Make sure /etc/tmpfiles.d is empty in the image.

Man tmpfiles.d(5) says: Packages should install their configuration files in /usr/lib/tmpfiles.d. Files in /etc/tmpfiles.d are reserved for the local administrator, who may use this logic to override the configuration files installed by vendor packages.
cloyne · Nov 8, 2018 · e1bdd0d · e1bdd0d
1 parent 4220610
commit e1bdd0d
Show file tree

Hide file tree

Showing 14 changed files with 73 additions and 31 deletions.
diff --git a/Dockerfile.centos-7 b/Dockerfile.centos-7
@@ -25,7 +25,7 @@ RUN patch --verbose -p0 --fuzz=0 < /root/basic-centos-7.patch
 RUN find /etc/systemd/system /usr/lib/systemd/system/{basic,multi-user,sysinit}.target.wants -type l | xargs rm -v
 COPY patches/minimal-centos-7.patch /root/
 RUN patch --verbose -p0 --fuzz=0 < /root/minimal-centos-7.patch
-# debug: RUN ! find /etc/systemd/system /usr/lib/systemd/system/{basic,multi-user,sysinit}.target.wants -type f | grep .
+# debug: RUN ! find /etc/systemd/system /usr/lib/systemd/system/{basic,multi-user,sysinit}.target.wants /etc/tmpfiles.d -type f | grep .
 
 COPY container-ipa.target /usr/lib/systemd/system/
 RUN systemctl set-default container-ipa.target

diff --git a/Dockerfile.fedora-23 b/Dockerfile.fedora-23
@@ -19,7 +19,7 @@ STOPSIGNAL RTMIN+3
 RUN find /etc/systemd/system /usr/lib/systemd/system/{basic,multi-user,sysinit}.target.wants -type l | xargs rm -v
 COPY patches/minimal-fedora-23.patch /root/
 RUN patch --verbose -p0 --fuzz=0 < /root/minimal-fedora-23.patch
-# debug: RUN ! find /etc/systemd/system /usr/lib/systemd/system/{basic,multi-user,sysinit}.target.wants -type f | grep .
+# debug: RUN ! find /etc/systemd/system /usr/lib/systemd/system/{basic,multi-user,sysinit}.target.wants /etc/tmpfiles.d -type f | grep .
 
 COPY container-ipa.target /usr/lib/systemd/system/
 RUN systemctl set-default container-ipa.target
@@ -30,8 +30,6 @@ RUN echo 0123456789abcdef0000000000000000 > /etc/machine-id && systemd-tmpfiles
 RUN rm -v /var/lib/systemd/random-seed
 # test: systemd-container-diff.sh list-dependencies-fedora-23.out docker-diff-minimal-fedora-23.exceptions docker-diff-minimal-fedora-23.out
 
-RUN echo 'd0a98590c74bfe36af0ce006f7b25fa60246aecb /etc/tmpfiles.d/opendnssec.conf' | sha1sum --quiet -c && mv -v /etc/tmpfiles.d/opendnssec.conf /usr/lib/tmpfiles.d/opendnssec.conf
-
 RUN /sbin/ldconfig -X
 
 COPY init-data /usr/local/sbin/init

diff --git a/Dockerfile.fedora-24 b/Dockerfile.fedora-24
@@ -19,7 +19,7 @@ STOPSIGNAL RTMIN+3
 RUN find /etc/systemd/system /usr/lib/systemd/system/{basic,multi-user,sysinit}.target.wants -type l | xargs rm -v
 COPY patches/minimal-fedora-24.patch /root/
 RUN patch --verbose -p0 --fuzz=0 < /root/minimal-fedora-24.patch
-# debug: RUN ! find /etc/systemd/system /usr/lib/systemd/system/{basic,multi-user,sysinit}.target.wants -type f | grep .
+# debug: RUN ! find /etc/systemd/system /usr/lib/systemd/system/{basic,multi-user,sysinit}.target.wants /etc/tmpfiles.d -type f | grep .
 
