Debian Squeeze Recipe + LDAP + Mail Relay

A lot of provisions done by me need to be automated, since each install process can take 2 hours to get every single step done according to standards. I could set up scripts to do enviroment settings or to do install and configurations, but to be honest, that is not really elegant, and the question remains, how would the scripts be copied/mounted to the servers, and what process would start them.

There are some questions that need to be set before preseed can run, and they are following:


I run this from a perl script and the $hostname is always replaced with the target hostname. The script does a netinstall with my values and preseed file as a kernel argument.

Now my preseed file explained.
Repositary setups:

d-i apt-setup/contrib boolean true
d-i apt-setup/non-free boolean true
d-i apt-setup/security_host string
d-i apt-setup/services-select multiselect security, volatile
d-i apt-setup/volatile_host string

To avoid the question after installation:

d-i cdrom-detect/eject boolean false

Then we need to add values for Time and location:

d-i clock-setup/ntp boolean true
d-i clock-setup/utc boolean true
d-i clock-setup/utc-auto boolean true
d-i console-keymaps-at/keymap select us
d-i console-tools/archs skip-config

d-i debian-installer/locale select en_US
d-i console-setup/ask_detect boolean false
d-i keyboard-configuration/layoutcode string hu
d-i time/zone string Europe/Budapest
d-i clock-setup/ntp-server string ntp.test
tzdata  tzdata/Areas    select  Europe
tzdata tzdata/Zones/Europe select Budapest
tzdata tzdata/Zones/Europe seen true
d-i keyboard-configuration/xkb-keymap select us
d-i debian-installer/country string US
d-i localechooser/countrylist/North_America select US
d-i localechooser/shortlist/US select
d-i hw-detect/load_firmware boolean true
d-i mirror/suite string squeeze
d-i keyboard-configuration/variant USA

To skip the message at the end of the install process about reboot:

d-i finish-install/reboot_in_progress note

Then we continue with mirror setup for apt repo:

d-i mirror/country string manual HU
d-i mirror/http/directory string /debian
d-i mirror/http/hostname string
d-i mirror/http/proxy string
choose-mirror-bin       mirror/protocol select  http

some network settings. These will not override the initial values we gave at boot:

d-i netcfg/choose_interface select auto
d-i netcfg/dhcp_timeout string 60
d-i netcfg/get_domain string unassigned-domain
d-i netcfg/get_hostname string unassigned-hostname
d-i netcfg/wireless_wep string

I have all my machines provisioned without swap. Since memory is monitored with nagios, and if any imiediate actions are required I can do a virsh setmem from the KVM host.

d-i partman-auto/expert_recipe string                         \
      root ::                                            \
              1000 10000 1000000000 ext3                        \
                      $primary{ } $bootable{ }                \
                      method{ format } format{ }              \
                      use_filesystem{ } filesystem{ ext3 }    \
                      mountpoint{ / }                         \
d-i partman-auto/choose_recipe select root
partman-basicfilesystems    partman-basicfilesystems/create_swap_failed error
partman-basicfilesystems    partman-basicfilesystems/swap_check_failed  boolean
partman-basicfilesystems partman-basicfilesystems/no_swap boolean false
d-i partman-lvm/confirm boolean true
d-i partman-lvm/device_remove_lvm boolean true
d-i partman-md/confirm boolean true
d-i partman-md/device_remove_md boolean true
d-i partman-partitioning/confirm_write_new_label boolean true
d-i partman/choose_partition select finish
d-i partman/confirm boolean true
d-i partman-auto/method string regular
d-i partman/confirm_nooverwrite boolean true
d-i partman/mount_style select traditional

Then we create the root user, and an additional test user.

d-i passwd/root-password password IamAsecret
d-i passwd/root-password-again password IamAsecret
d-i passwd/user-fullname string testuser
d-i passwd/user-password password IamAsecret
d-i passwd/user-password-again password IamAsecret
d-i passwd/username string testuser

I am more confortable with installing only applications that I require, and to keep system space to minimal:

tasksel tasksel/first multiselect Standard system
d-i pkgsel/include string openssh-server vim sudo ntpdate ntp postfix mailutils nfs-common portmap ldap-utils libnss-ldap libpam-ldap nscd coreutils dash e2fslibs initscripts libacl1 libattr1 libblkid1 libbz2-1.0 libc6 libcomerr2 libdb4.8 libncurses5 libpam0g libpam-modules libpam-runtime libselinux1 libsepol1 libslang2 libss2 libuuid1 sysvinit-utils sysv-rc util-linux xz-utils zlib1g autofs5 subversion
d-i pkgsel/install-language-support boolean false
d-i pkgsel/upgrade select none
popularity-contest popularity-contest/participate boolean false
d-i grub-installer/only_debian boolean true
d-i finish-install/reboot_in_progress note

The we preseed postfix to be a relay host to our internal mail server.

## postfix preseeding
postfix postfix/main_mailer_type select Satellite system
postfix postfix/root_address string admin@test.test
postfix postfix/relayhost       string mail.test
postfix postfix/mailname string /etc/mailname

One more step is to have LDAP preseeded to our system, with a read only user, since these scripts could be comprimised by any unauthorized person:

### LDAP preseeding
libnss-ldap    libnss-ldap/binddn    string    cn=proxyuser,ou=People,dc=test
libnss-ldap    libnss-ldap/bindpw    password IamAsecret
libnss-ldap    libnss-ldap/confperm    boolean    false
libnss-ldap    libnss-ldap/dblogin    boolean    false
libnss-ldap    libnss-ldap/dbrootlogin    boolean    false
libnss-ldap    libnss-ldap/nsswitch    note
libnss-ldap    libnss-ldap/override    boolean    true
libpam-ldap    libpam-ldap/binddn    string    cn=proxyuser,ou=People,dc=test
libpam-ldap    libpam-ldap/bindpw    password IamAsecret
libpam-ldap    libpam-ldap/dblogin    boolean    false
libpam-ldap    libpam-ldap/dbrootlogin    boolean    false
libpam-ldap    libpam-ldap/override    boolean    true
libpam-ldap    libpam-ldap/pam_password    select    crypt
libpam-ldap    libpam-ldap/rootbinddn    string    cn=proxyuser,ou=People,dc=test
libpam-ldap    libpam-ldap/rootbindpw    password IamAsecret
libpam-ldap    shared/ldapns/base-dn    string  dc=test
libpam-ldap    shared/ldapns/ldap-server    string    ldap://ldap.test/
libpam-ldap    shared/ldapns/ldap_version    select    3

The last step is to have our own post_install script run to do final changes to system. LDAP system login requires further changes, for example in nsswich.conf, which needs to be done here.

### post install
d-i preseed/late_command string wget -O /target/var/tmp/bootstrap http://main.test/debian/; in-target sh /var/tmp/bootstrap

Happy installs.


Author: S4mur4i

Happy in the unhappy world.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s