On Thu, Dec 12, 2013 at 03:18:31PM +0100, Vitaly Kuznetsov wrote:
ami-3b361952 : us-east-1 image for i386
ami-1337187a : us-east-1 image for x86_64
Compared to TC5 images:
- iptables-services package is missing in RC1
This is intentional and by popular demand -- in an IaaS environment, the cloud provider's security groups or equivalent concept provides the firewall. If one wants defense-in-depth it's easy to install iptables-services or firewalld with cloud-init.
- SELinux contexts. It gets better :-)
In TC5 if you remember we had:
# restorecon -R -v -n -e /proc -e /sys -e /tmp -e /run -e /dev /
restorecon reset /boot/extlinux/ldlinux.sys context system_u:object_r:file_t:s0->system_u:object_r:boot_t:s0
restorecon reset /var/cache/yum context system_u:object_r:file_t:s0->system_u:object_r:rpm_var_cache_t:s0
restorecon reset /var/log/boot.log context system_u:object_r:var_log_t:s0->system_u:object_r:plymouthd_var_log_t:s0
restorecon reset /var/log/cron context system_u:object_r:var_log_t:s0->system_u:object_r:cron_log_t:s0
I'm pre-creating the two log files, so they end up right.
In RC1 we have only these:
# restorecon -R -v -n -e /proc -e /sys -e /tmp -e /run -e /dev /
restorecon reset /var/cache/yum context system_u:object_r:file_t:s0->system_u:object_r:rpm_var_cache_t:s0
restorecon reset /boot/extlinux/ldlinux.sys context system_u:object_r:file_t:s0->system_u:object_r:boot_t:s0
I tried to be clever with changing ldlinux.sys from immutable and back again but apparently that doesn't do it. (Since this isn't ever actually run on the system, only _before_ the system, and not on EC2 at all, the side-effects of a wrong context should be small.)
I'm more concerned about /var/cache/yum, since that is already precreated and should already be right.
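
Added example, not part of the original message or of any Fedora tooling: a small Python check that parses the `restorecon -n -v` dry-run output quoted above and compares two image builds, so mislabelled paths can be tracked from one build to the next. The function names are hypothetical, and the parser assumes the older `restorecon reset <path> context <old>-><new>` line format shown in this thread.

```python
import re

# Format of the `restorecon -n -v` lines quoted in this thread:
#   restorecon reset <path> context <current>-><expected>
LINE_RE = re.compile(
    r"^restorecon reset (?P<path>.+) context (?P<cur>\S+)->(?P<exp>\S+)$")

# Output copied from the message above (TC5 run, then RC1 run).
TC5 = """\
restorecon reset /boot/extlinux/ldlinux.sys context system_u:object_r:file_t:s0->system_u:object_r:boot_t:s0
restorecon reset /var/cache/yum context system_u:object_r:file_t:s0->system_u:object_r:rpm_var_cache_t:s0
restorecon reset /var/log/boot.log context system_u:object_r:var_log_t:s0->system_u:object_r:plymouthd_var_log_t:s0
restorecon reset /var/log/cron context system_u:object_r:var_log_t:s0->system_u:object_r:cron_log_t:s0
"""
RC1 = """\
restorecon reset /var/cache/yum context system_u:object_r:file_t:s0->system_u:object_r:rpm_var_cache_t:s0
restorecon reset /boot/extlinux/ldlinux.sys context system_u:object_r:file_t:s0->system_u:object_r:boot_t:s0
"""

def se_type(context):
    # user:role:type:level; the level may itself contain ':', so split 3 times
    return context.split(":", 3)[2]

def parse_restorecon(output):
    """Map each reported path to (current_type, expected_type)."""
    found = {}
    for line in output.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # shell prompts and unrelated lines are ignored
            found[m["path"]] = (se_type(m["cur"]), se_type(m["exp"]))
    return found

def compare(before, after):
    """Classify mislabelled paths between two dry runs."""
    b, a = parse_restorecon(before), parse_restorecon(after)
    return {"fixed": sorted(b.keys() - a.keys()),
            "remaining": sorted(b.keys() & a.keys()),
            "new": sorted(a.keys() - b.keys())}

def unlabeled(output):
    """Paths whose current type is file_t, i.e. files carrying no label at all."""
    parsed = parse_restorecon(output)
    return sorted(p for p, (cur, _) in parsed.items() if cur == "file_t")

if __name__ == "__main__":
    for state, paths in compare(TC5, RC1).items():
        print(state, paths)
    print("unlabeled in RC1:", unlabeled(RC1))
```

Run against the two listings above, the two log files show up as fixed, while /var/cache/yum and ldlinux.sys remain and are both still file_t.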