# Try to minimize the image a bit
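%post
# Post-install cleanup that runs inside the image: removes per-image secrets
# captured at build time (random seed, SSH host keys), disables services and
# kernel modules the discovery image should not use, and strips data that is
# only needed during the build.

# Ensure we don't have the same random seed on every image, which
# could be bad for security at a later point...
echo " * purge existing random seed to avoid identical seeds everywhere"
rm -f /var/lib/random-seed

# I can't tell if this should force a new SSH key, or force a fixed one,
# but for now we can ensure that we generate new keys when SSHD is finally
# fired up on the nodes...  Host keys left in the image would be shared by
# every node booted from it.
#
# We also disable SSHd automatic startup in the final image.
echo " * disable sshd and purge existing SSH host keys"
rm -f /etc/ssh/ssh_host_*key{,.pub}
systemctl disable sshd.service

# This seems to cause 'reboot' resulting in a shutdown on certain platforms
# See https://tickets.puppetlabs.com/browse/RAZOR-100
# "blacklist" only stops automatic loading by alias; the "install ... /bin/true"
# lines turn an explicit modprobe of the module into a no-op as well.
echo " * disable the mei_me module"
mkdir -p /etc/modprobe.d
# Quoted delimiter: the body is written literally, with no shell expansion.
cat > /etc/modprobe.d/mei.conf <<'EOMEI'
blacklist mei_me
install mei_me /bin/true
blacklist mei
install mei /bin/true
EOMEI

echo " * compressing cracklib dictionary"
gzip -9 /usr/share/cracklib/pw_dict.pwd

# remove things only needed during the build process
echo " * purging packages needed only during build"
rpm -e syslinux mtools acl

# 100MB of locale archive is kind of unnecessary; we only do en_US.utf8
# this will clear out everything we don't need; 100MB => 2.1MB.
echo " * minimizing locale-archive binary / memory size"
localedef --list-archive | grep -iv 'en_US' | xargs localedef -v --delete-from-archive
mv /usr/lib/locale/locale-archive /usr/lib/locale/locale-archive.tmpl
/usr/sbin/build-locale-archive

echo " * purging all other locale data"
rm -rf /usr/share/locale*

# -c: never create a log file that does not already exist.
echo " * truncating various logfiles"
for log in yum.log dracut.log lastlog; do
  truncate -c -s 0 "/var/log/${log}"
done

echo " * removing /boot, since that lives on the ISO side"
rm -rf /boot*

# The pattern is quoted so that find receives it verbatim instead of the shell
# expanding it against the current directory first.
echo " * removing python precompiled *.pyc files"
find /usr/lib64/python*/ -name '*pyc' -print0 | xargs -0 rm -f

# Empties the distribution-supplied trust bundle and regenerates the extracted
# stores from what is left.
# NOTE(review): after this step TLS verification against publicly trusted CAs
# is expected to fail until a CA is installed at runtime - confirm that the
# provisioning flow supplies the CA the image is meant to trust.
echo " * removing trusted CA certificates"
truncate -s0 /usr/share/pki/ca-trust-source/ca-bundle.trust.crt
update-ca-trust

echo " * setting up hostname"
echo fdi > /etc/hostname

# passwd -l locks the password only; it does not block other login methods
# such as SSH keys (sshd is disabled above).
echo " * locking root account"
passwd -l root

# With the rpm database gone, installed packages can no longer be listed or
# verified with rpm on the running image.
echo " * cleaning up yum cache and removing rpm database"
yum clean all
rm -rf /var/lib/{yum,rpm}/*
# fix the vim syntax markup */
%end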
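%post --nochroot
# Runs outside the image chroot, so paths here refer to the build environment.
# Abort if LIVE_ROOT is unset or empty: the path would otherwise resolve to
# /isolinux/isolinux.cfg at the root of that environment.
echo " * disquieting the microkernel boot process"
# Strip " rhgb" and " quiet" from the boot entries so kernel messages are shown.
sed -i -e's/ rhgb//g' -e's/ quiet//g' "${LIVE_ROOT:?LIVE_ROOT is not set}/isolinux/isolinux.cfg"
%end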