From 38081c383617314a9f1b12b16b7524897e644601 Mon Sep 17 00:00:00 2001 From: Peter Palfrader Date: Fri, 13 Mar 2009 00:59:24 +0100 Subject: [PATCH] Add new-machine --- input/howto/new-machine.creole | 217 +++++++++++++++++++++++++++++++++ 1 file changed, 217 insertions(+) create mode 100644 input/howto/new-machine.creole diff --git a/input/howto/new-machine.creole b/input/howto/new-machine.creole new file mode 100644 index 0000000..427163d --- /dev/null +++ b/input/howto/new-machine.creole @@ -0,0 +1,217 @@ +== setup/integrate a new machine == + +Note: this is partially obsolete now that we have [[puppet-setup|puppet]]. We should probably update/rework some parts. + +* install ssh if it isn't there already +{{{ + apt-get install ssh +}}} + +* make apt sane +{{{ + echo 'Acquire::PDiffs "false";' > /etc/apt/apt.conf.d/local-pdiff + echo 'APT::Install-Recommends 0;' > /etc/apt/apt.conf.d/local-recommends +}}} + +* sane locales: + + make sure there is _no_ locale defined in /etc/environment and /etc/default/locale + +* make debconf the same on every host: - dialog, - high +{{{ + dpkg-reconfigure debconf +}}} + +* add db.d.o to sources.list: +{{{ + cat > /etc/apt/sources.list.d/debian.org.list << EOF +deb http://db.debian.org/debian-admin lenny main +deb-src http://db.debian.org/debian-admin lenny main +EOF + + apt-key add - << EOF +-----BEGIN PGP PUBLIC KEY BLOCK----- +Version: GnuPG v1.4.6 (GNU/Linux) + +mQGiBEf4BP0RBACfXnRhBb9HKiA3h5A1tDnluVwfkSuDX4ZXdVAuMZapdOm8r9ug +9zE/dDGWPWja+DArAPZ/i3BFvlMewmden/IFbQKtXluQVIC4GL1RBMwrtWsZzo0g +picl3CYWDAYjRdg4WppUc9FawwGw081FlLGDv7eYRO3+8uGUHfr+SD7CwwCgxJK6 +SvDX6M2Ifuq8WmgWWrVFyakD/ipdxd3NPIcnl1JTO2NjbOJYKpZMl6v0g+1OofSq +CAKTO8ymc0z6SF1j/4mWe1W76wvTpOhOUgn2WO7SQHZaujb/3z+yAJedfbCDgq0S +H/T2qbQTzv+woAjyR/e2Zpsc2DRfqO/8aCw1Jx8N3UbH9MBPYlYlyCnSra1OAyXW +VvC0A/9nT/k6VIFBF0Oq2WwmzOLptOqg61WrnxBr3GIe503++p88tOwlCJlL0uZZ +k68m3m5t7WDtQK4fHQwLramb9AqtBPhiEaXU5bXk77RYE54EeEH9Z4H4YSMMkdYU +gLG5CZI2jprxAZew1mHKROv+15jxYd+BZCrORmpWn5g7N+TC5rQeZGIuZGViaWFu +Lm9yZyBhcmNoaXZlIGtleSAyMDA4iGYEExECACYFAkf4BP0CGwMFCQHhM4AGCwkI +BwMCBBUCCAMEFgIDAQIeAQIXgAAKCRC+p88QvSsO4JZLAJ4slp2uRZHtzMXK8oTB +DV1XiztTZwCfQD7Y2mKDaMsmE4AmwOOTw2fmcZo= +=+jlJ +-----END PGP PUBLIC KEY BLOCK----- +EOF +}}} + +* in /etc/ssh/sshd_config: +** disable the DSA hostkey, so that it only does RSA +** remove old host keys:
{{{ + cd /etc/ssh/ && rm ssh_host_dsa_key ssh_host_dsa_key.pub ssh_host_key ssh_host_key.pub +}}} +** disable X11 forwarding +** Tell it to use alternate authorized_keys locations +{{{ + | HostKey /etc/ssh/ssh_host_rsa_key + | X11Forwarding no + | AuthorizedKeysFile /etc/ssh/userkeys/%u + | AuthorizedKeysFile2 /var/lib/misc/userkeys/%u + + vi /etc/ssh/sshd_config + (cd / && env -i /etc/init.d/ssh restart) +}}} + + * maybe link root's auth key there: +{{{ + mkdir -p /etc/ssh/userkeys && ln -s /root/.ssh/authorized_keys /etc/ssh/userkeys/root +}}} + + +* install userdir-ldap +{{{ + apt-get update && apt-get install userdir-ldap +}}} + + +* on samosa, add the host to /home/sshdist/.ssh/authorized_keys and generate.conf +(you want the host's rsa host key there: {{{cat /etc/ssh/ssh_host_rsa_key.pub}}}) +{{{ + :: samosa :: && sudo vi /home/sshdist/.ssh/authorized_keys + :: samosa :: && sudo vi /etc/userdir-ldap/generate.conf +}}} +* run generate, or wait until cron runs it for you +{{{ + :: samosa :: && sudo -u sshdist ud-generate +}}} + +* fix nsswitch for ud fu. +{{{ + sed -i -e 's/^passwd:[[:space:]]\+compat$/passwd: compat db/; + s/^group:[[:space:]]\+compat$/group: db compat/; + s/^shadow:[[:space:]]\+compat$/shadow: compat db/' \ + /etc/nsswitch.conf +}}} + +(you might have to restart sshd here: +{{{ + (cd / && env -i /etc/init.d/ssh restart) +}}} +) + +* on the host, run ud-replicate +{{{ + mkdir -p /root/.ssh && + echo db,db.debian.org,192.25.206.57 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAph3LozYmcwHwgnxfKia1lg1AXNuJiEroi/GpPztbcqxmFOYBZbMgYDj+kM+usoXF2diT9OQWqg1yx19CeEoghHYz4/yZa0PYdLgPj9Si4PScekVaE051GrLM63osfK0j3wIfpgLJv2/zs42NbXjkKPdjInEaWPn8W1fe88M3JDE= root@newsamosa >> /root/.ssh/known_hosts && + ud-replicate +}}} + +* check if it worked: +{{{ + id weasel +}}} + +* add pam_mkhomedir to common-session: +{{{ + grep pam_mkhomedir /etc/pam.d/common-session || \ + echo "session optional pam_mkhomedir.so skel=/etc/skel umask=0022" >> /etc/pam.d/common-session +}}} + +* install debian.org which brings you shells and much other fun +{{{ + apt-get install debian.org +}}} + +* try to login using your user and ssh key. you should get a homedir. + +* make ca-certificates sane: (choose to *not* trust new certs, and we only want the spi cert activated) +{{{ + sed -i -e 's/^[^#!].*/!&/; s#^!spi-inc.org/spi-cacert-2008.crt#spi-inc.org/spi-cacert-2008.crt#' /etc/ca-certificates.conf + dpkg-reconfigure ca-certificates +}}} + +* exim setup: +{{{{ + :: now obsolete :: && + apt-get install git-core curl && + ! [ -d /etc/exim4.bak ] && + /etc/init.d/exim4 stop && + mv /etc/exim4 /etc/exim4.bak && + mkdir /etc/exim4 && + cd /etc/exim4 && + git clone https://db.debian.org/git/dsa-exim.git Git && + ./Git/bin/update && + (cd / && /etc/init.d/exim4 start) +}}} + ** Add debian-admin@debian.org to root in /etc/aliases + +* sane default editor +{{{ + apt-get install vim && update-alternatives --set editor /usr/bin/vim.basic +}}} + +* setup sudo +{{{ + grep '^%adm' /etc/sudoers || echo '%adm ALL=(ALL) ALL' >> /etc/sudoers + grep '^%adm.*apt-get' /etc/sudoers || echo '%adm ALL=(ALL) NOPASSWD: /usr/bin/apt-get update, /usr/bin/apt-get dist-upgrade, /usr/bin/apt-get clean, /usr/sbin/samhain -t check -i -p err -s none -l none -m none' >> /etc/sudoers + + apt-get install libpam-pwdfile + cat > /etc/pam.d/sudo << EOF +#%PAM-1.0 + +auth [authinfo_unavail=ignore success=done ignore=ignore default=die] pam_pwdfile.so pwdfile=/var/lib/misc/thishost/sudo-passwd +auth required pam_unix.so nullok_secure try_first_pass +#@include common-auth +@include common-account + +session required pam_permit.so +session required pam_limits.so +EOF +}}} + +* OPEN A NEW SHELL - DO _NOT_ LOG OUT OF THIS ONE:
+ test that the dedicated sudo password works. if not, undo the pam sudo config. + (comment out the auth lines and include common-auth again) + +* setup ldap.conf: +{{{ + grep '^URI.*db.debian.org' /etc/ldap/ldap.conf || cat >> /etc/ldap/ldap.conf << EOF + +URI ldap://db.debian.org +BASE dc=debian,dc=org + +TLS_CACERT /etc/ssl/certs/spi-cacert-2008.pem +TLS_REQCERT hard +EOF +}}} + +* munin setup: +* grant access to spohr +{{{ + sed -i -e '/^allow/d; $ a \allow ^192\\\.25\\\.206\\\.57$\nallow ^192\\\.25\\\.206\\\.33$' /etc/munin/munin-node.conf + ( cd / && env -i /etc/init.d/munin-node restart ) +}}} +* add to munin on spohr +{{{ + :: spohr :: && sudo vi /etc/munin/munin.conf +}}} + + +* add host to nagios config + +* disable password auth with ssh, once you verified you can log in + and become root using keys. +{{{ + vi /etc/ssh/sshd_config + | PasswordAuthentication no + (cd / && env -i /etc/init.d/ssh restart) +}}} + +* if it is a HP Proliant, or has other management fu, read setup-oob + +-- weasel, Wed, 04 Jun 2008 20:52:56 +0200 -- 2.20.1