Ovirt devel - Jun 2008 - [PATCH] Add additional blacklisting and rpm removal to managed node

A few important notes:
1. /lib/modules was scoured for things that didn't seem necessary, however
   my notion of not necessary may not be correct.  Please review the list
   of modules that I'm removing and if you see one that we need to add back
   in, comment.
2. /boot is removed as we don't need an initrd and kernel image inside of
   the livecd initrd.
3. The blacklisting method is a hack.  What we need is an appliance creator
   that has black/whitelisting capabilities...  (hint, hint to our AOS
   friends out there)

The ISO image RPM is down to 45MB
PXE image RPM is at 52MB
Running filesystem is 130MB

Signed-off-by: Perry Myers <pmyers at redhat.com>
---
 ovirt-host-creator/common-post.ks |  109 +++++++++++++++++++++++--------------
 1 files changed, 68 insertions(+), 41 deletions(-)

diff --git a/ovirt-host-creator/common-post.ks
b/ovirt-host-creator/common-post.ks
index 723b838..c3bf35a 100644
--- a/ovirt-host-creator/common-post.ks
+++ b/ovirt-host-creator/common-post.ks
@@ -1,4 +1,4 @@
-echo "Starting Kickstart Post"
+echo "Starting Kickstart Common Post"
 PATH=/sbin:/usr/sbin:/bin:/usr/bin
 export PATH
 
@@ -364,13 +364,6 @@ echo "Creating shadow files"
 pwconv
 grpconv
 
-echo "Re-creating cracklib dicts"
-# cracklib-dicts is 8MB.  We probably don't need to have strict password
-# checking on the ovirt host
-# unfortunately we can't create an empty cracklib dict, so we create it
-# with a single entry "1"
-echo 1 | packer >& /dev/null
-
 echo "Forcing C locale"
 # force logins (via ssh, etc) to use C locale, since we remove locales
 cat >> /etc/profile << \EOF
@@ -378,49 +371,39 @@ cat >> /etc/profile << \EOF
 export LC_ALL=C LANG=C
 EOF
 
-# here, remove a bunch of files we don't need that are just eating up
space.
-# it breaks rpm slightly, but it's not too bad
-
 echo "Removing excess RPMs"
+RPM="rpm -v -e --nodeps"
 
 # kernel pulls in mkinitrd which pulls in isomd5sum which pulls in python,
 # and livecd-tools needs lokkit to disable SELinux.
 # However, this is just an install-time dependency; we can remove
 # it afterwards, which we do here
-rpm -e system-config-firewall-tui system-config-network-tui rhpl \
+$RPM system-config-firewall-tui system-config-network-tui rhpl \
     rpm-python dbus-python kudzu newt-python newt
-rpm -e qemu kpartx mkinitrd isomd5sum dmraid python python-libs
+$RPM qemu kpartx mkinitrd isomd5sum dmraid python python-libs
 
 # Sigh.  ntp has a silly dependency on perl because of auxiliary scripts which
 # we don't need to use.  Forcibly remove it here
-rpm -e --nodeps perl perl-libs perl-Module-Pluggable perl-version \
+$RPM perl perl-libs perl-Module-Pluggable perl-version \
     perl-Pod-Simple perl-Pod-Escapes
 
-RM="rm -rf"
+# Remove additional RPMs forcefully
+$RPM gamin pm-utils kbd libuser passwd usermode \
+    openssh-clients vbetool ConsoleKit hdparm \
+    efibootmgr krb5-workstation linux-atm-libs fedora-release-notes \
+    slang psmisc gdbm cryptsetup-luks pciutils mtools syslinux db4 \
+    wireless-tools radeontool cracklib-dicts cracklib
 
-echo "Removing docs and internationalization"
-$RM /usr/share/omf
-$RM /usr/share/gnome
-$RM /usr/share/doc
-$RM /usr/share/locale
-$RM /usr/share/libthai
-$RM /usr/share/man
-$RM /usr/share/terminfo
-$RM /usr/share/X11
-$RM /usr/share/i18n
+# Things we could probably remove if libvirt didn't link against them
+#$RPM avahi PolicyKit xen-libs
 
