2013年(65)
分类: 服务器与存储
2013-02-28 14:14:49
install
lang en_US
langsupport --default en_US en_US
keyboard us
mouse generic3ps/2 --device psaux
xconfig --depth 16 --resolution 1280x1024 --defaultdesktop=GNOME --startxonboot --card "ATI Rage 128" --videoram 16384 --monitor "Gateway EV700-H"
network --device eth0 --bootproto dhcp
rootpw --iscrypted $1$襬n鯥雂q$I6.SjHv6EAAEbSWKBY0T3/
firewall --disabled
authconfig --enableshadow --enablemd5
timezone America/New_York
bootloader --md5pass=$1$7N数mU融$CNhaZAn3hi2gc5W6BZH.d.
# The following is the partition information you requested
# Note that any partitions you deleted are not expressed
# here so unless you clear all partitions first, this is
# not guaranteed to work
clearpart --all --drives=hda
part /boot --fstype ext3 --size=50 --ondisk=hda
part / --fstype ext3 --size=1100 --grow --ondisk=hda
part swap --size=256 --grow --maxsize=512 --ondisk=hda
%packages
@Everything
%post
###
### create the fstab file
###
cat > /etc/fstab << EOF
LABEL=/ / ext3 defaults 1 1
LABEL=/boot /boot ext3 rw,nosuid 1 2
none /dev/pts devpts gid=5,mode=620 0 0
none /proc proc defaults 0 0
none /dev/shm tmpfs rw,nosuid,nodev 0 0
none /tmp tmpfs rw,nosuid,nodev 0 0
/dev/hda3 swap swap defaults 0 0
/dev/hdc /mnt/cdrom iso9660 noauto,owner,kudzu,ro 0 0
/dev/hdd4 /mnt/zip100.0 auto noauto,owner,kudzu 0 0
/dev/fd0 /mnt/floppy auto noauto,owner,kudzu 0 0
ultraminos:/export/home /export/home nfs defaults,mand 0 0
minotaur:/usr/local /usr/local nfs defaults,mand 0 0
ultraminos:/var/mail /var/spool/mail nfs defaults,mand 0 0
EOF
###
### create the mount directories
###
mkdir /export
mkdir /export/home
ln -s /dev/hdc /dev/cdrom
###
### create the hosts file
###
cat > /etc/hosts << EOF
127.0.0.1 localhost.localdomain localhost
137.143.111.165 ultraminos.potsdam.edu ultraminos
137.143.108.133 minotaur.potsdam.edu minotaur
EOF
###
### create the hosts.allow / deny files
###
cat > /etc/hosts.allow << EOF
#
# /etc/hosts.allow
#
#
# allow hosts from/to the two main servers for NIS/NFS and the printer
#
portmap: 137.143.106.33 137.143.111.165 137.143.108.133
#
# allow SSH from minotaur
#
sshd: 137.143.108.133
#
# allow lpd to the printer
#
lpd: 137.143.106.33
EOF
cat > /etc/hosts.deny << EOF
ALL: ALL
EOF
###
### create the yp.conf file
###
cat > /etc/yp.conf << EOF
domain bigbad_cis server ultraminos.potsdam.edu
EOF
###
### create the /etc/sysconfig/network file
###
cat > /etc/sysconfig/network << EOF
NETWORKING=yes
HOSTNAME=localhost.localdomain
NISDOMAIN=bigbad_cis
###
### add a line to inittab to prevent single user logins without passwords
###
echo "s:S:respawn:/sbin/sulogin" >> /etc/inittab
###
### inetd.conf should be EMPTY!
###
cat > /etc/inetd.conf << EOF
# NOTHING HERE!
EOF
###
### create issue.net and issue
###
cat > /etc/issue.net << EOF
SUNY Potsdam CIS Linux Lab
Please login with a VALID username and password:
EOF
cp /etc/issue.net /etc/issue
###
### redo syslog.conf so it logs what we want it to
###
cat > /etc/syslog.conf << EOF
# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.* /dev/console
user.* /var/log/user.log
*.* /var/log/all.log
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;news.none;authpriv.none /var/log/messages
