diff --git a/cmd/k8e/main.go b/cmd/k8e/main.go
index 60a79e37..3ac05bb2 100644
--- a/cmd/k8e/main.go
+++ b/cmd/k8e/main.go
@@ -48,6 +48,7 @@ func main() {
 		cmds.NewCRICTL(externalCLIAction("crictl", dataDir)),
 		cmds.NewCtrCommand(externalCLIAction("ctr", dataDir)),
 		cmds.NewCheckConfigCommand(externalCLIAction("check-config", dataDir)),
+		cmds.NewInitOSConfigCommand(externalCLIAction("init-os-config", dataDir)),
 		cmds.NewEtcdSnapshotCommand(etcdsnapshotCommand,
 			cmds.NewEtcdSnapshotSubcommands(
 				etcdsnapshotCommand,
diff --git a/contrib/install.sh b/contrib/install.sh
index ff35bf8e..fc6e5c92 100644
--- a/contrib/install.sh
+++ b/contrib/install.sh
@@ -514,7 +514,8 @@ download_and_verify() {
 
 # --- check-config  ---
 check_config() {
-    info "Checking k8e configuration"
+    info "init OS config && Checking k8e config"
+    $SUDO $BIN_DIR/k8e init-os
     $SUDO $BIN_DIR/k8e check-config
 }
 
diff --git a/contrib/util/cilium-sysctlfix.sh b/contrib/util/cilium-sysctlfix.sh
deleted file mode 100644
index 381e6fbe..00000000
--- a/contrib/util/cilium-sysctlfix.sh
+++ /dev/null
@@ -1,47 +0,0 @@
-#!/bin/sh
-set -e
-set -o noglob
-
-# fix Ubuntu 20.04 systemd bug for rp_filter sysctl setting
-
-# --- helper functions for logs ---
-info()
-{
-    echo '[INFO] ' "$@"
-}
-warn()
-{
-    echo '[WARN] ' "$@" >&2
-}
-fatal()
-{
-    echo '[ERROR] ' "$@" >&2
-    exit 1
-}
-
-
-# --- sysctl fix for rp_filter ---
-do_cilium_sysctlfix() {
-    info "Fixing rp_filter sysctl setting for Cilium on Ubuntu 20.04"
-    if [ -f /etc/sysctl.d/99-zzz-override_cilium.conf ]; then
-        warn "File /etc/sysctl.d/99-zzz-override_cilium.conf already exists"
-        return
-    fi
-    cat > /etc/sysctl.d/99-zzz-override_cilium.conf <<EOF
-# Disable rp_filter on Cilium interfaces since it may cause mangled packets to be dropped
-net.ipv4.conf.lxc*.rp_filter = 0
-net.ipv4.conf.cilium_*.rp_filter = 0
-# The kernel uses max(conf.all, conf.{dev}) as its value, so we need to set .all. to 0 as well.
-# Otherwise it will overrule the device specific settings.
-net.ipv4.conf.all.rp_filter = 0
-EOF
-
-sudo systemctl restart systemd-sysctl
-info "Done fixing rp_filter sysctl setting"
-}
-
-
-# --- run the install process --
-{
-    do_cilium_sysctlfix
-}
diff --git a/contrib/initOS.sh b/contrib/util/init-os-config.sh
similarity index 81%
rename from contrib/initOS.sh
rename to contrib/util/init-os-config.sh
index 0fa4da66..77587d15 100644
--- a/contrib/initOS.sh
+++ b/contrib/util/init-os-config.sh
@@ -1,21 +1,12 @@
 #!/usr/bin/env bash
-# Copyright 2020 The KubeSphere Authors.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
+
+# bits of this were adapted from initOS.sh for kubekey
+# see also https://github.com/kubesphere/kubekey/blob/b5bb4acbebaa5ef04d9de743274171be1ebad3fd/cmd/kk/pkg/bootstrap/os/templates/init_script.go
+
 swapoff -a
 sed -i /^[^#]*swap*/s/^/\#/g /etc/fstab
 	# See https://github.com/kubernetes/website/issues/14457
-if [ -f /etc/selinux/config ]; then 
+if [ -f /etc/selinux/config ]; then
 	  sed -ri 's/SELINUX=enforcing/SELINUX=disabled/' /etc/selinux/config
 fi
 # for ubuntu: sudo apt install selinux-utils
@@ -81,15 +72,6 @@ if [ $? -eq 0 ]; then
 	         echo 'nf_conntrack' > /etc/modules-load.d/kube_proxy-ipvs.conf
 fi
 sysctl -p
-sed -i ':a;$!{N;ba};s@# kubekey hosts BEGIN.*# kubekey hosts END@@' /etc/hosts
-sed -i '/^$/N;/\n$/N;//D' /etc/hosts
-cat >>/etc/hosts<<EOF
-# kubekey hosts BEGIN
-{{- range .Hosts }}
-{{ . }}
-{{- end }}
-# kubekey hosts END
-EOF
 echo 3 > /proc/sys/vm/drop_caches
 # Make sure the iptables utility doesn't use the nftables backend.
 update-alternatives --set iptables /usr/sbin/iptables-legacy >/dev/null 2>&1 || true
diff --git a/hack/package-cli b/hack/package-cli
index d014fb76..90fc6847 100755
--- a/hack/package-cli
+++ b/hack/package-cli
@@ -13,6 +13,7 @@ for i in crictl kubectl k8e-agent k8e-server k8e-etcd-snapshot k8e-secrets-encry
 done
 
 cp contrib/util/check-config.sh bin/check-config
+cp contrib/util/init-os-config.sh bin/init-os-config
 
 rm -rf build/data
 mkdir -p build/data build/out
diff --git a/pkg/cli/cmds/check-config.go b/pkg/cli/cmds/check-config.go
index ead97e47..5484b384 100644
--- a/pkg/cli/cmds/check-config.go
+++ b/pkg/cli/cmds/check-config.go
@@ -13,3 +13,13 @@ func NewCheckConfigCommand(action func(*cli.Context) error) cli.Command {
 		Action:          action,
 	}
 }
+
+func NewInitOSConfigCommand(action func(*cli.Context) error) cli.Command {
+	return cli.Command{
+		Name:            "init-os-config",
+		Usage:           "Initialize OS configuration",
+		SkipFlagParsing: true,
+		SkipArgReorder:  true,
+		Action:          action,
+	}
+}