Linux Baremetal OS Installation Manual
New BM OS installation
1. OS installation details
- LVM layout
※ Set the VG name to vg0
/boot 1G
/boot/efi 1G
/ 30G
/var 20G
/home 10G
swap 32G
/sysadmin remaining space
- minimal OS: standard + system tools
- timezone: Asia/Seoul
2. hostname
- Set it during OS installation, or edit /etc/hostname afterwards
3. bonding
1) Master (/etc/sysconfig/network-scripts/ifcfg-bond0)
DEVICE=bond0
TYPE=bond
NAME=bond0
ONBOOT=yes
BOOTPROTO=static
IPADDR=[ip]
PREFIX=24
GATEWAY=[gateway ip]
BONDING_MASTER=yes
BONDING_OPTS="mode=1 miimon=100"
nmcli connection add type bond con-name bond0 ifname bond0 bond.options "mode=active-backup,miimon=100"
## mode=1 and mode=active-backup are the same thing; write the options comma-separated with no space, as above.
## nmcli device status shows the bond as connected and the gateway answers ping at this point,
## but the host will not talk to other servers properly until the slaves are added and nmcli connection up bond0 is run.
2) Slave (/etc/sysconfig/network-scripts/ifcfg-[device name])
TYPE=Ethernet
BOOTPROTO=static
NAME=[device name]
UUID=[]
DEVICE=[device name]
ONBOOT=yes
MASTER=bond0
SLAVE=yes
ETHTOOL_OPTS="-K ${DEVICE} gso off gro off tso off lro off; -G ${DEVICE} rx 4096 tx 4096" # ifcfg ETHTOOL_OPTS works up to RHEL 7; from RHEL 8 use the nmcli commands below (ethtool -G takes "rx 4096", not "rx4096")
# nmcli con modify <interface> ethtool.feature-gso off ethtool.feature-gro off ethtool.feature-tso off ethtool.feature-lro off ethtool.ring-rx 4096 ethtool.ring-tx 4096
# nmcli connection up <interface>
nmcli connection add type ethernet slave-type bond con-name bond0-port1 ifname ens2f0 master bond0
nmcli connection add type ethernet slave-type bond con-name bond0-port2 ifname ens4f0 master bond0
3) ip setting
nmcli connection modify bond0 ipv4.addresses 'X.X.X.X/24'
nmcli connection modify bond0 ipv4.gateway 'X.X.X.X'
nmcli connection modify bond0 ipv4.dns 'X.X.X.X'
nmcli connection modify bond0 connection.autoconnect yes
nmcli connection modify bond0 ipv4.method manual
nmcli connection modify bond0 ipv6.method disabled
nmcli connection up bond0
※ On a VM there is no bond: use ens192 (the default interface name) instead of bond0
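The notes above say the bond looks "connected" before it really works; the authoritative state is /proc/net/bonding/bond0. The following is an added example, not part of the manual: a small checker that reads that file, reports the mode, the active port and how many ports are up, and fails when any port is down. The sample status text is constructed for the example (not captured from a real host), and bond_check / bond_sample_* are names chosen here.

```bash
#!/usr/bin/env bash
# Added example (not part of the manual): verify that bond0 is in active-backup
# mode with every port up, the check the note above describes doing by hand
# after "nmcli connection up bond0".
set -eu

# bond_check FILE
# FILE is a /proc/net/bonding/<bond> status file. Prints one summary line and
# returns 0 when every slave reports "MII Status: up", 1 otherwise.
bond_check() {
  awk '
    /^Bonding Mode:/             { sub(/^Bonding Mode: /, ""); mode = $0 }
    /^Currently Active Slave:/   { active = $4 }
    /^Slave Interface:/          { slave = $3; total++ }
    /^MII Status:/ && slave != "" {
        if ($3 == "up") up++; else down = down " " slave
        slave = ""                       # the first MII line after a slave header is that slave
    }
    END {
        printf "mode=%s active=%s up=%d/%d%s\n", mode, active, up, total,
               (down == "" ? "" : " down:" down)
        exit (total > 0 && up == total) ? 0 : 1
    }' "$1"
}

# Constructed sample of /proc/net/bonding/bond0: ens2f0 is active and up,
# ens4f0 has lost link. Field layout follows the bonding driver's output.
bond_sample_degraded() {
  cat <<'EOF'
Ethernet Channel Bonding Driver: v4.18.0

Bonding Mode: fault-tolerance (active-backup)
Primary Slave: None
Currently Active Slave: ens2f0
MII Status: up
MII Polling Interval (ms): 100

Slave Interface: ens2f0
MII Status: up
Speed: 10000 Mbps
Link Failure Count: 0

Slave Interface: ens4f0
MII Status: down
Speed: Unknown
Link Failure Count: 1
EOF
}

# Same bond after the second link comes back.
bond_sample_healthy() {
  bond_sample_degraded | sed '/^Slave Interface: ens4f0/,$ s/^MII Status: down/MII Status: up/'
}

# Live wrapper: bond_check_live bond0 (needs the bonding driver loaded).
bond_check_live() { bond_check "/proc/net/bonding/${1:-bond0}"; }

if [ "${1:-}" = "--demo" ]; then
  tmp=$(mktemp)
  bond_sample_degraded > "$tmp"; bond_check "$tmp" || echo "degraded (exit $?)"
  bond_sample_healthy  > "$tmp"; bond_check "$tmp" && echo "healthy"
  rm -f "$tmp"
fi
```

Run it with --demo to see both states, or call bond_check_live on the real host after the slaves are up; a non-zero exit is the signal that the failover pair is not actually redundant yet.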
5. kdump
Edit /etc/default/grub
GRUB_CMDLINE_LINUX="crashkernel=512M rhgb quiet LANG=en_US.UTF-8 nmi_watchdog=0 transparent_hugepage=never elevator=noop mce=ignore_ce intel_pstate=disable intel_idle.max_cstate=0 processor.max_cstate=1"
# elevator= is deprecated on RHEL 8 (the multi-queue block layer ignores it); set the I/O scheduler with a udev rule or tuned if you need none/noop
Regenerate grub.cfg on the server
grub2-mkconfig -o /boot/grub2/grub.cfg
# on a UEFI install (this layout has /boot/efi) RHEL 8 boots from /boot/efi/EFI/redhat/grub.cfg, so write there instead:
# grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg
sed -i 's/save_raw$/#save_raw/g' /usr/bin/kdumpctl
# stops kdumpctl from copying the raw dump into /var/crash at the next boot; the dump stays on /dev/vg0/DUMP and is extracted by hand below. A kexec-tools update restores the script, so re-check this after patching.
lvcreate -n DUMP -L [memory size, or 128G if memory exceeds 128G] vg0
lvcreate -n CRASH -L [DUMP size + 1G] vg0
mkfs.xfs -f /dev/vg0/CRASH
mkdir /CRASH
echo "/dev/vg0/CRASH /CRASH xfs defaults 0 0" >> /etc/fstab
mount -a
sed -i 's/^path/#path/g' /etc/kdump.conf
sed -i 's/^core_collector/#core_collector/g' /etc/kdump.conf
echo "raw /dev/vg0/DUMP" >> /etc/kdump.conf
echo "core_collector makedumpfile -c -d 31 -F" >> /etc/kdump.conf   # -F (flattened output) is needed because a raw partition has no filesystem to hold a regular vmcore
systemctl restart kdump
※ Test on the server itself; this forces a kernel crash and reboot, so do it before the host carries any workload
echo c > /proc/sysrq-trigger # test (needs kernel.sysrq enabled; step 12 sets kernel.sysrq = 1)
makedumpfile -R /CRASH/vmcore < /dev/vg0/DUMP
OK if /CRASH/vmcore is created with a non-zero size and makedumpfile reports success
dd if=/dev/zero of=/dev/vg0/DUMP bs=512 count=1 # clear the first sector afterwards (bs=1b in the original means the same 512 bytes); otherwise the next dump may not be written
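The LV sizes above are written as placeholders ("memory size, capped at 128G", "DUMP + 1G") and the grub.cfg path depends on BIOS versus UEFI. The following is an added example, not part of the manual, that computes those values from MemTotal and the firmware type and prints the resulting lvcreate / grub2-mkconfig commands without running them. The cap (128G) and the +1G rule are the manual's; the RHEL 8 UEFI path /boot/efi/EFI/redhat/grub.cfg is assumed; the helper names are this example's own.

```bash
#!/usr/bin/env bash
# Added example (not part of the manual): derive the DUMP/CRASH LV sizes from
# MemTotal, pick the grub.cfg path for this firmware, and render the kdump.conf
# lines, so the placeholders in the manual are computed instead of typed.
set -eu

DUMP_CAP_G=128          # manual's cap for the DUMP LV
CRASH_EXTRA_G=1         # CRASH LV = DUMP LV + 1G

# dump_lv_size_g MEMTOTAL_KB -> GiB for the raw DUMP LV, rounded up, capped.
dump_lv_size_g() {
  local mem_kb=$1 gib
  gib=$(( (mem_kb + 1048575) / 1048576 ))
  if [ "$gib" -gt "$DUMP_CAP_G" ]; then gib=$DUMP_CAP_G; fi
  echo "$gib"
}

# crash_lv_size_g DUMP_G -> GiB for the CRASH filesystem that holds the extracted vmcore.
crash_lv_size_g() { echo $(( $1 + CRASH_EXTRA_G )); }

# memtotal_kb [MEMINFO_FILE] -> MemTotal in kB (defaults to the live /proc/meminfo).
memtotal_kb() { awk '/^MemTotal:/ { print $2 }' "${1:-/proc/meminfo}"; }

# grub_cfg_path [EFI_SYSFS_DIR] -> where grub2-mkconfig must write on this host.
# Assumption: RHEL 8 on UEFI reads /boot/efi/EFI/redhat/grub.cfg, BIOS reads /boot/grub2/grub.cfg.
grub_cfg_path() {
  if [ -d "${1:-/sys/firmware/efi}" ]; then
    echo /boot/efi/EFI/redhat/grub.cfg
  else
    echo /boot/grub2/grub.cfg
  fi
}

# kdump_conf_lines -> the two directives the manual appends (a raw target needs -F).
kdump_conf_lines() {
  printf 'raw /dev/vg0/DUMP\n'
  printf 'core_collector makedumpfile -c -d 31 -F\n'
}

# kdump_plan [MEMINFO_FILE]: print (never run) the commands for this host.
kdump_plan() {
  local dump_g crash_g
  dump_g=$(dump_lv_size_g "$(memtotal_kb "${1:-/proc/meminfo}")")
  crash_g=$(crash_lv_size_g "$dump_g")
  echo "lvcreate -n DUMP -L ${dump_g}G vg0"
  echo "lvcreate -n CRASH -L ${crash_g}G vg0"
  echo "grub2-mkconfig -o $(grub_cfg_path)"
  echo "# append to /etc/kdump.conf:"
  kdump_conf_lines
}

# Run with --plan to see the plan for the current host; nothing is changed.
if [ "${1:-}" = "--plan" ]; then kdump_plan; fi
```

The round-up matters on hosts whose MemTotal is not a whole number of GiB (firmware reserves some), otherwise a raw dump of an uncompressed-size worst case can overrun the LV; the cap reflects that makedumpfile -c -d 31 compresses and drops free pages, so 128G is plenty even on larger boxes.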
6. Kernel patch, firewalld and SELinux disable
yum localinstall /sysadmin/kernel/kernel* ※ only when required
systemctl stop firewalld
systemctl disable firewalld
sed -i 's/^SELINUX=enforcing/SELINUX=disabled/g' /etc/selinux/config
# /etc/sysconfig/selinux is only a symlink to /etc/selinux/config; sed -i on the symlink replaces it with a regular file and leaves the real config untouched, so SELinux would still come up enforcing. Confirm with getenforce after the reboot.
# both changes remove host-level controls and are site policy here; if the workload tolerates it, SELINUX=permissive keeps AVC logging for later review
reboot
7. OS image mount (local yum repo)
Upload the Red Hat OS image to /tmp
mount -o loop,ro /tmp/rhel-8.10-x86_64-dvd.iso /media
cat > /etc/yum.repos.d/rhel.repo <<'EOF'
[RHEL810_BaseOS]
name=RHEL810_BaseOS
baseurl=file:///media/BaseOS
enabled=1
gpgcheck=0

[RHEL810_AppStream]
name=RHEL810_AppStream
baseurl=file:///media/AppStream
enabled=1
gpgcheck=0
EOF
# the original wrote "[RHEL810_AppStream] " with a trailing space inside the brackets, which is not the repo id you meant
# gpgcheck=0 disables signature verification; the ISO ships the signing key at /media/RPM-GPG-KEY-redhat-release, so gpgcheck=1 with gpgkey=file:///media/RPM-GPG-KEY-redhat-release costs nothing and catches a tampered image
yum update
8. Basic package install
yum install -y nfs-utils net-tools lvm2 sysstat unzip psmisc perl ksh tcsh gdisk \
  createrepo pciutils traceroute device-mapper-multipath systemd libgudev1 polkit \
  grub2-efi-x64-modules java-1.8.0-openjdk rear genisoimage syslinux
9. NTP (chrony)
echo "[ip] [hostname]" >> /etc/hosts
sed -i 's/pool 2.rhel.pool.ntp.org/server [hostname]/g' /etc/chrony.conf
sed -i 's/^makestep 1.0 3/leapsecmode slew/g' /etc/chrony.conf
# with makestep removed chrony only ever slews, so an initial offset of more than a few seconds takes a long time to converge; make sure the clock is roughly right before starting chronyd
systemctl enable chronyd
systemctl restart chronyd
chronyc sources
10. OS backup (ReaR)
echo "nameserver [domain1]" > /etc/resolv.conf
echo "nameserver [domain2]" >> /etc/resolv.conf
echo "options timeout:1 attempts:1" >> /etc/resolv.conf
chmod 644 /etc/resolv.conf   # must stay world-readable: every unprivileged process reads it to resolve names, so the original chmod 600 breaks DNS for non-root services
echo "OUTPUT=ISO" > /etc/rear/local.conf
echo "OUTPUT_URL=nfs://[nas_ip]/REARR/regular/" >> /etc/rear/local.conf
echo "BACKUP_URL=nfs://[nas_ip]/REARR/regular/" >> /etc/rear/local.conf
echo "BACKUP=NETFS" >> /etc/rear/local.conf
echo "AUTOEXCLUDE_MULTIPATH=y" >> /etc/rear/local.conf
echo "NETFS_KEEP_OLD_BACKUP_COPY=y" >> /etc/rear/local.conf
echo "BACKUP_PROG_ARCHIVE=\"$(hostname)\"" >> /etc/rear/local.conf
echo "INCLUDE_VG=( 'vg0' )" >> /etc/rear/local.conf
echo "INCLUDE_MOUNTS=( '/' '/boot' '/etc' '/var' '/usr' '/opt' '/lib' )" >> /etc/rear/local.conf
echo "EXCLUDE_MOUNTPOINTS=( '/sysadmin' '/mnt' '/media' '/tmp' '/var/tmp' '/proc' '/sys' '/dev' '/run' '/APP' '/LOG' '/SHARE' '/LIB' '/CRASH' '/pgdata' )" >> /etc/rear/local.conf
echo "EXCLUDE_VG=( 'vg1' 'vg2' )" >> /etc/rear/local.conf
echo 'MAILTO=""' >> /var/spool/cron/root
echo '10 0 8-14 * * [ "$(date +\%u)" = 7 ] && /usr/sbin/rear mkbackup > /dev/null 2>&1' >> /var/spool/cron/root
# runs on the second Sunday of each month: days 8-14 are the only week that can hold it, and the command filters the weekday (%u = 7 is Sunday in any locale; % must be escaped as \% inside crontab)
# the original line had two defects: the backticks inside double quotes ran date when the line was written, freezing that day's name into the crontab, and "&& > rear mkbackup" redirected into a file named rear instead of running rear
# crontab -e (or crontab -) is the safer way to edit this; if the spool file is written directly it must stay 0600 root:root
echo "root" > /etc/cron.allow
chmod go-w /etc/cron.allow
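Cron has no "second Sunday" syntax, so the schedule above combines a day-of-month window with a weekday test inside the command. The following is an added example, not part of the manual, that makes that logic explicit and checkable: a day-of-week function in plain shell arithmetic (Sakamoto's method, so it can be tested without GNU date), the second-Sunday predicate, and the corrected crontab line installed through crontab(1). The rear command and 8-14 window are the manual's; dow, is_second_sunday, rear_cron_line and rear_cron_install are names chosen here.

```bash
#!/usr/bin/env bash
# Added example (not part of the manual): the second-Sunday scheduling logic
# behind the rear cron entry, plus the corrected crontab line.
set -eu

# dow YYYY-MM-DD -> 0..6 (0 = Sunday), proleptic Gregorian (Sakamoto's method).
dow() {
  local y m d t
  y=${1%%-*}; m=${1#*-}; m=${m%-*}; d=${1##*-}
  m=${m#0}; d=${d#0}                 # strip a leading zero so 08/09 are not read as octal
  t=$(printf '0 3 2 5 0 3 5 1 4 6 2 4' | cut -d' ' -f"$m")
  [ "$m" -lt 3 ] && y=$((y - 1))
  echo $(( (y + y/4 - y/100 + y/400 + t + d) % 7 ))
}

# is_second_sunday YYYY-MM-DD -> 0 if the date is the 2nd Sunday of its month.
# Days 8-14 form the only week that can contain the 2nd Sunday; the weekday
# test does the rest, which is exactly what the crontab line encodes.
is_second_sunday() {
  local d=${1##*-}; d=${d#0}
  [ "$d" -ge 8 ] && [ "$d" -le 14 ] && [ "$(dow "$1")" -eq 0 ]
}

# rear_cron_line -> the crontab entry. %u is locale-independent (7 = Sunday),
# unlike %a which depends on LC_TIME; '%' must be written '\%' in crontab.
rear_cron_line() {
  printf '%s\n' '10 0 8-14 * * [ "$(date +\%u)" = 7 ] && /usr/sbin/rear mkbackup >/dev/null 2>&1'
}

# rear_cron_install: add the line through crontab(1) rather than writing the
# spool file by hand; idempotent (an existing rear line is replaced).
rear_cron_install() {
  local line; line=$(rear_cron_line)
  { crontab -l 2>/dev/null | grep -vF 'rear mkbackup' || true; echo "$line"; } | crontab -
}

if [ "${1:-}" = "--install" ]; then rear_cron_install; fi
```

Run with --install as root to register the job; without arguments the script only defines the helpers, so it is safe to source for testing. Because the weekday filter lives in the command, a job that is skipped by the test still counts as "ran" for cron, which is why MAILTO="" above does not hide real rear failures: check /var/log/rear/ after the second Sunday instead.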
11. multipath setting
mpathconf --enable
systemctl start multipathd
systemctl enable multipathd
systemctl restart multipathd
※ Because of the alias problem, /etc/multipath.conf is configured by hand
※ Enter the wwids from the multipath -ll output into the multipaths section; write the alias as LOCAL(or SHARE)_DATA01_500G
※ Names must be standardized so that all devices can be queried and managed together later
12. Safe Architecture configuration
ln -sf /dev/null /lib/systemd/system/ctrl-alt-del.target
echo "kernel.sysrq = 1" >>/etc/sysctl.conf   # 1 enables every SysRq function; the crash test in step 5 only needs the dump bit (8), so this can be narrowed once testing is done
echo "kernel.panic_on_io_nmi = 1" >>/etc/sysctl.conf
echo "kernel.panic_on_unrecovered_nmi = 1" >>/etc/sysctl.conf
echo "kernel.unknown_nmi_panic = 1" >>/etc/sysctl.conf
echo "net.ipv4.ip_forward = 0" >>/etc/sysctl.conf
echo "net.ipv4.conf.default.accept_source_route = 0" >>/etc/sysctl.conf
echo "net.core.somaxconn = 8192" >>/etc/sysctl.conf
echo "net.ipv4.tcp_max_syn_backlog = 8192" >>/etc/sysctl.conf
echo "net.ipv6.conf.all.disable_ipv6 = 1" >>/etc/sysctl.conf
echo "net.ipv6.conf.default.disable_ipv6 = 1" >>/etc/sysctl.conf
echo "net.core.netdev_max_backlog = 2048" >>/etc/sysctl.conf
echo "net.core.netdev_budget = 600" >>/etc/sysctl.conf
echo "vm.dirty_ratio = 30" >>/etc/sysctl.conf
echo "vm.swappiness = 30" >>/etc/sysctl.conf
echo "kernel.core_pattern = /CRASH/core_%e_%p_%h_%u_%t" >>/etc/sysctl.conf
echo "kernel.pid_max = 120000" >>/etc/sysctl.conf
echo "sunrpc.tcp_max_slot_table_entries = 128" >>/etc/sysctl.conf
echo "kernel.watchdog_thresh = 60" >>/etc/sysctl.conf
echo "kernel.numa_balancing = 0" >>/etc/sysctl.conf
echo "* - nofile 65535" >> /etc/security/limits.conf
echo "* soft nproc 10240" >> /etc/security/limits.d/20-nproc.conf
echo "root soft nproc unlimited" >> /etc/security/limits.d/20-nproc.conf
sed -i 's/^weekly/monthly/g' /etc/logrotate.conf
sed -i 's/^rotate 4/rotate 12/g' /etc/logrotate.conf
sed -i 's/^create/create 0600 root root/g' /etc/logrotate.conf
# RHEL's /etc/logrotate.conf already carries /var/log/wtmp and /var/log/btmp stanzas (monthly, create 0664 root utmp / create 0600 root utmp, rotate 1).
# Appending second copies makes logrotate complain about a duplicate log entry, so raise the retention inside the existing stanzas instead:
sed -i '/^\/var\/log\/wtmp {/,/^}/ s/rotate 1$/rotate 12/' /etc/logrotate.conf
sed -i '/^\/var\/log\/btmp {/,/^}/ s/rotate 1$/rotate 12/' /etc/logrotate.conf
logrotate -d /etc/logrotate.conf   # dry run; must print no errors
echo "umask 027" >> /etc/profile
echo "export TMOUT=900" >> /etc/profile   # users can unset an exported TMOUT; "readonly TMOUT" makes the idle timeout stick
echo "export HISTTIMEFORMAT=\"%Y-%m-%d [%H:%M:%S]\"" >> /etc/profile
# these lines land after the loop in /etc/profile that sources /etc/profile.d/*.sh, so this HISTTIMEFORMAT overrides the one set in bash_history.sh below; the +13 offset in cmd_history.sh is tuned to this format
echo "export PS1=\"\`whoami\`@\`hostname\` \"'\$PWD # '" >> /etc/profile
echo "shopt -s histappend" >> /etc/profile.d/bash_history.sh   # bash-only builtin; ksh users get an error at login unless the file starts with [ -n "\$BASH_VERSION" ] || return
echo "export HISTIGNORE=\"\"" >> /etc/profile.d/bash_history.sh
echo "export HISTCONTROL=\"\"" >> /etc/profile.d/bash_history.sh
echo "export HISTFILESIZE=100000" >> /etc/profile.d/bash_history.sh
echo "export HISTSIZE=2000" >> /etc/profile.d/bash_history.sh
echo "export PROMPT_COMMAND=\"history -a;\$PROMPT_COMMAND\"" >> /etc/profile.d/bash_history.sh   # \$ so the existing value is appended at login, not at the moment this line is written
echo "export TERMINAL=\$(tty | cut -d/ -f3,4)" >> /etc/profile.d/bash_history.sh   # the original quoted the pipeline as a literal string instead of running it
echo "export HISTTIMEFORMAT=\"\$TERMINAL %Y-%m-%d %H:%M:%S \"" >> /etc/profile.d/bash_history.sh
echo "PATH=\$PATH:\$HOME/bin" >> /etc/profile.d/cmd_history.sh
echo "export PATH" >> /etc/profile.d/cmd_history.sh
echo "" >> /etc/profile.d/cmd_history.sh
echo "PORT=\$(who am i|awk -F\"[()]\" '{print \$2}')" >> /etc/profile.d/cmd_history.sh
echo "logger -p local7.notice -t \"bash \$LOGNAME \$\$\" User \$LOGNAME logged from \$PORT" >> /etc/profile.d/cmd_history.sh
echo "" >> /etc/profile.d/cmd_history.sh
echo "function history_to_syslog" >> /etc/profile.d/cmd_history.sh
echo "{" >> /etc/profile.d/cmd_history.sh
echo "declare cmd" >> /etc/profile.d/cmd_history.sh
echo "declare p_dir" >> /etc/profile.d/cmd_history.sh
echo "declare LOG_NAME" >> /etc/profile.d/cmd_history.sh
echo "cmd=\$(history 1)" >> /etc/profile.d/cmd_history.sh
echo "cmd=\$(echo \$cmd | awk '{print substr(\$0,length(\$1)+length(\$2)+13)}')" >> /etc/profile.d/cmd_history.sh
echo "p_dir=\$(pwd)" >> /etc/profile.d/cmd_history.sh
echo "LOG_NAME=\$(echo \$LOGNAME)" >> /etc/profile.d/cmd_history.sh
echo "if [ \"\$cmd\" != \"\$old_command\" ]; then" >> /etc/profile.d/cmd_history.sh
echo "logger -p local7.notice -- SESSION = \$\$, from_remote_host = \$PORT, USER = \$LOG_NAME, PWD = \$p_dir, CMD = \"\${cmd}\"" >> /etc/profile.d/cmd_history.sh
echo "fi" >> /etc/profile.d/cmd_history.sh
echo "old_command=\$cmd" >> /etc/profile.d/cmd_history.sh
echo "}" >> /etc/profile.d/cmd_history.sh
echo "trap history_to_syslog DEBUG" >> /etc/profile.d/cmd_history.sh
# the original "trap history_to_syslog DEBUG || EXIT" would run a command named EXIT if trap failed; a DEBUG trap alone is what fires before each command
# note that echo $cmd inside history_to_syslog is unquoted, so a command containing * or ? is glob-expanded before it is logged
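The history_to_syslog function above pulls the command out of `history 1` with a fixed character offset that only matches one HISTTIMEFORMAT, and it echoes $cmd unquoted, so globs in the logged command are expanded first. The following is an added example, not part of the manual: a replacement that parses the history line with a pattern (either timestamp layout used on this page, with or without the tty tag), keeps the manual's message format and local7.notice facility, and never passes the command through word splitting. history_cmd_from_line and cmd_event are names chosen here; the sample history lines are constructed.

```bash
#!/usr/bin/env bash
# Added example (not part of the manual): drop-in for the history_to_syslog
# function in cmd_history.sh. No "set -e" here because this file is meant to be
# sourced into interactive login shells.

# history_cmd_from_line: stdin = one line of `history 1`, stdout = the bare command.
# Strips the history number (with bash's "*" modified marker), an optional
# "pts/N" tag, and either timestamp layout from this page:
# "%Y-%m-%d [%H:%M:%S]" (as set in /etc/profile) or "%Y-%m-%d %H:%M:%S ".
history_cmd_from_line() {
  sed -E \
    -e 's/^[[:space:]]*[0-9]+[*]?[[:space:]]+//' \
    -e 's/^([^[:space:]]+[[:space:]]+)?[0-9]{4}-[0-9]{2}-[0-9]{2}[[:space:]]+\[?[0-9]{2}:[0-9]{2}:[0-9]{2}\]?[[:space:]]*//'
}

# cmd_event SESSION PORT USER PWD CMD -> the syslog message body in the manual's format.
cmd_event() {
  printf 'SESSION = %s, from_remote_host = %s, USER = %s, PWD = %s, CMD = "%s"\n' \
    "$1" "$2" "$3" "$4" "$5"
}

# history_to_syslog: DEBUG-trap handler. The trap fires once per simple command,
# so the same history entry is seen several times for a pipeline; repeats are
# skipped via _last_logged_cmd, which must stay a shell-global variable.
history_to_syslog() {
  local cmd
  cmd=$(history 1 | history_cmd_from_line)
  [ -n "$cmd" ] && [ "$cmd" != "${_last_logged_cmd:-}" ] || return 0
  _last_logged_cmd=$cmd
  logger -p local7.notice -- "$(cmd_event "$$" "${PORT:-local}" "${LOGNAME:-?}" "$PWD" "$cmd")"
}

# Enable only in an interactive bash (ksh/tcsh have no DEBUG trap of this form):
#   [ -n "$BASH_VERSION" ] && [ -n "$PS1" ] && trap history_to_syslog DEBUG

if [ "${1:-}" = "--demo" ]; then
  # constructed history lines in both formats used on this page
  printf '%s\n' '  123  2024-05-01 [10:00:00]ls -la *' \
                '  124* pts/1 2024-05-01 10:00:00 cat /etc/shadow' | history_cmd_from_line
fi
```

Treat this as accountability for cooperative administrators, not as an audit trail: any user can run `trap - DEBUG`, start a different shell, or `exec bash --norc` and the logging stops. For tamper-resistant records use auditd (an execve rule such as `-a always,exit -F arch=b64 -S execve`) and forward local7 to a remote collector, since a root user can edit local syslog files.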
13. Security configuration
sed -i 's/^MAIL_DIR/#MAIL_DIR/g' /etc/login.defs
sed -i 's/^PASS_MAX_DAYS.*/PASS_MAX_DAYS 90/g' /etc/login.defs
sed -i 's/^PASS_MIN_DAYS.*/PASS_MIN_DAYS 1/g' /etc/login.defs
sed -i 's/^PASS_MIN_LEN.*/PASS_MIN_LEN 8/g' /etc/login.defs   # ignored on RHEL 8: password quality is enforced by pam_pwquality, so also set minlen = 8 in /etc/security/pwquality.conf
sed -i 's/^PASS_WARN_AGE.*/PASS_WARN_AGE 7/g' /etc/login.defs
# PASS_* in login.defs only apply to accounts created afterwards; run chage on accounts that already exist
for f in /etc/issue /etc/issue.net /etc/motd; do cat >> "$f" <<'EOF'
 *********** W A R N I N G ***********

 This system is available to authorized personnel of Life Insurance Co.,LTD. only.
 All your activities are being monitored and you may be penalized for
 illegal access according to the related regulations.

 *************************************
EOF
done
# sshd shows /etc/issue.net only when Banner /etc/issue.net is set in sshd_config (see the last step)
# Commenting these out of /etc/services only removes the name-to-port mapping; it does not stop any daemon from listening.
# Make sure the matching packages are absent instead (rpm -q telnet-server rsh-server tftp-server vsftpd) and check ss -lntup for listeners.
# Programs that resolve a port by name break when the line is gone: Postfix's master.cf refers to "smtp" by name, so drop that line only on hosts that do not run a mail daemon.
sed -i 's/^echo /#echo/g' /etc/services
sed -i 's/^discard /#discard/g' /etc/services
sed -i 's/^daytime /#daytime/g' /etc/services
sed -i 's/^chargen /#chargen/g' /etc/services
sed -i 's/^ftp /#ftp/g' /etc/services
sed -i 's/^telnet /#telnet/g' /etc/services
sed -i 's/^smtp /#smtp/g' /etc/services
sed -i 's/^tftp /#tftp/g' /etc/services
sed -i 's/^finger /#finger/g' /etc/services
sed -i 's/^rsync /#rsync/g' /etc/services
sed -i 's/^exec /#exec/g' /etc/services
sed -i 's/^login /#login/g' /etc/services
sed -i 's/^shell /#shell/g' /etc/services
sed -i 's/^talk /#talk/g' /etc/services
sed -i 's/^ntalk /#ntalk/g' /etc/services
sed -i 's/^%wheel/#%wheel/g' /etc/sudoers
sed -i 's/^# %wheel/%wheel/g' /etc/sudoers
# net effect on a stock RHEL sudoers: "%wheel ALL=(ALL) ALL" is commented out and "# %wheel ALL=(ALL) NOPASSWD: ALL" is enabled, so wheel members get root via sudo without re-authenticating.
# That trades away the password check on every privilege escalation; keep the first line and skip the second if the site does not need passwordless sudo.
# Do not log out before "visudo -c" reports the file parsed OK: a bad sudoers locks everyone out of sudo.
touch /etc/hosts.equiv
chmod 000 /etc/hosts.equiv
chmod 644 /etc/passwd
chmod 644 /etc/group
chmod 000 /etc/shadow
chmod 400 /etc/security/passwd   # AIX path, absent on RHEL (the chmod simply fails); the same goes for /etc/dfs/dfstab (Solaris), /var/log/sulog (AIX) and /var/log/utmp (Linux keeps utmp in /run) below
chmod 644 /etc/hosts
chmod 644 /etc/services
chmod 700 /usr/bin/last
chmod 700 /usr/sbin/ifconfig
chmod 644 /etc/profile
chmod 600 /etc/xinetd.conf
chmod go-w /etc/pam.d/system-auth
chmod 644 /etc/rsyslog.conf
chmod go-w /etc/exports
chmod go-w /etc/dfs/dfstab
chmod go-w /etc/cron.allow
chmod 640 /etc/cron.deny
chmod 640 /etc/at.allow
chmod 640 /etc/at.deny
chmod o-r /etc/cron.d/*
chmod 600 /var/log/wtmp
chmod 600 /var/log/utmp
chmod 660 /var/log/btmp
chmod 600 /var/log/sulog
chmod 600 /var/log/messages
chmod 640 /var/log/lastlog
chmod o-x /usr/bin/cc
chmod o-x /usr/bin/gcc
# mode changes on RPM-owned binaries are reverted by the next package update and show up in rpm -Va as mode (M) mismatches; re-apply them after patching or carry them in a config-management tool
chmod 755 /usr/bin/newgrp        # drops the setuid bit: non-root users can no longer switch primary group
chmod 755 /usr/sbin/unix_chkpwd  # drops the setuid bit, so non-root processes (screen lockers, PAM checks outside root) can no longer verify passwords against /etc/shadow
chmod 755 /usr/bin/at            # drops the setuid bit: at only works for root
chmod o-x /usr/bin/su            # leaves su 4750 root:root, so only users whose group is root can execute it; the pam_wheel restriction below is then unreachable for wheel admins unless they are also in group root or su is chgrp'ed to wheel
userdel -r lp          # userdel first: groupdel refuses to remove a group that is still some user's primary group
userdel -r games
userdel operator       # no -r: operator's home directory is /root
userdel -r ftp
groupdel lp            # may already be gone, since userdel removes a now-empty group of the same name
groupdel games
sed -i 's/wtmp 0664/wtmp 0644/g' /lib/tmpfiles.d/var.conf
sed -i 's/btmp 0660/btmp 0640/g' /lib/tmpfiles.d/var.conf
sed -i 's/lastlog 0664/lastlog 0644/g' /lib/tmpfiles.d/var.conf
sed -i '/required/ {/pam_wheel\.so/ s/^[[:space:]]*#//}' /etc/pam.d/su
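Step 13 is a long list of chmod and sed -i calls with no check that any of them took, and the sudoers edit in particular is applied blind. The following is an added example, not part of the manual, with two helpers: a drift check that reads "path mode" pairs (the manual's own table, in stat(1) notation, with AIX/Solaris paths reported as skipped rather than failed), and a sudoers editor that renders the wheel line change on a copy, validates it with visudo -c when visudo is present, and installs it atomically at 0440. Both directions (passwd and nopasswd) are implemented so the page's default can be reversed. expect_mode, check_modes, hardening_modes, sudoers_wheel_render and sudoers_wheel_apply are names chosen here; the sample sudoers lines in the test are constructed from the stock RHEL layout.

```bash
#!/usr/bin/env bash
# Added example (not part of the manual): verify the step-13 permission table and
# make the sudoers wheel change as a validated, atomic edit.
set -u

# expect_mode PATH OCTAL -> 0 match, 1 drift, 2 path absent. One report line on stdout.
expect_mode() {
  local path=$1 want=$2 have
  if [ ! -e "$path" ]; then echo "SKIP  $path (absent on this platform)"; return 2; fi
  have=$(stat -c '%a' "$path")
  if [ "$have" = "$want" ]; then echo "OK    $path $have"; return 0; fi
  echo "DRIFT $path has $have, want $want"; return 1
}

# check_modes: reads "PATH OCTAL" pairs on stdin, returns the number of drifted paths.
check_modes() {
  local drift=0 path want rc
  while read -r path want; do
    [ -n "$path" ] || continue
    rc=0; expect_mode "$path" "$want" || rc=$?
    [ "$rc" -eq 1 ] && drift=$((drift + 1))
  done
  return "$drift"
}

# hardening_modes: the manual's table in stat(1) notation (000 prints as 0).
hardening_modes() {
  cat <<'EOF'
/etc/hosts.equiv 0
/etc/passwd 644
/etc/group 644
/etc/shadow 0
/var/log/wtmp 600
/var/log/btmp 660
/var/log/messages 600
/usr/bin/su 4750
/usr/bin/newgrp 755
/usr/sbin/unix_chkpwd 755
/etc/security/passwd 400
/var/log/sulog 600
EOF
}

# sudoers_wheel_render MODE  (stdin: sudoers, stdout: edited copy)
# MODE passwd|nopasswd flips the two stock RHEL wheel lines; other lines pass through.
sudoers_wheel_render() {
  case ${1:-} in
    nopasswd) sed -E \
      -e 's/^(%wheel[[:space:]]+ALL=\(ALL\)[[:space:]]+ALL)[[:space:]]*$/# \1/' \
      -e 's/^#[[:space:]]*(%wheel[[:space:]]+ALL=\(ALL\)[[:space:]]+NOPASSWD: ALL)[[:space:]]*$/\1/' ;;
    passwd) sed -E \
      -e 's/^#[[:space:]]*(%wheel[[:space:]]+ALL=\(ALL\)[[:space:]]+ALL)[[:space:]]*$/\1/' \
      -e 's/^(%wheel[[:space:]]+ALL=\(ALL\)[[:space:]]+NOPASSWD: ALL)[[:space:]]*$/# \1/' ;;
    *) echo "usage: sudoers_wheel_render passwd|nopasswd" >&2; return 2 ;;
  esac
}

# sudoers_wheel_apply MODE [FILE]: render to a temp copy next to FILE, validate with
# visudo when available, then rename into place with the 0440 mode sudo requires.
sudoers_wheel_apply() {
  local mode=$1 file=${2:-/etc/sudoers} tmp
  tmp=$(mktemp "${file}.XXXXXX") || return 1
  sudoers_wheel_render "$mode" < "$file" > "$tmp" || { rm -f "$tmp"; return 1; }
  chmod 0440 "$tmp"
  if command -v visudo >/dev/null 2>&1 && ! visudo -c -q -f "$tmp"; then
    echo "syntax error, not installing: $tmp" >&2; return 1
  fi
  mv -f "$tmp" "$file"
}

# --check: run the manual's table against the live host; exit code = number of drifted paths.
if [ "${1:-}" = "--check" ]; then hardening_modes | check_modes; fi
```

Run --check after every kernel or shadow-utils/pam update: the setuid changes on su, newgrp and unix_chkpwd are exactly the ones an RPM upgrade silently puts back. For the sudoers change, `sudoers_wheel_apply passwd` restores the password prompt if the site later decides NOPASSWD is too permissive.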
14. Admin user add
chmod o-r /etc/skel/.[!.]*   # the original pattern /etc/skel/.* also matches . and .., i.e. /etc/skel itself and /etc, and strips other-read from /etc
chmod -R o-r /home/*/.b*
chmod -R o-r /home/*/.k*
chmod -R o-r /home/*/.z*
chmod -R o-r /home/*/.c*
chmod -R o-r /home/*/.t*
chmod o-r /root/.b*
chmod o-r /root/.k*
chmod o-r /root/.z*
chmod o-r /root/.c*
chmod o-r /root/.t*
15. If the RTC differs from universal time, set "RTC in local TZ" to no (timedatectl prints a warning about it anyway).
timedatectl set-local-rtc 0
16. faillock on RHEL 8 and later
authselect select sssd --force   # rewrites /etc/pam.d/system-auth and password-auth from the profile, discarding hand edits to those two files; do this before any manual PAM changes to them
authselect enable-feature with-faillock
sed -i 's/^# deny = 3/deny = 5/g' /etc/security/faillock.conf
sed -i 's/^# unlock_time = 600/unlock_time = 600/g' /etc/security/faillock.conf
echo "[sssd]" > /etc/sssd/sssd.conf
echo "services = nss, pam" >> /etc/sssd/sssd.conf
echo "domains = digitaln.com" >> /etc/sssd/sssd.conf
echo "" >> /etc/sssd/sssd.conf
echo "[domain/digitaln.com]" >> /etc/sssd/sssd.conf
echo "id_provider = files" >> /etc/sssd/sssd.conf
authselect apply-changes
chmod 600 /etc/sssd/sssd.conf   # sssd refuses to start unless its config is 0600 root:root
chmod 600 /etc/security/faillock.conf
systemctl restart sssd
authselect current
authselect check
# verify: fail a login 5 times, then "faillock --user <name>" shows the tally and "faillock --user <name> --reset" clears it before unlock_time expires
last. root access deny (sshd)
# scp /DATA/config/sshd_config root@[ip]:/etc/ssh/sshd_config
# check the copied file with "sshd -t" and reload with "systemctl reload sshd" while keeping the current session open; before closing it, log in as a wheel user and sudo/su to root, because PermitRootLogin no with no working admin account locks you out
# the warning banner from step 13 appears on SSH logins only if this sshd_config sets Banner /etc/issue.net