AlmaLinux 8.7 64bit kickstart
[更新: 2023年3月2日]
さくらのクラウド用パブリックアーカイブで使用している、AlmaLinux 8.7 用の kickstart ファイルです。その他の変更点は リリースノート をご覧ください。
# Kickstart for AlmaLinux 8.7 x86_64 2023.2.17
# Command section: unattended text-mode install onto the single disk vda.
# The three partitions referenced below (vda1-3) are created by the %pre script.
# NOTE(review): bootloader is given twice (bare here, with options further down);
# presumably the later, fully specified line is the effective one - confirm.
bootloader
# firewalld is enabled; this line adds no --service/--port exceptions of its own.
firewall --enabled
# DHCP on the first interface that has link, brought up during install and at boot.
network --bootproto=dhcp --device=link --activate --onboot=on
#install
keyboard jp106
lang C
# Restrict the installer to vda so no other attached disk is touched.
ignoredisk --only-use=vda
# Boot loader in the MBR of vda; consoleblank=0 is appended to the kernel command line.
bootloader --location=mbr --driveorder="vda" --boot-drive=vda --append="consoleblank=0"
zerombr
# --onpart reuses existing partitions instead of creating new ones.
part biosboot --fstype=biosboot --onpart=vda1
part swap --onpart=vda2
part / --fstype=ext4 --onpart=vda3
# Sets root's password to the literal plaintext string "password" (no --iscrypted,
# no --lock). %post later runs `passwd -d root`, so this value only exists while the
# installer runs. NOTE(review): if this file is reused outside that flow, replace it
# with `rootpw --iscrypted <CRYPTED_HASH_PLACEHOLDER>` or `rootpw --lock`.
rootpw password
# SELinux is switched off in the installed system.
# NOTE(review): this removes mandatory access control for the network-facing
# daemons the image runs (sshd, postfix); prefer --enforcing, or --permissive while
# policy issues are worked out, unless there is a documented reason to disable it.
selinux --disabled
text
# Hardware clock is treated as UTC; system timezone is Asia/Tokyo.
timezone --utc Asia/Tokyo
eula --agreed
# Power off when the install finishes rather than rebooting into the new system.
shutdown
# firewalld and chronyd are enabled; the listed services are disabled.
# NOTE(review): auditd is in the disabled list, so instances start without an audit
# trail (login, privilege and file-access events) - re-enable it where logging matters.
services --enabled=firewalld,chronyd --disabled=auditd,kdump,messagebus,wpa_supplicant,abrt-ccpp,abrt-oops,abrt-vmcore,abrt-xorg,abrtd,avahi-daemon,lvm2-lvmetad.socket,lvm2-monitor,smartd,ntpdate
# Package selection. "@" lines are groups/environments; a leading "-" excludes a package.
%packages
@^minimal-environment
# NOTE(review): Development Tools puts compilers and build tooling on every instance
# made from this image; drop the group if the image is meant to be minimal.
@Development Tools
@Standard
cloud-utils-growpart
gdisk
langpacks-ja
traceroute
# Firmware and ALSA packages excluded because they are not needed on virtual machines
-aic94xx-firmware
-alsa-firmware
-alsa-lib
-alsa-tools-firmware
-ivtv-firmware
-iwl1000-firmware
-iwl100-firmware
-iwl105-firmware
-iwl135-firmware
-iwl2000-firmware
-iwl2030-firmware
-iwl3160-firmware
-iwl3945-firmware
-iwl4965-firmware
-iwl5000-firmware
-iwl5150-firmware
-iwl6000-firmware
-iwl6000g2a-firmware
-iwl6000g2b-firmware
-iwl6050-firmware
-iwl7260-firmware
-libertas-sd8686-firmware
-libertas-sd8787-firmware
-libertas-usb8388-firmware
# Other packages excluded as not required: the cockpit web console, CPU microcode
# updates, and the QEMU guest agent.
# NOTE(review): presumably microcode is left to the hypervisor host - confirm.
-cockpit
-microcode_ctl
-qemu-guest-agent
# Performance improvement
tuned
%end
# Pre-install script: runs in the installer environment before partitioning/formatting.
%pre
# Strip the metadata_csum and 64bit features from the installer's mke2fs defaults, so
# the ext4 root filesystem created afterwards is made without them.
sed -i 's/metadata_csum,64bit,//' /etc/mke2fs.conf
# Destroy any existing GPT/MBR structures on /dev/vda (-Z), then create:
#   1: 1 MiB BIOS boot partition (type ef02)
#   2: 4 GiB swap (type 8200)
#   3: remainder of the disk, Linux filesystem (type 8300)
# These are the vda1-3 partitions the `part ... --onpart=` commands refer to.
sgdisk -Z -n 1::+1M -t 1:ef02 -c 1:"BIOS boot partition" -n2::+4G -t 2:8200 -c 2:swap -n 3:: -t 3:8300 -c 3:"Linux filesystem" /dev/vda
%end
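# Post-install script, run inside the installed system (no --nochroot is given).
# It writes network/DNS/locale settings, adjusts sshd, installs and enables fail2ban
# from EPEL, updates all packages, and finally removes per-machine state so the disk
# can serve as a template for many servers.
# NOTE(review): no command's exit status is checked (no `set -e`, no --erroronfail on
# %post), so a failed fail2ban install or `dnf update` still yields a finished image.
%post
#set -x
# network
cat << 'EOF' > /etc/sysconfig/network
NETWORKING=yes
#NETWORKING_IPV6=yes
HOSTNAME=localhost.localdomain
EOF
cat << 'EOF' > /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=eth0
BOOTPROTO="dhcp"
ONBOOT="yes"
EOF
cat << 'EOF' > /etc/resolv.conf
nameserver 133.242.0.3
nameserver 133.242.0.4
#nameserver 2403:3a00::1
EOF
# Ignore IPv6 router advertisements on all interfaces.
cat >> /etc/sysctl.conf <<-EOF
# Do not accept RA
net.ipv6.conf.default.accept_ra=0
net.ipv6.conf.all.accept_ra=0
net.ipv6.conf.eth0.accept_ra=0
EOF
# Add the EPEL repository (fail2ban is installed from it below).
# The original also ran `systemctl enable fail2ban` at this point, before the package
# was installed; that call could only fail, so enabling now happens once, after install.
dnf -y install epel-release
# sshd
# Insert a commented "#AllowUsers" placeholder and a DenyUsers list of commonly
# guessed account names after the "#MaxSessions 10" line.
# NOTE(review): this is a deny-list only; root is not on it, and PermitRootLogin and
# PasswordAuthentication are left as shipped. Set those explicitly if the template
# should refuse password logins for root.
sed -i -e "/\#MaxSessions 10$/a #AllowUsers\nDenyUsers toor administrator administrateur admin adm test guest info mysql user oracle" /etc/ssh/sshd_config
# Delete the lines that turn GSSAPI authentication on, so sshd falls back to its default.
sed -i -e '/GSSAPIAuthentication yes$/d' /etc/ssh/sshd_config
sed -i -e '/^GSSAPICleanupCredentials yes$/d' /etc/ssh/sshd_config
# ntp: replace the distribution pool entry with the provider's NTP server.
sed -i 's/^pool.*iburst$/server ntp1.sakura.ad.jp iburst/' /etc/chrony.conf
# fail2ban: install from EPEL, enable at boot, and log to /var/log/fail2ban.log.
yum -y install fail2ban --enablerepo=epel
systemctl enable fail2ban
touch /var/log/fail2ban.log
sed -i -E 's/^(logtarget =).*/\1 \/var\/log\/fail2ban.log/' /etc/fail2ban/fail2ban.conf
# fail2ban local.conf: read events from the systemd journal, ban through
# firewalld ipsets, and enable only the sshd jail.
cat <<'EOL' >/etc/fail2ban/jail.d/local.conf
[DEFAULT]
banaction = firewallcmd-ipset
backend = systemd
[sshd]
enabled = true
EOL
#locale
cat <<'EOF' > /etc/locale.conf
LANG="ja_JP.utf8"
EOF
# postfix: trust only the local host for relaying.
sed -i -e 's/^#mynetworks_style = host$/mynetworks_style = host/' /etc/postfix/main.cf
# grub: replaces the whole GRUB_CMDLINE_LINUX value (anything the installer put there
# is discarded) and selects classic eth0-style interface names.
sed -i -e 's/^GRUB_CMDLINE_LINUX=\"\(.*\)"/GRUB_CMDLINE_LINUX=\"consoleblank=0 net.ifnames=0 biosdevname=0\"/' /etc/default/grub
grub2-mkconfig -o /etc/grub2.cfg
# autofsck
echo 'AUTOFSCK_DEF_CHECK=yes' >> /etc/sysconfig/autofsck
# DNF
echo 'fastestmirror=true' >> /etc/dnf/dnf.conf
# Networking: start rc-local only after the network is online.
sed -i -e 's/After=network.target/After=network-online.target/' /usr/lib/systemd/system/rc-local.service
# Bring every package up to date so the template does not ship known-old versions.
dnf -y clean all
dnf -y update
# root password
# `passwd -d` deletes root's password (leaving it empty); it does not lock the
# account. This removes the install-time password set by `rootpw password`.
# NOTE(review): presumably the platform sets a real password or key when a server is
# created from this archive - confirm. If nothing does, use `passwd -l root` here so
# the template cannot be logged into with an empty password on the console.
passwd -d root
# udev: drop persistent NIC naming rules and the installer-generated ifcfg file so a
# clone with a different MAC address still comes up as eth0.
rm -f /etc/udev/rules.d/70-persistent-net.rules
rm -f /etc/sysconfig/network-scripts/ifcfg-ens3
# remove random-seed so clones do not all start from the same saved seed
rm -fv /var/lib/systemd/random-seed
# remove machine-id: truncate rather than delete, so each clone generates its own.
# NOTE(review): SSH host keys are not handled in this script; presumably none exist
# yet because sshd has not started in the installed system - verify on a built image.
cat /dev/null > /etc/machine-id
cat /dev/null > /var/lib/dbus/machine-id
%end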