[Libosinfo] [osinfo-db 1/2] install-script, suse: Add install-scripts for SLES 12+
Christophe Fergeau
cfergeau at redhat.com
Thu May 4 14:00:20 UTC 2017
On Tue, May 02, 2017 at 09:25:00PM +0200, Fabiano Fidêncio wrote:
> On Tue, May 2, 2017 at 1:48 PM, Christophe Fergeau <cfergeau at redhat.com> wrote:
> > On Sun, Apr 23, 2017 at 12:41:30AM +0200, Fabiano Fidêncio wrote:
> >> The install-scripts added support SLES 12, SLES 12 SP1 and SLES 12 SP2.
> >>
> >> Those scripts were completely based on the openSUSE ones and tested
> >> against the "free for download" ISOs provided by SUSE, that you can find
> >> in: https://www.suse.com/download-linux/
> >>
> >> Signed-off-by: Fabiano Fidêncio <fabiano at fidencio.org>
> >> ---
> >> .../suse.com/suse-autoyast-desktop.xml.in | 287 +++++++++++++++++++++
> >> .../suse.com/suse-autoyast-jeos.xml.in | 201 +++++++++++++++
> >> data/os/suse.com/sles-12.1.xml.in | 7 +-
> >> data/os/suse.com/sles-12.2.xml.in | 13 +-
> >> data/os/suse.com/sles-12.xml.in | 7 +-
> >> 5 files changed, 509 insertions(+), 6 deletions(-)
> >> create mode 100644 data/install-script/suse.com/suse-autoyast-desktop.xml.in
> >> create mode 100644 data/install-script/suse.com/suse-autoyast-jeos.xml.in
> >>
> >> diff --git a/data/install-script/suse.com/suse-autoyast-desktop.xml.in b/data/install-script/suse.com/suse-autoyast-desktop.xml.in
> >> new file mode 100644
> >> index 0000000..acb38c1
> >> --- /dev/null
> >> +++ b/data/install-script/suse.com/suse-autoyast-desktop.xml.in
> >> @@ -0,0 +1,287 @@
> >> +<libosinfo version="0.0.1">
> >> +<!-- Licensed under the GNU General Public License version 2 or later.
> >> + See http://www.gnu.org/licenses/ for a copy of the license text -->
> >> +
> >> + <!-- DESKTOP PROFILE -->
> >> + <install-script id='http://suse.com/suse/autoyast/desktop'>
> >> + <profile>desktop</profile>
> >> + <expected-filename>autoinst.xml</expected-filename>
> >> + <config>
> >> + <!-- Localization options -->
> >> + <param name="l10n-keyboard" policy="optional" value-map="http://x.org/x11-keyboard"/>
> >> + <param name="l10n-language" policy="optional"/>
> >> + <param name="l10n-timezone" policy="optional"/>
> >> +
> >> + <!-- Network options -->
> >> + <param name="hostname" policy="optional"/>
> >> + <param name="domain" policy="optional"/>
> >> +
> >> + <!-- Account options -->
> >> + <param name="admin-password" policy="optional"/>
> >> + <param name="user-fullname" policy="optional"/>
> >> + <param name="user-login" policy="required"/>
> >> + <param name="user-password" policy="optional"/>
> >> + <param name="avatar-location" policy="optional"/>
> >> + <param name="avatar-disk" policy="optional"/>
> >> + </config>
> >> + <injection-method>disk</injection-method>
> >> +
> >> + <template>
> >> + <xsl:stylesheet
> >> + xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
> >> + version="1.0">
> >> +
> >> + <xsl:output method="xml" indent="yes" omit-xml-declaration="yes"/>
> >> +
> >> + <xsl:template name="l10n-language">
> >> + <xsl:choose>
> >> + <xsl:when test="config/l10n-language != '' and config/l10n-language != 'C'">
> >> + <xsl:value-of select="config/l10n-language"/>
> >> + </xsl:when>
> >> + <xsl:otherwise>
> >> + <xsl:text>en_US</xsl:text>
> >> + </xsl:otherwise>
> >> + </xsl:choose>
> >> + </xsl:template>
> >> +
> >> + <xsl:template name="l10n-keyboard">
> >> + <xsl:choose>
> >> + <xsl:when test="config/l10n-keyboard != '' and config/l10n-keyboard != 'C'">
> >> + <xsl:value-of select="config/l10n-keyboard"/>
> >> + </xsl:when>
> >> + <xsl:otherwise>
> >> + <xsl:text>us</xsl:text>
> >> + </xsl:otherwise>
> >> + </xsl:choose>
> >> + </xsl:template>
> >> +
> >> + <xsl:template match="/command-line">
> >> + <xsl:text>autoyast=device://sda/</xsl:text>
> >
> > I guess vda is not valid there?
