## CentOS CloudStack instance
# Kickstart for an unattended, headless (text, no X) build of a CentOS 6
# CloudStack template image.
#
# Build-time trust: every package below is fetched over plain HTTP from the
# listed mirror and third-party repos (EPEL mirror, RDO cloud-init repo,
# li.nux.ro).  The resulting image is only as trustworthy as those hosts and
# the network path to them at build time; for anything beyond a lab, mirror
# them internally and make sure package signatures are verified.
skipx
text
install
url --url=http://mirrors.coreix.net/centos/6/os/x86_64/
repo --name=Updates --baseurl=http://mirrors.coreix.net/centos/6/updates/x86_64/
repo --name=epel --baseurl=http://mirrors.coreix.net/fedora-epel/6/x86_64/
# cloud-init for EL6 is taken from the RDO (OpenStack) cloud-init repo
repo --name=rdo --baseurl=http://repos.fedorapeople.org/repos/openstack/cloud-init/epel-6/
# third-party CloudStack helper RPMs (no package from this repo is named
# explicitly in %packages; it is available for dependency resolution)
repo --name=acsscripts --baseurl=http://li.nux.ro/download/cloudstack/rpms/el6/
lang en_GB.UTF-8
keyboard uk
timezone --utc Europe/London
network --onboot yes --device=eth0 --bootproto=dhcp
# we disable the firewall as the Security Groups will be used instead
# NOTE: the guest then filters nothing itself.  On a zone/network where
# Security Groups are not enforced the instance is fully exposed, and %post
# below enables root password login over SSH for the CloudStack password
# service - keep both facts in mind before reusing this template elsewhere.
firewall --disabled
# No reason Selinux can't stay on
selinux --enforcing
authconfig --enableshadow --passalgo=sha512
# will randomise passwd later
# Plain-text placeholder only: %post replaces it with a random value before
# the image is sealed.  It is still readable in this file (and any copies of
# it), which is fine precisely because it never survives into the image.
rootpw password
zerombr yes
clearpart --initlabel --all
# One partition to rule them all, no swap
part / --size=1024 --grow --fstype ext4 --asprimary
# we add serial tty for `virsh console`
# No bootloader password is set, so whoever reaches the console can edit the
# kernel command line at boot; acceptable only while console access is itself
# a privileged operation (the hypervisor/CloudStack console).
bootloader --location=mbr --driveorder=vda --append="console=ttyS0,9600 console=tty0"
# kdump is disabled: it reserves memory and a cloud guest has nowhere to put dumps
services --enabled=network,acpid,ntpd,sshd,qemu-ga,cloud-init,tuned --disabled=kdump
shutdown
%packages --excludedocs --nobase
# --nobase: skip the @base group; only the packages listed here (plus their
# dependencies) go on top of the minimal install.  --excludedocs drops
# documentation to keep the image small.
openssl
openssh-server
# cloud-init and growroot will expand the partition and filesystem to match the underlying image
cloud-init
python-jsonpatch
dracut-modules-growroot
cloud-utils-growpart
# guest agent so the hypervisor can quiesce/query the VM
qemu-guest-agent
# ntpd is enabled as a service; %post turns off its 'monitor' feature
ntp
# used at runtime by the CloudStack password-reset script in %post
wget
acpid
tuned
#do we want EPEL?
#epel-release
# Explicitly drop hardware-specific and desktop packages that a KVM guest has
# no use for: smaller image, fewer setuid/daemon surfaces to patch.
-*-firmware
-NetworkManager
-b43-openfwwf
-biosdevname
-fprintd
-fprintd-pam
-gtk2
-libfprint
-mcelog
-redhat-support-tool
-system-config-*
-wireless-tools
%end
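%post --erroronfail
## sysprep stuff
# Everything that must be unique per instance is removed here and is
# regenerated by cloud-init / the first boot.  Note that --erroronfail acts on
# the exit status of this whole section (i.e. of its last command), so a
# failure in the middle is only logged by anaconda, it does not stop the build.

# remove existing SSH host keys - if generated - as they need to be unique per VM
rm -rf /etc/ssh/*key*

# remove udev rules otherwise our NIC will be renamed to ethX+1 on the clone
rm -f /etc/udev/rules.d/*-persistent-*
touch /etc/udev/rules.d/75-persistent-net-generator.rules

# the MAC address (and so HWADDR / UUID) will change on every instance
sed -i -e '/HWADDR/d' -e '/UUID/d' /etc/sysconfig/network-scripts/ifcfg-eth0

# disable monitor feature in ntpd as it's used in nasty NTP amplification attacks
# https://isc.sans.edu/forums/diary/NTP+reflection+attack/17300
echo disable monitor >> /etc/ntp.conf

# remove logs and temp files so nothing from the build (including the
# plain-text placeholder root password in the kickstart copy) ends up in the image
yum -y clean all
rm -f /root/anaconda-ks.cfg /root/install.log /root/install.log.syslog
find /var/log -type f -delete

# remove the random seed, it needs to be unique and it will be autogenerated
rm -f /var/lib/random-seed

# Kdump can use quite a bit of memory, do we want to keep it?
# sed -i s/crashkernel=auto/crashkernel=0@0/g /boot/grub/grub.conf
# tell the system to autorelabel? this takes some time and memory, maybe not advised
# touch /.autorelabel

## set cloudstack as data source in cloud-init with the modifications from exoscale.ch - thanks
# Quoted delimiter: the YAML is written literally, nothing is expanded.
# CloudStack and None are nested under 'datasource', CloudStack is the only
# entry in 'datasource_list'.
cat <<'EOF' > /etc/cloud/cloud.cfg.d/99_cloudstack.cfg
datasource:
  CloudStack: {}
  None: {}
datasource_list:
  - CloudStack
EOF

#fix userdata url issue with ending slash
# NOTE(review): this patches boto by absolute line number (385/386), so it is
# only correct for the exact boto build present at image-build time; with any
# other version the two lines land in the wrong place.  Guarded so that the
# file has to exist and the fix is not inserted twice on a rebuild.
boto_utils=/usr/lib/python2.6/site-packages/boto/utils.py
if [ -f "$boto_utils" ] && ! grep -q 'cloudstack fix remove ending slash' "$boto_utils"; then
  sed -i '385i \ \ \ \ #cloudstack fix remove ending slash' "$boto_utils"
  sed -i '386i \ \ \ \ ud_url = ud_url[:-1]' "$boto_utils"
fi

# CloudStack's password-reset service sets the *root* password, so cloud-init
# must leave root enabled, sshd must accept password logins and the default
# user becomes root.  This deliberately weakens the cloud-init defaults: root
# can log in over SSH with a password, so the instance relies on Security
# Groups, on the random password set at the end of %post and on the
# per-instance password handed out by the password server at boot.
sed -i -e 's,disable_root: 1,disable_root: 0,' \
       -e 's,ssh_pwauth: 0,ssh_pwauth: 1,' \
       -e 's,name: cloud-user,name: root,' /etc/cloud/cloud.cfg
mkdir -p /var/lib/cloud/scripts/per-boot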
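cat > /var/lib/cloud/scripts/per-boot/10_cloud-set-guest-password << "EOF"
#!/bin/bash
#
# Init file for Password Download Client
#
# chkconfig: 345 98 02
# description: Password Download Client
# Licensed to the Apache Software Foundation (ASF) under one
# or more contributor license agreements. See the NOTICE file
# distributed with this work for additional information
# regarding copyright ownership. The ASF licenses this file
# to you under the Apache License, Version 2.0 (the
# "License"); you may not use this file except in compliance
# with the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing,
# software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
# KIND, either express or implied. See the License for the
# specific language governing permissions and limitations
# under the License.
#
# Runs on every boot from cloud-init's per-boot directory (the chkconfig
# header above is a leftover from its life as an init script).  It asks the
# CloudStack password server for a password for this VM and, if one is
# pending, sets it on $user and acknowledges it so it is handed out only once.
#
# Security notes:
#  * The server is whatever host the DHCP lease names as
#    dhcp-server-identifier (the CloudStack virtual router), and the request
#    is plain HTTP to port 8080.  The lease, not this script, decides who is
#    trusted: anything able to answer DHCP on the guest's segment could hand
#    this guest a root password.
#  * The password is only ever passed to chpasswd on stdin; the mkpasswd
#    fallback below is the one place it appears on a command line.
#
# Exit status: 0 if a password was set or none was needed, 1 if every lease
# file failed or the password could not be changed.

# Modify this line to specify the user (default is root)
user=root
# Add your DHCP lease folders here (left unquoted in the loop on purpose: the globs must expand)
DHCP_FOLDERS="/var/lib/dhclient/* /var/lib/dhcp3/* /var/lib/dhcp/*"

password_received=0
file_count=0
error_count=0

for DHCP_FILE in $DHCP_FOLDERS
do
  [ -f "$DHCP_FILE" ] || continue
  file_count=$((file_count+1))
  # the newest lease is appended last, so the last server-identifier wins
  PASSWORD_SERVER_IP=$(grep dhcp-server-identifier "$DHCP_FILE" | tail -1 | awk '{print $NF}' | tr -d '\;')
  if [ -z "$PASSWORD_SERVER_IP" ]
  then
    logger -t "cloud" "Could not find password server IP in $DHCP_FILE"
    error_count=$((error_count+1))
    continue
  fi
  logger -t "cloud" "Found password server IP $PASSWORD_SERVER_IP in $DHCP_FILE"
  logger -t "cloud" "Sending request to password server at $PASSWORD_SERVER_IP"
  password=$(wget -q -t 3 -T 20 -O - --header "DomU_Request: send_my_password" "$PASSWORD_SERVER_IP:8080")
  # capture wget's status *before* the CR-stripping pipeline overwrites $?
  # (previously the status of 'tr' was tested, so a failed download was
  # indistinguishable from "server had no password")
  wget_status=$?
  password=$(printf '%s' "$password" | tr -d '\r')
  if [ "$wget_status" -ne 0 ]
  then
    logger -t "cloud" "Failed to send request to password server at $PASSWORD_SERVER_IP"
    error_count=$((error_count+1))
    continue
  fi
  logger -t "cloud" "Got response from server at $PASSWORD_SERVER_IP"
  case "$password" in
    "")
      logger -t "cloud" "Password server at $PASSWORD_SERVER_IP did not have any password for the VM"
      ;;
    "bad_request")
      logger -t "cloud" "VM sent an invalid request to password server at $PASSWORD_SERVER_IP"
      error_count=$((error_count+1))
      ;;
    "saved_password")
      logger -t "cloud" "VM has already saved a password from the password server at $PASSWORD_SERVER_IP"
      ;;
    *)
      logger -t "cloud" "VM got a valid password from server at $PASSWORD_SERVER_IP"
      password_received=1
      break
      ;;
  esac
done

if [ "$password_received" -eq 0 ]
then
  # no lease files at all also counts as "failed": 0 errors out of 0 files
  if [ "$error_count" -eq "$file_count" ]
  then
    logger -t "cloud" "Failed to get password from any server"
    exit 1
  else
    logger -t "cloud" "Did not need to change password."
    exit 0
  fi
fi

logger -t "cloud" "Changing password ..."
# the password goes to chpasswd on stdin, never on a command line, and is
# passed through printf so spaces or glob characters in it survive intact
if ! printf '%s:%s\n' "$user" "$password" | chpasswd
then
  # NOTE(review): fallback inherited from the upstream script.  It exposes the
  # password in mkpasswd's argv (readable by any local user via ps while it
  # runs) and assumes a mkpasswd that understands '-m SHA-512'; kept only
  # because the chpasswd path above is the one expected to succeed.
  if ! usermod -p "$(mkpasswd -m SHA-512 "$password")" "$user"
  then
    logger -t "cloud" "Failed to change password for user $user"
    exit 1
  fi
  logger -t "cloud" "Successfully changed password for user $user"
fi

logger -t "cloud" "Sending acknowledgment to password server at $PASSWORD_SERVER_IP"
wget -t 3 -T 20 -O - --header "DomU_Request: saved_password" "$PASSWORD_SERVER_IP:8080"
exit 0
EOF
chmod +x /var/lib/cloud/scripts/per-boot/10_cloud-set-guest-password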
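# NOTE(review): nothing in this kickstart creates /sbin/ifup-local.  If a
# package or a later build step supplies it, make it executable with the same
# SELinux context as /sbin/ifup so the network scripts may run it; otherwise
# say so in the anaconda log instead of failing two commands silently.
if [ -e /sbin/ifup-local ]; then
  chmod +x /sbin/ifup-local
  chcon --reference /sbin/ifup /sbin/ifup-local
else
  echo "WARNING: /sbin/ifup-local not present, skipping chmod/chcon" >&2
fi

# Enable the serial console login (root included: ttyS0 goes into securetty)
echo ttyS0 >> /etc/securetty
sed -i 's@ACTIVE_CONSOLES=/dev/tty\[1-6\]@ACTIVE_CONSOLES="/dev/tty\[1-6\] /dev/ttyS0"@g' /etc/sysconfig/init

#bz912801
# prevent udev rules from remapping nics
touch /etc/udev/rules.d/75-persistent-net-generator.rules

#bz 1011013
# set eth0 to recover from dhcp errors (written as PERSISTENT_DHCLIENT=1)
echo 'PERSISTENT_DHCLIENT=1' >> /etc/sysconfig/network-scripts/ifcfg-eth0

# set virtual-guest as default profile for tuned
echo "virtual-guest" > /etc/tune-profiles/active-profile

# randomise root password: the plain-text placeholder from the 'rootpw'
# directive must not survive into the image.  The value is piped straight
# into passwd and is never printed or logged; the usable per-instance
# password is delivered by the CloudStack password server on first boot.
# Keep this as the last command of %post: with --erroronfail its exit status
# is the one that decides whether the build is accepted.
openssl rand -base64 32 | passwd --stdin root
%end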