input/howto/new-machine.creole

   1 == setup/integrate a new machine ==
   2
   3 Note: this is partially obsolete now that we have [[puppet|howto/puppet-setup]].  We should probably update/rework some parts.
   4
   5 * install ssh if it isn't there already
   6 {{{
   7     apt-get install ssh
   8 }}}
   9
  10 * make apt sane
  11 {{{
  12     echo 'Acquire::PDiffs "false";' > /etc/apt/apt.conf.d/local-pdiff
  13     echo 'APT::Install-Recommends 0;' > /etc/apt/apt.conf.d/local-recommends
  14 }}}
  15
  16 * sane locales: (make sure there is _no_ locale defined in /etc/environment and /etc/default/locale)
  17 {{{
  18    echo -n > /etc/environment
  19    echo -n > /etc/default/locale
  20 }}}
  21
  22 * make debconf the same on every host: - dialog, - high
  23 {{{
  24     apt-get install dialog &&
  25     echo "debconf debconf/priority        select high" | debconf-set-selections &&
  26     echo "debconf debconf/frontend        select Dialog" | debconf-set-selections
  27 }}}
  28
  29 * add db.d.o to sources.list:
  30 {{{
  31     cat > /etc/apt/sources.list.d/debian.org.list << EOF
  32 deb     http://db.debian.org/debian-admin lenny main
  33 deb-src http://db.debian.org/debian-admin lenny main
  34 EOF
  35
  36     apt-key add - << EOF
  37 -----BEGIN PGP PUBLIC KEY BLOCK-----
  38 Version: GnuPG v1.4.9 (GNU/Linux)
  39
  40 mQGiBEf4BP0RBACfXnRhBb9HKiA3h5A1tDnluVwfkSuDX4ZXdVAuMZapdOm8r9ug
  41 9zE/dDGWPWja+DArAPZ/i3BFvlMewmden/IFbQKtXluQVIC4GL1RBMwrtWsZzo0g
  42 picl3CYWDAYjRdg4WppUc9FawwGw081FlLGDv7eYRO3+8uGUHfr+SD7CwwCgxJK6
  43 SvDX6M2Ifuq8WmgWWrVFyakD/ipdxd3NPIcnl1JTO2NjbOJYKpZMl6v0g+1OofSq
  44 CAKTO8ymc0z6SF1j/4mWe1W76wvTpOhOUgn2WO7SQHZaujb/3z+yAJedfbCDgq0S
  45 H/T2qbQTzv+woAjyR/e2Zpsc2DRfqO/8aCw1Jx8N3UbH9MBPYlYlyCnSra1OAyXW
  46 VvC0A/9nT/k6VIFBF0Oq2WwmzOLptOqg61WrnxBr3GIe503++p88tOwlCJlL0uZZ
  47 k68m3m5t7WDtQK4fHQwLramb9AqtBPhiEaXU5bXk77RYE54EeEH9Z4H4YSMMkdYU
  48 gLG5CZI2jprxAZew1mHKROv+15jxYd+BZCrORmpWn5g7N+TC5rQeZGIuZGViaWFu
  49 Lm9yZyBhcmNoaXZlIGtleSAyMDA4iGYEExECACYCGwMGCwkIBwMCBBUCCAMEFgID
  50 AQIeAQIXgAUCSdlA9AUJA8JvcwAKCRC+p88QvSsO4AoeAJ0dY+rDwxNVR6HPs8JZ
  51 xLceOYU/hgCeNW1KkOXrSt2Lv8PVWXnr5jHNZSo=
  52 =4LFD
  53 -----END PGP PUBLIC KEY BLOCK-----
  54 EOF
  55 }}}
  56
  57 * in /etc/ssh/sshd_config:
  58 ** disable the DSA hostkey, so that it only does RSA
  59 ** remove old host keys:
  60 ** disable X11 forwarding
  61 ** Tell it to use alternate authorized_keys locations
  62 ** maybe link root's auth key there:
  63 {{{
  64     #| HostKey /etc/ssh/ssh_host_rsa_key
  65     #| X11Forwarding no
  66     #| AuthorizedKeysFile /etc/ssh/userkeys/%u
  67     #| AuthorizedKeysFile2 /var/lib/misc/userkeys/%u
  68
  69     cd /etc/ssh/ && rm -f ssh_host_dsa_key ssh_host_dsa_key.pub ssh_host_key ssh_host_key.pub &&
  70     mkdir -p /etc/ssh/userkeys && ln -s /root/.ssh/authorized_keys /etc/ssh/userkeys/root &&
  71     sed -i -e 's/^HostKey.*_dsa_key/# &/;
  72                s/^X11Forwarding yes/X11Forwarding no/;
  73                $ a AuthorizedKeysFile /etc/ssh/userkeys/%u
  74                $ a AuthorizedKeysFile2 /var/lib/misc/userkeys/%u' sshd_config &&
  75     (cd / && env -i /etc/init.d/ssh restart)
  76 }}}
  77
  78
  79
  80 * install userdir-ldap
  81 {{{
  82     apt-get update && apt-get install userdir-ldap
  83 }}}
  84
  85
  86 * on draghi, add the host to /home/sshdist/.ssh/authorized_keys and generate.conf
