Jump to content

Machine/template-fedora13: Difference between revisions

From Sugar Labs
← Older edit
Smparrish (talk | contribs)
84 edits
No edit summary
No edit summary
 
(11 intermediate revisions by 2 users not shown)
Line 46: Line 46:
  chkconfig network on
  chkconfig network on
  start network
  start network
* Optimize creation of new users
mkdir /etc/skel/.ssh
cat >/etc/skel/.ssh.authorized_keys <<__EOF__
# Place your ssh public keys here, one per line
__EOF__
chmod g-w -R /etc/skel/.ssh


* Create sysadmin accounts:
* Create sysadmin accounts:


mkdir /etc/skel/.ssh
  useradd -c "Bernie Innocenti" -m bernie
  useradd -c "Bernie Innocenti" -m bernie
  cat >>/home/bernie/.ssh/authorized_keys
  cat >>/home/bernie/.ssh/authorized_keys
Line 59: Line 67:
  vigr
  vigr


* Uncomment "%wheel ALL=(ALL) NOPASSWD: ALL" line in sudoers
* Edit sudoers with visudo:
  visudo
** Uncomment "%wheel ALL=(ALL) NOPASSWD: ALL"
** Add these lines
 
#bernie: forward agent
  Defaults env_keep += "SSH_AUTH_SOCK"
 
 
* Switch from serial console to ssh


  ssh root@template-fedora13.sugarlabs.org
  ssh root@template-fedora13.sugarlabs.org
Line 68: Line 83:
  yum install etckeeper bash-completion git-core strace munin-node duplicity postfix vim devtodo man
  yum install etckeeper bash-completion git-core strace munin-node duplicity postfix vim devtodo man


* insert into /etc/munin/munin-node.conf
* Enable etckeeper:
 
etckeeper init
 
* Insert into /etc/munin/munin-node.conf:


  #SMParrish
  #SMParrish
Line 86: Line 105:


  ssh-keygen -N "" -f /root/.ssh/id_rsa -t rsa
  ssh-keygen -N "" -f /root/.ssh/id_rsa -t rsa
* Install our standard scripts
rsync -aP bernie@sunjammer.sugarlabs.org:/usr/src/devtools/ /usr/src/devtools/
ln -sf /usr/src/devtools/sysadm/bashrc.sh /etc/skel/.bashrc
ln -sf /usr/src/devtools/sysadm/bashrc.sh /root/.bashrc
ln -sf /usr/src/devtools/sysadm/zzz_profile.sh /etc/profile.d/zzz_profile.sh
ln -sf /usr/src/devtools/conf/vimrc /etc/vimrc


* create /etc/system-full-backup.conf
* create /etc/system-full-backup.conf
Line 117: Line 145:
   [VM Name]
   [VM Name]
         address vmname.sugarlabs.org
         address vmname.sugarlabs.org
* Replace sendmail with postfix
Create /etc/postfix/main.cf  and paste the following into it replacing template-fedora13 with the new VM name
smtpd_banner = $myhostname ESMTP $mail_name (Fedora)
biff = no
# appending .domain is the MUA's job.
append_dot_mydomain = no
# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h
readme_directory = no
# TLS parameters
smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.
#bernie
myhostname = template-fedora13.sugarlabs.org
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination =
        template-fedora13.sugarlabs.org,
        localhost.sugarlabs.org,
        localhost,
        sugarlabs.org
relayhost =
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
#bernie
home_mailbox = Maildir/
#bernie: as suggested by mostro
smtpd_recipient_restrictions =
        permit_mynetworks
        permit_sasl_authenticated
        reject_unauth_destination
        reject_rbl_client bl.spamcop.net
        reject_rbl_client zen.spamhaus.org
        reject_rbl_client dnsbl.njabl.org
        reject_rbl_client dnsbl.sorbs.net
        reject_rbl_client cbl.abuseat.org
        reject_unknown_recipient_domain
        reject_non_fqdn_recipient
        reject_unlisted_recipient
* Disable sendmail & enable postfix
service sendmail stop
service postfix start
chkconfig sendmail off
chkconfig postfix on
* Get all system mail forwarded to the systems-logs@ list
cat >>/etc/aliases <__EOF__
#bernie
root: systems-logs@lists.sugarlabs.org
__EOF__
newaliases
=== Clone the VM ===
* Login to the host system & clone the VM
sudo virt-clone --connect=qemu:///system -o template-fedora13 -n "new VM name" -f /srv/vm/"new VM name".qcow2
* Start the new VM and make sure it boots (networking probably will not work, we will fix that later)
sudo virsh start --console "new VM name"
* edit /etc/sysconfig/network and change the hostname
HOSTNAME=''newvm''.sugarlabs.org
* Add the hostname to the sugarlabs zone file in the [[Service/Nameservers|nameservers]].
* Edit network configuration /etc/sysconfig/network-scripts/ifcfg-eth0 to update IPv4 and IPv6 addresses
* Edit /etc/udeve/rules.d/XX-persistent-net.rules
Remove definition for eth0 it will get regenerated on reboot
* Reboot the system, when it comes back up networking should work
* remove old ssh keys & generate new ones
rm -rf /etc/ssh/ssh_host_*
service sshd restart
* create new key for root
ssh-keygen -N "" -f /root/.ssh/id_rsa -t rsa
* update /etc/system-full-backup.conf
* update the motd
vim /etc/motd
* Add the machine to /etc/munin/munin.conf on Machine/sunjammer for monitoring.
[''newvm''.sugarlabs.org]
      address ''newvm''.sugarlabs.org

