Hey all,
I have sort of an odd request for you today in regards to Kickstart configuration. I have recently created a kickstart configuration file to better standardize the configuration aspect of my server installations. I am having one issue and that is distributing a script (yum-check) via the kickstart file (in %post section). Parts of the script get written to the correct file (/usr/bin/yum-check & /etc/cron.daily/yum.cron) however variables in the individual scripts I believe are getting parsed by Kickstart. The parsing of these variables is preventing them from being written to the respective file. I am wondering if any of you have ever distributed a shell script via kickstart before and if so how did you do it? I would also like to mention that I have attempted to wget the script to the current directory (after cding into /usr/bin/ for example) with no luck. I have attached my kickstart configuration file so you can get a better picture of what I'm trying to do.
Thanks a lot,
Dan
# Kickstart file automatically generated by anaconda.
install url --url=ftp://kickstart.example.com/install/CentOS/x86_64/5.3/ lang en_US.UTF-8 # Use text mode install text keyboard us network --device eth0 --bootproto static --ip 192.168.101.161 --netmask 255.255.255.0 --gateway 192.168.101.1 --nameserver 192.168.101.14 --hostname guineapig.example.com reboot rootpw --iscrypted afdafsf0saf87 firewall --enabled --port=22:tcp authconfig --enableshadow --enablemd5 selinux --enforcing timezone --utc America/Chicago bootloader --location=mbr --driveorder=sda # The following is the partition information you requested # Note that any partitions you deleted are not expressed # here so unless you clear all partitions first, this is # not guaranteed to work clearpart --all --initlabel part / --fstype ext3 --size 7683 part swap --fstype swap --size 509
%packages --nobase --ignoremissing @editors @core bind-utils.x86_64 bind-libs.x86_64 telnet.x86_64 mailx.x86_64 vixie-cron.x86_64 audit.x86_64 man.x86_64 wget.x86_64 sendmail.x86_64 sudo.x86_64 openldap-clients.x86_64 nss_ldap.x86_64 ntp.x86_64
%post
### System Configuration Files Section ###
yum update -y
# Update default hasing algorith for userPasswords authconfig --passalgo=sha512 --update
# /etc/nsswitch.conf cat << EOF1 > /etc/nsswitch.conf # # /etc/nsswitch.conf # # An example Name Service Switch config file. This file should be # sorted with the most-used services at the beginning. # # The entry '[NOTFOUND=return]' means that the search for an # entry should stop if the search in the previous entry turned # up nothing. Note that if the search failed due to some other reason # (like no NIS server responding) then the search continues with the # next entry. # # Legal entries are: # # nisplus or nis+ Use NIS+ (NIS version 3) # nis or yp Use NIS (NIS version 2), also called YP # dns Use DNS (Domain Name Service) # files Use the local files # db Use the local database (.db) files # compat Use NIS on compat mode # hesiod Use Hesiod for user lookups # [NOTFOUND=return] Stop searching if not found so far #
# To use db, put the "db" in front of "files" for entries you want to be # looked up first in the databases # # Example: #passwd: db files nisplus nis #shadow: db files nisplus nis #group: db files nisplus nis
passwd: files ldap shadow: files ldap group: files ldap
#hosts: db files nisplus nis dns hosts: files dns
# Example - obey only what nisplus tells us... #services: nisplus [NOTFOUND=return] files #networks: nisplus [NOTFOUND=return] files #protocols: nisplus [NOTFOUND=return] files #rpc: nisplus [NOTFOUND=return] files #ethers: nisplus [NOTFOUND=return] files #netmasks: nisplus [NOTFOUND=return] files
bootparams: nisplus [NOTFOUND=return] files
ethers: files netmasks: files networks: files protocols: files rpc: files services: files
netgroup: nisplus
publickey: nisplus
automount: files nisplus aliases: files nisplus
nss_base_passwd ou=people,dc=example,dc=com?one nss_base_shadow ou=people,dc=example,dc=com?one nss_base_group ou=people,dc=example,dc=com?one EOF1
# /etc/resolv.conf cat << EOF2 > /etc/resolv.conf # Created by Dan Burkland 8/17/2009 domain example.com search example.com nameserver 192.168.101.14 EOF2
# /etc/ssh/sshd_config cat << EOF3 > /etc/ssh/sshd_config #$OpenBSD: sshd_config,v 1.73 2005/12/06 22:38:28 reyk Exp $
# This is the sshd server system-wide configuration file. See # sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin
# The strategy used for options in the default sshd_config shipped with # OpenSSH is to specify options with their default value where # possible, but leave them commented. Uncommented options change a # default value.
