metal/bsp-files/kickstarts/post_common.cfg
Saul Wold 67025c3bb2 metal: Convert wrsroot -> sysadmin
This also changes the group wrs_protected to sys_protected
to de-brand the user and group names.

Depends-On: I887464a20fc17d66529caea03be2b445156f9426
Change-Id: Icfd2faec0ba8236762c8045f5c244eaf13008ee4
Story: 2004716
Task: 28749
Signed-off-by: Saul Wold <sgw@linux.intel.com>
2019-06-14 15:12:03 -07:00

105 lines
3.6 KiB
INI

%post --erroronfail
# Source common functions
. /tmp/ks-functions.sh
# Turn off locale support for i18n if is not installed
if [ ! -d /usr/share/i18n ] ; then
rm -f /etc/sysconfig/i18n
fi
# Unset the hostname
rm /etc/hostname
# If using a serial install make sure to add a getty on the tty1
conarg=`cat /proc/cmdline |xargs -n1 echo |grep console= |grep ttyS`
if [ -n "$conarg" ] ; then
echo "1:2345:respawn:/sbin/mingetty tty1" >> /etc/inittab
fi
#### SECURITY PROFILE HANDLING (Post Installation) ####
# Check if the Security profile mode is enabled
# and load the appropriate kernel modules
secprofile=`cat /proc/cmdline |xargs -n1 echo |grep security_profile= | grep extended`
if [ -n "$secprofile" ]; then
echo "In Extended Security profile mode. Loading IMA kernel module"
systemctl enable auditd.service
# Add the securityfs mount for the IMA Runtime measurement list
echo "securityfs /sys/kernel/security securityfs defaults,nodev 0 0" >> /etc/fstab
else
# Disable audit daemon in the Standard Security Profile
systemctl disable auditd
fi
. /etc/platform/platform.conf
# Configure smart package manager channels
rm -rf /var/lib/smart
mkdir /var/lib/smart
/usr/bin/smart channel -y \
--add rpmdb type=rpm-sys name="RPM Database"
/usr/bin/smart channel -y \
--add base type=rpm-md name="Base" baseurl=http://controller:${http_port:-8080}/feed/rel-xxxPLATFORM_RELEASExxx
/usr/bin/smart channel -y \
--add updates type=rpm-md name="Patches" baseurl=http://controller:${http_port:-8080}/updates/rel-xxxPLATFORM_RELEASExxx
# Configure smart to use rpm --nolinktos option
/usr/bin/smart config --set rpm-nolinktos=true
# Configure smart to use rpm --nosignature option
/usr/bin/smart config --set rpm-check-signatures=false
# Delete the CentOS yum repo files
rm -f /etc/yum.repos.d/CentOS-*
# Persist the boot device naming as UDEV rules so that if the network device
# order changes post-install that we will still be able to DHCP from the
# correct interface to reach the active controller. For most nodes only the
# management/boot interface needs to be persisted but because we require both
# controllers to be identically configured and controller-0 and controller-1
# are installed differently (e.g., controller-0 from USB and controller-1 from
# network) it is not possible to know which interface to persist for
# controller-0. The simplest solution is to persist all interfaces.
#
mkdir -p /etc/udev/rules.d
echo "# Persisted network interfaces from anaconda installer" > /etc/udev/rules.d/70-persistent-net.rules
for dir in /sys/class/net/*; do
if [ -e ${dir}/device ]; then
dev=$(basename ${dir})
mac_address=$(cat /sys/class/net/${dev}/address)
echo "ACTION==\"add\", SUBSYSTEM==\"net\", DRIVERS==\"?*\", ATTR{address}==\"${mac_address}\", NAME=\"${dev}\"" >> /etc/udev/rules.d/70-persistent-net.rules
fi
done
# Mark the sysadmin password as expired immediately
chage -d 0 sysadmin
# Lock the root password
passwd -l root
# Enable tmpfs mount for /tmp
# delete /var/tmp so that it can similinked in
rm -rf /var/tmp
systemctl enable tmp.mount
# Disable automount of /dev/hugepages
systemctl mask dev-hugepages.mount
# Disable firewall
systemctl disable firewalld
# Disable libvirtd
systemctl disable libvirtd.service
# Enable rsyncd
systemctl enable rsyncd.service
# Allow root to run sudo from a non-tty (for scripts running as root that run sudo cmds)
echo 'Defaults:root !requiretty' > /etc/sudoers.d/root
# Make fstab just root read/writable
chmod 600 /etc/fstab
# Create first_boot flag
touch /etc/platform/.first_boot
%end