fedora-kickstarts/fedora-docker-base.ks

# This is a minimal Fedora install designed to serve as a Docker base image.
#
# To keep this image minimal it only installs English language. You need to change
# dnf configuration in order to enable other languages.
#
###  Hacking on this image ###
# This kickstart is processed using Anaconda-in-ImageFactory (via Koji typically),
# but you can run imagefactory locally too.
#
# To do so, testing local changes, first you'll need a TDL file.  I store one here:
# https://git.fedorahosted.org/cgit/fedora-atomic.git/tree/fedora-atomic-rawhide.tdl
#
# Then, once you have imagefactory and imagefactory-plugins installed, run:
#
#   imagefactory --debug target_image --template /path/to/fedora-atomic-rawhide.tdl --parameter offline_icicle true --file-parameter install_script $(pwd)/fedora-docker-base.ks docker
#

text # don't use cmdline -- https://github.com/rhinstaller/anaconda/issues/931
bootloader --disabled
timezone --isUtc --nontp Etc/UTC
rootpw --lock --iscrypted locked
keyboard us
network --bootproto=dhcp --device=link --activate --onboot=on
reboot

# boot partitions are irrelevant as none of that content is taken into the final docker image
# We will be able to move to autopart when new pykickstart lands which adds option for noswap/noboot (fixed upstream)
zerombr
clearpart --all
part /boot/efi --fstype="vfat" --size=100
part / --fstype ext4 --grow

%packages --excludedocs --instLangs=en --nocore
bash
tar # https://bugzilla.redhat.com/show_bug.cgi?id=1409920
fedora-release
rootfiles
vim-minimal
dnf
dnf-yum  # https://fedorahosted.org/fesco/ticket/1312#comment:29
sssd-client
#fakesystemd #TODO: waiting for review https://bugzilla.redhat.com/show_bug.cgi?id=1118740
-kernel


%end

%post --erroronfail --log=/root/anaconda-post.log
set -eux

# Set install langs macro so that new rpms that get installed will
# only install langs that we limit it to.
LANG="en_US"
echo "%_install_langs $LANG" > /etc/rpm/macros.image-language-conf

# https://bugzilla.redhat.com/show_bug.cgi?id=1400682
echo "Import RPM GPG key"
releasever=$(rpm -q --qf '%{version}\n' fedora-release)
rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-$releasever-primary

echo "# fstab intentionally empty for containers" > /etc/fstab

# remove some extraneous files
rm -rf /var/cache/dnf/*
rm -rf /tmp/*

#Mask mount units and getty service so that we don't get login prompt
systemctl mask systemd-remount-fs.service dev-hugepages.mount sys-fs-fuse-connections.mount systemd-logind.service getty.target console-getty.service

# https://bugzilla.redhat.com/show_bug.cgi?id=1343138
# Fix /run/lock breakage since it's not tmpfs in docker
# This unmounts /run (tmpfs) and then recreates the files
# in the /run directory on the root filesystem of the container
umount /run
systemd-tmpfiles --create --boot

