#!/bin/bash # Zach Loeber - 09/04/09 # # esx_postinstall.sh - Post install script for esx 4.0 hosts # (specifically on HP c7000 blades) # Note: This was a rewrite of a esx 3.5 script I wrote so things # will be commented out (but left in for, "wow, that's how you do # that" sake) # # Description: After setting up an ESX server run this script by # saving it to a location on the new server then do the following: # chmod +x ./esx_postinstall.sh # ./esx_postinstall.sh # or just # sh ./esx_postinstall.sh # Each section should have comments regarding what is going on ################################### # Hosts file manipulation portion # ################################### # Start with a backup #cp /etc/hosts /etc/hosts.old1 #Swap the localhost lines around #awk 'NR==3 { # s=$0 # getline;s=$0"\n"s # getline;print s # next #}1' /etc/hosts > /etc/hosts.new #echo -e '\t\t ' >> /etc/hosts.new #echo -e '\t\t ' >> /etc/hosts.new #echo 'Please edit this file and add all other ESX hosts which might be missing' #echo ' Save as hosts.new when you are done (Ctrl+X then press Y to save)' #echo '' #echo ' -- Press any key to continue --' #read #nano /etc/hosts.new #cp --reply=yes /etc/hosts.new /etc/hosts ########################### # Install Dell OpenManage # ########################### #echo ' I will now download the OpenManage Agent 5.4, if you do not want to continue with this version' #echo ' exit the script and continue manually. Other versions of the agent are at http://ftp.us.dell.com/sysman/' #read #mkdir /tmp/OpenManage/ #cd /tmp/OpenManage/ #esxcfg-firewall -allowoutgoing #lwp-download http://ftp.us.dell.com/sysman/OM_5.4.0_ManNode_A01.tar.gz #tar xzvf OM_5.4.0_ManNode_A01.tar.gz #cd /tmp/OpenManage/linux/supportscripts/ #./srvadmin-install.sh -b -w -r -s #svradmin-services.sh start ############################ # Install Navisphere agent # ############################ #echo ' Make sure that anonymous access has been enabled on the ftp server' #echo ' you can (should) disable this after this script completes' #read #mkdir /tmp/naviagent #cd /tmp/naviagent #lwp-download ftp:///naviagentcli-6.26.5.0.95-1.noarch.rpm #rpm -ivh naviagentcli-6.26.5.0.95-1.noarch.rpm #echo -e 'user system@' >> /etc/Navisphere/agent.config #echo -e 'user system@' >> /etc/Navisphere/agent.config # Put firewall back in safe state then enable ports needed #esxcfg-firewall -blockoutgoing #esxcfg-firewall -o 6389,tcp,in,naviagent #esxcfg-firewall -o 6389,tcp,out,naviagent #esxcfg-firewall -o 6390,tcp,in,naviagent #esxcfg-firewall -o 6391,tcp,in,naviagent #esxcfg-firewall -o 6392,tcp,in,naviagent #esxcfg-firewall -o 443,tcp,out,naviagent #esxcfg-firewall -o 2163,tcp,out,naviagent #esxcfg-firewall -o 1311,tcp,in,OpenManageRequest #service naviagent restart ############## # Misc Stuff # ############## # For updates mkdir /var/updates esxcfg-firewall --openport 8080,tcp,out,dynamicupdates #esxcfg-firewall --enableService LicenseClient # Needed for virtual Center Agent Install #mkdir /tmp/vmware-root ########################### # Setup ntp time services # ########################### # start with a backup of changed files of course cp /etc/ntp.conf /etc/ntp.conf.old1 cp /etc/ntp/step-tickers /etc/ntp/step-tickers.old1 esxcfg-firewall --enableService ntpClient echo '# --Company Specific NTP Settings--' >> /etc/ntp.conf echo 'restrict kod nomodify notrap' >> /etc/ntp.conf echo 'restrict kod nomodify notrap' >> /etc/ntp.conf echo 'server ' >> /etc/ntp.conf echo 'server ' >> /etc/ntp.conf echo '' >> /etc/ntp/step-tickers echo '' >> /etc/ntp/step-tickers chkconfig --level 345 ntpd on service ntpd restart hwclock --systohc ############################# # Configure log compression # ############################# perl -p -i -e 's/nocompress/compress/g' /etc/logrotate.d/vmkernel perl -p -i -e 