qemu-packer-centos
# SCAP Security Guide profile kickstart for Red Hat Enterprise Linux 7 Server | |
# Version: 0.0.2 | |
# Date: 2015-08-02 | |
# | |
# Based on: | |
# http://fedoraproject.org/wiki/Anaconda/Kickstart | |
# https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Installation_Guide/sect-kickstart-syntax.html | |
# http://usgcb.nist.gov/usgcb/content/configuration/workstation-ks.cfg | |
# | |
# NOTE(review): this copy is adapted for an unattended CentOS 7 build under Packer/QEMU | |
# (served from Packer's HTTP directory as nist-cent7.ks). Despite the title, the | |
# org_fedora_oscap addon further down is commented out, so NO SCAP profile is evaluated | |
# or remediated at install time. The SSG items that survive here are the partition | |
# layout (CCE references), sha512 password hashing, SELinux enforcing and the AIDE | |
# package; firewall, time sync, sshd/audit hardening etc. are left to post-install | |
# provisioning and must be covered there. | |
# Install a fresh new system (optional) | |
install | |
# Set language to use during installation and the default language to use on the installed system (required) | |
lang en_US.UTF-8 | |
# Text-mode installer, no X configuration: the run is fully unattended with no console | |
# interaction, and the EULA is accepted up front so nothing can prompt for it later. | |
text | |
skipx | |
eula --agreed | |
# Set system keyboard type / layout (required) | |
keyboard us | |
# Configure network information for target system and activate network devices in the installer environment (optional) | |
# --onboot enable device at a boot time | |
# --device device to be activated and / or configured with the network command | |
# --bootproto method to obtain networking configuration for device (default dhcp) | |
# --noipv6 disable IPv6 on this device | |
# NOTE(review): the installer already has networking up (it fetched this file over HTTP), | |
# so the install proceeds even if the virtio NIC is not actually called eth0 under | |
# predictable interface naming; verify the interface config on the built image. | |
network --onboot yes --device eth0 --bootproto dhcp --noipv6 | |
# Set the system's root password (required) | |
# Plaintext password is: server | |
# Refer to e.g. http://fedoraproject.org/wiki/Anaconda/Kickstart#rootpw to see how to create | |
# encrypted password form for different plaintext password | |
# SECURITY: this is a throwaway build credential and must be treated as public -- the | |
# $6$ (sha512-crypt) hash with salt 'rhel6usgcb' appears to be the stock sample from the | |
# upstream SSG kickstart, and the same plaintext is the ssh_pass the Packer templates use | |
# to log in as root. The Packer builds end with 'passwd -d root', which leaves root with | |
# an EMPTY password rather than a locked one; prefer 'passwd -l root' (or rotate it via | |
# cloud-init) before the image is exported. | |
rootpw --iscrypted $6$rhel6usgcb$aS6oPGXcPKp3OtFArSrhRwu6sN8q2.yEGY7AIwDOQd23YCtiz9c5mXbid1BzX9bmXTEZi.hCzTEXFosVBI5ng0 | |
# Configure firewall settings for the system (optional) | |
# --enabled reject incoming connections that are not in response to outbound requests | |
# --ssh allow sshd service through the firewall | |
# NOTE(review): the directive below DISABLES the firewall, contrary to the two option | |
# descriptions above and to the SSG baseline. Packer only needs port 22, so | |
# 'firewall --enabled --ssh' would still let the build connect. Left unchanged here; | |
# confirm that the hardening role re-enables it, otherwise the exported image ships | |
# with no host firewall at all. | |
firewall --disable | |
