Azure Cloud
For the Azure Cloud, you specify a user during the basic installation. The root password remains hidden. However, you can switch to root with the following command, the input of your own password is required:
Furthermore, it is necessary to assign the network card(s) to a zone. This is done by editing the network configuration:
vi /etc/sysconfig/network-scripts/ifcfg-eth0
... (add at end)
ZONE=public
...
service network restart |
|
System update
System aktualisieren und erste Pakete installieren
yum -y update
yum -y install nano unzip ntp ntpdate wget man openssh-clients rsync screen sysstat nfs-utils cifs-utils policycoreutils-python yum-plugin-versionlock yum-utils nmap bind-utils tcpdump lsof tmux tmpwatch
yum -y install https://repo.ius.io/ius-release-el7.rpm
yum -y install epel-release
# LAG: NO LONGER NEEDED
# Removed 17.09.2018 after feedback from FK
# yum -y install http://mirror1.hs-esslingen.de/repoforge/redhat/el7/en/x86_64/rpmforge/RPMS/rpmforge-release-0.5.3-1.el7.rf.x86_64.rpm
# yum-config-manager --enable rpmforge-extras |
|
Reboot
disable ipv6
If the yum update fails because of IPv6, ipv6 can be disabled. |
vi /etc/sysctl.d/disable-ipv6.conf
# Add the following lines
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
# Then issue the following command
sysctl -p
# Then edit yum.conf
vi /etc/yum.conf
# Add the following line
ip_resolve=4
# Then reboot
reboot |
|
Basic configuration
Make sure firewalld is running (Required for Azure Cloud installation)
The following commands ensure that firewalld is running.
systemctl disable iptables
systemctl mask iptables
systemctl enable firewalld
systemctl start firewalld
|
|
Create User jtel
The following commands create the user jtel, add it to the group wheel and give it the password <password>:
useradd -m jtel
gpasswd -a jtel wheel
printf '<password>\n<password>\n' | passwd jtel |
|
Enter SSH key
Next, the SSH keys of the jtel project technicians are entered so that a secure login is possible without separate password entry. By default, neither the SSH configuration directory nor the corresponding configuration file exists in root's home directory. All this is generated with the commands in the following code block:
mkdir -p /home/jtel/.ssh
cat << EOFF > /home/jtel/.ssh/authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEAgJWox9vkWssx24V6m+VB/9cfFUznUnVJqHeSnQFcE+ANzH+lgv90jQYXRf8XLSaKA4HZGO7SFUwLz7eNHk0lIS+TG+WKGrjl3GRvzNoYVAapeKUV7HjbeagQPNOCKTr6G8Vi/GVMyOx8XhJAgpr5gjyW9GdMdqnOS9uxd83BCh/UiAP9oVUbLiIIxbtmLAzyfJdjnbFP9sJXw96Vl040Fe4aoLofrkPyPu7cst6TPJx5myDhORG31nD/2iwUNLfv58m9ABMsePfhqzSp/Hi2XY/e5gikDh3xUxoBmL9fWwbiFb92AFW08rP1CtoCEtOe2nJkdtRzt0GiE+A+zgdDjw== support@jtel.de
ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEAuP5DEZDI6/CITTqk8qburqDuKNj6jnQ9Zbjz6BO+5P8MlrS8KT7y56u/PSqdO3OzD58D2JS0yNvM5RbBGYDUD1ng7VSJLFLfErbuCzJ/Q+BSRaee+7MhLWXdVSc/EY2B4qUcZGRL/NXHtAY/3KvSSU3wnhI4edLYMAzuxAhNEPRkmniq1CAuykDdHvm0kVQzaSShYDBQWIlbWIMG6jsCmMpZR7v+v6gKWeowQkM4T4XZ1f2K5zlQXd6FHGY8C/+XICefum2qgQtqgjfQMoqIQbnmfKDGIHPvkas287tdCbU4y1lTsJbTiT7INkd6QbiVUayVxVwwoV+G2F7WofN4nw== root@jtel.de
ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEArTi8N08gDz1CvDriZNALa1tHky/1+QNP0WU43dI7hkn2zH7fz9bXAs32z7dRjfgxaYXWPmClcDLDb0xwjGfMXK0HABPtp0bxh/58Y0QowBUJkcNi6hUphT+ArGkpjQb5CJcArnbLO727R8jJFgE1QpiWdehd5t3ec0wOL0NhnIE63S+DUm7+bQW6Z8Kmzl0+opGyoURLf8hxeAIUJwdeMFN7AIVPZlyuPobowwjGDXD9YpwXZ2oPtg6XISwW/O1fsetzmGkgD4gedxJxjc5x5ByZX98UsNJORrG5R5slLqQTJkJzGBLpH8kC9WLIEW0RduVR2mrQzOBRgA92i5ZUFw== lewis.graham@jtel.de
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC9W40vFohIPQsH6Q5Rfef7xiC4WRHOkMaMsUXxLCnTCDGI0PDib23NBUTevcnAc+OrCUITRmwngRbcItbR9QM1qNhzrwS8ZI00psZVVnBUwVVpX4UJtmX0CDrtVwH1yz51/WnZVeS17JqoMjVMB3p+n1CjViwh6qlRTI/9F/KfaOfiLEiHnvcnmSq67R7o5wP65TR00xqA20E569M1lcdn43xL2GylkwHuWw+XcusKqf+lnaawFWhdZUTOuF3ZB+ssuEbXSyZEGtc5/HNUG8rg9tutzAfq3fNWc5Y5pY+B048g4oDyAQpwMB7i9OwNNk1IEZA+rmqIImf7XLVKIsNn andrey.tsvetkov@jtel.de
ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEAkBiz9SsIXMO/a+7hCxNGQuQ4s/gqUZ6pyxDxjpDTD+bewxumyhn5aITbBSuHpx0n05JL4nGGdROii54ATildm3Uhi8JSljGy5uv97Sw8Kpy0eO314tOLU3NkAe2YOH1aUeArne4bYPebKBq0r1oln1Gu2+TFvCmMqu3FmleMv1xvw/waTwO57hSBPN83gOaJR7w6lOUp5HjYLSA0zRs1Os3g6ldQkHeGBknJ6jChqFXJHGl0KYzZGv3Q46fVTptS7NACxZs+ARUzJjbGjxnpHYK8rmSoTfoBS4qlN5+LxYKG341Hmq7cOsaISwUFbE/CbFOqUtjBviI1c7RLgtGnJQ== serge.djomo@jtel.de
ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEAuh3ZLgQo2e9Uv1vAQxxCGxe9D3u8DWh4egeteUAPj4b7tOxQ6to3zAlGytUR9R6sANL/CIP3nEA2d3r4km0FQWQ4QFCLTFjyXl0Kvsn1ahN8DljJ6mRlwtvN2r5mBIEy1ClGCh+Jvchzf4ZhXrWxOTYYO77O8wjj9Zbk0Y6wI2qBnE6TaxsRQ7Z61zTe80xfLPQLKjgQ/5Hdk0z0HAx3jEsZRo9CqMLb44UD+6jVCih1JPMFcnUu0uxRQdOHrg243tqAUmuqICWompZNO75v3HjIIXOebxVGBXugrYc2xR1q964/EE0ZR7JMWM+HJ47V8WJKkE126n9ZElCqNGIR+Q== heidi.mueller@jtel.de
ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEAilON3Cn1bZPBYtv67Bv63llD1KMTTH52/ioPLm+qYYDV80mSHSb+PHD9awXNKNv5iTecaQ/a56CkK0z+KI5zvJb3EiRZaRe70cIqdflHmTcasVPVk1hAma5xc5UOCr+dKokqMQGwpDRrDvdS3atflQznvlR8+qoxPjlKC4KDx0GOUeSOIPBO6DdYGPlFX6ohMVRE7p/vHIRAOfehmG1xFtfk+rGPmgiblPWWWklKYQUfMnHI0pqFJwrPW46nqdUlQwtknATZC2cuKe931zstFhuDsm218yS4hTTlcjw5i/DH7PFr9Y58BtY6ZTy8khwTUeMPpSxE7i2WYoqoJ7DXcw== sou@jtel.de
ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEA0czZLbpaxo/EY9iHDq9n6EWTALeYB7GVmp/mLwp66zeV4DbvTm+3FDUJSD9rqMJzJkAAEicFe+II/ZdIeZzG4JdYf66M/Y6k0w0Y8jJqDtsdgUf3OJ1hJ53Z+BwFqy1vD/a7N2hxlEKD2rzyAfVb+xzTzhJTjpX1kNiUxDMXRZs4ytW0CbOqZSpTJ3eT9NS9gH188KFTvHN8rPzDAxRKcexO2fSzNa7e+dYsfImOQoYlxFBX5YU74Ay9F5b7K95Cxe8EstvKNVmjkNWgnNWuS2d7eabepC1jv3z0FdOGiVoZ1SDgqKz8ysBa6Rzkt5L5peHYAKyH8TedeUk7kRIwZQ== dhia@jtel.de
EOFF
restorecon -R -v /home/jtel/.ssh
chown -R jtel:jtel /home/jtel/.ssh
chmod 0700 /home/jtel/.ssh
chmod 0644 /home/jtel/.ssh/authorized_keys |
|
Note: do not use all other SSH keys.
In order for these to function correctly, the SELINUX security labels must be adapted correctly. This is done by the command at the end of the code block.
