Blame CentOS-8-Stream-x86_64-Vagrant.ks

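# Kickstart command section for the CentOS 8 Stream x86_64 Vagrant box.
# Blame-view annotation lines were interleaved with the directives and are
# dropped here: they are not kickstart syntax and would be read as commands.
#
# Installation source: both mirrorlist lines are commented out, so this file
# does not select a repository itself.
# NOTE(review): the commented-out URLs use plain http. If they are re-enabled,
# prefer https where the mirror service offers it, and keep RPM signature
# checking on so a tampered mirror list cannot deliver unsigned packages.
#url --mirrorlist=http://mirrorlist.centos.org/?release=8&arch=x86_64&repo=BaseOS&infra=stock
#repo --name=AppStream --mirrorlist=http://mirrorlist.centos.org/?release=8&arch=x86_64&repo=AppStream&infra=stock
text
keyboard --vckeymap us
lang en_US
skipx
network  --bootproto=dhcp --device=link --activate --onboot=on
# The root password is a fixed, publicly known value stored in cleartext.
# This follows the Vagrant base-box convention and is only acceptable for
# disposable local VMs: change or lock it before the image is attached to
# any network that is not fully trusted.
rootpw --plaintext vagrant
# No host firewall in the built image: every listening service is reachable
# from whatever network the VM is attached to.
firewall --disabled
timezone --utc UTC
services --enabled=vmtoolsd
# The biosdevname and ifnames options ensure we get "eth0" as our interface
# even in environments like virtualbox that emulate a real NW card
bootloader --timeout=1 --append="no_timer_check console=tty0 console=ttyS0,115200n8 net.ifnames=0 biosdevname=0 elevator=noop"
zerombr
# Destructive: removes every existing partition on vda before installing.
clearpart --all --drives=vda
part / --fstype=xfs --asprimary --size=1024 --grow --ondisk=vda

# Same convention as rootpw: a well-known cleartext password. The %post
# section gives this account passwordless sudo, so these credentials are
# equivalent to root wherever password login is possible.
user --name=vagrant --plaintext --password=vagrant

shutdown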
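# Package selection. Lines starting with "-" exclude a package.
# Blame-view annotation lines were interleaved with the package names and are
# dropped here: inside %packages they would be read as package names.
%packages --instLangs=en
bash-completion
man-pages
bzip2
rsync
# NOTE(review): nfs-utils and cifs-utils are presumably here for Vagrant
# synced folders; confirm they are needed, since each adds network-facing
# client code to an image that ships with the firewall disabled.
nfs-utils
cifs-utils
chrony
yum-utils
hyperv-daemons
open-vm-tools
# Vagrant boxes aren't normally visible, no need for Plymouth
-plymouth
# Microcode updates cannot work in a VM.
# CPU microcode, including fixes delivered that way, therefore has to come
# from the hypervisor host.
-microcode_ctl
# Firmware packages are not needed in a VM
-iwl100-firmware
-iwl1000-firmware
-iwl105-firmware
-iwl135-firmware
-iwl2000-firmware
-iwl2030-firmware
-iwl3160-firmware
-iwl3945-firmware
-iwl4965-firmware
-iwl5000-firmware
-iwl5150-firmware
-iwl6000-firmware
-iwl6000g2a-firmware
-iwl6050-firmware
-iwl7260-firmware
# Don't build rescue initramfs
-dracut-config-rescue
%end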
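# Disable kdump in the installed system.
# Blame-view annotation lines were interleaved here and are dropped; they
# are not kickstart syntax.
#
# kdump needs to reserve 160MB + 2bits/4kB RAM, and automatic allocation only
# works on systems with at least 2GB RAM (which excludes most Vagrant boxes)
# CBS doesn't support %addon yet https://bugs.centos.org/view.php?id=12169
# NOTE(review): the line above says CBS lacks %addon support, yet the section
# below is active; confirm which of the two is current.
%addon com_redhat_kdump --disable
%end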
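%post
# Post-install script for the Vagrant box.
#
# Blame-view annotation lines were interleaved with the script and are
# dropped here. Three here-document openers had been truncated to a bare "<"
# and are restored as "<<'EOF'" to match their surviving "EOF" terminators.
#
# There is no "set -e" and no --erroronfail on this section, so a failed
# step does not stop the build. The two security-relevant file edits below
# (sshd and PAM) are therefore verified explicitly and a warning is written
# to stderr if either did not take effect.

# configure swap to a file
fallocate -l 2G /swapfile
chmod 600 /swapfile
mkswap /swapfile
echo "/swapfile none swap defaults 0 0" >> /etc/fstab

# sudo
# Members of group vagrant get unrestricted root without a password.
# Combined with the known account password and the known SSH key below,
# any way into the vagrant account is a way to root.
echo "%vagrant ALL=(ALL) NOPASSWD: ALL" > /etc/sudoers.d/vagrant
chmod 0440 /etc/sudoers.d/vagrant

# Fix for https://github.com/CentOS/sig-cloud-instance-build/issues/38
cat > /etc/sysconfig/network-scripts/ifcfg-eth0 <<'EOF'
DEVICE="eth0"
BOOTPROTO="dhcp"
ONBOOT="yes"
TYPE="Ethernet"
PERSISTENT_DHCLIENT="yes"
EOF

# sshd: disable password authentication and DNS checks
# The substitutions only match the exact stock lines; if the packaged
# sshd_config is worded differently the file is left unchanged.
ex -s /etc/ssh/sshd_config <<'EOF'
:%substitute/^\(PasswordAuthentication\) yes$/\1 no/
:%substitute/^#\(UseDNS\) yes$/&\r\1 no/
:update
:quit
EOF
# Password login with the well-known root/vagrant passwords must not stay
# enabled by accident, so confirm the edit landed.
if ! grep -q '^PasswordAuthentication no$' /etc/ssh/sshd_config; then
  echo "WARNING: PasswordAuthentication is not disabled in /etc/ssh/sshd_config" >&2
fi
cat >>/etc/sysconfig/sshd <<'EOF'

# Decrease connection time by preventing reverse DNS lookups
# (see https://lists.centos.org/pipermail/centos-devel/2016-July/014981.html
#  and man sshd for more information)
OPTIONS="-u0"
EOF

# Default insecure vagrant key
# The matching private key is published with Vagrant, so anyone who can
# reach sshd on an image that still carries this key can log in as vagrant.
# Vagrant normally replaces it with a per-machine key on first "vagrant up"
# (config.ssh.insert_key); verify that is not turned off, and never expose an
# image in this state to an untrusted network.
mkdir -m 0700 -p /home/vagrant/.ssh
echo "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA6NF8iallvQVp22WDkTkyrtvp9eWW6A8YVr+kz4TjGYe7gHzIw+niNltGEFHzD8+v1I2YJ6oXevct1YeS0o9HZyN1Q9qgCgzUFtdOKLv6IedplqoPkcmF0aYet2PkEDo3MlTBckFXPITAMzF8dJSIFo9D8HfdOV0IAdx4O7PtixWKn5y2hMNG0zQPyUecp4pzC6kivAIhyfHilFR61RGL+GPXQ2MWZWFYbAGjyiYJnAmCP3NOTd0jMZEnDkbUvxhMmBYSdETk1rRgm+R4LOzFUGaHqHDLKLX+FIPKcF96hrucXzcWyLbIbEgE98OHlnVYCzRdK8jlqm8tehUc9c9WhQ== vagrant insecure public key" >> /home/vagrant/.ssh/authorized_keys
chmod 600 /home/vagrant/.ssh/authorized_keys
chown -R vagrant:vagrant /home/vagrant/.ssh

# Fix for issue #76, regular users can gain admin privileges via su
# The root and vagrant passwords are public, so su has to be restricted.
# The first appended rule skips the next one when the caller is vagrant
# (use_uid tests the calling user); the second rejects root and vagrant as
# su targets for every other caller. The rules are inserted after the stock
# "uid = 0" line; if that line is absent the insertion point is not found.
ex -s /etc/pam.d/su <<'EOF'
# allow vagrant to use su, but prevent others from becoming root or vagrant
/^account\s\+sufficient\s\+pam_succeed_if.so uid = 0 use_uid quiet$/
:append
account		[success=1 default=ignore] \\
				pam_succeed_if.so user = vagrant use_uid quiet
account		required	pam_succeed_if.so user notin root:vagrant
.
:update
:quit
EOF
# Confirm the restriction is present; without it any local user can su to
# root with the published password.
if ! grep -qF 'pam_succeed_if.so user notin root:vagrant' /etc/pam.d/su; then
  echo "WARNING: su restriction was not added to /etc/pam.d/su" >&2
fi

# systemd should generate a new machine id during the first boot, to
# avoid having multiple Vagrant instances with the same id in the local
# network. /etc/machine-id should be empty, but it must exist to prevent
# boot errors (e.g.  systemd-journald failing to start).
:>/etc/machine-id

echo 'vag' > /etc/yum/vars/infra

# Blacklist the floppy module to avoid probing timeouts
echo blacklist floppy > /etc/modprobe.d/nofloppy.conf
chcon -u system_u -r object_r -t modules_conf_t /etc/modprobe.d/nofloppy.conf

# Customize the initramfs
# Absolute paths are used instead of pushd/popd so that a failed directory
# change cannot cause these files to be written somewhere else.
# Enable VMware PVSCSI support for VMware Fusion guests.
echo 'add_drivers+=" vmw_pvscsi "' > /etc/dracut.conf.d/vmware-fusion-drivers.conf
echo 'add_drivers+=" hv_netvsc hv_storvsc hv_utils hv_vmbus hid-hyperv "' > /etc/dracut.conf.d/hyperv-drivers.conf
# There's no floppy controller, but probing for it generates timeouts
echo 'omit_drivers+=" floppy "' > /etc/dracut.conf.d/nofloppy.conf
# Fix the SELinux context of the new files
restorecon -f - <<'EOF'
/etc/sudoers.d/vagrant
/etc/dracut.conf.d/vmware-fusion-drivers.conf
/etc/dracut.conf.d/hyperv-drivers.conf
/etc/dracut.conf.d/nofloppy.conf
EOF

# Rerun dracut for the installed kernel (not the running kernel):
# NOTE(review): rpm prints one line per installed kernel package; this
# assumes exactly one is installed at this point.
KERNEL_VERSION=$(rpm -q kernel --qf '%{version}-%{release}.%{arch}\n')
dracut -f "/boot/initramfs-${KERNEL_VERSION}.img" "${KERNEL_VERSION}"

# Seal for deployment
# Removing the SSH host keys keeps every box built from this image from
# sharing one host identity; new keys are presumably generated at first boot.
rm -rf /etc/ssh/ssh_host_*
hostnamectl set-hostname localhost.localdomain
rm -rf /etc/udev/rules.d/70-*
%end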