starlingx/metal
Code Issues Proposed changes
1f0706ee30
metal/bsp-files/kickstarts/post_common.cfg
Don Penney 09b95bf651 Update kickstarts to generate DNF repo config files 
As the patching framework is updated to use DNF instead of the smart
package manager, the kickstarts are updated to generate the initial
DNF repo config files, rather than configure the smartpm channels.

Depends-On: https://review.opendev.org/700961
Change-Id: Ic625aa4646b45719c9527159aa46f157a4d2cff0
Story: 2006227
Task: 37935
Signed-off-by: Don Penney <don.penney@windriver.com>
2020-01-02 19:14:31 -05:00

105 lines
3.3 KiB
INI
Raw Blame History

%post --erroronfail
# Source common functions
. /tmp/ks-functions.sh
# Turn off locale support for i18n if is not installed
if [ ! -d /usr/share/i18n ] ; then
rm -f /etc/sysconfig/i18n
fi
# Unset the hostname
rm /etc/hostname
# If using a serial install make sure to add a getty on the tty1
conarg=`cat /proc/cmdline |xargs -n1 echo |grep console= |grep ttyS`
if [ -n "$conarg" ] ; then
echo "1:2345:respawn:/sbin/mingetty tty1" >> /etc/inittab
fi
#### SECURITY PROFILE HANDLING (Post Installation) ####
# Check if the Security profile mode is enabled
# and load the appropriate kernel modules
secprofile=`cat /proc/cmdline |xargs -n1 echo |grep security_profile= | grep extended`
if [ -n "$secprofile" ]; then
echo "In Extended Security profile mode. Loading IMA kernel module"
systemctl enable auditd.service
# Add the securityfs mount for the IMA Runtime measurement list
echo "securityfs /sys/kernel/security securityfs defaults,nodev 0 0" >> /etc/fstab
else
# Disable audit daemon in the Standard Security Profile
systemctl disable auditd
fi
. /etc/platform/platform.conf
# Delete the CentOS yum repo files
rm -f /etc/yum.repos.d/CentOS-*
# Create platform yum repo file
cat >/etc/yum.repos.d/platform.repo <<EOF
[platform-base]
name=platform-base
baseurl=http://controller:${http_port:-8080}/feed/rel-xxxPLATFORM_RELEASExxx
gpgcheck=0
enabled=1
[platform-updates]
name=platform-updates
baseurl=http://controller:${http_port:-8080}/updates/rel-xxxPLATFORM_RELEASExxx
gpgcheck=0
enabled=1
EOF
# Persist the boot device naming as UDEV rules so that if the network device
# order changes post-install that we will still be able to DHCP from the
# correct interface to reach the active controller. For most nodes only the
# management/boot interface needs to be persisted but because we require both
# controllers to be identically configured and controller-0 and controller-1
# are installed differently (e.g., controller-0 from USB and controller-1 from
# network) it is not possible to know which interface to persist for
# controller-0. The simplest solution is to persist all interfaces.
#
mkdir -p /etc/udev/rules.d
echo "# Persisted network interfaces from anaconda installer" > /etc/udev/rules.d/70-persistent-net.rules
for dir in /sys/class/net/*; do
if [ -e ${dir}/device ]; then
dev=$(basename ${dir})
mac_address=$(cat /sys/class/net/${dev}/address)
echo "ACTION==\"add\", SUBSYSTEM==\"net\", DRIVERS==\"?*\", ATTR{address}==\"${mac_address}\", NAME=\"${dev}\"" >> /etc/udev/rules.d/70-persistent-net.rules
fi
done
# Mark the sysadmin password as expired immediately
chage -d 0 sysadmin
# Lock the root password
passwd -l root
# Enable tmpfs mount for /tmp
# delete /var/tmp so that it can similinked in
rm -rf /var/tmp
systemctl enable tmp.mount
# Disable automount of /dev/hugepages
systemctl mask dev-hugepages.mount
# Disable firewall
systemctl disable firewalld
# Disable libvirtd
systemctl disable libvirtd.service
# Enable rsyncd
systemctl enable rsyncd.service
# Allow root to run sudo from a non-tty (for scripts running as root that run sudo cmds)
echo 'Defaults:root !requiretty' > /etc/sudoers.d/root
# Make fstab just root read/writable
chmod 600 /etc/fstab
# Create first_boot flag
touch /etc/platform/.first_boot
%end
View Git Blame Copy Permalink