# Generated by pykickstart v3.32
#version=RHEL7
# Install OS instead of upgrade
install
# Keyboard layouts
keyboard --vckeymap=us --xlayouts='us'
# Reboot after installation
reboot
# Root password
rootpw --iscrypted --lock locked
# Use network installation
url --url="http://linuxsoft.cern.ch/cern/centos/7/os/x86_64"
# System language
lang en_US.UTF-8
# Firewall configuration
firewall --disabled
# Use text mode install
text
# SELinux configuration
selinux --enforcing
# Network information
network --bootproto=dhcp --device=eth0
repo --name="koji-override-0" --baseurl=https://koji.cern.ch/kojifiles/repos/cc7-image-7x-build/724603/x86_64
# System timezone
timezone Europe/Zurich --isUtc
# System bootloader configuration
bootloader --location=none
# Clear the Master Boot Record
zerombr
# Partition clearing information
clearpart --all --initlabel
# Disk partitioning information
part / --fstype="ext4" --size=3000
%pre
ARCH=`uname -m`
cat >> /etc/rsyslog.conf <<DELIM
\$template AnacondaTemplate, "<%PRI%>%TIMESTAMP:::date-rfc3339% image:cc7-base-docker-$ARCH %syslogtag:1:32%%msg:::sp-if-no-1st-sp%%msg%"
\$ActionForwardDefaultTemplate AnacondaTemplate
module(load="imfile" mode="inotify")
input(type="imfile"
File="/tmp/anaconda.log"
Tag="anaconda")
input(type="imfile"
File="/tmp/dnf.librepo.log"
Tag="dnf-librepo")
input(type="imfile"
File="/tmp/packaging.log"
Tag="packaging")
input(type="imfile"
File="/tmp/ks-script-*.log"
Tag="ks-pre")
input(type="imfile"
File="/mnt/sysroot/root/ks-post.log"
Tag="ks-post")
*.* @@linuxsoftadm.cern.ch:5014
DELIM
/usr/bin/systemctl restart rsyslog
%end
%post --logfile=/root/ks-post.log
# randomize root password and lock root account
dd if=/dev/urandom count=50 | md5sum | passwd --stdin root
passwd -l root
# create necessary devices
/sbin/MAKEDEV /dev/console
rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-cern
rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7
rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-kojiv2
# some packages get installed even though we ask for them not to be,
# and they don't have any external dependencies that should make
# anaconda install them
rpm -e kernel
yum -y remove bind-libs bind-libs-lite dhclient dhcp-common dhcp-libs \
dracut-network e2fsprogs e2fsprogs-libs ebtables ethtool file \
firewalld freetype gettext gettext-libs groff-base grub2 grub2-tools \
grubby initscripts iproute iptables kexec-tools libcroco libgomp \
libmnl libnetfilter_conntrack libnfnetlink libselinux-python lzo \
libunistring os-prober python-decorator python-slip python-slip-dbus \
snappy sysvinit-tools which linux-firmware
yum -y install centos-release-scl
# Make sure we're up to date
yum -y distro-sync
yum clean all
rm -rf /etc/firewalld
rm -rf /boot
#delete a few systemd things
rm -rf /etc/machine-id
rm -rf /usr/lib/systemd/system/multi-user.target.wants/getty.target
rm -rf /usr/lib/systemd/system/multi-user.target.wants/systemd-logind.service
# Add tsflags to keep yum from installing docs
sed -i '/distroverpkg=centos-release/a tsflags=nodocs' /etc/yum.conf
#Make it easier for systemd to run in Docker container
cp /usr/lib/systemd/system/dbus.service /etc/systemd/system/
sed -i 's/OOMScoreAdjust=-900//' /etc/systemd/system/dbus.service
#Mask mount units and getty service so that we don't get login prompt
systemctl mask systemd-remount-fs.service dev-hugepages.mount sys-fs-fuse-connections.mount systemd-logind.service getty.target console-getty.service
#Generate installtime file record
/bin/date +%Y%m%d_%H%M > /etc/BUILDTIME
# man pages and documentation
find /usr/share/{man,doc,info,gnome/help} \
-type f | xargs /bin/rm
# ldconfig
rm -rf /etc/ld.so.cache
rm -rf /var/cache/ldconfig/*
rm -rf /var/cache/yum/*
rm -f /tmp/ks-script*
rm -f /usr/lib/locale/locale-archive
#Setup locale properly
localedef -v -c -i en_US -f UTF-8 en_US.UTF-8
# Create repo for systemd-container
#cat >/etc/yum.repos.d/systemd.repo <<EOF
#[systemdcontainer]
#name=CentOS-\$releasever - systemd-container
#baseurl=http://linuxsoft.cern.ch/mirror/dev.centos.org/centos/7/systemd-container/
#gpgcheck=1
#enabled=1
#gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
#
#EOF
# Clean up after the installer.
rm -f /etc/rpm/macros.imgcreate
# Fix /run/lock breakage since it's not tmpfs in docker
umount /run
systemd-tmpfiles --create --boot
############# CERN'ify ########################################################
cat > /etc/krb5.conf <<EOF
[libdefaults]
default_realm = CERN.CH
ticket_lifetime = 25h
renew_lifetime = 120h
forwardable = true
proxiable = true
default_tkt_enctypes = arcfour-hmac-md5 aes256-cts aes128-cts des3-cbc-sha1 des-cbc-md5 des-cbc-crc
allow_weak_crypto = true
chpw_prompt = true
[realms]
CERN.CH = {
default_domain = cern.ch
kpasswd_server = cerndc.cern.ch
admin_server = cerndc.cern.ch
kdc = cerndc.cern.ch
}
[domain_realm]
.cern.ch = CERN.CH
pam = {
external = true
krb4_convert = false
krb4_convert_524 = false
krb4_use_as_req = false
ticket_lifetime = 25h
use_shmem = sshd
}
EOF
cat > /etc/openldap/ldap.conf <<EOF
#
# LDAP CERN Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
#BASE DC=cern,DC=ch
#note cerndc provides gssapi auth, xldap does not.
#HOST cerndc.cern.ch # or xldap.cern.ch
#SIZELIMIT 12
#DEREF always
TLS_CACERTDIR /etc/openldap/certs
TLS_REQCERT demand
SSL start_tls
# Turning this off breaks GSSAPI used with krb5 when rdns = false
SASL_NOCANON on
EOF
%end
%post --nochroot
# Make rsyslog send everything before the reboot
pkill -HUP rsyslogd
sleep 30s
rm -rf /mnt/sysroot/root/ks-post.log
%end
%packages --excludedocs --nocore
CERN-CA-certs
bash
bind-utils
centos-release
cern-wrappers
cyrus-sasl-gssapi
epel-release
firewalld
hepix
iproute
iputils
less
openldap-clients
rootfiles
shadow-utils
vim-minimal
yum-autoupdate
yum-plugin-ovl
-*firmware
-bind-license
-freetype
-gettext*
-kernel*
-libteam
-os-prober
-teamd
-yum-firstboot
%end