hidden:Linux Jump-Station in CN-441/164: Difference between revisions
From Lsdf
Bernhard-v (talk | contribs)
(remove everything because it is internal docs) Tag: Blanking
This machine serves as the access host (jump station), gateway, time host, trap host etc. for the devices in the management network 172.18.92.0/22.

==Installation==

* from DVD SL 6.4 as "Web Server"; disk partitioning: 500 MB /boot, 16 GB swap, the rest /
* yum update
* reboot because of the new kernel

==Network==

===Interfaces===

* eth0

<pre>
[root@scc-cn-r164-l ~]# cat /etc/sysconfig/network
NETWORKING=yes
HOSTNAME=scc-cn-r164-l.scc.kit.edu
NETWORKING_IPV6=no
GATEWAY=141.52.36.1
</pre>

<pre>
[root@scc-cn-r164-l ~]# cat /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=eth0
TYPE=Ethernet
UUID=81597989-ab6a-4b11-a3eb-50d898c4aa14
ONBOOT=yes
NM_CONTROLLED=yes
BOOTPROTO=none
HWADDR=D8:9D:67:27:7E:08
IPADDR=141.52.36.36
PREFIX=24
DEFROUTE=yes
IPV4_FAILURE_FATAL=yes
IPV6INIT=no
NAME="System eth0"
</pre>

* eth1 (the IP address still has to be changed to 172.18.92.200 once the old jump station is switched off)

<pre>
[root@scc-cn-r164-l ~]# cat /etc/sysconfig/network-scripts/ifcfg-eth1
DEVICE=eth1
TYPE=Ethernet
UUID=81597989-ab6a-4b11-a3eb-50d898c4aa14
ONBOOT=yes
NM_CONTROLLED=yes
BOOTPROTO=none
HWADDR=D8:9D:67:27:7E:09
IPADDR=172.18.92.199
PREFIX=22
DEFROUTE=no
IPV4_FAILURE_FATAL=yes
IPV6INIT=no
NAME="System eth1"
</pre>

<pre>
[root@scc-cn-r164-l ~]# cat /etc/resolv.conf
search scc.kit.edu lsdf.kit.edu
nameserver 141.52.3.3
nameserver 141.52.8.18
</pre>

===NAT===

So that hosts in the private management network can reach the Internet, iptables is configured to perform Network Address Translation (NAT). The default gateway of the iLO, RSA, iDRAC etc. boards must be 172.18.92.200.

* Original /etc/sysconfig/iptables

<pre>
# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
</pre>

* After activating NAT with

<pre>
iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
iptables --append FORWARD --in-interface eth1 -j ACCEPT
/etc/init.d/iptables save
</pre>

/etc/sysconfig/iptables looks like this. In addition, all ports on eth1 were opened by inserting -i eth0 into the REJECT rule, so that it now reads -A INPUT -i eth0 -j REJECT --reject-with icmp-host-prohibited and only rejects traffic arriving on eth0.

<pre>
# Generated by iptables-save v1.4.7 on Thu Feb 20 16:25:10 2014
*nat
:PREROUTING ACCEPT [169:44555]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [3:228]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
# Completed on Thu Feb 20 16:25:10 2014
# Generated by iptables-save v1.4.7 on Thu Feb 20 16:25:10 2014
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [207:32868]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -i eth0 -j REJECT --reject-with icmp-host-prohibited
# -A FORWARD -j REJECT --reject-with icmp-host-prohibited   This line has to go, otherwise NAT does not work!
-A FORWARD -i eth1 -j ACCEPT
COMMIT
# Completed on Thu Feb 20 16:25:10 2014
</pre>
* now enable IPv4 forwarding as well: add the line "net.ipv4.ip_forward = 1" to /etc/sysctl.conf
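To confirm that a saved rule set really matches the state the NAT section arrives at (MASQUERADE on eth0, the unconditional FORWARD REJECT removed, FORWARD from eth1 accepted, the INPUT REJECT bound to eth0, and ip_forward switched on), here is an added check script that is not part of the wiki page; the two rule dumps inside it are constructed from the listings above.

```shell
#!/bin/sh
# Added example (not from the wiki page): check an iptables-save dump and a
# sysctl.conf line for the conditions the NAT section arrives at. Interface
# names are the page's; the sample dumps below are constructed.
WAN=eth0     # uplink, 141.52.36.0/24
MGMT=eth1    # management network 172.18.92.0/22

has() { printf '%s\n' "$1" | grep -q -- "$2"; }

# Returns 0 when NAT can work; prints one line per failed condition.
# The "^-A" anchor skips commented-out rules such as "# -A FORWARD -j REJECT".
check_nat_rules() {
    dump="$1"; rc=0
    has "$dump" "^-A POSTROUTING -o $WAN -j MASQUERADE" \
        || { echo "missing: MASQUERADE on $WAN in the nat table"; rc=1; }
    if has "$dump" "^-A FORWARD -j REJECT"; then
        echo "present: unconditional FORWARD REJECT (this line has to go)"; rc=1
    fi
    has "$dump" "^-A FORWARD -i $MGMT -j ACCEPT" \
        || { echo "missing: FORWARD ACCEPT from $MGMT"; rc=1; }
    has "$dump" "^-A INPUT -i $WAN -j REJECT" \
        || { echo "missing: INPUT REJECT restricted to $WAN"; rc=1; }
    return $rc
}

# Returns 0 when sysctl.conf turns routing on (spaces around "=" optional).
check_ip_forward() {
    has "$1" "^net\.ipv4\.ip_forward[[:space:]]*=[[:space:]]*1[[:space:]]*$"
}

# Constructed dumps: BEFORE is the stock firewall, AFTER the page's NAT version.
BEFORE='*filter
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT'
AFTER='*nat
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -j REJECT --reject-with icmp-host-prohibited
# -A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -i eth1 -j ACCEPT
COMMIT'

check_nat_rules "$BEFORE" || echo "BEFORE: NAT would not work"
check_nat_rules "$AFTER" && echo "AFTER: NAT rules are complete"
check_ip_forward 'net.ipv4.ip_forward = 1' && echo "ip_forward enabled"
```

On the live host, feed it `iptables-save` output and the relevant line of /etc/sysctl.conf instead of the constructed strings.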

==Post-installation work on the operating system==

* set the clock
** /etc/init.d/ntpdate start
** chkconfig ntpdate on
** /etc/init.d/ntpd start
** chkconfig ntpd on
* add the EPEL repository for further software: <pre>yum install yum-conf-epel</pre>

===Further packages===

* nc, e.g. for testing the firewall
* net-snmp, because this host is to process SNMP traps
* xorg-x11-xauth for X11 forwarding
* xorg-x11-apps for X11 test applications (xclock, xeyes ...)

==DHCP server==

* A DHCP server is installed for IP address management, and it also acts as one
** yum install dhcp

==LDAP==

* <strike>see [https://wiki.archlinux.org/index.php/LDAP_authentication#Client_Setup]</strike>
* yum install openldap-clients
* yum install nss-pam-ldapd
** Dependency Installed: nscd.x86_64 0:2.12-1.132.el6 pam_ldap.x86_64 0:185-11.el6
* <strike>adjust /etc/nsswitch.conf
<pre>
passwd: files sss
group: files sss
shadow: files sss
</pre></strike>
* <strike>adjust /etc/nslcd.conf for the "local LDAP name service daemon" (nslcd)</strike>
* <b>have a service account set up (Patrick von der Hagen)</b>
* ldapsearch -LLL -H ldaps://kit-ldap-01.scc.kit.edu -b 'ou=unix,ou=IDM,dc=kit,dc=edu' -D 'uid=scc-jumpstation-lsdfhpss,ou=ProxyUser,ou=IDM,dc=kit,dc=edu' -w 'AshsiepdoatEipdecfak' cn='iy1773' does return a result
* yum install authconfig-gtk
** let's see whether authentication against LDAP can be configured with it...
** [root@scc-cn-r164-l ~]# authconfig-gtk already finds a few correct pieces of information ... and starts something ..
*** Starting sssd: [ OK ]
*** Starting oddjobd: [ OK ]
*** /etc/nsswitch.conf then looks like this:
<pre>passwd: files sss
group: files sss
shadow: files sss</pre>
* adjust /etc/sssd/sssd.conf
<pre>
[domain/default]
ldap_id_use_start_tls = True
cache_credentials = True
ldap_search_base = ou=unix,ou=IDM,dc=kit,dc=edu
krb5_realm = EXAMPLE.COM
krb5_server = kerberos.example.com
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_uri = ldap://kit-ldap-01.scc.kit.edu/
ldap_tls_cacertdir = /etc/openldap/cacerts
ldap_default_bind_dn = uid=scc-jumpstation-lsdfhpss,ou=ProxyUser,ou=IDM,dc=kit,dc=edu
ldap_default_authtok_type = password
ldap_default_authtok = AshsiepdoatEipdecfak
ldap_tls_reqcert = never
[sssd]
services = nss, pam
config_file_version = 2
domains = default
[nss]
[pam]
[sudo]
[autofs]
[ssh]
[pac]
</pre>
* now getent passwd iy1773 works; getent shadow iy1773 returns no result ....
* login via ssh works too!
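The sssd.conf above sets ldap_tls_reqcert = never, so the client accepts any certificate from kit-ldap-01 even though StartTLS is switched on. The following added script (not from the wiki page or KIT's configuration) flags that setting and shows a hardened counterpart that uses ldaps://, which the page's own ldapsearch already uses against the same host; the CA file path and the placeholder password are assumptions.

```shell
#!/bin/sh
# Added example (not from the wiki page): audit the TLS settings of an
# sssd.conf LDAP domain and show a hardened counterpart. The CA file path
# and the placeholder password are assumptions.

# Constructed fragment mirroring the weak settings on the page.
WEAK_CONF='[domain/default]
ldap_id_use_start_tls = True
ldap_uri = ldap://kit-ldap-01.scc.kit.edu/
ldap_tls_cacertdir = /etc/openldap/cacerts
ldap_default_authtok = bind-password-placeholder
ldap_tls_reqcert = never'

# Hardened counterpart: ldaps:// plus mandatory certificate verification
# against the CA that actually signs the directory server's certificate.
HARDENED_CONF='[domain/default]
ldap_uri = ldaps://kit-ldap-01.scc.kit.edu/
ldap_tls_cacert = /etc/openldap/cacerts/kit-ca.pem
ldap_default_authtok = bind-password-placeholder
ldap_tls_reqcert = demand'

# kv CONF KEY: print KEY's value, tolerating "key=value" and "key = value".
kv() { printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p"; }

# Returns 0 when the transport is acceptable; prints each finding on stdout.
audit_sssd_conf() {
    conf="$1"; rc=0
    reqcert=$(kv "$conf" ldap_tls_reqcert); reqcert=${reqcert:-hard}  # sssd default
    uri=$(kv "$conf" ldap_uri)
    starttls=$(kv "$conf" ldap_id_use_start_tls)
    case "$reqcert" in
        demand|hard) ;;
        *) echo "ldap_tls_reqcert=$reqcert: server certificate is not verified"; rc=1 ;;
    esac
    case "$uri" in
        ldaps://*) ;;
        ldap://*) [ "$starttls" = "True" ] \
            || { echo "ldap:// without StartTLS: bind password travels in clear text"; rc=1; } ;;
        *) echo "ldap_uri missing or unrecognised: '$uri'"; rc=1 ;;
    esac
    # Not a transport finding, but the file now holds a credential.
    [ -z "$(kv "$conf" ldap_default_authtok)" ] \
        || echo "note: bind password stored in this file; keep it root-only (chmod 0600)"
    return $rc
}

audit_sssd_conf "$WEAK_CONF" || echo "weak config rejected"
audit_sssd_conf "$HARDENED_CONF" && echo "hardened config accepted"
```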

===Users===

* group name: SCC-Service-Extern

<pre>
Broussard, Kayla IBM US HPSS System Engineer kbabin@us.ibm.com le7848
Kerr, Jae IBM US HPSS Deployment Lead jrkerr@us.ibm.com vv8488
Giddens, Alan IBM US GHI Deployment Lead agiddens@us.ibm.com mg7325
Batchelder, Scott IBM US HPSS & GHI Deployment Backup scbatche@us.ibm.com ox7620
Hermann, Jonathan IBM-DE IT Specialist - HPSS Admin jonathan.hermann@de.ibm.com ns3128
Jenke, Kay-Christian IBM-DE Advisory IT Specialist Storage kay-christian.jenke@de.ibm.com ir6341
</pre>

* Activation of the accounts via https://intra.kit.edu/Aktivierung
* Changing the password from inside should work via https://scc-idm-01.scc.kit.edu/idm/user/login.jsp?lang=en&cntry=US, from outside via https://intra.kit.edu/Aktivierung
* Group management: https://team.kit.edu/sites/scc-admin-tools/gruppenverwaltung/SitePages/Homepage.aspx

==Backup==

<pre>
mkdir TSM
cd TSM
wget ftp://ftp.scc.kit.edu/pub/tsm/scc/client/linux/x86_64/v641/6.4.1.3/6.4.1.3-TIV-TSMBAC-LinuxX86.tar
tar -xvf 6.4.1.3-TIV-TSMBAC-LinuxX86.tar
yum localinstall gskcrypt64-8.0.14.26.linux.x86_64.rpm
yum localinstall gskssl64-8.0.14.26.linux.x86_64.rpm
yum localinstall TIVsm-API64.x86_64.rpm
yum localinstall TIVsm-BA.x86_64.rpm
cd /opt/tivoli/tsm/client/ba/bin/
vim dsm.sys
cd /etc/init
vim dsmc.conf
initctl start dsmc
</pre>

* dsm.sys

<pre>
Servername grid0
Nodename scc-cn-r164-l
TCPPORT 1603
COMMmethod TCPip
TCPServeraddress scc-tsm-nb03.scc.kit.edu
PASSWORDACCESS GENERATE
SCHEDLOGname /var/log/tsm/dsmsched_ba.log
ERRORLOGname /var/log/tsm/dsmerror_ba.log
SCHEDLOGretention 14 D
ERRORLOGretention 14 D
</pre>

* /etc/init/dsmc.conf

<pre>
# dsmc
#
# This service starts the Tivoli Storage Manager "dsmc sched" backup
# process and respawns it as the scheduled backup happens or the
# dsmc process gets killed or dies.
start on runlevel 2
start on runlevel 3
start on runlevel 4
start on runlevel 5
stop on runlevel 0
stop on runlevel 1
stop on runlevel 6
respawn
exec /usr/bin/dsmc sched >/dev/null 2>&1
</pre>

* still change the password with dsmc set password