# fedora-livecd-ovirt-node.ks
#
# Description:
# - a small scaled down version of Fedora used solely to hosts virtual machine guests
#
# Maintainers:
# - Joey Boggs <jboggs@redhat.com>
# - Alan Pevec <apevec@redhat.com>
# - Mike Burns <mburns@redhat.com>

repo --name=rawhide --mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=rawhide&arch=$basearch
#repo --name=fedora --mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=fedora-$releasever&arch=$basearch
#repo --name=updates --mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=updates-released-f$releasever&arch=$basearch
#repo --name=updates-testing --mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=updates-testing-f$releasever&arch=$basearch

device virtio_blk
device virtio_pci
device scsi_wait_scan
device dm-multipath
device dm-round-robin
device dm-emc
device dm-rdac
device dm-hp-sw
device scsi_dh_rdac
device 3w-9xxx
device 3w-sas
device 3w-xxxx
device a100u2w
device aacraid
device aic79xx
device aic94xx
device arcmsr
device atp870u
device be2iscsi
device bfa
device BusLogic
device cciss
device cxgb3i
device dc395x
device fnic
device gdth
device hpsa
device hptiop
device imm
device initio
device ips
device libosd
device libsas
device libsrp
device lpfc
device megaraid
device megaraid_mbox
device megaraid_mm
device megaraid_sas
device mpt2sas
device mvsas
device osd
device osst
device pm8001
device pmcraid
device qla1280
device qla2xxx
device qla4xxx
device qlogicfas408
device stex
device tmscsim
# System authorization information
auth --useshadow --enablemd5
# System keyboard
keyboard us
# System language
lang en_US.UTF-8
# SELinux configuration
selinux --enforcing
# Installation logging level
logging --level=info
# Firewall configuration
firewall --disabled
# System services
services --enabled="auditd,ntpd,ntpdate,iptables,network,rsyslog,multipathd,snmpd,ovirt-early,ovirt,ovirt-post,anyterm,collectd,libvirt-qpid"
# System timezone
timezone --isUtc UTC
# System bootloader configuration
bootloader --append="nomodeset check rootflags=ro crashkernel=512M-2G:64M,2G-:128M elevator=deadline processor.max_cstate=1 install quiet" --location=mbr --timeout=30
# Disk partitioning information
part / --fstype="ext2" --size=1024

%post
# -*-Shell-script-*-
echo "Starting Kickstart Post"
PATH=/sbin:/usr/sbin:/bin:/usr/bin
export PATH

# cleanup rpmdb to allow non-matching host and chroot RPM versions
rm -f /var/lib/rpm/__db*

echo "Creating shadow files"
# because we aren't installing authconfig, we aren't setting up shadow
# and gshadow properly.  Do it by hand here
pwconv
grpconv

# set SELinux booleans
# rhbz#502779 restrict certain memory protection operations
#     keep allow_execmem on for grub
# rhbz#642209 allow virt images on NFS
semanage  boolean -m -S targeted -F /dev/stdin  << \EOF_semanage
allow_execstack=0
virt_use_nfs=1
EOF_semanage

# make sure we don't autostart virbr0 on libvirtd startup
rm -f /etc/libvirt/qemu/networks/autostart/default.xml

# remove the /etc/krb5.conf file; it will be fetched on bootup
rm -f /etc/krb5.conf

# Remove the default logrotate daily cron job
# since we run it every 10 minutes instead.
rm -f /etc/cron.daily/logrotate

# root's bash profile
cat >> /root/.bashrc << \EOF_bashrc
# aliases used for the temporary
function mod_vi() {
  /bin/vi $@
  restorecon -v $@
}
alias vi="mod_vi"
alias ping='ping -c 3'
export MALLOC_CHECK_=1
EOF_bashrc

# directories required in the image with the correct perms
# config persistance currently handles only regular files
mkdir -p /root/.ssh
chmod 700 /root/.ssh
mkdir -p /boot
mkdir -p /boot-kdump
mkdir -p /config
mkdir -p /data
mkdir -p /data2
mkdir -p /live
mkdir -p /liveos
mkdir -p /root/.uml
mkdir -p /var/cache/multipathd
touch /var/lib/random-seed
echo "/dev/HostVG/Config /config ext4 defaults,noauto,noatime 0 0" >> /etc/fstab

