script/LXC
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Add some documentations.

Browse Source
This commit is contained in:
Christoph 2021-05-02 23:27:53 +02:00
parent d5533ffb7e
commit fd1058d81c
8 changed files with 1867 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

0
README.docker → DOC/README.docker
View File

4
DOC/README.fuse Normal file
View File

@ -0,0 +1,4 @@
#fuse-overlayfs package installed both on host and inside container
#
lxc.mount.entry = /dev/fuse dev/fuse none bind,create=file 0 0

22
DOC/README.mount_iso Normal file
View File

@ -0,0 +1,22 @@
# - LX Container configuration:
# -
lxc.aa_profile = unconfined
lxc.cgroup.devices.allow = b 7:* rwm
lxc.cgroup.devices.allow = c 10:237 rwm
# - Note!
# - Inside the container, you have to create /dev/loop0
# -
# - sudo mknod /dev/loop0 b 7 0
# - Verify if it works:
# -
# - $ truncate --size 100M my.img
# - $ mkfs.ext4 -F my.img
# - $ sudo mount -o loop,ro my.img /mnt
# - $ ls /mnt
# - lost+found
# - $ sudo umount /mnt
# -

16
DOC/README.postfix_does_not_start Normal file
View File

@ -0,0 +1,16 @@
# - After upgrade from jessie to strech systemd seems to "ignore" the Postfix startup.
# -
# - Also "systemctl start postfix" does not work.
# -
# - I found out that I simply have to reload systemd with
# - systemctl daemon-reload
# -
# - But after reboot, again no psotfix daemon is running
# -
# - Finally the following simple command fixed this problem
# - systemctl enable postfix@-
# -
# - After rebooting, on some systems postfix starts up fine.

269
DOC/etc_sshd_sshd_config Normal file
View File

@ -0,0 +1,269 @@
# Package generated configuration file
# See the sshd_config(5) manpage for details
#-----------------------------
# Daemon
#-----------------------------
# What ports, IPs and protocols we listen for
Port 22
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
#ListenAddress 176.9.117.77
# Specifies the protocol versions sshd(8) supports.
# The possible values are 1 , `2' and 1,2.
# The default is 2.
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
# Lifetime and size of ephemeral version 1 server key
#
# Note:
# Deprecated option KeyRegenerationInterval
# Deprecated option ServerKeyBits
#
#KeyRegenerationInterval 3600
#ServerKeyBits 768
# Specifies the maximum number of concurrent unauthenticated connections
# to the SSH daemon. See sshd_config(5) for specifiing the three colon
# separated values.
# The default is 10.
#MaxStartups 10:30:100
#MaxStartups 3
MaxStartups 10:30:100
# Specifies the maximum number of authentication attempts permitted per
# connection.
# The default is 6.
MaxAuthTries 3
# Specifies the maximum number of open sessions permitted per network
# connection.
# The default is 10.
MaxSessions 10
#-----------------------------
# Authentication
#-----------------------------
# Specifies whether sshd(8) separates privileges by creating an unprivileged
# child process to deal with incoming network traffic.
# The default is "yes" (for security).
UsePrivilegeSeparation yes
# The server disconnects after this time if the user has not
# successfully logged in.
# The default is 120 seconds.
LoginGraceTime 120
# Specifies whether root can log in using ssh(1).
# The default is "yes".
#PermitRootLogin yes
PermitRootLogin without-password
#PermitRootLogin no
# Specifies whether sshd(8) should check file modes and ownership of the
# user's files and home directory before accepting login. This is normally
# desirable because novices sometimes accidentally leave their directory or
# files world-writable. Note that this does not apply to ChrootDirectory,
# whose permissions and ownership are checked unconditionally.
# The default is “yes”.
StrictModes yes
# Specifies whether pure RSA authentication is allowed. This option
# applies to protocol version 1 only.
# The default is “yes”.
#
# Note:
# Deprecated option RSAAuthentication
#
#RSAAuthentication yes
# Specifies whether public key authentication is allowed. Note that this
# option applies to protocol version 2 only.
# The default is “yes”.
PubkeyAuthentication yes
# Specifies the file that contains the public keys that can be used for
# user authentication. The format is described in the AUTHORIZED_KEYS FILE
# FORMAT section of sshd(8).
# AuthorizedKeysFile may contain tokens of the form %T which are substituted
# during connection setup. The following tokens are defined: %% is replaced
# by a literal '%', %h is replaced by the home directory of the user being
# authenticated, and %u is replaced by the username of that user. After
# expansion, AuthorizedKeysFile is taken to be an absolute path or one relative
# to the user's home directory. Multiple files may be listed, separated by
# whitespace.
# The default is “.ssh/authorized_keys .ssh/authorized_keys2”.
#AuthorizedKeysFile %h/.ssh/authorized_keys
# Specifies whether password authentication is allowed.
# Change to no to disable tunnelled clear text passwords
# The default is "yes".
#PasswordAuthentication yes
PasswordAuthentication no
# When password authentication is allowed, it specifies whether the
# server allows login to accounts with empty password strings.
# The default is “no”.
PermitEmptyPasswords no
# Specifies whether challenge-response authentication is allowed (e.g. via PAM).
# The default is “yes”.
ChallengeResponseAuthentication no
# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
#
# Note:
# Deprecated option RhostsRSAAuthentication
#
#RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Specifies whether sshd(8) should ignore the user's ~/.ssh/known_hosts
# during RhostsRSAAuthentication or HostbasedAuthentication.
# The default is “no”.
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes
# If specified, login is allowed only for user names that match one of
# the patterns.
# The allow/deny directives are processed in the following order: DenyUsers,
# AllowUsers, DenyGroups, and finally AllowGroups.
# By default, login is allowed for all users.
#AllowUsers chris cityslang sysadm
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes
# Specifies whether login(1) is used for interactive login sessions.
# Note that login(1) is never used for remote command execution.
# Note also, that if this is enabled, X11Forwarding will be disabled
# because login(1) does not know how to handle xauth(1) cookies. If
# UsePrivilegeSeparation is specified, it will be disabled after
# authentication.
# The default is “no”.
#UseLogin no
#-----------------------------
# Logging
#-----------------------------
# Gives the facility code that is used when logging messages from sshd(8).
# The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2,
# LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.
# The default is AUTH.
SyslogFacility AUTH
# Gives the verbosity level that is used when logging messages from
# sshd(8).
# The default is INFO.
LogLevel INFO
#-----------------------------
# Behavior
#-----------------------------
# Specifies whether the distribution-specified extra version suffix is included
# during initial protocol handshake.
# The default is "yes".
DebianBanner no
# The contents of the specified file are sent to the remote user before
# authentication is allowed.
# By default, no banner is displayed.
#Banner /etc/issue.net
# Specifies whether sshd(8) should print /etc/motd when a user logs in
# interactively. (On some systems it is also printed by the shell,
# /etc/profile, or equivalent.)
# The default is “yes”.
PrintMotd no
# Specifies what environment variables sent by the client will be copied
# into the session's environ(7).
# The default is not to accept any environment variables.
AcceptEnv LANG LC_*
# Configures an external subsystem (e.g. file transfer daemon).
# By default no subsystems are defined.
Subsystem sftp /usr/lib/openssh/sftp-server
# Specifies whether sshd(8) should look up the remote host name and check
# that the resolved host name for the remote IP address maps back to the
# very same IP address.
# The default is “yes”.
UseDNS no
# Specifies whether X11 forwarding is permitted. The argument must be
# “yes” or “no”. See sshd_config(5) for further expalnation
# The default is “no”.
#X11Forwarding yes
# Specifies the first display number available for sshd(8)'s X11
# forwarding. This prevents sshd from interfering with real X11 servers.
# The default is 10.
X11DisplayOffset 10
# Specifies whether the system should send TCP keepalive messages to the
# other side. If they are sent, death of the connection or crash of one
# of the machines will be properly noticed. However, this means
# that connections will die if the route is down temporarily, and some
# people find it annoying. On the other hand, if TCP keepalives are not
# sent, sessions may hang indefinitely on the server, leaving “ghost” users
# and consuming server resources.
#
# The default is “yes” (to send TCP keepalive messages), and the server
# will notice if the network goes down or the client host crashes. This
# avoids infinitely hanging sessions.
TCPKeepAlive yes
#Specifies whether sshd(8) should print the date and time of the last
# user login when a user logs in interactively.
# The default is “yes”.
PrintLastLog yes
#-----------------------------
# Kerberos options
#-----------------------------
#KerberosAuthentication no
#KerberosGetAFSToken no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#-----------------------------
# GSSAPI options
#-----------------------------
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

