From 62b4a0088648b17529103da5731d14b7cb15f435 Mon Sep 17 00:00:00 2001
From: Qiyu Yan
Date: Sat, 31 Aug 2024 15:00:30 +0800
Subject: [PATCH] build container for f41 container
---
 .github/workflows/docker-publish.yml | 53 ++++
 cils/adguardhome.cil | 25 ++
 cils/cloudflare_with_socket_access.cil | 11 +
 cils/comiclib.cil | 8 +
 cils/container_alist.cil | 10 +
 cils/container_caddy.cil | 10 +
 cils/container_hath.cil | 14 ++
 cils/container_jellyfin.cil | 9 +
 cils/container_rohome_allbind.cil | 7 +
 cils/container_rwhome_allbind.cil | 7 +
 cils/container_wireguard.cil | 8 +
 common.yaml | 4 +-
 etc/containers/containers.conf | 4 +
 etc/containers/networks/podman.json | 23 ++
 etc/containers/storage.conf | 239 ++++++++++++++++++
 etc/systemd/system.conf.d/accounting.conf | 4 +
 pythia6.repo | 10 +
 root-pythia6.yaml | 43 ++++
 server.yaml | 289 ++++++++++++++++++++++
 19 files changed, 776 insertions(+), 2 deletions(-)
 create mode 100644 .github/workflows/docker-publish.yml
 create mode 100644 cils/adguardhome.cil
 create mode 100644 cils/cloudflare_with_socket_access.cil
 create mode 100644 cils/comiclib.cil
 create mode 100644 cils/container_alist.cil
 create mode 100644 cils/container_caddy.cil
 create mode 100644 cils/container_hath.cil
 create mode 100644 cils/container_jellyfin.cil
 create mode 100644 cils/container_rohome_allbind.cil
 create mode 100644 cils/container_rwhome_allbind.cil
 create mode 100644 cils/container_wireguard.cil
 create mode 100644 etc/containers/containers.conf
 create mode 100644 etc/containers/networks/podman.json
 create mode 100644 etc/containers/storage.conf
 create mode 100644 etc/systemd/system.conf.d/accounting.conf
 create mode 100644 pythia6.repo
 create mode 100644 root-pythia6.yaml
 create mode 100644 server.yaml
diff --git a/.github/workflows/docker-publish.yml b/.github/workflows/docker-publish.yml
new file mode 100644
index 0000000..918809e
--- /dev/null
+++ b/.github/workflows/docker-publish.yml
@@ -0,0 +1,53 @@
+name: Build Ostree Container Image
+
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+on:
+ schedule:
+ - cron: '00 9 * * 1'
+ push:
+ branches: [ '*' ]
+
+env:
+ # Use docker.io for Docker Hub if empty
+ REGISTRY: ghcr.io
+ # github.repository as /
+ IMAGE_NAME: ${{ github.repository }}
+
+jobs:
+ build:
+ runs-on: ubuntu-latest
+ container:
+ image: fedora:latest
+ options: --privileged
+ permissions:
+ contents: read
+ packages: write
+ id-token: write
+
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v3
+
+ - name: Build
+ env:
+ registry: ${{ env.REGISTRY }}
+ username: ${{ github.actor }}
+ password: ${{ secrets.GITHUB_TOKEN }}
+ image: ${{ env.IMAGE_NAME }}
+ tag: ${{ github.ref_name }}
+ composefile: server.yaml
+ run: |
+ dnf -y install rpm-ostree skopeo selinux-policy-targeted --enablerepo=updates-testing
+ skopeo login -u $username -p $password $registry
+ mkdir -p repo cache
+ ostree init --repo=repo --mode=archive
+ rpm-ostree compose image --initialize-mode=if-not-exists \
+ --format registry --layer-repo repo --cachedir=cache \
+ $composefile \
+ $registry/$image:$tag
+
+
\ No newline at end of file
diff --git a/cils/adguardhome.cil b/cils/adguardhome.cil
new file mode 100644
index 0000000..08927ec
--- /dev/null
+++ b/cils/adguardhome.cil
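Review bot: `skopeo login -u $username -p $password $registry` in the `run` step passes the GITHUB_TOKEN as a command-line argument, where it is visible in the process table and in any shell trace; read it from stdin instead: `echo "$password" | skopeo login -u "$username" --password-stdin "$registry"`. The job requests `id-token: write` but nothing in the step uses it (no cosign signing or attestation), so either sign the pushed image or drop the permission. `push: branches: [ '*' ]` together with `packages: write` means every push to any branch publishes a `ghcr.io` tag named after that branch, unreviewed branches included; consider limiting this to the default branch or to tags. `--enablerepo=updates-testing` installs the compose toolchain from an unstable repository on every run, which makes builds non-reproducible and widens the supply-chain surface of a privileged job.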
@@ -0,0 +1,25 @@
+(block adguardhome
+ (blockinherit container)
+ (blockinherit restricted_net_container)
+ (allow process process ( capability ( net_bind_service )))
+
+ (allow process dns_port_t ( tcp_socket ( name_bind )))
+ (allow process dns_port_t ( udp_socket ( name_bind )))
+ (allow process dhcpd_port_t ( udp_socket ( name_bind )))
+ (allow process dhcpc_port_t ( udp_socket ( name_bind )))
+ (allow process http_port_t ( tcp_socket ( name_bind )))
+ (allow process http_port_t ( tcp_socket ( name_bind )))
+ (allow process reserved_port_t ( udp_socket ( name_bind )))
+ (allow process hi_reserved_port_t ( udp_socket ( name_bind )))
+ (allow process ntop_port_t ( tcp_socket ( name_bind )))
+ (allow process ntop_port_t ( udp_socket ( name_bind )))
+ (allow process unreserved_port_t ( tcp_socket ( name_bind )))
+ (allow process unreserved_port_t ( udp_socket ( name_bind )))
+
+ (allow process port_type ( tcp_socket ( name_connect recv_msg send_msg )))
+ (allow process port_type ( udp_socket ( recv_msg send_msg )))
+
+ (allow process cert_t ( dir ( watch getattr open read search )))
+ (allow process cert_t ( file ( watch getattr open read )))
+ (allow process cert_t ( lnk_file ( read )))
+)
diff --git a/cils/cloudflare_with_socket_access.cil b/cils/cloudflare_with_socket_access.cil
new file mode 100644
index 0000000..4d93a88
--- /dev/null
+++ b/cils/cloudflare_with_socket_access.cil
@@ -0,0 +1,11 @@
+(block cloudflare_with_socket_access
+ (blockinherit container)
+ (blockinherit net_container)
+
+ (allow process node_t ( icmp_socket ( node_bind )))
+
+ (allow process var_run_t ( sock_file ( write )))
+ (allow process comiclib.process ( unix_stream_socket ( connectto )))
+ (allow process cockpit_ws_t ( unix_stream_socket ( connectto )))
+ (allow process container_caddy.process ( unix_stream_socket ( connectto )))
+)
diff --git a/cils/comiclib.cil b/cils/comiclib.cil
new file mode 100644
index 0000000..e2ead8d
--- /dev/null
+++ b/cils/comiclib.cil
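Review bot: The `http_port_t ( tcp_socket ( name_bind ))` rule appears twice, and the `reserved_port_t`, `hi_reserved_port_t` and `unreserved_port_t` `udp_socket ( name_bind )` rules together cover essentially the whole UDP port range, so the narrower `dns_port_t`/`dhcpd_port_t`/`dhcpc_port_t` UDP binds add nothing and the block is looser than it reads. If the intent is DNS on 53 plus DHCP, drop the three catch-all UDP binds and the duplicate line and keep only the named port types; if the admin UI genuinely needs `unreserved_port_t tcp name_bind`, a comment naming the port would let a later reader narrow it. A one-line header such as `; AdGuard Home: DNS (53), DHCP (67/68), web UI; read-only access to cert_t for TLS` would make the block auditable at a glance.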
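Review bot: `(allow process var_run_t ( sock_file ( write )))` grants write to every socket file labelled `var_run_t` that is visible inside the container, not only the cockpit/caddy/comiclib sockets the `connectto` rules name, so a compromised tunnel process can talk to any other generic /run socket that happens to be bind-mounted in. Give those sockets (or the directory they are mounted from) a dedicated type, or at least record the assumption with `; write on var_run_t is only for the bind-mounted unix sockets; keep the mounted set minimal`. The `cockpit_ws_t ( unix_stream_socket ( connectto ))` line exposes the Cockpit login endpoint to whatever the tunnel publishes, which deserves an explicit comment stating that this is intentional and that Cockpit's origin/access configuration accounts for it.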
@@ -0,0 +1,8 @@
+(block comiclib
+ (blockinherit container)
+
+ (allow process user_home_t ( dir ( watch getattr ioctl lock open read search )))
+ (allow process user_home_t ( file ( watch getattr ioctl lock open read )))
+
+ (dontaudit process node_t ( tcp_socket ( node_bind ) ) )
+)
diff --git a/cils/container_alist.cil b/cils/container_alist.cil
new file mode 100644
index 0000000..901cdaf
--- /dev/null
+++ b/cils/container_alist.cil
@@ -0,0 +1,10 @@
+(block container_alist
+ (blockinherit container)
+ (blockinherit restricted_net_container)
+
+ (allow process user_home_t ( dir ( watch add_name create getattr ioctl lock open read remove_name rmdir search setattr write )))
+ (allow process user_home_t ( file ( watch append create getattr ioctl lock map open read rename setattr unlink write )))
+
+ (allow process port_type ( tcp_socket ( name_connect recv_msg send_msg )))
+ (allow process port_type ( udp_socket ( recv_msg send_msg )))
+)
diff --git a/cils/container_caddy.cil b/cils/container_caddy.cil
new file mode 100644
index 0000000..52a9821
--- /dev/null
+++ b/cils/container_caddy.cil
@@ -0,0 +1,10 @@
+(block container_caddy
+ (blockinherit container)
+ (blockinherit net_container)
+ (allow process process ( capability ( net_bind_service )))
+
+ (allow process var_run_t ( sock_file ( write )))
+ (allow process cockpit_ws_t ( unix_stream_socket ( connectto )))
+ (allow process container_alist.process ( unix_stream_socket ( connectto )))
+ (allow process comiclib.process ( unix_stream_socket ( connectto )))
+)
diff --git a/cils/container_hath.cil b/cils/container_hath.cil
new file mode 100644
index 0000000..2ca0f9b
--- /dev/null
+++ b/cils/container_hath.cil
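Review bot: `(dontaudit process node_t ( tcp_socket ( node_bind ) ) )` only silences the denial; the bind still fails, so if comiclib ever needs to listen on a TCP address the failure will leave no trace in the audit log. Add a comment saying why the denial is expected, e.g. `; comiclib is reached over its unix socket only; suppress the noisy TCP bind attempt`, so nobody later "fixes" it by granting `node_bind` without understanding the trade-off.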
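Review bot: The two `user_home_t` rules grant create/unlink/rename/write on anything labelled `user_home_t` that is visible in the container's mount namespace, which after the `semanage fcontext` line in server.yaml covers both `/home` and `/media/storage`; what alist can actually modify is bounded by the bind mounts, not by this policy. The `port_type ( tcp_socket ( name_connect ... ))` rule likewise permits egress to any port. Both may be intended for a file-sharing service, but the block should say so, e.g. `; RW on bind-mounted user_home_t data (/media/storage); scope is set by the mounts, not this policy; unrestricted egress for remote storage backends`.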
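Review bot: `(blockinherit net_container)` plus `net_bind_service` lets caddy bind any port, while the sibling `container_hath.cil` in this commit shows the tighter pattern of `restricted_net_container` with an explicit `http_port_t ( tcp_socket ( name_bind ))`; a reverse proxy that only serves 80/443 fits that pattern and should use it for consistency. `(allow process var_run_t ( sock_file ( write )))` has the same breadth issue as in `cloudflare_with_socket_access.cil`: it covers every generic /run socket mounted in, not just the alist/comiclib/cockpit ones named by the `connectto` rules, so either label those sockets specifically or note the assumption in a comment.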
@@ -0,0 +1,14 @@
+(block container_hath
+ (blockinherit container)
+ (blockinherit restricted_net_container)
+ (allow process process ( capability ( net_bind_service )))
+
+ (allow process port_type ( tcp_socket ( name_connect recv_msg send_msg )))
+ (allow process port_type ( udp_socket ( recv_msg send_msg )))
+
+ (allow process http_port_t ( tcp_socket ( name_bind )))
+
+ (allow process user_home_t ( dir ( watch add_name create getattr ioctl lock open read remove_name rmdir search setattr write )))
+ (allow process user_home_t ( file ( watch append create getattr ioctl lock map open read rename setattr unlink write )))
+
+)
diff --git a/cils/container_jellyfin.cil b/cils/container_jellyfin.cil
new file mode 100644
index 0000000..7fe8bb4
--- /dev/null
+++ b/cils/container_jellyfin.cil
@@ -0,0 +1,9 @@
+(block container_jellyfin
+ (blockinherit container)
+ (blockinherit net_container)
+
+ (allow process user_home_t ( dir ( watch getattr ioctl lock open read search )))
+ (allow process user_home_t ( file ( watch getattr ioctl lock open read )))
+
+ (allow process tmpfs_t (file (execute map)))
+)
diff --git a/cils/container_rohome_allbind.cil b/cils/container_rohome_allbind.cil
new file mode 100644
index 0000000..6e4b08c
--- /dev/null
+++ b/cils/container_rohome_allbind.cil
@@ -0,0 +1,7 @@
+(block container_rohome_allbind
+ (blockinherit container)
+ (blockinherit net_container)
+
+ (allow process user_home_t ( dir ( watch getattr ioctl lock open read search )))
+ (allow process user_home_t ( file ( watch getattr ioctl lock open read )))
+)
diff --git a/cils/container_rwhome_allbind.cil b/cils/container_rwhome_allbind.cil
new file mode 100644
index 0000000..f701d7a
--- /dev/null
+++ b/cils/container_rwhome_allbind.cil
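Review bot: `(allow process tmpfs_t (file (execute map)))` lets the jellyfin process run code out of writable tmpfs, which removes the usual guarantee that a confined container cannot execute what it can write; a file-write bug in the media server then becomes code execution from /tmp. If this is for a JIT or transcoder that needs an executable mapping, say so in a comment, e.g. `; execute+map on tmpfs needed by the .NET runtime/transcoder; consider a dedicated tmpfs with a narrower label`, and keep the rule tied to the specific denial that motivated it rather than leaving a blanket grant. Combined with `net_container` (bind any port) this is the most permissive read-only profile in the set, which is worth stating at the top of the block.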
@@ -0,0 +1,7 @@
+(block container_rwhome_allbind
+ (blockinherit container)
+ (blockinherit net_container)
+
+ (allow process user_home_t ( dir ( watch add_name create getattr ioctl lock open read remove_name rmdir search setattr write )))
+ (allow process user_home_t ( file ( watch append create getattr ioctl lock map open read rename setattr unlink write )))
+)
diff --git a/cils/container_wireguard.cil b/cils/container_wireguard.cil
new file mode 100644
index 0000000..ca18544
--- /dev/null
+++ b/cils/container_wireguard.cil
@@ -0,0 +1,8 @@
+(block container_wireguard
+ (blockinherit container)
+ (allow process process ( capability ( net_admin )))
+
+ (allow process container_wireguard.process ( netlink_route_socket ( nlmsg_write )))
+
+ (dontaudit process cgroup_t (dir (write) ))
+)
diff --git a/common.yaml b/common.yaml
index 8de00a5..c624c28 100644
--- a/common.yaml
+++ b/common.yaml
@@ -8,7 +8,7 @@ container-cmd:
 include:
 # Packages common to all variants
- - common-packages.yaml
+ # - common-packages.yaml
 # See: https://gitlab.com/fedora/ostree/sig/-/issues/1
 - bootupd.yaml
 # Dracut configuration for the initramfs
@@ -164,4 +164,4 @@ postprocess:
 # Fix triggerin for samba-client in cups package (not supported by rpm-ostree yet)
 # https://github.com/fedora-silverblue/issue-tracker/issues/532
- ln -snf /usr/libexec/samba/cups_backend_smb /usr/lib/cups/backend/smb
+ # ln -snf /usr/libexec/samba/cups_backend_smb /usr/lib/cups/backend/smb
diff --git a/etc/containers/containers.conf b/etc/containers/containers.conf
new file mode 100644
index 0000000..5416db8
--- /dev/null
+++ b/etc/containers/containers.conf
@@ -0,0 +1,4 @@
+[containers]
+userns = "auto"
+
+
diff --git a/etc/containers/networks/podman.json b/etc/containers/networks/podman.json
new file mode 100644
index 0000000..fd1694c
--- /dev/null
+++ b/etc/containers/networks/podman.json
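Review bot: This is the broadest profile in the set — `net_container` (bind and connect on any port) plus full write/unlink/rename on every `user_home_t` path mounted in — and nothing in the file says which workloads are meant to use it instead of the per-service blocks. Add a header comment such as `; generic RW-home + any-port profile; prefer a dedicated block per service, use this only for short-lived admin containers` so it does not become the default label for every new container.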
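Review bot: `net_admin` is the single most powerful capability granted anywhere in this set, and its blast radius depends entirely on whether the container gets its own network namespace: with `--network=host` the process could rewrite host routes and firewall rules, which the policy here does not prevent. The block should state the expected deployment, e.g. `; wg runs in its own netns; net_admin + netlink_route_socket are for configuring the wg interface; never run with --network=host`. `container_wireguard.process` on the netlink rule is the block's own `process` type, so plain `process` would read more clearly, and the `dontaudit` on `cgroup_t dir write` deserves a one-line reason so it is not mistaken for a needed permission later.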
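Review bot: Commenting out `- common-packages.yaml` and the cups/samba `ln -snf` line changes every variant that includes `common.yaml`, not only the new `server.yaml`, and the commit message does not say why; since `server.yaml` carries its own package list, the cleaner option is to leave `common.yaml` untouched and have the server variant not pull in the common package set. If the removal is intended for all variants, delete the lines rather than leaving commented-out YAML, and replace the dead `ln -snf` with a comment recording why the samba backend workaround is no longer needed. Both hunks are short excerpts; the surrounding `include:` and `postprocess:` lists continue outside them.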
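Review bot: `userns = "auto"` silently depends on the `containers` entries that server.yaml's postprocess writes to /etc/subuid and /etc/subgid, and it interacts with the `remap-user`/`remap-group` lines in the new storage.conf; nothing here points to either, so a future edit to one file can break the other. Add `# requires "containers" in /etc/subuid and /etc/subgid (see server.yaml postprocess); see also remap-* in storage.conf` above the setting. Note also that with an automatic user namespace, host files bind-mounted from `user_home_t` paths will typically appear as an unmapped owner inside the container unless `:U` or an idmapped mount is used, which is worth a comment given how many of the CIL profiles in this commit grant `user_home_t` access.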
@@ -0,0 +1,23 @@
+{
+ "name": "podman",
+ "id": "2f259bab93aaaaa2542ba43ef33eb990d0999ee1b9924b557b7be53c0b7a1bb9",
+ "driver": "bridge",
+ "network_interface": "podman0",
+ "created": "2022-08-27T13:25:16.808341191+08:00",
+ "subnets": [
+ {
+ "subnet": "10.88.0.0/16",
+ "gateway": "10.88.0.1"
+ },
+ {
+ "subnet": "fccc::/64",
+ "gateway": "fccc::1"
+ }
+ ],
+ "ipv6_enabled": true,
+ "internal": false,
+ "dns_enabled": true,
+ "ipam_options": {
+ "driver": "host-local"
+ }
+}
diff --git a/etc/containers/storage.conf b/etc/containers/storage.conf
new file mode 100644
index 0000000..a2dd9e9
--- /dev/null
+++ b/etc/containers/storage.conf
@@ -0,0 +1,239 @@ +# This file is the configuration file for all tools +# that use the containers/storage library. The storage.conf file +# overrides all other storage.conf files. Container engines using the +# container/storage library do not inherit fields from other storage.conf +# files. +# +# Note: The storage.conf file overrides other storage.conf files based on this precedence: +# /usr/containers/storage.conf +# /etc/containers/storage.conf +# $HOME/.config/containers/storage.conf +# $XDG_CONFIG_HOME/containers/storage.conf (If XDG_CONFIG_HOME is set) +# See man 5 containers-storage.conf for more information +# The "container storage" table contains all of the server options. +[storage] + +# Default Storage Driver, Must be set for proper operation. +driver = "btrfs" + +# Temporary storage location +runroot = "/run/containers/storage" + +# Primary Read/Write location of container storage +# When changing the graphroot location on an SELINUX system, you must +# ensure the labeling matches the default locations labels with the +# following commands: +# semanage fcontext -a -e /var/lib/containers/storage /NEWSTORAGEPATH +# restorecon -R -v /NEWSTORAGEPATH +graphroot = "/var/lib/containers/storage" + + +# Storage path for rootless users +# +# rootless_storage_path = "$HOME/.local/share/containers/storage" + +# Transient store mode makes all container metadata be saved in temporary storage +# (i.e. runroot above). This is faster, but doesn't persist across reboots. +# Additional garbage collection must also be performed at boot-time, so this +# option should remain disabled in most configurations. +# transient_store = true + +[storage.options] +# Storage options to be passed to underlying storage drivers + +# AdditionalImageStores is used to pass paths to additional Read/Only image stores +# Must be comma separated list. +additionalimagestores = [ +] + +# Allows specification of how storage is populated when pulling images. 
This +# option can speed the pulling process of images compressed with format +# zstd:chunked. Containers/storage looks for files within images that are being +# pulled from a container registry that were previously pulled to the host. It +# can copy or create a hard link to the existing file when it finds them, +# eliminating the need to pull them from the container registry. These options +# can deduplicate pulling of content, disk storage of content and can allow the +# kernel to use less memory when running containers. + +# containers/storage supports three keys +# * enable_partial_images="true" | "false" +# Tells containers/storage to look for files previously pulled in storage +# rather then always pulling them from the container registry. +# * use_hard_links = "false" | "true" +# Tells containers/storage to use hard links rather then create new files in +# the image, if an identical file already existed in storage. +# * ostree_repos = "" +# Tells containers/storage where an ostree repository exists that might have +# previously pulled content which can be used when attempting to avoid +# pulling content from the container registry +pull_options = {enable_partial_images = "false", use_hard_links = "false", ostree_repos=""} + +# Remap-UIDs/GIDs is the mapping from UIDs/GIDs as they should appear inside of +# a container, to the UIDs/GIDs as they should appear outside of the container, +# and the length of the range of UIDs/GIDs. Additional mapped sets can be +# listed and will be heeded by libraries, but there are limits to the number of +# mappings which the kernel will allow when you later attempt to run a +# container. +# +# remap-uids = "0:1668442479:65536" +# remap-gids = "0:1668442479:65536" + +# Remap-User/Group is a user name which can be used to look up one or more UID/GID +# ranges in the /etc/subuid or /etc/subgid file. 
Mappings are set up starting +# with an in-container ID of 0 and then a host-level ID taken from the lowest +# range that matches the specified name, and using the length of that range. +# Additional ranges are then assigned, using the ranges which specify the +# lowest host-level IDs first, to the lowest not-yet-mapped in-container ID, +# until all of the entries have been used for maps. This setting overrides the +# Remap-UIDs/GIDs setting. +# +remap-user = "containers" +remap-group = "containers" + +# Root-auto-userns-user is a user name which can be used to look up one or more UID/GID +# ranges in the /etc/subuid and /etc/subgid file. These ranges will be partitioned +# to containers configured to create automatically a user namespace. Containers +# configured to automatically create a user namespace can still overlap with containers +# having an explicit mapping set. +# This setting is ignored when running as rootless. +# root-auto-userns-user = "storage" +# +# Auto-userns-min-size is the minimum size for a user namespace created automatically. +# auto-userns-min-size=1024 +# +# Auto-userns-max-size is the maximum size for a user namespace created automatically. +# auto-userns-max-size=65536 + +[storage.options.overlay] +# ignore_chown_errors can be set to allow a non privileged user running with +# a single UID within a user namespace to run containers. The user can pull +# and use any image even those with multiple uids. Note multiple UIDs will be +# squashed down to the default uid in the container. These images will have no +# separation between the users in the container. Only supported for the overlay +# and vfs drivers. +#ignore_chown_errors = "false" + +# Inodes is used to set a maximum inodes of the container image. +# inodes = "" + +# Path to an helper program to use for mounting the file system instead of mounting it +# directly. 
+#mount_program = "/usr/bin/fuse-overlayfs" + +# mountopt specifies comma separated list of extra mount options +mountopt = "nodev,metacopy=on" + +# Set to skip a PRIVATE bind mount on the storage home directory. +# skip_mount_home = "false" + +# Size is used to set a maximum size of the container image. +# size = "" + +# ForceMask specifies the permissions mask that is used for new files and +# directories. +# +# The values "shared" and "private" are accepted. +# Octal permission masks are also accepted. +# +# "": No value specified. +# All files/directories, get set with the permissions identified within the +# image. +# "private": it is equivalent to 0700. +# All files/directories get set with 0700 permissions. The owner has rwx +# access to the files. No other users on the system can access the files. +# This setting could be used with networked based homedirs. +# "shared": it is equivalent to 0755. +# The owner has rwx access to the files and everyone else can read, access +# and execute them. This setting is useful for sharing containers storage +# with other users. For instance have a storage owned by root but shared +# to rootless users as an additional store. +# NOTE: All files within the image are made readable and executable by any +# user on the system. Even /etc/shadow within your image is now readable by +# any user. +# +# OCTAL: Users can experiment with other OCTAL Permissions. +# +# Note: The force_mask Flag is an experimental feature, it could change in the +# future. When "force_mask" is set the original permission mask is stored in +# the "user.containers.override_stat" xattr and the "mount_program" option must +# be specified. Mount programs like "/usr/bin/fuse-overlayfs" present the +# extended attribute permissions to processes within containers rather than the +# "force_mask" permissions. 
+# +# force_mask = "" + +[storage.options.thinpool] +# Storage Options for thinpool + +# autoextend_percent determines the amount by which pool needs to be +# grown. This is specified in terms of % of pool size. So a value of 20 means +# that when threshold is hit, pool will be grown by 20% of existing +# pool size. +# autoextend_percent = "20" + +# autoextend_threshold determines the pool extension threshold in terms +# of percentage of pool size. For example, if threshold is 60, that means when +# pool is 60% full, threshold has been hit. +# autoextend_threshold = "80" + +# basesize specifies the size to use when creating the base device, which +# limits the size of images and containers. +# basesize = "10G" + +# blocksize specifies a custom blocksize to use for the thin pool. +# blocksize="64k" + +# directlvm_device specifies a custom block storage device to use for the +# thin pool. Required if you setup devicemapper. +# directlvm_device = "" + +# directlvm_device_force wipes device even if device already has a filesystem. +# directlvm_device_force = "True" + +# fs specifies the filesystem type to use for the base device. +# fs="xfs" + +# log_level sets the log level of devicemapper. +# 0: LogLevelSuppress 0 (Default) +# 2: LogLevelFatal +# 3: LogLevelErr +# 4: LogLevelWarn +# 5: LogLevelNotice +# 6: LogLevelInfo +# 7: LogLevelDebug +# log_level = "7" + +# min_free_space specifies the min free space percent in a thin pool require for +# new device creation to succeed. Valid values are from 0% - 99%. +# Value 0% disables +# min_free_space = "10%" + +# mkfsarg specifies extra mkfs arguments to be used when creating the base +# device. +# mkfsarg = "" + +# metadata_size is used to set the `pvcreate --metadatasize` options when +# creating thin devices. Default is 128k +# metadata_size = "" + +# Size is used to set a maximum size of the container image. +# size = "" + +# use_deferred_removal marks devicemapper block device for deferred removal. 
+# If the thinpool is in use when the driver attempts to remove it, the driver
+# tells the kernel to remove it as soon as possible. Note this does not free
+# up the disk space, use deferred deletion to fully remove the thinpool.
+# use_deferred_removal = "True"
+
+# use_deferred_deletion marks thinpool device for deferred deletion.
+# If the device is busy when the driver attempts to delete it, the driver
+# will attempt to delete device every 30 seconds until successful.
+# If the program using the driver exits, the driver will continue attempting
+# to cleanup the next time the driver is used. Deferred deletion permanently
+# deletes the device and all data stored in device will be lost.
+# use_deferred_deletion = "True"
+
+# xfs_nospace_max_retries specifies the maximum number of retries XFS should
+# attempt to complete IO when ENOSPC (no space) error is returned by
+# underlying storage device.
+# xfs_nospace_max_retries = "0"
diff --git a/etc/systemd/system.conf.d/accounting.conf b/etc/systemd/system.conf.d/accounting.conf
new file mode 100644
index 0000000..97642c2
--- /dev/null
+++ b/etc/systemd/system.conf.d/accounting.conf
@@ -0,0 +1,4 @@
+[Manager]
+DefaultIOAccounting=yes
+DefaultIPAccounting=yes
+
diff --git a/pythia6.repo b/pythia6.repo
new file mode 100644
index 0000000..bc474a8
--- /dev/null
+++ b/pythia6.repo
@@ -0,0 +1,10 @@
+[pythia6]
+name=Pythia6 packages
+baseurl=https://download.copr.fedorainfracloud.org/results/yanqiyu/pythia6/fedora-41-$basearch/
+type=rpm-md
+skip_if_unavailable=True
+gpgcheck=1
+gpgkey=https://download.copr.fedorainfracloud.org/results/yanqiyu/pythia6/pubkey.gpg
+repo_gpgcheck=0
+enabled=1
+enabled_metadata=1
diff --git a/root-pythia6.yaml b/root-pythia6.yaml
new file mode 100644
index 0000000..38dea03
--- /dev/null
+++ b/root-pythia6.yaml
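Review bot: `remap-user = "containers"` / `remap-group = "containers"` remap the whole root storage onto the `containers` subordinate range, while `containers.conf` in the same commit sets `userns = "auto"`, which by Podman's documented behaviour also carves per-container ranges out of that same `containers` entry; this file's own comment warns that automatically created namespaces "can still overlap with containers having an explicit mapping set", so the two settings may leave containers sharing host UIDs and undo the isolation `auto` is meant to provide. Pick one mechanism — drop the `remap-*` lines if `userns=auto` is the goal, or dedicate a separate subuid user to `root-auto-userns-user` — and record the decision in a comment next to the setting. `mountopt = "nodev,metacopy=on"` sits under `[storage.options.overlay]` but `driver = "btrfs"` is selected, so it appears to have no effect; either switch the driver or remove the line to avoid a false sense that `nodev` is enforced. The rest of this hunk is the upstream default storage.conf; only those three settings differ, which is worth a note at the top of the file.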
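Review bot: `gpgcheck=1` with `gpgkey=` fetched over HTTPS from the same COPR host and `repo_gpgcheck=0` means package signatures are checked against whatever key the COPR serves at build time, with no metadata signing; that is the normal COPR arrangement, but the key is imported unpinned into an image that the new workflow publishes, and a key change on the COPR side would be accepted silently. Consider vendoring the public key into the repository and pointing at it with `gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-copr-yanqiyu-pythia6` (added via `add-files`), so the trusted key is reviewable in git and the build is reproducible. `skip_if_unavailable=True` is fine for a compose since the packages listed in root-pythia6.yaml will still fail resolution if the repo is down, but a comment saying so would stop someone from expecting a silent degrade.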
@@ -0,0 +1,43 @@
+repo-packages:
+ - repo: pythia6
+ packages:
+ # ROOT with pythia6
+ - root-fonts
+ - root-icons
+ - root-io
+ - root-mathmore
+ - root-graf-postscript
+ - root-graf-x11
+ - root-graf
+ - root-graf-gpad
+ - root-graf3d
+ - root-hist
+ - root-hist-painter
+ - root-matrix
+ - root-mathcore
+ - root-minuit
+ - root-multiproc
+ - root-net
+ - root-physics
+ - root-tree
+ - root-tree-ntuple
+ - root-graf-asimage
+ - root-gui
+ - root-gui-ged
+ - root-tree-player
+ - root-tree-dataframe
+ - root-vecops
+ - root-core
+ - root-cling
+ - root-montecarlo-eg
+ - root-montecarlo-pythia6
+ - root
+ - root-genvector
+ - root-geom
+ - root-netx
+ - root-smatrix
+ - pythia6
+ - pythia6-devel
+
+repos:
+ - pythia6
diff --git a/server.yaml b/server.yaml
new file mode 100644
index 0000000..d92a482
--- /dev/null
+++ b/server.yaml
@@ -0,0 +1,289 @@
+variables:
+ bootable_container: true
+ variant: "server"
+include:
+ - common.yaml
+ - root-pythia6.yaml
+
+ref: fedora/41/${basearch}/karuboniru-server
+
+repos:
+ - fedora-41
+ - fedora-41-updates
+
+packages:
+ # devel
+ - boost-devel
+ - checksec
+ - clang
+ - clang-tools-extra
+ - cmake
+ - cmake-data
+ - copr-cli
+ - eigen3-devel
+ - gcc-gdb-plugin
+ - gcc-gfortran
+ - gdb
+ - gsl-devel
+ - lhapdf-devel
+ - libXext-devel
+ - libXft-devel
+ - libXpm-devel
+ - libnsl2-devel
+ - libasan
+ - libtool
+ - libubsan
+ - liburing-devel
+ - strace
+ - log4cpp-devel
+ - ninja-build
+ - openblas-devel
+ - openssl-devel
+ - pythia8-devel
+ - rust2rpm
+ - bear
+ - perf
+ - tbb-devel
+ - git
+ - perl-Git
+ - ltrace
+ - valgrind
+ - patchutils
+
+ # system management & base functions
+ - NetworkManager
+ - NetworkManager-wifi
+ - acl
+ - attr
+ - bind-utils
+ - chrony
+ - bootc
+ - cockpit
+ - cockpit-kdump
+ - cockpit-machines
+ - cockpit-navigator
+ - cockpit-podman
+ - cockpit-selinux
+ - dhcp-client
+ - efibootmgr
+ - firewalld
+ - grub2-tools-efi
+ - grub2-tools-extra
+ - hdparm
+ - ipmitool
+ - irqbalance
+ - kernel-tools
+ - numactl
+ - nvme-cli
+ - radvd
+ - smartmontools
+ - shim-x64
+ - setserial
+ - setools-console
+ - sssd-kcm
+ - rpm-ostree
+ - sudo
+ - sudo-python-plugin
+ - usb_modeswitch
+ - usb_modeswitch-data
+ - iputils
+ - kernel
+ - kernel-modules-extra
+ - linux-firmware
+ - nss-mdns
+ - nss-altfiles
+ - openssh-server
+ - openssh-clients
+ - passwd
+ - shadow-utils
+ - selinux-policy-targeted
+ - sssd
+ - sssd-common
+
+ # useful tools
+ - which
+ - wget
+ - rsync
+ - lsof
+ - mtr
+ - pinfo
+ - compsize
+ - conntrack-tools
+ - borgbackup
+ - fpaste
+ - opensc
+ - ghostscript
+ - ghostscript-tools-fonts
+ - ghostscript-tools-printing
+ - fzf
+ - glances
+ - bat
+ - htop
+ - iotop
+ - iperf3
+ - iptraf-ng
+ - jwhois
+ - lm_sensors
+ - lsof
+ - mcelog
+ - microcode_ctl
+ - mtr
+ - net-tools
+ - nmap
+ - pandoc
+ - pciutils
+ - powertop
+ - rclone
+ - softnet-stat
+ - stress
+ - targetcli
+ - tcpdump
+ - time
+ - tmux
+ - toolbox
+ - traceroute
+ - tree
+ - udica
+ - whois
+ - unar
+ - usbutils
+ - vim-minimal
+ - waypipe
+ - whois
+ - wireguard-tools
+ - wol
+ - dnsmasq
+ - curl
+ - libcurl
+ - less
+
+ # container & VM
+ - podman-docker
+ - podman
+ - skopeo
+ - buildah
+ - qemu-kvm
+ - systemd-container
+ # fs tools/storage
+ - nfs-utils
+ - cifs-utils
+ - cifs-utils-info
+ - ntfs2btrfs
+ - samba-client
+ - samba
+ - ntfs-3g
+ - ntfsprogs
+ - exfatprogs
+ - f2fs-tools
+ - xfsprogs
+ - mdadm
+ - lvm2
+ - btrfs-progs
+ - cockpit-storaged
+
+ # other
+ - flexiblas-openblas-serial
+ - flexiblas-openblas-serial64
+ - flexiblas-openblas-threads
+ - flexiblas-openblas-threads64
+ - default-editor
+ - bash-completion
+ - bash-color-prompt
+ - langpacks-zh_CN
+ - man-pages-zh-CN
+ - man-pages
+ - man-db
+ - opensc
+ - openssh-server
+ - passwdqc
+ - perl-FindBin
+ - perl-Unicode-Normalize
+ - perl-YAML-Tiny
+ - perl-sigtrap
+ - plymouth
+ - plymouth-scripts
+ - systemd-oomd-defaults
+ - rootfiles
+ - tpm2-pkcs11
+ - tpm2-pkcs11-tools
+ - words
+ - xorg-x11-xauth
+ - zram-generator-defaults
+ - zsh
+ - distribution-gpg-keys
+ - glibc-all-langpacks
+ - plymouth-system-theme
+
+ # identity file
+ - fedora-release-identity-server
+
+ # fedora
+ - koji
+ - fedpkg
+ - copr-cli
+
+ # Valor
+ - gsl-devel
+
+exclude-packages:
+ - firefox
+ - pipewire
+ - pipewire-utils
+ - qt5-qtbase
+ - qt5-qtbase-common
+
+postprocess:
+ - |
+ set -xeuo pipefail
+ # Enable root login with simple password, to
+ # make sure user can get access after applying
+ # image
+ echo "root" | passwd --stdin root
+ mkdir -p /etc/ssh/sshd_config.d
+ echo "PasswordAuthentication no" > /etc/ssh/sshd_config.d/99-password-authentication.conf
+ # selinux modification
+ semanage fcontext -a -f a -t user_home_t -r 's0' '/media/storage(/.*)?'
+ semodule -i /etc/cils/*.cil /usr/share/udica/templates/{base_container.cil,net_container.cil}
+ rm -rf /etc/cils
+ setsebool -P nis_enabled 1
+ setsebool -P samba_enable_home_dirs 1
+ # Services
+ systemctl enable cockpit.socket
+ systemctl disable sshd
+ systemctl enable sshd.socket
+ # subuid for containers
+ echo containers:2147483647:2147483648 > /etc/subuid
+ echo containers:2147483647:2147483648 > /etc/subgid
+
+add-files:
+ [
+ ["cils/adguardhome.cil", "/etc/cils/adguardhome.cil"],
+ [
+ "cils/cloudflare_with_socket_access.cil",
+ "/etc/cils/cloudflare_with_socket_access.cil",
+ ],
+ ["cils/comiclib.cil", "/etc/cils/comiclib.cil"],
+ ["cils/container_caddy.cil", "/etc/cils/container_caddy.cil"],
+ ["cils/container_alist.cil", "/etc/cils/container_alist.cil"],
+ ["cils/container_hath.cil", "/etc/cils/container_hath.cil"],
+ [
+ "cils/container_rohome_allbind.cil",
+ "/etc/cils/container_rohome_allbind.cil",
+ ],
+ [
+ "cils/container_rwhome_allbind.cil",
+ "/etc/cils/container_rwhome_allbind.cil",
+ ],
+ ["cils/container_wireguard.cil", "/etc/cils/container_wireguard.cil"],
+ ["cils/container_jellyfin.cil", "/etc/cils/container_jellyfin.cil"],
+ ["etc/containers/containers.conf", "/etc/containers/containers.conf"],
+ ["etc/containers/storage.conf", "/etc/containers/storage.conf"],
+ [
+ "etc/containers/networks/podman.json",
+ "/etc/containers/networks/podman.json",
+ ],
+ [
+ "etc/systemd/system.conf.d/accounting.conf",
+ "/etc/systemd/system.conf.d/accounting.conf",
+ ],
+ ]
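Review bot: `echo "root" | passwd --stdin root` bakes the fixed password `root` into an image that the new workflow pushes to ghcr.io from every branch, and the same postprocess enables `cockpit.socket`, so the credential is not only usable at the console — whether the web login accepts it depends on Cockpit's `disallowed-users` default, and the caddy/cloudflare CIL profiles in this commit are explicitly allowed to `connectto` `cockpit_ws_t`. The `PasswordAuthentication no` drop-in on the next line covers SSH only, not those paths. Drop the password from the image and set it at provisioning time (bootc/ignition/kickstart or an SSH key), or at minimum force a change at first login by adding `passwd -e root` directly after it and saying so in the comment above. `setsebool -P nis_enabled 1` is a broad relaxation that lets many confined domains bind and connect arbitrary ports; a comment naming the service that needed it would let it be narrowed later. The package list also repeats `lsof`, `mtr`, `whois`, `opensc`, `openssh-server`, `copr-cli` and `gsl-devel`, which rpm-ostree tolerates but which makes the list harder to review.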