Tạo mã thiết lập hệ thống server trên OpenSUSE 11.2 và cài đặt ISPConfig 3 Trong bài viết sau, Quản Trị Mạng sẽ hướng dẫn các bạn tạo 1 đoạn mã, có thể tự động thực thi nhiều công đoạn n
Trang 1Tạo mã thiết lập hệ thống server trên OpenSUSE 11.2 và cài đặt ISPConfig 3
Trong bài viết sau, Quản Trị Mạng sẽ hướng dẫn các bạn tạo 1 đoạn mã, có thể tự động thực thi nhiều công đoạn như thiết lập, tùy chỉnh các thông số kỹ thuật… và cuối cùng là cài đặt ứng dụng
Lưu ý rằng tuyệt đối không được thực thi đoạn mã này trên 1 hệ thống server đang hoạt động bình thường, vì sẽ gây ra hiện tượng xung đột, không tương thích khi đoạn mã tự động khởi tạo hoặc ghi đè các file tùy chỉnh và có thể khiến cho hệ thống ngừng hoạt động Chỉ nên áp dụng phương pháp này khi cài đặt mới hoàn toàn OpenSUSE 11.2
- Cơ chế xác thực thông qua Postfix
- Xác nhận quyền truy cập với Apache SSL, chuyển ISPConfig thành HTTPS
- Khắc phục và hoàn chỉnh quá trình thiết lập NameVirtualHost Apache với OpenSUSE (rất quan trọng đối với Apache để nhận biết các domain
đa dạng từ ISPConfig)
- Thiết lập quá trình rdiff-backup với cron
Tuy nhiên, đoạn mã này không phù hợp với những hệ thống trong thực tế
yêu cầu 2 thành tố: mysql_secure_install và ispconfig_update_svn đang
hoạt động Sử dụng câu lệnh sau:
Trang 2Đoạn mã này có yêu cầu 2 thao tác sau:
Đầu tiên, khi mysql_secure_install đang hoạt động
Thứ 2, dành cho việc cập nhật ISPConfig3, hãy gõ lệnh svn hoặc stable khi hệ thống yêu cầu cung cấp dạng cập nhật (nên chọn stable)
Tất cả các lựa chọn khác giữ nguyên ở chế độ mặc định bằng cách nhấn Enter
Bên cạnh đó, các bạn nên thay đổi những giá trị biến sau trong đoạn mã:
THIS_PLATFORM: có thể là x86_64 hoặc i586
MYSQLROOTPASS: hãy thay đổi giá trị này, và nhớ làm việc này trong
khi cài đặt module mysql_secure_install
MY_HOSTNAME, MY_DOMAIN: thay đổi thành tên server của bạn, ở giá
trị mặc định nó sẽ là server1.mydomain.com
ISPCONFIG_TAR_GZ: hãy chắc chắn rằng ISPCONFIG_TAR_GZ có
trong phiên bản ISPConfig 3 mới nhất
Lưu đoạn mã này tại 1 nơi nào đó trên server (ví dụ
/usr/local/sbin/opensuse_ispconfig3.sh):
vi /usr/local/sbin/opensuse_ispconfig3.sh
#!/bin/sh
# Script by George Yohng (georgesc#oss3d.com)
# Do zypper update and reboot before running this script
# Also better change host name (file HOSTNAME) manually before running this script, though looks like it's not necessary
# This script requires two manual actions
# First - when mysql_secure_install is running One should type a new mysql password, the same as here
# Second - for ISPConfig3 update One should type 'svn' when the update type is asked
# For both of scripts, all other options are
default, one can just press ENTER
Trang 3# Also, please change MYSQLROOTPASS below, and be sure to enter it verbatim
# during the installation of
mysql_secure_install
# Important: When setting an MX entry, point it
to mail.yourdomain.com rather than
# just to yourdomain.com, and create a CNAME
entry for mail Otherwise it doesn't
# seem to work somehow
THIS_PLATFORM=x86_64
MYSQLROOTPASS=098j91r3kx
# Change this to your server name By default it's configured to server1.mydomain.com
# If your web site hosts a complete domain, such
as domain.com, still leave
# something for MY_HOSTNAME 'server1' or 'host'
MAILDROP_RPM=http://download.opensuse.org/reposit ories/server:/mail/openSUSE_11.2/$THIS_PLATFORM/m aildrop-2.4.0-1.6.$THIS_PLATFORM.rpm
PAM_MYSQL_TARGZ=http://heanet.dl.sourceforge.net/ sourceforge/pam-mysql/pam_mysql-0.7RC1.tar.gz SUPHP_RPM=http://download.opensuse.org/repositori es/server:/php/openSUSE_11.2/$THIS_PLATFORM/suphp -0.7.1-3.1.$THIS_PLATFORM.rpm
