Added support for building redhat isos and updated simp rpm deps (#885)

Author: michael-riddle

Puppetfile.pinned

@@ -45,7 +45,7 @@ mod 'simp-environment',
 
 mod 'simp-gpgkeys',
   :git => 'https://github.com/simp/simp-gpgkeys',
-  :tag => '3.1.5'
+  :tag => '3.2.0'
 
 mod 'simp-simp_selinux_policy',
   :git => 'https://github.com/simp/simp-selinux-policy',
@@ -335,7 +335,7 @@ mod 'simp-selinux',
 
 mod 'simp-simp',
   :git => 'https://github.com/simp/pupmod-simp-simp',
-  :tag => '4.16.5'
+  :tag => '4.16.6'
 
 mod 'simp-simpkv',
   :git => 'https://github.com/simp/pupmod-simp-simpkv',

build/distributions/CentOS/8Stream/x86_64/DVD/ks/dvd/auto.cfg

@@ -328,7 +328,7 @@ baseurl=file://${SIMP_REPO_DIR}/SIMP
 enabled=1
 gpgcheck=1
 gpgkey=file:///var/www/yum/SIMP/GPGKEYS/RPM-GPG-KEY-SIMP-6
-    file:///var/www/yum/SIMP/GPGKEYS/RPM-GPG-KEY-SIMP
+    file:///var/ww/yum/SIMP/GPGKEYS/RPM-GPG-KEY-SICURA-CE-RELEASE
 $flocal_gpg_simp_lines
 
 [flocal-puppet]

build/distributions/CentOS/8Stream/x86_64/bolt_pulp3_config.yaml

@@ -391,7 +391,7 @@ AppStream:
   - name: javapackages-filesystem # provides javapackages-filesystem for java-1.8.0-openjdk-headless MODULE: javapackages-runtime:201801
 
 extras:
-- url: http://mirror.centos.org/centos/8-stream/extras/x86_64/os/
+  url: http://mirror.centos.org/centos/8-stream/extras/x86_64/os/
   #url: https://download.simp-project.com/simp/yum/experimental/simp6/el/8/x86_64/extras/
   rpms:
   - name: centos-release-advanced-virtualization
@@ -424,7 +424,7 @@ extras:
   - name: centos-release-storage-common
   - name: centos-release-stream
   - name: centos-release-virt-common
-  - name: centos-stream-repos
+  #- name: centos-stream-repos # This package doesn't exist in the streams version of extras
   - name: elrepo-release
   - name: epel-next-release
 

build/distributions/RedHat/8/x86_64/DVD/EFI/BOOT/grub.cfg

@@ -0,0 +1,73 @@
+set default="0"
+
+function load_video {
+  insmod efi_gop
+  insmod efi_uga
+  insmod video_bochs
+  insmod video_cirrus
+  insmod all_video
+}
+
+load_video
+set gfxpayload=keep
+insmod gzio
+insmod part_gpt
+insmod ext2
+
+set timeout=-1
+
+submenu 'SIMP images, FIPS enabled >' {
+  menuentry 'SIMP, FIPS enabled, STIG partitioning, disk encrypted' {
+    linuxefi /images/pxeboot/vmlinuz ks=cdrom:/ks/dvd/auto.cfg simp_disk_crypt simp_install=auto
+    initrdefi /images/pxeboot/initrd.img
+  }
+  menuentry 'SIMP, FIPS enabled, STIG partitioning' {
+    linuxefi /images/pxeboot/vmlinuz ks=cdrom:/ks/dvd/auto.cfg simp_install=auto
+    initrdefi /images/pxeboot/initrd.img
+  }
+  menuentry 'SIMP, FIPS enabled, user-specified disk partitioning' {
+    linuxefi /images/pxeboot/vmlinuz ks=cdrom:/ks/dvd/auto.cfg simp_opt=prompt simp_install=auto
+    initrdefi /images/pxeboot/initrd.img
+  }
+}
+
+submenu 'SIMP images, FIPS disabled >' {
+  menuentry 'SIMP, FIPS disabled, STIG partitioning, disk encrypted' {
+    linuxefi /images/pxeboot/vmlinuz ks=cdrom:/ks/dvd/auto.cfg fips=0 simp_disk_crypt simp_install=auto
+    initrdefi /images/pxeboot/initrd.img
+  }
+  menuentry 'SIMP, FIPS disabled, STIG partitioning' {
+    linuxefi /images/pxeboot/vmlinuz ks=cdrom:/ks/dvd/auto.cfg fips=0 simp_install=auto
+    initrdefi /images/pxeboot/initrd.img
+  }
+  menuentry 'SIMP, FIPS disabled, user-specified disk partitioning' {
+    linuxefi /images/pxeboot/vmlinuz ks=cdrom:/ks/dvd/auto.cfg fips=0 simp_opt=prompt simp_install=auto
+    initrdefi /images/pxeboot/initrd.img
+  }
+}
+
+submenu 'Minimal Linux images >' {
+  menuentry 'Minimal Linux image, FIPS enabled, STIG partitioning, disk encryption' {
+    linuxefi /images/pxeboot/vmlinuz ks=cdrom:/ks/dvd/min.cfg simp_disk_crypt simp_install=auto
+    initrdefi /images/pxeboot/initrd.img
+  }
+  menuentry 'Minimal Linux image, FIPS enabled, STIG partitioning' {
+    linuxefi /images/pxeboot/vmlinuz ks=cdrom:/ks/dvd/min.cfg simp_install=auto
+    initrdefi /images/pxeboot/initrd.img
+  }
+  menuentry 'Minimal Linux image, FIPS disabled, STIG partitioning, disk encryption' {
+    linuxefi /images/pxeboot/vmlinuz ks=cdrom:/ks/dvd/min.cfg simp_disk_crypt fips=0 simp_install=auto
+    initrdefi /images/pxeboot/initrd.img
+  }
+  menuentry 'Minimal Linux image, FIPS disabled, STIG partitioning' {
+    linuxefi /images/pxeboot/vmlinuz ks=cdrom:/ks/dvd/min.cfg fips=0 simp_install=auto
+    initrdefi /images/pxeboot/initrd.img
+  }
+}
+
+submenu 'Other Options >' {
+  menuentry 'Rescue installed system' {
+    linuxefi /images/pxeboot/vmlinuz rescue askmethod
+    initrdefi /images/pxeboot/initrd.img
+  }
+}

