Re: [osinfo-db 1/2] install-script, suse: Add install-scripts for SLES 12+

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Tue, May 02, 2017 at 09:25:00PM +0200, Fabiano Fidêncio wrote:
> On Tue, May 2, 2017 at 1:48 PM, Christophe Fergeau <cfergeau@xxxxxxxxxx> wrote:
> > On Sun, Apr 23, 2017 at 12:41:30AM +0200, Fabiano Fidêncio wrote:
> >> The install-scripts added support SLES 12, SLES 12 SP1 and SLES 12 SP2.
> >>
> >> Those scripts were completely based on the openSUSE ones and tested
> >> against the "free for download" ISOs provided by SUSE, that you can find
> >> in: https://www.suse.com/download-linux/
> >>
> >> Signed-off-by: Fabiano Fidêncio <fabiano@xxxxxxxxxxxx>
> >> ---
> >>  .../suse.com/suse-autoyast-desktop.xml.in          | 287 +++++++++++++++++++++
> >>  .../suse.com/suse-autoyast-jeos.xml.in             | 201 +++++++++++++++
> >>  data/os/suse.com/sles-12.1.xml.in                  |   7 +-
> >>  data/os/suse.com/sles-12.2.xml.in                  |  13 +-
> >>  data/os/suse.com/sles-12.xml.in                    |   7 +-
> >>  5 files changed, 509 insertions(+), 6 deletions(-)
> >>  create mode 100644 data/install-script/suse.com/suse-autoyast-desktop.xml.in
> >>  create mode 100644 data/install-script/suse.com/suse-autoyast-jeos.xml.in
> >>
> >> diff --git a/data/install-script/suse.com/suse-autoyast-desktop.xml.in b/data/install-script/suse.com/suse-autoyast-desktop.xml.in
> >> new file mode 100644
> >> index 0000000..acb38c1
> >> --- /dev/null
> >> +++ b/data/install-script/suse.com/suse-autoyast-desktop.xml.in
> >> @@ -0,0 +1,287 @@
> >> +<libosinfo version="0.0.1">
> >> +<!-- Licensed under the GNU General Public License version 2 or later.
> >> +     See http://www.gnu.org/licenses/ for a copy of the license text -->
> >> +
> >> +  <!-- DESKTOP PROFILE -->
> >> +  <install-script id='http://suse.com/suse/autoyast/desktop'>
> >> +    <profile>desktop</profile>
> >> +    <expected-filename>autoinst.xml</expected-filename>
> >> +    <config>
> >> +      <!-- Localization options -->
> >> +      <param name="l10n-keyboard" policy="optional" value-map="http://x.org/x11-keyboard"/>
> >> +      <param name="l10n-language" policy="optional"/>
> >> +      <param name="l10n-timezone" policy="optional"/>
> >> +
> >> +      <!-- Network options -->
> >> +      <param name="hostname" policy="optional"/>
> >> +      <param name="domain" policy="optional"/>
> >> +
> >> +      <!-- Account options -->
> >> +      <param name="admin-password" policy="optional"/>
> >> +      <param name="user-fullname" policy="optional"/>
> >> +      <param name="user-login" policy="required"/>
> >> +      <param name="user-password" policy="optional"/>
> >> +      <param name="avatar-location" policy="optional"/>
> >> +      <param name="avatar-disk" policy="optional"/>
> >> +    </config>
> >> +    <injection-method>disk</injection-method>
> >> +
> >> +    <template>
> >> +      <xsl:stylesheet
> >> +        xmlns:xsl="http://www.w3.org/1999/XSL/Transform";
> >> +        version="1.0">
> >> +
> >> +        <xsl:output method="xml" indent="yes" omit-xml-declaration="yes"/>
> >> +
> >> +        <xsl:template name="l10n-language">
> >> +          <xsl:choose>
> >> +            <xsl:when test="config/l10n-language != '' and config/l10n-language != 'C'">
> >> +              <xsl:value-of select="config/l10n-language"/>
> >> +            </xsl:when>
> >> +            <xsl:otherwise>
> >> +              <xsl:text>en_US</xsl:text>
> >> +            </xsl:otherwise>
> >> +          </xsl:choose>
> >> +        </xsl:template>
> >> +
> >> +        <xsl:template name="l10n-keyboard">
> >> +          <xsl:choose>
> >> +            <xsl:when test="config/l10n-keyboard != '' and config/l10n-keyboard != 'C'">
> >> +              <xsl:value-of select="config/l10n-keyboard"/>
> >> +            </xsl:when>
> >> +            <xsl:otherwise>
> >> +              <xsl:text>us</xsl:text>
> >> +            </xsl:otherwise>
> >> +          </xsl:choose>
> >> +        </xsl:template>
> >> +
> >> +        <xsl:template match="/command-line">
> >> +            <xsl:text>autoyast=device://sda/</xsl:text>
> >
> > I guess vda is not valid there?
> 
> Nops. That's the same case for OpenSUSE.
> 
> >
> >> +            <xsl:value-of select="script/expected-filename"/>
