Linux Kickstart Scripts
I use CentOS, but the easiest way I've found to configure a system via kickstart is to install and configure a system the way I want it to be, then look at /root/anaconda-ks.cfg. That file is a kickstart for the install you just did. I assume that Scientific has this file as well.
Once you have that file, I've found it much easier to modify (add/remove) what I want from that and it's taken care of the funny network, SELinux, iptables config, etc, for me.
Cheers, Josh
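The answer above suggests starting from the installer-generated /root/anaconda-ks.cfg. As an added example (not Josh's code, and not part of the original thread), the POSIX sh snippet below automates the comparison Eric later does by hand: it extracts the directive names from the command section of two kickstart files and lists what the generated one has that the hand-written one lacks. Both kickstart texts are constructed here; a real anaconda-ks.cfg will differ, and the hashed password value is a placeholder, not a real hash.

```shell
#!/bin/sh
# Added example, not from the original thread: compare the command section of
# an anaconda-generated kickstart with a hand-written one, so directives the
# installer recorded but the custom file lacks stand out.

# Constructed stand-in for /root/anaconda-ks.cfg (directive set modelled on a
# RHEL/SL 6 install; the --iscrypted value is a placeholder, not a real hash).
GENERATED_KS='# Kickstart file automatically generated by anaconda.
install
lang en_US.UTF-8
keyboard us
rootpw --iscrypted $6$CONSTRUCTED$not_a_real_hash
firewall --service=ssh
authconfig --enableshadow --passalgo=sha512
selinux --enforcing
timezone --utc America/New_York
bootloader --location=mbr
%packages
@core
%end'

# Constructed hand-written kickstart with a few directives missing.
CUSTOM_KS='install
lang en_US.UTF-8
keyboard us
rootpw testpassword
selinux --disabled
timezone --utc America/New_York
services --enabled=sshd
%packages
@core
%end'

# ks_commands TEXT: print the directive names of the command section
# (everything before the first %packages/%pre/%post/%end), one per line,
# sorted and deduplicated; comments and blank lines are skipped.
ks_commands() {
    printf '%s\n' "$1" | awk '
        /^%(packages|pre|post|end)/ { exit }
        /^[ \t]*(#|$)/              { next }
        { print $1 }' | sort -u
}

# ks_missing GENERATED CUSTOM: directives present in GENERATED but not in CUSTOM
ks_missing() {
    _gen=$(ks_commands "$1")
    _cus=$(ks_commands "$2")
    printf '%s\n' "$_gen" | while IFS= read -r _cmd; do
        [ -n "$_cmd" ] || continue
        printf '%s\n' "$_cus" | grep -qx -- "$_cmd" || printf '%s\n' "$_cmd"
    done
}

# Stand-alone run: what the generated file has that the custom one does not.
echo "Directives in the generated kickstart missing from the custom one:"
ks_missing "$GENERATED_KS" "$CUSTOM_KS"
```

Run it against the real files with `ks_missing "$(cat /root/anaconda-ks.cfg)" "$(cat my.ks)"`; the reverse call shows what your file adds beyond what the installer recorded.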
Eric, updated on September 18, 2022
Comments
-
Eric, almost 2 years ago:
I've been working on a kickstart script for a Scientific Linux install. My goal is to create a CD ISO so that someone can install it easily on a server. I've been able to do a decent amount with it but I'm still running into a few problems that I would like help on.
- When the boot menu starts and I select "install" or "install (text mode)", it never goes directly to the install. It goes to a command prompt where I have to type in root and the run "liveinst".
- When the install starts, I want to remove some of the options. Ex. - I am defining the time zone, language, etc in the kickstart script so I don't want anyone to be able to modify that.
- It's not prompting me for the network information. I don't want to run firstboot, I just want it to ask me for the network during the initial setup. I've tried various things in the kickstart script such as "asknet", "network --query", and none seem to work.
- The iptables setup doesn't work. I've tried adding "iptables --ssh --http --port:514" at the top of the kickstart script, I've tried echoing commands into /etc/sysconfig/iptables, I've tried rewriting the file completely, and none of it seems to work.
Any help or pointers would be greatly appreciated.
######################################################
## Custom Kickstart Script
######################################################

######################################################
## Include another kickstart script
######################################################
%include sl62-livecd-gnome.ks

######################################################
## Basic Settings
######################################################
cdrom
install
autopart
autostep
xconfig --startxonboot
rootpw testpassword
lang en_US.UTF-8
keyboard us
timezone --utc America/New_York
auth --useshadow --enablemd5
selinux --disabled
services --enabled=iptables,rsyslog,sshd,ntpd,NetworkManager,network --disabled=sendmail,cups,firstboot,ip6tables
clearpart --all

######################################################
## Repos
######################################################
repo --name=base --baseurl=http://ftp.scientificlinux.org/linux/scientific/6.2/$basearch/os/
repo --name=security --baseurl=http://ftp.scientificlinux.org/linux/scientific/6.2/$basearch/updates/security/

######################################################
## Packages
######################################################
%packages
# Additional firmware support
aic94xx-firmware
netxen-firmware
atmel-firmware
bfa-firmware
ql2100-firmware
ql2200-firmware
ql23xx-firmware
ql2400-firmware
ql2500-firmware
rt61pci-firmware
rt73usb-firmware
xorg-x11-drv-ati-firmware
# Remove these packages
-tigervnc-server
-tigervnc
-postfix
-pidgin
-cups
-pulseaudio-module-bluetooth
-gnome-bluetooth-libs
-gnome-bluetooth
-cheese
-evolution-data-server
-libgweather
-tsclient
/usr/sbin/lokkit
%end

######################################################
## Post Script --nochroot (the nochroot environment allows you to copy from the build host environment to the livecd build environment)
######################################################
%post --nochroot
# Modify desktop background
cp -f my_wallpaper.jpg $INSTALL_ROOT/usr/share/backgrounds/1280x1024_default.png
cp -f my_wallpaper.jpg $INSTALL_ROOT/usr/share/backgrounds/1920x1200_default.png
cp -f my_wallpaper.jpg $INSTALL_ROOT/usr/share/backgrounds/2048x1536_default.png

# Copy new splash screen for boot menu
cp -f splash.jpg $LIVE_ROOT/isolinux/

# Copy icons for the new applications
cp -f logo-16x16.png $INSTALL_ROOT/usr/share/icons/gnome/16x16/apps/logo.png
cp -f logo-22x22.png $INSTALL_ROOT/usr/share/icons/gnome/22x22/apps/logo.png
cp -f logo-24x24.png $INSTALL_ROOT/usr/share/icons/gnome/24x24/apps/logo.png
cp -f logo-32x32.png $INSTALL_ROOT/usr/share/icons/gnome/32x32/apps/logo.png
cp -f logo-32x32.png $INSTALL_ROOT/usr/share/icons/gnome/scalable/apps/logo.png

# Copy some files to the hard drive, will put them in the desktop later in the post script
cp -f system_stats $INSTALL_ROOT/usr/local/bin/

# Modify the boot menu
cat > $LIVE_ROOT/isolinux/isolinux.cfg << EOF_boot_menu
default vesamenu.c32
timeout 100
menu background splash.jpg
menu title Welcome to MyISO!
menu color border 0 #ffffffff #00000000
menu color sel 7 #ffffffff #ff000000
menu color title 0 #ffffffff #00000000
menu color tabmsg 0 #ffffffff #00000000
menu color unsel 0 #ffffffff #00000000
menu color hotsel 0 #ff000000 #ffffffff
menu color hotkey 7 #ffffffff #ff000000
menu color timeout_msg 0 #ffffffff #00000000
menu color timeout 0 #ffffffff #00000000
menu color cmdline 0 #ffffffff #00000000
menu hidden
menu hiddenrow 5
label install0
  menu label Install
  kernel vmlinuz0
  append initrd=initrd0.img root=live:CDLABEL=MyISO rootfstype=auto ro liveimg liveinst noswap rd_NO_LUKS rd_NO_MD rd_NO_DM
  menu default
EOF_boot_menu
%end

#####################################################
## Post Script (the chroot environment isolates the livecd build environment from the host that is building the livecd)
#####################################################
%post
# Add a new user and modify permissions
/usr/sbin/useradd support -G wheel -c "Support" -d /home/support -s /bin/bash; echo password | passwd --stdin support

# Create the .ssh directory for root to have passwordless logins to the syslog server
mkdir /root/.ssh

# Create the keys
cat > /root/.ssh/id_rsa << EOF_id_rsa
PASTE PRIVATE KEY HERE
EOF_id_rsa
cat > /root/.ssh/id_rsa.pub << EOF_id_rsa_pub
PASTE PUBLIC KEY HERE
EOF_id_rsa_pub

# Modify the permissions for the ssh key
chown root:root -R /root/.ssh/
chmod 700 -R /root/.ssh/

# Allow wheel group sudo access
cat >> /etc/sudoers << EOF_sudoers
### Allow wheel group sudo access ###
%wheel ALL=(ALL) ALL
EOF_sudoers

# Modify ssh_config
cat >> /etc/ssh/ssh_config << EOF_ssh_config
### Specific settings for timeouts
TCPKeepAlive yes
ServerAliveInterval 120
ServerAliveCountMax 3
### Don't prompt for host verification
StrictHostKeyChecking no
EOF_ssh_config

# Modify sshd_config
/bin/sed -i 's/#PermitRootLogin yes/PermitRootLogin no/' /etc/ssh/sshd_config
/sbin/service sshd restart

# Create a directory for rsyslog queuing
mkdir /var/spool/rsyslog

# Modify rsyslog configuration
cat >> /etc/rsyslog.conf << EOF_rsyslog
### Queuing Config ###
\$WorkDirectory /var/spool/rsyslog
\$ActionQueueType LinkedList
\$ActionQueueFileName remotequeue
\$ActionResumeRetryCount -1
\$ActionQueueSaveOnShutdown on
\$ActionQueueMaxFileSize 100m
\$ActionQueueMaxDiskSpace 5g
### Forwarding Rule ###
*.* @@127.0.0.1:1514
EOF_rsyslog

# Start the SSH tunnel and ensure if it goes down, it will be restarted
# (the "[email protected]" destination below is how the page's scraper redacted the original user@host value)
cat >> /etc/rc.local << EOF_inittab
ssh -fnNTx -L 1514:127.0.0.1:514 [email protected] > /dev/null 2>&1
EOF_inittab
cat >> /usr/local/bin/ssh_syslog << EOF_ssh_syslog
#!/bin/bash
if ps aux | grep "ssh -fnNTx" | grep -v "grep"
then
    echo "Already Running"
else
    echo "Starting now"
    ssh -fnNTx -L 1514:127.0.0.1:514 [email protected]
fi
EOF_ssh_syslog
# 755 rather than 777: cron runs this script as root, so it must not be world-writable
chmod 755 /usr/local/bin/ssh_syslog
cat >> /etc/crontab << EOF_ssh_cron
*/1 * * * * root /usr/local/bin/ssh_syslog
EOF_ssh_cron

# Allow forwarding (first line is for initial allowance, second line is to maintain during a reboot)
echo 1 > /proc/sys/net/ipv4/ip_forward
/bin/sed -i 's/net.ipv4.ip_forward = 0/net.ipv4.ip_forward = 1/' /etc/sysctl.conf

cat > /etc/sysconfig/iptables.script << EOF_iptables_script
#!/bin/bash
# Iptables configuration script

# Flush all current rules from iptables
/sbin/iptables -F

# Loopback address
/sbin/iptables -A INPUT -i lo -j ACCEPT

# Established inbound rule
/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Define new chain with all management IPs
/sbin/iptables -N MGT_IPS
/sbin/iptables -A INPUT -s 192.168.56.0/24 -j MGT_IPS

# Allow SSH, HTTP, HTTPS, and ping access to management IPs
/sbin/iptables -A MGT_IPS -p tcp -m state --state NEW -m multiport --dports 22,80,443 -j ACCEPT
/sbin/iptables -A MGT_IPS -p icmp -m icmp --icmp-type any -j ACCEPT

# Allow ICMP from internal IPs
/sbin/iptables -A INPUT -s 10.0.0.0/8 -p icmp -m icmp --icmp-type any -j ACCEPT
/sbin/iptables -A INPUT -s 172.16.0.0/12 -p icmp -m icmp --icmp-type any -j ACCEPT
/sbin/iptables -A INPUT -s 192.168.0.0/16 -p icmp -m icmp --icmp-type any -j ACCEPT

# Drop rules to prevent them from entering the logs
/sbin/iptables -A INPUT -p tcp -m multiport --dports 135,137,138 -j DROP
/sbin/iptables -A INPUT -p udp -m multiport --dports 135,137,138 -j DROP
/sbin/iptables -A INPUT -p all -d 255.255.255.255 -j DROP

# Log dropped traffic
/sbin/iptables -A INPUT -j LOG -m limit --limit 10/m --log-level 4 --log-prefix "Dropped Traffic: "

# Set default policies for INPUT, FORWARD and OUTPUT chains
/sbin/iptables -P INPUT DROP
/sbin/iptables -P FORWARD DROP
/sbin/iptables -P OUTPUT ACCEPT

# Save settings
/sbin/service iptables save

# List rules
/sbin/iptables -L -v
EOF_iptables_script

# Modify iptables.script permissions so it can run
chmod 700 /etc/sysconfig/iptables.script

# Add files to rc.local
cat >> /etc/rc.local << EOF_rclocal
# Run firewall script
/etc/sysconfig/iptables.script
EOF_rclocal

# Remove some files that are not needed (cups, tigervnc-server, libgweather won't allow me to remove them)
rpm -e --nodeps tigervnc
rpm -e --nodeps tigervnc-server
rpm -e --nodeps libgweather
rpm -e --nodeps pulseaudio
rpm -e --nodeps cups
rpm -e --nodeps sendmail

# Modify the applications menu
rm -f /usr/share/applications/gthumb*.desktop
rm -f /usr/share/applications/brasero*.desktop
rm -f /usr/share/applications/gnome-screens*.desktop
rm -f /usr/share/applications/about-this-computer.desktop
rm -f /usr/share/applications/gnome-about*.desktop
rm -f /usr/share/applications/gnome-dictionary.desktop
rm -f /usr/share/applications/gnome-gcalctool.desktop
rm -f /usr/share/applications/gnome-keybinding.desktop
rm -f /usr/share/applications/bluetooth-properties.desktop
rm -f /usr/share/applications/totem.desktop
rm -f /usr/share/applications/gnome-file-roller.desktop
rm -f /usr/share/applications/gnome-gucharmap.desktop
rm -f /usr/share/applications/gedit.desktop
rm -f /usr/share/applications/gnome-baobab.desktop
rm -f /usr/share/applications/gnome-system-monitor.desktop
rm -f /usr/share/applications/palimpsest.desktop
rm -f /usr/share/applications/gnome-nautilus-browser.desktop
rm -f /usr/share/applications/TUV.desktop
rm -f /usr/share/applications/sl-release-notes.desktop
rm -f /usr/share/applications/system-config-users.desktop
rm -f /usr/share/applications/authconfig.desktop
rm -f /usr/share/applications/system-config-firewall.desktop
rm -f /usr/share/applications/system-config-services.desktop
rm -f /usr/share/applications/gnome-network-properties.desktop
rm -f /usr/share/applications/gnome-volume-control.desktop
rm -f /usr/share/applications/gnome-default-application.desktop
rm -f /usr/share/applications/gnome-at-properties.desktop
rm -f /usr/share/applications/gnome-session-properties.desktop
/bin/sed -i 's/Categories=System;Settings;X-Red-Hat-Base;/Categories=Settings;/' /usr/share/applications/system-config-date.desktop
/bin/sed -i 's/NoDisplay=true/NoDisplay=false/' /home/customer_login/.local/share/applications/preferred-mail-reader.desktop

# Create various scripts for customers to use
cat > /usr/local/bin/remote_support << EOF_remote_support
#!/bin/bash
# This script will open a reverse SSH tunnel for support.
ssh -fnNTx -R 2222:127.0.0.1:22 X.X.X.X
EOF_remote_support
# 755 rather than 777: executable by everyone, writable only by root
chmod 755 /usr/local/bin/remote_support
chmod 755 /usr/local/bin/system_stats

# Add the scripts to the applications menu
cat > /usr/share/applications/remote-support.desktop << EOF_remote_sup_menu
[Desktop Entry]
Name=Remote Support
Comment=Support
Exec=remote_support
StartupNotify=true
Terminal=true
Type=Application
Categories=System
Icon=/usr/share/icons/gnome/16x16/apps/logo.png
EOF_remote_sup_menu
cat > /usr/share/applications/system-stats.desktop << EOF_sys_stats_menu
[Desktop Entry]
Name=System Statistics
Comment=Basic system information
Exec=system_stats
StartupNotify=true
Terminal=true
Type=Application
Categories=System
Icon=/usr/share/icons/gnome/16x16/apps/logo.png
EOF_sys_stats_menu
chmod 644 /usr/share/applications/remote-support.desktop
chmod 644 /usr/share/applications/system-stats.desktop
%end

# Reboot after installation
reboot --eject
EDIT: I've figured out most of my problems. The only issue I have now is that I want the install procedure to skip the section where it prompts the user for a root password. I will auto set this later and don't want them having the power to do that.
EDIT2: Ok I updated my kickstart script above. Using this script it creates a live CD that instantly goes to the install process. Once I go through the install process it prompts me for root password, HD location, time zones, etc. Then it installs and all of my kickstart script works perfectly on the new system. However, I still want to make it where it doesn't prompt me for the root password during the initial install. I have tried adding the following to the kickstart script but it doesn't work
# Copy kickstart script to the live CD
cp -f test.ks $INSTALL_ROOT/root/

# Modified the boot menu to say
append initrd=initrd0.img ks=cdrom:/root/test.ks root=live:CDLABEL=MyISO rootfstype=auto ro liveimg liveinst noswap rd_NO_LUKS rd_NO_MD rd_NO_DM
On the ks= part I wasn't sure what was correct so I also tried ks=/root/test.ks and it still prompted me for the initial setup information.
EDIT3: I started working on this again over the last few days and I still can't get the ISO to auto step through the basic setting steps such as root password, time settings, keyboard, etc. I've tried various locations of putting the ks.cfg in /root/, on the live CD under that root directory and under isolinux. Every time it still asks for the info.
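The question above mixes two kinds of problem: directives that are not actually kickstart commands (there is no `iptables` command; firewall rules belong in the `firewall` command, with `--port=514:udp` syntax) and settings that would be risky on every system installed from the CD (a plaintext `rootpw`, a private key and a user password written into `%post`, `StrictHostKeyChecking no`, SELinux disabled, a cron-run script made world-writable). As an added example that is not Eric's code and not part of the original thread, the POSIX sh linter below checks kickstart text for those patterns and is run against two constructed samples: a weak one condensed from the shapes of lines in the posted script, and a hardened header that passes every check. The kickstart commands it recommends (`firewall --enabled`, `rootpw --iscrypted`, `firstboot --disable`, `selinux --enforcing`) are real anaconda directives; the sample text, file names and the hashed password value are constructed, and the hash is a placeholder, not a real one.

```shell
#!/bin/sh
# Added example, not code from the original thread: a small linter for
# kickstart text that reports non-working or risky patterns, plus a hardened
# header fragment that the same checks pass. Samples are constructed.

# Constructed weak sample: condensed from the kinds of lines in the posted script.
WEAK_KS='rootpw testpassword
selinux --disabled
services --enabled=iptables,sshd --disabled=firstboot
iptables --ssh --http --port:514
%post
echo password | passwd --stdin support
cat > /root/.ssh/id_rsa << EOF_id_rsa
PASTE PRIVATE KEY HERE
EOF_id_rsa
chmod 777 /usr/local/bin/ssh_syslog
StrictHostKeyChecking no
%end'

# Constructed hardened header: hashed root password (placeholder hash), firewall
# via the real kickstart command, firstboot disabled explicitly, SELinux left on.
HARDENED_KS='rootpw --iscrypted $6$CONSTRUCTED$placeholder_hash_not_a_real_one
selinux --enforcing
firewall --enabled --ssh --http --port=514:udp
firstboot --disable
services --enabled=iptables,sshd,rsyslog
%post
install -m 0755 /dev/null /usr/local/bin/ssh_syslog
%end'

# ks_lint TEXT: print one finding per line for the kickstart text given as $1.
ks_lint() {
    _ks=$1
    # _has REGEX: true when any line of the kickstart matches REGEX (ERE)
    _has() { printf '%s\n' "$_ks" | grep -Eq -- "$1"; }
    # _check REGEX MESSAGE: report MESSAGE when REGEX matches; always returns 0
    _check() { if _has "$1"; then printf '%s\n' "$2"; fi; }

    # Plaintext root password: rootpw present but without --iscrypted
    if _has '^rootpw[[:space:]]' && ! _has '^rootpw[[:space:]]+--iscrypted'; then
        printf '%s\n' 'rootpw: plaintext password; use rootpw --iscrypted <hash>'
    fi
    _check '^selinux[[:space:]]+--disabled' \
        'selinux: disabled for the whole image; prefer --enforcing'
    _check '^iptables[[:space:]]' \
        'iptables: not a kickstart command; use firewall --enabled --ssh --port=514:udp'
    _check '^echo[[:space:]]+[^|$]*[|][[:space:]]*passwd[[:space:]]+--stdin' \
        'passwd --stdin: user password stored in clear text in the kickstart'
    _check 'PRIVATE KEY|/\.ssh/id_[a-z0-9]+([[:space:]]|$)' \
        'ssh key: private key material baked into every installed system'
    _check 'chmod[[:space:]]+(-R[[:space:]]+)?[0-7]?777([[:space:]]|$)' \
        'chmod 777: world-writable file, fatal for anything run by root from cron'
    _check 'StrictHostKeyChecking[[:space:]]+no' \
        'ssh_config: host key verification disabled'
    # firstboot only mentioned in services, without the dedicated command
    if _has 'firstboot' && ! _has '^firstboot[[:space:]]+--disabled?'; then
        printf '%s\n' 'firstboot: only referenced via services; the kickstart command is firstboot --disable'
    fi
    return 0
}

# ks_finding_count TEXT: number of findings, printed as a plain integer
ks_finding_count() { ks_lint "$1" | awk 'END { print NR }'; }

# Stand-alone run: findings for the weak sample, then for the hardened header.
echo "== weak =="
ks_lint "$WEAK_KS"
echo "== hardened =="
ks_lint "$HARDENED_KS"
echo "weak findings: $(ks_finding_count "$WEAK_KS"), hardened: $(ks_finding_count "$HARDENED_KS")"
```

To check a real file, call `ks_lint "$(cat my.ks)"`. The `install -m 0755 /dev/null FILE` line in the hardened header stands in for whatever creates the cron-run script; the point is that it is created with a fixed, non-world-writable mode instead of being loosened afterwards with chmod.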
-
Eric, about 12 years ago: I looked at my /root/anaconda-ks.cfg file and it doesn't have much there. (install, lang, keyboard, rootpw, firewall, authconfig, selinux, timezone, bootloader) All of these settings are identical to my current kickstart script that isn't working.
-
Mountainerd, about 12 years ago: Looking at what you posted above, I assume you're doing a graphical environment. One thing I did notice is that there's no "firstboot --disable" for where you want to disable the firstboot option (which you mentioned). Also, there's a GUI tool to assist you in setting all these options if your hand-jammed one isn't working. Have you tried booting using the kickstart file that was automatically generated to see if that works as you are hoping your manual one will?
-
Eric, about 12 years ago: I have disabled firstboot under services. I originally had "firstboot --disable" and it had the same effect as me having it under "services --disabled=firstboot". I've tried using the GUI tool before but haven't had much luck with it. As far as trying to use livecd-creator and using the anaconda-ks.cfg file, it won't work due to there not being any packages listed in the file. The file only has the few sections I stated above. Do you have an example of one of your kickstart scripts that I can look at and try to modify?
-
Mountainerd, about 12 years ago: @Eric, I'll build one out tonight or tomorrow and get it to you.
-
Aaron Copley, about 12 years ago: At the bottom of this page there is a link to an additional site with many ready-made examples. wiki.centos.org/TipsAndTricks/KickStart (nazar.karan.org/cgit/bluecain/tree) I learned a ton from these.
-
Eric, about 12 years ago: I used to have that option on there, and it did set the root password on the livecd. However it still prompted the user to enter a new root password during the installation.
-
Eric, about 12 years ago: So I would have to add something along the lines of "cp -f mykick.ks $INSTALL_ROOT/root/" and then add ks=/root/mykick.ks?
-
Aaron Copley, about 12 years ago: Do you mean for this to be an interactive Kickstart, then? I don't see the "interactive" option up there so it should just go through the install unattended.
-
Eric, about 12 years ago: I don't want it to be interactive at all. I use livecd-creator and I supply it with my kickstart script. From here it goes through the install process. Once installed, a lot of my post scripts are there and they work fine. However it doesn't appear that the "live cd install process" is accepting my kickstart script like I want it to. I see that NcA below says I have to call my ks.cfg file within my isolinux file as well. So basically I would use livecd-creator and say run ks.cfg and then within the ks.cfg recall it again?
-
Aaron Copley, about 12 years ago: Not familiar with any LiveCD process as it is related to Kickstart. My experience is with Kickstarting RHEL/CentOS but it should be similar enough to help you with Scientific Linux. If the CD is just for provisioning, does it need to be a LiveCD at all? Seems to be introducing extra complexity.
-
Eric, about 12 years ago: I have actually used that and the kickstart script worked very well. However we have to have this on a CD. Which I can technically do with that method, I'd just have to remove a lot of packages. Last time I played with it I was able to get the 3.6 Gb image down to 1.1Gb by getting rid of a lot of necessary items.
-
Aaron Copley, about 12 years ago: Ohhh... no DVD-ROM? Could you host the installation packages on an internal web server and just use boot media in the servers?