-find /usr/share/zoneinfo -regextype egrep -type f \
-  ! -regex ".*/UTC" -exec $RM {} \;
-# XXX anaconda/timezone.py does it, missing in imgcreate/kickstart.py
-cp /usr/share/zoneinfo/UTC /etc/localtime
+# Things we could probably remove if qemu-kvm didn't link against them
+#$RPM SDL alsa-lib
 
-$RM /usr/lib/locale
-$RM /usr/lib/syslinux
-$RM /usr/lib64/gconv
-$RM /usr/lib64/pango
-$RM /usr/lib64/libpango*
-$RM /etc/pango
-$RM /usr/bin/pango*
+# Pam complains when this is missing
+#$RPM ConsoleKit-libs
+
+RM="rm -rf"
 
 echo "Removing excess kernel modules"
 MODULES="/lib/modules/*/kernel"
@@ -438,16 +421,60 @@ fs_mods="fs/nls fs/9p fs/affs fs/autofs fs/autofs4
fs/befs fs/bfs fs/cifs \
 net_mods="net/802 net/8021q net/9p net/appletalk net/atm net/ax25 \
        net/bluetooth net/dccp net/decnet net/ieee80211 net/ipx net/irda \
        net/mac80211 net/netrom net/rfkill net/rose net/sched net/tipc \
-       net/wanrouter net/wireless drivers/auxdisplay drivers/net/appletalk \
+       net/wanrouter net/wireless"
+
+driver_mods="drivers/auxdisplay drivers/net/appletalk \
        drivers/net/hamradio drivers/net/pcmcia drivers/net/tokenring \
-       drivers/net/wireless drivers/net/irda drivers/atm drivers/usb/atm"
+       drivers/net/wireless drivers/net/irda drivers/atm drivers/usb/atm \
+       drivers/acpi drivers/char/drm drivers/char/hw_random drivers/char/mwave
\
+       drivers/char/ipmp drivers/char/pcmcia drivers/crypto drivers/dca \
+       drivers/dma drivers/edac drivers/firmware drivers/hwmon
+       drivers/memstick drivers/mmc drivers/mfs drivers/parport \
+       drivers/serial drivers/video drivers/watchdog drivers/net/ppp* \
+       drivers/usb/serial drivers/usb/misc drivers/usb/class \
+       drivers/usb/image drivers/rtc"
 
 misc_mods="drivers/bluetooth drivers/firewire drivers/i2c drivers/isdn \
        drivers/media drivers/misc drivers/leds drivers/mtd drivers/w1 sound \
-       drivers/input drivers/pcmcia drivers/scsi/pcmcia"
+       drivers/input drivers/pcmcia drivers/scsi/pcmcia arch/x86/oprofile \
+       crypto lib"
 
-for mods in $fs_mods $net_mods $misc_mods ; do
+for mods in $fs_mods $net_mods $misc_mods $driver_mods ; do
     $RM $MODULES/$mods
 done
 