Improve history function
The following command generates a configuration file to improve the history function of the shell:
cat <<EOFF > ~/.inputrc
"\e[A": history-search-backward
"\e[B": history-search-forward
set show-all-if-ambiguous on
set completion-ignore-case on
EOFF |
|
Improve Screen Multiplexer
The following command improves the display of the screen multiplexer.
cat <<EOFF >> /etc/screenrc
# JTEL:Added
startup_message off
vbell off
hardstatus alwayslastline "%{kw} %{b}%H%{K} < %-w%{Wb} %n %t %{-}%+w >"
# This lets work all functions keys in midnight commander
# termcapinfo xterm 'k1=\E[11~:k2=\E[12~:k3=\E[13~:k4=\E[14~'
EOFF
|
|
Wheel (sudo) Configuration
The following command creates a configuration component to give users of the wheel group the right to execute commands as root using the sudo tool:
cat <<EOFF > /etc/sudoers.d/wheelers
## Allows people in group wheel to run all commands
%wheel ALL=(ALL) ALL
EOFF
|
|
Transfer shell configuration to jtel
The following commands replicate the shell configuration from the root user to the jtel user:
cp -a /root/.inputrc /home/jtel
chown -R jtel:jtel /home/jtel/.inputrc
|
|
Root hint for GIT
The following commands make it more difficult to execute GIT as root, since this should always be done in the context of the jtel user:
cat <<EOFF >> ~/.bashrc
alias git='printf "It looks like you are trying to run GIT as ROOT.\nFor jtel installations, GIT should always be run from the jtel user.\nIf you really want to run git as root, you will need to access it directly, using /usr/bin/git for example.\n"'
EOFF
source ~/.bashrc |
|
Transfer SSH keys to root
The following commands replicate the SSH keys from the jtel user to the root user:
cp -a /home/jtel/.ssh /root
chown -R root:root /root/.ssh |
|
Set NTP to PTB
The following commands enter the official time servers of the Physikalisch-Technische Bundesanstalt into the configuration file of the time synchronization service, configure the service to start automatically, synchronize the time once with one of the PTB servers and start the service
sed -i -e "s/^server 0.centos.pool.ntp.org iburst$/server ptbtime1.ptb.de iburst\nserver ptbtime2.ptb.de iburst\nserver ptbtime3.ptb.de iburst\nserver 0.centos.pool.ntp.org iburst/" /etc/ntp.conf
chkconfig ntpd on
ntpdate ptbtime2.ptb.de
service ntpd start
|
|
Check NTP
See here:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/s1-Checking_the_Status_of_NTP.html
for an explanation
Uninstalling anacron, installing cron
Since the anacron service stops if one of the maintenance scripts does not run, it is uninstalled and the cron service is installed:
sudo yum -y install cronie-noanacron
sudo yum -y remove cronie-anacron |
|
VMWare / Hyper-V / Virtualization Tools (NOT AZURE)
Install VMWare Tools
yum -y install open-vm-tools |
|
Hyper-V
yum -y install hyperv-daemons |
|
Other virtualization environments
Contact the respective manufacturer.
Proxy Server Entry
If a proxy server is used then use the following commands to set this up for root and the jtel user - please adjust the upper lines:
PROXY_USERNAME=
PROXY_PASSWORD=
PROXY_SERVER=proxy.example.de
PROXY_PORT=3128
PROXY_EXCEPTIONS=.example.de,.local,10.200.21.
if [ -n "$PROXY_USERNAME" ] && [ -n "$PROXY_PASSWORD" ]
then
PROXY="http://$USERNAME:$PASSWORD@$PROXY_SERVER:$PROXY_PORT"
elif [ -n "$PROXY_USERNAME" ]
then
PROXY="http://$USERNAME@$PROXY_SERVER:$PROXY_PORT"
else
PROXY="http://$PROXY_SERVER:$PROXY_PORT"
fi
cat <<EOFF >> ~/.bashrc
export ALL_PROXY=$PROXY
export HTTP_PROXY=$PROXY
export HTTPS_PROXY=$PROXY
export FTP_PROXY=$PROXY
export RSYNC_PROXY=$PROXY
export http_proxy=$PROXY
export https_proxy=$PROXY
export ftp_proxy=$PROXY
export rsync_proxy=$PROXY
export NO_PROXY=$PROXY_EXCEPTIONS
EOFF
cat <<EOFF >> /home/jtel/.bashrc
export ALL_PROXY=$PROXY
export HTTP_PROXY=$PROXY
export HTTPS_PROXY=$PROXY
export FTP_PROXY=$PROXY
export RSYNC_PROXY=$PROXY
export http_proxy=$PROXY
export https_proxy=$PROXY
export ftp_proxy=$PROXY
export rsync_proxy=$PROXY
export NO_PROXY=$PROXY_EXCEPTIONS
EOFF
source ~/.bashrc
|
|
Ensuring name resolution
Edit the /etc/hosts file, and enter the names of the different machines for the solution:
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.1.10 acd-lb acd-lb.example.com
192.168.1.10 acd-store acd-store.example.com
192.168.1.21 acd-dbm acd-dbm.example.com
192.168.1.22 acd-dbs acd-dbs.example.com
192.168.1.22 acd-dbr acd-dbr.example.com
192.168.1.31 acd-jb1 acd-jb1.example.com
192.168.1.32 acd-jb2 acd-jb2.example.com
192.168.1.40 acd-tel1 acd-tel1.example.com |
|