Delete the old server (188.138.72.82) after the migration (re-install the base image via the admin panel) and CANCEL the contract
Documentation - Almitra, migration to new hardware (2021)
- old phys IP : 188.138.72.82
- 32GB RAM
- 2TB SATA HDD (RAID1)
- IP: 85.25.95.149
- ReverseDNS (# s4y-dns-panel) : luna245.startdedicated.net
- Cost: 27.99 EUR per month (contract start 210818)
- admin-panel: https://www.server4you.de/
- Configs (/etc) are managed with git - don't forget to check them in regularly after config changes - migration documentation (state of affairs) via 'hnb' (root user)
important scripts:
/root/bin/vm_iptables/vm_ssh_forwarding.sh
Base installation - OS & security
- Debian 10 stable
- Configs (/etc) are managed with git - don't forget to check them in regularly after config changes
apt-get install configure-debian hnb htop ncdu nmap rsync sudo tcpdump tmux vim
apt-get install apache2 libapache2-mod-rpaf libapache2-mod-php
apt-get install docker-ce docker-ce-cli containerd.io docker-compose
apt-get install qemu-kvm virt-manager

# Firewall & SSH port forwarding to VMs etc.
luna245:~# cd /root/bin/vm_iptables/
luna245:~/bin/vm_iptables# ./vm_ssh_forwarding.sh restart
# TODO configure fail2ban
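The page only calls /root/bin/vm_iptables/vm_ssh_forwarding.sh and does not show its contents. The script below is an added example of what such port forwarding looks like, not the page's own script: it DNATs one high port of the physical host to SSH on each NATed KVM guest. Everything in it is assumed: guests on libvirt's default 192.168.122.0/24 network, the public interface name in PUB_IF, and the guest/port mapping in FORWARDS, which is a constructed sample.

```shell
#!/bin/sh
# Added example, not the page's /root/bin/vm_iptables/vm_ssh_forwarding.sh: expose SSH of
# NATed KVM guests on distinct high ports of the physical host. Assumptions (all mine):
# guests live on libvirt's default 192.168.122.0/24 network, the public interface is
# $PUB_IF, and the guest-to-port mapping in $FORWARDS is a constructed sample.
set -u

PUB_IF="${PUB_IF:-eth0}"
IPT="${IPT:-iptables}"        # IPT="echo iptables" gives a dry run that only prints the rules

# name:guest_ip:external_port  (constructed sample, not the page's real guests)
FORWARDS="aaa:192.168.122.10:2201 anyplanet:192.168.122.11:2202"

# IPv4 dotted quad with every octet in 0..255
valid_ip() {
  old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for o in "$@"; do
    case $o in ''|*[!0-9]*) return 1;; esac
    [ "$o" -le 255 ] || return 1
  done
}

# only unprivileged ports, so a typo cannot shadow a service of the host itself
valid_port() {
  case $1 in ''|*[!0-9]*) return 1;; esac
  [ "$1" -ge 1024 ] && [ "$1" -le 65535 ]
}

# DNAT the external port to guest:22 and allow that flow through FORWARD.
# -I (insert) rather than -A: libvirt puts its own "-o virbr0 -j REJECT" rule into
# FORWARD, and an appended ACCEPT would sit behind it and never match.
forward_rules() {
  guest_ip=$1 ext_port=$2
  valid_ip "$guest_ip"   || { echo "bad guest ip: $guest_ip" >&2; return 1; }
  valid_port "$ext_port" || { echo "bad external port: $ext_port" >&2; return 1; }
  $IPT -t nat -A PREROUTING -i "$PUB_IF" -p tcp --dport "$ext_port" \
       -j DNAT --to-destination "$guest_ip:22"
  $IPT -I FORWARD -i "$PUB_IF" -p tcp -d "$guest_ip" --dport 22 \
       -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
}

# install the rules for every entry in FORWARDS; stop at the first bad entry
forward_all() {
  for entry in $FORWARDS; do
    old_ifs=$IFS; IFS=:; set -- $entry; IFS=$old_ifs
    [ $# -eq 3 ] || { echo "malformed entry: $entry" >&2; return 1; }
    forward_rules "$2" "$3" || return 1
  done
}
```

Run it once with IPT="echo iptables" and compare the printed rules against `iptables -t nat -S PREROUTING` and `iptables -S FORWARD` before applying; the return traffic and MASQUERADE for the guests is left to libvirt's own rules for the default network.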
Domains
- [X] füralle.de
- admin-panel: strato.de
- Cost: 1 EUR per month
- [X] kuchenfüralle.de
- admin-panel: strato.de
- Cost: 1 EUR per month
- [P] anypla.net
- admin-panel: https://www.server4you.de/
- Cost:
- [X] allesaufanfang.net
- admin-panel: https://www.server4you.de/
- Cost:
- [X] dragon-in-repose.com
- admin-panel: https://www.server4you.de/
- Cost:
Data transfer (rsync) - Docker containers & KVM VMs
# --- Docker containers
rsync -av /srv/docker/minetest 85.25.95.149:/srv/docker
rsync -av /srv/docker/volumes/minetest 85.25.95.149:/srv/docker/volumes
rsync -av /srv/docker/reminiscence 85.25.95.149:/srv/docker
rsync -av /srv/docker/volumes/reminiscence 85.25.95.149:/srv/docker/volumes
rsync -av /srv/docker/nextcloud 85.25.95.149:/srv/docker
rsync -av /srv/docker/opentrashmail 85.25.95.149:/srv/docker
rsync -av /srv/docker/volumes/opentrashmail 85.25.95.149:/srv/docker/volumes
rsync -av /srv/docker/miniflux 85.25.95.149:/srv/docker
rsync -av /srv/docker/dokuwiki 85.25.95.149:/srv/docker
rsync -av /srv/docker/volumes/dokuwiki2 85.25.95.149:/srv/docker/volumes
rsync -av /srv/docker/service-mail 85.25.95.149:/srv/docker
# --- KVM VMs
rsync -av /var/lib/libvirt/images/aaa.qcow2 85.25.95.149:/var/lib/libvirt/images
rsync -av /var/lib/libvirt/images/anyplanet*.qcow2 85.25.95.149:/var/lib/libvirt/images
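The rsync calls above all follow the same pattern (source directory without trailing slash, parent directory as destination). The helper below is an added example, not the page's own commands, that wraps that pattern and handles the two things that bite on a migration of Docker volumes: a trailing slash on the source silently changes what gets copied, and ownership must be preserved by numeric uid/gid because the new host may not have the same users yet (the page's ls output shows volumes owned by s3h10r/docker). The destination host and the paths used in the test are constructed; RSYNC is overridable so the generated commands can be inspected without a remote.

```shell
#!/bin/sh
# Added example (not the page's own commands): sync service directories from the old
# host to the new one the way the page's rsync calls do (parent directory as the
# destination). RSYNC is overridable so the command list can be checked without a
# remote host; paths and host names in the usage are constructed.
set -u

RSYNC="${RSYNC:-rsync}"
# -a keeps mode/owner/times, -H keeps hardlinks (Docker image layers use them),
# --numeric-ids keeps uid/gid numbers even if the new host has no matching user yet
RSYNC_OPTS="-aH --numeric-ids"

# sync one local directory into the same parent directory on DST_HOST
sync_dir() {
  dst_host=$1 src=$2
  [ -d "$src" ] || { echo "skipping $src: not a directory" >&2; return 1; }
  src=${src%/}   # without the trailing slash rsync copies the directory itself, not just its contents
  $RSYNC $RSYNC_OPTS "$src" "$dst_host:$(dirname "$src")"
}

# sync every directory given on the command line; stop at the first failure so a
# typo does not silently leave one service behind
migrate() {
  dst_host=$1; shift
  for d in "$@"; do
    sync_dir "$dst_host" "$d" || return 1
  done
}

# usage (constructed): migrate 85.25.95.149 /srv/docker/minetest /srv/docker/volumes/minetest
```

Stop the containers before the final run so the volumes are quiescent; a second `migrate` after the first copy only transfers the delta.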
Webserver
a2enmod ssl proxy proxy_http php7.3 rpaf rewrite   # module names without the "mod-" prefix, otherwise a2enmod does not find them
a2ensite 000-default.conf default-ssl.conf   #FIXMEP3 default-ssl.conf uses a self-signed cert (snakeoil)
a2ensite vm_aaa vm_aaa_ssl
a2ensite dragon-in-repose.com.conf dragon-in-repose.com-le-ssl.conf
a2ensite füralle.de füralle.de-le-ssl.conf monitoring.füralle.de-le-ssl.conf

luna245:/etc# ls /etc/apache2/sites-enabled/
000-default.conf
default-ssl.conf
dragon-in-repose.com.conf
dragon-in-repose.com-le-ssl.conf
füralle.de.conf
füralle.de-le-ssl.conf
monitoring.füralle.de-le-ssl.conf
vm_aaa.conf
vm_aaa-le-ssl.conf
luna245:/etc# date
Fri 20 Aug 2021 12:17:54 PM CEST
luna245:/etc#
Renew SSL certificates
certbot --apache -d allesaufanfang.de
certbot --apache -d anypla.net
certbot --apache -d apps.anypla.net
certbot --apache -d cloud.anypla.net
certbot --apache -d connect.anypla.net
certbot --apache -d mail.anypla.net
[certbot --apache -d wiki.anypla.net]   # TODO: mediawiki instead of dokuwiki (apps.anypla.net/wiki/)
certbot --apache -d dragon-in-repose.com
certbot --apache -d xn--fralle-3ya.de   # Punycode!
certbot --apache -d apps.xn--fralle-3ya.de
certbot --apache -d kochen.xn--fralle-3ya.de
certbot --apache -d mail.xn--fralle-3ya.de
certbot --apache -d monitoring.xn--fralle-3ya.de
Docker
/root/bin/vm_iptables/vm_ssh_forwarding.sh
$ apt-get install docker-ce docker-ce-cli containerd.io docker-compose
luna245:/srv/docker# date
Sun 22 Aug 2021 09:39:47 PM CEST
luna245:/srv/docker# ls -l /srv/docker/
total 40
drwxr-xr-x  2 root   root   4096 Aug 20 13:07 dokuwiki
lrwxrwxrwx  1 root   root     48 Aug 19 17:53 kochen.füralle.de -> /home/s3h10r/development/mychef-meinerezepte.de/
drwxr-xr-x  3 s3h10r docker 4096 Aug 20 11:08 minetest
drwxr-xr-x  2 root   root   4096 Aug  1  2020 miniflux
-rwxr-xr-x  1 root   root    182 Aug 20 13:02 mydocker-helpers.sh
drwxr-xr-x  4 s3h10r docker 4096 Aug 20 13:21 nextcloud
drwxr-xr-x  2 root   root   4096 Aug  2  2020 opentrashmail
drwxr-xr-x 17 s3h10r root   4096 Mar 21 13:49 reminiscence
drwxr-xr-x  5 root   root   4096 May 24 17:34 service-mail
drwxr-xr-x  6 s3h10r docker 4096 Aug 20 12:35 volumes
drwxr-xr-x  2 root   root   4096 Aug 19 19:49 zabbix

luna245:/srv/docker/kochen.füralle.de# docker-compose stop && docker-compose build && docker-compose up -d
Building web
Step 1/10 : FROM debian:10-slim
10-slim: Pulling from library/debian
e1acddbe380c: Pull complete
Digest: sha256:1b138699146ca36569f2f2098c8e22c56756b5776f7668a6a294f81a2bef2a2d
Status: Downloaded newer image for debian:10-slim
...
Container
luna245:/srv/docker/zabbix# docker container ls
CONTAINER ID   IMAGE                                             COMMAND                  CREATED      STATUS      PORTS                                            NAMES
758a81861723   nextcloud:21.0.0                                  "/entrypoint.sh apac…"   2 days ago   Up 2 days   0.0.0.0:8090->80/tcp                             nextcloud
e423321f4640   reminiscence_nginx                                "/docker-entrypoint.…"   2 days ago   Up 2 days   0.0.0.0:8100->80/tcp                             reminiscence_nginx_1
6b275e569e6a   reminiscence_web                                  "bash -c 'while ! nc…"   2 days ago   Up 2 days   0.0.0.0:8101->8000/tcp                           reminiscence_web_1
eee83d39e019   postgres:11                                       "docker-entrypoint.s…"   2 days ago   Up 2 days   5432/tcp                                         reminiscence_db_1
c1950b1eaf20   linuxserver/dokuwiki                              "/init"                  2 days ago   Up 2 days   443/tcp, 0.0.0.0:4280->80/tcp                    dokuwiki
936d542d1937   linuxserver/minetest:5.2.0-ls50                   "/usr/bin/minetestse…"   2 days ago   Up 2 days   0.0.0.0:30000->30000/udp                         minetest
0952f7c9e4b4   zabbix/zabbix-web-nginx-pgsql:alpine-5.4-latest   "docker-entrypoint.sh"   2 days ago   Up 2 days   0.0.0.0:2280->8080/tcp, 0.0.0.0:2443->8443/tcp   zabbix-web-nginx-pgsql
8407c4292b83   zabbix/zabbix-server-pgsql:alpine-5.4-latest      "/sbin/tini -- /usr/…"   2 days ago   Up 2 days   0.0.0.0:10051->10051/tcp                         zabbix-server-pgsql
cb58f1f644ab   zabbix/zabbix-snmptraps:alpine-5.4-latest         "/usr/sbin/snmptrapd…"   2 days ago   Up 2 days   0.0.0.0:162->1162/udp                            zabbix-snmptraps
7c009a03fa22   postgres:latest                                   "docker-entrypoint.s…"   2 days ago   Up 2 days   5432/tcp                                         postgres-server
c0377a22e8b1   mychef-meinerezeptede_nginx                       "/docker-entrypoint.…"   2 days ago   Up 2 days   0.0.0.0:4242->80/tcp                             mychef-meinerezeptede_nginx_1
c2eb03f10f57   mychef-meinerezeptede_web                         "python3 /code/meine…"   2 days ago   Up 2 days   0.0.0.0:4281->8000/tcp                           mychef-meinerezeptede_web_1
kochen.füralle.de
monitoring.füralle.de - zabbix
cloud.anypla.net - nextcloud
docker run -d --name nextcloud -p 8090:80 \
  -v /srv/docker/nextcloud/data:/var/www/html/data \
  -v /srv/docker/nextcloud/config:/var/www/html/config \
  nextcloud:19.0.9

# changing passwd
# open a shell as user www-data in the nextcloud container
# (-u belongs before the container name; "/bin/bash -u" would start a root shell with nounset instead)
# $ docker exec -it -u www-data nextcloud /bin/bash
# and inside it then (here 'nextcloud' is the admin user)
# $ php /var/www/html/occ user:resetpassword nextcloud

crontab -e
*/15 * * * * /usr/bin/docker exec -u www-data nextcloud php -f /var/www/html/cron.php 2>&1
apps.anypla.net/links/
apps.anypla.net/wiki/
[SOLVED] Search no longer finds anything - rebuild the search index
- https://www.dokuwiki.org/de:cli : indexer.php
# rebuild the dokuwiki search index (manually)
docker exec -it c1 bash
root@c1950b1eaf20:/# /app/dokuwiki/bin/indexer.php
exit
# rebuild the dokuwiki search index (cronjob, one-liner) #TODOP2
crontab -e
...
TODO opentrashmail
?!? TODO: network connection between docker-containers & kvm VMs ?!?
Idea: what one could perhaps try instead: an active zabbix_agent on the KVM host -> it then connects to the "public phys. host IP + port", which in turn goes to the docker instance (10050?). Prerequisite: the active agent works such that it alone initiates the connection to the server...
Virtualization (KVM)
- /var/lib/libvirt/images/ - VMs (HDDs)
- /srv/vm/iso - OS installation images (win10, windows-server-2016/2019/...)
- VMs:
- [X] aaa # allesaufanfang.net # dirk's debian7 legacy VM
- [X] anyplanet # blog.anypla.net and code.anypla.net (gitlab)
- [P] cln-w10.anypla.net # for RDP
$ apt-get install qemu-kvm virt-manager
luna245:~/bin# ls -l /var/lib/libvirt/images/
total 12582916
-rw-r--r-- 1 libvirt-qemu libvirt-qemu 12884901888 Aug 20 01:23 aaa.qcow2
Administration via virsh or graphically via virt-manager.
aomame
gitlab upgrade
# Upgrade from 12.7.5 to 13.5.4
apt-get install gitlab-ce=12.9.2-ce.0
apt-get install gitlab-ce=12.10.14-ce.0
apt-get install gitlab-ce=13.0.14-ce.0
wget --content-disposition https://packages.gitlab.com/gitlab/gitlab-ce/packages/debian/buster/gitlab-ce_13.1.11-ce.0_amd64.deb/download.deb
dpkg -i gitlab-ce_13.1.11-ce.0_amd64.deb
wget --content-disposition https://packages.gitlab.com/gitlab/gitlab-ce/packages/debian/buster/gitlab-ce_13.5.4-ce.0_amd64.deb/download.deb
dpkg -i gitlab-ce_13.5.4-ce.0_amd64.deb
apt clean

# ... to 14.1.2
apt-get install gitlab-ce=13.9.2-ce.0
apt-get install gitlab-ce=13.12.9-ce.0
apt-get install gitlab-ce=14.0.7-ce.0
apt-get install gitlab-ce=14.1.2-ce.0

# ... to 14.10 (#ts-220531)
# automated as a script (:
root@aomame:~/bin# cat update_gitlab.debian.sh
#!/bin/bash
#set -x

# abort the upgrade chain as soon as one step fails
function exit_on_error(){
    if [ $1 -ne 0 ]; then
        echo "command '$2' failed."
        exit 10
    else
        echo "command '$2' succeeded."
    fi
}

# upgrade path, one step per array element (each step must finish before the next one)
CMD=("apt-get install gitlab-ce=14.6.7-ce.0" \
     "apt-get install gitlab-ce=14.7.7-ce.0" \
     "apt-get install gitlab-ce=14.8.6-ce.0" \
     "apt-get install gitlab-ce=14.9.3-ce.0" \
     "apt-get install gitlab-ce=14.10.0-ce.0")

for cmd in "${CMD[@]}"; do    # the quotes are necessary here
    echo "running '${cmd}'..."
    ${cmd}                    # unquoted on purpose: word splitting turns the string into a command
    exit_on_error $? "$cmd"
    apt clean                 # free tons of space (apt cache)
done
echo "whoopwhoop. gitlab-upgrade succeeded. (:"
apt-get update && apt-get upgrade
apt clean
LUKS crypto disks - extension
Current solution: 2 new LVs.
- /dev/aomame-vg/opt mounted at /opt
- /dev/aomame-vg/var mounted at /var
Both of these LVs can be resized online at will without problems (lvextend & resize2fs). There are still several GB free in the VG.
Never resize the boot/root LV - here that unfortunately causes nasty problems because of cryptodisk 2 (vdb_crypt), which would have to be decrypted before booting!
210822, hessenm * ''/dev/vdb'' (40gb) added
cryptsetup -y -v --type luks2 luksFormat /dev/vdb
cryptsetup luksOpen /dev/vdb vdb_crypt
pvcreate /dev/mapper/vdb_crypt
vgextend aomame-vg /dev/mapper/vdb_crypt
root@aomame:~# cat /etc/crypttab
vda5_crypt UUID=cc385d17-244f-4bf9-a4dc-c0b694ecf806 none luks
root@aomame:~# uuid="$(blkid -o value -s UUID /dev/vdb)"
root@aomame:~# echo "vdb_crypt UUID=$uuid none luks" >> /etc/crypttab
root@aomame:~# cat /etc/crypttab
vda5_crypt UUID=cc385d17-244f-4bf9-a4dc-c0b694ecf806 none luks
vdb_crypt UUID=fd5e3f22-d285-42b3-be84-70d652a59a32 none luks
cryptdisks_start vdb_crypt
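The crypttab step above pipes whatever blkid returns straight into /etc/crypttab; if blkid prints nothing (wrong device, not yet formatted) that leaves a line reading "vdb_crypt UUID= none luks", and running the notes a second time appends a duplicate. The helper below is an added example, not from the page, that does the same bookkeeping with those two checks. The luksFormat/luksOpen/pvcreate/vgextend steps are unchanged and not part of it; BLKID and CRYPTTAB are overridable so it can be exercised against a temporary file, and the UUIDs used in the test are constructed.

```shell
#!/bin/sh
# Added example (not from the page): add a crypttab entry for a LUKS volume without
# writing the empty "UUID=" line a silent blkid failure would leave behind, and
# without appending a duplicate on re-runs. BLKID and CRYPTTAB are overridable so the
# function can be exercised against a temporary file; device names and UUIDs used in
# any test are constructed.
set -u

BLKID="${BLKID:-blkid}"
CRYPTTAB="${CRYPTTAB:-/etc/crypttab}"

# print the UUID of a block device; non-zero exit if blkid failed or returned nothing
luks_uuid() {
  uuid=$($BLKID -o value -s UUID "$1") || return 1
  [ -n "$uuid" ] || return 1
  printf '%s\n' "$uuid"
}

# append "<name> UUID=<uuid> none luks" to CRYPTTAB; idempotent, refuses empty UUIDs
add_crypttab_entry() {
  name=$1 dev=$2
  uuid=$(luks_uuid "$dev") || { echo "no UUID for $dev, refusing to touch $CRYPTTAB" >&2; return 1; }
  # same mapper name or same UUID already present? then there is nothing to do
  if grep -qE "^$name[[:space:]]|UUID=$uuid([[:space:]]|\$)" "$CRYPTTAB" 2>/dev/null; then
    echo "$name / $uuid already in $CRYPTTAB" >&2
    return 0
  fi
  printf '%s UUID=%s none luks\n' "$name" "$uuid" >> "$CRYPTTAB"
}

# usage as on the page (after luksFormat/luksOpen): add_crypttab_entry vdb_crypt /dev/vdb
```

After the entry is in place, `cryptdisks_start vdb_crypt` as on the page, and check `cat /etc/crypttab` once more before the next reboot.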
VoIP & Videoconference
Monitoring (Zabbix)
/usr/local/etc/zabbix_agent2.conf
/var/log/zabbix_agent2.log
setup
- how to compile the zabbix agent2 on debian linux
- zabbix agent 2 supports monitoring docker containers
groupadd zabbix
useradd -g zabbix -s /bin/bash zabbix
apt-get update
apt-get install build-essential libmariadb-dev libssl-dev libsnmp-dev libevent-dev pkg-config
apt-get install libopenipmi-dev libxml2-dev libssh2-1-dev libpcre3-dev mlocate
apt-get install libldap2-dev libiksemel-dev libcurl4-openssl-dev libgnutls28-dev
cd /usr/local/src/
wget https://dl.google.com/go/go1.14.2.linux-amd64.tar.gz
tar -C /usr/local/ -zxvf go1.14.2.linux-amd64.tar.gz
vi /etc/profile.d/go.sh
    #!/bin/bash
    export GOROOT=/usr/local/go
    export GOPATH=$GOROOT/work
    export PATH=$PATH:$GOROOT/bin:$GOPATH/bin
source /etc/profile.d/go.sh
env | grep -E "(ROOT|GOPATH)"   # verify the required environment variables are available now
wget https://cdn.zabbix.com/zabbix/sources/stable/5.4/zabbix-5.4.3.tar.gz
tar -xvzf zabbix-5.4.3.tar.gz   # unpacks to zabbix-5.4.3 (the notes still had the 5.0.0 directory from the how-to here)
cd zabbix-5.4.3
./configure --enable-agent --enable-agent2 --with-openssl
make
make install
updatedb
locate zabbix_agent2.conf
vi /usr/local/etc/zabbix_agent2.conf
    LogFile=/tmp/zabbix_agent2.log
    Server=127.0.0.1,192.168.15.10
    ServerActive=192.168.15.10
    Hostname=DOCKER
    ControlSocket=/tmp/agent.sock
    DenyKey=system.run[*]   # refuse remote command execution via the agent
/usr/local/sbin/zabbix_agent2 &
Zabbix Proxy - monitoring VMs etc.
Unfortunately the KVM VMs cannot talk to the Docker containers without attaching them to the same bridge. TODO Therefore a Zabbix proxy is installed on the physical host.
# --- checking zabbix server version
luna245:~# docker exec -it --user root zabbix-server-pgsql zabbix_server -V
zabbix_server (Zabbix) 5.4.3
Revision 68dc2b0 21 July 2021, compilation time: Aug  5 2021 17:07:27

Copyright (C) 2021 Zabbix SIA
License GPLv2+: GNU GPL version 2 or later <http://gnu.org/licenses/gpl.html>.
This is free software: you are free to change and redistribute it according to
the license. There is NO WARRANTY, to the extent permitted by law.

This product includes software developed by the OpenSSL Project
for use in the OpenSSL Toolkit (http://www.openssl.org/).

Compiled with OpenSSL 1.1.1k  25 Mar 2021
Running with OpenSSL 1.1.1k  25 Mar 2021

cd /usr/local/src && wget https://cdn.zabbix.com/zabbix/sources/stable/5.4/zabbix-5.4.3.tar.gz
tar -xvzf zabbix-5.4.3.tar.gz
cd zabbix-5.4.3
./configure --enable-proxy --with-sqlite3
make
make install
cat /usr/local/src/zabbix-5.4.3/database/sqlite3/schema.sql | sqlite3 /var/lib/zabbix/zabbix_proxy.db
chown -R zabbix:zabbix /var/lib/zabbix/zabbix_proxy.db
ln -s /usr/local/etc/zabbix_proxy.conf /etc/zabbix/zabbix_proxy.conf
ln -s /usr/local/etc/zabbix_proxy.conf.d/ /etc/zabbix/zabbix_proxy.conf.d
vi /etc/zabbix/zabbix_proxy.conf
/usr/local/sbin/zabbix_proxy
tail -10f /var/log/zabbix_proxy.log
docker logs zabbix-server-pgsql
TODOs
- [ ] use the fail2ban template https://github.com/hermanekt - see also under 101 zabbix
- [P] configure mail notifications (Administration/User/Media)
- [ ] test via Administration/MediaTypes/email (settings can be entered and tested there) ⇒ currently fails/ERROR!