On Tue, May 02, 2017 at 09:25:00PM +0200, Fabiano Fidêncio wrote: > On Tue, May 2, 2017 at 1:48 PM, Christophe Fergeau <cfergeau@xxxxxxxxxx> wrote: > > On Sun, Apr 23, 2017 at 12:41:30AM +0200, Fabiano Fidêncio wrote: > >> The install-scripts added support SLES 12, SLES 12 SP1 and SLES 12 SP2. > >> > >> Those scripts were completely based on the openSUSE ones and tested > >> against the "free for download" ISOs provided by SUSE, that you can find > >> in: https://www.suse.com/download-linux/ > >> > >> Signed-off-by: Fabiano Fidêncio <fabiano@xxxxxxxxxxxx> > >> --- > >> .../suse.com/suse-autoyast-desktop.xml.in | 287 +++++++++++++++++++++ > >> .../suse.com/suse-autoyast-jeos.xml.in | 201 +++++++++++++++ > >> data/os/suse.com/sles-12.1.xml.in | 7 +- > >> data/os/suse.com/sles-12.2.xml.in | 13 +- > >> data/os/suse.com/sles-12.xml.in | 7 +- > >> 5 files changed, 509 insertions(+), 6 deletions(-) > >> create mode 100644 data/install-script/suse.com/suse-autoyast-desktop.xml.in > >> create mode 100644 data/install-script/suse.com/suse-autoyast-jeos.xml.in > >> > >> diff --git a/data/install-script/suse.com/suse-autoyast-desktop.xml.in b/data/install-script/suse.com/suse-autoyast-desktop.xml.in > >> new file mode 100644 > >> index 0000000..acb38c1 > >> --- /dev/null > >> +++ b/data/install-script/suse.com/suse-autoyast-desktop.xml.in 
> >> @@ -0,0 +1,287 @@ > >> +<libosinfo version="0.0.1"> > >> +<!-- Licensed under the GNU General Public License version 2 or later. > >> + See http://www.gnu.org/licenses/ for a copy of the license text --> > >> + > >> + <!-- DESKTOP PROFILE --> > >> + <install-script id='http://suse.com/suse/autoyast/desktop'> > >> + <profile>desktop</profile> > >> + <expected-filename>autoinst.xml</expected-filename> > >> + <config> > >> + <!-- Localization options --> > >> + <param name="l10n-keyboard" policy="optional" value-map="http://x.org/x11-keyboard"/> > >> + <param name="l10n-language" policy="optional"/> > >> + <param name="l10n-timezone" policy="optional"/> > >> + > >> + <!-- Network options --> > >> + <param name="hostname" policy="optional"/> > >> + <param name="domain" policy="optional"/> > >> + > >> + <!-- Account options --> > >> + <param name="admin-password" policy="optional"/> > >> + <param name="user-fullname" policy="optional"/> > >> + <param name="user-login" policy="required"/> > >> + <param name="user-password" policy="optional"/> > >> + <param name="avatar-location" policy="optional"/> > >> + <param name="avatar-disk" policy="optional"/> > >> + </config> > >> + <injection-method>disk</injection-method> > >> + > >> + <template> > >> + <xsl:stylesheet > >> + xmlns:xsl="http://www.w3.org/1999/XSL/Transform" > >> + version="1.0"> > >> + > >> + <xsl:output method="xml" indent="yes" omit-xml-declaration="yes"/> > >> + > >> + <xsl:template name="l10n-language"> > >> + <xsl:choose> > >> + <xsl:when test="config/l10n-language != '' and config/l10n-language != 'C'"> > >> + <xsl:value-of select="config/l10n-language"/> > >> + </xsl:when> > >> + <xsl:otherwise> > >> + <xsl:text>en_US</xsl:text> > >> + </xsl:otherwise> > >> + </xsl:choose> > >> + </xsl:template> > >> + > >> + <xsl:template name="l10n-keyboard"> > >> + <xsl:choose> > >> + <xsl:when test="config/l10n-keyboard != '' and config/l10n-keyboard != 'C'"> > >> + <xsl:value-of select="config/l10n-keyboard"/> 
> >> + </xsl:when> > >> + <xsl:otherwise> > >> + <xsl:text>us</xsl:text> > >> + </xsl:otherwise> > >> + </xsl:choose> > >> + </xsl:template> > >> + > >> + <xsl:template match="/command-line"> > >> + <xsl:text>autoyast=device://sda/</xsl:text> > > > > I guess vda is not valid there? > > Nops. That's the same case for OpenSUSE. > > > > >> + <xsl:value-of select="script/expected-filename"/> > >> + </xsl:template> > >> + > >> + <xsl:template match="/install-script-config"> > >> + <profile xmlns="http://www.suse.com/1.0/yast2ns" xmlns:config="http://www.suse.com/1.0/configns"> > >> + <bootloader> > >> + <device_map config:type="list"> > >> + <device_map_entry> > >> + <firmware>hd0</firmware> > >> + <linux>/dev/vda</linux> > >> + </device_map_entry> > >> + </device_map> > >> + <global> > >> + <activate>true</activate> > >> + <append>resume=/dev/vda1 splash=silent quiet showopts</append> > >> + <boot_boot>false</boot_boot> > >> + <boot_extended>false</boot_extended> > >> + <boot_mbr>false</boot_mbr> > >> + <boot_root>true</boot_root> > >> + <default>0</default> > >> + <distributor/> > >> + <failsafe_disabled>true</failsafe_disabled> > >> + <generic_mbr>true</generic_mbr> > >> + <gfxmode>auto</gfxmode> > >> + <os_prober>true</os_prober> > >> + <terminal>gfxterm</terminal> > >> + <timeout config:type="integer">8</timeout> > >> + <vgamode/> > >> + </global> > >> + <loader_type>grub2</loader_type> > >> + </bootloader> > >> + <firewall> > >> + <enable_firewall config:type="boolean">false</enable_firewall> > >> + <start_firewall config:type="boolean">false</start_firewall> > >> + </firewall> > > > > Any particular reason to disable firewall? > > No particular reason. I'll remove it in a v2. 
> > > > >> + <general> > >> + <ask-list config:type="list"/> > >> + <mode> > >> + <confirm config:type="boolean">false</confirm> > >> + <final_reboot config:type="boolean">true</final_reboot> > >> + </mode> > >> + <proposals config:type="list"/> > >> + <signature-handling> > >> + <accept_file_without_checksum config:type="boolean">true</accept_file_without_checksum> > >> + <accept_non_trusted_gpg_key config:type="boolean">true</accept_non_trusted_gpg_key> > >> + <accept_unknown_gpg_key config:type="boolean">true</accept_unknown_gpg_key> > >> + <accept_unsigned_file config:type="boolean">true</accept_unsigned_file> > >> + <accept_verification_failed config:type="boolean">false</accept_verification_failed> > >> + <import_gpg_key config:type="boolean">true</import_gpg_key> > >> + </signature-handling> > > > > This seems fairly unsecure too, is this required? > > Hmm. I'll double check, but I do believe I can drop those for SLES. > > > > > > >> + <storage> > >> + <partition_alignment config:type="symbol">align_optimal</partition_alignment> > >> + <start_multipath config:type="boolean">false</start_multipath> > >> + </storage> > >> + </general> > >> + <keyboard> > >> + <keyboard_values> > >> + <delay/> > >> + <discaps config:type="boolean">false</discaps> > >> + <numlock>bios</numlock> > >> + <rate/> > >> + </keyboard_values> > >> + <keymap><xsl:call-template name="l10n-keyboard"/></keymap> > >> + </keyboard> > >> + <language><xsl:call-template name="l10n-language"/></language> > >> + <networking> > >> + <managed config:type="boolean">false</managed> > >> + <interfaces config:type="list"> > >> + <interface> > >> + <bootproto>dhcp</bootproto> > >> + <device>eth0</device> > >> + <startmode>auto</startmode> > >> + <usercontrol>no</usercontrol> > >> + </interface> > >> + </interfaces> > >> + </networking> > >> + <partitioning config:type="list"> > >> + <drive> > >> + <device>/dev/vda</device> > >> + <type config:type="symbol">CT_DISK</type> > >> + <use>all</use> > >> + 
</drive> > >> + </partitioning> > >> + <report> > >> + <errors> > >> + <log config:type="boolean">true</log> > >> + <show config:type="boolean">true</show> > >> + <timeout config:type="integer">0</timeout> > >> + </errors> > >> + <messages> > >> + <log config:type="boolean">true</log> > >> + <show config:type="boolean">true</show> > >> + <timeout config:type="integer">10</timeout> > >> + </messages> > >> + <warnings> > >> + <log config:type="boolean">true</log> > >> + <show config:type="boolean">true</show> > >> + <timeout config:type="integer">10</timeout> > >> + </warnings> > >> + <yesno_messages> > >> + <log config:type="boolean">true</log> > >> + <show config:type="boolean">true</show> > >> + <timeout config:type="integer">10</timeout> > >> + </yesno_messages> > >> + </report> > >> + <scripts> > >> + <chroot-scripts config:type="list"> > >> + <script> > >> + <chrooted config:type="boolean">true</chrooted> > >> + <source> > >> + > >> +if test -z '<xsl:value-of select="config/user-password"/>'; then > >> +pam-config -a --unix-nullok > >> +pam-config -a --nullok > > > > Shouldn't this be conditional on the SUSE version as done below? > > Nops. It's needed for all versions to allow setting a user with no password. > > > > >> + > >> +<xsl:if test="os/version = 12"> > >> +useradd <xsl:value-of select="config/user-login"/> -m -G users > >> +passwd -d <xsl:value-of select="config/user-login"/> > >> +</xsl:if> > > > > Does this mean we are not setting a password on older suse? > > There's no older SUSE script at this point. > > For 12 SP1 and 12 SP2 we can do this using the <users> XML tag, while > for 12 the only way that worked was by actually adding the user as > done above. 
> > > > >> + > >> +#Enable passwordless login for users that are part of the nopasswdlogin group > >> +sed -i '4 i auth sufficient pam_succeed_if.so user ingroup nopasswdlogin' /etc/pam.d/gdm-password > >> +fi > >> + > >> +if test -n '<xsl:value-of select="config/avatar-location"/>'; then > >> +# Set user avatar > >> +mkdir /mnt/unattended-media > >> +mount <xsl:value-of select='config/avatar-disk'/> /mnt/unattended-media > >> +cp /mnt/unattended-media<xsl:value-of select="config/avatar-location"/> /var/lib/AccountsService/icons/<xsl:value-of select="config/user-login"/> > >> +umount /mnt/unattended-media > >> + > >> +echo " > >> +[User] > >> +Language=<xsl:value-of select="config/l10n-language"/>.UTF-8 > >> +XSession=gnome > >> +Icon=/var/lib/AccountsService/icons/<xsl:value-of select="config/user-login"/> > >> +" >> /var/lib/AccountsService/users/<xsl:value-of select="config/user-login"/> > >> +fi > >> + </source> > >> + </script> > >> + </chroot-scripts> > >> + </scripts> > >> + <services-manager> > >> + <default_target>graphical</default_target> > >> + </services-manager> > >> + <software> > >> + <packages config:type="list"> > >> + <package>autoyast2-installation</package> > >> + <package>gdm</package> > >> + </packages> > >> + <patterns config:type="list"> > >> + <pattern>Minimal</pattern> > >> + <pattern>apparmor</pattern> > >> + <pattern>base</pattern> > >> + <pattern>gnome-basic</pattern> > >> + <pattern>printing</pattern> > >> + <xsl:if test="os/version > 12"> > >> + <pattern>smt</pattern> > >> + </xsl:if> > >> + <pattern>x11</pattern> > >> + </patterns> > >> + </software> > >> + <sysconfig config:type="list"> > >> + <sysconfig_entry> > >> + <sysconfig_key>DISPLAYMANAGER</sysconfig_key> > >> + <sysconfig_path>/etc/sysconfig/displaymanager</sysconfig_path> > >> + <sysconfig_value>gdm</sysconfig_value> > >> + </sysconfig_entry> > >> + <sysconfig_entry> > >> + <sysconfig_key>DEFAULT_WM</sysconfig_key> > >> + 
<sysconfig_path>/etc/sysconfig/windowmanager</sysconfig_path> > >> + <sysconfig_value>gnome</sysconfig_value> > >> + </sysconfig_entry> > >> + </sysconfig> > >> + <timezone> > >> + <hwclock>UTC</hwclock> > >> + <timezone><xsl:value-of select="config/l10n-timezone"/></timezone> > >> + </timezone> > >> + <user_defaults> > >> + <expire/> > >> + <group>100</group> > >> + <groups/> > >> + <home>/home</home> > >> + <inactive>-1</inactive> > >> + <no_groups config:type="boolean">true</no_groups> > >> + <shell>/bin/bash</shell> > >> + <skel>/etc/skel</skel> > >> + <umask>022</umask> > >> + </user_defaults> > > > > Same question, a bit below you check for suse version before allowing > > empty passwords, should the condition be here too? > > That's not the case here. The group "nopasswdlogin" must be created in > any SLES version in order to allow passwordless login. > > > > >> + <xsl:if test="config/user-password = ''"> > >> + <groups config:type="list"> > >> + <group> > >> + <group_password>x</group_password> > >> + <groupname>nopasswdlogin</groupname> > >> + <userlist><xsl:value-of select="config/user-login"/></userlist> > >> + </group> > >> + </groups> > >> + </xsl:if> > >> + <users config:type="list"> > >> + <user> > >> + <encrypted config:type="boolean">false</encrypted> > >> + <fullname>root</fullname> > >> + <gid>0</gid> > >> + <home>/root</home> > >> + <shell>/bin/bash</shell> > >> + <uid>0</uid> > >> + <user_password><xsl:value-of select="config/admin-password"/></user_password> > >> + <username>root</username> > >> + </user> > >> + <!-- > >> + While SLES 12 doesn't allow creating a user without a password, > >> + it's okay to do so on the newer versions > >> + --> > >> + <xsl:if test="config/user-password != '' or os/version > 12"> > >> + <user> > >> + <encrypted config:type="boolean">false</encrypted> > >> + <fullname><xsl:value-of select="config/user-fullname"/></fullname> > >> + <user_password><xsl:value-of select="config/user-password"/></user_password> > >> 
+ <username><xsl:value-of select="config/user-login"/></username> > >> + </user> > >> + </xsl:if> > > > > So we don't set a user password on older suse? > > We do! > > At this point the only supported versions are: > SLES 12: > - passwordless users must be created by useradd > - normal user creating can be done through <user> XML tag > SLES 12 SP1 and SLES 12 SP2: > - both normal and passwordless users can be created through the > <user> XML tag. Ok, so I think it's the comment which confused me: + <!-- + While SLES 12 doesn't allow creating a user without a password, + it's okay to do so on the newer versions + --> It doesn't allow creating a user without a password *in this <user> section*, this needs to be done with useradd instead (I'd add a similar comment before the useradd part). It's more clear to me now, thanks! Christophe
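Review bot: In the chroot-script source block, config values are pasted into the shell script without safe quoting. The check `test -z '<xsl:value-of select="config/user-password"/>'` breaks as soon as the password contains a single quote. The line `useradd <xsl:value-of select="config/user-login"/> -m -G users`, the mount of config/avatar-disk and the cp of config/avatar-location take their values as bare words, so whitespace or shell metacharacters in them change what the script runs inside the chroot. Suggest moving the empty-password decision into XSL, as the patch already does for the nopasswdlogin group with `<xsl:if test="config/user-password = ''">`, so the password never reaches the script, and quoting the login, disk and avatar path after restricting them to a safe character set. Separately, the sed insert into /etc/pam.d/gdm-password depends on a fixed line number (4); anchoring on an existing auth line would survive changes to that file.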
_______________________________________________ Libosinfo mailing list Libosinfo@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libosinfo