67025c3bb2
This also changes the group wrs_protected to sys_protected to de-brand the user and group names. Depends-On: I887464a20fc17d66529caea03be2b445156f9426 Change-Id: Icfd2faec0ba8236762c8045f5c244eaf13008ee4 Story: 2004716 Task: 28749 Signed-off-by: Saul Wold <sgw@linux.intel.com>
105 lines
3.6 KiB
INI
105 lines
3.6 KiB
INI
%post --erroronfail
|
|
|
|
# Source common functions
|
|
. /tmp/ks-functions.sh
|
|
|
|
# Turn off locale support for i18n if is not installed
|
|
if [ ! -d /usr/share/i18n ] ; then
|
|
rm -f /etc/sysconfig/i18n
|
|
fi
|
|
# Unset the hostname
|
|
rm /etc/hostname
|
|
|
|
# If using a serial install make sure to add a getty on the tty1
|
|
conarg=`cat /proc/cmdline |xargs -n1 echo |grep console= |grep ttyS`
|
|
if [ -n "$conarg" ] ; then
|
|
echo "1:2345:respawn:/sbin/mingetty tty1" >> /etc/inittab
|
|
fi
|
|
|
|
#### SECURITY PROFILE HANDLING (Post Installation) ####
|
|
# Check if the Security profile mode is enabled
|
|
# and load the appropriate kernel modules
|
|
secprofile=`cat /proc/cmdline |xargs -n1 echo |grep security_profile= | grep extended`
|
|
if [ -n "$secprofile" ]; then
|
|
echo "In Extended Security profile mode. Loading IMA kernel module"
|
|
systemctl enable auditd.service
|
|
# Add the securityfs mount for the IMA Runtime measurement list
|
|
echo "securityfs /sys/kernel/security securityfs defaults,nodev 0 0" >> /etc/fstab
|
|
else
|
|
# Disable audit daemon in the Standard Security Profile
|
|
systemctl disable auditd
|
|
fi
|
|
|
|
. /etc/platform/platform.conf
|
|
# Configure smart package manager channels
|
|
rm -rf /var/lib/smart
|
|
mkdir /var/lib/smart
|
|
/usr/bin/smart channel -y \
|
|
--add rpmdb type=rpm-sys name="RPM Database"
|
|
/usr/bin/smart channel -y \
|
|
--add base type=rpm-md name="Base" baseurl=http://controller:${http_port:-8080}/feed/rel-xxxPLATFORM_RELEASExxx
|
|
/usr/bin/smart channel -y \
|
|
--add updates type=rpm-md name="Patches" baseurl=http://controller:${http_port:-8080}/updates/rel-xxxPLATFORM_RELEASExxx
|
|
|
|
# Configure smart to use rpm --nolinktos option
|
|
/usr/bin/smart config --set rpm-nolinktos=true
|
|
|
|
# Configure smart to use rpm --nosignature option
|
|
/usr/bin/smart config --set rpm-check-signatures=false
|
|
|
|
# Delete the CentOS yum repo files
|
|
rm -f /etc/yum.repos.d/CentOS-*
|
|
|
|
# Persist the boot device naming as UDEV rules so that if the network device
|
|
# order changes post-install that we will still be able to DHCP from the
|
|
# correct interface to reach the active controller. For most nodes only the
|
|
# management/boot interface needs to be persisted but because we require both
|
|
# controllers to be identically configured and controller-0 and controller-1
|
|
# are installed differently (e.g., controller-0 from USB and controller-1 from
|
|
# network) it is not possible to know which interface to persist for
|
|
# controller-0. The simplest solution is to persist all interfaces.
|
|
#
|
|
mkdir -p /etc/udev/rules.d
|
|
echo "# Persisted network interfaces from anaconda installer" > /etc/udev/rules.d/70-persistent-net.rules
|
|
for dir in /sys/class/net/*; do
|
|
if [ -e ${dir}/device ]; then
|
|
dev=$(basename ${dir})
|
|
mac_address=$(cat /sys/class/net/${dev}/address)
|
|
echo "ACTION==\"add\", SUBSYSTEM==\"net\", DRIVERS==\"?*\", ATTR{address}==\"${mac_address}\", NAME=\"${dev}\"" >> /etc/udev/rules.d/70-persistent-net.rules
|
|
fi
|
|
done
|
|
|
|
# Mark the sysadmin password as expired immediately
|
|
chage -d 0 sysadmin
|
|
|
|
# Lock the root password
|
|
passwd -l root
|
|
|
|
# Enable tmpfs mount for /tmp
|
|
# delete /var/tmp so that it can similinked in
|
|
rm -rf /var/tmp
|
|
systemctl enable tmp.mount
|
|
|
|
# Disable automount of /dev/hugepages
|
|
systemctl mask dev-hugepages.mount
|
|
|
|
# Disable firewall
|
|
systemctl disable firewalld
|
|
|
|
# Disable libvirtd
|
|
systemctl disable libvirtd.service
|
|
|
|
# Enable rsyncd
|
|
systemctl enable rsyncd.service
|
|
|
|
# Allow root to run sudo from a non-tty (for scripts running as root that run sudo cmds)
|
|
echo 'Defaults:root !requiretty' > /etc/sudoers.d/root
|
|
|
|
# Make fstab just root read/writable
|
|
chmod 600 /etc/fstab
|
|
|
|
# Create first_boot flag
|
|
touch /etc/platform/.first_boot
|
|
|
|
%end
|