Switch back to strict confinement
The following are included in the switch to strict confinement: * Set snapcraft.yaml confinement to strict and restore/update plugs * Drop building of python as it's not required for strict snaps * Switch back to running apps under root Change-Id: I4704cac75230df5514ce42cdd6cde2b7ad9ed9b3
This commit is contained in:
Corey Bryant
parent
6ff4a7c6b4
commit
05001ec249
11
README.md
11
README.md
|
|
@ -7,7 +7,7 @@ service, Glance.
|
|||
|
||||
The glance snap can be installed directly from the snap store:
|
||||
|
||||
sudo snap install --edge --classic glance
|
||||
sudo snap install --edge glance
|
||||
|
||||
The glance snap is working towards publication across tracks for
|
||||
OpenStack releases. The edge channel for each track will contain the tip
|
||||
|
|
@ -17,8 +17,8 @@ will be published progressively to beta, then candidate, and then stable once
|
|||
CI validation completes for the channel. This should result in an experience
|
||||
such as:
|
||||
|
||||
sudo snap install --classic --channel=ocata/stable glance
|
||||
sudo snap install --classic --channel=pike/edge glance
|
||||
sudo snap install --channel=ocata/stable glance
|
||||
sudo snap install --channel=pike/edge glance
|
||||
|
||||
## Configuring glance
|
||||
|
||||
|
|
@ -64,11 +64,6 @@ The services for the glance snap will log to its $SNAP_COMMON writable area:
|
|||
|
||||
## Managing glance
|
||||
|
||||
The glance snap will drop privileges to run daemons and commands under
|
||||
a regular user named snap-glance. Additionally, permissions and ownership
|
||||
of files and directories in /var/snap/glance/common/ are modified to
|
||||
restrict access from other users.
|
||||
|
||||
The glance snap has alias support that enables use of the well-known
|
||||
glance-manage command. To enable the alias, run the following prior to
|
||||
using the command:
|
||||
|
|
|
|||
|
|
@ -1,20 +1,11 @@
|
|||
setup:
|
||||
users:
|
||||
snap-glance: [snap-glance]
|
||||
default-owner: "root:snap-glance"
|
||||
dirs:
|
||||
- "{snap_common}/etc"
|
||||
- "{snap_common}/etc/glance/glance.conf.d"
|
||||
- "{snap_common}/lib"
|
||||
- "{snap_common}/lib/images"
|
||||
- "{snap_common}/lock"
|
||||
- "{snap_common}/log"
|
||||
templates:
|
||||
glance-snap.conf.j2: "{snap_common}/etc/glance/glance.conf.d/glance-snap.conf"
|
||||
rchown:
|
||||
"{snap_common}/lib": "snap-glance:snap-glance"
|
||||
"{snap_common}/lock": "snap-glance:snap-glance"
|
||||
"{snap_common}/log": "snap-glance:snap-glance"
|
||||
entry_points:
|
||||
glance-manage:
|
||||
binary: "{snap}/bin/glance-manage"
|
||||
|
|
@ -24,8 +15,6 @@ entry_points:
|
|||
- "{snap_common}/etc/glance/glance-manage.conf"
|
||||
config-dirs:
|
||||
- "{snap_common}/etc/glance/glance.conf.d"
|
||||
run-as:
|
||||
snap-glance: [snap-glance]
|
||||
glance-registry:
|
||||
binary: "{snap}/bin/glance-registry"
|
||||
config-files:
|
||||
|
|
@ -35,8 +24,6 @@ entry_points:
|
|||
config-dirs:
|
||||
- "{snap_common}/etc/glance/glance.conf.d"
|
||||
log-file: "{snap_common}/log/glance-registry.log"
|
||||
run-as:
|
||||
snap-glance: [snap-glance]
|
||||
glance-api:
|
||||
binary: "{snap}/bin/glance-api"
|
||||
config-files:
|
||||
|
|
@ -46,5 +33,3 @@ entry_points:
|
|||
config-dirs:
|
||||
- "{snap_common}/etc/glance/glance.conf.d"
|
||||
log-file: "{snap_common}/log/glance-api.log"
|
||||
run-as:
|
||||
snap-glance: [snap-glance]
|
||||
|
|
|
|||
|
|
@ -6,30 +6,30 @@ description: |
|
|||
to store, browse, share, distribute and manage bootable disk images,
|
||||
other data closely associated with initializing compute resources,
|
||||
and metadata definitions.
