Foreman
Foreman is a complete lifecycle management tool for physical and virtual servers. We give system administrators the power to easily automate repetitive tasks, quickly deploy applications, and proactively manage servers, on-premise or in the cloud.
Foreman's infrastructure and host management services are:
- DHCP – Capsule can act as a DHCP server or it can integrate with an existing solution, including ISC DHCP servers, Active Directory, and Libvirt instances.
- DNS – Capsule can act as a DNS server or it can integrate with an existing solution, including ISC DNS, Active Directory, or BIND.
- TFTP – Capsule can act as a TFTP server or integrate with any UNIX-based TFTP server.
- Realm – Capsule can manage Kerberos realms or domains so that hosts can join them automatically during provisioning. Capsule can integrate with an existing infrastructure including IdM, FreeIPA, and Active Directory.
- Puppet Master – Capsule can act as a configuration management server by running Puppet Master.
- Puppet Certificate Authority – Capsule can act as a Puppet CA to provide certificates to hosts.
- Baseboard Management Controller (BMC) – Capsule can provide power management for hosts.
- Provisioning template proxy – Capsule can serve provisioning templates to hosts.
- OpenSCAP – Capsule can perform security compliance scans on hosts.
Preparation
- Define foreman-initial-organization
- Define foreman-initial-location
- Define which repositories need to be synced (is there any custom content?)
- Define the DNS, DHCP and TFTP servers (will they be managed by Satellite?)
- Define the Satellite server's SSL certificate
- Define the lifecycle environments
- Define the location (physical or virtual) of the Satellite and Capsule servers
- Define the hardening guide
Installation
## Build on libvirt
SERVERNAME="vajicko.home.lichnak.cz"
#EXTARG="ip=10.0.0.19::10.0.0.1:255.128.0.0:vajicko.home.lichnak.cz:eth0:none"
MAC="50:54:00:00:40:90"
DOMAIN=home.lichnak.cz
DISKSIZE_GB=400
RAM_MB=16384
VCPU=4
OS_VARIANT=rhel7
qemu-img create -f qcow2 /vms/images/"$SERVERNAME".qcow2 "$DISKSIZE_GB"G
virt-install --virt-type=kvm --name "$SERVERNAME" --ram "$RAM_MB" --vcpus="$VCPU" --os-variant="$OS_VARIANT" --cdrom=/vms/isos/CentOS-7-x86_64-Minimal-1810.iso --network=bridge=virbr0,model=virtio,mac="$MAC" --graphics vnc,listen=0.0.0.0 --noautoconsole --disk path=/vms/images/"$SERVERNAME".qcow2,size="$DISKSIZE_GB",bus=virtio,format=qcow2 # --extra-args "$EXTARG"
virsh start "$SERVERNAME"
virsh autostart "$SERVERNAME"
## Disk layout
# /boot 1 GB
# / 40 GB
# /var/lib/pulp 100 GB
# /var/lib/mongodb 50 GB
# /var/ftp/pub 49 GB
# /var/spool/squid 60 GB
# /var/lib/pgsql 40 GB
# /var 15 GB
# /var/log 15 GB
# /tmp 10 GB
# swap 20 GB
## Configuration
#df -hT
#cp -ax /home /tmp/
#umount -fl /home
#cp -ax /tmp/home /
#rm -rf /tmp/home
#vi /etc/fstab
#reboot
#lvs
#lvremove /dev/centos/home
#lvextend -t -r -l+100%FREE /dev/centos/root
#lvextend -r -l+100%FREE /dev/centos/root
#xfs_growfs /dev/mapper/centos-root
#dracut --regenerate-all --force
#df -hT
#fdisk /dev/vda4
#
#To create a new partition press n.
#Choose a primary partition with p.
#Choose the partition number for the new primary partition.
#Press 1 if another disk is available.
#Change the type with t.
#Type 8e to set the partition type to Linux LVM.
#Use p to print the created partition (this option was not used here).
#Press w to write the changes.
#
#fdisk -l /dev/vda
#
#pvs
#vgs
#lvs
#
#pvcreate /dev/vda4
#vgextend system /dev/vda4
#
#lvextend -t -r -L +10GB /dev/system/tmp
#lvextend -r -L +10GB /dev/system/tmp
#xfs_growfs /dev/system/tmp
#dracut --regenerate-all --force
#
#lvextend -t -r -L +10GB /dev/system/var_log
#lvextend -r -L +10GB /dev/system/var_log
#xfs_growfs /dev/system/var_log
#dracut --regenerate-all --force
#
#lvextend -t -r -L +15GB /dev/system/root
#lvextend -r -L +15GB /dev/system/root
#xfs_growfs /dev/system/root
#dracut --regenerate-all --force
#
#lvextend -t -r -L +15GB /dev/system/var
#lvextend -r -L +15GB /dev/system/var
#xfs_growfs /dev/system/var
#dracut --regenerate-all --force
#
#df -hT
#
#
#blkid /dev/system/swap
#swapoff -av
#
#lvextend -t -r -l+100%FREE /dev/system/swap
#lvextend -r -l+100%FREE /dev/system/swap
#dracut --regenerate-all --force
#
## hcl resize cl_centos73-swap
#reboot
#mkswap -U "a949b636-1669-43cb-acc4-b1ed86e7f2f1" /dev/system/swap
#swapon -va
#swapon --show
setenforce 0
sestatus
cat <<"EOF"> /etc/sysconfig/selinux
SELINUX=disabled
SELINUXTYPE=targeted
EOF
cat <<"EOF"> /etc/resolv.conf
search home.lichnak.cz
nameserver pastnakuny.home.lichnak.cz
nameserver pastnalisky.home.lichnak.cz
nameserver 10.0.0.15
nameserver 10.0.0.36
EOF
cat <<"EOF">/etc/hostname
vajicko.home.lichnak.cz
EOF
cat <<"EOF"> /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
EOF
useradd lichnak
# already running as root; sudo would only apply to cat, not to the redirection
cat <<"EOF"> /etc/sudoers.d/20-lichnak
lichnak ALL=(ALL) ALL
EOF
chmod 0440 /etc/sudoers.d/20-lichnak
su lichnak
mkdir -m 700 ~/.ssh
cat <<"EOF"> ~/.ssh/authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAgEA4POAs/aB10= lich-mzmpal-rsa-key-20171109
EOF
chmod 600 ~/.ssh/authorized_keys
exit
yum -y install yum-utils epel-release iptables iptables-services rsync bind-utils net-tools nmap ntp openssl tcpdump sysstat wget
yum -y update
systemctl disable firewalld
systemctl stop firewalld
cat <<"EOF"> firewall.sh
#!/bin/bash
# Load the connection tracker kernel module
modprobe ip_conntrack
# Flush the iptables rules and delete user-defined chains so the script can be re-run
iptables -F
iptables -X
# Set the default policy
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
# Create the necessary chains
iptables -N LOG_ACCEPT
iptables -N LOG_REJECT
iptables -N LOG_DROP
iptables -N IN_SSH
# Allow established connections
iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# Allow traffic on loopback interface
iptables -A INPUT -i lo -j ACCEPT
# Drop traffic with invalid states
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
# Allow icmp ping
iptables -A INPUT -p icmp -m icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT
# For SSH traffic jump in the IN_SSH chain
iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j IN_SSH
# Allow web services
iptables -A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW -j LOG_ACCEPT
iptables -A INPUT -p tcp --dport 443 -m conntrack --ctstate NEW -j LOG_ACCEPT
# Allow zabbix agent
iptables -A INPUT -p tcp --dport 10050 -m conntrack --ctstate NEW -j LOG_ACCEPT
# Allow NTP Agent
iptables -A INPUT -p udp --dport 123 -m conntrack --ctstate NEW -j LOG_ACCEPT
# Allow Foreman Ports
#53/tcp
iptables -A INPUT -p tcp --dport 53 -m conntrack --ctstate NEW -j LOG_ACCEPT
#67-69/udp
iptables -A INPUT -p udp --match multiport --dports 67:69 -m conntrack --ctstate NEW -j LOG_ACCEPT
#3000/tcp
iptables -A INPUT -p tcp --dport 3000 -m conntrack --ctstate NEW -j LOG_ACCEPT
#3306/tcp
iptables -A INPUT -p tcp --dport 3306 -m conntrack --ctstate NEW -j LOG_ACCEPT
#5910-5930/tcp
iptables -A INPUT -p tcp --dport 5910:5930 -m conntrack --ctstate NEW -j LOG_ACCEPT
#5432/tcp
iptables -A INPUT -p tcp --dport 5432 -m conntrack --ctstate NEW -j LOG_ACCEPT
#8140/tcp
iptables -A INPUT -p tcp --dport 8140 -m conntrack --ctstate NEW -j LOG_ACCEPT
#8443/tcp
iptables -A INPUT -p tcp --dport 8443 -m conntrack --ctstate NEW -j LOG_ACCEPT
#5647/tcp
iptables -A INPUT -p tcp --dport 5647 -m conntrack --ctstate NEW -j LOG_ACCEPT
#9090/tcp
iptables -A INPUT -p tcp --dport 9090 -m conntrack --ctstate NEW -j LOG_ACCEPT
#5900:5920/tcp
iptables -A INPUT -p tcp --dport 5900:5920 -m conntrack --ctstate NEW -j LOG_ACCEPT
# Protect the SSH against brute force attacks
iptables -A IN_SSH -m recent --name sshbf --rttl --rcheck --hitcount 3 --seconds 10 -j DROP
iptables -A IN_SSH -m recent --name sshbf --rttl --rcheck --hitcount 4 --seconds 1800 -j DROP
iptables -A IN_SSH -m recent --name sshbf --set -j LOG_ACCEPT
# Chain for logging of accepted traffic
iptables -A LOG_ACCEPT -j LOG --log-prefix "INPUT:ACCEPT:" --log-level 6
iptables -A LOG_ACCEPT -j ACCEPT
# Chain for logging of rejected traffic
iptables -A LOG_REJECT -j LOG --log-prefix "INPUT:REJECT:" --log-level 6
# TCP traffic will be rejected with the RST packet
iptables -A LOG_REJECT -p tcp -j REJECT --reject-with tcp-reset
# UDP traffic will be rejected with ICMP message Port Unreachable
iptables -A LOG_REJECT -p udp -j REJECT --reject-with icmp-port-unreachable
# Protocols other than TCP/UDP will be rejected with ICMP message Protocol Unreachable
iptables -A LOG_REJECT -j REJECT --reject-with icmp-proto-unreachable
# Chain for logging of dropped traffic
iptables -A LOG_DROP -j LOG --log-prefix "INPUT:DROP:" --log-level 6
iptables -A LOG_DROP -j DROP
/sbin/service iptables save
EOF
chmod 755 firewall.sh
./firewall.sh
systemctl stop NetworkManager firewalld
systemctl disable NetworkManager firewalld
yum -y remove NetworkManager NetworkManager-libnm firewalld
systemctl start network
systemctl enable network
systemctl start iptables
systemctl enable iptables
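firewall.sh above opens a fixed list of ports, so the thing worth checking afterwards is whether the live ruleset still matches that list. The following POSIX sh audit is an added example (not part of the original notes): it parses iptables-save output, reports expected ports that have no accepting INPUT rule, reports open ports that are not on the list, and checks the INPUT policy. The ruleset it runs on is constructed for the example, not captured from the page's host.

```shell
#!/bin/sh
# Added example: audit an iptables-save dump against the port list that
# firewall.sh is meant to open. On a real host run: audit_ruleset "$(iptables-save)"

# proto:port entries that the page's firewall.sh lets NEW INPUT traffic reach.
EXPECTED="tcp:22 tcp:80 tcp:443 tcp:10050 udp:123 tcp:53 udp:67:69 tcp:3000 tcp:3306
tcp:5910:5930 tcp:5432 tcp:8140 tcp:8443 tcp:5647 tcp:9090 tcp:5900:5920"

# Constructed sample of iptables-save output (not from the page's host): the
# puppet port 8140 is deliberately missing and tcp/2049 is an unexpected extra.
SAMPLE_RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:IN_SSH - [0:0]
:LOG_ACCEPT - [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j IN_SSH
-A INPUT -p tcp -m tcp --dport 80 -m conntrack --ctstate NEW -j LOG_ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -m conntrack --ctstate NEW -j LOG_ACCEPT
-A INPUT -p tcp -m tcp --dport 10050 -m conntrack --ctstate NEW -j LOG_ACCEPT
-A INPUT -p udp -m udp --dport 123 -m conntrack --ctstate NEW -j LOG_ACCEPT
-A INPUT -p tcp -m tcp --dport 53 -m conntrack --ctstate NEW -j LOG_ACCEPT
-A INPUT -p udp -m multiport --dports 67:69 -m conntrack --ctstate NEW -j LOG_ACCEPT
-A INPUT -p tcp -m tcp --dport 3000 -m conntrack --ctstate NEW -j LOG_ACCEPT
-A INPUT -p tcp -m tcp --dport 3306 -m conntrack --ctstate NEW -j LOG_ACCEPT
-A INPUT -p tcp -m tcp --dport 5910:5930 -m conntrack --ctstate NEW -j LOG_ACCEPT
-A INPUT -p tcp -m tcp --dport 5432 -m conntrack --ctstate NEW -j LOG_ACCEPT
-A INPUT -p tcp -m tcp --dport 8443 -m conntrack --ctstate NEW -j LOG_ACCEPT
-A INPUT -p tcp -m tcp --dport 5647 -m conntrack --ctstate NEW -j LOG_ACCEPT
-A INPUT -p tcp -m tcp --dport 9090 -m conntrack --ctstate NEW -j LOG_ACCEPT
-A INPUT -p tcp -m tcp --dport 5900:5920 -m conntrack --ctstate NEW -j LOG_ACCEPT
-A INPUT -p tcp -m tcp --dport 2049 -m conntrack --ctstate NEW -j ACCEPT
-A IN_SSH -m recent --set --name sshbf --mask 255.255.255.255 --rsource -j LOG_ACCEPT
-A LOG_ACCEPT -j LOG --log-prefix "INPUT:ACCEPT:"
-A LOG_ACCEPT -j ACCEPT
COMMIT'

# 0 when the INPUT chain's default policy is DROP.
input_policy_is_drop() {
    printf '%s\n' "$1" | grep -q '^:INPUT DROP '
}

# Print proto:port for every INPUT rule that admits NEW traffic, i.e. jumps to
# ACCEPT or to one of firewall.sh's accepting chains (LOG_ACCEPT, IN_SSH).
open_ports() {
    printf '%s\n' "$1" | awk '
        /^-A INPUT / && /-j (ACCEPT|LOG_ACCEPT|IN_SSH)$/ {
            proto = ""; port = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "-p") proto = $(i + 1)
                if ($i == "--dport" || $i == "--dports") port = $(i + 1)
            }
            if (port != "") print proto ":" port
        }'
}

# Expected entries with no accepting rule (one per line, in EXPECTED order).
missing_ports() {
    have=$(open_ports "$1")
    for want in $EXPECTED; do
        printf '%s\n' "$have" | grep -qx -- "$want" || printf '%s\n' "$want"
    done
}

# Open entries that are not on the expected list; each one needs a reason.
unexpected_ports() {
    for have in $(open_ports "$1"); do
        # $EXPECTED is intentionally unquoted so each entry lands on its own line
        printf '%s\n' $EXPECTED | grep -qx -- "$have" || printf '%s\n' "$have"
    done
}

# Print findings; return 0 only when policy is DROP and nothing is missing or extra.
audit_ruleset() {
    input_policy_is_drop "$1" || { echo "INPUT policy is not DROP"; return 1; }
    m=$(missing_ports "$1")
    u=$(unexpected_ports "$1")
    [ -n "$m" ] && printf 'missing:    %s\n' $m
    [ -n "$u" ] && printf 'unexpected: %s\n' $u
    [ -z "$m$u" ]
}
```

Against the constructed sample the audit reports tcp:8140 missing and tcp:2049 unexpected; the same functions take the real ruleset via `audit_ruleset "$(iptables-save)"`.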
timedatectl set-timezone 'Europe/Prague'
cat <<"EOF">/etc/ntp.conf
driftfile /var/lib/ntp/drift
restrict 127.0.0.1
restrict ::1
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
server ntp.nic.cz iburst prefer
server tik.cesnet.cz iburst
server tak.cesnet.cz iburst
server 0.centos.pool.ntp.org iburst
server 1.centos.pool.ntp.org iburst
server 2.centos.pool.ntp.org iburst
server 3.centos.pool.ntp.org iburst
server 0.rhel.pool.ntp.org
server 1.rhel.pool.ntp.org
server 2.rhel.pool.ntp.org
includefile /etc/ntp/crypto/pw
keys /etc/ntp/keys
EOF
ntpd -qg
systemctl enable ntpd
systemctl start ntpd
cat <<"EOF"> /etc/motd
###############################################
## _ FUCK YOU _ ##
## |_| |_| ##
## | | /^^^\ | | ##
## _| |_ (| "o" |) _| |_ ##
## _| | | | _ (_---_) _ | | | |_ ##
## | | | | || | _| |_ | || | | | | ##
## | | / \ | | ##
## \ / / /(. .)\ \ \ / ##
## \ / / / | . | \ \ \ / ##
## \ \/ / ||Y|| \ \/ / ##
## \__/ || || \__/ ##
## () () ##
## || || ##
## ooO Ooo ##
###############################################
EOF
cat <<"EOF"> /etc/ssh/sshd_banner
###############################################
## Vitejete na vajicko.home.lichnak.cz! ##
###############################################
EOF
cat <<"EOF"> /etc/ssh/sshd_config
Port 22
Protocol 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
SyslogFacility AUTHPRIV
LogLevel DEBUG
LoginGraceTime 5m
PermitRootLogin no
#StrictModes yes
MaxAuthTries 3
MaxSessions 4
AllowUsers lichnak adis
#RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
#AuthorizedPrincipalsFile none
#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody
#RhostsRSAAuthentication no
#HostbasedAuthentication no
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
#IgnoreRhosts yes
PermitEmptyPasswords no
PasswordAuthentication no
ChallengeResponseAuthentication no
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
#KerberosUseKuserok yes
GSSAPIAuthentication no
GSSAPICleanupCredentials no
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no
#GSSAPIEnablek5users no
UsePAM no
#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
UsePrivilegeSeparation sandbox
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#ShowPatchLevel no
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none
Banner /etc/ssh/sshd_banner
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS
Subsystem sftp /usr/libexec/openssh/sftp-server
#ForceCommand cvs server
EOF
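sshd applies the first occurrence of each keyword, ignores case, and treats everything after the first Match block as conditional, so the file written above is best verified by asking what sshd will actually enforce rather than by grepping for a line. The following POSIX sh checker is an added example, not part of the original notes; the sshd_config excerpt it reads is constructed for the example and the list of expected values is the editor's choice (it includes X11Forwarding because the page's config leaves it enabled).

```shell
#!/bin/sh
# Added example: report which hardening settings an sshd_config will actually
# enforce. On a real host run: sshd_findings "$(cat /etc/ssh/sshd_config)"

# Values to verify, as Keyword=value pairs (editor's choice, not from the page).
SSHD_EXPECTED="PermitRootLogin=no PasswordAuthentication=no PermitEmptyPasswords=no
ChallengeResponseAuthentication=no X11Forwarding=no"

# Constructed sshd_config excerpt (not the page's file). The later lower-case
# "passwordauthentication yes" and the Match block must NOT override the first
# global setting, and PermitEmptyPasswords is deliberately left unset.
SAMPLE_SSHD_CONFIG='Port 22
Protocol 2
PermitRootLogin no
#PasswordAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication=no
X11Forwarding yes
UsePAM no
passwordauthentication yes
Match User backup
    PasswordAuthentication yes
    X11Forwarding no'

# Effective global value of a keyword, following sshd's rules: first occurrence
# wins, keywords are case-insensitive, "Keyword=value" is accepted, comments and
# blank lines are skipped, and reading stops at the first Match block because
# everything after it is conditional. Prints nothing when the keyword is unset.
effective_value() { # $1 = config text, $2 = keyword
    printf '%s\n' "$1" | awk -v key="$2" '
        { gsub(/[[:space:]]*=[[:space:]]*/, " ") }   # normalise Keyword=value
        /^[[:space:]]*#/ || NF == 0 { next }
        tolower($1) == "match" { exit }
        tolower($1) == tolower(key) { print $2; exit }'
}

# One line per expected setting whose effective value differs or is unset.
sshd_findings() { # $1 = config text
    for pair in $SSHD_EXPECTED; do
        key=${pair%%=*}
        want=${pair#*=}
        got=$(effective_value "$1" "$key")
        [ "$got" = "$want" ] || \
            printf '%s expected=%s actual=%s\n' "$key" "$want" "${got:-unset}"
    done
}
```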
cat <<"EOF">/etc/rsyncd.conf
max connections = 10
EOF
# Install Zabbix Agent (started and enabled below, after the config is written)
rpm -Uvh https://repo.zabbix.com/zabbix/6.0/rhel/7/x86_64/zabbix-release-6.0-2.el8.noarch.rpm
yum clean all
yum install -y zabbix-agent
cp /etc/zabbix/zabbix_agentd.conf /etc/zabbix/zabbix_agentd.conf.orig
cat <<"EOF"> /etc/zabbix/zabbix_agentd.conf
PidFile=/var/run/zabbix/zabbix_agentd.pid
LogFile=/var/log/zabbix/zabbix_agentd.log
LogFileSize=0
# SourceIP=0.0.0.0
Server=10.0.0.33
# ListenPort=10050
# ListenIP=0.0.0.0
ServerActive=10.0.0.33
Hostname=vajicko.home.lichnak.cz
# HostnameItem=system.hostname
Include=/etc/zabbix/zabbix_agentd.d/*.conf
# Include=/usr/local/etc/zabbix_agentd.userparams.conf
# Include=/usr/local/etc/zabbix_agentd.conf.d/
# Include=/usr/local/etc/zabbix_agentd.conf.d/*.conf
# LoadModulePath=${libdir}/modules
# LoadModule=
EOF
systemctl start zabbix-agent
systemctl enable zabbix-agent
systemctl status zabbix-agent
## Foreman installation
yum install -y yum-utils epel-release centos-release-scl centos-release-scl-rh
yum install -y libguestfs-tools libguestfs-xfs virt-top qemu-kvm qemu-img virt-manager libvirt libvirt-python libvirt-client virt-install virt-viewer
yum install -y ansible
yum install -y vsftpd xinetd
yum -y localinstall https://fedorapeople.org/groups/katello/releases/yum/3.11/katello/el7/x86_64/katello-repos-latest.rpm
yum -y localinstall https://yum.theforeman.org/releases/1.21/el7/x86_64/foreman-release.rpm
#yum -y localinstall https://yum.puppetlabs.com/puppetlabs-release-pc1-el-7.noarch.rpm
yum -y localinstall https://yum.puppetlabs.com/puppet5/puppet5-release-el-7.noarch.rpm
yum -y localinstall https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
yum --enablerepo=foreman clean metadata
yum --enablerepo=katello clean metadata
yum -y install foreman-release-scl python2-django
yum -y update
yum install -y puppetserver
yum install -y katello
yum install -y foreman-libvirt
yum install -y foreman-openstack
yum install -y foreman-ovirt
yum install -y foreman-ec2
yum install -y foreman-rackspace
yum install -y foreman-vmware
yum install -y foreman-ansible
yum install -y foreman-openscap
yum -y install rubygem-smart_proxy_discovery
yum -y install tfm-rubygem-hammer_cli_foreman_discovery
# foreman-installer \
# --enable-foreman-proxy \
# --foreman-proxy-tftp=true \
# --foreman-proxy-tftp-servername=10.0.0.2 \
# --foreman-proxy-dhcp=true \
# --foreman-proxy-dhcp-interface=ens3 \
# --foreman-proxy-dhcp-gateway= \
# --foreman-proxy-dhcp-range="10.0.0.100 10.0.0.210" \
# --foreman-proxy-dhcp-nameservers="10.0.0.2" \
# --foreman-proxy-dns=true \
# --foreman-proxy-dns-interface=ens3 \
# --foreman-proxy-dns-zone=ollebo.com \
# --foreman-proxy-dns-reverse=0.0.10.in-addr.arpa \
# --foreman-proxy-dns-forwarders=10.0.0.1 \
# --foreman-proxy-foreman-base-url=https://forman.ollebo.com \
# --foreman-proxy-oauth-consumer-key=BPWNafbAMTEADEEf \
# --foreman-proxy-oauth-consumer-secret=3UwzrvN \
# --foreman-initial-organization "initial_organization_name" \
# --foreman-initial-location "initial_location_name" \
# --foreman-admin-username admin-username \
# --foreman-admin-password admin-password \
# --foreman-proxy-dns-managed=false \
# --foreman-proxy-dhcp-managed=false
# https://makeyourkloug.wordpress.com/2018/02/05/how-to-foreman/
# foreman-installer --enable-foreman-plugin-discovery
# In the Foreman WebUI, go to Provisioning Templates, edit the "PXELinux global default" template, unlock it, and change the default entry from the localboot entry to Discovery:
#   ONTIMEOUT discovery
foreman-installer \
--scenario "katello" \
--foreman-initial-location "Praha" \
--foreman-initial-organization "Lichnak" \
--foreman-proxy-dhcp "false" \
--foreman-proxy-dns "false" \
--foreman-proxy-tftp "true" \
--foreman-proxy-tftp-servername=10.0.0.19 \
--foreman-proxy-puppet "true" \
--foreman-proxy-puppetca "true" \
--foreman-puppetrun "true" \
--foreman-proxy-puppetrun-provider "ssh" \
--puppet-runinterval "3600" \
--enable-foreman-cli-discovery \
--enable-foreman-cli-openscap \
--enable-foreman-cli-remote-execution \
--enable-foreman-cli-tasks \
--enable-foreman-cli-templates \
--enable-foreman-compute-ec2 \
--enable-foreman-compute-libvirt \
--enable-foreman-compute-openstack \
--enable-foreman-compute-rackspace \
--enable-foreman-compute-vmware \
--enable-foreman-plugin-ansible \
--enable-foreman-plugin-bootdisk \
--enable-foreman-plugin-default-hostgroup \
--enable-foreman-plugin-discovery \
--enable-foreman-plugin-hooks \
--enable-foreman-plugin-openscap \
--enable-foreman-plugin-remote-execution \
--enable-foreman-plugin-tasks \
--enable-foreman-plugin-templates \
--enable-foreman-proxy-plugin-ansible \
--enable-foreman-proxy-plugin-discovery \
--enable-foreman-proxy-plugin-openscap \
--enable-foreman-proxy-plugin-remote-execution-ssh
#Misc
mkdir -m 1777 /opt/tmp
# Replace only JAVA_ARGS: /etc/sysconfig/puppetserver also carries INSTALL_DIR, CONFIG and the
# other variables the service script needs, so overwriting the whole file would break puppetserver.
# Java 8 ignores -XX:MaxPermSize; it is kept here only as the original value. Note that
# foreman-installer manages this file and rewrites it on its next run; the same heap sizes can be
# made persistent with --puppet-server-jvm-min-heap-size / --puppet-server-jvm-max-heap-size.
sed -i 's|^JAVA_ARGS=.*|JAVA_ARGS="-Xms2G -Xmx2G -XX:MaxPermSize=256m -Djava.io.tmpdir=/opt/tmp"|' /etc/sysconfig/puppetserver
yum search foreman-|grep "^foreman-.*support"
#update
yum -y update
yum clean all && yum update -y foreman-release-scl
katello-service stop
yum -y update
foreman-installer --scenario katello --upgrade
########################################################
## Katello: Create Products, Repositories, Content Views, Lifecycle Environments, Activation Keys
cat ~/.hammer/cli.modules.d/foreman.yml
#Product
hammer defaults add --param-name organization --param-value "Lichnak"
hammer defaults add --param-name location --param-value "Praha"
hammer product create --name "el7_repos" --description "Various repositories to use with CentOS 7"
hammer product list
#GPG keys
mkdir /etc/pki/rpm-gpg/import/
cd /etc/pki/rpm-gpg/import/
wget http://mirror.centos.org/centos/7/os/x86_64/RPM-GPG-KEY-CentOS-7
hammer gpg create --key "RPM-GPG-KEY-CentOS-7" --name "RPM-GPG-KEY-CentOS-7"
wget https://archive.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-7Server
hammer gpg create --key "RPM-GPG-KEY-EPEL-7Server" --name "RPM-GPG-KEY-EPEL-7Server"
wget https://repo.mysql.com/RPM-GPG-KEY-mysql
hammer gpg create --key "RPM-GPG-KEY-mysql" --name "RPM-GPG-KEY-mysql"
wget https://yum.puppetlabs.com/RPM-GPG-KEY-puppet
hammer gpg create --key "RPM-GPG-KEY-puppet" --name "RPM-GPG-KEY-puppet"
wget http://repo.zabbix.com/RPM-GPG-KEY-ZABBIX
hammer gpg create --key "RPM-GPG-KEY-ZABBIX" --name "RPM-GPG-KEY-ZABBIX"
wget https://rpms.remirepo.net/RPM-GPG-KEY-remi
hammer gpg create --key "RPM-GPG-KEY-remi" --name "RPM-GPG-KEY-remi"
wget https://raw.githubusercontent.com/Graylog2/fpm-recipes/master/recipes/graylog-repository/files/rpm/RPM-GPG-KEY-graylog
hammer gpg create --key "RPM-GPG-KEY-graylog" --name "RPM-GPG-KEY-graylog"
wget https://www.mongodb.org/static/pgp/server-3.6.asc
hammer gpg create --key "server-3.6.asc" --name "RPM-GPG-KEY-mongodb"
wget https://artifacts.elastic.co/GPG-KEY-elasticsearch
hammer gpg create --key "GPG-KEY-elasticsearch" --name "GPG-KEY-elasticsearch"
#Bacula signing GPG key:
wget https://copr-be.cloud.fedoraproject.org/results/slaanesh/Bacula/pubkey.gpg -O slaanesh-bacula.gpg
hammer gpg create --key "slaanesh-bacula.gpg" --name "RPM-GPG-KEY-slaanesh-bacula"
wget https://packages.cisofy.com/keys/cisofy-software-rpms-public.key
hammer gpg create --key "cisofy-software-rpms-public.key" --name "RPM-GPG-KEY-cisofy"
########################################################
## Repositories
#CentOS 7 base repository:
hammer repository create --product "el7_repos" --name "base_x86_64" --label "base_x86_64" --content-type "yum" --download-policy "on_demand" --gpg-key "RPM-GPG-KEY-CentOS-7" --url "http://mirror.centos.org/centos/7/os/x86_64/" --mirror-on-sync "no"
#CentOS 7 extras repository:
hammer repository create --product "el7_repos" --name "extras_x86_64" --label "extras_x86_64" --content-type "yum" --download-policy "on_demand" --gpg-key "RPM-GPG-KEY-CentOS-7" --url "http://mirror.centos.org/centos/7/extras/x86_64/" --mirror-on-sync "no"
#CentOS 7 updates repository:
hammer repository create --product "el7_repos" --name "updates_x86_64" --label "updates_x86_64" --content-type "yum" --download-policy "on_demand" --gpg-key "RPM-GPG-KEY-CentOS-7" --url "http://mirror.centos.org/centos/7/updates/x86_64/" --mirror-on-sync "no"
#EPEL 7 repository:
hammer repository create --product "el7_repos" --name "epel_x86_64" --label "epel_x86_64" --content-type "yum" --download-policy "on_demand" --gpg-key "RPM-GPG-KEY-EPEL-7Server" --url "https://dl.fedoraproject.org/pub/epel/7Server/x86_64/"
#MySQL 5.7 repository:
hammer repository create --product "el7_repos" --name "mysql_57_x86_64" --label "mysql_57_x86_64" --content-type "yum" --download-policy "on_demand" --gpg-key "RPM-GPG-KEY-mysql" --url "https://repo.mysql.com/yum/mysql-5.7-community/el/7/x86_64/"
#Lynis repository for security auditing (this one is optional):
hammer repository create --product "el7_repos" --name "lynis" --label "lynis" --content-type "yum" --download-policy "on_demand" --gpg-key "RPM-GPG-KEY-cisofy" --url "https://packages.cisofy.com/community/lynis/rpm/"
#Katello repository to download the latest client from. Currently not GPG signed.
hammer repository create --product "el7_repos" --name "katello_agent_x86_64" --label "katello_agent_x86_64" --content-type "yum" --download-policy "on_demand" --url "https://fedorapeople.org/groups/katello/releases/yum/3.11/katello/el7/x86_64/"
#Puppet5 repository:
hammer repository create --product "el7_repos" --name "puppet5_x86_64" --label "puppet5_x86_64" --content-type "yum" --download-policy "on_demand" --gpg-key "RPM-GPG-KEY-puppet" --url "https://yum.puppetlabs.com/puppet5/el/7/x86_64/"
#Zabbix 3.4 repository:
hammer repository create --product "el7_repos" --name "zabbix_34_x86_64" --label "zabbix_34_x86_64" --content-type "yum" --download-policy "on_demand" --gpg-key "RPM-GPG-KEY-ZABBIX" --url "http://repo.zabbix.com/zabbix/3.4/rhel/7/x86_64/"
#Remi PHP 7.2 repository:
hammer repository create --product "el7_repos" --name "remi_php_72_x86_64" --label "remi_php_72_x86_64" --content-type "yum" --download-policy "on_demand" --gpg-key "RPM-GPG-KEY-remi" --url "https://mirrors.ukfast.co.uk/sites/remi/enterprise/7/php72/x86_64/"
#Remi safe repository:
hammer repository create --product "el7_repos" --name "remi_safe_x86_64" --label "remi_safe_x86_64" --content-type "yum" --download-policy "on_demand" --gpg-key "RPM-GPG-KEY-remi" --url "https://mirrors.ukfast.co.uk/sites/remi/enterprise/7/safe/x86_64/"
#Graylog 2.4 repository:
hammer repository create --product "el7_repos" --name "graylog_24_x86_64" --label "graylog_24_x86_64" --content-type "yum" --download-policy "on_demand" --gpg-key "RPM-GPG-KEY-graylog" --url "https://packages.graylog2.org/repo/el/stable/2.4/x86_64/"
#Elasticsearch 5.x repository. At the time I write this, Graylog 2.4 does not work with Elasticsearch 6.x.
hammer repository create --product "el7_repos" --name "elasticsearch_5_x86_64" --label "elasticsearch_5_x86_64" --content-type "yum" --download-policy "on_demand" --gpg-key "GPG-KEY-elasticsearch" --url "https://artifacts.elastic.co/packages/5.x/yum"
#MongoDB 3.6 repository:
hammer repository create --product "el7_repos" --name "mongodb_36_x86_64" --label "mongodb_36_x86_64" --content-type "yum" --download-policy "on_demand" --gpg-key "RPM-GPG-KEY-mongodb" --url "https://repo.mongodb.org/yum/redhat/7Server/mongodb-org/3.6/x86_64/"
#Bacula repository:
hammer repository create --product "el7_repos" --name "slaanesh_bacula_x86_64" --label "slaanesh_bacula_x86_64" --content-type "yum" --download-policy "on_demand" --gpg-key "RPM-GPG-KEY-slaanesh-bacula" --url "https://copr-be.cloud.fedoraproject.org/results/slaanesh/Bacula/epel-7-x86_64/"
hammer repository list
for i in $(seq 1 15); do hammer repository synchronize --product "el7_repos" --id "$i"; done
#Content Views
hammer content-view create --name "el7_content" --description "Content view for CentOS 7"
hammer product list
for i in $(seq 1 15); do hammer content-view add-repository --name "el7_content" --product "el7_repos" --repository-id "$i"; done
#Lifecycle Environments
hammer lifecycle-environment create --name "stable" --label "stable" --prior "Library"
hammer lifecycle-environment list
hammer content-view publish --name "el7_content" --description "Publishing repositories"
hammer content-view version promote --content-view "el7_content" --version "1.0" --to-lifecycle-environment "stable"
hammer content-view version list
#Activation Keys
hammer activation-key create --name "el7-key" --description "Key to use with CentOS7" --lifecycle-environment "stable" --content-view "el7_content" --unlimited-hosts
hammer activation-key list
hammer subscription list
hammer activation-key add-subscription --name "el7-key" --quantity "1" --subscription-id "1"
foreman-maintain backup online -y /mnt/backup/
foreman-maintain service stop
du -sh /var/lib/mongodb /var/lib/pgsql/data /var/lib/pulp
du -csh /var/lib/qpidd /var/lib/tftpboot /etc /root/ssl-build \
/var/www/html/pub /opt/puppetlabs
foreman-maintain backup offline -y /mnt/backup/
foreman-maintain service start
foreman-maintain backup snapshot -y /mnt/backup/
########################################################
## Import CentOS Errata into Pulp
yum install -y git pulp-admin-client pulp-rpm-admin-extensions pulp-rpm-consumer-extensions pulp-rpm-yumplugins pulp-consumer-client perl-Text-Unidecode perl-XML-Simple perl-XML-Parser
cd /opt && git clone https://github.com/rdrgmnzs/pulp_centos_errata_import.git
cd ./pulp_centos_errata_import
wget -N https://cefs.steve-meier.de/errata.latest.xml.bz2
bunzip2 ./errata.latest.xml.bz2
mkdir -m0700 ~/.pulp
cat /etc/pki/katello/certs/pulp-client.crt /etc/pki/katello/private/pulp-client.key > ~/.pulp/user-cert.pem
chmod 0400 ~/.pulp/user-cert.pem
perl ./errata_import.pl --errata=errata.latest.xml
pulp-admin repo list | grep Id
perl ./errata_import.pl --errata=errata.latest.xml \
--include-repo=16e665bf-50a3-42f7-b448-649da8ad46d0 \
--include-repo=099298f1-fe65-44c8-b03b-d2f01d3d4dfe \
--include-repo=14bdc197-7b68-4d40-a414-e9966df384dd \
--include-repo=441051a7-71a0-44c4-b463-a9dfcac8b579 \
--include-repo=2e1583a2-6e4f-4ebc-9335-920b54000cb6 \
--include-repo=31cc9520-819f-46c8-b281-692bfd8adf15 \
--include-repo=4b6bbe1f-7b7b-4bfc-8cc6-fe87511cacde \
--include-repo=93f7c63b-dd20-4c89-a97e-c38b35a1b7fa \
--include-repo=60b2b183-3722-41fa-b22f-4bcefb8c1ddb \
--include-repo=fb00c502-f975-498d-bee1-474d8fb4e5d9 \
--include-repo=ebb06e22-a6c9-46fc-9b97-0db479cc9679 \
--include-repo=0769b37b-e550-41aa-9872-6de1d379c83e \
--include-repo=83efbc04-79f9-4276-b4a1-9bd9a4ecfe1c \
--include-repo=ee484d1b-731e-4d63-b251-028f8c748ff2 \
--include-repo=9a5f2c14-dc58-4183-bb73-c69452bb5629 \
--include-repo=2-el7_content-v1_0-14bdc197-7b68-4d40-a414-e9966df384dd \
--include-repo=2-el7_content-v1_0-31cc9520-819f-46c8-b281-692bfd8adf15 \
--include-repo=2-el7_content-v1_0-2e1583a2-6e4f-4ebc-9335-920b54000cb6 \
--include-repo=2-el7_content-v1_0-099298f1-fe65-44c8-b03b-d2f01d3d4dfe \
--include-repo=2-el7_content-v1_0-441051a7-71a0-44c4-b463-a9dfcac8b579 \
--include-repo=2-el7_content-v1_0-4b6bbe1f-7b7b-4bfc-8cc6-fe87511cacde \
--include-repo=2-el7_content-v1_0-93f7c63b-dd20-4c89-a97e-c38b35a1b7fa \
--include-repo=2-el7_content-v1_0-fb00c502-f975-498d-bee1-474d8fb4e5d9 \
--include-repo=2-el7_content-v1_0-60b2b183-3722-41fa-b22f-4bcefb8c1ddb \
--include-repo=2-el7_content-v1_0-ebb06e22-a6c9-46fc-9b97-0db479cc9679 \
--include-repo=2-el7_content-v1_0-0769b37b-e550-41aa-9872-6de1d379c83e \
--include-repo=2-el7_content-v1_0-83efbc04-79f9-4276-b4a1-9bd9a4ecfe1c \
--include-repo=2-el7_content-v1_0-ee484d1b-731e-4d63-b251-028f8c748ff2 \
--include-repo=2-el7_content-v1_0-9a5f2c14-dc58-4183-bb73-c69452bb5629 \
--include-repo=2-el7_content-v1_0-16e665bf-50a3-42f7-b448-649da8ad46d0 \
--include-repo=2-el7_content-Library-31cc9520-819f-46c8-b281-692bfd8adf15 \
--include-repo=2-el7_content-Library-fb00c502-f975-498d-bee1-474d8fb4e5d9 \
--include-repo=2-el7_content-Library-2e1583a2-6e4f-4ebc-9335-920b54000cb6 \
--include-repo=2-el7_content-Library-60b2b183-3722-41fa-b22f-4bcefb8c1ddb \
--include-repo=2-el7_content-Library-14bdc197-7b68-4d40-a414-e9966df384dd \
--include-repo=2-el7_content-Library-ebb06e22-a6c9-46fc-9b97-0db479cc9679 \
--include-repo=2-el7_content-Library-099298f1-fe65-44c8-b03b-d2f01d3d4dfe \
--include-repo=2-el7_content-Library-4b6bbe1f-7b7b-4bfc-8cc6-fe87511cacde \
--include-repo=2-el7_content-Library-9a5f2c14-dc58-4183-bb73-c69452bb5629 \
--include-repo=2-el7_content-Library-93f7c63b-dd20-4c89-a97e-c38b35a1b7fa \
--include-repo=2-el7_content-Library-ee484d1b-731e-4d63-b251-028f8c748ff2 \
--include-repo=2-el7_content-Library-83efbc04-79f9-4276-b4a1-9bd9a4ecfe1c \
--include-repo=2-el7_content-Library-0769b37b-e550-41aa-9872-6de1d379c83e \
--include-repo=2-el7_content-Library-16e665bf-50a3-42f7-b448-649da8ad46d0 \
--include-repo=2-el7_content-Library-441051a7-71a0-44c4-b463-a9dfcac8b579 \
--include-repo=2-el7_content-v1_0-puppet-7c355640-7dfe-44a2-be7b-78f4fb2d7 \
--include-repo=2-el7_content-stable-ee484d1b-731e-4d63-b251-028f8c748ff2 \
--include-repo=2-el7_content-stable-83efbc04-79f9-4276-b4a1-9bd9a4ecfe1c \
--include-repo=2-el7_content-stable-9a5f2c14-dc58-4183-bb73-c69452bb5629 \
--include-repo=2-el7_content-stable-0769b37b-e550-41aa-9872-6de1d379c83e \
--include-repo=2-el7_content-stable-ebb06e22-a6c9-46fc-9b97-0db479cc9679 \
--include-repo=2-el7_content-stable-16e665bf-50a3-42f7-b448-649da8ad46d0 \
--include-repo=2-el7_content-stable-fb00c502-f975-498d-bee1-474d8fb4e5d9 \
--include-repo=2-el7_content-stable-60b2b183-3722-41fa-b22f-4bcefb8c1ddb \
--include-repo=2-el7_content-stable-93f7c63b-dd20-4c89-a97e-c38b35a1b7fa \
--include-repo=2-el7_content-stable-4b6bbe1f-7b7b-4bfc-8cc6-fe87511cacde \
--include-repo=2-el7_content-stable-31cc9520-819f-46c8-b281-692bfd8adf15 \
--include-repo=2-el7_content-stable-2e1583a2-6e4f-4ebc-9335-920b54000cb6 \
--include-repo=2-el7_content-stable-441051a7-71a0-44c4-b463-a9dfcac8b579 \
--include-repo=2-el7_content-stable-14bdc197-7b68-4d40-a414-e9966df384dd \
--include-repo=2-el7_content-stable-099298f1-fe65-44c8-b03b-d2f01d3d4dfe
hammer settings set --name "skip-metadata-check" --value "true"
hammer repository synchronize --name "base_x86_64" --product "el7_repos"
hammer repository info --name "base_x86_64" --product "el7_repos"
hammer erratum info --id 4191
########################################################
## Katello configuration
hammer domain create --name "home.lichnak.cz"
hammer domain list
hammer proxy list
hammer subnet create --organizations "Lichnak" --locations "Praha" --name "Praha_LAN" --network "10.0.0.0" --mask "255.128.0.0" --network-type "IPv4" --gateway "10.0.0.1" --dns-primary "10.0.0.15" --dns-secondary "10.0.0.36" --boot-mode "DHCP" --ipam "None" --domain-ids "1" --tftp-id "1"
hammer subnet list
yum install -y vsftpd
systemctl enable vsftpd
### Configuration
yum install -y bind-utils net-tools xinetd syslinux tftp-server
cat <<"EOF"> /etc/xinetd.d/tftp
# default: off
# description: The tftp server serves files using the trivial file transfer \
# protocol. The tftp protocol is often used to boot diskless \
# workstations, download configuration files to network-aware printers, \
# and to start the installation process for some operating systems.
service tftp
{
socket_type = dgram
protocol = udp
wait = yes
user = root
server = /usr/sbin/in.tftpd
server_args = -s /var/lib/tftpboot
disable = no
per_source = 11
cps = 100 2
flags = IPv4
}
EOF
#optional
cp /usr/share/syslinux/* /var/lib/tftpboot/
cd
# mount the DVD ISO by its exact name; a CentOS-7* glob would match both the DVD and the Minimal ISO
mount -o loop CentOS-7-x86_64-DVD-1810.iso /mnt/
mkdir /var/ftp/pub/centos7_x64
cp -fr /mnt/* /var/ftp/pub/centos7_x64
chmod -R 755 /var/ftp/pub/centos7_x64
mkdir /var/lib/tftpboot/pxelinux.cfg
cat <<"EOF"> /var/lib/tftpboot/pxelinux.cfg/default
default menu.c32
prompt 0
timeout 300
ONTIMEOUT local
menu title ## Lichnak's PXE Boot Menu By Lichnak ##
label 1
menu label ^1) Install & Setup - CentOS 7
menu default
kernel centos7/vmlinuz
append initrd=centos7/initrd.img method=ftp://10.0.0.19/pub/centos7_x64/ devfs=nomount
label 2
menu label ^2) Install CentOS 7 x64 with http://mirror.centos.org Repo
kernel centos7/vmlinuz
append initrd=centos7/initrd.img method=http://mirror.centos.org/centos/7/os/x86_64/ devfs=nomount ip=dhcp
label 3
menu label ^3) Install CentOS 7 x64 with Local Repo using VNC
kernel centos7/vmlinuz
append initrd=centos7/initrd.img method=ftp://10.0.0.19/pub/centos7_x64/ devfs=nomount inst.vnc inst.vncpassword=password
label 4
menu label ^4) Boot from local drive
localboot 0
EOF
cat <<"EOF"> /var/lib/tftpboot/pxelinux.cfg/default
default menu.c32
prompt 0
timeout 300
ONTIMEOUT local
menu title ## Lichnak's PXE Boot Menu By Lichnak ##
label 1
menu label ^1) Install & Setup - CentOS 7
menu default
kernel centos7_x64/images/pxeboot/vmlinuz
append initrd=/pub/centos7_x64/images/pxeboot/initrd.img method=ftp://10.0.0.16/pub/centos7_x64/ devfs=nomount
EOF
mkdir /var/lib/tftpboot/centos7/
cp /var/ftp/pub/centos7_x64/images/pxeboot/vmlinuz /var/lib/tftpboot/centos7/
cp /var/ftp/pub/centos7_x64/images/pxeboot/initrd.img /var/lib/tftpboot/centos7/
#optional end
chkconfig xinetd on
chkconfig vsftpd on
service vsftpd restart
service xinetd restart
vi /etc/vsftpd/vsftpd.conf
..
anonymous_enable=YES
write_enable=NO
listen=YES
..
systemctl restart vsftpd
wget http://isoredirect.centos.org/centos/7/isos/x86_64/CentOS-7-x86_64-DVD-1810.iso
wget http://isoredirect.centos.org/centos/7/isos/x86_64/CentOS-7-x86_64-Minimal-1810.iso
cd /var/ftp/pub
mount -o loop CentOS-7-x86_64-DVD-1810.iso /mnt/
mkdir "$(pwd)"/CentOS_7_x86_64
cp -fr /mnt/* "$(pwd)"/CentOS_7_x86_64
chmod -R 755 "$(pwd)"/CentOS_7_x86_64
rsync -rv --progress /mnt/ "$(pwd)"/CentOS_7_x86_64/
umount /mnt
cd /var/ftp/pub
mount -o loop CentOS-7-x86_64-Minimal-1810.iso /mnt/
mkdir "$(pwd)"/CentOS_7_x86_64_Mini
cp -fr /mnt/* "$(pwd)"/CentOS_7_x86_64_Mini
chmod -R 755 "$(pwd)"/CentOS_7_x86_64_Mini
rsync -rv --progress /mnt/ "$(pwd)"/CentOS_7_x86_64_Mini/
umount /mnt
# restorecon -Rv /var/ftp/pub/
# One last thing: /var/ftp/pub can be mounted with "ro,nodev,noexec,nosuid", as we only need to read files from it.
hammer medium create --organizations "Lichnak" --locations "Praha" --name CentOS7_DVD_FTP --path "ftp://10.0.0.19/pub/CentOS_7_x86_64/" --operatingsystems "CentOS 7.6.1810" --os-family "Redhat"
hammer medium create --organizations "Lichnak" --locations "Praha" --name CentOS7_Minimal_FTP --path "ftp://10.0.0.19/pub/CentOS_7_x86_64_Mini/" --operatingsystems "CentOS 7.6.1810" --os-family "Redhat"
#hammer medium update --organizations "Lichnak" --locations "Praha" --name CentOS7_DVD_FTP --path "ftp://10.0.0.19/pub/CentOS_7_x86_64/" --operatingsystems "CentOS 7.6.1810" --os-family "Redhat"
#hammer medium update --organizations "Lichnak" --locations "Praha" --name CentOS7_Minimal_FTP --path "ftp://10.0.0.19/pub/CentOS_7_x86_64_Mini/" --operatingsystems "CentOS 7.6.1810" --os-family "Redhat"
hammer medium list
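Before pointing hosts at this menu, it is worth confirming that every label's kernel and initrd actually exist under the TFTP root and that each method=ftp:// path exists under the vsftpd tree. The two menus written above disagree on those paths, and the notes use two spellings of the FTP directory (centos7_x64 and CentOS_7_x86_64); a mismatch only shows up as a host hanging at the PXE prompt or anaconda failing to fetch the stage2 image. The check below is an added example, not code from these notes or from Foreman/Katello. It assumes menu lines of the form used above (kernel, append initrd=..., method=ftp://<host>/pub/<dir>/) and runs against a constructed scratch layout; on the real server pass /var/lib/tftpboot/pxelinux.cfg/default, /var/lib/tftpboot and /var/ftp.

```shell
#!/bin/sh
# Added example (not from the original notes): verify that a pxelinux menu
# references files that really exist under the TFTP root and the FTP tree.

# check_pxe_menu MENU TFTP_ROOT FTP_ROOT
# Prints one line per missing kernel, initrd or FTP install tree.
# Returns 0 when everything the menu references exists.
check_pxe_menu() {
    menu=$1; tftp=$2; ftp=$3; rc=0
    while read -r key rest; do
        case $key in
            kernel)
                # kernel paths are relative to the in.tftpd -s root
                [ -f "$tftp/$rest" ] || { echo "missing kernel: $rest"; rc=1; }
                ;;
            append)
                for tok in $rest; do
                    case $tok in
                        initrd=*)
                            f=${tok#initrd=}
                            [ -f "$tftp/$f" ] || { echo "missing initrd: $f"; rc=1; }
                            ;;
                        method=ftp://*)
                            # drop scheme and host, keep the path below the ftp root
                            p=${tok#method=ftp://}; p=/${p#*/}
                            [ -d "$ftp$p" ] || { echo "missing ftp tree: $p"; rc=1; }
                            ;;
                    esac
                done
                ;;
        esac
    done < "$menu"
    return $rc
}

# Build a constructed layout that mirrors the page's paths (only the first
# FTP tree and the centos7/ kernel directory exist) and check a menu with
# label 1 from the first menu, label 2 from the second menu and a constructed
# label 3 that uses the other spelling of the FTP directory.
# Prints the number of problems found: 3 for this sample.
demo_pxe_check() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/tftpboot/centos7" "$tmp/ftp/pub/centos7_x64"
    : > "$tmp/tftpboot/centos7/vmlinuz"
    : > "$tmp/tftpboot/centos7/initrd.img"
    cat > "$tmp/default" <<'EOF'
default menu.c32
prompt 0
label 1
  menu label ^1) Install & Setup - CentOS 7
  kernel centos7/vmlinuz
  append initrd=centos7/initrd.img method=ftp://10.0.0.19/pub/centos7_x64/ devfs=nomount
label 2
  kernel centos7_x64/images/pxeboot/vmlinuz
  append initrd=/pub/centos7_x64/images/pxeboot/initrd.img method=ftp://10.0.0.16/pub/centos7_x64/ devfs=nomount
label 3
  kernel centos7/vmlinuz
  append initrd=centos7/initrd.img method=ftp://10.0.0.19/pub/CentOS_7_x86_64/ devfs=nomount
EOF
    problems=$(check_pxe_menu "$tmp/default" "$tmp/tftpboot" "$tmp/ftp" | wc -l | tr -d ' ')
    rm -rf "$tmp"
    echo "$problems"
}
```

Label 2 is flagged twice (its kernel directory does not exist under the TFTP root and its initrd path is absolute, which in.tftpd -s cannot serve), label 3 once for the FTP tree; a menu that passes prints nothing and the function returns 0, so it can gate a restart of xinetd in a deployment script.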
hammer partition-table list|grep default
cat <<"EOF"> hardened_ptable.txt
<%#
kind: ptable
name: Kickstart hardened 32GB
oses:
- CentOS
- Fedora
- RedHat
%>
# System bootloader configuration
bootloader --location=mbr --boot-drive=vda --timeout=3
# Partition clearing information
clearpart --all --drives=vda
zerombr
# Disk partitioning information
part /boot --fstype="xfs" --ondisk=vda --size=1024 --label=boot --fsoptions="rw,nodev,noexec,nosuid"
# 30GB physical volume
part pv.01 --fstype="lvmpv" --ondisk=vda --size=30720
volgroup vg_os pv.01
logvol / --fstype="xfs" --size=4096 --vgname=vg_os --name=lv_root
logvol /home --fstype="xfs" --size=512 --vgname=vg_os --name=lv_home --fsoptions="rw,nodev,nosuid"
logvol /tmp --fstype="xfs" --size=1024 --vgname=vg_os --name=lv_tmp --fsoptions="rw,nodev,noexec,nosuid"
logvol /var --fstype="xfs" --size=6144 --vgname=vg_os --name=lv_var --fsoptions="rw,nosuid"
logvol /var/log --fstype="xfs" --size=512 --vgname=vg_os --name=lv_log --fsoptions="rw,nodev,noexec,nosuid"
logvol swap --fstype="swap" --size=2048 --vgname=vg_os --name=lv_swap --fsoptions="swap"
EOF
hammer partition-table create --organizations "Lichnak" --locations "Praha" --name "Kickstart hardened 32GB" --os-family "Redhat" --operatingsystems "CentOS 7.6.1810" --file "hardened_ptable.txt"
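A kickstart --fsoptions line only decides what lands in /etc/fstab at install time; whether a host is still mounted with nodev, noexec and nosuid is something to verify on the running system, since a later fstab edit or a manual remount silently drops them. The script below is an added example, not part of these notes and not a Foreman or Katello tool. It encodes the hardened partition table's options, plus the ro,nodev,noexec,nosuid suggestion for /var/ftp/pub from the FTP section, as a policy and reports every mount point that lacks a required option or is not a separate filesystem at all. The /proc/mounts snapshot it runs against is constructed; on a real host pass /proc/mounts.

```shell
#!/bin/sh
# Added example (not from the original notes): compare live mount options
# against the options requested by the hardened partition table.

# Policy derived from the ptable above: "mountpoint required,options".
# /var/ftp/pub comes from the note in the FTP section, not from the ptable.
MOUNT_POLICY='
/boot nodev,noexec,nosuid
/home nodev,nosuid
/tmp nodev,noexec,nosuid
/var nosuid
/var/log nodev,noexec,nosuid
/var/ftp/pub ro,nodev,noexec,nosuid
'

# has_opt OPTS OPT: true when OPT is one of the comma-separated OPTS.
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# missing_mount_options MOUNTS_FILE
# MOUNTS_FILE uses the /proc/mounts layout: "device mountpoint fstype options ...".
# Prints "mountpoint:option" for each required option that is absent and
# "mountpoint:not-mounted" when a policy mount point is not its own filesystem
# (a /var/log that is just a directory on / inherits none of the restrictions).
missing_mount_options() {
    mounts=$1
    echo "$MOUNT_POLICY" | while read -r mp required; do
        [ -n "$mp" ] || continue
        opts=$(awk -v mp="$mp" '$2 == mp { print $4 }' "$mounts" | tail -n 1)
        if [ -z "$opts" ]; then
            echo "$mp:not-mounted"
            continue
        fi
        oldifs=$IFS; IFS=,
        for o in $required; do
            has_opt "$opts" "$o" || echo "$mp:$o"
        done
        IFS=$oldifs
    done
}

# Constructed snapshot: /tmp was remounted without noexec, /var/log is not a
# separate filesystem, and /var/ftp/pub is mounted read-write.
# Prints the findings on one line: "/tmp:noexec /var/log:not-mounted /var/ftp/pub:ro".
demo_mount_check() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
/dev/mapper/vg_os-lv_root / xfs rw,relatime,attr2,inode64,noquota 0 0
/dev/vda1 /boot xfs rw,nodev,noexec,nosuid,relatime 0 0
/dev/mapper/vg_os-lv_home /home xfs rw,nodev,nosuid,relatime 0 0
/dev/mapper/vg_os-lv_tmp /tmp xfs rw,nodev,nosuid,relatime 0 0
/dev/mapper/vg_os-lv_var /var xfs rw,nosuid,relatime 0 0
/dev/vdb1 /var/ftp/pub xfs rw,nodev,noexec,nosuid,relatime 0 0
EOF
    findings=$(missing_mount_options "$tmp")
    rm -f "$tmp"
    echo "$findings" | tr '\n' ' ' | sed 's/ *$//'
}
```

The policy list is the one place to edit when the partition table changes; because the check reads /proc/mounts rather than /etc/fstab, it catches the case where a host boots correctly but someone later ran mount -o remount,exec /tmp.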
#53/udp
iptables -A INPUT -p udp --dport 53 -m conntrack --ctstate NEW -j LOG_ACCEPT
hammer partition-table list|egrep 'ID|hardened'
# hammer os create --name "CentOS" --major "7" --minor "6.1810" --family "Redhat" --password-hash "SHA512" --architectures "x86_64" --media "CentOS7_DVD_FTP" --partition-tables "Kickstart hardened 32GB"
hammer template list
# Puppet 5 (AIO) directory variables used in the kickstart template's puppet section:
os_family = @host.operatingsystem.family
if os_family == 'Redhat'
  var_dir = '/opt/puppetlabs/puppet/cache'
  log_dir = '/var/log/puppetlabs/puppet'
  run_dir = '/var/run/puppetlabs'
  ssl_dir = '/etc/puppetlabs/puppet/ssl'
end
hammer template dump --id "Katello Kickstart Default" > template1.txt
erb -x -T '-' template1.txt|ruby -c
hammer template create --organizations "Lichnak" --locations "Praha" --file "template1.txt" --name "Katello Kickstart Puppet5 Default" --type "provision" --operatingsystems "CentOS 7.6.1810"
hammer template kinds
# template fragment: register the host against Katello with the activation key from the host group, then drop the public CentOS repos
echo "Registering the System"
subscription-manager register --org="<%= @host.rhsm_organization_label %>" --name="<%= @host.name %>" --activationkey="<%= @host.params['kt_activation_keys'] %>"
echo "Removing public CentOS repositories"
rm -rvf /etc/yum.repos.d/CentOS-*
hammer environment list
hammer environment create --name "Lich_Prod" --organizations "Lichnak" --locations "Praha"
hammer environment create --name "Lich_Test" --organizations "Lichnak" --locations "Praha"
hammer environment create --name "Lich_Dev" --organizations "Lichnak" --locations "Praha"
hammer environment list
hammer proxy list
hammer hostgroup create --query-organization "Lichnak" --locations "Praha" --name "lich_el7_prod" --description "Lich Production Host group for CentOS 7 servers" --lifecycle-environment "stable" --content-view "el7_content" --content-source-id "1" --environment "Lich_Prod" --puppet-proxy "vajicko.home.lichnak.cz" --puppet-ca-proxy "vajicko.home.lichnak.cz" --domain "home.lichnak.cz" --subnet "Praha_LAN" --architecture "x86_64" --operatingsystem "CentOS 7.6.1810" --medium "CentOS7_DVD_FTP" --partition-table "Kickstart hardened 32GB" --pxe-loader "PXELinux BIOS" --root-pass "LetsDoSome360"
hammer hostgroup set-parameter --name "kt_activation_keys" --value "el7-key" --hostgroup "lich_el7_prod"
hammer host create --name "$GUEST_NAME" --hostgroup "lich_el7_prod" --interface "type=interface,mac=$MAC_ADDR,ip=$IP_ADDR,managed=true,primary=true,provision=true"
#on qemu-kvm start
virsh list --name | while read -r n
do
  [ -n "$n" ] && echo "$n" && virsh dumpxml "$n" | grep "mac address" | awk -F\' '{ print $2 }'
done
cat <<"EOF"> /etc/dhcp/dhcpd.conf
failover peer "failover-dhcp" {
primary; # This defines the master
address 10.0.0.16;
port 647;
peer address 10.0.0.18;
peer port 647;
max-response-delay 60;
max-unacked-updates 10;
mclt 3600;
split 128; # 128 is balanced; use 255 if primary is 100% responsible until failure
load balance max seconds 3;
}
authoritative;
allow booting;
allow bootp;
next-server 10.0.0.19; # Katello TFTP
filename "pxelinux.0";
default-lease-time 86400; # 1 day
max-lease-time 86400; # 1 day
ddns-update-style interim;
update-static-leases on;
one-lease-per-client on;
# We generated the rndc-key when setting up DNS servers
key "rndc-key" {
algorithm hmac-md5;
secret "00000000000000000000000000000000000000000000000000000000000000000000000000000000000000==";
};
# We created zones when setting up DNS servers
zone 0.0.10.in-addr.arpa {
primary 10.0.0.16;
key "rndc-key";
}
zone home.lichnak.cz {
primary 10.0.0.16;
key "rndc-key";
}
subnet 10.0.0.0 netmask 255.128.0.0 {
option subnet-mask 255.128.0.0;
option broadcast-address 10.127.255.255;
option routers 10.0.0.1;
option domain-name-servers zloutek.home.lichnak.cz, bilek.home.lichnak.cz;
option domain-search "home.lichnak.cz";
pool {
failover peer "failover-dhcp";
range 10.0.0.80 10.0.0.99;
}
}
# DHCP leases for PXE boot
host zumpa {
hardware ethernet 00:26:55:D9:C3:8D;
fixed-address 10.0.0.1;
option host-name "zumpa.home.lichnak.cz";
}
host pastnakuny {
hardware ethernet 52:54:00:03:2B:BD;
fixed-address 10.0.0.15;
option host-name "pastnakuny.home.lichnak.cz";
}
host zloutek {
hardware ethernet 52:54:00:C7:27:6B;
fixed-address 10.0.0.8;
option host-name "zloutek.home.lichnak.cz";
}
host kurinec {
hardware ethernet 00:15:5D:3D:C0:07;
fixed-address 10.0.0.37;
option host-name "kurinec.home.lichnak.cz";
}
host tester {
hardware ethernet 52:54:00:C7:27:6C;
fixed-address 10.0.0.60;
option host-name "tester.home.lichnak.cz";
}
EOF
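A stray brace or a reservation that falls inside the dynamic pool is exactly the kind of mistake dhcpd either rejects at restart or mishandles quietly (a fixed-address inside a pool range can collide with a dynamic lease). As an added pre-flight example, not part of these notes and not an ISC tool, the check below counts braces with comments stripped, compares every fixed-address against each range statement, and flags an rndc key still declared with hmac-md5, since both dhcpd and BIND accept hmac-sha256 for the same TSIG exchange. It assumes the two-address form of range used above and IPv4 literals in fixed-address. The configuration it runs against is a constructed, cut-down copy of the one above with one extra constructed host (lab, 10.0.0.85) and a deliberate extra closing brace; run dhcpd -t -cf /etc/dhcp/dhcpd.conf afterwards for the authoritative parse.

```shell
#!/bin/sh
# Added example (not from the original notes): pre-flight sanity check for an
# ISC dhcpd.conf with DDNS and static reservations.

# check_dhcpd_conf FILE: prints one finding per line, returns 1 if any, else 0.
check_dhcpd_conf() {
    out=$(awk '
        function ip2n(ip,   o) {
            split(ip, o, ".")
            return ((o[1] * 256 + o[2]) * 256 + o[3]) * 256 + o[4]
        }
        {
            sub(/#.*/, "")             # drop comments before counting anything
            gsub(/;/, " ")             # detach statement terminators from values
            opens  += gsub(/\{/, "{")
            closes += gsub(/\}/, "}")
        }
        $1 == "range" && NF >= 3 { lo[++nr] = ip2n($2); hi[nr] = ip2n($3) }
        $1 == "fixed-address"    { fixed[++nfix] = $2 }
        $1 == "algorithm" && $2 == "hmac-md5" {
            print "DDNS key uses hmac-md5; dhcpd and BIND both support hmac-sha256"
        }
        END {
            if (opens != closes)
                printf "unbalanced braces: %d opening, %d closing\n", opens, closes
            for (i = 1; i <= nfix; i++)
                for (j = 1; j <= nr; j++)
                    if (ip2n(fixed[i]) >= lo[j] && ip2n(fixed[i]) <= hi[j])
                        printf "reservation %s lies inside dynamic range %d\n", fixed[i], j
        }' "$1")
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

# Constructed cut-down copy of the page's dhcpd.conf: hmac-md5 key, the
# 10.0.0.80-99 pool, the tester reservation (outside the pool), a constructed
# lab reservation inside the pool, and one stray closing brace.
# Prints the number of findings: 3 for this sample.
demo_dhcpd_check() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
authoritative;
key "rndc-key" {
  algorithm hmac-md5;
  secret "AAAA==";   # constructed placeholder
};
subnet 10.0.0.0 netmask 255.128.0.0 {
  option routers 10.0.0.1;
  pool {
    failover peer "failover-dhcp";
    range 10.0.0.80 10.0.0.99;
  }
}
host tester {
  hardware ethernet 52:54:00:C7:27:6C;
  fixed-address 10.0.0.60;
}
host lab {
  hardware ethernet 52:54:00:00:00:01;   # constructed
  fixed-address 10.0.0.85;
}
}
EOF
    n=$(check_dhcpd_conf "$tmp" | wc -l | tr -d ' ')
    rm -f "$tmp"
    echo "$n"
}
```

On a clean file the function prints nothing and returns 0, so it can sit in front of the systemctl restart in a deployment script; the brace count is per file, so include any files pulled in with include statements separately.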
#--extra-args "ip=192.168.1.2::192.168.1.1:255.255.255.0:test.example.com:eth0:none"
SERVERNAME="tester.home.lichnak.cz"
IP="10.0.0.60"
MAC="52:54:00:07:41:94"
DISKSIZE_GB="32"
RAM_MB="2048"
VCPU="1"
qemu-img create -f qcow2 /vms/images/"$SERVERNAME".qcow2 "$DISKSIZE_GB"G
virt-install --virt-type=kvm --name "$SERVERNAME" --ram "$RAM_MB" --vcpus="$VCPU" --os-variant=centos7.0 --cdrom=/vms/isos/CentOS-7-x86_64-Minimal-1708.iso --network=bridge=virbr0,model=virtio,mac="$MAC" --graphics vnc,listen=0.0.0.0 --noautoconsole --disk path=/vms/images/"$SERVERNAME".qcow2,size="$DISKSIZE_GB",bus=virtio,format=qcow2
virsh start "$SERVERNAME"
virsh autostart "$SERVERNAME"
#on qemu-kvm end
# mkdir /etc/puppet
# ln -sf /etc/puppetlabs/puppet/autosign.conf /etc/puppet/autosign.conf
# restorecon -Rv /etc/puppet/
########################################################
## Foreman Qemu KVM Images (image based provisioning)
# http://thomasmullaly.com/2014/08/15/connect-foreman-to-kvm-host-machine/
# https://lifeandshell.com/foreman-provision-to-bare-and-libvirtd-centos7-foreman-libvirtd-kvm/
# https://gist.github.com/johnpmitsch/4e3e01df231d55fda8712d50ff834841
# https://access.redhat.com/documentation/en-us/red_hat_satellite/6.2/html/provisioning_guide/provisioning_virtual_machines_in_kvm
sudo mkdir /atomic_images
sudo cp ~/rhel-atomic-cloud-7.2-10.x86_64.qcow2 /atomic_images/rhel-atomic.qcow2
virsh pool-define-as guest-images dir - - - - /atomic_images/
virsh pool-build guest-images
virsh pool-start guest-images
virsh pool-refresh guest-images
Let Foreman know about the image:
- Switch back to Any Location.
- Navigate to Infrastructure > Compute Resources.
- Click on the lab-host compute resource.
- Click the Images tab.
- Click 'New Image'.
- Enter:
  Name: Atomic
  Operating System: Red Hat Enterprise Linux Atomic Host 7.2
  Architecture: x86_64
  Username: root
  Password: <Leave Blank>
  User Data: <Checked>
  Image path: /atomic_images/rhel-atomic.qcow2
- Ensure that the User Data box is checked.
- Click Submit.
#on qemu-kvm (kure) start
groupadd libvirt
vi /etc/libvirt/libvirtd.conf
..
unix_sock_group = "libvirt"
unix_sock_rw_perms = "0770"
..
service libvirtd restart
usermod -G libvirt -a username1   # repeat for each account that should manage VMs
#on qemu-kvm (kure) end
#connect to KVM hypervisor
mkdir /usr/share/foreman/.ssh
chmod 700 /usr/share/foreman/.ssh
chown foreman:foreman /usr/share/foreman/.ssh
su foreman -s /bin/bash
ssh-keygen
ssh-copy-id root@10.0.0.11
ssh root@10.0.0.11
exit
yum -y install libguestfs-tools libguestfs-xfs virt-top qemu-kvm qemu-img virt-manager libvirt libvirt-python libvirt-client virt-install virt-viewer
virsh -c qemu+ssh://root@10.0.0.11/system list
hammer compute-resource create --name "ACME's KVM Server" \
--provider "Libvirt" --description "KVM server at kvm.example.com" \
--url "qemu+ssh://root@kvm.example.com/system" --locations "New York" \
--organizations "ACME"
hammer compute-resource image create --name "Test KVM Image" \
--operatingsystem "RedHat 7.2" --architecture "x86_64" --username root \
--user-data false --uuid "/var/lib/libvirt/images/TestImage.qcow2" \
--compute-resource "ACME's KVM Server"
## Working with Puppet Modules and Creating the Main Manifest
#https://puppet.com/docs/puppet/5.3/modules_installing.html
mkdir -p /etc/puppetlabs/code/environments/Lich_Prod/{manifests,modules}
touch /etc/puppetlabs/code/environments/Lich_Prod/manifests/site.pp
chgrp puppet /etc/puppetlabs/code/environments/Lich_Prod/manifests/site.pp
chmod 0640 /etc/puppetlabs/code/environments/Lich_Prod/manifests/site.pp
puppet module search apache
MY_CMD="puppet module install --environment Lich_Prod"
$MY_CMD arioch-keepalived ;\
$MY_CMD camptocamp-openldap ;\
$MY_CMD camptocamp-systemd ;\
$MY_CMD derdanne-nfs ;\
$MY_CMD elastic-elasticsearch ;\
$MY_CMD graylog-graylog ;\
$MY_CMD herculesteam-augeasproviders_core ;\
$MY_CMD herculesteam-augeasproviders_shellvar ;\
$MY_CMD hunner-wordpress ;\
$MY_CMD puppet-archive ;\
$MY_CMD puppet-corosync ;\
$MY_CMD puppet-mongodb ;\
$MY_CMD puppet-selinux ;\
$MY_CMD puppet-staging ;\
$MY_CMD puppet-zabbix ;\
$MY_CMD puppetlabs-accounts ;\
$MY_CMD puppetlabs-apache ;\
$MY_CMD puppetlabs-apt ;\
$MY_CMD puppetlabs-concat ;\
$MY_CMD puppetlabs-firewall ;\
$MY_CMD puppetlabs-haproxy ;\
$MY_CMD puppetlabs-java ;\
$MY_CMD puppetlabs-mysql ;\
$MY_CMD puppetlabs-ntp ;\
$MY_CMD puppetlabs-pe_gem ;\
$MY_CMD puppetlabs-postgresql ;\
$MY_CMD puppetlabs-ruby ;\
$MY_CMD puppetlabs-stdlib ;\
$MY_CMD puppetlabs-translate ;\
$MY_CMD razorsedge-snmp ;\
$MY_CMD richardc-datacat ;\
$MY_CMD saz-limits ;\
$MY_CMD saz-rsyslog ;\
$MY_CMD saz-ssh ;\
$MY_CMD saz-sudo ;\
$MY_CMD sgnl05-sssd ;\
$MY_CMD thias-sysctl
puppet module list --environment Lich_Prod
cd /etc/puppetlabs/code/environments/Lich_Prod/modules
# "puppet module generate" creates the skeleton as lich-lich_firewall/; the
# directory on the modulepath must carry the bare module name, lich_firewall/,
# and every class must be named lich_firewall::... for the autoloader to find it.
puppet module generate --skip-interview lich-lich_firewall
mv lich-lich_firewall lich_firewall
touch ./lich_firewall/manifests/{init.pp,pre.pp,post.pp}
vi ./lich_firewall/manifests/pre.pp
..
# rules applied before everything else; the require default is cleared here so
# that pre rules never depend on other firewall resources
class lich_firewall::pre {
  Firewall {
    require => undef,
  }
  firewall { '000 drop all IPv6':
    proto    => 'all',
    action   => 'drop',
    provider => 'ip6tables',
  }->
  firewall { '001 allow all to lo interface':
    proto   => 'all',
    iniface => 'lo',
    action  => 'accept',
  }->
  firewall { '002 reject local traffic not on loopback interface':
    iniface     => '! lo',
    proto       => 'all',
    destination => '127.0.0.1/8',
    action      => 'reject',
  }->
  firewall { '003 allow all ICMP':
    proto  => 'icmp',
    action => 'accept',
  }->
  firewall { '004 allow related established rules':
    proto  => 'all',
    state  => ['RELATED', 'ESTABLISHED'],
    action => 'accept',
  }->
  firewall { '005 allow SSH':
    proto  => 'tcp',
    source => '10.0.0.0/8',
    state  => ['NEW'],
    dport  => '22',
    action => 'accept',
  }
}
..
vi ./lich_firewall/manifests/post.pp
..
# final catch-all; "before => undef" keeps it from being ordered before the post class itself
class lich_firewall::post {
  firewall { '999 drop all':
    proto  => 'all',
    action => 'drop',
    before => undef,
  }
}
..
vi ./lich_firewall/manifests/init.pp
..
# purge => true removes every iptables rule not managed by Puppet, so rules
# added by hand on a host disappear on the next agent run
class lich_firewall ($firewall_data = false) {
  include lich_firewall::pre
  include lich_firewall::post
  resources { 'firewall':
    purge => true,
  }
  Firewall {
    before  => Class['lich_firewall::post'],
    require => Class['lich_firewall::pre'],
  }
  if $firewall_data != false {
    create_resources('firewall', $firewall_data)
  }
}
..
# restorecon -Rv /etc/puppetlabs/code/environments/Lich_Prod/modules/
Configuration
# Configuration
Backup and restore
# Backups
# Restore