Latest revision as of 13:09, 25 April 2011

Guest installation

qemu-img create -f qcow2 /srv/vm/template-fedora13.qcow2 10G
virt-install -v --accelerate --nographics -x console=ttyS0,115200 \
   --name template-fedora13 --vcpus=4 --ram $((1*1024)) \
   --os-type=linux --os-variant=fedora13 \
   --network bridge:br0 \
   --disk /srv/vm/template-fedora13.qcow2 \
   --location http://download.fedora.redhat.com/pub/fedora/linux/releases/13/Fedora/x86_64/os/
  • In Anaconda, select graphical installation over vnc
  • Layout the disk with a single primary partition for root
  • In package selection, choose "minimal system"

Initial configuration

At the end of installation, boot with: 

virsh start --console template-fedora13
  • Set ssh keys of Sugar Labs sysadmins:
mkdir ~/.ssh
cat >>~/.ssh/authorized_keys
paste keys
  • Configure the SSH daemon:
vi /etc/ssh/sshd_config
  PermitRootLogin yes
  PermitEmptyPasswords no
  PasswordAuthentication no
service sshd restart
setsebool -P ssh_sysadm_login on
  • Put selinux in permissive mode (while we patiently wait for the day in which selinux in Fedora will become sort of usable out of the box without major tweaks):
vi /etc/sysconfig/selinux
  • Remove root password (this lets us login from the console with no password):
vipw -s
  • Enable traditional networking (no NetworkManager nonsense):
chkconfig network on
start network
  • Optimize creation of new users
mkdir /etc/skel/.ssh
cat >/etc/skel/.ssh.authorized_keys <<__EOF__
# Place your ssh public keys here, one per line
__EOF__
chmod g-w -R /etc/skel/.ssh


  • Create sysadmin accounts:
useradd -c "Bernie Innocenti" -m bernie
cat >>/home/bernie/.ssh/authorized_keys
chown -R bernie:bernie /home/bernie/.ssh
...
  • Add users to wheel group (no better way in Fedora?):
vigr
  • Edit sudoers with visudo:
    • Uncomment "%wheel ALL=(ALL) NOPASSWD: ALL"
    • Add these lines
#bernie: forward agent
Defaults env_keep += "SSH_AUTH_SOCK"


  • Switch from serial console to ssh
ssh root@template-fedora13.sugarlabs.org
  • Install a bunch of useful rpms:
yum install etckeeper bash-completion git-core strace munin-node duplicity postfix vim devtodo man
  • Enable etckeeper:
etckeeper init
  • Insert into /etc/munin/munin-node.conf:
#SMParrish
allow ^140\.186\.70\.53$      # sunjammer.sugarlabs.org
allow ^10\.3\.3\.1$           # trinity.trilan
allow ^2001:4830:1100:48::2$  # sunjammer.sugarlabs.org (IPv6)

cd /etc/munin/plugins
rm if_err_eth0 entropy
  • turn on munin-node
chkconfig munin-node on
service munin-node start
  • generate key for root
ssh-keygen -N "" -f /root/.ssh/id_rsa -t rsa
  • Install our standard scripts
rsync -aP bernie@sunjammer.sugarlabs.org:/usr/src/devtools/ /usr/src/devtools/
ln -sf /usr/src/devtools/sysadm/bashrc.sh /etc/skel/.bashrc
ln -sf /usr/src/devtools/sysadm/bashrc.sh /root/.bashrc
ln -sf /usr/src/devtools/sysadm/zzz_profile.sh /etc/profile.d/zzz_profile.sh
ln -sf /usr/src/devtools/conf/vimrc /etc/vimrc


