@ssh60
Forked from eye-scuzzy/centos7_template
Created November 8, 2016 16:19
CentOS 7.2 VMware vSphere 6 template with guest customization working
## Download latest CentOS 7 x86_64 minimal iso image
## Good readings
# https://labs.vmware.com/vmtj/methodology-for-performance-analysis-of-vmware-vsphere-under-tier-1-applications
# https://labs.vmware.com/vmtj/virtualizing-latency-sensitive-applications-where-does-the-overhead-come-from
## Create typical CentOS VM
# compatible with 'ESXi 6.0 and later'
# set 'Guest OS Family' to 'Linux'
# set 'Guest OS Version' to 'CentOS 4/5/6/7 (64 bit)'
## look at page 47 https://www.vmware.com/files/pdf/techpaper/VMware-PerfBest-Practices-vSphere6-0.pdf
## consider changing this to 2 vCPUs
# set 'CPU' to 4
# set 'Cores per Socket' to 4
# check 'Enable CPU Hot Add'
# set 'Memory' to 4096 MB
# check 'Memory Hot Plug'
# set 'New Hard disk' to 64 GB
# check 'Disk Provisioning' to 'Thin provision'
# set 'New SCSI controller' -> 'Change Type' to 'VMware Paravirtual'
# set 'New CD/DVD Drive' to 'Datastore ISO File' and select your CentOS 7 iso image
## Install CentOS 7
# boot with the biosdevname=0 net.ifnames=0 kernel parameters (classic eth0-style interface names)
# set language to English (United States)
# enable networking
# disable kdump
# set timezone and enable NTP
# set security policy to CPCP
# set installation destination to 'I will configure partitioning'
# 'Click here to create them automatically' and remove /home
# why xfs? http://danluu.com/file-consistency/
# set /boot (xfs) size to 500 MiB
# set swap size to 4 GiB
# set / (xfs) size to empty (rest of disk space)
## LVM
# set volume group name to vg00
# set logical volume names to lv_root and lv_swap
## Setup process
# set root password
# reboot
# 'Shut Down Guest'
# eject cd-rom
# set 'CD/DVD drive 1' to 'Client Device'
# uncheck 'Enable logging' at 'VM Options' -> 'Advanced'
## Configure CentOS
# 'Launch Remote Console'
# 'Power on' VM
# login as root
# edit /etc/sysconfig/selinux (a symlink to /etc/selinux/config)
# set 'SELINUX' to 'permissive'
# permissive only logs AVC denials instead of blocking them; set it back to 'enforcing' on clones that need the confinement
# edit /etc/fstab
# set noatime for /
# comment out this line in /etc/logrotate.conf (rotated logs then get numeric suffixes instead of dates)
# dateext
# add these lines at the end of /etc/ssh/sshd_config
# ClientAliveInterval 300
# ClientAliveCountMax 0
# PermitRootLogin no
# with OpenSSH before 8.2 (every CentOS 7 release) Interval 300 + CountMax 0 drops a session after 300 s without client traffic;
# OpenSSH 8.2 and later treat CountMax 0 as 'never disconnect', so use 1 there
# PermitRootLogin no refuses root over ssh: create a sudo-capable user first, or do the remaining steps from the remote console
# set 'Banner' to '/etc/issue.net'
systemctl restart sshd.service
# login through ssh (as a non-root user once PermitRootLogin is 'no')
# and set the login banner to something appropriate
# this one is taken from http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Security/Baseline_Security/securebasebook/appendxA.html
cat << EOF > /etc/issue.net
UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED
You must have explicit, authorized permission to access or configure this device.
Unauthorized attempts and actions to access or use this system may result in civil and/or
criminal penalties.
All activities performed on this device are logged and monitored.
EOF
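# Added example, not part of the original gist: the sshd_config edits above done
# non-interactively and idempotently, so the step can be re-run on the template
# without duplicating lines. sshd_set replaces an existing keyword (active, or
# commented out with a leading '#') or appends it, and keeps global keywords
# above the first 'Match' block, where sshd would otherwise read them as
# conditional. The option values and /etc/issue.net are the gist's; the function
# names, the optional config-path argument and the sample config are my own.

```shell
#!/bin/sh
# sshd_set KEYWORD VALUE [CONFIG] -- set a global sshd_config keyword in place.
# Example helper (not from the gist). CONFIG defaults to /etc/ssh/sshd_config;
# pass another path for a dry run. Writes back through 'cat >' so the file
# keeps its owner, mode and SELinux label (same inode).
sshd_set() {
    key=$1; val=$2; cfg=${3:-/etc/ssh/sshd_config}
    tmp=$(mktemp) || return 1
    awk -v key="$key" -v val="$val" '
        BEGIN { lkey = tolower(key); done = 0; inmatch = 0 }
        # keywords after the first Match line only apply inside that block,
        # so a still-missing global keyword is inserted just before it
        tolower($1) == "match" && !inmatch {
            inmatch = 1
            if (!done) { print key " " val; done = 1 }
        }
        # first active or commented-out occurrence above Match: replace it
        !inmatch && !done && (tolower($1) == lkey || tolower($1) == ("#" lkey)) {
            print key " " val; done = 1; next
        }
        { print }
        END { if (!done) print key " " val }
    ' "$cfg" > "$tmp" && cat "$tmp" > "$cfg"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# sshd_get KEYWORD [CONFIG] -- print the global (pre-Match) value, if any.
sshd_get() {
    cfg=${2:-/etc/ssh/sshd_config}
    awk -v lkey="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        tolower($1) == "match" { exit }
        tolower($1) == lkey { print $2; exit }
    ' "$cfg"
}

# The gist's settings applied to the live file, then syntax-checked before restart:
#   sshd_set ClientAliveInterval 300
#   sshd_set ClientAliveCountMax 0
#   sshd_set PermitRootLogin no
#   sshd_set Banner /etc/issue.net
#   sshd -t && systemctl restart sshd.service
```

Keyword matching is case-insensitive because sshd itself is; only the first occurrence above any Match block is touched, which is the one sshd honours for a global option.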
systemctl stop tuned.service
systemctl disable tuned.service
# classic network service with ifcfg files instead of NetworkManager
systemctl stop NetworkManager.service
systemctl disable NetworkManager.service
systemctl mask NetworkManager.service
systemctl enable network.service
# drop firmware packages a VM never loads; the egrep drops the 'Installed Packages' header and leaves linux-firmware (a kernel dependency) and alsa-firmware in place
yum remove -y $(yum list -q installed \*firmware\* | awk '{print $1}' | egrep -v 'Installed|alsa|linux')
yum install -y deltarpm yum-utils
yum clean expire-cache ; yum check-update ; yum update -y
systemctl reboot
package-cleanup -y --oldkernels --count=1
# everything installed here ends up on every clone; nmap, telnet, socat and tcpdump are handy for debugging but are also a ready-made toolkit for an intruder, so trim the list for hardened roles
yum install -y bacula-client bash-completion bind-utils bzip2 epel-release iptables-services \
libselinux-python mailx man-pages man-pages-overrides mc nano net-tools nmap nmap-ncat open-vm-tools rsync \
telnet screen socat tcpdump vim vim-enhanced wget whois unzip yum-plugin-changelog yum-plugin-remove-with-leaves
systemctl start vmtoolsd.service
sed -i 's/always=false/always=true/' /etc/yum/pluginconf.d/changelog.conf
sed -i '/^#remove_always/s/^#//' /etc/yum/pluginconf.d/remove-with-leaves.conf
yum install -y htop
# if you use FreeIPA
yum install -y ipa-client
# if you use zabbix
# the release RPM is fetched over plain HTTP; verify its signature (rpm --checksig) against the Zabbix signing key before trusting the repository it adds
yum install -y http://repo.zabbix.com/zabbix/3.0/rhel/7/x86_64/zabbix-release-3.0-1.el7.noarch.rpm
yum install -y zabbix-agent zabbix-get zabbix-sender
# sort /etc/passwd and /etc/group
pwck -s ; grpck -s
# clean VM and shutdown
yum clean all
cd /root ; rm -rfv .gnupg openscap_data .pki
cd /tmp ; rm -rfv ks-script* yum*
# host keys are recreated by sshd-keygen when sshd starts, so every clone gets its own; a template must never ship with them
rm -fv /etc/ssh/ssh_host*
rm -fv /var/lib/NetworkManager/*
rm -rfv /var/log/anaconda
mkdir -p /root/bin
# truncate log files in place so they keep the owner and mode rsyslog and logrotate expect
cat << EOF > /root/bin/wipelogs
#!/bin/sh
echo -n > "\$1"
EOF
chmod +x /root/bin/wipelogs
# with no /var/log/journal yet the journal lives in /run/log/journal and disappears at poweroff; only files under /var/log need truncating
systemctl stop systemd-journald.socket
find /var/log -type f -exec /root/bin/wipelogs '{}' \;
rm -f /root/bin/wipelogs
# an existing /var/log/journal makes journald persistent on the clones
mkdir -p /var/log/journal
# bash rewrites .bash_history when this shell exits; 'unset HISTFILE' in the same session prevents that
cd /root ; rm -f .bash_history ; history -c
systemctl poweroff
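# Added example, not part of the original gist: the sealing steps above as two
# functions, seal_template and template_is_sealed (my names), that take an
# optional root directory so the procedure can be rehearsed on a scratch tree
# and checked before being run against '/'. It goes one step beyond the gist by
# also emptying /etc/machine-id, which systemd regenerates on first boot so
# clones do not share an identity; the gist does not do this.

```shell
#!/bin/sh
# seal_template [ROOT] -- strip per-instance state before powering the template off.
# Example helper (not from the gist). ROOT defaults to the live system; pass a
# scratch directory to rehearse. Run it with journald's socket stopped, as the
# gist does, so nothing is written back while the logs are being truncated.
seal_template() {
    root=${1:-}
    # host keys: sshd-keygen recreates them when sshd starts, so each clone gets its own
    rm -f "$root"/etc/ssh/ssh_host_*
    # machine-id (assumption, beyond the gist): an empty file makes systemd generate a fresh one at boot
    [ -e "$root/etc/machine-id" ] && : > "$root/etc/machine-id"
    # installer leftovers and NetworkManager state, as in the gist
    rm -rf "$root/var/log/anaconda"
    rm -f "$root"/var/lib/NetworkManager/*
    # truncate logs in place: the files keep the owner/mode rsyslog and logrotate expect
    find "$root/var/log" -type f -exec sh -c ': > "$1"' sh '{}' \;
    # persistent journal on the clones
    mkdir -p "$root/var/log/journal"
    # shell history; also 'unset HISTFILE' in the interactive shell so bash does not rewrite it on exit
    rm -f "$root/root/.bash_history"
}

# template_is_sealed [ROOT] -- return 0 if nothing instance-specific is left, 1 otherwise.
template_is_sealed() {
    root=${1:-}
    for f in "$root"/etc/ssh/ssh_host_*; do
        [ -e "$f" ] && return 1
    done
    [ -s "$root/etc/machine-id" ] && return 1
    [ -d "$root/var/log/anaconda" ] && return 1
    # any non-empty regular file under /var/log means the logs were not wiped
    [ -n "$(find "$root/var/log" -type f -size +0c -print 2>/dev/null | head -n 1)" ] && return 1
    [ -e "$root/root/.bash_history" ] && return 1
    return 0
}

# On the template itself (no argument = live system):
#   seal_template && template_is_sealed && systemctl poweroff
```

The check function is the useful half: run it on a freshly powered-on clone as well, where it should fail on every point (new host keys, new machine-id, a growing /var/log/messages), which confirms first boot regenerated what the seal removed.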