  87 (you want the host's rsa host key there: {{{cat /etc/ssh/ssh_host_rsa_key.pub}}})
  88 {{{
  89     : :: draghi :: && sudo vi /home/sshdist/.ssh/authorized_keys
  90     : :: draghi :: && sudo vi /etc/userdir-ldap/generate.conf
  91 }}}
  92 * run generate, or wait until cron runs it for you
  93 {{{
  94     : :: draghi :: && sudo -u sshdist ud-generate
  95 }}}
  96
  97 * fix nsswitch for ud fu.  (you might have to restart sshd here)
  98 {{{
  99     sed -i -e 's/^passwd:\[[:space:]]\+compat$/passwd:         compat db/;
 100               s/^group:\[[:space:]]\+compat$/group:          db compat/;
 101               s/^shadow:\[[:space:]]\+compat$/shadow:         compat db/' \
 102         /etc/nsswitch.conf
 103     (cd / && env -i /etc/init.d/ssh restart)
 104 }}}
 105
 106 * on the host, run ud-replicate
 107 {{{
 108     echo draghi.debian.org,draghi,db.debian.org,db,82.195.75.106,::ffff:82.195.75.106 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAy1mAS0xIOZH9OrJZf1Wv9qYORv5Z5fmpF0o8Y4IMdS+ZzTjN1Sl8M77jaFTJbumJNs+n2CMcX8CoMemQEPBoRe20a5t3dExPQ3c7FNU0z+WIVFbu/oTTkAWGp5gCDwF3pg2QxUjqYc0X4jpv6pkisyvisij6V/VJ5G1hsIMuKqrCKYyyyiJJytfzSfRrBx2QvB5ZWQxhYeSYDoLDvuF31qUy4TLZ/HR3qZQ1cBrP9dCh5d+GQxdY9LuO6zjlnSyU64GHkyjYt3p03AKG4plD7WHX01bD0DQQ/NOFVwFhOZ63mePyridPuqBMFW39jBf4jSsewV95RE5VbY04+MY4XQ== root@draghi >> /etc/ssh/ssh_known_hosts &&
 109     ud-replicate
 110 }}}
 111
 112 * check if it worked:
 113 {{{
 114     id weasel
 115 }}}
 116
 117 * install debian.org which brings you shells and much other fun
 118 {{{
 119     apt-get install debian.org
 120 }}}
 121
 122 * make ca-certificates sane:  (choose to *not* trust new certs, and we only want the spi cert activated)
 123 {{{
 124     echo "ca-certificates ca-certificates/trust_new_crts  select no" | debconf-set-selections
 125     sed -i -e 's/^[^#!].*/!&/; s#^!spi-inc.org/spi-cacert-2008.crt#spi-inc.org/spi-cacert-2008.crt#' /etc/ca-certificates.conf
 126     dpkg-reconfigure ca-certificates
 127 }}}
 128
 129 * Add debian-admin@debian.org to root in /etc/aliases
 130 {{{
 131         if ! egrep '^root:' /etc/aliases > /dev/null; then
 132                 echo "root: debian-admin@debian.org" >> /etc/aliases
 133         elif ! egrep '^root:.*debian-admin@debian.org' /etc/aliases > /dev/null; then
 134                 sed -i -e 's/^root: .*/&, debian-admin@debian.org/' /etc/aliases
 135         fi
 136         newaliases
 137 }}}
 138
 139 * sane default editor
 140 {{{
 141     apt-get install vim && update-alternatives --set editor /usr/bin/vim.basic
 142 }}}
 143
 144 * add to munin on spohr
 145 {{{
 146     : :: spohr :: && sudo vi /etc/munin/munin.conf
 147 }}}
 148
 149
 150 * disable password auth with ssh, once you verified you can log in
 151   and become root using keys.
 152 {{{
 153     #vi /etc/ssh/sshd_config
 154     #  | PasswordAuthentication no
 155
 156     sed -i -e 's/^PasswordAuthentication yes/PasswordAuthentication no/' /etc/ssh/sshd_config &&
 157     (cd / && env -i /etc/init.d/ssh restart)
 158 }}}
 159
 160 * if it is a HP Proliant, or has other management fu, read [[howto/ilo-https]]
 161
 162 * setup [[puppet|howto/puppet-setup]]
 163
 164 * try to login using your user and ssh key.  you should get a homedir.
 165
 166 * edit dedication into in $DSA-PUPPET/modules/debian-org/misc/local.yaml
 167
 168 * add to nagios
 169
 170 * add host to ldap: ud-host -a $USER -h ....
 171
 172 -- weasel, Wed, 04 Jun 2008 20:52:56 +0200