Proposal for adding to the blueprint customizations #634
I like what's going on here - definitely feels like the right set of customizations - but I have a couple thoughts about config syntax/schema to make sure we retain flexibility, but still without going Full Kickstart

First: I feel like it's generally a good idea if values under Looking at Ansible's timezone role, though, the only thing it really uses is But

[customizations.locale]
lang="en_US.utf8"

As for Lastly,

[[customizations.firewall]]
port = "4222/tcp"
state = "enabled"
[[customizations.firewall]]
port = "22/tcp"
state = "disabled"

Or, following the

[customizations.firewall.ports]
enabled = ["4022/tcp"]
disabled = ["22/tcp"]

But I'm worried about
That helps keep things limited :) But I see your point.
Yeah, that makes sense if we want to allow setting multiple locales, etc. My plan for that was to give them just enough to get the system set up so they can use it in their native language and apply customizations later.
Yeah, that's fine.
The thought process there is that everything is disabled by default, other than things like ssh that enable themselves. I suppose there may be cases where you want to disable things opened by a service (e.g. 3rd party package that doesn't meet your security requirements).
I like this form better, keeps it consistent with service.
Not that I know of. The list doesn't match /etc/services, and I tried reading the firewalld code to see where it gets the list but it was 4 layers of abstraction before I gave up. I'd lean towards just having ports available, but I think some of the services support dynamic port assignment so it's probably a good idea to keep that in there and direct them to the distribution's firewalld documentation.
I need someone who understands Anaconda's use of keyboard to check the locale commit, I wrote it thinking I could use the same values for
I think it's ready, but it needs to be reviewed in detail. Lots of new code added.
Updated with locale keyboard feedback from mkolman.
The goal here is to do the minimum needed to get the images set up for use so they can have more complex customizations applied later. I think this list is a pretty good minimal set of features without going full kickstart.
For example:

[customizations.timezone]
timezone = "US/Samoa"
ntpservers = ["0.pool.ntp.org"]

Also includes tests. This removes the timezone kickstart command from all of the templates except for google.ks which needs to set its own ntp servers and timezone. If timezone isn't included in the blueprint, and it is not already in a template, it will be set to 'timezone UTC' by default. If timezone is set in a template it is left as-is, under the assumption that the image type requires it to boot correctly.
This fixes the customizations list problem earlier than in add_customizations. In the recipe it should be [customizations] not [[customizations]] which creates a list. If it was used that way grab the first element and replace the list with it.
You can now set the keyboard layout and language. E.g.

[customizations.locale]
languages = ["en_CA.utf8", "en_HK.utf8"]
keyboard = "de (dvorak)"

Existing entries in the kickstart templates are replaced with the new ones. If there are no entries then it will default to 'keyboard us' and 'lang en_US.UTF-8'. Includes tests, and leaves the existing keyboard and lang entries in the templates with a note that they can be replaced by the blueprint.
You can now open ports in the firewall, using port numbers or service names:

[customizations.firewall]
ports = ["22:tcp", "80:tcp", "imap:tcp", "53:tcp", "53:udp"]

Or enable/disable services registered with firewalld:

[customizations.firewall.services]
enabled = ["ftp", "ntp", "dhcp"]
disabled = ["telnet"]

If the template contains firewall --disabled it cannot be overridden, under the assumption that it is required for the image to boot in the selected environment.
There is a problem with rpmfluff and the current version of rpm in rawhide. Changes are upstream, but no new build has been done yet.
Add support for enabling and disabling systemd services in the blueprint. It works like this:

[customizations.services]
enabled = ["sshd", "cockpit.socket", "httpd"]
disabled = ["postfix", "telnetd"]

They are *added* to any existing settings in the kickstart templates.
Make it clear that the services are added to services already listed in the image templates, and that you can specify any systemd unit filename. Older releases are more restrictive, and this documentation will need to be updated when these changes are backported.
To maintain consistency with the other options this changes firewall to combine the existing settings from the image template with the settings from the blueprint. Also updated the docs, added a new test for it, and sorted the output for consistency.
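
The firewall merge and the `[[customizations]]` handling described in the commit messages above, as an added Python example (not lorax's own code). The function names are hypothetical, only the `--opt=value` form of the kickstart `firewall` line is parsed, the enable/disable conflict warning is an extra check not mentioned in the thread, and the sample inputs are constructed.

```python
import shlex

OPTS = (("--port", "ports"), ("--service", "services"), ("--remove-service", "remove"))

def normalize_customizations(blueprint):
    """[[customizations]] parses as a list; fall back to its first element."""
    cust = blueprint.get("customizations", {})
    if isinstance(cust, list):
        cust = cust[0] if cust else {}
    return cust

def parse_firewall_line(line):
    """Split a template 'firewall' line into its port and service sets."""
    state = {"disabled": False, "ports": set(), "services": set(), "remove": set()}
    for arg in shlex.split(line)[1:]:
        opt, _, value = arg.partition("=")
        if opt == "--disabled":
            state["disabled"] = True
        for name, key in OPTS:
            if opt == name:
                state[key] |= {v for v in value.split(",") if v}
    return state

def merge_firewall(template_line, blueprint):
    """Return (kickstart_line, warnings) for template plus blueprint settings."""
    fw = normalize_customizations(blueprint).get("firewall", {})
    state = parse_firewall_line(template_line)
    if state["disabled"]:
        # A template's 'firewall --disabled' is never overridden, so tell the
        # blueprint author that the requested rules will not be applied.
        note = "template disables the firewall; blueprint firewall settings ignored"
        return template_line, ([note] if fw else [])
    services = fw.get("services", {})
    state["ports"] |= set(fw.get("ports", []))
    state["services"] |= set(services.get("enabled", []))
    state["remove"] |= set(services.get("disabled", []))
    warnings = ["service both enabled and disabled: %s" % name
                for name in sorted(state["services"] & state["remove"])]
    parts = ["firewall", "--enabled"]
    for name, key in OPTS:
        if state[key]:  # sorted output keeps generated kickstarts diffable
            parts.append("%s=%s" % (name, ",".join(sorted(state[key]))))
    return " ".join(parts), warnings

if __name__ == "__main__":
    # Constructed blueprint using the list form that [[customizations]] produces.
    sample = {"customizations": [{"firewall": {
        "ports": ["80:tcp", "22:tcp"],
        "services": {"enabled": ["ftp"], "disabled": ["telnet"]}}}]}
    print(merge_firewall("firewall --enabled --service=ssh", sample))
    print(merge_firewall("firewall --disabled", sample))
```
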