CentOS 7.7 (1908) 64bit kickstart

[更新: 2019年10月8日]

さくらのクラウド用パブリックアーカイブで使用している、CentOS 7.7 用の kickstart ファイルです。その他の変更点は リリースノート をご覧ください。

# Kickstart for CentOS 7.7.1908 x86_64

bootloader
firewall --enabled
install
url --url=http://ftp.sakura.ad.jp/pub/linux/centos/7/os/x86_64/
keyboard jp106
lang C

part biosboot --fstype=biosboot --onpart=vda1
part swap   --onpart=vda2
part /      --fstype=ext4 --onpart=vda3

rootpw password
selinux --disabled
text
timezone --utc Asia/Tokyo
zerombr
eula --agreed
poweroff

repo --name=base --baseurl=http://ftp.sakura.ad.jp/pub/linux/centos/7/os/x86_64 --cost=100
repo --name=updates --baseurl=http://ftp.sakura.ad.jp/pub/linux/centos/7/updates/x86_64 --cost=1000
repo --name=epel --baseurl=http://ftp.jaist.ac.jp/pub/Linux/Fedora/epel/7/x86_64/
services --enabled=fail2ban,firewalld,chronyd --disabled=auditd,kdump,messagebus,wpa_supplicant,abrt-ccpp,abrt-oops,abrt-vmcore,abrt-xorg,abrtd,avahi-daemon,lvm2-lvmetad.socket,lvm2-monitor,smartd,ntpdate,ntpd


%packages
@ Development Tools
@ X Window System
@ fonts

nss
libcurl
-ntp
yum-plugin-fastestmirror
-microcode_ctl
epel-release
fail2ban
tcpdump
traceroute
chrony
-rdma
%end

%pre
yum update -y
%end

%post

# network
cat << 'EOF' > /etc/sysconfig/network
NETWORKING=yes
#NETWORKING_IPV6=yes
HOSTNAME=localhost.localdomain
EOF

cat << 'EOF' > /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=eth0
BOOTPROTO="dhcp"
ONBOOT="yes"
EOF

cat << 'EOF' > /etc/resolv.conf
nameserver 133.242.0.3
nameserver 133.242.0.4
#nameserver 2403:3a00::1
EOF

cat >> /etc/sysctl.conf <<-EOF

# Do not accept RA
net.ipv6.conf.default.accept_ra=0
net.ipv6.conf.all.accept_ra=0
net.ipv6.conf.eth0.accept_ra=0
EOF

# Add elrepo&epel Repository
yum -y localinstall http://www.elrepo.org/elrepo-release-7.0-2.el7.elrepo.noarch.rpm
perl -pi.orig -e 's/^(mirrorlist=)/#$1/; s/^#(baseurl=)/$1/' /etc/yum.repos.d/CentOS-Base.repo
perl -pi -e 's/^(baseurl=http:\/\/mirror.centos.org)/baseurl=http:\/\/ftp.sakura.ad.jp\/pub\/linux/' /etc/yum.repos.d/CentOS-Base.repo

# ntp
cat <<'EOF' >/etc/ntp.conf
# For more information about this file, see the man pages
# ntp.conf(5), ntp_acc(5), ntp_auth(5), ntp_clock(5), ntp_misc(5), ntp_mon(5).

driftfile /var/lib/ntp/drift

# Permit time synchronization with our time source, but do not
# permit the source to query or modify the service on this system.
restrict -4 default ignore
restrict -6 default ignore
restrict ntp1.sakura.ad.jp kod nomodify notrap nopeer noquery
#restrict -6 ntp1.sakura.ad.jp kod nomodify notrap nopeer noquery

disable monitor

# Permit all access over the loopback interface.  This could
# be tightened as well, but to do so would effect some of
# the administrative functions.
restrict -4 127.0.0.1
restrict -6 ::1

# Hosts on local network are less restricted.
#restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap

# Use public servers from the pool.ntp.org project.
# Please consider joining the pool (http://www.pool.ntp.org/join.html).
server ntp1.sakura.ad.jp iburst

