mirror of
https://github.com/xcat2/confluent.git
synced 2024-11-22 09:32:21 +00:00
5f610b64b7
When processes may update the certificate authorities, the confluent CA trust would be lost. Place it appropriately so that update-ca-trust will keep it in the appropriate place.
115 lines
4.5 KiB
Plaintext
115 lines
4.5 KiB
Plaintext
# In this OS profile, data is largely filled in during the %pre
|
|
# phase, rather than the kickstart actually having the content.
|
|
# None of the files shall be replaced during an upgrade in
|
|
# /var/lib/confluent/public/os/<profile>, so customization should
|
|
# be done by modifying files in /var/lib/confluent/public/os/<profile>
|
|
|
|
# /tmp/rootpw will provide a 'rootpw' line, either locking password if not configured
|
|
# or the crypted form.
|
|
%include /tmp/rootpw
|
|
|
|
# timezone is fetched from confluent server, which provides the
|
|
# timezone that the management server itself is in by default.
|
|
%include /tmp/timezone
|
|
|
|
# similar to timezone, confluent is asked to provide the
|
|
# deployment servers language info and replicate that
|
|
# to the deployment target.
|
|
%include /tmp/langinfo
|
|
|
|
# bootloader may be specified if crypted.grubpassword is set on
|
|
# a node. This will become a bootloader line if a password
|
|
# was specified
|
|
%include /tmp/grubpw
|
|
|
|
# The default partition scheme is applied to a single drive, using
|
|
# the getinstalldisk script to make a best guess as to the most
|
|
# appropriate device. See pre.sh and getinstalldisk to customize
|
|
# the automatic behavior, or comment out/delete the
|
|
# following line and provide your own manual partition plan
|
|
# instead
|
|
%include /tmp/partitioning
|
|
|
|
reboot
|
|
|
|
%packages
|
|
@^minimal-environment
|
|
#-kernel-uek # This can opt out of the UEK for the relevant distribution
|
|
bind-utils
|
|
chrony
|
|
pciutils
|
|
python3
|
|
rsync
|
|
tar
|
|
-iwl*-firmware
|
|
%include /tmp/addonpackages
|
|
%include /tmp/cryptpkglist
|
|
%end
|
|
|
|
# A kickstart.custom file is provided to enable easily adding
|
|
# kickstart content without modifying the stock file.
|
|
# While the stock file may be safely modified, using the .custom
|
|
# files may allow for more easily rebasing custom profiles to newer
|
|
# stock profiles
|
|
%include /tmp/kickstart.custom
|
|
|
|
%pre
|
|
v4cfg=$(grep ^ipv4_method: /etc/confluent/confluent.deploycfg)
|
|
v4cfg=${v4cfg#ipv4_method: }
|
|
if [ "$v4cfg" = "static" ] || [ "$v4cfg" = "dhcp" ]; then
|
|
confluent_mgr=$(grep ^deploy_server: /etc/confluent/confluent.deploycfg)
|
|
confluent_mgr=${confluent_mgr#deploy_server: }
|
|
else
|
|
confluent_mgr=$(grep ^deploy_server_v6: /etc/confluent/confluent.deploycfg)
|
|
confluent_mgr=${confluent_mgr#deploy_server_v6: }
|
|
confluent_mgr="[$confluent_mgr]"
|
|
fi
|
|
confluent_profile=$(grep ^profile: /etc/confluent/confluent.deploycfg |awk '{print $2}')
|
|
curl -f https://$confluent_mgr/confluent-public/os/$confluent_profile/scripts/pre.sh > /tmp/preinst.sh
|
|
. /tmp/preinst.sh
|
|
%end
|
|
|
|
%post --nochroot
|
|
mkdir -p /mnt/sysimage/etc/confluent
|
|
confluent_profile=$(grep ^profile: /etc/confluent/confluent.deploycfg |awk '{print $2}')
|
|
v4cfg=$(grep ^ipv4_method: /etc/confluent/confluent.deploycfg)
|
|
v4cfg=${v4cfg#ipv4_method: }
|
|
if [ "$v4cfg" = "static" ] || [ "$v4cfg" = "dhcp" ]; then
|
|
confluent_mgr=$(grep ^deploy_server: /etc/confluent/confluent.deploycfg)
|
|
confluent_mgr=${confluent_mgr#deploy_server: }
|
|
else
|
|
confluent_mgr=$(grep ^deploy_server_v6: /etc/confluent/confluent.deploycfg)
|
|
confluent_mgr=${confluent_mgr#deploy_server_v6: }
|
|
confluent_mgr="[$confluent_mgr]"
|
|
fi
|
|
curl -f https://$confluent_mgr/confluent-public/os/$confluent_profile/scripts/prechroot.sh > /tmp/postinst.sh
|
|
. /tmp/postinst.sh
|
|
|
|
# Hook firstboot.sh
|
|
curl -f https://$confluent_mgr/confluent-public/os/$confluent_profile/scripts/firstboot.service > /mnt/sysimage/etc/systemd/system/firstboot.service
|
|
mkdir -p /mnt/sysimage/opt/confluent/bin
|
|
curl -f https://$confluent_mgr/confluent-public/os/$confluent_profile/scripts/firstboot.sh > /mnt/sysimage/opt/confluent/bin/firstboot.sh
|
|
chmod +x /mnt/sysimage/opt/confluent/bin/firstboot.sh
|
|
%end
|
|
|
|
%post
|
|
cat /etc/confluent/tls/*.pem >> /etc/pki/tls/certs/ca-bundle.crt
|
|
cp /etc/confluent/tls/*.pem /etc/pki/ca-trust/source/anchors
|
|
systemctl enable firstboot
|
|
chgrp ssh_keys /etc/ssh/ssh*key
|
|
restorecon /etc/ssh/ssh*key /root/.shosts /etc/ssh/shosts.equiv /etc/ssh/ssh_config.d/* /opt/confluent/bin/firstboot.sh
|
|
confluent_profile=$(grep ^profile: /etc/confluent/confluent.deploycfg |awk '{print $2}')
|
|
v4cfg=$(grep ^ipv4_method: /etc/confluent/confluent.deploycfg)
|
|
v4cfg=${v4cfg#ipv4_method: }
|
|
if [ "$v4cfg" = "static" ] || [ "$v4cfg" = "dhcp" ]; then
|
|
confluent_mgr=$(grep ^deploy_server: /etc/confluent/confluent.deploycfg)
|
|
confluent_mgr=${confluent_mgr#deploy_server: }
|
|
else
|
|
confluent_mgr=$(grep ^deploy_server_v6: /etc/confluent/confluent.deploycfg)
|
|
confluent_mgr=${confluent_mgr#deploy_server_v6: }
|
|
confluent_mgr="[$confluent_mgr]"
|
|
fi
|
|
curl -f https://$confluent_mgr/confluent-public/os/$confluent_profile/scripts/post.sh > /tmp/postinst.sh
|
|
. /tmp/postinst.sh
|
|
%end
|