電腦教室大量還原系統建置 sop( 以 i2511 為例 )

電腦教室大量還原系統建置SOP( 以 I2511 為例 )

組員 : 徐啟閎林啟哲李平李承鴻

建置流程 ( 大綱 )

完成建置

其他 Client 端利用映像檔進行大量安裝

利用安裝完成的 Client 壓制映像檔並存到 SERVER

將一台 Client 端電腦完整安裝

建置 SERVER

使用服務概述• DHCP: 進行 Client 端的 IP 分配• DNS: 搭配 DHCP 使 IP 與主機名稱互相對應• TFTP : 傳送 PXE 檔案與開機所需的核心檔案到 Client 端• NFS:Client 端取得 ks.cfg 與後續安裝系統所需的各檔案• squid: 設置 proxy• HTTP: 讓 sarg 軟體順利使用

Server 端硬碟分割表Device 大小檔案系統掛載點

/dev/sda1 1GB Linux /boot

/dev/sda2 140GB Linux /home

/dev/sda3 10GB Linux /

/dev/sda4 延伸分割/dev/sda5 150GB Linux

/dev/sda6 150GB LinuxDevice 大小檔案系統掛載點

/dev/sdb1 1GB Linux

/dev/sdb2 140GB Linux


/dev/sdb4 延伸分割/dev/sdb5 150GB Linux


Client 端硬碟分割表Device 名稱檔案系統大小/dev/sda1 Backup ext3 3G/dev/sda2 Win7 NTFS 40G/dev/sda3 WinXP NTFS 15G/dev/sda5 D: NTFS 30G/dev/sda6 Class1 ext3 15G/dev/sda7 Ubuntu ext3 15G/dev/sda8 Class2 ext3 15G

Server 建置流程安裝 CentOS 決定分割表內容設定網際網路與主機名稱更新系統

安裝必要的程式設定 SElinux設定 DHCP設定 DNS

設定 TFTP 設定 NFS 建置 RAID 建置 date 檔案

設定 squid 與安裝 sarg建置防火牆重起所有服務與設定開機啟動

Server 建置流程• 1 、安裝 CentOS 5.5– 不用安裝圖形介面

• 2 、決定分割表內容– 指令 fdisk /dev/sda– sda1 1G boot– sda2 140G /home– sda3 10G /

Server 建置流程 - 設定網路與主機名稱3 、設定 IP

– vim /etc/sysconfig/network-scripts/ifcfg-eth0• IP:120.114.140.189• NETMASK:255.255.255.192• GATEWAY:120.114.140.190

– vim /etc/sysconfig/network-scripts/ifcfg-eth1• IP:192.168.25.254• NETMASK:255.255.255.0

4 、設定 hostname – Vim /etc/sysconfig/network– HOSTNAME=i2511.dic.ksu

5 、設定 nameserver– vim /etc/resolv.conf– nameserver 120.114.150.1– nameserver 120.114.100.1

Server 建置流程6、更新系統

– yum clean all– yum update

7、安裝必要的程式 – 安裝 setroubleshoot

• yum install setroubleshoot– 安裝 DHCP

• yum install dhcp– 安裝 DNS

• yum install bind• yum install caching-nameserver• yum install bind-chroot

– 安裝 TFTP• yum install tftp• yum install tftp-server

– 安裝 www server• yum install httpd• yum install php• yum install mysql

– 安裝 squid • yum install squid

Server 建置流程8 、設定 selinux– Vim /etc/selinux/config– SELINUX=permissive <<<< 改成 permissive, 原本為 enforcing

9 、設定 DHCP– /etc/sysconfig/dhcpd• # Command line options here• DHCPDARGS=eth1

– /etc/dhcpd.conf

dhcpd.conf 檔案內容## DHCP Server Configuration file.# see /usr/share/doc/dhcp*/dhcpd.conf.sample#

#1.ddns-update-style none;default-lease-time 259200;max-lease-time 518400;option routers 192.168.25.254;option broadcast-address 192.168.25.255;option domain-name-servers 192.168.25.254;#2.subnet 192.168.25.0 netmask 255.255.255.0 { range 192.168.25.1 192.168.25.100; option subnet-mask 255.255.255.0; option domain-name "i2511.dic.ksu";

next-server 192.168.25.254; filename "/pxelinux.0";

host station1.i2511.dic.ksu { hardware ethernet 00:1B:78:4F:FF:3E; fixed-address 192.168.25.1; } host station2.i2511.dic.ksu { hardware ethernet 00:1B:78:4F:FF:CE; fixed-address 192.168.25.2; } host station3.i2511.dic.ksu { hardware ethernet 00:1B:78:4F:FF:34; fixed-address 192.168.25.3; }}

