[node-patches] Change in ovirt-node[master]: recipe: include centos kickstart files based on rhevh6
charles_rose at dell.com
charles_rose at dell.com
Mon Sep 17 16:48:23 UTC 2012
Charles Rose has uploaded a new change for review.
Change subject: recipe: include centos kickstart files based on rhevh6
......................................................................
recipe: include centos kickstart files based on rhevh6
Updated centos6-pkgs and added the rest.
Change-Id: I3f98cb698bf987eed695e4d1ad890154dd29b516
Signed-off-by: Charles Rose <charles_rose at dell.com>
---
A recipe/centos6-install.ks
A recipe/centos6-minimizer.ks
M recipe/centos6-pkgs.ks
A recipe/centos6-post.ks
4 files changed, 269 insertions(+), 1 deletion(-)
git pull ssh://gerrit.ovirt.org:29418/ovirt-node refs/changes/27/8027/1
diff --git a/recipe/centos6-install.ks b/recipe/centos6-install.ks
new file mode 100644
index 0000000..0bd7719
--- /dev/null
+++ b/recipe/centos6-install.ks
@@ -0,0 +1 @@
+services --enabled=auditd,ntpd,ntpdate,iptables,network,rsyslog,multipathd,snmpd,ovirt-early,ovirt-post,ovirt-cim,cgconfig --disabled=netfs,ovirt-awake,libvirt-guests,libvirtd
diff --git a/recipe/centos6-minimizer.ks b/recipe/centos6-minimizer.ks
new file mode 100644
index 0000000..9e2a998
--- /dev/null
+++ b/recipe/centos6-minimizer.ks
@@ -0,0 +1,9 @@
+# RHEL specific image minimization
+droprpm cvs
+droprpm gettext
+droprpm hesiod
+droprpm procmail
+droprpm sendmail
+drop /etc/rc.d/init.d/libvirt-guests
+drop /var/lib/yum
+drop /etc/yum.repos.d/C*
diff --git a/recipe/centos6-pkgs.ks b/recipe/centos6-pkgs.ks
index b4978c0..2770a42 100644
--- a/recipe/centos6-pkgs.ks
+++ b/recipe/centos6-pkgs.ks
@@ -1,4 +1,15 @@
collectd-virt
-virt-who
libguestfs-winsupport
qemu-kvm
+# workaround: vdsm-reg dep
+traceroute
+# supported hooks
+vdsm-hook-vhostmd
+# rhbz#641494 RFE - add libguestfs
+libguestfs-winsupport
+ltrace
+#VDSM
+vdsm-cli
+vdsm-reg
+# keyboard layout
+system-config-keyboard-base
diff --git a/recipe/centos6-post.ks b/recipe/centos6-post.ks
new file mode 100644
index 0000000..65eb3dd
--- /dev/null
+++ b/recipe/centos6-post.ks
@@ -0,0 +1,247 @@
+# add RHEV-H rwtab locations
+mkdir -p /rhev
+cat > /etc/rwtab.d/rhev << EOF_RWTAB_RHEVH
+empty /rhev
+files /var/lib/vdsm
+dirs /var/db
+dirs /var/lib/rhsm
+EOF_RWTAB_RHEVH
+
+# minimal lsb_release for vdsm-reg (bz#549147)
+cat > /usr/bin/lsb_release <<\EOF_LSB
+#!/bin/sh
+if [ "$1" = "-r" ]; then
+ printf "Release:\t$(cat /etc/rhev-hypervisor-release | awk '{print $7}')\n"
+else
+ echo RedHatEnterpriseVirtualizationHypervisor
+fi
+EOF_LSB
+chmod +x /usr/bin/lsb_release
+
+# CPE name rhbz#593463
+cat > /etc/system-release-cpe <<\EOF_CPE
+cpe:/o:redhat:enterprise_linux:6:update2:hypervisor
+EOF_CPE
+
+echo "Configuring SELinux"
+# custom module for node specific rules
+mkdir /tmp/SELinux
+cd /tmp/SELinux
+cat > ovirt.te << \EOF_OVIRT_TE
+module ovirt 1.0;
+require {
+ type initrc_t;
+ type initrc_tmp_t;
+ type mount_t;
+ type setfiles_t;
+ type shadow_t;
+ type unconfined_t;
+ class file { append mounton open getattr read execute ioctl lock entrypoint };
+ class fd { use };
+ class process { sigchld signull transition noatsecure siginh rlimitinh getattr };
+ class fifo_file { getattr open read write append lock ioctl };
+ class filesystem getattr;
+ class dir { getattr search open read lock ioctl };
+ class socket { read write };
+ class tcp_socket { read write };
+ class udp_socket { read write };
+ class rawip_socket { read write };
+ class netlink_socket { read write };
+ class packet_socket { read write };
+ class unix_stream_socket { read write create ioctl getattr lock setattr append bind connect getopt setopt shutdown connectto };
+ class unix_dgram_socket { read write };
+ class appletalk_socket { read write };
+ class netlink_route_socket { read write };
+ class netlink_firewall_socket { read write };
+ class netlink_tcpdiag_socket { read write };
+ class netlink_nflog_socket { read write };
