From da4138e3f5a5bc8bb9d2e7a7c7e7625f3d92ad76 Mon Sep 17 00:00:00 2001
From: Corey Bryant
Date: Tue, 20 Jun 2017 18:00:44 +0000
Subject: [PATCH] Switch back to strict confinement

The following are included in the switch to strict confinement:
* Set snapcraft.yaml confinement to strict and restore/update plugs
* Drop building of python as it's not required for strict snaps
* Switch back to running apps under root
* Patch setgroups from ngnix since it's not covered by a plug
* Build libxml into snap

Change-Id: Ibd2e3c625ceb92cb4b6dd9f0c9a9012baf7c53a5
---
 README.md | 11 ++---
 patches/drop-nginx-setgroups.patch | 57 +++++++++++++++++++++++
 snap/snap-openstack.yaml | 24 ----------
 snap/templates/nginx.conf.j2 | 2 +-
 snapcraft.yaml | 75 ++++++++++++++---------------
 5 files changed, 95 insertions(+), 74 deletions(-)
 create mode 100644 patches/drop-nginx-setgroups.patch

diff --git a/README.md b/README.md
index b3139da..11ca21f 100644
--- a/README.md
+++ b/README.md
@@ -10,7 +10,7 @@ snap based OpenStack deployment. The nova snap can be installed directly from the snap store:
- sudo snap install --edge --classic nova
+ sudo snap install --edge nova
 The nova snap is working towards publication across tracks for OpenStack releases. The edge channel for each track will contain the tip
@@ -20,8 +20,8 @@ will be published progressively to beta, then candidate, and then stable once CI validation completes for the channel. This should result in an experience such as:
- sudo snap install --classic --channel=ocata/stable nova
- sudo snap install --classic --channel=pike/edge nova
+ sudo snap install --channel=ocata/stable nova
+ sudo snap install --channel=pike/edge nova
 ## Configuring nova
@@ -93,11 +93,6 @@ The services for the nova snap will log to its $SNAP_COMMON writable area:
 ## Managing nova
-The nova snap will drop privileges to run daemons and commands under
-a regular user named snap-nova. Additionally, permissions and ownership
-of files and directories in /var/snap/nova/common/ are modified to
-restrict access from other users.
-
 The nova snap has alias support that enables use of the well-known nova-manage command. To enable the alias, run the following prior to using the command:
diff --git a/patches/drop-nginx-setgroups.patch b/patches/drop-nginx-setgroups.patch
new file mode 100644
index 0000000..1a541e4
--- /dev/null
+++ b/patches/drop-nginx-setgroups.patch
@@ -0,0 +1,57 @@
+Description: Drop code where nginx drops privileges for worker
+ processes. While setuid is covered by the browser-support plug,
+ setgroups isn't covered by any plugs. This code isn't required
+ because in strict mode we run worker processes as root:root.
+ The seccomp violation follows:
+ = Seccomp =
+ Time: Jun 16 01:13:15
+ Log: auid=4294967295 uid=0 gid=0 ses=4294967295 pid=6087 comm="nginx"
+ exe="/snap/nova/x1/usr/sbin/nginx" sig=31 arch=c000003e
+ 116(setgroups) compat=0 ip=0x7f40e288af09 code=0x0
+ Syscall: setgroups
+ Suggestion:
+ * adjust program to not use 'setgroups' until per-snap user/groups
+ are supported (https://launchpad.net/bugs/1446748)
+Author: Corey Bryant
+Forwarded: no
+
+---
+ src/os/unix/ngx_process_cycle.c | 22 ----------------------
+ 1 file changed, 22 deletions(-)
+
+diff --git a/src/os/unix/ngx_process_cycle.c b/src/os/unix/ngx_process_cycle.c
+index 1710ea8..c428673 100644
+--- a/src/os/unix/ngx_process_cycle.c
++++ b/src/os/unix/ngx_process_cycle.c
+@@ -824,28 +824,6 @@ ngx_worker_process_init(ngx_cycle_t *cycle, ngx_int_t worker)
+ }
+ }
+
+- if (geteuid() == 0) {
+- if (setgid(ccf->group) == -1) {
+- ngx_log_error(NGX_LOG_EMERG, cycle->log, ngx_errno,
+- "setgid(%d) failed", ccf->group);
+- /* fatal */
+- exit(2);
+- }
+-
+- if (initgroups(ccf->username, ccf->group) == -1) {
+- ngx_log_error(NGX_LOG_EMERG, cycle->log, ngx_errno,
+- "initgroups(%s, %d) failed",
+- ccf->username, ccf->group);
+- }
+-
+- if (setuid(ccf->user) == -1) {
+- ngx_log_error(NGX_LOG_EMERG, cycle->log, ngx_errno,
+- "setuid(%d) failed", ccf->user);
+- /* fatal */
+- exit(2);
+- }
+- }
+-
+ if (worker >= 0) {
+ cpu_affinity = ngx_get_cpu_affinity(worker);
+
+--
+2.7.4
+
diff --git a/snap/snap-openstack.yaml b/snap/snap-openstack.yaml
index ef25a76..3154221 100644
--- a/snap/snap-openstack.yaml
+++ b/snap/snap-openstack.yaml
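Review bot: The patch deletes the entire `if (geteuid() == 0) { ... }` block from ngx_worker_process_init rather than only the call that trips seccomp; the Description itself says setuid is permitted under browser-support and only setgroups is not, so the minimal change is to remove just the `if (initgroups(ccf->username, ccf->group) == -1) { ... }` statement and keep the setgid()/setuid() calls, which leaves the upstream privilege-drop path intact for when per-snap users exist (the Launchpad bug the patch cites). With `user root root;` in the template both variants behave the same today, but the wider deletion silently turns any future non-root `user` directive into a no-op. Either way the Description should state the consequence plainly — nginx workers that terminate untrusted HTTP traffic now run as uid 0 inside the snap sandbox — so this is not mistaken for a build fix. The initgroups() failure branch was already non-fatal upstream; what kills the worker is the SIGSYS in the quoted log (`sig=31`), which is presumably why deletion rather than error handling was needed and is worth saying there too.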
@@ -1,16 +1,9 @@
 setup:
- users:
- snap-nova: [snap-nova]
- default-owner: "root:snap-nova"
 dirs:
- - "{snap_common}/etc"
- - "{snap_common}/etc/nova"
 - "{snap_common}/etc/nova/nova.conf.d"
- - "{snap_common}/etc/nginx"
 - "{snap_common}/etc/nginx/sites-enabled"
 - "{snap_common}/etc/nginx/snap"
 - "{snap_common}/etc/nginx/snap/sites-enabled"
- - "{snap_common}/etc/uwsgi"
 - "{snap_common}/etc/uwsgi/snap"
 - "{snap_common}/lib"
 - "{snap_common}/lock"
@@ -20,11 +13,6 @@ setup:
 nova-snap.conf.j2: "{snap_common}/etc/nova/nova.conf.d/nova-snap.conf"
 nova-nginx.conf.j2: "{snap_common}/etc/nginx/snap/sites-enabled/nova.conf"
 nginx.conf.j2: "{snap_common}/etc/nginx/snap/nginx.conf"
- rchown:
- "{snap_common}/lib": "snap-nova:snap-nova"
- "{snap_common}/lock": "snap-nova:snap-nova"
- "{snap_common}/log": "snap-nova:snap-nova"
- "{snap_common}/run": "snap-nova:snap-nova"
 entry_points:
 nova-api-os-compute:
 binary: "{snap}/bin/nova-api-os-compute"
@@ -35,8 +23,6 @@ entry_points:
 config-dirs:
 - "{snap_common}/etc/nova/nova.conf.d"
 log-file: "{snap_common}/log/nova-api-os-compute.log"
- run-as:
- snap-nova: [snap-nova]
 nova-uwsgi:
 type: uwsgi
 uwsgi-dir: "{snap_common}/etc/uwsgi/snap"
@@ -52,8 +38,6 @@ entry_points:
 templates:
 nova-placement-api.ini.j2: "{snap_common}/etc/uwsgi/snap/nova-placement-api.ini"
- run-as:
- snap-nova: [snap-nova]
 nova-nginx:
 type: nginx
 config-file: "{snap_common}/etc/nginx/snap/nginx.conf"
@@ -67,8 +51,6 @@ entry_points:
 config-dirs:
 - "{snap_common}/etc/nova/nova.conf.d"
 log-file: "{snap_common}/log/nova-conductor.log"
- run-as:
- snap-nova: [snap-nova]
 nova-scheduler:
 binary: "{snap}/bin/nova-scheduler"
 config-files:
@@ -78,8 +60,6 @@ entry_points:
 config-dirs:
 - "{snap_common}/etc/nova/nova.conf.d"
 log-file: "{snap_common}/log/nova-scheduler.log"
- run-as:
- snap-nova: [snap-nova]
 nova-consoleauth:
 binary: "{snap}/bin/nova-consoleauth"
 config-files:
@@ -89,8 +69,6 @@ entry_points:
 config-dirs:
 - "{snap_common}/etc/nova/nova.conf.d"
 log-file: "{snap_common}/log/nova-consoleauth.log"
- run-as:
- snap-nova: [snap-nova]
 nova-manage:
 binary: "{snap}/bin/nova-manage"
 config-files:
@@ -99,5 +77,3 @@ entry_points:
 - "{snap_common}/etc/nova/nova.conf"
 config-dirs:
 - "{snap_common}/etc/nova/nova.conf.d"
- run-as:
- snap-nova: [snap-nova]
diff --git a/snap/templates/nginx.conf.j2 b/snap/templates/nginx.conf.j2
index c46bc64..e982ff3 100644
--- a/snap/templates/nginx.conf.j2
+++ b/snap/templates/nginx.conf.j2
@@ -1,4 +1,4 @@
-user snap-nova snap-nova;
+user root root;
 worker_processes auto;
 pid {{ snap_common }}/run/nginx.pid;
diff --git a/snapcraft.yaml b/snapcraft.yaml
index 48db599..f615e51 100644
--- a/snapcraft.yaml
+++ b/snapcraft.yaml
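Review bot: `user root root;` is now a dead directive: the only consumer of `user` visible in this change, the setgid/initgroups/setuid block in ngx_worker_process_init, is deleted by patches/drop-nginx-setgroups.patch, so this line no longer controls what the workers run as and a later edit to an unprivileged user would silently do nothing. Put the reason next to it so the next maintainer does not "fix" it: `# Workers run as root: strict confinement has no plug for setgroups(), so the upstream privilege drop is patched out (see patches/drop-nginx-setgroups.patch); this directive is currently inert.` If a privilege drop is ever restored it needs both the upstream code back and a per-snap user (the Launchpad bug cited in the patch).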
@@ -14,52 +14,51 @@ description: | . This snap provides the Nova controller component of an OpenStack deployment.
-confinement: classic
+confinement: strict
 grade: devel
 apps:
 api:
- command: >
- env PYTHONPATH=$PYTHONPATH:$SNAP/lib/python2.7/site-packages
- $SNAP/usr/bin/python2 $SNAP/bin/snap-openstack nova-api-os-compute
+ command: snap-openstack nova-api-os-compute
 daemon: simple
+ plugs:
+ - network-bind
 uwsgi:
- command: >
- env PYTHONPATH=$PYTHONPATH:$SNAP/lib/python2.7/site-packages
- $SNAP/usr/bin/python2 $SNAP/bin/snap-openstack nova-uwsgi
+ command: snap-openstack nova-uwsgi
 daemon: simple
 environment:
 OS_PLACEMENT_CONFIG_DIR: $SNAP/etc/nova/
+ plugs:
+ - network-bind
 nginx:
- command: >
- env PYTHONPATH=$PYTHONPATH:$SNAP/lib/python2.7/site-packages
- LD_LIBRARY_PATH=$SNAP/usr/lib/x86_64-linux-gnu:$LD_LIBRARY_PATH
- $SNAP/usr/bin/python2 $SNAP/bin/snap-openstack nova-nginx
+ command: snap-openstack nova-nginx
 daemon: forking
+ plugs:
+ - browser-support
+ - network-bind
 conductor:
- command: >
- env PYTHONPATH=$PYTHONPATH:$SNAP/lib/python2.7/site-packages
- $SNAP/usr/bin/python2 $SNAP/bin/snap-openstack nova-conductor
+ command: snap-openstack nova-conductor
 daemon: simple
+ plugs:
+ - network
 scheduler:
- command: >
- env PYTHONPATH=$PYTHONPATH:$SNAP/lib/python2.7/site-packages
- $SNAP/usr/bin/python2 $SNAP/bin/snap-openstack nova-scheduler
+ command: snap-openstack nova-scheduler
 daemon: simple
+ plugs:
+ - network
 consoleauth:
- command: >
- env PYTHONPATH=$PYTHONPATH:$SNAP/lib/python2.7/site-packages
- $SNAP/usr/bin/python2 $SNAP/bin/snap-openstack nova-consoleauth
+ command: snap-openstack nova-consoleauth
 daemon: simple
+ plugs:
+ - network
 manage:
- command: >
- env PYTHONPATH=$PYTHONPATH:$SNAP/lib/python2.7/site-packages
- $SNAP/usr/bin/python2 $SNAP/bin/snap-openstack nova-manage
+ command: snap-openstack nova-manage
 aliases:
 - nova-manage
+ plugs:
+ - network
 parts:
 nova:
- after: [python]
 plugin: python
 python-version: python2
 source:
http://tarballs.openstack.org/nova/nova-stable-ocata.tar.gz
@@ -75,11 +74,6 @@ parts:
 - libssl-dev
 - libxml2-dev
 - libxslt1-dev
- stage:
- - -usr/bin/2to3
- - -usr/bin/pydoc
- - -usr/bin/python2.7
- - -usr/lib/python2.7
 install: |
 touch $SNAPCRAFT_PART_INSTALL/lib/python2.7/site-packages/paste/__init__.py
 touch $SNAPCRAFT_PART_INSTALL/lib/python2.7/site-packages/repoze/__init__.py
@@ -111,19 +105,18 @@ parts:
 - --error-log-path=/var/snap/nova/common/log/nginx-error.log
 - --lock-path=/var/snap/nova/common/lock/nginx.lock
 - --pid-path=/var/snap/nova/common/run/nginx.pid
+ - --http-client-body-temp-path=/var/snap/nova/common/lib/nginx_client_body
+ - --http-proxy-temp-path=/var/snap/nova/common/lib/nginx_proxy
+ - --http-fastcgi-temp-path=/var/snap/nova/common/lib/nginx_fastcgi
+ - --http-uwsgi-temp-path=/var/snap/nova/common/lib/nginx_uwsgi
+ - --http-scgi-temp-path=/var/snap/nova/common/lib/nginx_scgi
 build-packages:
 - libpcre3-dev
 - libssl-dev
- python:
- source: https://www.python.org/ftp/python/2.7.13/Python-2.7.13.tar.xz
+ prepare: |
+ export SNAP_ROOT="../../../"
+ export SNAP_SOURCE="$SNAP_ROOT/parts/nginx/build"
+ patch -d $SNAP_SOURCE -p1 < $SNAP_ROOT/patches/drop-nginx-setgroups.patch
+ libxml2:
+ source: http://xmlsoft.org/sources/libxml2-2.9.4.tar.gz
 plugin: autotools
- configflags:
- - --prefix=/usr
- - --enable-shared
- - --enable-unicode=ucs4
- build-packages:
- - libssl-dev
- prime:
- - -usr/include
- install:
- $SNAPCRAFT_PART_INSTALL/usr/bin/python2 -m ensurepip
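Review bot: The nginx app is given `browser-support`, which the bundled patch description justifies as covering setuid, yet the same commit deletes the only setuid()/setgid() call in nginx's worker-init path, so as far as this diff shows nothing left in the binary still needs that interface. browser-support is a broad interface intended for web browsers and grants considerably more than a setuid allowance, which is the wrong direction for a root-running daemon that terminates untrusted HTTP. Either drop the plug and confirm nginx still starts cleanly under strict confinement, or keep it with a comment naming the specific syscall that requires it, e.g. `- browser-support  # still needed for <syscall>; see patches/drop-nginx-setgroups.patch`. The remaining apps take only `network`/`network-bind`, which looks right.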
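Review bot: The new `libxml2` part downloads `http://xmlsoft.org/sources/libxml2-2.9.4.tar.gz` over plain HTTP with no `source-checksum`, so the build trusts whatever the network hands back; add `source-checksum: sha256/<digest of that tarball>` (the nova tarball a few lines up, also plain HTTP, has the same gap). In the `prepare:` scriptlet the exit status of `patch` is never checked and `SNAP_ROOT="../../../"` hard-codes the build layout; unless snapcraft runs scriptlets with errexit, a rejected patch (for instance after an nginx version bump) would silently build the unpatched privilege-drop code and only show up as a seccomp kill at runtime. Start the scriptlet with `set -e`, quote the paths, and let patch fail loudly: `patch -d "$SNAP_SOURCE" -p1 < "$SNAP_ROOT/patches/drop-nginx-setgroups.patch"`.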