Description
This document describes a way to configure Linux services to manage Linux hosts from deployment through day-to-day use.
The configurations have been tested on CentOS >= 6 systems but can be adapted to other GNU/Linux distributions.
Name resolution service
BIND uses named.conf as its default configuration file. On CentOS the file is in the /etc directory; on Debian it is in /etc/bind.
While Debian uses the include feature to split the configuration into several files, CentOS uses only named.conf; you can use the include feature there too.
The next sample listens on localhost and the public IP, then defines a VIEW to restrict access.
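//
// DNS configuration file (BIND named.conf)
//
// LOCAL_IP, BACKUP_SRV_IP, FORWARDER_IP1/2 and the "#CIDR/" lines are
// placeholders to be filled in for the target host and network.
options {
    check-names master ignore;
    directory "/somewhere/local/named";
    dump-file "/somewhere/local/named/data/cache_dump.db";
    statistics-file "/somewhere/local/named/data/named_stats.txt";
    // Answer version.bind CHAOS queries with this string instead of the real version.
    version "not currently available";
    listen-on-v6 { none; };
    notify explicit;
    // "forward only" forces named to query only the forwarders
    // forward only;
    // Listen on loopback and the host's own address only.
    listen-on { 127.0.0.1; LOCAL_IP; };
};
include "/etc/rndc.key";
// rndc control channel: loopback only, and authenticated with the rndc key.
controls {
    inet 127.0.0.1 port 953
        allow { 127.0.0.1; } keys { "rndc-key"; };
};
// All categories are listed, but logging everything is too verbose;
// uncomment only the categories wanted, "on demand".
logging {
    channel vers_fichier {
        file "/somewhere/local/named/log/named.log" versions 50 size 100m;
        severity dynamic;
        print-category yes;
        print-severity yes;
        print-time yes;
    };
    channel vers_syslog {
        syslog local2;
        severity info;
        print-category yes;
        print-severity yes;
        print-time yes;
    };
    //category panic { vers_syslog; vers_fichier; };
    //category packet { vers_fichier; };
    //category eventlib { vers_fichier; };
    category default { vers_syslog; };
    category general { vers_syslog; vers_fichier; };
    category client { vers_syslog; };
    category config { vers_syslog; vers_fichier; };
    category database { vers_syslog; };
    category dnssec { vers_syslog; };
    category lame-servers { vers_syslog; };
    category network { vers_syslog; };
    category notify { vers_syslog; vers_fichier; };
    // Every query is sent to syslog; useful for auditing but can be high volume.
    category queries { vers_syslog; };
    category resolver { vers_syslog; };
    category security { vers_syslog; };
    category update { vers_syslog; };
    category unmatched { vers_syslog; vers_fichier; };
    category xfer-in { vers_syslog; };
    category xfer-out { vers_syslog; };
};
// ACL definitions for the views
acl "MYNETWORK" {
    127.0.0.1/32;
    // Add the network(s) allowed to query this server, e.g. a CIDR prefix.
    #CIDR/
};
view "MYNETWORK" {
    // Only clients matching the ACL see this view; a client that matches
    // no view at all is refused by named.
    match-clients { "MYNETWORK"; };
    // Global section for the view
    transfer-source LOCAL_IP;
    query-source address LOCAL_IP;
    notify-source LOCAL_IP;
    // Each of these statements needs a terminating ';' after the closing brace,
    // otherwise named refuses to load the file.
    also-notify { BACKUP_SRV_IP; };
    // Zone transfers are allowed to the backup server only (zones may override this).
    allow-transfer { BACKUP_SRV_IP; };
    allow-query {
        127.0.0.1;
        #CIDR/
    };
    // NOTE(review): allow-recursion is not set here; confirm that the default
    // recursion policy matches the clients listed in allow-query.
    forwarders {
        #FORWARDER_IP1;
        #FORWARDER_IP2;
    };
    // presumably an empty hint file so that no root servers are known to
    // this view; verify the content of primary/dummy-block.
    zone "." IN {
        type hint;
        file "primary/dummy-block";
    };
    zone "0.0.127.in-addr.arpa" IN {
        type master;
        file "primary/named.0.0.127";
        // Overrides the view-level allow-transfer: the loopback zone is never transferred.
        allow-transfer { none; };
    };
    zone "IP.in-addr.arpa" IN {
        type master;
        file "primary/named.IP";
    };
    zone "domain.name" IN {
        type master;
        file "primary/named.domain.name";
    };
};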
DHCP and BOOTP service
The service uses the ISC DHCP server. The next sample allows network deployment and DHCP service only for known hosts. For security reasons, dynamic DNS update is disabled. The omapi-port is defined to allow system query tools.
DHCP server configuration
TODO: add iPXE configuration
# ISC dhcpd configuration: PXE/BOOTP network deployment, leases for known hosts only.
# TFTP_SERVER_IP, DEFAULT_GW_IP, SERVERNAME_IP1/2, _host_ip_ and _some_host_name_
# are placeholders to be filled in.
allow bootp;
allow booting;
# boot-unknown-clients false;
# ddns-update-style ad-hoc;
# The DHCP server never sends dynamic DNS updates.
ddns-update-style none;
authoritative;
# Lease times are in seconds: 259200 = 3 days.
default-lease-time 259200;
# Do not honour client requests to update their own DNS records
# (moot here because DDNS is disabled above).
deny client-updates;
deny declines;
deny duplicates;
#deny leasequery;
filename "linux-install/pxelinux.0";
# Only hosts with a host declaration get an answer; unknown MACs are ignored.
ignore unknown-clients;
# boot-unknown-clients false;
# max-lease-time 43200; # CentOS default
max-lease-time 259200;
# NOTE(review): no omapi-key is defined, so OMAPI on this port accepts
# unauthenticated connections from any host that can reach it; pair it with an
# omapi-key and restrict the port at the host firewall.
omapi-port 7911;
one-lease-per-client true;
# Vendor option space for PXE clients (option codes per the PXE specification).
option space PXE;
option PXE.mtftp-ip code 1 = ip-address;
option PXE.mtftp-cport code 2 = unsigned integer 16;
option PXE.mtftp-sport code 3 = unsigned integer 16;
option PXE.mtftp-tmout code 4 = unsigned integer 8;
option PXE.mtftp-delay code 5 = unsigned integer 8;
option PXE.discovery-control code 6 = unsigned integer 8;
option PXE.discovery-mcast-addr code 7 = ip-address;
# Clients announcing themselves as PXEClient or Etherboot get the TFTP server below.
class "pxeclients" {
# match if substring (option vendor-class-identifier,0,9)="PXEClient";
# Etherboot added so that libvirt virtual machines can boot too.
match if substring (option vendor-class-identifier,0,9)="PXEClient" or substring (option vendor-class-identifier,0,9)="Etherboot";
#option vendor-class-identifier "PXEClient";
vendor-option-space PXE;
option PXE.mtftp-ip 0.0.0.0;
next-server TFTP_SERVER_IP;
}
# Named group referenced by the host declarations ("group LINUX;").
# NOTE(review): next-server uses the hostname "instsrv" here but the IP
# placeholder above; confirm both resolve to the same TFTP server.
group LINUX {
next-server instsrv;
server-name "TFTP_SERVER_IP";
filename "linux-install/pxelinux.0";
}
subnet 192.168.0.0 netmask 255.255.255.0 {
ignore unknown-clients;
option routers DEFAULT_GW_IP;
option domain-name "domain.name";
option domain-name-servers SERVERNAME_IP1 SERVERNAME_IP2;
}
# One host declaration per deployable machine: MAC -> fixed address, boot settings from group LINUX.
host _some_host_name_ { hardware ethernet 11:22:33:44:55:66; fixed-address _host_ip_; group LINUX; }
TFTP (pxelinux) configuration for a RHEL kickstart network installation
# pxelinux.cfg entry for one host (the _*_ values are placeholders filled in by the generator).
# PROMPT 0: do not show the boot: prompt, go straight to the default label.
PROMPT 0
# timeout is in tenths of a second: 20 s before the default label boots.
timeout 200
SAY ============================
SAY - :host: _some_host_name_
SAY - :profile: puppet profile
SAY - :id: _some_ref_
SAY - :mac: _host_mac_addr_
SAY - :desc: _host_description
SAY - :date: 2017-12-06T11:20:40.706179
SAY ============================
default _some_host_name_
label _some_host_name_
kernel kernels/vmlinuz
# The kickstart file is fetched over plain HTTP with no authentication; kickstart
# files commonly carry credentials, so restrict which hosts can reach _kickstart_server_.
# ksdevice/device pin the install NIC to eth0; net.ifnames=0 biosdevname=0 keep the legacy name.
APPEND initrd=kernels/initrd.img ks=http://_kickstart_server_/_some_host_name_.cfg ksdevice=eth0 network net.ifnames=0 biosdevname=0 devfs=nomount noshell device=eth0
SSH admin server
For security reasons, it is useful to run a dedicated admin SSH server on a separate, filtered port. Here is an example:
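# Dedicated admin sshd instance (started with its own config file; it uses its own PidFile).
# XXX, _host_1 and host_2 are placeholders.
Port XXX
AddressFamily inet
# NOTE(review): this binds every IPv4 address, so the "filtered port" relies
# entirely on the host firewall; binding to the management address only would
# not depend on it.
ListenAddress 0.0.0.0
AcceptEnv LANG LC_CTYPE USERLOGIN
# No agent or TCP forwarding through the admin instance.
AllowAgentForwarding no
AllowTcpForwarding no
ChallengeResponseAuthentication no
ClientAliveInterval 60
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
IgnoreUserKnownHosts yes
MaxAuthTries 3
# Password logins are off: public key or GSSAPI only.
PasswordAuthentication no
# Root may log in, but only with a non-password method (keys or GSSAPI here).
PermitRootLogin without-password
PidFile /var/run/sshd_admin.pid
PrintMotd no
Protocol 2
# TODO RSAAuthentication no
# RSAAuthentication only concerns SSH protocol 1: it has no effect with
# Protocol 2, and OpenSSH 7.4 and later treat the keyword as deprecated.
RSAAuthentication yes
SyslogFacility AUTHPRIV
# emergency root ssh access
PubkeyAuthentication yes
Subsystem sftp /usr/libexec/openssh/sftp-server
# AllowUsers patterns are separated by spaces; a comma is not a separator in
# sshd_config and would become part of the host pattern.
AllowUsers root@_host_1 userx@host_2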
SSH service for users
The next example uses Kerberos authentication:
# User-facing sshd: Kerberos (GSSAPI) single sign-on, no public keys, no root login.
Protocol 2
SyslogFacility AUTHPRIV
PermitRootLogin no
# Key-based login is disabled so that every login goes through Kerberos or PAM.
PubkeyAuthentication no
# NOTE(review): password logins stay enabled (validated through PAM below), so
# this server is exposed to password guessing; no MaxAuthTries is set here.
PasswordAuthentication yes
ChallengeResponseAuthentication no
# No fallback to the local password database when the Kerberos password check
# fails (only relevant if KerberosAuthentication is enabled, which this file does not set).
KerberosOrLocalPasswd no
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
# GSSAPIStoreCredentialsOnRekey and GSSAPIKeyExchange come from the GSSAPI
# key-exchange patch carried by the CentOS OpenSSH package, not from upstream OpenSSH.
GSSAPIStoreCredentialsOnRekey yes
GSSAPIKeyExchange yes
UsePAM yes
# Locale variables the client may pass into the session.
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL
AllowTcpForwarding no
# X11 forwarding exposes the user's X display to the remote host; keep it only where needed.
X11Forwarding yes
Subsystem sftp /usr/libexec/openssh/sftp-server
Autofs NFS configuration
Autofs is useful to mount remote filesystems on demand, which avoids blocking processes at boot time when the remote file server is down.
# Autofs map entries (NFS_SRV and /export/directory are placeholders).
# nodev,nosuid: ignore device nodes and setuid binaries coming from the server.
# hard,bg,retry=10000: keep retrying a down server in the background (retry is in
# minutes) instead of failing the process; 'intr' is kept for old kernels and is
# ignored since Linux 2.6.25.
# System security
# sec=sys: the server trusts the UID/GID presented by the client, so any host that
# can reach NFS_SRV can act as any user; acceptable only on a trusted network.
mountpoint1 -fstype=nfs,sec=sys,proto=tcp,nodev,nosuid,rw,hard,bg,intr,retry=10000 NFS_SRV:/export/directory
# NFS with kerberos5
# sec=krb5 authenticates users with Kerberos but does not protect the data on the
# wire; sec=krb5i adds integrity checking and sec=krb5p adds encryption.
mountpoint2 -fstype=nfs,sec=krb5,proto=tcp,nodev,nosuid,rw,hard,bg,intr,retry=10000 NFS_SRV:/export/directory