下面的脚本是生产环境的副本,稍有改动,用于自己的实验环境。安装一步搞定,5分钟部署一套全新的kvm虚拟机。



  1. #platform=x86, AMD64, or Intel EM64T
    #version=DEVEL
    # Firewall configuration
    firewall --enabled --ssh
    # Install OS instead of upgrade
    install
    # Use network installation
    url --url="http://192.168.122.1/centos/6/os/x86_64/"
    # Root password:2w3e4r5t
    rootpw --iscrypted $1$SG65nSU2$qqls18a5fRwa0pahI9zsn.
    # System authorization information
    auth  --useshadow  --passalgo=sha512
    # Use text mode install
    text
    # System keyboard
    keyboard us
    # System language
    lang en_US
    # SELinux configuration
    selinux --disabled
    # Do not configure the X Window System
    skipx
    # Installation logging level
    logging --level=info
    # Reboot after installation
    reboot
    # System timezone
    #timezone  Asia/Shanghai
    timezone --isUtc Asia/Shanghai
    # Network information
    network  --bootproto=dhcp--onboot=on --hostname=new.test.org
    # System bootloader configuration
    # Grub passwd:linux
    bootloader --location=mbr --append="biosdevname=0" --md5pass="$1$cfVln6Oz$eR6dX/70Ny4dAA/amdvfA1"
    # Partition clearing information
    clearpart --none
    #clearpart --all --initlabel
    # Disk partitioning information
    part /boot --bytes-per-inode=4096 --fstype=ext4 --size=150
    part pv.01 --grow --size=1
    volgroup vg_centos --pesize=4096 pv.01
    logvol swap --name=lv_swap --vgname=vg_centos --size=512
    #logvol swap --name=lv_swap--vgname=vg_centos --recommend
    logvol / --bytes-per-inode=4096 --fstype=ext4 --name=lv_root --vgname=vg_centos --size=51200
    logvol /data --bytes-per-inode=4096 --fstype=ext4 --name=lv_root --vgname=vg_centos --size=1024  --fsoptions="noatime,nosuid,noexec,nodev"  --grow
    #part swap --fstype="swap" --size=512
    #part / --fstype="ext4" --grow --size=1
    # Addition repository
    repo --name="excel" --baseurl=http://192.168.122.1/repo/excel/6/ --cost=100
    repo --name="updates" --baseurl=http://192.168.122.1/centos/6/updates/x86_64/ --cost=100
    %pre --interpreter=/usr/bin/env bash
    if [ -e /dev/sda ];then
        dd if=/dev/zero of=/dev/sda bs=512count=1
        parted -s /dev/sda mklabel gpt
    fi
    if [ -e /dev/vda ];then
        dd if=/dev/zero of=/dev/vda bs=512 count=1
        parted -s /dev/vda mklabel gpt
    fi
    %end
    #%include /tmp/addition


