sig_cloud/diskimage-builder
2
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
2,257 Commits 1 Branch 0 Tags 5.4 MiB
Shell 54.1%
Python 45.7%
Jinja 0.2%
672705831f
Go to file
Ian Wienand 672705831f Add a best-effort sudo safety check 
As motivation for this; we have had two breakouts of dib in recent
memory.  One was a failure to unmount through symlinks in the core
code (I335316019ef948758392b03e91f9869102a472b9) and the other was
removing host keys on the build-system
(Ib01d71ff9415a0ae04d963f6e380aab9ac2260ce).

For the most part, dib runs unprivileged.  Bits of the core code are
hopefully well tested (modulo bugs like the first one!).  We give free
reign inside the chroot (although there is still some potential there
for adverse external affects via bind mounts).  Where we could be a
bit safer (and could have prevented at least the second of these
breakouts) is with some better checking that the "sudo" calls
*outside* the chroot at least looked sane.

This adds a basic check that we're using chroot or image paths when
calling sudo in those parts of elements that run *outside* the chroot.
Various files are updated to accomodate this check; mostly by just
ignoring it for existing code (I have not audited these calls).

Nobody is pretending this type of checking makes dib magically safe,
or removes the issues with it needing to do things as root during the
build.  But this can help find egregious errors like the key removal.

Change-Id: I161a5aea1d29dcdc7236f70d372c53246ec73749
2016-05-09 15:41:38 +10:00
bin Add a best-effort sudo safety check 2016-05-09 15:41:38 +10:00
diskimage_builder Remove outdated translation files 2016-01-31 20:31:29 +01:00
doc/source Add a best-effort sudo safety check 2016-05-09 15:41:38 +10:00
elements Add a best-effort sudo safety check 2016-05-09 15:41:38 +10:00
lib Use fstrim to prep the block device 2016-03-13 16:24:59 +00:00
releasenotes Add releasenotes 2016-04-21 13:19:53 +10:00
tests Fix disk usage report 2016-04-08 07:07:00 +10:00
.gitignore Ignore manifest outputs more carefully. 2014-06-26 04:29:51 +12:00
.gitreview Update stackforge references to openstack 2013-08-17 22:58:26 -04:00
.testr.conf Add unit test for cache-url 2014-09-30 16:39:21 -05:00
babel.cfg Make it possible for openstack-CI to run tests 2013-02-04 22:26:17 -08:00
LICENSE Fix copyrights for HP work. 2012-11-15 16:20:32 +13:00
MANIFEST.in Remove old entries from MANIFEST.in 2015-09-02 15:15:13 +10:00
README.rst Make README.rst a bit more generic 2015-09-16 13:52:43 +10:00
requirements.txt Updated from global requirements 2016-04-15 01:52:46 +00:00
setup.cfg Remove deprecated disk-image-get-kernel 2015-07-06 16:44:07 +00:00
setup.py Updated from global requirements 2015-09-22 09:17:08 +00:00
test-requirements.txt Updated from global requirements 2016-04-21 18:11:09 +00:00
tox.ini Add releasenotes 2016-04-21 13:19:53 +10:00

README.rst 

Image building tools for OpenStack
==================================

``diskimage-builder`` is a flexible suite of components for building a
wide-range of disk images, filesystem images and ramdisk images for
use with OpenStack.

This repository has the core functionality for building such images,
both virtual and bare metal.  Images are composed using `elements`;
while fundamental elements are provided here, individual projects have
the flexibility to customise the image build with their own elements.

For example::

  $ DIB_RELEASE=trusty disk-image-create -o ubuntu-trusty.qcow2 vm ubuntu

will create a bootable Ubuntu Trusty based ``qcow2`` image.

``diskimage-builder`` is useful to anyone looking to produce
customised images for deployment into clouds.  These tools are the
components of `TripleO <https://wiki.openstack.org/wiki/TripleO>`__
that are responsible for building disk images.  They are also used
extensively to build images for testing OpenStack itself, particularly
with `nodepool
<http://docs.openstack.org/infra/system-config/nodepool.html>`__.
Platforms supported include Ubuntu, CentOS, RHEL and Fedora.

Full documentation, the source of which is in ``doc/source/``, is
published at:

* http://docs.openstack.org/developer/diskimage-builder/

Copyright
=========

Copyright 2012 Hewlett-Packard Development Company, L.P.
Copyright (c) 2012 NTT DOCOMO, INC.

All Rights Reserved.

Licensed under the Apache License, Version 2.0 (the "License"); you may
not use this file except in compliance with the License. You may obtain
a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
License for the specific language governing permissions and limitations
under the License.