Commit Graph

1905 Commits

Author SHA1 Message Date
Brian C. Lane
91257da87e lorax-composer: Install selinux-policy-targeted in images
This is required to ensure that SELinux is configured properly while
building. It fixes the problem with building tar, and should be
installed in the other image types for consistency.

Resolves: rhbz#1645189
(cherry picked from commit 99d867db65)
2018-11-29 11:34:40 -08:00
Brian C. Lane
8105443bc6 Remove setfiles from mkrootfsimage
SELinux applies the correct labels, setfiles is no longer needed.
This allows lorax to run with SELinux in Enforcing mode.

(cherry picked from commit 4a4a415f88)
2018-11-29 11:34:35 -08:00
Brian C. Lane
e52d40216c Remove SELinux Permissive checks
Anaconda, Lorax, lorax-composer, and livemedia-creator can all now run
with SELinux in Enforcing mode. It does not need to be disabled and if
there are denials they should be reported as a bug.

Log the current state of SELinux when starting, update the
documentation.

(cherry picked from commit 080705e8e6)
2018-11-29 11:34:29 -08:00
Brian C. Lane
a5c5cb457e Add --no-system-repos to lorax-composer
Running lorax-composer --no-system-repos will prevent it from copying
the dnf repositories from /etc/yum.repos.d/ into the lorax-composer repo
directory. It will *only* use repositories setup using the sources api
or written to /var/lib/lorax/composer/repos.d/

If lorax-composer has previously been run without this switch the system
repos will need to be removed from the composer/repos.d/ directory. It
would also be a good idea to remove the cached metadata in
/var/tmp/composer/

Resolves: rhbz#1650363
(cherry picked from commit 43ff505804)
2018-11-29 11:33:16 -08:00
Brian C. Lane
8129e5a9f8 Automatic commit of package [lorax] release [28.20-1].
Created by command:

/usr/bin/tito tag
2018-10-29 15:48:24 -07:00
Brian C. Lane
bb1349cade New lorax documentation - 28.20 2018-10-29 15:25:10 -07:00
Brian C. Lane
f5732d21bf Build manpages for composer-cli and lorax-composer
Add manpage creation to make docs target to keep them updated.

(cherry picked from commit 7500a17f27)
(cherry picked from commit d9b282150e)
2018-10-29 15:22:38 -07:00
Brian C. Lane
4e46d776d5 Add tests for ltmpl.py
This covers things like installing globbed package names from multiple
repos, pinned package versions, and ltmpl functions

Related: rhbz#1548586
2018-10-29 13:53:59 -07:00
Brian C. Lane
71be466bde Move get_dnf_base_object into a module
This allows it to be imported by tests.
2018-10-25 11:20:42 -07:00
Brian C. Lane
6e57bfe11d lorax: Fix dnf problems with selecting highest NEVRA from multiple repos
When using package name globs and multiple repos dnf doesn't choose the
highest NEVRA as you would expect, work around this by applying max() to
the duplicate package names in installpkg.

Resolves: rhbz#1548586
2018-10-25 11:15:03 -07:00
Brian C. Lane
32156bd349 Automatic commit of package [lorax] release [28.19-1].
Created by command:

/usr/bin/tito tag
2018-10-12 15:51:00 -07:00
Brian C. Lane
9c758c7c4b Fix directory creation for blueprints
Depending on how lorax-composer is run setting up an empty blueprints
directory can fail. So this moves checking/creation until after the
other directories are created and uses make_owned_dir to make sure
ownership is correct.
2018-10-10 14:25:51 -07:00
Brian C. Lane
1a7b6c74b4 Update the tests for new make_dnf_dir arguments.
Use the uid and gid that the test is running as instead of hard-coding
0.
2018-10-10 14:25:51 -07:00
Brian C. Lane
d170622357 Change make_dnf_dirs to be run as root
It needs to be root in order to set the ownership and permissions on the
directories that are under /var/lib/lorax/composer/

Refactor the directory creation into a utility function, and use a umask
of 0o006 to ensure that the parent directories created do not have o+rw
set on them (makedirs behavior is different between Python 3.6 and 3.7
so umask of 0 doesn't work consistently).
2018-10-10 14:25:51 -07:00
Brian C. Lane
0a96c1eedb Disable false context-manager pylint error 2018-10-09 15:47:38 -07:00
Brian C. Lane
0037f10205 Add an openstack image type
This is a qcow2 image with cloud-init in the template.
2018-10-09 15:17:45 -07:00
David Shea
8908ae8a7a Add cloud-init to vhd images.
cloud-init can be used in Azure now
2018-10-09 15:17:34 -07:00
David Shea
e401f36496 Replace /etc/machine-id with an empty file
Since these images can be used to create multiple machines, they should
not have a unique machine-id attached to them. Replace /etc/machine-id
with an empty file so that it will be regenerated at boot time.
2018-10-09 15:17:24 -07:00
Brian C. Lane
9d73975c9f Update cli tests to use composer-cli name 2018-10-09 15:17:13 -07:00
Brian C. Lane
a0fc9eb7ad Work around dnf problem with multiple repos
If a package is in multiple repos dnf may return more than 1 of them
when using best...glob so we pick the highest NEVRA one and install
that.

