From cef86a8a62df7b00eb360ba7c437f8a2f3915658 Mon Sep 17 00:00:00 2001
From: fiftydinar <65243233+fiftydinar@users.noreply.github.com>
Date: Thu, 8 Aug 2024 17:51:20 +0200
Subject: [PATCH 1/4] docs(files): Recommend to put files in `/etc/` instead in `
This also modifies build-time part of modules to work with `/etc/` instead of `/usr/etc/`
---
 modules/brew/brew-nofile-limits-logic.sh | 12 +++------
 modules/brew/brew.sh | 24 ++++++++---------
 modules/default-flatpaks/default-flatpaks.sh | 12 ++++-----
 modules/files/README.md | 28 +++++++++-----------
 modules/signing/signing.sh | 10 +++---
 modules/yafti/yafti.sh | 2 +-
 6 files changed, 40 insertions(+), 48 deletions(-)
diff --git a/modules/brew/brew-nofile-limits-logic.sh b/modules/brew/brew-nofile-limits-logic.sh
index 8950af1..7189be3 100644
--- a/modules/brew/brew-nofile-limits-logic.sh
+++ b/modules/brew/brew-nofile-limits-logic.sh
@@ -9,7 +9,7 @@ set -euo pipefail
 DESIRED_SOFT_LIMIT=4096
 DESIRED_HARD_LIMIT=524288
-BREW_LIMITS_D_CONFIG="/usr/etc/security/limits.d/zz1-brew-limits.conf"
+BREW_LIMITS_D_CONFIG="/etc/security/limits.d/zz1-brew-limits.conf"
 BREW_SYSTEMD_SYSTEM_CONFIG="/usr/lib/systemd/system.conf.d/zz1-brew-limits.conf"
 BREW_SYSTEMD_USER_CONFIG="/usr/lib/systemd/user.conf.d/zz1-brew-limits.conf"
@@ -17,8 +17,6 @@ BREW_SYSTEMD_USER_CONFIG="/usr/lib/systemd/user.conf.d/zz1-brew-limits.conf"
 # From least to most preferred
 SSH_TTY_LIMIT_ORDER=(
-"/usr/etc/security/limits.conf"
-"/usr/etc/security/limits.d/"
 "/etc/security/limits.conf"
 "/etc/security/limits.d/"
 )
@@ -54,8 +52,6 @@ fi
 SYSTEMD_SYSTEM_LIMIT_ORDER=(
 "/usr/lib/systemd/system.conf"
 "/usr/lib/systemd/system.conf.d/"
-"/usr/etc/systemd/system.conf"
-"/usr/etc/systemd/system.conf.d/"
 "/etc/systemd/system.conf"
 "/etc/systemd/system.conf.d/"
 )
@@ -87,8 +83,6 @@ fi
 SYSTEMD_USER_LIMIT_ORDER=(
 "/usr/lib/systemd/user.conf"
 "/usr/lib/systemd/user.conf.d/"
-"/usr/etc/systemd/user.conf"
-"/usr/etc/systemd/user.conf.d/"
 "/etc/systemd/user.conf"
 "/etc/systemd/user.conf.d/"
 )
@@ -140,8 +134,8 @@ echo "SystemD user hard nofile limit: $(check_and_print ${CURRENT_SYSTEMD_USER_H
 # Write SSH/TTY nolimit values
 if [[ "${CURRENT_SSH_TTY_SOFT_VALUE}" -lt "${DESIRED_SOFT_LIMIT}" ]] || [[ "${CURRENT_SSH_TTY_HARD_VALUE}" -lt "${DESIRED_HARD_LIMIT}" ]]; then
- if [[ ! -d "/usr/etc/security/limits.d/" ]]; then
- mkdir -p "/usr/etc/security/limits.d/"
+ if [[ ! -d "/etc/security/limits.d/" ]]; then
+ mkdir -p "/etc/security/limits.d/"
 fi
 echo "# This file sets the resource limits for users logged in via PAM,
 # more specifically, users logged in via SSH or tty (console).
diff --git a/modules/brew/brew.sh b/modules/brew/brew.sh
index 3b1831a..a10402d 100644
--- a/modules/brew/brew.sh
+++ b/modules/brew/brew.sh
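Review bot: The `if [[ ! -d "/etc/security/limits.d/" ]]; then mkdir -p ...; fi` guard in the last hunk is redundant, since `mkdir -p` already succeeds on an existing directory, and it hard-codes a directory that `BREW_LIMITS_D_CONFIG` (set in the first hunk) already encodes; `mkdir -p "$(dirname "${BREW_LIMITS_D_CONFIG}")"` keeps the two from drifting apart on the next path change. The same test-then-`mkdir -p` pattern appears in the brew.sh hunk for `/etc/profile.d/` and in the signing.sh hunks for `pki/containers`. The `echo` that follows is the start of the limits.d file body and runs past the end of the hunk, so its redirection target is not visible here.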
@@ -188,19 +188,19 @@ EOF
 # Fish already includes this fix in brew-fish-completions.sh
 # By default Brew applies the shell environment changes globally, which causes path conflicts between system & brew installed programs with same name.
 # Universal Blue images include this same fix
-if [[ ! -d "/usr/etc/profile.d/" ]]; then
- mkdir -p "/usr/etc/profile.d/"
+if [[ ! -d "/etc/profile.d/" ]]; then
+ mkdir -p "/etc/profile.d/"
 fi
-if [[ ! -f "/usr/etc/profile.d/brew.sh" ]]; then
+if [[ ! -f "/etc/profile.d/brew.sh" ]]; then
 echo "Apply brew path export fix, to solve path conflicts between system & brew programs with same name"
 echo "#!/usr/bin/env bash
-[[ -d /home/linuxbrew/.linuxbrew && $- == *i* ]] && eval "$(/home/linuxbrew/.linuxbrew/bin/brew shellenv)"" > "/usr/etc/profile.d/brew.sh"
+[[ -d /home/linuxbrew/.linuxbrew && $- == *i* ]] && eval "$(/home/linuxbrew/.linuxbrew/bin/brew shellenv)"" > "/etc/profile.d/brew.sh"
 fi
 # Copy shell configuration files
 echo "Copying Brew bash & fish shell completions"
 cp -r "${MODULE_DIRECTORY}"/brew/brew-fish-completions.fish /usr/share/fish/vendor_conf.d/brew-fish-completions.fish
-cp -r "${MODULE_DIRECTORY}"/brew/brew-bash-completions.sh /usr/etc/profile.d/brew-bash-completions.sh
+cp -r "${MODULE_DIRECTORY}"/brew/brew-bash-completions.sh /etc/profile.d/brew-bash-completions.sh
 # Register path symlink
 # We do this via tmpfiles.d so that it is created by the live system.
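Review bot: The profile.d body is written with a double-quoted `echo`, so `$-` is expanded by the build shell, and because the `"` before `$(/home/linuxbrew/.linuxbrew/bin/brew shellenv)` closes that string, the substitution runs unquoted at build time (where brew is not installed yet) instead of being written literally. If the hunk reflects the file's actual quoting, `/etc/profile.d/brew.sh` ends up containing the build shell's flag string in place of `$-`, the `*i*` test can never match in a login shell on the deployed system, and the fix is a no-op. Writing the body through a quoted heredoc preserves both expansions for the login shell; the enclosing `if` is shown in full below so the change is self-contained.
```shell
if [[ ! -f "/etc/profile.d/brew.sh" ]]; then
  # … unchanged: progress message …
  cat > "/etc/profile.d/brew.sh" <<'EOF'
#!/usr/bin/env bash
[[ -d /home/linuxbrew/.linuxbrew && $- == *i* ]] && eval "$(/home/linuxbrew/.linuxbrew/bin/brew shellenv)"
EOF
fi
```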
@@ -240,24 +240,24 @@ fi
 # Disable homebrew analytics if the flag is set to false
 # like secureblue: https://github.com/secureblue/secureblue/blob/live/config/scripts/homebrewanalyticsoptout.sh
 if [[ "${BREW_ANALYTICS}" == false ]]; then
- if [[ ! -f "/usr/etc/environment" ]]; then
- echo "" > "/usr/etc/environment" # touch fails for some reason, probably a bug with it
+ if [[ ! -f "/etc/environment" ]]; then
+ echo "" > "/etc/environment" # touch fails for some reason, probably a bug with it
 fi
- CURRENT_ENVIRONMENT=$(cat "/usr/etc/environment")
- CURRENT_HOMEBREW_CONFIG=$(awk -F= '/HOMEBREW_NO_ANALYTICS/ {print $0}' "/usr/etc/environment")
+ CURRENT_ENVIRONMENT=$(cat "/etc/environment")
+ CURRENT_HOMEBREW_CONFIG=$(awk -F= '/HOMEBREW_NO_ANALYTICS/ {print $0}' "/etc/environment")
 if [[ -n "${CURRENT_ENVIRONMENT}" ]]; then
 if [[ "${CURRENT_HOMEBREW_CONFIG}" == "HOMEBREW_NO_ANALYTICS=0" ]]; then
 echo "Disabling Brew analytics"
- sed -i 's/HOMEBREW_NO_ANALYTICS=0/HOMEBREW_NO_ANALYTICS=1/' "/usr/etc/environment"
+ sed -i 's/HOMEBREW_NO_ANALYTICS=0/HOMEBREW_NO_ANALYTICS=1/' "/etc/environment"
 elif [[ -z "${CURRENT_HOMEBREW_CONFIG}" ]]; then
 echo "Disabling Brew analytics"
- echo "HOMEBREW_NO_ANALYTICS=1" >> "/usr/etc/environment"
+ echo "HOMEBREW_NO_ANALYTICS=1" >> "/etc/environment"
 elif [[ "${CURRENT_HOMEBREW_CONFIG}" == "HOMEBREW_NO_ANALYTICS=1" ]]; then
 echo "Brew analytics are already disabled!"
 fi
 elif [[ -z "${CURRENT_ENVIRONMENT}" ]]; then
 echo "Disabling Brew analytics"
- echo "HOMEBREW_NO_ANALYTICS=1" > "/usr/etc/environment"
+ echo "HOMEBREW_NO_ANALYTICS=1" > "/etc/environment"
 fi
 fi
diff --git a/modules/default-flatpaks/default-flatpaks.sh b/modules/default-flatpaks/default-flatpaks.sh
index 18af9b1..b1ca239 100644
--- a/modules/default-flatpaks/default-flatpaks.sh
+++ b/modules/default-flatpaks/default-flatpaks.sh
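Review bot: The `awk -F= '/HOMEBREW_NO_ANALYTICS/ {print $0}'` filter on the new `/etc/environment` line is unanchored, so a commented-out `#HOMEBREW_NO_ANALYTICS=1`, a value other than `0` or `1`, or two matching lines all produce a `CURRENT_HOMEBREW_CONFIG` that matches none of the three branches, and the script then leaves analytics enabled without reporting it. Anchoring the match, `CURRENT_HOMEBREW_CONFIG=$(awk '/^HOMEBREW_NO_ANALYTICS=/' "/etc/environment")`, and closing the inner chain with `else printf 'Unrecognized HOMEBREW_NO_ANALYTICS setting: %s\n' "${CURRENT_HOMEBREW_CONFIG}" >&2` makes the opt-out fail loudly instead. The `-F=` option is unused since the program prints `$0` whole.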
@@ -145,7 +145,7 @@ check_flatpak_id_validity_from_flathub () {
 echo "Enabling flatpaks module"
 mkdir -p /usr/share/bluebuild/default-flatpaks/{system,user}
-mkdir -p /usr/etc/bluebuild/default-flatpaks/{system,user}
+mkdir -p /etc/bluebuild/default-flatpaks/{system,user}
 systemctl enable -f system-flatpak-setup.service
 systemctl enable -f --global user-flatpak-setup.service
@@ -185,8 +185,8 @@ echo "$NOTIFICATIONS" >> "$CONFIG_NOTIFICATIONS"
 echo "Copying user modification template files"
-cp -r "$MODULE_DIRECTORY"/default-flatpaks/user-config/system/install /usr/etc/bluebuild/default-flatpaks/system/install
-cp -r "$MODULE_DIRECTORY"/default-flatpaks/user-config/system/remove /usr/etc/bluebuild/default-flatpaks/system/remove
-cp -r "$MODULE_DIRECTORY"/default-flatpaks/user-config/user/install /usr/etc/bluebuild/default-flatpaks/user/install
-cp -r "$MODULE_DIRECTORY"/default-flatpaks/user-config/user/remove /usr/etc/bluebuild/default-flatpaks/user/remove
-cp -r "$MODULE_DIRECTORY"/default-flatpaks/user-config/notifications /usr/etc/bluebuild/default-flatpaks/notifications
+cp -r "$MODULE_DIRECTORY"/default-flatpaks/user-config/system/install /etc/bluebuild/default-flatpaks/system/install
+cp -r "$MODULE_DIRECTORY"/default-flatpaks/user-config/system/remove /etc/bluebuild/default-flatpaks/system/remove
+cp -r "$MODULE_DIRECTORY"/default-flatpaks/user-config/user/install /etc/bluebuild/default-flatpaks/user/install
+cp -r "$MODULE_DIRECTORY"/default-flatpaks/user-config/user/remove /etc/bluebuild/default-flatpaks/user/remove
+cp -r "$MODULE_DIRECTORY"/default-flatpaks/user-config/notifications /etc/bluebuild/default-flatpaks/notifications
diff --git a/modules/files/README.md b/modules/files/README.md
index 84b6ef0..cadcb75 100644
--- a/modules/files/README.md
+++ b/modules/files/README.md
@@ -1,27 +1,25 @@
 # `files`
 The `files` module can be used to copy directories from `files/` to
-any location in your image at build time, as long as the location exists at
-build time (e.g. you can't put files in `/home//`, because users
+any location in your image at build-time, as long as the location exists at
+build-time (e.g. you can't put files in `/home//`, because users
 haven't been created yet prior to first boot).
 :::note
-If you want to place files into `/etc/`, there are two ways to do it:
+Don't copy files directly to `/usr/etc/` in build-time, but copy those to `/etc/` instead,
+due to the nature of how `ostree` handles `/usr/etc/` & `/etc/` relationship.
-1. copying a directory in `files/` directly to `/etc` to add all of its
- files at build time, or
-2. putting the files you want there in `/usr/etc/` as part of copying things
- over to `/usr/`, which `rpm-ostree` will then copy to `/etc/` at runtime/boot.
+`/usr/etc/` is empty in build-time, while `/etc/` is populated from the base image & changes that you do to it afterwards.
+`/etc/` is then automatically merged to `/usr/etc/` in build-time by `ostree`.
-Typically, you will want to use the latter option (putting files in `/usr/etc/`)
-in almost all cases, since that is the proper directory for "system"
+So this means that copying files to `/etc/` in build-time is actually copying it to `/usr/etc/` as an end result.
+
+While copying files to `/usr/etc/` directly in build-time didn't cause any harm,
+the mentioned way above is the more correct one.
+
+In run-time, `/usr/etc/` is the directory for "system"
 configuration templates on atomic Fedora distros, whereas `/etc/` is meant for
-manual overrides and editing by the machine's admin *after* installation (see
-issue https://github.com/blue-build/legacy-template/issues/28). However, if you
-really need something to be in `/etc/` *at build time* --- for instance, if you
-for some reason need to place a repo file in `/etc/yum.repos.d/` in such a way
-that it is used by a `rpm-ostree` module later on --- then the former option
-will be necessary.
+manual overrides and editing by the machine's admin *after* installation.
 :::
 :::caution
diff --git a/modules/signing/signing.sh b/modules/signing/signing.sh
index 42081bc..dec5691 100644
--- a/modules/signing/signing.sh
+++ b/modules/signing/signing.sh
@@ -3,7 +3,7 @@
 # Tell build process to exit if there are any errors.
 set -euo pipefail
-CONTAINER_DIR="/usr/etc/containers"
+CONTAINER_DIR="/etc/containers"
 MODULE_DIRECTORY="${MODULE_DIRECTORY:-"/tmp/modules"}"
 IMAGE_NAME_FILE="${IMAGE_NAME//\//_}"
@@ -18,16 +18,16 @@ if ! [ -d $CONTAINER_DIR/registries.d ]; then
 mkdir -p "$CONTAINER_DIR/registries.d"
 fi
-if ! [ -d "/usr/etc/pki/containers" ]; then
- mkdir -p "/usr/etc/pki/containers"
+if ! [ -d "/etc/pki/containers" ]; then
+ mkdir -p "/etc/pki/containers"
 fi
 if ! [ -f "$CONTAINER_DIR/policy.json" ]; then
 cp "$MODULE_DIRECTORY/signing/policy.json" "$CONTAINER_DIR/policy.json"
 fi
-if ! [ -f "/usr/etc/pki/containers/$IMAGE_NAME_FILE.pub" ]; then
- cp "/usr/share/ublue-os/cosign.pub" "/usr/etc/pki/containers/$IMAGE_NAME_FILE.pub"
+if ! [ -f "/etc/pki/containers/$IMAGE_NAME_FILE.pub" ]; then
+ cp "/usr/share/ublue-os/cosign.pub" "/etc/pki/containers/$IMAGE_NAME_FILE.pub"
 fi
 POLICY_FILE="$CONTAINER_DIR/policy.json"
diff --git a/modules/yafti/yafti.sh b/modules/yafti/yafti.sh
index b51ccd2..3bedc6c 100644
--- a/modules/yafti/yafti.sh
+++ b/modules/yafti/yafti.sh
@@ -14,7 +14,7 @@ cp -n "$MODULE_DIRECTORY/yafti/yafti.yml" "$FIRSTBOOT_DATA/yafti.yml" || true
 cp -r "$MODULE_DIRECTORY/yafti/launcher/" "$FIRSTBOOT_DATA"
 FIRSTBOOT_SCRIPT="${FIRSTBOOT_DATA}/launcher/login-profile.sh"
-PROFILED_DIR="/usr/etc/profile.d"
+PROFILED_DIR="/etc/profile.d"
 FIRSTBOOT_LINK="${PROFILED_DIR}/ublue-firstboot.sh"
 echo "Installing python3-pip and libadwaita"
From c37f2181ea3f86fb1b993cfe56a13e7d715471ae Mon Sep 17 00:00:00 2001
From: fiftydinar <65243233+fiftydinar@users.noreply.github.com>
Date: Thu, 8 Aug 2024 18:02:01 +0200
Subject: [PATCH 2/4] docs(files): Revert the `/usr/etc/` & `/etc/` docs
---
 modules/files/README.md | 11 -----------
 1 file changed, 11 deletions(-)
diff --git a/modules/files/README.md b/modules/files/README.md
index cadcb75..ac000d7 100644
--- a/modules/files/README.md
+++ b/modules/files/README.md
@@ -6,17 +6,6 @@ build-time (e.g. you can't put files in `/home//`, because users
 haven't been created yet prior to first boot).
 :::note
-Don't copy files directly to `/usr/etc/` in build-time, but copy those to `/etc/` instead,
-due to the nature of how `ostree` handles `/usr/etc/` & `/etc/` relationship.
-
-`/usr/etc/` is empty in build-time, while `/etc/` is populated from the base image & changes that you do to it afterwards.
-`/etc/` is then automatically merged to `/usr/etc/` in build-time by `ostree`.
-
-So this means that copying files to `/etc/` in build-time is actually copying it to `/usr/etc/` as an end result.
-
-While copying files to `/usr/etc/` directly in build-time didn't cause any harm,
-the mentioned way above is the more correct one.
-
 In run-time, `/usr/etc/` is the directory for "system"
 configuration templates on atomic Fedora distros, whereas `/etc/` is meant for
 manual overrides and editing by the machine's admin *after* installation.
From 904229d014aa0eae0e654786646d96aac1708dad Mon Sep 17 00:00:00 2001
From: fiftydinar <65243233+fiftydinar@users.noreply.github.com>
Date: Sat, 10 Aug 2024 22:33:50 +0200
Subject: [PATCH 3/4] chore: Revert `signing` module transition due to upstream issue
---
 modules/signing/signing.sh | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)
diff --git a/modules/signing/signing.sh b/modules/signing/signing.sh
index dec5691..fb7132d 100644
--- a/modules/signing/signing.sh
+++ b/modules/signing/signing.sh
@@ -3,7 +3,9 @@
 # Tell build process to exit if there are any errors.
 set -euo pipefail
-CONTAINER_DIR="/etc/containers"
+# Don't migrate this module from utilizing `/usr/etc/` to `/etc/` yet, as Ublue needs to solve this issue
+# https://github.com/ublue-os/config/pull/311
+CONTAINER_DIR="/usr/etc/containers"
 MODULE_DIRECTORY="${MODULE_DIRECTORY:-"/tmp/modules"}"
 IMAGE_NAME_FILE="${IMAGE_NAME//\//_}"
@@ -18,16 +20,16 @@ if ! [ -d $CONTAINER_DIR/registries.d ]; then
 mkdir -p "$CONTAINER_DIR/registries.d"
 fi
-if ! [ -d "/etc/pki/containers" ]; then
- mkdir -p "/etc/pki/containers"
+if ! [ -d "/usr/etc/pki/containers" ]; then
+ mkdir -p "/usr/etc/pki/containers"
 fi
 if ! [ -f "$CONTAINER_DIR/policy.json" ]; then
 cp "$MODULE_DIRECTORY/signing/policy.json" "$CONTAINER_DIR/policy.json"
 fi
-if ! [ -f "/etc/pki/containers/$IMAGE_NAME_FILE.pub" ]; then
- cp "/usr/share/ublue-os/cosign.pub" "/etc/pki/containers/$IMAGE_NAME_FILE.pub"
+if ! [ -f "/usr/etc/pki/containers/$IMAGE_NAME_FILE.pub" ]; then
+ cp "/usr/share/ublue-os/cosign.pub" "/usr/etc/pki/containers/$IMAGE_NAME_FILE.pub"
 fi
 POLICY_FILE="$CONTAINER_DIR/policy.json"
From 5a9c87ed1ae052ba0a498d91c4ace8e2c187e6cb Mon Sep 17 00:00:00 2001
From: fiftydinar <65243233+fiftydinar@users.noreply.github.com>
Date: Sat, 10 Aug 2024 22:45:32 +0200
Subject: [PATCH 4/4] docs: Clarify note better regarding /etc
---
 modules/files/README.md | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/modules/files/README.md b/modules/files/README.md
index ac000d7..70e9b85 100644
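Review bot: The `/usr/etc/pki/containers` path is spelled out four times in the second hunk while `CONTAINER_DIR` already carries the `/usr/etc/containers` prefix; since the added comment says this exception is temporary pending the linked upstream issue, a single `PKI_DIR="/usr/etc/pki/containers"` next to `CONTAINER_DIR` would make the eventual migration a one-line change and keep the two directories from diverging again. Separately, the `if ! [ -f "/usr/etc/pki/containers/$IMAGE_NAME_FILE.pub" ]` guard keeps whatever key file already exists under that name, so if a base image ships one and the policy references the key by that path, the policy would keep trusting that key rather than the `cosign.pub` this module installs; a short comment stating whether that is intended would help, e.g. `# keep an existing key so a rebase does not silently replace the trusted signer`. The `if` block whose opening line appears in the hunk header (`registries.d`) starts before the hunk.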
--- a/modules/files/README.md
+++ b/modules/files/README.md
@@ -9,6 +9,11 @@ haven't been created yet prior to first boot).
 In run-time, `/usr/etc/` is the directory for "system"
 configuration templates on atomic Fedora distros, whereas `/etc/` is meant for
 manual overrides and editing by the machine's admin *after* installation.
+
+In build-time, as a custom-image maintainer, you want to copy files to `/etc/`,
+as those are automatically moved to system directory `/usr/etc/` during atomic Fedora image deployment.
+Check out this blog post for more details about this:
+https://blue-build.org/blog/preferring-system-etc/
 :::
 :::caution