Eu tenho trabalhado em um script de kickstart para uma instalação do Scientific Linux. Meu objetivo é criar um CD ISO para que alguém possa instalá-lo facilmente em um servidor. Eu consegui fazer uma quantia decente com isso, mas ainda estou tendo alguns problemas que eu gostaria de ajudar.
- Quando o menu de inicialização é iniciado e eu seleciono "instalar" ou "instalar (modo de texto)", ele nunca vai diretamente para a instalação. Ele vai para um prompt de comando onde eu tenho que digitar root e executar "liveinst".
- Quando a instalação começar, quero remover algumas das opções. Ex. - Eu estou definindo o fuso horário, idioma, etc no script de kickstart, então eu não quero que ninguém seja capaz de modificar isso.
- Não está me solicitando as informações da rede. Não quero executar o firstboot, só quero que ele me peça a rede durante a configuração inicial. Eu tentei várias coisas no script de kickstart, como "asknet", "network --query", e nenhuma parece funcionar.
- A configuração do iptables não funciona. Eu tentei adicionar "iptables --ssh --http --port: 514" no topo do script de kickstart, eu tentei echoing comandos em / etc / sysconfig / iptables, eu tentei reescrever o arquivo completamente, e nada disso parece funcionar.
Qualquer ajuda ou ponteiros seria muito apreciada.
######################################################
## Custom Kickstart Script
######################################################
######################################################
## Include another kickstart script
######################################################
%include sl62-livecd-gnome.ks
######################################################
## Basic Settings
######################################################
cdrom
install
autopart
autostep
xconfig --startxonboot
rootpw testpassword
lang en_US.UTF-8
keyboard us
timezone --utc America/New_York
auth --useshadow --enablemd5
selinux --disabled
services --enabled=iptables,rsyslog,sshd,ntpd,NetworkManager,network --disabled=sendmail,cups,firstboot,ip6tables
clearpart --all
######################################################
## Repos
######################################################
repo --name=base --baseurl=http://ftp.scientificlinux.org/linux/scientific/6.2/$basearch/os/
repo --name=security --baseurl=http://ftp.scientificlinux.org/linux/scientific/6.2/$basearch/updates/security/
######################################################
## Packages
######################################################
%packages
# Additional firmware support
aic94xx-firmware
netxen-firmware
atmel-firmware
bfa-firmware
ql2100-firmware
ql2200-firmware
ql23xx-firmware
ql2400-firmware
ql2500-firmware
rt61pci-firmware
rt73usb-firmware
xorg-x11-drv-ati-firmware
# Remove these packages
-tigervnc-server
-tigervnc
-postfix
-pidgin
-cups
-pulseaudio-module-bluetooth
-gnome-bluetooth-libs
-gnome-bluetooth
-cheese
-evolution-data-server
-libgweather
-tsclient
/usr/sbin/lokkit
%end
######################################################
## Post Script --nochroot (nochroot environment allows you to copy from the build host environment to the livecd build enviroment)
######################################################
%post --nochroot
# Modify desktop background
cp -f my_wallpaper.jpg $INSTALL_ROOT/usr/share/backgrounds/1280x1024_default.png
cp -f my_wallpaper.jpg $INSTALL_ROOT/usr/share/backgrounds/1920x1200_default.png
cp -f my_wallpaper.jpg $INSTALL_ROOT/usr/share/backgrounds/2048x1536_default.png
# Copy new splash screen for boot menu
cp -f splash.jpg $LIVE_ROOT/isolinux/
# Copy icons for the new applications
cp -f logo-16x16.png $INSTALL_ROOT/usr/share/icons/gnome/16x16/apps/logo.png
cp -f logo-22x22.png $INSTALL_ROOT/usr/share/icons/gnome/22x22/apps/logo.png
cp -f logo-24x24.png $INSTALL_ROOT/usr/share/icons/gnome/24x24/apps/logo.png
cp -f logo-32x32.png $INSTALL_ROOT/usr/share/icons/gnome/32x32/apps/logo.png
cp -f logo-32x32.png $INSTALL_ROOT/usr/share/icons/gnome/scalable/apps/logo.png
# Copy some files to the hard drive, will put them in the desktop later in the post script
cp -f system_stats $INSTALL_ROOT/usr/local/bin/
# Modify the boot menu
cat > $LIVE_ROOT/isolinux/isolinux.cfg << EOF_boot_menu
default vesamenu.c32
timeout 100
menu background splash.jpg
menu title Welcome to MyISO!
