ssh60/centos7_template

## centos7_template
## Download latest CentOS 7 x86_64 minimal iso image

## Good readings
# https://labs.vmware.com/vmtj/methodology-for-performance-analysis-of-vmware-vsphere-under-tier-1-applications
# https://labs.vmware.com/vmtj/virtualizing-latency-sensitive-applications-where-does-the-overhead-come-from

## Create typical CentOS VM
# compatible with 'ESXi 6.0 and later'
# set 'Guest OS Family' to 'Linux'
# set 'Guest OS Version' to 'CentOS 4/5/6/7 (64 bit)'
## look at page 47 https://www.vmware.com/files/pdf/techpaper/VMware-PerfBest-Practices-vSphere6-0.pdf
## consider to change it to 2 vCPU
# set 'CPU' to 4
# set 'Cores per Socket' to 4
# check 'Enable CPU Hot Add'
# set 'Memory' to 4096 MB
# check 'Memory Hot Plug'
# set 'New Hard disk' to 64 GB
# check 'Disk Provisioning' to 'Thin provision'
# set 'New SCSI controller' -> 'Change Type' to 'VMware Paravirtual'
# set 'New CD/DVD Drive' to 'Datastore ISO File' and select your CentOS 7 iso image

## Install CentOS 7
# boot with biosdevname=0 net.ifnames=0 parameters
# set language to English (United States)
# enable networking
# disable kdump
# set timezone and enable NTP
# set security policy to CPCP
# set installation destination to 'I will configure partitioning'
# 'Click here to create them automatically' and remove /home
# why xfs? http://danluu.com/file-consistency/
# set /boot (xfs) size to 500 MiB
# set swap size to 4 GiB
# set / (xfs) size to empty (rest of disk space)

## LVM
# set volume group name to vg00
# set logical volume names to lv_root and lv_swap

## Setup process
# set root password
# reboot
# 'Shut Down Guest'
# eject cd-rom
# set 'CD/DVD drive 1' to 'Client Device'
# uncheck 'Enable logging' at 'VM Options' -> 'Advanced'

## Configure CentOS
# 'Launch Remote Console'
# 'Power on' VM
# login as root

# edit /etc/sysconfig/selinux
# set 'SELINUX' to 'permissive'

# edit /etc/fstab
# set noatime for /

# comment these lines at /etc/logrotate.conf
# dateext

# comment these lines at the end of /etc/ssh/sshd_config
# ClientAliveInterval 300
# ClientAliveCountMax 0
# PermitRootLogin no
# set 'Banner' to '/etc/issue.net'

systemctl restart sshd.service

# login through ssh
# and set login banner to appropriate
# this one takes from http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Security/Baseline_Security/securebasebook/appendxA.html
cat << EOF > /etc/issue.net

UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED
You must have explicit, authorized permission to access or configure this device.
Unauthorized attempts and actions to access or use this system may result in civil and/or
criminal penalties.
All activities performed on this device are logged and monitored.

EOF

systemctl stop tuned.service
systemctl disable tuned.service

systemctl stop NetworkManager.service
systemctl disable NetworkManager.service
systemctl mask NetworkManager.service
systemctl enable network.service

yum remove -y $(yum list -q installed \*firmware\* | awk '{print $1}' | egrep -v 'Installed|alsa|linux')
yum install -y deltarpm yum-utils
yum clean expire-cache ; yum check-update ; yum update -y

systemctl reboot

package-cleanup -y --oldkernels --count=1

yum install -y bacula-client bash-completion bind-utils bzip2 epel-release iptables-services \
libselinux-python mailx man-pages man-pages-overrides mc nano net-tools nmap nmap-ncat open-vm-tools rsync \
telnet screen socat tcpdump vim vim-enhanced wget whois unzip yum-plugin-changelog yum-plugin-remove-with-leaves

systemctl start vmtoolsd.service

sed -i 's/always=false/always=true/' /etc/yum/pluginconf.d/changelog.conf
sed -i '/^#remove_always/s/^#//' /etc/yum/pluginconf.d/remove-with-leaves.conf

yum install -y htop

# if you use FreeIPA
yum install -y ipa-client

# if you use zabbix
yum install -y http://repo.zabbix.com/zabbix/3.0/rhel/7/x86_64/zabbix-release-3.0-1.el7.noarch.rpm
yum install -y zabbix-agent zabbix-get zabbix-sender

# sort /etc/passwd and /etc/group
pwck -s ; grpck -s

# clean VM and shutdown
yum clean all
cd /root ; rm -rfv .gnupg openscap_data .pki
cd /tmp ; rm -fv rm -rf ks-script* yum*
rm -fv /etc/ssh/ssh_host*
rm -fv /var/lib/NetworkManager/*
rm -rfv /var/log/anaconda

mkdir -p /root/bin
cat << EOF > /root/bin/wipelogs
#!/bin/sh

echo -n > \$1
EOF

chmod +x /root/bin/wipelogs
systemctl stop systemd-journald.socket
find /var/log -type f -exec /root/bin/wipelogs '{}' \;
rm -f /root/bin/wipelogs

mkdir -p /var/log/journal
cd /root ; rm -f .bash_history ; history -c
systemctl poweroff
	## Download latest CentOS 7 x86_64 minimal iso image

