Questions[scientific-linux](server)

I've been working on a kickstart script for a Scientific Linux install. My goal is to create a CD ISO so that someone can install it easily on a server. I've been able to do a decent amount with it but I'm still running into a few problems that I would like help on.

1. When the boot menu starts and I select "install" or "install (text mode)", it never goes directly to the install. It goes to a command prompt where I have to type in root and the run "liveinst".
2. When the install starts, I want to remove some of the options. Ex. - I am defining the time zone, language, etc in the kickstart script so I don't want anyone to be able to modify that.
3. It's not prompting me for the network information. I don't want to run firstboot, I just want it to ask me for the network during the intial setup. I've tried various things in the kickstart script such as "asknet", "network --query", and none seem to work.
4. The iptables setup doesn't work. I've tried adding "iptables --ssh --http --port:514" at the top of the kickstart script, I've tried echoing commands into /etc/sysconfig/iptables, I've tried rewriting the file completely, and none of it seems to work.

Any help or pointers would be greatly appreciated.

######################################################
## Custom Kickstart Script
######################################################

######################################################
## Include another kickstart script
######################################################

%include sl62-livecd-gnome.ks

######################################################
## Basic Settings
######################################################

cdrom
install
autopart
autostep
xconfig --startxonboot
rootpw testpassword

lang en_US.UTF-8
keyboard us
timezone --utc America/New_York
auth --useshadow --enablemd5
selinux --disabled
services --enabled=iptables,rsyslog,sshd,ntpd,NetworkManager,network --disabled=sendmail,cups,firstboot,ip6tables

clearpart --all

######################################################
## Repos
######################################################
repo --name=base          --baseurl=http://ftp.scientificlinux.org/linux/scientific/6.2/$basearch/os/
repo --name=security   --baseurl=http://ftp.scientificlinux.org/linux/scientific/6.2/$basearch/updates/security/

######################################################
## Packages
######################################################

%packages

# Additional firmware support
aic94xx-firmware
netxen-firmware
atmel-firmware
bfa-firmware
ql2100-firmware
ql2200-firmware
ql23xx-firmware
ql2400-firmware
ql2500-firmware
rt61pci-firmware
rt73usb-firmware
xorg-x11-drv-ati-firmware

# Remove these packages
-tigervnc-server
-tigervnc
-postfix
-pidgin
-cups
-pulseaudio-module-bluetooth
-gnome-bluetooth-libs
-gnome-bluetooth
-cheese
-evolution-data-server
-libgweather
-tsclient

/usr/sbin/lokkit

%end

######################################################
## Post Script --nochroot (nochroot environment allows you to copy from the build host environment to the livecd build enviroment)
######################################################
%post --nochroot

# Modify desktop background
cp -f my_wallpaper.jpg $INSTALL_ROOT/usr/share/backgrounds/1280x1024_default.png
cp -f my_wallpaper.jpg $INSTALL_ROOT/usr/share/backgrounds/1920x1200_default.png
cp -f my_wallpaper.jpg $INSTALL_ROOT/usr/share/backgrounds/2048x1536_default.png

# Copy new splash screen for boot menu
cp -f splash.jpg $LIVE_ROOT/isolinux/

# Copy icons for the new applications
cp -f logo-16x16.png $INSTALL_ROOT/usr/share/icons/gnome/16x16/apps/logo.png
cp -f logo-22x22.png $INSTALL_ROOT/usr/share/icons/gnome/22x22/apps/logo.png
cp -f logo-24x24.png $INSTALL_ROOT/usr/share/icons/gnome/24x24/apps/logo.png
cp -f logo-32x32.png $INSTALL_ROOT/usr/share/icons/gnome/32x32/apps/logo.png
cp -f logo-32x32.png $INSTALL_ROOT/usr/share/icons/gnome/scalable/apps/logo.png

# Copy some files to the hard drive, will put them in the desktop later in the post script
cp -f system_stats $INSTALL_ROOT/usr/local/bin/

