Created
August 30, 2018 22:44
-
-
Save Valyrox/554693631a1b37e11e56469864170567 to your computer and use it in GitHub Desktop.
OVH Proxmox post install
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#!/bin/bash | |
################################################################################ | |
# This is property of eXtremeSHOK.com | |
# You are free to use, modify and distribute, however you may not remove this notice. | |
# Copyright (c) Adrian Jon Kriel :: admin@extremeshok.com | |
################################################################################ | |
# | |
# Script updates can be found at: https://github.com/extremeshok/xshok-proxmox | |
# | |
# post-installation script for Proxmox | |
# | |
# License: BSD (Berkeley Software Distribution) | |
# | |
################################################################################ | |
# | |
# Assumptions: proxmox installed | |
# | |
################################################################################ | |
# | |
# THERE ARE NO USER CONFIGURABLE OPTIONS IN THIS SCRIPT | |
# | |
################################################################################ | |
## Force APT to use IPv4 | |
echo -e "Acquire::ForceIPv4 \"true\";\n" > /etc/apt/apt.conf.d/99force-ipv4 | |
## disable enterprise proxmox repo | |
if [ -f /etc/apt/sources.list.d/pve-enterprise.list ]; then | |
echo -e "#deb https://enterprise.proxmox.com/debian stretch pve-enterprise\n" > /etc/apt/sources.list.d/pve-enterprise.list | |
fi | |
## enable public proxmox repo | |
if [ ! -f /etc/apt/sources.list.d/proxmox.list ] && [ ! -f /etc/apt/sources.list.d/pve-public-repo.list ] && [ ! -f /etc/apt/sources.list.d/pve-install-repo.list ] ; then | |
echo -e "deb http://download.proxmox.com/debian stretch pve-no-subscription\n" > /etc/apt/sources.list.d/pve-public-repo.list | |
fi | |
## Add non-free to sources | |
sed -i "s/main contrib/main non-free contrib/g" /etc/apt/sources.list | |
## Install the latest ceph provided by proxmox | |
echo "deb http://download.proxmox.com/debian/ceph-luminous stretch main" > /etc/apt/sources.list.d/ceph.list | |
## Refresh the package lists | |
apt-get update | |
## Fix no public key error for debian repo | |
apt-get install -y debian-archive-keyring | |
## Update proxmox and install various system utils | |
apt-get -y dist-upgrade --force-yes | |
pveam update | |
## Fix no public key error for debian repo | |
apt-get install -y debian-archive-keyring | |
## Install openvswitch for a virtual internal network | |
apt-get install -y openvswitch-switch | |
## Install zfs support, appears to be missing on some Proxmox installs. | |
#apt-get install -y zfsutils | |
## Install missing ksmtuned | |
apt-get install -y ksmtuned | |
systemctl enable ksmtuned | |
## Install ceph support | |
echo "Y" | pveceph install | |
## Install common system utilities | |
apt-get install -y whois omping tmux sshpass wget axel nano pigz net-tools htop iptraf iotop iftop iperf vim vim-nox unzip zip software-properties-common aptitude curl dos2unix dialog mlocate build-essential git | |
#snmpd snmp-mibs-downloader | |
## Remove conflicting utilities | |
apt-get purge -y ntp openntpd chrony | |
## Detect AMD EPYC CPU and install kernel 4.15 | |
if [ "$(cat /proc/cpuinfo | grep -i -m 1 "model name" | grep -i "EPYC")" != "" ]; then | |
echo "AMD EPYC detected" | |
#Apply EPYC fix to kernel : Fixes random crashing and instability | |
if ! cat /etc/default/grub | grep "GRUB_CMDLINE_LINUX_DEFAULT" | grep -q "idle=nomwait" ; then | |
echo "Setting kernel idle=nomwait" | |
sed -i 's/GRUB_CMDLINE_LINUX_DEFAULT="/GRUB_CMDLINE_LINUX_DEFAULT="idle=nomwait /g' /etc/default/grub | |
update-grub | |
fi | |
echo "Installing kernel 4.15" | |
apt-get install -y pve-kernel-4.15 | |
fi | |
## Install kexec, allows for quick reboots into the latest updated kernel set as primary in the boot-loader. | |
# use command 'reboot-quick' | |
echo "kexec-tools kexec-tools/load_kexec boolean false" | debconf-set-selections | |
apt-get install -y kexec-tools | |
