Linux Kickstart Scripts


I use CentOS, but the easiest way I've found to configure a system via kickstart is to install and configure a system the way I want it to be, then look at /root/anaconda-ks.cfg. That file is a kickstart of the install you just did. I assume that Scientific has this file as well.

Once you have that file, I've found it much easier to modify (add/remove) what I want from that and it's taken care of the funny network, SELinux, iptables config, etc, for me.

Cheers, Josh


Author: Eric

Updated on September 18, 2022

Comments

  • Eric
    Eric almost 2 years

    I've been working on a kickstart script for a Scientific Linux install. My goal is to create a CD ISO so that someone can install it easily on a server. I've been able to do a decent amount with it but I'm still running into a few problems that I would like help on.

    1. When the boot menu starts and I select "install" or "install (text mode)", it never goes directly to the install. It goes to a command prompt where I have to type in root and the run "liveinst".
    2. When the install starts, I want to remove some of the options. Ex. - I am defining the time zone, language, etc in the kickstart script so I don't want anyone to be able to modify that.
    3. It's not prompting me for the network information. I don't want to run firstboot, I just want it to ask me for the network during the initial setup. I've tried various things in the kickstart script such as "asknet", "network --query", and none seem to work.
    4. The iptables setup doesn't work. I've tried adding "iptables --ssh --http --port:514" at the top of the kickstart script, I've tried echoing commands into /etc/sysconfig/iptables, I've tried rewriting the file completely, and none of it seems to work.

    Any help or pointers would be greatly appreciated.

    ######################################################
    ## Custom Kickstart Script
    ######################################################
    
    ######################################################
    ## Include another kickstart script
    ######################################################
    
    %include sl62-livecd-gnome.ks
    
    ######################################################
    ## Basic Settings
    ######################################################
    
    cdrom
    install
    autopart
    autostep
    xconfig --startxonboot
    rootpw testpassword
    
    lang en_US.UTF-8
    keyboard us
    timezone --utc America/New_York
    auth --useshadow --enablemd5
    selinux --disabled
    services --enabled=iptables,rsyslog,sshd,ntpd,NetworkManager,network --disabled=sendmail,cups,firstboot,ip6tables
    
    clearpart --all
    
    ######################################################
    ## Repos
    ######################################################
    repo --name=base          --baseurl=http://ftp.scientificlinux.org/linux/scientific/6.2/$basearch/os/
    repo --name=security   --baseurl=http://ftp.scientificlinux.org/linux/scientific/6.2/$basearch/updates/security/
    
    ######################################################
    ## Packages
    ######################################################
    
    %packages
    
    # Additional firmware support
    aic94xx-firmware
    netxen-firmware
    atmel-firmware
    bfa-firmware
    ql2100-firmware
    ql2200-firmware
    ql23xx-firmware
    ql2400-firmware
    ql2500-firmware
    rt61pci-firmware
    rt73usb-firmware
    xorg-x11-drv-ati-firmware
    
    # Remove these packages
    -tigervnc-server
    -tigervnc
    -postfix
    -pidgin
    -cups
    -pulseaudio-module-bluetooth
    -gnome-bluetooth-libs
    -gnome-bluetooth
    -cheese
    -evolution-data-server
    -libgweather
    -tsclient
    
    /usr/sbin/lokkit
    
    %end
    
    ######################################################
    ## Post Script --nochroot (nochroot environment allows you to copy from the build host environment to the livecd build environment)
    ######################################################
    %post --nochroot
    
    # Modify desktop background
    cp -f my_wallpaper.jpg $INSTALL_ROOT/usr/share/backgrounds/1280x1024_default.png
    cp -f my_wallpaper.jpg $INSTALL_ROOT/usr/share/backgrounds/1920x1200_default.png
    cp -f my_wallpaper.jpg $INSTALL_ROOT/usr/share/backgrounds/2048x1536_default.png
    
    # Copy new splash screen for boot menu
    cp -f splash.jpg $LIVE_ROOT/isolinux/
    
    # Copy icons for the new applications
    cp -f logo-16x16.png $INSTALL_ROOT/usr/share/icons/gnome/16x16/apps/logo.png
    cp -f logo-22x22.png $INSTALL_ROOT/usr/share/icons/gnome/22x22/apps/logo.png
    cp -f logo-24x24.png $INSTALL_ROOT/usr/share/icons/gnome/24x24/apps/logo.png
    cp -f logo-32x32.png $INSTALL_ROOT/usr/share/icons/gnome/32x32/apps/logo.png
    cp -f logo-32x32.png $INSTALL_ROOT/usr/share/icons/gnome/scalable/apps/logo.png
    
    # Copy some files to the hard drive, will put them in the desktop later in the post script
    cp -f system_stats $INSTALL_ROOT/usr/local/bin/
    
    # Modify the boot menu
    cat > $LIVE_ROOT/isolinux/isolinux.cfg << EOF_boot_menu
    
    default vesamenu.c32
    timeout 100
    
    menu background splash.jpg
    menu title Welcome to MyISO!
    menu color border 0 #ffffffff #00000000
    menu color sel 7 #ffffffff #ff000000
    menu color title 0 #ffffffff #00000000
    menu color tabmsg 0 #ffffffff #00000000
    menu color unsel 0 #ffffffff #00000000
    menu color hotsel 0 #ff000000 #ffffffff
    menu color hotkey 7 #ffffffff #ff000000
    menu color timeout_msg 0 #ffffffff #00000000
    menu color timeout 0 #ffffffff #00000000
    menu color cmdline 0 #ffffffff #00000000
    menu hidden
    menu hiddenrow 5
    label install0
     menu label Install
     kernel vmlinuz0
     append initrd=initrd0.img root=live:CDLABEL=MyISO rootfstype=auto ro liveimg liveinst noswap   rd_NO_LUKS rd_NO_MD rd_NO_DM  
    menu default
    EOF_boot_menu
    
    %end
    
    #####################################################
    ## Post Script (chroot environment isolates the livecd build environment from the host that is building the livecd)
    #####################################################
    %post
    
    # Add a new user and modify permissions
    /usr/sbin/useradd support -G wheel -c "Support" -d /home/support -s /bin/bash; echo password | passwd --stdin support
    
    # Create the .ssh directory for root to have passwordless logins to the syslog server
    mkdir /root/.ssh
    
    # Create the keys
    cat > /root/.ssh/id_rsa << EOF_id_rsa
    PASTE PRIVATE KEY HERE
    EOF_id_rsa
    
    cat > /root/.ssh/id_rsa.pub << EOF_id_rsa_pub
    PASTE PUBLIC KEY HERE
    EOF_id_rsa_pub
    
    # Lock down the key directory and files: ssh refuses to use a private key
    # that is group- or world-readable, and regular files need no execute bit
    chown root:root -R /root/.ssh/
    chmod 700 /root/.ssh
    chmod 600 /root/.ssh/id_rsa
    chmod 644 /root/.ssh/id_rsa.pub
    
    # Allow wheel group sudo access
    cat >> /etc/sudoers << EOF_sudoers
    
    ### Allow wheel group sudo access ###
    %wheel ALL=(ALL) ALL
    EOF_sudoers
    
    # Check the result: a syntax error anywhere in sudoers makes sudo refuse
    # every request, which would lock the support user out
    /usr/sbin/visudo -c
    
    # Modify ssh_config
    cat >> /etc/ssh/ssh_config << EOF_ssh_config
    
    ### Specific settings for timeouts
    TCPKeepAlive yes
    ServerAliveInterval 120
    ServerAliveCountMax 3
    
    ### Don't prompt for host verification
    StrictHostKeyChecking no
    EOF_ssh_config
    
    # Modify sshd_config
    /bin/sed -i 's/#PermitRootLogin yes/PermitRootLogin no/' /etc/ssh/sshd_config
    /sbin/service sshd restart
    
    # Create a directory for rsyslog queuing
    mkdir /var/spool/rsyslog
    
    # Modify rsyslog configuration
    cat >> /etc/rsyslog.conf << EOF_rsyslog
    
    ### Queuing Config ###
    \$WorkDirectory /var/spool/rsyslog
    \$ActionQueueType LinkedList
    \$ActionQueueFileName remotequeue
    \$ActionResumeRetryCount -1
    \$ActionQueueSaveOnShutdown on
    \$ActionQueueMaxFileSize 100m
    \$ActionQueueMaxDiskSpace 5g
    
    ### Forwarding Rule ###
    *.*     @@127.0.0.1:1514
    EOF_rsyslog
    
    # Start the SSH tunnel and ensure if it goes down, it will be restarted
    cat >> /etc/rc.local << EOF_inittab
    ssh -fnNTx -L 1514:127.0.0.1:514 [email protected] > /dev/null 2>&1
    EOF_inittab
    
    cat > /usr/local/bin/ssh_syslog << EOF_ssh_syslog
    #!/bin/bash
    # Match the syslog tunnel specifically; "ssh -fnNTx" on its own would also
    # match the remote_support reverse tunnel and the restart would be skipped
    if ps aux | grep "ssh -fnNTx -L 1514:" | grep -v "grep"
    then
    echo "Already Running"
    else
    echo "Starting now"
    ssh -fnNTx -L 1514:127.0.0.1:514 [email protected]
    fi
    EOF_ssh_syslog
    
    # root runs this from cron every minute, so it must be writable by root only
    chmod 755 /usr/local/bin/ssh_syslog
    
    cat >> /etc/crontab << EOF_ssh_cron
    */1 * * * * root /usr/local/bin/ssh_syslog
    EOF_ssh_cron
    
    # Allow forwarding. The /proc write takes effect immediately, but inside a
    # %post chroot it reaches the build host's kernel, not the image; the
    # sysctl.conf change is what the installed system applies at boot
    echo 1 > /proc/sys/net/ipv4/ip_forward
    /bin/sed -i 's/net.ipv4.ip_forward = 0/net.ipv4.ip_forward = 1/' /etc/sysctl.conf
    
    cat > /etc/sysconfig/iptables.script << EOF_iptables_script
    #!/bin/bash
    # Iptables configuration script
    
    # Flush all current rules and delete user-defined chains so the script can
    # be re-run (otherwise "-N MGT_IPS" fails because the chain already exists)
    /sbin/iptables -F
    /sbin/iptables -X
    
    # Loopback address
    /sbin/iptables -A INPUT -i lo -j ACCEPT
    
    # Established inbound rule
    /sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    
    # Define new chain with all management IPs
    /sbin/iptables -N MGT_IPS
    /sbin/iptables -A INPUT -s 192.168.56.0/24 -j MGT_IPS
    
    # Allow SSH , HTTP, ,HTTPS, and ping access to management IPs
    /sbin/iptables -A MGT_IPS -p tcp -m state --state NEW -m multiport --dports 22,80,443 -j ACCEPT
    /sbin/iptables -A MGT_IPS -p icmp -m icmp --icmp-type any -j ACCEPT
    
    # Allow ICMP from internal IPs
    /sbin/iptables -A INPUT -s 10.0.0.0/8 -p icmp -m icmp --icmp-type any -j ACCEPT
    /sbin/iptables -A INPUT -s 172.16.0.0/12 -p icmp -m icmp --icmp-type any -j ACCEPT
    /sbin/iptables -A INPUT -s 192.168.0.0/16 -p icmp -m icmp --icmp-type any -j ACCEPT
    
    # Drop rules to prevent them from entering the logs
    /sbin/iptables -A INPUT -p tcp -m multiport --dports 135,137,138 -j DROP
    /sbin/iptables -A INPUT -p udp -m multiport --dports 135,137,138 -j DROP
    /sbin/iptables -A INPUT -p all -d 255.255.255.255 -j DROP
    
    # Log dropped traffic
    /sbin/iptables -A INPUT -j LOG -m limit --limit 10/m --log-level 4 --log-prefix "Dropped Traffic: "
    
    # Set default policies for INPUT, FORWARD and OUTPUT chains
    /sbin/iptables -P INPUT DROP
    /sbin/iptables -P FORWARD DROP
    /sbin/iptables -P OUTPUT ACCEPT
    
    # Save settings
    /sbin/service iptables save
    
    # List rules
    /sbin/iptables -L -v
    EOF_iptables_script
    
    # Modify iptables.script permissions so it can run
    chmod 700 /etc/sysconfig/iptables.script
    
    # Add files to rc.local
    cat >> /etc/rc.local << EOF_rclocal
    
    # Run firewall script
    /etc/sysconfig/iptables.script
    EOF_rclocal
    
    # Remove some files that are not needed (cups,tigervnc-server, libgweather won't allow me to remove them)
    rpm -e --nodeps tigervnc
    rpm -e --nodeps tigervnc-server
    rpm -e --nodeps libgweather
    rpm -e --nodeps pulseaudio
    rpm -e --nodeps cups
    rpm -e --nodeps sendmail
    
    # Modify the applications menu
    rm -f /usr/share/applications/gthumb*.desktop
    rm -f /usr/share/applications/brasero*.desktop
    rm -f /usr/share/applications/gnome-screens*.desktop
    rm -f /usr/share/applications/about-this-computer.desktop
    rm -f /usr/share/applications/gnome-about*.desktop
    rm -f /usr/share/applications/gnome-dictionary.desktop
    rm -f /usr/share/applications/gnome-gcalctool.desktop
    rm -f /usr/share/applications/gnome-keybinding.desktop
    rm -f /usr/share/applications/bluetooth-properties.desktop
    rm -f /usr/share/applications/totem.desktop
    rm -f /usr/share/applications/gnome-file-roller.desktop
    rm -f /usr/share/applications/gnome-gucharmap.desktop
    rm -f /usr/share/applications/gedit.desktop
    rm -f /usr/share/applications/gnome-baobab.desktop
    rm -f /usr/share/applications/gnome-system-monitor.desktop
    rm -f /usr/share/applications/palimpsest.desktop
    rm -f /usr/share/applications/gnome-nautilus-browser.desktop
    rm -f /usr/share/applications/TUV.desktop
    rm -f /usr/share/applications/sl-release-notes.desktop
    rm -f /usr/share/applications/system-config-users.desktop
    rm -f /usr/share/applications/authconfig.desktop
    rm -f /usr/share/applications/system-config-firewall.desktop
    rm -f /usr/share/applications/system-config-services.desktop
    rm -f /usr/share/applications/gnome-network-properties.desktop
    rm -f /usr/share/applications/gnome-volume-control.desktop
    rm -f /usr/share/applications/gnome-default-application.desktop
    rm -f /usr/share/applications/gnome-at-properties.desktop
    rm -f /usr/share/applications/gnome-session-properties.desktop
    
    /bin/sed -i 's/Categories=System;Settings;X-Red-Hat-Base;/Categories=Settings;/' /usr/share/applications/system-config-date.desktop
    
    /bin/sed -i 's/NoDisplay=true/NoDisplay=false/' /home/customer_login/.local/share/applications/preferred-mail-reader.desktop
    
    # Create a various scripts for customers to use
    cat > /usr/local/bin/remote_support << EOF_remote_support
    #!/bin/bash
    # This script will open a reverse SSH tunnel for support.
    ssh -fnNTx -R 2222:127.0.0.1:22 X.X.X.X
    EOF_remote_support
    
    # Executable by everyone, writable only by root: these are launched from
    # the menu of an unprivileged desktop session
    chmod 755 /usr/local/bin/remote_support
    chmod 755 /usr/local/bin/system_stats
    
    # Add the scripts to the applications menu
    cat > /usr/share/applications/remote-support.desktop << EOF_remote_sup_menu
    [Desktop Entry]
    Name=Remote Support
    Comment=Support
    Exec=remote_support
    StartupNotify=true
    Terminal=true
    Type=Application
    Categories=System
    Icon=/usr/share/icons/gnome/16x16/apps/logo.png
    EOF_remote_sup_menu
    
    cat > /usr/share/applications/system-stats.desktop << EOF_sys_stats_menu
    [Desktop Entry]
    Name=System Statistics
    Comment=Basic system information
    Exec=system_stats
    StartupNotify=true
    Terminal=true
    Type=Application
    Categories=System
    Icon=/usr/share/icons/gnome/16x16/apps/logo.png
    EOF_sys_stats_menu
    
    chmod 644 /usr/share/applications/remote-support.desktop
    chmod 644 /usr/share/applications/system-stats.desktop
    
    %end
    
    # Reboot after installation
    reboot --eject
    

    EDIT: I've figured out most of my problems. The only issue I have now is that I want the install procedure to skip the section where it prompts the user for a root password. I will auto set this later and don't want them having the power to do that.

    EDIT2: Ok I updated my kickstart script above. Using this script it creates a live CD that instantly goes to the install process. Once I go through the install process it prompts me for root password, HD location, time zones, etc. Then it installs and all of my kickstart script works perfectly on the new system. However, I still want to make it where it doesn't prompt me for the root password during the initial install. I have tried adding the following to the kickstart script but it doesn't work

    # Copy kickstart script to the live CD
    cp -f test.ks $INSTALL_ROOT/root/
    
    # Modified the boot menu to say
    append initrd=initrd0.img ks=cdrom:/root/test.ks root=live:CDLABEL=MyISO rootfstype=auto ro liveimg liveinst noswap   rd_NO_LUKS rd_NO_MD rd_NO_DM  
    

    On the ks= part I wasn't sure what was correct so I also tried ks=/root/test.ks and it still prompted me for the initial setup information.

    EDIT3: I started working on this again over the last few days and I still can't get the ISO to auto step through the basic setting steps such as root password, time settings, keyboard, etc. I've tried various locations of putting the ks.cfg in /root/, on the live CD under that root directory and under isolinux. Every time it still asks for the info.
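Whether the starting point is the generated /root/anaconda-ks.cfg that Josh recommends or a hand-written file like the one in the question, it is worth checking the file for settings that weaken the built system before cutting the ISO. The lint below is an added example, not code from the original post or from Scientific Linux; the function names (ks_lint, ks_lint_count, ks_sample_file), the rule names and the sample kickstart it scans are all constructed here. It flags the kinds of settings visible in the script above: a plaintext rootpw (kickstart accepts `rootpw --iscrypted` with a crypt hash instead), `--enablemd5` on the auth line, `selinux --disabled`, a bare `iptables` line (the kickstart command for the firewall is `firewall`, for example `firewall --enabled --port=22:tcp,514:tcp`), a private key written out of %post, a password piped into `passwd --stdin`, a world-writable chmod, and `StrictHostKeyChecking no`.

```shell
#!/bin/bash
# Kickstart security lint: added example, not code from the original post.
# Scans a kickstart file (the %pre/%post payload included) for settings that
# weaken the installed system and prints one finding per line as
#   <line>:<rule>:<offending text>
# Exit status is always 0; count the findings with `ks_lint FILE | wc -l`.

ks_lint() {
    local ks="$1" name regex
    # One rule per line: <rule name> <extended regex>. Comment lines are
    # dropped from the matches so documentation does not trigger findings.
    while read -r name regex; do
        [ -n "$name" ] || continue
        grep -n -E -e "$regex" -- "$ks" 2>/dev/null \
            | grep -v -E '^[0-9]+:[[:space:]]*#' \
            | sed "s/^\([0-9]*\):/\1:$name:/"
    done <<'RULES'
plaintext-rootpw ^[[:space:]]*rootpw[[:space:]]+(--plaintext[[:space:]]+)?[^-]
md5-password-hashing ^[[:space:]]*auth(config)?[[:space:]].*--enablemd5
selinux-disabled ^[[:space:]]*selinux[[:space:]]+--disabled
not-a-kickstart-command ^[[:space:]]*iptables[[:space:]]+--
private-key-written-by-script cat[[:space:]]*>+[[:space:]]*[^[:space:]]*/\.ssh/id_[a-z0-9]+[[:space:]]*<<
private-key-material -----BEGIN .*PRIVATE KEY-----
password-piped-to-passwd passwd[[:space:]]+--stdin
world-writable-chmod chmod.*[[:space:]][0-7]{2,3}[2367]([[:space:]]|$)
ssh-host-key-checking-off StrictHostKeyChecking[[:space:]]+no
RULES
    return 0
}

# Number of findings for a file, as a bare integer.
ks_lint_count() {
    ks_lint "$1" | wc -l | tr -d ' '
}

# Constructed sample in the shape of the script from the question (it is not
# the original file). Writes it to a temporary file and prints the path.
ks_sample_file() {
    local f
    f=$(mktemp) || return 1
    cat > "$f" <<'SAMPLE'
install
rootpw testpassword
auth --useshadow --enablemd5
selinux --disabled
firewall --enabled --ssh --port=514:tcp
iptables --ssh --http --port:514
%post
cat > /root/.ssh/id_rsa << EOF_id_rsa
PASTE PRIVATE KEY HERE
EOF_id_rsa
echo password | passwd --stdin support
chmod 700 -R /root/.ssh/
chmod 777 /usr/local/bin/ssh_syslog
echo "StrictHostKeyChecking no" >> /etc/ssh/ssh_config
# chmod 777 inside a comment must not be reported
%end
SAMPLE
    echo "$f"
}

# Stand-alone run: lint the constructed sample and report the count.
sample=$(ks_sample_file)
ks_lint "$sample"
echo "findings: $(ks_lint_count "$sample")"
rm -f "$sample"
```

Run it as `ks_lint /root/anaconda-ks.cfg` or `ks_lint test.ks`; every finding is one line of the form line:rule:text, so the output drops straight into a build log. The rules are single-line regular expressions, which is why the key-material rule only fires on a real PEM header and the heredoc that writes id_rsa is caught by its `cat > .../.ssh/id_rsa <<` line instead.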
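The iptables.script in the question rebuilds the rules from rc.local on every boot and then calls `service iptables save`. The stock iptables init script already restores /etc/sysconfig/iptables at boot, so writing that file directly from %post removes both the rc.local hook and the window at boot during which the default ACCEPT policies are in force; it also avoids running /sbin/iptables inside %post at all, which in a chroot on the build host would change that host's tables rather than the image. The generator below is an added example, not code from the post or from the livecd-creator project: gen_iptables_rules and valid_port_list are names chosen here, the rules mirror the post's script (with `--icmp-type any` dropped, since `-p icmp` alone matches every type, and the limit spelled `10/minute`), and the management network and ports in the stand-alone call are the ones from that script.

```shell
#!/bin/bash
# Added example, not code from the original post: emits a complete
# /etc/sysconfig/iptables in iptables-restore format equivalent to the rule
# set of the post's iptables.script. The stock "iptables" init script loads
# this file at boot, so no rc.local hook and no "service iptables save" are
# needed, and nothing touches the build host's kernel during %post.
#
# gen_iptables_rules and valid_port_list are names chosen for this example.

# Returns 0 when every element of a comma-separated list is a TCP port in
# 1..65535, 1 otherwise (empty elements and non-digits are rejected).
valid_port_list() (
    IFS=','
    set -f                      # no globbing while splitting the list
    set -- $1
    [ $# -gt 0 ] || exit 1
    for p; do
        case $p in
            ''|*[!0-9]*) exit 1 ;;
        esac
        [ "$p" -ge 1 ] && [ "$p" -le 65535 ] || exit 1
    done
    exit 0
)

# Usage: gen_iptables_rules MGMT_CIDR "PORT[,PORT...]"
# Prints the ruleset on stdout; redirect it into /etc/sysconfig/iptables.
gen_iptables_rules() {
    mgmt="${1:?management network in CIDR form required}"
    ports="${2:?comma-separated TCP port list required}"
    if ! valid_port_list "$ports"; then
        echo "gen_iptables_rules: bad port list: $ports" >&2
        return 1
    fi
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:MGT_IPS - [0:0]
# Loopback and replies to established sessions
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Management network: service ports and ping
-A INPUT -s ${mgmt} -j MGT_IPS
-A MGT_IPS -p tcp -m state --state NEW -m multiport --dports ${ports} -j ACCEPT
-A MGT_IPS -p icmp -j ACCEPT
# Ping from the private ranges
-A INPUT -s 10.0.0.0/8 -p icmp -j ACCEPT
-A INPUT -s 172.16.0.0/12 -p icmp -j ACCEPT
-A INPUT -s 192.168.0.0/16 -p icmp -j ACCEPT
# Windows broadcast noise: drop silently so it stays out of the log
-A INPUT -p tcp -m multiport --dports 135,137,138 -j DROP
-A INPUT -p udp -m multiport --dports 135,137,138 -j DROP
-A INPUT -d 255.255.255.255 -j DROP
# Everything else is logged (rate limited) and then hits the INPUT DROP policy
-A INPUT -m limit --limit 10/minute -j LOG --log-level 4 --log-prefix "Dropped Traffic: "
COMMIT
EOF
}

# Stand-alone run with the management network and ports from the post's
# script; in %post this would be redirected to /etc/sysconfig/iptables.
gen_iptables_rules 192.168.56.0/24 22,80,443
```

In %post the call becomes `gen_iptables_rules 192.168.56.0/24 22,80,443 > /etc/sysconfig/iptables` followed by `chmod 600 /etc/sysconfig/iptables`, with `iptables` left in the `services --enabled` list as the post already has it. Where the installed iptables supports it, `iptables-restore --test < /etc/sysconfig/iptables` parses the file without loading it, which is the check to run on the built image before shipping.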

  • Eric
    Eric about 12 years
    I looked at my /root/anaconda-ks.cfg file and it doesn't have much there. (install, lang, keyboard, rootpw, firewall, authconfig, selinux, timezone, bootloader) All of these settings are identical to my current kickstart script that isn't working.
  • Mountainerd
    Mountainerd about 12 years
    Looking at what you posted above, I assume you're doing a graphical environment. One thing I did notice is that there's no "firstboot --disable" for where you want to disable the firstboot option (which you mentioned). Also, there's a GUI tool to assist you in setting all these options if your hand-jammed one isn't working. Have you tried booting using the kickstart file that was automatically generated to see if that works as you are hoping your manual one will?
  • Eric
    Eric about 12 years
    I have disabled firstboot under services. I originally had "firstboot --disable" and it had the same effect as me having it under "services --disabled=firstboot". I've tried using the GUI tool before but haven't had much luck with it. As far as trying to use livecd-creator and using the anaconda-ks.cfg file, it won't work due to there not being any packages listed in the file. The file only has the few sections I stated above. Do you have an example of one of your kickstart scripts that I can look at and try to modify?
  • Mountainerd
    Mountainerd about 12 years
    @Eric, I'll build one out tonight or tomorrow and get it to you.
  • Aaron Copley
    Aaron Copley about 12 years
    At the bottom of this page there is a link to an additional site with many ready-made examples. wiki.centos.org/TipsAndTricks/KickStart (nazar.karan.org/cgit/bluecain/tree) I learned a ton from these.
  • Eric
    Eric about 12 years
    I used to have that option on there, and it did set the root password on the livecd. However it still prompted the user to enter a new root password during the installation.
  • Eric
    Eric about 12 years
    So I would have to add something along the lines of "cp -f mykick.ks $INSTALL_ROOT/root/" and then add ks=/root/mykick.ks?
  • Aaron Copley
    Aaron Copley about 12 years
    Do you mean for this to be an interactive Kickstart, then? I don't see the interactive option up there so it should just go through the install unattended.
  • Eric
    Eric about 12 years
    I don't want it to be interactive at all. I use livecd-creator and I supply it with my kickstart script. From here it goes through the install process. Once installed, a lot of my post scripts are there and they work fine. However it doesn't appear that the "live cd install process" is accepting my kickstart script like I want it to. I see that NcA below says I have to call my ks.cfg file within my isolinux file as well. So basically I would use livecd-creator and say run ks.cfg and then within the ks.cfg recall it again?
  • Aaron Copley
    Aaron Copley about 12 years
    Not familiar with any LiveCD process as it is related to Kickstart. My experience is with Kickstarting RHEL/CentOS but it should be similar enough to help you with Scientific Linux. If the CD is just for provisioning, does it need to be a LiveCD at all? Seems to be introducing extra complexity.
  • Eric
    Eric about 12 years
    I have actually used that and the kickstart script worked very well. However we have to have this on a CD. Which I can technically do with that method, I'd just have to remove a lot of packages. Last time I played with it I was able to get the 3.6 Gb image down to 1.1Gb by getting rid of a lot of necessary items.
  • Aaron Copley
    Aaron Copley about 12 years
    Ohhh... no DVD-ROM? Could you host the installation packages on an internal web server and just use boot media in the servers?