menu color border 0 #ffffffff #00000000
menu color sel 7 #ffffffff #ff000000
menu color title 0 #ffffffff #00000000
menu color tabmsg 0 #ffffffff #00000000
menu color unsel 0 #ffffffff #00000000
menu color hotsel 0 #ff000000 #ffffffff
menu color hotkey 7 #ffffffff #ff000000
menu color timeout_msg 0 #ffffffff #00000000
menu color timeout 0 #ffffffff #00000000
menu color cmdline 0 #ffffffff #00000000
menu hidden
menu hiddenrow 5
label install0
menu label Install
kernel vmlinuz0
append initrd=initrd0.img root=live:CDLABEL=MyISO rootfstype=auto ro liveimg liveinst noswap rd_NO_LUKS rd_NO_MD rd_NO_DM
menu default
EOF_boot_menu
%end
#####################################################
## Post Script (chroot environment isolates the livecd build environment form the host that is building the livecd)
#####################################################
%post
# Add a new user and modify permissions
/usr/sbin/useradd support -G wheel -c "Support" -d /home/support -s /bin/bash; echo password | passwd --stdin support
# Create the .ssh directory for root to have passwordless logins to the syslog server
mkdir /root/.ssh
# Create the keys
cat > /root/.ssh/id_rsa << EOF_id_rsa
PAST PRIVTE KEY HERE
EOF_id_rsa
cat > /root/.ssh/id_rsa.pub << EOF_id_rsa_pub
PAST PUBLIC KEY HERE
EOF_id_rsa_pub
# Modify the permissions for the ssh key
chown root:root -R /root/.ssh/
chmod 700 -R /root/.ssh/
# Allow wheel group sudo access
cat >> /etc/sudoers << EOF_sudoers
### Allow wheel group sudo access ###
%wheel ALL=(ALL) ALL'
EOF_sudoers
# Modify ssh_config
cat >> /etc/ssh/ssh_config << EOF_ssh_config
### Specific settings for timeouts
TCPKeepAlive yes
ServerAliveInterval 120
ServerAliveCountMax 3
### Don't prompt for host verification
StrictHostKeyChecking no
EOF_ssh_config
# Modify sshd_config
/bin/sed -i 's/#PermitRootLogin yes/PermitRootLogin no/' /etc/ssh/sshd_config
/sbin/service sshd restart
# Create a directory for rsyslog queuing
mkdir /var/spool/rsyslog
# Modify rsyslog configuration
cat >> /etc/rsyslog.conf << EOF_rsyslog
### Queuing Config ###
\$WorkDirectory /var/spool/rsyslog
\$ActionQueueType LinkedList
\$ActionQueueFileName remotequeue
\$ActionResumeRetryCount -1
\$ActionQueueSaveOnShutdown on
\$ActionQueueMaxFileSize 100m
\$ActionQueueMaxDiskSpace 5g
### Forwarding Rule ###
*.* @@127.0.0.1:1514
EOF_rsyslog
# Start the SSH tunnel and ensure if it goes down, it will be restarted
cat >> /etc/rc.local << EOF_inittab
ssh -fnNTx -L 1514:127.0.0.1:514 [email protected] > /dev/null 2>&1
EOF_inittab
cat >> /usr/local/bin/ssh_syslog << EOF_ssh_syslog
#!/bin/bash
if ps aux | grep "ssh -fnNTx" | grep -v "grep"
then
echo "Already Running"
else
echo "Starting now"
ssh -fnNTx -L 1514:127.0.0.1:514 [email protected]
fi
EOF_ssh_syslog
chmod 777 /usr/local/bin/ssh_syslog
cat >> /etc/crontab << EOF_ssh_cron
*/1 * * * * root /usr/local/bin/ssh_syslog
EOF_ssh_cron
# Allow forwarding (first line is for initial allowance, second line is to maintain during a reboot)
echo 1 > /proc/sys/net/ipv4/ip_forward
/bin/sed -i 's/net.ipv4.ip_forward = 0/net.ipv4.ip_forward = 1/' /etc/sysctl.conf
cat > /etc/sysconfig/iptables.script << EOF_iptables_script
#!/bin/bash
