一、环境准备:
操作系统:linux7.1——64
安装好操作系统(将防火墙 selinux关闭)
1、配置系统软件包环境
#yum –y install vim net-tools
#默认centos7.0最小化安装没有ifconfig net-tools生成ifconfig
2、安装依赖软件包
yum-y install createrepo httpd mkisofs python-netaddr python-urlgrabber rsyncsyslinux tftp-server yum-utils mod_ssl mod_wsgi git make python-develpython-setuptools fence-agents pykickstart dhcp rpm-build edpatch perl-Compress-Zlib perl-libwww-perl perl-Digest-SHA
二、开始安装cobbler2.6.9
1.安装PyYAML 下载地址: http://pyyaml.org/download/pyyaml/PyYAML-3.11.tar.gz #tar -zxvf PyYAML-3.11.tar.gz -C /usr/src/ #cd /usr/src/PyYAML-3.11/ #python setup.py install 2.安装Django 下载地址: https://pypi.python.org/packages/source/D/Django/Django-1.8.4.tar.gz #tar -zxvf Django-1.8.4.tar.gz -C /usr/src/ #cd /usr/src/Django-1.8.4 #python setup.py install 3.安装Markdown 下载地址: https://pypi.python.org/packages/source/M/Markdown/Markdown-2.6.2.tar.gz # tar –zxvf Markdown-2.6.2.tar.gz –C/usr/src/ #cd /usr/src/Markdown-2.6.2 #python setup.py install 4.安装Cheetah 下载地址: https://pypi.python.org/packages/source/C/Cheetah/Cheetah-2.4.4.tar.gz #tar –zxvf Cheetah-2.4.4.tar.gz –C /usr/src #cd /usr/src/Cheetah-2.4.4 #python setup.py install 5.安装simplejson 下载地址:https://pypi.python.org/packages/source/s/simplejson/simplejson-3.8.0.tar.gz # tar –zxvf simplejson-3.8.0.tar.gz #cd /usr/src/simplejson-3.8.0/ #python setup.py install 6.安装cobbler 下载地址: https://github.com/cobbler/cobbler/releases/tag/v2.6.9 #tar –zxvf cobbler-2.6.9.tar.gz -d/usr/src #cd /usr/src/cobbler-2.6.9 # make && make install #mkdir /var/www/cobbler/web #mkdir -p /srv/www/cobbler/svc #makewebtest
----以上软件包,我已经上传共享网盘,大家可以下载:http://pan.baidu.com/s/1boX7BGz
三、配置cobbler
1.配置cobbler
修改cobbler的Server配置文件 vim /etc/cobbler/settings 242 manage_dhcp: 1 261 manage_rsync: 1 272 next_server: 192.168.0.1 (IP修改成本机地址) 384 server: 192.168.0.1 (IP修改成本机地址) (配置开机登录密码) #openssl passwd -1 -salt 'root' '11111111' #root用户名,11111111是系统登录密码 (修改/etc/cobbler/settings文件) 101 default_password_crypted: " $1$root$46Dy7n8T8GRp0Mont0Mcw1"
2.配置dhcpd /etc/cobbler/dhcp.template
subnet 192.168.2.0 netmask 255.255.255.0 { (添加作用域) option routers 192.168.2.100; (dhcp主机地址) option domain-name-servers 192.168.2.100; option subnet-mask 255.255.255.0; range dynamic-bootp 192.168.2.110 192.168.2.254; (要分配IP地址池) default-lease-time 21600; max-lease-time 43200; next-server $next_server; class "pxeclients" { match if substring (option vendor-class-identifier, 0, 9) = "PXEClient"; if option pxe-system-type = 00:02 { filename "ia64/elilo.efi"; } else if option pxe-system-type = 00:06 { filename "grub/grub-x86.efi"; } else if option pxe-system-type = 00:07 { filename "grub/grub-x86_64.efi"; } else { filename "pxelinux.0"; } } }
3、修改/etc/cobbler/tftpd.template文件
[root@localhost ~]# vi /etc/cobbler/tftpd.template # default: off # description: The tftp server serves files using the trivial file transfer \ # protocol. The tftp protocol is often used to boot diskless \ # workstations, download configuration files to network-aware printers, \ # and to start the installation process for some operating systems. service tftp { disable = yes (改为no) socket_type = dgram protocol = udp wait = yes user = $user server = $binary server_args = -B 1380 -v -s $args per_source = 11 cps = 