LDAP host-based limiting with pam_filter not working

Recently, I was trying to migrate all of our LDAP data into a MySQL DB. The password type is md5crypt (not very clear why this is used by default). When using the pam_filter module for host limiting, however, it failed. So I googled and found this solution. This is very helpful for me. Thanks to the author for this. 🙂

Reference link: http://computingfunnyfacts.blogspot.com/2008/01/pamfilter-not-working.html

Here is the blog content (it covers /etc/pam.d/system-auth and the config of /etc/ldap.conf). It's working!
:::::::::::::::::::::::::::::::::::::::
pam_filter not working
So here is the problem: you want to limit your cluster to a special user group. You have everything LDAP managed and use pam_ldap for authentication. But when you edit /etc/ldap.conf and set a pam_filter, nothing happens. First of all, the syntax of pam_filter:
(|(gidNumber=1028)(gidNumber=1160))
will not work. Literally only
pam_filter gidNumber=1028
will work. This is the way they stupidly implemented it:
else if (!strcasecmp (k, "pam_filter"))
  {
    CHECKPOINTER (result->filter = strdup (v));
  }

where v is everything after the ' '

while (*v != '\0' && *v != ' ' && *v != '\t')
  v++;

*(v++) = '\0';

For those that know C
So you can give it one value max. Now you have to modify the /etc/pam.d/system-auth file. The default configuration is:
[root@lxb5477 ~]# cat /etc/pam.d/system-auth.back | grep ldap
auth sufficient /lib/security/$ISA/pam_ldap.so use_first_pass
account [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_ldap.so
password sufficient /lib/security/$ISA/pam_ldap.so use_authtok
session optional /lib/security/$ISA/pam_ldap.so

But of course an optional is not really enough. You, of course, want that if the user doesn't fulfill your filter he should be chucked into nirvana. So change to:
[root@lxb5477 ~]# cat /etc/pam.d/system-auth | grep ldap
auth required /lib/security/$ISA/pam_ldap.so
account required /lib/security/$ISA/pam_ldap.so
password required /lib/security/$ISA/pam_ldap.so use_authtok
session required /lib/security/$ISA/pam_ldap.so

This way, if ldap fails, the login fails.

But be aware that in /etc/nsswitch.conf, files comes before ldap:
passwd: files ldap
shadow: files ldap
group: files ldap
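
As an added example (my code, not from the post above or from pam_ldap), here is a Python model of what the quoted C fragment implies, plus a small RFC 4515 syntax checker. It assumes that pam_ldap, after keeping the first space-delimited token, wraps it as (&(pam_filter)(uid=user)) when it looks the user up; the checker then shows which forms of the value still yield a valid search filter.

```python
"""Model of how pam_ldap consumes the pam_filter value.

Added example, not code from the post or from pam_ldap. Assumptions (mine):
1. the config parser keeps only the first space/tab-delimited token after the
   keyword, as the quoted C fragment does;
2. pam_ldap wraps that token as (&(<pam_filter>)(uid=<user>)) when it looks
   the user up, so the value must be a bare filtercomp, not a full filter.
"""


def parse_pam_filter(config_line: str) -> str:
    """Mirror the quoted C: v starts after the keyword and is cut at the
    first space or tab, so only one token survives."""
    stripped = config_line.strip()
    keyword = stripped.split(None, 1)[0] if stripped else ""
    if keyword != "pam_filter":
        raise ValueError("not a pam_filter line")
    v = stripped[len(keyword):].lstrip(" \t")
    end = 0
    while end < len(v) and v[end] not in " \t":
        end += 1
    return v[:end]


def compose_search_filter(pam_filter: str, user: str, user_attr: str = "uid") -> str:
    """Filter pam_ldap sends to the directory (assumption 2 above)."""
    if pam_filter:
        return f"(&({pam_filter})({user_attr}={user}))"
    return f"({user_attr}={user})"


def _parse(s: str, i: int):
    """Parse one RFC 4515 filter '(' filtercomp ')' at s[i]; return (next_i, ok)."""
    if i >= len(s) or s[i] != "(":
        return i, False
    i += 1
    if i >= len(s):
        return i, False
    if s[i] in "&|":                      # and / or: one or more sub-filters
        i += 1
        count = 0
        while i < len(s) and s[i] == "(":
            i, ok = _parse(s, i)
            if not ok:
                return i, False
            count += 1
        if count == 0:
            return i, False
    elif s[i] == "!":                     # not: exactly one sub-filter
        i, ok = _parse(s, i + 1)
        if not ok:
            return i, False
    else:                                 # item: attr=value, no parentheses inside
        j = i
        while j < len(s) and s[j] not in "()":
            j += 1
        attr, eq, _value = s[i:j].partition("=")
        if not eq or not attr.rstrip("~<>:"):
            return j, False
        i = j
    if i >= len(s) or s[i] != ")":
        return i, False
    return i + 1, True


def is_valid_filter(text: str) -> bool:
    """True if the whole string is one syntactically valid RFC 4515 filter."""
    end, ok = _parse(text, 0)
    return ok and end == len(text)


def filter_survives(config_line: str, user: str = "alice") -> bool:
    """Does this /etc/ldap.conf line still yield a valid filter after wrapping?"""
    return is_valid_filter(compose_search_filter(parse_pam_filter(config_line), user))


if __name__ == "__main__":
    for line in ("pam_filter gidNumber=1028",
                 "pam_filter (|(gidNumber=1028)(gidNumber=1160))",   # the form that fails
                 "pam_filter |(gidNumber=1028)(gidNumber=1160)",     # OR without outer parens
                 "pam_filter |(host=10.130.142.103) (host=\\*)"):    # appendix 2: cut at the space
        value = parse_pam_filter(line)
        print(f"{value!r:40} -> {compose_search_filter(value, 'alice')} valid={filter_survives(line)}")
```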

Setting up LDAP authentication with sudoer access

Building Environment:
==================================
OS: CentOS 5.4 (64 bit)
==================================
Packages:
openldap-servers-2.3.43-12.el5_7.10
openldap-devel-2.3.43-12.el5_7.10
openldap-2.3.43-12.el5_7.10
openldap-clients-2.3.43-12.el5_7.10
===================================
sudo-1.6.9p17-5.el5
===================================
Optional: WEB UI
phpldap
===================================

#### Server settings ######
1. Install openldap-server

yum install openldap-servers openldap-devel openldap openldap-clients

2. Configure slapd.conf
# set schemas
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/sudoer.schema
include /etc/openldap/schema/corba.schema
include /etc/openldap/schema/dyngroup.schema
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/openldap.schema
include /etc/openldap/schema/ppolicy.schema

# DB type & dc setting
database bdb
suffix "dc=happyelements,dc=net"
rootdn "cn=manager,dc=happyelements,dc=net"
rootpw secret # this can be generated by "slappasswd"
#
directory /usr/local/openldap/var/openldap-data

3. /etc/openldap/ldap.conf for searching with ldapsearch

URI ldap://127.0.0.1/
BASE dc=happyelements,dc=net
TLS_CACERTDIR /etc/openldap/cacerts

4. Copy the sudo schema to /etc/openldap/schema
cp /usr/share/doc/sudo-1.6.9p17/schema.OpenLDAP /etc/openldap/schema/sudoer.schema

5. Set database dir:
mkdir -p /usr/local/openldap/var/openldap-data
chown ldap:ldap /usr/local/openldap/var/openldap-data
cp /etc/openldap/DB_CONFIG.example /usr/local/openldap/var/openldap-data/DB_CONFIG

6. Test the server
/etc/init.d/ldap start

7. Create the entries for the LDAP server:

#Paste following lines as file: happyelements.ldif
dn: dc=happyelements,dc=net
objectClass: dcObject
objectClass: organization
dc: happyelements
o: happyelements.net
description: happyelements.net

dn: cn=manager,dc=happyelements,dc=net
objectClass: organizationalRole
cn: manager

dn: ou=Group,dc=happyelements,dc=net
objectClass: organizationalUnit
ou: Group

dn: ou=People,dc=happyelements,dc=net
objectClass: organizationalUnit
ou: People

#Paste following lines into file sudoeraccess.ldif

dn: ou=SUDOers,dc=happyelements,dc=net
objectClass: top
objectClass: organizationalUnit
ou: SUDOers

dn: cn=defaults,ou=SUDOers,dc=happyelements,dc=net
cn: defaults
sudoOption: ignore_dot
sudoOption: !mail_no_user
sudoOption: !root_sudo
sudoOption: log_host
sudoOption: logfile=/var/log/sudolog
sudoOption: !syslog
sudoOption: timestamp_timeout=10
objectClass: top
objectClass: sudoRole
description: Default sudoOptions

dn: cn=Rule1,ou=SUDOers,dc=happyelements,dc=net
cn: Rule1
sudoOption: !authenticate
objectClass: top
objectClass: sudoRole
sudoHost: ALL
sudoCommand: ALL
sudoUser: ALL
description: Allowed without password for ALL users

Add entries into LDAP Server:
ldapadd -x -D "cn=manager,dc=happyelements,dc=net" -W -f happyelements.ldif
ldapadd -x -D "cn=manager,dc=happyelements,dc=net" -W -f sudoeraccess.ldif

ADD User entries:
# paste following lines into user_passswd.ldif
dn: uid=root,ou=People,dc=happyelements,dc=net
uid: root
cn: root
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {crypt}$1$DpCxWpSc$E1Tsbg/CFnP1MZhvXqCdg1
shadowLastChange: 15117
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 0
gidNumber: 0
homeDirectory: /root
gecos: root

dn: uid=rma1,ou=People,dc=happyelements,dc=net
uid: rma1
cn: rma1
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {crypt}$1$70S56nN0$rW/Sjk0rCrem4s3.emGun.
shadowLastChange: 15399
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 10402
gidNumber: 10402
homeDirectory: /home/rma1

dn: uid=rma2,ou=People,dc=happyelements,dc=net
uid: rma2
cn: rma2
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {crypt}$1$yfRr5GkD$lgF8Xu8cN92OMyR7tRlsK0
shadowLastChange: 15399
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 10403
gidNumber: 10403
homeDirectory: /home/rma2

# Add entries into LDAP server

ldapadd -x -D "cn=manager,dc=happyelements,dc=net" -W -f user_passswd.ldif

# Add group entries

#paste following lines into ldif files with name: user_groups.ldif

#dn: cn=root,ou=Group,dc=happyelements,dc=net
#objectClass: posixGroup
#objectClass: top
#cn: root
#userPassword: {crypt}x
#gidNumber: 0

dn: cn=rma1,ou=Group,dc=happyelements,dc=net
objectClass: posixGroup
objectClass: top
cn: rma1
userPassword: {crypt}x
gidNumber: 10402

dn: cn=rma2,ou=Group,dc=happyelements,dc=net
objectClass: posixGroup
objectClass: top
cn: rma2
userPassword: {crypt}x
gidNumber: 10403

ldapadd -x -D "cn=manager,dc=happyelements,dc=net" -W -f user_groups.ldif

### Client Settings ###
8. LDAP client settings

8.1 edit /etc/ldap.conf like this:

sudoers_base ou=SUDOers,dc=happyelements,dc=net
base dc=happyelements,dc=net
timelimit 120
bind_timelimit 120
idle_timelimit 3600
nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman,nscd,gdm

nss_base_passwd ou=People,dc=happyelements,dc=net?one
nss_base_shadow ou=People,dc=happyelements,dc=net?one
nss_base_group ou=Group,dc=happyelements,dc=net?one

uri ldap://127.0.0.1
ssl no
tls_cacertdir /etc/openldap/cacerts
pam_password md5

8.2 edit /etc/nsswitch.conf

sudoers: ldap files

That’s all we need do. Enjoy.
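
The following is an added example, not part of the original post: a minimal LDIF reader for the files above and an audit of the sudoRole entries it finds, flagging entries without a dn (which ldapadd rejects) and rules as broad as Rule1. The embedded LDIF is a constructed copy of sudoeraccess.ldif.

```python
"""Parse the sudoers LDIF from this post and audit its sudoRole entries.

Added example, not part of the original post. The reader covers only what
these files use: 'attr: value' or 'attr:value' lines, '#' comments and
blank-line entry separators (no base64 '::' values, no continuation lines).
"""
from typing import Dict, List, Tuple

Entry = Dict[str, List[str]]

# Constructed copy of sudoeraccess.ldif as shown above (including its dn line).
SUDOERS_LDIF = """\
dn: ou=SUDOers,dc=happyelements,dc=net
objectClass: top
objectClass: organizationalUnit
ou: SUDOers

dn:cn=defaults,ou=SUDOers,dc=happyelements,dc=net
cn:defaults
sudoOption:ignore_dot
sudoOption:!root_sudo
sudoOption:logfile=/var/log/sudolog
sudoOption:!syslog
sudoOption:timestamp_timeout=10
objectClass:top
objectClass:sudoRole

dn:cn=Rule1,ou=SUDOers,dc=happyelements,dc=net
cn:Rule1
sudoOption:!authenticate
objectClass:top
objectClass:sudoRole
sudoHost:ALL
sudoCommand:ALL
sudoUser:ALL
"""


def parse_ldif(text: str) -> List[Entry]:
    """Split LDIF text into entries, each a dict of attribute -> list of values."""
    entries: List[Entry] = []
    current: Entry = {}
    for raw in text.splitlines() + [""]:      # trailing "" flushes the last entry
        line = raw.rstrip()
        if line.startswith("#"):
            continue
        if not line:
            if current:
                entries.append(current)
                current = {}
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed LDIF line: {raw!r}")
        current.setdefault(attr.strip(), []).append(value.strip())
    return entries


def audit_sudo_roles(entries: List[Entry]) -> List[Tuple[str, str]]:
    """Return (dn, finding) pairs for entries that will not load or that grant
    more than a host-restricted sudo rule should."""
    findings: List[Tuple[str, str]] = []
    for e in entries:
        if "dn" not in e:
            findings.append(("<no dn>", "entry has no dn line; ldapadd rejects it"))
            continue
        dn = e["dn"][0]
        if "sudoRole" not in e.get("objectClass", []):
            continue
        opts = e.get("sudoOption", [])
        if e.get("cn", [""])[0] == "defaults" and "!syslog" in opts:
            findings.append((dn, "!syslog: sudo events go only to the local logfile, not to syslog"))
        if "ALL" in e.get("sudoUser", []) and "ALL" in e.get("sudoCommand", []):
            findings.append((dn, "sudoUser ALL with sudoCommand ALL: every account gets every command"))
        if "ALL" in e.get("sudoHost", []):
            findings.append((dn, "sudoHost ALL: the rule applies on every client of this directory"))
        if "!authenticate" in opts:
            findings.append((dn, "!authenticate: no password is asked before running commands"))
    return findings


if __name__ == "__main__":
    for dn, message in audit_sudo_roles(parse_ldif(SUDOERS_LDIF)):
        print(f"{dn}: {message}")
```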

APPENDIX 1:
Reference links
Official sudoers manual: http://www.sudo.ws/sudo/man/1.8.4/sudoers.ldap.man.html
Setting Up A Centralised Authentication Server With Sudo Access Using LDAP:
http://fci.wikia.com/wiki/Setting_Up_A_Centralised_Authentication_Server_With_Sudo_Access_Using_LDAP
posix migration tools: http://www.padl.com/download/MigrationTools.tgz

APPENDIX 2:
3 methods to enforce host-based authentication:
using pam_check_host_attr in /etc/ldap.conf
#pam_check_host_attr yes
using pam_filter authentication in /etc/ldap.conf
#pam_filter |(host=10.130.142.103) (host=\*)
using nss_base_ authentication in /etc/ldap.conf


tmpwatch

A program writes some files into the tmp directory, and files that have not been accessed for a period of time are cleaned up automatically; this is done with crontab + tmpwatch. Googled it:

Reference link: http://www.360doc.com/content/11/0517/11/3947093_117376392.shtml

tmpwatch – removes files which haven’t been accessed for a period of time

-x, --exclude=path
Skip path; if path is a directory, all files contained in it are skipped too. If path does not exist, it must be an absolute path that contains no symbolic links.

The -x option excludes directories that should not be checked.

So modify /etc/cron.daily/:
/usr/sbin/tmpwatch -x /tmp/.X11-unix -x /tmp/.XIM-unix -x /tmp/.font-unix \
-x /tmp/.ICE-unix -x /tmp/.Test-unix -x /tmp/myholdingdir 240 /tmp

Installing Git on CentOS 5.5

Reference link: http://blog.sonitech.org/2010/12/04/%E5%9C%A8-centos-5-5-%E4%B8%8A%E5%AE%89%E8%A3%85-git/

Installing Git on Ubuntu is very simple; you only need:

sudo apt-get install git-core
But Git is not in the default CentOS yum repositories, so you can only download and install the package yourself; make sure the dependency packages are installed:

sudo yum install curl curl-devel zlib-devel openssl-devel perl cpio expat-devel gettext-devel
Install the latest Git

$ wget http://www.codemonkey.org.uk/projects/git-snapshots/git/git-latest.tar.gz
$ tar xzvf git-latest.tar.gz
$ cd git-{date}
$ autoconf
$ ./configure
$ make
$ sudo make install
Check the version

$ git --version
git version 1.7.3.GIT

chattr: change a file's or directory's attributes

Command:

chattr

Usage: chattr +=-
+ : add the given attributes to the existing settings.
- : remove the given attributes from the existing settings.
= : replace the settings with exactly the given attributes.
A: the atime (access time) of the file or directory is not modified; this can effectively prevent, for example, disk I/O errors on laptops.
S: synchronous disk I/O, similar in function to sync.
a: append; once set, data can only be appended to the file and cannot be deleted. Mostly used for server log file security; only root can set this attribute.
c: compress; sets whether the file is compressed before being stored. Reading it requires automatic decompression.
d: no dump; the file cannot be a backup target of the dump program.
i: the file cannot be deleted, renamed or linked, and nothing can be written or appended to it. The i attribute is a great help for file system security settings.
j: journal; with this attribute, on a file system mounted with data=ordered or data=writeback, file data is first recorded (in the journal) when written. If the file system is mounted with data=journal, this attribute has no effect.
s: secure deletion of the file or directory, i.e. its disk space is completely reclaimed.
u: the opposite of s; with u set, the data actually remains on disk and can be used for undeletion.

The most commonly used options are a and i. The a option forces append-only with no deletion, mostly used for securing log systems. i is an even stricter security setting; only the superuser (root) or a process with the CAP_LINUX_IMMUTABLE capability can set it.
Examples:
1. Use chattr to prevent a key system file from being modified
# chattr +i /etc/fstab
Then try rm, mv, rename and similar commands on this file; they all fail with Operation not permitted.
2. Make a file append-only so that it cannot be deleted; this suits some log files
# chattr +a /data1/user_act.log
Note [2]: why set automatic logout after 5 minutes
The customer's maintenance staff often logged in and then exited telnet improperly by closing the terminal directly, so the system's pts processes kept growing; after a month there were nearly a hundred, and when there are too many processes the system raises alarms. The proper practice is to use exit or Ctrl+D, but other people do not work that way, so we added echo "TMOUT=300" >> /etc/profile, which makes the server automatically drop clients with no activity for 300 seconds. Of course, everyone can decide whether to add this according to their actual needs.

self-testing:

touch 123
chattr +i 123
rm 123
rm: remove write-protected regular empty file `123'? y
rm: cannot remove `123': Operation not permitted
chattr -i 123
rm 123 && echo OK
OK

Working on yum for RPM-based distributions(Notes)

Setting Up a yum Repository

7.1. Getting the Packages

Note

If you can’t work with DVD-sized files, you can still create a local repository. For example, if you’ve downloaded the four Fedora Core 4 binary CDs, all you need to do is mount the CDs one at a time, and copy their contents (including the .discinfo file from the first CD) to the directory of your choice. For example, you could run the following commands:

mount -o loop FC4-i386-disc1.iso /media/cdrecorder
cp -ar /media/cdrecorder/* /var/ftp/pub/yum/4/i386/os/

If it's the first CD, don't forget to copy the .discinfo file to the noted directory. Change CDs:

mount -o loop FC4-i386-disc2.iso /media/cdrecorder
cp -ar /media/cdrecorder/* /var/ftp/pub/yum/4/i386/os/

2. Installing yum

rpm -Uvh /media/cdrecorder/Fedora/RPMS/yum*
rpm -Uvh /media/cdrecorder/Fedora/RPMS/createrepo*

2-1 Header creation.
yum-arch

createrepo
The createrepo command now creates metadata from the headers in XML format

How To Build Linux Driver Into Booting img for PXE booting

Written by: Libo.Ma
Created on July 28,2011

1. mkdir /tmp/testkernel/ # create testkernel package dir
2. gzip -cd /pxeist/tftpboot_centos54/initrd.img |cpio -ivd
3. cd modules; gzip -dc modules.cgz | cpio -ivd
4. cp /var/www/html/drivers/tg3.ko ./2.6.18-164.el5/x86_64 # Copy driver to kernel dir
5. modinfo -F alias 2.6.18-164.el5/x86_64/tg3.ko | sed -e 's/^/alias /' -e 's/$/ tg3/' >>modules.alias
6. find 2.6.18-164.el5 | cpio -o -H crc | gzip -9 > modules.cgz; rm -rf 2.6.18-164.el5
7. cd ..;find . | cpio -o -H newc | gzip -9 > /tmp/initrd.img
8. cd /pxeist/tftpboot_centos54/;
mv initrd.img bak_initrd.img
9. cp /tmp/initrd.img /pxeist/tftpboot_centos54/
10. OK

reference scripts:
#!/bin/sh

# This script is used for making kernel images for PXE BOOTING of linux
# installation.
# Created by Libo.ma @ July 26,2011
#
#

if [ -z "$1" ] || [ ! -f "$1" ]
then
    echo "Usage: `basename $0` driver.ko"
    exit 1
fi

FILE=$1

TKERNEL=/pxeist/tftpboot_centos54/testkernel
MODULES=/pxeist/tftpboot_centos54/testkernel/modules
FILE_NAME=$(basename "$FILE")
FILE_ALIAS=${FILE_NAME%.*}
if [ -f "$FILE" ]
then
    cp -rf "$FILE" /var/www/html/drivers/2.6.18-164.el5/x86_64/
    # Drop any stale alias lines for this driver, then append fresh ones
    sed -i "/$FILE_ALIAS\$/d" "$MODULES/modules.alias"
    modinfo -F alias 2.6.18-164.el5/x86_64/"$FILE_NAME" | sed -e "s/^/alias /" -e "s/$/ $FILE_ALIAS/" >> "$MODULES/modules.alias"
    echo "Packaging driver into modules.cgz..."
    find 2.6.18-164.el5 | cpio -o -H crc | gzip -9 > "$MODULES/modules.cgz"
    cd "$TKERNEL" || exit 1
    echo "Making kernel initrd.img..."
    if find . | cpio -o -H newc | gzip -9 > /tmp/initrd.img
    then
        echo "/tmp/initrd.img made successfully."
    else
        echo "Failure."
    fi
fi

Reference links:
http://lingho.com/mediawiki/index.php/Adding_driver_to_RHEL_PXE_initrd_file#Step_3_-_Add_or_replace_the_driver

Kickstart options notes

Refer to: Fedora Kickstart Configuration
Here is my Kickstart config file for general Centos Installation.

# Kickstart file automatically generated by anaconda.

install
url --url http://10.130.142.155/mirrors/centos5.4
lang en_US.UTF-8
keyboard us
network --device eth0 --bootproto static --ip 10.130.142.13 --netmask 255.255.255.0 --gateway 10.130.142.1 --nameserver 10.130.130.10,202.106.0.20 --hostname VIA-02
rootpw --iscrypted $1$Jd5lGnyJ$jcziaYiiCTqf4uWi8h4lc.
firewall --enabled --port=22:tcp
authconfig --enableshadow --enablemd5
selinux --disabled
timezone --utc Asia/Chongqing
bootloader --location=mbr --driveorder=sda
# The following is the partition information you requested
# Note that any partitions you deleted are not expressed
# here so unless you clear all partitions first, this is
# not guaranteed to work
#clearpart --linux --drives=sda
part /boot --fstype ext3 --size=100 --ondisk=sda
part pv.7 --size=0 --grow --ondisk=sda
volgroup VolGroup00 --pesize=32768 pv.7
logvol / --fstype ext3 --name=LogVol00 --vgname=VolGroup00 --size=40000
logvol /images --fstype ext3 --name=images.disk --vgname=VolGroup00 --size=60000
logvol swap --fstype swap --name=LogVol01 --vgname=VolGroup00 --size=1000 --grow --maxsize=5856

%packages
@admin-tools
@base
@core
@dns-server
@development-libs
@development-tools
@editors
@ftp-server
@network-server
@server-cfg
@text-internet
@xen
@web-server
keyutils
kexec-tools
iscsi-initiator-utils
trousers
bridge-utils
fipscheck
device-mapper-multipath
perl-XML-SAX
perl-XML-Twig
perl-XML-Dumper
perl-TimeDate
perl-libxml-perl
perl-Convert-ASN1
libstdc++44-devel
perl-XML-NamespaceSupport
perl-DateManip
perl-Crypt-SSLeay
perl-Mozilla-LDAP
perl-LDAP
perl-XML-Grove
python-imaging
perl-Archive-Zip
gcc44-c++
gcc44-gfortran
imake
gcc-objc
gcc-gnat
libgfortran44
gcc44
tftp
Virtualization-en-US
-gnome-applet-vm
%end

%pre
%end
%post
%end
reboot
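
As an added example (my code, not from the referenced documentation), a linter for the commands section of the kickstart above: it flags a clear-text rootpw, selinux --disabled, firewall --disabled, a static network line missing one of the four required values, and url --noverifyssl. The embedded sample is a constructed copy with the root hash replaced by a placeholder.

```python
"""Lint the commands section of a kickstart file for settings a security
reviewer would question. Added example, not part of the original post.

Only the 'command --opt value' / '--opt=value' syntax used in the kickstart
above is handled; %packages, %pre and %post sections are not inspected.
"""
import shlex
from typing import Dict, List, Tuple

Command = Tuple[str, Dict[str, str], List[str]]

# Constructed input: the commands from the kickstart above, with the real
# root password hash replaced by a placeholder.
KS_SAMPLE = """\
install
url --url http://10.130.142.155/mirrors/centos5.4
lang en_US.UTF-8
keyboard us
network --device eth0 --bootproto static --ip 10.130.142.13 --netmask 255.255.255.0 --gateway 10.130.142.1 --nameserver 10.130.130.10,202.106.0.20 --hostname VIA-02
rootpw --iscrypted $1$PLACEHOLDER$hashgoeshere
firewall --enabled --port=22:tcp
authconfig --enableshadow --enablemd5
selinux --disabled
bootloader --location=mbr --driveorder=sda
part /boot --fstype ext3 --size=100 --ondisk=sda
%packages
@core
%end
"""


def parse_commands(ks: str) -> List[Command]:
    """Return (name, options, positionals) for each command line before the
    first %section. '--flag' alone gets value ''; '--opt val' and '--opt=val'
    both become options['opt'] = 'val'."""
    commands: List[Command] = []
    for raw in ks.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("%"):
            break
        tokens = shlex.split(line)
        name, args = tokens[0], tokens[1:]
        opts: Dict[str, str] = {}
        positional: List[str] = []
        i = 0
        while i < len(args):
            tok = args[i]
            if tok.startswith("--"):
                key, has_eq, val = tok[2:].partition("=")
                if not has_eq and i + 1 < len(args) and not args[i + 1].startswith("--"):
                    val = args[i + 1]
                    i += 1
                opts[key] = val
            else:
                positional.append(tok)
            i += 1
        commands.append((name, opts, positional))
    return commands


def lint_kickstart(ks: str) -> List[str]:
    """One finding string per issue, in file order."""
    findings: List[str] = []
    for name, opts, positional in parse_commands(ks):
        if name == "rootpw" and "iscrypted" not in opts:
            findings.append("rootpw: password is stored in clear text; use --iscrypted with a hash")
        if name == "selinux" and "disabled" in opts:
            findings.append("selinux --disabled: the installed system runs without SELinux")
        if name == "firewall" and "disabled" in opts:
            findings.append("firewall --disabled: no host firewall after install")
        if name == "network" and opts.get("bootproto") == "static":
            missing = [o for o in ("ip", "netmask", "gateway", "nameserver") if o not in opts]
            if missing:
                findings.append("network --bootproto static is missing --" + ", --".join(missing))
        if name == "url" and "noverifyssl" in opts:
            findings.append("url --noverifyssl: install tree is fetched without certificate checks")
    return findings


if __name__ == "__main__":
    for finding in lint_kickstart(KS_SAMPLE):
        print(finding)
```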

Explanation of significant options:

  • clearpart --all --drives=sda

    --all
    Erases all partitions from the system.

    --initlabel
    Initializes the disk label to the default for your architecture (for example msdos for x86 and gpt for Itanium). It is useful so that the installation program does not ask if it should initialize the disk label if installing to a brand new hard drive.

    --linux
    Erases all Linux partitions.
    --none (default)
    Do not remove any partitions.

  • firewall

    This option corresponds to the Firewall Configuration screen in the installation program:
    firewall --enabled|--disabled [options]

    --trust=
    Listing a device here, such as eth0, allows all traffic coming from that device to go through the firewall. To list more than one device, use --trust eth0 --trust eth1. Do NOT use a comma-separated format such as --trust eth0, eth1.

    Replace with none or more of the following to allow the specified services through the firewall.
    --ssh: The ssh option is enabled by default, regardless of the presence of this flag.
    --smtp
    --http
    --ftp
    --port=
    You can specify that ports be allowed through the firewall using the port:protocol format. You can also specify ports numerically. Multiple ports can be combined into one option as long as they are separated by commas. For example:
    firewall --port=imap:tcp,1234:udp,47
    --service=
    This option provides a higher-level way to allow services through the firewall. Some services (like cups, avahi, etc.) require multiple ports to be open in order for the service to work. You could specify each individual service with the --port option, or specify --service= and open them all at once. Valid options are anything recognized by the lokkit program in the system-config-firewall-base package.

  • graphical

    Perform the kickstart installation in graphical mode. This is the default.

  • install

    Tells the system to install a fresh system rather than upgrade an existing system. This is the default mode. For installation, you must specify the type of installation from one of cdrom, harddrive, nfs, or url (for ftp or http installations). The install command and the installation method command must be on separate lines.
    cdrom
    Install from the first CD-ROM/DVD drive on the system.
    harddrive
    Install from a directory of ISO images on a local drive, which must be either vfat or ext2. In addition to this directory, you must also provide the install.img in some way. You can either do this by booting off the boot.iso or by creating an images/ directory in the same directory as the ISO images and placing install.img in there.
    --biospart=
    BIOS partition to install from (such as 82p2).
    --partition=
    Partition to install from (such as sdb2).
    --dir=
    Directory containing both the ISO images and the images/install.img. For example:
    harddrive --partition=hdb2 --dir=/tmp/install-tree
    nfs
    Install from the NFS server specified. This can either be an exploded installation tree or a directory of ISO images. In the latter case, the install.img must also be provided subject to the same rules as with the harddrive installation method described above.
    --server=
    Server from which to install (hostname or IP).
    --dir=
    Directory containing the Packages/ directory of the installation tree. If doing an ISO install, this directory must also contain images/install.img.
    --opts=
    Mount options to use for mounting the NFS export. Any options that can be specified in /etc/fstab for an NFS mount are allowed. The options are listed in the nfs(5) man page. Multiple options are separated with a comma.
    For example:
    nfs --server=nfsserver.example.com --dir=/tmp/install-tree
    url
    Install from an installation tree on a remote server via FTP or HTTP.
    --url=
    The URL to install from.
    --proxy=[protocol://][username[:password]@]host[:port]
    Specify an HTTP/HTTPS/FTP proxy to use while performing the install. The various parts of the argument act like you would expect.
    --noverifyssl
    For a tree on an HTTPS server, do not check the server's certificate against the well-known CAs and do not check that the server's hostname matches the certificate's domain name.

  • logvol

    Create a logical volume for Logical Volume Management (LVM).
    logvol --vgname= --size= --name=

    --noformat
    Use an existing logical volume and do not format it.
    --useexisting
    Use an existing logical volume and reformat it.
    --fstype=
    Sets the file system type for the logical volume. Valid values include ext4, ext3, ext2, btrfs, swap, and vfat. Other filesystems may be valid depending on command line arguments passed to anaconda to enable other filesystems. Btrfs is an experimental filesystem. Do take regular backups if you are using it.
    --fsoptions=
    Specifies a free form string of options to be used when mounting the filesystem. This string will be copied into the /etc/fstab file of the installed system and should be enclosed in quotes.
    --grow
    Tells the logical volume to grow to fill available space (if any), or up to the maximum size setting. Note that --grow is not supported for logical volumes containing a RAID volume on top of them.
    --maxsize=
    The maximum size in megabytes when the logical volume is set to grow. Specify an integer value here, and do not append the number with MB.
    --recommended
    Determine the size of the logical volume automatically.
    --percent
    Specify the size of the logical volume as a percentage of available space in the volume group. Without the above --grow option, this may not work.
    --encrypted
    Specify that this logical volume should be encrypted.
    --passphrase=
    Specify the passphrase to use when encrypting this logical volume. Without the above --encrypted option, this option does nothing. If no passphrase is specified, the default system-wide one is used, or the installer will stop and prompt if there is no default.
    --escrowcert=
    Load an X.509 certificate from . Store the data encryption key of this logical volume, encrypted using the certificate, as a file in /root. Only relevant if --encrypted is specified as well.
    --backuppassphrase
    Only relevant if --escrowcert is specified as well. In addition to storing the data encryption key, generate a random passphrase and add it to this logical volume. Then store the passphrase, encrypted using the certificate specified by --escrowcert, as a file in /root. If more than one LUKS volume uses --backuppassphrase, the same passphrase will be used for all such volumes.
    Create the partition first, create the logical volume group, and then create the logical volume. For example:
    part pv.01 --size 3000
    volgroup myvg pv.01
    logvol / --vgname=myvg --size=2000 --name=rootvol

  • network

    Configures network information for the target system and activates network devices in the installer environment. The device of the first network command is activated if network is required, e.g. in case of network installation or using vnc. Activation of the device can also be explicitly required by the --activate option. If the device has already been activated to get the kickstart file (e.g. using configuration provided with boot options or entered in the loader UI) it is re-activated with the configuration from the kickstart file.
    In F15, the device of the first network command is activated also in case of non-network installs, and the device is not re-activated using the kickstart configuration.
    Additional devices configured in kickstart with the network command can be activated in the installer using the --activate option (since F16).
    --bootproto=[dhcp|bootp|static|ibft]
    The default setting is dhcp. bootp and dhcp are treated the same.
    The DHCP method uses a DHCP server system to obtain its networking configuration. As you might guess, the BOOTP method is similar, requiring a BOOTP server to supply the networking configuration.
    The static method requires that you enter all the required networking information in the kickstart file. As the name implies, this information is static and will be used during and after the installation. The line for static networking is more complex, as you must include all network configuration information on one line. You must specify the IP address, netmask, gateway, and nameserver. For example (the \ indicates that it is all one line):
    network --bootproto=static --ip=10.0.2.15 \
    --netmask=255.255.255.0 --gateway=10.0.2.254 \
    --nameserver=10.0.2.1
    If you use the static method, be aware of the following restriction:
    All static networking configuration information must be specified on one line; you cannot wrap lines using a backslash, for example.
    The ibft setting is for reading the configuration from the iBFT table. It was added in F16.
    --device=
    Specifies the device to be configured and/or activated with the network command. The device can be specified in the same ways as the ksdevice boot option. For example:
    network --bootproto=dhcp --device=eth0
    For the first network command, if the option is not specified it defaults to 1) the ksdevice boot option, 2) the device activated to fetch the kickstart, or 3) the selection dialog in the UI. For following network commands, the --device option is required.
    --ip=
    IP address for the interface.
    --ipv6=
    IPv6 address for the interface. This can be the static address, "auto" for address assignment based on automatic neighbor discovery, or "dhcp" to use the DHCPv6 protocol.
    --gateway=
    Default gateway, as an IPv4 or IPv6 address.
    --nodefroute
    Prevents grabbing of the default route by the device. It can be useful when activating additional devices in the installer using the --activate option. Since F16.
    --nameserver=
    Primary nameserver, as an IP address. Multiple nameservers must be comma separated.
    --nodns
    Do not configure any DNS server.
    --netmask=
    Netmask for the installed system.
    --hostname=
    Hostname for the installed system.
    --ethtool=
    Specifies additional low-level settings for the network device which will be passed to the ethtool program.
    --essid=
    The network ID for wireless networks.
    --wepkey=
    The encryption key for wireless networks.
    --onboot=
    Whether or not to enable the device at boot time.
    --dhcpclass=
    The DHCP class.
    --mtu=
    The MTU of the device.
    --noipv4
    Disable IPv4 on this device.
    --noipv6
    Disable IPv6 on this device.

  • selinux

    Sets the state of SELinux on the installed system. SELinux defaults to enforcing in anaconda.
    selinux [--disabled|--enforcing|--permissive]
    --disabled
    If this is present, SELinux is disabled.
    --enforcing
    If this is present, SELinux is set to enforcing mode.
    --permissive
    If this is present, SELinux is enabled, but only logs things that would be denied in enforcing mode.

  • skipx
    If present, X is not configured on the installed system.
  • volgroup

    Use to create a Logical Volume Management (LVM) group.
    volgroup

    Name given to the volume group. The (which denotes that multiple partitions can be listed) lists the identifiers to add to the volume group.
    --noformat
    Use an existing volume group and do not format it.
    --useexisting
    Use an existing volume group and reformat it.
    --pesize=
    Set the size of the physical extents.
    Create the partition first, create the logical volume group, and then create the logical volume. For example:
    part pv.01 --size 3000
    volgroup myvg pv.01
    logvol / --vgname=myvg --size=2000 --name=rootvol

  • %packages

    Refer to the repodata/*comps.xml file on the first CD-ROM for a list of groups.
    syntax:
    %packages
    @…
    @..
    @..
    %end

    PS: This may be handy if the kickstart file is used as a template and pulls in various other files with the %include mechanism.

  • Pre-installation Script

    This section must be at the end of the kickstart file (after the commands) and must start with the %pre command. You can access the network in the %pre section; however, name service has not been configured at this point, so only IP addresses will work.
    Preinstallation scripts are required to be closed with %end.

  • post-install

    Examples

    Run a script named runme from an NFS share:
    %post
    mkdir /mnt/temp
    mount 10.10.0.2:/usr/new-machines /mnt/temp
    open -s -w -- /mnt/temp/runme
    umount /mnt/temp
    %end
    Copy the file /etc/resolv.conf to the file system that was just installed:
    %post --nochroot
    cp /etc/resolv.conf /mnt/sysimage/etc/resolv.conf
    %end

  • Creating a Kickstart Boot CD-ROM
    See the Installation Boot CD-ROM section in the Red Hat Enterprise Linux Installation Guide for instructions on creating a boot CD-ROM; however, before making the file.iso image file, copy the ks.cfg kickstart file to the isolinux/ directory.

CentOS yum repository management tools


    ---- Search

  • 1. yum list package_name (simple search)
    yum list package_name* (wildcards are supported).
  • 2. yum search package_name (deep search)
  • 3. To search for any packages that provide php, use the following command:
    yum provides php*
    ---- Group

  • 1. yum grouplist
  • 2. yum groupinstall groupname