Switch back to strict confinement

The following are included in the switch to strict confinement:
* Set snapcraft.yaml confinement to strict and restore/update plugs
* Drop building of python as it's not required for strict snaps
* Switch back to running apps under root
* Patch setgroups from nginx since it's not covered by a plug
* Build libxml into snap

Change-Id: Ibd2e3c625ceb92cb4b6dd9f0c9a9012baf7c53a5
Corey Bryant 2017-06-20 18:00:44 +00:00
parent f011198f5b
commit da4138e3f5
5 changed files with 95 additions and 74 deletions

View File

@ -10,7 +10,7 @@ snap based OpenStack deployment.
The nova snap can be installed directly from the snap store: The nova snap can be installed directly from the snap store:
sudo snap install --edge --classic nova sudo snap install --edge nova
The nova snap is working towards publication across tracks for The nova snap is working towards publication across tracks for
OpenStack releases. The edge channel for each track will contain the tip OpenStack releases. The edge channel for each track will contain the tip
@ -20,8 +20,8 @@ will be published progressively to beta, then candidate, and then stable once
CI validation completes for the channel. This should result in an experience CI validation completes for the channel. This should result in an experience
such as: such as:
sudo snap install --classic --channel=ocata/stable nova sudo snap install --channel=ocata/stable nova
sudo snap install --classic --channel=pike/edge nova sudo snap install --channel=pike/edge nova
## Configuring nova ## Configuring nova
@ -93,11 +93,6 @@ The services for the nova snap will log to its $SNAP_COMMON writable area:
## Managing nova ## Managing nova
The nova snap will drop privileges to run daemons and commands under
a regular user named snap-nova. Additionally, permissions and ownership
of files and directories in /var/snap/nova/common/ are modified to
restrict access from other users.
The nova snap has alias support that enables use of the well-known The nova snap has alias support that enables use of the well-known
nova-manage command. To enable the alias, run the following prior to nova-manage command. To enable the alias, run the following prior to
using the command: using the command:
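Review bot: with the privilege-dropping paragraph removed, the Managing nova section no longer says which user the daemons run as. Since this change moves the apps back to root (per the commit message and `user root root;` in the nginx template), the README should state that plainly, and ideally why (per-snap users are not yet supported under strict confinement, https://launchpad.net/bugs/1446748), so operators do not assume the previous snap-nova privilege separation still applies.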

View File

@ -0,0 +1,57 @@
Description: Drop code where nginx drops privileges for worker
processes. While setuid is covered by the browser-support plug,
setgroups isn't covered by any plugs. This code isn't required
because in strict mode we run worker processes as root:root.
The seccomp violation follows:
= Seccomp =
Time: Jun 16 01:13:15
Log: auid=4294967295 uid=0 gid=0 ses=4294967295 pid=6087 comm="nginx"
exe="/snap/nova/x1/usr/sbin/nginx" sig=31 arch=c000003e
116(setgroups) compat=0 ip=0x7f40e288af09 code=0x0
Syscall: setgroups
Suggestion:
* adjust program to not use 'setgroups' until per-snap user/groups
are supported (https://launchpad.net/bugs/1446748)
Author: Corey Bryant <corey.bryant@canonical.com>
Forwarded: no
---
src/os/unix/ngx_process_cycle.c | 22 ----------------------
1 file changed, 22 deletions(-)
diff --git a/src/os/unix/ngx_process_cycle.c b/src/os/unix/ngx_process_cycle.c
index 1710ea8..c428673 100644
--- a/src/os/unix/ngx_process_cycle.c
+++ b/src/os/unix/ngx_process_cycle.c
@@ -824,28 +824,6 @@ ngx_worker_process_init(ngx_cycle_t *cycle, ngx_int_t worker)
}
}
- if (geteuid() == 0) {
- if (setgid(ccf->group) == -1) {
- ngx_log_error(NGX_LOG_EMERG, cycle->log, ngx_errno,
- "setgid(%d) failed", ccf->group);
- /* fatal */
- exit(2);
- }
-
- if (initgroups(ccf->username, ccf->group) == -1) {
- ngx_log_error(NGX_LOG_EMERG, cycle->log, ngx_errno,
- "initgroups(%s, %d) failed",
- ccf->username, ccf->group);
- }
-
- if (setuid(ccf->user) == -1) {
- ngx_log_error(NGX_LOG_EMERG, cycle->log, ngx_errno,
- "setuid(%d) failed", ccf->user);
- /* fatal */
- exit(2);
- }
- }
-
if (worker >= 0) {
cpu_affinity = ngx_get_cpu_affinity(worker);
--
2.7.4
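Review bot: the patch deletes the whole `if (geteuid() == 0)` block, but the Description only identifies `setgroups` (reached via `initgroups()`) as uncovered by any plug and says setuid is covered by browser-support. A narrower patch that drops only the `initgroups(ccf->username, ccf->group)` call would keep upstream's setgid/setuid path intact, carry more easily across nginx rebases, and reduce to a one-line revert once per-snap users land. Either way, the Description should record that with this block gone the nginx `user` directive has no effect on worker processes, so a later template change to a non-root user would silently not take effect.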

View File

@ -1,16 +1,9 @@
setup: setup:
users:
snap-nova: [snap-nova]
default-owner: "root:snap-nova"
dirs: dirs:
- "{snap_common}/etc"
- "{snap_common}/etc/nova"
- "{snap_common}/etc/nova/nova.conf.d" - "{snap_common}/etc/nova/nova.conf.d"
- "{snap_common}/etc/nginx"
- "{snap_common}/etc/nginx/sites-enabled" - "{snap_common}/etc/nginx/sites-enabled"
- "{snap_common}/etc/nginx/snap" - "{snap_common}/etc/nginx/snap"
- "{snap_common}/etc/nginx/snap/sites-enabled" - "{snap_common}/etc/nginx/snap/sites-enabled"
- "{snap_common}/etc/uwsgi"
- "{snap_common}/etc/uwsgi/snap" - "{snap_common}/etc/uwsgi/snap"
- "{snap_common}/lib" - "{snap_common}/lib"
- "{snap_common}/lock" - "{snap_common}/lock"
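Review bot: besides the user and ownership keys, this hunk also drops the parent entries `{snap_common}/etc`, `{snap_common}/etc/nova`, `{snap_common}/etc/nginx` and `{snap_common}/etc/uwsgi` from `dirs` while keeping their children. That is only safe if the setup code creates intermediate directories (makedirs-style); if it does a plain mkdir per entry, first-run setup fails on `{snap_common}/etc/nova/nova.conf.d`. Please confirm, or keep the parents listed.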
@ -20,11 +13,6 @@ setup:
nova-snap.conf.j2: "{snap_common}/etc/nova/nova.conf.d/nova-snap.conf" nova-snap.conf.j2: "{snap_common}/etc/nova/nova.conf.d/nova-snap.conf"
nova-nginx.conf.j2: "{snap_common}/etc/nginx/snap/sites-enabled/nova.conf" nova-nginx.conf.j2: "{snap_common}/etc/nginx/snap/sites-enabled/nova.conf"
nginx.conf.j2: "{snap_common}/etc/nginx/snap/nginx.conf" nginx.conf.j2: "{snap_common}/etc/nginx/snap/nginx.conf"
rchown:
"{snap_common}/lib": "snap-nova:snap-nova"
"{snap_common}/lock": "snap-nova:snap-nova"
"{snap_common}/log": "snap-nova:snap-nova"
"{snap_common}/run": "snap-nova:snap-nova"
entry_points: entry_points:
nova-api-os-compute: nova-api-os-compute:
binary: "{snap}/bin/nova-api-os-compute" binary: "{snap}/bin/nova-api-os-compute"
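Review bot: dropping `rchown` is consistent with running as root, but an install refreshed from the previous revision will still have lib, lock, log and run owned by snap-nova:snap-nova. Root can write there regardless, so nothing breaks, though a sentence in the commit message (or a one-off ownership reset on upgrade) would make the upgrade path explicit.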
@ -35,8 +23,6 @@ entry_points:
config-dirs: config-dirs:
- "{snap_common}/etc/nova/nova.conf.d" - "{snap_common}/etc/nova/nova.conf.d"
log-file: "{snap_common}/log/nova-api-os-compute.log" log-file: "{snap_common}/log/nova-api-os-compute.log"
run-as:
snap-nova: [snap-nova]
nova-uwsgi: nova-uwsgi:
type: uwsgi type: uwsgi
uwsgi-dir: "{snap_common}/etc/uwsgi/snap" uwsgi-dir: "{snap_common}/etc/uwsgi/snap"
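Review bot: this and the following five hunks remove `run-as` from every entry point, so all services run as the root identity the snap daemon starts with. Nothing here is wrong, but a single comment at the top of the file pointing at https://launchpad.net/bugs/1446748 would tell the next maintainer these keys are meant to return once per-snap users are supported, rather than reading as the intended end state.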
@ -52,8 +38,6 @@ entry_points:
templates: templates:
nova-placement-api.ini.j2: nova-placement-api.ini.j2:
"{snap_common}/etc/uwsgi/snap/nova-placement-api.ini" "{snap_common}/etc/uwsgi/snap/nova-placement-api.ini"
run-as:
snap-nova: [snap-nova]
nova-nginx: nova-nginx:
type: nginx type: nginx
config-file: "{snap_common}/etc/nginx/snap/nginx.conf" config-file: "{snap_common}/etc/nginx/snap/nginx.conf"
@ -67,8 +51,6 @@ entry_points:
config-dirs: config-dirs:
- "{snap_common}/etc/nova/nova.conf.d" - "{snap_common}/etc/nova/nova.conf.d"
log-file: "{snap_common}/log/nova-conductor.log" log-file: "{snap_common}/log/nova-conductor.log"
run-as:
snap-nova: [snap-nova]
nova-scheduler: nova-scheduler:
binary: "{snap}/bin/nova-scheduler" binary: "{snap}/bin/nova-scheduler"
config-files: config-files:
@ -78,8 +60,6 @@ entry_points:
config-dirs: config-dirs:
- "{snap_common}/etc/nova/nova.conf.d" - "{snap_common}/etc/nova/nova.conf.d"
log-file: "{snap_common}/log/nova-scheduler.log" log-file: "{snap_common}/log/nova-scheduler.log"
run-as:
snap-nova: [snap-nova]
nova-consoleauth: nova-consoleauth:
binary: "{snap}/bin/nova-consoleauth" binary: "{snap}/bin/nova-consoleauth"
config-files: config-files:
@ -89,8 +69,6 @@ entry_points:
config-dirs: config-dirs:
- "{snap_common}/etc/nova/nova.conf.d" - "{snap_common}/etc/nova/nova.conf.d"
log-file: "{snap_common}/log/nova-consoleauth.log" log-file: "{snap_common}/log/nova-consoleauth.log"
run-as:
snap-nova: [snap-nova]
nova-manage: nova-manage:
binary: "{snap}/bin/nova-manage" binary: "{snap}/bin/nova-manage"
config-files: config-files:
@ -99,5 +77,3 @@ entry_points:
- "{snap_common}/etc/nova/nova.conf" - "{snap_common}/etc/nova/nova.conf"
config-dirs: config-dirs:
- "{snap_common}/etc/nova/nova.conf.d" - "{snap_common}/etc/nova/nova.conf.d"
run-as:
snap-nova: [snap-nova]

View File

@ -1,4 +1,4 @@
user snap-nova snap-nova; user root root;
worker_processes auto; worker_processes auto;
pid {{ snap_common }}/run/nginx.pid; pid {{ snap_common }}/run/nginx.pid;
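Review bot: `user root root;` is now effectively a no-op, because the setgroups patch removes the code in `ngx_worker_process_init` that acted on this directive. A Jinja comment on this line linking the patch and https://launchpad.net/bugs/1446748 would ensure the directive and the patch are reverted together when per-snap users become available.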

View File

@ -14,52 +14,51 @@ description: |
. .
This snap provides the Nova controller component of an OpenStack This snap provides the Nova controller component of an OpenStack
deployment. deployment.
confinement: classic confinement: strict
grade: devel grade: devel
apps: apps:
api: api:
command: > command: snap-openstack nova-api-os-compute
env PYTHONPATH=$PYTHONPATH:$SNAP/lib/python2.7/site-packages
$SNAP/usr/bin/python2 $SNAP/bin/snap-openstack nova-api-os-compute
daemon: simple daemon: simple
plugs:
- network-bind
uwsgi: uwsgi:
command: > command: snap-openstack nova-uwsgi
env PYTHONPATH=$PYTHONPATH:$SNAP/lib/python2.7/site-packages
$SNAP/usr/bin/python2 $SNAP/bin/snap-openstack nova-uwsgi
daemon: simple daemon: simple
environment: environment:
OS_PLACEMENT_CONFIG_DIR: $SNAP/etc/nova/ OS_PLACEMENT_CONFIG_DIR: $SNAP/etc/nova/
plugs:
- network-bind
nginx: nginx:
command: > command: snap-openstack nova-nginx
env PYTHONPATH=$PYTHONPATH:$SNAP/lib/python2.7/site-packages
LD_LIBRARY_PATH=$SNAP/usr/lib/x86_64-linux-gnu:$LD_LIBRARY_PATH
$SNAP/usr/bin/python2 $SNAP/bin/snap-openstack nova-nginx
daemon: forking daemon: forking
plugs:
- browser-support
- network-bind
conductor: conductor:
command: > command: snap-openstack nova-conductor
env PYTHONPATH=$PYTHONPATH:$SNAP/lib/python2.7/site-packages
$SNAP/usr/bin/python2 $SNAP/bin/snap-openstack nova-conductor
daemon: simple daemon: simple
plugs:
- network
scheduler: scheduler:
command: > command: snap-openstack nova-scheduler
env PYTHONPATH=$PYTHONPATH:$SNAP/lib/python2.7/site-packages
$SNAP/usr/bin/python2 $SNAP/bin/snap-openstack nova-scheduler
daemon: simple daemon: simple
plugs:
- network
consoleauth: consoleauth:
command: > command: snap-openstack nova-consoleauth
env PYTHONPATH=$PYTHONPATH:$SNAP/lib/python2.7/site-packages
$SNAP/usr/bin/python2 $SNAP/bin/snap-openstack nova-consoleauth
daemon: simple daemon: simple
plugs:
- network
manage: manage:
command: > command: snap-openstack nova-manage
env PYTHONPATH=$PYTHONPATH:$SNAP/lib/python2.7/site-packages
$SNAP/usr/bin/python2 $SNAP/bin/snap-openstack nova-manage
aliases: aliases:
- nova-manage - nova-manage
plugs:
- network
parts: parts:
nova: nova:
after: [python]
plugin: python plugin: python
python-version: python2 python-version: python2
source: http://tarballs.openstack.org/nova/nova-stable-ocata.tar.gz source: http://tarballs.openstack.org/nova/nova-stable-ocata.tar.gz
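Review bot: the `browser-support` plug on `nginx` is justified in the patch header as covering setuid, but the same patch deletes the worker's setuid/setgid calls, so the only thing the plug was needed for no longer executes. If nginx otherwise starts and serves without it, dropping it shrinks the snap's granted interfaces; browser-support is a broad interface intended for web browsers rather than for services. Separately, the removed `LD_LIBRARY_PATH=$SNAP/usr/lib/x86_64-linux-gnu` for the nginx command assumes the strict-mode wrapper now resolves those libraries; the new `libxml2` part suggests that is the intent, but a run of the nginx app under strict confinement should confirm it.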
@ -75,11 +74,6 @@ parts:
- libssl-dev - libssl-dev
- libxml2-dev - libxml2-dev
- libxslt1-dev - libxslt1-dev
stage:
- -usr/bin/2to3
- -usr/bin/pydoc
- -usr/bin/python2.7
- -usr/lib/python2.7
install: | install: |
touch $SNAPCRAFT_PART_INSTALL/lib/python2.7/site-packages/paste/__init__.py touch $SNAPCRAFT_PART_INSTALL/lib/python2.7/site-packages/paste/__init__.py
touch $SNAPCRAFT_PART_INSTALL/lib/python2.7/site-packages/repoze/__init__.py touch $SNAPCRAFT_PART_INSTALL/lib/python2.7/site-packages/repoze/__init__.py
@ -111,19 +105,18 @@ parts:
- --error-log-path=/var/snap/nova/common/log/nginx-error.log - --error-log-path=/var/snap/nova/common/log/nginx-error.log
- --lock-path=/var/snap/nova/common/lock/nginx.lock - --lock-path=/var/snap/nova/common/lock/nginx.lock
- --pid-path=/var/snap/nova/common/run/nginx.pid - --pid-path=/var/snap/nova/common/run/nginx.pid
- --http-client-body-temp-path=/var/snap/nova/common/lib/nginx_client_body
- --http-proxy-temp-path=/var/snap/nova/common/lib/nginx_proxy
- --http-fastcgi-temp-path=/var/snap/nova/common/lib/nginx_fastcgi
- --http-uwsgi-temp-path=/var/snap/nova/common/lib/nginx_uwsgi
- --http-scgi-temp-path=/var/snap/nova/common/lib/nginx_scgi
build-packages: build-packages:
- libpcre3-dev - libpcre3-dev
- libssl-dev - libssl-dev
python: prepare: |
source: https://www.python.org/ftp/python/2.7.13/Python-2.7.13.tar.xz export SNAP_ROOT="../../../"
export SNAP_SOURCE="$SNAP_ROOT/parts/nginx/build"
patch -d $SNAP_SOURCE -p1 < $SNAP_ROOT/patches/drop-nginx-setgroups.patch
libxml2:
source: http://xmlsoft.org/sources/libxml2-2.9.4.tar.gz
plugin: autotools plugin: autotools
configflags:
- --prefix=/usr
- --enable-shared
- --enable-unicode=ucs4
build-packages:
- libssl-dev
prime:
- -usr/include
install:
$SNAPCRAFT_PART_INSTALL/usr/bin/python2 -m ensurepip
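Review bot: the `prepare` step for the nginx part has two fragilities: `SNAP_ROOT="../../../"` depends on the working directory snapcraft uses for `prepare` (assumed here to be parts/nginx/build), and `patch -p1 < ...` with no `-N`/`--forward` fails with a reversed-patch error whenever snapcraft re-runs the step on an already-patched build tree. Using `patch -N` makes the step idempotent. Also, the new `libxml2` part fetches `libxml2-2.9.4.tar.gz` over plain HTTP with no checksum, so the build trusts whatever the mirror serves; pin a checksum (snapcraft's `source-checksum` key, if the version in use supports it) or at least use an https URL.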