From b98e2b1349a48b8d997c16471f6bb2cac2cb02ee Mon Sep 17 00:00:00 2001
From: Ned Petrov
Date: Tue, 9 Jun 2026 07:42:52 +0300
Subject: [PATCH] Remove CentOS-specific code and assets

CentOS stemcells are no longer built, so this drops dead stages, assets, and code paths. Also removes the default_su_directive override (already removed on ubuntu-noble), which silently overrode the correct 'su root syslog' set globally in ubuntu-logrotate.conf.
---
 bosh-stemcell/lib/shellout_types/service.rb | 2 +-
 .../spec/support/stemcell_shared_examples.rb | 8 ---
 .../stages/bosh_audit_centos/apply.sh | 32 ----------
 .../stages/image_install_grub/apply.sh | 6 +-
 .../stages/image_install_grub_efi/apply.sh | 6 +-
 .../apply.sh | 6 +-
 .../stages/logrotate_config/apply.sh | 5 --
 .../assets/centos-logrotate.conf | 58 -------------------
 .../assets/default_su_directive | 5 --
 .../assets/centos/password-auth.patch | 6 --
 .../assets/centos/system-auth.patch | 13 -----
 .../stages/system_open_vm_tools/apply.sh | 1 -
 12 files changed, 10 insertions(+), 138 deletions(-)
 delete mode 100755 stemcell_builder/stages/bosh_audit_centos/apply.sh
 delete mode 100644 stemcell_builder/stages/logrotate_config/assets/centos-logrotate.conf
 delete mode 100644 stemcell_builder/stages/logrotate_config/assets/default_su_directive
 delete mode 100644 stemcell_builder/stages/password_policies/assets/centos/password-auth.patch
 delete mode 100644 stemcell_builder/stages/password_policies/assets/centos/system-auth.patch
diff --git a/bosh-stemcell/lib/shellout_types/service.rb b/bosh-stemcell/lib/shellout_types/service.rb
index ef80fa174d..476b7b4ada 100644
--- a/bosh-stemcell/lib/shellout_types/service.rb
+++ b/bosh-stemcell/lib/shellout_types/service.rb
@@ -27,7 +27,7 @@ def check_service_enabled(runlevel)
 stdout, stderr, status = @chroot.run("cat", "/etc/*release")
 raise stderr.to_s if status != 0
- raise "Cannot determine Linux distribution: #{stdout}" unless /Ubuntu|CentOS|openSUSE/.match?(stdout)
+ raise "Cannot determine Linux distribution: #{stdout}" unless /Ubuntu|openSUSE/.match?(stdout)
 check_is_enabled_systemctl
 end
diff --git a/bosh-stemcell/spec/support/stemcell_shared_examples.rb b/bosh-stemcell/spec/support/stemcell_shared_examples.rb
index 232c596366..477a1a7329 100644
--- a/bosh-stemcell/spec/support/stemcell_shared_examples.rb
+++ b/bosh-stemcell/spec/support/stemcell_shared_examples.rb
@@ -160,13 +160,5 @@
 end
 end
 end
-
- describe "default su directive" do
- describe file("/etc/logrotate.d/default_su_directive") do
- it "does `su root root` after any leading comments" do
- expect(subject.content).to match(/\A(#.*\n)*su root root\Z/)
- end
- end
- end
 end
 end
diff --git a/stemcell_builder/stages/bosh_audit_centos/apply.sh b/stemcell_builder/stages/bosh_audit_centos/apply.sh
deleted file mode 100755
index 21614455c6..0000000000
--- a/stemcell_builder/stages/bosh_audit_centos/apply.sh
+++ /dev/null
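Review bot: The regex on the changed `raise` line now accepts only Ubuntu and openSUSE, but the hunk does not say why those two are interchangeable for the call that follows, so a reader has to work out that both are expected to be systemd-managed before `check_is_enabled_systemctl` runs. A comment above the check, `# Only Ubuntu and openSUSE stemcells are built; both are verified through systemctl`, would record that. The pattern is unanchored and is applied to the concatenated output of `cat /etc/*release`, so it acts as a sanity gate rather than a distro selector; if that is the intent, saying so in the same comment keeps a future contributor from reintroducing a per-distro branch here. The enclosing `check_service_enabled` starts before the hunk, and its `runlevel` parameter is not referenced on the visible lines.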
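Review bot: The removed `default su directive` example was the only spec in this hunk asserting which `su` directive logrotate ends up with, and nothing replaces it, so the `su root syslog` value the commit description calls the correct one is now untested. Since the description states that value is set globally in ubuntu-logrotate.conf, a replacement example targeting `file("/etc/logrotate.conf")` with `expect(subject.content).to match(/^\s*su root syslog\s*$/)` would catch a future drop-in under `/etc/logrotate.d` that overrides it, which is exactly the regression this commit is undoing. Whether `/etc/logrotate.conf` is the path that asset is installed to is not visible in this diff and should be confirmed against the logrotate_config stage. The enclosing shared example group starts before the hunk.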
@@ -1,32 +0,0 @@
-#!/usr/bin/env bash
-
-set -e
-
-base_dir=$(readlink -nf $(dirname $0)/../..)
-source $base_dir/stages/bosh_audit/shared_functions.bash
-source $base_dir/lib/prelude_bosh.bash
-
-pkg_mgr install audit
-
-run_in_bosh_chroot $chroot "systemctl disable auditd.service"
-
-write_shared_audit_rules
-
-echo '
--a always,exit -F perm=x -F auid>=500 -F auid!=4294967295 -F path=/usr/lib64/dbus-1/dbus-daemon-launch-helper -k privileged
--a always,exit -F perm=x -F auid>=500 -F auid!=4294967295 -F path=/usr/libexec/openssh/ssh-keysign -k privileged
--a always,exit -F perm=x -F auid>=500 -F auid!=4294967295 -F path=/usr/libexec/sssd/krb5_child -k privileged
--a always,exit -F perm=x -F auid>=500 -F auid!=4294967295 -F path=/usr/libexec/sssd/ldap_child -k privileged
--a always,exit -F perm=x -F auid>=500 -F auid!=4294967295 -F path=/usr/libexec/sssd/p11_child -k privileged
--a always,exit -F perm=x -F auid>=500 -F auid!=4294967295 -F path=/usr/libexec/sssd/proxy_child -k privileged
--a always,exit -F perm=x -F auid>=500 -F auid!=4294967295 -F path=/usr/libexec/sssd/selinux_child -k privileged
--a always,exit -F perm=x -F auid>=500 -F auid!=4294967295 -F path=/usr/libexec/utempter/utempter -k privileged
-' >> $chroot/etc/audit/rules.d/audit.rules
-
-# for stig V-38663: brings file permissions in aligment with what is declared by the RPM database
-# this is techinically not necessary as per the stig definition, but our tests are not as lenient as the stig is
-chmod 640 $chroot/etc/audit/rules.d/audit.rules
-
-record_use_of_privileged_binaries
-
-override_default_audit_variables
diff --git a/stemcell_builder/stages/image_install_grub/apply.sh b/stemcell_builder/stages/image_install_grub/apply.sh
index 470122f7d1..af271b0496 100755
--- a/stemcell_builder/stages/image_install_grub/apply.sh
+++ b/stemcell_builder/stages/image_install_grub/apply.sh
@@ -37,15 +37,15 @@ add_on_exit "umount ${image_mount_point}"
 # == Guide to variables in this script (all paths are defined relative to the real root dir, not the chroot)
 # work: the base working directory outside the chroot
-# eg: /mnt/stemcells/aws/xen/centos/work/work
+# eg: /mnt/stemcells/aws/xen/ubuntu/work/work
 # disk_image: path to the stemcell disk image
-# eg: /mnt/stemcells/aws/xen/centos/work/work/aws-xen-centos.raw
+# eg: /mnt/stemcells/aws/xen/ubuntu/work/work/aws-xen-ubuntu.raw
 # device: path to the loopback devide mapped to the entire disk image
 # eg: /dev/loop0
 # loopback_dev: device node mapped to the main partition in disk_image
 # eg: /dev/mapper/loop0p1
 # image_mount_point: place where loopback_dev is mounted as a filesystem
-# eg: /mnt/stemcells/aws/xen/centos/work/work/mnt
+# eg: /mnt/stemcells/aws/xen/ubuntu/work/work/mnt
 # Generate random password
 random_password=$(tr -dc A-Za-z0-9_ < /dev/urandom | head -c 16)
diff --git a/stemcell_builder/stages/image_install_grub_efi/apply.sh b/stemcell_builder/stages/image_install_grub_efi/apply.sh
index 01a23c2125..9c18196db0 100755
--- a/stemcell_builder/stages/image_install_grub_efi/apply.sh
+++ b/stemcell_builder/stages/image_install_grub_efi/apply.sh
@@ -38,9 +38,9 @@ add_on_exit "umount ${image_mount_point}/boot/efi"
 # == Guide to variables in this script (all paths are defined relative to the real root dir, not the chroot)
 # work: the base working directory outside the chroot
-# eg: /mnt/stemcells/aws/xen/centos/work/work
+# eg: /mnt/stemcells/aws/xen/ubuntu/work/work
 # disk_image: path to the stemcell disk image
-# eg: /mnt/stemcells/aws/xen/centos/work/work/aws-xen-centos.raw
+# eg: /mnt/stemcells/aws/xen/ubuntu/work/work/aws-xen-ubuntu.raw
 # device: path to the loopback devide mapped to the entire disk image
 # eg: /dev/loop0
 # loopback_efi_dev: device node mapped to the EFI boot ("/boot/efi") partition in disk_image
@@ -48,7 +48,7 @@ add_on_exit "umount ${image_mount_point}/boot/efi"
 # loopback_root_dev: device node mapped to the root partition ("/") in disk_image
 # eg: /dev/mapper/loop0p2
 # image_mount_point: place where loopback_dev is mounted as a filesystem
-# eg: /mnt/stemcells/aws/xen/centos/work/work/mnt
+# eg: /mnt/stemcells/aws/xen/ubuntu/work/work/mnt
 # Generate random password
 random_password=$(tr -dc A-Za-z0-9_ < /dev/urandom | head -c 16)
diff --git a/stemcell_builder/stages/image_install_grub_softlayer_two_partitions/apply.sh b/stemcell_builder/stages/image_install_grub_softlayer_two_partitions/apply.sh
index 094911477b..184c836ab7 100755
--- a/stemcell_builder/stages/image_install_grub_softlayer_two_partitions/apply.sh
+++ b/stemcell_builder/stages/image_install_grub_softlayer_two_partitions/apply.sh
@@ -42,15 +42,15 @@ add_on_exit "umount ${image_mount_point}/boot"
 # == Guide to variables in this script (all paths are defined relative to the real root dir, not the chroot)
 # work: the base working directory outside the chroot
-# eg: /mnt/stemcells/aws/xen/centos/work/work
+# eg: /mnt/stemcells/aws/xen/ubuntu/work/work
 # disk_image: path to the stemcell disk image
-# eg: /mnt/stemcells/aws/xen/centos/work/work/aws-xen-centos.raw
+# eg: /mnt/stemcells/aws/xen/ubuntu/work/work/aws-xen-ubuntu.raw
 # device: path to the loopback devide mapped to the entire disk image
 # eg: /dev/loop0
 # loopback_dev: device node mapped to the main partition in disk_image
 # eg: /dev/mapper/loop0p1
 # image_mount_point: place where loopback_dev is mounted as a filesystem
-# eg: /mnt/stemcells/aws/xen/centos/work/work/mnt
+# eg: /mnt/stemcells/aws/xen/ubuntu/work/work/mnt
 # Generate random password
 random_password=$(tr -dc A-Za-z0-9_ < /dev/urandom | head -c 16)
diff --git a/stemcell_builder/stages/logrotate_config/apply.sh b/stemcell_builder/stages/logrotate_config/apply.sh
index 9d0dccc124..91058a9d70 100755
--- a/stemcell_builder/stages/logrotate_config/apply.sh
+++ b/stemcell_builder/stages/logrotate_config/apply.sh
@@ -32,15 +32,10 @@ install_logrotate_cron_script() {
 sed -i -e 's/^\s*\(\/usr\/sbin\/logrotate\)\b/nice -n 19 ionice -c3 \1/' "$chroot/usr/bin/logrotate-cron"
 }
-install_default_su_directive() {
- cp -f "$assets_dir/default_su_directive" "$chroot/etc/logrotate.d/default_su_directive"
-}
-
 install_logrotate_conf
 install_setup_logrotate_script
 seed_default_logrotate_cronjob
 install_logrotate_cron_script
-install_default_su_directive
 ## TODO: either remove /etc/logrotate.d/{wtmp,btmp}
 ## or remove it from logrotate.conf and copy over the default created wtmp,btmp files
diff --git a/stemcell_builder/stages/logrotate_config/assets/centos-logrotate.conf b/stemcell_builder/stages/logrotate_config/assets/centos-logrotate.conf
deleted file mode 100644
index d7b4e4d00f..0000000000
--- a/stemcell_builder/stages/logrotate_config/assets/centos-logrotate.conf
+++ /dev/null
@@ -1,58 +0,0 @@
-# see "man logrotate" for details
-# rotate log files weekly
-weekly
-
-# keep 4 weeks worth of backlogs
-rotate 4
-
-# create new (empty) log files after rotating old ones
-create
-
-# use date as a suffix of the rotated file
-dateext
-
-# uncomment this if you want your log files compressed
-#compress
-
-# RPM packages drop log rotation information into this directory
-include /etc/logrotate.d
-
-## no packages own wtmp and btmp -- we'll rotate them here
-#/var/log/wtmp {
-# monthly
-# create 0664 root utmp
-# minsize 1M
-# rotate 1
-#}
-#
-#/var/log/btmp {
-# missingok
-# monthly
-# create 0600 root utmp
-# rotate 1
-#}
-
-# no packages own wtmp and btmp -- we'll rotate them here
-/var/log/wtmp {
- missingok
- create 0664 root utmp
- rotate 4
- nodateext
- size 5M
- notifempty
- compress
- delaycompress
-}
-
-/var/log/btmp {
- missingok
- create 0600 root utmp
- rotate 4
- nodateext
- size 5M
- notifempty
- compress
- delaycompress
-}
-
-# system-specific logs may be also be configured here.
\ No newline at end of file
diff --git a/stemcell_builder/stages/logrotate_config/assets/default_su_directive b/stemcell_builder/stages/logrotate_config/assets/default_su_directive
deleted file mode 100644
index 0e7331f8be..0000000000
--- a/stemcell_builder/stages/logrotate_config/assets/default_su_directive
+++ /dev/null
@@ -1,5 +0,0 @@
-# logrotate on CentOS refuses to rotate logs in /var/log because the
-# directory is owned by root:syslog and not root:root.
-# logrotate is placated by the su directive, telling syslog what user:group
-# to rotate files with. Defaulting to root:root
-su root root
diff --git a/stemcell_builder/stages/password_policies/assets/centos/password-auth.patch b/stemcell_builder/stages/password_policies/assets/centos/password-auth.patch
deleted file mode 100644
index 9de29cdd99..0000000000
--- a/stemcell_builder/stages/password_policies/assets/centos/password-auth.patch
+++ /dev/null
@@ -1,6 +0,0 @@
-5c5,7
-< auth sufficient pam_unix.so try_first_pass
----
-> auth [success=1 default=bad] pam_unix.so try_first_pass
-> auth [default=die] pam_faillock.so authfail deny=5 unlock_time=900 fail_interval=900
-> auth sufficient pam_faillock.so authsucc deny=5 unlock_time=900 fail_interval=900
diff --git a/stemcell_builder/stages/password_policies/assets/centos/system-auth.patch b/stemcell_builder/stages/password_policies/assets/centos/system-auth.patch
deleted file mode 100644
index 73f091439b..0000000000
--- a/stemcell_builder/stages/password_policies/assets/centos/system-auth.patch
+++ /dev/null
@@ -1,13 +0,0 @@
-5c5,7
-< auth sufficient pam_unix.so try_first_pass
----
-> auth [success=1 default=bad] pam_unix.so try_first_pass
-> auth [default=die] pam_faillock.so authfail deny=5 unlock_time=900 fail_interval=900
-> auth sufficient pam_faillock.so authsucc deny=5 unlock_time=900 fail_interval=900
-11c13,14
-< password sufficient pam_unix.so try_first_pass use_authtok sha512 shadow
----
-> password required pam_cracklib.so retry=3 minlen=14 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=-1
-> password sufficient pam_unix.so try_first_pass use_authtok sha512 shadow remember=24 minlen=14
-18a19
-> session required pam_lastlog.so showfailed
diff --git a/stemcell_builder/stages/system_open_vm_tools/apply.sh b/stemcell_builder/stages/system_open_vm_tools/apply.sh
index d2adf6a224..e11b27ff5e 100755
--- a/stemcell_builder/stages/system_open_vm_tools/apply.sh
+++ b/stemcell_builder/stages/system_open_vm_tools/apply.sh
@@ -6,7 +6,6 @@ base_dir=$(readlink -nf $(dirname $0)/../..)
 source $base_dir/lib/prelude_apply.bash
 source $base_dir/lib/prelude_bosh.bash
-# Installation on CentOS requires v7
 pkg_mgr install open-vm-tools
 # open-vm-tools installs unwanted fusermount binary