# Set up the authentication options for the system (required) | |
# --enableshadow enable shadowed passwords by default | |
# --passalgo hash / crypt algorithm for new passwords | |
# See the manual page for authconfig for a complete list of possible options. | |
authconfig --enableshadow --passalgo=sha512 | |
# sshd must be enabled or Packer's SSH communicator cannot reach the VM after the reboot. | |
# NOTE(review): chronyd is disabled, so the installed system has no NTP client and audit, | |
# syslog and AIDE timestamps depend entirely on the hypervisor clock. Re-enable it (or | |
# another time source) in provisioning unless this is deliberate. | |
services --disabled="chronyd" --enabled="sshd" | |
# State of SELinux on the installed system (optional) | |
# Defaults to enforcing | |
selinux --enforcing | |
# Set the system time zone (required) | |
# --utc: the hardware clock is kept in UTC | |
timezone --utc America/New_York | |
# Specify how the bootloader should be installed (required) | |
# Plaintext password is: password | |
# Refer to e.g. the bootloader section of http://fedoraproject.org/wiki/Anaconda/Kickstart | |
# to see how to create the encrypted password form for a different plaintext password | |
# This password only gates editing boot entries at the GRUB console; it does not protect | |
# the disk contents. NOTE(review): --iscrypted is NOT given, so anaconda may take the | |
# literal '$6$...' string below as the plaintext GRUB password (GRUB2 expects a | |
# grub.pbkdf2 hash, not sha512-crypt, for pre-hashed values). Check what actually lands | |
# in /boot/grub2/user.cfg on a built image and set a real, non-public password. | |
# --append: crashkernel=auto reserves memory for kdump; rhgb quiet are cosmetic on a | |
# text-mode system. | |
bootloader --location=mbr --append="crashkernel=auto rhgb quiet" --password=$6$rhel6usgcb$kOzIfC4zLbuo3ECp1er99NRYikN419wxYMmons8Vm/37Qtg0T8aB9dKxHwqapz8wWAFuVkuI/UJqQBU92bA5C0 | |
# Initialize (format) all disks (optional) | |
zerombr | |
# The following partition layout scheme assumes disk of size 20GB or larger | |
# Modify size of partitions appropriately to reflect actual machine's hardware | |
# (the sizes below add up to roughly 20448 MiB, i.e. essentially the whole 20512 MB disk | |
# the Packer builder creates; no logical volume uses --grow, so a bigger disk only leaves | |
# free extents in the volume group) | |
# | |
# Remove Linux partitions from the system prior to creating new ones (optional) | |
# --linux erase all Linux partitions | |
# --initlabel initialize the disk label to the default based on the underlying architecture | |
# Only the first virtio disk is touched (the Packer builder uses disk_interface=virtio). | |
ignoredisk --only-use=vda | |
clearpart --linux --initlabel | |
# Unprivileged account used by post-install provisioning. No --password is given, so the | |
# account is created with a locked password and is only reachable via the SSH key the | |
# Packer file provisioner places in /home/centos/.ssh/authorized_keys. Fixed uid/gid keep | |
# file ownership stable across rebuilds. NOTE(review): no sudo rule is granted here. | |
user --name=centos --uid=2222 --gid=2000 --gecos=automated | |
# Create primary system partitions (required for installs) | |
part /boot --fstype=xfs --size=512 | |
# One physical volume spanning the rest of the disk | |
part pv.01 --grow --size=1 | |