  2. %post --interpreter=/usr/bin/env bash
    install_server=192.168.122.1
    # set build timestamp
    ntpdate $install_server
    echo this system was built at `LANG=C date -d "today" +"%Y-%m-%d %H:%M:%S"` >/root/timestamp.txt
    chattr +a /root/timestamp.txt
    sed -i '/^mirrorlist/{s/^/#/g}' /etc/yum.repos.d/CentOS-Base.repo
    sed -i '/#baseurl/{s/#//g}' /etc/yum.repos.d/CentOS-Base.repo
    # use local mirror to save bandwidth
    curl http://$install_server/conf/etc/yum.repos.d/CentOS-Base.repo >/etc/yum.repos.d/CentOS-Base.repo
    # install customerized repo
    curl http://$install_server/conf/etc/yum.repos.d/excel.repo  > /etc/yum.repos.d/excel.repo
    echo -e 127.0.0.1 "\t" new.test.org >>/etc/hosts
    echo -e $install_server mirror.centos.org >>/etc/hosts
    #add a static route
    #route add -net 192.168.0.0 netmask 255.255.0.0 gw 192.168.122.1
    #echo route add -net 192.168.0.0 netmask 255.255.0.0 gw 192.168.122.1  >> /etc/rc.local
    #set character,only english/chinese support
    localedef --list-archive |egrep -v ^"en_US|zh" |xargs localedef --delete-from-archive
    mv -f /usr/lib/locale/locale-archive /usr/lib/locale/locale-archive.tmpl
    build-locale-archive
    # Remove some unnessary packages
    #yum remove usermode -y
    yum remove -y rng-tools quota samba* rpcbind lm_sensors postgresql-libs
    # Run level 3 by default
    #sed -i '/^id/{s/5/3/}' /etc/inittab
    # Password protect single user mode
    #echo "~~:S:wait:/sbin/sulogin" >> /etc/inittab
    # unlock the MAC
    echo "> /etc/udev/rules.d/70-persistent-net.rules" >> /etc/rc.local
    echo $install_server >> /etc/ntp/step-tickers
    sed -i '/HWCLOCK/{s/no/yes/g}' /etc/sysconfig/ntpdate
    chkconfig ntpdate off
    curl http://$install_server/conf/etc/ntp.conf >/etc/ntp.conf
    chkconfig ntpd on
    # Configure ssh server
    curl http://$install_server/conf/etc/ssh/sshd_config >/etc/ssh/sshd_config
    # disable DNS lookup for ssh login
    #sed -i '/DNS/{s/#//g;s/yes/no/g}' /etc/ssh/sshd_config
    #show motd
    #sed -i '/Motd/{s/#//g}' /etc/ssh/sshd_config
    # disbale root login remotely
    #sed -i '/PermitRootLogin/d' /etc/ssh/sshd_config
    #echo "PermitRootLogin no" >> /etc/ssh/sshd_config
    #echo "Banner /etc/issue.net" >> /etc/ssh/sshd_config
    #chroot for ssh
    #echo "session   required      pam_chroot.so" >>/etc/pam.d/sshd
    #echo "apple    /home/apple" >> /etc/security/chroot.conf
    #allow ssh for LAN only
    echo "SSHD:ALL EXCEPT 192.168.0.0/255.255.0.0" >>/etc/hosts.deny
    #setup bacula-client
    sed -i 's/@//g' /etc/bacula/bacula-fd.conf
    chkconfig bacula-fd off
    # Setup admin user and passwd
    useradd -g wheel admin
    echo "linuxfans" |passwd --stdin "admin"
    chkconfig denyhosts on
    #only user in wheel group can use "su"
    sed -i '/required/{s/#//g}' /etc/pam.d/su
    echo "SU_WHEEL_ONLY yes" >>/etc/login.defs
    #lock unused passwords
    passwd -l bin
    passwd -l daemon
    passwd -l adm
    passwd -l lp
    passwd -l sync
    passwd -l shutdown
    passwd -l halt
    passwd -l mail
    passwd -l uucp
    passwd -l operator
    passwd -l games
    passwd -l gopher
    passwd -l ftp
    passwd -l nobody
    passwd -l nagios
    passwd -l dbus
    passwd -l vcsa
    passwd -l bacula
    passwd -l rpc
    passwd -l ntp
    passwd -l sshd
    passwd -l saslauth
    passwd -l postfix
    passwd -l puppet
    passwd -l nrpe
    chmod 700 /usr/bin/finger
    chmod 700 /usr/bin/who
    chmod 700 /usr/bin/w
    chmod 700 /usr/bin/locate
    chmod 700 /usr/bin/whereis
    chmod 700 /sbin/ifconfig
    chmod 700 /sbin/ip
    chmod 700 /sbin/route
    chmod 700 /bin/mount
    #chmod 700 /usr/bin/which
    #chmod 700 /usr/bin/gcc
    #chmod 700 /usr/bin/make
    #chmod 700 /bin/rpm
    #echo "ulimit -SHn 65535" >> /etc/profile
    cat >> /etc/security/limits.conf <<EOF
    *               soft    nofile  10240
    *               hard    nofile  10240
    root            soft    nproc   65535
