Fix up RHEL kickstarts #10499

Merged
merged 10 commits into from
May 4, 2023

Commits on Apr 26, 2023

  1. remove @base from RHEL kickstarts

    The @base group is normally hidden (does not show up in
    'dnf group list') and generally meant to be used as a base
    for other, more visible, groups.
    
    While the @base group itself is not deprecated, it likely
    makes more sense to just rely on the default, which is
    "Minimal install", a.k.a. @core, and let the users opt into
    additional packages.
    
    Signed-off-by: Jiri Jaburek <comps@nomail.dom>
    comps committed Apr 26, 2023
    724e7ba
  2. install RHEL stig_gui kickstarts with 'Server with GUI' packages

    The '@^graphical-server-environment' is just an internal name for
    the human name, 'Server with GUI', which is consistent across RHEL
    releases.
    
    The need for '^' on RHEL-7 is due to it being an "environment group"
    as opposed to a regular "package group". RHEL-8+ Anaconda does not
    have this distinction.
    
    Signed-off-by: Jiri Jaburek <comps@nomail.dom>
    comps committed Apr 26, 2023
    075887b
  3. remove unnecessary --pesize from RHEL kickstarts

    This is an optional optimization, setting the Physical Extent
    size of the LVM Volume Group, a.k.a. the smallest atomic object.
    When set properly, this can lessen the impact of LV fragmentation,
    but the default of 4MB is already reasonable.
    
    The current --pesize=4096 doesn't even change this default,
    so literally nothing changes with this change.
    
    Signed-off-by: Jiri Jaburek <comps@nomail.dom>
    comps committed Apr 26, 2023
    603b220
  4. remove --location=mbr from RHEL kickstarts

    This is unnecessary - Anaconda automatically detects the type of
    bootloader. In fact, the documentation clearly says that:
    
        In most cases, this option does not need to be specified.
    
    Signed-off-by: Jiri Jaburek <comps@nomail.dom>
    comps committed Apr 26, 2023
    774e234
  5. remove default --append arguments from RHEL kickstarts

    'rhgb' and 'quiet' are already added by Anaconda by default,
    as its documentation mentions:
    
        The rhgb and quiet parameters are always used, even if
        you do not specify them here or do not use the --append=
        command at all.
    
    And the 'crashkernel=auto' is already the default for RHEL-7+,
    with specific sizes (Anaconda-generated) sometimes appearing
    instead of 'auto', likely on low-memory systems, see also:
    https://access.redhat.com/solutions/59432
    
    In either case, we likely shouldn't touch the default.
    
    In fact, specifying it actually reduces security somewhat, and
    some profiles already disable kdump anyway.
    
    Signed-off-by: Jiri Jaburek <comps@nomail.dom>
    comps committed Apr 26, 2023
    e523581
  6. use keyboard --vckeymap in RHEL kickstarts

    The Anaconda documentation, even RHEL-7, states that:
    
        Either the --vckeymap or the --xlayouts option must be used.
    
    The older syntax was likely supported due to ancient RHEL
    compatibility, but is no longer valid for recent Fedoras,
    and therefore probably RHEL-10+.
    
    Signed-off-by: Jiri Jaburek <comps@nomail.dom>
    comps committed Apr 26, 2023
    ba482c0

Commits on Apr 27, 2023

  1. fix broken bootloader passwords in RHEL kickstarts

    There are more layers of breakage.
    
    First, the missing --iscrypted made Anaconda treat the provided
    crypt-style string as plaintext, resulting in the password
    never actually working.
    
    Second, the referenced
    
        https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw
    
    is not even for the right kickstart command (!!!), referencing
    'rootpw' instead of 'bootloader'.
    
    When this crypt-style password is used (correctly with --iscrypted),
    the installer actually catches this issue:
    
        GRUB2 encrypted password must be in grub.pbkdf2 format.
    
    The RHEL-7+ Anaconda documentation mentions the correct procedure:
    
        To generate an encrypted password, use the grub2-mkpasswd-pbkdf2
        command, enter the password you want to use, and copy the command's
        output (the hash starting with grub.pbkdf2) into the Kickstart file.
    
    Curiously enough, this was correctly done for 'ssg-rhel8-cis-ks.cfg',
    but it is broken everywhere else.
    
    To make things consistent and avoid generating another salt, I have
    just copy/pasted the hashed password from 'ssg-rhel8-cis-ks.cfg'
    to others.
    
    Signed-off-by: Jiri Jaburek <comps@nomail.dom>
    comps committed Apr 27, 2023
    7652489
  2. remove wrong temporary password disablement in pci-dss RHEL kickstarts

    This comes from
    
        ComplianceAsCode#3660
    
    which mentions RHBZ#1651624 (from 2018) as the reason.
    
    That bugzilla was never valid - the original 'bootloader' line used
    incorrect password syntax, likely copy/pasted from a SCAP Content
    kickstart.
    
    All that was needed was to just use the correct syntax,
    so re-enable the grub2 password, using a hash identical to
    other kickstarts.
    
    Signed-off-by: Jiri Jaburek <comps@nomail.dom>
    comps committed Apr 27, 2023
    Configuration menu
    5b8aef6
  3. add required partitions to CIS server/workstation l1 RHEL kickstarts

    The new additions are based on the 'cis' (L2) profiles for each
    respective RHEL major individually.
    
    Signed-off-by: Jiri Jaburek <comps@nomail.dom>
    comps committed Apr 27, 2023
    715e8f7
  4. unify logvol naming in RHEL kickstarts

    Get rid of the vague LogVol123 names, use something meaningful.
    
    Signed-off-by: Jiri Jaburek <comps@nomail.dom>
    comps committed Apr 27, 2023
    ee32f2c
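
As an added example (not part of this pull request or the project's code), a Python check for the two failure modes described in the "fix broken bootloader passwords" and pci-dss commits above: a hash passed without --iscrypted, and --iscrypted used with a string that is not in grub.pbkdf2 format. The function names, the hash-detection heuristic and the sample lines are assumptions made for illustration.

```python
import shlex

# Constructed sample lines; the salts and hashes are placeholders.
SAMPLE = """\
bootloader --password=$6$SALTPLACEHOLDER$HASHPLACEHOLDER
bootloader --iscrypted --password=$6$SALTPLACEHOLDER$HASHPLACEHOLDER
bootloader --password=grub.pbkdf2.sha512.10000.SALTPLACEHOLDER.HASHPLACEHOLDER
bootloader --iscrypted --password=grub.pbkdf2.sha512.10000.SALTPLACEHOLDER.HASHPLACEHOLDER
"""


def looks_hashed(value):
    # Heuristic (assumption): crypt-style "$id$salt$hash" or a GRUB2 PBKDF2 string.
    return value.startswith("grub.pbkdf2.") or (
        value.startswith("$") and value.count("$") >= 3
    )


def check_bootloader_passwords(kickstart_text):
    """Return [(line_number, problem)] for 'bootloader' lines with a broken password."""
    findings = []
    for lineno, raw in enumerate(kickstart_text.splitlines(), start=1):
        line = raw.strip()
        if not line.startswith("bootloader"):
            continue  # comments and other kickstart commands
        try:
            tokens = shlex.split(line)
        except ValueError:
            findings.append((lineno, "unparseable"))
            continue
        if tokens[0] != "bootloader":
            continue
        password, iscrypted = None, "--iscrypted" in tokens[1:]
        for i, tok in enumerate(tokens):
            if tok.startswith("--password="):
                password = tok.split("=", 1)[1]
            elif tok == "--password" and i + 1 < len(tokens):
                password = tokens[i + 1]
        if password is None:
            continue
        if not iscrypted and looks_hashed(password):
            # Anaconda treats the hash string itself as the plaintext password.
            findings.append((lineno, "hash-without-iscrypted"))
        elif iscrypted and not password.startswith("grub.pbkdf2."):
            # The installer rejects this: it must be in grub.pbkdf2 format.
            findings.append((lineno, "iscrypted-not-pbkdf2"))
    return findings


if __name__ == "__main__":
    for lineno, problem in check_bootloader_passwords(SAMPLE):
        print(f"line {lineno}: {problem}")
```

Run over a tree of kickstart files, a check like this would catch the inconsistency the commit message notes, where one file used the grub.pbkdf2 form and the others did not.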