On Tue, May 2, 2017 at 1:48 PM, Christophe Fergeau <cfergeau@xxxxxxxxxx> wrote: > On Sun, Apr 23, 2017 at 12:41:30AM +0200, Fabiano Fidêncio wrote: >> The install-scripts added support SLES 12, SLES 12 SP1 and SLES 12 SP2. >> >> Those scripts were completely based on the openSUSE ones and tested >> against the "free for download" ISOs provided by SUSE, that you can find >> in: https://www.suse.com/download-linux/ >> >> Signed-off-by: Fabiano Fidêncio <fabiano@xxxxxxxxxxxx> >> --- >> .../suse.com/suse-autoyast-desktop.xml.in | 287 +++++++++++++++++++++ >> .../suse.com/suse-autoyast-jeos.xml.in | 201 +++++++++++++++ >> data/os/suse.com/sles-12.1.xml.in | 7 +- >> data/os/suse.com/sles-12.2.xml.in | 13 +- >> data/os/suse.com/sles-12.xml.in | 7 +- >> 5 files changed, 509 insertions(+), 6 deletions(-) >> create mode 100644 data/install-script/suse.com/suse-autoyast-desktop.xml.in >> create mode 100644 data/install-script/suse.com/suse-autoyast-jeos.xml.in >> >> diff --git a/data/install-script/suse.com/suse-autoyast-desktop.xml.in b/data/install-script/suse.com/suse-autoyast-desktop.xml.in >> new file mode 100644 >> index 0000000..acb38c1 >> --- /dev/null >> +++ b/data/install-script/suse.com/suse-autoyast-desktop.xml.in 
>> @@ -0,0 +1,287 @@ >> +<libosinfo version="0.0.1"> >> +<!-- Licensed under the GNU General Public License version 2 or later. >> + See http://www.gnu.org/licenses/ for a copy of the license text --> >> + >> + <!-- DESKTOP PROFILE --> >> + <install-script id='http://suse.com/suse/autoyast/desktop'> >> + <profile>desktop</profile> >> + <expected-filename>autoinst.xml</expected-filename> >> + <config> >> + <!-- Localization options --> >> + <param name="l10n-keyboard" policy="optional" value-map="http://x.org/x11-keyboard"/> >> + <param name="l10n-language" policy="optional"/> >> + <param name="l10n-timezone" policy="optional"/> >> + >> + <!-- Network options --> >> + <param name="hostname" policy="optional"/> >> + <param name="domain" policy="optional"/> >> + >> + <!-- Account options --> >> + <param name="admin-password" policy="optional"/> >> + <param name="user-fullname" policy="optional"/> >> + <param name="user-login" policy="required"/> >> + <param name="user-password" policy="optional"/> >> + <param name="avatar-location" policy="optional"/> >> + <param name="avatar-disk" policy="optional"/> >> + </config> >> + <injection-method>disk</injection-method> >> + >> + <template> >> + <xsl:stylesheet >> + xmlns:xsl="http://www.w3.org/1999/XSL/Transform" >> + version="1.0"> >> + >> + <xsl:output method="xml" indent="yes" omit-xml-declaration="yes"/> >> + >> + <xsl:template name="l10n-language"> >> + <xsl:choose> >> + <xsl:when test="config/l10n-language != '' and config/l10n-language != 'C'"> >> + <xsl:value-of select="config/l10n-language"/> >> + </xsl:when> >> + <xsl:otherwise> >> + <xsl:text>en_US</xsl:text> >> + </xsl:otherwise> >> + </xsl:choose> >> + </xsl:template> >> + >> + <xsl:template name="l10n-keyboard"> >> + <xsl:choose> >> + <xsl:when test="config/l10n-keyboard != '' and config/l10n-keyboard != 'C'"> >> + <xsl:value-of select="config/l10n-keyboard"/> >> + </xsl:when> >> + <xsl:otherwise> >> + <xsl:text>us</xsl:text> >> + </xsl:otherwise> >> + 
</xsl:choose> >> + </xsl:template> >> + >> + <xsl:template match="/command-line"> >> + <xsl:text>autoyast=device://sda/</xsl:text> > > I guess vda is not valid there? Nops. That's the same case for OpenSUSE. > >> + <xsl:value-of select="script/expected-filename"/> >> + </xsl:template> >> + >> + <xsl:template match="/install-script-config"> >> + <profile xmlns="http://www.suse.com/1.0/yast2ns" xmlns:config="http://www.suse.com/1.0/configns"> >> + <bootloader> >> + <device_map config:type="list"> >> + <device_map_entry> >> + <firmware>hd0</firmware> >> + <linux>/dev/vda</linux> >> + </device_map_entry> >> + </device_map> >> + <global> >> + <activate>true</activate> >> + <append>resume=/dev/vda1 splash=silent quiet showopts</append> >> + <boot_boot>false</boot_boot> >> + <boot_extended>false</boot_extended> >> + <boot_mbr>false</boot_mbr> >> + <boot_root>true</boot_root> >> + <default>0</default> >> + <distributor/> >> + <failsafe_disabled>true</failsafe_disabled> >> + <generic_mbr>true</generic_mbr> >> + <gfxmode>auto</gfxmode> >> + <os_prober>true</os_prober> >> + <terminal>gfxterm</terminal> >> + <timeout config:type="integer">8</timeout> >> + <vgamode/> >> + </global> >> + <loader_type>grub2</loader_type> >> + </bootloader> >> + <firewall> >> + <enable_firewall config:type="boolean">false</enable_firewall> >> + <start_firewall config:type="boolean">false</start_firewall> >> + </firewall> > > Any particular reason to disable firewall? No particular reason. I'll remove it in a v2. 
> >> + <general> >> + <ask-list config:type="list"/> >> + <mode> >> + <confirm config:type="boolean">false</confirm> >> + <final_reboot config:type="boolean">true</final_reboot> >> + </mode> >> + <proposals config:type="list"/> >> + <signature-handling> >> + <accept_file_without_checksum config:type="boolean">true</accept_file_without_checksum> >> + <accept_non_trusted_gpg_key config:type="boolean">true</accept_non_trusted_gpg_key> >> + <accept_unknown_gpg_key config:type="boolean">true</accept_unknown_gpg_key> >> + <accept_unsigned_file config:type="boolean">true</accept_unsigned_file> >> + <accept_verification_failed config:type="boolean">false</accept_verification_failed> >> + <import_gpg_key config:type="boolean">true</import_gpg_key> >> + </signature-handling> > > This seems fairly unsecure too, is this required? Hmm. I'll double check, but I do believe I can drop those for SLES. > > >> + <storage> >> + <partition_alignment config:type="symbol">align_optimal</partition_alignment> >> + <start_multipath config:type="boolean">false</start_multipath> >> + </storage> >> + </general> >> + <keyboard> >> + <keyboard_values> >> + <delay/> >> + <discaps config:type="boolean">false</discaps> >> + <numlock>bios</numlock> >> + <rate/> >> + </keyboard_values> >> + <keymap><xsl:call-template name="l10n-keyboard"/></keymap> >> + </keyboard> >> + <language><xsl:call-template name="l10n-language"/></language> >> + <networking> >> + <managed config:type="boolean">false</managed> >> + <interfaces config:type="list"> >> + <interface> >> + <bootproto>dhcp</bootproto> >> + <device>eth0</device> >> + <startmode>auto</startmode> >> + <usercontrol>no</usercontrol> >> + </interface> >> + </interfaces> >> + </networking> >> + <partitioning config:type="list"> >> + <drive> >> + <device>/dev/vda</device> >> + <type config:type="symbol">CT_DISK</type> >> + <use>all</use> >> + </drive> >> + </partitioning> >> + <report> >> + <errors> >> + <log config:type="boolean">true</log> >> + <show 
config:type="boolean">true</show> >> + <timeout config:type="integer">0</timeout> >> + </errors> >> + <messages> >> + <log config:type="boolean">true</log> >> + <show config:type="boolean">true</show> >> + <timeout config:type="integer">10</timeout> >> + </messages> >> + <warnings> >> + <log config:type="boolean">true</log> >> + <show config:type="boolean">true</show> >> + <timeout config:type="integer">10</timeout> >> + </warnings> >> + <yesno_messages> >> + <log config:type="boolean">true</log> >> + <show config:type="boolean">true</show> >> + <timeout config:type="integer">10</timeout> >> + </yesno_messages> >> + </report> >> + <scripts> >> + <chroot-scripts config:type="list"> >> + <script> >> + <chrooted config:type="boolean">true</chrooted> >> + <source> >> + >> +if test -z '<xsl:value-of select="config/user-password"/>'; then >> +pam-config -a --unix-nullok >> +pam-config -a --nullok > > Shouldn't this be conditional on the SUSE version as done below? Nops. It's needed for all versions to allow setting a user with no password. > >> + >> +<xsl:if test="os/version = 12"> >> +useradd <xsl:value-of select="config/user-login"/> -m -G users >> +passwd -d <xsl:value-of select="config/user-login"/> >> +</xsl:if> > > Does this mean we are not setting a password on older suse? There's no older SUSE script at this point. For 12 SP1 and 12 SP2 we can do this using the <users> XML tag, while for 12 the only way that worked was by actually adding the user as done above. 
> >> + >> +#Enable passwordless login for users that are part of the nopasswdlogin group >> +sed -i '4 i auth sufficient pam_succeed_if.so user ingroup nopasswdlogin' /etc/pam.d/gdm-password >> +fi >> + >> +if test -n '<xsl:value-of select="config/avatar-location"/>'; then >> +# Set user avatar >> +mkdir /mnt/unattended-media >> +mount <xsl:value-of select='config/avatar-disk'/> /mnt/unattended-media >> +cp /mnt/unattended-media<xsl:value-of select="config/avatar-location"/> /var/lib/AccountsService/icons/<xsl:value-of select="config/user-login"/> >> +umount /mnt/unattended-media >> + >> +echo " >> +[User] >> +Language=<xsl:value-of select="config/l10n-language"/>.UTF-8 >> +XSession=gnome >> +Icon=/var/lib/AccountsService/icons/<xsl:value-of select="config/user-login"/> >> +" >> /var/lib/AccountsService/users/<xsl:value-of select="config/user-login"/> >> +fi >> + </source> >> + </script> >> + </chroot-scripts> >> + </scripts> >> + <services-manager> >> + <default_target>graphical</default_target> >> + </services-manager> >> + <software> >> + <packages config:type="list"> >> + <package>autoyast2-installation</package> >> + <package>gdm</package> >> + </packages> >> + <patterns config:type="list"> >> + <pattern>Minimal</pattern> >> + <pattern>apparmor</pattern> >> + <pattern>base</pattern> >> + <pattern>gnome-basic</pattern> >> + <pattern>printing</pattern> >> + <xsl:if test="os/version > 12"> >> + <pattern>smt</pattern> >> + </xsl:if> >> + <pattern>x11</pattern> >> + </patterns> >> + </software> >> + <sysconfig config:type="list"> >> + <sysconfig_entry> >> + <sysconfig_key>DISPLAYMANAGER</sysconfig_key> >> + <sysconfig_path>/etc/sysconfig/displaymanager</sysconfig_path> >> + <sysconfig_value>gdm</sysconfig_value> >> + </sysconfig_entry> >> + <sysconfig_entry> >> + <sysconfig_key>DEFAULT_WM</sysconfig_key> >> + <sysconfig_path>/etc/sysconfig/windowmanager</sysconfig_path> >> + <sysconfig_value>gnome</sysconfig_value> >> + </sysconfig_entry> >> + </sysconfig> >> + 
<timezone> >> + <hwclock>UTC</hwclock> >> + <timezone><xsl:value-of select="config/l10n-timezone"/></timezone> >> + </timezone> >> + <user_defaults> >> + <expire/> >> + <group>100</group> >> + <groups/> >> + <home>/home</home> >> + <inactive>-1</inactive> >> + <no_groups config:type="boolean">true</no_groups> >> + <shell>/bin/bash</shell> >> + <skel>/etc/skel</skel> >> + <umask>022</umask> >> + </user_defaults> > > Same question, a bit below you check for suse version before allowing > empty passwords, should the condition be here too? That's not the case here. The group "nopasswdlogin" must be created in any SLES version in order to allow passwordless login. > >> + <xsl:if test="config/user-password = ''"> >> + <groups config:type="list"> >> + <group> >> + <group_password>x</group_password> >> + <groupname>nopasswdlogin</groupname> >> + <userlist><xsl:value-of select="config/user-login"/></userlist> >> + </group> >> + </groups> >> + </xsl:if> >> + <users config:type="list"> >> + <user> >> + <encrypted config:type="boolean">false</encrypted> >> + <fullname>root</fullname> >> + <gid>0</gid> >> + <home>/root</home> >> + <shell>/bin/bash</shell> >> + <uid>0</uid> >> + <user_password><xsl:value-of select="config/admin-password"/></user_password> >> + <username>root</username> >> + </user> >> + <!-- >> + While SLES 12 doesn't allow creating a user without a password, >> + it's okay to do so on the newer versions >> + --> >> + <xsl:if test="config/user-password != '' or os/version > 12"> >> + <user> >> + <encrypted config:type="boolean">false</encrypted> >> + <fullname><xsl:value-of select="config/user-fullname"/></fullname> >> + <user_password><xsl:value-of select="config/user-password"/></user_password> >> + <username><xsl:value-of select="config/user-login"/></username> >> + </user> >> + </xsl:if> > > So we don't set a user password on older suse? We do! 
At this point the only supported versions are:

SLES 12:
- passwordless users must be created by useradd
- normal user creation can be done through the <user> XML tag

SLES 12 SP1 and SLES 12 SP2:
- both normal and passwordless users can be created through the <user> XML tag.

>
> Christophe
>
> _______________________________________________
> Libosinfo mailing list
> Libosinfo@xxxxxxxxxx
> https://www.redhat.com/mailman/listinfo/libosinfo
>

Best Regards,
--
Fabiano Fidêncio
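Review bot: In the <signature-handling> block of suse-autoyast-desktop.xml.in, accept_file_without_checksum, accept_non_trusted_gpg_key, accept_unknown_gpg_key, accept_unsigned_file and import_gpg_key are all set to true, which leaves accept_verification_failed as the only check still enforced during the unattended install. The commit message says the scripts were tested against the ISOs published by SUSE, so v2 should set these to false or drop the block; if one of them proves necessary for a particular medium, keep only that one and add an XML comment naming the medium and the reason.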
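Review bot: The chroot script under <scripts> pastes config/user-login, config/user-password, config/avatar-disk and config/avatar-location into shell text without quoting or validation, for example `useradd <xsl:value-of select="config/user-login"/> -m -G users` and `test -z '<xsl:value-of select="config/user-password"/>'`. A value containing a single quote, whitespace or a shell metacharacter changes what the script runs in the installed system. The empty-password decision can be made in XSLT instead, the way the nopasswdlogin <groups> block already does with `<xsl:if test="config/user-password = ''">`, so the password never reaches the script at all; the remaining expansions should be double-quoted, and user-login and the avatar paths should be restricted to a safe character set before the template is rendered.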
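Review bot: In the <users> list, both <user> entries carry `<encrypted config:type="boolean">false</encrypted>`, so admin-password and user-password are written in clear text into autoinst.xml on the injected disk. In addition, admin-password is declared policy="optional" in <config> while the root entry is emitted unconditionally, so an unset value yields an empty <user_password> for root. Suggest wrapping the root entry in a test on `config/admin-password != ''` (or making the param required), and, if the caller can supply a hash, switching encrypted to true; otherwise add a comment stating that the generated profile contains clear-text credentials and must be treated accordingly.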