From: Frank Brehm Date: Thu, 25 Oct 2018 09:14:13 +0000 (+0200) Subject: Adding bin/postinst.chrony X-Git-Tag: 0.3.2^2~23 X-Git-Url: https://git.uhu-banane.net/?a=commitdiff_plain;h=6eab3378e1573d4c1dcf6fc516f9d514c3825de3;p=pixelpark%2Fcreate-vmware-tpl.git Adding bin/postinst.chrony
---
diff --git a/bin/postinst.chrony b/bin/postinst.chrony
new file mode 100644
index 0000000..f68a36b
--- /dev/null
+++ b/bin/postinst.chrony
@@ -0,0 +1,1108 @@ +#!/bin/bash + + +HASH_LINE="#######################################################################################" +COBBLER_URL="http://192.168.88.8" + +echo "$(date --rfc-3339=seconds): Das ist das Post-Install-Script '$0'." +echo + +if [[ -z "${hostname}" ]] ; then + hostname="template.pixelpark.com" +fi +IP_ADDRESS_ETH0=$( host "${hostname}" | sed -e 's/.*has address[ ][ ]*//' ) +DOMAIN=$( echo "${hostname}" | cut -d. -f2,3 ) +SIMPLE_HOSTNAME=$( echo "${hostname}" | cut -d. -f1 ) + +ROOT_PW_CRYPTED="\$6\$I0yXrNsT\$YU3ekjNLy1KTWLRVNww8YM1xtO8FXgTEFhOANS.HB8baj7CxNMRCoxDQh5oFYkZbli67s4pwZ36aNchD2YL.G0" + +GIT_ACCOUNT="vmware-provisioning" +GIT_PASSWD="shiesa&a4taich+iecah8Chu" +GIT_REPO_DIR="postfix_config" +GIT_SERVER="git.pixelpark.com" +GIT_NAMESPACE="ppadmin" +#GIT_REPO="https://@@acount@@:@@pwd@@@git.pixelpark.com/ppadmin/${GIT_REPO_DIR}.git" +POSTFIX_MYORIGIN='pixelpark.net' +POSTFIX_RELAYHOST='[mx.pixelpark.net]' + +ERROR_POINTER="/root/postinst-error.txt" + +echo +echo "Some information:" +echo " \$hostname: $hostname" +echo " \$system_name: $system_name" +echo " \$gateway: $gateway" +echo " \$mac_address_eth0: $mac_address_eth0" +echo " \$ip_address_eth0: $ip_address_eth0" +echo " \$IP_ADDRESS_ETH0: $IP_ADDRESS_ETH0" +echo " \$SIMPLE_HOSTNAME: $SIMPLE_HOSTNAME" +echo " \$DOMAIN: $DOMAIN" + +#----------------------------------------------------------- +log() { + + echo "$(date --rfc-3339=seconds): $*" + echo "$*" >/dev/console +} + +#----------------------------------------------------------- +create_authkeys() { + + echo + echo "${HASH_LINE}" + echo + local url="${COBBLER_URL}/custom/create-vmware-tpl/keys/auth_keys_pp_betrieb" + + log "Creating /root/.ssh ..." + mkdir -pv /root/.ssh + chmod -v 0700 /root/.ssh + + log "Creating /root/.ssh/authorized_keys ..." 
+ echo "${HASH_LINE}" >> /root/.ssh/authorized_keys + echo "ssh-dss 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 softdist" >> /root/.ssh/authorized_keys + echo "${HASH_LINE}" >> /root/.ssh/authorized_keys + echo "ssh-rsa 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 create-vmware-tpl@pixelpark.com" >> /root/.ssh/authorized_keys + + local tmp_file=$( mktemp ) + wget -O "${tmp_file}" --dns-timeout=2 --connect-timeout=3 --read-timeout=3 "${url}" || true + if [[ -s "${tmp_file}" ]] ; then + cat "${tmp_file}" >> /root/.ssh/authorized_keys + fi + rm -v "${tmp_file}" +} + +#----------------------------------------------------------- +import_ssh_hostkeys() { + + echo + echo "${HASH_LINE}" + echo + log "Importing SSH host keys ..." + + mkdir -pv /etc/ssh + local tmp_file= + local stem= + local fullname= + local url= + + for stem in ssh_host_ecdsa_key ssh_host_ed25519_key ssh_host_rsa_key ; do + for fullname in "${stem}" "${stem}.pub" ; do + tmp_file=$( mktemp ) + url="${COBBLER_URL}/custom/create-vmware-tpl/keys/${fullname}" + wget -O "${tmp_file}" --dns-timeout=2 --connect-timeout=3 --read-timeout=3 "${url}" + if [[ -s "${tmp_file}" ]] ; then + mv -v "${tmp_file}" "/etc/ssh/${fullname}" + if [[ "${stem}" == "${fullname}" ]] ; then + chown -v root:ssh_keys "/etc/ssh/${fullname}" + chmod -v 0640 "/etc/ssh/${fullname}" + else + chmod -v 0644 "/etc/ssh/${fullname}" + fi + fi + rm -f "${tmp_file}" + done + done + +} + +#----------------------------------------------------------- +create_etc_hosts() { + + echo + echo "${HASH_LINE}" + echo + log "Generating /etc/hosts ..." + + cat <<-EOF >/etc/hosts + # generated by pixelpark install server + + 127.0.0.1 localhost + ${IP_ADDRESS_ETH0} ${hostname} ${SIMPLE_HOSTNAME} + + EOF + +} + +#----------------------------------------------------------- +set_hostname() { + echo + echo "${HASH_LINE}" + echo + log "Setting hostname ${hostname} ..." 
+ hostnamectl set-hostname --static "${hostname}" + hostname > /etc/hostname + echo "Hostname normal: $(hostname)" + echo "Hostname simple: $(hostname -s)" + echo "Hostname FQDN: $(hostname -f)" +} + +#----------------------------------------------------------- +disable_ipv6() { + local sysctl_file="/etc/sysctl.d/99-disable-ipv6.conf" + echo + echo "${HASH_LINE}" + echo + log "Disabling IPv6 in '${sysctl_file}' ..." + mkdir -pv /etc/sysctl.d + echo "#disable ipv6" | tee -a "${sysctl_file}" + echo "net.ipv6.conf.all.disable_ipv6 = 1" | tee -a "${sysctl_file}" + echo "net.ipv6.conf.default.disable_ipv6 = 1" | tee -a "${sysctl_file}" + echo "net.ipv6.conf.lo.disable_ipv6 = 1" | tee -a "${sysctl_file}" +} + +#----------------------------------------------------------- +mac_exists() { + + [[ -z "$1" ]] && return 1 + local mac_address="$1" + + ip -o link | grep -i "${mac_address}" 2>/dev/null >/dev/null + return $? + +} + +#----------------------------------------------------------- +get_ifname() { + + [[ -z "$1" ]] && return 1 + local mac_address="$1" + + ip -o link | grep -i "${mac_address}" | sed -e 's/^[0-9]*: //' -e 's/:.*//' + +} + +#----------------------------------------------------------- +install_network() { + + echo + echo "${HASH_LINE}" + echo + log "Generating network configuration ..." + + local temp_dir=$( mktemp -p /tmp -d 'tmp.XXXXXXXXXX.cobbler' ) + local tmp_nw_cfg="${temp_dir}/network" + local tmp_nw_script_dir="${temp_dir}/network-scripts" + local nw_script_dir="/etc/sysconfig/network-scripts" + local old_dir="${nw_script_dir}/.old" + local ifcfg_file= + + mkdir -pv "${tmp_nw_script_dir}" + mkdir -pv "${old_dir}" + + echo "Generating /etc/sysconfig/network ..." 
+ #cp -pv /etc/sysconfig/network-scripts/ifcfg-lo "${tmp_nw_script_dir}" + grep -v 'GATEWAY|HOSTNAME' /etc/sysconfig/network > "${tmp_nw_cfg}" + echo "GATEWAY=${gateway}" >> "${tmp_nw_cfg}" + echo "HOSTNAME=${hostname}" >> "${tmp_nw_cfg}" + mv -v /etc/sysconfig/network "/etc/sysconfig/network.orig.$( date -r /etc/sysconfig/network +'%Y-%m-%d_%H:%M:%S' )" + mv -v "${tmp_nw_cfg}" /etc/sysconfig/network + + # Also set the hostname now, some applications require it + /bin/hostname "${hostname}" + + local dev_file="${tmp_nw_script_dir}/ifcfg-eth0" + echo "Generating '${dev_file}' ..." + + cat <<-EOF >"${dev_file}" + Name="System eth0" + DEVICE=eth0 + ONBOOT=yes + HWADDR=${mac_address_eth0} + TYPE=Ethernet + BOOTPROTO=none + IPADDR=${ip_address_eth0} + NETMASK=255.255.254.0 + DEFROUTE=yes + IPV4_FAILURE_FATAL=yes + IPV6INIT=no + DNS1=217.66.52.10 + DNS2=93.188.109.13 + DNS3=212.91.225.75 + DOMAIN="pixelpark.com pixelpark.net" + + EOF + + for ifcfg_file in ${nw_script_dir}/ifcfg-* ; do + local bname=$(basename "${ifcfg_file}" ) + if [[ "${bname}" == "ifcfg-lo" ]] ; then + continue + fi + mv -v "${ifcfg_file}" "${old_dir}" + done + mv -v "${dev_file}" "${nw_script_dir}" + + rm -vrf "${temp_dir}" + +} + +#----------------------------------------------------------- +manage_dns() { + + echo + echo "${HASH_LINE}" + echo + log "Generating /etc/resolv.conf ..." + + rm -fv /etc/resolv.conf + + cat <<-EOF >"/etc/resolv.conf" + search pixelpark.net pixelpark.com + nameserver 217.66.52.10 + nameserver 93.188.109.13 + nameserver 212.91.225.75 + + EOF + +} + +#----------------------------------------------------------- +tweak_systemd() { + + echo + echo "${HASH_LINE}" + echo + log "Tweaking systemd ..." 
+ + local sdir="/etc/systemd/system" + local getty_dir_tgt="${sdir}/getty.target.wants" + local getty_dir_at="${sdir}/getty@.service.d" + local getty_svc="/usr/lib/systemd/system/getty@.service" + local i= + local glink= + + mkdir -pv "${getty_dir_at}" + echo "Generating ${getty_dir_at}/noclear.conf ..." + cat <<-EOF >"${getty_dir_at}/noclear.conf" + [Service] + TTYVTDisallocate=no + EOF + + for i in 2 3 4 ; do + glink="${getty_dir_tgt}/gett@tty${i}.service" + ln -sv "${getty_svc}" "${glink}" + done + +} + +#----------------------------------------------------------- +tweak_grub() { + + local grub_cfg="/etc/default/grub" + if [[ -f "${grub_cfg}" ]] ; then + + echo + echo "${HASH_LINE}" + echo + log "Tweaking '${grub_cfg}' ..." + + echo "Selecting entry in /etc/grub2.cfg ..." + awk -F\' '$1=="menuentry " {print i++ " : " $2}' /etc/grub2.cfg + grub2-set-default 0 + grub2-editenv list + + echo "Removing quiet from '${grub_cfg}' ..." + sed --in-place -e 's/^\(GRUB_CMDLINE_LINUX=.*\)[ ]quiet\(.*\)/\1\2/' "${grub_cfg}" + + echo "Removing rhgb (RedHat Graphical Boot) from '${grub_cfg}' ..." + sed --in-place -e 's/^\(GRUB_CMDLINE_LINUX=.*\)[ ]rhgb\(.*\)/\1\2/' "${grub_cfg}" + + echo "Recreating /boot/grub2/grub.cfg ..." + grub2-mkconfig -o /boot/grub2/grub.cfg + + fi + +} + +#----------------------------------------------------------- +install_epel() { + + echo + echo "${HASH_LINE}" + echo + log "Install EPEL repository package ..." + + local url= + local tgt= + local bname= + local repo_file= + + echo + echo "Backing up existing repo files -> /etc/yum.repos.d/.old ..." + mkdir -pv /etc/yum.repos.d/.old + for repo_file in /etc/yum.repos.d/*.repo ; do + if [[ ! 
-f "${repo_file}" ]] ; then + continue + fi + cp -pv "${repo_file}" /etc/yum.repos.d/.old + done + + for bname in public-yum-ol7.repo epel.repo epel-testing.repo puppet.repo rpm-repo.pixelpark.com.repo ; do + url="${COBBLER_URL}/custom/create-vmware-tpl/yum.repos/${bname}" + tgt="/etc/yum.repos.d/${bname}" + echo + echo "Retrieving '${url}' -> '${tgt}' ..." + if wget -O "${tgt}" --dns-timeout=2 --connect-timeout=3 --read-timeout=3 "${url}" ; then + : + else + echo "[$(date)]: Could not get '${bname}' from '${url}'." | tee -a "${ERROR_POINTER}" + fi + chmod -v 0644 "${tgt}" + done + + mkdir -pv "/etc/pki/rpm-gpg" + chmod -v 0755 "/etc/pki" + chmod -v 0755 "/etc/pki/rpm-gpg" + + for bname in RPM-GPG-KEY-EPEL-7 RPM-GPG-KEY-pixelpark RPM-GPG-KEY-puppet-release ; do + url="${COBBLER_URL}/custom/create-vmware-tpl/yum.repos/${bname}" + tgt="/etc/pki/rpm-gpg/${bname}" + echo + echo "Retrieving '${url}' -> '${tgt}' ..." + if wget -O "${tgt}" --dns-timeout=2 --connect-timeout=3 --read-timeout=3 "${url}" ; then + : + else + echo "[$(date)]: Could not get '${bname}' from '${url}'." | tee -a "${ERROR_POINTER}" + fi + chmod -v 0644 "${tgt}" + done + + echo + log "Cleaning YUM cache ..." + yum clean all + + echo + log "Updating YUM cache ..." + if yum makecache fast ; then + : + else + echo "[$(date)]: Could not update YUM cache." | tee -a "${ERROR_POINTER}" + fi + + echo + log "Installing perl-Config-IniFiles.noarch ..." + if yum install -y perl-Config-IniFiles.noarch ; then + : + else + echo "[$(date)]: Could not install perl-Config-IniFiles.noarch." | tee -a "${ERROR_POINTER}" + fi + sleep 3 + +} + +#----------------------------------------------------------- +install_pp_tcsh_env() { + + echo + echo "${HASH_LINE}" + echo + log "Pulling pixelpark TCSH config .." + + local cdir=$(pwd) + local url="${COBBLER_URL}/custom/shell/linux_tcsh.tar" + local local_tar=$( mktemp -p /tmp "linux_tcsh.XXXXXXXX.tar" ) + + echo "Local tar file: '${local_tar}'." 
+ if wget -O "${local_tar}" --dns-timeout=2 --connect-timeout=3 --read-timeout=3 "${url}" ; then + : + else + echo "[$(date)]: Could not get 'linux_tcsh.tar' from '${url}'." | tee -a "${ERROR_POINTER}" + fi + if [[ -f "${local_tar}" && -s "${local_tar}" ]] ; then + cd /etc + echo "Unpacking '${local_tar}' ..." + sleep 1 + tar xvf "${local_tar}" + mv -v /etc/.cshrc /etc/csh.cshrc + fi + rm -fv "${local_tar}" + + echo + echo "${HASH_LINE}" + echo + log "Pulling BASH config .." + + url="${COBBLER_URL}/custom/create-vmware-tpl/files/fbr.sh" + local tgt="/etc/profile.d/fbr.sh" + echo "Retrieving '${url}' -> '${tgt}' ..." + if wget -O "${tgt}" --dns-timeout=2 --connect-timeout=3 --read-timeout=3 "${url}"; then + : + else + echo "[$(date)]: Could not get 'fbr.sh' from '${url}'." | tee -a "${ERROR_POINTER}" + fi + chmod -v 0644 "${tgt}" + +} + +#----------------------------------------------------------- +make_pp_dirs() { + echo + echo "${HASH_LINE}" + echo + log "Creating Pixelpark directories ..." + for bname in bin etc man ; do + mkdir -pv "/opt/PPlocal/${bname}" + done +} + +#----------------------------------------------------------- +misc_packages() { + + local misc_pkgs="ksh tmux vim telnet curl git colordiff psmisc" + local misc_pkgs_remove="deltarpm nfs* rpcbind abrt*" + + echo + echo "${HASH_LINE}" + echo "Disabling mysql-community in /etc/yum.conf ..." + echo "exclude=mysql-community*" >> /etc/yum.conf + + echo + echo "${HASH_LINE}" + echo + log "Installing NetworkManager ..." + if yum install -y NetworkManager NetworkManager-config-server NetworkManager-tui ; then + : + else + echo "[$(date)]: Could not install NetworkManager." | tee -a "${ERROR_POINTER}" + fi + echo "Enabling NetworkManager ..." + systemctl enable NetworkManager + + echo + log "Removing iptables-services ..." + yum remove -y iptables-services + echo "Stopping and disabling firewalld ..." + systemctl stop firewalld + systemctl disable firewalld + + echo + log "Installng VLAN vconfig ..." 
+ if yum install -y vconfig ; then + : + else + echo "[$(date)]: Could not install vconfig." | tee -a "${ERROR_POINTER}" + fi + echo + log "Installing packages: ${misc_pkgs}" + if yum install -y ${misc_pkgs} ; then + : + else + echo "[$(date)]: Could not install ${misc_pkgs}" | tee -a "${ERROR_POINTER}" + fi + + echo + log "Removing packages mysql-community* ..." + yum remove -y mysql-community* + + echo + log "Removing packages: ${misc_pkgs_remove}" + yum remove -y ${misc_pkgs_remove} + + echo + echo "Creating /etc/gitconfig ..." + cat <<-EOF >/etc/gitconfig + [color] + ui = true + EOF + +} + +#----------------------------------------------------------- +remove_ipv6_localhost() { + + echo + echo "${HASH_LINE}" + echo + log "Removing ::1 from /etc/hosts ..." + + sed -i -e '/^::1/ d' /etc/hosts + +} + +#----------------------------------------------------------- +create_motd() { + + echo + echo "${HASH_LINE}" + echo + local url="${COBBLER_URL}/custom/pp-scripts/mk_create_motd.ksh" + + echo + log "Creating initial /etc/motd ..." + local mk_script=$( mktemp -p /tmp "mk_create_motd.XXXXXXXXXX.ksh" ) + if wget -O "${mk_script}" --dns-timeout=2 --connect-timeout=3 --read-timeout=3 "${url}" ; then + chmod 0755 "${mk_script}" + "${mk_script}" -i 192.168.88.0/23 \ + -p "Template VM" \ + -l "L105 VMWare" \ + -o "Pixelpark GmbH" > /etc/motd + else + echo "[$(date)]: Could not get 'mk_create_motd.ksh' from '${url}'." | tee -a "${ERROR_POINTER}" + fi + rm -fv "${mk_script}" + +} + +#----------------------------------------------------------- +install_legato_networker() { + + local url_client="${COBBLER_URL}/custom/legato/lgtoclnt-latest.x86_64.rpm" + local url_man="${COBBLER_URL}/custom/legato/lgtoman-latest.x86_64.rpm" + + echo + echo "${HASH_LINE}" + echo + log "Installing Legato networker client ..." + + echo "Installing from URL '${url_client}' ..." 
+ if yum install -y "${url_client}" ; then + : + else + echo "[$(date)]: Could not install from ${url_client}" | tee -a "${ERROR_POINTER}" + fi + echo "Installing from URL '${url_man}' ..." + if yum install -y "${url_man}" ; then + : + else + echo "[$(date)]: Could not install from ${url_man}" | tee -a "${ERROR_POINTER}" + fi + + mkdir -pv /nsr/res + echo "legato01.pixelpark.com" > /nsr/res/servers + +} + +#----------------------------------------------------------- +install_ntp() { + + echo + echo "${HASH_LINE}" + echo + log "Deinstalling chrony from whatever reason ..." + echo "Stopping chronyd ..." + systemctl stop chronyd + echo "Disabling chronyd ..." + systemctl disable chronyd + echo "Deinstalling chrony ..." + yum remove -y chrony + + echo + log "Installing NTP ..." + if yum install -y ntp ; then + : + else + echo "[$(date)]: Could not install ntp." | tee -a "${ERROR_POINTER}" + fi + + echo "Cofiguring ntpd ..." + mkdir -pv /etc/ntp + + cat <<-EOF > /etc/ntp.conf + tinker panic 0 + driftfile /var/lib/ntp/drift + # Permit time synchronization with our time source, but do not + # permit the source to query or modify the service on this system. + restrict default kod nomodify notrap nopeer noquery + restrict -6 default kod nomodify notrap nopeer noquery + restrict 127.0.0.1 + restrict -6 ::1 + server time01.pixelpark.com iburst + server time02.pixelpark.com iburst + server time03.pixelpark.com iburst + + EOF + + cat <<-EOF > /etc/ntp/step-tickers + time01.pixelpark.com + time02.pixelpark.com + time03.pixelpark.com + EOF + + systemctl enable ntpd + +} + +#----------------------------------------------------------- +install_openvm_tools() { + + echo + echo "${HASH_LINE}" + echo + log "Installing open-vm-tools ..." + + if yum install -y open-vm-tools ; then + + echo "Enabling vmware-tools and vmtoolsd ..." 
+ systemctl enable vmware-tools + systemctl enable vmtoolsd + + vmware-toolbox-cmd timesync disable + + else + echo "[$(date)]: Could not install open-vm-tools" | tee -a "${ERROR_POINTER}" + fi + +} + +#----------------------------------------------------------- +remove_uek_packages() { + + echo + echo "${HASH_LINE}" + echo + log "Switch kernel in /etc/sysconfig/kernel ..." + + sed -i -e 's/^\(DEFAULTKERNEL=\).*/\1kernel/i' /etc/sysconfig/kernel + + echo + log "Removing UEK packages ..." + + yum remove -y *-uek-* + + echo + log "Removing firmware packages ..." + + rpm -qa | grep -- -firmware | xargs --no-run-if-empty yum remove -y + +} + +#----------------------------------------------------------- +dist_upgrade() { + + echo + echo "${HASH_LINE}" + echo + log "Upgrading all packages ..." + echo + if yum upgrade -y ; then + : + else + echo "[$(date)]: Upgrading system not successful." | tee -a "${ERROR_POINTER}" + fi + +} + +#----------------------------------------------------------- +install_puppet() { + + local pplabs_conf_dir="/etc/puppetlabs" + local puppet_conf_dir="${pplabs_conf_dir}/puppet" + local puppet_conf_file="${puppet_conf_dir}/puppet.conf" + local facter_conf_dir="${pplabs_conf_dir}/facter/facts.d" + + echo + echo "${HASH_LINE}" + echo + log "Installing Puppet agent ..." + echo + + echo "Creating group puppet ..." + groupadd -g 63000 puppet + getent group puppet + + echo "Creating user puppet ..." + useradd -u 63000 -g puppet -d /var/lib/puppet -c "Puppet configuration management" -s /sbin/nologin puppet + getent passwd puppet + id puppet + + echo + echo "Installing puppet package ..." + if yum install -y puppet-agent ; then + : + else + echo "[$(date)]: Could not install puppet-agent." | tee -a "${ERROR_POINTER}" + fi + + echo + echo "Creating config dirs ..." + mkdir -pv "${puppet_conf_dir}" "${facter_conf_dir}" + + echo + echo "Creating ${puppet_conf_file} ..." 
+ cat <<-EOF >"${puppet_conf_file}" + [main] + ca_ttl = 10y + [agent] + # The file in which puppetd stores a list of the classes + # associated with the retrieved configuratiion. Can be loaded in + # the separate "puppet" executable using the "--loadclasses" + # option. + # The default value is '\$confdir/classes.txt'. + classfile = \$vardir/classes.txt + + environment = production + report = true + pluginsync = true + splay = true + use_srv_records = true + srv_domain = pixelpark.info + pluginsource = puppet:///plugins + pluginfactsource = puppet:///pluginfacts + + EOF + + echo + echo "Creating ${facter_conf_dir}/customer.yaml" + cat <<-EOF >"${facter_conf_dir}/customer.yaml" + --- + customer: pixelpark + EOF + + echo + echo "Creating ${facter_conf_dir}/host" + cat <<-EOF >"${facter_conf_dir}/host" + --- + pp_purpose: Unknown + pp_location: L105 + pp_owner: Pixelpark AG + pp_contact: 8x5@pixelpark.com + pp_zonehost: Unknown + EOF + + echo + echo "Creating ${facter_conf_dir}/tier.yaml" + cat <<-EOF >"${facter_conf_dir}/tier.yaml" + --- + tier: production + EOF + + echo + echo "Disabling service puppet ..." + systemctl disable puppet + +} + +#----------------------------------------------------------- +disable_floppy() { + + echo + echo "${HASH_LINE}" + echo + log "Disabling floppy kernel module ..." + + cat <<-EOF >"/etc/modprobe.d/local-blacklist.conf" + blacklist floppy + EOF + +} + +#----------------------------------------------------------- +set_root_pw() { + + echo + echo "${HASH_LINE}" + echo + log "Setting root password ..." + usermod -p "${ROOT_PW_CRYPTED}" root + +} + +#----------------------------------------------------------- +disable_root_login_pw() { + + echo + echo "${HASH_LINE}" + echo + log "Disabling SSH access for root with password ..." 
+ + perl -p -i -e 's/^\s*#?\s*PermitRootLogin\s.*/PermitRootLogin without-password/i' /etc/ssh/sshd_config + +} + +#----------------------------------------------------------- +install_clamav() { + + echo + echo "${HASH_LINE}" + echo + log "Installing and configuring ClamAV ..." + + yum install -y clamav clamav-update + + echo "Tweaking /etc/freshclam.conf ..." + + sed -e '/^#*Example/ d' \ + -e 's/^[ ]*DatabaseMirror[ ].*/DatabaseMirror clamav.pixelpark.com/i' \ + -e 's/\(#PrivateMirror mirror2.mynetwork.com\)/\1\nPrivateMirror clamav.pixelpark.com/i' \ + -i /etc/freshclam.conf + + echo + log "Running freshclam ..." + freshclam --verbose + +} + +#----------------------------------------------------------- +install_postfix() { + + echo + echo "${HASH_LINE}" + echo + log "Installing and configuring Postfix ..." + + local -a main_options_remove=( + 'address_verify_map' + 'address_verify_relay_transport' + 'broken_sasl_auth_clients' + 'command_directory' + 'daemon_directory' + 'data_directory' + 'debug_peer_level' + 'debugger_command' + 'hash_queue_depth' + 'html_directory' + 'lmtp_tls_loglevel' + 'mail_owner' + 'manpage_directory' + 'masquerade_domains' + 'master_service_disable' + 'maximal_queue_lifetime' + 'queue_directory' + 'readme_directory' + 'recipient_canonical_maps' + 'recipient_delimiter' + 'relay_domains' + 'sample_directory' + 'sender_dependent_default_transport_maps' + 'sender_dependent_relayhost_maps' + 'setgid_group' + 'smtp_sasl_auth_enable' + 'smtp_tls_cert_file' + 'smtp_tls_enforce_peername' + 'smtp_tls_key_file' + 'smtp_tls_loglevel' + 'smtp_tls_per_site' + 'smtp_tls_policy_maps' + 'smtp_tls_session_cache_database' + 'smtp_use_tls' + 'smtpd_client_restrictions' + 'smtpd_helo_restrictions' + 'smtpd_recipient_restrictions' + 'smtpd_relay_restrictions' + 'smtpd_sasl_auth_enable' + 'smtpd_sasl_authenticated_header' + 'smtpd_sasl_local_domain' + 'smtpd_sender_restrictions' + 'smtpd_tls_auth_only' + 'smtpd_tls_CAfile' + 'smtpd_tls_cert_file' + 
'smtpd_tls_key_file' + 'smtpd_tls_loglevel' + 'smtpd_tls_received_header' + 'smtpd_tls_session_cache_database' + 'smtpd_use_tls' + 'tls_random_prng_update_period' + 'tls_random_source' + 'transport_maps' + 'unknown_local_recipient_reject_code' + 'unverified_recipient_reject_code' + ) + + local -a main_options_set=( + 'alias_database = ${default_database_type}:/etc/aliases' + 'alias_maps =' + 'append_dot_mydomain = no' + 'biff = no' + 'default_database_type = hash' + 'inet_protocols = all' + 'local_recipient_maps =' + 'local_transport = error:5.1.1 Mailbox unavailable' + 'mailbox_size_limit = 0' + 'message_size_limit = 358400000' + 'mydestination =' + "mydomain = ${POSTFIX_MYORIGIN}" + "myhostname = ${hostname}" + 'mynetworks = 127.0.0.0/8' + "relayhost = ${POSTFIX_RELAYHOST}" + 'smtp_generic_maps = ${default_database_type}:/etc/postfix/generic' + 'smtp_tls_note_starttls_offer = yes' + 'smtp_tls_security_level = none' + 'smtpd_banner = $myhostname ESMTP $mail_name $mail_version' + 'smtpd_tls_security_level = none' + 'virtual_alias_maps = ${default_database_type}:/etc/postfix/virtual' + ) + + + if yum install -y postfix mailx ; then + : + else + echo "[$(date)]: Could not install postfix and mailx." | tee -a "${ERROR_POINTER}" + fi + + cat <<-EOF >"/etc/postfix/generic" + + root root+${hostname} + root@localhost root+${hostname} + icinga icinga+${hostname} + icinga@localhost icinga+${hostname} + nagios nagios+${hostname} + nagios@localhost nagios+${hostname} + xymon xymon+${hostname} + xymon@localhost xymon+${hostname} + + EOF + + postmap hash:/etc/postfix/generic + + echo "Backup Postfix configuration ..." 
+ cp -pv "/etc/postfix/main.cf" \ + "/etc/postfix/main.cf.$( date -r /etc/postfix/main.cf +'%Y-%m-%d_%H:%M:%S' ).bak" + cp -pv "/etc/postfix/master.cf" \ + "/etc/postfix/master.cf.$( date -r /etc/postfix/master.cf +'%Y-%m-%d_%H:%M:%S' ).bak" + if [[ -f "/etc/postfix/virtual" ]] ; then + cp -pv "/etc/postfix/virtual" \ + "/etc/postfix/virtual.$( date -r /etc/postfix/virtual +'%Y-%m-%d_%H:%M:%S' ).bak" + fi + + local option= + for option in "${main_options_remove[@]}" ; do + echo "Removing postfix option '${option}' ..." + postconf -X "${option}" + done + + for option in "${main_options_set[@]}" ; do + echo "Setting postfix option: '${option}' ..." + postconf -e "${option}" + done + + mkdir -pv /var/tmp + cd /var/tmp + +# local url=$( echo "${GIT_REPO}" | sed -e "s/@@acount@@/${GIT_ACCOUNT}/" \ +# -e "s/@@pwd@@/${GIT_PASSWD}/" ) + local url="https://${GIT_ACCOUNT}:${GIT_PASSWD}@${GIT_SERVER}/${GIT_NAMESPACE}/${GIT_REPO_DIR}.git" + echo "Using Git URL: '${url}' ..." + + git clone "${url}" + cd "${GIT_REPO_DIR}" + + echo "Copying virtual ..." + cp -pv maps/virtual-nullclient-webmaster /etc/postfix/virtual + postmap hash:/etc/postfix/virtual + + echo "Copying master.cf ..." + cp -pv master-nullclient.cf /etc/postfix/master.cf + + cd .. + echo "Removing '${GIT_REPO_DIR}'" + rm -rf "${GIT_REPO_DIR}" + cd + + echo + echo "${HASH_LINE}" + echo "Generated main postfix configuration:" + echo + postconf -n + echo + echo "${HASH_LINE}" + echo "Generated master postfix configuration:" + echo + postconf -M + echo + +} + +#----------------------------------------------------------- +config_rsyslog_to_remote() { + + echo + echo "${HASH_LINE}" + echo + log "Adding loghost to rsyslog configuration ..." 
+ + mkdir -pv /etc/rsyslog.d + + cat <<-EOF > "/etc/rsyslog.d/loghost.conf" + \$ModLoad imklog + *.* @loghost.pixelpark.com:514 + EOF + +} + +#----------------------------------------------------------- +config_logrotate() { + + echo + echo "${HASH_LINE}" + echo + log "Configuring logrotation ..." + echo + + mkdir -pv /etc/logrotate.d + + local base_url="${COBBLER_URL}/custom/create-vmware-tpl/files" + + local tmp_file=$( mktemp ) + local url="${base_url}/logrotate.conf" + local tgt="/etc/logrotate.conf" + + echo "Getting ${url} => ${tgt} ..." + if wget -O "${tmp_file}" --dns-timeout=2 --connect-timeout=3 --read-timeout=3 "${url}" ; then + : + else + echo "[$(date)]: Could not get 'logrotate.conf' from '${url}'." | tee -a "${ERROR_POINTER}" + fi + if [[ -s "${tmp_file}" ]] ; then + cp -v "${tmp_file}" "${tgt}" + fi + + local base= + for base in btmp syslog wtmp ; do + url="${base_url}/logrotate.d.${base}" + tgt="/etc/logrotate.d/${base}" + cp -v /dev/null "${tmp_file}" + echo "Getting ${url} => ${tgt} ..." + if wget -O "${tmp_file}" --dns-timeout=2 --connect-timeout=3 --read-timeout=3 "${url}" ; then + : + else + echo "[$(date)]: Could not get '${base}' from '${url}'." 
| tee -a "${ERROR_POINTER}" + fi + if [[ -s "${tmp_file}" ]] ; then + cp -v "${tmp_file}" "${tgt}" + fi + done + + rm -v "${tmp_file}" + +} + +#----------------------------------------------------------- +main() { + + create_authkeys + import_ssh_hostkeys + create_etc_hosts + set_hostname + disable_ipv6 + install_network + manage_dns + tweak_systemd + install_epel + install_pp_tcsh_env + make_pp_dirs + misc_packages + remove_ipv6_localhost + create_motd + install_legato_networker + install_ntp + install_openvm_tools + remove_uek_packages + disable_floppy + set_root_pw + disable_root_login_pw + dist_upgrade + install_clamav + install_puppet + install_postfix + config_logrotate + config_rsyslog_to_remote + remove_ipv6_localhost + + tweak_grub + +} + + +#----------------------------------------------------------- +main "$@" + +# vim: ts=4 et list
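Review bot: The Git password for the `vmware-provisioning` account is committed in clear text (`GIT_PASSWD="…"` near the top of the file, next to the `ROOT_PW_CRYPTED` hash), and install_postfix then prints it with `echo "Using Git URL: '${url}' ..."` and passes it on the `git clone "${url}"` command line, so it lands in the console/kickstart log and in `ps` output of anyone on the box. Read the credential at run time from a root-only file or the environment, e.g. `GIT_PASSWD=$(</root/.vmware-provisioning.pw)` (path is a placeholder), log the URL with the password masked, and treat the value now in history as needing rotation. Everything the script fetches from `COBBLER_URL` (`http://192.168.88.8`) — authorized_keys, the SSH host private keys in import_ssh_hostkeys, yum repo files and GPG keys, the Legato RPMs, and the motd script that create_motd executes as root — arrives over plain HTTP with no checksum or signature check, so the template's trust root is whatever answers on that address; at minimum compare a checksum shipped with this script before installing or executing any of it, and note that install_postfix also sets `smtp_tls_security_level = none`, leaving relayed mail to `${POSTFIX_RELAYHOST}` unencrypted where `may` would keep the null client working. Two functional slips in the same hunk: in install_network `grep -v 'GATEWAY|HOSTNAME'` treats `|` literally in basic grep and removes nothing, so it needs `grep -Ev 'GATEWAY|HOSTNAME'`, and tweak_systemd links `gett@tty${i}.service` (missing the `y`), so getty.target will not pick those units up.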