+ class netlink_xfrm_socket { read write };
+ class netlink_selinux_socket { read write };
+ class netlink_audit_socket { read write };
+ class netlink_ip6fw_socket { read write };
+ class netlink_dnrt_socket { read write };
+ class netlink_kobject_uevent_socket { read write };
+ class tun_socket { read write };
+ class chr_file { getattr read write append ioctl lock open };
+ class lnk_file { getattr read };
+ class sock_file { getattr write open append };
+}
+allow mount_t shadow_t:file mounton;
+allow setfiles_t initrc_tmp_t:file append;
+type ovirt_exec_t;
+init_daemon_domain(unconfined_t,ovirt_exec_t)
+EOF_OVIRT_TE
+cat > ovirt.fc << \EOF_OVIRT_FC
+/etc/rc\.d/init\.d/ovirt-firstboot -- gen_context(system_u:object_r:ovirt_exec_t)
+/etc/rc\.d/init\.d/ovirt-post -- gen_context(system_u:object_r:ovirt_exec_t)
+EOF_OVIRT_FC
+make NAME=targeted -f /usr/share/selinux/devel/Makefile
+semodule -v -i ovirt.pp
+cd /
+rm -rf /tmp/SELinux
+
+echo "Configuring IPTables"
+# here, we need to punch the appropriate holes in the firewall
+cat > /etc/sysconfig/iptables << \EOF
+# oVirt automatically generated firewall configuration
+*filter
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
+-A INPUT -p icmp -j ACCEPT
+-A INPUT -i lo -j ACCEPT
+# vdsm
+-A INPUT -p tcp --dport 54321 -j ACCEPT
+# libvirt tls
+-A INPUT -p tcp --dport 16514 -j ACCEPT
+# SSH
+-A INPUT -p tcp --dport 22 -j ACCEPT
+# guest consoles
+-A INPUT -p tcp -m multiport --dports 5634:6166 -j ACCEPT
+# migration
+-A INPUT -p tcp -m multiport --dports 49152:49216 -j ACCEPT
+# snmp
+-A INPUT -p udp --dport 161 -j ACCEPT
+#
+-A INPUT -j REJECT --reject-with icmp-host-prohibited
+-A FORWARD -m physdev ! --physdev-is-bridged -j REJECT --reject-with icmp-host-prohibited
+COMMIT
+EOF
+# configure IPv6 firewall, default is all ACCEPT
+cat > /etc/sysconfig/ip6tables << \EOF
+# oVirt automatically generated firewall configuration
+*filter
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
+-A INPUT -p ipv6-icmp -j ACCEPT
+-A INPUT -i lo -j ACCEPT
+# libvirt tls
+-A INPUT -p tcp --dport 16514 -j ACCEPT
+# SSH
+-A INPUT -p tcp --dport 22 -j ACCEPT
+# guest consoles
+-A INPUT -p tcp -m multiport --dports 5634:6166 -j ACCEPT
+# migration
+-A INPUT -p tcp -m multiport --dports 49152:49216 -j ACCEPT
+# snmp
+-A INPUT -p udp --dport 161 -j ACCEPT
+# unblock ipv6 dhcp response
+-A INPUT -p udp --dport 546 -j ACCEPT
+-A INPUT -j REJECT --reject-with icmp6-adm-prohibited
+-A FORWARD -m physdev ! --physdev-is-bridged -j REJECT --reject-with icmp6-adm-prohibited
+COMMIT
+EOF
+
+# remove errors from /sbin/dhclient-script
+DHSCRIPT=/sbin/dhclient-script
+sed -i 's/mv /cp -p /g' $DHSCRIPT
+sed -i '/rm -f.*${interface}/d' $DHSCRIPT
+sed -i '/rm -f \/etc\/localtime/d' $DHSCRIPT
+sed -i '/rm -f \/etc\/ntp.conf/d' $DHSCRIPT
+sed -i '/rm -f \/etc\/yp.conf/d' $DHSCRIPT
+
+# prevent node from hanging on reboot due to /etc mounts
+patch -d /etc/init.d/ -p0 << \EOF_halt
+--- halt.orig 2009-12-05 00:44:29.000000000 +0000
++++ halt 2010-03-24 18:12:36.000000000 +0000
+@@ -138,7 +138,7 @@
+ $"Unmounting pipe file systems (retry): " \
+ -f
+
+-LANG=C __umount_loop '$2 ~ /^\/$|^\/proc|^\/dev/{next}
++LANG=C __umount_loop '$2 ~ /^\/$|^\/proc|^\/etc|^\/dev/{next}
+ $3 == "tmpfs" || $3 == "proc" {print $2 ; next}
+ /(loopfs|autofs|nfs|cifs|smbfs|ncpfs|sysfs|^none|^\/dev\/ram|^\/dev\/root$)/ {next}
+ {print $2}' /proc/mounts \
+EOF_halt
+
+# rhbz#675868
+# Modify rc.sysinit
+patch -d /etc/rc.d -p0 << \EOF_rc_sysinit
+--- rc.sysinit.orig 2012-08-27 12:59:56.181488153 +0530
++++ rc.sysinit 2012-08-27 13:02:45.554484158 +0530
+@@ -43,7 +43,7 @@
+ fi
+
+ if [ -n "$SELINUX_STATE" -a -x /sbin/restorecon ] && __fgrep " /dev " /proc/mounts >/dev/null 2>&1 ; then
+- /sbin/restorecon -R -F /dev 2>/dev/null
++ /sbin/restorecon -e /dev/.initramfs -R /dev 2>/dev/null
+ fi
+
+ disable_selinux() {
+@@ -503,9 +503,9 @@
+ # filesystems are NOT unmounted in single user mode.
