[Ovirt-devel] [PATCH] Add additional blacklisting and rpm removal to managed node

Chris Lalancette clalance at redhat.com
Mon Jun 30 13:16:23 UTC 2008


Perry Myers wrote:
> A few important notes:
> 1. /lib/modules was scoured for things that didn't seem necessary, however
>    my notion of not necessary may not be correct.  Please review the list
>    of modules that I'm removing and if you see one that we need to add back
>    in, comment.
> 2. /boot is removed as we don't need an initrd and kernel image inside of
>    the livecd initrd.

Ah yes, good to remove this, since it is superfluous.

> 3. The blacklisting method is a hack.  What we need is an appliance creator
>    that has black/whitelisting capabilities...  (hint, hint to our AOS
>    friends out there)
> 
> The ISO image RPM is down to 45MB
> PXE image RPM is at 52MB
> Running filesystem is 130MB

My question is: so?  I don't really see how it's much of an improvement over
what we already have.  Or rather, it's an improvement, but in my opinion the
cost (breaking RPM, breaking RPM dependencies, etc) is too high.

>  echo "Removing excess kernel modules"
>  MODULES="/lib/modules/*/kernel"
> @@ -438,16 +421,60 @@ fs_mods="fs/nls fs/9p fs/affs fs/autofs fs/autofs4 fs/befs fs/bfs fs/cifs \
>  net_mods="net/802 net/8021q net/9p net/appletalk net/atm net/ax25 \
>         net/bluetooth net/dccp net/decnet net/ieee80211 net/ipx net/irda \
>         net/mac80211 net/netrom net/rfkill net/rose net/sched net/tipc \
> -       net/wanrouter net/wireless drivers/auxdisplay drivers/net/appletalk \
> +       net/wanrouter net/wireless"
> +
> +driver_mods="drivers/auxdisplay drivers/net/appletalk \
>         drivers/net/hamradio drivers/net/pcmcia drivers/net/tokenring \
> -       drivers/net/wireless drivers/net/irda drivers/atm drivers/usb/atm"
> +       drivers/net/wireless drivers/net/irda drivers/atm drivers/usb/atm \
> +       drivers/acpi drivers/char/drm drivers/char/hw_random drivers/char/mwave \
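Review bot: drivers/acpi in the new driver_mods list is too broad for a headless node. On Fedora kernels of this era the ACPI button, fan, thermal and processor drivers are built as modules under that directory, and without button.ko a power-button event from the chassis or the management controller never reaches userspace, so the usual way of asking an unattended box to shut down cleanly stops working. Keep the directory, or list only the specific ACPI modules you want gone.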

We probably want to keep hw_random for feeding the random number generator in
the future, especially because: a) we don't keep our entropy pool across
reboots, b) we might be running diskless, and c) not all NIC devices contribute
entropy.

> +       drivers/char/ipmp drivers/char/pcmcia drivers/crypto drivers/dca \
> +       drivers/dma drivers/edac drivers/firmware drivers/hwmon
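Review bot: drivers/char/ipmp is not a directory in the kernel tree (drivers/char/ipmi is), so this entry silently matches nothing. If removing IPMI was the intent, that looks wrong for a managed node, since ipmi_si/ipmi_devintf are how the BMC (sensors, SEL, power control) is reached from the OS; if it was a typo it should be fixed. Either way the removal loop should complain when a pattern matches nothing, e.g. `ls -d $MODULES/$mods >/dev/null 2>&1 || echo "warning: $mods matched nothing"` before the $RM, so typos in these lists don't pass unnoticed.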

We definitely need to keep drivers/edac around for reporting errors.  Same goes
for drivers/hwmon

> +       drivers/memstick drivers/mmc drivers/mfs drivers/parport \
> +       drivers/serial drivers/video drivers/watchdog drivers/net/ppp* \
> +       drivers/usb/serial drivers/usb/misc drivers/usb/class \
> +       drivers/usb/image drivers/rtc"
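Review bot: drivers/mfs does not exist either (drivers/mfd does), so that is a second entry that removes nothing. drivers/watchdog deserves a second look before it goes: iTCO_wdt and the other hardware watchdog drivers there are what let an unattended node reset itself after a hang instead of sitting dead until someone notices, which matters more on a diskless node than the space they take.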

The serial stuff will be useful for debugging, and some administrators might
want to use a serial concentrator to see what's going on with their nodes.

>  
>  misc_mods="drivers/bluetooth drivers/firewire drivers/i2c drivers/isdn \
>         drivers/media drivers/misc drivers/leds drivers/mtd drivers/w1 sound \
> -       drivers/input drivers/pcmcia drivers/scsi/pcmcia"
> +       drivers/input drivers/pcmcia drivers/scsi/pcmcia arch/x86/oprofile \
> +       crypto lib"
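Review bot: deleting crypto and lib wholesale removes helper modules that kept modules depend on, e.g. libcrc32c and the crc32c hash module that iscsi_tcp allocates for header/data digests, and the cipher modules behind dm-crypt, while modules.dep keeps pointing at the deleted files. Run depmod -a for the image's kernel version (not the build host's) after the loop, and fail the build if modules.dep still references any path that was removed; an iSCSI-backed node that cannot load iscsi_tcp costs more than the few MB these directories save.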

oprofile might be useful in the future, for profiling the nodes, but we haven't
given any thought to it yet.

>  
> -for mods in $fs_mods $net_mods $misc_mods ; do
> +for mods in $fs_mods $net_mods $misc_mods $driver_mods ; do
>      $RM $MODULES/$mods
>  done
>  
> -echo "Finished Kickstart Post"
> +echo "Removing all timezones except for UTC"
> +find /usr/share/zoneinfo -regextype egrep -type f \
> +  ! -regex ".*/UTC" -exec $RM {} \;
> +# XXX anaconda/timezone.py does it, missing in imgcreate/kickstart.py
> +cp /usr/share/zoneinfo/UTC /etc/localtime
> +
> +echo "Removing blacklisted files and directories"
> +blacklist="/boot /etc/alsa /etc/pki /usr/share/hwdata/MonitorsDB \
> +    /usr/share/hwdata/oui.txt /usr/share/hwdata/videoaliases \
> +    /usr/share/hwdata/videodrivers /usr/share/fedora-release \
> +    /usr/share/tabset /usr/share/libvirt /usr/share/augeas/lenses/tests \
> +    /usr/share/tc /usr/share/emacs /usr/share/info /usr/kerberos \
> +    /usr/src /usr/etc /usr/games /usr/include /usr/local /usr/lib64/python2.5 \
> +    /usr/lib64/tc /usr/lib64/tls /usr/lib64/sse2 /usr/lib64/pkgconfig \
> +    /usr/lib64/nss /usr/lib64/X11 /usr/lib64/games /usr/lib64/alsa-lib \
> +    /usr/lib64/fs/reiserfs /usr/lib64/krb5 /usr/lib64/hal /usr/lib64/gio \
> +    /usr/bin/hal-device /usr/bin/hal-disable-polling \
> +    /usr/bin/hal-find-by-capability /usr/bin/hal-find-by-property \
> +    /usr/bin/hal-is-caller-locked-out /usr/bin/hal-is-caller-privileged \
> +    /usr/bin/hal-lock /usr/bin/hal-set-property /usr/bin/hal-setup-keymap \
> +    /usr/sbin/dell* /lib/terminfo/d /lib/terminfo/v /lib/terminfo/a \
> +    /lib/firmware /lib/security /usr/lib/locale /usr/lib/syslinux \
> +    /usr/lib64/gconv /usr/lib64/pango /usr/lib64/libpango* /etc/pango \
> +    /usr/bin/pango*"
> +
> +docs_blacklist="/usr/share/omf /usr/share/gnome /usr/share/doc \
> +    /usr/share/locale /usr/share/libthai /usr/share/man /usr/share/terminfo \
> +    /usr/share/X11 /usr/share/i18n"
> +
> +$RM $blacklist $docs_blacklist
> +
> +echo "Cleanup empty directory structures in /usr/share"
> +find /usr/share -type d -exec rmdir {} \; > /dev/null 2>&1
> +
> +echo "Finished Kickstart Common Post"
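Review bot: /etc/pki in the blacklist removes the node's trust anchors: it is where libvirtd looks for its TLS material by default (/etc/pki/CA/cacert.pem, /etc/pki/libvirt/servercert.pem and the private key) and where the system CA bundle lives (/etc/pki/tls/certs/ca-bundle.crt), so anything on the node that has to verify the server's certificate, or present its own, loses the ability to do so; remove the unused subtrees explicitly instead. /lib/security is harmless on this x86_64 build because the PAM modules are in /lib64/security, but copying the list to a 32-bit build would delete pam_unix.so and lock everyone out, so it is worth a comment. /lib/firmware means any kept driver that calls request_firmware() (the qla2xxx FC HBA driver, for one) fails at probe time with no disk or NIC to show for it, and /lib/terminfo/v holds the vt100/vt102/vt220 entries a serial console usually reports, so with /usr/share/terminfo gone as well, curses tools on the serial line will not start. Finally, `find /usr/share -type d -exec rmdir {} \;` walks top-down, so a directory whose only contents are empty subdirectories survives the pass; add -depth so children are removed before their parents.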

Overall, seems to be breaking a lot of debug and reproducibility functionality
for very little gain.

Chris Lalancette
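A check that would surface the dependency breakage and the mistyped directory names before anything is deleted, given here as an added example; it is not code from the oVirt node build scripts or from either poster. It assumes the same prune-list shape the %post script uses (paths relative to /lib/modules/<version>/kernel, shell globs such as drivers/net/ppp* allowed) and reads the kernel's modules.dep, which depmod writes with each module's full transitive dependency list, so a direct per-line check is enough. The modules.dep excerpt embedded below is constructed for the example; point audit_modules_dep at a real file to run it against an image.

```python
"""Audit a /lib/modules prune list against modules.dep before deleting.

Added example (not from the oVirt build scripts). Reports kept modules whose
dependencies would be deleted, and prune entries that match nothing (typos).
"""
import fnmatch
import sys

# Constructed modules.dep excerpt (paths are relative to /lib/modules/<ver>/).
# Real files are much longer; depmod lists every transitive dependency per line.
SAMPLE_MODULES_DEP = """\
kernel/drivers/scsi/iscsi_tcp.ko: kernel/drivers/scsi/libiscsi.ko kernel/lib/libcrc32c.ko
kernel/drivers/scsi/libiscsi.ko:
kernel/lib/libcrc32c.ko:
kernel/drivers/md/dm-crypt.ko: kernel/drivers/md/dm-mod.ko kernel/crypto/cbc.ko
kernel/drivers/md/dm-mod.ko:
kernel/crypto/cbc.ko:
kernel/drivers/net/ppp_generic.ko: kernel/drivers/net/slhc.ko kernel/lib/crc-ccitt.ko
kernel/drivers/net/slhc.ko:
kernel/lib/crc-ccitt.ko:
kernel/drivers/char/ipmi/ipmi_si.ko: kernel/drivers/char/ipmi/ipmi_msghandler.ko
kernel/drivers/char/ipmi/ipmi_msghandler.ko:
kernel/drivers/net/e1000/e1000.ko:
"""

# Same shape as the %post script's lists: paths under kernel/, globs allowed.
# "drivers/char/ipmp" is the mistyped entry from the patch, kept to show detection.
PRUNE = ["crypto", "lib", "drivers/net/ppp*", "drivers/char/ipmp"]


def parse_modules_dep(text):
    """Map 'kernel/.../mod.ko' -> list of dependency paths."""
    deps = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        mod, _, rest = line.partition(":")
        deps[mod.strip()] = rest.split()
    return deps


def matches(modpath, pattern):
    """True if `rm -rf $MODULES/<pattern>` would delete modpath.

    The pattern names a directory or file relative to kernel/; everything
    below a matched directory goes with it, so compare only as many path
    components as the pattern has.
    """
    rel = modpath[len("kernel/"):] if modpath.startswith("kernel/") else modpath
    depth = pattern.count("/") + 1
    head = "/".join(rel.split("/")[:depth])
    return fnmatch.fnmatchcase(head, pattern)


def is_pruned(modpath, prune):
    return any(matches(modpath, p) for p in prune)


def dangling(deps, prune):
    """Kept modules -> the dependencies the prune list would delete."""
    broken = {}
    for mod, needs in deps.items():
        if is_pruned(mod, prune):
            continue
        lost = [d for d in needs if is_pruned(d, prune)]
        if lost:
            broken[mod] = lost
    return broken


def unmatched(deps, prune):
    """Prune entries that match no module at all: almost always a typo."""
    return [p for p in prune if not any(matches(m, p) for m in deps)]


def audit_modules_dep(text, prune):
    """Return (kept-module -> lost deps, prune entries matching nothing)."""
    deps = parse_modules_dep(text)
    return dangling(deps, prune), unmatched(deps, prune)


if __name__ == "__main__":
    # Usage: audit.py [/lib/modules/<ver>/modules.dep]; defaults to the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_MODULES_DEP
    broken, typos = audit_modules_dep(text, PRUNE)
    for mod, lost in sorted(broken.items()):
        print("%s would lose: %s" % (mod, " ".join(lost)))
    for p in typos:
        print("prune entry matches nothing: %s" % p)
    sys.exit(1 if broken or typos else 0)
```

Run against the image's modules.dep from the build host and wire the non-zero exit into the image build; the remaining gap is modules that resolve a dependency at runtime (crypto_alloc_hash and similar) rather than through a symbol, which modules.dep cannot see and which still have to be checked by hand.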



