From 3aa89c55f32824554e1c73025ded0612e23f9b51 Mon Sep 17 00:00:00 2001
From: Randeep Jalli
Date: Thu, 4 Apr 2019 16:32:55 +0000
Subject: [PATCH] Fixes the Apparmor gate for libvirt and memcached

This updates the apparmor job to only use the docker default profile for memcached, as the custom apparmor profiles used didnt allow for a successful deployment. This also updates the libvirt overrides, as the current change to use daemonset-overrides required updating the container name.

Co-authored-by: wilkers.steve@gmail.com
Co-authored-by: ld366r@att.com
Change-Id: I00cb4c62a38e0e1178e45b4e34c946b3b53da6d5
---
 tools/deployment/apparmor/040-memcached.sh | 61 +--------------------
 tools/deployment/apparmor/050-libvirt.sh | 9 ++--
 2 files changed, 8 insertions(+), 62 deletions(-)

diff --git a/tools/deployment/apparmor/040-memcached.sh b/tools/deployment/apparmor/040-memcached.sh
index a09144b26..54e4b92a1 100755
--- a/tools/deployment/apparmor/040-memcached.sh
+++ b/tools/deployment/apparmor/040-memcached.sh
@@ -28,65 +28,8 @@ images:
 pod:
 mandatory_access_control:
 type: apparmor
- configmap_apparmor: true
 memcached:
- memcached: localhost/my-apparmor-v1
- apparmor-loader: unconfined
-conf:
- apparmor_profiles:
- my-apparmor-v1.profile: |-
- #include
- profile my-apparmor-v1 flags=(attach_disconnected,mediate_deleted) {
- #include
- network inet tcp,
- network inet udp,
- network inet icmp,
- deny network raw,
- deny network packet,
- file,
- umount,
- deny /bin/** wl,
- deny /boot/** wl,
- deny /dev/** wl,
- deny /etc/** wl,
- deny /home/** wl,
- deny /lib/** wl,
- deny /lib64/** wl,
- deny /media/** wl,
- deny /mnt/** wl,
- deny /opt/** wl,
- deny /proc/** wl,
- deny /root/** wl,
- deny /sbin/** wl,
- deny /srv/** wl,
- deny /tmp/** wl,
- deny /sys/** wl,
- deny /usr/** wl,
- audit /** w,
- /var/run/nginx.pid w,
- /usr/sbin/nginx ix,
- deny /bin/dash mrwklx,
- deny /bin/sh mrwklx,
- deny /usr/bin/top mrwklx,
- capability chown,
- capability dac_override,
- capability setuid,
- capability setgid,
- capability net_bind_service,
- deny @{PROC}/{*,**^[0-9*],sys/kernel/shm*} wkx,
- deny @{PROC}/sysrq-trigger rwklx,
- deny @{PROC}/mem rwklx,
- deny @{PROC}/kmem rwklx,
- deny @{PROC}/kcore rwklx,
- deny mount,
- deny /sys/[^f]*/** wklx,
- deny /sys/f[^s]*/** wklx,
- deny /sys/fs/[^c]*/** wklx,
- deny /sys/fs/c[^g]*/** wklx,
- deny /sys/fs/cg[^r]*/** wklx,
- deny /sys/firmware/efi/efivars/** rwklx,
- deny /sys/kernel/security/** rwklx,
- }
+ memcached: localhost/docker-default
 EOF
 # NOTE: Deploy command
@@ -110,7 +53,7 @@ helm status memcached
 pod=$(kubectl -n $namespace get pod | grep memcached | awk '{print $1}')
 unsorted_process_file="/tmp/unsorted_proc_list"
 sorted_process_file="/tmp/proc_list"
-expected_profile="my-apparmor-v1 (enforce)"
+expected_profile="docker-default (enforce)"
 # Grab the processes (numbered directories) from the /proc directory,
 # and then sort them. Highest proc number indicates most recent process.
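Review bot: `memcached: localhost/docker-default` in the first hunk pins the gate to a profile name that is only present where dockerd has loaded `docker-default` on the node; if this value is emitted verbatim as the container's AppArmor annotation, `runtime/default` is the portable spelling that resolves to whichever default profile the node's runtime ships. The heredoc these lines belong to starts outside the hunk, so I cannot see how the value is consumed — if it is passed through unchanged, `memcached: runtime/default` would be the safer choice, with `expected_profile="docker-default (enforce)"` in the second hunk then only valid on Docker-runtime nodes. Dropping `configmap_apparmor: true` and the `apparmor-loader` entry also means this gate no longer exercises the custom-profile loading path at all; a short comment above the values, such as `# memcached is checked only against the runtime's default profile; the custom-profile path is exercised by 050-libvirt.sh`, would stop the next reader from looking for the removed profile.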
diff --git a/tools/deployment/apparmor/050-libvirt.sh b/tools/deployment/apparmor/050-libvirt.sh
index 089bf9571..e05936f3f 100755
--- a/tools/deployment/apparmor/050-libvirt.sh
+++ b/tools/deployment/apparmor/050-libvirt.sh
@@ -26,8 +26,8 @@ pod:
 mandatory_access_control:
 type: apparmor
 configmap_apparmor: true
- libvirt:
- libvirt: localhost/my-apparmor-v1
+ libvirt-libvirt-default:
+ libvirt-libvirt-default: localhost/my-apparmor-v1
 apparmor-loader: unconfined
 conf:
 apparmor_profiles:
@@ -164,10 +164,13 @@ conf:
 EOF
 #NOTE: Deploy command
+
 helm upgrade --install libvirt ./libvirt \
 --namespace=openstack \
 --values=/tmp/libvirt.yaml \
 --set network.backend="null"
 #NOTE: Validate Deployment info
-helm status libvirt
+./tools/deployment/common/wait-for-pods.sh openstack
+
+helm status libvirt
\ No newline at end of file
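Review bot: After `./tools/deployment/common/wait-for-pods.sh openstack` the second hunk still only runs `helm status libvirt`; nothing in these hunks verifies that the libvirt process is actually confined by `my-apparmor-v1 (enforce)`, unlike 040-memcached.sh, which reads the loaded profile from `/proc` and compares it with `expected_profile`. The first hunk shows how easily the override key can drift (`libvirt:` became `libvirt-libvirt-default:`); a key that no longer matches the container would leave libvirt unconfined while this gate still passes, unless such a check exists in a part of the script outside these hunks. I would mirror the memcached check here: locate the libvirt pod, read the libvirtd process's `/proc/<pid>/attr/current`, and fail the script when it does not contain `my-apparmor-v1 (enforce)`. The doubled key in the first hunk also deserves a one-line comment tying it to the daemonset-overrides naming the commit message refers to, e.g. `# key is <daemonset>-<container> as daemonset-overrides names the container`, hedged to however the helper actually derives it.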