Make /usr readonly to support OSTree

OSTree structure requires /usr to be readonly as OSTree's dracut
hook creates a read-only bind mount over /usr.

1. deploy validate_postgresql_connection.sh directly to
   /usr/local/bin. It was copied to the location after
   installation.
2. move /usr/local/etc/ldapscripts to /etc/ldapscripts, files
   need writable.
3. move /usr/libexec/cni to /opt/cni/bin. Plugins are installed
   at runtime.

TCs:
   provision aio-dx centos with /usr mount to readonly fs.
   unlocked host
   provision aio-sx debian and unlocked host.
   upgrade AIO-DX from 21.12
   upgrade AIO-SX from 21.12
   successfully apply cert-manager and nginx-ingress-controller

Story: 2009101
Task: 44314

Change-Id: I99231f3f7db3d2d8eaceba137e13dea650370f71
Signed-off-by: Bin Qian <bin.qian@windriver.com>
This commit is contained in:
Bin Qian 2022-01-10 12:09:52 -05:00
parent c55c77ee88
commit 54f2f7d6c6
10 changed files with 160 additions and 22 deletions

View File

@ -29,6 +29,8 @@ Requires: puppet-concat
%description %description
A Puppet module for managing PostgreSQL databases A Puppet module for managing PostgreSQL databases
%define local_bindir /usr/local/bin
%prep %prep
%setup -n %{prefix}-%{module_dir} %setup -n %{prefix}-%{module_dir}
%patch0001 -p1 %patch0001 -p1
@ -45,8 +47,10 @@ find . \( -name spec -o -name ext \) | xargs rm -rf
rm -rf %{buildroot} rm -rf %{buildroot}
install -d -m 0755 %{buildroot}/%{_datadir}/puppet/modules/%{module_dir} install -d -m 0755 %{buildroot}/%{_datadir}/puppet/modules/%{module_dir}
cp -rp * %{buildroot}/%{_datadir}/puppet/modules/%{module_dir}/ cp -rp * %{buildroot}/%{_datadir}/puppet/modules/%{module_dir}/
install -d -m 0755 %{buildroot}%{local_bindir}/
install -p -D -m 755 files/validate_postgresql_connection.sh %{buildroot}%{local_bindir}/
%files %files
%license %{_datadir}/puppet/modules/%{module_dir}/LICENSE %license %{_datadir}/puppet/modules/%{module_dir}/LICENSE
%{_datadir}/puppet/modules/%{module_dir} %{_datadir}/puppet/modules/%{module_dir}
%{local_bindir}/validate_postgresql_connection.sh

View File

@ -77,8 +77,8 @@ for d in $PLUGINS; do
done done
%install %install
install -d -p %{buildroot}%{_libexecdir}/cni/ install -d -p %{buildroot}/opt/cni/bin
install -p -m 0755 bin/* %{buildroot}/%{_libexecdir}/cni install -p -m 0755 bin/* %{buildroot}/opt/cni/bin
%check %check
%if 0%{?with_check} %if 0%{?with_check}
@ -119,8 +119,8 @@ install -p -m 0755 bin/* %{buildroot}/%{_libexecdir}/cni
%files %files
%license LICENSE %license LICENSE
%doc *.md %doc *.md
%dir %{_libexecdir}/cni %dir /opt/cni/bin
%{_libexecdir}/cni/* /opt/cni/bin/*
%changelog %changelog
* Thu Feb 17 2022 Steven Webster <steven.webster@windriver.com> - 1.0.1 * Thu Feb 17 2022 Steven Webster <steven.webster@windriver.com> - 1.0.1

