Fedora 18 RC1 Amazon EC2 images available for testing
by Matthew Miller
Release engineering has built the latest F18 cloud image spin.
In region US East,
ami-6145cc08 for 64-bit and
ami-0d44cd64 for 32-bit.
Please take a look at these and help validate them for final release next
week.
--
Matthew Miller ☁☁☁ Fedora Cloud Architect ☁☁☁ <mattdm(a)fedoraproject.org>
11 years, 3 months
Grow the root partition on boot
by Juerg Haefliger
Hi,
I have a need for the growroot feature that comes with cloud-utils and
cloud-initramfs-tools. I've noticed that these packages don't exist in
Fedora/EPEL and was wondering if there are any specific reasons for
that?
Thanks
...Juerg
11 years, 3 months
F18 AMI Testing
by Tim Flink
I completely forgot about this with all the other F18 stuff going on
but has anyone been testing the F18 AMIs? If so, are they working? If
not, are there bugs filed about the parts that aren't working?
Tim
11 years, 3 months
ec2/fedora-18-i386-ec2.ks ec2/fedora-18-x86_64-ec2.ks generic/fedora-18-x86_64-cloud.ks
by Matthew Miller
ec2/fedora-18-i386-ec2.ks | 2 +-
ec2/fedora-18-x86_64-ec2.ks | 2 +-
generic/fedora-18-x86_64-cloud.ks | 2 +-
3 files changed, 3 insertions(+), 3 deletions(-)
New commits:
commit 34edf0abd2b31c4155da50f2e63b5ffe26d5ff5f
Author: Matthew Miller <mattdm(a)mattdm.org>
Date: Wed Jan 2 15:10:34 2013 -0500
go back to 10gb size from previous fedoras, since micro instances don't grow
from the size we make the images
diff --git a/ec2/fedora-18-i386-ec2.ks b/ec2/fedora-18-i386-ec2.ks
index 2584f6d..5ff8d5b 100644
--- a/ec2/fedora-18-i386-ec2.ks
+++ b/ec2/fedora-18-i386-ec2.ks
@@ -25,7 +25,7 @@ services --enabled=network,sshd,rsyslog,iptables,cloud-init,cloud-init-local,clo
# This would let fussy grub2 install, but will break in EC2
#part biosboot --fstype=biosboot --size=1 --ondisk sda
-part / --size 4096 --fstype ext4 --ondisk sda
+part / --size 10000 --fstype ext4 --ondisk sda
# Repositories
repo --name=fedora --mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=fedora-18&arch=$basearch
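Review bot: the value in the `+part / --size 10000` line is in MiB (kickstart's unit), so this gives roughly 9.8 GiB rather than the "10gb" the commit message names; if a 10 GiB root is the intent, `--size 10240` is the number, and a short comment stating the unit next to the line would keep future resizes from repeating the guess.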
diff --git a/ec2/fedora-18-x86_64-ec2.ks b/ec2/fedora-18-x86_64-ec2.ks
index 7e78e37..72bfcf9 100644
--- a/ec2/fedora-18-x86_64-ec2.ks
+++ b/ec2/fedora-18-x86_64-ec2.ks
@@ -25,7 +25,7 @@ services --enabled=network,sshd,rsyslog,iptables,cloud-init,cloud-init-local,clo
# This would let fussy grub2 install, but will break in EC2
#part biosboot --fstype=biosboot --size=1 --ondisk sda
-part / --size 4096 --fstype ext4 --ondisk sda
+part / --size 10000 --fstype ext4 --ondisk sda
# Repositories
repo --name=fedora --mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=fedora-18&arch=$basearch
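Review bot: this is the same one-line edit as in ec2/fedora-18-i386-ec2.ks, applied by hand; the 855c218 message further down ("bring in changes from x86_64 config") shows the two ec2 kickstarts already drifting and being re-synced manually. Consider moving the shared body into a file pulled in with `%include`, so that partition size, firewall and %post changes land once and only the kernel package line differs per arch.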
diff --git a/generic/fedora-18-x86_64-cloud.ks b/generic/fedora-18-x86_64-cloud.ks
index 468c690..e919d99 100644
--- a/generic/fedora-18-x86_64-cloud.ks
+++ b/generic/fedora-18-x86_64-cloud.ks
@@ -25,7 +25,7 @@ network --bootproto=dhcp --device=eth0 --onboot=on
services --enabled=network,sshd,rsyslog,iptables,cloud-init,cloud-init-local,cloud-config,cloud-final
part biosboot --fstype=biosboot --size=1 --ondisk sda
-part / --size 4096 --fstype ext4 --ondisk sda
+part / --size 10000 --fstype ext4 --ondisk sda
# Repositories
repo --name=fedora --mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=fedora-18&arch=$basearch
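Review bot: the commit message's rationale (micro instances don't grow the disk) is EC2-specific, while this generic kickstart targets OpenStack per the header of its i386 sibling; growing `part /` from 4096 to 10000 MiB here makes the raw image about 2.5x larger, and only the zero-fill at the end of %post in that sibling keeps the compressed upload small. If the goal is parity with generic/fedora-18-i386-cloud.ks (which already carries `--size 10000`), the message should say so.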
11 years, 3 months
generic/fedora-18-i386-cloud.ks generic/fedora-18-i386.ks generic/fedora-18-i386-minimal.ks
by Matthew Miller
generic/fedora-18-i386-cloud.ks | 156 ++++++++++++++++++++++++++++++++++++++
generic/fedora-18-i386-minimal.ks | 156 ++++++++++++++++++++++++++++++++++++++
generic/fedora-18-i386.ks | 142 ++++++++++++++++++++++++++++++++++
3 files changed, 454 insertions(+)
New commits:
commit e19cdc575c9f5f4809b77aa62be552a754182d90
Author: Matthew Miller <mattdm(a)mattdm.org>
Date: Wed Jan 2 14:56:08 2013 -0500
add i386 (only difference right now is kernel-PAE)
diff --git a/generic/fedora-18-i386-cloud.ks b/generic/fedora-18-i386-cloud.ks
new file mode 100644
index 0000000..960c965
--- /dev/null
+++ b/generic/fedora-18-i386-cloud.ks
@@ -0,0 +1,156 @@
+# This is a basic Fedora 18 spin designed to work in OpenStack and other
+# private cloud environments. It's configured with cloud-init so it will
+# take advantage of ec2-compatible metadata services for provisioning
+# ssh keys. That also currently creates an ec2-user account; we'll probably
+# want to make that something generic by default. The root password is empty
+# by default.
+#
+# Note that unlike the standard F18 install, this image has /tmp on disk
+# rather than in tmpfs, since memory is usually at a premium.
+
+lang en_US.UTF-8
+keyboard us
+timezone --utc America/New_York
+
+auth --useshadow --enablemd5
+selinux --enforcing
+
+# this is actually not used, but a static firewall
+# matching these rules is generated below.
+firewall --service=ssh
+
+bootloader --timeout=0 --location=mbr --driveorder=sda
+
+network --bootproto=dhcp --device=eth0 --onboot=on
+services --enabled=network,sshd,rsyslog,iptables,cloud-init,cloud-init-local,cloud-config,cloud-final
+
+part biosboot --fstype=biosboot --size=1 --ondisk sda
+part / --size 10000 --fstype ext4 --ondisk sda
+
+# Repositories
+repo --name=fedora --mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=fedora-18&arch=$basearch
+
+
+# Package list.
+%packages --nobase
+@core
+kernel-PAE
+
+# cloud-init does magical things with EC2 metadata, including provisioning
+# a user account with ssh keys.
+cloud-init
+
+# Not needed with pv-grub (as in EC2). Would be nice to have
+# something smaller for F19 (syslinux?), but this is what we have now.
+grub2
+
+# Needed initially, but removed below.
+firewalld
+
+# Basic firewall. If you're going to rely on your cloud service's
+# security groups you can remove this.
+iptables-services
+
+# cherry-pick a few things from @standard
+tmpwatch
+tar
+rsync
+
+# Some things from @core we can do without in a minimal install
+-biosdevname
+-plymouth
+-NetworkManager
+-polkit
+
+%end
+
+
+
+%post --erroronfail
+
+echo -n "Writing fstab"
+cat <<EOF > /etc/fstab
+LABEL=_/ / ext4 defaults 1 1
+EOF
+echo .
+
+echo -n "Grub tweaks"
+echo GRUB_TIMEOUT=0 > /etc/default/grub
+sed -i 's/^set timeout=5/set timeout=0/' /boot/grub2/grub.cfg
+sed -i '1i# This file is for use with pv-grub; legacy grub is not installed in this image' /boot/grub/grub.conf
+sed -i 's/^timeout=5/timeout=0/' /boot/grub/grub.conf
+sed -i 's/^default=1/default=0/' /boot/grub/grub.conf
+sed -i '/splashimage/d' /boot/grub/grub.conf
+# need to file a bug on this one
+sed -i 's/root=.*/root=LABEL=_\//' /boot/grub/grub.conf
+echo .
+if ! [[ -e /boot/grub/menu.lst ]]; then
+ echo -n "Linking menu.lst to old-style grub.conf for pv-grub"
+ ln /boot/grub/grub.conf /boot/grub/menu.lst
+ ln -sf /boot/grub/grub.conf /etc/grub.conf
+fi
+
+# setup systemd to boot to the right runlevel
+echo -n "Setting default runlevel to multiuser text mode"
+rm -f /etc/systemd/system/default.target
+ln -s /lib/systemd/system/multi-user.target /etc/systemd/system/default.target
+echo .
+
+# If you want to remove rsyslog and just use journald, also uncomment this.
+#echo -n "Enabling persistent journal"
+#mkdir /var/log/journal/
+#echo .
+
+# this is installed by default but we don't need it in virt
+echo "Removing linux-firmware package."
+yum -C -y remove linux-firmware
+
+# Remove firewalld; was supposed to be optional in F18, but is required to
+# be present for install/image building.
+echo "Removing firewalld."
+yum -C -y remove firewalld
+
+# Non-firewalld-firewall
+echo -n "Writing static firewall"
+cat <<EOF > /etc/sysconfig/iptables
+# Simple static firewall loaded by iptables.service. Replace
+# this with your own custom rules, run lokkit, or switch to
+# shorewall or firewalld as your needs dictate.
+*filter
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
+-A INPUT -p icmp -j ACCEPT
+-A INPUT -i lo -j ACCEPT
+-A INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 22 -j ACCEPT
+#-A INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 80 -j ACCEPT
+#-A INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 443 -j ACCEPT
+-A INPUT -j REJECT --reject-with icmp-host-prohibited
+-A FORWARD -j REJECT --reject-with icmp-host-prohibited
+COMMIT
+EOF
+echo .
+
+# Because memory is scarce resource in most cloud/virt environments,
+# and because this impedes forensics, we are differing from the Fedora
+# default of having /tmp on tmpfs.
+echo "Disabling tmpfs for /tmp."
+systemctl mask tmp.mount
+
+# Uncomment this if you want to use cloud init but suppress the creation
+# of an "ec2-user" account. This will, in the absence of further config,
+# cause the ssh key from a metadata source to be put in the root account.
+#cat <<EOF > /etc/cloud/cloud.cfg.d/50_suppress_ec2-user_use_root.cfg
+#users: []
+#disable_root: 0
+#EOF
+
+echo "Zeroing out empty space."
+# This forces the filesystem to reclaim space from deleted files
+dd bs=1M if=/dev/zero of=/var/tmp/zeros || :
+rm -f /var/tmp/zeros
+echo "(Don't worry -- that out-of-space error was expected.)"
+
+%end
+
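Review bot: `auth --useshadow --enablemd5` selects MD5 password hashes; `auth --useshadow --passalgo=sha512` is the stronger form pykickstart accepts and costs nothing here. Related: the header states the root password is empty by default and there is no `rootpw` line, which means any console or hypervisor-attached terminal logs in as root without a credential; `rootpw --lock` ships the image with root locked instead, leaving key injection through cloud-init as the intended path (the commented-out 50_suppress_ec2-user_use_root.cfg block with `disable_root: 0` already covers the root-key case).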
diff --git a/generic/fedora-18-i386-minimal.ks b/generic/fedora-18-i386-minimal.ks
new file mode 100644
index 0000000..3db2c71
--- /dev/null
+++ b/generic/fedora-18-i386-minimal.ks
@@ -0,0 +1,156 @@
+# This is a basic Fedora 18 spin designed to work in OpenStack and other
+# private cloud environments. This particular kickstart is designed to
+# be as obsessively minimal as we can be and still be Fedora. Because
+# this has not traditionally been a priority, that's not particularly
+# very small, making this in some ways an academic exercise, but it's also
+# a base for the more complete kickstarts.
+#
+# If you're interested in making this more minimal, big problems to solve
+# are the not-needed-for-cloud kernel modules and the gigantic locale
+# database. After that, it's chipping at dependencies.
+
+lang en_US.UTF-8
+keyboard us
+timezone --utc America/New_York
+
+auth --useshadow --enablemd5
+selinux --enforcing
+
+# this is actually not used, but a static firewall
+# matching these rules is generated below.
+firewall --service=ssh
+
+bootloader --timeout=0 --location=mbr --driveorder=sda
+
+network --bootproto=dhcp --device=eth0 --onboot=on
+services --enabled=network,sshd,rsyslog,iptables
+
+
+part biosboot --fstype=biosboot --size=1 --ondisk sda
+part / --size 1024 --fstype ext4 --ondisk sda
+
+# Repositories
+repo --name=fedora --mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=fedora-18&arch=$basearch
+#repo --name=fedora-updates --mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=updates-testing-f18&arch=$basearch
+
+
+# Packag list.
+# "Obsessively minimal as we can reasonably get and still be Fedora."
+%packages --nobase
+@core
+kernel-PAE
+
+# Not needed with pv-grub (as in EC2). Would be nice to have
+# something smaller for F19 (syslinux?), but this is what we have now.
+grub2
+
+# Needed initially, but removed below.
+firewalld
+
+# Basic firewall. If you're going to rely on your cloud service's
+# security groups you can remove this.
+iptables-services
+
+# Some things from @core we can do without in a minimal install
+-biosdevname
+-plymouth
+-NetworkManager
+-polkit
+
+# These are "leaf" packages which can be done without in an ultra-minimal
+# install, but which actually remove typical functionality
+-e2fsprogs
+-audit
+-rsyslog
+-parted
+-openssh-clients
+-rootfiles
+-sendmail
+-sudo
+
+%end
+
+
+
+%post --erroronfail
+
+echo -n "Writing fstab"
+cat <<EOF > /etc/fstab
+LABEL=_/ / ext4 defaults 1 1
+EOF
+echo .
+
+echo -n "Grub tweaks"
+echo GRUB_TIMEOUT=0 > /etc/default/grub
+sed -i 's/^set timeout=5/set timeout=0/' /boot/grub2/grub.cfg
+sed -i '1i# This file is for use with pv-grub; legacy grub is not installed in this image' /boot/grub/grub.conf
+sed -i 's/^timeout=5/timeout=0/' /boot/grub/grub.conf
+sed -i '/splashimage/d' /boot/grub/grub.conf
+# need to file a bug on this one
+sed -i 's/root=.*/root=LABEL=_\//' /boot/grub/grub.conf
+echo .
+if ! [[ -e /boot/grub/menu.lst ]]; then
+ echo -n "Linking menu.lst to old-style grub.conf for pv-grub"
+ ln /boot/grub/grub.conf /boot/grub/menu.lst
+ ln -sf /boot/grub/grub.conf /etc/grub.conf
+fi
+
+
+# setup systemd to boot to the right runlevel
+echo -n "Setting default runlevel to multiuser text mode"
+rm -f /etc/systemd/system/default.target
+ln -s /lib/systemd/system/multi-user.target /etc/systemd/system/default.target
+echo .
+
+# because we didn't install rsyslog, enable persistent journal
+echo -n "Enabling persistent journal"
+mkdir /var/log/journal/
+echo .
+
+# this is installed by default but we don't need it in virt
+echo "Removing linux-firmware package."
+yum -C -y remove linux-firmware
+
+# Remove firewalld; was supposed to be optional in F18, but is required to
+# be present for install/image building.
+echo "Removing firewalld and dependencies"
+yum -C -y remove firewalld
+# These are all pulled in by firewalld
+yum -C -y remove cairo dbus-glib dbus-python ebtables gobject-introspection libselinux-python pygobject3-base python-slip python-slip-dbus
+
+# Non-firewalld-firewall
+echo -n "Writing static firewall"
+cat <<EOF > /etc/sysconfig/iptables
+# Simple static firewall loaded by iptables.service. Replace
+# this with your own custom rules, run lokkit, or switch to
+# shorewall or firewalld as your needs dictate.
+*filter
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
+-A INPUT -p icmp -j ACCEPT
+-A INPUT -i lo -j ACCEPT
+-A INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 22 -j ACCEPT
+#-A INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 80 -j ACCEPT
+#-A INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 443 -j ACCEPT
+-A INPUT -j REJECT --reject-with icmp-host-prohibited
+-A FORWARD -j REJECT --reject-with icmp-host-prohibited
+COMMIT
+EOF
+echo .
+
+# Because memory is scarce resource in most cloud/virt environments,
+# and because this impedes forensics, we are differing from the Fedora
+# default of having /tmp on tmpfs.
+echo "Disabling tmpfs for /tmp."
+systemctl mask tmp.mount
+
+echo "Zeroing out empty space."
+# This forces the filesystem to reclaim space from deleted files
+dd bs=1M if=/dev/zero of=/var/tmp/zeros || :
+rm -f /var/tmp/zeros
+echo "(Don't worry -- that out-of-space error was expected.)"
+
+%end
+
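Review bot: the package list removes `-rsyslog` and the %post comment says "because we didn't install rsyslog", yet `services --enabled=network,sshd,rsyslog,iptables` still enables it, so boot will try to start a unit that isn't installed; drop rsyslog from the services line. Two more mismatches in the same file: `-e2fsprogs` removes fsck.ext4 while the generated fstab keeps fsck pass `1 1` for an ext4 root (keep e2fsprogs or set the last field to 0), and `-audit` leaves `selinux --enforcing` with no auditd, so AVC denials are only visible in the kernel log; if that trade-off is accepted, the header should say so. Also the `sed -i 's/^default=1/default=0/'` grub.conf tweak present in the i386-cloud kickstart is missing from this %post.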
diff --git a/generic/fedora-18-i386.ks b/generic/fedora-18-i386.ks
new file mode 100644
index 0000000..3238877
--- /dev/null
+++ b/generic/fedora-18-i386.ks
@@ -0,0 +1,142 @@
+# This is a basic Fedora 18 spin designed to work in OpenStack and other
+# private cloud environments. This flavor isn't configured with cloud-init
+# or any other metadata service; you'll need your own say of getting
+# user (or root) credentials on the system.
+
+lang en_US.UTF-8
+keyboard us
+timezone --utc America/New_York
+
+auth --useshadow --enablemd5
+selinux --enforcing
+
+# this is actually not used, but a static firewall
+# matching these rules is generated below.
+firewall --service=ssh
+
+bootloader --timeout=0 --location=mbr --driveorder=sda
+
+network --bootproto=dhcp --device=eth0 --onboot=on
+services --enabled=network,sshd,rsyslog,iptables
+
+
+part biosboot --fstype=biosboot --size=1 --ondisk sda
+part / --size 4096 --fstype ext4 --ondisk sda
+
+# Repositories
+repo --name=fedora --mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=fedora-18&arch=$basearch
+
+
+# Package list.
+# Just the basics, here.
+
+%packages --nobase
+@core
+kernel-PAE
+
+# Not needed with pv-grub (as in EC2). Would be nice to have
+# something smaller for F19 (syslinux?), but this is what we have now.
+grub2
+
+# Needed initially, but removed below.
+firewalld
+
+# Basic firewall. If you're going to rely on your cloud service's
+# security groups you can remove this.
+iptables-services
+
+# cherry-pick a few things from @standard
+tmpwatch
+tar
+rsync
+
+# Some things from @core we can do without in a minimal install
+-biosdevname
+-plymouth
+-NetworkManager
+-polkit
+
+%end
+
+
+
+%post --erroronfail
+
+echo -n "Writing fstab"
+cat <<EOF > /etc/fstab
+LABEL=_/ / ext4 defaults 1 1
+EOF
+echo .
+
+echo -n "Grub tweaks"
+echo GRUB_TIMEOUT=0 > /etc/default/grub
+sed -i 's/^set timeout=5/set timeout=0/' /boot/grub2/grub.cfg
+sed -i '1i# This file is for use with pv-grub; legacy grub is not installed in this image' /boot/grub/grub.conf
+sed -i 's/^timeout=5/timeout=0/' /boot/grub/grub.conf
+sed -i '/splashimage/d' /boot/grub/grub.conf
+# need to file a bug on this one
+sed -i 's/root=.*/root=LABEL=_\//' /boot/grub/grub.conf
+echo .
+if ! [[ -e /boot/grub/menu.lst ]]; then
+ echo -n "Linking menu.lst to old-style grub.conf for pv-grub"
+ ln /boot/grub/grub.conf /boot/grub/menu.lst
+ ln -sf /boot/grub/grub.conf /etc/grub.conf
+fi
+
+
+# setup systemd to boot to the right runlevel
+echo -n "Setting default runlevel to multiuser text mode"
+rm -f /etc/systemd/system/default.target
+ln -s /lib/systemd/system/multi-user.target /etc/systemd/system/default.target
+echo .
+
+# If you want to remove rsyslog and just use journald, also uncomment this.
+#echo -n "Enabling persistent journal"
+#mkdir /var/log/journal/
+#echo .
+
+# this is installed by default but we don't need it in virt
+echo "Removing linux-firmware package."
+yum -C -y remove linux-firmware
+
+# Remove firewalld; was supposed to be optional in F18, but is required to
+# be present for install/image building.
+echo "Removing firewalld."
+yum -C -y remove firewalld
+
+# Non-firewalld-firewall
+echo -n "Writing static firewall"
+cat <<EOF > /etc/sysconfig/iptables
+# Simple static firewall loaded by iptables.service. Replace
+# this with your own custom rules, run lokkit, or switch to
+# shorewall or firewalld as your needs dictate.
+*filter
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
+-A INPUT -p icmp -j ACCEPT
+-A INPUT -i lo -j ACCEPT
+-A INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 22 -j ACCEPT
+#-A INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 80 -j ACCEPT
+#-A INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 443 -j ACCEPT
+-A INPUT -j REJECT --reject-with icmp-host-prohibited
+-A FORWARD -j REJECT --reject-with icmp-host-prohibited
+COMMIT
+EOF
+echo .
+
+# Because memory is scarce resource in most cloud/virt environments,
+# and because this impedes forensics, we are differing from the Fedora
+# default of having /tmp on tmpfs.
+echo "Disabling tmpfs for /tmp."
+systemctl mask tmp.mount
+
+echo "Zeroing out empty space."
+# This forces the filesystem to reclaim space from deleted files
+dd bs=1M if=/dev/zero of=/var/tmp/zeros || :
+rm -f /var/tmp/zeros
+echo "(Don't worry -- that out-of-space error was expected.)"
+
+%end
+
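Review bot: with no cloud-init and no `rootpw` line, this image ships with an unset root password and no mechanism for getting a credential onto it, so add `rootpw --lock` and have the header tell users to inject credentials via their own %post or tooling. Minor: "your own say of getting" in the header should read "way", and the `default=1` to `default=0` grub.conf substitution from the i386-cloud sibling is absent here as well.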
11 years, 3 months
2 commits - ec2/fedora-18-i386-ec2.ks ec2/fedora-18-x86_64-ec2.ks
by Matthew Miller
ec2/fedora-18-i386-ec2.ks | 37 +++++++++++++++++++++++++++++++------
ec2/fedora-18-x86_64-ec2.ks | 3 +++
2 files changed, 34 insertions(+), 6 deletions(-)
New commits:
commit 327bbe79ed8c493828ea14d1f1351fe5d4933377
Author: Matthew Miller <mattdm(a)mattdm.org>
Date: Wed Jan 2 09:04:37 2013 -0500
amazon is still carrying this tweak in their own images
diff --git a/ec2/fedora-18-i386-ec2.ks b/ec2/fedora-18-i386-ec2.ks
index 32da6cc..2584f6d 100644
--- a/ec2/fedora-18-i386-ec2.ks
+++ b/ec2/fedora-18-i386-ec2.ks
@@ -70,6 +70,9 @@ LABEL=_/ / ext4 defaults 1 1
EOF
echo .
+# workaround xen performance issue (bz 651861)
+echo "hwcap 1 nosegneg" > /etc/ld.so.conf.d/libc6-xen.conf
+
echo -n "Grub tweaks"
echo GRUB_TIMEOUT=0 > /etc/default/grub
sed -i '1i# This file is for use with pv-grub; legacy grub is not installed in this image' /boot/grub/grub.conf
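Review bot: the `hwcap` directive is consumed by ldconfig when it rebuilds /etc/ld.so.cache, so writing libc6-xen.conf here leaves the cache generated during package installation untouched; add `ldconfig` directly after the `echo` so the shipped image already selects the nosegneg libraries rather than relying on the next package install to regenerate the cache. The bug reference in the comment is good; noting that this picks the i686 glibc variant would help the next reader too.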
diff --git a/ec2/fedora-18-x86_64-ec2.ks b/ec2/fedora-18-x86_64-ec2.ks
index 8e33752..7e78e37 100644
--- a/ec2/fedora-18-x86_64-ec2.ks
+++ b/ec2/fedora-18-x86_64-ec2.ks
@@ -70,6 +70,9 @@ LABEL=_/ / ext4 defaults 1 1
EOF
echo .
+# workaround xen performance issue (bz 651861)
+echo "hwcap 1 nosegneg" > /etc/ld.so.conf.d/libc6-xen.conf
+
echo -n "Grub tweaks"
echo GRUB_TIMEOUT=0 > /etc/default/grub
sed -i '1i# This file is for use with pv-grub; legacy grub is not installed in this image' /boot/grub/grub.conf
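Review bot: nosegneg selects the i686 glibc build that avoids negative segment offsets under Xen PV; a pure x86_64 image has no such library directory, so this line only takes effect if 32-bit multilib packages end up installed. If it is kept for that case, say so in the comment; otherwise the x86_64 kickstart can drop it rather than carry a no-op.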
commit 855c218eb387bcb9defed1acb95d0524e3c999c3
Author: Matthew Miller <mattdm(a)mattdm.org>
Date: Wed Jan 2 09:00:46 2013 -0500
bring in changes from x86_64 config
diff --git a/ec2/fedora-18-i386-ec2.ks b/ec2/fedora-18-i386-ec2.ks
index 1f0dcbb..32da6cc 100644
--- a/ec2/fedora-18-i386-ec2.ks
+++ b/ec2/fedora-18-i386-ec2.ks
@@ -6,11 +6,6 @@
#
# Note that unlike the standard F18 install, this image has /tmp on disk
# rather than in tmpfs, since memory is usually at a premium.
-#
-# It additionally configures _no_ local firewall, in line with EC2
-# recommendations that security groups be used instead.
-
-
lang en_US.UTF-8
keyboard us
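Review bot: the two removed comment lines were the only place the header described the firewall posture; now that %post writes a static iptables ruleset, the header should say so (and name /etc/sysconfig/iptables) so readers do not assume the security-groups-only stance still holds.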
@@ -19,7 +14,9 @@ timezone --utc America/New_York
auth --useshadow --enablemd5
selinux --enforcing
-firewall --disabled
+# this is actually not used, but a static firewall
+# matching these rules is generated below.
+firewall --service=ssh
bootloader --timeout=0 --location=mbr --driveorder=sda
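Review bot: the new comment says `firewall --service=ssh` is not used, but it should also say why the line is kept (firewalld is required during install per the package comment in the later hunk) so it is not removed as dead configuration later; the service named here should stay in step with the port 22 rule in the generated ruleset.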
@@ -46,6 +43,10 @@ cloud-init
# Needed initially, but removed below.
firewalld
+# Basic firewall. If you're going to rely on your cloud service's
+# security groups you can remove this.
+iptables-services
+
# cherry-pick a few things from @standard
tmpwatch
tar
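Review bot: the comment tells people relying on security groups to remove iptables-services, but removing the package alone leaves `iptables` in `services --enabled` and the /etc/sysconfig/iptables heredoc in %post; the comment should list those two places as well so the removal is complete.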
@@ -104,6 +105,27 @@ yum -C -y remove linux-firmware
echo "Removing firewalld."
yum -C -y remove firewalld
+# Non-firewalld-firewall
+echo -n "Writing static firewall"
+cat <<EOF > /etc/sysconfig/iptables
+# Simple static firewall loaded by iptables.service. Replace
+# this with your own custom rules, run lokkit, or switch to
+# shorewall or firewalld as your needs dictate.
+*filter
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
+-A INPUT -p icmp -j ACCEPT
+-A INPUT -i lo -j ACCEPT
+-A INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 22 -j ACCEPT
+#-A INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 80 -j ACCEPT
+#-A INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 443 -j ACCEPT
+-A INPUT -j REJECT --reject-with icmp-host-prohibited
+-A FORWARD -j REJECT --reject-with icmp-host-prohibited
+COMMIT
+EOF
+echo .
# Because memory is scarce resource in most cloud/virt environments,
# and because this impedes forensics, we are differing from the Fedora
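Review bot: the ruleset is IPv4-only; iptables-services also provides ip6tables.service, which is neither in `services --enabled` nor given an /etc/sysconfig/ip6tables, so any IPv6 address the instance picks up reaches sshd (and anything else listening) unfiltered. Add a matching ip6tables file (allowing icmp6, which IPv6 needs for neighbour discovery) and enable the service, or state that IPv6 is deliberately left open. Minor: `-p icmp -j ACCEPT` admits every ICMP type; restricting it to echo-request and the error types is the usual tightening, and a commented alternative rule would be enough to flag it.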
11 years, 3 months
AWS VM created with ami-e3a433d9 - ssh times out . .
by Philip Rhoades
People,
I successfully created a VM with the default AMI image in the Virginia
region and after allocating an EIP, could ssh to it with no problems but
after creating a Sydney VM with ami-e3a433d9 and allocating an EIP,
trying to ssh, e.g.:
ssh -i sydney.pem root(a)xxx.xxx.xxx.xxx
fails with timeouts . .
I have tried rebooting the VM with no improvement - any other
suggestions?
I am also having trouble with getting Java running on F17 x64 (IcedTea
is installed) so I can't use the Java SSH client either . .
The VM seems to be OK and nmap reports that the host is up
but that all ports are filtered . .
Any ideas/suggestions?
Thanks,
Phil.
--
Philip Rhoades
GPO Box 3411
Sydney NSW 2001
Australia
E-mail: phil(a)pricom.com.au
11 years, 3 months