Building a Mass Restore System for a Computer Classroom

Building a Mass Restore System for a Computer Classroom
SOP (using classroom I2511 as the example)
Team members: 徐啟閎, 林啟哲, 李平, 李承鴻
Build process (outline)
• Build the server
• Fully install one client PC
• Use the finished client to capture a disk image and store it on the server
• Mass-install the remaining clients from that image
• Build complete
Services used
• DHCP: assigns IP addresses to the clients
• DNS: paired with DHCP so that IP addresses and host names map to each other
• TFTP: sends the PXE loader and the kernel files needed to boot to the clients
• NFS: clients fetch ks.cfg and the files needed for the rest of the installation
• squid: the classroom proxy
• HTTP: serves the reports produced by sarg
Server disk partition table

Device      Size     Filesystem   Mount point
/dev/sda1   1GB      Linux        /boot
/dev/sda2   140GB    Linux        /home
/dev/sda3   10GB     Linux        /
/dev/sda4   (extended partition)
/dev/sda5   150GB    Linux        (RAID member of md0, see step 13)
/dev/sda6   150GB    Linux        (RAID member of md1, see step 13)

Device      Size     Filesystem   Mount point
/dev/sdb1   1GB      Linux
/dev/sdb2   140GB    Linux
/dev/sdb3   10GB     Linux
/dev/sdb4   (extended partition)
/dev/sdb5   150GB    Linux        (RAID member of md0, see step 13)
/dev/sdb6   150GB    Linux        (RAID member of md1, see step 13)
Client disk partition table

Device      Name     Filesystem   Size
/dev/sda1   Backup   ext3         3G
/dev/sda2   Win7     NTFS         40G
/dev/sda3   WinXP    NTFS         15G
/dev/sda5   D:       NTFS         30G
/dev/sda6   Class1   ext3         15G
/dev/sda7   Ubuntu   ext3         15G
/dev/sda8   Class2   ext3         15G
Server build process (flow)
• Install CentOS
• Decide the partition layout
• Configure networking and the host name
• Update the system
• Configure DNS
• Configure DHCP
• Configure SELinux
• Install the required packages
• Configure TFTP
• Configure NFS
• Build the RAID
• Build the /data tree
• Restart all services and enable them at boot
• Build the firewall
• Configure squid and install sarg
Server build process
• 1. Install CentOS 5.5
  – no graphical interface is needed
• 2. Decide the partition layout
  – command: fdisk /dev/sda
  – sda1   1G     /boot
  – sda2   140G   /home
  – sda3   10G    /
Server build process - network and host name
• 3. Set the IP addresses (eth0 faces the campus network, eth1 faces the classroom)
  – vim /etc/sysconfig/network-scripts/ifcfg-eth0
    • IPADDR=120.114.140.189
    • NETMASK=255.255.255.192
    • GATEWAY=120.114.140.190
  – vim /etc/sysconfig/network-scripts/ifcfg-eth1
    • IPADDR=192.168.25.254
    • NETMASK=255.255.255.0
• 4. Set the host name
  – vim /etc/sysconfig/network
  – HOSTNAME=i2511.dic.ksu
• 5. Set the name servers the server itself uses
  – vim /etc/resolv.conf
  – nameserver 120.114.150.1
  – nameserver 120.114.100.1
Server build process
• 6. Update the system
  – yum clean all
  – yum update
• 7. Install the required packages
  – setroubleshoot
    • yum install setroubleshoot
  – DHCP
    • yum install dhcp
  – DNS
    • yum install bind
    • yum install caching-nameserver
    • yum install bind-chroot
  – TFTP
    • yum install tftp
    • yum install tftp-server
  – web server
    • yum install httpd
    • yum install php
    • yum install mysql
  – squid
    • yum install squid
Server build process
• 8. Configure SELinux
  – vim /etc/selinux/config
  – SELINUX=permissive   <<< change this to permissive; the default is enforcing
    (permissive only logs what enforcing would have blocked, which is what the setroubleshoot package installed above reports. From here on SELinux no longer enforces anything on this server, so the firewall and the file permissions later in this guide are the only remaining controls.)
• 9. Configure DHCP
  – /etc/sysconfig/dhcpd
    • # Command line options here
    • DHCPDARGS=eth1   (serve DHCP only on the classroom interface)
  – /etc/dhcpd.conf
Contents of dhcpd.conf
#
# DHCP Server Configuration file.
# see /usr/share/doc/dhcp*/dhcpd.conf.sample
#
#1.
ddns-update-style none;
default-lease-time 259200;
max-lease-time 518400;
option routers 192.168.25.254;
option broadcast-address 192.168.25.255;
option domain-name-servers 192.168.25.254;
#2.
subnet 192.168.25.0 netmask 255.255.255.0 {
    range 192.168.25.1 192.168.25.100;
    option subnet-mask 255.255.255.0;
    option domain-name "i2511.dic.ksu";
    next-server 192.168.25.254;
    filename "/pxelinux.0";
    host station1.i2511.dic.ksu {
        hardware ethernet 00:1B:78:4F:FF:3E;
        fixed-address 192.168.25.1;
    }
    host station2.i2511.dic.ksu {
        hardware ethernet 00:1B:78:4F:FF:CE;
        fixed-address 192.168.25.2;
    }
    host station3.i2511.dic.ksu {
        hardware ethernet 00:1B:78:4F:FF:34;
        fixed-address 192.168.25.3;
    }
}
Fill in one host block per classroom PC with its MAC address and its IP address. Note that the fixed addresses (.1, .2, .3, ...) fall inside the dynamic range .1-.100; ISC dhcpd does not take fixed addresses out of the pool, so keep the station addresses out of the range statement (for example start the range above the highest station number) if a stray client must never be leased a station's address.
Server build process
• 10. Configure DNS
  – /var/named/chroot/etc/named.conf: the DNS configuration file
  – /var/named/chroot/var/named/named.192.168.25: reverse zone (inside the bind chroot)
  – /var/named/chroot/var/named/named.i2511.dic.ksu: forward zone (inside the bind chroot)
Contents of named.conf
options {
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    pid-file "/var/run/named/named.pid";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    allow-query { any; };
    allow-transfer { none; };
    allow-query-cache { localhost; };
};
zone "." {
    type hint;
    file "named.ca";
};
zone "i2511.dic.ksu" {
    type master;
    file "named.i2511.dic.ksu";
};
zone "25.168.192.in-addr.arpa" {
    type master;
    file "named.192.168.25";
};
The allow-query / allow-transfer / allow-query-cache lines belong inside the options block. allow-transfer { none; } stops anyone pulling the whole zone. As written, only localhost may use the cache, and with no allow-recursion line BIND uses the same list for recursion, so the classroom PCs (which dhcpd points at 192.168.25.254) only get answers for the two local zones; add 192.168.25.0/24 to allow-query-cache (or set allow-recursion) if the stations are meant to resolve outside names through this server.
Forward zone setup
Reverse zone setup
Contents of named.i2511.dic.ksu
$TTL 600
@           IN SOA  @ root (20110125 3H 1H 1W 1D)
@           IN NS   @
@           IN A    192.168.25.254
station1    IN A    192.168.25.1
station2    IN A    192.168.25.2
station3    IN A    192.168.25.3
station4    IN A    192.168.25.4
station5    IN A    192.168.25.5
station6    IN A    192.168.25.6
station7    IN A    192.168.25.7
station8    IN A    192.168.25.8
station9    IN A    192.168.25.9
station10   IN A    192.168.25.10
station11   IN A    192.168.25.11
station12   IN A    192.168.25.12
station13   IN A    192.168.25.13
station14   IN A    192.168.25.14
station15   IN A    192.168.25.15
station16   IN A    192.168.25.16
station17   IN A    192.168.25.17
station18   IN A    192.168.25.18
station19   IN A    192.168.25.19
station20   IN A    192.168.25.20
Contents of named.192.168.25
$TTL 600
@     IN SOA  i2511.dic.ksu. root.i2511.dic.ksu. (
              2010021101 28800 14400 3600000 86400 )
@     IN NS   i2511.dic.ksu.
254   IN PTR  i2511.dic.ksu.
1     IN PTR  station1.i2511.dic.ksu.
2     IN PTR  station2.i2511.dic.ksu.
3     IN PTR  station3.i2511.dic.ksu.
4     IN PTR  station4.i2511.dic.ksu.
5     IN PTR  station5.i2511.dic.ksu.
6     IN PTR  station6.i2511.dic.ksu.
7     IN PTR  station7.i2511.dic.ksu.
8     IN PTR  station8.i2511.dic.ksu.
9     IN PTR  station9.i2511.dic.ksu.
10    IN PTR  station10.i2511.dic.ksu.
11    IN PTR  station11.i2511.dic.ksu.
12    IN PTR  station12.i2511.dic.ksu.
13    IN PTR  station13.i2511.dic.ksu.
14    IN PTR  station14.i2511.dic.ksu.
15    IN PTR  station15.i2511.dic.ksu.
16    IN PTR  station16.i2511.dic.ksu.
17    IN PTR  station17.i2511.dic.ksu.
18    IN PTR  station18.i2511.dic.ksu.
19    IN PTR  station19.i2511.dic.ksu.
20    IN PTR  station20.i2511.dic.ksu.
Server build process
• 11. Configure TFTP
  – TFTP configuration file: /etc/xinetd.d/tftp
# default: off
# description: The tftp server serves files using the trivial file transfer \
#   protocol. The tftp protocol is often used to boot diskless \
#   workstations, download configuration files to network-aware printers, \
#   and to start the installation process for some operating systems.
service tftp
{
    disable      = no
    socket_type  = dgram
    protocol     = udp
    wait         = yes
    user         = root
    server       = /usr/sbin/in.tftpd
    server_args  = -s /data/tftpboot    # TFTP shared directory; -s chroots in.tftpd into it, so clients can only reach that tree
    per_source   = 11
    cps          = 100 2
    flags        = IPv4
}
Server build process
• 12. Configure NFS
  – NFS configuration file: /etc/exports
/data/iso                     192.168.25.0/24(rw,sync)
/data/restore                 192.168.25.0/24(rw,sync)
/data/kickstart               192.168.25.0/24(ro,sync)
/data/tftpboot                192.168.25.0/24(ro,sync)
/data/tftpboot/pxelinux.cfg   192.168.25.0/24(rw,sync)
  – The restore scripts need /data/restore and pxelinux.cfg writable from the clients, but rw to the whole /24 means any machine plugged into the classroom network can overwrite the images that will be written to every PC, or the boot entry a PC receives. Narrow these two exports to the stations that need them where the classroom wiring allows it, and keep the default root_squash.
• Pin the NFS ports (so the firewall can open a fixed range)
  – edit /etc/sysconfig/nfs
    RQUOTAD_PORT=901
    RPCRQUOTADOPTS="-p 901"    # extra daemon options; the slide had a bare "901", which rpc.rquotad does not accept as an option
    LOCKD_TCPPORT=902
    LOCKD_UDPPORT=902
    MOUNTD_PORT=903
    STATDARG="-p 904"          # same: this variable carries rpc.statd options, not a bare port number
    STATD_PORT=904
Server build process
• 13. Build the RAID
  – First use fdisk to create the partitions below (sda5/sda6 and sdb5/sdb6 from the server partition table)
    sda5 (150GB) + sdb5 (150GB)  ->  md0 (300GB)
    sda6 (150GB) + sdb6 (150GB)  ->  md1 (300GB)
  – Create the arrays
    mdadm --create --auto=yes /dev/md0 --raid-devices=2 --level=0 /dev/sda5 /dev/sdb5
    mdadm --create --auto=yes /dev/md1 --raid-devices=2 --level=0 /dev/sda6 /dev/sdb6
    (the slide listed sda5/sdb5 for md1 as well; md1 is built from sda6/sdb6. Level 0 stripes the two partitions, which is why each array is 300GB, but it has no redundancy: losing either disk loses both arrays, so keep a copy of the images elsewhere.)
  – mdadm --detail /dev/md0 shows the array status
  – The arrays must also be written into mdadm's configuration file for the setup to be complete
    How to look up the UUIDs:
    mdadm --detail /dev/md0 | grep --color=auto 'UUID'
    mdadm --detail /dev/md1 | grep --color=auto 'UUID'
    vim /etc/mdadm.conf
    ARRAY /dev/md0 UUID=08f97298:432e6d90:09b192ff:ecd30200
    ARRAY /dev/md1 UUID=e09247d3:0c2f54b6:068e87ab:fe78a3ad
  – Edit /etc/fstab so the arrays are mounted automatically at boot (format each array as ext3 first, e.g. mkfs.ext3 /dev/md0)
    vim /etc/fstab
    /dev/md0    /data     ext3    defaults    1 2
    /dev/md1    /proxy    ext3    defaults    1 2
Server build process - layout of the /data tree
(directories shown as d755 etc., files as -644 / -755; the slide was a diagram, and the placement of images/ under restore/ follows the restore scripts' mount of /data/restore)

/data (d755)
├── iso (d755)
│   └── network-install.iso (-644)
├── kickstart (d755)
│   └── ks.cfg (-755)
├── restore (d755)
│   ├── images (d777)
│   │   └── i2511 (d777)
│   │       ├── dcms_i2511_class1.img (-644)
│   │       ├── dcms_i2511_class2.img (-644)
│   │       ├── dcms_i2511_data.img (-644)
│   │       ├── dcms_i2511_sda7.img (-644)
│   │       ├── dcms_i2511_win7.img (-644)
│   │       └── dcms_i2511_newxp.img (-644)
│   ├── scripts (d755)
│   │   ├── dcms_first_rewrite.sh (-644)
│   │   ├── dcms_menu.sh (-644)
│   │   ├── dcms_restore.sh (-644)
│   │   └── firewall.sh (-644)
│   └── software (d755)
│       ├── partimage-0.6.6-1.fc7.rf.i386.rpm (-755)
│       ├── partimage-0.6.6-1.el5.rf.x86_64.rpm (-755)
│       └── udpcast-20091230-1.i386.rpm (-644)
└── tftpboot (d755)
    ├── kernel (d755)
    │   ├── initrd.img (-644)
    │   └── vmlinuz (-755)
    ├── pxelinux.0 (-644)
    └── pxelinux.cfg (d777)
        ├── default (-644)
        ├── pxe_menu.sh (-644)
        ├── pxe_more.sh (-644)
        ├── pxe_script.sh (-644)
        └── pxe_wol.sh (-644)

The three d777 directories (images, images/i2511, pxelinux.cfg) are world-writable. Together with the rw NFS exports of /data/restore and pxelinux.cfg this lets any user on any classroom PC replace an image or a boot entry; give them to the user the restore scripts actually run as and use 755 instead.
Server build process - edit the kickstart script
• /data/kickstart/ks.cfg
  – line 5:  nfs --server=192.168.25.254 --dir=/data/iso
  – line 51: mount -t nfs 192.168.25.254:/data/restore /server
  – line 66: mount -t nfs 192.168.25.254:/data/tftpboot/pxelinux.cfg /server
Server build process - edit the restore scripts
• Set the NFS mount path (the mou= line) in each of the three scripts; the slide places it at lines 24, 29 and 33 respectively
  – /data/restore/scripts/dcms_first_rewrite.sh
    • mou=192.168.${domain}.254:/data/restore
  – /data/restore/scripts/dcms_menu.sh
    • mou=192.168.${domain}.254:/data/restore
  – /data/restore/scripts/dcms_restore.sh
    • mou=192.168.${domain}.254:/data/restore
Server build process - edit the PXE scripts
• /data/tftpboot/pxelinux.cfg/pxe_menu.sh
  – from line 12:
    /usr/bin/sudo /bin/sh /data/tftpboot/pxelinux.cfg/pxe_script.sh ${num}
    sleep 1s
    ############################ wol ###########################
    /usr/bin/sudo /bin/sh /data/tftpboot/pxelinux.cfg/pxe_wol.sh ${num}
    sleep 1s
• /data/tftpboot/pxelinux.cfg/pxe_more.sh
    for num in $(seq 1 19)    # classroom PC numbers
    do
        sh /data/tftpboot/pxelinux.cfg/pxe_script.sh $num
        sleep 1s
        sh /data/tftpboot/pxelinux.cfg/pxe_wol.sh $num
        sleep 1s
    done
Server build process - edit the PXE scripts (continued)
• /data/tftpboot/pxelinux.cfg/pxe_script.sh
    case $1 in
    "1")
        pxedata='01-00-1b-78-4f-ff-3e'
        ;;
    "2")
        pxedata='01-00-1b-78-4f-ff-ce'
        ;;
    # one entry per station, continued in the same way
    esac
  – edit the MAC address for each station number in turn (pxelinux fetches pxelinux.cfg/01-<MAC in lower case with dashes>, which is what pxedata names)
• /data/tftpboot/pxelinux.cfg/pxe_wol.sh
    case $1 in
    "1")
        /usr/bin/sudo /sbin/ether-wake -i eth1 00:1B:78:4F:FF:3E
        ;;
    "2")
        /usr/bin/sudo /sbin/ether-wake -i eth1 00:1B:78:4F:FF:CE
        ;;
    # one entry per station, continued in the same way
    esac
  – edit the MAC address for each station number in turn
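The same two facts per PC (its number and its MAC) are copied by hand into four places above: the host block in dhcpd.conf, the A record in named.i2511.dic.ksu, the PTR record in named.192.168.25, and the 01-<mac> name in pxe_script.sh (which is also the file name pxelinux itself requests). The script below is an added example, not part of the slides or of the dcms scripts; it derives all four from one station list so they cannot drift apart. It assumes the subnet, server address and domain from the slides, that station N gets address 192.168.25.N, and a constructed station list whose first three MACs are the ones in the slides' dhcpd.conf and whose fourth is invented.

```shell
#!/bin/sh
# Added example (not from the original slides or the dcms scripts).
# From ONE station list, generate the things that must agree per PC:
#   1. the host block for /etc/dhcpd.conf
#   2. the A record (named.i2511.dic.ksu) and PTR record (named.192.168.25)
#   3. the pxelinux.cfg/01-<mac> file name that pxe_script.sh hard-codes
# Assumptions (taken from the slides): subnet 192.168.25.0/24, server at
# .254, domain i2511.dic.ksu, and station N is 192.168.25.N.

DOMAIN="i2511.dic.ksu"
NET="192.168.25"

# Constructed station list "<number> <MAC>". The first three MACs are the
# ones shown in the slides' dhcpd.conf; the fourth is invented for the demo.
STATIONS="1 00:1B:78:4F:FF:3E
2 00:1B:78:4F:FF:CE
3 00:1B:78:4F:FF:34
4 00:1B:78:4F:FF:01"

# A MAC must be six colon-separated hex pairs; anything else is rejected so
# a typo cannot silently produce a host block nobody will ever match.
valid_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# pxelinux requests pxelinux.cfg/01-<mac, lower case, colons as dashes>
mac_to_pxename() {
    printf '01-%s\n' "$1" | tr 'A-Z:' 'a-z-'
}

# One host block for dhcpd.conf: $1 = station number, $2 = MAC
dhcp_host() {
    cat <<EOF
host station$1.$DOMAIN {
    hardware ethernet $2;
    fixed-address $NET.$1;
}
EOF
}

# Forward (A) record for named.i2511.dic.ksu
forward_record() {
    printf 'station%s\tIN A\t%s.%s\n' "$1" "$NET" "$1"
}

# Reverse (PTR) record for named.192.168.25
reverse_record() {
    printf '%s\tIN PTR\tstation%s.%s.\n' "$1" "$1" "$DOMAIN"
}

# Walk the list and emit every artefact; malformed entries go to stderr.
generate_all() {
    printf '%s\n' "$STATIONS" | while read -r num mac; do
        [ -n "$num" ] || continue
        if ! valid_mac "$mac"; then
            echo "station $num: bad MAC '$mac', skipped" >&2
            continue
        fi
        echo "# --- station $num ---"
        dhcp_host "$num" "$mac"
        forward_record "$num"
        reverse_record "$num"
        echo "pxelinux.cfg/$(mac_to_pxename "$mac")"
    done
}

# Number of valid stations (cross-check against the "seq 1 19" in pxe_more.sh)
station_count() {
    generate_all 2>/dev/null | grep -c '^host '
}

generate_all
```

Run it once and paste the pieces into the respective files; when a PC's network card is replaced, change the one line in the station list and regenerate instead of hunting for the old MAC in four files.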
Server build process - configure squid
• Create the following files under /etc/squid
  – game_url (mode 666)
  – web_url (mode 666)
  – pc_mac (mode 666)
  (squid only needs to read these lists; mode 666 lets every local account on the server rewrite what is blocked, so root-owned 644 is the better choice)
• Edit the squid configuration file
  – vim /etc/squid/squid.conf, ACL section from line 574:
acl all src 0.0.0.0/0.0.0.0
acl dicip src 192.168.25.0/24
acl dicdn dstdomain tw.yahoo.com tw.google.com tw.msn.com
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT
acl gameurl url_regex "/etc/squid/game_url"
http_access deny gameurl
acl weburl url_regex "/etc/squid/web_url"
http_access deny weburl
acl pcmac arp "/etc/squid/pc_mac"
http_access deny pcmac
Server build process
• squid.conf contents (continued); the line numbers are where the slide placed each edit in the stock file
http_access allow dicip                          # line 618
http_access deny all
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports                     # line 627
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access deny all
icp_access deny all
icp_access allow all
http_port 3128 transparent                       # line 931
cache_peer proxy.ksu.edu.tw parent 3128 3130
hierarchy_stoplist cgi-bin ?                     # line 1551
cache_mem 0 MB
cache_dir ufs /var/spool/squid 500 16 256
cache_dir ufs /proxy/proxy1 100000 64 254
cache_dir ufs /proxy/proxy2 100000 64 254
cache_dir ufs /proxy/proxy3 100000 64 254
cache_swap_low 75
cache_swap_high 90
access_log /var/log/squid/access.log squid
cache_store_log /var/log/squid/store.log
pid_filename /var/run/squid.pid
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern .               0       20%     4320
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
visible_hostname i2511.dic.ksu
icp_port 3130
always_direct allow dicip dicdn
allow_underscore on
coredump_dir /var/spool/squid
• Rule order matters: squid stops at the first http_access line that matches. The three deny lines for gameurl, weburl and pcmac come first, so the block lists work, but http_access allow dicip followed by deny all at line 618 ends evaluation for every request from the classroom before the manager, deny !Safe_ports and deny CONNECT !SSL_ports lines are reached, so those checks never apply to the stations. Move allow dicip below deny CONNECT !SSL_ports (the stock file marks that spot for your own rules) if they are meant to. Likewise icp_access deny all comes before icp_access allow all, so the allow line is never used.
Server build process
• Install sarg
  – wget http://www.sfr-fresh.com/unix/privat/sarg-2.3.1.tar.gz
    (a plain-http download from a mirror; compare the archive against the sarg project's own release before building and installing it as root)
  – yum install gcc
  – tar zxvf sarg-2.3.1.tar.gz
  – cd sarg-2.3.1
  – ./configure
  – make
  – make install
Server build process
• Edit sarg.conf
  – vim /usr/local/etc/sarg.conf
  – sarg.conf contents (line numbers refer to the stock file)
    language English                               # line 30
    access_log /var/log/squid/access.log           # line 37
    title "I2511 SARG WEB"                         # line 56
    output_dir /var/www/html/dcms/sarg             # line 152
    overwrite_report no                            # line 241
    exclude_codes /usr/local/etc/exclude_codes     # line 282
    max_elapsed 28800000                           # line 294
    charset UTF-8                                  # line 372
• Run the sarg command to generate the report
  – browse to http://120.114.140.189/dcms/sarg/ to view the monitoring results
  – the report lists every station's browsing history, and the firewall below opens port 80 on both interfaces, so as configured anyone who can reach 120.114.140.189 can read it; restrict the /dcms/sarg directory in httpd (source address or a password) before relying on it
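Before trusting the nightly sarg report it is worth checking directly in squid's access.log that the gameurl, weburl and pcmac deny rules are producing TCP_DENIED entries for the clients and hosts you expect. The script below is an added example, not part of the slides or of sarg; it assumes the native squid log format selected by the access_log line above (time, elapsed, client, action/status, size, method, URL, ident, hierarchy, type) and runs over a constructed set of log lines with invented clients, hosts and timestamps.

```shell
#!/bin/sh
# Added example (not from the original slides or from sarg): quick check
# that squid's deny rules are taking effect, run over access.log before
# the nightly sarg report. Assumes squid's native log format, as set by
# "access_log /var/log/squid/access.log squid" in squid.conf:
#   time elapsed client action/status size method url ident hier/from type

# Constructed sample lines (not real traffic); hosts and clients invented.
SAMPLE_LOG='1296000001.123    120 192.168.25.1 TCP_MISS/200 5120 GET http://tw.yahoo.com/ - DIRECT/203.0.113.10 text/html
1296000002.456      0 192.168.25.2 TCP_DENIED/403 1800 GET http://games.example.net/play - NONE/- text/html
1296000003.789      0 192.168.25.2 TCP_DENIED/403 1800 GET http://games.example.net/lobby - NONE/- text/html
1296000004.012    300 192.168.25.3 TCP_HIT/200 9000 GET http://www.example.org/ - NONE/- text/html
1296000005.345      0 192.168.25.7 TCP_DENIED/403 1800 CONNECT chat.example.net:5222 - NONE/- -'

# Denied requests per client IP, most denials first (field 3 = client,
# field 4 = action/status). Reads the log on stdin.
denied_per_client() {
    awk '$4 ~ "^TCP_DENIED/" { n[$3]++ }
         END { for (c in n) printf "%s %d\n", c, n[c] }' | sort -k2,2nr -k1,1
}

# Distinct destination hosts that were denied (host part of field 7 only),
# to confirm that a pattern in game_url / web_url matched what you meant.
denied_hosts() {
    awk '$4 ~ "^TCP_DENIED/" {
            url = $7
            sub("^[a-z]+://", "", url)   # drop the scheme when present
            sub("[/:].*$", "", url)      # drop path and port, keep the host
            print url
         }' | sort -u
}

# Share of denied requests over all requests, as a whole-number percentage.
denied_percent() {
    awk '{ t++ } $4 ~ "^TCP_DENIED/" { d++ }
         END { if (t == 0) print 0; else printf "%d\n", (d * 100) / t }'
}

printf '%s\n' "$SAMPLE_LOG" | denied_per_client
printf '%s\n' "$SAMPLE_LOG" | denied_hosts
printf '%s\n' "$SAMPLE_LOG" | denied_percent
```

On the server, feed the real file instead of the sample (for example `denied_hosts < /var/log/squid/access.log`). A station that should be blocked by pc_mac but never appears in denied_per_client is the first thing to look at, since the arp ACL only sees the MAC when the client is on the same segment as eth1.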
Server build process - build the firewall (firewall.sh)
#########################################
iptables -F
iptables -X
iptables -Z
#########################################
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
#########################################
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p icmp -j ACCEPT
##################### DNS ####################
iptables -A INPUT -p udp --dport 53 -j ACCEPT
iptables -A INPUT -p tcp --dport 53 -j ACCEPT
iptables -A INPUT -p tcp --dport 953 -j ACCEPT    # rndc control channel; only localhost needs it (already allowed via lo), so this line can be dropped
##################### TFTP ###################
iptables -A INPUT -i eth1 -p udp --dport 69 -j ACCEPT
##################### DHCP ###################
iptables -A INPUT -i eth1 -p udp --dport 67 -j ACCEPT
##################### NFS ####################
iptables -A INPUT -i eth1 -p udp --dport 111 -j ACCEPT
iptables -A INPUT -i eth1 -p tcp --dport 111 -j ACCEPT
iptables -A INPUT -i eth1 -p udp --dport 2049 -j ACCEPT
iptables -A INPUT -i eth1 -p tcp --dport 2049 -j ACCEPT
iptables -A INPUT -i eth1 -p udp --dport 901:904 -j ACCEPT    # the ports pinned in /etc/sysconfig/nfs
iptables -A INPUT -i eth1 -p tcp --dport 901:904 -j ACCEPT
##################### SSH ####################
iptables -A INPUT -i eth1 -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -i eth0 -s 120.114.140.0/24 -p tcp --dport 22 -j ACCEPT    # the slide had "-dport"; iptables requires "--dport"
iptables -A INPUT -i eth0 -s 120.114.141.0/24 -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -i eth0 -s 120.114.142.0/24 -p tcp --dport 22 -j ACCEPT
##################### HTTP ###################
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
##################### FTP ####################
iptables -A INPUT -p tcp --dport 21 -j ACCEPT    # no FTP server is installed in this procedure; omit unless one is added
##################### NAT ####################
# net.ipv4.ip_forward must be 1 for the MASQUERADE rule to carry client traffic
iptables -t nat -F
iptables -t nat -X
iptables -t nat -Z
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P POSTROUTING ACCEPT
iptables -t nat -P OUTPUT ACCEPT
iptables -t nat -A POSTROUTING -s 192.168.25.0/24 -o eth0 -j MASQUERADE
##################### SQUID ##################
iptables -A INPUT -i eth1 -p tcp --dport 3128 -j ACCEPT
# Classroom requests to the server's own web server (either address) are accepted here
# so they are not redirected; every other port-80 request from the classroom goes to squid.
iptables -t nat -A PREROUTING -s 192.168.25.0/24 -d 120.114.140.189 -i eth1 -p tcp --dport 80 -j ACCEPT
iptables -t nat -A PREROUTING -s 192.168.25.0/24 -d 192.168.25.254 -i eth1 -p tcp --dport 80 -j ACCEPT
iptables -t nat -A PREROUTING -s 192.168.25.0/24 -p tcp --dport 80 -j REDIRECT --to-ports 3128
#############################################
/etc/init.d/iptables save
Server build process
• Restart all services and enable them at boot
  – /etc/init.d/network restart
  – /etc/init.d/dhcpd restart
  – chkconfig dhcpd on          # the slide said "chkconfig dhcp on"; the service name on CentOS 5 is dhcpd
  – /etc/init.d/xinetd restart   # xinetd provides the TFTP service
  – chkconfig xinetd on
  – /etc/init.d/named restart
  – chkconfig named on
  – /etc/init.d/nfs restart
  – chkconfig nfs on
  – /etc/init.d/httpd restart
  – chkconfig httpd on
  – /etc/init.d/squid restart
  – chkconfig squid on
  – /etc/init.d/setroubleshoot restart
  – chkconfig setroubleshoot on  # the slide said "chkconfig setroubleshoot restart", which is not a valid chkconfig action
Server build process - viewing the sarg results (screenshot slide, no text)
Other server settings
• Block SSH login as root
  – vim /etc/ssh/sshd_config
    • PermitRootLogin no         (line 39)
    # root can no longer ssh in directly
• Give user dic the right to sudo to root
  – Add user dic; the slide sets the password to 123456. Treat that as a placeholder and choose a real password, because this account can become root and port 22 is open to three campus /24s in the firewall
    • useradd dic
    • echo 123456 | passwd --stdin dic
  – Use visudo to edit the sudo configuration
    – find the line   root    ALL=(ALL)    ALL   (around line 76)
    – add a line for the user below it, e.g.   vbird    ALL=(ALL)    ALL   ; here:   dic    ALL=(ALL)    ALL
• Let the server update itself every day
  – vim /etc/crontab
  – add: 0 1 * * * root yum -y update && yum clean packages
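A detail that bites when editing sshd_config by line number: sshd uses the first uncommented occurrence of each keyword, so a PermitRootLogin no added below an earlier PermitRootLogin yes (or one that is still active further down the file) changes nothing, and the commented-out default above line 39 is easy to misread as the active value. The helper below is an added example, not from the slides; it reports the value sshd will actually use, on a constructed sample sshd_config that deliberately contains both a commented default and a duplicate keyword.

```shell
#!/bin/sh
# Added example (not from the original slides): check that the sshd_config
# edit took effect. sshd applies the FIRST uncommented occurrence of a
# keyword, so these helpers read a config text the same way. Match blocks
# are not handled (a keyword inside a Match block applies conditionally).

# Constructed sample; this is not the server's real file. It has a
# commented default, the intended edit, and a stray duplicate below it.
SAMPLE_CONFIG='# Sample sshd_config (constructed)
Port 22
Protocol 2
#PermitRootLogin yes
PermitRootLogin no
PasswordAuthentication yes
PermitRootLogin yes'

# Print the effective value of keyword $1 (first match wins, keyword match
# is case-insensitive, comments and blank lines ignored); prints nothing
# when the keyword is not set. Reads the config on stdin.
effective_value() {
    awk -v key="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        /^[ \t]*(#|$)/       { next }
        tolower($1) == key   { print $2; exit }'
}

# How many uncommented occurrences of keyword $1 exist; more than one
# means a later duplicate that sshd ignores but a reader may trust.
keyword_count() {
    awk -v key="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        /^[ \t]*(#|$)/       { next }
        tolower($1) == key   { n++ }
        END                  { print n + 0 }'
}

# Exit status 0 when the config on stdin disables root logins.
root_login_disabled() {
    [ "$(effective_value PermitRootLogin)" = "no" ]
}

printf '%s\n' "$SAMPLE_CONFIG" | effective_value PermitRootLogin
printf '%s\n' "$SAMPLE_CONFIG" | keyword_count PermitRootLogin
if printf '%s\n' "$SAMPLE_CONFIG" | root_login_disabled; then
    echo "root ssh login: disabled"
else
    echo "root ssh login: STILL ALLOWED"
fi
```

On the server, run `root_login_disabled < /etc/ssh/sshd_config` after the edit and before `/etc/init.d/sshd restart`; a keyword_count above 1 is worth cleaning up even when the effective value is already right. On OpenSSH releases that have it, `sshd -T` prints the same effective values directly.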
The end