Public » Linux

• Quiet Boot - Disabled
• Advanced --> Processor Configuration
  • Intel(R) VT for Directed I/O - Enables
  • Intel(R) Hyper-Threading Tech - Disable
• Server Management
  • Resume on AC Power Loss - Power On lub Last State
  • Power Restore Delay - Auto
• Wyłączenie PXE Boot:
  • NIC Configuration --> NIC1 Port1 PXE - Disabled
  • NIC Configuration --> NIC2 Port2 PXE - Disabled
  • NIC Configuration --> IOM1 Port1 PXE - Disabled
  • NIC Configuration --> IOM1 Port2 PXE - Disabled
  • jeśli są kolejne karty to również wyłączamy, czasem na płycie jest 6 i więcej kart

• Wyłącznie Inter RST
• Włączenie interfejsów SATA w trybie AHCI

Wchodzimy do BIOS-u naciskają klawisz DEL

• Preferred Operating Mode -> Advanced
  Zakładka Save & Exit
• Save & Exit Setup -> Yes

Następnie ponownie wchodzimy do BIOS-u

• Advanced CPU Settings
  • Hyper-Threading Technology -> Disable

• Platform Power
  • AC BACK -> Memory (returns to its last known awake state upon the return of the AC power)
• IO Ports
  • Network Stack Configuration
    • Network Stack -> Disable - wszystkie opcje powinny się poniżej wyłączyć
  • SATA Configuration
    • Hot plug -> Enable
  • Miscellaneous
    • Intel Platform Trust Technology -> Disable
    • VT-d -> Enable
    • Trusted Computing -> Disable

• Full Screen LOGO Show -> Disable
• Fast Boot -> Enable
• NetWork Stack Driver Support -> Disable Link
• Next Boot After AC Power Loss -> Normal Boot
• CSM Support -> Enable
• LAN PXE Boot Option ROM -> Disable
• Storage Boot Option Control -> Legacy
• Other PCI devices -> Legacy
• Secure Boot -> Disable - ustawiamy CSM Support na Disable wyłączamy Secure Boot i włączamy CSM Support na Enable

• Save & Exit Setup -> Yes

• rootdelay=10 - odpowiada za opóźnienie botowania
• console=tty0 console=ttyS0,115200n8 - odpowiada za przekierowanie konsoli do SOL
• md-mod.start_dirty_degraded=1 bootdegraded=true - odpowiada za uruchomienie zdegradowanej macierzy RAID
• cgroup_enable=memory swapaccount=1 - odpowiada za obsługę pamięci RAM w kontenerach LXC
• intel_iommu=on - włącza obsługę SR-IOV, dla routerów ustawiamy to na OFF

Powyższe opcje dodajemy do /etc/default/grub przykładowa linia:

GRUB_CMDLINE_LINUX_DEFAULT="quiet cgroup_enable=memory swapaccount=1 intel_iommu=on rootdelay=10 md-mod.start_dirty_degraded=1 bootdegraded=true console=tty0 console=ttyS0,115200n8 pti=off spectre_v2=off l1tf=off nospec_store_bypass_disable no_stf_barrier" 

Routery

GRUB_CMDLINE_LINUX_DEFAULT="quiet cgroup_enable=memory swapaccount=1 intel_iommu=off rootdelay=10 md-mod.start_dirty_degraded=1 bootdegraded=true console=tty0 console=ttyS0,115200n8 pti=off spectre_v2=off l1tf=off nospec_store_bypass_disable no_stf_barrier" 

Po zmianie wykonujemy

update-grub

Temporary:
Do grub dodajemy "intel_iommu=on" sprawa załatwiona sekcje wcześniej

W /etc/network/interfaces dodajemy konfiguracje dla VF w obrębie PF

auto eth0
iface eth0 inet static
    address 192.168.0.206
    netmask 255.255.255.0
    gateway 192.168.0.1
    up echo '7' > /sys/bus/pci/devices/0000\:04\:00.0/sriov_numvfs

Ilość możliwych do uruchmienia VF na karcie czytamy za pomocą cat /sys/bus/pci/devices/0000\:04\:00.0/sriov_totalvfs

gdzie 0000:04:00.0 to adres urządzenia pci z lspci

lspci |grep -i ethern
04:00.0 Ethernet controller: Intel Corporation I350 Gigabit Network Connection (rev 01)
04:00.1 Ethernet controller: Intel Corporation I350 Gigabit Network Connection (rev 01)
04:00.2 Ethernet controller: Intel Corporation I350 Gigabit Network Connection (rev 01)
04:00.3 Ethernet controller: Intel Corporation I350 Gigabit Network Connection (rev 01)

apt -y update; \
apt-get -y install mc ssh less psmisc pciutils tcpdump logrotate cron nano vim rsyslog iptables lsof strace iputils-ping wget screen \
  pbzip2 aptitude htop man iftop bzip2 telnet htop tree rsync \
  dnsutils ncdu mtr arping lldpd bash-completion acl git python3 python3-pip nano net-tools diceware ifstat acl colordiff \
  fail2ban; 

egrep -q -i "^justnet" /etc/group; [ $? -eq 1 ] && addgroup --system justnet; \
egrep -q -i "^admin" /etc/group; [ $? -eq 1 ] && addgroup --system admin; \
egrep -q -i "^remote-console" /etc/group; [ $? -eq 1 ] && addgroup --system remote-console; \

