Add init container to load apparmor profile for libvirt
Change-Id: Ie94e57725fefc8ef5584af9c1a66231c6bc2b91b
This commit is contained in:
parent
d9af8205c0
commit
e606cf9754
17
libvirt/templates/configmap-apparmor.yaml
Normal file
17
libvirt/templates/configmap-apparmor.yaml
Normal file
@ -0,0 +1,17 @@
|
|||||||
|
{{/*
|
||||||
|
Copyright 2017-2018 The Openstack-Helm Authors.
|
||||||
|
|
||||||
|
Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
you may not use this file except in compliance with the License.
|
||||||
|
You may obtain a copy of the License at
|
||||||
|
|
||||||
|
http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
|
||||||
|
Unless required by applicable law or agreed to in writing, software
|
||||||
|
distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
See the License for the specific language governing permissions and
|
||||||
|
limitations under the License.
|
||||||
|
*/}}
|
||||||
|
|
||||||
|
{{- dict "envAll" . "component" "libvirt" | include "helm-toolkit.snippets.kubernetes_apparmor_configmap" }}
|
@ -43,6 +43,7 @@ spec:
|
|||||||
labels:
|
labels:
|
||||||
{{ tuple $envAll "libvirt" "libvirt" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
|
{{ tuple $envAll "libvirt" "libvirt" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
|
||||||
annotations:
|
annotations:
|
||||||
|
{{- dict "envAll" $envAll "podName" "libvirt" "containerNames" (list "libvirt") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
|
||||||
configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
|
configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
|
||||||
configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
|
configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
|
||||||
spec:
|
spec:
|
||||||
@ -55,6 +56,7 @@ spec:
|
|||||||
dnsPolicy: ClusterFirstWithHostNet
|
dnsPolicy: ClusterFirstWithHostNet
|
||||||
initContainers:
|
initContainers:
|
||||||
{{ tuple $envAll "pod_dependency" $mounts_libvirt_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
|
{{ tuple $envAll "pod_dependency" $mounts_libvirt_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
|
||||||
|
{{ dict "envAll" $envAll | include "helm-toolkit.snippets.kubernetes_apparmor_loader_init_container" | indent 8 }}
|
||||||
{{- if .Values.conf.ceph.enabled }}
|
{{- if .Values.conf.ceph.enabled }}
|
||||||
{{- if empty .Values.conf.ceph.cinder.keyring }}
|
{{- if empty .Values.conf.ceph.cinder.keyring }}
|
||||||
- name: ceph-admin-keyring-placement
|
- name: ceph-admin-keyring-placement
|
||||||
@ -235,5 +237,6 @@ spec:
|
|||||||
- name: etc-libvirt-qemu
|
- name: etc-libvirt-qemu
|
||||||
hostPath:
|
hostPath:
|
||||||
path: /etc/libvirt/qemu
|
path: /etc/libvirt/qemu
|
||||||
|
{{ dict "envAll" $envAll "component" "libvirt" "requireSys" true | include "helm-toolkit.snippets.kubernetes_apparmor_volumes" | indent 8 }}
|
||||||
{{ if $mounts_libvirt.volumes }}{{ toYaml $mounts_libvirt.volumes | indent 8 }}{{ end }}
|
{{ if $mounts_libvirt.volumes }}{{ toYaml $mounts_libvirt.volumes | indent 8 }}{{ end }}
