Re: container/container-medium-19.ks container/container-medium-20.ks container/container-minimal-19.ks container/container-minimal-20.ks
On 09/19/2013 01:18 PM, Matthew Miller wrote:
container/container-medium-19.ks |3 +++ container/container-medium-20.ks |3 +++ container/container-minimal-19.ks |2 ++ container/container-minimal-20.ks |2 ++ 4 files changed, 10 insertions(+)
New commits: commit 813cd55875feaff0e3273fb2b53dc2ed51bdf62a Author: Matthew Miller mat...@mattdm.org Date: Thu Sep 19 12:17:48 2013 -0500 remove /boot contents (created by appliance-creator, not needed)
diff --git a/container/container-medium-19.ks b/container/container-medium-19.ks index 2a311fb..2826c43 100644 --- a/container/container-medium-19.ks +++ b/container/container-medium-19.ks @@ -119,6 +119,9 @@ rm -rf /var/lib/yum/history/* yum history new || yum history new truncate -c -s 0 /var/log/yum.log +echo Removing boot, since we don't need that. +rm -rf /boot/* + echo Fixing SELinux contexts. /usr/sbin/fixfiles -R -a restore diff --git a/container/container-medium-20.ks b/container/container-medium-20.ks index 5cec913..4c9b2f5 100644 --- a/container/container-medium-20.ks +++ b/container/container-medium-20.ks @@ -119,6 +119,9 @@ rm -rf /var/lib/yum/history/* yum history new || yum history new truncate -c -s 0 /var/log/yum.log +echo Removing boot, since we don't need that. +rm -rf /boot/* + echo Fixing SELinux contexts. /usr/sbin/fixfiles -R -a restore diff --git a/container/container-minimal-19.ks b/container/container-minimal-19.ks index 2548b44..cf0d311 100644 --- a/container/container-minimal-19.ks +++ b/container/container-minimal-19.ks @@ -110,6 +110,8 @@ yum -C -y remove passwd --setopt=clean_requirements_on_remove=1 yum -C -y remove findutils --setopt=clean_requirements_on_remove=1 yum -C -y remove firewalld --setopt=clean_requirements_on_remove=1 +echo Removing boot, since we don't need that. +rm -rf /boot/* echo Cleaning old yum repodata. yum clean all diff --git a/container/container-minimal-20.ks b/container/container-minimal-20.ks index b6df5b4..653cefb 100644 
--- a/container/container-minimal-20.ks +++ b/container/container-minimal-20.ks @@ -110,6 +110,8 @@ yum -C -y remove passwd --setopt=clean_requirements_on_remove=1 yum -C -y remove findutils --setopt=clean_requirements_on_remove=1 yum -C -y remove firewalld --setopt=clean_requirements_on_remove=1 +echo Removing boot, since we don't need that. +rm -rf /boot/* echo Cleaning old yum repodata. yum clean all
___ cloud mailing list cloud@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/cloud Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct

In a container image, you do not need to install selinux-policy*, since SELinux policy is not supported within the container. From the container's point of view SELinux is disabled. Because of this you can probably also eliminate policycoreutils, although other packages might suck it back in.
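Review bot: `rm -rf /boot/*` in all four hunks deletes files behind rpm's back, so if a kernel package is still installed in the image the rpm database keeps listing those files and `rpm -V kernel` in the finished container reports them missing; either remove the package too, with the same `yum -C -y remove ... --setopt=clean_requirements_on_remove=1` pattern the minimal kickstarts already use, or say in the `echo` line that the files are intentionally stripped (the commit message's "created by appliance-creator, not needed" is the reason worth repeating there). Also a style point: the container-minimal-19/20 hunks have no blank line between `+rm -rf /boot/*` and `echo Cleaning old yum repodata.`, while the container-medium hunks keep one before `echo Fixing SELinux contexts.`; the four insertions should match.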
Re: container/container-medium-19.ks container/container-medium-20.ks container/container-minimal-19.ks container/container-minimal-20.ks
On Thu, Sep 19, 2013 at 02:11:05PM -0400, Daniel J Walsh wrote:
> In a container image, you do not need to install selinux-policy*, since SELinux policy is not supported within the container. From the container's point of view SELinux is disabled. Because of this you can probably also eliminate policycoreutils, although other packages might suck it back in.

Yeah, the medium container is kind of a work-in-progress on this front. I thought I put selinux-policy on the minus list of packages -- I'll take a look at what's pulling it in.

I'm really interested in your thoughts on how SELinux might work in this brave new world. :)

-- 
Matthew Miller ☁☁☁ Fedora Cloud Architect ☁☁☁ mat...@fedoraproject.org
Re: container/container-medium-19.ks container/container-medium-20.ks container/container-minimal-19.ks container/container-minimal-20.ks
On 09/19/2013 03:10 PM, Matthew Miller wrote:
> On Thu, Sep 19, 2013 at 02:11:05PM -0400, Daniel J Walsh wrote:
>> In a container image, you do not need to install selinux-policy*, since SELinux policy is not supported within the container. From the container's point of view SELinux is disabled. Because of this you can probably also eliminate policycoreutils, although other packages might suck it back in.
>
> Yeah, the medium container is kind of a work-in-progress on this front. I thought I put selinux-policy on the minus list of packages -- I'll take a look at what's pulling it in.
>
> I'm really interested in your thoughts on how SELinux might work in this brave new world. :)

Well, in its simplest form it would be used to stop one container from messing with another container using MCS separation. virt-sandbox does this now, as well as OpenShift and the SELinux sandbox tool.

Basically you run all processes within the container with a single type, container_t, and all the writable content is container_file_t. Then you use a unique MCS label for each container and its content: container_t:mcs1 can not touch container_t:mcs2.

We can also define constraints outside the container, like what ports the container is allowed to use, or what capabilities are available, whether it can mount, mknod ...

We can also do transitions within the container. For example, the container runs as container_setup_t and then executes myapp_exec_t; it will transition to container_t. But the whole time nothing within the container knows about SELinux.
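The separation scheme Dan describes (one process type, one writable file type, a distinct MCS category pair per container) can be modelled in a few dozen lines. The following is an added example written for this page, not code from the Fedora kickstarts, virt-sandbox, OpenShift or the SELinux policy itself. It assumes the type pairing container_t -> container_file_t from the mail and applies the standard MCS dominance rule (the subject must hold every category the object carries) uniformly to all accesses, where the real policy has per-object-class constraints; the sample contexts and the "uncategorised shared volume" edge case are constructed.

```python
"""Toy model of MCS container separation: processes run as container_t,
writable content is container_file_t, and each container gets its own MCS
category pair.  Added example, not code from Fedora, virt-sandbox or
OpenShift.  Assumptions: the container_t -> container_file_t pairing, and a
single dominance rule for all accesses (the real policy is per object class)."""
import random
import re
from dataclasses import dataclass

MAX_CATEGORY = 1023  # SELinux MCS ships categories c0 .. c1023


@dataclass(frozen=True)
class Context:
    user: str
    role: str
    type_: str
    sensitivity: str
    categories: frozenset

    @classmethod
    def parse(cls, ctx: str) -> "Context":
        """Parse 'user:role:type:s0' or 'user:role:type:s0:c1,c5.c7' (ranges expanded)."""
        parts = ctx.split(":")
        if len(parts) not in (4, 5):
            raise ValueError(f"malformed context: {ctx!r}")
        user, role, type_, sens = parts[:4]
        cats = set()
        if len(parts) == 5 and parts[4]:
            for piece in parts[4].split(","):
                m = re.fullmatch(r"c(\d+)(?:\.c(\d+))?", piece)
                if not m:
                    raise ValueError(f"bad category {piece!r} in {ctx!r}")
                lo = int(m.group(1))
                hi = int(m.group(2)) if m.group(2) else lo
                if not 0 <= lo <= hi <= MAX_CATEGORY:
                    raise ValueError(f"category out of range in {ctx!r}")
                cats.update(range(lo, hi + 1))
        return cls(user, role, type_, sens, frozenset(cats))


# Type-enforcement half of the scheme (assumed from the mail): which object
# types a process type may touch at all.
ALLOWED_TYPES = {"container_t": {"container_file_t"}}


def dominates(subject: Context, obj: Context) -> bool:
    """MCS dominance: same sensitivity and the subject holds every category of the object."""
    return subject.sensitivity == obj.sensitivity and obj.categories <= subject.categories


def can_access(process: Context, obj: Context) -> bool:
    """Type enforcement is checked first, then the MCS constraint.  Both must pass."""
    if obj.type_ not in ALLOWED_TYPES.get(process.type_, set()):
        return False
    return dominates(process, obj)


def new_container_level(rng=random) -> str:
    """Pick a fresh level 's0:c<lo>,c<hi>' from two distinct random categories,
    the way the sandbox tools hand one out per container."""
    lo, hi = sorted(rng.sample(range(MAX_CATEGORY + 1), 2))
    return f"s0:c{lo},c{hi}"


def demo() -> dict:
    """Two containers with different category pairs and a few constructed objects;
    returns which accesses the model permits."""
    proc1 = Context.parse("system_u:system_r:container_t:s0:c1,c2")
    proc2 = Context.parse("system_u:system_r:container_t:s0:c3,c4")
    files1 = Context.parse("system_u:object_r:container_file_t:s0:c1,c2")
    files2 = Context.parse("system_u:object_r:container_file_t:s0:c3,c4")
    host_etc = Context.parse("system_u:object_r:etc_t:s0")
    # Edge case: a volume relabelled container_file_t but given no categories.
    # Every container dominates an empty category set, so all of them can use it.
    shared = Context.parse("system_u:object_r:container_file_t:s0")
    return {
        "own_files": can_access(proc1, files1),          # True
        "other_container": can_access(proc1, files2),    # False: c3,c4 not held
        "other_direction": can_access(proc2, files1),    # False: c1,c2 not held
        "host_etc": can_access(proc1, host_etc),         # False: type enforcement
        "uncategorised_volume": can_access(proc1, shared) and can_access(proc2, shared),  # True
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:22s} {'allowed' if ok else 'denied'}")
    print("fresh level for a new container:", new_container_level())
```

The last case in `demo()` is the one to remember when relabelling bind mounts: a container_file_t path with no categories is reachable from every container on the host, so the per-container category pair has to be applied to the content as well as to the processes, exactly as the mail says ("each container and its content").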