build/distributions/RedHat/8/x86_64/DVD/isolinux/boot.msg

@@ -0,0 +1,20 @@
+
+
+
+ -  0aNOTE:07 To disable FIPS, add 0afips=007 to any option.
+
+ -  To auto-install SIMP, type 0asimp <ENTER>07.
+    - This will erase your existing system!
+    - You need at least 50GB of disk space for this to succeed.
+    - Disk will be encrypted and partitioned to be STIG compliant.
+    - Type 0asimp-nocrypt <ENTER>07 instead to disable encryption.
+
+ -  To install SIMP with disk prompt, type 0asimp-prompt <ENTER>07.
+    - This will erase your existing system!
+    - This will allow you to specify the system disk partitioning.
+
+ -  To auto-install a minimized system type 0alinux-min <ENTER>07.
+    - This will erase your existing system!
+    - You need at least 50GB of disk space for this to succeed.
+    - Disk will be encrypted and partitioned to be STIG compliant.
+    - Type 0alinux-min-nocrypt <ENTER>07 instead to disable encryption.

build/distributions/RedHat/8/x86_64/DVD/isolinux/isolinux.cfg

@@ -0,0 +1,24 @@
+default simp
+prompt 1
+display boot.msg
+label simp
+  kernel vmlinuz
+  append inst.ks=cdrom:/dev/cdrom:/ks/dvd/auto.cfg initrd=initrd.img simp_disk_crypt simp_install=auto
+label simp-nocrypt
+  kernel vmlinuz
+  append inst.ks=cdrom:/dev/cdrom:/ks/dvd/auto.cfg initrd=initrd.img simp_install=auto
+label simp-prompt
+  kernel vmlinuz
+  append inst.ks=cdrom:/dev/cdrom:/ks/dvd/auto.cfg initrd=initrd.img simp_opt=prompt simp_install=auto
+label linux-min
+  kernel vmlinuz
+  append inst.ks=cdrom:/dev/cdrom:/ks/dvd/min.cfg initrd=initrd.img simp_disk_crypt simp_install=auto
+label linux-min-nocrypt
+  kernel vmlinuz
+  append inst.ks=cdrom:/dev/cdrom:/ks/dvd/min.cfg initrd=initrd.img simp_install=auto
+label local
+  localboot 0
+label memtest86
+  kernel memtest
+  append -
+

build/distributions/RedHat/8/x86_64/DVD/ks/README

@@ -0,0 +1,15 @@
+= Intro =
+
+This directory has been set up as an example of how you can configure your
+kickstart directory.
+
+It should suffice for most clients built from the default load, but you may
+extend this kickstart space as fits your needs.
+
+It is suggested that you always start with the pupclient*.cfg files and only add
+additional diskdetect scripts to meet your space needs.  If you extend the
+kickstart files, particularly the package lists, then future management of the
+systems may become overly complicated.
+
+Remember, the premise of this system is that you start small and secure and you
+extend via Puppet to create your desired environment.