+ # The 'no' applies to all listed filesystem types. See mount(8).
+ if [ "$READONLY" != "yes" ] ; then
+- action $"Mounting local filesystems: " mount -a -t nonfs,nfs4,smbfs,ncpfs,cifs,gfs,gfs2 -O no_netdev
++ action $"Mounting local filesystems: " mount -a -t nonfs,nfs4,smbfs,ncpfs,cifs,gfs,gfs2,noproc,nosysfs,nodevpts -O no_netdev
+ else
+- action $"Mounting local filesystems: " mount -a -n -t nonfs,nfs4,smbfs,ncpfs,cifs,gfs,gfs2 -O no_netdev
++ action $"Mounting local filesystems: " mount -a -n -t nonfs,nfs4,smbfs,ncpfs,cifs,gfs,gfs2,noproc,nosysfs,nodevpts -O no_netdev
+ fi
+
+ # Update quotas if necessary
+EOF_rc_sysinit
+
+# rhbz#675868
+# Modify start_udev
+patch -d /sbin -p0 << \EOF_start_udev
+--- start_udev.orig 2011-03-30 12:32:03.000000000 +0000
++++ start_udev 2011-09-02 17:16:57.954610422 +0000
+@@ -121,7 +121,7 @@
+ #/bin/chown root:root /dev/fuse
+
+ if [ -x /sbin/restorecon ]; then
+- /sbin/restorecon -R /dev
++ /sbin/restorecon -e /dev/.initramfs -R /dev
+ fi
+
+ if [ -x "$MAKEDEV" ]; then
+EOF_start_udev
+
+# semanage is not present in the image and virt_use_nfs is on (see rhbz#642209)
+# remove it from vdsmd startup script to avoid error
+sed -i 's#/usr/sbin/semanage#/bin/true#' /etc/rc.d/init.d/vdsmd
+
+# libvirtd upstart job is already configured on rhevh
+sed -i 's/ && start_libvirtd$//' /etc/rc.d/init.d/vdsmd
+
+# chkconfig results (symlinks) cannnot be peristed
+sed -i 's#/sbin/chkconfig \$srv off##' /etc/rc.d/init.d/vdsmd
+
+# reserve vdsm port 54321
+augtool << \EOF_sysctl
+set /files/etc/sysctl.conf/net.ipv4.ip_local_reserved_ports 54321
+save
+EOF_sysctl
+
+# set maxlogins to 3
+echo "* - maxlogins 3" >> /etc/security/limits.conf
+
+# rhbz#738170
+patch -d /sbin -p0 << \EOF_mkdumprd
+--- /sbin/mkdumprd.orig 2011-10-06 06:37:49.000000000 +0000
++++ /sbin/mkdumprd 2011-11-01 04:21:19.000000000 +0000
+@@ -583,7 +583,7 @@
+ eth*.*)
+ modalias=8021q
+ ;;
+- br*)
++ rhevm|br*)
+ modalias=bridge
+ ;;
+ *)
+@@ -756,7 +756,7 @@
+ echo >> $MNTIMAGE/etc/ifcfg-$dev
+ echo "BUS_ID=\"Bonding\"" >> $MNTIMAGE/etc/ifcfg-$dev
+ ;;
+- br*)
++ rhevm|br*)
+ for j in `ls /sys/class/net/$dev/brif`
+ do
+ handlenetdev $j
+
+EOF_mkdumprd
--
To view, visit http://gerrit.ovirt.org/8027
To unsubscribe, visit http://gerrit.ovirt.org/settings
Gerrit-MessageType: newchange
Gerrit-Change-Id: I3f98cb698bf987eed695e4d1ad890154dd29b516
Gerrit-PatchSet: 1
Gerrit-Project: ovirt-node
Gerrit-Branch: master
Gerrit-Owner: Charles Rose <charles_rose at dell.com>
More information about the node-patches
mailing list