-echo "Finished Kickstart Post"
+echo "Removing all timezones except for UTC"
+find /usr/share/zoneinfo -regextype egrep -type f \
+  ! -regex ".*/UTC" -exec $RM {} \;
+# XXX anaconda/timezone.py does it, missing in imgcreate/kickstart.py
+cp /usr/share/zoneinfo/UTC /etc/localtime
+
+echo "Removing blacklisted files and directories"
+blacklist="/boot /etc/alsa /etc/pki /usr/share/hwdata/MonitorsDB \
+    /usr/share/hwdata/oui.txt /usr/share/hwdata/videoaliases \
+    /usr/share/hwdata/videodrivers /usr/share/fedora-release \
+    /usr/share/tabset /usr/share/libvirt /usr/share/augeas/lenses/tests \
+    /usr/share/tc /usr/share/emacs /usr/share/info /usr/kerberos \
+    /usr/src /usr/etc /usr/games /usr/include /usr/local /usr/lib64/python2.5 \
+    /usr/lib64/tc /usr/lib64/tls /usr/lib64/sse2 /usr/lib64/pkgconfig \
+    /usr/lib64/nss /usr/lib64/X11 /usr/lib64/games /usr/lib64/alsa-lib \
+    /usr/lib64/fs/reiserfs /usr/lib64/krb5 /usr/lib64/hal /usr/lib64/gio \
+    /usr/bin/hal-device /usr/bin/hal-disable-polling \
+    /usr/bin/hal-find-by-capability /usr/bin/hal-find-by-property \
+    /usr/bin/hal-is-caller-locked-out /usr/bin/hal-is-caller-privileged \
+    /usr/bin/hal-lock /usr/bin/hal-set-property /usr/bin/hal-setup-keymap \
+    /usr/sbin/dell* /lib/terminfo/d /lib/terminfo/v /lib/terminfo/a \
+    /lib/firmware /lib/security /usr/lib/locale /usr/lib/syslinux \
+    /usr/lib64/gconv /usr/lib64/pango /usr/lib64/libpango* /etc/pango \
+    /usr/bin/pango*"
+
+docs_blacklist="/usr/share/omf /usr/share/gnome /usr/share/doc \
+    /usr/share/locale /usr/share/libthai /usr/share/man /usr/share/terminfo \
+    /usr/share/X11 /usr/share/i18n"
+
+$RM $blacklist $docs_blacklist
+
+echo "Cleanup empty directory structures in /usr/share"
+find /usr/share -type d -exec rmdir {} \; > /dev/null 2>&1
+
+echo "Finished Kickstart Common Post"
-- 
1.5.5.1

