Switch back to strict confinement

The following are included in the switch to strict confinement: * Set snapcraft.yaml confinement to strict and restore/update plugs * Drop building of python as it's not required for strict snaps * Switch back to running apps under root * Build bridge-utils, iptables, iproute2, and libxml2 into snap Change-Id: I58bc68a946b832ddba5630abf9f2fd5174afed65
2017-06-12 22:19:43 +00:00 · 2017-06-12 22:19:43 +00:00 · 5e028582ce
commit 5e028582ce
parent 90b0ac1560
3 changed files with 105 additions and 79 deletions
--- a/README.md
+++ b/README.md
@ -20,7 +20,7 @@ Neutron plugin.
 The nova-hypervisor snap can be installed directly from the snap store:
-    sudo snap install --edge --classic nova-hypervisor
+    sudo snap install --edge nova-hypervisor
 The nova-hypervisor snap is working towards publication across tracks for
 OpenStack releases. The edge channel for each track will contain the tip
@ -30,8 +30,8 @@ will be published progressively to beta, then candidate, and then stable once
 CI validation completes for the channel. This should result in an experience
 such as:
-    sudo snap install --classic --channel=ocata/stable nova-hypervisor
+    sudo snap install --channel=ocata/stable nova-hypervisor
-    sudo snap install --classic --channel=pike/edge nova-hypervisor
+    sudo snap install --channel=pike/edge nova-hypervisor
 This snap makes use of libvirt and openvswitch daemons running on the host
 operating system, so these packages must be installed for a functional
@ -39,6 +39,12 @@ hypervisor:
    sudo apt install libvirt-bin qemu-kvm openvswitch-switch
 In addition, the libvirt apparmor helper must be placed into complain mode
 until [bug 1644507](https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1644507)
 is resolved:
    sudo aa-complain /usr/lib/libvirt/virt-aa-helper
 ## Configuring Nova and Neutron
 The nova-hypervisor snap gets its default configuration from the following $SNAP
@ -103,10 +109,19 @@ The services for the nova-hypervisor snap will log to its $SNAP_COMMON writable
 ## Managing nova-hypervisor
-The nova-hypervisor snap will drop privileges to run daemons and commands
+The nova-hypervisor snap uses privileged interfaces that are not auto-connected
-under a regular user named snap-nova-hypervisor. Additionally, permissions
+at install time. In order to grant access to these privileged interfaces, the
-and ownership of files and directories in /var/snap/nova-hypervisor/common/
+following plugs and slots must be connected:
-are modified to restrict access from other users.
+
    sudo snap connect nova-hypervisor:system-trace core:system-trace
    sudo snap connect nova-hypervisor:hardware-observe core:hardware-observe
    sudo snap connect nova-hypervisor:system-observe core:system-observe
    sudo snap connect nova-hypervisor:process-control core:process-control
    sudo snap connect nova-hypervisor:openvswitch core:openvswitch
    sudo snap connect nova-hypervisor:libvirt core:libvirt
    sudo snap connect nova-hypervisor:network-observe core:network-observe
    sudo snap connect nova-hypervisor:network-control core:network-control
    sudo snap connect nova-hypervisor:firewall-control core:firewall-control
 The nova-hypervisor snap has alias support that enables use of the well-known
 neutron-netns-cleanup and neutron-ovs-cleanup commands. To enable the aliases,
--- a/snap/snap-openstack.yaml
+++ b/snap/snap-openstack.yaml
@ -1,12 +1,6 @@
 setup:
  users:
    snap-nova-hypervisor: [snap-nova-hypervisor]
  default-owner: "root:snap-nova-hypervisor"
