From 7d540c988b4b8b34bd5ae0bafdfe03e66ead7ec0 Mon Sep 17 00:00:00 2001
From: Corey Bryant
Date: Tue, 21 Mar 2017 13:15:46 +0000
Subject: [PATCH] Switch to classic confinement

Classic confinement drops apparmor/seccomp sandboxing and enables dropping privileges to a regular user when running services. We will continue to store all of the snap's files in $SNAP* directories and $SNAP_COMMON is used as the root directory where setup dirs, templates, and copyfiles are installed.

Change-Id: I3d8d2160a2fd6fadae65491fcd4e479b7a6d66b6
---
 bindep.txt | 1 +
 snap/snap-openstack.yaml | 45 ++++++++-----------
 snap/templates/neutron-snap.conf.j2 | 2 +-
 snap/templates/nova-snap.conf.j2 | 2 +-
 snapcraft.yaml | 67 +++--------------------------
 tox.ini | 4 ++
 6 files changed, 32 insertions(+), 89 deletions(-)

diff --git a/bindep.txt b/bindep.txt
index 5816a55..8d8c1a2 100644
--- a/bindep.txt
+++ b/bindep.txt
@@ -1 +1,2 @@
 snapcraft [platform:dpkg]
+snapd [platform:dpkg]
diff --git a/snap/snap-openstack.yaml b/snap/snap-openstack.yaml
index 6b105a1..ca532ed 100644
--- a/snap/snap-openstack.yaml
+++ b/snap/snap-openstack.yaml
@@ -1,84 +1,75 @@ setup: dirs: - - "{snap_common}/etc/nova.conf.d" - - "{snap_common}/etc/nova" - - "{snap_common}/etc/neutron.conf.d" - - "{snap_common}/etc/neutron" + - "{snap_common}/etc/nova/conf.d" + - "{snap_common}/etc/neutron/conf.d" + - "{snap_common}/etc/neutron/plugins/ml2" + - "{snap_common}/instances" + - "{snap_common}/lib" - "{snap_common}/log" - "{snap_common}/lock" - "{snap_common}/run" - - "{snap_common}/instances" templates: - "nova-snap.conf.j2": "{snap_common}/etc/nova.conf.d/nova-snap.conf" - "neutron-snap.conf.j2": "{snap_common}/etc/neutron.conf.d/neutron-snap.conf" + nova-snap.conf.j2: "{snap_common}/etc/nova/conf.d/nova-snap.conf" + neutron-snap.conf.j2: "{snap_common}/etc/neutron/conf.d/neutron-snap.conf" + copyfiles: + "{snap}/etc/nova": "{snap_common}/etc/nova" + "{snap}/etc/neutron": "{snap_common}/etc/neutron" entry_points: nova-compute: binary: nova-compute config-files: - - "{snap}/etc/nova/nova.conf" - "{snap_common}/etc/nova/nova.conf" config-dirs: - - "{snap_common}/etc/nova.conf.d" + - "{snap_common}/etc/nova/conf.d" log-file: "{snap_common}/log/nova-compute.log" nova-api-metadata: binary: nova-api-metadata config-files: - - "{snap}/etc/nova/nova.conf" - "{snap_common}/etc/nova/nova.conf" config-dirs: - - "{snap_common}/etc/nova.conf.d" + - "{snap_common}/etc/nova/conf.d" log-file: "{snap_common}/log/nova-api-metadata.log" neutron-openvswitch-agent: binary: neutron-openvswitch-agent config-files: - - "{snap}/etc/neutron/neutron.conf" - - "{snap}/etc/neutron/plugins/ml2/openvswitch_agent.ini" - "{snap_common}/etc/neutron/neutron.conf" - "{snap_common}/etc/neutron/plugins/ml2/openvswitch_agent.ini" config-dirs: - - "{snap_common}/etc/neutron.conf.d" + - "{snap_common}/etc/neutron/conf.d" log-file: "{snap_common}/log/neutron-openvswitch-agent.log" neutron-ovs-cleanup: binary: neutron-ovs-cleanup config-files: - - "{snap}/etc/neutron/neutron.conf" - "{snap_common}/etc/neutron/neutron.conf" config-dirs: - - 
"{snap_common}/etc/neutron.conf.d" + - "{snap_common}/etc/neutron/conf.d" neutron-netns-cleanup: binary: neutron-netns-cleanup config-files: - - "{snap}/etc/neutron/neutron.conf" - "{snap_common}/etc/neutron/neutron.conf" config-dirs: - - "{snap_common}/etc/neutron.conf.d" + - "{snap_common}/etc/neutron/conf.d" neutron-l3-agent: binary: neutron-l3-agent config-files: - - "{snap}/etc/neutron/neutron.conf" - - "{snap}/etc/neutron/l3_agent.ini" - "{snap_common}/etc/neutron/neutron.conf" - "{snap_common}/etc/neutron/l3_agent.ini" config-dirs: - - "{snap_common}/etc/neutron.conf.d" + - "{snap_common}/etc/neutron/conf.d" log-file: "{snap_common}/log/neutron-l3-agent.log" neutron-dhcp-agent: binary: neutron-dhcp-agent config-files: - - "{snap}/etc/neutron/neutron.conf" - - "{snap}/etc/neutron/dhcp_agent.ini" - "{snap_common}/etc/neutron/neutron.conf" - "{snap_common}/etc/neutron/dhcp_agent.ini" config-dirs: - - "{snap_common}/etc/neutron.conf.d" + - "{snap_common}/etc/neutron/conf.d" log-file: "{snap_common}/log/neutron-dhcp-agent.log" neutron-metadata-agent: binary: neutron-metadata-agent config-files: - - "{snap}/etc/neutron/neutron.conf" - - "{snap}/etc/neutron/metadata_agent.ini" - "{snap_common}/etc/neutron/neutron.conf" - "{snap_common}/etc/neutron/metadata_agent.ini" config-dirs: - - "{snap_common}/etc/neutron.conf.d" + - "{snap_common}/etc/neutron/conf.d" log-file: "{snap_common}/log/neutron-metadata-agent.log"
diff --git a/snap/templates/neutron-snap.conf.j2 b/snap/templates/neutron-snap.conf.j2
index 4f538cd..f683970 100644
--- a/snap/templates/neutron-snap.conf.j2
+++ b/snap/templates/neutron-snap.conf.j2
@@ -1,6 +1,6 @@
 [DEFAULT]
 # Set state path to writable directory
-state_path = {{ snap_common }}
+state_path = {{ snap_common }}/lib

 [oslo_concurrency]
 # Oslo Concurrency lock path
diff --git a/snap/templates/nova-snap.conf.j2 b/snap/templates/nova-snap.conf.j2
index 4f538cd..f683970 100644
--- a/snap/templates/nova-snap.conf.j2
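Review bot: The new `copyfiles` entries seed `{snap_common}/etc/nova` and `{snap_common}/etc/neutron` from `{snap}`, and `{snap_common}/etc/nova/nova.conf` becomes the only `config-files` entry for nova-compute and nova-api-metadata, so the copy is now the operator-edited configuration; the hunk says nothing about whether an existing `{snap_common}` tree is overwritten on refresh, or what owner and mode the copied files end up with, which matters once the services run as an unprivileged user as the commit message intends and because these files can carry service credentials. A comment above `copyfiles:` such as `# seeded from $SNAP by setup; confirm snap-openstack preserves operator edits on refresh and sets ownership for the service user` would record the expectation. If the setup format has no owner/mode fields, the guarantee presumably lives in snap-openstack itself and the comment should point there. The hunk starts on the previous line and the surrounding entry-point list is unchanged apart from the path renames.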
+++ b/snap/templates/nova-snap.conf.j2
@@ -1,6 +1,6 @@
 [DEFAULT]
 # Set state path to writable directory
-state_path = {{ snap_common }}
+state_path = {{ snap_common }}/lib

 [oslo_concurrency]
 # Oslo Concurrency lock path
diff --git a/snapcraft.yaml b/snapcraft.yaml
index b38f0bb..5dd6681 100644
--- a/snapcraft.yaml
+++ b/snapcraft.yaml
@@ -15,78 +15,32 @@ description: | This snap provides the hypervisor component of an OpenStack deployment, configured to use Libvirt/KVM + Open vSwitch installed using debian packages on the hosting server. -confinement: devmode +confinement: classic grade: devel apps: nova-compute: command: snap-openstack nova-compute daemon: simple - plugs: - - network - - network-control - - firewall-control - - system-trace - - hardware-observe - - libvirt - - openvswitch nova-api-metadata: command: snap-openstack nova-api-metadata daemon: simple - plugs: - - network - - network-bind - - firewall-control neutron-openvswitch-agent: command: snap-openstack neutron-openvswitch-agent daemon: simple - plugs: - - network - - network-bind - - network-control - - firewall-control - - process-control - - system-trace - - system-observe - - openvswitch neutron-l3-agent: command: snap-openstack neutron-l3-agent daemon: simple - plugs: - - network - - network-control - - firewall-control - - process-control - - system-trace - - system-observe - - openvswitch neutron-dhcp-agent: command: snap-openstack neutron-dhcp-agent daemon: simple - plugs: - - network - - network-control - - process-control - - system-trace - - system-observe - - openvswitch neutron-metadata-agent: command: snap-openstack neutron-metadata-agent daemon: simple - plugs: - - network - - network-bind neutron-ovs-cleanup: command: snap-openstack neutron-ovs-cleanup - plugs: - - network - - network-control - - openvswitch neutron-netns-cleanup: command: snap-openstack neutron-netns-cleanup - plugs: - - network - - network-control parts: ipset: source: http://ipset.netfilter.org/ipset-6.30.tar.bz2 @@ -130,8 +84,7 @@ parts: stage: [$bin] snap: [$bin] nova: - after: - - openvswitch + after: [openvswitch] plugin: python python-version: python2 source: http://tarballs.openstack.org/nova/nova-master.tar.gz 
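Review bot: `confinement: classic` drops every per-app `plugs` list in this hunk (network-control, firewall-control, openvswitch, process-control, and so on), which was the only place the yaml recorded what each service needed to touch, and nothing replaces that record; the commit message says classic also enables dropping to a regular user, but every app here stays `daemon: simple` with no user setting, so any privilege drop must happen inside `snap-openstack` and is not visible in this file. A comment above the setting, e.g. `# classic: no apparmor/seccomp sandbox; required for host libvirt/OVS access, services drop privileges in snap-openstack`, would keep that rationale next to the change. `grade: devel` is retained and, as far as I know, classic snaps need store review before publication, so this presumably stays a local/edge build for now. The second hunk (`after: [openvswitch]`) is a style-only rewrite.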
@@ -141,26 +94,21 @@ parts: - python-memcached - http://tarballs.openstack.org/neutron/neutron-master.tar.gz - http://tarballs.openstack.org/nova-lxd/nova-lxd-master.tar.gz - - git+https://github.com/openstack-snaps/snap.openstack#egg=snap.openstack + - git+https://github.com/openstack/snap.openstack#egg=snap.openstack constraints: https://raw.githubusercontent.com/openstack/requirements/master/upper-constraints.txt build-packages: + - gcc - libffi-dev - libssl-dev - - libxml2-dev - - libxslt1-dev - libvirt-dev - - pkg-config - - gcc stage-packages: - qemu-utils templates: - after: - - nova + after: [nova] plugin: dump source: snap config-nova: - after: - - nova + after: [nova] plugin: dump source: http://tarballs.openstack.org/nova/nova-master.tar.gz filesets: @@ -169,8 +117,7 @@ parts: stage: [$etc] snap: [$etc] config-neutron: - after: - - nova + after: [nova] plugin: dump source: http://tarballs.openstack.org/neutron/neutron-master.tar.gz organize: diff --git a/tox.ini b/tox.ini index 997c257..7360ffc 100644 --- a/tox.ini +++ b/tox.ini @@ -6,9 +6,13 @@ skipsdist = True basepython = python3.5 install_command = pip install {opts} {packages} passenv = HOME TERM +whitelist_externals = + sudo + snapcraft [testenv:snap] deps = -r{toxinidir}/requirements.txt commands = + sudo snap install core snapcraft clean snapcraft snap
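Review bot: The rewritten `git+https://github.com/openstack/snap.openstack#egg=snap.openstack` line moves the source to a new organisation but still carries no commit ref, and the surrounding context pulls `nova-master.tar.gz`, `neutron-master.tar.gz`, `nova-lxd-master.tar.gz` and `upper-constraints.txt` from `master`, so the built snap contains whatever those URLs serve at build time and cannot be reproduced or checked afterwards. Pinning the git dependency, `git+https://github.com/openstack/snap.openstack@<commit-sha>#egg=snap.openstack` (placeholder), is the one line this hunk can fix; the tarball URLs are unchanged history but deserve the same treatment in a follow-up. The `build-packages` trim (libxml2-dev, libxslt1-dev, pkg-config) is presumably safe only if no wheel in the constraints set still builds lxml from source; worth a note in the commit if that was verified.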
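Review bot: `sudo snap install core` in `commands` mutates the host outside the virtualenv and assumes passwordless sudo for whoever runs `tox -e snap`, and adding `sudo` to `whitelist_externals` makes that env a privileged step with no comment saying so; a line such as `# requires passwordless sudo: installs the core snap on the host so snapcraft can build` above `whitelist_externals` would flag it. As far as I recall, `snap install` of an already-installed snap exits non-zero, so a second run on the same host may fail at this command — confirm, and if so guard it, for instance `bash -c 'snap list core >/dev/null 2>&1 || sudo snap install core'` with `bash` whitelisted.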