def install_cobbler(args):
    '''
    Install cobbler on current host.

    check_executed() / mark_executed() on the version.Version object bracket
    the work (presumably a run-once guard per SCRIPT_VERSION - see
    version.Version). Installs cobbler, opens its iptables chain, imports the
    repos, registers every system and finally restarts dhcpd.
    '''
    app.print_verbose("Install cobbler version: %d" % SCRIPT_VERSION)
    version_obj = version.Version("installCobbler", SCRIPT_VERSION)
    version_obj.check_executed()

    # Initialize password (the hash itself is not used here).
    app.get_root_password_hash()

    def _selinux_permissive():
        # Disable SELINUX it just messes with me.
        # NOTE(review): this is a persistent hardening regression for the
        # cobbler host (runtime enforce=0 plus SELINUX=permissive on disk).
        x("echo 0 > /selinux/enforce")
        general.set_config_property("/etc/selinux/config", '^SELINUX=.*', "SELINUX=permissive")

    _selinux_permissive()

    _install_cobbler()
    iptables.add_cobbler_chain()
    iptables.save()
    _modify_cobbler_settings()
    _import_repos()
    setup_all_systems(args)

    # Start/Restart used services.
    x("/etc/init.d/dhcpd restart")

    version_obj.mark_executed()
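def install_mail_server(args):
    '''
    Install and configure sendmail as the mail-relay server on this host.

    check_executed() / mark_executed() on the version.Version object bracket
    the work (presumably a run-once guard - see version.Version). Opens the
    mail-relay iptables chain, removes sendmail's loopback-only listener and
    allows relaying from the 10.100.* network.
    '''
    app.print_verbose("Install mail-relay-server version: %d" % SCRIPT_VERSION)
    version_obj = version.Version("Install-mail-relay-server", SCRIPT_VERSION)
    version_obj.check_executed()

    general.shell_exec("yum -y install sendmail")

    # Tell iptables that this server is configured as a mail-relay server.
    general.shell_exec("touch /etc/mail/syco_mail_relay_server")
    iptables.add_mail_relay_chain()
    iptables.save()

    hardening.network.configure_resolv_conf()
    hardening.network.configure_localhost()
    hardening.network.restart_network()

    app.print_verbose("Configure /etc/mail/*")

    # Allow all servers on localdomain to relay through this server.
    # NOTE(review): "Connect:10.100" is a prefix match, so every host in
    # 10.100.0.0/16 may relay; narrow it if that network is not fully trusted.
    set_config_property2("/etc/mail/access", "Connect:10.100 RELAY")
    # The original used the bare name "access" for both the db and the input,
    # which only works when the cwd happens to be /etc/mail. Use absolute paths
    # so /etc/mail/access.db is rebuilt regardless of the caller's cwd.
    x("/usr/sbin/makemap hash /etc/mail/access < /etc/mail/access")

    # Remove the loopback address restriction to accept email from the
    # internet or intranet.
    set_config_property(
        "/etc/mail/sendmail.mc",
        r".*DAEMON_OPTIONS\(\`Port\=smtp\,Addr\=127\.0\.0\.1\, Name\=MTA\'\)dnl",
        r"dnl DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl")

    _rebuild_sendmail_config()
    _test_mail()

    version_obj.mark_executed()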
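def _install_icinga_core(args):
    """
    Core installation is decently straightforward. Icinga-bins are downloaded
    from the EPEL-repo and and SQL-db is created and set up with the standard
    icinga db-schema. The "hard" part is setting up the object base, which is
    done in via helper functions.

    Returns the icinga MySQL password produced by _setup_icinga_mysql().
    """
    # Disable SELinux for now, Install icinga-packages.
    # NOTE(review): setenforce 0 is runtime-only and is not re-enabled here.
    x("setenforce 0")
    install.rforge_repo()
    x("yum -y install icinga icinga-idoutils-libdbi-mysql nagios-plugins-all nagios-plugins-nrpe")

    # Set set up icinga mysql-database
    icinga_sql_password = _setup_icinga_mysql()

    # Let ido2db know password has changed.
    # The original passed False as a second .format() argument, where it was
    # silently ignored; it belongs to set_config_property, as in the sibling
    # use_original_file()/set_config_property(..., False) pairs in this file.
    # NOTE(review): ido2db.cfg now holds the db password in clear text -
    # confirm its mode/ownership stays restrictive.
    general.use_original_file("/etc/icinga/ido2db.cfg")
    general.set_config_property(
        "/etc/icinga/ido2db.cfg",
        "db_pass=icinga",
        "db_pass={0}".format(icinga_sql_password),
        False)

    x("cp --remove-destination {0}syco-private/var/nagios/icinga.cfg /etc/icinga/icinga.cfg"
      .format(constant.SYCO_USR_PATH))
    x("chown icinga:icinga /etc/icinga/icinga.cfg")

    # Add icinga-server iptables chain
    iptables.add_icinga_chain()
    iptables.save()

    # Reload the icinga object structure
    _reload_icinga(args, reload=False)

    return icinga_sql_password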
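def _install_icinga_core(args):
    """
    Core installation is decently straightforward. Icinga-bins are downloaded
    from the EPEL-repo and and SQL-db is created and set up with the standard
    icinga db-schema. The "hard" part is setting up the object base, which is
    done in via helper functions.

    Returns the icinga MySQL password produced by _setup_icinga_mysql().
    """
    # Disable SELinux for now, Install icinga-packages.
    # NOTE(review): setenforce 0 is runtime-only and is not re-enabled here.
    x("setenforce 0")
    install.rforge_repo()
    x("yum -y install icinga icinga-idoutils-libdbi-mysql nagios-plugins-all nagios-plugins-nrpe")

    # Set set up icinga mysql-database
    icinga_sql_password = _setup_icinga_mysql()

    # Let ido2db know password has changed.
    # The original passed False as a second .format() argument, where it was
    # silently ignored; it belongs to set_config_property, as in the sibling
    # use_original_file()/set_config_property(..., False) pairs in this file.
    # NOTE(review): ido2db.cfg now holds the db password in clear text -
    # confirm its mode/ownership stays restrictive.
    general.use_original_file("/etc/icinga/ido2db.cfg")
    general.set_config_property(
        "/etc/icinga/ido2db.cfg",
        "db_pass=icinga",
        "db_pass={0}".format(icinga_sql_password),
        False)

    x("cp --remove-destination {0}syco-private/var/nagios/icinga.cfg /etc/icinga/icinga.cfg"
      .format(constant.SYCO_USR_PATH))
    x("chown icinga:icinga /etc/icinga/icinga.cfg")

    # Add icinga-server iptables chain
    iptables.add_icinga_chain()
    iptables.save()

    # Reload the icinga object structure
    _reload_icinga(args, reload=False)

    return icinga_sql_password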
def uninstall_dhcp(args):
    '''
    Remove the dhcp server set up by install_dhcp.

    Stops dhcpd, disables it at boot, deletes its config, blanks DHCPDARGS in
    /etc/sysconfig/dhcpd, erases the package and records the uninstall via
    version.Version.
    '''
    teardown = (
        "service dhcpd stop",
        "/sbin/chkconfig dhcpd off",
        "rm /etc/dhcp/dhcpd.conf",
    )
    for cmd in teardown:
        general.shell_exec(cmd)

    # Leave no interface binding behind in the sysconfig file.
    general.set_config_property("/etc/sysconfig/dhcpd", ".*DHCPDARGS.*", "DHCPDARGS=")
    general.shell_exec("yum -y erase dhcp")

    version.Version("InstallDHCPServer", SCRIPT_VERSION).mark_uninstalled()
def _install_pnp4nagios():
    '''
    PNP4Nagios is design to work with Nagios - some hacking is needed to make
    it play nice with icinga, especially with file permissions creating files
    that the EPEL-package has missed.

    PNP4Nagios uses the NPCD-daemon to spool data from Icinga to Round Robin
    Databases. I.e using bulk mode, see
    http://docs.pnp4nagios.org/_detail/bulk.png
    '''
    httpd_conf = "/etc/httpd/conf.d/pnp4nagios.conf"
    npcd_cfg = "/etc/pnp4nagios/npcd.cfg"

    # Get packages from epel repo
    install.epel_repo()
    x("yum install -y pnp4nagios icinga-web-module-pnp")

    # Pnp4 uses the nagios password file, which will not exist
    general.use_original_file(httpd_conf)
    auth_fixes = (
        ("AuthName \"Nagios Access\"", "AuthName \"Icinga Access\""),
        ("AuthUserFile /etc/nagios/passwd", "AuthUserFile /etc/icinga/passwd"),
    )
    for search_exp, replace_exp in auth_fixes:
        general.set_config_property(httpd_conf, search_exp, replace_exp, False)

    # NPCD config prepped to work with icinga instead of nagios
    x("cp {0}syco-private/var/nagios/npcd.cfg /etc/pnp4nagios/npcd.cfg".format(
        constant.SYCO_USR_PATH))
    x("chown icinga:icinga " + npcd_cfg)

    # Package-maker does create a log for process-perfdata. PBP goes bonkers if it can't find it
    x("touch /var/log/pnp4nagios/perfdata.log")

    # Since we are using icinga (not nagios) we need to change permissions.
    # Tried just adding icinga to nagios group but creates a dependency on
    # PNP/Nagios package states which is not good.
    for pnp_dir in ("/var/log/pnp4nagios", "/var/spool/pnp4nagios", "/var/lib/pnp4nagios"):
        x("chown -R icinga:icinga " + pnp_dir)

    # Set npcd (bulk parser/spooler) to auto-start
    x(" /sbin/chkconfig --level 3 npcd on")

    # Setup LDAP-login for PNP4NAgios: the packaged httpd config is replaced
    # by the syco template and its placeholders filled in.
    general.use_original_file(httpd_conf)
    x("rm -f " + httpd_conf)
    x("cp -p {0}icinga/pnp4nagios.conf /etc/httpd/conf.d/".format(
        constant.SYCO_VAR_PATH))
    htconf = scopen.scOpen(httpd_conf)
    htconf.replace("${BIND_DN}", "cn=sssd,%s" % config.general.get_ldap_dn())
    # NOTE(review): the LDAP bind password is written in clear text into the
    # httpd config; confirm the file mode keeps it unreadable to other users.
    htconf.replace("${BIND_PASSWORD}", "%s" % app.get_ldap_sssd_password())
    htconf.replace(
        "${LDAP_URL}",
        "ldaps://%s:636/%s?uid" % (config.general.get_ldap_hostname(),
                                   config.general.get_ldap_dn()))

    # Restart everything
    for service in ("icinga", "httpd", "npcd"):
        x("service %s restart" % service)
def install_dhcp(args):
    '''
    Install a dhcp server on the current server.

    The dhcpd.conf template SYCO_PATH/var/dhcp/dhcp3.conf is copied into
    place, its ${IP} placeholder replaced with the class-C prefix of the LAN
    ip, and DHCPDARGS in /etc/sysconfig/dhcpd set to get_back_interface()
    (presumably the interface dhcpd is started on).
    '''
    app.print_verbose("Install DHCP-Server version: %d" % SCRIPT_VERSION)
    version_obj = version.Version("InstallDHCPServer", SCRIPT_VERSION)
    version_obj.check_executed()

    dhcpd_conf = "/etc/dhcp/dhcpd.conf"
    sysconfig = "/etc/sysconfig/dhcpd"

    general.shell_exec("yum -y install dhcp")
    general.shell_exec("/sbin/chkconfig dhcpd on")

    shutil.copyfile(app.SYCO_PATH + "/var/dhcp/dhcp3.conf", dhcpd_conf)
    lan_prefix = net.get_ip_class_c(net.get_lan_ip())
    general.set_config_property(dhcpd_conf, "\$\{IP\}", lan_prefix)

    general.set_config_property(sysconfig, ".*DHCPDARGS.*",
                                "DHCPDARGS=%s" % get_back_interface())

    general.shell_exec("service dhcpd restart")
    version_obj.mark_executed()
def _configure_backup_pathes(remote_server, ip, hostname):
    '''
    Add rsnapshot entries for every backup path configured for hostname.

    The special urls do-mysql-backup, do-mysqldump-backup and do-svn-backup
    select a dedicated helper instead of a plain folder backup; the two
    mysql variants first run "syco install-mysql-backup" on the remote host.
    '''
    app.print_verbose("Configure rsnapshot for " + hostname + " on " + ip)

    # Add Caption
    general.set_config_property("/etc/rsnapshot.conf", "# " + hostname, "\n# " + hostname)

    mysql_kinds = ('do-mysql-backup', 'do-mysqldump-backup')
    for url in config.host(hostname).get_backup_pathes():
        if url in mysql_kinds:
            remote_server.ssh_exec("syco install-mysql-backup")
            if url == 'do-mysql-backup':
                _do_mysql_backup(ip, hostname)
            else:
                _do_mysqldump_backup(ip, hostname)
        elif url == 'do-svn-backup':
            _do_svndump_backup(ip, hostname)
        else:
            _do_folder_backup(ip, hostname, url)
def install_dhcp(args):
    """
    Install a dhcp server on the current server.

    The dhcpd.conf template SYCO_PATH/var/dhcp/dhcp3.conf is copied into
    place, its ${IP} placeholder replaced with the class-C prefix of the LAN
    ip, and DHCPDARGS in /etc/sysconfig/dhcpd set to get_back_interface()
    (presumably the interface dhcpd is started on).
    """
    app.print_verbose("Install DHCP-Server version: %d" % SCRIPT_VERSION)
    version_obj = version.Version("InstallDHCPServer", SCRIPT_VERSION)
    version_obj.check_executed()

    dhcpd_conf = "/etc/dhcp/dhcpd.conf"
    sysconfig = "/etc/sysconfig/dhcpd"

    general.shell_exec("yum -y install dhcp")
    general.shell_exec("/sbin/chkconfig dhcpd on")

    shutil.copyfile(app.SYCO_PATH + "/var/dhcp/dhcp3.conf", dhcpd_conf)
    lan_prefix = net.get_ip_class_c(net.get_lan_ip())
    general.set_config_property(dhcpd_conf, "\$\{IP\}", lan_prefix)

    general.set_config_property(sysconfig, ".*DHCPDARGS.*",
                                "DHCPDARGS=%s" % get_back_interface())

    general.shell_exec("service dhcpd restart")
    version_obj.mark_executed()
def _install_pnp4nagios():
    '''
    PNP4Nagios is design to work with Nagios - some hacking is needed to make
    it play nice with icinga, especially with file permissions creating files
    that the EPEL-package has missed.

    PNP4Nagios uses the NPCD-daemon to spool data from Icinga to Round Robin
    Databases. I.e using bulk mode, see
    http://docs.pnp4nagios.org/_detail/bulk.png
    '''
    httpd_conf = "/etc/httpd/conf.d/pnp4nagios.conf"
    npcd_cfg = "/etc/pnp4nagios/npcd.cfg"

    # Get packages from epel repo
    install.epel_repo()
    x("yum install -y pnp4nagios icinga-web-module-pnp")

    # Pnp4 uses the nagios password file, which will not exist
    general.use_original_file(httpd_conf)
    auth_fixes = (
        ("AuthName \"Nagios Access\"", "AuthName \"Icinga Access\""),
        ("AuthUserFile /etc/nagios/passwd", "AuthUserFile /etc/icinga/passwd"),
    )
    for search_exp, replace_exp in auth_fixes:
        general.set_config_property(httpd_conf, search_exp, replace_exp, False)

    # NPCD config prepped to work with icinga instead of nagios
    x("cp {0}syco-private/var/nagios/npcd.cfg /etc/pnp4nagios/npcd.cfg".format(
        constant.SYCO_USR_PATH))
    x("chown icinga:icinga " + npcd_cfg)

    # Package-maker does create a log for process-perfdata. PBP goes bonkers if it can't find it
    x("touch /var/log/pnp4nagios/perfdata.log")

    # Since we are using icinga (not nagios) we need to change permissions.
    # Tried just adding icinga to nagios group but creates a dependency on
    # PNP/Nagios package states which is not good.
    for pnp_dir in ("/var/log/pnp4nagios", "/var/spool/pnp4nagios", "/var/lib/pnp4nagios"):
        x("chown -R icinga:icinga " + pnp_dir)

    # Set npcd (bulk parser/spooler) to auto-start
    x(" /sbin/chkconfig --level 3 npcd on")

    # Setup LDAP-login for PNP4NAgios: the packaged httpd config is replaced
    # by the syco template and its placeholders filled in.
    general.use_original_file(httpd_conf)
    x("rm -f " + httpd_conf)
    x("cp -p {0}icinga/pnp4nagios.conf /etc/httpd/conf.d/".format(
        constant.SYCO_VAR_PATH))
    htconf = scopen.scOpen(httpd_conf)
    htconf.replace("${BIND_DN}", "cn=sssd,%s" % config.general.get_ldap_dn())
    # NOTE(review): the LDAP bind password is written in clear text into the
    # httpd config; confirm the file mode keeps it unreadable to other users.
    htconf.replace("${BIND_PASSWORD}", "%s" % app.get_ldap_sssd_password())
    htconf.replace(
        "${LDAP_URL}",
        "ldaps://%s:636/%s?uid" % (config.general.get_ldap_hostname(),
                                   config.general.get_ldap_dn()))

    # Restart everything
    for service in ("icinga", "httpd", "npcd"):
        x("service %s restart" % service)
def add_export(name, path, clients="*", permissions="rw,sync,nohide"):
    '''
    Add a folder for nfs export.

    Example add_export("dvd", "/media/dvd")
    Will create the export /exports/dvd

    NOTE(review): name and path are spliced unquoted into shell commands and
    regexes below; they must come from trusted configuration, never from
    untrusted input.
    '''
    export_dir = "/exports/" + name

    x("mkdir -p " + export_dir)
    x("chmod 755 /exports/")
    x("mount --bind " + path + " " + export_dir)
    x("chmod 755 " + path + " " + export_dir)

    # Make the bind mount survive a reboot.
    fstab_row = "%s /exports/%s none bind 0 0" % (path, name)
    set_config_property("/etc/fstab", "^%s.*$" % (path), fstab_row)

    # Add for example /exports/log *(rw,sync,nohide)
    export_row = "/exports/%s %s(%s)" % (name, clients, permissions)
    set_config_property("/etc/exports", "^/exports/%s.*$" % (name), export_row)

    # Only needed once, but is dublicate here.
    set_config_property("/etc/exports", "\/exports \*\(ro\,fsid\=0\)", "/exports *(ro,fsid=0)")
def _create_kvm_snapshot_partition():
    """
    Create a partion that will be used by kvm/qemu to store guest snapshots.
    Memory snapshots when rebooting and such.

    TODO: Size should be equal to RAM.
    """
    volgroup = disk.active_volgroup_name()
    devicename = "/dev/" + volgroup + "/qemu"
    mountpoint = "/var/lib/libvirt/qemu"

    # The lvdisplay output is only searched for the device name: the volume
    # is created when it is not listed yet.
    listing = x("lvdisplay -v " + devicename, output=False)
    if devicename in listing:
        return

    x("lvcreate -n qemu -L 100G " + volgroup)
    x("mkfs.ext4 -j " + devicename)
    x("mkdir -p " + mountpoint)
    x("mount " + devicename + " " + mountpoint)
    x("chown qemu:qemu " + mountpoint)
    x("restorecon -R -v " + mountpoint)

    # Automount the new partion when rebooting.
    # NOTE(review): the listing's indentation was lost; the fstab entry is
    # assumed to belong to the create branch - verify against the repo.
    fstab_row = devicename + " " + mountpoint + " ext4 defaults 1 2"
    general.set_config_property("/etc/fstab", fstab_row, fstab_row)
def _create_kvm_snapshot_partition():
    '''
    Create a partion that will be used by kvm/qemu to store guest snapshots.
    Memory snapshots when rebooting and such.

    TODO: Size should be equal to RAM.
    '''
    volgroup = disk.active_volgroup_name()
    devicename = "/dev/" + volgroup + "/qemu"
    mountpoint = "/var/lib/libvirt/qemu"

    # The lvdisplay output is only searched for the device name: the volume
    # is created when it is not listed yet.
    listing = x("lvdisplay -v " + devicename, output=False)
    if devicename in listing:
        return

    x("lvcreate -n qemu -L 100G " + volgroup)
    x("mkfs.ext4 -j " + devicename)
    x("mkdir -p " + mountpoint)
    x("mount " + devicename + " " + mountpoint)
    x("chown qemu:qemu " + mountpoint)
    x("restorecon -R -v " + mountpoint)

    # Automount the new partion when rebooting.
    # NOTE(review): the listing's indentation was lost; the fstab entry is
    # assumed to belong to the create branch - verify against the repo.
    fstab_row = devicename + " " + mountpoint + " ext4 defaults 1 2"
    general.set_config_property("/etc/fstab", fstab_row, fstab_row)
def install_monitor(args):
    '''
    Monitor installation

    This script install nagios-plugins-all and nrpe server to the host. the
    host is then setup to allow cennections from the monitor server nand to
    reply back results to the monitor server.

    Install munin-node to accept muninserver connections.
    '''
    nrpe_cfg = "/etc/nagios/nrpe.cfg"
    fareoffice_cfg = "/etc/nrpe.d/nrpe_fareoffice.cfg"

    # Installting nagios plugins and nrpe server
    general.shell_exec("yum install nagios-plugins-all nrpe munin-node -y")

    # Setting upp nrpe config for
    # -Accepting connections from the monitor server only
    # -Adding to use fareoffice nrpe commands
    # -Removing all commands in nrpe.conf file
    # NOTE(review): dont_blame_nrpe=1 lets the monitor server pass arguments
    # into check commands; that is only as safe as allowed_hosts and the
    # command definitions in nrpe_fareoffice.cfg, so keep both tight.
    general.set_config_property(
        nrpe_cfg, "^allowed_hosts=.*",
        "allowed_hosts=" + config.general.get_monitor_server())
    general.set_config_property(nrpe_cfg, "^[\#]?command.*", "#command")
    general.set_config_property(nrpe_cfg, "^dont_blame_nrpe=.*", "dont_blame_nrpe=1")

    # munin-node's allow directive is a regex, so the dots are escaped.
    # Exactly four octets are expected (indexing fails otherwise, as before).
    munin_ip = config.general.get_monitor_server().split(".")
    allow_pattern = "\\.".join((munin_ip[0], munin_ip[1], munin_ip[2], munin_ip[3]))
    general.set_config_property(
        "/etc/munin/munin-node.conf", "^allow.*", "allow " + allow_pattern)

    x("rm " + fareoffice_cfg)
    x("cp /opt/syco/var/monitor/nrpe_fareoffice.cfg " + fareoffice_cfg)

    # Openning ports in iptabled for accepting connections from
    # monitor server.
    # Opening port 4949 munin and 5666 nrpe
    iptables.add_monitor_chain()

    # Restaring services
    for initscript in ('/etc/init.d/nrpe', '/etc/init.d/munin-node'):
        general.shell_exec(initscript + ' restart')
def install_monitor(args):
    """
    Monitor installation

    This script install nagios-plugins-all and nrpe server to the host. the
    host is then setup to allow cennections from the monitor server nand to
    reply back results to the monitor server.

    Install munin-node to accept muninserver connections.
    """
    nrpe_cfg = "/etc/nagios/nrpe.cfg"
    fareoffice_cfg = "/etc/nrpe.d/nrpe_fareoffice.cfg"

    # Installting nagios plugins and nrpe server
    general.shell_exec("yum install nagios-plugins-all nrpe munin-node -y")

    # Setting upp nrpe config for
    # -Accepting connections from the monitor server only
    # -Adding to use fareoffice nrpe commands
    # -Removing all commands in nrpe.conf file
    # NOTE(review): dont_blame_nrpe=1 lets the monitor server pass arguments
    # into check commands; that is only as safe as allowed_hosts and the
    # command definitions in nrpe_fareoffice.cfg, so keep both tight.
    general.set_config_property(
        nrpe_cfg, "^allowed_hosts=.*",
        "allowed_hosts=" + config.general.get_monitor_server())
    general.set_config_property(nrpe_cfg, "^[\#]?command.*", "#command")
    general.set_config_property(nrpe_cfg, "^dont_blame_nrpe=.*", "dont_blame_nrpe=1")

    # munin-node's allow directive is a regex, so the dots are escaped.
    # Exactly four octets are expected (indexing fails otherwise, as before).
    munin_ip = config.general.get_monitor_server().split(".")
    allow_pattern = "\\.".join((munin_ip[0], munin_ip[1], munin_ip[2], munin_ip[3]))
    general.set_config_property(
        "/etc/munin/munin-node.conf", "^allow.*", "allow " + allow_pattern)

    x("rm " + fareoffice_cfg)
    x("cp /opt/syco/var/monitor/nrpe_fareoffice.cfg " + fareoffice_cfg)

    # Openning ports in iptabled for accepting connections from
    # monitor server.
    # Opening port 4949 munin and 5666 nrpe
    iptables.add_monitor_chain()

    # Restaring services
    for initscript in ("/etc/init.d/nrpe", "/etc/init.d/munin-node"):
        general.shell_exec(initscript + " restart")
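def _configure_icinga_web(icinga_db_pass, web_sqlpassword):
    '''
    Sets configuration parameters for icinga-web, including MySQL-password,
    LDAP user-auth and timezone.

    Watch out: The repoforge package creates an icinga-web folder in /etc/
    with a few XML-files, which are then linked into the
    /usr/share/icinga-web/app/config xmls through overwrite-tags. However,
    the icinga-web documentation assumes you are using the standard configs,
    meaning that its easier to debug/powergoodgle if not loading the
    includes (by just not setting apache permissions).

    icinga_db_pass  - password for the icinga db user in databases.xml
    web_sqlpassword - password for the icinga-web db user in databases.xml
    '''
    databases_xml = "/usr/share/icinga-web/app/config/databases.xml"
    # The original literals carried a trailing space ("icinga-web.conf "),
    # so use_original_file() and scOpen() addressed a non-existent file and
    # the LDAP placeholders were never substituted in the real config.
    httpd_conf = "/etc/httpd/conf.d/icinga-web.conf"

    # Configure upp database passwords
    # NOTE(review): the packaged user is "icinga_web" but the replacement
    # writes "icinga-web"; confirm that matches the user _setup_icinga_mysql
    # (not shown here) creates.
    general.use_original_file(databases_xml)
    general.set_config_property(
        databases_xml,
        "mysql://icinga_web:icinga_web",
        "mysql://icinga-web:{0}".format(web_sqlpassword),
        False)
    general.set_config_property(
        databases_xml,
        "mysql://icinga:icinga",
        "mysql://icinga:{0}".format(icinga_db_pass),
        False)

    # Configure LDAP login
    general.use_original_file(httpd_conf)
    x("rm -f " + httpd_conf)
    x("cp -p {0}icinga/icinga-web.conf /etc/httpd/conf.d/".format(
        constant.SYCO_VAR_PATH))
    htconf = scopen.scOpen(httpd_conf)
    htconf.replace("${BIND_DN}", "cn=sssd,%s" % config.general.get_ldap_dn())
    # NOTE(review): the LDAP bind password is written in clear text into the
    # httpd config; confirm the file mode keeps it unreadable to other users.
    htconf.replace("${BIND_PASSWORD}", "%s" % app.get_ldap_sssd_password())
    htconf.replace(
        "${LDAP_URL}",
        "ldaps://%s:636/%s?uid" % (config.general.get_ldap_hostname(),
                                   config.general.get_ldap_dn()))
    x("/usr/bin/icinga-web-clearcache")

    # Configure timezone and laguage
    translation_xml = "/usr/share/icinga-web/app/config/translation.xml"
    general.use_original_file(translation_xml)
    general.set_config_property(
        translation_xml,
        "default_locale=\"en\"",
        "default_locale=\"en\" default_timezone=\"CET\"",
        False)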
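def _configure_icinga_web(icinga_db_pass, web_sqlpassword):
    '''
    Sets configuration parameters for icinga-web, including MySQL-password,
    LDAP user-auth and timezone.

    Watch out: The repoforge package creates an icinga-web folder in /etc/
    with a few XML-files, which are then linked into the
    /usr/share/icinga-web/app/config xmls through overwrite-tags. However,
    the icinga-web documentation assumes you are using the standard configs,
    meaning that its easier to debug/powergoodgle if not loading the
    includes (by just not setting apache permissions).

    icinga_db_pass  - password for the icinga db user in databases.xml
    web_sqlpassword - password for the icinga-web db user in databases.xml
    '''
    databases_xml = "/usr/share/icinga-web/app/config/databases.xml"
    # The original literals carried a trailing space ("icinga-web.conf "),
    # so use_original_file() and scOpen() addressed a non-existent file and
    # the LDAP placeholders were never substituted in the real config.
    httpd_conf = "/etc/httpd/conf.d/icinga-web.conf"

    # Configure upp database passwords
    # NOTE(review): the packaged user is "icinga_web" but the replacement
    # writes "icinga-web"; confirm that matches the user _setup_icinga_mysql
    # (not shown here) creates.
    general.use_original_file(databases_xml)
    general.set_config_property(
        databases_xml,
        "mysql://icinga_web:icinga_web",
        "mysql://icinga-web:{0}".format(web_sqlpassword),
        False)
    general.set_config_property(
        databases_xml,
        "mysql://icinga:icinga",
        "mysql://icinga:{0}".format(icinga_db_pass),
        False)

    # Configure LDAP login
    general.use_original_file(httpd_conf)
    x("rm -f " + httpd_conf)
    x("cp -p {0}icinga/icinga-web.conf /etc/httpd/conf.d/".format(
        constant.SYCO_VAR_PATH))
    htconf = scopen.scOpen(httpd_conf)
    htconf.replace("${BIND_DN}", "cn=sssd,%s" % config.general.get_ldap_dn())
    # NOTE(review): the LDAP bind password is written in clear text into the
    # httpd config; confirm the file mode keeps it unreadable to other users.
    htconf.replace("${BIND_PASSWORD}", "%s" % app.get_ldap_sssd_password())
    htconf.replace(
        "${LDAP_URL}",
        "ldaps://%s:636/%s?uid" % (config.general.get_ldap_hostname(),
                                   config.general.get_ldap_dn()))
    x("/usr/bin/icinga-web-clearcache")

    # Configure timezone and laguage
    translation_xml = "/usr/share/icinga-web/app/config/translation.xml"
    general.use_original_file(translation_xml)
    general.set_config_property(
        translation_xml,
        "default_locale=\"en\"",
        "default_locale=\"en\" default_timezone=\"CET\"",
        False)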
def add_export(name, path, clients="*", permissions="rw,sync,nohide"):
    '''
    Add a folder for nfs export.

    Example add_export("dvd", "/media/dvd")
    Will create the export /exports/dvd

    NOTE(review): name and path are spliced unquoted into shell commands and
    regexes below; they must come from trusted configuration, never from
    untrusted input.
    '''
    export_dir = "/exports/" + name

    x("mkdir -p " + export_dir)
    x("chmod 755 /exports/")
    x("mount --bind " + path + " " + export_dir)
    x("chmod 755 " + path + " " + export_dir)

    # Make the bind mount survive a reboot.
    fstab_row = "%s /exports/%s none bind 0 0" % (path, name)
    set_config_property("/etc/fstab", "^%s.*$" % (path), fstab_row)

    # Add for example /exports/log *(rw,sync,nohide)
    export_row = "/exports/%s %s(%s)" % (name, clients, permissions)
    set_config_property("/etc/exports", "^/exports/%s.*$" % (name), export_row)

    # Only needed once, but is dublicate here.
    set_config_property("/etc/exports", "\/exports \*\(ro\,fsid\=0\)", "/exports *(ro,fsid=0)")
def install_mail_client(args):
    '''
    Install sendmail as a mail-relay client that forwards through the
    configured mail-relay server.

    check_executed() / mark_executed() on the version.Version object bracket
    the work (presumably a run-once guard - see version.Version). All
    outgoing mail is masqueraded as the relay domain from
    config.general.get_mail_relay_domain_name().
    '''
    app.print_verbose("Install mail-relay-server version: %d" % SCRIPT_VERSION)
    version_obj = version.Version("Install-mail-relay-client", SCRIPT_VERSION)
    version_obj.check_executed()

    general.shell_exec("yum -y install sendmail")

    # "file" shadowed the builtin in the original; same path, clearer name.
    sendmail_mc = "/etc/mail/sendmail.mc"
    domain = config.general.get_mail_relay_domain_name()

    app.print_verbose("Configure /etc/mail/*")

    # Set the mail-relay server.
    set_config_property(sendmail_mc, ".*define\(\`SMART_HOST\'\, \`.*\'\)dnl",
                        "define(`SMART_HOST', `" + domain + "')dnl")

    # FEATURE always_add_domain always masquerades email addresses, even if the
    # mail is sent from a user on the mail server to another user on the same
    # mail server.
    #
    # FEATURE masquerade_entire_domain makes sendmail masquerade servers named
    # *my-site.com, and *another-site.com as my-site.com. In other words, mail
    # from sales.my-site.com would be masqueraded as my-site.com. If this wasn't
    # selected, then only servers named my-site.com and my-othersite.com would be
    # masqueraded. Use this with caution when you are sure you have the necessary
    # authority to do this.
    #
    # FEATURE masquerade_envelope rewrites the email envelope just as
    # MASQUERADE_AS rewrote the header.
    for feature_line in ("FEATURE(always_add_domain)dnl",
                         "FEATURE(masquerade_entire_domain)dnl",
                         "FEATURE(masquerade_envelope)dnl"):
        set_config_property2(sendmail_mc, feature_line)

    # FEATURE allmasquerade makes sendmail rewrite both recipient addresses and
    # sender addresses relative to the local machine. If you cc: yourself on an
    # outgoing mail, the other recipient sees a cc: to an address he knows instead
    # of one on localhost.localdomain.
    # TODO: need to be before MAILER
    #set_config_property2(sendmail_mc, "FEATURE(allmasquerade)dnl")

    # The MASQUERADE_AS directive makes all mail originating on
    # client appear to come from a server within the domain
    # DOMAIN by rewriting the email header.
    set_config_property(sendmail_mc, ".*MASQUERADE_AS\(\`.*\'\)dnl.*",
                        "MASQUERADE_AS(`" + domain + "')dnl")

    # The MASQUERADE_DOMAIN directive makes mail relayed via mail-relay server
    # from all machines in the localdomain domains appear to come from the
    # MASQUERADE_AS domain. Using DNS, sendmail checks the domain name associated
    # with the IP address of the mail relay client sending the mail to help it
    # determine whether it should do masquerading or not.
    for masq_line in ("MASQUERADE_DOMAIN(localhost)dnl",
                      "MASQUERADE_DOMAIN(localhost.localdomain)dnl"):
        set_config_property2(sendmail_mc, masq_line)

    # By default, user "root" will not be masqueraded. Removing the EXPOSED_USER
    # will also masqueraded root.
    set_config_property(sendmail_mc, ".*EXPOSED_USER\(\`root\'\)dnl.*",
                        "dnl EXPOSED_USER(`root')dnl")

    _rebuild_sendmail_config()
    _test_mail()

    version_obj.mark_executed()
def install_ntp(ntp_server_ip=False):
    '''
    Install and configure the ntp-server on the local host.

    ntp_server_ip - when given, /etc/ntp.conf is written as a client that
                    only talks to that internal server and ignores every
                    other peer; when False (default) the host is configured
                    as a server against the external pools listed below.

    The presence of /etc/ntp.conf is used as the "already installed" marker,
    so the yum/chkconfig/iptables steps run only on a fresh host.
    '''
    app.print_verbose("Install NTP version: %d" % SCRIPT_VERSION)
    version_obj = version.Version("InstallNTP", SCRIPT_VERSION)
    version_obj.check_executed()

    ntp_conf = "/etc/ntp.conf"

    def _set(search_exp, replace_exp):
        general.set_config_property(ntp_conf, search_exp, replace_exp)

    def _configure_as_client(server_ip):
        # For restrict info: http://www.eecis.udel.edu/~mills/ntp/html/accopt.html
        app.print_verbose("Configure /etc/ntp.conf as a client")

        # Deny packets of all kinds, including ntpq(8) and ntpdc(8) queries.
        _set("restrict default.*", "restrict default ignore")
        _set("restrict -6 default.*", "restrict -6 default ignore")

        # Using only internal NTP-server.
        _set("server 0.*ntp.org", "server " + server_ip + " burst")
        _set(".*server 1.*ntp.org", "#server 1.se.pool.ntp.org")
        _set(".*server 2.*ntp.org", "#server 2.se.pool.ntp.org")

        # Allow access to/from the ntp-server. You may use either a hostname or
        # IP address on the server line. You must use an IP address on the
        # restrict line. Or do I??
        restrict_row = "restrict " + server_ip + " kod nomodify notrap nopeer noquery"
        _set(restrict_row, restrict_row)

        # Don't use fudge server
        _set(".*server.*127.127.1.0.*", "#server 127.127.1.0")
        _set(".*fudge.*127.127.1.0.*", "#fudge 127.127.1.0 stratum 10")

        # This command modifies the ntpd panic threshold (which is normally 1024
        # seconds). Setting this to 0 disables the panic sanity check and a clock
        # offset of any value will be accepted.
        _set(".*tinker panic.*", "tinker panic 0")

    def _configure_as_server():
        app.print_verbose("Configure /etc/ntp.conf as a server")
        _set("server 0.*ntp.org", "server ntp3.sptime.se")
        _set("server 1.*ntp.org", "server ntp4.sptime.se")
        _set("server 2.*ntp.org", "server ntp1.sth.netnod.se")
        _set("server 3.*ntp.org", "server " + config.general.get_slave_ntp_server())

    # Install the NTP packages.
    if not os.access(ntp_conf, os.F_OK):
        general.shell_exec("yum -y install ntp")
        general.shell_exec("/sbin/chkconfig ntpd on")
        iptables.add_ntp_chain()
        iptables.save()

    # Set ntp-server configs
    if ntp_server_ip:
        _configure_as_client(ntp_server_ip)
    else:
        _configure_as_server()

    general.shell_exec("service ntpd start")

    version_obj.mark_executed()
def _install_cobbler():
    '''
    Install cobbler and its dependencies and prepare SELinux and xinetd for it.

    See http://linux.die.net/man/1/cobbler
    See https://fedorahosted.org/cobbler/wiki/DownloadInstructions
    See https://fedorahosted.org/cobbler/wiki/UsingCobblerImport
    See http://www.ithiriel.com/content/2010/02/22/installing-linux-vms-under-kvm-cobbler-and-koan
    '''
    # Cobbler packages are in the EPEL repo.
    install.epel_repo()

    # To get cobbler and kvm work correct.
    x("yum -y install cobbler koan httpd dhcp createrepo mkisofs mod_wsgi " +
      "python-cheetah python-netaddr python-simplejson python-urlgrabber " +
      "PyYAML rsync tftp-server yum-utils pykickstart")

    # Cobbler web only has one other requirement besides cobbler itself
    x("yum -y install Django")

    # Autostart services
    for service in ("httpd", "cobblerd", "dhcpd"):
        x("/sbin/chkconfig %s on" % service)

    # This allows the Apache httpd server to connect to the network
    file_contexts = (
        ("public_content_rw_t", "/var/lib/tftpboot/.*"),
        ("public_content_rw_t", "/var/www/cobbler/images/.*"),
        ("httpd_sys_content_rw_t", "/var/lib/cobbler/webui_sessions/.*"),
    )
    for setype, pattern in file_contexts:
        x('/usr/sbin/semanage fcontext -a -t %s "%s"' % (setype, pattern))
    for labelled_dir in ("/var/lib/tftpboot/", "/var/www/cobbler/images",
                         "/var/lib/cobbler/webui_sessions/"):
        x('restorecon -R -v "%s"' % labelled_dir)

    # Enables cobbler to read/write public_content_rw_t
    # Enable httpd to connect to cobblerd (optional, depending on if web interface is installed)
    # Notice: If you enable httpd_can_network_connect_cobbler and you should switch httpd_can_network_connect off
    # Enabled cobbler to use rsync etc.. (optional)
    se_booleans = (
        ("cobbler_anon_write", "on"),
        ("httpd_can_network_connect", "off"),
        ("httpd_can_network_connect_cobbler", "on"),
        ("cobbler_can_network_connect", "on"),
    )
    for boolean, state in se_booleans:
        x('/usr/sbin/setsebool -P %s %s' % (boolean, state))

    # Enable cobbler to use CIFS based filesystems (optional)
    #x('/usr/sbin/setsebool -P cobbler_use_cifs on')
    # Enable cobbler to use NFS based filesystems (optional)
    #x('/usr/sbin/setsebool -P cobbler_use_nfs on')

    _install_custom_selinux_policy()

    # Double check your choices
    x('getsebool -a|grep cobbler')

    app.print_verbose("Update xinetd config files")
    for xinetd_service in ("tftp", "rsync"):
        general.set_config_property("/etc/xinetd.d/" + xinetd_service,
                                    '[\s]*disable[\s]*[=].*', " disable = no")
    x("/etc/init.d/xinetd restart")
def configure_with_static_ip():
    '''
    http://www.cyberciti.biz/faq/centos-fedora-rhel-iptables-open-nfs-server-ports/

    @TODO: Should be named configure_with_static_ports.

    Pins the otherwise random NFS helper ports in /etc/sysconfig/nfs so a
    firewall can open a fixed set of ports.
    '''
    app.print_verbose("Configure nfs static server ports.")

    nfs_sysconfig = "/etc/sysconfig/nfs"
    static_ports = (
        # TCP port rpc.lockd should listen on.
        ("LOCKD_TCPPORT", "32803"),
        # UDP port rpc.lockd should listen on.
        ("LOCKD_UDPPORT", "32769"),
        # Port rpc.mountd should listen on.
        ("MOUNTD_PORT", "892"),
        # Port rquotad should listen on.
        ("RQUOTAD_PORT", "875"),
        # Port rpc.statd should listen on.
        ("STATD_PORT", "662"),
        # Outgoing port statd should used. The default is port is random
        ("STATD_OUTGOING_PORT", "2020"),
    )
    for key, port in static_ports:
        set_config_property(nfs_sysconfig, ".*%s.*" % key, "%s=%s" % (key, port))
def _do_command(ip, hostname, cmd):
    '''
    Add an rsnapshot backup_script entry that runs cmd on ip over ssh.

    The destination folder comes from _get_unused_folder(); hostname is
    accepted for signature parity with the other _do_* helpers but unused.
    NOTE(review): cmd is embedded verbatim inside double quotes in the
    rsnapshot line, so it must originate from trusted configuration.
    '''
    target_folder = _get_unused_folder()
    script_row = 'backup_script\t/usr/bin/ssh root@%s "%s"\t%s/' % (ip, cmd, target_folder)
    general.set_config_property("/etc/rsnapshot.conf", script_row, script_row)
def _install_cobbler():
    '''
    Install cobbler and its dependencies and prepare SELinux and xinetd for it.

    See http://linux.die.net/man/1/cobbler
    See https://fedorahosted.org/cobbler/wiki/DownloadInstructions
    See https://fedorahosted.org/cobbler/wiki/UsingCobblerImport
    See http://www.ithiriel.com/content/2010/02/22/installing-linux-vms-under-kvm-cobbler-and-koan
    '''
    # Cobbler packages are in the EPEL repo.
    install.epel_repo()

    # To get cobbler and kvm work correct.
    x("yum -y install cobbler koan httpd dhcp createrepo mkisofs mod_wsgi " +
      "python-cheetah python-netaddr python-simplejson python-urlgrabber " +
      "PyYAML rsync tftp-server yum-utils pykickstart")

    # Cobbler web only has one other requirement besides cobbler itself
    x("yum -y install Django")

    # Autostart services
    for service in ("httpd", "cobblerd", "dhcpd"):
        x("/sbin/chkconfig %s on" % service)

    # This allows the Apache httpd server to connect to the network
    file_contexts = (
        ("public_content_rw_t", "/var/lib/tftpboot/.*"),
        ("public_content_rw_t", "/var/www/cobbler/images/.*"),
        ("httpd_sys_content_rw_t", "/var/lib/cobbler/webui_sessions/.*"),
    )
    for setype, pattern in file_contexts:
        x('/usr/sbin/semanage fcontext -a -t %s "%s"' % (setype, pattern))
    for labelled_dir in ("/var/lib/tftpboot/", "/var/www/cobbler/images",
                         "/var/lib/cobbler/webui_sessions/"):
        x('restorecon -R -v "%s"' % labelled_dir)

    # Enables cobbler to read/write public_content_rw_t
    # Enable httpd to connect to cobblerd (optional, depending on if web interface is installed)
    # Notice: If you enable httpd_can_network_connect_cobbler and you should switch httpd_can_network_connect off
    # Enabled cobbler to use rsync etc.. (optional)
    se_booleans = (
        ("cobbler_anon_write", "on"),
        ("httpd_can_network_connect", "off"),
        ("httpd_can_network_connect_cobbler", "on"),
        ("cobbler_can_network_connect", "on"),
    )
    for boolean, state in se_booleans:
        x('/usr/sbin/setsebool -P %s %s' % (boolean, state))

    # Enable cobbler to use CIFS based filesystems (optional)
    #x('/usr/sbin/setsebool -P cobbler_use_cifs on')
    # Enable cobbler to use NFS based filesystems (optional)
    #x('/usr/sbin/setsebool -P cobbler_use_nfs on')

    _install_custom_selinux_policy()

    # Double check your choices
    x('getsebool -a|grep cobbler')

    app.print_verbose("Update xinetd config files")
    for xinetd_service in ("tftp", "rsync"):
        general.set_config_property("/etc/xinetd.d/" + xinetd_service,
                                    '[\s]*disable[\s]*[=].*', " disable = no")
    x("/etc/init.d/xinetd restart")
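def _do_folder_backup(ip, hostname, url):
    """Ensure an rsnapshot ``backup`` line for ``url`` on host ``ip`` exists.

    The line written to /etc/rsnapshot.conf has the form
    ``backup<TAB><TAB>root@<ip>:<url><TAB><TAB><hostname>/`` (the trailing
    "/" marks the per-host destination directory in rsnapshot's syntax).

    The row doubles as the search pattern handed to
    general.set_config_property(), which takes a regular expression (see the
    other callers in this file). It is escaped so that the dots in the IP
    address or in ``url`` match literally instead of as wildcards.
    """
    import re

    new_row = "backup\t\troot@%s:%s\t\t%s/" % (ip, url, hostname)
    general.set_config_property("/etc/rsnapshot.conf", re.escape(new_row), new_row)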
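def install_mail_client(args):
    """Install sendmail and configure it as a mail-relay client.

    Outgoing mail is handed to the relay host from
    config.general.get_mail_relay_domain_name() (SMART_HOST) and sender
    addresses are masqueraded as that domain. Guarded by version.Version so
    it runs once per SCRIPT_VERSION.

    Args:
        args: command-line arguments; not used here.
    """
    # Bug fix: the message used to say "mail-relay-server" (copied from
    # install_mail_server); this is the client.
    app.print_verbose("Install mail-relay-client version: %d" % SCRIPT_VERSION)
    version_obj = version.Version("Install-mail-relay-client", SCRIPT_VERSION)
    version_obj.check_executed()

    general.shell_exec("yum -y install sendmail")

    # Named sendmail_mc rather than "file", which shadows the builtin.
    sendmail_mc = "/etc/mail/sendmail.mc"
    domain = config.general.get_mail_relay_domain_name()

    app.print_verbose("Configure /etc/mail/*")

    # Set the mail-relay server. The search patterns below are regular
    # expressions written as raw strings, so the m4 quoting characters can be
    # escaped for the regex without producing invalid Python string escapes.
    set_config_property(
        sendmail_mc,
        r".*define\(\`SMART_HOST'\, \`.*'\)dnl",
        "define(`SMART_HOST', `" + domain + "')dnl"
    )

    # FEATURE always_add_domain always masquerades email addresses, even if the
    # mail is sent from a user on the mail server to another user on the same
    # mail server.
    set_config_property2(sendmail_mc, "FEATURE(always_add_domain)dnl")

    # FEATURE masquerade_entire_domain makes sendmail masquerade servers named
    # *my-site.com, and *another-site.com as my-site.com. In other words, mail
    # from sales.my-site.com would be masqueraded as my-site.com. If this wasn't
    # selected, then only servers named my-site.com and my-othersite.com would be
    # masqueraded. Use this with caution when you are sure you have the necessary
    # authority to do this.
    set_config_property2(sendmail_mc, "FEATURE(masquerade_entire_domain)dnl")

    # FEATURE masquerade_envelope rewrites the email envelope just as
    # MASQUERADE_AS rewrote the header.
    set_config_property2(sendmail_mc, "FEATURE(masquerade_envelope)dnl")

    # FEATURE allmasquerade makes sendmail rewrite both recipient addresses and
    # sender addresses relative to the local machine. If you cc: yourself on an
    # outgoing mail, the other recipient sees a cc: to an address he knows instead
    # of one on localhost.localdomain.
    # TODO: need to be before MAILER
    #set_config_property2(sendmail_mc, "FEATURE(allmasquerade)dnl")

    # The MASQUERADE_AS directive makes all mail originating on
    # client appear to come from a server within the domain
    # DOMAIN by rewriting the email header.
    set_config_property(
        sendmail_mc,
        r".*MASQUERADE_AS\(\`.*'\)dnl.*",
        "MASQUERADE_AS(`" + domain + "')dnl"
    )

    # The MASQUERADE_DOMAIN directive makes mail relayed via mail-relay server
    # from all machines in the localdomain domains appear to come from the
    # MASQUERADE_AS domain. Using DNS, sendmail checks the domain name associated
    # with the IP address of the mail relay client sending the mail to help it
    # determine whether it should do masquerading or not.
    set_config_property2(sendmail_mc, "MASQUERADE_DOMAIN(localhost)dnl")
    set_config_property2(sendmail_mc, "MASQUERADE_DOMAIN(localhost.localdomain)dnl")

    # By default, user "root" will not be masqueraded. Removing the EXPOSED_USER
    # will also masquerade root.
    set_config_property(
        sendmail_mc,
        r".*EXPOSED_USER\(\`root'\)dnl.*",
        "dnl EXPOSED_USER(`root')dnl"
    )

    _rebuild_sendmail_config()
    _test_mail()

    version_obj.mark_executed()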
def build_client_certs(args):
    """Build an OpenVPN client bundle for every user directory in /home.

    For each entry under /home (except lost+found) that has no
    openvpn_client_keys.zip yet: generate a PKCS#12 client key with easy-rsa's
    build-key-pkcs12, point client.conf at the user's cert/key, and zip
    ca.crt, <user>.crt/.key/.p12, client.conf and install.txt into
    /home/<user>/openvpn_client_keys.zip, chowned to that user. Also adds a
    cron line to /etc/cronjob so this runs again for new users.

    Args:
        args: command-line arguments; not used here.
    """
    install.package("zip")
    os.chdir("/etc/openvpn/easy-rsa/keys")
    # NOTE(review): the search argument is a regex, so the bare "*" fields
    # do not match the literal cron line; whether an existing entry is
    # detected depends on how set_config_property handles a non-match.
    general.set_config_property("/etc/cronjob", "01 * * * * root run-parts syco build_client_certs", "01 * * * * root run-parts syco build_client_certs")

    # Create client.conf
    clientConf = "/etc/openvpn/easy-rsa/keys/client.conf"
    x("cp " + app.SYCO_PATH + "/var/openvpn/client.conf %s" % clientConf)
    x("echo auth-user-pass >> %s" % clientConf)
    scOpen(clientConf).replace('${OPENVPN.HOSTNAME}', config.general.get_openvpn_hostname())

    x("cp " + app.SYCO_PATH + "/doc/openvpn/install.txt .")

    # NOTE(review): "user" is a directory name taken from /home and is
    # interpolated unquoted into the shell commands below.
    for user in os.listdir("/home"):
        cert_already_installed=os.access("/home/" + user +"/openvpn_client_keys.zip", os.F_OK)
        # lost+found is not a user home.
        valid_file="lost+found" not in user
        if valid_file and not cert_already_installed:
            os.chdir("/etc/openvpn/easy-rsa/")
            # The certificate CN and name are the user name.
            general.set_config_property("/etc/openvpn/easy-rsa/vars", '[\s]*export KEY_CN.*', 'export KEY_CN="' + user + '"')
            general.set_config_property("/etc/openvpn/easy-rsa/vars", '[\s]*export KEY_NAME.*', 'export KEY_NAME="' + user + '"')
            general.set_config_property("/etc/openvpn/easy-rsa/build-key-pkcs12", '.*export EASY_RSA.*', 'source ./vars;export EASY_RSA="${EASY_RSA:-.}"')
            # NOTE(review): the export-password values in "events" are
            # redacted ("******") in this copy of the source and do not
            # parse as Python; the original expressions are not
            # recoverable from here and must be restored from the project.
            out = general.shell_exec("./build-key-pkcs12 --batch " + user, cwd="/etc/openvpn/easy-rsa/", events={'(?i)Enter Export Password:'******'\n', '(?i)Verifying - Enter Export Password:'******'\n'} )
            app.print_verbose(out)

            # Config client.crt
            general.set_config_property("/etc/openvpn/easy-rsa/keys/client.conf", "^cert.*crt", "cert " + user + ".crt")
            general.set_config_property("/etc/openvpn/easy-rsa/keys/client.conf", "^key.*key", "key " + user + ".key")
            # NOTE(review): as a regex "${OPENVPN.HOSTNAME}" cannot match
            # ("$" anchors at end of line); the placeholder was already
            # handled by the scOpen().replace() call above.
            general.set_config_property( "/etc/openvpn/easy-rsa/keys/client.conf", "${OPENVPN.HOSTNAME}", config.general.get_openvpn_hostname() )

            os.chdir("/etc/openvpn/easy-rsa/keys")
            x("zip /home/" + user +"/openvpn_client_keys.zip ca.crt " + user + ".crt " + user + ".key " + user + ".p12 client.conf install.txt")

            # Set permission for the user who now owns the file.
            # Mode 0440 (owner read + group read). NOTE(review): after the
            # chown to <user>:users below, every member of group "users" can
            # read this archive, which holds the user's private key; owner
            # read only (S_IRUSR) would be tighter.
            os.chmod("/home/" + user +"/openvpn_client_keys.zip", stat.S_IRUSR | stat.S_IRGRP)
            general.shell_exec("chown " + user + ":users /home/" + user +"/openvpn_client_keys.zip ")
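def remove_export(name):
    """Unmount /exports/<name> and drop its lines from /etc/exports and /etc/fstab.

    Args:
        name: the export's directory name under /exports. It is interpolated
            into a shell command and into regular expressions, so it is
            validated first: it must be non-empty, contain no whitespace, and
            have no empty, "." or ".." path components.

    Raises:
        ValueError: if ``name`` fails the validation above. Without it an
            empty name would match and remove *every* /exports line, and
            ".." would unmount "/".
    """
    import re

    if (not name or re.search(r"\s", name)
            or any(part in ("", ".", "..") for part in name.split("/"))):
        raise ValueError("invalid export name: %r" % (name,))

    x("umount /exports/" + name)

    # Escape the name (dots would otherwise be wildcards) and require a
    # field separator or end of line after it, so that removing "data" does
    # not also remove "/exports/database".
    escaped = re.escape(name)
    set_config_property("/etc/exports", r"^/exports/" + escaped + r"/?(\s.*)?$", "")
    set_config_property("/etc/fstab", r"^.*/exports/" + escaped + r"/?(\s.*)?$", "")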
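def install_openvpn_server(args):
    """The actual installation of openvpn server.

    Installs openvpn and openvpn-auth-ldap, renders /etc/openvpn/server.conf
    from the syco template, generates a CA, server certificate and DH
    parameters with easy-rsa, enables IP forwarding, points the
    openvpn-auth-ldap plugin at the LDAP server, opens the iptables chain,
    starts openvpn and builds the per-user client bundles. Runs once per
    SCRIPT_VERSION (version.Version guard).

    Args:
        args: command-line arguments, passed through to build_client_certs().
    """
    app.print_verbose("Install openvpn server version: %d" % SCRIPT_VERSION)
    version_obj = version.Version("InstallOpenvpnServer", SCRIPT_VERSION)
    version_obj.check_executed()

    x("yum -y install openvpn openvpn-auth-ldap")

    if not os.access("/etc/openvpn/easy-rsa", os.F_OK):
        x("cp -R /usr/share/openvpn/easy-rsa/2.0 /etc/openvpn/easy-rsa")

    # Install server.conf from the template and fill in its placeholders.
    serverConf = "/etc/openvpn/server.conf"
    x("cp " + app.SYCO_PATH + "/var/openvpn/server.conf %s" % serverConf)
    server_conf_values = (
        ('${EXTERN_IP}', net.get_public_ip()),
        ('${OPENVPN.NETWORK}', config.general.get_openvpn_network()),
        ('${FRONT.NETWORK}', config.general.get_front_network()),
        ('${FRONT.NETMASK}', config.general.get_front_netmask()),
        ('${BACK.NETWORK}', config.general.get_back_network()),
        ('${BACK.NETMASK}', config.general.get_back_netmask()),
    )
    for placeholder, value in server_conf_values:
        scOpen(serverConf).replace(placeholder, value)

    # Prepare the ca cert generation: the certificate subject fields come
    # from the syco config. Raw pattern because "\s" is not a string escape.
    fn = "/etc/openvpn/easy-rsa/vars"
    key_fields = (
        ("KEY_COUNTRY", config.general.get_country_name()),
        ("KEY_PROVINCE", config.general.get_state()),
        ("KEY_CITY", config.general.get_locality()),
        ("KEY_ORG", config.general.get_organization_name()),
        ("KEY_OU", config.general.get_organizational_unit_name()),
        ("KEY_EMAIL", config.general.get_admin_email()),
    )
    for field, value in key_fields:
        scOpen(fn).replace(r'[\s]*export ' + field + '.*', 'export ' + field + '="' + value + '"')

    # Can't find the current version of openssl.cnf.
    scOpen("/etc/openvpn/easy-rsa/whichopensslcnf").replace(r"\[\[\:alnum\:\]\]", "[[:alnum:]]*")

    # Generate CA cert, server cert and DH parameters.
    x("mkdir -p /etc/openvpn/easy-rsa")
    os.chdir("/etc/openvpn/easy-rsa/")
    x(". ./vars;./clean-all;./build-ca --batch;./build-key-server --batch server;./build-dh")
    # NOTE(review): dh1024.pem means 1024-bit DH parameters (KEY_SIZE in the
    # easy-rsa vars); ca.key is copied along although openvpn itself only
    # needs ca.crt. The brace list relies on the shell doing brace expansion.
    x("cp /etc/openvpn/easy-rsa/keys/{ca.crt,ca.key,server.crt,server.key,dh1024.pem} /etc/openvpn/")

    # To prevent error "TXT_DB error number 2" when running ./build-key-pkcs12 --batch xxx
    scOpen("/etc/openvpn/easy-rsa/keys/index.txt.attr").replace("unique_subject.*", "unique_subject = no")

    # To be able to route trafic to internal network.
    general.set_config_property("/etc/sysctl.conf", r'[\s]*net.ipv4.ip_forward[\s]*[=].*', "net.ipv4.ip_forward = 1")
    x("echo 1 > /proc/sys/net/ipv4/ip_forward")

    _configure_openvpn_ldap_auth()

    iptables.add_openvpn_chain()
    iptables.save()

    x("/etc/init.d/openvpn restart")
    x("/sbin/chkconfig openvpn on")

    build_client_certs(args)
    version_obj.mark_executed()


def _configure_openvpn_ldap_auth():
    """Point openvpn-auth-ldap at the LDAP server and enable the plugin.

    Rewrites /etc/openvpn/auth/ldap.conf in place through scOpen().replace()
    and appends the plugin line to /etc/openvpn/server.conf. The replacement
    strings carry literal backslash-t sequences (as the existing edits do),
    so they are written as raw strings.
    """
    ldapconf = scOpen("/etc/openvpn/auth/ldap.conf")
    ldapconf.replace(r"^\s*URL\s*.*", r"\tURL\tldaps://%s" % config.general.get_ldap_hostname())
    # NOTE(review): this writes the LDAP Manager password into ldap.conf;
    # the file's permissions are not set here, so make sure it stays
    # readable by root only.
    ldapconf.replace(r"^\s*# Password\s*.*", r"\tPassword\t%s" % app.get_ldap_admin_password())
    ldapconf.replace(r"^\s*# BindDN\s*.*", r"\tBindDN\tcn=Manager,%s" % config.general.get_ldap_dn())
    # TLSEnable (STARTTLS) is left commented out, presumably because the
    # URL above already uses ldaps://.
    ldapconf.replace(r"^\s*TLSEnable\s*.*", r"\t# TLSEnable\t YES")

    # Deal with certs.
    ldapconf.replace(r"^\s*TLSCACertFile\s*.*", r"\tTLSCACertFile\t /etc/openldap/cacerts/ca.crt")
    ldapconf.replace(r"^\s*TLSCACertDir\s*.*", r"\tTLSCACertDir\t /etc/openldap/cacerts/")
    ldapconf.replace(r"^\s*TLSCertFile\s*.*", r"\tTLSCertFile\t /etc/openldap/cacerts/client.crt")
    ldapconf.replace(r"^\s*TLSKeyFile\s*.*", r"\tTLSKeyFile\t /etc/openldap/cacerts/client.key")

    # Auth. Bug fix: the BaseDN replacement used to start with "\B" instead
    # of "\tB", dropping the leading tab every other line has.
    ldapconf.replace(r"^\s*BaseDN\s*.*", r'\tBaseDN\t "%s"' % config.general.get_ldap_dn())
    ldapconf.replace(r"^\s*SearchFilter\s*.*", r'\tSearchFilter\t "(\&(uid=%u)(employeeType=Sysop))"')

    x('echo "plugin /usr/lib64/openvpn/plugin/lib/openvpn-auth-ldap.so /etc/openvpn/auth/ldap.conf" >> /etc/openvpn/server.conf ')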
def replace_add(self, search, replace):
    """Apply a set_config_property() edit to this object's file.

    Thin wrapper: ``search`` and ``replace`` are handed unchanged to the
    module-level set_config_property() together with ``self.filename``.
    """
    target_file = self.filename
    set_config_property(target_file, search, replace)
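def _modify_cobbler_settings():
    """Write the syco-specific values into /etc/cobbler/settings and friends.

    Points cobbler's server/next_server at this installation server, sets
    the default root password hash and the KVM virt defaults, enables DHCP
    management and build reporting, installs the kickstart and DHCP
    templates, adds the nightly repo-refresh cron line, sets the Apache
    ServerName and restarts httpd and cobblerd. No return value.
    """
    app.print_verbose("Update cobbler config files")

    installation_server_ip = config.general.get_installation_server_ip()
    settings_file = "/etc/cobbler/settings"
    # (regex matching the existing line, replacement line), in the order the
    # original code applied them.
    cobbler_settings = (
        ('^server:.*', "server: " + installation_server_ip),
        ('^next_server:.*', "next_server: " + installation_server_ip),
        ('^default_virt_bridge:.*', "default_virt_bridge: br0"),
        # NOTE(review): this stores the root password hash in
        # /etc/cobbler/settings; keep that file readable by root only.
        ('^default_password_crypted:.*', "default_password_crypted: " + app.get_root_password_hash()),
        ('^default_virt_type:.*', "default_virt_type: qemu"),
        ('^anamon_enabled:.*', "anamon_enabled: 1"),
        ('^yum_post_install_mirror:.*', "yum_post_install_mirror: 1"),
        ('^manage_dhcp:.*', "manage_dhcp: 1"),
        # Email out a report when cobbler finishes installing a system.
        ('^build_reporting_enabled:.*', 'build_reporting_enabled: 1'),
        # Bug fix: the pattern used to read "build_reporting_email::" (double
        # colon), which never matches the single-colon key in the file.
        ('^build_reporting_email:.*', "build_reporting_email: [ '%s' ]" % config.general.get_admin_email()),
    )
    for pattern, line in cobbler_settings:
        general.set_config_property(settings_file, pattern, line)

    # Setup kickstart files.
    shutil.copyfile(app.SYCO_PATH + "/var/kickstart/cobbler.ks", "/var/lib/cobbler/kickstarts/cobbler.ks")

    # Configure DHCP.
    shutil.copyfile(app.SYCO_PATH + "/var/dhcp/dhcp.template", "/etc/cobbler/dhcp.template")

    # Config crontab to update repo automagically.
    general.set_config_property2("/etc/crontab", "01 4 * * * root syco install-cobbler-refresh")

    # Set apache servername.
    general.set_config_property(
        "/etc/httpd/conf/httpd.conf",
        "#ServerName www.example.com:80",
        "ServerName " + config.general.get_installation_server() + ":80")

    x("/etc/init.d/httpd restart")
    x("/etc/init.d/cobblerd restart")

    # Wait for cobblerd to restart. A fixed sleep: a slow restart can still
    # make the following cobbler commands fail.
    time.sleep(1)

    # Iptables rules need be fixed now. get-loaders fetches the boot loaders
    # from the network.
    x("cobbler get-loaders")

    # Setup distro/repo for centos.
    x("cobbler check")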
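def install_ntp(ntp_server_ip = False):
    """Install and configure the ntp-server on the local host.

    Args:
        ntp_server_ip: when given (truthy), ntpd is configured as a client
            that syncs only against this internal server and ignores every
            other peer; when False (the default) it is configured as a
            server against the external sptime/netnod hosts plus the slave
            server from config.

    Runs once per SCRIPT_VERSION (version.Version guard).
    """
    import re

    app.print_verbose("Install NTP version: %d" % SCRIPT_VERSION)
    version_obj = version.Version("InstallNTP", SCRIPT_VERSION)
    version_obj.check_executed()

    # Install the NTP packages; the presence of /etc/ntp.conf is used as the
    # "already installed" marker.
    if not os.access("/etc/ntp.conf", os.F_OK):
        general.shell_exec("yum -y install ntp")
        general.shell_exec("/sbin/chkconfig ntpd on")

    iptables.add_ntp_chain()
    iptables.save()

    # Set ntp-server configs.
    #
    # For restrict info: http://www.eecis.udel.edu/~mills/ntp/html/accopt.html
    #
    ntp_conf = "/etc/ntp.conf"
    if ntp_server_ip:
        app.print_verbose("Configure /etc/ntp.conf as a client")
        # Allow access to/from the ntp-server. You may use either a hostname
        # or IP address on the server line. You must use an IP address on the
        # restrict line. Or do I??
        restrict_line = "restrict " + ntp_server_ip + " kod nomodify notrap nopeer noquery"
        settings = (
            # Deny packets of all kinds, including ntpq(8) and ntpdc(8) queries.
            ("restrict default.*", "restrict default ignore"),
            ("restrict -6 default.*", "restrict -6 default ignore"),
            # Using only internal NTP-server.
            ("server 0.*ntp.org", "server " + ntp_server_ip + " burst"),
            (".*server 1.*ntp.org", "#server 1.se.pool.ntp.org"),
            (".*server 2.*ntp.org", "#server 2.se.pool.ntp.org"),
            # The restrict line is both the search pattern and the value;
            # escape it so the dots in the IP match literally.
            (re.escape(restrict_line), restrict_line),
            # Don't use fudge server.
            (".*server.*127.127.1.0.*", "#server 127.127.1.0"),
            (".*fudge.*127.127.1.0.*", "#fudge 127.127.1.0 stratum 10"),
            # This command modifies the ntpd panic threshold (which is normally
            # 1024 seconds). Setting this to 0 disables the panic sanity check
            # and a clock offset of any value will be accepted.
            (".*tinker panic.*", "tinker panic 0"),
        )
    else:
        app.print_verbose("Configure /etc/ntp.conf as a server")
        settings = (
            ("server 0.*ntp.org", "server ntp3.sptime.se"),
            ("server 1.*ntp.org", "server ntp4.sptime.se"),
            ("server 2.*ntp.org", "server ntp1.sth.netnod.se"),
            ("server 3.*ntp.org", "server " + config.general.get_slave_ntp_server()),
        )
    for pattern, line in settings:
        general.set_config_property(ntp_conf, pattern, line)

    general.shell_exec("service ntpd start")
    version_obj.mark_executed()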
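def _modify_cobbler_settings():
    """Write the syco-specific values into /etc/cobbler/settings and friends.

    Points cobbler's server/next_server at this installation server, sets
    the default root password hash and the KVM virt defaults, enables DHCP
    management and build reporting, installs the kickstart and DHCP
    templates, adds the nightly repo-refresh cron line, sets the Apache
    ServerName and restarts httpd and cobblerd. No return value.
    """
    app.print_verbose("Update cobbler config files")

    settings_file = "/etc/cobbler/settings"
    installation_server_ip = config.general.get_installation_server_ip()

    def set_setting(pattern, line):
        # Every cobbler setting is a "key: value" line matched by a ^key: regex.
        general.set_config_property(settings_file, pattern, line)

    set_setting('^server:.*', "server: " + installation_server_ip)
    set_setting('^next_server:.*', "next_server: " + installation_server_ip)
    set_setting('^default_virt_bridge:.*', "default_virt_bridge: br0")
    # NOTE(review): this stores the root password hash in
    # /etc/cobbler/settings; keep that file readable by root only.
    set_setting('^default_password_crypted:.*', "default_password_crypted: " + app.get_root_password_hash())
    set_setting('^default_virt_type:.*', "default_virt_type: qemu")
    set_setting('^anamon_enabled:.*', "anamon_enabled: 1")
    set_setting('^yum_post_install_mirror:.*', "yum_post_install_mirror: 1")
    set_setting('^manage_dhcp:.*', "manage_dhcp: 1")

    # Email out a report when cobbler finishes installing a system.
    set_setting('^build_reporting_enabled:.*', 'build_reporting_enabled: 1')
    # Bug fix: the pattern used to read "build_reporting_email::" (double
    # colon), which never matches the single-colon key in the file.
    set_setting(
        '^build_reporting_email:.*',
        "build_reporting_email: [ '%s' ]" % config.general.get_admin_email()
    )

    # Setup kickstart files.
    shutil.copyfile(app.SYCO_PATH + "/var/kickstart/cobbler.ks", "/var/lib/cobbler/kickstarts/cobbler.ks")

    # Configure DHCP.
    shutil.copyfile(app.SYCO_PATH + "/var/dhcp/dhcp.template", "/etc/cobbler/dhcp.template")

    # Config crontab to update repo automagically.
    general.set_config_property2("/etc/crontab", "01 4 * * * root syco install-cobbler-refresh")

    # Set apache servername.
    general.set_config_property("/etc/httpd/conf/httpd.conf", "#ServerName www.example.com:80", "ServerName " + config.general.get_installation_server() + ":80")

    x("/etc/init.d/httpd restart")
    x("/etc/init.d/cobblerd restart")

    # Wait for cobblerd to restart. A fixed sleep: a slow restart can still
    # make the following cobbler commands fail.
    time.sleep(1)

    # Iptables rules need be fixed now. get-loaders fetches the boot loaders
    # from the network.
    x("cobbler get-loaders")

    # Setup distro/repo for centos.
    x("cobbler check")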
def _configure_rsnapshot():
    """Write the base rsnapshot configuration.

    /etc/rsnapshot.conf is always rebuilt from a pristine copy: the first run
    saves the distribution file as /etc/rsnapshot.conf.backup, later runs
    restore from it. Then the snapshot root, ssh command, hourly/monthly
    retention and the NoBackup exclude are set, and the two default
    localhost backup lines are blanked out.
    """
    app.print_verbose("Configure rsnapshot.")

    conf = "/etc/rsnapshot.conf"
    pristine = "/etc/rsnapshot.conf.backup"

    # Always use a default .conf file as the base.
    if os.access(pristine, os.F_OK):
        shutil.copyfile(pristine, conf)
    else:
        shutil.copyfile(conf, pristine)

    # Default config values as (line regex, replacement), applied in order.
    defaults = [
        (".*snapshot_root.*", "snapshot_root\t\t" + BACKUP_ROOT),
        (".*cmd_ssh.*", "cmd_ssh\t\t/usr/bin/ssh"),
        (".*interval.*hourly.*", "interval\thourly\t24"),
        (".*interval.*monthly.*", "interval\tmonthly\t12"),
        (".*exclude.*NoBackup.*", "exclude\tNoBackup"),
        (".*backup.*etc.*localhost.*", ""),
        (".*backup.*usr[/]local.*localhost.*", ""),
    ]
    for pattern, value in defaults:
        general.set_config_property(conf, pattern, value)