-
Notifications
You must be signed in to change notification settings - Fork 9
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #10 from johanneskastl/20220109_add_microos
add microos
- Loading branch information
Showing
12 changed files
with
476 additions
and
3 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,15 @@ | ||
| ARG TUMBLEWEED=opensuse/tumbleweed | ||
| FROM ${TUMBLEWEED} | ||
| ADD https://github.com/AkihiroSuda/clone3-workaround/releases/download/v1.0.0/clone3-workaround.x86_64 /bin/clone3-workaround | ||
| RUN chmod +x /bin/clone3-workaround | ||
| SHELL ["clone3-workaround", "/usr/bin/env", "bash","-c"] | ||
| RUN zypper install -y container-selinux git rpm-build selinux-policy-devel | ||
|
|
||
|
|
||
| ENV DAPPER_SOURCE /source | ||
| ENV DAPPER_OUTPUT ./dist | ||
| ENV DAPPER_ENV COMBARCH DRONE_TAG TAG | ||
| ENV HOME ${DAPPER_SOURCE} | ||
| WORKDIR ${DAPPER_SOURCE} | ||
|
|
||
| ENTRYPOINT ["clone3-workaround", "./policy/microos/scripts/entry"] |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,56 @@ | ||
| # vim: sw=4:ts=4:et | ||
|
|
||
| %define selinux_policyver 20210716-3.1 | ||
| %define container_policyver 2.164.2-1.1 | ||
|
|
||
| %define relabel_files() \ | ||
| mkdir -p /var/lib/rancher/rke /etc/kubernetes /opt/rke; \ | ||
| restorecon -R /var/lib/rancher /etc/kubernetes /opt/rke; | ||
|
|
||
| Name: rancher-selinux | ||
| Version: %{rancher_selinux_version} | ||
| Release: %{rancher_selinux_release}.sle | ||
| Summary: SELinux policy module for Rancher | ||
|
|
||
| Group: System Environment/Base | ||
| License: ASL 2.0 | ||
| URL: http://rancher.com | ||
| Source0: rancher.pp | ||
|
|
||
| BuildRequires: container-selinux >= %{container_policyver} | ||
|
|
||
| Requires: policycoreutils, selinux-tools | ||
| Requires(post): selinux-policy-base >= %{selinux_policyver}, policycoreutils, container-selinux >= %{container_policyver} | ||
| Requires(postun): policycoreutils | ||
|
|
||
| BuildArch: noarch | ||
|
|
||
| %description | ||
| This package installs and sets up the SELinux policy security module for Rancher. | ||
|
|
||
| %install | ||
| install -d %{buildroot}%{_datadir}/selinux/packages | ||
| install -m 644 %{SOURCE0} %{buildroot}%{_datadir}/selinux/packages | ||
|
|
||
|
|
||
| %post | ||
| semodule -n -i %{_datadir}/selinux/packages/rancher.pp | ||
| if /usr/sbin/selinuxenabled ; then | ||
| /usr/sbin/load_policy | ||
| %relabel_files | ||
| fi; | ||
| exit 0 | ||
|
|
||
| %postun | ||
| if [ $1 -eq 0 ]; then | ||
| semodule -n -r rancher | ||
| if /usr/sbin/selinuxenabled ; then | ||
| /usr/sbin/load_policy | ||
| fi; | ||
| fi; | ||
| exit 0 | ||
|
|
||
| %files | ||
| %attr(0600,root,root) %{_datadir}/selinux/packages/rancher.pp | ||
|
|
||
| %changelog |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,2 @@ | ||
| /var/lib/rancher/rke(/.*)? gen_context(system_u:object_r:container_var_lib_t,s0) | ||
| /opt/rke(/.*)? gen_context(system_u:object_r:rke_opt_t,s0) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,104 @@ | ||
| policy_module(rancher, 1.0.0) | ||
|
|
||
| gen_require(` | ||
| type container_runtime_t, unconfined_service_t; | ||
| ') | ||
|
|
||
| ######################## | ||
| # type rke_kubereader_t # | ||
| ######################## | ||
| gen_require(` | ||
| type container_runtime_t, unconfined_service_t; | ||
| type kubernetes_file_t; | ||
| class dir { open read search }; | ||
