infra
/
kubernetes
1
0
Fork 0
Code Pull Requests 4 Activity
kubernetes/setup/fedora-k8s-node.ks

165 lines
4.5 KiB
Bash
Raw Permalink Blame History

# vim: set ft=sh :
text
url --metalink https://mirrors.fedoraproject.org/metalink?repo=fedora-$releasever&arch=$basearch
repo --name=updates --metalink=https://mirrors.fedoraproject.org/metalink?repo=updates-released-f$releasever&arch=$basearch
repo --name=fedora-modular --metalink=https://mirrors.fedoraproject.org/metalink?repo=fedora-modular-$releasever&arch=$basearch
repo --name=updates-modular --metalink=https://mirrors.fedoraproject.org/metalink?repo=updates-released-modular-f$releasever&arch=$basearch
lang en_US.UTF-8
keyboard us
timezone --utc UTC
rootpw --lock
reboot
ignoredisk --only-use vda
bootloader --location mbr
clearpart --all --initlabel
reqpart
part /boot --fstype ext4 --size=512
part pv.01 --size=1 --grow
volgroup fedora pv.01
logvol / --fstype ext4 --name=root --vgname=fedora --size=4096
logvol /home --fstype ext4 --name=home --vgname=fedora --size=100
logvol /var --fstype ext4 --name=var --vgname=fedora --size=1024 --grow
logvol /var/log --fstype ext4 --name=var_log --vgname=fedora --size=1024
logvol /var/lib/.k8s --fstype ext4 --name=k8s --vgname=fedora --size=512
%pre
echo '%packages' > /tmp/packages.ks
sys_vendor=$(tr A-Z a-z < /sys/devices/virtual/dmi/id/sys_vendor)
case "${sys_vendor}" in
kvm|bochs|qemu)
install_qga=1
;;
esac
if [ ${install_qga:-0} -eq 1 ]; then
echo 'qemu-guest-agent' >> /tmp/packages.ks
fi
echo '%end' >> /tmp/packages.ks
%end
%include /tmp/packages.ks
module --name cri-o --stream 1.22
%packages --exclude-weakdeps
-NetworkManager
-authconfig
-dhcp-client
-dnf-plugins-core
-dnf-yum
-dracut-config-rescue
-e2fsprogs
-firewalld
-man-db
-openssh-clients
-parted
-plymouth
-sssd-common
-sssd-kcm
-sudo
-yum
-zram-generator
-zram-generator-defaults
chrony
cri-o
cri-tools
dnf
dnf-command(system-upgrade)
e2fsprogs
ethtool
grubby
iproute-tc
iptables-nft
iscsi-initiator-utils
kitty-terminfo
kubernetes-client
kubernetes-kubeadm
kubernetes-node
openssh-server
rng-tools
selinux-policy-targeted
systemd-networkd
%end
services --enabled crio,iscsid,kubelet,systemd-networkd,systemd-resolved
%addon com_redhat_kdump --disable
%end
%post --erroronfail
echo 'install_weak_deps=0' >> /etc/dnf/dnf.conf
echo 'deltarpm=0' >> /etc/dnf/dnf.conf
echo '%_excludedocs 1' >> /etc/rpm/macros
systemctl mask systemd-journald-audit.socket
sed -i \
-e 's:.*AuthorizedKeysCommand .*:AuthorizedKeysCommand /usr/local/libexec/ssh-authorized-keys %u %t:' \
-e 's:.*AuthorizedKeysCommandUser .*:AuthorizedKeysCommandUser nobody:' \
/etc/ssh/sshd_config
cat > /usr/local/libexec/ssh-authorized-keys <<"EOF"
#!/bin/sh
USER="${1}"
KEYTYPE="${2}"
curl -gs http://sshkeys.pyrocufflink.blue/"${USER}"/"${KEYTYPE}".pub
EOF
chmod +x /usr/local/libexec/ssh-authorized-keys
chcon -t bin_t /usr/local/libexec/ssh-authorized-keys
setsebool -NP authlogin_yubikey on
rm -rf /etc/sysconfig/network-scripts /etc/sysconfig/network
cat > /etc/systemd/network/99-default.network <<EOF
[Match]
Name=en*
Type=ether
[Network]
DHCP=true
EOF
ln -sf /run/systemd/resolve/resolv.conf /etc/resolv.conf
# Generate SSH host keys before first boot, since / will be read-only then
/usr/libexec/openssh/sshd-keygen ecdsa
/usr/libexec/openssh/sshd-keygen ed25519
/usr/libexec/openssh/sshd-keygen rsa
printf 'InitiatorName=%s\n' "$(/usr/sbin/iscsi-iname)" \
> /etc/iscsi/initiatorname.iscsi
cat > /etc/modules-load.d/k8s.conf <<'EOF'
br_netfilter
EOF
cat > /etc/sysctl.d/k8s.conf <<'EOF'
# Required for Kubernetes
net.bridge.bridge-nf-call-iptables = 1
net.bridge.bridge-nf-call-ip6tables = 1
net.ipv4.ip_forward = 1
EOF
# Anaconda does not provide any way to express bind mounts
mkdir -p /etc/cni/net.d
mkdir -p /opt/cni
mkdir -p /usr/libexec/kubernetes/kubelet-plugins
cat >> /etc/fstab <<'EOF'
/var/lib/.k8s/cni-net.d /etc/cni/net.d none bind 0 0
/var/lib/.k8s/cni-bin /opt/cni none bind 0 0
/var/lib/.k8s/kubelet-plugins /usr/libexec/kubernetes/kubelet-plugins none bind 0 0
EOF
# Anaconda always creates a partition on the disk and formats that, instead of
# just formatting the whole disk. This makes it difficult to extend the disk
# later. The only way to use the whole disk is to format it ourselves.
mkfs.ext4 -L longhorn /dev/vdb
mkdir -p /var/lib/longhorn
mount LABEL=longhorn /var/lib/longhorn
chcon -t container_var_lib_t /var/lib/longhorn
echo 'LABEL=longhorn /var/lib/longhorn ext4 defaults 0 0' >> /etc/fstab
# Enable read-only rootfs. This cannot be done with part/logvol, as that would
# make Anaconda mount it read-only befor the installation starts.
sed -i -r '/\S+\s+\/\s+/s/defaults/ro/' /etc/fstab
%end
View Git Blame Copy Permalink