Time synchronization, two-factor authentication, and automated installation: implementation walkthrough

1. Internal-network time synchronization with chrony

1.1 Test environment

                      chrony server             chrony client
Kernel and release    4.18.0-147.el8.x86_64     3.10.0-1127.el7.x86_64
Hostname              chrony-server             xsd7.linux.com
IP                    172.20.200.130            172.20.200.128

1.2 Server setup

[root@chrony-server ~]# rpm -qf `which chronyd`
chrony-3.5-1.el8.x86_64
[root@chrony-server ~]# systemctl status chronyd
● chronyd.service - NTP client/server
   Loaded: loaded (/usr/lib/systemd/system/chronyd.service; disabled; vendor preset: enabled)
   Active: inactive (dead)
     Docs: man:chronyd(8)
           man:chrony.conf(5)
[root@chrony-server ~]# vim /etc/chrony.
# Use public servers from the pool.ntp.org project.
# Please consider joining the pool (http://www.pool.ntp.org/join.html).
#pool 2.centos.pool.ntp.org iburst
pool ntp1.aliyun.com
pool ntp2.aliyun.com
# Allow NTP client access from local network.
allow 172.20.200.0/24
# Serve time even if not synchronized to a time source.
local stratum 10
[root@chrony-server ~]# systemctl enable --now chronyd
Created symlink /etc/systemd/system/multi-user.target.wants/chronyd.service → /usr/lib/systemd/system/chronyd.service.
[root@chrony-server ~]# chronyc
chronyc> clients
Hostname                      NTP   Drop Int IntL Last     Cmd   Drop Int  Last
===============================================================================
172.20.200.128                  6      0   6   -     1       0      0   -     -

1.3 Client configuration

[root@xsd7 ~]# rpm -qf `which chronyc`
chrony-3.4-1.el7.x86_64
[root@xsd7 ~]# vim /etc/chrony.conf
# Use public servers from the pool.ntp.org project.
# Please consider joining the pool (http://www.pool.ntp.org/join.html).
server 172.20.200.130 iburst
[root@xsd7 ~]# systemctl enable --now chronyd
Created symlink from /etc/systemd/system/multi-user.target.wants/chronyd.service to /usr/lib/systemd/system/chronyd.service.
[root@xsd7 ~]# chronyc
chrony version 3.4
Copyright (C) 1997-2003, 2007, 2009-2018 Richard P. Curnow and others
chrony comes with ABSOLUTELY NO WARRANTY.  This is free software, and
you are welcome to redistribute it under certain conditions.  See the
GNU General Public License version 2 for details.

chronyc> sources
210 Number of sources = 1
MS Name/IP address         Stratum Poll Reach LastRx Last sample
===============================================================================
^* 172.20.200.130                3   6    77     7   -103us[ -177us] +/-   32ms
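The `sources` output above can be checked mechanically, for example before relying on the clock for time-based one-time codes. The following is an added example, not part of the original post or of chrony: `parse_sources`, `sync_problems` and the 1-second error budget are assumptions chosen for illustration, and the second sample row is constructed.

```python
import re

# Constructed input: the `sources` output recorded above, plus a made-up row
# for a server that has not answered any poll yet.
SYNCED = """210 Number of sources = 1
MS Name/IP address         Stratum Poll Reach LastRx Last sample
===============================================================================
^* 172.20.200.130                3   6    77     7   -103us[ -177us] +/-   32ms
"""
UNREACHABLE = "^? 172.20.200.130                0   6     0     -     +0ns[   +0ns] +/-    0ns\n"

UNIT = {"ns": 1e-9, "us": 1e-6, "ms": 1e-3, "s": 1.0}
NUM = r"([+-]?\d+(?:\.\d+)?)(ns|us|ms|s)"
# Row layout: mode, state, name, stratum, poll, reach (octal), LastRx,
# adjusted offset[measured offset] +/- estimated error.
ROW = re.compile(
    r"^([\^=#])([*+\-?x~])\s+(\S+)\s+(\d+)\s+(\d+)\s+([0-7]+)\s+(\S+)\s+"
    + NUM + r"\s*\[\s*" + NUM + r"\s*\]\s*\+/-\s*" + NUM + r"\s*$"
)


def parse_sources(text):
    """Return one dict per source row; header and separator lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        g = m.groups()
        rows.append({
            "mode": g[0],
            "state": g[1],  # '*' marks the source chronyd is synchronized to
            "name": g[2],
            "stratum": int(g[3]),
            "poll": int(g[4]),
            # Reach is an octal bitmask of the last 8 polls (377 = all answered).
            "answered": bin(int(g[5], 8)).count("1"),
            "offset_s": float(g[7]) * UNIT[g[8]],
            "measured_s": float(g[9]) * UNIT[g[10]],
            "error_s": float(g[11]) * UNIT[g[12]],
        })
    return rows


def sync_problems(text, expected_server, max_error_s=1.0):
    """List reasons the client should not be treated as synchronized.

    max_error_s is an assumed budget for |offset| + error bound.
    """
    selected = [r for r in parse_sources(text) if r["state"] == "*"]
    if not selected:
        return ["no source is selected (no '^*' row)"]
    src = selected[0]
    problems = []
    if src["name"] != expected_server:
        problems.append("synchronized to %s, expected %s" % (src["name"], expected_server))
    worst = abs(src["offset_s"]) + src["error_s"]
    if worst > max_error_s:
        problems.append("worst-case clock error %.6fs exceeds %.6fs" % (worst, max_error_s))
    return problems


if __name__ == "__main__":
    print(parse_sources(SYNCED))
    print(sync_problems(SYNCED, "172.20.200.130"))
    print(sync_problems(UNREACHABLE, "172.20.200.130"))
```

A Reach value of 77 (octal) means the server answered 6 of the last 8 polls, which is expected shortly after `chronyd` starts.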

2. SSH two-factor authentication with PAM and the Google Authenticator module

2.1 Install and configure google-authenticator on the server

# To install google-authenticator, first install the epel-release repository
[root@chrony-server ~]# yum install epel-release
Total                                                  36 kB/s |  23 kB     00:00
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                    1/1
  Installing       : epel-release-8-8.el8.noarch                        1/1
  Running scriptlet: epel-release-8-8.el8.noarch                        1/1
  Verifying        : epel-release-8-8.el8.noarch                        1/1
Installed:
  epel-release-8-8.el8.noarch
Complete!
# Install google-authenticator
[root@chrony-server ~]# yum install google-authenticator
Install  1 Package
Total download size: 57 k
Installed size: 135 k
Is this ok [y/N]: y
Downloading Packages:
google-authenticator-1.07-1.el8.x86_64.rpm            351 kB/s |  57 kB     00:00
--------------------------------------------------------------------------------
Total                                                  46 kB/s |  57 kB     00:01
warning: /var/cache/dnf/epel-6519ee669354a484/packages/google-authenticator-1.07-1.el8.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID 2f86d6a1: NOKEY
Extra Packages for Enterprise Linux 8 - x86_64        1.2 MB/s | 1.6 kB     00:00
Importing GPG key 0x2F86D6A1:
 Userid     : "Fedora EPEL (8) <epel@fedoraproject.org>"
 Fingerprint: 94E2 79EB 8D8F 25B2 1810 ADF1 21EA 45AB 2F86 D6A1
 From       : /etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-8
Is this ok [y/N]: y
Key imported successfully
Running transaction check
Installed:
  google-authenticator-1.07-1.el8.x86_64
Complete!

First install the authenticator app on the phone (Google Authenticator_v5.10_apkpure.com.apk) so that it is ready. Then run google-authenticator on the server to configure it.

[root@chrony-server ~]# google-authenticator
Do you want authentication tokens to be time-based (y/n) y
Warning: pasting the following URL into your browser exposes the OTP secret to Google:
  https://www.google.com/chart?chs=200x200&chld=M|0&cht=qr&chl=otpauth://totp/root@chrony-server%3Fsecret%3DPDM4F6QOZWHADXI4WFQWYUG6VE%26issuer%3Dchrony-server  # open this URL
Failed to use libqrencode to show QR code visually for scanning.
Consider typing the OTP secret into your app manually.
Your new secret key is: PDM4F6QOZWHADXI4WFQWYUG6VE
Enter code from app (-1 to skip): 374408  # scan the QR code on the web page with the authenticator app to bind the phone, then enter the number the app shows here
Code confirmed
Your emergency scratch codes are:  # these are the emergency login codes
  17168477
  73659424
  10626207
  46998705
  93436421

Do you want me to update your "/root/.google_authenticator" file? (y/n) y

Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n) y

By default, a new token is generated every 30 seconds by the mobile app.
In order to compensate for possible time-skew between the client and the server,
we allow an extra token before and after the current time. This allows for a
time skew of up to 30 seconds between authentication server and client. If you
experience problems with poor time synchronization, you can increase the window
from its default size of 3 permitted codes (one previous code, the current
code, the next code) to 17 permitted codes (the 8 previous codes, the current
code, and the 8 next codes). This will permit for a time skew of up to 4 minutes
between client and server.
Do you want to do so? (y/n) y

If the computer that you are logging into isn't hardened against brute-force
login attempts, you can enable rate-limiting for the authentication module.
By default, this limits attackers to no more than 3 login attempts every 30s.
Do you want to enable rate-limiting? (y/n) y
[root@chrony-server ~]#
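The window and single-use prompts above are easier to reason about with the algorithm in hand. The following is an added example, not part of the original post and not the PAM module's code: it implements RFC 6238 TOTP and a hypothetical `Verifier` class that models the 3-code and 17-code windows and the rejection of reused codes, using the published RFC 4226 test key as a constructed secret instead of the secret shown in the session.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30  # seconds each code is valid for, per the prompt text above

# Constructed secret: the RFC 4226 test key in the base32 form used by
# authenticator apps. It is NOT the secret shown in the session above.
KEY = base64.b32decode("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(key: bytes, unix_time: int) -> str:
    """RFC 6238 TOTP: HOTP keyed on the 30-second interval number."""
    return hotp(key, int(unix_time) // STEP)


def tolerated_skew(window: int) -> int:
    """Clock skew in seconds covered by a window of `window` codes."""
    return (window - 1) // 2 * STEP


class Verifier:
    """Hypothetical server-side check modelling two of the prompts:
    window size (3 or 17 codes) and single use of each code."""

    def __init__(self, key: bytes, window: int = 3, disallow_reuse: bool = True):
        self.key = key
        self.half = (window - 1) // 2
        self.disallow_reuse = disallow_reuse
        self.used = set()  # interval numbers whose code was already accepted

    def verify(self, code: str, server_time: int) -> bool:
        now = int(server_time) // STEP
        for counter in range(max(0, now - self.half), now + self.half + 1):
            if hmac.compare_digest(hotp(self.key, counter), code):
                if self.disallow_reuse and counter in self.used:
                    return False  # replayed code
                self.used.add(counter)
                return True
        return False


def demo() -> dict:
    phone_time = 59                # phone clock is correct
    code = totp(KEY, phone_time)   # what the app displays
    drifted = phone_time + 120     # server clock runs 2 minutes fast
    synced = Verifier(KEY, window=3)
    return {
        "code": code,
        "drifted_window_3": Verifier(KEY, window=3).verify(code, drifted),
        "drifted_window_17": Verifier(KEY, window=17).verify(code, drifted),
        "synced_window_3": synced.verify(code, phone_time),
        "replay_rejected": not synced.verify(code, phone_time),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

With the server clock two minutes off, only the 17-code window accepts the code; with the clock synchronized, the default 3-code window is enough, and it leaves fewer valid codes open to guessing at any moment.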

2.2 Change the sshd configuration files

[root@chrony-server ~]# vim /etc/pam.d/sshd
#%PAM-1.0
auth       required     pam_google_authenticator.so   # add this line
[root@chrony-server ~]# vim /etc/ssh/sshd_config
ChallengeResponseAuthentication yes    # change to yes
[root@chrony-server ~]# systemctl restart sshd

SSH login test

[root@xsd7 ~]# ssh 172.20.200.130
Password:   # root password
Verification code:   # the number shown by Google Authenticator on the phone
PRD System!!
Activate the web console with: systemctl enable --now cockpit.socket

Last failed login: Tue Mar 16 19:26:59 CST 2021 from 172.20.200.128 on ssh:notty
There were 7 failed login attempts since the last successful login.
Last login: Tue Mar 16 19:16:02 2021 from 172.20.200.138
[root@chrony-server ~]#
[root@chrony-server ~]# ifconfig
ens160: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 172.20.200.130  netmask 255.255.255.0  broadcast 172.20.200.255
        inet6 fe80::9259:3fdd:3221:fd8f  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:c5:6f:ce  txqueuelen 1000  (Ethernet)
        RX packets 1902  bytes 186128 (181.7 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 1373  bytes 271461 (265.0 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

2.3 Troubleshooting

Symptom: the Password: and Verification code: prompts keep repeating and the login never succeeds. Check /var/log/secure:

Failed to update secret file "/root/.google_authenticator": Permission denied
Secret file "/root/.google_authenticator" permissions (0644) are more permissive than 0600

Fix: set the permissions of "/root/.google_authenticator" to 0600.

The Password: and Verification code: prompts still repeat and the login still fails. Checking /var/log/secure again shows:

Failed to create tempfile "/root/.google_authenticator~uVmFnS": Permission denied

Fix: turn off SELinux enforcement: setenforce 0

3. Automated system installation with cobbler

3.1 Install cobbler and the DHCP service

# First install the EPEL repository
[root@xsd7 ~]# yum install epel-release.noarch
Loaded plugins: fastestmirror, langpacks
Loading mirror speeds from cached hostfile
 * base: mirrors.aliyun.com
 * extras: mirrors.163.com
 * updates: mirrors.163.com
Resolving Dependencies
--> Running transaction check
---> Package epel-release.noarch 0:7-11 will be installed
--> Finished Dependency Resolution
Install  1 Package
Installed:
  epel-release.noarch 0:7-11
Complete!
# Install cobbler
[root@xsd7 ~]# yum install cobbler -y
Loaded plugins: fastestmirror, langpacks
Loading mirror speeds from cached hostfile
epel/x86_64/metalink                                   |  13 kB  00:00:00
 * base: mirrors.aliyun.com
 * epel: d2lzkl7pfhq30w.cloudfront.net
 * extras: mirrors.163.com
 * updates: mirrors.163.com
epel                                                   | 4.7 kB  00:00:00
(1/3): epel/x86_64/group_gz                            |  96 kB  00:00:00
(2/3): epel/x86_64/updateinfo                          | 1.0 MB  00:00:05
(3/3): epel/x86_64/primary_db                          | 6.9 MB  00:00:20
Resolving Dependencies
--> Running transaction check
---> Package cobbler.x86_64 0:2.8.5-0.3.el7 will be installed
--> Processing Dependency: httpd for package: cobbler-2.8.5-0.3.el7.x86_64
Installed:
  cobbler.x86_64 0:2.8.5-0.3.el7
Dependency Installed:
  apr.x86_64 0:1.4.8-7.el7
  apr-util.x86_64 0:1.5.2-6.el7
  httpd.x86_64 0:2.4.6-97.el7.centos
  httpd-tools.x86_64 0:2.4.6-97.el7.centos
  mailcap.noarch 0:2.1.41-2.el7
  mod_wsgi.x86_64 0:3.4-18.el7
  python-cheetah.x86_64 0:2.4.4-5.el7.centos
  python-netaddr.noarch 0:0.7.5-9.el7
  python-pillow.x86_64 0:2.0.0-21.gitd1c6db8.el7
  python-pygments.noarch 0:1.4-10.el7
  python2-markdown.noarch 0:2.4.1-4.el7
  python2-pyyaml.noarch 0:3.10-0.el7
  python2-simplejson.x86_64 0:3.10.0-2.el7
  syslinux.x86_64 0:4.05-15.el7
  tftp-server.x86_64 0:5.2-22.el7
Complete!
# Install dhcp
[root@xsd7 ~]# yum -y instal dhcp
Loaded plugins: fastestmirror, langpacks
No such command: instal. Please use /usr/bin/yum --help
[root@xsd7 ~]# yum -y install cobbler dhcp
Loaded plugins: fastestmirror, langpacks
Loading mirror speeds from cached hostfile
 * base: mirrors.aliyun.com
 * extras: mirrors.163.com
 * updates: mirrors.163.com
Installed:
  dhcp.x86_64 12:4.2.5-82.el7.centos
Dependency Updated:
  dhclient.x86_64 12:4.2.5-82.el7.centos
  dhcp-common.x86_64 12:4.2.5-82.el7.centos
  dhcp-libs.x86_64 12:4.2.5-82.el7.centos
Complete!
# Enable the cobblerd, httpd and tftp services at boot and start them
[root@xsd7 ~]# systemctl enable --now cobblerd httpd tftp
Created symlink from /etc/systemd/system/multi-user.target.wants/cobblerd.service to /usr/lib/systemd/system/cobblerd.service.
Created symlink from /etc/systemd/system/multi-user.target.wants/httpd.service to /usr/lib/systemd/system/httpd.service.
Created symlink from /etc/systemd/system/sockets.target.wants/tftp.socket to /usr/lib/systemd/system/tftp.socket.
[root@xsd7 ~]# systemctl status cobblerd httpd tftp
● cobblerd.service - Cobbler Helper Daemon
   Loaded: loaded (/usr/lib/systemd/system/cobblerd.service; enabled; vendor preset: disabled)
   Active: active (running) since Wed 2021-03-17 11:58:26 CST; 3min 27s ago
  Process: 3616 ExecStartPost=/usr/bin/touch /usr/share/cobbler/web/cobbler.wsgi (code=exited, status=1/FAILURE)
 Main PID: 3615 (cobblerd)
    Tasks: 1
   CGroup: /system.slice/cobblerd.service
           └─3615 /usr/bin/python2 -s /usr/bin/cobblerd -F

Mar 17 11:58:25 xsd7.linux.com systemd[1]: Starting Cobbler Helper Daemon...
Mar 17 11:58:25 xsd7.linux.com touch[3616]: /usr/bin/touch: cannot touch ‘/usr/share/cobbler/web/cobbler.wsgi’: No such file…irectory
Mar 17 11:58:26 xsd7.linux.com systemd[1]: Started Cobbler Helper Daemon.

● httpd.service - The Apache HTTP Server
   Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled; vendor preset: disabled)
   Active: active (running) since Wed 2021-03-17 11:58:26 CST; 3min 27s ago
     Docs: man:httpd(8)
           man:apachectl(8)
 Main PID: 3618 (httpd)
   Status: "Total requests: 0; Current requests/sec: 0; Current traffic:   0 B/sec"
    Tasks: 6
   CGroup: /system.slice/httpd.service
           ├─3618 /usr/sbin/httpd -DFOREGROUND
           ├─3625 /usr/sbin/httpd -DFOREGROUND
           ├─3626 /usr/sbin/httpd -DFOREGROUND
           ├─3627 /usr/sbin/httpd -DFOREGROUND
           ├─3628 /usr/sbin/httpd -DFOREGROUND
           └─3629 /usr/sbin/httpd -DFOREGROUND

Mar 17 11:58:26 xsd7.linux.com systemd[1]: Starting The Apache HTTP Server...
Mar 17 11:58:26 xsd7.linux.com systemd[1]: Started The Apache HTTP Server.

● tftp.service - Tftp Server
   Loaded: loaded (/usr/lib/systemd/system/tftp.service; indirect; vendor preset: disabled)
   Active: active (running) since Wed 2021-03-17 11:58:26 CST; 3min 27s ago
     Docs: man:in.tftpd
 Main PID: 3619 (in.tftpd)
    Tasks: 1
   CGroup: /system.slice/tftp.service
           └─3619 /usr/sbin/in.tftpd -s /var/lib/tftpboot

Mar 17 11:58:26 xsd7.linux.com systemd[1]: Started Tftp Server.
Hint: Some lines were ellipsized, use -l to show in full.

3.2 Configure cobblerd

# Edit the cobblerd configuration file and adjust the following three parameters
[root@xsd7 ~]# vim /etc/cobbler/settings
next_server: 172.20.200.128
server: 172.20.200.128
manage_dhcp: 1
[root@xsd7 ~]# cobbler check
The following are potential configuration items that you may want to fix:

1 : change 'disable' to 'no' in /etc/xinetd.d/tftp
2 : Some network boot-loaders are missing from /var/lib/cobbler/loaders, you may run 'cobbler get-loaders' to download them, or, if you only want to handle x86/x86_64 netbooting, you may ensure that you have installed a *recent* version of the syslinux package installed and can ignore this message entirely.  Files in this directory, should you want to support all architectures, should include pxelinux.0, menu.c32, elilo.efi, and yaboot. The 'cobbler get-loaders' command is the easiest way to resolve these requirements.
3 : enable and start rsyncd.service with systemctl
4 : debmirror package is not installed, it will be required to manage debian deployments and repositories
5 : The default password used by the sample templates for newly installed machines (default_password_crypted in /etc/cobbler/settings) is still set to 'cobbler' and should be changed, try: "openssl passwd -1 -salt 'random-phrase-here' 'your-password-here'" to generate new one
6 : fencing tools were not found, and are required to use the (optional) power management features. install cman or fence-agents to use them

Restart cobblerd and then run 'cobbler sync' to apply changes.

3.3 Set up the DHCP service

# Edit cobbler's DHCP template
[root@xsd7 ~]# vim /etc/cobbler/dhcp.template
subnet 172.20.200.0 netmask 255.255.255.0 {
     option routers             172.20.200.2;
     option domain-name-servers 180.76.76.76;
     option subnet-mask         255.255.255.0;
     range dynamic-bootp        172.20.200.200 172.20.200.253;
# Sync the configuration into the DHCP configuration file
[root@xsd7 ~]# cobbler sync
task started: 2021-03-17_125453_sync
task started (id=Sync, time=Wed Mar 17 12:54:53 2021)
running pre-sync triggers
cleaning trees
removing: /var/lib/tftpboot/pxelinux.cfg/default
removing: /var/lib/tftpboot/grub/images
removing: /var/lib/tftpboot/grub/efidefault
removing: /var/lib/tftpboot/s390x/profile_list
copying bootloaders
copying distros to tftpboot
copying images
generating PXE configuration files
generating PXE menu structure
rendering DHCP files
generating /etc/dhcp/dhcpd.conf
rendering TFTPD files
generating /etc/xinetd.d/tftp
cleaning link caches
running post-sync triggers
running python triggers from /var/lib/cobbler/triggers/sync/post/*
running python trigger cobbler.modules.sync_post_restart_services
running: dhcpd -t -q
received on stdout:
received on stderr:
running: service dhcpd restart
received on stdout:
received on stderr: Redirecting to /bin/systemctl restart dhcpd.service
running shell triggers from /var/lib/cobbler/triggers/sync/post/*
running python triggers from /var/lib/cobbler/triggers/change/*
running python trigger cobbler.modules.manage_genders
running python trigger cobbler.modules.scm_track
running shell triggers from /var/lib/cobbler/triggers/change/*
*** TASK COMPLETE ***
# Start the DHCP service and check its status
[root@xsd7 ~]# systemctl start dhcpd
[root@xsd7 ~]# systemctl status dhcpd
● dhcpd.service - DHCPv4 Server Daemon
   Loaded: loaded (/usr/lib/systemd/system/dhcpd.service; disabled; vendor preset: disabled)
   Active: active (running) since Wed 2021-03-17 12:54:54 CST; 6min ago
     Docs: man:dhcpd(8)
           man:dhcpd.conf(5)
 Main PID: 2666 (dhcpd)
   Status: "Dispatching packets..."
    Tasks: 1
   CGroup: /system.slice/dhcpd.service
           └─2666 /usr/sbin/dhcpd -f -cf /etc/dhcp/dhcpd.conf -user dhcpd -group dhcpd --no-pid

3.4 Download the boot files into /var/lib/tftpboot/

# Download the PXE-related files
[root@xsd7 ~]# cobbler get-loaders
task started: 2021-03-17_132703_get_loaders
task started (id=Download Bootloader Content, time=Wed Mar 17 13:27:03 2021)
path /var/lib/cobbler/loaders/README already exists, not overwriting existing content, use --force if you wish to update
downloading https://cobbler.github.io/loaders/COPYING.elilo to /var/lib/cobbler/loaders/COPYING.elilo
downloading https://cobbler.github.io/loaders/COPYING.yaboot to /var/lib/cobbler/loaders/COPYING.yaboot
downloading https://cobbler.github.io/loaders/COPYING.syslinux to /var/lib/cobbler/loaders/COPYING.syslinux
downloading https://cobbler.github.io/loaders/elilo-3.8-ia64.efi to /var/lib/cobbler/loaders/elilo-ia64.efi
downloading https://cobbler.github.io/loaders/yaboot-1.3.17 to /var/lib/cobbler/loaders/yaboot
downloading https://cobbler.github.io/loaders/pxelinux.0-3.86 to /var/lib/cobbler/loaders/pxelinux.0
downloading https://cobbler.github.io/loaders/menu.c32-3.86 to /var/lib/cobbler/loaders/menu.c32
downloading https://cobbler.github.io/loaders/grub-0.97-x86.efi to /var/lib/cobbler/loaders/grub-x86.efi
downloading https://cobbler.github.io/loaders/grub-0.97-x86_64.efi to /var/lib/cobbler/loaders/grub-x86_64.efi
*** TASK COMPLETE ***
# Sync the downloaded files into the tftp working directory
[root@xsd7 ~]# cobbler sync
task started: 2021-03-17_133543_sync
task started (id=Sync, time=Wed Mar 17 13:35:43 2021)
running pre-sync triggers
cleaning trees
removing: /var/lib/tftpboot/pxelinux.cfg/default
removing: /var/lib/tftpboot/grub/images
removing: /var/lib/tftpboot/grub/efidefault
removing: /var/lib/tftpboot/s390x/profile_list
copying bootloaders
trying hardlink /var/lib/cobbler/loaders/pxelinux.0 -> /var/lib/tftpboot/pxelinux.0
copying: /var/lib/cobbler/loaders/pxelinux.0 -> /var/lib/tftpboot/pxelinux.0
trying hardlink /var/lib/cobbler/loaders/menu.c32 -> /var/lib/tftpboot/menu.c32
copying: /var/lib/cobbler/loaders/menu.c32 -> /var/lib/tftpboot/menu.c32
trying hardlink /var/lib/cobbler/loaders/yaboot -> /var/lib/tftpboot/yaboot
trying hardlink /var/lib/cobbler/loaders/grub-x86.efi -> /var/lib/tftpboot/grub/grub-x86.efi
trying hardlink /var/lib/cobbler/loaders/grub-x86_64.efi -> /var/lib/tftpboot/grub/grub-x86_64.efi
copying distros to tftpboot
copying images
generating PXE configuration files
generating PXE menu structure
rendering DHCP files
generating /etc/dhcp/dhcpd.conf
rendering TFTPD files
generating /etc/xinetd.d/tftp
cleaning link caches
running post-sync triggers
running python triggers from /var/lib/cobbler/triggers/sync/post/*
running python trigger cobbler.modules.sync_post_restart_services
running: dhcpd -t -q
received on stdout:
received on stderr:
running: service dhcpd restart
received on stdout:
received on stderr: Redirecting to /bin/systemctl restart dhcpd.service
running shell triggers from /var/lib/cobbler/triggers/sync/post/*
running python triggers from /var/lib/cobbler/triggers/change/*
running python trigger cobbler.modules.manage_genders
running python trigger cobbler.modules.scm_track
running shell triggers from /var/lib/cobbler/triggers/change/*
*** TASK COMPLETE ***

3.5 Import the CentOS 7 and 8 installation files

# Import the CentOS 8.1 system image
[root@xsd7 cd]# cobbler import --name=centos-8.1-x86_64 --path=/misc/cd --arch=x86_64
task started: 2021-03-17_155515_import
task started (id=Media import, time=Wed Mar 17 15:55:15 2021)
Found a candidate signature: breed=redhat, version=rhel8
No signature matched in /var/www/cobbler/ks_mirror/centos-8.1-x86_64
!!! TASK FAILED !!!
# Update the cobbler signatures to fix the problem above
[root@xsd7 misc]# cobbler signature update
task started: 2021-03-17_193227_sigupdate
task started (id=Updating Signatures, time=Wed Mar 17 19:32:27 2021)
Successfully got file from https://cobbler.github.io/signatures/2.8.x/latest.json
*** TASK COMPLETE ***
# Import the CentOS 8.1 system image again
[root@xsd7 misc]# cobbler import --name=centos-8.1-x86_64 --path=/misc/cd --arch=x86_64
task started: 2021-03-17_193707_import
task started (id=Media import, time=Wed Mar 17 19:37:07 2021)
Found a candidate signature: breed=suse, version=sles15generic
Found a candidate signature: breed=suse, version=opensuse15.0
Found a candidate signature: breed=suse, version=opensuse15.1
Found a candidate signature: breed=redhat, version=rhel8
Found a matching signature: breed=redhat, version=rhel8
Adding distros from path /var/www/cobbler/ks_mirror/centos-8.1-x86_64:
creating new distro: centos-8.1-x86_64
trying symlink: /var/www/cobbler/ks_mirror/centos-8.1-x86_64 -> /var/www/cobbler/links/centos-8.1-x86_64
creating new profile: centos-8.1-x86_64
associating repos
checking for rsync repo(s)
checking for rhn repo(s)
checking for yum repo(s)
starting descent into /var/www/cobbler/ks_mirror/centos-8.1-x86_64 for centos-8.1-x86_64
processing repo at : /var/www/cobbler/ks_mirror/centos-8.1-x86_64/AppStream
need to process repo/comps: /var/www/cobbler/ks_mirror/centos-8.1-x86_64/AppStream
looking for /var/www/cobbler/ks_mirror/centos-8.1-x86_64/AppStream/repodata/*comps*.xml
error launching createrepo (not installed?), ignoring
Exception occured: <type 'exceptions.IOError'>
Exception value: [Errno 2] No such file or directory: '/var/www/cobbler/ks_mirror/config/centos-8.1-x86_64.repo'
Exception Info:
  File "/usr/lib/python2.7/site-packages/cobbler/modules/manage_import_signatures.py", line 599, in yum_process_comps_file
    config_file = open(fname, "w+")
processing repo at : /var/www/cobbler/ks_mirror/centos-8.1-x86_64/BaseOS
need to process repo/comps: /var/www/cobbler/ks_mirror/centos-8.1-x86_64/BaseOS
looking for /var/www/cobbler/ks_mirror/centos-8.1-x86_64/BaseOS/repodata/*comps*.xml
error launching createrepo (not installed?), ignoring
Exception occured: <type 'exceptions.IOError'>
Exception value: [Errno 2] No such file or directory: '/var/www/cobbler/ks_mirror/config/centos-8.1-x86_64-1.repo'
Exception Info:
  File "/usr/lib/python2.7/site-packages/cobbler/modules/manage_import_signatures.py", line 599, in yum_process_comps_file
    config_file = open(fname, "w+")
*** TASK COMPLETE ***
# Import the CentOS 7 system image
[root@xsd7 ~]# cobbler import --name=CentOS-7-x86_64  --path=/mnt --arch=x86_64
task started: 2021-03-17_151443_import
task started (id=Media import, time=Wed Mar 17 15:14:43 2021)
Found a candidate signature: breed=redhat, version=rhel6
Found a candidate signature: breed=redhat, version=rhel7
Found a matching signature: breed=redhat, version=rhel7
Adding distros from path /var/www/cobbler/ks_mirror/CentOS-7-x86_64:
creating new distro: CentOS-7-x86_64
trying symlink: /var/www/cobbler/ks_mirror/CentOS-7-x86_64 -> /var/www/cobbler/links/CentOS-7-x86_64
creating new profile: CentOS-7-x86_64
associating repos
checking for rsync repo(s)
checking for rhn repo(s)
checking for yum repo(s)
starting descent into /var/www/cobbler/ks_mirror/CentOS-7-x86_64 for CentOS-7-x86_64
processing repo at : /var/www/cobbler/ks_mirror/CentOS-7-x86_64
need to process repo/comps: /var/www/cobbler/ks_mirror/CentOS-7-x86_64
looking for /var/www/cobbler/ks_mirror/CentOS-7-x86_64/repodata/*comps*.xml
error launching createrepo (not installed?), ignoring
Exception occured: <type 'exceptions.IOError'>
Exception value: [Errno 2] No such file or directory: '/var/www/cobbler/ks_mirror/config/CentOS-7-x86_64.repo'
Exception Info:
  File "/usr/lib/python2.7/site-packages/cobbler/modules/manage_import_signatures.py", line 599, in yum_process_comps_file
    config_file = open(fname, "w+")
*** TASK COMPLETE ***

3.6 Prepare the kickstart files and associate them with the imported images

# Install system-config-kickstart, a tool for editing kickstart files
[root@xsd7 kickstarts]# yum install system-config-kickstart
Loaded plugins: fastestmirror, langpacks
Loading mirror speeds from cached hostfile
 * base: mirrors.163.com
 * epel: mirrors.coreix.net
 * extras: mirrors.aliyun.com
 * updates: mirrors.163.com
Dependency Installed:
  gnome-python2.x86_64 0:2.28.1-14.el7
  gnome-python2-canvas.x86_64 0:2.28.1-14.el7
  libart_lgpl.x86_64 0:2.3.21-10.el7
  libgnomecanvas.x86_64 0:2.30.3-8.el7
  rarian.x86_64 0:0.8.1-11.el7
  rarian-compat.x86_64 0:0.8.1-11.el7
  system-config-date.noarch 0:1.10.6-3.el7.centos
  system-config-date-docs.noarch 0:1.0.11-4.el7
  system-config-keyboard.noarch 0:1.4.0-5.el7
  system-config-keyboard-base.noarch 0:1.4.0-5.el7
  system-config-language.noarch 0:1.4.0-9.el7
  usermode-gtk.x86_64 0:1.111-6.el7
Complete!
# Install the pykickstart package; its ksvalidator tool checks whether a kickstart file's syntax is correct
[root@xsd7 kickstarts]# yum install pykickstart
Loaded plugins: fastestmirror, langpacks
Loading mirror speeds from cached hostfile
 * base: mirrors.163.com
 * epel: mirror.init7.net
 * extras: mirrors.aliyun.com
 * updates: mirrors.163.com
Updated:
  pykickstart.noarch 0:1.99.66.22-1.el7
Complete!
# Associate the CentOS 7 image with ks7.cfg and generate a menu entry
[root@xsd7 kickstarts]# cobbler profile add --name=centos7 --distro=CentOS-7-x86_64 --kickstart=/var/lib/cobbler/kickstarts/ks7.cfg
# Associate the CentOS 8.1 image with ks8.cfg and generate a menu entry
[root@xsd7 kickstarts]# cobbler profile add --name=centos8.1 --distro=centos-8.1-x86_64 --kickstart=/var/lib/cobbler/kickstarts/ks8.cfg
# Change the boot menu title
[root@xsd7 ks_mirror]# vim /etc/cobbler/pxe/pxedefault.template
DEFAULT menu
PROMPT 0
MENU TITLE Cobbler | xsd homework   # change the menu title
TIMEOUT 200
TOTALTIMEOUT 6000
ONTIMEOUT $pxe_timeout_profile

LABEL local
        MENU LABEL (local)
        MENU DEFAULT
        LOCALBOOT -1

$pxe_menu_items

MENU end
# Sync the data and generate the menu
[root@xsd7 kickstarts]# cobbler sync
task started: 2021-03-17_200713_sync
task started (id=Sync, time=Wed Mar 17 20:07:13 2021)
running pre-sync triggers
cleaning trees
removing: /var/www/cobbler/images/CentOS-7-x86_64
removing: /var/www/cobbler/images/centos-8.1-x86_64
removing: /var/lib/tftpboot/pxelinux.cfg/default
removing: /var/lib/tftpboot/grub/images
removing: /var/lib/tftpboot/grub/grub-x86.efi
removing: /var/lib/tftpboot/grub/grub-x86_64.efi
removing: /var/lib/tftpboot/grub/efidefault
removing: /var/lib/tftpboot/images/CentOS-7-x86_64
removing: /var/lib/tftpboot/images/centos-8.1-x86_64
removing: /var/lib/tftpboot/s390x/profile_list
copying bootloaders
trying hardlink /var/lib/cobbler/loaders/pxelinux.0 -> /var/lib/tftpboot/pxelinux.0
copying: /var/lib/cobbler/loaders/pxelinux.0 -> /var/lib/tftpboot/pxelinux.0
trying hardlink /var/lib/cobbler/loaders/menu.c32 -> /var/lib/tftpboot/menu.c32
copying: /var/lib/cobbler/loaders/menu.c32 -> /var/lib/tftpboot/menu.c32
trying hardlink /var/lib/cobbler/loaders/grub-x86.efi -> /var/lib/tftpboot/grub/grub-x86.efi
trying hardlink /var/lib/cobbler/loaders/grub-x86_64.efi -> /var/lib/tftpboot/grub/grub-x86_64.efi
copying distros to tftpboot
copying files for distro: centos-8.1-x86_64
trying hardlink /var/www/cobbler/ks_mirror/centos-8.1-x86_64/images/pxeboot/vmlinuz -> /var/lib/tftpboot/images/centos-8.1-x86_64/vmlinuz
trying hardlink /var/www/cobbler/ks_mirror/centos-8.1-x86_64/images/pxeboot/initrd.img -> /var/lib/tftpboot/images/centos-8.1-x86_64/initrd.img
copying files for distro: CentOS-7-x86_64
trying hardlink /var/www/cobbler/ks_mirror/CentOS-7-x86_64/images/pxeboot/vmlinuz -> /var/lib/tftpboot/images/CentOS-7-x86_64/vmlinuz
trying hardlink /var/www/cobbler/ks_mirror/CentOS-7-x86_64/images/pxeboot/initrd.img -> /var/lib/tftpboot/images/CentOS-7-x86_64/initrd.img
copying images
generating PXE configuration files
generating PXE menu structure
copying files for distro: centos-8.1-x86_64
trying hardlink /var/www/cobbler/ks_mirror/centos-8.1-x86_64/images/pxeboot/vmlinuz -> /var/www/cobbler/images/centos-8.1-x86_64/vmlinuz
trying hardlink /var/www/cobbler/ks_mirror/centos-8.1-x86_64/images/pxeboot/initrd.img -> /var/www/cobbler/images/centos-8.1-x86_64/initrd.img
Writing template files for centos-8.1-x86_64
copying files for distro: CentOS-7-x86_64
trying hardlink /var/www/cobbler/ks_mirror/CentOS-7-x86_64/images/pxeboot/vmlinuz -> /var/www/cobbler/images/CentOS-7-x86_64/vmlinuz
trying hardlink /var/www/cobbler/ks_mirror/CentOS-7-x86_64/images/pxeboot/initrd.img -> /var/www/cobbler/images/CentOS-7-x86_64/initrd.img
Writing template files for CentOS-7-x86_64
rendering DHCP files
generating /etc/dhcp/dhcpd.conf
rendering TFTPD files
generating /etc/xinetd.d/tftp
processing boot_files for distro: centos-8.1-x86_64
processing boot_files for distro: CentOS-7-x86_64
cleaning link caches
running post-sync triggers
running python triggers from /var/lib/cobbler/triggers/sync/post/*
running python trigger cobbler.modules.sync_post_restart_services
running: dhcpd -t -q
received on stdout:
received on stderr:
running: service dhcpd restart
received on stdout:
received on stderr: Redirecting to /bin/systemctl restart dhcpd.service
running shell triggers from /var/lib/cobbler/triggers/sync/post/*
running python triggers from /var/lib/cobbler/triggers/change/*
running python trigger cobbler.modules.manage_genders
running python trigger cobbler.modules.scm_track
running shell triggers from /var/lib/cobbler/triggers/change/*
*** TASK COMPLETE ***

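3.7 Install the system automatically over the network

Choose to boot from the network card

Choose the system to install

The kernel is found and booted

Automatic installation starts

Log in to the automatically installed system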

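© Copyright belongs to the author: this is an original work by 51CTO blog author IPSI250. If you repost it, credit the source; otherwise legal action will be pursued.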
