Difference between revisions of "Xen2 Setup Process"

From CSLabsWiki

m (Added Custom PATH Variables)
(39 intermediate revisions by one other user not shown)

Line 1: Line 1:
+ {{archived}}
+
  This page summarizes how [[Xen2]] was set up in Spring 2009.
Line 4: Line 6:
  *Installed CentOS 5.3 x64 with Virtualization Support.
  **Partition Scheme
+ ***100 MB /boot - Software RAID 1
− ***
+ ***73 GB root_lvg - Logical Volume Group Software RAID 1
− ***
+ ****59 GB / (root_lvg-root_lv)
− ***
+ ****4 GB /var (root_lvg-var_lv)
+ ****10 GB swap (root_lvg-swap_lv)
+ ***452 GB /xen - Software RAID 1
+
+ ===Kickstart File===
+ <code><pre>
+ # Kickstart file automatically generated by anaconda.
+
+ install
+ cdrom
+ lang en_US.UTF-8
+ keyboard us
+ network --device eth0 --bootproto static --ip 128.153.145.42 --netmask 255.255.255.0 --gateway 128.153.145.1 --nameserver 128.153.0.254,128.153.5.254 --hostname xen2
+ network --device eth1 --bootproto static --ip 10.0.1.38 --netmask 255.255.255.0 --gateway 128.153.145.1 --nameserver 128.153.0.254,128.153.5.254 --hostname xen2
+ network --device eth2 --bootproto static --ip 10.0.0.17 --netmask 255.255.255.0 --gateway 128.153.145.1 --nameserver 128.153.0.254,128.153.5.254 --hostname xen2
+ rootpw --iscrypted ENCRYPTED-PASSWORD-GOES-HERE
+ firewall --enabled --port=22:tcp
+ authconfig --enableshadow --enablemd5
+ selinux --enforcing
+ timezone --utc America/New_York
+ bootloader --location=partition --driveorder=sda,sdb,sdc,sdd --md5pass=ENCRYPTED-PASSWORD-GOES-HERE
+ # The following is the partition information you requested
+ # Note that any partitions you deleted are not expressed
+ # here so unless you clear all partitions first, this is
+ # not guaranteed to work
+ clearpart --linux
+ part raid.16 --size=100 --ondisk=sda
+ part raid.19 --size=100 --ondisk=sdb
+ part raid.20 --size=100 --grow --ondisk=sdd
+ part raid.18 --size=100 --grow --ondisk=sdb
+ part raid.17 --size=100 --grow --ondisk=sda
+ part raid.14 --size=100 --grow --ondisk=sdc
+ raid /boot --fstype ext3 --level=RAID1 --device=md0 raid.16 raid.19
+ raid pv.22 --fstype "physical volume (LVM)" --level=RAID1 --device=md1 raid.17 raid.18
+ raid /xen --fstype ext3 --level=RAID1 --device=md2 raid.14 raid.20
+ volgroup root_lvg --pesize=32768 pv.22
+ logvol / --fstype ext3 --name=root_lv --vgname=root_lvg --size=61856
+ logvol swap --fstype swap --name=swap_lv --vgname=root_lvg --size=10240
+ logvol /var --fstype ext3 --name=var_lv --vgname=root_lvg --size=4096
+
+ %packages
+ @virtualization
+ @core
+ @base
+ bridge-utils
+ device-mapper-multipath
+ -gnome-applet-vm
+ -NetworkManager
+ -bluez-utils
+ </pre></code>
  
  ==Configuration==
− ===Updated VM===
+ ===Updated System===
− *Added RPMForge Yum Repository
+ *Added Extra Repositories
+ **RPMForge Yum Repository
− **<code>rpm -Uhv http://apt.sw.be/redhat/el5/en/x86_64/rpmforge/RPMS//rpmforge-release-0.3.6-1.el5.rf.x86_64.rpm</code>
+ ***<code>rpm -Uhv http://apt.sw.be/redhat/el5/en/x86_64/rpmforge/RPMS//rpmforge-release-0.3.6-1.el5.rf.x86_64.rpm</code>
− ***From [http://dag.wieers.com/rpm/FAQ.php#B2 Dag Wieers]
+ ****From [http://dag.wieers.com/rpm/FAQ.php#B2 Dag Wieers]
+ **Fedora EPEL Yum Repository
+ ***<code>rpm -Uvh http://download.fedora.redhat.com/pub/epel/5/x86_64/epel-release-5-3.noarch.rpm</code>
+ ****From [http://download.fedora.redhat.com/pub/epel/5/x86_64/repoview/epel-release.html Fedora]
+
+ *Configured Yum Priorities & to use our mirror
+ **Edited <code>/etc/yum.repos.d/CentOS-Base.repo</code>
+ <code><pre>
+ # CentOS-Base.repo
+ #
+ # This file uses a new mirrorlist system developed by Lance Davis for CentOS.
+ # The mirror system uses the connecting IP address of the client and the
+ # update status of each mirror to pick mirrors that are updated to and
+ # geographically close to the client. You should use this for CentOS updates
+ # unless you are manually picking other mirrors.
+ #
+ # If the mirrorlist= does not work for you, as a fall back you can try the
+ # remarked out baseurl= line instead.
+ #
+ #
+
+ [base]
+ name=CentOS-$releasever - Base
+ #mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=os
+ baseurl=http://mirror.clarkson.edu/centos/$releasever/os/$basearch/
+ gpgcheck=1
+ gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5
+ priority=1
+
+ #released updates
+ [updates]
+ name=CentOS-$releasever - Updates
+ #mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=updates
+ baseurl=http://mirror.clarkson.edu/centos/$releasever/updates/$basearch/
+ gpgcheck=1
+ gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5
+ priority=1
+
+ #packages used/produced in the build but not released
+ [addons]
+ name=CentOS-$releasever - Addons
+ #mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=addons
+ baseurl=http://mirror.clarkson.edu/centos/$releasever/addons/$basearch/
+ gpgcheck=1
+ gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5
+ priority=1
+
+ #additional packages that may be useful
+ [extras]
+ name=CentOS-$releasever - Extras
+ #mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=extras
+ baseurl=http://mirror.clarkson.edu/centos/$releasever/extras/$basearch/
+ gpgcheck=1
+ gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5
+ priority=1
+
+ #additional packages that extend functionality of existing packages
+ [centosplus]
+ name=CentOS-$releasever - Plus
+ #mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=centosplus
+ baseurl=http://mirror.clarkson.edu/centos/$releasever/centosplus/$basearch/
+ gpgcheck=1
+ enabled=0
+ gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5
+ priority=2
+
+ #contrib - packages by Centos Users
+ [contrib]
+ name=CentOS-$releasever - Contrib
+ #mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=contrib
+ baseurl=http://mirror.clarkson.edu/centos/$releasever/contrib/$basearch/
+ gpgcheck=1
+ enabled=0
+ gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5
+ priority=2
+ </pre></code>
+
+ **Edited <code>/etc/yum.repos.d/rpmforge.repo</code>
+ <code><pre>
+ # Name: RPMforge RPM Repository for Red Hat Enterprise 5 - dag
+ # URL: http://rpmforge.net/
+ [rpmforge]
+ name = Red Hat Enterprise $releasever - RPMforge.net - dag
+ baseurl = http://mirror.clarkson.edu/rpmforge/redhat/el5/en/$basearch/dag
+ #mirrorlist = http://apt.sw.be/redhat/el5/en/mirrors-rpmforge
+ #mirrorlist = file:///etc/yum.repos.d/mirrors-rpmforge
+ enabled = 1
+ gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-rpmforge-dag
+ gpgcheck = 1
+ priority=15
+ </pre></code>
+
+ **Edited <code>/etc/yum.repos.d/epel.repo</code>
+ <code><pre>
+ [epel]
+ name=Extra Packages for Enterprise Linux 5 - $basearch
+ baseurl=http://mirror.clarkson.edu/epel/5/$basearch
+ #mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=epel-5&arch=$basearch
+ failovermethod=priority
+ enabled=1
+ gpgcheck=1
+ gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL
+ priority=30
+
+ [epel-debuginfo]
+ name=Extra Packages for Enterprise Linux 5 - $basearch - Debug
+ baseurl=http://mirror.clarkson.edu/epel/5/$basearch/debug
+ #mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=epel-debug-5&arch=$basearch
+ failovermethod=priority
+ enabled=0
+ gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL
+ gpgcheck=1
+ priority=30
+
+ [epel-source]
+ name=Extra Packages for Enterprise Linux 5 - $basearch - Source
+ baseurl=http://mirror.clarkson.edu/epel/5/SRPMS
+ #mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=epel-source-5&arch=$basearch
+ failovermethod=priority
+ enabled=0
+ gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL
+ gpgcheck=1
+ priority=30
+ </pre></code>
+
+ **Edited <code>/etc/yum.repos.d/epel-testing.repo</code>
+ <code><pre>
+ [epel-testing]
+ name=Extra Packages for Enterprise Linux 5 - Testing - $basearch
+ baseurl=http://mirror.clarkson.edu/epel/testing/5/$basearch
+ #mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=testing-epel5&arch=$basearch
+ failovermethod=priority
+ enabled=0
+ gpgcheck=1
+ gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL
+ priority=40
+
+ [epel-testing-debuginfo]
+ name=Extra Packages for Enterprise Linux 5 - Testing - $basearch - Debug
+ baseurl=http://mirror.clarkson.edu/epel/testing/5/$basearch/debug
+ #mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=testing-debug-epel5&arch=$basearch
+ failovermethod=priority
+ enabled=0
+ gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL
+ gpgcheck=1
+ priority=40
+
+ [epel-testing-source]
+ name=Extra Packages for Enterprise Linux 5 - Testing - $basearch - Source
+ baseurl=http://mirror.clarkson.edu/epel/testing/5/SRPMS
+ #mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=testing-source-epel5&arch=$basearch
+ failovermethod=priority
+ enabled=0
+ gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL
+ gpgcheck=1
+ priority=40
+ </pre></code>
+
+ *Disabled Yum FastestMirror since using local mirror
+ **<code>sed -i 's/enabled=1/enabled=0/g' /etc/yum/pluginconf.d/fastestmirror.conf</code>
+
+ *Installed Yum Priorities (Note: This must be installed prior to installing the packages below.)
+ **<code>yum install yum-priorities</code>
+
+ *Configured Yum Priorities to check for obsoletes
+ **<code>echo "check_obsoletes=1" >> /etc/yum/pluginconf.d/priorities.conf</code>
  
− *<code>yum install yum-fastestmirror vim-enhanced gcc emacs-nox screen</code>
+ *<code>yum install vim-enhanced gcc emacs-nox screen pwgen dialog</code>
  
  *<code>yum update</code>
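Review bot: the `rpm -Uhv` and `rpm -Uvh` lines that install rpmforge-release-0.3.6-1.el5.rf and epel-release-5-3 straight from http:// URLs pull in the -release packages, and with them the GPG keys that every later `gpgcheck=1` in this hunk depends on, without any check on the package itself, so the trust chain for both repositories starts from an unauthenticated download; suggest downloading each release RPM, importing the vendor key obtained from the linked Dag Wieers and Fedora pages, and verifying with `rpm -K` before the upgrade. Two smaller points in the same hunk: `authconfig --enableshadow --enablemd5` selects MD5 password hashing, and `--passalgo=sha512` is the stronger choice where the installer's authconfig accepts it; and the eth1/eth2 `network` lines repeat `--gateway 128.153.145.1`, which is not on the 10.0.1.0/24 or 10.0.0.0/24 subnets those interfaces are given, so it is best dropped from them.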
   
Line 75: Line 293:
  root ALL=(ALL) ALL
  %wheel ALL=(ALL) ALL
− %admins localhost=/sbin/shutdown -h now
+ %admins ALL=(root) ALL, !SHELLS
− %admins ALL=/usr/sbin/xm
+ %xenadmins ALL=/usr/sbin/xm
  </pre></code>
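Review bot: `%admins ALL=(root) ALL, !SHELLS` is not an effective restriction: sudoers(5) warns that subtracting commands from ALL with `!` cannot be relied on, because the excluded programs stay reachable under another name or through any allowed command that can spawn a shell, so in practice this line grants ALL with a misleading appearance of limitation. Suggest inverting it into a positive grant assembled from the Cmnd_Alias entries already defined in this file (SERVICES, SOFTWARE, PROCESSES and so on), with `%xenadmins ALL=/usr/sbin/xm` as the model for a narrow rule.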
   
Line 84: Line 302:
  NETWORKING=yes
  NETWORKING_IPV6=no
− HOSTNAME=xen2.cslabs.clarkson.edu
+ HOSTNAME=xen2
  GATEWAY=128.153.145.1
  </pre></code>
Line 152: Line 370:
  (vif-script vif-bridge)
  
− (dom0-min-mem 256)
+ (dom0-min-mem 512)
  
  (dom0-cpus 0)
  
  (vncpasswd '')
+
+ (keymap 'en-us')
  </pre></code>
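Review bot: `(vncpasswd '')` in the unchanged context leaves guest VNC consoles without a password; since xend-config.sxp is being edited here anyway for `(dom0-min-mem 512)` and `(keymap 'en-us')`, set a password and keep `(vnc-listen '127.0.0.1')` so consoles are only reachable through an SSH tunnel, which matches the 22/tcp-only firewall rule in the kickstart.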
   
Line 163: Line 383:
  <code><pre>
  127.0.0.1 localhost.localdomain localhost
− ::1 localhost6.localdomain6 localhost6
−
  128.153.145.42 xen2.cslabs.clarkson.edu xen2.cslabs xen2
  10.0.1.38 xen2.sr.cslabs.clarkson.edu xen2.sr.cslabs xen2.sr
  10.0.0.17 xen2.int.cslabs.clarkson.edu xen2.int.cslabs xen2.int
+ </pre></code>
+
+ *Edited <code>/etc/hosts.allow</code>
+ <code><pre>
+ For security purposes, this information has been intentionally left off.
+ </pre></code>
+
+ *Edited <code>/etc/hosts.deny</code>
+ <code><pre>
+ ALL: ALL
  </pre></code>
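Review bot: `ALL: ALL` in hosts.deny is a sound default-deny, but the redacted hosts.allow must carry an `sshd:` entry for the admin networks before this is applied, or remote administration is cut off the moment the change takes effect; tcp_wrappers also only governs daemons linked against libwrap (sshd among them), so it complements rather than replaces the packet filter opened for 22/tcp in the kickstart. Dropping the `::1 localhost6` entry is consistent with the IPv6 disable later in this revision.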
   
Line 172: Line 401:
  *Edited <code>/etc/resolv.conf</code>
  <code><pre>
− search clarkson.edu
+ search cslabs.clarkson.edu clarkson.edu
− nameserver 128.153.0.254
+ nameserver 128.153.145.3
− nameserver 128.153.5.254
+ nameserver 128.153.145.4
+ </pre></code>
+
+ ====Disabled IP v6====
+ *Appended the following to <code>/etc/modprobe.conf</code>
+ <code><pre>
+ install ipv6 /bin/true
+ </pre></code>
+ *Disabled IP v6 firewall
+ **<code>/sbin/chkconfig ip6tables off</code>
+
+ ===Configured dom0 memory===
+ *Due to a networking issue that arose on one of our dom0s (see [http://lists.xensource.com/archives/html/xen-users/2007-01/msg00430.html Bug Report]), the memory allocated to the dom0 memory needed to be set.
+ **Edited <code>/boot/grub/menu.lst</code> and modified the kernel option
+ <code><pre>
+ kernel /xen.gz-2.6.18-128.1.10.el5 dom0_mem=512M
+ </pre></code>
+
+ ===Configured Automatic Starting of Xen Images===
+ *Removed <code>/etc/xen/auto/</code>
+ <code><pre>
+ rmdir /etc/xen/auto/
+ </pre></code>
+
+ *Created Symbolic Link to <code>/xen/confs</code>
+ <code><pre>
+ ln -s /xen/confs/ /etc/xen/auto
  </pre></code>
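Review bot: `ln -s /xen/confs/ /etc/xen/auto` turns every file in /xen/confs into a domain that xendomains starts at boot, so the ownership and mode of that directory decide who can add a guest to the boot sequence; document next to this step that /xen/confs is root-owned and neither group- nor world-writable. The `dom0_mem=512M` kernel argument agrees with the `(dom0-min-mem 512)` change earlier in this diff, which is good.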
   
Line 269: Line 524:
  
  *Configured ntpd to start on boot
− **<code>/sbin/chkconfig --levels 35 ntpd on</code>
+ **<code>/sbin/chkconfig --levels 2345 ntpd on</code>
  
  *Started ntpd
Line 349: Line 604:
  NETSERVER on
  
− NISIP 127.0.0.1
+ NISIP 0.0.0.0
  
  NISPORT 3551
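Review bot: `NISIP 0.0.0.0` moves the apcupsd status service (`NISPORT 3551`) from loopback to every interface, including the public 128.153.145.42; if other hosts need to poll the UPS, bind it to the internal address instead (10.0.0.17 or 10.0.1.38 as assigned in the kickstart) and leave 3551/tcp out of the public firewall rule, which currently opens only 22/tcp.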
Line 372: Line 627:
  </pre></code>
− *Edited <code>/etc/apcupsd/offbattery</code>
+ *Configured <code>apcupsd</code> to start on boot
+ **<code>/sbin/chkconfig --levels 2345 apcupsd on</code>
+
+ *Started <code>apcupsd</code>
+ **<code>/etc/init.d/apcupsd start</code>
+
+ ====Configured Xen Domains to Shutdown on System Shutdown====
+ *Edited the following lines in <code>/etc/sysconfig/xendomains</code>
  <code><pre>
+ XENDOMAINS_SAVE=""
− #!/bin/sh
− #
− # This shell script if placed in /etc/apcupsd
− # will be called by /etc/apcupsd/apccontrol when the
− # UPS goes back on to the mains after a power failure.
− # We send an email message to root to notify him.
− #
− SYSADMIN=mccarrms@gmail.com,emergency@cslabs.clarkson.edu
− APCUPSD_MAIL="/bin/mail"
  
+ XENDOMAINS_RESTORE=false
− HOSTNAME=`hostname`
− MSG="$HOSTNAME Power has returned"
− #
− (
− echo "Subject: $MSG"
− echo " "
− echo "$MSG"
− echo " "
− /sbin/apcaccess status
− ) | $APCUPSD_MAIL -s "$MSG" $SYSADMIN
− exit 0
−
  </pre></code>
  
+ ===Installed Debootstrap===
− *Edited <code>/etc/apcupsd/onbattery</code>
+ *<code>yum install debootstrap</code>
+
+ ===Configured Aliases===
+ *Edited <code>/etc/aliases</code>
  <code><pre>
− #!/bin/sh
  #
+ # Aliases in this file will NOT be expanded in the header from
− # This shell script if placed in /etc/apcupsd
+ # Mail, but WILL be visible over networks or from /bin/mail.
− # will be called by /etc/apcupsd/apccontrol when the UPS
− # goes on batteries.
− # We send an email message to root to notify him.
  #
+ # >>>>>>>>>> The program "newaliases" must be run after
− SYSADMIN=mccarrms@gmail.com,emergency@cslabs.clarkson.edu
+ # >> NOTE >> this file is updated for any changes to
− APCUPSD_MAIL="/bin/mail"
+ # >>>>>>>>>> show through to sendmail.
+ #
+
+ # Basic system aliases -- these MUST be present.
+ mailer-daemon: postmaster
+ postmaster: logwatch@cslabs.clarkson.edu
  
+ # General redirections for pseudo accounts.
− HOSTNAME=`hostname`
+ bin: logwatch@cslabs.clarkson.edu
− MSG="$HOSTNAME Power Failure !!!"
+ daemon: logwatch@cslabs.clarkson.edu
− #
+ adm: logwatch@cslabs.clarkson.edu
− (
+ lp: logwatch@cslabs.clarkson.edu
− echo "Subject: $MSG"
+ sync: logwatch@cslabs.clarkson.edu
− echo " "
+ shutdown: logwatch@cslabs.clarkson.edu
− echo "$MSG"
+ halt: logwatch@cslabs.clarkson.edu
− echo " "
+ mail: logwatch@cslabs.clarkson.edu
− /sbin/apcaccess status
+ news: logwatch@cslabs.clarkson.edu
− ) | $APCUPSD_MAIL -s "$MSG" $SYSADMIN
+ uucp: logwatch@cslabs.clarkson.edu
− exit 0
+ operator: logwatch@cslabs.clarkson.edu
+ games: logwatch@cslabs.clarkson.edu
+ gopher: logwatch@cslabs.clarkson.edu
+ ftp: logwatch@cslabs.clarkson.edu
+ nobody: logwatch@cslabs.clarkson.edu
+ radiusd: logwatch@cslabs.clarkson.edu
+ nut: logwatch@cslabs.clarkson.edu
+ dbus: logwatch@cslabs.clarkson.edu
+ vcsa: logwatch@cslabs.clarkson.edu
+ canna: logwatch@cslabs.clarkson.edu
+ wnn: logwatch@cslabs.clarkson.edu
+ rpm: logwatch@cslabs.clarkson.edu
+ nscd: logwatch@cslabs.clarkson.edu
+ pcap: logwatch@cslabs.clarkson.edu
+ apache: logwatch@cslabs.clarkson.edu
+ webalizer: logwatch@cslabs.clarkson.edu
+ dovecot: logwatch@cslabs.clarkson.edu
+ fax: logwatch@cslabs.clarkson.edu
+ quagga: logwatch@cslabs.clarkson.edu
+ radvd: logwatch@cslabs.clarkson.edu
+ pvm: logwatch@cslabs.clarkson.edu
+ amanda: logwatch@cslabs.clarkson.edu
+ privoxy: logwatch@cslabs.clarkson.edu
+ ident: logwatch@cslabs.clarkson.edu
+ named: logwatch@cslabs.clarkson.edu
+ xfs: logwatch@cslabs.clarkson.edu
+ gdm: logwatch@cslabs.clarkson.edu
+ mailnull: logwatch@cslabs.clarkson.edu
+ postgres: logwatch@cslabs.clarkson.edu
+ sshd: logwatch@cslabs.clarkson.edu
+ smmsp: logwatch@cslabs.clarkson.edu
+ postfix: logwatch@cslabs.clarkson.edu
+ netdump: logwatch@cslabs.clarkson.edu
+ ldap: logwatch@cslabs.clarkson.edu
+ squid: logwatch@cslabs.clarkson.edu
+ ntp: logwatch@cslabs.clarkson.edu
+ mysql: logwatch@cslabs.clarkson.edu
+ desktop: logwatch@cslabs.clarkson.edu
+ rpcuser: logwatch@cslabs.clarkson.edu
+ rpc: logwatch@cslabs.clarkson.edu
+ nfsnobody: logwatch@cslabs.clarkson.edu
+
+ ingres: logwatch@cslabs.clarkson.edu
+ system: logwatch@cslabs.clarkson.edu
+ toor: logwatch@cslabs.clarkson.edu
+ manager: logwatch@cslabs.clarkson.edu
+ dumper: logwatch@cslabs.clarkson.edu
+ abuse: logwatch@cslabs.clarkson.edu
+
+ newsadm: news
+ newsadmin: news
+ usenet: news
+ ftpadm: ftp
+ ftpadmin: ftp
+ ftp-adm: ftp
+ ftp-admin: ftp
+ www: webmaster
+ webmaster: logwatch@cslabs.clarkson.edu
+ noc: logwatch@cslabs.clarkson.edu
+ security: logwatch@cslabs.clarkson.edu
+ hostmaster: logwatch@cslabs.clarkson.edu
+ info: postmaster
+ marketing: postmaster
+ sales: postmaster
+ support: postmaster
+
+
+ # trap decode to catch security attacks
+ decode: logwatch@cslabs.clarkson.edu
+
+ # Person who should get roots's mail
+ root: logwatch@cslabs.clarkson.edu
  </pre></code>
  
+ *Updated aliases
− *Edited <code>/etc/apcupsd/commfailure</code>
+ **<code>/usr/bin/newaliases</code>
+
+ ===Disabled <code>CTRL-ALT-DELETE</code>===
+ *Removed trap entry to prevent accidental reboots
  <code><pre>
+ sed -i 's/ca::ctrlaltdel:/#ca::ctrlaltdel:/g' /etc/inittab
− #!/bin/sh
+ </pre></code>
− #
− # This shell script if placed in /etc/apcupsd
− # will be called by /etc/apcupsd/apccontrol when apcupsd
− # loses contact with the UPS (i.e. the serial connection is not responding).
− # We send an email message to root to notify him.
− #
− SYSADMIN=mccarrms@gmail.com,emergency@cslabs.clarkson.edu
− APCUPSD_MAIL="/bin/mail"
  
+ *Made Changes Active
− HOSTNAME=`hostname`
+ <code><pre>
− MSG="$HOSTNAME Communications with UPS lost"
+ init q
− #
− (
− echo "Subject: $MSG"
− echo " "
− echo "$MSG"
− echo " "
− /sbin/apcaccess status
− ) | $APCUPSD_MAIL -s "$MSG" $SYSADMIN
− exit 0
−
  </pre></code>
  
+ ===Disabled Various Kernel Modules===
− *Edited <code>/etc/apcupsd/commok</code>
+ *Added the following to <code>/etc/modprobe.conf</code>
  <code><pre>
− #!/bin/sh
+ install pppox /bin/true
+ install bluetooth /bin/true
− #
+ install sctp /bin/true
− # This shell script if placed in /etc/apcupsd
+ </pre></code>
− # will be called by /etc/apcupsd/apccontrol when apcupsd
− # restores contact with the UPS (i.e. the serial connection is restored).
− # We send an email message to root to notify him.
− #
− SYSADMIN=mccarrms@gmail.com,emergency@cslabs.clarkson.edu
− APCUPSD_MAIL="/bin/mail"
  
+ ===Installed & Configured SNMP===
− HOSTNAME=`hostname`
+ *Installed needed packages
− MSG="$HOSTNAME Communications with UPS restored"
+ <code><pre>
− #
+ yum install net-snmp ntp
− (
− echo "Subject: $MSG"
− echo " "
− echo "$MSG"
− echo " "
− /sbin/apcaccess status
− ) | $APCUPSD_MAIL -s "$MSG" $SYSADMIN
− exit 0
−
  </pre></code>
  
− *Edited <code>/etc/apcupsd/changeme</code>
+ *Configured SNMP Daemon <code>/etc/snmp/snmpd.conf</code>
  <code><pre>
+ rocommunity <passphrase> 127.0.0.1
− #!/bin/sh
+ rocommunity <passphrase> <ipsallowed>
− #
+
− # This shell script if placed in /etc/apcupsd
+ syslocation Clarkson University Applied CS Labs
− # will be called by /etc/apcupsd/apccontrol when apcupsd
+ syscontact Matt McCarrell <mccarrms@gmail.com>
− # detects that the battery should be replaced.
+ disk /
− # We send an email message to root to notify him.
+ disk /var
− #
+ disk /boot
− SYSADMIN=mccarrms@gmail.com,emergency@cslabs.clarkson.edu
+ disk /xen
− APCUPSD_MAIL="/bin/mail"
+ exec timeskew /usr/local/sbin/ntp_check
−
+ exec uptime /usr/bin/uptime
− HOSTNAME=`hostname`
− MSG="$HOSTNAME UPS battery needs changing NOW."
− #
− (
− echo "Subject: $MSG"
− echo " "
− echo "$MSG"
− echo " "
− /sbin/apcaccess status
− ) | $APCUPSD_MAIL -s "$MSG" $SYSADMIN
− exit 0
−
  </pre></code>
  
− *Configured <code>apcupsd</code> to start on boot
+ *Deployed <code>ntp_check</code> script
+ **Copied over <code>/usr/local/sbin/ntp_check</code> from [[Isengard]] to /usr/local/sbin/
− **<code>/sbin/chkconfig --levels 2345 apcupsd on</code>
+ **<code>chown root.root /usr/local/sbin/ntp_check</code>
  
+ *Configured SNMP to start at specific run levels
− *Started <code>apcupsd</code>
+ <code><pre>
− **<code>/etc/init.d/apcupsd start</code>
+ /sbin/chkconfig --levels 2345 snmpd on
+ </pre></code>
  
+ *Started daemon
− ====Configured Xen Domains to Shutdown on System Shutdown====
− *Edited the following lines in <code>/etc/sysconfig/xendomains</code>
  <code><pre>
+ /etc/init.d/snmpd start
− XENDOMAINS_SAVE=""
+ </pre></code>
  
+ ===Increased Detail of Logwatch Reports===
− XENDOMAINS_RESTORE=false
+ *Set detail level to be high
+ <code><pre>
+ echo "Detail = High" >> /etc/logwatch/conf/logwatch.conf
  </pre></code>
  
+ ===Disabled Unneeded Services===
+ *Referenced [http://www.cyberciti.biz/faq/linux-default-services-which-are-enabled-at-boot/ this page]
+
+ <code><pre>
+ chkconfig nfs off
+ /etc/init.d/nfs stop
+ chkconfig nfslock off
+ /etc/init.d/nfslock stop
+ chkconfig rpcgssd off
+ /etc/init.d/rpcgssd stop
+ chkconfig rpcidmapd off
+ /etc/init.d/rpcidmapd stop
+ chkconfig rpcsvcgssd off
+ /etc/init.d/rpcsvcgssd stop
+ chkconfig portmap off
+ /etc/init.d/portmap stop
+ chkconfig netfs off
+ /etc/init.d/netfs stop
+ chkconfig anacron off
+ /etc/init.d/anacron stop
+ chkconfig autofs off
+ /etc/init.d/autofs stop
+ chkconfig avahi-daemon off
+ /etc/init.d/avahi-daemon stop
+ chkconfig avahi-dnsconfd off
+ /etc/init.d/avahi-dnsconfd stop
+ chkconfig bluetooth off
+ /etc/init.d/bluetooth stop
+ chkconfig hidd off
+ /etc/init.d/hidd stop
+ chkconfig cups off
+ /etc/init.d/cups stop
+ chkconfig firstboot off
+ /etc/init.d/firstboot stop
+ chkconfig gpm off
+ /etc/init.d/gpm stop
+ chkconfig haldaemon off
+ /etc/init.d/haldaemon stop
+ chkconfig irda off
+ /etc/init.d/irda stop
+ chkconfig kudzu off
+ /etc/init.d/kudzu stop
+ chkconfig messagebus off
+ /etc/init.d/messagebus stop
+ chkconfig microcode_ctl off
+ /etc/init.d/microcode_ctl stop
+ chkconfig pcscd off
+ /etc/init.d/pcscd stop
+ chkconfig readahead_early off
+ /etc/init.d/readahead_early stop
+ chkconfig readahead_later off
+ /etc/init.d/readahead_later stop
+ chkconfig ypbind off
+ /etc/init.d/ypbind stop
+ </pre></code>
  
− [[Category:Documentation]]
+ [[Category:Server Setup Documentation]]
− [[Category:Infrastructure]]
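Review bot: `exec timeskew /usr/local/sbin/ntp_check` has snmpd run a script copied over from Isengard, and the deployment step shows only `chown root.root /usr/local/sbin/ntp_check`; add an explicit `chmod 0755` (and a check that the copied file is neither group- nor world-writable), since anyone who can edit that file gets code run under snmpd on every poll of that OID. Missing documentation in the same hunk: this revision removes the listings of /etc/apcupsd/offbattery, onbattery, commfailure, commok and changeme, so the UPS notification scripts are no longer described anywhere on the page; a pointer to where they now live would help. The `XENDOMAINS_SAVE=""` / `XENDOMAINS_RESTORE=false` pair correctly gives guests a clean shutdown rather than a save/restore, which matches the heading.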
 

Latest revision as of 13:21, 3 September 2015


This page summarizes how Xen2 was set up in Spring 2009.

Install

  • Installed CentOS 5.3 x64 with Virtualization Support.
    • Partition Scheme
      • 100 MB /boot - Software RAID 1
      • 73 GB root_lvg - Logical Volume Group Software RAID 1
        • 59 GB / (root_lvg-root_lv)
        • 4 GB /var (root_lvg-var_lv)
        • 10 GB swap (root_lvg-swap_lv)
      • 452 GB /xen - Software RAID 1

Kickstart File

# Kickstart file automatically generated by anaconda.

install
cdrom
lang en_US.UTF-8
keyboard us
network --device eth0 --bootproto static --ip 128.153.145.42 --netmask 255.255.255.0 --gateway 128.153.145.1 --nameserver 128.153.0.254,128.153.5.254 --hostname xen2
network --device eth1 --bootproto static --ip 10.0.1.38 --netmask 255.255.255.0 --gateway 128.153.145.1 --nameserver 128.153.0.254,128.153.5.254 --hostname xen2
network --device eth2 --bootproto static --ip 10.0.0.17 --netmask 255.255.255.0 --gateway 128.153.145.1 --nameserver 128.153.0.254,128.153.5.254 --hostname xen2
rootpw --iscrypted ENCRYPTED-PASSWORD-GOES-HERE
firewall --enabled --port=22:tcp
authconfig --enableshadow --enablemd5
selinux --enforcing
timezone --utc America/New_York
bootloader --location=partition --driveorder=sda,sdb,sdc,sdd --md5pass=ENCRYPTED-PASSWORD-GOES-HERE
# The following is the partition information you requested
# Note that any partitions you deleted are not expressed
# here so unless you clear all partitions first, this is
# not guaranteed to work
clearpart --linux
part raid.16 --size=100 --ondisk=sda
part raid.19 --size=100 --ondisk=sdb
part raid.20 --size=100 --grow --ondisk=sdd
part raid.18 --size=100 --grow --ondisk=sdb
part raid.17 --size=100 --grow --ondisk=sda
part raid.14 --size=100 --grow --ondisk=sdc
raid /boot --fstype ext3 --level=RAID1 --device=md0 raid.16 raid.19
raid pv.22 --fstype "physical volume (LVM)" --level=RAID1 --device=md1 raid.17 raid.18
raid /xen --fstype ext3 --level=RAID1 --device=md2 raid.14 raid.20
volgroup root_lvg --pesize=32768 pv.22
logvol / --fstype ext3 --name=root_lv --vgname=root_lvg --size=61856
logvol swap --fstype swap --name=swap_lv --vgname=root_lvg --size=10240
logvol /var --fstype ext3 --name=var_lv --vgname=root_lvg --size=4096

%packages
@virtualization
@core
@base
bridge-utils
device-mapper-multipath
-gnome-applet-vm
-NetworkManager
-bluez-utils

Configuration

Updated System

  • Configured Yum Priorities & to use our mirror
    • Edited /etc/yum.repos.d/CentOS-Base.repo
# CentOS-Base.repo
#
# This file uses a new mirrorlist system developed by Lance Davis for CentOS.
# The mirror system uses the connecting IP address of the client and the
# update status of each mirror to pick mirrors that are updated to and
# geographically close to the client.  You should use this for CentOS updates
# unless you are manually picking other mirrors.
#
# If the mirrorlist= does not work for you, as a fall back you can try the
# remarked out baseurl= line instead.
#
#

[base]
name=CentOS-$releasever - Base
#mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=os
baseurl=http://mirror.clarkson.edu/centos/$releasever/os/$basearch/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5
priority=1

#released updates
[updates]
name=CentOS-$releasever - Updates
#mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=updates
baseurl=http://mirror.clarkson.edu/centos/$releasever/updates/$basearch/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5
priority=1

#packages used/produced in the build but not released
[addons]
name=CentOS-$releasever - Addons
#mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=addons
baseurl=http://mirror.clarkson.edu/centos/$releasever/addons/$basearch/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5
priority=1

#additional packages that may be useful
[extras]
name=CentOS-$releasever - Extras
#mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=extras
baseurl=http://mirror.clarkson.edu/centos/$releasever/extras/$basearch/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5
priority=1

#additional packages that extend functionality of existing packages
[centosplus]
name=CentOS-$releasever - Plus
#mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=centosplus
baseurl=http://mirror.clarkson.edu/centos/$releasever/centosplus/$basearch/
gpgcheck=1
enabled=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5
priority=2

#contrib - packages by Centos Users
[contrib]
name=CentOS-$releasever - Contrib
#mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=contrib
baseurl=http://mirror.clarkson.edu/centos/$releasever/contrib/$basearch/
gpgcheck=1
enabled=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5
priority=2
    • Edited /etc/yum.repos.d/rpmforge.repo
# Name: RPMforge RPM Repository for Red Hat Enterprise 5 - dag
# URL: http://rpmforge.net/
[rpmforge]
name = Red Hat Enterprise $releasever - RPMforge.net - dag
baseurl = http://mirror.clarkson.edu/rpmforge/redhat/el5/en/$basearch/dag
#mirrorlist = http://apt.sw.be/redhat/el5/en/mirrors-rpmforge
#mirrorlist = file:///etc/yum.repos.d/mirrors-rpmforge
enabled = 1
gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-rpmforge-dag
gpgcheck = 1
priority=15
    • Edited /etc/yum.repos.d/epel.repo
[epel]
name=Extra Packages for Enterprise Linux 5 - $basearch
baseurl=http://mirror.clarkson.edu/epel/5/$basearch
#mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=epel-5&arch=$basearch
failovermethod=priority
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL
priority=30

[epel-debuginfo]
name=Extra Packages for Enterprise Linux 5 - $basearch - Debug
baseurl=http://mirror.clarkson.edu/epel/5/$basearch/debug
#mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=epel-debug-5&arch=$basearch
failovermethod=priority
enabled=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL
gpgcheck=1
priority=30

[epel-source]
name=Extra Packages for Enterprise Linux 5 - $basearch - Source
baseurl=http://mirror.clarkson.edu/epel/5/SRPMS
#mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=epel-source-5&arch=$basearch
failovermethod=priority
enabled=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL
gpgcheck=1
priority=30
    • Edited /etc/yum.repos.d/epel-testing.repo
[epel-testing]
name=Extra Packages for Enterprise Linux 5 - Testing - $basearch
baseurl=http://mirror.clarkson.edu/epel/testing/5/$basearch
#mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=testing-epel5&arch=$basearch
failovermethod=priority
enabled=0
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL
priority=40

[epel-testing-debuginfo]
name=Extra Packages for Enterprise Linux 5 - Testing - $basearch - Debug
baseurl=http://mirror.clarkson.edu/epel/testing/5/$basearch/debug
#mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=testing-debug-epel5&arch=$basearch
failovermethod=priority
enabled=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL
gpgcheck=1
priority=40

[epel-testing-source]
name=Extra Packages for Enterprise Linux 5 - Testing - $basearch - Source
baseurl=http://mirror.clarkson.edu/epel/testing/5/SRPMS
#mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=testing-source-epel5&arch=$basearch
failovermethod=priority
enabled=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL
gpgcheck=1
priority=40
  • Disabled Yum FastestMirror since using local mirror
    • sed -i 's/enabled=1/enabled=0/g' /etc/yum/pluginconf.d/fastestmirror.conf
  • Installed Yum Priorities (Note: This must be installed prior to installing the packages below.)
    • yum install yum-priorities
  • Configured Yum Priorities to check for obsoletes
    • echo "check_obsoletes=1" >> /etc/yum/pluginconf.d/priorities.conf
  • yum install vim-enhanced gcc emacs-nox screen pwgen dialog
  • yum update

Created User

  • Created user mccarrms
    • /usr/sbin/useradd -m mccarrms
  • Set password for mccarrms
    • passwd mccarrms

Configured Sudo

  • /usr/sbin/visudo
## Sudoers allows particular users to run various commands as
## the root user, without needing the root password.

#User_Alias ADMINS = mccarrms

## Networking
Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool

## Installation and management of software
Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum

## Services
Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig

## Updating the locate database
Cmnd_Alias LOCATE = /usr/sbin/updatedb

## Storage
Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount

## Delegating permissions
Cmnd_Alias DELEGATING = /usr/sbin/visudo, /bin/chown, /bin/chmod, /bin/chgrp

## Processes
Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall

## Drivers
Cmnd_Alias DRIVERS = /sbin/modprobe

## Shells
Cmnd_Alias SHELLS = /bin/sh, /bin/bash, /usr/bin/rsh, /bin/dash, /bin/rbash, /bin/su

## Users
Cmnd_Alias USERS = /usr/sbin/useradd, /usr/sbin/userdel, /usr/sbin/userhelper, /usr/sbin/usermod, /usr/sbin/usernetctl

Defaults    requiretty

Defaults    env_reset,tty_tickets,lecture=always,logfile=/var/log/sudo.log
Defaults    env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR \
                        LS_COLORS MAIL PS1 PS2 QTDIR USERNAME \
                        LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION \
                        LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC \
                        LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS \
                        _XKB_CHARSET XAUTHORITY"

## Allow root to run any commands anywhere
root    ALL=(ALL)       ALL
%wheel  ALL=(ALL)       ALL
%admins ALL=(root)      ALL, !SHELLS
%xenadmins ALL=/usr/sbin/xm

Configured Networks

  • Configured hostname in /etc/sysconfig/network
NETWORKING=yes
NETWORKING_IPV6=no
HOSTNAME=xen2
GATEWAY=128.153.145.1
  • Verified eth0 configuration for Clarkson Network in /etc/sysconfig/network-scripts/ifcfg-eth0
# Intel Corporation 82541PI Gigabit Ethernet Controller
DEVICE=eth0
BOOTPROTO=static
BROADCAST=128.153.145.255
HWADDR=00:1B:21:28:C8:4E
IPADDR=128.153.145.42
NETMASK=255.255.255.0
NETWORK=128.153.145.0
ONBOOT=yes
  • Verified eth1 configuration for the Server Room Network in /etc/sysconfig/network-scripts/ifcfg-eth1
# Intel Corporation 80003ES2LAN Gigabit Ethernet Controller (Copper)
DEVICE=eth1
BOOTPROTO=static
BROADCAST=10.0.1.255
HWADDR=00:E0:81:B5:88:84
IPADDR=10.0.1.38
NETMASK=255.255.255.0
NETWORK=10.0.1.0
ONBOOT=yes
  • Verified eth2 configuration for the Internal Network in /etc/sysconfig/network-scripts/ifcfg-eth2
# Intel Corporation 80003ES2LAN Gigabit Ethernet Controller (Copper)
DEVICE=eth2
BOOTPROTO=static
BROADCAST=10.0.0.255
HWADDR=00:E0:81:B5:88:85
IPADDR=10.0.0.17
NETMASK=255.255.255.0
NETWORK=10.0.0.0
ONBOOT=yes

Configured Additional Xen Bridges

  • Created a network configuration file (/etc/xen/scripts/networks-cslabs)
#!/bin/sh
dir=$(dirname "$0")

"$dir/network-bridge" start vifnum=0 netdev=eth0 bridge=xenbr0
"$dir/network-bridge" start vifnum=1 netdev=eth1 bridge=xenbr1
"$dir/network-bridge" start vifnum=2 netdev=eth2 bridge=xenbr2
  • Made script executable
    • chmod +x /etc/xen/scripts/networks-cslabs
  • Edited /etc/xen/xend-config.sxp
(xend-unix-server yes)

(xend-unix-path /var/lib/xend/xend-socket)

(xend-relocation-hosts-allow '^localhost$ ^localhost\\.localdomain$')

(network-script networks-cslabs)

(vif-script vif-bridge)

(dom0-min-mem 512)

(dom0-cpus 0)

(vncpasswd '')

(keymap 'en-us')

Configured Hosts

  • Edited /etc/hosts
127.0.0.1       localhost.localdomain localhost
128.153.145.42  xen2.cslabs.clarkson.edu xen2.cslabs xen2
10.0.1.38       xen2.sr.cslabs.clarkson.edu xen2.sr.cslabs xen2.sr
10.0.0.17       xen2.int.cslabs.clarkson.edu xen2.int.cslabs xen2.int
  • Edited /etc/hosts.allow
For security purposes, this information has been intentionally left off.
  • Edited /etc/hosts.deny
ALL: ALL

Configured DNS Servers

  • Edited /etc/resolv.conf
search cslabs.clarkson.edu clarkson.edu
nameserver 128.153.145.3
nameserver 128.153.145.4

Disabled IPv6

  • Appended the following to /etc/modprobe.conf
install ipv6 /bin/true
  • Disabled the IPv6 firewall
    • /sbin/chkconfig ip6tables off

Configured dom0 memory

  • Due to a networking issue that arose on one of our dom0s (see Bug Report), the memory allocated to the dom0 needed to be set explicitly.
    • Edited /boot/grub/menu.lst and modified the kernel option
kernel /xen.gz-2.6.18-128.1.10.el5 dom0_mem=512M

Configured Automatic Starting of Xen Images

  • Removed /etc/xen/auto/
rmdir /etc/xen/auto/
  • Created Symbolic Link to /xen/confs
ln -s /xen/confs/ /etc/xen/auto

Configured IPtables

Due to the sensitivity of this material, this config file has been left off; however, the following rules are needed.
  • Restarted iptables
    • /etc/init.d/iptables restart

Configured SSH

  • Edited /etc/ssh/sshd_config
Due to the sensitivity of this material, this config file has been left off.
  • Restarted sshd
    • /etc/init.d/sshd restart

Set Up SSH Login Banner

  • Edited /etc/issue.net
                ___ 
 __ _____ ___  |_  |
 \ \ / -_) _ \/ __/ 
/_\_\\__/_//_/____/ 
                    

Configured Password Requirements

  • Edited /etc/login.defs
MAIL_DIR        /var/spool/mail

PASS_MAX_DAYS   360
PASS_MIN_DAYS   0
PASS_MIN_LEN    8
PASS_WARN_AGE   60

UID_MIN                   500
UID_MAX                 60000

GID_MIN                   500
GID_MAX                 60000

CREATE_HOME     yes

UMASK           077

USERGROUPS_ENAB yes

MD5_CRYPT_ENAB yes

ENCRYPT_METHOD MD5

Added Custom PATH Variables

  • Added the following to /etc/profile
PATH=$PATH:/usr/sbin:/sbin
export PATH

Set Up & Configured NTP

  • Installed NTP
    • yum install ntp
  • Edited /etc/ntp.conf
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery

restrict 127.0.0.1
restrict -6 ::1

restrict tick.clarkson.edu mask 255.255.255.255 nomodify notrap noquery
restrict tock.clarkson.edu mask 255.255.255.255 nomodify notrap noquery

server tick.clarkson.edu
server tock.clarkson.edu

server  127.127.1.0     # local clock
fudge   127.127.1.0 stratum 10

driftfile /var/lib/ntp/drift

keys /etc/ntp/keys
  • Edited /etc/ntp/step-tickers
tick.clarkson.edu
tock.clarkson.edu
  • Configured ntpd to start on boot
    • /sbin/chkconfig --levels 2345 ntpd on
  • Started ntpd
    • /etc/init.d/ntpd start

Configured ntpd to Sync Hardware Clock

  • Edited /etc/sysconfig/ntpd
# Drop root to id 'ntp:ntp' by default.
OPTIONS="-u ntp:ntp -p /var/run/ntpd.pid"

# Set to 'yes' to sync hw clock after successful ntpdate
SYNC_HWCLOCK=yes

# Additional options for ntpdate
NTPDATE_OPTIONS=""

Installed and Configured APCUPSD

This package monitors the UPS that Xen2 is plugged into and is used to shut down the system cleanly in the event of a power failure.

Configured to Power On when Power is Restored

  • Edited the BIOS to have Restore on AC/Power Loss set to Power On.

Installed and configured apcupsd

  • Checked that the UPS was detected
    • cat /proc/bus/usb/devices
T:  Bus=03 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#=  2 Spd=1.5 MxCh= 0
D:  Ver= 1.10 Cls=00(>ifc ) Sub=00 Prot=00 MxPS= 8 #Cfgs=  1
P:  Vendor=051d ProdID=0002 Rev= 1.01
S:  Manufacturer=American Power Conversion
S:  Product=Back-UPS RS 1500 LCD FW:839.H7 .D USB FW:H7
S:  SerialNumber=JB0802018526
C:* #Ifs= 1 Cfg#= 1 Atr=e0 MxPwr=  2mA
I:  If#= 0 Alt= 0 #EPs= 1 Cls=03(HID  ) Sub=00 Prot=00 Driver=usbhid
E:  Ad=81(I) Atr=03(Int.) MxPS=   6 Ivl=100ms
  • Installed apcupsd
    • yum install apcupsd
  • Edited /etc/apcupsd/apcupsd.conf
## apcupsd.conf v1.1 ##

UPSNAME ups4

UPSCABLE usb

UPSTYPE usb
DEVICE

LOCKFILE /var/lock

SCRIPTDIR /etc/apcupsd

PWRFAILDIR /etc/apcupsd

NOLOGINDIR /etc

ONBATTERYDELAY 6

BATTERYLEVEL 7

MINUTES 10

TIMEOUT 0

ANNOY 300

ANNOYDELAY 60

NOLOGON disable

KILLDELAY 0

NETSERVER on

NISIP 0.0.0.0

NISPORT 3551

EVENTSFILE /var/log/apcupsd.events

EVENTSFILEMAX 10

UPSCLASS standalone

UPSMODE disable

STATTIME 0

STATFILE /var/log/apcupsd.status

LOGSTATS off

DATATIME 0

SELFTEST 336
  • Configured apcupsd to start on boot
    • /sbin/chkconfig --levels 2345 apcupsd on
  • Started apcupsd
    • /etc/init.d/apcupsd start

Configured Xen Domains to Shutdown on System Shutdown

  • Edited the following lines in /etc/sysconfig/xendomains
XENDOMAINS_SAVE=""

XENDOMAINS_RESTORE=false

Installed Debootstrap

  • yum install debootstrap

Configured Aliases

  • Edited /etc/aliases
#
#  Aliases in this file will NOT be expanded in the header from
#  Mail, but WILL be visible over networks or from /bin/mail.
#
#       >>>>>>>>>>      The program "newaliases" must be run after
#       >> NOTE >>      this file is updated for any changes to
#       >>>>>>>>>>      show through to sendmail.
#

# Basic system aliases -- these MUST be present.
mailer-daemon:  postmaster
postmaster:     logwatch@cslabs.clarkson.edu

# General redirections for pseudo accounts.
bin:            logwatch@cslabs.clarkson.edu
daemon:         logwatch@cslabs.clarkson.edu
adm:            logwatch@cslabs.clarkson.edu
lp:             logwatch@cslabs.clarkson.edu
sync:           logwatch@cslabs.clarkson.edu
shutdown:       logwatch@cslabs.clarkson.edu
halt:           logwatch@cslabs.clarkson.edu
mail:           logwatch@cslabs.clarkson.edu
news:           logwatch@cslabs.clarkson.edu
uucp:           logwatch@cslabs.clarkson.edu
operator:       logwatch@cslabs.clarkson.edu
games:          logwatch@cslabs.clarkson.edu
gopher:         logwatch@cslabs.clarkson.edu
ftp:            logwatch@cslabs.clarkson.edu
nobody:         logwatch@cslabs.clarkson.edu
radiusd:        logwatch@cslabs.clarkson.edu
nut:            logwatch@cslabs.clarkson.edu
dbus:           logwatch@cslabs.clarkson.edu
vcsa:           logwatch@cslabs.clarkson.edu
canna:          logwatch@cslabs.clarkson.edu
wnn:            logwatch@cslabs.clarkson.edu
rpm:            logwatch@cslabs.clarkson.edu
nscd:           logwatch@cslabs.clarkson.edu
pcap:           logwatch@cslabs.clarkson.edu
apache:         logwatch@cslabs.clarkson.edu
webalizer:      logwatch@cslabs.clarkson.edu
dovecot:        logwatch@cslabs.clarkson.edu
fax:            logwatch@cslabs.clarkson.edu
quagga:         logwatch@cslabs.clarkson.edu
radvd:          logwatch@cslabs.clarkson.edu
pvm:            logwatch@cslabs.clarkson.edu
amanda:         logwatch@cslabs.clarkson.edu
privoxy:        logwatch@cslabs.clarkson.edu
ident:          logwatch@cslabs.clarkson.edu
named:          logwatch@cslabs.clarkson.edu
xfs:            logwatch@cslabs.clarkson.edu
gdm:            logwatch@cslabs.clarkson.edu
mailnull:       logwatch@cslabs.clarkson.edu
postgres:       logwatch@cslabs.clarkson.edu
sshd:           logwatch@cslabs.clarkson.edu
smmsp:          logwatch@cslabs.clarkson.edu
postfix:        logwatch@cslabs.clarkson.edu
netdump:        logwatch@cslabs.clarkson.edu
ldap:           logwatch@cslabs.clarkson.edu
squid:          logwatch@cslabs.clarkson.edu
ntp:            logwatch@cslabs.clarkson.edu
mysql:          logwatch@cslabs.clarkson.edu
desktop:        logwatch@cslabs.clarkson.edu
rpcuser:        logwatch@cslabs.clarkson.edu
rpc:            logwatch@cslabs.clarkson.edu
nfsnobody:      logwatch@cslabs.clarkson.edu

ingres:         logwatch@cslabs.clarkson.edu
system:         logwatch@cslabs.clarkson.edu
toor:           logwatch@cslabs.clarkson.edu
manager:        logwatch@cslabs.clarkson.edu
dumper:         logwatch@cslabs.clarkson.edu
abuse:          logwatch@cslabs.clarkson.edu

newsadm:        news
newsadmin:      news
usenet:         news
ftpadm:         ftp
ftpadmin:       ftp
ftp-adm:        ftp
ftp-admin:      ftp
www:            webmaster
webmaster:      logwatch@cslabs.clarkson.edu
noc:            logwatch@cslabs.clarkson.edu
security:       logwatch@cslabs.clarkson.edu
hostmaster:     logwatch@cslabs.clarkson.edu
info:           postmaster
marketing:      postmaster
sales:          postmaster
support:        postmaster


# trap decode to catch security attacks
decode:         logwatch@cslabs.clarkson.edu

# Person who should get root's mail
root:           logwatch@cslabs.clarkson.edu
  • Updated aliases
    • /usr/bin/newaliases

Disabled CTRL-ALT-DELETE

  • Removed trap entry to prevent accidental reboots
sed -i 's/ca::ctrlaltdel:/#ca::ctrlaltdel:/g' /etc/inittab
  • Made Changes Active
init q

Disabled Various Kernel Modules

  • Added the following to /etc/modprobe.conf
install pppox /bin/true
install bluetooth /bin/true
install sctp /bin/true
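An "install <module> /bin/true" line only blocks future loads; a module that was already resident when the file was edited (ipv6 from the earlier section, or any of the three above) stays loaded until it is unloaded or the host reboots. The following audit is an added example, not part of the original page: it reads the blocked list from a modprobe.conf file and compares it with an lsmod-style listing, both constructed here as sample input.

```shell
#!/bin/sh
# Added example (not from the Xen2 wiki page): report modules that are
# blocked by "install <mod> /bin/true" but are still loaded.

# Print the module names blocked by "install <mod> /bin/true" lines read on stdin.
blocked_modules() {
    awk '$1 == "install" && $3 == "/bin/true" { print $2 }'
}

# Given a modprobe.conf file and an lsmod-style listing, print each blocked
# module that is still loaded, one per line. Returns 1 if any were found.
still_loaded() {
    conf="$1"; loaded="$2"; rc=0
    for mod in $(blocked_modules < "$conf"); do
        # lsmod prints a header line, then the module name in column 1
        if awk -v m="$mod" 'NR > 1 && $1 == m { found = 1 } END { exit !found }' "$loaded"; then
            echo "$mod"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample inputs (not taken from the Xen2 host).
SAMPLE_CONF=$(mktemp); SAMPLE_LSMOD=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
alias eth0 e1000
install ipv6 /bin/true
install pppox /bin/true
install bluetooth /bin/true
install sctp /bin/true
EOF
cat > "$SAMPLE_LSMOD" <<'EOF'
Module                  Size  Used by
ipv6                  272833  12
e1000                 125437  0
bridge                 55641  0
EOF

# On the sample, ipv6 is blocked but still resident, so it is listed.
still_loaded "$SAMPLE_CONF" "$SAMPLE_LSMOD" || echo "modules above need rmmod or a reboot"
```

On a live host, replace the two sample files with /etc/modprobe.conf and the output of lsmod saved to a file.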

Installed & Configured SNMP

  • Installed needed packages
yum install net-snmp ntp
  • Configured SNMP Daemon /etc/snmp/snmpd.conf
rocommunity     <passphrase>  127.0.0.1
rocommunity     <passphrase>  <ipsallowed>
 
syslocation Clarkson University Applied CS Labs
syscontact Matt McCarrell <mccarrms@gmail.com>
disk /
disk /var
disk /boot
disk /xen
exec timeskew /usr/local/sbin/ntp_check
exec uptime /usr/bin/uptime
  • Deployed ntp_check script
    • Copied over /usr/local/sbin/ntp_check from Isengard to /usr/local/sbin/
    • chown root.root /usr/local/sbin/ntp_check
  • Configured SNMP to start at specific run levels
/sbin/chkconfig --levels 2345 snmpd on
  • Started daemon
/etc/init.d/snmpd start
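The "exec timeskew" entry above runs a script whose stdout and exit status snmpd exposes as extOutput and extResult. The script copied from Isengard is not on this page; the following is an added, hypothetical stand-in (not the real ntp_check) showing the shape such a check takes: it reads "ntpq -pn" output, takes the offset of the selected system peer, and exits nonzero when the skew exceeds a threshold. The sample ntpq output is constructed.

```shell
#!/bin/sh
# Added, illustrative stand-in for an snmpd "exec" check (hypothetical; not
# the ntp_check script copied from Isengard). A monitoring system polling
# UCD-SNMP-MIB can alarm on a nonzero extResult.

# Read "ntpq -pn" output on stdin and print the absolute offset (ms) of the
# selected system peer (the line tagged with '*'). Prints nothing if no peer
# is selected, which is itself a sync failure.
ntp_skew_ms() {
    awk '$1 ~ /^\*/ { o = $9; if (o < 0) o = -o; print o }'
}

# Compare the skew with a threshold in ms (default 500). Exit 0 when in
# sync, 1 when skewed or unsynchronised.
ntp_check() {
    threshold="${1:-500}"
    skew="$(ntp_skew_ms)"
    if [ -z "$skew" ]; then
        echo "no system peer selected"
        return 1
    fi
    echo "offset_ms=$skew"
    # awk does the floating-point comparison that sh lacks
    awk -v s="$skew" -v t="$threshold" 'BEGIN { exit !(s <= t) }'
}

# Constructed sample of "ntpq -pn" output (not captured from xen2).
SAMPLE_NTPQ='     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*128.153.145.3   .GPS.            1 u   45   64  377    0.512   -1.234   0.089
+128.153.145.4   .GPS.            1 u   12   64  377    0.640    2.105   0.120
 127.127.1.0     .LOCL.          10 l   30   64  377    0.000    0.000   0.001'

printf '%s\n' "$SAMPLE_NTPQ" | ntp_check 500   # prints offset_ms=1.234, exits 0
```

Deployed for real, the last line would instead be `ntpq -pn | ntp_check 500` with the threshold the site considers acceptable.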

Increased Detail of Logwatch Reports

  • Set detail level to be high
echo "Detail = High" >> /etc/logwatch/conf/logwatch.conf

Disabled Unneeded Services

chkconfig nfs off
/etc/init.d/nfs stop
chkconfig nfslock off
/etc/init.d/nfslock stop
chkconfig rpcgssd off
/etc/init.d/rpcgssd stop
chkconfig rpcidmapd off
/etc/init.d/rpcidmapd stop
chkconfig rpcsvcgssd off
/etc/init.d/rpcsvcgssd stop
chkconfig portmap off
/etc/init.d/portmap stop
chkconfig netfs off
/etc/init.d/netfs stop
chkconfig anacron off
/etc/init.d/anacron stop
chkconfig autofs off
/etc/init.d/autofs stop
chkconfig avahi-daemon off
/etc/init.d/avahi-daemon stop
chkconfig avahi-dnsconfd off
/etc/init.d/avahi-dnsconfd stop
chkconfig bluetooth off
/etc/init.d/bluetooth stop
chkconfig hidd off
/etc/init.d/hidd stop
chkconfig cups off
/etc/init.d/cups stop
chkconfig firstboot off
/etc/init.d/firstboot stop
chkconfig gpm off
/etc/init.d/gpm stop
chkconfig haldaemon off
/etc/init.d/haldaemon stop
chkconfig irda off
/etc/init.d/irda stop
chkconfig kudzu off
/etc/init.d/kudzu stop
chkconfig messagebus off
/etc/init.d/messagebus stop
chkconfig microcode_ctl off
/etc/init.d/microcode_ctl stop
chkconfig pcscd off
/etc/init.d/pcscd stop
chkconfig readahead_early off
/etc/init.d/readahead_early stop
chkconfig readahead_later off
/etc/init.d/readahead_later stop
chkconfig ypbind off
/etc/init.d/ypbind stop
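A package update can re-enable one of these services, so the list is worth re-auditing rather than trusting once. The following is an added example, not part of the original page: it parses "chkconfig --list" output (a constructed sample here) and reports any service from the list above that is still on in runlevels 2 through 5.

```shell
#!/bin/sh
# Added example (not from the Xen2 page): re-audit the disabled-services list
# against a saved "chkconfig --list" listing.

# Services the page turns off (same list as above).
DISABLED_POLICY="nfs nfslock rpcgssd rpcidmapd rpcsvcgssd portmap netfs anacron
autofs avahi-daemon avahi-dnsconfd bluetooth hidd cups firstboot gpm haldaemon
irda kudzu messagebus microcode_ctl pcscd readahead_early readahead_later ypbind"

# Read "chkconfig --list" on stdin; print SysV services that are "on" in any
# of runlevels 2-5. SysV lines are "<name> 0:off 1:off ... 6:off" (8 fields,
# runlevels 2-5 in fields 4-7); the indented xinetd block does not match.
enabled_services() {
    awk 'NF == 8 && $2 ~ /^0:/ {
             for (i = 4; i <= 7; i++) if ($i ~ /:on$/) { print $1; break }
         }'
}

# Print every policy service still enabled; return 1 if there is at least one.
audit_services() {
    listing="$1"; rc=0
    for svc in $(enabled_services < "$listing"); do
        for want in $DISABLED_POLICY; do
            if [ "$svc" = "$want" ]; then echo "$svc"; rc=1; fi
        done
    done
    return $rc
}

# Constructed sample listing (not captured from xen2).
SAMPLE_LIST=$(mktemp)
cat > "$SAMPLE_LIST" <<'EOF'
anacron         0:off   1:off   2:off   3:off   4:off   5:off   6:off
cups            0:off   1:off   2:on    3:on    4:on    5:on    6:off
ntpd            0:off   1:off   2:on    3:on    4:on    5:on    6:off
portmap         0:off   1:off   2:off   3:on    4:off   5:off   6:off
sshd            0:off   1:off   2:on    3:on    4:on    5:on    6:off
xinetd based services:
        rsync:  off
EOF

# On the sample, cups and portmap are flagged; ntpd and sshd are not in the policy.
audit_services "$SAMPLE_LIST" || echo "re-run chkconfig off and stop for the services above"
```

On a live host, save `chkconfig --list` to a file and pass that file to audit_services.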