Custom CentOS 7 bootable ISO / Support UEFI & Secure boot

centos_bstick.sh

#!/bin/bash
# create custom bootable iso for CentOS 7 with kickstart

if [ $# -lt 2 ]
then
    echo "Usage1: $0 path2iso path2kickstart"
    exit 1
else
    if [ ! -f $1 ]
    then
        echo "File $1 does not exist!"
        exit 0
    elif [ ! -f $2 ]
    then
        echo "File $2 does not exist!"
        exit 0
    else
        INNAME="$1"
        echo "Source file - $INNAME"
        KSFILE="$2"
        echo "Kickstart file - $KSFILE"
    fi
fi

# original ISO file of CentOS 7
ISO_ORIGINAL=$INNAME

# out file name
OUTNAME=$(basename "$INNAME" | cut -d. -f1)"-KS-UEFI".iso

# working directory
WORK=$PWD/WORK

# Delete possible previous results
rm -rf $WORK

# create a new working directory
echo "Create working directory - $WORK"
mkdir $WORK

# dir to mount original ISO - SRC
SRC=$WORK/SRC

# dir for customised ISO
DST=$WORK/DST

# Dir for mount EFI image
EFI=$WORK/EFI

# mount ISO to SRC dir
echo "Create $SRC"
mkdir $SRC
echo "Mount original $ISO_ORIGINAL to $SRC"
mount -o loop $ISO_ORIGINAL $SRC

# create dir for  ISO customisation
echo "Create dir $DST for customisation"
mkdir $DST

# copy orginal files to destination dir
# use dot after SRC dir (SRC/.) to help copy hidden files also
cp -v -r $SRC/. $DST/

echo "Umount original ISO $SRC"
umount $SRC

# create dir for EFI image
echo "Create dir for EFIBOOT image - $EFI"
mkdir $EFI

# change rights for rw
echo "Make EFIBOOT RW"
chmod 644 $DST/images/efiboot.img

echo "Mount EFIBOOT image to $EFI"
mount -o loop $DST/images/efiboot.img $EFI/

# add boot menu grab.cfg for UEFI mode
cp -v $(dirname $0)/cfg/efi-boot-grub.cfg $EFI/EFI/BOOT/grub.cfg

# unmount image
echo "Unmount $EFI"
umount $EFI/

# back RO rights
echo "Make EFIBOOT RO"
chmod 444 $DST/images/efiboot.img

# add boot menu grab.cfg for UEFI mode
# It is the second place where boot menu is exists for EFI.
# /images/efiboot.img/{grub.cfg} has the working menu
# /EFI/BOOT/grub.cfg just present (this case has to be discovered)
cp -v $(dirname $0)/cfg/efi-boot-grub.cfg $DST/EFI/BOOT/grub.cfg

# add boot menu with kickstart option to /isolinux (BIOS)
cp -v $(dirname $0)/cfg/isolinux.cfg $DST/isolinux/isolinux.cfg

# put kickstart file custom-ks.cfg to isolinux/ks.cfg
cp -v $KSFILE $DST/isolinux/ks.cfg

# create dir for custom scripts
mkdir -p $DST/extras/ansible/
cp -v -r $(dirname $0)/../ansible/. $DST/extras/ansible/

# copy custom rc.local
cp -v -r $(dirname $0)/cfg/rc.local $DST/extras/

# copy extra RPM to Packages
echo "Copy custom RPM to $DST/Packages"
PACKAGES="$(dirname $0)/packages.txt"
while IFS='' read -r pname || [[ -n "$pname" ]]; do
    cp -v $(dirname $0)/Packages/$pname $DST/Packages/
done < "$PACKAGES"

# update RPM repository index
echo "Update repository index"
(
    cd $DST/;
    chmod u+w repodata/*;
    createrepo -g repodata/*comps.xml . --update;
)

