# This is a basic Fedora 18 spin designed to work in OpenStack and other
# private cloud environments. It's configured with cloud-init so it will
# take advantage of ec2-compatible metadata services for provisioning
# ssh keys. That also currently creates an ec2-user account; we'll probably
# want to make that something generic by default. The root password is empty
# by default.
#
# Note that unlike the standard F18 install, this image has /tmp on disk
# rather than in tmpfs, since memory is usually at a premium.
# Locale, keyboard and clock for the built image; the hardware clock is
# treated as UTC.
lang en_US.UTF-8
keyboard us
timezone --utc America/New_York
# NOTE(review): --enablemd5 selects MD5 for the local password hashes in
# /etc/shadow; kickstart also accepts --passalgo=sha512. Confirm MD5 is
# really wanted. There is no rootpw line in this file, so the empty root
# password mentioned in the header is the default; OpenSSH's default of
# PermitEmptyPasswords no presumably keeps it unusable over ssh, but it
# would still be usable on a console -- confirm that is intended.
auth --useshadow --enablemd5
# SELinux stays enforcing in the image; nothing in %post relabels or
# relaxes it.
selinux --enforcing
# this is actually not used, but a static firewall
# matching these rules is generated below (the /etc/sysconfig/iptables
# heredoc in %post: new connections only on tcp/22, the rest of INPUT and
# FORWARD rejected).
firewall --service=ssh
# Zero timeout: no interactive boot menu on a headless guest.
bootloader --timeout=0 --location=mbr --driveorder=sda
network --bootproto=dhcp --device=eth0 --onboot=on
# iptables is enabled so iptables.service loads the static rule file written
# in %post; the cloud-* units are presumably cloud-init's boot stages.
services --enabled=network,sshd,rsyslog,iptables,cloud-init,cloud-init-local,cloud-config,cloud-final
# Single root filesystem plus the BIOS boot partition; no swap partition.
part biosboot --fstype=biosboot --size=1 --ondisk sda
part / --size 10000 --fstype ext4 --ondisk sda
# Repositories
# NOTE(review): both mirrorlists are fetched over plain http, so package
# integrity rests on RPM signature checking; confirm gpgcheck is in effect
# for the build.
repo --name=fedora --mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=fedora-18&arch=$basearch
repo --name=fedora-updates --mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=updates-released-f18&arch=$basearch
# Package list. --nobase: only @core plus what is listed here; the leading
# '-' lines drop packages @core would otherwise pull in.
%packages --nobase
@core
kernel
# cloud-init does magical things with EC2 metadata, including provisioning
# a user account with ssh keys.
cloud-init
# Not needed with pv-grub (as in EC2). Would be nice to have
# something smaller for F19 (syslinux?), but this is what we have now.
grub2
# Needed initially, but removed below (see the yum remove in %post).
firewalld
# Basic firewall. If you're going to rely on your cloud service's
# security groups you can remove this.
iptables-services
# cherry-pick a few things from @standard
tmpwatch
tar
rsync
# Some things from @core we can do without in a minimal install
-biosdevname
-plymouth
-NetworkManager
-polkit
%end
# %post runs inside the freshly installed image tree. --erroronfail makes
# any command that exits non-zero abort the build, which is why the one
# step expected to fail (the dd at the end) has its status discarded.
%post --erroronfail
# Single-entry fstab; the label matches the root= argument written into
# grub.conf further down.
echo -n "Writing fstab"
cat <<EOF > /etc/fstab
LABEL=_/ / ext4 defaults 1 1
EOF
echo .
# Both the grub2 config and the legacy-format grub.conf used by pv-grub are
# edited to boot the first entry with no delay. The edits assume
# /boot/grub/grub.conf already exists (sed -i fails on a missing file, which
# would abort the build).
echo -n "Grub tweaks"
echo GRUB_TIMEOUT=0 > /etc/default/grub
sed -i 's/^set timeout=5/set timeout=0/' /boot/grub2/grub.cfg
sed -i '1i# This file is for use with pv-grub; legacy grub is not installed in this image' /boot/grub/grub.conf
sed -i 's/^timeout=5/timeout=0/' /boot/grub/grub.conf
sed -i 's/^default=1/default=0/' /boot/grub/grub.conf
sed -i '/splashimage/d' /boot/grub/grub.conf
# need to file a bug on this one
# NOTE(review): the pattern root=.* runs to the end of the line, so any
# kernel arguments that follow root= on the kernel line are dropped along
# with the old root value; keep that in mind if arguments are ever added.
sed -i 's/root=.*/root=LABEL=_\//' /boot/grub/grub.conf
echo .