100 2 flags = IPv4 } #systemctl restart cobblerd ---启动cobbler get-loaders下载(需要开公网,如果没有开通公网就按照下面的方法将文件导入相关目录) [root@localhost ~]# cobbler get-loaders task started (id=Download Bootloader Content, time=Fri May 27 10:06:42 2016) downloading http://cobbler.github.com/loaders/README to /var/lib/cobbler/loaders/README downloading http://cobbler.github.com/loaders/COPYING.elilo to /var/lib/cobbler/loaders/COPYING.elilo downloading http://cobbler.github.com/loaders/COPYING.yaboot to /var/lib/cobbler/loaders/COPYING.yaboot downloading http://cobbler.github.com/loaders/COPYING.syslinux to /var/lib/cobbler/loaders/COPYING.syslinux downloading http://cobbler.github.com/loaders/elilo-3.8-ia64.efi to /var/lib/cobbler/loaders/elilo-ia64.efi downloading http://cobbler.github.com/loaders/yaboot-1.3.17 to /var/lib/cobbler/loaders/yaboot downloading http://cobbler.github.com/loaders/pxelinux.0-3.86 to /var/lib/cobbler/loaders/pxelinux.0 downloading http://cobbler.github.com/loaders/menu.c32-3.86 to /var/lib/cobbler/loaders/menu.c32 downloading http://cobbler.github.com/loaders/grub-0.97-x86.efi to /var/lib/cobbler/loaders/grub-x86.efi downloading http://cobbler.github.com/loaders/grub-0.97-x86_64.efi to /var/lib/cobbler/loaders/grub-x86_64.efi *** TASK COMPLETE ***
注意:上面这些文件我已经下载好,就在上面共享的文件里面,文件是loaders.zip,解压出来将里面的东西拷贝到/var/lib/cobbler/loaders/目录下即可
4、查看cobbler check (检查环境是否满足要求)
[root@localhost ~]# cobbler check The following are potential configuration items that you may want to fix: 1 : debmirror package is not installed, it will be required to manage debian deployments and repositories (这个错误可以忽略) Restart cobblerd and then run 'cobbler sync' to apply changes.
5、重启cobbler和dhcp,httpd等
systemctl start httpd.service
cobbler sync
6、导入ISO镜像
首先上传ISO镜像并挂载到 /test 目录下
mount -o loop /root/rhel-server-7.1-x86_64-dvd /test
然后执行:cobbler import --path=/test/ --name=linux7.1 --arch=x86_64
7、查看cobbler默认使用的ks引导文件
[root@localhost ~]# cobbler report
Kickstart : /var/lib/cobbler/kickstarts/sample_end.ks (默认使用的这个文件,)
##########################################################################################################################
8、修改适合自己的ks文件,修改sample_end.ks 文件即可(修改前做好备份)
修改好的文件如下(可以根据自己的需要更改配置文件,务必将安全加固配置也做好!):
[root@localhost ~]# cat /var/lib/cobbler/kickstarts/sample_end.ks # kickstart template for Fedora 8 and later. # (includes %end blocks) # do not use with earlier distros #platform=x86, AMD64, or Intel EM64T # System authorization information auth --useshadow --enablemd5 # System bootloader configuration bootloader --location=mbr # Partition clearing information clearpart --all --initlabel # Use text mode install text # Firewall configuration firewall --disable # Run the Setup Agent on first boot firstboot --disable # System keyboard keyboard us # System language lang en_US # Use network installation url --url=$tree # If any cobbler repo definitions were referenced in the kickstart profile, include them here. $yum_repo_stanza # Network information $SNIPPET('network_config') # Reboot after installation reboot #Root password rootpw --iscrypted $default_password_crypted # SELinux configuration selinux --disabled # Do not configure the X Window System skipx # System timezone timezone Asia/Shanghai # Install OS instead of upgrade install # Clear the Master Boot Record zerombr clearpart --all clearpart --none --initlabel # Disk partitioning information part /boot --fstype="xfs" --ondisk=sda --size=500 part pv.10 --fstype="lvmpv" --ondisk=sda --size=35000 volgroup rootvg --pesize=4096 pv.10 logvol /var --fstype="xfs" --size=5000 --name=var --vgname=rootvg logvol / --fstype="xfs" --size=10000 --name=root --vgname=rootvg logvol swap --fstype="swap" --size=500 --name=swap --vgname=rootvg logvol /usr --fstype="xfs" --size=5000 --name=usr --vgname=rootvg %pre $SNIPPET('log_ks_pre') $SNIPPET('kickstart_start') $SNIPPET('pre_install_network_config') # Enable installation monitoring $SNIPPET('pre_anamon') %end %packages @base @core @desktop-debugging @development @dial-up @fonts @gnome-desktop @guest-agents @guest-desktop-agents @input-methods @internet-browser @kde-desktop @multimedia @print-client @security-tools @x11 kexec-tools %end %post --nochroot $SNIPPET('log_ks_post_nochroot') %end %post $SNIPPET('log_ks_post') # Start yum configuration $yum_config_stanza # End yum configuration $SNIPPET('post_install_kernel_options') $SNIPPET('post_install_network_config') $SNIPPET('func_register_if_enabled') $SNIPPET('download_config_files') $SNIPPET('koan_environment') $SNIPPET('redhat_register') $SNIPPET('cobbler_register') # Enable post-install boot notification $SNIPPET('post_anamon') # Start final steps $SNIPPET('kickstart_done') # End final steps #system security setting for RHEL6 # Change default runlevel to 3 sed -i 's/id:[0-5]:/id:3:/' /etc/inittab #Add mantinance user groupadd admin groupadd test groupadd -g 402 test2 usermod -G wheel root useradd -g admin -G wheel admin useradd -g test -G adm test useradd -u 402 -g 402 -G wheel test2 echo '122234' |passwd --stdin admin1 echo '1234445' |passwd --stdin test2 echo '1233444' |passwd --stdin test echo export PATH=. >> /home/test/.bash_profile ln -s /bin/bash /bin/rbash cp /bin/su /home/test/su chmod 4755 /home/test/su touch /var/spool/cron/unionmon cp /etc/login.defs /etc/login.defs`date +%Y%m%d` # Security hardening for /etc/issue rm -rf /etc/issue /etc/issue.net # Security hardening for /etc/profile sed -i -e 's/umask 002/umask 027/' -e 's/umask 022/umask 027/' /etc/profile echo 'HISTSIZE=1000' >> /etc/profile echo 'HISTFILESIZE=1000' >> /etc/profile echo 'export HISTTIMEFORMAT="%Y%m%d-%H%M%S: "' >> /etc/profile echo "export TMOUT=120" >> /etc/profile echo "PS1=`whoami`@`hostname`$'[$PWD]'" >> /etc/profile # Security hardening for /etc/login.defs cp /etc/login.defs /etc/login.defs`date +%Y%m%d` sed -i "s/^PASS_MIN_LEN.*/PASS_MIN_LEN 8/" /etc/login.defs sed '6d' /etc/pam.d/su echo "auth required pam_wheel.so use_uid" >> /etc/pam.d/su # Security hardening for PAM related sed -i 's/pam_cracklib.so.*/pam_cracklib.so try_first_pass retry=3 minlen=8 lcredit=-1 ucredit=-1 dcredit=-1 ocredit=-1 difok=3/' /etc/pam.d/system-auth sed -i 's/pam_unix.so sha512/pam_unix.so sha512 remember=5/' /etc/pam.d/system-auth sed -i 's/pam_cracklib.so.*/pam_cracklib.so try_first_pass retry=3 minlen=8 lcredit=-1 ucredit=-1 dcredit=-1 ocredit=-1 difok=3/' /etc/pam.d/password-auth sed -i 's/pam_unix.so sha512/pam_unix.so sha512 remember=5/' /etc/pam.d/password-auth sed -i 's/^auth.