# Modify the boot menu
cat > $LIVE_ROOT/isolinux/isolinux.cfg << EOF_boot_menu

default vesamenu.c32
timeout 100

menu background splash.jpg
menu title Welcome to MyISO!
menu color border 0 #ffffffff #00000000
menu color sel 7 #ffffffff #ff000000
menu color title 0 #ffffffff #00000000
menu color tabmsg 0 #ffffffff #00000000
menu color unsel 0 #ffffffff #00000000
menu color hotsel 0 #ff000000 #ffffffff
menu color hotkey 7 #ffffffff #ff000000
menu color timeout_msg 0 #ffffffff #00000000
menu color timeout 0 #ffffffff #00000000
menu color cmdline 0 #ffffffff #00000000
menu hidden
menu hiddenrow 5
label install0
 menu label Install
 kernel vmlinuz0
 append initrd=initrd0.img root=live:CDLABEL=MyISO rootfstype=auto ro liveimg liveinst noswap   rd_NO_LUKS rd_NO_MD rd_NO_DM  
menu default
EOF_boot_menu

%end

#####################################################
## Post Script (chroot environment isolates the livecd build environment form the host that is building the livecd)
#####################################################
%post

# Add a new user and modify permissions
/usr/sbin/useradd support -G wheel -c "Support" -d /home/support -s /bin/bash; echo password | passwd --stdin support

# Create the .ssh directory for root to have passwordless logins to the syslog server
mkdir /root/.ssh

# Create the keys
cat > /root/.ssh/id_rsa << EOF_id_rsa
PAST PRIVTE KEY HERE
EOF_id_rsa

cat > /root/.ssh/id_rsa.pub << EOF_id_rsa_pub
PAST PUBLIC KEY HERE
EOF_id_rsa_pub

# Modify the permissions for the ssh key
chown root:root -R /root/.ssh/
chmod 700 -R /root/.ssh/

# Allow wheel group sudo access
cat >> /etc/sudoers << EOF_sudoers

### Allow wheel group sudo access ###
%wheel ALL=(ALL) ALL'
EOF_sudoers

# Modify ssh_config
cat >> /etc/ssh/ssh_config << EOF_ssh_config

### Specific settings for timeouts
TCPKeepAlive yes
ServerAliveInterval 120
ServerAliveCountMax 3

### Don't prompt for host verification
StrictHostKeyChecking no
EOF_ssh_config

# Modify sshd_config
/bin/sed -i 's/#PermitRootLogin yes/PermitRootLogin no/' /etc/ssh/sshd_config
/sbin/service sshd restart

# Create a directory for rsyslog queuing
mkdir /var/spool/rsyslog

# Modify rsyslog configuration
cat >> /etc/rsyslog.conf << EOF_rsyslog

### Queuing Config ###
\$WorkDirectory /var/spool/rsyslog
\$ActionQueueType LinkedList
\$ActionQueueFileName remotequeue
\$ActionResumeRetryCount -1
\$ActionQueueSaveOnShutdown on
\$ActionQueueMaxFileSize 100m
\$ActionQueueMaxDiskSpace 5g

### Forwarding Rule ###
*.*     @@127.0.0.1:1514
EOF_rsyslog

# Start the SSH tunnel and ensure if it goes down, it will be restarted
cat >> /etc/rc.local << EOF_inittab
ssh -fnNTx -L 1514:127.0.0.1:514 [email protected] > /dev/null 2>&1
EOF_inittab

cat >> /usr/local/bin/ssh_syslog << EOF_ssh_syslog
#!/bin/bash
if ps aux | grep "ssh -fnNTx" | grep -v "grep"
then
echo "Already Running"
else
echo "Starting now"
ssh -fnNTx -L 1514:127.0.0.1:514 [email protected]
fi
EOF_ssh_syslog

chmod 777 /usr/local/bin/ssh_syslog

cat >> /etc/crontab << EOF_ssh_cron
*/1 * * * * root /usr/local/bin/ssh_syslog
EOF_ssh_cron

# Allow forwarding (first line is for initial allowance, second line is to maintain during a reboot)
echo 1 > /proc/sys/net/ipv4/ip_forward
/bin/sed -i 's/net.ipv4.ip_forward = 0/net.ipv4.ip_forward = 1/' /etc/sysctl.conf

cat > /etc/sysconfig/iptables.script << EOF_iptables_script
#!/bin/bash
# Iptables configuration script

# Flush all current rules from iptables
/sbin/iptables -F

# Loopback address
/sbin/iptables -A INPUT -i lo -j ACCEPT

# Established inbound rule
/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Define new chain with all management IPs
/sbin/iptables -N MGT_IPS
/sbin/iptables -A INPUT -s 192.168.56.0/24 -j MGT_IPS