	## Good readings
	# https://labs.vmware.com/vmtj/methodology-for-performance-analysis-of-vmware-vsphere-under-tier-1-applications
	# https://labs.vmware.com/vmtj/virtualizing-latency-sensitive-applications-where-does-the-overhead-come-from

	## Create typical CentOS VM
	# compatible with 'ESXi 6.0 and later'
	# set 'Guest OS Family' to 'Linux'
	# set 'Guest OS Version' to 'CentOS 4/5/6/7 (64 bit)'
	## look at page 47 https://www.vmware.com/files/pdf/techpaper/VMware-PerfBest-Practices-vSphere6-0.pdf
	## consider to change it to 2 vCPU
	# set 'CPU' to 4
	# set 'Cores per Socket' to 4
	# check 'Enable CPU Hot Add'
	# set 'Memory' to 4096 MB
	# check 'Memory Hot Plug'
	# set 'New Hard disk' to 64 GB
	# check 'Disk Provisioning' to 'Thin provision'
	# set 'New SCSI controller' -> 'Change Type' to 'VMware Paravirtual'
	# set 'New CD/DVD Drive' to 'Datastore ISO File' and select your CentOS 7 iso image

	## Install CentOS 7
	# boot with biosdevname=0 net.ifnames=0 parameters
	# set language to English (United States)
	# enable networking
	# disable kdump
	# set timezone and enable NTP
	# set security policy to CPCP
	# set installation destination to 'I will configure partitioning'
	# 'Click here to create them automatically' and remove /home
	# why xfs? http://danluu.com/file-consistency/
	# set /boot (xfs) size to 500 MiB
	# set swap size to 4 GiB
	# set / (xfs) size to empty (rest of disk space)

	## LVM
	# set volume group name to vg00
	# set logical volume names to lv_root and lv_swap

	## Setup process
	# set root password
	# reboot
	# 'Shut Down Guest'
	# eject cd-rom
	# set 'CD/DVD drive 1' to 'Client Device'
	# uncheck 'Enable logging' at 'VM Options' -> 'Advanced'

	## Configure CentOS
	# 'Launch Remote Console'
	# 'Power on' VM
	# login as root

	# edit /etc/sysconfig/selinux
	# set 'SELINUX' to 'permissive'

	# edit /etc/fstab
	# set noatime for /

	# comment these lines at /etc/logrotate.conf
	# dateext

	# comment these lines at the end of /etc/ssh/sshd_config
	# ClientAliveInterval 300
	# ClientAliveCountMax 0
	# PermitRootLogin no
	# set 'Banner' to '/etc/issue.net'

	systemctl restart sshd.service

	# login through ssh
	# and set login banner to appropriate
	# this one takes from http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Security/Baseline_Security/securebasebook/appendxA.html
	cat << EOF > /etc/issue.net

	UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED
	You must have explicit, authorized permission to access or configure this device.
	Unauthorized attempts and actions to access or use this system may result in civil and/or
	criminal penalties.
	All activities performed on this device are logged and monitored.

	EOF

	systemctl stop tuned.service
	systemctl disable tuned.service

	systemctl stop NetworkManager.service
	systemctl disable NetworkManager.service
	systemctl mask NetworkManager.service
	systemctl enable network.service

	yum remove -y $(yum list -q installed \firmware\ \| awk '{print $1}' \| egrep -v 'Installed\|alsa\|linux')
	yum install -y deltarpm yum-utils
	yum clean expire-cache ; yum check-update ; yum update -y

	systemctl reboot

	package-cleanup -y --oldkernels --count=1

	yum install -y bacula-client bash-completion bind-utils bzip2 epel-release iptables-services \
	libselinux-python mailx man-pages man-pages-overrides mc nano net-tools nmap nmap-ncat open-vm-tools rsync \
	telnet screen socat tcpdump vim vim-enhanced wget whois unzip yum-plugin-changelog yum-plugin-remove-with-leaves

	systemctl start vmtoolsd.service

	sed -i 's/always=false/always=true/' /etc/yum/pluginconf.d/changelog.conf
	sed -i '/^#remove_always/s/^#//' /etc/yum/pluginconf.d/remove-with-leaves.conf

	yum install -y htop

	# if you use FreeIPA
	yum install -y ipa-client

	# if you use zabbix
	yum install -y http://repo.zabbix.com/zabbix/3.0/rhel/7/x86_64/zabbix-release-3.0-1.el7.noarch.rpm
	yum install -y zabbix-agent zabbix-get zabbix-sender

	# sort /etc/passwd and /etc/group
	pwck -s ; grpck -s

	# clean VM and shutdown
	yum clean all
	cd /root ; rm -rfv .gnupg openscap_data .pki
	cd /tmp ; rm -fv rm -rf ks-script* yum*
	rm -fv /etc/ssh/ssh_host*
	rm -fv /var/lib/NetworkManager/*
	rm -rfv /var/log/anaconda

	mkdir -p /root/bin
	cat << EOF > /root/bin/wipelogs
	#!/bin/sh

	echo -n > \$1
	EOF

	chmod +x /root/bin/wipelogs
	systemctl stop systemd-journald.socket
	find /var/log -type f -exec /root/bin/wipelogs '{}' \;
	rm -f /root/bin/wipelogs

	mkdir -p /var/log/journal
	cd /root ; rm -f .bash_history ; history -c
	systemctl poweroff