# prepare for STATE_MOUNT in rc.sysinit
augtool << \EOF_readonly-root
set /files/etc/sysconfig/readonly-root/STATE_LABEL CONFIG
set /files/etc/sysconfig/readonly-root/STATE_MOUNT /config
set /files/etc/sysconfig/readonly-root/READONLY yes
save
EOF_readonly-root

# comment out /etc/* entries in rwtab to prevent overlapping mounts
sed -i '/^files	\/etc*/ s/^/#/' /etc/rwtab
cat > /etc/rwtab.d/ovirt << \EOF_rwtab_ovirt
files	/etc
dirs	/var/lib/multipath
dirs	/var/lib/net-snmp
dirs    /var/lib/dnsmasq
files	/root/.ssh
dirs	/root/.uml
files	/var/cache/libvirt
files	/var/empty/sshd/etc/localtime
files	/var/lib/libvirt
files   /var/lib/multipath
files   /var/cache/multipathd
empty	/mnt
empty	/live
empty	/boot
empty	/boot-kdump
EOF_rwtab_ovirt

#use all hard-coded defaults for multipath
cat /dev/null > /etc/multipath.conf

# fix iSCSI/LVM startup issue
sed -i 's/node\.session\.initial_login_retry_max.*/node.session.initial_login_retry_max = 60/' /etc/iscsi/iscsid.conf

#lvm.conf should use /dev/mapper and /dev/sdX devices
# and not /dev/dm-X devices
sed -i 's/preferred_names = \[ "^\/dev\/mpath\/", "^\/dev\/mapper\/mpath", "^\/dev\/\[hs\]d" \]/preferred_names = \[ "^\/dev\/mapper", "^\/dev\/\[hsv\]d" \]/g' /etc/lvm/lvm.conf

# unset AUDITD_LANG to prevent boot errors
sed -i '/^AUDITD_LANG*/ s/^/#/' /etc/sysconfig/auditd

# kdump configuration
augtool << \EOF_kdump
set /files/etc/sysconfig/kdump/KDUMP_BOOTDIR /boot-kdump
set /files/etc/sysconfig/kdump/MKDUMPRD_ARGS --allow-missing
save
EOF_kdump

echo 'OPTIONS="-v -Lf /dev/null"' >> /etc/sysconfig/snmpd
cat > /etc/snmp/snmpd.conf << \EOF_snmpd
master agentx
dontLogTCPWrappersConnects yes
rwuser root auth .1
EOF_snmpd

# add admin user for configuration ui
useradd admin
usermod -G wheel admin
usermod -s /usr/libexec/ovirt-admin-shell admin
echo "%wheel	ALL=(ALL)	NOPASSWD: ALL" >> /etc/sudoers

# load modules required by crypto swap
cat > /etc/sysconfig/modules/swap-crypt.modules << \EOF_swap-crypt
#!/bin/sh

modprobe aes >/dev/null 2>&1
modprobe dm_mod >/dev/null 2>&1
modprobe dm_crypt >/dev/null 2>&1
modprobe cryptoloop >/dev/null 2>&1
modprobe cbc >/dev/null 2>&1
modprobe sha256 >/dev/null 2>&1

EOF_swap-crypt
chmod +x /etc/sysconfig/modules/swap-crypt.modules

#strip out all unncesssary locales
localedef --list-archive | grep -v -i -E 'en_US.utf8' |xargs localedef --delete-from-archive
mv /usr/lib/locale/locale-archive /usr/lib/locale/locale-archive.tmpl
/usr/sbin/build-locale-archive

# use static RPC ports, to avoid collisions
augtool << \EOF_nfs
set /files/etc/sysconfig/nfs/RQUOTAD_PORT 875
set /files/etc/sysconfig/nfs/LOCKD_TCPPORT 32803
set /files/etc/sysconfig/nfs/LOCKD_UDPPORT 32769
set /files/etc/sysconfig/nfs/MOUNTD_PORT 892
set /files/etc/sysconfig/nfs/STATD_PORT 662
set /files/etc/sysconfig/nfs/STATD_OUTGOING_PORT 2020
save
EOF_nfs

cat >> /etc/rc.d/rc.local << \EOF_rc.local
. /usr/libexec/ovirt-functions

# successfull boot from /dev/HostVG/Root
if grep -q -w root=live:LABEL=Root /proc/cmdline; then
    # set first boot entry as permanent default
    ln -snf /dev/.initramfs/live/grub /boot/grub
    mount -o rw,remount LABEL=Root /dev/.initramfs/live > /tmp/grub-savedefault.log 2>&1
    echo "savedefault --default=0" | grub >> /tmp/grub-savedefault.log 2>&1
    mount -o ro,remount LABEL=Root /dev/.initramfs/live >> /tmp/grub-savedefault.log 2>&1
fi

