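%post
# Kickstart %post for the discovery image. Runs as root inside the installed
# root and configures: hostname resolution, NetworkManager + nm-prepare udev
# hook, firewalld (TFTP policy, foreman-proxy ports), systemd units, the
# foreman-proxy service and its settings, journald, a few setuid helpers,
# sudo rules for foreman-proxy, LLDP/promiscuous-mode udev rules and dracut.
# There is no `set -e` here: a failing step does not stop the later ones, so
# each step prints a marker line first to make failures easy to locate in the
# install log.
echo " * ensure hostname resolves quickly"
cat >/etc/hosts <<EOF
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4 fdi
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6 fdi
EOF
echo " * ensure /etc/os-release is present (needed for RHEL 7.0)"
touch /etc/os-release
echo " * disabling legacy network services (needed for RHEL 7.0)"
systemctl disable network.service
echo " * disabling kdump crash service"
systemctl disable kdump.service
echo " * configuring NetworkManager and udev/nm-prepare"
# Quoted heredoc delimiters below: the file contents are written literally,
# nothing is expanded by the shell.
cat > /etc/NetworkManager/NetworkManager.conf <<'NM'
[main]
monitor-connection-files=no
no-auto-default=*
[logging]
level=DEBUG
NM
# Run nm-prepare once for every non-loopback network device that appears.
cat > /etc/udev/rules.d/81-nm-prepare.rules <<'UDEV'
ACTION=="add", SUBSYSTEM=="net", NAME!="lo", RUN+="/usr/bin/systemd-cat -t nm-prepare /usr/bin/nm-prepare %k"
UDEV
echo " * configuring TFTP firewall modules"
# printf instead of `echo -e`: identical output under bash, and still correct
# if %post is ever run by a POSIX sh whose echo does not understand -e.
printf '%s\n' ip_conntrack_tftp nf_conntrack_netbios_ns > /etc/modules-load.d/tftp-firewall.conf
# https://blog.thewatertower.org/2019/05/01/tftp-part-2-the-tftp-client-requires-a-firewalld-as-well/
# firewalld policy objects (--new-policy) need a firewalld release that
# supports policies; the HOST->ANY policy lets the TFTP *client* on this host
# receive its replies.
firewall-offline-cmd --new-policy hostTftpTraffic
firewall-offline-cmd --policy hostTftpTraffic --add-ingress-zone HOST
firewall-offline-cmd --policy hostTftpTraffic --add-egress-zone ANY
firewall-offline-cmd --policy hostTftpTraffic --add-service tftp
echo " * enabling NetworkManager system services (needed for RHEL 7.0)"
systemctl enable NetworkManager.service
systemctl enable NetworkManager-dispatcher.service
systemctl enable NetworkManager-wait-online.service
echo " * enabling nm-prepare service"
systemctl enable nm-prepare.service
echo " * enabling required system services"
# ipmi.service is deliberately NOT enabled here: an earlier revision enabled it
# and then disabled it again a few lines later, so the net state was always
# "disabled". Only the disable is kept (see below).
systemctl enable foreman-proxy.service
systemctl enable discovery-fetch-extensions.path
systemctl enable discovery-start-extensions.service
systemctl enable discovery-menu.service
systemctl enable discovery-script-pxe.service
systemctl enable discovery-script-pxeless.service
# register service is started manually from discovery-menu
systemctl disable discovery-register.service
echo " * disabling some unused system services"
systemctl disable ipmi.service
echo " * open foreman-proxy port via firewalld"
# 8443 = https_port, 8448 = http_port in settings.yml below.
firewall-offline-cmd --zone=public --add-port=8443/tcp --add-port=8448/tcp
echo " * setting up foreman proxy service"
# Patch the packaged unit in place: order it after nm-prepare and the network,
# only start once the primary connection profile exists, and inject the
# discovery environment plus certificate generation before the daemon starts.
sed -i 's/After=.*/After=basic.target network-online.target nm-prepare.service/' /usr/lib/systemd/system/foreman-proxy.service
sed -i 's/Wants=.*/Wants=basic.target network-online.target nm-prepare.service/' /usr/lib/systemd/system/foreman-proxy.service
sed -i '/\[Unit\]/a ConditionPathExists=/etc/NetworkManager/system-connections/primary' /usr/lib/systemd/system/foreman-proxy.service
sed -i '/\[Service\]/a EnvironmentFile=-/etc/default/discovery' /usr/lib/systemd/system/foreman-proxy.service
# The `a` commands each insert right after [Service], so they end up in the
# unit in reverse order of appearance here; order does not matter to systemd.
sed -i '/\[Service\]/a ExecStartPre=/usr/bin/generate-proxy-cert' /usr/lib/systemd/system/foreman-proxy.service
sed -i '/\[Service\]/a PermissionsStartOnly=true' /usr/lib/systemd/system/foreman-proxy.service
sed -i '/\[Service\]/a TimeoutStartSec=9999' /usr/lib/systemd/system/foreman-proxy.service
/sbin/usermod -a -G tty foreman-proxy
# Proxy settings. The certificate generated by generate-proxy-cert doubles as
# the CA file, i.e. the proxy trusts only its own self-generated cert. Logs go
# to syslog at DEBUG level.
cat >/etc/foreman-proxy/settings.yml <<'CFG'
---
:settings_directory: /etc/foreman-proxy/settings.d
# certificate is generated by /usr/bin/generate-proxy-cert
:ssl_certificate: /etc/foreman-proxy/cert.pem
:ssl_ca_file: /etc/foreman-proxy/cert.pem
:ssl_private_key: /etc/foreman-proxy/key.pem
:daemon: true
:http_port: 8448
:https_port: 8443
:log_file: SYSLOG
:log_level: DEBUG
:log_buffer: 1000
:log_buffer_errors: 500
CFG
cat >/etc/foreman-proxy/settings.d/discovery_image.yml <<'CFG'
---
:enabled: true
CFG
cat >/etc/foreman-proxy/settings.d/bmc.yml <<'CFG'
---
:enabled: true
:bmc_default_provider: shell
CFG
cat >/etc/foreman-proxy/settings.d/facts.yml <<'CFG'
---
:enabled: true
CFG
cat >/etc/foreman-proxy/settings.d/logs.yml <<'CFG'
---
:enabled: true
CFG
echo " * setting up systemd"
echo "DumpCore=no" >> /etc/systemd/system.conf
echo " * setting multi-user.target as default"
systemctl set-default multi-user.target
echo " * setting up journald and ttys"
systemctl disable getty@tty1.service getty@tty2.service
systemctl mask getty@tty1.service getty@tty2.service
# Keep the journal in RAM only (live image), capped at 25M, no forwarding.
echo "Storage=volatile" >> /etc/systemd/journald.conf
echo "RuntimeMaxUse=25M" >> /etc/systemd/journald.conf
echo "ForwardToSyslog=no" >> /etc/systemd/journald.conf
echo "ForwardToConsole=no" >> /etc/systemd/journald.conf
systemctl enable journalctl.service
echo " * setting suid bits"
# `chmod +s` sets both setuid and setgid. These become root-privileged entry
# points for any local user — presumably so the unprivileged foreman-proxy
# user can collect hardware facts; keep this list as short as possible and
# confirm each one is still needed.
chmod +s /sbin/ethtool
chmod +s /usr/sbin/dmidecode
chmod +s /usr/bin/ipmitool
# Add foreman-proxy user to sudo and disable interactive tty for reboot
echo " * setting up sudo"
sed -i -e 's/^Defaults.*requiretty/Defaults !requiretty/g' /etc/sudoers
echo "foreman-proxy ALL=NOPASSWD: /usr/sbin/reboot" >> /etc/sudoers
echo "foreman-proxy ALL=NOPASSWD: /usr/sbin/shutdown" >> /etc/sudoers
echo "foreman-proxy ALL=NOPASSWD: /usr/sbin/kexec" >> /etc/sudoers
# A syntax error in sudoers disables sudo entirely on the image; validate the
# edited file so the problem shows up in the build log instead of at runtime.
visudo -c -f /etc/sudoers || echo " ! /etc/sudoers failed validation" >&2
echo " * dropping some friendly aliases"
echo "alias vim=vi" >> /root/.bashrc
echo "alias halt=poweroff" >> /root/.bashrc
# Base env for extracting zip extensions
mkdir -p /opt/extension/{bin,lib,lib/ruby,facts}
echo " * setting up lldp service"
systemctl enable lldpad.socket
# Per-interface instances of the LLDP and promiscuous-mode units are pulled in
# by udev for every non-loopback device.
cat > /etc/udev/rules.d/82-enable-lldp.rules <<'UDEV'
ACTION=="add", SUBSYSTEM=="net", NAME!="lo", TAG+="systemd", ENV{SYSTEMD_WANTS}="enable-lldp@%k.service"
UDEV
echo " * enable promiscuous mode on all physical network interfaces"
cat > /etc/udev/rules.d/83-enable-promiscuous-mode.rules <<'UDEV'
ACTION=="add", SUBSYSTEM=="net", NAME!="lo", TAG+="systemd", ENV{SYSTEMD_WANTS}="enable-promiscuous-mode@%k.service"
UDEV
echo " * disable flushing log data"
systemctl mask systemd-journal-flush.service
# extra modules for livecd-creator/livemedia-creator
echo 'add_drivers+="mptbase mptscsih mptspi hv_storvsc hid_hyperv hv_netvsc hv_vmbus"' > /etc/dracut.conf.d/99-discovery.conf
%end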