /etc/profile.d/oracle.sh
echo 'ulimit -u 16384' >> /etc/profile.d/oracle.sh
echo 'ulimit -n 65536' >> /etc/profile.d/oracle.sh
echo 'else' >> /etc/profile.d/oracle.sh
echo 'ulimit -u 16384 -n 65536' >> /etc/profile.d/oracle.sh
echo 'fi' >> /etc/profile.d/oracle.sh
echo 'fi' >> /etc/profile.d/oracle.sh
%end

Create Password Hash for Local Users

As you can see in the kickstart file a local user gets created using a password hash. This is how to make one:

  • Start grub-md5-crypt as root and enter the password to be encypted twice:
$ sudo grub-md5-crypt
Password:
Retype password:
$1$kaxqk1$2sroXlnsz0Xh6JwTbPCoI/

As you can see, a hash is being returned. As shown above, this can now be used like this:

  • sudo useradd –uid 33333 -p '$1$kaxqk1$2sroXlnsz0Xh6JwTbPCoI/' sjoerdh

Delete User

If you want to delete the user later on make sure you use the -r switch to also remove the homedir:

  • sudo userdel -r sjoerdh

Netbackup Software

As you can see in the kickstart files I perform some tricks on the NetBackup Client software to have it installed automatically. Since there is no way to manually install the software automatically I replace the read part of the installation script with an outcommented version: #read. This way it will assume the default which is y. So there you have it, an automated way of installing the unix/linux/standard client of Symantec Netbackup.

SCOM Post Installation

The setup in the kickstart file only sets permissions for the scom user. The scom administrator can now add the Linux server without root permissions and set everything up.

Start an Automated Installation

Make sure to make a custom kickstart file and make the following changes:

  • IP address
  • hostname
  • oracle user name and password
  • username and password for the red hat subscription manager

Then place the kickstart file in /var/www/html/kickstarts and name it correctly.

Then add the server to AD and make sure you:

  • Make a DNS record
  • Add the serverobject and make it UNIX available
  • Set Server Principal Name (setspn)
  • Create keytab
  • place the keytab in /data/repo-getshifting/servername.keytab
    • Delete it again afterwards
  • Perform a restorecon -R /data

Then start the installation like this:

Note: * If search domain is not added to resolv.conf make sure you set the hostname in FQDN format * If disk confirmation is requested for disks make sure zerombr and initlabel are included * Adding firewall rules in kickstart does not work yet * Using variables in kickstart does not work yet * Disabling the Red Hat repo does not work in kickstart yet

After creating the server check Post Install follow-up to see what more you can do.

redhat65management.txt · Last modified: 2021/09/24 00:25 by 127.0.0.1