Related: rhbz#1636239
2018-10-09 15:17:00 -07:00
Lars Karlitski
577618a1fc Add and enable cloud-init for ami images
Images don't work at all on AWS without cloud-init.

Fixes #492
2018-10-09 15:16:49 -07:00
David Shea
955631b872 Make no-virt generated images sparser
At the end of disk image installs, use fstrim on the generated filesystem to
discard any blocks that were allocated during the install and are now unused.
This will allow tools such as qemu-img to create images that do not include
deleted data.

For raw disk images that do not go through qemu-img, use fallocate --dig-holes
to create sparse holes in place of the unused blocks.
2018-10-09 15:16:38 -07:00
Brian C. Lane
fb1dfc9488 Report an error if the blueprint doesn't exist
composer-cli uses TOML for 'blueprints save' which was returning an
empty 200 response if the blueprint didn't exist. Change this to return
a standard 400 error response if the blueprint doesn't exist.

composer-cli is already setup to handle receiving json when an error is
returned so just the toml API response for `blueprints/save` needed to
be changed.
2018-10-09 15:16:20 -07:00
Lars Karlitski
bb40856f3e cli: Clarify error message for unprivileged access
`os.path.exists("/run/weldr/api.socket")` returns False for users which have no
access. This leads to composer printing that the file does not exist, which is
misleading.

Since it's no possible to distinguish the two cases, fix this problem by
combining them and showing a single error message.
2018-10-09 15:15:57 -07:00
Brian C. Lane
c2b0e8a8bb Write a rootpw line if no root customizations in the blueprint
Anaconda requires the root password to be set or locked, so if there
isn't anything setting it we write out 'rootpw --lock'

Also adds tests for this.

Resolves: rhbz#1626122
2018-10-09 15:15:42 -07:00
Brian C. Lane
558fdecde5 Add beakerlib to Dockerfile.test
Also kill the lorax-composer process and remove /run/weldr/api.socket
so that when this is run with podman you don't get an error about
attempting to tar up the socket.
2018-10-09 15:15:23 -07:00
Brian C. Lane
0a71478ac4 Adjust the new templates for locked root
also remote the auth line so that it uses the defaults.

Related: rhbz#1628645
Related: rhbz#1628646
Related: rhbz#1628647
Related: rhbz#1628648
2018-10-09 15:14:53 -07:00
Brian C. Lane
13e6a68154 Always update repo metadata when building an image
When the kickstart is handed off to Anaconda for building it will
download its own copy of the metadata and re-run the depsolve. So if the
dnf cache isn't current there will be a mismatch and the build will
fail to find some of the versions in final-kickstart.ks

This adds a new context to DNFLock, .lock_check, that will force a check
of the metadata. It also implements its own timeout and forces a
refresh of the metadata when that expires because the dnf expiration
doesn't always work as expected.

Resolves: rhbz#1631561
2018-10-09 15:13:48 -07:00
Brian C. Lane
f5679f61b1 Add a test for repo metadata expiration
This tests to make sure that the metadata timer is working (by setting
it to 10s and adding a new package to the repo), and that
DNFLock.lock_check immediately picks up a new package.

This depends on rpmfluff which is available from Fedora or EPEL repos.

Related: rhbz#1631561
2018-10-09 15:12:21 -07:00
Brian C. Lane
8479319621 Add tests for setting root password and ssh key with blueprints
Related: rhbz#1626120
2018-10-09 15:12:09 -07:00
Brian C. Lane
a1f11f943d Use rootpw for setting the root password instead of user
Ends up you cannot use the kickstart user command on root, since it
already exists, so we have to translate that into a rootpw command.

So [[customizations.user]] with name = "root" only support key, which
will set the ssh key, and password which will use rootpw to set the
password. plain text or encrypted are supported.

Related: rhbz#1626122
2018-10-09 15:12:01 -07:00
Brian C. Lane
0cb4d04479 Lock the root account, except on live-iso
If we leave the root account w/o a password people will use it that way,
leading to insecure images. Also if we use a default password. So lock
the root account in the templates.

