@jbarber
Created August 25, 2011 16:34
RHEL5 kickstart example
# Example Kickstart config file for RHEL5, change $VARIABLES to suitable values
# for your site
# Usage from linux kernel boot prompt:
# linux ks=http://$SERVER_ADDR/ks/rhel5-example.ks ip=$IPADDR netmask=$NETMASK gateway=$GATEWAY [nokill] [keymap=pt-latin1] [noipv6] [debug]
#
# More boot options at http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/5/html/Installation_Guide/ch-bootopts-x86.html
# Options for this section can be found at http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/5/html/Installation_Guide/s1-kickstart2-options.html
# Fresh install (not an upgrade), text-mode installer, no X configuration,
# and an automatic reboot once the install has finished.
install
text
skipx
reboot
# Change if you're not in Portugal!
keyboard pt-latin1
timezone Europe/Lisbon
# NOTE(review): the installation tree is fetched over plain HTTP, so nothing in
# this file authenticates the install server or the packages it hands out.
# Keep the provisioning network trusted.
url --url http://$SERVER_ADDR/mrepo/rhel5u4-x86_64/disc1
# Skip the installation-number prompt
key --skip
lang en_US.UTF-8
network --device eth0 --bootproto static --ip $IPADDR --netmask $NETMASK --gateway $GATEWAY --hostname $HOSTNAME
# if --iscrypted, $YOUMUSTCHANGEME is the hash of the password
# NOTE(review): without --iscrypted, as written here, the value is the
# plaintext root password, and this file is itself fetched over HTTP (see the
# ks= boot option above). Prefer "rootpw --iscrypted <hash>".
rootpw $YOUMUSTCHANGEME
# NOTE(review): the host firewall is switched off; the machine comes up with
# every listening service reachable unless filtering happens elsewhere.
firewall --disabled
# selinux --disabled | --enabled | --permissive
# NOTE(review): disabled here; --permissive keeps the policy loaded and logs
# denials without enforcing them, which makes enabling it later easier.
selinux --disabled
# Shadow passwords with MD5-crypt hashes.
# NOTE(review): MD5-crypt is weak against offline cracking; check whether the
# authconfig in your release offers a stronger hash before reusing this line.
authconfig --enableshadow --enablemd5
# Disk configuration - small boot partition, then LVM with VG spanning rest of
# volume. Assumes first disk is sda, fails on HP's (as disks are /dev/cciss)
# NOTE(review): "clearpart --all --initlabel" removes every existing partition
# without prompting and is not restricted to sda, so only boot this kickstart
# on machines whose disks may be wiped.
bootloader --location=mbr
clearpart --all --initlabel
part /boot --fstype ext3 --size=100 --ondisk=sda --asprimary
part pv.1 --size=0 --grow --ondisk=sda --asprimary
volgroup vg00 pv.1
# Fixed-size logical volumes; none of them uses --grow, so whatever is left
# in vg00 stays unallocated.
# NOTE(review): no mount options (e.g. nodev/nosuid) are set for /tmp, /var or
# /home here - add them if your hardening baseline requires it.
logvol / --name=lv_root --fstype ext3 --vgname=vg00 --size=3072
logvol /var --name=lv_var --fstype ext3 --vgname=vg00 --size=384
logvol /home --name=lv_home --fstype ext3 --vgname=vg00 --size=128
logvol /tmp --name=lv_tmp --fstype ext3 --vgname=vg00 --size=1024
logvol swap --name=lv_swap --fstype swap --vgname=vg00 --size=1024
# Use '%packages --nobase' for a smaller install, but it's probably not worth it
# Use '%packages --excludedocs' and %_excludedocs RPM macro to not install documentation (not much of a space saving)
# Use '%packages --ignoremissing' to not prompt on missing/misspelt package names
# NOTE(review): with --ignoremissing a misspelt name is skipped silently, so
# check the installed package set afterwards instead of assuming it matches.
# Not supported in RHEL5u4:
# Use '%packages --instLangs=en_US.utf8' and %_install_langs RPM macro to reduce the size of /usr/share/locale
%packages --ignoremissing
# These packages are ones that I really want to maintain a system and aren't in
# @core. You could probably remove perl if you don't care for it and write all
# of your scripts in python/ruby instead
perl
e2fsprogs
strace
net-snmp
curl
wget
yum
# For puppet
ruby-rdoc
ruby
ruby-libs
libselinux-ruby
# Don't seem to be able to get rid of the following packages
# (a leading "-" asks the installer to leave the package out)
-Deployment_Guide-en_US
-wireless-tools
-rhpl
# Other packages that I don't need on servers
-gpm
-isdn4k-utils
-pcmcia-cs
-wpa_supplicant
-bluez-utils
-bluez-hcidump
-bluez-libs
-bluez-bluefw
-irda-utils
# For HP Proliant Support Pack hpsum utility (4.0.1)
# (all commented out; uncomment on HP hardware that needs hpsum)
#freetype
#libXrender
#libXrandr
#libXfixes
#libXcursor
#fontconfig
#net-snmp
#libnl
#gcc
%post
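# Turn off at boot every service we don't usually need.
# The list is longer than the package set above requires because it is also
# used on servers that weren't installed with such a small base.
# Only the first word of each line is a service name; anything after it is a
# free-text note that the loop throws away. The here-doc delimiter is quoted
# so that nothing inside the list (e.g. "$JOB") is expanded by the shell.
# NOTE(review): the list contains iptables and ip6tables, so together with
# "firewall --disabled" the host boots with no packet filter at all. Drop
# those two entries unless filtering is done elsewhere on the network.
while read -r service note; do
  chkconfig "$service" off
done <<'EOF'
gpm
sendmail # Current $JOB doesn't like to have mail daemons running
readahead
readahead_early
smartd
xinetd
cups
ipmi
openibd
autofs
avahi-daemon
portmap
rpcgssd
rpcidmapd
nfslock
pcscd
rhnsd
snmpd
iptables
ip6tables
lm_sensors
yum-updatesd
xfs
hidd
EOF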
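# Add my SSH key
# "ssh-rsa ..." is a placeholder: replace it with the full public key line.
# The modes are set explicitly instead of relying on the umask of the %post
# environment, and -p keeps the step from failing if the directory exists.
# NOTE(review): this grants key-based root login to whoever holds the matching
# private key on every machine built from this file.
mkdir -p /root/.ssh
chmod 700 /root/.ssh
echo "ssh-rsa ..." >> /root/.ssh/authorized_keys
chmod 600 /root/.ssh/authorized_keys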
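# See notes for %packages
# Disabled by default ("if false"); the commands are kept commented out for
# reference. Change "false" to "true" and uncomment them to use this section.
if false; then
  # A branch that holds nothing but comments is a syntax error in sh/bash, and
  # the shell would stop executing %post at this point, skipping every section
  # below. The no-op keeps the disabled block parseable.
  :
  #echo "%_excludedocs 1" >> /etc/rpm/macros
  # Notice this is different to lang
  #LANGS="en_US.utf8"
  #echo %_install_langs $LANGS >> /etc/rpm/macros
  # Doesn't seem to do anything - maybe my archive isn't very bloated
  #localedef --list-archive | grep -xvi -e ${LANGS// / -e } | xargs localedef --delete-from-archive
  #build-locale-archive
  #find /usr/lib/locale -maxdepth 1 -type d -printf "%f\n" | grep -xvi -e ${LANGS// / -e } | while read i; do rm -rf /usr/lib/locale/$i; done
fi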
# Drop the splashimage line so grub shows its plain text menu.
# Switch "true" to "false" to keep the graphical splash.
if true; then
  grub_conf=/boot/grub/grub.conf
  sed -i '/^splashimage/d' "$grub_conf"
fi
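# Configure yum to use the local mrepo mirror instead of RHN
if true; then
  # Build the mirror's release tag from the redhat-release RPM: the RELEASE
  # field is split on "." and the first two parts are joined with "u"
  # (constructed example: "5.4.x" gives "5u4").
  # Assignment and export are separate so a failing rpm/awk is not masked.
  RELEASE=$(rpm -q redhat-release --qf '%{RELEASE}\n' | awk -F. '{print $1"u"$2}')
  export RELEASE
  # The here-doc body and its terminator stay at column 0: "<<-" strips
  # leading tabs only, never spaces.
  # The mirror is reached over plain HTTP, so package signatures are the only
  # integrity check yum has; gpgcheck is therefore on and points at the Red Hat
  # release key shipped with the OS. If the mirror carries packages not signed
  # by that key, add their key to gpgkey rather than turning the check off.
  cat <<-EOF > /etc/yum.repos.d/rhel5.repo
[rhel$RELEASE]
name=\$id
baseurl=http://$SERVER_ADDR/mrepo/rhel$RELEASE-\$basearch/RPMS.os
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
enabled=1
EOF
  # Disable RHN
  # NOTE(review): with the RHN plugin off, updates and errata only arrive if
  # the local mirror is kept current.
  if [ -e /etc/yum/pluginconf.d/rhnplugin.conf ]; then
    sed -i 's/enabled = 1/enabled = 0/' /etc/yum/pluginconf.d/rhnplugin.conf
  fi
fi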
# Configure LDAP authentication against AD
# Disabled by default ("if false"). The three here-docs below overwrite
# /etc/openldap/ldap.conf, /etc/ldap.conf and /etc/pam.d/system-auth.
# The delimiters are unquoted, so $LDAP_SERVER is expanded by the shell when
# %post runs: substitute a real host name before enabling this section.
if false; then
cat <<-EOF > /etc/openldap/ldap.conf
BASE ou=yourcorp,dc=corp,dc=com
TLS_CACERTDIR /etc/openldap/cacerts
HOST $LDAP_SERVER
EOF
# NOTE(review): "ssl no" leaves the connection to the directory unencrypted
# even though tls_cacertdir is set, so the bind password and every user's
# login password cross the network in clear text. Enable TLS before use.
# NOTE(review): "bindpw seckret" is a placeholder secret. A real one would sit
# in this kickstart file (served over HTTP) and in /etc/ldap.conf on every
# host - use a dedicated, minimally privileged bind account and check the
# file's permissions.
cat <<-EOF > /etc/ldap.conf
host $LDAP_SERVER
base ou=yourcorp,dc=corp,dc=com
binddn cn=authuser,ou=yourcorp,dc=corp,dc=com
bindpw seckret
pam_filter objectclass=user
pam_login_attribute sAMAccountName
ssl no
tls_cacertdir /etc/openldap/cacerts
EOF
# Replaces the authconfig-generated PAM stack wholesale; as the file's own
# header says, a later authconfig run will overwrite it again. Line order in a
# PAM stack is significant, so edit with care and keep a root shell open while
# testing.
# NOTE(review): "nullok" lets pam_unix accept accounts with an empty password,
# and "md5" keeps local password hashes on MD5-crypt.
cat <<-EOF > /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth sufficient pam_ldap.so use_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_succeed_if.so uid < 500 quiet
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
EOF
fi
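# Puppet - the $SERVER_ADDR has the RPMs for puppet (from EPEL) under /ks/puppet
# directory, replace with yum if you have a local mirror. These packages are:
# ruby-shadow
# augeas-libs
# ruby-augeas
# facter
# puppet
if true; then
  echo "$SERVER_ADDR puppet" >> /etc/hosts
  if command -v wget >/dev/null; then
    # Download into a private scratch directory so that only the files just
    # fetched are installed and removed, never unrelated *.rpm files that
    # happen to be in the current directory.
    if rpm_dir=$(mktemp -d /tmp/puppet-rpms.XXXXXX); then
      # NOTE(review): the RPMs come over plain HTTP and are installed without
      # any signature check; import the signing key and verify them (or switch
      # to a yum repo with gpgcheck) if the provisioning network is not trusted.
      wget "http://$SERVER_ADDR/ks/puppet/" -A.rpm -nd -l 1 -r -P "$rpm_dir"
      # Install only if at least one RPM actually arrived
      set -- "$rpm_dir"/*.rpm
      if [ -e "$1" ]; then
        rpm -ihv "$@"
      else
        echo "puppet: no RPMs were downloaded, nothing installed" >&2
      fi
      rm -rf -- "${rpm_dir:?}"
    else
      echo "puppet: could not create a download directory" >&2
    fi
  fi
fi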
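# Install VMware tools if needed. Done last as it can break the network
# Don't use "-s" argument for dmidecode as I try to keep this script compatible
# with RHEL4 which doesn't have it
# Each step runs only if the previous one succeeded. The URL is quoted so the
# substituted server address is always passed to rpm as a single argument.
# NOTE(review): the package is fetched over plain HTTP and installed without a
# signature check, so it is only as trustworthy as the provisioning network.
if dmidecode | grep -qi "Manufacturer: .*vmware"; then
  rpm -ihv "http://$SERVER_ADDR/vmware/VMwareTools-3.5.0-153875.i386.rpm" &&
    chkconfig vmware-tools on &&
    vmware-config-tools.pl --default
fi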