Creating a FreeBSD VM template for XenServer
The basic parts have more or less settled down, so let's try building a template for FreeBSD.
Preparation
Reserve an IP address for the template
- The template has to be booted and updated from time to time.
- Keep it shut down the rest of the time.
Create the template VM
Build the template VM on XenServer and install FreeBSD
- Use ZFS for the filesystem
- sshd is the only service to enable
- dumpdev can stay off
- ntpd can stay off, since chrony is used for time sync
- Turn on every System Hardening option the installer offers
  - Hide processes running as other users: security.bsd.see_other_uids in /etc/sysctl.conf
  - Hide processes running as other groups: security.bsd.see_other_gids in /etc/sysctl.conf
  - Disable reading kernel message buffer for unprivileged users: security.bsd.unprivileged_read_msgbuf in /etc/sysctl.conf
  - Disable process debugging facilities for unprivileged users: security.bsd.unprivileged_proc_debug in /etc/sysctl.conf
  - Randomize the PID of newly created processes: kern.randompid in /etc/sysctl.conf
  - Insert stack guard page ahead of the growable segments: security.bsd.stack_guard_page in /etc/sysctl.conf
  - Clean the /tmp filesystem on system startup: clear_tmp_enable="YES" in /etc/rc.conf
  - Disable opening Syslogd network socket (disable remote logging): syslogd_flags="-ss" in /etc/rc.conf
  - Disable Sendmail services: sendmail_enable="NONE" in /etc/rc.conf
- Create the accounts that are absolutely required
  - your own account, the ones used by configuration management tools, the vuls account, and so on
Enter the basic settings
Edit /etc/rc.conf
- On XenServer, offload features such as TSO should be turned off, for example
  ifconfig_xn0="inet 192.0.2.1/24 -rxcsum -txcsum -tso -lro"
- It is a good idea to put the various settings common to every VM in this file
root@tmpl:/etc # cat /etc/rc.conf
#
# System Run Configuration
#

# Host Information
hostname="tmpl"
keymap="jp"
dumpdev="NO"

# Boot/Shutdown
clear_tmp_enable="YES"
rcshutdown_timeout="30"

# Filesystem
tmpmfs="YES"
tmpsize="128m"
tmpmfs_flags="-S"
zfs_enable="YES"
zfsd_enable="YES"

# Network
#cloned_interfaces=""
ifconfig_xn0="inet 192.0.2.1/24 -rxcsum -txcsum -tso -lro"
route_private10="-net 10.0.0.0/8 127.0.0.1 -blackhole"
route_private172="-net 172.16.0.0/12 127.0.0.1 -blackhole"
route_private192="-net 192.168.0.0/16 127.0.0.1 -blackhole"
static_routes="private10 private172 private192"
defaultrouter="192.0.2.254"
gateway_enable="NO"
icmp_bmcastecho="NO"
icmp_drop_redirect="YES"
icmp_log_redirect="YES"
ip6addrctl_enable="NO"
ip6addrctl_policy="ipv4_prefer"
ipv6_activate_all_interfaces="NO"
ipv6_network_interfaces="NO"
tcp_drop_synfin="YES"

# NFS
rpc_lockd_enable="YES"
rpc_statd_enable="YES"
rpcbind_enable="YES"
nfs_client_enable="YES"
autofs_enable="YES"

# pf
pf_enable="NO"
pflog_enable="NO"

# Audit
accounting_enable="YES"

# Userland
syslogd_flags="-ss"
syslogd_oomprotect="YES"
blacklistd_enable="NO"
blacklistd_flags=""
sendmail_enable="NONE"
sshd_enable="YES"
root@tmpl:/etc #
Edit /boot/loader.conf
- Boot-time settings
carp_load="YES"
kern.geom.label.disk_ident.enable="0"
kern.geom.label.gptid.enable="0"
vfs.zfs.min_auto_ashift=12
zfs_load="YES"

# for OpenSSL/AES-NI
cryptodev_load="YES"
aesni_load="YES"

# for All servers
kern.maxusers=1024
kern.ipc.nmbclusters=65536

# for NGiNX
aio_load="YES"
accf_data_load="YES"
accf_http_load="YES"
net.inet.tcp.syncache.hashsize=1024
net.inet.tcp.syncache.bucketlimit=100
net.inet.tcp.tcbhashsize=4096

# for squid
kern.ipc.msgmnb=8192
kern.ipc.msgssz=64
kern.ipc.msgtql=2048
Edit /etc/sysctl.conf
- Kernel parameter settings
# $FreeBSD: releng/11.1/etc/sysctl.conf 112200 2003-03-13 18:43:50Z mux $
#
#  This file is read when going to multi-user and its contents piped thru
#  ``sysctl'' to adjust kernel values.  ``man 5 sysctl.conf'' for details.
#

# Uncomment this to prevent users from seeing information about processes that
# are being run under another UID.
security.bsd.see_other_uids=0
security.bsd.see_other_gids=0
security.bsd.unprivileged_read_msgbuf=0
security.bsd.unprivileged_proc_debug=0
kern.randompid=4042
security.bsd.stack_guard_page=1

# Enable CARP
#net.inet.carp.allow=1
#net.inet.carp.preempt=1
#net.inet.carp.log=1
#net.inet.carp.arpbalance=0

# IP Tuning
net.inet.ip.portrange.randomized=0
net.inet.ip.portrange.first=1024
net.inet.ip.portrange.last=65535

# ICMP Tuning
net.inet.icmp.icmplim=3000

# TCP Tuning
net.inet.tcp.msl=1000
net.inet.tcp.finwait2_timeout=3000
net.inet.tcp.nolocaltimewait=1
net.inet.tcp.fast_finwait2_recycle=1
net.inet.tcp.syncookies=1
net.inet.tcp.recvspace=8192
net.inet.tcp.blackhole=2
net.inet.tcp.tso=0

# for HTTP
kern.ipc.somaxconn=16384
kern.ipc.maxsockets=65536
kern.ipc.maxsockbuf=4194304
kern.maxfiles=16384
kern.maxfilesperproc=1024

# ARP cache timeout
#net.link.ether.inet.max_age=97

### NFS parameters
vfs.nfsd.server_min_nfsvers=3
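As an added example (not from the original page), here is a POSIX sh checker that reads a sysctl.conf-style file and confirms that the installer's hardening knobs listed earlier are still set the way the template expects. It is meant to be run against a template before it is cloned: a later edit, or a duplicate key further down the file, silently overrides an earlier line, and this catches both. The file names, the two sample configurations and all function names are constructed for this example.

```shell
#!/bin/sh
# Added example, not part of the original page: verify that a sysctl.conf-style
# file still carries the installer's hardening values.
# Usage: check_sysctl_hardening /etc/sysctl.conf   (exit status 0 when clean)

# Fixed-value knobs from the hardening list. kern.randompid is handled
# separately because any non-zero value enables PID randomisation.
SYSCTL_HARDENING_EXPECTED='
security.bsd.see_other_uids=0
security.bsd.see_other_gids=0
security.bsd.unprivileged_read_msgbuf=0
security.bsd.unprivileged_proc_debug=0
security.bsd.stack_guard_page=1
'

# Effective value of key $2 in file $1: comments are stripped, whitespace
# around '=' is tolerated, and the last assignment wins, which is the order
# sysctl(8) applies the file in at boot.
sysctl_conf_get() {
    sed -e 's/#.*//' -e 's/[[:space:]]//g' "$1" |
        awk -F= -v k="$2" '$1 == k { v = $2 } END { print v }'
}

# Writes one MISMATCH line per finding to stderr and the number of findings
# to stdout, so callers can capture the count with $(...).
count_sysctl_mismatches() {
    file=$1
    bad=0
    for pair in $SYSCTL_HARDENING_EXPECTED; do
        key=${pair%%=*}
        want=${pair#*=}
        got=$(sysctl_conf_get "$file" "$key")
        if [ "$got" != "$want" ]; then
            echo "MISMATCH $key: want $want, have '${got:-unset}'" >&2
            bad=$((bad + 1))
        fi
    done
    got=$(sysctl_conf_get "$file" kern.randompid)
    case $got in
        ''|0|*[!0-9]*)
            echo "MISMATCH kern.randompid: want a non-zero integer, have '${got:-unset}'" >&2
            bad=$((bad + 1)) ;;
    esac
    echo "$bad"
}

# Convenience wrapper with a boolean exit status.
check_sysctl_hardening() {
    n=$(count_sysctl_mismatches "$1")
    [ "$n" -eq 0 ]
}

# Constructed sample 1: the template's settings plus the noise a real file has.
sample_hardened_sysctl_conf() {
    cat <<'EOF'
# comment line
security.bsd.see_other_uids=0
security.bsd.see_other_gids = 0   # spacing is tolerated
security.bsd.unprivileged_read_msgbuf=0
security.bsd.unprivileged_proc_debug=0
kern.randompid=4042
security.bsd.stack_guard_page=1
net.inet.tcp.blackhole=2
EOF
}

# Constructed sample 2: a drifted copy where process visibility was re-enabled,
# PID randomisation was commented out, and a later line overrides the guard page.
sample_drifted_sysctl_conf() {
    cat <<'EOF'
security.bsd.see_other_uids=1
security.bsd.see_other_gids=0
security.bsd.unprivileged_read_msgbuf=0
security.bsd.unprivileged_proc_debug=0
#kern.randompid=4042
security.bsd.stack_guard_page=1
security.bsd.stack_guard_page=0
EOF
}
```

Run it as `check_sysctl_hardening /etc/sysctl.conf` on the template; the file shown above passes. The same key=value parsing works for /etc/rc.conf entries such as `syslogd_flags` and `sendmail_enable`, so the rc.conf side of the hardening list can be checked the same way. One setting worth a second look when extending the list: the file above sets `net.inet.ip.portrange.randomized=0`, which turns off source-port randomisation for outgoing connections.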
Configure ssh
- Turn off password authentication
*** sshd_config.orig Tue Aug 15 19:55:21 2017 --- sshd_config Tue Aug 15 19:56:39 2017 *************** *** 15,20 **** --- 15,21 ---- # FreeBSD has a few additional options. #Port 22 + Port xxxxxx #AddressFamily any #ListenAddress 0.0.0.0 #ListenAddress :: *************** *** 77,82 **** --- 78,84 ---- # Change to no to disable PAM authentication #ChallengeResponseAuthentication yes + ChallengeResponseAuthentication no # Kerberos options #KerberosAuthentication no *************** *** 116,121 **** --- 118,124 ---- #ClientAliveInterval 0 #ClientAliveCountMax 3 #UseDNS yes + UseDNS no #PidFile /var/run/sshd.pid #MaxStartups 10:30:100 #PermitTunnel no
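Review bot: in the first hunk `Port xxxxxx` is a placeholder rather than a port number, and sshd rejects it at startup (`sshd -t` reports it), so the real value has to be filled in before the template is cloned. A non-default port only cuts log noise from scanners; it is not an access control, so the key-only login the later hunk sets up remains the actual protection.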
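Review bot: the section heading says password authentication is turned off, but the second hunk only sets `ChallengeResponseAuthentication no`. On FreeBSD that is sufficient, because password logins go through PAM keyboard-interactive and the shipped default for `PasswordAuthentication` is already `no`, but the result then rests on that default; adding an explicit `PasswordAuthentication no` beside it records the decision in the file and keeps it effective if a later merge of the stock sshd_config changes the default.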
- Install the public key of the user who will log in
  Create /home/user/.ssh and put authorized_keys there; this step must not be skipped.
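With password logins switched off, the step above decides whether a clone can be reached at all, and the usual way it fails is not a missing key but a key sshd ignores because the directory or file is too permissive. The following helper is an added example, not code from the original page: it places a key with the ownership and modes sshd's StrictModes requires, refuses anything that is not a single OpenSSH public-key line, and is safe to run repeatedly. The home directory path, the example key and the function names are constructed for this example; it assumes a POSIX sh with ls, grep, chmod and chown, which FreeBSD base provides.

```shell
#!/bin/sh
# Added example, not part of the original page: install a login user's public
# key in <home>/.ssh/authorized_keys with the modes sshd expects. With the
# default StrictModes, sshd ignores authorized_keys when ~/.ssh or the file is
# group/world-writable, which on a key-only template locks every clone out.
# Usage: install_authorized_key <home-dir> '<public-key line>' [owner[:group]]

# Constructed placeholder key for the example; it is not a real key.
EXAMPLE_PUBKEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEYPLACEHOLDERKEYPLACEHOLDER0 user@example'

# Accept only a one-line OpenSSH public key of a type sshd understands.
is_openssh_pubkey() {
    nl='
'
    case $1 in
        *"$nl"*) return 1 ;;   # multi-line input could smuggle extra keys in
        ssh-ed25519\ *|ssh-rsa\ *|ecdsa-sha2-nistp256\ *|ecdsa-sha2-nistp384\ *|ecdsa-sha2-nistp521\ *) return 0 ;;
        *) return 1 ;;
    esac
}

# Body runs in a subshell (parentheses) so the private umask does not leak
# into the caller's shell.
install_authorized_key() (
    home=$1 key=$2 owner=${3:-}
    is_openssh_pubkey "$key" || { echo "refusing: not a single OpenSSH public key line" >&2; return 2; }
    umask 077
    mkdir -p "$home/.ssh" || return 1
    chmod 700 "$home/.ssh" || return 1
    touch "$home/.ssh/authorized_keys" || return 1
    # idempotent: append only when this exact line is absent
    grep -qxF "$key" "$home/.ssh/authorized_keys" ||
        printf '%s\n' "$key" >> "$home/.ssh/authorized_keys" || return 1
    chmod 600 "$home/.ssh/authorized_keys" || return 1
    # when run as root for another user, hand the tree to that user
    if [ -n "$owner" ]; then
        chown -R "$owner" "$home/.ssh" || return 1
    fi
    return 0
)

# Check the result the way StrictModes will (stricter, in fact: exactly
# 0700/0600). ls -ld is used because stat(1) flags differ between GNU and BSD.
authorized_keys_modes_ok() {
    dmode=$(ls -ld "$1/.ssh" | cut -c1-10)
    fmode=$(ls -l "$1/.ssh/authorized_keys" | cut -c1-10)
    case $dmode in drwx------) ;; *) return 1 ;; esac
    case $fmode in -rw-------) ;; *) return 1 ;; esac
    return 0
}
```

Typical use on the template is `install_authorized_key /home/user "$(cat user.pub)" user:user` as root, followed by `authorized_keys_modes_ok /home/user`. sshd also refuses the key if the home directory itself is group- or world-writable, which this helper deliberately does not touch; check `ls -ld /home/user` as well before shutting the template down.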
Edit /etc/freebsd-update.conf
- If you run your own proxy server for updates, enter it in the ServerName field
Install the pkg command
- pkg install pkg
- If you run your own proxy server for pkg, create the directory with
  mkdir -p /usr/local/etc/pkg/repos
  and create FreeBSD.conf there:
# $FreeBSD: releng/10.2/etc/pkg/FreeBSD.conf 285830 2015-07-23 23:31:40Z gjb $
#
# To disable this repository, instead of modifying or removing this file,
# create a /usr/local/etc/pkg/repos/FreeBSD.conf file:
#
#   mkdir -p /usr/local/etc/pkg/repos
#   echo "FreeBSD: { enabled: no }" > /usr/local/etc/pkg/repos/FreeBSD.conf
#

FreeBSD: {
#  url: "pkg+http://pkg.FreeBSD.org/${ABI}/latest",
  url: "pkg+http://some.where.example.com/${ABI}/latest",
  mirror_type: "srv",
  signature_type: "fingerprints",
  fingerprints: "/usr/share/keys/pkg",
  enabled: yes
}
Create /usr/local/etc/newsyslog.conf.d
Create /etc/periodic.conf.local
# Daily options
daily_show_badconfig="YES"
daily_clean_disks_enable="YES"
daily_clean_tmps_enable="YES"
daily_accounting_compress="YES"
daily_accounting_flags=-q
daily_accounting_save=7
daily_status_zfs_enable="YES"
daily_scrub_zfs_enable="NO"

# Weekly options
weekly_noid_enable="NO"

# Monthly options

# Security options
security_show_badconfig="YES"
security_status_noamd="YES"

# Disable sendmail specific tasks
daily_clean_hoststat_enable="NO"
daily_status_mail_rejects_enable="NO"
daily_status_include_submit_mailq="NO"
daily_submit_queuerun="NO"
Edit /etc/newsyslog.conf
- Basically, rotate the files every day at 00:00 and keep 7 old copies.
Add procfs to /etc/fstab
- Whether it is really needed is debatable, but bash sometimes requires it, so add it
proc /proc procfs rw 0 0
- Add the required packages
  - chrony, postfix-current, sudo, xe-guest-utilities
pkg install -y xe-guest-utilities sudo chrony postfix-current
- Modify chrony.conf
*** /usr/local/etc/chrony.conf.sample Sun Aug 13 11:09:49 2017 --- /usr/local/etc/chrony.conf Tue Aug 15 20:52:24 2017 *************** *** 30,39 **** ! server foo.example.net iburst ! server bar.example.net iburst ! server baz.example.net iburst # This is a reasonable default setting to have on in typical cases for # a workstation with a full-time internet connection: ! pool 0.freebsd.pool.ntp.org iburst ####################################################################### ### AVOIDING POTENTIALLY BOGUS CHANGES TO YOUR CLOCK --- 30,41 ---- ! server foo.example.net iburst ! server bar.example.net iburst ! server baz.example.net iburst + server 192.0.2.254 iburst + server 192.0.2.253 iburst # This is a reasonable default setting to have on in typical cases for # a workstation with a full-time internet connection: ! ! pool 0.freebsd.pool.ntp.org iburst ####################################################################### ### AVOIDING POTENTIALLY BOGUS CHANGES TO YOUR CLOCK
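Review bot: the `!` markers on the three `server foo/bar/baz.example.net iburst` lines say those lines changed, yet both sides of the hunk read the same here, so it is not visible whether the sample file's placeholder servers ended up enabled. They are documentation placeholders (example.net) and should stay commented out, leaving only the two added 192.0.2.x servers and the pool line; confirm with `chronyc sources` after restarting chronyd that exactly those sources are being polled.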
Create files in /usr/local/etc/sudoers.d
- /usr/local/etc/sudoers.d/vuls
vuls ALL=(root) NOPASSWD: /usr/bin/yum, /bin/echo
- /usr/local/etc/sudoers.d/idempotence
idempotence ALL=(root) NOPASSWD: ALL
Configure the required packages to start at boot
- Write them in /etc/rc.conf.local
#
# Local Run Configuration.
#
xenguest_enable="YES"
chronyd_enable="YES"

# Mail Configuration
postfix_enable="YES"
Delete unneeded ZFS datasets
zfs destroy zroot/usr/ports
zfs destroy zroot/usr/src
Run freebsd-update fetch install to bring the system up to date
os/freebsd/template.txt · Last modified: 2017/08/15 21:13 by 127.0.0.1