# Create a Logical Volume Management (LVM) group (optional) | |
# --pesize=4096: physical extent size, the LVM default of 4 MiB | |
volgroup VolGroup --pesize=4096 pv.01 | |
# Create particular logical volumes (optional) | |
# All sizes are in MiB. | |
logvol / --fstype=xfs --name=rootfs --vgname=VolGroup --size=12288 | |
# CCE-26557-9: Ensure /home Located On Separate Partition | |
logvol /home --fstype=xfs --name=home --vgname=VolGroup --size=1024 --fsoptions="nodev" | |
# CCE-26435-8: Ensure /tmp Located On Separate Partition | |
# nodev,noexec,nosuid: nothing dropped in /tmp can be executed or gain privilege via setuid | |
logvol /tmp --fstype=xfs --name=tmp --vgname=VolGroup --size=1024 --fsoptions="nodev,noexec,nosuid" | |
# CCE-26639-5: Ensure /var Located On Separate Partition | |
# ftype=1 enables d_type on XFS, which overlayfs-based container storage requires | |
logvol /var --fstype=xfs --name=var --vgname=VolGroup --size=2048 --mkfsoptions="-n ftype=1" --fsoptions="nodev" | |
# CCE-26215-4: Ensure /var/log Located On Separate Partition | |
logvol /var/log --fstype=xfs --name=var_log --vgname=VolGroup --size=1024 --fsoptions="nodev" | |
# CCE-26436-6: Ensure /var/log/audit Located On Separate Partition | |
# NOTE(review): only nodev is applied to /home, /var, /var/log and /var/log/audit; SSG also | |
# carries nosuid (and where workable noexec) mount-option rules for these -- consider them. | |
logvol /var/log/audit --fstype=xfs --name=var_log_audit --vgname=VolGroup --size=512 --fsoptions="nodev" | |
logvol swap --name=lv_swap --vgname=VolGroup --size=2016 | |
#%addon org_fedora_oscap | |
# content-type = scap-security-guide | |
# profile = ospp-rhel7-server | |
#%end | |
# NOTE(review): the addon above is disabled, so the OSPP profile is neither evaluated nor | |
# remediated during install. Re-enable it (and add the scap-security-guide package) if | |
# the image should be remediated at install time instead of by the ansible hardening role. | |
# Packages selection (%packages section is required) | |
%packages | |
# Minimal environment plus @core. The 'Server with GUI' environment of the SSG sample is | |
# deliberately NOT used -- there is no X here (see skipx above). | |
@^minimal | |
@core | |
# Drop wireless/HBA firmware blobs that are useless in a virtio VM (smaller image, less | |
# to patch). | |
-aic94xx-firmware | |
-atmel-firmware | |
-b43-openfwwf | |
-bfa-firmware | |
-ipw2100-firmware | |
-ipw2200-firmware | |
-ivtv-firmware | |
-iwl100-firmware | |
-iwl1000-firmware | |
-iwl3945-firmware | |
-iwl4965-firmware | |
-iwl5000-firmware | |
-iwl5150-firmware | |
-iwl6000-firmware | |
-iwl6000g2a-firmware | |
-iwl6050-firmware | |
-libertas-usb8388-firmware | |
-ql2100-firmware | |
-ql2200-firmware | |
-ql23xx-firmware | |
-ql2400-firmware | |
-ql2500-firmware | |
-rt61pci-firmware | |
-rt73usb-firmware | |
-zd1211-firmware | |
# Needed by the build itself: sudo (the Packer shutdown_command invokes it), rsyslog for | |
# system logging, openssh-server so Packer can connect after the reboot. | |
sudo | |
rsyslog | |
openssh-server | |
# Install selected additional packages | |
# CCE-27024-9: Install AIDE | |
# NOTE(review): only the package is installed; nothing in this file runs 'aide --init' or | |
# schedules periodic checks. Initialise the database as the very last provisioning step, | |
# after all package and config changes, or the baseline is meaningless. | |
aide | |
%end # End of %packages section | |
