Quick setup
- Find out if your CPU is 64-bit:
grep flags /proc/cpuinfo
The lm flag means long mode, i.e. a 64-bit CPU.
Install OS
This is possible from CD1 alone, provided you deselect all packages (including 'Base') and do not use a software RAID setup.
Lock it down
Change the default SSH port.
Install a basic firewall:
# iptables -P INPUT ACCEPT
# iptables -F
# iptables -A INPUT -i lo -j ACCEPT
# iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# iptables -A INPUT -p tcp --dport 50022 -j ACCEPT
# iptables -P INPUT DROP
# iptables -P FORWARD DROP
# iptables -P OUTPUT ACCEPT
# iptables -L -v
# iptables-save > /etc/sysconfig/iptables
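The same rule set written as the persistent rules file that iptables-save produces, plus the pre-load check you want after moving SSH to port 50022: confirm the port sshd is configured on is the one the rules open, before the rules are loaded. This is an added example, not from the original page; file paths are passed as arguments and the sample files are constructed.

```shell
#!/bin/sh
# Added example (not from the original page). Emits the firewall above in the
# format /etc/sysconfig/iptables uses and checks it against sshd_config.

# Rule set from the page: lo and established traffic in, TCP to the SSH
# port in, default-deny INPUT and FORWARD, allow OUTPUT.
gen_iptables_rules() {
    port="$1"
    case "$port" in
        ''|*[!0-9]*) echo "gen_iptables_rules: port must be numeric" >&2; return 1 ;;
    esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || { echo "port out of range" >&2; return 1; }
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m tcp --dport $port -j ACCEPT
COMMIT
EOF
}

# Port sshd listens on according to its config; 22 when there is no Port line
# (a commented "#Port" line does not match because its first field is "#Port").
sshd_port() {
    p=$(awk 'tolower($1) == "port" { print $2; exit }' "$1")
    echo "${p:-22}"
}

# True only if the rules file accepts TCP on sshd's port. Run this before
# `service iptables restart` after changing the SSH port, otherwise the
# restart drops the session you are administering from.
ssh_port_is_open() {
    p=$(sshd_port "$2")
    grep -q -e "--dport $p -j ACCEPT" "$1"
}

# Constructed sample: rules for the page's port 50022 and a matching sshd_config.
tmp=$(mktemp -d)
gen_iptables_rules 50022 > "$tmp/iptables"
printf '#Port 22\nPort 50022\n' > "$tmp/sshd_config"
if ssh_port_is_open "$tmp/iptables" "$tmp/sshd_config"; then
    echo "sshd port is open in $tmp/iptables; safe to load"
else
    echo "MISMATCH: open sshd's port in the rules before loading them" >&2
fi
```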
Check the SELinux config.
Update & install packages
Install EPEL:
wget http://download.fedora.redhat.com/pub/epel/5/i386/epel-release-5-4.noarch.rpm
rpm -ivh epel-release-5-4.noarch.rpm
yum update
yum install mysql php php-pear php-common php-mysql php-gd php-cli mysql-server vim-enhanced.x86_64 screen ntp
Maybe install shellinaboxd (http://code.google.com/p/shellinabox/)
Maybe install the puppet daemon / munin
yum install caching-nameserver (or nscd)
Install and use figlet to get a nice MOTD (colours 30-37):
--------------------------------------------
cat >>/etc/motd <<EOF
`TERM=linux setterm -default -foreground blue -bold on`
Oh, blue is my favorite color!
▞▀▌▝▀▖▚▗▘▛▚▀▖▞▀▖
▚▄▌▞▀▌▗▚ ▌▐ ▌▛▀
▗▄▘▝▀▘▘ ▘▘▝ ▘▝▀▘
`TERM=linux setterm -default -foreground green`
On second thought, I like green better.
`TERM=linux setterm -default`
EOF
----------------------------------------------
cat >>/etc/motd <<EOF
`TERM=linux setterm -default -foreground blue`
▞▀▌▝▀▖▚▗▘▛▚▀▖▞▀▖
▚▄▌▞▀▌▗▚ ▌▐ ▌▛▀
▗▄▘▝▀▘▘ ▘▘▝ ▘▝▀▘
`TERM=linux setterm -default`
EOF
Use figlet to make this text:
^[[0m^[[33m
___ ___ _
|_ _/ _ \| |
| | | | | |
| | |_| | |___
|___\___/|_____|
-----
Installed 14th Feb 2914
-----
^[[0m
Place a welcome message at the login prompt, in this case with the IP address (/etc/issue):
ifconfig eth0 | awk '/inet addr/ {print $2}' | cut -f2 -d: > /etc/issue
Insert HISTTIMEFORMAT in /etc/bashrc for a nicely formatted history:
export HISTTIMEFORMAT="%h/%d - %H:%M:%S "
Insert nice vim colours in /root/.bashrc:
alias vi=vim
Insert ntpdate in the crontab:
20 1 * * * ntpdate clock.redhat.com
Set start scripts on/off:
chkconfig iptables off
chkconfig mysqld on
chkconfig httpd on
etc.
Start MySQL and set the root password:
/etc/init.d/mysqld start
/usr/bin/mysqladmin -u root password 'new-password'
Create the SQL database and user, and test:
create database polopoly;
create user cmuser;
GRANT ALL ON polopoly.* TO cmuser@'%' IDENTIFIED BY 'pass';
GRANT ALL ON polopoly.* TO cmuser@localhost IDENTIFIED BY 'pass';
show databases;
mysql -u cmuser -p polopoly
Set up IP addresses (/etc/sysconfig/network-scripts/ifcfg-eth0):
# Intel Corporation 82546EB Gigabit Ethernet Controller (Copper)
DEVICE=eth0
BOOTPROTO=none
HWADDR=00:14:4f:40:fb:3c
ONBOOT=yes
DHCP_HOSTNAME=polopoly
PEERDNS=no
IPADDR=164.88.11.25
NETMASK=255.255.255.0
GATEWAY=164.88.11.250
TYPE=Ethernet
[root@polopoly ~]# cat /etc/resolv.conf
nameserver 164.88.15.1
nameserver 164.88.15.71
[root@polopoly ~]# cat /etc/sysconfig/network
NETWORKING=yes
NETWORKING_IPV6=no
HOSTNAME=polopoly
GATEWAY=164.88.11.250
Change splash screen
Get an image file to use as the new splash image (any wallpaper in JPG or PNG format).
Check whether the ImageMagick rpm is installed:
[root@server ~]# rpm -q ImageMagick
If it is not installed, install it first:
[root@server ~]# yum -y install ImageMagick
Then, assuming the image is in root's home folder and is named "myboot.jpg":
[root@server ~]# cd
[root@server ~]# convert myboot.jpg -resize 640x480! -colors 14 -depth 8 myboot.xpm
[root@server ~]# ls
You will now see a file called "myboot.xpm".
Then gzip it:
[root@server ~]# gzip myboot.xpm
[root@server ~]# ls
You will now see a file called "myboot.xpm.gz".
Then copy it to the "/boot/grub" folder:
[root@server ~]# cp myboot.xpm.gz /boot/grub
Then edit the "grub.conf" file with your favourite text editor; I'll use "nano":
[root@server ~]# nano /etc/grub.conf
Change the following line
splashimage=(hd0,0)/grub/splash.xpm.gz
to
splashimage=(hd0,0)/grub/myboot.xpm.gz
----------------------------------------------
CentOS 5 Linux Setup and Checklist
PB&CAS 21/01/2009
AHCI change causes kernel panic
# Set your BIOS to IDE/ATA/Original setting mode
# boot into Linux
# edit /etc/modprobe.conf and add the line: alias scsi_hostadapter2 ahci
# run mkinitrd -f /boot/initrd-`uname -r`.img `uname -r`
# reboot into your BIOS and set it to AHCI/RAID mode
# boot into Linux
BIOS
Flash BIOS to latest version
Check in the BIOS that SATA is running in enhanced mode (run hdparm -t /dev/md0 post-install).
You'll know if the disks are running in legacy mode, as the install will take well over 30 minutes.
Set first boot device as CDROM
INSTALLATION
Install Media / Options
For automated installations:
Boot from CD / DVD and at the boot prompt enter: linux ks=http://196.14.2.17/kickstart/ks.cfg
For installing from USB key:
Download a copy of the 'net installation' ISO image from CentOS
Copy the ISO image of the full CentOS DVD to the root of the USB stick
Burn the netinstall CD and boot from it, choosing 'install from HDD'
Choose the USB stick (normally /dev/sda1)
For the directory choose /
For installing from HTTP:
Copy the entire DVD contents to any web server, e.g. the ServerRoot
Boot from the net installation CD and choose 'HTTP'
Enter the IP address of the webserver
If the DVD contents are in the httpd root enter / for the directory
For Hardware RAID which requires a driver disk:
Download the driver (usually an ISO image) and mount it using mount -o loop <file.iso> <target> (you may need to specify -t iso9660). Burn the contents onto a DVD or copy them to a USB stick, and enter linux dd at the boot prompt.
Partition layout
/boot     200 MB      SW RAID
/         10000 MB    SW RAID
/var      5000 MB     SW RAID
/shares   available   SW RAID
swap      2048 MB     hda
swap      2048 MB     hdb
Package selection
Desktop Environments
- Clear all
Applications
- Editors
- Text-based Internet
- Add Lynx
Development
- Development libraries
- Development tools
- Legacy software development
Servers
DNS name server
FTP server
Mail server
- Postfix
- SquirrelMail
- Mailman
MySQL database
Network server
DHCP
OpenLDAP
Printer support
Server configuration tools
Web server
SQL
LDAP
Windows file server
Base System
System tools
IPTraf
MC
MRTG
IS DNS
168.210.2.2
196.14.239.2
Post install setup / checklist / testing
MONITORING
NRPE - install only (nagios-plugins and nrpe, but leave it off)
Munin & munin-node - install, configure and set to start at boot (munin-node)
Check the crontab has the check-raid script and other appropriate checks
BACKUPS
Check the appropriate backup script is in /shares/pcb-scripts and that the crontab has the backup enabled. If it is an rsnapshot to a USB HDD, also test the daily script. You might need to copy a working rsnapshot.conf from Ndlela, Genderlinks or another working site. Check conf/pcb-scripts.conf and adjust any backup variables there to match the site.
Set the backup conf to send email from pcb@domainname.
EXTRAS / TWEAKS
Disable selinux and reboot
Run the grub installer on both boot disks:
grub: root (hd0,0), setup (hd0)
grub: root (hd1,0), setup (hd1)
Run updates
Run the start and package scripts
Set HISTTIMEFORMAT in /etc/bashrc
Update CentOS-Base.repo to use the SA mirror
Install the appropriate rpmforge package
Install an appropriate MOTD in /etc to match PCB local & remote access policies
Check that hdparm -T /dev/md* yields over 60 MB/sec
Set noatime in /etc/fstab (/dev/md2 / ext3 defaults,noatime 0 0)
Optionally install Webmin, Linbox or a similar stripped-down administration interface for onsite administrators to make minor changes, and rebrand it
AUTOMATION
Puppet daemon - install only
Check that the PCB menu exists in the PATH. Putting it in bash_profile stops the boot process and waits for user input!
Install and configure Postfix or Exim. Set the hostname & domain.
Verify the correct smarthost and/or transport is set, if applicable.
Run the Squirrelmail script to set up SquirrelMail and the vacation plugin, as well as the domain name etc., and test webmail.domainname from another PC. Make sure it is working with an account by sending a mail to the pcb account from the web interface and tailing the logs.
Re-brand the SquirrelMail login page with the customer logo.
Install MailArchiva OSE for archiving mail and configure the router in Exim, or the equivalent in Postfix. Possibly install appropriate header checks with known bad headers. In some cases a customer may also have purchased MailScanner, which needs to be tested and rebranded.
If the client's email is pulled down from wisenet, set up the fetchmail script to match the site's logon details.
DHCP
Install the DHCP server, configure /etc/dhcpd.conf and test that the server is listening on interface eth0 (also check /etc/sysconfig/dhcpd).
DNS
Install a caching name server or use the start script, and test (check /etc/resolv.conf to make sure 127.0.0.1 is the primary DNS). Also set up the domainname.zone file and dig the domain name to test.
INTERNET
Squid proxy - install, set it up as a transparent proxy, and test restarting the service, checking the logs for any errors.
Check ip_forward is enabled in rc.local and/or the firewall script.
Check that web traffic is being diverted to port 3128 in the firewall.
Check that the httpd daemon is set to start on boot, to accommodate Munin / SquirrelMail and any Intranet / CMS the client may have requested.
Check Squid is set to start at boot.
SAMBA
Install Samba, set the domain name in smb.conf, and check the interfaces and the itadmin user. Also check that the netlogon and profiles folders exist in /shares/data and that netlogon has the three kix files installed.
Check Samba is set to start at boot.
Test by adding a client PC to the domain and logging in as a user.
SECURITY
Check the iptables firewall script has the correct interfaces set, and test access via SSH, web, etc. Check that SSH and RDP access is allowed only from the PCB network.
Check the firewall script is set to run at boot via /etc/rc.local or the iptables startup script.
Update to the latest versions of Clam and Amavis for AV scanning.
PRINTING
Verify you have the latest version of CUPS installed and can access the CUPS admin interface (http://server:631). Install and test any printers on the quote from the server and from a Windows client.
FINALLY
Check the services set to start at boot with ntsysv and disable non-essentials like bluetooth.
Check that the UPS daemon is pulling correct info from the serial port with /etc/init.d/apcupsd status.
Check /etc/crontab has all required jobs enabled.
To make sure everything works, reboot the server and run appropriate tests on each service after installation and configuration.
Update the job card with the work done, and email the relevant parties with an update as well as any non-standard customisations included in the build.
Question everything. Don't let a server leave PCB without knowing why a piece of hardware or software is or is not included with shipping.
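As an added example (not from the original checklist), a small POSIX shell script that automates some of the file-based checks above (primary DNS is 127.0.0.1, noatime on /, SELinux disabled, ip_forward enabled) so a build can be verified before it ships; each check takes the file to inspect as an argument and the sample tree it runs against is constructed.

```shell
#!/bin/sh
# Added example, not part of the original checklist: automated checks for
# some of the file-based items above. Each check takes the file to inspect;
# run_checks takes an optional root prefix so a staged copy of /etc can be
# tested before the real one. Paths below the root are the CentOS 5 ones.

# /etc/resolv.conf: the first nameserver must be the local caching DNS.
check_resolv_local_first() {
    first=$(awk '$1 == "nameserver" { print $2; exit }' "$1")
    [ "$first" = "127.0.0.1" ]
}

# /etc/fstab: "/" mounts with noatime; field 4 is a comma-separated option list.
check_fstab_root_noatime() {
    awk '$2 == "/" { n = split($4, o, ","); for (i = 1; i <= n; i++) if (o[i] == "noatime") ok = 1 }
         END { if (ok) exit 0; exit 1 }' "$1"
}

# /etc/sysconfig/selinux: SELINUX=disabled, as the checklist requires.
check_selinux_disabled() {
    grep -q '^SELINUX=disabled[[:space:]]*$' "$1"
}

# ip_forward on, in sysctl.conf syntax or the echo form used in rc.local.
check_ip_forward_enabled() {
    grep -Eq '^net\.ipv4\.ip_forward[[:space:]]*=[[:space:]]*1[[:space:]]*$|^echo 1 *> */proc/sys/net/ipv4/ip_forward' "$1"
}

# Run every check against $1/etc (empty $1 = live system); non-zero if any fails.
run_checks() {
    root="$1"; rc=0
    for pair in "check_resolv_local_first:$root/etc/resolv.conf" \
                "check_fstab_root_noatime:$root/etc/fstab" \
                "check_selinux_disabled:$root/etc/sysconfig/selinux" \
                "check_ip_forward_enabled:$root/etc/rc.local"; do
        fn=${pair%%:*}; file=${pair#*:}
        if [ -r "$file" ] && $fn "$file"; then echo "PASS $fn $file"
        else echo "FAIL $fn $file"; rc=1; fi
    done
    return $rc
}

# Constructed sample tree so the script runs stand-alone; values mirror the checklist.
stage=$(mktemp -d); mkdir -p "$stage/etc/sysconfig"
printf 'nameserver 127.0.0.1\nnameserver 164.88.15.1\n' > "$stage/etc/resolv.conf"
printf '/dev/md2 / ext3 defaults,noatime 0 0\n' > "$stage/etc/fstab"
printf 'SELINUX=disabled\nSELINUXTYPE=targeted\n' > "$stage/etc/sysconfig/selinux"
printf 'echo 1 > /proc/sys/net/ipv4/ip_forward\n' > "$stage/etc/rc.local"
run_checks "$stage"
```

On a live box, `run_checks` with no argument inspects the real /etc; its exit status can be used as the gate before the final reboot test.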
When shipping a new server:
- install Munin & munin-node
- install NRPE & plugins
- check in the BIOS that SATA is running in enhanced mode (run hdparm -t /dev/md0 and get at least 60 MB per second)
- check grub is installed correctly on both disks (grub: root (hd0,0), setup (hd0))
- install rpmforge
- change the CentOS-Base repo to local mirrors in yum.repos (and run updates)
- install the puppet daemon on all machines