填入教室的網卡卡號跟 IP 對應

Server 建置流程10 、設定 DNS– /var/named/chroot/etc/named.conf DNS 設定檔– ./var/named/named.192.168.25 . 反解設定– ./var/named/named.i2511.dic.ksu 正解設定

named.conf 設定檔內容• options {• directory "/var/named";• dump-file "/var/named/data/cache_dump.db";• statistics-file "/var/named/data/named_stats.txt";• pid-file "/var/run/named/named.pid"; ##• # memstatistics-file "/var/named/data/named_mem_stats.txt";

• allow-query { any; };• allow-transfer { none; }; ##• # allow-query-cache { localhost; };• };

• zone "." {• type hint;• file "named.ca";• };

• zone “i2511.dic.ksu” { 正解設置• type master;• file "named.i2511.dic.ksu";• };• zone “25.168.192.in-addr.arpa” { 反解設置• type master;• file "named.192.168.25";• };

named.i2511.dic.ksu 內容• $TTL 600• @ IN SOA @ root (20110125 3H 1H 1W 1D)• @ IN NS @• @ IN A 192.168.25.254• station1 IN A 192.168.25.1• station2 IN A 192.168.25.2• station3 IN A 192.168.25.3• station4 IN A 192.168.25.4• station5 IN A 192.168.25.5• station6 IN A 192.168.25.6• station7 IN A 192.168.25.7• station8 IN A 192.168.25.8• station9 IN A 192.168.25.9• station10 IN A 192.168.25.10• station11 IN A 192.168.25.11• station12 IN A 192.168.25.12• station13 IN A 192.168.25.13• station14 IN A 192.168.25.14• station15 IN A 192.168.25.15• station16 IN A 192.168.25.16• station17 IN A 192.168.25.17• station18 IN A 192.168.25.18• station19 IN A 192.168.25.19• station20 IN A 192.168.25.20

named.192.168.25 內容 • $TTL 600• @ IN SOA i2511.dic.ksu. root.i2511.dic.ksu. (• 2010021101 28800 14400 3600000 86400 )• @ IN NS i2511.dic.ksu.• 254 IN PTR i2511.dic.ksu.

• 1 IN PTR station1.i2511.dic.ksu.• 2 IN PTR station2.i2511.dic.ksu.• 3 IN PTR station3.i2511.dic.ksu.• 4 IN PTR station4.i2511.dic.ksu.• 5 IN PTR station5.i2511.dic.ksu.• 6 IN PTR station6.i2511.dic.ksu.• 7 IN PTR station7.i2511.dic.ksu.• 8 IN PTR station8.i2511.dic.ksu.• 9 IN PTR station9.i2511.dic.ksu.• 10 IN PTR station10.i2511.dic.ksu.• 11 IN PTR station11.i2511.dic.ksu.• 12 IN PTR station12.i2511.dic.ksu.• 13 IN PTR station13.i2511.dic.ksu.• 14 IN PTR station14.i2511.dic.ksu.• 15 IN PTR station15.i2511.dic.ksu.• 16 IN PTR station16.i2511.dic.ksu.• 17 IN PTR station17.i2511.dic.ksu.• 18 IN PTR station18.i2511.dic.ksu.• 19 IN PTR station19.i2511.dic.ksu.• 20 IN PTR station20.i2511.dic.ksu.

Server 建置流程11、設定TFTP

– TFTP設定檔 :/etc/xinetd.d/tftp

# default: off# description: The tftp server serves files using the trivial file transfer \# protocol. The tftp protocol is often used to boot diskless \# workstations, download configuration files to network-aware printers, \# and to start the installation process for some operating systems.service tftp{ disable = no socket_type = dgram protocol = udp wait = yes user = root server = /usr/sbin/in.tftpd server_args = -s /data/tftpboot #TFTP分享目錄 per_source = 11 cps = 100 2 flags = IPv4}

Server 建置流程12 、設定 NFS

NFS 設定檔位置 :/etc/exports/data/iso 192.168.25.0/24(rw,sync)/data/restore 192.168.25.0/24(rw,sync)/data/kickstart 192.168.25.0/24(ro,sync)/data/tftpboot 192.168.25.0/24(ro,sync)/data/tftpboot/pxelinux.cfg 192.168.25.0/24(rw,sync)