#SUPHP_RPM=http://download.opensuse.org/repositor ies/home:/kolbma/openSUSE_11.1/$THIS_PLATFORM/sup hp-0.7.1-16.1.$THIS_PLATFORM.rpm
FAIL2BAN_RPM=http://download.opensuse.org/reposit ories/home:/kolbma/openSUSE_11.1/$THIS_PLATFORM/f ail2ban-0.8.4-2.1.$THIS_PLATFORM.rpm
SQUIRRELMAIL_RPM=http://download.opensuse.org/rep ositories/server:/php:/applications/openSUSE_11.2 /noarch/squirrelmail-1.4.20-1.1.noarch.rpm
Trang 4JAILKIT_TARGZ=http://olivier.sessink.nl/jailkit/j ailkit-2.11.tar.gz
PHPMYADMIN_RPM=http://download.opensuse.org/repos itories/server:/php:/applications/openSUSE_11.2/n oarch/phpMyAdmin-3.3.3-1.1.noarch.rpm
mysql-1.1.0-1.i386.rpm
MYDNS_RPM=http://mydns.bboy.net/download/mydns-VLOGGER_TARGZ=http://n0rp.chemlab.org/vlogger/vlo gger-1.3.tar.gz
RDIFF_BACKUP_TARGZ=http://savannah.nongnu.org/dow nload/rdiff-backup/rdiff-backup-1.2.8.tar.gz ISPCONFIG_TAR_GZ=http://downloads.sourceforge.net /ispconfig/ISPConfig-3.0.2.2.tar.gz?use_mirror= MY_FULLHOSTNAME=$MY_HOSTNAME.$MY_DOMAIN
# Disable apparmor
/etc/init.d/boot.apparmor stop
chkconfig -d boot.apparmor
# Allow ports through firewall
SuSEfirewall2 open EXT TCP 21 80 8080 25 143 465
# Host name
Trang 5echo $MY_FULLHOSTNAME > /etc/HOSTNAME
echo 127.0.0.2 $MY_FULLHOSTNAME $MY_HOSTNAME >> /etc/hosts
echo 69.46.236.210 mydns.bboy.net >> /etc/hosts export HOST=$MY_FULLHOSTNAME
export HOSTNAME=$MY_FULLHOSTNAME
# Postfix, Courier, Saslauthd, MySQL
yast2 -i postfix postfix-mysql mysql mysql-client courier-imap courier-authlib courier-authlib-
mysql python cron cyrus-sasl cyrus-sasl-crammd5 cyrus-sasl-digestmd5 cyrus-sasl-gssapi cyrus-
sasl-otp cyrus-sasl-plain cyrus-sasl-saslauthd libmysqlclient-devel pwgen
chkconfig add mysql
chkconfig add postfix
chkconfig add saslauthd
chkconfig add fam
chkconfig add courier-authdaemon
chkconfig add courier-pop
chkconfig add courier-imap
chkconfig add courier-pop-ssl
chkconfig add courier-imap-ssl
Trang 6#(echo Y; echo $MYSQLROOTPASS; echo
$MYSQLROOTPASS; echo; echo; echo; echo; echo; echo; echo; echo; echo; echo; echo; echo; echo; echo; )
# amavis, spam asassin, etc
yast2 -i amavisd-new clamav clamav-db zoo unzip unrar bzip2 unarj perl-DBD-mysql
# TODO: change /etc/amavisd.conf
#$mydomain = "$MY_DOMAIN"; # a convenient default for other settings
chkconfig add amavis
chkconfig add clamd
/etc/init.d/amavis start
/etc/init.d/clamd start
# Apache2
yast2 -i apache2 apache2-mod_fcgid
yast2 -i bcmath bz2 calendar ctype php5-curl php5-dom php5-ftp php5-gd php5- gettext php5-gmp php5-iconv php5-imap php5-ldap php5-mbstring php5-mcrypt php5-mysql php5-odbc php5-openssl php5-pcntl php5-pgsql php5-posix php5-shmop php5-snmp php5-soap php5-sockets php5- sqlite php5-sysvsem php5-tokenizer php5-wddx
xmlrpc xsl zlib exif fastcgi php5-pear php5-sysvmsg php5-sysvshm
php5-ImageMagick curl apache2-mod_php5
Trang 7yast2 -i pure-ftpd quota
sed -i 's/NoRename.*yes/NoRename no/g' ftpd/pure-ftpd.conf
/etc/pure-sed -i 's/AutoRename.*yes/AutoRename no/g'
/etc/pure-ftpd/pure-ftpd.conf
sed -i 's/# PassivePortRange.*30000
50000/PassivePortRange 30000 30500/g' ftpd/pure-ftpd.conf
/etc/pure-chkconfig add pure-ftpd
# Author: Kurt Garloff
# Please send feedback to
# This program is free software; you can
redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
Trang 8# the Free Software Foundation; either version 2
# You should have received a copy of the GNU
General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 675 Mass Ave, Cambridge, MA
# script on this template and ensure that it
works on non UL based LSB
# compliant Linux distributions, you either have
to provide the rc.status
