Machine/template-fedora13

Guest installation
# Create the backing disk and kick off a text-mode network install on the
# serial console (console=ttyS0 so `virsh console` works).  The install tree
# is fetched over plain HTTP, so it is trusted as far as the network path to
# that mirror is trusted; use a mirror you control or a local copy if that matters.
vm=template-fedora13
disk=/srv/vm/$vm.qcow2
qemu-img create -f qcow2 "$disk" 10G
virt-install -v --accelerate --nographics \
  -x console=ttyS0,115200 \
  --name "$vm" --vcpus=4 --ram 1024 \
  --os-type=linux --os-variant=fedora13 \
  --network bridge:br0 \
  --disk "$disk" \
  --location http://download.fedora.redhat.com/pub/fedora/linux/releases/13/Fedora/x86_64/os/


 * In Anaconda, select graphical installation over VNC and set a VNC password when the installer offers one: the guest sits on the bridged network (br0), so an unprotected installer VNC session is reachable by anyone on that network
 * Lay out the disk with a single primary partition for root
 * In package selection, choose "minimal system"

Initial configuration
At the end of installation, boot with:

# Boot the freshly installed template and attach to its serial console; the
# rest of the initial configuration happens there until ssh is set up.
virsh start --console template-fedora13


 * Set ssh keys of Sugar Labs sysadmins:

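# Root's authorized_keys: paste the sysadmins' public keys, one per line, then Ctrl-D.
# sshd (StrictModes) rejects a ~/.ssh or authorized_keys that is group/world-writable,
# so set the modes explicitly instead of relying on the umask.
mkdir -p -m 700 ~/.ssh
cat >>~/.ssh/authorized_keys
chmod 600 ~/.ssh/authorized_keys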


 * Configure the SSH daemon:

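# Edit /etc/ssh/sshd_config so that these directives are in effect:
#
#   PermitRootLogin without-password   root by key only; "yes" would also accept a
#                                      password if PasswordAuthentication were ever
#                                      re-enabled
#   PermitEmptyPasswords no            root's password is cleared below, keep this
#   PasswordAuthentication no          keys are the only way in
#
# Also check that ChallengeResponseAuthentication is "no" (Fedora's shipped config
# normally sets it explicitly; verify): with UsePAM, keyboard-interactive would
# otherwise still let a password through.
vi /etc/ssh/sshd_config
# Validate before restarting; a broken config stops sshd.  You are still on the
# serial console at this point, so a slip is recoverable, but keep the habit.
sshd -t && service sshd restart
# Allow ssh logins into the sysadm_r role; only matters once SELinux is enforcing.
setsebool -P ssh_sysadm_login on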


 * Put selinux in permissive mode (while we patiently wait for the day in which selinux in Fedora will become sort of usable out of the box without major tweaks):

# Set SELINUX=permissive (on Fedora this path is normally a symlink to
# /etc/selinux/config).  Permissive still logs every denial to the audit log,
# which is exactly what you need if you later want to go back to enforcing.
# The file takes effect on reboot; `setenforce 0` switches the running system.
vi /etc/sysconfig/selinux


 * Remove the root password (this lets us log in from the serial console with no password). The console is reachable with "virsh console" on the host, so anyone with libvirt access there gets a root shell on the guest; ssh is unaffected because password authentication is disabled above:

# Clear root's password hash in /etc/shadow (vipw -s edits the shadow file under
# lock).  This only opens the serial console: sshd has password authentication
# off and PermitEmptyPasswords no.  Everyone who can attach to the console from
# the host is therefore root on this guest.
vipw -s


 * Enable traditional networking (no NetworkManager nonsense):

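# Use the classic network service.  The original's `start network` is not how
# SysV services are started on Fedora; service(8) is.
chkconfig network on
service network start
# If the install pulled in NetworkManager, stop it from fighting over eth0:
#   chkconfig NetworkManager off && service NetworkManager stop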


 * Optimize creation of new users

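# Seed /etc/skel so every account created with `useradd -m` starts with the
# sysadmins' keys.  The original wrote to /etc/skel/.ssh.authorized_keys (a file
# next to the directory, which sshd never reads); the path below is the one
# sshd looks up, ~/.ssh/authorized_keys.  Modes are 700/600 so StrictModes is
# happy in the copied home directories; the quoted delimiter keeps key comments
# from being expanded.  Put the public keys between the two __EOF__ lines, one per line.
mkdir -p -m 700 /etc/skel/.ssh
cat >/etc/skel/.ssh/authorized_keys <<'__EOF__'
__EOF__
chmod 600 /etc/skel/.ssh/authorized_keys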
 * 1) Place your ssh public keys here, one per line


 * Create sysadmin accounts:

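# One sysadmin account; repeat for each.  -m copies /etc/skel into the new home.
# The mkdir makes the redirection safe even if /etc/skel/.ssh does not exist yet,
# and the explicit modes keep sshd's StrictModes from refusing the keys.
u=bernie
useradd -c "Bernie Innocenti" -m "$u"
mkdir -p "/home/$u/.ssh"
cat >>"/home/$u/.ssh/authorized_keys"      # paste any extra keys, then Ctrl-D
chown -R "$u:$u" "/home/$u/.ssh"
chmod 700 "/home/$u/.ssh"
chmod 600 "/home/$u/.ssh/authorized_keys"
# ... (repeat for the other sysadmins)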


 * Add users to the wheel group (usermod -a -G wheel <user> does it without hand-editing /etc/group; vigr is the manual alternative):

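# Add each sysadmin to wheel (the sudoers rule below keys on %wheel).
# usermod -a -G appends the supplementary group without touching the user's
# other groups; vigr (plus vigr -s for gshadow) works too but is easy to get wrong.
usermod -a -G wheel bernie
# ... repeat for the other sysadmins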


 * Edit sudoers with visudo:
 * Uncomment "%wheel ALL=(ALL) NOPASSWD: ALL". The sysadmin accounts created above have no password, so NOPASSWD is what makes sudo usable for them; it also means the ssh key is the only credential standing between a wheel member and root, which is acceptable only because password logins are disabled.
 * Add these lines

# Keep the forwarded ssh agent socket across sudo so root can ssh/rsync with the
# admin's own key (the devtools rsync below relies on this).  Only forward an
# agent to hosts whose other root-equivalent users you trust: anyone who is root
# here can use the socket for as long as you are logged in.
Defaults env_keep += "SSH_AUTH_SOCK"
 * 1) bernie: forward agent


 * Switch from serial console to ssh

# From here on work over ssh instead of the console.  On this first connection
# compare the offered host key fingerprint with the output of
# `ssh-keygen -lf /etc/ssh/ssh_host_rsa_key.pub` run on the console before accepting it.
ssh root@template-fedora13.sugarlabs.org


 * Install a bunch of useful rpms:

# Baseline tooling: etckeeper tracks /etc in git, munin-node and duplicity are
# configured below, postfix replaces sendmail.  With the stock Fedora repo files
# (gpgcheck=1) yum verifies package signatures, so nothing extra is needed here.
yum install etckeeper bash-completion git-core strace munin-node duplicity postfix vim devtodo man


 * Enable etckeeper:

# Start tracking /etc in git (/etc/.git).  That repository will contain copies of
# /etc/shadow and, once created, /etc/system-full-backup.conf with the backup
# passphrase, so treat it as sensitive: check that /etc/.git ends up readable by
# root only, and never push it anywhere.
etckeeper init


 * Insert into /etc/munin/munin-node.conf:

# Hosts allowed to query this node (anchored regexes on the peer address).
# munin-node binds to every interface with the default `host *`, so this list is
# the access control: keep it to the munin masters.  Comments are kept on their
# own lines to stay on the safe side of the config parser.
# sunjammer.sugarlabs.org
allow ^140\.186\.70\.53$
# trinity.trilan
allow ^10\.3\.3\.1$
# sunjammer.sugarlabs.org (IPv6)
allow ^2001:4830:1100:48::2$
 * 1) SMParrish

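# Drop two plugins that are only noise on a VM: the eth0 error counters and the
# entropy gauge.  The && keeps rm from running in whatever directory you
# happened to be in if the cd fails.
cd /etc/munin/plugins && rm if_err_eth0 entropy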


 * turn on munin-node

# Enable at boot and start now.  The allow list in munin-node.conf above is the
# only thing limiting who can poll the node on port 4949.
chkconfig munin-node on
service munin-node start


 * generate key for root

# Unencrypted (-N "") RSA key for root, used by the unattended duplicity backup
# configured below.  Anyone who can read /root/.ssh/id_rsa can log in as
# sugarbackup on the backup server, so restrict what that key may do on the
# server side (see the ssh-copy-id step).  Key size is ssh-keygen's default.
ssh-keygen -N "" -f /root/.ssh/id_rsa -t rsa


 * Install our standard scripts

# Pull the shared sysadmin scripts from sunjammer and wire them in as login-shell
# init for root and for every new account.  These files run as root at every
# login, so they are only as trustworthy as the bernie account on sunjammer and
# the path between the two hosts (rsync over ssh, using the forwarded agent).
devtools=/usr/src/devtools
rsync -aP "bernie@sunjammer.sugarlabs.org:$devtools/" "$devtools/"
for target in /etc/skel/.bashrc /root/.bashrc; do
  ln -sf "$devtools/sysadm/bashrc.sh" "$target"
done
ln -sf "$devtools/sysadm/zzz_profile.sh" /etc/profile.d/zzz_profile.sh
ln -sf "$devtools/conf/vimrc" /etc/vimrc


 * create /etc/system-full-backup.conf

# Placeholder guard at the top of /etc/system-full-backup.conf.  The file is
# presumably sourced by the backup script, so the exit aborts every run until the
# real settings are in place; delete these lines once configured.
printf '%s\n' "Please configure /etc/system-full-backup.conf and run"
printf '%s\n' " ssh-copy-id -i /root/.ssh/id_rsa.pub sugarbackup@backup.sugarlabs.org"
printf '%s\n' "then, comment out these lines to enable backups"
exit 1
 * 1) bernie: This file MUST have permissions 600

# duplicity settings for the backup script.  PASSPHRASE encrypts every backup
# volume: lose it and the backups are gone, leak it and they are readable --
# hence the 0600 requirement on this file.  TARGET is a per-host directory under
# one shared account on the backup server.
PASSPHRASE=ChangeMe
TARGET="scp://sugarbackup@backup.sugarlabs.org/backup/$(hostname)"


 * Install /root/.ssh/id_rsa.pub key on sugarbackup@backup.sugarlabs.org. All VMs share that one account, so a key installed as-is lets a compromised VM read or delete every other host's backups: restrict the key's authorized_keys entry on the backup server (no-pty, no-port-forwarding, no-agent-forwarding, no-X11-forwarding, and ideally a forced command or chroot confined to /backup/<host>)

# Authorise root's unencrypted key on the backup server.  As written this gives
# the VM an unrestricted shell as sugarbackup, and every VM backs up under that
# same account, so a compromised VM could read or delete the other hosts'
# backups.  Tighten the entry on the server side with authorized_keys options
# (no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding) and, if
# possible, a forced command or chroot limited to /backup/<this host>.
ssh-copy-id -i /root/.ssh/id_rsa.pub sugarbackup@backup.sugarlabs.org

# First login from root on this VM: this records the backup server's host key in
# /root/.ssh/known_hosts, which the unattended backups then trust from now on.
# Check the fingerprint against one obtained out of band instead of answering yes.
ssh sugarbackup@backup.sugarlabs.org
 * log in for the first time on the backup server so its host key is recorded in /root/.ssh/known_hosts; compare the fingerprint with one obtained out of band instead of accepting it blindly, since the unattended backups will trust this entry from now on


 * create /etc/profile.conf

# Per-host settings, presumably read by the shared devtools bashrc/profile
# installed above.  HOST_COLOR: prompt colour escape; HOST_CFLAGS: compiler flags
# for local builds; HOST_CORES: parallelism hint -- keep it in step with the VM's
# --vcpus (the virt-install above uses 4).
HOST_COLOR='\033[1;33m'
HOST_CFLAGS='-march=core2'
HOST_CORES=2
 * 1) SMParrish


 * Add the machine to /etc/munin/munin.conf on Machine/sunjammer for monitoring.

# In /etc/munin/munin.conf on sunjammer: one stanza per monitored node.  The
# bracketed name is the label shown in munin; address is the host the master
# connects to on port 4949.  The node's allow lines must in turn match the
# master's source address (sunjammer's, as listed above).
[VM Name]
    address vmname.sugarlabs.org


 * Replace sendmail with postfix

Create /etc/postfix/main.cf and paste the following into it, replacing template-fedora13 with the new VM name (in both myhostname and mydestination)

# Postfix main.cf for a Sugar Labs VM.  Replace template-fedora13 with the VM's
# name in myhostname and mydestination.  NOTE(review): this was evidently lifted
# from a Debian default main.cf (snakeoil certificate paths, /etc/mailname,
# the postfix-doc reference); several of those assumptions do not hold on
# Fedora, see the notes below.  Postfix does not accept trailing comments, so
# every comment here sits on its own line.
smtpd_banner = $myhostname ESMTP $mail_name (Fedora)
biff = no
# appending .domain is the MUA's job.
append_dot_mydomain = no
readme_directory = no
# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

# TLS parameters -- server side only.  Nothing in this file turns on TLS for
# outbound mail, so anything this box sends (including root's aliased mail)
# leaves in the clear.
# NOTE(review): these are Debian's "snakeoil" self-signed certificate paths and
# are not present on a Fedora install; point them at a certificate that exists
# or smtpd will log TLS errors.
smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

myhostname = template-fedora13.sugarlabs.org
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
# NOTE(review): reading myorigin from /etc/mailname is a Debian convention;
# Fedora has no such file unless you create it.  $myhostname or $mydomain is
# the usual choice here.
myorigin = /etc/mailname
# NOTE(review): listing sugarlabs.org here makes every VM built from this
# template claim to be the final destination for the whole domain: mail from
# this box to anyone@sugarlabs.org is delivered locally (or bounced as an
# unknown user) and never reaches the real MX.  Confirm this is intended.
mydestination = template-fedora13.sugarlabs.org, localhost.sugarlabs.org, localhost, sugarlabs.org
# No smarthost: deliver directly.
relayhost =
# Only loopback may relay; together with reject_unauth_destination below this is
# what keeps the box from being an open relay.
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
# Listens on every interface (needed to accept mail for the names in
# mydestination), so the restrictions below are the only thing between the
# Internet and this MTA.
inet_interfaces = all
home_mailbox = Maildir/
# permit_sasl_authenticated is inert here: no SASL is configured.  Each
# reject_rbl_client costs a DNS lookup per connection; confirm every listed
# DNSBL is still operating, because a defunct list that answers positively
# for everything would reject all inbound mail.
smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination reject_rbl_client bl.spamcop.net reject_rbl_client zen.spamhaus.org reject_rbl_client dnsbl.njabl.org reject_rbl_client dnsbl.sorbs.net reject_rbl_client cbl.abuseat.org reject_unknown_recipient_domain reject_non_fqdn_recipient reject_unlisted_recipient
 * 1) appending .domain is the MUA's job.
 * 1) Uncomment the next line to generate "delayed mail" warnings
 * 2) delay_warning_time = 4h
 * 1) TLS parameters
 * 1) See TLS_README in the postfix documentation (on Debian /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package; on Fedora it ships with the postfix package under /usr/share/doc/postfix-*/README_FILES/) for
 * 2) information on enabling TLS in the smtp client, which the configuration above does not do.
 * 1) bernie
 * 1) bernie
 * 1) bernie: as suggested by mostro


 * Disable sendmail & enable postfix

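# Switch the running MTA to postfix.
service sendmail stop
service postfix start
chkconfig sendmail off
chkconfig postfix on
# While sendmail stays installed, Fedora's alternatives system still points
# /usr/sbin/sendmail, newaliases and mailq at sendmail's binaries, so local
# submission and the newaliases run below would go to the wrong MTA.  Either
# remove sendmail or select postfix explicitly:
alternatives --set mta /usr/sbin/sendmail.postfix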


 * Get all system mail forwarded to the systems-logs@ list

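# Forward root's mail (cron output, log reports, ...) to the list.  The original
# used a single '<', i.e. redirect stdin from a file called __EOF__; a here-doc
# needs '<<'.  Two caveats: the main.cf above enables TLS only on the receiving
# side, so this mail leaves the box in the clear -- keep the list and its
# archive private; and make sure newaliases resolves to postfix's
# (`alternatives --display mta`), or this rebuilds sendmail's alias database instead.
cat >>/etc/aliases <<'__EOF__'
root: systems-logs@lists.sugarlabs.org
__EOF__
newaliases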
 * 1) bernie

Clone the VM

 * Login to the host system & clone the VM

# Run on the host.  virt-clone copies the whole disk (and assigns a new MAC), so
# the clone starts out with the template's ssh host keys, root's private key,
# /etc/.git history and backup settings; the steps below replace the keys and
# re-point the per-host configuration.
sudo virt-clone --connect=qemu:///system -o template-fedora13 -n "new VM name" -f /srv/vm/"new VM name".qcow2


 * Start the new VM and make sure it boots (networking probably will not work, we will fix that later)

# Boot the clone on its serial console.  Networking is expected to be broken
# until the hostname, ifcfg-eth0 and udev steps below are done.
sudo virsh start --console "new VM name"


 * edit /etc/sysconfig/network and change the hostname

# /etc/sysconfig/network: the clone's own name.  The backup TARGET derives its
# directory from `hostname`, so set this before the backup config is updated.
HOSTNAME=newvm.sugarlabs.org


 * Add the hostname to the sugarlabs zone file in the nameservers.


 * Edit network configuration /etc/sysconfig/network-scripts/ifcfg-eth0 to update IPv4 and IPv6 addresses


 * Edit /etc/udev/rules.d/70-persistent-net.rules (the persistent-net rules file written by udev; check the exact name in that directory)

Remove the eth0 entry: virt-clone gave the clone a new MAC address, so the template's rule no longer matches and a fresh one is written on reboot


 * Reboot the system, when it comes back up networking should work


 * remove the old ssh host keys (copied from the template, hence shared by every clone) & generate new ones; admins' known_hosts entries for this name will need updating

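# The clone booted with the template's host keys, so every clone would present
# the same fingerprint.  Remove them (plain files, so -f is enough); Fedora's
# sshd init script generates fresh keys on start when none exist -- confirm
# /etc/ssh/ssh_host_*_key is back after the restart before logging out.
rm -f /etc/ssh/ssh_host_*

service sshd restart
# Record the new fingerprint for the admins' known_hosts, and verify it over the
# console before trusting the first ssh connection to the clone.
ssh-keygen -lf /etc/ssh/ssh_host_rsa_key.pub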


 * create new key for root

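# The clone still carries the template's /root/.ssh/id_rsa, shared with every
# other clone.  Remove it first: with the file present ssh-keygen asks
# "Overwrite (y/n)?" and a stray "n" silently keeps the shared key.
rm -f /root/.ssh/id_rsa /root/.ssh/id_rsa.pub
ssh-keygen -N "" -f /root/.ssh/id_rsa -t rsa
# Then authorise the new key on the backup server; it only knows the template's
# key so far, and that one should be removed there once cloning is finished:
#   ssh-copy-id -i /root/.ssh/id_rsa.pub sugarbackup@backup.sugarlabs.org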


 * update /etc/system-full-backup.conf, then re-run the ssh-copy-id step so the backup server accepts the clone's new root key (it only knows the template's so far); once cloning is done, remove the template's key from sugarbackup's authorized_keys


 * update the motd

# The clone still shows the template's motd; describe the new VM so nobody
# mistakes it for the template.
vim /etc/motd


 * Add the machine to /etc/munin/munin.conf on Machine/sunjammer for monitoring.

# In /etc/munin/munin.conf on sunjammer: the clone's stanza.  The bracketed
# name is the label shown in munin; address is the host the master connects to
# on port 4949 (the DNS entry added above must resolve by then).
[newvm.sugarlabs.org]
    address newvm.sugarlabs.org