--- recipe/common-blacklist.ks | 161 +++++++++++++++++++++++++++++++++++++++++ recipe/common-install.ks | 19 +++++ recipe/common-pkgs.ks | 75 +++++++++++++++++++ recipe/common-post.ks | 170 ++++++++++++++++++++++++++++++++++++++++++++ recipe/ovirt-node-image.ks | 118 ++++++++++++++++++++++++++++++ 5 files changed, 543 insertions(+), 0 deletions(-) create mode 100644 recipe/common-blacklist.ks create mode 100644 recipe/common-install.ks create mode 100644 recipe/common-pkgs.ks create mode 100644 recipe/common-post.ks create mode 100644 recipe/ovirt-node-image.ks
diff --git a/recipe/common-blacklist.ks b/recipe/common-blacklist.ks
new file mode 100644
index 0000000..81f46d6
--- /dev/null
+++ b/recipe/common-blacklist.ks
@@ -0,0 +1,161 @@
+# -*-Shell-script-*-
+%post
+
+echo "Removing excess RPMs"
+
+# kernel pulls in mkinitrd which pulls in isomd5sum which pulls in python,
+# and livecd-tools needs lokkit to configure SELinux.
+# However, this is just an install-time dependency; we can remove
+# it afterwards, which we do here
+RPMS="system-config-firewall-tui system-config-network-tui rhpl \
+ rpm-python kudzu libsemanage-python"
+
+RPMS="$RPMS mkinitrd isomd5sum dmraid checkpolicy"
+
+# Remove additional RPMs forcefully
+RPMS="$RPMS gamin pm-utils kbd usermode vbetool ConsoleKit hdparm \
+ efibootmgr linux-atm-libs fedora-release-notes \
+ psmisc cryptsetup-luks pciutils mtools syslinux \
+ wireless-tools radeontool libicu gnupg2 \
+ fedora-logos"
+
+# cronie pulls in exim (sendmail) which pulls in all kinds of perl deps
+RPMS="$RPMS exim perl-version perl-Pod-Simple perl-libs perl-Module-Pluggable \
+ perl-Pod-Escapes perl"
+
+RPMS="$RPMS sysklogd"
+
+# workaround for gpxe issue with the virt-preview qemu on F11 host kernel
+# https://bugzilla.redhat.com/show_bug.cgi?id=512358
+RPMS="$RPMS gpxe-roms-qemu"
+ln -snf ../etherboot/e1000-82542.zrom /usr/share/qemu/pxe-e1000.bin
+ln -snf ../etherboot/ne.zrom /usr/share/qemu/pxe-ne2k_pci.bin
+ln -snf ../etherboot/pcnet32.zrom /usr/share/qemu/pxe-pcnet.bin
+ln -snf ../etherboot/rtl8139.zrom /usr/share/qemu/pxe-rtl8139.bin
+ln -snf ../etherboot/virtio-net.zrom /usr/share/qemu/pxe-virtio.bin
+
+# Things we could probably remove if libvirt didn't link against them
+#RPMS="$RPMS avahi PolicyKit xen-libs"
+
+# Things we could probably remove if qemu-kvm didn't link against them
+#RPMS="$RPMS SDL alsa-lib"
+
+# Pam complains when this is missing
+#RPMS="$RPM ConsoleKit-libs"
+
+for rpm in $RPMS; do
+ rpm -v -e --nodeps $rpm 2> /dev/null
+done
+
+# the following are lists of kernel modules we are pretty sure we won't need;
+# note that these can be single files or whole directories. They are specified
+# starting at $MODULES; so if you want to remove the NLS stuff from the
+# fs subdir, your mods entry would be "fs/nls"
+fs_mods="fs/nls fs/9p fs/affs fs/autofs fs/autofs4 fs/befs fs/bfs fs/cifs \
+ fs/coda fs/cramfs fs/dlm fs/ecryptfs fs/efs fs/exportfs fs/ext4 \
+ fs/freevxfs fs/gfs2 fs/hfs fs/hfsplus fs/jbd2 fs/jffs \
+ fs/jffs2 fs/jfs fs/minix fs/ncpfs fs/ocfs2 fs/qnx4 fs/reiserfs \
+ fs/romfs fs/sysv fs/udf fs/ufs fs/xfs"
+
+net_mods="net/9p net/appletalk net/atm net/ax25 \
+ net/bluetooth net/dccp net/decnet net/ieee80211 net/ipx net/irda \
+ net/mac80211 net/netrom net/rfkill net/rose net/sched net/tipc \
+ net/wanrouter net/wireless"
+
+driver_mods="drivers/auxdisplay drivers/net/appletalk \
+ drivers/net/hamradio drivers/net/pcmcia drivers/net/tokenring \
+ drivers/net/wireless drivers/net/irda drivers/atm drivers/usb/atm \
+ drivers/acpi drivers/char/drm drivers/char/mwave \
+ drivers/char/ipmp drivers/char/pcmcia drivers/crypto drivers/dca \
+ drivers/firmware drivers/memstick drivers/mmc drivers/mfs \
+ drivers/parport drivers/video drivers/watchdog drivers/net/ppp* \
+ drivers/usb/serial drivers/usb/misc drivers/usb/class \
+ drivers/usb/image drivers/rtc drivers/char/lp*"
+
+misc_mods="drivers/bluetooth drivers/firewire drivers/i2c drivers/isdn \
+ drivers/media drivers/misc drivers/leds drivers/mtd drivers/w1 sound \
+ drivers/input drivers/pcmcia drivers/scsi/pcmcia"
+
+echo "Removing excess kernel modules"
+MODULES="/lib/modules/*/kernel"
+RM="rm -rf"
+
+for mods in $fs_mods $net_mods $misc_mods $driver_mods ; do
+ $RM $MODULES/$mods
+done
+
+echo "Removing all timezones except for UTC"
+find /usr/share/zoneinfo -regextype egrep -type f \
+ ! -regex ".*/UTC|.*/GMT" -exec $RM {} \;
+
+echo "Removing blacklisted files and directories"
+blacklist="/etc/alsa /etc/pki /usr/share/hwdata/MonitorsDB \
+ /usr/share/hwdata/oui.txt /usr/share/hwdata/videoaliases \
+ /usr/share/firstboot /usr/share/lua /usr/share/kde4 /usr/share/pixmaps \
+ /usr/share/hwdata/videodrivers /usr/share/icons /usr/share/fedora-release \
+ /usr/share/tabset /usr/share/libvirt /usr/share/augeas/lenses/tests \
+ /usr/share/tc /usr/share/emacs /usr/share/info \
+ /usr/src /usr/etc /usr/games /usr/include /usr/local \
+ /usr/sbin/{dell*,sasldblistusers2,build-locale-archive,glibc_post_upgrade.*}"
+blacklist_lib="/usr/{,lib64}/tc \
+ /usr/lib{,64}/tls /usr/lib{,64}/sse2 \
+ /usr/lib{,64}/pkgconfig /usr/lib{,64}/nss \
+ /usr/lib{,64}/games /usr/lib{,64}/alsa-lib /usr/lib{,64}/fs/reiserfs \
+ /usr/lib{,64}/krb5 /usr/lib{,64}/hal /usr/lib{,64}/gio \
+ /usr/lib/locale /usr/lib/syslinux"
+blacklist_pango="/usr/lib{,64}/pango /usr/lib{,64}/libpango* \
+ /etc/pango /usr/bin/pango*"
+blacklist_hal="/usr/bin/hal-disable-polling \
+ /usr/bin/hal-is-caller-locked-out /usr/bin/hal-is-caller-privileged \
+ /usr/bin/hal-lock /usr/bin/hal-set-property /usr/bin/hal-setup-keymap"
+blacklist_ssh="/usr/bin/sftp /usr/bin/slogin /usr/bin/ssh /usr/bin/ssh-add \
+ /usr/bin/ssh-agent /usr/bin/ssh-copy-id /usr/bin/ssh-keyscan"
+blacklist_docs="/usr/share/omf /usr/share/gnome /usr/share/doc \
+ /usr/share/locale /usr/share/libthai /usr/share/man \
+ /usr/share/X11 /usr/share/i18n"
+
+eval $RM $blacklist $blacklist_lib $blacklist_pango $blacklist_hal \
+ $blacklist_ssh $blacklist_docs
+
+echo "Cleanup empty directory structures in /usr/share"
+find /usr/share -type d -exec rmdir {} \; > /dev/null 2>&1
+
+echo "Cleanup excess selinux modules"
+$RM /usr/share/selinux
+
+echo "Removing python source files"
+find / -name '*.py' -exec rm -f {} \;
+find / -name '*.pyo' -exec rm -f {} \;
+
+echo "Running image-minimizer..."
+%end
+
+%post --nochroot --interpreter image-minimizer
+drop /usr/lib/libboost*
+keep /usr/lib/libboost_program_options.so*
+keep /usr/lib/libboost_filesystem.so*
+keep /usr/lib/libboost_thread-mt.so*
+keep /usr/lib/libboost_system.so*
+drop /usr/lib64/libboost*
+keep /usr/lib64/libboost_program_options.so*
+keep /usr/lib64/libboost_filesystem.so*
+keep /usr/lib64/libboost_thread-mt.so*
+keep /usr/lib64/libboost_system.so*
+drop /usr/kerberos
+keep /usr/kerberos/bin/kinit
+keep /usr/kerberos/bin/klist
+drop /lib/firmware
+keep /lib/firmware/3com
+keep /lib/firmware/acenic
+keep /lib/firmware/adaptec
+keep /lib/firmware/advansys
+keep /lib/firmware/bnx2
+keep /lib/firmware/cxgb3
+keep /lib/firmware/e100
+keep /lib/firmware/myricom
+keep /lib/firmware/qlogic
+keep /lib/firmware/sun
+keep /lib/firmware/tehuti
+keep /lib/firmware/tigon
+%end
+
diff --git a/recipe/common-install.ks b/recipe/common-install.ks
new file mode 100644
index 0000000..d6620f7
--- /dev/null
+++ b/recipe/common-install.ks
@@ -0,0 +1,19 @@
+lang C
+keyboard us
+timezone --utc UTC
+auth --useshadow --enablemd5
+selinux --enforcing
+firewall --disabled
+part / --size 650 --fstype ext2
+services --enabled=auditd,ntpd,ntpdate,collectd,iptables,network,rsyslog,libvirt-qpid,multipathd
+# This requires a new fixed version of livecd-creator to honor the --append settings.
+bootloader --timeout=30 --append="console=tty0 console=ttyS0,115200n8"
+
+# not included by default in Fedora 10 livecd initramfs
+device virtio_blk
+device virtio_pci
+device scsi_wait_scan
+
+# multipath kmods
+device dm-multipath
+device dm-round-robin
diff --git a/recipe/common-pkgs.ks b/recipe/common-pkgs.ks
new file mode 100644
index 0000000..daff195
--- /dev/null
+++ b/recipe/common-pkgs.ks
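Review bot: `/etc/pki` in the `blacklist` variable is removed wholesale by `eval $RM ...`, and on Fedora that tree typically holds the system CA bundle, the rpm GPG keys and any service TLS material; which consumers in this image rely on it cannot be told from the hunk, but libvirt and the qpid agent are enabled in common-install.ks and nothing here re-creates a trust store. If size is the only motive, narrow the entry to the subdirectories known to be unused and record the check, e.g. `# /etc/pki kept: CA bundle is needed for libvirt TLS and rpm signature checks`. The erase loop `rpm -v -e --nodeps $rpm 2> /dev/null` hides every failure, so a package that could not be removed silently stays in the image; dropping the redirect, or printing the status after each call, keeps the build log truthful. The commented line `#RPMS="$RPM ConsoleKit-libs"` refers to `$RPM` rather than `$RPMS` and would discard the accumulated list if it were ever uncommented.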
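Review bot: `auth --useshadow --enablemd5` stores every local password as an MD5-crypt hash, the weakest algorithm anaconda offers, and this image ships sshd plus a root account that common-post.ks leaves unlocked in developer builds; replacing it with `auth --useshadow --passalgo=sha512` changes nothing else in the file. `firewall --disabled` is only safe because common-post.ks writes `/etc/sysconfig/iptables` by hand and the `services` line enables `iptables`; a comment beside it such as `# firewall rules are generated in common-post.ks, do not enable here` would stop a later reader from enabling a second rule set.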
@@ -0,0 +1,75 @@
+audit
+bc
+kernel
+hwdata
+passwd
+policycoreutils
+rootfiles
+dhclient
+openssh-clients
+openssh-server
+kvm
+libmlx4
+ovirt-node
+-selinux-policy-targeted
+selinux-policy-minimum
+vim-minimal
+sudo
+python
+python-libs
+python-setuptools
+db4
+vconfig
+python-virtinst
+matahari
+#debugging
+hdparm
+sos
+gdb
+ltrace
+strace
+sysstat
+tcpdump
+pstack
+pciutils
+numactl
+file
+lsof
+newt-python
+/usr/bin/kvmtrace
+#remove
+-audit-libs-python
+-ustr
+-authconfig
+-wireless-tools
+-setserial
+-prelink
+-newt-python
+-newt
+-kudzu
+-libselinux-python
+-rhpl
+-kbd
+-usermode
+-fedora-logos
+-dmraid
+-gzip
+-less
+-which
+-parted
+-nash
+-tar
+-libuser
+-mtools
+-cpio
+-sysklogd
+/usr/sbin/lokkit
+isomd5sum
+irqbalance
+cpuspeed
+acpid
+device-mapper-multipath
+kpartx
+# workaround for gpxe issue with the virt-preview qemu on F11 host kernel
+# https://bugzilla.redhat.com/show_bug.cgi?id=512358
+etherboot-zroms-kvm
diff --git a/recipe/common-post.ks b/recipe/common-post.ks
new file mode 100644
index 0000000..7cebef0
--- /dev/null
+++ b/recipe/common-post.ks
@@ -0,0 +1,170 @@
+# -*-Shell-script-*-
+echo "Starting Kickstart Post"
+PATH=/sbin:/usr/sbin:/bin:/usr/bin
+export PATH
+
+# Import SELinux Modules
+echo "Enabling selinux modules"
+SEMODULES="base automount avahi consolekit cyrus dhcp dnsmasq guest hal ipsec \
+iscsi kerberos kerneloops ldap lockdev logadm mozilla ntp ovirt-node-selinux \
+polkit portmap qemu rpcbind sasl snmp stunnel sysstat tcpd unprivuser \
+unconfined usbmodules userhelper virt"
+
+lokkit -v --selinuxtype=minimum
+tmpdir=$(mktemp -d)
+
+for semodule in $SEMODULES; do
+ found=0
+ pp_file=/usr/share/selinux/minimum/$semodule.pp
+ if [ -f $pp_file.bz2 ]; then
+ bzip2 -dc $pp_file.bz2 > "$tmpdir/$semodule.pp"
+ rm $pp_file.bz2
+ found=1
+ elif [ -f $pp_file ]; then
+ mv $pp_file "$tmpdir"
+ found=1
+ fi
+ # Don't put "base.pp" on the list.
+ test $semodule = base \
+ && continue
+ test $found=1 \
+ && modules="$modules $semodule.pp"
+done
+
+if test -n "$modules"; then
+ (cd "$tmpdir" \
+ && test -f base.pp \
+ && semodule -v -b base.pp -i $modules \
+ && semodule -v -B )
+fi
+rm -rf "$tmpdir"
+
+echo "Running ovirt-install-node-stateless"
+ovirt-install-node-stateless
+
+echo "Creating shadow files"
+# because we aren't installing authconfig, we aren't setting up shadow
+# and gshadow properly. Do it by hand here
+pwconv
+grpconv
+
+echo "Forcing C locale"
+# force logins (via ssh, etc) to use C locale, since we remove locales
+cat >> /etc/profile << \EOF
+# oVirt: force our locale to C since we don't have locale stuff'
+export LC_ALL=C LANG=C
+EOF
+
+echo "Configuring IPTables"
+# here, we need to punch the appropriate holes in the firewall
+cat > /etc/sysconfig/iptables << \EOF
+# oVirt automatically generated firewall configuration
+*filter
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
+-A INPUT -p icmp -j ACCEPT
+-A INPUT -i lo -j ACCEPT
+# libvirt
+-A INPUT -p tcp --dport 16509 -j ACCEPT
+# SSH
+-A INPUT -p tcp --dport 22 -j ACCEPT
+# anyterm
+-A INPUT -p tcp --dport 81 -j ACCEPT
+# guest consoles
+-A INPUT -p tcp -m multiport --dports 5800:6000 -j ACCEPT
+# migration
+-A INPUT -p tcp -m multiport --dports 49152:49216 -j ACCEPT
+-A INPUT -j REJECT --reject-with icmp-host-prohibited
+-A FORWARD -m physdev ! --physdev-is-bridged -j REJECT --reject-with icmp-host-prohibited
+COMMIT
+EOF
+# configure IPv6 firewall, default is all ACCEPT
+cat > /etc/sysconfig/ip6tables << \EOF
+# oVirt automatically generated firewall configuration
+*filter
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
+-A INPUT -p ipv6-icmp -j ACCEPT
+-A INPUT -i lo -j ACCEPT
+# libvirt
+-A INPUT -p tcp --dport 16509 -j ACCEPT
+# SSH
+-A INPUT -p tcp --dport 22 -j ACCEPT
+# anyterm
+-A INPUT -p tcp --dport 81 -j ACCEPT
+# guest consoles
+-A INPUT -p tcp -m multiport --dports 5800:6000 -j ACCEPT
+# migration
+-A INPUT -p tcp -m multiport --dports 49152:49216 -j ACCEPT
+-A INPUT -j REJECT --reject-with icmp6-adm-prohibited
+-A FORWARD -m physdev ! --physdev-is-bridged -j REJECT --reject-with icmp6-adm-prohibited
+COMMIT
+EOF
+
+# remove errors from /sbin/dhclient-script
+DHSCRIPT=/sbin/dhclient-script
+sed -i 's/mv /cp -p /g' $DHSCRIPT
+sed -i '/rm -f.*${interface}/d' $DHSCRIPT
+sed -i '/rm -f \/etc\/localtime/d' $DHSCRIPT
+sed -i '/rm -f \/etc\/ntp.conf/d' $DHSCRIPT
+sed -i '/rm -f \/etc\/yp.conf/d' $DHSCRIPT
+
+if rpm -q --qf '%{release}' ovirt-node | grep -q "^0\." ; then
+ echo "Building in developer mode, leaving root account unlocked"
+ augtool <<\EOF
+set /files/etc/ssh/sshd_config/PermitEmptyPasswords yes
+save
+EOF
+else
+ echo "Building in production mode, locking root account"
+ passwd -l root
+fi
+
+# directories required in the image with the correct perms
+# config persistance currently handles only regular files
+mkdir -p /root/.ssh
+chmod 700 /root/.ssh
+
+# fix iSCSI/LVM startup issue
+sed -i 's/node\.session\.initial_login_retry_max.*/node.session.initial_login_retry_max = 60/' /etc/iscsi/iscsid.conf
+
+# root's bash profile
+cat >> /root/.bashrc <<EOF
+# aliases used for the temporary
+function mod_vi() {
+ /bin/vi \$@
+ restorecon -v \$@
+}
+alias vi="mod_vi"
+alias ping='ping -c 3'
+EOF
+
+# copy logos
+cp /usr/share/ovirt-node/grub-splash.xpm.gz /boot/grub/splash.xpm.gz
+cp /usr/share/ovirt-node/syslinux-vesa-splash.jpg usr/lib/anaconda-runtime/syslinux-vesa-splash.jpg
+
+# Remove the default logrotate daily cron job
+# since we run it every 10 minutes instead.
+rm -f /etc/cron.daily/logrotate
+
+# comment out /etc/* entries in rwtab to prevent overlapping mounts
+touch /var/lib/random-seed
+mkdir /live
+mkdir /boot
+sed -i '/^files \/etc*/ s/^/#/' /etc/rwtab
+cat > /etc/rwtab.d/ovirt <<EOF
+dirs /var/lib/multipath
+files /etc
+files /var/cache/libvirt
+files /var/cache/hald
+files /var/empty/sshd/etc/localtime
+files /var/lib/dbus
+files /var/lib/libvirt
+empty /mnt
+empty /live
+empty /boot
+EOF
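Review bot: `test $found=1` in the SEMODULES loop is a one-word string test and is always true (`0=1` is a non-empty string), so every module name is appended to `modules` whether or not a `.pp` file was found, and `semodule -v -b base.pp -i $modules` is then handed paths that do not exist in `$tmpdir` and fails for the whole batch; the line should read `test "$found" = 1 \`. Further down, the developer-mode branch keys on the ovirt-node release string beginning with `0.` and then sets `PermitEmptyPasswords yes` in sshd_config while leaving root unlocked; that coupling is invisible to anyone reading the packaging later, so it deserves a comment next to the `if`, e.g. `# release 0.x marks a developer build: root stays unlocked and sshd accepts empty passwords, so such an image must never be deployed`. The generated `mod_vi` function also passes `\$@` unquoted twice, so a filename with spaces is split before reaching vi and restorecon; `"\$@"` keeps the heredoc escaping and fixes both calls.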
diff --git a/recipe/ovirt-node-image.ks b/recipe/ovirt-node-image.ks
new file mode 100644
index 0000000..6b9e2ac
--- /dev/null
+++ b/recipe/ovirt-node-image.ks
@@ -0,0 +1,118 @@
+%include common-install.ks
+
+%include repos.ks
+
+%packages --excludedocs --nobase
+%include common-pkgs.ks
+
+%end
+
+%post
+# cleanup rpmdb to allow non-matching host and chroot RPM versions
+rm -f /var/lib/rpm/__db*
+%include common-post.ks
+
+touch /.autorelabel
+
+# prepare for STATE_MOUNT in rc.sysinit
+augtool <<\EOF
+set /files/etc/sysconfig/readonly-root/TEMPORARY_STATE NOT_OVIRT_FIRSTBOOT
+set /files/etc/sysconfig/readonly-root/STATE_LABEL CONFIG
+set /files/etc/sysconfig/readonly-root/STATE_MOUNT /config
+set /files/etc/sysconfig/readonly-root/READONLY yes
+save
+EOF
+# use persistent state unless firstboot is forced
+# XXX auges shellvars lens does not accept this value
+sed -i 's...@not_ovirt_firstboot@$(if cat /proc/cmdline|grep -qv ovirt_firstboot; then printf "yes"; else printf "no"; fi)@' /etc/sysconfig/readonly-root
+# prepare mount points for local storage
+mkdir -p /boot
+mkdir -p /config
+mkdir -p /data
+mkdir -p /liveos
+echo "/dev/HostVG/Config /config ext3 defaults,noauto 0 0" >> /etc/fstab
+%end
+
+%post
+# Create initial manifests
+manifests=/tmp/manifests
+mkdir -p $manifests
+rpm -qa --qf '%{name}-%{version}-%{release}.%{arch}\n' | sort \
+ > $manifests/rpm-manifest.txt
+rpm -qa --qf '%{sourcerpm}\n' | sort -u > $manifests/srpm-manifest.txt
+du -akx --exclude=/var/cache/yum / > $manifests/file-manifest.txt
+du -x --exclude=/var/cache/yum / > $manifests/dir-manifest.txt
+%end
+
+%include common-blacklist.ks
+
+%post --nochroot
+if [ -f "ovirt-authorized_keys" ]; then
+ echo "Adding authorized_keys to Image"
+ mkdir -p $INSTALL_ROOT/root/.ssh
+ cp -v ovirt-authorized_keys $INSTALL_ROOT/root/.ssh/authorized_keys
+ chown -R root:root $INSTALL_ROOT/root/.ssh
+ chmod 755 $INSTALL_ROOT/root/.ssh
+ chmod 644 $INSTALL_ROOT/root/.ssh/authorized_keys
+fi
+
+echo "Fixing boot menu"
+# remove quiet from Node bootparams, added by livecd-creator
+sed -i -e 's/ quiet//' $LIVE_ROOT/isolinux/isolinux.cfg
+
+# add stand-alone boot entry
+awk '
+BEGIN {
+ # append additional default boot parameters
+ add_boot_params="check"
+}
+/^label linux0/ { linux0=1 }
+linux0==1 && $1=="append" {
+ $0=$0 " " add_boot_params
+ append0=$0
+}
+linux0==1 && $1=="label" && $2!="linux0" {
+ linux0=2
+ print "label stand-alone"
+ print " menu label Boot in stand-alone mode"
+ print " kernel vmlinuz0"
+ gsub("console=tty0", "", append0)
+ print append0" ovirt_standalone console=tty0"
+}
+{ print }
+' $LIVE_ROOT/isolinux/isolinux.cfg > $LIVE_ROOT/isolinux/isolinux.cfg.standalone
+mv $LIVE_ROOT/isolinux/isolinux.cfg.standalone $LIVE_ROOT/isolinux/isolinux.cfg
+
+%end
+
+%post
+# Create post-image processing manifests
+manifests=/tmp/manifests
+mkdir -p $manifests
+rpm -qa --qf '%{name}-%{version}-%{release}.%{arch}\n' | sort \
+ > $manifests/rpm-manifest-post.txt
+rpm -qa --qf '%{sourcerpm}\n' | sort -u > $manifests/srpm-manifest-post.txt
+du -akx --exclude=/var/cache/yum / > $manifests/file-manifest-post.txt
+du -x --exclude=/var/cache/yum / > $manifests/dir-manifest-post.txt
+
+ver=$(rpm -q --qf '%{version}' ovirt-node)
+rel=$(rpm -q --qf '%{release}' ovirt-node)
+arch=$(rpm -q --qf '%{arch}' ovirt-node)
+echo "oVirt Node release $ver-$rel-$arch" > $manifests/ovirt-release
+tar -cvf ovirt-node-image-manifests-$ver-$rel.$arch.tar -C /tmp manifests
+ln -nf ovirt-node-image-manifests-$ver-$rel.$arch.tar ovirt-node-image-manifests.tar
+rm -Rf $manifests
+%end
+
+%post --nochroot
+# Move manifest tar to build directory
+mv $INSTALL_ROOT/ovirt-node-image-manifests*.tar .
+
+# only works on x86, x86_64
+if [ "$(uname -i)" = "i386" -o "$(uname -i)" = "x86_64" ]; then
+ if [ ! -d $LIVE_ROOT/LiveOS ]; then mkdir -p $LIVE_ROOT/LiveOS ; fi
+ cp /usr/bin/livecd-iso-to-disk $LIVE_ROOT/LiveOS
+ cp /usr/bin/livecd-iso-to-pxeboot $LIVE_ROOT/LiveOS
+fi
+%end
+
-- 1.6.2.5 _______________________________________________ Ovirt-devel mailing list [email protected] https://www.redhat.com/mailman/listinfo/ovirt-devel
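Review bot: The `--nochroot` block that installs `ovirt-authorized_keys` runs `chmod 755 $INSTALL_ROOT/root/.ssh`, while the `%post` that `%include`s common-post.ks earlier in this file sets the same directory to `chmod 700 /root/.ssh`; this block comes later, so 755 is presumably what an image built with a key file ends up with, and the two should agree on `chmod 700 $INSTALL_ROOT/root/.ssh`. Every path in the `--nochroot` blocks expands `$INSTALL_ROOT` and `$LIVE_ROOT` unquoted, so a build directory containing whitespace turns `chown -R root:root $INSTALL_ROOT/root/.ssh` into a recursive chown over the wrong arguments; quote them as `"$INSTALL_ROOT/root/.ssh"` throughout. `[ -f "ovirt-authorized_keys" ]` is resolved against the directory livecd-creator was started from, which is not stated anywhere; a comment such as `# looked up relative to the cwd of livecd-creator, not the recipe directory` would save the next person a build.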
