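# This is a basic Fedora 19 spin designed to work in OpenStack and other
# private cloud environments. This flavor isn't configured with cloud-init
# or any other metadata service; you'll need your own way of getting
# user (or root) credentials on the system.
#
# This kickstart file is designed to be used with appliance-creator and
# may need slight modification for use with actual anaconda or other tools.
# We intend to target anaconda-in-a-vm style image building for F20.
#
# Review notes (see inline comments for details):
#   - the two 'cat ... /etc/sysconfig/{iptables,kernel}' heredocs were
#     written as input redirections ('cat < file'), so the rule/config text
#     that follows would never have been written to disk; fixed to '>' + 'EOF'.
#   - password hashing switched from the MD5 authconfig setting to SHA-512.

text
lang en_US.UTF-8
keyboard us
timezone --utc Etc/UTC
# SHA-512 instead of '--enablemd5': the MD5 crypt setting is a weak hash for
# anything stored in /etc/shadow, including the rootpw below.
auth --useshadow --passalgo=sha512
selinux --enforcing
# Build-time placeholder. The value is readable by anyone who can see this
# kickstart and is reachable over sshd (enabled below) once the image boots.
# For any image that leaves the build host, prefer 'rootpw --iscrypted <hash>'
# or 'rootpw --lock' and inject credentials some other way.
rootpw verybad
# this is actually not used, but a static firewall
# matching these rules is generated below.
firewall --service=ssh
bootloader --timeout=1 --extlinux
network --bootproto=dhcp --device=eth0 --onboot=on
# NOTE(review): only the IPv4 'iptables' unit is enabled; 'ip6tables' is not,
# so if the cloud hands the guest an IPv6 address that traffic is not covered
# by the static rules written in %post — confirm against your provider's
# security groups before relying on the host firewall alone.
services --enabled=network,sshd,rsyslog,iptables

clearpart --all
autopart

# Repositories
# NOTE(review): the mirrorlist is fetched over plain http; package integrity
# then rests on the build tool's rpm/gpg signature checking — confirm
# appliance-creator enforces gpgcheck for these repos.
repo --name=fedora --mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=fedora-19&arch=$basearch
repo --name=fedora-updates --mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=updates-released-f19&arch=$basearch

# Package list.
# Just the basics, here.
%packages --nobase
@core
kernel

# We need this image to be portable; also, rescue mode isn't useful here.
dracut-nohostonly
dracut-norescue

# Not needed with pv-grub (as in EC2), and pulled in automatically
# by anaconda, but appliance-creator needs the hint
syslinux-extlinux

# Needed initially, but removed below.
firewalld

# Basic firewall. If you're going to rely on your cloud service's
# security groups you can remove this.
iptables-services

# cherry-pick a few things from @standard
tar
rsync

# Some things from @core we can do without in a minimal install
-biosdevname
-plymouth
-NetworkManager
-iprutils

%end

# %post runs inside the image chroot. Consider '%post --erroronfail' so a
# failing step (e.g. the firewall write below) aborts the build instead of
# quietly producing an image without that file.
%post

# Kickstart specifies timeout in seconds; syslinux uses 10ths.
# 0 means wait forever, so instead we'll go with 1.
sed -i 's/^timeout 10/timeout 1/' /boot/extlinux/extlinux.conf

# setup systemd to boot to the right runlevel
echo -n "Setting default runlevel to multiuser text mode"
rm -f /etc/systemd/system/default.target
ln -s /lib/systemd/system/multi-user.target /etc/systemd/system/default.target
echo .

# If you want to remove rsyslog and just use journald, also uncomment this.
#echo -n "Enabling persistent journal"
#mkdir /var/log/journal/
#echo .

# this is installed by default but we don't need it in virt
echo "Removing linux-firmware package."
yum -C -y remove linux-firmware

# Remove firewalld; was supposed to be optional in F19, but is required to
# be present for install/image building.
echo "Removing firewalld."
yum -C -y remove firewalld --setopt="clean_requirements_on_remove=1"

# Non-firewalld-firewall
# Written as an output heredoc: default-deny on INPUT/FORWARD, with only
# established/related traffic, ICMP, loopback and new TCP/22 accepted.
echo -n "Writing static firewall"
cat > /etc/sysconfig/iptables << EOF
# Simple static firewall loaded by iptables.service. Replace
# this with your own custom rules, run lokkit, or switch to
# shorewall or firewalld as your needs dictate.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 22 -j ACCEPT
#-A INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 80 -j ACCEPT
#-A INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
echo .

echo -n "Network fixes"
# initscripts don't like this file to be missing.
cat > /etc/sysconfig/network << EOF
NETWORKING=yes
EOF

# For cloud images, 'eth0' _is_ the predictable device name, since
# we don't want to be tied to specific virtual (!) hardware
# (glob intentionally unquoted: drop every generated 70-* rule)
rm -f /etc/udev/rules.d/70*
ln -s /dev/null /etc/udev/rules.d/80-net-name-slot.rules

# simple eth0 config, again not hard-coded to the build hardware
cat > /etc/sysconfig/network-scripts/ifcfg-eth0 << EOF
DEVICE="eth0"
BOOTPROTO="dhcp"
ONBOOT="yes"
TYPE="Ethernet"
EOF

# generic localhost names
cat > /etc/hosts << EOF
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
EOF
echo .

# Because memory is scarce resource in most cloud/virt environments,
# and because this impedes forensics, we are differing from the Fedora
# default of having /tmp on tmpfs.
echo "Disabling tmpfs for /tmp."
systemctl mask tmp.mount

# appliance-creator does not make this important file.
if [ ! -e /etc/sysconfig/kernel ]; then
  echo "Creating /etc/sysconfig/kernel."
  # heredoc body kept at column 0 so the file carries no leading whitespace
  cat > /etc/sysconfig/kernel << EOF
# UPDATEDEFAULT specifies if new-kernel-pkg should make
# new kernels the default
UPDATEDEFAULT=yes

# DEFAULTKERNEL specifies the default kernel package type
DEFAULTKERNEL=kernel
EOF
fi

# make sure firstboot doesn't start
echo "RUN_FIRSTBOOT=NO" > /etc/sysconfig/firstboot

echo "Cleaning old yum repodata."
yum clean all

# discard unused blocks so the resulting image is smaller
echo "Zeroing out empty space with fstrim."
/usr/sbin/fstrim /

%end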