- set up debian system on zfs: follow [1]
Start with this!!! Set disk.EnableUUID = "TRUE" in the vmx file or vsphere configuration. Doing this ensures that /dev/disk aliases are created in the guest.
- install emqx: follow [2]
- install packages
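#!/usr/bin/env bash
# Provision a FELIX broker node on a fresh Debian/ZFS VM: LDAP logins via
# nslcd, a Postfix satellite relay, the rsnapshot rsync account, monit and
# the persistent interface names the rest of the setup expects.
#
# Run as root:   PASSWORD='...' bash provision.sh    (or let it prompt)
# Everything lives in main() so the file can also be pasted into a root
# shell; critical steps `return 1` from main instead of killing that shell,
# which is also why `set -e` is not enabled here.
#
# Globals read:  PASSWORD  relay password of the feloperator account
#                          (prompted for, without echo, if unset or empty)

#######################################
# Write a systemd .link file that pins a stable name to a NIC, matched by
# its MAC address. The MAC is read from sysfs: the original
# `ip a show X | grep link` also matched the "scope link" line of an IPv6
# link-local address and leaked a second line into MACAddress=.
# Arguments: $1 current kernel name (e.g. ens192)
#            $2 name to assign (e.g. eth14)
#            $3 .link file to write
# Returns:   non-zero if the NIC does not exist
#######################################
write_link_file() {
  local current=$1 wanted=$2 out=$3 mac
  mac=$(cat "/sys/class/net/${current}/address") || return 1
  printf '[Match]\nMACAddress=%s\n[Link]\nName=%s\n' "$mac" "$wanted" > "$out"
}

#######################################
# Write an ifupdown stanza for a DHCP interface.
# Arguments: $1 interface name
#######################################
write_dhcp_iface() {
  local iface=$1
  printf 'auto %s\niface %s inet dhcp\n' "$iface" "$iface" \
    > "/etc/network/interfaces.d/${iface}"
}

#######################################
# Install a /etc/sudoers.d fragment with sudo's documented 0440 mode and
# validate it, so a typo cannot break sudo for every account on the box.
# Arguments: $1 fragment name under /etc/sudoers.d
#            $2 fragment content (a trailing newline is appended)
# Returns:   non-zero (and removes the fragment) if visudo rejects it
#######################################
write_sudoers_fragment() {
  local content=$2 file="/etc/sudoers.d/$1"
  printf '%s\n' "$content" > "$file"
  chmod 0440 "$file"
  if ! visudo -cf "$file"; then
    printf 'invalid sudoers fragment %s, removing it\n' "$file" >&2
    rm -f -- "$file"
    return 1
  fi
}

#######################################
# Whole provisioning run; see the file header.
# Globals:   PASSWORD (read)
# Returns:   0 on success, 1 when a critical step fails
#######################################
main() {
  local password=${PASSWORD:-} pkgs host fqdn

  if [[ -z "$password" ]]; then
    read -r -s -p 'feloperator password: ' password
    printf '\n'
  fi

  # --- LDAP / Postfix installer answers -----------------------------------
  # ldap-reqcert=demand makes nslcd verify the LDAPS server certificate. The
  # original line was missing its opening quote, so that answer (and part of
  # the ldap-base one) never reached debconf-set-selections as intended.
  debconf-set-selections <<EOF || return 1
nslcd nslcd/ldap-uris string ldaps://ldap2.science.ru.nl/
nslcd nslcd/ldap-reqcert select demand
nslcd nslcd/ldap-base string dc=science,dc=ru,dc=nl
libnss-ldapd libnss-ldapd/nsswitch multiselect group, passwd, shadow
postfix postfix/mailname string $(hostname -f)
postfix postfix/main_mailer_type string 'Satellite system'
postfix postfix/relayhost string [smtp.science.ru.nl]:587
EOF

  pkgs=(
    libpam-ldapd libnss-ldapd postfix screen mc links monit nfs-common dnsutils
    git ntp p7zip locate net-tools usbutils nmap build-essential open-vm-tools
    simplesnap traceroute vnstat zfsnap pv lsof curl keepalived haproxy apache2
    ufw
  )
  apt-get install -y "${pkgs[@]}" || return 1

  # --- NTP: local time sources instead of the Debian pool ------------------
  sed -i.bak -e 's/pool\ 0.debian.pool.ntp.org\ iburst/server isolator/' /etc/ntp.conf
  sed -i -e 's/pool\ 1.debian.pool.ntp.org\ iburst/server felixdisk/' /etc/ntp.conf
  sed -i -e 's/pool\ 2.debian.pool.ntp.org\ iburst//' /etc/ntp.conf
  sed -i -e 's/pool\ 3.debian.pool.ntp.org\ iburst//' /etc/ntp.conf
  # Backgrounded as in the original recipe (presumably so a slow restart does
  # not stall the run) — TODO confirm this is still wanted.
  service ntp restart &

  # --- SSH / sudo / PAM for the admin groups --------------------------------
  # Debian's sshd_config includes only /etc/ssh/sshd_config.d/*.conf, so the
  # original file name "fftadmin" (no suffix) was never read and AllowGroups
  # was not enforced. The setting applies on the next sshd reload/restart;
  # make sure your own account is in one of these groups before that.
  printf 'AllowGroups fftadmin rsync victor\n' > /etc/ssh/sshd_config.d/fftadmin.conf
  sshd -t || return 1

  write_sudoers_fragment fftadmin '%fftadmin ALL=(ALL:ALL) ALL' || return 1

  # Create home directories for LDAP users on first login. This appends to a
  # shared file, so the step is not idempotent.
  printf 'session required pam_mkhomedir.so skel=/etc/skel/ umask=0022\n' >> /etc/pam.d/common-session
  sed -i.bak -e 's/session\toptional\tpam_systemd.so/#session\toptional\tpam_systemd.so/' /etc/pam.d/common-session
  # Presumably skips the local pam_unix check for LDAP uids (>= 1001) —
  # confirm against the module order in common-auth. pam-auth-update may
  # rewrite this file later; TODO check the edits survive it.
  sed -i.bak -e '/"Primary" block)/aauth [success=1 default=ignore] pam_succeed_if.so uid >= 1001 quiet' /etc/pam.d/common-auth
  sed -i -e 's/minimum_uid=1000\ use_first_pass/minimum_uid=1001\ try_first_pass/' /etc/pam.d/common-auth

  # --- rsync account used for backups from o-isolator -----------------------
  addgroup --gid 900 rsync
  adduser --uid 900 --gid 900 --disabled-password --gecos "" rsync
  install -d -m 700 -o rsync -g rsync /home/rsync/.ssh
  # NOTE(review): these keys carry no command=/from= restriction and the
  # sudoers fragment below lets the rsync user run /usr/bin/rsync as root with
  # any arguments; restrict the keys once the client-side invocation is known.
  cat >> /home/rsync/.ssh/authorized_keys <<'EOF'
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDU5CrXOd9rXUwU967RkgMfajV76paiMTsXJD+KCIjUFaHjSlYmDTTwkQLCPEZi1NqgsLtGNpVoGTdrOMxaG7q4DxdSYZj2rln5KZKh+pXtSkpcNETcwdoWJZi/IXnGzdQLTQM9fzeTjcQl+zU7mW9eMJET2b+7JFJzdBeU6RJg6MNldqkQ10F1vIlScMWsEgY/XMSWv3SDaIl5SgO1jJp+5sH2yrfxqG3FbvXI8gfGYRr4e5lPDUCX+GtvyjWdkL7juF7dnxRbe4y8NNtNbykF1tugsJdRjHvok2hziDFxJBP7tdKdLCyEQq1GREgLaycLX9+b9Tq9126VEK9i4yHn rsync@o-isolator
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC1PqnsBvNaqs2+hhcaDiCpiTHQExMG2WqP6Wjr1FO6HO/dvO1JG+p481Xfhp9e4zHuoDVz4hywdY2tOvseRphg6EOedTV+sD51G59i859O3RJdpxJyhUYqNEV9I1+TJ+KPxhi1XaYMPK1UF+lD30wao2H0pVSyo6jqA8EakW/h0I3gvzCA8IDlly3FGYK4T51+7XgttZtxb3jXFwr1FxA0bigPnRVO8J0cUJOlY5qMXg8E8mK28evLnVsczPVnxTE4i5jb9KSBVpjKk+Tk1JdzDwUflfj4bYocemaNkFHrbOCTq9vHjSNKAGsN7ZOmp0hJY/AlkSjqTP/7g/6qMADx root@o-isolator
EOF
  chown rsync:rsync /home/rsync/.ssh/authorized_keys
  chmod 600 /home/rsync/.ssh/authorized_keys

  # Wrapper presumably invoked by the backup client via rsync --rsync-path
  # (confirm): logs the request, then runs rsync as root via sudo.
  cat > /home/rsync/rsync-wrapper.sh <<'EOF'
#!/bin/sh
date >> "$HOME/backuplog"
printf '%s\n' "$*" >> "$HOME/backuplog"
exec /usr/bin/sudo /usr/bin/rsync "$@"
EOF
  chmod +x /home/rsync/rsync-wrapper.sh
  chown rsync:rsync /home/rsync/rsync-wrapper.sh
  write_sudoers_fragment rsnapshot $'#rsnapshot backup\nrsync ALL=NOPASSWD: /usr/bin/rsync' || return 1

  # --- monit ---------------------------------------------------------------
  # monit refuses to start when monitrc is readable by group/other.
  printf 'set daemon 15 \nset logfile /var/log/monit.log \nset idfile /var/lib/monit/id \nset statefile /var/lib/monit/state\n set eventqueue\n\tbasedir /var/lib/monit/events \n\tslots 100 \n\tset httpd port 2812 and\n\tallow @fftadmin\n\tallow @feloperator\n\tallow localhost\n\tallow 192.168.14.0/24\n\ninclude /etc/monit/conf.d/*\n' > /etc/monit/monitrc
  chmod 600 /etc/monit/monitrc
  service monit restart

  # --- Postfix satellite: relay everything via smtp.science.ru.nl ----------
  host=$(hostname)
  fqdn=$(hostname -f)
  printf '@%s v.claessen@science.ru.nl\n@%s v.claessen@science.ru.nl\n' "$host" "$fqdn" > /etc/postfix/generic
  postmap /etc/postfix/generic
  # smtp_use_tls = yes is opportunistic TLS only; the relay password would be
  # sent in clear if STARTTLS were unavailable. smtp_tls_security_level =
  # encrypt would enforce it — kept as in the original pending a check of the
  # relay.
  printf 'smtp_generic_maps = hash:/etc/postfix/generic\nsmtp_sasl_auth_enable = yes\nsmtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd\nsmtp_sasl_security_options =\nsmtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt\nsmtp_use_tls = yes\n' >> /etc/postfix/main.cf
  usermod -c "root@${host}" root
  printf '# /etc/aliases\n*: claessen@science.ru.nl\nvictor: claessen@science.ru.nl\nroot: claessen@science.ru.nl\n' > /etc/aliases
  newaliases
  if [[ -z "$password" ]]; then
    printf 'no relay password given; not writing /etc/postfix/sasl_passwd\n' >&2
    return 1
  fi
  # Create the credentials file unreadable to others from the start rather
  # than chmod-ing it after it has been written with the default umask, and
  # pass the password as a %s argument so a '%' or '\' in it cannot be taken
  # as a printf directive (the original put it in the format string).
  (umask 077 && printf 'smtp.science.ru.nl feloperator:%s\n' "$password" > /etc/postfix/sasl_passwd) || return 1
  chmod 600 /etc/postfix/sasl_passwd
  postmap /etc/postfix/sasl_passwd
  service postfix restart
  unset password

  # --- Network: stable interface names and addressing ----------------------
  write_dhcp_iface eth14
  write_dhcp_iface eth814
  write_dhcp_iface eth914
  # The hostname's last character (presumably the node number) selects the
  # ESXi-side address. ifupdown's keyword is "netmask"; the original wrote
  # "subnet", which is not an inet static option, so the mask was presumably
  # never applied.
  printf 'auto ethesxi\niface ethesxi inet static\n address 10.91.1.%s\n netmask 255.255.0.0\n' "${host: -1}" > /etc/network/interfaces.d/ethesxi
  rm -f -- /etc/network/interfaces.d/ens192
  write_link_file ens192 eth14   /etc/systemd/network/10-science.link || return 1
  write_link_file ens256 eth814  /etc/systemd/network/40-machine.link || return 1
  write_link_file ens161 eth914  /etc/systemd/network/30-user.link    || return 1
  write_link_file ens193 ethesxi /etc/systemd/network/50-esxi.link    || return 1
  systemctl restart systemd-udev-trigger
}

main "$@"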
config
# Allow binding to addresses that are not (yet) local — presumably so haproxy
# can bind the keepalived VIP on the standby node; confirm. Persisted under
# sysctl.d and applied immediately.
printf 'net.ipv4.ip_nonlocal_bind=1\nnet.ipv6.ip_nonlocal_bind=1\n\n' >> /etc/sysctl.d/99-sysctl.conf
sysctl -f /etc/sysctl.d/99-sysctl.conf
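# haproxy accepts a directory for -f (files loaded in lexical order), so give
# the service a haproxy.d/ drop-in directory instead of the single haproxy.cfg.
mkdir -p /etc/haproxy/haproxy.d
# Patch a copy of the unit under /etc/systemd/system (which takes precedence)
# rather than the vendor file in /lib/systemd/system: the next haproxy package
# upgrade would overwrite the vendor file and silently revert to haproxy.cfg.
# The original sed pattern also matched the literal "John" — presumably a
# paste leftover — which is dropped here.
cp /lib/systemd/system/haproxy.service /etc/systemd/system/haproxy.service
sed -i 's#/haproxy\.cfg#/haproxy.d#' /etc/systemd/system/haproxy.service
systemctl daemon-reload
# TODO: keepalived, copy from somewhere? then apply default priority based on
#       100-hostname? (i.e. 99 on felixbrokernode1)
# TODO: haproxy, copy from somewhere? also needs hostname updates somewhere,
#       template and sed?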
#######################################
# Open one port to one source network, with an audit comment.
# Arguments: $1 source network, $2 port, $3 rule comment
#######################################
allow_from() {
  ufw allow from "$1" to any port "$2" comment "$3"
}

# Host firewall rules. ufw stores them but enforces nothing until
# `ufw enable` has been run, which this snippet does not do.
ufw allow ssh
ufw allow to 224.0.0.18 comment "keepalived VRRP multicast"
ufw allow to 239.192.0.1 comment "EMQX autocluster multicast"
# NOTE(review): 10.91.1.1/24 has host bits set; the intended network is
# presumably 10.91.1.0/24 — confirm.
allow_from 10.91.1.1/24    5370  "emqx cluster communication"
allow_from 10.91.1.1/24    11883 "haproxy to emqx cluster node"
allow_from 192.168.14.0/24 8404  "haproxy stats"
# perhaps replace this with apache2 reverse proxy
# TODO: get X from somewhere and replace below
# NOTE(review): X is presumably the node number (cf. "99 on felixbrokernode1"
# in the keepalived note above); the ServerName could also live in an
# apache2 conf-available snippet instead of the top of apache2.conf — confirm.
# sed -i '1s/^/ServerName felixbrokernodeX.fxmnet.science.ru.nl\n/' /etc/apache2/apache2.conf