| class file { getaddr open read }; | ||
| class lnk_file { getattr read }; | ||
| ') | ||
| container_domain_template(rke_kubereader) | ||
| virt_sandbox_domain(rke_kubereader_t) | ||
| corenet_unconfined(rke_kubereader_t) | ||
| allow rke_kubereader_t kubernetes_file_t:dir { open read search }; | ||
| allow rke_kubereader_t kubernetes_file_t:file { getattr open read }; | ||
| allow rke_kubereader_t kubernetes_file_t:lnk_file { getattr read }; | ||
|
|
||
| ######################## | ||
| # type rke_logreader_t # | ||
| ######################## | ||
| gen_require(` | ||
| type container_runtime_t, unconfined_service_t; | ||
| type container_log_t; | ||
| type syslogd_var_run_t; | ||
| type var_log_t; | ||
| class dir { read search }; | ||
| class file { open read }; | ||
| class lnk_file { getattr read }; | ||
| ') | ||
| container_domain_template(rke_logreader) | ||
| virt_sandbox_domain(rke_logreader_t) | ||
| corenet_unconfined(rke_logreader_t) | ||
| allow rke_logreader_t container_log_t:dir { open read search }; | ||
| allow rke_logreader_t container_log_t:lnk_file { getattr read }; | ||
| allow rke_logreader_t container_log_t:file { getattr open read }; | ||
| allow rke_logreader_t container_var_lib_t:dir search; | ||
| allow rke_logreader_t container_var_lib_t:file { getattr open read }; | ||
| allow rke_logreader_t container_var_lib_t:lnk_file { getattr read }; | ||
| allow rke_logreader_t syslogd_var_run_t:dir read; | ||
| allow rke_logreader_t syslogd_var_run_t:file { getattr open read }; | ||
| allow rke_logreader_t var_log_t:dir read; | ||
| allow rke_logreader_t var_log_t:file { getattr open read }; | ||
|
|
||
| ######################## | ||
| # type rke_container_t # | ||
| ######################## | ||
| gen_require(` | ||
| type container_runtime_t, unconfined_service_t; | ||
| type container_log_t; | ||
| type kubernetes_file_t; | ||
| type container_var_run_t; | ||
| class dir { read search }; | ||
| class file { open read }; | ||
| ') | ||
| type rke_opt_t; | ||
| files_type(rke_opt_t) | ||
| container_domain_template(rke_container) | ||
| virt_sandbox_domain(rke_container_t) | ||
| corenet_unconfined(rke_container_t) | ||
| manage_dirs_pattern(rke_container_t, container_var_lib_t, container_var_lib_t) | ||
| manage_files_pattern(rke_container_t, container_var_lib_t, container_var_lib_t) | ||
| manage_dirs_pattern(rke_container_t, container_log_t, container_log_t) | ||
| manage_files_pattern(rke_container_t, container_log_t, container_log_t) | ||
| manage_dirs_pattern(rke_container_t, kubernetes_file_t, kubernetes_file_t) | ||
| manage_files_pattern(rke_container_t, kubernetes_file_t, kubernetes_file_t) | ||
| manage_dirs_pattern(rke_container_t, rke_opt_t, rke_opt_t) | ||
| manage_files_pattern(rke_container_t, rke_opt_t, rke_opt_t) | ||
| manage_dirs_pattern(rke_container_t, container_var_lib_t, container_var_lib_t) | ||
| manage_files_pattern(rke_container_t, container_var_lib_t, container_var_lib_t) | ||
| manage_dirs_pattern(rke_container_t, container_var_run_t, container_var_run_t) | ||
| manage_files_pattern(rke_container_t, container_var_run_t, container_var_run_t) | ||
| allow rke_container_t self:tcp_socket { accept listen }; | ||
| allow rke_container_t container_var_lib_t:file map; | ||
| allow rke_container_t rke_opt_t:file map; | ||
| allow rke_container_t container_var_lib_t:dir { relabelfrom relabelto }; | ||
| allow rke_container_t container_var_lib_t:file { relabelfrom relabelto }; | ||