Perry Myers wrote:
> A few important notes:
> 1. /lib/modules was scoured for things that didn't seem necessary,
however
>    my notion of not necessary may not be correct.  Please review the list
>    of modules that I'm removing and if you see one that we need to add
back
>    in, comment.
> 2. /boot is removed as we don't need an initrd and kernel image inside
of
>    the livecd initrd.
Ah yes, good to remove this, since it is superflous.
> 3. The blacklisting method is a hack.  What we need is an appliance creator
>    that has black/whitelisting capabilities...  (hint, hint to our AOS
>    friends out there)
> 
> The ISO image RPM is down to 45MB
> PXE image RPM is at 52MB
> Running filesystem is 130MB
My question is: so?  I don't really see how it's much of an improvement
over
what we already have.  Or rather, it's an improvement, but in my opinion the
cost (breaking RPM, breaking RPM dependencies, etc) is too high.
>  echo "Removing excess kernel modules"
>  MODULES="/lib/modules/*/kernel"
> @@ -438,16 +421,60 @@ fs_mods="fs/nls fs/9p fs/affs fs/autofs
fs/autofs4 fs/befs fs/bfs fs/cifs \
>  net_mods="net/802 net/8021q net/9p net/appletalk net/atm net/ax25 \
>         net/bluetooth net/dccp net/decnet net/ieee80211 net/ipx net/irda \
>         net/mac80211 net/netrom net/rfkill net/rose net/sched net/tipc \
> -       net/wanrouter net/wireless drivers/auxdisplay drivers/net/appletalk
\
> +       net/wanrouter net/wireless"
> +
> +driver_mods="drivers/auxdisplay drivers/net/appletalk \
>         drivers/net/hamradio drivers/net/pcmcia drivers/net/tokenring \
> -       drivers/net/wireless drivers/net/irda drivers/atm
drivers/usb/atm"
> +       drivers/net/wireless drivers/net/irda drivers/atm drivers/usb/atm \
> +       drivers/acpi drivers/char/drm drivers/char/hw_random
drivers/char/mwave \
We probably want to keep hw_random for feeding the random number generator in
the future, especially because: a) we don't keep our entropy pool across
reboots, b) we might be running diskless, and c) not all NIC devices contribute
entropy.
> +       drivers/char/ipmp drivers/char/pcmcia drivers/crypto drivers/dca \
> +       drivers/dma drivers/edac drivers/firmware drivers/hwmon
We definitely need to keep drivers/edac around for reporting errors.  Same goes
for drivers/hwmon
> +       drivers/memstick drivers/mmc drivers/mfs drivers/parport \
> +       drivers/serial drivers/video drivers/watchdog drivers/net/ppp* \
> +       drivers/usb/serial drivers/usb/misc drivers/usb/class \
> +       drivers/usb/image drivers/rtc"
The serial stuff will be useful for debugging, and some administrators might
want to use a serial concentrator to see what's going on with their nodes.
>  
>  misc_mods="drivers/bluetooth drivers/firewire drivers/i2c
drivers/isdn \
>         drivers/media drivers/misc drivers/leds drivers/mtd drivers/w1
sound \
> -       drivers/input drivers/pcmcia drivers/scsi/pcmcia"
> +       drivers/input drivers/pcmcia drivers/scsi/pcmcia arch/x86/oprofile
\
> +       crypto lib"
oprofile might be useful in the future, for profiling the nodes, but we
haven't
given any thought to it yet.
>  
> -for mods in $fs_mods $net_mods $misc_mods ; do
> +for mods in $fs_mods $net_mods $misc_mods $driver_mods ; do
>      $RM $MODULES/$mods
>  done
>  
> -echo "Finished Kickstart Post"
> +echo "Removing all timezones except for UTC"
> +find /usr/share/zoneinfo -regextype egrep -type f \
> +  ! -regex ".*/UTC" -exec $RM {} \;
> +# XXX anaconda/timezone.py does it, missing in imgcreate/kickstart.py
> +cp /usr/share/zoneinfo/UTC /etc/localtime
> +
> +echo "Removing blacklisted files and directories"
> +blacklist="/boot /etc/alsa /etc/pki /usr/share/hwdata/MonitorsDB \
> +    /usr/share/hwdata/oui.txt /usr/share/hwdata/videoaliases \
> +    /usr/share/hwdata/videodrivers /usr/share/fedora-release \
> +    /usr/share/tabset /usr/share/libvirt /usr/share/augeas/lenses/tests \
> +    /usr/share/tc /usr/share/emacs /usr/share/info /usr/kerberos \
> +    /usr/src /usr/etc /usr/games /usr/include /usr/local
/usr/lib64/python2.5 \
> +    /usr/lib64/tc /usr/lib64/tls /usr/lib64/sse2 /usr/lib64/pkgconfig \
> +    /usr/lib64/nss /usr/lib64/X11 /usr/lib64/games /usr/lib64/alsa-lib \
> +    /usr/lib64/fs/reiserfs /usr/lib64/krb5 /usr/lib64/hal /usr/lib64/gio \
> +    /usr/bin/hal-device /usr/bin/hal-disable-polling \
> +    /usr/bin/hal-find-by-capability /usr/bin/hal-find-by-property \
> +    /usr/bin/hal-is-caller-locked-out /usr/bin/hal-is-caller-privileged \
> +    /usr/bin/hal-lock /usr/bin/hal-set-property /usr/bin/hal-setup-keymap
\
> +    /usr/sbin/dell* /lib/terminfo/d /lib/terminfo/v /lib/terminfo/a \
> +    /lib/firmware /lib/security /usr/lib/locale /usr/lib/syslinux \
> +    /usr/lib64/gconv /usr/lib64/pango /usr/lib64/libpango* /etc/pango \
> +    /usr/bin/pango*"
> +
> +docs_blacklist="/usr/share/omf /usr/share/gnome /usr/share/doc \
> +    /usr/share/locale /usr/share/libthai /usr/share/man
/usr/share/terminfo \
> +    /usr/share/X11 /usr/share/i18n"
> +
> +$RM $blacklist $docs_blacklist
> +
> +echo "Cleanup empty directory structures in /usr/share"
> +find /usr/share -type d -exec rmdir {} \; > /dev/null 2>&1
> +
> +echo "Finished Kickstart Common Post"
Overall, seems to be breaking a lot of debug and reproducibility functionality
for very little gain.

