
Strict confinement related fixes

(Not complete strict confinement, but these don't break anything
devmode related, and get us closer to having strict confinement
working.)

Added more needed interfaces to snapcraft.yaml.

Created a wrapper around dnsmasq so that we can run as the snap_daemon
user. Added snap_daemon user to snapcraft.yaml.

Added a utility script for connecting interfaces that don't auto
connect (tools/connect.sh). Not useful for production, but saves a lot
of time when testing.

libvirt no longer uses unix sock group "sudo" (can't run setgid in
strict confinement).

Got rid of "find_missing_plugins" in init script. By the time we
release strict confinement to production, all those plugins will auto
connect.

Change-Id: I8324ac7bd0332c41cac17703eb15d7301e7babf3
changes/83/713883/2
Pete Vander Giessen 4 months ago
parent
commit
c123af21d3
7 changed files with 47 additions and 23 deletions
  1. +4
    -0
      patches/neutron/dnsmasq
  2. +1
    -1
      snap-overlay/templates/libvirtd.conf.j2
  3. +0
    -5
      snap-wrappers/ovs/ovs-wrapper
  4. +24
    -0
      snapcraft.yaml
  5. +2
    -2
      tests/framework.py
  6. +15
    -0
      tools/connect.sh
  7. +1
    -15
      tools/init/init/main.py

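--- a/patches/neutron/dnsmasq
+++ b/patches/neutron/dnsmasq
@@ -0,0 +1,4 @@
+#!/bin/bash
+# Wrapper for dnsmasq
+
+exec $SNAP/usr/sbin/dnsmasq-orig -u snap_daemon -g snap_daemon $@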
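Review bot: `$@` on the exec line is unquoted, so any argument neutron hands to dnsmasq that contains whitespace or glob characters is re-split before it reaches dnsmasq-orig, and `$SNAP` is unquoted as well; change the line to `exec "$SNAP/usr/sbin/dnsmasq-orig" -u snap_daemon -g snap_daemon "$@"`. The wrapper also forces `-u`/`-g` unconditionally, so if the caller supplies its own `--user`/`--group` it is not clear from here which occurrence dnsmasq honours — worth a comment such as `# Always drop to snap_daemon: strict confinement forbids the setgid dnsmasq does for its default user` so the intent survives a later edit.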

+ 1
- 1
snap-overlay/templates/libvirtd.conf.j2 View File

@@ -82,7 +82,7 @@
# without becoming root.
#
# This is restricted to 'root' by default.
unix_sock_group = "sudo"
# unix_sock_group = "sudo"

# Set the UNIX socket permissions for the R/O socket. This is used
# for monitoring VM status only
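Review bot: Commenting out `unix_sock_group = "sudo"` falls back to libvirt's root-only default for the RW socket, but nothing in the template records why the group was dropped, so the line is likely to be re-enabled by the next person who cannot reach the socket as a non-root user. Add a comment above it such as `# Strict confinement: libvirtd cannot setgid, so the RW socket stays root-only`. The hunk does not show `unix_sock_rw_perms`; confirm the permission bits still match a root-only group rather than a group-writable socket.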


+ 0
- 5
snap-wrappers/ovs/ovs-wrapper View File

@@ -13,9 +13,4 @@ mkdir -p ${OVS_LOGDIR}
mkdir -p ${OVS_RUNDIR}
mkdir -p ${OVS_SYSCONFDIR}/openvswitch

# if ! snapctl is-connected openvswitch-support; then
# echo "openvswitch-support is not connected. Exiting."
# exit 0
# fi

exec $@

+ 24
- 0
snapcraft.yaml View File

@@ -12,6 +12,9 @@ environment:
PATH: $SNAP/usr/sbin:$SNAP/usr/bin:$SNAP/sbin:$SNAP/bin:$PATH
OS_PLACEMENT_CONFIG_DIR: $SNAP/etc/nova/

system-usernames:
snap_daemon: shared

layout:
# Libvirt/Qemu libs
/usr/lib/$SNAPCRAFT_ARCH_TRIPLET/ceph:
@@ -265,6 +268,13 @@ apps:
- network-control
- netlink-connector
- netlink-audit
- libvirt
- opengl
- raw-usb
- hardware-observe
- kvm
- kernel-module-observe

virtlogd:
command: virtlogd --pid $SNAP_DATA/virtlogd.pid
daemon: simple
@@ -365,6 +375,7 @@ apps:
command: microstack_launch
plugs:
- network
- network-control # could also be mount-observe

# Cluster
cluster-server:
@@ -573,6 +584,7 @@ parts:
snapcraftctl build
organize:
'*' : patches/
'usr/sbin/dnsmasq': patches/neutron/dnsmasq
prime:
- -*

@@ -766,6 +778,8 @@ parts:
- --firmwarepath=/snap/$SNAPCRAFT_PROJECT_NAME/current/usr/share/seabios:/snap/$SNAPCRAFT_PROJECT_NAME/current/usr/share/qemu:/snap/$SNAPCRAFT_PROJECT_NAME/current/usr/lib/ipxe/qemu
- --disable-user
- --disable-linux-user
- --disable-bsd-user
- --disable-vhost-user
- --enable-system
- --target-list=x86_64-softmmu
override-build: |
@@ -855,7 +869,17 @@ parts:
apt source libvirt
# Fix issue with running apt source as root
dpkg-source --before-build libvirt-5.0.0
# Prevent libvirt from attempting to run setgroups
echo "

#undef HAVE_SETGROUPS
#undef HAVE_SETEUID
" >> libvirt-5.0.0/config-post.h

# Build
snapcraftctl build
organize:
'usr/sbin/dnsmasq-orig': usr/sbin/dnsmasq

# MySQL
mysql-server:
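Review bot: The `echo ... >> libvirt-5.0.0/config-post.h` block appends `#undef HAVE_SETGROUPS` and `#undef HAVE_SETEUID`, which compiles two privilege-manipulation calls out of libvirt, yet the only explanation is `# Prevent libvirt from attempting to run setgroups`; extend that comment with which operation failed under strict confinement and what libvirt does instead. If libvirt's uid/gid-dropping helpers are guarded by these macros, processes it spawns may silently keep the daemon's identity and supplementary groups rather than failing loudly — this should be confirmed against the libvirt-5.0.0 sources and the finding noted next to the command, not assumed. The `apt source libvirt` hunk also lacks any check that the patch applied (the heredoc is appended even if the directory name differs), so a `test -f libvirt-5.0.0/config-post.h` before the echo would make the build fail early instead of producing an unpatched binary.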


+ 2
- 2
tests/framework.py View File

@@ -96,8 +96,8 @@ class Host():
snap = self.snap
print("Installing {}".format(snap))

check(*self.prefix, 'sudo', 'snap', 'install',
'--devmode', '--{}'.format(channel), snap)
check(*self.prefix, 'sudo', 'snap', 'install', '--devmode',
'--{}'.format(channel), snap)

def init(self, flag='auto'):
print("Initializing the snap with --{}".format(flag))


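--- a/tools/connect.sh
+++ b/tools/connect.sh
@@ -0,0 +1,15 @@
+#!/bin/bash
+#
+# Utility script for connecting all the interfaces that MicroStack
+# wants. Useful for testing strict confinement. Not useful for use in
+# the deployed snap, as it can run from within a snap.
+
+set -e
+
+for i in `sudo snap connections microstack`; do
+if [[ $i =~ ^microstack:.* ]]; then
+echo $i;
+sudo snap connect $i;
+fi
+done
+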
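Review bot: The loop word-splits the entire table printed by `snap connections microstack` and then uses `$i` unquoted in `echo $i` and `sudo snap connect $i`, so a token is split a second time; quote both uses (`echo "$i"; sudo snap connect "$i"`) and prefer `$(...)` over backticks. With `set -e`, the first `snap connect` that fails — for example a plug whose slot is not provided by the host — aborts the loop before the remaining interfaces are connected, so either drop `set -e` or append `|| echo "failed to connect $i" >&2` to the connect line. The header comment reads "as it can run from within a snap", which from context appears to mean "cannot run from within a snap".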

+ 1
- 15
tools/init/init/main.py View File

@@ -38,7 +38,7 @@ import sys
from functools import wraps

from init.config import log
from init.shell import default_network, call, check, check_output
from init.shell import default_network, check, check_output

from init import questions

@@ -103,25 +103,11 @@ def process_init_args(args):
return auto


def find_missing_plugs():
missing = []
if not call('snapctl', 'is-connected', 'openvswitch-support'):
missing.append("microstack:openvswitch-support")
return missing


@requires_sudo
def init() -> None:
args = parse_init_args()
auto = process_init_args(args)

# missing_plugs = find_missing_plugs()
# for plug in missing_plugs:
# log.critical("Missing {plug}. Please run snap connect "
# "{plug} to continue".format(plug=plug))
# if missing_plugs:
# sys.exit(1)

question_list = [
questions.Clustering(),
questions.Dns(),
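Review bot: The removed `find_missing_plugs` survives as a commented-out block inside `init()`, so the function now carries dead code rather than a recorded decision; delete the block or replace it with a single `# TODO: restore a plug-connection check once the interfaces auto-connect in strict confinement`. The first hunk drops `call` from the `init.shell` import while `import sys` stays in the shown context, and the only visible `sys.exit` is inside the commented block — verify `sys` is still used elsewhere in the file before leaving the import. `init()` continues past the end of the hunk.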

