{"id":146,"date":"2020-08-13T13:00:00","date_gmt":"2020-08-13T13:00:00","guid":{"rendered":"http:\/\/10.171.10.16:10000\/?p=146"},"modified":"2022-01-16T17:15:27","modified_gmt":"2022-01-16T17:15:27","slug":"centos-kickstart-more-automation","status":"publish","type":"post","link":"https:\/\/dannypayne.me\/?p=146","title":{"rendered":"CentOS kickstart: more automation!"},"content":{"rendered":"\n

This is the third post in a series on building\/setting up\/improving a PXE boot server with CentOS.
By the end of this post, we’ll have added a pre-installation block to gather network information before installation, and some post-installation scripts to our our kickstart file to allow for copying of files and automatic configuration of the SMTP service and randomisation of our root password.<\/p>\n\n\n\n

A requirement for this to work correctly is for you to have your own mail server, or an email account accessible to you – either via your own O365 or GSuite subscription, or a self-hosted mail solution like Modoboa <\/a>or IRedMail<\/a>. Personally I’m a fan of both self-hosted options, although in this example I’ll be using Modoboa. I’d previously it up and am using it to send alerts out from my lab (Veeam, monitoring, etc) to my own email account within GSuite.
If you do not<\/em> have any of the above, you can configure the SMTP<\/code> service to use a gmail\/yahoo\/etc account instead, however I won’t be covering that in this post.<\/p>\n\n\n\n

Prompting for network info<\/h3>\n\n\n\n

To get things started, we’re going to make the kickstart prompt us for the machines hostname and IP address, so there’s one less thing we have to do before we can start using the VM after it’s built.

open up the kickstart file we created previously, and delete lines 18 <\/strong>and 19<\/strong>, and replace them with the below text. <\/p>\n\n\n\n

# Network Information\n%include \/tmp\/network.ks\n\n%pre --interpreter=\/usr\/bin\/bash\nexec < \/dev\/tty6 > \/dev\/tty6 2> \/dev\/tty6\nchvt 6\n echo \"#######################################\"\n echo \"Kickstarted CentOS 7 x64\"\n echo \"Enter details to continue\"\n echo \"#######################################\"\n read -p \"Enter hostname: \" HOSTNAME\n read -p \"Enter IP address: \" IPADDR\n read -p \"Enter netmask: \" NETMASK\n read -p \"Enter default gateway: \" GATEWAY\n read -p \"Enter DNS server: \" DNSSERVER\necho\nsleep 1\n\necho \"network --bootproto=static --hostname=$HOSTNAME --device=ens192 --gateway=$GATEWAY --ip=$IPADDR --netmask=$NETMASK --nameserver=$DNSSERVER --noipv6 --onboot=on --activate\" > \/tmp\/network.ks\n\nchvt 1\nexec < \/dev\/tty1 > \/dev\/tty1 2> \/dev\/tty1\n%end<\/code><\/pre>\n\n\n\n
What’s basically happening here, is that when the machine is PXE booted and the kickstart selected, the installer will prompt you to enter the requested details. The interpreter will then set the listed variables to the entered details and then echo them into the \/tmp\/network.ks<\/code> file. 
The VM will then use this IP for the rest of the installation process, and once it reboots, the entered hostname and IP will be used for the completed VM build.<\/p>\n\n\n\n
Configure SSMTP<\/h3>\n\n\n\n
Next, we’re going to add the ssmtp<\/code> package to our kickstart file, and also create and edit the config files for the SSMTP<\/code> service.
Inside our kickstart file, we want to add ssmtp<\/code> to the  %packages<\/code> section like so:<\/p>\n\n\n\n
%packages\n@base\n@core\n...\nssmtp\n...\n%end<\/code><\/pre>\n\n\n\n
We also need to add a few lines into the kickstart file to create a temporary working directory in \/tmp<\/code> and also copy our script to configure ssmtp<\/code>. 
Why copy a script instead of making the kickstart create it for us? In my experience it just makes things simpler, and it means we can have a handful of kickstart files doing different<\/em> configs for the VMs but referencing back to our core<\/em> installation scripts. 
In other words, if we need to edit the ssmtp<\/code> setup process for multiple kickstart files, we only have to update that<\/em> script and not all the kickstart files. 

