Fix PAM module configuration issue
pam-auth-update doesn't store local configuration, and it's meant to be used by packages only. Because libpam-systemd was getting uninstalled afterwards, this caused tacplus to get re-enabled. Signed-off-by: Saikrishna Arcot <sarcot@microsoft.com>
parent
51d71a296f
commit
cdced98331
@ -256,24 +256,19 @@ sudo LANG=C chroot $FILESYSTEM_ROOT apt-get -y install apparmor
|
|||||||
sudo cp files/image_config/ntp/ntp-apparmor $FILESYSTEM_ROOT/etc/apparmor.d/local/usr.sbin.ntpd
|
sudo cp files/image_config/ntp/ntp-apparmor $FILESYSTEM_ROOT/etc/apparmor.d/local/usr.sbin.ntpd
|
||||||
sudo LANG=C chroot $FILESYSTEM_ROOT apt-get -y install apt-transport-https \
|
sudo LANG=C chroot $FILESYSTEM_ROOT apt-get -y install apt-transport-https \
|
||||||
ca-certificates \
|
ca-certificates \
|
||||||
curl \
|
curl
|
||||||
gnupg2 \
|
|
||||||
software-properties-common
|
|
||||||
if [[ $CONFIGURED_ARCH == armhf ]]; then
|
if [[ $CONFIGURED_ARCH == armhf ]]; then
|
||||||
# update ssl ca certificates for secure pem
|
# update ssl ca certificates for secure pem
|
||||||
sudo https_proxy=$https_proxy LANG=C chroot $FILESYSTEM_ROOT c_rehash
|
sudo https_proxy=$https_proxy LANG=C chroot $FILESYSTEM_ROOT c_rehash
|
||||||
fi
|
fi
|
||||||
sudo https_proxy=$https_proxy LANG=C chroot $FILESYSTEM_ROOT curl -o /tmp/docker.asc -fsSL https://download.docker.com/linux/debian/gpg
|
sudo https_proxy=$https_proxy LANG=C chroot $FILESYSTEM_ROOT curl -o /tmp/docker.asc -fsSL https://download.docker.com/linux/debian/gpg
|
||||||
sudo LANG=C chroot $FILESYSTEM_ROOT mv /tmp/docker.asc /etc/apt/trusted.gpg.d/
|
sudo LANG=C chroot $FILESYSTEM_ROOT mv /tmp/docker.asc /etc/apt/trusted.gpg.d/
|
||||||
sudo LANG=C chroot $FILESYSTEM_ROOT add-apt-repository \
|
sudo tee $FILESYSTEM_ROOT/etc/apt/sources.list.d/docker.list >/dev/null <<EOF
|
||||||
"deb [arch=$CONFIGURED_ARCH] https://download.docker.com/linux/debian $IMAGE_DISTRO stable"
|
deb [arch=$CONFIGURED_ARCH] https://download.docker.com/linux/debian $IMAGE_DISTRO stable
|
||||||
|
EOF
|
||||||
sudo LANG=C chroot $FILESYSTEM_ROOT apt-get update
|
sudo LANG=C chroot $FILESYSTEM_ROOT apt-get update
|
||||||
sudo LANG=C chroot $FILESYSTEM_ROOT apt-get -y install docker-ce=${DOCKER_VERSION} docker-ce-cli=${DOCKER_VERSION} containerd.io=${CONTAINERD_IO_VERSION}
|
sudo LANG=C chroot $FILESYSTEM_ROOT apt-get -y install docker-ce=${DOCKER_VERSION} docker-ce-cli=${DOCKER_VERSION} containerd.io=${CONTAINERD_IO_VERSION}
|
||||||
|
|
||||||
# Uninstall 'python3-gi' installed as part of 'software-properties-common' to remove debian version of 'PyGObject'
|
|
||||||
# pip version of 'PyGObject' will be installed during installation of 'sonic-host-services'
|
|
||||||
sudo LANG=C chroot $FILESYSTEM_ROOT apt-get -y remove software-properties-common gnupg2 python3-gi
|
|
||||||
|
|
||||||
install_kubernetes () {
|
install_kubernetes () {
|
||||||
local ver="$1"
|
local ver="$1"
|
||||||
sudo https_proxy=$https_proxy LANG=C chroot $FILESYSTEM_ROOT curl -fsSL \
|
sudo https_proxy=$https_proxy LANG=C chroot $FILESYSTEM_ROOT curl -fsSL \
|
||||||
|
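Review bot: The new `docker.list` entry has no `signed-by=` option, so the Docker key that the unchanged `mv` line places in `/etc/apt/trusted.gpg.d/` remains trusted for every repository configured in the image, not only download.docker.com. Now that the source line is written by hand, it can scope the key: keep the key outside `trusted.gpg.d` (for example under `/usr/share/keyrings/`) and write `deb [arch=$CONFIGURED_ARCH signed-by=/usr/share/keyrings/docker.asc] https://download.docker.com/linux/debian $IMAGE_DISTRO stable`. The key is also installed without comparing its fingerprint to a pinned value, so a fingerprint check before the `mv` would make the build fail closed if the download is tampered with. `install_kubernetes` continues past the end of the hunk and is not reviewed here.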
@ -281,6 +281,12 @@ sudo dpkg --root=$FILESYSTEM_ROOT -i $debs_path/bash-tacplus_*.deb || \
|
|||||||
sudo dpkg --root=$FILESYSTEM_ROOT -i $debs_path/audisp-tacplus_*.deb || \
|
sudo dpkg --root=$FILESYSTEM_ROOT -i $debs_path/audisp-tacplus_*.deb || \
|
||||||
sudo LANG=C DEBIAN_FRONTEND=noninteractive chroot $FILESYSTEM_ROOT apt-get -y install -f
|
sudo LANG=C DEBIAN_FRONTEND=noninteractive chroot $FILESYSTEM_ROOT apt-get -y install -f
|
||||||
# Disable tacplus by default
|
# Disable tacplus by default
|
||||||
|
## NOTE: this syntax of pam-auth-update is meant to be used when the package gets removed, not for specifying
|
||||||
|
## some local configuration of a PAM module. Currently, there's no clean way of noninteractively specifying
|
||||||
|
## whether some PAM module needs to be enabled or disabled on a system (there are hacky ways, though).
|
||||||
|
##
|
||||||
|
## If there is some PAM module that's installed/removed after this point, then this setting will end up having
|
||||||
|
## no impact, and there may be errors/test failures related to authentication.
|
||||||
sudo LANG=C chroot $FILESYSTEM_ROOT pam-auth-update --remove tacplus
|
sudo LANG=C chroot $FILESYSTEM_ROOT pam-auth-update --remove tacplus
|
||||||
sudo sed -i -e '/^passwd/s/ tacplus//' $FILESYSTEM_ROOT/etc/nsswitch.conf
|
sudo sed -i -e '/^passwd/s/ tacplus//' $FILESYSTEM_ROOT/etc/nsswitch.conf
|
||||||
|
|
||||||
|
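Review bot: The added NOTE says `pam-auth-update --remove tacplus` stops holding once a PAM module is installed or removed later, but nothing in the build verifies the result, so a later package change could silently re-enable tacplus authentication again. A check after the last package operation on the image would turn that into a build failure, for example `if grep -qs tacplus $FILESYSTEM_ROOT/etc/pam.d/common-*; then echo "tacplus enabled in PAM config" >&2; exit 1; fi`, assuming the tacplus profile is the only source of that string in the generated common-* files. The NOTE would also be more useful if it named the sequence that caused the regression (the commit message mentions libpam-systemd being uninstalled afterwards), so the next reader knows what to look for.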
@ -294,7 +294,7 @@ if [ -f $FIRST_BOOT_FILE ]; then
|
|||||||
# Use only the trivial repo and apt to support lazy package dependencies
|
# Use only the trivial repo and apt to support lazy package dependencies
|
||||||
mv /etc/apt/sources.list /etc/apt/sources.list.rc-local
|
mv /etc/apt/sources.list /etc/apt/sources.list.rc-local
|
||||||
echo "deb [trusted=yes] file:///host/image-$SONIC_VERSION/platform/common /" > /etc/apt/sources.list.d/sonic_debian_extension.list
|
echo "deb [trusted=yes] file:///host/image-$SONIC_VERSION/platform/common /" > /etc/apt/sources.list.d/sonic_debian_extension.list
|
||||||
LANG=C DEBIAN_FRONTEND=noninteractive apt-get update
|
LANG=C DEBIAN_FRONTEND=noninteractive apt-get -o Acquire::Retries=1 update
|
||||||
LANG=C DEBIAN_FRONTEND=noninteractive apt-get -o DPkg::Path=$PATH:/usr/local/bin -y install /host/image-$SONIC_VERSION/platform/$platform/*.deb
|
LANG=C DEBIAN_FRONTEND=noninteractive apt-get -o DPkg::Path=$PATH:/usr/local/bin -y install /host/image-$SONIC_VERSION/platform/$platform/*.deb
|
||||||
# Cleanup
|
# Cleanup
|
||||||
rm -f /etc/apt/sources.list.d/sonic_debian_extension.list
|
rm -f /etc/apt/sources.list.d/sonic_debian_extension.list
|
||||||
|
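Review bot: `-o Acquire::Retries=1` limits retries, but `apt-get update` still reads every list under `/etc/apt/sources.list.d/`, which does not match the comment "Use only the trivial repo". If the `docker.list` written elsewhere in this commit ships in the booted image, first boot would contact download.docker.com, and the following `apt-get install` may resolve dependencies from it alongside a local repo marked `[trusted=yes]`. Restricting the update to the one list would match the comment: `apt-get -o Dir::Etc::sourcelist=/etc/apt/sources.list.d/sonic_debian_extension.list -o Dir::Etc::sourceparts=- -o APT::Get::List-Cleanup=0 update`. The enclosing `if [ -f $FIRST_BOOT_FILE ]` block starts and ends outside the hunk.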