Linux Kickstart Scripts

Tags: iso, kickstart, linux, scientific-linux

I've been working on a kickstart script for a Scientific Linux install. My goal is to create a CD ISO so that someone can install it easily on a server. I've been able to do a decent amount with it but I'm still running into a few problems that I would like help on.

  1. When the boot menu starts and I select "install" or "install (text mode)", it never goes directly to the install. It goes to a command prompt where I have to type in root and then run "liveinst".
  2. When the install starts, I want to remove some of the options. For example, I am defining the time zone, language, etc. in the kickstart script, so I don't want anyone to be able to modify that.
  3. It's not prompting me for the network information. I don't want to run firstboot, I just want it to ask me for the network during the initial setup. I've tried various things in the kickstart script such as "asknet", "network --query", and none seem to work.
  4. The iptables setup doesn't work. I've tried adding "iptables --ssh --http --port:514" at the top of the kickstart script, I've tried echoing commands into /etc/sysconfig/iptables, I've tried rewriting the file completely, and none of it seems to work.

Any help or pointers would be greatly appreciated.

######################################################
## Custom Kickstart Script
######################################################

######################################################
## Include another kickstart script
######################################################

%include sl62-livecd-gnome.ks

######################################################
## Basic Settings
######################################################

cdrom
install
autopart
autostep
xconfig --startxonboot
rootpw testpassword

lang en_US.UTF-8
keyboard us
timezone --utc America/New_York
auth --useshadow --enablemd5
selinux --disabled
services --enabled=iptables,rsyslog,sshd,ntpd,NetworkManager,network --disabled=sendmail,cups,firstboot,ip6tables

clearpart --all

######################################################
## Repos
######################################################
repo --name=base          --baseurl=http://ftp.scientificlinux.org/linux/scientific/6.2/$basearch/os/
repo --name=security   --baseurl=http://ftp.scientificlinux.org/linux/scientific/6.2/$basearch/updates/security/

######################################################
## Packages
######################################################

%packages

# Additional firmware support
aic94xx-firmware
netxen-firmware
atmel-firmware
bfa-firmware
ql2100-firmware
ql2200-firmware
ql23xx-firmware
ql2400-firmware
ql2500-firmware
rt61pci-firmware
rt73usb-firmware
xorg-x11-drv-ati-firmware

# Remove these packages
-tigervnc-server
-tigervnc
-postfix
-pidgin
-cups
-pulseaudio-module-bluetooth
-gnome-bluetooth-libs
-gnome-bluetooth
-cheese
-evolution-data-server
-libgweather
-tsclient

/usr/sbin/lokkit

%end

######################################################
## Post Script --nochroot (nochroot environment allows you to copy from the build host environment to the livecd build environment)
######################################################
%post --nochroot

# Modify desktop background
cp -f my_wallpaper.jpg $INSTALL_ROOT/usr/share/backgrounds/1280x1024_default.png
cp -f my_wallpaper.jpg $INSTALL_ROOT/usr/share/backgrounds/1920x1200_default.png
cp -f my_wallpaper.jpg $INSTALL_ROOT/usr/share/backgrounds/2048x1536_default.png

# Copy new splash screen for boot menu
cp -f splash.jpg $LIVE_ROOT/isolinux/

# Copy icons for the new applications
cp -f logo-16x16.png $INSTALL_ROOT/usr/share/icons/gnome/16x16/apps/logo.png
cp -f logo-22x22.png $INSTALL_ROOT/usr/share/icons/gnome/22x22/apps/logo.png
cp -f logo-24x24.png $INSTALL_ROOT/usr/share/icons/gnome/24x24/apps/logo.png
cp -f logo-32x32.png $INSTALL_ROOT/usr/share/icons/gnome/32x32/apps/logo.png
cp -f logo-32x32.png $INSTALL_ROOT/usr/share/icons/gnome/scalable/apps/logo.png

# Copy some files to the hard drive, will put them in the desktop later in the post script
cp -f system_stats $INSTALL_ROOT/usr/local/bin/

# Modify the boot menu
cat > $LIVE_ROOT/isolinux/isolinux.cfg << EOF_boot_menu

default vesamenu.c32
timeout 100

menu background splash.jpg
menu title Welcome to MyISO!
menu color border 0 #ffffffff #00000000
menu color sel 7 #ffffffff #ff000000
menu color title 0 #ffffffff #00000000
menu color tabmsg 0 #ffffffff #00000000
menu color unsel 0 #ffffffff #00000000
menu color hotsel 0 #ff000000 #ffffffff
menu color hotkey 7 #ffffffff #ff000000
menu color timeout_msg 0 #ffffffff #00000000
menu color timeout 0 #ffffffff #00000000
menu color cmdline 0 #ffffffff #00000000
menu hidden
menu hiddenrow 5
label install0
 menu label Install
 kernel vmlinuz0
 append initrd=initrd0.img root=live:CDLABEL=MyISO rootfstype=auto ro liveimg liveinst noswap rd_NO_LUKS rd_NO_MD rd_NO_DM
menu default
EOF_boot_menu

%end

#####################################################
## Post Script (chroot environment isolates the livecd build environment from the host that is building the livecd)
#####################################################
%post

# Add a new user and modify permissions
/usr/sbin/useradd support -G wheel -c "Support" -d /home/support -s /bin/bash; echo password | passwd --stdin support

# Create the .ssh directory for root to have passwordless logins to the syslog server
mkdir /root/.ssh

# Create the keys
cat > /root/.ssh/id_rsa << EOF_id_rsa
PASTE PRIVATE KEY HERE
EOF_id_rsa

cat > /root/.ssh/id_rsa.pub << EOF_id_rsa_pub
PASTE PUBLIC KEY HERE
EOF_id_rsa_pub

# Modify the permissions for the ssh key
chown root:root -R /root/.ssh/
chmod 700 -R /root/.ssh/

# Allow wheel group sudo access
cat >> /etc/sudoers << EOF_sudoers

### Allow wheel group sudo access ###
%wheel ALL=(ALL) ALL
EOF_sudoers

# Modify ssh_config
cat >> /etc/ssh/ssh_config << EOF_ssh_config

### Specific settings for timeouts
TCPKeepAlive yes
ServerAliveInterval 120
ServerAliveCountMax 3

### Don't prompt for host verification
StrictHostKeyChecking no
EOF_ssh_config

# Modify sshd_config
/bin/sed -i 's/#PermitRootLogin yes/PermitRootLogin no/' /etc/ssh/sshd_config
/sbin/service sshd restart

# Create a directory for rsyslog queuing
mkdir /var/spool/rsyslog

# Modify rsyslog configuration
cat >> /etc/rsyslog.conf << EOF_rsyslog

### Queuing Config ###
\$WorkDirectory /var/spool/rsyslog
\$ActionQueueType LinkedList
\$ActionQueueFileName remotequeue
\$ActionResumeRetryCount -1
\$ActionQueueSaveOnShutdown on
\$ActionQueueMaxFileSize 100m
\$ActionQueueMaxDiskSpace 5g

### Forwarding Rule ###
*.*     @@127.0.0.1:1514
EOF_rsyslog

# Start the SSH tunnel and ensure if it goes down, it will be restarted
cat >> /etc/rc.local << EOF_inittab
ssh -fnNTx -L 1514:127.0.0.1:514 syslog_user@192.168.56.110 > /dev/null 2>&1
EOF_inittab

cat >> /usr/local/bin/ssh_syslog << EOF_ssh_syslog
#!/bin/bash
if ps aux | grep "ssh -fnNTx" | grep -v "grep"
then
echo "Already Running"
else
echo "Starting now"
ssh -fnNTx -L 1514:127.0.0.1:514 syslog_user@192.168.56.110
fi
EOF_ssh_syslog

# Executable by everyone but writable only by root; 777 would let any local
# user edit a script that cron runs as root
chmod 755 /usr/local/bin/ssh_syslog

cat >> /etc/crontab << EOF_ssh_cron
*/1 * * * * root /usr/local/bin/ssh_syslog
EOF_ssh_cron

# Allow forwarding (first line is for initial allowance, second line is to maintain during a reboot)
echo 1 > /proc/sys/net/ipv4/ip_forward
/bin/sed -i 's/net.ipv4.ip_forward = 0/net.ipv4.ip_forward = 1/' /etc/sysctl.conf

cat > /etc/sysconfig/iptables.script << EOF_iptables_script
#!/bin/bash
# Iptables configuration script

# Flush all current rules and delete the user-defined chain, so the script can
# be re-run (e.g. from rc.local after the iptables service restored the saved
# rules) without "chain already exists" errors
/sbin/iptables -F
/sbin/iptables -X

# Loopback address
/sbin/iptables -A INPUT -i lo -j ACCEPT

# Established inbound rule
/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Define new chain with all management IPs
/sbin/iptables -N MGT_IPS
/sbin/iptables -A INPUT -s 192.168.56.0/24 -j MGT_IPS

# Allow SSH , HTTP, ,HTTPS, and ping access to management IPs
/sbin/iptables -A MGT_IPS -p tcp -m state --state NEW -m multiport --dports 22,80,443 -j ACCEPT
/sbin/iptables -A MGT_IPS -p icmp -m icmp --icmp-type any -j ACCEPT

# Allow ICMP from internal IPs
/sbin/iptables -A INPUT -s 10.0.0.0/8 -p icmp -m icmp --icmp-type any -j ACCEPT
/sbin/iptables -A INPUT -s 172.16.0.0/12 -p icmp -m icmp --icmp-type any -j ACCEPT
/sbin/iptables -A INPUT -s 192.168.0.0/16 -p icmp -m icmp --icmp-type any -j ACCEPT

# Drop rules to prevent them from entering the logs
/sbin/iptables -A INPUT -p tcp -m multiport --dports 135,137,138 -j DROP
/sbin/iptables -A INPUT -p udp -m multiport --dports 135,137,138 -j DROP
/sbin/iptables -A INPUT -p all -d 255.255.255.255 -j DROP

# Log dropped traffic
/sbin/iptables -A INPUT -j LOG -m limit --limit 10/m --log-level 4 --log-prefix "Dropped Traffic: "

# Set default policies for INPUT, FORWARD and OUTPUT chains
/sbin/iptables -P INPUT DROP
/sbin/iptables -P FORWARD DROP
/sbin/iptables -P OUTPUT ACCEPT

# Save settings
/sbin/service iptables save

# List rules
/sbin/iptables -L -v
EOF_iptables_script

# Modify iptables.script permissions so it can run
chmod 700 /etc/sysconfig/iptables.script

# Add files to rc.local
cat >> /etc/rc.local << EOF_rclocal

# Run firewall script
/etc/sysconfig/iptables.script
EOF_rclocal

# Remove some packages that are not needed (cups, tigervnc-server, libgweather won't allow me to remove them via %packages)
rpm -e --nodeps tigervnc
rpm -e --nodeps tigervnc-server
rpm -e --nodeps libgweather
rpm -e --nodeps pulseaudio
rpm -e --nodeps cups
rpm -e --nodeps sendmail

# Modify the applications menu
rm -f /usr/share/applications/gthumb*.desktop
rm -f /usr/share/applications/brasero*.desktop
rm -f /usr/share/applications/gnome-screens*.desktop
rm -f /usr/share/applications/about-this-computer.desktop
rm -f /usr/share/applications/gnome-about*.desktop
rm -f /usr/share/applications/gnome-dictionary.desktop
rm -f /usr/share/applications/gnome-gcalctool.desktop
rm -f /usr/share/applications/gnome-keybinding.desktop
rm -f /usr/share/applications/bluetooth-properties.desktop
rm -f /usr/share/applications/totem.desktop
rm -f /usr/share/applications/gnome-file-roller.desktop
rm -f /usr/share/applications/gnome-gucharmap.desktop
rm -f /usr/share/applications/gedit.desktop
rm -f /usr/share/applications/gnome-baobab.desktop
rm -f /usr/share/applications/gnome-system-monitor.desktop
rm -f /usr/share/applications/palimpsest.desktop
rm -f /usr/share/applications/gnome-nautilus-browser.desktop
rm -f /usr/share/applications/TUV.desktop
rm -f /usr/share/applications/sl-release-notes.desktop
rm -f /usr/share/applications/system-config-users.desktop
rm -f /usr/share/applications/authconfig.desktop
rm -f /usr/share/applications/system-config-firewall.desktop
rm -f /usr/share/applications/system-config-services.desktop
rm -f /usr/share/applications/gnome-network-properties.desktop
rm -f /usr/share/applications/gnome-volume-control.desktop
rm -f /usr/share/applications/gnome-default-application.desktop
rm -f /usr/share/applications/gnome-at-properties.desktop
rm -f /usr/share/applications/gnome-session-properties.desktop

/bin/sed -i 's/Categories=System;Settings;X-Red-Hat-Base;/Categories=Settings;/' /usr/share/applications/system-config-date.desktop

/bin/sed -i 's/NoDisplay=true/NoDisplay=false/' /home/customer_login/.local/share/applications/preferred-mail-reader.desktop

# Create various scripts for customers to use
cat > /usr/local/bin/remote_support << EOF_remote_support
#!/bin/bash
# This script will open a reverse SSH tunnel for support.
ssh -fnNTx -R 2222:127.0.0.1:22 X.X.X.X
EOF_remote_support

# Executable by everyone but writable only by root (not 777, which would let
# any local user replace scripts launched from the menu)
chmod 755 /usr/local/bin/remote_support
chmod 755 /usr/local/bin/system_stats

# Add the scripts to the applications menu
cat > /usr/share/applications/remote-support.desktop << EOF_remote_sup_menu
[Desktop Entry]
Name=Remote Support
Comment=Support
Exec=remote_support
StartupNotify=true
Terminal=true
Type=Application
Categories=System
Icon=/usr/share/icons/gnome/16x16/apps/logo.png
EOF_remote_sup_menu

cat > /usr/share/applications/system-stats.desktop << EOF_sys_stats_menu
[Desktop Entry]
Name=System Statistics
Comment=Basic system information
Exec=system_stats
StartupNotify=true
Terminal=true
Type=Application
Categories=System
Icon=/usr/share/icons/gnome/16x16/apps/logo.png
EOF_sys_stats_menu

chmod 644 /usr/share/applications/remote-support.desktop
chmod 644 /usr/share/applications/system-stats.desktop

%end

# Reboot after installation
reboot --eject

EDIT: I've figured out most of my problems. The only issue I have now is that I want the install procedure to skip the section where it prompts the user for a root password. I will auto set this later and don't want them having the power to do that.

EDIT2: OK, I updated my kickstart script above. Using this script it creates a live CD that instantly goes to the install process. Once I go through the install process it prompts me for the root password, HD location, time zones, etc. Then it installs and all of my kickstart script works perfectly on the new system. However, I still want to make it so that it doesn't prompt me for the root password during the initial install. I have tried adding the following to the kickstart script but it doesn't work:

# Copy kickstart script to the live CD
cp -f test.ks $INSTALL_ROOT/root/

# Modified the boot menu to say
append initrd=initrd0.img ks=cdrom:/root/test.ks root=live:CDLABEL=MyISO rootfstype=auto ro liveimg liveinst noswap rd_NO_LUKS rd_NO_MD rd_NO_DM

On the ks= part I wasn't sure what was correct so I also tried ks=/root/test.ks and it still prompted me for the initial setup information.

EDIT3: I started working on this again over the last few days and I still can't get the ISO to auto step through the basic setting steps such as root password, time settings, keyboard, etc. I've tried various locations of putting the ks.cfg in /root/, on the live CD under that root directory and under isolinux. Every time it still asks for the info.
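On point 4 of the question: the EL6 `iptables` service loads /etc/sysconfig/iptables with iptables-restore, which expects iptables-save format, not shell commands, so echoing `iptables ...` lines into that file does nothing. The script below is an added example (not the poster's kickstart): it renders the same policy as the `iptables.script` above in save format, validates it, and only then installs it. MGT_NET and the target path are assumed placeholders.

```shell
#!/bin/sh
# Added example: emit the firewall policy from the question in iptables-save
# format so the "iptables" service (enabled via "services --enabled=iptables")
# can restore it at boot. MGT_NET is an assumed placeholder for the management subnet.
MGT_NET="${MGT_NET:-192.168.56.0/24}"

render_iptables_rules() {
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:MGT_IPS - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -s ${MGT_NET} -j MGT_IPS
-A MGT_IPS -p tcp -m state --state NEW -m multiport --dports 22,80,443 -j ACCEPT
-A MGT_IPS -p icmp -j ACCEPT
-A INPUT -s 10.0.0.0/8 -p icmp -j ACCEPT
-A INPUT -s 172.16.0.0/12 -p icmp -j ACCEPT
-A INPUT -s 192.168.0.0/16 -p icmp -j ACCEPT
-A INPUT -p tcp -m multiport --dports 135,137,138 -j DROP
-A INPUT -p udp -m multiport --dports 135,137,138 -j DROP
-A INPUT -d 255.255.255.255 -j DROP
-A INPUT -m limit --limit 10/min -j LOG --log-level 4 --log-prefix "Dropped Traffic: "
COMMIT
EOF
}

# Sanity-check a rendered ruleset before installing it: it must open the filter
# table, set a DROP policy on INPUT and end with COMMIT, or iptables-restore
# rejects the file and the service start fails, leaving the host unfiltered.
validate_iptables_rules() {
  rules="$1"
  printf '%s\n' "$rules" | head -n 1 | grep -q '^\*filter$' || return 1
  printf '%s\n' "$rules" | grep -q '^:INPUT DROP' || return 1
  printf '%s\n' "$rules" | tail -n 1 | grep -q '^COMMIT$' || return 1
  return 0
}

# Write the ruleset only when it validates; run as root in %post. The target
# path defaults to the file the iptables service reads (assumed EL6 layout).
install_iptables_rules() {
  target="${1:-/etc/sysconfig/iptables}"
  rules="$(render_iptables_rules)"
  validate_iptables_rules "$rules" || return 1
  printf '%s\n' "$rules" > "$target"
  chmod 600 "$target"
}
```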

Best Answer

I use CentOS, but the easiest way I've found to configure a system via kickstart is to install and configure a system the way I want it to be, then look at /root/anaconda-ks.cfg. That file is a kickstart for the install you just did. I assume that Scientific has this file as well.

Once you have that file, I've found it much easier to modify (add/remove) what I want from that and it's taken care of the funny network, SELinux, iptables config, etc, for me.

Cheers, Josh
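One way to act on this answer, as an added example that is neither Josh's nor the poster's code: compare the command section of a hand-configured install's anaconda-ks.cfg with the custom kickstart and list the exposure-relevant directives (network, firewall, selinux, authconfig, rootpw, services) that the custom file never sets. Both sample files are constructed here; the real ones would be /root/anaconda-ks.cfg and the poster's test.ks.

```shell
#!/bin/sh
# Added example: report kickstart directives present in a reference
# anaconda-ks.cfg but missing from a custom kickstart. File paths are assumptions.

# Directives that decide how the installed host is exposed on the network.
SECURITY_DIRECTIVES="network firewall selinux authconfig rootpw services"

# Print the first word of each command-section line (stop at the first
# %packages/%pre/%post/%end section), skip comments, fold the auth alias.
ks_directives() {
  awk '/^%(packages|pre|post|end)/ {exit} /^[[:space:]]*#/ {next} NF {print $1}' "$1" |
    sed 's/^auth$/authconfig/' | sort -u
}

# Print every security directive the reference sets but the custom file lacks.
missing_directives() {
  custom="$1"; reference="$2"
  for d in $SECURITY_DIRECTIVES; do
    if ks_directives "$reference" | grep -qx "$d" &&
       ! ks_directives "$custom" | grep -qx "$d"; then
      echo "$d"
    fi
  done
}

# Constructed samples: a trimmed anaconda-ks.cfg and the command section from
# the question; the hash in rootpw is a placeholder, not a real credential.
write_samples() {
  cat > "$1" <<'EOF'
# reference: trimmed anaconda-ks.cfg from a hand-configured install
install
network --onboot yes --device eth0 --bootproto dhcp
firewall --service=ssh
authconfig --enableshadow --passalgo=sha512
selinux --enforcing
rootpw --iscrypted $6$PLACEHOLDER
%packages
@core
%end
EOF
  cat > "$2" <<'EOF'
# custom: command section from the question, trimmed
cdrom
install
rootpw testpassword
auth --useshadow --enablemd5
selinux --disabled
services --enabled=iptables,sshd --disabled=firstboot
%packages
%end
EOF
}
```

Running `missing_directives test.ks /root/anaconda-ks.cfg` against the question's script reports `network` and `firewall`, the two areas the poster was trying to configure by hand in %post.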