Hello,
I am trying to build my own CentOS cloud image, one reason being to better understand this process and learn from it, but I am having trouble completing a fully functional image.
I have read various how-tos and other documentation but I keep running into the same issue, maybe a bug? Very interested in how the CentOS cloud images were created and whether the people building these ran into the same issue.
I am following these few steps:
1. create new CentOS 7 installation using virt-install and a kickstart to create base_image. nothing special is done, just using the CentOS 7 iso contents to do a minimal install + cloud-init
2. run virt-sysprep on this created base_image
3. create new kvm vm using a copy of the sysprepped disk file
Because I do this all locally on my laptop I am using a config-drive iso that cloud-init is using to read meta-data and user-data files.
The newly created vm is booted up, console connected, and it arrives at the prompt without having completed the various cloud-init steps.
<snip boot messages>
[ 6.683676] ip_tables: (C) 2000-2006 Netfilter Core Team
[ 6.823284] nf_conntrack version 0.5.0 (7947 buckets, 31788 max)
[ 6.885987] ip6_tables: (C) 2000-2006 Netfilter Core Team
[ 7.076775] Ebtables v2.0 registered
[ 7.099351] Bridge firewalling registered
cloud-init[576]: Cloud-init v. 0.7.5 running 'init-local' at Fri, 11 Sep 2015 20:02:31 +0000. Up 7.13 seconds.
CentOS Linux 7 (Core) Kernel 3.10.0-229.el7.x86_64 on an x86_64
localhost login:
And then nothing...
Investigating:
[root@localhost ~]# systemctl status cloud-init-local.service -l
cloud-init-local.service - Initial cloud-init job (pre-networking)
   Loaded: loaded (/usr/lib/systemd/system/cloud-init-local.service; enabled)
   Active: activating (start) since Fri 2015-09-11 22:18:45 CEST; 41s ago
 Main PID: 583 (cloud-init)
   CGroup: /system.slice/cloud-init-local.service
           ├─ 583 /usr/bin/python /usr/bin/cloud-init init --local
           ├─ 879 tee -a /var/log/cloud-init-output.log
           ├─1114 /bin/bash /etc/sysconfig/network-scripts/ifup-eth ifcfg-eth0
           └─4433 /usr/bin/python -Es /usr/bin/firewall-cmd --zone= --change-interface=eth0

Sep 11 22:18:47 localhost.localdomain cloud-init[583]: [CLOUDINIT] util.py[DEBUG]: Writing to /etc/sysconfig/network-scripts/ifcfg-eth0 - wb: [420] 253 bytes
Sep 11 22:18:47 localhost.localdomain cloud-init[583]: [CLOUDINIT] util.py[DEBUG]: Restoring selinux mode for /etc/sysconfig/network-scripts/ifcfg-eth0 (recursive=False)
Sep 11 22:18:47 localhost.localdomain cloud-init[583]: [CLOUDINIT] util.py[DEBUG]: Restoring selinux mode for /etc/sysconfig/network-scripts/ifcfg-eth0 (recursive=False)
Sep 11 22:18:47 localhost.localdomain cloud-init[583]: [CLOUDINIT] util.py[DEBUG]: Reading from /etc/sysconfig/network (quiet=False)
Sep 11 22:18:47 localhost.localdomain cloud-init[583]: [CLOUDINIT] util.py[DEBUG]: Read 37 bytes from /etc/sysconfig/network
Sep 11 22:18:47 localhost.localdomain cloud-init[583]: [CLOUDINIT] util.py[DEBUG]: Writing to /etc/sysconfig/network - wb: [420] 52 bytes
Sep 11 22:18:47 localhost.localdomain cloud-init[583]: [CLOUDINIT] util.py[DEBUG]: Restoring selinux mode for /etc/sysconfig/network (recursive=False)
Sep 11 22:18:47 localhost.localdomain cloud-init[583]: [CLOUDINIT] util.py[DEBUG]: Restoring selinux mode for /etc/sysconfig/network (recursive=False)
Sep 11 22:18:47 localhost.localdomain cloud-init[583]: [CLOUDINIT] __init__.py[DEBUG]: Attempting to run bring up interface eth0 using command ['ifup', 'eth0']
Sep 11 22:18:47 localhost.localdomain cloud-init[583]: [CLOUDINIT] util.py[DEBUG]: Running command ['ifup', 'eth0'] with allowed return codes [0] (shell=False, capture=True)
[root@localhost ~]# grep denied /var/log/audit/audit.log
type=USER_AVC msg=audit(1442002754.912:331): pid=589 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_return dest=:1.4 spid=578 tpid=4433 scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:system_r:cloud_init_t:s0 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
[root@localhost ~]# audit2allow -a -M test
module test 1.0;

require {
	type cloud_init_t;
	type firewalld_t;
	class dbus send_msg;
}

#============= firewalld_t ==============
allow firewalld_t cloud_init_t:dbus send_msg;
Now with SELinux disabled everything works fine; but that's not really something I prefer to do outside of initial testing.
Googling: 'Running command ['ifup', 'eth0'] with allowed return codes [0] (shell=False, capture=True)' returned this: https://bugzilla.redhat.com/show_bug.cgi?id=1126096
But that bug report is now 1 year old...
Either I am doing something wrong or other people have run into this same issue, no?
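The USER_AVC record quoted in the post carries everything audit2allow needs (source type, target type, object class and the denied permission), so the one-line allow rule it printed can be derived straight from the log and checked against the denial before any policy change is made. The following is an added example, not code from the post or from the audit2allow project: it parses AVC denial lines from audit.log and emits type-enforcement source in the same shape, using the record above as a constructed sample; it also goes beyond the single record by merging several denials into one require block and one allow rule per source/target/class.

```python
import re
from collections import namedtuple

# Constructed sample: the USER_AVC record quoted in the post, as one audit.log line.
SAMPLE_AUDIT_LOG = (
    "type=USER_AVC msg=audit(1442002754.912:331): pid=589 uid=81 auid=4294967295 "
    "ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 "
    "msg='avc: denied { send_msg } for msgtype=method_return dest=:1.4 spid=578 tpid=4433 "
    "scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:system_r:cloud_init_t:s0 "
    "tclass=dbus exe=\"/usr/bin/dbus-daemon\" sauid=81 hostname=? addr=? terminal=?'\n"
)

# Matches kernel AVC records and the USER_AVC records dbus-daemon emits for bus policy.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)
# source_type: denied process type (firewalld_t); target_type: what it reached for
# (cloud_init_t); tclass: object class (dbus); perms: sorted tuple of denied permissions.
Denial = namedtuple("Denial", "source_type target_type tclass perms")

def selinux_type(context: str) -> str:
    return context.split(":")[2]  # user:role:type[:range] -> type

def parse_denials(log_text: str) -> list:
    found = []
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m:
            found.append(Denial(selinux_type(m["scontext"]), selinux_type(m["tcontext"]),
                                m["tclass"], tuple(sorted(m["perms"].split()))))
    return found

def fmt_perms(perms) -> str:
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"

def te_module(name: str, denials: list) -> str:
    # Emit type-enforcement (.te) source in the same shape audit2allow prints it.
    types = sorted({t for d in denials for t in (d.source_type, d.target_type)})
    classes = {}
    for d in denials:
        classes.setdefault(d.tclass, set()).update(d.perms)
    out = [f"module {name} 1.0;", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {fmt_perms(p)};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    out += sorted({f"allow {d.source_type} {d.target_type}:{d.tclass} {fmt_perms(d.perms)};"
                   for d in denials})
    return "\n".join(out) + "\n"
```

Running `te_module("test", parse_denials(SAMPLE_AUDIT_LOG))` reproduces the `allow firewalld_t cloud_init_t:dbus send_msg;` rule from the post, which confirms the denial maps to exactly one access vector: firewalld's D-Bus reply to cloud-init's firewall-cmd call.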