From 5e028582cebcad6cc6a16c8c11f8bd9f2083b572 Mon Sep 17 00:00:00 2001 From: Corey Bryant Date: Mon, 12 Jun 2017 22:19:43 +0000 Subject: [PATCH] Switch back to strict confinement The following are included in the switch to strict confinement: * Set snapcraft.yaml confinement to strict and restore/update plugs * Drop building of python as it's not required for strict snaps * Switch back to running apps under root * Build bridge-utils, iptables, iproute2, and libxml2 into snap Change-Id: I58bc68a946b832ddba5630abf9f2fd5174afed65 --- README.md | 29 ++++++--- snap/snap-openstack.yaml | 30 +--------- snapcraft.yaml | 125 +++++++++++++++++++++++++-------------- 3 files changed, 105 insertions(+), 79 deletions(-) diff --git a/README.md b/README.md index 4ebffae..3347be6 100644 --- a/README.md +++ b/README.md @@ -20,7 +20,7 @@ Neutron plugin. The nova-hypervisor snap can be installed directly from the snap store: - sudo snap install --edge --classic nova-hypervisor + sudo snap install --edge nova-hypervisor The nova-hypervisor snap is working towards publication across tracks for OpenStack releases. The edge channel for each track will contain the tip @@ -30,8 +30,8 @@ will be published progressively to beta, then candidate, and then stable once CI validation completes for the channel. This should result in an experience such as: - sudo snap install --classic --channel=ocata/stable nova-hypervisor - sudo snap install --classic --channel=pike/edge nova-hypervisor + sudo snap install --channel=ocata/stable nova-hypervisor + sudo snap install --channel=pike/edge nova-hypervisor This snap makes use of libvirt and openvswitch daemons running on the host operating system, so these packages must be installed for a functional 
@@ -39,6 +39,12 @@ hypervisor: sudo apt install libvirt-bin qemu-kvm openvswitch-switch +In addition, the libvirt apparmor helper must be placed into complain mode +until [bug 1644507](https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1644507) +is resolved: + + sudo aa-complain /usr/lib/libvirt/virt-aa-helper + ## Configuring Nova and Neutron The nova-hypervisor snap gets its default configuration from the following $SNAP @@ -103,10 +109,19 @@ The services for the nova-hypervisor snap will log to its $SNAP_COMMON writable ## Managing nova-hypervisor -The nova-hypervisor snap will drop privileges to run daemons and commands -under a regular user named snap-nova-hypervisor. Additionally, permissions -and ownership of files and directories in /var/snap/nova-hypervisor/common/ -are modified to restrict access from other users. +The nova-hypervisor snap uses privileged interfaces that are not auto-connected +at install time. In order to grant access to these privileged interfaces, the +following plugs and slots must be connected: + + sudo snap connect nova-hypervisor:system-trace core:system-trace + sudo snap connect nova-hypervisor:hardware-observe core:hardware-observe + sudo snap connect nova-hypervisor:system-observe core:system-observe + sudo snap connect nova-hypervisor:process-control core:process-control + sudo snap connect nova-hypervisor:openvswitch core:openvswitch + sudo snap connect nova-hypervisor:libvirt core:libvirt + sudo snap connect nova-hypervisor:network-observe core:network-observe + sudo snap connect nova-hypervisor:network-control core:network-control + sudo snap connect nova-hypervisor:firewall-control core:firewall-control The nova-hypervisor snap has alias support that enables use of the well-known neutron-netns-cleanup and neutron-ovs-cleanup commands. To enable the aliases, diff --git a/snap/snap-openstack.yaml b/snap/snap-openstack.yaml index 5a84192..870ee08 100644 --- a/snap/snap-openstack.yaml +++ b/snap/snap-openstack.yaml 
@@ -1,12 +1,6 @@ setup: - users: - snap-nova-hypervisor: [snap-nova-hypervisor] - default-owner: "root:snap-nova-hypervisor" dirs: - - "{snap_common}/etc" - - "{snap_common}/etc/nova" - "{snap_common}/etc/nova/nova.conf.d" - - "{snap_common}/etc/neutron" - "{snap_common}/etc/neutron/neutron.conf.d" - "{snap_common}/etc/neutron/plugins" - "{snap_common}/etc/neutron/plugins/ml2" @@ -18,12 +12,8 @@ setup: templates: nova-snap.conf.j2: "{snap_common}/etc/nova/nova.conf.d/nova-snap.conf" neutron-snap.conf.j2: "{snap_common}/etc/neutron/neutron.conf.d/neutron-snap.conf" - rchown: - "{snap_common}/instances": "snap-nova-hypervisor:snap-nova-hypervisor" - "{snap_common}/lib": "snap-nova-hypervisor:snap-nova-hypervisor" - "{snap_common}/lock": "snap-nova-hypervisor:snap-nova-hypervisor" - "{snap_common}/log": "snap-nova-hypervisor:snap-nova-hypervisor" - "{snap_common}/run": "snap-nova-hypervisor:snap-nova-hypervisor" + chmod: + "{snap_common}/instances": 0755 entry_points: nova-compute: binary: "{snap}/bin/nova-compute" @@ -34,8 +24,6 @@ entry_points: config-dirs: - "{snap_common}/etc/nova/nova.conf.d" log-file: "{snap_common}/log/nova-compute.log" - run-as: - snap-nova-hypervisor: [snap-nova-hypervisor] nova-api-metadata: binary: "{snap}/bin/nova-api-metadata" config-files: @@ -45,8 +33,6 @@ entry_points: config-dirs: - "{snap_common}/etc/nova/nova.conf.d" log-file: "{snap_common}/log/nova-api-metadata.log" - run-as: - snap-nova-hypervisor: [snap-nova-hypervisor] neutron-openvswitch-agent: binary: "{snap}/bin/neutron-openvswitch-agent" config-files: @@ -58,8 +44,6 @@ entry_points: config-dirs: - "{snap_common}/etc/neutron/neutron.conf.d" log-file: "{snap_common}/log/neutron-openvswitch-agent.log" - run-as: - snap-nova-hypervisor: [snap-nova-hypervisor] neutron-ovs-cleanup: binary: "{snap}/bin/neutron-ovs-cleanup" config-files: 
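Review bot: The new `chmod` entry in the `setup:` hunk writes the mode as an unquoted `0755`, which a YAML 1.1 loader such as PyYAML reads as the octal integer 493 while a YAML 1.2 loader reads it as decimal 755 (0o1363), so the permission actually applied to `{snap_common}/instances` depends on which parser snap-openstack uses. Quoting it, `"{snap_common}/instances": "0755"`, pins the text; that presumes the consumer converts with `int(mode, 8)` — confirm against snap-openstack before changing it. The same hunk drops the `rchown` block that kept the `{snap_common}` subtrees owned by the dedicated service user, and with the apps now run as root the 0755 directory is traversable and listable by any local user; if that is intended, a one-line comment above `chmod:` saying so would save the next reader from re-deriving it.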
@@ -68,8 +52,6 @@ entry_points: - "{snap_common}/etc/neutron/neutron.conf" config-dirs: - "{snap_common}/etc/neutron/neutron.conf.d" - run-as: - snap-nova-hypervisor: [snap-nova-hypervisor] neutron-netns-cleanup: binary: "{snap}/bin/neutron-netns-cleanup" config-files: @@ -78,8 +60,6 @@ entry_points: - "{snap_common}/etc/neutron/neutron.conf" config-dirs: - "{snap_common}/etc/neutron/neutron.conf.d" - run-as: - snap-nova-hypervisor: [snap-nova-hypervisor] neutron-l3-agent: binary: "{snap}/bin/neutron-l3-agent" config-files: @@ -91,8 +71,6 @@ entry_points: config-dirs: - "{snap_common}/etc/neutron/neutron.conf.d" log-file: "{snap_common}/log/neutron-l3-agent.log" - run-as: - snap-nova-hypervisor: [snap-nova-hypervisor] neutron-dhcp-agent: binary: "{snap}/bin/neutron-dhcp-agent" config-files: @@ -104,8 +82,6 @@ entry_points: config-dirs: - "{snap_common}/etc/neutron/neutron.conf.d" log-file: "{snap_common}/log/neutron-dhcp-agent.log" - run-as: - snap-nova-hypervisor: [snap-nova-hypervisor] neutron-metadata-agent: binary: "{snap}/bin/neutron-metadata-agent" config-files: @@ -117,5 +93,3 @@ entry_points: config-dirs: - "{snap_common}/etc/neutron/neutron.conf.d" log-file: "{snap_common}/log/neutron-metadata-agent.log" - run-as: - snap-nova-hypervisor: [snap-nova-hypervisor] diff --git a/snapcraft.yaml b/snapcraft.yaml index ae17ffd..a97f2d5 100644 --- a/snapcraft.yaml +++ b/snapcraft.yaml 
@@ -15,53 +15,106 @@ description: | This snap provides the hypervisor component of an OpenStack deployment, configured to use Libvirt/KVM + Open vSwitch installed using debian packages on the hosting server. -confinement: classic +confinement: strict grade: devel apps: nova-compute: - command: > - env PYTHONPATH=$PYTHONPATH:$SNAP/lib/python2.7/site-packages - $SNAP/usr/bin/python2 $SNAP/bin/snap-openstack nova-compute + command: snap-openstack nova-compute daemon: simple + plugs: + - network + - network-bind + - firewall-control + - system-trace + - hardware-observe + - libvirt + - openvswitch nova-api-metadata: - command: > - env PYTHONPATH=$PYTHONPATH:$SNAP/lib/python2.7/site-packages - $SNAP/usr/bin/python2 $SNAP/bin/snap-openstack nova-api-metadata + command: snap-openstack nova-api-metadata daemon: simple + plugs: + - network + - network-bind + - firewall-control neutron-openvswitch-agent: - command: > - env PYTHONPATH=$PYTHONPATH:$SNAP/lib/python2.7/site-packages - $SNAP/usr/bin/python2 $SNAP/bin/snap-openstack neutron-openvswitch-agent + command: snap-openstack neutron-openvswitch-agent daemon: simple + plugs: + - network + - network-bind + - network-control + - network-observe + - firewall-control + - process-control + - system-trace + - system-observe + - openvswitch neutron-l3-agent: - command: > - env PYTHONPATH=$PYTHONPATH:$SNAP/lib/python2.7/site-packages - $SNAP/usr/bin/python2 $SNAP/bin/snap-openstack neutron-l3-agent + command: snap-openstack neutron-l3-agent daemon: simple + plugs: + - network + - network-bind + - network-control + - network-observe + - firewall-control + - process-control + - system-trace + - system-observe + - openvswitch neutron-dhcp-agent: - command: > - env PYTHONPATH=$PYTHONPATH:$SNAP/lib/python2.7/site-packages - $SNAP/usr/bin/python2 $SNAP/bin/snap-openstack neutron-dhcp-agent + command: snap-openstack neutron-dhcp-agent daemon: simple + plugs: + - network + - network-bind + - network-control + - network-observe + - 
process-control + - system-trace + - system-observe + - openvswitch neutron-metadata-agent: - command: > - env PYTHONPATH=$PYTHONPATH:$SNAP/lib/python2.7/site-packages - $SNAP/usr/bin/python2 $SNAP/bin/snap-openstack neutron-metadata-agent + command: snap-openstack neutron-metadata-agent daemon: simple + plugs: + - network + - network-bind + - network-control neutron-ovs-cleanup: - command: > - env PYTHONPATH=$PYTHONPATH:$SNAP/lib/python2.7/site-packages - $SNAP/usr/bin/python2 $SNAP/bin/snap-openstack neutron-ovs-cleanup + command: snap-openstack neutron-ovs-cleanup aliases: - neutron-ovs-cleanup + plugs: + - network + - network-control + - openvswitch neutron-netns-cleanup: - command: > - env PYTHONPATH=$PYTHONPATH:$SNAP/lib/python2.7/site-packages - $SNAP/usr/bin/python2 $SNAP/bin/snap-openstack neutron-netns-cleanup + command: snap-openstack neutron-netns-cleanup aliases: - neutron-netns-cleanup + plugs: + - network + - network-control parts: + bridge-utils: + source: https://www.kernel.org/pub/linux/utils/net/bridge-utils/bridge-utils-1.6.tar.gz + plugin: autotools + iproute2: + source: https://www.kernel.org/pub/linux/utils/net/iproute2/iproute2-4.9.0.tar.gz + plugin: autotools + build-packages: + - bison + - flex + - libdb5.3-dev + iptables: + source: http://iptables.netfilter.org/projects/iptables/files/iptables-1.6.0.tar.bz2 + plugin: autotools + build-packages: + - libnftnl-dev + configflags: + - --disable-nftables ipset: source: http://ipset.netfilter.org/ipset-6.30.tar.bz2 plugin: autotools @@ -70,6 +123,9 @@ parts: - libmnl-dev configflags: - "--with-kmod=no" + libxml2: + source: http://xmlsoft.org/sources/libxml2-2.9.4.tar.gz + plugin: autotools dnsmasq: source: http://www.thekelleys.org.uk/dnsmasq/dnsmasq-2.76.tar.xz plugin: make @@ -105,7 +161,6 @@ parts: snap: [$bin] nova: after: - - python - openvswitch plugin: python python-version: python2 
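Review bot: The parts added under `parts:` (`bridge-utils`, `iproute2` and `iptables` in this hunk, `libxml2` in the next) fetch release tarballs by URL with no `source-checksum`, and `iptables` and `libxml2` use plain http, so the build accepts whatever the mirror or an on-path party serves and ships it inside a snap whose apps run as root. Pinning each tarball, e.g. under `libxml2:` add `source-checksum: sha256/<sha256 of libxml2-2.9.4.tar.gz>`, lets snapcraft reject a tampered download; the pre-existing `ipset` and `dnsmasq` parts have the same gap but are not touched here. Separately, `--disable-nftables` is left unquoted while the neighbouring `ipset` part quotes `"--with-kmod=no"`; quoting it too keeps the `configflags` style uniform and avoids surprises if a later flag contains `: ` or ` #`.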
@@ -127,11 +182,6 @@ parts: - libxslt1-dev stage-packages: - qemu-utils - stage: - - -usr/bin/2to3 - - -usr/bin/pydoc - - -usr/bin/python2.7 - - -usr/lib/python2.7 install: | touch $SNAPCRAFT_PART_INSTALL/lib/python2.7/site-packages/paste/__init__.py touch $SNAPCRAFT_PART_INSTALL/lib/python2.7/site-packages/repoze/__init__.py @@ -165,16 +215,3 @@ parts: - etc/neutron/* stage: [$etc] snap: [$etc] - python: - source: https://www.python.org/ftp/python/2.7.13/Python-2.7.13.tar.xz - plugin: autotools - configflags: - - --prefix=/usr - - --enable-shared - - --enable-unicode=ucs4 - build-packages: - - libssl-dev - prime: - - -usr/include - install: - $SNAPCRAFT_PART_INSTALL/usr/bin/python2 -m ensurepip