@williamcaban
Last active October 20, 2020 11:04
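#version=RHEL8
# Kickstart command section: unattended text-mode install onto a single disk,
# with no bootloader, no swap and a locked root account. The %post sections
# further down describe the result as a container root filesystem.
# Only vda is touched; every other disk is ignored.
ignoredisk --only-use=vda
# System bootloader configuration
bootloader --disabled
# One plain ext4 root partition: no separate /home, /boot or swap.
autopart --type=plain --fstype=ext4 --nohome --noboot --noswap
# Clear the Master Boot Record
zerombr
# Partition clearing information
clearpart --all
# Reboot after installation
reboot
# Use text mode install
text
# Keyboard layouts
# old format: keyboard us
# new format:
keyboard --vckeymap=us --xlayouts=''
# System language
lang en_US.UTF-8
# Network information
network --bootproto=dhcp --device=link --activate
# Additional package repositories. Each repo directive must stay on one line:
# a wrapped URL truncates --baseurl and leaves a stray, invalid command behind.
# NOTE(review): these repos and the install URL below use plain http://, so the
# transport gives no integrity or authenticity guarantee. Confirm that package
# signature checking is enforced for this install source, or use an https://
# mirror if one is available.
repo --name="koji-override-0" --baseurl=http://download-node-02.eng.bos.redhat.com/rhel-8/devel/candidate-trees/RHEL-8/RHEL-8.2.1-updates-20200901.0/compose/BaseOS/x86_64/os
repo --name="koji-override-1" --baseurl=http://download-node-02.eng.bos.redhat.com/rhel-8/devel/candidate-trees/RHEL-8/RHEL-8.2.1-updates-20200901.0/compose/AppStream/x86_64/os
# Use network installation
url --url="http://download-node-02.eng.bos.redhat.com/rhel-8/devel/candidate-trees/RHEL-8/RHEL-8.2.1-updates-20200901.0/compose/BaseOS/x86_64/os/"
# Root password
# --lock locks the root account; "locked" sits in the hash position and is a
# placeholder, not a usable password hash.
rootpw --iscrypted --lock locked
firstboot --disable
# Do not configure the X Window System
skipx
# System services
services --disabled="chronyd"
# System timezone
# UTC, with NTP time synchronisation switched off (--nontp).
timezone Etc/UTC --isUtc --nontp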
%post --logfile=/root/anaconda-post.log --erroronfail
# Chroot %post: links the host-provided secrets paths, sets the locale and the
# RPM language macro, imports the release signing key and clears per-install
# state from the installed tree.
# -e aborts on the first failing command (which --erroronfail then reports),
# -u rejects unset variables, -x traces every command.
set -eux
# Support for subscription-manager secrets
# The link targets under /run/secrets are not created here; the links dangle
# until something provides them at run time (presumably the container runtime).
# ln -s is used without -f, so under `set -e` an existing link name fails the build.
ln -s /run/secrets/etc-pki-entitlement /etc/pki/entitlement-host
ln -s /run/secrets/rhsm /etc/rhsm-host
#https://bugzilla.redhat.com/show_bug.cgi?id=1201663
# Remove the enablement symlink for rhsmcertd under multi-user.target.
rm -f /etc/systemd/system/multi-user.target.wants/rhsmcertd.service
#fips mode
# secrets patch creates /run/secrets/system-fips if /etc/system-fips exists on the host
#in turn, openssl in the container checks /etc/system-fips but dangling symlink counts as nonexistent
ln -s /run/secrets/system-fips /etc/system-fips
# Set install langs macro so that new rpms that get installed will
# only install langs that we limit it to.
LANG="C.utf8"
echo "%_install_langs $LANG" > /etc/rpm/macros.image-language-conf
echo "LANG=C.utf8" > /etc/locale.conf
# https://bugzilla.redhat.com/show_bug.cgi?id=1400682
# https://bugzilla.redhat.com/show_bug.cgi?id=1672230
echo "Import RPM GPG key"
# Trust anchor for package signatures: the ubi.repo definitions written later
# in this kickstart point their gpgkey at this same file.
rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
#echo "# fstab intentionally empty for containers" > /etc/fstab
#this is not possible, guestmount needs fstab => brew build crashes without it
#fstab is removed in TDL when tar-ing files
# Remove network configuration files leftover from anaconda installation
# https://bugzilla.redhat.com/show_bug.cgi?id=1713089
rm -f /etc/sysconfig/network-scripts/ifcfg-*
# Remove machine-id on pre generated images
# The file is recreated empty, so the ID generated during installation is not
# baked into the image and shared by everything created from it.
rm -f /etc/machine-id
touch /etc/machine-id
%end
%post --logfile=/root/anaconda-post.log --erroronfail
# Chroot %post: masks units that make no sense in a container, prunes caches
# and logs, and removes the EULA file before the repo file is written.
# NOTE(review): unlike the other %post sections in this file, this one has no
# `set -e`, so --erroronfail only sees the exit status of the last command and a
# failing systemctl or rm goes unnoticed. Confirm whether that is intentional
# (e.g. systemctl may be absent from the chroot) before adding `set -eux`.
# Mask mount units and getty service so that we don't get login prompt
# https://bugzilla.redhat.com/show_bug.cgi?id=1418327
systemctl mask systemd-logind.service getty.target console-getty.service sys-fs-fuse-connections.mount systemd-remount-fs.service dev-hugepages.mount
# a list of things that may be removed but should not, for the sake of consistency:
# remove some random help txt files
#rm -fv usr/share/gnupg/help*.txt
# Pruning random things
#rm usr/lib/rpm/rpm.daily
#rm -rfv usr/lib64/nss/unsupported-tools/ # unsupported
# Statically linked crap
#rm -fv usr/sbin/{glibc_post_upgrade.x86_64,sln}
#ln usr/bin/ln usr/sbin/sln
#some random not-that-useful binaries
#rm -fv /usr/bin/pinky
# we lose presets by removing /usr/lib/systemd but we do not care
# Maybe we do care. Don't remove these for now. rhbz 1619244
#rm -rfv /usr/lib/systemd
# if you want to change the timezone, bind-mount it from the host or reinstall tzdata
# actually, do not. bind mounting does not work if you lose the name of the symlink target
# reinstalling is hassle, rpm database complains, bugs appear
# keep tzdata where they are
# https://bugzilla.redhat.com/show_bug.cgi?id=1668185
#rm -fv /etc/localtime
#mv /usr/share/zoneinfo/UTC /etc/localtime
#rm -rfv /usr/share/zoneinfo
#udev hardware database not needed in a container
#rm -f /etc/udev/hwdb.bin
#rm -rf /usr/lib/udev/hwdb.d/*
# don't need icons
#rm -rfv /usr/share/icons/*
# Remove some dnf info
rm -rfv /var/lib/dnf
# Final pruning
# The globs skip dotfiles, so hidden entries in these directories survive.
rm -rfv /var/cache/* /var/log/* /tmp/*
#syntax highlighting goes crazy after a star */
# remove the original RHEL8 EULA
# TODO: This affects the integrity of the installed rpm. Find a better way.
# Package verification (rpm -V) will presumably report this file as missing,
# so a later integrity check has to allow for it.
rm -f /usr/share/redhat-release/EULA
# Write the UBI 8 repository definitions. The quoted 'EOF' delimiter keeps the
# here-document literal, so $basearch lands in the file unexpanded for dnf/yum
# to substitute. Every section checks package signatures (gpgcheck = 1) against
# the locally installed Red Hat release key and uses an https:// baseurl; the
# debug and source repos are defined but disabled. repo_gpgcheck is not set in
# this file, so repository metadata is not signature-checked by these sections.
cat <<'EOF' > /etc/yum.repos.d/ubi.repo
[ubi-8-baseos]
name = Red Hat Universal Base Image 8 (RPMs) - BaseOS
baseurl = https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi8/8/$basearch/baseos/os
enabled = 1
gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
gpgcheck = 1
[ubi-8-baseos-debug]
name = Red Hat Universal Base Image 8 (Debug RPMs) - BaseOS
baseurl = https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi8/8/$basearch/baseos/debug
enabled = 0
gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
gpgcheck = 1
[ubi-8-baseos-source]
name = Red Hat Universal Base Image 8 (Source RPMs) - BaseOS
baseurl = https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi8/8/$basearch/baseos/source/SRPMS
enabled = 0
gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
gpgcheck = 1
[ubi-8-appstream]
name = Red Hat Universal Base Image 8 (RPMs) - AppStream
baseurl = https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi8/8/$basearch/appstream/os
enabled = 1
gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
gpgcheck = 1
[ubi-8-appstream-debug]
name = Red Hat Universal Base Image 8 (Debug RPMs) - AppStream
baseurl = https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi8/8/$basearch/appstream/debug
enabled = 0
gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
gpgcheck = 1
[ubi-8-appstream-source]
name = Red Hat Universal Base Image 8 (Source RPMs) - AppStream
baseurl = https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi8/8/$basearch/appstream/source/SRPMS
enabled = 0
gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
gpgcheck = 1
[ubi-8-codeready-builder]
name = Red Hat Universal Base Image 8 (RPMs) - CodeReady Builder
baseurl = https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi8/8/$basearch/codeready-builder/os
enabled = 1
gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
gpgcheck = 1
[ubi-8-codeready-builder-debug]
name = Red Hat Universal Base Image 8 (Debug RPMs) - CodeReady Builder
baseurl = https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi8/8/$basearch/codeready-builder/debug
enabled = 0
gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
gpgcheck = 1
[ubi-8-codeready-builder-source]
name = Red Hat Universal Base Image 8 (Source RPMs) - CodeReady Builder
baseurl = https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi8/8/$basearch/codeready-builder/source/SRPMS
enabled = 0
gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
gpgcheck = 1
EOF
%end
%post --nochroot --logfile=/mnt/sysimage/root/anaconda-post-nochroot.log --erroronfail
# Runs in the installer environment (--nochroot); the installed tree is reached
# through /mnt/sysimage. Under `set -e` a failing umount or install aborts the
# script, which --erroronfail then reports.
set -eux
# https://bugzilla.redhat.com/show_bug.cgi?id=1343138
# Fix /run/lock breakage since it's not tmpfs in docker
# This unmounts /run (tmpfs) and then recreates the files
# in the /run directory on the root filesystem of the container
# NOTE: run this in nochroot because "umount" does not exist in chroot
umount /mnt/sysimage/run
# The file that specifies the /run/lock tmpfile is
# /usr/lib/tmpfiles.d/legacy.conf, which is part of the systemd
# rpm that isn't included in this image. We'll create the /run/lock
# file here manually with the settings from legacy.conf
# NOTE: chroot to run "install" because it is not in anaconda env
# Creates /run/lock as a directory, mode 0755, owned by root:root.
chroot /mnt/sysimage install -d /run/lock -m 0755 -o root -g root
# See: https://bugzilla.redhat.com/show_bug.cgi?id=1051816
# NOTE: run this in nochroot because "find" does not exist in chroot
# actually, do not delete at all. this is probably not needed with glibc langpacks
#KEEPLANG=en_US
#for dir in locale i18n; do
# find /mnt/sysimage/usr/share/${dir} -mindepth 1 -maxdepth 1 -type d -not \( -name "${KEEPLANG}" -o -name POSIX \) -exec rm -rfv {} +
#done
%end
# Package set for the image: documentation, the core group, weak dependencies
# and languages other than "en" are left out. Plain names are installed,
# names prefixed with "-" are excluded.
%packages --excludedocs --nocore --instLangs=en --excludeWeakdeps
bash
coreutils-single
dnf-plugin-subscription-manager
findutils
# NOTE(review): gdb-gdbserver is a remote-debugging stub; confirm it is meant to
# ship in a minimal base image rather than being added only where needed.
gdb-gdbserver
glibc-minimal-langpack
gzip
redhat-release
rootfiles
subscription-manager
tar
vim-minimal
yum
# Exclusions: filesystem tools, kernel, guest agent and desktop-related data.
-dosfstools
-e2fsprogs
-fuse-libs
-gnupg2-smime
-kernel
-libss
-pinentry
-qemu-guest-agent
-shared-mime-info
-trousers
-xfsprogs
-xkeyboard-config
%end
# kdump add-on is disabled; --reserve-mb is still passed, presumably without
# effect while the add-on is off.
%addon com_redhat_kdump --disable --reserve-mb='128'
%end
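#version=F26
# Kickstart command section: unattended text-mode install with no bootloader,
# no swap and a locked root account. The %post sections further down describe
# the result as a container root filesystem.
# Keyboard layouts
keyboard 'us'
# Root password
# --lock locks the root account; "locked" sits in the hash position and is a
# placeholder, not a usable password hash.
rootpw --iscrypted --lock locked
# Use network installation
# NOTE(review): the install URL and both repos use plain http://, so the
# transport gives no integrity or authenticity guarantee. Confirm that package
# signature checking is enforced for this install source, or use an https://
# mirror if one is available.
url --url="http://download-node-02.eng.bos.redhat.com/rhel-8/devel/candidate-trees/RHEL-8/RHEL-8.2.1-updates-20200901.0/compose/BaseOS/x86_64/os"
# Additional package repositories. Each repo directive must stay on one line:
# a wrapped URL truncates --baseurl and leaves a stray, invalid command behind.
repo --name="koji-override-0" --baseurl=http://download-node-02.eng.bos.redhat.com/rhel-8/devel/candidate-trees/RHEL-8/RHEL-8.2.1-updates-20200901.0/compose/BaseOS/x86_64/os
repo --name="koji-override-1" --baseurl=http://download-node-02.eng.bos.redhat.com/rhel-8/devel/candidate-trees/RHEL-8/RHEL-8.2.1-updates-20200901.0/compose/AppStream/x86_64/os
# Reboot after installation
reboot
# Network information
network --bootproto=dhcp --device=link --activate
# System timezone
# UTC, with NTP time synchronisation switched off (--nontp).
timezone Etc/UTC --isUtc --nontp
# Use text mode install
text
# System bootloader configuration
bootloader --disabled
# One plain ext4 root partition: no separate /home, /boot or swap.
autopart --type=plain --fstype=ext4 --nohome --noboot --noswap
# Clear the Master Boot Record
zerombr
# Partition clearing information
clearpart --all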
%post --logfile /root/anaconda-post.log --erroronfail
# Chroot %post: links the host-provided secrets paths, sets the locale and the
# RPM language macro, imports the release signing key and clears per-install
# state from the installed tree.
# -e aborts on the first failing command (which --erroronfail then reports),
# -u rejects unset variables, -x traces every command.
set -eux
# Support for subscription-manager secrets
# The link targets under /run/secrets are not created here; the links dangle
# until something provides them at run time (presumably the container runtime).
# ln -s is used without -f, so under `set -e` an existing link name fails the build.
ln -s /run/secrets/etc-pki-entitlement /etc/pki/entitlement-host
ln -s /run/secrets/rhsm /etc/rhsm-host
#https://bugzilla.redhat.com/show_bug.cgi?id=1201663
# Remove the enablement symlink for rhsmcertd under multi-user.target.
rm -f /etc/systemd/system/multi-user.target.wants/rhsmcertd.service
# secrets patch creates /run/secrets/system-fips if /etc/system-fips exists on the host
#in turn, openssl in the container checks /etc/system-fips but dangling symlink counts as nonexistent
ln -s /run/secrets/system-fips /etc/system-fips
# Set install langs macro so that new rpms that get installed will
# only install langs that we limit it to.
LANG="C.utf8"
echo "%_install_langs $LANG" > /etc/rpm/macros.image-language-conf
echo "LANG=C.utf8" > /etc/locale.conf
# https://bugzilla.redhat.com/show_bug.cgi?id=1400682
# https://bugzilla.redhat.com/show_bug.cgi?id=1672230
echo "Import RPM GPG key"
# Trust anchor for package signatures: the ubi.repo definitions written later
# in this kickstart point their gpgkey at this same file.
rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
#echo "# fstab intentionally empty for containers" > /etc/fstab
#this is not possible, guestmount needs fstab => brew build crashes without it
#fstab is removed in TDL when tar-ing files
# Remove network configuration files leftover from anaconda installation
# https://bugzilla.redhat.com/show_bug.cgi?id=1713089
rm -f /etc/sysconfig/network-scripts/ifcfg-*
# Remove machine-id on pre generated images
# The file is recreated empty, so the ID generated during installation is not
# baked into the image and shared by everything created from it.
rm -f /etc/machine-id
touch /etc/machine-id
%end
%post --logfile /root/anaconda-post.log --erroronfail
# Chroot %post: masks units that make no sense in a container, prunes caches
# and logs, and removes the EULA file before the repo file is written.
# NOTE(review): unlike the other %post sections in this file, this one has no
# `set -e`, so --erroronfail only sees the exit status of the last command and a
# failing systemctl or rm goes unnoticed. Confirm whether that is intentional
# (e.g. systemctl may be absent from the chroot) before adding `set -eux`.
# Mask mount units and getty service so that we don't get login prompt
# https://bugzilla.redhat.com/show_bug.cgi?id=1418327
systemctl mask systemd-logind.service getty.target console-getty.service sys-fs-fuse-connections.mount systemd-remount-fs.service dev-hugepages.mount
# a list of things that may be removed but should not, for the sake of consistency:
# remove some random help txt files
#rm -fv usr/share/gnupg/help*.txt
# Pruning random things
#rm usr/lib/rpm/rpm.daily
#rm -rfv usr/lib64/nss/unsupported-tools/ # unsupported
# Statically linked crap
#rm -fv usr/sbin/{glibc_post_upgrade.x86_64,sln}
#ln usr/bin/ln usr/sbin/sln
#some random not-that-useful binaries
#rm -fv /usr/bin/pinky
# we lose presets by removing /usr/lib/systemd but we do not care
# Maybe we do care. Don't remove these for now. rhbz 1619244
#rm -rfv /usr/lib/systemd
# if you want to change the timezone, bind-mount it from the host or reinstall tzdata
# actually, do not. bind mounting does not work if you lose the name of the symlink target
# reinstalling is hassle, rpm database complains, bugs appear
# keep tzdata where they are
# https://bugzilla.redhat.com/show_bug.cgi?id=1668185
#rm -fv /etc/localtime
#mv /usr/share/zoneinfo/UTC /etc/localtime
#rm -rfv /usr/share/zoneinfo
#udev hardware database not needed in a container
#rm -f /etc/udev/hwdb.bin
#rm -rf /usr/lib/udev/hwdb.d/*
# don't need icons
#rm -rfv /usr/share/icons/*
# Remove some dnf info
rm -rfv /var/lib/dnf
# Final pruning
# The globs skip dotfiles, so hidden entries in these directories survive.
rm -rfv /var/cache/* /var/log/* /tmp/*
#syntax highlighting goes crazy after a star */
# remove the original RHEL8 EULA
# TODO: This affects the integrity of the installed rpm. Find a better way.
# Package verification (rpm -V) will presumably report this file as missing,
# so a later integrity check has to allow for it.
rm -f /usr/share/redhat-release/EULA
# Write the UBI 8 repository definitions. The quoted 'EOF' delimiter keeps the
# here-document literal, so $basearch lands in the file unexpanded for dnf/yum
# to substitute. Every section checks package signatures (gpgcheck = 1) against
# the locally installed Red Hat release key and uses an https:// baseurl; the
# debug and source repos are defined but disabled. repo_gpgcheck is not set in
# this file, so repository metadata is not signature-checked by these sections.
cat <<'EOF' > /etc/yum.repos.d/ubi.repo
[ubi-8-baseos]
name = Red Hat Universal Base Image 8 (RPMs) - BaseOS
baseurl = https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi8/8/$basearch/baseos/os
enabled = 1
gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
gpgcheck = 1
[ubi-8-baseos-debug]
name = Red Hat Universal Base Image 8 (Debug RPMs) - BaseOS
baseurl = https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi8/8/$basearch/baseos/debug
enabled = 0
gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
gpgcheck = 1
[ubi-8-baseos-source]
name = Red Hat Universal Base Image 8 (Source RPMs) - BaseOS
baseurl = https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi8/8/$basearch/baseos/source/SRPMS
enabled = 0
gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
gpgcheck = 1
[ubi-8-appstream]
name = Red Hat Universal Base Image 8 (RPMs) - AppStream
baseurl = https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi8/8/$basearch/appstream/os
enabled = 1
gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
gpgcheck = 1
[ubi-8-appstream-debug]
name = Red Hat Universal Base Image 8 (Debug RPMs) - AppStream
baseurl = https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi8/8/$basearch/appstream/debug
enabled = 0
gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
gpgcheck = 1
[ubi-8-appstream-source]
name = Red Hat Universal Base Image 8 (Source RPMs) - AppStream
baseurl = https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi8/8/$basearch/appstream/source/SRPMS
enabled = 0
gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
gpgcheck = 1
[ubi-8-codeready-builder]
name = Red Hat Universal Base Image 8 (RPMs) - CodeReady Builder
baseurl = https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi8/8/$basearch/codeready-builder/os
enabled = 1
gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
gpgcheck = 1
[ubi-8-codeready-builder-debug]
name = Red Hat Universal Base Image 8 (Debug RPMs) - CodeReady Builder
baseurl = https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi8/8/$basearch/codeready-builder/debug
enabled = 0
gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
gpgcheck = 1
[ubi-8-codeready-builder-source]
name = Red Hat Universal Base Image 8 (Source RPMs) - CodeReady Builder
baseurl = https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi8/8/$basearch/codeready-builder/source/SRPMS
enabled = 0
gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
gpgcheck = 1
EOF
%end
%post --nochroot --logfile /mnt/sysimage/root/anaconda-post-nochroot.log --erroronfail
# Runs in the installer environment (--nochroot); the installed tree is reached
# through /mnt/sysimage. Under `set -e` a failing umount or install aborts the
# script, which --erroronfail then reports.
set -eux
# https://bugzilla.redhat.com/show_bug.cgi?id=1343138
# Fix /run/lock breakage since it's not tmpfs in docker
# This unmounts /run (tmpfs) and then recreates the files
# in the /run directory on the root filesystem of the container
# NOTE: run this in nochroot because "umount" does not exist in chroot
umount /mnt/sysimage/run
# The file that specifies the /run/lock tmpfile is
# /usr/lib/tmpfiles.d/legacy.conf, which is part of the systemd
# rpm that isn't included in this image. We'll create the /run/lock
# file here manually with the settings from legacy.conf
# NOTE: chroot to run "install" because it is not in anaconda env
# Creates /run/lock as a directory, mode 0755, owned by root:root.
chroot /mnt/sysimage install -d /run/lock -m 0755 -o root -g root
# See: https://bugzilla.redhat.com/show_bug.cgi?id=1051816
# NOTE: run this in nochroot because "find" does not exist in chroot
# actually, do not delete at all. this is probably not needed with glibc langpacks
#KEEPLANG=en_US
#for dir in locale i18n; do
# find /mnt/sysimage/usr/share/${dir} -mindepth 1 -maxdepth 1 -type d -not \( -name "${KEEPLANG}" -o -name POSIX \) -exec rm -rfv {} +
#done
%end
# kdump add-on is disabled for this image.
%addon com_redhat_kdump --disable
%end
# Package set for the image: documentation, the core group, weak dependencies
# and languages other than "en" are left out. Plain names are installed,
# names prefixed with "-" are excluded.
%packages --excludedocs --nocore --instLangs=en --excludeWeakdeps
bash
coreutils-single
dnf-plugin-subscription-manager
findutils
# NOTE(review): gdb-gdbserver is a remote-debugging stub; confirm it is meant to
# ship in a minimal base image rather than being added only where needed.
gdb-gdbserver
glibc-minimal-langpack
gzip
redhat-release
rootfiles
subscription-manager
tar
vim-minimal
yum
# Exclusions: filesystem tools, kernel, guest agent and desktop-related data.
-dosfstools
-e2fsprogs
-fuse-libs
-gnupg2-smime
-kernel
-libss
-pinentry
-qemu-guest-agent
-shared-mime-info
-trousers
-xfsprogs
-xkeyboard-config
%end