AlmaLinux 8.3 64bit kickstart

[更新: 2021年05月13日]

さくらのクラウド用パブリックアーカイブで使用している、AlmaLinux 8.3 用の kickstart ファイルです。その他の変更点は リリースノート をご覧ください。

# Kickstart for AlmaLinux 8.3 x86_64 (Sakura Cloud public archive)
#
# Review notes on the security-relevant settings in this section:
#  - rootpw is a plaintext placeholder (no --iscrypted). The %post section
#    later rewrites root's password field with `usermod -p ''`, so this value
#    does not survive the build, but it is still visible in every copy of
#    this file.
#  - selinux is disabled and auditd is listed under --disabled, so the image
#    boots with neither MAC confinement nor a kernel audit trail unless the
#    operator enables them afterwards.
#  - the install-time repos use plain http (no TLS). Whether the installer
#    verifies package signatures for these repos is not shown here — confirm
#    before relying on them for integrity; the mirror is also reached over
#    https in %post, so https may be available for these URLs as well.
#  - no bootloader --password.

bootloader
# firewalld on at install time; the services line below also enables it at boot.
firewall --enabled

cdrom
keyboard jp106
lang C

# Uses pre-existing partitions on vda (no clearpart / autopart here).
part biosboot --fstype=biosboot --onpart=vda1
part swap   --onpart=vda2
part /      --fstype=ext4 --onpart=vda3

# Placeholder only — see the note at the top and `usermod -p '' root` in %post.
rootpw password
selinux --disabled
text
timezone --utc Asia/Tokyo
eula --agreed
# Shut down when the install finishes so the disk can be captured as an archive.
poweroff

# Install-time repositories (plain http; see notes above).
repo --name=base --baseurl=http://ftp.sakura.ad.jp/almalinux/8/BaseOS/x86_64/os/ --cost=100
repo --name=appstream --baseurl=http://ftp.sakura.ad.jp/almalinux/8/AppStream/x86_64/os/ --cost=1000
repo --name=epel --baseurl=http://ftp.jaist.ac.jp/pub/Linux/Fedora/epel/8/Everything/x86_64/
# Boot-time services: fail2ban + firewalld + chronyd on; auditd (audit trail)
# and a set of desktop/hardware daemons off.
services --enabled=fail2ban,firewalld,chronyd --disabled=auditd,kdump,messagebus,wpa_supplicant,abrt-ccpp,abrt-oops,abrt-vmcore,abrt-xorg,abrtd,avahi-daemon,lvm2-lvmetad.socket,lvm2-monitor,smartd,ntpdate

%packages
@^minimal-environment
@Development Tools
@Standard
cloud-utils-growpart
# epel-release is also installed again with dnf in %post; harmless duplicate.
epel-release
fail2ban
gdisk
langpacks-ja
traceroute
# Excluded: cockpit (web console) is not installed; microcode_ctl is dropped —
# presumably because the hypervisor, not the guest, handles CPU microcode.
-cockpit
-microcode_ctl

%end

%post

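# %post body: runs chrooted into the freshly installed system. Anaconda runs
# it with /bin/sh (keep this POSIX) and, without --erroronfail on the %post
# line, a failing command here does NOT abort the install — inspect the
# ks-script logs after a build rather than assuming every step succeeded.

# network: classic sysconfig files; eth0 via DHCP. The name "eth0" is pinned by
# the net.ifnames=0 biosdevname=0 kernel args set in the grub step below.
cat << 'EOF' > /etc/sysconfig/network
NETWORKING=yes
#NETWORKING_IPV6=yes
HOSTNAME=localhost.localdomain
EOF

cat << 'EOF' > /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=eth0
BOOTPROTO="dhcp"
ONBOOT="yes"
EOF

# Static resolvers. NOTE(review): with BOOTPROTO=dhcp and no PEERDNS=no in
# ifcfg-eth0, the network manager on the installed system will presumably
# rewrite this file from the DHCP lease on first boot — confirm if these
# addresses must persist.
cat << 'EOF' > /etc/resolv.conf
nameserver 133.242.0.3
nameserver 133.242.0.4
EOF

# Do not accept IPv6 router advertisements on any interface (default/all/eth0).
cat >> /etc/sysctl.conf <<-EOF

# Do not accept RA
net.ipv6.conf.default.accept_ra=0
net.ipv6.conf.all.accept_ra=0
net.ipv6.conf.eth0.accept_ra=0
EOF

# Repositories: EPEL, then point almalinux.repo at the Sakura mirror instead of
# the upstream mirrorlist (the gpgcheck/gpgkey lines of that file are not
# touched). -pi.orig leaves almalinux.repo.orig behind; dnf only reads *.repo.
dnf -y install epel-release
# 1) comment out "mirrorlist=", uncomment a "#baseurl=" written without a space
perl -pi.orig -e 's/^(mirrorlist=)/#$1/; s/^#(baseurl=)/$1/' /etc/yum.repos.d/almalinux.repo
# 2) turn "# baseurl=https://repo.almalinux.org" into the mirror prefix; the
#    remainder of the URL (/almalinux/$releasever/...) is kept as-is. The dots
#    in the hostname are escaped so only that literal host matches.
perl -pi -e 's/^(# baseurl=https:\/\/repo\.almalinux\.org)/baseurl=https:\/\/ftp.sakura.ad.jp\/pub\/linux/' /etc/yum.repos.d/almalinux.repo


# chrony: strictly client-only (port 0), chronyc commands only from localhost
# (bindcmdaddress + cmddeny all), single Sakura NTP server.
# NOTE(review): commandkey/generatecommandkey belong to the old key-based
# chronyc authentication; newer chrony releases ignore them. Harmless, but
# confirm against the chrony version actually shipped.
cat <<'EOF' >/etc/chrony.conf
# Use public servers from the pool.ntp.org project.
# Please consider joining the pool (http://www.pool.ntp.org/join.html).
server ntp1.sakura.ad.jp iburst

# Ignore stratum in source selection.
stratumweight 0

# Record the rate at which the system clock gains/losses time.
driftfile /var/lib/chrony/drift

# In first three updates step the system clock instead of slew
# if the adjustment is larger than 10 seconds.
makestep 10 3

# Enable kernel synchronization of the real-time clock (RTC).
rtcsync

# Allow NTP client access from local network.
#allow 192.168/16

# Listen for commands only on localhost.
bindcmdaddress 127.0.0.1
bindcmdaddress ::1

# Serve time even if not synchronized to any NTP server.
#local stratum 10

# Specify file containing keys for NTP and command authentication.
keyfile /etc/chrony.keys

# Specify key number for command authentication.
commandkey 1

# Generate new command key on start if missing.
generatecommandkey

# Disable logging of client accesses.
noclientlog

# Send message to syslog when clock adjustment is larger than 0.5 seconds.
logchange 0.5

# Get TAI-UTC offset and leap seconds from the system tz database.
leapsectz right/UTC

# Specify directory for log files.
logdir /var/log/chrony

# Select which information is logged.
#log measurements statistics tracking

# This option allows you to configure the port on which chronyd will listen for NTP requests.
# The compiled in default is udp/123, the standard NTP port. If set to 0, chronyd will not open the server
# socket and will operate strictly in a client-only mode.
port 0

# User to which will chronyd switch on initialisation to drop root privileges.
user chrony

# Deny access to chronyc from other computers.
cmddeny all

# Lock chronyd into RAM so that it will never be paged out.
lock_all
EOF

# Service enable/disable is handled by the `services` line of the kickstart.
#systemctl enable chronyd.service
#systemctl disable ntpdate.service
#systemctl disable ntpd.service

# sshd: deny a list of commonly probed account names, inserted after the
# "#MaxSessions 10" line. The sed is a silent no-op if that anchor is missing
# from the stock sshd_config, so make that visible in the build log.
# Nothing here restricts root SSH login; whatever the stock file sets for
# PermitRootLogin applies — review that for the archive.
sed -i -e "/\#MaxSessions 10$/a #AllowUsers\nDenyUsers toor administrator administrateur admin adm test guest info mysql user oracle" /etc/ssh/sshd_config
grep -q '^DenyUsers ' /etc/ssh/sshd_config || echo "WARN: DenyUsers not inserted into /etc/ssh/sshd_config (anchor '#MaxSessions 10' missing)" >&2
# Drop the explicit GSSAPI "yes" lines so sshd falls back to its defaults.
sed -i -e '/GSSAPIAuthentication yes$/d' /etc/ssh/sshd_config
sed -i -e '/^GSSAPICleanupCredentials yes$/d' /etc/ssh/sshd_config

# fail2ban: log to its own file instead of the configured logtarget.
touch /var/log/fail2ban.log
sed -i -E 's/^(logtarget =).*/\1 \/var\/log\/fail2ban.log/' /etc/fail2ban/fail2ban.conf

# fail2ban local.conf: sshd jail on, bans via firewalld ipsets (firewalld is
# enabled by the kickstart), auth events read from the journal.
cat <<'EOL' >/etc/fail2ban/jail.d/local.conf
[DEFAULT]
banaction = firewallcmd-ipset
backend = systemd

[sshd]
enabled = true
EOL

#locale
cat <<'EOF' > /etc/locale.conf
LANG="ja_JP.utf8"
EOF

# grub: replace the whole kernel command line; consoleblank=0 keeps the serial/
# VNC console from blanking, net.ifnames=0 biosdevname=0 keep "eth0".
sed -i -e 's/^GRUB_CMDLINE_LINUX=\"\(.*\)"/GRUB_CMDLINE_LINUX=\"consoleblank=0 net.ifnames=0 biosdevname=0\"/' /etc/default/grub
grub2-mkconfig -o /etc/grub2.cfg

# autofsck
echo 'AUTOFSCK_DEF_CHECK=yes' >> /etc/sysconfig/autofsck

# DNF
echo 'fastestmirror=true' >> /etc/dnf/dnf.conf

# Networking: order rc-local after network-online.target.
# Done as a drop-in instead of sed on the package-owned unit under /usr/lib:
# the `dnf -y update` right below can replace that file and silently revert
# the edit. After= in a drop-in is additive, and network-online.target is
# itself ordered after network.target (systemd.special(7)), so the effective
# ordering matches the previous in-place edit.
mkdir -p /etc/systemd/system/rc-local.service.d
cat << 'EOF' > /etc/systemd/system/rc-local.service.d/network-online.conf
[Unit]
After=network-online.target
EOF

# Bring the image up to date at build time. No error check: if the update
# fails, the archive ships at the installer's package level.
dnf -y clean all
dnf -y update

# root password: clear the hash field ("root lock" in the original wording).
# NOTE(review): `usermod -p ''` writes an EMPTY password — it does not lock the
# account (`passwd -l root` / `usermod -L root` would). sshd's default
# PermitEmptyPasswords no blocks this over SSH, but a PAM stack using pam_unix
# with nullok accepts console logins with no password. Presumably the platform
# injects the real root password when a server is created from this archive —
# confirm that flow before changing this to a real lock.
usermod -p '' root

# udev: drop any persistent NIC naming / installer-generated ens3 config so the
# first boot of a clone uses eth0 from the ifcfg-eth0 written above.
rm -f /etc/udev/rules.d/70-persistent-net.rules
rm -f /etc/sysconfig/network-scripts/ifcfg-ens3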
%end