cat > /etc/systemd/system/kexec-pve.service <<EOF | |
[Unit] | |
Description=boot into into the latest pve kernel set as primary in the boot-loader | |
Documentation=man:kexec(8) | |
DefaultDependencies=no | |
Before=shutdown.target umount.target final.target | |
[Service] | |
Type=oneshot | |
ExecStart=/sbin/kexec -l /boot/pve/vmlinuz --initrd=/boot/pve/initrd.img --reuse-cmdline | |
[Install] | |
WantedBy=kexec.target | |
EOF | |
systemctl enable kexec-pve.service | |
echo "alias reboot-quick='systemctl kexec'" >> /root/.bash_profile | |
## Remove no longer required packages and purge old cached updates | |
apt-get autoremove -y | |
apt-get autoclean -y | |
## Disable portmapper / rpcbind (security) | |
systemctl disable rpcbind | |
systemctl stop rpcbind | |
## Set Timezone to UTC and enable NTP | |
timedatectl set-timezone UTC | |
echo > /etc/systemd/timesyncd.conf <<EOF | |
[Time] | |
NTP=0.pool.ntp.org 1.pool.ntp.org 2.pool.ntp.org 3.pool.ntp.org | |
FallbackNTP=0.debian.pool.ntp.org 1.debian.pool.ntp.org 2.debian.pool.ntp.org 3.debian.pool.ntp.org | |
RootDistanceMaxSec=5 | |
PollIntervalMinSec=32 | |
PollIntervalMaxSec=2048 | |
EOF | |
service systemd-timesyncd start | |
timedatectl set-ntp true | |
## Set pigz to replace gzip, 2x faster gzip compression | |
cat > /bin/pigzwrapper <<EOF | |
#!/bin/sh | |
PATH=/bin:\$PATH | |
GZIP="-1" | |
exec /usr/bin/pigz "\$@" | |
EOF | |
mv -f /bin/gzip /bin/gzip.original | |
cp -f /bin/pigzwrapper /bin/gzip | |
chmod +x /bin/pigzwrapper | |
chmod +x /bin/gzip | |
## Detect if this is an OVH server by getting the global IP and checking the ASN | |
if [ "$(whois -h v4.whois.cymru.com " -t $(curl ipinfo.io/ip 2> /dev/null)" | tail -n 1 | cut -d'|' -f3 | grep -i "ovh")" != "" ] ; then | |
echo "Deteted OVH Server, installing OVH RTM (real time monitoring)" | |
#http://help.ovh.co.uk/RealTimeMonitoring | |
wget ftp://ftp.ovh.net/made-in-ovh/rtm/install_rtm.sh -c -O install_rtm.sh && bash install_rtm.sh && rm install_rtm.sh | |
fi | |
## Protect the web interface with fail2ban | |
apt-get install -y fail2ban | |
cat > /etc/fail2ban/filter.d/proxmox.conf <<EOF | |
[Definition] | |
failregex = pvedaemon\[.*authentication failure; rhost=<HOST> user=.* msg=.* | |
ignoreregex = | |
EOF | |
cat > /etc/fail2ban/jail.d/proxmox <<EOF | |
[proxmox] | |
enabled = true | |
port = https,http,8006 | |
filter = proxmox | |
logpath = /var/log/daemon.log | |
maxretry = 3 | |
# 1 hour | |
bantime = 3600 | |
EOF | |
systemctl enable fail2ban | |
##testing | |
#fail2ban-regex /var/log/daemon.log /etc/fail2ban/filter.d/proxmox.conf | |
## Increase vzdump backup speed | |
sed -i "s/#bwlimit: KBPS/bwlimit: 10240000/" /etc/vzdump.conf | |
## Bugfix: pve 5.1 high swap usage with low memory usage | |
echo "vm.swappiness=10" >> /etc/sysctl.conf | |
sysctl -p | |
## Remove subscription banner | |
sed -i "s/data.status !== 'Active'/false/g" /usr/share/javascript/proxmox-widget-toolkit/proxmoxlib.js | |
# create a daily cron to make sure the banner does not re-appear | |
cat > /etc/cron.daily/proxmox-nosub <<EOF | |
#!/bin/sh | |
sed -i "s/data.status !== 'Active'/false/g" /usr/share/javascript/proxmox-widget-toolkit/proxmoxlib.js | |
EOF | |
chmod 755 /etc/cron.daily/proxmox-nosub | |
## Increase max user watches | |
# BUG FIX : No space left on device | |
echo 1048576 > /proc/sys/fs/inotify/max_user_watches | |
echo "fs.inotify.max_user_watches=1048576" >> /etc/sysctl.conf | |
sysctl -p /etc/sysctl.conf | |
## Increase max FD limit / ulimit | |
cat <<'EOF' >> /etc/security/limits.conf | |
* soft nproc 131072 | |
* hard nproc 131072 | |
* soft nofile 131072 | |
* hard nofile 131072 | |
root soft nproc 131072 | |
root hard nproc 131072 | |
root soft nofile 131072 | |
root hard nofile 131072 | |
EOF | |
## Increase kernel max Key limit | |
cat <<'EOF' > /etc/sysctl.d/60-maxkeys.conf | |
kernel.keys.root_maxkeys=1000000 | |
kernel.keys.maxkeys=1000000 | |
EOF | |
## Script Finish | |
echo -e '\033[1;33m Finished....please restart the system \033[0m' |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment