Commit Graph

2001 Commits

Author SHA1 Message Date
Brian C. Lane
99d867db65 lorax-composer: Install selinux-policy-targeted in images
This is required to ensure that SELinux is configured properly while
building. It fixes the problem with building tar, and should be
installed in the other image types for consistency.

Resolves: rhbz#1645189
(cherry picked from commit 9ac4508135)
2018-11-29 11:11:28 -08:00
Brian C. Lane
4a4a415f88 Remove setfiles from mkrootfsimage
SELinux applies the correct labels, setfiles is no longer needed.
This allows lorax to run with SELinux in Enforcing mode.

(cherry picked from commit 8b11705ea0)
2018-11-29 11:11:28 -08:00
Brian C. Lane
080705e8e6 Remove SELinux Permissive checks
Anaconda, Lorax, lorax-composer, and livemedia-creator can all now run
with SELinux in Enforcing mode. It does not need to be disabled and if
there are denials they should be reported as a bug.

Log the current state of SELinux when starting, update the
documentation.

(cherry picked from commit 35b8957f12)
2018-11-29 11:11:28 -08:00
Brian C. Lane
43ff505804 Add --no-system-repos to lorax-composer
Running lorax-composer --no-system-repos will prevent it from copying
the dnf repositories from /etc/yum.repos.d/ into the lorax-composer repo
directory. It will *only* use repositories setup using the sources api
or written to /var/lib/lorax/composer/repos.d/

If lorax-composer has previously been run without this switch the system
repos will need to be removed from the composer/repos.d/ directory. It
would also be a good idea to remove the cached metadata in
/var/tmp/composer/

Resolves: rhbz#1650363
2018-11-29 11:11:28 -08:00
Brian C. Lane
a357c42f2d Automatic commit of package [lorax] release [29.20-1].
Created by command:

/usr/bin/tito tag
2018-10-29 15:52:25 -07:00
Brian C. Lane
5cf54c6f29 New lorax documentation - 29.20 2018-10-29 15:04:22 -07:00
Brian C. Lane
1006af4232 Add tests for ltmpl.py
This covers things like installing globbed package names from multiple
repos, pinned package versions, and ltmpl functions

Related: rhbz#1548586
(cherry picked from commit a4783ba29f)
2018-10-29 14:49:49 -07:00
Brian C. Lane
8a53d5e310 Move get_dnf_base_object into a module
This allows it to be imported by tests.

(cherry picked from commit befa3128d7)
2018-10-29 14:49:39 -07:00
Brian C. Lane
d9b282150e Build manpages for composer-cli and lorax-composer
Add manpage creation to make docs target to keep them updated.

(cherry picked from commit 7500a17f27)
2018-10-29 14:49:15 -07:00
Brian C. Lane
bdbd8258f0 Fix singlerepo test for f29 2018-10-29 14:48:40 -07:00
Brian C. Lane
88a0b475e9 Update the projects tests to use DNF Repo object
Stop using fake dnf object, use the real thing. This will help catch
problems with dnf returning unexpected types like VectorString.

(cherry picked from commit 27aff75aa3)
2018-10-29 14:27:23 -07:00
Brian C. Lane
af28b25e50 dnf changed the type of gpgkey to a tuple
And in an intermediate version it returns a VectorString object which
isn't serializable by the json or toml modules.

So convert it to a list so that the type is consistent in the sources
code.

(cherry picked from commit e9e5139750)
2018-10-29 14:27:13 -07:00
Brian C. Lane
4192dfc709 Install python3-librepo in the test container
(cherry picked from commit e1dc54ea8c)
2018-10-29 14:13:05 -07:00
Brian C. Lane
49db5403b8 Automatic commit of package [lorax] release [29.19-1].
Created by command:

/usr/bin/tito tag
2018-10-12 16:03:19 -07:00
Brian C. Lane
eafc2796a1 Update depsolving with suggestions from dnf (#1636239)
The previous method worked, but wasn't exactly idiomatic. This is more
correct, and appears to work the same (templates depsolve, version globs
work, multiple repos work).

