diff --git a/Makefile b/Makefile index d74a6ae..8de0978 100644 --- a/Makefile +++ b/Makefile @@ -7,7 +7,7 @@ APPLIANCE_VERSION = 1.46.0 # Export LIBGUESTFS_DEBUG=1 to debug all: - LIBRARY_PATH=$(LIBRARY_PATH) CGO_LDFLAGS='-l:libvirt.so.0 -l:libyajl.so.2' go build + LIBRARY_PATH=$(LIBRARY_PATH) go build run: LD_LIBRARY_PATH=$(LIBRARY_PATH) LIBGUESTFS_PATH=$(LIBGUESTFS_PATH) LIBGUESTFS_HV=$(LIBGUESTFS_HV) LIBGUESTFS_BACKEND_SETTINGS=force_tcg ./cloudbuild diff --git a/README.md b/README.md index 9861c7e..a8c4c48 100644 --- a/README.md +++ b/README.md @@ -3,30 +3,18 @@ cloudbuild downloads, modifies and uploads VM templates for the CSC cloud (CloudStack) using publicly available images for common Linux distros. ## Installing dependencies -If you have root access, run +Run the following in a Debian Docker/Podman container. ```sh -sudo apt install golang-guestfs-dev +apt install golang-guestfs-dev scripts/create-libguestfs-module.sh ``` -Otherwise, run -```sh -make deps -``` - ### Optional dependencies If you are developing cloudbuild, you may wish to install [guestfish](https://libguestfs.org/guestfish.1.html), an interactive shell -for guestfs. - -If you have root access, run +for guestfs: ```sh -sudo apt install libguestfs-tools -``` - -Otherwise, run -```sh -make guestfish-deps +apt install libguestfs-tools ``` To run: @@ -77,6 +65,8 @@ export UPLOAD_DIRECTORY=/var/www/csc-cloud-images export UPLOAD_BASE_URL=http://biloba.csclub.uwaterloo.ca/csc-cloud-images # notification emails will be sent here export EMAIL_RECIPIENT=root@csclub.uwaterloo.ca +# directory where SSH keys are stored to SSH into VMs created in CloudStack +export SSH_KEY_PATH=~/.ssh ``` Finally: diff --git a/pkg/distros/almalinux.go b/pkg/distros/almalinux.go index da9cc36..0f3964c 100644 --- a/pkg/distros/almalinux.go +++ b/pkg/distros/almalinux.go 
@@ -112,5 +112,11 @@ func (mgr *AlmaLinuxTemplateManager) PerformDistroSpecificModifications(handle *
 if err = mgr.replaceYumMirrorUrls(handle, mgr.transformAlmaLinuxYumRepoBaseUrl); err != nil {
 return
 }
+ if err = mgr.dnfRemoveUnnecessaryPackages(handle); err != nil {
+ return
+ }
+ if err = mgr.setJournaldConf(handle); err != nil {
+ return
+ }
 return
 }
diff --git a/pkg/distros/fedora.go b/pkg/distros/fedora.go
index 0fd48c4..4a103ac 100644
--- a/pkg/distros/fedora.go
+++ b/pkg/distros/fedora.go
@@ -157,5 +157,11 @@ func (mgr *FedoraTemplateManager) PerformDistroSpecificModifications(handle *gue
 if err = mgr.replaceYumMirrorUrls(handle, mgr.transformFedoraYumRepoBaseUrl); err != nil {
 return
 }
+ if err = mgr.dnfRemoveUnnecessaryPackages(handle); err != nil {
+ return
+ }
+ if err = mgr.setJournaldConf(handle); err != nil {
+ return
+ }
 return
 }
diff --git a/pkg/distros/resources/journald.conf b/pkg/distros/resources/journald.conf
new file mode 100644
index 0000000..6bcf1a8
--- /dev/null
+++ b/pkg/distros/resources/journald.conf
@@ -0,0 +1,7 @@
+[Journal]
+# The default on Debian is Audit=no, but the default on Fedora is Audit=yes.
+# The audit messages are quite noisy, especially given that the first value
+# of kernel.printk (console_loglevel) is 7 on Fedora. To avoid negatively
+# impacting disk I/O, I chose to explicitly set this to off.
+# Audit records will still be collected if the user decides to install auditd.
+Audit=no
diff --git a/pkg/distros/template_manager.go b/pkg/distros/template_manager.go
index 1a133ac..015484c 100644
--- a/pkg/distros/template_manager.go
+++ b/pkg/distros/template_manager.go
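Review bot: Neither new call site in PerformDistroSpecificModifications says that the AlmaLinux image now loses the `audit` and `sssd-common` packages and has its PAM stack switched by authselect; the name `dnfRemoveUnnecessaryPackages` hides all of that, and the same applies to the identical hunk in pkg/distros/fedora.go. A one-line comment above the new call would make the security impact visible to whoever reads the distro manager, e.g. `// Removes sssd-common and audit, then switches PAM to the authselect "minimal" profile.` The README hunk in this commit does not mention it either, so people deploying these templates get no notice that audit logging is absent by default. The function body starts above this hunk.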
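Review bot: The last comment line in pkg/distros/resources/journald.conf, "Audit records will still be collected if the user decides to install auditd", leaves out what `Audit=no` does at start-up. As journald.conf(5) describes the option, a false value makes journald switch kernel auditing off rather than only skip collection, so an auditd installed later has to turn it back on, and a later journald restart may switch it off again (worth confirming on the systemd versions these images ship). I would reword that line to something like `# Audit=no makes journald turn kernel auditing off at start-up; review this drop-in before relying on auditd.`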
@@ -563,6 +563,23 @@ func (mgr *TemplateManager) replaceDebianMirrorUrls(handle *guestfs.Guestfs) (er
 return
 }
 
+func (mgr *TemplateManager) dnfRemoveUnnecessaryPackages(handle *guestfs.Guestfs) (err error) {
+ // SSSD is unnecessary in single-user environments and consumes a lot of resources.
+ // auditd spams the system log and uses lots of disk IO.
+ args := []string{"dnf", "-C", "remove", "-y", "sssd-common", "audit"}
+ mgr.logger.Debug().Msg("Running '" + strings.Join(args, " ") + "'")
+ _, err = handle.Command(args)
+ if err != nil {
+ return
+ }
+ // Now that we removed SSSD, we also have to make sure that it's not being used in PAM.
+ // The way to do this on Fedora (and likely other RHEL-based distros) is with authselect.
+ args = []string{"authselect", "select", "minimal"}
+ mgr.logger.Debug().Msg("Running '" + strings.Join(args, " ") + "'")
+ _, err = handle.Command(args)
+ return err
+}
+
 // requires an Augeas handle to be open
 func (mgr *TemplateManager) updateSshdConfig(handle *guestfs.Guestfs) error {
 mgr.logger.Debug().Msg("Setting PrintLastLog=no in sshd_config")
@@ -577,6 +594,14 @@ func (mgr *TemplateManager) setTimesyncdConf(handle *guestfs.Guestfs) (err error
 return handle.Write("/etc/systemd/timesyncd.conf.d/csclub.conf", getResource("timesyncd.conf"))
 }
 
+func (mgr *TemplateManager) setJournaldConf(handle *guestfs.Guestfs) (err error) {
+ mgr.logger.Debug().Msg("Writing custom journald.conf")
+ if err = handle.Mkdir_p("/etc/systemd/journald.conf.d"); err != nil {
+ return
+ }
+ return handle.Write("/etc/systemd/journald.conf.d/csclub.conf", getResource("journald.conf"))
+}
+
 func (mgr *TemplateManager) setMotd(handle *guestfs.Guestfs) error {
 mgr.logger.Debug().Msg("Writing to /etc/motd")
 return handle.Write("/etc/motd", getResource("motd"))
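Review bot: Both `handle.Command` calls in dnfRemoveUnnecessaryPackages discard the command output, so the build log never shows which packages `dnf remove -y` took out along with `sssd-common` and `audit`, or what authselect changed in the PAM configuration. For a step that alters the authentication stack of every published image, keep that output in the log: `out, err := handle.Command(args)` followed by `mgr.logger.Debug().Msg(out)`, and the same with `out, err = ...` for the authselect call. The comment itself only says the authselect approach is likely to hold on RHEL-based distros other than Fedora, yet the helper is also called for AlmaLinux, so it is worth confirming that the `minimal` profile exists on every targeted release. The function also mixes a bare `return` with `return err`; one form throughout would read better.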