This is my sixth day of the August Challenge.

Preface

The previous article, “Operational thinking: a Cobbler unattended operation system installation standardization”, only standardized the hostname, network and disk partitioning of the operating system installation. That alone cannot be used directly in production, because many operating system settings still need to be configured and optimized. The next job is therefore to standardize the operating system configuration.

Approach

Let’s set aside the endless work at hand for a moment and recall the countless servers we have configured, and whether the configuration process looked something like this:

  • Yum repository (source) configuration

Ali mirror, 163 mirror, EPEL, etc.

  • Common installation tools

gcc, gcc-c++, cmake, wget, iftop, supervisor, etc.

  • Environment variable configuration

a. Terminal timeout duration; b. Optimized history (command record)

  • Disable SELinux
  • Create base directories
  • Create application users
  • NTP settings
  • Limits settings

a. File descriptors 65535; b. Number of processes 65535

  • SSHD security hardening

a. Change the port (the port stays at 22 during the testing phase); b. Disable root login

  • Agent installation
  • iptables

a. Disable iptables and the firewall; b. Or configure the firewall

  • Kernel parameter tuning
  • Startup items

rc.local needs mode 755; by default it lacks execute permission.

  • DNS settings
  • Security settings

Password complexity, and disabling unused services

These are the points that basic operating system configuration and optimization may involve, and I believe everyone has configured them. The question is: are we still doing this day to day, manually or with scripts, each in our own way, or have we extracted a specification, circulated automation across teams, and executed it in bulk on demand?

Yes, if the operations team is small, manual work or scripts can meet the configuration requirements. But once the team scales up, each person configures systems very differently because of their own understanding and habits. This is where the importance of configuration standardization shows. With automated operations tools, automation, batch configuration and on-demand configuration can all be realized.

System configuration specifications

For the specification, we still follow the uniform specification writing style and the principle of simple, clear and intuitive presentation; see “Operation and Maintenance Thinking: How to Generate Operation and Maintenance Specifications” for details. Of course, a specification is based on facts, and those have already been listed above; we only need to consolidate them as follows, covering these aspects:

  1. Users

    The server uses fixed users, including management users, application users and log users

  2. Software sources

    Installing basic components requires a unified software source

  3. Services to disable

    Disable unused services such as SELinux, iptables, Sendmail and Postfix in a unified manner

  4. Initial directories

    Create fixed initial directories, such as application, log and backup directories

  5. Limits and kernel parameters

  6. DNS and NTP

  7. Environment variables and command history

    Terminal timeout

    Command history recording and remote backup

  8. SSH optimization

    Disable root login

    Fix slow SSH logins

    Change the default port

  9. Security settings

    Password complexity and length

    Disable Ctrl+Alt+Delete and similar

To avoid an over-detailed specification adding extra burden to day-to-day operations work, we only list the main points here; the details can be seen in the automated deployment content, so that the specification and actual operation are effectively combined.

Configuration automation

Building on configuration standardization, the next step is implementing automation. To meet server demand, it is best to implement on-demand configuration: we can apply the complete configuration, but also apply just one configuration item. Therefore, the functions need to be partitioned in advance. Here we use Ansible to fully automate server configuration and implement on-demand configuration through tags.

Ansible playbook for configuration automation
vim os_init.yml
- hosts: "{{ host_ip }}"
  gather_facts: yes
  remote_user: root
  roles:
    - os_init

# Task list
vim roles/os_init/tasks/main.yml
# Each include carries a tag so one item can be run alone with `-t <tag>`; tag names follow the file names.
# (`include` is deprecated since Ansible 2.4; `import_tasks` is the static equivalent.)
- { include: user.yml,     tags: user }       # User management
- { include: repo.yml,     tags: repo }       # Yum repositories
- { include: init_pkg.yml, tags: init_pkg }   # Install the base components
- { include: profile.yml,  tags: profile }    # Environment variables
- { include: selinux.yml,  tags: selinux }    # SELinux
- { include: dir.yml,      tags: dir }        # Base directories
- { include: limits.yml,   tags: limits }     # System limits
- { include: iptables.yml, tags: iptables }   # Firewall
- { include: sysctl.yml,   tags: sysctl }     # Kernel parameters
- { include: rc.local.yml, tags: rc_local }   # Startup items
- { include: dns.yml,      tags: dns }        # DNS
- { include: ntp.yml,      tags: ntp }        # NTP
- { include: rsyslog.yml,  tags: rsyslog }    # Log synchronization
- { include: sshd.yml,     tags: sshd }       # SSH optimization
- { include: safe.yml,     tags: safe }       # Security configuration

# Complete server configuration
ansible-playbook -b -e host_ip=10.10.2.10 -v os_init.yml
# Add users individually using a tag
ansible-playbook -b -e host_ip=10.10.2.10 -v os_init.yml -t user
# Separate security configuration via a tag
ansible-playbook -b -e host_ip=10.10.2.10 -v os_init.yml -t safe

host_ip lets you run the playbook against a single server; the Ansible inventory (assets) lets you run it against servers in bulk.
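As an added example (not code from the original post), here is what one of the included task files, sshd.yml, could look like, written so the SSH points of the specification above (disable root login, fix slow logins, set the port) can be applied on their own with -t sshd. The role paths, the ssh_port and mgmt_user variables and the handler are assumptions.

```yaml
# roles/os_init/tasks/sshd.yml  (assumed path; example added here, not the post's code)
# Every task is tagged "sshd", so
#   ansible-playbook -b -e host_ip=10.10.2.10 -v os_init.yml -t sshd
# applies only the SSH part of the specification.
- name: Confirm the management user exists before root login is disabled
  # mgmt_user is an assumed variable; user.yml (run earlier by main.yml) creates it.
  # getent fails the play if the key is missing, so we cannot lock ourselves out.
  getent:
    database: passwd
    key: "{{ mgmt_user }}"
  tags: sshd

- name: Harden sshd_config (disable root login, fix slow logins, set port)
  lineinfile:
    path: /etc/ssh/sshd_config
    regexp: "{{ item.regexp }}"
    line: "{{ item.line }}"
    # sshd -t parses the candidate file first; a broken config is rejected
    # instead of being written and taking sshd down on restart.
    validate: "/usr/sbin/sshd -t -f %s"
  loop:
    - { regexp: '^#?PermitRootLogin\s',      line: 'PermitRootLogin no' }
    # reverse DNS and GSSAPI negotiation are the usual causes of slow logins
    - { regexp: '^#?UseDNS\s',               line: 'UseDNS no' }
    - { regexp: '^#?GSSAPIAuthentication\s', line: 'GSSAPIAuthentication no' }
    # ssh_port is an assumed variable; the spec keeps 22 during the testing phase
    - { regexp: '^#?Port\s',                 line: 'Port {{ ssh_port | default(22) }}' }
  notify: restart sshd
  tags: sshd
  # If ssh_port is changed, iptables.yml (and SELinux, where still enabled) must
  # allow the new port before the restart, or the host becomes unreachable.

---
# roles/os_init/handlers/main.yml  (assumed path)
- name: restart sshd
  service:
    name: sshd
    state: restarted
```

Because the playbook above logs in with remote_user: root, every run after this task has applied must connect as the management user instead (the -b flag already handles privilege escalation).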

Conclusion

With standardized installation and configuration of the operating system as the premise, the combination of Cobbler and Ansible automates the installation and configuration of the operating system, which solves basic operations work to a certain extent. Its deeper significance is that it effectively avoids production problems caused by inconsistent configuration parameters. This lays the foundation for further automation in the future.