> >> +        </xsl:template>
> >> +
> >> +        <xsl:template match="/install-script-config">
> >> +          <profile xmlns="http://www.suse.com/1.0/yast2ns"; xmlns:config="http://www.suse.com/1.0/configns";>
> >> +            <bootloader>
> >> +              <device_map config:type="list">
> >> +                <device_map_entry>
> >> +                  <firmware>hd0</firmware>
> >> +                  <linux>/dev/vda</linux>
> >> +                </device_map_entry>
> >> +              </device_map>
> >> +              <global>
> >> +                <activate>true</activate>
> >> +                <append>resume=/dev/vda1 splash=silent quiet showopts</append>
> >> +                <boot_boot>false</boot_boot>
> >> +                <boot_extended>false</boot_extended>
> >> +                <boot_mbr>false</boot_mbr>
> >> +                <boot_root>true</boot_root>
> >> +                <default>0</default>
> >> +                <distributor/>
> >> +                <failsafe_disabled>true</failsafe_disabled>
> >> +                <generic_mbr>true</generic_mbr>
> >> +                <gfxmode>auto</gfxmode>
> >> +                <os_prober>true</os_prober>
> >> +                <terminal>gfxterm</terminal>
> >> +                <timeout config:type="integer">8</timeout>
> >> +                <vgamode/>
> >> +              </global>
> >> +              <loader_type>grub2</loader_type>
> >> +            </bootloader>
> >> +            <firewall>
> >> +              <enable_firewall config:type="boolean">false</enable_firewall>
> >> +              <start_firewall config:type="boolean">false</start_firewall>
> >> +            </firewall>
> >
> > Any particular reason to disable firewall?
> 
> No particular reason. I'll remove it in a v2.
> 
> >
> >> +            <general>
> >> +              <ask-list config:type="list"/>
> >> +              <mode>
> >> +                <confirm config:type="boolean">false</confirm>
> >> +                <final_reboot config:type="boolean">true</final_reboot>
> >> +              </mode>
> >> +              <proposals config:type="list"/>
> >> +              <signature-handling>
> >> +                <accept_file_without_checksum config:type="boolean">true</accept_file_without_checksum>
> >> +                <accept_non_trusted_gpg_key config:type="boolean">true</accept_non_trusted_gpg_key>
> >> +                <accept_unknown_gpg_key config:type="boolean">true</accept_unknown_gpg_key>
> >> +                <accept_unsigned_file config:type="boolean">true</accept_unsigned_file>
> >> +                <accept_verification_failed config:type="boolean">false</accept_verification_failed>
> >> +                <import_gpg_key config:type="boolean">true</import_gpg_key>
> >> +              </signature-handling>
> >
> > This seems fairly unsecure too, is this required?
> 
> Hmm. I'll double check, but I do believe I can drop those for SLES.
> 
> >
> >
> >> +              <storage>
> >> +                <partition_alignment config:type="symbol">align_optimal</partition_alignment>
> >> +                <start_multipath config:type="boolean">false</start_multipath>
> >> +              </storage>
> >> +            </general>
> >> +            <keyboard>
> >> +              <keyboard_values>
> >> +                <delay/>
> >> +                <discaps config:type="boolean">false</discaps>
> >> +                <numlock>bios</numlock>
> >> +                <rate/>
> >> +              </keyboard_values>
> >> +              <keymap><xsl:call-template name="l10n-keyboard"/></keymap>
> >> +            </keyboard>
> >> +            <language><xsl:call-template name="l10n-language"/></language>
> >> +          <networking>
> >> +            <managed config:type="boolean">false</managed>
> >> +            <interfaces  config:type="list">
> >> +              <interface>
> >> +                <bootproto>dhcp</bootproto>
> >> +                  <device>eth0</device>
> >> +                  <startmode>auto</startmode>
> >> +                  <usercontrol>no</usercontrol>
> >> +                </interface>
> >> +            </interfaces>
> >> +          </networking>
> >> +          <partitioning config:type="list">
> >> +            <drive>
> >> +              <device>/dev/vda</device>
> >> +              <type config:type="symbol">CT_DISK</type>
