-
Notifications
You must be signed in to change notification settings - Fork 155
/
fedora-coreos-base.yaml
185 lines (165 loc) · 5.66 KB
/
fedora-coreos-base.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
# Base packages for a Fedora CoreOS like system
include: minimal.yaml
# Modern defaults we want
boot_location: new
tmp-is-dir: true
# Required by Ignition, and makes the system not compatible with Anaconda
machineid-compat: false
releasever: "29"
automatic_version_prefix: "29"
repos:
- fedora
- fedora-updates
- fedora-updates-testing
- dustymabe-ignition
- rfairley-console-login-helper-messages
ignore-removed-users:
- root
ignore-removed-groups:
- root
etc-group-members:
- wheel
- sudo
- systemd-journal
- adm
check-passwd:
type: "file"
filename: "passwd"
check-groups:
type: "file"
filename: "group"
postprocess:
- |
#!/usr/bin/env bash
set -xeuo pipefail
# https://github.com/projectatomic/rpm-ostree/issues/1542#issuecomment-419684977
for x in /etc/yum.repos.d/*modular.repo; do
sed -i -e 's,enabled=[01],enabled=0,' ${x}
done
# The grub bits are mainly designed for desktops, and IMO haven't seen
# enough testing in concert with ostree. At some point we'll flesh out
# the full plan in https://github.com/coreos/fedora-coreos-tracker/issues/47
# NOTE: Also remove 01_fallback_counting once we move to f30
rm -v /etc/grub.d/01_menu_auto_hide
rm -v /usr/lib/systemd/user/grub-boot-success*
# See machineid-compat in host-base.yaml.
# Since that makes presets run on boot, we need to have our defaults in /usr
ln -sfr /usr/lib/systemd/system/{multi-user,default}.target
# Persistent journal by default
echo 'Storage=persistent' >> /etc/systemd/journald.conf
# https://github.com/openshift/os/issues/96
# sudo group https://github.com/openshift/os/issues/96
echo '%sudo ALL=(ALL) NOPASSWD: ALL' > /etc/sudoers.d/coreos-sudo-group
# We're not using resolved yet
rm -f /usr/lib/systemd/system/systemd-resolved.service
# https://github.com/openshift/os/issues/191
# install default PATH file to expand non-login shells PATH for kola
cat > /etc/profile.d/path.sh << 'EOF'
pathmunge /bin
pathmunge /sbin
pathmunge /usr/bin
pathmunge /usr/sbin
pathmunge /usr/local/bin
pathmunge /usr/local/sbin
EOF
# https://github.com/coreos/fedora-coreos-tracker/issues/18
# See also image.ks.
# Growpart /, until we can fix Ignition for separate /var
# (And eventually we want ignition-disks)
cat > /usr/libexec/coreos-growpart << 'EOF'
#!/bin/bash
set -euo pipefail
path=$1
shift
majmin=$(findmnt -nvr -o MAJ:MIN $path)
devpath=$(realpath /sys/dev/block/$majmin)
partition=$(cat $devpath/partition)
parent_path=$(dirname $devpath)
parent_device=/dev/$(basename ${parent_path})
# TODO: make this idempotent, and don't error out if
# we can't resize.
growpart ${parent_device} ${partition} || true
xfs_growfs /sysroot # this is already idempotent
touch /var/lib/coreos-growpart.stamp
EOF
chmod a+x /usr/libexec/coreos-growpart
cat > /usr/lib/systemd/system/coreos-growpart.service <<'EOF'
[Unit]
ConditionPathExists=!/var/lib/coreos-growpart.stamp
Before=sshd.service
[Service]
ExecStart=/usr/libexec/coreos-growpart /
RemainAfterExit=yes
[Install]
WantedBy=multi-user.target
EOF
# See https://github.com/coreos/ignition/issues/600
# which originated from https://github.com/coreos/coreos-metadata/pull/90#discussion_r202438581
cat > /usr/lib/systemd/system/coreos-useradd-core.service <<'EOF'
[Unit]
ConditionFirstBoot=true
Before=sshd.service
[Service]
ExecStart=/usr/bin/sh -c 'if !getent passwd core &>/dev/null; then /usr/sbin/useradd -G wheel,sudo,adm,systemd-journal core; fi'
RemainAfterExit=yes
[Install]
WantedBy=multi-user.target
EOF
cat >/usr/lib/systemd/system-preset/42-coreos.preset << EOF
# Presets here that eventually should live in the generic fedora presets
# This one is from https://github.com/coreos/ignition-dracut
enable ignition-firstboot-complete.service
enable coreos-growpart.service
enable coreos-useradd-core.service
enable console-login-helper-messages-*.service
enable console-login-helper-messages-*.path
EOF
# Let's have a non-boring motd, just like CL (although theirs is more subdued
# nowadays compared to early versions with ASCII art). One thing we do here
# is add --- as a "separator"; the idea is that any "dynamic" information should
# be below that.
cat > /etc/motd <<EOF
Fedora CoreOS (preview)
https://github.com/coreos/fedora-coreos-tracker
WARNING: All aspects subject to change, highly experimental
---
EOF
# And mark as preview in the os-release too, this then shows up in eg. GRUB2
sed -i -e 's/CoreOS/CoreOS preview/' $(realpath /etc/os-release)
packages:
# SELinux
- selinux-policy-targeted policycoreutils-python
- setools-console
# System setup
- ignition ignition-dracut
- dracut-network
- passwd
# SSH
- openssh-server openssh-clients
# Containers
- podman skopeo runc moby-engine
# Networking
- bridge-utils nfs-utils iptables-services
- NetworkManager dnsmasq hostname
# Storage
- cloud-utils-growpart
- lvm2 iscsi-initiator-utils sg3_utils
- device-mapper-multipath
- xfsprogs e2fsprogs mdadm
- cryptsetup
# Time sync
- chrony
# Extra runtime
- authconfig sssd shadow-utils
- logrotate
# Used by admins interactively
- sudo coreutils less tar xz gzip bzip2 tmux
- nmap-ncat net-tools bind-utils
- bash-completion
# Moving files around
- rsync fuse-sshfs
# User experience
- console-login-helper-messages
- console-login-helper-messages-motdgen
- console-login-helper-messages-issuegen
- console-login-helper-messages-profile