>
> Nops. That's the same case for OpenSUSE.
>
> >
> >> + <xsl:value-of select="script/expected-filename"/>
> >> + </xsl:template>
> >> +
> >> + <xsl:template match="/install-script-config">
> >> + <profile xmlns="http://www.suse.com/1.0/yast2ns" xmlns:config="http://www.suse.com/1.0/configns">
> >> + <bootloader>
> >> + <device_map config:type="list">
> >> + <device_map_entry>
> >> + <firmware>hd0</firmware>
> >> + <linux>/dev/vda</linux>
> >> + </device_map_entry>
> >> + </device_map>
> >> + <global>
> >> + <activate>true</activate>
> >> + <append>resume=/dev/vda1 splash=silent quiet showopts</append>
> >> + <boot_boot>false</boot_boot>
> >> + <boot_extended>false</boot_extended>
> >> + <boot_mbr>false</boot_mbr>
> >> + <boot_root>true</boot_root>
> >> + <default>0</default>
> >> + <distributor/>
> >> + <failsafe_disabled>true</failsafe_disabled>
> >> + <generic_mbr>true</generic_mbr>
> >> + <gfxmode>auto</gfxmode>
> >> + <os_prober>true</os_prober>
> >> + <terminal>gfxterm</terminal>
> >> + <timeout config:type="integer">8</timeout>
> >> + <vgamode/>
> >> + </global>
> >> + <loader_type>grub2</loader_type>
> >> + </bootloader>
> >> + <firewall>
> >> + <enable_firewall config:type="boolean">false</enable_firewall>
> >> + <start_firewall config:type="boolean">false</start_firewall>
> >> + </firewall>
> >
> > Any particular reason to disable firewall?
>
> No particular reason. I'll remove it in a v2.
>
> >
> >> + <general>
> >> + <ask-list config:type="list"/>
> >> + <mode>
> >> + <confirm config:type="boolean">false</confirm>
> >> + <final_reboot config:type="boolean">true</final_reboot>
> >> + </mode>
> >> + <proposals config:type="list"/>
> >> + <signature-handling>
> >> + <accept_file_without_checksum config:type="boolean">true</accept_file_without_checksum>
> >> + <accept_non_trusted_gpg_key config:type="boolean">true</accept_non_trusted_gpg_key>
> >> + <accept_unknown_gpg_key config:type="boolean">true</accept_unknown_gpg_key>
> >> + <accept_unsigned_file config:type="boolean">true</accept_unsigned_file>
> >> + <accept_verification_failed config:type="boolean">false</accept_verification_failed>
> >> + <import_gpg_key config:type="boolean">true</import_gpg_key>
> >> + </signature-handling>
> >
> > This seems fairly unsecure too, is this required?
>
> Hmm. I'll double check, but I do believe I can drop those for SLES.
