January 2013 - cloud - Fedora Mailing-Lists

Fedora 18 RC1 Amazon EC2 images available for testing

by Matthew Miller

Release engineering has built the latest F18 cloud image spin. In region US East, ami-6145cc08 for 64-bit and ami-0d44cd64 for 32-bit. Please take a look at this and help validate them for final release next week. -- Matthew Miller ☁☁☁ Fedora Cloud Architect ☁☁☁ <mattdm(a)fedoraproject.org>

11 years, 3 months

5
6
0 / 0

Problems mirroring http://repos.fedorapeople.org/repos/openstack/*

by Jan van Eldik

Happy New Year to all! We are using mrepo to mirror from http://repos.fedorapeople.org/repos/openstack. However, mrepo chokes on these links: http://repos.fedorapeople.org/repos/openstack/openstack-grizzly/fedora-17... http://repos.fedorapeople.org/repos/openstack/openstack-folsom/fedora-17/... They seem to point to empty subdirectories. I am not sure why mrepo chokes on them, but I am not sure if these empty directories are useful either. Other repo's (like openstack-grizzly/epel-6/) do not seem to have such a SRPMS subdir. thanks, cheers, Jan

11 years, 3 months

5
6
0 / 0

Grow the root partition on boot

by Juerg Haefliger

Hi, I have a need for the growroot feature that comes with cloud-utils and cloud-initramfs-tools. I've noticed that these packages don't exist in Fedora/EPEL and was wondering if there are any specific reasons for that? Thanks ...Juerg

11 years, 3 months

4
8
0 / 0

F18 AMI Testing

by Tim Flink

I completely forgot about this with all the other F18 stuff going on but has anyone been testing the F18 AMIs? If so, are they working? If not, are there bugs filed about the parts that aren't working? Tim

11 years, 3 months

2
3
0 / 0

ec2/fedora-18-i386-ec2.ks ec2/fedora-18-x86_64-ec2.ks generic/fedora-18-x86_64-cloud.ks

by Matthew Miller

ec2/fedora-18-i386-ec2.ks | 2 +- ec2/fedora-18-x86_64-ec2.ks | 2 +- generic/fedora-18-x86_64-cloud.ks | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) New commits: commit 34edf0abd2b31c4155da50f2e63b5ffe26d5ff5f Author: Matthew Miller <mattdm(a)mattdm.org> Date: Wed Jan 2 15:10:34 2013 -0500 go back to 10gb size from previous fedoras, since micro instances don't grow from the size we make the images diff --git a/ec2/fedora-18-i386-ec2.ks b/ec2/fedora-18-i386-ec2.ks index 2584f6d..5ff8d5b 100644 --- a/ec2/fedora-18-i386-ec2.ks +++ b/ec2/fedora-18-i386-ec2.ks @@ -25,7 +25,7 @@ services --enabled=network,sshd,rsyslog,iptables,cloud-init,cloud-init-local,clo # This would let fussy grub2 install, but will break in EC2 #part biosboot --fstype=biosboot --size=1 --ondisk sda -part / --size 4096 --fstype ext4 --ondisk sda +part / --size 10000 --fstype ext4 --ondisk sda # Repositories repo --name=fedora --mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=fedora-18&arch=$basearch diff --git a/ec2/fedora-18-x86_64-ec2.ks b/ec2/fedora-18-x86_64-ec2.ks index 7e78e37..72bfcf9 100644 --- a/ec2/fedora-18-x86_64-ec2.ks +++ b/ec2/fedora-18-x86_64-ec2.ks @@ -25,7 +25,7 @@ services --enabled=network,sshd,rsyslog,iptables,cloud-init,cloud-init-local,clo # This would let fussy grub2 install, but will break in EC2 #part biosboot --fstype=biosboot --size=1 --ondisk sda -part / --size 4096 --fstype ext4 --ondisk sda +part / --size 10000 --fstype ext4 --ondisk sda # Repositories repo --name=fedora --mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=fedora-18&arch=$basearch diff --git a/generic/fedora-18-x86_64-cloud.ks b/generic/fedora-18-x86_64-cloud.ks index 468c690..e919d99 100644 --- a/generic/fedora-18-x86_64-cloud.ks +++ b/generic/fedora-18-x86_64-cloud.ks @@ -25,7 +25,7 @@ network --bootproto=dhcp --device=eth0 --onboot=on services --enabled=network,sshd,rsyslog,iptables,cloud-init,cloud-init-local,cloud-config,cloud-final part biosboot --fstype=biosboot --size=1 --ondisk sda -part / --size 4096 --fstype ext4 --ondisk sda +part / --size 10000 --fstype ext4 --ondisk sda # Repositories repo --name=fedora --mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=fedora-18&arch=$basearch