View File

@ -1 +1 @@
usr/bin/* usr/libexec/cni/ usr/bin/* opt/cni/bin

View File

@ -20,6 +20,7 @@ Patch1: sudo-delete-support.patch
Patch2: log_timestamp.patch Patch2: log_timestamp.patch
Patch3: ldap-user-setup-support.patch Patch3: ldap-user-setup-support.patch
Patch4: allow-anonymous-bind-for-ldap-search.patch Patch4: allow-anonymous-bind-for-ldap-search.patch
Patch5: install-ldapscripts-files-to-etc.patch
%define debug_package %{nil} %define debug_package %{nil}
@ -36,6 +37,7 @@ Shell scripts that allow to manage POSIX accounts (users, groups, machines) in a
%patch2 -p1 %patch2 -p1
%patch3 -p1 %patch3 -p1
%patch4 -p1 %patch4 -p1
%patch5 -p1
%build %build
@ -46,21 +48,22 @@ rm -Rf %{buildroot}/usr/local/man
rm -f %{buildroot}/usr/local/sbin/*machine* rm -f %{buildroot}/usr/local/sbin/*machine*
rm -f %{buildroot}/usr/local/etc/ldapscripts/ldapaddmachine.template.sample rm -f %{buildroot}/usr/local/etc/ldapscripts/ldapaddmachine.template.sample
install -d %{buildroot}/usr/local/etc/ install -d %{buildroot}/usr/local/etc/
install -m 644 %{SOURCE1} %{buildroot}/usr/local/etc/ldapscripts/ldapscripts.conf install -d %{buildroot}/etc/ldapscripts/
install -m 644 %{SOURCE2} %{buildroot}/usr/local/etc/ldapscripts/ldapadduser.template.cgcs install -m 644 %{SOURCE1} %{buildroot}/etc/ldapscripts/ldapscripts.conf
install -m 644 %{SOURCE3} %{buildroot}/usr/local/etc/ldapscripts/ldapaddgroup.template.cgcs install -m 644 %{SOURCE2} %{buildroot}/etc/ldapscripts/ldapadduser.template.cgcs
install -m 644 %{SOURCE4} %{buildroot}/usr/local/etc/ldapscripts/ldapmoduser.template.cgcs install -m 644 %{SOURCE3} %{buildroot}/etc/ldapscripts/ldapaddgroup.template.cgcs
install -m 644 %{SOURCE5} %{buildroot}/usr/local/etc/ldapscripts/ldapaddsudo.template.cgcs install -m 644 %{SOURCE4} %{buildroot}/etc/ldapscripts/ldapmoduser.template.cgcs
install -m 644 %{SOURCE6} %{buildroot}/usr/local/etc/ldapscripts/ldapmodsudo.template.cgcs install -m 644 %{SOURCE5} %{buildroot}/etc/ldapscripts/ldapaddsudo.template.cgcs
install -m 600 %{SOURCE7} %{buildroot}/usr/local/etc/ldapscripts/ldapscripts.passwd install -m 644 %{SOURCE6} %{buildroot}/etc/ldapscripts/ldapmodsudo.template.cgcs
install -m 600 %{SOURCE7} %{buildroot}/etc/ldapscripts/ldapscripts.passwd
%files %files
%defattr(-,root,root,-) %defattr(-,root,root,-)
%dir /usr/local/etc/ldapscripts/ %dir /etc/ldapscripts/
%dir /usr/local/lib/ldapscripts/ %dir /usr/local/lib/ldapscripts/
/usr/local/sbin/* /usr/local/sbin/*
%config(noreplace) /usr/local/etc/ldapscripts/ldapscripts.passwd %config(noreplace) /etc/ldapscripts/ldapscripts.passwd
/usr/local/etc/ldapscripts/* /etc/ldapscripts/*
/usr/local/lib/ldapscripts/* /usr/local/lib/ldapscripts/*

