The script below is a copy of the one used in production, slightly modified for my own lab environment. Installation is a single step: a brand-new KVM virtual machine is deployed in 5 minutes.
#platform=x86, AMD64, or Intel EM64T
#version=DEVEL
# Firewall configuration
firewall --enabled --ssh
# Install OS instead of upgrade
install
# Use network installation
url --url="http://192.168.122.1/centos/6/os/x86_64/"
# Root password:2w3e4r5t
rootpw --iscrypted $1$SG65nSU2$qqls18a5fRwa0pahI9zsn.
# System authorization information
auth --useshadow --passalgo=sha512
# Use text mode install
text
# System keyboard
keyboard us
# System language
lang en_US
# SELinux configuration
selinux --disabled
# Do not configure the X Window System
skipx
# Installation logging level
logging --level=info
# Reboot after installation
reboot
# System timezone
#timezone Asia/Shanghai
timezone --isUtc Asia/Shanghai
# Network information
network --bootproto=dhcp --onboot=on --hostname=new.test.org
# System bootloader configuration
# Grub passwd:linux
bootloader --location=mbr --append="biosdevname=0" --md5pass="$1$cfVln6Oz$eR6dX/70Ny4dAA/amdvfA1"
# Partition clearing information
clearpart --none
#clearpart --all --initlabel
# Disk partitioning information
part /boot --bytes-per-inode=4096 --fstype=ext4 --size=150
part pv.01 --grow --size=1
volgroup vg_centos --pesize=4096 pv.01
logvol swap --name=lv_swap --vgname=vg_centos --size=512
#logvol swap --name=lv_swap --vgname=vg_centos --recommend
logvol / --bytes-per-inode=4096 --fstype=ext4 --name=lv_root --vgname=vg_centos --size=51200
# /data needs its own LV name; a second lv_root would collide with the root LV
logvol /data --bytes-per-inode=4096 --fstype=ext4 --name=lv_data --vgname=vg_centos --size=1024 --fsoptions="noatime,nosuid,noexec,nodev" --grow
#part swap --fstype="swap" --size=512
#part / --fstype="ext4" --grow --size=1
# Additional repositories
repo --name="excel" --baseurl=http://192.168.122.1/repo/excel/6/ --cost=100
repo --name="updates" --baseurl=http://192.168.122.1/centos/6/updates/x86_64/ --cost=100

%pre --interpreter=/usr/bin/env bash
# wipe the old partition table and write a fresh GPT label (no disk dialog at install time)
if [ -e /dev/sda ]; then
    dd if=/dev/zero of=/dev/sda bs=512 count=1
    parted -s /dev/sda mklabel gpt
fi
if [ -e /dev/vda ]; then
    dd if=/dev/zero of=/dev/vda bs=512 count=1
    parted -s /dev/vda mklabel gpt
fi
%end
#%include /tmp/addition

%post --interpreter=/usr/bin/env bash
install_server=192.168.122.1
# set build timestamp
ntpdate $install_server
echo "this system was built at $(LANG=C date -d today +'%Y-%m-%d %H:%M:%S')" >/root/timestamp.txt
chattr +a /root/timestamp.txt
sed -i '/^mirrorlist/{s/^/#/g}' /etc/yum.repos.d/CentOS-Base.repo
sed -i '/#baseurl/{s/#//g}' /etc/yum.repos.d/CentOS-Base.repo
# use local mirror to save bandwidth
curl http://$install_server/conf/etc/yum.repos.d/CentOS-Base.repo >/etc/yum.repos.d/CentOS-Base.repo
# install customized repo
curl http://$install_server/conf/etc/yum.repos.d/excel.repo >/etc/yum.repos.d/excel.repo
echo -e 127.0.0.1 "\t" new.test.org >>/etc/hosts
echo -e $install_server mirror.centos.org >>/etc/hosts
# add a static route
#route add -net 192.168.0.0 netmask 255.255.0.0 gw 192.168.122.1
#echo route add -net 192.168.0.0 netmask 255.255.0.0 gw 192.168.122.1 >> /etc/rc.local
# trim the locale archive: keep English and Chinese only
localedef --list-archive | egrep -v ^"en_US|zh" | xargs localedef --delete-from-archive
mv -f /usr/lib/locale/locale-archive /usr/lib/locale/locale-archive.tmpl
build-locale-archive
# Remove some unnecessary packages
#yum remove usermode -y
yum remove -y rng-tools quota samba* rpcbind lm_sensors postgresql-libs
# Run level 3 by default
#sed -i '/^id/{s/5/3/}' /etc/inittab
# Password protect single user mode
#echo "~~:S:wait:/sbin/sulogin" >> /etc/inittab
# clear the MAC-to-interface binding at every boot, so clones with a new MAC still get eth0
echo "> /etc/udev/rules.d/70-persistent-net.rules" >>/etc/rc.local
echo $install_server >>/etc/ntp/step-tickers
sed -i '/HWCLOCK/{s/no/yes/g}' /etc/sysconfig/ntpdate
chkconfig ntpdate off
curl http://$install_server/conf/etc/ntp.conf >/etc/ntp.conf
chkconfig ntpd on
# Configure ssh server
curl http://$install_server/conf/etc/ssh/sshd_config >/etc/ssh/sshd_config
# disable DNS lookup for ssh login
#sed -i '/DNS/{s/#//g;s/yes/no/g}' /etc/ssh/sshd_config
# show motd
#sed -i '/Motd/{s/#//g}' /etc/ssh/sshd_config
# disable remote root login
#sed -i '/PermitRootLogin/d' /etc/ssh/sshd_config
#echo "PermitRootLogin no" >> /etc/ssh/sshd_config
#echo "Banner /etc/issue.net" >> /etc/ssh/sshd_config
# chroot for ssh
#echo "session required pam_chroot.so" >>/etc/pam.d/sshd
#echo "apple /home/apple" >> /etc/security/chroot.conf
# allow ssh from the LAN only
echo "SSHD:ALL EXCEPT 192.168.0.0/255.255.0.0" >>/etc/hosts.deny
# setup bacula-client
sed -i 's/@//g' /etc/bacula/bacula-fd.conf
chkconfig bacula-fd off
# Setup admin user and passwd
useradd -g wheel admin
echo "linuxfans" | passwd --stdin "admin"
chkconfig denyhosts on
# only users in the wheel group can use "su"
sed -i '/required/{s/#//g}' /etc/pam.d/su
echo "SU_WHEEL_ONLY yes" >>/etc/login.defs
# lock the passwords of unused system accounts
for u in bin daemon adm lp sync shutdown halt mail uucp operator games gopher ftp nobody \
         nagios dbus vcsa bacula rpc ntp sshd saslauth postfix puppet nrpe; do
    passwd -l $u
done
# restrict information-gathering and network tools to root
chmod 700 /usr/bin/finger /usr/bin/who /usr/bin/w /usr/bin/locate /usr/bin/whereis
chmod 700 /sbin/ifconfig /sbin/ip /sbin/route /bin/mount
#chmod 700 /usr/bin/which
#chmod 700 /usr/bin/gcc
#chmod 700 /usr/bin/make
#chmod 700 /bin/rpm
#echo "ulimit -SHn 65535" >> /etc/profile
cat >>/etc/security/limits.conf <<EOF
* soft nofile 10240
* hard nofile 10240
root soft nproc 65535
root hard nproc 65535
EOF
# kernel tuning
#curl http://$install_server/conf/etc/sysctl.conf >/etc/sysctl.conf
cat >>/etc/sysctl.conf <<EOF
net.ipv6.conf.all.disable_ipv6 = 1
vm.swappiness = 5
vm.drop_caches = 0
net.core.somaxconn = 8192
net.ipv4.tcp_max_syn_backlog = 8192
net.core.netdev_max_backlog = 8192
net.ipv4.ip_local_port_range = 15000 65000
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.log_martians = 1
net.ipv4.tcp_timestamps = 1
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0
net.netfilter.nf_conntrack_max = 65536
net.nf_conntrack_max = 65536
net.netfilter.nf_conntrack_tcp_timeout_established = 700
EOF
# snmpd configuration
#curl http://$install_server/conf/etc/snmp/snmpd.conf >/etc/snmp/snmpd.conf
sed -i '/^com2sec/{s/public/mycompany/g}' /etc/snmp/snmpd.conf
sed -i '/^access/{s/systemview/all/g}' /etc/snmp/snmpd.conf
sed -i '/80$/{s/#//g}' /etc/snmp/snmpd.conf
chkconfig snmpd on
# Let nano support syntax highlighting
#curl http://$install_server/conf/etc/nanorc >/etc/nanorc
sed -i '/^# include/{s/#//g}' /etc/nanorc
sed -i '/set const/{s/#//g}' /etc/nanorc
sed -i '/tabsize/{s/#//g;s/8/4/g}' /etc/nanorc
sed -i '/set fill/{s/#//g}' /etc/nanorc
#curl http://$install_server/conf/etc/profile >/etc/profile
# enable timestamps in command history
echo "export HISTTIMEFORMAT='%F %T '" >>/etc/profile
echo export LANG=C >>/etc/profile
# log the user out after 60 minutes without activity
echo export TMOUT=3600 >>/etc/profile
# define a default puppet variable
echo export FACTER_LSB=CentOS6 >>/etc/profile
# password policy (90 days)
sed -i '/PASS_MAX_DAYS/{s/99999/90/}' /etc/login.defs
sed -i '/PASS_MIN_LEN/{s/5/8/}' /etc/login.defs
# ipv6 is disabled, so postfix has to run on ipv4 only
postconf -e 'inet_protocols = ipv4'
# hide the mail server type "postfix" from the banner
postconf -e 'smtpd_banner = $myhostname'
chkconfig postfix on
#chkconfig sendmail on
# setup network
chkconfig network on
if ifconfig eth0 >/dev/null 2>&1; then
cat >/etc/sysconfig/network-scripts/ifcfg-eth0 <<EOG
DEVICE="eth0"
ONBOOT=yes
BOOTPROTO=dhcp
TYPE=Ethernet
USERCTL=no
IPV6INIT=no
#IPADDR=192.168.122.10
#NETMASK=255.255.255.0
#GATEWAY=192.168.122.200
#DNS1=202.45.84.58
#DNS2=203.80.96.10
#ETHTOOL_OPTS="speed 1000 duplex full autoneg on"
EOG
fi
if ifconfig eth1 >/dev/null 2>&1; then
cat >/etc/sysconfig/network-scripts/ifcfg-eth1 <<EOH
DEVICE="eth1"
ONBOOT=yes
BOOTPROTO=dhcp
TYPE=Ethernet
#DNS1=202.45.84.58
#DNS2=203.80.96.10
USERCTL=no
IPV6INIT=no
#ETHTOOL_OPTS="speed 1000 duplex full autoneg on"
EOH
fi
# set DNS
echo "nameserver 202.45.84.58" >>/etc/resolv.conf
echo "nameserver 203.80.96.10" >>/etc/resolv.conf
# setup firewall
curl http://$install_server/conf/firewall.sh >/root/firewall.sh
cat >/etc/motd <<EOL
***Warning*** This is a private system. Unauthorized access or use may be punishable by administrative discipline, civil penalties, and/or criminal prosecution.
EOL
>/etc/issue
>/etc/issue.net
# quote the output: on bare metal virt-what prints nothing and an unquoted test would fail
if [ "$(virt-what)" = "vmware" ]; then yum install open-vm-tools -y; fi
# linux host template for nagios monitoring
#curl http://$install_server/conf/etc/nagios/template.linux.cfg >/root/template.linux.cfg
sed -i '/remove/{s/#//g}' /etc/yum/pluginconf.d/remove-with-leaves.conf
# enable the watchdog
echo "modprobe softdog" >>/etc/sysconfig/watchdog
#curl http://$install_server/conf/etc/watchdog.conf >/etc/watchdog.conf
sed -i '/min-memory/{s/#//}' /etc/watchdog.conf
sed -i '/watchdog-device/{s/#//}' /etc/watchdog.conf
sed -i '/admin/{s/#//}' /etc/watchdog.conf
sed -i '/interval/{s/#//}' /etc/watchdog.conf
sed -i '/logtick/{s/#//}' /etc/watchdog.conf
sed -i '/pidfile/{s/#//}' /etc/watchdog.conf
chkconfig watchdog on
# configure nagios client
curl http://$install_server/conf/etc/nagios/nrpe.cfg >/etc/nagios/nrpe.cfg
#sed -i '/server_address/{s/#//g;s/127.0.0.1/'$lan_ip'/g}' /etc/nagios/nrpe.cfg
sed -i '/allowed_hosts/{s/127.0.0.1/&,192.168.122.254/}' /etc/nagios/nrpe.cfg
chkconfig nrpe on
curl http://$install_server/conf/etc/zabbix/zabbix_agentd.conf >/etc/zabbix/zabbix_agentd.conf
#sed -i '/^Server=/{s/127.0.0.1/192.168.1.254}' /etc/zabbix/zabbix_agentd.conf
#sed -i '/^Hostname/{s/Zabbix/new}' /etc/zabbix/zabbix_agentd.conf
chkconfig zabbix-agent on
# send syslog to the log server in real time
curl http://$install_server/conf/etc/rsyslog.conf >/etc/rsyslog.conf
#echo "*.* @192.168.122.254" >>/etc/rsyslog.conf
# configure puppet client
curl http://$install_server/conf/etc/puppet/puppet.conf >/etc/puppet/puppet.conf
sed -i '/SERVER/{s/#//g}' /etc/sysconfig/puppet
sed -i '/SERVER/{s/puppet/&.test.org/}' /etc/sysconfig/puppet
sed -i '/PORT/{s/#//g}' /etc/sysconfig/puppet
chkconfig puppet off
# Mail out if system updates are found
curl http://$install_server/conf/etc/sysconfig/yum-cron >/etc/sysconfig/yum-cron
chkconfig yum-cron on
# Run rkhunter weekly
mv /etc/cron.daily/rkhunter /etc/cron.weekly/
/usr/bin/rkhunter --propupd
# configure tripwire
#curl http://$install_server/conf/etc/tripwire/twpol.txt >/etc/tripwire/twpol.txt
# Configure the linux audit system
#curl http://$install_server/conf/etc/audit/audit.rules >/etc/audit/audit.rules
chkconfig auditd on
chkconfig ip6tables off
chkconfig irqbalance on
chkconfig psacct on
chkconfig yum-updateonboot off
#chkconfig --del rdisc
%end

%packages --nobase
@Core
autoconf
automake
bacula-client
bison
denyhosts
dstat
flex
gcc
gcc-c++
gd-devel
gdisk
git
iftop
iotop
ipa-client
iptstate
irqbalance
lftp
libtool
logwatch
lsof
lynis
mailx
man
mysql-devel
nagios-plugins
nagios-plugins-all
nano
ncurses
net-snmp
net-snmp-utils
nmap
nrpe
ntsysv
openssh-clients
parted
perl-Crypt-SSLeay
perl-Net-SSLeay
perl-libwww-perl
puppet
rsync
setuptool
sysstat
system-config-firewall-tui
system-config-network-tui
telnet
time
tmpwatch
vim
virt-what
watchdog
wget
yum-utils
%end
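The %post section above writes its hardening once, at build time; later package updates or configuration-management runs can silently undo it. The script below is an added example, not part of the original post or of the kickstart, showing how to verify that a built host still carries two of those settings: the sysctl keys %post appends and the system accounts it locks with passwd -l. The function names check_sysctl and check_locked are my own; the two sample files are constructed stand-ins for /etc/sysctl.conf and /etc/shadow, chosen so that one sysctl override and one unlocked account are caught. Point the functions at the real files (or at a mounted image) to audit a host.

```shell
#!/bin/sh
# Added example, not from the original post: verify that a host built from
# the kickstart still carries the %post hardening. It reads files instead of
# the live kernel, so it also works against a mounted image or a copied /etc.

# sysctl keys the %post section appends, with the values it writes
EXPECTED_SYSCTL='net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.all.log_martians=1
net.ipv4.conf.default.accept_redirects=0
net.ipv6.conf.all.disable_ipv6=1'

# check_sysctl FILE: report every expected key whose effective value in FILE
# (the last definition wins, as with sysctl -p) differs from what %post
# wrote; returns 1 on any mismatch or missing key, 0 when all match.
check_sysctl() {
    file=$1
    rc=0
    for pair in $EXPECTED_SYSCTL; do
        key=${pair%%=*}
        want=${pair#*=}
        pat=$(printf '%s' "$key" | sed 's/\./\\./g')   # dots in the key are literal
        got=$(grep -E "^[[:space:]]*${pat}[[:space:]]*=" "$file" | tail -n 1 \
              | sed 's/^[^=]*=[[:space:]]*//; s/[[:space:]]*$//')
        if [ "$got" != "$want" ]; then
            echo "sysctl: $key is '${got:-unset}', expected '$want'"
            rc=1
        fi
    done
    return $rc
}

# check_locked SHADOW_FILE ACCOUNT...: report every ACCOUNT whose password
# field is not locked ('!' prefix from passwd -l, or '*' for no password).
# A missing account is reported too, since it cannot be confirmed locked.
check_locked() {
    file=$1
    shift
    rc=0
    for acct in "$@"; do
        field=$(awk -F: -v u="$acct" '$1 == u { print $2 }' "$file")
        case $field in
            '!'* | '*'*) ;;
            *) echo "account $acct is not locked"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample inputs (not data from any real host)
TMPD=$(mktemp -d)
trap 'rm -rf "$TMPD"' EXIT
cat >"$TMPD/sysctl.conf" <<'EOF'
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.log_martians =1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
# a later append, e.g. by a config-management run, silently overrides %post
net.ipv4.conf.all.rp_filter = 0
EOF
cat >"$TMPD/shadow" <<'EOF'
root:$6$constructedsalt$constructedhash:16000:0:99999:7:::
bin:!!*:16000:0:99999:7:::
daemon:*:16000:0:99999:7:::
nagios:$6$constructedsalt$constructedhash:16000:0:90:7:::
EOF

# Usage: run both checks and surface any drift from the build-time state.
check_sysctl "$TMPD/sysctl.conf" || echo "sysctl drift detected"
check_locked "$TMPD/shadow" bin daemon nagios || echo "unlocked system account detected"
```

Reading the last definition of each key mirrors how sysctl -p applies the file, which is why the sample's trailing rp_filter = 0 is what gets reported; for the account check, any hash in the password field, including one for an account the build meant to lock, counts as a finding.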
Work remaining after the system is installed:
1. Change the hostname (done on the newly installed machine)
2. Assign a suitable static IP address (done on the newly installed machine)
3. Register the IPA client (done on the newly installed machine)
4. Register the puppet client (done on the server side; autosign is also an option)
5. Register the nagios and cacti clients (done on the server side)
6. Register the bacula client (done on the server side)
7. Deploy the actual application
update 2012-12-25
Use LVM partitioning so that disks can be extended.
update 2013-03-14
On Dell servers, where the NICs are detected as em*, the kernel parameter biosdevname=0 makes them appear as eth*.
Alternatively, name the interface directly in the kernel boot parameters:
linux ksdevice=em1 ks=http://xxxx/ks.cfg
ksdevice=link also works.
update 2013-03-17
GPT partitioning by default, to support large disks above 2TB; this settles the disk-extension problem for good.
The disk initialization dialog is gone, so the install is truly one step.
update 2013-04-25
Added NIC tuning (for gigabit NICs).
update 2013-08-19
Support btrfs partitions.
update 2013-09-01
File system 4k alignment.
update 2014-01-19
Added a /data mount point for deploying applications, with its mount options tuned and hardened.
update 2014-05-01
Trimmed the locale set to Chinese and English only.
update 2014-08-22
Several data centers share one ks script, but each keeps its install source on its own internal network?
1. Comment out the install source in the ks script and add this to the PXE kernel boot parameters:
repo=http://192.168.122.1/centos/6/os/x86_64
update 2014-09-12
On an SSD the following error may appear:
UNEXPECTED INCONSISTENCY; RUN fsck MANUALLY
Temporary fix: fsck -y /dev/sdax
Permanent fix: add acpi=off to the kernel boot parameters
update 20160805
Added VMware virtualization detection; install vm-tools when running on VMware.