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
173
tools/deployment/apparmor/050-libvirt.sh
Executable file
173
tools/deployment/apparmor/050-libvirt.sh
Executable file
@ -0,0 +1,173 @@
|
|||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
# Copyright 2017 The Openstack-Helm Authors.
|
||||||
|
#
|
||||||
|
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||||
|
# not use this file except in compliance with the License. You may obtain
|
||||||
|
# a copy of the License at
|
||||||
|
#
|
||||||
|
# http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
#
|
||||||
|
# Unless required by applicable law or agreed to in writing, software
|
||||||
|
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||||
|
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||||
|
# License for the specific language governing permissions and limitations
|
||||||
|
# under the License.
|
||||||
|
set -xe
|
||||||
|
|
||||||
|
#NOTE: Lint and package chart
|
||||||
|
make libvirt
|
||||||
|
|
||||||
|
tee /tmp/libvirt.yaml <<EOF
|
||||||
|
images:
|
||||||
|
tags:
|
||||||
|
apparmor_loader: google/apparmor-loader:latest
|
||||||
|
pod:
|
||||||
|
mandatory_access_control:
|
||||||
|
type: apparmor
|
||||||
|
configmap_apparmor: true
|
||||||
|
libvirt:
|
||||||
|
libvirt: localhost/my-apparmor-v1
|
||||||
|
apparmor-loader: unconfined
|
||||||
|
conf:
|
||||||
|
apparmor_profiles:
|
||||||
|
my-apparmor-v1.profile: |-
|
||||||
|
#include <tunables/global>
|
||||||
|
@{LIBVIRT}="libvirt"
|
||||||
|
profile my-apparmor-v1 flags=(attach_disconnected) {
|
||||||
|
#include <abstractions/base>
|
||||||
|
#include <abstractions/dbus>
|
||||||
|
|
||||||
|
capability kill,
|
||||||
|
capability audit_write,
|
||||||
|
capability audit_control,
|
||||||
|
capability net_admin,
|
||||||
|
capability net_raw,
|
||||||
|
capability setgid,
|
||||||
|
capability sys_admin,
|
||||||
|
capability sys_module,
|
||||||
|
capability sys_ptrace,
|
||||||
|
capability sys_pacct,
|
||||||
|
capability sys_nice,
|
||||||
|
capability sys_chroot,
|
||||||
|
capability setuid,
|
||||||
|
capability dac_override,
|
||||||
|
capability dac_read_search,
|
||||||
|
capability fowner,
|
||||||
|
capability chown,
|
||||||
|
capability setpcap,
|
||||||
|
capability mknod,
|
||||||
|
capability fsetid,
|
||||||
|
capability audit_write,
|
||||||
|
capability ipc_lock,
|
||||||
|
|
||||||
|
# Needed for vfio
|
||||||
|
capability sys_resource,
|
||||||
|
|
||||||
|
mount options=(rw,rslave) -> /,
|
||||||
|
mount options=(rw, nosuid) -> /{var/,}run/libvirt/qemu/*.dev/,
|
||||||
|
|
||||||
|
mount options=(rw, move) /dev/ -> /{var/,}run/libvirt/qemu/*.dev/,
|
||||||
|
mount options=(rw, move) /dev/hugepages/ -> /{var/,}run/libvirt/qemu/*.hugepages/,
|
||||||
|
mount options=(rw, move) /dev/mqueue/ -> /{var/,}run/libvirt/qemu/*.mqueue/,
|
||||||
|
mount options=(rw, move) /dev/pts/ -> /{var/,}run/libvirt/qemu/*.pts/,
|
||||||
|
mount options=(rw, move) /dev/shm/ -> /{var/,}run/libvirt/qemu/*.shm/,
|
||||||
|
|
||||||
|
mount options=(rw, move) /{var/,}run/libvirt/qemu/*.dev/ -> /dev/,
|
||||||
|
mount options=(rw, move) /{var/,}run/libvirt/qemu/*.hugepages/ -> /dev/hugepages/,
|
||||||
|
mount options=(rw, move) /{var/,}run/libvirt/qemu/*.mqueue/ -> /dev/mqueue/,
|
||||||
|
mount options=(rw, move) /{var/,}run/libvirt/qemu/*.pts/ -> /dev/pts/,
|
||||||
|
mount options=(rw, move) /{var/,}run/libvirt/qemu/*.shm/ -> /dev/shm/,
|
||||||
|
|
||||||
|
network inet stream,
|
||||||
|
network inet dgram,
|
||||||
|
network inet6 stream,
|
||||||
|
network inet6 dgram,
|
||||||
|
network netlink raw,
|
||||||
|
network packet dgram,
|
||||||
|
network packet raw,
|
||||||
|
|
||||||
|
# for --p2p migrations
|
||||||
|
unix (send, receive) type=stream addr=none peer=(label=unconfined addr=none),
|
||||||
|
|
||||||
|
ptrace (trace) peer=unconfined,
|
||||||
|
ptrace (trace) peer=/usr/sbin/libvirtd,
|
||||||
|
ptrace (trace) peer=/usr/sbin/dnsmasq,
|
||||||
|
ptrace (trace) peer=libvirt-*,
|
||||||
|
|
||||||
|
signal (send) peer=/usr/sbin/dnsmasq,
|
||||||
|
signal (read, send) peer=libvirt-*,
|
||||||
|
signal (send) set=("kill", "term") peer=unconfined,
|
||||||
|
|
||||||
|
# For communication/control to qemu-bridge-helper
|
||||||
|
unix (send, receive) type=stream addr=none peer=(label=/usr/sbin/libvirtd//qemu_bridge_helper),
