Commit Graph

24 Commits

Author SHA1 Message Date
Gabriele Cerami
5e957f6350 secure_path in sudoers: deal with possible quotes
Sometimes the secure_path option value in /etc/sudoers is surrounded by
quotes; in this case the current command creates an invalid entry and
it's not possible to sudo anymore.
This fix adjusts the sed command to deal with possible quotes.

Change-Id: Ifd6f9e29b3c0d04d6f65d3f55524ad202fb3294e
2016-08-03 15:24:07 +02:00
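An added example, not code from diskimage-builder, showing the distinction this commit fixes: a line-append rewrite that breaks a quoted secure_path value beside a quote-aware rewrite, with a small structural check standing in for `visudo -c`. The function names and the sample sudoers lines are constructed for this illustration.

```shell
#!/bin/sh
# Added example (not diskimage-builder code): append a directory to the
# secure_path value in sudoers whether or not the value is quoted.
set -eu

# Constructed sample sudoers lines, one quoted and one not (not a real file).
SAMPLE_QUOTED='Defaults    secure_path = "/sbin:/bin:/usr/sbin:/usr/bin"'
SAMPLE_PLAIN='Defaults    secure_path = /sbin:/bin:/usr/sbin:/usr/bin'

# Pre-fix shape: append to the end of the line regardless of quoting, which
# leaves the closing quote in the middle of the value, so sudo rejects the file.
append_secure_path_naive() {
    sed -E "s|^(Defaults[[:space:]]+secure_path[[:space:]]*=.*)$|\1:$1|"
}

# Fixed shape: capture an optional opening quote (group 1), the value (group 2)
# and an optional closing quote (group 3), and insert the new directory
# between the value and the closing quote. Reads sudoers text on stdin.
append_secure_path() {
    sed -E "s|^(Defaults[[:space:]]+secure_path[[:space:]]*=[[:space:]]*\"?)([^\"[:space:]]*)(\"?)|\1\2:$1\3|"
}

# Structural check on stdin: the value must be fully quoted or unquoted, with
# no stray quote inside it. Stands in for "visudo -c" where visudo is absent.
secure_path_is_sane() {
    value=$(sed -nE 's/^Defaults[[:space:]]+secure_path[[:space:]]*=[[:space:]]*//p')
    case "$value" in
        \"*\") value=${value#\"}; value=${value%\"} ;;   # strip one pair of quotes
    esac
    case "$value" in
        ''|*\"*) return 1 ;;
    esac
    return 0
}

# Demonstration: the naive rewrite passes on the plain line and fails on the
# quoted one; the quote-aware rewrite passes on both.
for line in "$SAMPLE_PLAIN" "$SAMPLE_QUOTED"; do
    for fn in append_secure_path_naive append_secure_path; do
        out=$(printf '%s\n' "$line" | "$fn" /usr/local/sbin)
        if printf '%s\n' "$out" | secure_path_is_sane; then
            printf '%-26s OK   %s\n' "$fn" "$out"
        else
            printf '%-26s BAD  %s\n' "$fn" "$out"
        fi
    done
done
```

On a real build the element runs `visudo -c` after editing (see commit 1d629ccd46); the quote-balance check here only catches the specific breakage described in this commit.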
James Slagle
1d629ccd46 Check sudoers file after editing
"visudo -c" should be run after the sudoers file has been edited. This
will ensure that the file is still syntactically correct, and exit 1 if
it isn't.  Otherwise, obscure errors can occur later on, and it is
difficult to track them back to this script as the source of the error.

Change-Id: Id0e5114d72c0779952a0c2c2c06696929c6c8b17
2016-07-07 09:51:43 -04:00
Ian Wienand
6a1eb2457c Move selinux restore to end of finalise
After a bit of spelunking, I90d0c96d5659326ba67d6119b96d9a4113adf7fe
was the original change that introduced the setfiles here rather than
autorelabel at boot time.

Touching the autorelabel file probably makes sense somewhere low, but
when we start relabelling the file system we really should be doing that
as late as possible so we fix up everything that has come before.
Move this to 90 to capture this.

Change-Id: Iae0afe850f52ec3b59c49507fa9bbcc1c8f8cfa1
2016-04-20 13:52:37 +10:00
Abel Lopez
570ecf16a5 Set and export DIB_RELEASE for centos7
The default value was set in the centos7 element, but not
exported, which caused issues in rpm-distro. Also changed
a test in rpm-distro to only check for DIB_RELEASE > 22
if it's fedora.

Closes-Bug: #1477172

Change-Id: Ib6f4227411c2e8f1965c3b78bc318512c59a7876
2015-08-04 08:35:20 -07:00
Ian Wienand
b183e024ba Work around yum/dnf differences
Some minor workarounds for Fedora >= 22 where dnf is the default
package manager. The changes are documented on the Fedora release
notes https://fedoraproject.org/wiki/Changes/ReplaceYumWithDNF

Change-Id: I7d7d6f5d294980dcb217d6190a1efd9e0bbea9a6
2015-06-24 09:20:45 +10:00
Gregory Haynes
fe559242cb Don't fail if we're missing setfiles
We are using which to find the location of setfiles. Our script is set
-e though, and we need to also be able to handle the case where setfiles
does not exist (like on centos-minimal).

Change-Id: If53c7a80efc081b95b143c28be64d39b12bfb469
2015-06-11 01:47:07 +00:00
Abel Lopez
7514fc066f Use environment setfiles
Hard-coded path fails on distros (such as el6) with the setfiles bin
in different places; for example, rhel6 has this in /sbin/setfiles.

Change-Id: I7aff9cdadd9aed9cfc806a1010acbf36b7b6d0e7
2015-05-21 14:59:31 -07:00
Ian Wienand
36b59c001c Standardise tracing for scripts
There is a wide variety of tracing options through the various shell
scripts.  Some use "set -eux", others explicitly set xtrace and others
do nothing.  There is a "-x" option to bin/disk-image-create but it
doesn't flow down to the many scripts it calls.

This adds a global integer variable set by disk-image-create
DIB_DEBUG_TRACE.  All scripts have a stanza added to detect this and
turn on tracing.  Any other tracing methods are rolled into this.  So
the standard header is

---
if [ "${DIB_DEBUG_TRACE:-0}" -gt 0 ]; then
    set -x
fi
set -eu
set -o pipefail
---

Multiple -x options can be specified to disk-image-create, which
increases the value of DIB_DEBUG_TRACE.  If script authors feel their
script should only trace at higher levels, they should modify the
"-gt" value.  If they feel it should trace by default, they can modify
the default value also.

Changes in patchset 16: scripts which currently trace themselves by
default have retained this behaviour with DIB_DEBUG_TRACE defaulting
to "1".  This was done by running [1] on patch set 15.  See the thread
beginning at [2].

dib-lint is also updated to look for the variable being matched.

[1] https://gist.github.com/ianw/71bbda9e6acc74ccd0fd
[2] http://lists.openstack.org/pipermail/openstack-dev/2014-November/051575.html

Change-Id: I6c5a962260741dcf6f89da9a33b96372a719b7b0
2015-02-12 10:41:32 +11:00
Jenkins
807e89f063 Merge "setfiles consistently"
2015-02-04 22:56:15 +00:00
Abel Lopez
9009b18869 setfiles consistently
Working on host systems without selinux, where the guest image
does have selinux, creates a situation where the instance will
have about a 1-minute delay on first boot because it must relabel.
The previous check for sysfs assumes that the host system has
selinux, which is not needed for the guest setfiles to work.

Change-Id: Ic186a45991b6d80880ad635e9c80985612f53a05
Closes-bug: 1414200
2015-02-03 09:00:07 -08:00
yogananth subramanian
15ccf776be Add support for using local PowerPC VM image
Patch adds support for PowerPC Big-endian and Little-endian local
fedora VM images and for using VM images with two partitions, PReP
boot and root partition, since PowerPC requires a PReP boot
partition to be present.

Change-Id: Iba03226e187609df898732c13b1aa5f895b156e3
Closes-Bug: 1413487
2015-01-23 05:11:08 +05:30
Monty Taylor
bec83686f4 Unset requiretty if it exists in sudoers
Fedora sets requiretty globally by default. This makes sense for
interactive machines with lots of password typing, but is pretty
atrocious for machines that might need users who remotely sudo to do
things. Just remove the setting.

Change-Id: Ic32bd92061a73f854683cc0d2d8919071dabe8cf
2014-11-28 11:35:00 -05:00
Ghe Rivero
6484b9b026 Move install bin from rpm-distro to yum
rpm-distro element was trying to install bin programs into the
image but it doesn't provide any. Move that logic into the yum
element which provides the install-packages bin.

Change-Id: Id5339fc7ffbef6327fe41f50a3e39ab30b6d0320
2014-10-08 07:43:19 +00:00
Ben Nemec
dde3d24213 Allow custom rootfs labels
Per [1], our current root label of cloudimg-root does not work with
XFS because XFS only allows 12-character labels.  This change
addresses that by allowing a custom rootfs label to be specified
in the call to disk-image-create.  There should be no backwards
compatibility concerns as the default label is unchanged.  Any
external elements dealing with the label would need to be updated
to support this new feature, but should continue to work as before
as long as a custom label is not specified.

[1]: https://bugzilla.redhat.com/show_bug.cgi?id=1139584

Change-Id: I596104d1a63b5dc6549e8460a1ae3da00165ef04
2014-09-26 17:44:08 -05:00
Victor Lowther
e92398a318 Relabel filesystem if SELinux is available
Relabel the filesystem during image builds if SELinux is supported
in the kernel of the build machine and userspace tools are available.

Otherwise touch /.autorelabel to schedule a relabel the first time
the image boots. We relabel when possible because it decreases first
boot time.

Change-Id: I0bec885d6e5d4f4e1106f3bd2a90ba5f86395b07
Partial-Bug: 1347845
2014-08-04 17:56:33 -07:00
Richard Su
4e68a7965b Remove fixfiles from rpm-distro finalize
Running fixfiles after setfiles is redundant. setfiles
already corrected the SELinux file security contexts.

Change-Id: I48067f06968c5add48fa91a1496b9bf36944546c
Closes-Bug: #1316241
2014-07-03 11:47:10 +10:00
Dan Prince
3145e4a970 Name 01-install-bin uniquely
While an end user would never use these elements at the same time we
should always use unique names for things per DIB conventions.

Change-Id: I53b10522183e8566c62922b91878e5cf767fe2c6
2014-06-11 08:16:41 -04:00
Gonéri Le Bouder
ea3f4dd459 4 spaces indent
Ensure 4-space indentation is used everywhere.

Change-Id: Ieb48faacb4c96b7b358771d70c17f2f22d0354f4
2014-05-10 11:17:29 +02:00
Ben Nemec
16be6d7ce0 set -u and -o pipefail everywhere
As with the previous similar changes, this is intended to catch
problems as they happen instead of ignoring them and continuing on
to potentially fail later.  Setting this on all existing scripts
will allow us to enforce use via Jenkins.

Change-Id: Iad2d490c86dceab148ea9ab08f457c49a5d5352e
2014-05-06 15:51:07 -05:00
Ben Nemec
f6ba2aeaf4 set -e all the things
Using set -e in all of our scripts will prevent some subtle bugs
from slipping in, and will allow us to enforce use of set -e with
tooling.

This change also adds -u and set -o pipefail in the less complex
scripts where it is unlikely to cause problems.  A follow-up change
will enable those options in the complex scripts so that if it
breaks something it can be reverted easily.

Change-Id: I0ad358ccb98da7277a0ee2e9ce8fda98438675eb
2014-04-25 17:38:51 -05:00
James Slagle
ea257c96d9 Skip relabel unless SELinux is enforcing
The SELinux relabel of the filesystem is taking almost 2 minutes and
isn't needed unless you actually plan to run with SELinux enforcing.
Plus, it appears to "leak" out of the chroot, referencing filesystems on
partitions that aren't even mounted in the chroot.

Note you just can't use getenforce or selinuxenabled here to get the
state of SELinux because those commands are not accurate inside a
chroot.

TBH, a downside of this is that if someone goes to try to enable SELinux
in an image where it was built with it not enabled, the file contexts
are going to be wrong. So they'd need to relabel themselves at that
point. However, this saves me quite a bit of time during image builds,
so I thought I'd submit to get other folks opinion on it.

Change-Id: I2132060d573fc93cf974f3560fdc651ff8ba38b4
2014-01-23 15:29:29 -05:00
Victor Lowther
43b70ce224 /bin/bash all the things.
Since we are using bash syntax in some of the element fragments,
we should make sure we use bash for all of them, so that things don't
break on systems where /bin/sh != /bin/bash.

Change-Id: If2f043c57aa4e1492b7f9839213ef6123f683612
2013-11-17 16:59:31 -06:00
Derek Higgins
64f4323ae7 Allow heat-admin to sudo without tty
This is needed to run scripts from devtest, in particular so that
swift ring files can be distributed.

Change-Id: Icbe8c5b24a0d494730357983f230a37a7f078de7
2013-11-12 20:26:11 +00:00
Chris Alfonso
301c3c4475 Extracting common functionality for rpm based distros
Rather than duplicating code to implement rhel or any
other derivative, this patch introduces an rpm-distro
element that should be used as a dependency.

Change-Id: I8a92bb041764d03f430b438f0013704f79a8674c
2013-08-20 16:44:19 -04:00