From 56ec124f25404c57518053da31f9dd2c67f297ac Mon Sep 17 00:00:00 2001
From: Benjamin Sherman
Date: Sat, 24 Aug 2024 14:39:56 -0500
Subject: [PATCH 1/3] fix: gssproxy.service failing to start

Fixes: #165

This workaround should correct the gssproxy.service failure to start by using tmpfiles to create the missing directories in /var/lib and a service to restore the selinux labels on them.
---
 ucore/post-install-ucore-minimal.sh | 2 ++
 .../lib/systemd/system/gssproxy-workaround.service | 12 ++++++++++++
 .../usr/lib/tmpfiles.d/gssproxy-workaround.conf | 3 +++
 3 files changed, 17 insertions(+)
 create mode 100644 ucore/system_files/usr/lib/systemd/system/gssproxy-workaround.service
 create mode 100644 ucore/system_files/usr/lib/tmpfiles.d/gssproxy-workaround.conf

diff --git a/ucore/post-install-ucore-minimal.sh b/ucore/post-install-ucore-minimal.sh
index 0143d38..17d73c2 100755
--- a/ucore/post-install-ucore-minimal.sh
+++ b/ucore/post-install-ucore-minimal.sh
@@ -23,6 +23,8 @@ ln -s /usr/libexec/docker/cli-plugins/docker-compose /usr/bin/docker-compose
 systemctl disable docker.socket
 systemctl disable zincati.service
 
+systemctl enable gssproxy-workaround.service
+
 systemctl enable ucore-paths-provision.service
 systemctl enable rpm-ostreed-automatic.timer
 
diff --git a/ucore/system_files/usr/lib/systemd/system/gssproxy-workaround.service b/ucore/system_files/usr/lib/systemd/system/gssproxy-workaround.service
new file mode 100644
index 0000000..f7cdccb
--- /dev/null
+++ b/ucore/system_files/usr/lib/systemd/system/gssproxy-workaround.service
@@ -0,0 +1,12 @@
+[Unit]
+Description=Workaround to relabel gssproxy files and directories
+ConditionPathIsDirectory=/var/lib/gssproxy/
+After=local-fs.target
+
+[Service]
+Type=oneshot
+ExecStart=-/usr/sbin/restorecon -Rv /var/lib/gssproxy/
+RemainAfterExit=yes
+
+[Install]
+WantedBy=multi-user.target
\ No newline at end of file
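Review bot: Nothing orders this unit relative to gssproxy.service, so on a boot where gssproxy.service happens to start first the relabel lands after the daemon has already failed on the mislabeled directories, which is the very failure the patch is meant to fix; add `Before=gssproxy.service` to the [Unit] section so the relabel is guaranteed to run first. The `-` prefix on `ExecStart=-/usr/sbin/restorecon -Rv /var/lib/gssproxy/` makes a restorecon failure non-fatal while `RemainAfterExit=yes` then reports the unit as active, so a failed relabel is invisible in `systemctl status` until gssproxy breaks again; since the unit exists only to relabel, drop the `-` and let it fail loudly. `-v` on a recursive restorecon also writes one journal line per file on every boot; `-R` alone is enough here. The file is missing its trailing newline.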
diff --git a/ucore/system_files/usr/lib/tmpfiles.d/gssproxy-workaround.conf b/ucore/system_files/usr/lib/tmpfiles.d/gssproxy-workaround.conf
new file mode 100644
index 0000000..4fdd48b
--- /dev/null
+++ b/ucore/system_files/usr/lib/tmpfiles.d/gssproxy-workaround.conf
@@ -0,0 +1,3 @@
+d /var/lib/gssproxy 0755 root root -
+d /var/lib/gssproxy/clients 0755 root root -
+d /var/lib/gssproxy/rcache 0755 root root -
\ No newline at end of file

From c1595176ab1e1b907546c17d95ce11145c717b26 Mon Sep 17 00:00:00 2001
From: Benjamin Sherman
Date: Sat, 24 Aug 2024 15:47:16 -0500
Subject: [PATCH 2/3] fix: swtpm and libvirt selinux issues on ucore-hci

Fixes: #190

I've run into the swtpm issue on my ucore installs and others have hit libvirt log dir issues. These workarounds were already present in Bluefin. Borrowed the fixes from there.
---
 ucore/post-install-ucore-minimal.sh | 3 +++
 .../systemd/system/libvirt-workaround.service | 13 ++++++++++++
 .../systemd/system/swtpm-workaround.service | 20 +++++++++++++++++++
 .../lib/tmpfiles.d/libvirt-workaround.conf | 1 +
 .../usr/lib/tmpfiles.d/swtpm-workaround.conf | 2 ++
 5 files changed, 39 insertions(+)
 create mode 100644 ucore/system_files/usr/lib/systemd/system/libvirt-workaround.service
 create mode 100644 ucore/system_files/usr/lib/systemd/system/swtpm-workaround.service
 create mode 100644 ucore/system_files/usr/lib/tmpfiles.d/libvirt-workaround.conf
 create mode 100644 ucore/system_files/usr/lib/tmpfiles.d/swtpm-workaround.conf

diff --git a/ucore/post-install-ucore-minimal.sh b/ucore/post-install-ucore-minimal.sh
index 17d73c2..7d4aa89 100755
--- a/ucore/post-install-ucore-minimal.sh
+++ b/ucore/post-install-ucore-minimal.sh
@@ -24,6 +24,9 @@ systemctl disable docker.socket
 systemctl disable zincati.service
 
 systemctl enable gssproxy-workaround.service
+systemctl enable libvirt-workaround.service
+systemctl enable swtpm-workaround.service
+
 
 systemctl enable ucore-paths-provision.service
 systemctl enable rpm-ostreed-automatic.timer
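Review bot: The three `d` lines hard-code `0755 root root`, and a tmpfiles `d` entry does not only create a missing directory, it re-applies the given mode and owner to an existing one on every boot, so if the gssproxy package ships `/var/lib/gssproxy/rcache` (its Kerberos replay-cache directory) or `clients` with a tighter mode, this file silently widens it at each boot. I cannot see the packaged mode from the diff, so take the mode/owner from the package itself (`rpm -q --dump gssproxy` on the image) rather than defaulting to 0755, or use `-` for mode/owner so only creation happens. A one-line comment would also record why the file exists and when it can go, e.g. `# Workaround for #165: recreate the gssproxy state dirs missing from the image; drop once the package ships them`. The file is missing its trailing newline.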
diff --git a/ucore/system_files/usr/lib/systemd/system/libvirt-workaround.service b/ucore/system_files/usr/lib/systemd/system/libvirt-workaround.service
new file mode 100644
index 0000000..440e056
--- /dev/null
+++ b/ucore/system_files/usr/lib/systemd/system/libvirt-workaround.service
@@ -0,0 +1,13 @@
+[Unit]
+Description=Workaround to relabel libvirt files and directories
+ConditionPathIsDirectory=/var/lib/libvirt/
+After=local-fs.target
+
+[Service]
+Type=oneshot
+ExecStart=-/usr/sbin/restorecon -Rv /var/lib/libvirt/
+ExecStart=-/usr/sbin/restorecon -Rv /var/log/libvirt/
+RemainAfterExit=yes
+
+[Install]
+WantedBy=multi-user.target
diff --git a/ucore/system_files/usr/lib/systemd/system/swtpm-workaround.service b/ucore/system_files/usr/lib/systemd/system/swtpm-workaround.service
new file mode 100644
index 0000000..b4cd40d
--- /dev/null
+++ b/ucore/system_files/usr/lib/systemd/system/swtpm-workaround.service
@@ -0,0 +1,20 @@
+[Unit]
+Description=Workaround swtpm not having the correct label
+ConditionFileIsExecutable=/usr/bin/swtpm
+After=local-fs.target
+
+[Service]
+Type=oneshot
+# Copy if it doesn't exist
+ExecStartPre=/usr/bin/bash -c "[ -x /usr/local/bin/overrides/swtpm ] || /usr/bin/cp /usr/bin/swtpm /usr/local/bin/overrides/swtpm"
+# This is faster than using .mount unit. Also allows for the previous line/cleanup
+ExecStartPre=/usr/bin/mount --bind /usr/local/bin/overrides/swtpm /usr/bin/swtpm
+# Fix SELinux label
+ExecStart=/usr/sbin/restorecon /usr/bin/swtpm
+# Clean-up after ourselves
+ExecStop=/usr/bin/umount /usr/bin/swtpm
+ExecStop=/usr/bin/rm /usr/local/bin/overrides/swtpm
+RemainAfterExit=yes
+
+[Install]
+WantedBy=multi-user.target
diff --git a/ucore/system_files/usr/lib/tmpfiles.d/libvirt-workaround.conf b/ucore/system_files/usr/lib/tmpfiles.d/libvirt-workaround.conf
new file mode 100644
index 0000000..4af298b
--- /dev/null
+++ b/ucore/system_files/usr/lib/tmpfiles.d/libvirt-workaround.conf
@@ -0,0 +1 @@
+d /var/log/libvirt 0750 - - - -
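Review bot: Both ExecStart lines carry the `-` prefix, so a restorecon failure on either path leaves the unit active under `RemainAfterExit=yes` with nothing to flag it, and the second relabel (`/var/log/libvirt/`) is additionally skipped whenever `ConditionPathIsDirectory=/var/lib/libvirt/` is false even though the log directory is created independently by the tmpfiles entry in this same patch; drop the `-` on both lines so a failed relabel fails the unit. The unit is also not ordered before the libvirt daemon, so a relabel that runs after the daemon has opened its log directory does not help that boot; `Before=libvirtd.service virtqemud.service` in [Unit] pins it, though which daemon units the ucore-hci image ships is not visible in this diff. `restorecon -Rv` over `/var/lib/libvirt/` prints one line per file under images/ on every boot, so `-R` without `-v` keeps the journal usable.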
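Review bot: The first ExecStartPre only copies when `/usr/local/bin/overrides/swtpm` is absent, and the ExecStop that removes it does not run after a crash or power loss, so after an OS update that ships a patched swtpm the stale copy is bind-mounted over the new `/usr/bin/swtpm` and the security update is silently undone for the TPM emulator the guests depend on. Compare content instead of existence: `ExecStartPre=/usr/bin/bash -c "cmp -s /usr/bin/swtpm /usr/local/bin/overrides/swtpm || /usr/bin/cp -f /usr/bin/swtpm /usr/local/bin/overrides/swtpm"`. The override also lives under /usr/local, which on an rpm-ostree image presumably resolves into mutable /var rather than the signed image, so the unit should say why that copy is trusted, e.g. `# The override is a root-owned copy regenerated from the image on every boot; nothing else may write it`. As with the libvirt unit, a `Before=` on the libvirt daemon units is needed for the fixed label to be in place when swtpm is first spawned.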
diff --git a/ucore/system_files/usr/lib/tmpfiles.d/swtpm-workaround.conf b/ucore/system_files/usr/lib/tmpfiles.d/swtpm-workaround.conf
new file mode 100644
index 0000000..62147f4
--- /dev/null
+++ b/ucore/system_files/usr/lib/tmpfiles.d/swtpm-workaround.conf
@@ -0,0 +1,2 @@
+C /usr/local/bin/overrides/swtpm - - - - /usr/bin/swtpm
+d /var/lib/swtpm-localca 0750 tss tss - -

From 8b77b36ed6f57a0c296a113f2cd88aebdcb7be4b Mon Sep 17 00:00:00 2001
From: Benjamin Sherman
Date: Sat, 24 Aug 2024 17:20:39 -0500
Subject: [PATCH 3/3] fix: cleanup journal noise for selinux errors

Fixes: #193

It may be debatable to fix this... it is log noise, but maybe we should leave it for a more "real" fix? Pushing PR to get feedback.
---
 .../usr/lib/tmpfiles.d/selinux-noise-workaround.conf | 1 +
 1 file changed, 1 insertion(+)
 create mode 100644 ucore/system_files/usr/lib/tmpfiles.d/selinux-noise-workaround.conf

diff --git a/ucore/system_files/usr/lib/tmpfiles.d/selinux-noise-workaround.conf b/ucore/system_files/usr/lib/tmpfiles.d/selinux-noise-workaround.conf
new file mode 100644
index 0000000..8f2a9ce
--- /dev/null
+++ b/ucore/system_files/usr/lib/tmpfiles.d/selinux-noise-workaround.conf
@@ -0,0 +1 @@
+d /var/lib/selinux/targeted/active/modules 0755 - - - -
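Review bot: The `C` line duplicates the copy that swtpm-workaround.service's first ExecStartPre already performs, and both act only when the destination is absent, so between them there is no path that refreshes `/usr/local/bin/overrides/swtpm` after the image's swtpm changes, while two components now contend for the same file at boot. Keep the copy in exactly one place, the unit, where it can be conditioned on content rather than existence, and drop this `C` line. The `d /var/lib/swtpm-localca 0750 tss tss - -` entry fails at tmpfiles time if the `tss` user is not present in the image; it presumably comes from the swtpm package, but that is not visible here, so confirm it exists on ucore-hci. A comment tying the two files together would help the next reader: `# Workaround for #190: see swtpm-workaround.service`.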
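Review bot: Creating `/var/lib/selinux/targeted/active/modules` by hand puts an empty directory into the SELinux policy store with an explicit `0755`, and a tmpfiles `d` entry re-applies that mode on every boot even if the policy package later ships the directory with a stricter one; the mode and owner should be taken from what selinux-policy-targeted / libsemanage actually create rather than defaulted, and whether an empty module directory changes how libsemanage treats the store is something I cannot confirm from this diff and is worth checking before merging. Since the description itself calls the fix debatable, the file should carry the reason and the removal condition so it does not outlive the bug, e.g. `# Workaround for #193: silence SELinux journal noise about the missing module store dir; remove once the image ships it`.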