openstack
/
fuel-library
Code Issues Proposed changes

Merge "Enable libvirt AppArmor protection"

This commit is contained in:
Jenkins 2015-11-20 11:06:42 +00:00 committed by Gerrit Code Review
parent fca6dae455 252ec9fd63
commit ff23253d23
5 changed files with 55 additions and 18 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

34
deployment/puppet/openstack/manifests/compute.pp
View File

@ -421,11 +421,35 @@ class openstack::compute (
on packages update": }
}
file_line { 'no_qemu_selinux':
path => '/etc/libvirt/qemu.conf',
line => 'security_driver = "none"',
require => Package[$::nova::params::libvirt_package_name],
notify => Service['libvirt']
case $::osfamily {
'RedHat': {
file_line { 'no_qemu_selinux':
path => '/etc/libvirt/qemu.conf',
line => 'security_driver = "none"',
require => Package[$::nova::params::libvirt_package_name],
notify => Service['libvirt']
}
}
'Debian': {
file_line { 'qemu_apparmor':
path => '/etc/libvirt/qemu.conf',
line => 'security_driver = "apparmor"',
require => Package[$::nova::params::libvirt_package_name],
notify => Service['libvirt']
}
file_line { 'apparmor_libvirtd':
path => '/etc/apparmor.d/usr.sbin.libvirtd',
line => "# unix, # shouldn't be used for libvirt/qemu",
match => '^[#[:space:]]*unix',
}
exec { 'refresh_apparmor':
refreshonly => true,
command => '/sbin/apparmor_parser -r /etc/apparmor.d/usr.sbin.libvirtd',
subscribe => File_line['apparmor_libvirtd'],
}
}
}
nova_config {

7
deployment/puppet/openstack/spec/classes/openstack_compute_spec.rb
View File

@ -142,7 +142,12 @@ describe 'openstack::compute' do
:compute_driver => p[:compute_driver],
:libvirt_service_name => 'libvirtd'
)
should contain_file_line('no_qemu_selinux')
if facts[:osfamily] == 'RedHat'
should contain_file_line('no_qemu_selinux')
elsif facts[:osfamily] == 'Debian'
should contain_file_line('qemu_apparmor')
should contain_file_line('apparmor_libvirtd')
end
should contain_class('nova::client')
should contain_install_ssh_keys('nova_ssh_key_for_migration')
should contain_file('/var/lib/nova/.ssh/config')

6
deployment/puppet/osnailyfacter/modular/openstack-network/compute-nova.pp
View File

@ -55,12 +55,6 @@ if $use_neutron {
notify => Service['libvirt']
}
file_line { 'no_qemu_selinux':
path => '/etc/libvirt/qemu.conf',
line => 'security_driver = "none"',
notify => Service['libvirt']
}
class { 'nova::compute::neutron':
libvirt_vif_driver => $libvirt_vif_driver,
}

6
tests/noop/spec/hosts/openstack-network/compute-nova_spec.rb
View File

@ -107,12 +107,6 @@ describe manifest do
)}
it { expect(subject).to contain_file_line('clear_emulator_capabilities').that_notifies('Service[libvirt]') }
#
it { expect(subject).to contain_file_line('no_qemu_selinux').with(
:path => '/etc/libvirt/qemu.conf',
:line => 'security_driver = "none"',
)}
it { expect(subject).to contain_file_line('no_qemu_selinux').that_notifies('Service[libvirt]') }
#
it { expect(subject).to contain_class('nova::compute::neutron').with(
:libvirt_vif_driver => libvirt_vif_driver,
)}

20
tests/noop/spec/hosts/roles/compute_spec.rb
View File

@ -17,6 +17,26 @@ describe manifest do
)
end
# libvirt/qemu with(out) selinux/apparmor
it 'libvirt/qemu config should have proper security_driver and apparmor configuration' do
if facts[:osfamily] == 'RedHat'
should contain_file_line('no_qemu_selinux').with(
'path' => '/etc/libvirt/qemu.conf',
'line' => 'security_driver = "none"',
).that_notifies('Service[libvirt]')
elsif facts[:osfamily] == 'Debian'
should contain_file_line('qemu_apparmor').with(
'path' => '/etc/libvirt/qemu.conf',
'line' => 'security_driver = "apparmor"',
).that_notifies('Service[libvirt]')
should contain_file_line('apparmor_libvirtd').with(
'path' => '/etc/apparmor.d/usr.sbin.libvirtd',
'line' => "# unix, # shouldn't be used for libvirt/qemu",
)
should contain_exec('refresh_apparmor').that_subscribes_to('File_line[apparmor_libvirtd]')
end
end
# Nova.config options
it 'nova config should have proper live_migration_flag' do
should contain_nova_config('libvirt/live_migration_flag').with(