This helps us not break when transitioning to using the new version of
snapstack, with the config files for each snap in the individual
steps, rather than in a config step.
Change-Id: Ib5aaae0baca80d396d7517a597e7d897de8075e5
This is part of a transition to storing the config files in the snap,
rather than in snapstack.
Also updated .gitignore to ignore emacs temp files and snapcraft
cruft.
Change-Id: Ic08196c14649ed27178453335935acc7ea990455
Tweaked tox.ini to invoke snapstack, and added test_snapstack.py to
tests dir.
Also added nova-hypervisor.sh to nova-hypervisor/tests, as part of the
plan to move those scripts from snap-test to the individual snaps.
Change-Id: I2e0363d361893a899b6cd4e4683e6d14bac1a0ed
The current snaps now have well-known aliases defined at install time
for commands [1]. This means we can drop the manual alias definition
from snapcraft.yaml and the instructions for setting it up.
When building/installing locally users can still create the aliases
with 'snap alias'.
[1] https://forum.snapcraft.io/t/auto-aliases-for-openstack-base-snaps/1146/6
Change-Id: I2eef1705d5e1c01e4f8b76ebdbbaf64374df7272
Building conntrack from source is failing on ppc64 due to:
"build-aux/config.guess: unable to guess system type". We want to
move as many of the commands to stage-packages as possible to get
the benefit of security team support, so let's move conntrack to
stage-packages as a start.
Change-Id: Icb66d012ca516e55a295da05be59c680879c865e
It appears we don't need to use the account-control and
kernel-module-control interfaces.
* account-control: This is no longer needed, possibly because we've patched
the offending call via patches/drop-use-of-fchownat.patch.
* kernel-module-control: While we get a denial for sys_module, it doesn't
appear to be adversely affecting anything while testing. For more details,
see [1].
[1] https://forum.snapcraft.io/t/auto-connecting-the-nova-hypervisor-interfaces/1145/10
Change-Id: Ifa666d6070dbb746dcf6fa18cad1789ff237f38e
Drop use of setuid and fchownat as they're not covered by any current
plugs and the code isn't required because in strict mode everything runs
as root.
Change-Id: Ic4f0dd6029c869595e35adc343d55e35d50e0d33
* Drop uuid-runtime from openvswitch stage-packages as it doesn't appear to
be required. On a related note, the snap currently requires the openvswitch
Debian package to be installed, which has a dependency on uuid-runtime.
* Add coreutils stage-package to nova part to enable use of /bin/chmod.
Change-Id: If673f37b78e681af79e1de48c4542cc37e2f14ea
* Add account-control plug: This is required to enable chmod calls.
* Add kernel-module-control plug: This is required to enable the sys_module
capability.
* Drop system-trace plug: This was raised during the review for auto-connecting
interfaces for the nova-hypervisor snap [1]. The system-trace plug gives
privileged access to all processes on the system, so ideally we don't want to
connect it. I haven't hit any issues when testing without it.
[1] forum.snapcraft.io/t/auto-connecting-the-nova-hypervisor-interfaces/1145
Change-Id: I9de1b0fff4e98df48a60202af53057f8edf662ba
The launchpad build was failing with the following:
cp: not writing through dangling symlink
'/build/nova-hypervisor/parts/iptables/install/bin/iptables-xml'
Update the cp command to remove existing destination file before
attempting to open it.
Change-Id: I50e6a1e7a1d5a558e502d5613a188f24392554e8
The snap store upload was failing with "package contains external
symlinks: bin/iptables-xml". This is because $SNAP/bin/iptables-xml
was symlinked to /sbin/xtables-multi.
Configflags such as --binddir and --sbindir, among others, don't appear
to help. As a result, just manually copy $SNAP/sbin/xtables-multi to
$SNAP/bin/iptables-xml in the install scriptlet.
Change-Id: I85a2584add41d3e8bad84a4af3914333a05371f7
The following are included in the switch to strict confinement:
* Set snapcraft.yaml confinement to strict and restore/update plugs
* Drop building of python as it's not required for strict snaps
* Switch back to running apps under root
* Build bridge-utils, iptables, iproute2, and libxml2 into snap
Change-Id: I58bc68a946b832ddba5630abf9f2fd5174afed65
Enable the ability for default config files to be overridden.
Also refresh the README while documenting how default config files can
be overridden.
Change-Id: I809c98090e68a2ecddf56971da10f13e3eb6000c
Classic python snaps require python to be compiled from source.
Additionally, this change adds environment variables required for
command execution. We'll do this until the environment dictionary
is fully supported by snapd, at which point we can use it instead.
Finally, use a fixed python path in order to get the correct
site-specific config.
These changes were recommended in the following bug:
https://bugs.launchpad.net/snapcraft/+bug/1675479
Change-Id: I09f552c330b5651105c547842b61b3ae737d61ce
This is a work-around for https://bugs.launchpad.net/bugs/1675479,
where namespace packages aren't installed correctly.
Change-Id: I0147c6f3c6b97ba0c67c383e04cebb9b4928961f
Classic confinement drops apparmor/seccomp sandboxing and enables
dropping privileges to a regular user when running services.
We will continue to store all of the snap's files in $SNAP* directories
and $SNAP_COMMON is used as the root directory where setup dirs,
templates, and copyfiles are installed.
Change-Id: I3d8d2160a2fd6fadae65491fcd4e479b7a6d66b6
OpenDev Sysadmins