    root            hard    nproc   65535
    EOF
    # kernel optimize
    #curl http://$install_server/conf/etc/sysctl.conf >/etc/sysctl.conf
    echo "net.ipv6.conf.all.disable_ipv6 = 1"  >>/etc/sysctl.conf
    echo "vm.swappiness = 5"  >>/etc/sysctl.conf
    echo "vm.drop_caches = 0" >>/etc/sysctl.conf
    echo "net.core.somaxconn = 8192" >>/etc/sysctl.conf
    echo "net.ipv4.tcp_max_syn_backlog = 8192" >> /etc/sysctl.conf
    echo "net.core.netdev_max_backlog =  8192" >> /etc/sysctl.conf
    echo "net.ipv4.ip_local_port_range = 15000 65000" >> /etc/sysctl.conf
    echo "net.ipv4.conf.all.accept_redirects = 0" >>/etc/sysctl.conf
    echo "net.ipv4.conf.all.log_martians =1" >> /etc/sysctl.conf
    echo "net.ipv4.conf.all.rp_filter = 1" >> /etc/sysctl.conf
    echo "net.ipv4.conf.all.send_redirects = 0" >>/etc/sysctl.conf
    echo "net.ipv4.conf.default.accept_redirects = 0" >>/etc/sysctl.conf
    echo "net.ipv4.conf.default.log_martians = 1" >>/etc/sysctl.conf
    echo "net.ipv4.tcp_timestamps = 1" >>/etc/sysctl.conf
    echo "net.ipv6.conf.all.accept_redirects = 0" >>/etc/sysctl.conf
    echo "net.ipv6.conf.default.accept_redirects = 0" >>/etc/sysctl.conf
    echo "net.netfilter.nf_conntrack_max = 65536" >>/etc/sysctl.conf
    echo "net.nf_conntrack_max = 65536" >>/etc/sysctl.conf
    echo "net.netfilter.nf_conntrack_tcp_timeout_established = 700" >>/etc/sysctl.conf
  3. #snmpd configure
    #curl http://$install_server/conf/etc/snmp/snmpd.conf >/etc/snmp/snmpd.conf
    sed -i '/^com2sec/{s/public/mycompany/g}' /etc/snmp/snmpd.conf
    sed -i '/^access/{s/systemview/all/g}' /etc/snmp/snmpd.conf
    sed -i '/80$/{s/#//g}' /etc/snmp/snmpd.conf
    chkconfig snmpd on
    # Let nano support grammar hghlight
    #curl http://$install_server/conf/etc/nanorc >/etc/nanorc
    sed -i '/^# include/{s/#//g}' /etc/nanorc
    sed -i '/set const/{s/#//g}' /etc/nanorc
    sed -i '/tabsize/{s/#//g;s/8/4/g}' /etc/nanorc
    sed -i '/set fill/{s/#//g}' /etc/nanorc
    #curl http://$install_server/conf/etc/profile >/etc/profile
    # enable timestamp in command history
    echo "export HISTTIMEFORMAT='%F %T '" >> /etc/profile
    echo export LANG=C>>/etc/profile
    #user will login out if no action within 60 minutes
    echo export TMOUT=3600>>/etc/profile
    #define a default puppet variable
    echo export FACTER_LSB=CentOS6>>/etc/profile
    # password policy (90 days)
    sed -i '/PASS_MAX_DAYS/{s/99999/90/}' /etc/login.defs
    sed -i '/PASS_MIN_LEN/{s/5/8/}' /etc/login.defs
    # due to disable ipv6,postfix has to work under ipv4
    postconf -e 'inet_protocols = ipv4'
    # hiden mail server type "postfix"
    postconf -e 'smtpd_banner = $myhostname'
    chkconfig postfix on
    #chkconfig sendmail on
    #setup network
    chkconfig network on
    ifconfig eth0 > /dev/null
    if [ $? == "0" ];then
    cat > /etc/sysconfig/network-scripts/ifcfg-eth0 <<EOG
    DEVICE="eth0"
    ONBOOT=yes
    BOOTPROTO=dhcp
    TYPE=Ethernet
    USERCTL=no
    IPV6INIT=no
    #IPADDR=192.168.122.10
    #NETMASK=255.255.255.0
    #GATEWAY=192.168.122.200
    #DNS1=202.45.84.58
    #DNS2=203.80.96.10
    #ETHTOOL_OPTS="speed 1000 duplex full autoneg on"
    EOG
        fi
    ifconfig eth1 > /dev/null
    if [ $? == "0" ];then
    cat > /etc/sysconfig/network-scripts/ifcfg-eth1 <<EOH
    DEVICE="eth1"
    ONBOOT=yes
    BOOTPROTO=dhcp
    TYPE=Ethernet
    #DNS1=202.45.84.58
    #DNS2=203.80.96.10
    USERCTL=no
    IPV6INIT=no
    #ETHTOOL_OPTS="speed 1000 duplex full autoneg on"
    EOH
            fi
    # set DNS
    echo "nameserver 202.45.84.58"  >>  /etc/resolv.conf
    echo "nameserver 203.80.96.10"  >> /etc/resolv.conf
    #setup firewall
    curl http://$install_server/conf/firewall.sh  >/root/firewall.sh
    cat > /etc/motd <<EOL
    ***Warning***
    This is a private system.Unauthorized access or use may be punishable by
    administrative discipline, civil penalties, and/or criminal prosecution.
    EOL
    >/etc/issue
    >/etc/issue.net
    
