Hey all,
I have sort of an odd request for you today in regards to Kickstart
configuration. I have recently created a kickstart configuration file to
better standardize the configuration aspect of my server installations.
I am having one issue and that is distributing a script (yum-check) via
the kickstart file (in %post section). Parts of the script get written
to the correct file (/usr/bin/yum-check & /etc/cron.daily/yum.cron)
however variables in the individual scripts I believe are getting parsed
by Kickstart. The parsing of these variables is preventing them from
being written to the respective file. I am wondering if any of you have
ever distributed a shell script via kickstart before and if so how did
you do it? I would also like to mention that I have attempted to wget
the script to the current directory (after cding into /usr/bin/ for
example) with no luck. I have attached my kickstart configuration file
so you can get a better picture of what I'm trying to do.
Thanks a lot,
Dan
# Kickstart file automatically generated by anaconda.
install
url --url=ftp://kickstart.example.com/install/CentOS/x86_64/5.3/
lang en_US.UTF-8
# Use text mode install
text
keyboard us
network --device eth0 --bootproto static --ip 192.168.101.161 --netmask 255.255.255.0 --gateway 192.168.101.1 --nameserver 192.168.101.14 --hostname guineapig.example.com
reboot
rootpw --iscrypted afdafsf0saf87
firewall --enabled --port=22:tcp
authconfig --enableshadow --enablemd5
selinux --enforcing
timezone --utc America/Chicago
bootloader --location=mbr --driveorder=sda
# The following is the partition information you requested
# Note that any partitions you deleted are not expressed
# here so unless you clear all partitions first, this is
# not guaranteed to work
clearpart --all --initlabel
part / --fstype ext3 --size 7683
part swap --fstype swap --size 509
%packages --nobase --ignoremissing
@editors
@core
bind-utils.x86_64
bind-libs.x86_64
telnet.x86_64
mailx.x86_64
vixie-cron.x86_64
audit.x86_64
man.x86_64
wget.x86_64
sendmail.x86_64
sudo.x86_64
openldap-clients.x86_64
nss_ldap.x86_64
ntp.x86_64
%post
### System Configuration Files Section ###
yum update -y
# Update default hasing algorith for userPasswords
authconfig --passalgo=sha512 --update
# /etc/nsswitch.conf
cat << EOF1 > /etc/nsswitch.conf
#
# /etc/nsswitch.conf
#
# An example Name Service Switch config file. This file should be
# sorted with the most-used services at the beginning.
#
# The entry '[NOTFOUND=return]' means that the search for an
# entry should stop if the search in the previous entry turned
# up nothing. Note that if the search failed due to some other reason
# (like no NIS server responding) then the search continues with the
# next entry.
#
# Legal entries are:
#
# nisplus or nis+ Use NIS+ (NIS version 3)
# nis or yp Use NIS (NIS version 2), also called YP
# dns Use DNS (Domain Name Service)
# files Use the local files
# db Use the local database (.db) files
# compat Use NIS on compat mode
# hesiod Use Hesiod for user lookups
# [NOTFOUND=return] Stop searching if not found so far
#
# To use db, put the "db" in front of "files" for entries you want to be
# looked up first in the databases
#
# Example:
#passwd: db files nisplus nis
#shadow: db files nisplus nis
#group: db files nisplus nis
passwd: files ldap
shadow: files ldap
group: files ldap
#hosts: db files nisplus nis dns
hosts: files dns
# Example - obey only what nisplus tells us...
#services: nisplus [NOTFOUND=return] files
#networks: nisplus [NOTFOUND=return] files
#protocols: nisplus [NOTFOUND=return] files
#rpc: nisplus [NOTFOUND=return] files
#ethers: nisplus [NOTFOUND=return] files
#netmasks: nisplus [NOTFOUND=return] files
bootparams: nisplus [NOTFOUND=return] files
ethers: files
netmasks: files
networks: files
protocols: files
rpc: files
services: files
netgroup: nisplus
publickey: nisplus
automount: files nisplus
aliases: files nisplus
nss_base_passwd ou=people,dc=example,dc=com?one
nss_base_shadow ou=people,dc=example,dc=com?one
nss_base_group ou=people,dc=example,dc=com?one
EOF1
# /etc/resolv.conf
cat << EOF2 > /etc/resolv.conf
# Created by Dan Burkland 8/17/2009
domain example.com
search example.com
nameserver 192.168.101.14
EOF2
# /etc/ssh/sshd_config
cat << EOF3 > /etc/ssh/sshd_config
#$OpenBSD: sshd_config,v 1.73 2005/12/06 22:38:28 reyk Exp $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options change a
