From 39490ec321ba7d8397a34bfeee2fcedc52f2c569 Mon Sep 17 00:00:00 2001
From: Karuboniru
Date: Wed, 24 Jan 2024 15:09:37 +0000
Subject: [PATCH] add selinux modification update services container related conf add systemd IP/IO accounting Cleanup unused packages don't use fedora-common-ostree-pkgs Don't use resolved build using fedora-testing env change package organization
---
.github/workflows/docker-publish.yml | 2 +-
cils/adguardhome.cil | 25 ++
cils/cloudflare_with_socket_access.cil | 11 +
cils/comiclib.cil | 7 +
cils/container_caddy.cil | 11 +
cils/container_hath.cil | 14 +
cils/container_rohome_allbind.cil | 7 +
cils/container_rwhome_allbind.cil | 7 +
cils/container_wireguard.cil | 7 +
etc/containers/containers.conf | 4 +
etc/containers/networks/podman.json | 23 ++
etc/containers/storage.conf | 239 ++++++++++++++
etc/systemd/system.conf.d/accounting.conf | 4 +
fedora-common-ostree.yaml | 14 +-
server.yaml | 359 +++++++++++++--------
15 files changed, 574 insertions(+), 160 deletions(-)
create mode 100644 cils/adguardhome.cil
create mode 100644 cils/cloudflare_with_socket_access.cil
create mode 100644 cils/comiclib.cil
create mode 100644 cils/container_caddy.cil
create mode 100644 cils/container_hath.cil
create mode 100644 cils/container_rohome_allbind.cil
create mode 100644 cils/container_rwhome_allbind.cil
create mode 100644 cils/container_wireguard.cil
create mode 100644 etc/containers/containers.conf
create mode 100644 etc/containers/networks/podman.json
create mode 100644 etc/containers/storage.conf
create mode 100644 etc/systemd/system.conf.d/accounting.conf
diff --git a/.github/workflows/docker-publish.yml b/.github/workflows/docker-publish.yml
index dffa7a4..918809e 100644
--- a/.github/workflows/docker-publish.yml
+++ b/.github/workflows/docker-publish.yml
@@ -41,7 +41,7 @@ jobs:
 tag: ${{ github.ref_name }}
 composefile: server.yaml
 run: |
- dnf -y install rpm-ostree skopeo selinux-policy-targeted
+ dnf -y install rpm-ostree skopeo selinux-policy-targeted --enablerepo=updates-testing
 skopeo login -u $username -p $password $registry
 mkdir -p repo cache
 ostree init --repo=repo --mode=archive
diff --git a/cils/adguardhome.cil b/cils/adguardhome.cil
new file mode 100644
index 0000000..08927ec
--- /dev/null
+++ b/cils/adguardhome.cil
@@ -0,0 +1,25 @@
+(block adguardhome
+ (blockinherit container)
+ (blockinherit restricted_net_container)
+ (allow process process ( capability ( net_bind_service )))
+
+ (allow process dns_port_t ( tcp_socket ( name_bind )))
+ (allow process dns_port_t ( udp_socket ( name_bind )))
+ (allow process dhcpd_port_t ( udp_socket ( name_bind )))
+ (allow process dhcpc_port_t ( udp_socket ( name_bind )))
+ (allow process http_port_t ( tcp_socket ( name_bind )))
+ (allow process http_port_t ( tcp_socket ( name_bind )))
+ (allow process reserved_port_t ( udp_socket ( name_bind )))
+ (allow process hi_reserved_port_t ( udp_socket ( name_bind )))
+ (allow process ntop_port_t ( tcp_socket ( name_bind )))
+ (allow process ntop_port_t ( udp_socket ( name_bind )))
+ (allow process unreserved_port_t ( tcp_socket ( name_bind )))
+ (allow process unreserved_port_t ( udp_socket ( name_bind )))
+
+ (allow process port_type ( tcp_socket ( name_connect recv_msg send_msg )))
+ (allow process port_type ( udp_socket ( recv_msg send_msg )))
+
+ (allow process cert_t ( dir ( watch getattr open read search )))
+ (allow process cert_t ( file ( watch getattr open read )))
+ (allow process cert_t ( lnk_file ( read )))
+)
diff --git a/cils/cloudflare_with_socket_access.cil b/cils/cloudflare_with_socket_access.cil
new file mode 100644
index 0000000..4d93a88
--- /dev/null
+++ b/cils/cloudflare_with_socket_access.cil
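Review bot: The added `--enablerepo=updates-testing` makes every CI run install rpm-ostree, skopeo and selinux-policy-targeted from an unpinned testing repository, so the toolchain that builds the image can change between runs with no change in this repository. If updates-testing is needed for only one of those packages, a comment naming it, e.g. `# updates-testing: needed for <package> -- TODO confirm`, plus a pinned version for that package would keep the rest of the build reproducible. The `run:` block continues past the hunk.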
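Review bot: The second `(allow process http_port_t ( tcp_socket ( name_bind )))` is a verbatim duplicate of the line above it and can be dropped. The `reserved_port_t`, `hi_reserved_port_t` and `unreserved_port_t` `name_bind` rules together cover nearly every udp port, and `unreserved_port_t` every unprivileged tcp port, which makes the specific `dns_port_t`/`dhcpd_port_t`/`dhcpc_port_t` rules largely redundant; if only DNS, DHCP and the web UI need to bind, dropping the generic ones keeps the domain close to least privilege. A short header comment stating what this domain runs and why each port class is required would help the next person who edits the file.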
@@ -0,0 +1,11 @@
+(block cloudflare_with_socket_access
+ (blockinherit container)
+ (blockinherit net_container)
+
+ (allow process node_t ( icmp_socket ( node_bind )))
+
+ (allow process var_run_t ( sock_file ( write )))
+ (allow process comiclib.process ( unix_stream_socket ( connectto )))
+ (allow process cockpit_ws_t ( unix_stream_socket ( connectto )))
+ (allow process container_caddy.process ( unix_stream_socket ( connectto )))
+)
diff --git a/cils/comiclib.cil b/cils/comiclib.cil
new file mode 100644
index 0000000..7863747
--- /dev/null
+++ b/cils/comiclib.cil
@@ -0,0 +1,7 @@
+(block comiclib
+ (blockinherit container)
+
+
+ (allow process user_home_t ( dir ( watch getattr ioctl lock open read search )))
+ (allow process user_home_t ( file ( watch getattr ioctl lock open read )))
+)
diff --git a/cils/container_caddy.cil b/cils/container_caddy.cil
new file mode 100644
index 0000000..a948c50
--- /dev/null
+++ b/cils/container_caddy.cil
@@ -0,0 +1,11 @@
+(block container_caddy
+ (blockinherit container)
+ (blockinherit net_container)
+ (allow process process ( capability ( net_bind_service )))
+
+ (allow process user_home_t ( dir ( watch getattr ioctl lock open read search )))
+ (allow process user_home_t ( file ( watch getattr ioctl lock open read )))
+
+ (allow process var_run_t ( sock_file ( write )))
+ (allow process cockpit_ws_t ( unix_stream_socket ( connectto )))
+)
diff --git a/cils/container_hath.cil b/cils/container_hath.cil
new file mode 100644
index 0000000..2ca0f9b
--- /dev/null
+++ b/cils/container_hath.cil
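Review bot: `(allow process var_run_t ( sock_file ( write )))` grants write on every socket file labelled `var_run_t`, which is far broader than the three `connectto` targets that follow it; if the sockets in question can carry their own types (cockpit's presumably already does, given `cockpit_ws_t`), the generic rule can go. Because this domain is also allowed `connectto` to `cockpit_ws_t`, a comment should record that the tunnel is meant to front the cockpit admin interface, so that exposure reads as a decision rather than an accident, e.g. `; tunnel fronts cockpit (admin UI) and the caddy/comiclib sockets -- keep this list minimal`. The same `var_run_t` rule appears in container_caddy.cil in this patch.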
@@ -0,0 +1,14 @@
+(block container_hath
+ (blockinherit container)
+ (blockinherit restricted_net_container)
+ (allow process process ( capability ( net_bind_service )))
+
+ (allow process port_type ( tcp_socket ( name_connect recv_msg send_msg )))
+ (allow process port_type ( udp_socket ( recv_msg send_msg )))
+
+ (allow process http_port_t ( tcp_socket ( name_bind )))
+
+ (allow process user_home_t ( dir ( watch add_name create getattr ioctl lock open read remove_name rmdir search setattr write )))
+ (allow process user_home_t ( file ( watch append create getattr ioctl lock map open read rename setattr unlink write )))
+
+)
diff --git a/cils/container_rohome_allbind.cil b/cils/container_rohome_allbind.cil
new file mode 100644
index 0000000..6e4b08c
--- /dev/null
+++ b/cils/container_rohome_allbind.cil
@@ -0,0 +1,7 @@
+(block container_rohome_allbind
+ (blockinherit container)
+ (blockinherit net_container)
+
+ (allow process user_home_t ( dir ( watch getattr ioctl lock open read search )))
+ (allow process user_home_t ( file ( watch getattr ioctl lock open read )))
+)
diff --git a/cils/container_rwhome_allbind.cil b/cils/container_rwhome_allbind.cil
new file mode 100644
index 0000000..f701d7a
--- /dev/null
+++ b/cils/container_rwhome_allbind.cil
@@ -0,0 +1,7 @@
+(block container_rwhome_allbind
+ (blockinherit container)
+ (blockinherit net_container)
+
+ (allow process user_home_t ( dir ( watch add_name create getattr ioctl lock open read remove_name rmdir search setattr write )))
+ (allow process user_home_t ( file ( watch append create getattr ioctl lock map open read rename setattr unlink write )))
+)
diff --git a/cils/container_wireguard.cil b/cils/container_wireguard.cil
new file mode 100644
index 0000000..b9c6e00
--- /dev/null
+++ b/cils/container_wireguard.cil
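Review bot: Right after `(blockinherit restricted_net_container)` the block adds `(allow process port_type ( tcp_socket ( name_connect recv_msg send_msg )))`; `port_type` is the attribute every port type carries, so this permits outbound connections to any tcp port, which is presumably exactly what the restricted template withholds. If unrestricted egress is intended, inheriting `net_container` as the other files in this patch do states that directly; otherwise list the port types the service actually needs. The blank line before the closing `)` is cosmetic only. adguardhome.cil carries the same `port_type` rule on top of the same restricted template.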
@@ -0,0 +1,7 @@
+(block container_wireguard
+ (blockinherit container)
+ (allow process process ( capability ( net_admin )))
+
+ (allow process container_wireguard.process ( netlink_route_socket ( nlmsg_write )))
+
+)
diff --git a/etc/containers/containers.conf b/etc/containers/containers.conf
new file mode 100644
index 0000000..5416db8
--- /dev/null
+++ b/etc/containers/containers.conf
@@ -0,0 +1,4 @@
+[containers]
+userns = "auto"
+
+
diff --git a/etc/containers/networks/podman.json b/etc/containers/networks/podman.json
new file mode 100644
index 0000000..fd1694c
--- /dev/null
+++ b/etc/containers/networks/podman.json
@@ -0,0 +1,23 @@
+{
+ "name": "podman",
+ "id": "2f259bab93aaaaa2542ba43ef33eb990d0999ee1b9924b557b7be53c0b7a1bb9",
+ "driver": "bridge",
+ "network_interface": "podman0",
+ "created": "2022-08-27T13:25:16.808341191+08:00",
+ "subnets": [
+ {
+ "subnet": "10.88.0.0/16",
+ "gateway": "10.88.0.1"
+ },
+ {
+ "subnet": "fccc::/64",
+ "gateway": "fccc::1"
+ }
+ ],
+ "ipv6_enabled": true,
+ "internal": false,
+ "dns_enabled": true,
+ "ipam_options": {
+ "driver": "host-local"
+ }
+}
diff --git a/etc/containers/storage.conf b/etc/containers/storage.conf
new file mode 100644
index 0000000..a2dd9e9
--- /dev/null
+++ b/etc/containers/storage.conf
@@ -0,0 +1,239 @@
+# This file is the configuration file for all tools
+# that use the containers/storage library. The storage.conf file
+# overrides all other storage.conf files. Container engines using the
+# container/storage library do not inherit fields from other storage.conf
+# files.
+#
+# Note: The storage.conf file overrides other storage.conf files based on this precedence:
+# /usr/containers/storage.conf
+# /etc/containers/storage.conf
+# $HOME/.config/containers/storage.conf
+# $XDG_CONFIG_HOME/containers/storage.conf (If XDG_CONFIG_HOME is set)
+# See man 5 containers-storage.conf for more information
+# The "container storage" table contains all of the server options.
+[storage]
+
+# Default Storage Driver, Must be set for proper operation.
+driver = "btrfs"
+
+# Temporary storage location
+runroot = "/run/containers/storage"
+
+# Primary Read/Write location of container storage
+# When changing the graphroot location on an SELINUX system, you must
+# ensure the labeling matches the default locations labels with the
+# following commands:
+# semanage fcontext -a -e /var/lib/containers/storage /NEWSTORAGEPATH
+# restorecon -R -v /NEWSTORAGEPATH
+graphroot = "/var/lib/containers/storage"
+
+
+# Storage path for rootless users
+#
+# rootless_storage_path = "$HOME/.local/share/containers/storage"
+
+# Transient store mode makes all container metadata be saved in temporary storage
+# (i.e. runroot above). This is faster, but doesn't persist across reboots.
+# Additional garbage collection must also be performed at boot-time, so this
+# option should remain disabled in most configurations.
+# transient_store = true
+
+[storage.options]
+# Storage options to be passed to underlying storage drivers
+
+# AdditionalImageStores is used to pass paths to additional Read/Only image stores
+# Must be comma separated list.
+additionalimagestores = [
+]
+
+# Allows specification of how storage is populated when pulling images. This
+# option can speed the pulling process of images compressed with format
+# zstd:chunked. Containers/storage looks for files within images that are being
+# pulled from a container registry that were previously pulled to the host. It
+# can copy or create a hard link to the existing file when it finds them,
+# eliminating the need to pull them from the container registry. These options
+# can deduplicate pulling of content, disk storage of content and can allow the
+# kernel to use less memory when running containers.
+
+# containers/storage supports three keys
+# * enable_partial_images="true" | "false"
+# Tells containers/storage to look for files previously pulled in storage
+# rather then always pulling them from the container registry.
+# * use_hard_links = "false" | "true"
+# Tells containers/storage to use hard links rather then create new files in
+# the image, if an identical file already existed in storage.
+# * ostree_repos = ""
+# Tells containers/storage where an ostree repository exists that might have
+# previously pulled content which can be used when attempting to avoid
+# pulling content from the container registry
+pull_options = {enable_partial_images = "false", use_hard_links = "false", ostree_repos=""}
+
+# Remap-UIDs/GIDs is the mapping from UIDs/GIDs as they should appear inside of
+# a container, to the UIDs/GIDs as they should appear outside of the container,
+# and the length of the range of UIDs/GIDs. Additional mapped sets can be
+# listed and will be heeded by libraries, but there are limits to the number of
+# mappings which the kernel will allow when you later attempt to run a
+# container.
+#
+# remap-uids = "0:1668442479:65536"
+# remap-gids = "0:1668442479:65536"
+
+# Remap-User/Group is a user name which can be used to look up one or more UID/GID
+# ranges in the /etc/subuid or /etc/subgid file. Mappings are set up starting
+# with an in-container ID of 0 and then a host-level ID taken from the lowest
+# range that matches the specified name, and using the length of that range.
+# Additional ranges are then assigned, using the ranges which specify the
+# lowest host-level IDs first, to the lowest not-yet-mapped in-container ID,
+# until all of the entries have been used for maps. This setting overrides the
+# Remap-UIDs/GIDs setting.
+#
+remap-user = "containers"
+remap-group = "containers"
+
+# Root-auto-userns-user is a user name which can be used to look up one or more UID/GID
+# ranges in the /etc/subuid and /etc/subgid file. These ranges will be partitioned
+# to containers configured to create automatically a user namespace. Containers
+# configured to automatically create a user namespace can still overlap with containers
+# having an explicit mapping set.
+# This setting is ignored when running as rootless.
+# root-auto-userns-user = "storage"
+#
+# Auto-userns-min-size is the minimum size for a user namespace created automatically.
+# auto-userns-min-size=1024
+#
+# Auto-userns-max-size is the maximum size for a user namespace created automatically.
+# auto-userns-max-size=65536
+
+[storage.options.overlay]
+# ignore_chown_errors can be set to allow a non privileged user running with
+# a single UID within a user namespace to run containers. The user can pull
+# and use any image even those with multiple uids. Note multiple UIDs will be
+# squashed down to the default uid in the container. These images will have no
+# separation between the users in the container. Only supported for the overlay
+# and vfs drivers.
+#ignore_chown_errors = "false"
+
+# Inodes is used to set a maximum inodes of the container image.
+# inodes = ""
+
+# Path to an helper program to use for mounting the file system instead of mounting it
+# directly.
+#mount_program = "/usr/bin/fuse-overlayfs"
+
+# mountopt specifies comma separated list of extra mount options
+mountopt = "nodev,metacopy=on"
+
+# Set to skip a PRIVATE bind mount on the storage home directory.
+# skip_mount_home = "false"
+
+# Size is used to set a maximum size of the container image.
+# size = ""
+
+# ForceMask specifies the permissions mask that is used for new files and
+# directories.
+#
+# The values "shared" and "private" are accepted.
+# Octal permission masks are also accepted.
+#
+# "": No value specified.
+# All files/directories, get set with the permissions identified within the
+# image.
+# "private": it is equivalent to 0700.
+# All files/directories get set with 0700 permissions. The owner has rwx
+# access to the files. No other users on the system can access the files.
+# This setting could be used with networked based homedirs.
+# "shared": it is equivalent to 0755.
+# The owner has rwx access to the files and everyone else can read, access
+# and execute them. This setting is useful for sharing containers storage
+# with other users. For instance have a storage owned by root but shared
+# to rootless users as an additional store.
+# NOTE: All files within the image are made readable and executable by any
+# user on the system. Even /etc/shadow within your image is now readable by
+# any user.
+#
+# OCTAL: Users can experiment with other OCTAL Permissions.
+#
+# Note: The force_mask Flag is an experimental feature, it could change in the
+# future. When "force_mask" is set the original permission mask is stored in
+# the "user.containers.override_stat" xattr and the "mount_program" option must
+# be specified. Mount programs like "/usr/bin/fuse-overlayfs" present the
+# extended attribute permissions to processes within containers rather than the
+# "force_mask" permissions.
+#
+# force_mask = ""
+
+[storage.options.thinpool]
+# Storage Options for thinpool
+
+# autoextend_percent determines the amount by which pool needs to be
+# grown. This is specified in terms of % of pool size. So a value of 20 means
+# that when threshold is hit, pool will be grown by 20% of existing
+# pool size.
+# autoextend_percent = "20"
+
+# autoextend_threshold determines the pool extension threshold in terms
+# of percentage of pool size. For example, if threshold is 60, that means when
+# pool is 60% full, threshold has been hit.
+# autoextend_threshold = "80"
+
+# basesize specifies the size to use when creating the base device, which
+# limits the size of images and containers.
+# basesize = "10G"
+
+# blocksize specifies a custom blocksize to use for the thin pool.
+# blocksize="64k"
+
+# directlvm_device specifies a custom block storage device to use for the
+# thin pool. Required if you setup devicemapper.
+# directlvm_device = ""
+
+# directlvm_device_force wipes device even if device already has a filesystem.
+# directlvm_device_force = "True"
+
+# fs specifies the filesystem type to use for the base device.
+# fs="xfs"
+
+# log_level sets the log level of devicemapper.
+# 0: LogLevelSuppress 0 (Default)
+# 2: LogLevelFatal
+# 3: LogLevelErr
+# 4: LogLevelWarn
+# 5: LogLevelNotice
+# 6: LogLevelInfo
+# 7: LogLevelDebug
+# log_level = "7"
+
+# min_free_space specifies the min free space percent in a thin pool require for
+# new device creation to succeed. Valid values are from 0% - 99%.
+# Value 0% disables
+# min_free_space = "10%"
+
+# mkfsarg specifies extra mkfs arguments to be used when creating the base
+# device.
+# mkfsarg = ""
+
+# metadata_size is used to set the `pvcreate --metadatasize` options when
+# creating thin devices. Default is 128k
+# metadata_size = ""
+
+# Size is used to set a maximum size of the container image.
+# size = ""
+
+# use_deferred_removal marks devicemapper block device for deferred removal.
+# If the thinpool is in use when the driver attempts to remove it, the driver
+# tells the kernel to remove it as soon as possible. Note this does not free
+# up the disk space, use deferred deletion to fully remove the thinpool.
+# use_deferred_removal = "True"
+
+# use_deferred_deletion marks thinpool device for deferred deletion.
+# If the device is busy when the driver attempts to delete it, the driver
+# will attempt to delete device every 30 seconds until successful.
+# If the program using the driver exits, the driver will continue attempting
+# to cleanup the next time the driver is used. Deferred deletion permanently
+# deletes the device and all data stored in device will be lost.
+# use_deferred_deletion = "True"
+
+# xfs_nospace_max_retries specifies the maximum number of retries XFS should
+# attempt to complete IO when ENOSPC (no space) error is returned by
+# underlying storage device.
+# xfs_nospace_max_retries = "0"
diff --git a/etc/systemd/system.conf.d/accounting.conf b/etc/systemd/system.conf.d/accounting.conf
new file mode 100644
index 0000000..97642c2
--- /dev/null
+++ b/etc/systemd/system.conf.d/accounting.conf
@@ -0,0 +1,4 @@
+[Manager]
+DefaultIOAccounting=yes
+DefaultIPAccounting=yes
+
diff --git a/fedora-common-ostree.yaml b/fedora-common-ostree.yaml
index bc45493..f7e17bb 100644
--- a/fedora-common-ostree.yaml
+++ b/fedora-common-ostree.yaml
@@ -7,7 +7,9 @@ mutate-os-release: "39"
 container-cmd:
 - /usr/bin/bash
-include: fedora-common-ostree-pkgs.yaml
+# don't include the default package list as
+# this for GUI systems
+# include: fedora-common-ostree-pkgs.yaml
 # See https://github.com/coreos/bootupd
 # TODO: Disabled until we use use unified-core or native container flow
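Review bot: `driver = "btrfs"` is the driver selected, yet the only uncommented driver option, `mountopt = "nodev,metacopy=on"`, sits under `[storage.options.overlay]`, a section the btrfs driver does not read as far as I can tell, so either the driver line or that option looks like a leftover from a copied overlay config. `remap-user = "containers"` and `remap-group = "containers"` are also uncommented while `root-auto-userns-user` stays commented; with `userns = "auto"` added in containers.conf in this same patch, the auto ranges are carved from whichever user `root-auto-userns-user` names (presumably `containers` by default), which only lines up with the `containers` entries that server.yaml's postprocess writes to /etc/subuid by coincidence of defaults. Setting `root-auto-userns-user = "containers"` explicitly, with a one-line comment pointing at the subuid entries, would make that dependency visible.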
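Review bot: The added comment `# this for GUI systems` is missing its verb; `# this is for GUI systems` reads correctly. Since the include is now disabled, the comment could also say where the replacement package list lives (the `packages:` list in server.yaml) so a reader does not assume the base manifest ships without packages.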
@@ -21,11 +23,7 @@ packages:
 - git-core
 # Explicitely add Git docs
 - git-core-doc
- - lvm2
 - rpm-ostree
- # Required for compatibility with old bootloaders until we have bootupd
- # See https://github.com/fedora-silverblue/issue-tracker/issues/120
- - ostree-grub2
 # Container management
 - buildah
 - podman
@@ -33,12 +31,6 @@ packages:
 - toolbox
 # Provides terminal tools like clear, reset, tput, and tset
 - ncurses
- # Flatpak support
- - flatpak
- - xdg-desktop-portal
- # HFS filesystem tools for Apple hardware
- # See https://github.com/projectatomic/rpm-ostree/issues/1380
- - hfsplus-tools
 # Contains default ostree remote config to be used on client's
 # system for fetching ostree update
 - fedora-repos-ostree
diff --git a/server.yaml b/server.yaml
index 2c9677c..e3a0619 100644
--- a/server.yaml
+++ b/server.yaml
@@ -8,211 +8,233 @@ repos:
 - fedora-39-updates
 packages:
- - NetworkManager-bluetooth
- - NetworkManager-l2tp
- - NetworkManager-libreswan
- - NetworkManager-openconnect
- - NetworkManager-vpnc
- - NetworkManager-wifi
- - abattis-cantarell-fonts
- - acl
- - alsa-sof-firmware
- - apcupsd
- - appstream-data
- - attr
- - bash-color-prompt
- - bat
- - bear
- - bind-utils
+ # devel
 - boost-devel
- - bootc
- - borgbackup
- - buildah
- - certbot
 - checksec
- - chrony
- - cifs-utils
- - cifs-utils-info
 - clang
 - clang-tools-extra
 - cmake
 - cmake-data
+ - copr-cli
+ - eigen3-devel
+ - gcc-gdb-plugin
+ - gcc-gfortran
+ - gdb
+ - gsl-devel
+ - lhapdf-devel
+ - libXext-devel
+ - libXft-devel
+ - libXpm-devel
+ - libnsl2-devel
+ - libasan
+ - libtool
+ - libubsan
+ - liburing-devel
+ - strace
+ - log4cpp-devel
+ - ninja-build
+ - openblas-devel
+ - openssl-devel
+ - pythia8-devel
+ - rust2rpm
+ - bear
+ - perf
+ - tbb-devel
+ - git
+ - perl-Git
+ - ltrace
+ - valgrind
+ - patchutils
+
+ # system management & base functions
+ - NetworkManager
+ - NetworkManager-wifi
+ - acl
+ - attr
+ - bind-utils
+ - chrony
+ - bootc
 - cockpit
 - cockpit-file-sharing
 - cockpit-kdump
 - cockpit-machines
 - cockpit-navigator
- - cockpit-pcp
 - cockpit-podman
 - cockpit-selinux
- - compsize
- - conntrack-tools
- - copr-cli
- - default-editor
 - dhcp-client
- - dos2unix
- - dracut-config-rescue
 - efibootmgr
- - eigen3-devel
 - firewalld
- - flexiblas-openblas-serial
- - flexiblas-openblas-serial64
- - flexiblas-openblas-threads
- - flexiblas-openblas-threads64
+ - grub2-tools-efi
+ - grub2-tools-extra
+ - hdparm
+ - ipmitool
+ - irqbalance
+ - kernel-tools
+ - numactl
+ - nvme-cli
+ - radvd
+ - smartmontools
+ - shim-x64
+ - setserial
+ - setools-console
+ - sssd-kcm
+ - rpm-ostree
+ - sudo
+ - sudo-python-plugin
+ - usb_modeswitch
+ - usb_modeswitch-data
+ - iputils
+ - kernel
+ - kernel-modules-extra
+ - linux-firmware
+ - nss-mdns
+ - nss-altfiles
+ - openssh-server
+ - openssh-clients
+ - passwd
+ - shadow-utils
+ - selinux-policy-targeted
+ - sssd
+ - sssd-common
+
+ # useful tools
+ - which
+ - wget
+ - rsync
+ - lsof
+ - mtr
+ - pinfo
+ - compsize
+ - conntrack-tools
+ - borgbackup
 - fpaste
- - fwupd
- - fwupd-plugin-flashrom
- - fwupd-plugin-modem-manager
- - fwupd-plugin-uefi-capsule-data
- - fzf
- - gawk-all-langpacks
- - gcc-gdb-plugin
- - gcc-gfortran
- - gdb
+ - opensc
 - ghostscript
 - ghostscript-tools-fonts
 - ghostscript-tools-printing
- - git
- - perl-Git
+ - fzf
 - glances
- - gnome-keyring
- - grub2-tools-efi
- - grub2-tools-extra
- - gsl-devel
- - gstreamer1-plugins-bad-free-libs
- - hdparm
+ - bat
 - htop
- - hunspell-en
 - iotop
 - iperf3
- - ipmitool
 - iptraf-ng
- - iptstate
- - irqbalance
- - iwlegacy-firmware
- - iwlwifi-dvm-firmware
- - iwlwifi-mvm-firmware
 - jwhois
- - kernel
- - kernel
- - kernel
- - kernel-modules-extra
- - kernel-modules-extra
- - kernel-modules-extra
- - kernel-tools
- - langpacks-zh_CN
- - lhapdf-devel
- - libXext-devel
- - libXft-devel
- - libXpm-devel
- - libasan
- - libdovi
- - libertas-firmware
- - libnsl2-devel
- - libtool
- - libubsan
- - liburing-devel
 - lm_sensors
- - log4cpp-devel
 - lsof
- - ltrace
- - man-pages
- - man-pages-zh-CN
 - mcelog
 - microcode_ctl
 - mtr
 - net-tools
- - nginx-mod-stream
- - ninja-build
 - nmap
- - ntfs2btrfs
- - numactl
- - nvme-cli
- - openblas-devel
- - opensc
- - openssh-server
- - openssl-devel
- - p7zip
 - pandoc
- - passwdqc
- - patchutils
 - pciutils
- - perf
- - perl-FindBin
- - perl-Unicode-Normalize
- - perl-YAML-Tiny
- - perl-sigtrap
- - pipewire-alsa
- - pipewire-pulseaudio
- - plymouth
- - plymouth-scripts
- - podman-docker
- - podman-plugins
 - powertop
- - pythia8-devel
- - python3-certbot-dns-cloudflare
- - python3-pwntools
- - python3-rangehttpserver
- - python3-root
- - qemu-kvm
- - radvd
 - rclone
- - remove-retired-packages
- - root-genvector
- - root-geom
- - root-gui-webgui6
- - root-hist-factory
- - root-minuit2
- - root-montecarlo-pythia8
- - root-netx
- - root-roofit-more
- - root-smatrix
- - root-spectrum
- - root-tutorial
- - root-unfold
- - rootfiles
- - rpm-ostree
- - rust2rpm
- - samba-client
- - setools-console
- - setserial
- - shim-x64
- - smartmontools
 - softnet-stat
- - sssd-kcm
- - strace
 - stress
- - sudo
- - sudo-python-plugin
- - systemd-oomd-defaults
- - systemd-container
 - targetcli
- - tbb-devel
 - tcpdump
 - time
 - tmux
 - toolbox
- - tpm2-pkcs11
- - tpm2-pkcs11-tools
 - traceroute
 - tree
 - udica
+ - whois
 - unar
- - usb_modeswitch
- - usb_modeswitch-data
 - usbutils
- - valgrind
 - vim-minimal
 - waypipe
 - whois
 - wireguard-tools
 - wol
+ - dnsmasq
+ - curl
+ - less
+
+ # container & VM
+ - podman-docker
+ - podman-plugins
+ - podman
+ - skopeo
+ - buildah
+ - qemu-kvm
+ - systemd-container
+ # fs tools/storage
+ - nfs-utils
+ - cifs-utils
+ - cifs-utils-info
+ - ntfs2btrfs
+ - samba-client
+ - ntfs-3g
+ - ntfsprogs
+ - exfatprogs
+ - f2fs-tools
+ - xfsprogs
+ - mdadm
+ - lvm2
+ - btrfs-progs
+ - cockpit-storaged
+
+ # other
+ - flexiblas-openblas-serial
+ - flexiblas-openblas-serial64
+ - flexiblas-openblas-threads
+ - flexiblas-openblas-threads64
+ - default-editor
+ - bash-completion
+ - bash-color-prompt
+ - langpacks-zh_CN
+ - man-pages-zh-CN
+ - man-pages
+ - man-db
+ - opensc
+ - openssh-server
+ - passwdqc
+ - perl-FindBin
+ - perl-Unicode-Normalize
+ - perl-YAML-Tiny
+ - perl-sigtrap
+ - plymouth
+ - plymouth-scripts
+ - systemd-oomd-defaults
+ - rootfiles
+ - tpm2-pkcs11
+ - tpm2-pkcs11-tools
 - words
 - xorg-x11-xauth
- - xrootd-client
- - xrootd-voms
 - zram-generator-defaults
 - zsh
+ - distribution-gpg-keys
+ - glibc-all-langpacks
+ - plymouth-system-theme
+
+ # HEP
+ - python3-root
+ - root-genvector
+ - root-geom
+ - root-gui-webgui6
+ - root-hist-factory
+ - root-minuit2
+ - root-montecarlo-pythia8
+ - root-netx
+ - root-roofit-more
+ - root-smatrix
+ - root-spectrum
+ - root-tutorial
+ - root-unfold
+ - xrootd-client
+ - xrootd-voms
+
+
+exclude-packages:
+ - firefox
+ - pipewire
+ - pipewire-utils
+ - qt5-qtbase
+ - qt5-qtbase-common
+ - systemd-resolved
 postprocess:
 - |
@@ -222,4 +244,45 @@ postprocess:
 echo "root" | passwd --stdin root
 mkdir -p /etc/ssh/sshd_config.d
 echo "PasswordAuthentication no" > /etc/ssh/sshd_config.d/99-password-authentication.conf
- 
\ No newline at end of file
+ # selinux modification
+ semanage fcontext -a -f a -t user_home_t -r 's0' '/media/storage(/.*)?'
+ semodule -i /etc/cils/*.cil /usr/share/udica/templates/{base_container.cil,net_container.cil}
+ rm -rf /etc/cils
+ # Services
+ systemctl enable cockpit.socket
+ systemctl disable sshd
+ systemctl enable sshd.socket
+ # subuid for containers
+ echo containers:2147483647:2147483648 > /etc/subuid
+ echo containers:2147483647:2147483648 > /etc/subgid
+
+add-files:
+ [
+ ["cils/adguardhome.cil", "/etc/cils/adguardhome.cil"],
+ [
+ "cils/cloudflare_with_socket_access.cil",
+ "/etc/cils/cloudflare_with_socket_access.cil",
+ ],
+ ["cils/comiclib.cil", "/etc/cils/comiclib.cil"],
+ ["cils/container_caddy.cil", "/etc/cils/container_caddy.cil"],
+ ["cils/container_hath.cil", "/etc/cils/container_hath.cil"],
+ [
+ "cils/container_rohome_allbind.cil",
+ "/etc/cils/container_rohome_allbind.cil",
+ ],
+ [
+ "cils/container_rwhome_allbind.cil",
+ "/etc/cils/container_rwhome_allbind.cil",
+ ],
+ ["cils/container_wireguard.cil", "/etc/cils/container_wireguard.cil"],
+ ["etc/containers/containers.conf", "/etc/containers/containers.conf"],
+ ["etc/containers/storage.conf", "/etc/containers/storage.conf"],
+ [
+ "etc/containers/networks/podman.json",
+ "/etc/containers/networks/podman.json",
+ ],
+ [
+ "etc/systemd/system.conf.d/accounting.conf",
+ "/etc/systemd/system.conf.d/accounting.conf",
+ ],
+ ]
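Review bot: Several packages end up listed twice in the new `packages:` list: `opensc` and `openssh-server` are added under both `# useful tools`/`# system management & base functions` and `# other`, and the added `lsof`, `mtr` and `whois` entries duplicate context lines that remain further down (`- lsof`, `- mtr`, `- whois`). rpm-ostree may tolerate repeated entries, but the duplicates undo the point of regrouping the list, so drop one copy of each. `exclude-packages` now names `systemd-resolved` as the commit message says, yet nothing else in this patch configures a replacement resolver; if the `dnsmasq` added in this hunk is meant to take that role, a comment next to it (`# replaces systemd-resolved, excluded below`) would record it.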
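Review bot: `echo containers:2147483647:2147483648 > /etc/subuid` and the matching subgid line truncate the files rather than append, so any subordinate ranges the base image already carries are discarded; if that is the intent a comment saying so prevents a later `>>` "fix", and if not, `>>` is the safer form. `semodule -i /etc/cils/*.cil /usr/share/udica/templates/{base_container.cil,net_container.cil}` relies on brace expansion, so the block must run under bash; the script's first line is outside the hunk, so worth confirming. The `semanage fcontext -a -f a -t user_home_t -r 's0' '/media/storage(/.*)?'` line deserves a comment tying it to the `user_home_t` rules in the cil files, since that is the only reason external storage is given a home-directory label. Enabling `cockpit.socket` in the same script that still sets the root password with `echo "root" | passwd --stdin root` (a context line here) adds a login surface beyond ssh; cockpit refuses root logins by default on current Fedora as far as I recall, but that should be confirmed rather than assumed.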