generic/fedora-20-cloud.ks | 241 +++++++++++++++++++++++++++++++++++ generic/fedora-20-i386-cloud.ks | 244 ------------------------------------ generic/fedora-20-i386-minimal.ks | 211 ------------------------------- generic/fedora-20-i386.ks | 203 ----------------------------- generic/fedora-20-minimal.ks | 210 ++++++++++++++++++++++++++++++ generic/fedora-20-x86_64-cloud.ks | 241 ----------------------------------- generic/fedora-20-x86_64-minimal.ks | 210 ------------------------------ generic/fedora-20-x86_64.ks | 201 ----------------------------- generic/fedora-20.ks | 201 +++++++++++++++++++++++++++++ 9 files changed, 652 insertions(+), 1310 deletions(-) New commits: commit 78dea3f6331baee100133e9ebc79a6dc4b24917a Author: Matthew Miller <mattdm@xxxxxxxxxx> Date: Fri Aug 9 11:42:44 2013 -0400 no longer carrying arch-specific differences. diff --git a/generic/fedora-20-cloud.ks b/generic/fedora-20-cloud.ks new file mode 100644 index 0000000..2158ae7 --- /dev/null +++ b/generic/fedora-20-cloud.ks @@ -0,0 +1,241 @@ +# This is a basic Fedora 20 spin designed to work in OpenStack and other +# private cloud environments. It's configured with cloud-init so it will +# take advantage of ec2-compatible metadata services for provisioning ssh +# keys. Cloud-init creates a user account named "fedora" with passwordless +# sudo access. The root password is empty and locked by default. +# +# Note that unlike the standard F20 install, this image has /tmp on disk +# rather than in tmpfs, since memory is usually at a premium. +# +# This kickstart file is designed to be used with appliance-creator and +# may need slight modification for use with actual anaconda or other tools. +# We intend to target anaconda-in-a-vm style image building for F20. + +lang en_US.UTF-8 +keyboard us +timezone --utc Etc/UTC + +auth --useshadow --enablemd5 +selinux --enforcing +rootpw --lock --iscrypted locked + +# this is actually not used, but a static firewall +# matching these rules is generated below. +firewall --service=ssh + +bootloader --timeout=1 --append="console=ttyS0,115200n8 console=hvc0 console=tty0" extlinux + +network --bootproto=dhcp --device=eth0 --onboot=on +services --enabled=network,sshd,rsyslog,iptables,cloud-init,cloud-init-local,cloud-config,cloud-final + + +part / --size 2048 --fstype ext4 + + +# Repositories +#repo --name=fedora --mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=fedora-20&arch=$basearch +#repo --name=fedora-updates --mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=updates-released-f20&arch=$basearch +repo --name=fedora --mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=rawhide&arch=$basearch + + +# Package list. +%packages --nobase +@core +grubby +kernel + +# cloud-init does magical things with EC2 metadata, including provisioning +# a user account with ssh keys. +cloud-init + +# need this for growpart, because parted doesn't yet support resizepart +# https://bugzilla.redhat.com/show_bug.cgi?id=966993 +cloud-utils-growpart + +# We need this image to be portable; also, rescue mode isn't useful here. +dracut-config-generic +-dracut-config-rescue + +# Not needed with pv-grub (as in EC2), and pulled in automatically +# by anaconda, but appliance-creator needs the hint +syslinux-extlinux + +# Needed initially, but removed below. +firewalld + +# Basic firewall. If you're going to rely on your cloud service's +# security groups you can remove this. +iptables-services + +# cherry-pick a few things from @standard +tar +rsync + +# Some things from @core we can do without in a minimal install +-biosdevname +-plymouth +-NetworkManager +-iprutils +-kbd + +%end + + + +%post --erroronfail + +#link grub.conf to menu.lst for ec2 to work +if [[ -e /boot/grub/grub.conf ]]; then + echo -n "Linking menu.lst to old-style grub.conf for pv-grub" + ln -sf grub.conf /boot/grub/menu.lst + ln -sf /boot/grub/grub.conf /etc/grub.conf +fi + +# older versions of livecd-tools do not follow "rootpw --lock" line above +# https://bugzilla.redhat.com/show_bug.cgi?id=964299 +passwd -l root + +# Kickstart specifies timeout in seconds; syslinux uses 10ths. +# 0 means wait forever, so instead we'll go with 1. +sed -i 's/^timeout 10/timeout 1/' /boot/extlinux/extlinux.conf + +# setup systemd to boot to the right runlevel +echo -n "Setting default runlevel to multiuser text mode" +rm -f /etc/systemd/system/default.target +ln -s /lib/systemd/system/multi-user.target /etc/systemd/system/default.target +echo . + +# If you want to remove rsyslog and just use journald, remove this! +echo -n "Disabling persistent journal" +rmdir /var/log/journal/ +echo . + +# this is installed by default but we don't need it in virt +echo "Removing linux-firmware package." +yum -C -y remove linux-firmware + +# Remove firewalld; was supposed to be optional in F18+, but is required to +# be present for install/image building. +echo "Removing firewalld." +yum -C -y remove firewalld --setopt="clean_requirements_on_remove=1" + +# Non-firewalld-firewall +echo -n "Writing static firewall" +cat <<EOF > /etc/sysconfig/iptables +# Simple static firewall loaded by iptables.service. Replace +# this with your own custom rules, run lokkit, or switch to +# shorewall or firewalld as your needs dictate. +*filter +:INPUT ACCEPT [0:0] +:FORWARD ACCEPT [0:0] +:OUTPUT ACCEPT [0:0] +-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT +-A INPUT -p icmp -j ACCEPT +-A INPUT -i lo -j ACCEPT +-A INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 22 -j ACCEPT +#-A INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 80 -j ACCEPT +#-A INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 443 -j ACCEPT +-A INPUT -j REJECT --reject-with icmp-host-prohibited +-A FORWARD -j REJECT --reject-with icmp-host-prohibited +COMMIT +EOF +echo . + +# Another one needed at install time but not after that, and it pulls +# in some unneeded deps (like, newt and slang) +echo "Removing authconfig." +yum -C -y remove authconfig --setopt="clean_requirements_on_remove=1" + +echo -n "Getty fixes" +# although we want console output going to the serial console, we don't +# actually have the opportunity to login there. FIX. +# we don't really need to auto-spawn _any_ gettys. +sed -i '/^#NAutoVTs=.*/ a\ +NAutoVTs=0' /etc/systemd/logind.conf + +echo -n "Network fixes" +# initscripts don't like this file to be missing. +cat > /etc/sysconfig/network << EOF +NETWORKING=yes +NOZEROCONF=yes +EOF + +# For cloud images, 'eth0' _is_ the predictable device name, since +# we don't want to be tied to specific virtual (!) hardware +rm -f /etc/udev/rules.d/70* +ln -s /dev/null /etc/udev/rules.d/80-net-name-slot.rules + +# simple eth0 config, again not hard-coded to the build hardware +cat > /etc/sysconfig/network-scripts/ifcfg-eth0 << EOF +DEVICE="eth0" +BOOTPROTO="dhcp" +ONBOOT="yes" +TYPE="Ethernet" +EOF + +# generic localhost names +cat > /etc/hosts << EOF +127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4 +::1 localhost localhost.localdomain localhost6 localhost6.localdomain6 + +EOF +echo . + + +# Because memory is scarce resource in most cloud/virt environments, +# and because this impedes forensics, we are differing from the Fedora +# default of having /tmp on tmpfs. +echo "Disabling tmpfs for /tmp." +systemctl mask tmp.mount + +# appliance-creator does not make this important file. +if [ ! -e /etc/sysconfig/kernel ]; then +echo "Creating /etc/sysconfig/kernel." +cat <<EOF > /etc/sysconfig/kernel +# UPDATEDEFAULT specifies if new-kernel-pkg should make +# new kernels the default +UPDATEDEFAULT=yes + +# DEFAULTKERNEL specifies the default kernel package type +DEFAULTKERNEL=kernel +EOF +fi + +# make sure firstboot doesn't start +echo "RUN_FIRSTBOOT=NO" > /etc/sysconfig/firstboot + +# workaround https://bugzilla.redhat.com/show_bug.cgi?id=966888 +if ! grep -q growpart /etc/cloud/cloud.cfg; then + sed -i 's/ - resizefs/ - growpart\n - resizefs/' /etc/cloud/cloud.cfg +fi + +# Uncomment this if you want to use cloud init but suppress the creation +# of an "ec2-user" account. This will, in the absence of further config, +# cause the ssh key from a