USER=jadmin; \
adduser --force-badname --gecos "JustNet Admin Account" ${USER}; \
for group in justnet remote-console admin; do
 egrep -q -i "^${group}" /etc/group; [ $? -eq 0 ] && adduser ${USER} ${group} || addgroup --system ${group}; adduser ${USER} ${group};
done; \
echo "alias su='su - -c \"export SSH_AUTH_SOCK=$SSH_AUTH_SOCK; bash\"'" >> /home/${USER}/.bashrc; \
mkdir -p /home/${USER}/.config/mc; \
echo -e '[Midnight-Commander]\nuse_internal_edit=true\neditor_fill_tabs_with_spaces=true\neditor_tab_spacing=4\n\n[Panels]\nnavigate_with_arrows=true' > /home/${USER}/.config/mc/ini; \
chown -cR $USER.$USER /home/${USER}

passwd; \
mkdir -p /root/.config/mc; \
echo -e '[Midnight-Commander]\nuse_internal_edit=true\neditor_fill_tabs_with_spaces=true\neditor_tab_spacing=4\n\n[Panels]\nnavigate_with_arrows=true' > /root/.config/mc/ini; \
\
echo -e "\nAllowGroups remote-console\n" >> /etc/ssh/sshd_config; \
/etc/init.d/ssh restart; \
\
echo "auth       required   pam_wheel.so trust group=admin" >> /etc/pam.d/su; \
\
rsync -avz -e ssh jadmin@deploy.justnet.pl:storage/baseconfig/firewall/* /; \
SERVER_IP=`ip li|grep ',UP,'|grep -v lo|cut -d':' -f 2| xargs`; \
mkdir -p /etc/gen/firewall/host:${SERVER_IP}/22:tcp:ssh; \
echo -e "78.9.185.84\t# JustNet VPN" > /etc/gen/firewall/host\:${SERVER_IP}/22\:tcp\:ssh/allow; \
/etc/init.d/ip_firewall restart; \
update-rc.d ip_firewall defaults; \
echo "Europe/Warsaw" > /etc/timezone; \
rm /etc/localtime; \
ln -s /usr/share/zoneinfo/Europe/Warsaw /etc/localtime; \
\
echo 'DAEMON_ARGS="-c -s -e"' >> /etc/default/lldpd; \
systemctl restart lldpd;

apt -y update; \
apt-get -y install git sudo zabbix-agent rsync; \
\
git clone https://github.com/H-Software/Zabbix-Template-Linux-LXC.git /tmp/zabbix; \
cp /tmp/zabbix/conf/zabbix-lxc.conf /etc/zabbix/zabbix_agentd.conf.d/; \
cat /tmp/zabbix/conf/sudoers.d-zabbix-agent >> /etc/sudoers; \
mkdir -p /etc/zabbix/scripts; \
rm -rf /tmp/zabbix/; \
rsync -avz -e ssh jadmin@deploy.justnet.pl:storage/baseconfig/zabbix/* /; \
/etc/init.d/zabbix-agent restart; \
mkdir -p /etc/gen/firewall/host\:${SERVER_IP}/10050\:tcp\:zabbix; \
echo -e "78.9.185.79\t# Zabbix" > /etc/gen/firewall/host\:${SERVER_IP}/10050\:tcp\:zabbix/allow; \
/etc/init.d/ip_firewall restart; \
echo "Dodaj z laski swojej host $HOSTNAME o ip ${SERVER_IP} do zabbiksa";

apt-get update; \
apt-get -y install snmpd; \
sed -i "s|-Lsd|-LS6d|" /etc/init.d/snmpd; \
sed -i "s|-Lsd|-LS6d|" /etc/default/snmpd; \
sed -i "s|-Lsd|-LS6d|" /lib/systemd/system/snmpd.service; \
systemctl daemon-reload;
sed -i "s|udp:127.0.0.1:161|udp:${SERVER_IP}:161|" /etc/snmp/snmpd.conf; \
sed -i "s|rocommunity public  default|rocommunity read-`hostname`  default|" /etc/snmp/snmpd.conf; \
systemctl restart snmpd; \
mkdir -p /etc/gen/firewall/host:${SERVER_IP}/161:udp:snmp; \
echo -e "78.9.185.84\t# JustNet VPN" > /etc/gen/firewall/host\:${SERVER_IP}/161\:udp\:snmp/allow; \
/etc/init.d/ip_firewall restart; \

apt-get update; \
apt-get install -y lxc lxc-templates apparmor bridge-utils debootstrap ntp libvirt0 libpam-cgfs uidmap lvm2 xfslibs-dev xfsprogs distro-info; \
echo "cgroup  /sys/fs/cgroup  cgroup  defaults  0   0" >> /etc/fstab; \
echo "xfs" >> /etc/modules; \
echo "ip_conntrack_ftp" >> /etc/modules; \
echo "iptable_filter" >> /etc/modules; \
echo "nf_conntrack_proto_gre" >> /etc/modules; \
echo "nf_nat_proto_gre" >> /etc/modules; \
echo "nf_conntrack_pptp" >> /etc/modules; \
echo "nf_nat_pptp" >> /etc/modules; \
echo "lxc.rootfs.options = noatime" >> /etc/lxc/default.conf;

Przy tworzeniu kontenera wg:

-B lvm --vgname=first --lvname=lxc-$NAME --fstype=xfs --fssize=10G