nicolas
/
red-hat-kiosk
mirror of https://github.com/nmasse-itix/red-hat-kiosk.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
37 Commits
4 Branches
0 Tags
195 KiB
 
 
 
 
 
Tree: 448808889f
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '448808889f'
${ noResults }
red-hat-kiosk/documentation/INSTALL_RHEL9.md

9.5 KiB
Raw Blame History

Installation on RHEL 9

Pre-requisites

RHEL 9 pre-requisites :

  • RHEL 9 is installed
  • The Red Hat repositories baseos and appstream are reachable

Microshift pre-requisites :

  • RHEL 9.2 or 9.3
  • LVM volume group (VG) with unused space

Install Pre-requisites

sudo subscription-manager register --username $RHN_LOGIN --auto-attach
sudo subscription-manager attach --pool=$RHN_POOL_ID
sudo dnf install -y osbuild-composer composer-cli cockpit-composer
sudo systemctl enable --now osbuild-composer.socket
sudo systemctl enable --now cockpit.socket
sudo systemctl restart osbuild-composer
sudo usermod -a -G weldr "$(id -un)"

Check that os-composer is working.

$ source /etc/bash_completion.d/composer-cli
$ composer-cli status show
API server status:
    Database version:   0
    Database supported: true
    Schema version:     0
    API version:        1
    Backend:            osbuild-composer
    Build:              NEVRA:osbuild-composer-88.3-1.el9_3.x86_64

$ composer-cli sources list
appstream
baseos

Clone this repository

git clone https://github.com/ePietry/red-hat-kiosk.git
cd red-hat-kiosk
export GIT_REPO_CLONE="$PWD"

Create the container image

Install podman and buildah.

sudo dnf install -y podman buildah

Define the target image properties.

REGISTRY="quay.io"
IMAGE_NAME="nmasse_itix/kiosk-app"
IMAGE_TAG="latest"

Build and push the image to the registry.

cd "$GIT_REPO_CLONE/application"
podman build -t localhost/kiosk-app:latest .
podman login "$REGISTRY"
podman tag localhost/kiosk-app:latest "$REGISTRY/$IMAGE_NAME:$IMAGE_TAG"
podman push "$REGISTRY/$IMAGE_NAME:$IMAGE_TAG"

Nginx configuration

Install and configure nginx.

sudo dnf install -y nginx
sudo systemctl enable --now nginx.service
sudo firewall-cmd --permanent --add-port={80/tcp,443/tcp}
sudo firewall-cmd --reload
sudo mkdir -p /var/www
sudo restorecon -Rv /var/www
sudo sed -i.${EPOCHREALTIME:-bak} 's|/usr/share/nginx/html|/var/www|g' /etc/nginx/nginx.conf
sudo systemctl restart nginx.service

Find the IP address of the current server.

MYIP="$(ip -4 -br addr show scope global | awk 'NR == 1 { split($3, parts, "/"); print parts[1]; }')"

Create the initial ostree repo

Define two helper functions.

function compose_status () {
  composer-cli compose info "$1" | awk 'NR == 1 { print $2 }'
}
function wait_for_compose () {
  status="$(compose_status "$1")"

  while [ "$status" == "RUNNING" ]; do
    echo "Waiting for build $1 to finish..."
    sleep 5
    status="$(compose_status "$1")"
  done

  echo "Build status of $1 is: $status."
  if [ "$status" == "FINISHED" ]; then
    return 0
  fi

  return 1
}

Bootstrap the initial ostree repository with ref = rhel/9/x86_64/edge.

composer-cli blueprints push /dev/fd/0 <<EOF
name = "minimal-rhel9"
description = "minimal blueprint for ostree commit"
version = "1.1.0"
modules = []
groups = []
distro = "rhel-93"
EOF
BUILDID=$(composer-cli compose start-ostree minimal-rhel9 edge-commit | awk '{print $2}')
echo "Build $BUILDID is running..."
wait_for_compose "$BUILDID"
composer-cli compose image "$BUILDID"
sudo rm -rf /var/www/repo
sudo tar -xf "$BUILDID-commit.tar" -C /var/www
ostree --repo=/var/www/repo refs

Create an empty commit with ref = empty.

