Add custom kickstart file and root ca certificates to iso file
Introduction and goals
This is intended to be one of my longer posts. This article describes how to accomplish the following tasks:
- Insert custom kickstart files into an iso file
- Insert custom root CA certificates into the initrd.img of an iso file, so you can fetch a custom repository over https
- Write a sample kickstart file
- Open up the initrd.img to add more files
The example file used is Fedora-Workstation-netinst-x86_64-27-1.6.iso available from https://getfedora.org/en/workstation/download/
The files
You will need a few files, including:
- kickstart file
- Root certificate
Kickstart files
My 2 different kickstart files are fc27c-ks.cfg (saved to Wordpress as a .doc, but it is truly just a plain text file) fc27x-ks.cfg Quite a few things to note about the content: I had to use http for all my local repositories, even though I got the ca certficate loaded. I think how my ISP bounces back my https traffic causes enough slowdown on the ssl handshake it prevents anaconda from using it correctly. It was working earlier in the day but I had to disable it. Observe in the %pre scriptlet the lines
cp -p /run/install/repo/ca-ipa.example.com.crt /etc/pki/ca-trust/source/anchors 2>/dev/null || :
update-ca-trust || :
These 2 lines load up the root certificate authority cert into the running initrd trusted keys, so the ssl connections are trusted. Please see the attached or indicated files.
Root certificate
A root certificate is the certificate that signs other certificates for that namespace. I use my own in my ipa domain, and I use it on my web server. So to connect with ssl because I want to encrypt everything possible, I need this cert in the runtime environment on the iso disc image. My root ca file is not shared on this blog. Go get your own!
The steps
Mount original iso
mkdir -p /mnt/originaliso
mount -v -o loop /mnt/public/Support/SetupsBig/Linux/Fedora-Workstation-netinst-x86_64-27-1.6.iso /mnt/originaliso/
Copy contents to work directory
mkdir -p /mnt/newiso ; cd /mnt/
time cp -pr originaliso/* newiso/
Copy in kickstart files
cp -pf /mnt/public/Support/Platforms/Fedora/fc27{x,c}-ks.cfg /mnt/newiso/
chown root:root /mnt/newiso/*ks.cfg
echo done
Tell disc to use new ks file
This task:
- Adds xfce and cinnamon menu options
- Find all the append= lines, and add to the end this attribute: ks=hd:LABEL=fc26:/fc26x-ks.cfg
The important piece is to have the LABEL= the volume name that you give the mkisofs -V "label" a few commands later in this article. If you really want to use a file:/ks.cfg, then you have to open up the initrd, which Appendix A demonstrates.
Fedora 27 xfce and cinnamon
label=fc27
tf=/mnt/newiso/isolinux/isolinux.cfg
sed -r -e "/append/{s/LABEL=([A-Za-z0-9_\-]*)(\s|:)/LABEL=${label}\2/;s/quiet//;};" -e '/label linux/,/^\s*$/H;' -e '/^\s*$/{x;};' "${tf}" | \
awk "BEGIN{a=0;b=0;labels[1]=\"xfce\";labels[2]=\"cinnamon\";} /^label [^l]/{b=b+1} b < 1 && /label linux/{a=a+1;\$0=\$0\" \"labels[a];} b < 1 && /menu label/{\$0=\$0\" \"labels[a];} b < 1 && /append/{\$0=\$0\"ks=hd:LABEL=${label}:/${label}\"substr(labels[a],1,1)\"-ks.cfg\";} {print;}" > "${tf}.$$"
mv -f "${tf}.$$" "${tf}"
Centos 7
label=centos7
tf=/mnt/newiso/isolinux/isolinux.cfg
sed -r -e "/append/{s/LABEL=([A-Za-z0-9_\-]*)(\s|:)/LABEL=${label}\2/;s/quiet//;};" "${tf}" | \
awk "BEGIN{a=0;b=0;labels[1]=\"with my bgstack15 custom kickstart\";} /^label [^l]/{b=b+1} b < 1 && /label linux/{a=a+1;\$0=\$0\" \"labels[a];} b < 1 && /menu label/{\$0=\$0\" \"labels[a];} b < 1 && /append/{\$0=\$0\"ks=hd:LABEL=${label}:/${label}-ks.cfg\";} {print;}" > "${tf}.$$"
mv -f "${tf}.$$" "${tf}"
Copy in certificate file
This will be used by the kickstart file and injected into the running initrd so https connections can be trusted to download the repos.