# remove old persisted lvm.conf
if is_persisted /etc/lvm/lvm.conf; then
  remove_config /etc/lvm/lvm.conf
  # should be only one, loop just in case
  for rpmnew in /etc/lvm/lvm.conf.rpmnew-*
  do
    cp -pv "$rpmnew" /etc/lvm/lvm.conf
  done
  pvscan
fi
EOF_rc.local


# XXX someting is wrong with readonly-root and dracut
# see modules.d/95rootfs-block/mount-root.sh
sed -i "s/defaults,noatime/defaults,ro,noatime/g" /etc/fstab
# ovirt-install-node-stateless
# ovirt_setup_libvirtd()
    # just to get a boot warning to shut up
    touch /etc/resolv.conf

    # make libvirtd listen on the external interfaces
    sed -i -e 's/^#\(LIBVIRTD_ARGS="--listen"\).*/\1/' \
       /etc/sysconfig/libvirtd

    # set up qemu daemon to allow outside VNC connections
    sed -i -e 's/^[[:space:]]*#[[:space:]]*\(vnc_listen = "0.0.0.0"\).*/\1/' \
       /etc/libvirt/qemu.conf
    # set up libvirtd to listen on TCP (for kerberos)
    sed -i -e "s/^[[:space:]]*#[[:space:]]*\(listen_tcp\)\>.*/\1 = 1/" \
       -e "s/^[[:space:]]*#[[:space:]]*\(listen_tls\)\>.*/\1 = 0/" \
       /etc/libvirt/libvirtd.conf

    # with libvirt (0.4.0), make sure we we setup gssapi in the mech_list
    sasl_conf=/etc/sasl2/libvirt.conf
    if ! grep -qE "^mech_list: gssapi" $sasl_conf ; then
       sed -i -e "s/^\([[:space:]]*mech_list.*\)/#\1/" $sasl_conf
       echo "mech_list: gssapi" >> $sasl_conf
    fi

#ovirt_setup_anyterm()
   # configure anyterm
   cat >> /etc/sysconfig/anyterm << \EOF_anyterm
ANYTERM_CMD="sudo /usr/bin/virsh console %p"
ANYTERM_LOCAL_ONLY=false
EOF_anyterm

   # permit it to run the virsh console
   echo "anyterm ALL=NOPASSWD: /usr/bin/virsh console *" >> /etc/sudoers

# rwtab changes from upstream
patch -d /etc/ -p1 << \EOF_PATCH
diff --git a/rwtab b/rwtab
index cfcb814..7dcb846 100644
--- a/rwtab
+++ b/rwtab
@@ -1,9 +1,7 @@
 dirs	/var/cache/man
 dirs	/var/gdm
 dirs	/var/lib/xkb
-dirs	/var/lock
 dirs	/var/log
-dirs	/var/run
 dirs	/var/puppet
 dirs	/var/lib/dbus
 dirs	/var/lib/nfs
@@ -25,7 +23,6 @@ empty /var/lib/pulse
 empty	/var/lib/ups
 empty	/var/tmp
 empty	/var/tux
-empty	/media

 files	/etc/adjtime
 files	/etc/ntp.conf
EOF_PATCH

# systemd configuration
# set default runlevel to multi-user(3)

rm -rf /etc/systemd/system/default.target
ln -sf /lib/systemd/system/multi-user.target /etc/systemd/system/default.target

# setup ovirt-firstboot multi-user dependency
cat >> /lib/systemd/system/ovirt-firstboot.service << \EOF_firstboot
[Unit]
Description=firstboot configuration program (text mode)
After=livesys.service plymouth-quit.service
Before=systemd-user-sessions.service

[Service]
Environment=RUNLEVEL=3
ExecStart=/etc/init.d/ovirt-firstboot start
TimeoutSec=0
RemainAfterExit=yes
Type=oneshot
SysVStartPriority=99
StandardInput=tty