|
||||||
|
signal (send) set=("term") peer=/usr/sbin/libvirtd//qemu_bridge_helper,
|
||||||
|
|
||||||
|
# Very lenient profile for libvirtd since we want to first focus on confining
|
||||||
|
# the guests. Guests will have a very restricted profile.
|
||||||
|
/ r,
|
||||||
|
/** rwmkl,
|
||||||
|
|
||||||
|
/bin/* PUx,
|
||||||
|
/sbin/* PUx,
|
||||||
|
/usr/bin/* PUx,
|
||||||
|
/usr/sbin/virtlogd pix,
|
||||||
|
/usr/sbin/* PUx,
|
||||||
|
/{usr/,}lib/udev/scsi_id PUx,
|
||||||
|
/usr/{lib,lib64}/xen-common/bin/xen-toolstack PUx,
|
||||||
|
/usr/{lib,lib64}/xen/bin/* Ux,
|
||||||
|
/usr/lib/xen-*/bin/libxl-save-helper PUx,
|
||||||
|
|
||||||
|
# Required by nwfilter_ebiptables_driver.c:ebiptablesWriteToTempFile() to
|
||||||
|
# read and run an ebtables script.
|
||||||
|
/var/lib/libvirt/virtd* ixr,
|
||||||
|
|
||||||
|
# force the use of virt-aa-helper
|
||||||
|
audit deny /{usr/,}sbin/apparmor_parser rwxl,
|
||||||
|
audit deny /etc/apparmor.d/libvirt/** wxl,
|
||||||
|
audit deny /sys/kernel/security/apparmor/features rwxl,
|
||||||
|
audit deny /sys/kernel/security/apparmor/matching rwxl,
|
||||||
|
audit deny /sys/kernel/security/apparmor/.* rwxl,
|
||||||
|
/sys/kernel/security/apparmor/profiles r,
|
||||||
|
/usr/{lib,lib64}/libvirt/* PUxr,
|
||||||
|
/usr/{lib,lib64}/libvirt/libvirt_parthelper ix,
|
||||||
|
/usr/{lib,lib64}/libvirt/libvirt_iohelper ix,
|
||||||
|
/etc/libvirt/hooks/** rmix,
|
||||||
|
/etc/xen/scripts/** rmix,
|
||||||
|
|
||||||
|
# allow changing to our UUID-based named profiles
|
||||||
|
change_profile -> @{LIBVIRT}-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*,
|
||||||
|
|
||||||
|
/usr/{lib,lib64,lib/qemu,libexec}/qemu-bridge-helper Cx -> qemu_bridge_helper,
|
||||||
|
# child profile for bridge helper process
|
||||||
|
profile qemu_bridge_helper {
|
||||||
|
#include <abstractions/base>
|
||||||
|
|
||||||
|
capability setuid,
|
||||||
|
capability setgid,
|
||||||
|
capability setpcap,
|
||||||
|
capability net_admin,
|
||||||
|
|
||||||
|
network inet stream,
|
||||||
|
|
||||||
|
# For communication/control from libvirtd
|
||||||
|
unix (send, receive) type=stream addr=none peer=(label=/usr/sbin/libvirtd),
|
||||||
|
signal (receive) set=("term") peer=/usr/sbin/libvirtd,
|
||||||
|
|
||||||
|
/dev/net/tun rw,
|
||||||
|
/etc/qemu/** r,
|
||||||
|
owner @{PROC}/*/status r,
|
||||||
|
|
||||||
|
/usr/{lib,lib64,lib/qemu,libexec}/qemu-bridge-helper rmix,
|
||||||
|
}
|
||||||
|
}
|
||||||
|
EOF
|
||||||
|
|
||||||
|
#NOTE: Deploy command
|
||||||
|
helm upgrade --install libvirt ./libvirt \
|
||||||
|
--namespace=openstack \
|
||||||
|
--values=/tmp/libvirt.yaml \
|
||||||
|
--set network.backend="null"
|
||||||
|
|
||||||
|
#NOTE: Validate Deployment info
|
||||||
|
helm status libvirt
|
@ -209,6 +209,21 @@
|
|||||||
- ./tools/deployment/apparmor/005-deploy-k8s.sh
|
- ./tools/deployment/apparmor/005-deploy-k8s.sh
|
||||||
- ./tools/deployment/apparmor/040-memcached.sh
|
- ./tools/deployment/apparmor/040-memcached.sh
|
||||||
|
|
||||||
|
- job:
|
||||||
|
name: openstack-helm-infra-apparmor-libvirt
|
||||||
|
parent: openstack-helm-infra-functional
|
||||||
|
timeout: 7200
|
||||||
|
pre-run: playbooks/osh-infra-upgrade-host.yaml
|
||||||
|
run: playbooks/osh-infra-gate-runner.yaml
|
||||||
|
post-run: playbooks/osh-infra-collect-logs.yaml
|
||||||
|
nodeset: openstack-helm-single-node
|
||||||
|
vars:
|
||||||
|
gate_scripts:
|
||||||
|
- ./tools/deployment/apparmor/000-install-packages.sh
|
||||||
|
- ./tools/deployment/apparmor/001-setup-apparmor-profiles.sh
|
||||||
|
- ./tools/deployment/apparmor/005-deploy-k8s.sh
|
||||||
|
- ./tools/deployment/apparmor/050-libvirt.sh
|
||||||
|
|
||||||
- job:
|
- job:
|
||||||
name: openstack-helm-infra-openstack-support
|
name: openstack-helm-infra-openstack-support
|
||||||
parent: openstack-helm-infra-functional
|
parent: openstack-helm-infra-functional
|
||||||
|
@ -32,6 +32,8 @@
|
|||||||
- openstack-helm-infra-aio-podsecuritypolicy
|
- openstack-helm-infra-aio-podsecuritypolicy
|
||||||
- openstack-helm-infra-apparmor:
|
- openstack-helm-infra-apparmor:
|
||||||
voting: false
|
voting: false
|
||||||
|
- openstack-helm-infra-apparmor-libvirt:
|
||||||
|
voting: false
|
||||||
gate:
|
gate:
|
||||||
jobs:
|
jobs:
|
||||||
- openstack-helm-lint
|
- openstack-helm-lint
|
||||||
|
Loading…
Reference in New Issue
Block a user