x/snap-nova-hypervisor
Code Issues Proposed changes

Switch to classic confinement

Browse Source 
Classic confinement drops apparmor/seccomp sandboxing and enables
dropping privileges to a regular user when running services.

We will continue to store all of the snap's files in $SNAP* directories
and $SNAP_COMMON is used as the root directory where setup dirs,
templates, and copyfiles are installed.

Change-Id: I3d8d2160a2fd6fadae65491fcd4e479b7a6d66b6
This commit is contained in:
Corey Bryant 2017-03-21 13:15:46 +00:00
parent 67273af6d7
commit 7d540c988b
6 changed files with 32 additions and 89 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
bindep.txt
View File

@ -1 +1,2 @@
snapcraft [platform:dpkg]
snapd [platform:dpkg]

45
snap/snap-openstack.yaml
View File

@ -1,84 +1,75 @@
setup:
dirs:
- "{snap_common}/etc/nova.conf.d"
- "{snap_common}/etc/nova"
- "{snap_common}/etc/neutron.conf.d"
- "{snap_common}/etc/neutron"
- "{snap_common}/etc/nova/conf.d"
- "{snap_common}/etc/neutron/conf.d"
- "{snap_common}/etc/neutron/plugins/ml2"
- "{snap_common}/instances"
- "{snap_common}/lib"
- "{snap_common}/log"
- "{snap_common}/lock"
- "{snap_common}/run"
- "{snap_common}/instances"
templates:
"nova-snap.conf.j2": "{snap_common}/etc/nova.conf.d/nova-snap.conf"
"neutron-snap.conf.j2": "{snap_common}/etc/neutron.conf.d/neutron-snap.conf"
nova-snap.conf.j2: "{snap_common}/etc/nova/conf.d/nova-snap.conf"
neutron-snap.conf.j2: "{snap_common}/etc/neutron/conf.d/neutron-snap.conf"
copyfiles:
"{snap}/etc/nova": "{snap_common}/etc/nova"
"{snap}/etc/neutron": "{snap_common}/etc/neutron"
entry_points:
nova-compute:
binary: nova-compute
config-files:
- "{snap}/etc/nova/nova.conf"
- "{snap_common}/etc/nova/nova.conf"
config-dirs:
- "{snap_common}/etc/nova.conf.d"
- "{snap_common}/etc/nova/conf.d"
log-file: "{snap_common}/log/nova-compute.log"
nova-api-metadata:
binary: nova-api-metadata
config-files:
- "{snap}/etc/nova/nova.conf"
- "{snap_common}/etc/nova/nova.conf"
config-dirs:
- "{snap_common}/etc/nova.conf.d"
- "{snap_common}/etc/nova/conf.d"
log-file: "{snap_common}/log/nova-api-metadata.log"
neutron-openvswitch-agent:
binary: neutron-openvswitch-agent
config-files:
- "{snap}/etc/neutron/neutron.conf"
- "{snap}/etc/neutron/plugins/ml2/openvswitch_agent.ini"
- "{snap_common}/etc/neutron/neutron.conf"
- "{snap_common}/etc/neutron/plugins/ml2/openvswitch_agent.ini"
config-dirs:
- "{snap_common}/etc/neutron.conf.d"
- "{snap_common}/etc/neutron/conf.d"
log-file: "{snap_common}/log/neutron-openvswitch-agent.log"
neutron-ovs-cleanup:
binary: neutron-ovs-cleanup
config-files:
- "{snap}/etc/neutron/neutron.conf"
- "{snap_common}/etc/neutron/neutron.conf"
config-dirs:
- "{snap_common}/etc/neutron.conf.d"
- "{snap_common}/etc/neutron/conf.d"
neutron-netns-cleanup:
binary: neutron-netns-cleanup
config-files:
- "{snap}/etc/neutron/neutron.conf"
- "{snap_common}/etc/neutron/neutron.conf"
config-dirs:
- "{snap_common}/etc/neutron.conf.d"
- "{snap_common}/etc/neutron/conf.d"
neutron-l3-agent:
binary: neutron-l3-agent
config-files:
- "{snap}/etc/neutron/neutron.conf"
- "{snap}/etc/neutron/l3_agent.ini"
- "{snap_common}/etc/neutron/neutron.conf"
- "{snap_common}/etc/neutron/l3_agent.ini"
config-dirs:
- "{snap_common}/etc/neutron.conf.d"
- "{snap_common}/etc/neutron/conf.d"
log-file: "{snap_common}/log/neutron-l3-agent.log"
neutron-dhcp-agent:
binary: neutron-dhcp-agent
config-files:
- "{snap}/etc/neutron/neutron.conf"
- "{snap}/etc/neutron/dhcp_agent.ini"
- "{snap_common}/etc/neutron/neutron.conf"
- "{snap_common}/etc/neutron/dhcp_agent.ini"
config-dirs:
- "{snap_common}/etc/neutron.conf.d"
- "{snap_common}/etc/neutron/conf.d"
log-file: "{snap_common}/log/neutron-dhcp-agent.log"
neutron-metadata-agent:
binary: neutron-metadata-agent
config-files:
- "{snap}/etc/neutron/neutron.conf"
- "{snap}/etc/neutron/metadata_agent.ini"
- "{snap_common}/etc/neutron/neutron.conf"
- "{snap_common}/etc/neutron/metadata_agent.ini"
config-dirs:
- "{snap_common}/etc/neutron.conf.d"
- "{snap_common}/etc/neutron/conf.d"
log-file: "{snap_common}/log/neutron-metadata-agent.log"

