bbaassssiiee/fedora-kickstarts
1
0
Fork 0
forked from srbala/fedora-kickstarts
Code Issues Pull Requests Releases Activity
72a583d4a4
fedora-kickstarts/fedora-docker-base.ks
Colin Walters 7a6f83699b docker: Don't use a hardcoded root password 
Best practice is to use unprivileged service daemons inside Docker
containers.  But with this hardcoded root password, in the case of
remote code execution, an attacker could trivially escalate their
privileges to root/uid 0.  And while that's uid 0 inside a container,
that's a much larger attack surface.

Instead, do the same thing we're doing for the Cloud images: lock the
root password, create a user to make Anaconda happy, then delete the
user in %post.

https://bugzilla.redhat.com/show_bug.cgi?id=1175997
2015-05-06 14:37:19 -04:00

81 lines
2.5 KiB
Plaintext
Raw Blame History

# This is a minimal Fedora install designed to serve as a Docker base image.
#
# To keep this image minimal it only installs English language. You need to change
# yum configuration in order to enable other languages.
#
### Hacking on this image ###
# This kickstart is processed using Anaconda-in-ImageFactory (via Koji typically),
# but you can run imagefactory locally too.
#
# To do so, testing local changes, first you'll need a TDL file. I store one here:
# https://git.fedorahosted.org/cgit/fedora-atomic.git/tree/fedora-atomic-rawhide.tdl
#
# Then, once you have imagefactory and imagefactory-plugins installed, run:
#
# imagefactory --debug target_image --template /path/to/fedora-atomic-rawhide.tdl --parameter offline_icicle true --file-parameter install_script $(pwd)/fedora-docker-base.ks docker
#
cmdline
bootloader --location=none
timezone --isUtc --nontp Etc/UTC
rootpw --lock --iscrypted locked
user --name=none
keyboard us
zerombr
clearpart --all
part / --size 3000 --fstype ext4
network --bootproto=dhcp --device=link --activate --onboot=on
reboot
%packages --excludedocs --instLangs=en --nocore
bash
fedora-release
rootfiles
vim-minimal
dnf
dnf-yum # https://fedorahosted.org/fesco/ticket/1312#comment:29
#fakesystemd #TODO: waiting for review https://bugzilla.redhat.com/show_bug.cgi?id=1118740
-kernel
%end
%post --log=/tmp/anaconda-post.log
# Set the language rpm nodocs transaction flag persistently in the
# image yum.conf and rpm macros
# remove the user anaconda forces us to make
userdel -r none
LANG="en_US"
echo "%_install_lang $LANG" > /etc/rpm/macros.image-language-conf
awk '(NF==0&&!done){print "override_install_langs='$LANG'\ntsflags=nodocs";done=1}{print}' \
< /etc/yum.conf > /etc/yum.conf.new
mv /etc/yum.conf.new /etc/yum.conf
echo "Import RPM GPG key"
releasever=$(rpm -q --qf '%{version}\n' fedora-release)
basearch=$(uname -i)
rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-$releasever-$basearch
rm -f /usr/lib/locale/locale-archive
#Setup locale properly
localedef -v -c -i en_US -f UTF-8 en_US.UTF-8
rm -rf /var/cache/yum/*
rm -f /tmp/ks-script*
#Make it easier for systemd to run in Docker container
cp /usr/lib/systemd/system/dbus.service /etc/systemd/system/
sed -i 's/OOMScoreAdjust=-900//' /etc/systemd/system/dbus.service
#Mask mount units and getty service so that we don't get login prompt
systemctl mask systemd-remount-fs.service dev-hugepages.mount sys-fs-fuse-connections.mount systemd-logind.service getty.target console-getty.service
rm -f /etc/machine-id
%end
Reference in New Issue View Git Blame Copy Permalink