diff --git a/confluent_osdeploy/suse15/profiles/hpc/autoyast b/confluent_osdeploy/suse15/profiles/hpc/autoyast
index b77fdaff..86507b64 100644
--- a/confluent_osdeploy/suse15/profiles/hpc/autoyast
+++ b/confluent_osdeploy/suse15/profiles/hpc/autoyast
@@ -115,19 +115,27 @@ curl $proto://$mgr/confluent-public/os/$profile/scripts/pre.sh > /tmp/pre.sh
mgr=$(grep ^deploy_server /tmp/confluent.deploycfg|awk '{print $2}')
profile=$(grep ^profile: /tmp/confluent.deploycfg|sed -e 's/^profile: //')
proto=$(grep ^protocol: /tmp/confluent.deploycfg |awk '{print $2}')
-curl $proto://$mgr/confluent-public/os/$profile/scripts/post.sh > /tmp/post.sh
-. /tmp/post.sh
-curl $proto://$mgr/confluent-public/os/$profile/scripts/firstboot.sh > /mnt/etc/confluent/firstboot.sh
+curl $proto://$mgr/confluent-public/os/$profile/scripts/prechroot.sh > /tmp/prechroot.sh
+. /tmp/prechroot.sh
+curl -f $proto://$mgr/confluent-public/os/$profile/scripts/firstboot.sh > /mnt/etc/confluent/firstboot.sh
+curl -f $proto://$mgr/confluent-public/os/$profile/scripts/post.sh > /mnt/etc/confluent/post.sh
chmod +x /mnt/etc/confluent/firstboot.sh
+chmod +x /mnt/etc/confluent/post.sh
]]>
+
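Review bot: The added fetch of `prechroot.sh` omits `-f`, and its result is sourced unconditionally on the next line, so an HTTP error body or a truncated download would be executed as root inside the installer; the two fetches below it already use `-f`. I would write `curl -f $proto://$mgr/confluent-public/os/$profile/scripts/prechroot.sh > /tmp/prechroot.sh && . /tmp/prechroot.sh` and decide explicitly what the install should do when the fetch fails. If `protocol:` in the deploy config can ever be `http`, nothing authenticates a script that is then run as root, so that case deserves a comment or a refusal. The same source-without-checking pattern appears in the pre.sh hunk for `/tmp/functions`. The enclosing script section starts above this hunk.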
diff --git a/confluent_osdeploy/suse15/profiles/hpc/scripts/firstboot.sh b/confluent_osdeploy/suse15/profiles/hpc/scripts/firstboot.sh
index 1f873835..cea4c664 100644
--- a/confluent_osdeploy/suse15/profiles/hpc/scripts/firstboot.sh
+++ b/confluent_osdeploy/suse15/profiles/hpc/scripts/firstboot.sh
@@ -8,3 +8,8 @@ profile=$(grep ^profile: /etc/confluent/confluent.deploycfg|sed -e 's/^rootpassw
proto=$(grep ^protocol: /etc/confluent/confluent.deploycfg |awk '{print $2}')
apikey=$(cat /etc/confluent/confluent.apikey)
curl --capath /etc/confluent/tls -H "CONFLUENT_NODENAME: $nodename" -H "CONFLUENT_APIKEY: $apikey" -f -X POST -d "status: complete" https://$mgr/confluent-api/self/updatestatus
+. /etc/confluent/functions
+
+# Custom scripts may go here
+# run_remote example.sh
+# run_remote_python example.py
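Review bot: The helpers sourced here build their download URL from `$mgr` and `$profile`, and the hunk header shows `profile` being derived with a sed expression that begins `s/^rootpassw`, which would not strip the `profile: ` prefix that the other scripts in this commit remove with `'s/^profile: //'`. The header line is truncated, so this needs checking against the full file; if it is as it looks, any `run_remote` call uncommented below would request a path containing `profile: ` and fail. The assignments themselves sit above the hunk.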
diff --git a/confluent_osdeploy/suse15/profiles/hpc/scripts/functions b/confluent_osdeploy/suse15/profiles/hpc/scripts/functions
new file mode 100644
index 00000000..e84bc821
--- /dev/null
+++ b/confluent_osdeploy/suse15/profiles/hpc/scripts/functions
@@ -0,0 +1,14 @@
+run_remote() {
+ cd $(mktemp -d)
+ curl -f https://$mgr/confluent-public/os/$profile/scripts/$1 > $1
+ chmod +x $1
+ ./$1
+ cd -
+}
+
+run_remote_python() {
+ cd $(mktemp -d)
+ curl -f https://$mgr/confluent-public/os/$profile/scripts/$1 > $1
+ python3 $1
+ cd -
+}
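Review bot: `run_remote` and `run_remote_python` run whatever is left in the file even when `curl -f` fails, because the redirect has already created an empty `$1` and nothing tests curl's status; an empty script executes as a no-op, so a missing or unreachable script looks like success. `cd $(mktemp -d)` is also unchecked and unquoted (a failed mktemp turns it into a bare `cd`, i.e. the home directory), `$1` is unquoted throughout, the temporary directory is never removed, and the function returns the status of `cd -` rather than of the script. The URL hard-codes `https://` with curl's default trust store, whereas firstboot.sh passes `--capath /etc/confluent/tls`; whether the default store holds the deployment CA in every environment that sources this file is not visible here. A sketch for `run_remote` follows, assuming no script relies on files left behind in its working directory; `run_remote_python` would take the same shape with `python3 "./$1"`.

```shell
run_remote() {
    tmpdir=$(mktemp -d) || return 1
    if curl -f "https://$mgr/confluent-public/os/$profile/scripts/$1" > "$tmpdir/$1"; then
        chmod +x "$tmpdir/$1"
        # subshell keeps the caller's working directory untouched
        (cd "$tmpdir" && "./$1")
        rc=$?
    else
        rc=1
    fi
    rm -rf "$tmpdir"
    return $rc
}
```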
diff --git a/confluent_osdeploy/suse15/profiles/hpc/scripts/post.sh b/confluent_osdeploy/suse15/profiles/hpc/scripts/post.sh
index 41ac2208..1ece9901 100644
--- a/confluent_osdeploy/suse15/profiles/hpc/scripts/post.sh
+++ b/confluent_osdeploy/suse15/profiles/hpc/scripts/post.sh
@@ -1,49 +1,22 @@
#!/bin/sh
-# This script runs when install is finished, but while the installer
-# is still running, with the to-be-booted system mounted in /mnt
+# This script runs at the end of install in the installed system
+# but still under the installer kernel.
-# Carry over install-time ssh material into installed system
-mkdir -p /mnt/root/.ssh/
-chmod 700 /mnt/root/.ssh/
-cp /root/.ssh/authorized_keys /mnt/root/.ssh/
-chmd 600 /mnt/root/.ssh/authorized_keys
-cp /etc/ssh/*key* /mnt/etc/ssh/
-for i in /etc/ssh/*-cert.pub; do
- echo HostCertificate $i >> /mnt/etc/ssh/sshd_config
-done
-for i in /ssh/*.ca; do
- echo '@cert-authority *' $(cat $i) >> /mnt/etc/ssh/ssh_known_hosts
-done
-# Enable ~/.shosts, for the sake of root user, who is forbidden from using shosts.equiv
-echo IgnoreRhosts no >> /mnt/etc/ssh/sshd_config
-echo HostbasedAuthentication yes >> /mnt/etc/ssh/sshd_config
-echo HostbasedUsesNameFromPacketOnly yes >> /mnt/etc/ssh/sshd_config
-echo Host '*' >> /mnt/etc/ssh/ssh_config
-echo " HostbasedAuthentication yes" >> /mnt/etc/ssh/ssh_config
-echo " EnableSSHKeysign yes" >> /mnt/etc/ssh/ssh_config
-# Limit the attempts of using host key. This prevents client from using 3 or 4
-# authentication attempts through host based attempts
-echo " HostbasedKeyTypes *ed25519*" >> /mnt/etc/ssh/ssh_config
+# This is a good place to run most customizations that do not have any
+# dependency upon the install target kernel being active.
-# In SUSE platform, setuid for ssh-keysign is required for host based,
-# and also must be opted into.
-echo /usr/lib/ssh/ssh-keysign root:root 4711 >> /mnt/etc/permissions.local
-chmod 4711 /mnt/usr/lib/ssh/ssh-keysign
+# If there are dependencies on the kernel (drivers or special filesystems)
+# then firstboot.sh would be the script to customize.
-# Download list of nodes from confluent, and put it into shosts.equiv (for most users) and .shosts (for root)
-nodename=$(grep ^NODENAME /tmp/confluent.info|awk '{print $2}')
-curl -f -H "CONFLUENT_NODENAME: $nodename" -H "CONFLUENT_APIKEY: $(cat /tmp/confluent.apikey)" https://$mgr/confluent-api/self/nodelist > /tmp/allnodes
-cp /tmp/allnodes /mnt/root/.shosts
-cp /tmp/allnodes /mnt/etc/ssh/shosts.equiv
+mgr=$(grep ^deploy_server /etc/confluent/confluent.deploycfg|awk '{print $2}')
+profile=$(grep ^profile: /etc/confluent/confluent.deploycfg|sed -e 's/^profile: //')
+nodename=$(grep ^NODENAME /etc/confluent/confluent.info|awk '{print $2}')
+export mgr profile nodename
+. /etc/confluennt/functions
-# carry over deployment configuration and api key for OS install action
-mkdir -p /mnt/etc/confluent
-chmod 700 /mnt/etc/confluent
-chmod 600 /tmp/confluent.*
-cp /tmp/confluent.* /mnt/etc/confluent/
-cp -a /tls /mnt/etc/confluent/
-cp -a /tls/* /mnt/var/lib/ca-certificates/openssl
-cp -a /tls/* /mnt/var/lib/ca-certificates/pem
-cp -a /tls/*.pem /mnt/etc/pki/trust/anchors
+# Customizations may go here
+# Examples:
+# run_remote script.sh
+# run_remote_python script.py
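Review bot: The added line `. /etc/confluennt/functions` misspells the directory (`confluennt`), so the helpers are never loaded; under `#!/bin/sh` a failed `.` in a non-interactive shell normally aborts the script, and otherwise any `run_remote` customization added below would hit an undefined function. It should read `. /etc/confluent/functions`, matching the path prechroot.sh copies the file to and the one firstboot.sh sources.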
diff --git a/confluent_osdeploy/suse15/profiles/hpc/scripts/pre.sh b/confluent_osdeploy/suse15/profiles/hpc/scripts/pre.sh
index 296ae304..d8866be2 100644
--- a/confluent_osdeploy/suse15/profiles/hpc/scripts/pre.sh
+++ b/confluent_osdeploy/suse15/profiles/hpc/scripts/pre.sh
@@ -19,6 +19,7 @@ for i in /etc/ssh/ssh_host*key.pub; do
echo HostCertificate $certname >> /etc/ssh/sshd_config
done
/usr/sbin/sshd
-curl -f https://$mgr/confluent-public/os/$profile/scripts/getinstalldisk > /tmp/getinstalldisk
-python3 /tmp/getinstalldisk
+curl -f https://$mgr/confluent-public/os/$profile/scripts/functions > /tmp/functions
+. /tmp/functions
+run_remote_python getinstalldisk
sed -e s!%%INSTDISK%%!/dev/$(cat /tmp/installdisk)! -e s!%%NODENAME%%!$nodename! -e "s?%%ROOTPASSWORD%%?${rootpw}?" /tmp/profile/autoinst.xml > /tmp/profile/modified.xml
diff --git a/confluent_osdeploy/suse15/profiles/hpc/scripts/prechroot.sh b/confluent_osdeploy/suse15/profiles/hpc/scripts/prechroot.sh
new file mode 100644
index 00000000..90f9d1dd
--- /dev/null
+++ b/confluent_osdeploy/suse15/profiles/hpc/scripts/prechroot.sh
@@ -0,0 +1,22 @@
+#!/bin/sh
+
+# This script runs when install is finished, but while the installer
+# is still running, with the to-be-booted system mounted in /mnt
+
+# carry over deployment configuration and api key for OS install action
+mgr=$(grep ^deploy_server /tmp/confluent.deploycfg|awk '{print $2}')
+profile=$(grep ^profile: /tmp/confluent.deploycfg|sed -e 's/^profile: //')
+nodename=$(grep ^NODENAME /tmp/confluent.info|awk '{print $2}')
+export mgr profile nodename
+mkdir -p /mnt/etc/confluent
+chmod 700 /mnt/etc/confluent
+chmod 600 /tmp/confluent.*
+cp /tmp/functions /mnt/etc/confluent/
+. /tmp/functions
+cp /tmp/confluent.* /mnt/etc/confluent/
+cp -a /tls /mnt/etc/confluent/
+cp -a /tls/* /mnt/var/lib/ca-certificates/openssl
+cp -a /tls/* /mnt/var/lib/ca-certificates/pem
+cp -a /tls/*.pem /mnt/etc/pki/trust/anchors
+
+run_remote setupssh.sh
diff --git a/confluent_osdeploy/suse15/profiles/hpc/scripts/setupssh.sh b/confluent_osdeploy/suse15/profiles/hpc/scripts/setupssh.sh
new file mode 100644
index 00000000..cadd7a72
--- /dev/null
+++ b/confluent_osdeploy/suse15/profiles/hpc/scripts/setupssh.sh
@@ -0,0 +1,34 @@
+#!/bin/bash
+# Carry over install-time ssh material into installed system
+mkdir -p /mnt/root/.ssh/
+chmod 700 /mnt/root/.ssh/
+cp /root/.ssh/authorized_keys /mnt/root/.ssh/
+chmd 600 /mnt/root/.ssh/authorized_keys
+cp /etc/ssh/*key* /mnt/etc/ssh/
+for i in /etc/ssh/*-cert.pub; do
+ echo HostCertificate $i >> /mnt/etc/ssh/sshd_config
+done
+for i in /ssh/*.ca; do
+ echo '@cert-authority *' $(cat $i) >> /mnt/etc/ssh/ssh_known_hosts
+done
+# Enable ~/.shosts, for the sake of root user, who is forbidden from using shosts.equiv
+echo IgnoreRhosts no >> /mnt/etc/ssh/sshd_config
+echo HostbasedAuthentication yes >> /mnt/etc/ssh/sshd_config
+echo HostbasedUsesNameFromPacketOnly yes >> /mnt/etc/ssh/sshd_config
+echo Host '*' >> /mnt/etc/ssh/ssh_config
+echo " HostbasedAuthentication yes" >> /mnt/etc/ssh/ssh_config
+echo " EnableSSHKeysign yes" >> /mnt/etc/ssh/ssh_config
+# Limit the attempts of using host key. This prevents client from using 3 or 4
+# authentication attempts through host based attempts
+echo " HostbasedKeyTypes *ed25519*" >> /mnt/etc/ssh/ssh_config
+
+# In SUSE platform, setuid for ssh-keysign is required for host based,
+# and also must be opted into.
+echo /usr/lib/ssh/ssh-keysign root:root 4711 >> /mnt/etc/permissions.local
+chmod 4711 /mnt/usr/lib/ssh/ssh-keysign
+
+# Download list of nodes from confluent, and put it into shosts.equiv (for most users) and .shosts (for root)
+curl -f -H "CONFLUENT_NODENAME: $nodename" -H "CONFLUENT_APIKEY: $(cat /tmp/confluent.apikey)" https://$mgr/confluent-api/self/nodelist > /tmp/allnodes
+cp /tmp/allnodes /mnt/root/.shosts
+cp /tmp/allnodes /mnt/etc/ssh/shosts.equiv
+
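Review bot: `chmd 600 /mnt/root/.ssh/authorized_keys` is a typo carried over from the old post.sh; the command does not exist, so the mode of the copied `authorized_keys` is never set explicitly and is left to whatever `cp` produced. It should be `chmod 600 /mnt/root/.ssh/authorized_keys`. Separately, the node list written to `/mnt/root/.shosts` and `/mnt/etc/ssh/shosts.equiv` is copied without checking the `curl -f` result, so a failed request silently installs empty host-based trust files; testing curl's status before the two `cp` lines would surface that.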