[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [Libosinfo] [osinfo-db 1/2] install-script, suse: Add install-scripts for SLES 12+



On Tue, May 2, 2017 at 1:48 PM, Christophe Fergeau <cfergeau redhat com> wrote:
> On Sun, Apr 23, 2017 at 12:41:30AM +0200, Fabiano Fidêncio wrote:
>> The install-scripts added support SLES 12, SLES 12 SP1 and SLES 12 SP2.
>>
>> Those scripts were completely based on the openSUSE ones and tested
>> against the "free for download" ISOs provided by SUSE, that you can find
>> in: https://www.suse.com/download-linux/
>>
>> Signed-off-by: Fabiano Fidêncio <fabiano fidencio org>
>> ---
>>  .../suse.com/suse-autoyast-desktop.xml.in          | 287 +++++++++++++++++++++
>>  .../suse.com/suse-autoyast-jeos.xml.in             | 201 +++++++++++++++
>>  data/os/suse.com/sles-12.1.xml.in                  |   7 +-
>>  data/os/suse.com/sles-12.2.xml.in                  |  13 +-
>>  data/os/suse.com/sles-12.xml.in                    |   7 +-
>>  5 files changed, 509 insertions(+), 6 deletions(-)
>>  create mode 100644 data/install-script/suse.com/suse-autoyast-desktop.xml.in
>>  create mode 100644 data/install-script/suse.com/suse-autoyast-jeos.xml.in
>>
>> diff --git a/data/install-script/suse.com/suse-autoyast-desktop.xml.in b/data/install-script/suse.com/suse-autoyast-desktop.xml.in
>> new file mode 100644
>> index 0000000..acb38c1
>> --- /dev/null
>> +++ b/data/install-script/suse.com/suse-autoyast-desktop.xml.in
>> @@ -0,0 +1,287 @@
>> +<libosinfo version="0.0.1">
>> +<!-- Licensed under the GNU General Public License version 2 or later.
>> +     See http://www.gnu.org/licenses/ for a copy of the license text -->
>> +
>> +  <!-- DESKTOP PROFILE -->
>> +  <install-script id='http://suse.com/suse/autoyast/desktop'>
>> +    <profile>desktop</profile>
>> +    <expected-filename>autoinst.xml</expected-filename>
>> +    <config>
>> +      <!-- Localization options -->
>> +      <param name="l10n-keyboard" policy="optional" value-map="http://x.org/x11-keyboard"/>
>> +      <param name="l10n-language" policy="optional"/>
>> +      <param name="l10n-timezone" policy="optional"/>
>> +
>> +      <!-- Network options -->
>> +      <param name="hostname" policy="optional"/>
>> +      <param name="domain" policy="optional"/>
>> +
>> +      <!-- Account options -->
>> +      <param name="admin-password" policy="optional"/>
>> +      <param name="user-fullname" policy="optional"/>
>> +      <param name="user-login" policy="required"/>
>> +      <param name="user-password" policy="optional"/>
>> +      <param name="avatar-location" policy="optional"/>
>> +      <param name="avatar-disk" policy="optional"/>
>> +    </config>
>> +    <injection-method>disk</injection-method>
>> +
>> +    <template>
>> +      <xsl:stylesheet
>> +        xmlns:xsl="http://www.w3.org/1999/XSL/Transform";
>> +        version="1.0">
>> +
>> +        <xsl:output method="xml" indent="yes" omit-xml-declaration="yes"/>
>> +
>> +        <xsl:template name="l10n-language">
>> +          <xsl:choose>
>> +            <xsl:when test="config/l10n-language != '' and config/l10n-language != 'C'">
>> +              <xsl:value-of select="config/l10n-language"/>
>> +            </xsl:when>
>> +            <xsl:otherwise>
>> +              <xsl:text>en_US</xsl:text>
>> +            </xsl:otherwise>
>> +          </xsl:choose>
>> +        </xsl:template>
>> +
>> +        <xsl:template name="l10n-keyboard">
>> +          <xsl:choose>
>> +            <xsl:when test="config/l10n-keyboard != '' and config/l10n-keyboard != 'C'">
>> +              <xsl:value-of select="config/l10n-keyboard"/>
>> +            </xsl:when>
>> +            <xsl:otherwise>
>> +              <xsl:text>us</xsl:text>
>> +            </xsl:otherwise>
>> +          </xsl:choose>
>> +        </xsl:template>
>> +
>> +        <xsl:template match="/command-line">
>> +            <xsl:text>autoyast=device://sda/</xsl:text>
>
> I guess vda is not valid there?