metadata source to be put in the root account. +#cat <<EOF > /etc/cloud/cloud.cfg.d/50_suppress_ec2-user_use_root.cfg +#users: [] +#disable_root: 0 +#EOF + +# This is a temporary fix to change the default user to "fedora"; this +# change will be in an upcoming cloud-init update +sed -i 's/ec2-user/fedora/;s/EC2 user/Fedora Cloud User/' /etc/cloud/cloud.cfg + +echo "Removing random-seed so it's not the same in every image." +rm -f /var/lib/random-seed + +echo "Cleaning old yum repodata." +yum clean all +truncate -c -s 0 /var/log/yum.log + +echo "Fixing SELinux contexts." +/usr/sbin/fixfiles -R -a restore + +echo "Zeroing out empty space." +# This forces the filesystem to reclaim space from deleted files +dd bs=1M if=/dev/zero of=/var/tmp/zeros || : +rm -f /var/tmp/zeros +echo "(Don't worry -- that out-of-space error was expected.)" + +%end + diff --git a/generic/fedora-20-i386-cloud.ks b/generic/fedora-20-i386-cloud.ks deleted file mode 100644 index 456a1f9..0000000 --- a/generic/fedora-20-i386-cloud.ks +++ /dev/null @@ -1,244 +0,0 @@ -# This is a basic Fedora 20 spin designed to work in OpenStack and other -# private cloud environments. It's configured with cloud-init so it will -# take advantage of ec2-compatible metadata services for provisioning ssh -# keys. Cloud-init creates a user account named "fedora" with passwordless -# sudo access. The root password is empty and locked by default. -# -# Note that unlike the standard F20 install, this image has /tmp on disk -# rather than in tmpfs, since memory is usually at a premium. -# -# This kickstart file is designed to be used with appliance-creator and -# may need slight modification for use with actual anaconda or other tools. -# We intend to target anaconda-in-a-vm style image building for F20. - -lang en_US.UTF-8 -keyboard us -timezone --utc Etc/UTC - -auth --useshadow --enablemd5 -selinux --enforcing -rootpw --lock --iscrypted locked - -# this is actually not used, but a static firewall -# matching these rules is generated below. -firewall --service=ssh - -bootloader --timeout=1 --append="console=ttyS0,115200n8 console=hvc0 console=tty0" extlinux - -network --bootproto=dhcp --device=eth0 --onboot=on -services --enabled=network,sshd,rsyslog,iptables,cloud-init,cloud-init-local,cloud-config,cloud-final - - -part / --size 2048 --fstype ext4 - - -# Repositories -#repo --name=fedora --mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=fedora-20&arch=$basearch -#repo --name=fedora-updates --mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=updates-released-f20&arch=$basearch -repo --name=fedora --mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=rawhide&arch=$basearch - - -# Package list. -%packages --nobase -@core -grubby -kernel-PAE - -# We need this image to be portable; also, rescue mode isn't useful here. -dracut-config-generic --dracut-config-rescue - -# cloud-init does magical things with EC2 metadata, including provisioning -# a user account with ssh keys. -cloud-init - -# need this for growpart, because parted doesn't yet support resizepart -# https://bugzilla.redhat.com/show_bug.cgi?id=966993 -cloud-utils-growpart - - -# Not needed with pv-grub (as in EC2), and pulled in automatically -# by anaconda, but appliance-creator needs the hint -syslinux-extlinux - -# Needed initially, but removed below. -firewalld - -# Basic firewall. If you're going to rely on your cloud service's -# security groups you can remove this. -iptables-services - -# cherry-pick a few things from @standard -tar -rsync - -# Some things from @core we can do without in a minimal install --biosdevname --plymouth --NetworkManager --iprutils --kbd - -%end - - - -%post --erroronfail - -#link grub.conf to menu.lst for ec2 to work -if [[ -e /boot/grub/grub.conf ]]; then - echo -n "Linking menu.lst to old-style grub.conf for pv-grub" - ln -sf grub.conf /boot/grub/menu.lst - ln -sf /boot/grub/grub.conf /etc/grub.conf -fi - -# workaround xen performance issue (bz 651861; see also bz 708406) -echo "hwcap 1 nosegneg" > /etc/ld.so.conf.d/libc6-xen.conf - -# older versions of livecd-tools do not follow "rootpw --lock" line above -# https://bugzilla.redhat.com/show_bug.cgi?id=964299 -passwd -l root - -# Kickstart specifies timeout in seconds; syslinux uses 10ths. -# 0 means wait forever, so instead we'll go with 1. -sed -i 's/^timeout 10/timeout 1/' /boot/extlinux/extlinux.conf - -# setup systemd to boot to the right runlevel -echo -n "Setting default runlevel to multiuser text mode" -rm -f /etc/systemd/system/default.target -ln -s /lib/systemd/system/multi-user.target /etc/systemd/system/default.target -echo . - -# If you want to remove rsyslog and just use journald, remove this! -echo -n "Disabling persistent journal" -rmdir /var/log/journal/ -echo . - -# this is installed by default but we don't need it in virt -echo "Removing linux-firmware package." -yum -C -y remove linux-firmware - -# Remove firewalld; was supposed to be optional in F18+, but is required to -# be present for install/image building. -echo "Removing firewalld." -yum -C -y remove firewalld --setopt="clean_requirements_on_remove=1" - -# Non-firewalld-firewall -echo -n "Writing static firewall" -cat <<EOF > /etc/sysconfig/iptables -# Simple static firewall loaded by iptables.service. Replace -# this with your own custom rules, run lokkit, or switch to -# shorewall or firewalld as your needs dictate. -*filter -:INPUT ACCEPT [0:0] -:FORWARD ACCEPT [0:0] -:OUTPUT ACCEPT [0:0] --A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT --A INPUT -p icmp -j ACCEPT --A INPUT -i lo -j ACCEPT --A INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 22 -j ACCEPT -#-A INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 80 -j ACCEPT -#-A INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 443 -j ACCEPT --A INPUT -j REJECT --reject-with icmp-host-prohibited --A FORWARD -j REJECT --reject-with icmp-host-prohibited -COMMIT -EOF -echo . - -# Another one needed at install time but not after that, and it pulls -# in some unneeded deps (like, newt and slang) -echo "Removing authconfig." -yum -C -y remove authconfig --setopt="clean_requirements_on_remove=1" - -echo -n "Getty fixes" -# although we want console output going to the serial console, we don't -# actually have the opportunity to login there. FIX. -# we don't really need to auto-spawn _any_ gettys. -sed -i '/^#NAutoVTs=.*/ a\ -NAutoVTs=0' /etc/systemd/logind.conf - -echo -n "Network fixes" -# initscripts don't like this file to be missing. -cat > /etc/sysconfig/network << EOF -NETWORKING=yes -NOZEROCONF=yes -EOF - -# For cloud images, 'eth0' _is_ the predictable device name, since -# we don't want to be tied to specific virtual (!) hardware -rm -f /etc/udev/rules.d/70* -ln -s /dev/null /etc/udev/rules.d/80-net-name-slot.rules - -# simple eth0 config, again not hard-coded to the build hardware -cat > /etc/sysconfig/network-scripts/ifcfg-eth0 << EOF -DEVICE="eth0" -BOOTPROTO="dhcp" -ONBOOT="yes" -TYPE="Ethernet" -EOF - -# generic localhost names -cat > /etc/hosts << EOF -127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4 -::1 localhost localhost.localdomain localhost6 localhost6.localdomain6 - -EOF -echo . - -# Because memory is scarce resource in most cloud/virt environments, -# and because this impedes forensics, we are differing from the Fedora -# default of having /tmp on tmpfs. -echo "Disabling tmpfs for /tmp." -systemctl mask tmp.mount - -# appliance-creator does not make this important file. -if [ ! -e /etc/sysconfig/kernel ]; then -echo "Creating /etc/sysconfig/kernel." -cat <<EOF > /etc/sysconfig/kernel -# UPDATEDEFAULT specifies if new-kernel-pkg should make -# new kernels the default -UPDATEDEFAULT=yes - -# DEFAULTKERNEL specifies the default kernel package type -DEFAULTKERNEL=kernel-PAE -EOF -fi - -# make sure firstboot doesn't start -echo "RUN_FIRSTBOOT=NO" > /etc/sysconfig/firstboot - -# workaround https://bugzilla.redhat.com/show_bug.cgi?id=966888 -if ! grep -q growpart /etc/cloud/cloud.cfg; then - sed -i 's/ - resizefs/ - growpart\n - resizefs/' /etc/cloud/cloud.cfg -fi - -# Uncomment this if