Post proxmox install
#!/usr/bin/env bash | |
################################################################################ | |
# This is property of eXtremeSHOK.com | |
# You are free to use, modify and distribute, however you may not remove this notice. | |
# Copyright (c) Adrian Jon Kriel :: [email protected] | |
################################################################################ | |
# | |
# Script updates can be found at: https://github.com/extremeshok/xshok-proxmox | |
# | |
# post-installation script for Proxmox | |
# | |
# License: BSD (Berkeley Software Distribution) | |
# | |
################################################################################ | |
# | |
# Assumptions: proxmox installed | |
# | |
# Notes: | |
# to disable the MOTD banner, set the env NO_MOTD_BANNER to true (export NO_MOTD_BANNER=true) | |
# | |
################################################################################ | |
# | |
# THERE ARE NO USER CONFIGURABLE OPTIONS IN THIS SCRIPT | |
# | |
################################################################################ | |
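# Set the locale
# NOTE(review): LC_ALL takes precedence over LANG for every category, so the
# es_ES value below only reaches processes that unset LC_ALL themselves.
export LANG="es_ES.UTF-8"
export LC_ALL="C"

## Force APT to use IPv4
printf 'Acquire::ForceIPv4 "true";\n\n' > /etc/apt/apt.conf.d/99force-ipv4

## Disable the enterprise proxmox repo (it needs a subscription key)
if [ -f /etc/apt/sources.list.d/pve-enterprise.list ]; then
  printf '#deb https://enterprise.proxmox.com/debian stretch pve-enterprise\n\n' \
    > /etc/apt/sources.list.d/pve-enterprise.list
fi

## Enable the public (no-subscription) proxmox repo unless one is already configured
if [ ! -f /etc/apt/sources.list.d/proxmox.list ] \
  && [ ! -f /etc/apt/sources.list.d/pve-public-repo.list ] \
  && [ ! -f /etc/apt/sources.list.d/pve-install-repo.list ]; then
  printf 'deb http://download.proxmox.com/debian stretch pve-no-subscription\n\n' \
    > /etc/apt/sources.list.d/pve-public-repo.list
fi

## Add non-free to sources (safe to re-run: the replacement no longer matches the pattern)
sed -i "s/main contrib/main non-free contrib/g" /etc/apt/sources.list

## Add the latest ceph provided by proxmox
echo "deb http://download.proxmox.com/debian/ceph-luminous stretch main" > /etc/apt/sources.list.d/ceph.list

## Refresh the package lists; every install below depends on them, so a
## failure here (no network, bad repo) must not be silently ignored.
apt-get update > /dev/null || { printf 'apt-get update failed\n' >&2; exit 1; }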
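## Remove conflicting utilities: the NTP daemons (systemd-timesyncd is
## configured later in this script) and ksm-control-daemon (ksmtuned is
## installed instead)
DEBIAN_FRONTEND=noninteractive apt-get -y -o Dpkg::Options::='--force-confdef' purge ntp openntpd chrony ksm-control-daemon

## Fix no public key error for debian repo; must come before the dist-upgrade
DEBIAN_FRONTEND=noninteractive apt-get -y -o Dpkg::Options::='--force-confdef' install debian-archive-keyring

## Update proxmox; abort rather than keep configuring a half-upgraded system
DEBIAN_FRONTEND=noninteractive apt-get -y -o Dpkg::Options::='--force-confdef' dist-upgrade \
  || { printf 'apt-get dist-upgrade failed\n' >&2; exit 1; }

## Refresh the appliance template index
pveam update

# (the original installed debian-archive-keyring a second time at this point;
# the repeat was redundant and is dropped)

## Install openvswitch for a virtual internal network
DEBIAN_FRONTEND=noninteractive apt-get -y -o Dpkg::Options::='--force-confdef' install openvswitch-switch

## Install zfs support, appears to be missing on some Proxmox installs.
DEBIAN_FRONTEND=noninteractive apt-get -y -o Dpkg::Options::='--force-confdef' install zfsutils

## Install zfs-auto-snapshot
DEBIAN_FRONTEND=noninteractive apt-get -y -o Dpkg::Options::='--force-confdef' install zfs-auto-snapshot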
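## Tune zfs-auto-snapshot retention
#######################################
# Replace the --keep=N value in a zfs-auto-snapshot cron file.
# No-op when the file does not exist.
# Arguments: $1 - cron file, $2 - number of snapshots to keep
# Returns:   0 when the file is absent, else sed's status
#######################################
set_snapshot_keep() {
  local cron_file=$1 keep=$2
  [ -f "$cron_file" ] || return 0
  sed -i "s|--keep=[0-9]*|--keep=${keep}|g" "$cron_file"
}

# NOTE(review): the original comments advertised 12/24/7/4/3 snapshots while the
# values actually written were 5/12/7/1/1.  The values are unchanged; the
# comments now state what is written.

# frequent snapshots: run every 5 minutes, keep 5
if [ -f /etc/cron.d/zfs-auto-snapshot ]; then
  set_snapshot_keep /etc/cron.d/zfs-auto-snapshot 5
  # rewrite the cron minute step (e.g. */15 -> */5)
  sed -i 's|*/[0-9]*|*/5|g' /etc/cron.d/zfs-auto-snapshot
fi
# keep 12 hourly snapshots
set_snapshot_keep /etc/cron.hourly/zfs-auto-snapshot 12
# keep 7 daily snapshots
set_snapshot_keep /etc/cron.daily/zfs-auto-snapshot 7
# keep 1 weekly snapshot
set_snapshot_keep /etc/cron.weekly/zfs-auto-snapshot 1
# keep 1 monthly snapshot
set_snapshot_keep /etc/cron.monthly/zfs-auto-snapshot 1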
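## Install missing ksmtuned (kernel same-page merging tuner) and enable it
DEBIAN_FRONTEND=noninteractive apt-get -y -o Dpkg::Options::='--force-confdef' install ksmtuned
systemctl enable ksmtuned
systemctl enable ksm

## Install ceph support; pveceph asks for confirmation, answer yes
echo "Y" | pveceph install

## Install common system utilities
# ipset is required by the fail2ban banaction configured later in this script
DEBIAN_FRONTEND=noninteractive apt-get -y -o Dpkg::Options::='--force-confdef' install \
  whois omping tmux sshpass wget axel nano pigz net-tools htop iptraf iotop iftop iperf \
  vim vim-nox unzip zip software-properties-common aptitude curl dos2unix dialog mlocate \
  build-essential git ipset
#snmpd snmp-mibs-downloader

## Install kexec, allows for quick reboots into the latest updated kernel set as
## primary in the boot-loader.  Use the command 'reboot-quick'.
# Pre-seed the debconf answer so the install stays non-interactive
echo "kexec-tools kexec-tools/load_kexec boolean false" | debconf-set-selections
DEBIAN_FRONTEND=noninteractive apt-get -y -o Dpkg::Options::='--force-confdef' install kexec-tools
cat <<'EOF' > /etc/systemd/system/kexec-pve.service
[Unit]
Description=boot into into the latest pve kernel set as primary in the boot-loader
Documentation=man:kexec(8)
DefaultDependencies=no
Before=shutdown.target umount.target final.target
[Service]
Type=oneshot
ExecStart=/sbin/kexec -l /boot/pve/vmlinuz --initrd=/boot/pve/initrd.img --reuse-cmdline
[Install]
WantedBy=kexec.target
EOF
systemctl enable kexec-pve.service
# Append the alias only once; the original appended on every run
if ! grep -qF "alias reboot-quick=" /root/.bash_profile 2>/dev/null; then
  echo "alias reboot-quick='systemctl kexec'" >> /root/.bash_profile
fi

## Remove no longer required packages and purge old cached updates
DEBIAN_FRONTEND=noninteractive apt-get -y -o Dpkg::Options::='--force-confdef' autoremove
DEBIAN_FRONTEND=noninteractive apt-get -y -o Dpkg::Options::='--force-confdef' autoclean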
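## Disable portmapper / rpcbind (security)
# NOTE(review): rpcbind is socket-activated on systemd hosts, so the socket
# unit has to be stopped and disabled as well; disabling only the service lets
# the next incoming connection on port 111 start the daemon again.  A unit that
# is not installed only produces an error message here.  NFSv3 storage needs
# rpcbind — skip this step if such storage is planned.
for rpc_unit in rpcbind.socket rpcbind.service; do
  systemctl stop "$rpc_unit"
  systemctl disable "$rpc_unit"
done

## Set Timezone to UTC and enable NTP
# NOTE(review): the timezone is set again (Europe/Madrid) near the end of this
# script, so the UTC value is transient.
timedatectl set-timezone UTC
cat <<'EOF' > /etc/systemd/timesyncd.conf
[Time]
NTP=0.pool.ntp.org 1.pool.ntp.org 2.pool.ntp.org 3.pool.ntp.org
FallbackNTP=0.debian.pool.ntp.org 1.debian.pool.ntp.org 2.debian.pool.ntp.org 3.debian.pool.ntp.org
RootDistanceMaxSec=5
PollIntervalMinSec=32
PollIntervalMaxSec=2048
EOF
# restart, not start: an already-running timesyncd would keep its old config
systemctl restart systemd-timesyncd
timedatectl set-ntp true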
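## Set pigz to replace gzip, 2x faster gzip compression
# The wrapper is written verbatim (quoted heredoc): $PATH and $@ are expanded
# when the wrapper runs, not now.
# NOTE(review): GZIP is assigned but not exported, so pigz never sees it; kept
# as in the original.
cat <<'EOF' > /bin/pigzwrapper
#!/bin/sh
PATH=/bin:$PATH
GZIP="-1"
exec /usr/bin/pigz "$@"
EOF
chmod +x /bin/pigzwrapper
# Divert the packaged gzip instead of mv'ing it: the diversion survives an
# upgrade of the gzip package (a plain mv is undone when dpkg unpacks the new
# binary) and is idempotent, so a second run cannot overwrite gzip.original
# with the wrapper the way 'mv -f /bin/gzip /bin/gzip.original' did.
# If gzip.original already exists from an earlier mv-based run, dpkg-divert
# refuses to overwrite it and the original stays intact.
dpkg-divert --add --rename --divert /bin/gzip.original /bin/gzip
cp -f /bin/pigzwrapper /bin/gzip
chmod +x /bin/gzip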
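## Detect if this is an OVH server by getting the global IP and checking the ASN
# The public IP is fetched over HTTPS: its value decides whether a vendor
# installer is executed as root below, so it must not be tamperable on the wire.
public_ip=$(curl -fsS https://ipinfo.io/ip 2> /dev/null)
if [ -n "$public_ip" ] \
  && whois -h v4.whois.cymru.com " -t ${public_ip}" | tail -n 1 | cut -d'|' -f3 | grep -qi "ovh"; then
  echo "Deteted OVH Server, installing OVH RTM (real time monitoring)"
  #http://help.ovh.co.uk/RealTimeMonitoring
  # NOTE(review): install_rtm.sh is fetched over unauthenticated FTP and run as
  # root; the original had no integrity check and none can be added here
  # without a published checksum.  Run it from a private temp dir so that a
  # pre-existing install_rtm.sh in the caller's cwd is never the one executed.
  rtm_dir=$(mktemp -d) && {
    wget ftp://ftp.ovh.net/made-in-ovh/rtm/install_rtm.sh -c -O "$rtm_dir/install_rtm.sh" \
      && bash "$rtm_dir/install_rtm.sh"
    rm -rf -- "${rtm_dir:?}"
  }
fi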
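## Protect the web interface with fail2ban
DEBIAN_FRONTEND=noninteractive apt-get -y -o Dpkg::Options::='--force-confdef' install fail2ban

# Filter: a pvedaemon authentication failure, <HOST> captures the client address.
# Quoted heredoc: the backslash is written literally (no shellcheck override needed).
cat <<'EOF' > /etc/fail2ban/filter.d/proxmox.conf
[Definition]
failregex = pvedaemon\[.*authentication failure; rhost=<HOST> user=.* msg=.*
ignoreregex =
EOF

# Jail: 3 failures ban the client for 1 hour
# NOTE(review): logpath assumes pvedaemon messages land in /var/log/daemon.log
# via syslog; verify on a journal-only host.
cat <<'EOF' > /etc/fail2ban/jail.d/proxmox.conf
[proxmox]
enabled = true
port = https,http,8006
filter = proxmox
logpath = /var/log/daemon.log
maxretry = 3
# 1 hour
bantime = 3600
EOF

# Ban via ipset-backed iptables rules (the ipset package is installed earlier in this script)
cat <<'EOF' > /etc/fail2ban/jail.local
[DEFAULT]
banaction = iptables-ipset-proto4
EOF

# The package starts fail2ban before the jail above exists; without a restart
# the proxmox jail would only become active at the next reboot.
systemctl enable fail2ban
systemctl restart fail2ban
##testing
#fail2ban-regex /var/log/daemon.log /etc/fail2ban/filter.d/proxmox.conf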
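## Increase vzdump backup speed, enable pigz and fix ionice
sed -i "s/#bwlimit:.*/bwlimit: 0/" /etc/vzdump.conf
sed -i "s/#pigz:.*/pigz: 1/" /etc/vzdump.conf
sed -i "s/#ionice:.*/ionice: 5/" /etc/vzdump.conf

#######################################
# Append a line to a file unless that exact line is already present, so that
# re-running this script does not accumulate duplicate entries (the original
# used plain '>>' / 'tee -a' and grew the files on every run).
# Arguments: $1 - line, $2 - file (created if missing)
#######################################
append_once() {
  local line=$1 file=$2
  grep -qxF -- "$line" "$file" 2>/dev/null || printf '%s\n' "$line" >> "$file"
}

## Bugfix: pve 5.1 high swap usage with low memory usage
append_once "vm.swappiness=10" /etc/sysctl.conf
## Bugfix: reserve 512MB memory for system
append_once "vm.min_free_kbytes = 524288" /etc/sysctl.conf
sysctl -p

## Remove subscription banner
if [ -f "/usr/share/javascript/proxmox-widget-toolkit/proxmoxlib.js" ]; then
  sed -i "s/data.status !== 'Active'/false/g" /usr/share/javascript/proxmox-widget-toolkit/proxmoxlib.js
  # create a daily cron to make sure the banner does not re-appear
  # (presumably after an update restores the original proxmoxlib.js)
  cat <<'EOF' > /etc/cron.daily/proxmox-nosub
#!/bin/sh
sed -i "s/data.status !== 'Active'/false/g" /usr/share/javascript/proxmox-widget-toolkit/proxmoxlib.js
EOF
  chmod 755 /etc/cron.daily/proxmox-nosub
fi

## Increase max user watches
# BUG FIX : No space left on device
echo 1048576 > /proc/sys/fs/inotify/max_user_watches
append_once "fs.inotify.max_user_watches=1048576" /etc/sysctl.conf
sysctl -p /etc/sysctl.conf

## Increase max FD limit / ulimit
# The marker comment on the first line guards against appending the block twice
if ! grep -qF "eXtremeSHOK.com Increase max FD limit" /etc/security/limits.conf 2>/dev/null; then
  cat <<'EOF' >> /etc/security/limits.conf
# eXtremeSHOK.com Increase max FD limit / ulimit
* soft nproc 256000
* hard nproc 256000
* soft nofile 256000
* hard nofile 256000
root soft nproc 256000
root hard nproc 256000
root soft nofile 256000
root hard nofile 256000
EOF
fi

## Enable TCP BBR congestion control
cat <<'EOF' > /etc/sysctl.d/10-kernel-bbr.conf
# eXtremeSHOK.com
# TCP BBR congestion control
net.core.default_qdisc=fq
net.ipv4.tcp_congestion_control=bbr
EOF

## Increase kernel max Key limit
cat <<'EOF' > /etc/sysctl.d/60-maxkeys.conf
# eXtremeSHOK.com
# Increase kernel max Key limit
kernel.keys.root_maxkeys=1000000
kernel.keys.maxkeys=1000000
EOF
# 'sysctl -p' above reads only /etc/sysctl.conf; load the new drop-ins now
# instead of waiting for the next boot
sysctl --system > /dev/null

## Set systemd ulimits
append_once "DefaultLimitNOFILE=256000" /etc/systemd/system.conf
append_once "DefaultLimitNOFILE=256000" /etc/systemd/user.conf
# pam_limits must be loaded for limits.conf to apply to sessions
for pam_file in common-session-noninteractive common-session runuser-l; do
  append_once 'session required pam_limits.so' "/etc/pam.d/$pam_file"
done

## Set ulimit for the shell user
# Absolute paths: the original 'cd ~ && ... ; ...' changed the script's working
# directory and, had the cd failed, would have written .profile into the cwd.
append_once "ulimit -n 256000" "$HOME/.bashrc"
append_once "ulimit -n 256000" "$HOME/.profile"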
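## Optimise ZFS arc size
if command -v zfs > /dev/null 2>&1; then
  # Installed RAM in (approximate) GB from the "total memory" line of vmstat -s,
  # which is in KiB; an empty value (vmstat failure) is treated as 0 instead of
  # producing an arithmetic error as the original did.
  RAM_KB=$(vmstat -s | grep -i "total memory" | xargs | cut -d" " -f 1)
  RAM_SIZE_GB=$(( ${RAM_KB:-0} / 1024 / 1000 ))
  if [[ RAM_SIZE_GB -lt 16 ]]; then
    # small hosts: 1GB min / 1GB max
    MY_ZFS_ARC_MIN=1073741824
    MY_ZFS_ARC_MAX=1073741824
  else
    # min = 1/16 of RAM, max = 1/8 of RAM, in bytes
    MY_ZFS_ARC_MIN=$((RAM_SIZE_GB * 1073741824 / 16))
    MY_ZFS_ARC_MAX=$((RAM_SIZE_GB * 1073741824 / 8))
  fi
  # Enforce the 1GB floor in case vmstat reported garbage
  if [[ MY_ZFS_ARC_MIN -lt 1073741824 ]]; then
    MY_ZFS_ARC_MIN=1073741824
  fi
  if [[ MY_ZFS_ARC_MAX -lt 1073741824 ]]; then
    MY_ZFS_ARC_MAX=1073741824
  fi
  # Unquoted heredoc on purpose: the two MY_ZFS_ARC_* values are expanded.
  # The first comment line used to say 1/16 for MAX and 1/8 for MIN, the
  # reverse of what is computed above; it now matches the code.
  cat <<EOF > /etc/modprobe.d/zfs.conf
# Use 1/16 RAM for MIN cache, 1/8 RAM for MAX cache, or 1GB on hosts with less than 16GB
options zfs zfs_arc_min=$MY_ZFS_ARC_MIN
options zfs zfs_arc_max=$MY_ZFS_ARC_MAX
# use the prefetch method
options zfs l2arc_noprefetch=0
# max write speed to l2arc
# tradeoff between write/read and durability of ssd (?)
# default : 8 * 1024 * 1024
# setting here : 500 * 1024 * 1024
options zfs l2arc_write_max=524288000
EOF
fi
# propagate the setting into the kernel: the modprobe options are read from the
# initramfs, so it has to be rebuilt for every installed kernel
update-initramfs -u -k all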
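## Local timezone (overrides the UTC value set earlier in this script)
timedatectl set-timezone Europe/Madrid

## Harden SSH: move it off port 22, allow key-based logins only
# Match the directives whether or not they are still commented out in the
# stock sshd_config; the original 's/#Port 22/.../' only matched the
# commented form and silently did nothing otherwise.
sed -i -E 's/^#?Port .*/Port 7850/' /etc/ssh/sshd_config
# Disabling password logins with no key in place would lock the operator out,
# so only do it when root already has an authorized key.
if [ -s /root/.ssh/authorized_keys ]; then
  sed -i -E 's/^#?PasswordAuthentication .*/PasswordAuthentication no/' /etc/ssh/sshd_config
else
  printf 'no key in /root/.ssh/authorized_keys: PasswordAuthentication left enabled, disable it after adding one\n' >&2
fi
# Validate before restarting so an invalid config cannot leave sshd down
sshd -t || { printf 'sshd_config is invalid, not restarting ssh\n' >&2; exit 1; }
/etc/init.d/ssh restart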
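## Firewall: ConfigServer Security & Firewall (CSF)
# unzip was already installed with the common utilities; -y keeps apt from
# prompting (and reading the answer from this script's stdin) if it was not.
DEBIAN_FRONTEND=noninteractive apt-get -y -o Dpkg::Options::='--force-confdef' install unzip > /dev/null
# Unpack in a private temp dir: the original used the fixed paths /tmp/csf.tgz
# and /tmp/csf, which any local user could pre-create so that root then runs
# their install.sh.  HTTPS replaces the plain-HTTP download so the tarball
# cannot be swapped in transit; there is still no integrity check beyond TLS.
csf_build=$(mktemp -d) || { printf 'mktemp failed\n' >&2; exit 1; }
if wget -q https://download.configserver.com/csf.tgz -O "$csf_build/csf.tgz" \
    && tar xzf "$csf_build/csf.tgz" -C "$csf_build" \
    && (cd "$csf_build/csf" && sh install.sh) \
    && [ -f /etc/csf/csf.conf ]; then
  # Leave testing mode, in which csf periodically flushes its own rules
  sed -i 's/TESTING = "1"/TESTING = "0"/g' /etc/csf/csf.conf
  # Inbound TCP allow-list: 22 dropped (ssh now listens on 7850), 5666, 7850 and
  # 8006 (pve web ui) added.  Anchored on the directive name: the original
  # pattern already contained 7850, which a stock csf.conf is unlikely to have,
  # so it would match nothing and csf would come up with the new ssh port and
  # the web ui blocked.
  sed -i 's/^TCP_IN = ".*"/TCP_IN = "20,21,25,53,80,110,143,443,465,587,993,995,5666,7850,8006"/' /etc/csf/csf.conf
  # (the original also ran two seds whose replacement equalled the pattern;
  # those no-ops are omitted)
  # NOTE(review): the alert address looks redacted in this copy; confirm it.
  sed -i 's/LF_ALERT_TO = ""/LF_ALERT_TO = "[email protected]"/g' /etc/csf/csf.conf
  sed -i 's/RESTRICT_SYSLOG = "0"/RESTRICT_SYSLOG = "3"/g' /etc/csf/csf.conf
  # Turn the per-user process tracking thresholds off (0)
  sed -i 's/PT_USERPROC = "10"/PT_USERPROC = "0"/g' /etc/csf/csf.conf
  sed -i 's/PT_USERMEM = "512"/PT_USERMEM = "0"/g' /etc/csf/csf.conf
  sed -i 's/PT_USERRSS = "256"/PT_USERRSS = "0"/g' /etc/csf/csf.conf
  sed -i 's/PT_USERTIME = "1800"/PT_USERTIME = "0"/g' /etc/csf/csf.conf
  # disable then re-enable so csf/lfd pick up the edited config
  csf -x
  csf -e
else
  printf 'csf download or install failed; firewall not configured\n' >&2
fi
rm -rf -- "${csf_build:?}"

## Daily logwatch report (htop/vim were installed above; -y avoids a prompt)
DEBIAN_FRONTEND=noninteractive apt-get -y -o Dpkg::Options::='--force-confdef' install htop vim logwatch > /dev/null
# Guarded so a re-run does not append a second --mailto to the same line.
# NOTE(review): the recipient address looks redacted in this copy; confirm it.
if ! grep -q -- '--mailto' /etc/cron.daily/00logwatch 2>/dev/null; then
  sed -i 's/--output mail/--output mail --mailto [email protected] --detail high/g' /etc/cron.daily/00logwatch
fi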
## Script Finish: yellow (bold) reminder to reboot, colour reset afterwards
printf '\033[1;33m Finished....please restart the system \033[0m\n'