# Post-install script, run inside the installed system (chroot) before the reboot, so the | |
# update lands on the new disk. It needs network access from the installer and pulls the | |
# latest errata so the image starts out patched. NOTE(review): the log file name is | |
# historical -- oscap never runs here. A failing 'yum update' does not abort the install | |
# unless %post is given --erroronfail; add it if an unpatched image must not be produced. | |
%post --log /root/oscap.log | |
yum update -y | |
%end # End of %post section | |
# Reboot after the installation is complete (optional) | |
# --eject attempt to eject CD or DVD media before rebooting | |
# (ejecting the ISO makes the VM come back up from the freshly installed disk, which is | |
# what Packer then waits for over SSH) | |
reboot --eject |
{ | |
"variables": { | |
"ssh_name": "root", | |
"ssh_pass": "server" | |
}, | |
"builders": [{ | |
"boot_command": [ | |
"<esc>", | |
"<tab> linux text ks=http://{{ .HTTPIP }}:{{ .HTTPPort }}/nist-cent7.ks<enter>" | |
], | |
"type": "qemu", | |
"headless": false, | |
"disk_size": "20512M", | |
"accelerator": "kvm", | |
"format": "qcow2", | |
"qemuargs": [ | |
[ "-m", "2048M" ], | |
[ "-M", "q35" ], | |
[ "-vga", "virtio"], | |
[ "-smp", "cpus=2,maxcpus=16,cores=4" ] | |
], | |
"vm_name": "packer-build", | |
"ssh_pty" : "true", | |
"iso_checksum_type": "none", | |
"iso_url": "/home/kondor6c/mnt/virt/CentOS-7-x86_64-Minimal-1908/CentOS-7-x86_64-Minimal-1908.iso", | |
"iso_checksum": "9a2c47d97b9975452f7d582264e9fc16d108ed8252ac6816239a3b58cef5c53d", | |
"output_directory": "cent-qemu-shell", | |
"boot_wait": "1s", | |
"disk_interface": "virtio", | |
"net_device": "virtio-net", | |
"http_directory": "httpdir", | |
"ssh_username": "{{user `ssh_name`}}", | |
"ssh_password": "{{user `ssh_pass`}}", | |
"ssh_port": "22", | |
"ssh_wait_timeout": "750s", | |
"shutdown_command": "echo {{ user `ssh_pass` }} |sudo -S /sbin/shutdown -h -F now " | |
}], | |
"provisioners": [ | |
{ | |
"type": "file", | |
"source": "/home/kondor6c/.ssh/id_ed25519.pub", | |
"destination": "/tmp/authorized_keys" | |
}, | |
{ | |
"type": "shell", | |
"remote_path": "/usr/local/bin/hashicorp_packer_init.sh", | |
"inline": [ | |
"mkdir /home/centos/.ssh", | |
"chmod 700 /home/centos/.ssh", | |
"mv /tmp/authorized_keys /home/centos/.ssh/authorized_keys", | |
"chown centos:centos /home/centos/.ssh -R", | |
"chmod 0600 /home/centos/.ssh/authorized_keys", | |
"yum -y install https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm", | |
"yum -y install python2-pip cloud-init cloud-utils-growpart dracut-modules-growroot ansible tmux libselinux-python rsync curl lsof ", | |
"passwd -d root" | |
] | |
} | |
], | |
"post-processors": [ { | |
"type": "amazon-import", | |
"access_key": "{{ user `aws_access_key_id` }}", | |
"secret_key": "{{ user `aws_secret_access_key` }}", | |
"region": "{{ user `aws_default_region` }}", | |
"s3_bucket_name": "cloud-operations", | |
"license_type": "BYOL", | |
"ami_description": "generated from iso", | |
"ami_kms_key": "aws/ebs", | |
"ami_name": "centos7-iso-ansible", | |
"ami_users": "{{ user `acct_ids` }}", | |
"s3_encryption": "aws:kms", | |
"tags": { "Description": "packer amazon import " } | |
} ] | |
} |
{ | |
"variables": { | |
"ssh_name": "root", | |
"ssh_pass": "server" | |
}, | |
"builders": [{ | |
"boot_command": [ | |
"<esc>", | |
"<tab> linux text ks=http://{{ .HTTPIP }}:{{ .HTTPPort }}/nist-cent7.ks<en ter>" | |
], | |
"type": "qemu", | |
"headless": true, | |
"disk_size": 20512, | |
"accelerator": "kvm", | |
"format": "qcow2", | |
"qemuargs": [ | |
[ "-m", "2048M" ], | |
[ "-smp", "cpus=2,maxcpus=16,cores=4" ] | |
], | |
"vm_name": "packer-build", | |
"ssh_pty" : "true", | |
