From 5f59cc0cb46c13fe428f8de3bb3dfd551974de05 Mon Sep 17 00:00:00 2001 From: Lars Karlitski Date: Fri, 7 Jun 2019 13:14:21 +0200 Subject: [PATCH] osbuild: only use /usr from the host Use systemd-nspawn's "volatile" mode, which creates a tmpfs for the root directory. This ensures that we're not accidentally using configuration from the host. The only remaining hole is `/etc/pki`. Anaconda cannot run without its configuation in `/etc`. Recreate the defaults. --- osbuild | 2 + stages/io.weldr.anaconda | 89 ++++++++++++++++++++++++++++++++++++++-- 2 files changed, 88 insertions(+), 3 deletions(-) diff --git a/osbuild b/osbuild index 60bb799c..3fc10832 100755 --- a/osbuild +++ b/osbuild @@ -74,10 +74,12 @@ def main(pipeline_path, from_archive, save): try: subprocess.run(["systemd-nspawn", "--link-journal=no", + "--volatile=yes", f"--directory={root}", f"--bind={tree}:/tmp/tree", f"--bind={os.getcwd()}/state/{name}:/tmp/state", f"--bind={os.getcwd()}/stages/{name}:/tmp/stage", + "--bind=/etc/pki", "/tmp/stage"], input=options_str, encoding="utf-8", check=True) except KeyboardInterrupt: diff --git a/stages/io.weldr.anaconda b/stages/io.weldr.anaconda index 05fda56e..87758b65 100755 --- a/stages/io.weldr.anaconda +++ b/stages/io.weldr.anaconda 
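Review bot: `"--bind=/etc/pki"` maps the host's PKI directory into the container read-write, so a stage running as root inside the nspawn root can still modify host trust anchors (CA bundle, RPM GPG keys) even though `--volatile=yes` was added on the same hunk precisely to keep host state out of reach. Nothing in the stage needs to write there, so the bind should be read-only: `"--bind-ro=/etc/pki",`. The same consideration applies to the pre-existing bind of the stage script to `/tmp/stage`, which the stage only executes. The enclosing `main` continues outside the hunk.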
@@ -5,6 +5,71 @@ import os import subprocess import sys +config = """ +[Anaconda] +addons_enabled = True +debug = False +kickstart_modules = + org.fedoraproject.Anaconda.Modules.Timezone + org.fedoraproject.Anaconda.Modules.Network + org.fedoraproject.Anaconda.Modules.Localization + org.fedoraproject.Anaconda.Modules.Security + org.fedoraproject.Anaconda.Modules.Users + org.fedoraproject.Anaconda.Modules.Payload + org.fedoraproject.Anaconda.Modules.Storage + org.fedoraproject.Anaconda.Modules.Services + +[Installation System] +type = UNKNOWN +can_detect_unsupported_hardware = False +can_detect_support_removed = False + +[Installation Target] +type = HARDWARE +physical_root = /mnt/sysimage + +[Network] +default_on_boot = NONE + +[Payload] +default_environment = +ignored_packages = +enable_updates = True +enable_closest_mirror = True +check_supported_locales = False + +[Security] +selinux = -1 + +[Bootloader] +efi_dir = default +menu_auto_hide = False +nonibft_iscsi_boot = False + +[Storage] +dmraid = True +ibft = True +gpt = False +multipath_friendly_names = True +allow_imperfect_devices = False +file_system_type = +default_partitioning = WORKSTATION +luks_version = luks2 + +[User Interface] +custom_stylesheet = +default_help_pages = +blivet_gui_supported = True + +[License] +eula = +""" + +product = """ +[Product] +product_name = Fedora +""" + def main(tree, state, kickstart, skip_package_install=False): with open("/tmp/kickstart.ks", "w") as f: if skip_package_install: 
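Review bot: The two module-level strings added here (`config` and `product`) reproduce Anaconda's default configuration, but nothing records where they were copied from or why the stage ships its own copy, so the next Anaconda release that renames a key will break this silently. A comment above `config = """` such as `# Anaconda's default anaconda.conf, reproduced here because (per the commit) the stage now runs in a volatile root with an empty /etc; keep in sync with the anaconda.conf shipped by the installed anaconda package.` would make the maintenance contract explicit. As module constants they would conventionally be named `ANACONDA_CONF` and `PRODUCT_CONF`; the generic name `config` is also easy to shadow inside `main`. The context lines after the strings belong to `main`, which continues outside the hunk.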
@@ -12,6 +77,21 @@ def main(tree, state, kickstart, skip_package_install=False): f.write(f"liveimg --url=file:///tmp/empty.tar\n") f.write(kickstart) + + # Anaconda cannot start without the config existing + os.makedirs("/etc/anaconda/conf.d", exist_ok=True) + os.makedirs("/etc/anaconda/product.d", exist_ok=True) + + with open("/etc/anaconda/anaconda.conf", "w") as f: + f.write(config) + + with open("/etc/anaconda/product.d/fedora.conf", "w") as f: + f.write(product) + + subprocess.run(["ldconfig"], check=True) + subprocess.run(["systemd-sysusers"], check=True) + subprocess.run(["systemd-tmpfiles", "--create"], check=True) + cmd = [ "anaconda", "--cmdline", @@ -23,9 +103,12 @@ def main(tree, state, kickstart, skip_package_install=False): returncode = subprocess.run(cmd).returncode if returncode != 0: - print("\n=== anaconda.log" + "=" * 50) - with open("/tmp/anaconda.log") as f: - print(f.read()) + try: + with open("/tmp/anaconda.log") as f: + print("\n=== anaconda.log" + "=" * 50) + print(f.read()) + except FileNotFoundError: + pass if skip_package_install: os.unlink("/tmp/empty.tar")
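Review bot: The new block unconditionally creates `/etc/anaconda/...`, overwrites `/etc/anaconda/anaconda.conf` and `/etc/anaconda/product.d/fedora.conf`, and then runs `ldconfig`, `systemd-sysusers` and `systemd-tmpfiles --create` against the running root; this is only harmless because the osbuild half of this commit launches the stage under `--volatile=yes`, and the stage itself neither checks nor documents that assumption, so running it directly on a host would clobber the host's Anaconda configuration. The comment `# Anaconda cannot start without the config existing` should say where these writes land, e.g. `# Runs inside a throwaway nspawn root (osbuild passes --volatile=yes), so these writes to /etc and the system-wide setup below never reach the host.`. If a hard guard is wanted, refusing to proceed unless `os.environ.get("container") == "systemd-nspawn"` is one option, since systemd-nspawn sets that variable for its payload. The enclosing `main` starts before and ends after this hunk.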