File suse-csb-release-15.4.suseitinfra.a21e705.obscpio of Package suse-csb-release

suse-csb-release-15.4.suseitinfra.a21e705/LICENSE

MIT License

Copyright (c) 2022 Lubos Kocman

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.
suse-csb-release-15.4.suseitinfra.a21e705/README.md

# suse-csb-release

## Project Description
SUSE IT needs help from fellow geekos with release engineering skills to define the requirements, process, infrastructure, and tools for building an openSUSE-based distribution bundled with a SUSE IT-supported application stack. The resulting OS build will be offered as a standard distribution for new SUSE employees in addition to the existing Operating System library.

## Goal for this Hackweek
* Define requirements (and name) for the build.
* Selected features implemented for the MVP.
* Define a process for updating the image with the future releases of openSUSE.
* Identify and deploy required infrastructure and repositories.
* Produce an installable OS image that can be used by volunteers across the company.
* Document everything.
* Have a lot of fun in the process.

## MVP requirements
* the deployment to the end-user machine is unattended
* machine has disk encrypted
* once the machine is provisioned, it is added to asset DB (serial number + asset owner)
* productivity tools are installed
* Details are tracked here: https://en.opensuse.org/Portal:Leap:CSBRequirements
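
The unattended-install and disk-encryption requirements above can be checked against an AutoYaST profile before it is used. The following is an added example, not part of this repository: element names and the `ENTER KEY HERE` / `suse-it` defaults come from the autoinst.xml and README in this archive, while `audit_profile`, the check ids and the trimmed sample profile are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Default namespace declared on <profile> in the archive's autoinst.xml.
NS = {"y": "http://www.suse.com/1.0/yast2ns"}

# Values that must never reach a deployed machine: the profile's placeholder
# and the default LUKS password named in the README.
PLACEHOLDER_KEYS = {"", "ENTER KEY HERE", "suse-it"}

# Constructed sample: a trimmed profile using the same elements and values
# as the autoinst.xml in this archive (not the full file).
SAMPLE_PROFILE = """<?xml version="1.0"?>
<!DOCTYPE profile>
<profile xmlns="http://www.suse.com/1.0/yast2ns" xmlns:config="http://www.suse.com/1.0/configns">
  <add-on t="map">
    <add_on_others t="list">
      <listentry t="map">
        <alias>isv_SUSE_suse-it-infra</alias>
        <media_url>https://download.opensuse.org/repositories/isv:/SUSE:/suse-it-infra/15.4/</media_url>
      </listentry>
      <listentry t="map">
        <alias>repo-sle-update</alias>
        <media_url>http://download.opensuse.org/update/leap/15.4/sle/</media_url>
      </listentry>
    </add_on_others>
  </add-on>
  <bootloader t="map">
    <global t="map">
      <secure_boot>true</secure_boot>
    </global>
  </bootloader>
  <general t="map">
    <mode t="map">
      <confirm t="boolean">false</confirm>
    </mode>
  </general>
  <partitioning t="list">
    <drive t="map">
      <partitions t="list">
        <partition t="map">
          <crypt_key>ENTER KEY HERE</crypt_key>
          <crypt_method t="symbol">luks1</crypt_method>
          <mount>/</mount>
        </partition>
      </partitions>
    </drive>
  </partitioning>
</profile>
"""


def _text(node, path):
    """Stripped text of the first match for path, or None if it is absent."""
    found = node.find(path, NS)
    return None if found is None else (found.text or "").strip()


def audit_profile(xml_text):
    """Return sorted (check_id, detail) findings for an AutoYaST profile."""
    # The stdlib parser is fine for a profile from your own repository;
    # use defusedxml for profiles that come from an untrusted source.
    root = ET.fromstring(xml_text)
    findings = []

    # MVP: unattended deployment, so the installer must not wait for confirmation.
    if _text(root, "y:general/y:mode/y:confirm") != "false":
        findings.append(("attended-install", "general/mode/confirm is not false"))
    if _text(root, "y:bootloader/y:global/y:secure_boot") != "true":
        findings.append(("secure-boot-off", "bootloader secure_boot is not true"))

    # MVP: disk encrypted, so the partition mounted at / needs a real key.
    root_parts = [p for p in root.iterfind(".//y:partition", NS)
                  if _text(p, "y:mount") == "/"]
    if not root_parts:
        findings.append(("no-root-partition", "no partition is mounted at /"))
    for part in root_parts:
        key = _text(part, "y:crypt_key")
        method = _text(part, "y:crypt_method")
        if key is None and method is None:
            findings.append(("root-unencrypted", "/ has no crypt_key or crypt_method"))
        elif key is None or key in PLACEHOLDER_KEYS:
            findings.append(("placeholder-luks-key", "crypt_key is missing or a default: %r" % key))

    # Add-on repositories fetched over plain HTTP rely on signature checks alone.
    for entry in root.iterfind("y:add-on/y:add_on_others/y:listentry", NS):
        url = _text(entry, "y:media_url") or ""
        if url.lower().startswith("http://"):
            findings.append(("plaintext-repo", "%s uses %s" % (_text(entry, "y:alias"), url)))
    return sorted(findings)


if __name__ == "__main__":
    for check_id, detail in audit_profile(SAMPLE_PROFILE):
        print(f"{check_id}: {detail}")
```

Run against the sample, it reports the placeholder LUKS key and the one HTTP repository; a profile with a real key and HTTPS repositories returns an empty list.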


## Combustion example usecase for SUSEIT

About combustion: https://en.opensuse.org/Portal:MicroOS/Combustion

### What does our combustion example do?
* set root password (by default unset)
* require the user to enter the root password when using sudo (root access is controlled by SUSE IT)
* change the default btrfs/luks password (set to suse-it by default). This part doesn't work for some reason.

### First-boot wizard for the user
**The rest of the configuration will be done by the user as part of the first boot. This is handled by gnome-initial-setup.**

Once gnome-initial-setup is finished and network connectivity is established, additional SUSE IT pre-selected non-rpm software will be deployed via mod-firstboot. This is handled by gnome-branding-Leap.

### Instructions for SUSE IT
Copy the combustion directory from this git repo to the root of a flash drive formatted as ext4. The drive has to be labeled "ignition".

Tweak the passwords for LUKS and root in the config script on the USB drive.

**Ensure that the USB drive is plugged into the employee machine on the first boot.**

The machine will be rebooted afterward due to a one-shot reboot service (livecd/openSUSE/config.sh).

Perhaps you could do what Vadim did with fido?

TODO: do not print debug output into /etc/issue.d/combustion

### Credit

Big thanks to Richard Brown and his work on MicroOS, as this is heavily based on his setup.
suse-csb-release-15.4.suseitinfra.a21e705/autoinst.xml

<?xml version="1.0"?>
<!DOCTYPE profile>
<profile xmlns="http://www.suse.com/1.0/yast2ns" xmlns:config="http://www.suse.com/1.0/configns">
  <add-on t="map">
    <add_on_others t="list">
      <listentry t="map">
        <alias>isv_Rancher_stable</alias>
        <media_url>https://download.opensuse.org/repositories/isv:/Rancher:/stable/rpm/</media_url>
        <name>Rancher stable packages (rpm)</name>
        <priority t="integer">99</priority>
        <product_dir/>
      </listentry>
      <listentry t="map">
        <alias>isv_SUSE_suse-it-infra</alias>
        <media_url>https://download.opensuse.org/repositories/isv:/SUSE:/suse-it-infra/15.4/</media_url>
        <name>isv:SUSE:suse-it-infra (15.4)</name>
        <priority t="integer">99</priority>
        <product_dir/>
      </listentry>
      <listentry t="map">
        <alias>repo-backports-update</alias>
        <media_url>http://download.opensuse.org/update/leap/15.4/backports/</media_url>
        <name>Update repository of openSUSE Backports</name>
        <priority t="integer">99</priority>
        <product_dir>/</product_dir>
      </listentry>
      <listentry t="map">
        <alias>repo-sle-update</alias>
        <media_url>http://download.opensuse.org/update/leap/15.4/sle/</media_url>
        <name>Update repository with updates from SUSE Linux Enterprise 15</name>
        <priority t="integer">99</priority>
        <product_dir>/</product_dir>
      </listentry>
    </add_on_others>
  </add-on>
  <bootloader t="map">
    <global t="map">
      <append>\$ignition_firstboot</append>
      <cpu_mitigations>manual</cpu_mitigations>
      <gfxmode>auto</gfxmode>
      <hiddenmenu>false</hiddenmenu>
      <secure_boot>true</secure_boot>
      <terminal>gfxterm</terminal>
      <timeout t="integer">10</timeout>
      <update_nvram>true</update_nvram>
    </global>
    <loader_type>grub2-efi</loader_type>
  </bootloader>
  <firewall t="map">
    <default_zone>public</default_zone>
    <enable_firewall t="boolean">true</enable_firewall>
    <log_denied_packets>off</log_denied_packets>
    <start_firewall t="boolean">true</start_firewall>
    <zones t="list">
      <zone t="map">
        <description>Unsolicited incoming network packets are rejected. Incoming packets that are related to outgoing network connections are accepted. Outgoing network connections are allowed.</description>
        <interfaces t="list"/>
        <masquerade t="boolean">false</masquerade>
        <name>block</name>
        <ports t="list"/>
        <protocols t="list"/>
        <services t="list"/>
        <short>Block</short>
        <target>%%REJECT%%</target>
      </zone>
      <zone t="map">
        <description>For computers in your demilitarized zone that are publicly-accessible with limited access to your internal network. Only selected incoming connections are accepted.</description>
        <interfaces t="list"/>
        <masquerade t="boolean">false</masquerade>
        <name>dmz</name>
        <ports t="list"/>
        <protocols t="list"/>
        <services t="list">
          <service>ssh</service>
        </services>
        <short>DMZ</short>
        <target>default</target>
      </zone>
      <zone t="map">
        <description>All network connections are accepted.</description>
        <interfaces t="list">
          <interface>docker0</interface>
        </interfaces>
        <masquerade t="boolean">false</masquerade>
        <name>docker</name>
        <ports t="list"/>
        <protocols t="list"/>
        <services t="list"/>
        <short>docker</short>
        <target>ACCEPT</target>
      </zone>
      <zone t="map">
        <description>Unsolicited incoming network packets are dropped. Incoming packets that are related to outgoing network connections are accepted. Outgoing network connections are allowed.</description>
        <interfaces t="list"/>
        <masquerade t="boolean">false</masquerade>
        <name>drop</name>
        <ports t="list"/>
        <protocols t="list"/>
        <services t="list"/>
        <short>Drop</short>
        <target>DROP</target>
      </zone>
      <zone t="map">
        <description>For use on external networks. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
        <interfaces t="list"/>
        <masquerade t="boolean">true</masquerade>
        <name>external</name>
        <ports t="list"/>
        <protocols t="list"/>
        <services t="list">
          <service>ssh</service>
        </services>
        <short>External</short>
        <target>default</target>
      </zone>
      <zone t="map">
        <description>For use in home areas. You mostly trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
        <interfaces t="list"/>
        <masquerade t="boolean">false</masquerade>
        <name>home</name>
        <ports t="list"/>
        <protocols t="list"/>
        <services t="list">
          <service>dhcpv6-client</service>
          <service>mdns</service>
          <service>samba-client</service>
          <service>ssh</service>
        </services>
        <short>Home</short>
        <target>default</target>
      </zone>
      <zone t="map">
        <description>For use on internal networks. You mostly trust the other computers on the networks to not harm your computer. Only selected incoming connections are accepted.</description>
        <interfaces t="list"/>
        <masquerade t="boolean">false</masquerade>
        <name>internal</name>
        <ports t="list"/>
        <protocols t="list"/>
        <services t="list">
          <service>dhcpv6-client</service>
          <service>mdns</service>
          <service>samba-client</service>
          <service>ssh</service>
        </services>
        <short>Internal</short>
        <target>default</target>
      </zone>
      <zone t="map">
        <description><![CDATA[     This zone is used internally by NetworkManager when activating a     profile that uses connection sharing and doesn't have an explicit     firewall zone set.     Block all traffic to the local machine except ICMP, ICMPv6, DHCP     and DNS. Allow all forwarded traffic.     Note that future package updates may change the definition of the     zone unless you overwrite it with your own definition.   ]]></description>
        <interfaces t="list"/>
        <masquerade t="boolean">false</masquerade>
        <name>nm-shared</name>
        <ports t="list"/>
        <protocols t="list">
          <listentry>icmp</listentry>
          <listentry>ipv6-icmp</listentry>
        </protocols>
        <services t="list">
          <service>dhcp</service>
          <service>dns</service>
          <service>ssh</service>
        </services>
        <short>NetworkManager Shared</short>
        <target>ACCEPT</target>
      </zone>
      <zone t="map">
        <description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
        <interfaces t="list"/>
        <masquerade t="boolean">false</masquerade>
        <name>public</name>
        <ports t="list"/>
        <protocols t="list"/>
        <services t="list">
          <service>dhcpv6-client</service>
          <service>ssh</service>
        </services>
        <short>Public</short>
        <target>default</target>
      </zone>
      <zone t="map">
        <description>All network connections are accepted.</description>
        <interfaces t="list"/>
        <masquerade t="boolean">false</masquerade>
        <name>trusted</name>
        <ports t="list"/>
        <protocols t="list"/>
        <services t="list"/>
        <short>Trusted</short>
        <target>ACCEPT</target>
      </zone>
      <zone t="map">
        <description>For use in work areas. You mostly trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
        <interfaces t="list"/>
        <masquerade t="boolean">false</masquerade>
        <name>work</name>
        <ports t="list"/>
        <protocols t="list"/>
        <services t="list">
          <service>dhcpv6-client</service>
          <service>ssh</service>
        </services>
        <short>Work</short>
        <target>default</target>
      </zone>
    </zones>
  </firewall>
  <general t="map">
    <mode t="map">
      <confirm t="boolean">false</confirm>
    </mode>
  </general>
  <groups t="list">
    <group t="map">
      <gid>100</gid>
      <groupname>users</groupname>
      <userlist/>
    </group>
    <group t="map">
      <gid>488</gid>
      <groupname>input</groupname>
      <userlist/>
    </group>
    <group t="map">
      <gid>65533</gid>
      <groupname>nogroup</groupname>
      <userlist/>
    </group>
    <group t="map">
      <gid>472</gid>
      <groupname>scard</groupname>
      <userlist/>
    </group>
    <group t="map">
      <gid>499</gid>
      <groupname>messagebus</groupname>
      <userlist/>
    </group>
    <group t="map">
      <gid>42</gid>
      <groupname>trusted</groupname>
      <userlist/>
    </group>
    <group t="map">
      <gid>491</gid>
      <groupname>cdrom</groupname>
      <userlist/>
    </group>
    <group t="map">
      <gid>469</gid>
      <groupname>gdm</groupname>
      <userlist/>
    </group>
    <group t="map">
      <gid>62</gid>
      <groupname>man</groupname>
      <userlist/>
    </group>
    <group t="map">
      <gid>483</gid>
      <groupname>video</groupname>
      <userlist>gdm</userlist>
    </group>
    <group t="map">
      <gid>476</gid>
      <groupname>avahi</groupname>
      <userlist/>
    </group>
    <group t="map">
      <gid>485</gid>
      <groupname>sgx</groupname>
      <userlist/>
    </group>
    <group t="map">
      <gid>482</gid>
      <groupname>srvGeoClue</groupname>
      <userlist/>
    </group>
    <group t="map">
      <gid>480</gid>
      <groupname>pulse</groupname>
      <userlist/>
    </group>
    <group t="map">
      <gid>477</gid>
      <groupname>audit</groupname>
      <userlist/>
    </group>
    <group t="map">
      <gid>493</gid>
      <groupname>utmp</groupname>
      <userlist/>
    </group>
    <group t="map">
      <gid>484</gid>
      <groupname>tape</groupname>
      <userlist/>
    </group>
    <group t="map">
      <gid>486</gid>
      <groupname>render</groupname>
      <userlist/>
    </group>
    <group t="map">
      <gid>470</gid>
      <groupname>nm-openvpn</groupname>
      <userlist/>
    </group>
    <group t="map">
      <gid>478</gid>
      <groupname>wheel</groupname>
    </group>
    <group t="map">
      <gid>496</gid>
      <groupname>systemd-network</groupname>
      <userlist/>
    </group>
    <group t="map">
      <gid>497</gid>
      <groupname>systemd-journal</groupname>
      <userlist/>
    </group>
    <group t="map">
      <gid>481</gid>
      <groupname>pulse-access</groupname>
      <userlist/>
    </group>
    <group t="map">
      <gid>490</gid>
      <groupname>dialout</groupname>
      <userlist/>
    </group>
    <group t="map">
      <gid>489</gid>
      <groupname>disk</groupname>
      <userlist/>
    </group>
    <group t="map">
      <gid>492</gid>
      <groupname>audio</groupname>
      <userlist>pulse</userlist>
    </group>
    <group t="map">
      <gid>487</gid>
      <groupname>lp</groupname>
      <userlist/>
    </group>
    <group t="map">
      <gid>5</gid>
      <groupname>tty</groupname>
      <userlist/>
    </group>
    <group t="map">
      <gid>494</gid>
      <groupname>kmem</groupname>
      <userlist/>
    </group>
    <group t="map">
      <gid>475</gid>
      <groupname>nscd</groupname>
      <userlist/>
    </group>
    <group t="map">
      <gid>474</gid>
      <groupname>polkitd</groupname>
      <userlist/>
    </group>
    <group t="map">
      <gid>65534</gid>
      <groupname>nobody</groupname>
      <userlist/>
    </group>
    <group t="map">
      <gid>498</gid>
      <groupname>lock</groupname>
      <userlist/>
    </group>
    <group t="map">
      <gid>36</gid>
      <groupname>kvm</groupname>
      <userlist>qemu</userlist>
    </group>
    <group t="map">
      <gid>0</gid>
      <groupname>root</groupname>
      <userlist/>
    </group>
    <group t="map">
      <gid>1</gid>
      <groupname>bin</groupname>
      <userlist>daemon</userlist>
    </group>
    <group t="map">
      <gid>2</gid>
      <groupname>daemon</groupname>
      <userlist/>
    </group>
    <group t="map">
      <gid>107</gid>
      <groupname>qemu</groupname>
      <userlist/>
    </group>
    <group t="map">
      <gid>473</gid>
      <groupname>rtkit</groupname>
      <userlist/>
    </group>
    <group t="map">
      <gid>71</gid>
      <groupname>ntadmin</groupname>
      <userlist/>
    </group>
    <group t="map">
      <gid>105</gid>
      <groupname>sshd</groupname>
      <userlist/>
    </group>
    <group t="map">
      <gid>495</gid>
      <groupname>systemd-timesync</groupname>
      <userlist/>
    </group>
    <group t="map">
      <gid>479</gid>
      <groupname>flatpak</groupname>
      <userlist/>
    </group>
    <group t="map">
      <gid>471</gid>
      <groupname>nm-openconnect</groupname>
      <userlist/>
    </group>
    <group t="map">
      <gid>15</gid>
      <groupname>shadow</groupname>
      <userlist/>
    </group>
  </groups>
  <host t="map">
    <hosts t="list">
      <hosts_entry t="map">
        <host_address>127.0.0.1</host_address>
        <names t="list">
          <name>localhost</name>
        </names>
      </hosts_entry>
      <hosts_entry t="map">
        <host_address>::1</host_address>
        <names t="list">
          <name>localhost ipv6-localhost ipv6-loopback</name>
        </names>
      </hosts_entry>
      <hosts_entry t="map">
        <host_address>fe00::0</host_address>
        <names t="list">
          <name>ipv6-localnet</name>
        </names>
      </hosts_entry>
      <hosts_entry t="map">
        <host_address>ff00::0</host_address>
        <names t="list">
          <name>ipv6-mcastprefix</name>
        </names>
      </hosts_entry>
      <hosts_entry t="map">
        <host_address>ff02::1</host_address>
        <names t="list">
          <name>ipv6-allnodes</name>
        </names>
      </hosts_entry>
      <hosts_entry t="map">
        <host_address>ff02::2</host_address>
        <names t="list">
          <name>ipv6-allrouters</name>
        </names>
      </hosts_entry>
      <hosts_entry t="map">
        <host_address>ff02::3</host_address>
        <names t="list">
          <name>ipv6-allhosts</name>
        </names>
      </hosts_entry>
    </hosts>
  </host>
  <kdump t="map">
    <add_crash_kernel t="boolean">false</add_crash_kernel>
  </kdump>
  <networking t="map">
    <dns t="map">
      <dhcp_hostname t="boolean">false</dhcp_hostname>
      <hostname>localhost.localdomain</hostname>
      <resolv_conf_policy>auto</resolv_conf_policy>
    </dns>
    <ipv6 t="boolean">true</ipv6>
    <keep_install_network t="boolean">true</keep_install_network>
    <managed t="boolean">true</managed>
  </networking>
  <ntp-client t="map">
    <ntp_policy>auto</ntp_policy>
    <ntp_servers t="list"/>
    <ntp_sync>manual</ntp_sync>
  </ntp-client>
  <partitioning t="list">
    <drive t="map">
      <device>/dev/nvme0n1</device>
      <disklabel>gpt</disklabel>
      <enable_snapshots t="boolean">true</enable_snapshots>
      <partitions t="list">
        <partition t="map">
          <create t="boolean">true</create>
          <format t="boolean">false</format>
          <partition_id t="integer">263</partition_id>
          <partition_nr t="integer">1</partition_nr>
          <resize t="boolean">false</resize>
          <size>2097152</size>
        </partition>
        <partition t="map">
          <create t="boolean">true</create>
          <filesystem t="symbol">vfat</filesystem>
          <format t="boolean">true</format>
          <label>EFI</label>
          <mount>/boot/efi</mount>
          <mountby t="symbol">uuid</mountby>
          <partition_id t="integer">259</partition_id>
          <partition_nr t="integer">2</partition_nr>
          <resize t="boolean">false</resize>
          <size>20971520</size>
        </partition>
        <partition t="map">
          <create t="boolean">true</create>
          <create_subvolumes t="boolean">false</create_subvolumes>
          <filesystem t="symbol">btrfs</filesystem>
          <format t="boolean">true</format>
          <label>BOOT</label>
          <mount>/boot</mount>
          <mountby t="symbol">uuid</mountby>
          <partition_id t="integer">131</partition_id>
          <partition_nr t="integer">3</partition_nr>
          <quotas t="boolean">false</quotas>
          <resize t="boolean">false</resize>
          <size>314572800</size>
          <subvolumes t="list"/>
          <subvolumes_prefix/>
        </partition>
        <partition t="map">
          <create t="boolean">true</create>
          <create_subvolumes t="boolean">true</create_subvolumes>
          <crypt_key>ENTER KEY HERE</crypt_key>
          <crypt_method t="symbol">luks1</crypt_method>
          <filesystem t="symbol">btrfs</filesystem>
          <format t="boolean">true</format>
          <label>ROOT</label>
          <loop_fs t="boolean">true</loop_fs>
          <mount>/</mount>
          <mountby t="symbol">uuid</mountby>
          <partition_id t="integer">131</partition_id>
          <partition_nr t="integer">4</partition_nr>
          <quotas t="boolean">true</quotas>
          <resize t="boolean">false</resize>
          <size>249720643072</size>
          <subvolumes t="list">
            <subvolume t="map">
              <copy_on_write t="boolean">true</copy_on_write>
              <path>home</path>
            </subvolume>
            <subvolume t="map">
              <copy_on_write t="boolean">true</copy_on_write>
              <path>opt</path>
            </subvolume>
            <subvolume t="map">
              <copy_on_write t="boolean">true</copy_on_write>
              <path>root</path>
            </subvolume>
            <subvolume t="map">
              <copy_on_write t="boolean">true</copy_on_write>
              <path>srv</path>
            </subvolume>
            <subvolume t="map">
              <copy_on_write t="boolean">true</copy_on_write>
              <path>tmp</path>
            </subvolume>
            <subvolume t="map">
              <copy_on_write t="boolean">false</copy_on_write>
              <path>var</path>
            </subvolume>
            <subvolume t="map">
              <copy_on_write t="boolean">true</copy_on_write>
              <path>boot/writable</path>
            </subvolume>
            <subvolume t="map">
              <copy_on_write t="boolean">true</copy_on_write>
              <path>usr/local</path>
            </subvolume>
            <subvolume t="map">
              <copy_on_write t="boolean">true</copy_on_write>
              <path>boot/grub2/i386-pc</path>
            </subvolume>
            <subvolume t="map">
              <copy_on_write t="boolean">true</copy_on_write>
              <path>boot/grub2/x86_64-efi</path>
            </subvolume>
          </subvolumes>
          <subvolumes_prefix>@</subvolumes_prefix>
        </partition>
      </partitions>
      <type t="symbol">CT_DISK</type>
      <use>all</use>
    </drive>
    <drive t="map">
      <device>/dev/sda</device>
      <disklabel>msdos</disklabel>
      <partitions t="list">
        <partition t="map">
          <create t="boolean">true</create>
          <create_subvolumes t="boolean">false</create_subvolumes>
          <filesystem t="symbol">btrfs</filesystem>
          <format t="boolean">true</format>
          <partition_id t="integer">131</partition_id>
          <partition_nr t="integer">1</partition_nr>
          <partition_type>primary</partition_type>
          <quotas t="boolean">false</quotas>
          <resize t="boolean">false</resize>
          <size>1000203837440</size>
          <subvolumes t="list"/>
          <subvolumes_prefix/>
        </partition>
      </partitions>
      <type t="symbol">CT_DISK</type>
      <use>all</use>
    </drive>
  </partitioning>
  <proxy t="map">
    <enabled t="boolean">false</enabled>
  </proxy>
  <services-manager t="map">
    <default_target>graphical</default_target>
    <services t="map">
      <enable t="list">
        <service>ModemManager</service>
        <service>NetworkManager</service>
        <service>NetworkManager-dispatcher</service>
        <service>NetworkManager-wait-online</service>
        <service>YaST2-Firstboot</service>
        <service>YaST2-Second-Stage</service>
        <service>apparmor</service>
        <service>auditd</service>
        <service>avahi-daemon</service>
        <service>bluetooth</service>
        <service>klog</service>
        <service>firewalld</service>
        <service>display-manager</service>
        <service>fixupbootloader</service>
        <service>ignition-delete-config</service>
        <service>ignition-firstboot-complete</service>
        <service>irqbalance</service>
        <service>iscsi</service>
        <service>issue-generator</service>
        <service>kbdsettings</service>
        <service>langset</service>
        <service>lvm2-monitor</service>
        <service>mcelog</service>
        <service>nscd</service>
        <service>nvmefc-boot-connections</service>
        <service>rsyslog</service>
        <service>smartd</service>
        <service>systemd-fsck-root</service>
        <service>systemd-remount-fs</service>
      </enable>
      <on_demand t="list">
        <listentry>iscsid</listentry>
        <listentry>pcscd</listentry>
      </on_demand>
    </services>
  </services-manager>
  <software t="map">
    <install_recommended t="boolean">true</install_recommended>
    <instsource/>
    <packages t="list">
      <package>zypper</package>
      <package>zstd</package>
      <package>zip</package>
      <package>yast2-trans-zh_CN</package>
      <package>yast2-trans-pl</package>
      <package>yast2-trans-es</package>
      <package>yast2-trans-de</package>
      <package>yast2-storage-ng</package>
      <package>yast2-proxy</package>
      <package>yast2-network</package>
      <package>yast2-hardware-detection</package>
      <package>yast2-bootloader</package>
      <package>xz</package>
      <package>xfsprogs</package>
      <package>xf86-video-voodoo</package>
      <package>xf86-video-vmware</package>
      <package>xf86-video-vesa</package>
      <package>xf86-video-v4l</package>
      <package>xf86-video-tdfx</package>
      <package>xf86-video-sisusb</package>
      <package>xf86-video-savage</package>
      <package>xf86-video-r128</package>
      <package>xf86-video-qxl</package>
      <package>xf86-video-nv</package>
      <package>xf86-video-nouveau</package>
      <package>xf86-video-neomagic</package>
      <package>xf86-video-i128</package>
      <package>xf86-video-fbdev</package>
      <package>xdm</package>
      <package>wpa_supplicant</package>
      <package>wireless-regdb</package>
      <package>xf86-video-chips</package>
      <package>util-linux</package>
      <package>udev</package>
      <package>thai-fonts</package>
      <package>xf86-video-sis</package>
      <package>suse-csb-release</package>
      <package>smbios-utils-python</package>
      <package>smartmontools</package>
      <package>skelcd-control-openSUSE</package>
      <package>shim</package>
      <package>rsync</package>
      <package>rancher-desktop</package>
      <package>quota</package>
      <package>quadrapassel</package>
      <package>spice-vdagent</package>
      <package>setxkbmap</package>
      <package>pptp</package>
      <package>xf86-video-siliconmotion</package>
      <package>pam-config</package>
      <package>pam</package>
      <package>openSUSE-release</package>
      <package>ntfs-3g</package>
      <package>patch</package>
      <package>nano</package>
      <package>multipath-tools</package>
      <package>mpt-firmware</package>
      <package>memtest86+</package>
      <package>lvm2</package>
      <package>lsb-release</package>
      <package>lklug-fonts</package>
      <package>live-net-installer</package>
      <package>live-langset-data</package>
      <package>live-add-yast-repos</package>
      <package>xfsdump</package>
      <package>ntfsprogs</package>
      <package>libatm1</package>
      <package>sysvinit-tools</package>
      <package>kernel-firmware</package>
      <package>jfsutils</package>
      <package>jeos-firstboot</package>
      <package>iw</package>
      <package>ipw-firmware</package>
      <package>indic-fonts</package>
      <package>ignition-dracut-grub2</package>
      <package>ignition</package>
      <package>gtk2-branding-openSUSE</package>
      <package>nvme-cli</package>
      <package>grub2-x86_64-efi</package>
      <package>grub2-branding-openSUSE</package>
      <package>growpart-generator</package>
      <package>gparted</package>
      <package>xf86-video-ati</package>
      <package>gnome-sudoku</package>
      <package>zd1211-firmware</package>
      <package>gnome-mines</package>
      <package>yast2-trans-zh_TW</package>
      <package>gnome-initial-setup</package>
      <package>xf86-video-mga</package>
      <package>xf86-video-ark</package>
      <package>gnome-branding-Leap</package>
      <package>glibc</package>
      <package>filesystem</package>
      <package>fdupes</package>
      <package>fcoe-utils</package>
      <package>exfatprogs</package>
      <package>tar</package>
      <package>efibootmgr</package>
      <package>e2fsprogs</package>
      <package>dracut-kiwi-oem-repart</package>
      <package>dracut-kiwi-oem-dump</package>
      <package>dosfstools</package>
      <package>dmraid</package>
      <package>dmidecode</package>
      <package>device-mapper</package>
      <package>cryptsetup</package>
      <package>crda</package>
      <package>cracklib-dict-full</package>
      <package>combustion</package>
      <package>btrfsprogs</package>
      <package>branding-openSUSE</package>
      <package>bluez-firmware</package>
      <package>bcache-tools</package>
      <package>b43-fwcutter</package>
      <package>atmel-firmware</package>
      <package>arabic-kacst-fonts</package>
      <package>alsa-firmware</package>
      <package>adobe-sourcecodepro-fonts</package>
      <package>adaptec-firmware</package>
      <package>aaa_base</package>
      <package>yast2-country</package>
      <package>NetworkManager-applet</package>
      <package>mdadm</package>
    </packages>
    <patterns t="list">
      <pattern>apparmor</pattern>
      <pattern>base</pattern>
      <pattern>basesystem</pattern>
      <pattern>documentation</pattern>
      <pattern>enhanced_base</pattern>
      <pattern>games</pattern>
      <pattern>gnome</pattern>
      <pattern>gnome_basic</pattern>
      <pattern>gnome_basis</pattern>
      <pattern>gnome_games</pattern>
      <pattern>gnome_imaging</pattern>
      <pattern>gnome_internet</pattern>
      <pattern>gnome_multimedia</pattern>
      <pattern>gnome_office</pattern>
      <pattern>gnome_utilities</pattern>
      <pattern>gnome_x11</pattern>
      <pattern>gnome_yast</pattern>
      <pattern>imaging</pattern>
      <pattern>minimal_base</pattern>
      <pattern>multimedia</pattern>
      <pattern>office</pattern>
      <pattern>sw_management</pattern>
      <pattern>sw_management_gnome</pattern>
      <pattern>x11</pattern>
      <pattern>x11_yast</pattern>
      <pattern>yast2_basis</pattern>
      <pattern>yast2_install_wf</pattern>
    </patterns>
    <products t="list">
      <product>Leap</product>
    </products>
  </software>
  <ssh_import t="map">
    <copy_config t="boolean">false</copy_config>
    <import t="boolean">false</import>
  </ssh_import>
  <timezone t="map">
    <timezone/>
  </timezone>
  <user_defaults t="map">
    <expire/>
    <group>100</group>
    <home>/home</home>
    <inactive>-1</inactive>
    <shell>/bin/bash</shell>
    <umask>022</umask>
  </user_defaults>
  <users t="list">
    <user t="map">
      <encrypted t="boolean">true</encrypted>
      <fullname/>
      <gid>100</gid>
      <home>/run/gnome-initial-setup/</home>
      <home_btrfs_subvolume t="boolean">false</home_btrfs_subvolume>
      <password_settings t="map">
        <expire/>
        <flag/>
        <inact/>
        <max/>
        <min/>
        <warn/>
      </password_settings>
      <shell>/sbin/nologin</shell>
      <uid>488</uid>
      <user_password>!</user_password>
      <username>gnome-initial-setup</username>
    </user>
    <user t="map">
      <encrypted t="boolean">true</encrypted>
      <fullname>PulseAudio daemon</fullname>
      <gid>480</gid>
      <home>/var/lib/pulseaudio</home>
      <home_btrfs_subvolume t="boolean">false</home_btrfs_subvolume>
      <password_settings t="map">
        <expire/>
        <flag/>
        <inact/>
        <max/>
        <min/>
        <warn/>
      </password_settings>
      <shell>/usr/sbin/nologin</shell>
      <uid>493</uid>
      <user_password>!</user_password>
      <username>pulse</username>
    </user>
    <user t="map">
      <encrypted t="boolean">true</encrypted>
      <fullname>RealtimeKit</fullname>
      <gid>473</gid>
      <home>/proc</home>
      <home_btrfs_subvolume t="boolean">false</home_btrfs_subvolume>
      <password_settings t="map">
        <expire/>
        <flag/>
        <inact/>
        <max/>
        <min/>
        <warn/>
      </password_settings>
      <shell>/bin/false</shell>
      <uid>103</uid>
      <user_password>!</user_password>
      <username>rtkit</username>
    </user>
    <user t="map">
      <encrypted t="boolean">true</encrypted>
      <fullname>User for GeoClue D-Bus service</fullname>
      <gid>482</gid>
      <home>/var/lib/srvGeoClue</home>
      <home_btrfs_subvolume t="boolean">false</home_btrfs_subvolume>
      <password_settings t="map">
        <expire/>
        <flag/>
        <inact/>
        <max/>
        <min/>
        <warn/>
      </password_settings>
      <shell>/usr/sbin/nologin</shell>
      <uid>494</uid>
      <user_password>!</user_password>
      <username>srvGeoClue</username>
    </user>
    <user t="map">
      <encrypted t="boolean">true</encrypted>
      <fullname>User for Avahi</fullname>
      <gid>476</gid>
      <home>/run/avahi-daemon</home>
      <home_btrfs_subvolume t="boolean">false</home_btrfs_subvolume>
      <password_settings t="map">
        <expire/>
        <flag/>
        <inact/>
        <max/>
        <min/>
        <warn/>
      </password_settings>
      <shell>/usr/sbin/nologin</shell>
      <uid>490</uid>
      <user_password>!</user_password>
      <username>avahi</username>
    </user>
    <user t="map">
      <encrypted t="boolean">true</encrypted>
      <fullname>qemu user</fullname>
      <gid>107</gid>
      <home>/</home>
      <home_btrfs_subvolume t="boolean">false</home_btrfs_subvolume>
      <password_settings t="map">
        <expire/>
        <flag/>
        <inact/>
        <max/>
        <min/>
        <warn/>
      </password_settings>
      <shell>/usr/sbin/nologin</shell>
      <uid>107</uid>
      <user_password>!</user_password>
      <username>qemu</username>
    </user>
    <user t="map">
      <encrypted t="boolean">true</encrypted>
      <fullname>NetworkManager user for OpenConnect</fullname>
      <gid>471</gid>
      <home>/var/lib/nm-openconnect</home>
      <home_btrfs_subvolume t="boolean">false</home_btrfs_subvolume>
      <password_settings t="map">
        <expire/>
        <flag/>
        <inact/>
        <max/>
        <min/>
        <warn/>
      </password_settings>
      <shell>/usr/sbin/nologin</shell>
      <uid>498</uid>
      <user_password>!</user_password>
      <username>nm-openconnect</username>
    </user>
    <user t="map">
      <encrypted t="boolean">true</encrypted>
      <fullname>Flatpak system helper</fullname>
      <gid>479</gid>
      <home>/</home>
      <home_btrfs_subvolume t="boolean">false</home_btrfs_subvolume>
      <password_settings t="map">
        <expire/>
        <flag/>
        <inact/>
        <max/>
        <min/>
        <warn/>
      </password_settings>
      <shell>/usr/sbin/nologin</shell>
      <uid>491</uid>
      <user_password>!</user_password>
      <username>flatpak</username>
    </user>
    <user t="map">
      <encrypted t="boolean">true</encrypted>
      <fullname>systemd Network Management</fullname>
      <gid>496</gid>
      <home>/</home>
      <home_btrfs_subvolume t="boolean">false</home_btrfs_subvolume>
      <password_settings t="map">
        <expire/>
        <flag/>
        <inact/>
        <max/>
        <min/>
        <warn/>
      </password_settings>
      <shell>/usr/sbin/nologin</shell>
      <uid>496</uid>
      <user_password>!*</user_password>
      <username>systemd-network</username>
    </user>
    <user t="map">
      <encrypted t="boolean">true</encrypted>
      <fullname>NetworkManager user for OpenVPN</fullname>
      <gid>470</gid>
      <home>/var/lib/openvpn</home>
      <home_btrfs_subvolume t="boolean">false</home_btrfs_subvolume>
      <password_settings t="map">
        <expire/>
        <flag/>
        <inact/>
        <max/>
        <min/>
        <warn/>
      </password_settings>
      <shell>/usr/sbin/nologin</shell>
      <uid>497</uid>
      <user_password>!</user_password>
      <username>nm-openvpn</username>
    </user>
    <user t="map">
      <encrypted t="boolean">true</encrypted>
      <fullname>NFS statd daemon</fullname>
      <gid>65533</gid>
      <home>/var/lib/nfs</home>
      <home_btrfs_subvolume t="boolean">false</home_btrfs_subvolume>
      <password_settings t="map">
        <expire/>
        <flag/>
        <inact/>
        <max/>
        <min/>
        <warn/>
      </password_settings>
      <shell>/sbin/nologin</shell>
      <uid>101</uid>
      <user_password>!</user_password>
      <username>statd</username>
    </user>
    <user t="map">
      <encrypted t="boolean">true</encrypted>
      <fullname>systemd Time Synchronization</fullname>
      <gid>495</gid>
      <home>/</home>
      <home_btrfs_subvolume t="boolean">false</home_btrfs_subvolume>
      <password_settings t="map">
        <expire/>
        <flag/>
        <inact/>
        <max/>
        <min/>
        <warn/>
      </password_settings>
      <shell>/usr/sbin/nologin</shell>
      <uid>495</uid>
      <user_password>!*</user_password>
      <username>systemd-timesync</username>
    </user>
    <user t="map">
      <encrypted t="boolean">true</encrypted>
      <fullname>SSH daemon</fullname>
      <gid>105</gid>
      <home>/var/lib/sshd</home>
      <home_btrfs_subvolume t="boolean">false</home_btrfs_subvolume>
      <password_settings t="map">
        <expire/>
        <flag/>
        <inact/>
        <max/>
        <min/>
        <warn/>
      </password_settings>
      <shell>/usr/sbin/nologin</shell>
      <uid>105</uid>
      <user_password>!</user_password>
      <username>sshd</username>
    </user>
    <user t="map">
      <encrypted t="boolean">true</encrypted>
      <fullname>Printing daemon</fullname>
      <gid>487</gid>
      <home>/var/spool/lpd</home>
      <home_btrfs_subvolume t="boolean">false</home_btrfs_subvolume>
      <password_settings t="map">
        <expire/>
        <flag/>
        <inact/>
        <max/>
        <min/>
        <warn/>
      </password_settings>
      <shell>/usr/sbin/nologin</shell>
      <uid>492</uid>
      <user_password>!</user_password>
      <username>lp</username>
    </user>
    <user t="map">
      <encrypted t="boolean">true</encrypted>
      <fullname>User for D-Bus</fullname>
      <gid>499</gid>
      <home>/run/dbus</home>
      <home_btrfs_subvolume t="boolean">false</home_btrfs_subvolume>
      <password_settings t="map">
        <expire/>
        <flag/>
        <inact/>
        <max/>
        <min/>
        <warn/>
      </password_settings>
      <shell>/usr/bin/false</shell>
      <uid>499</uid>
      <user_password>!</user_password>
      <username>messagebus</username>
    </user>
    <user t="map">
      <encrypted t="boolean">true</encrypted>
      <fullname>Smart Card Reader</fullname>
      <gid>472</gid>
      <home>/run/pcscd</home>
      <home_btrfs_subvolume t="boolean">false</home_btrfs_subvolume>
      <password_settings t="map">
        <expire/>
        <flag/>
        <inact/>
        <max/>
        <min/>
        <warn/>
      </password_settings>
      <shell>/usr/sbin/nologin</shell>
      <uid>100</uid>
      <user_password>!</user_password>
      <username>scard</username>
    </user>
    <user t="map">
      <encrypted t="boolean">true</encrypted>
      <fullname>User for nscd</fullname>
      <gid>475</gid>
      <home>/run/nscd</home>
      <home_btrfs_subvolume t="boolean">false</home_btrfs_subvolume>
      <password_settings t="map">
        <expire/>
        <flag/>
        <inact/>
        <max/>
        <min/>
        <warn/>
      </password_settings>
      <shell>/sbin/nologin</shell>
      <uid>106</uid>
      <user_password>!</user_password>
      <username>nscd</username>
    </user>
    <user t="map">
      <encrypted t="boolean">true</encrypted>
      <fullname>user for rpcbind</fullname>
      <gid>65534</gid>
      <home>/var/lib/empty</home>
      <home_btrfs_subvolume t="boolean">false</home_btrfs_subvolume>
      <password_settings t="map">
        <expire/>
        <flag/>
        <inact/>
        <max/>
        <min/>
        <warn/>
      </password_settings>
      <shell>/sbin/nologin</shell>
      <uid>102</uid>
      <user_password>!</user_password>
      <username>rpc</username>
    </user>
    <user t="map">
      <authorized_keys t="list"/>
      <encrypted t="boolean">true</encrypted>
      <fullname>root</fullname>
      <gid>0</gid>
      <home>/root</home>
      <home_btrfs_subvolume t="boolean">false</home_btrfs_subvolume>
      <password_settings t="map">
        <expire/>
        <flag/>
        <inact/>
        <max/>
        <min/>
        <warn/>
      </password_settings>
      <shell>/bin/bash</shell>
      <uid>0</uid>
      <!-- default is: suseit -->
      <user_password>$6$lC/eFDuIpdzgA964$v0DbeCRR6DL8GK7T4JRveCC5rb2WNnAB7lQTTMC/KoMgZ.I6lA9z3z/7spR0pW0.pmM/o8jcvSf.tNXR1MYHY.</user_password>
      <username>root</username>
    </user>
    <user t="map">
      <encrypted t="boolean">true</encrypted>
      <fullname>Manual pages viewer</fullname>
      <gid>62</gid>
      <home>/var/lib/empty</home>
      <home_btrfs_subvolume t="boolean">false</home_btrfs_subvolume>
      <password_settings t="map">
        <expire/>
        <flag/>
        <inact/>
        <max/>
        <min/>
        <warn/>
      </password_settings>
      <shell>/usr/sbin/nologin</shell>
      <uid>13</uid>
      <user_password>!</user_password>
      <username>man</username>
    </user>
    <user t="map">
      <encrypted t="boolean">true</encrypted>
      <fullname>Daemon</fullname>
      <gid>2</gid>
      <home>/sbin</home>
      <home_btrfs_subvolume t="boolean">false</home_btrfs_subvolume>
      <password_settings t="map">
        <expire/>
        <flag/>
        <inact/>
        <max/>
        <min/>
        <warn/>
      </password_settings>
      <shell>/usr/sbin/nologin</shell>
      <uid>2</uid>
      <user_password>!</user_password>
      <username>daemon</username>
    </user>
    <user t="map">
      <encrypted t="boolean">true</encrypted>
      <fullname>Gnome Display Manager daemon</fullname>
      <gid>469</gid>
      <home>/var/lib/gdm</home>
      <home_btrfs_subvolume t="boolean">false</home_btrfs_subvolume>
      <password_settings t="map">
        <expire/>
        <flag/>
        <inact/>
        <max/>
        <min/>
        <warn/>
      </password_settings>
      <shell>/usr/sbin/nologin</shell>
      <uid>489</uid>
      <user_password>!</user_password>
      <username>gdm</username>
    </user>
    <user t="map">
      <encrypted t="boolean">true</encrypted>
      <fullname>bin</fullname>
      <gid>1</gid>
      <home>/bin</home>
      <home_btrfs_subvolume t="boolean">false</home_btrfs_subvolume>
      <password_settings t="map">
        <expire/>
        <flag/>
        <inact/>
        <max/>
        <min/>
        <warn/>
      </password_settings>
      <shell>/usr/sbin/nologin</shell>
      <uid>1</uid>
      <user_password>!</user_password>
      <username>bin</username>
    </user>
    <user t="map">
      <encrypted t="boolean">true</encrypted>
      <fullname>User for polkitd</fullname>
      <gid>474</gid>
      <home>/var/lib/polkit</home>
      <home_btrfs_subvolume t="boolean">false</home_btrfs_subvolume>
      <password_settings t="map">
        <expire/>
        <flag/>
        <inact/>
        <max/>
        <min/>
        <warn/>
      </password_settings>
      <shell>/sbin/nologin</shell>
      <uid>104</uid>
      <user_password>!</user_password>
      <username>polkitd</username>
    </user>
    <user t="map">
      <encrypted t="boolean">true</encrypted>
      <fullname>nobody</fullname>
      <gid>65534</gid>
      <home>/var/lib/nobody</home>
      <home_btrfs_subvolume t="boolean">false</home_btrfs_subvolume>
      <password_settings t="map">
        <expire/>
        <flag/>
        <inact/>
        <max/>
        <min/>
        <warn/>
      </password_settings>
      <shell>/bin/bash</shell>
      <uid>65534</uid>
      <user_password>!</user_password>
      <username>nobody</username>
    </user>
  </users>
</profile>
07070100000003000041ED000003E9000000640000000162BEF39C00000000000000000000000000000000000000000000003500000000suse-csb-release-15.4.suseitinfra.a21e705/combustion
07070100000004000081ED000003E9000000640000000162BEF39C000007BA000000000000000000000000000000000000003C00000000suse-csb-release-15.4.suseitinfra.a21e705/combustion/script
#!/bin/bash
# combustion: network
# Redirect output to the console
# Example taken from https://en.opensuse.org/Portal:MicroOS/Combustion

exec > >(exec tee -a /dev/tty0) 2>&1

# Leave a marker
echo "openSUSE Leap based CSB Configured by SUSE IT combustion" > /etc/issue.d/combustion

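# Set the root password, which is unset by default, to "suseit".
# The hash was generated by `openssl passwd -6`; chpasswd -e takes it pre-hashed.
# The plaintext is public in this repository, so it is a provisioning default, not a secret.
echo 'root:$6$/Ipu/DzM1oX2MoYx$s/rxTh7yiTdduPaGUa4dht6.loJIUF84rYas///sguPOdqTphdfSv8ecGwMcsO4Zr1/y2Pr94TbHxume2b7pA0' | chpasswd -e

# TODO: enroll a TPM2 key in the future
#systemd-cryptenroll --wipe-slot=empty --tpm2-device=auto --tpm2-pcrs=4+7+8+9 /dev/sda3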

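# Take the lsblk line directly above the first "luks" match (the partition that
# holds the LUKS container) and strip the tree-drawing characters from its name.
# Expected result e.g. nvme0n1p4 (the /dev/ prefix is added below)

LUKSDEV="$(lsblk | grep luks -B 1 | head -1 | awk '{ print $1 }' | tr -cd '[:alnum:]._-')"
DEFAULTPASSWD="suseit"
NEWLUKSPASSWD="pleasechangeme"

if [[ -n "$LUKSDEV" ]]; then
	# Report success only when cryptsetup actually exits 0
	if echo -e "${DEFAULTPASSWD}\n${NEWLUKSPASSWD}\n${NEWLUKSPASSWD}" | cryptsetup luksChangeKey -S 0 "/dev/${LUKSDEV}"; then
		echo "luksChangeKey passed" >> /etc/issue.d/combustion
	else
		echo "WARNING: luksChangeKey failed on /dev/${LUKSDEV}. LUKS passphrase was not changed" >> /etc/issue.d/combustion
	fi
else
	echo "WARNING: Could not find luks encrypted device. Skipping luksChangeKey" >> /etc/issue.d/combustion
fi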

cat > /etc/sudoers <<-EOF
# Configured by SUSE IT combustion script
# https://github.com/SUSE/suse-csb-release

Defaults targetpw   # ask for the password of the target user i.e. root
ALL   ALL=(ALL) ALL   # WARNING! Only use this together with 'Defaults targetpw'!

Defaults always_set_home
Defaults secure_path="/usr/sbin:/usr/bin:/sbin:/bin:/usr/local/bin:/usr/local/sbin"
Defaults env_reset
Defaults env_keep = "LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS XDG_SESSION_COOKIE"
Defaults !insults
root ALL=(ALL:ALL) ALL
%wheel ALL=(ALL:ALL) ALL
@includedir /etc/sudoers.d
EOF

echo "INFO: SUSE IT owns the root access" >> /etc/issue.d/combustion
07070100000005000081A4000003E9000000640000000162BEF39C00000109000000000000000000000000000000000000004200000000suse-csb-release-15.4.suseitinfra.a21e705/isv_Rancher_stable.repo
[isv_Rancher_stable]
name=Rancher stable packages (rpm)
type=rpm-md
baseurl=https://download.opensuse.org/repositories/isv:/Rancher:/stable/rpm/
gpgcheck=1
gpgkey=https://download.opensuse.org/repositories/isv:/Rancher:/stable/rpm/repodata/repomd.xml.key
enabled=1
07070100000006000081A4000003E9000000640000000162BEF39C0000012C000000000000000000000000000000000000004600000000suse-csb-release-15.4.suseitinfra.a21e705/isv_SUSE_suse-it-infra.repo
[isv_SUSE_suse-it-infra]
name=isv:SUSE:suse-it-infra ($releasever)
type=rpm-md
baseurl=https://download.opensuse.org/repositories/isv:/SUSE:/suse-it-infra/$releasever/
gpgcheck=1
gpgkey=https://download.opensuse.org/repositories/isv:/SUSE:/suse-it-infra/$releasever/repodata/repomd.xml.key
enabled=1
07070100000000000000000000000000000000000000010000000000000000000000000000000000000000000000000000000B00000000TRAILER!!!97 blocks