>
> >
> >
> >> + <storage>
> >> + <partition_alignment config:type="symbol">align_optimal</partition_alignment>
> >> + <start_multipath config:type="boolean">false</start_multipath>
> >> + </storage>
> >> + </general>
> >> + <keyboard>
> >> + <keyboard_values>
> >> + <delay/>
> >> + <discaps config:type="boolean">false</discaps>
> >> + <numlock>bios</numlock>
> >> + <rate/>
> >> + </keyboard_values>
> >> + <keymap><xsl:call-template name="l10n-keyboard"/></keymap>
> >> + </keyboard>
> >> + <language><xsl:call-template name="l10n-language"/></language>
> >> + <networking>
> >> + <managed config:type="boolean">false</managed>
> >> + <interfaces config:type="list">
> >> + <interface>
> >> + <bootproto>dhcp</bootproto>
> >> + <device>eth0</device>
> >> + <startmode>auto</startmode>
> >> + <usercontrol>no</usercontrol>
> >> + </interface>
> >> + </interfaces>
> >> + </networking>
> >> + <partitioning config:type="list">
> >> + <drive>
> >> + <device>/dev/vda</device>
> >> + <type config:type="symbol">CT_DISK</type>
> >> + <use>all</use>
> >> + </drive>
> >> + </partitioning>
> >> + <report>
> >> + <errors>
> >> + <log config:type="boolean">true</log>
> >> + <show config:type="boolean">true</show>
> >> + <timeout config:type="integer">0</timeout>
> >> + </errors>
> >> + <messages>
> >> + <log config:type="boolean">true</log>
> >> + <show config:type="boolean">true</show>
> >> + <timeout config:type="integer">10</timeout>
> >> + </messages>
> >> + <warnings>
> >> + <log config:type="boolean">true</log>
> >> + <show config:type="boolean">true</show>
> >> + <timeout config:type="integer">10</timeout>
> >> + </warnings>
> >> + <yesno_messages>
> >> + <log config:type="boolean">true</log>
> >> + <show config:type="boolean">true</show>
> >> + <timeout config:type="integer">10</timeout>
> >> + </yesno_messages>
> >> + </report>
> >> + <scripts>
> >> + <chroot-scripts config:type="list">
> >> + <script>
> >> + <chrooted config:type="boolean">true</chrooted>
> >> + <source>
> >> +
> >> +if test -z '<xsl:value-of select="config/user-password"/>'; then
> >> +pam-config -a --unix-nullok
> >> +pam-config -a --nullok
> >
> > Shouldn't this be conditional on the SUSE version as done below?
>
> Nops. It's needed for all versions to allow setting a user with no password.
>
> >
> >> +
> >> +<xsl:if test="os/version = 12">
> >> +useradd <xsl:value-of select="config/user-login"/> -m -G users
> >> +passwd -d <xsl:value-of select="config/user-login"/>
> >> +</xsl:if>
> >
> > Does this mean we are not setting a password on older suse?
>
> There's no older SUSE script at this point.
>
> For 12 SP1 and 12 SP2 we can do this using the <users> XML tag, while
> for 12 the only way that worked was by actually adding the user as
> done above.
>
> >
> >> +
> >> +#Enable passwordless login for users that are part of the nopasswdlogin group
> >> +sed -i '4 i auth sufficient pam_succeed_if.so user ingroup nopasswdlogin' /etc/pam.d/gdm-password
> >> +fi
> >> +
> >> +if test -n '<xsl:value-of select="config/avatar-location"/>'; then
> >> +# Set user avatar
> >> +mkdir /mnt/unattended-media
> >> +mount <xsl:value-of select='config/avatar-disk'/> /mnt/unattended-media
> >> +cp /mnt/unattended-media<xsl:value-of select="config/avatar-location"/> /var/lib/AccountsService/icons/<xsl:value-of select="config/user-login"/>
> >> +umount /mnt/unattended-media
> >> +
> >> +echo "
> >> +[User]
> >> +Language=<xsl:value-of select="config/l10n-language"/>.UTF-8
> >> +XSession=gnome
> >> +Icon=/var/lib/AccountsService/icons/<xsl:value-of select="config/user-login"/>
> >> +" >> /var/lib/AccountsService/users/<xsl:value-of select="config/user-login"/>
> >> +fi
> >> + </source>
> >> + </script>
> >> + </chroot-scripts>
> >> + </scripts>
> >> + <services-manager>
> >> + <default_target>graphical</default_target>
> >> + </services-manager>
> >> + <software>
