CentOS 7下anaconda-ks.cfg配置

用于自动化安装 CentOS 7 的 Kickstart 文件 (anaconda-ks.cfg),通常用于配置虚拟机(如 Vagrant 环境)或物理机的操作系统安装过程。它定义了安装选项、分区设置、软件包选择以及安装后的配置脚本。


anaconda-ks.cfg

#version=DEVEL
# Unattended CentOS 7 build for a Vagrant-style box: text-mode network install
# onto a single virtio disk (vda); the box customisation itself lives in %post.

# System authorization information
# NOTE(review): --enablemd5 selects MD5 for local password hashes; the usual
# CentOS 7 template uses --passalgo=sha512. Confirm the hash type actually
# written to /etc/shadow in the built image.
auth --enableshadow --enablemd5

# Install OS instead of upgrade
install

# Use text mode install
text

# Firewall configuration
# The host firewall stays off and nothing later in this file turns it back on,
# so any exposure control has to come from the hypervisor/host side.
firewall --disabled
firstboot --disable
# Restrict the installer to vda so zerombr/clearpart below cannot touch any
# other disk that happens to be attached.
ignoredisk --only-use=vda

# Keyboard layouts
# old format: keyboard us
# new format:
keyboard --vckeymap=us --xlayouts=''
# System language
lang en_US.UTF-8

# Network information
# eth0 naming is guaranteed by net.ifnames=0/biosdevname=0 on the bootloader
# line; %post writes an ifcfg-eth0 that relies on the same name.
network  --bootproto=dhcp --device=eth0 --activate
network  --hostname=localhost.localdomain

# Reboot after installation
reboot
# Extra repos consulted during installation (extras + updates) over plain HTTP
# to the public mirror. NOTE(review): installer-side package signature checking
# is what protects this path; verify it is in effect rather than trusting the
# transport.
repo --name="koji-override-0" --baseurl=http://mirror.centos.org/centos/7/extras/x86_64/
repo --name="koji-override-1" --baseurl=http://mirror.centos.org/centos/7/updates/x86_64/

# Use network installation
url --url="http://mirror.centos.org/centos/7/os/x86_64/"

# Root password
# Plaintext, well-known credential (the Vagrant convention). An image built
# from this file must stay reachable only from the local dev host; for anything
# shared, supply a generated hash with --iscrypted instead.
rootpw --plaintext vagrant

# SELinux configuration
selinux --enforcing

# System services
# vmtoolsd: VMware guest agent (open-vm-tools, see %packages); chronyd: time sync.
services --enabled="vmtoolsd,chronyd"

# Do not configure the X Window System
skipx

# System timezone
timezone UTC --isUtc
# Same plaintext, well-known password for the vagrant user — see the rootpw note.
user --name=vagrant --password=vagrant

# System bootloader configuration
# Serial console on ttyS0 for headless hypervisors, classic ethX naming, and
# crashkernel=auto to back the kdump addon at the end of this file.
bootloader --append="no_timer_check console=tty0 console=ttyS0,115200n8 net.ifnames=0 biosdevname=0 elevator=noop crashkernel=auto" --location=mbr --timeout=1 --boot-drive=vda

# Clear the Master Boot Record
zerombr

# Partition clearing information
clearpart --all --drives=vda

# Disk partitioning information
# One fixed-size XFS root (40959 MiB, ~40 GiB), no separate /boot or swap
# partition; swap is a file created in %post.
part / --asprimary --fstype="xfs" --ondisk=vda --size=40959

%post
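# %post runs inside the installed system once the packages are laid down and
# turns the stock install into a Vagrant base box. NOTE(review): %post has no
# `set -e`, so a failing step is logged by the installer rather than aborting
# the build — check the install log when a box comes out half-configured.

# configure swap to a file (fallocate doesn't work with c7 xfs)
dd if=/dev/zero of=/swapfile bs=1M count=2048
# A swap file holds memory pages, so it must not be readable by other users.
chmod 600 /swapfile
mkswap /swapfile
echo "/swapfile none swap defaults 0 0" >> /etc/fstab

# sudo: passwordless sudo for the vagrant group (0440 is the mode sudo expects
# for sudoers.d drop-ins). Together with the published key added below this
# hands root to whoever holds the matching private key, which is public — fine
# for a local dev box only; Vagrant normally replaces the key on first boot
# (confirm that for your workflow).
echo "%vagrant ALL=(ALL) NOPASSWD: ALL" > /etc/sudoers.d/vagrant
chmod 0440 /etc/sudoers.d/vagrant

# Fix for https://github.com/CentOS/sig-cloud-instance-build/issues/38
# (PERSISTENT_DHCLIENT=yes is the setting the linked issue asks for.)
cat > /etc/sysconfig/network-scripts/ifcfg-eth0 << EOF
DEVICE="eth0"
BOOTPROTO="dhcp"
ONBOOT="yes"
TYPE="Ethernet"
PERSISTENT_DHCLIENT="yes"
EOF

# sshd: disable password authentication and DNS checks
# The substitutes only match an uncommented "PasswordAuthentication yes" and a
# commented "#UseDNS yes"; any other wording leaves sshd_config untouched and
# password logins stay enabled. NOTE(review): verify the file in the built image.
ex -s /etc/ssh/sshd_config <<EOF
:%substitute/^\(PasswordAuthentication\) yes$/\1 no/
:%substitute/^#\(UseDNS\) yes$/&\r\1 no/
:update
:quit
EOF
# -u0 makes sshd store only numeric addresses in utmp, which also lets it skip
# the reverse DNS lookup (man sshd; see also the reference in the heredoc).
cat >>/etc/sysconfig/sshd <<EOF

# Decrease connection time by preventing reverse DNS lookups
# (see https://lists.centos.org/pipermail/centos-devel/2016-July/014981.html
#  and man sshd for more information)
OPTIONS="-u0"
EOF

# Default insecure vagrant key
# This is Vagrant's published key pair. ~/.ssh must be 0700/0600 and owned by
# the user, otherwise sshd's StrictModes ignores authorized_keys.
mkdir -m 0700 -p /home/vagrant/.ssh
echo "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA6NF8iallvQVp22WDkTkyrtvp9eWW6A8YVr+kz4TjGYe7gHzIw+niNltGEFHzD8+v1I2YJ6oXevct1YeS0o9HZyN1Q9qgCgzUFtdOKLv6IedplqoPkcmF0aYet2PkEDo3MlTBckFXPITAMzF8dJSIFo9D8HfdOV0IAdx4O7PtixWKn5y2hMNG0zQPyUecp4pzC6kivAIhyfHilFR61RGL+GPXQ2MWZWFYbAGjyiYJnAmCP3NOTd0jMZEnDkbUvxhMmBYSdETk1rRgm+R4LOzFUGaHqHDLKLX+FIPKcF96hrucXzcWyLbIbEgE98OHlnVYCzRdK8jlqm8tehUc9c9WhQ== vagrant insecure public key" >> /home/vagrant/.ssh/authorized_keys
chmod 600 /home/vagrant/.ssh/authorized_keys
chown -R vagrant:vagrant /home/vagrant/.ssh

# Fix for issue #76, regular users can gain admin privileges via su
# ex searches for the stock "account sufficient pam_succeed_if.so uid = 0 ..."
# line and appends two rules after it: vagrant may use su ([success=1] skips
# the next rule), everyone else is refused su to root or vagrant. The "\\"
# presumably joins the first rule across two lines — confirm the resulting
# file. NOTE(review): if the anchor line is absent the search fails and
# nothing is appended; inspect /etc/pam.d/su in the image.
ex -s /etc/pam.d/su <<'EOF'
# allow vagrant to use su, but prevent others from becoming root or vagrant
/^account\s\+sufficient\s\+pam_succeed_if.so uid = 0 use_uid quiet$/
:append
account		[success=1 default=ignore] \\
                pam_succeed_if.so user = vagrant use_uid quiet
account		required	pam_succeed_if.so user notin root:vagrant
.
:update
:quit
EOF

# systemd should generate a new machine id during the first boot, to
# avoid having multiple Vagrant instances with the same id in the local
# network. /etc/machine-id should be empty, but it must exist to prevent
# boot errors (e.g.  systemd-journald failing to start).
:>/etc/machine-id

# yum's $infra variable; the stock CentOS-Base.repo mirrorlist URLs carry
# infra=$infra, so this tags the box's mirror requests as "vag".
echo 'vag' > /etc/yum/vars/infra

# Blacklist the floppy module to avoid probing timeouts
echo blacklist floppy > /etc/modprobe.d/nofloppy.conf
# Give the new file the label the other modprobe.d configs carry.
chcon -u system_u -r object_r -t modules_conf_t /etc/modprobe.d/nofloppy.conf

# Customize the initramfs
pushd /etc/dracut.conf.d
# Enable VMware PVSCSI support for VMware Fusion guests.
echo 'add_drivers+=" vmw_pvscsi "' > vmware-fusion-drivers.conf
# Hyper-V synthetic NIC/storage/VMBus drivers so the same box boots there too.
echo 'add_drivers+=" hv_netvsc hv_storvsc hv_utils hv_vmbus hid-hyperv "' > hyperv-drivers.conf
# There's no floppy controller, but probing for it generates timeouts
echo 'omit_drivers+=" floppy "' > nofloppy.conf
popd
# Fix the SELinux context of the new files
restorecon -f - <<EOF
/etc/sudoers.d/vagrant
/etc/dracut.conf.d/vmware-fusion-drivers.conf
/etc/dracut.conf.d/hyperv-drivers.conf
/etc/dracut.conf.d/nofloppy.conf
EOF

# Rerun dracut for the installed kernel (not the running kernel):
# NOTE(review): rpm -q prints one line per installed kernel package; a fresh
# install has exactly one, so the expansion below is a single version string.
# Quoted so a surprise (several kernels, odd characters) does not word-split
# into extra dracut arguments.
KERNEL_VERSION=$(rpm -q kernel --qf '%{version}-%{release}.%{arch}\n')
dracut -f "/boot/initramfs-${KERNEL_VERSION}.img" "${KERNEL_VERSION}"

# Seal for deployment: drop everything that identifies this particular
# install so each clone regenerates its own on first boot.
rm -rf /etc/ssh/ssh_host_*   # recreated by sshd-keygen on the first sshd start
hostnamectl set-hostname localhost.localdomain
rm -rf /etc/udev/rules.d/70-*   # e.g. persistent-net rules tied to the template's MAC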
%end

%packages --instLangs=en
# Minimal package set on top of the implicit @core; --instLangs=en drops the
# other locale data. Guest tools for both targeted hypervisors are included
# (open-vm-tools: VMware, hyperv-daemons: Hyper-V).
bash-completion
bzip2
chrony
cifs-utils
deltarpm
hyperv-daemons
# NOTE(review): kexec-tools is requested here and excluded again below
# (-kexec-tools). The kdump addon at the end of this file needs it, so check
# which of the two entries anaconda honours in the built image.
kexec-tools
man-pages
nfs-utils
open-vm-tools
rsync
yum-utils
# Excluded: wireless/hardware firmware, the rescue initramfs, microcode and the
# boot splash are dead weight in a virtual machine.
-aic94xx-firmware
-alsa-firmware
-alsa-tools-firmware
-dracut-config-rescue
-ivtv-firmware
-iwl100-firmware
-iwl1000-firmware
-iwl105-firmware
-iwl135-firmware
-iwl2000-firmware
-iwl2030-firmware
-iwl3160-firmware
-iwl3945-firmware
-iwl4965-firmware
-iwl5000-firmware
-iwl5150-firmware
-iwl6000-firmware
-iwl6000g2a-firmware
-iwl6000g2b-firmware
-iwl6050-firmware
-iwl7260-firmware
-iwl7265-firmware
-kexec-tools
-linux-firmware
-microcode_ctl
-plymouth

%end

# Kernel crash dumps: --reserve-mb='auto' pairs with crashkernel=auto on the
# bootloader line above; the dump path also depends on kexec-tools being
# present (see the %packages note).
%addon com_redhat_kdump --enable --reserve-mb='auto'

%end

anaconda-ks.cfg解读

1. 基本配置

  • #version=DEVEL: 表示 Kickstart 文件的版本为开发版,通常用于测试或非正式环境。
  • auth --enableshadow --enablemd5: 配置系统认证,启用 /etc/shadow 文件存储密码并使用 MD5 哈希算法(CentOS 7 默认已使用更安全的算法,这里可能是遗留配置)。
  • install: 指定全新安装操作系统,而不是升级现有系统。
  • text: 使用文本模式安装,而非图形界面。
  • firewall --disabled: 禁用防火墙。
  • firstboot --disable: 禁用首次启动时的配置向导。
  • ignoredisk --only-use=vda: 只使用指定的磁盘 vda,常见于虚拟化环境(如 KVM 或 VirtualBox)。
  • keyboard --vckeymap=us --xlayouts='': 设置键盘布局为美国标准键盘。
  • lang en_US.UTF-8: 系统语言设置为美式英语(UTF-8 编码)。

2. 网络配置

  • network --bootproto=dhcp --device=eth0 --activate: 配置网络接口 eth0,使用 DHCP 自动获取 IP,并在安装时激活。
  • network --hostname=localhost.localdomain: 设置主机名为 localhost.localdomain。

3. 安装源与方式

  • reboot: 安装完成后自动重启。
  • repo: 定义了两个额外的软件仓库:
    • "koji-override-0": 来自 CentOS 7 的 extras 仓库。
    • "koji-override-1": 来自 CentOS 7 的 updates 仓库。
  • url --url="http://mirror.centos.org/centos/7/os/x86_64/": 指定网络安装源为 CentOS 7 的基本操作系统镜像。

4. 系统安全与用户

  • rootpw --plaintext vagrant: 设置 root 用户密码为明文 vagrant(不安全,仅用于测试环境)。
  • selinux --enforcing: 启用 SELinux 并设置为强制模式。
  • user --name=vagrant --password=vagrant: 创建用户 vagrant,密码为 vagrant。

5. 系统服务与界面

  • services --enabled="vmtoolsd,chronyd": 启用 VMware Tools 服务(vmtoolsd)和时间同步服务(chronyd)。
  • skipx: 不配置 X Window System(即无图形界面)。

6. 时区与引导

  • timezone UTC --isUtc: 设置时区为 UTC。
  • bootloader: 配置引导加载程序:
    • --append="...": 添加内核参数,禁用定时检查,设置控制台输出等,优化虚拟化环境(如串口 ttyS0)。
    • --location=mbr: 将引导加载程序安装到主引导记录(MBR)。
    • --timeout=1: 引导等待时间为 1 秒。
    • --boot-drive=vda: 指定引导磁盘为 vda。

7. 磁盘分区

  • zerombr: 清除磁盘的主引导记录。
  • clearpart --all --drives=vda: 清除磁盘 vda 上的所有分区。
  • part / --asprimary --fstype="xfs" --ondisk=vda --size=40959: 创建主分区 /,文件系统为 XFS,大小为 40959 MB(约 40 GB)。

8. 安装后脚本 (%post)

%post 部分在系统安装完成后运行,用于进一步定制系统。

交换空间

  • 创建 2 GB 的交换文件(/swapfile);由于 CentOS 7 的 XFS 上用 fallocate 创建的交换文件不可用,这里改用 dd 创建。
  • 设置权限并添加到 /etc/fstab 以启用交换。

Sudo 配置

  • vagrant 用户配置无需密码的 sudo 权限。

网络修复

  • 配置 eth0 网络接口,启用 DHCP 并确保开机启动。

SSH 配置

  • 禁用密码认证,仅允许密钥登录。
  • 禁用 DNS 反向解析以加速 SSH 连接。
  • 添加 Vagrant 默认的不安全公钥,便于开发测试。

PAM 配置

  • 修改 /etc/pam.d/su,限制普通用户通过 su 提升权限:仅允许 vagrant 用户使用 su,其他用户不能通过 su 切换为 root 或 vagrant。

系统优化

  • 清空 /etc/machine-id,确保首次启动时生成唯一机器 ID。
  • 删除 SSH 主机密钥(/etc/ssh/ssh_host_*),首次启动时重新生成。
  • 清理 udev 规则(/etc/udev/rules.d/70-*)。
  • 设置 YUM 变量 infra=vag(可能是自定义基础设施标记)。

硬件支持

  • 禁用软盘模块(floppy)以避免探测超时。
  • 添加 VMware 和 Hyper-V 的驱动支持到 dracut 配置。
  • 重新生成 initramfs 以应用驱动更新。

SELinux 修复

  • 使用 restorecon 修复新文件的 SELinux 上下文。

9. 软件包选择 (%packages)

  • 安装基本工具和服务(如 bash-completion, chrony, open-vm-tools)。
  • 移除不必要的固件和驱动(如 Wi-Fi 固件、linux-firmware 等),优化虚拟化环境。

软件包列表中,以 - 开头的条目(-xxx)表示排除该软件包,不带前缀的条目(xxx)表示安装该软件包。


10. Kdump 配置 (%addon)

  • 启用内核崩溃转储(kdump),内存预留为自动。

总结

这个 Kickstart 文件旨在创建一个最小化的 CentOS 7 系统,专为 Vagrant 或虚拟化环境(如 VMware、Hyper-V)优化。它:

  • 使用网络安装方式。
  • 配置了基本的网络、SSH(带 Vagrant 默认密钥)、分区和用户。
  • 通过 %post 脚本进行了细致的定制,包括交换空间、权限、网络优化和驱动支持。
  • 禁用了图形界面和不必要的硬件支持,适合轻量级虚拟机。

centos7 original-ks.cfg

#version=RHEL7
# Earlier revision of the same Vagrant-style CentOS 7 build: text-mode network
# install onto vda, with the box customisation in %post. Compared with the
# DEVEL file above it lets the root partition grow, enables only vmtoolsd, and
# has no kdump/crashkernel setup.
# Install OS instead of upgrade
install
# Keyboard layouts
keyboard 'us'
# Reboot after installation
reboot
# Root password
# Plaintext, well-known credential (the Vagrant convention); only acceptable
# for an image that never leaves the local dev host. For anything shared, use
# --iscrypted with a generated hash.
rootpw --plaintext vagrant
# Use network installation
url --url="http://mirror.centos.org/centos/7/os/x86_64/"
# System language
lang en_US.UTF-8
# Same plaintext, well-known password for the vagrant user — see the rootpw note.
user --name=vagrant --password=vagrant
# Firewall configuration
# Host firewall off; nothing later re-enables it, so exposure control is the
# hypervisor/host's job.
firewall --disabled
# Extra repos (extras + updates) over plain HTTP to the public mirror.
# NOTE(review): installer-side package signature checking is what protects
# this path; verify it is in effect rather than trusting the transport.
repo --name="koji-override-0" --baseurl=http://mirror.centos.org/centos/7/extras/x86_64/
repo --name="koji-override-1" --baseurl=http://mirror.centos.org/centos/7/updates/x86_64/
# System authorization information
# NOTE(review): --enablemd5 selects MD5 for local password hashes; the usual
# CentOS 7 template uses --passalgo=sha512. Confirm the hash type in the
# built image's /etc/shadow.
auth --enableshadow --enablemd5
# Use text mode install
text
# SELinux configuration
selinux --enforcing
# Do not configure the X Window System
skipx

# System services
# vmtoolsd: VMware guest agent (open-vm-tools, see %packages).
services --enabled="vmtoolsd"
# Network information
# No --activate here, unlike the DEVEL file; eth0 naming comes from
# net.ifnames=0/biosdevname=0 on the bootloader line.
network  --bootproto=dhcp --device=eth0
# System timezone
timezone UTC --isUtc
# System bootloader configuration
# Serial console on ttyS0 for headless hypervisors and classic ethX naming.
bootloader --append="no_timer_check console=tty0 console=ttyS0,115200n8 net.ifnames=0 biosdevname=0 elevator=noop" --location=mbr --timeout=1
# Clear the Master Boot Record
zerombr
# Partition clearing information
clearpart --all --drives=vda
# Disk partitioning information
# One XFS root that starts at 1024 MiB and grows to fill vda; no separate
# /boot or swap partition (swap is a file created in %post).
part / --asprimary --fstype="xfs" --grow --ondisk=vda --size=1024

%post
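# %post runs inside the installed system once the packages are laid down and
# turns the stock install into a Vagrant base box. NOTE(review): %post has no
# `set -e`, so a failing step is logged by the installer rather than aborting
# the build — check the install log when a box comes out half-configured.

# configure swap to a file (fallocate doesn't work with c7 xfs)
dd if=/dev/zero of=/swapfile bs=1M count=2048
# A swap file holds memory pages, so it must not be readable by other users.
chmod 600 /swapfile
mkswap /swapfile
echo "/swapfile none swap defaults 0 0" >> /etc/fstab

# sudo: passwordless sudo for the vagrant group (0440 is the mode sudo expects
# for sudoers.d drop-ins). Together with the published key added below this
# hands root to whoever holds the matching private key, which is public — fine
# for a local dev box only; Vagrant normally replaces the key on first boot
# (confirm that for your workflow).
echo "%vagrant ALL=(ALL) NOPASSWD: ALL" > /etc/sudoers.d/vagrant
chmod 0440 /etc/sudoers.d/vagrant

# Fix for https://github.com/CentOS/sig-cloud-instance-build/issues/38
# (PERSISTENT_DHCLIENT=yes is the setting the linked issue asks for.)
cat > /etc/sysconfig/network-scripts/ifcfg-eth0 << EOF
DEVICE="eth0"
BOOTPROTO="dhcp"
ONBOOT="yes"
TYPE="Ethernet"
PERSISTENT_DHCLIENT="yes"
EOF

# sshd: disable password authentication and DNS checks
# The substitutes only match an uncommented "PasswordAuthentication yes" and a
# commented "#UseDNS yes"; any other wording leaves sshd_config untouched and
# password logins stay enabled. NOTE(review): verify the file in the built image.
ex -s /etc/ssh/sshd_config <<EOF
:%substitute/^\(PasswordAuthentication\) yes$/\1 no/
:%substitute/^#\(UseDNS\) yes$/&\r\1 no/
:update
:quit
EOF
# -u0 makes sshd store only numeric addresses in utmp, which also lets it skip
# the reverse DNS lookup (man sshd; see also the reference in the heredoc).
cat >>/etc/sysconfig/sshd <<EOF

# Decrease connection time by preventing reverse DNS lookups
# (see https://lists.centos.org/pipermail/centos-devel/2016-July/014981.html
#  and man sshd for more information)
OPTIONS="-u0"
EOF

# Default insecure vagrant key
# This is Vagrant's published key pair. ~/.ssh must be 0700/0600 and owned by
# the user, otherwise sshd's StrictModes ignores authorized_keys.
mkdir -m 0700 -p /home/vagrant/.ssh
echo "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA6NF8iallvQVp22WDkTkyrtvp9eWW6A8YVr+kz4TjGYe7gHzIw+niNltGEFHzD8+v1I2YJ6oXevct1YeS0o9HZyN1Q9qgCgzUFtdOKLv6IedplqoPkcmF0aYet2PkEDo3MlTBckFXPITAMzF8dJSIFo9D8HfdOV0IAdx4O7PtixWKn5y2hMNG0zQPyUecp4pzC6kivAIhyfHilFR61RGL+GPXQ2MWZWFYbAGjyiYJnAmCP3NOTd0jMZEnDkbUvxhMmBYSdETk1rRgm+R4LOzFUGaHqHDLKLX+FIPKcF96hrucXzcWyLbIbEgE98OHlnVYCzRdK8jlqm8tehUc9c9WhQ== vagrant insecure public key" >> /home/vagrant/.ssh/authorized_keys
chmod 600 /home/vagrant/.ssh/authorized_keys
chown -R vagrant:vagrant /home/vagrant/.ssh

# Fix for issue #76, regular users can gain admin privileges via su
# ex searches for the stock "account sufficient pam_succeed_if.so uid = 0 ..."
# line and appends two rules after it: vagrant may use su ([success=1] skips
# the next rule), everyone else is refused su to root or vagrant. The "\\"
# presumably joins the first rule across two lines — confirm the resulting
# file. NOTE(review): if the anchor line is absent the search fails and
# nothing is appended; inspect /etc/pam.d/su in the image.
ex -s /etc/pam.d/su <<'EOF'
# allow vagrant to use su, but prevent others from becoming root or vagrant
/^account\s\+sufficient\s\+pam_succeed_if.so uid = 0 use_uid quiet$/
:append
account		[success=1 default=ignore] \\
                pam_succeed_if.so user = vagrant use_uid quiet
account		required	pam_succeed_if.so user notin root:vagrant
.
:update
:quit
EOF

# systemd should generate a new machine id during the first boot, to
# avoid having multiple Vagrant instances with the same id in the local
# network. /etc/machine-id should be empty, but it must exist to prevent
# boot errors (e.g.  systemd-journald failing to start).
:>/etc/machine-id

# yum's $infra variable; the stock CentOS-Base.repo mirrorlist URLs carry
# infra=$infra, so this tags the box's mirror requests as "vag".
echo 'vag' > /etc/yum/vars/infra

# Blacklist the floppy module to avoid probing timeouts
echo blacklist floppy > /etc/modprobe.d/nofloppy.conf
# Give the new file the label the other modprobe.d configs carry.
chcon -u system_u -r object_r -t modules_conf_t /etc/modprobe.d/nofloppy.conf

# Customize the initramfs
pushd /etc/dracut.conf.d
# Enable VMware PVSCSI support for VMware Fusion guests.
echo 'add_drivers+=" vmw_pvscsi "' > vmware-fusion-drivers.conf
# Hyper-V synthetic NIC/storage/VMBus drivers so the same box boots there too.
echo 'add_drivers+=" hv_netvsc hv_storvsc hv_utils hv_vmbus hid-hyperv "' > hyperv-drivers.conf
# There's no floppy controller, but probing for it generates timeouts
echo 'omit_drivers+=" floppy "' > nofloppy.conf
popd
# Fix the SELinux context of the new files
restorecon -f - <<EOF
/etc/sudoers.d/vagrant
/etc/dracut.conf.d/vmware-fusion-drivers.conf
/etc/dracut.conf.d/hyperv-drivers.conf
/etc/dracut.conf.d/nofloppy.conf
EOF

# Rerun dracut for the installed kernel (not the running kernel):
# NOTE(review): rpm -q prints one line per installed kernel package; a fresh
# install has exactly one, so the expansion below is a single version string.
# Quoted so a surprise (several kernels, odd characters) does not word-split
# into extra dracut arguments.
KERNEL_VERSION=$(rpm -q kernel --qf '%{version}-%{release}.%{arch}\n')
dracut -f "/boot/initramfs-${KERNEL_VERSION}.img" "${KERNEL_VERSION}"

# Seal for deployment: drop everything that identifies this particular
# install so each clone regenerates its own on first boot.
rm -rf /etc/ssh/ssh_host_*   # recreated by sshd-keygen on the first sshd start
hostnamectl set-hostname localhost.localdomain
rm -rf /etc/udev/rules.d/70-*   # e.g. persistent-net rules tied to the template's MAC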
%end

%packages --instLangs=en
# Minimal package set on top of the implicit @core; --instLangs=en drops the
# other locale data. Guest tools for both targeted hypervisors are included
# (open-vm-tools: VMware, hyperv-daemons: Hyper-V). Unlike the DEVEL file,
# kexec-tools is only excluded here and there is no kdump addon.
bash-completion
bzip2
chrony
cifs-utils
deltarpm
hyperv-daemons
man-pages
nfs-utils
open-vm-tools
rsync
yum-utils
# Excluded: wireless/hardware firmware, the rescue initramfs, microcode and the
# boot splash are dead weight in a virtual machine.
-aic94xx-firmware
-alsa-firmware
-alsa-tools-firmware
-dracut-config-rescue
-ivtv-firmware
-iwl100-firmware
-iwl1000-firmware
-iwl105-firmware
-iwl135-firmware
-iwl2000-firmware
-iwl2030-firmware
-iwl3160-firmware
-iwl3945-firmware
-iwl4965-firmware
-iwl5000-firmware
-iwl5150-firmware
-iwl6000-firmware
-iwl6000g2a-firmware
-iwl6000g2b-firmware
-iwl6050-firmware
-iwl7260-firmware
-iwl7265-firmware
-kexec-tools
-linux-firmware
-microcode_ctl
-plymouth

%end