you want to use cloud init but suppress the creation -# of an "ec2-user" account. This will, in the absence of further config, -# cause the ssh key from a metadata source to be put in the root account. -#cat <<EOF > /etc/cloud/cloud.cfg.d/50_suppress_ec2-user_use_root.cfg -#users: [] -#disable_root: 0 -#EOF - -# This is a temporary fix to change the default user to "fedora"; this -# change will be in an upcoming cloud-init update -sed -i 's/ec2-user/fedora/;s/EC2 user/Fedora Cloud User/' /etc/cloud/cloud.cfg - -echo "Removing random-seed so it's not the same in every image." -rm -f /var/lib/random-seed - -echo "Cleaning old yum repodata." -yum clean all -truncate -c -s 0 /var/log/yum.log - -echo "Fixing SELinux contexts." -/usr/sbin/fixfiles -R -a restore - -echo "Zeroing out empty space." -# This forces the filesystem to reclaim space from deleted files -dd bs=1M if=/dev/zero of=/var/tmp/zeros || : -rm -f /var/tmp/zeros -echo "(Don't worry -- that out-of-space error was expected.)" - -%end - diff --git a/generic/fedora-20-i386-minimal.ks b/generic/fedora-20-i386-minimal.ks deleted file mode 100644 index c94c476..0000000 --- a/generic/fedora-20-i386-minimal.ks +++ /dev/null @@ -1,211 +0,0 @@ -# This is a basic Fedora 20 spin designed to work in OpenStack and other -# private cloud environments. This particular kickstart is designed to -# be as obsessively minimal as we can be and still be Fedora. Because -# this has not traditionally been a priority, that's not particularly -# very small, making this in some ways an academic exercise, but it's also -# a base for the more complete kickstarts. -# -# If you're interested in making this more minimal, big problems to solve -# are the not-needed-for-cloud kernel modules and the gigantic locale -# database. After that, it's chipping at dependencies. -# -# This kickstart file is designed to be used with appliance-creator and -# may need slight modification for use with actual anaconda or other tools. -# We intend to target anaconda-in-a-vm style image building for F20. - -lang en_US.UTF-8 -keyboard us -timezone --utc Etc/UTC - -auth --useshadow --enablemd5 -selinux --enforcing -rootpw --lock --iscrypted locked - -# this is actually not used, but a static firewall -# matching these rules is generated below. -firewall --service=ssh - -bootloader --timeout=1 --extlinux - -network --bootproto=dhcp --device=eth0 --onboot=on -services --enabled=network,sshd,rsyslog,iptables - - -part / --size 2048 --fstype ext4 - - -# Repositories -#repo --name=fedora --mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=fedora-20&arch=$basearch -#repo --name=fedora-updates --mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=updates-released-f20&arch=$basearch -repo --name=fedora --mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=rawhide&arch=$basearch - - -# Package list. -# "Obsessively minimal as we can reasonably get and still be Fedora." -%packages --nobase -@core -grubby -kernel-PAE - -# We need this image to be portable; also, rescue mode isn't useful here. -dracut-config-generic --dracut-config-rescue - -# Not needed with pv-grub (as in EC2), and pulled in automatically -# by anaconda, but appliance-creator needs the hint -syslinux-extlinux - -# Needed initially, but removed below. -firewalld - -# Basic firewall. If you're going to rely on your cloud service's -# security groups you can remove this. -iptables-services - -# Some things from @core we can do without in a minimal install --biosdevname --plymouth --NetworkManager --iprutils --kbd - -# These are "leaf" packages which can be done without in an ultra-minimal -# install, but which actually remove typical functionality --e2fsprogs --audit --rsyslog --parted --openssh-clients --polkit --rootfiles --sendmail --sudo - -%end - - - -%post --erroronfail - -# workaround xen performance issue (bz 651861; see also bz 708406) -echo "hwcap 1 nosegneg" > /etc/ld.so.conf.d/libc6-xen.conf - -# older versions of livecd-tools do not follow "rootpw --lock" line above -# https://bugzilla.redhat.com/show_bug.cgi?id=964299 -passwd -l root - -# Kickstart specifies timeout in seconds; syslinux uses 10ths. -# 0 means wait forever, so instead we'll go with 1. -sed -i 's/^timeout 10/timeout 1/' /boot/extlinux/extlinux.conf - -# setup systemd to boot to the right runlevel -echo -n "Setting default runlevel to multiuser text mode" -rm -f /etc/systemd/system/default.target -ln -s /lib/systemd/system/multi-user.target /etc/systemd/system/default.target -echo . - -# this is installed by default but we don't need it in virt -echo "Removing linux-firmware package." -yum -C -y remove linux-firmware - -# Remove firewalld; was supposed to be optional in F18+, but is required to -# be present for install/image building. -echo "Removing firewalld and dependencies" -yum -C -y remove firewalld --setopt="clean_requirements_on_remove=1" - -# Non-firewalld-firewall -echo -n "Writing static firewall" -cat <<EOF > /etc/sysconfig/iptables -# Simple static firewall loaded by iptables.service. Replace -# this with your own custom rules, run lokkit, or switch to -# shorewall or firewalld as your needs dictate. -*filter -:INPUT ACCEPT [0:0] -:FORWARD ACCEPT [0:0] -:OUTPUT ACCEPT [0:0] --A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT --A INPUT -p icmp -j ACCEPT --A INPUT -i lo -j ACCEPT --A INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 22 -j ACCEPT -#-A INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 80 -j ACCEPT -#-A INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 443 -j ACCEPT --A INPUT -j REJECT --reject-with icmp-host-prohibited --A FORWARD -j REJECT --reject-with icmp-host-prohibited -COMMIT -EOF -echo . - -# Another one needed at install time but not after that, and it pulls -# in some unneeded deps (like, newt and slang) -echo "Removing authconfig." -yum -C -y remove authconfig --setopt="clean_requirements_on_remove=1" - -echo -n "Network fixes" -# initscripts don't like this file to be missing. -cat > /etc/sysconfig/network << EOF -NETWORKING=yes -NOZEROCONF=yes -EOF - -# For cloud images, 'eth0' _is_ the predictable device name, since -# we don't want to be tied to specific virtual (!) hardware -rm -f /etc/udev/rules.d/70* -ln -s /dev/null /etc/udev/rules.d/80-net-name-slot.rules - -# simple eth0 config, again not hard-coded to the build hardware -cat > /etc/sysconfig/network-scripts/ifcfg-eth0 << EOF -DEVICE="eth0" -BOOTPROTO="dhcp" -ONBOOT="yes" -TYPE="Ethernet" -EOF - -# generic localhost names -cat > /etc/hosts << EOF -127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4 -::1 localhost localhost.localdomain localhost6 localhost6.localdomain6 - -EOF -echo . - - -# Because memory is scarce resource in most cloud/virt environments, -# and because this impedes forensics, we are differing from the Fedora -# default of having /tmp on tmpfs. -echo "Disabling tmpfs for /tmp." -systemctl mask tmp.mount - -# appliance-creator does not make this important file. -if [ ! -e /etc/sysconfig/kernel ]; then -echo "Creating /etc/sysconfig/kernel." -cat <<EOF > /etc/sysconfig/kernel -# UPDATEDEFAULT specifies if new-kernel-pkg should make -# new kernels the default -UPDATEDEFAULT=yes - -# DEFAULTKERNEL specifies the default kernel package type -DEFAULTKERNEL=kernel-PAE -EOF -fi - -# make sure firstboot doesn't start -echo "RUN_FIRSTBOOT=NO" > /etc/sysconfig/firstboot - -echo "Removing random-seed so it's not the same in every image." -rm -f /var/lib/random-seed - -echo "Cleaning old yum repodata." -yum clean all -truncate -c -s 0 /var/log/yum.log - -echo "Fixing SELinux contexts." -/usr/sbin/fixfiles -R -a restore - -echo "Zeroing out empty space." -# This forces the filesystem to reclaim space from deleted files -dd bs=1M if=/dev/zero of=/var/tmp/zeros || : -rm -f /var/tmp/zeros -echo "(Don't worry -- that out-of-space error was expected.)" - -%end - diff --git a/generic/fedora-20-i386.ks b/generic/fedora-20-i386.ks deleted file mode 100644 index 6509aa0..0000000 --- a/generic/fedora-20-i386.ks +++ /dev/null @@ -1,203 +0,0 @@ -# This is a basic Fedora 20 spin designed to