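#!/bin/bash
#
# forksand-bootstrap-hk3
#
# GPLv3+
#
# Initial setup and configuration of a fresh Debian Stretch host that
# will become the Proxmox node "hk3".  Run once, as root, on the new
# machine.  Every command is traced (set -x) into
# /root/bootstrap-hk3.log and /root/bootstrap-hk3.err, and /etc is put
# under git so each step can be reviewed afterwards.
#
# NOTE(review): the script runs without `set -e`, so a failing step
# (a package download, a sed that matched nothing) does not stop the
# steps after it.  Read the .err log after a run before trusting the
# result.

# Log script: stdout is copied to the .log file via tee (and still shown
# on the terminal); stderr -- which is also where the set -x trace
# goes -- is written to the .err file.
exec > >(tee /root/bootstrap-hk3.log) 2>/root/bootstrap-hk3.err

# Prefix each traced command with its line number so entries in the
# .err log can be matched back to this file.
PS4='+ line ${LINENO}: '
set -x

# Set locale: generate en_US.UTF-8 and make it the system default.
# update-locale only writes the variables it is given, so the LANG=
# argument is what actually sets /etc/default/locale.
echo "en_US.UTF-8 UTF-8" > /etc/locale.gen
locale-gen
update-locale LANG=en_US.UTF-8

# XXX Set timezone. /etc/localtime is what libc reads; /etc/timezone is
# what Debian's tzdata package reads, so keep the two in sync.
ln -sf /usr/share/zoneinfo/America/Denver /etc/localtime
echo "America/Denver" > /etc/timezone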
# Set up git for tracking. XXX Ansible... XXX
#
# /etc is turned into a git repository so every later step of this
# script leaves a reviewable commit.  Caveat for anyone handling this
# host: the repository's object store ends up holding copies of
# everything under /etc that is not ignored below -- shadow, gshadow,
# the ssh host private keys -- so /etc/.git is made root-only right
# after it is created and must stay that way (and must not be copied
# into backups that are less protected than /etc itself).
apt-get -y install git sudo

cd /etc
git init
chmod og-rwx /etc/.git

# Files that change on their own (caches, runtime state) and would only
# produce noise in the history.
printf '%s\n' \
    prelink.cache \
    '*.swp' \
    ld.so.cache \
    adjtime \
    blkid.tab \
    blkid.tab.old \
    mtab \
    resolv.conf \
    asound.state \
    mtab.fuselock \
    aliases.db \
    > /etc/.gitignore

# Identity used for the commits made by this script (stored in root's
# ~/.gitconfig).
git config --global user.name "debian"
git config --global user.email git@localhost

# Later sections run `git add` with absolute paths and rely on the
# working directory already being /etc, so this cd is load-bearing.
cd /etc
git add .
git commit -a -m 'Set up new Debian Stretch hk3 server.'
# SET UP APT
#
# Plain http is used here: apt-transport-https is not installed until
# the base-package step further down, and APT verifies the release
# signatures regardless of transport.  Switch these to https once that
# package is in place if the network path is not trusted.
cat > /etc/apt/sources.list <<'EOF'
deb http://mirrors.kernel.org/debian/ stretch-backports main
deb http://mirrors.kernel.org/debian/ stretch main
deb http://mirrors.kernel.org/debian/ stretch-updates main
deb http://security.debian.org/ stretch/updates main
EOF

# Make apt use IPv4:
apt_ipv4_conf=/etc/apt/apt.conf.d/99force-ipv4
echo 'Acquire::ForceIPv4 "true";' | tee "$apt_ipv4_conf"

# Commit that file on its own (cwd is /etc from the git setup above),
# then sweep up the rest of the apt changes.
git add "$apt_ipv4_conf"
git commit -m "Force APT to use IPv4, not IPv6." "$apt_ipv4_conf"

cd /etc
git add .
git commit -a -m 'Set up apt.'
# UPGRADE SERVER
#
# Fetch everything first so a network failure shows up before any
# package is unpacked, then apply.  --force-confnew takes the package
# maintainer's version of every conffile; the sshd/sudoers hardening
# comes later in this script, so nothing of ours can be overwritten at
# this point.
apt-get update
apt-get -y dist-upgrade --download-only

dpkg_opts=(-o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confnew")
DEBIAN_FRONTEND=noninteractive apt-get -y "${dpkg_opts[@]}" dist-upgrade

cd /etc
git add .
git commit -a -m 'Update base install'
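# Base packages.  The list is defined once and used for both the
# download-only pass and the real install so the two cannot drift apart
# (the original spelled the same list out twice).
base_pkgs=(
    apt-transport-https
    bzip2
    ca-certificates
    colordiff
    cpufrequtils
    curl
    debian-archive-keyring
    exuberant-ctags
    git
    host
    less
    locales
    lsb-release
    man-db
    manpages
    molly-guard
    net-tools
    ntp
    openssh-server
    postfix
    python3
    rsync
    telnet
    traceroute
    vim
    vim-scripts
)

# Fetch first, so a mirror problem is visible before anything is
# unpacked; --no-install-recommends keeps the footprint (and the attack
# surface) down.
apt-get -y --download-only install \
    --no-install-recommends \
    "${base_pkgs[@]}"

# --force-confnew: accept package-default conffiles.  The sshd and
# sudoers hardening runs after this step, so nothing of ours is
# overwritten here.
DEBIAN_FRONTEND=noninteractive apt-get -y \
    -o Dpkg::Options::="--force-confdef" \
    -o Dpkg::Options::="--force-confnew" \
    install \
    --no-install-recommends \
    "${base_pkgs[@]}"

cd /etc
git add .
git commit -a -m 'Install base packages'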
# Speed up: pin the CPU frequency governor to "performance".
printf 'GOVERNOR="performance"\n' > /etc/default/cpufrequtils
/etc/init.d/cpufrequtils restart

cd /etc
git add .
git commit -a -m 'Set up cpufrequtils'
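# Small user tweaks
echo :syntax on > ~/.vimrc
# jebba's home only exists if the account was created before this
# script ran (the script never creates it); skip rather than leave a
# stray root-owned file behind.
if [[ -d /home/jebba ]]; then
    echo :syntax on > /home/jebba/.vimrc
    chown jebba:jebba /home/jebba/.vimrc
fi
echo export EDITOR=vi >> /root/.bashrc

# XXX Passwordless sudo XXX Ya, probably remove
#
# Every member of %sudo gets NOPASSWD: ALL.  That is a bootstrapping
# convenience and should go once config management takes over (see the
# XXX above).
#
# Editing /etc/sudoers with sed and no syntax check is how you lose sudo
# entirely: a malformed sudoers makes sudo refuse to run at all.  So the
# edit is made on a copy, validated with visudo -c, and only then moved
# into place.
sudoers_tmp=$(mktemp /etc/sudoers.XXXXXX)
cp -p /etc/sudoers "$sudoers_tmp"
sed -i -e 's/%sudo\tALL=(ALL:ALL) ALL/%sudo ALL=(ALL) NOPASSWD: ALL/g' "$sudoers_tmp"
if visudo -c -f "$sudoers_tmp"; then
    mv "$sudoers_tmp" /etc/sudoers
    chmod 0440 /etc/sudoers
else
    echo "ERROR: edited sudoers failed visudo -c; leaving /etc/sudoers unchanged" >&2
    rm -f "$sudoers_tmp"
fi

adduser jebba sudo

cd /etc
git add .
git commit -a -m 'Set up passwordless sudo'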
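# SSH config XXX sed cruft
#
# Hardening: root only by key, no password auth anywhere, no X11
# forwarding, explicit KEX/cipher lists, and an AllowUsers whitelist.
#
# Two guards against locking ourselves out, which the plain
# sed-then-restart version did not have:
#  1. With PasswordAuthentication off, a key must already be in
#     authorized_keys or the next login fails.  If neither root nor
#     jebba has one, the hardened config is NOT installed and a warning
#     is printed instead.
#  2. The edits are made on a copy and checked with `sshd -t` before
#     they replace /etc/ssh/sshd_config; a config sshd refuses to parse
#     would otherwise leave the daemon down after the restart.
sshd_tmp=$(mktemp)
cp -p /etc/ssh/sshd_config "$sshd_tmp"

sed -i \
    -e 's/PermitRootLogin yes/PermitRootLogin prohibit-password/g' \
    -e 's/\#PermitRootLogin prohibit-password/PermitRootLogin prohibit-password/g' \
    -e 's/\#PasswordAuthentication yes/PasswordAuthentication no/g' \
    -e 's/\#X11Forwarding yes/X11Forwarding no/g' \
    "$sshd_tmp"

echo 'KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256' >> "$sshd_tmp"

echo 'Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr' >> "$sshd_tmp"

# Need to update/fix for Debian Buster (testing/10). This line breaks
# Buster -- most likely because hmac-ripemd160 is no longer offered by
# the newer OpenSSH there, and sshd rejects a MACs line naming an
# unknown MAC.  Drop the ripemd entries before re-enabling it.
#echo 'MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com' >> "$sshd_tmp"

# XXX Add admins as only allowed ssh users
# XXX add user for ansbile
echo "AllowUsers jebba root" >> "$sshd_tmp"

have_key=0
for keyfile in /root/.ssh/authorized_keys /home/jebba/.ssh/authorized_keys; do
    [[ -s "$keyfile" ]] && have_key=1
done

if (( have_key == 0 )); then
    echo "WARNING: no authorized_keys for root or jebba; not installing key-only sshd_config (it would lock you out)" >&2
    rm -f "$sshd_tmp"
elif ! sshd -t -f "$sshd_tmp"; then
    echo "ERROR: new sshd_config fails 'sshd -t'; leaving /etc/ssh/sshd_config unchanged" >&2
    rm -f "$sshd_tmp"
else
    mv "$sshd_tmp" /etc/ssh/sshd_config
    chmod 0644 /etc/ssh/sshd_config
    cd /etc
    git add .
    git commit -a -m 'Set up sshd'
    systemctl restart sshd
fi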
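# Startup XXX disable unneeded.
#
# update-rc.d only touches SysV rc symlinks; a service that is a native
# systemd unit is unaffected (use systemctl disable for those).  If
# installing postfix above already replaced exim4, that call simply
# fails and the loop moves on.
for svc in rsync exim4 saned; do
    echo "$svc"
    /usr/sbin/update-rc.d "$svc" disable
done

# XXX KILL THIS, listening on public port (firewalled, but still):
# tcp 0 0 0.0.0.0:5355 0.0.0.0:* LISTEN 296/systemd-resolve
#
# Port 5355 is systemd-resolved's LLMNR responder.  Turn LLMNR off via a
# resolved.conf drop-in so it stops listening; resolved is only
# restarted if it is actually running.
mkdir -p /etc/systemd/resolved.conf.d
printf '[Resolve]\nLLMNR=no\n' > /etc/systemd/resolved.conf.d/no-llmnr.conf
if systemctl is-active --quiet systemd-resolved; then
    systemctl restart systemd-resolved
fi

cd /etc
git add .
git commit -a -m 'Turn off junk on boot'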
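# GRUB
sed -i -e 's/^GRUB_TIMEOUT=5/GRUB_TIMEOUT=4/g' /etc/default/grub
sed -i -e 's/^#GRUB_TERMINAL=console/GRUB_TERMINAL=console/g' /etc/default/grub
# Don't let grub pick up foreign OSes.  Append the setting only once so
# a re-run of this script doesn't stack duplicate lines.
if ! grep -q '^GRUB_DISABLE_OS_PROBER=' /etc/default/grub; then
    echo 'GRUB_DISABLE_OS_PROBER=true' >> /etc/default/grub
fi

update-grub

cd /etc
git add .
git commit -a -m 'GRUB tweaks'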
# Fix network to come up on boot: "auto" brings the interface up
# unconditionally during boot instead of waiting for a hotplug event.
sed -i -e 's/allow-hotplug/auto/g' /etc/network/interfaces

cd /etc
git add .
git commit -a -m 'Auto start network'

# XXX not sure why this is getting installed:
apt-get -y autoremove

# os-prober is pointless with GRUB_DISABLE_OS_PROBER=true set above.
apt-get -y remove os-prober
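# Proxmox
#cat > /etc/apt/sources.list.d/pve-enterprise.list<<EOF
##deb https://enterprise.proxmox.com/debian/pve stretch pve-enterprise
#EOF

# Add Proxmox enterprise key XXX Add key
#
# If this is ever enabled: the file holds a subscription credential, so
# create it mode 0600 and add apt/auth.conf to /etc/.gitignore first --
# the `git add .` at the end of this section would otherwise commit the
# secret into /etc/.git.
#cat > /etc/apt/auth.conf<<EOF
#machine enterprise.proxmox.com
# login pve2s-0000000000
# password 00000000000000000000000000000000
#EOF

# XXX crufty add proxmox apt key
#
# This key is what makes APT accept every package from the Proxmox
# repository, so how it is obtained matters.  The original fetched it
# over plain http with no check and dropped it into trusted.gpg.d, where
# it was trusted for *all* repositories.  Here:
#   - it is fetched over https (if the mirror will not talk TLS, set
#     PROXMOX_KEY_SHA512 and fall back to http deliberately),
#   - wget's exit status is checked (with -O a failed download leaves an
#     empty file behind, which apt would then warn about forever),
#   - the fingerprint is printed so it can be compared with the one
#     Proxmox publishes, and if PROXMOX_KEY_SHA512 is set in the
#     environment the download must match it,
#   - the key is installed outside trusted.gpg.d and bound to this one
#     repository with [signed-by=...].
pve_keyring=/usr/share/keyrings/proxmox-ve-release-5.x.gpg
pve_key_tmp=$(mktemp)
pve_key_ok=0
if wget https://download.proxmox.com/debian/proxmox-ve-release-5.x.gpg -O "$pve_key_tmp"; then
    if [[ -n "${PROXMOX_KEY_SHA512:-}" ]]; then
        if echo "$PROXMOX_KEY_SHA512  $pve_key_tmp" | sha512sum -c --status; then
            pve_key_ok=1
        else
            echo "ERROR: proxmox key sha512 does not match PROXMOX_KEY_SHA512; not installing it" >&2
        fi
    else
        echo "WARNING: PROXMOX_KEY_SHA512 not set; key accepted unverified - compare the fingerprint below with the one Proxmox publishes" >&2
        pve_key_ok=1
    fi
else
    echo "ERROR: download of the proxmox release key failed" >&2
fi
if (( pve_key_ok )); then
    if command -v gpg >/dev/null; then
        gpg --batch --with-fingerprint "$pve_key_tmp"
    fi
    install -m 0644 "$pve_key_tmp" "$pve_keyring"
fi
rm -f "$pve_key_tmp"

# signed-by limits this key to the Proxmox repository.  If the key did
# not install, apt refuses this repo as unsigned rather than silently
# pulling packages from it.
cat > /etc/apt/sources.list.d/pve-no-subscription.list <<EOF
deb [signed-by=$pve_keyring] http://download.proxmox.com/debian/pve stretch pve-no-subscription
EOF

apt-get update

apt-get -y dist-upgrade --download-only

# --force-confold here, not --force-confnew as in the earlier upgrade:
# sshd_config and sudoers have been hand-edited by now, and confnew
# would silently replace them with the package defaults (re-enabling
# password logins) should any of those packages ship a changed conffile.
DEBIAN_FRONTEND=noninteractive apt-get -y -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confold" dist-upgrade

apt-get -y \
    install \
    ksm-control-daemon \
    omping \
    proxmox-ve

cd /etc
git add .
git commit -a -m 'Install Proxmox'

apt clean

exit 0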
# ----------------------------------------------------------------------
# Nothing below this point runs: the script exits just above.  This is
# a checklist of manual steps, plus commands meant to be pasted on the
# node by hand after the Proxmox web UI work is done.
# ----------------------------------------------------------------------

# Run this on workstation (tunnel the Proxmox web UI instead of exposing
# port 8006 directly):
# ssh -N -C -L 8203:localhost:8006 hk3
# firefox https://localhost:8203
# Login as root user via PAM
# Set up Enterprise Key, if used
#
#
# Commit whatever the web UI wrote under /etc (paste by hand).
cd /etc ; git add . ; git commit -a -m 'Initial Proxmox configuration'
#
#
# XXX Set up vmbr0 via web interface.
#
# Network
# hk3 (host) --> System --> Network
# Fix subnet mask, IP in web gui.
# Create --> Linux Bridge:
# vmbr0
# XXX best way for this server? No subnet.
#
# Set up ethernet ports
# XXX check name Disable enp2s0 (Autostart no)
# set up vmbr0 to the main IP, gateway, etc.
# Create Linux Bridge in web interface
# vmbr0
#XXX THIS ISN'T CORRECT IP
# 174.128.229.130/27
# 255.255.255.224
# Autostart
# VLAN Aware
# Bridge: enp2s0
# Comment Main bridge
#
# Set up 10.2.2.0 and 10.99.99.0 networks statically
# on secondary ethernet interfaces

# Reboot! hk3 (host) --> Restart

# Configure Corosync
# Set up hosts
# XXX MAKE SURE NEW NODES GET ADDED TO EXISTING SERVER /etc/hosts
# These appends are not idempotent: pasting them twice duplicates the
# entries.
echo "10.3.3.1 hk1-coro" >> /etc/hosts
echo "10.3.3.2 hk2-coro" >> /etc/hosts
echo "10.3.3.3 hk3-coro" >> /etc/hosts

# NOTE(review): 10.88.88.1 and 10.88.88.2 both map to "hk2-fs"; by the
# pattern of the -coro entries the first one looks like it was meant
# to be hk1-fs -- confirm before pasting.
echo "10.88.88.1 hk2-fs" >> /etc/hosts
echo "10.88.88.2 hk2-fs" >> /etc/hosts
echo "10.88.88.3 hk3-fs" >> /etc/hosts

# Test cluster ping
for i in hk1-coro hk2-coro hk3-coro
do ping -q -c1 $i
done

# Test ssh.  This relies on each node's host key already being in
# known_hosts (or on the interactive prompt being answered); don't
# accept unknown keys blindly just because it is the cluster network.
for i in hk1-coro hk2-coro hk3-coro
do ssh $i hostname
done
# ssh via IP
for i in 10.2.2.3
do ssh $i hostname
done

# Note this is needed on at least one of the SharkTech servers or
# you get bad UDP checksums
# Also set to correct ethernet device
# XXX CHECK
# These ethtool settings are runtime-only; they need to be re-applied
# on every boot (e.g. from /etc/network/interfaces) to stick.
ethtool -K enp3s0 gso off
ethtool --offload enp3s0 rx off tx off
ethtool -K enp4s0 gso off
ethtool --offload enp4s0 rx off tx off

# Run this on just one node, hk3, to get the cluster started
#pvecm create hkfork --bindnet0_addr 10.2.2.3 --ring0_addr hk3-coro

# Run this on hk3 (joins the existing cluster member at 10.2.2.1; the
# hk3-coro name must resolve, see the /etc/hosts entries above)
pvecm add 10.2.2.1 --ring0_addr hk3-coro

pvecm status
pvecm nodes

# rebootz ?

# After Cluster is Configured
# ===========================

# Data Center --> Permissions --> Users
# Add user with Realm Proxmox VE authentication server.
# Give user root permissions: Datacenter --> Permissions --> Add --> User permission.
# Path: / User: j Role: Administrator
#   (Administrator on path / is full control over the whole cluster,
#   so treat that account's credentials like root's.)
# XXX Or create admin group, add perms to that...
# Permissions --> Authentication. Set Proxmox VE authentication server to default.

# Storage
# Datacenter --> Storage --> Edit local. Enable all content (add VZDump)
#
# DNS
# hk3 (host) --> System --> DNS
# Add servers (the first two are OpenDNS; confirm the third is still
# the intended resolver):
# 208.67.222.222 208.67.220.220 37.235.1.174
#