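# vim: set ft=sh :
#
# Anaconda kickstart for an unattended Fedora install of a Kubernetes node
# (CRI-O, kubeadm, kubelet).  The system is installed on vda with LVM; vdb is
# formatted in %post as the Longhorn data volume.  The root password is locked
# and SSH public keys are looked up at login time by an AuthorizedKeysCommand
# helper written in %post.

text
url --metalink https://mirrors.fedoraproject.org/metalink?repo=fedora-$releasever&arch=$basearch
repo --name=updates --metalink=https://mirrors.fedoraproject.org/metalink?repo=updates-released-f$releasever&arch=$basearch
repo --name=fedora-modular --metalink=https://mirrors.fedoraproject.org/metalink?repo=fedora-modular-$releasever&arch=$basearch
repo --name=updates-modular --metalink=https://mirrors.fedoraproject.org/metalink?repo=updates-released-modular-f$releasever&arch=$basearch

lang en_US.UTF-8
keyboard us
timezone --utc UTC
rootpw --lock
reboot

ignoredisk --only-use vda
bootloader --location mbr
clearpart --all --initlabel
reqpart
part /boot --fstype ext4 --size=512
part pv.01 --size=1 --grow
volgroup fedora pv.01
logvol / --fstype ext4 --name=root --vgname=fedora --size=4096
logvol /home --fstype ext4 --name=home --vgname=fedora --size=100
logvol /var --fstype ext4 --name=var --vgname=fedora --size=1024 --grow
logvol /var/log --fstype ext4 --name=var_log --vgname=fedora --size=1024
logvol /var/lib/.k8s --fstype ext4 --name=k8s --vgname=fedora --size=512

# Build an extra %packages section at install time: qemu-guest-agent is only
# added when the DMI system vendor identifies a KVM/Bochs/QEMU guest.
%pre
echo '%packages' > /tmp/packages.ks
sys_vendor=$(tr 'A-Z' 'a-z' < /sys/devices/virtual/dmi/id/sys_vendor)
case "${sys_vendor}" in
kvm|bochs|qemu)
    install_qga=1
    ;;
esac
if [ "${install_qga:-0}" -eq 1 ]; then
    echo 'qemu-guest-agent' >> /tmp/packages.ks
fi
echo '%end' >> /tmp/packages.ks
%end

%include /tmp/packages.ks

module --name cri-o --stream 1.22

# NOTE(review): e2fsprogs is both excluded (-e2fsprogs) and requested in the
# list below.  Confirm which entry the installer honours; the %post script
# calls mkfs.ext4 and so depends on it being installed.
# firewalld and sudo are excluded, so the installed system has no host
# firewall service from this file; presumably packet filtering is left to the
# cluster's own iptables rules -- confirm.
%packages --exclude-weakdeps
-NetworkManager
-authconfig
-dhcp-client
-dnf-plugins-core
-dnf-yum
-dracut-config-rescue
-e2fsprogs
-firewalld
-man-db
-openssh-clients
-parted
-plymouth
-sssd-common
-sssd-kcm
-sudo
-yum
-zram-generator
-zram-generator-defaults
chrony
cri-o
cri-tools
dnf
dnf-command(system-upgrade)
e2fsprogs
ethtool
grubby
iproute-tc
iptables-nft
iscsi-initiator-utils
kitty-terminfo
kubernetes-client
kubernetes-kubeadm
kubernetes-node
openssh-server
rng-tools
selinux-policy-targeted
systemd-networkd
%end

services --enabled crio,iscsid,kubelet,systemd-networkd,systemd-resolved

%addon com_redhat_kdump --disable
%end

# NOTE(review): --erroronfail acts on the exit status of the script, which is
# that of its last command (the sed at the end).  There is no `set -e`, so a
# failure in an earlier step (writing the SSH helper, mkfs, mount, ...) does
# not stop the installation.  Consider `set -e` once every step is known to
# succeed inside the installer environment.
%post --erroronfail
echo 'install_weak_deps=0' >> /etc/dnf/dnf.conf
echo 'deltarpm=0' >> /etc/dnf/dnf.conf
echo '%_excludedocs 1' >> /etc/rpm/macros

systemctl mask systemd-journald-audit.socket

# Point sshd at a helper that returns the authorized keys for the user (%u)
# and key type (%t) being authenticated.
sed -i \
    -e 's:.*AuthorizedKeysCommand .*:AuthorizedKeysCommand /usr/local/libexec/ssh-authorized-keys %u %t:' \
    -e 's:.*AuthorizedKeysCommandUser .*:AuthorizedKeysCommandUser nobody:' \
    /etc/ssh/sshd_config

# The output of this helper decides who may log in, and it is fetched over
# plain HTTP: anything able to tamper with that connection or with name
# resolution for the key server can supply its own public key.
# NOTE(review): serve the key endpoint over HTTPS and change the URL below
# once it is available.
# -f keeps an HTTP error page from being handed to sshd as key data, and
# --max-time bounds how long a login can block on the key server.
cat > /usr/local/libexec/ssh-authorized-keys <<"EOF"
#!/bin/sh
USER="${1}"
KEYTYPE="${2}"
curl -gsf --max-time 10 http://sshkeys.pyrocufflink.blue/"${USER}"/"${KEYTYPE}".pub
EOF
# sshd only runs an AuthorizedKeysCommand that is owned by root and not
# writable by group or others, so set the mode explicitly instead of relying
# on the umask.
chmod 0755 /usr/local/libexec/ssh-authorized-keys
chcon -t bin_t /usr/local/libexec/ssh-authorized-keys

setsebool -NP authlogin_yubikey on

rm -rf /etc/sysconfig/network-scripts /etc/sysconfig/network

# NOTE(review): the listing is damaged at this point.  The page shows
#   cat > /etc/systemd/network/99-default.network < /etc/modules-load.d/k8s.conf <<'EOF'
# which looks like two commands fused together: the heredoc body for
# 99-default.network and the start of the next `cat` are missing.  The network
# file contents cannot be recovered from the page and must be restored from
# the original kickstart; without them systemd-networkd has no configuration
# from this file.
# TODO: restore `cat > /etc/systemd/network/99-default.network` and its body.

cat > /etc/modules-load.d/k8s.conf <<'EOF'
br_netfilter
EOF
cat > /etc/sysctl.d/k8s.conf <<'EOF'
# Required for Kubernetes
net.bridge.bridge-nf-call-iptables = 1
net.bridge.bridge-nf-call-ip6tables = 1
net.ipv4.ip_forward = 1
EOF

# Anaconda does not provide any way to express bind mounts
# NOTE(review): only the mount points are created here; the bind sources under
# /var/lib/.k8s are not created anywhere in this listing.  Confirm they exist
# before the first boot.
mkdir -p /etc/cni/net.d
mkdir -p /opt/cni
mkdir -p /usr/libexec/kubernetes/kubelet-plugins
cat >> /etc/fstab <<'EOF'
/var/lib/.k8s/cni-net.d /etc/cni/net.d none bind 0 0
/var/lib/.k8s/cni-bin /opt/cni none bind 0 0
/var/lib/.k8s/kubelet-plugins /usr/libexec/kubernetes/kubelet-plugins none bind 0 0
EOF

# Anaconda always creates a partition on the disk and formats that, instead of
# just formatting the whole disk.  This makes it difficult to extend the disk
# later.  The only way to use the whole disk is to format it ourselves.
# NOTE(review): /dev/vdb is formatted unconditionally, so re-running this
# kickstart on a machine that already has a Longhorn data disk erases it.
mkfs.ext4 -L longhorn /dev/vdb
mkdir -p /var/lib/longhorn
mount LABEL=longhorn /var/lib/longhorn
chcon -t container_var_lib_t /var/lib/longhorn
echo 'LABEL=longhorn /var/lib/longhorn ext4 defaults 0 0' >> /etc/fstab

# Enable read-only rootfs.  This cannot be done with part/logvol, as that would
# make Anaconda mount it read-only before the installation starts.
sed -i -r '/\S+\s+\/\s+/s/defaults/ro/' /etc/fstab
%end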