View File

@ -0,0 +1,53 @@
From c3f8f0bae32fb59eb9f7e4be7b88e9e8931a9711 Mon Sep 17 00:00:00 2001
From: Bin Qian <bin.qian@windriver.com>
Date: Wed, 27 Apr 2022 22:08:59 +0000
Subject: [PATCH] install ldapscripts files to /etc
Install ldapscripts files to /etc where they originally deployed to.
As /usr needs to be readonly to support OSTree
Signed-off-by: Bin Qian <bin.qian@windriver.com>
---
debian/rules | 22 +++++++++++-----------
1 file changed, 11 insertions(+), 11 deletions(-)
diff --git a/debian/rules b/debian/rules
index cad1a0f..1388e4c 100755
--- a/debian/rules
+++ b/debian/rules
@@ -9,14 +9,14 @@ override_dh_auto_install:
$(MAKE) install DESTDIR=debian/ldapscripts PREFIX=/usr ETCDIR=/etc/ldapscripts LIBDIR=/usr/share/ldapscripts MANDIR=/usr/share/man
cp debian/runtime.debian debian/ldapscripts/usr/share/ldapscripts
rm debian/ldapscripts/etc/ldapscripts/*.sample
- $(MAKE) install DESTDIR=debian/ldapscripts PREFIX=/usr ETCDIR=/usr/local/etc/ldapscripts
- install -m 644 ldapscripts.conf.cgcs debian/ldapscripts/usr/local/etc/ldapscripts
- install -m 644 ldapadduser.template.cgcs debian/ldapscripts/usr/local/etc/ldapscripts
- install -m 644 ldapaddgroup.template.cgcs debian/ldapscripts/usr/local/etc/ldapscripts
- install -m 644 ldapmoduser.template.cgcs debian/ldapscripts/usr/local/etc/ldapscripts
- install -m 644 ldapaddsudo.template.cgcs debian/ldapscripts/usr/local/etc/ldapscripts
- install -m 644 ldapmodsudo.template.cgcs debian/ldapscripts/usr/local/etc/ldapscripts
- install -m 600 ldapscripts.passwd debian/ldapscripts/usr/local/etc/ldapscripts
+ $(MAKE) install DESTDIR=debian/ldapscripts PREFIX=/usr ETCDIR=/etc/ldapscripts
+ install -m 644 ldapscripts.conf.cgcs debian/ldapscripts/etc/ldapscripts
+ install -m 644 ldapadduser.template.cgcs debian/ldapscripts/etc/ldapscripts
+ install -m 644 ldapaddgroup.template.cgcs debian/ldapscripts/etc/ldapscripts
+ install -m 644 ldapmoduser.template.cgcs debian/ldapscripts//etc/ldapscripts
+ install -m 644 ldapaddsudo.template.cgcs debian/ldapscripts/etc/ldapscripts
+ install -m 644 ldapmodsudo.template.cgcs debian/ldapscripts/etc/ldapscripts
+ install -m 600 ldapscripts.passwd debian/ldapscripts/etc/ldapscripts
rm -rf ./debian/ldapscripts/usr/local/etc/ldapscripts/ldapaddmachine.template.sample
override_dh_installdocs:
@@ -31,6 +31,6 @@ override_dh_installexamples:
override_dh_fixperms:
dh_fixperms --exclude etc/ldapscripts/ldapscripts.passwd
chmod 440 ./debian/ldapscripts/usr/lib/ldapscripts/runtime
- chmod 440 ./debian/ldapscripts/usr/local/etc/ldapscripts/ldapaddgroup.template.sample
- chmod 440 ./debian/ldapscripts/usr/local/etc/ldapscripts/ldapadduser.template.sample
- chmod 440 ./debian/ldapscripts/usr/local/etc/ldapscripts/ldapscripts.conf.sample
+ chmod 440 ./debian/ldapscripts/etc/ldapscripts/ldapaddgroup.template.sample
+ chmod 440 ./debian/ldapscripts/etc/ldapscripts/ldapadduser.template.sample
+ chmod 440 ./debian/ldapscripts/etc/ldapscripts/ldapscripts.conf.sample
--
2.30.2

View File

@ -1,2 +1,3 @@
debian-install-cgcs-files.patch debian-install-cgcs-files.patch
debian-align-permission-with-centos.patch debian-align-permission-with-centos.patch
install-ldapscripts-files-to-etc.patch

View File

@ -0,0 +1,38 @@
From afac530d7bd2754980d519e479777b918db18cd0 Mon Sep 17 00:00:00 2001
From: Bin Qian <bin.qian@windriver.com>
Date: Wed, 27 Apr 2022 22:06:27 +0000
Subject: [PATCH] install ldapscripts files to /etc
Deploy ldapscripts config files to /etc/ldapscripts as it was done
originally. We no longer need to use sed to modify the path.
Signed-off-by: Bin Qian <bin.qian@windriver.com>
---
Makefile | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/Makefile b/Makefile
index d490f9e..ba1d93e 100644
--- a/Makefile
+++ b/Makefile
@@ -30,7 +30,7 @@ VERSION = 2.0.8
# Default installation paths
SBINDIR = $(PREFIX)/sbin
MANDIR = $(PREFIX)/man
-ETCDIR = $(PREFIX)/etc/$(NAME)
+ETCDIR = /etc/$(NAME)
LIBDIR = $(PREFIX)/lib/$(NAME)
# Files to install
@@ -84,7 +84,7 @@ help:
configure:
@echo -n 'Configuring scripts... '
@sed 's|^BINDPWDFILE=.*|BINDPWDFILE="$(ETCDIR)/$(PWDFILE)"|g' 'etc/$(ETCFILE)' > 'etc/$(ETCFILE).patched'
- @sed '/^_CONFIGFILE=/s|^\(.*"\).*\(".*\)|\1$(ETCDIR)/$(ETCFILE)\2|g' 'lib/$(RUNFILE)' > 'lib/$(RUNFILE).patched'
+ @cp 'lib/$(RUNFILE)' 'lib/$(RUNFILE).patched'
@for i in $(SBINFILES) ; do \
sed 's|^_RUNTIMEFILE=.*|_RUNTIMEFILE="$(LIBDIR)/$(RUNFILE)"|g' "sbin/$$i" > "sbin/$$i.patched" ; \
done
--
2.30.2