Users will need to do one of these things:
 1. Use [[customizations.user]] in their blueprint to configure root or
    another user.
 2. Use [[customizations.sshkey]] to set a key for root
 2. Install a package that configures a user at install time
 3. Install a package that sets up a user at boot time (eg. cloud-init)

This also drops the auth line from the kickstart templates, allowing it
to use the default password algoritm instead of md5.

Resolves: rhbz#1626122
2018-10-09 15:11:51 -07:00
David Shea
3ea07ed44a Add new compose types to compose sanity test 2018-10-09 15:11:36 -07:00
Lars Karlitski
9ae690e3b6 Also run make check on travis 2018-10-09 15:10:45 -07:00
Lars Karlitski
d8cb1a19f8 Fix pylint errors and warnings
Remove `except` block which immediately raises the same exception again (it's
not a subclass of another caught exception, so this is safe).

Remove a false positive, because it is not emitted from the code base.

Disable subprocess-popen-preexec-fn in startProgram, which is not used
internally.
2018-10-09 15:04:43 -07:00
Alexander Todorov
ca1bf01b03 New cli test covering basic compose commands
- need to specify --sharedir so lorax-composer can find its
  kickstart files

- each test script writes results into a separate directory to
  avoid a passing test overwriting the results from a failing one.
  To avoid reporting failures in case of previously failing tests
  (e.g. during development) remove the temporary directories holding
  tets results before execution!
2018-10-09 15:03:24 -07:00
Alexander Todorov
ee62425388 Execute bash tests for composer-cli
these are built on top of beakerlib and we use its internal
protocol to figure out the result without relying on the full
test runner that is tipically used inside of a RHEL environment!

Includes a disabled test snippet for Issue #460
2018-10-09 15:02:57 -07:00
Stef Walter
e95c09dd7e Start a HACKING.md file and document how to run the tests 2018-10-09 15:02:38 -07:00
Stef Walter
5cb1748908 Ignore files created by tests 2018-10-09 15:01:26 -07:00
Stef Walter
5891879ae4 Makefile: Fix the 'make install' target
This fixes the 'make install' target to work on a typical RHEL or
Fedora system. We now by default install to a prefix of /usr instead
of /usr/local

The prefix is overridable like so:

     $ make install PREFIX=/opt/
2018-10-09 15:01:14 -07:00
Brian C. Lane
48f7ad780d lorax: Only run depmod on the installed kernels
In the near-future there may be /lib/modules/ directories for older
kernels with weak dependencies listed. These may not match the installed
kernel(s) so we cannot depend on them to drive generate_module_data.

Instead use the existing findkernels() function to get the list of
installed kernels and iterate those, running depmod on them.

Resolves: rhbz#1622213
2018-10-09 14:51:05 -07:00
David Shea
2304a73676 Add virt guest agents to the qcow2 compose
(cherry picked from commit d5a1993640)
2018-10-02 12:56:56 -04:00
David Shea
de6e1d027e Add a vmdk compose type.
This is similar to the AMI type, but also adds open-vm-tools and does not do
anything special to the partitioning

(cherry picked from commit 1056bfc25b)
2018-10-02 12:56:52 -04:00
David Shea
68c1a7aa96 Add a vhd compose type for Azure images
This does pretty much the same things as the AMI compose type, but also
replaces NetworkManager with the Azure linux agent.

(cherry picked from commit e0c236ff36)
2018-10-02 12:56:47 -04:00
David Shea
f79fd46f1f Add an ami compose type for AWS images
This differs from lmc's --make-ami in that creates a full disk image instead of
an fsimage. Create a raw disk image with a / and /boot partitions, and enable
sshd, chronyd, and cockpit by default.

(cherry picked from commit 18188bf6cf)
2018-10-02 12:56:33 -04:00
David Shea
09b34889bc Remove --fstype from the generated part line
Instead of specifying the fstype, just let anaconda use the default.

(cherry picked from commit 847fff4e11)
2018-10-02 12:56:03 -04:00
Brian C. Lane
7823d46747 New lorax documentation - 28.18 2018-09-06 10:41:38 -07:00
Brian C. Lane
6eb357e71e Fix /compose/cancel API documentation
It said /blueprints/cancel which is incorrect.
2018-08-29 10:08:15 -07:00
Brian C. Lane
a951bf083d Automatic commit of package [lorax] release [28.18-1].
Created by command:

/usr/bin/tito tag
2018-08-27 15:47:16 -07:00
Brian C. Lane
a286e9b3dc Fix composer-cli blueprints changes to get correct total
blueprints/changes is different, each blueprint has it's own total,
limited by the call's limit. So it needs to find the max total of all
the requested blueprints.

(cherry picked from commit 57674c9a1a)
2018-08-27 12:02:39 -07:00