# Allow SSH , HTTP, ,HTTPS, and ping access to management IPs
/sbin/iptables -A MGT_IPS -p tcp -m state --state NEW -m multiport --dports 22,80,443 -j ACCEPT
/sbin/iptables -A MGT_IPS -p icmp -m icmp --icmp-type any -j ACCEPT

# Allow ICMP from internal IPs
/sbin/iptables -A INPUT -s 10.0.0.0/8 -p icmp -m icmp --icmp-type any -j ACCEPT
/sbin/iptables -A INPUT -s 172.16.0.0/12 -p icmp -m icmp --icmp-type any -j ACCEPT
/sbin/iptables -A INPUT -s 192.168.0.0/16 -p icmp -m icmp --icmp-type any -j ACCEPT

# Drop rules to prevent them from entering the logs
/sbin/iptables -A INPUT -p tcp -m multiport --dports 135,137,138 -j DROP
/sbin/iptables -A INPUT -p udp -m multiport --dports 135,137,138 -j DROP
/sbin/iptables -A INPUT -p all -d 255.255.255.255 -j DROP

# Log dropped traffic
/sbin/iptables -A INPUT -j LOG -m limit --limit 10/m --log-level 4 --log-prefix "Dropped Traffic: "

# Set default policies for INPUT, FORWARD and OUTPUT chains
/sbin/iptables -P INPUT DROP
/sbin/iptables -P FORWARD DROP
/sbin/iptables -P OUTPUT ACCEPT

# Save settings
/sbin/service iptables save

# List rules
/sbin/iptables -L -v
EOF_iptables_script

# Modify iptables.script permissions so it can run
chmod 700 /etc/sysconfig/iptables.script

# Add files to rc.local
cat >> /etc/rc.local << EOF_rclocal

# Run firewall script
/etc/sysconfig/iptables.script
EOF_rclocal

# Remove some files that are not needed (cups,tigervnc-server, libgweather won't allow me to remove them)
rpm -e --nodeps tigervnc
rpm -e --nodeps tigervnc-server
rpm -e --nodeps libgweather
rpm -e --nodeps pulseaudio
rpm -e --nodeps cups
rpm -e --nodeps sendmail

# Modify the applications menu
rm -f /usr/share/applications/gthumb*.desktop
rm -f /usr/share/applications/brasero*.desktop
rm -f /usr/share/applications/gnome-screens*.desktop
rm -f /usr/share/applications/about-this-computer.desktop
rm -f /usr/share/applications/gnome-about*.desktop
rm -f /usr/share/applications/gnome-dictionary.desktop
rm -f /usr/share/applications/gnome-gcalctool.desktop
rm -f /usr/share/applications/gnome-keybinding.desktop
rm -f /usr/share/applications/bluetooth-properties.desktop
rm -f /usr/share/applications/totem.desktop
rm -f /usr/share/applications/gnome-file-roller.desktop
rm -f /usr/share/applications/gnome-gucharmap.desktop
rm -f /usr/share/applications/gedit.desktop
rm -f /usr/share/applications/gnome-baobab.desktop
rm -f /usr/share/applications/gnome-system-monitor.desktop
rm -f /usr/share/applications/palimpsest.desktop
rm -f /usr/share/applications/gnome-nautilus-browser.desktop
rm -f /usr/share/applications/TUV.desktop
rm -f /usr/share/applications/sl-release-notes.desktop
rm -f /usr/share/applications/system-config-users.desktop
rm -f /usr/share/applications/authconfig.desktop
rm -f /usr/share/applications/system-config-firewall.desktop
rm -f /usr/share/applications/system-config-services.desktop
rm -f /usr/share/applications/gnome-network-properties.desktop
rm -f /usr/share/applications/gnome-volume-control.desktop
rm -f /usr/share/applications/gnome-default-application.desktop
rm -f /usr/share/applications/gnome-at-properties.desktop
rm -f /usr/share/applications/gnome-session-properties.desktop

/bin/sed -i 's/Categories=System;Settings;X-Red-Hat-Base;/Categories=Settings;/' /usr/share/applications/system-config-date.desktop

/bin/sed -i 's/NoDisplay=true/NoDisplay=false/' /home/customer_login/.local/share/applications/preferred-mail-reader.desktop

