5 Commits

Author SHA1 Message Date
Andrew Phelps
277fbc266e many: add components to interfaces.SnapAppSet (#13837) 2024-05-07 09:53:59 -04:00
Andrew Phelps
d8a2e847e5 many: introduce SnapAppSet for use in security backends (#13574)
* interfaces: introduce SnapAppSet and forward one to the security backends

* snap: implement methods on snap.Info for getting apps and hooks for slots and plugs

This will enable us to remove the Hooks fields from the SlotInfo and
PlugInfo structs.

* interfaces: implement methods on SnapAppSet in terms of methods on snap.Info

* snap, interfaces: replace usage of {Plug,Slot}Info.SecurityTags with methods on SnapAppSet

* i/builtin: replace slotAppLabelExpr and plugAppLabelExpr with corresponding methods on SnapAppSet

* snap, o/snapstate, interfaces: remove Hooks field on snap.PlugInfo and snap.SlotInfo

* builtin, interfaces: fix tests that use Specification that now have a SnapAppSet

* snap: add tests for new methods on Info

* interfaces, i/builtin: port over some tests for SnapAppSet methods {Plug,Slot}LabelExpression

* interfaces: test PlugSecurityTags and SlotSecurityTags methods

* interfaces: add doc comments to SnapAppSet and methods

* i/builtin: remove ported over tests

* interfaces, many: require that SnapAppSet methods for getting security tags are called with plug/slot that comes from correct snap

Many tests did not properly adhere to this requirement, so they had to be
modified to modify this rule.

Additionally, a hack was introduced in the methods for getting label
expressions on the SnapAppSet. If a plug/slot did not originate from the
same snap that the SnapAppSet was created from, then we will use the
snap.Info that the plug/slot carries in the method instead. This will
fail to work once component hooks are introduced, so this will need to
be resolved by then.

* interfaces: test fallback for using LabelExpr methods with mismatched plug/slot

* snap: correct placement of TODOs to preserve doc comments

* snap: add doc comments for Plug/Slot.Unscoped

* interfaces: test for using SecurityTagsForPlug and SecurityTagsForSlot with wrong snap

* interfaces: tweak error messages in SnapAppSet SecurityTags methods

* i/builtin: fix missed conflict

* i/apparmor: add doc comment to Specification.appSet

* snap: fix doc comment on PlugInfo.Unscoped
2024-02-19 11:57:42 +01:00
Ian Johnson
fb502af681 interfaces/microstack-support: set controlsDeviceCgroup to true (#10975)
* interfaces/microstack-support: set controlsDeviceCgroup to true

This will prevent us from generating any udev rules which in turn should
entirely disable the enforcement of the device cgroup for processes in the
snap.

This is justified by the snap already managing cgroups of its containers and
VMs with the Delegate=true setting in serviceSnippets.

See also LP bug: https://bugs.launchpad.net/snapd/+bug/1892895 which is
partially addressed by this commit, specifically for the microstack snap which
uses the microstack-support interface.

Signed-off-by: Ian Johnson <ian.johnson@canonical.com>

* tests: add spread test for microstack cgroup delegation

* tests/main/interfaces-microstack-support: use snap restart

This fixes the test by making it fail on master without the change to use
controlsDeviceCgroup, but passes in the branch enabling that for the interface.

Signed-off-by: Ian Johnson <ian.johnson@canonical.com>

* tests: fix microstack-support test for cgroup v2

* i/b/microstack_support: add comment about delegation

* tests/microstack: make the service more verbose

Making the service more verbose might help debugging; these lines will
end up in journald.

* interfaces/udev/spec.go: leave TODO about cgroup interaction w/ Delegate=true

Signed-off-by: Ian Johnson <ian.johnson@canonical.com>

Co-authored-by: Alberto Mardegan <alberto.mardegan@canonical.com>
2021-11-30 08:44:59 -06:00
Maciej Borzecki
8affd74370 interfaces/builtin: fix microstack unit tests on distros using /usr/libexec
Some distros such as openSUSE or Fedora use /usr/libexec. Fix unit tests to
behave correctly if one runs them on such system.

Signed-off-by: Maciej Borzecki <maciej.zenon.borzecki@canonical.com>
2021-09-14 09:41:43 +02:00
Dmitrii Shcherbakov
9e4cd5f5e2 interfaces: add microstack-support interface
* Add microstack-support interface

Add an interface to enable MicroStack to work in a confined environment.

* Address review comments

* add rules necessary for LVM use

* Add rules required for the usage of iSCSI

OpenStack relies on the following components when working with LVM
volumes:

* tgtd - a daemon that exposes block devices via iSCSI;
* iscsid - a control plane daemon for the iSCSI initiator data plane
implemented in the iscsi_tcp module;
* iscsi_tcp kernel module.

Working with the iSCSI kernel stack requires more privileged access to
sysfs so that iscsiadm and iscsid can do their job.

* Adjust the policy based on functional testing

After several tempest test runs, based on the kernel logs, it became
apparent that libvirt requires a wider rw access to the hierarchy under
/sys/fs/cgroup/*/machine.

* Fix test coverage for the microstack-support iface

* fix formatting in basedeclaration_test.go

* Fix comment typos/inconsistencies

* Replace tgtd rules with LIO ones

* fix a static check failure

* Address points raised in the review

* refactoring;
* added Delegate=true since libvirt manages its own cgroup subtree.

* Replace /dev/* rw with less privileged rules

The snapd team requested a less permissive rule to be used for block
device access. While MicroStack considers volume support experimental
due to https://bugs.launchpad.net/snapd/+bug/1892895, it seems
acceptable to limit the set of VG names to the ones prefixed with
"microstack-" to avoid blocking the whole review on this. Lifting this
naming restriction will be a consideration for the future versions of
this interface.

* Address review comments

* Fix indentation to avoid a static check failure

* TestKModConnectedPlug: expect the vfio-pci module

* Address security review comments

* Address review comments

* Remove the unused import
2021-08-31 16:18:24 +02:00