6 commits - generic/fedora-18-x86_64-cloud.ks generic/fedora-18-x86_64.ks generic/fedora-18-x86_64-minimal.ks

Matthew Miller mattdm at fedoraproject.org
Thu Dec 13 22:09:53 UTC 2012


 generic/fedora-18-x86_64-cloud.ks   |  135 ++++++++++++++++++++++++++++--------
 generic/fedora-18-x86_64-minimal.ks |   14 ++-
 generic/fedora-18-x86_64.ks         |  132 +++++++++++++++++++++++++++--------
 3 files changed, 218 insertions(+), 63 deletions(-)

New commits:
commit 33d2a933ca055d39984a338d164e389279600a49
Author: Matthew Miller <mattdm at mattdm.org>
Date:   Thu Dec 13 15:39:14 2012 -0500

    bring changes from other files into this one

diff --git a/generic/fedora-18-x86_64-cloud.ks b/generic/fedora-18-x86_64-cloud.ks
index 72225ec..cd8b30a 100644
--- a/generic/fedora-18-x86_64-cloud.ks
+++ b/generic/fedora-18-x86_64-cloud.ks
@@ -4,69 +4,146 @@
 # ssh keys. That also currently creates an ec2-user account; we'll probably
 # want to make that something generic by default. The root password is empty
 # by default.
+#
+# Note that unlike the standard F18 install, this image has /tmp on disk
+# rather than in tmpfs, since memory is usually at a premium.
 
 lang en_US.UTF-8
 keyboard us
 timezone --utc America/New_York
+
 auth --useshadow --enablemd5
 selinux --enforcing
-firewall --service=ssh
-bootloader --timeout=3 --location=mbr --driveorder=sda
-network --bootproto=dhcp --device=eth0 --onboot=on
-services --enabled=network,sshd,rsyslog
 
+# this is actually not used, but a static firewall
+# matching these rules is generated below.
+firewall --service=ssh --service=http --service=https
+
+bootloader --timeout=0 --location=mbr --driveorder=sda
+
+network --bootproto=dhcp --device=eth0 --onboot=on
+services --enabled=network,sshd,rsyslog,iptables,cloud-init,cloud-init-local,cloud-config,cloud-final
 
-# Define how large you want your rootfs to be
 part biosboot --fstype=biosboot --size=1 --ondisk sda
-part / --size 4000 --fstype ext4 --ondisk sda
+part / --size 4096 --fstype ext4 --ondisk sda
 
 # Repositories
 repo --name=fedora --mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=fedora-18&arch=$basearch
 
-# We start with @core, and then add a few more packages to make a nice
-# functional Fedora-like but still reasonably minimal cloud image.
+
+# Package list.
 %packages --nobase
 @core
-cloud-init
 kernel
+
+# cloud-init does magical things with EC2 metadata, including provisioning
+# a user account with ssh keys.
+cloud-init
+
+# Not needed with pv-grub (as in EC2). Would be nice to have
+# something smaller for F19 (syslinux?), but this is what we have now.
 grub2
-# if we're not going to be installing firewalld, we need this
+
+# Needed initially, but removed below.
+firewalld
+
+# Basic firewall. If you're going to rely on your cloud service's
+# security groups you can remove this.
 iptables-services
 
-# and, some things from @core we can do without
+# cherry-pick a few things from @standard
+logrotate
+tmpwatch
+tar
+rsync
+
+# Some things from @core we can do without in a minimal install
 -biosdevname
 -plymouth
--linux-firmware
 -NetworkManager
 -polkit
 
 %end
 
-# more ec2-ify
-%post --erroronfail
 
-cat <<EOL > /etc/fstab
-LABEL=_/   /         ext4    defaults        1 1
-proc       /proc     proc    defaults        0 0
-sysfs      /sys      sysfs   defaults        0 0
-devpts     /dev/pts  devpts  gid=5,mode=620  0 0
-tmpfs      /dev/shm  tmpfs   defaults        0 0
-EOL
 
+%post --erroronfail
 
-# grub tweaks
-cat <<EOL > /etc/default/grub
-GRUB_TIMEOUT=0
-EOL
-sed -ie 's/^set timeout=5/set timeout=0/' /boot/grub2/grub.cfg
+echo -n "Writing fstab"
+cat <<EOF > /etc/fstab
+LABEL=_/   /         ext4    defaults        1 1
+EOF
+echo .
+
+echo -n "Grub tweaks"
+echo GRUB_TIMEOUT=0 > /etc/default/grub
+sed -i 's/^set timeout=5/set timeout=0/' /boot/grub2/grub.cfg
+sed -i '1i# This file is for use with pv-grub; legacy grub is not installed in this image' /boot/grub2/grub.cfg
+sed -i 's/^timeout=5/timeout=0/' /boot/grub/grub.conf
+# need to file a bug on this one
+sed -i 's/root=.*/root=LABEL=_\//' /boot/grub/grub.conf
+echo .
+echo -n "Linking menu.lst to old-style grub.conf for pv-grub"
+mv /boot/grub/grub.conf /boot/grub/menu.lst
+ln -s /boot/grub/menu.lst /etc/grub.conf
 
-# for EC2, need to figure out how to set up menu.list for pv-grub
 
 # setup systemd to boot to the right runlevel
+echo -n "Setting default runlevel to multiuser text mode"
 rm -f /etc/systemd/system/default.target
 ln -s /lib/systemd/system/multi-user.target /etc/systemd/system/default.target
-
-# TODO: fix firewall
+echo .
+
+# If you want to remove rsyslog and just use journald, also uncomment this.
+#echo -n "Enabling persistent journal"
+#mkdir /var/log/journal/ 
+#echo .
+
+# this is installed by default but we don't need it in virt
+echo "Removing linux-firmware package."
+yum -C -y remove linux-firmware
+
+# Remove firewalld; was supposed to be optional in F18, but is required to
+# be present for install/image building.
+echo "Removing firewalld and dependencies"
+yum -C -y remove firewalld
+# These are all pulled in by firewalld (libselinux-python is too, but
+# is also required by cloud-init).
+yum -C -y remove cairo dbus-glib dbus-python ebtables fontconfig fontpackages-filesystem gobject-introspection js libdrm libpciaccess libpng libwayland-client libwayland-server libX11 libX11-common libXau libxcb libXdamage libXext libXfixes libXrender libXxf86vm mesa-libEGL mesa-libgbm mesa-libGL mesa-libglapi pixman polkit pycairo pygobject2 pygobject3 python-decorator python-slip python-slip-dbus
+
+# Non-firewalld-firewall
+echo -n "Writing static firewall"
+cat <<EOF > /etc/sysconfig/iptables
+# Simple static firewall loaded by iptables.service. Replace
+# this with your own custom rules, run lokkit, or switch to 
+# shorewall or firewalld as your needs dictate.
+*filter
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
+-A INPUT -p icmp -j ACCEPT
+-A INPUT -i lo -j ACCEPT
+-A INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 22 -j ACCEPT
+-A INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 80 -j ACCEPT
+-A INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 443 -j ACCEPT
+-A INPUT -j REJECT --reject-with icmp-host-prohibited
+-A FORWARD -j REJECT --reject-with icmp-host-prohibited
+COMMIT
+EOF
+echo .
+
+# Because memory is scarce resource in most cloud/virt environments,
+# and because this impedes forensics, we are differing from the Fedora
+# default of having /tmp on tmpfs.
+echo "Disabling tmpfs for /tmp."
+systemctl mask tmp.mount
+
+echo "Zeroing out empty space."
+# This forces the filesystem to reclaim space from deleted files
+dd bs=1M if=/dev/zero of=/var/tmp/zeros || :
+rm -f /var/tmp/zeros
+echo "(Don't worry -- that out-of-space error was expected.)"
 
 %end
 
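Review bot: The substitution `sed -i 's/root=.*/root=LABEL=_\//' /boot/grub/grub.conf` in %post rewrites from `root=` to the end of the kernel line, so anything that follows the root argument on that line (console=, ro, or similar parameters) is silently dropped from the image's boot entry; `sed -i 's/root=[^ ]*/root=LABEL=_\//' /boot/grub/grub.conf` limits the rewrite to the one argument. The same line appears in the fedora-18-x86_64.ks hunk of commit 35d5ce5. Separately, the static firewall written to /etc/sysconfig/iptables accepts new connections on ports 80 and 443 although nothing in the package list listens there; opening only 22 by default and leaving the two web rules as commented examples would keep the image's exposed surface to what it actually runs, and the header comment already notes that the root password is empty, which makes the extra listeners worth avoiding. The %post section is complete within this hunk.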


commit b191d941256245f6c504d3c251dea4e14f9480b4
Author: Matthew Miller <mattdm at mattdm.org>
Date:   Thu Dec 13 14:55:51 2012 -0500

    tar and rsync for staging files to images (small, add no new deps)

diff --git a/generic/fedora-18-x86_64.ks b/generic/fedora-18-x86_64.ks
index 11a1647..a49ad26 100644
--- a/generic/fedora-18-x86_64.ks
+++ b/generic/fedora-18-x86_64.ks
@@ -48,6 +48,8 @@ iptables-services
 # cherry-pick a few things from @standard
 logrotate
 tmpwatch
+tar
+rsync
 
 # Some things from @core we can do without in a minimal install
 -biosdevname


commit a470988f6dffb9f69074d775d9751f9e5ca10fed
Author: Matthew Miller <mattdm at mattdm.org>
Date:   Thu Dec 13 14:55:04 2012 -0500

    use rsyslog in this version, and include tmpwatch and logrotate to keep the
    system clean.

diff --git a/generic/fedora-18-x86_64.ks b/generic/fedora-18-x86_64.ks
index 27047d2..11a1647 100644
--- a/generic/fedora-18-x86_64.ks
+++ b/generic/fedora-18-x86_64.ks
@@ -45,6 +45,10 @@ firewalld
 # security groups you can remove this.
 iptables-services
 
+# cherry-pick a few things from @standard
+logrotate
+tmpwatch
+
 # Some things from @core we can do without in a minimal install
 -biosdevname
 -plymouth
@@ -82,10 +86,10 @@ rm -f /etc/systemd/system/default.target
 ln -s /lib/systemd/system/multi-user.target /etc/systemd/system/default.target
 echo .
 
-# because we didn't install rsyslog, enable persistent journal
-echo -n "Enabling persistent journal"
-mkdir /var/log/journal/ 
-echo .
+# If you want to remove rsyslog and just use journald, also uncomment this.
+#echo -n "Enabling persistent journal"
+#mkdir /var/log/journal/ 
+#echo .
 
 # this is installed by default but we don't need it in virt
 echo "Removing linux-firmware package."


commit 6a583eff6c8ef06c9941c3cd325342d54756e945
Author: Matthew Miller <mattdm at mattdm.org>
Date:   Thu Dec 13 14:40:56 2012 -0500

    4GB image size instead of 1GB

diff --git a/generic/fedora-18-x86_64.ks b/generic/fedora-18-x86_64.ks
index c67ec31..27047d2 100644
--- a/generic/fedora-18-x86_64.ks
+++ b/generic/fedora-18-x86_64.ks
@@ -21,7 +21,7 @@ services --enabled=network,sshd,rsyslog,iptables
 
 
 part biosboot --fstype=biosboot --size=1 --ondisk sda
-part / --size 1024 --fstype ext4 --ondisk sda
+part / --size 4096 --fstype ext4 --ondisk sda
 
 # Repositories
 repo --name=fedora --mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=fedora-18&arch=$basearch


commit 35d5ce5415307da7f45c87c74c51000a93e871a5
Author: Matthew Miller <mattdm at mattdm.org>
Date:   Thu Dec 13 14:32:31 2012 -0500

    copy in everything from the -minimal version, but take out the
    ultra-minimalization

diff --git a/generic/fedora-18-x86_64.ks b/generic/fedora-18-x86_64.ks
index dd0b1f7..c67ec31 100644
--- a/generic/fedora-18-x86_64.ks
+++ b/generic/fedora-18-x86_64.ks
@@ -1,68 +1,136 @@
 # This is a basic Fedora 18 spin designed to work in OpenStack and other
-# private cloud environments. This version is _not_ configured with cloud
-# init. The root password is empty by default.
+# private cloud environments. This flavor isn't configured with cloud-init
+# or any other metadata service; you'll need your own say of getting
+# user (or root) credentials on the system.
 
 lang en_US.UTF-8
 keyboard us
 timezone --utc America/New_York
+
 auth --useshadow --enablemd5
 selinux --enforcing
-firewall --service=ssh
-bootloader --timeout=3 --location=mbr --driveorder=sda
+
+# this is actually not used, but a static firewall
+# matching these rules is generated below.
+firewall --service=ssh --service=http --service=https
+
+bootloader --timeout=0 --location=mbr --driveorder=sda
+
 network --bootproto=dhcp --device=eth0 --onboot=on
-services --enabled=network,sshd,rsyslog
+services --enabled=network,sshd,rsyslog,iptables
 
 
-# Define how large you want your rootfs to be
 part biosboot --fstype=biosboot --size=1 --ondisk sda
-part / --size 4000 --fstype ext4 --ondisk sda
+part / --size 1024 --fstype ext4 --ondisk sda
 
 # Repositories
 repo --name=fedora --mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=fedora-18&arch=$basearch
 
-# We start with @core, and then add a few more packages to make a nice
-# functional Fedora-like but still reasonably minimal cloud image.
+
+# Package list.
+# Just the basics, here.
+
 %packages --nobase
 @core
 kernel
+
+# Not needed with pv-grub (as in EC2). Would be nice to have
+# something smaller for F19 (syslinux?), but this is what we have now.
 grub2
-# if we're not going to be installing firewalld, we need this
+
+# Needed initially, but removed below.
+firewalld
+
+# Basic firewall. If you're going to rely on your cloud service's
+# security groups you can remove this.
 iptables-services
 
-# and, some things from @core we can do without
+# Some things from @core we can do without in a minimal install
 -biosdevname
 -plymouth
--linux-firmware
 -NetworkManager
 -polkit
 
 %end
 
-# more ec2-ify
-%post --erroronfail
 
-cat <<EOL > /etc/fstab
-LABEL=_/   /         ext4    defaults        1 1
-proc       /proc     proc    defaults        0 0
-sysfs      /sys      sysfs   defaults        0 0
-devpts     /dev/pts  devpts  gid=5,mode=620  0 0
-tmpfs      /dev/shm  tmpfs   defaults        0 0
-EOL
 
+%post --erroronfail
 
-# grub tweaks
-cat <<EOL > /etc/default/grub
-GRUB_TIMEOUT=0
-EOL
-sed -ie 's/^set timeout=5/set timeout=0/' /boot/grub2/grub.cfg
+echo -n "Writing fstab"
+cat <<EOF > /etc/fstab
+LABEL=_/   /         ext4    defaults        1 1
+EOF
+echo .
+
+echo -n "Grub tweaks"
+echo GRUB_TIMEOUT=0 > /etc/default/grub
+sed -i 's/^set timeout=5/set timeout=0/' /boot/grub2/grub.cfg
+sed -i '1i# This file is for use with pv-grub; legacy grub is not installed in this image' /boot/grub2/grub.cfg
+sed -i 's/^timeout=5/timeout=0/' /boot/grub/grub.conf
+# need to file a bug on this one
+sed -i 's/root=.*/root=LABEL=_\//' /boot/grub/grub.conf
+echo .
+echo -n "Linking menu.lst to old-style grub.conf for pv-grub"
+mv /boot/grub/grub.conf /boot/grub/menu.lst
+ln -s /boot/grub/menu.lst /etc/grub.conf
 
-# for EC2, need to figure out how to set up menu.list for pv-grub
 
 # setup systemd to boot to the right runlevel
+echo -n "Setting default runlevel to multiuser text mode"
 rm -f /etc/systemd/system/default.target
 ln -s /lib/systemd/system/multi-user.target /etc/systemd/system/default.target
-
-# TODO: fix firewall
+echo .
+
+# because we didn't install rsyslog, enable persistent journal
+echo -n "Enabling persistent journal"
+mkdir /var/log/journal/ 
+echo .
+
+# this is installed by default but we don't need it in virt
+echo "Removing linux-firmware package."
+yum -C -y remove linux-firmware
+
+# Remove firewalld; was supposed to be optional in F18, but is required to
+# be present for install/image building.
+echo "Removing firewalld and dependencies"
+yum -C -y remove firewalld
+# These are all pulled in by firewalld
+yum -C -y remove cairo dbus-glib dbus-python ebtables fontconfig fontpackages-filesystem gobject-introspection js libdrm libpciaccess libpng libselinux-python libwayland-client libwayland-server libX11 libX11-common libXau libxcb libXdamage libXext libXfixes libXrender libXxf86vm mesa-libEGL mesa-libgbm mesa-libGL mesa-libglapi pixman polkit pycairo pygobject2 pygobject3 python-decorator python-slip python-slip-dbus
+
+# Non-firewalld-firewall
+echo -n "Writing static firewall"
+cat <<EOF > /etc/sysconfig/iptables
+# Simple static firewall loaded by iptables.service. Replace
+# this with your own custom rules, run lokkit, or switch to 
+# shorewall or firewalld as your needs dictate.
+*filter
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
+-A INPUT -p icmp -j ACCEPT
+-A INPUT -i lo -j ACCEPT
+-A INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 22 -j ACCEPT
+-A INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 80 -j ACCEPT
+-A INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 443 -j ACCEPT
+-A INPUT -j REJECT --reject-with icmp-host-prohibited
+-A FORWARD -j REJECT --reject-with icmp-host-prohibited
+COMMIT
+EOF
+echo .
+
+# Because memory is scarce resource in most cloud/virt environments,
+# and because this impedes forensics, we are differing from the Fedora
+# default of having /tmp on tmpfs.
+echo "Disabling tmpfs for /tmp."
+systemctl mask tmp.mount
+
+echo "Zeroing out empty space."
+# This forces the filesystem to reclaim space from deleted files
+dd bs=1M if=/dev/zero of=/var/tmp/zeros || :
+rm -f /var/tmp/zeros
+echo "(Don't worry -- that out-of-space error was expected.)"
 
 %end
 
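Review bot: The rewritten header says the user must supply their own way of getting credentials onto the system, but no `rootpw` line appears in the hunk while `sshd` is enabled in `services`, so the image is built with whatever root password anaconda defaults to (the cloud variant's header describes it as empty) and nothing in %post locks it. Adding `rootpw --lock` next to `auth` would leave the account unusable until a credential is deliberately set, and the header could say so explicitly. While there, `auth --useshadow --enablemd5` selects MD5 password hashing; `auth --useshadow --passalgo=sha512` is the stronger choice for any password that is later set. The `s/root=.*/…/` sed on /boot/grub/grub.conf has the same over-broad match as in commit 33d2a93; see the note there.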


commit d63f76a48e2b5d9fa5f660b09dd4fd8481196998
Author: Matthew Miller <mattdm at mattdm.org>
Date:   Thu Dec 13 14:30:21 2012 -0500

    update note on ultra-minimal

diff --git a/generic/fedora-18-x86_64-minimal.ks b/generic/fedora-18-x86_64-minimal.ks
index 82d4ea7..d317b7e 100644
--- a/generic/fedora-18-x86_64-minimal.ks
+++ b/generic/fedora-18-x86_64-minimal.ks
@@ -1,9 +1,13 @@
 # This is a basic Fedora 18 spin designed to work in OpenStack and other
-# private cloud environments. It's configured with cloud-init so it will
-# take advantage of ec2-compatible metadata services for provisioning
-# ssh keys. That also currently creates an ec2-user account; we'll probably
-# want to make that something generic by default. The root password is empty
-# by default.
+# private cloud environments. This particular kickstart is designed to
+# be as obsessively minimal as we can be and still be Fedora. Because
+# this has not traditionally been a priority, that's not particularly
+# very small, making this in some ways an academic exercise, but it's also
+# a base for the more complete kickstarts.
+#
+# If you're interested in making this more minimal, big problems to solve
+# are the not-needed-for-cloud kernel modules and the gigantic locale
+# database. After that, it's chipping at dependencies.
 
 lang en_US.UTF-8
 keyboard us