Server 建置流程• 固定 NFS 的 PORT– 修改 /etc/sysconfig/nfs• RQUOTAD_PORT=901• RPCRQUOTADOPTS="901“• LOCKD_TCPPORT=902• LOCKD_UDPPORT=902• MOUNTD_PORT=903• STATDARG="904"• STATD_PORT=904

Server 建置流程13、建置RAID

– 使用 fdisk至做出以下的分割區

• mdadm –detail 檢查raid訊息– mdadm –create –auto=yes /dev/md0 –raid-devices=2 –level=0 /dev/sda5 /dev/sdb5– mdadm –create –auto=yes /dev/md1 –raid-devices=2 –level=0 /dev/sda5 /dev/sdb5

• 修改/etc/fstab已達成開機自動掛載

– vim /etc/fstab– /dev/md0 /data ext3 defaults 1 2– /dev/md1 /proxy ext3 defaults 1 2

• 還必須要寫入mdadm的設定檔案內，這樣才算完成

– vim /etc/mdadm.conf– ARRAY /dev/md0 UUID=08f97298:432e6d90:09b192ff:ecd30200– ARRAY /dev/md0 UUID= e09247d3:0c2f54b6:068e87ab:fe78a3ad

• 查詢UUID的方式

– mdadm –detail /dev/md0 | grep –color=auto ‘UUID’– mdadm –detail /dev/md1 | grep –color=auto ‘UUID’

/sda5 150GB /sdb5 150GB md0(300GB)

/sda6 150GB /sdb6 150GB md1(300GB)

Server 建置流程 -data 架構圖

(DATA)d755

ISOd755

kickstartd755

restored755

tftpbootd755

network-install.iso-644

ks.cfg-755

imagesd777

scriptsd755

softwared755

i2511d777

-644(dcms_i2511_class1.img-644(dcms_i2511_class2.img-644(dcms_i2511_data.img-644(dcms_i2511_sda7.img-644(dcms_i2511_win7.img-644(dcms_i2511_newxp.img

(kernel)d755

pxelinux.0-644

-644(dcms_first_rewrite.sh-644(dcms_menu.sh-644(dcms_restore.sh-644(firewall.sh

-755(partimage-0.6.6-1.fc7.rf.i386.rpm-755(partimage-0.6.6-1.e15.rf.x86_64.rpm -644(udpcast-20091230-1.i386.rpm

pxelinux.cfgd777

-644(default-644(pxe_menu.sh-644(pxe_more.sh-644(pxe_script.sh-644(pxe_wol.sh

-644(initrd.img-755(vmlinuz

Server 建置流程 - 修改 kickstart腳本• /data/kickstart/ks.cfg

– nfs --server=192.168.25.254 --dir=/data/iso 第 5 行– mount -t nfs 192.168.25.254:/data/restore /server 第 51 行– mount -t nfs 192.168.25.254:/data/tftpboot/pxelinux.cfg /server 第 66 行

Server 建置流程 - 修改 scripts 腳本• /data/restore/scripts/dcms_first_rewrite.sh

– mou=192.168.${domain}.254:/data/restore 修改掛載點路徑第 29 行• /data/restore/scripts/dcms_menu.sh

– mou=192.168.${domain}.254:/data/restore 第 24 行• /data/restore/scripts/dcms_restore.sh

– mou=192.168.${domain}.254:/data/restore 第 33 行

Server 建置流程 - 修改 PXE 腳本• /data/tftpboot/pxelinux.cfg/pxe_menu.sh

– 第 12 行– /usr/bin/sudo /bin/sh /data/tftpboot/pxelinux.cfg/pxe_script.sh ${num}– sleep 1s– ############################ wol ###########################– /usr/bin/sudo /bin/sh /data/tftpboot/pxelinux.cfg/pxe_wol.sh ${num}– sleep 1s

• /data/tftpboot/pxelinux.cfg/pxe_more.sh– for num in $(seq 1 19) 教室電腦編號– do– sh /data/tftpboot/pxelinux.cfg/pxe_script.sh $num– sleep 1s– sh /data/tftpboot/pxelinux.cfg/pxe_wol.sh $num– sleep 1s– done

Server 建置流程 - 修改 PXE 腳本( 續 )