 COPY container-ipa.target /usr/lib/systemd/system/
 RUN systemctl set-default container-ipa.target
@@ -38,8 +38,6 @@ RUN sed -i 's/ips.append(ipautil.CheckedIPAddress(ha, match_local=True))/ips.app
 # Avoid /usr/lib/python3.5/site-packages/SSSDConfig/__pycache__ changes in runtime
 RUN python3 -c 'import SSSDConfig'
 
-RUN echo 'd0a98590c74bfe36af0ce006f7b25fa60246aecb /etc/tmpfiles.d/opendnssec.conf' | sha1sum --quiet -c && mv -v /etc/tmpfiles.d/opendnssec.conf /usr/lib/tmpfiles.d/opendnssec.conf
-
 RUN /sbin/ldconfig -X
 
 COPY init-data /usr/local/sbin/init

diff --git a/Dockerfile.fedora-25 b/Dockerfile.fedora-25
@@ -18,7 +18,7 @@ STOPSIGNAL RTMIN+3
 RUN find /etc/systemd/system /usr/lib/systemd/system/{basic,multi-user,sysinit}.target.wants -type l | xargs rm -v
 COPY patches/minimal-fedora-25.patch /root/
 RUN patch --verbose -p0 --fuzz=0 < /root/minimal-fedora-25.patch
-# debug: RUN ! find /etc/systemd/system /usr/lib/systemd/system/{basic,multi-user,sysinit}.target.wants -type f | grep .
+# debug: RUN ! find /etc/systemd/system /usr/lib/systemd/system/{basic,multi-user,sysinit}.target.wants /etc/tmpfiles.d -type f | grep .
 
 COPY container-ipa.target /usr/lib/systemd/system/
 RUN systemctl set-default container-ipa.target
@@ -37,8 +37,6 @@ RUN sed -i "s/(list, 'ip-local')/(list, 'ip')/" /usr/lib/python2.7/site-packages
 # Workaround https://fedorahosted.org/freeipa/ticket/6518
 RUN sed -i 's/getaddrinfo(fqdn/getaddrinfo(fqdn.rstrip(".")/' /usr/lib/python2.7/site-packages/ipaserver/install/installutils.py && python -m compileall /usr/lib/python2.7/site-packages/ipaserver/install/installutils.py
 
-RUN echo 'd0a98590c74bfe36af0ce006f7b25fa60246aecb /etc/tmpfiles.d/opendnssec.conf' | sha1sum --quiet -c && mv -v /etc/tmpfiles.d/opendnssec.conf /usr/lib/tmpfiles.d/opendnssec.conf
-
 RUN /sbin/ldconfig -X
 
 COPY init-data /usr/local/sbin/init

diff --git a/Dockerfile.fedora-26 b/Dockerfile.fedora-26
@@ -16,9 +16,9 @@ STOPSIGNAL RTMIN+3
 
 # Minimize the systemd setup
 RUN find /etc/systemd/system /usr/lib/systemd/system/{basic,multi-user,sysinit}.target.wants -type l | xargs rm -v
-COPY patches/minimal-fedora-25.patch /root/
-RUN patch --verbose -p0 --fuzz=0 < /root/minimal-fedora-25.patch
-# debug: RUN ! find /etc/systemd/system /usr/lib/systemd/system/{basic,multi-user,sysinit}.target.wants -type f | grep .
+COPY patches/minimal-fedora-26.patch /root/
+RUN patch --verbose -p0 --fuzz=0 < /root/minimal-fedora-26.patch
+# debug: RUN ! find /etc/systemd/system /usr/lib/systemd/system/{basic,multi-user,sysinit}.target.wants /etc/tmpfiles.d -type f | grep .
 
 COPY container-ipa.target /usr/lib/systemd/system/
 RUN systemctl set-default container-ipa.target

diff --git a/Dockerfile.fedora-27 b/Dockerfile.fedora-27
@@ -20,9 +20,9 @@ STOPSIGNAL RTMIN+3
 
 # Minimize the systemd setup
 RUN find /etc/systemd/system /usr/lib/systemd/system/{basic,multi-user,sysinit}.target.wants -type l | xargs rm -v
-COPY patches/minimal-fedora-25.patch /root/
-RUN patch --verbose -p0 --fuzz=0 < /root/minimal-fedora-25.patch
-# debug: RUN ! find /etc/systemd/system /usr/lib/systemd/system/{basic,multi-user,sysinit}.target.wants -type f | grep .
+COPY patches/minimal-fedora-26.patch /root/
+RUN patch --verbose -p0 --fuzz=0 < /root/minimal-fedora-26.patch
+# debug: RUN ! find /etc/systemd/system /usr/lib/systemd/system/{basic,multi-user,sysinit}.target.wants /etc/tmpfiles.d -type f | grep .
 