#broadcast 192.168.1.255 autokey        # broadcast server
#broadcastclient                        # broadcast client
#broadcast 224.0.1.1 autokey            # multicast server
#multicastclient 224.0.1.1              # multicast client
#manycastserver 239.255.254.254         # manycast server
#manycastclient 239.255.254.254 autokey # manycast client

# Enable public key cryptography.
#crypto

includefile /etc/ntp/crypto/pw

# Key file containing the keys and key identifiers used when operating
# with symmetric key cryptography.
keys /etc/ntp/keys

# Specify the key identifiers which are trusted.
#trustedkey 4 8 42

# Specify the key identifier to use with the ntpdc utility.
#requestkey 8

# Specify the key identifier to use with the ntpq utility.
#controlkey 8

# Enable writing of statistics records.
#statistics clockstats cryptostats loopstats peerstats
EOF

# chrony
cat <<'EOF' >/etc/chrony.conf
# Use public servers from the pool.ntp.org project.
# Please consider joining the pool (http://www.pool.ntp.org/join.html).
server ntp1.sakura.ad.jp iburst

# Ignore stratum in source selection.
stratumweight 0

# Record the rate at which the system clock gains/losses time.
driftfile /var/lib/chrony/drift

# In first three updates step the system clock instead of slew
# if the adjustment is larger than 10 seconds.
makestep 10 3

# Enable kernel synchronization of the real-time clock (RTC).
rtcsync

# Allow NTP client access from local network.
#allow 192.168/16

# Listen for commands only on localhost.
bindcmdaddress 127.0.0.1
bindcmdaddress ::1

# Serve time even if not synchronized to any NTP server.
#local stratum 10

# Specify file containing keys for NTP and command authentication.
keyfile /etc/chrony.keys

# Specify key number for command authentication.
commandkey 1

# Generate new command key on start if missing.
generatecommandkey

# Disable logging of client accesses.
noclientlog

# Send message to syslog when clock adjustment is larger than 0.5 seconds.
logchange 0.5

# Specify directory for log files.
logdir /var/log/chrony

# Select which information is logged.
#log measurements statistics tracking

# This option allows you to configure the port on which chronyd will listen for NTP requests.
# The compiled in default is udp/123, the standard NTP port. If set to 0, chronyd will not open the server
# socket and will operate strictly in a client-only mode.
port 0

# User to which will chronyd switch on initialisation to drop root privileges.
user chrony

# Deny access to chronyc from other computers.
cmddeny all

# Lock chronyd into RAM so that it will never be paged out.
lock_all
EOF

# sshd
sed -i -e "/\#MaxSessions 10$/a #AllowUsers\nDenyUsers toor administrator administrateur admin adm test guest info mysql user oracle" /etc/ssh/sshd_config
sed -i -e '/GSSAPIAuthentication yes$/d' /etc/ssh/sshd_config
sed -i -e '/^GSSAPICleanupCredentials yes$/d' /etc/ssh/sshd_config

# fail2ban
touch /var/log/fail2ban.log
sed -i -E 's/^(logtarget =).*/\1 \/var\/log\/fail2ban.log/' /etc/fail2ban/fail2ban.conf

# fail2ban local.conf
cat <<'EOL' >/etc/fail2ban/jail.d/local.conf
[DEFAULT]
banaction = firewallcmd-ipset
backend = systemd

[sshd]
enabled = true
EOL

#locale
cat <<'EOF' > /etc/locale.conf
LANG="ja_JP.UTF-8"
EOF

# postfix
sed -i -e 's/^#mynetworks_style = host$/mynetworks_style = host/' /etc/postfix/main.cf

# grub
sed -i -e 's/"crashkernel=auto rhgb quiet"/"consoleblank=0 net.ifnames=0 biosdevname=0\"/g' /etc/default/grub
grub2-mkconfig -o /etc/grub2.cfg

# autofsck
echo 'AUTOFSCK_DEF_CHECK=yes' >> /etc/sysconfig/autofsck

yum install -y gdisk
sgdisk -t 3:8300 /dev/vda
gdisk -l /dev/vda

# yum update
yum -y clean all
yum -y update

# root lock
usermod -p '' root

# udev
rm -f /etc/udev/rules.d/70-persistent-net.rules

%end