# functions from UL or change the script to work without them
#
### BEGIN INIT INFO
# Provides: mydns
# Required-Start: \$syslog \$remote_fs mysql
# Should-Start: \$time ypbind sendmail
# Required-Stop: \$syslog \$remote_fs
# Should-Stop: \$time ypbind sendmail
# Default-Start: 3 5
Trang 9# continued on second line by '#<TAB>'
# should contain enough info for the runlevel editor
# to give admin some idea what this service does and
# what it's needed for
# (The Short-Description should already be a good hint.)
### END INIT INFO
# (a) Hard dependencies: This is used by the
runlevel editor to determine
# which services absolutely need to be started to make the start of
# this service make sense Example: nfsserver should have
# Required-Start: \$portmap
# Also, required services are started before the dependent ones
# The runlevel editor will warn about such
missing hard dependencies
# and suggest enabling During system startup, you may expect an error,
# if the dependency is not fulfilled
# (b) Specifying the init script ordering, not real (hard) dependencies
# This is needed by insserv to determine which service should be
# started first (and at a later stage what
Trang 10services can be started
# in parallel) The tag Should-Start: is used for this
# It tells, that if a service is available, it should be started
# before If not, never mind
# * When specifying hard dependencies or ordering requirements, you can
# use names of services (contents of their
Provides: section)
# or pseudo names starting with a \$ The
following ones are available
# according to LSB (1.1):
# \$local_fs all local file systems are mounted
# (most services should need this!)
# \$remote_fs all remote file systems are mounted
# (note that /usr may be remote, so
# many services should Require this!)
# \$syslog system logging facility up
# \$network low level networking (eth card, )
# \$named hostname resolution available
# \$netdaemons all network daemons are running
# The \$netdaemons pseudo service has been
removed in LSB 1.2
# For now, we still offer it for backward
compatibility
# These are new (LSB 1.2):
# \$time the system time has been set correctly
# \$portmap SunRPC portmapping service available
# from the respective start tag
# * Should-Start/Stop are now part of LSB as of 2.0,
# formerly SUSE/Unitedlinux used
Trang 11X-UnitedLinux-Should-Start/-Stop
# insserv does support both variants
# * X-UnitedLinux-Default-Enabled: yes/no is used
# 3 - multiuser w/ network (text mode) 5 -
multiuser w/ network and X11 (xdm)
#
# Note on script names:
#
http://www.linuxbase.org/spec/refspecs/LSB_1.3.0/ gLSB/gLSB/scrptnames.html
# A registry has been set up to manage the init script namespace
# http://www.lanana.org/
# Please use the names already registered or
register one or use a
# vendor prefix
# Check for missing binaries (stale symlinks
should not happen)
# Note: Special treatment of stop for LSB
conformance
MYDNS_BIN=/usr/sbin/mydns
test -x \$MYDNS_BIN || { echo "\$mydns_BIN not installed";
if [ "\$1" = "stop" ]; then exit 0;
else exit 5; fi; }
# Check for existence of needed config file and read it
Trang 12# else exit 6; fi; }
# Read config
# \$MYDNS_CONFIG
# Source LSB init functions
# providing start_daemon, killproc, pidofproc,
# log_success_msg, log_failure_msg and
# Shell functions sourced from /etc/rc.status:
# rc_check check and set local and overall rc status
# rc_status check and set local and overall rc status
# rc_status -v be verbose in local rc status and clear it afterwards
# rc_status -v -r ditto and clear both the local and overall rc status
# rc_status -s display "skipped" and exit with status 3
# rc_status -u display "unused" and exit with status 3
# rc_failed set local and overall rc status to failed
# rc_failed <num> set local and overall rc status
to <num>