work in OpenStack and other -# private cloud environments. This flavor isn't configured with cloud-init -# or any other metadata service; you'll need your own say of getting -# user (or root) credentials on the system. -# -# This kickstart file is designed to be used with appliance-creator and -# may need slight modification for use with actual anaconda or other tools. -# We intend to target anaconda-in-a-vm style image building for F20. - -lang en_US.UTF-8 -keyboard us -timezone --utc Etc/UTC - -auth --useshadow --enablemd5 -selinux --enforcing -rootpw --lock --iscrypted locked - -# this is actually not used, but a static firewall -# matching these rules is generated below. -firewall --service=ssh - -bootloader --timeout=1 --extlinux - -network --bootproto=dhcp --device=eth0 --onboot=on -services --enabled=network,sshd,rsyslog,iptables - - -part / --size 10000 --fstype ext4 - - -# Repositories -#repo --name=fedora --mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=fedora-20&arch=$basearch -#repo --name=fedora-updates --mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=updates-released-f20&arch=$basearch -repo --name=fedora --mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=rawhide&arch=$basearch - - -# Package list. -# Just the basics, here. - -%packages --nobase -@core -grubby -kernel-PAE - -# We need this image to be portable; also, rescue mode isn't useful here. -dracut-config-generic --dracut-config-rescue - -# Not needed with pv-grub (as in EC2), and pulled in automatically -# by anaconda, but appliance-creator needs the hint -syslinux-extlinux - -# Needed initially, but removed below. -firewalld - -# Basic firewall. If you're going to rely on your cloud service's -# security groups you can remove this. -iptables-services - -# cherry-pick a few things from @standard -tar -rsync - -# Some things from @core we can do without in a minimal install --biosdevname --plymouth --NetworkManager --iprutils --kbd - -%end - - - -%post --erroronfail - -# workaround xen performance issue (bz 651861; see also bz 708406) -echo "hwcap 1 nosegneg" > /etc/ld.so.conf.d/libc6-xen.conf - -# older versions of livecd-tools do not follow "rootpw --lock" line above -# https://bugzilla.redhat.com/show_bug.cgi?id=964299 -passwd -l root - -# Kickstart specifies timeout in seconds; syslinux uses 10ths. -# 0 means wait forever, so instead we'll go with 1. -sed -i 's/^timeout 10/timeout 1/' /boot/extlinux/extlinux.conf - -# setup systemd to boot to the right runlevel -echo -n "Setting default runlevel to multiuser text mode" -rm -f /etc/systemd/system/default.target -ln -s /lib/systemd/system/multi-user.target /etc/systemd/system/default.target -echo . - -# If you want to remove rsyslog and just use journald, remove this! -echo -n "Disabling persistent journal" -rmdir /var/log/journal/ -echo . - -# this is installed by default but we don't need it in virt -echo "Removing linux-firmware package." -yum -C -y remove linux-firmware - -# Remove firewalld; was supposed to be optional in F18+, but is required to -# be present for install/image building. -echo "Removing firewalld." -yum -C -y remove firewalld --setopt="clean_requirements_on_remove=1" - -# Non-firewalld-firewall -echo -n "Writing static firewall" -cat <<EOF > /etc/sysconfig/iptables -# Simple static firewall loaded by iptables.service. Replace -# this with your own custom rules, run lokkit, or switch to -# shorewall or firewalld as your needs dictate. -*filter -:INPUT ACCEPT [0:0] -:FORWARD ACCEPT [0:0] -:OUTPUT ACCEPT [0:0] --A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT --A INPUT -p icmp -j ACCEPT --A INPUT -i lo -j ACCEPT --A INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 22 -j ACCEPT -#-A INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 80 -j ACCEPT -#-A INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 443 -j ACCEPT --A INPUT -j REJECT --reject-with icmp-host-prohibited --A FORWARD -j REJECT --reject-with icmp-host-prohibited -COMMIT -EOF -echo . - -# Another one needed at install time but not after that, and it pulls -# in some unneeded deps (like, newt and slang) -echo "Removing authconfig." -yum -C -y remove authconfig --setopt="clean_requirements_on_remove=1" - -echo -n "Network fixes" -# initscripts don't like this file to be missing. -cat > /etc/sysconfig/network << EOF -NETWORKING=yes -NOZEROCONF=yes -EOF - -# For cloud images, 'eth0' _is_ the predictable device name, since -# we don't want to be tied to specific virtual (!) hardware -rm -f /etc/udev/rules.d/70* -ln -s /dev/null /etc/udev/rules.d/80-net-name-slot.rules - -# simple eth0 config, again not hard-coded to the build hardware -cat > /etc/sysconfig/network-scripts/ifcfg-eth0 << EOF -DEVICE="eth0" -BOOTPROTO="dhcp" -ONBOOT="yes" -TYPE="Ethernet" -EOF - -# generic localhost names -cat > /etc/hosts << EOF -127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4 -::1 localhost localhost.localdomain localhost6 localhost6.localdomain6 - -EOF -echo . - - -# Because memory is scarce resource in most cloud/virt environments, -# and because this impedes forensics, we are differing from the Fedora -# default of having /tmp on tmpfs. -echo "Disabling tmpfs for /tmp." -systemctl mask tmp.mount - -# appliance-creator does not make this important file. -if [ ! -e /etc/sysconfig/kernel ]; then -echo "Creating /etc/sysconfig/kernel." -cat <<EOF > /etc/sysconfig/kernel -# UPDATEDEFAULT specifies if new-kernel-pkg should make -# new kernels the default -UPDATEDEFAULT=yes - -# DEFAULTKERNEL specifies the default kernel package type -DEFAULTKERNEL=kernel-PAE -EOF -fi - -# make sure firstboot doesn't start -echo "RUN_FIRSTBOOT=NO" > /etc/sysconfig/firstboot - -echo "Removing random-seed so it's not the same in every image." -rm -f /var/lib/random-seed - -echo "Cleaning old yum repodata." -yum clean all -truncate -c -s 0 /var/log/yum.log - -echo "Fixing SELinux contexts." -/usr/sbin/fixfiles -R -a restore - -echo "Zeroing out empty space." -# This forces the filesystem to reclaim space from deleted files -dd bs=1M if=/dev/zero of=/var/tmp/zeros || : -rm -f /var/tmp/zeros -echo "(Don't worry -- that out-of-space error was expected.)" - -%end - diff --git a/generic/fedora-20-minimal.ks b/generic/fedora-20-minimal.ks new file mode 100644 index 0000000..c28aee7 --- /dev/null +++ b/generic/fedora-20-minimal.ks @@ -0,0 +1,210 @@ +# This is a basic Fedora 20 spin designed to work in OpenStack and other +# private cloud environments. This particular kickstart is designed to +# be as obsessively minimal as we can be and still be Fedora. Because +# this has not traditionally been a priority, that's not particularly +# very small, making this in some ways an academic exercise, but it's also +# a base for the more complete kickstarts. +# +# If you're interested in making this more minimal, big problems to solve +# are the not-needed-for-cloud kernel modules and the gigantic locale +# database. After that, it's chipping at dependencies. +# +# This kickstart file is designed to be used with appliance-creator and +# may need slight modification for use with actual anaconda or other tools. +# We intend to target anaconda-in-a-vm style image building for F20. + +lang en_US.UTF-8 +keyboard us +timezone --utc Etc/UTC + +auth --useshadow --enablemd5 +selinux --enforcing +rootpw --lock --iscrypted locked + +# this is actually not used, but a static firewall +# matching these rules is generated below. +firewall --service=ssh + +bootloader --timeout=1 --extlinux + +network --bootproto=dhcp --device=eth0 --onboot=on +services --enabled=network,sshd,rsyslog,iptables + + + +part / --size 2048 --fstype ext4 + + +# Repositories +#repo --name=fedora --mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=fedora-20&arch=$basearch +#repo --name=fedora-updates --mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=updates-released-f20&arch=$basearch +repo --name=fedora --mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=rawhide&arch=$basearch + + +# Package list. +# "Obsessively minimal as we can reasonably get and still be Fedora." +%packages --nobase +@core +grubby +kernel + +# Not needed with pv-grub (as in EC2), and pulled in automatically +# by anaconda, but appliance-creator needs the hint +syslinux-extlinux + +# We need this image to be portable; also, rescue mode isn't useful here. +dracut-config-generic +-dracut-config-rescue + +# Needed initially, but removed below. +firewalld + +# Basic firewall. If you're going to rely on your cloud service's +# security groups you can remove this. +iptables-services + +# Some things from @core we can do without in a minimal install +-biosdevname +-plymouth +-NetworkManager +-iprutils +-kbd + +# These are "leaf" packages which can be done without in an ultra-minimal +# install, but which actually remove typical functionality +-e2fsprogs +-audit +-rsyslog +-parted +-openssh-clients +-polkit +-rootfiles +-sendmail +-sudo + +%end + + + +%post --erroronfail + +# older versions of livecd-tools do not follow "rootpw --lock" line above +# https://bugzilla.redhat.com/show_bug.cgi?id=964299 +passwd -l root + +# Kickstart specifies timeout in seconds; syslinux uses 10ths. +# 0 means wait forever, so instead we'll go with 1. +sed -i 's/^timeout 10/timeout 1/' /boot/extlinux/extlinux.conf + +# setup systemd to boot to the right runlevel +echo -n "Setting default runlevel to multiuser text mode" +rm -f /etc/systemd/system/default.target +ln -s /lib/systemd/system/multi-user.target /etc/systemd/system/default.target +echo . + +# this is installed by default but we don't need it in virt +echo "Removing linux-firmware package." +yum -C -y remove linux-firmware --setopt="clean_requirements_on_remove=1" + +# Remove firewalld; was supposed to be optional in F18+, but is required to +# be present for install/image building. +echo "Removing firewalld and dependencies" +yum -C -y remove firewalld --setopt="clean_requirements_on_remove=1" + +# Non-firewalld-firewall +echo -n "Writing static firewall" +cat <<EOF > /etc/sysconfig/iptables +# Simple static firewall loaded by iptables.service. Replace +# this with your own custom rules, run lokkit, or switch to +# shorewall or firewalld as your needs dictate. +*filter +:INPUT ACCEPT [0:0] +:FORWARD ACCEPT [0:0] +:OUTPUT ACCEPT [0:0] +-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT +-A INPUT -p icmp -j ACCEPT +-A INPUT -i lo -j ACCEPT +-A INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 22 -j ACCEPT +#-A INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 80 -j ACCEPT +#-A INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 443 -j ACCEPT +-A INPUT -j REJECT --reject-with icmp-host-prohibited +-A FORWARD -j REJECT --reject-with icmp-host-prohibited +COMMIT +EOF +echo . + +# Another one needed at install time but not after that, and it pulls +# in some unneeded deps (like, newt and slang) +echo "Removing authconfig." +yum -C -y remove authconfig --setopt="clean_requirements_on_remove=1" + +echo -n "Network fixes" +# initscripts don't like this file to be missing. +cat > /etc/sysconfig/network << EOF +NETWORKING=yes +NOZEROCONF=yes +EOF + +# For cloud images, 'eth0' _is_ the predictable device name, since +# we don't want to be tied to specific virtual (!) hardware +rm -f /etc/udev/rules.d/70* +ln -s /dev/null /etc/udev/rules.d/80-net-name-slot.rules + +# simple eth0 config, again not hard-coded to the build hardware +cat > /etc/sysconfig/network-scripts/ifcfg-eth0 << EOF +DEVICE="eth0" +BOOTPROTO="dhcp" +ONBOOT="yes" +TYPE="Ethernet" +EOF + +# generic localhost names +cat > /etc/hosts << EOF +127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4 +::1 localhost localhost.localdomain localhost6 localhost6.localdomain6 + +EOF +echo . + + +# Because memory is scarce resource in most cloud/virt environments, +# and because this impedes forensics, we are differing from the Fedora +# default of having /tmp on tmpfs. +echo "Disabling tmpfs for /tmp." +systemctl mask tmp.mount + +# appliance-creator does not make this important file. +if [ ! -e /etc/sysconfig/kernel ]; then +echo "Creating /etc/sysconfig/kernel." +cat <<EOF > /etc/sysconfig/kernel +# UPDATEDEFAULT specifies if new-kernel-pkg should make +# new kernels the default +UPDATEDEFAULT=yes + +# DEFAULTKERNEL specifies the default kernel package type +DEFAULTKERNEL=kernel +EOF +fi + +# make sure firstboot doesn't start +echo "RUN_FIRSTBOOT=NO" > /etc/sysconfig/firstboot + +echo "Removing random-seed so it's not the same in every image." +rm -f /var/lib/random-seed + +echo "Cleaning old yum repodata." +yum clean all +truncate -c -s 0 /var/log/yum.log + +echo "Fixing SELinux contexts." +/usr/sbin/fixfiles -R -a restore + + +echo "Zeroing out empty space." +# This forces the filesystem to reclaim space from deleted files +dd bs=1M if=/dev/zero of=/var/tmp/zeros || : +rm -f /var/tmp/zeros +echo "(Don't worry -- that out-of-space error was expected.)" + +%end + diff --git a/generic/fedora-20-x86_64-cloud.ks b/generic/fedora-20-x86_64-cloud.ks deleted file mode 100644 index 2158ae7..0000000 --- a/generic/fedora-20-x86_64-cloud.ks +++ /dev/null @@ -1,241 +0,0 @@ -# This is a basic Fedora 20 spin designed to work in OpenStack and other -# private cloud environments. It's configured with cloud-init so it will -# take advantage of ec2-compatible metadata services for provisioning ssh -# keys. Cloud-init creates a user account named "fedora" with passwordless -# sudo access. The root password is empty and locked by default. -# -# Note that unlike the standard F20 install, this image has /tmp on disk -# rather than in tmpfs, since memory is usually at a premium. -# -# This kickstart file is designed to be used with appliance-creator and -# may need slight modification for use with actual anaconda or other tools. -# We intend to target anaconda-in-a-vm style image building for F20. - -lang en_US.UTF-8 -keyboard us -timezone --utc Etc/UTC - -auth --useshadow --enablemd5 -selinux --enforcing -rootpw --lock --iscrypted locked - -# this is actually not used, but a static firewall -# matching these rules is generated below. -firewall --service=ssh - -bootloader --timeout=1 --append="console=ttyS0,115200n8 console=hvc0 console=tty0" extlinux - -network --bootproto=dhcp --device=eth0 --onboot=on -services --enabled=network,sshd,rsyslog,iptables,cloud-init,cloud-init-local,cloud-config,cloud-final - - -part / --size 2048 --fstype ext4 - - -# Repositories -#repo --name=fedora --mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=fedora-20&arch=$basearch -#repo --name=fedora-updates --mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=updates-released-f20&arch=$basearch -repo --name=fedora --mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=rawhide&arch=$basearch - - -# Package list. -%packages --nobase -@core -grubby -kernel - -# cloud-init does magical things with EC2 metadata, including provisioning -# a user account with ssh keys. -cloud-init - -# need this for growpart, because parted doesn't yet support resizepart -# https://bugzilla.redhat.com/show_bug.cgi?id=966993 -cloud-utils-growpart - -# We need this image to be portable; also, rescue mode isn't useful here. -dracut-config-generic --dracut-config-rescue - -# Not needed with pv-grub (as in EC2), and pulled in automatically -# by anaconda, but appliance-creator needs the hint -syslinux-extlinux - -# Needed initially, but removed below. -firewalld - -# Basic firewall. If you're going to rely on your cloud service's -# security groups you can remove this. -iptables-services - -# cherry-pick a few things from @standard -tar -rsync - -# Some things from @core we can do without in a minimal install --biosdevname --plymouth --NetworkManager --iprutils --kbd - -%end - - - -%post --erroronfail - -#link grub.conf to menu.lst for ec2 to work -if [[ -e /boot/grub/grub.conf ]]; then - echo -n "Linking menu.lst to old-style grub.conf for pv-grub" - ln -sf grub.conf /boot/grub/menu.lst - ln -sf /boot/grub/grub.conf /etc/grub.conf -fi - -# older versions of livecd-tools do not follow "rootpw --lock" line above -# https://bugzilla.redhat.com/show_bug.cgi?id=964299 -passwd -l root - -# Kickstart specifies timeout in seconds; syslinux