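# Generated by iptables-save v1.4.7 on Tue Aug 23 04:58:34 2016
# Deployed to /etc/sysconfig/iptables by the playbook and loaded by the
# iptables service. iptables-restore reads this file top to bottom and the
# first matching terminating target wins.
#
# Review change vs. the previous revision: the loopback ("-i lo") and ICMP
# ACCEPT rules were appended AFTER the catch-all "-j REJECT", so they never
# matched -- every packet on lo and every ICMP message was rejected. They now
# sit at the top of INPUT where they take effect.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback first, then replies to connections we initiated, then ICMP.
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
# SNMP agent (udp/161). No source restriction: the v1/v2c community string in
# snmpd.conf is the only thing between the Internet and the full MIB tree.
# Add "-s <poller-address-or-subnet>" to this rule once the poller is known.
-A INPUT -p udp -m udp --dport 161 -j ACCEPT
# udp/162 is the trap *receiver* port; only needed if snmptrapd runs on this
# host (the playbook installs net-snmp but only starts snmpd).
-A INPUT -p udp -m udp --dport 162 -j ACCEPT
# sshd listens on tcp/2048 ("Port 2048" in ssh/sshd_config).
-A INPUT -p tcp -m state --state NEW -m tcp --dport 2048 -j ACCEPT
# Everything else is rejected (not dropped): fast failure for legitimate
# misconfigured clients, at the cost of confirming the host is up.
-A INPUT -j REJECT --reject-with icmp-host-prohibited
# This host does not route (net.ipv4.ip_forward = 0 in sysctl.conf).
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Tue Aug 23 04:58:34 2016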
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA1E3h6EO5zu28LaSQBqMhKRxJQQH+TwX/6m9VtAImW2uxkQ15GUa8CRmDGTQuG3y7OgnY5CUeBVZQgtLPJl3WY4bfz2LXT1ysRzEDPZCIMBFCFSktzeWoIcuaVg59S3ta5LZIp1TOM03vsipaU0zghVO6XbrJ74/YOZIE3ngWuC3ZCMiykRehPoIToLphoG1XKb001hA01cxppwqTKSPhs0YvAOhMy8On9woj2kvWYhbW7R6rPzwCVhBw1VSunYPmGHUEqcQKbfdrnENKYW0w9yM96BUkK4Y4GhikGgwngorsQh6feXDzVOeJ/UOoaa2bgE+Pv6e6OonGiiNeGz9+3w== root@iZ23k44penhZ
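# /etc/ssh/sshd_config -- deployed by the playbook (copy src=ssh/sshd_config).
# Based on the stock template ($OpenBSD: sshd_config,v 1.80 2008/07/02), which
# presumably means OpenSSH 5.3 as shipped with CentOS 6 (the playbook uses the
# EPEL 6 repo) -- TODO confirm on the target. Options not listed keep their
# compiled-in defaults; see sshd_config(5). The stock comment block that was
# here had been garbled (every line mentioning PasswordAuthentication was
# missing), so it is replaced by the notes below.
#
# Review changes vs. the previous revision:
#   PermitRootLogin yes -> without-password
#       Root may only log in with a key (the one the playbook installs in
#       /root/.ssh/authorized_keys). Password authentication is already off
#       globally; this keeps root password logins off even if that is ever
#       re-enabled. "prohibit-password" is the newer spelling; "without-
#       password" is still accepted as an alias by current OpenSSH.
#   X11Forwarding yes -> no
#       Headless server; X11 forwarding only adds attack surface for the
#       client (a compromised server can drive the user's display).

# --- Network ---
# The firewall must admit tcp/2048 (see the iptables rules file).
Port 2048
AddressFamily inet
Protocol 2
#ListenAddress 0.0.0.0

# Host keys: compiled-in defaults.
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key

# --- Logging ---
SyslogFacility AUTHPRIV
#LogLevel INFO

# --- Authentication: public key only ---
PermitRootLogin without-password
PasswordAuthentication no
ChallengeResponseAuthentication no
#PubkeyAuthentication yes
#AuthorizedKeysFile .ssh/authorized_keys
#PermitEmptyPasswords no
#MaxAuthTries 6
#LoginGraceTime 2m
#StrictModes yes

# GSSAPI stays enabled as in the RHEL default. NOTE(review): nothing in this
# playbook configures a Kerberos realm, so this is presumably a no-op here;
# set to "no" if the host will never be domain-joined.
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes

# PAM is used for account and session processing only. Because both
# PasswordAuthentication and ChallengeResponseAuthentication are "no", PAM
# cannot reintroduce a password prompt.
UsePAM yes

# --- Environment passed through from the client ---
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS

# --- Forwarding ---
X11Forwarding no
#AllowTcpForwarding yes
#AllowAgentForwarding yes
#GatewayPorts no
#PermitTunnel no

# Skip the reverse DNS lookup on connect; it slows logins and adds no security.
UseDNS no

# override default of no subsystems
Subsystem sftp /usr/libexec/openssh/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
#	X11Forwarding no
#	AllowTcpForwarding no
#	ForceCommand cvs server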
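#!/bin/bash
# BLOG: https://blog.linuxeye.com
# Project home page:
# https://oneinstack.com
# https://github.com/lj2007331/oneinstack
#
# auto_disk.sh: find the single unpartitioned, unmounted virtio disk
# (/dev/vd*) on this host, give it one primary partition, format it ext4,
# mount it on /data and record it in /etc/fstab. Exits without touching
# anything when there is no free disk, or more than one (the operator must
# then pick one by hand).
#
# DESTRUCTIVE: every /dev/vd* disk that blkid reports no signature for, that
# fdisk lists no partition on, and that appears neither in df nor in fstab
# (as / or swap) is partitioned and formatted without confirmation.
#
# Review changes vs. the previous revision:
#   - Scratch files lived at fixed names in world-writable /tmp (/tmp/.tmp1,
#     /tmp/.tmp2 and /tmp/.auto_disk.sh) and were truncated with ">" and read
#     back by root; an unprivileged local user could pre-create them as
#     symlinks (e.g. to /etc/fstab) or seed the device/mountpoint list that is
#     appended to fstab. They now live in a mktemp(1) directory (mode 0700,
#     unpredictable name) and the lock is in root-owned /var/lock.
#   - The lock was only deleted on some exit paths (not on "already mounted"
#     or "two free disks"), so an aborted run blocked every later one. A trap
#     now removes lock and scratch directory on every exit.
export PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
export LANG=en_US.UTF-8

clear
printf "
#######################################################################
#       OneinStack for CentOS/RadHat 5+ Debian 6+ and Ubuntu 12+      #
#                          Auto fdisk                                 #
#       For more information please visit http://oneinstack.com       #
#######################################################################
"

# Pick an echo that understands -e (some /bin/sh builtins print "-e" literally).
echo=echo
for cmd in echo /bin/echo; do
  $cmd >/dev/null 2>&1 || continue
  if ! $cmd -e "" | grep -qE '^-e'; then
    echo=$cmd
    break
  fi
done

# ANSI colour helpers.
CSI=$($echo -e "\033[")
CEND="${CSI}0m"
CDGREEN="${CSI}32m"
CRED="${CSI}1;31m"
CGREEN="${CSI}1;32m"
CYELLOW="${CSI}1;33m"
CBLUE="${CSI}1;34m"
CMAGENTA="${CSI}1;35m"
CCYAN="${CSI}1;36m"
CSUCCESS="$CDGREEN"
CFAILURE="$CRED"
CQUESTION="$CMAGENTA"
CWARNING="$CYELLOW"
CMSG="$CCYAN"

# Check if user is root
[ $(id -u) != "0" ] && { echo "${CFAILURE}Error: You must be root to run this script${CEND}"; exit 1; }

MOUNT_DIR=/data
FSTAB_FILE=/etc/fstab
count=0

# Lock: only one instance at a time. /var/lock is root-owned, unlike /tmp.
LOCKfile=/var/lock/$(basename "$0").lock
if [ -f "$LOCKfile" ]; then
  echo
  echo "${CWARNING}The script is already exist, please next time to run this script${CEND}"
  echo
  exit
fi
echo
echo "${CMSG}Step 1.No lock file, begin to create lock file and continue${CEND}"
echo
touch "$LOCKfile"

# Private scratch directory for the free-disk list, the device and mountpoint
# lists and their pasted device/mountpoint map. Removed with the lock on exit.
WORK_DIR=$(mktemp -d /tmp/auto_disk.XXXXXX) || { echo "${CFAILURE}Error: cannot create scratch directory${CEND}"; rm -f "$LOCKfile"; exit 1; }
DISK_LIST_FILE=$WORK_DIR/disks
TMP1=$WORK_DIR/mountpoints
TMP2=$WORK_DIR/devices
MOUNT_MAP=$WORK_DIR/map
> "$TMP1"
> "$TMP2"
trap 'rm -rf "$LOCKfile" "$WORK_DIR"' EXIT

# Enumerate /dev/vd* disks and record the free ones in $DISK_LIST_FILE.
# Sets DISK_LIST (space-separated device paths) and exits 0 when there are
# zero or more than one free disks.
check_disk() {
  > "$DISK_LIST_FILE"
  for i in $(fdisk -l | grep "Disk" | grep "/dev" | awk '{print $2}' | awk -F: '{print $1}' | grep "vd"); do
    # Skip disks blkid already knows a signature for (a bare "dos" label is ignored).
    [ -n "$(blkid | grep -v 'PTTYPE="dos"' | grep -w "$i")" ] && continue
    # fdisk prints "Disk /dev/vdX:" plus one line per partition: fewer than
    # two matching lines means the disk has no partition table entries.
    DEVICE_COUNT=$(fdisk -l "$i" | grep "$i" | awk '{print $2}' | awk -F: '{print $1}' | wc -l)
    [ "$DEVICE_COUNT" -lt 2 ] || continue
    NEW_MOUNT=$(df -h)
    FSTAB_ENTRY=$(grep -v '^#' "$FSTAB_FILE" | grep -v ^$ | awk '{print $1,$2,$3}' | grep -w "$i")
    if [ -n "$(echo $NEW_MOUNT | grep -w "$i")" ] \
       || [ "$(echo "$FSTAB_ENTRY" | awk '{print $2}')" == '/' ] \
       || [ "$(echo "$FSTAB_ENTRY" | awk '{print $3}')" == 'swap' ]; then
      echo "${CWARNING}The $i disk is mounted${CEND}"
    else
      echo "$i" >> "$DISK_LIST_FILE"
      echo "You have a free disk, Now will fdisk it and mount it"
    fi
  done

  DISK_LIST=$(cat "$DISK_LIST_FILE")
  if [ "X$DISK_LIST" == "X" ]; then
    echo
    echo "${CWARNING}No free disk need to be fdisk. Exit script${CEND}"
    echo
    exit 0
  fi
  echo "${CMSG}This system have free disk :${CEND}"
  for i in $DISK_LIST; do
    echo "$i"
    count=$((count+1))
  done
  [ $count -gt 1 ] && { echo "${CWARNING}This system has at least two free disk, You must manually mount it${CEND}"; exit 0; }
}

# Aliyun Linux 5 needs ext4 support pulled in before mkfs.ext4 will work.
check_os() {
  os_release=$(grep "Aliyun Linux release" /etc/issue 2>/dev/null)
  os_release_2=$(grep "Aliyun Linux release" /etc/aliyun-release 2>/dev/null)
  if [ "$os_release" ] && [ "$os_release_2" ]; then
    if echo "$os_release" | grep "release 5" >/dev/null 2>&1; then
      os_release=aliyun5
      modify_env
    fi
  fi
}

# install ext4
modify_env() {
  modprobe ext4
  yum -y install e4fsprogs
}

# Partition $1 with a single primary partition spanning the disk (fdisk
# answers: new, primary, number 1, default first and last sector, write and
# quit), wait for the kernel to pick up the table, then mkfs.ext4 on ${1}1.
fdisk_fun() {
  fdisk -S 56 "$1" << EOF
n
p
1


wq
EOF
  sleep 5
  mkfs.ext4 "${1}1"
}

# Create the mount point. An existing $MOUNT_DIR is moved aside to ${MOUNT_DIR}_bk
# rather than mounted over (which would hide its contents).
make_dir() {
  echo "${CMSG}Step 4.Begin to make directory${CEND}"
  [ -d "$MOUNT_DIR" ] && mv "$MOUNT_DIR" "${MOUNT_DIR}_bk"
  mkdir -p "$MOUNT_DIR"
  echo "$MOUNT_DIR" >> "$TMP1"
}

# Partition and format every disk in DISK_LIST, then append "<dev>1 /data"
# to fstab (only if neither the device nor the mountpoint is already listed)
# and mount everything.
main() {
  for i in $DISK_LIST; do
    echo
    echo "${CMSG}Step 3.Begin to fdisk free disk${CEND}"
    [ -n "$(df -h | grep "${i}1")" ] && { echo "${CFAILURE}The ${i}1 already mount${CEND}"; echo; exit 0; }
    fdisk_fun "$i" > /dev/null 2>&1
    echo
    echo "${i}1" >> "$TMP2"
  done
  make_dir
  paste "$TMP2" "$TMP1" > "$MOUNT_MAP"
  echo
  echo "${CMSG}Step 5.Begin to write configuration to /etc/fstab and mount device${CEND}"
  while read a b; do
    [ -z "$(grep "^${a}" "$FSTAB_FILE")" -a -z "$(grep "${b}" "$FSTAB_FILE")" ] && echo "${a} $b ext4 defaults 0 0" >> "$FSTAB_FILE"
  done < "$MOUNT_MAP"
  mount -a
  echo
}

# start script
echo "${CMSG}Step 2.Begin to check free disk${CEND}"
#service mysqld stop
#mv /data /root
check_os
check_disk
main
df -h
#mv /root/data/* /data
#service mysqld start
# Lock and scratch directory are removed by the EXIT trap.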
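# /etc/profile

# System wide environment and startup programs, for login setup
# Functions and aliases go in /etc/bashrc

# It's NOT a good idea to change this file unless you know what you
# are doing. It's much better to create a custom.sh shell script in
# /etc/profile.d/ to make custom changes to your environment, as this
# will prevent the need for merging in future updates.
#
# Review change vs. the previous revision: "export HISTTIMEFORMA" (typo) never
# exported HISTTIMEFORMAT, so shells started from the login shell (su, nested
# bash) logged history without timestamps. Fixed below.

# Prepend $1 to PATH, or append it when $2 is "after"; no-op if already present.
pathmunge () {
    case ":${PATH}:" in
        *:"$1":*)
            ;;
        *)
            if [ "$2" = "after" ] ; then
                PATH=$PATH:$1
            else
                PATH=$1:$PATH
            fi
    esac
}


if [ -x /usr/bin/id ]; then
    if [ -z "$EUID" ]; then
        # ksh workaround
        EUID=`id -u`
        UID=`id -ru`
    fi
    USER="`id -un`"
    LOGNAME=$USER
    MAIL="/var/spool/mail/$USER"
fi

# Path manipulation: root gets the sbin directories first, everyone else last.
if [ "$EUID" = "0" ]; then
    pathmunge /sbin
    pathmunge /usr/sbin
    pathmunge /usr/local/sbin
else
    pathmunge /usr/local/sbin after
    pathmunge /usr/sbin after
    pathmunge /sbin after
fi

HOSTNAME=`/bin/hostname 2>/dev/null`
# NOTE(review): 200/100 keep a much shorter command history than the stock
# profile (1000); that limits the audit trail available after an incident.
HISTFILESIZE=200
HISTSIZE=100
# Timestamp every history entry so "history" shows when a command ran.
HISTTIMEFORMAT="%Y%m%d-%H%M%S: "
#or HISTTIMEFORMAT="%Y%m%d %T "
export HISTTIMEFORMAT
if [ "$HISTCONTROL" = "ignorespace" ] ; then
    export HISTCONTROL=ignoreboth
else
    export HISTCONTROL=ignoredups
fi

export PATH USER LOGNAME MAIL HOSTNAME HISTSIZE HISTCONTROL

# By default, we want umask to get set. This sets it for login shell
# Current threshold for system reserved uid/gids is 200
# You could check uidgid reservation validity in
# /usr/share/doc/setup-*/uidgid file
if [ $UID -gt 199 ] && [ "`id -gn`" = "`id -un`" ]; then
    umask 002
else
    umask 022
fi

# Source drop-ins; output is only shown in interactive shells ($- contains "i").
for i in /etc/profile.d/*.sh ; do
    if [ -r "$i" ]; then
        if [ "${-#*i}" != "$-" ]; then
            . "$i"
        else
            . "$i" >/dev/null 2>&1
        fi
    fi
done

unset i
unset -f pathmunge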
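# /etc/resolv.conf -- deployed with the playbook.
#
# Review changes vs. the previous revision:
#   - "rotate" removed. It round-robins queries over every listed server, so
#     about half of all lookups went to 8.8.8.8 first -- including names that
#     only the 10.143.22.x (RFC 1918, presumably the provider's internal)
#     resolvers can answer, which both failed and leaked those names outside.
#     Servers are now tried strictly in order: internal first, public fallback.
#   - Fourth entry (114.114.114.114) removed: glibc consults at most three
#     "nameserver" lines (MAXNS), so it was never used.
#
# timeout:1 attempts:1 -> a dead resolver costs at most ~1s before the next
# one is tried.
options timeout:1 attempts:1
nameserver 10.143.22.116
nameserver 10.143.22.118
nameserver 8.8.8.8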
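# /etc/sysctl.conf -- deployed by the playbook; takes effect at the reboot that
# ends the play (or with "sysctl -p"). Target is presumably CentOS 6 / 2.6.32.
#
# Review changes vs. the previous revision:
#   net.ipv4.tcp_wmem / tcp_rmem: the tuple is "min default max" and the old
#     values had default (4336600) greater than max (873200) -- the last two
#     fields were swapped.
#   net.core.somaxconn 262144 -> 65535: before Linux 5.4 the accepted backlog
#     is stored in a 16-bit field, so any listen() backlog above 65535 is
#     truncated (262144 -> 0).
#   net.ipv4.tcp_tw_recycle 1 -> 0: it needs TCP timestamps (disabled below),
#     so it never did anything here; with timestamps on it breaks clients
#     behind NAT, and the knob was removed from the kernel in 4.12 (drop the
#     line entirely on such kernels).
#   net.ipv4.conf.all.* added: the "default" keys only seed interfaces created
#     afterwards; "all" covers the interfaces that are already up.

# --- Routing / anti-spoofing ---
net.ipv4.ip_forward = 0
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0

# --- Kernel ---
kernel.sysrq = 0
kernel.core_uses_pid = 1
kernel.msgmnb = 65536
kernel.msgmax = 65536
kernel.shmmax = 68719476736
kernel.shmall = 4294967296

# --- TCP ---
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_tw_buckets = 150000
net.ipv4.tcp_sack = 1
net.ipv4.tcp_window_scaling = 1
# min default max (bytes); TCP sockets take their defaults from here, not
# from net.core.*mem_default.
net.ipv4.tcp_wmem = 8192 873200 4336600
net.ipv4.tcp_rmem = 32768 873200 4336600
net.core.wmem_default = 8388608
net.core.rmem_default = 8388608
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
net.core.netdev_max_backlog = 262144
net.core.somaxconn = 65535
net.ipv4.tcp_max_orphans = 3276800
net.ipv4.tcp_max_syn_backlog = 262144
# NOTE(review): timestamps off disables PAWS and also makes tcp_tw_reuse a
# no-op (it requires timestamps). Set tcp_timestamps = 1 if tw_reuse is wanted.
net.ipv4.tcp_timestamps = 0
# A single SYN / SYN-ACK retransmit: fast failure, but connections on lossy
# links will fail instead of retrying.
net.ipv4.tcp_synack_retries = 1
net.ipv4.tcp_syn_retries = 1
net.ipv4.tcp_tw_recycle = 0
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_mem = 786432 1048576 1572864
net.ipv4.tcp_fin_timeout = 30
#net.ipv4.tcp_keepalive_time = 30
net.ipv4.tcp_keepalive_time = 300
net.ipv4.ip_local_port_range = 1024 65000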
# /etc/snmp/snmpd.conf -- deployed by the playbook; snmpd is restarted after.
#
# NOTE(review): this grants read access to the ENTIRE MIB tree (view "all",
# OID .1: processes and their command lines, interfaces, routes, installed
# software) to anyone who can reach udp/161 and presents the v1/v2c community
# "1public1". The firewall opens 161 to every source and com2sec below uses
# "default" (any IP). Before exposing this outside a trusted network:
# restrict the com2sec source to the poller's address or subnet, treat the
# community as a secret (it is committed in clear text alongside this
# playbook and travels unencrypted in every v1/v2c packet), and prefer SNMPv3
# (createUser/rouser) over v1/v2c.

# sec.name       source   community
com2sec notConfigUser default 1public1 #default is all IP address

# groupName      securityModel securityName
group notConfigGroup v1 notConfigUser
group notConfigGroup v2c notConfigUser

# name incl/excl subtree mask(optional)
# systemview (system group + hrSystem) is defined but NOT what access grants.
view systemview included .1.3.6.1.2.1.1
view systemview included .1.3.6.1.2.1.25.1.1

# group          context sec.model sec.level prefix read write notif
# Read view is "all" (whole tree, defined below); write and notify are off.
access notConfigGroup "" any noauth exact all none none

# "all" covers the whole OID tree; the trailing field is the OID mask.
view all included .1 80
view mib2 included .iso.org.dod.internet.mgmt.mib-2 fc
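---
# Baseline for freshly provisioned hosts: packages, firewall, sshd, sysctl,
# profile, data disk, snmpd, then a reboot. The play connects as root over the
# default SSH port; after the reboot sshd listens on the port set in
# ssh/sshd_config and the firewall only admits that port (plus SNMP).
#
# NOTE(review): this play is NOT idempotent and parts of it are destructive:
# "yum name=* state=latest" upgrades everything unpinned, auto_disk.sh
# partitions and formats any unpartitioned virtio disk it finds, and the last
# task reboots unconditionally. Run it once against new hosts only.
#
# Review changes vs. the previous revision:
#   - Every "- name:" entry was its own list item with the module in the NEXT
#     item ("- copy: ..."), which Ansible rejects ("no action detected in
#     task"). Name and module are now one task each.
#   - /root/.ssh was created with mode 0644; it is now 0700 (sshd's StrictModes
#     expects the directory not to be accessible to others).
#   - sshd_config is validated with "sshd -t" before it replaces the live file,
#     so a bad config cannot lock us out at the reboot.
#   - epel-release is fetched over https. The package carries the EPEL signing
#     key itself, so it cannot be GPG-verified before it is trusted; TLS is the
#     only integrity check for that first download.
#   - iptables is restarted rather than merely started, so the new rules file
#     is loaded now instead of only at the reboot (the play's own connection
#     survives via the RELATED,ESTABLISHED rule).
#   - auto_disk.sh runs from /root instead of /tmp (shared with unprivileged
#     users, and often mounted noexec).
- hosts: all
  remote_user: root
  tasks:
    - name: System update (all packages to latest, unpinned)
      yum:
        name: "*"
        state: latest

    - name: Install lrzsz, nethogs and nload
      yum:
        name: "{{ item }}"
        state: present
      with_items:
        - lrzsz
        - nethogs
        - nload

    - name: Install EPEL yum repo
      yum:
        name: https://dl.fedoraproject.org/pub/epel/epel-release-latest-6.noarch.rpm
        state: present

    - name: Install NTP
      yum:
        name: ntp
        state: latest

    - name: Install Java 1.7 and the SELinux python bindings
      yum:
        name: "{{ item }}"
        state: present
      with_items:
        - java-1.7.0-openjdk
        - libselinux-python
        - libsemanage-python

    - name: Install iptables rules file
      copy:
        src: iptables/iptables
        dest: /etc/sysconfig/iptables
        owner: root
        group: root
        mode: "0600"
        force: true

    - name: Create /root/.ssh
      file:
        path: /root/.ssh
        state: directory
        owner: root
        group: root
        mode: "0700"

    # validate runs "sshd -t" against the staged copy; the task fails (and the
    # old config stays) if the new file does not parse.
    - name: Install sshd_config
      copy:
        src: ssh/sshd_config
        dest: /etc/ssh/sshd_config
        owner: root
        group: root
        mode: "0600"
        force: true
        validate: "/usr/sbin/sshd -t -f %s"

    - name: Install root authorized_keys
      copy:
        src: ssh/authorized_keys
        dest: /root/.ssh/authorized_keys
        owner: root
        group: root
        mode: "0600"
        force: true

    - name: Replace /etc/sysctl.conf
      copy:
        src: system/sysctl.conf
        dest: /etc/sysctl.conf
        force: true

    - name: Replace /etc/profile
      copy:
        src: system/profile
        dest: /etc/profile
        force: true

    - name: Enable iptables at boot and load the new rules
      service:
        name: iptables
        enabled: true
        state: restarted

    # auto_disk.sh formats and mounts the single free virtio disk on /data.
    # It exits 0 without changes when there is no free disk, so re-runs are safe
    # only in that sense -- see the script header before running it on a host
    # that already carries data on an unlabeled disk.
    - name: Copy auto_disk.sh
      copy:
        src: fdisk/auto_disk.sh
        dest: /root/auto_disk.sh
        owner: root
        group: root
        mode: "0700"

    - name: Run auto_disk.sh
      command: /root/auto_disk.sh

    - name: Install net-snmp
      yum:
        name: net-snmp
        state: present

    # snmpd.conf contains the community string; keep it root-only like the
    # package default.
    - name: Install snmpd.conf
      copy:
        src: snmp/snmpd.conf
        dest: /etc/snmp/snmpd.conf
        owner: root
        group: root
        mode: "0600"
        force: true

    - name: Enable and restart snmpd
      service:
        name: snmpd
        enabled: true
        state: restarted

    # Reboot applies the new sshd port, sysctl and profile. Fired in the
    # background so the play does not error when the connection drops.
    - name: Reboot
      command: shutdown -r now
      async: 1
      poll: 0
      ignore_errors: true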