Commit graph

16 commits

Author SHA1 Message Date
Ian Wienand
672705831f Add a best-effort sudo safety check
As motivation for this; we have had two breakouts of dib in recent
memory.  One was a failure to unmount through symlinks in the core
code (I335316019ef948758392b03e91f9869102a472b9) and the other was
removing host keys on the build-system
(Ib01d71ff9415a0ae04d963f6e380aab9ac2260ce).

For the most part, dib runs unprivileged.  Bits of the core code are
hopefully well tested (modulo bugs like the first one!).  We give free
reign inside the chroot (although there is still some potential there
for adverse external affects via bind mounts).  Where we could be a
bit safer (and could have prevented at least the second of these
breakouts) is with some better checking that the "sudo" calls
*outside* the chroot at least looked sane.

This adds a basic check that we're using chroot or image paths when
calling sudo in those parts of elements that run *outside* the chroot.
Various files are updated to accomodate this check; mostly by just
ignoring it for existing code (I have not audited these calls).

Nobody is pretending this type of checking makes dib magically safe,
or removes the issues with it needing to do things as root during the
build.  But this can help find egregious errors like the key removal.

Change-Id: I161a5aea1d29dcdc7236f70d372c53246ec73749
2016-05-09 15:41:38 +10:00
Moshe Levi
9074f5f1fc Add lshw package to ironic-agent
This patch add the lshw utils to allow the agent
to retrive the vendor name. It also keeps the
/usr/share/misc/pci.ids file for Ubuntu distro.

Change-Id: I2828a7e585449f63887ad5a2e338b4e043d68e63
2016-03-09 12:54:57 +02:00
Martin André
bc2199144e Selectively prune /root for ironic-agent ramdisk
Previously all files in /root were ignored when building the
ironic-agent ramdisk. This prevented for example to use the
local-config element to connect to the ramdisk via ssh as root user.

This commit change the exclude rule on /root to only ignore the
/root/.cache directory.

Change-Id: I18d839e8d97636f5f2164ba407f252407d9bc956
Closes-Bug: #1451668
2015-10-26 11:19:28 +09:00
Derek Higgins
bdcd03d604 Avoid transcending /proc with find
Find doesn't like listings disappearing while its trying to find them,
in this case if a PID directory disappears while find is running. Using
-xdev prevents find from going into ./proc and as a side effect /dev
will also be avoided which is mounted on boot so not needed either.

Change-Id: Iaa282e58d81d533ad4445da0a44200dd14bf0850
Closes-bug: #1502142
2015-10-08 12:16:23 +01:00
Jenkins
ea94034331 Merge "agent: ensure vmlinuz file does not exist before hard-linking into it" 2015-10-05 20:56:09 +00:00
Derek Higgins
68856c6006 Restrict search for python object files to ./usr
Traversing the /proc filesystem causes find to error if it changes
while its being searched.

We have had a lot of ci failures on this find command since it was
added in Ibe40e6b8b884f37e3b5aeab6e7654593bcd63123

Change-Id: Ia8cfc923cce749a69d5108e588db2360238d866c
Closes-Bug: #1501949
2015-10-02 10:36:05 +01:00
Dmitry Tantsur
afda063697 agent: ensure vmlinuz file does not exist before hard-linking into it
Otherwise on rebuilding the agent the following error is produced:
    failed to create hard link /home/stack/ironic-agent.vmlinuz
and the vmlinuz file is not updated.

Change-Id: I2015da889c932a854727235b1e34256a28e9eac6
2015-09-30 11:37:28 +02:00
Gary Duan
398494568a Contains the directory name of /sys and /proc
When a ubuntu/IPA ramdisk is used to boot a baremetal machine with
ironic agent-ilo driver, it fails at the point of mounting /proc
and /sys. After the vmlinuz(kernel) is started and it tries to
load the partitions on ramdisk. It need the directory of "/sys"
and "/proc" to mount the corresponding filesystems.
In order to fix this issue, the directories of "sys" and "proc"
are retained but the subdirectories or files under them are empty.
With this change, the directories of "/sys" and "/proc" shows
up in the ramdisk and kernel will mount sys and proc filesystems
on them respectively.