uses 10ths. -# 0 means wait forever, so instead we'll go with 1. -sed -i 's/^timeout 10/timeout 1/' /boot/extlinux/extlinux.conf - -# setup systemd to boot to the right runlevel -echo -n "Setting default runlevel to multiuser text mode" -rm -f /etc/systemd/system/default.target -ln -s /lib/systemd/system/multi-user.target /etc/systemd/system/default.target -echo . - -# If you want to remove rsyslog and just use journald, remove this! -echo -n "Disabling persistent journal" -rmdir /var/log/journal/ -echo . - -# this is installed by default but we don't need it in virt -echo "Removing linux-firmware package." -yum -C -y remove linux-firmware - -# Remove firewalld; was supposed to be optional in F18+, but is required to -# be present for install/image building. -echo "Removing firewalld." -yum -C -y remove firewalld --setopt="clean_requirements_on_remove=1" - -# Non-firewalld-firewall -echo -n "Writing static firewall" -cat <<EOF > /etc/sysconfig/iptables -# Simple static firewall loaded by iptables.service. Replace -# this with your own custom rules, run lokkit, or switch to -# shorewall or firewalld as your needs dictate. -*filter -:INPUT ACCEPT [0:0] -:FORWARD ACCEPT [0:0] -:OUTPUT ACCEPT [0:0] --A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT --A INPUT -p icmp -j ACCEPT --A INPUT -i lo -j ACCEPT --A INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 22 -j ACCEPT -#-A INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 80 -j ACCEPT -#-A INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 443 -j ACCEPT --A INPUT -j REJECT --reject-with icmp-host-prohibited --A FORWARD -j REJECT --reject-with icmp-host-prohibited -COMMIT -EOF -echo . - -# Another one needed at install time but not after that, and it pulls -# in some unneeded deps (like, newt and slang) -echo "Removing authconfig." -yum -C -y remove authconfig --setopt="clean_requirements_on_remove=1" - -echo -n "Getty fixes" -# although we want console output going to the serial console, we don't -# actually have the opportunity to login there. FIX. -# we don't really need to auto-spawn _any_ gettys. -sed -i '/^#NAutoVTs=.*/ a\ -NAutoVTs=0' /etc/systemd/logind.conf - -echo -n "Network fixes" -# initscripts don't like this file to be missing. -cat > /etc/sysconfig/network << EOF -NETWORKING=yes -NOZEROCONF=yes -EOF - -# For cloud images, 'eth0' _is_ the predictable device name, since -# we don't want to be tied to specific virtual (!) hardware -rm -f /etc/udev/rules.d/70* -ln -s /dev/null /etc/udev/rules.d/80-net-name-slot.rules - -# simple eth0 config, again not hard-coded to the build hardware -cat > /etc/sysconfig/network-scripts/ifcfg-eth0 << EOF -DEVICE="eth0" -BOOTPROTO="dhcp" -ONBOOT="yes" -TYPE="Ethernet" -EOF - -# generic localhost names -cat > /etc/hosts << EOF -127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4 -::1 localhost localhost.localdomain localhost6 localhost6.localdomain6 - -EOF -echo . - - -# Because memory is scarce resource in most cloud/virt environments, -# and because this impedes forensics, we are differing from the Fedora -# default of having /tmp on tmpfs. -echo "Disabling tmpfs for /tmp." -systemctl mask tmp.mount - -# appliance-creator does not make this important file. -if [ ! -e /etc/sysconfig/kernel ]; then -echo "Creating /etc/sysconfig/kernel." -cat <<EOF > /etc/sysconfig/kernel -# UPDATEDEFAULT specifies if new-kernel-pkg should make -# new kernels the default -UPDATEDEFAULT=yes - -# DEFAULTKERNEL specifies the default kernel package type -DEFAULTKERNEL=kernel -EOF -fi - -# make sure firstboot doesn't start -echo "RUN_FIRSTBOOT=NO" > /etc/sysconfig/firstboot - -# workaround https://bugzilla.redhat.com/show_bug.cgi?id=966888 -if ! grep -q growpart /etc/cloud/cloud.cfg; then - sed -i 's/ - resizefs/ - growpart\n - resizefs/' /etc/cloud/cloud.cfg -fi - -# Uncomment this if you want to use cloud init but suppress the creation -# of an "ec2-user" account. This will, in the absence of further config, -# cause the ssh key from a metadata source to be put in the root account. -#cat <<EOF > /etc/cloud/cloud.cfg.d/50_suppress_ec2-user_use_root.cfg -#users: [] -#disable_root: 0 -#EOF - -# This is a temporary fix to change the default user to "fedora"; this -# change will be in an upcoming cloud-init update -sed -i 's/ec2-user/fedora/;s/EC2 user/Fedora Cloud User/' /etc/cloud/cloud.cfg - -echo "Removing random-seed so it's not the same in every image." -rm -f /var/lib/random-seed - -echo "Cleaning old yum repodata." -yum clean all -truncate -c -s 0 /var/log/yum.log - -echo "Fixing SELinux contexts." -/usr/sbin/fixfiles -R -a restore - -echo "Zeroing out empty space." -# This forces the filesystem to reclaim space from deleted files -dd bs=1M if=/dev/zero of=/var/tmp/zeros || : -rm -f /var/tmp/zeros -echo "(Don't worry -- that out-of-space error was expected.)" - -%end - diff --git a/generic/fedora-20-x86_64-minimal.ks b/generic/fedora-20-x86_64-minimal.ks deleted file mode 100644 index c28aee7..0000000 --- a/generic/fedora-20-x86_64-minimal.ks +++ /dev/null @@ -1,210 +0,0 @@ -# This is a basic Fedora 20 spin designed to work in OpenStack and other -# private cloud environments. This particular kickstart is designed to -# be as obsessively minimal as we can be and still be Fedora. Because -# this has not traditionally been a priority, that's not particularly -# very small, making this in some ways an academic exercise, but it's also -# a base for the more complete kickstarts. -# -# If you're interested in making this more minimal, big problems to solve -# are the not-needed-for-cloud kernel modules and the gigantic locale -# database. After that, it's chipping at dependencies. -# -# This kickstart file is designed to be used with appliance-creator and -# may need slight modification for use with actual anaconda or other tools. -# We intend to target anaconda-in-a-vm style image building for F20. - -lang en_US.UTF-8 -keyboard us -timezone --utc Etc/UTC - -auth --useshadow --enablemd5 -selinux --enforcing -rootpw --lock --iscrypted locked - -# this is actually not used, but a static firewall -# matching these rules is generated below. -firewall --service=ssh - -bootloader --timeout=1 --extlinux - -network --bootproto=dhcp --device=eth0 --onboot=on -services --enabled=network,sshd,rsyslog,iptables - - - -part / --size 2048 --fstype ext4 - - -# Repositories -#repo --name=fedora --mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=fedora-20&arch=$basearch -#repo --name=fedora-updates --mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=updates-released-f20&arch=$basearch -repo --name=fedora --mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=rawhide&arch=$basearch - - -# Package list. -# "Obsessively minimal as we can reasonably get and still be Fedora." -%packages --nobase -@core -grubby -kernel - -# Not needed with pv-grub (as in EC2), and pulled in automatically -# by anaconda, but appliance-creator needs the hint -syslinux-extlinux - -# We need this image to be portable; also, rescue mode isn't useful here. -dracut-config-generic --dracut-config-rescue - -# Needed initially, but removed below. -firewalld - -# Basic firewall. If you're going to rely on your cloud service's -# security groups you can remove this. -iptables-services - -# Some things from @core we can do without in a minimal install --biosdevname --plymouth --NetworkManager --iprutils --kbd - -# These are "leaf" packages which can be done without in an ultra-minimal -# install, but which actually remove typical functionality --e2fsprogs --audit --rsyslog --parted --openssh-clients --polkit --rootfiles --sendmail --sudo - -%end - - - -%post --erroronfail - -# older versions of livecd-tools do not follow "rootpw --lock" line above -# https://bugzilla.redhat.com/show_bug.cgi?id=964299 -passwd -l root - -# Kickstart specifies timeout in seconds; syslinux uses 10ths. -# 0 means wait forever, so instead we'll go with 1. -sed -i 's/^timeout 10/timeout 1/' /boot/extlinux/extlinux.conf - -# setup systemd to boot to the right runlevel -echo -n "Setting default runlevel to multiuser text