# Iptables configuration script
# Flush all current rules from iptables
/sbin/iptables -F
# Loopback address
/sbin/iptables -A INPUT -i lo -j ACCEPT
# Established inbound rule
/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Define new chain with all management IPs
/sbin/iptables -N MGT_IPS
/sbin/iptables -A INPUT -s 192.168.56.0/24 -j MGT_IPS
# Allow SSH , HTTP, ,HTTPS, and ping access to management IPs
/sbin/iptables -A MGT_IPS -p tcp -m state --state NEW -m multiport --dports 22,80,443 -j ACCEPT
/sbin/iptables -A MGT_IPS -p icmp -m icmp --icmp-type any -j ACCEPT
# Allow ICMP from internal IPs
/sbin/iptables -A INPUT -s 10.0.0.0/8 -p icmp -m icmp --icmp-type any -j ACCEPT
/sbin/iptables -A INPUT -s 172.16.0.0/12 -p icmp -m icmp --icmp-type any -j ACCEPT
/sbin/iptables -A INPUT -s 192.168.0.0/16 -p icmp -m icmp --icmp-type any -j ACCEPT
# Drop rules to prevent them from entering the logs
/sbin/iptables -A INPUT -p tcp -m multiport --dports 135,137,138 -j DROP
/sbin/iptables -A INPUT -p udp -m multiport --dports 135,137,138 -j DROP
/sbin/iptables -A INPUT -p all -d 255.255.255.255 -j DROP
# Log dropped traffic
/sbin/iptables -A INPUT -j LOG -m limit --limit 10/m --log-level 4 --log-prefix "Dropped Traffic: "
# Set default policies for INPUT, FORWARD and OUTPUT chains
/sbin/iptables -P INPUT DROP
/sbin/iptables -P FORWARD DROP
/sbin/iptables -P OUTPUT ACCEPT
# Save settings
/sbin/service iptables save
# List rules
/sbin/iptables -L -v
EOF_iptables_script
# Modify iptables.script permissions so it can run
chmod 700 /etc/sysconfig/iptables.script
# Add files to rc.local
cat >> /etc/rc.local << EOF_rclocal
# Run firewall script
/etc/sysconfig/iptables.script
EOF_rclocal
# Remove some files that are not needed (cups,tigervnc-server, libgweather won't allow me to remove them)
rpm -e --nodeps tigervnc
rpm -e --nodeps tigervnc-server
rpm -e --nodeps libgweather
rpm -e --nodeps pulseaudio
rpm -e --nodeps cups
rpm -e --nodeps sendmail
# Modify the applications menu
rm -f /usr/share/applications/gthumb*.desktop
rm -f /usr/share/applications/brasero*.desktop
rm -f /usr/share/applications/gnome-screens*.desktop
rm -f /usr/share/applications/about-this-computer.desktop
rm -f /usr/share/applications/gnome-about*.desktop
rm -f /usr/share/applications/gnome-dictionary.desktop
rm -f /usr/share/applications/gnome-gcalctool.desktop
rm -f /usr/share/applications/gnome-keybinding.desktop
rm -f /usr/share/applications/bluetooth-properties.desktop
rm -f /usr/share/applications/totem.desktop
rm -f /usr/share/applications/gnome-file-roller.desktop
rm -f /usr/share/applications/gnome-gucharmap.desktop
rm -f /usr/share/applications/gedit.desktop
rm -f /usr/share/applications/gnome-baobab.desktop
rm -f /usr/share/applications/gnome-system-monitor.desktop
rm -f /usr/share/applications/palimpsest.desktop
rm -f /usr/share/applications/gnome-nautilus-browser.desktop
rm -f /usr/share/applications/TUV.desktop
rm -f /usr/share/applications/sl-release-notes.desktop
rm -f /usr/share/applications/system-config-users.desktop
rm -f /usr/share/applications/authconfig.desktop
rm -f /usr/share/applications/system-config-firewall.desktop
rm -f /usr/share/applications/system-config-services.desktop