# create output directory
OUTPUT=$WORK/OUTPUT
mkdir $OUTPUT

(
    echo "$PWD - Create custom ISO";
    cd $DST;
    genisoimage \
        -V "CentOS 7 x86_64" \
        -A "CentOS 7 x86_64" \
        -o $OUTPUT/$OUTNAME \
        -joliet-long \
        -b isolinux/isolinux.bin \
        -c isolinux/boot.cat \
        -no-emul-boot \
        -boot-load-size 4 \
        -boot-info-table \
        -eltorito-alt-boot -e images/efiboot.img \
        -no-emul-boot \
        -R -J -v -T \
        $DST \
        > $WORK/out.log 2>&1
)

echo "Isohybrid - make custom iso bootable"
sudo isohybrid --uefi $OUTPUT/$OUTNAME

efi-boot-grub.cfg

set default="0"

function load_video {
  insmod efi_gop
  insmod efi_uga
  insmod video_bochs
  insmod video_cirrus
  insmod all_video
}

load_video
set gfxpayload=keep
insmod gzio
insmod part_gpt
insmod ext2

set timeout=60
### END /etc/grub.d/00_header ###

search --no-floppy --set=root -l 'CentOS 7 x86_64'

### BEGIN /etc/grub.d/10_linux ###
menuentry 'Install CentOS 7 KS' --class fedora --class gnu-linux --class gnu --class os {
        linuxefi /images/pxeboot/vmlinuz inst.stage2=hd:LABEL=CentOS\x207\x20x86_64 inst.ks=hd:LABEL=CentOS\x207\x20x86_64:/isolinux/ks.cfg text
        initrdefi /images/pxeboot/initrd.img
}
menuentry 'Test this media & install CentOS 7' --class fedora --class gnu-linux --class gnu --class os {
        linuxefi /images/pxeboot/vmlinuz inst.stage2=hd:LABEL=CentOS\x207\x20x86_64 rd.live.check quiet
        initrdefi /images/pxeboot/initrd.img
}
submenu 'Troubleshooting -->' {
        menuentry 'Install CentOS 7 in basic graphics mode' --class fedora --class gnu-linux --class gnu --class os {
                linuxefi /images/pxeboot/vmlinuz inst.stage2=hd:LABEL=CentOS\x207\x20x86_64 xdriver=vesa nomodeset quiet
                initrdefi /images/pxeboot/initrd.img
        }
        menuentry 'Rescue a CentOS system' --class fedora --class gnu-linux --class gnu --class os {
                linuxefi /images/pxeboot/vmlinuz inst.stage2=hd:LABEL=CentOS\x207\x20x86_64 rescue quiet
                initrdefi /images/pxeboot/initrd.img
        }
}

isolinux.cfg

default vesamenu.c32
timeout 600

display boot.msg

# Clear the screen when exiting the menu, instead of leaving the menu displayed.
# For vesamenu, this means the graphical background is still displayed without
# the menu itself for as long as the screen remains in graphics mode.
menu clear
menu background splash.png
menu title CentOS 7
menu vshift 8
menu rows 18
menu margin 8
#menu hidden
menu helpmsgrow 15
menu tabmsgrow 13

# Border Area
menu color border * #00000000 #00000000 none

# Selected item
menu color sel 0 #ffffffff #00000000 none

# Title bar
menu color title 0 #ff7ba3d0 #00000000 none

# Press [Tab] message
menu color tabmsg 0 #ff3a6496 #00000000 none

# Unselected menu item
menu color unsel 0 #84b8ffff #00000000 none

# Selected hotkey
menu color hotsel 0 #84b8ffff #00000000 none

# Unselected hotkey
menu color hotkey 0 #ffffffff #00000000 none

# Help text
menu color help 0 #ffffffff #00000000 none

# A scrollbar of some type? Not sure.
menu color scrollbar 0 #ffffffff #ff355594 none

# Timeout msg
menu color timeout 0 #ffffffff #00000000 none
menu color timeout_msg 0 #ffffffff #00000000 none

# Command prompt text
menu color cmdmark 0 #84b8ffff #00000000 none
menu color cmdline 0 #ffffffff #00000000 none

# Do not display the actual menu unless the user presses a key. All that is displayed is a timeout message.

menu tabmsg Press Tab for full configuration options on menu items.

