lf-rhel.cfg

# MAIN KICKSTART

# Author:  Linuxfabrik GmbH, Zurich, Switzerland
# Contact: info (at) linuxfabrik (dot) ch
#          https://www.linuxfabrik.ch/
# License: The Unlicense, see LICENSE file.

# This kickstart file consists of two parts.
# * The main part, which is quite minimal,
# * and a dynamic part (/tmp/dynamic.ks) that gets written during the %pre script.
#   The %pre script starts by parsing some options from the kernel cmdline and
#   detecting the RHEL version.
#   It then fills /tmp/dynamic.ks depending on these variables.

# The order of the commands is relatively compatible with the output of
# https://access.redhat.com/labs/kickstartconfig/

# See the README for more details.


# System language
lang en_US.UTF-8

# Keyboard layouts
keyboard us

# System timezone
timezone Europe/Zurich --utc

# Shutdown after installation
shutdown

# Use text mode install and CDROM installation media
text
cdrom

# This command is required when performing an unattended installation on a system with previously
# initialized disks.
zerombr

# Automatically creates partitions required by your hardware platform, eg /boot/efi or biosboot
reqpart

# Network information
network --hostname=localhost.localdomain
# note: do not set any other network options. dhcp is the default anyway, and setting them here disregards the ip and nameserver settings on the kernel command line
# network --bootproto=dhcp --device=link --activate --onboot=on

# Do not configure the X Window System
skipx

# Disable the Setup Agent on first boot
firstboot --disable

# State of SELinux on the installed system
selinux --enforcing

# Firewalling should be done later on by the admin. Required for the cloud
firewall --disable

# System services
services --disabled="kdump" --enabled="NetworkManager,sshd"

# Disable kdump by default, frees up some memory
%addon com_redhat_kdump --disable
%end

%include /tmp/dynamic.ks



%pre --logfile /tmp/kickstart.install.pre.log --erroronfail
# fedora doesn't have platform-python and rhel8 only has platform-python, so we'll have to
# detect what we have
PYTHON=$(ls /usr/libexec/platform-python /usr/bin/python3 2> /dev/null | head -n1)
cat << EOT > /tmp/pre-script.py
#!$PYTHON
import os
import re
import stat
import sys


def isblockdevice(path):
    return os.path.exists(path) and stat.S_ISBLK(os.stat(path).st_mode)


lfkeys = [
    'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDuYw1auj8Lo6l5Ie8H7q419pKNjD3LSDZpFLNI0KehO chris.drescher@linuxfabrik.ch',
    'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDaWaDOEGqhZy1XD3a0IJKPvuB0wz2Yzc7Y8b2E91PPDSfi2wczUjZ9T2f8J7fw46i6O8dUFdsle8HePlVt1f6P+SPr84KIvte4sCXPGjHO7UlP+0biPl1FJbe+LU6akGVgAhc37CTn7h10COim5TpIdmPfn8A1y0Y8G3GNTVELSC4GG6rJLgme++OTkNlenH+L7KSobQE1v+MS4mRjrg+qitgPzBv1VgTWJff4d3vdEtb9zwVdzZzyXcdP5/nWH54iDaZawLsyvPXG2VDQq9bUn4CbZ+/ldrVg+yi8Y5RlSLFlbaX2XKnqf8mC3fpszXrmZ93d/idvCLDQ2ijV1FQzYLNg9nstV6VHCek1+g0u3oQ17CyRRCuxSRf3kDagO/+FMGwIliQTSX8rTx0epYzj4vUKA0nYIHXhwklUTG2PFNgJ1Nfxllqblij/PbFfoJCCp+st7/ewYYiclV6jrAg01/bqAvrdS8PW6JQpTIeuJRZhkrvCxgzDsuYE+EqTHxyBs7Uxu9D8QvgZEYiwuClRE92xPNmuEk/BDpX9s8mcXtamp57AUESRFWPFUZoDFuHRjHz56lXJ0UIfDR7XDZHumdQRt6jh7Sj0YGVN3Es9UIqka9dZRiXLdZ9q/C0IReZKtcKDSIn/xB1Kt2qAIRLpSG3IX8JmONOa1h/Gns1NKw==  markus.frei@linuxfabrik.ch',
    'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM5DxWzuUlSfdHHE1c4oQ2cbC0TyjXkVCuNKBJvn7TvX navid.sassan@linuxfabrik.ch',
]
lftype='minimal'
lfdisk = None
for guess in ['vda', 'sda', 'nvme0n1']:
    if isblockdevice('/dev/{}'.format(guess)):
        lfdisk = guess
        break