Port 22 #Protocol 2,1 Protocol 2 #AddressFamily any ListenAddress 192.168.101.161 #ListenAddress ::
# HostKey for protocol version 1 #HostKey /etc/ssh/ssh_host_key # HostKeys for protocol version 2 #HostKey /etc/ssh/ssh_host_rsa_key #HostKey /etc/ssh/ssh_host_dsa_key
# Lifetime and size of ephemeral version 1 server key #KeyRegenerationInterval 1h #ServerKeyBits 768
# Logging # obsoletes QuietMode and FascistLogging #SyslogFacility AUTH SyslogFacility AUTHPRIV #LogLevel INFO
# Authentication:
LoginGraceTime 1m PermitRootLogin no #StrictModes yes MaxAuthTries 4
#RSAAuthentication yes #PubkeyAuthentication yes #AuthorizedKeysFile .ssh/authorized_keys
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts #RhostsRSAAuthentication no # similar for protocol version 2 #HostbasedAuthentication no # Change to yes if you don't trust ~/.ssh/known_hosts for # RhostsRSAAuthentication and HostbasedAuthentication #IgnoreUserKnownHosts no # Don't read the user's ~/.rhosts and ~/.shosts files #IgnoreRhosts yes
# To disable tunneled clear text passwords, change to no here! #PasswordAuthentication yes #PermitEmptyPasswords no PasswordAuthentication yes
# Change to no to disable s/key passwords #ChallengeResponseAuthentication yes ChallengeResponseAuthentication no
# Kerberos options #KerberosAuthentication no #KerberosOrLocalPasswd yes #KerberosTicketCleanup yes #KerberosGetAFSToken no
# GSSAPI options #GSSAPIAuthentication no GSSAPIAuthentication yes #GSSAPICleanupCredentials yes GSSAPICleanupCredentials yes
# Set this to 'yes' to enable PAM authentication, account processing, # and session processing. If this is enabled, PAM authentication will # be allowed through the ChallengeResponseAuthentication mechanism. # Depending on your PAM configuration, this may bypass the setting of # PasswordAuthentication, PermitEmptyPasswords, and # "PermitRootLogin without-password". If you just want the PAM account and # session checks to run without PAM authentication, then enable this but set # ChallengeResponseAuthentication=no #UsePAM no UsePAM yes
# Accept locale-related environment variables AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT AcceptEnv LC_IDENTIFICATION LC_ALL #AllowTcpForwarding yes #GatewayPorts no #X11Forwarding no X11Forwarding yes #X11DisplayOffset 10 #X11UseLocalhost yes #PrintMotd yes #PrintLastLog yes #TCPKeepAlive yes #UseLogin no #UsePrivilegeSeparation yes #PermitUserEnvironment no #Compression delayed #ClientAliveInterval 0 #ClientAliveCountMax 3 #ShowPatchLevel no #UseDNS yes #PidFile /var/run/sshd.pid #MaxStartups 10 #PermitTunnel no
# no default banner path Banner /etc/issue
# override default of no subsystems Subsystem sftp /usr/libexec/openssh/sftp-server EOF3
# /etc/pam.d/system-auth cat << EOF4 > /etc/pam.d/system-auth #%PAM-1.0 # This file is auto-generated. # User changes will be destroyed the next time authconfig is run. auth required pam_env.so auth sufficient pam_ldap.so auth sufficient pam_unix.so nullok try_first_pass auth requisite pam_succeed_if.so uid >= 500 quiet auth required pam_deny.so auth required pam_tally2.so deny=3 onerr=fail unlock_time=60
account sufficient pam_ldap.so account required pam_unix.so account sufficient pam_succeed_if.so uid < 500 quiet account required pam_permit.so account required pam_tally2.so per_user
password requisite pam_cracklib.so try_first_pass retry=3 password sufficient pam_ldap.so password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok password required pam_deny.so
session optional pam_keyinit.so revoke session optional pam_ldap.so session required pam_limits.so session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid session required pam_unix.so EOF4
# /etc/hosts cat << EOF5 > /etc/hosts 127.0.0.1 localhost localhost.localdomain guineapig.example.com guineapig EOF5
# /etc/issue cat << EOF6 > /etc/issue WARNING
This System is for the use of authorized users only. Individuals using this computer without authority, or in excess of their authority, are subject to having all of their activities on this system monitored and recorded by system personnel. In the course of monitoring individuals improperly using this system, or in the course of system maintenance, the activities of authorized users may also be monitored. Anyone using this system expressly consents to such monitoring and is advised that if such monitoring reveals possible criminal activity, system personnel may provide the evidence of such monitoring to law enforcement officials.