  dirs:
    - "{snap_common}/etc"
    - "{snap_common}/etc/nova"
    - "{snap_common}/etc/nova/nova.conf.d"
    - "{snap_common}/etc/neutron"
    - "{snap_common}/etc/neutron/neutron.conf.d"
    - "{snap_common}/etc/neutron/plugins"
    - "{snap_common}/etc/neutron/plugins/ml2"
@ -18,12 +12,8 @@ setup:
  templates:
    nova-snap.conf.j2: "{snap_common}/etc/nova/nova.conf.d/nova-snap.conf"
    neutron-snap.conf.j2: "{snap_common}/etc/neutron/neutron.conf.d/neutron-snap.conf"
-  rchown:
+  chmod:
-    "{snap_common}/instances": "snap-nova-hypervisor:snap-nova-hypervisor"
+    "{snap_common}/instances": 0755
    "{snap_common}/lib": "snap-nova-hypervisor:snap-nova-hypervisor"
    "{snap_common}/lock": "snap-nova-hypervisor:snap-nova-hypervisor"
    "{snap_common}/log": "snap-nova-hypervisor:snap-nova-hypervisor"
    "{snap_common}/run": "snap-nova-hypervisor:snap-nova-hypervisor"
 entry_points:
  nova-compute:
    binary: "{snap}/bin/nova-compute"
@ -34,8 +24,6 @@ entry_points:
    config-dirs:
      - "{snap_common}/etc/nova/nova.conf.d"
    log-file: "{snap_common}/log/nova-compute.log"
    run-as:
      snap-nova-hypervisor: [snap-nova-hypervisor]
  nova-api-metadata:
    binary: "{snap}/bin/nova-api-metadata"
    config-files:
@ -45,8 +33,6 @@ entry_points:
    config-dirs:
      - "{snap_common}/etc/nova/nova.conf.d"
    log-file: "{snap_common}/log/nova-api-metadata.log"
    run-as:
      snap-nova-hypervisor: [snap-nova-hypervisor]
  neutron-openvswitch-agent:
    binary: "{snap}/bin/neutron-openvswitch-agent"
    config-files:
@ -58,8 +44,6 @@ entry_points:
    config-dirs:
      - "{snap_common}/etc/neutron/neutron.conf.d"
    log-file: "{snap_common}/log/neutron-openvswitch-agent.log"
    run-as:
      snap-nova-hypervisor: [snap-nova-hypervisor]
  neutron-ovs-cleanup:
    binary: "{snap}/bin/neutron-ovs-cleanup"
    config-files:
@ -68,8 +52,6 @@ entry_points:
      - "{snap_common}/etc/neutron/neutron.conf"
    config-dirs:
      - "{snap_common}/etc/neutron/neutron.conf.d"
    run-as:
      snap-nova-hypervisor: [snap-nova-hypervisor]
  neutron-netns-cleanup:
    binary: "{snap}/bin/neutron-netns-cleanup"
    config-files:
@ -78,8 +60,6 @@ entry_points:
      - "{snap_common}/etc/neutron/neutron.conf"
    config-dirs:
      - "{snap_common}/etc/neutron/neutron.conf.d"
    run-as:
      snap-nova-hypervisor: [snap-nova-hypervisor]
  neutron-l3-agent:
    binary: "{snap}/bin/neutron-l3-agent"
    config-files:
@ -91,8 +71,6 @@ entry_points:
    config-dirs:
      - "{snap_common}/etc/neutron/neutron.conf.d"
    log-file: "{snap_common}/log/neutron-l3-agent.log"
    run-as:
      snap-nova-hypervisor: [snap-nova-hypervisor]
  neutron-dhcp-agent:
    binary: "{snap}/bin/neutron-dhcp-agent"
    config-files:
@ -104,8 +82,6 @@ entry_points:
    config-dirs:
      - "{snap_common}/etc/neutron/neutron.conf.d"
    log-file: "{snap_common}/log/neutron-dhcp-agent.log"
    run-as:
      snap-nova-hypervisor: [snap-nova-hypervisor]
  neutron-metadata-agent:
    binary: "{snap}/bin/neutron-metadata-agent"
    config-files:
@ -117,5 +93,3 @@ entry_points:
    config-dirs:
      - "{snap_common}/etc/neutron/neutron.conf.d"
    log-file: "{snap_common}/log/neutron-metadata-agent.log"
    run-as:
      snap-nova-hypervisor: [snap-nova-hypervisor]
--- a/snapcraft.yaml
+++ b/snapcraft.yaml
@ -15,53 +15,106 @@ description: |
  This snap provides the hypervisor component of an OpenStack
  deployment, configured to use Libvirt/KVM + Open vSwitch
  installed using debian packages on the hosting server.
