Machine/template-fedora13

From Sugar Labs
Jump to navigation Jump to search
The printable version is no longer supported and may have rendering errors. Please update your browser bookmarks and please use the default browser print function instead.

Guest installation

qemu-img create -f qcow2 /srv/vm/template-fedora13.qcow2 10G
virt-install -v --accelerate --nographics -x console=ttyS0,115200 \
   --name template-fedora13 --vcpus=4 --ram $((1*1024)) \
   --os-type=linux --os-variant=fedora13 \
   --network bridge:br0 \
   --disk /srv/vm/template-fedora13.qcow2 \
   --location http://download.fedora.redhat.com/pub/fedora/linux/releases/13/Fedora/x86_64/os/
  • In Anaconda, select graphical installation over vnc
  • Layout the disk with a single primary partition for root
  • In package selection, choose "minimal system"

Initial configuration

At the end of installation, boot with: 

virsh start --console template-fedora13
  • Set ssh keys of Sugar Labs sysadmins:
mkdir ~/.ssh
cat >>~/.ssh/authorized_keys
paste keys
  • Configure the SSH daemon:
vi /etc/ssh/sshd_config
  PermitRootLogin yes
  PermitEmptyPasswords no
  PasswordAuthentication no
service sshd restart
setsebool -P ssh_sysadm_login on
  • Put selinux in permissive mode (while we patiently wait for the day in which selinux in Fedora will become sort of usable out of the box without major tweaks):
vi /etc/sysconfig/selinux
  • Remove root password (this lets us login from the console with no password):
vipw -s
  • Enable traditional networking (no NetworkManager nonsense):
chkconfig network on
start network
  • Optimize creation of new users
mkdir /etc/skel/.ssh
cat >/etc/skel/.ssh.authorized_keys <<__EOF__
# Place your ssh public keys here, one per line
__EOF__
chmod g-w -R /etc/skel/.ssh


  • Create sysadmin accounts:
useradd -c "Bernie Innocenti" -m bernie
cat >>/home/bernie/.ssh/authorized_keys
chown -R bernie:bernie /home/bernie/.ssh
...
  • Add users to wheel group (no better way in Fedora?):
vigr
  • Edit sudoers with visudo:
    • Uncomment "%wheel ALL=(ALL) NOPASSWD: ALL"
    • Add these lines
#bernie: forward agent
Defaults env_keep += "SSH_AUTH_SOCK"


  • Switch from serial console to ssh
ssh root@template-fedora13.sugarlabs.org
  • Install a bunch of useful rpms:
yum install etckeeper bash-completion git-core strace munin-node duplicity postfix vim devtodo man
  • Enable etckeeper:
etckeeper init
  • Insert into /etc/munin/munin-node.conf:
#SMParrish
allow ^140\.186\.70\.53$      # sunjammer.sugarlabs.org
allow ^10\.3\.3\.1$           # trinity.trilan
allow ^2001:4830:1100:48::2$  # sunjammer.sugarlabs.org (IPv6)

cd /etc/munin/plugins
rm if_err_eth0 entropy
  • turn on munin-node
chkconfig munin-node on
service munin-node start
  • generate key for root
ssh-keygen -N "" -f /root/.ssh/id_rsa -t rsa
  • Install our standard scripts
rsync -aP bernie@sunjammer.sugarlabs.org:/usr/src/devtools/ /usr/src/devtools/
ln -sf /usr/src/devtools/sysadm/bashrc.sh /etc/skel/.bashrc
ln -sf /usr/src/devtools/sysadm/bashrc.sh /root/.bashrc
ln -sf /usr/src/devtools/sysadm/zzz_profile.sh /etc/profile.d/zzz_profile.sh
ln -sf /usr/src/devtools/conf/vimrc /etc/vimrc


  • create /etc/system-full-backup.conf
#bernie: This file MUST have permissions 600
echo "Please configure /etc/system-full-backup.conf and run"
echo "  ssh-copy-id -i /root/.ssh/id_rsa.pub sugarbackup@backup.sugarlabs.org"
echo "then, comment out these lines to enable backups"
exit 1

PASSPHRASE=ChangeMe
TARGET="scp://sugarbackup@backup.sugarlabs.org/backup/`hostname`"
  • Install /root/.ssh/id_rsa.pub key on sugarbackup@backup.sugarlabs.org
ssh-copy-id -i /root/.ssh/id_rsa.pub sugarbackup@backup.sugarlabs.org
  • log in for the first time on backup server to accept ssh fingerprint
ssh sugarbackup@backup.sugarlabs.org
  • create /etc/profile.conf
#SMParrish
HOST_COLOR='\033[1;33m'
HOST_CFLAGS='-march=core2'
HOST_CORES=2
  • Add the machine to /etc/munin/munin.conf on Machine/sunjammer for monitoring.
 [VM Name]
        address vmname.sugarlabs.org
  • Replace sendmail with postfix

Create /etc/postfix/main.cf and paste the following into it replacing template-fedora13 with the new VM name 

smtpd_banner = $myhostname ESMTP $mail_name (Fedora)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

readme_directory = no

# TLS parameters
smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.

#bernie
myhostname = template-fedora13.sugarlabs.org
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination =
       template-fedora13.sugarlabs.org,
       localhost.sugarlabs.org,
       localhost,
       sugarlabs.org
relayhost =

mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
#bernie
home_mailbox = Maildir/

#bernie: as suggested by mostro
smtpd_recipient_restrictions =
        permit_mynetworks
        permit_sasl_authenticated
        reject_unauth_destination
        reject_rbl_client bl.spamcop.net
        reject_rbl_client zen.spamhaus.org
        reject_rbl_client dnsbl.njabl.org
        reject_rbl_client dnsbl.sorbs.net
        reject_rbl_client cbl.abuseat.org
        reject_unknown_recipient_domain
        reject_non_fqdn_recipient
        reject_unlisted_recipient
  • Disable sendmail & enable postfix
service sendmail stop
service postfix start
chkconfig sendmail off
chkconfig postfix on
  • Get all system mail forwarded to the systems-logs@ list
cat >>/etc/aliases <__EOF__
#bernie
root: systems-logs@lists.sugarlabs.org
__EOF__
newaliases


Clone the VM

  • Login to the host system & clone the VM
sudo virt-clone --connect=qemu:///system -o template-fedora13 -n "new VM name" -f /srv/vm/"new VM name".qcow2
  • Start the new VM and make sure it boots (networking probably will not work, we will fix that later)
sudo virsh start --console "new VM name"
  • edit /etc/sysconfig/network and change the hostname
HOSTNAME=newvm.sugarlabs.org
  • Add the hostname to the sugarlabs zone file in the nameservers.
  • Edit network configuration /etc/sysconfig/network-scripts/ifcfg-eth0 to update IPv4 and IPv6 addresses
  • Edit /etc/udeve/rules.d/XX-persistent-net.rules
Remove definition for eth0 it will get regenerated on reboot
  • Reboot the system, when it comes back up networking should work
  • remove old ssh keys & generate new ones
rm -rf /etc/ssh/ssh_host_*

service sshd restart
  • create new key for root
ssh-keygen -N "" -f /root/.ssh/id_rsa -t rsa
  • update /etc/system-full-backup.conf
  • update the motd
vim /etc/motd
  • Add the machine to /etc/munin/munin.conf on Machine/sunjammer for monitoring.

[newvm.sugarlabs.org] 

      address newvm.sugarlabs.org
Retrieved from "https://wiki.sugarlabs.org/index.php?title=Machine/template-fedora13&oldid=65128"