  • create /etc/system-full-backup.conf
#bernie: This file MUST have permissions 600
echo "Please configure /etc/system-full-backup.conf and run"
echo "  ssh-copy-id -i /root/.ssh/id_rsa.pub sugarbackup@backup.sugarlabs.org"
echo "then, comment out these lines to enable backups"
exit 1

PASSPHRASE=ChangeMe
TARGET="scp://sugarbackup@backup.sugarlabs.org/backup/`hostname`"
  • Install /root/.ssh/id_rsa.pub key on sugarbackup@backup.sugarlabs.org
ssh-copy-id -i /root/.ssh/id_rsa.pub sugarbackup@backup.sugarlabs.org
  • log in for the first time on backup server to accept ssh fingerprint
ssh sugarbackup@backup.sugarlabs.org
  • create /etc/profile.conf
#SMParrish
HOST_COLOR='\033[1;33m'
HOST_CFLAGS='-march=core2'
HOST_CORES=2
  • Add the machine to /etc/munin/munin.conf on Machine/sunjammer for monitoring.
 [VM Name]
        address vmname.sugarlabs.org
  • Replace sendmail with postfix

Create /etc/postfix/main.cf and paste the following into it replacing template-fedora13 with the new VM name 

smtpd_banner = $myhostname ESMTP $mail_name (Fedora)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

readme_directory = no

# TLS parameters
smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.

#bernie
myhostname = template-fedora13.sugarlabs.org
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination =
       template-fedora13.sugarlabs.org,
       localhost.sugarlabs.org,
       localhost,
       sugarlabs.org
relayhost =

mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
#bernie
home_mailbox = Maildir/

#bernie: as suggested by mostro
smtpd_recipient_restrictions =
        permit_mynetworks
        permit_sasl_authenticated
        reject_unauth_destination
        reject_rbl_client bl.spamcop.net
        reject_rbl_client zen.spamhaus.org
        reject_rbl_client dnsbl.njabl.org
        reject_rbl_client dnsbl.sorbs.net
        reject_rbl_client cbl.abuseat.org
        reject_unknown_recipient_domain
        reject_non_fqdn_recipient
        reject_unlisted_recipient
  • Disable sendmail & enable postfix
service sendmail stop
service postfix start
chkconfig sendmail off
chkconfig postfix on
  • Get all system mail forwarded to the systems-logs@ list
cat >>/etc/aliases <__EOF__
#bernie
root: systems-logs@lists.sugarlabs.org
__EOF__
newaliases


Clone the VM

  • Login to the host system & clone the VM
sudo virt-clone --connect=qemu:///system -o template-fedora13 -n "new VM name" -f /srv/vm/"new VM name".qcow2
  • Start the new VM and make sure it boots (networking probably will not work, we will fix that later)
sudo virsh start --console "new VM name"
  • edit /etc/sysconfig/network and change the hostname
HOSTNAME=newvm.sugarlabs.org
  • Add the hostname to the sugarlabs zone file in the nameservers.
  • Edit network configuration /etc/sysconfig/network-scripts/ifcfg-eth0 to update IPv4 and IPv6 addresses
  • Edit /etc/udeve/rules.d/XX-persistent-net.rules
Remove definition for eth0 it will get regenerated on reboot
  • Reboot the system, when it comes back up networking should work
  • remove old ssh keys & generate new ones
rm -rf /etc/ssh/ssh_host_*

service sshd restart
  • create new key for root
ssh-keygen -N "" -f /root/.ssh/id_rsa -t rsa
  • update /etc/system-full-backup.conf
  • update the motd
vim /etc/motd
  • Add the machine to /etc/munin/munin.conf on Machine/sunjammer for monitoring.

[newvm.sugarlabs.org] 

      address newvm.sugarlabs.org
Retrieved from "https://wiki.sugarlabs.org/index.php?title=Machine/template-fedora13&oldid=65128"