mirror of https://github.com/tommytran732/Fedora-CoreOS-Ignition synced 2024-11-09 11:41:34 -05:00

Compare commits


3 Commits

Author SHA1 Message Date
3f8465e696
Use systemd units section to disable kdump and debug-shell
Signed-off-by: Tommy <contact@tommytran.io>
2024-02-27 21:56:58 -07:00
0adadc1932
Add missing stamp for postinst2
Signed-off-by: Tommy <contact@tommytran.io>
2024-02-27 18:48:17 -07:00
bf92773f86
Fix GPG signature
Signed-off-by: Tommy <contact@tommytran.io>
2024-02-27 18:41:02 -07:00
5 changed files with 36 additions and 26 deletions


@ -191,14 +191,6 @@
{ {
"path": "/etc/systemd/system/multi-user.target.wants/tuned.service", "path": "/etc/systemd/system/multi-user.target.wants/tuned.service",
"target": "/usr/lib/systemd/system/tuned.service" "target": "/usr/lib/systemd/system/tuned.service"
},
{
"path": "/etc/systemd/system/kdump.service",
"target": "/dev/null"
},
{
"path": "/etc/systemd/system/debug-shell.service",
"target": "/dev/null"
} }
] ]
}, },
@ -243,6 +235,16 @@
{ {
"enabled": true, "enabled": true,
"name": "sshd.socket" "name": "sshd.socket"
},
{
"enabled": false,
"mask": true,
"name": "kdump.service"
},
{
"enabled": false,
"mask": true,
"name": "debug-shell.service"
} }
] ]
} }


@ -100,6 +100,12 @@ systemd:
enabled: false enabled: false
- name: sshd.socket - name: sshd.socket
enabled: true enabled: true
- name: kdump.service
enabled: false
mask: true
- name: debug-shell.service
enabled: false
mask: true
storage: storage:
files: files:
- path: /etc/zincati/config.d/51-rollout-wariness.toml - path: /etc/zincati/config.d/51-rollout-wariness.toml
@ -178,10 +184,6 @@ storage:
target: /usr/lib/systemd/system/unbound.service target: /usr/lib/systemd/system/unbound.service
- path: /etc/systemd/system/multi-user.target.wants/tuned.service - path: /etc/systemd/system/multi-user.target.wants/tuned.service
target: /usr/lib/systemd/system/tuned.service target: /usr/lib/systemd/system/tuned.service
- path: /etc/systemd/system/kdump.service
target: /dev/null
- path: /etc/systemd/system/debug-shell.service
target: /dev/null
kernel_arguments: kernel_arguments:
should_exist: should_exist:
- mitigations=auto,nosmt - mitigations=auto,nosmt
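Review bot: The two new masked entries (`kdump.service` and `debug-shell.service`) have no comment saying why they are masked, so a later cleanup could drop them as dead configuration. I would add above them `# debug-shell.service opens a passwordless root shell on tty9; kdump.service writes kernel crash dumps to disk, so keep both masked`. With `mask: true` set, the `enabled: false` line is likely redundant, though harmless. The same entries are added to the other Butane file on this page, and the `units:` list itself starts outside the hunk.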


@ -26,3 +26,4 @@ ayf77gecLuCVt+LhCH1rFejeIZrl0QEw+udrTYrPt3BWUK2OOIzF8PqLHfyUF+7W
ZuLgMxj0nGLMqOlPSszrQ6RxmL//GmXkmE3CeDNXV+7SpmMYe07pHzycg8+d/tNq ZuLgMxj0nGLMqOlPSszrQ6RxmL//GmXkmE3CeDNXV+7SpmMYe07pHzycg8+d/tNq
EajUfLQJqUYj3m51MnKW2r+QUKjkIYsn4iFfk+2aeY5HX1RalWJ7d4NHJQ== EajUfLQJqUYj3m51MnKW2r+QUKjkIYsn4iFfk+2aeY5HX1RalWJ7d4NHJQ==
=qpX+ =qpX+
-----END PGP PUBLIC KEY BLOCK-----


@ -217,14 +217,6 @@
{ {
"path": "/etc/systemd/system/multi-user.target.wants/tuned.service", "path": "/etc/systemd/system/multi-user.target.wants/tuned.service",
"target": "/usr/lib/systemd/system/tuned.service" "target": "/usr/lib/systemd/system/tuned.service"
},
{
"path": "/etc/systemd/system/kdump.service",
"target": "/dev/null"
},
{
"path": "/etc/systemd/system/debug-shell.service",
"target": "/dev/null"
} }
] ]
}, },
@ -236,7 +228,7 @@
"name": "postinst.service" "name": "postinst.service"
}, },
{ {
"contents": "[Unit]\nDescription=Initial System Setup Part 2\n# We run this after the packages have been overlayed\nAfter=network-online.target\nConditionPathExists=!/var/lib/%N.stamp\nConditionPathExists=/var/lib/postinst.stamp\n\n[Service]\nType=oneshot\nRemainAfterExit=yes\nExecStart=/usr/bin/echo 'libhardened_malloc.so' | tee /etc/ld.so.preload\nExecStart=/usr/bin/systemctl enable --now firewalld\nExecStart=/usr/bin/firewall-cmd --lockdown-on\nExecStart=/usr/bin/systemctl --no-block reboot\n\n[Install]\nWantedBy=multi-user.target\n", "contents": "[Unit]\nDescription=Initial System Setup Part 2\n# We run this after the packages have been overlayed\nAfter=network-online.target\nConditionPathExists=!/var/lib/%N.stamp\nConditionPathExists=/var/lib/postinst.stamp\n\n[Service]\nType=oneshot\nRemainAfterExit=yes\nExecStart=/usr/bin/echo 'libhardened_malloc.so' | tee /etc/ld.so.preload\nExecStart=/usr/bin/systemctl enable --now firewalld\nExecStart=/usr/bin/firewall-cmd --lockdown-on\nExecStart=/usr/bin/touch /var/lib/%N.stamp\nExecStart=/usr/bin/systemctl --no-block reboot\n\n[Install]\nWantedBy=multi-user.target\n",
"enabled": true, "enabled": true,
"name": "postinst2.service" "name": "postinst2.service"
}, },
@ -284,6 +276,16 @@
{ {
"enabled": true, "enabled": true,
"name": "sshd.socket" "name": "sshd.socket"
},
{
"enabled": false,
"mask": true,
"name": "kdump.service"
},
{
"enabled": false,
"mask": true,
"name": "debug-shell.service"
} }
] ]
} }


@ -72,6 +72,7 @@ systemd:
ExecStart=/usr/bin/echo 'libhardened_malloc.so' | tee /etc/ld.so.preload ExecStart=/usr/bin/echo 'libhardened_malloc.so' | tee /etc/ld.so.preload
ExecStart=/usr/bin/systemctl enable --now firewalld ExecStart=/usr/bin/systemctl enable --now firewalld
ExecStart=/usr/bin/firewall-cmd --lockdown-on ExecStart=/usr/bin/firewall-cmd --lockdown-on
ExecStart=/usr/bin/touch /var/lib/%N.stamp
ExecStart=/usr/bin/systemctl --no-block reboot ExecStart=/usr/bin/systemctl --no-block reboot
[Install] [Install]
@ -156,6 +157,12 @@ systemd:
enabled: false enabled: false
- name: sshd.socket - name: sshd.socket
enabled: true enabled: true
- name: kdump.service
enabled: false
mask: true
- name: debug-shell.service
enabled: false
mask: true
storage: storage:
files: files:
- path: /etc/zincati/config.d/51-rollout-wariness.toml - path: /etc/zincati/config.d/51-rollout-wariness.toml
@ -244,10 +251,6 @@ storage:
target: /usr/lib/systemd/system/unbound.service target: /usr/lib/systemd/system/unbound.service
- path: /etc/systemd/system/multi-user.target.wants/tuned.service - path: /etc/systemd/system/multi-user.target.wants/tuned.service
target: /usr/lib/systemd/system/tuned.service target: /usr/lib/systemd/system/tuned.service
- path: /etc/systemd/system/kdump.service
target: /dev/null
- path: /etc/systemd/system/debug-shell.service
target: /dev/null
kernel_arguments: kernel_arguments:
should_exist: should_exist:
- mitigations=auto,nosmt - mitigations=auto,nosmt
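Review bot: The added `ExecStart=/usr/bin/touch /var/lib/%N.stamp` makes this unit run only once, and the first `ExecStart=` above it in the same hunk appears never to write `/etc/ld.so.preload`. systemd runs `ExecStart=` without a shell, so `| tee /etc/ld.so.preload` is passed to `echo` as plain arguments and the command still exits 0. Once the stamp exists, `ConditionPathExists=!/var/lib/%N.stamp` skips the unit on every later boot, so the host would stay without the hardened_malloc preload and nothing would report it. I would change that line to `ExecStart=/usr/bin/sh -c "echo 'libhardened_malloc.so' > /etc/ld.so.preload"` and regenerate the Ignition JSON. The unit's `[Unit]` section and the start of `[Service]` lie outside the hunk.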