560
DOC/install_LXC-buster.txt Normal file
View File

@ -0,0 +1,560 @@
#!/usr/bin/env bash
## - On the host-system install "bridge-utils"
## -
apt-get install bridge-utils
## - On the host-system install LXC
## -
apt-get install lxc
apt-get install btrfs-tools lua5.3
## - !! Debian stretch related
## -
## - Konfiguration /etc/security/limits.conf seems not be working together
## - with systemd.
## -
## - One possibility is, setting parameter "DefaultLimitNOFILE" in file
## - /etc/systemd/system.conf. This setting is "world wide".
## -
## - At least that allows me to do my work again but it is obviously not the
## - right solution. I just want to change my own user's limits, not the
## - limits of each and everything.
## -
cp -a /etc/systemd/system.conf /etc/systemd/system.conf.ORIG
perl -i.ORIG -n -p -e "s/(\s*#\s*DefaultLimitNOFILE.*)/\1\nDefaultLimitNOFILE=1048576/" /etc/systemd/system.conf
systemctl daemon-reload
## - Configure your hots-sstem to use a bridge-interface (typically br0)
## - instead of a real one (typically eth0)
## -
## - Replace your network configuration in file /etc/network/interfaces
## - from:
## -
## - auto eth0
## - iface eth0 inet static
## - address <ip-address>
## - netmask <netmask>
## - network <network-address>
## - broadcast <broadcast-address>
## - gateway <gateway-address>
## -
## - to:
## -
## - auto br0
## - iface br0 inet static
## - bridge-ports eth0
## - address <ip-address..>
## - netmask <netmask>
## - network <network-address>
## - broadcast <broadcast-address>
## - gateway <gateway-address>
## - # default route to access subnet
## - #up route add -net <network-address> netmask <netmask> gw <gateway-address> br0
## -
cp -a /etc/network/interfaces /etc/network/interfaces.ORIG
vim /etc/network/interfaces
## - Restart host-system
## -
# ---
# - <lxc name>
# ----
#LXC_ROOT_DIR=/srv/lxc
LXC_ROOT_DIR=/var/lib/lxc
LXC_NAME=<lxc name>
LXC_DIST=debian
LXC_RELEASE=stretch
### Device 1
IPV4_ADDRESS_1=<ipv4-address 1>
IPV4_NETMASK_1=<netmask>
IPV4_BROADCAST_1=<broadcast>
IPV4_GATEWAY_1=<gateway>
IPv4_Prefix=24
## - !! Über das Hetzner Webinterface MAC-Adresse vergeben !!
## -
## - Zufällige MAC Adresse erstellen
## -
## - echo -e "\n\t$(echo -n 00 ; dd bs=1 count=5 if=/dev/random 2>/dev/null | hexdump -v -e '/1 ":%02X"')\n"
## -
#MAC_ADDRESS_1="$(echo -n 00 ; dd bs=1 count=5 if=/dev/random 2>/dev/null | hexdump -v -e '/1 ":%02X"')"
MAC_ADDRESS_1=<mac address 1>
#IPV6_ADDRESS_1=<IPv6-address>
#IPV6_GATEWAY_1=<IPv6-gateway>
#IPv6_Prefix_1=<IPv6-Prefix 1>
### Device 2
IPV4_ADDRESS_2=83.223.86.202
IPV4_NETMASK_2=255.255.255.0
IPV4_BROADCAST_2=83.223.86.255
IPV4_GATEWAY_2="${IPV4_GATEWAY_1}"
IPv4_Prefix_2=24
MAC_ADDRESS_2=00:B4:D5:A0:5F:CE
#IPV6_ADDRESS_2=<IPv6-address 2>
#IPV6_GATEWAY_2=<IPv6-gateway 2>
#IPv6_Prefix_2=<IPv6-Prefix 2>
HOSTNAME=dns0.warenform.de
## - -------------------------------------------------------------------------
lxc-create -n $LXC_NAME -t $LXC_DIST -- --release $LXC_RELEASE --arch amd64
cp ${LXC_ROOT_DIR}/${LXC_NAME}/rootfs/etc/network/interfaces \
${LXC_ROOT_DIR}/${LXC_NAME}/rootfs/etc/network/interfaces.ORIG
touch /var/lib/lxc/${LXC_NAME}/fstab
if [[ -z "$IPV4_ADDRESS_2" ]] ; then
cat << EOF > ${LXC_ROOT_DIR}/${LXC_NAME}/rootfs/etc/network/interfaces
#-----------------------------
# lo: loopback
#-----------------------------
auto lo
iface lo inet loopback
#-----------------------------
# eth0
#-----------------------------
auto eth0
iface eth0 inet manual
iface eth0 inet6 manual
EOF
else
cat << EOF > ${LXC_ROOT_DIR}/${LXC_NAME}/rootfs/etc/network/interfaces
#-----------------------------
# lo: loopback
#-----------------------------
auto lo
iface lo inet loopback
#-----------------------------
# eth0
#-----------------------------
auto eth0
iface eth0 inet manual
up ip route add default via ${IPV4_GATEWAY_1} dev eth0 table 100
up ip rule add from ${IPV4_ADDRESS_1} table 100 prio 100
#-----------------------------
# eth1
#-----------------------------
auto eth1
iface eth1 inet manual
up ip route add default via ${IPV4_GATEWAY_2} dev eth1 table 200
up ip rule add from ${IPV4_ADDRESS_2} table 200 prio 120
EOF
fi
cp ${LXC_ROOT_DIR}/${LXC_NAME}/config ${LXC_ROOT_DIR}/${LXC_NAME}/config.ORIG
cat << EOF > ${LXC_ROOT_DIR}/${LXC_NAME}/config
lxc.rootfs = /var/lib/lxc/${LXC_NAME}/rootfs
# Common configuration
lxc.include = /usr/share/lxc/config/${LXC_DIST}.common.conf
# Container specific configuration
lxc.mount = /var/lib/lxc/${LXC_NAME}/fstab
lxc.utsname = $LXC_NAME
lxc.arch = amd64
lxc.autodev = 1
lxc.kmsg = 0
# Network configuration
### Device 1
lxc.network.type = veth
lxc.network.flags = up
lxc.network.link = br0
lxc.network.name = eth0
lxc.network.hwaddr = $MAC_ADDRESS_1
# IPv4
lxc.network.ipv4 = ${IPV4_ADDRESS_1}/$IPv4_Prefix
lxc.network.ipv4.gateway = ${IPV4_GATEWAY_1}
# IPv6
#lxc.network.ipv6 = ${IPV6_ADDRESS_1}/$IPv6_Prefix_1
#lxc.network.ipv6.gateway = $IPV6_GATEWAY_1
EOF
if [[ -n "$IPV4_ADDRESS_2" ]]; then
cat << EOF >> ${LXC_ROOT_DIR}/${LXC_NAME}/config
### Device 2
lxc.network.type = veth
lxc.network.flags = up
lxc.network.link = br0
lxc.network.name = eth1
lxc.network.hwaddr = $MAC_ADDRESS_2
## IPv4
lxc.network.ipv4 = ${IPV4_ADDRESS_2}/$IPv4_Prefix
## IPv6
#lxc.network.ipv6 = ${IPV6_ADDRESS_2}/$IPv6_Prefix
EOF
fi
cat << EOF >> ${LXC_ROOT_DIR}/${LXC_NAME}/config
# Mount iso file inside LX Container
#lxc.aa_profile = unconfined
#lxc.cgroup.devices.allow = b 7:* rwm
#lxc.cgroup.devices.allow = c 10:237 rwm
# Autostart
lxc.start.auto = 1
lxc.start.delay = 5
lxc.start.order = 100
EOF
## - -------------------------------------------------------------------------
lxc-start -d -n $LXC_NAME
## - Starte eine root shell im neuen Container
## -
lxc-attach -n $LXC_NAME
## - Alternativ: Starte eine Console im neuen Container
## -
## - Bemerkung: Es wird das root-passwort benötigt, welches Teil der
## - Ausgabe des "lxc-create" Befehls am Ende ist
## -
lxc-console -n $LXC_NAME
## - -------------------------------------------------------------------------
## - apt konfiguroren
## - setze in /etc/apt/sources.list
## -
## - deb http://ftp.de.debian.org/debian stretch main contrib non-free
## - deb-src http://ftp.de.debian.org/debian stretch main contrib non-free
## -
## - deb http://security.debian.org/ stretch/updates main contrib non-free
## - deb-src http://security.debian.org/ stretch/updates main contrib non-free
## -
## - ## - formerly: volatile
## - deb ftp://ftp.de.debian.org/debian stretch-updates main contrib
## -
## - # stretch-backports
## - deb http://ftp.de.debian.org/debian stretch-backports main contrib non-free
## -
cat << EOF > /etc/apt/sources.list
deb http://ftp.de.debian.org/debian/ stretch main non-free contrib
deb-src http://ftp.de.debian.org/debian/ stretch main non-free contrib