Note that this does use a private dnf attribute ._goal, but the word is
that this is going to become a public api soon, so yes it is there on
purpose.
2018-10-12 11:02:13 -07:00
Brian C. Lane
f3cbeb8808 Disable false context-manager pylint error 2018-10-11 10:30:04 -07:00
Brian C. Lane
6fb5910acd Fix directory creation for blueprints
Depending on how lorax-composer is run setting up an empty blueprints
directory can fail. So this moves checking/creation until after the
other directories are created and uses make_owned_dir to make sure
ownership is correct.
2018-10-10 14:25:38 -07:00
Brian C. Lane
708cadee82 Update the tests for new make_dnf_dir arguments.
Use the uid and gid that the test is running as instead of hard-coding
0.
2018-10-10 14:25:38 -07:00
Brian C. Lane
3499426b2d Change make_dnf_dirs to be run as root
It needs to be root in order to set the ownership and permissions on the
directories that are under /var/lib/lorax/composer/

Refactor the directory creation into a utility function, and use a umask
of 0o006 to ensure that the parent directories created do not have o+rw
set on them (makedirs behavior is different between Python 3.6 and 3.7
so umask of 0 doesn't work consistently).
2018-10-10 14:25:38 -07:00
Brian C. Lane
5efce31772 Automatic commit of package [lorax] release [29.18-1].
Created by command:

/usr/bin/tito tag
2018-10-09 11:39:23 -07:00
Brian C. Lane
ce6fa9c05f Add an openstack image type
This is a qcow2 image with cloud-init in the template.
2018-10-09 11:07:46 -07:00
David Shea
a76aad36f6 Add cloud-init to vhd images.
cloud-init can be used in Azure now
2018-10-09 11:34:19 -04:00
David Shea
e116a5f4be Replace /etc/machine-id with an empty file
Since these images can be used to create multiple machines, they should
not have a unique machine-id attached to them. Replace /etc/machine-id
with an empty file so that it will be regenerated at boot time.
2018-10-09 11:34:17 -04:00
Brian C. Lane
f86aaa5d37 Automatic commit of package [lorax] release [29.17-1].
Created by command:

/usr/bin/tito tag
2018-10-08 16:03:05 -07:00
Brian C. Lane
d03e6e8c7e Update cli tests to use composer-cli name 2018-10-08 15:53:15 -07:00
Brian C. Lane
e63da65ad1 Revert "Rename composer-cli to composer"
This reverts commit d540ba3a23.

It conflicts with the PHP dependency manager project named 'composer'
2018-10-08 15:51:24 -07:00
Brian C. Lane
16dccde87f Automatic commit of package [lorax] release [29.16-1].
Created by command:

/usr/bin/tito tag
2018-10-05 14:55:28 -07:00
Brian C. Lane
f24f84282d Work around dnf problem with multiple repos
If a package is in multiple repos dnf may return more than 1 of them
when using best...glob so we pick the highest NEVRA one and install
that.

Related: rhbz#1636239
2018-10-05 09:44:16 -07:00
Lars Karlitski
8f1bc6e882 Add and enable cloud-init for ami images
Images don't work at all on AWS without cloud-init.

Fixes #492
2018-10-05 09:09:10 -07:00
Brian C. Lane
29fe174b6b Switch default platform id to f29 2018-10-05 09:09:10 -07:00
Brian C. Lane
d65a502861 Report an error if the blueprint doesn't exist
composer-cli uses TOML for 'blueprints save' which was returning an
empty 200 response if the blueprint didn't exist. Change this to return
a standard 400 error response if the blueprint doesn't exist.

composer-cli is already setup to handle receiving json when an error is
returned so just the toml API response for `blueprints/save` needed to
be changed.
2018-10-05 09:09:10 -07:00
Lars Karlitski
ec47fe12a9 cli: Clarify error message for unprivileged access
`os.path.exists("/run/weldr/api.socket")` returns False for users which have no
access. This leads to composer printing that the file does not exist, which is
misleading.

Since it's no possible to distinguish the two cases, fix this problem by
combining them and showing a single error message.
2018-10-05 09:09:10 -07:00
Brian C. Lane
c7b4dce2b6 Write a rootpw line if no root customizations in the blueprint
Anaconda requires the root password to be set or locked, so if there
isn't anything setting it we write out 'rootpw --lock'

Also adds tests for this.

Resolves: rhbz#1626122
2018-10-05 09:09:10 -07:00
Brian C. Lane
b35fe9d32a Add beakerlib to Dockerfile.test
Also kill the lorax-composer process and remove /run/weldr/api.socket
so that when this is run with podman you don't get an error about
attempting to tar up the socket.
2018-10-05 09:09:10 -07:00
Brian C. Lane
75523f7a49 Adjust the new templates for locked root
also remote the auth line so that it uses the defaults.

Related: rhbz#1628645
Related: rhbz#1628646
Related: rhbz#1628647
Related: rhbz#1628648
2018-10-05 09:09:10 -07:00
Brian C. Lane
1f514a3e55 Adjust projects test for DNF 3.6.1 tuple issue 2018-10-05 09:09:10 -07:00
Adam Williamson
8bc6282083 Don't try to append to DNF config value that can't take it
See https://bugzilla.redhat.com/show_bug.cgi?id=1595917 and
https://github.com/rpm-software-management/dnf/pull/1200 for
more on this. Briefly, DNF before 3.0 presented this config
value as a list...and mutating it worked. DNF from 3.0 until
3.6 presented it as a list...mutating it didn't work, but also
didn't *fail*, so this has actually not been doing anything on
DNF 3.x but we haven't noticed.