> >> + <packages config:type="list">
> >> + <package>autoyast2-installation</package>
> >> + <package>gdm</package>
> >> + </packages>
> >> + <patterns config:type="list">
> >> + <pattern>Minimal</pattern>
> >> + <pattern>apparmor</pattern>
> >> + <pattern>base</pattern>
> >> + <pattern>gnome-basic</pattern>
> >> + <pattern>printing</pattern>
> >> + <xsl:if test="os/version > 12">
> >> + <pattern>smt</pattern>
> >> + </xsl:if>
> >> + <pattern>x11</pattern>
> >> + </patterns>
> >> + </software>
> >> + <sysconfig config:type="list">
> >> + <sysconfig_entry>
> >> + <sysconfig_key>DISPLAYMANAGER</sysconfig_key>
> >> + <sysconfig_path>/etc/sysconfig/displaymanager</sysconfig_path>
> >> + <sysconfig_value>gdm</sysconfig_value>
> >> + </sysconfig_entry>
> >> + <sysconfig_entry>
> >> + <sysconfig_key>DEFAULT_WM</sysconfig_key>
> >> + <sysconfig_path>/etc/sysconfig/windowmanager</sysconfig_path>
> >> + <sysconfig_value>gnome</sysconfig_value>
> >> + </sysconfig_entry>
> >> + </sysconfig>
> >> + <timezone>
> >> + <hwclock>UTC</hwclock>
> >> + <timezone><xsl:value-of select="config/l10n-timezone"/></timezone>
> >> + </timezone>
> >> + <user_defaults>
> >> + <expire/>
> >> + <group>100</group>
> >> + <groups/>
> >> + <home>/home</home>
> >> + <inactive>-1</inactive>
> >> + <no_groups config:type="boolean">true</no_groups>
> >> + <shell>/bin/bash</shell>
> >> + <skel>/etc/skel</skel>
> >> + <umask>022</umask>
> >> + </user_defaults>
> >
> > Same question, a bit below you check for suse version before allowing
> > empty passwords, should the condition be here too?
>
> That's not the case here. The group "nopasswdlogin" must be created in
> any SLES version in order to allow passwordless login.
>
> >
> >> + <xsl:if test="config/user-password = ''">
> >> + <groups config:type="list">
> >> + <group>
> >> + <group_password>x</group_password>
> >> + <groupname>nopasswdlogin</groupname>
> >> + <userlist><xsl:value-of select="config/user-login"/></userlist>
> >> + </group>
> >> + </groups>
> >> + </xsl:if>
> >> + <users config:type="list">
> >> + <user>
> >> + <encrypted config:type="boolean">false</encrypted>
> >> + <fullname>root</fullname>
> >> + <gid>0</gid>
> >> + <home>/root</home>
> >> + <shell>/bin/bash</shell>
> >> + <uid>0</uid>
> >> + <user_password><xsl:value-of select="config/admin-password"/></user_password>
> >> + <username>root</username>
> >> + </user>
> >> + <!--
> >> + While SLES 12 doesn't allow creating a user without a password,
> >> + it's okay to do so on the newer versions
> >> + -->
> >> + <xsl:if test="config/user-password != '' or os/version > 12">
> >> + <user>
> >> + <encrypted config:type="boolean">false</encrypted>
> >> + <fullname><xsl:value-of select="config/user-fullname"/></fullname>
> >> + <user_password><xsl:value-of select="config/user-password"/></user_password>
> >> + <username><xsl:value-of select="config/user-login"/></username>
> >> + </user>
> >> + </xsl:if>
> >
> > So we don't set a user password on older suse?
>
> We do!
>
> At this point the only supported versions are:
> SLES 12:
> - passwordless users must be created by useradd
> - normal user creating can be done through <user> XML tag
> SLES 12 SP1 and SLES 12 SP2:
> - both normal and passwordless users can be created through the
> <user> XML tag.
Ok, so I think it's the comment which confused me:
+ <!--
+ While SLES 12 doesn't allow creating a user without a password,
+ it's okay to do so on the newer versions
+ -->
It doesn't allow creating a user without a password *in this <user>
section*, this needs to be done with useradd instead (I'd add a similar
comment before the useradd part).
It's more clear to me now, thanks!
Christophe
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 801 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/libosinfo/attachments/20170504/03563da9/attachment.sig>
More information about the Libosinfo
mailing list