Ubuntu 16 + Base

by choice_ai

Ubuntu as a user
Build essentials
Nginx
Git
Python 2.7
Java 8
MongoDB 3.4 repository key

Compatible with: Ubuntu 16.04 LTS
#!/bin/bash
#
# StackScript Bash Library
# copied from https://www.linode.com/stackscripts/view/1 as multiple level imports are not allowed

###########################################################
# System
###########################################################


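function system_primary_ip {
    # Prints the IPv4 address that ifconfig reports for eth0.
    #
    # Outputs: the address on stdout (an empty line if eth0 has none or
    #          ifconfig is unavailable). Relies on the net-tools
    #          "inet addr:" output format that Ubuntu 16.04 ships.
    local addr
    addr=$(ifconfig eth0 | awk -F: '/inet addr:/ {print $2}' | awk '{ print $1 }')
    # quoted so an unexpected value is never word-split or glob-expanded
    printf '%s\n' "$addr"
}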

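function system_secondary_ip {
    # Prints the IPv4 address that ifconfig reports for the eth0:1 alias
    # (the secondary address, not the primary one).
    #
    # Outputs: the address on stdout (an empty line if the alias does not
    #          exist or ifconfig is unavailable). Relies on the net-tools
    #          "inet addr:" output format that Ubuntu 16.04 ships.
    local addr
    addr=$(ifconfig eth0:1 | awk -F: '/inet addr:/ {print $2}' | awk '{ print $1 }')
    # quoted so an unexpected value is never word-split or glob-expanded
    printf '%s\n' "$addr"
}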

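function system_set_hostname {
    # Writes the given name to /etc/hostname and applies it with hostname -F.
    #
    # $1 - The hostname to define
    #
    # Returns 0 on success; 1 when $1 is empty or is not a plausible
    # hostname (letters, digits, '.' and '-' only), so a stray newline or
    # shell metacharacter never lands in /etc/hostname. Diagnostics go to
    # stderr. A local is used so the shell's own HOSTNAME is not clobbered.
    local new_hostname="$1"

    if [[ -z "$new_hostname" ]]; then
        echo "Hostname undefined" >&2
        return 1
    fi
    if [[ ! "$new_hostname" =~ ^[A-Za-z0-9.-]+$ ]]; then
        echo "Hostname '$new_hostname' contains characters that are not valid in a hostname" >&2
        return 1
    fi

    # printf rather than echo: a name such as "-n" would otherwise be
    # swallowed as an echo option
    printf '%s\n' "$new_hostname" > /etc/hostname || return 1
    hostname -F /etc/hostname
}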

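function system_add_host_entry {
    # Appends "IP FQDN" as one line to /etc/hosts.
    #
    # $1 - The IP address to set a hosts entry for
    # $2 - The FQDN to set to the IP
    #
    # Returns 0 on success; 1 when either argument is empty (message on
    # stderr) or when /etc/hosts cannot be written. Locals are used so the
    # script-level IPADDR variable is not overwritten by a call.
    local ip_address="$1"
    local fqdn="$2"

    # [[ with || replaces the deprecated and ambiguous `[ ... -o ... ]`
    if [[ -z "$ip_address" || -z "$fqdn" ]]; then
        echo "IP address and/or FQDN Undefined" >&2
        return 1
    fi

    # printf keeps both values intact even if one starts with '-'
    printf '%s %s\n' "$ip_address" "$fqdn" >> /etc/hosts
}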

###########################################################
# Users and Authentication
###########################################################


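function user_add_sudo {
    # Installs sudo if needed and creates a user in the sudo group.
    #
    # $1 - Required - username
    # $2 - Required - password
    #
    # Returns 0 on success; 1 when either argument is empty (message on
    # stderr) or when the account cannot be created, so chpasswd/usermod
    # are never run against a user that does not exist.
    local username="$1"
    local password="$2"

    if [[ -z "$username" || -z "$password" ]]; then
        echo "No new username and/or password entered" >&2
        return 1
    fi

    # apt-get, like every other install in this script; aptitude may not
    # be present on a minimal Ubuntu 16.04 image
    apt-get -y install sudo
    adduser "$username" --disabled-password --gecos "" || return 1
    # the password travels over chpasswd's stdin, never an argv, so it is
    # not visible in `ps`; printf avoids echo's option handling
    printf '%s:%s\n' "$username" "$password" | chpasswd || return 1
    usermod -aG sudo "$username"
}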

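# This sets the variable $IPADDR to the IP address the new Linode receives.
# IPADDR2 holds the address of the eth0:1 alias. Both are kept for the
# commented-out hosts entries below; nothing else in this script reads them.
IPADDR=$(system_primary_ip)
IPADDR2=$(system_secondary_ip)

# HOSTNAME is not declared in this file (presumably a StackScript field —
# confirm). It is quoted so a value with spaces reaches the function as one
# argument and is rejected there instead of being silently truncated.
system_set_hostname "$HOSTNAME" || echo "warning: hostname was not set" >&2
# system_add_host_entry "127.0.0.1" "$HOSTNAME"
# setting only one entry for hostname
# system_add_host_entry "$IPADDR" "$HOSTNAME"
# system_add_host_entry "$IPADDR2" "$HOSTNAME"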
 
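# Private addresses of the other machines in this deployment. The banner
# lines are '#' comments so the resolver does not try to parse them as
# entries, and the block is appended only once, so re-running the script
# does not leave duplicate lines in /etc/hosts.
if ! grep -qF 'PRIVATE IPS' /etc/hosts; then
    cat >> /etc/hosts <<'EOF'

# *************************PRIVATE IPS****************************
192.168.207.245 es-data-genx-01
192.168.194.151 es-data-genx-02
192.168.207.82 es-master-genx-01
192.168.205.80 es-master-genx-02
192.168.164.34 es-master-genx-03
192.168.172.70 es-data-ana-01
192.168.165.10 es-data-ana-02
192.168.151.119 es-master-ana-01
192.168.135.98 es-master-ana-02
192.168.204.123 es-master-ana-03
192.168.173.23 cai-cruncher-01
192.168.154.163 cai-aerospike-01
192.168.195.119 cai-mongo-01
192.168.144.140 cai-mongo-02
192.168.202.2 cai-aerospike-02
192.168.153.245 cai-worker-01
192.168.170.35 es-kibana-01
192.168.163.193 mw-collector-01
192.168.173.228 mw-cassa-ui-01
192.168.195.40 mw-cassa-writer-01
192.168.128.242 mw-cruncher-01
192.168.176.252 mw-mongo-01
192.168.175.79 mw-worker-01
# ****************************************************************

EOF
fi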

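# Make apt use IPv4 only (the reason is not recorded here; it is consistent
# with the sysctl block later in this script that disables IPv6).
echo 'Acquire::ForceIPv4 "true";' | tee /etc/apt/apt.conf.d/99force-ipv4
# Base Update
apt-get -o Acquire::ForceIPv4=true update
apt-get -y upgrade
apt -y full-upgrade

apt-get -y install software-properties-common apt-transport-https

# Add new sudo user with given password. USER_NAME and USER_PASSWORD are not
# declared in this file (presumably StackScript fields — confirm); they are
# quoted so an empty or space-containing value is rejected by user_add_sudo
# instead of being split into extra arguments.
user_add_sudo "$USER_NAME" "$USER_PASSWORD"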

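# Nginx Key
# The target release is Ubuntu 16.04 (xenial), the same pocket the MongoDB
# entry below uses; the trusty (14.04) pocket previously listed here would
# pull packages built against the wrong libraries.
cat > /etc/apt/sources.list.d/nginx.list <<'EOF'
deb http://nginx.org/packages/mainline/ubuntu/ xenial nginx
deb-src http://nginx.org/packages/mainline/ubuntu/ xenial nginx
EOF
# The signing key is the trust anchor for every nginx package installed from
# that list, so it is fetched over TLS; -f turns a failed download into an
# empty stream that apt-key rejects instead of quietly importing nothing.
curl -fsSL https://nginx.org/keys/nginx_signing.key | apt-key add -

# Oracle Java Key
# NOTE(review): Oracle-licensed installer from a third-party PPA; confirm
# the PPA is still maintained before relying on it for new deployments.
add-apt-repository -y ppa:webupd8team/java

# Mongo Key
# The full 40-hex fingerprint identifies the key uniquely; the hkp transport
# itself is unauthenticated.
apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv 0C49F3730359A14518585931BC711F9BA15703C6
echo "deb http://repo.mongodb.org/apt/ubuntu xenial/mongodb-org/3.4 multiverse" | tee /etc/apt/sources.list.d/mongodb-org-3.4.list
#Update
apt-get -o Acquire::ForceIPv4=true update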

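#Install git
# -y replaces --force-yes: the latter also disables apt's package
# authentication, so an unsigned package would be installed silently.
apt-get -y install git
# This script runs as root, so these land in root's ~/.gitconfig, not the
# new user's.
git config --global user.name "Ubuntu"
git config --global user.email ubuntu@minewhat.com
# cached credentials expire after 24 hours
git config --global credential.helper 'cache --timeout=86400'

# Install Oracle Java
# Pre-seed the licence prompt so the installer runs unattended.
echo debconf shared/accepted-oracle-license-v1-1 select true | debconf-set-selections
echo debconf shared/accepted-oracle-license-v1-1 seen true | debconf-set-selections
apt-get -y install oracle-java8-installer

# most common need
apt-get --yes install ntp ufw unzip maven make build-essential tcl8.5 libkrb5-dev uuid-dev libtool pkg-config autoconf automake libc6-dev-i386 libev4 libev-dev python-setuptools python-pip lynx python-software-properties python g++ xfsprogs
apt-get --yes install fail2ban iotop htop nginx python-dev python-pip libssl-dev python-lxml libxslt-dev libxml2-dev
# supervisor comes from PyPI (the systemd unit further down expects it under
# /usr/local/bin). The versions are unpinned, so a fresh deployment may pick
# up a newer release than the previous one did.
pip install supervisor supervisor-serialrestart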

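# passwordless ubuntu user
# The drop-in is syntax-checked with visudo before it is installed: a
# malformed file under /etc/sudoers.d disables sudo for every user.
if sudoers_tmp=$(mktemp); then
    cat > "$sudoers_tmp" <<'EOF'
# ubuntu user is default user.
# It needs passwordless sudo functionality.
ubuntu ALL=(ALL) NOPASSWD:ALL
EOF
    if visudo -cf "$sudoers_tmp" >/dev/null; then
        install -m 440 -o root -g root "$sudoers_tmp" /etc/sudoers.d/ubuntu
    else
        echo "refusing to install /etc/sudoers.d/ubuntu: visudo rejected it" >&2
    fi
    rm -f -- "$sudoers_tmp"
fi

# Disable transparent huge pages for the running kernel (a common
# recommendation for database workloads such as the MongoDB nodes listed
# above)...
echo never > /sys/kernel/mm/transparent_hugepage/enabled
echo never > /sys/kernel/mm/transparent_hugepage/defrag
# ...and on every boot via the kernel command line. A bare
# "transparent_hugepage=never" line in /etc/default/grub is only a shell
# variable assignment that grub-mkconfig ignores; the option has to be part
# of GRUB_CMDLINE_LINUX_DEFAULT and grub.cfg has to be regenerated.
# NOTE(review): only effective when the Linode boots its own GRUB 2 kernel
# rather than a Linode-supplied one — confirm the configuration profile.
if ! grep -q -F 'transparent_hugepage=never' /etc/default/grub; then
    if grep -q '^GRUB_CMDLINE_LINUX_DEFAULT=' /etc/default/grub; then
        sed -i 's/^\(GRUB_CMDLINE_LINUX_DEFAULT="[^"]*\)"/\1 transparent_hugepage=never"/' /etc/default/grub
    else
        echo 'GRUB_CMDLINE_LINUX_DEFAULT="transparent_hugepage=never"' >> /etc/default/grub
    fi
    command -v update-grub >/dev/null && update-grub
fi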

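#System Tuning Settings
# Each file is appended to once: a line from the block itself is used as a
# marker, so re-running the script does not stack duplicate entries.
# tee -a keeps a copy of what was written in the deployment log. The
# values take effect at the next boot (this script does not run sysctl -p).
if ! grep -qE '^\*[[:space:]]+-[[:space:]]+nofile[[:space:]]+165535' /etc/security/limits.conf; then
    tee -a /etc/security/limits.conf <<'EOF'

# /etc/security/limits.conf
*                -       nofile          165535
# End of file

EOF
fi
if ! grep -qF '############# NEW VERSION ##############' /etc/sysctl.conf; then
    tee -a /etc/sysctl.conf <<'EOF'

# /etc/sysctl.conf

############# NEW VERSION ##############
fs.file-max = 165535
net.ipv4.ip_local_port_range=1024 65000
net.ipv4.tcp_tw_reuse=1
net.ipv4.tcp_fin_timeout=15
net.core.netdev_max_backlog=4096
net.core.rmem_max=16777216
net.core.somaxconn=4096
net.core.wmem_max=16777216
net.ipv4.tcp_max_syn_backlog=20480
net.ipv4.tcp_max_tw_buckets=400000
net.ipv4.tcp_no_metrics_save=1
net.ipv4.tcp_rmem=4096 87380 16777216
net.ipv4.tcp_syn_retries=2
net.ipv4.tcp_synack_retries=2
net.ipv4.tcp_wmem=4096 65536 16777216

# disable ipv6
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1

vm.min_free_kbytes=65536
vm.max_map_count = 262144

EOF
fi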

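mkdir -p /etc/supervisor
# supervisor configuration need /mnt/supervisor/ to be created
# (socket, pid file, log file and working directory all live there, and
# "user = ubuntu" means that user must be able to write to it; this script
# does not create it — presumably /mnt is a separately mounted volume)
cat > /etc/supervisor/supervisord.conf <<'EOF'
[unix_http_server]
file=/mnt/supervisor/supervisor.sock

[supervisord]
logfile = /mnt/supervisor/supervisord.log
logfile_maxbytes = 50MB
logfile_backups=1
loglevel = info
pidfile = /mnt/supervisor/supervisord.pid
nodaemon = false
minfds = 1024
minprocs = 200
umask = 022
user = ubuntu
identifier = supervisor
directory = /mnt/supervisor
nocleanup = true
strip_ansi = false

[supervisorctl]
serverurl=unix:///mnt/supervisor/supervisor.sock

; No username/password is configured, so any host that can open TCP 9009
; can start, stop and restart every managed program. The ufw rules at the
; end of the provisioning script are what limit that to the listed private
; addresses; keep the two in step.
[inet_http_server]
port = *:9009

[rpcinterface:supervisor]
supervisor.rpcinterface_factory = supervisor.rpcinterface:make_main_rpcinterface

[ctlplugin:serialrestart]
supervisor.ctl_factory = supervisorserialrestart.controllerplugin:make_serialrestart_controllerplugin

EOF


# systemd unit for the pip-installed supervisor. pip puts its console
# scripts under /usr/local/bin (ExecStart already relies on that), so
# supervisorctl is referenced there as well: /usr/bin/supervisorctl only
# exists with the apt "supervisor" package, which this script does not
# install, and ExecStop/ExecReload would fail. $OPTIONS is left for
# systemd to expand from an Environment= setting; none is defined here.
cat > /etc/systemd/system/supervisord.service <<'EOF'
[Unit]
Description=Supervisor process control system for UNIX
Documentation=http://supervisord.org
After=network.target

[Service]
ExecStart=/usr/local/bin/supervisord -n -c /etc/supervisor/supervisord.conf
ExecStop=/usr/local/bin/supervisorctl $OPTIONS shutdown
ExecReload=/usr/local/bin/supervisorctl $OPTIONS reload
KillMode=process
Restart=on-failure
RestartSec=50s

[Install]
WantedBy=multi-user.target

EOF

systemctl daemon-reload
# enabled but not started: /mnt/supervisor has to exist first (see above)
systemctl enable supervisord.service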

#disable root login via ssh
#ssh_disable_root
#Disabling Root Password
#passwd -d root
#Disabling Root Shell
#chsh -s $(which nologin) root
#Disabling NullOK Pam/Unix Auth for SecureTTYs...
#grep -l nullok_secure /etc/pam.d/* | while read pamf; do sed -i s/nullok_secure// $pamf; done

#to be installed by ubuntu user
#curl -o- https://raw.githubusercontent.com/creationix/nvm/v0.33.11/install.sh | bash
#nvm install 8
#sudo npm install -g forever

# to be enabled in the end after all machines are up, open all ports for internal ips, no external port than http/s && ssh
# see https://help.ubuntu.com/community/UFW
# Logging is switched off here; "ufw logging low" would record blocked
# packets in syslog, the usual first place to look when a host is probed,
# at a small cost in log volume.
ufw logging off
ufw default deny
ufw allow ssh/tcp
ufw limit ssh/tcp comment 'Rate limit for openssh server'
ufw allow http/tcp
ufw allow https/tcp
# Every other port is reachable only from the private addresses of the
# /etc/hosts block above (all ports, any protocol); same list, same order.
internal_hosts=(
    192.168.207.245  # es-data-genx-01
    192.168.194.151  # es-data-genx-02
    192.168.207.82   # es-master-genx-01
    192.168.205.80   # es-master-genx-02
    192.168.164.34   # es-master-genx-03
    192.168.172.70   # es-data-ana-01
    192.168.165.10   # es-data-ana-02
    192.168.151.119  # es-master-ana-01
    192.168.135.98   # es-master-ana-02
    192.168.204.123  # es-master-ana-03
    192.168.173.23   # cai-cruncher-01
    192.168.154.163  # cai-aerospike-01
    192.168.195.119  # cai-mongo-01
    192.168.144.140  # cai-mongo-02
    192.168.202.2    # cai-aerospike-02
    192.168.153.245  # cai-worker-01
    192.168.170.35   # es-kibana-01
    192.168.163.193  # mw-collector-01
    192.168.173.228  # mw-cassa-ui-01
    192.168.195.40   # mw-cassa-writer-01
    192.168.128.242  # mw-cruncher-01
    192.168.176.252  # mw-mongo-01
    192.168.175.79   # mw-worker-01
)
for addr in "${internal_hosts[@]}"; do
    ufw allow from "$addr"
done
ufw --force enable