# Give grub.conf the menu.lst name pv-grub looks for (hard link) and the
# /etc/grub.conf symlink, but only when menu.lst is not there yet.
if ! [[ -e /boot/grub/menu.lst ]]; then
echo -n "Linking menu.lst to old-style grub.conf for pv-grub"
ln /boot/grub/grub.conf /boot/grub/menu.lst
ln -sf /boot/grub/grub.conf /etc/grub.conf
fi
# setup systemd to boot to the right runlevel: point default.target at
# multi-user.target, i.e. no graphical target in this guest.
echo -n "Setting default runlevel to multiuser text mode"
rm -f /etc/systemd/system/default.target
ln -s /lib/systemd/system/multi-user.target /etc/systemd/system/default.target
echo .
# If you want to remove rsyslog and just use journald, also uncomment this.
#echo -n "Enabling persistent journal"
#mkdir /var/log/journal/
#echo .
# this is installed by default but we don't need it in virt.
# yum -C works from the local cache only, so neither removal below needs
# the network at this point in the build.
echo "Removing linux-firmware package."
yum -C -y remove linux-firmware
# Remove firewalld; was supposed to be optional in F18, but is required to
# be present for install/image building.
echo "Removing firewalld."
yum -C -y remove firewalld
# Non-firewalld-firewall: the static rule set that iptables.service (enabled
# in the services line above) loads at boot. New inbound connections are
# accepted only on tcp/22; everything else on INPUT and FORWARD is rejected
# and OUTPUT is left open. The 80/443 rules ship commented out in the file
# itself. The heredoc's leading '#' lines are file content, not script
# comments.
echo -n "Writing static firewall"
cat <<EOF > /etc/sysconfig/iptables
# Simple static firewall loaded by iptables.service. Replace
# this with your own custom rules, run lokkit, or switch to
# shorewall or firewalld as your needs dictate.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 22 -j ACCEPT
#-A INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 80 -j ACCEPT
#-A INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
echo .
# Because memory is a scarce resource in most cloud/virt environments,
# and because this impedes forensics, we are differing from the Fedora
# default of having /tmp on tmpfs. Masking the unit keeps it from being
# started by anything else.
echo "Disabling tmpfs for /tmp."
systemctl mask tmp.mount
# appliance-creator does not make this important file. Written only when
# absent so an existing one is not clobbered. The '#' lines inside the
# heredoc are file content.
if [ ! -e /etc/sysconfig/kernel ]; then
echo "Creating /etc/sysconfig/kernel."
cat <<EOF > /etc/sysconfig/kernel
# UPDATEDEFAULT specifies if new-kernel-pkg should make
# new kernels the default
UPDATEDEFAULT=yes
# DEFAULTKERNEL specifies the default kernel package type
DEFAULTKERNEL=kernel
EOF
fi
# Uncomment this if you want to use cloud init but suppress the creation
# of an "ec2-user" account. This will, in the absence of further config,
# cause the ssh key from a metadata source to be put in the root account.
#cat <<EOF > /etc/cloud/cloud.cfg.d/50_suppress_ec2-user_use_root.cfg
#users: []
#disable_root: 0
#EOF
echo "Zeroing out empty space."
# This forces the filesystem to reclaim space from deleted files: dd writes
# zeros until the filesystem is full and then fails, which is why its status
# is discarded with "|| :" (a bare failure would abort the build under
# --erroronfail). Filling free blocks with zeros also overwrites most residue
# of files deleted earlier in %post (e.g. the packages removed above), so it
# does not ship in the published image.
dd bs=1M if=/dev/zero of=/var/tmp/zeros || :
rm -f /var/tmp/zeros
echo "(Don't worry -- that out-of-space error was expected.)"
%end