Verified Commit 6f73bb99 authored by anarcat's avatar anarcat

import old docs from alberti

parent ca1d6a33
This section is all old documentation imported from alberti.
[[!map pages="tsa/old/*"]]
on serra:
in /etc/backuppc:
- edit hosts, add the host in question
- create a file called $host.pl,
. include the common file,
. list shares to be backed up
(use an existing file as template)
sudo apt-get update &&
sudo apt-get install tor-nagios-checks &&
sudo sed -i -e 's/^#DAEMON/DAEMON/' /etc/default/nagios-nrpe-server &&
sudo env -i /etc/init.d/nagios-nrpe-server restart &&
if [ -e '/etc/firehol/firehol.conf' ] ; then
echo 'You might want to add these to /etc/firehol/firehol.conf:'
echo
cat << EOF
server custom monit tcp/4949 default accept src 38.229.70.32
server custom nrpe tcp/5666 default accept src 38.229.70.32
server ntp accept src 38.229.70.32
server icmp accept src 38.229.70.32
EOF
fi
#!/bin/bash
# RUN ON moly
#############
set -e
set -u
VG=vg0
SUITE=wheezy
MIRROR=http://ftp.us.debian.org/debian
#SPONSOR="xx"
check_installed() {
local p
for p in "$@"; do
if ! dpkg -l "$p" 2>/dev/null | grep -q '^ii'; then
echo >&2 "Error: package $p not installed:"
echo >&2 " apt-get install $*"
exit 1
fi
done
}
get_sshkey_fprs() {
local f
for f in etc/ssh/ssh_host*_key.pub; do
echo -n " "
ssh-keygen -l -f "$f"
done
}
cleanup() {
set +x
if [ -n "$disk" ]; then
echo "Maybe:"
echo "lvremove $disk"
fi
echo
if [ -n "${target:-}" ] && [ -e "$target" ]; then
cd /
if [ "$(stat -f / -c %i)" != "$(stat -f "$target" -c %i)" ]; then
umount "$target"
fi
rmdir "$target"
fi
if [ -n "${part1:-}" ]; then
kpartx -d -p -p -v "$disk"
fi
}
check_installed debootstrap debian-archive-keyring kpartx ipv6calc
echo -n "New VM's name: "
if [ -n "${1:-}" ]; then echo "$1"; guest="$1"; shift; else read guest; fi
echo
echo -n "Disk size: [8g]"
if [ -n "${1:-}" ]; then echo "$1"; disksize="$1"; shift; else read disksize; fi
disksize=${disksize:-8g}
trap cleanup EXIT
LV="$guest"
lvcreate -L "$disksize" -n "$LV" "$VG"
disk="/dev/mapper/$VG-$(echo $guest | sed -e 's/-/--/')"
target="/mnt/target-$guest"
if ! [ -e "$disk" ]; then
echo >&2 "Error: Disk $disk does not exist."
exit 1
fi
if [ -e "$target" ]; then
echo >&2 "Error: Directory $target already exists."
exit 1
fi
if [ "$(head -c 65536 "$disk" | sha1sum | awk '{print $1}')" != "1adc95bebe9eea8c112d40cd04ab7a8d75c4f961" ]; then
echo -n "Warning: Disk appears to be not be empty. Continue anyway? [y/N] "
read ans
[ "$ans" = "y" ] || exit 0
fi
echo -n "ipaddr: "
if [ -n "${1:-}" ]; then echo "$1"; ipaddr="$1"; shift; else read ipaddr; fi
netmask=255.255.255.192
gateway=38.229.72.1
ip6addr=2620:0:6b0:b:1a1a::${ipaddr}
ip6gateway=2620:0:6b0:b::1
set -x
if [ -e "$disk-part1" ]; then
# we already had a partition table and udev/kpartx got it at boot time
kpartx -v -d -p -part $disk
fi
echo '2048,,L,*' | sfdisk -u S --Linux "$disk"
kpartx -v -p -p -a "$disk"
part1="${disk}-p1"
mkfs.ext4 "$part1"
mkdir "$target"
mount "$part1" "$target"
cd "$target"
debootstrap --variant=minbase --keyring=/usr/share/keyrings/debian-archive-keyring.gpg "$SUITE" . "$MIRROR"
### Set up swap and fstab
dd if=/dev/zero of=swapfile bs=1024k count=512
chmod 0 swapfile
mkswap ./swapfile
uuidroot=$(blkid -s UUID -o value ${part1}) &&
cat > etc/fstab << EOF
UUID=$uuidroot / ext4 errors=remount-ro 0 1
/swapfile none swap sw 0 0
EOF
echo 'RAMTMP=yes' >> etc/default/tmpfs
### Set up basic networking stuff
echo "$guest" > etc/hostname
cat > etc/hosts << EOF
127.0.0.1 localhost
# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts
EOF
rm -fv etc/udev/rules.d/70-persistent-*
mkdir -p etc/udev/rules.d/
touch etc/udev/rules.d/75-persistent-net-generator.rules
cat > etc/network/interfaces << EOF
auto lo
iface lo inet loopback
auto eth0
iface eth0 inet static
address $ipaddr
netmask $netmask
up ip route add $gateway/32 dev \$IFACE
up ip route add default via $gateway dev \$IFACE
down ip route del default via $gateway dev \$IFACE
down ip route del $gateway/32 dev \$IFACE
iface eth0 inet6 static
address $ip6addr
gateway $ip6gateway
netmask 64
accept_ra 0
EOF
cat > etc/resolv.conf << EOF
nameserver 8.8.8.8
search torproject.org
EOF
### A couple packages
mv etc/apt/sources.list etc/apt/sources.list.d/debian.list
chroot . apt-get update
echo "Apt::Install-Recommends 0;" > etc/apt/apt.conf.d/local-recommends
chroot . apt-get install -y locales-all net-tools iproute ifupdown dialog vim netbase udev psmisc usbutils pciutils
### Set up kernel and bootloader
chroot . apt-get install -y linux-image-amd64
DEBIAN_FRONTEND=noninteractive chroot . apt-get install -y grub2
! [ -e dev/vda ]
! [ -e dev/vda1 ]
cp -av `readlink -f "$disk"` dev/new-root
cp -av `readlink -f "$part1"` dev/new-root1
chroot . grub-install --modules=part_msdos /dev/new-root
rm -v dev/new-root*
cp -av `readlink -f "$disk"` dev/vda
cp -av `readlink -f "$part1"` dev/vda1
rm boot/grub/device.map
chroot . update-grub
rm -v dev/vda*
rootpw="$(head -c 12 /dev/urandom | base64)"
echo "root:$rootpw" | chroot . chpasswd
### install ssh
chroot . apt-get install -y ssh
sed -i -e "s/`hostname`\$/$guest/" etc/ssh/ssh_host*_key.pub
sshkeys="$(get_sshkey_fprs)"
rsahostkey="$(cat etc/ssh/ssh_host_rsa_key.pub)"
### clean up
trap - EXIT
cleanup
echo "$guest's root password is $rootpw"
echo "SSH host key fingerprints are:"
echo "$sshkeys"
echo "IP addresses:"
echo " $ipaddr"
echo " $ip6addr"
echo
echo "ud-ldap ldpavi snippet:"
cat << EOF
add host=$guest,ou=hosts,dc=torproject,dc=org
host: $guest
hostname: $guest.torproject.org
objectClass: top
objectClass: debianServer
l: Germany
distribution: Debian GNU/Linux
access: restricted
admin: torproject-admin@torproject.org
architecture: amd64
sshRSAHostKey: $rsahostkey
ipHostNumber: $ipaddr
ipHostNumber: `ipv6calc --in ipv6addr --out ipv6addr $ip6addr`
mXRecord: 0 INCOMING-MX
physicalHost: `hostname -f`
description: XXX
purpose: XXX
EOF
#sponsor: $SPONSOR
echo "Maybe run this now: "
echo " cd /etc/tor-virt && git pull && virsh define `hostname`/$guest.xml && virsh autostart $guest"
echo "And then:"
echo " virsh start $guest"
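Review bot: Because tracing is switched on at `set -x` before partitioning and stays on until `cleanup` runs, the generated root password is written to the xtrace stream twice, at `rootpw="$(head -c 12 /dev/urandom | base64)"` and at `echo "root:$rootpw" | chroot . chpasswd`, so it ends up in any captured stderr or terminal log well before the deliberate summary line. Bracketing those two lines with `set +x` and `set -x` keeps the secret out of the trace. Separately, the guards `! [ -e dev/vda ]` and `! [ -e dev/vda1 ]` never abort under `set -e`, since bash exempts a command whose status is inverted with `!`; written as `[ ! -e dev/vda ]` and `[ ! -e dev/vda1 ]` they fail the script as intended. The imported page carries no file header, so I am reading `#!/bin/bash` through the final `virsh start` echo as one script.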
(all commands to be run as root unless otherwise noted)
* set a hostname - pick an unused one from https://svn.torproject.org/svn/projects/misc-sysadmin/onion-names.txt
* sane base setup
cat /dev/null > /etc/default/locale
# cat /etc/resolv.conf # and ensure it has domain torproject.org in it.
grep torproject.org /etc/resolv.conf || echo 'domain torproject.org' >> /etc/resolv.conf
cat /etc/hosts
* add to ldap on alberti
for i in /etc/ssh/ssh_host_rsa_key.pub /etc/ssh/ssh_host_ed25519_key.pub; do
echo "sshRSAHostKey: `cat $i`"; done
* then:
: on alberti : && sudo -u sshdist ud-generate && sudo -H ud-replicate
: on nevii : && sudo -H ud-replicate
* set up puppet:
: on pauli : &&
( puppet agent -t --environment=production || true ) &&
ud-replicate &&
sudo -H -u puppet make -C /srv/puppet.torproject.org/auto-ca install
: on new machine : &&
me=$(hostname -f) &&
[ "$me" != "${me%torproject.org}" ] &&
apt-get update &&
apt-get install -y --no-install-recommends puppet lsb-release &&
service puppet stop &&
systemctl mask puppet.service &&
(puppet agent -t || true ) &&
cd /var/lib/puppet/ssl/certificate_requests &&
echo sha256sum output: &&
echo &&
sha256sum $me.pem &&
echo &&
echo &&
cd /
: on pauli: &&
echo "paste sha256sum output now:" &&
read sha256 filename &&
cd /var/lib/puppet/ssl/ca/requests &&
( [ -e $filename ] || (echo "$filename does not exist."; exit 1) ) &&
echo -e "$sha256 $filename" | sha256sum -c &&
puppet ca sign $(basename "$filename" .pem) &&
echo &&
echo &&
echo &&
echo 'cat > /var/lib/puppet/ssl/certs/ca.pem << EOF ' &&
cat /var/lib/puppet/ssl/certs/ca.pem &&
echo 'EOF' &&
echo "cat > /var/lib/puppet/ssl/certs/$filename << EOF " &&
cat /var/lib/puppet/ssl/ca/signed/$filename &&
echo 'EOF' &&
echo 'puppet agent --enable' &&
echo 'puppet agent -t --pluginsync' &&
echo 'puppet agent -t --pluginsync' &&
cd /
* copy paste the thing you just created on pauli into a root shell on the new host
* fix nsswitch for ud fu. (you might have to restart sshd here)
sed -i -e 's/^passwd:[[:space:]]\+compat$/passwd: compat db/;
s/^group:[[:space:]]\+compat$/group: db compat/;
s/^shadow:[[:space:]]\+compat$/shadow: compat db/' \
/etc/nsswitch.conf
(cd / && service ssh restart)
* do more puppet runs
puppet agent -t
puppet agent -t
* get rid of unneeded network services:
dpkg --purge portmap nfs-common exim4 exim4-base exim4-config exim4-daemon-light
userdel -r Debian-exim
* fix etc/aliases
( ! grep '^root:' /etc/aliases && echo 'root: torproject-admin@torproject.org' >> /etc/aliases ) &&
sed -i -e 's/^root:.*/root: torproject-admin@torproject.org/' /etc/aliases && newaliases
* set new root password, and document it
* run puppet a couple times 'til it converges:
puppet agent -t ; puppet agent -t ; puppet agent -t ; puppet agent -t ;
* add more software
apt-get install fail2ban
* swap and tmp
grep tmpfs /etc/fstab || echo 'tmpfs /tmp tmpfs defaults 0 0' >> /etc/fstab
! grep swap /etc/fstab &&
dd if=/dev/zero bs=1024k count=1024 of=/swapfile &&
chmod 0 /swapfile &&
mkswap /swapfile &&
echo '/swapfile none swap sw 0 0' >> /etc/fstab &&
swapon -a
* add to nagios
After installing from our tor iso:
- set up dedicated /srv disk, if we have one
- make a swapfile (either on / or on /srv if that's a dedicated FS)
cd /srv && [ -e lost+found ] &&
dd if=/dev/zero of=swapfile bs=1024k count=4096 &&
chmod 0 swapfile &&
mkswap swapfile &&
echo "`readlink -f swapfile` none swap sw 0 0" >> /etc/fstab &&
swapon -a
- follow normal new-machine docs
cat /dev/null > /etc/default/locale
echo 'domain torproject.org' >> /etc/resolv.conf
vi /etc/hosts
* add to ldap on alberti
for i in /etc/ssh/ssh_host_rsa_key.pub /etc/ssh/ssh_host_ed25519_key.pub; do
echo "sshRSAHostKey: `cat $i`"; done
* then:
: on alberti : && sudo -u sshdist ud-generate && sudo -H ud-replicate
: on nevii : && sudo -H ud-replicate
* set up puppet:
: on pauli : &&
( puppet agent -t --environment=production || true ) &&
ud-replicate &&
sudo -H -u puppet make -C /srv/puppet.torproject.org/auto-ca install
: on new machine : &&
me=$(hostname -f) &&
[ "$me" != "${me%torproject.org}" ] &&
apt-get update &&
apt-get install -y --no-install-recommends puppet lsb-release &&
service puppet stop &&
systemctl mask puppet.service &&
(puppet agent -t || true ) &&
cd /var/lib/puppet/ssl/certificate_requests &&
echo sha256sum output: &&
echo &&
sha256sum $me.pem &&
echo &&
echo &&
cd /
: on pauli: &&
echo "paste sha256sum output now:" &&
read sha256 filename &&
cd /var/lib/puppet/ssl/ca/requests &&
( [ -e $filename ] || (echo "$filename does not exist."; exit 1) ) &&
echo -e "$sha256 $filename" | sha256sum -c &&
puppet ca sign $(basename "$filename" .pem) &&
echo &&
echo &&
echo &&
echo 'cat > /var/lib/puppet/ssl/certs/ca.pem << EOF ' &&
cat /var/lib/puppet/ssl/certs/ca.pem &&
echo 'EOF' &&
echo "cat > /var/lib/puppet/ssl/certs/$filename << EOF " &&
cat /var/lib/puppet/ssl/ca/signed/$filename &&
echo 'EOF' &&
echo 'puppet agent --enable' &&
echo 'puppet agent -t --pluginsync' &&
echo 'puppet agent -t --pluginsync' &&
cd /
* copy paste the thing you just created on pauli into a root shell on the new host
* fix nsswitch for ud fu. (you might have to restart sshd here)
sed -i -e 's/^passwd:[[:space:]]\+compat$/passwd: compat db/;
s/^group:[[:space:]]\+compat$/group: db compat/;
s/^shadow:[[:space:]]\+compat$/shadow: compat db/' \
/etc/nsswitch.conf
(cd / && service ssh restart)
* do one ud-replicate:
puppet agent -t
echo alberti.torproject.org,alberti,db.torproject.org,db,38.229.70.7,2620:0:6b0:b:1a1a:0:26e5:4806 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDAW1UewATLaASMo4mJoH+L8AgN1sJUIk/87z6OdrQNL9fDseLhFSPNg1LsL2Ep1ZbE22ieERHcaS4Mm8QrX9Y2VrUmFWK3jwz3+enhZkEzq7K+YKGKhUwSu+Cr+gKD1olKnw8COsZ4v5xkLh5Or854ZNJKRB84IF99P9TZ+0l/LyJCE3RVY/wV5FyhrweGmVUQVqsi7xv815uRNWjsiBWvizZddny8xaKsNTD7guo+nN9h9gjKzv6ktj/U9nbmBsBiLs4zZj7/6rfgXK020xOp63LXz8jRnDiISgHw+ERFYlmUYs04JXVrcI21jdnhzNCpLwSwBITQLSVPEaXJqO9v root@alberti > /etc/ssh/ssh_known_hosts &&
ud-replicate
* get rid of unneeded network services:
dpkg --purge portmap nfs-common exim4 exim4-base exim4-config exim4-daemon-light
userdel -r Debian-exim
* fix etc/aliases
( ! grep '^root:' /etc/aliases && echo 'root: torproject-admin@torproject.org' >> /etc/aliases ) &&
sed -i -e 's/^root:.*/root: torproject-admin@torproject.org/' /etc/aliases && newaliases
* set new root password, and document it
* run puppet a couple times 'til it converges:
puppet agent -t ; puppet agent -t ; puppet agent -t ; puppet agent -t ;
* add more software
apt-get install fail2ban
* swap and tmp
grep tmpfs /etc/fstab || echo 'tmpfs /tmp tmpfs defaults 0 0' >> /etc/fstab
! grep swap /etc/fstab &&
dd if=/dev/zero bs=1024k count=1024 of=/swapfile &&
chmod 0 /swapfile &&
mkswap /swapfile &&
echo '/swapfile none swap sw 0 0' >> /etc/fstab &&
swapon -a
* add to nagios
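Review bot: The `echo alberti.torproject.org,... > /etc/ssh/ssh_known_hosts` step in the "do one ud-replicate" section replaces the whole system known_hosts file rather than appending, and the alberti key it pins is not the same key that the same step pins in the other imported new-machine pages, so a reader cannot tell from these docs which fingerprint is current. A short comment above that line stating the expected fingerprint and when it was last verified (placeholder: `# alberti host key fingerprint <FINGERPRINT>, verified <DATE>`) would let the operator check before trusting it; using `>>` would also avoid discarding entries already present. In the puppet CSR step, `read sha256 filename` should be `read -r sha256 filename` so a pasted value is taken literally.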
for fc14:
11-03-08 23:11:34 <weasel> I cloned the git repo into usr/local/, added two symlinks to local/sbin,
11-03-08 23:11:41 <weasel> copied the config file to /etc/userdir-ldap
11-03-08 23:11:47 <weasel> modified nsswitch.conf,
11-03-08 23:11:53 <weasel> modified the pam stuff (added mkhomedir)
11-03-08 23:12:12 <weasel> created a symlink from /var/db/.... to ../lib/misc/foo
11-03-08 23:12:32 <weasel> disabled selinux, so ssh can read the key files
11-03-08 23:12:38 <weasel> update ssh config
11-03-08 23:12:40 <weasel> fix timezone
11-03-08 23:12:52 <weasel> and created the zsh symlink
11-03-08 23:13:03 <weasel> I think that's it. maybe I forgot something
* fix up hostname. It needs to have the fully qualified hostname in 'hostname -f'
cd /usr/local && git clone https://git.torproject.org/admin/userdir-ldap.git
cd /usr/local/sbin && ln -s ../ln -s ../userdir-ldap/ud-config ../userdir-ldap/ud-replicate .
mkdir /etc/userdir-ldap && cd /etc/userdir-ldap && cp /usr/local/userdir-ldap/userdir-ldap.conf .
echo alberti.torproject.org,alberti,db.torproject.org,db,38.229.70.7 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAqFvZsXVYuzrgDO7IbBjeBO5WKk+sXmb0rRzPcSwIRTaMS4h3QdLDG1VjeNA5CUeAjTOYC0hAWZiXzfsl4u0KwNJUWRGZCclbIt6V7Tk74mM0405A+y0JP3NwUnTevcRcVxiDo8mrI85y5MXvipaWnPdGYayL09h9EeNDzBVKNZooCeKQBqkejhH69gyy4gdN9HgfMep3uOInyjr86W49pZ4n7CXoVt8QkTWtoBX/qPHK8igqX/dcYkOgCclVYRrQ1G4FbxEOGD+QzwPnCGDWCUgapFXoqh7HpG0Xfg5iDXGFcIu1JgDdr/SFJkr6hmYjW0gmkge0ihGj7GZ6onWhzQ== root@alberti > /etc/ssh/ssh_known_hosts &&
ud-replicate
maybe change chown in ud-replicate
cd /var/db && ln -s ../lib/misc/group.db ../lib/misc/passwd.db ../lib/misc/shadow.db .
edit /etc/nsswitch.conf to read:
| passwd: files db
| shadow: files db
| group: db files
check if 'id weasel' works
disable selinux
include pam mkhomedir for ssh and su.
add to sshd_config:
AuthorizedKeysFile /etc/ssh/userkeys/%u
AuthorizedKeysFile2 /var/lib/misc/userkeys/%u
crontab:
cat > /etc/cron.d/ud-replicate << EOF
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
10,25,40,55 * * * * root ud-replicate
EOF
sudoers
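Review bot: The symlink line `cd /usr/local/sbin && ln -s ../ln -s ../userdir-ldap/ud-config ../userdir-ldap/ud-replicate .` looks like a paste error: the stray `../ln -s` makes `ln` create a dangling link named `ln` in /usr/local/sbin next to the two intended ones. It presumably should read `cd /usr/local/sbin && ln -s ../userdir-ldap/ud-config ../userdir-ldap/ud-replicate .`. The trailing bare `sudoers` heading has no content under it, so the page should either say what sudoers change is meant or drop the heading.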
* set a hostname - pick an unused one from https://svn.torproject.org/svn/projects/misc-sysadmin/onion-names.txt
* sane base setup
echo "Apt::Install-Recommends 0;" > /etc/apt/apt.conf.d/local-recommends &&
apt-get install locales-all rsync sudo zsh subversion git-core mtr-tiny ntp &&
cat /dev/null > /etc/default/locale
* fix TZ
echo 'Etc/UTC' > /etc/timezone &&
dpkg-reconfigure tzdata -pcritical -fnoninteractive
* ssh setup
cd /etc/ssh/ && rm -f ssh_host_dsa_key ssh_host_dsa_key.pub ssh_host_key ssh_host_key.pub &&
mkdir -p /etc/ssh/userkeys && ln -s /root/.ssh/authorized_keys /etc/ssh/userkeys/root &&
sed -i -e 's/^HostKey.*_dsa_key/# &/;
s/^X11Forwarding yes/X11Forwarding no/;
$ a AuthorizedKeysFile /etc/ssh/userkeys/%u
$ a AuthorizedKeysFile2 /var/lib/misc/userkeys/%u' sshd_config &&
(cd / && env -i /etc/init.d/ssh restart)
* re-key ssh
cd /etc/ssh/ && rm -f ssh_host_rsa_key ssh_host_rsa_key.pub &&
dpkg-reconfigure openssh-server
* torproject sources list entry:
sudo apt-key add - << EOF &&
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.9 (GNU/Linux)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=dBbT
-----END PGP PUBLIC KEY BLOCK-----
EOF
if ! [ -e /etc/apt/sources.list.d/db.torproject.org.list ] ; then
echo 'deb http://db.torproject.org/torproject-admin lenny main' | sudo tee /etc/apt/sources.list.d/db.torproject.org.list
fi
* install userdir-ldap
apt-get update && apt-get install userdir-ldap
* fix nsswitch for ud fu. (you might have to restart sshd here)
sed -i -e 's/^passwd:[[:space:]]\+compat$/passwd: compat db/;
s/^group:[[:space:]]\+compat$/group: db compat/;
s/^shadow:[[:space:]]\+compat$/shadow: compat db/' \
/etc/nsswitch.conf
(cd / && env -i /etc/init.d/ssh restart)
* add pam_mkhomedir to common-session:
grep pam_mkhomedir /etc/pam.d/common-session || \
echo "session optional pam_mkhomedir.so skel=/etc/skel umask=0022" >> /etc/pam.d/common-session
* setup sudo
grep '^%adm' /etc/sudoers || echo '%adm ALL=(ALL) ALL' >> /etc/sudoers
grep '^%adm.*apt-get' /etc/sudoers || echo '%adm ALL=(ALL) NOPASSWD: /usr/bin/apt-get update, /usr/bin/apt-get dist-upgrade, /usr/bin/apt-get clean' >> /etc/sudoers
* add host to ud-ldap
: on alberti : && sudo -u sshdist ud-generate && sudo -H ud-replicate
* fix resolver
sed -i -e 's/search localdomain/search torproject.org/' /etc/resolv.conf
* do one ud-replicate:
echo alberti.torproject.org,alberti,db.torproject.org,db,38.229.70.7 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAqFvZsXVYuzrgDO7IbBjeBO5WKk+sXmb0rRzPcSwIRTaMS4h3QdLDG1VjeNA5CUeAjTOYC0hAWZiXzfsl4u0KwNJUWRGZCclbIt6V7Tk74mM0405A+y0JP3NwUnTevcRcVxiDo8mrI85y5MXvipaWnPdGYayL09h9EeNDzBVKNZooCeKQBqkejhH69gyy4gdN9HgfMep3uOInyjr86W49pZ4n7CXoVt8QkTWtoBX/qPHK8igqX/dcYkOgCclVYRrQ1G4FbxEOGD+QzwPnCGDWCUgapFXoqh7HpG0Xfg5iDXGFcIu1JgDdr/SFJkr6hmYjW0gmkge0ihGj7GZ6onWhzQ== root@alberti > /etc/ssh/ssh_known_hosts &&
ud-replicate
* apply phobos' sudo defaults
sed -i -e '
/^Defaults/ a Defaults mail_badpass\
Defaults mail_no_host\
Defaults mail_no_perms\
Defaults tty_tickets\
Defaults insults\
Defaults !lecture
' /etc/sudoers
* try to become root using sudo.
* disable password auth with ssh (again: once you verified you can log in and become root using keys.)
#vi /etc/ssh/sshd_config
# | PasswordAuthentication no
if grep '^PasswordAuthentication' /etc/ssh/sshd_config; then
sed -i -e 's/^PasswordAuthentication yes/PasswordAuthentication no/' /etc/ssh/sshd_config;
else
sed -i -e '$ a PasswordAuthentication no' /etc/ssh/sshd_config
fi &&
(cd / && env -i /etc/init.d/ssh restart)
* get rid of unneeded network services:
dpkg --purge portmap nfs-common
dpkg --purge exim4 exim4-base exim4-config exim4-daemon-light at bsd-mailx
userdel -r Debian-exim
* install postfix
apt-get install postfix postfix-cdb bsd-mailx
rm /etc/mailname
cat > /etc/postfix/main.cf << 'EOF'
# See /usr/share/postfix/main.cf.dist for a commented, more complete version
mydomain = torproject.org
myorigin = $myhostname
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no
# appending .domain is the MUA's job.
append_dot_mydomain = no
# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h
readme_directory = no
# TLS parameters
smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_use_tls=yes
# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.
alias_maps =
hash:/etc/aliases
cdb:/var/lib/misc/thishost/mail-forward
alias_database = hash:/etc/aliases
mydestination = $myhostname
localhost.$mydomain
localhost
relayhost =
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_command = procmail -a "$EXTENSION"
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = all
EOF
env -i /etc/init.d/postfix restart
sed -i -e 's/^root:.*/root: torproject-admin@torproject.org/' /etc/aliases && newaliases
* install root admin key
echo 'ssh-rsa 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 Peter Palfrader - torproject adm key (2010-01-09)' >> /root/.ssh/authorized_keys &&
wc -l /root/.ssh/authorized_keys
* clean away broken firewall
rm -f /etc/network/if-pre-up.d/iptables /etc/iptables.rules /etc//iptables.up.rules
for j in INPUT FORWARD OUTPUT; do iptables -P $j ACCEPT; done; iptables -F
* set new root password
* sane editor
sudo apt-get install vim && sudo update-alternatives --set editor /usr/bin/vim.basic
* add more software
apt-get install ferm git-core logwatch rkhunter munin-node sudo fail2ban htop etckeeper wget
* configure the firewall
* take ferm defaults, but need something for ferm here.
* rkhunter
rkhunter --update --propupd
* fail2ban:
/etc/init.d/fail2ban start
* copy munin-node.conf from schmitzi to /etc/munin/
* on new host:
sudo /etc/init.d/munin-node restart
* on schmitzi, add the host to /etc/munin/munin.conf
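Review bot: The sudoers edits — `grep '^%adm' /etc/sudoers || echo '%adm ALL=(ALL) ALL' >> /etc/sudoers`, the NOPASSWD line after it, and the `sed -i` block that appends the `Defaults` entries — all write /etc/sudoers directly with no syntax check, and one malformed line there disables sudo for every user on the host, which the page then depends on ("try to become root using sudo"). Running `visudo -cf /etc/sudoers` after each edit, or placing the additions in a drop-in under /etc/sudoers.d validated the same way, catches that before the next step. The later `PasswordAuthentication` edit is followed straight by an ssh restart; unless the init script validates the config itself, an `sshd -t` in front of the restart avoids being locked out of a host reachable only over ssh.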
= HOW I CREATED A NEW VM AT RETHEMHOSTING (CYMRU) FOR MUMBLE
A quick guide for how to make VMs.
18 Sep 2015
== WHAT YOU WILL NEED
* Access to many git repositories
* Sudo access all over the place
* GPG key that can decrypt files in those git repositories
* Your ssh configuration file set up to use the appropriate
ProxyCommand magic to ssh into various .torproject.org hosts.
* Enough Unix shell skillz to be dangerous to yourself and others
== THE STEPS
* Go to the approach for rethemhosting. You can find it in
hosts-extra-info in the tor-passwords repository.
If your browser hates you when you do this, it's possible that
rethemhosting still hasn't upgraded their DH parameters to
something non-embarrassing. Disable the DHE ciphersuites and try
again. Very sorry. I emailed them about it.
* Pick an onion species name:
https://en.wikipedia.org/wiki/List_of_Allium_species
(I went with "tuburosum", since I have some of that in my
fridge. Try not to pick something that has the first 3 characters
in common with some other host.)
* In the rethemhosting interface, go to the list of instances, then
select "add instance" (currently towards the top right.)
It will walk you through a wizard.
1: Select ISO
2: Select "my ISOs", then tor-debian-7.8-20150221.
(If there is something more recent than that, ask weasel if it
is safe to use!)
You will have only one option for hypervisor.
3: Configure the CPU/RAM requirements as needed
4: Select 20 GB disk, always. More disks can get added later.
5: Is easy; nothing to do here.
6: Select 'Tor External Dual', then make it the default, then
deselect the original network.
Weasel explains: "one is I think an internal network that isn't
routed anywhere, and the two external things are two networks
that are in the internet but with different address space. I
think the first tor external one is full."
7: Give it a name. No group.
* Launch the VM! It will boot from a custom install CD.
* Did you think you were done? Lolololollol11ol!
* Once the VM is running, click on it in the rethem interface, and
go to the NICs tab. Learn the IP addresses (v4 and v6) and
gateways for the new VM.
* Edit the domains git repository. (It is at
git@git-rw.torproject.org:admin/dns/domains.)
DO NOT EDIT torproject.org!!!!!!
Instead, add the reverse-dns records as appropriate to the *.arpa files.
ipv6cal can help with ipv6 reverse fu. e.g.:
weasel@defiant:~$ ipv6calc --in ipv6addr --out revnibbles.arpa 2607:8500:5:1::5a2c
c.2.a.5.0.0.0.0.0.0.0.0.0.0.0.0.1.0.0.0.5.0.0.0.0.0.5.8.7.0.6.2.ip6.arpa.
Commit and push when you are done; magic will happen.
* Now you need to get console access to the new VM: Click the rightmost
icon on the details screen at the rethem cloudstack thing.
The debian installer is about to ask you for some advice:
- Tell it the IP address to use.
- Tell it a netmask
- Tell it a gateway.
- Tell it the hostname.
It might ask you if you want to create a swap partition. You don't.
It will ask you if you want to write the new partition map to the
the disk. You do.
Now it will do a debian installation! This will take a while.
* You need to add the new host to nagios.
git clone git@git-rw.torproject.org:admin/tor-nagios
cd config
edit nagios-master.cfg
Add the new host right below the most recently added host. By
default, you should put it in these hostgroups:
computers, syslog-ng-hosts, no-ntp-peer.
(Other hostgroups are documented at XXXXXXXXXXXXX.)
Run make. Did that work?
If so, run make install.
Commit and push.
* ssh into your shiny new host! (as root.)
(The root password is the one marked as "rethemhosting
torproject.org preseed debian-install image default root password"
in hosts-extra-info in tor-passwords.git. Don't worry, we'll
change it.)
(Use -o HostKeyAlgorithms=ssh-rsa to avoid a warning later on.)
* If you got in, detach the ISO.
It's one of the icons in the cloudstack thing. It looks like a paperclip.
* Get a shell on alberti, then run:
ldapvi -ZZ --encoding=ASCII --ldap-conf -h db.torproject.org -D uid=nickm,ou=users,dc=torproject,dc=org
You will need to use your ldap password.
Now you are editing the LDAP database!
Look for the last host= entry for a rethemhosting host in the file.
Copy that whole block to the end of the file, and replace the
number with the word "add". Then set the hostname correctly, and
update the other stuff. (like memory, ssh host key, ip addresses,
purpose.) drop or replace allowedGroups.
Use dpkg --print-architecture if you don't know what the architecture is.
(It's amd64.)
Save and quit, then say yes.
* Open an editor on the new host as root, and edit
/etc/network/interfaces. Edit it to be a copy of the one on the
most recently created host, except fill in the correct values for
this host. I got:
========
auto lo
iface lo inet loopback
# The primary network interface
allow-hotplug eth0
iface eth0 inet static
address 154.35.132.152/28
gateway 154.35.132.145
iface eth0 inet6 static
address 2607:8500:5:1::5a2c/64
gateway 2607:8500:5:1::1
accept_ra 0
========
Your IP will vary.
* Edit /etc/resolv.conf and /etc/hosts so that they include the
proper domain. (It is probably torproject.org, not
rethemhosting.)
* Reboot the new host (with shutdown -r now), and make sure it comes
up with the right IP.
* Now you are going to read new-machine-cymru on alberti! It lives
in /src/db.torproject.org.
Follow its instructions _on the new host_ as root.
* You will be told to recursively follow the instructions in
new-machine on alberti, which lives in the same repository. Do
so.
Some notes:
- You will need to be root for nearly all of this.
- If something just won't work, try puppet agent -t on the
new host again, and give it another try.
- Use weasel's magical pws scripts to manage the
tor-passwords repository.
* On the new host, if there is an /etc/apt/sources.list.d/debian.list,
remove /etc/apt/sources.list, then apt-get update.
* Run one last "apt-get update && apt-get dist-upgrade && apt-get clean"
* Reboot again for good measure!
* (Unless you used -o HostKeyAlgorithms=ssh-rsa before:)
When you next ssh into the new host, the key will probably have
changed. That's because it switched from ECDSA to RSA. Don't
worry, but make sure you got the right one.
NOW YOU HAVE A HOST!
But, nobody can log into it. That's sad.
I wanted to set it up so that ioerror could log in and become a new
"tormumble" role and administer the stuff.
= So here's how I made the tormumble role and stuff!
* Do the magic thing on alberti again to edit the ldap database.
Create a role account and associated group in ldap - ldapvi and
copy one from before, picking a free uid/gid number pair.
Add the group to the allowedGroups for the host.
Add the group to the supplemenataryGids for the users who should
be in it.
Then, in puppet:
/usr/sbin/visudo -f ./modules/sudo/files/sudoers
And add a line of the form:
%rolename hostname=(groupname) ALL
* Then on the host, you need to log in as the role user to create
their homedir and stuff. Do su - <role account> to do this, then
log out again.
If you couldn't log in, then the LDAP info hasn't propagated
yet. Run this on alberti:
sudo -u sshdist ud-generate
And this on the new host as root:
ud-replicate
* Move the home directory to the right place:
mkdir /srv/<roledirectoryservicewhatever>.torproject.org
mv /home/<roleuser> to /srv/$foo/home
, then replace the original location with a symlink
Also, chown /srv/<roledirectoryservicewhatever>.torproject.org
to the new <roleuser>:<rolegroup>