# default value.
Port 22
#Protocol 2,1
Protocol 2
#AddressFamily any
ListenAddress 192.168.101.161
#ListenAddress ::
# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 768
# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
#LogLevel INFO
# Authentication:
LoginGraceTime 1m
PermitRootLogin no
#StrictModes yes
MaxAuthTries 4
#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile .ssh/authorized_keys
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
PasswordAuthentication yes
# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no
# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
# GSSAPI options
#GSSAPIAuthentication no
GSSAPIAuthentication yes
#GSSAPICleanupCredentials yes
GSSAPICleanupCredentials yes
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication mechanism.
# Depending on your PAM configuration, this may bypass the setting of
# PasswordAuthentication, PermitEmptyPasswords, and
# "PermitRootLogin without-password". If you just want the PAM account and
# session checks to run without PAM authentication, then enable this but set
# ChallengeResponseAuthentication=no
#UsePAM no
UsePAM yes
# Accept locale-related environment variables
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#ShowPatchLevel no
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10
#PermitTunnel no
# no default banner path
Banner /etc/issue
# override default of no subsystems
Subsystem sftp /usr/libexec/openssh/sftp-server
EOF3
# /etc/pam.d/system-auth
cat << EOF4 > /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_ldap.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so
auth required pam_tally2.so deny=3 onerr=fail unlock_time=60
account sufficient pam_ldap.so
account required pam_unix.so
account sufficient pam_succeed_if.so uid < 500 quiet
account required pam_permit.so
account required pam_tally2.so per_user
password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_ldap.so
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session optional pam_ldap.so
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
EOF4
# /etc/hosts
cat << EOF5 > /etc/hosts
127.0.0.1 localhost localhost.localdomain guineapig.example.com guineapig
EOF5
# /etc/issue
cat << EOF6 > /etc/issue
WARNING
This System is for the use of authorized users only. Individuals
using this computer without authority, or in excess of their
authority, are subject to having all of their activities on this
system monitored and recorded by system personnel. In the course
of monitoring individuals improperly using this system, or in the
course of system maintenance, the activities of authorized users
may also be monitored. Anyone using this system expressly
consents to such monitoring and is advised that if such
monitoring reveals possible criminal activity, system personnel
may provide the evidence of such monitoring to law enforcement
officials.
EOF6
# /etc/crontab modifications for NTP & Auditd log rotation
cat << EOF7 >> /etc/crontab
00 23 * * * root ntpdate north-america.pool.ntp.org
00 0 * * * root /etc/init.d/auditd rotate
EOF7
# /etc/ldap.conf
cat << EOF8 > /etc/ldap.conf
# /etc/ldap.conf - Created by: Dan Burkland 8/17/2009
uri ldaps://ldap.example.com
base dc=example,dc=com
timelimit 30
TLS_CACERT /etc/pki/tls/certs/cacert.pem
ssl on
nss_initgroups_ignoreusers root,haldaemon,dbus,ldap
EOF8
# /etc/pki/tls/certs/cacert.pem
cat << EOF9 > /etc/pki/tls/certs/cacert.pem
Certificate contents go here
EOF9
rm -f /etc/openldap/ldap.conf
ln -s /etc/ldap.conf /etc/openldap/ldap.conf
# Create /usr/bin/yum-check and make it executable
cat << EOF10 > /usr/bin/yum-check
#!/bin/sh
#
# Name: yum-check
# Author: Michael Heiming - 2005-03-11
# Function: Run from cron to check for yum updates
# and mail results
# Version: 0.7 (initial)
# 2005-03-12 0.8 randomize startup (cron only)
# Config: /etc/sysconfig/yum
# Pull in sysconfig settings
. /etc/sysconfig/yum-check
maila=${MAILTO:=root}
yumdat="/tmp/yum-check-update.$$"
yumb="/usr/bin/yum"
# wait a random interval if there is not a controlling terminal,
# for load management
if ! [ -t ]
then
num=$RANDOM
let "num %= ${RANGE:=1}"
sleep $num
fi
rm -f ${yumdat%%[0-9]*}*
$yumb check-update >& $yumdat
yumstatus="$?"