deb http://security.debian.org/ stretch/updates main contrib non-free
deb-src http://security.debian.org/ stretch/updates main contrib non-free
# stretch-updates, previously known as 'volatile'
deb http://ftp.de.debian.org/debian/ stretch-updates main contrib non-free
deb-src http://ftp.de.debian.org/debian/ stretch-updates main contrib non-free
# stretch-backports, previously on backports.debian.org
deb http://ftp.de.debian.org/debian/ stretch-backports main contrib non-free
deb-src http://ftp.de.debian.org/debian/ stretch-backports main contrib non-free
EOF
## - Update
## -
apt-get update
## - Install/Setup locales
## -
apt-get install locales
dpkg-reconfigure locales
## - take care shadow passwords are enabled
## -
dpkg-reconfigure passwd
/sbin/shadowconfig on
## - Set password for user root
## -
passwd
## - configure time-zone
## -
dpkg-reconfigure tzdata
## - Upgrade System
## -
apt-get upgrade
apt-get -y install openssh-server rssh \
vim vim-common vim-doc mc screen tmux bc figlet \
rcconf sudo rsync dselect iputils-ping apt-utils aptitude apt-transport-https \
zip unzip bzip2 arj \
locate \
curl \
gawk mawk \
lynx links w3m ctags mime-support \
file coreutils moreutils less sipcalc psmisc \
dnsutils rblcheck whois \
gettext gettext-base gettext-doc \
debian-keyring \
patch patchutils \
recode recode-doc librecode0 librecode-dev sharutils \
perl perl-modules perl-doc libperl-dev \
libterm-readline-gnu-perl libterm-readline-perl-perl libterm-readkey-perl \
libmail-imapclient-perl libtime-duration-perl libtimedate-perl \
libwww-perl libpcre3 libio-compress-perl \
re2c util-linux \
parted lshw gdisk smartmontools \
tcpdump telnet unhide lsof hdparm groff iproute2 bridge-utils vlan \
ethtool wipe iperf mtr iptraf \
wget logrotate rsyslog haveged \
rdate ntpdate wipe man \
iptables shellcheck \
ssl-cert ssl-cert-check \
git ftp \
htop \
net-tools lsb-release \
attr acl quota quotatool \
needrestart
# - poppler-utils - PDF-Werkzeuge (auf Basis von Poppler) u.a. pdftotxt
# - catdoc - Konvertierungspromm von Word, Excel und PowerPoint zu Klartext
# -
apt-get install catdoc poppler-utils
## - add more users
adduser chris
adduser defa
## - add user/group back
addgroup --gid 1060 back
adduser --uid 1060 --gid 1060 back
## - user/group sysadm
## -
## - passwd: gHZu81_p
## -
addgroup --gid 1050 sysadm
adduser --uid 1050 --gid 1050 sysadm
## - add new user to group sudo
usermod -a -G sudo chris
usermod -a -G sudo sysadm
usermod -a -G sudo defa
## - warenform specific
## -
#addgroup --gid 1008 webadmin
#mkdir /var/www
#adduser --uid 1008 --gid 1008 --home /var/www/html webadmin
## - Adjust (temporarily) /etc/sshd/sshd_config
## -
## - Set
## - PermitRootLogin yes
## -
cd /etc/ssh
cp -a /etc/ssh/sshd_config /etc/ssh/sshd_config.ORIG
vim sshd_config
systemctl restart ssh
## - Install git repository 'admin-stuff'
## -
mkdir -p /root/bin
cd /root/bin
git clone https://git.oopen.de/script/admin-stuff
## - Copy templates for .bashrc, .profile, .vimrc, .ssh etcpp
## -
hostname=<ipv4-address>
users="chris sysadm back"
for user in $users ; do
cp -a /home/${user}/.bashrc /home/${user}/.bashrc.ORIG
cp -a /home/${user}/.profile /home/${user}/.profile.ORIG
done
cp -a /root/.bashrc /root/.bashrc.ORIG
cp -a /root/.profile /root/.profile.ORIG
cd /home/chris/O.OPEN/Rechner/templates_home/root
scp -r adduser_backup.oopen.sh adduser_defa.sh .bashrc .profile .vimrc bin .ssh root@${hostname}:
cd /home/chris/O.OPEN/Rechner/templates_home/chris
scp -r .bashrc .profile .ssh .vimrc ${hostname}:
scp -r .bashrc .profile .ssh .vimrc back@${hostname}:
scp -r .bashrc .profile .ssh .vimrc sysadm@${hostname}:
cd ~
./adduser_defa.sh
./adduser_backup.oopen.sh
rm adduser_*
## - Coppy sshd_config
## -
cd ~/merke/install/LXC
scp etc_sshd_sshd_config root@${hostname}:/etc/ssh/sshd_config
## - Adjust /etc/resolv.conf
## -
## - search oopen.de
## - nameserver 83.223.66.51
## - nameserver 212.42.230.1
## - nameserver 83.223.90.90
## -
vim /etc/resolv.conf
## - configure sudo
## - add lines:
## -
## - back ALL=(root)NOPASSWD:/usr/bin/rsync
## - back ALL=(root)NOPASSWD:/usr/bin/find
## - back ALL=(root)NOPASSWD:/usr/bin/realpath
## -
## -
visudo
## - NOTICE!!
## -
## - since "sueeze", /bin/sh ist linked to /bin/dash. with that some of my
## - scripts doesn't work. so link back to /bin/bash
## -
## - link /bin/sh to /bin/bash
## -
cd /bin
rm sh
ln -s bash sh
## - install subversion
## -
apt-get install -y subversion subversion-tools # smbclient
## ---------------------------------------------------------------
## - compiler stuff
## -
apt-get install -y g++ g++-multilib gcc gcc-multilib cpp \
make automake autoconf libtool flex bison \
gettext pkg-config gnu-standards \
libssl-dev libreadline-dev libncurses-dev
apt-get install -y libsystemd-dev
## - Packages to build utils-vserver
## -
apt-get install -y libnss3-dev
apt-get install -y python-dev
## - packages to build apache webserver with php5/ruby support
## -
apt-get install -y libdb-dev zlib1g zlib1g-dev libssl-dev \
libneon27-dev
apt-get -y install libxml2 libxml2-dev \
curl libcurl4-openssl-dev \
libqdbm-dev libgdbm-dev libpspell-dev \
libjpeg-dev libpng-dev libxpm-dev libfreetype6-dev \
libwmf-dev libtiff-dev libpaper-dev \
libmagic-dev \
libmagick-dev libgraphics-magick-perl \
libgraphicsmagick++1-dev libgraphicsmagick++3 libgraphicsmagick1-dev \
libgraphviz-dev libgd-dev libcroco3-dev libgsf-1-dev libilmbase-dev \
libvpx-dev vpx-tools \
libgpm-dev libkpathsea-dev libopenexr-dev librsvg2-dev libdjvulibre-dev \
libatm-dev libexpat-dev \
imagemagick graphicsmagick \
exif libexiv2-dev \
re2c \
netpbm libnetpbm10-dev \
libmcrypt-dev mcrypt \
default-libmysqlclient-dev \
libpq-dev postgresql-client \
libreadline-dev libncurses-dev \
libdb5.3 libdb5.3++ libdb5.3++-dev libdb5.3-dev \
libxslt1-dev libpcre3-dev \
libc-client2007e-dev libc-client-dev \
libicu-dev \
libtidy-dev \
libmm-dev libgmp-dev libkrb5-dev libldap-dev \
libmhash-dev libgd-dev \
liblua5.3-dev \
libapr1-dev libaprutil1-dev \
libsctp-dev \
libcrypto++-dev
## - Hinweis: libjasper-dev nicht mehr verfügbar in debian jessie
## -
## - Hinweis: »graphicsmagick-libmagick-dev-compat« wird an Stelle von »libmagick-dev« gewählt
## - Create a symlink
## - /usr/lib/libldap.so -> /usr/lib/x86_64-linux-gnu/libldap.so
ln -s x86_64-linux-gnu/libldap.so /usr/lib/libldap.so
## - if ruby is/will be installed this is needed for rmagick gem
## -
##libmagick++-dev libmagickcore-dev libmagickwand-dev \
## - ffmpeg
## -
apt-get install -y ffmpeg
## - needed for php extension imagick
## -
apt-get install -y libmagickwand-dev
## - needed for php extension geoip
## -
apt-get install -y libgeoip-dev
## - add some tk/tcl stuff
## -
## - tcl tcl-dev tk tk-dev tclreadline
## -
apt-get install -y tk-dev tcl-dev tclreadline
apt-get install -y expect expect-dev libexpect-perl