Closes-Bug: #1488445
Change-Id: Iad5d62f373b73789118f23db4c932ea6e9a784c3
Signed-off-by: Gary Duan <duanlg@live.cn>
2015-09-25 16:51:44 +08:00
Jenkins
626bf5d68e Merge "ironic-agent element to output a .kernel file" 2015-09-24 13:13:41 +00:00
Lucas Alvares Gomes
ba808fa6ec ironic-agent element to output a .kernel file
The ironic-agent element is created using the disk-image-create utility
(even being a ramdisk) and outputs a .vmlinuz file for the kernel
(different than the ramdisk-image-create which outputs a .kernel file
for the kernel). This is inconsistent and make scripting against the
diskimage-builder more complicated if one wants to support different
types of ramdisk.

This patch creates a hard link for the .vmlinuz file to a .kernel file
at the end of the process (to keep backward compatibility) and print a
deprecation message.

Depends-On: I81400305f166d62aa4612aab54602abb8178b64c
Change-Id: I476f9ec9ec4206ece0261eaaf2b4182c6bcbd802
Closes-Bug: #1482606
2015-09-23 19:02:54 -04:00
Dmitry Tantsur
79ffe86e34 ironic-agent: remove python object files
Makes the compressed ramdisk 2MiB smaller

Change-Id: Ibe40e6b8b884f37e3b5aeab6e7654593bcd63123
2015-09-21 13:10:47 +02:00
Lucas Alvares Gomes
1181fb8543 Reduce the size of the ironic-agent ramdisk
This patch is reducing the size of the ramdisk image generated by the
ironic-agent element. It does remove extra packages (graphical stuff,
dev stuff, miscs, docs, etc...) and purges directories that are not
needed for a ramdisk (like /boot since it boots using an external
kernel)

Currently it was tested generating a Fedora 22 image and reduced the
size of the final image from 464 MB to 211MB compacted (54% decrease).

I was able to boot a VM with 1.3 GiB of ram instead of the previous 3 GiB
needed.

Change-Id: Id6333ca5d99716ccad75ea1964896acf371fa72a
2015-08-06 16:34:30 +01:00
Pino Toscano
92dab2c82a ironic-agent: exclude content of /tmp from initramfs
/tmp does not contain anything useful anyway, and excluding its content
makes the initramfs smaller too.

Change-Id: Ia72867e0cdebacf668ac1a1f551a965da0d69694
2015-03-10 19:03:04 +01:00
Ian Wienand
36b59c001c Standarise tracing for scripts
There is a wide variety of tracing options through the various shell
scripts.  Some use "set -eux", others explicity set xtrace and others
do nothing.  There is a "-x" option to bin/disk-image-create but it
doesn't flow down to the many scripts it calls.

This adds a global integer variable set by disk-image-create
DIB_DEBUG_TRACE.  All scripts have a stanza added to detect this and
turn on tracing.  Any other tracing methods are rolled into this.  So
the standard header is

---
if [ "${DIB_DEBUG_TRACE:-0}" -gt 0 ]; then
    set -x
fi
set -eu
set -o pipefail
---

Multiple -x options can be specified to dib-create-image, which
increases the value of DIB_DEBUG_TRACE.  If script authors feel their
script should only trace at higher levels, they should modify the
"-gt" value.  If they feel it should trace by default, they can modify
the default value also.

Changes to pachset 16 : scripts which currently trace themselves by
default have retained this behaviour with DIB_DEBUG_TRACE defaulting
to "1".  This was done by running [1] on patch set 15.  See the thread
beginning at [2]

dib-lint is also updated to look for the variable being matched.

[1] https://gist.github.com/ianw/71bbda9e6acc74ccd0fd
[2] http://lists.openstack.org/pipermail/openstack-dev/2014-November/051575.html

Change-Id: I6c5a962260741dcf6f89da9a33b96372a719b7b0
2015-02-12 10:41:32 +11:00
Clint Byrum
4dceacd5ed Allow absolute path to image with ironic-agent
The element was prepending the work directory forcibly, which will have
problems when the image name has an absolute path, which is allowed.

Change-Id: I0cb7b96e24daab8ee73611936af72074c70ac1aa
Closes-Bug: #1400405
2014-12-16 10:40:55 -08:00
Yuriy Zveryanskyy
676b1b738d Add element for building ramdisk with ironic-python-agent
This element creates kernel and ramdisk files based on Fedora,
example:
disk-image-create -a i386 -o test fedora ironic-agent disable-selinux

Change-Id: Ifa133d1680b81cb87d32a405aa7d7b40fe91f835
2014-11-13 19:30:44 +02:00