EOF6
# /etc/crontab modifications for NTP & Auditd log rotation cat << EOF7 >> /etc/crontab 00 23 * * * root ntpdate north-america.pool.ntp.org 00 0 * * * root /etc/init.d/auditd rotate EOF7
# /etc/ldap.conf cat << EOF8 > /etc/ldap.conf # /etc/ldap.conf - Created by: Dan Burkland 8/17/2009 uri ldaps://ldap.example.com base dc=example,dc=com timelimit 30
TLS_CACERT /etc/pki/tls/certs/cacert.pem
ssl on
nss_initgroups_ignoreusers root,haldaemon,dbus,ldap EOF8
# /etc/pki/tls/certs/cacert.pem cat << EOF9 > /etc/pki/tls/certs/cacert.pem Certificate contents go here EOF9
rm -f /etc/openldap/ldap.conf ln -s /etc/ldap.conf /etc/openldap/ldap.conf
# Create /usr/bin/yum-check and make it executable cat << EOF10 > /usr/bin/yum-check #!/bin/sh # # Name: yum-check # Author: Michael Heiming - 2005-03-11 # Function: Run from cron to check for yum updates # and mail results # Version: 0.7 (initial) # 2005-03-12 0.8 randomize startup (cron only) # Config: /etc/sysconfig/yum
# Pull in sysconfig settings
. /etc/sysconfig/yum-check
maila=${MAILTO:=root} yumdat="/tmp/yum-check-update.$$" yumb="/usr/bin/yum"
# wait a random interval if there is not a controlling terminal, # for load management if ! [ -t ] then num=$RANDOM let "num %= ${RANGE:=1}" sleep $num fi
rm -f ${yumdat%%[0-9]*}*
$yumb check-update >& $yumdat
yumstatus="$?"
case $yumstatus in 100) cat $yumdat |\ mail -s "Alert ${HOSTNAME} updates available!" $maila exit 0 ;; 0) # Only send mail if debug is turned on if [ ${CHECKWRK} = "yes" ];then cat $yumdat |\ mail -s "Yum check succeeded ${HOSTNAME} zero patches available." $maila fi exit 0 ;; *) # Unexpected yum return status (echo "Undefined, yum return status: ${yumstatus}" && \ [ -e "${yumdat}" ] && cat "${yumdat}" )|\ mail -s "Alert ${HOSTNAME} problems running yum." $maila esac
[ -e "${yumdat}" ] && rm ${yumdat} EOF10
chmod +x /usr/bin/yum-check
# Create yum-check cronjob and make script executable cat << EOF11 > /etc/cron.daily/yum.cron #!/bin/sh
# Pull in sysconfig settings
. /etc/sysconfig/yum-check
if [ -f /var/lock/subsys/yum ]; then
if [ ${CHECKONLY} = "yes" ];then
/usr/bin/yum-check fi else /usr/bin/yum -R 10 -e 0 -d 0 -y update yum /usr/bin/yum -R 120 -e 0 -d 0 -y update fi EOF11
chmod +x /etc/cron.daily/yum.cron
# Create yum-check configuration file cat << EOF12 > /etc/sysconfig/yum-check # yes sets yum to check for updates and mail only if patches are available # no does enable autoupdate if /var/lock/subsys/yum is available CHECKONLY="yes" # defaults to root, leave empty if .forward/alias in place for root MAILTO="dan@example.com" # Set to yes for debugging only! You'll get a mail for each run! CHECKWRK="no" # Seconds to randomize startup, if running from cron to balance load RANGE="3600" EOF12
# Change logrotate to rotate daily instead of weekly cat << EOF13 > /etc/logrotate.conf # see "man logrotate" for details # rotate log files weekly daily
# keep 4 days worth of backlogs rotate 4
