This is required to ensure that SELinux is configured properly while
building. It fixes the problem with building tar, and should be
installed in the other image types for consistency.
Resolves: rhbz#1645189
Most bootloaders used in Fedora already have BootLoaderSpec but extlinux
doesn't yet. So when using extlinux the old grubby must be installed.
Resolves: rhbz#1649778
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
Some files are created in a non-reproducible way, including
random data explicitly (/etc/machine-id), timestamps (fontconfig cache,
ldconfig aux-cache, certs cache), or entries in random order (groups,
systemd catalog, package list).
Fix this by either making the files reproducible, or removing them.
Images don't work without these fixes:
* Enable Network Manager.
* Disable cloud-init.
* Add Hyper-V modules into initramfs.
Fixes specific for RHEL:
* Create ifcfg-eth0 required by waagent.
* Install python3 and net-tools required by waagent.
Recommended changes:
* Use recommended kernel boot args.
* Disable kdump.
Since these images can be used to create multiple machines, they should
not have a unique machine-id attached to them. Replace /etc/machine-id
with an empty file so that it will be regenerated at boot time.
If we leave the root account w/o a password people will use it that way,
leading to insecure images. Also if we use a default password. So lock
the root account in the templates.
Users will need to do one of these things:
1. Use [[customizations.user]] in their blueprint to configure root or
another user.
2. Use [[customizations.sshkey]] to set a key for root
3. Install a package that configures a user at install time
4. Install a package that sets up a user at boot time (eg. cloud-init)
This also drops the auth line from the kickstart templates, allowing it
to use the default password algorithm instead of md5.
Resolves: rhbz#1626122
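The two commit messages above (empty /etc/machine-id, locked root account, no md5 hashes) describe properties that can be checked on a built image. The following is an added example, not code from lorax or from the commits: it audits an unpacked image tree, and the function names, finding strings and sample shadow entries are assumptions constructed for illustration.

```python
import os
import tempfile

WEAK_PREFIXES = {"$1$": "md5"}  # crypt(3) scheme ids treated as weak here


def audit_image_root(root):
    """Return a list of findings for an unpacked image tree rooted at `root`."""
    findings = []

    # An empty machine-id is regenerated at boot; a populated one is cloned.
    mid_path = os.path.join(root, "etc", "machine-id")
    if not os.path.isfile(mid_path):
        findings.append("machine-id: file missing, expected an empty file")
    else:
        with open(mid_path) as f:
            if f.read().strip():
                findings.append("machine-id: contains an ID, every clone would share it")

    shadow_path = os.path.join(root, "etc", "shadow")
    if not os.path.isfile(shadow_path):
        findings.append("shadow: file missing")
        return findings

    root_seen = False
    with open(shadow_path) as f:
        for line in f:
            fields = line.rstrip("\n").split(":")
            if len(fields) < 2:
                continue
            name, pw = fields[0], fields[1]
            # A leading '!' or '*' means no password can match this entry.
            locked = pw.startswith(("!", "*"))
            if name == "root":
                root_seen = True
                if pw == "":
                    findings.append("root: empty password field")
                elif not locked:
                    findings.append("root: account is not locked")
            # A locked entry may still carry an old hash after the '!'.
            stored = pw.lstrip("!")
            for prefix, scheme in WEAK_PREFIXES.items():
                if stored.startswith(prefix):
                    findings.append(f"{name}: {scheme} password hash")
    if not root_seen:
        findings.append("root: no entry in shadow")
    return findings


def make_sample_root(machine_id, shadow_text):
    """Build a constructed image tree in a temp dir and return its path."""
    root = tempfile.mkdtemp(prefix="imgroot-")
    os.makedirs(os.path.join(root, "etc"))
    with open(os.path.join(root, "etc", "machine-id"), "w") as f:
        f.write(machine_id)
    with open(os.path.join(root, "etc", "shadow"), "w") as f:
        f.write(shadow_text)
    return root


if __name__ == "__main__":
    # Constructed sample: populated machine-id, passwordless root, md5 user hash.
    bad = make_sample_root("0123456789abcdef0123456789abcdef\n",
                           "root::17800:0:99999:7:::\n"
                           "admin:$1$salt$notarealhash:17800:0:99999:7:::\n")
    for finding in audit_image_root(bad):
        print(finding)
```

An image where a blueprint deliberately sets a root password will report "root: account is not locked"; that finding reflects the template default, not a customized image.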
This differs from lmc's --make-ami in that it creates a full disk image instead of
an fsimage. Create a raw disk image with a / and /boot partitions, and enable
sshd, chronyd, and cockpit by default.
The ostree compose process in pungi wants ISOs and it was the last part
of the ARMv7 components that weren't at parity with other architectures.
Add the missing functionality.
Signed-off-by: Peter Robinson <pbrobinson@gmail.com>
ARMv7 will now support UEFI and grub2-efi so add those deps. We also don't
require uboot-tools as part of the install process so don't add that
explicitly, and drop grubby from the aarch64 explicit list as it's in the
general list, add grub2-tools-efi.
Signed-off-by: Peter Robinson <pbrobinson@gmail.com>
Currently we are making MBR disk images for qcow2 and partitioned disk,
so the UEFI packages aren't required at this point.
Move the clearpart command into compose.py so that in the future it can
use clearpart --disklabel to create a GPT image, and add the required
packages to the package set.
As explained in detail in the bug, 'hostname' must be installed
for the dracut 95iscsi module to work (and thus for key iscsi
modules to be included in the initramfs generated by lorax). Up
till recently, we got it as a dependency of initscripts, but
when network-scripts split from initscripts, the dependency went
with it. Now nothing else pulls it in as a dep, so let's just
pull it in explicitly here.
Resolves: rhbz#1593657
Signed-off-by: Adam Williamson <awilliam@redhat.com>
We had only been indirectly pulling in GConf, and anyways
nothing was listening to these keys.
<kalev> I still think it's a fallout from 27a90d973f
Really in general, if we wanted to make changes like this
it'd probably be a lot simpler to do them on boot or so.
https://bugzilla.redhat.com/show_bug.cgi?id=1581838
"anaconda-install-deps" was the original placeholder name
of the metapackage and it looks like I forgot to change it
to "anaconda-install-env-deps", which is the final name
we have decided sounds better.
Oops! (it's even correct in the commit message...)
Use the anaconda-install-env-deps metapackage to pull in the
Anaconda dependencies needed in the installation environment.
The anaconda-install-env-deps metapackage lists all install time
dependencies and makes it possible for packages such as
Initial Setup to depend on Anaconda without pulling all
the (mainly storage related) install time dependencies
to the installed system.
The same is applicable for dirinstall which also does
not require the install time dependencies as it is just
installing to a local folder.
Also drop the tmux and gdb dependencies from the template as
both have been added to the metapackage to make install time
dependency tracking more consistent.
It looks like gnome-helper grew a dependency on it so let's not remove
it. From today's pungi run we can see this error in the verify:
```
libgstgl-1.0.so.0, needed by /usr/bin/gnome-help, not found
```
This reverts commit 13e234ae02.
system-logos is not needed in the runtime-install.tmpl because the
correct *-logos package is already installed by the _install_branding
code in treebuilder.py
The x86.tmpl explicitly references the syslinux-splash provided in
the system-logos package and fails if it's not there so implicitly
install it on arches where syslinux is supported to ensure it's
there. Fixes rhbz #1529239
Signed-off-by: Peter Robinson <pbrobinson@gmail.com>
The previous attempt to fix this failed because of operator
ordering, so we actually still tried to build EFI images on
i386, so i386 lives failed. This really fixes it. I tested. I
actually built a 32-bit live and it worked.
Resolves: rhbz#1539085
Signed-off-by: Adam Williamson <awilliam@redhat.com>
This shouldn't have been turned on when we switched to doing ia32-efi
images on x86_64; just having the file available isn't where we want
that policy decision to be.
Resolves: rhbz#1539085
Signed-off-by: Peter Jones <pjones@redhat.com>
kernel-PAE has been intentionally removed from Rawhide kernel
builds; Fedora 27 will be the last release with kernel-PAE for
i686. So we need to not try and install it in future. See
http://pkgs.fedoraproject.org/rpms/kernel/c/21e4b8338 (it's a
big commit, but the change is in there, it's the second change
in kernel.spec).
Signed-off-by: Adam Williamson <awilliam@redhat.com>
pjones and I happened to notice this suspicious line in the
lmc log for a Fedora 27 live image compose:
```
2017-08-25 16:04:55,327 DEBUG pylorax.ltmpl: template line 25: installimg None usr/share/lorax//product/ images/product.img
```
That 'None' does not look right. I believe this is the problem.
The command is defined as `installimg ${compressargs} ...`, and
a few lines earlier, `compressargs` is initially assigned (in
Python) as `None`. `None`, in Python, stringifies to the string
'None'. So unless we're on i386 (where `compressargs` gets
defined to an actual string of arguments in a conditional), we
wind up passing in the string 'None' as the first arg to the
`installimg` command.
To fix this, `compressargs` should be initially set to the empty
string rather than `None`.
This enables Baytrail and similar atom CPUs that typically ship with a
32-bit firmware, but have a 64-bit capable CPU.
Signed-off-by: Peter Jones <pjones@redhat.com>
Per dledford, RDMA fundamentally cannot work reliably on 32-bit
ARM arches, so as part of the re-organization of the relevant
packages, building them on 32-bit ARM has been disabled (for
F27+). Thus we should adjust lorax not to try and install them
on 32-bit ARM. Also change the package name, the 'rdma' package
is obsoleted by 'rdma-core'. This commit should not be applied
to branches for older distros.
Signed-off-by: Adam Williamson <awilliam@redhat.com>
When multiple units are passed to systemctl and one fails it doesn't
finish the others. Change the template command to call systemctl for
each unit individually.
This also removes the lvm2-activation-generator in runtime-cleanup.tmpl
This will allow anaconda to fetch kickstarts using https when installing
with fips=1
Leave vmlinuz and .vmlinuz.hmac in /boot
dracut-fips module needs the vmlinuz.hmac file in order to boot.
As of webkitgtk4-2.17.5-1.fc27, it needs these two as well as
the others. This is breaking Rawhide composes at present.
Signed-off-by: Adam Williamson <awilliam@redhat.com>
This is required in the future for anaconda to be able to inspect the
supported locales in Atomic Host installations. This is the same patch
as https://github.com/rhinstaller/lorax/pull/194 but for the master
branch.
Library libmenu.so is needed by lp_diag binary from ppc64-diag
package. It leads to incomplete finish of compose iso generation
on Power. Keeping libmenu.so on PowerPC should fix the problem.
Resolves: rhbz#1461775
Signed-off-by: Sinny Kumari <sinny@redhat.com>
rpm-ostree used to have a requirement on the ostree rpm. It no
longer has that dependency, but rather requires ostree-libs. However,
we call ostree directly in some cases so we need to have it installed.
Resolves: rhbz#1382611
The kernel messages will be read from journal so don't use additional imklog
module to read them in duplicate.
Fixup of
commit 3eca8a0425
With readline 7, libreadline.so moved to libdir; as a result it is
currently removed in the cleanup phase, however it is needed.
Signed-off-by: Dennis Gilmore <dennis@ausil.us>
Signed-off-by: Brian C. Lane <bcl@redhat.com>
* `rsh` not used in anaconda now (can't find any mentions)
* `rsh` duplicates already existing ssh
* `rsh` not secure enough these days
Signed-off-by: Brian C. Lane <bcl@redhat.com>
The lulzbot-marlin-firmware pulls in cura-lulzbot and a bunch of other
deps that aren't needed for install so add it to the exceptions.
Signed-off-by: Peter Robinson <pbrobinson@gmail.com>
aarch64 now has support for kexec and the associated tools so we can drop
the arch conditional now.
Signed-off-by: Peter Robinson <pbrobinson@gmail.com>
Follow-up of moving to sshd-keygen.target in anaconda-sshd.service
(#1331753)
* Do not remove /etc/ssh/moduli
* slogin symlink is already removed
* Do not remove sshd-keygen
Related: rhbz#1369439
Keep it same as in RHEL 7.2. They increase the size of the /tmp/syslog file
from ~280K to ~1M, and can be obtained from journal if needed.
Resolves: rhbz#1369439
Rsyslogd used to read messages from /dev/log together with systemd-journald
which resulted in NetworkManager messages not being passed to syslog due to a
race condition during starting NetworkManager and rsyslogd service. So use
imjournal rsyslog plugin that picks messages from journald instead of using the
/dev/log socket. Same as regular RHEL 7 system.
There's something racy here; in my Atomic Workstation CI/CD I'm seeing:
```
01:12:43 symlink /lib/systemd/system/rngd.service etc/systemd/system/basic.target.wants/rngd.service
01:12:43 FileNotFoundError: [Errno 2] No such file or directory: '/lib/systemd/system/rngd.service' -> '/var/tmp/lorax.7cgdtz1_/installtree/etc/systemd/system/basic.target.wants/rngd.service'
```
Rather than debug this right now, let's just make sure it exists,
like we do right above for `tmp.mount`.
The latest POWER platform allows a host machine to configure guests
running in a different endian mode. Guests configured in this way may
have their bootloader configuration file corrupted after installation if
the file was not fully written to disk. The host machine would read the
journal and try to finish writing the file in the wrong endian mode.
Issuing an fsfreeze and unfreeze gives more assurance that the
configuration file is properly written before a reboot; this patch adds
fsfreeze to the installer runtime environment.
Related: rhbz#1315468
With commit fe17f97 changing the default from optional to required there's
a few packages that aren't currently supported on aarch64 that break the
compose. In particular aarch64 currently still doesn't have kexec, with luck
that might change in the F-25 cycle but until it does we need to have an
exception.
Signed-off-by: Peter Robinson <pbrobinson@fedoraproject.org>
When using the template install command copying the same file to itself
shouldn't crash. Just log the error and continue.
Also copy the s390 configuration files for use with livemedia-creator
Resolves: rhbz#1269213
commit 66241f7cd7 added a check on
runtime_img to create UDF iso's. Ends up it is only in outroot for live,
so switch all the checks to look at it in inroot instead.
The sound, video and scanner firmware packages were removed during
cleanup. Instead, do not install them to begin with.
uhd-firmware is an addon package for a software radio tool and not
kernel firmware at all. Besides being 86MB on its own, it pulls in boost
and Tk, so leave all of that out.
webkitgtk4, a dependency of yelp, links to a lot of things. A lot of the
libraries pulled in through the dependency avalanche will never be used,
especially those that are dependencies of gstreamer plugins, so try to
clean some of it up.
Some images are becoming REALLY large. When a file is >= 4GiB we need to
pass -allow-limited-size to mkisofs to tell it to make a UDF image. Note
that the manpage says that this may result in it not booting on all
systems.
At the moment some PPC and s390 arches don't have docker, in that case we get the following failure when running lorax.
```
DEBUG util.py:417: 2016-03-12 01:00:27,658: dnf.exceptions.DepsolveError: nothing provides docker-utils needed by docker-anaconda-addon-0.2-1.fc24.noarch
DEBUG util.py:417: dnf.exceptions.DepsolveError: nothing provides docker-utils needed by docker-anaconda-addon-0.2-1.fc24.noarch
DEBUG util.py:417: Traceback (most recent call last):
DEBUG util.py:417: File "/usr/sbin/lorax", line 353, in <module>
DEBUG util.py:417: main(sys.argv)
DEBUG util.py:417: File "/usr/sbin/lorax", line 209, in main
DEBUG util.py:417: remove_temp=True, verify=opts.verify)
DEBUG util.py:417: File "/usr/lib/python3.5/site-packages/pylorax/__init__.py", line 277, in run
DEBUG util.py:417: rb.install()
DEBUG util.py:417: File "/usr/lib/python3.5/site-packages/pylorax/treebuilder.py", line 119, in install
DEBUG util.py:417: self._runner.run("runtime-install.tmpl")
DEBUG util.py:417: File "/usr/lib/python3.5/site-packages/pylorax/ltmpl.py", line 219, in run
DEBUG util.py:417: self._run(commands)
DEBUG util.py:417: File "/usr/lib/python3.5/site-packages/pylorax/ltmpl.py", line 238, in _run
DEBUG util.py:417: f(*args)
DEBUG util.py:417: File "/usr/lib/python3.5/site-packages/pylorax/ltmpl.py", line 540, in run_pkg_transaction
DEBUG util.py:417: self.dbo.resolve()
DEBUG util.py:417: File "/usr/lib/python3.5/site-packages/dnf/base.py", line 547, in resolve
DEBUG util.py:417: raise exc
DEBUG util.py:417: dnf.exceptions.DepsolveError: nothing provides docker-utils needed by docker-anaconda-addon-0.2-1.fc24.noarch
DEBUG util.py:542: Child return code was: 1
```
Signed-off-by: Peter Robinson <pbrobinson@fedoraproject.org>
glibc recently split all of its locale data into subpackages, so if we
install no langpacks we get no locales. Explicitly install all of the
langpacks.
The ast module depends on:
drm,drm_kms_helper,ttm,syscopyarea,i2c-core,sysfillrect,sysimgblt,i2c-algo-bit
This retains the syscopyarea, sysfillrect, and sysimgblt modules.
Resolves: rhbz#1272658
Since we no longer make the wrapped kernel and initrd for arm we need
to not put them in the .treeinfo file
Signed-off-by: Dennis Gilmore <dennis@ausil.us>
We have been defaulting to using raw kernels and initrds for awhile
now. Let's not make the legacy version anymore. Anyone that needs one
should be able to make their own with the correct variables.
Signed-off-by: Dennis Gilmore <dennis@ausil.us>
Gtk turned off the inspector keybindings by default, because they were
interfering with applications that use a lot of complicated keyboard
shortcuts. This is not a concern for anaconda, and the inspector is
pretty handy, so turn it back on.
The etc portion of systemd-tmpfiles creates a broken /etc/resolv.conf,
which breaks networking, and the rest of the stuff in there is
already installed to the stage2.
fedup is deprecated and abandoned. Let's save time and disk by not
building `upgrade.img` when nothing is going to use it anymore.
For the record, performing upgrades using an initramfs from the new
system turns out to be fragile and hard to support:
* dracut initramfs isn't generic enough to handle booting all systems
(e.g. missing vconsole.conf means you get keymaps wrong, so users
can't unlock encrypted disks)
* The ABI differences between the two versions of plymouth, systemd,
etc. requires nasty workarounds at best and causes nightmarish
systemd crashes at worst
This patch removes all the code that built and installed `upgrade.img`.
For backwards compatibility, the API retains the `doupgrade` keyword
argument, and the `--noupgrade` flag is still accepted.
We really shouldn't need to run ldconfig on boot from read-only media,
unless someone messed up %post in a package. And the verify step will
catch that.
This reverts commit 3981ff5b79.
systemd-nspawn is some kind of container thing, and cairo-sphinx, as far
as I can tell (go ahead, try to google it) is a cairo debugging tool.
Neither of these are particularly useful on installer media and both use
libraries that are removed during cleanup.
In order for selinux to properly label the system it needs to see that
the config file exists.
Also remove the old code trying to copy in a selinux config file, it
never worked -- the removepkg would remove it.
So we can activate master connection instead of searching for and activating
slave connections.
Makes turning bond/team device on in network spoke work.
Resolves: rhbz#1172751
It also causes a device configured in dracut to be properly reactivated as a slave
if it is configured so by kickstart.
Resolves: rhbz#1134090
When it is left up to dnf to decide how to fulfill the kmod()
requirement from gfs2-utils it will pick kernel-debuginfo-* which adds
about 100M to the size of the iso.
Adding these packages first makes dnf choose them and the iso size is
back down around 450MB
iscsi-initiator-utils and gobject-introspection actually are required via
anaconda rpm deps, so they aren't needed in runtime-install.tmpl.
Nothing seems to actually use python-imaging (i.e., python-pillow).
The executables for polkit, gnome-keyring and python-ethtool are removed
in runtime-cleanup, so if anything needs the libraries in these
packages, they can be pulled in through rpm dependencies. Among them,
only polkit is required.
For LUKS escrow stuff, keep the packages that provide the command-line
executables (volume_key, nss-tools), and remove the libraries. The
python2 libraries are no longer needed by blivet, and libblockdev will
install the C libraries it needs.
Install the dnf langpacks plugin instead of the yum one.
python-epdb is less useful now that anaconda is Python 3.
Add a 'lower' filter to the templates to replace string.lower which no
longer exists. Fix udev_escape, the strings are already unicode, and
drop --chdir from runcmd. It wasn't ever used, and passing cwd to the
new runcmd isn't supported.
I originally added --add-template to support doing something similar
to pungi, which injects content into the system to be used by default.
However, this causes the content to be part of the squashfs, which
means PXE installations have to download significantly more data that
they may not need (if they actually want to pull the tree data from
the network, which is not an unusual case).
What I actually need is to be able to modify *both* the runtime image
and the arch-specific content. For the runtime, I need to change
/usr/share/anaconda/interactive-defaults.ks to point to the new
content. (Although, potentially we could patch Anaconda itself to
auto-detect an ostree repository configured in disk image, similar to
what it does for yum repositories)
For the arch-specific image, I want to drop my content into the ISO
root.
So this patch adds --add-arch-template and --add-arch-template-var
in order to do the latter, while preserving the --add-template
to affect the runtime image.
Further, the templates will automatically graft in a directory named
"iso-graft/" from the working directory (if it exists).
(I suggest that external templates create a subdirectory named
"content" to avoid clashes with any future lorax work)
Thus, this will be used by the Atomic Host lorax templates to inject
content/repo, but could be used by e.g. pungi to add content/rpms as
well.
I tried to avoid code deduplication by creating a new template for the
product.img bits and this, but that broke because the parent boot.iso
code needs access to the `${imggraft}` variable. I think a real fix
here would involve turning the product.img, content/, *and* boot.iso
into a new template.