Bug 1338741
| Summary: | [RFE] GCE image not prepared for use on Google Compute Platform | |||
|---|---|---|---|---|
| Product: | Red Hat CloudForms Management Engine | Reporter: | Lutz Lange <llange> | |
| Component: | Build | Assignee: | Satoe Imaishi <simaishi> | |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Kyrylo Zvyagintsev <kzvyahin> | |
| Severity: | high | Docs Contact: | ||
| Priority: | high | |||
| Version: | 5.6.0 | CC: | abellott, cpelland, jhardy, obarenbo | |
| Target Milestone: | GA | Keywords: | FutureFeature, TestOnly, ZStream | |
| Target Release: | 5.7.0 | |||
| Hardware: | Unspecified | |||
| OS: | Unspecified | |||
| Whiteboard: | ||||
| Fixed In Version: | 5.7.0.0 | Doc Type: | If docs needed, set a value | |
| Doc Text: | Story Points: | --- | ||
| Clone Of: | ||||
| : | 1346443 (view as bug list) | Environment: | ||
| Last Closed: | 2017-01-11 20:27:41 UTC | Type: | Bug | |
| Regression: | --- | Mount Type: | --- | |
| Documentation: | --- | CRM: | ||
| Verified Versions: | Category: | --- | ||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
| Cloudforms Team: | --- | Target Upstream Version: | ||
| Embargoed: | ||||
| Bug Depends On: | ||||
| Bug Blocks: | 1346443 | |||
New commit detected on ManageIQ/manageiq-appliance-build/master: https://github.com/ManageIQ/manageiq-appliance-build/commit/d180f448ba0c22900c88098d21c670c835cbb30a commit d180f448ba0c22900c88098d21c670c835cbb30a Author: Satoe Imaishi <simaishi> AuthorDate: Thu Jun 16 11:56:28 2016 -0400 Commit: Satoe Imaishi <simaishi> CommitDate: Thu Jun 16 14:42:32 2016 -0400 Secure GCE image - Add sshd/ssh configuration - Lock root account - Install Google image packages (google-compute-engine and google-config) - Remove kernel security settings as google image package provides them - Remove cloud-init https://bugzilla.redhat.com/show_bug.cgi?id=1338741 kickstarts/base.ks.erb | 6 ++--- kickstarts/partials/main/repos.ks.erb | 3 +++ kickstarts/partials/packages/includes.ks.erb | 5 ++++- kickstarts/partials/post/gce.ks.erb | 33 +++++++++++++--------------- kickstarts/partials/post/repos.ks.erb | 13 +++++++++++ kickstarts/partials/post/systemd.ks.erb | 2 +- 6 files changed, 39 insertions(+), 23 deletions(-) New commit detected on cfme_productization/master: https://code.engineering.redhat.com/gerrit/gitweb?p=cfme_productization.git;a=commit;h=0d69003c95e3774dfe79398471a2a2a6268ec949 commit 0d69003c95e3774dfe79398471a2a2a6268ec949 Author: Satoe Imaishi <simaishi> AuthorDate: Thu Jun 16 14:40:10 2016 -0400 Commit: Satoe Imaishi <simaishi> CommitDate: Fri Jun 17 11:00:31 2016 -0400 Secure GCE image - Remove cloud-init - Add google-compute-engine and google-config https://bugzilla.redhat.com/show_bug.cgi?id=1338741 manageiq-appliance-build/productization/kickstarts/base.ks.erb | 10 +++++----- .../kickstarts/partials/packages/includes.ks.erb | 7 ++++++- 2 files changed, 11 insertions(+), 6 deletions(-) |
Description of problem: cfme-gce-5.6.0.7-1.x86_64.tar.gz is not secured properly and not running the required Google Startup Scripts or Daemons. Please lock down the root account and provide the expected Scripts and Daemons out of the box. Version-Release number of selected component (if applicable): cfme-gce-5.6.0.7-1.x86_64.tar.gz Additional info: I have an update to this. This image is insecurely configured. I could log in with the root account ( and smartvm) . While this might be acceptable for on premise appliances, it is not for public clouds. I do recommend to add the following settings : Adjust /etc/hosts # echo 169.254.169.254 metadata.google.internal metadata >>/etc/hosts Adjust network settings # echo MTU=1460 >> /etc/sysconfig/network-scripts/ifcfg-eth0 # echo PERSISTENT_DHCLIENT="y" >> /etc/sysconfig/network-scripts/ifcfg-eth0 Lock Root Account # usermod -L root Configure SSH in /etc/ssh/ssh_config Host * ServerAliveInterval 420 ForwardAgent no ForwardX11 no HostbasedAuthentication no StrictHostKeyChecking no GSSAPIAuthentication yes Configure SSHD in /etc/ssh/sshd_config PasswordAuthentication no PermitRootLogin no PermitTunnel no AllowTcpForwarding yes X11Forwarding no ClientAliveInterval 420 Install the Google Compute Startup Scripts and Google Daemon see https://github.com/GoogleCloudPlatform/compute-image-packages/releases rpm -Uhv https://github.com/GoogleCloudPlatform/compute-image-packages/releases/download/1.3.3 /google-compute-daemon-1.3.3-1.noarch.rpm https://github.com/GoogleCloudPlatform/compute-image-packages/releases/downl oad/1.3.3/google-startup-scripts-1.3.3-1.noarch.rpm Retrieving https://github.com/GoogleCloudPlatform/compute-image-packages/releases/download/1.3.3/google-compute-daemon -1.3.3-1.noarch.rpm