Fixes the Apparmor gate for libvirt and memcached
This updates the apparmor job to only use the docker default profile for memcached, as the custom apparmor profiles used didnt allow for a successful deployment. This also updates the libvirt overrides, as the current change to use daemonset-overrides required updating the container name. Co-authored-by: wilkers.steve@gmail.com Co-authored-by: ld366r@att.com Change-Id: I00cb4c62a38e0e1178e45b4e34c946b3b53da6d5
This commit is contained in:
parent
aae64213c9
commit
3aa89c55f3
@ -28,65 +28,8 @@ images:
|
|||||||
pod:
|
pod:
|
||||||
mandatory_access_control:
|
mandatory_access_control:
|
||||||
type: apparmor
|
type: apparmor
|
||||||
configmap_apparmor: true
|
|
||||||
memcached:
|
memcached:
|
||||||
memcached: localhost/my-apparmor-v1
|
memcached: localhost/docker-default
|
||||||
apparmor-loader: unconfined
|
|
||||||
conf:
|
|
||||||
apparmor_profiles:
|
|
||||||
my-apparmor-v1.profile: |-
|
|
||||||
#include <tunables/global>
|
|
||||||
profile my-apparmor-v1 flags=(attach_disconnected,mediate_deleted) {
|
|
||||||
#include <abstractions/base>
|
|
||||||
network inet tcp,
|
|
||||||
network inet udp,
|
|
||||||
network inet icmp,
|
|
||||||
deny network raw,
|
|
||||||
deny network packet,
|
|
||||||
file,
|
|
||||||
umount,
|
|
||||||
deny /bin/** wl,
|
|
||||||
deny /boot/** wl,
|
|
||||||
deny /dev/** wl,
|
|
||||||
deny /etc/** wl,
|
|
||||||
deny /home/** wl,
|
|
||||||
deny /lib/** wl,
|
|
||||||
deny /lib64/** wl,
|
|
||||||
deny /media/** wl,
|
|
||||||
deny /mnt/** wl,
|
|
||||||
deny /opt/** wl,
|
|
||||||
deny /proc/** wl,
|
|
||||||
deny /root/** wl,
|
|
||||||
deny /sbin/** wl,
|
|
||||||
deny /srv/** wl,
|
|
||||||
deny /tmp/** wl,
|
|
||||||
deny /sys/** wl,
|
|
||||||
deny /usr/** wl,
|
|
||||||
audit /** w,
|
|
||||||
/var/run/nginx.pid w,
|
|
||||||
/usr/sbin/nginx ix,
|
|
||||||
deny /bin/dash mrwklx,
|
|
||||||
deny /bin/sh mrwklx,
|
|
||||||
deny /usr/bin/top mrwklx,
|
|
||||||
capability chown,
|
|
||||||
capability dac_override,
|
|
||||||
capability setuid,
|
|
||||||
capability setgid,
|
|
||||||
capability net_bind_service,
|
|
||||||
deny @{PROC}/{*,**^[0-9*],sys/kernel/shm*} wkx,
|
|
||||||
deny @{PROC}/sysrq-trigger rwklx,
|
|
||||||
deny @{PROC}/mem rwklx,
|
|
||||||
deny @{PROC}/kmem rwklx,
|
|
||||||
deny @{PROC}/kcore rwklx,
|
|
||||||
deny mount,
|
|
||||||
deny /sys/[^f]*/** wklx,
|
|
||||||
deny /sys/f[^s]*/** wklx,
|
|
||||||
deny /sys/fs/[^c]*/** wklx,
|
|
||||||
deny /sys/fs/c[^g]*/** wklx,
|
|
||||||
deny /sys/fs/cg[^r]*/** wklx,
|
|
||||||
deny /sys/firmware/efi/efivars/** rwklx,
|
|
||||||
deny /sys/kernel/security/** rwklx,
|
|
||||||
}
|
|
||||||
EOF
|
EOF
|
||||||
|
|
||||||
# NOTE: Deploy command
|
# NOTE: Deploy command
|
||||||
@ -110,7 +53,7 @@ helm status memcached
|
|||||||
pod=$(kubectl -n $namespace get pod | grep memcached | awk '{print $1}')
|
pod=$(kubectl -n $namespace get pod | grep memcached | awk '{print $1}')
|
||||||
unsorted_process_file="/tmp/unsorted_proc_list"
|
unsorted_process_file="/tmp/unsorted_proc_list"
|
||||||
sorted_process_file="/tmp/proc_list"
|
sorted_process_file="/tmp/proc_list"
|
||||||
expected_profile="my-apparmor-v1 (enforce)"
|
expected_profile="docker-default (enforce)"
|
||||||
|
|
||||||
# Grab the processes (numbered directories) from the /proc directory,
|
# Grab the processes (numbered directories) from the /proc directory,
|
||||||
# and then sort them. Highest proc number indicates most recent process.
|
# and then sort them. Highest proc number indicates most recent process.
|
||||||
|
@ -26,8 +26,8 @@ pod:
|
|||||||
mandatory_access_control:
|
mandatory_access_control:
|
||||||
type: apparmor
|
type: apparmor
|
||||||
configmap_apparmor: true
|
configmap_apparmor: true
|
||||||
libvirt:
|
libvirt-libvirt-default:
|
||||||
libvirt: localhost/my-apparmor-v1
|
libvirt-libvirt-default: localhost/my-apparmor-v1
|
||||||
apparmor-loader: unconfined
|
apparmor-loader: unconfined
|
||||||
conf:
|
conf:
|
||||||
apparmor_profiles:
|
apparmor_profiles:
|
||||||
@ -164,10 +164,13 @@ conf:
|
|||||||
EOF
|
EOF
|
||||||
|
|
||||||
#NOTE: Deploy command
|
#NOTE: Deploy command
|
||||||
|
|
||||||
helm upgrade --install libvirt ./libvirt \
|
helm upgrade --install libvirt ./libvirt \
|
||||||
--namespace=openstack \
|
--namespace=openstack \
|
||||||
--values=/tmp/libvirt.yaml \
|
--values=/tmp/libvirt.yaml \
|
||||||
--set network.backend="null"
|
--set network.backend="null"
|
||||||
|
|
||||||
#NOTE: Validate Deployment info
|
#NOTE: Validate Deployment info
|
||||||
|
./tools/deployment/common/wait-for-pods.sh openstack
|
||||||
|
|
||||||
helm status libvirt
|
helm status libvirt
|
Loading…
Reference in New Issue
Block a user