9b5148e3b5
Whenever a dev node that is not in use is opened with open(O_RDWR)
udev triggers a flush in devtmpfs that briefly removes & recreates all
the nodes for partitions on that device. This causes commands
accessing dev nodes during the flush to fail. In our case blkid and
lsblk failed.
These failures are hard to reproduce, have a devastating effect on
the partitioning operations and are not solved by using 'udevadm settle'
as some of the kernel events are asynchronous.
So, mainly, this commit stops udev from messing with /dev nodes by
initializing file descriptors for all storage devices then opening
locks on them with flock. Setting locks stops udev triggering kernel
partition rescan.
Locks are set at the start of the partitioning operation and
released at the end.
For more details and similar cases see:
o 02ba8fb335
o http://tracker.ceph.com/issues/14080
o http://tracker.ceph.com/issues/15176
This commit:
o stops udev messing with /dev nodes;
o aborts install on critical failures;
o adds retry for critical operations such as LVM cleanup or
partition removal and creation.
Closes-Bug: 1888938
Change-Id: Iaaaaaae973ee36f2c4bfd42c327e8c6278d59303
Signed-off-by: Ovidiu Poncea <ovidiu.poncea@windriver.com>
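The flock approach the commit message describes, as an added shell example that is not the commit's own ks-functions.sh code: one function holds an exclusive flock(2) on the device node for the whole partitioning step, one retries a critical command, and a third runs the same non-blocking probe udev uses so the lock's effect can be checked. The function names, the fixed fd 9 and the $DEV placeholder are assumptions; udev skipping events on a node it cannot lock with LOCK_EX|LOCK_NB is documented systemd behaviour, not something shown on this page.

```shell
#!/bin/sh
# Added example, not code from the commit: serialize partitioning against
# udev by holding an exclusive flock(2) on the device node, and retry the
# critical steps. Function names and fd 9 are assumptions of this example.

# Run "$@" up to $1 times, $2 seconds apart, returning the last exit status
# so a caller under 'set -e' or %post --erroronfail aborts on persistent failure.
retry() {
    retry_max=$1; retry_delay=$2; shift 2
    retry_n=1
    while :; do
        "$@" && return 0
        retry_rc=$?
        if [ "$retry_n" -ge "$retry_max" ]; then
            echo "ERROR: '$*' failed after $retry_n attempt(s), rc=$retry_rc" >&2
            return "$retry_rc"
        fi
        echo "WARNING: '$*' failed (rc=$retry_rc), retry $retry_n/$retry_max" >&2
        retry_n=$((retry_n + 1))
        sleep "$retry_delay"
    done
}

# Open $1 read-write on fd 9, take an exclusive flock on it, run the rest of
# the arguments, then unlock and close. systemd-udevd tries LOCK_EX|LOCK_NB on
# a block device before processing its events and skips them while the lock
# is held, so no partition-table rescan fires in the middle of the operation.
with_device_lock() {
    lock_dev=$1; shift
    [ -e "$lock_dev" ] || { echo "ERROR: $lock_dev does not exist" >&2; return 1; }
    exec 9<>"$lock_dev"
    flock -x 9 || { exec 9>&-; return 1; }
    "$@"
    lock_rc=$?
    flock -u 9
    exec 9>&-
    return "$lock_rc"
}

# The probe udev itself performs: a non-blocking LOCK_EX from a separate open.
# Returns 0 when the node is locked (udev would skip the event), 1 otherwise.
device_is_locked() {
    ! flock -x -n "$1" true
}

# Usage in a partitioning step (DEV is a placeholder for the target disk);
# the lock is taken before the first change and dropped after the last:
#   with_device_lock "$DEV" retry 3 2 sgdisk --zap-all "$DEV"
```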
118 lines
3.5 KiB
INI
%post --nochroot --erroronfail

# Source common functions
. /tmp/ks-functions.sh

# Change GUID of backup partition
change_guid=/tmp/backup-guid-change.sh
if [ -f "$change_guid" ]; then
    sh "$change_guid" || report_post_failure_with_logfile "ERROR: Failed to update platform backup GUID"
fi

%end

%post --erroronfail

# Source common functions
. /tmp/ks-functions.sh

# Turn off locale support for i18n if it is not installed
if [ ! -d /usr/share/i18n ] ; then
    rm -f /etc/sysconfig/i18n
fi
# Unset the hostname
rm /etc/hostname

# If using a serial install make sure to add a getty on the tty1
conarg=$(cat /proc/cmdline | xargs -n1 echo | grep console= | grep ttyS)
if [ -n "$conarg" ] ; then
    echo "1:2345:respawn:/sbin/mingetty tty1" >> /etc/inittab
fi

#### SECURITY PROFILE HANDLING (Post Installation) ####
# Check if the Security profile mode is enabled
# and load the appropriate kernel modules
secprofile=$(cat /proc/cmdline | xargs -n1 echo | grep security_profile= | grep extended)
if [ -n "$secprofile" ]; then
    echo "In Extended Security profile mode. Loading IMA kernel module"
    systemctl enable auditd.service
    # Add the securityfs mount for the IMA Runtime measurement list
    echo "securityfs /sys/kernel/security securityfs defaults,nodev 0 0" >> /etc/fstab
else
    # Disable audit daemon in the Standard Security Profile
    systemctl disable auditd
fi

. /etc/platform/platform.conf

# Delete the CentOS yum repo files
rm -f /etc/yum.repos.d/CentOS-*

# Create platform yum repo file
cat >/etc/yum.repos.d/platform.repo <<EOF
[platform-base]
name=platform-base
baseurl=http://controller:${http_port:-8080}/feed/rel-xxxPLATFORM_RELEASExxx
gpgcheck=0
enabled=1

[platform-updates]
name=platform-updates
baseurl=http://controller:${http_port:-8080}/updates/rel-xxxPLATFORM_RELEASExxx
gpgcheck=0
enabled=1
EOF

# Persist the boot device naming as UDEV rules so that if the network device
# order changes post-install that we will still be able to DHCP from the
# correct interface to reach the active controller. For most nodes only the
# management/boot interface needs to be persisted but because we require both
# controllers to be identically configured and controller-0 and controller-1
# are installed differently (e.g., controller-0 from USB and controller-1 from
# network) it is not possible to know which interface to persist for
# controller-0. The simplest solution is to persist all interfaces.
#
mkdir -p /etc/udev/rules.d
echo "# Persisted network interfaces from anaconda installer" > /etc/udev/rules.d/70-persistent-net.rules
for dir in /sys/class/net/*; do
    if [ -e ${dir}/device ]; then
        dev=$(basename ${dir})
        mac_address=$(cat /sys/class/net/${dev}/address)
        echo "ACTION==\"add\", SUBSYSTEM==\"net\", DRIVERS==\"?*\", ATTR{address}==\"${mac_address}\", NAME=\"${dev}\"" >> /etc/udev/rules.d/70-persistent-net.rules
    fi
done

# Mark the sysadmin password as expired immediately
chage -d 0 sysadmin

# Lock the root password
passwd -l root

# Enable tmpfs mount for /tmp
# delete /var/tmp so that it can be symlinked in
rm -rf /var/tmp
systemctl enable tmp.mount

# Disable automount of /dev/hugepages
systemctl mask dev-hugepages.mount

# Disable firewall
systemctl disable firewalld

# Disable libvirtd
systemctl disable libvirtd.service

# Enable rsyncd
systemctl enable rsyncd.service

# Allow root to run sudo from a non-tty (for scripts running as root that run sudo cmds)
echo 'Defaults:root !requiretty' > /etc/sudoers.d/root

# Make fstab just root read/writable
chmod 600 /etc/fstab

# Create first_boot flag
touch /etc/platform/.first_boot

%end