Strict confinement related fixes

(Not complete strict confinement, but these don't break anything
devmode related, and get us closer to having strict confinement
working.)

Added more needed interfaces to snapcraft.yaml.

Created a wrapper around dnsmasq so that we can run as the snap_daemon
user. Added snap_daemon user to snapcraft.yaml.

Added a utility script for connecting interfaces that don't auto
connect (tools/connect.sh). Not useful for production, but saves a lot
of time when testing.

libvirt no longer uses unix sock group "sudo" (can't run setguid in
strict confinement).

Got rid of "find_missing_plugins" in init script. By the time we
release strict confinement to production, all those plugins will auto
connect.

Change-Id: I8324ac7bd0332c41cac17703eb15d7301e7babf3

patches/neutron/dnsmasq

@@ -0,0 +1,4 @@
+#!/bin/bash
+# Wrapper for dnsmasq
+
+exec $SNAP/usr/sbin/dnsmasq-orig -u snap_daemon -g snap_daemon $@

snap-overlay/templates/libvirtd.conf.j2

@@ -82,7 +82,7 @@
 # without becoming root.
 #
 # This is restricted to 'root' by default.
-unix_sock_group = "sudo"
+# unix_sock_group = "sudo"
 
 # Set the UNIX socket permissions for the R/O socket. This is used
 # for monitoring VM status only

snap-wrappers/ovs/ovs-wrapper

@@ -13,9 +13,4 @@ mkdir -p ${OVS_LOGDIR}
 mkdir -p ${OVS_RUNDIR}
 mkdir -p ${OVS_SYSCONFDIR}/openvswitch
 
-# if ! snapctl is-connected openvswitch-support; then
-#    echo "openvswitch-support is not connected. Exiting."
-#    exit 0
-# fi
-
 exec $@

snapcraft.yaml

@@ -12,6 +12,9 @@ environment:
   PATH: $SNAP/usr/sbin:$SNAP/usr/bin:$SNAP/sbin:$SNAP/bin:$PATH
   OS_PLACEMENT_CONFIG_DIR: $SNAP/etc/nova/
 
+system-usernames:
+  snap_daemon: shared
+
 layout:
   # Libvirt/Qemu libs
   /usr/lib/$SNAPCRAFT_ARCH_TRIPLET/ceph:
@@ -265,6 +268,13 @@ apps:
       - network-control
       - netlink-connector
       - netlink-audit
+      - libvirt
+      - opengl
+      - raw-usb
+      - hardware-observe
+      - kvm
+      - kernel-module-observe
+
   virtlogd:
     command: virtlogd --pid $SNAP_DATA/virtlogd.pid
     daemon: simple
@@ -365,6 +375,7 @@ apps:
     command: microstack_launch
     plugs:
       - network
+      - network-control  # could also be mount-observe
 
   # Cluster
   cluster-server:
@@ -573,6 +584,7 @@ parts:
       snapcraftctl build
     organize:
       '*' : patches/
+      'usr/sbin/dnsmasq': patches/neutron/dnsmasq
     prime:
       - -*
 
@@ -766,6 +778,8 @@ parts:
       - --firmwarepath=/snap/$SNAPCRAFT_PROJECT_NAME/current/usr/share/seabios:/snap/$SNAPCRAFT_PROJECT_NAME/current/usr/share/qemu:/snap/$SNAPCRAFT_PROJECT_NAME/current/usr/lib/ipxe/qemu
       - --disable-user
       - --disable-linux-user
+      - --disable-bsd-user
+      - --disable-vhost-user
       - --enable-system
       - --target-list=x86_64-softmmu
     override-build: |
@@ -855,7 +869,17 @@ parts:
       apt source libvirt
       # Fix issue with running apt source as root
       dpkg-source --before-build libvirt-5.0.0
+      # Prevent libvirt from attempting to run setgroups
+      echo "
+
+      #undef HAVE_SETGROUPS
+      #undef HAVE_SETEUID
+      " >> libvirt-5.0.0/config-post.h
+
+      # Build
       snapcraftctl build
+    organize:
+      'usr/sbin/dnsmasq-orig': usr/sbin/dnsmasq
 
   # MySQL
   mysql-server:

tests/framework.py

@@ -96,8 +96,8 @@ class Host():
             snap = self.snap
         print("Installing {}".format(snap))
 
-        check(*self.prefix, 'sudo', 'snap', 'install',
-              '--devmode', '--{}'.format(channel), snap)
+        check(*self.prefix, 'sudo', 'snap', 'install', '--devmode',
+              '--{}'.format(channel), snap)
 
     def init(self, flag='auto'):
         print("Initializing the snap with --{}".format(flag))

tools/connect.sh

@@ -0,0 +1,15 @@
+#!/bin/bash
+#
+# Utility script for connecting all the interfaces that MicroStack
+# wants. Useful for testing strict confinement. Not useful for use in
+# the deployed snap, as it can run from within a snap.
+
+set -e
+
+for i in `sudo snap connections microstack`; do
+    if [[ $i =~ ^microstack:.* ]]; then
+        echo $i;
+        sudo snap connect $i;
+    fi
+done
+

tools/init/init/main.py

@@ -38,7 +38,7 @@ import sys
 from functools import wraps
 
 from init.config import log
-from init.shell import default_network, call, check, check_output
+from init.shell import default_network, check, check_output
 
 from init import questions
 
@@ -103,25 +103,11 @@ def process_init_args(args):
     return auto
 
 
-def find_missing_plugs():
-    missing = []
-    if not call('snapctl', 'is-connected', 'openvswitch-support'):
-        missing.append("microstack:openvswitch-support")
-    return missing
-
-
 @requires_sudo
 def init() -> None:
     args = parse_init_args()
     auto = process_init_args(args)
 
-    # missing_plugs = find_missing_plugs()
-    # for plug in missing_plugs:
-    #    log.critical("Missing {plug}. Please run snap connect "
-    #                 "{plug} to continue".format(plug=plug))
-    # if missing_plugs:
-    #   sys.exit(1)
-
     question_list = [
         questions.Clustering(),
         questions.Dns(),