menu separator # insert an empty line
menu separator # insert an empty line

label linux
  menu label ^Install CentOS 7 KS
  menu default
  kernel vmlinuz
  append initrd=initrd.img inst.stage2=hd:LABEL=CentOS\x207\x20x86_64 inst.stage2=hd:LABEL=CentOS\x207\x20x86_64:/isolinux/ks.cfg text

label check
  menu label Test this ^media & install CentOS 7
  kernel vmlinuz
  append initrd=initrd.img inst.stage2=hd:LABEL=CentOS\x207\x20x86_64 rd.live.check quiet

menu separator # insert an empty line

# utilities submenu
menu begin ^Troubleshooting
  menu title Troubleshooting

label vesa
  menu indent count 5
  menu label Install CentOS 7 in ^basic graphics mode
  text help
        Try this option out if you're having trouble installing
        CentOS 7.
  endtext
  kernel vmlinuz
  append initrd=initrd.img inst.stage2=hd:LABEL=CentOS\x207\x20x86_64 xdriver=vesa nomodeset quiet

label rescue
  menu indent count 5
  menu label ^Rescue a CentOS system
  text help
        If the system will not boot, this lets you access files
        and edit config files to try to get it booting again.
  endtext
  kernel vmlinuz
  append initrd=initrd.img inst.stage2=hd:LABEL=CentOS\x207\x20x86_64 rescue quiet

label memtest
  menu label Run a ^memory test
  text help
        If your system is having issues, a problem with your
        system's memory may be the cause. Use this utility to
        see if the memory is working correctly.
  endtext
  kernel memtest

menu separator # insert an empty line

label local
  menu label Boot from ^local drive
  localboot 0xffff

menu separator # insert an empty line
menu separator # insert an empty line

label returntomain
  menu label Return to ^main menu
  menu exit

menu end

ks.cfg

#version=DEVEL
# System authorization information
auth --enableshadow --passalgo=sha512
# Use CDROM installation media
cdrom
# Use text install
text
# Run the Setup Agent on first boot
firstboot --enable
ignoredisk --only-use=sdb,sdc
# Keyboard layouts
keyboard --vckeymap=us --xlayouts='us'
# System language
lang en_US.UTF-8

# Network information
network  --bootproto=dhcp --device=eno1 --noipv6 --activate
network  --bootproto=dhcp --device=enp5s0 --onboot=off --noipv6
network  --hostname=localhost.localdomain

# Root password 
rootpw --iscrypted $6$jlaU.DRbpb/lugun$JfnIkJadI.fFfd3WX9ktSLeRwerGgTiykdvVWS.jmSz1RakRS86Wpo1OL2fP2M0SkFCf0b3ki34Pmt3cYU6Ii0
# System timezone
timezone America/New_York --isUtc
# System bootloader configuration
bootloader --location=mbr --boot-drive=sdb
# Partition clearing information
clearpart --all --initlabel --drives=sdb,sdc
# Disk partitioning information
part /boot --fstype="xfs" --size=500
part pv.764 --fstype="lvmpv" --ondisk=sdb --size=476239
part pv.770 --fstype="lvmpv" --ondisk=sdc --size=2861587
part /boot/efi --fstype="efi" --size=200 --fsoptions="umask=0077,shortname=winnt"
volgroup centos00 --pesize=4096 pv.764 pv.770
logvol /home  --fstype="xfs" --grow --size=500 --name=home --vgname=centos00
logvol /  --fstype="xfs" --grow --maxsize=51200 --size=1024 --name=root --vgname=centos00
logvol swap  --fstype="swap" --size=32192 --name=swap --vgname=centos00

