2 commits - ec2/fedora-18-i386-ec2.ks ec2/fedora-18-x86_64-ec2.ks


 



 ec2/fedora-18-i386-ec2.ks   |   37 +++++++++++++++++++++++++++++++------
 ec2/fedora-18-x86_64-ec2.ks |    3 +++
 2 files changed, 34 insertions(+), 6 deletions(-)

New commits:
commit 327bbe79ed8c493828ea14d1f1351fe5d4933377
Author: Matthew Miller <mattdm@xxxxxxxxxx>
Date:   Wed Jan 2 09:04:37 2013 -0500

    amazon is still carrying this tweak in their own images

diff --git a/ec2/fedora-18-i386-ec2.ks b/ec2/fedora-18-i386-ec2.ks
index 32da6cc..2584f6d 100644
--- a/ec2/fedora-18-i386-ec2.ks
+++ b/ec2/fedora-18-i386-ec2.ks
@@ -70,6 +70,9 @@ LABEL=_/   /         ext4    defaults        1 1
 EOF
 echo .
 
+# workaround xen performance issue (bz 651861)
+echo "hwcap 1 nosegneg" > /etc/ld.so.conf.d/libc6-xen.conf
+
 echo -n "Grub tweaks"
 echo GRUB_TIMEOUT=0 > /etc/default/grub
 sed -i '1i# This file is for use with pv-grub; legacy grub is not installed in this image' /boot/grub/grub.conf
diff --git a/ec2/fedora-18-x86_64-ec2.ks b/ec2/fedora-18-x86_64-ec2.ks
index 8e33752..7e78e37 100644
--- a/ec2/fedora-18-x86_64-ec2.ks
+++ b/ec2/fedora-18-x86_64-ec2.ks
@@ -70,6 +70,9 @@ LABEL=_/   /         ext4    defaults        1 1
 EOF
 echo .
 
+# workaround xen performance issue (bz 651861)
+echo "hwcap 1 nosegneg" > /etc/ld.so.conf.d/libc6-xen.conf
+
 echo -n "Grub tweaks"
 echo GRUB_TIMEOUT=0 > /etc/default/grub
 sed -i '1i# This file is for use with pv-grub; legacy grub is not installed in this image' /boot/grub/grub.conf
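Review bot: The `nosegneg` hwcap entry added here looks specific to 32-bit glibc under Xen, so in the x86_64 kickstart it is probably a no-op; as far as I know only the i686 glibc build ships a `nosegneg` library variant. If the line is kept for parity with the i386 file, the comment should say so, for example `# workaround xen performance issue (bz 651861); i686-only effect, kept for parity with the i386 config`. The same two lines are added to ec2/fedora-18-i386-ec2.ks in the preceding hunk, where the comment would also benefit from naming which bug tracker `bz` refers to. The script section around both hunks starts and ends outside them.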


commit 855c218eb387bcb9defed1acb95d0524e3c999c3
Author: Matthew Miller <mattdm@xxxxxxxxxx>
Date:   Wed Jan 2 09:00:46 2013 -0500

    bring in changes from x86_64 config

diff --git a/ec2/fedora-18-i386-ec2.ks b/ec2/fedora-18-i386-ec2.ks
index 1f0dcbb..32da6cc 100644
--- a/ec2/fedora-18-i386-ec2.ks
+++ b/ec2/fedora-18-i386-ec2.ks
@@ -6,11 +6,6 @@
 #
 # Note that unlike the standard F18 install, this image has /tmp on disk
 # rather than in tmpfs, since memory is usually at a premium.
-#
-# It additionally configures _no_ local firewall, in line with EC2
-# recommendations that security groups be used instead.
-
-
 
 lang en_US.UTF-8
 keyboard us
@@ -19,7 +14,9 @@ timezone --utc America/New_York
 auth --useshadow --enablemd5
 selinux --enforcing
 
-firewall --disabled
+# this is actually not used, but a static firewall
+# matching these rules is generated below.
+firewall --service=ssh
 
 bootloader --timeout=0 --location=mbr --driveorder=sda
 
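Review bot: `firewall --service=ssh` is documented as unused, which leaves two descriptions of the firewall policy that can drift apart: this directive and the static `/etc/sysconfig/iptables` written further down. The comment should state which one is authoritative and why the directive has no effect (presumably because firewalld is removed later), e.g. `# Not applied: firewalld is removed below and /etc/sysconfig/iptables is written by hand; keep the two in sync.` Separately, the context line `auth --useshadow --enablemd5` selects MD5 password hashes; `--passalgo=sha512` would be the stronger setting if local passwords are ever set on instances built from this image.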
@@ -46,6 +43,10 @@ cloud-init
 # Needed initially, but removed below.
 firewalld
 
+# Basic firewall. If you're going to rely on your cloud service's
+# security groups you can remove this.
+iptables-services
+
 # cherry-pick a few things from @standard
 tmpwatch
 tar
@@ -104,6 +105,27 @@ yum -C -y remove linux-firmware
 echo "Removing firewalld."
 yum -C -y remove firewalld
 
+# Non-firewalld-firewall
+echo -n "Writing static firewall"
+cat <<EOF > /etc/sysconfig/iptables
+# Simple static firewall loaded by iptables.service. Replace
+# this with your own custom rules, run lokkit, or switch to 
+# shorewall or firewalld as your needs dictate.
+*filter
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
+-A INPUT -p icmp -j ACCEPT
+-A INPUT -i lo -j ACCEPT
+-A INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 22 -j ACCEPT
+#-A INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 80 -j ACCEPT
+#-A INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 443 -j ACCEPT
+-A INPUT -j REJECT --reject-with icmp-host-prohibited
+-A FORWARD -j REJECT --reject-with icmp-host-prohibited
+COMMIT
+EOF
+echo .
 
 # Because memory is scarce resource in most cloud/virt environments,
 # and because this impedes forensics, we are differing from the Fedora
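Review bot: The static ruleset covers IPv4 only, and nothing in this hunk enables the service that loads it. The heredoc's own comment says the file is loaded by iptables.service, so unless that unit is enabled elsewhere in the kickstart the image may boot with no filtering at all; consider adding `systemctl enable iptables.service` after the heredoc, or confirm where it is enabled. No `/etc/sysconfig/ip6tables` is written either, so inbound IPv6 stays unfiltered wherever an instance has an IPv6 address; a matching ip6tables ruleset that still permits ICMPv6 would close that gap. The script section this hunk sits in starts and ends outside the hunk.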