> >> +              <use>all</use>
> >> +            </drive>
> >> +          </partitioning>
> >> +            <report>
> >> +              <errors>
> >> +                <log config:type="boolean">true</log>
> >> +                <show config:type="boolean">true</show>
> >> +                <timeout config:type="integer">0</timeout>
> >> +              </errors>
> >> +              <messages>
> >> +                <log config:type="boolean">true</log>
> >> +                <show config:type="boolean">true</show>
> >> +                <timeout config:type="integer">10</timeout>
> >> +              </messages>
> >> +              <warnings>
> >> +                <log config:type="boolean">true</log>
> >> +                <show config:type="boolean">true</show>
> >> +                <timeout config:type="integer">10</timeout>
> >> +              </warnings>
> >> +              <yesno_messages>
> >> +                <log config:type="boolean">true</log>
> >> +                <show config:type="boolean">true</show>
> >> +                <timeout config:type="integer">10</timeout>
> >> +              </yesno_messages>
> >> +            </report>
> >> +            <scripts>
> >> +              <chroot-scripts config:type="list">
> >> +                <script>
> >> +                  <chrooted config:type="boolean">true</chrooted>
> >> +                  <source>
> >> +
> >> +if test -z '<xsl:value-of select="config/user-password"/>'; then
> >> +pam-config -a --unix-nullok
> >> +pam-config -a --nullok
> >
> > Shouldn't this be conditional on the SUSE version as done below?
> 
> Nops. It's needed for all versions to allow setting a user with no password.
> 
> >
> >> +
> >> +<xsl:if test="os/version = 12">
> >> +useradd <xsl:value-of select="config/user-login"/> -m -G users
> >> +passwd -d <xsl:value-of select="config/user-login"/>
> >> +</xsl:if>
> >
> > Does this mean we are not setting a password on older suse?
> 
> There's no older SUSE script at this point.
> 
> For 12 SP1 and 12 SP2 we can do this using the <users> XML tag, while
> for 12 the only way that worked was by actually adding the user as
> done above.
> 
> >
> >> +
> >> +#Enable passwordless login for users that are part of the nopasswdlogin group
> >> +sed -i '4 i auth sufficient pam_succeed_if.so user ingroup nopasswdlogin' /etc/pam.d/gdm-password
> >> +fi
> >> +
> >> +if test -n '<xsl:value-of select="config/avatar-location"/>'; then
> >> +# Set user avatar
> >> +mkdir /mnt/unattended-media
> >> +mount <xsl:value-of select='config/avatar-disk'/> /mnt/unattended-media
> >> +cp /mnt/unattended-media<xsl:value-of select="config/avatar-location"/> /var/lib/AccountsService/icons/<xsl:value-of select="config/user-login"/>
> >> +umount /mnt/unattended-media
> >> +
> >> +echo "
> >> +[User]
> >> +Language=<xsl:value-of select="config/l10n-language"/>.UTF-8
> >> +XSession=gnome
> >> +Icon=/var/lib/AccountsService/icons/<xsl:value-of select="config/user-login"/>
> >> +" >> /var/lib/AccountsService/users/<xsl:value-of select="config/user-login"/>
> >> +fi
> >> +                  </source>
> >> +                </script>
> >> +              </chroot-scripts>
> >> +            </scripts>
> >> +            <services-manager>
> >> +              <default_target>graphical</default_target>
> >> +            </services-manager>
> >> +            <software>
> >> +              <packages config:type="list">
> >> +                <package>autoyast2-installation</package>
> >> +                <package>gdm</package>
> >> +              </packages>
> >> +              <patterns config:type="list">
> >> +                <pattern>Minimal</pattern>
> >> +                <pattern>apparmor</pattern>
> >> +                <pattern>base</pattern>
> >> +                <pattern>gnome-basic</pattern>
> >> +                <pattern>printing</pattern>
> >> +                <xsl:if test="os/version &gt; 12">
> >> +                  <pattern>smt</pattern>
> >> +                </xsl:if>
> >> +                <pattern>x11</pattern>
> >> +              </patterns>
> >> +            </software>
> >> +            <sysconfig config:type="list">
> >> +              <sysconfig_entry>
> >> +                <sysconfig_key>DISPLAYMANAGER</sysconfig_key>
