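# This file is most of a Fedora CoreOS like system; it inherits from "core".
# Add things in this file which are somewhat "opinionated", not necessarily
# core functionality.
#
# Treefile consumed by rpm-ostree / coreos-assembler. Sequences are indented
# two spaces throughout; keep that consistent when editing.

include:
  - ignition-and-ostree.yaml

# Extra arguments handed to dracut when the initramfs is built.
initramfs-args:
  # Generic (not host-specific) initramfs: the same image must boot anywhere.
  - --no-hostonly
  # We don't support root on NFS, so we don't need it in the initramfs. It also
  # conflicts with /var mount support in ignition because NFS tries to mount stuff
  # in /var/ and then ignition can't cleanly unmount it. For example:
  # https://github.com/dracutdevs/dracut/blob/1856ae95c873a6fe855b3dccd0144f1a96b9e71c/modules.d/95nfs/nfs-start-rpc.sh#L7
  # See also discussion in https://github.com/coreos/fedora-coreos-config/pull/60
  - --omit=nfs
  # Omit these since we don't use them in the initramfs (the userspace tools are
  # still installed below under "Storage", they are just not early-boot).
  - --omit=lvm
  - --omit=multipath
  - --omit=iscsi

# Be minimal: do not pull in weak (Recommends) dependencies.
recommends: false

# Exempt "root" from the removed-user / removed-group validation that goes with
# check-passwd / check-groups below (presumably because root is not carried in
# the shipped passwd/group files — confirm against the treefile reference).
ignore-removed-users:
  - root
ignore-removed-groups:
  - root
# Groups kept in /etc/group (instead of /usr/lib/group) so membership can be
# changed on a running system; these are the admin / log-access groups, so
# anything that lands a user in them is effectively a privilege grant.
etc-group-members:
  - wheel
  - sudo
  - systemd-journal
  - adm

# Validate the composed tree's users and groups against the "passwd" and
# "group" files shipped next to this manifest. NOTE(review): presumably this is
# what keeps UIDs/GIDs stable across upgrades; confirm against the rpm-ostree
# treefile reference before relying on it.
check-passwd:
  type: "file"
  filename: "passwd"
check-groups:
  type: "file"
  filename: "group"

# Headless system: no graphical target.
default-target: multi-user.target

# Paths (regexes, as the ".*" entries show) to delete from the named package at
# compose time. Removing the service units keeps them from ever being enabled.
remove-from-packages:
  # We're not using resolved yet.
  - [systemd, /usr/lib/systemd/systemd-resolved,
     /usr/lib/systemd/system/systemd-resolved.service]
  # We're not using networkd.
  - [systemd, /etc/systemd/networkd.conf,
     /usr/lib/systemd/systemd-networkd,
     /usr/lib/systemd/systemd-networkd-wait-online,
     /usr/lib/systemd/network/.*,
     /usr/lib/systemd/system/systemd-networkd.service,
     /usr/lib/systemd/system/systemd-networkd.socket,
     /usr/lib/systemd/system/systemd-networkd-wait-online.service]
  - [systemd-container, /usr/lib/systemd/network/.*]
  - [systemd-udev, /usr/lib/systemd/network/.*]

# Paths (relative to the tree root) dropped from the final tree.
remove-files:
  # We don't ship man(1) or info(1)
  - usr/share/info
  - usr/share/man
  # Drop text docs too
  - usr/share/doc

# ⚠⚠⚠ ONLY TEMPORARY HACKS ALLOWED HERE; ALL ENTRIES NEED TRACKER LINKS ⚠⚠⚠
# See also the version of this in fedora-coreos.yaml
#
# Each entry is a script run inside the composed tree (chroot) after package
# installation. They run with `set -e`, so any failing command aborts the
# whole compose.
postprocess:
  # This will be dropped once rpm-ostree becomes module-aware.
  # https://github.com/projectatomic/rpm-ostree/issues/1542#issuecomment-419684977
  # https://github.com/projectatomic/rpm-ostree/issues/1435
  - |
    #!/usr/bin/env bash
    set -xeuo pipefail
    # nullglob: if no *modular.repo exists the unexpanded pattern would be
    # handed to sed as a filename and abort the compose under `set -e`.
    shopt -s nullglob
    for repo in /etc/yum.repos.d/*modular.repo; do
      sed -i -e 's,enabled=[01],enabled=0,' "${repo}"
    done
  # Read the Ignition 2 and Afterburn SSH key fragments, pending better tooling
  # https://github.com/coreos/fedora-coreos-tracker/issues/139
  - |
    #!/usr/bin/env bash
    set -xeuo pipefail
    # Comment out any active AuthorizedKeysFile directive (sshd permits leading
    # whitespace before a keyword) so that the one appended below is the first
    # match sshd sees; sshd honours the first occurrence of a keyword.
    sed -i 's/^[[:blank:]]*AuthorizedKeysFile[[:blank:]]/#&/' /etc/ssh/sshd_config
    # NOTE(review): if this sshd_config ever gains an `Include` directive that
    # precedes the appended line, a setting in the included file wins over this
    # one — re-check on each openssh rebase. The fragment files remain subject
    # to sshd's StrictModes ownership/permission checks on the file and its
    # parent directories, so Ignition/Afterburn must create them accordingly.
    cat >> /etc/ssh/sshd_config <<'EOF'

    # Read authorized_keys fragments written by Ignition and Afterburn
    AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys.d/ignition .ssh/authorized_keys.d/afterburn
    EOF
  # Enable SELinux booleans used by OpenShift
  # https://github.com/coreos/fedora-coreos-tracker/issues/284
  #
  # -P persists the change in the policy store, -N skips loading it into the
  # build host's kernel. Security note: both booleans widen what confined
  # container/virt domains may reach (CephFS and Samba/CIFS shares), and they
  # apply to every container on the host, not only OpenShift's. Revisit when the
  # tracker issue closes.
  - |
    #!/usr/bin/env bash
    set -xeuo pipefail
    setsebool -P -N container_use_cephfs on # RHBZ#1692369
    setsebool -P -N virt_use_samba on # RHBZ#1754825

# Whitespace-separated names on one line are several packages (treefile
# convention).
packages:
  # Security
  - selinux-policy-targeted
  - polkit
  # System setup
  - afterburn
  - afterburn-dracut
  - passwd
  # SSH
  - openssh-server openssh-clients
  # Containers
  - podman skopeo runc systemd-container
  - fuse-overlayfs slirp4netns
  # Remote IPC for podman
  - libvarlink-util
  # Networking
  - nfs-utils-coreos
  - NetworkManager hostname
  - iproute-tc
  - adcli
  # Static firewalling
  - iptables nftables iptables-nft iptables-services
  # Storage
  - cloud-utils-growpart
  - lvm2 iscsi-initiator-utils sg3_utils
  - device-mapper-multipath
  - xfsprogs e2fsprogs mdadm
  - cryptsetup
  - cifs-utils
  # Time sync
  - chrony timedatex
  # Extra runtime
  - sssd shadow-utils
  - logrotate
  # Used by admins interactively
  - sudo coreutils less tar xz gzip bzip2
  - nmap-ncat net-tools bind-utils
  - bash-completion
  - openssl
  - vim-minimal
  # Moving files around and verifying them
  - rsync fuse-sshfs
  - gnupg2
  # User experience
  - console-login-helper-messages-issuegen
  - console-login-helper-messages-motdgen
  - console-login-helper-messages-profile
  # CoreOS Installer
  - coreos-installer coreos-installer-dracut
  # i18n
  - kbd
  - whois-nls
  # Parsing/Interacting with JSON data
  - jq

# This thing is crying out to be pulled into systemd, but that hasn't happened
# yet. Also we may want to add to rpm-ostree something like arch negation;
# basically right now it doesn't exist on s390x.
# Anyways, it was requested by the Red Hat perf team for RHCOS, so we have it here.
# https://serverfault.com/questions/513807/is-there-still-a-use-for-irqbalance-on-modern-hardware
# https://access.redhat.com/solutions/41535
packages-x86_64:
  - irqbalance
packages-ppc64le:
  - irqbalance
packages-aarch64:
  - irqbalance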