    if [ $(virt-what) == "vmware" ];then yum install open-vm-tools -y;fi
    
    # linux host template for nagios monitoring
    # curl http://$install_server/conf/etc/nagios/template.linux.cfg > /root/template.linux.cfg
    sed -i '/remove/{s/#//g}' /etc/yum/pluginconf.d/remove-with-leaves.conf
    #enable the fuction of watchdog
    echo "modprobe softdog" >> /etc/sysconfig/watchdog
    #curl http://$install_server/conf/etc/watchdog.conf >/etc/watchdog.conf
    sed -i '/min-memory/{s/#//}' /etc/watchdog.conf
    sed -i '/watchdog-device/{s/#//}' /etc/watchdog.conf
    sed -i '/admin/{s/#//}' /etc/watchdog.conf
    sed -i '/interval/{s/#//}' /etc/watchdog.conf
    sed -i '/logtick/{s/#//}'/etc/watchdog.conf
    sed -i '/pidfile/{s/#//}' /etc/watchdog.conf
    chkconfig watchdog on
    # configure nagios client
    curl http://$install_server/conf/etc/nagios/nrpe.cfg >/etc/nagios/nrpe.cfg
    #sed -i '/server_address/{s/#//g;s/127.0.0.1/'$lan_ip'/g}' /etc/nagios/nrpe.cfg
    sed -i '/allowed_hosts/{s/127.0.0.1/&,192.168.122.254/}' /etc/nagios/nrpe.cfg
    chkconfig nrpe on
    curl http://$install_server/conf/etc/zabbix/zabbix_agentd.conf >/etc/zabbix/zabbix_agentd.conf
    #sed -i '/^Server=/{s/127.0.0.1/192.168.1.254}' /etc/zabbix/zabbix_agentd.conf
    #sed -i '/^Hostname/{s/Zabbix/new}' /etc/zabbix/zabbix_agentd.conf
    chkconfig zabbix-agent on
    # sent out realtime syslog to log server
    curl http://$install_server/conf/etc/rsyslog.conf >/etc/rsyslog.conf
    #echo "*.* @192.168.122.254" >>/etc/rsyslog.conf
    # configure puppet client
    curl http://$install_server/conf/etc/puppet/puppet.conf >/etc/puppet/puppet.conf
    sed -i '/SERVER/{s/#//g}' /etc/sysconfig/puppet
    sed -i '/SERVER/{s/puppet/&.test.org/}' /etc/sysconfig/puppet
    sed -i '/PORT/{s/#//g}' /etc/sysconfig/puppet
    chkconfig puppet off
    # Mail out if system updates found
    curl http://$install_server/conf/etc/sysconfig/yum-cron >/etc/sysconfig/yum-cron
    chkconfig yum-cron on
    # Run rkhunter weekly
    mv /etc/cron.daily/rkhunter /etc/cron.weekly/
    /usr/bin/rkhunter --propupd
    #configure tripwire
    #curl http://$install_server/conf/etc/tripwire/twpol.txt >/etc/tripwire/twpol.txt
    # Configure linux audit system
    #curl http://$install_server/conf/etc/audit/audit.rules > /etc/audit/audit.rules
    chkconfig auditd on
    chkconfig ip6tables off
    chkconfig irqbalance on
    chkconfig psacct on
    chkconfig yum-updateonboot off
    #chkconfig --del rdisc
    %end
    %packages --nobase
    @Core
    autoconf
    automake
    bacula-client
    bison
    denyhosts
    dstat
    flex
    gcc
    gcc-c++
    gd-devel
    gdisk
    git
    iftop
    iotop
    ipa-client
    iptstate
    irqbalance
    lftp
    libtool
    logwatch
    lsof
    lynis
    mailx
    man
    mysql-devel
    nagios-plugins
    nagios-plugins-all
    nano
    ncurses
    net-snmp
    net-snmp-utils
    nmap
    nrpe
    ntsysv
    openssh-clients
    parted
    perl-Crypt-SSLeay
    perl-Net-SSLeay
    perl-libwww-perl
    puppet
    rsync
    setuptool
    sysstat
    system-config-firewall-tui
    system-config-network-tui
    telnet
    time
    tmpwatch
    vim
    virt-what
    watchdog
    wget
    yum-utils
    %end
  4. 系统安装完的工作是:

  5. 1、修改主机名(在新安装机器上进行)

  6. 2、分配合适的固定IP地址(在新安装机器上进行)

  7. 3、注册ipa客户端(在新安装机器上进行)

  8. 4、注册puppet客户端(在服务端进行,也可以antosign)

  9. 5、注册nagios和cacti客户端(在服务端进行)

  10. 6、注册bacula客户端(在服务端进行)

  11. 7、部署具体的应用



update 2012-12-25

为了磁盘扩展,采用lvm分区

update 2013-03-14

对于Dell服务器,网卡名称被识别成em*时,可以用内核参数biosdevname=0来识别成eth*

也可以在内核引导参数上指定网口名称即可。

linux ksdevice=em1 ks=http://xxxx/ks.cfg

ksdevice=link也可以

update 2013-03-17

默认采用gpt分区,用于支持2TB以上的大硬盘,彻底解决硬盘扩展问题。

消灭了硬盘初始化对话框,真正一步到位。

update 2013-04-25

添加网卡调优(针对千兆网卡)

update 2013-08-19

支持btrfs分区

update 2013-09-01

文件系统 4k对齐

update 2014-01-19

增加/data 挂载点,用于部署应用程序,并对挂载选项进行优化和安全加固

update 2014-05-01

优化字符集,仅保留中英文支持。


update 2014-08-22

多个机房共享一个ks脚本,但是安装源都在各自的机房内网?

1、注释掉ks脚本里的安装源,在PXE 内核启动参数上加上

repo=http://192.168.122.1/centos/6/os/x86_64

update 2014-09-12

如果是SSD硬盘,可能会报下面的错误

UNEXPECTED INCONSISTENCT; RUN fsck MANUALLY

临时解决办法:fsck -y /dev/sdax 

终极解决办法:在内核启动参数中加上acpi=off

update 20160805

增加vmware虚拟化判断,安装vm-tools