%packages --nobase
ansible

%end

%post --nochroot
# redirect the output to the log file
exec >/mnt/sysimage/root/ks-post-anaconda-chroot.log 2>&1
# show the output on the 7th console
tail -f /mnt/sysimage/root/ks-post-anaconda-chroot.log >/dev/tty7 &
# changing to VT 7 that we can see what's going on
/usr/bin/chvt 7

export SRCDIR="/run/install/repo"
export DSTDIR="/mnt/sysimage"

cp -v -r $SRCDIR/extras/. $DSTDIR/root/
find $DSTDIR/root/ -name "TRANS.TBL" -delete

mv -v $DSTDIR/etc/rc.d/rc.local $DSTDIR/etc/rc.d/rc.local-backup
mv -v $SRCDIR/extras/rc.local $DSTDIR/etc/rc.d/rc.local
chmod +x $DSTDIR/etc/rc.d/rc.local

echo "Ready to reboot!"

%end

%post
# redirect the output to the log file
exec >/root/ks-post-anaconda-chroot.log 2>&1
# show the output on the 8th console
tail -f /root/ks-post-anaconda-chroot.log >/dev/tty8 &
# changing to VT 8 that we can see what's going on
/usr/bin/chvt 8

mv -v /root/bin/custom-setup.service /usr/lib/systemd/system/custom-setup.service
systemctl enable custom-setup.service

echo "Ready to reboot!"

%end

%addon com_redhat_kdump --disable --reserve-mb='auto'

%end

rc.local

#!/bin/bash
# Put custom instructions in the script. Keep copy of previous rc.local in /etc/rc.d/rc.local-backup to replace after booting

# Please note that you must run 'chmod +x /etc/rc.d/rc.local' to ensure
# that this script will be executed during boot.

/bin/ansible-playbook -i /root/ansible/localhost /root/ansible/bootstrap.yml -vvvv > /root/ansible-run.log
mv /etc/rc.d/rc.local-backup /etc/rc.d/rc.local

mkdir efi
mount -o loop $ISO_MNT_DIR_DEST/images/efiboot.img efi
cp cfg/efi-boot-grub.cfg efi/EFI/BOOT/grub.cfg
umount efi

Mount EFIBOOT image to /home/msh/WORK/EFI
cp: cannot stat ‘./cfg/efi-boot-grub.cfg’: No such file or directory
Unmount /home/msh/WORK/EFI
Make EFIBOOT RO
cp: cannot stat ‘./cfg/efi-boot-grub.cfg’: No such file or directory
cp: cannot stat ‘./cfg/isolinux.cfg’: No such file or directory
‘custom-ks.cfg’ -> ‘/home/msh/WORK/DST/ks.cfg’
cp: cannot stat ‘./../ansible/.’: No such file or directory
cp: cannot stat ‘./cfg/rc.local’: No such file or directory
Copy custom RPM to /home/msh/WORK/DST/Packages
./bstick.sh: line 114: ./packages.txt: No such file or directory
Update repository index
Spawning worker 0 with 4021 pkgs
Workers Finished
Saving Primary metadata
Saving file lists metadata
Saving other metadata
Generating sqlite DBs
Sqlite DBs complete

I'm using CentOS-7-x86_64-DVD-1810.iso. The ISO boots up fine Anaconda can't find the kickstart file. I mounted the image ( CentOS-7-x86_64-DVD-1810-KS-UEFI.iso ) and ks.cfg is in isolinux. I think you need to change the append syntax in isolinux.cfg to point at ks.cfg.

append initrd=initrd.img inst.repo=cdrom ks=cdrom:/ks.cfg

Thank you for producing a nice clean example.

Can you add copyright and a license to this code. I know this is in public but I would like to make sure I don't step on your copyright.

GPL, BSD or CC are preferred.

Nick
2020.04.04 - :)

Why

$ sudo mount -o loop efiboot.img efiboot
[sudo] password for rongtao: 
mount: /home/rongtao/efiboot: wrong fs type, bad option, bad superblock on /dev/loop1, missing codepage or helper program, or other error.

hi, can we have a more brief explanation of this? i noticed that unless you create a directory on ../ansible the script wont terminate well. same as we need a file under ./packages.txt. i managed to put these in place but the boot fails (dracut...) before anaconda starts, well you guessed it. so can i find a more detailed howto of this?

thank you so much