Fedora 20 RC1 AMIs

Daniel J Walsh dwalsh at redhat.com
Thu Dec 12 19:18:56 UTC 2013


On 12/12/2013 11:44 AM, Matthew Miller wrote:
> On Thu, Dec 12, 2013 at 03:18:31PM +0100, Vitaly Kuznetsov wrote:
>>> ami-3b361952 : us-east-1 image for i386
>>> ami-1337187a : us-east-1 image for x86_64
>> Compared to TC5 images:
>> 1) iptables-services package is missing in RC1
> 
> This is intentional and by popular demand -- in an IaaS environment, the 
> cloud provider's security groups or equivalent concept provides the 
> firewall. If one wants defense-in-depth it's easy to install 
> iptables-services or firewalld with cloud-init.
> 
>> 2) SELinux contexts. It gets better :-) In TC5 if you remember we had:
>> # restorecon -R -v -n -e /proc -e /sys -e /tmp -e /run -e /dev /
>> restorecon reset /boot/extlinux/ldlinux.sys context system_u:object_r:file_t:s0->system_u:object_r:boot_t:s0
>> restorecon reset /var/cache/yum context system_u:object_r:file_t:s0->system_u:object_r:rpm_var_cache_t:s0
>> restorecon reset /var/log/boot.log context system_u:object_r:var_log_t:s0->system_u:object_r:plymouthd_var_log_t:s0
>> restorecon reset /var/log/cron context system_u:object_r:var_log_t:s0->system_u:object_r:cron_log_t:s0
> 
> I'm pre-creating the two log files, so they end up right.
> 
>> In RC1 we have only these:
>> # restorecon -R -v -n -e /proc -e /sys -e /tmp -e /run -e /dev /
>> restorecon reset /var/cache/yum context system_u:object_r:file_t:s0->system_u:object_r:rpm_var_cache_t:s0
>> restorecon reset /boot/extlinux/ldlinux.sys context system_u:object_r:file_t:s0->system_u:object_r:boot_t:s0
> 
> I tried to be clever with changing ldlinux.sys from immutable and back
> again but apparently that doesn't do it. (Since this isn't ever actually
> run on the system, only _before_ the system, and not on EC2 at all, the 
> side-effects of a wrong context should be small.)
> 
> I'm more concerned about /var/cache/yum, since that is already precreated 
> and should already be right.
> 
Any chance this is something mounted on that directory?  That the relabel is
not hitting the inode?

Another option would be to just remove this directory.  Especially if there is
no content.  yum would recreate it on the update.
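The two questions in the reply above (is the flagged path a mount point, and is the relabel reaching the inode) can be triaged from the dry-run output. This is an added example, not part of the original message; the function names, the sample mount table and the output layout are assumptions made for illustration.

```shell
#!/bin/sh
# Constructed sample: dry-run output in the format quoted in the thread.
SAMPLE_RESTORECON='restorecon reset /var/cache/yum context system_u:object_r:file_t:s0->system_u:object_r:rpm_var_cache_t:s0
restorecon reset /boot/extlinux/ldlinux.sys context system_u:object_r:file_t:s0->system_u:object_r:boot_t:s0'

# Constructed sample mount table (/proc/self/mounts layout), built so that
# both outcomes appear; it is not data from the image under discussion.
SAMPLE_MOUNTS='/dev/xvda1 / ext4 rw,seclabel 0 0
tmpfs /var/cache/yum tmpfs rw,seclabel 0 0'

# Print "path old_type new_type" for each "restorecon reset" line on stdin.
# Assumes paths without whitespace.
mislabeled_paths() {
    awk '$1 == "restorecon" && $2 == "reset" && $4 == "context" {
        split($5, ctx, "->"); split(ctx[1], o, ":"); split(ctx[2], n, ":")
        print $3, o[3], n[3]
    }'
}

# Print "mount_point fstype" for the longest mount point that is a path
# prefix of $1; the mount table is read from stdin.
covering_mount() {
    awk -v p="$1" '{
        m = $2; pre = (m == "/") ? "/" : m "/"
        if ((p == m || index(p, pre) == 1) && length(m) > length(best)) {
            best = m; fs = $3
        }
    } END { print best, fs }'
}

# $1 = restorecon dry-run output, $2 = mount table.
# Prints "path old_type new_type state mount_point fstype" per flagged path,
# where state is "mountpoint" if the path itself has a filesystem mounted on it.
triage() {
    printf '%s\n' "$1" | mislabeled_paths | while read -r t_path t_old t_new; do
        t_hit=$(printf '%s\n' "$2" | covering_mount "$t_path")
        t_mnt=${t_hit% *}; t_fs=${t_hit##* }
        if [ "$t_mnt" = "$t_path" ]; then t_state=mountpoint; else t_state=within; fi
        echo "$t_path $t_old $t_new $t_state $t_mnt $t_fs"
    done
}

triage "$SAMPLE_RESTORECON" "$SAMPLE_MOUNTS"
```

On a live instance, pass `"$(restorecon -R -v -n -e /proc -e /sys -e /tmp -e /run -e /dev /)"` and `"$(cat /proc/self/mounts)"` instead of the samples. A path reported as `mountpoint` has a separate directory inode underneath it that is only visible through a non-recursive bind mount of `/`.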

