Switch to classic confinement
Classic confinement drops the AppArmor/seccomp sandbox and allows the services to drop privileges to a regular user when they run. We will continue to store all of the snap's files in $SNAP* directories, and $SNAP_COMMON is used as the root directory where setup dirs, templates, and copyfiles are installed. Change-Id: I3d8d2160a2fd6fadae65491fcd4e479b7a6d66b6
This commit is contained in:
parent
67273af6d7
commit
7d540c988b
@ -1 +1,2 @@
|
|||||||
snapcraft [platform:dpkg]
|
snapcraft [platform:dpkg]
|
||||||
|
snapd [platform:dpkg]
|
||||||
|
@ -1,84 +1,75 @@
|
|||||||
setup:
|
setup:
|
||||||
dirs:
|
dirs:
|
||||||
- "{snap_common}/etc/nova.conf.d"
|
- "{snap_common}/etc/nova/conf.d"
|
||||||
- "{snap_common}/etc/nova"
|
- "{snap_common}/etc/neutron/conf.d"
|
||||||
- "{snap_common}/etc/neutron.conf.d"
|
- "{snap_common}/etc/neutron/plugins/ml2"
|
||||||
- "{snap_common}/etc/neutron"
|
- "{snap_common}/instances"
|
||||||
|
- "{snap_common}/lib"
|
||||||
- "{snap_common}/log"
|
- "{snap_common}/log"
|
||||||
- "{snap_common}/lock"
|
- "{snap_common}/lock"
|
||||||
- "{snap_common}/run"
|
- "{snap_common}/run"
|
||||||
- "{snap_common}/instances"
|
|
||||||
templates:
|
templates:
|
||||||
"nova-snap.conf.j2": "{snap_common}/etc/nova.conf.d/nova-snap.conf"
|
nova-snap.conf.j2: "{snap_common}/etc/nova/conf.d/nova-snap.conf"
|
||||||
"neutron-snap.conf.j2": "{snap_common}/etc/neutron.conf.d/neutron-snap.conf"
|
neutron-snap.conf.j2: "{snap_common}/etc/neutron/conf.d/neutron-snap.conf"
|
||||||
|
copyfiles:
|
||||||
|
"{snap}/etc/nova": "{snap_common}/etc/nova"
|
||||||
|
"{snap}/etc/neutron": "{snap_common}/etc/neutron"
|
||||||
entry_points:
|
entry_points:
|
||||||
nova-compute:
|
nova-compute:
|
||||||
binary: nova-compute
|
binary: nova-compute
|
||||||
config-files:
|
config-files:
|
||||||
- "{snap}/etc/nova/nova.conf"
|
|
||||||
- "{snap_common}/etc/nova/nova.conf"
|
- "{snap_common}/etc/nova/nova.conf"
|
||||||
config-dirs:
|
config-dirs:
|
||||||
- "{snap_common}/etc/nova.conf.d"
|
- "{snap_common}/etc/nova/conf.d"
|
||||||
log-file: "{snap_common}/log/nova-compute.log"
|
log-file: "{snap_common}/log/nova-compute.log"
|
||||||
nova-api-metadata:
|
nova-api-metadata:
|
||||||
binary: nova-api-metadata
|
binary: nova-api-metadata
|
||||||
config-files:
|
config-files:
|
||||||
- "{snap}/etc/nova/nova.conf"
|
|
||||||
- "{snap_common}/etc/nova/nova.conf"
|
- "{snap_common}/etc/nova/nova.conf"
|
||||||
config-dirs:
|
config-dirs:
|
||||||
- "{snap_common}/etc/nova.conf.d"
|
- "{snap_common}/etc/nova/conf.d"
|
||||||
log-file: "{snap_common}/log/nova-api-metadata.log"
|
log-file: "{snap_common}/log/nova-api-metadata.log"
|
||||||
neutron-openvswitch-agent:
|
neutron-openvswitch-agent:
|
||||||
binary: neutron-openvswitch-agent
|
binary: neutron-openvswitch-agent
|
||||||
config-files:
|
config-files:
|
||||||
- "{snap}/etc/neutron/neutron.conf"
|
|
||||||
- "{snap}/etc/neutron/plugins/ml2/openvswitch_agent.ini"
|
|
||||||
- "{snap_common}/etc/neutron/neutron.conf"
|
- "{snap_common}/etc/neutron/neutron.conf"
|
||||||
- "{snap_common}/etc/neutron/plugins/ml2/openvswitch_agent.ini"
|
- "{snap_common}/etc/neutron/plugins/ml2/openvswitch_agent.ini"
|
||||||
config-dirs:
|
config-dirs:
|
||||||
- "{snap_common}/etc/neutron.conf.d"
|
- "{snap_common}/etc/neutron/conf.d"
|
||||||
log-file: "{snap_common}/log/neutron-openvswitch-agent.log"
|
log-file: "{snap_common}/log/neutron-openvswitch-agent.log"
|
||||||
neutron-ovs-cleanup:
|
neutron-ovs-cleanup:
|
||||||
binary: neutron-ovs-cleanup
|
binary: neutron-ovs-cleanup
|
||||||
config-files:
|
config-files:
|
||||||
- "{snap}/etc/neutron/neutron.conf"
|
|
||||||
- "{snap_common}/etc/neutron/neutron.conf"
|
- "{snap_common}/etc/neutron/neutron.conf"
|
||||||
config-dirs:
|
config-dirs:
|
||||||
- "{snap_common}/etc/neutron.conf.d"
|
- "{snap_common}/etc/neutron/conf.d"
|
||||||
neutron-netns-cleanup:
|
neutron-netns-cleanup:
|
||||||
binary: neutron-netns-cleanup
|
binary: neutron-netns-cleanup
|
||||||
config-files:
|
config-files:
|
||||||
- "{snap}/etc/neutron/neutron.conf"
|
|
||||||
- "{snap_common}/etc/neutron/neutron.conf"
|
- "{snap_common}/etc/neutron/neutron.conf"
|
||||||
config-dirs:
|
config-dirs:
|
||||||
- "{snap_common}/etc/neutron.conf.d"
|
- "{snap_common}/etc/neutron/conf.d"
|
||||||
neutron-l3-agent:
|
neutron-l3-agent:
|
||||||
binary: neutron-l3-agent
|
binary: neutron-l3-agent
|
||||||
config-files:
|
config-files:
|
||||||
- "{snap}/etc/neutron/neutron.conf"
|
|
||||||
- "{snap}/etc/neutron/l3_agent.ini"
|
|
||||||
- "{snap_common}/etc/neutron/neutron.conf"
|
- "{snap_common}/etc/neutron/neutron.conf"
|
||||||
- "{snap_common}/etc/neutron/l3_agent.ini"
|
- "{snap_common}/etc/neutron/l3_agent.ini"
|
||||||
config-dirs:
|
config-dirs:
|
||||||
- "{snap_common}/etc/neutron.conf.d"
|
- "{snap_common}/etc/neutron/conf.d"
|
||||||
log-file: "{snap_common}/log/neutron-l3-agent.log"
|
log-file: "{snap_common}/log/neutron-l3-agent.log"
|
||||||
neutron-dhcp-agent:
|
neutron-dhcp-agent:
|
||||||
binary: neutron-dhcp-agent
|
binary: neutron-dhcp-agent
|
||||||
config-files:
|
config-files:
|
||||||
- "{snap}/etc/neutron/neutron.conf"
|
|
||||||
- "{snap}/etc/neutron/dhcp_agent.ini"
|
|
||||||
- "{snap_common}/etc/neutron/neutron.conf"
|
- "{snap_common}/etc/neutron/neutron.conf"
|
||||||
- "{snap_common}/etc/neutron/dhcp_agent.ini"
|
- "{snap_common}/etc/neutron/dhcp_agent.ini"
|
||||||
config-dirs:
|
config-dirs:
|
||||||
- "{snap_common}/etc/neutron.conf.d"
|
- "{snap_common}/etc/neutron/conf.d"
|
||||||
log-file: "{snap_common}/log/neutron-dhcp-agent.log"
|
log-file: "{snap_common}/log/neutron-dhcp-agent.log"
|
||||||
neutron-metadata-agent:
|
neutron-metadata-agent:
|
||||||
binary: neutron-metadata-agent
|
binary: neutron-metadata-agent
|
||||||
config-files:
|
config-files:
|
||||||
- "{snap}/etc/neutron/neutron.conf"
|
|
||||||
- "{snap}/etc/neutron/metadata_agent.ini"
|
|
||||||
- "{snap_common}/etc/neutron/neutron.conf"
|
- "{snap_common}/etc/neutron/neutron.conf"
|
||||||
- "{snap_common}/etc/neutron/metadata_agent.ini"
|
- "{snap_common}/etc/neutron/metadata_agent.ini"
|
||||||
config-dirs:
|
config-dirs:
|
||||||
- "{snap_common}/etc/neutron.conf.d"
|
- "{snap_common}/etc/neutron/conf.d"
|
||||||
log-file: "{snap_common}/log/neutron-metadata-agent.log"
|
log-file: "{snap_common}/log/neutron-metadata-agent.log"
|
||||||
|
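Review bot: The new `copyfiles` entries that seed `{snap_common}/etc/nova` and `{snap_common}/etc/neutron` make $SNAP_COMMON the home of the live service configuration (every `config-files` entry in this section now points there), but nothing in the setup block states the ownership or mode those copies should get. Under classic confinement these are plain host files, and the nova.conf, neutron.conf and metadata_agent.ini listed here typically end up holding credentials such as the message-queue URL and the metadata proxy shared secret, so whether they are created root-only or world-readable now rests entirely on how snap-openstack performs the copy; that is worth confirming and stating. I would also document whether `copyfiles` overwrites an existing destination, because if it does, operator edits under `{snap_common}/etc` are lost on every refresh. A comment above the block such as `# copyfiles: seeds $SNAP_COMMON/etc from the packaged defaults; destinations hold secrets and must not be world-readable (confirm snap-openstack copies with a restrictive mode and does not clobber existing files)` would capture both points.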
@ -1,6 +1,6 @@
|
|||||||
[DEFAULT]
|
[DEFAULT]
|
||||||
# Set state path to writable directory
|
# Set state path to writable directory
|
||||||
state_path = {{ snap_common }}
|
state_path = {{ snap_common }}/lib
|
||||||
|
|
||||||
[oslo_concurrency]
|
[oslo_concurrency]
|
||||||
# Oslo Concurrency lock path
|
# Oslo Concurrency lock path
|
||||||
|
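Review bot: Moving `state_path` to `{{ snap_common }}/lib` silently moves everything nova derives from it: nova's `instances_path` defaults to `$state_path/instances`, so instance disks would now land in `{{ snap_common }}/lib/instances`, while the setup block elsewhere in this commit still creates `{snap_common}/instances` and presumably intends it to be used. Whichever of the two identical template hunks on this page is the nova one should pin the location explicitly, e.g. `instances_path = {{ snap_common }}/instances` under `[DEFAULT]`, with a one-line comment saying why it is set. The same check applies to any `$state_path`-relative neutron settings (dhcp lease/state directories) in the neutron template, which I cannot tell apart from here since the page shows no file names.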
@ -1,6 +1,6 @@
|
|||||||
[DEFAULT]
|
[DEFAULT]
|
||||||
# Set state path to writable directory
|
# Set state path to writable directory
|
||||||
state_path = {{ snap_common }}
|
state_path = {{ snap_common }}/lib
|
||||||
|
|
||||||
[oslo_concurrency]
|
[oslo_concurrency]
|
||||||
# Oslo Concurrency lock path
|
# Oslo Concurrency lock path
|
||||||
|
@ -15,78 +15,32 @@ description: |
|
|||||||
This snap provides the hypervisor component of an OpenStack
|
This snap provides the hypervisor component of an OpenStack
|
||||||
deployment, configured to use Libvirt/KVM + Open vSwitch
|
deployment, configured to use Libvirt/KVM + Open vSwitch
|
||||||
installed using debian packages on the hosting server.
|
installed using debian packages on the hosting server.
|
||||||
confinement: devmode
|
confinement: classic
|
||||||
grade: devel
|
grade: devel
|
||||||
|
|
||||||
apps:
|
apps:
|
||||||
nova-compute:
|
nova-compute:
|
||||||
command: snap-openstack nova-compute
|
command: snap-openstack nova-compute
|
||||||
daemon: simple
|
daemon: simple
|
||||||
plugs:
|
|
||||||
- network
|
|
||||||
- network-control
|
|
||||||
- firewall-control
|
|
||||||
- system-trace
|
|
||||||
- hardware-observe
|
|
||||||
- libvirt
|
|
||||||
- openvswitch
|
|
||||||
nova-api-metadata:
|
nova-api-metadata:
|
||||||
command: snap-openstack nova-api-metadata
|
command: snap-openstack nova-api-metadata
|
||||||
daemon: simple
|
daemon: simple
|
||||||
plugs:
|
|
||||||
- network
|
|
||||||
- network-bind
|
|
||||||
- firewall-control
|
|
||||||
neutron-openvswitch-agent:
|
neutron-openvswitch-agent:
|
||||||
command: snap-openstack neutron-openvswitch-agent
|
command: snap-openstack neutron-openvswitch-agent
|
||||||
daemon: simple
|
daemon: simple
|
||||||
plugs:
|
|
||||||
- network
|
|
||||||
- network-bind
|
|
||||||
- network-control
|
|
||||||
- firewall-control
|
|
||||||
- process-control
|
|
||||||
- system-trace
|
|
||||||
- system-observe
|
|
||||||
- openvswitch
|
|
||||||
neutron-l3-agent:
|
neutron-l3-agent:
|
||||||
command: snap-openstack neutron-l3-agent
|
command: snap-openstack neutron-l3-agent
|
||||||
daemon: simple
|
daemon: simple
|
||||||
plugs:
|
|
||||||
- network
|
|
||||||
- network-control
|
|
||||||
- firewall-control
|
|
||||||
- process-control
|
|
||||||
- system-trace
|
|
||||||
- system-observe
|
|
||||||
- openvswitch
|
|
||||||
neutron-dhcp-agent:
|
neutron-dhcp-agent:
|
||||||
command: snap-openstack neutron-dhcp-agent
|
command: snap-openstack neutron-dhcp-agent
|
||||||
daemon: simple
|
daemon: simple
|
||||||
plugs:
|
|
||||||
- network
|
|
||||||
- network-control
|
|
||||||
- process-control
|
|
||||||
- system-trace
|
|
||||||
- system-observe
|
|
||||||
- openvswitch
|
|
||||||
neutron-metadata-agent:
|
neutron-metadata-agent:
|
||||||
command: snap-openstack neutron-metadata-agent
|
command: snap-openstack neutron-metadata-agent
|
||||||
daemon: simple
|
daemon: simple
|
||||||
plugs:
|
|
||||||
- network
|
|
||||||
- network-bind
|
|
||||||
neutron-ovs-cleanup:
|
neutron-ovs-cleanup:
|
||||||
command: snap-openstack neutron-ovs-cleanup
|
command: snap-openstack neutron-ovs-cleanup
|
||||||
plugs:
|
|
||||||
- network
|
|
||||||
- network-control
|
|
||||||
- openvswitch
|
|
||||||
neutron-netns-cleanup:
|
neutron-netns-cleanup:
|
||||||
command: snap-openstack neutron-netns-cleanup
|
command: snap-openstack neutron-netns-cleanup
|
||||||
plugs:
|
|
||||||
- network
|
|
||||||
- network-control
|
|
||||||
parts:
|
parts:
|
||||||
ipset:
|
ipset:
|
||||||
source: http://ipset.netfilter.org/ipset-6.30.tar.bz2
|
source: http://ipset.netfilter.org/ipset-6.30.tar.bz2
|
||||||
@ -130,8 +84,7 @@ parts:
|
|||||||
stage: [$bin]
|
stage: [$bin]
|
||||||
snap: [$bin]
|
snap: [$bin]
|
||||||
nova:
|
nova:
|
||||||
after:
|
after: [openvswitch]
|
||||||
- openvswitch
|
|
||||||
plugin: python
|
plugin: python
|
||||||
python-version: python2
|
python-version: python2
|
||||||
source: http://tarballs.openstack.org/nova/nova-master.tar.gz
|
source: http://tarballs.openstack.org/nova/nova-master.tar.gz
|
||||||
@ -141,26 +94,21 @@ parts:
|
|||||||
- python-memcached
|
- python-memcached
|
||||||
- http://tarballs.openstack.org/neutron/neutron-master.tar.gz
|
- http://tarballs.openstack.org/neutron/neutron-master.tar.gz
|
||||||
- http://tarballs.openstack.org/nova-lxd/nova-lxd-master.tar.gz
|
- http://tarballs.openstack.org/nova-lxd/nova-lxd-master.tar.gz
|
||||||
- git+https://github.com/openstack-snaps/snap.openstack#egg=snap.openstack
|
- git+https://github.com/openstack/snap.openstack#egg=snap.openstack
|
||||||
constraints: https://raw.githubusercontent.com/openstack/requirements/master/upper-constraints.txt
|
constraints: https://raw.githubusercontent.com/openstack/requirements/master/upper-constraints.txt
|
||||||
build-packages:
|
build-packages:
|
||||||
|
- gcc
|
||||||
- libffi-dev
|
- libffi-dev
|
||||||
- libssl-dev
|
- libssl-dev
|
||||||
- libxml2-dev
|
|
||||||
- libxslt1-dev
|
|
||||||
- libvirt-dev
|
- libvirt-dev
|
||||||
- pkg-config
|
|
||||||
- gcc
|
|
||||||
stage-packages:
|
stage-packages:
|
||||||
- qemu-utils
|
- qemu-utils
|
||||||
templates:
|
templates:
|
||||||
after:
|
after: [nova]
|
||||||
- nova
|
|
||||||
plugin: dump
|
plugin: dump
|
||||||
source: snap
|
source: snap
|
||||||
config-nova:
|
config-nova:
|
||||||
after:
|
after: [nova]
|
||||||
- nova
|
|
||||||
plugin: dump
|
plugin: dump
|
||||||
source: http://tarballs.openstack.org/nova/nova-master.tar.gz
|
source: http://tarballs.openstack.org/nova/nova-master.tar.gz
|
||||||
filesets:
|
filesets:
|
||||||
@ -169,8 +117,7 @@ parts:
|
|||||||
stage: [$etc]
|
stage: [$etc]
|
||||||
snap: [$etc]
|
snap: [$etc]
|
||||||
config-neutron:
|
config-neutron:
|
||||||
after:
|
after: [nova]
|
||||||
- nova
|
|
||||||
plugin: dump
|
plugin: dump
|
||||||
source: http://tarballs.openstack.org/neutron/neutron-master.tar.gz
|
source: http://tarballs.openstack.org/neutron/neutron-master.tar.gz
|
||||||
organize:
|
organize:
|
||||||
|
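Review bot: `confinement: classic` removes the AppArmor/seccomp sandbox and the per-app `plugs` lists that previously bounded each daemon are deleted, so every service here now runs as an unconfined root daemon unless the `snap-openstack` wrapper drops privileges; nothing visible in these hunks does that, and the commit message's claim that classic "enables" dropping privileges should be backed by a comment at the `confinement:` line saying where it actually happens. That makes the build inputs the security boundary, yet they are unpinned and unverified: the changed line pulls `git+https://github.com/openstack/snap.openstack#egg=snap.openstack` from branch HEAD, and the `nova-master` / `neutron-master` / `nova-lxd-master` tarballs and `ipset-6.30.tar.bz2` are fetched over plain `http://` with no `source-checksum`. I would pin the git dependency to a commit (`git+https://github.com/openstack/snap.openstack@<commit>#egg=snap.openstack`), switch the tarball sources to `https://`, and add a `source-checksum:` to the ipset part; the master tarballs are inherently moving targets and deserve at least a comment saying so. A `# classic: no AppArmor/seccomp; daemons run as root unless snap-openstack drops privileges` comment next to `confinement: classic` would document the trade-off.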
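--- a/tox.ini
+++ b/tox.ini
@@ -6,9 +6,13 @@ skipsdist = True
 basepython = python3.5
 install_command = pip install {opts} {packages}
 passenv = HOME TERM
+whitelist_externals =
+sudo
+snapcraft
 
 [testenv:snap]
 deps = -r{toxinidir}/requirements.txt
 commands =
+sudo snap install core
 snapcraft clean
 snapcraft snap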
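Review bot: `sudo snap install core` in `[testenv:snap]` makes `tox -e snap` silently modify the host and block on a password prompt wherever passwordless sudo is not configured, with no hint in the file about why it is needed. A comment above the line, presumably along the lines of `# snapcraft needs the core snap installed to build a classic-confined snap`, would explain the prerequisite, and `sudo -n snap install core` would fail fast instead of hanging when sudo cannot run non-interactively. Whitelisting `sudo` as an external also widens what this tox env can do on a developer or CI box, so it is worth stating that this target is meant for throwaway build hosts only.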