diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index bea965e..c3a2619 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -8,11 +8,15 @@ stages:
 .base:
 parallel:
 matrix:
- - TIER: [tier-1]
+ - TIER:
+ - tier-0
+ - tier-1
 OS: centos
 VERSION: [stream9]
 VARIANT: ["", "-rt"]
- - TIER: [tier-1]
+ - TIER:
+ - tier-0
+ - tier-1
 OS: fedora
 VERSION: [38]
 VARIANT: [""]
diff --git a/centos-base.yaml b/centos-base.yaml
deleted file mode 100644
index ce43b67..0000000
--- a/centos-base.yaml
+++ /dev/null
@@ -1,13 +0,0 @@
-releasever: stream9
-
-repos:
- - baseos
- - appstream
-
-metadata:
- name: c9s-boot-tier1
- summary: CentOS 9 Bootable Tier 1
-
-include:
- - tier-1/manifest.yaml
-
diff --git a/centos-stream-9.yaml b/centos-stream-9.yaml
new file mode 100644
index 0000000..c691de1
--- /dev/null
+++ b/centos-stream-9.yaml
@@ -0,0 +1,5 @@
+releasever: stream9
+
+repos:
+ - baseos
+ - appstream
diff --git a/centos-tier-0-rt-stream9.yaml b/centos-tier-0-rt-stream9.yaml
new file mode 100644
index 0000000..987118c
--- /dev/null
+++ b/centos-tier-0-rt-stream9.yaml
@@ -0,0 +1,5 @@
+include:
+ - centos-stream-9.yaml
+ - tier-0/kernel-rt.yaml
+ - tier-0/manifest.yaml
+
diff --git a/centos-tier-0-stream9.yaml b/centos-tier-0-stream9.yaml
new file mode 100644
index 0000000..3983dcf
--- /dev/null
+++ b/centos-tier-0-stream9.yaml
@@ -0,0 +1,5 @@
+include:
+ - centos-stream-9.yaml
+ - tier-0/kernel.yaml
+ - tier-0/manifest.yaml
+
diff --git a/centos-tier-1-rt-stream9.yaml b/centos-tier-1-rt-stream9.yaml
index 3fe78fb..7fd0264 100644
--- a/centos-tier-1-rt-stream9.yaml
+++ b/centos-tier-1-rt-stream9.yaml
@@ -1,3 +1,4 @@
 include:
- - centos-base.yaml
- - tier-1/kernel-rt.yaml
+ - centos-stream-9.yaml
+ - tier-0/kernel-rt.yaml
+ - tier-1/manifest.yaml
diff --git a/centos-tier-1-stream9.yaml b/centos-tier-1-stream9.yaml
index 36f4b3c..b5a94c9 100644
--- a/centos-tier-1-stream9.yaml
+++ b/centos-tier-1-stream9.yaml
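Review bot: The `metadata:` block (`name: c9s-boot-tier1`, `summary: CentOS 9 Bootable Tier 1`) that centos-base.yaml carried is not reproduced in centos-stream-9.yaml nor in any of the new centos-tier-*-stream9.yaml entry manifests, so the composed CentOS trees lose their name/summary unless the compose tool supplies a default. If that is intentional, a one-line comment in centos-stream-9.yaml such as `# Shared CentOS Stream 9 releasever/repos; tier-specific metadata belongs in the entry manifests` would make the split explicit; otherwise each entry manifest needs its own `metadata:` block with a tier-specific name so tier-0 and tier-1 builds remain distinguishable by name.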
@@ -1,4 +1,5 @@
 include:
- - centos-base.yaml
+ - centos-stream-9.yaml
 - tier-1/kernel.yaml
+ - tier-1/manifest.yaml
diff --git a/fedora-tier-0-38.yaml b/fedora-tier-0-38.yaml
new file mode 100644
index 0000000..65fb17c
--- /dev/null
+++ b/fedora-tier-0-38.yaml
@@ -0,0 +1,9 @@
+releasever: 38
+
+repos:
+ - fedora
+ - fedora-updates
+
+include:
+ - tier-0/manifest.yaml
+ - tier-0/kernel.yaml
diff --git a/tier-0/bootc.yaml b/tier-0/bootc.yaml
new file mode 100644
index 0000000..bd82101
--- /dev/null
+++ b/tier-0/bootc.yaml
@@ -0,0 +1,25 @@
+# A relatively minimal base, but we also do include linux-firmware so
+# we can be directly booted on metal.
+packages:
+ - systemd
+ # linux-firmware now a recommends so let's explicitly include it
+ # https://gitlab.com/cki-project/kernel-ark/-/commit/32271d0cd9bd52d386eb35497c4876a8f041f70b
+ # https://src.fedoraproject.org/rpms/kernel/c/f55c3e9ed8605ff28cb9a922efbab1055947e213?branch=rawhide
+ - linux-firmware
+ - ostree
+ # For now this will be shipped in rpm-ostree
+ # - bootc
+ # Required by bootc install today, though we'll likely switch bootc to use a Rust crate instead of sgdisk
+ - gdisk xfsprogs e2fsprogs dosfstools
+
+exclude-packages:
+ # Exclude kernel-debug-core to make sure that it doesn't somehow get
+ # chosen as the package to satisfy the `kernel-core` dependency from
+ # the kernel package.
+ - kernel-debug-core
+
+# rpm-ostree can be an alias for bootc, we want to enable that here.
+postprocess:
+ - |
+ #!/usr/bin/env bash
+ ln -sr /usr/bin/{rpm-ostree,bootc}
diff --git a/tier-0/bootupd.yaml b/tier-0/bootupd.yaml
new file mode 100644
index 0000000..cb9d662
--- /dev/null
+++ b/tier-0/bootupd.yaml
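Review bot: The postprocess script in tier-0/bootc.yaml runs without `set -euo pipefail`, unlike the sibling script in tier-0/bootupd.yaml, so a failing `ln -sr` would not fail the compose. It also assumes /usr/bin/rpm-ostree exists, yet this file lists only `ostree` (`bootc` itself is commented out), so in a tier-0 image where no other include brings in rpm-ostree the result is a dangling /usr/bin/bootc symlink rather than a build error. Suggest adding `set -euo pipefail` after the shebang and `test -x /usr/bin/rpm-ostree` before the `ln`, so the alias is either valid or the compose fails loudly.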
@@ -0,0 +1,31 @@
+# Integration with https://github.com/coreos/bootupd and bootloader logic
+# xref https://github.com/coreos/fedora-coreos-tracker/issues/510
+packages:
+ - bootupd
+
+# bootloader
+packages-aarch64:
+ - grub2-efi-aa64 efibootmgr shim
+packages-ppc64le:
+ - grub2 ostree-grub2
+packages-s390x:
+ # On Fedora, this is provided by s390utils-core. on RHEL, this is for now
+ # provided by s390utils-base, but soon will be -core too.
+ - /usr/sbin/zipl
+packages-x86_64:
+ - grub2 grub2-efi-x64 efibootmgr shim
+ - microcode_ctl
+
+conditional-include:
+ - if: basearch != "s390x"
+ # And remove some cruft from grub2
+ include: grub2-removals.yaml
+
+postprocess:
+ - |
+ #!/bin/bash
+ set -xeuo pipefail
+ # Until we have https://github.com/coreos/rpm-ostree/pull/2275
+ mkdir -p /run
+ # Transforms /usr/lib/ostree-boot into a bootupd-compatible update payload
+ /usr/bin/bootupctl backend generate-update-metadata /
diff --git a/tier-0/group b/tier-0/group
new file mode 100644
index 0000000..2fd197c
--- /dev/null
+++ b/tier-0/group
@@ -0,0 +1,46 @@
+root:x:0:
+bin:x:1:
+daemon:x:2:
+sys:x:3:
+adm:x:4:
+tty:x:5:
+disk:x:6:
+lp:x:7:
+mem:x:8:
+kmem:x:9:
+wheel:x:10:
+cdrom:x:11:
+mail:x:12:
+man:x:15:
+sudo:x:16:
+dialout:x:18:
+floppy:x:19:
+games:x:20:
+tape:x:33:
+video:x:39:
+ftp:x:50:
+lock:x:54:
+audio:x:63:
+nobody:x:99:
+users:x:100:
+ssh_keys:x:999:
+systemd-journal:x:190:
+polkitd:x:998:
+etcd:x:997:
+dip:x:40:
+cgred:x:996:
+avahi-autoipd:x:170:
+sssd:x:993:
+dockerroot:x:986:
+rpcuser:x:29:
+nfsnobody:x:65534:
+kube:x:994:
+chrony:x:992:
+tcpdump:x:72:
+ceph:x:167:
+input:x:104:
+systemd-timesync:x:991:
+systemd-network:x:990:
+systemd-resolve:x:989:
+systemd-bus-proxy:x:988:
+cockpit-ws:x:987:
diff --git a/tier-0/grub2-removals.yaml b/tier-0/grub2-removals.yaml
new file mode 100644
index 0000000..f4800dd
--- /dev/null
+++ b/tier-0/grub2-removals.yaml
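Review bot: tier-0/passwd assigns primary group IDs that tier-0/group never defines: `rpc:x:32:32`, `sshd:x:74:74` and `dbus:x:81:81` have no matching `rpc:x:32:`, `sshd:x:74:` or `dbus:x:81:` line in this group file, while tier-0/manifest.yaml points `check-passwd`/`check-groups` at both files and at the same time drops `/usr/lib/sysusers.d/dbus.conf`. Both files are moved from tier-1 unchanged, so the gap predates this commit, but once tier-0 becomes the single source for every tier it is worth closing: with the sysusers fragment removed, the dbus group in particular now depends on whatever allocation happens at compose time instead of this static table. Adding the three group entries (`rpc:x:32:`, `sshd:x:74:`, `dbus:x:81:`) keeps the two tables consistent; whether the file-type check-groups tolerates the missing entries today cannot be told from the diff. The same observation applies to the tier-0/passwd hunk further down.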
@@ -0,0 +1,8 @@
+remove-from-packages:
+ # The grub bits are mainly designed for desktops, and IMO haven't seen
+ # enough testing in concert with ostree. At some point we'll flesh out
+ # the full plan in https://github.com/coreos/fedora-coreos-tracker/issues/47
+ - [grub2-tools, /etc/grub.d/08_fallback_counting,
+ /etc/grub.d/10_reset_boot_success,
+ /etc/grub.d/12_menu_auto_hide,
+ /usr/lib/systemd/.*]
diff --git a/tier-0/initramfs.yaml b/tier-0/initramfs.yaml
new file mode 100644
index 0000000..dc7bf5c
--- /dev/null
+++ b/tier-0/initramfs.yaml
@@ -0,0 +1,14 @@
+# Configuration for the initramfs
+postprocess:
+ - |
+ #!/usr/bin/env bash
+ mkdir -p /usr/lib/dracut/dracut.conf.d
+ cat > /usr/lib/dracut/dracut.conf.d/01-bootc-nohostonly.conf
+ # We want a generic image; hostonly makes no sense as part of a server side build
+ hostonly=no
+ EOF
+ cat > /usr/lib/dracut/dracut.conf.d/49-tpm2-tss.conf << 'EOF'
+ # We want this for systemd-cryptsetup tpm2 locking
+ dracutmodules+=" tpm2-tss "
+ EOF
+
\ No newline at end of file
diff --git a/tier-1/kernel-rt.yaml b/tier-0/kernel-rt.yaml
similarity index 100%
rename from tier-1/kernel-rt.yaml
rename to tier-0/kernel-rt.yaml
diff --git a/tier-0/kernel.yaml b/tier-0/kernel.yaml
new file mode 100644
index 0000000..0dd777d
--- /dev/null
+++ b/tier-0/kernel.yaml
@@ -0,0 +1,6 @@
+# Enable the Linux kernel; see also kernel-rt.
+packages:
+ - kernel
+
+exclude-packages:
+ - kernel-debug
diff --git a/tier-0/manifest.yaml b/tier-0/manifest.yaml
new file mode 100644
index 0000000..f67f0a8
--- /dev/null
+++ b/tier-0/manifest.yaml
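Review bot: In the tier-0/initramfs.yaml postprocess script, the first `cat > /usr/lib/dracut/dracut.conf.d/01-bootc-nohostonly.conf` has no `<< 'EOF'` heredoc (the second `cat` has one), so `cat` reads the build's stdin instead of the next two lines, `hostonly=no` runs as a plain shell assignment and `EOF` as a command; the conf file is created empty (or the step blocks on stdin), and because the script has no `set -euo pipefail` the "command not found" error does not fail the compose. The net effect is that the setting this file exists to enforce is never written, so the initramfs may be built host-only against the build machine. The same text is deleted from tier-1/initramfs.yaml in this commit, so the bug moves rather than being fixed. Change the line to `cat > /usr/lib/dracut/dracut.conf.d/01-bootc-nohostonly.conf << 'EOF'` and add `set -euo pipefail` after the shebang; the whitespace-only last line before the missing final newline can go at the same time.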
@@ -0,0 +1,62 @@
+
+# Modern defaults we want
+boot-location: modules
+tmp-is-dir: true
+# This one at least historically broke compatibility with Anaconda, but
+# let's use it by default now.
+machineid-compat: false
+# Be minimal
+recommends: false
+
+ignore-removed-users:
+ - root
+ignore-removed-groups:
+ - root
+etc-group-members:
+ - wheel
+ - sudo
+ - systemd-journal
+ - adm
+
+# Note that the default for c9s+ is sqlite; we can't rely on rpm being
+# in the target (it isn't in tier-0!) so turn this to host here. This
+# does break the "hermetic build" aspect a bit. Maybe eventually
+# what we should do is special case this and actually install RPM temporarily
+# and then remove it...
+rpmdb: host
+
+check-passwd:
+ type: "file"
+ filename: "passwd"
+check-groups:
+ type: "file"
+ filename: "group"
+
+automatic-version-prefix: "${releasever}."
+mutate-os-release: "${releasever}"
+
+remove-from-packages:
+ # Generally we expect other tools to do this (e.g. Ignition or cloud-init)
+ - [systemd, /usr/lib/systemd/system/sysinit.target.wants/systemd-firstboot.service]
+ # We don't want auto-generated mount units. See also
+ # https://github.com/systemd/systemd/issues/13099
+ - [systemd-udev, /usr/lib/systemd/system-generators/systemd-gpt-auto-generator]
+ # Drop some buggy sysusers fragments which do not match static IDs allocation:
+ # https://bugzilla.redhat.com/show_bug.cgi?id=2105177
+ - [dbus-common, /usr/lib/sysusers.d/dbus.conf]
+
+include:
+ - bootc.yaml
+ - initramfs.yaml
+
+packages:
+ # Even in tier-0, we have this. If you don't want SELinux today, you'll need
+ # to build a custom image.
+ - selinux-policy-targeted
+ # Needed for tpm2 bound luks
+ - tpm2-tools
+
+# See https://github.com/coreos/bootupd
+arch-include:
+ x86_64: bootupd.yaml
+ aarch64: bootupd.yaml
diff --git a/tier-0/passwd b/tier-0/passwd
new file mode 100644
index 0000000..ea84802
--- /dev/null
+++ b/tier-0/passwd
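Review bot: The `remove-from-packages` entry for systemd in tier-0/manifest.yaml drops only `/usr/lib/systemd/system/sysinit.target.wants/systemd-firstboot.service`, whereas the tier-1/manifest.yaml entry it supersedes also removed `/usr/bin/systemd-firstboot` and the unit file itself; since tier-1 now pulls this file in through manifest-tier-0.yaml, tier-1 images regain the firstboot binary and unit, a behaviour change the commit does not mention. If the narrowing is deliberate, a comment on that line such as `# Narrower than the old tier-1 entry on purpose: only the auto-enablement symlink is dropped` would stop the next reader from "fixing" it; otherwise the two paths should be restored. Separately, `arch-include` lists only x86_64 and aarch64, so the `packages-ppc64le` and `packages-s390x` stanzas in bootupd.yaml are never reached; that was already true in the old tier-1 manifest, but now that this file is the single base it deserves either entries for those architectures or a comment saying they are not bootable targets.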
@@ -0,0 +1,32 @@
+adm:x:3:4:adm:/var/adm:/usr/sbin/nologin
+avahi-autoipd:x:170:170:Avahi IPv4LL Stack:/var/lib/avahi-autoipd:/usr/sbin/nologin
+bin:x:1:1:bin:/bin:/usr/sbin/nologin
+ceph:x:167:167:Ceph daemons:/var/lib/ceph:/usr/sbin/nologin
+chrony:x:994:992::/var/lib/chrony:/usr/sbin/nologin
+cockpit-ws:x:988:987:User for cockpit-ws:/:/usr/sbin/nologin
+daemon:x:2:2:daemon:/sbin:/usr/sbin/nologin
+dbus:x:81:81:System Message Bus:/:/usr/sbin/nologin
+dockerroot:x:997:986:Docker User:/var/lib/docker:/usr/sbin/nologin
+etcd:x:998:997:etcd user:/var/lib/etcd:/usr/sbin/nologin
+ftp:x:14:50:FTP User:/var/ftp:/usr/sbin/nologin
+games:x:12:100:games:/usr/games:/usr/sbin/nologin
+halt:x:7:0:halt:/sbin:/sbin/halt
+kube:x:996:994:Kubernetes user:/:/usr/sbin/nologin
+lp:x:4:7:lp:/var/spool/lpd:/usr/sbin/nologin
+mail:x:8:12:mail:/var/spool/mail:/usr/sbin/nologin
+nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/usr/sbin/nologin
+nobody:x:99:99:Kernel Overflow User:/:/usr/sbin/nologin
+operator:x:11:0:operator:/root:/usr/sbin/nologin
+polkitd:x:999:998:User for polkitd:/:/usr/sbin/nologin
+root:x:0:0:Super User:/root:/bin/bash
+rpc:x:32:32:Rpcbind Daemon:/var/lib/rpcbind:/usr/sbin/nologin
+rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/usr/sbin/nologin
+shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
+sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/usr/sbin/nologin
+sssd:x:995:993:User for sssd:/:/usr/sbin/nologin
+sync:x:5:0:sync:/sbin:/bin/sync
+systemd-bus-proxy:x:989:988:systemd Bus Proxy:/:/usr/sbin/nologin
+systemd-network:x:991:990:systemd Network Management:/:/usr/sbin/nologin
+systemd-resolve:x:990:989:systemd Resolver:/:/usr/sbin/nologin
+systemd-timesync:x:993:991:systemd Time Synchronization:/:/usr/sbin/nologin
+tcpdump:x:72:72::/:/usr/sbin/nologin
diff --git a/tier-1/bootc.yaml b/tier-1/bootc.yaml
deleted file mode 100644
index 2bee9fc..0000000
--- a/tier-1/bootc.yaml
+++ /dev/null
@@ -1,24 +0,0 @@
-# A relatively minimal base, but we also do include linux-firmware so
-# we can be directly booted on metal.
-packages:
- - systemd
- # linux-firmware now a recommends so let's explicitly include it
- # https://gitlab.com/cki-project/kernel-ark/-/commit/32271d0cd9bd52d386eb35497c4876a8f041f70b
- # https://src.fedoraproject.org/rpms/kernel/c/f55c3e9ed8605ff28cb9a922efbab1055947e213?branch=rawhide
- - linux-firmware
- # For now this will be shipped in rpm-ostree
- # - bootc
- # Required by bootc install today, though we'll likely switch bootc to use a Rust crate instead of sgdisk
- - gdisk xfsprogs e2fsprogs dosfstools
-
-exclude-packages:
- # Exclude kernel-debug-core to make sure that it doesn't somehow get
- # chosen as the package to satisfy the `kernel-core` dependency from
- # the kernel package.
- - kernel-debug-core
-
-# rpm-ostree can be an alias for bootc, we want to enable that here.
-postprocess:
- - |
- #!/usr/bin/env bash
- ln -sr /usr/bin/{rpm-ostree,bootc}
diff --git a/tier-1/bootc.yaml b/tier-1/bootc.yaml
new file mode 120000
index 0000000..e4ff72c
--- /dev/null
+++ b/tier-1/bootc.yaml
@@ -0,0 +1 @@
+../tier-0/bootc.yaml
\ No newline at end of file
diff --git a/tier-1/bootupd.yaml b/tier-1/bootupd.yaml
deleted file mode 100644
index cb9d662..0000000
--- a/tier-1/bootupd.yaml
+++ /dev/null
@@ -1,31 +0,0 @@
-# Integration with https://github.com/coreos/bootupd and bootloader logic
-# xref https://github.com/coreos/fedora-coreos-tracker/issues/510
-packages:
- - bootupd
-
-# bootloader
-packages-aarch64:
- - grub2-efi-aa64 efibootmgr shim
-packages-ppc64le:
- - grub2 ostree-grub2
-packages-s390x:
- # On Fedora, this is provided by s390utils-core. on RHEL, this is for now
- # provided by s390utils-base, but soon will be -core too.
- - /usr/sbin/zipl
-packages-x86_64:
- - grub2 grub2-efi-x64 efibootmgr shim
- - microcode_ctl
-
-conditional-include:
- - if: basearch != "s390x"
- # And remove some cruft from grub2
- include: grub2-removals.yaml
-
-postprocess:
- - |
- #!/bin/bash
- set -xeuo pipefail
- # Until we have https://github.com/coreos/rpm-ostree/pull/2275
- mkdir -p /run
- # Transforms /usr/lib/ostree-boot into a bootupd-compatible update payload
- /usr/bin/bootupctl backend generate-update-metadata /
diff --git a/tier-1/bootupd.yaml b/tier-1/bootupd.yaml
new file mode 120000
index 0000000..6b1db4e
--- /dev/null
+++ b/tier-1/bootupd.yaml
@@ -0,0 +1 @@
+../tier-0/bootupd.yaml
\ No newline at end of file
diff --git a/tier-1/group b/tier-1/group
deleted file mode 100644
index 2fd197c..0000000
--- a/tier-1/group
+++ /dev/null
@@ -1,46 +0,0 @@
-root:x:0:
-bin:x:1:
-daemon:x:2:
-sys:x:3:
-adm:x:4:
-tty:x:5:
-disk:x:6:
-lp:x:7:
-mem:x:8:
-kmem:x:9:
-wheel:x:10:
-cdrom:x:11:
-mail:x:12:
-man:x:15:
-sudo:x:16:
-dialout:x:18:
-floppy:x:19:
-games:x:20:
-tape:x:33:
-video:x:39:
-ftp:x:50:
-lock:x:54:
-audio:x:63:
-nobody:x:99:
-users:x:100:
-ssh_keys:x:999:
-systemd-journal:x:190:
-polkitd:x:998:
-etcd:x:997:
-dip:x:40:
-cgred:x:996:
-avahi-autoipd:x:170:
-sssd:x:993:
-dockerroot:x:986:
-rpcuser:x:29:
-nfsnobody:x:65534:
-kube:x:994:
-chrony:x:992:
-tcpdump:x:72:
-ceph:x:167:
-input:x:104:
-systemd-timesync:x:991:
-systemd-network:x:990:
-systemd-resolve:x:989:
-systemd-bus-proxy:x:988:
-cockpit-ws:x:987:
diff --git a/tier-1/group b/tier-1/group
new file mode 120000
index 0000000..f4ca078
--- /dev/null
+++ b/tier-1/group
@@ -0,0 +1 @@
+../tier-0/group
\ No newline at end of file
diff --git a/tier-1/grub2-removals.yaml b/tier-1/grub2-removals.yaml
deleted file mode 100644
index f4800dd..0000000
--- a/tier-1/grub2-removals.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-remove-from-packages:
- # The grub bits are mainly designed for desktops, and IMO haven't seen
- # enough testing in concert with ostree. At some point we'll flesh out
- # the full plan in https://github.com/coreos/fedora-coreos-tracker/issues/47
- - [grub2-tools, /etc/grub.d/08_fallback_counting,
- /etc/grub.d/10_reset_boot_success,
- /etc/grub.d/12_menu_auto_hide,
- /usr/lib/systemd/.*]
diff --git a/tier-1/grub2-removals.yaml b/tier-1/grub2-removals.yaml
new file mode 120000
index 0000000..7fecbad
--- /dev/null
+++ b/tier-1/grub2-removals.yaml
@@ -0,0 +1 @@
+../tier-0/grub2-removals.yaml
\ No newline at end of file
diff --git a/tier-1/initramfs.yaml b/tier-1/initramfs.yaml
deleted file mode 100644
index dc7bf5c..0000000
--- a/tier-1/initramfs.yaml
+++ /dev/null
@@ -1,14 +0,0 @@
-# Configuration for the initramfs
-postprocess:
- - |
- #!/usr/bin/env bash
- mkdir -p /usr/lib/dracut/dracut.conf.d
- cat > /usr/lib/dracut/dracut.conf.d/01-bootc-nohostonly.conf
- # We want a generic image; hostonly makes no sense as part of a server side build
- hostonly=no
- EOF
- cat > /usr/lib/dracut/dracut.conf.d/49-tpm2-tss.conf << 'EOF'
- # We want this for systemd-cryptsetup tpm2 locking
- dracutmodules+=" tpm2-tss "
- EOF
-
\ No newline at end of file
diff --git a/tier-1/initramfs.yaml b/tier-1/initramfs.yaml
new file mode 120000
index 0000000..c268845
--- /dev/null
+++ b/tier-1/initramfs.yaml
@@ -0,0 +1 @@
+../tier-0/initramfs.yaml
\ No newline at end of file
diff --git a/tier-1/kernel.yaml b/tier-1/kernel.yaml
deleted file mode 100644
index 0dd777d..0000000
--- a/tier-1/kernel.yaml
+++ /dev/null
@@ -1,6 +0,0 @@
-# Enable the Linux kernel; see also kernel-rt.
-packages:
- - kernel
-
-exclude-packages:
- - kernel-debug
diff --git a/tier-1/kernel.yaml b/tier-1/kernel.yaml
new file mode 120000
index 0000000..d6f64cc
--- /dev/null
+++ b/tier-1/kernel.yaml
@@ -0,0 +1 @@
+../tier-0/kernel.yaml
\ No newline at end of file
diff --git a/tier-1/manifest-tier-0.yaml b/tier-1/manifest-tier-0.yaml
new file mode 120000
index 0000000..8d5a3e1
--- /dev/null
+++ b/tier-1/manifest-tier-0.yaml
@@ -0,0 +1 @@
+../tier-0/manifest.yaml
\ No newline at end of file
diff --git a/tier-1/manifest.yaml b/tier-1/manifest.yaml
index adccd44..6fa54d1 100644
--- a/tier-1/manifest.yaml
+++ b/tier-1/manifest.yaml
@@ -1,54 +1,11 @@
-# Modern defaults we want
-boot-location: modules
-tmp-is-dir: true
-# This one at least historically broke compatibility with Anaconda, but
-# let's use it by default now.
-machineid-compat: false
-# Be minimal
-recommends: false
-
-ignore-removed-users:
- - root
-ignore-removed-groups:
- - root
-etc-group-members:
- - wheel
- - sudo
- - systemd-journal
- - adm
-
-check-passwd:
- type: "file"
- filename: "passwd"
-check-groups:
- type: "file"
- filename: "group"
-
 include:
- - bootc.yaml
- - initramfs.yaml
- - bootable-rpm-ostree.yaml
+ - manifest-tier-0.yaml
 - networking-tools.yaml
 - system-configuration.yaml
 - user-experience.yaml
 - fwupd.yaml
-remove-from-packages:
- # Generally we expect other tools to do this (e.g. Ignition or cloud-init)
- - [systemd, /usr/bin/systemd-firstboot,
- /usr/lib/systemd/system/systemd-firstboot.service,
- /usr/lib/systemd/system/sysinit.target.wants/systemd-firstboot.service]
- # We don't want auto-generated mount units. See also
- # https://github.com/systemd/systemd/issues/13099
- - [systemd-udev, /usr/lib/systemd/system-generators/systemd-gpt-auto-generator]
- # Drop some buggy sysusers fragments which do not match static IDs allocation:
- # https://bugzilla.redhat.com/show_bug.cgi?id=2105177
- - [dbus-common, /usr/lib/sysusers.d/dbus.conf]
-
-automatic-version-prefix: "${releasever}."
-mutate-os-release: "${releasever}"
-
 packages:
 # Include and set the default editor
 - nano
@@ -114,11 +71,6 @@ packages-aarch64:
 packages-s390x:
 - qemu-user-static-x86
-# See https://github.com/coreos/bootupd
-arch-include:
- x86_64: bootupd.yaml
- aarch64: bootupd.yaml
-
 postprocess:
 # Undo RPM scripts enabling units; we want the presets to be canonical
 # https://github.com/projectatomic/rpm-ostree/issues/1803
diff --git a/tier-1/passwd b/tier-1/passwd
deleted file mode 100644
index ea84802..0000000
--- a/tier-1/passwd
+++ /dev/null
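Review bot: The include of `bootable-rpm-ostree.yaml` is dropped from tier-1/manifest.yaml and replaced by `manifest-tier-0.yaml`, but the tier-0 side only adds `ostree` (tier-0/bootc.yaml), not rpm-ostree, and the tier-0/manifest.yaml comment states that rpm itself is absent from tier-0. Unless one of the remaining includes (networking-tools, system-configuration, user-experience, fwupd — not visible in this diff) still pulls in rpm-ostree, tier-1 images lose it, which also turns the `ln -sr /usr/bin/{rpm-ostree,bootc}` alias inherited from tier-0/bootc.yaml into a dangling link. If rpm-ostree is still wanted in tier-1, keep `- bootable-rpm-ostree.yaml` in this include list (or add rpm-ostree to a tier-1 package list); if dropping it is intended, the commit message should say so. The `include:` block is complete within the hunk, but the file continues past the second hunk.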
@@ -1,32 +0,0 @@
-adm:x:3:4:adm:/var/adm:/usr/sbin/nologin
-avahi-autoipd:x:170:170:Avahi IPv4LL Stack:/var/lib/avahi-autoipd:/usr/sbin/nologin
-bin:x:1:1:bin:/bin:/usr/sbin/nologin
-ceph:x:167:167:Ceph daemons:/var/lib/ceph:/usr/sbin/nologin
-chrony:x:994:992::/var/lib/chrony:/usr/sbin/nologin
-cockpit-ws:x:988:987:User for cockpit-ws:/:/usr/sbin/nologin
-daemon:x:2:2:daemon:/sbin:/usr/sbin/nologin
-dbus:x:81:81:System Message Bus:/:/usr/sbin/nologin
-dockerroot:x:997:986:Docker User:/var/lib/docker:/usr/sbin/nologin
-etcd:x:998:997:etcd user:/var/lib/etcd:/usr/sbin/nologin
-ftp:x:14:50:FTP User:/var/ftp:/usr/sbin/nologin
-games:x:12:100:games:/usr/games:/usr/sbin/nologin
-halt:x:7:0:halt:/sbin:/sbin/halt
-kube:x:996:994:Kubernetes user:/:/usr/sbin/nologin
-lp:x:4:7:lp:/var/spool/lpd:/usr/sbin/nologin
-mail:x:8:12:mail:/var/spool/mail:/usr/sbin/nologin
-nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/usr/sbin/nologin
-nobody:x:99:99:Kernel Overflow User:/:/usr/sbin/nologin
-operator:x:11:0:operator:/root:/usr/sbin/nologin
-polkitd:x:999:998:User for polkitd:/:/usr/sbin/nologin
-root:x:0:0:Super User:/root:/bin/bash
-rpc:x:32:32:Rpcbind Daemon:/var/lib/rpcbind:/usr/sbin/nologin
-rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/usr/sbin/nologin
-shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
-sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/usr/sbin/nologin
-sssd:x:995:993:User for sssd:/:/usr/sbin/nologin
-sync:x:5:0:sync:/sbin:/bin/sync
-systemd-bus-proxy:x:989:988:systemd Bus Proxy:/:/usr/sbin/nologin
-systemd-network:x:991:990:systemd Network Management:/:/usr/sbin/nologin
-systemd-resolve:x:990:989:systemd Resolver:/:/usr/sbin/nologin
-systemd-timesync:x:993:991:systemd Time Synchronization:/:/usr/sbin/nologin
-tcpdump:x:72:72::/:/usr/sbin/nologin
diff --git a/tier-1/passwd b/tier-1/passwd
new file mode 120000
index 0000000..dc62c0b
--- /dev/null
+++ b/tier-1/passwd
@@ -0,0 +1 @@
+../tier-0/passwd
\ No newline at end of file
diff --git a/tier-1/system-configuration.yaml b/tier-1/system-configuration.yaml
index 566efde..0dfec35 100644
--- a/tier-1/system-configuration.yaml
+++ b/tier-1/system-configuration.yaml
@@ -8,8 +8,6 @@ packages:
 - chrony
 # Storage configuration/management
 - cryptsetup
- # Needed for tpm2 bound luks
- - tpm2-tools
 - e2fsprogs
 - sg3_utils
 - xfsprogs
@@ -19,8 +17,6 @@ packages:
 - acl
 # Manipulating the kernel keyring; used by bootc
 - keyutils
- # SELinux policy
- - selinux-policy-targeted
 # There are things that write outside of the journal still (such as the
 # classic wtmp, etc.). auditd also writes outside the journal but it has its
 # own log rotation.