/bin/cp -pf /mnt/public/www/example/certs/ca-ipa.example.com.crt /mnt/newiso/
chown root:root /mnt/newiso/*.crt
Make new iso
Fedora 27
label=fc27
ti="${label}manual.iso"; cd /mnt/newiso;
rm -f /mnt/newiso/"${ti:-NOTHINGTODELETE}" ; __func() { mkisofs -V "${label}" -m '*.iso' -o "../${ti}" -b isolinux/isolinux.bin -c isolinux/boot.cat -no-emul-boot -boot-load-size 4 -boot-info-table -r -J -v -T . ; implantisomd5 "/mnt/${ti}" ; } ; time __func
CentOS 7
ti=centos7manual.iso ; cd /mnt/newiso ;
rm -f /mnt/newiso/"${ti:-NOTHINGTODELETE}" ; __func() { mkisofs -V "${label}" -m '*.iso' -o "../${ti}" -b isolinux/isolinux.bin -c isolinux/boot.cat -no-emul-boot -boot-load-size 4 -boot-info-table -r -J -v -T . ; implantisomd5 "/mnt/${ti}" ; } ; time __func
Copy to server so vm1 can access
time su bgstack15 -c "cp -pf /mnt/${ti} /mnt/public/Support/SetupsBig/Linux/";
echo done
Next steps
After that, the iso is ready to be burned to disc or used by virt-install. I have not actually tried burning a disc or usb drive, but I assume it's pretty similar to a regular Live iso. For virt-install, I was simply unable to get my fancy customized iso to work fully automatically. For a regular, unattended vm install, I use the regular Fedora netinstall iso and I inject my kickstart file.
vm=fc27x-02a ; time sudo virt-install -n "${vm}" --memory 2048 --vcpus=1 --os-variant=fedora25 --accelerate -v --disk path=/var/lib/libvirt/images/"${vm}".qcow2,size=20 -l /mnt/public/Support/SetupsBig/Linux/Fedora-Workstation-netinst-x86_64-27-1.6.iso --initrd-inject=/mnt/public/Support/Platforms/Fedora/fc27x-ks.cfg --extra-args "ks=file:/fc27x-ks.cfg SERVERNAME=${vm} NOTIFYEMAIL=myemailhere@gmail.com" --debug --network type=direct,source=eno1
And to destroy that vm when I'm done with it:
vm=fc27x-02a; sudo virsh destroy "${vm}"; sudo virsh undefine --remove-all-storage "${vm}";
But this custom iso that we built is ready to be inserted into a vm, where you can manually select the xfce or the cinnamon option. After that initial menu choice, everything else is automatic and unattended.
Appendices</h1
Appendix A: Modify initrd.img file
Right after step "Copy in certificate file," if you want to modify the initrd.img file, you can use these steps:
Open initrd.img xz file
mkdir -p /mnt/initrd1; cd /mnt/initrd1; time xzcat /mnt/originaliso/isolinux/initrd.img | cpio -d -i -m
Perform any file modifications to that filesystem in /mnt/initrd1.
Assemble new initrd.img file
cd /mnt/initrd1 ; time find . | cpio -o -H newc | xz --check=crc32 --x86 --lzma2=dict=512KiB > /mnt/newiso/isolinux/initrd.img
References
Weblinks
- https://serverfault.com/questions/549121/kickstart-installation-from-usb-kickstart-location#783512
- https://access.redhat.com/discussions/762253
- https://duckduckgo.com/?q=initrd+ks%3Dcdrom%3A&t=ffab&ia=qa
- https://serverfault.com/questions/549121/kickstart-installation-from-usb-kickstart-location
- http://www.smorgasbork.com/2012/01/04/building-a-custom-centos-6-kickstart-disc-part-3/
- https://unix.stackexchange.com/questions/90913/how-to-open-the-clonezilla-initrd-img
- https://tutel.me/c/unix/questions/391000/customized+iso+will+not+install+from+a+local+kickstart+on+the+installation+cd
Internal documents
~/2017/Systems/guides/Add custom kickstart to iso file.odt
Comments