Chris Lalancette

Chris Lalancette wrote:
> Perry Myers wrote:
>> A few important notes:
>> 1. /lib/modules was scoured for things that didn't seem necessary,
however
>>    my notion of not necessary may not be correct.  Please review the
list
>>    of modules that I'm removing and if you see one that we need to
add back
>>    in, comment.
>> 2. /boot is removed as we don't need an initrd and kernel image
inside of
>>    the livecd initrd.
> 
> Ah yes, good to remove this, since it is superflous.
> 
>> 3. The blacklisting method is a hack.  What we need is an appliance
creator
>>    that has black/whitelisting capabilities...  (hint, hint to our AOS
>>    friends out there)
>>
>> The ISO image RPM is down to 45MB
>> PXE image RPM is at 52MB
>> Running filesystem is 130MB
> 
> My question is: so?  I don't really see how it's much of an
improvement over
> what we already have.  Or rather, it's an improvement, but in my
opinion the
> cost (breaking RPM, breaking RPM dependencies, etc) is too high.
This patch doesn't break RPM.  It does break some dependencies since
we're
doing rpm -e --nodeps on a handful of packages.  But this is necessary if 
we want the embedded hypervisor to live up to its name (i.e. embedded). 
As to whether or not living up to the embedded moniker is important, 
that's a completely different issue.
>>  echo "Removing excess kernel modules"
>>  MODULES="/lib/modules/*/kernel"
>> @@ -438,16 +421,60 @@ fs_mods="fs/nls fs/9p fs/affs fs/autofs
fs/autofs4 fs/befs fs/bfs fs/cifs \
>>  net_mods="net/802 net/8021q net/9p net/appletalk net/atm net/ax25
\
>>         net/bluetooth net/dccp net/decnet net/ieee80211 net/ipx
net/irda \
>>         net/mac80211 net/netrom net/rfkill net/rose net/sched net/tipc
\
>> -       net/wanrouter net/wireless drivers/auxdisplay
drivers/net/appletalk \
>> +       net/wanrouter net/wireless"
>> +
>> +driver_mods="drivers/auxdisplay drivers/net/appletalk \
>>         drivers/net/hamradio drivers/net/pcmcia drivers/net/tokenring \
>> -       drivers/net/wireless drivers/net/irda drivers/atm
drivers/usb/atm"
>> +       drivers/net/wireless drivers/net/irda drivers/atm
drivers/usb/atm \
>> +       drivers/acpi drivers/char/drm drivers/char/hw_random
drivers/char/mwave \
> 
> We probably want to keep hw_random for feeding the random number generator
in
> the future, especially because: a) we don't keep our entropy pool
across
> reboots, b) we might be running diskless, and c) not all NIC devices
contribute
> entropy.
I'll add these back in and resubmit the patch.
>> +       drivers/char/ipmp drivers/char/pcmcia drivers/crypto
drivers/dca \
>> +       drivers/dma drivers/edac drivers/firmware drivers/hwmon
> 
> We definitely need to keep drivers/edac around for reporting errors.  Same
goes
> for drivers/hwmon
Ditto
>> +       drivers/memstick drivers/mmc drivers/mfs drivers/parport \
>> +       drivers/serial drivers/video drivers/watchdog drivers/net/ppp*
\
>> +       drivers/usb/serial drivers/usb/misc drivers/usb/class \
>> +       drivers/usb/image drivers/rtc"
> 
> The serial stuff will be useful for debugging, and some administrators
might
> want to use a serial concentrator to see what's going on with their
nodes.
Ditto, though we don't provide a way to change the boot options so that 
serial console is enabled.  Should we do this by default perhaps?  I'd be 
tempted to put drivers/serial in but not drivers/usb/serial as that's sort 