 COPY container-ipa.target /usr/lib/systemd/system/
 RUN systemctl set-default container-ipa.target

diff --git a/Dockerfile.fedora-28 b/Dockerfile.fedora-28
@@ -22,9 +22,9 @@ STOPSIGNAL RTMIN+3
 
 # Minimize the systemd setup
 RUN find /etc/systemd/system /usr/lib/systemd/system/{basic,multi-user,sysinit}.target.wants -type l | xargs rm -v
-COPY patches/minimal-fedora-25.patch /root/
-RUN patch --verbose -p0 --fuzz=0 < /root/minimal-fedora-25.patch
-# debug: RUN ! find /etc/systemd/system /usr/lib/systemd/system/{basic,multi-user,sysinit}.target.wants -type f | grep .
+COPY patches/minimal-fedora-26.patch /root/
+RUN patch --verbose -p0 --fuzz=0 < /root/minimal-fedora-26.patch
+# debug: RUN ! find /etc/systemd/system /usr/lib/systemd/system/{basic,multi-user,sysinit}.target.wants /etc/tmpfiles.d -type f | grep .
 
 COPY container-ipa.target /usr/lib/systemd/system/
 RUN systemctl set-default container-ipa.target

diff --git a/Dockerfile.fedora-rawhide b/Dockerfile.fedora-rawhide
@@ -20,9 +20,9 @@ STOPSIGNAL RTMIN+3
 
 # Minimize the systemd setup
 RUN find /etc/systemd/system /usr/lib/systemd/system/{basic,multi-user,sysinit}.target.wants -type l | xargs rm -v
-COPY patches/minimal-fedora-25.patch /root/
-RUN patch --verbose -p0 --fuzz=0 < /root/minimal-fedora-25.patch
-# debug: RUN ! find /etc/systemd/system /usr/lib/systemd/system/{basic,multi-user,sysinit}.target.wants -type f | grep .
+COPY patches/minimal-fedora-26.patch /root/
+RUN patch --verbose -p0 --fuzz=0 < /root/minimal-fedora-26.patch
+# debug: RUN ! find /etc/systemd/system /usr/lib/systemd/system/{basic,multi-user,sysinit}.target.wants /etc/tmpfiles.d -type f | grep .
 
 RUN ln -s /usr/lib/systemd/system/dbus-daemon.service /usr/lib/systemd/system/dbus.service
 COPY container-ipa.target /usr/lib/systemd/system/

diff --git a/Dockerfile.rhel-7 b/Dockerfile.rhel-7
@@ -23,7 +23,7 @@ RUN patch --verbose -p0 --fuzz=0 < /root/basic-centos-7.patch
 RUN find /etc/systemd/system /usr/lib/systemd/system/{basic,multi-user,sysinit}.target.wants -type l | xargs rm -v
 COPY patches/minimal-centos-7.patch /root/
 RUN patch --verbose -p0 --fuzz=0 < /root/minimal-centos-7.patch
-# debug: RUN ! find /etc/systemd/system /usr/lib/systemd/system/{basic,multi-user,sysinit}.target.wants -type f | grep .
+# debug: RUN ! find /etc/systemd/system /usr/lib/systemd/system/{basic,multi-user,sysinit}.target.wants /etc/tmpfiles.d -type f | grep .
 
 COPY container-ipa.target /usr/lib/systemd/system/
 RUN systemctl set-default container-ipa.target

diff --git a/patches/minimal-fedora-23.patch b/patches/minimal-fedora-23.patch
@@ -50,6 +50,17 @@
 +ExecStartPre=/usr/libexec/ipa/ipa-httpd-kdcproxy
 +ExecStopPost=-/usr/bin/kdestroy -A
 #
+# Move /etc/tmpfiles.d content to /usr/lib/tmpfiles.d
+#
+--- /etc/tmpfiles.d/opendnssec.conf    2016-02-01 12:14:52.000000000 +0000
++++ /dev/null  2018-09-17 08:06:53.663641878 +0000
+@@ -1 +0,0 @@
+-D /var/run/opendnssec 0755 ods ods -
+--- /dev/null  2018-09-17 08:06:53.663641878 +0000
++++ /usr/lib/tmpfiles.d/opendnssec.conf        2016-02-01 12:14:52.000000000 +0000
+@@ -0,0 +1 @@
++D /var/run/opendnssec 0755 ods ods -
+#
 # Avoid any default dependencies for targets that will be used.
 #
 --- /usr/lib/systemd/system/sysinit.target	2016-02-01 14:04:05.000000000 +0000

