From e606cf9754da29a9780a3b70d5d70bc336936879 Mon Sep 17 00:00:00 2001
From: Luna Das
Date: Wed, 6 Mar 2019 21:17:46 +0530
Subject: [PATCH] Add init container to load apparmor profile for libvirt
Change-Id: Ie94e57725fefc8ef5584af9c1a66231c6bc2b91b
---
 libvirt/templates/configmap-apparmor.yaml | 17 +++
 libvirt/templates/daemonset-libvirt.yaml | 3 +
 tools/deployment/apparmor/050-libvirt.sh | 173 ++++++++++++++++++++++
 zuul.d/jobs.yaml | 15 ++
 zuul.d/project.yaml | 2 +
 5 files changed, 210 insertions(+)
 create mode 100644 libvirt/templates/configmap-apparmor.yaml
 create mode 100755 tools/deployment/apparmor/050-libvirt.sh
diff --git a/libvirt/templates/configmap-apparmor.yaml b/libvirt/templates/configmap-apparmor.yaml
new file mode 100644
index 000000000..1a8aefc84
--- /dev/null
+++ b/libvirt/templates/configmap-apparmor.yaml
@@ -0,0 +1,17 @@
+{{/*
+Copyright 2017-2018 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- dict "envAll" . "component" "libvirt" | include "helm-toolkit.snippets.kubernetes_apparmor_configmap" }}
diff --git a/libvirt/templates/daemonset-libvirt.yaml b/libvirt/templates/daemonset-libvirt.yaml
index 74e6091d2..117f0ce3a 100644
--- a/libvirt/templates/daemonset-libvirt.yaml
+++ b/libvirt/templates/daemonset-libvirt.yaml
@@ -43,6 +43,7 @@ spec:
 labels:
 {{ tuple $envAll "libvirt" "libvirt" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
 annotations:
+{{- dict "envAll" $envAll "podName" "libvirt" "containerNames" (list "libvirt") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
 configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
 configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
 spec:
@@ -55,6 +56,7 @@ spec:
 dnsPolicy: ClusterFirstWithHostNet
 initContainers:
 {{ tuple $envAll "pod_dependency" $mounts_libvirt_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
+{{ dict "envAll" $envAll | include "helm-toolkit.snippets.kubernetes_apparmor_loader_init_container" | indent 8 }}
 {{- if .Values.conf.ceph.enabled }}
 {{- if empty .Values.conf.ceph.cinder.keyring }}
 - name: ceph-admin-keyring-placement
@@ -235,5 +237,6 @@ spec:
 - name: etc-libvirt-qemu
 hostPath:
 path: /etc/libvirt/qemu
+{{ dict "envAll" $envAll "component" "libvirt" "requireSys" true | include "helm-toolkit.snippets.kubernetes_apparmor_volumes" | indent 8 }}
 {{ if $mounts_libvirt.volumes }}{{ toYaml $mounts_libvirt.volumes | indent 8 }}{{ end }}
 {{- end }}
diff --git a/tools/deployment/apparmor/050-libvirt.sh b/tools/deployment/apparmor/050-libvirt.sh
new file mode 100755
index 000000000..089bf9571
--- /dev/null
+++ b/tools/deployment/apparmor/050-libvirt.sh
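Review bot: The MAC annotation added in the first hunk names only the main container (`"containerNames" (list "libvirt")`), so every init container of this DaemonSet — the entrypoint dependency check, the ceph keyring placement containers, and the new apparmor loader itself — still runs unconfined; if that is deliberate, record it next to the include, e.g. `{{/* Only the libvirt container is confined; init containers, including the profile loader (which needs apparmor_parser and /sys), run unconfined. */}}`. The loader include in the second hunk receives only `envAll`, while the volumes include in the third hunk is given `"component" "libvirt"` and `"requireSys" true`; the snippet bodies are not part of this change, so confirm the loader's defaults resolve to the same component-scoped ConfigMap and /sys mount, otherwise the profile text the loader reads will not be the one the annotation points at. Worth checking against the gate's Kubernetes version too: if the kubelet validates the annotated profile at pod admission rather than at container start, a profile loaded by an init container of the same pod arrives too late, and the gate would only pass because `001-setup-apparmor-profiles.sh` presumably preloads it on the host. The enclosing `spec` template starts before and continues after these hunks.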
@@ -0,0 +1,173 @@
+#!/bin/bash
+
+# Copyright 2017 The Openstack-Helm Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+set -xe
+
+#NOTE: Lint and package chart
+make libvirt
+
+tee /tmp/libvirt.yaml <
+ @{LIBVIRT}="libvirt"
+ profile my-apparmor-v1 flags=(attach_disconnected) {
+ #include
+ #include
+
+ capability kill,
+ capability audit_write,
+ capability audit_control,
+ capability net_admin,
+ capability net_raw,
+ capability setgid,
+ capability sys_admin,
+ capability sys_module,
+ capability sys_ptrace,
+ capability sys_pacct,
+ capability sys_nice,
+ capability sys_chroot,
+ capability setuid,
+ capability dac_override,
+ capability dac_read_search,
+ capability fowner,
+ capability chown,
+ capability setpcap,
+ capability mknod,
+ capability fsetid,
+ capability audit_write,
+ capability ipc_lock,
+
+ # Needed for vfio
+ capability sys_resource,
+
+ mount options=(rw,rslave) -> /,
+ mount options=(rw, nosuid) -> /{var/,}run/libvirt/qemu/*.dev/,
+
+ mount options=(rw, move) /dev/ -> /{var/,}run/libvirt/qemu/*.dev/,
+ mount options=(rw, move) /dev/hugepages/ -> /{var/,}run/libvirt/qemu/*.hugepages/,
+ mount options=(rw, move) /dev/mqueue/ -> /{var/,}run/libvirt/qemu/*.mqueue/,
+ mount options=(rw, move) /dev/pts/ -> /{var/,}run/libvirt/qemu/*.pts/,
+ mount options=(rw, move) /dev/shm/ -> /{var/,}run/libvirt/qemu/*.shm/,
+
+ mount options=(rw, move) /{var/,}run/libvirt/qemu/*.dev/ -> /dev/,
+ mount options=(rw, move) /{var/,}run/libvirt/qemu/*.hugepages/ -> /dev/hugepages/,
+ mount options=(rw, move) /{var/,}run/libvirt/qemu/*.mqueue/ -> /dev/mqueue/,
+ mount options=(rw, move) /{var/,}run/libvirt/qemu/*.pts/ -> /dev/pts/,
+ mount options=(rw, move) /{var/,}run/libvirt/qemu/*.shm/ -> /dev/shm/,
+
+ network inet stream,
+ network inet dgram,
+ network inet6 stream,
+ network inet6 dgram,
+ network netlink raw,
+ network packet dgram,
+ network packet raw,
+
+ # for --p2p migrations
+ unix (send, receive) type=stream addr=none peer=(label=unconfined addr=none),
+
+ ptrace (trace) peer=unconfined,
+ ptrace (trace) peer=/usr/sbin/libvirtd,
+ ptrace (trace) peer=/usr/sbin/dnsmasq,
+ ptrace (trace) peer=libvirt-*,
+
+ signal (send) peer=/usr/sbin/dnsmasq,
+ signal (read, send) peer=libvirt-*,
+ signal (send) set=("kill", "term") peer=unconfined,
+
+ # For communication/control to qemu-bridge-helper
+ unix (send, receive) type=stream addr=none peer=(label=/usr/sbin/libvirtd//qemu_bridge_helper),
+ signal (send) set=("term") peer=/usr/sbin/libvirtd//qemu_bridge_helper,
+
+ # Very lenient profile for libvirtd since we want to first focus on confining
+ # the guests. Guests will have a very restricted profile.
+ / r,
+ /** rwmkl,
+
+ /bin/* PUx,
+ /sbin/* PUx,
+ /usr/bin/* PUx,
+ /usr/sbin/virtlogd pix,
+ /usr/sbin/* PUx,
+ /{usr/,}lib/udev/scsi_id PUx,
+ /usr/{lib,lib64}/xen-common/bin/xen-toolstack PUx,
+ /usr/{lib,lib64}/xen/bin/* Ux,
+ /usr/lib/xen-*/bin/libxl-save-helper PUx,
+
+ # Required by nwfilter_ebiptables_driver.c:ebiptablesWriteToTempFile() to
+ # read and run an ebtables script.
+ /var/lib/libvirt/virtd* ixr,
+
+ # force the use of virt-aa-helper
+ audit deny /{usr/,}sbin/apparmor_parser rwxl,
+ audit deny /etc/apparmor.d/libvirt/** wxl,
+ audit deny /sys/kernel/security/apparmor/features rwxl,
+ audit deny /sys/kernel/security/apparmor/matching rwxl,
+ audit deny /sys/kernel/security/apparmor/.* rwxl,
+ /sys/kernel/security/apparmor/profiles r,
+ /usr/{lib,lib64}/libvirt/* PUxr,
+ /usr/{lib,lib64}/libvirt/libvirt_parthelper ix,
+ /usr/{lib,lib64}/libvirt/libvirt_iohelper ix,
+ /etc/libvirt/hooks/** rmix,
+ /etc/xen/scripts/** rmix,
+
+ # allow changing to our UUID-based named profiles
+ change_profile -> @{LIBVIRT}-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*,
+
+ /usr/{lib,lib64,lib/qemu,libexec}/qemu-bridge-helper Cx -> qemu_bridge_helper,
+ # child profile for bridge helper process
+ profile qemu_bridge_helper {
+ #include
+
+ capability setuid,
+ capability setgid,
+ capability setpcap,
+ capability net_admin,
+
+ network inet stream,
+
+ # For communication/control from libvirtd
+ unix (send, receive) type=stream addr=none peer=(label=/usr/sbin/libvirtd),
+ signal (receive) set=("term") peer=/usr/sbin/libvirtd,
+
+ /dev/net/tun rw,
+ /etc/qemu/** r,
+ owner @{PROC}/*/status r,
+
+ /usr/{lib,lib64,lib/qemu,libexec}/qemu-bridge-helper rmix,
+ }
+ }
+EOF
+
+#NOTE: Deploy command
+helm upgrade --install libvirt ./libvirt \
+ --namespace=openstack \
+ --values=/tmp/libvirt.yaml \
+ --set network.backend="null"
+
+#NOTE: Validate Deployment info
+helm status libvirt
diff --git a/zuul.d/jobs.yaml b/zuul.d/jobs.yaml
index 75269da61..d53c28994 100644
--- a/zuul.d/jobs.yaml
+++ b/zuul.d/jobs.yaml
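Review bot: `helm status libvirt` at the end of the script proves nothing about confinement — `helm upgrade` returns before the DaemonSet pod is scheduled, and `helm status` reports the release as deployed even if the pod sits in Init because the loader failed, so the gate should wait for the pod and then read the label of the running libvirtd. A check along the lines of the fence below would turn the job into a real test of the init container; the `application=libvirt` selector assumes the chart's standard helm-toolkit labels, and PID 1 assumes the container entrypoint execs libvirtd, so adjust if it is a wrapper. The example profile itself grants `capability sys_admin`, `sys_module`, `ptrace (trace) peer=unconfined` and `/** rwmkl`, so it confines almost nothing; its own comment says as much, but a `#NOTE:` above the heredoc stating that the profile exists only to exercise the loader would keep it from being copied into production values. The `tee /tmp/libvirt.yaml <` line and the values keys that select the profile are cut off in this copy of the patch, so the annotation-to-profile mapping could not be checked here.
```shell
#NOTE: Validate Deployment info
helm status libvirt

#NOTE: Wait for the DaemonSet pod and confirm libvirtd is running under the profile
kubectl -n openstack wait --for=condition=Ready pod -l application=libvirt --timeout=600s
LIBVIRT_POD="$(kubectl -n openstack get pod -l application=libvirt -o jsonpath='{.items[0].metadata.name}')"
kubectl -n openstack exec "${LIBVIRT_POD}" -c libvirt -- cat /proc/1/attr/current | grep -q 'my-apparmor-v1 (enforce)'
```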
@@ -209,6 +209,21 @@
 - ./tools/deployment/apparmor/005-deploy-k8s.sh
 - ./tools/deployment/apparmor/040-memcached.sh
+- job:
+ name: openstack-helm-infra-apparmor-libvirt
+ parent: openstack-helm-infra-functional
+ timeout: 7200
+ pre-run: playbooks/osh-infra-upgrade-host.yaml
+ run: playbooks/osh-infra-gate-runner.yaml
+ post-run: playbooks/osh-infra-collect-logs.yaml
+ nodeset: openstack-helm-single-node
+ vars:
+ gate_scripts:
+ - ./tools/deployment/apparmor/000-install-packages.sh
+ - ./tools/deployment/apparmor/001-setup-apparmor-profiles.sh
+ - ./tools/deployment/apparmor/005-deploy-k8s.sh
+ - ./tools/deployment/apparmor/050-libvirt.sh
+
+- job:
+ name: openstack-helm-infra-openstack-support
+ parent: openstack-helm-infra-functional
diff --git a/zuul.d/project.yaml b/zuul.d/project.yaml
index 453c0cb04..ea41e3f91 100644
--- a/zuul.d/project.yaml
+++ b/zuul.d/project.yaml
@@ -32,6 +32,8 @@
 - openstack-helm-infra-aio-podsecuritypolicy
 - openstack-helm-infra-apparmor:
 voting: false
+ - openstack-helm-infra-apparmor-libvirt:
+ voting: false
 gate:
 jobs:
 - openstack-helm-lint
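Review bot: The new `openstack-helm-infra-apparmor-libvirt` job deploys no Ceph before `050-libvirt.sh`, but the libvirt DaemonSet changed in this same commit still carries its `ceph-admin-keyring-placement` init container behind `.Values.conf.ceph.enabled`; unless the chart default is false, the pod would wait in Init for a keyring secret the job never creates, and `helm status` in the deploy script would not notice because nothing waits for pods. Either add a Ceph deployment step to `gate_scripts` or have the script pass `--set conf.ceph.enabled=false`, and note the choice in the job definition. The `project.yaml` hunk wires the job in as non-voting, which is appropriate until the gate actually verifies that the loader confined the pod.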