11 years, 3 months

1
0
0 / 0

generic/fedora-18-i386-cloud.ks generic/fedora-18-i386.ks generic/fedora-18-i386-minimal.ks

by Matthew Miller

generic/fedora-18-i386-cloud.ks | 156 ++++++++++++++++++++++++++++++++++++++ generic/fedora-18-i386-minimal.ks | 156 ++++++++++++++++++++++++++++++++++++++ generic/fedora-18-i386.ks | 142 ++++++++++++++++++++++++++++++++++ 3 files changed, 454 insertions(+) New commits: commit e19cdc575c9f5f4809b77aa62be552a754182d90 Author: Matthew Miller <mattdm(a)mattdm.org> Date: Wed Jan 2 14:56:08 2013 -0500 add i386 (only difference right now is kernel-PAE) diff --git a/generic/fedora-18-i386-cloud.ks b/generic/fedora-18-i386-cloud.ks new file mode 100644 index 0000000..960c965 --- /dev/null +++ b/generic/fedora-18-i386-cloud.ks @@ -0,0 +1,156 @@ +# This is a basic Fedora 18 spin designed to work in OpenStack and other +# private cloud environments. It's configured with cloud-init so it will +# take advantage of ec2-compatible metadata services for provisioning +# ssh keys. That also currently creates an ec2-user account; we'll probably +# want to make that something generic by default. The root password is empty +# by default. +# +# Note that unlike the standard F18 install, this image has /tmp on disk +# rather than in tmpfs, since memory is usually at a premium. + +lang en_US.UTF-8 +keyboard us +timezone --utc America/New_York + +auth --useshadow --enablemd5 +selinux --enforcing + +# this is actually not used, but a static firewall +# matching these rules is generated below. +firewall --service=ssh + +bootloader --timeout=0 --location=mbr --driveorder=sda + +network --bootproto=dhcp --device=eth0 --onboot=on +services --enabled=network,sshd,rsyslog,iptables,cloud-init,cloud-init-local,cloud-config,cloud-final + +part biosboot --fstype=biosboot --size=1 --ondisk sda +part / --size 10000 --fstype ext4 --ondisk sda + +# Repositories +repo --name=fedora --mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=fedora-18&arch=$basearch + + +# Package list. +%packages --nobase +@core +kernel-PAE + +# cloud-init does magical things with EC2 metadata, including provisioning +# a user account with ssh keys. +cloud-init + +# Not needed with pv-grub (as in EC2). Would be nice to have +# something smaller for F19 (syslinux?), but this is what we have now. +grub2 + +# Needed initially, but removed below. +firewalld + +# Basic firewall. If you're going to rely on your cloud service's +# security groups you can remove this. +iptables-services + +# cherry-pick a few things from @standard +tmpwatch +tar +rsync + +# Some things from @core we can do without in a minimal install +-biosdevname +-plymouth +-NetworkManager +-polkit + +%end + + + +%post --erroronfail + +echo -n "Writing fstab" +cat <<EOF > /etc/fstab +LABEL=_/ / ext4 defaults 1 1 +EOF +echo . + +echo -n "Grub tweaks" +echo GRUB_TIMEOUT=0 > /etc/default/grub +sed -i 's/^set timeout=5/set timeout=0/' /boot/grub2/grub.cfg +sed -i '1i# This file is for use with pv-grub; legacy grub is not installed in this image' /boot/grub/grub.conf +sed -i 's/^timeout=5/timeout=0/' /boot/grub/grub.conf +sed -i 's/^default=1/default=0/' /boot/grub/grub.conf +sed -i '/splashimage/d' /boot/grub/grub.conf +# need to file a bug on this one +sed -i 's/root=.*/root=LABEL=_\//' /boot/grub/grub.conf +echo . +if ! [[ -e /boot/grub/menu.lst ]]; then + echo -n "Linking menu.lst to old-style grub.conf for pv-grub" + ln /boot/grub/grub.conf /boot/grub/menu.lst + ln -sf /boot/grub/grub.conf /etc/grub.conf +fi + +# setup systemd to boot to the right runlevel +echo -n "Setting default runlevel to multiuser text mode" +rm -f /etc/systemd/system/default.target +ln -s /lib/systemd/system/multi-user.target /etc/systemd/system/default.target +echo . + +# If you want to remove rsyslog and just use journald, also uncomment this. +#echo -n "Enabling persistent journal" +#mkdir /var/log/journal/ +#echo . + +# this is installed by default but we don't need it in virt +echo "Removing linux-firmware package." +yum -C -y remove linux-firmware + +# Remove firewalld; was supposed to be optional in F18, but is required to +# be present for install/image building. +echo "Removing firewalld." +yum -C -y remove firewalld + +# Non-firewalld-firewall +echo -n "Writing static firewall" +cat <<EOF > /etc/sysconfig/iptables +# Simple static firewall loaded by iptables.service. Replace +# this with your own custom rules, run lokkit, or switch to +# shorewall or firewalld as your needs dictate. +*filter +:INPUT ACCEPT [0:0] +:FORWARD ACCEPT [0:0] +:OUTPUT ACCEPT [0:0] +-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT +-A INPUT -p icmp -j ACCEPT +-A INPUT -i lo -j ACCEPT +-A INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 22 -j ACCEPT +#-A INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 80 -j ACCEPT +#-A INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 443 -j ACCEPT +-A INPUT -j REJECT --reject-with icmp-host-prohibited +-A FORWARD -j REJECT --reject-with icmp-host-prohibited +COMMIT +EOF +echo . + +# Because memory is scarce resource in most cloud/virt environments, +# and because this impedes forensics, we are differing from the Fedora +# default of having /tmp on tmpfs. +echo "Disabling tmpfs for /tmp." +systemctl mask tmp.mount + +# Uncomment this if you want to use cloud init but suppress the creation +# of an "ec2-user" account. This will, in the absence of further config, +# cause the ssh key from a metadata source to be put in the root account. +#cat <<EOF > /etc/cloud/cloud.cfg.d/50_suppress_ec2-user_use_root.cfg +#users: [] +#disable_root: 0 +#EOF + +echo "Zeroing out empty space." +# This forces the filesystem to reclaim space from deleted files +dd bs=1M if=/dev/zero of=/var/tmp/zeros || : +rm -f /var/tmp/zeros +echo "(Don't worry -- that out-of-space error was expected.)" + +%end + diff --git a/generic/fedora-18-i386-minimal.ks b/generic/fedora-18-i386-minimal.ks new file mode 100644 index 0000000..3db2c71 --- /dev/null +++ b/generic/fedora-18-i386-minimal.ks @@ -0,0 +1,156 @@ +# This is a basic Fedora 18 spin designed to work in OpenStack and other +# private cloud environments. This particular kickstart is designed to +# be as obsessively minimal as we can be and still be Fedora. Because +# this has not traditionally been a priority, that's not particularly +# very small, making this in some ways an academic exercise, but it's also +# a base for the more complete kickstarts. +# +# If you're interested in making this more minimal, big problems to solve +# are the not-needed-for-cloud kernel modules and the gigantic locale +# database. After that, it's chipping at dependencies. + +lang en_US.UTF-8 +keyboard us +timezone --utc America/New_York + +auth --useshadow --enablemd5 +selinux --enforcing + +# this is actually not used, but a static firewall +# matching these rules is generated below. +firewall --service=ssh + +bootloader --timeout=0 --location=mbr --driveorder=sda + +network --bootproto=dhcp --device=eth0 --onboot=on +services --enabled=network,sshd,rsyslog,iptables + + +part biosboot --fstype=biosboot --size=1 --ondisk sda +part / --size 1024 --fstype ext4 --ondisk sda + +# Repositories +repo --name=fedora --mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=fedora-18&arch=$basearch +#repo --name=fedora-updates --mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=updates-testing-f18&arch=$basearch + + +# Packag list. +# "Obsessively minimal as we can reasonably get and still be Fedora." +%packages --nobase +@core +kernel-PAE + +# Not needed with pv-grub (as in EC2). Would be nice to have +# something smaller for F19 (syslinux?), but this is what we have now. +grub2 + +# Needed initially, but removed below. +firewalld + +# Basic firewall. If you're going to rely on your cloud