rm -f /usr/share/applications/gnome-network-properties.desktop
rm -f /usr/share/applications/gnome-volume-control.desktop
rm -f /usr/share/applications/gnome-default-application.desktop
rm -f /usr/share/applications/gnome-at-properties.desktop
rm -f /usr/share/applications/gnome-session-properties.desktop
/bin/sed -i 's/Categories=System;Settings;X-Red-Hat-Base;/Categories=Settings;/' /usr/share/applications/system-config-date.desktop
/bin/sed -i 's/NoDisplay=true/NoDisplay=false/' /home/customer_login/.local/share/applications/preferred-mail-reader.desktop
# Create a various scripts for customers to use
cat > /usr/local/bin/remote_support << EOF_remote_support
#!/bin/bash
# This script will open a reverse SSH tunnel for support.
ssh -fnNTx -R 2222:127.0.0.1:22 X.X.X.X
EOF_remote_support
chmod 777 /usr/local/bin/remote_support
chmod 777 /usr/local/bin/system_stats
# Add the scripts to the applications menu
cat > /usr/share/applications/remote-support.desktop << EOF_remote_sup_menu
[Desktop Entry]
Name=Remote Support
Comment=Support
Exec=remote_support
StartupNotify=true
Terminal=true
Type=Application
Categories=System
Icon=/usr/share/icons/gnome/16x16/apps/logo.png
EOF_remote_sup_menu
cat > /usr/share/applications/system-stats.desktop << EOF_sys_stats_menu
[Desktop Entry]
Name=System Statistics
Comment=Basic system information
Exec=system_stats
StartupNotify=true
Terminal=true
Type=Application
Categories=System
Icon=/usr/share/icons/gnome/16x16/apps/logo.png
EOF_sys_stats_menu
chmod 644 /usr/share/applications/remote-support.desktop
chmod 644 /usr/share/applications/system-stats.desktop
%end
# Reboot after installation
reboot --eject
EDIT: Eu descobri a maioria dos meus problemas. O único problema que tenho agora é que eu quero o procedimento de instalação para pular a seção onde ele solicita ao usuário uma senha de root. Eu configurarei isso mais tarde e não quero que eles tenham o poder de fazer isso.
EDIT2: Ok, atualizei meu script de kickstart acima. Usando este script, ele cria um live CD que instantaneamente vai para o processo de instalação. Uma vez que eu passo pelo processo de instalação, ele me pede senha root, localização HD, fusos horários, etc. Então ele é instalado e todo o meu script de kickstart funciona perfeitamente no novo sistema. No entanto, ainda quero fazer com que ele não solicite a senha de root durante a instalação inicial. Eu tentei adicionar o seguinte ao script kickstart, mas não funciona
# Copy kickstart script to the live CD
cp -f test.ks $INSTALL_ROOT/root/
# Modified the boot menu to say
append initrd=initrd0.img ks=cdrom:/root/test.ks root=live:CDLABEL=MyISO rootfstype=auto ro liveimg liveinst noswap rd_NO_LUKS rd_NO_MD rd_NO_DM
No ks = part eu não tinha certeza do que estava correto, então eu também tentei ks = / root / test.ks e ainda me solicitou as informações iniciais de configuração.
EDIT3: Eu comecei a trabalhar nisso novamente nos últimos dias e ainda não consigo fazer com que o ISO siga automaticamente as etapas básicas de configuração, como senha de root, configurações de hora, teclado, etc. localizações de colocar o ks.cfg em / root /, no live CD sob esse diretório raiz e sob isolinux. Toda vez que ainda pede a informação.