Merge pull request #18 from vadorovsky/cilium-centos-7
Add rules for Cilium
vadorovsky authored Jul 30, 2021
2 parents a23b220 + ce5f16a commit 22a1dd5
Showing 3 changed files with 44 additions and 9 deletions.
1 change: 1 addition & 0 deletions .gitignore
@@ -1,2 +1,3 @@
.dapper
/dist
/.vagrant/
43 changes: 35 additions & 8 deletions Vagrantfile
@@ -1,18 +1,21 @@
# -*- mode: ruby -*-
# vi: set ft=ruby :

CPUS = (ENV['VAGRANT_RKE2_SELINUX_CPUS'] || 2).to_i
MEMORY = (ENV['VAGRANT_RKE2_SELINUX_MEMORY'] || 2048).to_i

# Adapted from https://github.com/containerd/containerd/pull/4451
Vagrant.configure("2") do |config|
config.vm.box = "centos/7"
config.vm.provider :virtualbox do |v|
config.vm.box_url = "https://cloud.centos.org/centos/7/vagrant/x86_64/images/CentOS-7-x86_64-Vagrant-2004_01.VirtualBox.box"
v.memory = 2048
v.cpus = 2
v.memory = MEMORY
v.cpus = CPUS
end
config.vm.provider :libvirt do |v|
config.vm.box_url = "https://cloud.centos.org/centos/7/vagrant/x86_64/images/CentOS-7-x86_64-Vagrant-2004_01.LibVirt.box"
v.memory = 2048
v.cpus = 2
v.memory = MEMORY
v.cpus = CPUS
end

# Disabled by default. To run:
Expand All @@ -32,6 +35,21 @@ Vagrant.configure("2") do |config|
SHELL
end

# Disabled by default. To run:
# vagrant provision --provision-with=kernel-mainline
config.vm.provision "kernel-mainline", type: "shell", run: "never" do |sh|
sh.upload_path = "/tmp/vagrant-kernel-mainline"
sh.inline = <<~SHELL
#!/usr/bin/env bash
yum -y install \
https://www.elrepo.org/elrepo-release-7.el7.elrepo.noarch.rpm
yum --enablerepo=elrepo-kernel -y install kernel-ml
sed -i -e "s|GRUB_DEFAULT.*$|GRUB_DEFAULT=0|" /etc/default/grub
grub2-mkconfig -o /boot/grub2/grub.cfg
SHELL
sh.reboot = true
end

# To re-run, installing CNI from RPM:
# INSTALL_PACKAGES="containernetworking-plugins" vagrant up --provision-with=install-packages
#
Expand Down Expand Up @@ -66,11 +84,11 @@ Vagrant.configure("2") do |config|
#!/usr/bin/env bash
set -eux -o pipefail
pushd /vagrant
rm -rf dist
./scripts/build-setup
yum install -y yum-utils rpm-build
yum-builddep -y container-selinux
yum -y remove rke2-selinux
COMMIT=$(git rev-parse HEAD) ./scripts/build
yum -y install dist/rpm/noarch/*.rpm
# TODO build
yum -y install ./dist/centos7/noarch/*.rpm
SHELL
end

Expand Down Expand Up @@ -314,4 +332,13 @@ EOF
SHELL
end

config.vm.provision "rke2", type: "shell", run: "once" do |sh|
sh.upload_path = "/tmp/vagrant-rke2"
sh.inline = <<~SHELL
#!/usr/bin/env bash
set -eux -o pipefail
curl -sfL https://get.rke2.io | sh -
SHELL
end

end
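Review bot: The new `rke2` provisioner at the end of the section pipes `https://get.rke2.io` into a root shell with no version pin, so each `vagrant up` installs whatever the script currently serves and the box is not reproducible from one run to the next; pin it, e.g. `curl -sfL https://get.rke2.io | INSTALL_RKE2_VERSION="<pinned-rke2-version>" sh -`. On CentOS 7 the installer's default RPM method also appears to pull in its own rke2-selinux package, which would replace the locally built RPM that the earlier provisioner installs from `./dist/centos7/noarch/` — worth confirming and documenting in a comment which policy build actually ends up loaded, since testing the local policy is the purpose of this box. The provisioner also runs with `run: "once"`, so after a `vagrant provision --provision-with=install-packages` rebuild the installer is not re-run; a short comment stating that ordering assumption would help the next person reading the file.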
9 changes: 8 additions & 1 deletion policy/centos7/rke2.te
@@ -1,7 +1,8 @@
policy_module(rke2, 1.0.0)

gen_require(`
type container_runtime_t, unconfined_service_t;
type container_runtime_t, iptables_t, spc_t, unconfined_service_t;
class bpf { map_create map_read map_write prog_load prog_run };
')
rke2_filetrans_named_content(container_runtime_t)
rke2_filetrans_named_content(unconfined_service_t)
Expand All @@ -19,3 +20,9 @@ rke2_service_domain_template(rke2_service_db)
container_manage_lib_dirs(rke2_service_db_t)
container_manage_lib_files(rke2_service_db_t)
allow rke2_service_db_t container_var_lib_t:file { map };

##########
# Cilium #
##########
fs_list_cgroup_dirs(iptables_t)
allow spc_t self:bpf { map_create map_read map_write prog_load prog_run };
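Review bot: The new `# Cilium #` block ends the file without saying which denials it resolves or why `spc_t` is the subject, and `spc_t` is the domain container-selinux generally assigns to privileged containers, so the `allow spc_t self:bpf { … }` rule is not scoped to Cilium but widens every privileged container on the host. Replace the banner with a why-comment such as `# Cilium: the agent appears to run as a privileged container (spc_t) and needs to create/load BPF maps and programs; iptables_t lists cgroup dirs for its iptables rules.` followed by `# NOTE(review): confirm against the recorded AVC denials; this also grants bpf to all spc_t processes.` The added `class bpf` entry in `gen_require` makes the module depend on the target base policy defining that class, so if an older supported CentOS 7 selinux-policy lacks it the module will fail to build; recording the minimum policy version next to the rule would make that dependency visible. Since `spc_t` is commonly an unconfined domain in container-selinux, noting which kernel/policy combination actually produced the bpf denial would also explain why the explicit allow is needed here.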