service's +# security groups you can remove this. +iptables-services + +# Some things from @core we can do without in a minimal install +-biosdevname +-plymouth +-NetworkManager +-polkit + +# These are "leaf" packages which can be done without in an ultra-minimal +# install, but which actually remove typical functionality +-e2fsprogs +-audit +-rsyslog +-parted +-openssh-clients +-rootfiles +-sendmail +-sudo + +%end + + + +%post --erroronfail + +echo -n "Writing fstab" +cat <<EOF > /etc/fstab +LABEL=_/ / ext4 defaults 1 1 +EOF +echo . + +echo -n "Grub tweaks" +echo GRUB_TIMEOUT=0 > /etc/default/grub +sed -i 's/^set timeout=5/set timeout=0/' /boot/grub2/grub.cfg +sed -i '1i# This file is for use with pv-grub; legacy grub is not installed in this image' /boot/grub/grub.conf +sed -i 's/^timeout=5/timeout=0/' /boot/grub/grub.conf +sed -i '/splashimage/d' /boot/grub/grub.conf +# need to file a bug on this one +sed -i 's/root=.*/root=LABEL=_\//' /boot/grub/grub.conf +echo . +if ! [[ -e /boot/grub/menu.lst ]]; then + echo -n "Linking menu.lst to old-style grub.conf for pv-grub" + ln /boot/grub/grub.conf /boot/grub/menu.lst + ln -sf /boot/grub/grub.conf /etc/grub.conf +fi + + +# setup systemd to boot to the right runlevel +echo -n "Setting default runlevel to multiuser text mode" +rm -f /etc/systemd/system/default.target +ln -s /lib/systemd/system/multi-user.target /etc/systemd/system/default.target +echo . + +# because we didn't install rsyslog, enable persistent journal +echo -n "Enabling persistent journal" +mkdir /var/log/journal/ +echo . + +# this is installed by default but we don't need it in virt +echo "Removing linux-firmware package." +yum -C -y remove linux-firmware + +# Remove firewalld; was supposed to be optional in F18, but is required to +# be present for install/image building. +echo "Removing firewalld and dependencies" +yum -C -y remove firewalld +# These are all pulled in by firewalld +yum -C -y remove cairo dbus-glib dbus-python ebtables gobject-introspection libselinux-python pygobject3-base python-slip python-slip-dbus + +# Non-firewalld-firewall +echo -n "Writing static firewall" +cat <<EOF > /etc/sysconfig/iptables +# Simple static firewall loaded by iptables.service. Replace +# this with your own custom rules, run lokkit, or switch to +# shorewall or firewalld as your needs dictate. +*filter +:INPUT ACCEPT [0:0] +:FORWARD ACCEPT [0:0] +:OUTPUT ACCEPT [0:0] +-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT +-A INPUT -p icmp -j ACCEPT +-A INPUT -i lo -j ACCEPT +-A INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 22 -j ACCEPT +#-A INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 80 -j ACCEPT +#-A INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 443 -j ACCEPT +-A INPUT -j REJECT --reject-with icmp-host-prohibited +-A FORWARD -j REJECT --reject-with icmp-host-prohibited +COMMIT +EOF +echo . + +# Because memory is scarce resource in most cloud/virt environments, +# and because this impedes forensics, we are differing from the Fedora +# default of having /tmp on tmpfs. +echo "Disabling tmpfs for /tmp." +systemctl mask tmp.mount + +echo "Zeroing out empty space." +# This forces the filesystem to reclaim space from deleted files +dd bs=1M if=/dev/zero of=/var/tmp/zeros || : +rm -f /var/tmp/zeros +echo "(Don't worry -- that out-of-space error was expected.)" + +%end + diff --git a/generic/fedora-18-i386.ks b/generic/fedora-18-i386.ks new file mode 100644 index 0000000..3238877 --- /dev/null +++ b/generic/fedora-18-i386.ks @@ -0,0 +1,142 @@ +# This is a basic Fedora 18 spin designed to work in OpenStack and other +# private cloud environments. This flavor isn't configured with cloud-init +# or any other metadata service; you'll need your own say of getting +# user (or root) credentials on the system. + +lang en_US.UTF-8 +keyboard us +timezone --utc America/New_York + +auth --useshadow --enablemd5 +selinux --enforcing + +# this is actually not used, but a static firewall +# matching these rules is generated below. +firewall --service=ssh + +bootloader --timeout=0 --location=mbr --driveorder=sda + +network --bootproto=dhcp --device=eth0 --onboot=on +services --enabled=network,sshd,rsyslog,iptables + + +part biosboot --fstype=biosboot --size=1 --ondisk sda +part / --size 4096 --fstype ext4 --ondisk sda + +# Repositories +repo --name=fedora --mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=fedora-18&arch=$basearch + + +# Package list. +# Just the basics, here. + +%packages --nobase +@core +kernel-PAE + +# Not needed with pv-grub (as in EC2). Would be nice to have +# something smaller for F19 (syslinux?), but this is what we have now. +grub2 + +# Needed initially, but removed below. +firewalld + +# Basic firewall. If you're going to rely on your cloud service's +# security groups you can remove this. +iptables-services + +# cherry-pick a few things from @standard +tmpwatch +tar +rsync + +# Some things from @core we can do without in a minimal install +-biosdevname +-plymouth +-NetworkManager +-polkit + +%end + + + +%post --erroronfail + +echo -n "Writing fstab" +cat <<EOF > /etc/fstab +LABEL=_/ / ext4 defaults 1 1 +EOF +echo . + +echo -n "Grub tweaks" +echo GRUB_TIMEOUT=0 > /etc/default/grub +sed -i 's/^set timeout=5/set timeout=0/' /boot/grub2/grub.cfg +sed -i '1i# This file is for use with pv-grub; legacy grub is not installed in this image' /boot/grub/grub.conf +sed -i 's/^timeout=5/timeout=0/' /boot/grub/grub.conf +sed -i '/splashimage/d' /boot/grub/grub.conf +# need to file a bug on this one +sed -i 's/root=.*/root=LABEL=_\//' /boot/grub/grub.conf +echo . +if ! [[ -e /boot/grub/menu.lst ]]; then + echo -n "Linking menu.lst to old-style grub.conf for pv-grub" + ln /boot/grub/grub.conf /boot/grub/menu.lst + ln -sf /boot/grub/grub.conf /etc/grub.conf +fi + + +# setup systemd to boot to the right runlevel +echo -n "Setting default runlevel to multiuser text mode" +rm -f /etc/systemd/system/default.target +ln -s /lib/systemd/system/multi-user.target /etc/systemd/system/default.target +echo . + +# If you want to remove rsyslog and just use journald, also uncomment this. +#echo -n "Enabling persistent journal" +#mkdir /var/log/journal/ +#echo . + +# this is installed by default but we don't need it in virt +echo "Removing linux-firmware package." +yum -C -y remove linux-firmware + +# Remove firewalld; was supposed to be optional in F18, but is required to +# be present for install/image building. +echo "Removing firewalld." +yum -C -y remove firewalld + +# Non-firewalld-firewall +echo -n "Writing static firewall" +cat <<EOF > /etc/sysconfig/iptables +# Simple static firewall loaded by iptables.service. Replace +# this with your own custom rules, run lokkit, or switch to +# shorewall or firewalld as your needs dictate. +*filter +:INPUT ACCEPT [0:0] +:FORWARD ACCEPT [0:0] +:OUTPUT ACCEPT [0:0] +-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT +-A INPUT -p icmp -j ACCEPT +-A INPUT -i lo -j ACCEPT +-A INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 22 -j ACCEPT +#-A INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 80 -j ACCEPT +#-A INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 443 -j ACCEPT +-A INPUT -j REJECT --reject-with icmp-host-prohibited +-A FORWARD -j REJECT --reject-with icmp-host-prohibited +COMMIT +EOF +echo . + +# Because memory is scarce resource in most cloud/virt environments, +# and because this impedes forensics, we are differing from the Fedora +# default of having /tmp on tmpfs. +echo "Disabling tmpfs for /tmp." +systemctl mask tmp.mount + +echo "Zeroing out empty space." +# This forces the filesystem to reclaim space from deleted files +dd bs=1M if=/dev/zero of=/var/tmp/zeros || : +rm -f /var/tmp/zeros +echo "(Don't worry -- that out-of-space error was expected.)" + +%end +

