%post --nochroot --erroronfail

# Source common functions
. /tmp/ks-functions.sh

# Change GUID of backup partition
change_guid=/tmp/backup-guid-change.sh
if [ -f "$change_guid" ]; then
    sh $change_guid || report_post_failure_with_logfile "ERROR: Failed to update platform backup GUID"
fi

%end

%post --erroronfail

# Source common functions
. /tmp/ks-functions.sh

# Turn off locale support for i18n if is not installed
if [ ! -d /usr/share/i18n ] ; then
   rm -f /etc/sysconfig/i18n
fi
# Unset the hostname
rm /etc/hostname

# If using a serial install make sure to add a getty on the tty1
conarg=`cat /proc/cmdline |xargs -n1 echo |grep console= |grep ttyS`
if [ -n "$conarg" ] ; then
   echo "1:2345:respawn:/sbin/mingetty tty1" >> /etc/inittab
fi

#### SECURITY PROFILE HANDLING (Post Installation) ####
# Check if the Security profile mode is enabled
# and load the appropriate kernel modules
secprofile=`cat /proc/cmdline |xargs -n1 echo |grep security_profile= | grep extended`
if [ -n "$secprofile" ]; then
   echo "In Extended Security profile mode. Loading IMA kernel module"
   systemctl enable auditd.service
   # Add the securityfs mount for the IMA Runtime measurement list
   echo "securityfs     /sys/kernel/security    securityfs    defaults,nodev 0 0" >> /etc/fstab
else
   # Disable audit daemon in the Standard Security Profile
   systemctl disable auditd
fi

. /etc/platform/platform.conf

# Delete the CentOS yum repo files
rm -f /etc/yum.repos.d/CentOS-*

# Create platform yum repo file
cat >/etc/yum.repos.d/platform.repo <<EOF
[platform-base]
name=platform-base
baseurl=http://controller:${http_port:-8080}/feed/rel-xxxPLATFORM_RELEASExxx
gpgcheck=0
enabled=1

[platform-updates]
name=platform-updates
baseurl=http://controller:${http_port:-8080}/updates/rel-xxxPLATFORM_RELEASExxx
gpgcheck=0
enabled=1
EOF

# Persist the boot device naming as UDEV rules so that if the network device
# order changes post-install that we will still be able to DHCP from the
# correct interface to reach the active controller.  For most nodes only the
# management/boot interface needs to be persisted but because we require both
# controllers to be identically configured and controller-0 and controller-1
# are installed differently (e.g., controller-0 from USB and controller-1 from
# network) it is not possible to know which interface to persist for
# controller-0.  The simplest solution is to persist all interfaces.
#
mkdir -p /etc/udev/rules.d
echo "# Persisted network interfaces from anaconda installer" > /etc/udev/rules.d/70-persistent-net.rules
for dir in /sys/class/net/*; do
    if [ -e ${dir}/device ]; then
       dev=$(basename ${dir})
       mac_address=$(cat /sys/class/net/${dev}/address)
       echo "ACTION==\"add\", SUBSYSTEM==\"net\", DRIVERS==\"?*\", ATTR{address}==\"${mac_address}\", NAME=\"${dev}\"" >> /etc/udev/rules.d/70-persistent-net.rules
    fi
done

# Mark the sysadmin password as expired immediately
chage -d 0 sysadmin

# Lock the root password
passwd -l root

# Enable tmpfs mount for /tmp
# delete /var/tmp so that it can similinked in
rm -rf /var/tmp
systemctl enable tmp.mount

# Disable automount of /dev/hugepages
systemctl mask dev-hugepages.mount

# Disable firewall
systemctl disable firewalld

# Disable libvirtd
systemctl disable libvirtd.service

# Enable rsyncd
systemctl enable rsyncd.service

# Allow root to run sudo from a non-tty (for scripts running as root that run sudo cmds)
echo 'Defaults:root !requiretty' > /etc/sudoers.d/root

# Make fstab just root read/writable
chmod 600 /etc/fstab

# Create first_boot flag
touch /etc/platform/.first_boot

%end