From cecbc860dd2d161ac663ee3ee6db00984a533260 Mon Sep 17 00:00:00 2001 From: Dmitry Tantsur Date: Mon, 30 Sep 2019 10:57:36 +0200 Subject: [PATCH] DIB: allow disabling rescue mode Change-Id: Ife73d59b8e5c4454634d0e6c4f23daaf7cc9fb66 --- dib/ironic-python-agent-ramdisk/README.rst | 4 +--- .../post-install.d/80-ironic-python-agent-ramdisk | 12 +++++++++--- doc/source/admin/dib.rst | 11 +++++++++++ 3 files changed, 21 insertions(+), 6 deletions(-) diff --git a/dib/ironic-python-agent-ramdisk/README.rst b/dib/ironic-python-agent-ramdisk/README.rst index 10fc583..d348823 100644 --- a/dib/ironic-python-agent-ramdisk/README.rst +++ b/dib/ironic-python-agent-ramdisk/README.rst @@ -24,15 +24,13 @@ Beyond installing the ironic-python-agent, this element does the following: ``DIB_IPA_COMPRESS_CMD``, which is 'gzip' by default. This command should listen for raw data from stdin and write compressed data to stdout. Command can be with arguments. +* Configures rescue mode if ``DIB_IPA_ENABLE_RESCUE`` is not set to ``false``. This element outputs three files: - ``$IMAGE-NAME.initramfs``: The deploy ramdisk file containing the ironic-python-agent (IPA) service. - ``$IMAGE-NAME.kernel``: The kernel binary file. -- ``$IMAGE-NAME.vmlinuz``: A hard link pointing to the ``$IMAGE-NAME.kernel`` - file; this is just a backward compatibility layer, please do not rely - on this file. .. note:: The package based install currently only enables the service when using the diff --git a/dib/ironic-python-agent-ramdisk/post-install.d/80-ironic-python-agent-ramdisk b/dib/ironic-python-agent-ramdisk/post-install.d/80-ironic-python-agent-ramdisk index 6f0384b..d87cd29 100755 --- a/dib/ironic-python-agent-ramdisk/post-install.d/80-ironic-python-agent-ramdisk +++ b/dib/ironic-python-agent-ramdisk/post-install.d/80-ironic-python-agent-ramdisk 
@@ -6,12 +6,16 @@ fi set -eu set -o pipefail +DIB_IPA_ENABLE_RESCUE=${DIB_IPA_ENABLE_RESCUE:-true} + install-packages -e cloud-init rm -rf /tmp/ironic-python-agent -# Make sure rescue works -mkdir -p /etc/ipa-rescue-config +if $DIB_IPA_ENABLE_RESCUE; then + # Make sure rescue works + mkdir -p /etc/ipa-rescue-config +fi case "$DIB_INIT_SYSTEM" in upstart) @@ -27,7 +31,9 @@ case "$DIB_INIT_SYSTEM" in systemctl disable iptables.service fi systemctl enable $(svc-map ironic-python-agent).service - systemctl enable ironic-agent-create-rescue-user.path + if $DIB_IPA_ENABLE_RESCUE; then + systemctl enable ironic-agent-create-rescue-user.path + fi ;; sysv) update-rc.d iptables disable diff --git a/doc/source/admin/dib.rst b/doc/source/admin/dib.rst index 18007e6..68d9a9b 100644 --- a/doc/source/admin/dib.rst +++ b/doc/source/admin/dib.rst @@ -85,6 +85,17 @@ a suitable ISO for booting, and so should work against any IPA ramdisk. Advanced options ---------------- +Disabling rescue +~~~~~~~~~~~~~~~~ + +By default rescue mode is enabled in the images. Since it allows to set root +password on the ramdisk by anyone on the network, you may disable it if the +rescue feature is not supported. Set the following before building the image: + +.. code-block:: bash + + export DIB_IPA_ENABLE_RESCUE=false + SSH access ~~~~~~~~~~
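Review bot: In dib/ironic-python-agent-ramdisk/README.rst, the removal of the ``$IMAGE-NAME.vmlinuz`` bullet is unrelated to the subject "allow disabling rescue mode", and it leaves the unchanged lead-in "This element outputs three files:" followed by only two entries. Either move the removal into its own commit or update the count to two in this hunk, and say in the commit message whether the hard link is still produced.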
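Review bot: In the post-install.d/80-ironic-python-agent-ramdisk hunk at @@ -6,12 +6,16 @@, `if $DIB_IPA_ENABLE_RESCUE; then` runs the variable's value as a command, so only the literal values `true` and `false` behave as intended. Any other value, such as `False`, `0` or `1`, fails as a command inside the `if` and silently disables rescue, which does not match the README wording "if ``DIB_IPA_ENABLE_RESCUE`` is not set to ``false``". Suggest a string comparison such as `if [ "$DIB_IPA_ENABLE_RESCUE" != "false" ]; then`, or validating the value right after the default is assigned and failing the build on anything other than `true` or `false`.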
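Review bot: In the systemd branch of the hunk at @@ -27,7 +31,9 @@, disabling rescue only skips `systemctl enable ironic-agent-create-rescue-user.path`; nothing in this patch removes or masks the unit. Since the documented reason for the option is that rescue lets anyone on the network set a root password on the ramdisk, please confirm that the path unit and whatever it triggers cannot be activated some other way in an image built with `DIB_IPA_ENABLE_RESCUE=false`. If that is not guaranteed, add an else branch that masks the unit.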
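Review bot: In doc/source/admin/dib.rst, the new "Disabling rescue" section does not say which values `DIB_IPA_ENABLE_RESCUE` accepts, while the script only handles the literal strings `true` and `false` as intended. Document that the default is `true` and that only `false` disables rescue. The sentence "Since it allows to set root password on the ramdisk by anyone on the network, you may disable it if the rescue feature is not supported" would read better as "Since it allows anyone on the network to set the root password on the ramdisk, disable it if you do not use the rescue feature".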