Fixes the Apparmor gate for libvirt and memcached

This updates the apparmor job to only use the docker default profile for memcached, as the custom apparmor profiles used didnt allow for a successful deployment. This also updates the libvirt overrides, as the current change to use daemonset-overrides required updating the container name. Co-authored-by: wilkers.steve@gmail.com Co-authored-by: ld366r@att.com Change-Id: I00cb4c62a38e0e1178e45b4e34c946b3b53da6d5
2019-04-04 16:32:55 +00:00 · 2019-04-04 16:32:55 +00:00 · 3aa89c55f3
commit 3aa89c55f3
parent aae64213c9
2 changed files with 8 additions and 62 deletions
--- a/tools/deployment/apparmor/040-memcached.sh
+++ b/tools/deployment/apparmor/040-memcached.sh
@ -28,65 +28,8 @@ images:
 pod:
  mandatory_access_control:
    type: apparmor
-    configmap_apparmor: true
    memcached:
-      memcached: localhost/my-apparmor-v1
-      apparmor-loader: unconfined
-conf:
-  apparmor_profiles:
-    my-apparmor-v1.profile: |-
-      #include <tunables/global>
-      profile my-apparmor-v1 flags=(attach_disconnected,mediate_deleted) {
-        #include <abstractions/base>
-        network inet tcp,
-        network inet udp,
-        network inet icmp,
-        deny network raw,
-        deny network packet,
-        file,
-        umount,
-        deny /bin/** wl,
-        deny /boot/** wl,
-        deny /dev/** wl,
-        deny /etc/** wl,
-        deny /home/** wl,
-        deny /lib/** wl,
-        deny /lib64/** wl,
-        deny /media/** wl,
-        deny /mnt/** wl,
-        deny /opt/** wl,
-        deny /proc/** wl,
-        deny /root/** wl,
-        deny /sbin/** wl,
-        deny /srv/** wl,
-        deny /tmp/** wl,
-        deny /sys/** wl,
-        deny /usr/** wl,
-        audit /** w,
-        /var/run/nginx.pid w,
-        /usr/sbin/nginx ix,
-        deny /bin/dash mrwklx,
-        deny /bin/sh mrwklx,
-        deny /usr/bin/top mrwklx,
-        capability chown,
-        capability dac_override,
-        capability setuid,
-        capability setgid,
-        capability net_bind_service,
-        deny @{PROC}/{*,**^[0-9*],sys/kernel/shm*} wkx,
-        deny @{PROC}/sysrq-trigger rwklx,
-        deny @{PROC}/mem rwklx,
-        deny @{PROC}/kmem rwklx,
-        deny @{PROC}/kcore rwklx,
-        deny mount,
-        deny /sys/[^f]*/** wklx,
-        deny /sys/f[^s]*/** wklx,
-        deny /sys/fs/[^c]*/** wklx,
-        deny /sys/fs/c[^g]*/** wklx,
-        deny /sys/fs/cg[^r]*/** wklx,
-        deny /sys/firmware/efi/efivars/** rwklx,
-        deny /sys/kernel/security/** rwklx,
-      }
+      memcached: localhost/docker-default
 EOF

 # NOTE: Deploy command
@ -110,7 +53,7 @@ helm status memcached
 pod=$(kubectl -n $namespace get pod | grep memcached | awk '{print $1}')
 unsorted_process_file="/tmp/unsorted_proc_list"
 sorted_process_file="/tmp/proc_list"
-expected_profile="my-apparmor-v1 (enforce)"
+expected_profile="docker-default (enforce)"

 # Grab the processes (numbered directories) from the /proc directory,
 # and then sort them. Highest proc number indicates most recent process.
--- a/tools/deployment/apparmor/050-libvirt.sh
+++ b/tools/deployment/apparmor/050-libvirt.sh
@ -26,8 +26,8 @@ pod:
  mandatory_access_control:
    type: apparmor
    configmap_apparmor: true
-    libvirt:
-      libvirt: localhost/my-apparmor-v1
+    libvirt-libvirt-default:
+      libvirt-libvirt-default: localhost/my-apparmor-v1
      apparmor-loader: unconfined
 conf:
  apparmor_profiles:
@ -164,10 +164,13 @@ conf:
 EOF

 #NOTE: Deploy command
+
 helm upgrade --install libvirt ./libvirt \
  --namespace=openstack \
  --values=/tmp/libvirt.yaml \
  --set network.backend="null"

 #NOTE: Validate Deployment info
-helm status libvirt
+./tools/deployment/common/wait-for-pods.sh openstack
+
+helm status libvirt