Customize a (rhel/centos) qcow2 image so that it can be used with Vagrant
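#!/bin/bash
# Customize a RHEL/CentOS qcow2 image so it boots as a Vagrant box.
# Runs as root inside the image. Everything it sets up -- the "vagrant"
# password, the public Vagrant key, passwordless sudo, disabled firewall and
# SELinux -- is the standard *insecure* Vagrant convention: the resulting box
# is for throwaway local development only and must not be reachable from an
# untrusted network.
#
# Trace every command: the build is non-interactive and the trace is the only
# record of what ran. The trace also shows the passwd pipelines further down,
# so do not treat its output as safe to publish.
set -x

# Setup hostname vagrant-something.
readonly FQDN="vagrant-rhel7"
# NOTE(review): systemd-based releases read /etc/hostname; whether this file
# alone takes effect on RHEL/CentOS 7 should be confirmed.
if grep -q '^HOSTNAME=' /etc/sysconfig/network; then
  # The expansion is quoted inside the sed program so a value with spaces or
  # glob characters cannot split or break the expression.
  sed -i "s/^HOSTNAME=.*/HOSTNAME=${FQDN}/" /etc/sysconfig/network
else
  echo "HOSTNAME=${FQDN}" >> /etc/sysconfig/network
fi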
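# Cannot install any software since the box will lack entitlements. Both
# NetworkManager and cloud-init can complicate network setup of the box so they
# get removed here.
yum remove -y NetworkManager cloud-init

# Setup the vagrant user and password, ensure the group is correct.
# "vagrant" is the conventional, publicly known password of Vagrant boxes;
# it is acceptable only because the box is never exposed beyond the host.
echo 'vagrant' | passwd --stdin root
# Look the account up by name: a bare grep for 'vagrant' in /etc/passwd would
# also match a GECOS or home-directory field of some other account.
if ! getent passwd vagrant > /dev/null; then
  echo '* Creating user vagrant.'
  useradd vagrant
  echo 'vagrant' | passwd --stdin vagrant
fi
getent group admin > /dev/null || groupadd admin
# -a appends; a plain -G would drop vagrant from every other supplementary group.
usermod -aG admin vagrant

#######################################
# Append a line to /etc/sudoers unless it is already present, so a re-run of
# this script does not accumulate duplicates.
# Arguments: $1 - the exact sudoers line
#######################################
add_sudoers_line() {
  grep -qxF -- "$1" /etc/sudoers || printf '%s\n' "$1" >> /etc/sudoers
}
add_sudoers_line 'Defaults env_keep += "SSH_AUTH_SOCK"'
add_sudoers_line '%admin ALL=NOPASSWD: ALL'
sed -i 's/Defaults\s*requiretty/Defaults !requiretty/' /etc/sudoers
# A malformed sudoers locks every account out of sudo, so validate the result
# and make the failure visible in the build log.
visudo -cf /etc/sudoers || echo '* WARNING: /etc/sudoers failed validation' >&2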
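# SSH setup
# Add the Vagrant ssh key for the root and vagrant accounts.
# This is Vagrant's well-known *insecure* keypair: the private half ships with
# every Vagrant install, so anyone who can reach sshd on this box gets root.
# Vagrant normally replaces it on first boot; until then the box must not be
# reachable from an untrusted network.
readonly VAGRANT_INSECURE_PUBKEY='ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA6NF8iallvQVp22WDkTkyrtvp9eWW6A8YVr+kz4TjGYe7gHzIw+niNltGEFHzD8+v1I2YJ6oXevct1YeS0o9HZyN1Q9qgCgzUFtdOKLv6IedplqoPkcmF0aYet2PkEDo3MlTBckFXPITAMzF8dJSIFo9D8HfdOV0IAdx4O7PtixWKn5y2hMNG0zQPyUecp4pzC6kivAIhyfHilFR61RGL+GPXQ2MWZWFYbAGjyiYJnAmCP3NOTd0jMZEnDkbUvxhMmBYSdETk1rRgm+R4LOzFUGaHqHDLKLX+FIPKcF96hrucXzcWyLbIbEgE98OHlnVYCzRdK8jlqm8tehUc9c9WhQ== vagrant insecure public key'

#######################################
# Install the Vagrant public key as the sole authorized key of an account.
# Arguments: $1 - account name; its home directory is looked up via getent
# Outputs:   writes <home>/.ssh/authorized_keys (0600) inside <home>/.ssh
#            (0700), both owned by the account
# Returns:   1 if the account has no resolvable home directory
#######################################
install_vagrant_key() {
  local account=$1 home
  home=$(getent passwd "$account" | cut -d: -f6)
  [ -n "$home" ] || { echo "* no home directory for ${account}" >&2; return 1; }
  # Create (or fix up) the directory with its final mode and owner in one step.
  install -d -m 700 -o "$account" -g "$account" -- "${home}/.ssh"
  printf '%s\n' "$VAGRANT_INSECURE_PUBKEY" > "${home}/.ssh/authorized_keys"
  chmod 600 "${home}/.ssh/authorized_keys"
  # This script runs as root, so the file is created root-owned and has to be
  # handed back to the account it belongs to.
  chown "${account}:${account}" "${home}/.ssh/authorized_keys"
}

# Don't reverse-resolve client addresses at login; it only slows down the
# first connection from the host.
if grep -q 'UseDNS' /etc/ssh/sshd_config; then
  sed -i 's/.*UseDNS.*/UseDNS no/' /etc/ssh/sshd_config
else
  echo 'UseDNS no' >> /etc/ssh/sshd_config
fi
install_vagrant_key root
install_vagrant_key vagrant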
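# Disable the firewall and SELinux. The box will refuse to start with SELinux
# enforcing, so the config written below sets it to "disabled" -- not
# "permissive": permissive would still load the policy and log denials,
# disabled loads no policy at all. Acceptable only for a throwaway dev box.
# RHEL/CentOS 6 manage iptables via chkconfig, 7 manages firewalld via
# systemd; guard each tool so the one missing on the other release does not
# fill the build log with "command not found".
if command -v chkconfig > /dev/null; then
  chkconfig iptables off
  chkconfig ip6tables off
fi
if command -v systemctl > /dev/null; then
  # Disable firewall
  systemctl disable firewalld
  # Enable sshd
  systemctl enable sshd
fi
# Quoted delimiter: the file is written literally, nothing is expanded.
cat > /etc/selinux/config << 'EOF'
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= type of policy in use. Possible values are:
# targeted - Only targeted network daemons are protected.
# strict - Full SELinux protection.
SELINUXTYPE=targeted
EOF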
# Networking setup...
# Don't pin ethX names to hardware addresses. Both globs are passed in one
# call; the second one already covers the persistent-net rules file.
rm -f -- /etc/udev/rules.d/*persistent-net.rules /etc/udev/rules.d/*-net.rules
# Drop any stale DHCP leases left over from the source image.
rm -rf -- /var/lib/dhclient/*
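# XXX: unsure if this will help, but we'll try it out:
# Problem situation: Two interfaces are connected to same network. One interface
# wants to renew DHCP lease and asks server for address. DHCPACK message from
# server arrives, client moves to BOUND state. The client performs a check on
# the suggested address to ensure that the address is not already in use. On
# arping for specified IP address, other interface replies and that's why
# dhclient-script replies with DHCPDECLINE message. (See RFC2131, 4.4.1.).
# Solution: Set sysctl to reply only if the target IP address is local address
# configured on the incoming interface. (See kernel documentation
# Documentation/networking/ip-sysctl.txt)
#######################################
# Set a key in a sysctl.conf-style file, replacing any existing assignment of
# that key so repeated runs do not accumulate duplicate lines.
# Arguments: $1 - sysctl key, e.g. net.ipv4.conf.all.arp_ignore
#            $2 - value
#            $3 - file to edit (optional, defaults to /etc/sysctl.conf)
# Outputs:   appends "key = value" to the file
#######################################
set_sysctl() {
  local key=$1 value=$2 file=${3:-/etc/sysctl.conf}
  local key_re
  # The key is matched literally and anchored as a whole assignment: unescaped,
  # the dots in "net.ipv4..." would match any character, and an unanchored
  # pattern would also delete a different key that merely contains this one
  # as a substring. Escape sed's basic-regex metacharacters first.
  key_re=$(printf '%s' "$key" | sed 's/[][\.*^$/]/\\&/g')
  if [ -f "$file" ] && grep -q -- "^[[:space:]]*${key_re}[[:space:]]*=" "$file"; then
    sed -i "/^[[:space:]]*${key_re}[[:space:]]*=/d" "$file"
  fi
  printf '%s = %s\n' "$key" "$value" >> "$file"
}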
# Apply the ARP and reverse-path settings described above, one key=value
# entry per line.
# NOTE(review): ip-sysctl.txt documents rp_filter values 0, 1 and 2; how the
# kernel treats 3 should be confirmed before relying on it.
for setting in \
  'net.ipv4.conf.all.arp_ignore=1' \
  'net.ipv4.conf.all.arp_announce=2' \
  'net.ipv4.conf.all.rp_filter=3'; do
  set_sysctl "${setting%%=*}" "${setting#*=}"
done
# Interface eth0 should get IP address via dhcp. The file is written as fixed
# lines; nothing in it is expanded.
printf '%s\n' \
  'DEVICE="eth0"' \
  'BOOTPROTO="dhcp"' \
  'ONBOOT="yes"' \
  'NM_CONTROLLED="no"' \
  > /etc/sysconfig/network-scripts/ifcfg-eth0
# Do some cleanup: root's shell history from image preparation must not ship
# inside the box.
rm -f -- ~root/.bash_history