435
DOC/install_LXC-jessie.txt Normal file
View File

@ -0,0 +1,435 @@
## - On the host-system install "bridge-utils"
## -
apt-get install bridge-utils
## - On the host-system install LXC
## -
apt-get install lxc
apt-get install btrfs-tools lua5.2
## - !! Debian Jessie related
## -
## - Konfiguration /etc/security/limits.conf seems not be working together
## - with systemd.
## -
## - One possibility is, setting parameter "DefaultLimitNOFILE" in file
## - /etc/systemd/system.conf. This setting is "world wide".
## -
## - At least that allows me to do my work again but it is obviously not the
## - right solution. I just want to change my own user's limits, not the
## - limits of each and everything.
## -
perl -i.ORIG -n -p -e "s/(\s*#\s*DefaultLimitNOFILE.*)/\1\nDefaultLimitNOFILE=1048576/" /etc/systemd/system.conf
systemctl daemon-reload
## - Configure your hots-sstem to use a bridge-interface (typically br0)
## - instead of a real one (typically eth0)
## -
## - Replace your network configuration in file /etc/network/interfaces
## - from:
## -
## - auto eth0
## - iface eth0 inet static
## - address <ip-address>
## - netmask <netmask>
## - network <network-address>
## - broadcast <broadcast-address>
## - gateway <gateway-address>
## -
## - to:
## -
## - auto br0
## - iface br0 inet static
## - bridge-ports eth0
## - address <ip-address..>
## - netmask <netmask>
## - network <network-address>
## - broadcast <broadcast-address>
## - gateway <gateway-address>
## - # default route to access subnet
## - #up route add -net <network-address> netmask <netmask> gw <gateway-address> br0
## -
vim /etc/network/interfaces
## - Restart host-system
## -
## - -------------------------------------------------------------------------
## - <lxc-name>
## -
#LXC_ROOT_DIR=/srv/lxc
LXC_ROOT_DIR=/data/lxc
LXC_NAME=<lxc-name>
LXC_DIST=debian
LXC_RELEASE=jessie
IPV4_ADDRESS=<IPv4-address>
IPV4_NETMASK=<IPv4-netmask>
IPV4_BROADCAST=<IPv4-broadcast>
IPV4_GATEWAY=<IPv4-gateway>
IPv4_Prefix=<IPv4-Prefix>
## - !! Über das Hetzner Webinterface MAC-Adresse vergeben !!
MAC_ADDRESS=`echo -n 00 ; dd bs=1 count=5 if=/dev/random 2>/dev/null | hexdump -v -e '/1 ":%02X"'`
#MAC_ADDRESS=<MAC-Address>
#IPV6_ADDRESS=<IPv6-address>
#IPV6_GATEWAY=<IPv6-gateway>
#IPv6_Prefix=<IPv6-Prefix>
HOSTNAME=<Hostname>
## - -------------------------------------------------------------------------
lxc-create -n $LXC_NAME -t $LXC_DIST -- --release $LXC_RELEASE --arch amd64
cp ${LXC_ROOT_DIR}/${LXC_NAME}/rootfs/etc/network/interfaces \
${LXC_ROOT_DIR}/${LXC_NAME}/rootfs/etc/network/interfaces.ORIG
touch /var/lib/lxc/${LXC_NAME}/fstab
cat << EOF > ${LXC_ROOT_DIR}/${LXC_NAME}/rootfs/etc/network/interfaces
#-----------------------------
# lo: loopback
#-----------------------------
auto lo
iface lo inet loopback
#-----------------------------
# eth0
#-----------------------------
auto eth0
iface eth0 inet manual
iface eth0 inet6 manual
EOF
cp ${LXC_ROOT_DIR}/${LXC_NAME}/config ${LXC_ROOT_DIR}/${LXC_NAME}/config.ORIG
cat << EOF > ${LXC_ROOT_DIR}/${LXC_NAME}/config
lxc.rootfs = /var/lib/lxc/${LXC_NAME}/rootfs
# Common configuration
lxc.include = /usr/share/lxc/config/${LXC_DIST}.common.conf
# Container specific configuration
lxc.mount = /var/lib/lxc/${LXC_NAME}/fstab
lxc.utsname = $LXC_NAME
lxc.arch = amd64
lxc.autodev = 1
lxc.kmsg = 0
# Network configuration
lxc.network.type = veth
lxc.network.flags = up
lxc.network.link = br0
lxc.network.hwaddr = $MAC_ADDRESS
# IPv4
lxc.network.ipv4 = ${IPV4_ADDRESS}/$IPv4_Prefix
lxc.network.ipv4.gateway = ${IPV4_GATEWAY}
# IPv6
lxc.network.ipv6 = ${IPV6_ADDRESS}/$IPv6_Prefix
lxc.network.ipv6.gateway = $IPV6_GATEWAY
# Autostart
lxc.start.auto = 1
lxc.start.delay = 5
lxc.start.order = 100
EOF
## - -------------------------------------------------------------------------
lxc-start -d -n $LXC_NAME
## - Starte eine root shell im neuen Container
## -
lxc-attach -n $LXC_NAME
## - Alternativ: Starte eine Console im neuen Container
## -
## - Bemerkung: Es wird das root-passwort benötigt, welches Teil der
## - Ausgabe des "lxc-create" Befehls am Ende ist
## -
lxc-console -n $LXC_NAME
## - -------------------------------------------------------------------------
## - apt konfiguroren
## - setze in /etc/apt/sources.list
## -
## - deb http://ftp.de.debian.org/debian jessie main contrib non-free
## - deb-src http://ftp.de.debian.org/debian jessie main contrib non-free
## -
## - deb http://security.debian.org/ jessie/updates main contrib non-free
## - deb-src http://security.debian.org/ jessie/updates main contrib non-free
## -
## - ## - formerly: volatile
## - deb ftp://ftp.de.debian.org/debian jessie-updates main contrib
## -
## - # jessie-backports
## - deb http://ftp.de.debian.org/debian jessie-backports main contrib non-free
## -
cat << EOF > /etc/apt/sources.list
deb http://ftp.de.debian.org/debian/ jessie main non-free contrib
deb-src http://ftp.de.debian.org/debian/ jessie main non-free contrib
deb http://security.debian.org/ jessie/updates main contrib non-free
deb-src http://security.debian.org/ jessie/updates main contrib non-free
# jessie-updates, previously known as 'volatile'
deb http://ftp.de.debian.org/debian/ jessie-updates main contrib non-free
deb-src http://ftp.de.debian.org/debian/ jessie-updates main contrib non-free
# jessie-backports, previously on backports.debian.org
deb http://ftp.de.debian.org/debian/ jessie-backports main contrib non-free
deb-src http://ftp.de.debian.org/debian/ jessie-backports main contrib non-free
