From 0abf9d2b20ce0b47857bc02f39c64013d68dd683 Mon Sep 17 00:00:00 2001
From: Steve Wilkerson
Date: Thu, 4 Apr 2019 10:10:41 -0500
Subject: [PATCH] Add nonvoting apparmor check job to openstack-helm
This adds a nonvoting apparmor check job to openstack-helm, which allows for the removal of default apparmor profiles from the nova chart. This job also includes overrides for using the default docker apparmor profile for the neutron chart
Change-Id: I8f407f24b7f10c5d7cf10f21f73671f7e6c72767
---
 nova/values.yaml | 4 -
 tools/deployment/apparmor/compute-kit.sh | 106 +++++++++++++++++++++++
 zuul.d/jobs-openstack-helm.yaml | 19 ++++
 zuul.d/project.yaml | 2 +
 4 files changed, 127 insertions(+), 4 deletions(-)
 create mode 100755 tools/deployment/apparmor/compute-kit.sh
diff --git a/nova/values.yaml b/nova/values.yaml
index 7cb4d553c2..497f0e6789 100644
--- a/nova/values.yaml
+++ b/nova/values.yaml
@@ -1956,10 +1956,6 @@ endpoints:
 namespace: kube-public
 pod:
- mandatory_access_control:
- type: apparmor
- nova-compute-default:
- nova-compute-default: localhost/docker-default
 user:
 nova:
 uid: 42424
diff --git a/tools/deployment/apparmor/compute-kit.sh b/tools/deployment/apparmor/compute-kit.sh
new file mode 100755
index 0000000000..eaadcfbe57
--- /dev/null
+++ b/tools/deployment/apparmor/compute-kit.sh
@@ -0,0 +1,106 @@
+#!/bin/bash
+
+# Copyright 2017 The Openstack-Helm Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+set -xe
+
+#NOTE: Lint and package chart
+make nova
+make neutron
+
+#NOTE: Deploy nova
+: ${OSH_EXTRA_HELM_ARGS:=""}
+tee /tmp/nova.yaml << EOF
+conf:
+ ceph:
+ enabled: false
+pod:
+ mandatory_access_control:
+ type: apparmor
+ nova-compute-default:
+ nova-compute-default: localhost/docker-default
+EOF
+if [ "x$(systemd-detect-virt)" == "xnone" ]; then
+ echo 'OSH is not being deployed in virtualized environment'
+ helm upgrade --install nova ./nova \
+ --namespace=openstack \
+ --values=/tmp/nova.yaml \
+ ${OSH_EXTRA_HELM_ARGS} \
+ ${OSH_EXTRA_HELM_ARGS_NOVA}
+else
+ echo 'OSH is being deployed in virtualized environment, using qemu for nova'
+ helm upgrade --install nova ./nova \
+ --namespace=openstack \
+ --set conf.nova.libvirt.virt_type=qemu \
+ --set conf.nova.libvirt.cpu_mode=none \
+ --values=/tmp/nova.yaml
+ ${OSH_EXTRA_HELM_ARGS} \
+ ${OSH_EXTRA_HELM_ARGS_NOVA}
+fi
+
+#NOTE: Deploy neutron
+tee /tmp/neutron.yaml << EOF
+pod:
+ mandatory_access_control:
+ type: apparmor
+ neutron-dhcp-agent-default:
+ neutron-dhcp-agent-default: localhost/docker-default
+ neutron-l3-agent-default:
+ neutron-l3-agent-default: localhost/docker-default
+ neutron-lb-agent-default:
+ neutron-lb-agent-default: localhost/docker-default
+ neutron-metadata-agent-default:
+ neutron-metadata-agent-default: localhost/docker-default
+ neutron-ovs-agent-default:
+ neutron-ovs-agent-default: localhost/docker-default
+ neutron-sriov-agent-default:
+ neutron-sriov-agent-default: localhost/docker-default
+network:
+ interface:
+ tunnel: docker0
+conf:
+ neutron:
+ DEFAULT:
+ l3_ha: False
+ max_l3_agents_per_router: 1
+ l3_ha_network_type: vxlan
+ dhcp_agents_per_network: 1
+ plugins:
+ ml2_conf:
+ ml2_type_flat:
+ flat_networks: public
+ openvswitch_agent:
+ agent:
+ tunnel_types: vxlan
+ ovs:
+ bridge_mappings: public:br-ex
+ linuxbridge_agent:
+ linux_bridge:
+ bridge_mappings: public:br-ex
+EOF
+helm upgrade --install neutron ./neutron \
+ --namespace=openstack \
+ --values=/tmp/neutron.yaml \
+ ${OSH_EXTRA_HELM_ARGS} \
+ ${OSH_EXTRA_HELM_ARGS_NEUTRON}
+
+#NOTE: Wait for deploy
+./tools/deployment/common/wait-for-pods.sh openstack
+
+#NOTE: Validate Deployment info
+export OS_CLOUD=openstack_helm
+openstack service list
+sleep 30 #NOTE(portdirect): Wait for ingress controller to update rules and restart Nginx
+openstack compute service list
+openstack network agent list
diff --git a/zuul.d/jobs-openstack-helm.yaml b/zuul.d/jobs-openstack-helm.yaml
index 50c853ab21..b76e068aa8 100644
--- a/zuul.d/jobs-openstack-helm.yaml
+++ b/zuul.d/jobs-openstack-helm.yaml
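Review bot: In the virtualized arm of the nova deploy (the `else` branch), the line `--values=/tmp/nova.yaml` has no trailing backslash, so the following `${OSH_EXTRA_HELM_ARGS} \` and `${OSH_EXTRA_HELM_ARGS_NOVA}` are parsed as a separate command instead of helm arguments: with both variables empty they are silently dropped, and with either set bash tries to execute the first word and `set -e` aborts the script with a command-not-found. The non-virtualized arm just above carries the backslash, so the fix is the one line `--values=/tmp/nova.yaml \`. Separately, because the script runs under `set -x`, whatever is passed through the `OSH_EXTRA_HELM_ARGS*` variables is echoed into the gate log, which is worth noting in the script header if those variables are ever used to carry credentials.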
@@ -151,6 +151,25 @@
 - ./tools/deployment/component/compute-kit/openvswitch.sh
 - ./tools/deployment/component/compute-kit/libvirt.sh
 - ./tools/deployment/component/compute-kit/compute-kit.sh
+- job:
+ name: openstack-helm-apparmor
+ parent: openstack-helm-chart-deploy
+ run: tools/gate/playbooks/osh-gate-runner.yaml
+ vars:
+ gate_scripts:
+ - ./tools/deployment/common/install-packages.sh
+ - ./tools/deployment/common/deploy-k8s.sh
+ - ./tools/deployment/common/setup-client.sh
+ - ./tools/deployment/component/common/ingress.sh
+ - ./tools/deployment/component/common/mariadb.sh
+ - ./tools/deployment/component/common/memcached.sh
+ - ./tools/deployment/component/common/rabbitmq.sh
+ - ./tools/deployment/component/nfs-provisioner/nfs-provisioner.sh
+ - ./tools/deployment/component/keystone/keystone.sh
+ - ./tools/deployment/component/glance/glance.sh
+ - ./tools/deployment/component/compute-kit/openvswitch.sh
+ - ./tools/deployment/component/compute-kit/libvirt.sh
+ - ./tools/deployment/apparmor/compute-kit.sh
 - job:
 name: openstack-helm-multinode-temp
diff --git a/zuul.d/project.yaml b/zuul.d/project.yaml
index aa6c9a20ed..cadc575430 100644
--- a/zuul.d/project.yaml
+++ b/zuul.d/project.yaml
@@ -31,6 +31,8 @@
 - openstack-helm-heat
 - openstack-helm-cinder
 - openstack-helm-compute-kit
+ - openstack-helm-apparmor:
+ voting: false
 gate:
 jobs:
 - openstack-helm-lint