[Ovirt-devel] Re: [PATCH] Add additional blacklisting and rpm removal to managed node
Perry N. Myers
pmyers at redhat.com
Fri Jul 11 13:54:38 UTC 2008
Alan Pevec wrote:
> From: Perry Myers <pmyers at redhat.com>
>
> A few important notes:
> 1. /lib/modules was scoured for things that didn't seem necessary, however
> my notion of not necessary may not be correct. Please review the list
> of modules that I'm removing and if you see one that we need to add back
> in, comment.
> 2. /boot is removed as we don't need an initrd and kernel image inside of
> the livecd initrd.
> 3. The blacklisting method is a hack. What we need is an appliance creator
> that has black/whitelisting capabilities... (hint, hint to our AOS
> friends out there)
>
> NOTE: This patch is revised from my patch last week. I incorporated
> suggestions from Chris regarding reinclusion of some kernel modules and
> fixed an issue with i386 builds by not wiping out /lib/security. With
> this patch both i386 and x86_64 managed nodes boot and work.
>
> Signed-off-by: Perry Myers <pmyers at redhat.com>
>
> - use lib{,64} in the blacklist
> - drop copying /etc/timezone, fixed in livecd-tools >= 0.17.1
> check for RPM version in Makefile
>
> Signed-off-by: Alan Pevec <apevec at redhat.com>
ACK. This patch has gone back and forth enough now... I'm going to
commit/push this.
Perry
> ---
> ovirt-host-creator/Makefile | 1 +
> ovirt-host-creator/common-post.ks | 99 +++++++++++++++++++++++--------------
> ovirt-host-creator/rpm-compare.py | 39 ++++++++++++++
> 3 files changed, 101 insertions(+), 38 deletions(-)
> create mode 100755 ovirt-host-creator/rpm-compare.py
>
> diff --git a/ovirt-host-creator/Makefile b/ovirt-host-creator/Makefile
> index 6ebdfbd..1f0122f 100644
> --- a/ovirt-host-creator/Makefile
> +++ b/ovirt-host-creator/Makefile
> @@ -13,6 +13,7 @@ repos.ks: repos.ks.in
> sed "s/@@ARCH@@/$(ARCH)/" repos.ks.in > repos.ks
>
> build: ovirt.ks common-install.ks common-pkgs.ks common-post.ks repos.ks
> + ./rpm-compare.py GE 0 livecd-tools 017.1 1
> ./ovirt-cd > ovirt-cd.log 2>&1
>
> tar: clean build
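Review bot: the version on the new `./rpm-compare.py GE 0 livecd-tools 017.1 1` line is 017.1-1, while the commit message says livecd-tools >= 0.17.1; if 017.1 is the real package version the commit message should say so, otherwise this check will never be satisfied. A short comment above the call naming which livecd-tools fix it guards (the timezone handling that let the /etc/timezone copy be dropped) would also make the build failure self-explanatory, since the five positional arguments are not obvious to a reader of the Makefile.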
> diff --git a/ovirt-host-creator/common-post.ks b/ovirt-host-creator/common-post.ks
> index 2f7b612..b21f52c 100644
> --- a/ovirt-host-creator/common-post.ks
> +++ b/ovirt-host-creator/common-post.ks
> @@ -9,13 +9,6 @@ echo "Creating shadow files"
> pwconv
> grpconv
>
> -echo "Re-creating cracklib dicts"
> -# cracklib-dicts is 8MB. We probably don't need to have strict password
> -# checking on the ovirt host
> -# unfortunately we can't create an empty cracklib dict, so we create it
> -# with a single entry "1"
> -echo 1 | packer >& /dev/null
> -
> echo "Forcing C locale"
> # force logins (via ssh, etc) to use C locale, since we remove locales
> cat >> /etc/profile << \EOF
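Review bot: dropping the `echo 1 | packer` step is consistent with cracklib-dicts and cracklib being removed via rpm later in this patch, but confirm that nothing in the node's PAM configuration still loads pam_cracklib; with the library gone, a password change on the node could fail with a module load error rather than a password-quality complaint.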
> @@ -41,9 +34,6 @@ cat > /etc/sysconfig/iptables << \EOF
> COMMIT
> EOF
>
> -# here, remove a bunch of files we don't need that are just eating up space.
> -# it breaks rpm slightly, but it's not too bad
> -
> echo "Removing excess RPMs"
>
> # kernel pulls in mkinitrd which pulls in isomd5sum which pulls in python,
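Review bot: the deleted comment was the only place noting that deleting package-owned files leaves the rpm database inconsistent (`rpm -V` will report missing files); that caveat still applies to the blacklist removal added later in this patch, so move the comment next to the blacklist rather than dropping it.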
> @@ -54,36 +44,30 @@ rpm -e system-config-firewall-tui system-config-network-tui rhpl \
> rpm-python dbus-python kudzu newt-python newt
> rpm -e qemu kpartx mkinitrd isomd5sum dmraid python python-libs
>
> +RPM="rpm -v -e --nodeps"
> +
> # Sigh. ntp has a silly dependency on perl because of auxiliary scripts which
> # we don't need to use. Forcibly remove it here
> -rpm -e --nodeps perl perl-libs perl-Module-Pluggable perl-version \
> +$RPM perl perl-libs perl-Module-Pluggable perl-version \
> perl-Pod-Simple perl-Pod-Escapes
>
> -RM="rm -rf"
> +# Remove additional RPMs forcefully
> +$RPM gamin pm-utils kbd libuser passwd usermode \
> + openssh-clients vbetool ConsoleKit hdparm \
> + efibootmgr krb5-workstation linux-atm-libs fedora-release-notes \
> + slang psmisc gdbm cryptsetup-luks pciutils mtools syslinux db4 \
> + wireless-tools radeontool cracklib-dicts cracklib
>
> -echo "Removing docs and internationalization"
> -$RM /usr/share/omf
> -$RM /usr/share/gnome
> -$RM /usr/share/doc
> -$RM /usr/share/locale
> -$RM /usr/share/libthai
> -$RM /usr/share/man
> -$RM /usr/share/terminfo
> -$RM /usr/share/X11
> -$RM /usr/share/i18n
> +# Things we could probably remove if libvirt didn't link against them
> +#$RPM avahi PolicyKit xen-libs
>
> -find /usr/share/zoneinfo -regextype egrep -type f \
> - ! -regex ".*/UTC" -exec $RM {} \;
> -# XXX anaconda/timezone.py does it, missing in imgcreate/kickstart.py
> -cp /usr/share/zoneinfo/UTC /etc/localtime
> -
> -$RM /usr/lib/locale
> -$RM /usr/lib/syslinux
> -$RM /usr/lib64/gconv
> -$RM /usr/lib64/pango
> -$RM /usr/lib64/libpango*
> -$RM /etc/pango
> -$RM /usr/bin/pango*
> +# Things we could probably remove if qemu-kvm didn't link against them
> +#$RPM SDL alsa-lib
> +
> +# Pam complains when this is missing
> +#$RPM ConsoleKit-libs
> +
> +RM="rm -rf"
>
> echo "Removing excess kernel modules"
> MODULES="/lib/modules/*/kernel"
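Review bot: rpm -e normally refuses the whole transaction when any one listed name is not installed, so a single package that is absent on one of the two architectures (the commit message mentions i386/x86_64 differences) would leave everything on the `$RPM gamin pm-utils kbd libuser passwd usermode ...` line in place, and %post does not check the exit status; either loop over the names one `$RPM` call at a time or test `$?` after each call. Separately, removing passwd and libuser with --nodeps means no account password can be set on a running node; that is the same assumption that justified dropping cracklib and deserves a comment next to the list.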
> @@ -101,16 +85,55 @@ fs_mods="fs/nls fs/9p fs/affs fs/autofs fs/autofs4 fs/befs fs/bfs fs/cifs \
> net_mods="net/802 net/8021q net/9p net/appletalk net/atm net/ax25 \
> net/bluetooth net/dccp net/decnet net/ieee80211 net/ipx net/irda \
> net/mac80211 net/netrom net/rfkill net/rose net/sched net/tipc \
> - net/wanrouter net/wireless drivers/auxdisplay drivers/net/appletalk \
> + net/wanrouter net/wireless"
> +
> +driver_mods="drivers/auxdisplay drivers/net/appletalk \
> drivers/net/hamradio drivers/net/pcmcia drivers/net/tokenring \
> - drivers/net/wireless drivers/net/irda drivers/atm drivers/usb/atm"
> + drivers/net/wireless drivers/net/irda drivers/atm drivers/usb/atm \
> + drivers/acpi drivers/char/drm drivers/char/mwave \
> + drivers/char/ipmp drivers/char/pcmcia drivers/crypto drivers/dca \
> + drivers/firmware drivers/memstick drivers/mmc drivers/mfs \
> + drivers/parport drivers/video drivers/watchdog drivers/net/ppp* \
> + drivers/usb/serial drivers/usb/misc drivers/usb/class \
> + drivers/usb/image drivers/rtc"
>
> misc_mods="drivers/bluetooth drivers/firewire drivers/i2c drivers/isdn \
> drivers/media drivers/misc drivers/leds drivers/mtd drivers/w1 sound \
> - drivers/input drivers/pcmcia drivers/scsi/pcmcia"
> + drivers/input drivers/pcmcia drivers/scsi/pcmcia crypto lib"
>
> -for mods in $fs_mods $net_mods $misc_mods ; do
> +for mods in $fs_mods $net_mods $misc_mods $driver_mods ; do
> $RM $MODULES/$mods
> done
>
> +echo "Removing all timezones except for UTC"
> +find /usr/share/zoneinfo -regextype egrep -type f \
> + ! -regex ".*/UTC|.*/GMT" -exec $RM {} \;
> +
> +echo "Removing blacklisted files and directories"
> +blacklist="/boot /etc/alsa /etc/pki /usr/share/hwdata/MonitorsDB \
> + /usr/share/hwdata/oui.txt /usr/share/hwdata/videoaliases \
> + /usr/share/hwdata/videodrivers /usr/share/fedora-release \
> + /usr/share/tabset /usr/share/libvirt /usr/share/augeas/lenses/tests \
> + /usr/share/tc /usr/share/emacs /usr/share/info /usr/kerberos \
> + /usr/src /usr/etc /usr/games /usr/include /usr/local /usr/lib{,64}/python2.5 \
> + /usr/{,lib64}/tc /usr/lib{,64}/tls /usr/lib{,64}/sse2 /usr/lib{,64}/pkgconfig \
> + /usr/lib{,64}/nss /usr/lib{,64}/X11 /usr/lib{,64}/games /usr/lib{,64}/alsa-lib \
> + /usr/lib{,64}/fs/reiserfs /usr/lib{,64}/krb5 /usr/lib{,64}/hal /usr/lib{,64}/gio \
> + /usr/bin/hal-device /usr/bin/hal-disable-polling \
> + /usr/bin/hal-find-by-capability /usr/bin/hal-find-by-property \
> + /usr/bin/hal-is-caller-locked-out /usr/bin/hal-is-caller-privileged \
> + /usr/bin/hal-lock /usr/bin/hal-set-property /usr/bin/hal-setup-keymap \
> + /usr/sbin/dell* /lib/terminfo/d /lib/terminfo/v /lib/terminfo/a \
> + /lib/firmware /usr/lib/locale /usr/lib/syslinux /usr/lib{,64}/gconv \
> + /usr/lib{,64}/pango /usr/lib{,64}/libpango* /etc/pango /usr/bin/pango*"
> +
> +docs_blacklist="/usr/share/omf /usr/share/gnome /usr/share/doc \
> + /usr/share/locale /usr/share/libthai /usr/share/man /usr/share/terminfo \
> + /usr/share/X11 /usr/share/i18n"
> +
> +$RM $blacklist $docs_blacklist
> +
> +echo "Cleanup empty directory structures in /usr/share"
> +find /usr/share -type d -exec rmdir {} \; > /dev/null 2>&1
> +
> echo "Finished Kickstart Post"
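Review bot: `$RM $blacklist $docs_blacklist` will not do what the `lib{,64}` entries intend: bash performs brace expansion before parameter expansion, so `/usr/lib{,64}/python2.5`, `/usr/lib{,64}/nss` and the other braced paths reach rm literally and are silently skipped (rm -rf on a nonexistent path prints nothing), while the `*` globs in the same list do expand; spell the lib and lib64 paths out, or generate them in a `for lib in lib lib64` loop. Smaller points in the same hunk: `/usr/{,lib64}/tc` looks like a typo for `/usr/lib{,64}/tc`; `drivers/char/ipmp` does not match a kernel directory (the IPMI drivers live under drivers/char/ipmi) and `drivers/mfs` looks like drivers/mfd, so neither entry removes anything; removing the whole `crypto` and `lib` module directories drops helper modules (crc32c, zlib and friends) that kept modules may depend on, so check the remaining modules with `modprobe --show-depends` before shipping; and deleting `/etc/pki` removes the system CA bundle while `/lib/firmware` holds every NIC/HBA firmware blob, so both deserve an explicit justification in the comment.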
> diff --git a/ovirt-host-creator/rpm-compare.py b/ovirt-host-creator/rpm-compare.py
> new file mode 100755
> index 0000000..f91b02f
> --- /dev/null
> +++ b/ovirt-host-creator/rpm-compare.py
> @@ -0,0 +1,39 @@
> +#!/usr/bin/python
> +#
> +# rpm-compare.py - return 0 if installed package version satisfies condition
> +
> +import sys
> +import rpm
> +import rpmUtils.miscutils as rpmutils
> +# pkgTupleFromHeader(hdr) -> (name, arch, epoch, ver, rel)
> +# rangeCheck(reqtuple, pkgtuple) reqtuple := (reqn, reqf, (reqe, reqv, reqr))
> +
> +def usage():
> + print "usage: %s {GE|GT|EQ|LE|LT} epoch name ver rel \n" % sys.argv[0]
> + sys.exit(1)
> +
> +if len(sys.argv) < 6:
> + usage()
> +
> +cond = sys.argv[1]
> +epoch = sys.argv[2]
> +name = sys.argv[3]
> +ver = sys.argv[4]
> +rel = sys.argv[5]
> +
> +if cond not in ('GE','GT','EQ','LE','LT'):
> + usage()
> +
> +#broken from pkgs with - in the name
> +#name, ver, rel, epoch, arch = rpmutils.splitFilename(rpmname)
> +##print "epoch %s name %s ver %s rel %s" % (epoch, name, ver, rel)
> +
> +ts = rpm.TransactionSet()
> +for hdr in ts.dbMatch('name', name):
> + (n, a, e, v, r) = rpmutils.pkgTupleFromHeader(hdr)
> + ##print (n, a, e, v, r)
> + if rpmutils.rangeCheck((name, cond, (epoch, ver, rel)), (n, a, e, v, r)) == 1:
> + exit(0)
> +print 'RPM condition not satisfied'
> +exit(1)
> +
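Review bot: when no installed package matches, the script prints `RPM condition not satisfied` and exits 1 without saying what it found, so a build failure cannot be told apart between "livecd-tools not installed" and "too old"; print the requested (epoch, ver, rel) and each installed (e, v, r) it compared on the failure path. Smaller points: use `sys.exit()` throughout rather than the bare `exit()` builtin that the site module happens to provide; drop the dead `splitFilename` lines instead of leaving them commented out; and note in the header comment that `rpmUtils.miscutils` comes from yum, which becomes a build-host requirement.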
--
|=- Red Hat, Engineering, Emerging Technologies, Boston -=|
|=- Email: pmyers at redhat.com -=|
|=- Office: +1 412 474 3552 Mobile: +1 703 362 9622 -=|
|=- GnuPG: E65E4F3D 88F9 F1C9 C2F3 1303 01FE 817C C5D2 8B91 E65E 4F3D -=|