print('Linuxfabrik Kickstart: Set kernel cmdline arguments')
with open('/proc/cmdline', 'r') as file:
    cmdline = file.read()
    for item in cmdline.split(" "):
        if item.split("=")[0] == "lftype":
            lftype=item.split("=")[1].strip()
        elif item.split("=")[0] == "lfdisk":
            lfdisk=item.split("=")[1].strip()

if not lfdisk:
    print('Linuxfabrik Kickstart: Lfdisk is not given and no disk to install to could be guessed. Aborting...')
    sys.exit(1)

print('Linuxfabrik Kickstart: Lftype: {}, lfdisk: {}'.format(lftype, lfdisk))

print('Linuxfabrik Kickstart: Set bootloader')
# * console=ttyS0,115200n8:
#   required for cloud images.
#   see https://docs.openstack.org/image-guide/openstack-images.html#ensure-image-writes-boot-log-to-console
# * no_timer_check:
#   see https://opendev.org/openstack/diskimage-builder/commit/1ec93f43a8736171cb78382fd6184f03c001771b
# * net.ifnames=0:
#   for cloud images, 'eth0' _is_ the predictable device name
# * audit=1 audit_backlog_limit=8192:
#   required by CIS
# * vsyscall=none:
#   due to https://www.stigviewer.com/stig/red_hat_enterprise_linux_8/2020-11-25/finding/V-230278
bootloader_cis = 'bootloader --location=mbr --boot-drive={} --append="audit=1 audit_backlog_limit=8192 vsyscall=none"'.format(lfdisk)
bootloader_cloud = 'bootloader --location=mbr --boot-drive={} --append="console=tty0 console=ttyS0,115200n8 no_timer_check net.ifnames=0 vsyscall=none"'.format(lfdisk)
bootloader_cloud_cis = 'bootloader --location=mbr --boot-drive={} --append="console=tty0 console=ttyS0,115200n8 no_timer_check net.ifnames=0 audit=1 audit_backlog_limit=8192 vsyscall=none"'.format(lfdisk)
bootloader_minimal = 'bootloader --location=mbr --boot-drive={} --append="vsyscall=none"'.format(lfdisk)

print('Linuxfabrik Kickstart: Set packages')
packages = [
    '@core',
    '-plymouth', # No need for plymouth. Also means anaconda won't put rhgb/quiet on kernel command line
]
packages_cis = []
packages_cloud = [
    'cloud-init',
    'cloud-utils-growpart',
    'dhcp-client',
    'qemu-guest-agent',
    'rng-tools',
    'tuned',
    '-aic94xx-firmware',
    '-alsa-firmware',
    '-alsa-lib',
    '-alsa-tools-firmware',
    '-biosdevname',
    '-iprutils',
    '-ivtv-firmware',
    '-iwl100-firmware',
    '-iwl1000-firmware',
    '-iwl105-firmware',
    '-iwl135-firmware',
    '-iwl2000-firmware',
    '-iwl2030-firmware',
    '-iwl3160-firmware',
    '-iwl3945-firmware',
    '-iwl4965-firmware',
    '-iwl5000-firmware',
    '-iwl5150-firmware',
    '-iwl6000-firmware',
    '-iwl6000g2a-firmware',
    '-iwl6000g2b-firmware',
    '-iwl6050-firmware',
    '-iwl7260-firmware',
    '-langpacks-*',
    '-langpacks-en',
    '-libertas-sd8686-firmware',
    '-libertas-sd8787-firmware',
    '-libertas-usb8388-firmware',
]
packages_cloud_cis = packages_cloud
packages_minimal = []

