Proposal for adding to the blueprint customizations #634
The goal here is to do the minimum needed to get the images setup for
I like what's going on here - definitely feels like the right set of customizations - but I have a couple thoughts about config syntax/schema to make sure we retain flexibility, but still without going Full Kickstart
First: I feel like it's generally a good idea if values under
Looking at Ansible's timezone role, though, the only thing it really uses is
    [[customizations.firewall]]
    port = "4222/tcp"
    state = "enabled"

    [[customizations.firewall]]
    port = "22/tcp"
    state = "disabled"
Or, following the
    [customizations.firewall.ports]
    enabled = ["4022/tcp"]
    disabled = ["22/tcp"]
But I'm worried about
That helps keep things limited :) But I see your point.
Yeah, that makes sense if we want to allow setting multiple locales, etc. My plan for that was to give them just enough to get the system setup so they can use it in their native language and apply customizations later.
Yeah, that's fine.
The thought process there is that everything is disabled by default, other than things like ssh that enable themselves. I suppose there may be cases where you want to disable things opened by a service (eg. 3rd party package that doesn't meet your security requirements)
I like this form better, keeps it consistent with service.
Not that I know of. The list doesn't match /etc/services, and I tried reading the firewalld code to see where it gets the list but it was 4 layers of abstraction before I gave up. I'd lean towards just having ports available, but I think some of the services support dynamic port assignment so it's probably a good idea to keep that in there and direct them to the distribution's firewalld documentation.
Pull Request Test Coverage Report for Build 1520
I need someone who understands Anaconda's use of keyboard to check the locale commit, I wrote it thinking I could use the same values for
The goal here is to do the minimum needed to get the images setup for use so they can have more complex customizations applied later. I think this list is a pretty good minimal set of features without going full kickstart.
For example:

    [customizations.timezone]
    timezone = "US/Samoa"
    ntpservers = ["0.pool.ntp.org"]

Also includes tests.

This removes the timezone kickstart command from all of the templates except for google.ks which needs to set its own ntp servers and timezone.

If timezone isn't included in the blueprint, and it is not already in a template, it will be set to 'timezone UTC' by default.

If timezone is set in a template it is left as-is, under the assumption that the image type requires it to boot correctly.
This fixes the customizations list problem earlier than in add_customizations. In the recipe it should be [customizations] not [[customizations]] which creates a list. If it was used that way grab the first element and replace the list with it.
You can now set the keyboard layout and language. Eg.

    [customizations.locale]
    languages = ["en_CA.utf8", "en_HK.utf8"]
    keyboard = "de (dvorak)"

Existing entries in the kickstart templates are replaced with the new ones. If there are no entries then it will default to 'keyboard us' and 'lang en_US.UTF-8'.

Includes tests, and leaves the existing keyboard and lang entries in the templates with a note that they can be replaced by the blueprint.
You can now open ports in the firewall, using port numbers or service names:

    [customizations.firewall]
    ports = ["22:tcp", "80:tcp", "imap:tcp", "53:tcp", "53:udp"]

Or enable/disable services registered with firewalld:

    [customizations.firewall.services]
    enabled = ["ftp", "ntp", "dhcp"]
    disabled = ["telnet"]

If the template contains firewall --disabled it cannot be overridden, under the assumption that it is required for the image to boot in the selected environment.
Add support for enabling and disabling systemd services in the blueprint. It works like this:

    [customizations.services]
    enabled = ["sshd", "cockpit.socket", "httpd"]
    disabled = ["postfix", "telnetd"]

They are *added* to any existing settings in the kickstart templates.
Make it clear that the services are added to services already listed in the image templates, and that you can specify any systemd unit filename. Older releases are more restrictive, and this documentation will need to be updated when these changes are backported.
To maintain consistency with the other options this changes firewall to combine the existing settings from the image template with the settings from the blueprint. Also updated the docs, added a new test for it, and sorted the output for consistency.
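An added example, not code from this pull request or from the project: a small review helper that applies the behaviours described in the commit messages above (the `[[customizations]]` list form collapsing to its first element, firewall settings from the blueprint being combined with the template's, and a template's `firewall --disabled` not being overridable) so a reviewer can see the firewall line an image would end up with. The function names, the warning texts, the sample blueprint and the exact layout of the merged line are assumptions for illustration.

```python
import shlex

# Constructed sample: what a TOML parser returns when the blueprint uses
# [[customizations]] (a list) instead of [customizations] (a table).
SAMPLE_BLUEPRINT = {"customizations": [{"firewall": {
    "ports": ["80:tcp", "53:udp"],
    "services": {"enabled": ["ftp"], "disabled": ["telnet"]}}}]}

def normalize_customizations(blueprint):
    """Return the customizations table; for the list form keep the first element."""
    cust = blueprint.get("customizations", {})
    if isinstance(cust, list):
        cust = cust[0] if cust else {}
    return cust

def merge_firewall(template_line, customizations):
    """Combine a template's kickstart firewall line with blueprint settings.

    Returns (merged_line, warnings). Assumes the --opt=value argument form.
    """
    args = shlex.split(template_line)[1:]
    if "--disabled" in args:
        # Per the thread, a template's --disabled cannot be overridden.
        return template_line, ["template disables the firewall; "
                               "blueprint firewall settings are not applied"]
    ports, enabled, disabled, other = set(), set(), set(), []
    buckets = {"--port": ports, "--service": enabled, "--remove-service": disabled}
    for arg in args:
        key, _, value = arg.partition("=")
        if key in buckets:
            buckets[key].update(v for v in value.split(",") if v)
        else:
            other.append(arg)  # keep flags such as --enabled untouched
    fw = customizations.get("firewall", {})
    ports.update(fw.get("ports", []))
    services = fw.get("services", {})
    enabled.update(services.get("enabled", []))
    disabled.update(services.get("disabled", []))
    # Hypothetical review check: the same service listed both ways is ambiguous.
    warnings = ["service both enabled and disabled: " + s
                for s in sorted(enabled & disabled)]
    parts = ["firewall"] + other
    for opt, values in (("--port", ports), ("--service", enabled),
                        ("--remove-service", disabled)):
        if values:
            parts.append(opt + "=" + ",".join(sorted(values)))  # sorted, stable output
    return " ".join(parts), warnings

if __name__ == "__main__":
    cust = normalize_customizations(SAMPLE_BLUEPRINT)
    print(merge_firewall("firewall --enabled --port=22:tcp", cust))
    print(merge_firewall("firewall --disabled", cust))
```

The second call is the case worth checking for in review: the blueprint asks for ports and services, but the resulting image still has its firewall disabled.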