[CentOS] Customising a CentOS 6.6 installation disk

Fri Jan 9 09:50:37 UTC 2015
James Bishop <james.bishop at jrc.ec.europa.eu>

On 08/01/15 20:30, Greg Bailey wrote:
> On 01/08/2015 11:18 AM, James Bishop wrote:
>> I apologise if this is not the appropriate list for the following
>> issue, but...
>> Is it possible to upgrade the Linux kernel on a kickstart CD?
>> I've changed the vmlinuz and initrd.img files in the isolinux
>> directory from the distro's ISO image; so kernel
>> 2.6.32-504.3.3.el6.i686 now boots from a DVD, and loads the
>> appropriate modules and firmware from the stage 1 initrd.img.
>> However, anaconda (13.21.229) exits abnormally with a DBusException
>> (org.freedesktop.DBus.Error.NoReply); possibly because NetworkManager
>> is unable to launch the wpa_supplicant.
>> Anaconda appears to be choking during initialisation:
>>     anaconda.id = instClass.installDataClass(anaconda, extraModules, opts.display_mode, anaconda.backend)
>>   File "/usr/lib/anaconda/instdata.py", line 324, in __init__
>>     self.reset()
>>   File "/usr/lib/anaconda/instdata.py", line 64, in reset
>>     self.network = network.Network()
>>   File "/usr/lib/anaconda/network.py", line 308, in __init__
>>     self.update()
>>   File "/usr/lib/anaconda/network.py", line 326, in update
>>     devhash = isys.getDeviceProperties(dev=none)
>>   File "/usr/lib/anaconda/isys.py", line 375, in getDeviceProperties
>>     bus = dbus.SystemBus()
>>   File "/usr/lib/python2.6/site-packages/dbus/_dbus.py", line 202, in __new__
>>     private=private()
>>   File "/usr/lib/python2.6/site-packages/dbus/_dbus.py", line 108, in __new__
>>     bus = BusConnection.__new__(subclass, bus_type, mainloop=mainloop)
>>   File "/usr/lib/python2.6/site-packages/dbus/bus.py", line 125, in __new__
>>     bus = cls._new_for_bus(address_or_type, mainloop=mainloop)
>> dbus.exceptions.DBusException: org.freedesktop.DBus.Error.NoReply: Did
>> not receive a reply. Possible causes include: the remote application
>> did not send a reply, the message bus security policy blocked the
>> reply, the reply timeout expired, or the network connection was broken.
>> install exited abnormally [1/1]
>> The system will be rebooted when you press Ctrl-C or Ctrl-Alt-Delete.
>> The shell prompt is available on tty2; and so I can see the syslog,
>> which has repeated messages at its tail end:
>> INFO NetworkManager: <info> Trying to start the supplicant
>> So, something needs to be changed somewhere (kernel recompilation?
>> missing module? wpa_supplicant / NM upgrade? stage 2 install.img?)
>> which is where I'm stuck. Do I need to hack Wifi NIC related lines out
>> of anaconda?
>> The reason that I'd like the final kernel version to be running during
>> the install, is that it's needed to compile the low-level driver for a
>> FIPS-140 crypto coprocessor. The target system will be an off-line
>> certification authority system, and will certainly not need Wifi (in
>> fact the hardening procedure foresees removal of most network hardware
>> drivers).
>> I know I could do everything in three stages (initial install -
>> software upgrade - crypto driver install); but being able to do
>> everything in one go would simplify business continuity / bare metal
>> recovery.
>> In the meantime, I'm very happy to have learned something about
>> anaconda / kickstart and so on, which will be very useful in future.
>> If there's a quick fix to the above issues, I'd be happy to hear it.
>> Thanks in advance
>> James Bishop
> Sounds like the "Rolling media" announced in:
> http://lists.centos.org/pipermail/centos-announce/2014-December/020807.html
> could be useful to you, although judging by the kernel version you
> mentioned, it looks like you're looking for CentOS 6 updates.
> Unfortunately, it appears the rolling media is only available for CentOS
> 7 at the moment.
> Did you update modules.dep and modules.alias in the stage1 image?
> -Greg
Thanks Greg,

I think so: I used depmod in the attached bash script 
(update_initrd.sh); on my system, the command expands to:

/sbin/depmod -b /tmp/initrd -F /tmp/root/boot/System-map-2.6.32-504.3.3.el6.i686 2.6.32-504.3.3.el6.i686

where /tmp/initrd is the working directory for preparing the initrd file 
system; /tmp/root is where the kernel and kernel-firmware packages have 
been extracted.

The script is my attempt at copying only the kernel modules already 
present in the original initrd. It also looks for RPMs required by the 
latest kernel version (it identified kernel-firmware, initscripts and 
iproute), and copies changed executables (only the ip command).

Thank you for suggesting the Rolling media; I'll take a look at that.

I'm using CentOS 6 because I based my hardening process on the DISA STIG 
for RHEL6; I haven't checked to see if there is now an equivalent for 
CentOS 7.


James Bishop
European Commission - Joint Research Centre
IPSC Unit G.5 (TP.723)
Via E.Fermi, 2749
I - 21027 Ispra (VA)

Tel.:   +39 0332 786225
Fax.:   +39 0332 786280
e-mail: james.bishop at jrc.ec.europa.eu
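
Added example, not part of the original message and not the attached update_initrd.sh: a check that the module indexes asked about in the thread (modules.dep, modules.alias) agree with the modules actually present in a rebuilt initrd working directory. It assumes the tree keeps modules under lib/modules/<kver>/ and that modules.dep uses paths relative to that directory; the sample tree, its module names and the "OLD" kernel version are constructed placeholders.

```sh
#!/bin/sh
# Added example: consistency check for a rebuilt stage 1 initrd tree.
# Assumption: modules.dep paths are relative to lib/modules/<kver>/.
# Print one line per problem found under BASE/lib/modules/KVER.
moddep_problems() {
    base=$1 kver=$2
    moddir="$base/lib/modules/$kver"
    dep="$moddir/modules.dep"
    # Module trees left over from the kernel that was replaced.
    for d in "$base"/lib/modules/*/; do
        [ -d "$d" ] || continue
        [ "$(basename "$d")" = "$kver" ] || echo "stale tree: $(basename "$d")"
    done
    # Both index files must exist and be non-empty.
    for f in modules.dep modules.alias; do
        [ -s "$moddir/$f" ] || echo "missing or empty: $f"
    done
    [ -f "$dep" ] || return 0
    # Every module file needs its own entry in modules.dep.
    find "$moddir" -type f -name '*.ko' | sort | while IFS= read -r ko; do
        rel=${ko#"$moddir"/}
        awk -F: -v m="$rel" '$1 == m { f = 1 } END { exit !f }' "$dep" ||
            echo "not indexed: $rel"
    done
    # Every module named in modules.dep must be present in the tree.
    tr -d ':' < "$dep" | tr ' ' '\n' | sort -u | while IFS= read -r rel; do
        [ -z "$rel" ] || [ -f "$moddir/$rel" ] || echo "dangling: $rel"
    done
}

# Constructed sample tree (file names and the OLD version are placeholders):
# one module depmod never indexed, one dependency that was not copied, and
# the previous kernel's module directory left behind.
make_sample_tree() {
    t=$(mktemp -d)
    m="$t/lib/modules/2.6.32-504.3.3.el6.i686"
    mkdir -p "$m/kernel/drivers/net" "$m/kernel/lib" \
        "$t/lib/modules/2.6.32-OLD.el6.i686"
    : > "$m/kernel/drivers/net/e1000.ko"
    : > "$m/kernel/drivers/net/tg3.ko"
    : > "$m/kernel/lib/crc16.ko"
    printf '%s\n' 'kernel/drivers/net/e1000.ko:' \
        'kernel/drivers/net/tg3.ko: kernel/drivers/net/phy/libphy.ko' \
        > "$m/modules.dep"
    echo 'alias pci:v00008086d* e1000' > "$m/modules.alias"
    echo "$t"
}

if [ "$#" -eq 2 ]; then moddep_problems "$1" "$2"; fi
```

Given the initrd working directory and the kernel version as its two arguments (in the message above, /tmp/initrd and 2.6.32-504.3.3.el6.i686), it prints nothing when the tree is consistent.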