"iso_checksum_type": "none", | |
"iso_url": "CentOS-7-x86_64-Minimal-1908.iso", | |
"iso_checksum": "9a2c47d97b9975452f7d582264e9fc16d108ed8252ac6816239a3b58cef 5c53d", | |
"output_directory": "cent-qemu-shell", | |
"boot_wait": "1s", | |
"disk_interface": "virtio", | |
"net_device": "virtio-net", | |
"http_directory": "httpdir", | |
"ssh_username": "{{user `ssh_name`}}", | |
"ssh_password": "{{user `ssh_pass`}}", | |
"ssh_port": "22", | |
"ssh_wait_timeout": "750s", | |
"shutdown_command": "echo {{ user `ssh_pass` }} |sudo -S /sbin/shutdown -h - F now " | |
}], | |
"provisioners": [ | |
{ | |
"type": "file", | |
"source": "/home/kondor6c/.ssh/id_ed25519.pub", | |
"destination": "/tmp/authorized_keys" | |
}, | |
{ | |
"type": "shell", | |
"remote_path": "/usr/local/bin/hashicorp_packer_init.sh", | |
"inline": [ | |
"rpm -ql centos-release |grep 'yum.repos.d/*repo' |xargs -I{} rm -f {}", | |
"mkdir /home/centos/.ssh", | |
"chmod 700 /home/centos/.ssh", | |
"mv /tmp/authorized_keys /home/centos/.ssh/authorized_keys", | |
"chown centos:centos /home/centos/.ssh -R", | |
"chmod 0600 /home/centos/.ssh/authorized_keys" | |
] | |
}, | |
{ | |
"type": "shell", | |
"remote_path": "/home/centos/ansible.sh", | |
"inline": [ | |
"rpm -ql centos-release |grep 'yum.repos.d/*repo' |xargs -I{} rm -f {}", | |
"ls /etc/yum.repos.d/*repo", | |
"rm -f /etc/yum.repos.d/CentOS-*", | |
"ls /etc/yum.repos.d/*repo | xargs -I{} cat {}", | |
"yum install --nogpgcheck -y cloud-init ansible" | |
] | |
}, | |
{ | |
"type": "ansible-local", | |
"playbook_file": "ansible/playbooks/image_build.yml", | |
"group_vars": "ansible/group_vars/", | |
"extra_arguments": [ | |
"--skip-tags futures,storage,runtime" | |
], | |
"host_vars": "ansible/host_vars/machine__local", | |
"role_paths": [ | |
"ansible/roles/ansible_linux_common", | |
"ansible/roles/cloud-operations", | |
"ansible/roles/ansible_linux_hardening" | |
], | |
"clean_staging_directory": "true", | |
"staging_directory": "/root/ansible", | |
"inventory_file": "ansible/inventory/local.ini" | |
}, | |
{ | |
"type": "shell", | |
"remote_path": "/home/centos/reboot.sh", | |
"expect_disconnect": "true", | |
"inline": [ | |
"echo 'tests the ability for the machine to come back online after grub, s ysctl, audit changes'", | |
"shutdown -r -F now" | |
] | |
}, | |
{ | |
"type": "ansible-local", | |
"pause_before": "15s", | |
"playbook_file": "ansible/playbooks/container_users.yml", | |
"group_vars": "ansible/group_vars/", | |
"host_vars": "ansible/host_vars/machine__local", | |
"role_paths": [ | |
"ansible/roles/ansible_linux_common", | |
"ansible/roles/linux_container_deploy" | |
], | |
"clean_staging_directory": "true", | |
"staging_directory": "/root/ansible", | |
"inventory_file": "ansible/inventory/local.ini" | |
}, | |
{ | |
"type": "shell", | |
"remote_path": "/home/centos/last-step.sh", | |
"inline": [ | |
"restorecon -R /", | |
"passwd -d root" | |
] | |
} | |
], | |
"post-processors": [ | |
{ | |
"type": "shell-local", | |
"script": "./helper_convert_to_vmdk.sh" | |
}, | |
{ | |
"type": "artifice", | |
"files": "centos-kvm-shell.vmdk" | |
}, | |
{ | |
"type": "amazon-import", | |
"access_key": "{{ user `aws_access_key_id` }}", | |
"secret_key": "{{ user `aws_secret_access_key` }}", | |
"region": "{{ user `aws_default_region` }}", | |
"ami_users": "{{ user `aws_acct_ids` }}", | |
"s3_bucket_name": "bucket", | |
"license_type": "BYOL", | |
"ami_description": "generated from iso", | |
"ami_name": "centos7-iso-ansible", | |
"tags": { "Description": "packer amazon import " } | |
} | |
] | |
} |