EOF
## - Update
## -
apt-get update
## - Install/Setup locales
## -
apt-get install locales
dpkg-reconfigure locales
## - Install os-upgrade.sh
## -
mkdir -p /root/bin
cat << EOF >> /root/bin/os-upgrade.sh
#!/usr/bin/env bash
apt-get update
apt-get upgrade -y
apt-get clean
exit 0
EOF
chmod 700 /root/bin/os-upgrade.sh
## - Upgrade System
## -
apt-get upgrade
apt-get install -y openssh-server rssh \
vim vim-common vim-doc mc screen tmux bc \
rcconf iproute sudo rsync dselect iputils-ping aptitude \
zip unzip bzip2 arj \
locate \
gawk mawk \
lynx links w3m ctags mime-support \
file coreutils moreutils less realpath sipcalc psmisc \
dnsutils rblcheck whois \
gettext gettext-base gettext-doc \
debian-keyring \
patch patchutils \
recode recode-doc librecode0 librecode-dev sharutils \
perl perl-modules perl-doc libperl-dev \
libterm-readline-gnu-perl libterm-readline-perl-perl libterm-readkey-perl \
libmail-imapclient-perl libtime-duration-perl libtimedate-perl \
libwww-perl libpcre3 libio-compress-perl \
re2c util-linux \
parted lshw gdisk smartmontools \
tcpdump telnet unhide lsof groff iproute bridge-utils vlan \
ethtool wipe iperf mtr iptraf \
wget logrotate rsyslog haveged \
ntpdate wipe man groff \
iptables shellcheck \
git
## - take care shadow passwords are enabled
## -
dpkg-reconfigure passwd
/sbin/shadowconfig on
## - configure time-zone
## -
dpkg-reconfigure tzdata
## - add more users
adduser chris
adduser defa
## - add user/group back
addgroup --gid 1020 back
adduser --uid 1020 --gid 1020 back
## - user/group sysadm
## -
## - passwd: gHZu81_p
## -
addgroup --gid 1050 sysadm
adduser --uid 1050 --gid 1050 sysadm
## - add new user tou group (gid) 11
usermod -a -G sudo chris
usermod -a -G sudo sysadm
usermod -a -G sudo defa
## - Copy templates for .bashrc, .profile, .vimrc, .ssh etcpp
## -
hostname=83.223.86.97
cd /home/chris/O.OPEN/Rechner/templates_home/root
scp -r adduser_backup.oopen.sh adduser_defa.sh .bashrc .profile .vimrc bin .ssh root@${hostname}:
cd /home/chris/O.OPEN/Rechner/templates_home/chris
scp -r .bashrc .profile .ssh .vimrc ${hostname}:
scp -r .bashrc .profile .vimrc back@${hostname}:
scp -r .bashrc .profile .ssh .vimrc sysadm@${hostname}:
cd /home/chris/O.OPEN/Rechner/templates_home/root
scp -r adduser_backup.oopen.sh adduser_defa.sh .bashrc .profile .ssh .vimrc root@sympa.oopen.de:
cd ~
./adduser_defa.sh
./adduser_backup.oopen.sh
## - Adjust /etc/sudoers
## -
## - back ALL=(root)NOPASSWD:/usr/bin/rsync
## - back ALL=(root)NOPASSWD:/usr/bin/find
## - back ALL=(root)NOPASSWD:/usr/bin/realpath
## -
visudo
## - Adjust /etc/resolv.conf
## -
## - search warenform.de
## - nameserver 83.223.66.51
## - nameserver 212.42.230.1
## - nameserver 83.223.90.90
## -
vim /etc/resolv.conf
## - NOTICE!!
## -
## - since "sueeze", /bin/sh ist linked to /bin/dash. with that some of my
## - scripts doesn't work. so link back to /bin/bash
## -
## - link /bin/sh to /bin/bash
## -
cd /bin
rm sh
ln -s bash sh
## - install subversion
## -
apt-get install -y subversion subversion-tools # smbclient
## - Install git
## -
apt-get install -y git
## - if package-version of mysql is needed
## -
apt-get install mysql-client-5.5 mysql-common \
mysql-server-5.5 mysql-server-core-5.5
## ---------------------------------------------------------------
## - compiler stuff
## -
apt-get install -y g++ g++-multilib gcc gcc-multilib cpp \
make automake autoconf libtool flex bison \
gettext pkg-config gnu-standards \
libssl-dev libreadline-dev libncurses-dev
apt-get install libsystemd-dev
## - packages to build apache webserver with php5/ruby support
## -
apt-get install -y libdb-dev zlib1g zlib1g-dev libssl-dev \
libneon27-dev
apt-get install -y libxml2 libxml2-dev \
curl libcurl4-openssl-dev \
libqdbm-dev libgdbm-dev libpspell-dev \
libjpeg-dev libpng12-dev libxpm-dev libfreetype6-dev \
libwmf-dev libtiff-dev libjasper-dev libpaper-dev \
libmagic-dev \
libmagick-dev libgraphics-magick-perl \
libgraphicsmagick++1-dev libgraphicsmagick++3 libgraphicsmagick1-dev \
libgraphviz-dev libgd2-xpm-dev libcroco3-dev libgsf-1-dev libilmbase-dev \
libvpx-dev libvpx1 vpx-tools \
libgpm-dev libkpathsea-dev libopenexr-dev librsvg2-dev libdjvulibre-dev \
libatm-dev libexpat-dev \
imagemagick graphicsmagick \
re2c \
exif libexiv2-dev \
netpbm libnetpbm10-dev \
libmcrypt-dev mcrypt \
libmysqlclient-dev mysql-client \
libpq-dev postgresql-client \
libreadline-dev libncurses-dev \
libdb5.3 libdb5.3++ libdb5.3++-dev libdb5.3-dev \
libxslt1-dev libpcre3-dev \
libc-client2007e-dev libc-client-dev \
libicu-dev \
libtidy-dev \
libmm-dev libgmp-dev libkrb5-dev libldap-dev \
libmhash-dev libgd-dev \
libapr1-dev libaprutil1-dev \
liblua5.1-0 liblua5.1-0-dev \
libsctp-dev \
libcrypto++-dev
## - So create a symlink
## - /usr/lib/libldap.so -> /usr/lib/x86_64-linux-gnu/libldap.so
ln -s x86_64-linux-gnu/libldap.so /usr/lib/libldap.so
## - Hinweis: libt1-dev nicht mehr verfügbar in debian jessie
## - Hinweis: »graphicsmagick-libmagick-dev-compat« wird an Stelle von »libmagick-dev« gewählt
## - if ruby is/will be installed this is needed for rmagick gem
## -
##libmagick++-dev libmagickcore-dev libmagickwand-dev \
## - needed for php extension imagick
## -
apt-get install -y libmagickwand-dev
## - needed for php extension geoip
## -
apt-get install -y libgeoip-dev
## - add some tk/tcl stuff
## -
## - tcl tcl-dev tk tk-dev tclreadline
## -
apt-get install -y tk-dev tcl-dev tclreadline
apt-get install -y expect expect-dev libexpect-perl

