Ansible Tower

 

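# Generated by iptables-save v1.4.7 on Tue Aug 23 04:58:34 2016
# Review fix: in the original dump the loopback and ICMP ACCEPT rules came
# after the catch-all "-A INPUT -j REJECT". iptables stops at the first
# terminating target, so those two rules were never evaluated and every new
# connection over lo (anything talking to 127.0.0.1) was rejected. They are
# moved ahead of the REJECT below; nothing else changes.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback first: local services talking over 127.0.0.1 must not be rejected.
-A INPUT -i lo -j ACCEPT
# Replies to connections this host initiated.
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
# SNMP (161) and SNMP traps (162) are accepted from any source. The v1/v2c
# community string in snmpd.conf is the only authentication, so add
# "-s <monitoring-network-placeholder>" here if the host is reachable from
# networks you do not control.
-A INPUT -p udp -m udp --dport 161 -j ACCEPT
-A INPUT -p udp -m udp --dport 162 -j ACCEPT
# SSH; matches "Port 2048" in the deployed sshd_config.
-A INPUT -p tcp -m state --state NEW -m tcp --dport 2048 -j ACCEPT
# Catch-all: everything not explicitly accepted above is rejected.
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Tue Aug 23 04:58:34 2016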
iptables
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA1E3h6EO5zu28LaSQBqMhKRxJQQH+TwX/6m9VtAImW2uxkQ15GUa8CRmDGTQuG3y7OgnY5CUeBVZQgtLPJl3WY4bfz2LXT1ysRzEDPZCIMBFCFSktzeWoIcuaVg59S3ta5LZIp1TOM03vsipaU0zghVO6XbrJ74/YOZIE3ngWuC3ZCMiykRehPoIToLphoG1XKb001hA01cxppwqTKSPhs0YvAOhMy8On9woj2kvWYhbW7R6rPzwCVhBw1VSunYPmGHUEqcQKbfdrnENKYW0w9yM96BUkK4Y4GhikGgwngorsQh6feXDzVOeJ/UOoaa2bgE+Pv6e6OonGiiNeGz9+3w== root@iZ23k44penhZ
authorized_keys
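#       $OpenBSD: sshd_config,v 1.80 2008/07/02 02:24:18 djm Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options change a
# default value.
#
# Site settings are the uncommented directives at the bottom of this file:
# sshd listens on TCP 2048 (the port opened in the deployed iptables rules),
# IPv4 only, does not resolve client hostnames, refuses passwords and
# challenge-response, and lets root in with a key only.
#
# Review change: PermitRootLogin was "yes"; it is now "without-password"
# (see the note next to it).

#Port 22
#ListenAddress 0.0.0.0
#ListenAddress ::

# Disable legacy (protocol version 1) support in the server for new
# installations. In future the default will change to require explicit
# activation of protocol 1
Protocol 2

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 1024

# Logging
# obsoletes QuietMode and FascistLogging
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile     .ssh/authorized_keys
#AuthorizedKeysCommand none
#AuthorizedKeysCommandRunAs nobody

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
#PermitEmptyPasswords no

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
#KerberosUseKuserok yes

# GSSAPI options
#GSSAPIAuthentication no
GSSAPIAuthentication yes
#GSSAPICleanupCredentials yes
GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
# (Both are set to 'no' below, so PAM here only does account/session work.)
#UsePAM no
UsePAM yes

# Accept locale-related environment variables
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
# NOTE(review): X11 forwarding is enabled although this host is provisioned as
# a headless server; leave it at the default "no" unless something needs it.
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#ShowPatchLevel no
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none

# no default banner path
#Banner none

# override default of no subsystems
Subsystem       sftp    /usr/libexec/openssh/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
#       X11Forwarding no
#       AllowTcpForwarding no
#       ForceCommand cvs server

# ---- Site overrides. sshd keeps the first value it sees for a keyword; none
# ---- of these is set earlier in the file, so they all take effect. ----
# Skip reverse DNS of the client: faster logins, no dependency on resolvers.
UseDNS no
# IPv4 only; the play deploys IPv4 iptables rules only.
AddressFamily inet
# The play installs /root/.ssh/authorized_keys and disables passwords below,
# so root needs key login only. "without-password" is the OpenSSH 5.x
# spelling (newer releases accept it as an alias of prohibit-password); it
# refuses password and keyboard-interactive logins for root even if
# PasswordAuthentication is later switched back on.
PermitRootLogin without-password
SyslogFacility AUTHPRIV
# Non-default port; the matching firewall rule is the tcp dport 2048 ACCEPT in
# iptables/iptables, and Ansible must connect on this port after the reboot.
Port 2048
# Keys only: no password logins for any account.
PasswordAuthentication no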
sshd_config
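#!/bin/bash
# BLOG:  https://blog.linuxeye.com
# Project home page:
#       https://oneinstack.com
#       https://github.com/lj2007331/oneinstack
#
# Partition, format (ext4) and mount a single unused virtio disk (/dev/vd*)
# under $MOUNT_DIR.  Must run as root; a lock file in /tmp stops a second
# concurrent run.
#
# Review fix: the lock file and the two scratch files lived at fixed,
# predictable names in /tmp and were created by this root process with a plain
# `touch` / `>`.  An unprivileged local user could pre-create a symlink at one
# of those names and have root truncate or write an arbitrary file (CWE-377).
# The lock is now created with O_EXCL (bash noclobber), which refuses an
# existing path or a symlink, and the scratch files come from mktemp.

export PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
export LANG=en_US.UTF-8
clear
printf "
#######################################################################
#       OneinStack for CentOS/RadHat 5+ Debian 6+ and Ubuntu 12+      #
#                             Auto fdisk                              #
#       For more information please visit http://oneinstack.com       #
#######################################################################
"

# Pick an echo that understands -e (some builtins print "-e" literally).
echo=echo
for cmd in echo /bin/echo; do
        $cmd >/dev/null 2>&1 || continue
        if ! $cmd -e "" | grep -qE '^-e'; then
                echo=$cmd
                break
        fi
done
# ANSI colour escapes used in the status messages below.
CSI=$($echo -e "\033[")
CEND="${CSI}0m"
CDGREEN="${CSI}32m"
CRED="${CSI}1;31m"
CGREEN="${CSI}1;32m"
CYELLOW="${CSI}1;33m"
CBLUE="${CSI}1;34m"
CMAGENTA="${CSI}1;35m"
CCYAN="${CSI}1;36m"
CSUCCESS="$CDGREEN"
CFAILURE="$CRED"
CQUESTION="$CMAGENTA"
CWARNING="$CYELLOW"
CMSG="$CCYAN"

# Check if user is root
[ "$(id -u)" != "0" ] && { echo "${CFAILURE}Error: You must be root to run this script${CEND}"; exit 1; }

MOUNT_DIR=/data
FSTAB_FILE=/etc/fstab

count=0
# Scratch files (mount point list / partition list, pasted together in main).
# mktemp creates them empty, mode 0600, with an unpredictable name, so no
# pre-planted symlink can redirect the writes that follow.
TMP1=$(mktemp /tmp/.auto_disk.XXXXXX) || { echo "${CFAILURE}Error: cannot create temp file${CEND}"; exit 1; }
TMP2=$(mktemp /tmp/.auto_disk.XXXXXX) || { rm -f "$TMP1"; echo "${CFAILURE}Error: cannot create temp file${CEND}"; exit 1; }

# check lock file, one time only let the script run one time
LOCKfile=/tmp/.$(basename $0)
# `set -C` (noclobber) makes `>` open the path with O_EXCL, so the creation
# fails atomically when the path already exists -- including when it is a
# symlink planted by another user.  The subshell keeps noclobber local, so the
# later `> $LOCKfile` rewrites in check_disk and main still work.
if ( set -C; : > "$LOCKfile" ) 2>/dev/null; then
    echo
    echo "${CMSG}Step 1.No lock file, begin to create lock file and continue${CEND}"
    echo
else
    echo
    echo "${CWARNING}The script is already exist, please next time to run this script${CEND}"
    echo
    rm -f "$TMP1" "$TMP2"
    exit
fi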

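# check disk partition
# Scan the virtio disks (/dev/vd*) and collect those that carry no filesystem
# and no partition table and are neither mounted nor used as / or swap in
# $FSTAB_FILE.  Candidates are written to $LOCKfile (one device per line) and
# to the global $DISK_LIST; $count receives how many there are.
# Exits 0 when there is nothing to do or when more than one disk qualifies
# (manual handling required).
# Review fix: the "at least two free disks" exit left $LOCKfile in place, so
# every later run refused with "already exist" until someone deleted it by
# hand.  Both early exits now remove the lock and scratch files, like the
# cleanup at the end of the script.
check_disk() {
    > $LOCKfile
    for i in $(fdisk -l | grep "Disk" | grep "/dev" | awk '{print $2}' | awk -F: '{print $1}' | grep "vd")
    do
        # blkid reports nothing for the device: no filesystem and no DOS label.
        if [ -z "$(blkid | grep -v 'PTTYPE="dos"' | grep -w "$i")" ];then
            # Lines naming the device in fdisk output: 1 means header only, no partitions.
            DEVICE_COUNT=$(fdisk -l $i | grep "$i" | awk '{print $2}' | awk -F: '{print $1}' | wc -l)
            NEW_MOUNT=$(df -h)
            if [ "$DEVICE_COUNT" -lt 2 ];then
                # Skip if the raw device is mounted, or fstab uses it as / or as swap.
                if [ -n "$(echo $NEW_MOUNT | grep -w "$i")" -o "$(grep -v '^#' $FSTAB_FILE | grep -v ^$ | awk '{print $1,$2,$3}' | grep -w "$i" | awk '{print $2}')" == '/' -o "$(grep -v '^#' $FSTAB_FILE | grep -v ^$ | awk '{print $1,$2,$3}' | grep -w "$i" | awk '{print $3}')" == 'swap' ];then
                    echo "${CWARNING}The $i disk is mounted${CEND}"
                else
                    echo $i >> $LOCKfile
                    echo "You have a free disk, Now will fdisk it and mount it"
                fi
            fi
        fi
    done
    DISK_LIST=$(cat $LOCKfile)
    if [ "X$DISK_LIST" == "X" ];then
        echo
        echo "${CWARNING}No free disk need to be fdisk. Exit script${CEND}"
        echo
        rm -rf $LOCKfile $TMP1 $TMP2
        exit 0
    else
        echo "${CMSG}This system have free disk :${CEND}"
        for i in $DISK_LIST
        do
            echo "$i"
            count=$((count+1))
        done
        # Two or more candidates: refuse to guess which one to wipe.
        [ $count -gt 1 ] && { echo "${CWARNING}This system has at least two free disk, You must manually mount it${CEND}"; rm -rf $LOCKfile $TMP1 $TMP2; exit 0; }
    fi
}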

# check os
# Detect Aliyun Linux 5: both /etc/issue and /etc/aliyun-release must mention
# "Aliyun Linux release", and the former must say "release 5".  When they do,
# os_release is set to "aliyun5" and modify_env is called to provide ext4.
# Sets the globals os_release and os_release_2 as a side effect.
check_os() {
    os_release=$(grep "Aliyun Linux release" /etc/issue 2>/dev/null)
    os_release_2=$(grep "Aliyun Linux release" /etc/aliyun-release 2>/dev/null)
    # Not Aliyun Linux at all: nothing to do.
    [ -n "$os_release" ] && [ -n "$os_release_2" ] || return 0
    if echo "$os_release" | grep -q "release 5" 2>/dev/null;then
        os_release=aliyun5
        modify_env
    fi
}

# install ext4
# Called from check_os for Aliyun Linux 5 only: load the ext4 kernel module
# and install the e4fsprogs package (presumably what provides the mkfs.ext4
# used by fdisk_fun -- verify on the target).  Exit status is that of yum.
modify_env() {
    modprobe ext4
    yum install -y e4fsprogs
}

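# fdisk ,formating and create the file system
# Create one primary partition spanning the whole disk $1 and format it as
# ext4.  The heredoc answers fdisk's interactive prompts: n (new partition),
# p (primary), 1 (partition number), two empty lines (default first and last
# sector), then write.  "-S 56" overrides the sectors-per-track geometry; it
# is carried over from the original script (alignment tweak, not verified).
# Review fix: with an empty $1 this used to run `fdisk -S 56` without a
# device and then `mkfs.ext4 1`; the argument is now required and quoted.
fdisk_fun() {
    local dev="$1"
    if [ -z "$dev" ]; then
        echo "${CFAILURE}fdisk_fun: no device given${CEND}"
        return 1
    fi
fdisk -S 56 "$dev" << EOF
n
p
1


wq
EOF

    # Give the kernel a moment to pick up the new partition table before
    # formatting the first partition.
    sleep 5
    mkfs.ext4 "${dev}1"
}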

# make directory
# Create the mount point $MOUNT_DIR, moving an existing directory of that name
# aside as ${MOUNT_DIR}_bk, and record the mount point in $TMP1 for the fstab
# step in main.
make_dir() {
    echo "${CMSG}Step 4.Begin to make directory${CEND}"
    if [ -d "$MOUNT_DIR" ]; then
        mv "$MOUNT_DIR" "${MOUNT_DIR}_bk"
    fi
    mkdir -p "$MOUNT_DIR"
    echo "$MOUNT_DIR" >> "$TMP1"
}

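# config /etc/fstab and mount device
# For each device in $DISK_LIST: partition and format it (fdisk_fun), create
# the mount point (make_dir), append a "<partition> <mountpoint> ext4" line to
# $FSTAB_FILE when neither is listed there yet, then `mount -a`.
# Review fixes: (1) the "already mount" exit left $LOCKfile (and the scratch
# files) behind, blocking every later run; (2) the fstab checks were unanchored
# substring matches, so an existing entry such as /data_bk or /database
# suppressed the new /data line -- both checks now match whole words.
main() {
    for i in $DISK_LIST
    do
        echo
        echo "${CMSG}Step 3.Begin to fdisk free disk${CEND}"
        if df -h | grep -qw "${i}1"; then
            echo "${CFAILURE}The ${i}1 already mount${CEND}"
            echo
            rm -rf $LOCKfile $TMP1 $TMP2
            exit 0
        fi
        fdisk_fun $i > /dev/null 2>&1
        echo
        echo "${i}1" >> $TMP2
    done
    make_dir
    # From here on $LOCKfile holds the "<partition> <mountpoint>" table.
    > $LOCKfile
    paste $TMP2 $TMP1 > $LOCKfile
    echo
    echo "${CMSG}Step 5.Begin to write configuration to /etc/fstab and mount device${CEND}"
    while read a b
    do
        if ! grep -qw "^${a}" $FSTAB_FILE && ! grep -qw "${b}" $FSTAB_FILE; then
            echo "${a} $b      ext4    defaults    0 0" >> $FSTAB_FILE
        fi
    done < $LOCKfile
    mount -a
    echo
}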

# start script
# Order matters: check_os (ext4 on Aliyun 5) -> check_disk (fills $DISK_LIST,
# exits when there is nothing to do) -> main (partition, format, fstab, mount).
echo "${CMSG}Step 2.Begin to check free disk${CEND}"
# Commented-out hooks left by the author (stop a service and move the old
# /data aside before, restore afterwards).
#service mysqld stop
#mv /data /root
check_os
check_disk
main
df -h
#mv /root/data/* /data
#service mysqld start
# Remove the lock and scratch files so the script can run again later.
rm -rf $LOCKfile $TMP1 $TMP2
auto_disk.sh
# /etc/profile

# System wide environment and startup programs, for login setup
# Functions and aliases go in /etc/bashrc

# It's NOT a good idea to change this file unless you know what you
# are doing. It's much better to create a custom.sh shell script in
# /etc/profile.d/ to make custom changes to your environment, as this
# will prevent the need for merging in future updates.

pathmunge () {
    # Add $1 to PATH unless it is already present as a whole component.
    # With $2 = "after" it is appended, otherwise prepended.
    case ":${PATH}:" in
        *:"$1":*)
            return 0
            ;;
    esac
    if [ "$2" = "after" ] ; then
        PATH=$PATH:$1
    else
        PATH=$1:$PATH
    fi
}


# Identity variables for the login shell, taken from id(1) when available.
if [ -x /usr/bin/id ]; then
    if [ -z "$EUID" ]; then
        # ksh workaround: shells without built-in EUID/UID get them from id(1).
        EUID=$(id -u)
        UID=$(id -ru)
    fi
    USER=$(id -un)
    LOGNAME=$USER
    MAIL="/var/spool/mail/$USER"
fi

# Path manipulation
# Non-root users get the sbin directories appended (in this order); root gets
# them prepended, so root's PATH starts /usr/local/sbin:/usr/sbin:/sbin:...
if [ "$EUID" != "0" ]; then
    pathmunge /usr/local/sbin after
    pathmunge /usr/sbin after
    pathmunge /sbin after
else
    pathmunge /sbin
    pathmunge /usr/sbin
    pathmunge /usr/local/sbin
fi

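HOSTNAME=$(/bin/hostname 2>/dev/null)

# Shell history: 100 entries in memory, 200 in the history file, and each
# entry stamped with the time it was run so history can be matched to logs.
HISTFILESIZE=200
HISTSIZE=100
HISTTIMEFORMAT="%Y%m%d-%H%M%S: " #or HISTTIMEFORMAT="%Y%m%d %T "
# Review fix: the original exported the misspelled name HISTTIMEFORMA, so the
# format was set in the login shell but never reached child shells.
export HISTTIMEFORMAT

# Drop consecutive duplicates; also drop space-prefixed commands if the
# environment already asked for that.
if [ "$HISTCONTROL" = "ignorespace" ] ; then
    export HISTCONTROL=ignoreboth
else
    export HISTCONTROL=ignoredups
fi

export PATH USER LOGNAME MAIL HOSTNAME HISTSIZE HISTCONTROL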

# By default, we want umask to get set. This sets it for login shell
# Current threshold for system reserved uid/gids is 200
# You could check uidgid reservation validity in
# /usr/share/doc/setup-*/uidgid file
# Start restrictive; relax to group-writable only for non-system accounts
# whose primary group has the same name as the user (presumably the
# user-private-group scheme).
umask 022
if [ $UID -gt 199 ] && [ "$(id -gn)" = "$(id -un)" ]; then
    umask 002
fi

# Source the drop-in scripts.  In an interactive shell ($- contains "i") they
# may print; in a non-interactive one their output is silenced.
for i in /etc/profile.d/*.sh ; do
    [ -r "$i" ] || continue
    case $- in
        *i*) . "$i" ;;
        *)   . "$i" >/dev/null 2>&1 ;;
    esac
done

unset i
unset -f pathmunge
profile
# Resolver options: 1 s timeout and a single attempt per server, and rotate
# queries across the listed servers instead of always asking the first one.
options timeout:1 attempts:1 rotate
# Private-range (10.0.0.0/8) resolvers followed by public ones.
# NOTE(review): glibc reads at most three nameserver lines (MAXNS), so the
# fourth entry below is silently ignored.
nameserver 10.143.22.116
nameserver 10.143.22.118
nameserver 8.8.8.8
nameserver 114.114.114.114
resolv.conf
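# Kernel settings deployed to /etc/sysctl.conf by the playbook.
# Review fix: net.ipv4.tcp_wmem / tcp_rmem take "min default max"; the
# original had default (4336600) larger than max (873200), i.e. the last two
# values transposed.  They are swapped below so the default lies inside the
# allowed range.  No other value is changed.

# Not a router: do not forward, refuse source-routed packets, and apply
# reverse-path filtering on new interfaces.
net.ipv4.ip_forward = 0
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.default.accept_source_route = 0
# Disable the magic SysRq key; include the PID in core dump file names.
kernel.sysrq = 0
kernel.core_uses_pid = 1
# SYN cookies: keeps the host reachable under a SYN flood.
net.ipv4.tcp_syncookies = 1
# SysV IPC limits: message queues and shared memory (shmmax = 64 GiB).
kernel.msgmnb = 65536
kernel.msgmax = 65536
kernel.shmmax = 68719476736
kernel.shmall = 4294967296
net.ipv4.tcp_max_tw_buckets = 150000
net.ipv4.tcp_sack = 1
net.ipv4.tcp_window_scaling = 1
# TCP socket buffers: min default max (bytes).
net.ipv4.tcp_wmem = 8192 873200 4336600
net.ipv4.tcp_rmem = 32768 873200 4336600
net.core.wmem_default = 8388608
net.core.rmem_default = 8388608
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
net.core.netdev_max_backlog = 262144
net.core.somaxconn = 262144
net.ipv4.tcp_max_orphans = 3276800
net.ipv4.tcp_max_syn_backlog = 262144
# NOTE(review): with tcp_timestamps = 0 the two TIME-WAIT knobs below are
# inert -- tcp_tw_recycle and tcp_tw_reuse both depend on timestamps -- and
# tcp_tw_recycle is known to break clients behind NAT (it was removed from the
# kernel in 4.12).  Either keep timestamps on and drop tw_recycle, or drop
# all three lines; the current combination is self-contradictory.
net.ipv4.tcp_timestamps = 0
net.ipv4.tcp_synack_retries = 1
net.ipv4.tcp_syn_retries = 1
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_mem = 786432 1048576 1572864
net.ipv4.tcp_fin_timeout = 30
#net.ipv4.tcp_keepalive_time = 30
net.ipv4.tcp_keepalive_time = 300
net.ipv4.ip_local_port_range = 1024 65000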
sysctl.conf
# Map the SNMP v1/v2c community "1public1" from any source address
# ("default") to the security name notConfigUser.
# NOTE(review): for v1/v2c the community string is the only authentication and
# it travels in cleartext; the deployed iptables rules accept UDP 161 from any
# source, so "default" should be narrowed to the monitoring network and the
# string kept out of the repository (e.g. templated from an Ansible vault
# variable) rather than committed here.
com2sec notConfigUser default 1public1 #default is all IP address
group notConfigGroup v1 notConfigUser
group notConfigGroup v2c notConfigUser

# name incl/excl subtree mask(optional)
# systemview (system and host-resources subtrees) is defined but not
# referenced by any access line below, so it has no effect.
view systemview included .1.3.6.1.2.1.1
view systemview included .1.3.6.1.2.1.25.1.1

# Read view "all" (the entire OID tree, .1); write and notify views are none.
access notConfigGroup "" any noauth exact all none none
view all included .1 80
view mib2 included .iso.org.dod.internet.mgmt.mib-2 fc
snmpd.conf

 

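---
# Bootstrap a fresh CentOS 6 host: full update, base tools, EPEL, NTP,
# Java 1.7, firewall, SSH hardening, sysctl/profile, data disk, snmpd, reboot.
#
# Review fixes against the original:
#   * Task names were written as `name: ####Title####`. After `: ` a `#`
#     starts a YAML comment, so every name was null, and the `- name:` items
#     that stood alone (module on the next list item) are rejected by Ansible
#     with "no action detected in task". Each name is now a quoted string on
#     the same task as its module.
#   * /root/.ssh was created 0644 (world-readable, no execute bit on a
#     directory); it is now 0700, which is also what sshd StrictModes expects.
#   * auto_disk.sh was copied to /tmp with the default mode and chmod'ed in a
#     second task; it is now copied in one step with mode 0700 to /root
#     (not the world-writable /tmp) and removed afterwards.
#   * sshd_config is validated with `sshd -t` before replacing the live file,
#     and the EPEL release package is fetched over https.
- hosts: all
  remote_user: root
  tasks:
  # Updates every installed package on each run; not idempotent across runs.
  - name: System update
    yum:
      name: '*'
      state: latest

  - name: Install lrzsz, nethogs and nload
    yum:
      name: "{{ item }}"
      state: present
    with_items:
    - lrzsz
    - nethogs
    - nload

  - name: Install EPEL yum repo
    yum:
      name: https://dl.fedoraproject.org/pub/epel/epel-release-latest-6.noarch.rpm
      state: present

  - name: Install NTP
    yum:
      name: ntp
      state: latest

  - name: Install Java 1.7 and some basic dependencies
    yum:
      name: "{{ item }}"
      state: present
    with_items:
    - java-1.7.0-openjdk
    - libselinux-python
    - libsemanage-python

  - name: Configure iptables
    copy:
      src: iptables/iptables
      dest: /etc/sysconfig/iptables
      force: true

  # Key-only root access. The shipped sshd_config sets "PasswordAuthentication
  # no" and "Port 2048", so after the reboot at the end of this play the
  # inventory must connect with ansible_port=2048.
  - name: Create /root/.ssh
    file:
      path: /root/.ssh
      state: directory
      mode: '0700'

  - name: Copy sshd_config
    copy:
      src: ssh/sshd_config
      dest: /etc/ssh/sshd_config
      force: true
      validate: /usr/sbin/sshd -t -f %s

  - name: Copy root authorized_keys
    copy:
      src: ssh/authorized_keys
      dest: /root/.ssh/authorized_keys
      force: true
      mode: '0600'

  - name: Replace sysctl.conf
    copy:
      src: system/sysctl.conf
      dest: /etc/sysctl.conf
      force: true

  - name: Replace /etc/profile
    copy:
      src: system/profile
      dest: /etc/profile
      force: true

  # "started" does not reload an already running service; the new rule set in
  # /etc/sysconfig/iptables takes effect at the reboot below.
  - name: Enable iptables to be started at boot
    service:
      name: iptables
      enabled: true
      state: started

  - name: Copy auto_disk.sh
    copy:
      src: fdisk/auto_disk.sh
      dest: /root/auto_disk.sh
      mode: '0700'

  # One-shot: partitions, formats and mounts a free /dev/vd* disk on /data.
  - name: Partition and mount the free disk on /data
    command: /root/auto_disk.sh

  - name: Remove auto_disk.sh
    file:
      path: /root/auto_disk.sh
      state: absent

  - name: Install snmpd
    yum:
      name: net-snmp
      state: present

  - name: Copy snmpd.conf
    copy:
      src: snmp/snmpd.conf
      dest: /etc/snmp/snmpd.conf
      force: true

  - name: Enable and restart snmpd
    service:
      name: snmpd
      enabled: true
      state: restarted

  # Fire-and-forget so the play does not fail when the SSH session drops.
  - name: Reboot
    command: shutdown -r now
    async: 1
    poll: 0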

 