[!TIP] This is an optimization in order to trim 800 MB from the installer ISO image.

sudo mkdir -p /tmp/empty-tree
sudo ostree --repo=/var/www/repo commit -b "empty" --tree=dir=/tmp/empty-tree
ostree --repo=/var/www/repo refs

Build the RPMS

Pre-requisites

sudo dnf install -y git rpm-build rpmdevtools
rm -f $HOME/rpmbuild
ln -sf "$GIT_REPO_CLONE/rpms" $HOME/rpmbuild

Build the kiosk-config RPM

spectool -g -R $HOME/rpmbuild/SPECS/kiosk-config.spec
rpmbuild -ba $HOME/rpmbuild/SPECS/kiosk-config.spec

Build the microshift-manifests RPM

spectool -g -R $HOME/rpmbuild/SPECS/microshift-manifests.spec
rpmbuild -ba $HOME/rpmbuild/SPECS/microshift-manifests.spec

Rebuild the Google Chrome RPM

mkdir $HOME/rpmbuild/VENDOR
curl -s -Lo $HOME/rpmbuild/VENDOR/google-chrome-stable_current_x86_64.rpm https://dl.google.com/linux/direct/google-chrome-stable_current_x86_64.rpm
rpmrebuild -s $HOME/rpmbuild/SPECS/google-chrome-stable.spec -p $HOME/rpmbuild/VENDOR/google-chrome-stable_current_x86_64.rpm
RPM=$(rpm -q $HOME/rpmbuild/VENDOR/google-chrome-stable_current_x86_64.rpm)
mkdir -p $HOME/rpmbuild/BUILDROOT/$RPM/
rpm2cpio $HOME/rpmbuild/VENDOR/google-chrome-stable_current_x86_64.rpm | cpio -idmv -D $HOME/rpmbuild/BUILDROOT/$RPM/
(
  set -Eeuo pipefail
  cd $HOME/rpmbuild/BUILDROOT/$RPM/
  mv opt/google/ usr/bin/
  cd usr/bin/
  rm -f google-chrome-stable
  ln -s google/chrome/google-chrome google-chrome-stable
  ln -s google/chrome/google-chrome chrome
) || echo 'Repackaging failed!'
sed -i.${EPOCHREALTIME:-bak} 's|/opt/google|/usr/bin/google|g' $HOME/rpmbuild/SPECS/google-chrome-stable.spec
rpmbuild -bb $HOME/rpmbuild/SPECS/google-chrome-stable.spec
ls -l $HOME/rpmbuild/RPMS/x86_64/

Repository Creation

Customize the desired location of the RPM repository:

REPO_LOCATION="/opt/custom-rpms/"

Create the custom RPM repository:

sudo dnf install -y createrepo
sudo mkdir -p "$REPO_LOCATION"
sudo cp $HOME/rpmbuild/RPMS/x86_64/* "$REPO_LOCATION"
sudo createrepo "$REPO_LOCATION"
sudo tee /etc/yum.repos.d/custom.repo <<EOF
[custom]  
name = Custom RPMS  
baseurl = file://$REPO_LOCATION
enabled = 1  
gpgcheck = 0
EOF

Verify all packages are present.

sudo dnf clean all
sudo dnf info kiosk-config google-chrome-stable microshift-manifests

Blueprint preparation

Customize the admin user password if desired. Set the admin user SSH public key (if it's not you).

ADMIN_PASSWORD="$(openssl rand -base64 9)"
echo "Admin password is '$ADMIN_PASSWORD'"
ADMIN_SSH_PUBLIC_KEY="$(ssh-add -L | head -n 1)"
echo "Admin SSH public key: $ADMIN_SSH_PUBLIC_KEY"

Prepare the os-builder blueprint.

