118 lines
3.5 KiB
INI
118 lines
3.5 KiB
INI
%post --nochroot --erroronfail
|
|
|
|
# Source common functions
|
|
. /tmp/ks-functions.sh
|
|
|
|
# Change GUID of backup partition
|
|
change_guid=/tmp/backup-guid-change.sh
|
|
if [ -f "$change_guid" ]; then
|
|
sh $change_guid || report_post_failure_with_logfile "ERROR: Failed to update platform backup GUID"
|
|
fi
|
|
|
|
%end
|
|
|
|
%post --erroronfail
|
|
|
|
# Source common functions
|
|
. /tmp/ks-functions.sh
|
|
|
|
# Turn off locale support for i18n if is not installed
|
|
if [ ! -d /usr/share/i18n ] ; then
|
|
rm -f /etc/sysconfig/i18n
|
|
fi
|
|
# Unset the hostname
|
|
rm /etc/hostname
|
|
|
|
# If using a serial install make sure to add a getty on the tty1
|
|
conarg=`cat /proc/cmdline |xargs -n1 echo |grep console= |grep ttyS`
|
|
if [ -n "$conarg" ] ; then
|
|
echo "1:2345:respawn:/sbin/mingetty tty1" >> /etc/inittab
|
|
fi
|
|
|
|
#### SECURITY PROFILE HANDLING (Post Installation) ####
|
|
# Check if the Security profile mode is enabled
|
|
# and load the appropriate kernel modules
|
|
secprofile=`cat /proc/cmdline |xargs -n1 echo |grep security_profile= | grep extended`
|
|
if [ -n "$secprofile" ]; then
|
|
echo "In Extended Security profile mode. Loading IMA kernel module"
|
|
systemctl enable auditd.service
|
|
# Add the securityfs mount for the IMA Runtime measurement list
|
|
echo "securityfs /sys/kernel/security securityfs defaults,nodev 0 0" >> /etc/fstab
|
|
else
|
|
# Disable audit daemon in the Standard Security Profile
|
|
systemctl disable auditd
|
|
fi
|
|
|
|
. /etc/platform/platform.conf
|
|
|
|
# Delete the CentOS yum repo files
|
|
rm -f /etc/yum.repos.d/CentOS-*
|
|
|
|
# Create platform yum repo file
|
|
cat >/etc/yum.repos.d/platform.repo <<EOF
|
|
[platform-base]
|
|
name=platform-base
|
|
baseurl=http://controller:${http_port:-8080}/feed/rel-xxxPLATFORM_RELEASExxx
|
|
gpgcheck=0
|
|
enabled=1
|
|
|
|
[platform-updates]
|
|
name=platform-updates
|
|
baseurl=http://controller:${http_port:-8080}/updates/rel-xxxPLATFORM_RELEASExxx
|
|
gpgcheck=0
|
|
enabled=1
|
|
EOF
|
|
|
|
# Persist the boot device naming as UDEV rules so that if the network device
|
|
# order changes post-install that we will still be able to DHCP from the
|
|
# correct interface to reach the active controller. For most nodes only the
|
|
# management/boot interface needs to be persisted but because we require both
|
|
# controllers to be identically configured and controller-0 and controller-1
|
|
# are installed differently (e.g., controller-0 from USB and controller-1 from
|
|
# network) it is not possible to know which interface to persist for
|
|
# controller-0. The simplest solution is to persist all interfaces.
|
|
#
|
|
mkdir -p /etc/udev/rules.d
|
|
echo "# Persisted network interfaces from anaconda installer" > /etc/udev/rules.d/70-persistent-net.rules
|
|
for dir in /sys/class/net/*; do
|
|
if [ -e ${dir}/device ]; then
|
|
dev=$(basename ${dir})
|
|
mac_address=$(cat /sys/class/net/${dev}/address)
|
|
echo "ACTION==\"add\", SUBSYSTEM==\"net\", DRIVERS==\"?*\", ATTR{address}==\"${mac_address}\", NAME=\"${dev}\"" >> /etc/udev/rules.d/70-persistent-net.rules
|
|
fi
|
|
done
|
|
|
|
# Mark the sysadmin password as expired immediately
|
|
chage -d 0 sysadmin
|
|
|
|
# Lock the root password
|
|
passwd -l root
|
|
|
|
# Enable tmpfs mount for /tmp
|
|
# delete /var/tmp so that it can similinked in
|
|
rm -rf /var/tmp
|
|
systemctl enable tmp.mount
|
|
|
|
# Disable automount of /dev/hugepages
|
|
systemctl mask dev-hugepages.mount
|
|
|
|
# Disable firewall
|
|
systemctl disable firewalld
|
|
|
|
# Disable libvirtd
|
|
systemctl disable libvirtd.service
|
|
|
|
# Enable rsyncd
|
|
systemctl enable rsyncd.service
|
|
|
|
# Allow root to run sudo from a non-tty (for scripts running as root that run sudo cmds)
|
|
echo 'Defaults:root !requiretty' > /etc/sudoers.d/root
|
|
|
|
# Make fstab just root read/writable
|
|
chmod 600 /etc/fstab
|
|
|
|
# Create first_boot flag
|
|
touch /etc/platform/.first_boot
|
|
|
|
%end
|