
Time synchronisation, two-factor authentication and automated installation: an implementation walkthrough

Author: Internet


1. Intranet time synchronisation with chrony

1.1 Test environment

                   chrony server              chrony client
Kernel / release   4.18.0-147.el8.x86_64      3.10.0-1127.el7.x86_64
Hostname           chrony-server              xsd7.linux.com
IP                 172.20.200.130             172.20.200.128

1.2 Server configuration

[root@chrony-server ~]# rpm -qf `which chronyd`
chrony-3.5-1.el8.x86_64

[root@chrony-server ~]# systemctl status chronyd
● chronyd.service - NTP client/server
   Loaded: loaded (/usr/lib/systemd/system/chronyd.service; disabled; vendor preset: enabled)
   Active: inactive (dead)
     Docs: man:chronyd(8)
           man:chrony.conf(5)
[root@chrony-server ~]# vim /etc/chrony.
# Use public servers from the pool.ntp.org project.
# Please consider joining the pool (http://www.pool.ntp.org/join.html).
#pool 2.centos.pool.ntp.org iburst
pool ntp1.aliyun.com
pool ntp2.aliyun.com

# Allow NTP client access from local network.
allow 172.20.200.0/24

# Serve time even if not synchronized to a time source.
local stratum 10

[root@chrony-server ~]# systemctl enable --now chronyd
Created symlink /etc/systemd/system/multi-user.target.wants/chronyd.service → /usr/lib/systemd/system/chronyd.service.
[root@chrony-server ~]# chronyc
chronyc> clients
Hostname                      NTP   Drop Int IntL Last     Cmd   Drop Int  Last
===============================================================================
172.20.200.128                  6      0   6   -     1       0      0   -     -

1.3 Client configuration

[root@xsd7 ~]# rpm -qf `which chronyc`
chrony-3.4-1.el7.x86_64

[root@xsd7 ~]# vim /etc/chrony.conf

# Use public servers from the pool.ntp.org project.
# Please consider joining the pool (http://www.pool.ntp.org/join.html).

server 172.20.200.130 iburst

[root@xsd7 ~]# systemctl enable --now chronyd
Created symlink from /etc/systemd/system/multi-user.target.wants/chronyd.service to /usr/lib/systemd/system/chronyd.service.

[root@xsd7 ~]# chronyc
chrony version 3.4
Copyright (C) 1997-2003, 2007, 2009-2018 Richard P. Curnow and others
chrony comes with ABSOLUTELY NO WARRANTY.  This is free software, and
you are welcome to redistribute it under certain conditions.  See the
GNU General Public License version 2 for details.

chronyc> sources
210 Number of sources = 1
MS Name/IP address         Stratum Poll Reach LastRx Last sample               
===============================================================================
^* 172.20.200.130                3   6    77     7   -103us[ -177us] +/-   32ms
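
Because the TOTP second factor in section 2 only tolerates about 30 s of skew by default, it is worth checking programmatically that chronyd is actually synchronised rather than free-running. The Python below is an added example, not code from the post or from chrony: it parses the `chronyc sources` output shown above (reproduced as `SAMPLE_SYNCED`) plus two constructed samples, decodes the octal Reach register, and applies thresholds that are assumptions chosen for this setup. The `max_stratum` default of 9 is deliberate: the server's `local stratum 10` line means an orphaned server still serves time at stratum 10, so a client following it would pass a looser check.

```python
"""Added example: parse `chronyc sources` and decide whether this host's clock
is trustworthy enough for time-based one-time passwords. Standard library only."""
import re

# SAMPLE_SYNCED is the client output shown in the post. The other two are
# constructed: a client whose server is unreachable, and one whose server has
# lost its upstream and fallen back to `local stratum 10`.
SAMPLE_SYNCED = """\
210 Number of sources = 1
MS Name/IP address         Stratum Poll Reach LastRx Last sample
===============================================================================
^* 172.20.200.130                3   6    77     7   -103us[ -177us] +/-   32ms
"""
SAMPLE_UNREACHABLE = """\
210 Number of sources = 1
MS Name/IP address         Stratum Poll Reach LastRx Last sample
===============================================================================
^? 172.20.200.130                0   6     0     -     +0ns[   +0ns] +/-    0ns
"""
SAMPLE_ORPHANED = """\
210 Number of sources = 1
MS Name/IP address         Stratum Poll Reach LastRx Last sample
===============================================================================
^* 172.20.200.130               10   6   377    12    +15us[  +20us] +/-    1ms
"""

NUM = r"[-+]?\d+(?:\.\d+)?"
UNIT = r"(?:ns|us|ms|s)"
SOURCE_RE = re.compile(
    r"^(?P<mode>[\^=#])(?P<state>[*+\-?x~])\s+(?P<name>\S+)\s+(?P<stratum>\d+)\s+"
    r"(?P<poll>-?\d+)\s+(?P<reach>[0-7]+)\s+(?P<lastrx>\S+)\s+"
    rf"(?P<offset>{NUM})(?P<ounit>{UNIT})\[\s*{NUM}{UNIT}\s*\]\s*\+/-\s*"
    rf"(?P<err>{NUM})(?P<eunit>{UNIT})$"
)
UNIT_MS = {"ns": 1e-6, "us": 1e-3, "ms": 1.0, "s": 1000.0}


def parse_sources(text: str) -> list:
    """One dict per source line; the header lines do not match and are skipped."""
    sources = []
    for line in text.splitlines():
        m = SOURCE_RE.match(line.strip())
        if not m:
            continue
        reach = int(m["reach"], 8)  # octal shift register, one bit per recent poll
        sources.append({
            "name": m["name"],
            "selected": m["state"] == "*",      # '*' marks the source chronyd follows
            "stratum": int(m["stratum"]),
            "reach_ok": bin(reach).count("1"),  # polls answered out of the last 8
            "offset_ms": float(m["offset"]) * UNIT_MS[m["ounit"]],
            "error_ms": float(m["err"]) * UNIT_MS[m["eunit"]],
        })
    return sources


def clock_trustworthy(text: str, max_offset_ms: float = 5000.0,
                      max_stratum: int = 9, min_reach: int = 4) -> bool:
    """True when a selected source exists whose worst-case offset (offset plus
    error bound) is well inside the +/-30 s that a default TOTP window allows.
    max_stratum=9 rejects a server that fell back to `local stratum 10`."""
    for s in parse_sources(text):
        worst = abs(s["offset_ms"]) + s["error_ms"]
        if (s["selected"] and s["stratum"] <= max_stratum
                and s["reach_ok"] >= min_reach and worst <= max_offset_ms):
            return True
    return False


if __name__ == "__main__":
    for label, sample in (("synced", SAMPLE_SYNCED), ("unreachable", SAMPLE_UNREACHABLE),
                          ("orphaned", SAMPLE_ORPHANED)):
        print(label, clock_trustworthy(sample))
```

On a live host, feed the output of `chronyc -n sources` to `clock_trustworthy` from a cron job or a monitoring check; a False result is a reason to expect TOTP logins to start failing.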

2. SSH two-factor authentication with PAM and the google-authenticator module

2.1 Install and configure google-authenticator on the server

# google-authenticator is packaged in EPEL, so install epel-release first
[root@chrony-server ~]# yum install epel-release
Total                                                                                                 36 kB/s |  23 kB     00:00     
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                                                                             1/1 
  Installing       : epel-release-8-8.el8.noarch                                                                                 1/1 
  Running scriptlet: epel-release-8-8.el8.noarch                                                                                 1/1 
  Verifying        : epel-release-8-8.el8.noarch                                                                                 1/1 

Installed:
  epel-release-8-8.el8.noarch                                                                                                        

Complete!

# Install google-authenticator
[root@chrony-server ~]# yum install google-authenticator 
Install  1 Package

Total download size: 57 k
Installed size: 135 k
Is this ok [y/N]: y
Downloading Packages:
google-authenticator-1.07-1.el8.x86_64.rpm                                                           351 kB/s |  57 kB     00:00    
-------------------------------------------------------------------------------------------------------------------------------------
Total                                                                                                 46 kB/s |  57 kB     00:01     
warning: /var/cache/dnf/epel-6519ee669354a484/packages/google-authenticator-1.07-1.el8.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID 2f86d6a1: NOKEY
Extra Packages for Enterprise Linux 8 - x86_64                                                       1.2 MB/s | 1.6 kB     00:00    
Importing GPG key 0x2F86D6A1:
 Userid     : "Fedora EPEL (8) <epel@fedoraproject.org>"
 Fingerprint: 94E2 79EB 8D8F 25B2 1810 ADF1 21EA 45AB 2F86 D6A1
 From       : /etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-8
Is this ok [y/N]: y
Key imported successfully
Running transaction check
Installed:
  google-authenticator-1.07-1.el8.x86_64                                                                                             

Complete!

First install an authenticator app on the phone (the author used Google Authenticator_v5.10_apkpure.com.apk; a sideloaded APK from a third-party mirror is a supply-chain risk, so prefer the official app store). Then run google-authenticator on the server to enrol the root account. Two of the interactive answers below deserve a second look: the 17-code window (about ±4 minutes of skew) was accepted, but since both hosts are chrony-synchronised (section 1) the default 3-code window is enough and exposes far fewer valid codes per guess; and the emergency scratch codes printed are single-use logins that bypass the phone, so store them offline.

[root@chrony-server ~]# google-authenticator
Do you want authentication tokens to be time-based (y/n) y
Warning: pasting the following URL into your browser exposes the OTP secret to Google:
  https://www.google.com/chart?chs=200x200&chld=M|0&cht=qr&chl=otpauth://totp/root@chrony-server%3Fsecret%3DPDM4F6QOZWHADXI4WFQWYUG6VE%26issuer%3Dchrony-server  # the author opened this URL; take the warning seriously, the secret leaves the host. Installing the qrencode library (qrencode-libs on EL8) beforehand lets the tool draw the QR code in the terminal instead.
Failed to use libqrencode to show QR code visually for scanning.
Consider typing the OTP secret into your app manually.
Your new secret key is: PDM4F6QOZWHADXI4WFQWYUG6VE
Enter code from app (-1 to skip): 374408 # scan the QR code with the phone's authenticator app to bind the device,
                                         # then type the six-digit code the app shows
Code confirmed
Your emergency scratch codes are:  # single-use emergency login codes
  17168477
  73659424
  10626207
  46998705
  93436421

Do you want me to update your "/root/.google_authenticator" file? (y/n) y

Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n) y

By default, a new token is generated every 30 seconds by the mobile app.
In order to compensate for possible time-skew between the client and the server,
we allow an extra token before and after the current time. This allows for a
time skew of up to 30 seconds between authentication server and client. If you
experience problems with poor time synchronization, you can increase the window
from its default size of 3 permitted codes (one previous code, the current
code, the next code) to 17 permitted codes (the 8 previous codes, the current
code, and the 8 next codes). This will permit for a time skew of up to 4 minutes
between client and server.
Do you want to do so? (y/n) y

If the computer that you are logging into isn't hardened against brute-force
login attempts, you can enable rate-limiting for the authentication module.
By default, this limits attackers to no more than 3 login attempts every 30s.
Do you want to enable rate-limiting? (y/n) y
[root@chrony-server ~]# 

2.2 Update the sshd configuration

[root@chrony-server ~]# vim /etc/pam.d/sshd
#%PAM-1.0
auth       required     pam_google_authenticator.so   # add this line

[root@chrony-server ~]# vim /etc/ssh/sshd_config
ChallengeResponseAuthentication yes    # change to yes

[root@chrony-server ~]# systemctl restart sshd

Two caveats a practitioner would want here. First, ChallengeResponseAuthentication yes only routes keyboard-interactive logins through PAM: a client that authenticates with a public key never reaches the PAM auth stack and so bypasses the second factor, unless sshd is told to require both (for example AuthenticationMethods publickey,keyboard-interactive). Second, without the module's nullok option, any account that has not run google-authenticator (no ~/.google_authenticator file) can no longer log in over SSH at all.

SSH login test

[root@xsd7 ~]# ssh 172.20.200.130
Password:   # root password
Verification code:   # the current code shown by Google Authenticator on the phone
PRD System!!
Activate the web console with: systemctl enable --now cockpit.socket

Last failed login: Tue Mar 16 19:26:59 CST 2021 from 172.20.200.128 on ssh:notty
There were 7 failed login attempts since the last successful login.
Last login: Tue Mar 16 19:16:02 2021 from 172.20.200.138
[root@chrony-server ~]# 
[root@chrony-server ~]# ifconfig
ens160: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 172.20.200.130  netmask 255.255.255.0  broadcast 172.20.200.255
        inet6 fe80::9259:3fdd:3221:fd8f  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:c5:6f:ce  txqueuelen 1000  (Ethernet)
        RX packets 1902  bytes 186128 (181.7 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 1373  bytes 271461 (265.0 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

2.3 Troubleshooting

Symptom: the Password: and Verification code: prompts keep repeating and the login never succeeds. /var/log/secure shows:

Failed to update secret file "/root/.google_authenticator": Permission denied
Secret file "/root/.google_authenticator" permissions (0644) are more permissive than 0600

Fix: set the permissions of /root/.google_authenticator to 0600. The module deliberately refuses a state file that group or others can read, because it holds the TOTP secret and the scratch codes.

Login still loops on Password: and Verification code:. /var/log/secure now shows:

Failed to create tempfile "/root/.google_authenticator~uVmFnS": Permission denied

Fix used by the author: disable SELinux with setenforce 0. That puts SELinux into permissive mode system-wide and is lost at reboot, so treat it as a diagnosis step rather than a fix: confirm the denial with ausearch -m avc, then let sshd write the state file without dropping enforcement, for example by keeping it in a directory sshd is allowed to write (the module's secret= option sets the path).
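
The enrolment choices in 2.1 (window size, reuse, rate limiting) and the permission failure in 2.3 both come down to the state file that pam_google_authenticator reads. The Python below is an added example, not the module's code: it parses a constructed state file in the layout google-authenticator 1.07 writes (first line the base32 secret, option lines prefixed with `" `, then the scratch codes; treating numbers trailing DISALLOW_REUSE as already-used time steps is an assumption about that layout), verifies codes with RFC 4226/6238 HOTP/TOTP, and reports weak settings and permissions. The secret is the RFC 6238 test seed and the scratch codes are made up; `audit_file` is the only function that touches the filesystem.

```python
"""Added example: verify a TOTP code the way pam_google_authenticator does,
driven by the ~/.google_authenticator state file that the google-authenticator
tool writes. Standard library only."""
import base64
import hashlib
import hmac
import os
import stat
import struct

STEP = 30  # seconds per TOTP step (google-authenticator default)

# Constructed state file. The secret is the RFC 6238 test seed
# "12345678901234567890", not a real one; the scratch codes are made up.
SAMPLE_STATE = base64.b32encode(b"12345678901234567890").decode() + """
" RATE_LIMIT 3 30
" WINDOW_SIZE 17
" DISALLOW_REUSE
" TOTP_AUTH
24680135
97531086
"""


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def decode_secret(secret_b32: str) -> bytes:
    """The state file stores the secret as unpadded base32; restore the padding."""
    s = secret_b32.strip().upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def parse_state_file(text: str) -> dict:
    """Line 1 is the secret, '\" ' lines are options, other numeric lines are scratch codes."""
    lines = [ln.rstrip() for ln in text.splitlines() if ln.strip()]
    cfg = {"secret": lines[0], "window_size": 3, "disallow_reuse": False,
           "used_counters": [], "rate_limit": None, "totp": False, "scratch_codes": []}
    for ln in lines[1:]:
        if ln.startswith('" '):
            parts = ln[2:].split()
            if parts[0] == "WINDOW_SIZE":
                cfg["window_size"] = int(parts[1])
            elif parts[0] == "DISALLOW_REUSE":       # trailing numbers: steps already used (assumption)
                cfg["disallow_reuse"] = True
                cfg["used_counters"] = [int(x) for x in parts[1:]]
            elif parts[0] == "RATE_LIMIT":           # attempts, seconds
                cfg["rate_limit"] = (int(parts[1]), int(parts[2]))
            elif parts[0] == "TOTP_AUTH":
                cfg["totp"] = True
        elif ln.isdigit():
            cfg["scratch_codes"].append(ln)
    return cfg


class Verifier:
    """Mirrors the module's checks: a window of permitted steps, single use of a
    step when DISALLOW_REUSE is set, and single-use scratch codes."""

    def __init__(self, cfg: dict):
        self.key = decode_secret(cfg["secret"])
        # WINDOW_SIZE counts permitted codes: 3 -> +/-1 step, 17 -> +/-8 steps
        self.half_window = (cfg["window_size"] - 1) // 2
        self.disallow_reuse = cfg["disallow_reuse"]
        self.used = set(cfg["used_counters"])
        self.scratch = list(cfg["scratch_codes"])

    def verify(self, code: str, now: int) -> bool:
        counter = now // STEP
        for c in range(counter - self.half_window, counter + self.half_window + 1):
            if c < 0 or (self.disallow_reuse and c in self.used):
                continue
            if hmac.compare_digest(hotp(self.key, c), code):
                self.used.add(c)
                return True
        if code in self.scratch:          # emergency codes are burned on use
            self.scratch.remove(code)
            return True
        return False


def audit_mode(st_mode: int) -> list:
    """The module refuses a state file that group or others can access."""
    mode = stat.S_IMODE(st_mode)
    return [f"mode {mode:04o} is more permissive than 0600"] if mode & 0o077 else []


def audit_config(cfg: dict) -> list:
    """Flag enrolment answers that widen the attack surface."""
    warnings = []
    if cfg["window_size"] > 3:
        secs = (cfg["window_size"] - 1) // 2 * STEP
        warnings.append(f"WINDOW_SIZE {cfg['window_size']} accepts codes up to {secs}s away; "
                        "with NTP-synchronised clocks the default 3 is enough")
    if not cfg["disallow_reuse"]:
        warnings.append("DISALLOW_REUSE not set: a sniffed code can be replayed within its window")
    if cfg["rate_limit"] is None:
        warnings.append("RATE_LIMIT not set: online guessing of 6-digit codes is unthrottled")
    return warnings


def audit_file(path: str) -> list:
    """Run both audits against a real state file, e.g. /root/.google_authenticator."""
    with open(path) as fh:
        cfg = parse_state_file(fh.read())
    return audit_mode(os.stat(path).st_mode) + audit_config(cfg)


if __name__ == "__main__":
    cfg = parse_state_file(SAMPLE_STATE)
    v = Verifier(cfg)
    print("code at T=59:", hotp(decode_secret(cfg["secret"]), 59 // STEP))
    print("accepted 4 min late with WINDOW_SIZE 17:", v.verify("287082", 59 + 240))
    print("same code replayed:", v.verify("287082", 59 + 240))
    for w in audit_config(cfg):
        print("warning:", w)
```

With the post's answers (WINDOW_SIZE 17) a code is still accepted four minutes after it was generated; rebuilding the verifier with window_size 3 rejects the same code. That is the concrete cost of answering y to the wider window when the clocks are already synchronised.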

3. Automated OS installation with cobbler

3.1 Install cobbler and the DHCP service

# Install the EPEL repository first
[root@xsd7 ~]# yum install epel-release.noarch 
Loaded plugins: fastestmirror, langpacks
Loading mirror speeds from cached hostfile
 * base: mirrors.aliyun.com
 * extras: mirrors.163.com
 * updates: mirrors.163.com
Resolving Dependencies
--> Running transaction check
---> Package epel-release.noarch 0:7-11 will be installed
--> Finished Dependency Resolution
Install  1 Package
Installed:
  epel-release.noarch 0:7-11                                                                                                   
Complete!

# Install cobbler
[root@xsd7 ~]# yum install cobbler -y
Loaded plugins: fastestmirror, langpacks
Loading mirror speeds from cached hostfile
epel/x86_64/metalink                                                                                          |  13 kB  00:00:00     
 * base: mirrors.aliyun.com
 * epel: d2lzkl7pfhq30w.cloudfront.net
 * extras: mirrors.163.com
 * updates: mirrors.163.com
epel                                                                                                          | 4.7 kB  00:00:00     
(1/3): epel/x86_64/group_gz                                                                                   |  96 kB  00:00:00     
(2/3): epel/x86_64/updateinfo                                                                                 | 1.0 MB  00:00:05     
(3/3): epel/x86_64/primary_db                                                                                 | 6.9 MB  00:00:20     
Resolving Dependencies
--> Running transaction check
---> Package cobbler.x86_64 0:2.8.5-0.3.el7 will be installed
--> Processing Dependency: httpd for package: cobbler-2.8.5-0.3.el7.x86_64
Installed:
  cobbler.x86_64 0:2.8.5-0.3.el7                                                                                                     

Dependency Installed:
  apr.x86_64 0:1.4.8-7.el7                    apr-util.x86_64 0:1.5.2-6.el7          httpd.x86_64 0:2.4.6-97.el7.centos             
  httpd-tools.x86_64 0:2.4.6-97.el7.centos    mailcap.noarch 0:2.1.41-2.el7          mod_wsgi.x86_64 0:3.4-18.el7                   
  python-cheetah.x86_64 0:2.4.4-5.el7.centos  python-netaddr.noarch 0:0.7.5-9.el7    python-pillow.x86_64 0:2.0.0-21.gitd1c6db8.el7 
  python-pygments.noarch 0:1.4-10.el7         python2-markdown.noarch 0:2.4.1-4.el7  python2-pyyaml.noarch 0:3.10-0.el7             
  python2-simplejson.x86_64 0:3.10.0-2.el7    syslinux.x86_64 0:4.05-15.el7          tftp-server.x86_64 0:5.2-22.el7                

Complete!

# Install dhcp (the first attempt misspells install, which yum rejects; the retry succeeds)
# yum -y instal dhcp 
Loaded plugins: fastestmirror, langpacks
No such command: instal. Please use /usr/bin/yum --help
[root@xsd7 ~]# yum -y install cobbler dhcp 
Loaded plugins: fastestmirror, langpacks
Loading mirror speeds from cached hostfile
 * base: mirrors.aliyun.com
 * extras: mirrors.163.com
 * updates: mirrors.163.com
Installed:
  dhcp.x86_64 12:4.2.5-82.el7.centos                                                                                                 

Dependency Updated:
  dhclient.x86_64 12:4.2.5-82.el7.centos    dhcp-common.x86_64 12:4.2.5-82.el7.centos    dhcp-libs.x86_64 12:4.2.5-82.el7.centos   

Complete!

# Enable cobblerd, httpd and tftp at boot and start them now
[root@xsd7 ~]# systemctl enable --now cobblerd httpd tftp
Created symlink from /etc/systemd/system/multi-user.target.wants/cobblerd.service to /usr/lib/systemd/system/cobblerd.service.
Created symlink from /etc/systemd/system/multi-user.target.wants/httpd.service to /usr/lib/systemd/system/httpd.service.
Created symlink from /etc/systemd/system/sockets.target.wants/tftp.socket to /usr/lib/systemd/system/tftp.socket.
[root@xsd7 ~]# systemctl status cobblerd httpd tftp
● cobblerd.service - Cobbler Helper Daemon
   Loaded: loaded (/usr/lib/systemd/system/cobblerd.service; enabled; vendor preset: disabled)
   Active: active (running) since Wed 2021-03-17 11:58:26 CST; 3min 27s ago
  Process: 3616 ExecStartPost=/usr/bin/touch /usr/share/cobbler/web/cobbler.wsgi (code=exited, status=1/FAILURE)
 Main PID: 3615 (cobblerd)
    Tasks: 1
   CGroup: /system.slice/cobblerd.service
           └─3615 /usr/bin/python2 -s /usr/bin/cobblerd -F

Mar 17 11:58:25 xsd7.linux.com systemd[1]: Starting Cobbler Helper Daemon...
Mar 17 11:58:25 xsd7.linux.com touch[3616]: /usr/bin/touch: cannot touch ‘/usr/share/cobbler/web/cobbler.wsgi’: No such file…irectory
Mar 17 11:58:26 xsd7.linux.com systemd[1]: Started Cobbler Helper Daemon.

● httpd.service - The Apache HTTP Server
   Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled; vendor preset: disabled)
   Active: active (running) since Wed 2021-03-17 11:58:26 CST; 3min 27s ago
     Docs: man:httpd(8)
           man:apachectl(8)
 Main PID: 3618 (httpd)
   Status: "Total requests: 0; Current requests/sec: 0; Current traffic:   0 B/sec"
    Tasks: 6
   CGroup: /system.slice/httpd.service
           ├─3618 /usr/sbin/httpd -DFOREGROUND
           ├─3625 /usr/sbin/httpd -DFOREGROUND
           ├─3626 /usr/sbin/httpd -DFOREGROUND
           ├─3627 /usr/sbin/httpd -DFOREGROUND
           ├─3628 /usr/sbin/httpd -DFOREGROUND
           └─3629 /usr/sbin/httpd -DFOREGROUND

Mar 17 11:58:26 xsd7.linux.com systemd[1]: Starting The Apache HTTP Server...
Mar 17 11:58:26 xsd7.linux.com systemd[1]: Started The Apache HTTP Server.

● tftp.service - Tftp Server
   Loaded: loaded (/usr/lib/systemd/system/tftp.service; indirect; vendor preset: disabled)
   Active: active (running) since Wed 2021-03-17 11:58:26 CST; 3min 27s ago
     Docs: man:in.tftpd
 Main PID: 3619 (in.tftpd)
    Tasks: 1
   CGroup: /system.slice/tftp.service
           └─3619 /usr/sbin/in.tftpd -s /var/lib/tftpboot

Mar 17 11:58:26 xsd7.linux.com systemd[1]: Started Tftp Server.
Hint: Some lines were ellipsized, use -l to show in full.

3.2 Configure cobblerd

# Edit the cobblerd settings file and adjust the following three parameters. Of the cobbler check findings below, item 5 is the security-relevant one: until default_password_crypted is changed, every machine installed from the sample templates gets the well-known root password 'cobbler'.

[root@xsd7 ~]# vim /etc/cobbler/settings
next_server: 172.20.200.128
server: 172.20.200.128
manage_dhcp: 1
[root@xsd7 ~]# cobbler check
The following are potential configuration items that you may want to fix:

1 : change 'disable' to 'no' in /etc/xinetd.d/tftp
2 : Some network boot-loaders are missing from /var/lib/cobbler/loaders, you may run 'cobbler get-loaders' to download them, or, if you only want to handle x86/x86_64 netbooting, you may ensure that you have installed a *recent* version of the syslinux package installed and can ignore this message entirely.  Files in this directory, should you want to support all architectures, should include pxelinux.0, menu.c32, elilo.efi, and yaboot. The 'cobbler get-loaders' command is the easiest way to resolve these requirements.
3 : enable and start rsyncd.service with systemctl
4 : debmirror package is not installed, it will be required to manage debian deployments and repositories
5 : The default password used by the sample templates for newly installed machines (default_password_crypted in /etc/cobbler/settings) is still set to 'cobbler' and should be changed, try: "openssl passwd -1 -salt 'random-phrase-here' 'your-password-here'" to generate new one
6 : fencing tools were not found, and are required to use the (optional) power management features. install cman or fence-agents to use them

Restart cobblerd and then run 'cobbler sync' to apply changes.

3.3 Set up the DHCP service

# Edit cobbler's DHCP template. The range end in the original post read 171.20.200.253, which lies outside 172.20.200.0/24; it is corrected here, and the closing brace the excerpt dropped is restored.
[root@xsd7 ~]# vim /etc/cobbler/dhcp.template
subnet 172.20.200.0 netmask 255.255.255.0 {
     option routers             172.20.200.2;
     option domain-name-servers 180.76.76.76;
     option subnet-mask         255.255.255.0;
     range dynamic-bootp        172.20.200.200 172.20.200.253;
}
# Sync the configuration into the dhcpd configuration file
[root@xsd7 ~]# cobbler sync
task started: 2021-03-17_125453_sync
task started (id=Sync, time=Wed Mar 17 12:54:53 2021)
running pre-sync triggers
cleaning trees
removing: /var/lib/tftpboot/pxelinux.cfg/default
removing: /var/lib/tftpboot/grub/images
removing: /var/lib/tftpboot/grub/efidefault
removing: /var/lib/tftpboot/s390x/profile_list
copying bootloaders
copying distros to tftpboot
copying images
generating PXE configuration files
generating PXE menu structure
rendering DHCP files
generating /etc/dhcp/dhcpd.conf
rendering TFTPD files
generating /etc/xinetd.d/tftp
cleaning link caches
running post-sync triggers
running python triggers from /var/lib/cobbler/triggers/sync/post/*
running python trigger cobbler.modules.sync_post_restart_services
running: dhcpd -t -q
received on stdout: 
received on stderr: 
running: service dhcpd restart
received on stdout: 
received on stderr: Redirecting to /bin/systemctl restart dhcpd.service

running shell triggers from /var/lib/cobbler/triggers/sync/post/*
running python triggers from /var/lib/cobbler/triggers/change/*
running python trigger cobbler.modules.manage_genders
running python trigger cobbler.modules.scm_track
running shell triggers from /var/lib/cobbler/triggers/change/*
*** TASK COMPLETE ***
# Start the DHCP service and check its status. The post-sync trigger above already restarted dhcpd, so this start is redundant; what is still missing is systemctl enable dhcpd, since the unit shows as disabled and would not come back after a reboot.
[root@xsd7 ~]# systemctl start dhcpd
[root@xsd7 ~]# systemctl status dhcpd
● dhcpd.service - DHCPv4 Server Daemon
   Loaded: loaded (/usr/lib/systemd/system/dhcpd.service; disabled; vendor preset: disabled)
   Active: active (running) since Wed 2021-03-17 12:54:54 CST; 6min ago
     Docs: man:dhcpd(8)
           man:dhcpd.conf(5)
 Main PID: 2666 (dhcpd)
   Status: "Dispatching packets..."
    Tasks: 1
   CGroup: /system.slice/dhcpd.service
           └─2666 /usr/sbin/dhcpd -f -cf /etc/dhcp/dhcpd.conf -user dhcpd -group dhcpd --no-pid
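
A wrong subnet block silently leaves PXE clients without leases (and whoever answers DHCP on the segment decides which next-server and boot file they load), so validating the template before `cobbler sync` is cheap insurance. The Python below is an added example, not cobbler's code: it checks that the range and router addresses lie inside the declared subnet, using the block from the post (closing brace restored, and with the 171.20.200.253 typo the original excerpt contained) as the failing sample. Cheetah `$` variables elsewhere in the real template are ignored.

```python
"""Added example: sanity-check the subnet block of cobbler's dhcp.template
before `cobbler sync` renders it into /etc/dhcp/dhcpd.conf. Standard library only."""
import ipaddress
import re

# The subnet block as it appeared in the post, closing brace restored.
# Its range end reads 171.20.200.253 (a typo), which is outside the subnet.
BAD_TEMPLATE = """\
subnet 172.20.200.0 netmask 255.255.255.0 {
     option routers             172.20.200.2;
     option domain-name-servers 180.76.76.76;
     option subnet-mask         255.255.255.0;
     range dynamic-bootp        172.20.200.200 171.20.200.253;
}
"""
GOOD_TEMPLATE = BAD_TEMPLATE.replace("171.20.200.253", "172.20.200.253")

SUBNET_RE = re.compile(r"subnet\s+(\S+)\s+netmask\s+(\S+)\s*\{(.*?)\}", re.S)
RANGE_RE = re.compile(r"\brange(?:\s+dynamic-bootp)?\s+(\S+)\s+(\S+?)\s*;")
ROUTERS_RE = re.compile(r"option\s+routers\s+([^;]+);")


def check_dhcp_template(text: str) -> list:
    """Return a list of problems; an empty list means the block is consistent."""
    problems = []
    blocks = SUBNET_RE.findall(text)
    if not blocks:
        problems.append("no complete 'subnet ... { ... }' block found (missing closing brace?)")
    for net, mask, body in blocks:
        try:
            subnet = ipaddress.IPv4Network(f"{net}/{mask}", strict=True)
        except ValueError as exc:
            problems.append(f"invalid subnet {net}/{mask}: {exc}")
            continue
        for lo, hi in RANGE_RE.findall(body):
            try:
                lo_a, hi_a = ipaddress.IPv4Address(lo), ipaddress.IPv4Address(hi)
            except ValueError as exc:
                problems.append(f"invalid range address: {exc}")
                continue
            for addr in (lo_a, hi_a):
                if addr not in subnet:
                    problems.append(f"range address {addr} is outside {subnet}")
                elif addr in (subnet.network_address, subnet.broadcast_address):
                    problems.append(f"range address {addr} is the network or broadcast address")
            if lo_a > hi_a:
                problems.append(f"range start {lo_a} is above range end {hi_a}")
        for routers in ROUTERS_RE.findall(body):
            for r in (x.strip() for x in routers.split(",")):
                if r.startswith("$"):          # Cheetah variable, resolved at render time
                    continue
                try:
                    if ipaddress.IPv4Address(r) not in subnet:
                        problems.append(f"router {r} is outside {subnet}")
                except ValueError as exc:
                    problems.append(f"invalid router address: {exc}")
    return problems


if __name__ == "__main__":
    for label, tpl in (("as posted", BAD_TEMPLATE), ("corrected", GOOD_TEMPLATE)):
        print(label, check_dhcp_template(tpl) or "ok")
```

Run it against /etc/cobbler/dhcp.template before syncing; the `dhcpd -t -q` step inside `cobbler sync` is the last line of defence, and it only runs after the old configuration has been overwritten.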

3.4 Download the boot loader files to /var/lib/tftpboot/

# Download the PXE boot loaders. These binaries are fetched from cobbler.github.io over HTTPS and are the first code every PXE client executes, so treat them as a supply-chain input.
[root@xsd7 ~]# cobbler get-loaders
task started: 2021-03-17_132703_get_loaders
task started (id=Download Bootloader Content, time=Wed Mar 17 13:27:03 2021)
path /var/lib/cobbler/loaders/README already exists, not overwriting existing content, use --force if you wish to update
downloading https://cobbler.github.io/loaders/COPYING.elilo to /var/lib/cobbler/loaders/COPYING.elilo
downloading https://cobbler.github.io/loaders/COPYING.yaboot to /var/lib/cobbler/loaders/COPYING.yaboot
downloading https://cobbler.github.io/loaders/COPYING.syslinux to /var/lib/cobbler/loaders/COPYING.syslinux
downloading https://cobbler.github.io/loaders/elilo-3.8-ia64.efi to /var/lib/cobbler/loaders/elilo-ia64.efi
downloading https://cobbler.github.io/loaders/yaboot-1.3.17 to /var/lib/cobbler/loaders/yaboot
downloading https://cobbler.github.io/loaders/pxelinux.0-3.86 to /var/lib/cobbler/loaders/pxelinux.0
downloading https://cobbler.github.io/loaders/menu.c32-3.86 to /var/lib/cobbler/loaders/menu.c32
downloading https://cobbler.github.io/loaders/grub-0.97-x86.efi to /var/lib/cobbler/loaders/grub-x86.efi
downloading https://cobbler.github.io/loaders/grub-0.97-x86_64.efi to /var/lib/cobbler/loaders/grub-x86_64.efi
*** TASK COMPLETE ***

# Sync the downloaded files into the tftp working directory
[root@xsd7 ~]# cobbler sync  
task started: 2021-03-17_133543_sync
task started (id=Sync, time=Wed Mar 17 13:35:43 2021)
running pre-sync triggers
cleaning trees
removing: /var/lib/tftpboot/pxelinux.cfg/default
removing: /var/lib/tftpboot/grub/images
removing: /var/lib/tftpboot/grub/efidefault
removing: /var/lib/tftpboot/s390x/profile_list
copying bootloaders
trying hardlink /var/lib/cobbler/loaders/pxelinux.0 -> /var/lib/tftpboot/pxelinux.0
copying: /var/lib/cobbler/loaders/pxelinux.0 -> /var/lib/tftpboot/pxelinux.0
trying hardlink /var/lib/cobbler/loaders/menu.c32 -> /var/lib/tftpboot/menu.c32
copying: /var/lib/cobbler/loaders/menu.c32 -> /var/lib/tftpboot/menu.c32
trying hardlink /var/lib/cobbler/loaders/yaboot -> /var/lib/tftpboot/yaboot
trying hardlink /var/lib/cobbler/loaders/grub-x86.efi -> /var/lib/tftpboot/grub/grub-x86.efi
trying hardlink /var/lib/cobbler/loaders/grub-x86_64.efi -> /var/lib/tftpboot/grub/grub-x86_64.efi
copying distros to tftpboot
copying images
generating PXE configuration files
generating PXE menu structure
rendering DHCP files
generating /etc/dhcp/dhcpd.conf
rendering TFTPD files
generating /etc/xinetd.d/tftp
cleaning link caches
running post-sync triggers
running python triggers from /var/lib/cobbler/triggers/sync/post/*
running python trigger cobbler.modules.sync_post_restart_services
running: dhcpd -t -q
received on stdout: 
received on stderr: 
running: service dhcpd restart
received on stdout: 
received on stderr: Redirecting to /bin/systemctl restart dhcpd.service

running shell triggers from /var/lib/cobbler/triggers/sync/post/*
running python triggers from /var/lib/cobbler/triggers/change/*
running python trigger cobbler.modules.manage_genders
running python trigger cobbler.modules.scm_track
running shell triggers from /var/lib/cobbler/triggers/change/*
*** TASK COMPLETE ***

3.5 Import the CentOS 7 and CentOS 8 installation media

# Import the CentOS 8.1 installation media (mounted at /misc/cd)
[root@xsd7 cd]# cobbler import --name=centos-8.1-x86_64 --path=/misc/cd --arch=x86_64  
task started: 2021-03-17_155515_import
task started (id=Media import, time=Wed Mar 17 15:55:15 2021)
Found a candidate signature: breed=redhat, version=rhel8
No signature matched in /var/www/cobbler/ks_mirror/centos-8.1-x86_64
!!! TASK FAILED !!!

# Update cobbler's distro signatures to fix the 'No signature matched' error above
[root@xsd7 misc]# cobbler signature update  
task started: 2021-03-17_193227_sigupdate
task started (id=Updating Signatures, time=Wed Mar 17 19:32:27 2021)
Successfully got file from https://cobbler.github.io/signatures/2.8.x/latest.json
*** TASK COMPLETE ***

# Import the CentOS 8.1 media again. The createrepo error and the .repo IOError below are logged because createrepo is not installed; the distro and profile are still created, as the later cobbler sync output shows.
[root@xsd7 misc]# cobbler import --name=centos-8.1-x86_64 --path=/misc/cd --arch=x86_64 
task started: 2021-03-17_193707_import
task started (id=Media import, time=Wed Mar 17 19:37:07 2021)
Found a candidate signature: breed=suse, version=sles15generic
Found a candidate signature: breed=suse, version=opensuse15.0
Found a candidate signature: breed=suse, version=opensuse15.1
Found a candidate signature: breed=redhat, version=rhel8
Found a matching signature: breed=redhat, version=rhel8
Adding distros from path /var/www/cobbler/ks_mirror/centos-8.1-x86_64:
creating new distro: centos-8.1-x86_64
trying symlink: /var/www/cobbler/ks_mirror/centos-8.1-x86_64 -> /var/www/cobbler/links/centos-8.1-x86_64
creating new profile: centos-8.1-x86_64
associating repos
checking for rsync repo(s)
checking for rhn repo(s)
checking for yum repo(s)
starting descent into /var/www/cobbler/ks_mirror/centos-8.1-x86_64 for centos-8.1-x86_64
processing repo at : /var/www/cobbler/ks_mirror/centos-8.1-x86_64/AppStream
need to process repo/comps: /var/www/cobbler/ks_mirror/centos-8.1-x86_64/AppStream
looking for /var/www/cobbler/ks_mirror/centos-8.1-x86_64/AppStream/repodata/*comps*.xml
error launching createrepo (not installed?), ignoring
Exception occured: <type 'exceptions.IOError'>
Exception value: [Errno 2] No such file or directory: '/var/www/cobbler/ks_mirror/config/centos-8.1-x86_64.repo'
Exception Info:
  File "/usr/lib/python2.7/site-packages/cobbler/modules/manage_import_signatures.py", line 599, in yum_process_comps_file
    config_file = open(fname, "w+")

processing repo at : /var/www/cobbler/ks_mirror/centos-8.1-x86_64/BaseOS
need to process repo/comps: /var/www/cobbler/ks_mirror/centos-8.1-x86_64/BaseOS
looking for /var/www/cobbler/ks_mirror/centos-8.1-x86_64/BaseOS/repodata/*comps*.xml
error launching createrepo (not installed?), ignoring
Exception occured: <type 'exceptions.IOError'>
Exception value: [Errno 2] No such file or directory: '/var/www/cobbler/ks_mirror/config/centos-8.1-x86_64-1.repo'
Exception Info:
  File "/usr/lib/python2.7/site-packages/cobbler/modules/manage_import_signatures.py", line 599, in yum_process_comps_file
    config_file = open(fname, "w+")

*** TASK COMPLETE ***

# Import the CentOS 7 installation media (mounted at /mnt). The same createrepo error appears and is equally harmless for netbooting.
[root@xsd7 ~]# cobbler import --name=CentOS-7-x86_64  --path=/mnt --arch=x86_64 
task started: 2021-03-17_151443_import
task started (id=Media import, time=Wed Mar 17 15:14:43 2021)
Found a candidate signature: breed=redhat, version=rhel6
Found a candidate signature: breed=redhat, version=rhel7
Found a matching signature: breed=redhat, version=rhel7
Adding distros from path /var/www/cobbler/ks_mirror/CentOS-7-x86_64:
creating new distro: CentOS-7-x86_64
trying symlink: /var/www/cobbler/ks_mirror/CentOS-7-x86_64 -> /var/www/cobbler/links/CentOS-7-x86_64
creating new profile: CentOS-7-x86_64
associating repos
checking for rsync repo(s)
checking for rhn repo(s)
checking for yum repo(s)
starting descent into /var/www/cobbler/ks_mirror/CentOS-7-x86_64 for CentOS-7-x86_64
processing repo at : /var/www/cobbler/ks_mirror/CentOS-7-x86_64
need to process repo/comps: /var/www/cobbler/ks_mirror/CentOS-7-x86_64
looking for /var/www/cobbler/ks_mirror/CentOS-7-x86_64/repodata/*comps*.xml
error launching createrepo (not installed?), ignoring
Exception occured: <type 'exceptions.IOError'>
Exception value: [Errno 2] No such file or directory: '/var/www/cobbler/ks_mirror/config/CentOS-7-x86_64.repo'
Exception Info:
  File "/usr/lib/python2.7/site-packages/cobbler/modules/manage_import_signatures.py", line 599, in yum_process_comps_file
    config_file = open(fname, "w+")

*** TASK COMPLETE ***

3.6 Prepare kickstart files and associate them with the imported distros

# Install system-config-kickstart, a GUI editor for kickstart files
[root@xsd7 kickstarts]# yum install system-config-kickstart 
Loaded plugins: fastestmirror, langpacks
Loading mirror speeds from cached hostfile
 * base: mirrors.163.com
 * epel: mirrors.coreix.net
 * extras: mirrors.aliyun.com
 * updates: mirrors.163.com
Dependency Installed:
  gnome-python2.x86_64 0:2.28.1-14.el7                     gnome-python2-canvas.x86_64 0:2.28.1-14.el7              
  libart_lgpl.x86_64 0:2.3.21-10.el7                       libgnomecanvas.x86_64 0:2.30.3-8.el7                     
  rarian.x86_64 0:0.8.1-11.el7                             rarian-compat.x86_64 0:0.8.1-11.el7                      
  system-config-date.noarch 0:1.10.6-3.el7.centos          system-config-date-docs.noarch 0:1.0.11-4.el7            
  system-config-keyboard.noarch 0:1.4.0-5.el7              system-config-keyboard-base.noarch 0:1.4.0-5.el7         
  system-config-language.noarch 0:1.4.0-9.el7              usermode-gtk.x86_64 0:1.111-6.el7                        

Complete!  

# Install pykickstart; its ksvalidator tool checks a kickstart file for syntax errors before it is handed to a profile
[root@xsd7 kickstarts]# yum install pykickstart   
Loaded plugins: fastestmirror, langpacks
Loading mirror speeds from cached hostfile
 * base: mirrors.163.com
 * epel: mirror.init7.net
 * extras: mirrors.aliyun.com
 * updates: mirrors.163.com
Updated:
  pykickstart.noarch 0:1.99.66.22-1.el7                                                                             

Complete!

# Associate the CentOS 7 distro with ks7.cfg and generate the menu entry. As typed, the command omits the profile subcommand, so cobbler prints its usage instead of creating anything; the intended form is cobbler profile add ..., and the --distro value must match the imported distro name (CentOS-7-x86_64, not centos7-x86_64).
[root@xsd7 kickstarts]# cobbler profile --name=centos7 --distro=centos7-x86_64 --kickstart=/var/lib/cobbler/kickstarts/ks7.cfg    
usage
=====
cobbler profile add
cobbler profile copy
cobbler profile dumpvars
cobbler profile edit
cobbler profile find
cobbler profile getks
cobbler profile list
cobbler profile remove
cobbler profile rename
cobbler profile report
[root@xsd7 kickstarts]# 

# Associate the CentOS 8.1 distro with ks8.cfg. The add subcommand is missing again, so only the usage text is printed; this time the distro name does match the import.
[root@xsd7 kickstarts]# cobbler profile --name=centos8.1 --distro=centos-8.1-x86_64 --kickstart=/var/lib/cobbler/kickstarts/ks8.cfg 
usage
=====
cobbler profile add
cobbler profile copy
cobbler profile dumpvars
cobbler profile edit
cobbler profile find
cobbler profile getks
cobbler profile list
cobbler profile remove
cobbler profile rename
cobbler profile report

# Change the boot menu title
[root@xsd7 ks_mirror]# vim /etc/cobbler/pxe/pxedefault.template
DEFAULT menu
PROMPT 0
MENU TITLE Cobbler | xsd homework   # change the menu title
TIMEOUT 200
TOTALTIMEOUT 6000
ONTIMEOUT $pxe_timeout_profile

LABEL local
        MENU LABEL (local)
        MENU DEFAULT
        LOCALBOOT -1

$pxe_menu_items

MENU end

# Sync the data and generate the menu
[root@xsd7 kickstarts]# cobbler sync
task started: 2021-03-17_200713_sync
task started (id=Sync, time=Wed Mar 17 20:07:13 2021)
running pre-sync triggers
cleaning trees
removing: /var/www/cobbler/images/CentOS-7-x86_64
removing: /var/www/cobbler/images/centos-8.1-x86_64
removing: /var/lib/tftpboot/pxelinux.cfg/default
removing: /var/lib/tftpboot/grub/images
removing: /var/lib/tftpboot/grub/grub-x86.efi
removing: /var/lib/tftpboot/grub/grub-x86_64.efi
removing: /var/lib/tftpboot/grub/efidefault
removing: /var/lib/tftpboot/images/CentOS-7-x86_64
removing: /var/lib/tftpboot/images/centos-8.1-x86_64
removing: /var/lib/tftpboot/s390x/profile_list
copying bootloaders
trying hardlink /var/lib/cobbler/loaders/pxelinux.0 -> /var/lib/tftpboot/pxelinux.0
copying: /var/lib/cobbler/loaders/pxelinux.0 -> /var/lib/tftpboot/pxelinux.0
trying hardlink /var/lib/cobbler/loaders/menu.c32 -> /var/lib/tftpboot/menu.c32
copying: /var/lib/cobbler/loaders/menu.c32 -> /var/lib/tftpboot/menu.c32
trying hardlink /var/lib/cobbler/loaders/grub-x86.efi -> /var/lib/tftpboot/grub/grub-x86.efi
trying hardlink /var/lib/cobbler/loaders/grub-x86_64.efi -> /var/lib/tftpboot/grub/grub-x86_64.efi
copying distros to tftpboot
copying files for distro: centos-8.1-x86_64
trying hardlink /var/www/cobbler/ks_mirror/centos-8.1-x86_64/images/pxeboot/vmlinuz -> /var/lib/tftpboot/images/centos-8.1-x86_64/vmlinuz
trying hardlink /var/www/cobbler/ks_mirror/centos-8.1-x86_64/images/pxeboot/initrd.img -> /var/lib/tftpboot/images/centos-8.1-x86_64/initrd.img
copying files for distro: CentOS-7-x86_64
trying hardlink /var/www/cobbler/ks_mirror/CentOS-7-x86_64/images/pxeboot/vmlinuz -> /var/lib/tftpboot/images/CentOS-7-x86_64/vmlinuz
trying hardlink /var/www/cobbler/ks_mirror/CentOS-7-x86_64/images/pxeboot/initrd.img -> /var/lib/tftpboot/images/CentOS-7-x86_64/initrd.img
copying images
generating PXE configuration files
generating PXE menu structure
copying files for distro: centos-8.1-x86_64
trying hardlink /var/www/cobbler/ks_mirror/centos-8.1-x86_64/images/pxeboot/vmlinuz -> /var/www/cobbler/images/centos-8.1-x86_64/vmlinuz
trying hardlink /var/www/cobbler/ks_mirror/centos-8.1-x86_64/images/pxeboot/initrd.img -> /var/www/cobbler/images/centos-8.1-x86_64/initrd.img
Writing template files for centos-8.1-x86_64
copying files for distro: CentOS-7-x86_64
trying hardlink /var/www/cobbler/ks_mirror/CentOS-7-x86_64/images/pxeboot/vmlinuz -> /var/www/cobbler/images/CentOS-7-x86_64/vmlinuz
trying hardlink /var/www/cobbler/ks_mirror/CentOS-7-x86_64/images/pxeboot/initrd.img -> /var/www/cobbler/images/CentOS-7-x86_64/initrd.img
Writing template files for CentOS-7-x86_64
rendering DHCP files
generating /etc/dhcp/dhcpd.conf
rendering TFTPD files
generating /etc/xinetd.d/tftp
processing boot_files for distro: centos-8.1-x86_64
processing boot_files for distro: CentOS-7-x86_64
cleaning link caches
running post-sync triggers
running python triggers from /var/lib/cobbler/triggers/sync/post/*
running python trigger cobbler.modules.sync_post_restart_services
running: dhcpd -t -q
received on stdout: 
received on stderr: 
running: service dhcpd restart
received on stdout: 
received on stderr: Redirecting to /bin/systemctl restart dhcpd.service

running shell triggers from /var/lib/cobbler/triggers/sync/post/*
running python triggers from /var/lib/cobbler/triggers/change/*
running python trigger cobbler.modules.manage_genders
running python trigger cobbler.modules.scm_track
running shell triggers from /var/lib/cobbler/triggers/change/*
*** TASK COMPLETE ***

3.7 Install the system over the network

Boot from the network card (screenshot)

Select the system to install (screenshot)

The kernel is found and booted (screenshot)

The automated installation starts (screenshot)

Log in to the automatically installed system (screenshot)

Source: https://blog.51cto.com/12302225/2663516