# Remove machine-id on pre generated images
rm -f /etc/machine-id
touch /etc/machine-id

%end
fix missing /run/lock in docker base image BZ#1343138 Signed-off-by: Adam Miller <maxamillion@fedoraproject.org> 2016-07-22 15:26:49 -05:00			`# This is a minimal Fedora install designed to serve as a Docker base image.`
Add kickstart for Docker base image 2014-07-29 14:30:03 +02:00			`#`
			`# To keep this image minimal it only installs English language. You need to change`
docker-min,docker-base: remove reference to yum in kickstart 2017-01-23 10:54:01 -05:00			`# dnf configuration in order to enable other languages.`
docker-base: Add some instructions for local builds 2015-03-19 17:41:48 -04:00			`#`
			`### Hacking on this image ###`
			`# This kickstart is processed using Anaconda-in-ImageFactory (via Koji typically),`
			`# but you can run imagefactory locally too.`
			`#`
			`# To do so, testing local changes, first you'll need a TDL file. I store one here:`
			`# https://git.fedorahosted.org/cgit/fedora-atomic.git/tree/fedora-atomic-rawhide.tdl`
fix missing /run/lock in docker base image BZ#1343138 Signed-off-by: Adam Miller <maxamillion@fedoraproject.org> 2016-07-22 15:26:49 -05:00			`#`
docker-base: Add some instructions for local builds 2015-03-19 17:41:48 -04:00			`# Then, once you have imagefactory and imagefactory-plugins installed, run:`
fix missing /run/lock in docker base image BZ#1343138 Signed-off-by: Adam Miller <maxamillion@fedoraproject.org> 2016-07-22 15:26:49 -05:00			`#`
docker-base: Add some instructions for local builds 2015-03-19 17:41:48 -04:00			`# imagefactory --debug target_image --template /path/to/fedora-atomic-rawhide.tdl --parameter offline_icicle true --file-parameter install_script $(pwd)/fedora-docker-base.ks docker`
			`#`
Add kickstart for Docker base image 2014-07-29 14:30:03 +02:00
docker, cloud: don't use cmdline for install mode cmdline makes it so that %post --erroronfail won't actually stop the installation in a way that imagefactory will detect the problem and fail the build. See [1] for more details. [1] https://github.com/rhinstaller/anaconda/issues/931 2017-01-19 15:46:44 -05:00			`text # don't use cmdline -- https://github.com/rhinstaller/anaconda/issues/931`
docker: Use bootloader --none to work around Anaconda regression We were getting grub2 in the base image again. Apparently for a while Anaconda has supported a cleaner syntax for this, and since it fixes the bug, let's use it. https://bugzilla.redhat.com/show_bug.cgi?id=1222132 2015-05-15 17:35:52 -04:00			`bootloader --disabled`
Updates the timezone in docker image to UTC. Closes trac #91. 2015-01-28 14:08:40 +05:30			`timezone --isUtc --nontp Etc/UTC`
docker: Don't use a hardcoded root password Best practice is to use unprivileged service daemons inside Docker containers. But with this hardcoded root password, in the case of remote code execution, an attacker could trivially escalate their privileges to root/uid 0. And while that's uid 0 inside a container, that's a much larger attack surface. Instead, do the same thing we're doing for the Cloud images: lock the root password, create a user to make Anaconda happy, then delete the user in %post. https://bugzilla.redhat.com/show_bug.cgi?id=1175997 2014-12-16 16:26:01 -05:00			`rootpw --lock --iscrypted locked`
Add kickstart for Docker base image 2014-07-29 14:30:03 +02:00			`keyboard us`
Adjust docker-base ks for aarch64 Add the EFI partition in so anaconda doesn't lose it. Ulimately doesn't affect docker image size as boot and friends are discarded as part of the process. Signed-off-by: Peter Robinson <pbrobinson@fedoraproject.org> 2017-03-23 17:02:45 +00:00			`network --bootproto=dhcp --device=link --activate --onboot=on`
			`reboot`