> >> +                <sysconfig_path>/etc/sysconfig/displaymanager</sysconfig_path>
> >> +                <sysconfig_value>gdm</sysconfig_value>
> >> +              </sysconfig_entry>
> >> +              <sysconfig_entry>
> >> +                <sysconfig_key>DEFAULT_WM</sysconfig_key>
> >> +                <sysconfig_path>/etc/sysconfig/windowmanager</sysconfig_path>
> >> +                <sysconfig_value>gnome</sysconfig_value>
> >> +              </sysconfig_entry>
> >> +            </sysconfig>
> >> +            <timezone>
> >> +              <hwclock>UTC</hwclock>
> >> +              <timezone><xsl:value-of select="config/l10n-timezone"/></timezone>
> >> +            </timezone>
> >> +            <user_defaults>
> >> +              <expire/>
> >> +              <group>100</group>
> >> +              <groups/>
> >> +              <home>/home</home>
> >> +              <inactive>-1</inactive>
> >> +              <no_groups config:type="boolean">true</no_groups>
> >> +              <shell>/bin/bash</shell>
> >> +              <skel>/etc/skel</skel>
> >> +              <umask>022</umask>
> >> +            </user_defaults>
> >
> > Same question, a bit below you check for suse version before allowing
> > empty passwords, should the condition be here too?
> 
> That's not the case here. The group "nopasswdlogin" must be created in
> any SLES version in order to allow passwordless login.
> 
> >
> >> +            <xsl:if test="config/user-password = ''">
> >> +              <groups config:type="list">
> >> +                <group>
> >> +                  <group_password>x</group_password>
> >> +                  <groupname>nopasswdlogin</groupname>
> >> +                  <userlist><xsl:value-of select="config/user-login"/></userlist>
> >> +                </group>
> >> +              </groups>
> >> +            </xsl:if>
> >> +            <users config:type="list">
> >> +              <user>
> >> +                <encrypted config:type="boolean">false</encrypted>
> >> +                <fullname>root</fullname>
> >> +                <gid>0</gid>
> >> +                <home>/root</home>
> >> +                <shell>/bin/bash</shell>
> >> +                <uid>0</uid>
> >> +                <user_password><xsl:value-of select="config/admin-password"/></user_password>
> >> +                <username>root</username>
> >> +              </user>
> >> +              <!--
> >> +                While SLES 12 doesn't allow creating a user without a password,
> >> +                it's okay to do so on the newer versions
> >> +                -->
> >> +              <xsl:if test="config/user-password != '' or os/version &gt; 12">
> >> +                <user>
> >> +                  <encrypted config:type="boolean">false</encrypted>
> >> +                  <fullname><xsl:value-of select="config/user-fullname"/></fullname>
> >> +                  <user_password><xsl:value-of select="config/user-password"/></user_password>
> >> +                  <username><xsl:value-of select="config/user-login"/></username>
> >> +                </user>
> >> +              </xsl:if>
> >
> > So we don't set a user password on older suse?
> 
> We do!
> 
> At this point the only supported versions are:
> SLES 12:
>  - passwordless users must be created by useradd
>  - normal user creating can be done through <user> XML tag
> SLES 12 SP1 and SLES 12 SP2:
>  - both normal and passwordless users can be created through the
> <user> XML tag.

Ok, so I think it's the comment which confused me:
+              <!--
+                While SLES 12 doesn't allow creating a user without a password,
+                it's okay to do so on the newer versions
+                -->

It doesn't allow creating a user without a password *in this <user>
section*, this needs to be done with useradd instead (I'd add a similar
comment before the useradd part).

It's more clear to me now, thanks!

Christophe

Attachment: signature.asc
Description: PGP signature

_______________________________________________
Libosinfo mailing list
Libosinfo@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libosinfo

[Index of Archives]     [Virt Tools]     [Libvirt Users]     [Fedora Users]     [Fedora Maintainers]     [Fedora Desktop]     [Fedora SELinux]     [Big List of Linux Books]     [Yosemite News]     [KDE Users]

  Powered by Linux