forked from coreos/fedora-coreos-config
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathfedora-coreos-base.yaml
179 lines (165 loc) · 5.71 KB
/
fedora-coreos-base.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
# Base packages for a Fedora CoreOS like system
include: minimal.yaml
# Modern defaults we want
boot-location: new
tmp-is-dir: true
initramfs-args:
- --no-hostonly
# We don't support root on NFS, so we don't need it in the initramfs. It also
# conflicts with /var mount support in ignition because NFS tries to mount stuff
# in /var/ and then ignition can't cleanly unmount it. For example:
# https://github.com/dracutdevs/dracut/blob/1856ae95c873a6fe855b3dccd0144f1a96b9e71c/modules.d/95nfs/nfs-start-rpc.sh#L7
# See also discussion in https://github.com/coreos/fedora-coreos-config/pull/60
- --omit=nfs
# Omit these since we don't use them
- --omit=lvm
- --omit=multipath
- --omit=iscsi
# Required by Ignition, and makes the system not compatible with Anaconda
machineid-compat: false
releasever: "30"
automatic-version-prefix: "30"
mutate-os-release: "30"
repos:
- fedora
- fedora-updates
- fedora-coreos-pool
# Be minimal
recommends: false
ignore-removed-users:
- root
ignore-removed-groups:
- root
etc-group-members:
- wheel
- sudo
- systemd-journal
- adm
check-passwd:
type: "file"
filename: "passwd"
check-groups:
type: "file"
filename: "group"
default-target: multi-user.target
remove-from-packages:
# We're not using resolved yet.
# We're not using networkd.
# We don't want systemd-firstboot.service. It conceptually conflicts with
# Ignition.
- [systemd, /etc/systemd/networkd.conf,
/usr/bin/systemd-firstboot,
/usr/lib/systemd/systemd-networkd,
/usr/lib/systemd/systemd-networkd-wait-online,
/usr/lib/systemd/systemd-resolved,
/usr/lib/systemd/system/systemd-firstboot.service,
/usr/lib/systemd/system/systemd-networkd.service,
/usr/lib/systemd/system/systemd-networkd.socket,
/usr/lib/systemd/system/systemd-networkd-wait-online.service,
/usr/lib/systemd/system/systemd-resolved.service,
/usr/lib/systemd/system/sysinit.target.wants/systemd-firstboot.service]
# The grub bits are mainly designed for desktops, and IMO haven't seen
# enough testing in concert with ostree. At some point we'll flesh out
# the full plan in https://github.com/coreos/fedora-coreos-tracker/issues/47
- [grub2-tools, /etc/grub.d/08_fallback_counting,
/etc/grub.d/10_reset_boot_success,
/etc/grub.d/12_menu_auto_hide,
/usr/lib/systemd/.*]
# Drop NetworkManager support for ifcfg files.
- [NetworkManager, /usr/lib64/NetworkManager/.*/libnm-settings-plugin-ifcfg-rh.so]
remove-files:
# We don't ship man(1) or info(1)
- usr/share/info
- usr/share/man
# Drop text docs too
- usr/share/doc
# ⚠⚠⚠ ONLY TEMPORARY HACKS ALLOWED HERE; ALL ENTRIES NEED TRACKER LINKS ⚠⚠⚠
postprocess:
# This will be dropped once rpm-ostree because module-aware.
# https://github.com/projectatomic/rpm-ostree/issues/1542#issuecomment-419684977
# https://github.com/projectatomic/rpm-ostree/issues/1435
- |
#!/usr/bin/env bash
set -xeuo pipefail
for x in /etc/yum.repos.d/*modular.repo; do
sed -i -e 's,enabled=[01],enabled=0,' ${x}
done
# Read the Ignition 2 and Afterburn SSH key fragments, pending better tooling
# https://github.com/coreos/fedora-coreos-tracker/issues/139
- |
#!/usr/bin/env bash
set -xeuo pipefail
sed -i 's/^AuthorizedKeysFile[[:blank:]]/#&/' /etc/ssh/sshd_config
echo -e '\n# Read authorized_keys fragments written by Ignition and Afterburn\nAuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys.d/ignition .ssh/authorized_keys.d/afterburn' >> /etc/ssh/sshd_config
# Disable SSH password logins by default
# Move to overlay once sshd_config fragments are supported
# https://github.com/coreos/fedora-coreos-tracker/issues/138
- |
#!/usr/bin/env bash
set -xeuo pipefail
sed -Ei 's/^(PasswordAuthentication|PermitRootLogin)[[:blank:]]/#&/' /etc/ssh/sshd_config
echo -e '\n# Disable password logins by default\nPasswordAuthentication no\nPermitRootLogin prohibit-password' >> /etc/ssh/sshd_config
# This will be dropped once FCOS is out of preview.
# See also experimental.motd in overlay/.
# https://github.com/coreos/fedora-coreos-tracker/issues/164
- |
#!/usr/bin/env bash
set -xeuo pipefail
sed -i -e 's/CoreOS/CoreOS preview/' $(realpath /etc/os-release)
# Undo RPM scripts enabling units; we want the presets to be canonical
# https://github.com/projectatomic/rpm-ostree/issues/1803
- |
#!/usr/bin/env bash
set -xeuo pipefail
rm -rf /etc/systemd/system/*
systemctl preset-all
packages:
# Security
- selinux-policy-targeted
- polkit
# System setup
- ignition
- afterburn
- dracut-network
- passwd
# SSH
- openssh-server openssh-clients
# Containers
- podman skopeo runc moby-engine
- fuse-overlayfs slirp4netns
# Networking
- bridge-utils nfs-utils-coreos
- NetworkManager hostname
- iproute-tc
- adcli
# Static firewalling
- iptables nftables iptables-nft iptables-services
# Storage
- cloud-utils-growpart
- lvm2 iscsi-initiator-utils sg3_utils
- device-mapper-multipath
- xfsprogs e2fsprogs mdadm
- cryptsetup
# Time sync
- chrony timedatex
# Extra runtime
- sssd shadow-utils
- logrotate
# Used by admins interactively
- sudo coreutils less tar xz gzip bzip2
- nmap-ncat net-tools bind-utils
- bash-completion
- openssl
- vim-minimal
# Moving files around and verifying them
- rsync fuse-sshfs
- gnupg2
# User experience
- console-login-helper-messages-issuegen
- console-login-helper-messages-motdgen
- console-login-helper-messages-profile
# CoreOS Installer
- coreos-installer coreos-installer-dracut
# i18n
- kbd
- whois-nls