| blob | 36d601d5ac8e241ab3318f873fa78481f16efa0c |
1 # ovirt-install-node-stateless
2 # ovirt_setup_libvirtd()
3 # just to get a boot warning to shut up
4 touch /etc/resolv.conf
6 # make libvirtd listen on the external interfaces
7 sed -i -e 's/^#\(LIBVIRTD_ARGS="--listen"\).*/\1/' \
8 /etc/sysconfig/libvirtd
10 # set up qemu daemon to allow outside VNC connections
11 sed -i -e 's/^[[:space:]]*#[[:space:]]*\(vnc_listen = "0.0.0.0"\).*/\1/' \
12 /etc/libvirt/qemu.conf
13 # set up libvirtd to listen on TCP (for kerberos)
14 sed -i -e "s/^[[:space:]]*#[[:space:]]*\(listen_tcp\)\>.*/\1 = 1/" \
15 -e "s/^[[:space:]]*#[[:space:]]*\(listen_tls\)\>.*/\1 = 0/" \
16 /etc/libvirt/libvirtd.conf
18 #ovirt_setup_anyterm()
19 # configure anyterm
20 cat >> /etc/sysconfig/anyterm << \EOF_anyterm
21 ANYTERM_CMD="sudo /usr/bin/virsh console %p"
22 ANYTERM_LOCAL_ONLY=false
23 EOF_anyterm
25 # permit it to run the virsh console
26 echo "anyterm ALL=NOPASSWD: /usr/bin/virsh console *" >> /etc/sudoers
28 # systemd configuration
29 # set default runlevel to multi-user(3)
31 rm -rf /etc/systemd/system/default.target
32 ln -sf /lib/systemd/system/multi-user.target /etc/systemd/system/default.target
34 # setup ovirt-firstboot multi-user dependency
35 cat >> /lib/systemd/system/ovirt-firstboot.service << \EOF_firstboot
36 [Unit]
37 Description=firstboot configuration program (text mode)
38 After=plymouth-quit.service
39 Before=getty@tty1.service
41 [Service]
42 Environment=RUNLEVEL=3
43 ExecStartPre=-/bin/plymouth quit
44 ExecStart=/etc/init.d/ovirt-firstboot start
45 TimeoutSec=0
46 RemainAfterExit=yes
47 Type=oneshot
48 SysVStartPriority=99
49 StandardInput=tty-force
51 [Install]
52 WantedBy=multi-user.target
53 EOF_firstboot
55 systemctl enable ovirt-firstboot.service >/dev/null 2>&1
56 chkconfig --del ovirt-firstboot
58 echo "Configuring IPTables"
59 # here, we need to punch the appropriate holes in the firewall
60 cat > /etc/sysconfig/iptables << \EOF
61 # oVirt automatically generated firewall configuration
62 *filter
63 :INPUT ACCEPT [0:0]
64 :FORWARD ACCEPT [0:0]
65 :OUTPUT ACCEPT [0:0]
66 -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
67 -A INPUT -p icmp -j ACCEPT
68 -A INPUT -i lo -j ACCEPT
69 # SSH
70 -A INPUT -p tcp --dport 22 -j ACCEPT
71 # guest consoles
72 -A INPUT -p tcp -m multiport --dports 5634:6166 -j ACCEPT
73 # migration
74 -A INPUT -p tcp -m multiport --dports 49152:49216 -j ACCEPT
75 # snmp
76 -A INPUT -p udp --dport 161 -j ACCEPT
77 #
78 -A INPUT -j REJECT --reject-with icmp-host-prohibited
79 -A FORWARD -m physdev ! --physdev-is-bridged -j REJECT --reject-with icmp-host-prohibited
80 COMMIT
81 EOF
82 # configure IPv6 firewall, default is all ACCEPT
83 cat > /etc/sysconfig/ip6tables << \EOF
84 # oVirt automatically generated firewall configuration
85 *filter
86 :INPUT ACCEPT [0:0]
87 :FORWARD ACCEPT [0:0]
88 :OUTPUT ACCEPT [0:0]
89 -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
90 -A INPUT -p ipv6-icmp -j ACCEPT
91 -A INPUT -i lo -j ACCEPT
92 # SSH
93 -A INPUT -p tcp --dport 22 -j ACCEPT
94 # guest consoles
95 -A INPUT -p tcp -m multiport --dports 5634:6166 -j ACCEPT
96 # migration
97 -A INPUT -p tcp -m multiport --dports 49152:49216 -j ACCEPT
98 # snmp
99 -A INPUT -p udp --dport 161 -j ACCEPT
100 # unblock ipv6 dhcp response
101 -A INPUT -p udp --dport 546 -j ACCEPT
102 -A INPUT -j REJECT --reject-with icmp6-adm-prohibited
103 -A FORWARD -m physdev ! --physdev-is-bridged -j REJECT --reject-with icmp6-adm-prohibited
104 COMMIT
105 EOF
107 python -m compileall /usr/share/virt-manager
109 echo "Configuring SELinux"
110 # custom module for node specific rules
111 mkdir /tmp/SELinux
112 cd /tmp/SELinux
113 cat > ovirt.te << \EOF_OVIRT_TE
114 module ovirt 1.0;
115 require {
116 type initrc_t;
117 type initrc_tmp_t;
118 type mount_t;
119 type setfiles_t;
120 type shadow_t;
121 type unconfined_t;
122 class file { append mounton open getattr read execute ioctl lock entrypoint };
123 class fd { use };
124 class process { sigchld signull transition noatsecure siginh rlimitinh getattr };
125 class fifo_file { getattr open read write append lock ioctl };
126 class filesystem getattr;
127 class dir { getattr search open read lock ioctl };
128 class socket { read write };
129 class tcp_socket { read write };
130 class udp_socket { read write };
131 class rawip_socket { read write };
132 class netlink_socket { read write };
133 class packet_socket { read write };
134 class unix_stream_socket { read write create ioctl getattr lock setattr append bind connect getopt setopt shutdown connectto };
135 class unix_dgram_socket { read write };
136 class appletalk_socket { read write };
137 class netlink_route_socket { read write };
138 class netlink_firewall_socket { read write };
139 class netlink_tcpdiag_socket { read write };
140 class netlink_nflog_socket { read write };
141 class netlink_xfrm_socket { read write };
142 class netlink_selinux_socket { read write };
143 class netlink_audit_socket { read write };
144 class netlink_ip6fw_socket { read write };
145 class netlink_dnrt_socket { read write };
146 class netlink_kobject_uevent_socket { read write };
147 class tun_socket { read write };
148 class chr_file { getattr read write append ioctl lock open };
149 class lnk_file { getattr read };
150 class sock_file { getattr write open append };
151 }
152 allow mount_t shadow_t:file mounton;
153 allow setfiles_t initrc_tmp_t:file append;
154 type ovirt_exec_t;
155 init_daemon_domain(unconfined_t,ovirt_exec_t)
156 EOF_OVIRT_TE
157 cat > ovirt.fc << \EOF_OVIRT_FC
158 /etc/rc\.d/init\.d/ovirt-firstboot -- gen_context(system_u:object_r:ovirt_exec_t)
159 /etc/rc\.d/init\.d/ovirt-post -- gen_context(system_u:object_r:ovirt_exec_t)
160 EOF_OVIRT_FC
161 make NAME=targeted -f /usr/share/selinux/devel/Makefile
162 semodule -v -i ovirt.pp
163 cd /
164 rm -rf /tmp/SELinux
166 # Workaround for rhbz#755464
167 /sbin/service zfs-fuse stop 2>/dev/null