LQPP/installation-betriebssystem-rogers

From Piratenwiki

Configuration of rogers.lqfb.piratenpartei.de

RAID

  • 2x36.4 GB (ID0, ID1), RAID 1+0 plus 1x36.4 GB (ID2) as spare
    • Maximum boot partition disabled
  • 1x36.4 GB (ID3) not used

Installation debian

-> Install -> English -> other -> Europe -> Germany -> German

-> Primary network interface eth0 -> Hostname: rogers -> Domain Name: lqfb.piratenpartei.de

-> Manual -> cciss/c0d0
-> Create a new partition -> 15GB, primary, beginning, ext3 at /, Bootable flag ON
-> create new partition -> 10GB, primary, beginning -> use as: physical volume for encryption -> AES,256,cbc-essiv:sha256,passphrase,yes,off
-> create new partition -> 5,0GB, primary, beginning, ext3 on /var/log
-> create new partition -> rest, primary, beginning -> use as: physical volume for encryption -> AES/256/cbc-essiv:sha256/Random key/no/off
-> configure encrypted volumes -> yes -> yes again -> passphrase c0d0p2 according to security manifest
-> Select c0d0p2 -> Ext3, mount_point /var/lib -> Done setting ...
-> select c0d0p4, swap -> Done setting
-> Finish partitioning and write changes to disk -> YES -> (watch the progress bar or do something else)

-> root password according to security manifest -> system user alx -> alx password

-> Germany -> mirror: ftp.de.debian.org -> no -> no -> deselect standard system -> grub YES -> Continue

Configuration

Update packages

apt-get update
apt-get upgrade

LF-Dependencies

apt-get install lighttpd postgresql libpq-dev lua5.1 liblua5.1-0-dev build-essential ghc libghc6-parsec-dev imagemagick tig

vim /etc/apt/sources.list
    Add the line: deb http://www.backports.org/debian etch-backports main contrib non-free
wget -O - http://backports.org/debian/archive.key | apt-key add -
# refresh the package lists so etch-backports is available
apt-get update

install and configure etckeeper

apt-get install etckeeper git-core metastore -t etch-backports
cd /etc
etckeeper init
git add .
etckeeper commit 'Initial commit'
git gc 

ssh-install

apt-get install openssh-server

Convenience

aptitude install screen
apt-get install bash-completion less

Uncomment bash-completion

vi /etc/bash.bashrc
# enable bash completion in interactive shells
if [ -f /etc/bash_completion ]; then
   . /etc/bash_completion
fi
apt-get install vim-nox
update-alternatives --config editor
 selection number 4

Register users and SSH key login

adduser mpd
adduser ibo

Add keys

 su - alx
 mkdir .ssh
 chmod go-rwx .ssh
 vi .ssh/authorized_keys
 exit
 su - mpd
 mkdir .ssh
 chmod go-rwx .ssh
 vi .ssh/authorized_keys
 exit
 su - ibo
 mkdir .ssh
 chmod go-rwx .ssh
 vi .ssh/authorized_keys
 exit

MTA

apt-get install postfix
 -> Internet Site
 -> lqfb.piratenpartei.de
vim /etc/postfix/main.cf
 -> mydomain = lqfb.piratenpartei.de
 -> myorigin = lqfb.piratenpartei.de
 -> masquerade_domains = $mydomain
 -> #relayhost =

Install sudo

apt-get install sudo
visudo
 Uncomment: %sudo ALL=NOPASSWD: ALL
vi /etc/group
 -> sudo:x:27:alx,ibo,mpd

SSH-Config

vi /etc/ssh/sshd_config

No direct root login

PermitRootLogin no 

No password-based login

PasswordAuthentication no

Restart the SSH daemon

/etc/init.d/ssh restart
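
The two sshd_config settings above only take effect if no earlier line in the file sets the same keyword, because sshd uses the first value it reads. The following check is an added example, not part of the original wiki page; the function names sshd_effective and audit_sshd and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the wiki page): audit the two sshd_config settings.
# sshd keeps the FIRST value it reads for a keyword and treats keywords
# case-insensitively, so a later "no" does not override an earlier "yes".

# Print the effective global value of keyword $2 in file $1 (empty if unset).
sshd_effective() {
    awk -v want="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }   # skip comments and blank lines
        { sub(/^[ \t]+/, ""); sub(/[ \t]*=[ \t]*|[ \t]+/, " ") }
        tolower($1) == "match" { exit }     # Match blocks apply conditionally
        tolower($1) == want { print tolower($2); exit }
    ' "$1"
}

# Report each setting that is not explicitly "no"; return the finding count.
audit_sshd() {
    findings=0
    for kw in PermitRootLogin PasswordAuthentication; do
        val=$(sshd_effective "$1" "$kw")
        if [ "$val" != "no" ]; then
            echo "FINDING: $kw is '${val:-unset}', expected 'no'"
            findings=$((findings + 1))
        fi
    done
    return "$findings"
}

# Constructed sample: the hardened PermitRootLogin line comes too late.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sshd_config fragment
passwordauthentication no
PermitRootLogin yes
PermitRootLogin no
Match User backup
    PasswordAuthentication yes
EOF
audit_sshd "$sample" || echo "$? finding(s) in $sample"
```

Point audit_sshd at /etc/ssh/sshd_config before restarting the daemon; sshd -t checks the file's syntax but not these policy values.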

RAID-Controller

apt-get install arrayprobe
wget "http://switch.dl.sourceforge.net/project/cciss/cciss_vol_status/cciss_vol_status-1.06.tar.gz"
tar xvfz cciss_vol_status-1.06.tar.gz
aptitude install build-essential
cd cciss_vol_status-1.06
./configure
make
make install
cd ..

array-configuration-utility

wget ftp://ftp.hp.com/pub/softlib2/software1/pubsw-linux/p414707558/v59422/hpacucli-8.50-6.0.noarch.rpm
apt-get install alien
alien hpacucli-8.50-6.0.noarch.rpm 
dpkg -i hpacucli_8.50-7_i386.deb 

array config

show spare drive status:

hpacucli controller slot=0 physicaldrive all show

add all unassigned drives as spares

hpacucli controller slot=0 array A add spares=allunassigned

status again:

hpacucli controller slot=0 physicaldrive all show

iLO network config

10.134.168.156/30 where 157=me 158=you

system network config

vi /etc/network/interfaces

auto eth0
auto eth1
iface eth0 inet static
  address 194.150.168.158
  network 194.150.168.156
  netmask 255.255.255.252
  gateway 194.150.168.157
iface eth1 inet static
  address 192.168.2.165
  network 192.168.2.0
  netmask 255.255.255.0
vi /etc/resolv.conf
 nameserver  141.1.1.1

Firewall rules

Use the script from git://git@github.com:lqpp/liquidfeedback.git

cd /opt/liquid_feedback/etc/init.d/
cp solas /etc/init.d/
sudo /etc/init.d/solas

ntp

sudo apt-get install ntp
sudo apt-get install ntpdate 

Munin

Install munin-node

sudo apt-get install munin-node
sudo vim /etc/munin/munin-node.conf
 -> Insert Line "allow ^$IP$" - $IP is address of munin-master
 -> uncomment host_name rogers.lqfb.piratenpartei.de

Install the Munin Postgres plugin

install perl-dbi-module

sudo apt-get install libdbd-pg-perl

Install plugins

cd /usr/share/munin/plugins/
sudo wget http://pgfoundry.org/frs/download.php/2096/muninpgplugins-0.2.2.tar.gz
sudo tar xvzf muninpgplugins-0.2.2.tar.gz
sudo ln -s /usr/share/munin/plugins/muninpgplugins/pg__connections /etc/munin/plugins/pg_liquid_feedback_pp_connections
sudo ln -s /usr/share/munin/plugins/muninpgplugins/pg__db_size /etc/munin/plugins/pg_liquid_feedback_pp_db_size
sudo ln -s /usr/share/munin/plugins/muninpgplugins/pg__locks /etc/munin/plugins/pg_liquid_feedback_pp_locks
sudo ln -s /usr/share/munin/plugins/muninpgplugins/pg__stat_bgwriter /etc/munin/plugins/pg_liquid_feedback_pp_stat_bgwriter
sudo ln -s /usr/share/munin/plugins/muninpgplugins/pg__stat_database /etc/munin/plugins/pg_liquid_feedback_pp_stat_database
sudo ln -s /usr/share/munin/plugins/muninpgplugins/pg__statio_tables /etc/munin/plugins/pg_liquid_feedback_pp_statio_tables
sudo ln -s /usr/share/munin/plugins/muninpgplugins/pg__stat_tables /etc/munin/plugins/pg_liquid_feedback_pp_stat_tables
sudo vim /etc/munin/plugin-conf.d/munin-node
-> [pg_liquid_feedback_pp*]
       user postgres
       env.dbname liquid_feedback_pp
sudo vim /etc/postgresql/8.3/main/postgresql.conf
->           stats_start_collector = true
              stats_block_level = true
sudo /etc/init.d/postgres restart
sudo /etc/init.d/munin-node restart

Install the lighttpd plugin

install lwf:usermodule - metapackage
sudo apt-get install libwww-perl

plugin-symbolic links

sudo ln -s /usr/share/munin/plugins/apache_volume /etc/munin/plugins/apache_volume
sudo ln -s /usr/share/munin/plugins/apache_processes /etc/munin/plugins/apache_processes
sudo ln -s /usr/share/munin/plugins/apache_accesses /etc/munin/plugins/apache_accesses
sudo vim /etc/munin/plugin-conf.d/munin-node
-> [apache_*]
        env.ports 443
        env.url http://127.0.0.1:%d/status?auto
        env.ssl yes

Enable lighttpd-mod-status

sudo lighttpd-enable-mod status

Restart munin-node

sudo /etc/init.d/lighttpd force-reload
sudo /etc/init.d/munin-node restart

ntp-plugin

cd /etc/munin/plugins/
sudo ln -s /usr/share/munin/plugins/ntp_offset .
sudo ln -s /usr/share/munin/plugins/ntp_states .
sudo /etc/init.d/munin-node restart

SSL certificate

  1. Martin created and installed a self-signed one
# create key directory
mkdir -p /etc/lighttpd/ssl/lqfb.piratenpartei.de
# create key
openssl genrsa -des3 -out lqfb.piratenpartei.de.key 1024
# remove the passphrase from the key
openssl rsa -in lqfb.piratenpartei.de.key -out lqfb.piratenpartei.de.nopass.key 
# Create certificate signing request.
openssl req -new -key lqfb.piratenpartei.de.nopass.key -out lqfb.piratenpartei.de.csr
Country Name (2 letter code) [AU]:de
State or Province Name (full name) [Some-State]:Germany
Locality Name (eg, city) []:Berlin
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Piratenpartei Deutschland
Organizational Unit Name (eg, section) []:Liquid Feedback
Common Name (eg, YOUR name) []:*.lqfb.piratenpartei.de
Email Address []:admins@lqfb.piratenpartei.de
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

nrpe (nagios remote plugin execution)

sudo apt-get install nagios-nrpe-server

change remote host ip

diff --git a/nagios/nrpe.cfg b/nagios/nrpe.cfg
index f21cdab..97749e2 100644
--- a/nagios/nrpe.cfg
+++ b/nagios/nrpe.cfg
@@ -76,7 +76,8 @@ nrpe_group=nagios
#
# NOTE: This option is ignored if NRPE is running under either inetd or xinetd

-allowed_hosts=127.0.0.1
+#allowed_hosts=127.0.0.1
+allowed_hosts=127.0.0.1, 212.12.52.210
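
Review bot: the added allowed_hosts value has a space after the comma ("127.0.0.1, 212.12.52.210"); write it as allowed_hosts=127.0.0.1,212.12.52.210 so the second entry cannot be read with a leading blank and fail to match the monitoring host. The commented-out "#allowed_hosts=127.0.0.1" line can be dropped, since the previous value is already preserved by the diff itself. Per the NOTE in the context lines, this option is ignored when NRPE runs under inetd or xinetd, so it is worth confirming the daemon runs standalone; otherwise this line restricts nothing.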