90 lines
2.5 KiB
Bash
90 lines
2.5 KiB
Bash
#!/usr/bin/env bash
|
|
|
|
set -ex
|
|
|
|
VENV=${1:-"fullstack"}
|
|
|
|
# Taken from neutron_dynamic_router's gate hook
|
|
function configure_docker_test_env {
|
|
local docker_pkg
|
|
|
|
sudo bash -c 'echo "tempest ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers'
|
|
sudo apt-get update
|
|
sudo apt-get install -y docker-engine || sudo apt-get install -y docker.io
|
|
sudo service docker restart
|
|
}
|
|
|
|
# Taken from neutron_dynamic_router's gate hook
|
|
# NOTE(kakuma)
|
|
# Check apparmor to avoid the following error for docker operation.
|
|
# "oci runtime error: apparmor failed to apply profile: no such file or directory"
|
|
# This is a temporary solution. This needs to be fixed in a better way.
|
|
function check_apparmor_for_docker {
|
|
if [[ -d $APPARMOR_PROFILE_PATH ]]
|
|
then
|
|
if [[ ! -f $APPARMOR_PROFILE_PATH/docker ]]
|
|
then
|
|
cat << EOF > /tmp/docker
|
|
#include <tunables/global>
|
|
|
|
|
|
profile docker-default flags=(attach_disconnected,mediate_deleted) {
|
|
|
|
#include <abstractions/base>
|
|
|
|
|
|
network,
|
|
capability,
|
|
file,
|
|
umount,
|
|
|
|
deny @{PROC}/* w, # deny write for all files directly in /proc (not in a subdir)
|
|
# deny write to files not in /proc/<number>/** or /proc/sys/**
|
|
deny @{PROC}/{[^1-9],[^1-9][^0-9],[^1-9s][^0-9y][^0-9s],[^1-9][^0-9][^0-9][^0-9]*}/** w,
|
|
deny @{PROC}/sys/[^k]** w, # deny /proc/sys except /proc/sys/k* (effectively /proc/sys/kernel)
|
|
deny @{PROC}/sys/kernel/{?,??,[^s][^h][^m]**} w, # deny everything except shm* in /proc/sys/kernel/
|
|
deny @{PROC}/sysrq-trigger rwklx,
|
|
deny @{PROC}/mem rwklx,
|
|
deny @{PROC}/kmem rwklx,
|
|
deny @{PROC}/kcore rwklx,
|
|
|
|
deny mount,
|
|
|
|
deny /sys/[^f]*/** wklx,
|
|
deny /sys/f[^s]*/** wklx,
|
|
deny /sys/fs/[^c]*/** wklx,
|
|
deny /sys/fs/c[^g]*/** wklx,
|
|
deny /sys/fs/cg[^r]*/** wklx,
|
|
deny /sys/firmware/efi/efivars/** rwklx,
|
|
deny /sys/kernel/security/** rwklx,
|
|
|
|
|
|
# suppress ptrace denials when using 'docker ps' or using 'ps' inside a container
|
|
ptrace (trace,read) peer=docker-default,
|
|
|
|
}
|
|
EOF
|
|
chmod 0644 /tmp/docker
|
|
sudo chown root:root /tmp/docker
|
|
sudo mv /tmp/docker $APPARMOR_PROFILE_PATH/docker
|
|
sudo service apparmor restart
|
|
sudo service docker restart
|
|
fi
|
|
fi
|
|
}
|
|
|
|
if [ "$VENV" == "fullstack" ]; then
|
|
GATE_DEST=$BASE/new
|
|
DEVSTACK_PATH=$GATE_DEST/devstack
|
|
elif [ "$VENV" == "tempest" ]; then
|
|
sudo apt-get update
|
|
sudo apt-get install -y --reinstall apparmor
|
|
configure_docker_test_env
|
|
check_apparmor_for_docker
|
|
else
|
|
echo >&2 "Unknown gate-hook environment: $VENV"
|
|
exit 1
|
|
fi
|
|
|
|
$BASE/new/devstack-gate/devstack-vm-gate.sh
|