quarta-feira, 21 de fevereiro de 2018

Creating custom ISO images for Fedora, CentOS or RHEL

TL;DR: This post is about creating custom ISO images with custom made RPM packages.

Motivation: My motivation was VERY specific. I had to debug a package that had an issue only on first execution after a fresh clean installation - https://bugzilla.redhat.com/show_bug.cgi?id=1518498. This means I had to create a new package and include it on a new custom ISO image every time I wanted to debug a new line or test a new solution.

Also, during the course of this, I faced error messages like:

09:58:3,721 DEBUG packaging: Member: hypervkvpd.x86_64 0:0-0.32.20161211git.e17 - u

09:58:3,727 ERR packaging: Error populating transaction after 10 anaconda retries: 
failure: Packages/hypervkvpd-0-0.32.20161211git.e17.x86_64.rpm from anaconda: 
[Errno 256] Mo more mirrors to try

09:58:3,727 DEBUG packaging: file:///run/install/repo/Packages/hypervkvpd-0-0.32.
20161211git.e17.x86_64.rpm: [Errno -1] Header is not complete.


The trick is very simple, first create your RPM package - here I assume you already know how to do that. Make sure your package has the same name and same dependencies than the one you want to replace. After that, you're ready to start building the new custom ISO image:

1. Download and mount the ISO image you want to customize:
# mount -t iso9660 -o loop RHEL-7.5-20180206.n.0-Server-x86_64-dvd1.iso temp/






2. Create the root directory for the new ISO image:
# mkdir iso_build

3. Copy everything from the original ISO to your newly created root directory:
# cp -pRf temp* iso_build/

4. Place your newly created RPM inside the iso_build/Packages/ directory;

5. Remove all hash data from repodata/ directory, but KEEP the comps file:
# rm -rfv repodata/*.gz repodata/*.bz2;

6. Create the new repository hash information, using as a reference the old comps file you didn't delete:
# createrepo /root/iso_build/Packages -g /iso_build/repodata/ -o /iso_build/ \
-u file:///run/install/repo/Packages/;

7. From inside iso_build/, generate the new ISO image:
# genisoimage -U -r -v -T -J -joliet-long -V 'RHEL-7.5 Server.x86_64'         \
-volset 'RHEL-7.5 Server.x86_64' -A 'RHEL-7.5 Server.x86_64'                  \
-b isolinux/isolinux.bin -c isolinux/boot.cat -no-emul-boot                   \
-boot-load-size 4 -boot-info-table -eltorito-alt-boot                         \
-e images/efiboot.img -no-emul-boot -o /RHEL-7.5-DEBUG-Server-x86_64-dvd1.iso .

Special thanks to Arx Cruz and Edjunior Machado who helped me on this issue.

Enjoy your debugging.

sexta-feira, 9 de fevereiro de 2018

QEMU Sandboxing for dummies

DevConf is an annual conference that takes place in Brno, Czech Republic. This year I applied for a talk to go over my work that I develop since mid 2012: Security on QEMU/KVM Virtual Machines using SECCOMP. Since then I became the maintainer of this feature on QEMU and released the second and better version not long ago. On this post you'll find the slides and the full video of the presentation.



So here we go, very first experience lecturing in English, what a catastrophe! In my defense the audience was very peculiar, not only the guy that very started libseccomp was there, but my manager and the director of the department as well. Anxiety apart, I think it was an outstanding experience, would do it again in the future. :-)