| allow rke_container_t rke_opt_t:dir { relabelfrom relabelto }; | ||
| allow rke_container_t rke_opt_t:file { relabelfrom relabelto }; | ||
|
|
||
| ######################## | ||
| # type rke_network_t # | ||
| ######################## | ||
| gen_require(` | ||
| type container_runtime_t, unconfined_service_t; | ||
| type iptables_var_run_t; | ||
| type var_run_t; | ||
| type kernel_t; | ||
| ') | ||
| container_domain_template(rke_network) | ||
| virt_sandbox_domain(rke_network_t) | ||
| corenet_unconfined(rke_network_t) | ||
| manage_dirs_pattern(rke_network_t, iptables_var_run_t, iptables_var_run_t) | ||
| manage_files_pattern(rke_network_t, iptables_var_run_t, iptables_var_run_t) | ||
| manage_dirs_pattern(rke_network_t, var_run_t, var_run_t) | ||
| manage_files_pattern(rke_network_t, var_run_t, var_run_t) | ||
| allow rke_network_t kernel_t:system module_request; | ||
| allow rke_network_t kernel_t:unix_dgram_socket sendto; | ||
| allow rke_network_t self:netlink_route_socket nlmsg_write; |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,21 @@ | ||
| #!/bin/bash | ||
| set -e -x | ||
|
|
||
| cd $(dirname $0)/.. | ||
| . ./scripts/version | ||
|
|
||
| make -f /usr/share/selinux/devel/Makefile rancher.pp | ||
|
|
||
| rpmbuild \ | ||
| --define "rancher_selinux_version ${RPM_VERSION}" \ | ||
| --define "rancher_selinux_release ${RPM_RELEASE}" \ | ||
| --define "_sourcedir $PWD" \ | ||
| --define "_specdir $PWD" \ | ||
| --define "_builddir $PWD" \ | ||
| --define "_srcrpmdir ${PWD}/dist/source" \ | ||
| --define "_buildrootdir $PWD/.build" \ | ||
| --define "_rpmdir ${PWD}/dist" \ | ||
| -ba rancher-selinux.spec | ||
|
|
||
| mkdir -p /source/dist/microos | ||
| cp -r dist/* /source/dist/microos |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,12 @@ | ||
| #!/bin/sh | ||
| set -ex | ||
|
|
||
| if [ -e ./policy/microos/scripts/"$1" ]; then | ||
| ./policy/microos/scripts/"$@" | ||
| else | ||
| exec "$@" | ||
| fi | ||
|
|
||
| if [ "$DAPPER_UID" -ne "-1" ]; then | ||
| chown -R $DAPPER_UID:$DAPPER_GID . | ||
| fi |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,45 @@ | ||
| #!/bin/bash | ||
| set -e -x | ||
|
|
||
| yum install -y rpm-sign expect git | ||
|
|
||
| pushd $(dirname $0)/.. | ||
| . ./scripts/version | ||
| popd | ||
|
|
||
| cat <<\EOF >~/.rpmmacros | ||
| %_signature gpg | ||
| %_gpg_name [email protected] | ||
| EOF | ||
|
|
||
| case "$RPM_CHANNEL" in | ||
| "testing") | ||
| export PRIVATE_KEY_PASS_PHRASE=$TESTING_PRIVATE_KEY_PASS_PHRASE | ||
| if ! grep "BEGIN PGP PRIVATE KEY BLOCK" <<<"$TESTING_PRIVATE_KEY"; then | ||
| echo "TESTING_PRIVATE_KEY not defined, failing rpm sign" | ||
| exit 1 | ||
| fi | ||
| gpg --import - <<<"$TESTING_PRIVATE_KEY" | ||
| ;; | ||
| "production") | ||
| if ! grep "BEGIN PGP PRIVATE KEY BLOCK" <<<"$PRIVATE_KEY"; then | ||
| echo "PRIVATE_KEY not defined, failing rpm sign" | ||
| exit 1 | ||
| fi | ||
| gpg --import - <<<"$PRIVATE_KEY" | ||
| ;; | ||
| *) | ||
| echo "RPM_CHANNEL $RPM_CHANNEL does not match one of: [testing, production]" | ||
| exit 1 | ||
| ;; | ||
| esac | ||
|
|
||
| expect <<EOF | ||
| set timeout 60 | ||
| spawn sh -c "rpmsign --addsign dist/microos/**/rancher-*.rpm" | ||
| expect "Enter pass phrase:" | ||
| send -- "$PRIVATE_KEY_PASS_PHRASE\r" | ||
| expect eof | ||
| lassign [wait] _ _ _ code | ||
| exit \$code | ||
| EOF |
Oops, something went wrong.