Nops. That's the same case for OpenSUSE.

>
>> +            <xsl:value-of select="script/expected-filename"/>
>> +        </xsl:template>
>> +
>> +        <xsl:template match="/install-script-config">
>> +          <profile xmlns="http://www.suse.com/1.0/yast2ns"; xmlns:config="http://www.suse.com/1.0/configns";>
>> +            <bootloader>
>> +              <device_map config:type="list">
>> +                <device_map_entry>
>> +                  <firmware>hd0</firmware>
>> +                  <linux>/dev/vda</linux>
>> +                </device_map_entry>
>> +              </device_map>
>> +              <global>
>> +                <activate>true</activate>
>> +                <append>resume=/dev/vda1 splash=silent quiet showopts</append>
>> +                <boot_boot>false</boot_boot>
>> +                <boot_extended>false</boot_extended>
>> +                <boot_mbr>false</boot_mbr>
>> +                <boot_root>true</boot_root>
>> +                <default>0</default>
>> +                <distributor/>
>> +                <failsafe_disabled>true</failsafe_disabled>
>> +                <generic_mbr>true</generic_mbr>
>> +                <gfxmode>auto</gfxmode>
>> +                <os_prober>true</os_prober>
>> +                <terminal>gfxterm</terminal>
>> +                <timeout config:type="integer">8</timeout>
>> +                <vgamode/>
>> +              </global>
>> +              <loader_type>grub2</loader_type>
>> +            </bootloader>
>> +            <firewall>
>> +              <enable_firewall config:type="boolean">false</enable_firewall>
>> +              <start_firewall config:type="boolean">false</start_firewall>
>> +            </firewall>
>
> Any particular reason to disable firewall?

No particular reason. I'll remove it in a v2.

>
>> +            <general>
>> +              <ask-list config:type="list"/>
>> +              <mode>
>> +                <confirm config:type="boolean">false</confirm>
>> +                <final_reboot config:type="boolean">true</final_reboot>
>> +              </mode>
>> +              <proposals config:type="list"/>
>> +              <signature-handling>
>> +                <accept_file_without_checksum config:type="boolean">true</accept_file_without_checksum>
>> +                <accept_non_trusted_gpg_key config:type="boolean">true</accept_non_trusted_gpg_key>
>> +                <accept_unknown_gpg_key config:type="boolean">true</accept_unknown_gpg_key>
>> +                <accept_unsigned_file config:type="boolean">true</accept_unsigned_file>
>> +                <accept_verification_failed config:type="boolean">false</accept_verification_failed>
>> +                <import_gpg_key config:type="boolean">true</import_gpg_key>
>> +              </signature-handling>
>
> This seems fairly unsecure too, is this required?

Hmm. I'll double check, but I do believe I can drop those for SLES.