-confinement: classic
+confinement: strict
 grade: devel
 apps:
  nova-compute:
-    command: >
+    command: snap-openstack nova-compute
      env PYTHONPATH=$PYTHONPATH:$SNAP/lib/python2.7/site-packages
      $SNAP/usr/bin/python2 $SNAP/bin/snap-openstack nova-compute
    daemon: simple
    plugs:
      - network
      - network-bind
      - firewall-control
      - system-trace
      - hardware-observe
      - libvirt
      - openvswitch
  nova-api-metadata:
-    command: >
+    command: snap-openstack nova-api-metadata
      env PYTHONPATH=$PYTHONPATH:$SNAP/lib/python2.7/site-packages
      $SNAP/usr/bin/python2 $SNAP/bin/snap-openstack nova-api-metadata
    daemon: simple
    plugs:
      - network
      - network-bind
      - firewall-control
  neutron-openvswitch-agent:
-    command: >
+    command: snap-openstack neutron-openvswitch-agent
      env PYTHONPATH=$PYTHONPATH:$SNAP/lib/python2.7/site-packages
      $SNAP/usr/bin/python2 $SNAP/bin/snap-openstack neutron-openvswitch-agent
    daemon: simple
    plugs:
      - network
      - network-bind
      - network-control
      - network-observe
      - firewall-control
      - process-control
      - system-trace
      - system-observe
      - openvswitch
  neutron-l3-agent:
-    command: >
+    command: snap-openstack neutron-l3-agent
      env PYTHONPATH=$PYTHONPATH:$SNAP/lib/python2.7/site-packages
      $SNAP/usr/bin/python2 $SNAP/bin/snap-openstack neutron-l3-agent
    daemon: simple
    plugs:
      - network
      - network-bind
      - network-control
      - network-observe
      - firewall-control
      - process-control
      - system-trace
      - system-observe
      - openvswitch
  neutron-dhcp-agent:
-    command: >
+    command: snap-openstack neutron-dhcp-agent
      env PYTHONPATH=$PYTHONPATH:$SNAP/lib/python2.7/site-packages
      $SNAP/usr/bin/python2 $SNAP/bin/snap-openstack neutron-dhcp-agent
    daemon: simple
    plugs:
      - network
      - network-bind
      - network-control
      - network-observe
      - process-control
      - system-trace
      - system-observe
      - openvswitch
  neutron-metadata-agent:
-    command: >
+    command: snap-openstack neutron-metadata-agent
      env PYTHONPATH=$PYTHONPATH:$SNAP/lib/python2.7/site-packages
      $SNAP/usr/bin/python2 $SNAP/bin/snap-openstack neutron-metadata-agent
    daemon: simple
    plugs:
      - network
      - network-bind
      - network-control
  neutron-ovs-cleanup:
-    command: >
+    command: snap-openstack neutron-ovs-cleanup
      env PYTHONPATH=$PYTHONPATH:$SNAP/lib/python2.7/site-packages
      $SNAP/usr/bin/python2 $SNAP/bin/snap-openstack neutron-ovs-cleanup
    aliases:
      - neutron-ovs-cleanup
    plugs:
      - network
      - network-control
      - openvswitch
  neutron-netns-cleanup:
-    command: >
+    command: snap-openstack neutron-netns-cleanup
      env PYTHONPATH=$PYTHONPATH:$SNAP/lib/python2.7/site-packages
      $SNAP/usr/bin/python2 $SNAP/bin/snap-openstack neutron-netns-cleanup
    aliases:
      - neutron-netns-cleanup
    plugs:
      - network
      - network-control
 parts:
  bridge-utils:
    source: https://www.kernel.org/pub/linux/utils/net/bridge-utils/bridge-utils-1.6.tar.gz
    plugin: autotools
  iproute2:
    source: https://www.kernel.org/pub/linux/utils/net/iproute2/iproute2-4.9.0.tar.gz
    plugin: autotools
    build-packages:
      - bison
      - flex
      - libdb5.3-dev
  iptables:
    source: http://iptables.netfilter.org/projects/iptables/files/iptables-1.6.0.tar.bz2
    plugin: autotools
    build-packages:
      - libnftnl-dev
    configflags:
      - --disable-nftables
  ipset:
    source: http://ipset.netfilter.org/ipset-6.30.tar.bz2
    plugin: autotools
@ -70,6 +123,9 @@ parts:
      - libmnl-dev
    configflags:
      - "--with-kmod=no"
  libxml2:
    source: http://xmlsoft.org/sources/libxml2-2.9.4.tar.gz
    plugin: autotools
  dnsmasq:
    source: http://www.thekelleys.org.uk/dnsmasq/dnsmasq-2.76.tar.xz
    plugin: make
@ -105,7 +161,6 @@ parts:
    snap: [$bin]
  nova:
    after:
      - python
      - openvswitch
    plugin: python
    python-version: python2
@ -127,11 +182,6 @@ parts:
      - libxslt1-dev
    stage-packages:
      - qemu-utils
    stage:
      - -usr/bin/2to3
      - -usr/bin/pydoc
      - -usr/bin/python2.7
      - -usr/lib/python2.7
    install: |
      touch $SNAPCRAFT_PART_INSTALL/lib/python2.7/site-packages/paste/__init__.py
      touch $SNAPCRAFT_PART_INSTALL/lib/python2.7/site-packages/repoze/__init__.py
@ -165,16 +215,3 @@ parts:
        - etc/neutron/*
    stage: [$etc]
    snap: [$etc]
  python:
    source: https://www.python.org/ftp/python/2.7.13/Python-2.7.13.tar.xz
    plugin: autotools
    configflags:
      - --prefix=/usr
      - --enable-shared
      - --enable-unicode=ucs4
    build-packages:
      - libssl-dev
    prime:
      - -usr/include
    install:
      $SNAPCRAFT_PART_INSTALL/usr/bin/python2 -m ensurepip