Use systemd units section to disable kdump and debug-shell

Signed-off-by: Tommy <contact@tommytran.io>
Add missing stamp for postinst2
2024-11-22 17:21:34 -05:00 · 2024-02-27 21:56:58 -07:00 · 2024-02-27 18:48:17 -07:00 · 2024-02-27 18:41:02 -07:00
5 changed files with 36 additions and 26 deletions
--- a/UTM-Chrony.ign
+++ b/UTM-Chrony.ign
@ -191,14 +191,6 @@
      {
        "path": "/etc/systemd/system/multi-user.target.wants/tuned.service",
        "target": "/usr/lib/systemd/system/tuned.service"
      },
      {
        "path": "/etc/systemd/system/kdump.service",
        "target": "/dev/null"
      },
      {
        "path": "/etc/systemd/system/debug-shell.service",
        "target": "/dev/null"
      }
    ]
  },
@ -243,6 +235,16 @@
      {
        "enabled": true,
        "name": "sshd.socket"
      },
      {
        "enabled": false,
        "mask": true,
        "name": "kdump.service"
      },
      {
        "enabled": false,
        "mask": true,
        "name": "debug-shell.service"
      }
    ]
  }
--- a/UTM-Chrony.yml
+++ b/UTM-Chrony.yml
@ -100,6 +100,12 @@ systemd:
      enabled: false
    - name: sshd.socket
      enabled: true
    - name: kdump.service
      enabled: false
      mask: true
    - name: debug-shell.service
      enabled: false
      mask: true
 storage:
  files:
    - path: /etc/zincati/config.d/51-rollout-wariness.toml
@ -178,10 +184,6 @@ storage:
      target: /usr/lib/systemd/system/unbound.service
    - path: /etc/systemd/system/multi-user.target.wants/tuned.service
      target: /usr/lib/systemd/system/tuned.service
    - path: /etc/systemd/system/kdump.service
      target: /dev/null
    - path: /etc/systemd/system/debug-shell.service
      target: /dev/null
 kernel_arguments:
  should_exist:
    - mitigations=auto,nosmt
--- a/etc/pki/rpm-gpg/RPM-GPG-KEY-divested
+++ b/etc/pki/rpm-gpg/RPM-GPG-KEY-divested
@ -26,3 +26,4 @@ ayf77gecLuCVt+LhCH1rFejeIZrl0QEw+udrTYrPt3BWUK2OOIzF8PqLHfyUF+7W
 ZuLgMxj0nGLMqOlPSszrQ6RxmL//GmXkmE3CeDNXV+7SpmMYe07pHzycg8+d/tNq
 EajUfLQJqUYj3m51MnKW2r+QUKjkIYsn4iFfk+2aeY5HX1RalWJ7d4NHJQ==
 =qpX+
 -----END PGP PUBLIC KEY BLOCK-----
--- a/x86-QEMU-Docker.ign
+++ b/x86-QEMU-Docker.ign
@ -217,14 +217,6 @@
      {
        "path": "/etc/systemd/system/multi-user.target.wants/tuned.service",
        "target": "/usr/lib/systemd/system/tuned.service"
      },
      {
        "path": "/etc/systemd/system/kdump.service",
        "target": "/dev/null"
      },
      {
        "path": "/etc/systemd/system/debug-shell.service",
        "target": "/dev/null"
      }
    ]
  },
@ -236,7 +228,7 @@
        "name": "postinst.service"
      },
      {
-        "contents": "[Unit]\nDescription=Initial System Setup Part 2\n# We run this after the packages have been overlayed\nAfter=network-online.target\nConditionPathExists=!/var/lib/%N.stamp\nConditionPathExists=/var/lib/postinst.stamp\n\n[Service]\nType=oneshot\nRemainAfterExit=yes\nExecStart=/usr/bin/echo 'libhardened_malloc.so' | tee /etc/ld.so.preload\nExecStart=/usr/bin/systemctl enable --now firewalld\nExecStart=/usr/bin/firewall-cmd --lockdown-on\nExecStart=/usr/bin/systemctl --no-block reboot\n\n[Install]\nWantedBy=multi-user.target\n",
+        "contents": "[Unit]\nDescription=Initial System Setup Part 2\n# We run this after the packages have been overlayed\nAfter=network-online.target\nConditionPathExists=!/var/lib/%N.stamp\nConditionPathExists=/var/lib/postinst.stamp\n\n[Service]\nType=oneshot\nRemainAfterExit=yes\nExecStart=/usr/bin/echo 'libhardened_malloc.so' | tee /etc/ld.so.preload\nExecStart=/usr/bin/systemctl enable --now firewalld\nExecStart=/usr/bin/firewall-cmd --lockdown-on\nExecStart=/usr/bin/touch /var/lib/%N.stamp\nExecStart=/usr/bin/systemctl --no-block reboot\n\n[Install]\nWantedBy=multi-user.target\n",
        "enabled": true,
        "name": "postinst2.service"
      },
@ -284,6 +276,16 @@
      {
        "enabled": true,
        "name": "sshd.socket"
      },
      {
        "enabled": false,
        "mask": true,
        "name": "kdump.service"
      },
      {
        "enabled": false,
        "mask": true,
        "name": "debug-shell.service"
      }
    ]
  }
--- a/x86-QEMU-Docker.yml
+++ b/x86-QEMU-Docker.yml
@ -72,6 +72,7 @@ systemd:
        ExecStart=/usr/bin/echo 'libhardened_malloc.so' | tee /etc/ld.so.preload
        ExecStart=/usr/bin/systemctl enable --now firewalld
        ExecStart=/usr/bin/firewall-cmd --lockdown-on
        ExecStart=/usr/bin/touch /var/lib/%N.stamp
        ExecStart=/usr/bin/systemctl --no-block reboot
        [Install]
@ -156,6 +157,12 @@ systemd:
      enabled: false
    - name: sshd.socket
      enabled: true
    - name: kdump.service
      enabled: false
      mask: true
    - name: debug-shell.service
      enabled: false
      mask: true
 storage:
  files:
    - path: /etc/zincati/config.d/51-rollout-wariness.toml
@ -244,10 +251,6 @@ storage:
      target: /usr/lib/systemd/system/unbound.service
    - path: /etc/systemd/system/multi-user.target.wants/tuned.service
      target: /usr/lib/systemd/system/tuned.service
    - path: /etc/systemd/system/kdump.service
      target: /dev/null
    - path: /etc/systemd/system/debug-shell.service
      target: /dev/null
 kernel_arguments:
  should_exist:
    - mitigations=auto,nosmt
Author	SHA1	Message	Date
Tommy	3f8465e696	Use systemd units section to disable kdump and debug-shell Signed-off-by: Tommy <contact@tommytran.io>	2024-02-27 21:56:58 -07:00
Tommy	0adadc1932	Add missing stamp for postinst2 Signed-off-by: Tommy <contact@tommytran.io>	2024-02-27 18:48:17 -07:00
Tommy	bf92773f86	Fix GPG signature Signed-off-by: Tommy <contact@tommytran.io>	2024-02-27 18:41:02 -07:00