Best practice is to use unprivileged service daemons inside Docker
containers. But with this hardcoded root password, in the case of
remote code execution, an attacker could trivially escalate their
privileges to root/uid 0. And while that's uid 0 inside a container,
that's a much larger attack surface.
Instead, do the same thing we're doing for the Cloud images: lock the
root password, create a user to make Anaconda happy, then delete the
user in %post.
https://bugzilla.redhat.com/show_bug.cgi?id=1175997

We control the actual size of the virtual disks with options on the
koji command line. This change will allow the Vagrant root
partition to grow to the 40 GB we allocate in the koji image build
while the base cloud image will remain essentially unchanged, as it
is set to 3 GB in the rel-eng koji call.

It gets installed at box launch time anyway. Save users the
annoyance of having to wait. This is in line with the Atomic
Vagrant images as well, which contain rsync in the composed tree.

Comps commit b802fd1c8472bcf5eb2587cd9ba20fb301bbaa6e changed
workstation-product-environment to include the whole of @firefox group,
as opposed to just including the firefox package in the
workstation-product group. This commit syncs the change here too.

I committed this 5 years ago with only a minimum of review; its main
feature was easier SSH key injection, a problem which has been solved
much better by the cloud image which uses `cloud-init`, as well as the
Vagrant boxes which use hardcoded vagrant SSH keys.
It is not included in f22 and will need to be re-reviewed and submitted
if interested parties step up and want to actively maintain and test
Signed-off-by: Dennis Gilmore <dennis@ausil.us>

boswars is building again and no longer has a library conflict.
However, this will put the games spin very close to 4 GiB and some
more tweaking might be needed.

Even though it's silly, the ImageFactory-in-Koji use case calls into
libguestfs to introspect the target system, and libguestfs relies on
/etc/fstab to detect installed operating systems.

rpm-ostree-toolbox always uses this code path now; we spawn an "ostree
trivial-httpd" even for local use. That way the same template can be
used for both remote repositories and local ones.

Now that cloud-init is enabled in the systemd unit, that change
goes in /usr/lib...which we can't easily change. There are
two potentially sane solutions:
- Refactor the kickstarts here
- Some support for systemd presets in kickstart files would
allow us to have a later override here