• /data/tftpboot/pxelinux.cfg/pxe_script.shcase $1 in "1") pxedata='01-00-1b-78-4f-ff-3e' ;; "2") pxedata=‘01-00-1b-78-4f-ff-ce‘ 依序修改網卡卡號與編號

• /data/tftpboot/pxelinux.cfg/pxe_wol.shcase $1 in "1") /usr/bin/sudo /sbin/ether-wake -i eth1 00:1B:78:4F:FF:3E ;; "2") /usr/bin/sudo /sbin/ether-wake -i eth1 00:1B:78:4F:FF:CE 依序修改網卡卡號與編號

;;

Server 建置流程 - 設置 squid• 在/etc/squid下新增以下檔案

– game_url (666)– web_url (666)– pc_mac (666)

• 設定squid設定檔– vim /etc/squid/squid.conf第574行acl all src 0.0.0.0/0.0.0.0acl dicip src 192.168.25.0/24acl dicdn dstdomain tw.yahoo.com tw.google.com tw.msn.comacl manager proto cache_objectacl localhost src 127.0.0.1/255.255.255.255acl to_localhost dst 127.0.0.0/8acl SSL_ports port 443acl Safe_ports port 80 # httpacl Safe_ports port 21 # ftpacl Safe_ports port 443 # httpsacl Safe_ports port 70 # gopheracl Safe_ports port 210 # waisacl Safe_ports port 1025-65535 # unregistered portsacl Safe_ports port 280 # http-mgmtacl Safe_ports port 488 # gss-httpacl Safe_ports port 591 # filemakeracl Safe_ports port 777 # multiling httpacl CONNECT method CONNECT

acl gameurl url_regex "/etc/squid/game_url"http_access deny gameurlacl weburl url_regex "/etc/squid/web_url"http_access deny weburlacl pcmac arp "/etc/squid/pc_mac"http_access deny pcmac

Server 建置流程• squid.conf內容(續)

http_access allow dicip 618行http_access deny allhttp_access allow manager localhost 624行http_access deny managerhttp_access deny !Safe_ports 627行http_access deny CONNECT !SSL_ports 629行http_access allow localhost 645行http_access deny allicp_access deny all 684行icp_access allow allhttp_port 3128 transparent 931行cache_peer proxy.ksu.edu.tw parent 3128 3130 1462行hierarchy_stoplist cgi-bin ? 1551行cache_mem 0 MB 1589行cache_dir ufs /var/spool/squid 500 16 256 1796行cache_dir ufs /proxy/proxy1 100000 64 254cache_dir ufs /proxy/proxy2 100000 64 254cache_dir ufs /proxy/proxy3 100000 64 254cache_swap_low 75 1855行cache_swap_high 90access_log /var/log/squid/access.log squid 1961行cache_store_log /var/log/squid/store.log 1987行pid_filename /var/run/squid.pid 2099行acl QUERY urlpath_regex cgi-bin \? 2386行cache deny QUERYrefresh_pattern ^ftp: 1440 20% 10080 2470行refresh_pattern ^gopher: 1440 0% 1440refresh_pattern . 0 20% 4320acl apache rep_header Server ^Apache 2665行broken_vary_encoding allow apache

visible_hostname i2511.dic.ksu 3019 行 icp_port 3130 3553 行always_direct allow dicip dicdn 4019 行allow_underscore on 4101 行coredump_dir /var/spool/squid 4445 行

Server 建置流程• 安裝 sarg

– wget http://www.sfr-fresh.com/unix/privat/sarg-2.3.1.tar.gz– yum install gcc– tar zxvf sarg-2.3.1.tar.gz– cd sarg-2.3.1– ./configure– make– make install

http://www.sfr-fresh.com/unix/privat/sarg-2.3.1.tar.gz

Server 建置流程• 修改 sarg.conf

– vim /usr/local/etc/sarg.conf– sarg.conf 內容

• language English 第 30 行• access_log /var/log/squid/access.log 第 37 行• title “I2511 SARG WEB“ 第 56 行• output_dir /var/www/html/dcms/sarg 第 152 行• overwrite_report no 第 241 行• exclude_codes /usr/local/etc/exclude_codes 第 282 行• max_elapsed 28800000 第 294 行• charset UTF-8 第 372 行