# create new (empty) log files after rotating old ones create
# uncomment this if you want your log files compressed #compress
# RPM packages drop log rotation information into this directory include /etc/logrotate.d
# no packages own wtmp -- we'll rotate them here /var/log/wtmp { monthly minsize 1M create 0664 root utmp rotate 1 }
# system-specific logs may be also be configured here. EOF13
# IPtables rule configuration cat << EOF14 > /etc/sysconfig/iptables *filter :INPUT DROP [0:0] :FORWARD DROP [0:0] :OUTPUT ACCEPT [0:0] -A INPUT -i lo -j ACCEPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT COMMIT EOF14
# Disable USB mass storage module cat << EOF15 > /etc/modprobe.d/blacklist-usbstorage blacklist usb-storage EOF15
# Restrict access to the "/root" folder chmod 700 /root
# Set default umask to 077 sed -i 's/022/077/' /etc/bashrc sed -i 's/022/077/' /etc/csh.cshrc
# Log out idle users after 15 minutes cat << EOF16 > /etc/profile.d/autologout readonly TMOUT=900 readonly HISTFILE EOF16
# Make the os-security.sh executable chmod +x /etc/profile.d/autologout
# Enable security-related sysctls cat << EOF17 > /etc/sysctl.conf # Kernel sysctl configuration file for Red Hat Linux # # For binary values, 0 is disabled, 1 is enabled. See sysctl(8) and # sysctl.conf(5) for more details.
# Controls IP packet forwarding net.ipv4.ip_forward = 0
# Controls the System Request debugging functionality of the kernel kernel.sysrq = 0
# Controls whether core dumps will append the PID to the core filename # Useful for debugging multi-threaded applications kernel.core_uses_pid = 1
Controls the maximum size of a message, in bytes kernel.msgmnb = 65536
# Controls the default maxmimum size of a mesage queue kernel.msgmax = 65536
# Controls the maximum shared segment size, in bytes kernel.shmmax = 68719476736
# Controls the maximum number of shared memory segments, in pages kernel.shmall = 4294967296
net.ipv4.conf.all.send_redirects = 0 net.ipv4.conf.default.send_redirects = 0 net.ipv4.tcp_max_syn_backlog = 1280 net.ipv4.icmp_echo_ignore_broadcasts = 1 net.ipv4.conf.all.accept_source_route = 0 net.ipv4.conf.all.accept_redirects = 0 net.ipv4.conf.all.secure_redirects = 0 net.ipv4.conf.all.log_martians = 1 net.ipv4.conf.default.accept_source_route = 0 net.ipv4.conf.default.accept_redirects = 0 net.ipv4.conf.default.secure_redirects = 0 net.ipv4.icmp_echo_ignore_broadcasts = 1 net.ipv4.icmp_ignore_bogus_error_responses = 1 net.ipv4.tcp_syncookies = 1 net.ipv4.conf.all.rp_filter = 1 net.ipv4.conf.default.rp_filter = 1 net.ipv4.tcp_timestamps = 0 EOF17
# /etc/sudoers cat << EOF18 > /etc/sudoers ## Sudoers allows particular users to run various commands as ## the root user, without needing the root password. ## ## Examples are provided at the bottom of the file for collections ## of related commands, which can then be delegated out to particular ## users or groups. ## ## This file must be edited with the 'visudo' command.
