Linux Kickstart Scripts

2

I have been working on a kickstart script for a Scientific Linux installation. My goal is to create an ISO CD so that someone can easily install it on a server. I've managed to get a fair amount done with it, but I'm still having a few problems I'd like help with.

  1. When the boot menu comes up and I select "install" or "install (text mode)", it never goes straight into the installation. It drops to a command prompt where I have to type root and run "liveinst".
  2. Once the installation starts, I want to remove some of the options. E.g. I am setting the timezone, language, etc. in the kickstart script, so I don't want anyone to be able to modify those.
  3. It is not prompting me for the network information. I don't want to run firstboot; I just want it to ask me for the network during the initial setup. I have tried several things in the kickstart script, such as "asknet" and "network --query", and none of them seem to work.
  4. The iptables configuration doesn't work. I tried adding "iptables --ssh --http --port:514" at the top of the kickstart script, I tried echoing commands into /etc/sysconfig/iptables, I tried rewriting the file completely, and none of it seems to work.

Any help or pointers would be greatly appreciated.

######################################################
## Custom Kickstart Script
######################################################

######################################################
## Include another kickstart script
######################################################

%include sl62-livecd-gnome.ks

######################################################
## Basic Settings
######################################################

cdrom
install
autopart
# autostep makes anaconda step through every screen briefly (a debugging aid); it does not skip them
autostep
xconfig --startxonboot
rootpw testpassword

lang en_US.UTF-8
keyboard us
timezone --utc America/New_York
# --enablemd5 selects MD5 password hashes; --passalgo=sha512 is the RHEL/SL 6 default and stronger
auth --useshadow --enablemd5
selinux --disabled
services --enabled=iptables,rsyslog,sshd,ntpd,NetworkManager,network --disabled=sendmail,cups,firstboot,ip6tables

clearpart --all

######################################################
## Repos
######################################################
repo --name=base          --baseurl=http://ftp.scientificlinux.org/linux/scientific/6.2/$basearch/os/
repo --name=security   --baseurl=http://ftp.scientificlinux.org/linux/scientific/6.2/$basearch/updates/security/

######################################################
## Packages
######################################################

%packages

# Additional firmware support
aic94xx-firmware
netxen-firmware
atmel-firmware
bfa-firmware
ql2100-firmware
ql2200-firmware
ql23xx-firmware
ql2400-firmware
ql2500-firmware
rt61pci-firmware
rt73usb-firmware
xorg-x11-drv-ati-firmware

# Remove these packages
-tigervnc-server
-tigervnc
-postfix
-pidgin
-cups
-pulseaudio-module-bluetooth
-gnome-bluetooth-libs
-gnome-bluetooth
-cheese
-evolution-data-server
-libgweather
-tsclient

/usr/sbin/lokkit

%end

######################################################
## Post Script --nochroot (the nochroot environment lets you copy from the build host into the livecd build environment)
######################################################
%post --nochroot

# Modify desktop background
cp -f my_wallpaper.jpg $INSTALL_ROOT/usr/share/backgrounds/1280x1024_default.png
cp -f my_wallpaper.jpg $INSTALL_ROOT/usr/share/backgrounds/1920x1200_default.png
cp -f my_wallpaper.jpg $INSTALL_ROOT/usr/share/backgrounds/2048x1536_default.png

# Copy new splash screen for boot menu
cp -f splash.jpg $LIVE_ROOT/isolinux/

# Copy icons for the new applications
cp -f logo-16x16.png $INSTALL_ROOT/usr/share/icons/gnome/16x16/apps/logo.png
cp -f logo-22x22.png $INSTALL_ROOT/usr/share/icons/gnome/22x22/apps/logo.png
cp -f logo-24x24.png $INSTALL_ROOT/usr/share/icons/gnome/24x24/apps/logo.png
cp -f logo-32x32.png $INSTALL_ROOT/usr/share/icons/gnome/32x32/apps/logo.png
cp -f logo-32x32.png $INSTALL_ROOT/usr/share/icons/gnome/scalable/apps/logo.png

# Copy some files to the hard drive, will put them in the desktop later in the post script
cp -f system_stats $INSTALL_ROOT/usr/local/bin/

# Modify the boot menu
cat > $LIVE_ROOT/isolinux/isolinux.cfg << EOF_boot_menu

default vesamenu.c32
timeout 100

menu background splash.jpg
menu title Welcome to MyISO!
menu color border 0 #ffffffff #00000000
menu color sel 7 #ffffffff #ff000000
menu color title 0 #ffffffff #00000000
menu color tabmsg 0 #ffffffff #00000000
menu color unsel 0 #ffffffff #00000000
menu color hotsel 0 #ff000000 #ffffffff
menu color hotkey 7 #ffffffff #ff000000
menu color timeout_msg 0 #ffffffff #00000000
menu color timeout 0 #ffffffff #00000000
menu color cmdline 0 #ffffffff #00000000
menu hidden
menu hiddenrow 5
label install0
 menu label Install
 kernel vmlinuz0
 append initrd=initrd0.img root=live:CDLABEL=MyISO rootfstype=auto ro liveimg liveinst noswap   rd_NO_LUKS rd_NO_MD rd_NO_DM  
menu default
EOF_boot_menu

%end

#####################################################
## Post Script (the chroot environment isolates the livecd build environment from the host that is building the livecd)
#####################################################
%post

# Add a new user and modify permissions
/usr/sbin/useradd support -G wheel -c "Support" -d /home/support -s /bin/bash; echo password | passwd --stdin support

# Create the .ssh directory for root to have passwordless logins to the syslog server
mkdir /root/.ssh

# Create the keys
cat > /root/.ssh/id_rsa << EOF_id_rsa
PASTE PRIVATE KEY HERE
EOF_id_rsa

cat > /root/.ssh/id_rsa.pub << EOF_id_rsa_pub
PASTE PUBLIC KEY HERE
EOF_id_rsa_pub

# Lock down the key material: 700 on the directory, 600 on the private key
chown -R root:root /root/.ssh/
chmod 700 /root/.ssh
chmod 600 /root/.ssh/id_rsa
chmod 644 /root/.ssh/id_rsa.pub

# Allow wheel group sudo access
cat >> /etc/sudoers << EOF_sudoers

### Allow wheel group sudo access ###
%wheel ALL=(ALL) ALL
EOF_sudoers

# Modify ssh_config
cat >> /etc/ssh/ssh_config << EOF_ssh_config

### Specific settings for timeouts
TCPKeepAlive yes
ServerAliveInterval 120
ServerAliveCountMax 3

### Don't prompt for host verification
StrictHostKeyChecking no
EOF_ssh_config

# Modify sshd_config (no restart needed: sshd is not running inside the build chroot,
# the change takes effect when the installed system boots)
/bin/sed -i 's/#PermitRootLogin yes/PermitRootLogin no/' /etc/ssh/sshd_config

# Create a directory for rsyslog queuing
mkdir /var/spool/rsyslog

# Modify rsyslog configuration
cat >> /etc/rsyslog.conf << EOF_rsyslog

### Queuing Config ###
\$WorkDirectory /var/spool/rsyslog
\$ActionQueueType LinkedList
\$ActionQueueFileName remotequeue
\$ActionResumeRetryCount -1
\$ActionQueueSaveOnShutdown on
\$ActionQueueMaxFileSize 100m
\$ActionQueueMaxDiskSpace 5g

### Forwarding Rule ###
*.*     @@127.0.0.1:1514
EOF_rsyslog

# Start the SSH tunnel and ensure if it goes down, it will be restarted
cat >> /etc/rc.local << EOF_inittab
ssh -fnNTx -L 1514:127.0.0.1:514 [email protected] > /dev/null 2>&1
EOF_inittab

cat >> /usr/local/bin/ssh_syslog << EOF_ssh_syslog
#!/bin/bash
if ps aux | grep "ssh -fnNTx" | grep -v "grep"
then
echo "Already Running"
else
echo "Starting now"
ssh -fnNTx -L 1514:127.0.0.1:514 [email protected]
fi
EOF_ssh_syslog

# Executable by root only: a world-writable script that root runs from cron every minute
# would let any local user run commands as root
chmod 700 /usr/local/bin/ssh_syslog

cat >> /etc/crontab << EOF_ssh_cron
*/1 * * * * root /usr/local/bin/ssh_syslog
EOF_ssh_cron

# Allow forwarding (the first line enables it now, the second makes it persist across reboots)
echo 1 > /proc/sys/net/ipv4/ip_forward
/bin/sed -i 's/net.ipv4.ip_forward = 0/net.ipv4.ip_forward = 1/' /etc/sysctl.conf

cat > /etc/sysconfig/iptables.script << EOF_iptables_script
#!/bin/bash
# Iptables configuration script

# Flush all rules and delete user-defined chains so the script can be re-run
# (without -X the later "-N MGT_IPS" fails with "Chain already exists")
/sbin/iptables -F
/sbin/iptables -X

# Loopback address
/sbin/iptables -A INPUT -i lo -j ACCEPT

# Established inbound rule
/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Define new chain with all management IPs
/sbin/iptables -N MGT_IPS
/sbin/iptables -A INPUT -s 192.168.56.0/24 -j MGT_IPS

# Allow SSH, HTTP, HTTPS and ping from the management IPs
/sbin/iptables -A MGT_IPS -p tcp -m state --state NEW -m multiport --dports 22,80,443 -j ACCEPT
/sbin/iptables -A MGT_IPS -p icmp -m icmp --icmp-type any -j ACCEPT

# Allow ICMP from internal IPs
/sbin/iptables -A INPUT -s 10.0.0.0/8 -p icmp -m icmp --icmp-type any -j ACCEPT
/sbin/iptables -A INPUT -s 172.16.0.0/12 -p icmp -m icmp --icmp-type any -j ACCEPT
/sbin/iptables -A INPUT -s 192.168.0.0/16 -p icmp -m icmp --icmp-type any -j ACCEPT

# Drop rules to prevent them from entering the logs
/sbin/iptables -A INPUT -p tcp -m multiport --dports 135,137,138 -j DROP
/sbin/iptables -A INPUT -p udp -m multiport --dports 135,137,138 -j DROP
/sbin/iptables -A INPUT -p all -d 255.255.255.255 -j DROP

# Log dropped traffic
/sbin/iptables -A INPUT -j LOG -m limit --limit 10/m --log-level 4 --log-prefix "Dropped Traffic: "

# Set default policies for INPUT, FORWARD and OUTPUT chains
/sbin/iptables -P INPUT DROP
/sbin/iptables -P FORWARD DROP
/sbin/iptables -P OUTPUT ACCEPT

# Save settings
/sbin/service iptables save

# List rules
/sbin/iptables -L -v
EOF_iptables_script

# Modify iptables.script permissions so it can run
chmod 700 /etc/sysconfig/iptables.script

# Add files to rc.local
cat >> /etc/rc.local << EOF_rclocal

# Run firewall script
/etc/sysconfig/iptables.script
EOF_rclocal

# Remove some packages that are not needed (cups, tigervnc-server and libgweather would not let me remove them via %packages)
rpm -e --nodeps tigervnc
rpm -e --nodeps tigervnc-server
rpm -e --nodeps libgweather
rpm -e --nodeps pulseaudio
rpm -e --nodeps cups
rpm -e --nodeps sendmail

# Modify the applications menu
rm -f /usr/share/applications/gthumb*.desktop
rm -f /usr/share/applications/brasero*.desktop
rm -f /usr/share/applications/gnome-screens*.desktop
rm -f /usr/share/applications/about-this-computer.desktop
rm -f /usr/share/applications/gnome-about*.desktop
rm -f /usr/share/applications/gnome-dictionary.desktop
rm -f /usr/share/applications/gnome-gcalctool.desktop
rm -f /usr/share/applications/gnome-keybinding.desktop
rm -f /usr/share/applications/bluetooth-properties.desktop
rm -f /usr/share/applications/totem.desktop
rm -f /usr/share/applications/gnome-file-roller.desktop
rm -f /usr/share/applications/gnome-gucharmap.desktop
rm -f /usr/share/applications/gedit.desktop
rm -f /usr/share/applications/gnome-baobab.desktop
rm -f /usr/share/applications/gnome-system-monitor.desktop
rm -f /usr/share/applications/palimpsest.desktop
rm -f /usr/share/applications/gnome-nautilus-browser.desktop
rm -f /usr/share/applications/TUV.desktop
rm -f /usr/share/applications/sl-release-notes.desktop
rm -f /usr/share/applications/system-config-users.desktop
rm -f /usr/share/applications/authconfig.desktop
rm -f /usr/share/applications/system-config-firewall.desktop
rm -f /usr/share/applications/system-config-services.desktop
rm -f /usr/share/applications/gnome-network-properties.desktop
rm -f /usr/share/applications/gnome-volume-control.desktop
rm -f /usr/share/applications/gnome-default-application.desktop
rm -f /usr/share/applications/gnome-at-properties.desktop
rm -f /usr/share/applications/gnome-session-properties.desktop

/bin/sed -i 's/Categories=System;Settings;X-Red-Hat-Base;/Categories=Settings;/' /usr/share/applications/system-config-date.desktop

/bin/sed -i 's/NoDisplay=true/NoDisplay=false/' /home/customer_login/.local/share/applications/preferred-mail-reader.desktop

# Create a various scripts for customers to use
cat > /usr/local/bin/remote_support << EOF_remote_support
#!/bin/bash
# This script will open a reverse SSH tunnel for support.
ssh -fnNTx -R 2222:127.0.0.1:22 X.X.X.X
EOF_remote_support

# Executable for users but writable only by root (777 would let any user edit a script that other users run)
chmod 755 /usr/local/bin/remote_support
chmod 755 /usr/local/bin/system_stats

# Add the scripts to the applications menu
cat > /usr/share/applications/remote-support.desktop << EOF_remote_sup_menu
[Desktop Entry]
Name=Remote Support
Comment=Support
Exec=remote_support
StartupNotify=true
Terminal=true
Type=Application
Categories=System
Icon=/usr/share/icons/gnome/16x16/apps/logo.png
EOF_remote_sup_menu

cat > /usr/share/applications/system-stats.desktop << EOF_sys_stats_menu
[Desktop Entry]
Name=System Statistics
Comment=Basic system information
Exec=system_stats
StartupNotify=true
Terminal=true
Type=Application
Categories=System
Icon=/usr/share/icons/gnome/16x16/apps/logo.png
EOF_sys_stats_menu

chmod 644 /usr/share/applications/remote-support.desktop
chmod 644 /usr/share/applications/system-stats.desktop

%end

# Reboot after installation
reboot --eject

EDIT: I've figured out most of my problems. The only issue I have now is that I want the install procedure to skip the section where it prompts the user for a root password. I will set this later and don't want them having the power to do that.

EDIT2: OK, I updated my kickstart script above. Using this script, it creates a live CD that goes straight into the install process. Once I go through the install process, it asks me for the root password, HD location, timezones, etc. Then it installs and my whole kickstart script works perfectly on the new system. However, I still want it to not prompt for the root password during the initial installation. I tried adding the following to the kickstart script, but it doesn't work:

# Copy kickstart script to the live CD
cp -f test.ks $INSTALL_ROOT/root/

# Modified the boot menu to say
append initrd=initrd0.img ks=cdrom:/root/test.ks root=live:CDLABEL=MyISO rootfstype=auto ro liveimg liveinst noswap   rd_NO_LUKS rd_NO_MD rd_NO_DM  

In the ks= part I wasn't sure what was correct, so I also tried ks=/root/test.ks and it still prompted me for the initial setup information.

EDIT3: I started working on this again over the last few days and still can't get the ISO to automatically follow the basic setup steps like root password, time settings, keyboard, etc. I have tried placing ks.cfg in /root/, on the live CD under its root directory, and under isolinux. Every time it still asks for the information.

    
by Eric 11.04.2012 / 17:30
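The syslog tunnel in the question's %post bakes one root private key into every ISO, trusts any host key (StrictHostKeyChecking no), and keeps the tunnel alive with a ps | grep check from cron. As an added example (not code from the post), the bash below shows the two pieces a reviewer would ask for: the authorized_keys line to install on the syslog server so that key can do nothing except open the one forward it needs, and a tunnel supervisor that uses ssh's own control socket instead of grepping the process list. The sample public key is constructed and not a real key; the host name syslog-tunnel@logserver.example.net and the socket path are placeholders; the syslog server is assumed to run OpenSSH with rsyslog listening on 127.0.0.1:514.

```shell
#!/bin/bash
# Added example, not part of the original kickstart.

# Constructed sample public key for illustration only (not real key material).
SAMPLE_PUBKEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFakeKeyMaterialForIllustration0000000 root@buildhost'

# Emit an authorized_keys entry for the syslog server: the key may only come
# from $2, may only forward to $3 (default: the local rsyslog listener), gets
# no shell, no pty, no agent/X11 forwarding. "command=" keeps a leaked copy
# of the key from being used for an interactive login.
restricted_authorized_key() {
    local pubkey=$1 from_cidr=$2 target=${3:-127.0.0.1:514}
    local ktype kblob
    ktype=${pubkey%% *}
    kblob=${pubkey#* }; kblob=${kblob%% *}
    case "$ktype" in
        ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
        *) echo "unrecognised key type: $ktype" >&2; return 1 ;;
    esac
    case "$kblob" in
        ''|*[!A-Za-z0-9+/=]*) echo "malformed key blob" >&2; return 1 ;;
    esac
    printf 'from="%s",permitopen="%s",command="/bin/false",no-pty,no-agent-forwarding,no-X11-forwarding,no-user-rc %s %s syslog-tunnel\n' \
        "$from_cidr" "$target" "$ktype" "$kblob"
}

# One tunnel per control socket. "-O check" asks the running master whether
# it is alive, so cron can call this every minute without spawning duplicates.
TUNNEL_SOCK=/var/run/syslog-tunnel.sock   # placeholder path
ensure_tunnel() {
    local remote=$1   # e.g. syslog-tunnel@logserver.example.net (placeholder)
    if ssh -S "$TUNNEL_SOCK" -O check "$remote" 2>/dev/null; then
        echo "tunnel already up"
        return 0
    fi
    rm -f "$TUNNEL_SOCK"
    # Host key must already be in known_hosts (pin it at build time); a failed
    # forward (port 1514 busy) makes ssh exit instead of sitting there uselessly.
    ssh -M -S "$TUNNEL_SOCK" -fnNT \
        -o ExitOnForwardFailure=yes \
        -o ServerAliveInterval=30 -o ServerAliveCountMax=3 \
        -o StrictHostKeyChecking=yes -o UserKnownHostsFile=/root/.ssh/known_hosts \
        -L 127.0.0.1:1514:127.0.0.1:514 "$remote"
}

case "${1:-}" in
    keyline) restricted_authorized_key "$2" "$3" ;;   # keyline "$(cat id_rsa.pub)" 192.168.56.0/24
    tunnel)  ensure_tunnel "$2" ;;                     # tunnel syslog-tunnel@logserver.example.net
esac
```

Pin the server's host key once at build time (for example with ssh-keyscan into /root/.ssh/known_hosts in %post) rather than disabling StrictHostKeyChecking for every connection the box will ever make; the permitopen/from restrictions then bound what anyone who extracts the key from the ISO can do with it.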

3 answers

5

I use CentOS, but the easiest way I've found to set up a system via kickstart is to install and configure a system the way I want it, then look at /root/anaconda-ks.cfg. That file is a kickstart of the installation you just did. I assume Scientific has this file too.

Once you have that file, I found it much easier to modify (add/remove) what I want and to watch out for the funny networking, SELinux, iptables configuration, etc. myself.

Cheers, Josh

    
by 11.04.2012 / 20:12
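Josh's answer lists the iptables configuration among the things to watch. The question builds it as a script of incremental -A calls run from rc.local, which flushes the table (policy ACCEPT until the last lines run), cannot be re-run because "-N MGT_IPS" fails the second time, and then calls "service iptables save". As an added example (not code from the question or the answer), the bash below renders the same ruleset in iptables-save format, which is what "service iptables start" loads atomically from /etc/sysconfig/iptables on RHEL/SL 6, and validates the inputs before anything touches the kernel. It assumes a RHEL/SL 6 style iptables init script and an iptables-restore that supports --test.

```shell
#!/bin/bash
# Added example, not part of the original kickstart.

# Validate a.b.c.d/nn with shell builtins only.
valid_cidr() {
    local ip=${1%/*} bits=${1#*/} o
    [ "$ip" != "$1" ] || return 1                 # no "/" present
    case "$bits" in ''|*[!0-9]*) return 1 ;; esac
    [ "$bits" -le 32 ] || return 1
    local IFS=.
    set -- $ip
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
}

# Render the ruleset in iptables-save format.
#   $1 = management CIDR, $2 = comma-separated TCP ports allowed from it.
# Policies are set in the same transaction as the rules, so there is no
# window with an empty INPUT chain and policy ACCEPT.
render_rules() {
    local mgmt=$1 ports=$2
    valid_cidr "$mgmt" || { echo "bad CIDR: $mgmt" >&2; return 1; }
    case "$ports" in ''|*[!0-9,]*) echo "bad port list: $ports" >&2; return 1 ;; esac
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:MGT_IPS - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -s $mgmt -j MGT_IPS
-A INPUT -s 10.0.0.0/8 -p icmp -j ACCEPT
-A INPUT -s 172.16.0.0/12 -p icmp -j ACCEPT
-A INPUT -s 192.168.0.0/16 -p icmp -j ACCEPT
-A INPUT -p tcp -m multiport --dports 135,137,138 -j DROP
-A INPUT -p udp -m multiport --dports 135,137,138 -j DROP
-A INPUT -d 255.255.255.255 -j DROP
-A INPUT -m limit --limit 10/min -j LOG --log-level 4 --log-prefix "Dropped Traffic: "
-A MGT_IPS -p tcp -m state --state NEW -m multiport --dports $ports -j ACCEPT
-A MGT_IPS -p icmp -j ACCEPT
COMMIT
EOF
}

# Write the file and load it. Needs root; kept apart from render_rules so the
# ruleset can be checked offline (e.g. on the build host) first.
install_rules() {
    local tmp
    tmp=$(mktemp /etc/sysconfig/iptables.XXXXXX) || return 1
    render_rules "$@" > "$tmp" || { rm -f "$tmp"; return 1; }
    /sbin/iptables-restore --test "$tmp" || { rm -f "$tmp"; return 1; }   # parse only
    chmod 600 "$tmp" && mv -f "$tmp" /etc/sysconfig/iptables
    /sbin/service iptables restart
}

case "${1:-}" in
    render)  render_rules "$2" "$3" ;;    # render 192.168.56.0/24 22,80,443
    install) install_rules "$2" "$3" ;;   # install 192.168.56.0/24 22,80,443
esac
```

With the rules in /etc/sysconfig/iptables and iptables in "services --enabled", the init script restores them at boot and the rc.local re-run and the "service iptables save" inside the script are no longer needed; running "render" on the build host and diffing the output is also a quick way to review the policy before it ships in an ISO.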
0

First thing to fix! In your boot menu section, you need to feed the kickstart file into the append directive of the selected option, e.g.

label linuxtext0
 menu label Boot (Text Mode)
 menu default
 kernel vmlinuz0
 append initrd=initrd0.img ks=/path/to/your/ks.cfg root=live:CDLABEL=TestISO rootfstype=auto ro liveimg 3 quiet textinst rhgb rd_NO_LUKS rd_NO_MD rd_NO_DM

The rest looks fine as far as the locale/time settings go.

    
by 12.04.2012 / 21:26
0

EDIT: I've figured out most of my problems. The only issue I have now is that I want the install procedure to skip the section where it prompts the user for a root password. I will auto set this later and don't want them having the power to do that.

You're looking for the rootpw option. You can pass an MD5-encrypted password with the --iscrypted flag. (Using grub-md5-crypt is the easiest way to generate your password.)

See: Kickstart Options

    
by 08.05.2012 / 21:46
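The answer above is correct about "rootpw --iscrypted", but grub-md5-crypt produces an MD5 crypt ("$1$") hash. As an added example (not code from the answer or the question), the bash below generates the hash with SHA-512 crypt ("$6$"), which the RHEL/SL 6 installer accepts and which matches "auth --useshadow --passalgo=sha512", and re-checks a hash against the password before it is pasted into the kickstart. It assumes OpenSSL 1.1.1 or newer for "openssl passwd -6"; the sample password and salt in the usage are constructed.

```shell
#!/bin/bash
# Added example, not part of the original post.

# Print a sha512-crypt hash of $1. $2 is an optional salt (up to 16 chars from
# [A-Za-z0-9./]); a random one is drawn when it is omitted. The password goes
# to openssl on stdin, so it never shows up in "ps".
sha512_crypt() {
    local pw=$1 salt=$2
    if [ -z "$salt" ]; then
        salt=$(head -c 32 /dev/urandom | base64 | tr -dc 'A-Za-z0-9./' | head -c 16)
    fi
    case "$salt" in ''|*[!A-Za-z0-9./]*) echo "bad salt" >&2; return 1 ;; esac
    [ ${#salt} -le 16 ] || { echo "salt longer than 16 chars" >&2; return 1; }
    printf '%s\n' "$pw" | openssl passwd -6 -salt "$salt" -stdin
}

# Re-hash $1 with the salt embedded in $2 ($6$<salt>$<hash>) and compare.
verify_sha512_crypt() {
    local pw=$1 hash=$2 salt
    case "$hash" in '$6$'*) ;; *) return 1 ;; esac
    salt=${hash#\$6\$}
    salt=${salt%%\$*}
    [ "$(sha512_crypt "$pw" "$salt")" = "$hash" ]
}

# Emit the kickstart line. Password is read from stdin (one line), so the
# plaintext stays out of the shell history and the kickstart file.
ks_rootpw_line() {
    local pw hash
    IFS= read -r pw || return 1
    [ -n "$pw" ] || { echo "empty password" >&2; return 1; }
    hash=$(sha512_crypt "$pw") || return 1
    printf 'rootpw --iscrypted %s\n' "$hash"
}

# Usage: printf '%s\n' 'the-password' | ./rootpw.sh --rootpw
if [ "${1:-}" = "--rootpw" ]; then
    ks_rootpw_line
fi
```

The emitted line replaces the plaintext "rootpw testpassword" in the kickstart; keep the kickstart itself readable by root only on the build host, since a crypt hash is still an offline-crackable secret.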