case $yumstatus in
100)
cat $yumdat |\
mail -s "Alert ${HOSTNAME} updates available!" $maila
exit 0
;;
0)
# Only send mail if debug is turned on
if [ ${CHECKWRK} = "yes" ];then
cat $yumdat |\
mail -s "Yum check succeeded ${HOSTNAME} zero patches available." $maila
fi
exit 0
;;
*)
# Unexpected yum return status
(echo "Undefined, yum return status: ${yumstatus}" && \
[ -e "${yumdat}" ] && cat "${yumdat}" )|\
mail -s "Alert ${HOSTNAME} problems running yum." $maila
esac
[ -e "${yumdat}" ] && rm ${yumdat}
EOF10
chmod +x /usr/bin/yum-check
# Create yum-check cronjob and make script executable
cat << EOF11 > /etc/cron.daily/yum.cron
#!/bin/sh
# Pull in sysconfig settings
. /etc/sysconfig/yum-check
if [ -f /var/lock/subsys/yum ]; then
if [ ${CHECKONLY} = "yes" ];then
/usr/bin/yum-check
fi
else
/usr/bin/yum -R 10 -e 0 -d 0 -y update yum
/usr/bin/yum -R 120 -e 0 -d 0 -y update
fi
EOF11
chmod +x /etc/cron.daily/yum.cron
# Create yum-check configuration file
cat << EOF12 > /etc/sysconfig/yum-check
# yes sets yum to check for updates and mail only if patches are available
# no does enable autoupdate if /var/lock/subsys/yum is available
CHECKONLY="yes"
# defaults to root, leave empty if .forward/alias in place for root
MAILTO="dan@xxxxxxxxxxx"
# Set to yes for debugging only! You'll get a mail for each run!
CHECKWRK="no"
# Seconds to randomize startup, if running from cron to balance load
RANGE="3600"
