-
Notifications
You must be signed in to change notification settings - Fork 11
/
cfg-rhel_9.j2
354 lines (316 loc) · 11.2 KB
/
cfg-rhel_9.j2
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
# RHEL 9 base image kickstart file
cmdline
zerombr
clearpart --all --initlabel --disklabel gpt
{% set boot_parameters_full = __console_boot_string + __fips_boot_parameter + boot_parameters %}
{% if __boot_pw_encrypted == '' %}
bootloader --timeout 1 --append "{{ boot_parameters_full }}"
{% else %}
bootloader --timeout 1 --append "{{ boot_parameters_full }}" --iscrypted --password {{ __boot_pw_encrypted }}
{% endif %}
{% if partitioning is defined and partitioning == 'auto' %}
autopart
{% elif partitioning is defined and partitioning == 'single' %}
{% if not bios_uefi_boot | bool %}
reqpart
{% else %}
part biosboot --fstype biosboot --size 1
part /boot/efi --fstype efi --size 127
{% endif %}
part / --fstype xfs --size 1024 --grow
{% elif partitioning is defined and partitioning == 'custom' %}
{{ custom_partitioning }}
{% else %}
{% if not bios_uefi_boot | bool %}
reqpart
{% else %}
part biosboot --fstype biosboot --size 1
part /boot/efi --fstype efi --size 127
{% endif %}
part /boot --fstype xfs --size 1024
part pv.01 --size 1024 --grow
volgroup vg_rhel pv.01
logvol swap --vgname vg_rhel --fstype swap --size 4096 --name lv_swap
logvol / --vgname vg_rhel --fstype xfs --size 6144 --name lv_root
logvol /home --vgname vg_rhel --fstype xfs --size 2048 --name lv_home
logvol /tmp --vgname vg_rhel --fstype xfs --size 2048 --name lv_tmp
logvol /var --vgname vg_rhel --fstype xfs --size 8192 --name lv_var
logvol /var/log --vgname vg_rhel --fstype xfs --size 2048 --name lv_var_log
logvol /var/log/audit --vgname vg_rhel --fstype xfs --size 2048 --name lv_var_log_audit
logvol /var/tmp --vgname vg_rhel --fstype xfs --size 2048 --name lv_var_tmp
{% endif %}
selinux --{{ selinux }}
authselect select minimal without-nullok with-pamaccess
rootpw --iscrypted {{ __root_pw_encrypted }}
{% if packer_builder != 'iso' %}
{% if network_setup_dhcp | bool %}
{% if not disable_ipv6 | bool %}
network --device net0 --bootproto dhcp --onboot yes --hostname {{ hostname }}
{% else %}
network --device net0 --bootproto dhcp --onboot yes --hostname {{ hostname }} --noipv6
{% endif %}
{% endif %}
{% endif %}
firewall --enabled --service ssh
firstboot --disabled
lang C.UTF-8
timezone --utc {{ timezone }}
{% for ntp_server in ntp_servers.split(',') %}
timesource --ntp-server {{ ntp_server }}
{% endfor %}
keyboard {{ keyboard }}
{% if security_profile is undefined or security_profile != 'stig' %}
services --enabled tuned
{% endif %}
{% if communicator == 'none' %}
poweroff
{% else %}
reboot
{% endif %}
{% if security_profile is defined %}
%addon com_redhat_oscap
content-type = scap-security-guide
profile = xccdf_org.ssgproject.content_profile_{{ security_profile }}
%end
{% endif %}
%packages{% if install_single_lang | bool %} --inst-langs en_US{% endif %}{% if install_exclude_docs | bool %} --excludedocs{% endif %}{% if install_exclude_weak_deps | bool %} --exclude-weakdeps{% endif %}{{''}}
bash-completion
bind-utils
#cloud-init
#cloud-utils-growpart
glibc-langpack-en
glibc-minimal-langpack
#insights-client
man-pages
nano
NetworkManager-config-server
policycoreutils-python-utils
prefixdevname
psmisc
python3
python3-libselinux
setools-console
#sos
tar
#unzip
#vim-enhanced
yum-utils
{% if bios_uefi_boot | bool %}
efibootmgr
-flashrom
grub2-efi-x64
grub2-pc
-mdadm
#parted
shim-x64
{% endif %}
{% if security_profile is defined %}
openscap
openscap-scanner
scap-security-guide
{% endif %}
{% if security_profile is undefined or security_profile != 'stig' %}
tuned
{% endif %}
{% if packer_builder == 'vmware' %}
# https://bugzilla.redhat.com/show_bug.cgi?id=2041424
perl-File-Temp
{% endif %}
