From c123af21d3dc81223c8d58fb41be6f112dfa25f0 Mon Sep 17 00:00:00 2001
From: Pete Vander Giessen
Date: Thu, 5 Mar 2020 13:38:26 +0000
Subject: [PATCH] Strict confinement related fixes
(Not complete strict confinement, but these don't break anything devmode related, and get us closer to having strict confinement working.) Added more needed interfaces to snapcraft.yaml. Created a wrapper around dnsmasq so that we can run as the snap_daemon user. Added snap_daemon user to snapcraft.yaml. Added a utility script for connecting interfaces that don't auto connect (tools/connect.sh). Not useful for production, but saves a lot of time when testing. libvirt no longer uses unix sock group "sudo" (can't run setguid in strict confinement). Got rid of "find_missing_plugins" in init script. By the time we release strict confinement to production, all those plugins will auto connect.
Change-Id: I8324ac7bd0332c41cac17703eb15d7301e7babf3
---
 patches/neutron/dnsmasq | 4 ++++
 snap-overlay/templates/libvirtd.conf.j2 | 2 +-
 snap-wrappers/ovs/ovs-wrapper | 5 -----
 snapcraft.yaml | 24 ++++++++++++++++++++++++
 tests/framework.py | 4 ++--
 tools/connect.sh | 15 +++++++++++++++
 tools/init/init/main.py | 16 +--------------
 7 files changed, 47 insertions(+), 23 deletions(-)
 create mode 100644 patches/neutron/dnsmasq
 create mode 100644 tools/connect.sh
diff --git a/patches/neutron/dnsmasq b/patches/neutron/dnsmasq
new file mode 100644
index 0000000..9923e9a
--- /dev/null
+++ b/patches/neutron/dnsmasq
@@ -0,0 +1,4 @@
+#!/bin/bash
+# Wrapper for dnsmasq
+
+exec $SNAP/usr/sbin/dnsmasq-orig -u snap_daemon -g snap_daemon $@
diff --git a/snap-overlay/templates/libvirtd.conf.j2 b/snap-overlay/templates/libvirtd.conf.j2
index 72f9280..e6621a0 100644
--- a/snap-overlay/templates/libvirtd.conf.j2
+++ b/snap-overlay/templates/libvirtd.conf.j2
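Review bot: The `exec` line passes `$@` and `$SNAP` unquoted, so any argument the caller hands to dnsmasq that contains whitespace or glob characters is re-split and glob-expanded before it reaches dnsmasq-orig, and an unset `$SNAP` would exec a relative path. Quote both: `exec "$SNAP/usr/sbin/dnsmasq-orig" -u snap_daemon -g snap_daemon "$@"`. The header comment should also record why the wrapper exists, since the `-u`/`-g` switch is its whole purpose: `# Wrapper for dnsmasq: run it as the snap_daemon system user declared in snapcraft.yaml`.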
@@ -82,7 +82,7 @@
 # without becoming root.
 #
 # This is restricted to 'root' by default.
-unix_sock_group = "sudo"
+# unix_sock_group = "sudo"
 # Set the UNIX socket permissions for the R/O socket. This is used
 # for monitoring VM status only
diff --git a/snap-wrappers/ovs/ovs-wrapper b/snap-wrappers/ovs/ovs-wrapper
index b13aa75..0c276e5 100755
--- a/snap-wrappers/ovs/ovs-wrapper
+++ b/snap-wrappers/ovs/ovs-wrapper
@@ -13,9 +13,4 @@
 mkdir -p ${OVS_LOGDIR}
 mkdir -p ${OVS_RUNDIR}
 mkdir -p ${OVS_SYSCONFDIR}/openvswitch
-# if ! snapctl is-connected openvswitch-support; then
-# echo "openvswitch-support is not connected. Exiting."
-# exit 0
-# fi
-
 exec $@
diff --git a/snapcraft.yaml b/snapcraft.yaml
index 8a144ce..5d56ddd 100644
--- a/snapcraft.yaml
+++ b/snapcraft.yaml
@@ -12,6 +12,9 @@ environment:
 PATH: $SNAP/usr/sbin:$SNAP/usr/bin:$SNAP/sbin:$SNAP/bin:$PATH
 OS_PLACEMENT_CONFIG_DIR: $SNAP/etc/nova/
+system-usernames:
+ snap_daemon: shared
+
 layout:
 # Libvirt/Qemu libs
 /usr/lib/$SNAPCRAFT_ARCH_TRIPLET/ceph:
@@ -265,6 +268,13 @@ apps:
 - network-control
 - netlink-connector
 - netlink-audit
+ - libvirt
+ - opengl
+ - raw-usb
+ - hardware-observe
+ - kvm
+ - kernel-module-observe
+
 virtlogd:
 command: virtlogd --pid $SNAP_DATA/virtlogd.pid
 daemon: simple
@@ -365,6 +375,7 @@ apps:
 command: microstack_launch
 plugs:
 - network
+ - network-control # could also be mount-observe
 # Cluster
 cluster-server:
@@ -573,6 +584,7 @@ parts:
 snapcraftctl build
 organize:
 '*' : patches/
+ 'usr/sbin/dnsmasq': patches/neutron/dnsmasq
 prime:
 - -*
@@ -766,6 +778,8 @@ parts:
 - --firmwarepath=/snap/$SNAPCRAFT_PROJECT_NAME/current/usr/share/seabios:/snap/$SNAPCRAFT_PROJECT_NAME/current/usr/share/qemu:/snap/$SNAPCRAFT_PROJECT_NAME/current/usr/lib/ipxe/qemu
 - --disable-user
 - --disable-linux-user
+ - --disable-bsd-user
+ - --disable-vhost-user
 - --enable-system
 - --target-list=x86_64-softmmu
 override-build: |
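Review bot: The disabled `unix_sock_group` line carries no comment explaining why it is off, so the next maintainer will likely restore it; the reason given in the commit message belongs in the template next to the line, e.g. `# unix_sock_group is left at its default (root): under strict confinement libvirtd cannot setgid to "sudo".` As the context above states, the default restricts the socket to root, so anything that previously relied on sudo-group membership to reach the RW socket now needs root or another access path — worth a sentence here or in the docs as well.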
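Review bot: The six plugs added in the `@@ -265` hunk (`libvirt`, `opengl`, `raw-usb`, `hardware-observe`, `kvm`, `kernel-module-observe`) carry no comment saying which operation of that app needs each of them, and `raw-usb` and `kernel-module-observe` are broad interfaces. Document each plug inline, e.g. `- raw-usb  # TODO(review): state which feature needs this, or drop before strict confinement ships`, so the list can be pruned rather than carried forward on faith. The same applies to `- network-control # could also be mount-observe` in the `@@ -365` hunk: the comment should say what `microstack_launch` does that requires it, rather than offer an alternative interface.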
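Review bot: The new `organize` entry `'usr/sbin/dnsmasq': patches/neutron/dnsmasq` in the `@@ -573` hunk appears reversed relative to the existing `'*' : patches/` entry, which maps a path inside the part to its staged location; read that way it would relocate a dnsmasq binary under `patches/`, and the companion entry in the `@@ -855` hunk, `'usr/sbin/dnsmasq-orig': usr/sbin/dnsmasq`, only fires if that part produces a file called dnsmasq-orig. The wrapper added in patches/neutron/dnsmasq execs `$SNAP/usr/sbin/dnsmasq-orig`, so the intended layout is presumably the real binary at `usr/sbin/dnsmasq-orig` and the wrapper at `usr/sbin/dnsmasq`, which would be `'usr/sbin/dnsmasq': usr/sbin/dnsmasq-orig` in the `@@ -855` hunk and the wrapper's part-relative path mapped to `usr/sbin/dnsmasq` here. Confirm against a built snap (`ls $SNAP/usr/sbin/dnsmasq*`), and note that `prime: - -*` just below excludes everything from this part, so the wrapper is not primed from here as written.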
@@ -855,7 +869,17 @@ parts:
 apt source libvirt
 # Fix issue with running apt source as root
 dpkg-source --before-build libvirt-5.0.0
+ # Prevent libvirt from attempting to run setgroups
+ echo "
+
+ #undef HAVE_SETGROUPS
+ #undef HAVE_SETEUID
+ " >> libvirt-5.0.0/config-post.h
+
+ # Build
 snapcraftctl build
+ organize:
+ 'usr/sbin/dnsmasq-orig': usr/sbin/dnsmasq
 # MySQL
 mysql-server:
diff --git a/tests/framework.py b/tests/framework.py
index 928e378..984b03f 100644
--- a/tests/framework.py
+++ b/tests/framework.py
@@ -96,8 +96,8 @@ class Host():
 snap = self.snap
 print("Installing {}".format(snap))
-check(*self.prefix, 'sudo', 'snap', 'install',
- '--devmode', '--{}'.format(channel), snap)
+check(*self.prefix, 'sudo', 'snap', 'install', '--devmode',
+ '--{}'.format(channel), snap)
 def init(self, flag='auto'):
 print("Initializing the snap with --{}".format(flag))
diff --git a/tools/connect.sh b/tools/connect.sh
new file mode 100644
index 0000000..bb7c706
--- /dev/null
+++ b/tools/connect.sh
@@ -0,0 +1,15 @@
+#!/bin/bash
+#
+# Utility script for connecting all the interfaces that MicroStack
+# wants. Useful for testing strict confinement. Not useful for use in
+# the deployed snap, as it can run from within a snap.
+
+set -e
+
+for i in `sudo snap connections microstack`; do
+ if [[ $i =~ ^microstack:.* ]]; then
+ echo $i;
+ sudo snap connect $i;
+ fi
+done
+
diff --git a/tools/init/init/main.py b/tools/init/init/main.py
index 2692f8b..ac3b33d 100644
--- a/tools/init/init/main.py
+++ b/tools/init/init/main.py
@@ -38,7 +38,7 @@ import sys
 from functools import wraps
 from init.config import log
-from init.shell import default_network, call, check, check_output
+from init.shell import default_network, check, check_output
 from init import questions
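Review bot: The comment on the appended block says only "Prevent libvirt from attempting to run setgroups", but the block also undefines `HAVE_SETEUID`, and neither line states the consequence: if libvirt's uid/gid-dropping helpers are compiled out behind these macros, the processes it spawns keep the daemon's credentials, which is a security-relevant trade-off that should be recorded where it is made. Extend the comment to something like `# Strict confinement forbids setgroups/seteuid, so compile out libvirt's privilege-dropping paths; TODO(review): confirm which spawned helpers this leaves running with libvirtd's credentials, and revisit before production`. The `>> libvirt-5.0.0/config-post.h` append is also not idempotent if the build step is re-run against an existing source tree — the `#undef` lines accumulate — so guard it with a `grep -q HAVE_SETGROUPS libvirt-5.0.0/config-post.h ||` before the `echo`, or write them with a single `cat >` to a dedicated header.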
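Review bot: The header comment says the script is "Not useful for use in the deployed snap, as it can run from within a snap", which reads as the opposite of what is meant; presumably `# the deployed snap, as it cannot run from within a snap.` The loop also relies on word-splitting the backtick output of `snap connections`: it visits every whitespace-separated field of the table and keeps only those that happen to match `^microstack:`, and with `set -e` the first failing `snap connect` aborts the remaining ones, which deserves a comment if intended. Reading the table by column makes the intent explicit and quotes every expansion:
```shell
sudo snap connections microstack | while read -r _iface plug _slot _notes; do
    if [[ $plug == microstack:* ]]; then
        echo "$plug"
        sudo snap connect "$plug"
    fi
done
```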
@@ -103,25 +103,11 @@ def process_init_args(args):
 return auto
-def find_missing_plugs():
- missing = []
- if not call('snapctl', 'is-connected', 'openvswitch-support'):
- missing.append("microstack:openvswitch-support")
- return missing
-
-
 @requires_sudo
 def init() -> None:
 args = parse_init_args()
 auto = process_init_args(args)
- # missing_plugs = find_missing_plugs()
- # for plug in missing_plugs:
- # log.critical("Missing {plug}. Please run snap connect "
- # "{plug} to continue".format(plug=plug))
- # if missing_plugs:
- # sys.exit(1)
-
 question_list = [
 questions.Clustering(),
 questions.Dns(),