of a fringe case.  Most people are going to have real serial ports on 
servers, probably not needing USB serial devices.
>>  
>>  misc_mods="drivers/bluetooth drivers/firewire drivers/i2c
drivers/isdn \
>>         drivers/media drivers/misc drivers/leds drivers/mtd drivers/w1
sound \
>> -       drivers/input drivers/pcmcia drivers/scsi/pcmcia"
>> +       drivers/input drivers/pcmcia drivers/scsi/pcmcia
arch/x86/oprofile \
>> +       crypto lib"
> 
> oprofile might be useful in the future, for profiling the nodes, but we
haven't
> given any thought to it yet.
It's small anyhow.  I'll add it back in.
>>  
>> -for mods in $fs_mods $net_mods $misc_mods ; do
>> +for mods in $fs_mods $net_mods $misc_mods $driver_mods ; do
>>      $RM $MODULES/$mods
>>  done
>>  
>> -echo "Finished Kickstart Post"
>> +echo "Removing all timezones except for UTC"
>> +find /usr/share/zoneinfo -regextype egrep -type f \
>> +  ! -regex ".*/UTC" -exec $RM {} \;
>> +# XXX anaconda/timezone.py does it, missing in imgcreate/kickstart.py
>> +cp /usr/share/zoneinfo/UTC /etc/localtime
>> +
>> +echo "Removing blacklisted files and directories"
>> +blacklist="/boot /etc/alsa /etc/pki /usr/share/hwdata/MonitorsDB
\
>> +    /usr/share/hwdata/oui.txt /usr/share/hwdata/videoaliases \
>> +    /usr/share/hwdata/videodrivers /usr/share/fedora-release \
>> +    /usr/share/tabset /usr/share/libvirt
/usr/share/augeas/lenses/tests \
>> +    /usr/share/tc /usr/share/emacs /usr/share/info /usr/kerberos \
>> +    /usr/src /usr/etc /usr/games /usr/include /usr/local
/usr/lib64/python2.5 \
>> +    /usr/lib64/tc /usr/lib64/tls /usr/lib64/sse2 /usr/lib64/pkgconfig
\
>> +    /usr/lib64/nss /usr/lib64/X11 /usr/lib64/games /usr/lib64/alsa-lib
\
>> +    /usr/lib64/fs/reiserfs /usr/lib64/krb5 /usr/lib64/hal
/usr/lib64/gio \
>> +    /usr/bin/hal-device /usr/bin/hal-disable-polling \
>> +    /usr/bin/hal-find-by-capability /usr/bin/hal-find-by-property \
>> +    /usr/bin/hal-is-caller-locked-out
/usr/bin/hal-is-caller-privileged \
>> +    /usr/bin/hal-lock /usr/bin/hal-set-property
/usr/bin/hal-setup-keymap \
>> +    /usr/sbin/dell* /lib/terminfo/d /lib/terminfo/v /lib/terminfo/a \
>> +    /lib/firmware /lib/security /usr/lib/locale /usr/lib/syslinux \
>> +    /usr/lib64/gconv /usr/lib64/pango /usr/lib64/libpango* /etc/pango
\
>> +    /usr/bin/pango*"
>> +
>> +docs_blacklist="/usr/share/omf /usr/share/gnome /usr/share/doc \
>> +    /usr/share/locale /usr/share/libthai /usr/share/man
/usr/share/terminfo \
>> +    /usr/share/X11 /usr/share/i18n"
>> +
>> +$RM $blacklist $docs_blacklist
>> +
>> +echo "Cleanup empty directory structures in /usr/share"
>> +find /usr/share -type d -exec rmdir {} \; > /dev/null 2>&1
>> +
>> +echo "Finished Kickstart Common Post"
> 
> Overall, seems to be breaking a lot of debug and reproducibility
functionality
> for very little gain.
I don't see how this break reproducibility.  There will be one image, just 
stripped down to be smaller.  As for breaking debug, I'll add 
serial/oprofile mods back in, so with those added back do you feel that 
anything else breaks debugging support?

Perry

-- 
|=-        Red Hat, Engineering, Emerging Technologies, Boston        -=|
|=-                     Email: pmyers at redhat.com                      -=|
|=-         Office: +1 412 474 3552   Mobile: +1 703 362 9622         -=|
|=- GnuPG: E65E4F3D 88F9 F1C9 C2F3 1303 01FE 817C C5D2 8B91 E65E 4F3D -=|