Hi, I was working on the same problem. This template detects SSD or NVMe and acts accordingly. I tried to get `nvme format` to work, but it failed with an error that the disk was in use even though I verified that the disk wasn't mounted. So I went with the more heavy-handed `dd` against the NVMe disk's partition 1, which is the only partition that has sensitive data in our org.
```
<%#
kind: provision
name: wipe-ssd-nvme
model: ProvisioningTemplate
oses:
- AlmaLinux
- CentOS
- CentOS_Stream
- Fedora
- RedHat
- Rocky
locations:
- redacted
organizations:
- default
-%>
auth --useshadow --passalgo=sha512
# System bootloader configuration
bootloader --location=mbr
# Partition clearing information
clearpart --all --initlabel
# Use text mode install
text
# Firewall configuration
firewall --disable
# Run the Setup Agent on first boot
firstboot --disable
# System keyboard
keyboard us
# System language
lang en_US
# Use network installation
url --url=http://redacted/pulp/content/MFE/Library/custom/rocky9/rocky92-x86_64-baseos/
repo --install --name=rocky9-x86_64-baseos --baseurl=http://redacted/pulp/content/MFE/Library/custom/rocky9/rocky9-x86_64-baseos/
repo --install --name=rocky92-x86_64-baseos --baseurl=http://redacted/pulp/content/MFE/Library/custom/rocky9/rocky92-x86_64-baseos/
# Reboot after installation
reboot
# Root password
rootpw --iscrypted redacted
# SELinux configuration
selinux --disabled
# System timezone
timezone America/Vancouver
# Clear the Master Boot Record
zerombr
# Allow anaconda to partition the system as needed
part /boot/efi --fstype vfat --size=200
part /boot --fstype ext2 --size=750
part swap --recommended
part pv.00 --size=1 --grow
# volume_name variable passed from provisioning template.
volgroup vg_root pv.00
logvol / --fstype ext4 --name=lv_root --vgname=vg_root --size=10240 --grow

%pre
%end

%packages
nvme-cli
%end

%post --log=/root/post.log
<%= snippet 'built' %> # foreman snippet that sets "pending installation" to "installed"
%end

%post --nochroot
# Log file location
LOGFILE="/mnt/sysimage/root/wipe_log.txt"
# Start logging
exec > "$LOGFILE" 2>&1
# Disable gpgcheck, which is enabled by default in kickstart:
# drop existing gpgcheck lines, then add gpgcheck=0 after every enabled=1.
sed -i '/^gpgcheck=/d' /mnt/sysimage/etc/yum.repos.d/* && sed -i 's/^enabled=1$/enabled=1\ngpgcheck=0/' /mnt/sysimage/etc/yum.repos.d/*
dnf install -y nvme-cli util-linux
for DEV in /mnt/sysimage/sys/block/*; do
  DEVICE_NAME=$(basename "$DEV")
  # Skip loop and device-mapper devices
  if [[ "$DEVICE_NAME" == loop* || "$DEVICE_NAME" == dm-* ]]; then
    continue
  fi
  # Check if the device is NVMe, SSD, or HDD
  if [[ "$DEVICE_NAME" == nvme* ]]; then
    echo "NVMe drive detected ($DEVICE_NAME). Performing secure erase..."
    # Overwrite the device found by the loop (not a hard-coded nvme0n1)
    dd if=/mnt/sysimage/dev/urandom of="/mnt/sysimage/dev/$DEVICE_NAME" bs=4M status=progress
    # nvme format /mnt/sysimage/dev/$DEVICE_NAME --ses=1
  else
    ROTATIONAL=$(cat "/mnt/sysimage/sys/block/$DEVICE_NAME/queue/rotational")
    if [[ "$ROTATIONAL" == 0 ]]; then
      echo "SSD drive detected ($DEVICE_NAME). Performing secure wipe using blkdiscard..."
      blkdiscard -f "/mnt/sysimage/dev/$DEVICE_NAME"
    else
      echo "HDD drive detected ($DEVICE_NAME). Skipping..."
    fi
  fi
done
sync
%end
```
I tried to keep it as unparameterized as possible, other than the "built" snippet to remove "pending installation".
I was wondering if I could get this to work without assigning to a group and OS and reinstalling an OS first before wiping it, but it failed before I added those. Maybe it was unrelated, but I figured it only adds a couple of minutes and can't hurt overwriting with a fresh install before doing the wipe anyway. Anyway, I used this against 75 rental machines before we sent them back, and the disks showed as raw and the hosts failed to boot.
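The device classification from the %post loop above, as an added example that is not part of the original post: the NVMe/SSD/HDD decision is factored into a function that can be exercised against a constructed sysfs tree, and a dry-run planner prints the command it would run for each device instead of erasing anything. It assumes only POSIX sh and coreutils; the sysfs root, device names and sample tree are constructed for the demo.

```shell
#!/bin/sh
# Added example, not the poster's template: the NVMe/SSD/HDD classification
# from the %post loop as a testable function, plus a dry-run planner that
# prints what it would run instead of erasing anything. Assumes POSIX sh and
# coreutils; the sysfs layout (/sys/block/NAME/queue/rotational) is the
# standard Linux one, and the sample tree built below is constructed.

# classify_block_device SYSFS_ROOT NAME -> prints nvme | ssd | hdd | skip
classify_block_device() {
  sysfs="$1"; name="$2"
  case "$name" in
    loop*|dm-*|sr*|ram*|zram*|md*) echo skip; return 0 ;;  # virtual, optical, raid
    nvme*) echo nvme; return 0 ;;
  esac
  # Everything else is decided by the kernel's rotational flag (0 = SSD).
  if [ ! -r "$sysfs/block/$name/queue/rotational" ]; then
    echo skip; return 0          # unknown device: refuse rather than guess
  fi
  if [ "$(cat "$sysfs/block/$name/queue/rotational")" = "0" ]; then echo ssd; else echo hdd; fi
}

# plan_wipe SYSFS_ROOT DEVROOT -> one line per device: "NAME CLASS COMMAND"
# The command is built from the loop variable, not a hard-coded nvme0n1, so a
# second NVMe disk is not missed and the first is not overwritten twice.
# Overwriting visible LBAs does not reach over-provisioned or remapped flash;
# nvme format --ses=1 is the firmware-level erase, but it needs the namespace
# released (not still backing the mounted /mnt/sysimage), hence the dd fallback.
plan_wipe() {
  sysfs="$1"; devroot="$2"
  for dev in "$sysfs"/block/*; do
    name=$(basename "$dev")
    class=$(classify_block_device "$sysfs" "$name")
    case "$class" in
      nvme) echo "$name nvme dd if=/dev/urandom of=$devroot/$name bs=4M" ;;
      ssd)  echo "$name ssd blkdiscard -f $devroot/$name" ;;
      *)    echo "$name $class -" ;;   # hdd and skip: the template leaves these alone
    esac
  done
}

# make_sample_sysfs DIR: constructed sysfs tree with one disk of each kind.
make_sample_sysfs() {
  for n in nvme0n1 sda sdb loop0 dm-0; do mkdir -p "$1/block/$n/queue"; done
  echo 0 > "$1/block/sda/queue/rotational"       # SATA SSD
  echo 1 > "$1/block/sdb/queue/rotational"       # spinning disk
  echo 0 > "$1/block/nvme0n1/queue/rotational"
}

tmp=$(mktemp -d); make_sample_sysfs "$tmp"; plan_wipe "$tmp" /dev; rm -rf "$tmp"   # demo
```

Running the planner against the real `/sys` (`plan_wipe /sys /dev`) on a staging box before enabling the kickstart shows exactly which devices the loop would touch.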