>
>
>> +              <storage>
>> +                <partition_alignment config:type="symbol">align_optimal</partition_alignment>
>> +                <start_multipath config:type="boolean">false</start_multipath>
>> +              </storage>
>> +            </general>
>> +            <keyboard>
>> +              <keyboard_values>
>> +                <delay/>
>> +                <discaps config:type="boolean">false</discaps>
>> +                <numlock>bios</numlock>
>> +                <rate/>
>> +              </keyboard_values>
>> +              <keymap><xsl:call-template name="l10n-keyboard"/></keymap>
>> +            </keyboard>
>> +            <language><xsl:call-template name="l10n-language"/></language>
>> +          <networking>
>> +            <managed config:type="boolean">false</managed>
>> +            <interfaces  config:type="list">
>> +              <interface>
>> +                <bootproto>dhcp</bootproto>
>> +                  <device>eth0</device>
>> +                  <startmode>auto</startmode>
>> +                  <usercontrol>no</usercontrol>
>> +                </interface>
>> +            </interfaces>
>> +          </networking>
>> +          <partitioning config:type="list">
>> +            <drive>
>> +              <device>/dev/vda</device>
>> +              <type config:type="symbol">CT_DISK</type>
>> +              <use>all</use>
>> +            </drive>
>> +          </partitioning>
>> +            <report>
>> +              <errors>
>> +                <log config:type="boolean">true</log>
>> +                <show config:type="boolean">true</show>
>> +                <timeout config:type="integer">0</timeout>
>> +              </errors>
>> +              <messages>
>> +                <log config:type="boolean">true</log>
>> +                <show config:type="boolean">true</show>
>> +                <timeout config:type="integer">10</timeout>
>> +              </messages>
>> +              <warnings>
>> +                <log config:type="boolean">true</log>
>> +                <show config:type="boolean">true</show>
>> +                <timeout config:type="integer">10</timeout>
>> +              </warnings>
>> +              <yesno_messages>
>> +                <log config:type="boolean">true</log>
>> +                <show config:type="boolean">true</show>
>> +                <timeout config:type="integer">10</timeout>
>> +              </yesno_messages>
>> +            </report>
>> +            <scripts>
>> +              <chroot-scripts config:type="list">
>> +                <script>
>> +                  <chrooted config:type="boolean">true</chrooted>
>> +                  <source>
>> +
>> +if test -z '<xsl:value-of select="config/user-password"/>'; then
>> +pam-config -a --unix-nullok
>> +pam-config -a --nullok
>
> Shouldn't this be conditional on the SUSE version as done below?

Nops. It's needed for all versions to allow setting a user with no password.

>
>> +
>> +<xsl:if test="os/version = 12">
>> +useradd <xsl:value-of select="config/user-login"/> -m -G users
>> +passwd -d <xsl:value-of select="config/user-login"/>
>> +</xsl:if>
>
> Does this mean we are not setting a password on older suse?

There's no older SUSE script at this point.

For 12 SP1 and 12 SP2 we can do this using the <users> XML tag, while
for 12 the only way that worked was by actually adding the user as
done above.