At the top of the %post<\/code> section of our kickstart, we’ll need to add the following<\/p>\n\n\n\n
%post --log=\/tmp\/post-build.log\n...\n#########################################\n# Create our temporary working directory\nmkdir \/tmp\/build\n\n#########################################\n# Copy ssmtp setup script\nwget -O \/tmp\/build\/ssmtpsetup.sh ftp:\/\/10.176.40.10\/centos7\/config\/ssmtpsetup.sh\nchmod +x \/tmp\/build\/ssmtpsetup.sh\n\/bin\/bash \/tmp\/build\/ssmtpsetup.sh\n\n%end<\/code><\/pre>\n\n\n\n
For ssmtp<\/code> to work correctly, there’s 2 files that need to be configured: ssmtp.conf<\/code> and revaliases<\/code> – these can both be found in \/etc\/ssmtp<\/code>. 
To make it easier for the files to be accessed from the kickstart file, we’re going to put them in the following location: \/var\/ftp\/centos7\/config<\/code>.<\/p>\n\n\n\n
We’re going to create our ssmtp.conf<\/code> file, making sure to set the username\/password\/server to your own, or a public mail service:<\/p>\n\n\n\n
root=alerts@yourdomain.tld\nmailhub=mail.yourdomain.tld:587\nhostname=BLANKHOSTNAME.AD.YOURDOMAIN.TLD\nAuthUser=alerts@yourdomain.tld\nAuthPass=yourpassword\nAuthMethod=LOGIN\nUseSTARTTLS=YES\nTLS_CA_File=\/etc\/pki\/tls\/certs\/ca-bundle.crt\nFromLineOverride=YES<\/code><\/pre>\n\n\n\n
Next we’re going to create the revaliases<\/code> file, again making sure to set the details to your own:<\/p>\n\n\n\n
root:alerts@yourdomain.tld:mail.yourdomain.tld:587<\/code><\/pre>\n\n\n\n
Finally, we’re going to create our ssmtpsetup.sh<\/code> script:<\/p>\n\n\n\n
#!\/bin\/sh\n# Get ssmtp config files\nwget -O \/tmp\/build\/ssmtp.conf ftp:\/\/10.176.40.10\/centos7\/config\/ssmtp.conf\nwget -O \/tmp\/build\/revaliases ftp:\/\/10.176.40.10\/centos7\/config\/revaliases\n\n# Fix hostname in ssmtp.conf\nsed -i s^'BLANKHOSTNAME'^\"$HOSTNAME\"^ \/tmp\/build\/ssmtp.conf\n\n# Copy files\ncp -rf \/tmp\/build\/ssmtp.conf \/etc\/ssmtp\/\ncp -rf \/tmp\/build\/revaliases \/etc\/ssmtp\/\n\n# Disable sendmail and symlink to ssmtp\nmv \/usr\/sbin\/sendmail \/usr\/sbin\/sendmail.ORIG\nln -s \/usr\/sbin\/ssmtp \/usr\/sbin\/sendmail\nmv \/usr\/lib\/sendmail \/usr\/lib\/sendmail.ORIG\nln -s \/usr\/sbin\/ssmtp \/usr\/lib\/sendmail\n<\/code><\/pre>\n\n\n\n
The above is essentially wget<\/code>-ing the files we just created from the FTP server and storing them in the \/tmp\/<\/code>directory. We replace BLANKHOSTNAME<\/code> in the ssmtp.conf<\/code> file with the VM’s actual<\/em> hostname as required, and then copy the files to the correct location. We also rename the default sendmail<\/code> files and replace them with symlinks to ssmtp<\/code>. <\/p>\n\n\n\n
Randomised root password<\/h3>\n\n\n\n
The next thing we’re going to tackle here is randomly generating our root password – from a security standpoint, it’s more secure to have different<\/em> root passwords across multiple machines. If an attacker is able to breach one<\/em> of your machines, in theory they shouldn’t be able to access anything else if each VM’s root password is different. <\/p>\n\n\n\n
One again, we need to open up our kickstart file and add a few lines into it. 
Essentially this snip is generating a random string of 100 alphanumerical characters and then grabs the first 15<\/strong> (or value for HOWLONG<\/code>) characters. We then create and set permissions on a temporary password file, and echo the NEWPW<\/code> value to the passwd<\/code> command and also our temporary password file. <\/p>\n\n\n\n
%post --log=\/tmp\/post-build.log\n...\n#########################################\n# Generate random root password\n# https:\/\/serverfault.com\/a\/976598\nHOWLONG=15 # How long our root password should be\nNEWPW=$(< \/dev\/urandom tr -dc A-Za-z0-9 | head -c100 | head -c$((20+($RANDOM%20))) | tail -c$((20+($RANDOM%20))) | head -c${HOWLONG});\necho \"${NEWPW}\" |  passwd --stdin  root\ntouch \/tmp\/build\/password\nchmod 777 \/tmp\/build\/password\necho \"${NEWPW}\" >> \/tmp\/build\/password\n...\n%end<\/code><\/pre>\n\n\n\n
Next, we need to add the following underneath the above. Once again, we’re wget<\/code>-ing a script to our temp working directory, making it executable and then adding a line to the root crontab to make the script execute after the VM has rebooted.  <\/p>\n\n\n\n
%post --log=\/tmp\/post-build.log\n...\n#########################################\n# Copy our build cleanup script\nwget -O \/tmp\/build\/buildcleanup.sh ftp:\/\/10.176.10.2\/centos7\/config\/buildcleanup.sh\nchmod + \/tmp\/build\/buildcleanup.sh\necho \"@reboot sleep 60 && \/tmp\/build\/buildcleanup.sh && \/sbin\/shutdown -r now\" > \/var\/spool\/cron\/root\n...\n%end<\/code><\/pre>\n\n\n\n
