The script below is a copy of the production one with minor changes, used for my own lab environment. Installation is a single step: a brand-new KVM virtual machine is deployed in 5 minutes.
```
#platform=x86, AMD64, or Intel EM64T
#version=DEVEL
# Firewall configuration
firewall --enabled --ssh
# Install OS instead of upgrade
install
# Use network installation
url --url="http://192.168.122.1/centos/6/os/x86_64/"
# Root password:2w3e4r5t
rootpw --iscrypted $1$SG65nSU2$qqls18a5fRwa0pahI9zsn.
# System authorization information
auth --useshadow --passalgo=sha512
# Use text mode install
text
# System keyboard
keyboard us
# System language
lang en_US
# SELinux configuration
selinux --disabled
# Do not configure the X Window System
skipx
# Installation logging level
logging --level=info
# Reboot after installation
reboot
# System timezone
#timezone Asia/Shanghai
timezone --isUtc Asia/Shanghai
# Network information
network --bootproto=dhcp --onboot=on --hostname=new.test.org
# System bootloader configuration
# Grub passwd:linux
bootloader --location=mbr --append="biosdevname=0" --md5pass="$1$cfVln6Oz$eR6dX/70Ny4dAA/amdvfA1"
# Partition clearing information
clearpart --none
#clearpart --all --initlabel
# Disk partitioning information
part /boot --bytes-per-inode=4096 --fstype=ext4 --size=150
part pv.01 --grow --size=1
volgroup vg_centos --pesize=4096 pv.01
logvol swap --name=lv_swap --vgname=vg_centos --size=512
#logvol swap --name=lv_swap --vgname=vg_centos --recommended
logvol / --bytes-per-inode=4096 --fstype=ext4 --name=lv_root --vgname=vg_centos --size=51200
# LV names must be unique within a volume group, so /data cannot reuse lv_root
logvol /data --bytes-per-inode=4096 --fstype=ext4 --name=lv_data --vgname=vg_centos --size=1024 --fsoptions="noatime,nosuid,noexec,nodev" --grow
#part swap --fstype="swap" --size=512
#part / --fstype="ext4" --grow --size=1
# Additional repositories
repo --name="excel" --baseurl=http://192.168.122.1/repo/excel/6/ --cost=100
repo --name="updates" --baseurl=http://192.168.122.1/centos/6/updates/x86_64/ --cost=100

%pre --interpreter=/usr/bin/env bash
# wipe the old partition table and start from a fresh GPT label
if [ -e /dev/sda ];then
  dd if=/dev/zero of=/dev/sda bs=512 count=1
  parted -s /dev/sda mklabel gpt
fi
if [ -e /dev/vda ];then
  dd if=/dev/zero of=/dev/vda bs=512 count=1
  parted -s /dev/vda mklabel gpt
fi
%end

#%include /tmp/addition

%post --interpreter=/usr/bin/env bash
install_server=192.168.122.1
# set build timestamp
ntpdate $install_server
echo this system was built at `LANG=C date -d "today" +"%Y-%m-%d %H:%M:%S"` >/root/timestamp.txt
chattr +a /root/timestamp.txt
sed -i '/^mirrorlist/{s/^/#/g}' /etc/yum.repos.d/CentOS-Base.repo
sed -i '/#baseurl/{s/#//g}' /etc/yum.repos.d/CentOS-Base.repo
# use local mirror to save bandwidth
curl http://$install_server/conf/etc/yum.repos.d/CentOS-Base.repo >/etc/yum.repos.d/CentOS-Base.repo
# install customized repo
curl http://$install_server/conf/etc/yum.repos.d/excel.repo > /etc/yum.repos.d/excel.repo
echo -e 127.0.0.1 "\t" new.test.org >>/etc/hosts
echo -e $install_server mirror.centos.org >>/etc/hosts
#add a static route
#route add -net 192.168.0.0 netmask 255.255.0.0 gw 192.168.122.1
#echo route add -net 192.168.0.0 netmask 255.255.0.0 gw 192.168.122.1 >> /etc/rc.local
#set character set, only english/chinese support
localedef --list-archive |egrep -v ^"en_US|zh" |xargs localedef --delete-from-archive
mv -f /usr/lib/locale/locale-archive /usr/lib/locale/locale-archive.tmpl
build-locale-archive
# Remove some unnecessary packages
#yum remove usermode -y
yum remove -y rng-tools quota samba* rpcbind lm_sensors postgresql-libs
# Run level 3 by default
#sed -i '/^id/{s/5/3/}' /etc/inittab
# Password protect single user mode
#echo "~~:S:wait:/sbin/sulogin" >> /etc/inittab
# unlock the MAC: rc.local truncates the persistent-net rules on every boot,
# so a cloned VM with a new MAC still gets eth0
echo "> /etc/udev/rules.d/70-persistent-net.rules" >> /etc/rc.local
echo $install_server >> /etc/ntp/step-tickers
sed -i '/HWCLOCK/{s/no/yes/g}' /etc/sysconfig/ntpdate
chkconfig ntpdate off
curl http://$install_server/conf/etc/ntp.conf >/etc/ntp.conf
chkconfig ntpd on
# Configure ssh server
curl http://$install_server/conf/etc/ssh/sshd_config >/etc/ssh/sshd_config
# disable DNS lookup for ssh login
#sed -i '/DNS/{s/#//g;s/yes/no/g}' /etc/ssh/sshd_config
#show motd
#sed -i '/Motd/{s/#//g}' /etc/ssh/sshd_config
# disable root login remotely
#sed -i '/PermitRootLogin/d' /etc/ssh/sshd_config
#echo "PermitRootLogin no" >> /etc/ssh/sshd_config
#echo "Banner /etc/issue.net" >> /etc/ssh/sshd_config
#chroot for ssh
#echo "session required pam_chroot.so" >>/etc/pam.d/sshd
#echo "apple /home/apple" >> /etc/security/chroot.conf
#allow ssh for LAN only
echo "SSHD:ALL EXCEPT 192.168.0.0/255.255.0.0" >>/etc/hosts.deny
#setup bacula-client
sed -i 's/@//g' /etc/bacula/bacula-fd.conf
chkconfig bacula-fd off
# Setup admin user and passwd
useradd -g wheel admin
echo "linuxfans" |passwd --stdin "admin"
chkconfig denyhosts on
#only user in wheel group can use "su"
sed -i '/required/{s/#//g}' /etc/pam.d/su
echo "SU_WHEEL_ONLY yes" >>/etc/login.defs
#lock unused passwords
passwd -l bin
passwd -l daemon
passwd -l adm
passwd -l lp
passwd -l sync
passwd -l shutdown
passwd -l halt
passwd -l mail
passwd -l uucp
passwd -l operator
passwd -l games
passwd -l gopher
passwd -l ftp
passwd -l nobody
passwd -l nagios
passwd -l dbus
passwd -l vcsa
passwd -l bacula
passwd -l rpc
passwd -l ntp
passwd -l sshd
passwd -l saslauth
passwd -l postfix
passwd -l puppet
passwd -l nrpe
chmod 700 /usr/bin/finger
chmod 700 /usr/bin/who
chmod 700 /usr/bin/w
chmod 700 /usr/bin/locate
chmod 700 /usr/bin/whereis
chmod 700 /sbin/ifconfig
chmod 700 /sbin/ip
chmod 700 /sbin/route
chmod 700 /bin/mount
#chmod 700 /usr/bin/which
#chmod 700 /usr/bin/gcc
#chmod 700 /usr/bin/make
#chmod 700 /bin/rpm
#echo "ulimit -SHn 65535" >> /etc/profile
# (the limits.conf here-document body was lost when the page was extracted)
cat >> /etc/security/limits.conf <<EOF
EOF
# (at least one sysctl line before this point was lost in extraction)
echo "net.ipv6.conf.all.disable_ipv6 = 1" >>/etc/sysctl.conf
echo "vm.swappiness = 5" >>/etc/sysctl.conf
echo "vm.drop_caches = 0" >>/etc/sysctl.conf
echo "net.core.somaxconn = 8192" >>/etc/sysctl.conf
echo "net.ipv4.tcp_max_syn_backlog = 8192" >> /etc/sysctl.conf
echo "net.core.netdev_max_backlog = 8192" >> /etc/sysctl.conf
echo "net.ipv4.ip_local_port_range = 15000 65000" >> /etc/sysctl.conf
echo "net.ipv4.conf.all.accept_redirects = 0" >>/etc/sysctl.conf
echo "net.ipv4.conf.all.log_martians = 1" >> /etc/sysctl.conf
echo "net.ipv4.conf.all.rp_filter = 1" >> /etc/sysctl.conf
echo "net.ipv4.conf.all.send_redirects = 0" >>/etc/sysctl.conf
echo "net.ipv4.conf.default.accept_redirects = 0" >>/etc/sysctl.conf
echo "net.ipv4.conf.default.log_martians = 1" >>/etc/sysctl.conf
echo "net.ipv4.tcp_timestamps = 1" >>/etc/sysctl.conf
echo "net.ipv6.conf.all.accept_redirects = 0" >>/etc/sysctl.conf
echo "net.ipv6.conf.default.accept_redirects = 0" >>/etc/sysctl.conf
echo "net.netfilter.nf_conntrack_max = 65536" >>/etc/sysctl.conf
echo "net.nf_conntrack_max = 65536" >>/etc/sysctl.conf
echo "net.netfilter.nf_conntrack_tcp_timeout_established = 700" >>/etc/sysctl.conf
#snmpd configure
#curl http://$install_server/conf/etc/snmp/snmpd.conf >/etc/snmp/snmpd.conf
sed -i '/^com2sec/{s/public/mycompany/g}' /etc/snmp/snmpd.conf
sed -i '/^access/{s/systemview/all/g}' /etc/snmp/snmpd.conf
sed -i '/80$/{s/#//g}' /etc/snmp/snmpd.conf
chkconfig snmpd on
# Let nano support syntax highlighting
#curl http://$install_server/conf/etc/nanorc >/etc/nanorc
sed -i '/^# include/{s/#//g}' /etc/nanorc
sed -i '/set const/{s/#//g}' /etc/nanorc
sed -i '/tabsize/{s/#//g;s/8/4/g}' /etc/nanorc
sed -i '/set fill/{s/#//g}' /etc/nanorc
#curl http://$install_server/conf/etc/profile >/etc/profile
# enable timestamp in command history
echo "export HISTTIMEFORMAT='%F %T '" >> /etc/profile
echo export LANG=C>>/etc/profile
#user will be logged out if no action within 60 minutes
echo export TMOUT=3600>>/etc/profile
#define a default puppet variable
echo export FACTER_LSB=CentOS6>>/etc/profile
# password policy (90 days)
sed -i '/PASS_MAX_DAYS/{s/99999/90/}' /etc/login.defs
sed -i '/PASS_MIN_LEN/{s/5/8/}' /etc/login.defs
# ipv6 is disabled, so postfix has to work under ipv4
postconf -e 'inet_protocols = ipv4'
# hide mail server type "postfix"
postconf -e 'smtpd_banner = $myhostname'
chkconfig postfix on
#chkconfig sendmail on
#setup network
chkconfig network on
ifconfig eth0 > /dev/null
if [ $? == "0" ];then
# (the ifcfg-eth0 here-document body was lost in extraction)
cat > /etc/sysconfig/network-scripts/ifcfg-eth0 <<EOF
EOF
fi
ifconfig eth1 > /dev/null
if [ $? == "0" ];then
# (the ifcfg-eth1 here-document body was lost in extraction)
cat > /etc/sysconfig/network-scripts/ifcfg-eth1 <<EOF
EOF
fi
# (the command that first wrote /etc/resolv.conf was lost in extraction; only its redirection survived)
> /etc/resolv.conf
echo "nameserver 203.80.96.10" >> /etc/resolv.conf
#setup firewall
curl http://$install_server/conf/firewall.sh >/root/firewall.sh
# (the motd here-document body was lost in extraction)
cat > /etc/motd <<EOF
EOF
>/etc/issue
>/etc/issue.net
# quote the command substitution: an empty virt-what output would otherwise break the test
if [ "$(virt-what)" == "vmware" ];then yum install open-vm-tools -y;fi
# linux host template for nagios monitoring
# curl http://$install_server/conf/etc/nagios/template.linux.cfg > /root/template.linux.cfg
sed -i '/remove/{s/#//g}' /etc/yum/pluginconf.d/remove-with-leaves.conf
#enable the watchdog function
echo "modprobe softdog" >> /etc/sysconfig/watchdog
#curl http://$install_server/conf/etc/watchdog.conf >/etc/watchdog.conf
sed -i '/min-memory/{s/#//}' /etc/watchdog.conf
sed -i '/watchdog-device/{s/#//}' /etc/watchdog.conf
sed -i '/admin/{s/#//}' /etc/watchdog.conf
sed -i '/interval/{s/#//}' /etc/watchdog.conf
sed -i '/logtick/{s/#//}' /etc/watchdog.conf
sed -i '/pidfile/{s/#//}' /etc/watchdog.conf
chkconfig watchdog on
# configure nagios client
curl http://$install_server/conf/etc/nagios/nrpe.cfg >/etc/nagios/nrpe.cfg
#sed -i '/server_address/{s/#//g;s/127.0.0.1/'$lan_ip'/g}' /etc/nagios/nrpe.cfg
sed -i '/allowed_hosts/{s/127.0.0.1/&,192.168.122.254/}' /etc/nagios/nrpe.cfg
chkconfig nrpe on
curl http://$install_server/conf/etc/zabbix/zabbix_agentd.conf >/etc/zabbix/zabbix_agentd.conf
#sed -i '/^Server=/{s/127.0.0.1/192.168.1.254/}' /etc/zabbix/zabbix_agentd.conf
#sed -i '/^Hostname/{s/Zabbix/new/}' /etc/zabbix/zabbix_agentd.conf
chkconfig zabbix-agent on
# send realtime syslog to the log server
curl http://$install_server/conf/etc/rsyslog.conf >/etc/rsyslog.conf
#echo "*.* @192.168.122.254" >>/etc/rsyslog.conf
# configure puppet client
curl http://$install_server/conf/etc/puppet/puppet.conf >/etc/puppet/puppet.conf
sed -i '/SERVER/{s/#//g}' /etc/sysconfig/puppet
sed -i '/SERVER/{s/puppet/&.test.org/}' /etc/sysconfig/puppet
sed -i '/PORT/{s/#//g}' /etc/sysconfig/puppet
chkconfig puppet off
# Mail out if system updates found
curl http://$install_server/conf/etc/sysconfig/yum-cron >/etc/sysconfig/yum-cron
chkconfig yum-cron on
# Run rkhunter weekly
mv /etc/cron.daily/rkhunter /etc/cron.weekly/
/usr/bin/rkhunter --propupd
#configure tripwire
#curl http://$install_server/conf/etc/tripwire/twpol.txt >/etc/tripwire/twpol.txt
# Configure linux audit system
#curl http://$install_server/conf/etc/audit/audit.rules > /etc/audit/audit.rules
chkconfig auditd on
chkconfig ip6tables off
chkconfig irqbalance on
chkconfig psacct on
chkconfig yum-updateonboot off
#chkconfig --del rdisc
%end

%packages --nobase
@Core
autoconf
automake
bacula-client
bison
denyhosts
dstat
flex
gcc
gcc-c++
gd-devel
gdisk
git
iftop
iotop
ipa-client
iptstate
irqbalance
lftp
libtool
logwatch
lsof
lynis
mailx
man
mysql-devel
nagios-plugins
nagios-plugins-all
nano
ncurses
net-snmp
net-snmp-utils
nmap
nrpe
ntsysv
openssh-clients
parted
perl-Crypt-SSLeay
perl-Net-SSLeay
perl-libwww-perl
puppet
rsync
setuptool
sysstat
system-config-firewall-tui
system-config-network-tui
telnet
time
tmpwatch
vim
virt-what
watchdog
wget
yum-utils
%end
```

Once the system is installed, the remaining work is:
1. Change the hostname (done on the newly installed machine)
2. Assign a suitable static IP address (done on the newly installed machine)
3. Register the IPA client (done on the newly installed machine)
4. Register the puppet client (done on the server side; autosign is also possible)
5. Register the nagios and cacti clients (done on the server side)
6. Register the bacula client (done on the server side)
7. Deploy the actual application
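Before handing a freshly kickstarted machine over to step 7, it is worth confirming that the %post hardening actually landed. The check script below is an added example, not part of the original kickstart: it verifies the sysctl keys the %post section appends, the nosuid/noexec/nodev options on the /data logical volume, and that the system accounts passed to `passwd -l` are really locked. Every check takes file paths, so it runs here against constructed fixtures (the sysctl.conf, fstab and shadow contents and the placeholder hashes are made up for the example) and on a real host as `report /etc`, run as root so /etc/shadow is readable.

```shell
#!/bin/sh
# Added post-install verification (not part of the original kickstart).
# Each check takes file paths, so it runs against the constructed fixtures
# below as well as the live files: "report /etc" on a kickstarted host.

# Succeed when every key=value argument appears in the sysctl file $1 with that
# value; the last definition wins, and the uneven spacing of the %post echo
# lines ("log_martians =1") is tolerated.
sysctl_has_all() {
    file="$1"; shift
    for kv in "$@"; do
        key="${kv%%=*}"; want="${kv#*=}"
        got=$(sed -n "s/^[[:space:]]*${key}[[:space:]]*=[[:space:]]*//p" "$file" \
              | tail -n 1 | sed 's/[[:space:]]*$//')
        [ "$got" = "$want" ] || { echo "sysctl $key: want '$want', got '${got:-<unset>}'"; return 1; }
    done
    return 0
}

# Succeed when the fstab entry for mount point $2 carries every option in $3..;
# this is what --fsoptions="noatime,nosuid,noexec,nodev" on /data should yield.
fstab_mount_has_opts() {
    file="$1"; mnt="$2"; shift 2
    opts=$(awk -v m="$mnt" '$1 !~ /^#/ && $2 == m { print $4 }' "$file")
    [ -n "$opts" ] || { echo "$mnt: no fstab entry"; return 1; }
    for o in "$@"; do
        case ",$opts," in
            *,"$o",*) ;;
            *) echo "$mnt: missing mount option $o (have $opts)"; return 1 ;;
        esac
    done
    return 0
}

# Succeed when each named account is locked in shadow-format file $1:
# passwd -l prefixes the hash with "!" ("!!" on RHEL/CentOS) and "*" can never
# match a password; an empty or absent field fails the check.
accounts_locked() {
    file="$1"; shift
    for u in "$@"; do
        hash=$(awk -F: -v u="$u" '$1 == u { print $2 }' "$file")
        case "$hash" in
            '!'*|'*'*) ;;
            *) echo "$u: not locked (hash field '${hash:-<absent>}')"; return 1 ;;
        esac
    done
    return 0
}

# Print PASS/FAIL for one named check and count failures in $fails.
check() {
    name="$1"; shift
    if "$@"; then echo "PASS: $name"; else echo "FAIL: $name"; fails=$((fails + 1)); fi
}

# Run the checks against directory $1 holding sysctl.conf, fstab and shadow
# (/etc on a live host); return the number of failed checks.
report() {
    d="$1"; fails=0
    check sysctl-hardening sysctl_has_all "$d/sysctl.conf" \
        net.ipv4.conf.all.accept_redirects=0 net.ipv4.conf.all.send_redirects=0 \
        net.ipv4.conf.all.rp_filter=1 net.ipv4.conf.all.log_martians=1
    check data-mount-options fstab_mount_has_opts "$d/fstab" /data nodev nosuid noexec
    check system-accounts-locked accounts_locked "$d/shadow" bin daemon adm lp ftp nobody
    return "$fails"
}

# Constructed fixtures (not real system files) shaped like the files the %post
# section leaves behind; the hashes are placeholders.
make_fixtures() {
    dir=$(mktemp -d)
    cat > "$dir/sysctl.conf" <<'EOF'
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.log_martians =1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.all.send_redirects = 0
EOF
    cat > "$dir/fstab" <<'EOF'
/dev/mapper/vg_centos-lv_root /     ext4 defaults                    1 1
/dev/mapper/vg_centos-lv_data /data ext4 noatime,nosuid,noexec,nodev 1 2
EOF
    cat > "$dir/shadow" <<'EOF'
root:$6$placeholder$placeholderhash:16000:0:99999:7:::
bin:!!*:16000:0:99999:7:::
daemon:!!*:16000:0:99999:7:::
adm:!!*:16000:0:99999:7:::
lp:!!*:16000:0:99999:7:::
ftp:!!*:16000:0:99999:7:::
nobody:!!*:16000:0:99999:7:::
admin:$6$placeholder$placeholderhash:16000:0:90:7:::
EOF
    echo "$dir"
}

fixtures=$(make_fixtures)
report "$fixtures"
rm -rf "$fixtures"
```

The checks read files rather than querying the running kernel on purpose: `sysctl -a` would show what is in effect now, while the point here is whether the persisted configuration survives a reboot, and reading the shadow file directly is what catches an account that was never locked because `passwd -l` ran before the package that creates it was installed.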
update 2012-12-25
Switched to LVM partitioning so that disks can be extended.
update 2013-03-14
On Dell servers, when the NICs are detected as em*, the kernel parameter biosdevname=0 makes them show up as eth* instead.
Alternatively, name the install interface directly in the kernel boot parameters:
linux ksdevice=em1 ks=http://xxxx/ks.cfg
ksdevice=link also works.
update 2013-03-17
GPT partitioning is now the default, supporting disks larger than 2 TB and solving the disk-extension problem for good.
The disk-initialisation dialog is gone, so installation really is one step.
update 2013-04-25
Added NIC tuning (for gigabit NICs).
update 2013-08-19
Added btrfs partition support.
update 2013-09-01
File systems are 4K-aligned.
update 2014-01-19
Added a /data mount point for deploying applications, with its mount options tuned and hardened.
update 2014-05-01
Trimmed the locale set to Chinese and English only.
update 2014-08-22
How can several data centres share one ks script while each keeps its installation source on its own internal network?
1. Comment out the installation source in the ks script and add this to the PXE kernel boot parameters:
repo=http://192.168.122.1/centos/6/os/x86_64
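The kickstart above already reserves a hook for this kind of per-site value: the commented-out `%include /tmp/addition`. The script below is an added example, not the author's, of the %pre side of that mechanism: it reads `repo=` off the kernel command line and renders the matching `url` and `updates` directives into the include file, so the updates repository follows the same site mirror as the installation source instead of staying pinned to 192.168.122.1. `repo=`, `ks=` and `ksdevice=` are anaconda boot parameters; the sample command line, the 10.0.0.1 mirror address and the assumption that every site's mirror uses the same /centos/6/os and /centos/6/updates layout are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the original kickstart: pick the install source
# off the kernel command line in %pre and feed it back to the kickstart through
# the %include file the script already reserves (/tmp/addition). The sample
# command line and the 10.0.0.1 mirror are constructed values; the updates path
# assumes the same mirror layout as the page (/centos/6/updates/x86_64/).

# Print the value of the key=value word $2 in command line $1; return 1 if
# absent. The full "key=" prefix test keeps "ks=" from matching "ksdevice=".
cmdline_get() {
    for word in $1; do
        case "$word" in
            "$2="*) printf '%s\n' "${word#*=}"; return 0 ;;
        esac
    done
    return 1
}

# Render the kickstart lines for /tmp/addition: the url directive from repo=
# and the matching updates repo on the same mirror host. Without repo= nothing
# is rendered (return 1), so a ks that keeps its own url line still works.
render_addition() {
    repo=$(cmdline_get "$1" repo) || return 1
    repo="${repo%/}"                           # drop any trailing slash
    host="${repo#*://}"; host="${host%%/*}"   # scheme://host/path -> host
    printf 'url --url="%s/"\n' "$repo"
    printf 'repo --name="updates" --baseurl=http://%s/centos/6/updates/x86_64/ --cost=100\n' "$host"
}

# Write the rendered lines to $2 (/tmp/addition in %pre). When repo= is
# missing the file is left empty rather than absent, so that
# "%include /tmp/addition" still parses.
write_addition() {
    render_addition "$1" > "$2"
}

# Constructed command line for a node in a second site whose mirror is
# 10.0.0.1; in %pre use "$(cat /proc/cmdline)" instead.
SAMPLE_CMDLINE='initrd=initrd.img ks=http://192.168.122.1/ks.cfg ksdevice=link repo=http://10.0.0.1/centos/6/os/x86_64 biosdevname=0'

render_addition "$SAMPLE_CMDLINE"
```

In %pre the call is `write_addition "$(cat /proc/cmdline)" /tmp/addition`; the `url` line in the kickstart is then commented out and `%include /tmp/addition` uncommented. The `install_server` variable in %post is a separate, hard-coded value and is not covered by this: %post runs chrooted into the installed system, so a per-site value for it has to reach the target disk by another route.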
update 2014-09-12
On SSDs the following error may appear:
UNEXPECTED INCONSISTENCY; RUN fsck MANUALLY
Temporary fix: fsck -y /dev/sdax
Permanent fix: add acpi=off to the kernel boot parameters.
update 2016-08-05
Added a VMware virtualisation check that installs vm-tools.