This guide is for all new servers in the Proxmox cluster for CNAP (not the student cluster)
VM numbers start at 202
Default settings, including BIOS (not UEFI)
Alfa runs 1 CPU, 4 cores; more/larger is fine (max 2 CPUs because of the motherboard, max 16 cores because of the allocation algorithm)
Hard disk: the standard for a server is 99GB, but if more is needed, take more. Alfa will in the future get an extra 99GB disk that may fill up, for /var with syslog and TFTP files
RAM: 16GB (we have plenty of RAM for 10 servers, so we run with this for now). Don't forget to monitor usage afterwards to see whether the RAM is enough
No server runs a trunk; all must be connected to a specific VLAN number
English, Swedish keyboard
Whole disk
Static IP address, domain: cnap.hv.se, DNS 193.10.199.96, 193.10.198.35 (not alfa)
No IPv6
Create your own username (imra) with your own strong password (hahaha)
After installation:
Fix IPv6: the address must end in ::11 for 193.10.203.11, and so on
add:
addresses:
  - 2001:6b0:1d:10::X/64
routes:
  - to: default
    via: 2001:6b0:1d:10::1
← ← May be wrong; either automatically via ND RA, or FE80::10 ??
No IPv6 nameservers, no extra search path
Set up accounts for everyone else ??
Test IP:
ip route
ip -6 route
ip neighb <-- REACHABLE (fe80::10 still failed)
ping ipv6.google.com
ping 2600::
Fortigate# diagnose ipv6 address list
Fortigate# execute ping6 fe80::10 -I VLAN10
Change in Proxmox → VM 20x (xyz) → Options → QEMU guest agent → Enabled
If you get orange text you must reboot the VM in Proxmox (not in Linux; shutdown -r now does not work !!!)
Possibly:
apt update
apt-get install qemu-guest-agent
systemctl start qemu-guest-agent
systemctl enable qemu-guest-agent
Double-check the IP address in Proxmox
FIX COPY-PASTE
?
Check IPv6 ??
ethtool ens18
ip
disable UFW
install iptables
systemctl start …
systemctl enable …
Verify
IPv4
# no ip-numbers are allowed here, only services! IP's are in the Fortigate Firewall
iptables -S
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -i lo -m comment --comment "Allow local communication WITHIN this server" -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -m comment --comment "TCP,UDP,ICMP? return traffic from OUR packets" -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -m comment --comment "Allow incoming PING" -j ACCEPT
# enable SSH if brute-force-safe
-A INPUT -p tcp -m tcp --dport 22 -m comment --comment "Allow incoming SSH" -j ACCEPT
-A INPUT -p tcp -m tcp --dport $$yourservice$$ COMMENT -j ACCEPT
IPv6
same, but
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 128 -m comment --comment "Allow incoming IPv6 PING" -j ACCEPT
apt-get update
apt-get install iptables-persistent
cat /etc/iptables/rules.v4
cat /etc/iptables/rules.v6
systemctl list-unit-files | grep pers
HOW DO YOU SAVE CHANGES !!!????!!!!
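The ruleset above as a script, an added example that is not part of these notes: it writes both tables in iptables-save format to /etc/iptables/rules.v4 and rules.v6 (the two files iptables-persistent loads at boot), adds the ICMPv6 Neighbour Discovery types that a DROP policy otherwise blocks, and loads them. The optional extra TCP service argument is an assumption.

```shell
#!/bin/sh
# Added example, not part of the original notes: write the ruleset above in
# iptables-save format to the two files iptables-persistent loads at boot,
# then load them. Assumed: SSH on port 22, one optional extra TCP service.
set -eu

common_input() {   # $1 = extra TCP port (optional), $2 = its comment
  printf '%s\n' '-A INPUT -i lo -m comment --comment "Allow local communication WITHIN this server" -j ACCEPT'
  printf '%s\n' '-A INPUT -m state --state RELATED,ESTABLISHED -m comment --comment "Return traffic from OUR packets" -j ACCEPT'
  printf '%s\n' '-A INPUT -p tcp --dport 22 -m comment --comment "Allow incoming SSH" -j ACCEPT'
  if [ -n "${1:-}" ]; then
    printf '%s\n' "-A INPUT -p tcp --dport $1 -m comment --comment \"Allow ${2:-service}\" -j ACCEPT"
  fi
}

table_header() {   # same policies as "iptables -S" shows above
  printf '%s\n' '*filter' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]'
}

gen_rules_v4() {   # contents of /etc/iptables/rules.v4
  table_header
  common_input "$@"
  printf '%s\n' '-A INPUT -p icmp --icmp-type 8 -m comment --comment "Allow incoming PING" -j ACCEPT'
  echo COMMIT
}

gen_rules_v6() {   # contents of /etc/iptables/rules.v6
  table_header
  common_input "$@"
  printf '%s\n' '-A INPUT -p ipv6-icmp --icmpv6-type 128 -m comment --comment "Allow incoming IPv6 PING" -j ACCEPT'
  # Neighbour Discovery (RS/RA/NS/NA) must pass or the DROP policy breaks IPv6:
  # "ip neigh" never reaches REACHABLE and the RA-learned default route is lost.
  for t in 133 134 135 136; do
    printf '%s\n' "-A INPUT -p ipv6-icmp --icmpv6-type $t -m comment --comment \"IPv6 ND type $t\" -j ACCEPT"
  done
  echo COMMIT
}

install_rules() {   # run as root; these are the files iptables-persistent restores at boot
  gen_rules_v4 "$@" > /etc/iptables/rules.v4
  gen_rules_v6 "$@" > /etc/iptables/rules.v6
  iptables-restore  < /etc/iptables/rules.v4
  ip6tables-restore < /etc/iptables/rules.v6
}

# Usage: sh fw.sh install [PORT "comment"]   e.g.  sh fw.sh install 443 "Allow HTTPS"
if [ "${1:-}" = install ]; then shift; install_rules "$@"; fi
```

Later hand-edits made with iptables/ip6tables are persisted with netfilter-persistent save, which dumps the live ruleset into the same two files.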
Change to
no root login
Banner /etc/motd <-- \n\n KEEP OUT !! Property of Cisco Academy Network Program (CNAP) \n\n
MaxTries variable in the sshd_config file. Default: MaxStartups 10
error: BAD CHOICE - DON'T //Robert
Reduce the maximum amount of time allowed to successfully log in before disconnecting. The default of 2 minutes is too much time to hold open an unauthenticated connection attempt (see above); 30 seconds is more than enough time to log in:
Latest attempt; still not good enough…
LoginGraceTime 2m
PermitRootLogin no
StrictModes yes
MaxAuthTries 2
MaxSessions 2
MaxStartups 3:100:4
PerSourceMaxStartups 2
PerSourceNetBlockSize 24:64
apt install bind9 bind9utils bind9-doc
nano /etc/default/named
==named.conf.options ===========================
acl "slaves" {
193.10.198.34; //ns1
193.10.199.95; //ns2
};
acl "hv-nets" {
193.10.188.0/22;
193.10.192.0/20;
193.10.234.0/23;
193.10.236.0/23;
212.25.132.0/23;
192.168.0.0/16;
};
options {
directory "/var/cache/bind";
// If there is a firewall between you and nameservers you want
// to talk to, you may need to fix the firewall to allow multiple
// ports to talk. See http://www.kb.cert.org/vuls/id/800113
// If your ISP provided one or more IP addresses for stable
// nameservers, you probably want to use them as forwarders.
// Uncomment the following block, and insert the addresses replacing
// the all-0's placeholder.
// forwarders {
// 0.0.0.0;
// };
//========================================================================
// If BIND logs error messages about the root key being expired,
// you will need to update your keys. See https://www.isc.org/bind-keys
//========================================================================
dnssec-validation no;
recursion yes;
allow-recursion { hv-nets; };
listen-on-v6 { any; };
};
===named.conf.local ==========================================================
//
// Do any local configuration here
//
// Consider adding the 1918 zones here, if they are not used in your
// organization
// include "/etc/bind/zones.rfc1918";
include "/etc/bind/named.conf.log";
zone "cnap.hv.se" {
type master;
file "/etc/bind/db.cnap.hv.se";
also-notify { 193.10.198.34; 193.10.199.95; };
allow-query { any; };
allow-transfer { slaves; hv-nets; };
allow-update { none; };
};
===db.cnap.hv.se ============================================
cnap.hv.se. 3600 IN SOA ns1.hv.se. nic.cnap.hv.se. 2024101501 3600 604800 300 1800
cnap.hv.se. 3600 IN LOC 58 16 57.481 N 12 17 28.441 E 50.00m 10m 10m 10m
cnap.hv.se. 3600 IN NS ns1.hv.se.
cnap.hv.se. 3600 IN NS ns2.hv.se.
cnap.hv.se. 3600 IN MX 10 lmail01.server.hv.se.
cnap.hv.se. 3600 IN A 193.10.203.20
;cnap.hv.se. 3600 IN AAAA 2001:6b0:1d:10::19
; external routed interface towards IT-enheten
brouter-gi01.cnap.hv.se. 3600 IN A 193.10.191.162
; VLAN 10 == 193.10.203.1/27 (last usable 193.10.203.30)
alfa.cnap.hv.se. 3600 IN A 193.10.203.11
compute-b-ipmi.cnap.hv.se. 3600 IN A 193.10.203.15
cml.cnap.hv.se. 3600 IN A 193.10.203.16
ciscomodelinglabs 3600 IN CNAME cml.cnap.hv.se.
wlc-sp.cnap.hv.se. 3600 IN A 193.10.203.17
wlc 3600 IN CNAME wlc-sp.cnap.hv.se.
wlc1.cnap.hv.se. 3600 IN A 193.10.203.18
catch-up6.cnap.hv.se. 3600 IN AAAA 2001:6b0:1d:10::19
catch-up.cnap.hv.se. 3600 IN A 193.10.203.19
;lines below temporary for test of new catch-up system
;will only use wiki.cnap.hv.se in prod. /Simon
catch-up2.cnap.hv.se. 3600 IN A 193.10.203.20
wiki.cnap.hv.se. 3600 IN A 193.10.203.20
wiki.cnap.hv.se. 3600 IN TXT "malicious commands;here"
;legacycnap.hv.se 3600 IN A 193.10.203.19
netbox.cnap.hv.se. 3600 IN A 193.10.203.20
qnap-b215.cnap.hv.se. 3600 IN A 193.10.203.21
ymca.cnap.hv.se. 3600 IN A 193.10.203.23
ehp600.cnap.hv.se. 3600 IN A 193.10.203.24
;database.cnap.hv.se. 3600 IN A 193.10.203.28
; database deleted - scream test - unknown /Robert
; ;;;;;;;;;;
; Private addresses below
; ;;;;;;;;;;
frankenstein.cnap.hv.se. 3600 IN A 192.168.17.20
leaf-d204c.cnap.hv.se. 3600 IN A 192.168.17.21
leaf-d204f.cnap.hv.se. 3600 IN A 192.168.17.22
vcenter-b.cnap.hv.se. 3600 IN A 192.168.17.35
vcenter-b-temp.cnap.hv.se. 3600 IN A 192.168.17.40
gammal.cnap.hv.se. 3600 IN A 192.168.18.18
hercules.cnap.hv.se. 3600 IN A 192.168.18.10
hercules-ipmi.cnap.hv.se. 3600 IN A 192.168.17.63
; placeholder titan 192.168.18.11
; placeholder titan-ipmi 192.168.17.65
radia.cnap.hv.se. 3600 IN A 192.168.18.41
radia-ipmi.cnap.hv.se. 3600 IN A 192.168.17.41
vint.cnap.hv.se. 3600 IN A 192.168.18.42
vint-ipmi.cnap.hv.se. 3600 IN A 192.168.17.42
kirk.cnap.hv.se. 3600 IN A 192.168.18.43
kirk-ipmi.cnap.hv.se. 3600 IN A 192.168.17.43
proxmox3.cnap.hv.se. 3600 IN A 192.168.18.41
proxmox3.cnap.hv.se. 3600 IN A 192.168.18.42
proxmox3.cnap.hv.se. 3600 IN A 192.168.18.43
esxi-h1.cnap.hv.se. 3600 IN A 192.168.17.51
esxi-h2.cnap.hv.se. 3600 IN A 192.168.17.52
esxi-h3.cnap.hv.se. 3600 IN A 192.168.17.53
esxi-h4.cnap.hv.se. 3600 IN A 192.168.17.54
esxi-h5.cnap.hv.se. 3600 IN A 192.168.17.55
esxi-h6.cnap.hv.se. 3600 IN A 192.168.17.56
kraken.cnap.hv.se. 3600 IN A 192.168.17.60
kraken-ipmi.cnap.hv.se. 3600 IN A 192.168.17.61
snoopy-ipmi.cnap.hv.se. 3600 IN A 192.168.17.66
woodstock-ipmi.cnap.hv.se. 3600 IN A 192.168.17.67
charlie-ipmi.cnap.hv.se. 3600 IN A 192.168.17.68
ssm.cnap.hv.se. 3600 IN A 192.168.17.100
node1-ipmi.cnap.hv.se. 3600 IN A 192.168.17.101
node2-ipmi.cnap.hv.se. 3600 IN A 192.168.17.102
node3-ipmi.cnap.hv.se. 3600 IN A 192.168.17.103
node4-ipmi.cnap.hv.se. 3600 IN A 192.168.17.104
node5-ipmi.cnap.hv.se. 3600 IN A 192.168.17.105
node6-ipmi.cnap.hv.se. 3600 IN A 192.168.17.106
node7-ipmi.cnap.hv.se. 3600 IN A 192.168.17.107
node8-ipmi.cnap.hv.se. 3600 IN A 192.168.17.108
node9-ipmi.cnap.hv.se. 3600 IN A 192.168.17.109
node10-ipmi.cnap.hv.se. 3600 IN A 192.168.17.110
node11-ipmi.cnap.hv.se. 3600 IN A 192.168.17.111
node12-ipmi.cnap.hv.se. 3600 IN A 192.168.17.112
node13-ipmi.cnap.hv.se. 3600 IN A 192.168.17.113
node14-ipmi.cnap.hv.se. 3600 IN A 192.168.17.114
node15-ipmi.cnap.hv.se. 3600 IN A 192.168.17.115
node16-ipmi.cnap.hv.se. 3600 IN A 192.168.17.116
node17-ipmi.cnap.hv.se. 3600 IN A 192.168.17.117
node18-ipmi.cnap.hv.se. 3600 IN A 192.168.17.118
node19-ipmi.cnap.hv.se. 3600 IN A 192.168.17.119
node20-ipmi.cnap.hv.se. 3600 IN A 192.168.17.120
node21-ipmi.cnap.hv.se. 3600 IN A 192.168.17.121
node22-ipmi.cnap.hv.se. 3600 IN A 192.168.17.122
node23-ipmi.cnap.hv.se. 3600 IN A 192.168.17.123
node24-ipmi.cnap.hv.se. 3600 IN A 192.168.17.124
modermaskin-1.cnap.hv.se. 3600 IN A 192.168.20.201
modermaskin-2.cnap.hv.se. 3600 IN A 192.168.20.202
modermaskin-3.cnap.hv.se. 3600 IN A 192.168.20.203
modermaskin-4.cnap.hv.se. 3600 IN A 192.168.20.204
modermaskin-5.cnap.hv.se. 3600 IN A 192.168.20.205
modermaskin-6.cnap.hv.se. 3600 IN A 192.168.20.206
modermaskin-7.cnap.hv.se. 3600 IN A 192.168.20.207
modermaskin-8.cnap.hv.se. 3600 IN A 192.168.20.208
modermaskin-9.cnap.hv.se. 3600 IN A 192.168.20.209
modermaskin-10.cnap.hv.se. 3600 IN A 192.168.20.210
modermaskin-11.cnap.hv.se. 3600 IN A 192.168.20.211
modermaskin-12.cnap.hv.se. 3600 IN A 192.168.20.212
modermaskin-13.cnap.hv.se. 3600 IN A 192.168.20.213
modermaskin-14.cnap.hv.se. 3600 IN A 192.168.20.214
modermaskin-15.cnap.hv.se. 3600 IN A 192.168.20.215
modermaskin-16.cnap.hv.se. 3600 IN A 192.168.20.216
modermaskin-17.cnap.hv.se. 3600 IN A 192.168.20.217
modermaskin-18.cnap.hv.se. 3600 IN A 192.168.20.218
modermaskin-19.cnap.hv.se. 3600 IN A 192.168.20.219
modermaskin-20.cnap.hv.se. 3600 IN A 192.168.20.220
modermaskin-21.cnap.hv.se. 3600 IN A 192.168.20.221
modermaskin-22.cnap.hv.se. 3600 IN A 192.168.20.222
modermaskin-23.cnap.hv.se. 3600 IN A 192.168.20.223
modermaskin-24.cnap.hv.se. 3600 IN A 192.168.20.224
group0-vcenter.cnap.hv.se. 3600 IN A 192.168.20.200
group1-vcenter.cnap.hv.se. 3600 IN A 192.168.20.100
group2-vcenter.cnap.hv.se. 3600 IN A 192.168.20.110
group3-vcenter.cnap.hv.se. 3600 IN A 192.168.20.120
group4-vcenter.cnap.hv.se. 3600 IN A 192.168.20.130
group5-vcenter.cnap.hv.se. 3600 IN A 192.168.20.140
group6-vcenter.cnap.hv.se. 3600 IN A 192.168.20.150
group7-vcenter.cnap.hv.se. 3600 IN A 192.168.20.160
group8-vcenter.cnap.hv.se. 3600 IN A 192.168.20.170
cnap-b112c.cnap.hv.se. IN A 192.168.17.4
cnap-b113h.cnap.hv.se. IN A 192.168.17.5
cnap-b114e.cnap.hv.se. IN A 192.168.17.6
cnap-b114b.cnap.hv.se. IN A 192.168.17.7
cnap-b118d.cnap.hv.se. IN A 192.168.17.8
cnap-b125c.cnap.hv.se. IN A 192.168.17.9
cnap-b123b.cnap.hv.se. IN A 192.168.17.13
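A lint for the zone file above, added here and not part of the original notes: named-checkzone cnap.hv.se /etc/bind/db.cnap.hv.se validates the syntax but treats an owner or CNAME/NS/MX target without a trailing dot as a valid relative name (it simply appends the origin), so this awk pass flags exactly those lines. The sample zone embedded in it is constructed.

```shell
#!/bin/sh
# Added example, not part of the original notes: catch the zone-file slip that
# named-checkzone accepts silently. An owner or target that contains dots but
# lacks the trailing dot is relative to the origin, so a line such as
# "host.cnap.hv.se 3600 IN A ..." defines host.cnap.hv.se.cnap.hv.se and the
# intended name quietly gets no record.
set -eu

zone_lint() {   # $1 = zone file, $2 = origin; prints one line per finding
  awk -v origin="$2" '
    function relative(n) { return n ~ /\./ && n !~ /\.$/ && n != "@" }
    /^[ \t]*;/ || NF == 0 || /^\$/ { next }      # comments, blank lines, $TTL/$ORIGIN
    {
      if (relative($1))
        printf "%s:%d: owner %s is relative; as written it is %s.%s.\n", FILENAME, NR, $1, $1, origin
      type = ""; target = ""
      for (i = 2; i <= NF; i++)
        if ($i == "IN") { type = $(i+1); target = (type == "MX") ? $(i+3) : $(i+2); break }
      if ((type == "CNAME" || type == "NS" || type == "MX") && relative(target))
        printf "%s:%d: %s target %s is relative; as written it is %s.%s.\n", FILENAME, NR, type, target, target, origin
    }' "$1"
}

make_sample_zone() {   # constructed sample reproducing the two slips seen in db.cnap.hv.se above
  f=$(mktemp)
  cat > "$f" <<'EOF'
cnap.hv.se. 3600 IN SOA ns1.hv.se. nic.cnap.hv.se. 2024101501 3600 604800 300 1800
cnap.hv.se. 3600 IN NS ns1.hv.se.
alfa.cnap.hv.se. 3600 IN A 193.10.203.11
compute-b-ipmi.cnap.hv.se 3600 IN A 193.10.203.15
cml.cnap.hv.se. 3600 IN A 193.10.203.16
ciscomodelinglabs 3600 IN CNAME cml.cnap.hv.se
EOF
  echo "$f"
}

# Usage on the real file:  zone_lint /etc/bind/db.cnap.hv.se cnap.hv.se
```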