|
||||
confinement: classic
|
||||
confinement: strict
|
||||
grade: devel
|
||||
|
||||
apps:
|
||||
api:
|
||||
command: >
|
||||
env PYTHONPATH=$PYTHONPATH:$SNAP/lib/python2.7/site-packages
|
||||
$SNAP/usr/bin/python2 $SNAP/bin/snap-openstack glance-api
|
||||
command: snap-openstack glance-api
|
||||
daemon: simple
|
||||
plugs:
|
||||
- network-bind
|
||||
registry:
|
||||
command: >
|
||||
env PYTHONPATH=$PYTHONPATH:$SNAP/lib/python2.7/site-packages
|
||||
$SNAP/usr/bin/python2 $SNAP/bin/snap-openstack glance-registry
|
||||
command: snap-openstack glance-registry
|
||||
daemon: simple
|
||||
plugs:
|
||||
- network
|
||||
- network-bind
|
||||
manage:
|
||||
command: >
|
||||
env PYTHONPATH=$PYTHONPATH:$SNAP/lib/python2.7/site-packages
|
||||
$SNAP/usr/bin/python2 $SNAP/bin/snap-openstack glance-manage
|
||||
command: snap-openstack glance-manage
|
||||
aliases:
|
||||
- glance-manage
|
||||
plugs:
|
||||
- network
|
||||
|
||||
parts:
|
||||
glance:
|
||||
after: [python]
|
||||
plugin: python
|
||||
python-version: python2
|
||||
source: http://tarballs.openstack.org/glance/glance-stable-ocata.tar.gz
|
||||
|
|
@ -50,11 +50,6 @@ parts:
|
|||
- libssl-dev
|
||||
- libxml2-dev
|
||||
- libxslt1-dev
|
||||
stage:
|
||||
- -usr/bin/2to3
|
||||
- -usr/bin/pydoc
|
||||
- -usr/bin/python2.7
|
||||
- -usr/lib/python2.7
|
||||
install: |
|
||||
touch $SNAPCRAFT_PART_INSTALL/lib/python2.7/site-packages/paste/__init__.py
|
||||
touch $SNAPCRAFT_PART_INSTALL/lib/python2.7/site-packages/repoze/__init__.py
|
||||
|
|
@ -65,7 +60,6 @@ parts:
|
|||
after: [glance]
|
||||
plugin: dump
|
||||
source: snap
|
||||
# TODO: replace below with scriplets once implemented in snapcraft
|
||||
config:
|
||||
after: [glance]
|
||||
plugin: dump
|
||||
|
|
@ -81,16 +75,3 @@ parts:
|
|||
- etc/glance/*.json
|
||||
stage: [$etc]
|
||||
prime: [$etc]
|
||||
python:
|
||||
source: https://www.python.org/ftp/python/2.7.13/Python-2.7.13.tar.xz
|
||||
plugin: autotools
|
||||
configflags:
|
||||
- --prefix=/usr
|
||||
- --enable-shared
|
||||
- --enable-unicode=ucs4
|
||||
build-packages:
|
||||
- libssl-dev
|
||||
prime:
|
||||
- -usr/include
|
||||
install:
|
||||
$SNAPCRAFT_PART_INSTALL/usr/bin/python2 -m ensurepip
|
||||
|
|
|
|||
Loading…
Reference in New Issue