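# Kickstart for a minimal Fedora 18 x86_64 cloud/virt image: a single ext4
# root on vda, no grub (extlinux is installed by hand in %post), cloud-init
# for provisioning, and a static iptables ruleset in place of firewalld.
#
# NOTE(review): this file was recovered from a whitespace-mangled copy; the
# here-document redirections in %post (`cat <<EOF > file`) were restored
# from the surrounding `EOF` terminators — confirm against the original.

# kludge in syslinux in post
# The install tree and the mirrorlist below are fetched over plain HTTP, so
# package integrity rests entirely on RPM GPG signature checking; do not add
# --nogpgcheck / gpgcheck=0 to these lines.
url --url http://linux.seas.harvard.edu/fedora/linux/releases/18/Fedora/x86_64/os/
lang en_US.UTF-8
keyboard us
timezone --utc America/New_York
# NOTE(review): --enablemd5 selects MD5 for hashes of passwords set later on
# the installed system; --passalgo=sha512 is the stronger choice. Left as the
# author wrote it because it changes the image's auth configuration — confirm.
auth --useshadow --enablemd5
selinux --enforcing
# this is actually not used, but a static firewall
# matching these rules is generated below.
firewall --service=ssh
# NOTE(review): the salt component "EMPTY" suggests this may be the hash of an
# empty password — confirm. If root is meant to be reachable only through the
# ssh key cloud-init installs, `rootpw --lock` ships no usable hash at all.
rootpw --iscrypted $6$EMPTY$EhNAfNMypasaVSl/JO22g/.SNPOiy8mRpEjXz71Z9.UJacIBW6fqnecN4N5NTxB3DhQT/BM0ZWflIcI/2.1fy0
bootloader --location=none
network --bootproto=dhcp --device=eth0 --onboot=on
# iptables is enabled here but ip6tables is not, and nothing in %post writes
# /etc/sysconfig/ip6tables: the static firewall below only covers IPv4.
services --enabled=network,sshd,rsyslog,iptables,cloud-init,cloud-init-local,cloud-config,cloud-final
clearpart --all
part / --size 2048 --fstype ext4 --ondisk vda
# This keeps anaconda from going into GUI mode, making the install slightly
# easier to follow for debugging
text
# Repositories
repo --name=fedora --mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=fedora-18&arch=$basearch
#repo --name=fedora-updates --mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=updates-released-f18&arch=$basearch
reboot

# Package list.
%packages --nobase
@core
kernel
# cloud-init does magical things with EC2 metadata, including provisioning
# a user account with ssh keys.
cloud-init
syslinux-extlinux
# Needed initially, but removed below.
firewalld
# Basic firewall. If you're going to rely on your cloud service's
# security groups you can remove this.
iptables-services
# cherry-pick a few things from @standard
tmpwatch
tar
rsync
# Some things from @core we can do without in a minimal install
-biosdevname
-NetworkManager
#-polkit
-parted
%end

# --erroronfail: any command below that exits non-zero aborts the image build
# instead of silently producing a half-configured image.
%post --erroronfail
echo -n "Writing fstab"
# Quoted delimiter: the content is literal, nothing to expand.
cat <<'EOF' > /etc/fstab
LABEL=root / ext4 defaults 1 1
EOF
echo .

# The fstab above mounts by label, so the label must exist on the root device.
echo "Labeling the root filesystem."
e2label /dev/vda1 root

# The MAC of the build VM must not be baked into the image; every clone gets
# its own NIC.
echo -n "Removing MAC address from ethernet config"
sed -i '/^HWADDR/d' /etc/sysconfig/network-scripts/ifcfg-eth0
echo .

# setup systemd to boot to the right runlevel
echo -n "Setting default runlevel to multiuser text mode"
rm -f /etc/systemd/system/default.target
ln -s /lib/systemd/system/multi-user.target /etc/systemd/system/default.target
echo .

# If you want to remove rsyslog and just use journald, also uncomment this.
#echo -n "Enabling persistent journal"
#mkdir /var/log/journal/
#echo .

# this is installed by default but we don't need it in virt
# (-C: work from the yum cache only; no network access during %post)
echo "Removing linux-firmware package."
yum -C -y remove linux-firmware

# extlinux replaces grub2 below; drop grub2 and the packages only it pulled in.
echo "Removing grub2."
yum -C -y remove grub2 grub2-tools fedora-logos os-prober gettext gettext-libs libgomp libcroco libunistring
rm -vf /etc/grub.conf
rm -vrf /boot/grub2

# Remove firewalld; was supposed to be optional in F18, but is required to
# be present for install/image building.
echo "Removing firewalld."
yum -C -y remove firewalld ebtables pygobject3-base python-slip gobject-introspection python-decorator python-slip-dbus

# Non-firewalld-firewall
# Default-deny inbound except loopback, ICMP, established flows and ssh;
# forwarding is rejected outright. IPv4 only (see the services line above).
echo -n "Writing static firewall"
cat <<'EOF' > /etc/sysconfig/iptables
# Simple static firewall loaded by iptables.service. Replace
# this with your own custom rules, run lokkit, or switch to
# shorewall or firewalld as your needs dictate.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 22 -j ACCEPT
#-A INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 80 -j ACCEPT
#-A INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
echo .

# Because memory is scarce resource in most cloud/virt environments,
# and because this impedes forensics, we are differing from the Fedora
# default of having /tmp on tmpfs.
echo "Disabling tmpfs for /tmp."
systemctl mask tmp.mount

# appliance-creator does not make this important file.
if [ ! -e /etc/sysconfig/kernel ]; then
  echo "Creating /etc/sysconfig/kernel."
  cat <<'EOF' > /etc/sysconfig/kernel
# UPDATEDEFAULT specifies if new-kernel-pkg should make
# new kernels the default
UPDATEDEFAULT=yes

# DEFAULTKERNEL specifies the default kernel package type
DEFAULTKERNEL=kernel
EOF
fi

# Uncomment this if you want to use cloud init but suppress the creation
# of an "ec2-user" account. This will, in the absence of further config,
# cause the ssh key from a metadata source to be put in the root account.
#cat <<EOF > /etc/cloud/cloud.cfg.d/50_suppress_ec2-user_use_root.cfg
#users: []
#disable_root: 0
#EOF

# Resolve the newest kernel/initramfs once instead of three times inside the
# here-document. `ls -v` is kept deliberately: it sorts by version, which a
# plain shell glob cannot do. Fail the build early rather than write a
# bootloader entry with empty kernel/initrd paths.
latest_kernel=$(ls -v /boot/vmlinuz-* | tail -1)
latest_initrd=$(ls -v /boot/initramfs-* | tail -1)
if [ -z "$latest_kernel" ] || [ -z "$latest_initrd" ]; then
  echo "No kernel or initramfs found under /boot; cannot write extlinux.conf" >&2
  exit 1
fi
# Version string = everything after the last "vmlinuz-" (same as the
# previous `sed s/.*vmlinuz-//`).
kver=${latest_kernel##*vmlinuz-}

echo "Creating extlinux.conf"
# Unquoted delimiter: the variables below must expand into the config.
cat <<EOF > /boot/extlinux/extlinux.conf
ui menu.c32
prompt 0
timeout 1
totaltimeout 9000
menu hidden
menu title Fedora
label Fedora (${kver})
  kernel ${latest_kernel}
  append ro serial=tty0 console=ttyS0,115200n8 root=LABEL=root initrd=${latest_initrd}
EOF

echo "Installing extlinux"
/sbin/extlinux --install /boot/extlinux

yum clean all

echo "Zeroing out empty space."
# This forces the filesystem to reclaim space from deleted files
# (and lets the resulting image compress well). dd is expected to stop with
# ENOSPC, so its failure is deliberately ignored; the file is removed after.
dd bs=1M if=/dev/zero of=/var/tmp/zeros || :
rm -f /var/tmp/zeros
echo "(Don't worry -- that out-of-space error was expected.)"

%end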