Fix up RHEL kickstarts #10499
Commits on Apr 26, 2023
remove @base from RHEL kickstarts
The @base group is normally hidden (does not show up in 'dnf group list') and generally meant to be used as a base for other, more visible, groups.

While the @base group itself is not deprecated, it likely makes more sense to just rely on the default, which is "Minimal install", a.k.a. @core, and let the users opt-into additional packages.

Signed-off-by: Jiri Jaburek <comps@nomail.dom>
Commit 724e7ba

install RHEL stig_gui kickstarts with 'Server with GUI' packages
The '@^graphical-server-environment' is just an internal name for the human name, 'Server with GUI', which is consistent across RHEL releases.

The need for '^' on RHEL-7 is due to it being an "environment group" as opposed to a regular "package group". RHEL-8+ Anaconda does not have this distinction.

Signed-off-by: Jiri Jaburek <comps@nomail.dom>
Commit 075887b

remove unnecessary --pesize from RHEL kickstarts
This is an optional optimization, setting the Physical Extent size of the LVM Volume Group, a.k.a. the smallest atomic object. When set properly, this can lessen the impact of LV fragmentation, but the default of 4MB is already reasonable.

The current --pesize=4096 doesn't even change this default, so literally nothing changes with this change.

Signed-off-by: Jiri Jaburek <comps@nomail.dom>
Commit 603b220

remove --location=mbr from RHEL kickstarts
This is unnecessary - Anaconda automatically detects the type of bootloader. In fact, the documentation clearly says that:

    In most cases, this option does not need to be specified.

Signed-off-by: Jiri Jaburek <comps@nomail.dom>
Commit 774e234

remove default --append arguments from RHEL kickstarts
'rhgb' and 'quiet' are already added by Anaconda by default, as its documentation mentions:

    The rhgb and quiet parameters are always used, even if you do not specify them here or do not use the --append= command at all.

And the 'crashkernel=auto' is already the default for RHEL-7+, with specific sizes (Anaconda-generated) sometimes appearing instead of 'auto', likely on low-memory systems, see also: https://access.redhat.com/solutions/59432

In either case, we likely shouldn't touch the default. In fact, specifying it actually reduces security somewhat, and some profiles already disable kdump anyway.

Signed-off-by: Jiri Jaburek <comps@nomail.dom>
Commit e523581

use keyboard --vckeymap in RHEL kickstarts
The Anaconda documentation, even RHEL-7, states that:

    Either the --vckeymap or the --xlayouts option must be used.

The older syntax was likely supported due to ancient RHEL compatibility, but is no longer valid for recent Fedoras, and therefore probably RHEL-10+.

Signed-off-by: Jiri Jaburek <comps@nomail.dom>
Commit ba482c0

Commits on Apr 27, 2023
fix broken bootloader passwords in RHEL kickstarts
There's more layers of breakage.

First, the missing --iscrypted made Anaconda treat the provided crypt-style string as plaintext, resulting in the password never actually working.

Second, the referenced https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw is not even for the right kickstart command (!!!), referencing 'rootpw' instead of 'bootloader'.

When this crypt-style password is used (correctly with --iscrypted), the installer actually catches this issue:

    GRUB2 encrypted password must be in grub.pbkdf2 format.

The RHEL-7+ Anaconda documentation mentions the correct procedure:

    To generate an encrypted password, use the grub2-mkpasswd-pbkdf2 command, enter the password you want to use, and copy the command's output (the hash starting with grub.pbkdf2) into the Kickstart file.

Curiously enough, this was correctly done for 'ssg-rhel8-cis-ks.cfg', but it is broken everywhere else.

To make things consistent and avoid generating another salt, I have just copy/pasted the hashed password from 'ssg-rhel8-cis-ks.cfg' to others.

Signed-off-by: Jiri Jaburek <comps@nomail.dom>
Commit 7652489

remove wrong temporary password disablement in pci-dss RHEL kickstarts
This comes from ComplianceAsCode#3660 which mentions RHBZ#1651624 (from 2018) as the reason.

That bugzilla was never valid - the original 'bootloader' line used incorrect password syntax, likely copy/pasted from a SCAP Content kickstart.

All that was needed was to just use the correct syntax, so re-enable the grub2 password, using a hash identical to other kickstarts.

Signed-off-by: Jiri Jaburek <comps@nomail.dom>
Commit 5b8aef6

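The two bootloader-password commits above describe two distinct failure modes: a hash passed without --iscrypted, and an --iscrypted value that is not in grub.pbkdf2 format. The following check is an added example, not code from this pull request or the project; the function names and the sample kickstart lines (with placeholder hashes) are constructed for illustration.

```python
import shlex

PBKDF2_PREFIX = "grub.pbkdf2."

def check_bootloader_line(line):
    """Return a list of problems with the password options of one kickstart line."""
    stripped = line.strip()
    if not stripped.startswith("bootloader"):
        return []  # skip comments, other commands and %post script lines
    tokens = shlex.split(stripped, comments=True)
    if not tokens or tokens[0] != "bootloader":
        return []
    password, iscrypted = None, False
    args = iter(tokens[1:])
    for tok in args:
        if tok == "--iscrypted":
            iscrypted = True
        elif tok.startswith("--password="):
            password = tok.split("=", 1)[1]
        elif tok == "--password":
            password = next(args, "")
    if password is None:
        return []  # no GRUB2 password requested on this line
    if not iscrypted:
        # Without --iscrypted the value, even a hash, is used as the plaintext password.
        return ["missing --iscrypted: value is treated as plaintext"]
    if not password.startswith(PBKDF2_PREFIX):
        # The installer rejects crypt-style ($6$...) hashes for the bootloader.
        return ["--iscrypted value is not in grub.pbkdf2 format"]
    return []

def scan_kickstart(text):
    """Return (line number, problem) pairs for every bootloader line in a kickstart."""
    return [(n, problem)
            for n, line in enumerate(text.splitlines(), 1)
            for problem in check_bootloader_line(line)]

# Constructed sample; the hashes are placeholders, not real password hashes.
SAMPLE = """\
# constructed sample kickstart fragment
bootloader --password=$6$PLACEHOLDERSALT$PLACEHOLDERHASH
bootloader --iscrypted --password=$6$PLACEHOLDERSALT$PLACEHOLDERHASH
bootloader --iscrypted --password=grub.pbkdf2.sha512.10000.PLACEHOLDERSALT.PLACEHOLDERHASH
"""

if __name__ == "__main__":
    for lineno, problem in scan_kickstart(SAMPLE):
        print(f"line {lineno}: {problem}")
```
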
add required partitions to CIS server/workstation l1 RHEL kickstarts
The new additions are based on the 'cis' (L2) profiles for each respective RHEL major individually.

Signed-off-by: Jiri Jaburek <comps@nomail.dom>
Commit 715e8f7

unify logvol naming in RHEL kickstarts
Get rid of the vague LogVol123 names, use something meaningful.

Signed-off-by: Jiri Jaburek <comps@nomail.dom>
Commit ee32f2c