561
DOC/install_LXC-stretch.txt Normal file
View File

@ -0,0 +1,561 @@
#!/usr/bin/env bash
## - On the host-system install "bridge-utils"
## -
apt-get install bridge-utils
## - On the host-system install LXC
## -
apt-get install lxc
apt-get install btrfs-tools lua5.3
## - !! Debian stretch related
## -
## - Konfiguration /etc/security/limits.conf seems not be working together
## - with systemd.
## -
## - One possibility is, setting parameter "DefaultLimitNOFILE" in file
## - /etc/systemd/system.conf. This setting is "world wide".
## -
## - At least that allows me to do my work again but it is obviously not the
## - right solution. I just want to change my own user's limits, not the
## - limits of each and everything.
## -
cp -a /etc/systemd/system.conf /etc/systemd/system.conf.ORIG
perl -i.ORIG -n -p -e "s/(\s*#\s*DefaultLimitNOFILE.*)/\1\nDefaultLimitNOFILE=1048576/" /etc/systemd/system.conf
systemctl daemon-reload
## - Configure your hots-sstem to use a bridge-interface (typically br0)
## - instead of a real one (typically eth0)
## -
## - Replace your network configuration in file /etc/network/interfaces
## - from:
## -
## - auto eth0
## - iface eth0 inet static
## - address <ip-address>
## - netmask <netmask>
## - network <network-address>
## - broadcast <broadcast-address>
## - gateway <gateway-address>
## -
## - to:
## -
## - auto br0
## - iface br0 inet static
## - bridge-ports eth0
## - address <ip-address..>
## - netmask <netmask>
## - network <network-address>
## - broadcast <broadcast-address>
## - gateway <gateway-address>
## - # default route to access subnet
## - #up route add -net <network-address> netmask <netmask> gw <gateway-address> br0
## -
cp -a /etc/network/interfaces /etc/network/interfaces.ORIG
vim /etc/network/interfaces
## - Restart host-system
## -
# ---
# - <lxc name>
# ----
#LXC_ROOT_DIR=/srv/lxc
LXC_ROOT_DIR=/var/lib/lxc
LXC_NAME=<lxc name>
LXC_DIST=debian
LXC_RELEASE=stretch
### Device 1
IPV4_ADDRESS_1=<ipv4-address 1>
IPV4_NETMASK_1=<netmask>
IPV4_BROADCAST_1=<broadcast>
IPV4_GATEWAY_1=<gateway>
IPv4_Prefix=24
## - !! Über das Hetzner Webinterface MAC-Adresse vergeben !!
## -
## - Zufällige MAC Adresse erstellen
## -
## - echo -e "\n\t$(echo -n 00 ; dd bs=1 count=5 if=/dev/random 2>/dev/null | hexdump -v -e '/1 ":%02X"')\n"
## -
#MAC_ADDRESS_1="$(echo -n 00 ; dd bs=1 count=5 if=/dev/random 2>/dev/null | hexdump -v -e '/1 ":%02X"')"
MAC_ADDRESS_1=<mac address 1>
#IPV6_ADDRESS_1=<IPv6-address>
#IPV6_GATEWAY_1=<IPv6-gateway>
#IPv6_Prefix_1=<IPv6-Prefix 1>
### Device 2
IPV4_ADDRESS_2=83.223.86.202
IPV4_NETMASK_2=255.255.255.0
IPV4_BROADCAST_2=83.223.86.255
IPV4_GATEWAY_2="${IPV4_GATEWAY_1}"
IPv4_Prefix_2=24
MAC_ADDRESS_2=00:B4:D5:A0:5F:CE
#IPV6_ADDRESS_2=<IPv6-address 2>
#IPV6_GATEWAY_2=<IPv6-gateway 2>
#IPv6_Prefix_2=<IPv6-Prefix 2>
HOSTNAME=dns0.warenform.de
## - -------------------------------------------------------------------------
lxc-create -n $LXC_NAME -t $LXC_DIST -- --release $LXC_RELEASE --arch amd64
cp ${LXC_ROOT_DIR}/${LXC_NAME}/rootfs/etc/network/interfaces \
${LXC_ROOT_DIR}/${LXC_NAME}/rootfs/etc/network/interfaces.ORIG
touch /var/lib/lxc/${LXC_NAME}/fstab
if [[ -z "$IPV4_ADDRESS_2" ]] ; then
cat << EOF > ${LXC_ROOT_DIR}/${LXC_NAME}/rootfs/etc/network/interfaces
#-----------------------------
# lo: loopback
#-----------------------------
auto lo
iface lo inet loopback
#-----------------------------
# eth0
#-----------------------------
auto eth0
iface eth0 inet manual
iface eth0 inet6 manual
EOF
else
cat << EOF > ${LXC_ROOT_DIR}/${LXC_NAME}/rootfs/etc/network/interfaces
#-----------------------------
# lo: loopback
#-----------------------------
auto lo
iface lo inet loopback
#-----------------------------
# eth0
#-----------------------------
auto eth0
iface eth0 inet manual
up ip route add default via ${IPV4_GATEWAY_1} dev eth0 table 100
up ip rule add from ${IPV4_ADDRESS_1} table 100 prio 100
#-----------------------------
# eth1
#-----------------------------
auto eth1
iface eth1 inet manual
up ip route add default via ${IPV4_GATEWAY_2} dev eth1 table 200
up ip rule add from ${IPV4_ADDRESS_2} table 200 prio 120
EOF
fi
cp ${LXC_ROOT_DIR}/${LXC_NAME}/config ${LXC_ROOT_DIR}/${LXC_NAME}/config.ORIG
cat << EOF > ${LXC_ROOT_DIR}/${LXC_NAME}/config
lxc.rootfs = /var/lib/lxc/${LXC_NAME}/rootfs
# Common configuration
lxc.include = /usr/share/lxc/config/${LXC_DIST}.common.conf
# Container specific configuration
lxc.mount = /var/lib/lxc/${LXC_NAME}/fstab
lxc.utsname = $LXC_NAME
lxc.arch = amd64
lxc.autodev = 1
lxc.kmsg = 0