>
>> +
>> +#Enable passwordless login for users that are part of the nopasswdlogin group
>> +sed -i '4 i auth sufficient pam_succeed_if.so user ingroup nopasswdlogin' /etc/pam.d/gdm-password
>> +fi
>> +
>> +if test -n '<xsl:value-of select="config/avatar-location"/>'; then
>> +# Set user avatar
>> +mkdir /mnt/unattended-media
>> +mount <xsl:value-of select='config/avatar-disk'/> /mnt/unattended-media
>> +cp /mnt/unattended-media<xsl:value-of select="config/avatar-location"/> /var/lib/AccountsService/icons/<xsl:value-of select="config/user-login"/>
>> +umount /mnt/unattended-media
>> +
>> +echo "
>> +[User]
>> +Language=<xsl:value-of select="config/l10n-language"/>.UTF-8
>> +XSession=gnome
>> +Icon=/var/lib/AccountsService/icons/<xsl:value-of select="config/user-login"/>
>> +" >> /var/lib/AccountsService/users/<xsl:value-of select="config/user-login"/>
>> +fi
>> +                  </source>
>> +                </script>
>> +              </chroot-scripts>
>> +            </scripts>
>> +            <services-manager>
>> +              <default_target>graphical</default_target>
>> +            </services-manager>
>> +            <software>
>> +              <packages config:type="list">
>> +                <package>autoyast2-installation</package>
>> +                <package>gdm</package>
>> +              </packages>
>> +              <patterns config:type="list">
>> +                <pattern>Minimal</pattern>
>> +                <pattern>apparmor</pattern>
>> +                <pattern>base</pattern>
>> +                <pattern>gnome-basic</pattern>
>> +                <pattern>printing</pattern>
>> +                <xsl:if test="os/version &gt; 12">
>> +                  <pattern>smt</pattern>
>> +                </xsl:if>
>> +                <pattern>x11</pattern>
>> +              </patterns>
>> +            </software>
>> +            <sysconfig config:type="list">
>> +              <sysconfig_entry>
>> +                <sysconfig_key>DISPLAYMANAGER</sysconfig_key>
>> +                <sysconfig_path>/etc/sysconfig/displaymanager</sysconfig_path>
>> +                <sysconfig_value>gdm</sysconfig_value>
>> +              </sysconfig_entry>
>> +              <sysconfig_entry>
>> +                <sysconfig_key>DEFAULT_WM</sysconfig_key>
>> +                <sysconfig_path>/etc/sysconfig/windowmanager</sysconfig_path>
>> +                <sysconfig_value>gnome</sysconfig_value>
>> +              </sysconfig_entry>
>> +            </sysconfig>
>> +            <timezone>
>> +              <hwclock>UTC</hwclock>
>> +              <timezone><xsl:value-of select="config/l10n-timezone"/></timezone>
>> +            </timezone>
>> +            <user_defaults>
>> +              <expire/>
>> +              <group>100</group>
>> +              <groups/>
>> +              <home>/home</home>
>> +              <inactive>-1</inactive>
>> +              <no_groups config:type="boolean">true</no_groups>
>> +              <shell>/bin/bash</shell>
>> +              <skel>/etc/skel</skel>
>> +              <umask>022</umask>
>> +            </user_defaults>
>
> Same question, a bit below you check for suse version before allowing
> empty passwords, should the condition be here too?

That's not the case here. The group "nopasswdlogin" must be created in
any SLES version in order to allow passwordless login.

>
>> +            <xsl:if test="config/user-password = ''">
>> +              <groups config:type="list">
>> +                <group>
>> +                  <group_password>x</group_password>
>> +                  <groupname>nopasswdlogin</groupname>
>> +                  <userlist><xsl:value-of select="config/user-login"/></userlist>
>> +                </group>
>> +              </groups>
>> +            </xsl:if>
>> +            <users config:type="list">
>> +              <user>
>> +                <encrypted config:type="boolean">false</encrypted>
>> +                <fullname>root</fullname>
>> +                <gid>0</gid>
>> +                <home>/root</home>
>> +                <shell>/bin/bash</shell>
>> +                <uid>0</uid>
>> +                <user_password><xsl:value-of select="config/admin-password"/></user_password>
>> +                <username>root</username>
>> +              </user>
>> +              <!--
>> +                While SLES 12 doesn't allow creating a user without a password,
>> +                it's okay to do so on the newer versions
>> +                -->
>> +              <xsl:if test="config/user-password != '' or os/version &gt; 12">
>> +                <user>
>> +                  <encrypted config:type="boolean">false</encrypted>
>> +                  <fullname><xsl:value-of select="config/user-fullname"/></fullname>
>> +                  <user_password><xsl:value-of select="config/user-password"/></user_password>
>> +                  <username><xsl:value-of select="config/user-login"/></username>
>> +                </user>
>> +              </xsl:if>
>
> So we don't set a user password on older suse?

We do!

At this point the only supported versions are:
SLES 12:
 - passwordless users must be created by useradd
 - normal user creating can be done through <user> XML tag
SLES 12 SP1 and SLES 12 SP2:
 - both normal and passwordless users can be created through the
<user> XML tag.

>
> Christophe
>
> _______________________________________________
> Libosinfo mailing list
> Libosinfo redhat com
> https://www.redhat.com/mailman/listinfo/libosinfo
>

Best Regards,
-- 
Fabiano Fidêncio


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]