%post --erroronfail # Source common functions . /tmp/ks-functions.sh ## Custom kernel options KERN_OPTS=" intel_iommu=off usbcore.autosuspend=-1" ## Add kernel options to ensure an selinux is disabled KERN_OPTS="${KERN_OPTS} selinux=0 enforcing=0" # Add kernel options to ensure NMI watchdog is enabled, if supported KERN_OPTS="${KERN_OPTS} nmi_watchdog=panic,1 softlockup_panic=1" # Add kernel option to panic on a softdog timeout KERN_OPTS="${KERN_OPTS} softdog.soft_panic=1" # Add kernel option to disable biosdevname if enabled # As this may already be in GRUB_CMDLINE_LINUX, only add if it is not already present grep -q '^GRUB_CMDLINE_LINUX=.*biosdevname=0' /etc/default/grub if [ $? -ne 0 ]; then KERN_OPTS="${KERN_OPTS} biosdevname=0" fi # k8s updates: #KERN_OPTS="${KERN_OPTS} cgroup_disable=memory" KERN_OPTS="${KERN_OPTS} user_namespace.enable=1" # If the installer asked us to use security related kernel params, use # them in the grub line as well (until they can be configured via puppet) grep -q 'nopti' /proc/cmdline if [ $? -eq 0 ]; then KERN_OPTS="${KERN_OPTS} nopti" fi grep -q 'nospectre_v2' /proc/cmdline if [ $? -eq 0 ]; then KERN_OPTS="${KERN_OPTS} nospectre_v2" fi grep -q 'nospectre_v1' /proc/cmdline if [ $? -eq 0 ]; then KERN_OPTS="${KERN_OPTS} nospectre_v1" fi perl -pi -e 's/(GRUB_CMDLINE_LINUX=.*)\"/\1'"$KERN_OPTS"'\"/g' /etc/default/grub if [ -d /sys/firmware/efi ] ; then grub2-mkconfig -o /boot/efi/EFI/centos/grub.cfg else grub2-mkconfig -o /boot/grub2/grub.cfg fi %end