# Network configuration
### Device 1
lxc.network.type = veth
lxc.network.flags = up
lxc.network.link = br0
lxc.network.name = eth0
lxc.network.hwaddr = $MAC_ADDRESS_1
# IPv4
lxc.network.ipv4 = ${IPV4_ADDRESS_1}/$IPv4_Prefix
lxc.network.ipv4.gateway = ${IPV4_GATEWAY_1}
# IPv6
#lxc.network.ipv6 = ${IPV6_ADDRESS_1}/$IPv6_Prefix_1
#lxc.network.ipv6.gateway = $IPV6_GATEWAY_1
EOF
if [[ -n "$IPV4_ADDRESS_2" ]]; then
cat << EOF >> ${LXC_ROOT_DIR}/${LXC_NAME}/config
### Device 2
lxc.network.type = veth
lxc.network.flags = up
lxc.network.link = br0
lxc.network.name = eth1
lxc.network.hwaddr = $MAC_ADDRESS_2
## IPv4
lxc.network.ipv4 = ${IPV4_ADDRESS_2}/$IPv4_Prefix
## IPv6
#lxc.network.ipv6 = ${IPV6_ADDRESS_2}/$IPv6_Prefix
EOF
fi
cat << EOF >> ${LXC_ROOT_DIR}/${LXC_NAME}/config
# Mount iso file inside LX Container
#lxc.aa_profile = unconfined
#lxc.cgroup.devices.allow = b 7:* rwm
#lxc.cgroup.devices.allow = c 10:237 rwm
# Autostart
lxc.start.auto = 1
lxc.start.delay = 5
lxc.start.order = 100
EOF
## - -------------------------------------------------------------------------
lxc-start -d -n $LXC_NAME
## - Starte eine root shell im neuen Container
## -
lxc-attach -n $LXC_NAME
## - Alternativ: Starte eine Console im neuen Container
## -
## - Bemerkung: Es wird das root-passwort benötigt, welches Teil der
## - Ausgabe des "lxc-create" Befehls am Ende ist
## -
lxc-console -n $LXC_NAME
## - -------------------------------------------------------------------------
## - apt konfiguroren
## - setze in /etc/apt/sources.list
## -
## - deb http://ftp.de.debian.org/debian stretch main contrib non-free
## - deb-src http://ftp.de.debian.org/debian stretch main contrib non-free
## -
## - deb http://security.debian.org/ stretch/updates main contrib non-free
## - deb-src http://security.debian.org/ stretch/updates main contrib non-free
## -
## - ## - formerly: volatile
## - deb ftp://ftp.de.debian.org/debian stretch-updates main contrib
## -
## - # stretch-backports
## - deb http://ftp.de.debian.org/debian stretch-backports main contrib non-free
## -
cat << EOF > /etc/apt/sources.list
deb http://ftp.de.debian.org/debian/ stretch main non-free contrib
deb-src http://ftp.de.debian.org/debian/ stretch main non-free contrib
deb http://security.debian.org/ stretch/updates main contrib non-free
deb-src http://security.debian.org/ stretch/updates main contrib non-free
# stretch-updates, previously known as 'volatile'
deb http://ftp.de.debian.org/debian/ stretch-updates main contrib non-free
deb-src http://ftp.de.debian.org/debian/ stretch-updates main contrib non-free
# stretch-backports, previously on backports.debian.org
deb http://ftp.de.debian.org/debian/ stretch-backports main contrib non-free
deb-src http://ftp.de.debian.org/debian/ stretch-backports main contrib non-free
EOF
## - Update
## -
apt-get update
## - Install/Setup locales
## -
apt-get install locales
dpkg-reconfigure locales
## - take care shadow passwords are enabled
## -
dpkg-reconfigure passwd
/sbin/shadowconfig on
## - Set password for user root
## -
passwd
## - configure time-zone
## -
dpkg-reconfigure tzdata
## - Upgrade System
## -
apt-get upgrade
apt-get -y install openssh-server rssh \
vim vim-common vim-doc mc screen tmux bc figlet \
rcconf sudo rsync dselect iputils-ping apt-utils aptitude apt-transport-https \
zip unzip bzip2 arj \
locate \
curl \
gawk mawk \
lynx links w3m ctags mime-support \
file coreutils moreutils less realpath sipcalc psmisc \
dnsutils rblcheck whois \
gettext gettext-base gettext-doc \
debian-keyring \
patch patchutils \
recode recode-doc librecode0 librecode-dev sharutils \
perl perl-modules perl-doc libperl-dev \
libterm-readline-gnu-perl libterm-readline-perl-perl libterm-readkey-perl \
libmail-imapclient-perl libtime-duration-perl libtimedate-perl \
libwww-perl libpcre3 libio-compress-perl \
re2c util-linux \
parted lshw gdisk smartmontools \
tcpdump telnet unhide lsof hdparm groff iproute2 bridge-utils vlan \
ethtool wipe iperf mtr iptraf \
wget logrotate rsyslog haveged \
rdate ntpdate wipe man \
iptables shellcheck \
ssl-cert ssl-cert-check \
git ftp \
htop \
net-tools lsb-release \
attr acl quota quotatool \
needrestart
# - poppler-utils - PDF-Werkzeuge (auf Basis von Poppler) u.a. pdftotxt
# - catdoc - Konvertierungspromm von Word, Excel und PowerPoint zu Klartext
# -
apt-get install catdoc poppler-utils
## - add more users
adduser chris
adduser defa
## - add user/group back
addgroup --gid 1020 back
adduser --uid 1020 --gid 1020 back
## - user/group sysadm
## -
## - passwd: gHZu81_p
## -
addgroup --gid 1050 sysadm
