Default Kickstart

The elmedia0 project provides a boot-time menu generated by the scripts at media creation time. The same scripts also retrieve updated tarballs with any required Ansible and Optional Software Distribution and installation support.

Default Files

The following three (3) Kickstart files have been created and may be updated to support identified package support and/or newer features (EL7/8 shown, EL9 in testing).

STATUS: At this time, these three (3) Kickstart files are hardcoded in boot files copied to the ISO/USB, and only a find/replace is done for the ISO/USB media label. In the future there will be a dynamic menu generator that re-generates the boot menus from files in this subdirectory. This includes those under the subdirectory path ./custom/ks/, under either a parent, Project directory ./elmedia0/ or ./elmedia0.custom/, that overrides ./default/ks/.

TIP: Storage Requirements - The filesystem requirements of DISA STIG drive the minimum disk size, but 60GB (55.9GiB) should be considered the 'universal minimum', and 120GB (111.8GiB) is a better minimum. Around (and beyond) 240GB (223.5GiB), the volume group will have unused storage, as the dynamic file system sizing will hit limits. Size VM storage accordingly.

Understanding Include Files

The Kickstart files use a modular system of Kickstart 'include' files, which are 'compiled' after boot but before the Kickstart proper runs, during the install process on the system being installed.

Section Pre-Kickstart

The 'compilation' is done in the %pre block of the Kickstart files themselves.

TIP: Until the system is fully built, and logs are moved into /var/log/anaconda/ (technically /mnt/sysimage/var/log/anaconda while running), the in-memory directory /tmp/ contains all temporary Kickstart files (/tmp/*.ks), all Kickstart include files (/tmp/ks-*.inc) and the very helpful (for troubleshooting) %pre log (/tmp/ks-script_elmedia-pre.log) as well as other logs (/tmp/*.log) with various STDOUT.

###############################################################################
### EL8 - Kickstart - Xxxxxxxx
###############################################################################
### metaFilename:xxxxx
### metaShortname:Xxxxxxxx Xxxxxxxx
### metaDescription:Xxxxxxxx Xxxxxxxx Xxxxxxxx Xxxxxxxx Xxxxxxxx Xxxxxxxx Xxxxxxxx Xxxxxxxx

###     Base - Install
    ...

###	PRE
%pre --log /tmp/ks-script_elmedia-pre.log
echo -e "\n===============\n[elmedia]\tKickstart %pre\n===============\n"
export DISTAG="el8"


# XXXXX INJECT_KSPRE XXXXX


## %pre - Dynamically Assemble Kickstart Includes

# 15lcl - Locale - Default-elmedia-Naught Location
mkIncFil 15lcl 00def 00el0_uscdtcst

# 20sec - Security - Defaults and Default-elmedia-Naught Accounts
mkIncFil 20sec 00def 00el0_accts
# custom # mkIncFil 20sec 00def 00cus_accts

# 30net - Network - Defaults and DHCP
mkIncFil 30net 00def 00el0_${NET_KS}

# 40dev - Device - Local Storage Device, GRUB Password and LVM w/LUKS Default Passphrase
mkIncFil 40dev 00def 00el0_luks 00el0_${DEV_KS}
# custom # mkIncFil 40dev 00def 00el0_luks 00cus_${DEV_KS}

# 45sto - Storage - Local Storage Layout w/separate /home + /opt
mkIncFil 45sto 00def 00el0_home_opt

# 60env - Environment - COMPS Default Environment
mkIncFil 60env 00def server

# 65pkg - Packages - COMPS Packages and Roles
mkIncFil 65pkg 00def ansible scc tpm2

# 80add - Add-ons - Various add-ons
mkIncFil 80add 00def

# 85pol - Policy - Built-in Security Policy
mkIncFil 85pol anaconda_passwd
# OpenSCAP NIST CUI - Use CyberX and/or Lockdown Instead # mkIncFil 85pol anaconda_passwd openscap_cui
# OpenSCAP DISA STIG - Use CyberX and/or Lockdown Instead # mkIncFil 85pol anaconda_passwd openscap_stig

# 90pst - Post - Post-Install
mkIncFil 90pst 00def 00el0_home 00el0_sshsudo clevis_common dracut_clevis_none
# custom # mkIncFil 90pst 00def 00el0_home 00cus_sshsudo clevis_common dracut_clevis_tpm2
# custom # mkIncFil 90pst 00def 00el0_home 00cus_sshsudo clevis_common dracut_clevis_tang

# 95opt - Post - Optional Software
mkIncFil 95opt cyberx_bench cyberx_scc cyberx_stig cyberx_view lockdown_stig
# custom w/Third Party Software # mkIncFil 95opt cyberx_bench cyberx_scc cyberx_stig cyberx_view lockdown_stig TPS cus

## %pre - end
%end

###     Base - Locale
    ...

IMPORTANT: Note the single (1) line (# XXXXX INJECT_KSPRE XXXXX) right after the start of Kickstart file section %pre. This is crucial as the script injects (replaces) it with the contents of a file (ks-elmedia.inject -- see ks-elmedia.inject) holding all the functions required here (e.g., mkIncFil, along with figuring out net, block, et al. devices).

WARNING: Failure to include this exact line (# XXXXX INJECT_KSPRE XXXXX) right after the start of Kickstart file section %pre in any custom Kickstart file will break the entire solution.

So other than the various mkIncFil calls in the %pre itself to generate different combinations of 'includes,' the Kickstart files should be cookie-cutter templates of one another.

Changing or Augmenting

To change anything, please either:

Include files are named with an enumeration/label after the initial ks-elX, where X is ...

  • just x by default, for all releases by default (e.g., ks-elx), or ...
  • a number (7, 8, 9, etc...), to override the default for a specific EL 'release' (e.g., ks-el8 for CentOS8/RHEL8)

This is followed by a two (2) digit order and a brief, three (3) letter abbreviation, as listed below.

TODO: this should also be a table, for easier consumption

  • 10ins - Installation includes -- WARNING: installation includes don't seem to work! So they are hardcoded into each Kickstart file; there is no 10ins include.
  • 15lcl - Locale includes (e.g., US Eastern or Central Timezone -- FUTURE: IP-based detection would require DHCP at install)
  • 20sec - Security includes
  • 30net - Network includes -- IMPORTANT: the default network interface device is dynamically detected
  • 40dev - Device includes (e.g., basic storage) -- IMPORTANT: the default storage device is dynamically detected
  • 45sto - Storage includes (e.g., advanced storage specifics, like layout)
  • 60env - Environment includes (e.g., system role package)
  • 65pkg - Package includes
  • 80add - Additional includes
  • 85pol - Policy includes (passwords, built-in OpenSCAP, etc...)
  • 90pst - %post install core configuration includes and setup
  • 95opt - %post install optional Software Distribution includes and setup

TIP: While the system is building, the in-memory directory /tmp/ contains all the actual, 'compiled' Kickstart include files (/tmp/ks-*.inc). This is key to troubleshooting issues with any custom Kickstart files and/or custom Kickstart include files. E.g., the file for any mkIncFil 45sto ... line in a custom Kickstart file would be output as /tmp/ks-45sto.inc, and would contain any and all include files that begin with ks-elX-45sto-*.inc referenced.

Example Change or Augmentation

Let's say we need to augment the package list for all three (3) EL7 Kickstart files, Headless Servers and Desktop Developer. Only one (1) include file needs to be modified.

IMPORTANT: Any and all Kickstart (*.ks) and Kickstart Include (include/*.inc) files under the default/ subdirectory (i.e., ./elmedia/default/ks/) may be overridden by the custom/ subdirectory (i.e., ./elmedia0/custom/ks/) or the external, separate, peer subdirectory named ./elmedia0.custom/ (i.e., ./elmedia0.custom/custom/ks/).

TIP: The option to use an ./elmedia0.custom/ 'peer' project directory, outside of the control of ./elmedia/ and the Upstream elmedia0 project on GitHub, is provided so it can be managed independently (e.g., internally) at Enterprises.

Now let's say a new package list is needed by multiple Desktop and Server Kickstarts, but not all of them.

  1. Add a new include file, say ks-el7-65pkg-someneed.inc to the ./include/ subdirectory, and ...
  2. Either ...
    • modify the existing mkIncFil 65pkg line in the %pre block of the select Kickstart file(s) and append someneed, or ...
    • copy'n paste the existing mkIncFil 65pkg line as a new, following line, and append someneed

E.g., for the two (2) EL8 Headless Server Kickstarts -- ks-el7-00def.ks and ks-el7-01noluks.ks -- the 'modify' option would result in the following.

# 65pkg - Packages - COMPS Packages and Roles
mkIncFil 65pkg 00def ansible scc tpm2 someneed

While the 'copy'n paste' option would result in the following.

# 65pkg - Packages - COMPS Packages and Roles
mkIncFil 65pkg 00def ansible scc tpm2
mkIncFil 65pkg 00def ansible scc tpm2 someneed

The 'last line' in %pre 'wins.'
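To make the include resolution concrete for both the naming rules above and the 'last line wins' behaviour, here is a small POSIX sh re-implementation of an mkIncFil-style assembler. This is an added example, not the project's own ks-elmedia.inject code; the lookup order it uses (custom/ before default/, release-specific ks-el8 before generic ks-elx) and the sample tree under /tmp/elmedia-ks-sample are assumptions for the demo.

```shell
#!/bin/sh
# Example mkIncFil-style include assembler (not the elmedia0 project's own code).
# Assumed rules: for each suffix, ks-el${REL}-<label>-<suffix>.inc beats ks-elx-...,
# and a file under custom/ks/include beats the same file under default/ks/include.
# Output is ${KS_TMP}/ks-<label>.inc, truncated on every call, so the last call wins.
: "${DISTAG:=el8}"                        # the %pre exports DISTAG="el8" in the README
: "${KS_ROOT:=/tmp/elmedia-ks-sample}"    # constructed sample tree, not a project path
: "${KS_TMP:=/tmp}"                       # the README's /tmp/ks-*.inc location

# find_inc LABEL SUFFIX: print the first matching include file path, or fail.
find_inc() {
    label=$1; suffix=$2; rel=${DISTAG#el}
    for dir in "$KS_ROOT/custom/ks/include" "$KS_ROOT/default/ks/include"; do
        for base in "ks-el${rel}" "ks-elx"; do
            f="$dir/${base}-${label}-${suffix}.inc"
            [ -f "$f" ] && { printf '%s\n' "$f"; return 0; }
        done
    done
    return 1
}

# mkIncFil LABEL SUFFIX...: assemble ${KS_TMP}/ks-LABEL.inc and print its path.
mkIncFil() {
    label=$1; shift
    out="$KS_TMP/ks-${label}.inc"
    : > "$out"                            # truncate: the last mkIncFil for a label wins
    for suffix in "$@"; do
        if src=$(find_inc "$label" "$suffix"); then
            printf '# --- %s\n' "$src" >> "$out"   # provenance line aids troubleshooting
            cat "$src" >> "$out"
        else
            printf '# elmedia: no include found for %s %s\n' "$label" "$suffix" >> "$out"
        fi
    done
    printf '%s\n' "$out"
}

# build_sample_tree: constructed include files mirroring the 65pkg example above.
build_sample_tree() {
    mkdir -p "$KS_ROOT/default/ks/include" "$KS_ROOT/custom/ks/include"
    printf '%%packages\n'   > "$KS_ROOT/default/ks/include/ks-elx-65pkg-00def.inc"
    printf 'ansible\n'      > "$KS_ROOT/default/ks/include/ks-elx-65pkg-ansible.inc"
    printf 'tpm2-tools\n'   > "$KS_ROOT/default/ks/include/ks-el8-65pkg-tpm2.inc"
    printf 'someneed-pkg\n' > "$KS_ROOT/custom/ks/include/ks-el8-65pkg-someneed.inc"
}
```

After sourcing the file, run build_sample_tree and then mkIncFil 65pkg 00def ansible tpm2 someneed; the printed path is the assembled /tmp/ks-65pkg.inc, and each section is prefixed with the include it came from.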

Post-install

TODO: this needs to be completed

Core Configuration

The default configuration is the following.

# 90pst - Post - Post-Install
mkIncFil 90pst 00def 00el0_home 00el0_sshsudo clevis_common dracut_clevis_none

Defaults and Users

TODO

LUKS with Clevis

Clevis provides a way for boot-time decryption, even auto-decryption, of storage. Auto-decryption may be done by either of the following two (2) methods.

  1. Hardware TPM 2.x compatible IC on-board, or ...
  2. Remotely retrieved keystore via a Tang Server - requiring the system to be connected to the network to auto-decrypt

# 90pst - Post - Post-Install
mkIncFil 90pst 00def 00el0_home 00el0_sshsudo clevis_common dracut_clevis_none
# custom # mkIncFil 90pst 00def 00el0_home 00cus_sshsudo clevis_common dracut_clevis_tpm2
# custom # mkIncFil 90pst 00def 00el0_home 00cus_sshsudo clevis_common dracut_clevis_tang

TODO/finish

Optional Software Distribution