Friday, January 7, 2011

Ubuntu 10.10 Base Image Installation Note

On the new VMware platform, I need to create an Ubuntu base image, which will be used as a deployment template for other groups. The base image has to be basic, flexible and secure.

Partitioning the 36GB virtual hard disk; LVM is used.

I create a volume group called VG01 on the 36GB HDD and use the following partition scheme. There is no dedicated partition for /home because the users store their data on NFS space.

  • 210MB /boot ext3
  • 15.1GB / ext4
  • rest swap

Partitioning Strategies

The Linux Logical Volume Manager

Enable OpenSSH

Just remember to select it during the installation.

Build up the minimum security FIRST

First modify the entries in the following files:

root@pwbclinuxlab:~# cat /etc/hosts.allow
# /etc/hosts.allow: list of hosts that are allowed to access the system.
#                   See the manual pages hosts_access(5) and hosts_options(5).
#
# Example:    ALL: LOCAL @some_netgroup
#             ALL: .foobar.edu EXCEPT terminalserver.foobar.edu
#
# If you're going to protect the portmapper use the name "portmap" for the
# daemon name. Remember that you can only use the keyword "ALL" and IP
# addresses (NOT host or domain names) for the portmapper, as well as for
# rpc.mountd (the NFS mount daemon). See portmap(8) and rpc.mountd(8)
# for further information.
#

#Allow servers & admin
...
root@pwbclinuxlab:~# cat /etc/hosts.deny
# /etc/hosts.deny: list of hosts that are _not_ allowed to access the system.
#                  See the manual pages hosts_access(5) and hosts_options(5).
#
# Example:    ALL: some.host.name, .some.domain
#             ALL EXCEPT in.fingerd: other.host.name, .other.domain
#
# If you're going to protect the portmapper use the name "portmap" for the
# daemon name. Remember that you can only use the keyword "ALL" and IP
# addresses (NOT host or domain names) for the portmapper, as well as for
# rpc.mountd (the NFS mount daemon). See portmap(8) and rpc.mountd(8)
# for further information.
#
# The PARANOID wildcard matches any host whose name does not match its
# address.
#
# You may wish to enable this to ensure any programs that don't
# validate looked up hostnames still leave understandable logs. In past
# versions of Debian this has been the default.
# ALL: PARANOID
ALL: ALL
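The two files above only work as intended because of the search order tcp_wrappers uses: a match in hosts.allow grants access, otherwise a match in hosts.deny refuses it, and if neither file matches the connection is allowed. The following Python script is an added example, not code from this post: it re-implements that decision order from hosts_access(5) so a candidate rule set can be checked offline before it goes into the image. The rules in `HOSTS_ALLOW` are constructed placeholders (the 10.20.0.0/16 network and the `.admin.example.edu` domain are assumptions standing in for the real "servers & admin" list); the daemon name is assumed to be the server's process name such as `sshd`; `PARANOID` and `@netgroup` patterns need DNS/NIS and are rejected; IPv6 patterns are not handled because `:` is the field separator.

```python
"""Offline evaluator for TCP Wrappers hosts.allow / hosts.deny rules (added example)."""
import ipaddress
from typing import Callable, List, Optional, Tuple

Rule = Tuple[List[str], List[str]]   # (daemon_list tokens, client_list tokens)


def parse_access_file(text: str) -> List[Rule]:
    """Parse 'daemon_list : client_list [: shell_command]' lines.

    '#' starts a comment; blank lines are skipped; a trailing shell_command
    field is ignored because this evaluator only answers allow/deny.
    """
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2 or not fields[0] or not fields[1]:
            raise ValueError(f"malformed rule: {raw!r}")
        rules.append((fields[0].replace(",", " ").split(),
                      fields[1].replace(",", " ").split()))
    return rules


def list_matches(tokens: List[str], match: Callable[[str], bool]) -> bool:
    """'a b EXCEPT c' matches when a or b matches and c does not (EXCEPT may nest)."""
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        return list_matches(tokens[:i], match) and not list_matches(tokens[i + 1:], match)
    return any(match(t) for t in tokens)


def client_matches(pattern: str, ip: str, host: Optional[str]) -> bool:
    """Client-side wildcards and patterns from hosts_access(5)."""
    if pattern == "ALL":
        return True
    if pattern == "LOCAL":                       # a resolved name without a dot
        return host is not None and "." not in host
    if pattern in ("KNOWN", "UNKNOWN"):          # did reverse DNS give us a name?
        return (host is not None) == (pattern == "KNOWN")
    if pattern == "PARANOID" or pattern.startswith("@"):
        raise NotImplementedError(f"{pattern} needs DNS/NIS lookups; not evaluated offline")
    if pattern.startswith("."):                  # domain suffix, e.g. .example.edu
        return host is not None and host.lower().endswith(pattern.lower())
    if pattern.endswith("."):                    # address prefix, e.g. 10.20.
        return ip.startswith(pattern)
    if "/" in pattern:                           # net/mask or net/prefixlen
        net, mask = pattern.split("/", 1)
        return ipaddress.ip_address(ip) in ipaddress.ip_network(f"{net}/{mask}", strict=False)
    return pattern == ip or (host is not None and pattern.lower() == host.lower())


def hosts_access(daemon: str, ip: str, host: Optional[str],
                 allow_text: str, deny_text: str) -> str:
    """Return 'allow' or 'deny' in hosts_access(5) order: first match in
    hosts.allow grants, else first match in hosts.deny refuses, else access is
    granted. That final fall-through is why hosts.deny needs 'ALL: ALL'."""
    def daemon_ok(p: str) -> bool:
        return p == "ALL" or p == daemon

    for rules, verdict in ((parse_access_file(allow_text), "allow"),
                           (parse_access_file(deny_text), "deny")):
        for daemons, clients in rules:
            if list_matches(daemons, daemon_ok) and \
               list_matches(clients, lambda p: client_matches(p, ip, host)):
                return verdict
    return "allow"


# Constructed sample rules (assumed placeholders, not the real "servers & admin" list).
HOSTS_ALLOW = """\
# Allow servers & admin
sshd: 10.20.0.0/255.255.0.0, .admin.example.edu EXCEPT guest.admin.example.edu
ALL: LOCAL
"""
HOSTS_DENY = "ALL: ALL\n"

if __name__ == "__main__":
    for args in (("sshd", "10.20.5.9", None),
                 ("sshd", "203.0.113.5", "guest.admin.example.edu"),
                 ("vsftpd", "192.0.2.7", "pwbclinuxlab"),
                 ("vsftpd", "10.20.5.9", None)):
        print(args, hosts_access(*args, HOSTS_ALLOW, HOSTS_DENY))
    # With an empty hosts.deny an unlisted client falls through to 'allow'.
    print("empty hosts.deny:", hosts_access("sshd", "203.0.113.9", None, HOSTS_ALLOW, ""))
```

The last line of the demo is the check worth keeping: run the same unlisted client against an empty `hosts.deny` and the verdict flips to allow, which is exactly what the `ALL: ALL` line in the image prevents.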

Optional: change root password

sudo passwd

Optional: enable RSA SSH login

Password-less SSH via PuTTY

Configure the network interface for internet access, DNS, hostname, etc.

Ubuntu Networking Configuration Using Command Line

Update the apt sources.list so apt-get fetches packages from the AARNet mirror.

root@pwbclinuxlab:~# cat /etc/apt/sources.list
#
# deb cdrom:[Ubuntu-Server 10.10 _Maverick Meerkat_ - Release amd64 (20101007)]/ maverick main restricted

#deb cdrom:[Ubuntu-Server 10.10 _Maverick Meerkat_ - Release amd64 (20101007)]/ maverick main restricted
# See http://help.ubuntu.com/community/UpgradeNotes for how to upgrade to
# newer versions of the distribution.

#deb http://au.archive.ubuntu.com/ubuntu/ maverick main restricted
#deb-src http://au.archive.ubuntu.com/ubuntu/ maverick main restricted
deb http://mirror.aarnet.edu.au/ubuntu/ maverick main restricted
deb-src http://mirror.aarnet.edu.au/ubuntu/ maverick main restricted

## Major bug fix updates produced after the final release of the
## distribution.
#deb http://au.archive.ubuntu.com/ubuntu/ maverick-updates main restricted
#deb-src http://au.archive.ubuntu.com/ubuntu/ maverick-updates main restricted
deb http://mirror.aarnet.edu.au/ubuntu/ maverick-updates main restricted
deb-src http://mirror.aarnet.edu.au/ubuntu/ maverick-updates main restricted

## N.B. software from this repository is ENTIRELY UNSUPPORTED by the Ubuntu
## team. Also, please note that software in universe WILL NOT receive any
## review or updates from the Ubuntu security team.
#deb http://au.archive.ubuntu.com/ubuntu/ maverick universe
#deb-src http://au.archive.ubuntu.com/ubuntu/ maverick universe
#deb http://au.archive.ubuntu.com/ubuntu/ maverick-updates universe
#deb-src http://au.archive.ubuntu.com/ubuntu/ maverick-updates universe
deb http://mirror.aarnet.edu.au/ubuntu/ maverick universe
deb-src http://mirror.aarnet.edu.au/ubuntu/ maverick universe
deb http://mirror.aarnet.edu.au/ubuntu/ maverick-updates universe
deb-src http://mirror.aarnet.edu.au/ubuntu/ maverick-updates universe

## N.B. software from this repository is ENTIRELY UNSUPPORTED by the Ubuntu
## team, and may not be under a free licence. Please satisfy yourself as to
## your rights to use the software. Also, please note that software in
## multiverse WILL NOT receive any review or updates from the Ubuntu
## security team.
#deb http://au.archive.ubuntu.com/ubuntu/ maverick multiverse
#deb-src http://au.archive.ubuntu.com/ubuntu/ maverick multiverse
#deb http://au.archive.ubuntu.com/ubuntu/ maverick-updates multiverse
#deb-src http://au.archive.ubuntu.com/ubuntu/ maverick-updates multiverse
#deb http://mirror.aarnet.edu.au/ubuntu/ maverick multiverse
#deb-src http://mirror.aarnet.edu.au/ubuntu/ maverick multiverse
#deb http://mirror.aarnet.edu.au/ubuntu/ maverick-updates multiverse
#deb-src http://mirror.aarnet.edu.au/ubuntu/ maverick-updates multiverse

## Uncomment the following two lines to add software from the 'backports'
## repository.
## N.B. software from this repository may not have been tested as
## extensively as that contained in the main release, although it includes
## newer versions of some applications which may provide useful features.
## Also, please note that software in backports WILL NOT receive any review
## or updates from the Ubuntu security team.
# deb http://au.archive.ubuntu.com/ubuntu/ maverick-backports main restricted universe multiverse
# deb-src http://au.archive.ubuntu.com/ubuntu/ maverick-backports main restricted universe multiverse

## Uncomment the following two lines to add software from Canonical's
## 'partner' repository.
## This software is not part of Ubuntu, but is offered by Canonical and the
## respective vendors as a service to Ubuntu users.
# deb http://archive.canonical.com/ubuntu maverick partner
# deb-src http://archive.canonical.com/ubuntu maverick partner

## Uncomment the following two lines to add software from Ubuntu's
## 'extras' repository.
## This software is not part of Ubuntu, but is offered by third-party
## developers who want to ship their latest software.
# deb http://extras.ubuntu.com/ubuntu maverick main
# deb-src http://extras.ubuntu.com/ubuntu maverick main

deb http://security.ubuntu.com/ubuntu maverick-security main restricted
deb-src http://security.ubuntu.com/ubuntu maverick-security main restricted
deb http://security.ubuntu.com/ubuntu maverick-security universe
deb-src http://security.ubuntu.com/ubuntu maverick-security universe
deb http://security.ubuntu.com/ubuntu maverick-security multiverse
deb-src http://security.ubuntu.com/ubuntu maverick-security multiverse

Install VMware Tools

Do not install the one from apt-get; it is unsupported by VMware. Follow the VMware official guide instead.

VMware Tools Installation Guide For Operating System Specific Packages

VMwareTools

Install other useful utilities, like htop, etc.

Enable LDAP auth

The LDAP feature can be enabled on a second image cloned from this one, so that I have two images: one with LDAP and one without.

LDAPClientAuthentication

OpenLDAP Server
