diskimage-builder/elements/rhel
Ian Wienand 672705831f Add a best-effort sudo safety check
As motivation for this; we have had two breakouts of dib in recent
memory.  One was a failure to unmount through symlinks in the core
code (I335316019ef948758392b03e91f9869102a472b9) and the other was
removing host keys on the build-system
(Ib01d71ff9415a0ae04d963f6e380aab9ac2260ce).

For the most part, dib runs unprivileged.  Bits of the core code are
hopefully well tested (modulo bugs like the first one!).  We give free
reign inside the chroot (although there is still some potential there
for adverse external affects via bind mounts).  Where we could be a
bit safer (and could have prevented at least the second of these
breakouts) is with some better checking that the "sudo" calls
*outside* the chroot at least looked sane.

This adds a basic check that we're using chroot or image paths when
calling sudo in those parts of elements that run *outside* the chroot.
Various files are updated to accomodate this check; mostly by just
ignoring it for existing code (I have not audited these calls).

Nobody is pretending this type of checking makes dib magically safe,
or removes the issues with it needing to do things as root during the
build.  But this can help find egregious errors like the key removal.

Change-Id: I161a5aea1d29dcdc7236f70d372c53246ec73749
2016-05-09 15:41:38 +10:00
..
bin Check python with flake8 instead of dib-lint 2014-11-21 09:04:52 -08:00
environment.d Revert "Correct rhel-common for rhel6" 2016-02-17 22:17:11 +00:00
finalise.d Standarise tracing for scripts 2015-02-12 10:41:32 +11:00
root.d Add a best-effort sudo safety check 2016-05-09 15:41:38 +10:00
element-deps Adds RHEL common element 2014-07-25 14:17:03 -04:00
element-provides Use provides to note an element provides an OS 2014-04-10 14:42:04 +01:00
README.rst Create docs site containing element READMEs 2015-02-10 11:45:35 -08:00

rhel

# Overrides:

## General * Downloading the Red Hat Enterprise Linux cloud image requires a valid Red Hat Network login and a subscription to Red Hat Enterprise Linux 6 Server product. * diskimage-builder does not integrate directly with RHN, so a manual download is required. Please visit https://rhn.redhat.com/rhn/software/channel/downloads/Download.do?cid=16952 to download the qcow2 file. * Set DIB_CLOUD_IMAGES to "file:///download_path" * Overriding of DIB_RELEASE is necessary when a new version of the RHEL qcow2 image is available and the default image has not yet been updated in diskimage-builder.

## Red Hat Subscription Manager (RHSM)

Certificate-based Red Hat Subscription Management (RHSM) is the default registration type.

  • Set DIB_RHSM_USER and DIB_RHSM_PASSWORD to register the system with RHSM during the image building process. This will apply the associated Red Hat Enterprise Linux Server subscription so the latest package updates can be applied. At the end of the image building process, the system will be unregistered from RHSM.
  • Set DIB_RHSM_POOL to a subscription pool if you do not want the system to use the --auto-attach feature of subscription-manager.
  • Set DIB_RHSM_REPOS to a space-separated list of Red Hat repositories to enable.

## Red Hat Network (RHN)

Set DIB_REG_TYPE=rhn for Red Hat Network (RHN classic) registration. The image building process will register the system to RHN and apply the associated Red Hat Enterprise Linux Server subscription so the latest package updates can be applied. At the end of the image building process, the system will be unregistered from RHN.

  • For RHN username/password authentication set DIB_RHSM_USER and DIB_RHSM_PASSWORD. To use a Satellite server activation key set DIB_SAT_KEY. If adding RHN channels username and password must be set.
  • When registering to Satellite set DIB_SAT_URL to the Satellite server URL and DIB_SAT_CERT_RPM_URL to the Satellite certificate.
  • Set DIB_RHN_CHANNELS to a space-separated list of RHN channels to add. Example: DIB_RHN_CHANNELS=rhel-x86_64-server-6 rhel-x86_64-server-6-rhscl-1. RHN username/password is required for this.