*pam_securetty.so/auth required pam_securetty.so/' /etc/pam.d/login sed -i "s/pam_env.so/&\nauth required pam_tally2.so deny=5 unlock_time=900/g" /etc/pam.d/system-auth # Security hardening for ssh echo "Authorized only. All activity will be monitored and reported." > /etc/ssh/ssh_banner chmod 644 /etc/ssh/ssh_banner sed -i "s/^#PermitRootLogin.*/PermitRootLogin no/" /etc/ssh/sshd_config echo "Banner /etc/ssh/ssh_banner" >> /etc/ssh/sshd_config # Security hardeing best practice: keep all binaries which have setuid bit set find / -xdev -type f -perm +6000 > /etc/ksinstall/sysinfobkg/sidfilelist # Customized settings in /etc/sysctl.conf sed -i -r 's/(kernel.sysrq = ).*/\11/' /etc/sysctl.conf # Customized resource limit settings cp /etc/security/limits.conf /etc/security/limits.conf`date +%Y%m%d` sed -i 's/# End of file/\* soft nproc 65536\n\* hard nproc 65536\n\* soft nofile 65536\n\* hard nofile 65536\n\* soft core 0\n\* hard core 0\n# End of file/' /etc/security/limits.conf sed -i 's/* soft nproc 1024/\* soft nproc 4096\n\* hard nproc 16384/' /etc/security/limits.d/90-nproc.conf systemctl stop chronyd.service systemctl disable chronyd.service # user security echo "umask 027" >> /etc/profile echo "umask 027" >> /etc/csh.login echo "umask 027" >> /etc/csh.cshrc echo "umask 027" >> /etc/bashrc # rsyslog.conf security cp /etc/rsyslog.conf /etc/rsyslog.conf`date +%Y%m%d` echo "authpriv.* /var/log/secure" >> /etc/rsyslog.conf echo "kern.warning;*.err;authpriv.none /var/log/syslog/kern.log" >> /etc/rsyslog.conf echo "*.info;mail.none;authpriv.none;cron.none /var/log/syslog/info.log" >> /etc/rsyslog.conf echo "*.emerg /var/log/syslog/emerg.log" >> /etc/rsyslog.conf echo "local7.* /var/log/syslog/local7.log" >> /etc/rsyslog.conf echo "*.info @132.77.220.74" >> /etc/rsyslog.conf systemctl stop avahi-daemon systemctl disable avahi-daemon systemctl disable telnet.socket systemctl stop telnet.socket systemctl restart xinetd yum -y install telnet >/dev/null yum -y install ntp >/dev/null yum -y install xinetd >/dev/null unlink /etc/systemd/system/default.target ln -sf /lib/systemd/system/graphical.target /etc/systemd/system/default.target reboot %end
上面这个配置文件大家可以作为参考,里面定义了创建用户,安全加固的一些配置,可以根据自己的需要自己适当调整
四、cobbler日常命令
######################################################################### cobbler 常用命令 cobbler check 核对当前设置是否有问题 cobbler list 列出所有的cobbler元素 cobbler report 列出元素的详细信息 cobbler sync 同步配置到数据目录,更改配置最好都要执行下 cobbler reposync 同步yum仓库 cobbler distro 查看导入的发行版系统信息 cobbler system 查看添加的系统信息 cobbler profile 查看配置信息 ############################################################################# cobbler常用配置文件 /etc/cobbler/cobbler_bash /etc/cobbler/completions /etc/cobbler/dhcp.template #dhcp 配置模板。 /etc/cobbler/distro_signatures.json /etc/cobbler/dnsmasq.template #dnsmasq的配置模板。 dnsmasq一个轻量的dhcp与dns转发功能的程序。 /etc/cobbler/import_rsync_whitelist /etc/cobbler/iso/buildiso.template #生成iso文件的模板。cobbler可以以distro来制作iso文件。 /etc/cobbler/modules.conf #cobbler用来管理其它程序的模块或者是引擎。 /etc/cobbler/named.template #named的配置模板, dns我们这里压根就不用安装。 /etc/cobbler/settings #主配置文件。 /etc/cobbler/tftpd.template #tftp配置模板。 /etc/httpd/conf.d/cobbler.conf #httpd的配置文件,用来把/var/www/cobbler目录由httpd输出,也就是可以通过httpd下