2016年3月3日 星期四

Fedora 23 notes (not finished yet!)
# https://ask.fedoraproject.org/en/question/84212/grubx64efi-tftpboot-option-negotiation-failed-user-aborted-the-transmission/
# http://superuser.com/questions/1052455/grubx64-efi-tftpboot-option-negotiation-failed-user-aborted-the-transmission
# https://bugzilla.redhat.com/show_bug.cgi?id=1251600

#!/bin/bash

[Check list-status]
dhcp ipv4 ok
dhcp ipv6  Ping fail #https://www.ptt.cc/bbs/IPv6/M.1331661667.A.C61.html
tftp ok


CSM   IPv4  x86_x64 OK
uefi  IPv4  x86 NG
      IPv6  x64 NG

[Check list-Question]
how to configure dhcp.conf for PXE?

[Port]
tftp udp 68
dhcp udp 67
pxe udp 69

[command]
uname -r
netstat -nx
netstat -an |fgrep -w 67
chmod 675 folderName #r=4,w=2,x=1
chmod -R g=rw filename #[ugoa]=[rwx]
chgrp dhcpd
usermod -G groupName userName #join a user to group
useradd -G root admin #add a new user
http://linux.vbird.org/linux_basic/0210filepermission.php#chmod
cp -p -R
cat /proc/net/if_inet6
netstat -utlnp | grep named
/usr/sbin/dhcpd -6 -d -cf /etc/dhcp/dhcpd6.conf enp0s3

egrep "lease|hostname|hardware|\}" /var/lib/dhcpd/dhcpd.leases #dhcp list

chmod 675 -R /media/sf_ShareFolder
ln -s /media/sf_ShareFolder ./sf_ShareFolder
ln -s /etc/dhcp/dhcpd.conf ./dhcpd.conf
ln -s /etc/dhcp/dhcpd6.conf ./dhcpd6.conf
ln -s /var/lib/tftpboot ./tftpboot
ln -s /etc/radvd.conf .
ln -s /etc/dhcp6s.conf .
ln -s /etc/dhcp6c.conf .
ln -s /var/www/html ./html

dnf clean packages # remove cached packages

ausearch -m avc -ts recent
auditctl -w /etc/shadow -p w

Wireshark
ICMP, ICMPv6, DHCP, DHCPv6,TFTP
not nbns and not llmnr and not arp

[WLAN]
iwconfig
ifconfig wlp9s0 up

cat /var/log/messages #check system log

#!/bin/bash
#backup for fedora
tar -cizvf backup.tar.gz
#conf
/etc/radvd.conf
/etc/dhcp6s.conf
/etc/dhcp6c.conf
/etc/dhcp/dhcpd.conf
/etc/dhcp/dhcpd6.conf
/var/lib/tftpboot/
/etc/xinetd.d/tftp
/etc/mtftp
/etc/sysconfig/network
/etc/sysconfig/dhcpd
/etc/sysconfig/network
/etc/sysconfig/dhcpd

#file-cache
/var/cache/dnf
/etc/dnf
/var/lib/dnf
exit

#!/bin/bash
#restore
tar -xzvf backup.tar.gz -C /
exit

[vbox]
#vbox does not support this kernel version
kernel-devel-4.4.2-301.fc23.x86_64

NIC1-bridge for PXE
  IPv4 192.168.1.1
  netmask 255.255.255.0
  gateway 192.168.1.1
  DNS 192.168.1.1
  Search Domain 192.168.1.1
  Routers Enable 只在使用這個連線的網路資源時,才使用此連線

  IPv6 3ffe:501:ffff:100::1
  前綴 64
  DNS ::1, fec0:0:0:fff::1, 3ffe:501:ffff:100::1
 
NIC2-NAT for WAN
  auto

#network-restart
/etc/init.d/network restart
/etc/selinux/config #Disable SELinux
# Server 2012
IP            2001:db8::1 / 64
Preferred DNS ::1
Alternate DNS fec0:0:0:fff::1
range6        2001:db8::


#get kernel version
uname -r
#裝完OS先裝這個 for vbox
dnf -y install gcc
dnf install kernel-devel-4.2.3-300.fc23.x86_64

[hostname]
hostnamectl set-hostname  --static "yourHostName"

[OS update]
http://www.tecmint.com/things-to-do-after-fedora-23-installation/#
dnf update

[X-windows]
http://www.server-world.info/en/note?os=Fedora_22&p=desktop&f=3
dnf -y group install "MATE Desktop"
echo "exec /usr/bin/mate-session" >> ~/.xinitrc
startx

#設定開機啟動至 GUI 模式(runlevel 5)
systemctl set-default graphical.target

[PXE]
https://docs.fedoraproject.org/en-US/Fedora/23/html/Installation_Guide/pxe-dhcpd.html

[PXE-dhcp IPv4]
https://docs.fedoraproject.org/en-US/Fedora/23/html/Installation_Guide/pxe-dhcpd.html
dnf install dhcp
/etc/dhcp/dhcpd.conf
systemctl start dhcpd
systemctl enable dhcpd #start automatically at boot.
journalctl  --unit dhcpd  --since  -2m  --follow
#debug command
journalctl -xe


#Not needed, just for reference
#http://www.linuxquestions.org/questions/linux-networking-3/dhcpd-no-free-leases-361548/
#To initialise dhcpd.leases, delete /var/lib/dhcpd/dhcpd.leases and then reboot; it is recreated automatically
#touch /var/lib/dhcpd/dhcpd.leases

----- pluma /etc/dhcp/dhcpd.conf start--------
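# /etc/dhcp/dhcpd.conf -- ISC dhcpd (IPv4) serving the PXE subnet 192.168.1.0/24.
# Option-space definitions for the PXE vendor options and the client architecture
# option (code 93), which the class below uses to pick a BIOS or UEFI boot file.
allow booting;
allow bootp;
option space PXE;
option PXE.mtftp-ip    code 1 = ip-address;
option PXE.mtftp-cport code 2 = unsigned integer 16;
option PXE.mtftp-sport code 3 = unsigned integer 16;
option PXE.mtftp-tmout code 4 = unsigned integer 8;
option PXE.mtftp-delay code 5 = unsigned integer 8;
# Client System Architecture Type (option 93); compared below as 16-bit hex pairs.
option arch code 93 = unsigned integer 16;

subnet 192.168.1.0 netmask 255.255.255.0 {
interface enp0s3; # define eth0 to dhcp
# Dynamic pool plus a separate BOOTP-capable pool; neither includes the server's own .1.
range 192.168.1.10 192.168.1.200;
range dynamic-bootp 192.168.1.201 192.168.1.250;
# Answer authoritatively for this subnet so stale client requests get a NAK.
authoritative;
# Lease times in seconds (24 h).
default-lease-time 86400;
max-lease-time 86400;
option time-offset -18000; #Eastern Standard Time
ddns-update-style none;
option domain-name-servers 192.168.1.1;
option domain-name "ipc.linux";
# Single default gateway. The original file declared "option routers" a second time
# as "192.168.1.1,8.8.8.8"; 8.8.8.8 is not on this subnet and cannot be a gateway,
# so that duplicate (which would likely override this line) has been dropped.
option routers 192.168.1.1;
option broadcast-address 192.168.1.255;

# https://docs.fedoraproject.org/en-US/Fedora/23/html/Installation_Guide/pxe-bootloader.html
# http://logout.sh/computers/linux/netboot/
class "pxeclients" {
                  match if substring (option vendor-class-identifier, 0, 9) = "PXEClient";
                  next-server 192.168.1.1;        # address of the tftp server
                  if option arch = 00:02 {
                          filename "ia64/elilo.efi";
                  } else if option arch = 00:06 {
                          filename "uefi/bootia32.efi";
                  } else if option arch = 00:07 {
                          # NOTE(review): the [PXE-clients] steps in these notes copy only
                          # shim.efi and grubx64.efi into uefi/; confirm bootx64.efi exists,
                          # or serve uefi/shim.efi, which Secure Boot clients require.
                          filename "uefi/bootx64.efi";
                          #filename "uefi/shim.efi"; #for secure boot
                  } else { #/var/lib/tftpboot/
                          filename "pxelinux.0";
                  }
          }

}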
#next-server 192.168.1.1

#http://www.syslinux.org/wiki/index.php?title=PXELINUX
# .0    PXE bootstrap program (NBP) [PXELINUX only]
# .bin  "CD boot sector" [ISOLINUX only]
# .bs   Boot sector [SYSLINUX only]
# .bss  Boot sector, DOS superblock will be patched in [SYSLINUX only]
# .c32  COM32 image (32-bit COMBOOT)
# .cbt  COMBOOT image (not runnable from DOS)
# .com  COMBOOT image (runnable from DOS)
# .img  Disk image [ISOLINUX only]

# https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Networking_Guide/sec-dhcp-configuring-server.html#config-file
----- /etc/dhcp/dhcpd.conf end--------


[PXE-dhcp IPv6-radvd]

#https://fedoraproject.org/wiki/IPv6Guide
dnf install radvd # without radvd the client cannot ping the DHCP server
systemctl enable radvd.service
systemctl start radvd.service
------- pluma /etc/radvd.conf start ------------
# /etc/radvd.conf -- Router Advertisements on the PXE interface.
interface enp0s3
{
  AdvSendAdvert on;
  # RA interval bounds, in seconds.
  MinRtrAdvInterval 30;
  MaxRtrAdvInterval 100;
    AdvHomeAgentFlag off; #http://www.lijyyh.com/2012/05/dhcpv6ip-ciscolinux-isc-dhcpwindows.html
    # M flag on: clients are told to obtain addresses via DHCPv6 (stateful mode).
    # O flag on: other configuration (DNS, boot URL) also comes from DHCPv6.
    AdvManagedFlag on;
    AdvOtherConfigFlag on;
  # NOTE(review): 3ffe::/16 is the retired 6bone range (RFC 3701); acceptable on an
  # isolated lab segment, but it must never be routed beyond it.
  prefix 3ffe:501:ffff:100::/64
  {
    AdvOnLink on;
    # AdvAutonomous on also lets clients self-assign SLAAC addresses from this prefix,
    # so hosts end up with a SLAAC address in addition to any DHCPv6 lease.
    AdvAutonomous on;
    AdvRouterAddr off;
  };
};
------- pluma /etc/radvd.conf end ------------

------- pluma /etc/dhcp6s.conf start ------------
# /etc/dhcp6s.conf -- WIDE-DHCPv6 server (dhcp6s) for the PXE interface.
# NOTE(review): these notes also configure ISC dhcpd -6 on enp0s3 (dhcpd6.conf below);
# only one DHCPv6 server can own UDP 547 on the interface, so run one or the other.
interface enp0s3 {
link AAA {
    allow unicast;
    send unicast;
    allow rapid-commit;
    send server-preference 5;
    # timers and lifetimes in seconds
    renew-time 1000;
    rebind-time 2400;
    prefer-life-time 2000;
    valid-life-time 3000;
    range 3ffe:501:ffff:100::10 to 3ffe:501:ffff:100::100/64;
    prefix 3ffe:501:ffff:100::/64;
    # The pool restates the same range with longer lifetimes and a different
    # delegation prefix; presumably the pool values are what clients receive -- TODO confirm
    pool {
      prefer-life-time 3600;
      valid-life-time 7200;
      range 3ffe:501:ffff:100::10 to 3ffe:501:ffff:100::100/64;
      prefix fec0:fffe::/48;
    }
  }
}
------- pluma /etc/dhcp6s.conf end ------------

------- pluma /etc/dhcp6c.conf start ------------
# /etc/dhcp6c.conf -- WIDE-DHCPv6 client settings; only relevant if this host acts as
# a DHCPv6 client on enp0s3, which is not the PXE server's role in these notes.
interface enp0s3 {
  send rapid-commit;
  request prefix-delegation;
  request domain-name-servers;
  request temp-address;
  iaid 11111;
  # Static address hint with lifetimes in seconds.
  # NOTE(review): ::10 is also the first address of the server pools (dhcpd6.conf
  # range6 / dhcp6s.conf range), so a conflict is possible if both run on this segment.
  address {
    3ffe:501:ffff:100::10/64;
    prefer-life-time 6000;
    valid-life-time 8000;
  };
  renew-time 11000;
  rebind-time 21000;
};
------- pluma /etc/dhcp6c.conf end ------------

[PXE-dhcp IPv6]

無狀態位址自動指派(Stateless Address Autoconfiguration, SLAAC)
無狀態DHCPv6(Stateless DHCPv6) 家用
全狀態DHCPv6(Stateful DHCPv6) 辦公室

DHCPv6(Stateless DHCPv6)

------- pluma /etc/sysconfig/network start -------
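# /etc/sysconfig/network -- sourced by the network scripts; shell KEY=VALUE syntax.
NETWORKING=yes
HOSTNAME=ipc.linux
# Enable IPv6 routing and stop accept_ra/autoconf.
# Fix: the key was misspelled NETWORING_IPV6, which nothing reads, so the IPv6 setting
# silently stayed at its default.
NETWORKING_IPV6=yes
IPV6FORWARDING=yes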
------- pluma /etc/sysconfig/network end -------

#not needed
------- pluma /var/lib/tftpboot/uefi/grub.cfg start -------
# /var/lib/tftpboot/uefi/grub.cfg -- GRUB2 menu for UEFI clients (marked "not needed" above).
set timeout=30
  menuentry 'RHEL' {
  # NOTE(review): uefi/vmlinuz and uefi/initrd.img are not created by any step in these
  # notes (the [PXE-kernel & initrd] step downloads into f23/); inst.repo is left commented.
  linuxefi uefi/vmlinuz ip=dhcp #inst.repo=http://10.32.5.1/mnt/archive/RHEL-7/7.x/Server/x86_64/os/
  initrdefi uefi/initrd.img
}
------- /var/lib/tftpboot/uefi/grub.cfg end -------

# https://docs.fedoraproject.org/en-US/Fedora/22/html/Networking_Guide/sec-dhcp_for_ipv6_dhcpv6.html
pluma /etc/dhcp/dhcpd6.conf
/usr/sbin/dhcpd -6 -d -cf /etc/dhcp/dhcpd6.conf -user dhcpd -group dhcpd --no-pid enp0s3
systemctl --system daemon-reload
systemctl restart dhcpd.service
journalctl -xe

#need to modify the listen interface for dhcp and then reboot
echo "DHCPDARGS=\"enp0s3\";"  >> /etc/sysconfig/dhcpd # important

# /usr/share/doc/dhcp-server/dhcpd6.conf.example
-------pluma /etc/dhcp/dhcpd6.conf start -----------------------
# /etc/dhcp/dhcpd6.conf -- ISC dhcpd in DHCPv6 mode (dhcpd -6) for the PXE subnet.
# allow booting / allow bootp are IPv4 BOOTP settings; presumably ignored in -6 mode.
allow booting;
allow bootp;
# Lifetimes in seconds.
# NOTE(review): max-lease-time (2 h) is below default-lease-time (30 d); the smaller
# value presumably caps the lease -- confirm the intended lifetime.
default-lease-time 2592000;
preferred-lifetime 604800;
max-lease-time 7200;
option dhcp-renewal-time 3600;
option dhcp-rebinding-time 7200;
option dhcp6.info-refresh-time 21600;
# NOTE(review): this name server is advertised to clients, but the named.conf in these
# notes listens on IPv6 only at ::1, so v6 clients cannot reach it as configured.
option dhcp6.name-servers 3ffe:501:ffff:100::1;
option dhcp6.domain-search "ipc.linux";
# OPTION_BOOTFILE_URL (RFC 5970): the boot file is handed to UEFI IPv6 PXE clients as a URL.
option dhcp6.bootfile-url code 59 = string;
# The subnet where the server is attached
#  (i.e., the server has an address in this subnet)
subnet6 3ffe:501:ffff:100::/64 {
  interface enp0s3; # define eth0 to dhcp
  # Addresses handed to clients: ::10 .. ::100. (The "two addresses available" remark
  # in the shipped example file does not apply to this range.)
  range6 3ffe:501:ffff:100::10 3ffe:501:ffff:100::100;
  # Use the whole /64 prefix for temporary addresses
  #  (i.e., direct application of RFC 4941)
  range6 3ffe:501:ffff:100:: temporary;
  # Some /64 prefixes available for Prefix Delegation (RFC 3633)
  # NOTE(review): the delegation pool starts at 3ffe:501:ffff:100::, the on-link prefix
  # of this very subnet6, so a delegated /64 would collide with it; start the pool at a
  # prefix outside the attached /64.
  prefix6 3ffe:501:ffff:100:: 3ffe:501:ffff:111:: /64;
  option dhcp6.name-servers 3ffe:501:ffff:100::1;
  option dhcp6.domain-search "ipc.linux";
  class "pxeclients" {
      # NOTE(review): vendor-class-identifier is the IPv4 option 60; DHCPv6 PXE clients
      # send their vendor class in dhcp6.vendor-class instead, so this match presumably
      # never succeeds in -6 mode (consistent with the "IPv6 boot failed" note below).
      # Match on option dhcp6.client-arch-type, or on
      # substring(option dhcp6.vendor-class, 6, 9) = "PXEClient" -- verify the offset.
      match if substring (option vendor-class-identifier, 0, 9) = "PXEClient";    
      # Boot files are handed out as TFTP URLs (IPv6 literal in brackets); like the IPv4
      # path, TFTP provides no integrity protection -- shim.efi is the Secure Boot entry.
      # http://www.ietf.org/assignments/dhcpv6-parameters/dhcpv6-parameters.txt
      if option dhcp6.client-arch-type = 00:06 { #efi x86
      option dhcp6.bootfile-url "tftp://[3ffe:501:ffff:100::1]/uefi/bootia32.efi";
      } else if option dhcp6.client-arch-type = 00:07 { #efi x64
      #option dhcp6.bootfile-url "tftp://[3ffe:501:ffff:100::1]/uefi/shim.efi"; # for secure boot
      # NOTE(review): the [PXE-clients] steps copy only shim.efi and grubx64.efi into
      # uefi/; confirm bootx64.efi exists.
      option dhcp6.bootfile-url "tftp://[3ffe:501:ffff:100::1]/uefi/bootx64.efi";
      } else {
      # Fallback for non-UEFI architectures; BIOS PXE ROMs do not speak IPv6, so this
      # branch is unlikely to be exercised.
      option dhcp6.bootfile-url "tftp://[3ffe:501:ffff:100::1]/pxelinux.0";
      }
#https://docs.fedoraproject.org/en-US/Fedora/18/html/Installation_Guide/s1-netboot-pxe-config-efi.html
  }

}
# IPv6 boot failed
# IPv4 error : couldn't send network packet
# IPv4 not authoritative for subnet


#https://docs.fedoraproject.org/en-US/Fedora/13/html/Deployment_Guide/s1-dhcp_for_ipv6_dhcpv6.html
-------/etc/dhcp/dhcpd6.conf end -----------------------


[PXE-tftp]
https://docs.fedoraproject.org/en-US/Fedora/23/html/Installation_Guide/pxe-dhcpd.html
dnf install tftp-server
systemctl start tftp.socket
systemctl enable tftp.socket

##tftp check
tftp localhost
tftp> get hello.txt

[Q&A]
PXE-E32: TFTP open timeout  --> 1. remove and then re-install
                                2. disable and stop firewalld.service
                                3. check the hostname
#https://docs.oracle.com/cd/E19045-01/b200x.blade/817-5625-10/Linux_Troubleshooting.html
netstat -an | fgrep -w 67 # For DHCP
netstat -an | fgrep -w 69 # For tftp


# http://linux.vbird.org/linux_enterprise/0120installation.php#pxe_dhcp
-------pluma /etc/xinetd.d/tftp start -----------------------
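# /etc/xinetd.d/tftp -- xinetd stanza for tftp-hpa. Only relevant if xinetd, rather
# than the tftp.socket unit enabled above, is what serves UDP 69.
service tftp
{
        socket_type            = dgram
        protocol               = udp
        wait                   = yes
        # xinetd starts in.tftpd as root so it can chroot; -u then drops it to nobody.
        user                   = root
        server                 = /usr/sbin/in.tftpd
        # -u specifies the user to run as, -s the directory to serve (chroot).
        # Without -c clients can only read, never create files -- keep it that way
        # on a boot server.
        server_args            = -u nobody -s /var/lib/tftpboot
        # The original stanza also carried a duplicate "Disable = no" (capitalised);
        # presumably not a recognised attribute, and redundant with this line either way.
        disable                = no
        per_source             = 11
        cps                    = 100 2
        # NOTE(review): xinetd.conf(5) describes IPv4 and IPv6 as alternative flags;
        # confirm which one a dual-stack in.tftpd needs here.
        flags                  = IPv4 IPv6
}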
-------/etc/xinetd.d/tftp end -----------------------

#not needed
------- pluma /etc/mtftp start -----------------------
# /etc/mtftp -- xinetd stanza for multicast TFTP (marked "not needed"). The PXE.mtftp-*
# options are declared in dhcpd.conf above but never assigned, so nothing points
# clients here; presumably xinetd would not read this file outside /etc/xinetd.d anyway.
service mtftp
{
        socket_type            = dgram
        protocol               = udp
        wait                   = yes
        user                   = root
        # NOTE(review): /usr/sbin/in.mtftpd is not installed by any step in these notes.
        server                 = /usr/sbin/in.mtftpd
        # served from /tftpboot, not the /var/lib/tftpboot used everywhere else
        server_args            = /tftpboot
        disable                = no
        per_source             = 11
        cps                    = 100 2
        #flags                  = IPv4
}
-------/etc/mtftp end -----------------------



[PXE-clients]
https://docs.fedoraproject.org/en-US/Fedora/23/html/Installation_Guide/pxe-bootloader.html

dnf install syslinux

mkdir -p /var/lib/tftpboot/pxelinux.cfg
cp /usr/share/syslinux/{pxelinux.0,vesamenu.c32,ldlinux.c32,libcom32.c32,libutil.c32} /var/lib/tftpboot/
dnf install shim grub2-efi --installroot=/tmp/fedora --releasever 23

mkdir -p /var/lib/tftpboot/uefi
cp /tmp/fedora/boot/efi/EFI/fedora/{shim.efi,grubx64.efi} /var/lib/tftpboot/uefi/


#chmod 675 for tftpboot
#vmlinuz:就是安裝軟體的核心檔案 (kernel file);
#initrd.img:就是開機過程中所需要的核心模組參數;

# To be confirmed ...如果是UEFI的SUT安裝,就得直接在/tftpboot/下建立一個efidefault的文字檔(因為目前CentOS 6.5直接放在pxelinux.cfg/下還是會有找不到檔案的問題)
----- pluma /var/lib/tftpboot/pxelinux.cfg/efidefault start------------------
# https://access.redhat.com/documentation/zh-TW/Red_Hat_Enterprise_Linux/6/html/Installation_Guide/s1-netboot-pxe-config-efi.html
# /var/lib/tftpboot/pxelinux.cfg/efidefault -- GRUB-legacy style EFI menu
# (title/root/kernel), the format the RHEL 6 guide linked above expects;
# GRUB2 does not understand this syntax.
default=0
timeout=60
splashimage=uefi/logo.xpm.gz
#hiddenmenu
title Fedora Installation
        # root (nd): boot from the network device
        root (nd)
        kernel f23/vmlinuz
        initrd f23/initrd.img
    #Fetching Netboot Image

    #initrd uefi/efiboot.img
    #error : couldn't send network packet

title UEFI boot
    root (nd)
    # NOTE(review): grubx64.efi is a bootloader, not a kernel, and uefi/efiboot.img is
    # not produced by these notes; this entry looks experimental.
    kernel grubx64.efi
    initrd uefi/efiboot.img


----- /var/lib/tftpboot/pxelinux.cfg/efidefault end--------------------------

----- pluma /var/lib/tftpboot/pxelinux.cfg/default start--------------------------
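# /var/lib/tftpboot/pxelinux.cfg/default -- PXELINUX (BIOS) boot menu.
# Paths are relative to the TFTP root, /var/lib/tftpboot.
# Fixes versus the original: "lable Win10" -> "label Win10" (the typo left that entry
# undefined) and the rescue initrd path "f23initrd.img" -> "f23/initrd.img".
default vesamenu.c32
prompt 1
timeout 600
menu background logo.png
menu autoboot "Booting Default in #s"
menu title PXEboot menu

# install source
# https://access.redhat.com/documentation/zh-TW/Red_Hat_Enterprise_Linux/7/html/Installation_Guide/chap-anaconda-boot-options.html#sect-boot-options-installer
# inst.stage2 points the installer at the Fedora mirror; the ks= URL in item 2 is still
# the example.com placeholder.

#item 1
label linux
menu label ^Install Fedora 23 64-bit
menu default
kernel f23/vmlinuz
append initrd=f23/initrd.img inst.stage2=http://download.fedoraproject.org/pub/fedora/linux/releases/23/Server/x86_64/os/ ip=dhcp
#item 2
label server
menu label ^Install Fedora 23 64-bit ( Minimal Image )
# NOTE(review): "menu default" is also set on item 1; only one entry can be the default.
menu default
kernel f23/vmlinuz
append initrd=f23/initrd.img inst.stage2=http://download.fedoraproject.org/pub/fedora/linux/releases/23/Server/x86_64/os/ ip=dhcp ks=https://example.com/fedora/kickstarts/minimal.ks
#item 3
label rescue
menu label ^Rescue installed system 64-bit
kernel f23/vmlinuz
append initrd=f23/initrd.img ip=dhcp root=live:http://download.fedoraproject.org/pub/fedora/linux/releases/23/Server/x86_64/os/LiveOS/squashfs.img rescue
#item 4
label local
menu label Boot from ^local drive
localboot 0xffff

# http://www.vercot.com/~serva/an/WindowsPXE1.html
# http://ftp.jaist.ac.jp/pub/Linux/Fedora/releases/23/Server/x86_64/os/isolinux/isolinux.cfg
# the main label only seems to hold 5 items !?, use a submenu for more items.

#item 5
# utilities submenu
menu begin ^Troubleshooting
menu title Troubleshooting

  # NOTE(review): stray entry with no kernel/com32 line; presumably a leftover.
  label vesa
  menu indent count 5

  #item 5-1 (not yet)
  label Win10
  menu label ^Install Windows 10 (not ready)
  com32 syslinux/linux.c32 /WinPE/wimboot/wimboot.x86_64
  append initrdfile=WinPE/bootmgr,WinPE/bcd,WinPE/boot.sdi,WinPE/pe_x64.wim

  #item 5-2
  label memtest
  menu label ^Run a memory test x86 (OK)
  kernel memtest

  #item 5-3
  label Floppy
  menu label ^Run a Floppy with Ram Disk x86 (OK)
  kernel syslinux/memdisk
  APPEND initrd=dos/fdboot.img floppy

  #item 5-4
  LABEL x86
  MENU LABEL 32Bit (x86)
  KERNEL syslinux/menu.c32
  APPEND pxelinux.cfg/x86.conf

  #item 5-5
  LABEL x64
    MENU LABEL 64Bit (x64)
    KERNEL syslinux/menu.c32
    APPEND pxelinux.cfg/x64.conf

  #item 5-6
  LABEL FreeDos
    MENU LABEL FreeDos x86 (not ready)
    # NOTE(review): COM32 and KERNEL both set the program to run; presumably the later
    # KERNEL wins, so chain.c32 and its freedos= argument are never used.
    COM32 syslinux/chain.c32
    KERNEL syslinux/menu.c32
    APPEND freedos="dos/kernel.sys"
#Initial menu has no LABEL entries.
# http://diddy.boot-land.net/pxe/files/imgs.htm

#item 5-7 (OK)
#http://www.howtogeek.com/162070/it-geek-how-to-network-boot-pxe-the-winpe-recovery-disk-with-pxelinux-v5-wimboot/
#https://technet.microsoft.com/en-us/library/cc753134(v=ws.10).aspx
  LABEL WinPE
    MENU LABEL WinPE (OK)
    #linux.c32 loads wimboot, the WinPE boot utility
    com32 syslinux/linux.c32 /WinPE/wimboot/wimboot.x86_64
    #WinPE requires these files (bootmgr, bcd, boot.sdi and pe_x64.wim) in /var/lib/tftpboot/WinPE
    APPEND initrdfile=WinPE/bootmgr,WinPE/bcd,WinPE/boot.sdi,WinPE/pe_x64.wim

# cp -p /media/sf_ShareFolder/WinPE/* ./tftpboot/WinPE/
# chgrp root ./tftpboot/WinPE/*
# chmod 675 ./tftpboot/WinPE/*
# ls -l ./tftpboot/WinPE/

  label returntomain
  menu label Return to ^main menu
  menu exit
menu end
# add wimboot path, root is tftpboot folder
PATH WinPE/wimboot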
-----/var/lib/tftpboot/pxelinux.cfg/default end--------------------------


# http://www.syslinux.org/wiki/index.php?title=PXELINUX
-----/var/lib/tftpboot/pxelinux.cfg/x86.conf start --------------------------
# /var/lib/tftpboot/pxelinux.cfg/x86.conf -- submenu reached from the main menu's x86 entry.
# NOTE(review): despite the "32Bit" title, the f23/vmlinuz fetched in [PXE-kernel & initrd]
# is the x86_64 kernel; there is no 32-bit kernel in these notes.
# Default boot option to use
  # NOTE(review): DEFAULT names menu.c32 at the TFTP root, but the main-menu steps copy only
  # vesamenu.c32 there, and the entries below use syslinux/menu.c32 -- confirm the path.
  DEFAULT menu.c32
  # Prompt user for selection
  PROMPT 0
  # Menu Configuration
  MENU TITLE 32Bit (x86) OS Choice
  # Return to Main Menu
  LABEL MainMenu
    MENU DEFAULT
    MENU LABEL ^Main Menu
    KERNEL syslinux/menu.c32
  #
  # Blank boots
  #
  # Kernel and initrd only; no inst.* boot options are passed.
  LABEL linux-43
    MENU LABEL ^Blank Boot 4.3
    KERNEL f23/vmlinuz
    APPEND initrd=f23/initrd.img
-----/var/lib/tftpboot/pxelinux.cfg/x86.conf end --------------------------


-----/var/lib/tftpboot/pxelinux.cfg/x64.conf start --------------------------
  # /var/lib/tftpboot/pxelinux.cfg/x64.conf -- submenu reached from the main menu's x64 entry.
  # Default boot option to use
  # NOTE(review): DEFAULT names menu.c32 at the TFTP root, but the main-menu steps copy only
  # vesamenu.c32 there, and the entries below use syslinux/menu.c32 -- confirm the path.
  DEFAULT menu.c32
  # Prompt user for selection
  PROMPT 0
  # Menu Configuration
  MENU TITLE 64Bit (x64) OS Choice
  # Return to Main Menu
  LABEL MainMenu
    MENU DEFAULT
    MENU LABEL ^Main Menu
    KERNEL syslinux/menu.c32
  #
  # Blank boots
  #
  # Kernel and initrd only; no inst.* boot options are passed.
  LABEL linux-43
    MENU LABEL ^Blank Boot 4.3
    KERNEL f23/vmlinuz
    APPEND initrd=f23/initrd.img

-----/var/lib/tftpboot/pxelinux.cfg/x64.conf end --------------------------


--------(not used)---------- pluma /var/lib/tftpboot/pxelinux/uefi start --------------
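# /var/lib/tftpboot/pxelinux/uefi -- GRUB2 menu script (marked "not used" in these notes).
# Fixes versus the original: the second and third entries used PXELINUX keywords
# (kernel/append), which GRUB2 does not have, and the rescue entry's initrd path was
# garbled ("f23/initrd=initrd.img"); all entries now use linuxefi/initrdefi, and the
# rescue entry passes ip=dhcp like its PXELINUX counterpart so root=live:http:// can load.
function load_video {
insmod efi_gop
insmod efi_uga
insmod video_bochs
insmod video_cirrus
insmod all_video
}

load_video
set gfxpayload=keep
insmod gzio

# Kernel/initrd paths are relative to the GRUB root (presumably the TFTP tree); the
# installer fetches stage2 from the mirror named in inst.repo.
menuentry 'Install Fedora 64-bit'  --class fedora --class gnu-linux --class gnu --class os {
linuxefi f23/vmlinuz ip=dhcp inst.repo=http://download.fedoraproject.org/pub/fedora/linux/releases/23/Server/x86_64/os/
initrdefi f23/initrd.img
}

# Same install, plus a kickstart answer file fetched over HTTPS.
menuentry 'Install Fedora 23 Server'  --class fedora --class gnu-linux --class gnu --class os {
linuxefi f23/vmlinuz ip=dhcp inst.repo=http://download.fedoraproject.org/pub/fedora/linux/releases/23/Server/x86_64/os/ ks=https://git.fedorahosted.org/cgit/spin-kickstarts.git/plain/fedora-install-server.ks?h=f21
initrdefi f23/initrd.img
}

# Rescue mode: the root filesystem is the live squashfs from the mirror.
menuentry 'Rescue installed system'  --class fedora --class gnu-linux --class gnu --class os {
linuxefi f23/vmlinuz ip=dhcp root=live:http://download.fedoraproject.org/pub/fedora/linux/releases/23/Server/x86_64/os/LiveOS/squashfs.img rescue
initrdefi f23/initrd.img
}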
--------(not used)----------/var/lib/tftpboot/pxelinux/uefi end----------------------

[ftp]
systemctl restart vsftpd
pluma /etc/vsftpd/vsftpd.conf

--------------- pluma /etc/xinetd.d/vsftpd start ---------------
# /etc/xinetd.d/vsftpd -- xinetd stanza for FTP; clearly still a work in progress
# (vsftpd is also run as a systemd service above, which makes this stanza redundant).
service ftp
{
        socket_type             = stream
        wait                    = no
        # NOTE(review): xinetd needs a real system account here; "anonymous" is an FTP
        # login name, and the inline "#root" is presumably read as part of the value.
        user                    = anonymous #root
        # NOTE(review): "server" must be the daemon path (/usr/sbin/vsftpd, as the
        # trailing text hints); /var/lib/tftpboot is a directory and cannot be executed.
        server                  = /var/lib/tftpboot #/usr/sbin/vsftpd
        # Record session duration and user on success, user on failure.
        log_on_success          += DURATION USERID
        log_on_failure          += USERID
        nice                    = 10
        disable                 = no
}
--------------- pluma /etc/xinetd.d/vsftpd end ---------------

[PXE-kernel & initrd]
https://docs.fedoraproject.org/en-US/Fedora/23/html/Installation_Guide/pxe-kernel.html

 mkdir -p /var/lib/tftpboot/f23
 wget http://download.fedoraproject.org/pub/fedora/linux/releases/23/Server/x86_64/os/images/pxeboot/vmlinuz -O /var/lib/tftpboot/f23/vmlinuz
 wget http://download.fedoraproject.org/pub/fedora/linux/releases/23/Server/x86_64/os/images/pxeboot/initrd.img -O /var/lib/tftpboot/f23/initrd.img

[LDAP (not needed)]
#https://docs.fedoraproject.org/en-US/Fedora/23/html/System_Administrators_Guide/ch-Directory_Servers.html#s1-OpenLDAP
dnf install openldap-servers-2.4.40-14.fc23.x86_64
dnf install nss-pam-ldapd-0.8.14-5.fc23.x86_64
dnf install mod_ldap-2.4.18-1.fc23.x86_64

systemctl stop slapd.service
slappasswd
{SSHA}zq6z5sVg0xVrlmcBrAONySoXCFb2jfWb


---------- pluma /etc/openldap/ldap.conf start -----------
#http://blog.xuite.net/tolarku/blog/161523701-LDAP+%E5%AE%89%E8%A3%9D%E4%BB%8B%E7%B4%B9+-+CentOS+6.4+-+openldap
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
# NOTE(review): despite the heading above naming ldap.conf, these are slapd.conf(5)
# server directives (include/database/access/rootpw), not ldap.conf(5) client settings.
include         /etc/openldap/schema/corba.schema
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/duaconf.schema
include         /etc/openldap/schema/dyngroup.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/java.schema
include         /etc/openldap/schema/misc.schema
include         /etc/openldap/schema/nis.schema
include         /etc/openldap/schema/openldap.schema
include         /etc/openldap/schema/ppolicy.schema
include         /etc/openldap/schema/collective.schema
# Allow LDAPv2 client connections.  This is NOT the default.
# (LDAPv2 is obsolete; keep this only while a legacy client actually needs it.)
allow bind_v2
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral       ldap://root.openldap.org
pidfile         /var/run/openldap/slapd.pid
argsfile        /var/run/openldap/slapd.args
# Log level and file: 256 is the "stats" level (connections, operations, results).
loglevel        256
logfile        /var/log/slapd/ldap.log

# Load dynamic backend modules
# - modulepath is architecture dependent value (32/64-bit system)
# - back_sql.la overlay requires openldap-server-sql package
# - dyngroup.la and dynlist.la cannot be used at the same time
# modulepath /usr/lib/openldap
# modulepath /usr/lib64/openldap
# moduleload accesslog.la
# moduleload auditlog.la
# moduleload back_sql.la
# moduleload chain.la
# moduleload collect.la
# moduleload constraint.la
# moduleload dds.la
# moduleload deref.la
# moduleload dyngroup.la
# moduleload dynlist.la
# moduleload memberof.la
# moduleload pbind.la
# moduleload pcache.la
# moduleload ppolicy.la
# moduleload refint.la
# moduleload retcode.la
# moduleload rwm.la
# moduleload seqmod.la
# moduleload smbk5pwd.la
# moduleload sssvlv.la
# moduleload syncprov.la
# moduleload translucent.la
# moduleload unique.la
# moduleload valsort.la

# The next three lines allow use of TLS for encrypting connections using a
# dummy test certificate which you can generate by running
# /usr/libexec/openldap/generate-server-cert.sh. Your client software may balk
# at self-signed certificates, however.

# If a real SSL certificate is used, this section must be changed.
# (Fedora's slapd is presumably NSS-backed here: the "file" is a certificate nickname
# in the NSS database under TLSCACertificatePath, and the key file holds the DB password.)
TLSCACertificatePath /etc/openldap/certs
TLSCertificateFile "\"OpenLDAP Server\""
TLSCertificateKeyFile /etc/openldap/certs/password

# Sample security restrictions
#       Require integrity protection (prevent hijacking)
#       Require 112-bit (3DES or better) encryption for updates
#       Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64
# (left commented: nothing below forces TLS, so simple binds may travel in the clear)

# Sample access control policy:
#       Root DSE: allow anyone to read it
#       Subschema (sub)entry DSE: allow anyone to read it
#       Other DSEs:
#               Allow self write access
#               Allow authenticated users read access
#               Allow anonymous users to authenticate
#       Directives needed to implement policy:
# access to dn.base="" by * read
# access to dn.base="cn=Subschema" by * read
# access to *
#       by self write
#       by users read
#       by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn.  (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!

# enable on-the-fly configuration (cn=config)
database config
# Only the local root user (SASL EXTERNAL over ldapi://, peer credentials) may manage cn=config.
access to *
        by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
        by * none
# enable server status monitoring (cn=monitor)
database monitor
access to *
        by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read
        # NOTE(review): this DN (and the two below) were copied from the linked blog post
        # and do not match the rootdn/suffix configured further down
        # (dc=ipc,dc=linux,dc=com,dc=tw); as written they grant nothing useful.
        by dn.exact="cn=root,dc=ldap,dc=nthu,dc=org,dc=tw" read
        by * none
# The two access stanzas below were added on top of the stock file.
# NOTE(review): with "by anonymous auth" commented out, an unauthenticated connection
# presumably cannot use userPassword to bind, so ordinary users' simple binds may fail --
# confirm before relying on this ACL.
access to attrs=userPassword
       by self write
       #by anonymous auth
       by dn.base="cn=root,dc=ldap,dc=nthu,dc=org,dc=tw" write
       #by * none
# attrs=userPassword: userPassword is restricted to authentication use; only the user can change their own password
# self write: a user may change their own password
# anonymous auth: anonymous users may use the attribute to authenticate
# * none: nobody else may access it (this is also the implicit last clause of every access directive)
# NOTE(review): "self write" on every attribute lets a user rewrite their whole entry,
# which with nis.schema loaded includes uidNumber/gidNumber -- consider narrowing it
# if any system trusts those values for authorization.
access to *
       by self write
       by users read
       by dn.base="cn=root,dc=ldap,dc=nthu,dc=org,dc=tw" write
       #by * none

#######################################################################
# database definitions
#######################################################################
database        bdb
#suffix         "dc=my-domain,dc=com"
suffix          "dc=ipc,dc=linux,dc=com,dc=tw"
checkpoint      1024 15
#rootdn         "cn=Manager,dc=my-domain,dc=com"
rootdn          "cn=root,dc=ipc,dc=linux,dc=com,dc=tw"
# Cleartext passwords, especially for the rootdn, should
# be avoided.  See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
# rootpw                secret
# rootpw                {crypt}ijFYNcSNctBYg
# NOTE(review): this SSHA hash is reproduced in these public notes (it is the slappasswd
# output shown above); treat it as disclosed and generate a fresh one before use.
rootpw          {SSHA}zq6z5sVg0xVrlmcBrAONySoXCFb2jfWb
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory       /var/lib/ldap
# Indices to maintain for this database
index objectClass                       eq,pres
index ou,cn,mail,surname,givenname      eq,pres,sub
index uidNumber,gidNumber,loginShell    eq,pres
index uid,memberUid                     eq,pres,sub
index nisMapName,nisMapEntry            eq,pres,sub
# Replicas of this database
#replogfile /var/lib/ldap/openldap-master-replog
#replica host=ldap-1.example.com:389 starttls=critical
#     bindmethod=sasl saslmech=GSSAPI
#     authcId=host/ldap-master.example.com@EXAMPLE.COM
---------- pluma /etc/openldap/ldap.conf end -----------

[Firewall]
# http://iori.tw/%E6%9E%B6%E8%A8%ADuefiipv6%E7%92%B0%E5%A2%83%E7%9A%84pxe-server-under-the-rhel-6-x/


pluma /etc/sysconfig/selinux -> takes effect after rebooting the system
SELINUX=disabled



[dnsmasq No need, only for reference]
systemctl restart dnsmasq.service

------------- pluma /etc/dnsmasq.conf start --------------
# /etc/dnsmasq.conf -- dnsmasq as a combined DHCP/TFTP server (reference only). It would
# compete with dhcpd and tftp-server for UDP 67 and 69, so it is not used alongside them.
interface=enp0s3
bind-interfaces
dhcp-range=192.168.1.10,192.168.1.200
# NOTE(review): grubnetx64.efi.signed is the Debian-family file name; the Fedora tree
# built above provides uefi/shim.efi and uefi/grubx64.efi instead.
dhcp-boot=grubnetx64.efi.signed
enable-tftp
# NOTE(review): a different TFTP root from the /var/lib/tftpboot used elsewhere in these notes.
tftp-root=/srv/tftp/
------------- /etc/dnsmasq.conf end --------------

[PXE-dns No need, only for reference]
/etc/resolv.conf
--------/etc/resolv.conf start ------------------
# /etc/resolv.conf (reference only)
# NOTE(review): "search" takes domain names, not addresses, so "192.168.1.1" is not a
# valid search domain. "domain" and "search" are also mutually exclusive -- the last one
# given wins, so the line below is overridden by "domain ipc.linux".
search 192.168.1.1 linux
domain ipc.linux
# First resolver is on a different subnet from the PXE network; the named instance
# configured in these notes (192.168.1.1) is only the second choice.
nameserver 192.168.0.1
nameserver 192.168.1.1
---------/etc/resolv.conf end-----------------

[DNS BIND]

---------- pluma /etc/named.conf start -------------
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// Local changes versus the stock file: listen-on any, allow-query widened to the PXE
// subnet, and the ipc.linux zone added via named.rfc1912.zones.

options {
  // IPv4: all interfaces.
  listen-on port 53 { any; };
  // NOTE(review): IPv6 listens on loopback only, yet dhcpd6.conf above advertises
  // 3ffe:501:ffff:100::1 as the name server; v6 clients cannot reach it as configured.
  listen-on-v6 port 53 { ::1; };
  directory   "/var/named";
  dump-file   "/var/named/data/cache_dump.db";
  statistics-file "/var/named/data/named_stats.txt";
  memstatistics-file "/var/named/data/named_mem_stats.txt";
  // NOTE(review): 192.168.1.1/24 has host bits set; named may warn about or reject it.
  // The intended prefix is 192.168.1.0/24.
  allow-query     { localhost; 192.168.1.1/24; };

  /*
   - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
   - If you are building a RECURSIVE (caching) DNS server, you need to enable
     recursion.
   - If your recursive DNS server has a public IP address, you MUST enable access
     control to limit queries to your legitimate users. Failing to do so will
     cause your server to become part of large scale DNS amplification
     attacks. Implementing BCP38 within your network would greatly
     reduce such attack surface
  */
  // Recursion is on; with no allow-recursion set it presumably falls back to
  // allow-query, so only localhost and the PXE subnet can recurse -- keep it that way.
  recursion yes;

  dnssec-enable yes;
  dnssec-validation yes;

  /* Path to ISC DLV key */
  /* (ISC's DLV lookaside registry has since been discontinued upstream.) */
  bindkeys-file "/etc/named.iscdlv.key";

  managed-keys-directory "/var/named/dynamic";

  pid-file "/run/named/named.pid";
  session-keyfile "/run/named/session.key";

    /* https://fedoraproject.org/wiki/Changes/CryptoPolicy */
    /* System-wide crypto policy controls the TLS/DNSSEC algorithm settings. */
    include "/etc/crypto-policies/back-ends/bind.config";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

// Root hints for recursion.
zone "." IN {
  type hint;
  file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";


---------- pluma /etc/named.conf end -------------


---------- pluma /etc/named.rfc1912.zones start -------------
// named.rfc1912.zones:
//
// Provided by Red Hat caching-nameserver package
//
// ISC BIND named zone configuration for zones recommended by
// RFC 1912 section 4.1 : localhost TLDs and address zones
// and http://www.ietf.org/internet-drafts/draft-ietf-dnsop-default-local-zones-02.txt
// (c)2007 R W Franks
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// Local change versus the stock file: the "ipc.linux" zone at the bottom.

zone "localhost.localdomain" IN {
  type master;
  file "named.localhost";
  allow-update { none; };
};

zone "localhost" IN {
  type master;
  file "named.localhost";
  allow-update { none; };
};

zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {
  type master;
  file "named.loopback";
  allow-update { none; };
};

zone "1.0.0.127.in-addr.arpa" IN {
  type master;
  file "named.loopback";
  allow-update { none; };
};

zone "0.in-addr.arpa" IN {
  type master;
  file "named.empty";
  allow-update { none; };
};

// Authoritative zone for the PXE domain handed out by dhcpd/dhcpd6 above.
// NOTE(review): ipc.linux.zone (relative to /var/named) is not shown anywhere in these
// notes; named will refuse to load the zone until it exists. allow-update none keeps
// dynamic updates off, consistent with ddns-update-style none in dhcpd.conf.
zone "ipc.linux" IN {
  type master;
  file "ipc.linux.zone";
  allow-update { none; };
};

---------- pluma /etc/named.rfc1912.zones end -------------