In DNF 3.6 values like this are presented as tuples instead of
lists, to try and catch usages like this, and it worked! We
need to change this one.

There is an additional weirdness here. tsflags is actually, in
libdnf terms, an OptionStringListAppend option: that means that
when something tries to *set* its value, the new value is just
appended to the existing list of values. This is very weird
behaviour when you're interacting with it like this, but
happens to be quite useful, as we can just 'set' the value to
a list like this and it will actually get appended (which is
what we want), and this one syntax happens to work correctly in
DNF 2.x, 3.0 through 3.5.1, and 3.6.

Signed-off-by: Adam Williamson <awilliam@redhat.com>
2018-10-05 09:09:10 -07:00
Brian C. Lane
6e86328865 Always update repo metadata when building an image
When the kickstart is handed off to Anaconda for building it will
download its own copy of the metadata and re-run the depsolve. So if the
dnf cache isn't current there will be a mismatch and the build will
fail to find some of the versions in final-kickstart.ks

This adds a new context to DNFLock, .lock_check, that will force a check
of the metadata. It also implements its own timeout and forces a
refresh of the metadata when that expires because the dnf expiration
doesn't always work as expected.

Resolves: rhbz#1631561
2018-10-05 09:09:10 -07:00
Brian C. Lane
5184ccef9f Add a test for repo metadata expiration
This tests to make sure that the metadata timer is working (by setting
it to 10s and adding a new package to the repo), and that
DNFLock.lock_check immediately picks up a new package.

This depends on rpmfluff which is available from Fedora or EPEL repos.

Related: rhbz#1631561
2018-10-05 09:09:10 -07:00
Brian C. Lane
1c0705f4e0 Add tests for setting root password and ssh key with blueprints
Related: rhbz#1626120
2018-10-05 09:09:10 -07:00
Brian C. Lane
891729528f Use rootpw for setting the root password instead of user
Ends up you cannot use the kickstart user command on root, since it
already exists, so we have to translate that into a rootpw command.

So [[customizations.user]] with name = "root" only support key, which
will set the ssh key, and password which will use rootpw to set the
password. plain text or encrypted are supported.

Related: rhbz#1626122
2018-10-05 09:09:10 -07:00
Brian C. Lane
8963c33e16 Lock the root account, except on live-iso
If we leave the root account w/o a password people will use it that way,
leading to insecure images. Also if we use a default password. So lock
the root account in the templates.

Users will need to do one of these things:
 1. Use [[customizations.user]] in their blueprint to configure root or
    another user.
 2. Use [[customizations.sshkey]] to set a key for root
 2. Install a package that configures a user at install time
 3. Install a package that sets up a user at boot time (eg. cloud-init)

This also drops the auth line from the kickstart templates, allowing it
to use the default password algoritm instead of md5.

Resolves: rhbz#1626122
2018-10-05 09:09:10 -07:00
David Shea
3ad5a5cccf Add new compose types to compose sanity test 2018-10-05 09:09:10 -07:00
David Shea
bd8fdb8c0e Add virt guest agents to the qcow2 compose 2018-10-05 09:09:10 -07:00
David Shea
ecd4327a01 Add a vmdk compose type.
This is similar to the AMI type, but also adds open-vm-tools and does not do
anything special to the partitioning
2018-10-05 09:09:10 -07:00
David Shea
d6274ec413 Add a vhd compose type for Azure images
This does pretty much the same things as the AMI compose type, but also
replaces NetworkManager with the Azure linux agent.
2018-10-05 09:09:10 -07:00
David Shea
af3cab0dfe Add an ami compose type for AWS images
This differs from lmc's --make-ami in that creates a full disk image instead of
an fsimage. Create a raw disk image with a / and /boot partitions, and enable
sshd, chronyd, and cockpit by default.
2018-10-05 09:09:10 -07:00
David Shea
0e629f3d2a Remove --fstype from the generated part line
Instead of specifying the fstype, just let anaconda use the default.
2018-10-05 09:09:10 -07:00
Lars Karlitski
3cd4a3cb49 Also run make check on travis 2018-10-05 09:09:10 -07:00
Lars Karlitski
e559418ec4 Fix pylint errors and warnings
Remove `except` block which immediately raises the same exception again (it's
not a subclass of another caught exception, so this is safe).

Remove a false positive, because it is not emitted from the code base.

Disable subprocess-popen-preexec-fn in startProgram, which is not used
internally.
2018-10-05 09:09:10 -07:00