# GRUB defaults (presumably /etc/default/grub — it is sourced as shell by
# update-grub, which is run further down this page). One setting per line.

# Nothing extra for the normal-boot menu entry.
GRUB_CMDLINE_LINUX_DEFAULT=""

# Applied to every entry: classic ethX interface names (the interfaces file on
# this page uses eth0/eth1), no kernel mode setting, serial console ttyS0 at
# 115200 8N1 with tty1 as second console, and journald mirroring messages of
# level warning and above to the console.
GRUB_CMDLINE_LINUX="net.ifnames=0 nomodeset console=ttyS0,115200n8 console=tty1 systemd.journald.forward_to_console=1 systemd.journald.max_level_console=warning"

# Show the GRUB menu on the text/serial console instead of a graphical terminal.
GRUB_TERMINAL=console

# Tune played when GRUB starts (tempo, then pitch/duration pairs), so a reboot
# can be heard on a headless box.
GRUB_INIT_TUNE="1000 334 1 334 1 0 1 334 1 0 1 261 1 334 1 0 1 392 2 0 4 196 2"
# Console font face; the owning file is not shown on this page —
# presumably /etc/default/console-setup (confirm before reusing).
FontFace="VGA"
# Verbose on/off switch; which file this line belongs to is not shown on
# this page — confirm the file before reusing it.
VERBOSE=YES
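# Base setup of chd-stg1, run as root. The wiki collapsed these steps onto one
# line; they are restored one per line so each can be run and checked.

# Keep only the plain Linux entries in the GRUB menu: disable the theme, Xen,
# os-prober, UEFI-firmware and custom generators, then regenerate grub.cfg.
chmod -x /etc/grub.d/{05_debian_theme,20_linux_xen,30_os-prober,30_uefi-firmware,40_custom,41_custom}
update-grub

# Base tool set. A trailing '-' (lvm2-, mysql-common-) asks apt to remove that
# package in the same transaction.
# Fix: the package is libvirt-daemon-system; the wiki had "llibvirt-daemon-system",
# which aborts the whole apt transaction.
# NOTE(review): "bind" — the server package used later on this page is bind9
# (service bind9 restart); confirm the intended package name.
apt install arping beep bind binutils borgbackup conntrack cpufrequtils dnsutils ethtool fail2ban git gt5 htop iftop iotop iperf iperf3 ipmitool libvirt-daemon libvirt-daemon-system lldpd lm-sensors molly-guard mtr-tiny nmap ntp nullmailer powertop psmisc qemu-kvm rsync screen sdparm smartmontools sshpass strace sysstat tcpdump tree unzip vim lvm2- mysql-common-

# Interactive hardware probe from lm-sensors (not an apt package); it produced
# the coretemp / jc42 / w83627ehf module list shown further down this page.
sensors-detect

# For if_rrd_fast.py
apt install rrdtool python-pyrrd

# Local checkouts of the management repositories.
# NOTE(review): clones over SSH as root@chd.sx; a read-only user or deploy key
# on chd.sx would limit what this host's root key can do there — confirm policy.
mkdir -p /root/git
cd /root/git || exit 1
git clone root@chd.sx:/var/git/if_rrd_fast
git clone root@chd.sx:/var/git/chd_gestion
ln -s /root/git/if_rrd_fast/if_rrd_fast.py /root/
ln -s /root/git/chd_gestion/misc/setup_routing.sh /root/
ln -s /root/git/chd_gestion/misc/ssh-rt.sh /root/
ln -s /root/git/chd_gestion/misc/genconf_prod /usr/local/bin/

# Create the chd-stg2 VM via virt-manager over SSH, then mark it for autostart.
ln -s /etc/libvirt/qemu/chd-stg2.xml /etc/libvirt/qemu/autostart/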
# ntpd daemon options (/etc/default/ntp style, see ntpd(8)): -g permits a
# large initial clock step, -I eth0 binds the daemon to the uplink interface
# eth0 configured in the interfaces file on this page.
NTPD_OPTS='-g -I eth0'
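# lldpd daemon options (/etc/default/lldpd style). On the wiki this assignment
# was folded into the comment line, so nothing was actually set; restored as
# its own line.
# Enable CDP listening, disable LLDP.
DAEMON_ARGS="-c -ll"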
127.0.0.1 localhost 185.131.40.1 chd-stg1.chd.sx chd-stg1 185.131.40.2 chd-stg2.chd.sx moniteur.chd.sx stg2.chd.sx ns2.commingeshautdebit.fr chd-stg2 ::1 localhost ip6-localhost ip6-loopback ff02::1 ip6-allnodes ff02::2 ip6-allrouters
# empty for now
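# Service account for genconf. The wiki ran these two commands and the
# authorized_keys path together as one line, which would pass "passwd -dl
# genconf /home/..." as extra arguments to adduser; restored as separate steps.
adduser genconf

# Delete the password and lock the account: no password login at all, while
# SSH public-key authentication is expected to keep working (confirm on this
# sshd/PAM setup).
passwd -dl genconf

# Then put the authorised public key(s) in /home/genconf/.ssh/authorized_keys
# (a file to edit, not a command argument).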
# ipmitool ipmi_si # Generated by sensors-detect on Fri Apr 6 09:11:11 2018 # Chip drivers coretemp jc42 w83627ehf
# This file describes the network interfaces available on your system # and how to activate them. For more information, see interfaces(5). source /etc/network/interfaces.d/* # The loopback network interface auto lo iface lo inet loopback # https://www.kernel.org/doc/Documentation/networking/ip-sysctl.txt up sysctl -w net.ipv4.conf.all.arp_announce=2 up sysctl -w net.ipv4.ip_forward=1 up sysctl -w net.ipv6.conf.all.accept_ra_pinfo=0 up sysctl -w net.ipv6.conf.all.accept_redirects=0 up sysctl -w net.ipv6.conf.all.router_solicitations=0 up sysctl -w net.ipv6.conf.all.accept_dad=0 up sysctl -w net.ipv6.route.max_size=16384 up sysctl -w net.ipv6.conf.all.forwarding=1 up ip a r 185.131.40.1/32 dev $IFACE up ip -6 a r 2a03:a0a0:0000::1/128 dev $IFACE # Interco Fullsave LAN2LAN IPv4 auto eth0 iface eth0 inet static address 93.93.40.214 netmask 255.255.255.252 up ip r r unreachable 185.131.40.0/22 up ip r r default via 93.93.40.213 dev $IFACE src 185.131.40.1 up sysctl -w net.ipv6.conf.$IFACE.accept_dad=0 # Interco Fullsave LAN2LAN IPv6 iface eth0 inet6 static address 2a01:6600:20:3000::1/127 up ip -6 r r unreachable 2a03:a0a0:0000::/48 up ip -6 r r unreachable 2a03:a0a0:0001::/48 up ip -6 r r default via 2a01:6600:20:3000:: dev $IFACE src 2a03:a0a0::1 # Réseau des antennes CHD auto br1 iface br1 inet static bridge_ports eth1 bridge_stp off bridge_maxwait 0 bridge_fd 0 # gw IPv4 routeurs adhérents address 172.16.0.254 netmask 255.255.0.0 # Nécessaire tant qu'on a du NAT up modprobe nf_conntrack up sysctl -w net.netfilter.nf_conntrack_max=65536 up sysctl -w net.ipv6.conf.$IFACE.accept_dad=0 # gw IPv6 routeurs adhérents up ip -6 a r fe80::31/64 dev $IFACE # chd-stg2.chd.sx (2016-03-05 - now) up ip r r 185.131.40.2 dev $IFACE up ip -6 r r 2a03:a0a0::2 dev $IFACE # ns3.chd.sx (2016-03-05 - now) (on chd-stg2) up ip r r 185.131.40.3 dev $IFACE up ip -6 r r 2a03:a0a0::3 dev $IFACE # Routage adhérents # cf /etc/systemd/system/setup_routing.service # # Anciens routages (historique 1 
an nécessaire) # srv1.stg.prosoluce.net (2015-12-31 - 2016-03-05) #up ip r r 185.131.40.2 dev $IFACE #up ip -6 r r 2a03:a0a0::2 dev $IFACE # nuc-stgo (old stg2) (2015-12-31 - 2016-09-19) #up ip r r 185.131.40.4 dev $IFACE # srv1.stg.prosoluce.net (2016-03-05 - now) #up ip r r 185.131.40.9 dev $IFACE #up ip -6 r r 2a03:a0a0::9 dev $IFACE # backup3.stg.prosoluce.net (2016-01-02 - now) #up ip r r 185.131.40.10 dev $IFACE auto br1:1 iface br1:1 inet static address 192.168.0.2 netmask 255.255.255.0 iface br1:1 inet static address 192.168.1.2 netmask 255.255.255.0
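# Reboot so the new kernel command line and module settings are active.
reboot

# Munin node and its plugin set.
apt install munin-node
rm -f -- /etc/munin/plugins/ntp_* /etc/munin/plugins/swap

# Third-party plugin from munin-monitoring/contrib. It is fetched from a moving
# branch with no integrity check and then executed by munin-node, so do not
# write it straight into the plugin directory: download to a temp file, read
# it, then install. Pin the URL to a commit rather than master and record that
# revision's sha256 here once reviewed:
#   expected_sha256='<SHA256_OF_REVIEWED_PLUGIN>'   # placeholder — fill in
plugin_url='https://raw.githubusercontent.com/munin-monitoring/contrib/master/plugins/systemd/systemd_units'
plugin_tmp=$(mktemp) || exit 1
wget -O "$plugin_tmp" "$plugin_url" || { rm -f -- "$plugin_tmp"; exit 1; }
sha256sum "$plugin_tmp"
less "$plugin_tmp"
install -m 0755 -- "$plugin_tmp" /etc/munin/plugins/systemd_units
rm -f -- "$plugin_tmp"

# Rename the if_enp4s0 plugin links to if_eth0 if needed.
ln -s /usr/share/munin/plugins/bind9 /etc/munin/plugins/
ln -s /usr/share/munin/plugins/ipmi_sensor_ /etc/munin/plugins/ipmi_sensor_u_volts
ln -s /usr/share/munin/plugins/sensors_ /etc/munin/plugins/sensors_fan
ln -s /usr/share/munin/plugins/sensors_ /etc/munin/plugins/sensors_temp
ln -s /usr/share/munin/plugins/fw_conntrack /etc/munin/plugins/
ln -s /usr/share/munin/plugins/smart_ /etc/munin/plugins/smart_sda
ln -s /usr/share/munin/plugins/tcp /etc/munin/plugins/

# Smoke-test every installed plugin once (timed, in a subshell so the cwd
# change does not leak).
( cd /etc/munin/plugins || exit 1; time for p in *; do munin-run "$p"; done )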
allow ^185\.61\.116\.41$
[bind9]
group bind
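# Pick up the plugin changes made above.
service munin-node restart

# Drop packages that are useless on a headless router: documentation, spell
# checkers, X authentication, and os-prober (its grub.d generator was disabled
# earlier on this page).
apt autoremove --purge os-prober doc-debian doc-debian-fr debian-faq ispell laptop-detect wamerican wfrench xauth

# Mount point for the bind9 query-log tmpfs (see the fstab line on this page);
# -p keeps the step safe to re-run.
mkdir -p /var/log/bind9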
none /var/log/bind9 tmpfs uid=bind,gid=bind,mode=0750,size=30m 0 0
include "/etc/bind/zones.rfc1918"; acl internals { 127.0.0.0/8; 172.16.0.0/16; 185.131.40.0/22; fe80::/12; 2a03:a0a0::/32; }; logging { channel query { file "/var/log/bind9/query.log" versions 2 size 10m; print-time yes; severity info; }; category queries { query; }; };
# 2018-04-04 lpo personnalisation pour CHD #listen-on-v6 { any; }; listen-on-v6 { fe80::31%br1; }; listen-on { 127.0.0.1; 172.16.0.254; 185.131.40.1; }; version none; allow-query { internals; }; allow-recursion { internals; }; memstatistics-file "/var/log/bind9/bind.stats"; max-cache-size 384m;
search chd.sx nameserver 185.131.40.1
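# Restart bind9 with the new configuration; stop here if that fails rather
# than listing a log left over from the previous run.
service bind9 restart || exit 1

# Confirm the query log is being written on the tmpfs (owner, mode and size
# are what matter, hence -l).
ls -l -- /var/log/bind9/query.log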
[Service] TTYVTDisallocate=no
[Unit] Description=Setup routing at boot time After=network.target [Service] Type=oneshot ExecStart=/root/setup_routing.sh log_run [Install] WantedBy=multi-user.target
# Run the setup_routing unit defined on this page at every boot. "enable"
# only wires it into multi-user.target; it does not start it now.
systemctl enable setup_routing.service
_ _ _ _ ___| |__ __| | ___| |_ __ _/ | / __| '_ \ / _` |_____/ __| __/ _` | | | (__| | | | (_| |_____\__ \ || (_| | | \___|_| |_|\__,_| |___/\__\__, |_| |___/ chd-stg1.chd.sx
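# Root shell profile (~/.bashrc style). On the wiki everything sat on the
# commented first line, so none of it took effect; restored one statement per
# line, backticks replaced by $(...).

# Colorised ls and the usual shortcuts.
export LS_OPTIONS='--color=auto'
eval "$(dircolors)"
# $LS_OPTIONS is expanded when the alias is used, so it stays single-quoted.
alias ls='ls $LS_OPTIONS'
alias ll='ls $LS_OPTIONS -l'
alias l='ls $LS_OPTIONS -lA'

# Some more aliases to avoid making mistakes:
alias rm='rm -i'
alias cp='cp -i'
alias mv='mv -i'

# Commands typed with a leading space are kept out of the history (useful
# when a secret has to go on the command line).
export HISTIGNORE=' *'

# Networking-related journal: everything from the first ifup line onward,
# filtered to ifup / kernel / setup_routing messages.
alias journalnet="journalctl | awk '/ifup/ { out=1 } / (ifup|kernel|setup_routing)/{if (out==1) { print \$0 } }' | less"

# At login, point out failed units and how to dig into the network boot logs.
systemctl is-system-running --quiet || {
  systemctl --state=failed
  echo >&2
  echo "Use 'journalnet' for networking + related kernel and script logs" >&2
}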
interface: br1 max-bandwidth: 10M hide-source: yes dns-resolution: no
syn on
/etc/fail2ban/ ├── action.d │ └── route.conf ├── fail2ban.conf ├── fail2ban.d ├── filter.d │ ├── common.conf │ ├── pam-generic.conf │ └── sshd.conf ├── jail.conf ├── jail.conf.lpo ├── jail.d │ ├── customisation.local │ └── defaults-debian.conf ├── paths-common.conf ├── paths-debian.conf └── paths-opensuse.conf
[DEFAULT] maxretry = 3 banaction_allports = route [sshd] enabled = true banaction = %(banaction_allports)s [pam-generic] enabled = true
[Init] #blocktype = unreachable blocktype = blackhole
configurer munin/multiping VM chd-stg2 en d9 "vierge" tester interfaces, max nfconntrack, genconf, fail2ban, nullmailer voir si cpufreq par défaut est ok ou pas netconsole config apt remove --purge isc-dhcp-dhclient isc-dhcp-common lldp à recompiler backup borg mailer + mail alert (smartmontools/logcheck ?) Point de montage pour /var/lib/libvirt/images/