From 54f2f7d6c667e0d26211e713d0b1fd44a527cdaa Mon Sep 17 00:00:00 2001 From: Bin Qian Date: Mon, 10 Jan 2022 12:09:52 -0500 Subject: [PATCH] Make /usr readonly to support OSTree OSTree structure requires /usr to be readonly as OSTree's dracut hook creates a read-only bind mount over /usr. 1. deploy validate_postgresql_connection.sh directly to /usr/local/bin. It was copied to the location after installation. 2. move /usr/local/etc/ldapscripts to /etc/ldapscripts, files need writable. 3. move /usr/libexec/cni to /opt/cni/bin. Plugins are installed at runtime. TCs: provision aio-dx centos with /usr mount to readonly fs. unlocked host provision aio-sx debian and unlocked host. upgrade AIO-DX from 21.12 upgrade AIO-SX from 21.12 successfully apply cert-manager and nginx-ingress-controller Story: 2009101 Task: 44314 Change-Id: I99231f3f7db3d2d8eaceba137e13dea650370f71 Signed-off-by: Bin Qian --- .../centos/puppet-postgresql.spec | 6 ++- .../centos/containernetworking-plugins.spec | 8 +-- .../containernetworking-plugins.install | 2 +- ldap/ldapscripts/centos/ldapscripts.spec | 23 ++++---- .../install-ldapscripts-files-to-etc.patch | 53 +++++++++++++++++++ ldap/ldapscripts/debian/deb_patches/series | 1 + .../install-ldapscripts-files-to-etc.patch | 38 +++++++++++++ ldap/ldapscripts/debian/patches/series | 1 + .../install-ldapscripts-files-to-etc.patch | 38 +++++++++++++ ldap/ldapscripts/files/ldapscripts.conf.cgcs | 12 ++--- 10 files changed, 160 insertions(+), 22 deletions(-) create mode 100644 ldap/ldapscripts/debian/deb_patches/install-ldapscripts-files-to-etc.patch create mode 100644 ldap/ldapscripts/debian/patches/install-ldapscripts-files-to-etc.patch create mode 100644 ldap/ldapscripts/files/install-ldapscripts-files-to-etc.patch diff --git a/config/puppet-modules/puppet-postgresql-4.8.0/centos/puppet-postgresql.spec b/config/puppet-modules/puppet-postgresql-4.8.0/centos/puppet-postgresql.spec index e794318c7..7f8c524f5 100644 
--- a/config/puppet-modules/puppet-postgresql-4.8.0/centos/puppet-postgresql.spec +++ b/config/puppet-modules/puppet-postgresql-4.8.0/centos/puppet-postgresql.spec @@ -29,6 +29,8 @@ Requires: puppet-concat %description A Puppet module for managing PostgreSQL databases +%define local_bindir /usr/local/bin + %prep %setup -n %{prefix}-%{module_dir} %patch0001 -p1 @@ -45,8 +47,10 @@ find . \( -name spec -o -name ext \) | xargs rm -rf rm -rf %{buildroot} install -d -m 0755 %{buildroot}/%{_datadir}/puppet/modules/%{module_dir} cp -rp * %{buildroot}/%{_datadir}/puppet/modules/%{module_dir}/ +install -d -m 0755 %{buildroot}%{local_bindir}/ +install -p -D -m 755 files/validate_postgresql_connection.sh %{buildroot}%{local_bindir}/ %files %license %{_datadir}/puppet/modules/%{module_dir}/LICENSE %{_datadir}/puppet/modules/%{module_dir} - +%{local_bindir}/validate_postgresql_connection.sh diff --git a/kubernetes/cni/plugins/centos/containernetworking-plugins.spec b/kubernetes/cni/plugins/centos/containernetworking-plugins.spec index 8ab5f1012..d82bf4732 100644 --- a/kubernetes/cni/plugins/centos/containernetworking-plugins.spec +++ b/kubernetes/cni/plugins/centos/containernetworking-plugins.spec @@ -77,8 +77,8 @@ for d in $PLUGINS; do done %install -install -d -p %{buildroot}%{_libexecdir}/cni/ -install -p -m 0755 bin/* %{buildroot}/%{_libexecdir}/cni +install -d -p %{buildroot}/opt/cni/bin +install -p -m 0755 bin/* %{buildroot}/opt/cni/bin %check %if 0%{?with_check} @@ -119,8 +119,8 @@ install -p -m 0755 bin/* %{buildroot}/%{_libexecdir}/cni %files %license LICENSE %doc *.md -%dir %{_libexecdir}/cni -%{_libexecdir}/cni/* +%dir /opt/cni/bin +/opt/cni/bin/* %changelog * Thu Feb 17 2022 Steven Webster - 1.0.1 diff --git a/kubernetes/cni/plugins/debian/deb_folder/containernetworking-plugins.install b/kubernetes/cni/plugins/debian/deb_folder/containernetworking-plugins.install index 4de739e40..956deb0cb 100644 
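Review bot: Nothing in this diff removes the post-install step that, per the commit message, used to copy `validate_postgresql_connection.sh` into /usr/local/bin. If that step still runs against a read-only /usr it would presumably fail, so confirm it has been dropped (possibly in one of the `%patch` files, which are not shown here). In the `%install` hunk, `-D` is redundant after the preceding `install -d -m 0755 %{buildroot}%{local_bindir}/`. A `%global local_bindir /usr/local/bin` near the top of the spec is the usual form, instead of a `%define` placed between `%description` and `%prep`.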
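Review bot: The `%files` entries `%dir /opt/cni/bin` and `/opt/cni/bin/*` rely on default ownership and mode for binaries that move out of the read-only /usr tree into a location the commit message says is written at runtime. CNI plugins are normally executed by the container runtime with root privileges, so it is worth pinning this explicitly, e.g. `%attr(0755,root,root) %dir /opt/cni/bin`, and confirming that whatever installs plugins at runtime keeps the directory writable by root only. The parent `/opt/cni` is not owned by the package; adding `%dir /opt/cni` would avoid an unowned directory. The kubelet or runtime setting that names the CNI binary directory is outside this diff and has to match the new path.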
--- a/kubernetes/cni/plugins/debian/deb_folder/containernetworking-plugins.install +++ b/kubernetes/cni/plugins/debian/deb_folder/containernetworking-plugins.install @@ -1 +1 @@ -usr/bin/* usr/libexec/cni/ +usr/bin/* opt/cni/bin diff --git a/ldap/ldapscripts/centos/ldapscripts.spec b/ldap/ldapscripts/centos/ldapscripts.spec index 480c7867c..6e5b116cd 100644 --- a/ldap/ldapscripts/centos/ldapscripts.spec +++ b/ldap/ldapscripts/centos/ldapscripts.spec @@ -20,6 +20,7 @@ Patch1: sudo-delete-support.patch Patch2: log_timestamp.patch Patch3: ldap-user-setup-support.patch Patch4: allow-anonymous-bind-for-ldap-search.patch +Patch5: install-ldapscripts-files-to-etc.patch %define debug_package %{nil} @@ -36,6 +37,7 @@ Shell scripts that allow to manage POSIX accounts (users, groups, machines) in a %patch2 -p1 %patch3 -p1 %patch4 -p1 +%patch5 -p1 %build 
@@ -46,21 +48,22 @@ rm -Rf %{buildroot}/usr/local/man rm -f %{buildroot}/usr/local/sbin/*machine* rm -f %{buildroot}/usr/local/etc/ldapscripts/ldapaddmachine.template.sample install -d %{buildroot}/usr/local/etc/ -install -m 644 %{SOURCE1} %{buildroot}/usr/local/etc/ldapscripts/ldapscripts.conf -install -m 644 %{SOURCE2} %{buildroot}/usr/local/etc/ldapscripts/ldapadduser.template.cgcs -install -m 644 %{SOURCE3} %{buildroot}/usr/local/etc/ldapscripts/ldapaddgroup.template.cgcs -install -m 644 %{SOURCE4} %{buildroot}/usr/local/etc/ldapscripts/ldapmoduser.template.cgcs -install -m 644 %{SOURCE5} %{buildroot}/usr/local/etc/ldapscripts/ldapaddsudo.template.cgcs -install -m 644 %{SOURCE6} %{buildroot}/usr/local/etc/ldapscripts/ldapmodsudo.template.cgcs -install -m 600 %{SOURCE7} %{buildroot}/usr/local/etc/ldapscripts/ldapscripts.passwd +install -d %{buildroot}/etc/ldapscripts/ +install -m 644 %{SOURCE1} %{buildroot}/etc/ldapscripts/ldapscripts.conf +install -m 644 %{SOURCE2} %{buildroot}/etc/ldapscripts/ldapadduser.template.cgcs +install -m 644 %{SOURCE3} %{buildroot}/etc/ldapscripts/ldapaddgroup.template.cgcs +install -m 644 %{SOURCE4} %{buildroot}/etc/ldapscripts/ldapmoduser.template.cgcs +install -m 644 %{SOURCE5} %{buildroot}/etc/ldapscripts/ldapaddsudo.template.cgcs +install -m 644 %{SOURCE6} %{buildroot}/etc/ldapscripts/ldapmodsudo.template.cgcs +install -m 600 %{SOURCE7} %{buildroot}/etc/ldapscripts/ldapscripts.passwd %files %defattr(-,root,root,-) -%dir /usr/local/etc/ldapscripts/ +%dir /etc/ldapscripts/ %dir /usr/local/lib/ldapscripts/ /usr/local/sbin/* -%config(noreplace) /usr/local/etc/ldapscripts/ldapscripts.passwd -/usr/local/etc/ldapscripts/* +%config(noreplace) /etc/ldapscripts/ldapscripts.passwd +/etc/ldapscripts/* /usr/local/lib/ldapscripts/* diff --git a/ldap/ldapscripts/debian/deb_patches/install-ldapscripts-files-to-etc.patch b/ldap/ldapscripts/debian/deb_patches/install-ldapscripts-files-to-etc.patch new file mode 100644 index 000000000..9af22bdf2 
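Review bot: Two context lines in `%install` still use the old tree: `rm -f %{buildroot}/usr/local/etc/ldapscripts/ldapaddmachine.template.sample` and `install -d %{buildroot}/usr/local/etc/`. With the Makefile patch defaulting ETCDIR to /etc/ldapscripts, the `rm -f` presumably no longer matches anything, so the machine template sample would be packaged through `/etc/ldapscripts/*`. It should read `rm -f %{buildroot}/etc/ldapscripts/ldapaddmachine.template.sample`, and the `install -d` of /usr/local/etc can be dropped. The same stale `rm -rf ./debian/ldapscripts/usr/local/etc/ldapscripts/ldapaddmachine.template.sample` remains in the debian/rules patch. Now that the files live under /etc, `ldapscripts.conf` and the templates could also be marked `%config(noreplace)` like `ldapscripts.passwd`; the `make install` call itself is outside this hunk.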
--- /dev/null +++ b/ldap/ldapscripts/debian/deb_patches/install-ldapscripts-files-to-etc.patch 
@@ -0,0 +1,53 @@ +From c3f8f0bae32fb59eb9f7e4be7b88e9e8931a9711 Mon Sep 17 00:00:00 2001 +From: Bin Qian +Date: Wed, 27 Apr 2022 22:08:59 +0000 +Subject: [PATCH] install ldapscripts files to /etc + +Install ldapscripts files to /etc where they originally deployed to. +As /usr needs to be readonly to support OSTree + +Signed-off-by: Bin Qian +--- + debian/rules | 22 +++++++++++----------- + 1 file changed, 11 insertions(+), 11 deletions(-) + +diff --git a/debian/rules b/debian/rules +index cad1a0f..1388e4c 100755 +--- a/debian/rules ++++ b/debian/rules +@@ -9,14 +9,14 @@ override_dh_auto_install: + $(MAKE) install DESTDIR=debian/ldapscripts PREFIX=/usr ETCDIR=/etc/ldapscripts LIBDIR=/usr/share/ldapscripts MANDIR=/usr/share/man + cp debian/runtime.debian debian/ldapscripts/usr/share/ldapscripts + rm debian/ldapscripts/etc/ldapscripts/*.sample +- $(MAKE) install DESTDIR=debian/ldapscripts PREFIX=/usr ETCDIR=/usr/local/etc/ldapscripts +- install -m 644 ldapscripts.conf.cgcs debian/ldapscripts/usr/local/etc/ldapscripts +- install -m 644 ldapadduser.template.cgcs debian/ldapscripts/usr/local/etc/ldapscripts +- install -m 644 ldapaddgroup.template.cgcs debian/ldapscripts/usr/local/etc/ldapscripts +- install -m 644 ldapmoduser.template.cgcs debian/ldapscripts/usr/local/etc/ldapscripts +- install -m 644 ldapaddsudo.template.cgcs debian/ldapscripts/usr/local/etc/ldapscripts +- install -m 644 ldapmodsudo.template.cgcs debian/ldapscripts/usr/local/etc/ldapscripts +- install -m 600 ldapscripts.passwd debian/ldapscripts/usr/local/etc/ldapscripts ++ $(MAKE) install DESTDIR=debian/ldapscripts PREFIX=/usr ETCDIR=/etc/ldapscripts ++ install -m 644 ldapscripts.conf.cgcs debian/ldapscripts/etc/ldapscripts ++ install -m 644 ldapadduser.template.cgcs debian/ldapscripts/etc/ldapscripts ++ install -m 644 ldapaddgroup.template.cgcs debian/ldapscripts/etc/ldapscripts ++ install -m 644 ldapmoduser.template.cgcs debian/ldapscripts//etc/ldapscripts ++ install -m 644 ldapaddsudo.template.cgcs 
debian/ldapscripts/etc/ldapscripts ++ install -m 644 ldapmodsudo.template.cgcs debian/ldapscripts/etc/ldapscripts ++ install -m 600 ldapscripts.passwd debian/ldapscripts/etc/ldapscripts + rm -rf ./debian/ldapscripts/usr/local/etc/ldapscripts/ldapaddmachine.template.sample + + override_dh_installdocs: +@@ -31,6 +31,6 @@ override_dh_installexamples: + override_dh_fixperms: + dh_fixperms --exclude etc/ldapscripts/ldapscripts.passwd + chmod 440 ./debian/ldapscripts/usr/lib/ldapscripts/runtime +- chmod 440 ./debian/ldapscripts/usr/local/etc/ldapscripts/ldapaddgroup.template.sample +- chmod 440 ./debian/ldapscripts/usr/local/etc/ldapscripts/ldapadduser.template.sample +- chmod 440 ./debian/ldapscripts/usr/local/etc/ldapscripts/ldapscripts.conf.sample ++ chmod 440 ./debian/ldapscripts/etc/ldapscripts/ldapaddgroup.template.sample ++ chmod 440 ./debian/ldapscripts/etc/ldapscripts/ldapadduser.template.sample ++ chmod 440 ./debian/ldapscripts/etc/ldapscripts/ldapscripts.conf.sample +-- +2.30.2 + diff --git a/ldap/ldapscripts/debian/deb_patches/series b/ldap/ldapscripts/debian/deb_patches/series index 916363b3f..ba0706b33 100644 --- a/ldap/ldapscripts/debian/deb_patches/series +++ b/ldap/ldapscripts/debian/deb_patches/series @@ -1,2 +1,3 @@ debian-install-cgcs-files.patch debian-align-permission-with-centos.patch +install-ldapscripts-files-to-etc.patch diff --git a/ldap/ldapscripts/debian/patches/install-ldapscripts-files-to-etc.patch b/ldap/ldapscripts/debian/patches/install-ldapscripts-files-to-etc.patch new file mode 100644 index 000000000..c8241baf6 --- /dev/null +++ b/ldap/ldapscripts/debian/patches/install-ldapscripts-files-to-etc.patch 
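Review bot: The added `ldapmoduser.template.cgcs` line targets `debian/ldapscripts//etc/ldapscripts` with a doubled slash, unlike the other six install lines. It resolves to the same directory but should read `install -m 644 ldapmoduser.template.cgcs debian/ldapscripts/etc/ldapscripts`. Both `$(MAKE) install` calls in `override_dh_auto_install` now pass the same ETCDIR, so the second presumably re-creates the `*.sample` files that the earlier `rm debian/ldapscripts/etc/ldapscripts/*.sample` removed. The `chmod 440` lines in `override_dh_fixperms` suggest that is intended, but a short comment in the rules file saying so would help the next maintainer.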
@@ -0,0 +1,38 @@ +From afac530d7bd2754980d519e479777b918db18cd0 Mon Sep 17 00:00:00 2001 +From: Bin Qian +Date: Wed, 27 Apr 2022 22:06:27 +0000 +Subject: [PATCH] install ldapscripts files to /etc + +Deploy ldapscripts config files to /etc/ldapscripts as it was done +originally. We no longer need to use sed to modify the path. + +Signed-off-by: Bin Qian +--- + Makefile | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/Makefile b/Makefile +index d490f9e..ba1d93e 100644 +--- a/Makefile ++++ b/Makefile +@@ -30,7 +30,7 @@ VERSION = 2.0.8 + # Default installation paths + SBINDIR = $(PREFIX)/sbin + MANDIR = $(PREFIX)/man +-ETCDIR = $(PREFIX)/etc/$(NAME) ++ETCDIR = /etc/$(NAME) + LIBDIR = $(PREFIX)/lib/$(NAME) + + # Files to install +@@ -84,7 +84,7 @@ help: + configure: + @echo -n 'Configuring scripts... ' + @sed 's|^BINDPWDFILE=.*|BINDPWDFILE="$(ETCDIR)/$(PWDFILE)"|g' 'etc/$(ETCFILE)' > 'etc/$(ETCFILE).patched' +- @sed '/^_CONFIGFILE=/s|^\(.*"\).*\(".*\)|\1$(ETCDIR)/$(ETCFILE)\2|g' 'lib/$(RUNFILE)' > 'lib/$(RUNFILE).patched' ++ @cp 'lib/$(RUNFILE)' 'lib/$(RUNFILE).patched' + @for i in $(SBINFILES) ; do \ + sed 's|^_RUNTIMEFILE=.*|_RUNTIMEFILE="$(LIBDIR)/$(RUNFILE)"|g' "sbin/$$i" > "sbin/$$i.patched" ; \ + done +-- +2.30.2 + diff --git a/ldap/ldapscripts/debian/patches/series b/ldap/ldapscripts/debian/patches/series index e51d3e41d..1f8162336 100644 --- a/ldap/ldapscripts/debian/patches/series +++ b/ldap/ldapscripts/debian/patches/series @@ -4,3 +4,4 @@ log_timestamp.patch ldap-user-setup-support.patch allow-anonymous-bind-for-ldap-search.patch ldapscripts-templates.patch +install-ldapscripts-files-to-etc.patch diff --git a/ldap/ldapscripts/files/install-ldapscripts-files-to-etc.patch b/ldap/ldapscripts/files/install-ldapscripts-files-to-etc.patch new file mode 100644 index 000000000..25bc5bd5c --- /dev/null +++ b/ldap/ldapscripts/files/install-ldapscripts-files-to-etc.patch 
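Review bot: Replacing the `_CONFIGFILE` sed with `cp 'lib/$(RUNFILE)' 'lib/$(RUNFILE).patched'` means the runtime keeps whatever config path is written in `lib/$(RUNFILE)`, while `BINDPWDFILE` on the line above still follows `$(ETCDIR)`. If ETCDIR is overridden on the make command line (debian/rules does pass it), the config file location and the bind password file location can diverge without any build error. Keeping the original sed would presumably cost nothing, since with `ETCDIR = /etc/$(NAME)` it should write the same path. Otherwise add a comment above the `cp`, such as `# _CONFIGFILE in lib/$(RUNFILE) must already point at /etc/$(NAME)/$(ETCFILE)`. The identical patch under ldap/ldapscripts/files/ has the same issue, and the `configure` target continues outside the hunk.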
@@ -0,0 +1,38 @@ +From ff3f64dadeb81a9224acaf62ce564d940f582d7c Mon Sep 17 00:00:00 2001 +From: Bin Qian +Date: Fri, 29 Apr 2022 10:54:08 -0400 +Subject: [PATCH] install ldapscripts files to /etc + +Deploy ldapscripts config files to /etc/ldapscripts as it was done +originally. We no longer need to use sed to modify the path. + +Signed-off-by: Bin Qian +--- + Makefile | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/Makefile b/Makefile +index 6e5b193..7585602 100644 +--- a/Makefile ++++ b/Makefile +@@ -30,7 +30,7 @@ VERSION = 2.0.8 + # Default installation paths + SBINDIR = $(PREFIX)/sbin + MANDIR = $(PREFIX)/man +-ETCDIR = $(PREFIX)/etc/$(NAME) ++ETCDIR = /etc/$(NAME) + LIBDIR = $(PREFIX)/lib/$(NAME) + + # Files to install +@@ -85,7 +85,7 @@ help: + configure: + @echo -n 'Configuring scripts... ' + @sed 's|^BINDPWDFILE=.*|BINDPWDFILE="$(ETCDIR)/$(PWDFILE)"|g' 'etc/$(ETCFILE)' > 'etc/$(ETCFILE).patched' +- @sed '/^_CONFIGFILE=/s|^\(.*"\).*\(".*\)|\1$(ETCDIR)/$(ETCFILE)\2|g' 'lib/$(RUNFILE)' > 'lib/$(RUNFILE).patched' ++ @cp 'lib/$(RUNFILE)' 'lib/$(RUNFILE).patched' + @for i in $(SBINFILES) ; do \ + sed 's|^_RUNTIMEFILE=.*|_RUNTIMEFILE="$(LIBDIR)/$(RUNFILE)"|g' "sbin/$$i" > "sbin/$$i.patched" ; \ + done +-- +2.29.2 + diff --git a/ldap/ldapscripts/files/ldapscripts.conf.cgcs b/ldap/ldapscripts/files/ldapscripts.conf.cgcs index 9350dd37d..3f879d07d 100755 --- a/ldap/ldapscripts/files/ldapscripts.conf.cgcs +++ b/ldap/ldapscripts/files/ldapscripts.conf.cgcs 
@@ -37,7 +37,7 @@ BINDDN="cn=ldapadmin,dc=cgcs,dc=local" # The following file contains the raw password of the BINDDN # Create it with something like : echo -n 'secret' > $BINDPWDFILE # WARNING !!!! Be careful not to make this file world-readable -BINDPWDFILE="/usr/local/etc/ldapscripts/ldapscripts.passwd" +BINDPWDFILE="/etc/ldapscripts/ldapscripts.passwd" # For older versions of OpenLDAP, it is still possible to use # unsecure command-line passwords by defining the following option # AND commenting the previous one (BINDPWDFILE takes precedence) @@ -144,9 +144,9 @@ GETENTGRCMD="getent group" #GTEMPLATE="/path/to/ldapaddgroup.template" #UTEMPLATE="/path/to/ldapadduser.template" #MTEMPLATE="/path/to/ldapaddmachine.template" -GTEMPLATE="/usr/local/etc/ldapscripts/ldapaddgroup.template.cgcs" -UTEMPLATE="/usr/local/etc/ldapscripts/ldapadduser.template.cgcs" -UMTEMPLATE="/usr/local/etc/ldapscripts/ldapmoduser.template.cgcs" -STEMPLATE="/usr/local/etc/ldapscripts/ldapaddsudo.template.cgcs" -SMTEMPLATE="/usr/local/etc/ldapscripts/ldapmodsudo.template.cgcs" +GTEMPLATE="/etc/ldapscripts/ldapaddgroup.template.cgcs" +UTEMPLATE="/etc/ldapscripts/ldapadduser.template.cgcs" +UMTEMPLATE="/etc/ldapscripts/ldapmoduser.template.cgcs" +STEMPLATE="/etc/ldapscripts/ldapaddsudo.template.cgcs" +SMTEMPLATE="/etc/ldapscripts/ldapmodsudo.template.cgcs" MTEMPLATE=""
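Review bot: `BINDPWDFILE` now points at /etc/ldapscripts/ldapscripts.passwd, but this diff does not show what happens to an existing /usr/local/etc/ldapscripts/ldapscripts.passwd on systems upgraded from 21.12. That file holds the raw BINDDN password according to the comment above it, so confirm the upgrade path moves the provisioned password to the new location with mode 600 and removes the old copy. Any provisioning code that writes the password file or reads the template paths also has to use the new /etc/ldapscripts locations; that code is outside this diff.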