mode" -rm -f /etc/systemd/system/default.target -ln -s /lib/systemd/system/multi-user.target /etc/systemd/system/default.target -echo . - -# this is installed by default but we don't need it in virt -echo "Removing linux-firmware package." -yum -C -y remove linux-firmware --setopt="clean_requirements_on_remove=1" - -# Remove firewalld; was supposed to be optional in F18+, but is required to -# be present for install/image building. -echo "Removing firewalld and dependencies" -yum -C -y remove firewalld --setopt="clean_requirements_on_remove=1" - -# Non-firewalld-firewall -echo -n "Writing static firewall" -cat <<EOF > /etc/sysconfig/iptables -# Simple static firewall loaded by iptables.service. Replace -# this with your own custom rules, run lokkit, or switch to -# shorewall or firewalld as your needs dictate. -*filter -:INPUT ACCEPT [0:0] -:FORWARD ACCEPT [0:0] -:OUTPUT ACCEPT [0:0] --A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT --A INPUT -p icmp -j ACCEPT --A INPUT -i lo -j ACCEPT --A INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 22 -j ACCEPT -#-A INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 80 -j ACCEPT -#-A INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 443 -j ACCEPT --A INPUT -j REJECT --reject-with icmp-host-prohibited --A FORWARD -j REJECT --reject-with icmp-host-prohibited -COMMIT -EOF -echo . - -# Another one needed at install time but not after that, and it pulls -# in some unneeded deps (like, newt and slang) -echo "Removing authconfig." -yum -C -y remove authconfig --setopt="clean_requirements_on_remove=1" - -echo -n "Network fixes" -# initscripts don't like this file to be missing. -cat > /etc/sysconfig/network << EOF -NETWORKING=yes -NOZEROCONF=yes -EOF - -# For cloud images, 'eth0' _is_ the predictable device name, since -# we don't want to be tied to specific virtual (!) hardware -rm -f /etc/udev/rules.d/70* -ln -s /dev/null /etc/udev/rules.d/80-net-name-slot.rules - -# simple eth0 config, again not hard-coded to the build hardware -cat > /etc/sysconfig/network-scripts/ifcfg-eth0 << EOF -DEVICE="eth0" -BOOTPROTO="dhcp" -ONBOOT="yes" -TYPE="Ethernet" -EOF - -# generic localhost names -cat > /etc/hosts << EOF -127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4 -::1 localhost localhost.localdomain localhost6 localhost6.localdomain6 - -EOF -echo . - - -# Because memory is scarce resource in most cloud/virt environments, -# and because this impedes forensics, we are differing from the Fedora -# default of having /tmp on tmpfs. -echo "Disabling tmpfs for /tmp." -systemctl mask tmp.mount - -# appliance-creator does not make this important file. -if [ ! -e /etc/sysconfig/kernel ]; then -echo "Creating /etc/sysconfig/kernel." -cat <<EOF > /etc/sysconfig/kernel -# UPDATEDEFAULT specifies if new-kernel-pkg should make -# new kernels the default -UPDATEDEFAULT=yes - -# DEFAULTKERNEL specifies the default kernel package type -DEFAULTKERNEL=kernel -EOF -fi - -# make sure firstboot doesn't start -echo "RUN_FIRSTBOOT=NO" > /etc/sysconfig/firstboot - -echo "Removing random-seed so it's not the same in every image." -rm -f /var/lib/random-seed - -echo "Cleaning old yum repodata." -yum clean all -truncate -c -s 0 /var/log/yum.log - -echo "Fixing SELinux contexts." -/usr/sbin/fixfiles -R -a restore - - -echo "Zeroing out empty space." -# This forces the filesystem to reclaim space from deleted files -dd bs=1M if=/dev/zero of=/var/tmp/zeros || : -rm -f /var/tmp/zeros -echo "(Don't worry -- that out-of-space error was expected.)" - -%end - diff --git a/generic/fedora-20-x86_64.ks b/generic/fedora-20-x86_64.ks deleted file mode 100644 index 1e788c5..0000000 --- a/generic/fedora-20-x86_64.ks +++ /dev/null @@ -1,201 +0,0 @@ -# This is a basic Fedora 20 spin designed to work in OpenStack and other -# private cloud environments. This flavor isn't configured with cloud-init -# or any other metadata service; you'll need your own say of getting -# user (or root) credentials on the system. -# -# This kickstart file is designed to be used with appliance-creator and -# may need slight modification for use with actual anaconda or other tools. -# We intend to target anaconda-in-a-vm style image building for F20. - -lang en_US.UTF-8 -keyboard us -timezone --utc Etc/UTC - -auth --useshadow --enablemd5 -selinux --enforcing -rootpw --lock --iscrypted locked - -# this is actually not used, but a static firewall -# matching these rules is generated below. -firewall --service=ssh - -bootloader --timeout=1 --extlinux - -network --bootproto=dhcp --device=eth0 --onboot=on -services --enabled=network,sshd,rsyslog,iptables - - - -part / --size 10000 --fstype ext4 - - -# Repositories -#repo --name=fedora --mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=fedora-20&arch=$basearch -#repo --name=fedora-updates --mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=updates-released-f20&arch=$basearch -repo --name=fedora --mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=rawhide&arch=$basearch - - -# Package list. -# Just the basics, here. - -%packages --nobase -@core -grubby -kernel - -# We need this image to be portable; also, rescue mode isn't useful here. -dracut-config-generic --dracut-config-rescue - -# Not needed with pv-grub (as in EC2), and pulled in automatically -# by anaconda, but appliance-creator needs the hint -syslinux-extlinux - -# Needed initially, but removed below. -firewalld - -# Basic firewall. If you're going to rely on your cloud service's -# security groups you can remove this. -iptables-services - -# cherry-pick a few things from @standard -tar -rsync - -# Some things from @core we can do without in a minimal install --biosdevname --plymouth --NetworkManager --iprutils --kbd - -%end - - - -%post --erroronfail - -# older versions of livecd-tools do not follow "rootpw --lock" line above -# https://bugzilla.redhat.com/show_bug.cgi?id=964299 -passwd -l root - -# Kickstart specifies timeout in seconds; syslinux uses 10ths. -# 0 means wait forever, so instead we'll go with 1. -sed -i 's/^timeout 10/timeout 1/' /boot/extlinux/extlinux.conf - -# setup systemd to boot to the right runlevel -echo -n "Setting default runlevel to multiuser text mode" -rm -f /etc/systemd/system/default.target -ln -s /lib/systemd/system/multi-user.target /etc/systemd/system/default.target -echo . - -# If you want to remove rsyslog and just use journald, remove this! -echo -n "Disabling persistent journal" -rmdir /var/log/journal/ -echo . - -# this is installed by default but we don't need it in virt -echo "Removing linux-firmware package." -yum -C -y remove linux-firmware - -# Remove firewalld; was supposed to be optional in F18+, but is required to -# be present for install/image building. -echo "Removing firewalld." -yum -C -y remove firewalld --setopt="clean_requirements_on_remove=1" - -# Non-firewalld-firewall -echo -n "Writing static firewall" -cat <<EOF > /etc/sysconfig/iptables -# Simple static firewall loaded by iptables.service. Replace -# this with your own custom rules, run lokkit, or switch to -# shorewall or firewalld as your needs dictate. -*filter -:INPUT ACCEPT [0:0] -:FORWARD ACCEPT [0:0] -:OUTPUT ACCEPT [0:0] --A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT --A INPUT -p icmp -j ACCEPT --A INPUT -i lo -j ACCEPT --A INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 22 -j ACCEPT -#-A INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 80 -j ACCEPT -#-A INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 443 -j ACCEPT --A INPUT -j REJECT --reject-with icmp-host-prohibited --A FORWARD -j REJECT --reject-with icmp-host-prohibited -COMMIT -EOF -echo . - -# Another one needed at install time but not after that, and it pulls -# in some unneeded deps (like, newt and slang) -echo "Removing authconfig." -yum -C -y remove authconfig --setopt="clean_requirements_on_remove=1" - -echo -n "Network fixes" -# initscripts don't like this file to be missing. -cat > /etc/sysconfig/network << EOF -NETWORKING=yes -NOZEROCONF=yes -EOF - -# For cloud images, 'eth0' _is_ the predictable device name, since -# we don't want