• 輸入指令 sarg 產生報表– 可至 http://120.114.140.189/dcms/sarg/觀察監控情形

http://120.114.140.189/dcms/sarg/

Server 建置流程#########################################iptables -Fiptables -Xiptables -Z#########################################iptables -P INPUT DROPiptables -P OUTPUT ACCEPTiptables -P FORWARD ACCEPT#########################################iptables -A INPUT -i lo -j ACCEPTiptables -A INPUT -m state --state ESTABLISHED,RELATED -j

ACCEPTiptables -A INPUT -p icmp -j ACCEPT##################### DNS ####################iptables -A INPUT -p udp --dport 53 -j ACCEPTiptables -A INPUT -p tcp --dport 53 -j ACCEPTiptables -A INPUT -p tcp --dport 953 -j ACCEPT################## TFTP ######################iptables -A INPUT -i eth1 -p udp --dport 69 -j ACCEPT################## DHCP ######################iptables -A INPUT -i eth1 -p udp --dport 67 -j ACCEPT#################### NFS #####################iptables -A INPUT -i eth1 -p udp --dport 111 -j ACCEPTiptables -A INPUT -i eth1 -p tcp --dport 111 -j ACCEPTiptables -A INPUT -i eth1 -p udp --dport 2049 -j ACCEPTiptables -A INPUT -i eth1 -p tcp --dport 2049 -j ACCEPTiptables -A INPUT -i eth1 -p udp --dport 901:904 -j ACCEPTiptables -A INPUT -i eth1 -p tcp --dport 901:904 -j ACCEPT

#################### SSH #####################iptables -A INPUT -i eth1 -p tcp --dport 22 -j ACCEPTiptables -A INPUT -i eth0 -s 120.114.140.0/24 -p tcp --dport 22 -j ACCEPTiptables -A INPUT -i eth0 -s 120.114.141.0/24 -p tcp --dport 22 -j ACCEPTiptables -A INPUT -i eth0 -s 120.114.142.0/24 -p tcp --dport 22 -j ACCEPT#################### HTTP ####################iptables -A INPUT -p tcp --dport 80 -j ACCEPT#################### FTP #####################iptables -A INPUT -p tcp --dport 21 -j ACCEPT#################### NAT #####################iptables -t nat -Fiptables -t nat -Xiptables -t nat -Ziptables -t nat -P PREROUTING ACCEPTiptables -t nat -P POSTROUTING ACCEPTiptables -t nat -P OUTPUT ACCEPTiptables -t nat -A POSTROUTING -s 192.168.25.0/24 -o eth0 -j MASQUERADE################### SUQID #####################iptables -A INPUT -i eth1 -p tcp --dport 3128 -j ACCEPTiptables -t nat -A PREROUTING -s 192.168.25.0/24 -d 120.114.140.189 -i eth1 -p tcp --dport 80 -j ACCEPTiptables -t nat -A PREROUTING -s 192.168.25.0/24 -d 192.168.25.254 -i eth1 -p tcp --dport 80 -j ACCEPTiptables -t nat -A PREROUTING -s 192.168.25.0/24 -p tcp --dport 80 -j REDIRECT --to-ports 3128##############################################/etc/init.d/iptables save

Server 建置流程• 重起所有服務與設定開機啟動

– /etc/init.d/network restart– /etc/init.d/dhcpd restart– chkconfig dhcp on– /etc/init.d/xinetd restart TFTP 服務– chkconfig xinetd on – /etc/init.d/named restart– chkconfig named on– /etc/init.d/nfs restart– chkconfig nfs on– /etc/init.d/httpd restart– chkconfig httpd on– /etc/init.d/squid restart– chkconfig squid on– /etc/init.d/setroubleshoot restart– chkconfig setroubleshoot restart

Server 建置流程 -sarg 成果檢視

SERVER 其他設置• 封鎖 ROOT 得 SSH 功能

– vim /etc/ssh/sshd_config• PermitRootLogin no 第 39 行 # 這樣就不能直接 ssh root

• 開放使用者 dic 擁有 sudo root 的權限– 新增使用者 dic 密碼設定為 123456

• useradd dic• echo 123456 | passwd –stdin dic

– 用 visudo 指令去修改 sudo 的設定檔– 找 root ALL(ALL) ALL 第 76 行– 下面新增 (ex: vbird ALL(ALL) ALL

• 讓 SERVER 可以每天自動更新– vim /etc/crontab– 新增 0 1 * * * root yum -y update && yum clean packages

The end

電腦教室大量還原系統建置 sop( 以 i2511 為例 )

Documents