[Install]
WantedBy=multi-user.target
EOF_firstboot

systemctl enable ovirt-firstboot.service >/dev/null 2>&1

# force /dev/root to mount read only or systemd will remount as default options
sed -i "s/defaults,noatime/defaults,ro,noatime/g" /etc/fstab
%end

%post --nochroot

PRODUCT='oVirt Node Hypervisor'
PRODUCT_SHORT='oVirt Node Hypervisor'
PACKAGE=ovirt-node-image
VERSION=2.0.0
RELEASE=

# store image version info in the ISO and rootfs
cat > $LIVE_ROOT/isolinux/version <<EOF
PRODUCT='$PRODUCT'
PRODUCT_SHORT='${PRODUCT_SHORT}'
PRODUCT_CODE=$PRODUCT_CODE
RECIPE_SHA256=$RECIPE_SHA256
RECIPE_RPM=$RECIPE_RPM
PACKAGE=$PACKAGE
VERSION=$VERSION
RELEASE=$RELEASE
EOF
cp $LIVE_ROOT/isolinux/version $INSTALL_ROOT/etc/default/
%end

%post

# rebuild initramfs to include multipath rhbz#627647
echo -n "Rebuilding initramfs for multipath and disk cleanup..."
kernel="$(rpm -q --qf '%{VERSION}-%{RELEASE}.%{ARCH}\n' kernel)"
/sbin/dracut -f -a "ovirtnode" -a "multipath" /initrd0.img "$kernel"
echo "done."

%end

%post
echo "Removing python source files"
find / -name '*.py' -exec rm -f {} \;
find / -name '*.pyo' -exec rm -f {} \;

%end

%post
echo -n "Creating manifest"
# Create post-image processing manifests
rpm -qa --qf '%{name}-%{version}-%{release}.%{arch} (%{SIGGPG:pgpsig})\n' | \
    sort > /manifest-rpm.txt
rpm -qa --qf '%{sourcerpm}\n' | sort -u > /manifest-srpm.txt
# collect all included licenses rhbz#601927
rpm -qa --qf '%{license}\n' | sort -u > /manifest-license.txt
# dependencies
rpm -qa | xargs -n1 rpm -e --test 2> /manifest-deps.txt
echo -n "."
find / -xdev -print -exec rpm -qf {} \; > /manifest-owns.txt
# this one is kept in root for ovirt-rpmquery
rpm -qa --qf '%{NAME}\t%{VERSION}\t%{RELEASE}\t%{BUILDTIME}\n' | \
    sort > /rpm-qa.txt
echo -n "."

du -akx --exclude=/var/cache/yum / > /manifest-file.txt
du -x --exclude=/var/cache/yum / > /manifest-dir.txt
echo -n "."
bzip2 /manifest-deps.txt /manifest-owns.txt /manifest-file.txt /manifest-dir.txt
echo -n "."

%end

%packages --excludedocs --nobase
/usr/sbin/lokkit
PyPAM
acpid
aic94xx-firmware
anyterm
audit
bc
bfa-firmware
checkpolicy
collectd
collectd-rrdtool
cpuspeed
cracklib-python
cryptsetup-luks
db4
device-mapper-multipath
dhclient
dosfstools
dracut-network
e2fsprogs
ethtool
febootstrap-supermin-helper
file
gdb
generic-logos
glusterfs-client
hdparm
hwdata
irqbalance
isomd5sum
kernel
kexec-tools
kpartx
kvm
less
libguestfs
libguestfs-tools-c
libmlx4
libvirt-qpid
lsof
lsscsi
ltrace
make
matahari
net-snmp
newt-python
numactl
openssh-clients
openssh-server
ovirt-node
passwd
patch
pciutils
policycoreutils
policycoreutils-python
psmisc
python
python-gudev
python-hivex
python-libguestfs
python-libs
python-setuptools
python-virtinst
qemu-kvm-tools
ql2100-firmware
ql2200-firmware
ql23xx-firmware
ql2400-firmware
ql2500-firmware
rootfiles
selinux-policy-targeted
sos
strace
sudo
sysfsutils
sysstat
systemtap-runtime
tcpdump
usbutils
vconfig
vhostmd
vim-minimal
-dmraid
-fedora-logos
-fedora-release
-fedora-release-notes
-libselinux-python
-prelink
-setserial
-usermode
-which
-wireless-tools
%end