EOF12
# Change logrotate to rotate daily instead of weekly
cat << EOF13 > /etc/logrotate.conf
# see "man logrotate" for details
# rotate log files weekly
daily
# keep 4 days worth of backlogs
rotate 4
# create new (empty) log files after rotating old ones
create
# uncomment this if you want your log files compressed
#compress
# RPM packages drop log rotation information into this directory
include /etc/logrotate.d
# no packages own wtmp -- we'll rotate them here
/var/log/wtmp {
monthly
minsize 1M
create 0664 root utmp
rotate 1
}
# system-specific logs may be also be configured here.
EOF13
# IPtables rule configuration
cat << EOF14 > /etc/sysconfig/iptables
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
EOF14
# Disable USB mass storage module
cat << EOF15 > /etc/modprobe.d/blacklist-usbstorage
blacklist usb-storage
EOF15
# Restrict access to the "/root" folder
chmod 700 /root
# Set default umask to 077
sed -i 's/022/077/' /etc/bashrc
sed -i 's/022/077/' /etc/csh.cshrc
# Log out idle users after 15 minutes
cat << EOF16 > /etc/profile.d/autologout
readonly TMOUT=900
readonly HISTFILE
EOF16
# Make the os-security.sh executable
chmod +x /etc/profile.d/autologout
# Enable security-related sysctls
cat << EOF17 > /etc/sysctl.conf
# Kernel sysctl configuration file for Red Hat Linux
#
# For binary values, 0 is disabled, 1 is enabled. See sysctl(8) and
# sysctl.conf(5) for more details.
# Controls IP packet forwarding
net.ipv4.ip_forward = 0
# Controls the System Request debugging functionality of the kernel
kernel.sysrq = 0
# Controls whether core dumps will append the PID to the core filename
# Useful for debugging multi-threaded applications
kernel.core_uses_pid = 1
Controls the maximum size of a message, in bytes
kernel.msgmnb = 65536
# Controls the default maxmimum size of a mesage queue
kernel.msgmax = 65536
# Controls the maximum shared segment size, in bytes
kernel.shmmax = 68719476736
# Controls the maximum number of shared memory segments, in pages
kernel.shmall = 4294967296
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.tcp_max_syn_backlog = 1280
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.tcp_timestamps = 0
EOF17
# /etc/sudoers
cat << EOF18 > /etc/sudoers
## Sudoers allows particular users to run various commands as
## the root user, without needing the root password.
##
## Examples are provided at the bottom of the file for collections
## of related commands, which can then be delegated out to particular
## users or groups.
##
## This file must be edited with the 'visudo' command.
## Host Aliases
## Groups of machines. You may prefer to use hostnames (perhap using
## wildcards for entire domains) or IP addresses instead.
# Host_Alias FILESERVERS = fs1, fs2
# Host_Alias MAILSERVERS = smtp, smtp2
## User Aliases
## These aren't often necessary, as you can use regular groups
## (ie, from files, LDAP, NIS, etc) in this file - just use %groupname
## rather than USERALIAS
# User_Alias ADMINS = jsmith, mikem
## Command Aliases
## These are groups of related commands...
## Networking
Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool
## Installation and management of software
Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum
## Services
Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig
## Updating the locate database
Cmnd_Alias LOCATE = /usr/bin/updatedb
## Storage
Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount
## Delegating permissions
Cmnd_Alias DELEGATING = /usr/sbin/visudo, /bin/chown, /bin/chmod, /bin/chgrp
## Processes
Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall
## Drivers
Cmnd_Alias DRIVERS = /sbin/modprobe
# Defaults specification
#
# Disable "ssh hostname sudo <cmd>", because it will show the password in clear.
# You have to run "ssh -t hostname sudo <cmd>".
#
Defaults requiretty
Defaults env_reset
Defaults env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR \
LS_COLORS MAIL PS1 PS2 QTDIR USERNAME \
LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION \
LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC \
LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS \
_XKB_CHARSET XAUTHORITY"
## Next comes the main part: which users can run what software on
## which machines (the sudoers file can be shared between multiple
## systems).
## Syntax:
##
## user MACHINE=COMMANDS
##
## The COMMANDS section may have other options added to it.
##
## Allow root to run any commands anywhere
root ALL=(ALL) ALL
example ALL=(ALL) ALL
## Allows members of the 'sys' group to run networking, software,
## service management apps and more.
# %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS
## Allows people in group wheel to run all commands
# %wheel ALL=(ALL) ALL
## Same thing without a password
# %wheel ALL=(ALL) NOPASSWD: ALL
## Allows members of the users group to mount and unmount the
## cdrom as root
# %users ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom
## Allows members of the users group to shutdown this system
# %users localhost=/sbin/shutdown -h now
EOF18
# /etc/nscd.conf
cat << EOF19 > /etc/nscd.conf
server-user nscd
debug-level 0
reload-count unlimited
paranoia no
enable-cache passwd yes
positive-time-to-live passwd 3600
negative-time-to-live passwd 20
suggested-size passwd 211
check-files passwd yes
persistent passwd yes
shared passwd yes
max-db-size passwd 33554432
enable-cache group yes
positive-time-to-live group 3600
negative-time-to-live group 60
suggested-size group 211
check-files group yes
persistent group yes
shared group yes
max-db-size group 33554432
enable-cache hosts no
EOF19
# Permantely prevent IPv6 module from being loaded
cat << EOF20 > /etc/modprobe.d/disableipv6
install ipv6 /bin/true
EOF20
# Disable another IPv6 related setting
cat << EOF21 >> /etc/sysconfig/network
NETWORKING_IPV6=no
EOF21
# Set secure permissions on /etc/sudoers file
chmod 440 /etc/sudoers
# Set secure permissions on /bin/su
chmod 700 /bin/su
# Enable/Disable necessary services
chkconfig sendmail on
chkconfig auditd on
chkconfig nscd on
chkconfig ip6tables off
chkconfig multipathd off
chkconfig netconsole off
chkconfig netfs off
chkconfig netplugd off
chkconfig rdisc off
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