build/distributions/RedHat/8/x86_64/DVD/ks/diskdetect.sh

@@ -0,0 +1,110 @@
+#!/bin/sh
+
+DISK=""
+
+for disk in \
+  /sys/block/sd[a-z] \
+  /sys/block/sd[a-z][a-z] \
+  /sys/block/cciss!c[0-9]d[0-9] \
+  /sys/block/cciss!c[0-9]d[0-9][0-9] \
+  /sys/block/cciss!c[0-9][0-9]d[0-9] \
+  /sys/block/cciss!c[0-9][0-9]d[0-9][0-9] \
+  /sys/block/xvd[a-z] \
+  /sys/block/xvd[a-z][a-z] \
+  /sys/block/vd[a-z] \
+  /sys/block/vd[a-z][a-z] \
+  /sys/block/hd[a-z] \
+  /sys/block/nvme[0-9]n[0-9] \
+  ;
+do
+  [ -d "$disk" ] || continue
+
+  # Ignore removable and virtual devices.
+
+  if [ -f "$disk"/removable ]; then
+    if read removable junk < "$disk"/removable; then
+      [ "$removable" != "0" ] && continue
+    fi
+  fi
+
+  if [ -f "$disk"/device/vendor -a -f "$disk"/device/model ]; then
+    if read vendor junk < "$disk"/device/vendor && \
+       read model junk < "$disk"/device/model; then
+      [ "$vendor" != "VMware" -a "$model" = "Virtual" ] && continue
+    fi
+  fi
+
+  # Found the first disk.
+
+  # Convert cciss!c0d0 to cciss/c0d0
+  DISK="`basename $disk | sed 's@!@/@g'`"
+  break
+done
+
+touch /tmp/part-include
+
+# To automatically decrypt your system, the cryptfile needs to be located in an
+# unencrypted portion of the system. This is *not* secure but does allow users
+# to go in later and change the password without needing to reformat their
+# systems.
+
+# For EL6
+if [ ! -d /boot ]; then
+  mkdir /boot
+fi
+
+grep -q simp_disk_crypt /proc/cmdline || grep -q simp_crypt_disk /proc/cmdline
+encrypt=$?
+
+if [ $encrypt -eq 0 ]; then
+  cat /dev/random | LC_CTYPE=C tr -dc "[:alnum:]" | head -c 256 > /boot/disk_creds
+  passphrase=`cat /boot/disk_creds`
+
+  echo $DISK > /boot/crypt_disk
+fi
+
+# This parses out some command line options generally only used by the
+# DVD, but available to PXE clients as well.
+
+simp_opt=`awk -F "simp_opt=" '{print $2}' /proc/cmdline | cut -f1 -d' '`
+
+if [ "$simp_opt" == "prompt" ]; then
+  # This is the recommended workaround for a RedHat bug (BZ#1954408) where
+  # the installation program attempts to perform automatic partitioning, even
+  # when you do not specify any partitioning commands in the kickstart file.
+  # https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/8.4_release_notes/known-issues#known-issue_installer-and-image-creation
+  # This will cause the "Installation Destination" icon to show an "Kickstart
+  # insufficient" error, which, in turn, will force the user to partition the
+  # disks manually.
+  echo "reqpart" > /tmp/part-include
+else
+  cat << EOF > /tmp/part-include
+clearpart --all --initlabel --drives=${DISK}
+part /boot --fstype=ext4 --size=1024 --ondisk ${DISK} --asprimary --fsoptions=nosuid,nodev
+part /boot/efi --fstype=efi --size=400 --ondisk ${DISK} --asprimary
+EOF
+
+# In EL8 (8.2) the partitioning fails if --encrypted  is used and the size=1.
+# The size was set to equal the sum of all the logical partitions (20G) to prevent this.
+# You can probably use a smaller size but we have not, at this time, determined how
+# small the initial size of the partion can to be to prevent the error.
+
+  if [ $encrypt -eq 0 ]; then
+    echo "part pv.01 --size=20480 --grow --ondisk ${DISK} --encrypted --passphrase=${passphrase}" >> /tmp/part-include
+  else
+    echo "part pv.01 --size=1 --grow --ondisk ${DISK}" >> /tmp/part-include
+  fi
+fi
+
+if [ "$simp_opt" != "prompt" ]; then
+  cat << EOF >> /tmp/part-include
+volgroup VolGroup00 pv.01
+logvol swap --fstype=swap --name=SwapVol --vgname=VolGroup00 --size=1024
+logvol / --fstype=ext4 --name=RootVol --vgname=VolGroup00 --size=10240 --fsoptions=iversion
+logvol /tmp --fstype=ext4 --name=TmpVol --vgname=VolGroup00 --size=2048 --fsoptions=nosuid,noexec,nodev
+logvol /home --fstype=ext4 --name=HomeVol --vgname=VolGroup00 --size=1024 --fsoptions=nosuid,noexec,nodev,iversion
+logvol /var --fstype=ext4 --name=VarVol --vgname=VolGroup00 --size=1024 --grow
+logvol /var/log --fstype=ext4 --name=VarLogVol --vgname=VolGroup00 --size=4096 --fsoptions=nosuid,noexec,nodev
+logvol /var/log/audit --fstype=ext4 --name=VarLogAuditVol --vgname=VolGroup00 --size=1024 --fsoptions=nosuid,noexec,nodev
+EOF
+fi