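# Kickstart for RHEL/CentOS 7 "tux" nodes (manager / collector).
#
# %pre detects the platform (bare metal, VMware, VirtualBox), enforces a
# minimum disk size and writes two files that the main section pulls in via
# %include: /tmp/part-include (partitioning) and /tmp/virtual (extra
# packages). The %post sections install bundled RPMs from the media and
# apply the baseline host configuration.

lang en_US
keyboard us
timezone America/New_York --isUtc
# NOTE(review): one and the same MD5-crypt ($1$) hash is used below for root,
# tuxoper and tuxagent although 'auth --passalgo=sha512' is requested: a
# single credential unlocks all three accounts, and MD5-crypt is far cheaper
# to brute-force than sha512-crypt. Generate a distinct $6$ hash per account
# before this file is shipped; also note that the hash is readable by anyone
# who can fetch the kickstart during installation.
rootpw $1$qrBNJr0C$8J4stpPzjQZywX33wnMn7. --iscrypted
#platform x86, AMD64, or Intel EM64T
reboot --eject
cdrom
bootloader --location=mbr --append="rhgb quiet crashkernel=auto"
zerombr
clearpart --all --initlabel
# === include partitioning scheme generated in pre ===
%include /tmp/part-include
# ====================================================
auth --passalgo=sha512 --useshadow
selinux --enforcing
firewall --enabled --ssh
skipx
firstboot --disable
user --name=tuxoper --password=$1$qrBNJr0C$8J4stpPzjQZywX33wnMn7. --iscrypted
user --name=tuxagent --password=$1$qrBNJr0C$8J4stpPzjQZywX33wnMn7. --iscrypted

%packages
@base
policycoreutils-python
libseccomp
PyYAML-3.10-11.el7
python-jinja2
python-pyasn1
nfs-utils
lksctp-tools
pexpect
screen
nmap-ncat
telnet
lftp
lshw
tmux
cairo
numactl
perf
ltrace
dstat
iotop
iptraf-ng
net-snmp-utils
lldpad
# /tmp/virtual holds "open-vm-tools" on VMware and is empty elsewhere (see %pre).
%include /tmp/virtual
%end

%pre --erroronfail --log=/tmp/ks-pre.log
# Anaconda runs this with /bin/sh; the syntax below stays POSIX so it does
# not depend on which shell that resolves to.

# === storage minimum capacity settings (GB) ===
bm_storage_min_size=400
vm_storage_min_size=16
# ==============================================

# Writes the bare-metal partitioning scheme to /tmp/part-include.
# $1 - node type; "manager" additionally gets the /var/esdata volume,
#      everything else receives the collector layout.
# NOTE(review): several logvol entries below carry no --name; pykickstart has
# historically required it — confirm this file parses on the target anaconda.
write_bare_metal_parts() {
  node_type=$1
  {
    echo "part /boot/efi --size=200 --ondisk=sda --fstype=vfat --label=EFIBOOT"
    echo "part /boot --size=512 --ondisk=sda --asprimary --fstype=ext4 --label=boot --fsoptions=acl,user_xattr,errors=remount-ro,nodev,noexec,nosuid"
    echo "part pv.00 --size=150000 --asprimary --ondisk=sda"
    echo "part pv.01 --size=1 --grow --asprimary --ondisk=sda"
    echo "volgroup vg_root pv.00"
    echo "volgroup vg_app pv.01"
    echo "logvol swap --name=swap --vgname=vg_root --size=32000"
    echo "logvol / --fstype=ext4 --fsoptions=acl,user_xattr,errors=remount-ro --size=30000 --name=root --vgname=vg_root"
    echo "logvol /var --fstype=ext4 --fsoptions=acl,user_xattr,errors=remount-ro --size=1 --grow --vgname=vg_root"
    echo "logvol /var/log --fstype=ext4 --fsoptions=acl,user_xattr,errors=remount-ro --size=20000 --vgname=vg_root"
    echo "logvol /var/log/audit --fstype=ext4 --fsoptions=acl,user_xattr,errors=remount-ro --size=20000 --vgname=vg_root"
    echo "logvol /var/crash --fstype=ext4 --fsoptions=acl,user_xattr,errors=remount-ro --size=24000 --vgname=vg_root"
    echo "logvol /home --fstype=ext4 --fsoptions=acl,user_xattr,errors=remount-ro --size=2000 --vgname=vg_root"
    echo "logvol /var/docker-volumes --fstype=ext4 --fsoptions=acl,user_xattr,errors=remount-ro --size=100000 --vgname=vg_app"
    if [ "$node_type" = "manager" ]; then
      echo "logvol /var/esdata --fstype=ext4 --fsoptions=acl,user_xattr,errors=remount-ro --size=50000 --vgname=vg_app"
    fi
    echo "logvol /var/lib/docker --fstype=ext4 --fsoptions=acl,user_xattr,errors=remount-ro --size=16000 --vgname=vg_app"
  } > /tmp/part-include
}

# Prints the size of /dev/sda in whole (decimal, 10^9) GB on stdout.
# The previous 'fdisk -l | grep /dev/sda' also matched partition lines
# (/dev/sda1, ...) on a pre-used disk, producing a multi-line value that made
# the '-lt' test fail, and depended on fdisk choosing GB as its unit.
# Returns non-zero when the device size cannot be read.
disk_capacity_gb() {
  bytes=$(blockdev --getsize64 /dev/sda) || return 1
  echo $(( bytes / 1000000000 ))
}

# Shared VMware/VirtualBox path: enforce the VM minimum, then write the
# %packages include and let anaconda auto-partition.
# $1 - hypervisor label used in the console messages
# $2 - content of /tmp/virtual ("open-vm-tools" or empty)
setup_virtual() {
  label=$1
  virtual_pkgs=$2
  whiptail --infobox --title "HARDWARE DETECTION" "Detected hardware: $label" 10 40 > /dev/console
  sleep 10
  # An unreadable disk is treated as too small so the operator sees the size
  # error rather than an obscure partitioning failure later on.
  capacity=$(disk_capacity_gb) || capacity=0
  sleep 1
  if [ "$capacity" -lt "$vm_storage_min_size" ]; then
    whiptail --infobox --title "HARD DISK REQUIREMENTS" "ERROR: Minimum hard disk capacity for $label installation is $vm_storage_min_size GB. Will reboot now." 10 50 > /dev/console
    sleep 15
    reboot
  else
    echo "$virtual_pkgs" > /tmp/virtual
    # ============== generate partitioning scheme for virtual machines ===========
    echo "autopart" > /tmp/part-include
    # ===========================================================================
  fi
}

# Warn before anything on the disk is destroyed; whiptail's exit status is the
# answer (non-zero means "No" or Esc).
part_table=$(kpartx -r /dev/sda)
if [ -n "$part_table" ]; then
  if ! whiptail --fb --title "WARNING" --yesno --defaultno "This system contains partition table. Installation will DELETE EXISTING DATA on this system. Continue?" 12 50 > /dev/console; then
    reboot
  fi
fi

sleep 20
hw=$(virt-what | head -1)
sleep 10

# === read tux_node type from grub menuentry parameter ===
# NOTE(review): this takes the third '='-separated field of the whole kernel
# command line, so it relies on the exact parameter order in the menuentry
# rather than on a named key — confirm against grub.cfg before changing
# boot parameters.
tux_node_type=$(cut -f 3 -d '=' /proc/cmdline | cut -f 1 -d ' ')

if [ -z "$hw" ]; then
  whiptail --infobox --title "HARDWARE DETECTION" "Detected hardware: Bare Metal" 10 40 > /dev/console
  sleep 10
  capacity=$(disk_capacity_gb) || capacity=0
  sleep 1
  if [ "$capacity" -lt "$bm_storage_min_size" ]; then
    whiptail --infobox --title "HARD DISK REQUIREMENTS" "ERROR: Minimum hard disk capacity for Bare Metal installation is $bm_storage_min_size GB. Will reboot now." 10 50 > /dev/console
    sleep 15
    reboot --eject
  else
    # === open-vm-tools dummy replacement for bare metal ===
    echo "" > /tmp/virtual
    # Only manager and collector nodes have a bare-metal scheme. Any other
    # node type leaves /tmp/part-include unwritten (as before), so the
    # %include in the main section will fail at that point.
    if [ "$tux_node_type" = "manager" ] || [ "$tux_node_type" = "collector" ]; then
      write_bare_metal_parts "$tux_node_type"
    fi
  fi
elif [ "$hw" = "vmware" ]; then
  # === open-vm-tools installation for vmware only ===
  setup_virtual "VMWare" "open-vm-tools"
elif [ "$hw" = "virtualbox" ]; then
  # === open-vm-tools dummy replacement for virtualbox ===
  setup_virtual "VirtualBox" ""
else
  whiptail --infobox --title "HARDWARE DETECTION" "WARNING: This Operating System is not released for recognized hardware: $hw. Will reboot now." 10 40 > /dev/console
  sleep 10
  reboot
fi
%end

%post --nochroot --log=/mnt/sysimage/tmp/ks-post-nochroot.log
# Install the RPMs bundled on the install media into the target root.
# Every 'cd' is guarded with '&&': without it a missing directory would run
# the rpm command against whatever the previous working directory held.
soft=/run/install/repo/soft
cd "$soft/docker" && rpm -ivh --root /mnt/sysimage *.rpm
cp "$soft/docker/docker-compose" /mnt/sysimage/usr/local/bin/
chmod 755 /mnt/sysimage/usr/local/bin/docker-compose
cd "$soft/ansible" && rpm -ivh --root /mnt/sysimage *.rpm
# The utils packages are installed one at a time, in this order (presumably
# dependency order — kept as the original had it).
cd "$soft/utils" && for pkg in python-GnuPGInterface python-lockfile ncftp python2-pyasn1 python2-rsa python2-boto ngrep librsync duplicity duply; do
  rpm -ivh --root /mnt/sysimage "$pkg"*.rpm
done
cd "$soft/performance" && rpm -ivh --root /mnt/sysimage *.rpm
%end

%post --log=/tmp/ks-post-chroot.log
# === enable docker service ===
systemctl enable docker.service
# === disable RHN unit services ===
systemctl disable rhnsd.service rhsmcertd.service
# === disable postfix unit service ===
systemctl disable postfix.service

# === add tuxoper to sudoers ===
# Unattended-automation grant: together with the passphrase-less key created
# below, anything holding tuxoper's key or password is root on this host.
echo "# Allow tuxoper to run any commands anywhere" >> /etc/sudoers
echo "tuxoper ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers

# === set ssh keys for tuxoper ===
# Empty passphrase so Ansible can run non-interactively; protect the private
# key accordingly (it is generated into /home/tuxoper/.ssh by ssh-keygen).
su - tuxoper -c "ssh-keygen -t rsa -f /home/tuxoper/.ssh/id_rsa -N ''"

# === set kernel parameters ===
# NOTE(review): kernel.exec-shield is not exposed by RHEL 7 kernels (x86_64
# relies on NX + ASLR instead) — confirm, and drop the key if sysctl logs it
# as unknown at boot.
cat >> /etc/sysctl.conf <<'EOF'
kernel.exec-shield = 1
kernel.randomize_va_space = 2
net.ipv4.ip_forward = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.tcp_syncookies = 1
EOF

# === set security options ===
cat >> /etc/security/limits.conf <<'EOF'
tuxoper soft nofile 4096
tuxoper hard nofile 10240
tuxoper soft nproc 200000
tuxoper hard nproc 270000
tuxagent soft nofile 4096
tuxagent hard nofile 10240
tuxagent soft nproc 200000
tuxagent hard nproc 270000
EOF

# === set journalctl past boots logging ===
cat >> /etc/systemd/journald.conf <<'EOF'
Storage=persistent
SystemMaxUse=5G
EOF

# === read tux_node type from grub menuentry parameter ===
# Same positional parse as in %pre; see the note there.
tux_node_type=$(cut -f 3 -d '=' /proc/cmdline | cut -f 1 -d ' ')

# === set global system aliases ===
# Quoted delimiter: the text is written literally, so the aliases keep their
# $SHELL / $PATH references and the "\n" for tr without relying on echo's
# backslash handling.
cat >> /etc/bashrc <<'EOF'
# Reload the shell (i.e. invoke as a login shell)
alias reload='exec $SHELL -l'
# Print each PATH entry in a separate line
alias path='echo $PATH | tr : "\n"'
EOF

# === set global system variables ===
# Unquoted delimiter on purpose: $tux_node_type is expanded now, while the
# escaped \$TUX_* references are written verbatim for evaluation at login.
# (The original had lost its '<<EOF' redirection and would have read the
# not-yet-existing file instead of writing it.)
cat > /etc/profile.d/tux.sh <<EOF
# /etc/profile.d/tux.sh
TUX_DETECTED_FUNCTION=$tux_node_type
TUX_NODE_FUNCTION=\$TUX_DETECTED_FUNCTION
TUX_LOG_DIR=/var/log/tux
TUX_INSTALL_LOG_DIR=\$TUX_LOG_DIR/install
TUX_MANAGER_LOG_DIR=\$TUX_LOG_DIR/manager
TUX_COLLECTOR_LOG_DIR=\$TUX_LOG_DIR/collector
EOF

# === disable host key checking in ansible ===
# This removes Ansible's protection against a host being impersonated on
# first contact; acceptable only if managed hosts are reached over a network
# you control. Pre-seeding known_hosts would keep the check enabled.
sed -i 's/#host_key_checking = False/host_key_checking = False/g' /etc/ansible/ansible.cfg

# === verify rpm consistency ===
# Output lands in the %post log and serves as the post-install baseline.
rpm --verify -a
%end

%post
# === generate install log ===
# Move the two earlier %post logs into the install log directory defined in
# /etc/profile.d/tux.sh (written by the chroot %post above).
. /etc/profile.d/tux.sh
mkdir -p "$TUX_INSTALL_LOG_DIR"
mv /tmp/ks-post-chroot.log "$TUX_INSTALL_LOG_DIR/ks-post-chroot.log"
mv /tmp/ks-post-nochroot.log "$TUX_INSTALL_LOG_DIR/ks-post-nochroot.log"
%end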