to be tied to specific virtual (!) hardware -rm -f /etc/udev/rules.d/70* -ln -s /dev/null /etc/udev/rules.d/80-net-name-slot.rules - -# simple eth0 config, again not hard-coded to the build hardware -cat > /etc/sysconfig/network-scripts/ifcfg-eth0 << EOF -DEVICE="eth0" -BOOTPROTO="dhcp" -ONBOOT="yes" -TYPE="Ethernet" -EOF - -# generic localhost names -cat > /etc/hosts << EOF -127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4 -::1 localhost localhost.localdomain localhost6 localhost6.localdomain6 - -EOF -echo . - - -# Because memory is scarce resource in most cloud/virt environments, -# and because this impedes forensics, we are differing from the Fedora -# default of having /tmp on tmpfs. -echo "Disabling tmpfs for /tmp." -systemctl mask tmp.mount - -# appliance-creator does not make this important file. -if [ ! -e /etc/sysconfig/kernel ]; then -echo "Creating /etc/sysconfig/kernel." -cat <<EOF > /etc/sysconfig/kernel -# UPDATEDEFAULT specifies if new-kernel-pkg should make -# new kernels the default -UPDATEDEFAULT=yes - -# DEFAULTKERNEL specifies the default kernel package type -DEFAULTKERNEL=kernel -EOF -fi - -# make sure firstboot doesn't start -echo "RUN_FIRSTBOOT=NO" > /etc/sysconfig/firstboot - -echo "Removing random-seed so it's not the same in every image." -rm -f /var/lib/random-seed - -echo "Cleaning old yum repodata." -yum clean all -truncate -c -s 0 /var/log/yum.log - -echo "Fixing SELinux contexts." -/usr/sbin/fixfiles -R -a restore - -echo "Zeroing out empty space." -# This forces the filesystem to reclaim space from deleted files -dd bs=1M if=/dev/zero of=/var/tmp/zeros || : -rm -f /var/tmp/zeros -echo "(Don't worry -- that out-of-space error was expected.)" - -%end - diff --git a/generic/fedora-20.ks b/generic/fedora-20.ks new file mode 100644 index 0000000..1e788c5 --- /dev/null +++ b/generic/fedora-20.ks @@ -0,0 +1,201 @@ +# This is a basic Fedora 20 spin designed to work in OpenStack and other +# private cloud environments. This flavor isn't configured with cloud-init +# or any other metadata service; you'll need your own say of getting +# user (or root) credentials on the system. +# +# This kickstart file is designed to be used with appliance-creator and +# may need slight modification for use with actual anaconda or other tools. +# We intend to target anaconda-in-a-vm style image building for F20. + +lang en_US.UTF-8 +keyboard us +timezone --utc Etc/UTC + +auth --useshadow --enablemd5 +selinux --enforcing +rootpw --lock --iscrypted locked + +# this is actually not used, but a static firewall +# matching these rules is generated below. +firewall --service=ssh + +bootloader --timeout=1 --extlinux + +network --bootproto=dhcp --device=eth0 --onboot=on +services --enabled=network,sshd,rsyslog,iptables + + + +part / --size 10000 --fstype ext4 + + +# Repositories +#repo --name=fedora --mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=fedora-20&arch=$basearch +#repo --name=fedora-updates --mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=updates-released-f20&arch=$basearch +repo --name=fedora --mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=rawhide&arch=$basearch + + +# Package list. +# Just the basics, here. + +%packages --nobase +@core +grubby +kernel + +# We need this image to be portable; also, rescue mode isn't useful here. +dracut-config-generic +-dracut-config-rescue + +# Not needed with pv-grub (as in EC2), and pulled in automatically +# by anaconda, but appliance-creator needs the hint +syslinux-extlinux + +# Needed initially, but removed below. +firewalld + +# Basic firewall. If you're going to rely on your cloud service's +# security groups you can remove this. +iptables-services + +# cherry-pick a few things from @standard +tar +rsync + +# Some things from @core we can do without in a minimal install +-biosdevname +-plymouth +-NetworkManager +-iprutils +-kbd + +%end + + + +%post --erroronfail + +# older versions of livecd-tools do not follow "rootpw --lock" line above +# https://bugzilla.redhat.com/show_bug.cgi?id=964299 +passwd -l root + +# Kickstart specifies timeout in seconds; syslinux uses 10ths. +# 0 means wait forever, so instead we'll go with 1. +sed -i 's/^timeout 10/timeout 1/' /boot/extlinux/extlinux.conf + +# setup systemd to boot to the right runlevel +echo -n "Setting default runlevel to multiuser text mode" +rm -f /etc/systemd/system/default.target +ln -s /lib/systemd/system/multi-user.target /etc/systemd/system/default.target +echo . + +# If you want to remove rsyslog and just use journald, remove this! +echo -n "Disabling persistent journal" +rmdir /var/log/journal/ +echo . + +# this is installed by default but we don't need it in virt +echo "Removing linux-firmware package." +yum -C -y remove linux-firmware + +# Remove firewalld; was supposed to be optional in F18+, but is required to +# be present for install/image building. +echo "Removing firewalld." +yum -C -y remove firewalld --setopt="clean_requirements_on_remove=1" + +# Non-firewalld-firewall +echo -n "Writing static firewall" +cat <<EOF > /etc/sysconfig/iptables +# Simple static firewall loaded by iptables.service. Replace +# this with your own custom rules, run lokkit, or switch to +# shorewall or firewalld as your needs dictate. +*filter +:INPUT ACCEPT [0:0] +:FORWARD ACCEPT [0:0] +:OUTPUT ACCEPT [0:0] +-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT +-A INPUT -p icmp -j ACCEPT +-A INPUT -i lo -j ACCEPT +-A INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 22 -j ACCEPT +#-A INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 80 -j ACCEPT +#-A INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 443 -j ACCEPT +-A INPUT -j REJECT --reject-with icmp-host-prohibited +-A FORWARD -j REJECT --reject-with icmp-host-prohibited +COMMIT +EOF +echo . + +# Another one needed at install time but not after that, and it pulls +# in some unneeded deps (like, newt and slang) +echo "Removing authconfig." +yum -C -y remove authconfig --setopt="clean_requirements_on_remove=1" + +echo -n "Network fixes" +# initscripts don't like this file to be missing. +cat > /etc/sysconfig/network << EOF +NETWORKING=yes +NOZEROCONF=yes +EOF + +# For cloud images, 'eth0' _is_ the predictable device name, since +# we don't want to be tied to specific virtual (!) hardware +rm -f /etc/udev/rules.d/70* +ln -s /dev/null /etc/udev/rules.d/80-net-name-slot.rules + +# simple eth0 config, again not hard-coded to the build hardware +cat > /etc/sysconfig/network-scripts/ifcfg-eth0 << EOF +DEVICE="eth0" +BOOTPROTO="dhcp" +ONBOOT="yes" +TYPE="Ethernet" +EOF + +# generic localhost names +cat > /etc/hosts << EOF +127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4 +::1 localhost localhost.localdomain localhost6 localhost6.localdomain6 + +EOF +echo . + + +# Because memory is scarce resource in most cloud/virt environments, +# and because this impedes forensics, we are differing from the Fedora +# default of having /tmp on tmpfs. +echo "Disabling tmpfs for /tmp." +systemctl mask tmp.mount + +# appliance-creator does not make this important file. +if [ ! -e /etc/sysconfig/kernel ]; then +echo "Creating /etc/sysconfig/kernel." +cat <<EOF > /etc/sysconfig/kernel +# UPDATEDEFAULT specifies if new-kernel-pkg should make +# new kernels the default +UPDATEDEFAULT=yes + +# DEFAULTKERNEL specifies the default kernel package type +DEFAULTKERNEL=kernel +EOF +fi + +# make sure firstboot doesn't start +echo "RUN_FIRSTBOOT=NO" > /etc/sysconfig/firstboot + +echo "Removing random-seed so it's not the same in every image." +rm -f /var/lib/random-seed + +echo "Cleaning old yum repodata." +yum clean all +truncate -c -s 0 /var/log/yum.log + +echo "Fixing SELinux contexts." +/usr/sbin/fixfiles -R -a restore + +echo "Zeroing out empty space." +# This forces the filesystem to reclaim space from deleted files +dd bs=1M if=/dev/zero of=/var/tmp/zeros || : +rm -f /var/tmp/zeros +echo "(Don't worry -- that out-of-space error was expected.)" + +%end + _______________________________________________ cloud mailing list cloud@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/cloud