20 Commits
Author | SHA1 | Date | |
---|---|---|---|
1470e590d3 | |||
546f8b4687 | |||
7f3a4b4761 | |||
4906749ed0 | |||
1a45143b00 | |||
fc0b738c75 | |||
689e7aa793 | |||
9c1b828ab7 | |||
448b8c035b | |||
a6f4632d66 | |||
08d8995344 | |||
333f3614f9 | |||
dc53a5be9e | |||
678c807741 | |||
f482ef6e1f | |||
eba3593cfd | |||
b53afe66e2 | |||
30a84cfed5 | |||
5e6427ea4b | |||
8c775c308c |
@ -31,7 +31,6 @@
|
|||||||
- 'AppStream'
|
- 'AppStream'
|
||||||
- 'CRB'
|
- 'CRB'
|
||||||
- 'HighAvailability'
|
- 'HighAvailability'
|
||||||
- 'ResilientStorage'
|
|
||||||
- 'RT'
|
- 'RT'
|
||||||
- 'NFV'
|
- 'NFV'
|
||||||
- 'SAP'
|
- 'SAP'
|
||||||
@ -47,6 +46,7 @@
|
|||||||
images:
|
images:
|
||||||
dvd:
|
dvd:
|
||||||
disc: True
|
disc: True
|
||||||
|
reposcan: False
|
||||||
variant: 'AppStream'
|
variant: 'AppStream'
|
||||||
repos:
|
repos:
|
||||||
- 'BaseOS'
|
- 'BaseOS'
|
||||||
@ -54,6 +54,7 @@
|
|||||||
minimal:
|
minimal:
|
||||||
disc: True
|
disc: True
|
||||||
isoskip: True
|
isoskip: True
|
||||||
|
reposcan: False
|
||||||
repos:
|
repos:
|
||||||
- 'minimal'
|
- 'minimal'
|
||||||
- 'BaseOS'
|
- 'BaseOS'
|
||||||
@ -188,9 +189,6 @@
|
|||||||
HighAvailability:
|
HighAvailability:
|
||||||
- BaseOS
|
- BaseOS
|
||||||
- AppStream
|
- AppStream
|
||||||
ResilientStorage:
|
|
||||||
- BaseOS
|
|
||||||
- AppStream
|
|
||||||
RT:
|
RT:
|
||||||
- BaseOS
|
- BaseOS
|
||||||
- AppStream
|
- AppStream
|
||||||
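Review bot: `reposcan: False` is set on the `dvd` image in the @@ -47 hunk of this file; with the iso.py change in this same compare, a false `reposcan` makes `_extra_iso_build` skip grafting each variant's `Packages/` and `repodata/` into the ISO, so this profile's dvd image would carry only the lorax boot tree and extra files, while every other profile in the compare sets `dvd` to `True`. If that is deliberate, a comment next to the key such as `# reposcan: False — this profile's dvd is built without compose Packages/repodata grafts` would stop it being "fixed" later; otherwise it looks like a copy of the `minimal` setting. I am inferring which profile this is from the hunk context only.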
|
@ -31,7 +31,6 @@
|
|||||||
- 'AppStream'
|
- 'AppStream'
|
||||||
- 'CRB'
|
- 'CRB'
|
||||||
- 'HighAvailability'
|
- 'HighAvailability'
|
||||||
- 'ResilientStorage'
|
|
||||||
- 'RT'
|
- 'RT'
|
||||||
- 'NFV'
|
- 'NFV'
|
||||||
- 'SAP'
|
- 'SAP'
|
||||||
@ -47,6 +46,7 @@
|
|||||||
images:
|
images:
|
||||||
dvd:
|
dvd:
|
||||||
disc: True
|
disc: True
|
||||||
|
reposcan: True
|
||||||
variant: 'AppStream'
|
variant: 'AppStream'
|
||||||
repos:
|
repos:
|
||||||
- 'BaseOS'
|
- 'BaseOS'
|
||||||
@ -54,6 +54,7 @@
|
|||||||
minimal:
|
minimal:
|
||||||
disc: True
|
disc: True
|
||||||
isoskip: True
|
isoskip: True
|
||||||
|
reposcan: False
|
||||||
repos:
|
repos:
|
||||||
- 'minimal'
|
- 'minimal'
|
||||||
- 'BaseOS'
|
- 'BaseOS'
|
||||||
@ -188,9 +189,6 @@
|
|||||||
HighAvailability:
|
HighAvailability:
|
||||||
- BaseOS
|
- BaseOS
|
||||||
- AppStream
|
- AppStream
|
||||||
ResilientStorage:
|
|
||||||
- BaseOS
|
|
||||||
- AppStream
|
|
||||||
RT:
|
RT:
|
||||||
- BaseOS
|
- BaseOS
|
||||||
- AppStream
|
- AppStream
|
||||||
|
@ -1,10 +1,10 @@
|
|||||||
---
|
---
|
||||||
'9-beta':
|
'9-beta':
|
||||||
fullname: 'Rocky Linux 9.4'
|
fullname: 'Rocky Linux 9.5'
|
||||||
revision: '9.4'
|
revision: '9.5'
|
||||||
rclvl: 'BETA1'
|
rclvl: 'BETA1'
|
||||||
major: '9'
|
major: '9'
|
||||||
minor: '4'
|
minor: '5'
|
||||||
profile: '9-beta'
|
profile: '9-beta'
|
||||||
disttag: 'el9'
|
disttag: 'el9'
|
||||||
code: "Blue Onyx"
|
code: "Blue Onyx"
|
||||||
@ -20,7 +20,7 @@
|
|||||||
- ppc64le
|
- ppc64le
|
||||||
- s390x
|
- s390x
|
||||||
provide_multilib: True
|
provide_multilib: True
|
||||||
project_id: 'df5bcbfc-ba83-4da8-84d6-ae0168921b4d'
|
project_id: 'ae163d6a-f050-484f-bbaa-100ca673f146'
|
||||||
repo_symlinks:
|
repo_symlinks:
|
||||||
NFV: 'nfv'
|
NFV: 'nfv'
|
||||||
renames:
|
renames:
|
||||||
@ -53,12 +53,14 @@
|
|||||||
images:
|
images:
|
||||||
dvd:
|
dvd:
|
||||||
disc: True
|
disc: True
|
||||||
|
reposcan: True
|
||||||
variant: 'AppStream'
|
variant: 'AppStream'
|
||||||
repos:
|
repos:
|
||||||
- 'BaseOS'
|
- 'BaseOS'
|
||||||
- 'AppStream'
|
- 'AppStream'
|
||||||
minimal:
|
minimal:
|
||||||
disc: True
|
disc: True
|
||||||
|
reposcan: False
|
||||||
isoskip: True
|
isoskip: True
|
||||||
repos:
|
repos:
|
||||||
- 'minimal'
|
- 'minimal'
|
||||||
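Review bot: `project_id` in the @@ -20 hunk changes to `'ae163d6a-f050-484f-bbaa-100ca673f146'`, and the `9-lookahead` profile's @@ -20 hunk further down this page is changed to the identical value, whereas before the two profiles had distinct ids (`'df5bcbfc-ba83-4da8-84d6-ae0168921b4d'` and `'6794b5a8-290b-4d0d-ad5a-47164329cbb0'`). If `project_id` selects a distinct build-system project per profile, one of the two is probably a copy-paste slip and would point the beta or lookahead compose at the wrong project; if sharing one project is now intended, a short comment at the key saying so would make that visible. The `fullname`, `revision` and `minor` edits are a plain version bump and need nothing.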
|
@ -53,6 +53,7 @@
|
|||||||
images:
|
images:
|
||||||
dvd:
|
dvd:
|
||||||
disc: True
|
disc: True
|
||||||
|
reposcan: True
|
||||||
variant: 'AppStream'
|
variant: 'AppStream'
|
||||||
repos:
|
repos:
|
||||||
- 'BaseOS'
|
- 'BaseOS'
|
||||||
@ -60,6 +61,7 @@
|
|||||||
minimal:
|
minimal:
|
||||||
disc: True
|
disc: True
|
||||||
isoskip: True
|
isoskip: True
|
||||||
|
reposcan: False
|
||||||
repos:
|
repos:
|
||||||
- 'minimal'
|
- 'minimal'
|
||||||
- 'BaseOS'
|
- 'BaseOS'
|
||||||
|
@ -1,10 +1,10 @@
|
|||||||
---
|
---
|
||||||
'9-lookahead':
|
'9-lookahead':
|
||||||
fullname: 'Rocky Linux 9.5'
|
fullname: 'Rocky Linux 9.6'
|
||||||
revision: '9.5'
|
revision: '9.6'
|
||||||
rclvl: 'LH1'
|
rclvl: 'LH1'
|
||||||
major: '9'
|
major: '9'
|
||||||
minor: '5'
|
minor: '6'
|
||||||
profile: '9-lookahead'
|
profile: '9-lookahead'
|
||||||
disttag: 'el9'
|
disttag: 'el9'
|
||||||
code: "Blue Onyx"
|
code: "Blue Onyx"
|
||||||
@ -20,7 +20,7 @@
|
|||||||
- ppc64le
|
- ppc64le
|
||||||
- s390x
|
- s390x
|
||||||
provide_multilib: True
|
provide_multilib: True
|
||||||
project_id: '6794b5a8-290b-4d0d-ad5a-47164329cbb0'
|
project_id: 'ae163d6a-f050-484f-bbaa-100ca673f146'
|
||||||
repo_symlinks:
|
repo_symlinks:
|
||||||
NFV: 'nfv'
|
NFV: 'nfv'
|
||||||
renames:
|
renames:
|
||||||
@ -53,6 +53,7 @@
|
|||||||
images:
|
images:
|
||||||
dvd:
|
dvd:
|
||||||
disc: True
|
disc: True
|
||||||
|
reposcan: True
|
||||||
variant: 'AppStream'
|
variant: 'AppStream'
|
||||||
repos:
|
repos:
|
||||||
- 'BaseOS'
|
- 'BaseOS'
|
||||||
@ -60,6 +61,7 @@
|
|||||||
minimal:
|
minimal:
|
||||||
disc: True
|
disc: True
|
||||||
isoskip: True
|
isoskip: True
|
||||||
|
reposcan: False
|
||||||
repos:
|
repos:
|
||||||
- 'minimal'
|
- 'minimal'
|
||||||
- 'BaseOS'
|
- 'BaseOS'
|
||||||
|
@ -560,7 +560,7 @@ class RepoSync:
|
|||||||
|
|
||||||
#print(entry_name_list)
|
#print(entry_name_list)
|
||||||
for pod in entry_name_list:
|
for pod in entry_name_list:
|
||||||
podman_cmd_entry = '{} run -d -it -v "{}:{}" -v "{}:{}:z" -v "{}:{}" --name {} --entrypoint {}/{} {}'.format(
|
podman_cmd_entry = '{} run -d -it --security-opt label=disable -v "{}:{}" -v "{}:{}" -v "{}:{}" --name {} --entrypoint {}/{} {}'.format(
|
||||||
cmd,
|
cmd,
|
||||||
self.compose_root,
|
self.compose_root,
|
||||||
self.compose_root,
|
self.compose_root,
|
||||||
@ -714,7 +714,7 @@ class RepoSync:
|
|||||||
|
|
||||||
self.log.info('Spawning pods for %s' % repo)
|
self.log.info('Spawning pods for %s' % repo)
|
||||||
for pod in repoclosure_entry_name_list:
|
for pod in repoclosure_entry_name_list:
|
||||||
podman_cmd_entry = '{} run -d -it -v "{}:{}" -v "{}:{}:z" -v "{}:{}" --name {} --entrypoint {}/{} {}'.format(
|
podman_cmd_entry = '{} run -d -it --security-opt label=disable -v "{}:{}" -v "{}:{}" -v "{}:{}" --name {} --entrypoint {}/{} {}'.format(
|
||||||
cmd,
|
cmd,
|
||||||
self.compose_root,
|
self.compose_root,
|
||||||
self.compose_root,
|
self.compose_root,
|
||||||
@ -1509,7 +1509,7 @@ class RepoSync:
|
|||||||
|
|
||||||
self.log.info('Spawning pods for %s' % repo)
|
self.log.info('Spawning pods for %s' % repo)
|
||||||
for pod in repoclosure_entry_name_list:
|
for pod in repoclosure_entry_name_list:
|
||||||
podman_cmd_entry = '{} run -d -it -v "{}:{}" -v "{}:{}:z" -v "{}:{}" --name {} --entrypoint {}/{} {}'.format(
|
podman_cmd_entry = '{} run -d -it --security-opt label=disable -v "{}:{}" -v "{}:{}" -v "{}:{}" --name {} --entrypoint {}/{} {}'.format(
|
||||||
cmd,
|
cmd,
|
||||||
self.compose_root,
|
self.compose_root,
|
||||||
self.compose_root,
|
self.compose_root,
|
||||||
@ -2045,7 +2045,7 @@ class SigRepoSync:
|
|||||||
|
|
||||||
#print(entry_name_list)
|
#print(entry_name_list)
|
||||||
for pod in entry_name_list:
|
for pod in entry_name_list:
|
||||||
podman_cmd_entry = '{} run -d -it -v "{}:{}" -v "{}:{}:z" -v "{}:{}" --name {} --entrypoint {}/{} {}'.format(
|
podman_cmd_entry = '{} run -d -it --security-opt label=disable -v "{}:{}" -v "{}:{}" -v "{}:{}" --name {} --entrypoint {}/{} {}'.format(
|
||||||
cmd,
|
cmd,
|
||||||
self.compose_root,
|
self.compose_root,
|
||||||
self.compose_root,
|
self.compose_root,
|
||||||
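Review bot: Replacing the `:z` relabel on the second volume mount with `--security-opt label=disable` in the `podman_cmd_entry` format string of this hunk (and identically in the @@ -714, @@ -1509 and @@ -2045 hunks, plus iso.py's @@ -1006 hunk further down) turns off SELinux confinement for the whole container rather than relabeling one path. `:z` already made that bind mount shareable, so if the motivation was a denial on one of the other mounts, giving that mount its own `:z` keeps the container confined; if `label=disable` is genuinely required, a one-line comment above the format call stating the reason would keep the next reader from reverting it. The enclosing loop body and the code that runs the command continue outside the hunk.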
|
@ -81,12 +81,11 @@ class IsoBuild:
|
|||||||
self.compose_root = config['compose_root']
|
self.compose_root = config['compose_root']
|
||||||
self.compose_base = config['compose_root'] + "/" + major
|
self.compose_base = config['compose_root'] + "/" + major
|
||||||
self.current_arch = config['arch']
|
self.current_arch = config['arch']
|
||||||
self.required_pkgs = rlvars['iso_map']['lorax']['required_pkgs']
|
#self.required_pkgs = rlvars['iso_map']['lorax']['required_pkgs']
|
||||||
self.mock_work_root = config['mock_work_root']
|
self.mock_work_root = config['mock_work_root']
|
||||||
self.lorax_result_root = config['mock_work_root'] + "/" + "lorax"
|
self.lorax_result_root = config['mock_work_root'] + "/" + "lorax"
|
||||||
self.mock_isolation = isolation
|
self.mock_isolation = isolation
|
||||||
self.iso_map = rlvars['iso_map']
|
self.iso_map = rlvars['iso_map']
|
||||||
#self.livemap = rlvars['livemap']
|
|
||||||
self.cloudimages = rlvars['cloudimages']
|
self.cloudimages = rlvars['cloudimages']
|
||||||
self.release_candidate = rc
|
self.release_candidate = rc
|
||||||
self.s3 = s3
|
self.s3 = s3
|
||||||
@ -253,6 +252,7 @@ class IsoBuild:
|
|||||||
mock_iso_path = '/var/tmp/lorax-' + self.release + '.cfg'
|
mock_iso_path = '/var/tmp/lorax-' + self.release + '.cfg'
|
||||||
mock_sh_path = '/var/tmp/isobuild.sh'
|
mock_sh_path = '/var/tmp/isobuild.sh'
|
||||||
iso_template_path = '/var/tmp/buildImage.sh'
|
iso_template_path = '/var/tmp/buildImage.sh'
|
||||||
|
required_pkgs = self.iso_map['lorax']['required_pkgs']
|
||||||
|
|
||||||
rclevel = ''
|
rclevel = ''
|
||||||
if self.release_candidate:
|
if self.release_candidate:
|
||||||
@ -294,7 +294,7 @@ class IsoBuild:
|
|||||||
builddir=self.mock_work_root,
|
builddir=self.mock_work_root,
|
||||||
lorax_work_root=self.lorax_result_root,
|
lorax_work_root=self.lorax_result_root,
|
||||||
bugurl=self.bugurl,
|
bugurl=self.bugurl,
|
||||||
squashfs_only=self.iso_map['lorax']['squashfs_only'],
|
squashfs_only=self.iso_map['lorax'].get('squashfs_only', None),
|
||||||
)
|
)
|
||||||
|
|
||||||
with open(mock_iso_path, "w+") as mock_iso_entry:
|
with open(mock_iso_path, "w+") as mock_iso_entry:
|
||||||
@ -725,8 +725,7 @@ class IsoBuild:
|
|||||||
|
|
||||||
def _extra_iso_build_wrap(self):
|
def _extra_iso_build_wrap(self):
|
||||||
"""
|
"""
|
||||||
Try to figure out where the build is going, we only support mock for
|
Try to figure out where the build is going, podman or mock.
|
||||||
now.
|
|
||||||
"""
|
"""
|
||||||
work_root = os.path.join(
|
work_root = os.path.join(
|
||||||
self.compose_latest_dir,
|
self.compose_latest_dir,
|
||||||
@ -737,15 +736,23 @@ class IsoBuild:
|
|||||||
if self.arch:
|
if self.arch:
|
||||||
arches_to_build = [self.arch]
|
arches_to_build = [self.arch]
|
||||||
|
|
||||||
images_to_build = self.iso_map['images']
|
images_to_build = list(self.iso_map['images'].keys())
|
||||||
if self.extra_iso:
|
if self.extra_iso:
|
||||||
images_to_build = [self.extra_iso]
|
images_to_build = [self.extra_iso]
|
||||||
|
|
||||||
|
images_to_skip = []
|
||||||
|
|
||||||
for y in images_to_build:
|
for y in images_to_build:
|
||||||
if 'isoskip' in self.iso_map['images'][y] and self.iso_map['images'][y]['isoskip']:
|
if 'isoskip' in self.iso_map['images'][y] and self.iso_map['images'][y]['isoskip']:
|
||||||
self.log.info(Color.WARN + 'Skipping ' + y + ' image')
|
self.log.info(Color.WARN + f'Skipping {y} image')
|
||||||
|
images_to_skip.append(y)
|
||||||
continue
|
continue
|
||||||
|
|
||||||
|
reposcan = True
|
||||||
|
if 'reposcan' in self.iso_map['images'][y] and not self.iso_map['images'][y]['reposcan']:
|
||||||
|
self.log.info(Color.WARN + f"Skipping compose repository scans for {y}")
|
||||||
|
reposcan = False
|
||||||
|
|
||||||
# Kind of hacky, but if we decide to have more than boot/dvd iso's,
|
# Kind of hacky, but if we decide to have more than boot/dvd iso's,
|
||||||
# we need to make sure volname matches the initial lorax image,
|
# we need to make sure volname matches the initial lorax image,
|
||||||
# which the volid contains "dvd". AKA, file name doesn't always
|
# which the volid contains "dvd". AKA, file name doesn't always
|
||||||
@ -770,6 +777,7 @@ class IsoBuild:
|
|||||||
a,
|
a,
|
||||||
y,
|
y,
|
||||||
self.iso_map['images'][y]['repos'],
|
self.iso_map['images'][y]['repos'],
|
||||||
|
reposcan=reposcan
|
||||||
)
|
)
|
||||||
self._extra_iso_local_config(a, y, grafts, work_root, volname)
|
self._extra_iso_local_config(a, y, grafts, work_root, volname)
|
||||||
|
|
||||||
@ -782,7 +790,14 @@ class IsoBuild:
|
|||||||
raise SystemExit()
|
raise SystemExit()
|
||||||
|
|
||||||
if self.extra_iso_mode == 'podman':
|
if self.extra_iso_mode == 'podman':
|
||||||
self._extra_iso_podman_run(arches_to_build, images_to_build, work_root)
|
# I can't think of a better way to do this
|
||||||
|
images_to_build_podman = images_to_build.copy()
|
||||||
|
for item in images_to_build_podman[:]:
|
||||||
|
for skip in images_to_skip:
|
||||||
|
if item == skip:
|
||||||
|
images_to_build_podman.remove(item)
|
||||||
|
|
||||||
|
self._extra_iso_podman_run(arches_to_build, images_to_build_podman, work_root)
|
||||||
|
|
||||||
def _extra_iso_local_config(self, arch, image, grafts, work_root, volname):
|
def _extra_iso_local_config(self, arch, image, grafts, work_root, volname):
|
||||||
"""
|
"""
|
||||||
@ -829,6 +844,7 @@ class IsoBuild:
|
|||||||
isoname = f'{self.shortname}-{self.release}{rclevel}{datestamp}-{arch}-{image}.iso'
|
isoname = f'{self.shortname}-{self.release}{rclevel}{datestamp}-{arch}-{image}.iso'
|
||||||
generic_isoname = f'{self.shortname}-{arch}-{image}.iso'
|
generic_isoname = f'{self.shortname}-{arch}-{image}.iso'
|
||||||
latest_isoname = f'{self.shortname}-{self.major_version}-latest-{arch}-{image}.iso'
|
latest_isoname = f'{self.shortname}-{self.major_version}-latest-{arch}-{image}.iso'
|
||||||
|
required_pkgs = self.iso_map['lorax']['required_pkgs']
|
||||||
|
|
||||||
lorax_pkg_cmd = '/usr/bin/dnf install {} -y {}'.format(
|
lorax_pkg_cmd = '/usr/bin/dnf install {} -y {}'.format(
|
||||||
' '.join(required_pkgs),
|
' '.join(required_pkgs),
|
||||||
@ -1006,7 +1022,7 @@ class IsoBuild:
|
|||||||
checksum_list.append(latestname)
|
checksum_list.append(latestname)
|
||||||
|
|
||||||
for pod in entry_name_list:
|
for pod in entry_name_list:
|
||||||
podman_cmd_entry = '{} run -d -it -v "{}:{}" -v "{}:{}" --name {} --entrypoint {}/{} {}'.format(
|
podman_cmd_entry = '{} run -d -it --security-opt label=disable -v "{}:{}" -v "{}:{}" --name {} --entrypoint {}/{} {}'.format(
|
||||||
cmd,
|
cmd,
|
||||||
self.compose_root,
|
self.compose_root,
|
||||||
self.compose_root,
|
self.compose_root,
|
||||||
@ -1090,6 +1106,7 @@ class IsoBuild:
|
|||||||
arch,
|
arch,
|
||||||
iso,
|
iso,
|
||||||
variants,
|
variants,
|
||||||
|
reposcan: bool = True,
|
||||||
):
|
):
|
||||||
"""
|
"""
|
||||||
Get a list of packages for an extras ISO. This should NOT be called
|
Get a list of packages for an extras ISO. This should NOT be called
|
||||||
@ -1119,26 +1136,28 @@ class IsoBuild:
|
|||||||
# actually get the boot data
|
# actually get the boot data
|
||||||
files = self._get_grafts([lorax_for_var, extra_files_for_var])
|
files = self._get_grafts([lorax_for_var, extra_files_for_var])
|
||||||
|
|
||||||
# This is to get all the packages for each repo
|
# Some variants cannot go through a proper scan.
|
||||||
for repo in variants:
|
if reposcan:
|
||||||
pkg_for_var = os.path.join(
|
# This is to get all the packages for each repo
|
||||||
self.compose_latest_sync,
|
for repo in variants:
|
||||||
repo,
|
pkg_for_var = os.path.join(
|
||||||
arch,
|
self.compose_latest_sync,
|
||||||
self.structure['packages']
|
repo,
|
||||||
)
|
arch,
|
||||||
rd_for_var = os.path.join(
|
self.structure['packages']
|
||||||
self.compose_latest_sync,
|
)
|
||||||
repo,
|
rd_for_var = os.path.join(
|
||||||
arch,
|
self.compose_latest_sync,
|
||||||
self.structure['repodata']
|
repo,
|
||||||
)
|
arch,
|
||||||
|
self.structure['repodata']
|
||||||
|
)
|
||||||
|
|
||||||
for k, v in self._get_grafts([pkg_for_var]).items():
|
for k, v in self._get_grafts([pkg_for_var]).items():
|
||||||
files[os.path.join(repo, "Packages", k)] = v
|
files[os.path.join(repo, "Packages", k)] = v
|
||||||
|
|
||||||
for k, v in self._get_grafts([rd_for_var]).items():
|
for k, v in self._get_grafts([rd_for_var]).items():
|
||||||
files[os.path.join(repo, "repodata", k)] = v
|
files[os.path.join(repo, "repodata", k)] = v
|
||||||
|
|
||||||
grafts = f'{lorax_base_dir}/{iso}-{arch}-grafts'
|
grafts = f'{lorax_base_dir}/{iso}-{arch}-grafts'
|
||||||
|
|
||||||
@ -1518,7 +1537,7 @@ class LiveBuild:
|
|||||||
self.compose_base = config['compose_root'] + "/" + major
|
self.compose_base = config['compose_root'] + "/" + major
|
||||||
self.current_arch = config['arch']
|
self.current_arch = config['arch']
|
||||||
self.livemap = rlvars['livemap']
|
self.livemap = rlvars['livemap']
|
||||||
self.required_pkgs = rlvars['livemap']['required_pkgs']
|
#self.required_pkgs = rlvars['livemap']['required_pkgs']
|
||||||
self.mock_work_root = config['mock_work_root']
|
self.mock_work_root = config['mock_work_root']
|
||||||
self.live_result_root = config['mock_work_root'] + "/lmc"
|
self.live_result_root = config['mock_work_root'] + "/lmc"
|
||||||
self.mock_isolation = isolation
|
self.mock_isolation = isolation
|
||||||
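Review bot: The nested `for item ... for skip ... if item == skip: images_to_build_podman.remove(item)` block in the @@ -782 hunk is a hand-written set difference; `images_to_build_podman = [i for i in images_to_build if i not in images_to_skip]` does the same in one line, drops the `.copy()` and the `[:]` slice, and makes the `# I can't think of a better way to do this` comment unnecessary. Separately, the @@ -81 and @@ -1518 hunks comment out `self.required_pkgs` in `IsoBuild` and `LiveBuild`; `IsoBuild` now re-reads `self.iso_map['lorax']['required_pkgs']` locally in two methods, but I cannot see from these hunks whether `LiveBuild` still references `self.required_pkgs` elsewhere, so that is worth checking before this lands, and the commented-out lines are better deleted than kept. `_extra_iso_build_wrap` and `_extra_iso_build` both start before and end after the hunks shown.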
|
@ -47,7 +47,6 @@ class common:
|
|||||||
'CRB': ['aarch64', 'ppc64le', 's390x', 'x86_64'],
|
'CRB': ['aarch64', 'ppc64le', 's390x', 'x86_64'],
|
||||||
'HighAvailability': ['aarch64', 'ppc64le', 's390x', 'x86_64'],
|
'HighAvailability': ['aarch64', 'ppc64le', 's390x', 'x86_64'],
|
||||||
'NFV': ['x86_64'],
|
'NFV': ['x86_64'],
|
||||||
'ResilientStorage': ['ppc64le', 's390x', 'x86_64'],
|
|
||||||
'RT': ['x86_64'],
|
'RT': ['x86_64'],
|
||||||
'SAP': ['ppc64le', 's390x', 'x86_64'],
|
'SAP': ['ppc64le', 's390x', 'x86_64'],
|
||||||
'SAPHANA': ['ppc64le', 'x86_64']
|
'SAPHANA': ['ppc64le', 'x86_64']
|
||||||
|
@ -1,6 +1,6 @@
|
|||||||
# To be sourced by scripts to use
|
# To be sourced by scripts to use
|
||||||
|
|
||||||
REPO=("BaseOS" "AppStream" "CRB" "HighAvailability" "ResilientStorage" "NFV" "RT" "SAP" "SAPHANA")
|
REPO=("BaseOS" "AppStream" "CRB" "HighAvailability" "NFV" "RT" "SAP" "SAPHANA")
|
||||||
ARCH=("aarch64" "ppc64le" "s390x" "x86_64")
|
ARCH=("aarch64" "ppc64le" "s390x" "x86_64")
|
||||||
|
|
||||||
MAJOR="10"
|
MAJOR="10"
|
||||||
|
@ -12,6 +12,8 @@ IGNORES = [
|
|||||||
'insights-client',
|
'insights-client',
|
||||||
'lorax-templates-rhel',
|
'lorax-templates-rhel',
|
||||||
'shim',
|
'shim',
|
||||||
|
'shim-unsigned-x64',
|
||||||
|
'shim-unsigned-aarch64',
|
||||||
'redhat-cloud-client-configuration',
|
'redhat-cloud-client-configuration',
|
||||||
'rhc',
|
'rhc',
|
||||||
'rhc-worker-playbook',
|
'rhc-worker-playbook',
|
||||||
|
@ -20,6 +20,9 @@ REPOS = switcher.rlver(results.version,
|
|||||||
# Source packages we do not ship or are rocky branded
|
# Source packages we do not ship or are rocky branded
|
||||||
IGNORES = [
|
IGNORES = [
|
||||||
'insights-client',
|
'insights-client',
|
||||||
|
'shim',
|
||||||
|
'shim-unsigned-x64',
|
||||||
|
'shim-unsigned-aarch64',
|
||||||
'redhat-cloud-client-configuration',
|
'redhat-cloud-client-configuration',
|
||||||
'rhc',
|
'rhc',
|
||||||
'rhc-worker-playbook',
|
'rhc-worker-playbook',
|
||||||
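Review bot: The `IGNORES` list in this hunk and the one in the @@ -12 hunk just above it receive the same two entries (`'shim-unsigned-x64'`, `'shim-unsigned-aarch64'`), yet the two lists already differ — this one also gains `'shim'` while the other carries `'lorax-templates-rhel'`. If both scripts are meant to skip the same source packages, keeping the list in one shared place (or having one import the other's constant) would stop the drift; if the difference is intentional, a one-line comment above the shim entries recording why they are excluded from the comparison would save the next reader from guessing. I am inferring the relationship between the two files from this compare page only.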
|
30
mangle/ipa/ipaaudit-noipa
Executable file
30
mangle/ipa/ipaaudit-noipa
Executable file
@ -0,0 +1,30 @@
|
|||||||
|
#!/bin/bash
|
||||||
|
# Wrapper for ipaauditor.py audit
|
||||||
|
|
||||||
|
source /etc/os-release
|
||||||
|
case "$ID" in
|
||||||
|
rocky|centos|rhel)
|
||||||
|
case "${VERSION_ID:0:1}" in
|
||||||
|
5|6|7)
|
||||||
|
echo "Not supported."
|
||||||
|
exit 3
|
||||||
|
;;
|
||||||
|
8)
|
||||||
|
PYTHON_EXEC="/usr/libexec/platform-python"
|
||||||
|
;;
|
||||||
|
*)
|
||||||
|
PYTHON_EXEC="/usr/bin/python3"
|
||||||
|
;;
|
||||||
|
esac ;;
|
||||||
|
ubuntu|debian)
|
||||||
|
PYTHON_EXEC="/usr/bin/python3"
|
||||||
|
;;
|
||||||
|
fedora)
|
||||||
|
PYTHON_EXEC="/usr/bin/python3"
|
||||||
|
esac
|
||||||
|
|
||||||
|
$PYTHON_EXEC ipaauditor.py --user test \
|
||||||
|
--password test \
|
||||||
|
--server test \
|
||||||
|
--library python_freeipa \
|
||||||
|
audit "$@"
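Review bot: When `$ID` matches none of the case arms (or is unset), `PYTHON_EXEC` stays empty and the final command runs `ipaauditor.py` itself as the executable, which fails with a confusing message; `: "${PYTHON_EXEC:?unsupported distribution: $ID}"` placed before the call makes the failure explicit. The call also resolves `ipaauditor.py` relative to the caller's working directory rather than the wrapper's own location, so `"$PYTHON_EXEC" "$(dirname "$0")/ipaauditor.py" --user test \` (quoted) keeps it working from any cwd. Finally, `--user test --password test --server test` are hard-coded placeholder values, and a password passed as an argument is readable by other local users through the process list for the lifetime of the run; taking these from the environment, or letting ipaauditor.py prompt when `--password` is empty, would avoid committing a credential to the repository.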
|
@ -58,6 +58,9 @@ audit_parser = subparser.add_parser('audit', epilog='Use this to perform audits
|
|||||||
parser.add_argument('--library', type=str, default='ipalib',
|
parser.add_argument('--library', type=str, default='ipalib',
|
||||||
help='Choose the ipa library to use for the auditor',
|
help='Choose the ipa library to use for the auditor',
|
||||||
choices=('ipalib', 'python_freeipa'))
|
choices=('ipalib', 'python_freeipa'))
|
||||||
|
parser.add_argument('--user', type=str, default='', help='Set the username (python_freeipa only)')
|
||||||
|
parser.add_argument('--password', type=str, default='', help='Set the password (python_freeipa only)')
|
||||||
|
parser.add_argument('--server', type=str, default='', help='Set the server (python_freeipa only)')
|
||||||
|
|
||||||
audit_parser.add_argument('--type', type=str, required=True,
|
audit_parser.add_argument('--type', type=str, required=True,
|
||||||
help='Type of audit: hbac, rbac, group, user',
|
help='Type of audit: hbac, rbac, group, user',
|
||||||
@ -106,7 +109,7 @@ class EtcIPADefault:
|
|||||||
outter_info['ipa_joined_name'] = __config['global']['host']
|
outter_info['ipa_joined_name'] = __config['global']['host']
|
||||||
outter_info['ipa_domain'] = __config['global']['domain']
|
outter_info['ipa_domain'] = __config['global']['domain']
|
||||||
outter_info['ipa_realm'] = __config['global']['realm']
|
outter_info['ipa_realm'] = __config['global']['realm']
|
||||||
outter_info['registered_dc'] = __config['global']['server']
|
outter_info['registered_dc'] = __config['global']['host'] if not __config['global'].get('server', None) else __config['global']['server']
|
||||||
return outter_info
|
return outter_info
|
||||||
|
|
||||||
class SssctlInfo:
|
class SssctlInfo:
|
||||||
@ -274,16 +277,89 @@ class IPAAudit:
|
|||||||
@staticmethod
|
@staticmethod
|
||||||
def user_pull(api, name, deep):
|
def user_pull(api, name, deep):
|
||||||
"""
|
"""
|
||||||
Gets requested rbac info
|
Gets requested user info
|
||||||
"""
|
"""
|
||||||
print()
|
try:
|
||||||
|
user_results = IPAQuery.user_data(api, name)
|
||||||
|
except:
|
||||||
|
print(f'Could not find {name}', sys.stderr)
|
||||||
|
sys.exit(1)
|
||||||
|
|
||||||
|
user_first = '' if not user_results.get('givenname', None) else user_results['givenname'][0]
|
||||||
|
user_last = '' if not user_results.get('sn', None) else user_results['sn'][0]
|
||||||
|
user_uid = '' if not user_results.get('uid', None) else user_results['uid'][0]
|
||||||
|
user_uidnum = '' if not user_results.get('uidnumber', None) else user_results['uidnumber'][0]
|
||||||
|
user_gidnum = '' if not user_results.get('gidnumber', None) else user_results['gidnumber'][0]
|
||||||
|
user_groups = '' if not user_results.get('memberof_group', None) else '\n '.join(user_results['memberof_group'])
|
||||||
|
user_hbachosts = '' if not user_results.get('memberof_hbacrule', None) else '\n '.join(user_results['memberof_hbacrule'])
|
||||||
|
user_indhbachosts = '' if not user_results.get('memberofindirect_hbacrule', None) else '\n '.join(user_results['memberofindirect_hbacrule'])
|
||||||
|
|
||||||
|
starter_user = {
|
||||||
|
'User name': user_uid,
|
||||||
|
'First name': user_first,
|
||||||
|
'Last name': user_last,
|
||||||
|
'UID': user_uidnum,
|
||||||
|
'GID': user_gidnum,
|
||||||
|
'Groups': user_groups,
|
||||||
|
}
|
||||||
|
|
||||||
|
print('User Information')
|
||||||
|
print('------------------------------------------')
|
||||||
|
for key, value in starter_user.items():
|
||||||
|
if len(value) > 0:
|
||||||
|
print(f'{key: <16}{value}')
|
||||||
|
print('')
|
||||||
|
|
||||||
|
if deep:
|
||||||
|
group_list = [] if not user_results.get('memberof_group', None) else user_results['memberof_group']
|
||||||
|
hbac_list = [] if not user_results.get('memberof_hbacrule', None) else user_results['memberof_hbacrule']
|
||||||
|
IPAAudit.user_deep_list(api, name, group_list, hbac_list)
|
||||||
|
|
||||||
@staticmethod
|
@staticmethod
|
||||||
def group_pull(api, name, deep):
|
def group_pull(api, name, deep):
|
||||||
"""
|
"""
|
||||||
Gets requested rbac info
|
Gets requested rbac info
|
||||||
"""
|
"""
|
||||||
print()
|
try:
|
||||||
|
group_results = IPAQuery.group_data(api, name)
|
||||||
|
except:
|
||||||
|
print(f'Could not find {name}', sys.stderr)
|
||||||
|
sys.exit(1)
|
||||||
|
|
||||||
|
group_name = '' if not group_results.get('cn', None) else group_results['cn'][0]
|
||||||
|
group_gidnum = '' if not group_results.get('gidnumber', None) else group_results['gidnumber'][0]
|
||||||
|
group_members_direct = [] if not group_results.get('member_user', None) else group_results['member_user']
|
||||||
|
group_members_indirect = [] if not group_results.get('memberindirect_user', None) else group_results['memberindirect_user']
|
||||||
|
group_members = list(group_members_direct) + list(group_members_indirect)
|
||||||
|
num_of_group_members = str(len(group_members))
|
||||||
|
|
||||||
|
group_hbacs_direct = [] if not group_results.get('memberof_hbacrule', None) else group_results['memberof_hbacrule']
|
||||||
|
group_hbacs_indirect = [] if not group_results.get('memberofindirect_hbacrule', None) else group_results['memberofindirect_hbacrule']
|
||||||
|
group_hbacs = list(group_hbacs_direct) + list(group_hbacs_indirect)
|
||||||
|
num_of_hbacs = str(len(group_hbacs))
|
||||||
|
|
||||||
|
group_sudo_direct = [] if not group_results.get('memberof_sudorule', None) else group_results['memberof_sudorule']
|
||||||
|
group_sudo_indirect = [] if not group_results.get('memberofindirect_sudorule', None) else group_results['memberofindirect_sudorule']
|
||||||
|
group_sudos = list(group_sudo_direct) + list(group_sudo_indirect)
|
||||||
|
num_of_sudos = str(len(group_sudos))
|
||||||
|
|
||||||
|
starter_group = {
|
||||||
|
'Group name': group_name,
|
||||||
|
'GID': group_gidnum,
|
||||||
|
'Number of Users': num_of_group_members,
|
||||||
|
'Number of HBAC Rules': num_of_hbacs,
|
||||||
|
'Number of SUDO Rules': num_of_sudos,
|
||||||
|
}
|
||||||
|
|
||||||
|
print('Group Information')
|
||||||
|
print('------------------------------------------')
|
||||||
|
for key, value in starter_group.items():
|
||||||
|
if len(value) > 0:
|
||||||
|
print(f'{key: <24}{value}')
|
||||||
|
print('')
|
||||||
|
|
||||||
|
if deep:
|
||||||
|
IPAAudit.group_deep_list(api, name, group_members, group_hbacs, group_sudos)
|
||||||
|
|
||||||
@staticmethod
|
@staticmethod
|
||||||
def hbac_pull(api, name, deep):
|
def hbac_pull(api, name, deep):
|
||||||
@ -369,7 +445,7 @@ class IPAAudit:
|
|||||||
if perm not in starting_perms:
|
if perm not in starting_perms:
|
||||||
starting_perms.append(perm)
|
starting_perms.append(perm)
|
||||||
|
|
||||||
print(f'Permissions Applied to this Role')
|
print('Permissions Applied to this Role')
|
||||||
print('----------------------------------------')
|
print('----------------------------------------')
|
||||||
for item in starting_perms:
|
for item in starting_perms:
|
||||||
print(item)
|
print(item)
|
||||||
@ -427,13 +503,63 @@ class IPAAudit:
|
|||||||
print(f'{key: <24}{value}')
|
print(f'{key: <24}{value}')
|
||||||
|
|
||||||
@staticmethod
|
@staticmethod
|
||||||
def user_deep_list(api, user):
|
def user_deep_list(api, user, groups, hbacs):
|
||||||
"""
|
"""
|
||||||
Does a recursive dig on a user
|
Does a recursive dig on a user
|
||||||
"""
|
"""
|
||||||
|
hbac_rule_list = list(hbacs)
|
||||||
|
hbac_rule_all_hosts = []
|
||||||
|
host_list = []
|
||||||
|
for group in groups:
|
||||||
|
group_results = IPAQuery.group_data(api, group)
|
||||||
|
hbac_list = [] if not group_results.get('memberof_hbacrule', None) else group_results['memberof_hbacrule']
|
||||||
|
hbacind_list = [] if not group_results.get('memberofindirect_hbacrule', None) else group_results['memberofindirect_hbacrule']
|
||||||
|
hbac_rule_list.extend(hbac_list)
|
||||||
|
hbac_rule_list.extend(hbacind_list)
|
||||||
|
|
||||||
|
# TODO: Add HBAC list (including services)
|
||||||
|
# TODO: Add RBAC list
|
||||||
|
|
||||||
|
hbac_host_dict = {}
|
||||||
|
for hbac in hbac_rule_list:
|
||||||
|
hbac_hosts = []
|
||||||
|
hbac_results = IPAQuery.hbac_data(api, hbac)
|
||||||
|
hbac_host_list = [] if not hbac_results.get('memberhost_host', None) else hbac_results['memberhost_host']
|
||||||
|
hbac_hostgroup_list = [] if not hbac_results.get('memberhost_hostgroup', None) else hbac_results['memberhost_hostgroup']
|
||||||
|
if hbac_results.get('hostcategory'):
|
||||||
|
hbac_rule_all_hosts.append(hbac)
|
||||||
|
|
||||||
|
for host in hbac_host_list:
|
||||||
|
hbac_hosts.append(host)
|
||||||
|
|
||||||
|
for hostgroup in hbac_hostgroup_list:
|
||||||
|
hostgroup_data = IPAQuery.hostgroup_data(api, hostgroup)
|
||||||
|
host_list = [] if not hostgroup_data.get('member_host', None) else hostgroup_data['member_host']
|
||||||
|
hbac_hosts.extend(host_list)
|
||||||
|
|
||||||
|
hbac_host_dict[hbac] = hbac_hosts
|
||||||
|
|
||||||
|
#new_hbac_hosts = sorted(set(hbac_hosts))
|
||||||
|
print('User Has Access To These Hosts')
|
||||||
|
print('------------------------------------------')
|
||||||
|
if len(hbac_rule_all_hosts) > 0:
|
||||||
|
print('!! Notice: User has access to ALL hosts from the following rules:')
|
||||||
|
hbac_rule_all_hosts = sorted(set(hbac_rule_all_hosts))
|
||||||
|
for allrule in hbac_rule_all_hosts:
|
||||||
|
print(allrule)
|
||||||
|
else:
|
||||||
|
for hrule in hbac_host_dict:
|
||||||
|
print()
|
||||||
|
print(f'HBAC Rule: {hrule}')
|
||||||
|
print('==========================================')
|
||||||
|
for h in hbac_host_dict[hrule]:
|
||||||
|
print(h)
|
||||||
|
|
||||||
|
if len(hbac_host_dict[hrule]) == 0:
|
||||||
|
print('(No hosts set for this rule)')
|
||||||
|
|
||||||
@staticmethod
|
@staticmethod
|
||||||
def group_deep_list(api, group):
|
def group_deep_list(api, group, members, hbacs, sudos):
|
||||||
"""
|
"""
|
||||||
Does a recursive dig on a group
|
Does a recursive dig on a group
|
||||||
"""
|
"""
|
||||||
@ -567,7 +693,7 @@ memberOf:{groups}
|
|||||||
return api.hbacsvcgroup_show(hbacsvcgroup)['result']
|
return api.hbacsvcgroup_show(hbacsvcgroup)['result']
|
||||||
|
|
||||||
# start main
|
# start main
|
||||||
def get_api(ipa_library='ipalib'):
|
def get_api(ipa_library='ipalib', user='', password='', server=''):
|
||||||
"""
|
"""
|
||||||
Gets and returns the right API entrypoint
|
Gets and returns the right API entrypoint
|
||||||
"""
|
"""
|
||||||
@ -586,7 +712,13 @@ def get_api(ipa_library='ipalib'):
|
|||||||
print('WARNING: No kerberos credentials\n')
|
print('WARNING: No kerberos credentials\n')
|
||||||
command_api = None
|
command_api = None
|
||||||
elif ipa_library == 'python_freeipa':
|
elif ipa_library == 'python_freeipa':
|
||||||
print()
|
api = ClientMeta(server)
|
||||||
|
try:
|
||||||
|
api.login(user, password)
|
||||||
|
command_api = api
|
||||||
|
except:
|
||||||
|
print('ERROR: Unable to login, check user/password/server')
|
||||||
|
command_api = None
|
||||||
else:
|
else:
|
||||||
print('Unsupported ipa library', sys.stderr)
|
print('Unsupported ipa library', sys.stderr)
|
||||||
sys.exit(1)
|
sys.exit(1)
|
||||||
@ -597,7 +729,8 @@ def main():
|
|||||||
"""
|
"""
|
||||||
Main function entrypoint
|
Main function entrypoint
|
||||||
"""
|
"""
|
||||||
command_api = get_api()
|
command_api = get_api(ipa_library=results.library, user=results.user,
|
||||||
|
password=results.password, server=results.server)
|
||||||
if command == 'audit':
|
if command == 'audit':
|
||||||
IPAAudit.entry(command_api, results.type, results.name, results.deep)
|
IPAAudit.entry(command_api, results.type, results.name, results.deep)
|
||||||
elif command == 'info':
|
elif command == 'info':
|
||||||
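Review bot: `print(f'Could not find {name}', sys.stderr)` in the new `user_pull` and `group_pull` bodies (@@ -274 hunk) passes the stream as a second value to print, so the message goes to stdout followed by the repr of the stderr object; it should be `print(f'Could not find {name}', file=sys.stderr)` (the pre-existing `print('Unsupported ipa library', sys.stderr)` in the @@ -586 hunk's context has the same slip). The bare `except:` around `IPAQuery.user_data`, `IPAQuery.group_data` and `api.login` also swallows `KeyboardInterrupt` and `SystemExit` and hides the real cause; `except Exception as err:` with `err` included in the message keeps the exit path while letting the operator tell a connection or auth failure from a missing entry. The new `--password` argument takes the secret on the command line, where it is visible in the process list; when it is empty and `--library python_freeipa` is selected, `getpass.getpass()` would avoid that. The functions in the @@ -427 hunk continue beyond what is shown.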
|