add comment about boot parts on cloud/docker images Signed-off-by: Peter Robinson <pbrobinson@fedoraproject.org> 2017-03-23 17:08:24 +00:00			`# boot partitions are irrelevant as none of that content is taken into the final docker image`
			`# We will be able to move to autopart when new pykickstart lands which adds option for noswap/noboot (fixed upstream)`
Add kickstart for Docker base image 2014-07-29 14:30:03 +02:00			`zerombr`
			`clearpart --all`
Adjust docker-base ks for aarch64 Add the EFI partition in so anaconda doesn't lose it. Ulimately doesn't affect docker image size as boot and friends are discarded as part of the process. Signed-off-by: Peter Robinson <pbrobinson@fedoraproject.org> 2017-03-23 17:02:45 +00:00			`part /boot/efi --fstype="vfat" --size=100`
Docker: Base: add arm config, use includes for ppc config 2016-04-12 15:43:09 +01:00			`part / --fstype ext4 --grow`
Add kickstart for Docker base image 2014-07-29 14:30:03 +02:00
			`%packages --excludedocs --instLangs=en --nocore`
			`bash`
add tar to address BZ#1409920 Signed-off-by: Adam Miller <maxamillion@fedoraproject.org> 2017-01-04 15:34:16 -06:00			`tar # https://bugzilla.redhat.com/show_bug.cgi?id=1409920`
Remove the firewall line as it causes anaconda to add firewalld to the package set. revert back to fedora-release 2015-03-13 13:36:10 -05:00			`fedora-release`
fedora-docker-base: Add rootfiles and regenerate locale after removal https://fedorahosted.org/cloud/ticket/92 2015-01-12 12:42:18 +01:00			`rootfiles`
Add kickstart for Docker base image 2014-07-29 14:30:03 +02:00			`vim-minimal`
switch teh docker base image to dnf 2015-03-07 11:12:24 -06:00			`dnf`
Revert "we can not install dnf-yum until FESCo signs off on it being allowed" It's now agreed. This reverts commit c3c01cfa0ad385ee105d76e2c50461cebef2ccfa. 2015-03-25 15:33:35 -04:00			`dnf-yum # https://fedorahosted.org/fesco/ticket/1312#comment:29`
Add sssd-client with .so's for easy integration with SSSD container. 2015-10-30 15:06:48 +01:00			`sssd-client`
Revert "docker: Add fakesystemd to %packages to keep systemd out of base image" This reverts commit f42fe5d85aab6526db1dd847c49ceac0fea05443. 2014-09-10 13:03:29 -05:00			`#fakesystemd #TODO: waiting for review https://bugzilla.redhat.com/show_bug.cgi?id=1118740`
Add kickstart for Docker base image 2014-07-29 14:30:03 +02:00			`-kernel`


			`%end`

docker: add --erroronfail to %post If %post fails we want the whole install to fail. 2017-01-19 14:19:24 -05:00			`%post --erroronfail --log=/root/anaconda-post.log`
docker: error on unset vars and more verbose logs for %post 2017-01-19 14:24:35 -05:00			`set -eux`
Make the %post fail when its commands no longer pass. 2016-06-08 21:00:09 +02:00
docker: fixup comment about install_langs macro 2017-01-19 15:30:43 -05:00			`# Set install langs macro so that new rpms that get installed will`
			`# only install langs that we limit it to.`
Add kickstart for Docker base image 2014-07-29 14:30:03 +02:00			`LANG="en_US"`
Don't hack 'override_install_langs' yum option This shouldn't be needed, re-defining %_install_langs should be enough. 2016-11-24 11:15:39 +01:00			`echo "%_install_langs $LANG" > /etc/rpm/macros.image-language-conf`
add tsflags=nodocs to dnf.conf as well as yum.conf 2015-09-01 15:55:14 -05:00
docker: add some more comments to %post script Putting in references to BZ's so that we can determine if we can remove these pieces of the %post in the future. 2017-01-19 15:31:38 -05:00			`# https://bugzilla.redhat.com/show_bug.cgi?id=1400682`
Add kickstart for Docker base image 2014-07-29 14:30:03 +02:00			`echo "Import RPM GPG key"`
			`releasever=$(rpm -q --qf '%{version}\n' fedora-release)`
import just the primary rpm gpg key anaconda apparently fails now if the scriptlet fails which happens on 32 bit arm: Error There was an error running the kickstart script at line 28. This is a fatal error and installation will be aborted. The details of this error are: + LANG=en_US + echo '%_install_langs en_US' + echo 'Import RPM GPG key' Import RPM GPG key ++ rpm -q --qf '%{version}\n' fedora-release + releasever=27 ++ uname -i + basearch=armv7l + rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-27-armv7l error: /etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-27-armv7l: import read failed(2). Press ENTER to exit: systemd-localed.service: Got notification message from PID 2286 (STOPPING=1) as all the rpms in f26 for arches that will have containers ase signed with the one key lets just import that Signed-off-by: Dennis Gilmore <dennis@ausil.us> 2017-03-10 17:50:40 -06:00			`rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-$releasever-primary`
Add kickstart for Docker base image 2014-07-29 14:30:03 +02:00
1343111 - Purge fstab to stop systemd from attempting to mount filesystems. 2016-06-07 09:11:29 +02:00			`echo "# fstab intentionally empty for containers" > /etc/fstab`
fedora-docker-base: Add rootfiles and regenerate locale after removal https://fedorahosted.org/cloud/ticket/92 2015-01-12 12:42:18 +01:00
docker: fix some paths on file cleanup Point to dnf cache and clean up everything in tmp. 2017-01-19 14:32:47 -05:00			`# remove some extraneous files`
			`rm -rf /var/cache/dnf/*`
			`rm -rf /tmp/*`
Add kickstart for Docker base image 2014-07-29 14:30:03 +02:00
fedora-docker-base: adjust dbus.service to run in a container, mask some units to get rid of fails in boot transaction 2015-01-21 10:17:49 +01:00			`#Mask mount units and getty service so that we don't get login prompt`
			`systemctl mask systemd-remount-fs.service dev-hugepages.mount sys-fs-fuse-connections.mount systemd-logind.service getty.target console-getty.service`

