Strict confinement related fixes

(Not complete strict confinement, but these don't break anything devmode related, and get us closer to having strict confinement working.) Added more needed interfaces to snapcraft.yaml. Created a wrapper around dnsmasq so that we can run as the snap_daemon user. Added snap_daemon user to snapcraft.yaml. Added a utility script for connecting interfaces that don't auto connect (tools/connect.sh). Not useful for production, but saves a lot of time when testing. libvirt no longer uses unix sock group "sudo" (can't run setguid in strict confinement). Got rid of "find_missing_plugins" in init script. By the time we release strict confinement to production, all those plugins will auto connect. Change-Id: I8324ac7bd0332c41cac17703eb15d7301e7babf3
2 years ago · c123af21d3
7 changed files with 47 additions and 23 deletions
--- a/patches/neutron/dnsmasq
+++ b/patches/neutron/dnsmasq
@ -0,0 +1,4 @@
+#!/bin/bash
+# Wrapper for dnsmasq
+
+exec $SNAP/usr/sbin/dnsmasq-orig -u snap_daemon -g snap_daemon $@
--- a/snap-overlay/templates/libvirtd.conf.j2
+++ b/snap-overlay/templates/libvirtd.conf.j2
@ -82,7 +82,7 @@
 # without becoming root.
 #
 # This is restricted to 'root' by default.
-unix_sock_group = "sudo"
+# unix_sock_group = "sudo"

 # Set the UNIX socket permissions for the R/O socket. This is used
 # for monitoring VM status only
--- a/snap-wrappers/ovs/ovs-wrapper
+++ b/snap-wrappers/ovs/ovs-wrapper
@ -13,9 +13,4 @@ mkdir -p ${OVS_LOGDIR}
 mkdir -p ${OVS_RUNDIR}
 mkdir -p ${OVS_SYSCONFDIR}/openvswitch

-# if ! snapctl is-connected openvswitch-support; then
-#    echo "openvswitch-support is not connected. Exiting."
-#    exit 0
-# fi
-
 exec $@
--- a/snapcraft.yaml
+++ b/snapcraft.yaml
@ -12,6 +12,9 @@ environment:
  PATH: $SNAP/usr/sbin:$SNAP/usr/bin:$SNAP/sbin:$SNAP/bin:$PATH
  OS_PLACEMENT_CONFIG_DIR: $SNAP/etc/nova/

+system-usernames:
+  snap_daemon: shared
+
 layout:
  # Libvirt/Qemu libs
  /usr/lib/$SNAPCRAFT_ARCH_TRIPLET/ceph:
@ -265,6 +268,13 @@ apps:
      - network-control
      - netlink-connector
      - netlink-audit
+      - libvirt
+      - opengl
+      - raw-usb
+      - hardware-observe
+      - kvm
+      - kernel-module-observe
+
  virtlogd:
    command: virtlogd --pid $SNAP_DATA/virtlogd.pid
    daemon: simple
@ -365,6 +375,7 @@ apps:
    command: microstack_launch
    plugs:
      - network
+      - network-control  # could also be mount-observe

  # Cluster
  cluster-server:
@ -573,6 +584,7 @@ parts:
      snapcraftctl build
    organize:
      '*' : patches/
+      'usr/sbin/dnsmasq': patches/neutron/dnsmasq
    prime:
      - -*

@ -766,6 +778,8 @@ parts:
      - --firmwarepath=/snap/$SNAPCRAFT_PROJECT_NAME/current/usr/share/seabios:/snap/$SNAPCRAFT_PROJECT_NAME/current/usr/share/qemu:/snap/$SNAPCRAFT_PROJECT_NAME/current/usr/lib/ipxe/qemu
      - --disable-user
      - --disable-linux-user
+      - --disable-bsd-user
+      - --disable-vhost-user
      - --enable-system
      - --target-list=x86_64-softmmu
    override-build: |
@ -855,7 +869,17 @@ parts:
      apt source libvirt
      # Fix issue with running apt source as root
      dpkg-source --before-build libvirt-5.0.0
+      # Prevent libvirt from attempting to run setgroups
+      echo "
+
+      #undef HAVE_SETGROUPS
+      #undef HAVE_SETEUID
+      " >> libvirt-5.0.0/config-post.h
+
+      # Build
      snapcraftctl build
+    organize:
+      'usr/sbin/dnsmasq-orig': usr/sbin/dnsmasq

  # MySQL
  mysql-server:
--- a/tests/framework.py
+++ b/tests/framework.py
@ -96,8 +96,8 @@ class Host():
            snap = self.snap
        print("Installing {}".format(snap))

-        check(*self.prefix, 'sudo', 'snap', 'install',
-              '--devmode', '--{}'.format(channel), snap)
+        check(*self.prefix, 'sudo', 'snap', 'install', '--devmode',
+              '--{}'.format(channel), snap)

    def init(self, flag='auto'):
        print("Initializing the snap with --{}".format(flag))
--- a/tools/connect.sh
+++ b/tools/connect.sh
@ -0,0 +1,15 @@
+#!/bin/bash
+#
+# Utility script for connecting all the interfaces that MicroStack
+# wants. Useful for testing strict confinement. Not useful for use in
+# the deployed snap, as it can run from within a snap.
+
+set -e
+
+for i in `sudo snap connections microstack`; do
+    if [[ $i =~ ^microstack:.* ]]; then
+        echo $i;
+        sudo snap connect $i;
+    fi
+done
+
--- a/tools/init/init/main.py
+++ b/tools/init/init/main.py
@ -38,7 +38,7 @@ import sys
 from functools import wraps

 from init.config import log
-from init.shell import default_network, call, check, check_output
+from init.shell import default_network, check, check_output

 from init import questions

@ -103,25 +103,11 @@ def process_init_args(args):
    return auto


-def find_missing_plugs():
-    missing = []
-    if not call('snapctl', 'is-connected', 'openvswitch-support'):
-        missing.append("microstack:openvswitch-support")
-    return missing
-
-
@requires_sudo
 def init() -> None:
    args = parse_init_args()
    auto = process_init_args(args)

-    # missing_plugs = find_missing_plugs()
-    # for plug in missing_plugs:
-    #    log.critical("Missing {plug}. Please run snap connect "
-    #                 "{plug} to continue".format(plug=plug))
-    # if missing_plugs:
-    #   sys.exit(1)
-
    question_list = [
        questions.Clustering(),
        questions.Dns(),