print('Linuxfabrik Kickstart: Set partitioning schema')
part_cis = [
    'logvol /              --fstype="xfs"  --size=4096   --vgname=rl --name=root',
    'logvol /home          --fstype="xfs"  --size=1024   --vgname=rl --name=home          --fsoptions="nodev,nosuid"',
    'logvol /tmp           --fstype="xfs"  --size=1024   --vgname=rl --name=tmp           --fsoptions="nodev,noexec,nosuid"',
    'logvol /var           --fstype="xfs"  --size=4096   --vgname=rl --name=var           --fsoptions="nodev,nosuid"',
    'logvol /var/log       --fstype="xfs"  --size=2048   --vgname=rl --name=var_log       --fsoptions="nodev,noexec,nosuid"',
    'logvol /var/log/audit --fstype="xfs"  --size=512    --vgname=rl --name=var_log_audit --fsoptions="nodev,noexec,nosuid"',
    'logvol /var/tmp       --fstype="xfs"  --size=1024   --vgname=rl --name=var_tmp       --fsoptions="nodev,noexec,nosuid"',
    'logvol swap           --fstype="swap" --recommended --vgname=rl --name=swap',
]
part_cloud = [
    'logvol /              --fstype="xfs"  --size=1024   --vgname=rl --name=root --grow',
    'logvol swap           --fstype="swap" --recommended --vgname=rl --name=swap',
]
part_cloud_cis = part_cis
part_minimal = part_cloud

print('Linuxfabrik Kickstart: Define users')
users_cis = [
    {
        'name': 'linuxfabrik',
        'cmd': 'user --name=linuxfabrik --groups=wheel --password=password --plaintext',
        'keys': lfkeys,
    },
    {
        'name': 'root',
        'cmd': 'rootpw --plaintext --lock password',
        'keys': [],
    },
]
users_cloud = [
    {
        'name': 'linuxfabrik',
        'cmd': 'user --name=linuxfabrik --groups=wheel --lock',
        'keys': [],
    },
    {
        'name': 'root',
        'cmd': 'rootpw --plaintext --lock password',
        'keys': [],
    },
]
users_cloud_cis = users_cloud
users_minimal = users_cis

print('Linuxfabrik Kickstart: Create post scripts')
post_cis = '''
# allow password-less sudo
cat > /etc/sudoers.d/linuxfabrik << EOF
%linuxfabrik ALL=(ALL) NOPASSWD: ALL
EOF
'''

post_cloud = '''
# setup systemd to boot to the right runlevel
echo "Setting default runlevel to multiuser text mode"
rm -f /etc/systemd/system/default.target
ln -s /lib/systemd/system/multi-user.target /etc/systemd/system/default.target

# this is installed by default but we don't need it in virt
# Commenting out the following for =1234504
# rpm works just fine for removing this, no idea why yum can't cope
echo "Removing linux-firmware package"
rpm --erase linux-firmware

# Remove firewalld; was supposed to be optional in F18+, but is pulled in
# in install/image building.
echo "Removing firewalld"
# FIXME! clean_requirements_on_remove is the default with yum, but may
# not work when package was installed by Anaconda instead of command line.
# Also -- check if this is still even needed with new anaconda -- disabled
# firewall should _not_ pull in this package.
# yum -C -y remove "firewalld*" --setopt="clean_requirements_on_remove=1"
yum --cacheonly -y erase "firewalld*"

# Another one needed at install time but not after that, and it pulls
# in some unneeded deps (like, newt and slang)
echo "Removing authconfig"
yum --cacheonly -y erase authconfig

echo "Removing avahi"
yum --cacheonly -y remove avahi\\*

echo "Installing cloud-init cloud-utils-growpart rng-tools tuned"
# these tools always fail to install in the %packages section, so try this here
yum -y install cloud-init cloud-utils-growpart rng-tools tuned

# Since the scriptlets from yum install are running in chroot, they can't do a daemon-reload
# ("Running in chroot, ignoring command 'daemon-reload'"), so a "systemctl enable --now" would
# fail. "systemctl enable" is enough here.
systemctl enable cloud-init
systemctl enable cloud-init-local
systemctl enable cloud-config
systemctl enable cloud-final
systemctl enable rngd

echo "Getty fixes"
# although we want console output going to the serial console, we don't
# actually have the opportunity to login there. FIX.
# we don't really need to auto-spawn _any_ gettys.
sed --in-place 's/^#NAutoVTs=.*/NAutoVTs=0/' /etc/systemd/logind.conf

