# vim: set ft=sh :
# Kickstart for an unattended Fedora install of a Kubernetes node: package
# selection follows in %packages, host configuration in %post.
text
# Base repo plus updates and modular repos via the Fedora metalinks.
# $releasever and $basearch are placeholders expanded by the installer's
# package backend, not by a shell.
url --metalink https://mirrors.fedoraproject.org/metalink?repo=fedora-$releasever&arch=$basearch
repo --name=updates --metalink=https://mirrors.fedoraproject.org/metalink?repo=updates-released-f$releasever&arch=$basearch
repo --name=fedora-modular --metalink=https://mirrors.fedoraproject.org/metalink?repo=fedora-modular-$releasever&arch=$basearch
repo --name=updates-modular --metalink=https://mirrors.fedoraproject.org/metalink?repo=updates-released-modular-f$releasever&arch=$basearch
lang en_US.UTF-8
keyboard us
timezone --utc UTC
# Root is locked and no other user is created, so interactive access relies
# on the SSH key lookup configured in %post.
rootpw --lock
reboot
# Anaconda may only touch vda; the second disk (vdb) is formatted by hand in
# %post, because the installer would otherwise partition it first.
ignoredisk --only-use vda
bootloader --location mbr
clearpart --all --initlabel
reqpart
part /boot --fstype ext4 --size=1024
# Two btrfs volumes: a small "fedora" one holding the root subvolume (made
# read-only in %post) and a "data" one, grown to fill the disk, for
# everything that must stay writable at runtime.
part btrfs.0 --fstype btrfs --size 4096
part btrfs.1 --fstype btrfs --grow
btrfs none --label fedora btrfs.0
btrfs none --label data btrfs.1
btrfs / --subvol --name root LABEL=fedora
btrfs /home --subvol --name home LABEL=data
btrfs /var --subvol --name var LABEL=data
# CNI config and the kubelet plugin directory sit under /etc and /usr, which
# are on the read-only root; give them writable subvolumes of their own.
btrfs /etc/cni/net.d --subvol --name cni-net LABEL=data
btrfs /usr/libexec/kubernetes/kubelet-plugins --subvol --name kubelet-plugins LABEL=data
btrfs /opt --subvol --name opt LABEL=data
%pre
# Write a %packages fragment (pulled in further down via %include) that adds
# the QEMU guest agent only when the DMI system vendor identifies this as a
# KVM/QEMU guest.  Runs in the installer environment before the install
# proper; on machines without that DMI node the vendor is simply empty.
install_qga=0
sys_vendor=$(tr A-Z a-z < /sys/devices/virtual/dmi/id/sys_vendor)
case "${sys_vendor}" in
  kvm|bochs|qemu) install_qga=1 ;;
esac
{
  printf '%s\n' '%packages'
  if [ "${install_qga}" -eq 1 ]; then
    printf '%s\n' 'qemu-guest-agent'
  fi
  printf '%s\n' '%end'
} > /tmp/packages.ks
%end
# %packages fragment written by %pre: adds qemu-guest-agent on KVM/QEMU guests.
%include /tmp/packages.ks
module --name cri-o --stream 1.22
# Lean node image: weak dependencies are skipped here and, for later dnf
# runs, via install_weak_deps=0 in %post.
%packages --exclude-weakdeps
# Dropped from the default set.  Networking is systemd-networkd (see
# "services" below), so NetworkManager and dhcp-client go; firewalld and
# sudo are left out too, and no unprivileged user is created that would
# need sudo.
-NetworkManager
-authconfig
-dhcp-client
-dnf-plugins-core
-dnf-yum
-dracut-config-rescue
-e2fsprogs
-firewalld
-man-db
-openssh-clients
-parted
-plymouth
-sssd-common
-sssd-kcm
-sudo
-yum
-zram-generator
-zram-generator-defaults
# Container runtime, kubelet/kubeadm, an iSCSI initiator (presumably for
# volumes served by Longhorn -- confirm) and networking tools.
# NOTE(review): e2fsprogs appears in both the exclude and include lists; the
# explicit entry is expected to win, and %post relies on mkfs.ext4 -- verify
# on an installed node.
chrony
cri-o
cri-tools
dnf
dnf-command(system-upgrade)
e2fsprogs
ethtool
grubby
iproute-tc
iptables-nft
iscsi-initiator-utils
kitty-terminfo
kubernetes-client
kubernetes-kubeadm
kubernetes-node
openssh-server
rng-tools
selinux-policy-targeted
systemd-networkd
%end
# Runtime and kubelet start at boot; iscsid for block storage, networkd and
# resolved for networking (resolv.conf is linked to resolved in %post).
services --enabled crio,iscsid,kubelet,systemd-networkd,systemd-resolved
%addon com_redhat_kdump --disable
%end
%post --erroronfail
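# Runs chrooted into the freshly installed system.  `%post --erroronfail`
# only looks at this script's final exit status, so without set -e a failed
# sed/mkfs/keygen step would reboot into a half-configured node; fail fast
# on the first broken step instead.
set -e
# dnf/rpm: no weak deps, no deltarpms, no documentation files.
echo 'install_weak_deps=0' >> /etc/dnf/dnf.conf
echo 'deltarpm=0' >> /etc/dnf/dnf.conf
echo '%_excludedocs 1' >> /etc/rpm/macros
# Stop journald from also collecting kernel audit messages.
systemctl mask systemd-journald-audit.socket
# Authorized keys come from the network helper below rather than from
# ~/.ssh/authorized_keys.  The sed rewrites the (commented) stock directives
# wherever they appear on a line; if the shipped sshd_config carries no such
# lines at all, the loop appends them so the setting cannot silently go
# missing.
sed -i \
-e 's:.*AuthorizedKeysCommand .*:AuthorizedKeysCommand /usr/local/libexec/ssh-authorized-keys %u %t:' \
-e 's:.*AuthorizedKeysCommandUser .*:AuthorizedKeysCommandUser nobody:' \
/etc/ssh/sshd_config
for directive in \
  'AuthorizedKeysCommand /usr/local/libexec/ssh-authorized-keys %u %t' \
  'AuthorizedKeysCommandUser nobody'; do
  # "${directive%% *}" is the keyword; match it only at the start of a line.
  grep -q "^${directive%% *} " /etc/ssh/sshd_config \
    || printf '%s\n' "${directive}" >> /etc/ssh/sshd_config
done
cat > /usr/local/libexec/ssh-authorized-keys <<"EOF"
#!/bin/sh
# sshd AuthorizedKeysCommand: prints the public key for the requesting user.
# sshd passes the login name as %u (only for users it has already resolved)
# and the key type offered by the client as %t.
USER="${1}"
KEYTYPE="${2}"
# -f: an HTTP error yields no output and a non-zero status, instead of an
#     error page being handed to sshd as key material.
# -S: report failures on stderr so they end up in sshd's log.
# NOTE(review): plain HTTP -- anyone able to tamper with traffic between the
# node and the key server can substitute key material.  Serve this over
# HTTPS (and have curl verify the server) once the key server offers it.
curl -gsSf http://sshkeys.pyrocufflink.blue/"${USER}"/"${KEYTYPE}".pub
EOF
chmod +x /usr/local/libexec/ssh-authorized-keys
# Label the helper so sshd's domain may execute it.  chcon is not preserved
# across a filesystem relabel; a persistent rule would need `semanage
# fcontext`, which comes from policycoreutils-python-utils and is not in the
# package list.
chcon -t bin_t /usr/local/libexec/ssh-authorized-keys
# Presumably needed so sshd (a login program) may open the outbound
# connection the key helper makes -- confirm against the policy booleans.
setsebool -NP authlogin_yubikey on
# Networking is systemd-networkd only: drop the legacy ifcfg tree and DHCP
# every wired interface; DNS goes through systemd-resolved.
rm -rf /etc/sysconfig/network-scripts /etc/sysconfig/network
cat > /etc/systemd/network/99-default.network <<EOF
[Match]
Name=en*
Type=ether
[Network]
DHCP=true
EOF
ln -sf /run/systemd/resolve/resolv.conf /etc/resolv.conf
# Generate SSH host keys before first boot, since / will be read-only then
/usr/libexec/openssh/sshd-keygen ecdsa
/usr/libexec/openssh/sshd-keygen ed25519
/usr/libexec/openssh/sshd-keygen rsa
# Kernel prerequisites for kube-proxy/CNI: bridged traffic must pass through
# iptables, and the node must forward packets.
cat > /etc/modules-load.d/k8s.conf <<'EOF'
br_netfilter
EOF
cat > /etc/sysctl.d/k8s.conf <<'EOF'
# Required for Kubernetes
net.bridge.bridge-nf-call-iptables = 1
net.bridge.bridge-nf-call-ip6tables = 1
net.ipv4.ip_forward = 1
EOF
# Container storage driver: match the btrfs root filesystem.
sed -i 's/^driver = .*/driver = "btrfs"/' /etc/containers/storage.conf
# Anaconda always creates a partition on the disk and formats that, instead of
# just formatting the whole disk. This makes it difficult to extend the disk
# later. The only way to use the whole disk is to format it ourselves.
# (vdb is kept away from Anaconda by `ignoredisk --only-use vda` above.)
# With set -e, a missing or unformattable vdb aborts the install rather than
# producing a node without its Longhorn disk.
mkfs.ext4 -L longhorn /dev/vdb
mkdir -p /var/lib/longhorn
mount LABEL=longhorn /var/lib/longhorn
chcon -t container_var_lib_t /var/lib/longhorn
echo 'LABEL=longhorn /var/lib/longhorn ext4 defaults 0 0' >> /etc/fstab
# Enable read-only rootfs. This cannot be done with part/logvol, as that would
# make Anaconda mount it read-only before the installation starts.
sed -i -r '/\S+\s+\/\s+/s/subvol=root/ro,&/' /etc/fstab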
%end