2b67ffaefb
- Add a shellcheck linter for the scripts in the multinode framework - Update all scripting to comply with shellcheck - Move linting job to Ubuntu Bionic as the multinode gate now requires Bionic versions of libvirt Change-Id: Ibee645331421e1e6cecd4e3daa8e9c321dce5523
174 lines
5.3 KiB
Bash
Executable File
174 lines
5.3 KiB
Bash
Executable File
#!/bin/bash
|
|
#
|
|
# Copyright 2019 AT&T Intellectual Property. All other rights reserved.
|
|
#
|
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
# you may not use this file except in compliance with the License.
|
|
# You may obtain a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
# See the License for the specific language governing permissions and
|
|
# limitations under the License.
|
|
|
|
|
|
###############################################################################
|
|
# Helper functions
|
|
###############################################################################
|
|
|
|
# Key/value lookups from manifests
|
|
manifests_lookup(){
|
|
local file="$1"
|
|
local schema="$2"
|
|
local mdata_name="$3"
|
|
local key_path="$4"
|
|
local oper="$5"
|
|
local allow_fail="$6"
|
|
|
|
FAIL=false
|
|
RESULT=$(python3 -c "
|
|
import yaml,sys
|
|
y = yaml.load_all(open('$file'))
|
|
for x in y:
|
|
if x.get('schema') == '$schema':
|
|
if x['metadata']['name'] == '$mdata_name':
|
|
if isinstance(x$key_path,list):
|
|
if '$oper' == 'get_size':
|
|
print(len(x$key_path))
|
|
break
|
|
else:
|
|
for i in x$key_path:
|
|
print(i)
|
|
break
|
|
else:
|
|
if '$oper' == 'dict_keys':
|
|
print(' '.join(x$key_path.keys()))
|
|
break
|
|
else:
|
|
print(x$key_path)
|
|
break
|
|
else:
|
|
sys.exit(1)" 2>&1) || FAIL=true
|
|
|
|
if [[ $FAIL = true ]] && [[ $allow_fail != true ]]; then
|
|
echo "Lookup failed for schema '$schema', metadata.name '$mdata_name', key path '$key_path'"
|
|
exit 1
|
|
fi
|
|
}
|
|
|
|
|
|
install_file(){
|
|
local path="$1"
|
|
local content="$2"
|
|
local permissions="$3"
|
|
local dirname
|
|
dirname=$(dirname "$path")
|
|
|
|
if [[ ! -d $dirname ]]; then
|
|
mkdir -p "$dirname"
|
|
fi
|
|
|
|
if [[ ! -f $path ]] || [ "$(cat "$path")" != "$content" ]; then
|
|
echo "$content" > "$path"
|
|
chmod "$permissions" "$path"
|
|
export FILE_UPDATED=true
|
|
else
|
|
export FILE_UPDATED=false
|
|
fi
|
|
}
|
|
|
|
|
|
###############################################################################
|
|
# Script inputs and validations
|
|
###############################################################################
|
|
|
|
if [[ $EUID -ne 0 ]]; then
|
|
echo "This script must be run as sudo/root"
|
|
exit 1
|
|
fi
|
|
|
|
if ([[ -z $1 ]] && [[ -z $RENDERED ]]) || [[ $1 =~ .*[hH][eE][lL][pP].* ]]; then
|
|
echo "Missing required script argument"
|
|
echo "Usage: ./$(basename "${BASH_SOURCE[0]}") /path/to/rendered/site/manifest.yaml"
|
|
exit 1
|
|
fi
|
|
|
|
if [[ -n $1 ]]; then
|
|
rendered_file="$1"
|
|
else
|
|
rendered_file="$RENDERED"
|
|
fi
|
|
if [[ ! -f $rendered_file ]]; then
|
|
echo "Specified rendered manifests file '$rendered_file' does not exist"
|
|
exit 1
|
|
fi
|
|
echo "Using rendered manifests file '$rendered_file'"
|
|
|
|
# env vars which can be set if you want to disable
|
|
: "${DISABLE_SECCOMP_PROFILE:=}"
|
|
: "${DISABLE_APPARMOR_PROFILES:=}"
|
|
|
|
|
|
###############################################################################
|
|
# bootaction: seccomp-profiles
|
|
###############################################################################
|
|
|
|
if [[ ! $DISABLE_SECCOMP_PROFILE ]]; then
|
|
|
|
# Fetch seccomp profile data
|
|
manifests_lookup "$rendered_file" "drydock/BootAction/v1" \
|
|
"seccomp-profiles" "['data']['assets'][0]['path']"
|
|
path="$RESULT"
|
|
echo "seccomp profiles asset[0] path located: '$path'"
|
|
manifests_lookup "$rendered_file" "drydock/BootAction/v1" \
|
|
"seccomp-profiles" "['data']['assets'][0]['permissions']"
|
|
permissions="$RESULT"
|
|
echo "seccomp profiles asset[0] permissions located: '$permissions'"
|
|
manifests_lookup "$rendered_file" "drydock/BootAction/v1" \
|
|
"seccomp-profiles" "['data']['assets'][0]['data']"
|
|
content="$RESULT"
|
|
echo "seccomp profiles assets[0] data located: '$content'"
|
|
|
|
# seccomp_default
|
|
install_file "$path" "$content" "$permissions"
|
|
fi
|
|
|
|
###############################################################################
|
|
# bootaction: apparmor-profiles
|
|
###############################################################################
|
|
|
|
if [[ ! $DISABLE_APPARMOR_PROFILES ]]; then
|
|
|
|
manifests_lookup "$rendered_file" "drydock/BootAction/v1" \
|
|
"apparmor-profiles" "['data']['assets']" "get_size" "true"
|
|
|
|
if [[ -n "$RESULT" ]] && [[ $RESULT -gt 0 ]]; then
|
|
|
|
# Fetch apparmor profile data
|
|
LAST=$(( RESULT - 1 ))
|
|
for i in $(seq 0 $LAST); do
|
|
|
|
manifests_lookup "$rendered_file" "drydock/BootAction/v1" \
|
|
"apparmor-profiles" "['data']['assets'][$i]['path']"
|
|
path="$RESULT"
|
|
echo "apparmor profiles asset[$i] path located: '$path'"
|
|
manifests_lookup "$rendered_file" "drydock/BootAction/v1" \
|
|
"apparmor-profiles" "['data']['assets'][$i]['permissions']"
|
|
permissions="$RESULT"
|
|
echo "apparmor profiles asset[$i] permissions located: '$permissions'"
|
|
manifests_lookup "$rendered_file" "drydock/BootAction/v1" \
|
|
"apparmor-profiles" "['data']['assets'][$i]['data']"
|
|
content="$RESULT"
|
|
echo "apparmor profiles assets[$i] data located: '$content'"
|
|
|
|
install_file "$path" "$content" "$permissions"
|
|
done
|
|
|
|
# reload all apparmor profiles
|
|
systemctl reload apparmor.service
|
|
fi
|
|
fi
|