# Create a various scripts for customers to use
cat > /usr/local/bin/remote_support << EOF_remote_support
#!/bin/bash
# This script will open a reverse SSH tunnel for support.
ssh -fnNTx -R 2222:127.0.0.1:22 X.X.X.X
EOF_remote_support

chmod 777 /usr/local/bin/remote_support
chmod 777 /usr/local/bin/system_stats

# Add the scripts to the applications menu
cat > /usr/share/applications/remote-support.desktop << EOF_remote_sup_menu
[Desktop Entry]
Name=Remote Support
Comment=Support
Exec=remote_support
StartupNotify=true
Terminal=true
Type=Application
Categories=System
Icon=/usr/share/icons/gnome/16x16/apps/logo.png
EOF_remote_sup_menu

cat > /usr/share/applications/system-stats.desktop << EOF_sys_stats_menu
[Desktop Entry]
Name=System Statistics
Comment=Basic system information
Exec=system_stats
StartupNotify=true
Terminal=true
Type=Application
Categories=System
Icon=/usr/share/icons/gnome/16x16/apps/logo.png
EOF_sys_stats_menu

chmod 644 /usr/share/applications/remote-support.desktop
chmod 644 /usr/share/applications/system-stats.desktop

%end

# Reboot after installation
reboot --eject

EDIT: I've figured out most of my problems. The only issue I have now is that I want the install procedure to skip the section where it prompts the user for a root password. I will auto set this later and don't want them having the power to do that.

EDIT2: Ok I updated my kickstart script above. Using this script it creates a live CD that instantly goes to the install process. Once I go through the install process it prompts me for root password, HD location, time zones, etc. Then it installs and all of my kickstart script works perfectly on the new system. However, I still want to make it where it doesn't prompt me for the root password during the initial install. I have tried adding the following to the kickstart script but it doesn't work

# Copy kickstart script to the live CD
cp -f test.ks $INSTALL_ROOT/root/

# Modified the boot menu to say
append initrd=initrd0.img ks=cdrom:/root/test.ks root=live:CDLABEL=MyISO rootfstype=auto ro liveimg liveinst noswap   rd_NO_LUKS rd_NO_MD rd_NO_DM  

On the ks= part I wasn't sure what was correct so I also tried ks=/root/test.ks and it still prompted me for the initial setup information.

EDIT3: I started working on this again over the last few days and I still can't get the ISO to auto step through the basic setting steps such as root password, time settings, keyboard, etc. I've tried various locations of putting the ks.cfg in /root/, on the live CD under that root directory and under isolinux. Every time it still asks for the info.

Basically I want an ARGV like usage on the PXE command line, but I can't see any documentation to do this.

basically I want to pass something like

scientific-linux-6 HOSTNAME VLAN

then in %pre hit some APIs to get the networking info I need to append it to the KS config. This part is easy, if I have the parameters.

Finally in %post I want to kick off a chef run and boot strap to chef server. This also needs to know hostname / domain name ( basically have hostname -f not blow up ), but this shouldn't be too bad if I can complete the above. Sadly, this was my original goal, but then it failed when I realized I didn't have the hostname set yet.

Here is what I have learned so far.

$ cat linux-install/msgs/param.msg 



                        09Kernel Parameter Help07

Some kernel parameters can be specified on the command line and will be
passed to the running kernel.  This does not include options to modules
such as ethernet cards or devices such as CD-ROM drives.

To pass an option to the kernel, use the following format:
     0flinux <options>07
If a different installation mode is desired, enter it after the option(s).

For example, to install on a system with 128MB of RAM using expert mode, 
type the following:
     0flinux mem=128M expert07

To pass options to modules, you will need to use the expert mode to disable
PCI autoprobing.  When the installation asks for your device type that needs
an option or parameter passed to it, there will be a place to type those
in at that time. 

Sweet!? So that means on PXE I can go like...

scientific-linux-6 linux ARGV_APPEND

Right?

Then getting things into %pre and %post I found This presentation and a few other mentions

Stick this at the top of the %pre section, and it will take anything of the form var=value
from /proc/cmdline and turn it into a variable you can use directly

set -- `cat /proc/cmdline`

for I in $*; do case "$I" in *=*) eval $I;; esac; done

So that means I can say

scientific-linux-6 linux HOSTNAME=foo.example.com, VLAN=ddd

Right?

Then in %pre That means I can

Hit my API to get IP, mask, gateway and then change network to something like

network --bootproto=static --ip=10.0.2.15 --netmask=255.255.255.0
 --gateway=10.0.2.254 --nameserver=10.0.2.1

As described Here

Then that sets up us in %post for our chef-client run.

My question is. Does it sound like this will work? Is there a better way? Surely someone else has done this before?