diff --git a/patches/minimal-fedora-24.patch b/patches/minimal-fedora-24.patch
@@ -51,6 +51,17 @@
 +ExecStartPre=/usr/libexec/ipa/ipa-httpd-kdcproxy
 +ExecStopPost=-/usr/bin/kdestroy -A
 #
+# Move /etc/tmpfiles.d content to /usr/lib/tmpfiles.d
+#
+--- /etc/tmpfiles.d/opendnssec.conf    2016-02-01 12:14:52.000000000 +0000
++++ /dev/null  2018-09-17 08:06:53.663641878 +0000
+@@ -1 +0,0 @@
+-D /var/run/opendnssec 0755 ods ods -
+--- /dev/null  2018-09-17 08:06:53.663641878 +0000
++++ /usr/lib/tmpfiles.d/opendnssec.conf        2016-02-01 12:14:52.000000000 +0000
+@@ -0,0 +1 @@
++D /var/run/opendnssec 0755 ods ods -
+#
 # Avoid any default dependencies for targets that will be used.
 #
 --- /usr/lib/systemd/system/sysinit.target	2016-02-01 14:04:05.000000000 +0000

diff --git a/patches/minimal-fedora-25.patch b/patches/minimal-fedora-25.patch
@@ -1,4 +1,15 @@
 #
+# Move /etc/tmpfiles.d content to /usr/lib/tmpfiles.d
+#
+--- /etc/tmpfiles.d/opendnssec.conf    2016-02-01 12:14:52.000000000 +0000
++++ /dev/null  2018-09-17 08:06:53.663641878 +0000
+@@ -1 +0,0 @@
+-D /var/run/opendnssec 0755 ods ods -
+--- /dev/null  2018-09-17 08:06:53.663641878 +0000
++++ /usr/lib/tmpfiles.d/opendnssec.conf        2016-02-01 12:14:52.000000000 +0000
+@@ -0,0 +1 @@
++D /var/run/opendnssec 0755 ods ods -
+#
 # Avoid any default dependencies for targets that will be used.
 #
 --- /usr/lib/systemd/system/sysinit.target	2016-02-01 14:04:05.000000000 +0000

diff --git a/patches/minimal-fedora-26.patch b/patches/minimal-fedora-26.patch
@@ -0,0 +1,23 @@
+#
+# Avoid any default dependencies for targets that will be used.
+#
+--- /usr/lib/systemd/system/sysinit.target	2016-02-01 14:04:05.000000000 +0000
++++ /usr/lib/systemd/system/sysinit.target	2018-10-19 20:05:31.937494953 +0000
+@@ -9,5 +9,5 @@
+ Description=System Initialization
+ Documentation=man:systemd.special(7)
+ Conflicts=emergency.service emergency.target
+-Wants=local-fs.target swap.target
++### Wants=local-fs.target swap.target
+ After=local-fs.target swap.target emergency.service emergency.target
+--- /usr/lib/systemd/system/basic.target	2016-05-30 04:23:03.000000000 +0000
++++ /usr/lib/systemd/system/basic.target	2018-10-21 06:23:01.878251807 +0000
+@@ -9,7 +9,7 @@
+ Description=Basic System
+ Documentation=man:systemd.special(7)
+ Requires=sysinit.target
+-Wants=sockets.target timers.target paths.target slices.target
++### Wants=sockets.target timers.target paths.target slices.target
+ After=sysinit.target sockets.target paths.target slices.target tmp.mount
+
+ # We support /var, /tmp, /var/tmp, being on NFS, but we don't pull in
diff --git a/volume-data-autoupdate b/volume-data-autoupdate
@@ -1,8 +0,0 @@
-5291a0e6e90b53ce2079968b0979afc3b6e3ce8e8844698118401b46ac8ab968  /etc/systemd/system/dbus.service
-77b7dd3dcc6be1fb48d33023a3f0c42c63d3fcfb6a0a329fe5b326fa18fb907c  /etc/systemd/system/dbus.service
-a1f7cdeb88f8cd3a4dad37edfbb7f50752ab868c24524eaddce9f14a7e302eac  /etc/systemd/system/httpd.service
-97d424431247e329b7fe377119b81e45db10a8a57634cce7875adf3ec416e552  /etc/systemd/system/httpd.service
-a687bb2d747213c7f4c44547999b3fb40a66073935dc0a815564fbfcaa2e03fe  /etc/systemd/system/sssd.service.d/journal.conf
-44b1b4ea1402a1168788efb95e3d55325bb7addcacd99dc4002f64ceb71da45b  /etc/tmpfiles.d/jetty.conf
-9624f274d58ad7c622dafe2b90e321e31f33f9520fb4dfaf1b838997d132b435  /etc/tmpfiles.d/opendnssec.conf
-9c162d91f4072af24cb7504e0aa1573959df50a27249eab8e124ed19eb508fae  /etc/tmpfiles.d/named.conf