sudo subscription-manager repos --enable rhocp-4.14-for-rhel-9-$(uname -m)-rpms --enable fast-datapath-for-rhel-9-$(uname -m)-rpms
sudo dnf info microshift
sudo dnf install -y mkpasswd podman
cd "$GIT_REPO_CLONE/imagebuilder"
ADMIN_PASSWORD_HASH="$(mkpasswd -m bcrypt "$ADMIN_PASSWORD")"
sed -i.${EPOCHREALTIME:-bak} "s|__ADMIN_PASSWORD__|$ADMIN_PASSWORD_HASH|" kiosk.toml
sed -i.${EPOCHREALTIME:-bak} "s|__ADMIN_SSH_PUBLIC_KEY__|$ADMIN_SSH_PUBLIC_KEY|" kiosk.toml
composer-cli sources add /dev/fd/0 <<EOF
check_gpg = false
check_ssl = false
id = "custom"
name = "custom packages for RHEL"
system = false
type = "yum-baseurl"
url = "file://$REPO_LOCATION"
EOF
composer-cli sources add /dev/fd/0 <<EOF
id = "rhocp-4.14"
name = "Red Hat OpenShift Container Platform 4.14 for RHEL 9"
type = "yum-baseurl"
url = "https://cdn.redhat.com/content/dist/layered/rhel9/$(uname -m)/rhocp/4.14/os"
check_gpg = true
check_ssl = true
system = false
rhsm = true
EOF
composer-cli sources add /dev/fd/0 <<EOF
id = "fast-datapath"
name = "Fast Datapath for RHEL 9"
type = "yum-baseurl"
url = "https://cdn.redhat.com/content/dist/layered/rhel9/$(uname -m)/fast-datapath/os"
check_gpg = true
check_ssl = true
system = false
rhsm = true
EOF
composer-cli sources add /dev/fd/0 <<EOF
id = "epel"
name = "Extra Packages for Enterprise Linux"
type = "yum-baseurl"
url = "http://mirror.in2p3.fr/pub/epel/9/Everything/x86_64/"
check_gpg = false
check_ssl = false
system = false
rhsm = false
EOF
composer-cli blueprints push kiosk.toml

Ostree construction

Create the ostree image and add it to the ostree repository with ref = rhel/9/x86_64/edge-kiosk.

composer-cli blueprints depsolve kiosk
BUILDID=$(composer-cli compose start-ostree kiosk edge-commit --url http://$MYIP/repo --ref "rhel/9/$(uname -m)/edge-kiosk" --parent "rhel/9/$(uname -m)/edge" | awk '{print $2}')
echo "Build $BUILDID is running..."
wait_for_compose "$BUILDID"
composer-cli compose image "${BUILDID}"
mkdir -p "/tmp/${BUILDID}-commit"
tar -xf "${BUILDID}-commit.tar" -C "/tmp/${BUILDID}-commit"
sudo ostree --repo=/var/www/repo pull-local "/tmp/${BUILDID}-commit/repo"
ostree --repo=/var/www/repo refs
ostree --repo=/var/www/repo log rhel/9/x86_64/edge-kiosk

Generate the Installer ISO image

Generate the ISO image of the installer.

composer-cli blueprints push /dev/fd/0 <<EOF
name = "microshift-installer"

description = ""
version = "0.0.0"
modules = []
groups = []
packages = []
EOF
BUILDID=$(composer-cli compose start-ostree --url http://localhost/repo/ --ref empty microshift-installer edge-installer | awk '{print $2}')
echo "Build $BUILDID is running..."
wait_for_compose "$BUILDID"
composer-cli compose image "${BUILDID}"

[!CAUTION] While it is possible to use the stock RHEL 9.3 Boot ISO image here, there are subtle differences between the stock ISO image and the one generated here.

Prepare the Kickstart script

Generate a pull secret and set the MICROSHIFT_PULL_SECRET variable.

MICROSHIFT_PULL_SECRET='' # Generate one on https://console.redhat.com/openshift/install/pull-secret

Prepare the Kickstart script.

cd "$GIT_REPO_CLONE/imagebuilder"
sed -i.${EPOCHREALTIME:-bak} "s|__MICROSHIFT_PULL_SECRET__|$MICROSHIFT_PULL_SECRET|" kiosk.ks
sed -i.${EPOCHREALTIME:-bak} "s|__MYIP__|$MYIP|" kiosk.ks

Inject the Kickstart in the ISO

sudo dnf install -y lorax pykickstart
ksvalidator kiosk.ks || echo "Kickstart has errors, please fix them!"
rm -f kiosk.iso && mkksiso -r "inst.ks" --ks kiosk.ks "${BUILDID}-installer.iso" kiosk.iso
ls -lh kiosk.iso
file kiosk.iso