View File

@ -4,3 +4,4 @@ log_timestamp.patch
ldap-user-setup-support.patch ldap-user-setup-support.patch
allow-anonymous-bind-for-ldap-search.patch allow-anonymous-bind-for-ldap-search.patch
ldapscripts-templates.patch ldapscripts-templates.patch
install-ldapscripts-files-to-etc.patch

View File

@ -0,0 +1,38 @@
From ff3f64dadeb81a9224acaf62ce564d940f582d7c Mon Sep 17 00:00:00 2001
From: Bin Qian <bin.qian@windriver.com>
Date: Fri, 29 Apr 2022 10:54:08 -0400
Subject: [PATCH] install ldapscripts files to /etc
Deploy ldapscripts config files to /etc/ldapscripts as it was done
originally. We no longer need to use sed to modify the path.
Signed-off-by: Bin Qian <bin.qian@windriver.com>
---
Makefile | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/Makefile b/Makefile
index 6e5b193..7585602 100644
--- a/Makefile
+++ b/Makefile
@@ -30,7 +30,7 @@ VERSION = 2.0.8
# Default installation paths
SBINDIR = $(PREFIX)/sbin
MANDIR = $(PREFIX)/man
-ETCDIR = $(PREFIX)/etc/$(NAME)
+ETCDIR = /etc/$(NAME)
LIBDIR = $(PREFIX)/lib/$(NAME)
# Files to install
@@ -85,7 +85,7 @@ help:
configure:
@echo -n 'Configuring scripts... '
@sed 's|^BINDPWDFILE=.*|BINDPWDFILE="$(ETCDIR)/$(PWDFILE)"|g' 'etc/$(ETCFILE)' > 'etc/$(ETCFILE).patched'
- @sed '/^_CONFIGFILE=/s|^\(.*"\).*\(".*\)|\1$(ETCDIR)/$(ETCFILE)\2|g' 'lib/$(RUNFILE)' > 'lib/$(RUNFILE).patched'
+ @cp 'lib/$(RUNFILE)' 'lib/$(RUNFILE).patched'
@for i in $(SBINFILES) ; do \
sed 's|^_RUNTIMEFILE=.*|_RUNTIMEFILE="$(LIBDIR)/$(RUNFILE)"|g' "sbin/$$i" > "sbin/$$i.patched" ; \
done
--
2.29.2

View File

@ -37,7 +37,7 @@ BINDDN="cn=ldapadmin,dc=cgcs,dc=local"
# The following file contains the raw password of the BINDDN # The following file contains the raw password of the BINDDN
# Create it with something like : echo -n 'secret' > $BINDPWDFILE # Create it with something like : echo -n 'secret' > $BINDPWDFILE
# WARNING !!!! Be careful not to make this file world-readable # WARNING !!!! Be careful not to make this file world-readable
BINDPWDFILE="/usr/local/etc/ldapscripts/ldapscripts.passwd" BINDPWDFILE="/etc/ldapscripts/ldapscripts.passwd"
# For older versions of OpenLDAP, it is still possible to use # For older versions of OpenLDAP, it is still possible to use
# unsecure command-line passwords by defining the following option # unsecure command-line passwords by defining the following option
# AND commenting the previous one (BINDPWDFILE takes precedence) # AND commenting the previous one (BINDPWDFILE takes precedence)
@ -144,9 +144,9 @@ GETENTGRCMD="getent group"
#GTEMPLATE="/path/to/ldapaddgroup.template" #GTEMPLATE="/path/to/ldapaddgroup.template"
#UTEMPLATE="/path/to/ldapadduser.template" #UTEMPLATE="/path/to/ldapadduser.template"
#MTEMPLATE="/path/to/ldapaddmachine.template" #MTEMPLATE="/path/to/ldapaddmachine.template"
GTEMPLATE="/usr/local/etc/ldapscripts/ldapaddgroup.template.cgcs" GTEMPLATE="/etc/ldapscripts/ldapaddgroup.template.cgcs"
UTEMPLATE="/usr/local/etc/ldapscripts/ldapadduser.template.cgcs" UTEMPLATE="/etc/ldapscripts/ldapadduser.template.cgcs"
UMTEMPLATE="/usr/local/etc/ldapscripts/ldapmoduser.template.cgcs" UMTEMPLATE="/etc/ldapscripts/ldapmoduser.template.cgcs"
STEMPLATE="/usr/local/etc/ldapscripts/ldapaddsudo.template.cgcs" STEMPLATE="/etc/ldapscripts/ldapaddsudo.template.cgcs"
SMTEMPLATE="/usr/local/etc/ldapscripts/ldapmodsudo.template.cgcs" SMTEMPLATE="/etc/ldapscripts/ldapmodsudo.template.cgcs"
MTEMPLATE="" MTEMPLATE=""