Update ( Solution implemented based on answer )

On the PXE command line I ended up passing options

$ hotbox linux prefix_varname="foo" prefix_another_var="bar"

( everything after linux is put on /proc/cmdline . hotbox was the PXE label. ) Then in %post I parsed /proc/cmdline (in Ruby) looking for all the variables that matched /prefix_*/ and turned them into a hash. This lead to passing it off the chef for further configuration based on the results of a web request.

Note: Razor wasn't around when I did all this. I personally wasn't satisfied with razor, and we are still using more or less the above method.

We have machines running RedHat-based distros such as CentOS or Scientific Linux. We want the systems to automatically notify us if there are any known vulnerabilities to the installed packages. FreeBSD does this with the ports-mgmt/portaudit port.

RedHat provides yum-plugin-security, which can check for vulnerabilities by their Bugzilla ID, CVE ID or advisory ID. In addition, Fedora recently started to support yum-plugin-security. I believe this was added in Fedora 16.

Scientific Linux 6 did not support yum-plugin-security as of late 2011. It does ship with /etc/cron.daily/yum-autoupdate, which updates RPMs daily. I don't think this handles Security Updates only, however.

CentOS does not support yum-plugin-security.

I monitor the CentOS and Scientific Linux mailinglists for updates, but this is tedious and I want something which can be automated.

For those of us who maintain CentOS and SL systems, are there any tools which can:

1. Automatically (Progamatically, via cron) inform us if there are known vulnerabilities with my current RPMs.
2. Optionally, automatically install the minimum upgrade required to address a security vulnerability, which would probably be yum update-minimal --security on the commandline?

I have considered using yum-plugin-changelog to print out the changelog for each package, and then parse the output for certain strings. Are there any tools which do this already?

I have a brand new Scientific Linux 6 instance (Similar to RHEL6 & CentOS6), running on Parallels.

The home directory is in a non-standard location, which I'll call /homedir

When I ssh into this box I get an error:

laptop $ ssh 192.168.1.100
[email protected]'s password: 
Could not chdir to home directory /homedir/stefanl: Permission denied

But then immediately afterwards I can chdir to that directory, without an error:

[stefanl@localhost /]$ cd /homedir/stefanl
[stefanl@localhost ~]$ touch foo
[stefanl@localhost ~]$ ls -la
total 28
drwx------. 3 stefanl wheel   4096 Sep 14 17:53 .
drwxr-xr-x. 5 root    root    4096 Sep 14 17:16 ..
-rw-------. 1 stefanl stefanl  303 Sep 14 18:16 .bash_history
-rw-r--r--. 1 stefanl stefanl   18 May 26 08:46 .bash_logout
-rw-r--r--. 1 stefanl stefanl  176 May 26 08:46 .bash_profile
-rw-r--r--. 1 stefanl stefanl  124 May 26 08:46 .bashrc
-rw-rw-r--. 1 stefanl stefanl    0 Sep 14 17:46 foo

In addition, as root I can su to my account and it seems to work fine. If I didn't have permission to chdir to this directory, I would expect to see an error.

[stefanl@localhost ~]$ pwd
/data/homedir/stefanl
[stefanl@localhost ~]$ touch bar
[stefanl@localhost ~]$ 

Why do I get an error during the initial login, but then I can cd to that same directory immediately afterwards?

On Scientific linux 6.0(RH like linux) I accidentally removed python, so yum removed as well.µ

How to install yum with rpm?

EDIT

I try to install python but it is somehow looped the dependences:

rpm -Uvh http://ftp2.scientificlinux.org/linux/scientific/6.0/x86_64/os/Packages/python-libs-2.6.5-3.el6.x86_64.rpm
    Retrieving http://ftp2.scientificlinux.org/linux/scientific/6.0/x86_64/os/Packages/python-libs-2.6.5-3.el6.x86_64.rpm
    error: Failed dependencies:
            python = 2.6.5-3.el6 is needed by python-libs-2.6.5-3.el6.x86_64

Then:

 rpm -Uvh http://ftp2.scientificlinux.org/linux/scientific/6.0/x86_64/os/Packages/python
-2.6.5-3.el6.x86_64.rpm
Retrieving http://ftp2.scientificlinux.org/linux/scientific/6.0/x86_64/os/Packages/python-2.6.5-3.el6.x86_64.rpm
error: Failed dependencies:
        libpython2.6.so.1.0()(64bit) is needed by python-2.6.5-3.el6.x86_64