{% if install_single_lang | bool %}
-gawk-all-langpacks
-langpacks-*
{% endif %}
{% if packer_builder != 'iso' %}
-linux-firmware
-n*firmware*
{% endif %}
-a*firmware*
-dracut-config-rescue
-i*firmware*
-lib*firmware*
-NetworkManager-team
-NetworkManager-tui
-parted
-plymouth
-rhc*
-sqlite
-sssd*
{% if custom_packages is defined %}
{{ custom_packages }}
{% endif %}
%end
%post
grub2-editenv - unset menu_auto_hide
sed -i -e '/cockpit/d' /etc/firewalld/zones/public.xml
rm -f /etc/firewalld/zones/public.xml.old
{% if install_single_lang | bool %}
echo "%_install_langs en_US" > /etc/rpm/macros.install-langs-conf
{% endif %}
{% if install_exclude_docs | bool %}
echo "%_excludedocs 1" > /etc/rpm/macros.excludedocs-conf
{% endif %}
{% if install_exclude_weak_deps | bool %}
echo "install_weak_deps=False" >> /etc/dnf/dnf.conf
{% endif %}
%end
{% if bios_uefi_boot | bool %}
%post
rm -f /boot/efi/EFI/redhat/grub.cfg.rpmsave
if [ -d /sys/firmware/efi ]; then
test -b /dev/vda && disk=/dev/vda || disk=/dev/sda
rpm -q grub2-pc > /dev/null 2>&1 && grub2-install --target=i386-pc $disk || :
#rpm -q parted > /dev/null 2>&1 && parted $disk disk_set pmbr_boot off || :
fi
%end
{% endif %}
{% if serial_console_setup | bool %}
%post
systemctl enable serial-getty@ttyS0.service
%end
{% endif %}
{% if disable_ipv6 | bool %}
%post
echo "net.ipv6.conf.all.disable_ipv6 = 1" > /etc/sysctl.d/50-ipv6.conf
echo "net.ipv6.conf.default.disable_ipv6 = 1" >> /etc/sysctl.d/50-ipv6.conf
echo "net.ipv6.conf.lo.disable_ipv6 = 1" >> /etc/sysctl.d/50-ipv6.conf
for netconf in $(ls -1 /etc/NetworkManager/system-connections/*.nmconnection); do
sed -i -e '/^\[ipv6\]$/,/^\[/ s/method=.*/method=disabled/' $netconf
done
sed -i -e '/^::1/d' /etc/hosts
echo "AddressFamily inet" > /etc/ssh/sshd_config.d/50-ipv6.conf
sed -i -e '/dhcpv6-client/d' /etc/firewalld/zones/public.xml
if [ -d /etc/vmware-tools ]; then
echo "[guestinfo]" > /etc/vmware-tools/tools.conf
echo "max-ipv6-routes=0" >> /etc/vmware-tools/tools.conf
fi
%end
{% else %}
%post
echo "net.ipv6.conf.all.disable_ipv6 = 0" > /etc/sysctl.d/50-ipv6.conf
echo "net.ipv6.conf.default.disable_ipv6 = 0" >> /etc/sysctl.d/50-ipv6.conf
echo "net.ipv6.conf.lo.disable_ipv6 = 0" >> /etc/sysctl.d/50-ipv6.conf
%end
{% endif %}
{% if root_ssh_key is defined %}
%post
mkdir -m 0700 /root/.ssh
echo "{{ root_ssh_key }}" > /root/.ssh/authorized_keys
chmod 0600 /root/.ssh/authorized_keys
restorecon -R /root/.ssh
%end
{% endif %}
{% if packer_builder == 'vmware' %}
%post --erroronfail
vmtoolsd -b /run/vmtoolsd.pid
%end
{% endif %}
{% if custom_section_early is defined %}
{{ custom_section_early }}
{% endif %}
%post --erroronfail
# Import Red Hat RPM GPG key
rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
# Remote execution directory if tmp dirs are noexec
mkdir -p -m 0700 /var/lib/exec
{% if rh_register_command is defined %}
# Update to latest packages
{{ rh_register_command }} || exit 1
dnf -y update
{% if rh_satellite_tools_install | bool %}
dnf -y install katello-host-tools-tracer || exit 1
{% endif %}
subscription-manager unregister || exit 1
subscription-manager clean
dnf -C remove -y 'katello-ca-consumer-*'
mv /etc/rhsm/rhsm.conf.kat-backup /etc/rhsm/rhsm.conf
sed -i -e 's,^package_profile_on_trans = .*,package_profile_on_trans = 1,' /etc/rhsm/rhsm.conf
rm -f /etc/rhsm/syspurpose/syspurpose.json /etc/rhsm/ca/katello-*-ca.pem /var/lib/rhsm/cache/* \
/var/lib/rhsm/facts/*.json /var/lib/rhsm/repo*/*.repo /var/lib/rhsm/*_name
{% endif %}
{% if create_admin | bool %}
# Create admin group and user
groupadd -g {{ admin_user.gid }} {{ admin_user.group }}
useradd -c "{{ admin_user.gecos }}" -d {{ admin_user.home }} -g {{ admin_user.gid }} -G {{ admin_user.groups }} -m -u {{ admin_user.uid }} {{ admin_user.name }}
{% if admin_user.ssh_key is defined %}
