Customized scripting with kickstart

As discussed previously, for most tasks it is recommended that you perform the post-build configuration with Ansible. However, let's take a simple and hypothetical example: suppose that, for security compliance, you need to disable root SSH logins immediately when the server is built. There is no directive in kickstart that can perform this task, and leaving the server with root logins enabled while it waits for Ansible to run against it may not be acceptable to a corporate security team, as there is a window of opportunity for a potential attacker. Luckily, at the bottom of our kickstart file, we can put a %post block that runs any shell commands you put into it. Thus, we could run the sed utility from within the following code block:

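%post --log=/root/ks.log

# Uncomment the stock "#PermitRootLogin yes" line and set it to "no".
# The pattern matches only that exact commented-out default.
/bin/sed -i 's/#PermitRootLogin yes/PermitRootLogin no/' /etc/ssh/sshd_config

%end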

This very simple block of code runs after the installation process has finished (but before the reboot), and logs its output into /root/ks.log. You could customize this as you see fit. Here, for the sake of our simple example, we are performing a search and replace operation on the default SSH daemon configuration, to ensure that even on first boot, root logins over SSH are disabled.
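
The sed expression above only changes a file that contains the exact text #PermitRootLogin yes; on any other layout it exits successfully without changing anything. As an added example (not from the book; the function names and the enforce.sh file name are hypothetical), the following shell functions set the directive however the installed sshd_config expresses it, and then check the result:

```shell
#!/bin/sh
# Added example, not from the book. Helper names are hypothetical.
# Paste the functions into %post (ideally "%post --erroronfail --log=/root/ks.log")
# or run the file as: sh enforce.sh /etc/ssh/sshd_config

# Print the first active PermitRootLogin value in the global section
# (before any Match block). sshd uses the first value it reads per keyword.
global_root_login() {
    awk '
    { sub(/^[ \t]+/, ""); split($0, w, /[ \t=]+/); key = tolower(w[1]) }
    key == "match"           { exit }
    key == "permitrootlogin" { print tolower(w[2]); exit }
    ' "$1"
}

# Rewrite every active PermitRootLogin line to "no"; if the global section has
# none (stock commented default, or directive missing), add one at the top.
enforce_no_root_login() {
    cfg="$1"
    tmp="$(mktemp)" || return 1
    awk '
    {
        line = $0
        sub(/^[ \t]+/, "", line)
        split(line, w, /[ \t=]+/)
        key = tolower(w[1])            # keywords are case-insensitive
        if (key == "match") in_match = 1
        if (key == "permitrootlogin") {
            if (!in_match) global = 1
            $0 = "PermitRootLogin no"
        }
        out[NR] = $0
    }
    END {
        if (!global) print "PermitRootLogin no"
        for (i = 1; i <= NR; i++) print out[i]
    }' "$cfg" > "$tmp" || { rm -f "$tmp"; return 1; }
    # cat (not mv) keeps the original inode, mode and SELinux label.
    cat "$tmp" > "$cfg" && rm -f "$tmp"
}

if [ "$#" -eq 1 ]; then
    enforce_no_root_login "$1" || exit 1
    [ "$(global_root_login "$1")" = "no" ] || {
        echo "PermitRootLogin is not 'no' in $1" >&2; exit 1; }
fi
```

The functions do not follow Include directives, so where sshd_config pulls in drop-in files, running sshd -T on the installed system and checking its permitrootlogin line reports the effective value.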

In the next section, we'll see how the same thing is achieved in an Ubuntu pre-seed file.
