# vim: set ft=sh :
# Kickstart for a Fedora Kubernetes node (the file name suggests a control-plane
# host). Fully unattended: text-mode install, no root password, reboot at the
# end. Package selection lives in %packages (plus a fragment generated by %pre),
# node configuration in %post.
text
# Install tree plus the updates/modular repositories, all resolved through the
# Fedora metalink service; $releasever and $basearch are filled in by Anaconda.
url --metalink https://mirrors.fedoraproject.org/metalink?repo=fedora-$releasever&arch=$basearch
repo --name=updates --metalink=https://mirrors.fedoraproject.org/metalink?repo=updates-released-f$releasever&arch=$basearch
repo --name=fedora-modular --metalink=https://mirrors.fedoraproject.org/metalink?repo=fedora-modular-$releasever&arch=$basearch
repo --name=updates-modular --metalink=https://mirrors.fedoraproject.org/metalink?repo=updates-released-modular-f$releasever&arch=$basearch
lang en_US.UTF-8
keyboard us
timezone --utc UTC
# Root is locked: no password login at all. The only intended access path is
# SSH with keys resolved by the AuthorizedKeysCommand installed in %post, so a
# broken key lookup yields a node nobody can log in to.
rootpw --lock
reboot
bootloader --location mbr
# Wipe the disk, let Anaconda add any platform-required partitions (reqpart),
# then put everything else into one LVM volume group.
clearpart --all --initlabel
reqpart
part /boot --fstype ext4 --size=512
part pv.01 --size=1 --grow
volgroup fedora pv.01
# Separate volumes keep container state (/var) and logs (/var/log) off the
# root volume, which %post switches to read-only; /home is tiny (100 MiB),
# consistent with no interactive users being expected.
logvol / --fstype ext4 --name=root --vgname=fedora --size=4096
logvol /home --fstype ext4 --name=home --vgname=fedora --size=100
logvol /var --fstype ext4 --name=var --vgname=fedora --size=1024 --grow
logvol /var/log --fstype ext4 --name=var_log --vgname=fedora --size=1024
# Writable backing store for the CNI and kubelet-plugin directories that sit
# under the read-only root; %post bind-mounts it into place via /etc/fstab.
logvol /var/lib/.k8s --fstype ext4 --name=k8s --vgname=fedora --size=512
# Pre-install script: writes /tmp/packages.ks, which is %included below.
%pre
# Build a %packages fragment for the %include that follows: pull in the QEMU
# guest agent only when the DMI vendor string identifies a KVM/QEMU/Bochs
# guest. The vendor string is lower-cased so the match is case-insensitive.
fragment=/tmp/packages.ks
vendor=$(tr A-Z a-z < /sys/devices/virtual/dmi/id/sys_vendor)
{
  echo '%packages'
  case "${vendor}" in
    kvm|bochs|qemu) echo 'qemu-guest-agent' ;;
  esac
  echo '%end'
} > "${fragment}"
%end
# Extra %packages section written by the %pre script above (adds
# qemu-guest-agent on KVM/QEMU guests).
%include /tmp/packages.ks
# CRI-O 1.22 module stream supplies the cri-o/cri-tools packages listed below.
module --name cri-o --stream 1.22
# --exclude-weakdeps keeps the image minimal; the leading '-' entries drop
# packages the default selection would otherwise pull in.
%packages --exclude-weakdeps
# Networking is systemd-networkd/resolved (enabled below), so NetworkManager
# and the ISC dhcp client are excluded; %post also removes /etc/sysconfig/network*.
-NetworkManager
-authconfig
-dhcp-client
-dnf-plugins-core
-dnf-yum
-dracut-config-rescue
# Note: e2fsprogs provides e2fsck for the ext4 volumes defined above; without
# it the node cannot run a filesystem check itself.
-e2fsprogs
# No firewalld; presumably packet filtering is left to kube-proxy/CNI through
# iptables-nft below.
-firewalld
-man-db
-openssh-clients
-parted
-plymouth
-sssd-common
-sssd-kcm
# No sudo; presumably root is the only account and is reached directly via
# SSH key (see the AuthorizedKeysCommand in %post).
-sudo
-yum
-zram-generator
-zram-generator-defaults
chrony
cri-o
cri-tools
dnf
dnf-command(system-upgrade)
ethtool
grubby
iproute-tc
iptables-nft
kitty-terminfo
kubernetes-client
kubernetes-kubeadm
kubernetes-node
openssh-server
rng-tools
selinux-policy-targeted
systemd-networkd
%end
# Start the container runtime and kubelet at boot alongside networkd/resolved.
services --enabled crio,kubelet,systemd-networkd,systemd-resolved
%addon com_redhat_kdump --disable
%end
# Post-install configuration, run chrooted into the installed system; a
# non-zero exit status from the script aborts the installation.
%post --erroronfail
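# Runs chrooted into the freshly installed system. --erroronfail only looks at
# the script's final exit status, so without this an early failure (e.g. the
# sshd_config edit) would be masked by whichever command happens to run last.
set -eu

# dnf/rpm tuning for a small node image: no weak deps, no delta RPMs, no docs.
echo 'install_weak_deps=0' >> /etc/dnf/dnf.conf
echo 'deltarpm=0' >> /etc/dnf/dnf.conf
echo '%_excludedocs 1' >> /etc/rpm/macros
systemctl mask systemd-journald-audit.socket

# Point sshd at the key-lookup helper installed below. Both substitutions rely
# on the stock sshd_config shipping the (commented-out) directives; sed is a
# silent no-op if they are absent, and with root locked that would leave a
# node nobody can log in to, so verify that the edit actually took effect.
sed -i \
  -e 's:.*AuthorizedKeysCommand .*:AuthorizedKeysCommand /usr/local/libexec/ssh-authorized-keys %u %t:' \
  -e 's:.*AuthorizedKeysCommandUser .*:AuthorizedKeysCommandUser nobody:' \
  /etc/ssh/sshd_config
grep -qxF 'AuthorizedKeysCommand /usr/local/libexec/ssh-authorized-keys %u %t' /etc/ssh/sshd_config
grep -qxF 'AuthorizedKeysCommandUser nobody' /etc/ssh/sshd_config

# Key lookup helper: sshd runs it as "<script> %u %t" and reads authorized keys
# from its stdout. The key server is contacted over plain HTTP, so the list of
# who may log in is only as trustworthy as the network path to
# sshkeys.pyrocufflink.blue; serve it over TLS (or verify a signature on the
# response) before these nodes are reachable from untrusted networks. -f makes
# curl exit non-zero and print nothing on an HTTP error, so an error page is
# never handed to sshd as a key list (fail closed). A --max-time would also keep
# a stalled key server from stalling every login.
cat > /usr/local/libexec/ssh-authorized-keys <<"EOF"
#!/bin/sh
USER="${1}"
KEYTYPE="${2}"
curl -gsf http://sshkeys.pyrocufflink.blue/"${USER}"/"${KEYTYPE}".pub
EOF
chmod +x /usr/local/libexec/ssh-authorized-keys
chcon -t bin_t /usr/local/libexec/ssh-authorized-keys
setsebool -NP authlogin_yubikey on

# systemd-networkd replaces NetworkManager (excluded in %packages): DHCP on
# every wired en* interface; resolv.conf is the one written by systemd-resolved.
rm -rf /etc/sysconfig/network-scripts /etc/sysconfig/network
cat > /etc/systemd/network/99-default.network <<'EOF'
[Match]
Name=en*
Type=ether
[Network]
DHCP=true
EOF
ln -sf /run/systemd/resolve/resolv.conf /etc/resolv.conf

# Generate SSH host keys before first boot, since / will be read-only then
for keytype in ecdsa ed25519 rsa; do
  /usr/libexec/openssh/sshd-keygen "${keytype}"
done

# Kernel settings Kubernetes requires: bridged traffic through netfilter and
# IPv4 forwarding enabled.
cat > /etc/modules-load.d/k8s.conf <<'EOF'
br_netfilter
EOF
cat > /etc/sysctl.d/k8s.conf <<'EOF'
# Required for Kubernetes
net.bridge.bridge-nf-call-iptables = 1
net.bridge.bridge-nf-call-ip6tables = 1
net.ipv4.ip_forward = 1
EOF

# Anaconda does not provide any way to express bind mounts. The writable
# /var/lib/.k8s volume backs three directories that live under the read-only
# root. mount(8) needs both ends of a bind mount to exist, so create the
# sources as well as the mount points (a no-op if they were populated already).
mkdir -p /etc/cni/net.d /opt/cni /usr/libexec/kubernetes/kubelet-plugins
mkdir -p /var/lib/.k8s/cni-net.d /var/lib/.k8s/cni-bin /var/lib/.k8s/kubelet-plugins
cat >> /etc/fstab <<'EOF'
/var/lib/.k8s/cni-net.d /etc/cni/net.d none bind 0 0
/var/lib/.k8s/cni-bin /opt/cni none bind 0 0
/var/lib/.k8s/kubelet-plugins /usr/libexec/kubernetes/kubelet-plugins none bind 0 0
EOF

# Enable read-only rootfs. This cannot be done with part/logvol, as that would
# make Anaconda mount it read-only before the installation starts.
sed -i -r '/\S+\s+\/\s+/s/defaults/ro/' /etc/fstab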
%end