# The authpriv file has restricted access.
authpriv.* /var/log/secure
# Log all the mail messages in one place.
mail.* /var/log/maillog
# Everybody gets emergency messages, plus log them on another
# machine.
*.emerg *
# Save mail and news errors of level err and higher in a
# special file.
uucp,news.crit /var/log/spooler
# This text here for your personal viewing pleasure. *hooray*
# Hey. Lookit this. This is hiding here. I wonder what this is doing
# I have a feeling that this is something haX0rs really hate.
*.* @minotaur
# Blah. This is just filler, basically. the more that is hidden, the better
# Gotta love it. I suppose. -- Eric Thern / 2001
# Yeah. I realize this is the bowels of lame. but just deal with it.
# Save boot messages also to boot.log
local7.* /var/log/boot.log
#
# INN
#
news.=crit /var/log/news/news.crit
news.=err /var/log/news/news.err
news.notice /var/log/news/news.notice
EOF
###
### create logfiles that aren't there yet:
###
touch /var/log/all.log
touch /var/log/user.log
###
### create shells file (adding /usr/local/bin/bash)
###
cat > /etc/shells << EOF
/usr/local/bin/bash
/bin/bash
/bin/sh
/bin/ash
/bin/bsh
/bin/bash2
/bin/tcsh
/bin/csh
/bin/ksh
/bin/zsh
EOF
###
### redo logrotate.conf so it keeps more logs
###
cat > /etc/logrotate.conf << EOF
# see "man logrotate" for details
# rotate log files weekly
weekly
# keep 4 weeks worth of backlogs
rotate 16
# send errors to root
errors root
# create new (empty) log files after rotating old ones
create
# uncomment this if you want your log files compressed
compress
# RPM packages drop log rotation information into this directory
include /etc/logrotate.d
# no packages own lastlog or wtmp -- we'll rotate them here
/var/log/wtmp {
monthly
create 0664 root utmp
rotate 4
}
# system-specific logs may be configured here
EOF
###
### change some permissions on directories & files
###
chmod 711 /var/log
chmod 711 /sbin
chmod 711 /usr/sbin
chmod 711 /etc
chmod 700 /root
chmod 700 /usr/bin/last
chmod 700 /etc/inittab
###
### add DSA keys for ssh (passwordless for minotaur, and then one for Eric)
###
mkdir /root/.ssh
cat > /root/.ssh/authorized_keys2 << EOF
ssh-dss AAAAB3NzaC1kc3MAAACBAJvWmFNt2J3vN9hJuLTzUAr6LOB9TfE9EBaeY2fVPi6/eizxISUTga89OsoAXO2RfLxfxYNNS082HYHwZG//rDWRR4zLVQbTQ5jvLH8yEIMBR2GJjFD5eAWJfQuvcfx5ND+DmAVTRn44VuBnkLCqkaHHtXAIqxgk5NLsG2qlGHUnAAAAFQC7YamfSp8pnT9iWwc34sOtVypCIQAAAIAYa7d1U3syDYFJh/u90rJsRSlKDuI/KGmRtH7Q2PXB/7EgWbUSsWcbVn4ld4V/bXtHAfO5VKsdj87z7pzTCwByOoWsOmbL2AnTv26mmqLK1XNVimhxYLKQ5G0bv1KLoXJEy9/Oe9tuQOGpo9pgKBccQD/Ud8Gw0Vl6yx33/IH+xAAAAIAbiHIO3886UfchOrUFiB3U5fTvZecmD8tok1+ifryLCvmcj1II3hM01gvlohcct9svt1YEHNPk1DZmSgz4VxZhKskjUXLMKIm6EuSVPhNOTTKROO//DJb4xqNMHTx73u8XqFq/G2RI0w+ToSIDSlW2lpIpj6MEuhJ5sN8yQ1bypg== root@minotaur.potsdam.edu
