Tux.megazirt.local
Tux is "the box" on which everything else runs. It's my single point of failure, so I look after it. I seem to get the most power/control/performance from the system by running Linux as host, and then having Windows (tuz.megazirt.local) as a Guest instead of the other way round. The other big advantage of having Linux as host and not Windows is also that it makes it easier for me to phase out the Windows stuff in the future. It hosts all the virtual servers, which are listed on the homepage.
Here are a few special things I've set up on Tux. Due to memory restrictions (the board may be 64-bit, but it still has a 4GB design limit, bugger) I'm starting to move things from the virtual servers onto Tux itself.
Network Settings
- Domain Name : www.megazirt.co.uk
- Local IP Address (bri0) : 192.168.8.4
- Wide IP Address (eth0) : 82.133.103.33
- bri0 : Bridge p1p8 & wifi1
Nagios
I run Nagios on this server, mainly to monitor all the virtual servers and update me using [aNag] on my phone if anything breaks.
Ignore the "Fedora Quickstart" guide on the Nagios Official Documentation site; the magic commands to install Nagios are as simple as
sudo yum install nagios nagios-plugins nagios-plugins-all nagios-devel httpd php
sudo chkconfig --level 345 httpd on
sudo chkconfig --level 345 nagios on
service httpd start
service nagios start
To get things going, the default installation user is 'nagiosadmin'; to set its password use htpasswd...
(Make sure to use /etc/nagios/passwd and NOT /etc/passwd)
htpasswd -c /etc/nagios/passwd nagiosadmin
And by magic Nagios is installed and accessible from http://tux.megazirt.local/nagios. You can change the default username as well using /etc/nagios/passwd, but you will need to edit /etc/nagios/cgi.cfg first to give the new user permissions.
Next, check that the configuration is valid with the verbose flag, which reports any errors:
nagios -v /etc/nagios/nagios.cfg
As a little bonus, I like to install Twagios 2. It's a little plugin that will tweet whenever a service goes critical. You can set up a private twitter account for it, or link it into something public if you really want. I follow the instructions as they are at [1] so there is no need to repeat them here.
Samba
Samba setup currently uses the Active Directory server tuz.megazirt.local for authentication. I'd like to change this at some point to something non-Microsoft. Also, without giving the virtual Tuz server a huge virtual drive for folder sharing, there doesn't seem to be any option other than to share the folder from Tux, as you can't share VirtualBox shared folders. Behold the clever Samba stuff...
To make the server more secure I'm trying to keep selinux running, but to do this I need to allow samba access to directories "other than required to run itself." Until I have a better way of specifying (via policy) what directories I want to permit sharing via samba, the only method of running samba seems to be running
setsebool -P samba_export_all_rw 1
which allows all directories; not great, but it allows selinux to run.
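The policy-based alternative this paragraph is looking for, as an added example (not from the original page): label only the directories smb.conf exports with samba_share_t, so smbd stays confined to those trees and samba_export_all_rw can be set back to 0. It assumes Fedora's SELinux tools (semanage, restorecon) and reads the share paths from a constructed smb.conf with the same paths as this page.

```shell
#!/bin/sh
# Added example, not from the original page. Labels only the directories that
# smb.conf exports with samba_share_t, so smbd stays confined to those paths
# and samba_export_all_rw can be set back to 0. Assumes Fedora SELinux tooling
# (semanage, restorecon); paths come from the constructed sample config below.
# Print every "path = ..." value in an smb.conf, one per line.
smb_share_paths() {
    awk '/^[[:space:]]*path[[:space:]]*=/ {
            sub(/^[[:space:]]*path[[:space:]]*=[[:space:]]*/, "")
            sub(/[[:space:]]+$/, "")
            print
        }' "$1"
}

# Build the file-context regex semanage expects for a directory tree:
# /storage/Shared becomes /storage/Shared(/.*)? (dots escaped to match literally).
fcontext_pattern() {
    printf '%s(/.*)?\n' "$(printf '%s' "$1" | sed 's/\./\\./g')"
}

# Label each exported path. Mode "dry" prints the commands instead of running them.
label_shares() {
    conf=$1; mode=${2:-dry}
    smb_share_paths "$conf" | while IFS= read -r dir; do
        pat=$(fcontext_pattern "$dir")
        if [ "$mode" = dry ]; then
            echo "semanage fcontext -a -t samba_share_t '$pat'"
            echo "restorecon -Rv '$dir'"
        else
            semanage fcontext -a -t samba_share_t "$pat"
            restorecon -Rv "$dir"
        fi
    done
}

# Constructed sample smb.conf with this page's share paths (not the real file).
SAMPLE_SMB_CONF=$(mktemp)
cat > "$SAMPLE_SMB_CONF" <<'EOF'
[Storage]
    path = /storage/Shared
[Upload]
    path = /storage/Shared/upload
[Downloaded]
    path = /storage/downloaded
EOF

# Show what would be applied; once done, run: setsebool -P samba_export_all_rw 0
label_shares "$SAMPLE_SMB_CONF" dry
```

Run it as root with a second argument of apply against the real /etc/samba/smb.conf to label the shares, then turn the broad boolean off.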
The server is first set up using the winbind settings. Once that's all done, we can test that Samba recognises the users using the commands
wbinfo -u
and
getent passwd
Groups are displayed using
wbinfo -g
Next we just need to edit the /etc/samba/smb.conf file to act as a Samba Server with ADS security. There seems to be some requirement to add the following lines before the list of shares...
winbind enum groups = yes
winbind enum users = yes
Here's the final smb.conf.
[global]
    workgroup = MEGAZIRT
    realm = MEGAZIRT.LOCAL
    server string = Tux
    security = ADS
    map to guest = Bad User
    password server = TUZ.MEGAZIRT.LOCAL
    log file = /var/log/samba/log.%m
    max log size = 50
    server signing = auto
    idmap uid = 16777216-33554431
    idmap gid = 16777216-33554431
    template shell = /bin/bash
    winbind enum users = Yes
    winbind enum groups = Yes
    winbind use default domain = Yes
    invalid users = root
    cups options = raw

[Storage]
    comment = Public Storage
    path = /storage/Shared
    write list = "+@Domain Admins"
    guest ok = Yes

[Upload]
    comment = Public Upload
    path = /storage/Shared/upload
    valid users = @childs
    read only = No

[Downloaded]
    comment = Torrent Stuff
    path = /storage/downloaded
    valid users = "@Domain Admins"
    read only = No
    browseable = No
I'm now working through the guide at SambaWiki to work out how to configure the roaming profiles for the Windows users! --Alan 12:15, 6 January 2011 (UTC)
DNS
Start by removing dnsmasq and installing bind. I prefer using the beefy BIND and DHCPD, IMHO.
su root -c "yum erase dnsmasq && yum install bind bind-utils -ty && chkconfig --add named && chkconfig named on && systemctl start named.service"
As soon as BIND is installed and running, it can be checked using the following
dig @localhost www.megazirt.co.uk
Next, set up /etc/named.conf to serve the local network, and point it at a file for each zone.
//
// named.conf
//
options {
    // Only serve locally, let 123-reg handle external
    listen-on port 53 { 192.168.8.4; };
    // No IPv6 on this server
    // listen-on-v6 port 53 { ::1; };
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    allow-query { 192.168.8.0/24; };
    allow-recursion { 192.168.8.0/24; };
    allow-transfer { none; };
    dnssec-enable yes;
    dnssec-validation yes;
    dnssec-lookaside auto;
    /* Path to ISC DLV key */
    bindkeys-file "/etc/named.iscdlv.key";
    managed-keys-directory "/var/named/dynamic";
};
logging {
    channel default_debug {
        file "data/named.run";
        severity dynamic;
    };
};
zone "." IN {
    type hint;
    file "named.ca";
};
zone "megazirt.local" {
    type master;
    file "pri.megazirt.local";
};
zone "megazirt.co.uk" {
    type master;
    file "pri.megazirt.co.uk";
};
zone "philsgardenandlandscape.co.uk" {
    type master;
    file "pri.philsgardenandlandscape.co.uk";
};
// Finally, include a file full of advert blocking, see http://www.deer-run.com/~hal/sysadmin/dns-advert-update.html
include "/some/dir/sa-blacklist.current.dummy-block";
// Extra config junk
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
In /etc/named/pri.megazirt.co.uk I've set up the following; the other files follow a similar format.
When everything is done, you'll probably want to change the server's ifcfg-* files to use the localhost DNS server.
DHCP
With my trusty router as backup, the DHCP is on Tux. DHCP is served by the standard Fedora DHCP package, in case it's not installed run...
su root -c "yum install dhcp -y && systemctl enable dhcpd.service && systemctl start dhcpd.service"
Note that the service probably won't run straight away as it hasn't been configured. A sample file is at /usr/share/doc/dhcp*/dhcpd.conf.sample if you are starting the configuration from scratch, but you'll need to customise it heavily; otherwise my example is below. Note that if DHCP fails to start, running dhcpd in the foreground will give you the low-down.
su root -c "vim /etc/dhcp/dhcpd.conf"
# dhcpd.conf
#
# Set up domain naming; the forest is local, public servers don't use DHCP
option domain-name "megazirt.local";
option domain-name-servers 192.168.8.6;
#
default-lease-time 600;
max-lease-time 7200;
# Use this to enable / disable dynamic DNS updates globally.
#ddns-update-style none;
#
# Set this DHCP server as authoritative, all others belong to this
authoritative;
# These are our LAN-connected clients
subnet 192.168.8.0 netmask 255.255.255.0 {
    range 192.168.8.30 192.168.8.125;
    option routers router.megazirt.local;
    default-lease-time 600;
    max-lease-time 7200;
    filename "/pxelinux.0";
    next-server 192.168.8.2;
}
#
# I have a Cisco 7960 that I have to specify a NEXT-SERVER for with its configuration files.
# If I had more than one Cisco phone I'd use the "class of clients" part of DHCP.
host CiscoPhoneAlan {
    hardware ethernet 00:0D:BC:91:0F:BD;
    filename "";
    next-server 192.168.8.2;
}