Remove RHC credentials from the system after registration (HMS-3814) #627
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
thozza
previously approved these changes
Apr 23, 2024
Add the distro.ImageOptions struct to the build configs used by the build and gen-manifests commands. Annotate it with json tags to control the serialised keys.
Move "ostree" under "options". Update test scripts that read or set configs to follow the new structure.
The function was incorrectly named New...StageOptions but it was creating a Stage.
Update the options of the org.osbuild.systemd.unit.create stage with the new After option.
Replace the org.osbuild.first-boot stage with an org.osbuild.systemd.unit.create stage that runs the same commands. Add the 'rm' command that gets added by the first-boot stage, but put it at the end. Also, unlike the service created by osbuild's first-boot stage, our current service also includes an install section. The file name and service description are changed to describe the purpose of the service. Otherwise the two are functionally identical.
Create the file in /etc that will act as both the EnvironmentFile and the ConditionPathExists for the service. This file includes the org ID and activation key. When the service runs, the file is removed so that the service doesn't run again (only runs on first boot) and the org ID and key are removed from the system. Rename the file to osbuild-subscription-register.env to make its purpose clearer.
Update subscription stage tests to match the commands run by the systemd.unit.create stage (was first-boot). Prepend the rm command to all command lists passed to the CheckSystemdStageOptions() function and verify the ConditionPathExists value and the file being rm-ed are the same.
Update osbuild commit ID to include osbuild/osbuild#1741
github-merge-queue
bot
removed this pull request from the merge queue due to failed status checks
|
This will need to be rebased once #632 is merged. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR swaps out the
org.osbuild.first-bootstage with anorg.osbuild.systemd.unit.createstage that runs the same commands and explicitly adds thermcommand for the condition file as the last command. The file name and service description are changed to describe the purpose of the service.The stage is functionally identical with the previous one with one main difference: the organisation ID and the activation key are not included in the service file but in a separate environment file in
/etcwhich also acts as the condition file and gets removed after the service runs for the first time.Not that on ostree-based systems, putting the environment file in
/etcprior to building the commit and thenrming it on boot means that the file remains in/usr/etc, in the base system, until a system update removes it.