This post was triggered by the VI3.5 Deploy Secure Analyse course I ran in Wellington last week; I realised at the end of the course that I hadn’t provided the guys with the template unattended file on the CD as I usually do.
The Anaconda Kickstart file reproduced below is an example which builds the configuration used in the HP Virtual Labs in the VI3 Install and Configure course, with a few of the security settings from the DSA course added.
Due to the lack of a suitable editor in the HPVL this script has not been tested. The post section of the script is a Linux shell script and does not take kindly to DOS type “carriage return / line feed” end of line markers. To create your scripts on Windows I would suggest using an editor like Crimson which respects Unix format text, alternatively use a Unix editor!
I am still planning to post about making a custom boot CD to make your automated builds even easier and using a central script store as well, hopefully I’ll get some time to test & write those soon. Meanwhile follow the break for the unattend script.
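# Auto-Generated Scripted Install Configuration file.
# This file is used for VMware ESX Server Scripted Install Deployment
#
# The blog copy of this file had its "--" option prefixes turned into
# en-dashes by the web editor; they are restored to plain ASCII here so
# Anaconda actually recognises the options.
install
lang en_US.UTF-8
langsupport --default en_US.UTF-8
keyboard us
mouse generic3ps/2 --device psaux
skipx
reboot
# Host-specific values (IP, hostname) must be changed for every build.
network --device eth0 --bootproto static --ip 192.168.38.36 --netmask 255.255.255.0 --gateway 192.168.38.3 --nameserver 192.168.38.3 --hostname chlorine06.hp.local --addvmportgroup=1 --vlanid=0
# root Password
# NOTE(review): this is an MD5-crypt ($1$) hash that has been published with the
# post; generate a fresh hash for each deployment rather than reusing this one.
rootpw --iscrypted $1$fEO6n2tZ$q97Kwrx1fJwx5fm8Crine0
firewall --enabled
# Authconfig
authconfig --enableshadow --enablemd5
timezone --utc Pacific/Auckland
# Text Mode
text
bootloader --location=mbr
clearpart --all --drives=cciss/c0d0
part /boot --fstype ext3 --size=250 --ondisk=cciss/c0d0
part / --fstype ext3 --size=5120 --ondisk=cciss/c0d0
part swap --size=2048 --ondisk=cciss/c0d0
part /var --fstype ext3 --size=5120 --ondisk=cciss/c0d0
part /opt --fstype ext3 --size=5120 --ondisk=cciss/c0d0
# VMware Specific Commands
vmaccepteula
vmlicense --mode=server --server=27000@dvc.demitasse.local --edition=esxFull
%packages
grub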
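%post
# %post runs as root inside the installer once packages are in place.
# The blog copy of this section carried typographic quotes and en-dashes;
# they are restored to ASCII here so the commands parse as intended.
# Heredoc delimiters are quoted ('EOFn') wherever the written file must keep
# "$..." text literally; only EOF9 is left unquoted because it needs $dateTime.
dateTime=$(date '+%c')
echo Built on "$dateTime" > /etc/motd
# Set banner to warn that a rebuild is in progress.
# /etc/issue.orig now holds the shipped banner; esxcfg.sh restores it later.
mv /etc/issue /etc/issue.orig
cat > /etc/issue <<EOF9
Do not log on, this system is being rebuilt
Rebuild began at "$dateTime"
Rebuild should complete within 30 minutes
EOF9
# Restrict su to members of the wheel group (root itself is always allowed).
# "$ISA" is a token PAM substitutes at runtime; an unquoted delimiter would
# have the installer expand it to an empty string while writing the file.
mv /etc/pam.d/su /etc/pam.d/su.orig
cat > /etc/pam.d/su <<'EOF8'
#%PAM-1.0
auth sufficient /lib/security/$ISA/pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth sufficient /lib/security/$ISA/pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
auth required /lib/security/$ISA/pam_wheel.so use_uid
auth required /lib/security/$ISA/pam_stack.so service=system-auth
account required /lib/security/$ISA/pam_stack.so service=system-auth
password required /lib/security/$ISA/pam_stack.so service=system-auth
session required /lib/security/$ISA/pam_stack.so service=system-auth
session optional /lib/security/$ISA/pam_xauth.so
EOF8
# Setup SSH config.
# This replaces the shipped sshd_config wholesale, so every directive not
# listed falls back to OpenSSH's built-in default. NOTE(review): the built-in
# default for PermitRootLogin is "yes"; add "PermitRootLogin no" here, since
# the sshuser/wheel setup below is designed for su rather than root logins.
# The CBC-only cipher list is also worth revisiting against current guidance.
cat > /etc/ssh/sshd_config <<'EOF7'
Protocol 2
SyslogFacility AUTH
LogLevel VERBOSE
Subsystem sftp /usr/libexec/openssh/sftp-server
Ciphers aes256-cbc,aes128-cbc
EOF7
# Setup NTP config.
# NOTE(review): two "restrict default" lines are given; the later
# "kod nomodify notrap" line appears to be the effective one and is what lets
# replies from the server in -- confirm which policy is intended. The fudge
# line has no matching "server 127.127.1.0", so the local-clock fallback it
# configures is presumably inert.
cat > /etc/ntp.conf <<'EOF6'
restrict default ignore
restrict 127.0.0.1
restrict default kod nomodify notrap
server 192.168.38.3
fudge 127.127.1.0 stratum 10
driftfile /var/lib/ntp/drift
broadcastdelay 0.008
authenticate yes
keys /etc/ntp/keys
EOF6
# Setup NTP time source
cat > /etc/ntp/step-tickers <<'EOF5'
192.168.38.3
EOF5
# Replace the hosts file with the lab server information (this overwrites,
# it does not append).
cat > /etc/hosts <<'EOF4'
# Do not remove the following line, or various programs
# that require network functionality will fail.
127.0.0.1 localhost.localdomain localhost
192.168.38.31 chlorine01 chlorine01.hp.local
192.168.38.32 chlorine02 chlorine02.hp.local
192.168.38.33 chlorine03 chlorine03.hp.local
192.168.38.34 chlorine04 chlorine04.hp.local
192.168.38.35 chlorine05 chlorine05.hp.local
192.168.38.36 chlorine06 chlorine06.hp.local
EOF4
# Things that require the VMkernel should be placed in here. The script is
# written now and executed as root on the next boot via the rc.local hook
# below. The delimiter is quoted so $LAST and awk's $2/$4 are written
# literally instead of being expanded (to nothing) by the installer.
# NOTE(review): /tmp is world-writable; a root-run boot script is safer under
# a root-owned directory (e.g. /root) -- the rc.local symlink would need the
# same change.
cat > /tmp/esxcfg.sh <<'EOF3'
#!/bin/sh
# Configure ESX Server
esxcfg-firewall -e ntpClient
esxcfg-vswitch -a vSwitch1
esxcfg-vswitch -A VMOTION vSwitch1
esxcfg-vswitch -L vmnic1 vSwitch1
esxcfg-vswitch -a vSwitch2
esxcfg-vswitch -A Production vSwitch2
esxcfg-vswitch -L vmnic2 vSwitch2
esxcfg-vswitch -A iSCSIAccess vSwitch0
# Get last octet from vswif0 IP address & use as last octet of VMotion port IP address
LAST=$(/sbin/ifconfig vswif0 | grep "inet addr" | awk '{ print $2 }' | awk -F. '{ print $4 }')
esxcfg-vmknic -a -i "10.1.38.$LAST" -n 255.255.255.0 VMOTION
# Offset the last octet for the IP storage port IP address.
# The original comment said 150 but the code adds 170 -- confirm which is
# intended; the result must stay within 1-254 for the host's octet.
LAST=$((LAST + 170))
esxcfg-vmknic -a -i "192.168.38.$LAST" -n 255.255.255.0 iSCSIAccess
esxcfg-route 192.168.38.3
esxcfg-firewall -e swISCSIClient
esxcfg-swiscsi -e
vmkiscsi-tool -D -a 192.168.38.42 vmhba32
sleep 5
esxcfg-rescan vmhba32
esxcfg-nas -a -o hfs-chlorine.hp.local -s "/class" NFS_ISO_Library
# Install HP Management agents
/vmfs/volumes/NFS_ISO_Library/hpmgmt/791/installvm791.sh --silent --inputfile hpmgmt.conf
# Setup sshuser and add to wheel group.
# useradd creates the account without a usable password; confirm how its
# password or SSH key is provisioned, otherwise it cannot log in.
useradd -G wheel -c 'SSH access user' sshuser
# Cleanup after build: remove this one-shot hook, restore the real banner,
# and hand over to the vmware-Patch init script (defined elsewhere) on reboot.
rm -f /etc/rc.d/rc3.d/S99VMPostConfig
rm /etc/issue
mv /etc/issue.orig /etc/issue
ln -s /etc/rc.d/init.d/vmware-Patch /etc/rc.d/rc3.d/S99VMPatch
shutdown -r now
EOF3
# Backup original rc.local file
cp /etc/rc.d/rc.local /etc/rc.d/rc.local.bak
# Make esxcfg.sh run from rc.local and make rc.local reset itself:
# on first boot rc.local links the script into rc3.d, schedules a reboot in
# 3 minutes (backgrounded so rc.local keeps going) and puts the original
# rc.local back so this block runs only once.
cat >> /etc/rc.d/rc.local <<'EOF2'
cd /tmp
ln -s /tmp/esxcfg.sh /etc/rc.d/rc3.d/S99VMPostConfig
shutdown -r +3 &
mv -f /etc/rc.d/rc.local.bak /etc/rc.d/rc.local
EOF2
# Make esxcfg.sh executable
chmod +x /tmp/esxcfg.sh
# Setup pre-logon build message.
# /etc/issue.orig was already saved above and /etc/issue currently holds the
# "being rebuilt" banner; copying unconditionally here would overwrite the
# real original, which esxcfg.sh later restores. Only save if nothing is
# there yet.
[ -f /etc/issue.orig ] || cp /etc/issue /etc/issue.orig
cat > /etc/issue <<'EOF1'
VMware ESX Server 3 (Dali)
Kernel \r on an \m
Servers is still being built, please wait.
EOF1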
© 2008 – 2009, Alastair. All rights reserved.