echo "Network fixes"
# initscripts don't like this file to be missing.
# and https://bugzilla.redhat.com/show_bug.cgi?id=1204612
cat > /etc/sysconfig/network << EOF
NETWORKING=yes
NOZEROCONF=yes
DEVTIMEOUT=10
EOF

echo "Truncate /etc/resolv.conf"
# Anaconda is writing an /etc/resolv.conf from the install environment.
# The system should start out with an empty file, otherwise cloud-init
# will try to use this information and may error:
# https://bugs.launchpad.net/cloud-init/+bug/1670052
truncate --size=0 /etc/resolv.conf

echo "Disable predictable network interface names"
# For cloud images, 'eth0' _is_ the predictable device name, since
# we don't want to be tied to specific virtual (!) hardware
rm -f /etc/udev/rules.d/70*
ln -s /dev/null /etc/udev/rules.d/80-net-name-slot.rules

echo 'Set generic localhost names (/etc/hosts)'
cat > /etc/hosts << EOF
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6

EOF

# Because memory is scarce resource in most cloud/virt environments,
# and because this impedes forensics, we are differing from the Fedora
# default of having /tmp on tmpfs.
# However, there is no need to disable the mount, as we are already overwriting the options
# for /tmp above.
# Masking the mount now would lead to a missing /tmp.
# echo "Disabling tmpfs for /tmp."
# systemctl mask tmp.mount

echo 'Set tuned profile to virtual-guest'
echo 'virtual-guest' > /etc/tuned/active_profile

echo 'Make sure firstboot does not start'
echo 'RUN_FIRSTBOOT=NO' > /etc/sysconfig/firstboot

echo 'Adjust sudoers for the linuxfabrik user'
cat > /etc/sudoers.d/linuxfabrik << EOF
%linuxfabrik ALL=(ALL) NOPASSWD: ALL
EOF
sed --in-place 's/name: cloud-user/name: linuxfabrik/g' /etc/cloud/cloud.cfg

echo 'Cleaning up old yum repodata'
yum clean all

echo 'Increase DHCP client retry/timeouts'
# change dhcp client retry/timeouts to resolve =6866
cat  >> /etc/dhcp/dhclient.conf << EOF

timeout 300;
retry 60;
EOF

echo 'Adjust console output in /etc/default/grub and regenerate grub config'
# If init script messages need to be seen on the serial console as well, it should be made
# the primary by swapping the order of the console parameters:
sed --in-place 's/console=ttyS0,115200n8 console=tty0/console=tty0 console=ttyS0,115200n8/' /etc/default/grub
if [ -d /sys/firmware/efi/ ]; then
    grub_config_file=$(find /boot/efi -name grub.cfg)
else
    grub_config_file=$(find /boot/ -name grub.cfg)
fi
if [ -z "$grub_config_file" ]; then
    echo 'Could not find a grub.cfg in /boot. Skipping grub2-mkconfig'
else
    grub2-mkconfig --output=$grub_config_file
fi

echo "Removing random-seed so it's not the same in every image"
rm -f /var/lib/systemd/random-seed

echo 'Remove /etc/machine-id'
# https://git.resf.org/sig_core/kickstarts/src/branch/r8/Rocky-8-GenericCloud-LVM.ks
cat /dev/null > /etc/machine-id

echo 'Remove various other log / cache files'
rm -f /root/.wget-hsts
rm -rf /root/anaconda-ks.cfg
rm -rf /root/install.log
rm -rf /root/install.log.syslog
rm -rf /var/lib/yum/*
rm -rf /var/log/anaconda*
rm -rf /var/log/yum.log
rm -rf /var/tmp/*
find /var/log -type f -exec truncate --size=0 {} \\;
export HISTSIZE=0
cat /dev/null > ~/.bash_history
history -c

echo 'Fixing SELinux contexts'
touch /var/log/cron
touch /var/log/boot.log
mkdir -p /var/cache/yum
# ignore return code because UEFI systems with vfat filesystems
# that don't support selinux will give us errors like
# "Could not set context for /boot/efi/EFI/BOOT/BOOTX64.EFI:  Operation not supported"
/usr/sbin/fixfiles -R -a restore || true
'''