's/nocompress/compress/g' /etc/logrotate.d/vmksummary perl -p -i -e 's/#compress/compress/g' /etc/logrotate.conf ################## # Configure SNMP # ################## esxcfg-firewall --enableService snmpd mv /etc/snmp/snmpd.conf /etc/snmp/snmpd.conf.old1 echo -e 'proxy -v 1 -c udp:127.0.0.1:171 .1.3.6.1.4.1.6876' >> /etc/snmp/snmpd.conf echo -e 'syscontact ' >> /etc/snmp/snmpd.conf echo -e 'syslocation ' >> /etc/snmp/snmpd.conf echo -e 'rocommunity ' >> /etc/snmp/snmpd.conf echo -e 'trapcommunity public' >> /etc/snmp/snmpd.conf echo -e 'trapsink localhost' >> /etc/snmp/snmpd.conf echo -e 'dlmod SNMPESX\t /usr/lib/vmware/snmp/libSNMPESX.so' >> /etc/snmp/snmpd.conf echo -e 'smuxpeer .1.3.6.1.4.1.674.10892.1' >> /etc/snmp/snmpd.conf mv /etc/vmware/snmp.xml /etc/vmware/snmp.xml.old1 echo -e '' >> /etc/vmware/snmp.xml echo -e '' >> /etc/vmware/snmp.xml echo -e '_RO_SNMP_STRING_' >> /etc/vmware/snmp.xml echo -e 'true' >> /etc/vmware/snmp.xml echo -e '171' >> /etc/vmware/snmp.xml echo -e 'IP address@162 private' >> /etc/vmware/snmp.xml echo -e '' >> /etc/vmware/snmp.xml echo -e '' >> /etc/vmware/snmp.xml ############################### # Changing Qlogic Queue Depth # ############################### #cp /etc/vmware/esx.conf /etc/vmware.esx.old1 #for i in `grep QLogic /etc/vmware/esx.conf | cut -d'/' -f3` #do # echo ${i} # sed "s/^\/device\/${i}\/options.*/\/device\/${i}\/options = \"ql2xmaxqdepth=2048\"/" /etc/vmware/esx.conf > /etc/vmware/tmpfile # mv --reply=yes /etc/vmware/tmpfile /etc/vmware/esx.conf #done # I'll use this slightly less huge number for the queue (plus this is less cryptic) #if grep "QLogic" /etc/vmware/esx.conf ; then # esxcfg-module -s ql2xmaxqdepth=128 qla2300_707_vmw #fi # setting the ql2xmaxdepth queue is usesless w/o upping the amount of requests allowed. #/usr/sbin/esxcfg-advcfg -s 128 /Disk/SchedNumReqOutstanding #/usr/sbin/esxcfg-advcfg -s 1 /Disk/UseLunReset #/usr/sbin/esxcfg-advcfg -s 0 /Disk/UseDeviceReset #/usr/sbin/esxcfg-boot -b ############################### # Configure AD Authentication # ############################### esxcfg-firewall --enableService activeDirectorKerberos echo -e 'nameserver ' >> /etc/resolv.conf esxcfg-auth --enablead --addomain= --addc= esxcfg-auth --enablekrb5 --krb5realm= --krb5kdc= --krb5adminserver= echo "auth sufficient /lib/security/pam_unix_auth.so shadow nullok" >> /etc/pam.d/vmware-authd # The following should add minimum_uid=15 to the end of the following line in /etc/pam.d/system-auth # auth sufficient /lib/security/$ISA/pam_krb5.so use_first_pass # Basically this makes local accounts below uid 15 authenticate locally instead of via kerberos perl -p -i -e 's/use_first_pass/use_first_pass minimum_uid=15/g' /etc/pam.d/system-auth # Kerberos enabled login id's for remote access - note this only works for local logons (like ssh) useradd useradd useradd usermod -a -G wheel usermod -a -G wheel usermod -a -G wheel ############################## # Configure Other Auth Stuff # ############################## #esxcfg-firewall --enableService sshClient #perl -p -i -e 's/PermitRootLogin no/PermitRootLogin yes/g' /etc/ssh/sshd_config #echo -e 'auth\t required\t /lib/security/$ISA/pam_wheel.so use_uid' >> /etc/pam.d/su echo -e '%wheel\t ALL=(ALL)\t ALL' >> /etc/sudoers echo -e 'local2.*\t\t /var/log/messages' >> /etc/syslog.conf echo -e '*.*\t\t @il-chi-itsyslog.na1.ad.group' >> /etc/syslog.conf esxcfg-firewall -o 514,udp,out,syslog ################################################## # Configure secure permissions on critical files # ################################################## chmod 700 /etc/snmp/snmpd.conf service mgmt-vmware restart service snmpd restart chkconfig snmpd on echo 'Complete! - Reboot to be safe' echo ' P.S. Remember to add the wheel group to the admin group in VI Client' read