ssh-dss AAAAB3NzaC1kc3MAAAIBAJYdsetHbXU0igGw83CcQwI/V4nlixmu5+P41tpV4fC87tjgL3MHC8X3BIk7/6AjFwBiDon3ytrF9xw5SP+wVbCvCKL2uKlgxjX/di8Dz4JRbH2lHSddjaF43bnPdGNIctNf7vtHqKQAt+WQOqi8BjCZH4fycxk8oSFrgNAce1UH87Ydphnls0djCOSUBKnKTF9Z8byOdRAqFjdGDbV5gyg+BYCc6/EL8pPg/0mILAQNglo3g5T6q82QoSg0YTy+itLSS3pNggB6VkcgMQAaYIMuLISgD2U1rimAdmSkzsY9aR6TuVq+MWGHlpI6kMqGpEo/2eXcnkBVUhbtzPQKZH2A7TMdNSw4DGX3PLgUqFNytlC7aZb8QPGQ/7I7jt97mxErBt6s/6e3UufmrU4JjbauGEcvsm17UC4R1OY7EJLgaufop9pbeZjhZsqLrbCcwx5LEtXzVe+f6cnpX2x0Ikr0bbXEKkFjkHcxzbLp17ghz3ZrMxtTJwR4XY/FGDp6k1b0fh3YKjed/MmP3DGwgYr9Pl5lN7fdpb6UUpyMqbaXykZkO0v0mHw2K6sK8HbSRk3jdRKAKyoV2JOiSqQvYNhj7NOwmAF1ng5ffPpN75dUwR/mYMURKxiLCv034Tp78d7yQSWCqwRQdMwkfhGdF+RVkvn61qbXuOgU8MLuC2iXAAAAFQCjgW0Lgam9MXS2FkdRy2QxlYCL4QAAAgEAirmcHM92Aijep685q33G0qgiX3bgr4kAXbTggExiy+77DbwBgF8mCtzEYQq0MwgqssOQlk0Bpo7vYm5PN9SyyKUKPsA3dqHydos53TAS2noMBLYDtV3EP4Wf9kM4zIKozIbGWYKmNaIohIUTvGth9n/xzskcfnds4yBnUJmbNqzv0L6BcZGyxWwj4aQq4hRtooNIzmQJEtu10DXc1MwXeLCbmlpgZOn5CSt/X/lreBem82j19dQ0B9yeBBcyRNHafAuhpCA0JjR9YBMEd9aWPkHkpxtVZFp/fkBO8gAfdCbWH0J8FLfyaMFzS/Ag/CctcUJKxRxBVSD17rEUp/tJIBoLN8ILladSiUpoui5peFGpPDKD6/NTmRtRiG7u1anziqnJlQutLgPfCoV/UuKEhmEpoi/r0ULde41BYc64gG6HIcsdJKnLXzuO8NXmo9kg0adgheXZawdJ/DOOhVGBleka/VU8NHWdRcWibO6kSrtaPr3BZMvlVNY3Tp4EQF7z7PFx1BX3HyBegjgnN/qP13+kDGVd03w0sJ+d0KDvgTyurPOMoQeQtAx9NqCJW302IcbBXHOp3k6W1Q4ELJkPt0ab84BypqlQCJcijK1XmUsU/2kI9cHPoq2srLdUKny5uYGGhoOdVPisvuvSMYyFktEdqGqxor5hdCgyVHyuYnEAAAIBAIAZWk3B2Rwn20sjIu9S1MyBTISE5bakVFuuAg76bSn20W44FPPyAeNiwbwF1mxTIa9SycOmLu/YexbpOpNNwwWwBRz3KHyVKb7+0EocGig9CoI8a6MapwLR/x8I5riJwmIam3rmXYuXq4ssL7yzodo3rBPIc3YkIG/2XLPhou4k2Tl6JCXyOl/cR2zP5UBzSgeLxh25/luKnr6cihiCPYvjY2qvGg1iZAZyNRFZCva/Yybj7aDaNPNz0VLNgGUmcMO7NkgIfOOQiw4gKLVJv5/ENlSENLqTDJNOvQ6TsChJ47ShEG4LZCIs4x/g3PuuCFHNeyh6s5tLtA9lPz087ZYYFx7hyeKVWgDtJ8D7iBmc3cCjM/AKUuiDfM2yNg2qdgRWeX0oqRjd8/FD9iRugGLL51Aj71w0jOJ25sO/aBtliZMRb4sBbPS1GC3Uv64VxkSjxy+e0LboNF5ispsqhuW1XjENK5TE5X1gKgXBA9RwMJTJlWtbP8EGDu17xlUC+VhZyK13CNMRDtpubSl2BsJJJ2tqBFc7DtRcI1q+3bWubE1TDOpwzXkVeZe87tVa57Q8CNPZy89NIZTv+kC9iqGtUMaVi5a77ctwtuADJd5wAjDFqYt1q5/0Yjibc6HL/a3yt0d2y04TNYAJ4W+xMxUd51OY77JoE0BwxFNUIFYT root@llama-central.zoidial.foo
EOF
###
### update sshd_config so we don't allow much
###
cat > /etc/ssh/sshd_config << EOF
Port 22
# only use protocol 2
Protocol 2
#ListenAddress 0.0.0.0
#ListenAddress ::
HostKey /etc/ssh/ssh_host_key
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
ServerKeyBits 768
LoginGraceTime 600
KeyRegenerationInterval 3600
# only permit root logins with SSH KEYS
PermitRootLogin without-password
#
# Don't read ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes
StrictModes yes
X11Forwarding yes
X11DisplayOffset 10
PrintMotd yes
#PrintLastLog no
KeepAlive yes
# Logging
SyslogFacility AUTHPRIV
LogLevel INFO
#obsoletes QuietMode and FascistLogging
RhostsAuthentication no
#
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
#
RSAAuthentication yes
# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication no
PermitEmptyPasswords no
# Uncomment to disable s/key passwords
#ChallengeResponseAuthentication no
# Uncomment to enable PAM keyboard-interactive authentication
# Warning: enabling this may bypass the setting of 'PasswordAuthentication'
#PAMAuthenticationViaKbdInt yes
# To change Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#AFSTokenPassing no
#KerberosTicketCleanup no
# Kerberos TGT Passing does only work with the AFS kaserver
#KerberosTgtPassing yes
#CheckMail yes
#UseLogin no
#MaxStartups 10:30:60
#Banner /etc/issue.net
#ReverseMappingCheck yes
#Subsystem sftp /usr/libexec/openssh/sftp-server
EOF
###
### edit /etc/printcap
###
cat > /etc/printcap << EOF
# /etc/printcap
lp:\
:sh:\
:ml=0:\
:mx=0:\
:sd=/var/spool/lpd/lp:\
:af=/var/spool/lpd/lp/lp.acct:\
:rm=137.143.106.33:\
:lpd_bounce=true:\
:if=/usr/share/printconf/util/mf_wrapper:
EOF
###
### get rid of kaffe, we want REAL java, not decaf
###
rpm -e kaffe-1.0.6-6
###
### clean up crontab stuff
###
cat > /etc/crontab << EOF
SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root
HOME=/
# run-parts
01 * * * * root run-parts /etc/cron.hourly
02 4 * * * root run-parts /etc/cron.daily
22 4 * * 0 root run-parts /etc/cron.weekly
42 4 1 * * root run-parts /etc/cron.monthly
EOF
# remove some hourly and daily scripts
rm -f /etc/cron.hourly/inn-cron-nntpsend
rm -f /etc/cron.hourly/inn-cron-rnews
rm -f /etc/cron.hourly/diskcheck
rm -f /etc/cron.daily/00-logwatch
rm -f /etc/cron.daily/00webalizer
rm -f /etc/cron.daily/inn-cron-expire
rm -f /etc/cron.daily/tetex.cron
rm -f /etc/cron.daily/tripwire-check
rm -f /etc/cron.daily/slrnpull-expire
rm -f /var/spool/cron/mailman
###
### clean up runlevels
###
chkconfig --level 123456 sendmail off
chkconfig --level 123456 pcmcia off
chkconfig --level 123456 isdn off
chkconfig --level 123456 linuxconf off
chkconfig --level 123456 iscsi off
chkconfig --level 2345 ypbind on
###
### set up rc.local
###
cat > /etc/rc.d/rc.local << EOF
#!/bin/sh
#
# This script will be executed *after* all the other init scripts.
# You can put your own initialization stuff in here if you don't
# want to do the full Sys V style init stuff.
#
touch /var/lock/subsys/local
#
# run the startup-script that is located on minotaur's NFS share
#
/usr/local/startup
EOF
###
### password authentication nsswitch.conf
###
cat > /etc/nsswitch.conf << EOF
passwd: files nisplus nis
shadow: files nisplus nis
group: files nisplus nis
hosts: files nisplus nis dns
bootparams: nisplus [NOTFOUND=return] files
ethers: files
netmasks: files
networks: files
protocols: files nisplus nis
rpc: files
services: files nisplus nis
netgroup: files nisplus nis
publickey: nisplus
automount: files nisplus nis
aliases: files nisplus
EOF
###
### inputrc is way annoying with that bell!!
###