
Add seccomp profile on genesis node in multinode gate

The bootactions which will be deployed via Drydock on nodes need
to be performed on Genesis node as well. This should be done as
part of pre-genesis setup before genesis.sh is executed. This
commit deals with adding seccomp profile to genesis node as part
of pre-genesis setup.

Change-Id: I5ec6a66266181f0dc96161b9a7d9635db6df715a
Hemanth Nakkina 1 month ago
parent
commit
94e8f75930

+ 134
- 0
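--- a/tools/multi_nodes_gate/airship_gate/lib/bootaction-runner.sh
+++ b/tools/multi_nodes_gate/airship_gate/lib/bootaction-runner.sh
@@ -0,0 +1,134 @@
+#!/usr/bin/env bash
+# Copyright 2019 AT&T Intellectual Property.  All other rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+
+###############################################################################
+# Helper functions
+###############################################################################
+
+# Key/value lookups from manifests
+manifests_lookup(){
+  local file="$1"
+  local schema="$2"
+  local mdata_name="$3"
+  local key_path="$4"
+  local oper="$5"
+  local allow_fail="$6"
+
+  FAIL=false
+  RESULT=`python3 -c "
+import yaml,sys
+y = yaml.load_all(open('$file'))
+for x in y:
+  if x.get('schema') == '$schema':
+    if x['metadata']['name'] == '$mdata_name':
+      if isinstance(x$key_path,list):
+        if '$oper' == 'get_size':
+          print(len(x$key_path))
+          break
+        else:
+          for i in x$key_path:
+            print(i)
+          break
+      else:
+        if '$oper' == 'dict_keys':
+          print(' '.join(x$key_path.keys()))
+          break
+        else:
+          print(x$key_path)
+          break
+else:
+  sys.exit(1)" 2>&1` || FAIL=true
+
+  if [[ $FAIL = true ]] && [[ $allow_fail != true ]]; then
+    echo "Lookup failed for schema '$schema', metadata.name '$mdata_name', key path '$key_path'"
+    exit 1
+  fi
+}
+
+
+install_file(){
+  local path="$1"
+  local content="$2"
+  local permissions="$3"
+  local dirname=$(dirname "$path")
+
+  if [[ ! -d $dirname ]]; then
+    mkdir -p "$dirname"
+  fi
+
+  if [[ ! -f $path ]] || [ "$(cat "$path")" != "$content" ]; then
+    echo "$content" > "$path"
+    chmod "$permissions" "$path"
+    FILE_UPDATED=true
+  else
+    FILE_UPDATED=false
+  fi
+}
+
+
+###############################################################################
+# Script inputs and validations
+###############################################################################
+
+if [[ $EUID -ne 0 ]]; then
+  echo "This script must be run as sudo/root"
+  exit 1
+fi
+
+if ([[ -z $1 ]] && [[ -z $RENDERED ]]) || [[ $1 =~ .*[hH][eE][lL][pP].* ]]; then
+  echo "Missing required script argument"
+  echo "Usage: ./$(basename $BASH_SOURCE) /path/to/rendered/site/manifest.yaml"
+  exit 1
+fi
+
+if [[ -n $1 ]]; then
+  rendered_file="$1"
+else
+  rendered_file="$RENDERED"
+fi
+if [[ ! -f $rendered_file ]]; then
+  echo "Specified rendered manifests file '$rendered_file' does not exist"
+  exit 1
+fi
+echo "Using rendered manifests file '$rendered_file'"
+
+# env vars which can be set if you want to disable
+: ${DISABLE_SECCOMP_PROFILE:=}
+
+
+###############################################################################
+# bootaction: seccomp-profiles
+###############################################################################
+
+if [[ ! $DISABLE_SECCOMP_PROFILE ]]; then
+
+  # Fetch seccomp profile data
+  manifests_lookup "$rendered_file" "drydock/BootAction/v1" \
+                   "seccomp-profiles" "['data']['assets'][0]['path']"
+  path="$RESULT"
+  echo "seccomp profiles asset[0] path located: '$path'"
+  manifests_lookup "$rendered_file" "drydock/BootAction/v1" \
+                   "seccomp-profiles" "['data']['assets'][0]['permissions']"
+  permissions="$RESULT"
+  echo "seccomp profiles asset[0] permissions located: '$permissions'"
+  manifests_lookup "$rendered_file" "drydock/BootAction/v1" \
+                   "seccomp-profiles" "['data']['assets'][0]['data']"
+  content="$RESULT"
+  echo "seccomp profiles assets[0] data located: '$content'"
+
+  # seccomp_default
+  install_file "$path" "$content" "$permissions"
+fi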
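Review bot: `manifests_lookup` splices its shell arguments straight into the Python program text (`open('$file')`, `== '$schema'`, `x$key_path`), so a quote or newline in any of them rewrites the program rather than the data; since `$key_path` is intentionally Python syntax, at least `file`, `schema` and `mdata_name` should be handed over via `sys.argv` instead of interpolation. The same line calls `yaml.load_all` with no `Loader`, which on PyYAML releases before 5.1 is the full loader and will construct arbitrary Python objects from tagged documents in the rendered manifest; `y = yaml.safe_load_all(open('$file'))` is all these lookups need. In `install_file`, `echo "$content" > "$path"` creates the file under the default umask and only afterwards applies `chmod "$permissions"`, and the chmod is skipped entirely when the content already matches, so a drifted mode on an existing profile is never corrected; `install -m "$permissions" <(printf '%s\n' "$content") "$path"` sets content and mode in one step. `echo` will also misinterpret content that begins with `-n` or `-e`, which `printf '%s\n'` avoids.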

+ 1
- 0
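--- a/tools/multi_nodes_gate/airship_gate/lib/config.sh
+++ b/tools/multi_nodes_gate/airship_gate/lib/config.sh
@@ -1,5 +1,6 @@
 export TEMP_DIR=${TEMP_DIR:-$(mktemp -d)}
 export DEFINITION_DEPOT="${TEMP_DIR}/site_yaml/"
+export RENDERED_DEPOT="${TEMP_DIR}/rendered_yaml/"
 export CERT_DEPOT="${TEMP_DIR}/cert_yaml/"
 export GATE_DEPOT="${TEMP_DIR}/gate_yaml/"
 export SCRIPT_DEPOT="${TEMP_DIR}/scripts/"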

+ 8
- 0
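--- a/tools/multi_nodes_gate/airship_gate/manifests/multinode_deploy.json
+++ b/tools/multi_nodes_gate/airship_gate/manifests/multinode_deploy.json
@@ -19,6 +19,10 @@
       "name": "Pegleg Collection",
       "script": "pegleg-collect.sh"
     },
+    {
+      "name": "Pegleg Render",
+      "script": "pegleg-render.sh"
+    },
     {
       "name": "Generate Certificates",
       "script": "generate-certificates.sh"
@@ -41,6 +45,10 @@
       "script": "bgp-router.sh",
       "arguments": ["build"]
     },
+    {
+      "name": "Pre Genesis Setup",
+      "script": "genesis-setup.sh"
+    },
     {
       "name": "Genesis",
       "script": "genesis.sh",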

+ 8
- 0
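--- a/tools/multi_nodes_gate/airship_gate/manifests/multinode_genesis.json
+++ b/tools/multi_nodes_gate/airship_gate/manifests/multinode_genesis.json
@@ -19,6 +19,10 @@
       "name": "Pegleg Collection",
       "script": "pegleg-collect.sh"
     },
+    {
+      "name": "Pegleg Render",
+      "script": "pegleg-render.sh"
+    },
     {
       "name": "Generate Certificates",
       "script": "generate-certificates.sh"
@@ -41,6 +45,10 @@
       "script": "bgp-router.sh",
       "arguments": ["build"]
     },
+    {
+      "name": "Pre Genesis Setup",
+      "script": "genesis-setup.sh"
+    },
     {
       "name": "Genesis",
       "script": "genesis.sh",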

+ 26
- 0
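--- a/tools/multi_nodes_gate/airship_gate/stages/genesis-setup.sh
+++ b/tools/multi_nodes_gate/airship_gate/stages/genesis-setup.sh
@@ -0,0 +1,26 @@
+#!/usr/bin/env bash
+# Copyright 2019 AT&T Intellectual Property.  All other rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -e
+
+source "${GATE_UTILS}"
+
+# Copies script and virtmgr private key to genesis VM
+rsync_cmd "${REPO_ROOT}/tools/multi_nodes_gate/airship_gate/lib/bootaction-runner.sh" "${GENESIS_NAME}:/root/airship/"
+rsync_cmd "${RENDERED_DEPOT}/rendered.yaml" "${GENESIS_NAME}:/root/airship/"
+
+set -o pipefail
+ssh_cmd "${GENESIS_NAME}" /root/airship/bootaction-runner.sh /root/airship/rendered.yaml 2>&1 | tee -a "${LOG_FILE}"
+set +o pipefail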
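Review bot: The comment above the two `rsync_cmd` calls says a "virtmgr private key" is copied, but the lines beneath it copy `bootaction-runner.sh` and `rendered.yaml`; it reads as carried over from another stage and should be `# Copy the bootaction runner and the rendered site manifest to the genesis VM`. The rendered document is the full site rendering and is left behind in `/root/airship/` on the genesis node after the runner exits; if that rendering can carry secret documents (not visible from this diff), a follow-up `ssh_cmd "${GENESIS_NAME}" rm -f /root/airship/rendered.yaml` after the run would be worth adding. The script also enables `pipefail` only around the `ssh_cmd … | tee` line; setting it once next to `set -e` at the top would cover any future commands added here without another toggle pair.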

+ 81
- 0
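--- a/tools/multi_nodes_gate/airship_gate/stages/pegleg-render.sh
+++ b/tools/multi_nodes_gate/airship_gate/stages/pegleg-render.sh
@@ -0,0 +1,81 @@
+#!/usr/bin/env bash
+# Copyright 2019 AT&T Intellectual Property.  All other rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -xe
+
+source "${GATE_UTILS}"
+
+mkdir -p "${RENDERED_DEPOT}"
+chmod 777 "${RENDERED_DEPOT}"
+
+render_pegleg_cli() {
+    cli_string="pegleg -v site"
+
+    if [[ "${GERRIT_SSH_USER}" ]]
+    then
+      cli_string+=" -u ${GERRIT_SSH_USER}"
+    fi
+
+    if [[ "${GERRIT_SSH_KEY}" ]]
+    then
+      cli_string+=" -k /workspace/${GERRIT_SSH_KEY}"
+    fi
+
+    primary_repo=$(config_pegleg_primary_repo)
+
+    if [[ -d "${REPO_ROOT}/${primary_repo}" ]]
+    then
+      # NOTE: to get latest pegleg colllect to work
+      # airship-in-bottle repo has versions (v1.0demo, v1.0dev) within global
+      # and that is preventing pegleg to collect documents.
+      # It complains with duplicate data
+      $(find ${REPO_ROOT}/${primary_repo}  -name "v1.0dev" -type d \
+        -exec rm -r {} +)
+      cli_string="${cli_string} -r /workspace/${primary_repo}"
+    else
+      log "${primary_repo} not a valid primary repository"
+      return 1
+    fi
+
+    aux_repos=($(config_pegleg_aux_repos))
+
+    if [[ ${#aux_repos[@]} -gt 0 ]]
+    then
+        for r in ${aux_repos[*]}
+        do
+          cli_string="${cli_string} -e ${r}=/workspace/${r}"
+        done
+    fi
+
+    cli_string="${cli_string} render -o /collect/rendered.yaml"
+
+    cli_string="${cli_string} $(config_pegleg_sitename)"
+
+    echo ${cli_string}
+}
+
+collect_rendered_doc() {
+  docker run \
+    --rm -t \
+    --network host \
+    -v "${HOME}/.ssh":/root/.ssh \
+    -v "${REPO_ROOT}":/workspace \
+    -v "${RENDERED_DEPOT}":/collect \
+    "${IMAGE_PEGLEG_CLI}" \
+    $(render_pegleg_cli)
+}
+
+log "Collecting rendered document to ${RENDERED_DEPOT}"
+collect_rendered_doc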
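Review bot: `chmod 777 "${RENDERED_DEPOT}"` makes the directory that will hold `rendered.yaml` world-writable, and that file is later copied to the genesis node and executed against as root by `bootaction-runner.sh`, which writes to whatever path the manifest names; any local account on the gate host could swap the file in between. The default `TEMP_DIR` comes from `mktemp -d` (mode 0700 per `config.sh`), which limits the exposure, but `TEMP_DIR` is overridable and the container runs as root and can write into a 0755 directory anyway, so `chmod 755 "${RENDERED_DEPOT}"` (or no chmod at all) should suffice — if a non-root docker daemon was the reason, a comment stating that would help. The `$(find … -exec rm -r {} +)` line wraps the cleanup in a command substitution and then tries to execute its (empty) output as a command; it works only by accident and should be a plain `find "${REPO_ROOT}/${primary_repo}" -name "v1.0dev" -type d -exec rm -r {} +`.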
