AutoYaST - Is there a way to specify the LSM to use in the autoinst.xml control file?
I've created an AutoYaST control file (autoinst.xml) which installs an openSUSE Tumbleweed system for use as a Virtual Machine OS. There are three issues I've not been able to find a solution/workaround for:

1. There doesn't seem to be a way to specify which Linux Security Module is selected via autoinst.xml. This means that my attempts to remove apparmor related patterns / packages fail and it requires manual intervention. As far as I can tell, the LSM is specified in the control.xml file in the openSUSE installation media's /x86_64/openSUSE-release-*.rpm package and I don't know how I can override it.

2. After looking at examples on how to prompt the user for a hostname, I believe I've configured the control file correctly but it never sets the machine's hostname to the value the user provides. It always sets it to the literal value of the <hostname>...</hostname> tag. Does anyone see anything wrong with the control file?

<?xml version="1.0"?>
<!DOCTYPE profile>
<profile xmlns="http://www.suse.com/1.0/yast2ns" xmlns:config="http://www.suse.com/1.0/configns">
  <add-on t="map">
    <add_on_others t="list">
      <listentry t="map">
        <alias>download.opensuse.org-oss</alias>
        <media_url>https://mirrorcache-eu.opensuse.org/tumbleweed/repo/oss/</media_url>
        <name>Main Repository (OSS)</name>
        <priority t="integer">99</priority>
        <product_dir>/</product_dir>
      </listentry>
      <listentry t="map">
        <alias>download.opensuse.org-non-oss</alias>
        <media_url>https://mirrorcache-eu.opensuse.org/tumbleweed/repo/non-oss/</media_url>
        <name>Main Repository (NON-OSS)</name>
        <priority t="integer">99</priority>
        <product_dir>/</product_dir>
      </listentry>
      <listentry t="map">
        <alias>download.opensuse.org-tumbleweed</alias>
        <media_url>https://mirrorcache-eu.opensuse.org/update/tumbleweed/</media_url>
        <name>Main Update Repository</name>
        <priority t="integer">99</priority>
        <product_dir>/</product_dir>
      </listentry>
    </add_on_others>
  </add-on>
  <bootloader t="map">
    <global t="map">
      <append>mitigations=auto loglevel=4 systemd.log_level=warning udev.log_level=warning</append>
      <cpu_mitigations>auto</cpu_mitigations>
      <hiddenmenu>false</hiddenmenu>
      <os_prober>false</os_prober>
      <secure_boot>true</secure_boot>
      <terminal>console</terminal>
      <timeout t="integer">10</timeout>
    </global>
    <loader_type>grub2-efi</loader_type>
  </bootloader>
  <general t="map">
    <ask-list t="list">
      <ask>
        <pathlist t="list">
          <path>networking,dns,hostname</path>
        </pathlist>
        <question>Enter a FQDN Hostname (Long Format) for this machine</question>
        <stage>initial</stage>
        <default>localhost.localdomain</default>
        <help>Provide a fully qualified hostname for this machine.</help>
        <title>Hostname</title>
        <type>string</type>
      </ask>
    </ask-list>
    <semi-automatic t="list">
      <semi-automatic_entry>networking</semi-automatic_entry>
      <semi-automatic_entry>partitioning</semi-automatic_entry>
    </semi-automatic>
    <mode t="map">
      <confirm t="boolean">true</confirm>
      <second_stage t="boolean">false</second_stage>
    </mode>
  </general>
  <groups t="list">
    <group t="map">
      <encrypted t="boolean">true</encrypted>
      <gid>100</gid>
      <group_password>x</group_password>
      <groupname>users</groupname>
      <userlist/>
    </group>
    <group t="map">
      <encrypted t="boolean">true</encrypted>
      <gid>0</gid>
      <group_password>x</group_password>
      <groupname>root</groupname>
      <userlist/>
    </group>
  </groups>
  <host t="map">
    <hosts t="list">
      <hosts_entry t="map">
        <host_address>127.0.0.1</host_address>
        <names t="list">
          <name>localhost</name>
          <name>localhost.localdomain</name>
        </names>
      </hosts_entry>
      <hosts_entry t="map">
        <host_address>::1</host_address>
        <names t="list">
          <name>localhost ipv6-localhost ipv6-loopback</name>
        </names>
      </hosts_entry>
      <hosts_entry t="map">
        <host_address>fe00::0</host_address>
        <names t="list">
          <name>ipv6-localnet</name>
        </names>
      </hosts_entry>
      <hosts_entry t="map">
        <host_address>ff00::0</host_address>
        <names t="list">
          <name>ipv6-mcastprefix</name>
        </names>
      </hosts_entry>
      <hosts_entry t="map">
        <host_address>ff02::1</host_address>
        <names t="list">
          <name>ipv6-allnodes</name>
        </names>
      </hosts_entry>
      <hosts_entry t="map">
        <host_address>ff02::2</host_address>
        <names t="list">
          <name>ipv6-allrouters</name>
        </names>
      </hosts_entry>
      <hosts_entry t="map">
        <host_address>ff02::3</host_address>
        <names t="list">
          <name>ipv6-allhosts</name>
        </names>
      </hosts_entry>
    </hosts>
  </host>
  <language t="map">
    <language>en_GB</language>
    <languages>en_GB</languages>
  </language>
  <networking t="map">
    <dns t="map">
      <hostname>foo</hostname>
      <domain>bar</domain>
      <dhcp_hostname t="boolean">false</dhcp_hostname>
      <resolv_conf_policy>auto</resolv_conf_policy>
    </dns>
    <backend>wicked</backend>
  </networking>
  <services-manager t="map">
    <default_target>multi-user</default_target>
  </services-manager>
  <software t="map">
    <install_recommended t="boolean">true</install_recommended>
    <packages t="list">
      <!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
           | Minimal packages |
           ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
      <package>glibc-locale</package>
      <package>curl</package>
    </packages>
    <patterns t="list">
      <!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
           | Minimal patterns |
           ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
      <pattern>base</pattern>
      <pattern>minimal_base</pattern>
    </patterns>
    <remove-packages t="list">
      <!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
           | Packages to remove |
           ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
      <package>adjtimex</package>
      <package>apparmor-abstractions</package>
      <package>augeas-lenses</package>
      <package>cpio-mt</package>
      <package>cracklib</package>
      <package>dmraid</package>
      <package>dnsmasq</package>
      <package>dump-rmt</package>
      <package>ibmtss-base</package>
      <package>irqbalance</package>
      <package>kernel-firmware-all</package>
      <package>kernel-firmware</package>
      <package>ModemManager</package>
      <package>mt-st</package>
      <package>numactl</package>
      <package>patterns-base-apparmor</package>
      <package>rp-pppoe</package>
      <package>schily-mt</package>
      <package>schily-rmt</package>
      <package>sg3_utils</package>
      <package>sound-theme-freedesktop</package>
      <package>tar-rmt</package>
      <package>ucode-amd</package>
      <package>ucode-intel</package>
      <package>zypper-lifecycle-plugin</package>
    </remove-packages>
    <remove-patterns t="list">
      <!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
           | Patterns to remove |
           ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
      <pattern>apparmor</pattern>
    </remove-patterns>
    <products t="list">
      <product>openSUSE</product>
    </products>
  </software>
  <timezone t="map">
    <hwclock>UTC</hwclock>
    <timezone>Europe/London</timezone>
  </timezone>
  <keyboard>
    <keymap>english-uk</keymap>
  </keyboard>
  <user_defaults t="map">
    <expire/>
    <group>100</group>
    <groups/>
    <home>/home</home>
    <inactive>-1</inactive>
    <no_groups t="boolean">true</no_groups>
    <shell>/bin/bash</shell>
    <skel>/etc/skel</skel>
    <umask>022</umask>
  </user_defaults>
  <users t="list">
    <user t="map">
      <authorized_keys t="list"/>
      <encrypted t="boolean">false</encrypted>
      <fullname>root</fullname>
      <gid>0</gid>
      <home>/root</home>
      <home_btrfs_subvolume t="boolean">false</home_btrfs_subvolume>
      <password_settings t="map">
        <expire/>
        <flag/>
        <inact/>
        <max/>
        <min/>
        <warn/>
      </password_settings>
      <shell>/bin/bash</shell>
      <uid>0</uid>
      <user_password>Passw0rd</user_password>
      <username>root</username>
    </user>
  </users>
  <scripts t="map">
    <!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
         | After installation is finished, the scripts and the output logs can be |
         | found under the directory /var/adm/autoinstall.                        |
         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
    <chroot-scripts t="list">
      <script>
        <chrooted t="boolean">true</chrooted>
        <filename>chroot-post.sh</filename>
        <interpreter>/bin/bash -x</interpreter>
        <notification>Please wait while chroot-post.sh script is running...</notification>
        <source><![CDATA[#!/usr/bin/env bash
echo "### Placeholder for things to configure:"
]]></source>
      </script>
    </chroot-scripts>
  </scripts>
</profile>

3. The following does not provide the user the ability to manually configure the network settings but they can customise the disk partitioning. Am I missing something?

<semi-automatic t="list">
  <semi-automatic_entry>networking</semi-automatic_entry>
  <semi-automatic_entry>partitioning</semi-automatic_entry>
</semi-automatic>

regards,
Jinesh
On Sun, 06-02-2022 at 13:07 +0000, Jinesh Choksi wrote:
I've created an AutoYaST control file (autoinst.xml) which installs an openSUSE Tumbleweed system for use as a Virtual Machine OS. There are three issues I've not been able to find a solution/workaround for:
Hi Jinesh,
1. There doesn't seem to be a way to specify which Linux Security Module is selected via autoinst.xml. This means that my attempts to remove apparmor related patterns / packages fail and it requires manual intervention. As far as I can tell, the LSM is specified in the control.xml file in the openSUSE installation media's /x86_64/openSUSE-release-*.rpm package and I don't know how I can override it.
Good news! This feature was introduced recently :-). It is included in yast2-security 4.4.10, so it will be available in openSUSE Leap 15.4 and it is already available in the latest Tumbleweed version (20220204). The LSM is selected within the <security/> section: <security> <lsm_select>selinux</lsm_select> </security> You can select "selinux", "apparmor" and "none". The documentation is being updated. Of course, you might need to remove the apparmor patterns/packages from the software section.
2. After looking at examples on how to prompt the user for a hostname, I believe I've configured the control file correctly but it never sets the machine's hostname to the value the user provides. It always sets it to the literal value of the <hostname>...</hostname> tag. Does anyone see anything wrong with the control file?
I can confirm this problem. I am having a look into it.
3. The following does not provide the user the ability to manually configure the network settings but they can customise the disk partitioning. Am I missing something?
<semi-automatic t="list">
  <semi-automatic_entry>networking</semi-automatic_entry>
  <semi-automatic_entry>partitioning</semi-automatic_entry>
</semi-automatic>
The networking client will not run in these situations: a) you already specified the interfaces configuration in the networking section of the AutoYaST profile. b) you are using NetworkManager. Now that we have basic support for NetworkManager, I would say that we should run the client *always*. In case we want to keep a), we need to improve the detection of such a situation (e.g., if your system is already connected to the network in order to read the AutoYaST profile, we consider the network as already configured -and perhaps we should not-). But maybe I am missing something. Knut/Michal, could you clarify?
regards,
Regards, Imo -- Imobach González Sosa YaST Team at SUSE LLC https://imobachgs.github.io/
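A pre-flight check to go with the answer above. This is an added example written for this page; it is not code from the thread, from AutoYaST or from SUSE. It assumes the three lsm_select values Imo lists (selinux, apparmor, none), the yast2ns default namespace used in Jinesh's profile, and a constructed sample profile embedded in the block that carries the same kind of <users> and <software> sections. It flags the things a practitioner would want caught before the profile reaches an installer: an lsm_select that does not match the patterns being installed or removed, an <ask> path that resolves to no element, and a user_password stored in cleartext (the profile in the question ships root with encrypted=false and a literal password; anyone who can fetch the profile from its HTTP server, DUD or VM image can read it).

```python
"""Lint an AutoYaST profile for LSM/software consistency, ask paths and credentials.

Added example, not AutoYaST code. Assumes the yast2ns namespace and the
lsm_select values selinux/apparmor/none; the sample profile below is constructed.
"""
import xml.etree.ElementTree as ET

NS = "http://www.suse.com/1.0/yast2ns"
VALID_LSM = {"selinux", "apparmor", "none"}


def q(tag):
    """Qualify a tag with the yast2ns namespace for ElementTree lookups."""
    return "{%s}%s" % (NS, tag)


def texts(root, path):
    """Stripped text of every element matched by an ElementTree path."""
    return {e.text.strip() for e in root.iterfind(path) if e.text}


def resolve_ask_path(root, path):
    """Walk a comma-separated <ask> path such as networking,dns,hostname."""
    cur = root
    for part in path.split(","):
        cur = cur.find(q(part.strip()))
        if cur is None:
            return None
    return cur


def lint_profile(xml_text):
    """Return a list of findings; an empty list means nothing was flagged."""
    root = ET.fromstring(xml_text)
    findings = []

    # 1. LSM selection: when absent, the product's control.xml default applies.
    lsm_el = root.find("./%s/%s" % (q("security"), q("lsm_select")))
    lsm = lsm_el.text.strip() if lsm_el is not None and lsm_el.text else None
    if lsm is None:
        findings.append("no <security><lsm_select>: the product default LSM will be used")
    elif lsm not in VALID_LSM:
        findings.append("unknown lsm_select %r (expected selinux, apparmor or none)" % lsm)

    # 2. The software section must agree with the LSM choice.
    sw = "./%s" % q("software")
    patterns = texts(root, "%s/%s/%s" % (sw, q("patterns"), q("pattern")))
    removed = texts(root, "%s/%s/%s" % (sw, q("remove-patterns"), q("pattern")))
    if lsm in ("selinux", "none") and "apparmor" in patterns - removed:
        findings.append("lsm_select=%s but the apparmor pattern is still installed" % lsm)
    if lsm == "apparmor" and "apparmor" in removed:
        findings.append("lsm_select=apparmor but the apparmor pattern is in remove-patterns")

    # 3. Every <ask> path must name an element that exists in the profile.
    ask_paths = "./%s/%s/%s/%s/%s" % (q("general"), q("ask-list"), q("ask"), q("pathlist"), q("path"))
    for path in texts(root, ask_paths):
        if resolve_ask_path(root, path) is None:
            findings.append("ask path %r matches no element, so the answer has nowhere to go" % path)

    # 4. Credentials: cleartext user_password, or encrypted=true without a crypt(3) hash.
    for user in root.iterfind("./%s/%s" % (q("users"), q("user"))):
        name_el = user.find(q("username"))
        name = name_el.text.strip() if name_el is not None and name_el.text else "?"
        pw_el = user.find(q("user_password"))
        enc_el = user.find(q("encrypted"))
        if pw_el is None or not pw_el.text:
            continue
        encrypted = enc_el is not None and (enc_el.text or "").strip() == "true"
        if not encrypted:
            findings.append("user %r: user_password is cleartext (encrypted is not true)" % name)
        elif not pw_el.text.strip().startswith("$"):
            findings.append("user %r: encrypted=true but user_password is not a crypt(3) hash" % name)
    return findings


# Constructed sample profile: selinux selected, apparmor pattern still installed,
# root password in cleartext. Not the profile from the question.
SAMPLE_PROFILE = """<?xml version="1.0"?>
<!DOCTYPE profile>
<profile xmlns="http://www.suse.com/1.0/yast2ns" xmlns:config="http://www.suse.com/1.0/configns">
  <security t="map"><lsm_select>selinux</lsm_select></security>
  <general t="map"><ask-list t="list"><ask>
    <pathlist t="list"><path>networking,dns,hostname</path></pathlist>
    <question>Enter a FQDN Hostname (Long Format) for this machine</question>
  </ask></ask-list></general>
  <networking t="map"><dns t="map"><hostname>foo</hostname><domain>bar</domain></dns></networking>
  <software t="map">
    <patterns t="list"><pattern>base</pattern><pattern>apparmor</pattern></patterns>
  </software>
  <users t="list"><user t="map">
    <encrypted t="boolean">false</encrypted>
    <username>root</username>
    <user_password>Passw0rd</user_password>
  </user></users>
</profile>
"""

if __name__ == "__main__":
    for finding in lint_profile(SAMPLE_PROFILE):
        print("WARN:", finding)
```

Run it against your own autoinst.xml by passing the file contents to lint_profile(); an empty list means the LSM choice, the software lists, the ask paths and the user passwords are consistent. The hash check only looks for the leading "$" of a crypt(3) string, which is enough to catch a password that was left in cleartext after flipping encrypted to true.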
On Mon, 07-02-2022 at 12:12 +0000, Imobach Gonzalez Sosa wrote: [..]
2. After looking at examples on how to prompt the user for a hostname, I believe I've configured the control file correctly but it never sets the machine's hostname to the value the user provides. It always sets it to the literal value of the <hostname>...</hostname> tag. Does anyone see anything wrong with the control file?
I can confirm this problem. I am having a look into it.
Finally, this one is a legit bug: https://bugzilla.suse.com/show_bug.cgi?id=1195630 Thanks for noticing! Regards, Imo -- Imobach González Sosa YaST Team at SUSE LLC https://imobachgs.github.io/
On Monday, 7 February 2022 13:22:17 CET Imobach Gonzalez Sosa wrote:
On Mon, 07-02-2022 at 12:12 +0000, Imobach Gonzalez Sosa wrote:
2. After looking at examples on how to prompt the user for a hostname, I believe I've configured the control file correctly but it never sets the machine's hostname to the value the user provides. It always sets it to the literal value of the <hostname>...</hostname> tag. Does anyone see anything wrong with the control file?
I can confirm this problem. I am having a look into it.
Finally, this one is a legit bug: https://bugzilla.suse.com/show_bug.cgi?id=1195630
It is non-public: You are not authorized to access bug #1195630. To see this bug, you must first log in to an account with the appropriate permissions. Can you please open it? -- Kind regards, Andreas Vetter
On 2/7/22 14:12, Andreas Vetter wrote:
On Monday, 7 February 2022 13:22:17 CET Imobach Gonzalez Sosa wrote:
On Mon, 07-02-2022 at 12:12 +0000, Imobach Gonzalez Sosa wrote:
2. After looking at examples on how to prompt the user for a hostname, I believe I've configured the control file correctly but it never sets the machine's hostname to the value the user provides. It always sets it to the literal value of the <hostname>...</hostname> tag. Does anyone see anything wrong with the control file?
I can confirm this problem. I am having a look into it.
Finally, this one is a legit bug: https://bugzilla.suse.com/show_bug.cgi?id=1195630
It is non-public: You are not authorized to access bug #1195630. To see this bug, you must first log in to an account with the appropriate permissions.
Can you please open it?
I moved it from the product "SLES-15-SP4" to the product "Public SLES-15-SP4". Please verify it's accessible now. Cheers. -- Ancor González Sosa YaST Team at SUSE Software Solutions
On Monday, 7 February 2022 15:13:45 CET Ancor Gonzalez Sosa wrote:
On 2/7/22 14:12, Andreas Vetter wrote:
On Monday, 7 February 2022 13:22:17 CET Imobach Gonzalez Sosa wrote:
On Mon, 07-02-2022 at 12:12 +0000, Imobach Gonzalez Sosa wrote:
2. After looking at examples on how to prompt the user for a hostname, I believe I've configured the control file correctly but it never sets the machine's hostname to the value the user provides. It always sets it to the literal value of the <hostname>...</hostname> tag. Does anyone see anything wrong with the control file?
I can confirm this problem. I am having a look into it.
Finally, this one is a legit bug: https://bugzilla.suse.com/show_bug.cgi?id=1195630
It is non-public: You are not authorized to access bug #1195630. To see this bug, you must first log in to an account with the appropriate permissions.
Can you please open it?
I moved it from the product "SLES-15-SP4" to the product "Public SLES-15-SP4". Please verify it's accessible now.
Cheers.
Thank you, it is open now. -- Kind regards, Andreas Vetter
On Mon, 07-02-2022 at 12:22 +0000, Imobach Gonzalez Sosa wrote:
On Mon, 07-02-2022 at 12:12 +0000, Imobach Gonzalez Sosa wrote:
[..]
2. After looking at examples on how to prompt the user for a hostname, I believe I've configured the control file correctly but it never sets the machine's hostname to the value the user provides. It always sets it to the literal value of the <hostname>...</hostname> tag. Does anyone see anything wrong with the control file?
I can confirm this problem. I am having a look into it.
Finally, this one is a legit bug: https://bugzilla.suse.com/show_bug.cgi?id=1195630
Hi all, We have submitted a fix for the problems in points 2) and 3). When autoyast2 4.4.29 enters Tumbleweed: * The hostname should be set correctly. * You should see the networking configuration module during installation. If you are in a hurry, you can get our packages from the YaST:Head repository[1] and build a Driver Update Disk to be used during installation: mkdud --create your.dud --dist tw --install instsys *.rpm Do not forget to include the "autoyast2" and "autoyast2-installation" RPMs. Then, when booting the installation, you need to set the dud= boot option so AutoYaST can find the update. See SDB:Linuxrc[2] for further information. If you are not in a hurry, you could just wait for a few days until the fix is included 🙂 Do not hesitate to ask if you have more questions. Thanks! Regards, Imo [1] https://build.opensuse.org/package/show/YaST:Head/autoyast2 [2] https://en.opensuse.org/SDB:Linuxrc#p_dud -- Imobach González Sosa YaST Team at SUSE LLC https://imobachgs.github.io/
participants (4)
- Ancor Gonzalez Sosa
- Andreas Vetter
- Imobach Gonzalez Sosa
- Jinesh Choksi