From 7e868649bb5359b0e21bc9d790b2c06b5e0a7e8c Mon Sep 17 00:00:00 2001 From: dt241s Date: Mon, 25 Mar 2019 18:57:43 -0500 Subject: [PATCH] Add Docker default AppArmor profile to Ceph-osd Change apparmor for ceph-osd into gate script Change-Id: I587c98dd6e55b8eb7af0c8100f2cb3cb1be96438 --- ceph-osd/templates/daemonset-osd.yaml | 1 + tools/deployment/apparmor/020-ceph.sh | 221 ++++++++++++++++++++++++++ zuul.d/jobs.yaml | 1 + 3 files changed, 223 insertions(+) create mode 100755 tools/deployment/apparmor/020-ceph.sh diff --git a/ceph-osd/templates/daemonset-osd.yaml b/ceph-osd/templates/daemonset-osd.yaml index 64230e6c5..69b1dff88 100644 --- a/ceph-osd/templates/daemonset-osd.yaml +++ b/ceph-osd/templates/daemonset-osd.yaml @@ -40,6 +40,7 @@ spec: {{ tuple $envAll "ceph" "osd" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} annotations: configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }} +{{ dict "envAll" $envAll "podName" "ceph-osd-default" "containerNames" (list "ceph-osd-default") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }} {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }} spec: serviceAccountName: {{ $serviceAccountName }} diff --git a/tools/deployment/apparmor/020-ceph.sh b/tools/deployment/apparmor/020-ceph.sh new file mode 100755 index 000000000..bf3b86a0a --- /dev/null +++ b/tools/deployment/apparmor/020-ceph.sh @@ -0,0 +1,221 @@ +#!/bin/bash + +# Copyright 2017 The Openstack-Helm Authors. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +set -xe + +#NOTE: Lint and package chart +for CHART in ceph-mon ceph-client ceph-provisioners; do + make "${CHART}" +done + +#NOTE: Deploy command +: ${OSH_EXTRA_HELM_ARGS:=""} +[ -s /tmp/ceph-fs-uuid.txt ] || uuidgen > /tmp/ceph-fs-uuid.txt +CEPH_FS_ID="$(cat /tmp/ceph-fs-uuid.txt)" +#NOTE(portdirect): to use RBD devices with Ubuntu kernels < 4.5 this +# should be set to 'hammer' +. /etc/os-release +if [ "x${ID}" == "xubuntu" ] && \ + [ "$(uname -r | awk -F "." '{ print $2 }')" -lt "5" ]; then + CRUSH_TUNABLES=hammer +else + CRUSH_TUNABLES=null +fi +tee /tmp/ceph.yaml <