11 years, 3 months

1
0
0 / 0

2 commits - ec2/fedora-18-i386-ec2.ks ec2/fedora-18-x86_64-ec2.ks

by Matthew Miller

ec2/fedora-18-i386-ec2.ks | 37 +++++++++++++++++++++++++++++++------ ec2/fedora-18-x86_64-ec2.ks | 3 +++ 2 files changed, 34 insertions(+), 6 deletions(-) New commits: commit 327bbe79ed8c493828ea14d1f1351fe5d4933377 Author: Matthew Miller <mattdm(a)mattdm.org> Date: Wed Jan 2 09:04:37 2013 -0500 amazon is still carrying this tweak in their own images diff --git a/ec2/fedora-18-i386-ec2.ks b/ec2/fedora-18-i386-ec2.ks index 32da6cc..2584f6d 100644 --- a/ec2/fedora-18-i386-ec2.ks +++ b/ec2/fedora-18-i386-ec2.ks @@ -70,6 +70,9 @@ LABEL=_/ / ext4 defaults 1 1 EOF echo . +# workaround xen performance issue (bz 651861) +echo "hwcap 1 nosegneg" > /etc/ld.so.conf.d/libc6-xen.conf + echo -n "Grub tweaks" echo GRUB_TIMEOUT=0 > /etc/default/grub sed -i '1i# This file is for use with pv-grub; legacy grub is not installed in this image' /boot/grub/grub.conf diff --git a/ec2/fedora-18-x86_64-ec2.ks b/ec2/fedora-18-x86_64-ec2.ks index 8e33752..7e78e37 100644 --- a/ec2/fedora-18-x86_64-ec2.ks +++ b/ec2/fedora-18-x86_64-ec2.ks @@ -70,6 +70,9 @@ LABEL=_/ / ext4 defaults 1 1 EOF echo . +# workaround xen performance issue (bz 651861) +echo "hwcap 1 nosegneg" > /etc/ld.so.conf.d/libc6-xen.conf + echo -n "Grub tweaks" echo GRUB_TIMEOUT=0 > /etc/default/grub sed -i '1i# This file is for use with pv-grub; legacy grub is not installed in this image' /boot/grub/grub.conf commit 855c218eb387bcb9defed1acb95d0524e3c999c3 Author: Matthew Miller <mattdm(a)mattdm.org> Date: Wed Jan 2 09:00:46 2013 -0500 bring in changes from x86_64 config diff --git a/ec2/fedora-18-i386-ec2.ks b/ec2/fedora-18-i386-ec2.ks index 1f0dcbb..32da6cc 100644 --- a/ec2/fedora-18-i386-ec2.ks +++ b/ec2/fedora-18-i386-ec2.ks @@ -6,11 +6,6 @@ # # Note that unlike the standard F18 install, this image has /tmp on disk # rather than in tmpfs, since memory is usually at a premium. -# -# It additionally configures _no_ local firewall, in line with EC2 -# recommendations that security groups be used instead. - - lang en_US.UTF-8 keyboard us @@ -19,7 +14,9 @@ timezone --utc America/New_York auth --useshadow --enablemd5 selinux --enforcing -firewall --disabled +# this is actually not used, but a static firewall +# matching these rules is generated below. +firewall --service=ssh bootloader --timeout=0 --location=mbr --driveorder=sda @@ -46,6 +43,10 @@ cloud-init # Needed initially, but removed below. firewalld +# Basic firewall. If you're going to rely on your cloud service's +# security groups you can remove this. +iptables-services + # cherry-pick a few things from @standard tmpwatch tar @@ -104,6 +105,27 @@ yum -C -y remove linux-firmware echo "Removing firewalld." yum -C -y remove firewalld +# Non-firewalld-firewall +echo -n "Writing static firewall" +cat <<EOF > /etc/sysconfig/iptables +# Simple static firewall loaded by iptables.service. Replace +# this with your own custom rules, run lokkit, or switch to +# shorewall or firewalld as your needs dictate. +*filter +:INPUT ACCEPT [0:0] +:FORWARD ACCEPT [0:0] +:OUTPUT ACCEPT [0:0] +-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT +-A INPUT -p icmp -j ACCEPT +-A INPUT -i lo -j ACCEPT +-A INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 22 -j ACCEPT +#-A INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 80 -j ACCEPT +#-A INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 443 -j ACCEPT +-A INPUT -j REJECT --reject-with icmp-host-prohibited +-A FORWARD -j REJECT --reject-with icmp-host-prohibited +COMMIT +EOF +echo . # Because memory is scarce resource in most cloud/virt environments, # and because this impedes forensics, we are differing from the Fedora

11 years, 3 months

1
0
0 / 0

AWS VM created with ami-e3a433d9 - ssh times out . .

by Philip Rhoades

People, I successfully created a VM with the default AMI image in the Virginia region and after allocating an EIP, could ssh to it with no problems but after creating a Sydney VM with ami-e3a433d9 and allocating an EIP, trying to to ssh eg: ssh -i sydney.pem root(a)xxx.xxx.xxx.xxx fails with timeouts . . I have tried rebooting the VM with no improvement - any other suggestions? I am also having trouble with getting Java running on F17 x64 (IcedTea is installed) so I can't use the Java SSH client either . . Even though the VM seems to be OK and nmap reports that the host is up but that all ports are filtered . . Any ideas/suggestions? Thanks, Phil. -- Philip Rhoades GPO Box 3411 Sydney NSW 2001 Australia E-mail: phil(a)pricom.com.au

11 years, 3 months

2
1
0 / 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

cloud January 2013