docker: add some more comments to %post script Putting in references to BZ's so that we can determine if we can remove these pieces of the %post in the future. 2017-01-19 15:31:38 -05:00			`# https://bugzilla.redhat.com/show_bug.cgi?id=1343138`
fix missing /run/lock in docker base image BZ#1343138 Signed-off-by: Adam Miller <maxamillion@fedoraproject.org> 2016-07-22 15:26:49 -05:00			`# Fix /run/lock breakage since it's not tmpfs in docker`
docker: add some more comments to %post script Putting in references to BZ's so that we can determine if we can remove these pieces of the %post in the future. 2017-01-19 15:31:38 -05:00			`# This unmounts /run (tmpfs) and then recreates the files`
			`# in the /run directory on the root filesystem of the container`
fix missing /run/lock in docker base image BZ#1343138 Signed-off-by: Adam Miller <maxamillion@fedoraproject.org> 2016-07-22 15:26:49 -05:00			`umount /run`
			`systemd-tmpfiles --create --boot`

Remove machine-id on pre generated images so it's unique on each deployed device As referenced on the arm list [1] and as already being done on the docker image we should remove the unique /etc/machine-id file on compose artifacts to ensure it's regenerated and unique on each deployed host/device. This unifies the process across all base ks so it's inherited for each artifact. [1] https://lists.fedoraproject.org/archives/list/arm@lists.fedoraproject.org/message/Q3YZVF5P2OLLPUJQ2LYZSTKWGGDIU6QO/ Signed-off-by: Peter Robinson <pbrobinson@gmail.com> 2016-09-13 08:55:44 +01:00			`# Remove machine-id on pre generated images`
fedora-docker-base: remove machine-id after installation so that systemd can set it properly 2015-02-06 13:43:59 +01:00			`rm -f /etc/machine-id`
Touch the machine-id file So is seems that if you remove the machine-id file it won't regenerate the file but if you touch the file and leave it empty on boot it'll put a new machine-id in the empty file. So work around this bug ("feature"?) by touching the file so we don't have other issues in the process. We're track the outcome of this in RHBZ 1379800 2016-09-27 20:17:46 +01:00			`touch /etc/machine-id`
fedora-docker-base: adjust dbus.service to run in a container, mask some units to get rid of fails in boot transaction 2015-01-21 10:17:49 +01:00
Add kickstart for Docker base image 2014-07-29 14:30:03 +02:00			`%end`