Line 19: |
Line 19: |
| virsh start --console template-fedora13 | | virsh start --console template-fedora13 |
| | | |
− | # set ssh keys of Sugar Labs sysadmins
| + | * Set ssh keys of Sugar Labs sysadmins: |
| + | |
| mkdir ~/.ssh | | mkdir ~/.ssh |
| cat >>~/.ssh/authorized_keys | | cat >>~/.ssh/authorized_keys |
| paste keys | | paste keys |
| + | |
| + | * Configure the SSH daemon: |
| | | |
| vi /etc/ssh/sshd_config | | vi /etc/ssh/sshd_config |
− | PermitRootLogin yes
| + | PermitRootLogin yes |
− | PermitEmptyPasswords no
| + | PermitEmptyPasswords no |
− | PasswordAuthentication no
| + | PasswordAuthentication no |
| service sshd restart | | service sshd restart |
| setsebool -P ssh_sysadm_login on | | setsebool -P ssh_sysadm_login on |
| | | |
− | # Put selinux in permissive mode
| + | * Put selinux in permissive mode (while we patiently wait for the day in which selinux in Fedora will become sort of usable out of the box without major tweaks): |
− | # while we patiently wait for the day in which selinux in Fedora will become
| + | |
− | # sort of usable out of the box without major tweaks.
| |
| vi /etc/sysconfig/selinux | | vi /etc/sysconfig/selinux |
| | | |
− | # remove root password
| + | * Remove root password (this lets us login from the console with no password): |
| + | |
| vipw -s | | vipw -s |
| | | |
− | # enable networking
| + | * Enable traditional networking (no NetworkManager nonsense): |
| + | |
| chkconfig network on | | chkconfig network on |
| start network | | start network |
| | | |
− | # Create sysadmin accounts
| + | * Optimize creation of new users |
| + | |
| mkdir /etc/skel/.ssh | | mkdir /etc/skel/.ssh |
| + | cat >/etc/skel/.ssh.authorized_keys <<__EOF__ |
| + | # Place your ssh public keys here, one per line |
| + | __EOF__ |
| + | chmod g-w -R /etc/skel/.ssh |
| + | |
| + | |
| + | * Create sysadmin accounts: |
| + | |
| useradd -c "Bernie Innocenti" -m bernie | | useradd -c "Bernie Innocenti" -m bernie |
| cat >>/home/bernie/.ssh/authorized_keys | | cat >>/home/bernie/.ssh/authorized_keys |
Line 50: |
Line 63: |
| ... | | ... |
| | | |
− | # add users to wheel group
| + | * Add users to wheel group (no better way in Fedora?): |
| + | |
| vigr | | vigr |
| | | |
− | # uncomment "%wheel ALL=(ALL) NOPASSWD: ALL" line in sudoers
| + | * Edit sudoers with visudo: |
− | visudo | + | ** Uncomment "%wheel ALL=(ALL) NOPASSWD: ALL" |
| + | ** Add these lines |
| + | |
| + | #bernie: forward agent |
| + | Defaults env_keep += "SSH_AUTH_SOCK" |
| + | |
| + | |
| + | * Switch from serial console to ssh |
| | | |
| ssh root@template-fedora13.sugarlabs.org | | ssh root@template-fedora13.sugarlabs.org |
| | | |
− | # install a bunch of useful packages
| + | * Install a bunch of useful rpms: |
| + | |
| yum install etckeeper bash-completion git-core strace munin-node duplicity postfix vim devtodo man | | yum install etckeeper bash-completion git-core strace munin-node duplicity postfix vim devtodo man |
| + | |
| + | * Enable etckeeper: |
| + | |
| + | etckeeper init |
| + | |
| + | * Insert into /etc/munin/munin-node.conf: |
| + | |
| + | #SMParrish |
| + | allow ^140\.186\.70\.53$ # sunjammer.sugarlabs.org |
| + | allow ^10\.3\.3\.1$ # trinity.trilan |
| + | allow ^2001:4830:1100:48::2$ # sunjammer.sugarlabs.org (IPv6) |
| + | |
| + | cd /etc/munin/plugins |
| + | rm if_err_eth0 entropy |
| + | |
| + | * turn on munin-node |
| + | |
| + | chkconfig munin-node on |
| + | service munin-node start |
| + | |
| + | * generate key for root |
| + | |
| + | ssh-keygen -N "" -f /root/.ssh/id_rsa -t rsa |
| + | |
| + | * Install our standard scripts |
| + | |
| + | rsync -aP bernie@sunjammer.sugarlabs.org:/usr/src/devtools/ /usr/src/devtools/ |
| + | ln -sf /usr/src/devtools/sysadm/bashrc.sh /etc/skel/.bashrc |
| + | ln -sf /usr/src/devtools/sysadm/bashrc.sh /root/.bashrc |
| + | ln -sf /usr/src/devtools/sysadm/zzz_profile.sh /etc/profile.d/zzz_profile.sh |
| + | ln -sf /usr/src/devtools/conf/vimrc /etc/vimrc |
| + | |
| + | |
| + | * create /etc/system-full-backup.conf |
| + | |
| + | #bernie: This file MUST have permissions 600 |
| + | echo "Please configure /etc/system-full-backup.conf and run" |
| + | echo " ssh-copy-id -i /root/.ssh/id_rsa.pub sugarbackup@backup.sugarlabs.org" |
| + | echo "then, comment out these lines to enable backups" |
| + | exit 1 |
| + | |
| + | PASSPHRASE=ChangeMe |
| + | TARGET="scp://sugarbackup@backup.sugarlabs.org/backup/`hostname`" |
| + | |
| + | * Install /root/.ssh/id_rsa.pub key on sugarbackup@backup.sugarlabs.org |
| + | |
| + | ssh-copy-id -i /root/.ssh/id_rsa.pub sugarbackup@backup.sugarlabs.org |
| + | |
| + | * log in for the first time on backup server to accept ssh fingerprint |
| + | |
| + | ssh sugarbackup@backup.sugarlabs.org |
| + | |
| + | * create /etc/profile.conf |
| + | |
| + | #SMParrish |
| + | HOST_COLOR='\033[1;33m' |
| + | HOST_CFLAGS='-march=core2' |
| + | HOST_CORES=2 |
| + | |
| + | * Add the machine to /etc/munin/munin.conf on Machine/sunjammer for monitoring. |
| + | |
| + | [VM Name] |
| + | address vmname.sugarlabs.org |
| + | |
| + | * Replace sendmail with postfix |
| + | |
| + | Create /etc/postfix/main.cf and paste the following into it replacing template-fedora13 with the new VM name |
| + | |
| + | smtpd_banner = $myhostname ESMTP $mail_name (Fedora) |
| + | biff = no |
| + | |
| + | # appending .domain is the MUA's job. |
| + | append_dot_mydomain = no |
| + | |
| + | # Uncomment the next line to generate "delayed mail" warnings |
| + | #delay_warning_time = 4h |
| + | |
| + | readme_directory = no |
| + | |
| + | # TLS parameters |
| + | smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem |
| + | smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key |
| + | smtpd_use_tls=yes |
| + | smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache |
| + | smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache |
| + | |
| + | # See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for |
| + | # information on enabling SSL in the smtp client. |
| + | |
| + | #bernie |
| + | myhostname = template-fedora13.sugarlabs.org |
| + | alias_maps = hash:/etc/aliases |
| + | alias_database = hash:/etc/aliases |
| + | myorigin = /etc/mailname |
| + | mydestination = |
| + | template-fedora13.sugarlabs.org, |
| + | localhost.sugarlabs.org, |
| + | localhost, |
| + | sugarlabs.org |
| + | relayhost = |
| + | |
| + | mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 |
| + | mailbox_size_limit = 0 |
| + | recipient_delimiter = + |
| + | inet_interfaces = all |
| + | #bernie |
| + | home_mailbox = Maildir/ |
| + | |
| + | #bernie: as suggested by mostro |
| + | smtpd_recipient_restrictions = |
| + | permit_mynetworks |
| + | permit_sasl_authenticated |
| + | reject_unauth_destination |
| + | reject_rbl_client bl.spamcop.net |
| + | reject_rbl_client zen.spamhaus.org |
| + | reject_rbl_client dnsbl.njabl.org |
| + | reject_rbl_client dnsbl.sorbs.net |
| + | reject_rbl_client cbl.abuseat.org |
| + | reject_unknown_recipient_domain |
| + | reject_non_fqdn_recipient |
| + | reject_unlisted_recipient |
| + | |
| + | * Disable sendmail & enable postfix |
| + | |
| + | service sendmail stop |
| + | service postfix start |
| + | chkconfig sendmail off |
| + | chkconfig postfix on |
| + | |
| + | * Get all system mail forwarded to the systems-logs@ list |
| + | |
| + | cat >>/etc/aliases <__EOF__ |
| + | #bernie |
| + | root: systems-logs@lists.sugarlabs.org |
| + | __EOF__ |
| + | newaliases |
| + | |
| + | |
| + | === Clone the VM === |
| + | |
| + | * Login to the host system & clone the VM |
| + | |
| + | sudo virt-clone --connect=qemu:///system -o template-fedora13 -n "new VM name" -f /srv/vm/"new VM name".qcow2 |
| + | |
| + | * Start the new VM and make sure it boots (networking probably will not work, we will fix that later) |
| + | |
| + | sudo virsh start --console "new VM name" |
| + | |
| + | * edit /etc/sysconfig/network and change the hostname |
| + | |
| + | HOSTNAME=''newvm''.sugarlabs.org |
| + | |
| + | * Add the hostname to the sugarlabs zone file in the [[Service/Nameservers|nameservers]]. |
| + | |
| + | * Edit network configuration /etc/sysconfig/network-scripts/ifcfg-eth0 to update IPv4 and IPv6 addresses |
| + | |
| + | * Edit /etc/udeve/rules.d/XX-persistent-net.rules |
| + | |
| + | Remove definition for eth0 it will get regenerated on reboot |
| + | |
| + | * Reboot the system, when it comes back up networking should work |
| + | |
| + | * remove old ssh keys & generate new ones |
| + | |
| + | rm -rf /etc/ssh/ssh_host_* |
| + | |
| + | service sshd restart |
| + | |
| + | * create new key for root |
| + | |
| + | ssh-keygen -N "" -f /root/.ssh/id_rsa -t rsa |
| + | |
| + | * update /etc/system-full-backup.conf |
| + | |
| + | * update the motd |
| + | |
| + | vim /etc/motd |
| + | |
| + | * Add the machine to /etc/munin/munin.conf on Machine/sunjammer for monitoring. |
| + | |
| + | [''newvm''.sugarlabs.org] |
| + | address ''newvm''.sugarlabs.org |
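Review bot: The alias append `cat >>/etc/aliases <__EOF__` uses a single `<`, so the shell tries to read a file named `__EOF__` instead of the here-document and `/etc/aliases` never receives the `root:` entry; it should be `cat >>/etc/aliases <<__EOF__`, as the earlier skel example is written. That earlier example has its own path defect: `cat >/etc/skel/.ssh.authorized_keys` creates a file beside the `.ssh` directory rather than inside it, so the following `chmod g-w -R /etc/skel/.ssh` never covers it — the target should be `/etc/skel/.ssh/authorized_keys`. The remark `#bernie: This file MUST have permissions 600` for `/etc/system-full-backup.conf` is not enforced by any command even though the file holds `PASSPHRASE`; add `chmod 600 /etc/system-full-backup.conf` right after it is created. Two smaller points: `/etc/udeve/rules.d/` looks like a typo for `/etc/udev/rules.d/`, and the certificate paths `/etc/ssl/certs/ssl-cert-snakeoil.pem` and `/etc/ssl/private/ssl-cert-snakeoil.key` appear to come from Debian's ssl-cert package and are likely absent on Fedora, which would leave `smtpd_use_tls=yes` pointing at missing files.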