From 5c4043f5d200e18bdf74ae66939ec1aba7765691 Mon Sep 17 00:00:00 2001
From: Andrew Grimberg
Date: Fri, 7 Nov 2014 14:57:55 -0800
Subject: [PATCH] Handle base images that have selinux disabled

The CentOS 6 base image has selinux set to disabled. Because of this, it requires a stepping through permissive with a relabel during a reboot. Unfortunately you can't have the scripts issue the reboot without vagrant getting annoyed.

Change-Id: Ia46348162df9dc5deabf3a6d1907ca54cbd97b33
Signed-off-by: Andrew Grimberg
---
 vagrant/rackspace-convert-base/Vagrantfile | 6 ++---
 vagrant/rackspace-convert-base/bootstrap.sh | 24 ++++++++++++++-----
 .../remove_requiretty.sh | 5 +++-
 .../rackspace-convert-base/system_reseal.sh | 11 +++++++++
 4 files changed, 36 insertions(+), 10 deletions(-)

diff --git a/vagrant/rackspace-convert-base/Vagrantfile b/vagrant/rackspace-convert-base/Vagrantfile
index 9581545ae..f9da867dd 100644
--- a/vagrant/rackspace-convert-base/Vagrantfile
+++ b/vagrant/rackspace-convert-base/Vagrantfile
@@ -49,13 +49,13 @@ Vagrant.configure(VAGRANTFILE_API_VERSION) do |config|
 end
 end
- # disable the default requiretty for sudo that Fedora and CentOS have
- config.vm.provision 'shell', path: 'remove_requiretty.sh'
-
 # Do a full system update and force enforcing on (it's in permissive
 # by default in the rackspace base images)
 config.vm.provision 'shell', path: 'bootstrap.sh'
+ # disable the default requiretty for sudo that Fedora and CentOS have
+ config.vm.provision 'shell', path: 'remove_requiretty.sh'
+
 # Execute a system clean-up in prep for imaging so that this base
 # image can be used for other Rackspace Vagrant configurations
 config.vm.provision 'shell', path: 'system_reseal.sh'
diff --git a/vagrant/rackspace-convert-base/bootstrap.sh b/vagrant/rackspace-convert-base/bootstrap.sh
index 76c3d685d..7590f33c9 100644
--- a/vagrant/rackspace-convert-base/bootstrap.sh
+++ b/vagrant/rackspace-convert-base/bootstrap.sh
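Review bot: The comment kept above the `bootstrap.sh` provisioner still says the base images are permissive by default, which no longer covers the disabled case this commit handles. On a disabled image the first run only moves the config to permissive and flags a relabel, and `system_reseal.sh` then exits non-zero until the box is restarted and provisioned again. I would reword it along the lines of `# Update the system and move SELinux towards enforcing; an image with SELinux disabled needs a restart and a second provisioning run`. A one-line comment on why `remove_requiretty.sh` now runs after `bootstrap.sh` would also help, since the reason is not visible in the hunk; the `Vagrant.configure` block itself starts and ends outside it.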
@@ -1,10 +1,22 @@
 #!/bin/bash
-# enable enforcing mode from the very start
-setenforce enforcing
+# vim: ts=4 sw=4 sts=4 et :
-# configure system for enforcing mode on next boot
-sed -i 's/SELINUX=permissive/SELINUX=enforcing/' /etc/selinux/config
+# Handle the occurance where SELINUX is actually disabled
+if [ `grep SELINUX=permissive /etc/selinux/config` ]; then
+ # enable enforcing mode from the very start
+ setenforce enforcing
-yum clean all
-yum update -y
+ # configure system for enforcing mode on next boot
+ sed -i 's/SELINUX=permissive/SELINUX=enforcing/' /etc/selinux/config
+else
+ sed -i 's/SELINUX=disabled/SELINUX=permissive/' /etc/selinux/config
+ touch /.autorelabel
+
+ echo "*******************************************"
+ echo "** SYSTEM REQUIRES A RESTART FOR SELINUX **"
+ echo "*******************************************"
+fi
+
+yum clean all -q
+yum update -y -q
diff --git a/vagrant/rackspace-convert-base/remove_requiretty.sh b/vagrant/rackspace-convert-base/remove_requiretty.sh
index a624cac14..d6544a60a 100644
--- a/vagrant/rackspace-convert-base/remove_requiretty.sh
+++ b/vagrant/rackspace-convert-base/remove_requiretty.sh
@@ -1,2 +1,5 @@
 #!/bin/bash
-/bin/sed -i 's/requiretty/!requiretty/' /etc/sudoers;
+
+# Make sure we have the leading space so multiple runs
+# are idempotent
+/bin/sed -i 's/ requiretty/ !requiretty/' /etc/sudoers;
diff --git a/vagrant/rackspace-convert-base/system_reseal.sh b/vagrant/rackspace-convert-base/system_reseal.sh
index ba54ce2f1..95811fa78 100644
--- a/vagrant/rackspace-convert-base/system_reseal.sh
+++ b/vagrant/rackspace-convert-base/system_reseal.sh
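Review bot: The `else` branch in bootstrap.sh runs for every config that is not permissive, so an image that is already `SELINUX=enforcing` (including one this script converted on an earlier pass) gets `/.autorelabel` touched again and `system_reseal.sh` then refuses to run on each later provisioning pass. Testing for the disabled state explicitly avoids that: `elif grep -q '^SELINUX=disabled' /etc/selinux/config; then`. The unquoted backtick substitution inside `[ ]` is also fragile, because a grep result of more than one word (for example a commented line that mentions the setting) makes `[` fail and drops a permissive system into the `else` branch. `if grep -q '^SELINUX=permissive' /etc/selinux/config; then` tests the exit status instead and anchors the match to the active setting.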
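Review bot: The new pattern in remove_requiretty.sh, as shown here, only matches when a literal space precedes `requiretty`, so a sudoers line that separates `Defaults` from the option with a tab is left unchanged while the script still exits 0. Matching any whitespace keeps the idempotence the comment asks for: `/bin/sed -i 's/\([[:space:]]\)requiretty/\1!requiretty/' /etc/sudoers`. Because this edits `/etc/sudoers` in place, following it with `visudo -cf /etc/sudoers` would make a syntax error fail provisioning instead of being baked into the image.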
@@ -1,5 +1,16 @@
 #!/bin/bash
+# vim: sw=2 ts=2 sts=2 et :
+
+if [ -f /.autorelabel ]; then
+ echo "**********************************************"
+ echo "* SYSTEM REQUIRES RELABELING SKIPPING RESEAL *"
+ echo "* PLEASE RESTART SYSTEM AND RERUN *"
+ echo "* PROVISIONING SCRIPTS *"
+ echo "**********************************************"
+ exit 1;
+fi
+
 # clean-up from any prior cloud-init networking
 rm -rf /etc/sysconfig/network-scripts/{ifcfg,route}-eth*
--
2.36.6
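Review bot: The guard keys only on `/.autorelabel`, so the reseal proceeds whenever that file is absent, whatever mode SELinux is actually running in. Checking the live mode as well, e.g. `if [ -f /.autorelabel ] || [ "$(getenforce)" != "Enforcing" ]; then`, would stop an image from being sealed in permissive or disabled state if the restart happened but `bootstrap.sh` did not bring it to enforcing. The banner would need a line for that second case, and it is better sent to stderr with `>&2` since the script exits non-zero. The rest of the script continues outside the hunk.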