2
snap/templates/neutron-snap.conf.j2
View File

@ -1,6 +1,6 @@
[DEFAULT]
# Set state path to writable directory
state_path = {{ snap_common }}
state_path = {{ snap_common }}/lib
[oslo_concurrency]
# Oslo Concurrency lock path

2
snap/templates/nova-snap.conf.j2
View File

@ -1,6 +1,6 @@
[DEFAULT]
# Set state path to writable directory
state_path = {{ snap_common }}
state_path = {{ snap_common }}/lib
[oslo_concurrency]
# Oslo Concurrency lock path

67
snapcraft.yaml
View File

@ -15,78 +15,32 @@ description: |
This snap provides the hypervisor component of an OpenStack
deployment, configured to use Libvirt/KVM + Open vSwitch
installed using debian packages on the hosting server.
confinement: devmode
confinement: classic
grade: devel
apps:
nova-compute:
command: snap-openstack nova-compute
daemon: simple
plugs:
- network
- network-control
- firewall-control
- system-trace
- hardware-observe
- libvirt
- openvswitch
nova-api-metadata:
command: snap-openstack nova-api-metadata
daemon: simple
plugs:
- network
- network-bind
- firewall-control
neutron-openvswitch-agent:
command: snap-openstack neutron-openvswitch-agent
daemon: simple
plugs:
- network
- network-bind
- network-control
- firewall-control
- process-control
- system-trace
- system-observe
- openvswitch
neutron-l3-agent:
command: snap-openstack neutron-l3-agent
daemon: simple
plugs:
- network
- network-control
- firewall-control
- process-control
- system-trace
- system-observe
- openvswitch
neutron-dhcp-agent:
command: snap-openstack neutron-dhcp-agent
daemon: simple
plugs:
- network
- network-control
- process-control
- system-trace
- system-observe
- openvswitch
neutron-metadata-agent:
command: snap-openstack neutron-metadata-agent
daemon: simple
plugs:
- network
- network-bind
neutron-ovs-cleanup:
command: snap-openstack neutron-ovs-cleanup
plugs:
- network
- network-control
- openvswitch
neutron-netns-cleanup:
command: snap-openstack neutron-netns-cleanup
plugs:
- network
- network-control
parts:
ipset:
source: http://ipset.netfilter.org/ipset-6.30.tar.bz2
@ -130,8 +84,7 @@ parts:
stage: [$bin]
snap: [$bin]
nova:
after:
- openvswitch
after: [openvswitch]
plugin: python
python-version: python2
source: http://tarballs.openstack.org/nova/nova-master.tar.gz
@ -141,26 +94,21 @@ parts:
- python-memcached
- http://tarballs.openstack.org/neutron/neutron-master.tar.gz
- http://tarballs.openstack.org/nova-lxd/nova-lxd-master.tar.gz
- git+https://github.com/openstack-snaps/snap.openstack#egg=snap.openstack
- git+https://github.com/openstack/snap.openstack#egg=snap.openstack
constraints: https://raw.githubusercontent.com/openstack/requirements/master/upper-constraints.txt
build-packages:
- gcc
- libffi-dev
- libssl-dev
- libxml2-dev
- libxslt1-dev
- libvirt-dev
- pkg-config
- gcc
stage-packages:
- qemu-utils
templates:
after:
- nova
after: [nova]
plugin: dump
source: snap
config-nova:
after:
- nova
after: [nova]
plugin: dump
source: http://tarballs.openstack.org/nova/nova-master.tar.gz
filesets:
@ -169,8 +117,7 @@ parts:
stage: [$etc]
snap: [$etc]
config-neutron:
after:
- nova
after: [nova]
plugin: dump
source: http://tarballs.openstack.org/neutron/neutron-master.tar.gz
organize:

4
tox.ini
View File

@ -6,9 +6,13 @@ skipsdist = True
basepython = python3.5
install_command = pip install {opts} {packages}
passenv = HOME TERM
whitelist_externals =
sudo
snapcraft
[testenv:snap]
deps = -r{toxinidir}/requirements.txt
commands =
sudo snap install core
snapcraft clean
snapcraft snap