post_cloud_cis = post_cloud
post_minimal = post_cis


print('Linuxfabrik Kickstart: Act on cmdargs & discovery for {}'.format(lftype))
if lftype == 'cloud':
    bootloader = bootloader_cloud
    packages += packages_cloud
    part = part_cloud
    post = post_cloud
    users = users_cloud

elif lftype == 'cloud-cis':
    bootloader = bootloader_cloud_cis
    packages += packages_cloud_cis
    part = part_cloud_cis
    post = post_cloud_cis
    users = users_cloud_cis

elif lftype == 'cis':
    bootloader = bootloader_cis
    packages += packages_cis
    part = part_cis
    post = post_cis
    users = users_cis

elif lftype == 'minimal':
    bootloader = bootloader_minimal
    packages += packages_minimal
    part = part_minimal
    post = post_minimal
    users = users_minimal

# version specifics
with open('/etc/redhat-release') as file:
    rhel_version = int(re.findall('[0-9]{1,2}', file.read())[0])

print('Linuxfabrik Kickstart: Detected OS version {}'.format(rhel_version))
if rhel_version == 7:
    try:
        packages.remove('dhcp-client') # does not exist on RHEL7
    except ValueError:
        pass # means it is already removed

print('Linuxfabrik Kickstart: Write dynamic.ks')
dynamic = []
keypost = []

dynamic.append('# System users')
for user in users:
    dynamic.append(user['cmd'])
    for key in user['keys']:
        if rhel_version == 7: # sshkey only exists for RHEL8+. instead manually add the keys
            if user['name'] == 'root':
                keypost.append('mkdir -m0700 /root/.ssh')
                keypost.append('echo "{}" >> /root/.ssh/authorized_keys'.format(key))
                keypost.append('restorecon -F /root/.ssh/authorized_keys')
            else:
                keypost.append('mkdir -m0700 /home/{}/.ssh'.format(user['name']))
                keypost.append('echo "{}" >> "/home/{}/.ssh/authorized_keys"'.format(key, user['name']))
                keypost.append('chown -R {}: /home/{}/.ssh'.format(user['name'], user['name']))
                keypost.append('restorecon -F "/home/{}/.ssh/authorized_keys"'.format(user['name']))
        else:
            dynamic.append('sshkey --user={} "{}"'.format(user['name'], key))

dynamic.append('# Only touch $lfdisk. This setting is also respected by zerombr (confirmed on RHEL8 and 9)')
dynamic.append('ignoredisk --only-use={}'.format(lfdisk))

dynamic.append('# System bootloader configuration')
dynamic.append(bootloader)

dynamic.append('# Do not remove any partitions, but initializes a disk (or disks) by creating a default disk label')
dynamic.append('clearpart --all --drives={} --initlabel --disklabel gpt'.format(lfdisk))

dynamic.append('# Partitioning')
dynamic.append('volgroup rl --pesize=4096 pv.0')
dynamic.append('part pv.0 --fstype=lvmpv --ondisk={} --size=1 --grow'.format(lfdisk))
dynamic.append('part /boot --fstype=xfs --ondisk={} --size=1024 --asprimary'.format(lfdisk))
dynamic.extend(part)

dynamic.append('%packages')
dynamic.extend(packages)
dynamic.append('%end')

dynamic.append('%post --erroronfail')
dynamic.append(post)
dynamic.append('%end\n')

# actually write to file
with open('/tmp/dynamic.ks', 'w') as file:
    file.write('\n'.join(dynamic))

if rhel_version == 7:
    with open('/usr/share/anaconda/post-scripts/70-install-ssh-keys.ks', 'a') as file:
        file.write('%post\n')
        file.write('\n'.join(keypost))
        file.write('%end\n')
print('Linuxfabrik Kickstart: Wrote dynamic kickstart to /tmp/dynamic.ks')
EOT
$PYTHON /tmp/pre-script.py
%end



%post --nochroot
root_mount=$(awk '/rl-root/{print $2}' /proc/mounts)
echo "Copying /tmp/dynamic.ks to $root_mount/root/"
cp /tmp/dynamic.ks $root_mount/root/
[ -f /usr/share/anaconda/post-scripts/70-install-ssh-keys.ks ] && cp /usr/share/anaconda/post-scripts/70-install-ssh-keys.ks $root_mount/root/
%end