## Host Aliases ## Groups of machines. You may prefer to use hostnames (perhap using ## wildcards for entire domains) or IP addresses instead. # Host_Alias FILESERVERS = fs1, fs2 # Host_Alias MAILSERVERS = smtp, smtp2
## User Aliases ## These aren't often necessary, as you can use regular groups ## (ie, from files, LDAP, NIS, etc) in this file - just use %groupname ## rather than USERALIAS # User_Alias ADMINS = jsmith, mikem
## Command Aliases ## These are groups of related commands...
## Networking Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool
## Installation and management of software Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum
## Services Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig
## Updating the locate database Cmnd_Alias LOCATE = /usr/bin/updatedb
## Storage Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount
## Delegating permissions Cmnd_Alias DELEGATING = /usr/sbin/visudo, /bin/chown, /bin/chmod, /bin/chgrp
## Processes Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall
## Drivers Cmnd_Alias DRIVERS = /sbin/modprobe
# Defaults specification
# # Disable "ssh hostname sudo <cmd>", because it will show the password in clear. # You have to run "ssh -t hostname sudo <cmd>". # Defaults requiretty
Defaults env_reset Defaults env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR \ LS_COLORS MAIL PS1 PS2 QTDIR USERNAME \ LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION \ LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC \ LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS \ _XKB_CHARSET XAUTHORITY"
## Next comes the main part: which users can run what software on ## which machines (the sudoers file can be shared between multiple ## systems). ## Syntax: ## ## user MACHINE=COMMANDS ## ## The COMMANDS section may have other options added to it. ## ## Allow root to run any commands anywhere root ALL=(ALL) ALL example ALL=(ALL) ALL
## Allows members of the 'sys' group to run networking, software, ## service management apps and more. # %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS
## Allows people in group wheel to run all commands # %wheel ALL=(ALL) ALL
## Same thing without a password # %wheel ALL=(ALL) NOPASSWD: ALL
## Allows members of the users group to mount and unmount the ## cdrom as root # %users ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom
## Allows members of the users group to shutdown this system # %users localhost=/sbin/shutdown -h now EOF18
# /etc/nscd.conf cat << EOF19 > /etc/nscd.conf server-user nscd debug-level 0 reload-count unlimited paranoia no
enable-cache passwd yes positive-time-to-live passwd 3600 negative-time-to-live passwd 20 suggested-size passwd 211 check-files passwd yes persistent passwd yes shared passwd yes max-db-size passwd 33554432
enable-cache group yes positive-time-to-live group 3600 negative-time-to-live group 60 suggested-size group 211 check-files group yes persistent group yes shared group yes max-db-size group 33554432
enable-cache hosts no EOF19
# Permantely prevent IPv6 module from being loaded cat << EOF20 > /etc/modprobe.d/disableipv6 install ipv6 /bin/true EOF20
# Disable another IPv6 related setting cat << EOF21 >> /etc/sysconfig/network NETWORKING_IPV6=no EOF21
# Set secure permissions on /etc/sudoers file chmod 440 /etc/sudoers
# Set secure permissions on /bin/su chmod 700 /bin/su
# Enable/Disable necessary services chkconfig sendmail on chkconfig auditd on chkconfig nscd on chkconfig ip6tables off chkconfig multipathd off chkconfig netconsole off chkconfig netfs off chkconfig netplugd off chkconfig rdisc off
Daniel Burkland wrote:
Hey all,
I have sort of an odd request for you today in regards to Kickstart configuration. I have recently created a kickstart configuration file to better standardize the configuration aspect of my server installations.
hmm, take a look at my config, I use wget to output files directly to /usr/local/bin without an issue, I'd avoid trying to cat files the way your doing since as you see the variables can be auto expanded(perhaps not if you escape them?)
Anyways try wget again, if all else fails make an rpm and install that. One thing I do like about rpm is being able to install direct from a web server(I do this many times in my kickstart configs). I go the lazy route when building rpms and just build a tarball then use alien to convert it to an RPM, for the most part it works fine
http://portal.aphroland.org/~aphro/centos_5_2_32.cfg
nate
On Thu, 3 Sep 2009, Daniel Burkland wrote:
Hey all,
I have sort of an odd request for you today in regards to Kickstart configuration. I have recently created a kickstart configuration file to better standardize the configuration aspect of my server installations. I am having one issue and that is distributing a script (yum-check) via the kickstart file (in %post section). Parts of the script get written to the correct file (/usr/bin/yum-check & /etc/cron.daily/yum.cron) however variables in the individual scripts I believe are getting parsed by Kickstart. The parsing of these variables is preventing them from being written to the respective file. I am wondering if any of you have ever distributed a shell script via kickstart before and if so how did you do it? I would also like to mention that I have attempted to wget the script to the current directory (after cding into /usr/bin/ for example) with no luck. I have attached my kickstart configuration file so you can get a better picture of what I'm trying to do.
