AlmaLinux 8.4 64bit kickstart¶
[更新: 2021年06月10日]
さくらのクラウド用パブリックアーカイブで使用している、AlmaLinux 8.4 用の kickstart ファイルです。その他の変更点は リリースノート をご覧ください。
# Kickstart for AlmaLinux Linux 8.4 x86_64
bootloader
firewall --enabled
cdrom
keyboard jp106
lang C
part biosboot --fstype=biosboot --onpart=vda1
part swap --onpart=vda2
part / --fstype=ext4 --onpart=vda3
rootpw password
selinux --disabled
text
timezone --utc Asia/Tokyo
eula --agreed
poweroff
repo --name=base --baseurl=http://ftp.sakura.ad.jp/almalinux/8/BaseOS/x86_64/os/ --cost=100
repo --name=appstream --baseurl=http://ftp.sakura.ad.jp/almalinux/8/AppStream/x86_64/os/ --cost=1000
repo --name=epel --baseurl=http://ftp.jaist.ac.jp/pub/Linux/Fedora/epel/8/Everything/x86_64/
services --enabled=fail2ban,firewalld,chronyd --disabled=auditd,kdump,messagebus,wpa_supplicant,abrt-ccpp,abrt-oops,abrt-vmcore,abrt-xorg,abrtd,avahi-daemon,lvm2-lvmetad.socket,lvm2-monitor,smartd,ntpdate
%packages
@^minimal-environment
@Development Tools
@Standard
cloud-utils-growpart
epel-release
fail2ban
gdisk
langpacks-ja
traceroute
-cockpit
-microcode_ctl
%end
%post
# network
cat << 'EOF' > /etc/sysconfig/network
NETWORKING=yes
#NETWORKING_IPV6=yes
HOSTNAME=localhost.localdomain
EOF
cat << 'EOF' > /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=eth0
BOOTPROTO="dhcp"
ONBOOT="yes"
EOF
cat << 'EOF' > /etc/resolv.conf
nameserver 133.242.0.3
nameserver 133.242.0.4
EOF
cat >> /etc/sysctl.conf <<-EOF
# Do not accept RA
net.ipv6.conf.default.accept_ra=0
net.ipv6.conf.all.accept_ra=0
net.ipv6.conf.eth0.accept_ra=0
EOF
# Add elrepo&epel Repository
dnf -y install epel-release
perl -pi.orig -e 's/^(mirrorlist=)/#$1/; s/^#(baseurl=)/$1/' /etc/yum.repos.d/almalinux.repo
perl -pi -e 's/^(# baseurl=https:\/\/repo.almalinux.org)/baseurl=https:\/\/ftp.sakura.ad.jp\/pub\/linux/' /etc/yum.repos.d/almalinux.repo
# chrony
cat <<'EOF' >/etc/chrony.conf
# Use public servers from the pool.ntp.org project.
# Please consider joining the pool (http://www.pool.ntp.org/join.html).
server ntp1.sakura.ad.jp iburst
# Ignore stratum in source selection.
stratumweight 0
# Record the rate at which the system clock gains/losses time.
driftfile /var/lib/chrony/drift
# In first three updates step the system clock instead of slew
# if the adjustment is larger than 10 seconds.
makestep 10 3
# Enable kernel synchronization of the real-time clock (RTC).
rtcsync
# Allow NTP client access from local network.
#allow 192.168/16
# Listen for commands only on localhost.
bindcmdaddress 127.0.0.1
bindcmdaddress ::1
# Serve time even if not synchronized to any NTP server.
#local stratum 10
# Specify file containing keys for NTP and command authentication.
keyfile /etc/chrony.keys
# Specify key number for command authentication.
commandkey 1
# Generate new command key on start if missing.
generatecommandkey
# Disable logging of client accesses.
noclientlog
# Send message to syslog when clock adjustment is larger than 0.5 seconds.
logchange 0.5
# Get TAI-UTC offset and leap seconds from the system tz database.
leapsectz right/UTC
# Specify directory for log files.
logdir /var/log/chrony
# Select which information is logged.
#log measurements statistics tracking
# This option allows you to configure the port on which chronyd will listen for NTP requests.
# The compiled in default is udp/123, the standard NTP port. If set to 0, chronyd will not open the server
# socket and will operate strictly in a client-only mode.
port 0
# User to which will chronyd switch on initialisation to drop root privileges.
user chrony
# Deny access to chronyc from other computers.
cmddeny all
# Lock chronyd into RAM so that it will never be paged out.
lock_all
EOF
#systemctl enable chronyd.service
#systemctl disable ntpdate.service
#systemctl disable ntpd.service
# sshd
sed -i -e "/\#MaxSessions 10$/a #AllowUsers\nDenyUsers toor administrator administrateur admin adm test guest info mysql user oracle" /etc/ssh/sshd_config
sed -i -e '/GSSAPIAuthentication yes$/d' /etc/ssh/sshd_config
sed -i -e '/^GSSAPICleanupCredentials yes$/d' /etc/ssh/sshd_config
# fail2ban
touch /var/log/fail2ban.log
sed -i -E 's/^(logtarget =).*/\1 \/var\/log\/fail2ban.log/' /etc/fail2ban/fail2ban.conf
# fail2ban local.conf
cat <<'EOL' >/etc/fail2ban/jail.d/local.conf
[DEFAULT]
banaction = firewallcmd-ipset
backend = systemd
[sshd]
enabled = true
EOL
#locale
cat <<'EOF' > /etc/locale.conf
LANG="ja_JP.utf8"
EOF
# grub
sed -i -e 's/^GRUB_CMDLINE_LINUX=\"\(.*\)"/GRUB_CMDLINE_LINUX=\"consoleblank=0 net.ifnames=0 biosdevname=0\"/' /etc/default/grub
grub2-mkconfig -o /etc/grub2.cfg
# autofsck
echo 'AUTOFSCK_DEF_CHECK=yes' >> /etc/sysconfig/autofsck
# DNF
echo 'fastestmirror=true' >> /etc/dnf/dnf.conf
# Networking
sed -i -e 's/After=network.target/After=network-online.target/' /usr/lib/systemd/system/rc-local.service
dnf -y clean all
dnf -y update
# root lock
usermod -p '' root
# udev
rm -f /etc/udev/rules.d/70-persistent-net.rules
rm -f /etc/sysconfig/network-scripts/ifcfg-ens3
%end