feat: disable non-default services by default (#4)

Benjamin Sherman
2023-03-19 20:08:33 -05:00
committed by GitHub
parent 2cf0bdaee9
commit 7434db02c3
2 changed files with 12 additions and 8 deletions


@@ -37,7 +37,7 @@ RUN cd /etc/yum.repos.d/ \
RUN sed -i 's/#AutomaticUpdatePolicy.*/AutomaticUpdatePolicy=stage/' /etc/rpm-ostreed.conf && \
sed -i 's/#DefaultTimeoutStopSec.*/DefaultTimeoutStopSec=60s/' /etc/systemd/user.conf && \
sed -i 's/#DefaultTimeoutStopSec.*/DefaultTimeoutStopSec=60s/' /etc/systemd/system.conf && \
systemctl enable cockpit.service && \
systemctl disable docker.socket && \
systemctl enable ensure-var-log-audit-dir.service && \
systemctl enable rpm-ostreed-automatic.timer && \
rm /etc/ssh/sshd_config.d/40-disable-passwords.conf && \
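Review bot: `systemctl disable docker.socket` on its own only switches off socket activation; if the moby-engine package preset enables `docker.service`, the daemon still starts at boot, so either confirm during the build with `systemctl is-enabled docker.service` or disable both units (`systemctl disable docker.socket docker.service`). While in this block, the last visible line, `rm /etc/ssh/sshd_config.d/40-disable-passwords.conf`, removes the drop-in that, judging by its name, disables SSH password authentication, which means password logins over SSH become possible on this image; that deserves a mention in the README next to the service defaults, or an explicit opt-in. Also, the three `sed -i 's/#.../.../'` edits match only the commented-out form of each setting and silently do nothing if a future base image ships the line uncommented; a `grep -q` after each substitution would make the build fail loudly instead.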


@@ -26,21 +26,25 @@ WARNING: This image has **not** been heavily tested, though the underlying compo
One can layer packages directly on a machine running uCore or use this image as a base for further customized OCI builds.
Note: per [cockpit instructions](https://cockpit-project.org/running.html#coreos) the cockpit-ws RPM is **not** installed, rather it is available as a podman container. This image has pre-configured cockpit to run on system boot, but it can be disabled:
```bash
sudo systemctl disable --now cockpit.service
```
This image should be suitable for use on bare metal or on virtual machines where you wish to run containerized workloads.
Note: per [cockpit instructions](https://cockpit-project.org/running.html#coreos) the cockpit-ws RPM is **not** installed, rather it is available as a podman container.
## Tips and Tricks
These images are immutable, you can't, and really shouldn't, install packages like in a mutable "normal" distribution.
CoreOS expects the user to run services using [podman](https://podman.io). `moby-engine`, the free Docker implementation, is installed for those who desire docker instead of podman.
NOTE: CoreOS [cautions against](https://docs.fedoraproject.org/en-US/fedora-coreos/faq/#_can_i_run_containers_via_docker_and_podman_at_the_same_time) running podman and docker containers at the same time.
To maintain this image's suitability as a minimal container host, most add-on services are not auto-enabled.
To activate any of the pre-installed `cockpit`, `docker`, or `tailscaled` services:
```bash
sudo systemctl enable --now SERVICENAME.service
```
NOTE: CoreOS [cautions against](https://docs.fedoraproject.org/en-US/fedora-coreos/faq/#_can_i_run_containers_via_docker_and_podman_at_the_same_time) running podman and docker containers at the same time. Thus, `docker.socket` is disabled by default to prevent accidental activate of docker daemon, given podman is the default.
Users may use [distrobox](https://github.com/89luca89/distrobox) to run images of mutable distributions where applications can be installed with traditional package managers. This may be useful for installing interactive utilities such has `htop`, `nmap`, etc. As stated above, however, *services* should run as containers.
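Review bot: the new enable instruction `sudo systemctl enable --now SERVICENAME.service` does not fit the docker case described in the same hunk: the Containerfile change disables `docker.socket`, so a reader following the instruction literally will run `systemctl enable --now docker.service` and leave socket activation off; spell out the docker unit explicitly (`sudo systemctl enable --now docker.socket`, or both units). Two typos in the hunk text: "accidental activate of docker daemon" should read "accidental activation of the docker daemon", and "such has `htop`" should read "such as `htop`". If the earlier cockpit note (the one ending in the `sudo systemctl disable --now cockpit.service` snippet) is not among the removed lines, it now contradicts "most add-on services are not auto-enabled" and duplicates the shorter cockpit note that follows; keep only one.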