diff --git a/.drone.yml b/.drone.yml
index 83fc39f..b2ff368 100644
--- a/.drone.yml
+++ b/.drone.yml
@@ -7,87 +7,87 @@ platform: arch: amd64 steps: -- name: Build EL7 - image: rancher/dapper:v0.5.0 - commands: - - dapper -f Dockerfile.centos7.dapper policy/centos7/scripts/build - volumes: - - name: docker - path: /var/run/docker.sock - -- name: Sign RPM EL7 - image: centos:7 - environment: - PRIVATE_KEY: - from_secret: private_key - PRIVATE_KEY_PASS_PHRASE: - from_secret: private_key_pass_phrase - TESTING_PRIVATE_KEY: - from_secret: testing_private_key - TESTING_PRIVATE_KEY_PASS_PHRASE: - from_secret: testing_private_key_pass_phrase - commands: - - policy/centos7/scripts/sign - when: - instance: - - drone-publish.rancher.io - ref: - - refs/head/master - - refs/tags/* - event: - - tag - -- name: Yum Repo Upload EL7 - image: centos:7 - environment: - AWS_S3_BUCKET: - from_secret: aws_s3_bucket - AWS_ACCESS_KEY_ID: - from_secret: aws_access_key_id - AWS_SECRET_ACCESS_KEY: - from_secret: aws_secret_access_key - TESTING_AWS_S3_BUCKET: - from_secret: testing_aws_s3_bucket - TESTING_AWS_ACCESS_KEY_ID: - from_secret: testing_aws_access_key_id - TESTING_AWS_SECRET_ACCESS_KEY: - from_secret: testing_aws_secret_access_key - commands: - - policy/centos7/scripts/upload-repo - when: - instance: - - drone-publish.rancher.io - ref: - - refs/head/master - - refs/tags/* - event: - - tag - -- name: GitHub Release EL7 - image: ibuildthecloud/github-release:v0.0.1 - settings: - api_key: - from_secret: github_token - prerelease: true - checksum: - - sha256 - checksum_file: CHECKSUMsum-centos7-noarch.txt - checksum_flatten: true - files: - - "dist/centos7/**/*.rpm" - when: - instance: - - drone-publish.rancher.io - ref: - - refs/head/master - - refs/tags/* - event: - - tag + - name: Build EL7 + image: rancher/dapper:v0.5.0 + commands: + - dapper -f Dockerfile.centos7.dapper policy/centos7/scripts/build + volumes: + - name: docker + path: /var/run/docker.sock + + - name: Sign RPM EL7 + image: centos:7 + environment: + PRIVATE_KEY: + from_secret: private_key + PRIVATE_KEY_PASS_PHRASE: + 
from_secret: private_key_pass_phrase + TESTING_PRIVATE_KEY: + from_secret: testing_private_key + TESTING_PRIVATE_KEY_PASS_PHRASE: + from_secret: testing_private_key_pass_phrase + commands: + - policy/centos7/scripts/sign + when: + instance: + - drone-publish.rancher.io + ref: + - refs/head/master + - refs/tags/* + event: + - tag + + - name: Yum Repo Upload EL7 + image: centos:7 + environment: + AWS_S3_BUCKET: + from_secret: aws_s3_bucket + AWS_ACCESS_KEY_ID: + from_secret: aws_access_key_id + AWS_SECRET_ACCESS_KEY: + from_secret: aws_secret_access_key + TESTING_AWS_S3_BUCKET: + from_secret: testing_aws_s3_bucket + TESTING_AWS_ACCESS_KEY_ID: + from_secret: testing_aws_access_key_id + TESTING_AWS_SECRET_ACCESS_KEY: + from_secret: testing_aws_secret_access_key + commands: + - policy/centos7/scripts/upload-repo + when: + instance: + - drone-publish.rancher.io + ref: + - refs/head/master + - refs/tags/* + event: + - tag + + - name: GitHub Release EL7 + image: ibuildthecloud/github-release:v0.0.1 + settings: + api_key: + from_secret: github_token + prerelease: true + checksum: + - sha256 + checksum_file: CHECKSUMsum-centos7-noarch.txt + checksum_flatten: true + files: + - "dist/centos7/**/*.rpm" + when: + instance: + - drone-publish.rancher.io + ref: + - refs/head/master + - refs/tags/* + event: + - tag volumes: -- name: docker - host: - path: /var/run/docker.sock + - name: docker + host: + path: /var/run/docker.sock --- kind: pipeline name: RPM Build EL8 
@@ -97,84 +97,174 @@ platform: arch: amd64 steps: -- name: Build EL8 - image: rancher/dapper:v0.5.0 - commands: - - dapper -f Dockerfile.centos8.dapper policy/centos8/scripts/build - volumes: + - name: Build EL8 + image: rancher/dapper:v0.5.0 + commands: + - dapper -f Dockerfile.centos8.dapper policy/centos8/scripts/build + volumes: + - name: docker + path: /var/run/docker.sock + + - name: Sign RPM EL8 + image: centos:7 + environment: + PRIVATE_KEY: + from_secret: private_key + PRIVATE_KEY_PASS_PHRASE: + from_secret: private_key_pass_phrase + TESTING_PRIVATE_KEY: + from_secret: testing_private_key + TESTING_PRIVATE_KEY_PASS_PHRASE: + from_secret: testing_private_key_pass_phrase + commands: + - policy/centos8/scripts/sign + when: + instance: + - drone-publish.rancher.io + ref: + - refs/head/master + - refs/tags/* + event: + - tag + + - name: Yum Repo Upload EL8 + image: centos:7 + environment: + AWS_S3_BUCKET: + from_secret: aws_s3_bucket + AWS_ACCESS_KEY_ID: + from_secret: aws_access_key_id + AWS_SECRET_ACCESS_KEY: + from_secret: aws_secret_access_key + TESTING_AWS_S3_BUCKET: + from_secret: testing_aws_s3_bucket + TESTING_AWS_ACCESS_KEY_ID: + from_secret: testing_aws_access_key_id + TESTING_AWS_SECRET_ACCESS_KEY: + from_secret: testing_aws_secret_access_key + commands: + - policy/centos8/scripts/upload-repo + when: + instance: + - drone-publish.rancher.io + ref: + - refs/head/master + - refs/tags/* + event: + - tag + + - name: GitHub Release EL8 + image: ibuildthecloud/github-release:v0.0.1 + settings: + api_key: + from_secret: github_token + prerelease: true + checksum: + - sha256 + checksum_file: CHECKSUMsum-centos8-noarch.txt + checksum_flatten: true + files: + - "dist/centos8/**/*.rpm" + when: + instance: + - drone-publish.rancher.io + ref: + - refs/head/master + - refs/tags/* + event: + - tag + +volumes: - name: docker - path: /var/run/docker.sock - -- name: Sign RPM EL8 - image: centos:7 - environment: - PRIVATE_KEY: - from_secret: private_key - 
PRIVATE_KEY_PASS_PHRASE: - from_secret: private_key_pass_phrase - TESTING_PRIVATE_KEY: - from_secret: testing_private_key - TESTING_PRIVATE_KEY_PASS_PHRASE: - from_secret: testing_private_key_pass_phrase - commands: - - policy/centos8/scripts/sign - when: - instance: - - drone-publish.rancher.io - ref: - - refs/head/master - - refs/tags/* - event: - - tag - -- name: Yum Repo Upload EL8 - image: centos:7 - environment: - AWS_S3_BUCKET: - from_secret: aws_s3_bucket - AWS_ACCESS_KEY_ID: - from_secret: aws_access_key_id - AWS_SECRET_ACCESS_KEY: - from_secret: aws_secret_access_key - TESTING_AWS_S3_BUCKET: - from_secret: testing_aws_s3_bucket - TESTING_AWS_ACCESS_KEY_ID: - from_secret: testing_aws_access_key_id - TESTING_AWS_SECRET_ACCESS_KEY: - from_secret: testing_aws_secret_access_key - commands: - - policy/centos8/scripts/upload-repo - when: - instance: - - drone-publish.rancher.io - ref: - - refs/head/master - - refs/tags/* - event: - - tag - -- name: GitHub Release EL8 - image: ibuildthecloud/github-release:v0.0.1 - settings: - api_key: - from_secret: github_token - prerelease: true - checksum: - - sha256 - checksum_file: CHECKSUMsum-centos8-noarch.txt - checksum_flatten: true - files: - - "dist/centos8/**/*.rpm" - when: - instance: - - drone-publish.rancher.io - ref: - - refs/head/master - - refs/tags/* - event: - - tag + host: + path: /var/run/docker.sock +--- +kind: pipeline +name: RPM Build SLE + +platform: + os: linux + arch: amd64 + +steps: + - name: Build SLE + image: rancher/dapper:v0.5.0 + commands: + - dapper -f Dockerfile.microos.dapper policy/microos/scripts/build + volumes: + - name: docker + path: /var/run/docker.sock + + - name: Sign RPM SLE + image: centos:7 + environment: + PRIVATE_KEY: + from_secret: private_key + PRIVATE_KEY_PASS_PHRASE: + from_secret: private_key_pass_phrase + TESTING_PRIVATE_KEY: + from_secret: testing_private_key + TESTING_PRIVATE_KEY_PASS_PHRASE: + from_secret: testing_private_key_pass_phrase + commands: + - 
policy/microos/scripts/sign + when: + instance: + - drone-publish.rancher.io + ref: + - refs/head/master + - refs/tags/* + event: + - tag + + - name: Yum Repo Upload SLE + image: centos:7 + environment: + AWS_S3_BUCKET: + from_secret: aws_s3_bucket + AWS_ACCESS_KEY_ID: + from_secret: aws_access_key_id + AWS_SECRET_ACCESS_KEY: + from_secret: aws_secret_access_key + TESTING_AWS_S3_BUCKET: + from_secret: testing_aws_s3_bucket + TESTING_AWS_ACCESS_KEY_ID: + from_secret: testing_aws_access_key_id + TESTING_AWS_SECRET_ACCESS_KEY: + from_secret: testing_aws_secret_access_key + commands: + - policy/microos/scripts/upload-repo + when: + instance: + - drone-publish.rancher.io + ref: + - refs/head/master + - refs/tags/* + event: + - tag + + - name: GitHub Release SLE + image: ibuildthecloud/github-release:v0.0.1 + settings: + api_key: + from_secret: github_token + prerelease: true + checksum: + - sha256 + checksum_file: CHECKSUMsum-microos-noarch.txt + checksum_flatten: true + files: + - "dist/microos/**/*.rpm" + when: + instance: + - drone-publish.rancher.io + ref: + - refs/head/master + - refs/tags/* + event: + - tag volumes: -- name: docker - host: - path: /var/run/docker.sock + - name: docker + host: + path: /var/run/docker.sock diff --git a/.gitignore b/.gitignore index bf0fbe4..ff9bf16 100644 --- a/.gitignore +++ b/.gitignore @@ -1,3 +1,4 @@ -.dapper /dist -/.vagrant/ +*.rpm +.dapper +.vagrant/ diff --git a/Dockerfile.centos7.dapper b/Dockerfile.centos7.dapper index e530660..fde1b42 100644 --- a/Dockerfile.centos7.dapper +++ b/Dockerfile.centos7.dapper @@ -1,6 +1,7 @@ FROM centos:7 -RUN yum install -y epel-release && yum -y install container-selinux selinux-policy-devel yum-utils rpm-build git jq +RUN yum install -y epel-release \ + && yum -y install container-selinux git rpm-build selinux-policy-devel yum-utils ENV DAPPER_SOURCE /source ENV DAPPER_OUTPUT ./dist diff --git a/Dockerfile.centos8.dapper b/Dockerfile.centos8.dapper index 60a6d9e..4ff387d 100644 
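Review bot: The `ref` filters on the three publish steps of the new SLE pipeline (Sign RPM SLE, Yum Repo Upload SLE, GitHub Release SLE) list `refs/head/master`, which is not a git ref name — branch refs live under `refs/heads/`, so that entry can never match. The steps still run because `event: tag` together with `refs/tags/*` governs them, which is why the typo has gone unnoticed; the same string is carried over in the EL7 and EL8 pipelines of this file. Change each occurrence to `- refs/heads/master`, or drop the entry entirely if only tags are meant to publish.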
--- a/Dockerfile.centos8.dapper +++ b/Dockerfile.centos8.dapper @@ -1,6 +1,7 @@ FROM centos:8 -RUN yum install -y epel-release && yum -y install container-selinux selinux-policy-devel yum-utils rpm-build git jq +RUN yum install -y epel-release \ + && yum -y install container-selinux git rpm-build selinux-policy-devel yum-utils ENV DAPPER_SOURCE /source ENV DAPPER_OUTPUT ./dist diff --git a/Dockerfile.microos.dapper b/Dockerfile.microos.dapper new file mode 100644 index 0000000..4595100 --- /dev/null +++ b/Dockerfile.microos.dapper @@ -0,0 +1,15 @@ +ARG TUMBLEWEED=opensuse/tumbleweed +FROM ${TUMBLEWEED} +ADD https://github.com/AkihiroSuda/clone3-workaround/releases/download/v1.0.0/clone3-workaround.x86_64 /bin/clone3-workaround +RUN chmod +x /bin/clone3-workaround +SHELL ["clone3-workaround", "/usr/bin/env", "bash","-c"] +RUN zypper install -y container-selinux git rpm-build selinux-policy-devel + + +ENV DAPPER_SOURCE /source +ENV DAPPER_OUTPUT ./dist +ENV DAPPER_ENV COMBARCH DRONE_TAG TAG +ENV HOME ${DAPPER_SOURCE} +WORKDIR ${DAPPER_SOURCE} + +ENTRYPOINT ["clone3-workaround", "./policy/microos/scripts/entry"] diff --git a/Makefile b/Makefile index bd9797f..0302492 100644 --- a/Makefile +++ b/Makefile @@ -1,5 +1,6 @@ CENTOS7_TARGETS := $(addprefix centos7-,$(shell ls policy/centos7/scripts)) CENTOS8_TARGETS := $(addprefix centos8-,$(shell ls policy/centos8/scripts)) +MICROOS_TARGETS := $(addprefix microos-,$(shell ls policy/microos/scripts)) .dapper: @echo Downloading dapper @@ -14,4 +15,10 @@ $(CENTOS7_TARGETS): .dapper $(CENTOS8_TARGETS): .dapper ./.dapper -f Dockerfile.centos8.dapper $(@:centos8-%=%) -.PHONY: $(CENTOS7_TARGETS) $(CENTOS8_TARGETS) +$(MICROOS_TARGETS): .dapper + ./.dapper -f Dockerfile.microos.dapper $(@:microos-%=%) + +clean: + rm -rf dist/ Dockerfile.*.dapper[0-9]* + +.PHONY: $(CENTOS7_TARGETS) $(CENTOS8_TARGETS) $(MICROOS_TARGETS) clean diff --git a/README.md b/README.md index 448beb2..eb39ff4 100644 --- a/README.md +++ b/README.md 
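Review bot: The `ADD https://github.com/AkihiroSuda/clone3-workaround/releases/download/v1.0.0/clone3-workaround.x86_64 /bin/clone3-workaround` line in the new Dockerfile.microos.dapper fetches an executable at build time with no integrity check, and the following lines make it the `SHELL` for every later `RUN` and the image `ENTRYPOINT`, so a replaced or tampered release asset would execute in every build of this image. Pin the content, not just the URL: add `RUN echo "<expected-sha256>  /bin/clone3-workaround" | sha256sum -c -` directly after the `ADD` (or use `--checksum=sha256:<expected-sha256>` on the `ADD` where the builder supports it), with the digest recorded from the v1.0.0 release. `FROM ${TUMBLEWEED}` with its default `opensuse/tumbleweed` is a rolling, untagged base as well, so two builds of the same commit can differ; a dated tag or an image digest would make the RPM build reproducible.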
@@ -1,6 +1,11 @@ # rke2-selinux RKE2 selinux policy repository +## Signing Keys + +- https://rpm.rancher.io/public.key +- https://rpm-testing.rancher.io/public.key + ## Versioning/Tagging The version parsing logic for `rancher/rke2-selinux` expects tags to be of a certain format (that directly correlates to RPM naming) diff --git a/policy/centos7/rke2-selinux.spec b/policy/centos7/rke2-selinux.spec index 42e5b32..18ddf43 100644 --- a/policy/centos7/rke2-selinux.spec +++ b/policy/centos7/rke2-selinux.spec @@ -1,7 +1,6 @@ # vim: sw=4:ts=4:et - -%define relabel_files() \ +%define rke2_relabel_files() \ mkdir -p /var/lib/cni; \ mkdir -p /var/lib/kubelet/pods; \ mkdir -p /var/lib/rancher/rke2/agent/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots; \ 
@@ -16,32 +15,42 @@ restorecon -R /var/lib/rancher; \ restorecon -R /var/run/k3s; \ restorecon -R /var/run/flannel - %define selinux_policyver 3.13.1-252 %define container_policyver 2.107-3 - -Name: rke2-selinux -Version: %{rke2_selinux_version} -Release: %{rke2_selinux_release}.el7 -Summary: SELinux policy module for rke2 - -Group: System Environment/Base -License: ASL 2.0 -URL: http://rancher.com -Source0: rke2.pp -Source1: rke2.if - +%define container_policy_epoch 2 +%define container_policy_schism 2.164.2 + +Name: rke2-selinux +Version: %{rke2_selinux_version} +Release: %{rke2_selinux_release}.el7 +Summary: SELinux policy module for rke2 + +Group: System Environment/Base +License: ASL 2.0 +URL: https://rke2.io +Source0: rke2.pp +Source1: rke2.if + +BuildArch: noarch +BuildRequires: container-selinux >= %{container_policy_epoch}:%{container_policyver} +BuildRequires: container-selinux < %{container_policy_epoch}:%{container_policy_schism} +BuildRequires: git +BuildRequires: selinux-policy >= %{selinux_policyver} +BuildRequires: selinux-policy-devel >= %{selinux_policyver} Requires: policycoreutils, libselinux-utils -Requires(post): selinux-policy-base >= %{selinux_policyver}, policycoreutils, container-selinux >= %{container_policyver} +Requires(post): selinux-policy-base >= %{selinux_policyver} +Requires(post): policycoreutils +Requires(post): container-selinux >= %{container_policy_epoch}:%{container_policyver} +Requires(post): container-selinux < %{container_policy_epoch}:%{container_policy_schism} Requires(postun): policycoreutils +Provides: %{name} = %{version}-%{release} +Obsoletes: rke2-selinux < 0.9 Conflicts: k3s-selinux -BuildArch: noarch - %description -This package installs and sets up the SELinux policy security module for rke2. +This package installs and sets up the SELinux policy security module for rke2. %install install -d %{buildroot}%{_datadir}/selinux/packages 
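Review bot: `Obsoletes: rke2-selinux < 0.9` names the package itself, which rpmlint reports as self-obsoletion and which, as far as I can tell, is redundant whenever the new NEVR already compares as an upgrade; the reason it is needed (presumably to force replacement of builds that used an older version/release scheme) is recorded nowhere in the spec. Add a comment above it such as `# self-obsolete: replaces pre-0.9 builds (TODO: confirm why a plain version upgrade is not enough)`. The same line appears in the EL8 spec hunk and in the new SLE spec further down in this diff.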
@@ -50,29 +59,26 @@ install -d %{buildroot}%{_datadir}/selinux/devel/include/contrib install -m 644 %{SOURCE1} %{buildroot}%{_datadir}/selinux/devel/include/contrib/ install -d %{buildroot}/etc/selinux/targeted/contexts/users/ +%pre +%selinux_relabel_pre %post semodule -n -i %{_datadir}/selinux/packages/rke2.pp if /usr/sbin/selinuxenabled ; then /usr/sbin/load_policy - %relabel_files - + %rke2_relabel_files fi; -exit 0 %postun if [ $1 -eq 0 ]; then - semodule -n -r rke2 - if /usr/sbin/selinuxenabled ; then - /usr/sbin/load_policy - - fi; + %selinux_modules_uninstall rke2 fi; -exit 0 + +%posttrans +%selinux_relabel_post %files %attr(0600,root,root) %{_datadir}/selinux/packages/rke2.pp %{_datadir}/selinux/devel/include/contrib/rke2.if - %changelog diff --git a/policy/centos7/rke2.fc b/policy/centos7/rke2.fc index 7f25987..1075a7e 100644 --- a/policy/centos7/rke2.fc +++ b/policy/centos7/rke2.fc 
@@ -1,20 +1,22 @@ # vim: sw=8:ts=8:et + /etc/systemd/system/rke2.* -- gen_context(system_u:object_r:container_unit_file_t,s0) /lib/systemd/system/rke2.* -- gen_context(system_u:object_r:container_unit_file_t,s0) /usr/local/lib/systemd/system/rke2.* -- gen_context(system_u:object_r:container_unit_file_t,s0) /usr/bin/rke2 -- gen_context(system_u:object_r:container_runtime_exec_t,s0) /usr/local/bin/rke2 -- gen_context(system_u:object_r:container_runtime_exec_t,s0) /var/lib/cni(/.*)? gen_context(system_u:object_r:container_var_lib_t,s0) +/var/lib/kubelet/pods(/.*)? gen_context(system_u:object_r:container_file_t,s0) /var/lib/rancher/rke2(/.*)? gen_context(system_u:object_r:container_var_lib_t,s0) /var/lib/rancher/rke2/data(/.*)? gen_context(system_u:object_r:container_runtime_exec_t,s0) +/var/lib/rancher/rke2/data/[^/]*/charts(/.*)? gen_context(system_u:object_r:container_config_t,s0) /var/lib/rancher/rke2/agent/containerd/[^/]*/snapshots -d gen_context(system_u:object_r:container_share_t,s0) /var/lib/rancher/rke2/agent/containerd/[^/]*/snapshots/[^/]* -d gen_context(system_u:object_r:container_share_t,s0) /var/lib/rancher/rke2/agent/containerd/[^/]*/snapshots/[^/]*/.* <> /var/lib/rancher/rke2/agent/containerd/[^/]*/sandboxes(/.*)? gen_context(system_u:object_r:container_share_t,s0) +/var/lib/rancher/rke2/server/logs(/.*)? gen_context(system_u:object_r:container_log_t,s0) /var/run/flannel(/.*)? gen_context(system_u:object_r:container_var_run_t,s0) /var/run/k3s(/.*)? gen_context(system_u:object_r:container_var_run_t,s0) /var/run/k3s/containerd/[^/]*/sandboxes/[^/]*/shm(/.*)? gen_context(system_u:object_r:container_runtime_tmpfs_t,s0) -/var/lib/kubelet/pods(/.*)? gen_context(system_u:object_r:container_file_t,s0) /var/log/containers(/.*)? gen_context(system_u:object_r:container_log_t,s0) /var/log/pods(/.*)? gen_context(system_u:object_r:container_log_t,s0) -/var/lib/rancher/rke2/server/logs(/.*)? gen_context(system_u:object_r:container_log_t,s0) 
diff --git a/policy/centos7/rke2.if b/policy/centos7/rke2.if index 6e7d10f..13e578a 100644 --- a/policy/centos7/rke2.if +++ b/policy/centos7/rke2.if @@ -2,6 +2,7 @@ interface(`rke2_filetrans_named_content',` gen_require(` + type container_config_t; type container_file_t; type container_log_t; type container_runtime_exec_t; @@ -15,6 +16,7 @@ interface(`rke2_filetrans_named_content',` container_filetrans_named_content($1) files_pid_filetrans($1, container_var_run_t, dir, "rke2") filetrans_pattern($1, container_var_lib_t, container_runtime_exec_t, dir, "data") + filetrans_pattern($1, container_runtime_exec_t, container_config_t, dir, "charts") filetrans_pattern($1, container_var_lib_t, container_share_t, dir, "snapshots") filetrans_pattern($1, container_var_lib_t, container_file_t, dir, "pods") filetrans_pattern($1, container_var_run_t, container_runtime_tmpfs_t, dir, "shm") diff --git a/policy/centos8/rke2-selinux.spec b/policy/centos8/rke2-selinux.spec index dd8ea20..b56bcb6 100644 --- a/policy/centos8/rke2-selinux.spec +++ b/policy/centos8/rke2-selinux.spec @@ -1,7 +1,6 @@ # vim: sw=4:ts=4:et - -%define relabel_files() \ +%define rke2_relabel_files() \ mkdir -p /var/lib/cni; \ mkdir -p /var/lib/kubelet/pods; \ mkdir -p /var/lib/rancher/rke2/agent/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots; \ 
@@ -16,32 +15,39 @@ restorecon -R /var/lib/rancher; \ restorecon -R /var/run/k3s; \ restorecon -R /var/run/flannel - %define selinux_policyver 3.13.1-252 %define container_policyver 2.167.0-1 +%define container_policy_epoch 2 -Name: rke2-selinux -Version: %{rke2_selinux_version} -Release: %{rke2_selinux_release}.el8 -Summary: SELinux policy module for rke2 +Name: rke2-selinux +Version: %{rke2_selinux_version} +Release: %{rke2_selinux_release}.el8 +Summary: SELinux policy module for rke2 -Group: System Environment/Base -License: ASL 2.0 -URL: http://rancher.com -Source0: rke2.pp -Source1: rke2.if +Group: System Environment/Base +License: ASL 2.0 +URL: https://rke2.io +Source0: rke2.pp +Source1: rke2.if +BuildArch: noarch +BuildRequires: container-selinux >= %{container_policy_epoch}:%{container_policyver} +BuildRequires: git +BuildRequires: selinux-policy >= %{selinux_policyver} +BuildRequires: selinux-policy-devel >= %{selinux_policyver} Requires: policycoreutils, libselinux-utils -Requires(post): selinux-policy-base >= %{selinux_policyver}, policycoreutils, container-selinux >= 2:%{container_policyver} +Requires(post): selinux-policy-base >= %{selinux_policyver} +Requires(post): policycoreutils +Requires(post): container-selinux >= %{container_policy_epoch}:%{container_policyver} Requires(postun): policycoreutils +Provides: %{name} = %{version}-%{release} +Obsoletes: rke2-selinux < 0.9 Conflicts: k3s-selinux -BuildArch: noarch - %description -This package installs and sets up the SELinux policy security module for rke2. +This package installs and sets up the SELinux policy security module for rke2. %install install -d %{buildroot}%{_datadir}/selinux/packages 
@@ -50,29 +56,26 @@ install -d %{buildroot}%{_datadir}/selinux/devel/include/contrib install -m 644 %{SOURCE1} %{buildroot}%{_datadir}/selinux/devel/include/contrib/ install -d %{buildroot}/etc/selinux/targeted/contexts/users/ +%pre +%selinux_relabel_pre %post semodule -n -i %{_datadir}/selinux/packages/rke2.pp if /usr/sbin/selinuxenabled ; then /usr/sbin/load_policy - %relabel_files - + %rke2_relabel_files fi; -exit 0 %postun if [ $1 -eq 0 ]; then - semodule -n -r rke2 - if /usr/sbin/selinuxenabled ; then - /usr/sbin/load_policy - - fi; + %selinux_modules_uninstall rke2 fi; -exit 0 + +%posttrans +%selinux_relabel_post %files %attr(0600,root,root) %{_datadir}/selinux/packages/rke2.pp %{_datadir}/selinux/devel/include/contrib/rke2.if - %changelog diff --git a/policy/centos8/rke2.fc b/policy/centos8/rke2.fc index e93189f..362f755 100644 --- a/policy/centos8/rke2.fc +++ b/policy/centos8/rke2.fc 
@@ -1,13 +1,26 @@ # vim: sw=8:ts=8:et + +# commented items are lines retained for parity when comparing policy between target distributions. +# these are commented because they will cause conflict and/or crash when attempting to install with upstream +# container-selinux: https://github.com/containers/container-selinux/pull/140/files + /etc/systemd/system/rke2.* -- gen_context(system_u:object_r:container_unit_file_t,s0) /lib/systemd/system/rke2.* -- gen_context(system_u:object_r:container_unit_file_t,s0) /usr/local/lib/systemd/system/rke2.* -- gen_context(system_u:object_r:container_unit_file_t,s0) /usr/bin/rke2 -- gen_context(system_u:object_r:container_runtime_exec_t,s0) /usr/local/bin/rke2 -- gen_context(system_u:object_r:container_runtime_exec_t,s0) +#/var/lib/cni(/.*)? gen_context(system_u:object_r:container_var_lib_t,s0) +#/var/lib/kubelet/pods(/.*)? gen_context(system_u:object_r:container_file_t,s0) /var/lib/rancher/rke2(/.*)? gen_context(system_u:object_r:container_var_lib_t,s0) /var/lib/rancher/rke2/data(/.*)? gen_context(system_u:object_r:container_runtime_exec_t,s0) +/var/lib/rancher/rke2/data/[^/]*/charts(/.*)? gen_context(system_u:object_r:container_config_t,s0) /var/lib/rancher/rke2/agent/containerd/[^/]*/snapshots -d gen_context(system_u:object_r:container_share_t,s0) /var/lib/rancher/rke2/agent/containerd/[^/]*/snapshots/[^/]* -d gen_context(system_u:object_r:container_share_t,s0) /var/lib/rancher/rke2/agent/containerd/[^/]*/snapshots/[^/]*/.* <> /var/lib/rancher/rke2/agent/containerd/[^/]*/sandboxes(/.*)? gen_context(system_u:object_r:container_share_t,s0) /var/lib/rancher/rke2/server/logs(/.*)? gen_context(system_u:object_r:container_log_t,s0) +#/var/run/flannel(/.*)? gen_context(system_u:object_r:container_var_run_t,s0) +#/var/run/k3s(/.*)? gen_context(system_u:object_r:container_var_run_t,s0) +#/var/run/k3s/containerd/[^/]*/sandboxes/[^/]*/shm(/.*)? gen_context(system_u:object_r:container_runtime_tmpfs_t,s0) +#/var/log/containers(/.*)? 
gen_context(system_u:object_r:container_log_t,s0) +#/var/log/pods(/.*)? gen_context(system_u:object_r:container_log_t,s0) diff --git a/policy/centos8/rke2.if b/policy/centos8/rke2.if index 6bc145e..75a8f1e 100644 --- a/policy/centos8/rke2.if +++ b/policy/centos8/rke2.if @@ -2,6 +2,7 @@ interface(`rke2_filetrans_named_content',` gen_require(` + type container_config_t; type container_file_t; type container_log_t; type container_runtime_exec_t; @@ -16,6 +17,7 @@ interface(`rke2_filetrans_named_content',` container_filetrans_named_content($1) files_pid_filetrans($1, container_var_run_t, dir, "rke2") filetrans_pattern($1, container_var_lib_t, container_runtime_exec_t, dir, "data") + filetrans_pattern($1, container_runtime_exec_t, container_config_t, dir, "charts") filetrans_pattern($1, container_var_lib_t, container_file_t, dir, "pods") filetrans_pattern($1, var_lib_t, container_var_lib_t, dir, "kubelet") filetrans_pattern($1, var_log_t, container_log_t, dir, "pods") diff --git a/policy/microos/rke2-selinux.spec b/policy/microos/rke2-selinux.spec new file mode 100644 index 0000000..570de7b --- /dev/null +++ b/policy/microos/rke2-selinux.spec 
@@ -0,0 +1,80 @@ +# vim: sw=4:ts=4:et + +%define rke2_relabel_files() \ +mkdir -p /var/lib/cni; \ +mkdir -p /var/lib/kubelet/pods; \ +mkdir -p /var/lib/rancher/rke2/agent/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots; \ +mkdir -p /var/lib/rancher/rke2/data; \ +mkdir -p /var/run/flannel; \ +mkdir -p /var/run/k3s; \ +restorecon -R -i /etc/systemd/system/rke2.service; \ +restorecon -R -i /usr/lib/systemd/system/rke2.service; \ +restorecon -R /var/lib/cni; \ +restorecon -R /var/lib/kubelet; \ +restorecon -R /var/lib/rancher; \ +restorecon -R /var/run/k3s; \ +restorecon -R /var/run/flannel + +%define selinux_policyver 20210716-3.1 +%define container_policyver 2.164.2-1.1 + +Name: rke2-selinux +Version: %{rke2_selinux_version} +Release: %{rke2_selinux_release}.sle +Summary: SELinux policy module for rke2 + +Group: System Environment/Base +License: ASL 2.0 +URL: https://rke2.io +Source0: rke2.pp +Source1: rke2.if + +BuildArch: noarch +BuildRequires: container-selinux >= %{container_policyver} +BuildRequires: git +BuildRequires: selinux-policy >= %{selinux_policyver} +BuildRequires: selinux-policy-devel >= %{selinux_policyver} + +Requires: policycoreutils, selinux-tools +Requires(post): selinux-policy-base >= %{selinux_policyver} +Requires(post): policycoreutils +Requires(post): container-selinux >= %{container_policyver} +Requires(postun): policycoreutils + +Provides: %{name} = %{version}-%{release} +Obsoletes: rke2-selinux < 0.9 +Conflicts: k3s-selinux + +%description +This package installs and sets up the SELinux policy security module for rke2. 
+ +%install +install -d %{buildroot}%{_datadir}/selinux/packages +install -m 644 %{SOURCE0} %{buildroot}%{_datadir}/selinux/packages +install -d %{buildroot}%{_datadir}/selinux/devel/include/contrib +install -m 644 %{SOURCE1} %{buildroot}%{_datadir}/selinux/devel/include/contrib/ +install -d %{buildroot}/etc/selinux/targeted/contexts/users/ + +%pre +%selinux_relabel_pre + +%post +semodule -n -i %{_datadir}/selinux/packages/rke2.pp +if /usr/sbin/selinuxenabled ; then + /usr/sbin/load_policy + %rke2_relabel_files +fi; + +%postun +if [ $1 -eq 0 ]; then + %selinux_modules_uninstall rke2 +fi; + +%posttrans +%selinux_relabel_post + +%files +%attr(0600,root,root) %{_datadir}/selinux/packages/rke2.pp +%{_datadir}/selinux/devel/include/contrib/rke2.if + +%changelog diff --git a/policy/microos/rke2.fc b/policy/microos/rke2.fc new file mode 100644 index 0000000..362f755 --- /dev/null +++ b/policy/microos/rke2.fc 
@@ -0,0 +1,26 @@ +# vim: sw=8:ts=8:et + +# commented items are lines retained for parity when comparing policy between target distributions. +# these are commented because they will cause conflict and/or crash when attempting to install with upstream +# container-selinux: https://github.com/containers/container-selinux/pull/140/files + +/etc/systemd/system/rke2.* -- gen_context(system_u:object_r:container_unit_file_t,s0) +/lib/systemd/system/rke2.* -- gen_context(system_u:object_r:container_unit_file_t,s0) +/usr/local/lib/systemd/system/rke2.* -- gen_context(system_u:object_r:container_unit_file_t,s0) +/usr/bin/rke2 -- gen_context(system_u:object_r:container_runtime_exec_t,s0) +/usr/local/bin/rke2 -- gen_context(system_u:object_r:container_runtime_exec_t,s0) +#/var/lib/cni(/.*)? gen_context(system_u:object_r:container_var_lib_t,s0) +#/var/lib/kubelet/pods(/.*)? gen_context(system_u:object_r:container_file_t,s0) +/var/lib/rancher/rke2(/.*)? gen_context(system_u:object_r:container_var_lib_t,s0) +/var/lib/rancher/rke2/data(/.*)? gen_context(system_u:object_r:container_runtime_exec_t,s0) +/var/lib/rancher/rke2/data/[^/]*/charts(/.*)? gen_context(system_u:object_r:container_config_t,s0) +/var/lib/rancher/rke2/agent/containerd/[^/]*/snapshots -d gen_context(system_u:object_r:container_share_t,s0) +/var/lib/rancher/rke2/agent/containerd/[^/]*/snapshots/[^/]* -d gen_context(system_u:object_r:container_share_t,s0) +/var/lib/rancher/rke2/agent/containerd/[^/]*/snapshots/[^/]*/.* <> +/var/lib/rancher/rke2/agent/containerd/[^/]*/sandboxes(/.*)? gen_context(system_u:object_r:container_share_t,s0) +/var/lib/rancher/rke2/server/logs(/.*)? gen_context(system_u:object_r:container_log_t,s0) +#/var/run/flannel(/.*)? gen_context(system_u:object_r:container_var_run_t,s0) +#/var/run/k3s(/.*)? gen_context(system_u:object_r:container_var_run_t,s0) +#/var/run/k3s/containerd/[^/]*/sandboxes/[^/]*/shm(/.*)? 
gen_context(system_u:object_r:container_runtime_tmpfs_t,s0) +#/var/log/containers(/.*)? gen_context(system_u:object_r:container_log_t,s0) +#/var/log/pods(/.*)? gen_context(system_u:object_r:container_log_t,s0) diff --git a/policy/microos/rke2.if b/policy/microos/rke2.if new file mode 100644 index 0000000..75a8f1e --- /dev/null +++ b/policy/microos/rke2.if 
@@ -0,0 +1,55 @@ +# adapted from https://github.com/containers/container-selinux/blob/v2.143.0/container.if#L484 +interface(`rke2_filetrans_named_content',` + + gen_require(` + type container_config_t; + type container_file_t; + type container_log_t; + type container_runtime_exec_t; + type container_runtime_tmpfs_t; + type container_share_t; + type container_var_lib_t; + type container_var_run_t; + type container_kvm_var_run_t; + type var_lib_t; + ') + + container_filetrans_named_content($1) + files_pid_filetrans($1, container_var_run_t, dir, "rke2") + filetrans_pattern($1, container_var_lib_t, container_runtime_exec_t, dir, "data") + filetrans_pattern($1, container_runtime_exec_t, container_config_t, dir, "charts") + filetrans_pattern($1, container_var_lib_t, container_file_t, dir, "pods") + filetrans_pattern($1, var_lib_t, container_var_lib_t, dir, "kubelet") + filetrans_pattern($1, var_log_t, container_log_t, dir, "pods") + filetrans_pattern($1, var_log_t, container_log_t, dir, "containers") + filetrans_pattern($1, container_var_lib_t, container_log_t, dir, "logs") +') + +template(`rke2_service_domain_template',` + container_domain_template($1) + virt_sandbox_domain($1_t) + + gen_require(` + attribute container_domain, container_net_domain; + attribute sandbox_net_domain; + ') + typeattribute $1_t container_domain, container_net_domain, sandbox_net_domain; + + virt_default_capabilities($1_t) + kernel_read_messages($1_t) + logging_send_syslog_msg($1_t) + + corenet_unconfined($1_t) + corenet_tcp_bind_generic_node($1_t) + corenet_udp_bind_generic_node($1_t) + corenet_raw_bind_generic_node($1_t) + corenet_tcp_sendrecv_all_ports($1_t) + corenet_udp_sendrecv_all_ports($1_t) + corenet_udp_bind_all_ports($1_t) + corenet_tcp_bind_all_ports($1_t) + corenet_tcp_connect_all_ports($1_t) + + miscfiles_read_all_certs($1_t) + + admin_pattern($1_t, container_log_t) +') diff --git a/policy/microos/rke2.te b/policy/microos/rke2.te new file mode 100644 index 0000000..acb021a 
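Review bot: In `rke2_service_domain_template`, `corenet_unconfined($1_t)` already grants the domain unrestricted access to every node, interface, port and packet type, so the eight `corenet_*_bind_generic_node`, `corenet_*_sendrecv_all_ports`, `corenet_*_bind_all_ports` and `corenet_tcp_connect_all_ports` calls that follow add nothing; keeping both hides the real extent of the grant from anyone auditing the policy. Either drop `corenet_unconfined` and keep the explicit list (the least-privilege form, and what the per-port calls suggest was intended), or keep `corenet_unconfined` alone with a comment stating that the rke2 service domains are deliberately network-unconfined. The `gen_require` block of `rke2_filetrans_named_content` also lists `container_kvm_var_run_t`, `container_runtime_tmpfs_t` and `container_share_t`, which nothing in the interface uses, while `var_log_t`, used in three `filetrans_pattern` calls, is not required there — that compiles only if another invoked interface happens to require it, so it should be added explicitly.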
--- /dev/null +++ b/policy/microos/rke2.te @@ -0,0 +1,21 @@ +policy_module(rke2, 1.0.0) + +gen_require(` + type container_runtime_t, unconfined_service_t; +') +rke2_filetrans_named_content(container_runtime_t) +rke2_filetrans_named_content(unconfined_service_t) + +####################### +# type rke2_service_t # +####################### +rke2_service_domain_template(rke2_service) +container_read_lib_files(rke2_service_t) + +########################## +# type rke2_service_db_t # +########################## +rke2_service_domain_template(rke2_service_db) +container_manage_lib_dirs(rke2_service_db_t) +container_manage_lib_files(rke2_service_db_t) +allow rke2_service_db_t container_var_lib_t:file { map }; diff --git a/policy/microos/scripts/build b/policy/microos/scripts/build new file mode 100755 index 0000000..1fecd31 --- /dev/null +++ b/policy/microos/scripts/build @@ -0,0 +1,21 @@ +#!/bin/bash +set -e -x + +cd $(dirname $0)/.. +. ./scripts/version + +make -f /usr/share/selinux/devel/Makefile rke2.pp + +rpmbuild \ + --define "rke2_selinux_version ${RPM_VERSION}" \ + --define "rke2_selinux_release ${RPM_RELEASE}" \ + --define "_sourcedir $PWD" \ + --define "_specdir $PWD" \ + --define "_builddir $PWD" \ + --define "_srcrpmdir ${PWD}/dist/source" \ + --define "_buildrootdir $PWD/.build" \ + --define "_rpmdir ${PWD}/dist" \ + -ba rke2-selinux.spec + +mkdir -p /source/dist/microos +cp -r dist/* /source/dist/microos diff --git a/policy/microos/scripts/entry b/policy/microos/scripts/entry new file mode 100755 index 0000000..6fad799 --- /dev/null +++ b/policy/microos/scripts/entry @@ -0,0 +1,12 @@ +#!/bin/sh +set -ex + +if [ -e ./policy/microos/scripts/"$1" ]; then + ./policy/microos/scripts/"$@" +else + exec "$@" +fi + +if [ "$DAPPER_UID" -ne "-1" ]; then + chown -R $DAPPER_UID:$DAPPER_GID . +fi diff --git a/policy/microos/scripts/sign b/policy/microos/scripts/sign new file mode 100755 index 0000000..3d7a1f2 --- /dev/null +++ b/policy/microos/scripts/sign 
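Review bot: In the new `policy/microos/scripts/entry`, `[ "$DAPPER_UID" -ne "-1" ]` and the unquoted `chown -R $DAPPER_UID:$DAPPER_GID .` assume both variables are set to integers; with `set -e` an empty `DAPPER_UID` makes `[` fail on an integer-expression error and aborts the script before the ownership reset runs. The chown is also reachable only on the first branch — `exec "$@"` replaces the shell and never returns — so the two paths leave the mounted source with different ownership. Quote the expansion, `chown -R "$DAPPER_UID:$DAPPER_GID" .`, and guard it with `if [ -n "$DAPPER_UID" ] && [ "$DAPPER_UID" -ne -1 ]; then`, or add a comment stating that dapper always exports both variables.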
@@ -0,0 +1,45 @@
+#!/bin/bash
+set -e -x
+
+yum install -y rpm-sign expect git
+
+pushd $(dirname $0)/..
+. ./scripts/version
+popd
+
+cat <<\EOF >~/.rpmmacros
+%_signature gpg
+%_gpg_name ci@rancher.com
+EOF
+
+case "$RPM_CHANNEL" in
+ "testing")
+ export PRIVATE_KEY_PASS_PHRASE=$TESTING_PRIVATE_KEY_PASS_PHRASE
+ if ! grep "BEGIN PGP PRIVATE KEY BLOCK" <<<"$TESTING_PRIVATE_KEY"; then
+ echo "TESTING_PRIVATE_KEY not defined, failing rpm sign"
+ exit 1
+ fi
+ gpg --import - <<<"$TESTING_PRIVATE_KEY"
+ ;;
+ "latest"|"stable")
+ if ! grep "BEGIN PGP PRIVATE KEY BLOCK" <<<"$PRIVATE_KEY"; then
+ echo "PRIVATE_KEY not defined, failing rpm sign"
+ exit 1
+ fi
+ gpg --import - <<<"$PRIVATE_KEY"
+ ;;
+ *)
+ echo "RPM_CHANNEL $RPM_CHANNEL does not match one of: [testing, latest, stable]"
+ exit 1
+ ;;
+esac
+
+expect < 'server',
+ :RKE2_KUBECONFIG_MODE => '0664',
+ :RKE2_TOKEN => 'vagrant',
+ })
+ sh.inline = <<~SHELL
+ #!/usr/bin/env bash
+ set -eux -o pipefail
+ curl -fsSL https://get.rke2.io | sh -
+ echo >> /etc/sysconfig/rke2-${INSTALL_RKE2_TYPE}
+ bash +x -ec 'sh -c export | while read x v; do echo $v; done | grep -E "^(RKE2|CONTAINERD)_"' >> /etc/sysconfig/rke2-${INSTALL_RKE2_TYPE}
+ systemctl enable --now rke2-${INSTALL_RKE2_TYPE}
+ SHELL
+ sh.upload_path = "/tmp/vagrant-install-rke2"
+ end
+ test.vm.provision "rke2-wait-for-node", type: "shell", run: "once" do |sh|
+ sh.inline = <<~SHELL
+ #!/usr/bin/env bash
+ set -eu -o pipefail
+ echo 'Waiting for node (and static pods) to be ready ...'
+ time {
+ timeout 180 bash -c 'while ! (kubectl wait --for condition=ready node/$(hostname) 2>/dev/null); do sleep 5; done'
+ timeout 120 bash -c 'while ! (kubectl wait --for condition=ready -n kube-system pod/etcd-$(hostname) 2>/dev/null); do sleep 5; done'
+ timeout 120 bash -c 'while ! (kubectl wait --for condition=ready -n kube-system pod/kube-apiserver-$(hostname) 2>/dev/null); do sleep 5; done'
+ timeout 120 bash -c 'while ! (kubectl wait --for condition=ready -n kube-system pod/kube-scheduler-$(hostname) 2>/dev/null); do sleep 5; done'
+ timeout 120 bash -c 'while ! (kubectl wait --for condition=ready -n kube-system pod/kube-proxy-$(hostname) 2>/dev/null); do sleep 5; done'
+ timeout 120 bash -c 'while ! (kubectl wait --for condition=ready -n kube-system pod/kube-controller-manager-$(hostname) 2>/dev/null); do sleep 5; done'
+ timeout 120 bash -c 'while ! (kubectl wait --for condition=ready -n kube-system pod/cloud-controller-manager-$(hostname) 2>/dev/null); do sleep 5; done'
+ }
+ kubectl get node,all -A -o wide
+ SHELL
+ end
+ test.vm.provision "rke2-wait-for-canal", type: "shell", run: "once" do |sh|
+ sh.inline = <<~SHELL
+ #!/usr/bin/env bash
+ set -eu -o pipefail
+ time {
+ timeout 120 bash -c 'while ! (kubectl --namespace kube-system rollout status --timeout 10s daemonset/rke2-canal 2>/dev/null); do sleep 5; done'
+ }
+ SHELL
+ end
+ test.vm.provision "rke2-wait-for-coredns", type: "shell", run: "once" do |sh|
+ sh.inline = <<~SHELL
+ #!/usr/bin/env bash
+ set -eu -o pipefail
+ time {
+ timeout 120 bash -c 'while ! (kubectl --namespace kube-system rollout status --timeout 10s deploy/rke2-coredns-rke2-coredns 2>/dev/null); do sleep 5; done'
+ timeout 120 bash -c 'while ! (kubectl --namespace kube-system rollout status --timeout 10s deploy/rke2-coredns-rke2-coredns-autoscaler 2>/dev/null); do sleep 5; done'
+ }
+ SHELL
+ end
+ test.vm.provision "rke2-wait-for-ingress-nginx", type: "shell", run: "once" do |sh|
+ sh.inline = <<~SHELL
+ #!/usr/bin/env bash
+ set -eu -o pipefail
+ time {
+ timeout 120 bash -c 'while ! (kubectl --namespace kube-system rollout status --timeout 10s daemonset/rke2-ingress-nginx-controller 2>/dev/null); do sleep 5; done'
+ }
+ SHELL
+ end
+ test.vm.provision "rke2-wait-for-metrics-server", type: "shell", run: "once" do |sh|
+ sh.inline = <<~SHELL
+ #!/usr/bin/env bash
+ set -eu -o pipefail
+ time {
+ timeout 120 bash -c 'while ! (kubectl --namespace kube-system rollout status --timeout 10s deploy/rke2-metrics-server 2>/dev/null); do sleep 5; done'
+ }
+ SHELL
+ end
+ test.vm.provision "rke2-status", type: "shell", run: "once" do |sh|
+ sh.inline = <<~SHELL
+ #!/usr/bin/env bash
+ set -eux -o pipefail
+ kubectl get node,all -A -o wide
+ SHELL
+ end
+ test.vm.provision "rke2-status-selinux", type: "shell", run: "once" do |sh|
+ sh.inline = <<~SHELL
+ #!/usr/bin/env bash
+ set -eux -o pipefail
+ ps auxZ | grep -E 'etcd|kube|rke2|container|spc_t|unconfined_t' | grep -v grep
+ SHELL
+ end
+ end
+
+ config.vm.provision "install-packages", type: "shell", run: "once" do |sh|
+ sh.upload_path = "/tmp/vagrant-install-packages"
+ sh.env = {
+ 'INSTALL_PACKAGES': ENV['INSTALL_PACKAGES'],
+ }
+ sh.inline = <<~SHELL
+ #!/usr/bin/env bash
+ set -eux -o pipefail
+ yum -y install \
+ curl \
+ iptables \
+ less \
+ lsof \
+ nc \
+ socat \
+ ${INSTALL_PACKAGES}
+ SHELL
+ end
+
+ config.vm.provision "selinux-status", type: "shell", run: "once", inline: "sestatus -v"
+ config.vm.provision "install-rke2-profile", type: "shell", run: "once" do |sh|
+ sh.inline = <<~SHELL
+ #!/usr/bin/env bash
+ cat <<-EOF > /etc/profile.d/rke2.sh
+export KUBECONFIG=/etc/rancher/rke2/rke2.yaml PATH=/usr/local/bin:$PATH:/var/lib/rancher/rke2/bin
+EOF
+ SHELL
+ end
+
+end
diff --git a/test/el8/README.md b/test/el8/README.md
new file mode 100644
index 0000000..1ce10b4
--- /dev/null
+++ b/test/el8/README.md
@@ -0,0 +1,13 @@
+rke2-selinux for el8
+---
+
+The Vagrant box in use supports these providers:
+- `libvirt`
+- `virtualbox`
+- `vmware_desktop`
+
+To spin up a VM to test locally built rke2-selinux RPM:
+```shell
+cp -vf ../../dist/centos8/noarch/*.rpm .
+INSTALL_PACKAGES=/vagrant/rke2-selinux-*.noarch.rpm vagrant up
+```
diff --git a/test/el8/Vagrantfile b/test/el8/Vagrantfile
new file mode 100644
index 0000000..3ffbc8a
--- /dev/null
+++ b/test/el8/Vagrantfile
@@ -0,0 +1,131 @@
+# -*- mode: ruby -*-
+# vi: set ft=ruby :
+
+Vagrant.configure("2") do |config|
+ config.vm.box = "dweomer/centos-8.4-amd64"
+ config.vm.synced_folder '.', '/vagrant', type: 'rsync', disabled: false
+ %w[libvirt virtualbox vmware_desktop].each do |p|
+ config.vm.provider p do |v, o|
+ v.memory = "2048"
+ v.cpus = 2
+ end
+ end
+
+ config.vm.define "rke2-selinux-el8", primary: true do |test|
+ test.vm.hostname = "test-el8"
+ test.vm.provision "install-rke2", type: "shell", run: "once" do |sh|
+ sh.env = ENV.select{|k,v| k.start_with?('RKE2_') || k.start_with?('INSTALL_RKE2_')}.merge({
+ :INSTALL_RKE2_TYPE => 'server',
+ :RKE2_KUBECONFIG_MODE => '0664',
+ :RKE2_TOKEN => 'vagrant',
+ })
+ sh.inline = <<~SHELL
+ #!/usr/bin/env bash
+ set -eux -o pipefail
+ curl -fsSL https://get.rke2.io | sh -
+ echo >> /etc/sysconfig/rke2-${INSTALL_RKE2_TYPE}
+ bash +x -ec 'sh -c export | while read x v; do echo $v; done | grep -E "^(RKE2|CONTAINERD)_"' >> /etc/sysconfig/rke2-${INSTALL_RKE2_TYPE}
+ systemctl enable --now rke2-${INSTALL_RKE2_TYPE}
+ SHELL
+ sh.upload_path = "/tmp/vagrant-install-rke2"
+ end
+ test.vm.provision "rke2-wait-for-node", type: "shell", run: "once" do |sh|
+ sh.inline = <<~SHELL
+ #!/usr/bin/env bash
+ set -eu -o pipefail
+ echo 'Waiting for node (and static pods) to be ready ...'
+ time {
+ timeout 180 bash -c 'while ! (kubectl wait --for condition=ready node/$(hostname) 2>/dev/null); do sleep 5; done'
+ timeout 120 bash -c 'while ! (kubectl wait --for condition=ready -n kube-system pod/etcd-$(hostname) 2>/dev/null); do sleep 5; done'
+ timeout 120 bash -c 'while ! (kubectl wait --for condition=ready -n kube-system pod/kube-apiserver-$(hostname) 2>/dev/null); do sleep 5; done'
+ timeout 120 bash -c 'while ! (kubectl wait --for condition=ready -n kube-system pod/kube-scheduler-$(hostname) 2>/dev/null); do sleep 5; done'
+ timeout 120 bash -c 'while ! (kubectl wait --for condition=ready -n kube-system pod/kube-proxy-$(hostname) 2>/dev/null); do sleep 5; done'
+ timeout 120 bash -c 'while ! (kubectl wait --for condition=ready -n kube-system pod/kube-controller-manager-$(hostname) 2>/dev/null); do sleep 5; done'
+ timeout 120 bash -c 'while ! (kubectl wait --for condition=ready -n kube-system pod/cloud-controller-manager-$(hostname) 2>/dev/null); do sleep 5; done'
+ }
+ kubectl get node,all -A -o wide
+ SHELL
+ end
+ test.vm.provision "rke2-wait-for-canal", type: "shell", run: "once" do |sh|
+ sh.inline = <<~SHELL
+ #!/usr/bin/env bash
+ set -eu -o pipefail
+ time {
+ timeout 120 bash -c 'while ! (kubectl --namespace kube-system rollout status --timeout 10s daemonset/rke2-canal 2>/dev/null); do sleep 5; done'
+ }
+ SHELL
+ end
+ test.vm.provision "rke2-wait-for-coredns", type: "shell", run: "once" do |sh|
+ sh.inline = <<~SHELL
+ #!/usr/bin/env bash
+ set -eu -o pipefail
+ time {
+ timeout 120 bash -c 'while ! (kubectl --namespace kube-system rollout status --timeout 10s deploy/rke2-coredns-rke2-coredns 2>/dev/null); do sleep 5; done'
+ timeout 120 bash -c 'while ! (kubectl --namespace kube-system rollout status --timeout 10s deploy/rke2-coredns-rke2-coredns-autoscaler 2>/dev/null); do sleep 5; done'
+ }
+ SHELL
+ end
+ test.vm.provision "rke2-wait-for-ingress-nginx", type: "shell", run: "once" do |sh|
+ sh.inline = <<~SHELL
+ #!/usr/bin/env bash
+ set -eu -o pipefail
+ time {
+ timeout 120 bash -c 'while ! (kubectl --namespace kube-system rollout status --timeout 10s daemonset/rke2-ingress-nginx-controller 2>/dev/null); do sleep 5; done'
+ }
+ SHELL
+ end
+ test.vm.provision "rke2-wait-for-metrics-server", type: "shell", run: "once" do |sh|
+ sh.inline = <<~SHELL
+ #!/usr/bin/env bash
+ set -eu -o pipefail
+ time {
+ timeout 120 bash -c 'while ! (kubectl --namespace kube-system rollout status --timeout 10s deploy/rke2-metrics-server 2>/dev/null); do sleep 5; done'
+ }
+ SHELL
+ end
+ test.vm.provision "rke2-status", type: "shell", run: "once" do |sh|
+ sh.inline = <<~SHELL
+ #!/usr/bin/env bash
+ set -eux -o pipefail
+ kubectl get node,all -A -o wide
+ SHELL
+ end
+ test.vm.provision "rke2-status-selinux", type: "shell", run: "once" do |sh|
+ sh.inline = <<~SHELL
+ #!/usr/bin/env bash
+ set -eux -o pipefail
+ ps auxZ | grep -E 'etcd|kube|rke2|container|spc_t|unconfined_t' | grep -v grep
+ SHELL
+ end
+ end
+
+ config.vm.provision "install-packages", type: "shell", run: "once" do |sh|
+ sh.upload_path = "/tmp/vagrant-install-packages"
+ sh.env = {
+ 'INSTALL_PACKAGES': ENV['INSTALL_PACKAGES'],
+ }
+ sh.inline = <<~SHELL
+ #!/usr/bin/env bash
+ set -eux -o pipefail
+ dnf -y install \
+ curl \
+ iptables \
+ less \
+ lsof \
+ nc \
+ socat \
+ ${INSTALL_PACKAGES}
+ SHELL
+ end
+
+ config.vm.provision "selinux-status", type: "shell", run: "once", inline: "sestatus -v"
+ config.vm.provision "install-rke2-profile", type: "shell", run: "once" do |sh|
+ sh.inline = <<~SHELL
+ #!/usr/bin/env bash
+ cat <<-EOF > /etc/profile.d/rke2.sh
+export KUBECONFIG=/etc/rancher/rke2/rke2.yaml PATH=/usr/local/bin:$PATH:/var/lib/rancher/rke2/bin
+EOF
+ SHELL
+ end
+
+end
diff --git a/test/sle/README.md b/test/sle/README.md
new file mode 100644
index 0000000..aeff4d3
--- /dev/null
+++ b/test/sle/README.md
@@ -0,0 +1,13 @@
+rke2-selinux for sle
+---
+
+The Vagrant box in use supports these providers:
+- `libvirt`
+- `virtualbox`
+- `vmware_desktop`
+
+To spin up a VM to test locally built rke2-selinux RPM:
+```shell
+cp -vf ../../dist/microos/noarch/*.rpm .
+INSTALL_PACKAGES=/vagrant/rke2-selinux-*.noarch.rpm vagrant up
+```
diff --git a/test/sle/Vagrantfile b/test/sle/Vagrantfile
new file mode 100644
index 0000000..c2b5b4e
--- /dev/null
+++ b/test/sle/Vagrantfile
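Review bot: Every `rke2-wait-for-*` and `rke2-status*` step in this file calls `kubectl` without setting `KUBECONFIG` or adding `/var/lib/rancher/rke2/bin` to `PATH`, whereas `test/sle/Vagrantfile` in this same commit starts each of those scripts with `source /etc/profile.d/rke2.sh`; unless the el8 box runs provisioner scripts through a login shell that reads `profile.d`, these steps fail at the first `kubectl`, so the same `source` line belongs here (the `install-rke2-profile` provisioner that writes that file is defined at the bottom, so also confirm it runs before the machine-scoped steps). `curl -fsSL https://get.rke2.io | sh -` installs whatever the installer serves on the day the test runs, which makes results non-reproducible for a policy test; passing a version or channel through the already forwarded `INSTALL_RKE2_*` environment, with a comment that the default is "latest", would pin it. `config.vm.provider p do |v, o|` leaves `o` unused; `|v, _o|` or `|v|` reads cleaner.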
@@ -0,0 +1,138 @@
+# -*- mode: ruby -*-
+# vi: set ft=ruby :
+
+Vagrant.configure("2") do |config|
+ config.vm.box = "dweomer/microos.amd64"
+ config.vm.synced_folder '.', '/vagrant', type: 'rsync', disabled: false
+ %w[libvirt virtualbox vmware_desktop].each do |p|
+ config.vm.provider p do |v, o|
+ v.memory = "2048"
+ v.cpus = 2
+ end
+ end
+
+ config.vm.define "rke2-selinux-sle", primary: true do |test|
+ test.vm.hostname = "test-sle"
+ test.vm.provision "install-rke2", type: "shell", run: "once" do |sh|
+ sh.env = ENV.select{|k,v| k.start_with?('RKE2_') || k.start_with?('INSTALL_RKE2_')}.merge({
+ :INSTALL_RKE2_TYPE => 'server',
+ :RKE2_KUBECONFIG_MODE => '0664',
+ :RKE2_TOKEN => 'vagrant',
+ })
+ sh.inline = <<~SHELL
+ #!/usr/bin/env bash
+ set -eux -o pipefail
+ curl -fsSL https://get.rke2.io | sh -
+ echo >> /etc/sysconfig/rke2-${INSTALL_RKE2_TYPE}
+ bash +x -ec 'sh -c export | while read x v; do echo $v; done | grep -E "^(RKE2|CONTAINERD)_"' >> /etc/sysconfig/rke2-${INSTALL_RKE2_TYPE}
+ systemctl enable --now rke2-${INSTALL_RKE2_TYPE}
+ SHELL
+ sh.upload_path = "/tmp/vagrant-install-rke2"
+ end
+ test.vm.provision "rke2-wait-for-node", type: "shell", run: "once" do |sh|
+ sh.inline = <<~SHELL
+ #!/usr/bin/env bash
+ source /etc/profile.d/rke2.sh
+ set -eu -o pipefail
+ echo 'Waiting for node (and static pods) to be ready ...'
+ time {
+ timeout 180 bash -c 'while ! (kubectl wait --for condition=ready node/$(hostname) 2>/dev/null); do sleep 5; done'
+ timeout 120 bash -c 'while ! (kubectl wait --for condition=ready -n kube-system pod/etcd-$(hostname) 2>/dev/null); do sleep 5; done'
+ timeout 120 bash -c 'while ! (kubectl wait --for condition=ready -n kube-system pod/kube-apiserver-$(hostname) 2>/dev/null); do sleep 5; done'
+ timeout 120 bash -c 'while ! (kubectl wait --for condition=ready -n kube-system pod/kube-scheduler-$(hostname) 2>/dev/null); do sleep 5; done'
+ timeout 120 bash -c 'while ! (kubectl wait --for condition=ready -n kube-system pod/kube-proxy-$(hostname) 2>/dev/null); do sleep 5; done'
+ timeout 120 bash -c 'while ! (kubectl wait --for condition=ready -n kube-system pod/kube-controller-manager-$(hostname) 2>/dev/null); do sleep 5; done'
+ timeout 120 bash -c 'while ! (kubectl wait --for condition=ready -n kube-system pod/cloud-controller-manager-$(hostname) 2>/dev/null); do sleep 5; done'
+ }
+ kubectl get node,all -A -o wide
+ SHELL
+ end
+ test.vm.provision "rke2-wait-for-canal", type: "shell", run: "once" do |sh|
+ sh.inline = <<~SHELL
+ #!/usr/bin/env bash
+ source /etc/profile.d/rke2.sh
+ set -eu -o pipefail
+ time {
+ timeout 120 bash -c 'while ! (kubectl --namespace kube-system rollout status --timeout 10s daemonset/rke2-canal 2>/dev/null); do sleep 5; done'
+ }
+ SHELL
+ end
+ test.vm.provision "rke2-wait-for-coredns", type: "shell", run: "once" do |sh|
+ sh.inline = <<~SHELL
+ #!/usr/bin/env bash
+ source /etc/profile.d/rke2.sh
+ set -eu -o pipefail
+ time {
+ timeout 120 bash -c 'while ! (kubectl --namespace kube-system rollout status --timeout 10s deploy/rke2-coredns-rke2-coredns 2>/dev/null); do sleep 5; done'
+ timeout 120 bash -c 'while ! (kubectl --namespace kube-system rollout status --timeout 10s deploy/rke2-coredns-rke2-coredns-autoscaler 2>/dev/null); do sleep 5; done'
+ }
+ SHELL
+ end
+ test.vm.provision "rke2-wait-for-ingress-nginx", type: "shell", run: "once" do |sh|
+ sh.inline = <<~SHELL
+ #!/usr/bin/env bash
+ source /etc/profile.d/rke2.sh
+ set -eu -o pipefail
+ time {
+ timeout 120 bash -c 'while ! (kubectl --namespace kube-system rollout status --timeout 10s daemonset/rke2-ingress-nginx-controller 2>/dev/null); do sleep 5; done'
+ }
+ SHELL
+ end
+ test.vm.provision "rke2-wait-for-metrics-server", type: "shell", run: "once" do |sh|
+ sh.inline = <<~SHELL
+ #!/usr/bin/env bash
+ source /etc/profile.d/rke2.sh
+ set -eu -o pipefail
+ time {
+ timeout 120 bash -c 'while ! (kubectl --namespace kube-system rollout status --timeout 10s deploy/rke2-metrics-server 2>/dev/null); do sleep 5; done'
+ }
+ SHELL
+ end
+ test.vm.provision "rke2-status", type: "shell", run: "once" do |sh|
+ sh.inline = <<~SHELL
+ #!/usr/bin/env bash
+ source /etc/profile.d/rke2.sh
+ set -eux -o pipefail
+ kubectl get node,all -A -o wide
+ SHELL
+ end
+ test.vm.provision "rke2-status-selinux", type: "shell", run: "once" do |sh|
+ sh.inline = <<~SHELL
+ #!/usr/bin/env bash
+ source /etc/profile.d/rke2.sh
+ set -eux -o pipefail
+ ps auxZ | grep -E 'etcd|kube|rke2|container|spc_t|unconfined_t' | grep -v grep
+ SHELL
+ end
+ end
+
+ config.vm.provision "install-packages", type: "shell", run: "once" do |sh|
+ sh.upload_path = "/tmp/vagrant-install-packages"
+ sh.env = {
+ 'INSTALL_PACKAGES': ENV['INSTALL_PACKAGES'],
+ }
+ sh.inline = <<~SHELL
+ #!/usr/bin/env bash
+ source /etc/profile.d/rke2.sh
+ set -eux -o pipefail
+ transactional-update --no-selfupdate -d pkg install -y --allow-unsigned-rpm \
+ curl \
+ iptables \
+ less \
+ lsof \
+ socat \
+ ${INSTALL_PACKAGES}
+ SHELL
+ end
+ config.vm.provision "install-packages-reload", type: "reload", run: "once"
+ config.vm.provision "selinux-status", type: "shell", run: "once", inline: "sestatus -v"
+ config.vm.provision "install-rke2-profile", type: "shell", run: "once" do |sh|
+ sh.inline = <<~SHELL
+ #!/usr/bin/env bash
+ cat <<-EOF > /etc/profile.d/rke2.sh
+export KUBECONFIG=/etc/rancher/rke2/rke2.yaml PATH=/usr/local/bin:$PATH:/var/lib/rancher/rke2/bin
+EOF
+ SHELL
+ end
+
+end
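Review bot: `--allow-unsigned-rpm` on the `transactional-update ... pkg install` line switches off signature verification for the whole package list, including `curl`, `iptables`, `less`, `lsof` and `socat` from the distribution repositories, when the only unsigned package is the locally built RPM passed in via `INSTALL_PACKAGES`; installing the repo packages in a first invocation without the flag and only `${INSTALL_PACKAGES}` in a second one with it keeps verification where it is available. The same `install-packages` script runs `source /etc/profile.d/rke2.sh` before the `install-rke2-profile` provisioner that creates that file is defined further down; if Vagrant runs them in definition order the `source` fails, and it is silent only because `set -eux` comes on the next line, so either drop that `source` from `install-packages` (it does not use kubectl) or move the profile provisioner above it. `config.vm.provider p do |v, o|` leaves `o` unused, as in the el8 Vagrantfile in this commit.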