





Futur chd-stg1

  • netinstall Debian 9 amd64
  • Français / France
  • hostname : chd-stg1.chd.sx
  • Une seule partition sda1 de la taille du SSD, options discard,noatime, label=chd-stg1-rootfs
  • tasksel : utilitaires usuels, serveur ssh, pas d'env graphique
  • user root et rescue

Configuration initiale

/root/.ssh/authorized_keys
[...]
/etc/default/grub
GRUB_CMDLINE_LINUX_DEFAULT=""
GRUB_CMDLINE_LINUX="net.ifnames=0 nomodeset console=ttyS0,115200n8 console=tty1 systemd.journald.forward_to_console=1 systemd.journald.max_level_console=warning"
GRUB_TERMINAL=console
GRUB_INIT_TUNE="1000 334 1 334 1 0 1 334 1 0 1 261 1 334 1 0 1 392 2 0 4 196 2"
/etc/default/console-setup
FontFace="VGA"
/etc/default/networking
VERBOSE=YES
# update-grub only runs the executable snippets in /etc/grub.d; strip the
# execute bit from the ones this host does not need, then rebuild grub.cfg.
for snippet in 05_debian_theme 20_linux_xen 30_os-prober 30_uefi-firmware 40_custom 41_custom; do
  chmod -x -- "/etc/grub.d/${snippet}"
done
update-grub
 
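# Base tooling for the host. A trailing '-' (lvm2-, mysql-common-) tells apt to
# remove that package in the same transaction.
# Fix: the package is libvirt-daemon-system (one leading 'l'); the misspelled
# name made apt abort the whole line with "Unable to locate package".
apt install arping beep bind binutils borgbackup conntrack cpufrequtils dnsutils \
  ethtool fail2ban git gt5 htop iftop iotop iperf iperf3 ipmitool \
  libvirt-daemon libvirt-daemon-system lldpd lm-sensors molly-guard mtr-tiny nmap ntp \
  nullmailer powertop psmisc qemu-kvm rsync screen sdparm smartmontools sshpass strace \
  sysstat tcpdump tree unzip vim lvm2- mysql-common-

# Probe the hardware sensor chips; the modules it reports are the ones listed
# under "Generated by sensors-detect" in /etc/modules below.
sensors-detect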
 
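# Dependencies for if_rrd_fast.py
apt install rrdtool python-pyrrd

# Clone the internal tooling from chd.sx straight into /root/git. Cloning by
# absolute destination removes the earlier dependency on a bare "cd /root/git"
# having succeeded (a failed cd would have dropped the clones into /root).
mkdir -p /root/git
git clone root@chd.sx:/var/git/if_rrd_fast /root/git/if_rrd_fast
git clone root@chd.sx:/var/git/chd_gestion /root/git/chd_gestion

# Convenience links so the scripts are reachable from /root and from PATH.
# setup_routing.sh is what setup_routing.service runs at boot (see below).
ln -s /root/git/if_rrd_fast/if_rrd_fast.py /root/
ln -s /root/git/chd_gestion/misc/setup_routing.sh /root/
ln -s /root/git/chd_gestion/misc/ssh-rt.sh /root/
ln -s /root/git/chd_gestion/misc/genconf_prod /usr/local/bin/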
 
# Create the chd-stg2 VM with virt-manager over SSH, then mark it for autostart:
# libvirt starts every domain whose XML is linked from qemu/autostart/ at boot.
ln -s /etc/libvirt/qemu/chd-stg2.xml /etc/libvirt/qemu/autostart/
/etc/default/ntp
NTPD_OPTS='-g -I eth0'
/etc/default/lldpd
# Active l'écoute CDP, désactive LLDP
DAEMON_ARGS="-c -ll"
/etc/hosts.system
127.0.0.1              localhost
185.131.40.1           chd-stg1.chd.sx chd-stg1
185.131.40.2           chd-stg2.chd.sx moniteur.chd.sx stg2.chd.sx ns2.commingeshautdebit.fr chd-stg2
 
::1                    localhost ip6-localhost ip6-loopback
ff02::1                ip6-allnodes
ff02::2                ip6-allrouters
/etc/ethers.system
# empty for now
# Dedicated account (presumably the one genconf_prod connects as — verify).
# passwd -d removes its password and -l locks it, so the account can only be
# reached with the SSH key placed in /home/genconf/.ssh/authorized_keys below.
adduser genconf
passwd -dl genconf
/home/genconf/.ssh/authorized_keys
/etc/modules
# ipmitool
ipmi_si
 
# Generated by sensors-detect on Fri Apr  6 09:11:11 2018
# Chip drivers
coretemp
jc42
w83627ehf
/etc/network/interfaces
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).
 
source /etc/network/interfaces.d/*
 
# The loopback network interface
auto lo
iface lo inet loopback
	# https://www.kernel.org/doc/Documentation/networking/ip-sysctl.txt
	up sysctl -w net.ipv4.conf.all.arp_announce=2
	up sysctl -w net.ipv4.ip_forward=1 
	up sysctl -w net.ipv6.conf.all.accept_ra_pinfo=0
	up sysctl -w net.ipv6.conf.all.accept_redirects=0
	up sysctl -w net.ipv6.conf.all.router_solicitations=0
	up sysctl -w net.ipv6.conf.all.accept_dad=0
	up sysctl -w net.ipv6.route.max_size=16384
	up sysctl -w net.ipv6.conf.all.forwarding=1
	up ip a r 185.131.40.1/32 dev $IFACE
	up ip -6 a r 2a03:a0a0:0000::1/128 dev $IFACE
 
# Interco Fullsave LAN2LAN IPv4
auto eth0
iface eth0 inet static
	address 93.93.40.214
	netmask 255.255.255.252
	up ip r r unreachable 185.131.40.0/22
	up ip r r default via 93.93.40.213 dev $IFACE src 185.131.40.1
	up sysctl -w net.ipv6.conf.$IFACE.accept_dad=0
 
# Interco Fullsave LAN2LAN IPv6
iface eth0 inet6 static
	address 2a01:6600:20:3000::1/127
	up ip -6 r r unreachable 2a03:a0a0:0000::/48 
	up ip -6 r r unreachable 2a03:a0a0:0001::/48 
	up ip -6 r r default via 2a01:6600:20:3000:: dev $IFACE src 2a03:a0a0::1
 
# Réseau des antennes CHD
auto br1
iface br1 inet static
	bridge_ports	eth1
	bridge_stp	off
	bridge_maxwait	0
	bridge_fd	0
	# gw IPv4 routeurs adhérents
	address 172.16.0.254
	netmask 255.255.0.0
	# Nécessaire tant qu'on a du NAT
	up modprobe nf_conntrack
	up sysctl -w net.netfilter.nf_conntrack_max=65536
	up sysctl -w net.ipv6.conf.$IFACE.accept_dad=0
	# gw IPv6 routeurs adhérents
	up ip -6 a r fe80::31/64 dev $IFACE
	# chd-stg2.chd.sx (2016-03-05 - now)
	up ip r r 185.131.40.2 dev $IFACE
	up ip -6 r r 2a03:a0a0::2 dev $IFACE
	# ns3.chd.sx (2016-03-05 - now) (on chd-stg2)
	up ip r r 185.131.40.3 dev $IFACE
	up ip -6 r r 2a03:a0a0::3 dev $IFACE
	# Routage adhérents
	#  cf /etc/systemd/system/setup_routing.service
	#
	# Anciens routages (historique 1 an nécessaire)
	# srv1.stg.prosoluce.net (2015-12-31 - 2016-03-05)
	#up ip r r 185.131.40.2 dev $IFACE
	#up ip -6 r r 2a03:a0a0::2 dev $IFACE
	# nuc-stgo (old stg2) (2015-12-31 - 2016-09-19)
	#up ip r r 185.131.40.4 dev $IFACE
	# srv1.stg.prosoluce.net (2016-03-05 - now)
	#up ip r r 185.131.40.9 dev $IFACE
	#up ip -6 r r 2a03:a0a0::9 dev $IFACE
	# backup3.stg.prosoluce.net (2016-01-02 - now)
	#up ip r r 185.131.40.10 dev $IFACE
 
auto br1:1
iface br1:1 inet static
	address 192.168.0.2
	netmask 255.255.255.0
 
iface br1:1 inet static
	address 192.168.1.2
	netmask 255.255.255.0
# Reboot so the grub cmdline, /etc/modules and /etc/network/interfaces changes above take effect.
reboot
 
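apt install munin-node
rm /etc/munin/plugins/ntp_*
rm /etc/munin/plugins/swap

# systemd_units comes from the munin contrib repository, not from the Debian
# package, and munin-node executes it as a plugin. Do not install it straight
# from the moving "master" branch: fetch a pinned commit into a temp file, make
# sure the download succeeded (wget -O leaves an empty file behind on failure,
# which the old chmod +x would have installed anyway), check its hash, and only
# then put it in place. Replace the two placeholders with the commit you
# reviewed and the sha256 of that revision of the file.
plugin_url='https://raw.githubusercontent.com/munin-monitoring/contrib/<CONTRIB_COMMIT>/plugins/systemd/systemd_units'
plugin_tmp=$(mktemp)
wget -O "$plugin_tmp" "$plugin_url" \
  && printf '%s  %s\n' '<EXPECTED_SHA256>' "$plugin_tmp" | sha256sum -c - \
  && install -m 0755 -- "$plugin_tmp" /etc/munin/plugins/systemd_units
rm -f -- "$plugin_tmp"

# Rename the if_enp4s0 plugins to if_eth0 if needed (the grub cmdline sets
# net.ifnames=0, so the interfaces are called eth*).
ln -s /usr/share/munin/plugins/bind9 /etc/munin/plugins/
ln -s /usr/share/munin/plugins/ipmi_sensor_ /etc/munin/plugins/ipmi_sensor_u_volts
ln -s /usr/share/munin/plugins/sensors_ /etc/munin/plugins/sensors_fan
ln -s /usr/share/munin/plugins/sensors_ /etc/munin/plugins/sensors_temp
ln -s /usr/share/munin/plugins/fw_conntrack /etc/munin/plugins/
ln -s /usr/share/munin/plugins/smart_ /etc/munin/plugins/smart_sda
ln -s /usr/share/munin/plugins/tcp /etc/munin/plugins/

# Smoke-test every installed plugin once. "$p" is quoted so a plugin name
# cannot be word-split, and the cd is checked so a typo in the path does not
# run munin-run against the current directory's files.
( cd /etc/munin/plugins || exit 1; time for p in *; do munin-run "$p"; done )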
/etc/munin/munin-node.conf
allow ^185\.61\.116\.41$
/etc/munin/plugin-conf.d/local
[bind9]
group bind
# Pick up munin-node.conf (allow line) and plugin-conf.d/local (bind9 group).
service munin-node restart
 
# Drop packages that only make sense on a desktop/laptop (os-prober is already disabled in grub.d above).
apt autoremove --purge os-prober doc-debian doc-debian-fr debian-faq ispell laptop-detect wamerican wfrench xauth 
 
# Mount point for the bind-owned tmpfs declared in /etc/fstab below (query log stays off the SSD).
mkdir /var/log/bind9
/etc/fstab
none	/var/log/bind9	tmpfs	uid=bind,gid=bind,mode=0750,size=30m	0	0
/etc/bind/named.conf.local
include "/etc/bind/zones.rfc1918";
 
acl internals {
	127.0.0.0/8;
	172.16.0.0/16;
	185.131.40.0/22;
	fe80::/12;
	2a03:a0a0::/32;
};
 
logging {
	channel query {
		file "/var/log/bind9/query.log" versions 2 size 10m;
		print-time yes;
		severity info;
	};
	category queries { query; };
};
/etc/bind/named.conf.options
        # 2018-04-04 lpo personnalisation pour CHD
        #listen-on-v6 { any; };
        listen-on-v6 { fe80::31%br1; };
        listen-on { 127.0.0.1; 172.16.0.254; 185.131.40.1; };
        version none;
        allow-query { internals; };
        allow-recursion { internals; };
        memstatistics-file "/var/log/bind9/bind.stats";
        max-cache-size 384m;
/etc/resolv.conf
search chd.sx
nameserver 185.131.40.1
# Restart bind9 with the new ACL/logging config and check that the "query"
# channel actually writes into the tmpfs.
service bind9 restart
ls /var/log/bind9/query.log
/etc/systemd/system/getty@tty1.service.d/noclear.conf
[Service]
TTYVTDisallocate=no
/etc/systemd/system/setup_routing.service
[Unit]
Description=Setup routing at boot time
After=network.target
 
[Service]
Type=oneshot
ExecStart=/root/setup_routing.sh log_run
 
[Install]
WantedBy=multi-user.target
# Run /root/setup_routing.sh log_run at every boot (unit defined just above).
systemctl enable setup_routing.service 
/etc/motd
      _         _           _        _ 
  ___| |__   __| |      ___| |_ __ _/ |
 / __| '_ \ / _` |_____/ __| __/ _` | |
| (__| | | | (_| |_____\__ \ || (_| | |
 \___|_| |_|\__,_|     |___/\__\__, |_|
                               |___/   
 
                                           chd-stg1.chd.sx
/root/.bashrc
# Colorized ls and the usual shortcuts (the lines Debian's stock /root/.bashrc
# ships commented out).
LS_OPTIONS='--color=auto'
export LS_OPTIONS
eval "$(dircolors)"
alias ls='ls $LS_OPTIONS'
alias ll='ls $LS_OPTIONS -l'
alias l='ls $LS_OPTIONS -lA'

# Ask before clobbering files.
alias rm='rm -i'
alias cp='cp -i'
alias mv='mv -i'

# A command typed with a leading space is kept out of the history
# (useful when a secret has to go on the command line).
HISTIGNORE=' *'
export HISTIGNORE
# Boot-time network log: from the first ifup line onwards, only what comes
# from ifup, the kernel or setup_routing.
alias journalnet="journalctl | awk '/ifup/ { out=1 } / (ifup|kernel|setup_routing)/{if (out==1) { print \$0 } }' | less"

# On login, point at the failed units whenever the system is not fully up.
if ! systemctl is-system-running --quiet; then
  systemctl --state=failed
  echo >&2
  echo "Use 'journalnet' for networking + related kernel and script logs" >&2
fi
/root/iftoprc
interface: br1
max-bandwidth: 10M
hide-source: yes
dns-resolution: no
/root/.vimrc
syn on
/etc/fail2ban/
├── action.d
│   └── route.conf
├── fail2ban.conf
├── fail2ban.d
├── filter.d
│   ├── common.conf
│   ├── pam-generic.conf
│   └── sshd.conf
├── jail.conf
├── jail.conf.lpo
├── jail.d
│   ├── customisation.local
│   └── defaults-debian.conf
├── paths-common.conf
├── paths-debian.conf
└── paths-opensuse.conf
/etc/fail2ban/jail.d/customisation.local
[DEFAULT]
maxretry = 3
banaction_allports = route
 
[sshd]
enabled = true
banaction = %(banaction_allports)s
 
[pam-generic]
enabled = true
/etc/fail2ban/action.d/route.conf
[Init]
#blocktype = unreachable
blocktype = blackhole

TODO

configurer munin/multiping
VM chd-stg2 en d9 "vierge"
tester interfaces, max nfconntrack, genconf, fail2ban, nullmailer
voir si cpufreq par défaut est ok ou pas
netconsole config
apt remove --purge isc-dhcp-client isc-dhcp-common
lldp à recompiler
backup borg
mailer + mail alert (smartmontools/logcheck ?)
Point de montage pour /var/lib/libvirt/images/