And here’s the buildcleanup<\/code> script we need to create in our FTP directory. This script restarts the postfix service, and then emails out the password file created above to the recipient set in MAILTO<\/code>. The script also deletes our temporary working directory and resets the root crontab. <\/p>\n\n\n\n
#!\/bin\/bash\nsystemctl restart postfix\nsleep 15\nMAILTO='admin@yourdomain.tld'\nPASSWORDFILE=$(cat \/tmp\/build\/password)\necho \"The root password is $PASSWORDFILE\" | mail -s \"$HOSTNAME build complete!\" $MAILTO\nsleep 30\n\/bin\/rm -rf \/tmp\/build\/\n\/bin\/crontab -r<\/code><\/pre>\n\n\n\n
Bringing it all together<\/h3>\n\n\n\n
So at this point we’ve modified our kickstart file a bunch, and created a bunch of files in our \/var\/ftp\/centos7\/config<\/code> directory, so now what?
Before we do anything else, now is a good time to run ksvalidator<\/code> against the kickstart to make sure there’s nothing wrong with it. everything good? Let’s try to build a VM!<\/p>\n\n\n\n
PXE boot a VM and run through the process the same as before – however, we’ll be promoted to enter a hostname, IP, subnet, default gateway and DNS server before<\/em> the build starts. <\/p>\n\n\n\n
\"\"<\/figure><\/div>\n\n\n\n
Once the build has finished, you’ll be sent to a login screen – after a couple of minutes, the VM should reboot once more, and you’ll receive an email from the VM containing the root password. <\/p>\n\n\n\n
\"\"<\/figure><\/div>\n\n\n\n
Now, if all has gone to plan, we should be able to successfully login with the root account and the password in the above email<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
Finally, for the purpose of demonstration, I commented out line 9<\/strong> of the buildcleanup.sh<\/code> script so the password file was not removed. If we now cat<\/code> the \/tmp\/build\/password<\/code> file, we’ll see that it contains our root password. <\/p>\n\n\n\n
Wrapping up<\/h3>\n\n\n\n
In this post we’ve covered the process of customising our kickstart file more by making it prompt us for a hostname\/IP address details, install more packages, copy files to configure a package, randomly generate our root password, and then email us once everything is completed so we know the VM is ready to be used. <\/p>\n\n\n\n
In the next post I’m going to cover automatically joining our VM to Active Directory so we can both login with an AD username, and also use AD to manage user permissions on the VM. <\/p>\n","protected":false},"excerpt":{"rendered":"
This is the third post in a series on building\/setting up\/improving a PXE boot server with CentOS.<\/p>\n
Read moreCentOS kickstart: more automation!<\/span><\/a><\/div>\n","protected":false},"author":1,"featured_media":179,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[12,6],"tags":[],"class_list":["post-146","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-archive","category-homelab","excerpt","zoom","full-without-featured","even","excerpt-0"],"jetpack_featured_media_url":"https:\/\/dannypayne.me\/wp-content\/uploads\/2020\/08\/2020-08-16-14_29_26-B-PXEBOOT-VMware-Workstation.jpg","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/dannypayne.me\/index.php?rest_route=\/wp\/v2\/posts\/146","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/dannypayne.me\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/dannypayne.me\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/dannypayne.me\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/dannypayne.me\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=146"}],"version-history":[{"count":28,"href":"https:\/\/dannypayne.me\/index.php?rest_route=\/wp\/v2\/posts\/146\/revisions"}],"predecessor-version":[{"id":190,"href":"https:\/\/dannypayne.me\/index.php?rest_route=\/wp\/v2\/posts\/146\/revisions\/190"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/dannypayne.me\/index.php?rest_route=\/wp\/v2\/media\/179"}],"wp:attachment":[{"href":"https:\/\/dannypayne.me\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=146"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/dannypayne.me\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=146"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/dannypayne.me\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=146"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}