# rc_reset clear both the local and overall rc status
# rc_exit exit appropriate to overall rc status
# rc_active checks whether a service is activated
Trang 13# 1 - generic or unspecified error
# 2 - invalid or excess argument(s)
# 3 - unimplemented feature (e.g "reload")
# 4 - user had insufficient privileges
# 5 - program is not installed
# 6 - program is not configured
# 7 - program is not running
# 8 199 - reserved (8 99 LSB, 100 149 distrib, 150 199 appl)
echo -n "Starting mydns "
## Start daemon with startproc(8) If this fails
## the return value is set appropriately by
echo -n "Shutting down mydns "
## Stop daemon with killproc(8) and if this fails
## killproc sets the return value according to LSB
killproc -TERM \$MYDNS_BIN
# Remember status and be verbose
## RH has a similar command named condrestart
if test "\$1" = "condrestart"; then
Trang 14echo "\${attn} Use try-restart
\${done}(LSB)\${attn} rather than condrestart
## do this on signal 1 (SIGHUP)
## If it does not support it, restart
echo -n "Reload service mydns "
echo -n "Reload service mydns "
killproc -HUP \$MYDNS_BIN
Trang 15echo -n "Checking for service mydns "
## Check status with checkproc(8), if process is running
## checkproc will return with exit status 0
# Return value is slightly different for the
status command:
# 0 - service up and running
# 1 - service dead, but /var/run/ pid file exists
# 2 - service dead, but /var/lock/ lock file
exists
# 3 - service not running (unused)
# 4 - service status unknown :-(
# 5 199 reserved (5 99 LSB, 100 149 distro, 150 199 appl.)
# NOTE: checkproc returns LSB compliant status values
test /etc/mydns/mydns.conf -nt /var/run/mydns.pid
&& echo reload
;;
*)
echo "Usage: \$0
{start|stop|status|try-restart|restart|force-reload|reload|probe}"
Trang 16chkconfig add mydns
# VLOGGER and WEBALIZER
chkconfig add fail2ban
service fail2ban start
Trang 17sed -i cgi5\"/x-httpd-php="php:\/usr\/bin\/php-cgi5"\nx- httpd-suphp="php:\/usr\/bin\/php-cgi5"/g'
's/x\-httpd\-php\=\"php\:\/usr\/bin\/php\-/etc/suphp.conf
SuSEconfig
/usr/local/bin/ispconfig_update_from_svn.sh openssl genrsa -passout
pass:0passphrase$MYSQLROOTPASS -des3 -out
/etc/apache2/ssl.key/server.key 4096
(echo;echo;echo;echo;echo;echo;echo;echo;echo;ech o;echo;echo;echo;echo;echo;) | openssl req -
passin pass:0passphrase$MYSQLROOTPASS -new -key /etc/apache2/ssl.key/server.key -out
Trang 18On\nSSLCertificateFile
\/etc\/apache2\/ssl.crt\/server.crt\nSSLCertifica teKeyFile \/etc\/apache2\/ssl.key\/server.key/g' /etc/apache2/sites-available/ispconfig.vhost sed -i 's/DirectoryIndex index.html
index.html.var/DirectoryIndex index.html
index.htm index.shtml index.cgi index.php
index.php5 index.php4 index.php3 index.pl
index.html.var index.aspx default.aspx/g'
Trang 19chmod o-rwx /etc/postfix/smtpd.csr
chmod o-rwx /etc/postfix/smtpd.cert
chown root:root /srvbackup_do
chmod og-rwx /srvbackup_do
cat > /srvbackup_do/dobackup.sh <<EOFMARKER2
#!/bin/bash
cd /srvbackup_do
sync
mysqladmin -p$MYSQLROOTPASS refresh
mysqldump -p$MYSQLROOTPASS all-databases
>mysqldump.sql
chmod og-rw mysqldump.sql
/usr/local/bin/rdiff-backup ids exclude /tmp exclude /backup exclude /mnt exclude /proc exclude /dev exclude /sys exclude /var/lib/ntp/proc exclude /media exclude /var/tmp / /backup/$MY_FULLHOSTNAME EOFMARKER2
preserve-numerical-chown root:root /srvbackup_do/dobackup.sh
chmod og-rwx /srvbackup_do/dobackup.sh