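#!/usr/bin/env bash
## - Runbook: create a Debian LXC container on a bridged host and provision
## - it (apt sources, packages, users, ssh, sudo, build dependencies).
## -
## - The steps are meant to be run one after another by hand, not as an
## - unattended script: the host-side steps come first, the steps after
## - "lxc-attach" run inside the new container, and the template copies near
## - the end run from the machine that holds the templates. Fill in the
## - variables in the "Device 1"/"Device 2" block before starting.
## -
## - On the host-system install "bridge-utils"
## -   apt-get install bridge-utils
## - On the host-system install LXC
## -   apt-get install lxc
apt-get install btrfs-tools lua5.3

## - !! Debian stretch related
## -
## - Konfiguration /etc/security/limits.conf seems not be working together
## - with systemd.
## -
## - One possibility is, setting parameter "DefaultLimitNOFILE" in file
## - /etc/systemd/system.conf. This setting is "world wide".
## -
## - At least that allows me to do my work again but it is obviously not the
## - right solution. I just want to change my own user's limits, not the
## - limits of each and everything.
## -
cp -a /etc/systemd/system.conf /etc/systemd/system.conf.ORIG
# Backup already taken above; single quotes so that $1 reaches perl unexpanded.
perl -i -pe 's/(\s*#\s*DefaultLimitNOFILE.*)/$1\nDefaultLimitNOFILE=1048576/' /etc/systemd/system.conf
systemctl daemon-reload

## - Configure your host-system to use a bridge-interface (typically br0)
## - instead of a real one (typically eth0)
## -
## - Replace your network configuration in file /etc/network/interfaces
## - from:
## -
## -   auto eth0
## -   iface eth0 inet static
## -     address
## -     netmask
## -     network
## -     broadcast
## -     gateway
## -
## - to:
## -
## -   auto br0
## -   iface br0 inet static
## -     bridge-ports eth0
## -     address
## -     netmask
## -     network
## -     broadcast
## -     gateway
## -     # default route to access subnet
## -     #up route add -net netmask gw br0
## -
cp -a /etc/network/interfaces /etc/network/interfaces.ORIG
vim /etc/network/interfaces

## - Restart host-system
## -

# ---
# - Container parameters
# ----

#LXC_ROOT_DIR=/srv/lxc
LXC_ROOT_DIR=/var/lib/lxc
LXC_NAME=
LXC_DIST=debian
LXC_RELEASE=stretch

### Device 1
IPV4_ADDRESS_1=
IPV4_NETMASK_1=
IPV4_BROADCAST_1=
IPV4_GATEWAY_1=
IPv4_Prefix=24

## - !! Assign the MAC address via the Hetzner web interface !!
## -
## - Create a random MAC address
## -
## -   echo -e "\n\t$(echo -n 00 ; dd bs=1 count=5 if=/dev/random 2>/dev/null | hexdump -v -e '/1 ":%02X"')\n"
## -
#MAC_ADDRESS_1="$(echo -n 00 ; dd bs=1 count=5 if=/dev/random 2>/dev/null | hexdump -v -e '/1 ":%02X"')"
MAC_ADDRESS_1=

#IPV6_ADDRESS_1=
#IPV6_GATEWAY_1=
#IPv6_Prefix_1=

### Device 2
IPV4_ADDRESS_2=83.223.86.202
IPV4_NETMASK_2=255.255.255.0
IPV4_BROADCAST_2=83.223.86.255
IPV4_GATEWAY_2="${IPV4_GATEWAY_1}"
IPv4_Prefix_2=24
MAC_ADDRESS_2=00:B4:D5:A0:5F:CE

#IPV6_ADDRESS_2=
#IPV6_GATEWAY_2=
#IPv6_Prefix_2=

# Note: overrides bash's own HOSTNAME variable; it is not referenced below.
HOSTNAME=dns0.warenform.de

## - -------------------------------------------------------------------------

# An empty container name would create "/var/lib/lxc//rootfs" - refuse early.
: "${LXC_NAME:?LXC_NAME must be set before creating the container}"

lxc-create -n "$LXC_NAME" -t "$LXC_DIST" -- --release "$LXC_RELEASE" --arch amd64

cp "${LXC_ROOT_DIR}/${LXC_NAME}/rootfs/etc/network/interfaces" \
   "${LXC_ROOT_DIR}/${LXC_NAME}/rootfs/etc/network/interfaces.ORIG"

# Use LXC_ROOT_DIR consistently instead of a hard-coded /var/lib/lxc.
touch "${LXC_ROOT_DIR}/${LXC_NAME}/fstab"

if [[ -z "$IPV4_ADDRESS_2" ]] ; then
  cat << EOF > "${LXC_ROOT_DIR}/${LXC_NAME}/rootfs/etc/network/interfaces"
#-----------------------------
# lo: loopback
#-----------------------------
auto lo
iface lo inet loopback

#-----------------------------
# eth0
#-----------------------------
auto eth0
iface eth0 inet manual
iface eth0 inet6 manual
EOF
else
  cat << EOF > "${LXC_ROOT_DIR}/${LXC_NAME}/rootfs/etc/network/interfaces"
#-----------------------------
# lo: loopback
#-----------------------------
auto lo
iface lo inet loopback

#-----------------------------
# eth0
#-----------------------------
auto eth0
iface eth0 inet manual
    up ip route add default via ${IPV4_GATEWAY_1} dev eth0 table 100
    up ip rule add from ${IPV4_ADDRESS_1} table 100 prio 100

#-----------------------------
# eth1
#-----------------------------
auto eth1
iface eth1 inet manual
    up ip route add default via ${IPV4_GATEWAY_2} dev eth1 table 200
    up ip rule add from ${IPV4_ADDRESS_2} table 200 prio 120
EOF
fi

cp "${LXC_ROOT_DIR}/${LXC_NAME}/config" "${LXC_ROOT_DIR}/${LXC_NAME}/config.ORIG"

cat << EOF > "${LXC_ROOT_DIR}/${LXC_NAME}/config"
lxc.rootfs = ${LXC_ROOT_DIR}/${LXC_NAME}/rootfs

# Common configuration
lxc.include = /usr/share/lxc/config/${LXC_DIST}.common.conf

# Container specific configuration
lxc.mount = ${LXC_ROOT_DIR}/${LXC_NAME}/fstab
lxc.utsname = ${LXC_NAME}
lxc.arch = amd64
lxc.autodev = 1
lxc.kmsg = 0

# Network configuration
### Device 1
lxc.network.type = veth
lxc.network.flags = up
lxc.network.link = br0
lxc.network.name = eth0
lxc.network.hwaddr = ${MAC_ADDRESS_1}
# IPv4
lxc.network.ipv4 = ${IPV4_ADDRESS_1}/${IPv4_Prefix}
lxc.network.ipv4.gateway = ${IPV4_GATEWAY_1}
# IPv6
#lxc.network.ipv6 = ${IPV6_ADDRESS_1}/${IPv6_Prefix_1}
#lxc.network.ipv6.gateway = ${IPV6_GATEWAY_1}
EOF

if [[ -n "$IPV4_ADDRESS_2" ]]; then
  # Device 2 has its own prefix variables (IPv4_Prefix_2 / IPv6_Prefix_2);
  # the old text used the device-1 prefix here by mistake.
  cat << EOF >> "${LXC_ROOT_DIR}/${LXC_NAME}/config"

### Device 2
lxc.network.type = veth
lxc.network.flags = up
lxc.network.link = br0
lxc.network.name = eth1
lxc.network.hwaddr = ${MAC_ADDRESS_2}
## IPv4
lxc.network.ipv4 = ${IPV4_ADDRESS_2}/${IPv4_Prefix_2}
## IPv6
#lxc.network.ipv6 = ${IPV6_ADDRESS_2}/${IPv6_Prefix_2}
EOF
fi

cat << EOF >> "${LXC_ROOT_DIR}/${LXC_NAME}/config"

# Mount iso file inside LX Container
#lxc.aa_profile = unconfined
#lxc.cgroup.devices.allow = b 7:* rwm
#lxc.cgroup.devices.allow = c 10:237 rwm

# Autostart
lxc.start.auto = 1
lxc.start.delay = 5
lxc.start.order = 100
EOF

## - -------------------------------------------------------------------------

lxc-start -d -n "$LXC_NAME"

## - Start a root shell in the new container
## -
lxc-attach -n "$LXC_NAME"

## - Alternatively: start a console in the new container
## -
## - Note: the root password is required; it is printed at the end of the
## -       output of the "lxc-create" command
## -
lxc-console -n "$LXC_NAME"

## - -------------------------------------------------------------------------
## - Everything from here on runs inside the container.
## - -------------------------------------------------------------------------

## - configure apt
## -   set in /etc/apt/sources.list
## -
## -   deb http://ftp.de.debian.org/debian stretch main contrib non-free
## -   deb-src http://ftp.de.debian.org/debian stretch main contrib non-free
## -
## -   deb http://security.debian.org/ stretch/updates main contrib non-free
## -   deb-src http://security.debian.org/ stretch/updates main contrib non-free
## -
## -   ## - formerly: volatile
## -   deb ftp://ftp.de.debian.org/debian stretch-updates main contrib
## -
## -   # stretch-backports
## -   deb http://ftp.de.debian.org/debian stretch-backports main contrib non-free
## -
cat << EOF > /etc/apt/sources.list
deb http://ftp.de.debian.org/debian/ stretch main non-free contrib
deb-src http://ftp.de.debian.org/debian/ stretch main non-free contrib

deb http://security.debian.org/ stretch/updates main contrib non-free
deb-src http://security.debian.org/ stretch/updates main contrib non-free

# stretch-updates, previously known as 'volatile'
deb http://ftp.de.debian.org/debian/ stretch-updates main contrib non-free
deb-src http://ftp.de.debian.org/debian/ stretch-updates main contrib non-free

# stretch-backports, previously on backports.debian.org
deb http://ftp.de.debian.org/debian/ stretch-backports main contrib non-free
deb-src http://ftp.de.debian.org/debian/ stretch-backports main contrib non-free
EOF

## - Update
## -
apt-get update

## - Install/Setup locales
## -
apt-get install locales
dpkg-reconfigure locales

## - take care shadow passwords are enabled
## -
dpkg-reconfigure passwd
/sbin/shadowconfig on

## - Set password for user root
## -
passwd

## - configure time-zone
## -
dpkg-reconfigure tzdata

## - Upgrade System
## -
apt-get upgrade

apt-get -y install openssh-server rssh \
   vim vim-common vim-doc mc screen tmux bc figlet \
   rcconf sudo rsync dselect iputils-ping apt-utils aptitude apt-transport-https \
   zip unzip bzip2 arj \
   locate \
   curl \
   gawk mawk \
   lynx links w3m ctags mime-support \
   file coreutils moreutils less realpath sipcalc psmisc \
   dnsutils rblcheck whois \
   gettext gettext-base gettext-doc \
   debian-keyring \
   patch patchutils \
   recode recode-doc librecode0 librecode-dev sharutils \
   perl perl-modules perl-doc libperl-dev \
   libterm-readline-gnu-perl libterm-readline-perl-perl libterm-readkey-perl \
   libmail-imapclient-perl libtime-duration-perl libtimedate-perl \
   libwww-perl libpcre3 libio-compress-perl \
   re2c util-linux \
   parted lshw gdisk smartmontools \
   tcpdump telnet unhide lsof hdparm groff iproute2 bridge-utils vlan \
   ethtool wipe iperf mtr iptraf \
   wget logrotate rsyslog haveged \
   rdate ntpdate wipe man \
   iptables shellcheck \
   ssl-cert ssl-cert-check \
   git ftp \
   htop \
   net-tools lsb-release \
   attr acl quota quotatool \
   needrestart

# - poppler-utils - PDF tools (based on Poppler), among others pdftotext
# - catdoc - converter from Word, Excel and PowerPoint to plain text
# -
apt-get install catdoc poppler-utils

## - add more users
adduser chris
adduser defa

## - add user/group back
addgroup --gid 1020 back
adduser --uid 1020 --gid 1020 back

## - user/group sysadm
## -
## -   passwd: set interactively when prompted - credentials are not
## -           recorded in this file
## -
addgroup --gid 1050 sysadm
adduser --uid 1050 --gid 1050 sysadm

## - add new user to group sudo
usermod -a -G sudo chris
usermod -a -G sudo sysadm
usermod -a -G sudo defa

## - warenform specific
## -
#addgroup --gid 1008 webadmin
#mkdir /var/www
#adduser --uid 1008 --gid 1008 --home /var/www/html webadmin

## - Adjust (temporarily) /etc/ssh/sshd_config
## -
## - Set
## -   PermitRootLogin yes
## -
## - This is only needed until the templates/keys below are in place; make
## - sure the sshd_config copied later does not leave it enabled.
## -
cd /etc/ssh || exit 1
cp -a /etc/ssh/sshd_config /etc/ssh/sshd_config.ORIG
vim sshd_config
systemctl restart ssh

## - Install git repository 'admin-stuff'
## -
mkdir -p /root/bin
cd /root/bin || exit 1
git clone https://git.oopen.de/script/admin-stuff

## - Copy templates for .bashrc, .profile, .vimrc, .ssh etcpp
## -
hostname=
users=(chris sysadm back)
for user in "${users[@]}" ; do
   cp -a "/home/${user}/.bashrc"  "/home/${user}/.bashrc.ORIG"
   cp -a "/home/${user}/.profile" "/home/${user}/.profile.ORIG"
done
cp -a /root/.bashrc /root/.bashrc.ORIG
cp -a /root/.profile /root/.profile.ORIG

# The scp targets below are unusable with an empty hostname.
: "${hostname:?hostname must be set before copying the templates}"

cd /home/chris/O.OPEN/Rechner/templates_home/root || exit 1
scp -r adduser_backup.oopen.sh adduser_defa.sh .bashrc .profile .vimrc bin .ssh "root@${hostname}:"
cd /home/chris/O.OPEN/Rechner/templates_home/chris || exit 1
scp -r .bashrc .profile .ssh .vimrc "${hostname}:"
scp -r .bashrc .profile .ssh .vimrc "back@${hostname}:"
scp -r .bashrc .profile .ssh .vimrc "sysadm@${hostname}:"

cd ~ || exit 1
./adduser_defa.sh
./adduser_backup.oopen.sh
rm -- adduser_*

## - Copy sshd_config
## -
cd ~/merke/install/LXC || exit 1
scp etc_sshd_sshd_config "root@${hostname}:/etc/ssh/sshd_config"

## - Adjust /etc/resolv.conf
## -
## -   search oopen.de
## -   nameserver 83.223.66.51
## -   nameserver 212.42.230.1
## -   nameserver 83.223.90.90
## -
vim /etc/resolv.conf

## - configure sudo
## -   add lines:
## -
## -   back ALL=(root)NOPASSWD:/usr/bin/rsync
## -   back ALL=(root)NOPASSWD:/usr/bin/find
## -   back ALL=(root)NOPASSWD:/usr/bin/realpath
## -
## - NOTE: rsync and find can both run arbitrary commands, so NOPASSWD on
## -       them amounts to unrestricted root for "back". If the account only
## -       needs to pull backups, point the sudoers entry at a dedicated
## -       wrapper script with a fixed command line instead.
## -
visudo

## - NOTICE!!
## -
## - since "squeeze", /bin/sh is linked to /bin/dash. with that some of my
## - scripts don't work. so link back to /bin/bash
## -
## - link /bin/sh to /bin/bash
## -
# Replace the link in one step instead of "rm sh; ln -s bash sh", which
# leaves the system without /bin/sh if the ln step fails.
ln -sfn bash /bin/sh

## - install subversion
## -
apt-get install -y subversion subversion-tools # smbclient

## ---------------------------------------------------------------

## - compiler stuff
## -
apt-get install -y g++ g++-multilib gcc gcc-multilib cpp \
   make automake autoconf libtool flex bison \
   gettext pkg-config gnu-standards \
   libssl-dev libreadline-dev libncurses-dev

apt-get install -y libsystemd-dev

## - Packages to build utils-vserver
## -
apt-get install -y vlan
apt-get install -y libnss3-dev
apt-get install -y python-dev

## - packages to build apache webserver with php5/ruby support
## -
apt-get install -y libdb-dev zlib1g zlib1g-dev libssl-dev \
   libneon27-dev

apt-get -y install libxml2 libxml2-dev \
   curl libcurl4-openssl-dev \
   libqdbm-dev libgdbm-dev libpspell-dev \
   libjpeg-dev libpng-dev libxpm-dev libfreetype6-dev \
   libwmf-dev libtiff-dev libpaper-dev \
   libmagic-dev \
   libmagick-dev libgraphics-magick-perl \
   libgraphicsmagick++1-dev libgraphicsmagick++3 libgraphicsmagick1-dev \
   libgraphviz-dev libgd2-xpm-dev libcroco3-dev libgsf-1-dev libilmbase-dev \
   libvpx-dev vpx-tools \
   libgpm-dev libkpathsea-dev libopenexr-dev librsvg2-dev libdjvulibre-dev \
   libatm-dev libexpat-dev \
   imagemagick graphicsmagick \
   exif libexiv2-dev \
   re2c \
   netpbm libnetpbm10-dev \
   libmcrypt-dev mcrypt \
   default-libmysqlclient-dev mysql-client \
   libpq-dev postgresql-client \
   libreadline-dev libncurses-dev \
   libdb5.3 libdb5.3++ libdb5.3++-dev libdb5.3-dev \
   libxslt1-dev libpcre3-dev \
   libc-client2007e-dev libc-client-dev \
   libicu-dev \
   libtidy-dev \
   libmm-dev libgmp-dev libkrb5-dev libldap-dev \
   libmhash-dev libgd-dev \
   liblua5.3-dev \
   libapr1-dev libaprutil1-dev \
   libsctp-dev \
   libcrypto++-dev

## - Note: libjasper-dev is no longer available in Debian jessie
## -
## - Note: "graphicsmagick-libmagick-dev-compat" is selected in place of "libmagick-dev"

## - Create a symlink
## -    /usr/lib/libldap.so -> /usr/lib/x86_64-linux-gnu/libldap.so
ln -s x86_64-linux-gnu/libldap.so /usr/lib/libldap.so

## - if ruby is/will be installed this is needed for rmagick gem
## -
##libmagick++-dev libmagickcore-dev libmagickwand-dev \

## - ffmpeg
## -
apt-get install -y ffmpeg

## - needed for php extension imagick
## -
apt-get install -y libmagickwand-dev

## - needed for php extension geoip
## -
apt-get install -y libgeoip-dev

## - add some tk/tcl stuff
## -
## -   tcl tcl-dev tk tk-dev tclreadline
## -
apt-get install -y tk-dev tcl-dev tclreadline

apt-get install -y expect expect-dev libexpect-perl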