TDKC

From DER's LLC

System Administrator Documentation

Mediawiki Installation Procedures

  • Build a Centos 7 Server
  • Set SELinux to permissive and allow port 80 through the firewall:
sed -i 's/SELINUX=enforcing/SELINUX=permissive/' /etc/selinux/config
setenforce 0
firewall-cmd --add-port 80/tcp
firewall-cmd --add-port 80/tcp --permanent
  • Install EPEL Repository:
yum install -y epel-release
  • Install Required Packages:
yum install -y mediawiki mariadb-server php-mysql
  • Enable and Turn on Services:
systemctl enable httpd
systemctl enable mariadb
systemctl start httpd
systemctl start mariadb
  • Configure MariaDB:
mysql
create database wiki;
GRANT ALL PRIVILEGES ON wiki.* to 'wiki'@'localhost' IDENTIFIED BY '<password>';
exit
  • Edit the /etc/httpd/conf.d/mediawiki123.conf to look like:
 Alias /mw-config               /var/www/mediawiki123/mw-config

 Alias /index.php           /var/www/mediawiki123/index.php
 Alias /api.php             /var/www/mediawiki123/api.php
 Alias /load.php            /var/www/mediawiki123/load.php
 Alias /opensearch_desc.php /var/www/mediawiki123/opensearch_desc.php
 Alias /skins               /var/www/mediawiki123/skins
 Alias /images              /var/www/mediawiki123/images
 Alias /                     /var/www/mediawiki123/index.php

<Directory /var/www/mediawiki123>
  Options FollowSymLinks
</Directory>
  • Restart the httpd service and go to http://wiki.tdkc.com/mw-config to configure the site.
    • Click Continue.
    • Click Continue.
    • Select the MySQL radio button.
    • Set the Database Name to wiki.
    • Set the Database Username to wiki.
    • Set the Database Password.
    • Click Continue.
    • Click Continue.
    • Set the Wiki Name to TDKC Wiki.
    • Set the Administrator Username to admin.
    • Set the Administrator Password and Confirm it.
    • Set the Administrator E-mail to [email protected].
    • Select the Ask me more questions radio button.
    • Click Continue.
    • Select the Authorized Editors Only radio button.
    • Check all of the Extensions.
    • Check Enable File Uploads.
    • Check Enable Instant Commons.
    • Click Continue.
  • Download the LocalSettings.php and place it at /var/www/mediawiki123/LocalSettings.php on the wiki server.
  • After the install, comment out the mw-config line in /etc/httpd/conf.d/mediawiki123.conf:
 #Alias /mw-config               /var/www/mediawiki123/mw-config

Disable Account Creation for everyone but admins

  • Edit the LocalSettings.php file and add the following to the bottom:
$wgGroupPermissions['*']['createaccount'] = false;

LDAP Integration

  • Install the required software:
yum -y install php-ldap
systemctl restart httpd
  • Allow httpd to make network calls:
setsebool -P httpd_can_network_connect on
  • Get the latest plugin for your version of MediaWiki:
https://www.mediawiki.org/wiki/Extension:LDAP_Authentication
  • Download the snapshot and copy the tar file to the wiki server:
tar -zxvf <tar> -C /var/www/mediawiki123/extensions/
  • Add the following to the /var/www/mediawiki123/LocalSettings.php file:
#LDAP Settings
require_once "extensions/LdapAuthentication/LdapAuthentication.php";
$wgAuth = new LdapAuthenticationPlugin();
$wgLDAPDomainNames = array("TDKC");
$wgLDAPServerNames = array("TDKC" => "<IP>");
$wgLDAPEncryptionType = array("TDKC" => "clear");
$wgLDAPUseLocal = true;
$wgMinimalPasswordLength = 1;
$wgLDAPBaseDNs = array("TDKC" => "dc=tdkc,dc=com");
$wgLDAPSearchAttributes = array("TDKC" => "sAMAccountName");
$wgLDAPRetrievePrefs = array("TDKC" => true);
$wgLDAPPreferences = array("TDKC" => array("email" => "mail", "realname"  => "displayname"));
$wgLDAPProxyAgent = array("TDKC" => "[email protected]");
$wgLDAPProxyAgentPassword = array("TDKC" => "<PASS>");

Restricting Wiki Pages

  • Get the latest plugin for your version of MediaWiki:
https://www.mediawiki.org/wiki/Extension:AccessControl
  • Download the snapshot and copy the tar file to the wiki server:
tar -zxvf <tar> -C /var/www/mediawiki123/extensions/
  • Add the following to the /var/www/mediawiki123/LocalSettings.php file:
require_once "$IP/extensions/AccessControl/AccessControl.php";
$wgAdminCanReadAll = true;
$wgAccessControlRedirect = false;
  • Add the below tag to the top of each page you want restricted:
<accesscontrol>Administrators</accesscontrol>
  • Add or remove users in the Administrators group:
    • Go to Special Pages
    • User Right Management
    • Enter the username you wish to add/remove
    • Check or Uncheck the administrator box
    • Click Save user groups

Note: You may need to do this as the admin user.

  • Copy the logo to the wiki server and replace the /var/www/mediawiki123/skins/common/images/wiki.png file:
mv /var/www/mediawiki123/skins/common/images/wiki.png /var/www/mediawiki123/skins/common/images/wiki.png.old
mv /tmp/logo.png /var/www/mediawiki123/skins/common/images/wiki.png
  • Refresh the Webpage


Spacewalk Installation Procedures

  • Build a Centos 7 Server
  • Set SELinux to permissive and allow ports 80 and 443 through the firewall:
sed -i 's/SELINUX=enforcing/SELINUX=permissive/' /etc/selinux/config
setenforce 0
firewall-cmd --add-port 80/tcp
firewall-cmd --add-port 80/tcp --permanent
firewall-cmd --add-port 443/tcp
firewall-cmd --add-port 443/tcp --permanent
  • Install the Required Server Repositories:
# Spacewalk Server Repository
rpm -Uvh http://yum.spacewalkproject.org/2.3/RHEL/7/x86_64/spacewalk-repo-2.3-4.el7.noarch.rpm

# JPackage Repository
cat <<EOF> /etc/yum.repos.d/jpackage-generic.repo
[jpackage-generic]
name=JPackage generic
mirrorlist=http://www.jpackage.org/mirrorlist.php?dist=generic&type=free&release=5.0
enabled=1
gpgcheck=1
gpgkey=http://www.jpackage.org/jpackage.asc
EOF
  • Install The Spacewalk Database:
yum -y install spacewalk-setup-postgresql
  • Install Spacewalk:
yum -y install spacewalk-postgresql
# EPEL Repository
yum -y install epel-release

Spacewalk Configuration

Basic Configuration

  • Start the installation wizard:
spacewalk-setup --disconnected
  • Answer the questions:
Admin Email Address? [email protected]

Should setup configure apache's default ssl server for you (saves original ssl.conf) [Y]? Y

CA certificate password? <pass>
Re-enter CA certificate password? <pass>
Organization? TDKC
Organization Unit? IT
Email Address [[email protected]]? [email protected]
City? Fairborn
State? OH
Country code (Examples: "US", "JP", "IN", or type "?" to see a list)? US

Cobbler requires tftp and xinetd services be turned on for PXE provisioning functionality. Enable these services [Y]? Y
  • On completion, start the Spacewalk service if it is not started automatically:
/usr/sbin/spacewalk-service start
File:Spacewalk1.png

  • Resize the TDKC logo to 44px wide
  • Change spacewalk logo to TDKC:
mv /var/www/html/img/logo_vendor.png /var/www/html/img/logo_vendor.png.old
mv /tmp/logo.png /var/www/html/img/logo_vendor.png

Creating Software Channels

Base Channels

  • Go to the Channels Tab.
  • Click the Manage Software Channels Tab on the Left Menu.
  • Click the Create Channel Button.
  • Fill out the form.
Channel Name: CentOS 7
Channel Label: centos-7
Parent Channel: None
Architecture: x86_64
Yum Repository Checksum Type: sha512
Channel Summary: CentOS Base Channel
Channel Description: CentOS Base Channel
  • Click Create Channel.
  • Repeat the above steps for each needed Base Channel

Sub Channels

  • Go to the Channels Tab.
  • Click the Manage Software Channels Tab on the Left Menu.
  • Click the Create Channel Button.
  • Fill out the form.
Channel Name: CentOS 7 Updates
Channel Label: centos-7-updates
Parent Channel: CentOS 7
Architecture: x86_64
Yum Repository Checksum Type: sha512
Channel Summary: CentOS 7 Updates Sub Channel
Channel Description: CentOS 7 Updates Sub Channel
  • Click Create Channel.
  • Repeat the above steps for each needed Sub Channel

Syncing Software Channels

  • SSH to the spacewalk server
  • Create a scripts directory:
mkdir -p /usr/share/rhn/scripts
  • Create a file called reposync.sh with the following content:
vi /usr/share/rhn/scripts/reposync.sh
#!/bin/bash
mkdir -p /var/log/scripts/
date > /var/log/scripts/spacewalk-repo-sync.log
# The separator must be quoted: an unquoted # starts a shell comment, so the echo and its redirect would be dropped
echo '#####################################################' >> /var/log/scripts/spacewalk-repo-sync.log
# Newest 7.x release directory on the mirror, taken from the directory listing
CENT7LATEST=$(curl --silent http://mirror.centos.org/centos/ | grep folder | grep ">7\." | cut -d '"' -f 8 | cut -d '/' -f 1 | sort -g | tail -1)

spacewalk-repo-sync -u http://mirror.centos.org/centos/$CENT7LATEST/os/x86_64/ -c centos-7  >> /var/log/scripts/spacewalk-repo-sync.log
spacewalk-repo-sync -u http://mirror.centos.org/centos/$CENT7LATEST/extras/x86_64/ -c centos-7-extras  >> /var/log/scripts/spacewalk-repo-sync.log
spacewalk-repo-sync -u http://mirror.centos.org/centos/$CENT7LATEST/updates/x86_64/ -c centos-7-updates >> /var/log/scripts/spacewalk-repo-sync.log
spacewalk-repo-sync -u http://dl.fedoraproject.org/pub/epel/7/x86_64/ -c centos-7-epel >> /var/log/scripts/spacewalk-repo-sync.log
spacewalk-repo-sync -u http://yum.spacewalkproject.org/latest-client/RHEL/7/x86_64/ -c centos-7-spacewalk-client  >> /var/log/scripts/spacewalk-repo-sync.log

chmod -R 777 /var/satellite/redhat/1/
echo '####################################################' >> /var/log/scripts/spacewalk-repo-sync.log
date >> /var/log/scripts/spacewalk-repo-sync.log
  • Make the reposync.sh file executable:
chmod 755 /usr/share/rhn/scripts/reposync.sh
  • To run it manually simply use the following command:
/usr/share/rhn/scripts/reposync.sh
  • To schedule the script use cron as root:
crontab -e 
  • Add the following line to the crontab (this runs the script once a week, on Sunday morning at 00:01):
1 0 * * 0 /usr/share/rhn/scripts/reposync.sh
  • The script logs to /var/log/scripts/spacewalk-repo-sync.log.

Creating System Groups

  • Go to the Systems Tab.
  • Click the System Groups Tab on the Left Menu.
  • Click the Create Group Button.
  • Fill out the form.
Name: Centos 7 Servers
Description: Centos 7 Servers
  • Repeat for all of the groups you wish to create.

Creating Configuration Channels

These are groups of configuration files managed by Spacewalk. The files can be pushed to the servers that are subscribed to the channel.

  • Go to the Configuration Tab.
  • Click the Configuration Channels Tab on the Left Menu.
  • Click the Create Config Channel Button.
  • Fill out the form.
Name: Centos 7 Servers
Label: centos-7-config
Description: Centos 7 Servers
  • Click the Add Files Tab and add any configuration files you wish.

Note: These can be added at anytime.
Note: These files can be pulled to each subscribed server by running the command rhncfg-client get.

  • Repeat for all of the channels you wish to create.

Creating Activation Keys

These are used during kickstarts to join the Spacewalk server. They are also used to assign kickstarted machines to the appropriate System Groups, Software Channels, Configuration Channels and more.

  • Go to the Systems Tab.
  • Click the Activation Keys Tab on the Left Menu.
  • Click the Create Key Button.
  • Fill out the form.
Description: Centos 7 Servers
Key: centos-7-key
Base Channel: CentOS 7
Check Provisioning
  • Under the Child Channels tab add all desired Software channels by pressing ctrl and clicking each channel you wish.
  • Then click the Update Key button.
  • Under the Packages Tab, add all of the software packages you wish to install at spacewalk registration time.
  • Then click the Update Key button.
  • Under the Configuration Tab and the Subscribe Channels Sub-Tab, add all of the configuration channels you wish the servers to be added to.
  • Then click the Update Key button.
  • Under the Groups Tab and the Join sub-tab, check the groups you wish the activation key to add the server to.
  • Then click the Join Selected Group button.

Joining Existing Servers

Spacewalk Setup

  • Create a repository file on the Spacewalk server:
mkdir -p /var/www/html/pub/repo_files/
vi /var/www/html/pub/repo_files/centos7.repo
[local-centos-7]
name=local-centos-7
baseurl=http://spacewalk.tdkc.com/ks/dist/org/1/centos-7-latest
enabled=1
gpgcheck=0

[local-centos-7-updates]
name=local-centos-7-updates
baseurl=http://spacewalk.tdkc.com/ks/dist/child/centos-7-updates/centos-7-latest
enabled=1
gpgcheck=0

[local-centos-7-extras]
name=local-centos-7-extras
baseurl=http://spacewalk.tdkc.com/ks/dist/child/centos-7-extras/centos-7-latest
enabled=1
gpgcheck=0

[local-centos-7-spacewalk-client]
name=local-centos-7-spacewalk-client
baseurl=http://spacewalk.tdkc.com/ks/dist/child/centos-7-spacewalk-client/centos-7-latest
enabled=1
gpgcheck=0

[local-centos-7-epel]
name=local-centos-7-epel
baseurl=http://spacewalk.tdkc.com/ks/dist/child/centos-7-epel/centos-7-latest
enabled=1
gpgcheck=0
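The repository file above sets gpgcheck=0 on every channel, so a client would install packages without verifying the signatures whose keys are imported later in the client setup. As an added example (not part of the original page), here is a POSIX shell check that reads a .repo file in that shape and lists every enabled section that either has gpgcheck=0 or has no gpgkey to fetch the key from; the SAMPLE_REPO text, the section labels in it and the function names are constructed for this example.

```shell
#!/bin/sh
# Constructed sample in the shape of the centos7.repo file above: the first
# section is unsigned, the second verifies signatures, the third is disabled.
SAMPLE_REPO='[local-centos-7]
name=local-centos-7
baseurl=http://spacewalk.tdkc.com/ks/dist/org/1/centos-7-latest
enabled=1
gpgcheck=0

[local-centos-7-updates]
name=local-centos-7-updates
baseurl=http://spacewalk.tdkc.com/ks/dist/child/centos-7-updates/centos-7-latest
enabled=1
gpgcheck=1
gpgkey=http://spacewalk.tdkc.com/pub/repo_files/RPM-GPG-KEY-CentOS-7

[local-centos-7-extras]
name=local-centos-7-extras
baseurl=http://spacewalk.tdkc.com/ks/dist/child/centos-7-extras/centos-7-latest
enabled=0
gpgcheck=0
'

# Parser state lives in globals because POSIX sh has no local variables.
section=''; enabled=''; gpgcheck=''; gpgkey=''; REPO_RC=0

# Judge the section just parsed: disabled sections are ignored; an enabled
# section must have gpgcheck=1 and a gpgkey, otherwise its label is printed
# and REPO_RC is set to 1.
check_section() {
    [ -n "$section" ] || return 0
    [ "$enabled" = "1" ] || return 0
    if [ "$gpgcheck" != "1" ] || [ -z "$gpgkey" ]; then
        printf '%s\n' "$section"
        REPO_RC=1
    fi
}

# Read .repo text from $1, print the labels of enabled sections that would
# install unsigned packages, and return 1 if there were any, else 0.
unsigned_repos() {
    section=''; enabled=''; gpgcheck=''; gpgkey=''; REPO_RC=0
    # A here-document keeps the loop in the current shell, so the globals
    # updated inside it are visible afterwards (a pipe would fork a subshell).
    while IFS= read -r line; do
        case $line in
            '['*']')
                check_section
                section=${line#\[}; section=${section%\]}
                enabled=''; gpgcheck=''; gpgkey='' ;;
            enabled=*)  enabled=${line#enabled=} ;;
            gpgcheck=*) gpgcheck=${line#gpgcheck=} ;;
            gpgkey=*)   gpgkey=${line#gpgkey=} ;;
        esac
    done <<EOF
$1
EOF
    check_section
    return "$REPO_RC"
}

# Stand-alone run over the constructed sample.
if unsigned_repos "$SAMPLE_REPO" >/dev/null; then
    echo "all enabled repos verify package signatures"
else
    echo "enabled repos that skip signature checks:"
    unsigned_repos "$SAMPLE_REPO" || true
fi
```

To check a real client, pass the file contents with `unsigned_repos "$(cat /etc/yum.repos.d/local-centos-7.repo)"` and fix each listed section by setting gpgcheck=1 and pointing gpgkey at the key published under /pub/repo_files/.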

Add python-gudev and python-hwdata to the CentOS 7 Spacewalk Client Repo

  • Go to the Channels Tab
  • Go to the Manage Software Channels Tab on the left-hand side.
  • Click the CentOS 7 Spacewalk Client Channel.
  • Click the Packages Tab.
  • Click the Add Sub Tab.
  • Under channel Choose CentOS 7 and Click View Packages
  • Search for python-gudev and python-hwdata and Click Add Packages
  • Then Click Confirm Addition Button.

Client Setup

CentOS 7

Run the following as ROOT:

mkdir -p /tmp/old_repos
for i in `ls /etc/yum.repos.d/*`; do mv -f $i /tmp/old_repos/; done
#for i in `ls /etc/yum.repos.d/Cent*`; do echo  > $i; done
curl http://spacewalk/pub/repo_files/centos7.repo > /etc/yum.repos.d/local-centos-7.repo
yum -y install wget
rpm --import http://spacewalk.tdkc.com/pub/repo_files/RPM-GPG-KEY-EPEL-7  http://spacewalk.tdkc.com/pub/repo_files/RPM-GPG-KEY-CentOS-7  http://spacewalk.tdkc.com/pub/repo_files/RPM-GPG-KEY-spacewalk-2008  http://spacewalk.tdkc.com/pub/repo_files/RPM-GPG-KEY-spacewalk-2010  http://spacewalk.tdkc.com/pub/repo_files/RPM-GPG-KEY-spacewalk-2012  http://spacewalk.tdkc.com/pub/repo_files/RPM-GPG-KEY-spacewalk-2014  http://spacewalk.tdkc.com/pub/repo_files/RPM-GPG-KEY-spacewalk-2015
cat /tmp/ssl-key-* > /usr/share/rhn/RHN-ORG-TRUSTED-SSL-CERT
perl -pe 's/RHNS-CA-CERT/RHN-ORG-TRUSTED-SSL-CERT/g' -i /etc/sysconfig/rhn/up2date
yum -y install pyOpenSSL rhnlib libxml2 libxml2-python
perl -npe 's|^(\s*(noSSLS\|s)erverURL\s*=\s*[^:]+://)[^/]*/|${1}spacewalk.tdkc.com/|' -i /etc/sysconfig/rhn/up2date
mkdir -p /etc/sysconfig/rhn/allowed-actions/script
touch /etc/sysconfig/rhn/allowed-actions/script/run
mkdir -p /etc/sysconfig/rhn/allowed-actions/configfiles
touch /etc/sysconfig/rhn/allowed-actions/configfiles/all 
mkdir -p /usr/share/rhn/
wget http://spacewalk.tdkc.com/pub/RHN-ORG-TRUSTED-SSL-CERT -O /usr/share/rhn/RHN-ORG-TRUSTED-SSL-CERT
yum -y install rhncfg-client rhncfg rhncfg-actions osad osa-common jabberpy rhn-setup
rhnreg_ks --serverUrl=https://spacewalk.tdkc.com/XMLRPC --sslCACert=/usr/share/rhn/RHN-ORG-TRUSTED-SSL-CERT --activationkey=1-centos-7-key
rhncfg-client get
systemctl enable osad
systemctl start osad
systemctl disable firewalld
systemctl stop firewalld
# The Below are only needed if you want to keep firewalld ON
#firewall-cmd --add-port 5222/tcp
#firewall-cmd --add-port 4545/tcp
#firewall-cmd --add-port 5222/tcp --permanent
#firewall-cmd --add-port 4545/tcp --permanent

CentOS 6

Run the following as ROOT:

mkdir -p /tmp/old_repos
for i in `ls /etc/yum.repos.d/*`; do mv -f $i /tmp/old_repos/; done
#for i in `ls /etc/yum.repos.d/Cent*`; do echo  > $i; done
curl http://spacewalk/pub/repo_files/centos6.repo > /etc/yum.repos.d/local-centos-6.repo
yum -y install wget
rpm --import http://spacewalk.tdkc.com/pub/repo_files/RPM-GPG-KEY-pbis  http://spacewalk.tdkc.com/pub/repo_files/RPM-GPG-KEY-EPEL-6  http://spacewalk.tdkc.com/pub/repo_files/RPM-GPG-KEY-CentOS-6  http://spacewalk.tdkc.com/pub/repo_files/RPM-GPG-KEY-spacewalk-2008  http://spacewalk.tdkc.com/pub/repo_files/RPM-GPG-KEY-spacewalk-2010  http://spacewalk.tdkc.com/pub/repo_files/RPM-GPG-KEY-spacewalk-2012  http://spacewalk.tdkc.com/pub/repo_files/RPM-GPG-KEY-spacewalk-2014  http://spacewalk.tdkc.com/pub/repo_files/RPM-GPG-KEY-spacewalk-2015
cat /tmp/ssl-key-* > /usr/share/rhn/RHN-ORG-TRUSTED-SSL-CERT
perl -pe 's/RHNS-CA-CERT/RHN-ORG-TRUSTED-SSL-CERT/g' -i /etc/sysconfig/rhn/up2date
yum -y install pyOpenSSL rhnlib libxml2 libxml2-python
perl -npe 's|^(\s*(noSSLS\|s)erverURL\s*=\s*[^:]+://)[^/]*/|${1}spacewalk.tdkc.com/|' -i /etc/sysconfig/rhn/up2date
mkdir -p /etc/sysconfig/rhn/allowed-actions/script
touch /etc/sysconfig/rhn/allowed-actions/script/run
mkdir -p /etc/sysconfig/rhn/allowed-actions/configfiles
touch /etc/sysconfig/rhn/allowed-actions/configfiles/all 
mkdir -p /usr/share/rhn/
wget http://spacewalk.tdkc.com/pub/RHN-ORG-TRUSTED-SSL-CERT -O /usr/share/rhn/RHN-ORG-TRUSTED-SSL-CERT
yum -y install rhncfg-client rhncfg rhncfg-actions osad osa-common jabberpy rhn-setup
rhnreg_ks --serverUrl=https://spacewalk.tdkc.com/XMLRPC --sslCACert=/usr/share/rhn/RHN-ORG-TRUSTED-SSL-CERT --activationkey=1-centos-6-key --force
rhncfg-client get
chkconfig osad on 
service osad start
chkconfig iptables off
service iptables stop
chkconfig ip6tables off
service ip6tables stop
# The Below are only needed if you want to keep iptables ON
#sed -i '/--dport 22/a -A INPUT -m state --state NEW -m tcp -p tcp --dport 4545 -j ACCEPT' /etc/sysconfig/iptables
#sed -i '/--dport 22/a -A INPUT -m state --state NEW -m tcp -p tcp --dport 5222 -j ACCEPT' /etc/sysconfig/iptables
#sed -i '/--dport 22/a -A INPUT -m state --state NEW -m tcp -p tcp --dport 4545 -j ACCEPT' /etc/sysconfig/ip6tables
#sed -i '/--dport 22/a -A INPUT -m state --state NEW -m tcp -p tcp --dport 5222 -j ACCEPT' /etc/sysconfig/ip6tables
#service iptables restart
#service ip6tables restart

CentOS 5

Run the following as ROOT:

mkdir -p /tmp/old_repos
for i in `ls /etc/yum.repos.d/*`; do mv -f $i /tmp/old_repos/; done
#for i in `ls /etc/yum.repos.d/Cent*`; do echo  > $i; done
curl http://spacewalk/pub/repo_files/centos5.repo > /etc/yum.repos.d/local-centos-5.repo
yum -y install wget
rpm --import http://spacewalk.tdkc.com/pub/repo_files/RPM-GPG-KEY-pbis  http://spacewalk.tdkc.com/pub/repo_files/RPM-GPG-KEY-EPEL-5  http://spacewalk.tdkc.com/pub/repo_files/RPM-GPG-KEY-CentOS-5  http://spacewalk.tdkc.com/pub/repo_files/RPM-GPG-KEY-spacewalk-2008  http://spacewalk.tdkc.com/pub/repo_files/RPM-GPG-KEY-spacewalk-2010  http://spacewalk.tdkc.com/pub/repo_files/RPM-GPG-KEY-spacewalk-2012  http://spacewalk.tdkc.com/pub/repo_files/RPM-GPG-KEY-spacewalk-2014  http://spacewalk.tdkc.com/pub/repo_files/RPM-GPG-KEY-spacewalk-2015
cat /tmp/ssl-key-* > /usr/share/rhn/RHN-ORG-TRUSTED-SSL-CERT
perl -pe 's/RHNS-CA-CERT/RHN-ORG-TRUSTED-SSL-CERT/g' -i /etc/sysconfig/rhn/up2date
yum -y install pyOpenSSL rhnlib libxml2 libxml2-python
perl -npe 's|^(\s*(noSSLS\|s)erverURL\s*=\s*[^:]+://)[^/]*/|${1}spacewalk.tdkc.com/|' -i /etc/sysconfig/rhn/up2date
mkdir -p /etc/sysconfig/rhn/allowed-actions/script
touch /etc/sysconfig/rhn/allowed-actions/script/run
mkdir -p /etc/sysconfig/rhn/allowed-actions/configfiles
touch /etc/sysconfig/rhn/allowed-actions/configfiles/all 
echo '#includedir /etc/sudoers.d' >> /etc/sudoers
chmod 755 /etc/sudoers.d/
mkdir -p /usr/share/rhn/
wget http://spacewalk.tdkc.com/pub/RHN-ORG-TRUSTED-SSL-CERT -O /usr/share/rhn/RHN-ORG-TRUSTED-SSL-CERT
yum -y install rhncfg-client rhncfg rhncfg-actions osad osa-common jabberpy rhn-setup
rhnreg_ks --serverUrl=https://spacewalk.tdkc.com/XMLRPC --sslCACert=/usr/share/rhn/RHN-ORG-TRUSTED-SSL-CERT --activationkey=1-centos-5-key
rhncfg-client get
chkconfig osad on 
service osad start
chkconfig iptables off
service iptables stop
chkconfig ip6tables off
service ip6tables stop
# The Below are only needed if you want to keep iptables ON
#sed -i '/--dport 22/a -A INPUT -m state --state NEW -m tcp -p tcp --dport 4545 -j ACCEPT' /etc/sysconfig/iptables
#sed -i '/--dport 22/a -A INPUT -m state --state NEW -m tcp -p tcp --dport 5222 -j ACCEPT' /etc/sysconfig/iptables
#sed -i '/--dport 22/a -A INPUT -m state --state NEW -m tcp -p tcp --dport 4545 -j ACCEPT' /etc/sysconfig/ip6tables
#sed -i '/--dport 22/a -A INPUT -m state --state NEW -m tcp -p tcp --dport 5222 -j ACCEPT' /etc/sysconfig/ip6tables
#service iptables restart
#service ip6tables restart

Ubuntu 12.04

Run the following as ROOT:

mkdir -p /tmp/spacewalk/
cd /tmp/spacewalk/
wget http://spacewalk.tdkc.com/pub/register/ubuntu-1204/apt-transport-spacewalk-1.0.6-2.5-1ubuntu1-precise1.all-deb.deb http://spacewalk.tdkc.com/pub/register/ubuntu-1204/libnl1_1.1-7_amd64.deb http://spacewalk.tdkc.com/pub/register/ubuntu-1204/osad-5.9.21-2.all-deb.deb http://spacewalk.tdkc.com/pub/register/ubuntu-1204/pyjabber-0.5.0-1.4ubuntu3-precise1.all-deb.deb http://spacewalk.tdkc.com/pub/register/ubuntu-1204/python-dmidecode_3.10.11-1build2_amd64.deb http://spacewalk.tdkc.com/pub/register/ubuntu-1204/python-ethtool_0.6-0ubuntu1_amd64.deb http://spacewalk.tdkc.com/pub/register/ubuntu-1204/python-gudev_147.2-2_amd64.deb http://spacewalk.tdkc.com/pub/register/ubuntu-1204/python-libxml2-2.7.8.dfsg-5.1ubuntu4.15.amd64-deb.deb http://spacewalk.tdkc.com/pub/register/ubuntu-1204/python-newt_0.52.11-2ubuntu10_amd64.deb http://spacewalk.tdkc.com/pub/register/ubuntu-1204/python-rhn-2.5.52-1ubuntu1-precise1.all-deb.deb http://spacewalk.tdkc.com/pub/register/ubuntu-1204/python-support_1.0.14ubuntu2_all.deb http://spacewalk.tdkc.com/pub/register/ubuntu-1204/rhncfg-5.10.14-1ubuntu1-precise2.all-deb.deb http://spacewalk.tdkc.com/pub/register/ubuntu-1204/rhn-client-tools_1.8.9-4~precise1_amd64.deb http://spacewalk.tdkc.com/pub/register/ubuntu-1204/rhnsd-5.0.4-3.amd64-deb.deb http://spacewalk.tdkc.com/pub/register/ubuntu-1204/libgudev-1.0-0_175-0ubuntu9_amd64.deb http://spacewalk.tdkc.com/pub/register/ubuntu-1204/python-gobject-2_2.28.6-10ubuntu1_amd64.deb http://spacewalk.tdkc.com/pub/register/ubuntu-1204/python-gobject_3.2.2-1~precise_all.deb
dpkg -i *.deb 
#add-apt-repository -y ppa:mj-casalogic/spacewalk-ubuntu
#apt-get update
mkdir -p /usr/share/rhn/
wget http://spacewalk.tdkc.com/pub/RHN-ORG-TRUSTED-SSL-CERT -O /usr/share/rhn/RHN-ORG-TRUSTED-SSL-CERT
apt-get -y install rhncfg rhn-client-tools apt-transport-spacewalk python-rhn rhnsd python-libxml2
sed -i 's/if not self.allow_none:/#if not self.allow_none:/' /usr/lib/python2.7/xmlrpclib.py
sed -i 's/raise TypeError, "cannot marshal None unless allow_none is enabled"/#raise TypeError, "cannot marshal None unless allow_none is enabled"/' /usr/lib/python2.7/xmlrpclib.py
mkdir /var/lock/subsys
rhnreg_ks --activationkey=1-ubuntu-1204 --serverUrl=http://spacewalk.tdkc.com/XMLRPC --force 
rhn-actions-control --enable-run
echo 'deb spacewalk://spacewalk.tdkc.com/XMLRPC channels: main ubuntu-1204-custom ubuntu-1204-security ubuntu-1204-updates' >  /etc/apt/sources.list.d/spacewalk.list
mv /etc/apt/sources.list /etc/apt/sources.list.bak
mkdir -p /var/spool/rhn
cd /tmp
rm -rf /tmp/spacewalk/
apt-get update
sleep 10
apt-get update

Ubuntu 14.04

Run the following as ROOT:

mkdir -p /tmp/spacewalk/
cd /tmp/spacewalk/
mkdir -p /usr/share/rhn/
wget http://spacewalk.tdkc.com/pub/register/ubuntu-1404/apt-transport-spacewalk-1.0.6-2.1.all-deb.deb http://spacewalk.tdkc.com/pub/register/ubuntu-1404/libgudev-1.0-0-1-204-5ubuntu20.22.amd64-deb.deb http://spacewalk.tdkc.com/pub/register/ubuntu-1404/libnl1-1.1-8ubuntu1.amd64-deb.deb http://spacewalk.tdkc.com/pub/register/ubuntu-1404/python-dbus-1.2.0-2build2.amd64-deb.deb http://spacewalk.tdkc.com/pub/register/ubuntu-1404/python-dbus-dev-1.2.0-2build2.all-deb.deb http://spacewalk.tdkc.com/pub/register/ubuntu-1404/python-dmidecode-3.10.13-3.amd64-deb.deb http://spacewalk.tdkc.com/pub/register/ubuntu-1404/python-ethtool-0.7-1.1.amd64-deb.deb http://spacewalk.tdkc.com/pub/register/ubuntu-1404/python-gi-3.12.0-1ubuntu1.amd64-deb.deb http://spacewalk.tdkc.com/pub/register/ubuntu-1404/python-gobject-2-2.28.6-12build1.amd64-deb.deb http://spacewalk.tdkc.com/pub/register/ubuntu-1404/python-gobject-3.12.0-1ubuntu1.all-deb.deb http://spacewalk.tdkc.com/pub/register/ubuntu-1404/python-gudev-147.2-3.amd64-deb.deb http://spacewalk.tdkc.com/pub/register/ubuntu-1404/python-libxml2-2.9.1+dfsg1-3ubuntu4.8.amd64-deb.deb http://spacewalk.tdkc.com/pub/register/ubuntu-1404/python-newt-0.52.15-2ubuntu5.amd64-deb.deb http://spacewalk.tdkc.com/pub/register/ubuntu-1404/python-rhn-2.5.52-1.all-deb.deb http://spacewalk.tdkc.com/pub/register/ubuntu-1404/python-support-1.0.15-X.all-deb.deb http://spacewalk.tdkc.com/pub/register/ubuntu-1404/rhncfg-5.10.14-1ubuntu1-saucy2.all-deb.deb http://spacewalk.tdkc.com/pub/register/ubuntu-1404/rhn-client-tools-1.8.26-4-ubuntu14.04.1-ppa1.amd64-deb.deb http://spacewalk.tdkc.com/pub/register/ubuntu-1404/rhnsd-4.9.15-1.amd64-deb.deb
dpkg -i *.deb
wget http://spacewalk.tdkc.com/pub/RHN-ORG-TRUSTED-SSL-CERT -O /usr/share/rhn/RHN-ORG-TRUSTED-SSL-CERT
apt-get -y install rhn-client-tools apt-transport-spacewalk python-rhn rhnsd python-libxml2
wget http://spacewalk.tdkc.com/pub/register/rhncfg-5.10.14-1ubuntu1-saucy2.all-deb.deb
dpkg -i rhncfg-5.10.14-1ubuntu1-saucy2.all-deb.deb 
sed -i 's/if not self.allow_none:/#if not self.allow_none:/' /usr/lib/python2.7/xmlrpclib.py
sed -i 's/raise TypeError, "cannot marshal None unless allow_none is enabled"/#raise TypeError, "cannot marshal None unless allow_none is enabled"/' /usr/lib/python2.7/xmlrpclib.py
apt-get install python-libxml2
mkdir -p /var/lock/subsys
rhnreg_ks --activationkey=1-ubuntu-1404 --serverUrl=http://spacewalk.tdkc.com/XMLRPC --force 
rhn-actions-control --enable-run
rhn_check
rhncfg-client get
echo 'deb spacewalk://spacewalk.tdkc.com/XMLRPC channels: main ubuntu-1404-custom ubuntu-1404-security ubuntu-1404-updates' >  /etc/apt/sources.list.d/spacewalk.list
mv /etc/apt/sources.list /etc/apt/sources.list.bak
mkdir -p /var/spool/rhn
cd /tmp
rm -rf /tmp/spacewalk/
apt-get update
sleep 10
apt-get update

Ubuntu 15.10

Run the following as ROOT:

mkdir -p /tmp/spacewalk/
cd /tmp/spacewalk/
#wget http://spacewalk.tdkc.com/download/package/9a990879fd7d446a221fb1beecb9386b4193b9dd/1486533691738/2/74389/apt-transport-spacewalk-1.0.6-4.1.all-deb.deb http://spacewalk.tdkc.com/download/package/1fe2d5c78bb3a4bcffd210bc38a55809c7cb493f/1486533709647/2/74390/libgudev-1.0-0-1:230-2.amd64-deb.deb http://spacewalk.tdkc.com/download/package/0c38f9a52f4cdefd3ab2a29e574d215f99e3905e/1486533717989/2/74391/libnl-route-3-200-3.2.26-1.amd64-deb.deb http://spacewalk.tdkc.com/download/package/6230d4117a0a9c2ec92e348696efe3befad4355f/1486533730178/2/74393/python-cffi-1.1.2-1ubuntu2.all-deb.deb http://spacewalk.tdkc.com/download/package/4ca9d34787524960ef65707edda3f05353029408/1486533739004/2/74394/python-cffi-backend-1.1.2-1ubuntu2.amd64-deb.deb http://spacewalk.tdkc.com/download/package/d85db44c341d453689819112feb6150e9e14916d/1486533748338/2/74395/python-cryptography-1.0.1-1ubuntu1.amd64-deb.deb http://spacewalk.tdkc.com/download/package/2b6ee8eddeee8532995e732212aa590e6780cc6e/1486533757114/2/74396/python-dbus-1.2.0-2build3.amd64-deb.deb http://spacewalk.tdkc.com/download/package/73437d3050ecbc99ce5e0b52f9236963d327f1fd/1486533777174/2/74397/python-dbus-dev-1.2.0-2build3.all-deb.deb http://spacewalk.tdkc.com/download/package/ad71b97a51a6d2d41ef0169c9d2ab2e146f09a1e/1486533790037/2/74398/python-dmidecode-3.12.2-1.amd64-deb.deb http://spacewalk.tdkc.com/download/package/645ea178fa3d1d9109a630054e40650116118edf/1486533799975/2/74399/python-enum34-1.0.4-2.all-deb.deb http://spacewalk.tdkc.com/download/package/7fddb9738fe66b922e505e8258125cf2f3556734/1486533809243/2/74400/python-ethtool-0.11-3.amd64-deb.deb http://spacewalk.tdkc.com/download/package/9db7758c9f44c5600100046e022e7e78ee285d9c/1486533818862/2/74401/python-gi-3.16.2-1build1.amd64-deb.deb http://spacewalk.tdkc.com/download/package/45b505436891a30e5038f98f1125e5c8faf87255/1486533827584/2/73063/python-gobject-2-2.28.6-12build1.amd64-deb.deb 
http://spacewalk.tdkc.com/download/package/e3b34a2322fbc36ea1f14f5629402eed3a341345/1486533838570/2/74402/python-gobject-3.16.2-1build1.all-deb.deb http://spacewalk.tdkc.com/download/package/cac91472f41247a71e0cdfc09dc9ced6aa191808/1486533847044/2/73066/python-gudev-147.2-3.amd64-deb.deb http://spacewalk.tdkc.com/download/package/bc96ea69767e2929b0d42089e21306eed4a70c96/1486533855510/2/74403/python-idna-2.0-3.all-deb.deb http://spacewalk.tdkc.com/download/package/22a736afd87c57cc10b5d66077d68d96bbe2e303/1486533863520/2/74404/python-ipaddress-1.0.14-2.all-deb.deb http://spacewalk.tdkc.com/download/package/16d798f91c1736ea0b8cc85ae10ebc425ecfb20c/1486533872744/2/74405/python-libxml2-2.9.2+zdfsg1-4ubuntu0.4.amd64-deb.deb http://spacewalk.tdkc.com/download/package/2df719267a55d9e7f45eda9a9b5f2f54bf28efe8/1486533882046/2/74406/python-newt-0.52.18-1ubuntu1.amd64-deb.deb http://spacewalk.tdkc.com/download/package/24e041a6f29874de148225d3d3d42a035bc399a5/1486533891902/2/74408/python-openssl-0.15.1-2build1.all-deb.deb http://spacewalk.tdkc.com/download/package/2a18f3173b2af6c901f19631571170ee909482f5/1486533901275/2/74409/python-pkg-resources-18.4-1.all-deb.deb http://spacewalk.tdkc.com/download/package/83c2bfd93db39cc2976bfb242ba35ec15dd4ec19/1486533909664/2/74410/python-ply-3.7-1.all-deb.deb http://spacewalk.tdkc.com/download/package/ca446abc1e8472df4de42930170f6e3993a074c0/1486533925603/2/74411/python-pyasn1-0.1.8-2.all-deb.deb http://spacewalk.tdkc.com/download/package/2c37e07e157e58310e68b331bdcf74da4be2fdb7/1486533934180/2/74413/python-pycparser-2.14+dfsg-2build1.all-deb.deb http://spacewalk.tdkc.com/download/package/3200828f2c633a17a6776d8a8387c3144795c12c/1486533943711/2/74414/python-rhn-2.5.55-2.all-deb.deb http://spacewalk.tdkc.com/download/package/43e0245e31ec67a9c1bf508c8710f52a134af713/1486533958421/2/74415/python-six-1.9.0-5.all-deb.deb 
http://spacewalk.tdkc.com/download/package/683688494c9a41c085211fb8ecc7cf2fca3a82c1/1486533966846/2/74416/rhn-client-tools-1.8.26-4.amd64-deb.deb http://spacewalk.tdkc.com/download/package/1464b7a0f4d17718fe9eb2262df30a3e6c0bade3/1486533975390/2/74417/rhnsd-5.0.4-3.amd64-deb.deb http://spacewalk.tdkc.com/download/package/4100a3dcc3bde6c366888af2fc264e498167dddf/1486534916145/2/73403/rhncfg-5.10.14-1ubuntu1~saucy2.all-deb.deb
wget http://spacewalk.tdkc.com/pub/RHN-ORG-TRUSTED-SSL-CERT -O /usr/share/rhn/RHN-ORG-TRUSTED-SSL-CERT
apt-get -y install rhn-client-tools apt-transport-spacewalk python-rhn rhnsd python-libxml2
wget http://spacewalk.tdkc.com/pub/register/rhncfg-5.10.14-1ubuntu1-saucy2.all-deb.deb
dpkg -i rhncfg-5.10.14-1ubuntu1-saucy2.all-deb.deb 
#dpkg -i *.deb
sed -i 's/if not self.allow_none:/#if not self.allow_none:/' /usr/lib/python2.7/xmlrpclib.py
sed -i 's/raise TypeError, "cannot marshal None unless allow_none is enabled"/#raise TypeError, "cannot marshal None unless allow_none is enabled"/' /usr/lib/python2.7/xmlrpclib.py
mkdir -p /var/lock/subsys
rhnreg_ks --activationkey=1-ubuntu-1510 --serverUrl=http://spacewalk.tdkc.com/XMLRPC --force 
rhn-actions-control --enable-run
rhn_check
rhncfg-client get
echo 'deb spacewalk://spacewalk.tdkc.com/XMLRPC channels: main ubuntu-1510-custom ubuntu-1510-security ubuntu-1510-updates' >  /etc/apt/sources.list.d/spacewalk.list
mv /etc/apt/sources.list /etc/apt/sources.list.bak
mkdir -p /var/spool/rhn
cd /tmp
rm -rf /tmp/spacewalk/
apt-get update
sleep 10
apt-get update


Files Managed By Spacewalk

/etc/sssd/sssd.conf

This file is here to ensure proper configuration of the SSSD clients.

By Default SSSD does not configure itself with all of the needed settings.

/etc/sudoers.d/master-sudoers

This file is managed by Spacewalk to ensure all machines are compliant with the concept of least privilege.

The % prefix refers to groups.

Adding TDKC\\ in front of groups and users allows Likewise/PBIS-joined servers (those where the /opt/pbis/bin/config AssumeDefaultDomain true command has not been run) to be compatible with the sudoers file.

For in-depth information on this file please refer to https://linux.die.net/man/5/sudoers.

/etc/sysconfig/rhn/rhnsd

This file is managed by Spacewalk to reduce the amount of time between client check-ins with Spacewalk. The default is 4 hours. Setting INTERVAL to 60 (the lowest it allows) tells the clients to check in once an hour.

/etc/profile.d/security_lockdowns.sh

This file is managed by Spacewalk to apply the required profile lockdowns to the Spacewalk clients.

TMOUT is the number of seconds a session may sit idle. A user who is idle for that long is logged off automatically.


General Linux Commands and Scripts

Create Keytab file for adjoin user

Run the following code as ROOT:

yum -y install krb5-workstation
ktutil
addent -password -p [email protected] -k 1 -e RC4-HMAC
<enter password for username>
wkt adjoin.keytab
q

Joining CentOS 7 Server to Active Directory (AD)

You must first join the server to Spacewalk: see Join CentOS 7 to Spacewalk.

Run the following code as ROOT:

# Install Required Software
yum install -y realmd samba samba-common oddjob oddjob-mkhomedir sssd adcli sssd-tools samba-libs krb5-workstation

# Get Keytab for authentication
wget -q http://spacewalk.tdkc.com/pub/join/adjoin.keytab -O /root/adjoin.keytab

kinit -k -t /root/adjoin.keytab [email protected]

# Leave all realms (only really needed if the machine was previously joined)
realm leave
sleep 5

# Join the Domain using an admin account and place the computer in the Servers OU
realm join --no-password --computer-ou="ou=VMs,OU=TDKCMachines,dc=tdkc,dc=com" "tdkc.com"
sleep 15

# Pull the corrected sssd.conf from Spacewalk and start SSSD with a clean cache
systemctl stop sssd
rm -rf /var/lib/sss/db/*
rhncfg-client get
systemctl start sssd
sleep 10
systemctl restart sssd

# Remove Keytab File
rm -rf /root/adjoin.keytab

# Test to make sure it worked
id droessner

Joining Ubuntu Server to Active Directory (AD)

You must first join the server to Spacewalk: see Join Ubuntu Server to Spacewalk.

Run the following code as ROOT:

# Download PBIS Script
wget http://spacewalk.tdkc.com/pub/pbis/pbis-open-8.0.1.2029.linux.x86_64.deb.sh
bash pbis-open-8.0.1.2029.linux.x86_64.deb.sh

Answer the Script's Questions:

  1. Would you like to install package for legacy links? yes
  2. Would you like to install now? yes
# Clean up after the script
rm -rf pbis-open-8.0.1.2029.linux.x86_64.deb pbis-open-8.0.1.2029.linux.x86_64.deb.sh
#****ONLY RUN THIS ON 15.10****
cat <<EOF > /lib/systemd/system/lwsmd.service
[Unit]
Description=BeyondTrust PBIS Service Manager
After=network.target

[Service]
Type=forking
EnvironmentFile=/opt/pbis/libexec/init-base.sh
ExecStart=/opt/pbis/sbin/lwsmd --start-as-daemon
ExecReload=/opt/pbis/bin/lwsm refresh
ExecStop=/opt/pbis/bin/lwsm shutdown
# We want systemd to give lwsmd some time to finish gracefully, but still want
# it to kill lwsmd after TimeoutStopSec if something went wrong during the
# graceful stop. Normally, Systemd sends SIGTERM signal right after the
# ExecStop, which would kill lwsmd. We are sending useless SIGCONT here to give
# lwsmd time to finish.
KillSignal=SIGCONT
PrivateTmp=true

[Install]
WantedBy=multi-user.target nss-lookup.target
EOF
cd /etc/systemd/system
ln -s /lib/systemd/system/lwsmd.service
systemctl enable lwsmd.service
systemctl start lwsmd.service
# Join the Domain
domainjoin-cli join --ou "ou=VMs,OU=TDKCMachines,dc=tdkc,dc=com" TDKC.COM <DOMAIN_ADMIN>@tdkc.com

# Make PBIS Assume the Default Domain
/opt/pbis/bin/config AssumeDefaultDomain true
# Test to make sure it worked
id [email protected]
# Reboot Server
reboot

Note: you need to log in using the full domain name, e.g. [email protected]

Joining CentOS 5/6 Server to Active Directory (AD)

You must first join the server to Spacewalk: see Join CentOS 6 Server to Spacewalk.

Run the following code as ROOT:

# Install Required Software
yum -y install pbis-open
# Join the Domain
domainjoin-cli join --ou "ou=VMs,OU=TDKCMachines,dc=tdkc,dc=com" TDKC.COM <DOMAIN_ADMIN>@tdkc.com
# Make PBIS Assume the Default Domain
/opt/pbis/bin/config AssumeDefaultDomain true

# Test to make sure it worked
id [email protected]
# Reboot Server
reboot

Note: you need to log in using the full domain name, e.g. [email protected]

Modify Local User Accounts

Run the following code as ROOT:

usermod -l cpowell-local cpowell
usermod -l jwalrath-local jwalrath
mv /home/cpowell /home/cpowell-local
mv /home/jwalrath /home/jwalrath-local

Restrict Users from Ubuntu Linux Login

The following command enables pam_access on the server (it inserts the pam_access line at the top of /etc/pam.d/common-account unless it is already there):

grep -q pam_access.so /etc/pam.d/common-account && echo "Already There!" || sed -i '1s/^/account     required      pam_access.so\n/' /etc/pam.d/common-account

The following commands create a default access configuration file:

echo '+ : root : ALL' > /etc/security/access.conf
echo '+ : TDKC\domain^admins : ALL' >> /etc/security/access.conf
echo '+ : TDKC\subcontractors : ALL' >> /etc/security/access.conf
echo '- : TDKC\domain^users : ALL' >> /etc/security/access.conf
echo '- : ALL : ALL' >> /etc/security/access.conf

The file is read from top to bottom and the first matching line wins: if a user is denied on line 1 but allowed on line 2, the user is denied access.

Legend:

  • First column: + = allow access, - = deny access
  • Second column: the user or group to be allowed or denied
  • Third column: the origin the user is connecting from (ALL matches any origin)

For more information please refer to https://linux.die.net/man/5/access.conf
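To see why the order of the lines above matters, here is an added example (not part of the original page) that re-implements pam_access's first-match walk over a constructed copy of the access.conf above; the username droessner, the groups and the origin pts/0 are sample values, and only the +/-, user/group/ALL and ALL-origin forms used on this page are handled.

```shell
#!/bin/sh
# Added example (not from the page): a small re-implementation of the first-match
# walk pam_access performs over access.conf. Covers only what this page uses:
# a +/- field, a user/group list or ALL, and an origin of ALL or an exact string.
set -f   # fields are split on whitespace below; keep pathname globbing out of it

# Constructed copy of the page's access.conf, written to a temp file.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
+ : root : ALL
+ : TDKC\domain^admins : ALL
+ : TDKC\subcontractors : ALL
- : TDKC\domain^users : ALL
- : ALL : ALL
EOF
# Same rules with the "domain users" deny line moved above the subcontractors line.
SWAPPED_CONF=$(mktemp)
sed -e '3{h;d;}' -e '4{G;}' "$SAMPLE_CONF" > "$SWAPPED_CONF"

# name_matches NAME USER "GROUPS": true if NAME is ALL, the user, or one of the groups
name_matches() {
    [ "$1" = ALL ] && return 0
    [ "$1" = "$2" ] && return 0
    for g in $3; do [ "$1" = "$g" ] && return 0; done
    return 1
}

# access_decision USER "GROUPS" ORIGIN FILE -> prints allow or deny.
# The first line whose user/group field and origin field both match decides;
# with no match pam_access grants access, hence the closing "- : ALL : ALL".
access_decision() {
    user=$1 groups=$2 origin=$3 file=$4
    while IFS= read -r line; do
        case $line in ''|'#'*) continue ;; esac
        old_ifs=$IFS; IFS=':'; set -- $line; IFS=$old_ifs
        perm=$1 who=$2 from=$3
        set -- $from                      # origin field: ALL or an exact match
        [ "$1" = ALL ] || [ "$1" = "$origin" ] || continue
        for name in $who; do
            if name_matches "$name" "$user" "$groups"; then
                case $perm in *+*) echo allow ;; *) echo deny ;; esac
                return 0
            fi
        done
    done < "$file"
    echo allow
}
# droessner is in both "domain users" and "subcontractors": line 3 allows him
# before line 4 is reached; with those two lines swapped he is locked out.
access_decision droessner 'TDKC\domain^users TDKC\subcontractors' pts/0 "$SAMPLE_CONF"   # allow
access_decision droessner 'TDKC\domain^users TDKC\subcontractors' pts/0 "$SWAPPED_CONF"  # deny
```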

Add Client to Elastic Stack

CentOS 7

Copy the SSL certificate from elastic.tdkc.com to the client:

scp /etc/pki/tls/certs/logstash-forwarder.crt user@client:/tmp

Copy the filebeat.yml file from a reference machine:

scp /etc/filebeat/filebeat.yml user@client:/tmp

Run the following code as Root:

mkdir -p /etc/pki/tls/certs
cp /tmp/logstash-forwarder.crt /etc/pki/tls/certs/
rpm --import http://packages.elastic.co/GPG-KEY-elasticsearch
vi /etc/yum.repos.d/elastic-beats.repo

Edit the open file to contain the following:

[elastic-5.x]
name=Elastic repository for 5.x packages
baseurl=https://artifacts.elastic.co/packages/5.x/yum
gpgcheck=1
gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
enabled=1
autorefresh=1
type=rpm-md

Run the following code as Root:

yum -y install filebeat
chown root:root /tmp/filebeat.yml
mv /tmp/filebeat.yml /etc/filebeat/filebeat.yml
systemctl start filebeat
systemctl enable filebeat
systemctl restart filebeat
systemctl status filebeat

Ensure that the "TLS" section of filebeat.yml is labelled "SSL"; the key was renamed in a recent version.
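The rename above, as an added example that is not part of the original page: the Logstash output section of filebeat.yml in its old "tls" form beside the 5.x "ssl" form that points at the logstash-forwarder.crt copied in the steps above, plus a check that flags a file still using the old key. Port 5044 and the temporary CA path are assumptions made for the demo.

```shell
#!/bin/sh
# Added example (not from the page): the Logstash output section of filebeat.yml
# in its pre-5.x "tls" form and its 5.x "ssl" form, plus a check that flags a
# file still using the old key. Port 5044 and the temp CA path are assumptions.
WORK=$(mktemp -d)
CA="$WORK/logstash-forwarder.crt"   # stands in for /etc/pki/tls/certs/logstash-forwarder.crt
: > "$CA"                            # empty placeholder, not a real certificate

# Pre-5.x layout: a "tls" block under output.logstash.
cat > "$WORK/old.yml" <<EOF
output:
  logstash:
    hosts: ["elastic.tdkc.com:5044"]
    tls:
      certificate_authorities: ["$CA"]
EOF

# 5.x layout: the key is "ssl"; Filebeat verifies the Logstash certificate
# against the CA copied from elastic.tdkc.com.
cat > "$WORK/new.yml" <<EOF
output.logstash:
  hosts: ["elastic.tdkc.com:5044"]
  ssl.certificate_authorities: ["$CA"]
EOF

# filebeat_ssl_check FILE -> 0 ok, 1 obsolete tls key, 2 no CA set, 3 CA unreadable.
# Only the flat "ssl.certificate_authorities: [...]" form is parsed.
filebeat_ssl_check() {
    if grep -Eq '^[[:space:]]*tls(\.[a-z_]+)?:' "$1"; then
        echo "$1: obsolete 'tls' key, rename the section to 'ssl'"; return 1
    fi
    ca=$(sed -n 's/.*ssl\.certificate_authorities:[^"]*"\([^"]*\)".*/\1/p' "$1")
    [ -n "$ca" ] || { echo "$1: no ssl.certificate_authorities set"; return 2; }
    [ -r "$ca" ] || { echo "$1: CA file $ca is not readable"; return 3; }
    echo "$1: ok, Logstash is verified against $ca"
}

filebeat_ssl_check "$WORK/old.yml" || true   # reports the obsolete key
filebeat_ssl_check "$WORK/new.yml"           # ok
```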


Network layout information

DHCP Reservation Preservation

  • Export all current reservations as a CSV file
  • Sort by IP address and create a new CSV file per subnet/VLAN
  • Create the new DHCP scopes
  • Import the matching CSV file per subnet/VLAN


VLAN Structure

One subnet per VLAN:

  • 10.179.0.0/24 = VLAN 500 - Virtual machine network
  • 10.179.1.0/24 = VLAN 501 - Infrastructure - WAPs, switches, printers, physical servers, UPS
  • 10.179.2.0/24 = VLAN 502 - Company-owned computers with reservations - wired
  • 10.179.3.0/24 = VLAN 503 - Company-owned computers with reservations - wireless
  • 10.179.4.0/24 = VLAN 504 - Company- or user-owned trusted devices without reservations
  • 10.179.5.0/24 = VLAN 505 - Growth, not currently in use
  • 10.179.6.0/24 = VLAN 506 - Growth, not currently in use
  • 10.179.7.0/24 = VLAN 507 - VPN pool - used by remote users - connectivity needs to be tested manually