mkdir -m 0700 {{ admin_user.home }}/.ssh
echo "{{ admin_user.ssh_key }}" > {{ admin_user.home }}/.ssh/authorized_keys
chmod 0600 {{ admin_user.home }}/.ssh/authorized_keys
chown -R {{ admin_user.uid }}:{{ admin_user.gid }} {{ admin_user.home }}/.ssh
restorecon -R {{ admin_user.home }}/.ssh
{% endif %}
chown -R {{ admin_user.uid }}:{{ admin_user.gid }} /var/lib/exec
{% if admin_user.passwordless_sudo is defined and admin_user.passwordless_sudo | bool %}
{% if admin_user.groups is not defined or 'wheel' not in admin_user.groups %}
usermod -a -G wheel {{ admin_user.name }}
{% endif %}
echo '{{ admin_user.name }} ALL=(ALL) NOPASSWD: ALL' > /etc/sudoers.d/{{ admin_user.name }}
chmod 0440 /etc/sudoers.d/{{ admin_user.name }}
restorecon /etc/sudoers.d/{{ admin_user.name }}
{% endif %}
{% if not root_permit_local | bool %}
{% if root_permit_override_security_policy | bool %}
# Lock root account - caution needed
passwd -l root
{% endif %}
{% endif %}
{% endif %}
# Configure root SSH access
{% if security_policy is not defined or
(security_policy is defined and root_permit_override_security_policy | bool) %}
echo "PermitRootLogin {{ root_permit_ssh }}" > /etc/ssh/sshd_config.d/0-local.conf
{% endif %}
# Services
systemctl disable dnf-makecache.timer nis-domainname.service remote-fs.target
# Watchdog
sed -i -e 's,^#RuntimeWatchdogSec=.*,RuntimeWatchdogSec=60s,' /etc/systemd/system.conf
{% if packer_builder == 'iso' %}
# Clean up permanent network configuration file
for netdev in $(nmcli -t dev | cut -d: -f1 | grep -v lo); do
sed -i -e '/dhcp-/d' /etc/NetworkManager/system-connections/$netdev.nmconnection
sed -i -e '/origin/d' /etc/NetworkManager/system-connections/$netdev.nmconnection
done
{% endif %}
{% if packer_builder != 'iso' %}
# Remove machine identification and state
for netdev in $(nmcli -t dev | cut -d: -f1 | grep -v lo); do
sed -i -e '/uuid=/d' /etc/NetworkManager/system-connections/$netdev.nmconnection
sed -i -e '/dhcp-/d' /etc/NetworkManager/system-connections/$netdev.nmconnection
sed -i -e '/origin/d' /etc/NetworkManager/system-connections/$netdev.nmconnection
sed -i -e '/timestamp/d' /etc/NetworkManager/system-connections/$netdev.nmconnection
{% if network_setup_purge | bool %}
sed -i -e '/dns-/d' /etc/NetworkManager/system-connections/$netdev.nmconnection
sed -i -e '/address/d' /etc/NetworkManager/system-connections/$netdev.nmconnection
{% endif %}
done
truncate -s 0 /etc/machine-id /etc/resolv.conf
/bin/rm -rf /etc/systemd/network/7* /etc/udev/rules.d/7* /etc/ssh/ssh_host_*
/bin/rm -rf /var/lib/systemd/random-seed
# Clear caches, files, and logs
/bin/rm -rf /root/* /tmp/* /tmp/.[a-zA-Z]* /var/tmp/*
/bin/rm -rf /etc/*- /etc/*.bak /etc/*~ /etc/sysconfig/*~
/bin/rm -rf /var/cache/dnf/* /var/cache/yum/* /var/log/rhsm/*
/bin/rm -rf /var/lib/dnf/* /var/lib/yum/repos/* /var/lib/yum/yumdb/*
/bin/rm -rf /var/lib/NetworkManager/* /var/lib/unbound/*.key
/bin/rm -rf /var/log/*debug /var/log/anaconda /var/log/dmesg*
/bin/rm -rf /var/lib/cloud/* /var/log/cloud-init*.log
/bin/rm -rf /var/lib/authselect/backups/*
truncate -s 0 /var/log/cron /var/log/tuned/tuned.log
truncate -s 0 /var/log/audit/audit.log /var/log/messages /var/log/secure
truncate -s 0 /var/log/btmp /var/log/wtmp /var/log/lastlog
{% endif %}
# Update initramfs
dracut -f --regenerate-all
{% if not kdump_update_disable | bool %}
# Create kdump initramfs for all kernels
for kver in $(rpm -q --qf "%{version}-%{release}.%{arch}\n" kernel); do
sed -i -e "s,^KDUMP_KERNELVER=.*,KDUMP_KERNELVER=$kver," /etc/sysconfig/kdump
kdumpctl rebuild
sed -i -e 's,^KDUMP_KERNELVER=.*,KDUMP_KERNELVER="",' /etc/sysconfig/kdump
done
{% endif %}
# Ensure everything is written to the disk
sync ; echo 3 > /proc/sys/vm/drop_caches ;
%end
{% if custom_section_late is defined %}
{{ custom_section_late }}
{% endif %}