Instead of use wget instead. It's "safer". Second, implement somthing like puppet to ensure consistency after installation.
Hi,
Daniel Burkland dan@dburkland.com schrieb am 04.09.2009 02:16:31:
# Create /usr/bin/yum-check and make it executable cat << EOF10 > /usr/bin/yum-check
First of all, I don't think this is a kickstart problem, I think you'd have the same problem doing that on the console. Compare:
# cat <<EOF10 > echo $USER > EOF10 echo root
with
# cat <<'EOF10' > echo $USER > EOF10 echo $USER
For details lookup Here documents in e.g. bash(1)
Frank.
For simple scripts I do them right inside of the kickstart file like you do, but for more complex ones I store them up on the kickstart server and use wget inside the kickstart script to put them in the right place.
Hi,
On Thu, Sep 3, 2009 at 20:16, Daniel Burklanddan@dburkland.com wrote:
variables in the individual scripts I believe are getting parsed by Kickstart. The parsing of these variables is preventing them from being written to the respective file.
You need to put the EOF string between single quotes, like this:
cat <<'EOF' >/path/to/file ... EOF
BTW, you may use the same EOF string for all the files, you don't have to add a different number to each of them.
I am having one issue and that is distributing a script (yum-check) via the kickstart file (in %post section). I am wondering if any of you have ever distributed a shell script via kickstart before and if so how did you do it?
As said above, there is an easy fix to your specific problem, but I would advise you *not* to create scripts from the %post section of your kickstart (unless for trivial stuff), otherwise it might become a maintenance nightmare in the future. If you need to update the script, not only will you have to update the kickstart but also all the machines installed with an old version of that kickstart file. Also, you will tipically need more than one kickstart for machines with slightly different hardware and partitioning information, so you will start getting many copies of that script and that may quickly become a mess of old versions if you ever need to update it.
Although it would take more work, I would advise you to create an RPM package with all your internal scripts. If you need to tweak config of software packages (like the chkconfig's above or disabling IPv6) you can even do it in the %post of that RPM package instead of in the %post of your kickstart (provided that you check if the RPM package is being upgraded, or better yet if a particular setting has already been done, so that you don't do it twice which can make a difference when appending). Then set up a small yum repository and refer to it from your kickstarts. Add the package to your packagelist and you're done.
The advantage is that, if you ever need to change *anything* in your scripts or base configuration, all you have to do is generate a new RPM with a new version, publish it to your yum repository and that's it! Any new machine installed with that kickstart will get the new one automatically, and any old machine will get updated as soon as you run "yum update" there. Plus, if you want to check which version is running on a specific machine, a "rpm -q <packagename>" is all you need to find that out. Bonus points if you keep the scripts and specfile in a source code repository like Subversion and keep the %changelog of the specfile always updated to track which changes were introduced where. Extra kudos if you get your RPM package signed with a GPG key.
Yes, I know it's a lot of work, but in the end it pays off. If you manage as many machines as to make it worth to use kickstarts, it's certainly enough to make it worth to keep your scripts in an RPM in a yum repository as well.
An alternative, as already suggested, is using "puppet" (or the older "cfengine") to automate this kind of tasks. From my point of view, it offers some extra features, but it's not as good to track versions as with an RPM... YMMV.
HTH, Filipe
I have sort of an odd request for you today in regards to Kickstart configuration. I have recently created a kickstart configuration file to better standardize the configuration aspect of my server installations.
Just a suggestion, but there's no point in doing a yum update in your script, just add a repo line and install anything newer than what's on the inhouse repo while doing the install.
jlc