
Computer Classroom Mass Restore System Setup SOP (Classroom I2511 as the Example)


Presentation Transcript


  1. Computer Classroom Mass Restore System Setup SOP (Classroom I2511 as the Example)
     Team members: 徐啟閎 林啟哲 李 平 李承鴻

  2. Setup procedure (outline)

  3. Setup procedure (outline)

  4. Overview of the services used
     • DHCP: assigns IP addresses to the client machines
     • DNS: works together with DHCP so that IP addresses and host names map to each other
     • TFTP: delivers the PXE files and the kernel files needed to boot to the clients
     • NFS: the clients fetch ks.cfg and the files needed for the rest of the system installation from it
     • squid: provides the proxy
     • HTTP: lets the sarg software work

  5. Server disk partition table

  6. Client disk partition table

  7. Server setup procedure

  8. Server setup procedure
     • 1. Install CentOS 5.5
       • No graphical interface is needed
     • 2. Decide the partition layout
       • Command: fdisk /dev/sda
       • sda1 1G boot
       • sda2 140G /home
       • sda3 10G /

  9. Server setup procedure: network and hostname
     3. Set the IP addresses
     • vim /etc/sysconfig/network-scripts/ifcfg-eth0
       IP: 120.114.140.189
       NETMASK: 255.255.255.192
       GATEWAY: 120.114.140.190
     • vim /etc/sysconfig/network-scripts/ifcfg-eth1
       IP: 192.168.25.254
       NETMASK: 255.255.255.0
     4. Set the hostname
     • vim /etc/sysconfig/network
       HOSTNAME=i2511.dic.ksu
     5. Set the name servers
     • vim /etc/resolv.conf
       nameserver 120.114.150.1
       nameserver 120.114.100.1

  10. Server setup procedure
      6. Update the system
      • yum clean all
      • yum update
      7. Install the required packages
      • setroubleshoot: yum install setroubleshoot
      • DHCP: yum install dhcp
      • DNS: yum install bind; yum install caching-nameserver; yum install bind-chroot
      • TFTP: yum install tftp; yum install tftp-server
      • web server: yum install httpd; yum install php; yum install mysql
      • squid: yum install squid

  11. Server setup procedure
      8. Configure SELinux
      • vim /etc/selinux/config
        SELINUX=permissive    <<< change to permissive (the original value is enforcing)
      9. Configure DHCP
      • /etc/sysconfig/dhcpd
        # Command line options here
        DHCPDARGS=eth1
      • /etc/dhcpd.conf (contents on the next slide)

  12. dhcpd.conf contents
      #
      # DHCP Server Configuration file.
      #   see /usr/share/doc/dhcp*/dhcpd.conf.sample
      #
      #1.
      ddns-update-style none;
      default-lease-time 259200;
      max-lease-time 518400;
      option routers 192.168.25.254;
      option broadcast-address 192.168.25.255;
      option domain-name-servers 192.168.25.254;
      #2.
      subnet 192.168.25.0 netmask 255.255.255.0 {
          range 192.168.25.1 192.168.25.100;
          option subnet-mask 255.255.255.0;
          option domain-name "i2511.dic.ksu";
          next-server 192.168.25.254;
          filename "/pxelinux.0";
          host station1.i2511.dic.ksu {
              hardware ethernet 00:1B:78:4F:FF:3E;
              fixed-address 192.168.25.1;
          }
          host station2.i2511.dic.ksu {
              hardware ethernet 00:1B:78:4F:FF:CE;
              fixed-address 192.168.25.2;
          }
          host station3.i2511.dic.ksu {
              hardware ethernet 00:1B:78:4F:FF:34;
              fixed-address 192.168.25.3;
          }
      }
      Fill in the MAC address of each classroom machine and the IP address it maps to.

  13. Server setup procedure
      10. Configure DNS
      • /var/named/chroot/etc/named.conf      DNS main configuration file
      • ./var/named/named.192.168.25          reverse zone (relative to the chroot)
      • ./var/named/named.i2511.dic.ksu       forward zone (relative to the chroot)

  14. named.conf contents
      options {
          directory "/var/named";
          dump-file "/var/named/data/cache_dump.db";
          statistics-file "/var/named/data/named_stats.txt";
          pid-file "/var/run/named/named.pid";
          ##
          # memstatistics-file "/var/named/data/named_mem_stats.txt";
          allow-query { any; };
          allow-transfer { none; };
          ##
          # allow-query-cache { localhost; };
      };
      zone "." {
          type hint;
          file "named.ca";
      };
      zone "i2511.dic.ksu" {                # forward zone
          type master;
          file "named.i2511.dic.ksu";
      };
      zone "25.168.192.in-addr.arpa" {      # reverse zone
          type master;
          file "named.192.168.25";
      };

  15. named.i2511.dic.ksu contents
      $TTL 600
      @          IN SOA @ root (20110125 3H 1H 1W 1D)
      @          IN NS  @
      @          IN A   192.168.25.254
      station1   IN A   192.168.25.1
      station2   IN A   192.168.25.2
      station3   IN A   192.168.25.3
      station4   IN A   192.168.25.4
      station5   IN A   192.168.25.5
      station6   IN A   192.168.25.6
      station7   IN A   192.168.25.7
      station8   IN A   192.168.25.8
      station9   IN A   192.168.25.9
      station10  IN A   192.168.25.10
      station11  IN A   192.168.25.11
      station12  IN A   192.168.25.12
      station13  IN A   192.168.25.13
      station14  IN A   192.168.25.14
      station15  IN A   192.168.25.15
      station16  IN A   192.168.25.16
      station17  IN A   192.168.25.17
      station18  IN A   192.168.25.18
      station19  IN A   192.168.25.19
      station20  IN A   192.168.25.20

  16. named.192.168.25 contents
      $TTL 600
      @    IN SOA i2511.dic.ksu. root.i2511.dic.ksu. (
               2010021101 28800 14400 3600000 86400 )
      @    IN NS  i2511.dic.ksu.
      254  IN PTR i2511.dic.ksu.
      1    IN PTR station1.i2511.dic.ksu.
      2    IN PTR station2.i2511.dic.ksu.
      3    IN PTR station3.i2511.dic.ksu.
      4    IN PTR station4.i2511.dic.ksu.
      5    IN PTR station5.i2511.dic.ksu.
      6    IN PTR station6.i2511.dic.ksu.
      7    IN PTR station7.i2511.dic.ksu.
      8    IN PTR station8.i2511.dic.ksu.
      9    IN PTR station9.i2511.dic.ksu.
      10   IN PTR station10.i2511.dic.ksu.
      11   IN PTR station11.i2511.dic.ksu.
      12   IN PTR station12.i2511.dic.ksu.
      13   IN PTR station13.i2511.dic.ksu.
      14   IN PTR station14.i2511.dic.ksu.
      15   IN PTR station15.i2511.dic.ksu.
      16   IN PTR station16.i2511.dic.ksu.
      17   IN PTR station17.i2511.dic.ksu.
      18   IN PTR station18.i2511.dic.ksu.
      19   IN PTR station19.i2511.dic.ksu.
      20   IN PTR station20.i2511.dic.ksu.

  17. Server setup procedure
      11. Configure TFTP
      • TFTP configuration file: /etc/xinetd.d/tftp
      # default: off
      # description: The tftp server serves files using the trivial file transfer \
      #       protocol.  The tftp protocol is often used to boot diskless \
      #       workstations, download configuration files to network-aware printers, \
      #       and to start the installation process for some operating systems.
      service tftp
      {
          disable         = no
          socket_type     = dgram
          protocol        = udp
          wait            = yes
          user            = root
          server          = /usr/sbin/in.tftpd
          # /data/tftpboot is the TFTP shared directory
          server_args     = -s /data/tftpboot
          per_source      = 11
          cps             = 100 2
          flags           = IPv4
      }

  18. Server setup procedure
      12. Configure NFS
      NFS configuration file: /etc/exports
      /data/iso                    192.168.25.0/24(rw,sync)
      /data/restore                192.168.25.0/24(rw,sync)
      /data/kickstart              192.168.25.0/24(ro,sync)
      /data/tftpboot               192.168.25.0/24(ro,sync)
      /data/tftpboot/pxelinux.cfg  192.168.25.0/24(rw,sync)

  19. Server setup procedure
      • Pin the NFS ports
      • Edit /etc/sysconfig/nfs
        RQUOTAD_PORT=901
        RPCRQUOTADOPTS="901"
        LOCKD_TCPPORT=902
        LOCKD_UDPPORT=902
        MOUNTD_PORT=903
        STATDARG="904"
        STATD_PORT=904

  20. Server setup procedure
      13. Build the RAID
      • Use fdisk to create the partitions shown below
      • mdadm --detail    shows the RAID status
      • mdadm --create --auto=yes /dev/md0 --raid-devices=2 --level=0 /dev/sda5 /dev/sdb5
      • mdadm --create --auto=yes /dev/md1 --raid-devices=2 --level=0 /dev/sda5 /dev/sdb5
      • Edit /etc/fstab so the arrays are mounted automatically at boot
      • vim /etc/fstab
        /dev/md0  /data   ext3  defaults  1 2
        /dev/md1  /proxy  ext3  defaults  1 2
      • The arrays also have to be written into mdadm's configuration file before the setup is complete
      • vim /etc/mdadm.conf
        ARRAY /dev/md0 UUID=08f97298:432e6d90:09b192ff:ecd30200
        ARRAY /dev/md1 UUID=e09247d3:0c2f54b6:068e87ab:fe78a3ad
      • How to look up the UUIDs
      • mdadm --detail /dev/md0 | grep --color=auto 'UUID'
      • mdadm --detail /dev/md1 | grep --color=auto 'UUID'

  21. Server setup procedure: layout of /data (permissions in parentheses)
      /data (d755)
      ├── iso (d755)
      │   └── network-install.iso (-644)
      ├── kickstart (d755)
      │   └── ks.cfg (-755)
      ├── restore (d755)
      │   ├── images (d777)
      │   │   └── i2511 (d777)
      │   │       ├── dcms_i2511_class1.img (-644)
      │   │       ├── dcms_i2511_class2.img (-644)
      │   │       ├── dcms_i2511_data.img (-644)
      │   │       ├── dcms_i2511_sda7.img (-644)
      │   │       ├── dcms_i2511_win7.img (-644)
      │   │       └── dcms_i2511_newxp.img (-644)
      │   ├── scripts (d755)
      │   │   ├── dcms_first_rewrite.sh (-644)
      │   │   ├── dcms_menu.sh (-644)
      │   │   ├── dcms_restore.sh (-644)
      │   │   └── firewall.sh (-644)
      │   └── software (d755)
      │       ├── partimage-0.6.6-1.fc7.rf.i386.rpm (-755)
      │       ├── partimage-0.6.6-1.e15.rf.x86_64.rpm (-755)
      │       └── udpcast-20091230-1.i386.rpm (-644)
      └── tftpboot (d755)
          ├── pxelinux.0 (-644)
          ├── kernel (d755)
          │   ├── initrd.img (-644)
          │   └── vmlinuz (-755)
          └── pxelinux.cfg (d777)
              ├── default (-644)
              ├── pxe_menu.sh (-644)
              ├── pxe_more.sh (-644)
              ├── pxe_script.sh (-644)
              └── pxe_wol.sh (-644)

  22. Server setup procedure: edit the kickstart script
      • /data/kickstart/ks.cfg
      • nfs --server=192.168.25.254 --dir=/data/iso                              (line 5)
      • mount -t nfs 192.168.25.254:/data/restore /server                        (line 51)
      • mount -t nfs 192.168.25.254:/data/tftpboot/pxelinux.cfg /server          (line 66)

  23. Server setup procedure: edit the restore scripts
      • /data/restore/scripts/dcms_first_rewrite.sh
        mou=192.168.${domain}.254:/data/restore      change the mount point path (line 29)
      • /data/restore/scripts/dcms_menu.sh
        mou=192.168.${domain}.254:/data/restore      (line 24)
      • /data/restore/scripts/dcms_restore.sh
        mou=192.168.${domain}.254:/data/restore      (line 33)

  24. Server setup procedure: edit the PXE scripts
      • /data/tftpboot/pxelinux.cfg/pxe_menu.sh, from line 12:
        /usr/bin/sudo /bin/sh /data/tftpboot/pxelinux.cfg/pxe_script.sh ${num}
        sleep 1s
        ############################ wol ###########################
        /usr/bin/sudo /bin/sh /data/tftpboot/pxelinux.cfg/pxe_wol.sh ${num}
        sleep 1s
      • /data/tftpboot/pxelinux.cfg/pxe_more.sh:
        for num in $(seq 1 19)    # classroom PC numbers
        do
            sh /data/tftpboot/pxelinux.cfg/pxe_script.sh $num
            sleep 1s
            sh /data/tftpboot/pxelinux.cfg/pxe_wol.sh $num
            sleep 1s
        done

  25. Server setup procedure: edit the PXE scripts (continued)
      • /data/tftpboot/pxelinux.cfg/pxe_script.sh
        case $1 in
            "1") pxedata='01-00-1b-78-4f-ff-3e' ;;
            "2") pxedata='01-00-1b-78-4f-ff-ce' ;;
        esac
        Add one entry per station with its MAC address and number, in order.
      • /data/tftpboot/pxelinux.cfg/pxe_wol.sh
        case $1 in
            "1") /usr/bin/sudo /sbin/ether-wake -i eth1 00:1B:78:4F:FF:3E ;;
            "2") /usr/bin/sudo /sbin/ether-wake -i eth1 00:1B:78:4F:FF:CE ;;
        esac
        Add one entry per station with its MAC address and number, in order.
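The station number, MAC address and IP address of each machine are typed by hand into dhcpd.conf (slide 12), the forward and reverse zone files (slides 15 and 16) and pxe_script.sh / pxe_wol.sh (slide 25). As an added example that is not part of the original SOP, this POSIX shell script renders all of those entries from one station table, so a typo cannot leave the files disagreeing; the table is constructed sample data using the three MACs from the slides, and the domain and subnet are the SOP's own.

```shell
#!/bin/sh
# Added example, not part of the original SOP: generate every per-station
# entry (dhcpd host stanza, DNS A/PTR records, pxelinux.cfg file name)
# from ONE table so the mappings cannot drift apart between files.
# Constructed sample table "number MAC"; MACs are the ones on the slides.
STATIONS='1 00:1B:78:4F:FF:3E
2 00:1B:78:4F:FF:CE
3 00:1B:78:4F:FF:34'
DOMAIN=i2511.dic.ksu
NET=192.168.25

# pxelinux looks for pxelinux.cfg/01-<mac in lower case, dash separated>
pxe_cfg_name() {
    printf '01-%s\n' "$(printf '%s' "$1" | tr 'A-Z:' 'a-z-')"
}

# dhcpd.conf host stanza: this MAC always receives stationN's fixed address
dhcp_host() {
    printf 'host station%s.%s { hardware ethernet %s; fixed-address %s.%s; }\n' \
        "$1" "$DOMAIN" "$2" "$NET" "$1"
}

# forward (A) and reverse (PTR) records for the same station
dns_a()   { printf 'station%s IN A %s.%s\n' "$1" "$NET" "$1"; }
dns_ptr() { printf '%s IN PTR station%s.%s.\n' "$1" "$1" "$DOMAIN"; }

# accept only a well-formed colon-separated MAC before it reaches any file
valid_mac() {
    printf '%s' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# emit everything for every row; exit status 1 if any row is malformed
render_all() {
    rc=0
    printf '%s\n' "$STATIONS" | while read -r num mac; do
        if ! valid_mac "$mac"; then
            echo "station $num: bad MAC '$mac'" >&2
            exit 1          # leaves the pipeline with status 1
        fi
        dhcp_host "$num" "$mac"
        dns_a "$num"
        dns_ptr "$num"
        printf 'pxelinux.cfg/%s\n' "$(pxe_cfg_name "$mac")"
    done || rc=1
    return $rc
}
```

Run `render_all` and paste each kind of line into the matching file; a bad row aborts the run instead of producing a half-correct set of configs.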

  26. Server setup procedure: configure squid
      • Create the following files under /etc/squid
        • game_url (mode 666)
        • web_url (mode 666)
        • pc_mac (mode 666)
      • Edit the squid configuration file
        • vim /etc/squid/squid.conf    (from line 574)
      acl all src 0.0.0.0/0.0.0.0
      acl dicip src 192.168.25.0/24
      acl dicdn dstdomain tw.yahoo.com tw.google.com tw.msn.com
      acl manager proto cache_object
      acl localhost src 127.0.0.1/255.255.255.255
      acl to_localhost dst 127.0.0.0/8
      acl SSL_ports port 443
      acl Safe_ports port 80          # http
      acl Safe_ports port 21          # ftp
      acl Safe_ports port 443         # https
      acl Safe_ports port 70          # gopher
      acl Safe_ports port 210         # wais
      acl Safe_ports port 1025-65535  # unregistered ports
      acl Safe_ports port 280         # http-mgmt
      acl Safe_ports port 488         # gss-http
      acl Safe_ports port 591         # filemaker
      acl Safe_ports port 777         # multiling http
      acl CONNECT method CONNECT
      acl gameurl url_regex "/etc/squid/game_url"
      http_access deny gameurl
      acl weburl url_regex "/etc/squid/web_url"
      http_access deny weburl
      acl pcmac arp "/etc/squid/pc_mac"
      http_access deny pcmac

  27. Server setup procedure
      • squid.conf contents (continued)
      http_access allow dicip                              (line 618)
      http_access deny all
      http_access allow manager localhost                  (line 624)
      http_access deny manager
      http_access deny !Safe_ports                         (line 627)
      http_access deny CONNECT !SSL_ports                  (line 629)
      http_access allow localhost                          (line 645)
      http_access deny all
      icp_access deny all                                  (line 684)
      icp_access allow all
      http_port 3128 transparent                           (line 931)
      cache_peer proxy.ksu.edu.tw parent 3128 3130         (line 1462)
      hierarchy_stoplist cgi-bin ?                         (line 1551)
      cache_mem 0 MB                                       (line 1589)
      cache_dir ufs /var/spool/squid 500 16 256            (line 1796)
      cache_dir ufs /proxy/proxy1 100000 64 254
      cache_dir ufs /proxy/proxy2 100000 64 254
      cache_dir ufs /proxy/proxy3 100000 64 254
      cache_swap_low 75                                    (line 1855)
      cache_swap_high 90
      access_log /var/log/squid/access.log squid           (line 1961)
      cache_store_log /var/log/squid/store.log             (line 1987)
      pid_filename /var/run/squid.pid                      (line 2099)
      acl QUERY urlpath_regex cgi-bin \?                   (line 2386)
      cache deny QUERY
      refresh_pattern ^ftp:     1440  20%  10080           (line 2470)
      refresh_pattern ^gopher:  1440   0%   1440
      refresh_pattern .            0  20%   4320
      acl apache rep_header Server ^Apache                 (line 2665)
      broken_vary_encoding allow apache
      visible_hostname i2511.dic.ksu                       (line 3019)
      icp_port 3130                                        (line 3553)
      always_direct allow dicip dicdn                      (line 4019)
      allow_underscore on                                  (line 4101)
      coredump_dir /var/spool/squid                        (line 4445)

  28. Server setup procedure
      • Install sarg
      • wget http://www.sfr-fresh.com/unix/privat/sarg-2.3.1.tar.gz
      • yum install gcc
      • tar zxvf sarg-2.3.1.tar.gz
      • cd sarg-2.3.1
      • ./configure
      • make
      • make install

  29. Server setup procedure
      • Edit sarg.conf
      • vim /usr/local/etc/sarg.conf
      • sarg.conf contents
        language English                                   (line 30)
        access_log /var/log/squid/access.log               (line 37)
        title "I2511 SARG WEB"                             (line 56)
        output_dir /var/www/html/dcms/sarg                 (line 152)
        overwrite_report no                                (line 241)
        exclude_codes /usr/local/etc/exclude_codes         (line 282)
        max_elapsed 28800000                               (line 294)
        charset UTF-8                                      (line 372)
      • Run the command sarg to generate the report
      • The monitoring results can be viewed at http://120.114.140.189/dcms/sarg/
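The deny rules on slides 26 and 27 (gameurl, weburl, pcmac) only help if someone checks that they fire, and sarg's report on slide 29 is what the SOP uses for that. As an added example that is not part of the original SOP, this POSIX shell script reads the same `access_log ... squid` native format sarg consumes and reports, per client IP, the bytes served and the number of requests squid refused (logged as TCP_DENIED); the log lines are constructed sample data on the SOP's 192.168.25.0/24 network, and `example.test` hosts are placeholders.

```shell
#!/bin/sh
# Added example, not part of the original SOP: a small reviewer for the
# squid native access.log format that the SOP feeds to sarg. Per client
# IP it reports total bytes and how many requests were refused, so the
# operator can confirm the gameurl/weburl/pcmac deny rules take effect.
# Constructed sample log. Fields: timestamp elapsed client result/status
# bytes method URL ident hierarchy/peer content-type.
LOG='1296000000.123    45 192.168.25.1 TCP_MISS/200 5120 GET http://tw.yahoo.com/ - DIRECT/203.0.113.10 text/html
1296000001.456     2 192.168.25.1 TCP_DENIED/403 1450 GET http://game.example.test/ - NONE/- text/html
1296000002.789    80 192.168.25.2 TCP_MISS/200 20480 GET http://example.test/a.js - FIRST_UP_PARENT/proxy.ksu.edu.tw text/javascript
1296000003.000     1 192.168.25.2 TCP_DENIED/403 1450 CONNECT game.example.test:443 - NONE/- text/html
1296000004.000     1 192.168.25.2 TCP_DENIED/403 1450 GET http://web.example.test/ - NONE/- text/html'

# summarize: one line "client bytes denied" per client, sorted by client
summarize() {
    printf '%s\n' "$LOG" | awk '
        NF >= 10 {
            split($4, r, "/")          # r[1] = squid result, r[2] = HTTP status
            bytes[$3] += $5
            if (r[1] == "TCP_DENIED") denied[$3]++
            else denied[$3] += 0       # make sure the client has an entry
        }
        END { for (c in bytes) printf "%s %d %d\n", c, bytes[c], denied[c] }' | sort
}

# denied_count CLIENT: number of refused requests from one client (0 if none)
denied_count() {
    summarize | awk -v c="$1" '$1 == c { print $3; found = 1 }
                               END { if (!found) print 0 }'
}
```

Point `LOG` at `cat /var/log/squid/access.log` to run it against the real file; a client with a high denied count is one whose deny-list hits are worth looking at in the sarg report.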

  30. Server setup procedure: firewall script
      #########################################
      iptables -F
      iptables -X
      iptables -Z
      #########################################
      iptables -P INPUT DROP
      iptables -P OUTPUT ACCEPT
      iptables -P FORWARD ACCEPT
      #########################################
      iptables -A INPUT -i lo -j ACCEPT
      iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
      iptables -A INPUT -p icmp -j ACCEPT
      ##################### DNS ####################
      iptables -A INPUT -p udp --dport 53 -j ACCEPT
      iptables -A INPUT -p tcp --dport 53 -j ACCEPT
      iptables -A INPUT -p tcp --dport 953 -j ACCEPT
      ################## TFTP ######################
      iptables -A INPUT -i eth1 -p udp --dport 69 -j ACCEPT
      ################## DHCP ######################
      iptables -A INPUT -i eth1 -p udp --dport 67 -j ACCEPT
      #################### NFS #####################
      iptables -A INPUT -i eth1 -p udp --dport 111 -j ACCEPT
      iptables -A INPUT -i eth1 -p tcp --dport 111 -j ACCEPT
      iptables -A INPUT -i eth1 -p udp --dport 2049 -j ACCEPT
      iptables -A INPUT -i eth1 -p tcp --dport 2049 -j ACCEPT
      iptables -A INPUT -i eth1 -p udp --dport 901:904 -j ACCEPT
      iptables -A INPUT -i eth1 -p tcp --dport 901:904 -j ACCEPT
      #################### SSH #####################
      iptables -A INPUT -i eth1 -p tcp --dport 22 -j ACCEPT
      iptables -A INPUT -i eth0 -s 120.114.140.0/24 -p tcp --dport 22 -j ACCEPT
      iptables -A INPUT -i eth0 -s 120.114.141.0/24 -p tcp --dport 22 -j ACCEPT
      iptables -A INPUT -i eth0 -s 120.114.142.0/24 -p tcp --dport 22 -j ACCEPT
      #################### HTTP ####################
      iptables -A INPUT -p tcp --dport 80 -j ACCEPT
      #################### FTP #####################
      iptables -A INPUT -p tcp --dport 21 -j ACCEPT
      #################### NAT #####################
      iptables -t nat -F
      iptables -t nat -X
      iptables -t nat -Z
      iptables -t nat -P PREROUTING ACCEPT
      iptables -t nat -P POSTROUTING ACCEPT
      iptables -t nat -P OUTPUT ACCEPT
      iptables -t nat -A POSTROUTING -s 192.168.25.0/24 -o eth0 -j MASQUERADE
      ################### SQUID ####################
      iptables -A INPUT -i eth1 -p tcp --dport 3128 -j ACCEPT
      iptables -t nat -A PREROUTING -s 192.168.25.0/24 -d 120.114.140.189 -i eth1 -p tcp --dport 80 -j ACCEPT
      iptables -t nat -A PREROUTING -s 192.168.25.0/24 -d 192.168.25.254 -i eth1 -p tcp --dport 80 -j ACCEPT
      iptables -t nat -A PREROUTING -s 192.168.25.0/24 -p tcp --dport 80 -j REDIRECT --to-ports 3128
      ##############################################
      /etc/init.d/iptables save

  31. Server setup procedure
      • Restart all services and enable them at boot
      • /etc/init.d/network restart
      • /etc/init.d/dhcpd restart
      • chkconfig dhcpd on
      • /etc/init.d/xinetd restart    (TFTP service)
      • chkconfig xinetd on
      • /etc/init.d/named restart
      • chkconfig named on
      • /etc/init.d/nfs restart
      • chkconfig nfs on
      • /etc/init.d/httpd restart
      • chkconfig httpd on
      • /etc/init.d/squid restart
      • chkconfig squid on
      • /etc/init.d/setroubleshoot restart
      • chkconfig setroubleshoot on

  32. Server setup procedure: viewing the sarg results

  33. Other server settings
      • Block SSH login as root
      • vim /etc/ssh/sshd_config
        PermitRootLogin no    (line 39)    # root can no longer ssh in directly
      • Give the user dic sudo root privileges
      • Add the user dic with the password 123456
        useradd dic
        echo 123456 | passwd --stdin dic
      • Use the visudo command to edit the sudo configuration file
      • Find root ALL=(ALL) ALL    (line 76)
      • Add a line below it (e.g. vbird ALL=(ALL) ALL)
      • Let the server update itself every day
      • vim /etc/crontab
      • Add: 0 1 * * * root yum -y update && yum clean packages

  34. The end