adduser --uid 1050 --gid 1050 sysadm
## - add new user to group sudo
usermod -a -G sudo chris
usermod -a -G sudo sysadm
usermod -a -G sudo defa
## - warenform specific
## -
#addgroup --gid 1008 webadmin
#mkdir /var/www
#adduser --uid 1008 --gid 1008 --home /var/www/html webadmin
## - Adjust (temporarily) /etc/sshd/sshd_config
## -
## - Set
## - PermitRootLogin yes
## -
cd /etc/ssh
cp -a /etc/ssh/sshd_config /etc/ssh/sshd_config.ORIG
vim sshd_config
systemctl restart ssh
## - Install git repository 'admin-stuff'
## -
mkdir -p /root/bin
cd /root/bin
git clone https://git.oopen.de/script/admin-stuff
## - Copy templates for .bashrc, .profile, .vimrc, .ssh etcpp
## -
hostname=<ipv4-address>
users="chris sysadm back"
for user in $users ; do
cp -a /home/${user}/.bashrc /home/${user}/.bashrc.ORIG
cp -a /home/${user}/.profile /home/${user}/.profile.ORIG
done
cp -a /root/.bashrc /root/.bashrc.ORIG
cp -a /root/.profile /root/.profile.ORIG
cd /home/chris/O.OPEN/Rechner/templates_home/root
scp -r adduser_backup.oopen.sh adduser_defa.sh .bashrc .profile .vimrc bin .ssh root@${hostname}:
cd /home/chris/O.OPEN/Rechner/templates_home/chris
scp -r .bashrc .profile .ssh .vimrc ${hostname}:
scp -r .bashrc .profile .ssh .vimrc back@${hostname}:
scp -r .bashrc .profile .ssh .vimrc sysadm@${hostname}:
cd ~
./adduser_defa.sh
./adduser_backup.oopen.sh
rm adduser_*
## - Coppy sshd_config
## -
cd ~/merke/install/LXC
scp etc_sshd_sshd_config root@${hostname}:/etc/ssh/sshd_config
## - Adjust /etc/resolv.conf
## -
## - search oopen.de
## - nameserver 83.223.66.51
## - nameserver 212.42.230.1
## - nameserver 83.223.90.90
## -
vim /etc/resolv.conf
## - configure sudo
## - add lines:
## -
## - back ALL=(root)NOPASSWD:/usr/bin/rsync
## - back ALL=(root)NOPASSWD:/usr/bin/find
## - back ALL=(root)NOPASSWD:/usr/bin/realpath
## -
## -
visudo
## - NOTICE!!
## -
## - since "sueeze", /bin/sh ist linked to /bin/dash. with that some of my
## - scripts doesn't work. so link back to /bin/bash
## -
## - link /bin/sh to /bin/bash
## -
cd /bin
rm sh
ln -s bash sh
## - install subversion
## -
apt-get install -y subversion subversion-tools # smbclient
## ---------------------------------------------------------------
## - compiler stuff
## -
apt-get install -y g++ g++-multilib gcc gcc-multilib cpp \
make automake autoconf libtool flex bison \
gettext pkg-config gnu-standards \
libssl-dev libreadline-dev libncurses-dev
apt-get install -y libsystemd-dev
## - Packages to build utils-vserver
## -
apt-get install -y vlan
apt-get install -y libnss3-dev
apt-get install -y python-dev
## - packages to build apache webserver with php5/ruby support
## -
apt-get install -y libdb-dev zlib1g zlib1g-dev libssl-dev \
libneon27-dev
apt-get -y install libxml2 libxml2-dev \
curl libcurl4-openssl-dev \
libqdbm-dev libgdbm-dev libpspell-dev \
libjpeg-dev libpng-dev libxpm-dev libfreetype6-dev \
libwmf-dev libtiff-dev libpaper-dev \
libmagic-dev \
libmagick-dev libgraphics-magick-perl \
libgraphicsmagick++1-dev libgraphicsmagick++3 libgraphicsmagick1-dev \
libgraphviz-dev libgd2-xpm-dev libcroco3-dev libgsf-1-dev libilmbase-dev \
libvpx-dev vpx-tools \
libgpm-dev libkpathsea-dev libopenexr-dev librsvg2-dev libdjvulibre-dev \
libatm-dev libexpat-dev \
imagemagick graphicsmagick \
exif libexiv2-dev \
re2c \
netpbm libnetpbm10-dev \
libmcrypt-dev mcrypt \
default-libmysqlclient-dev mysql-client \
libpq-dev postgresql-client \
libreadline-dev libncurses-dev \
libdb5.3 libdb5.3++ libdb5.3++-dev libdb5.3-dev \
libxslt1-dev libpcre3-dev \
libc-client2007e-dev libc-client-dev \
libicu-dev \
libtidy-dev \
libmm-dev libgmp-dev libkrb5-dev libldap-dev \
libmhash-dev libgd-dev \
liblua5.3-dev \
libapr1-dev libaprutil1-dev \
libsctp-dev \
libcrypto++-dev
## - Hinweis: libjasper-dev nicht mehr verfügbar in debian jessie
## -
## - Hinweis: »graphicsmagick-libmagick-dev-compat« wird an Stelle von »libmagick-dev« gewählt
## - Create a symlink
## - /usr/lib/libldap.so -> /usr/lib/x86_64-linux-gnu/libldap.so
ln -s x86_64-linux-gnu/libldap.so /usr/lib/libldap.so
## - if ruby is/will be installed this is needed for rmagick gem
## -
##libmagick++-dev libmagickcore-dev libmagickwand-dev \
## - ffmpeg
## -
apt-get install -y ffmpeg
## - needed for php extension imagick
## -
apt-get install -y libmagickwand-dev
## - needed for php extension geoip
## -
apt-get install -y libgeoip-dev
## - add some tk/tcl stuff
## -
## - tcl tcl-dev tk tk-dev tclreadline
## -
apt-get install -y tk-dev tcl-dev tclreadline
apt-get install -y expect expect-dev libexpect-perl