script to ensure that AppArmor is enabled

AppArmor is disabled on hosts by default. This change introduces the `host-cis-benchmark-apparmor-setup.sh` script, which can be used to enable AppArmor on a host if it is not already enabled. The script checks the current AppArmor status and only performs changes if necessary. Test Plan: PASS: Build an ISO and deploy an AIO-SX environment. PASS: Verify that `host-cis-benchmark-apparmor-setup.sh` exists at `/usr/local/bin` in the AIO-SX setup. PASS: Execute `host-cis-benchmark-apparmor-setup.sh` and verify that AppArmor status changes to 'enabled'. PASS: Run `aa-status` to confirm AppArmor is enabled after the script runs and host is unlocked. PASS: Execute the script when AppArmor is already enabled on the host and confirm that the script exits gracefully without changes. Story: 2011253 Task: 51257 Change-Id: Ia96bd1203c7e47ee29292b0328dfc25a888f49cb Signed-off-by: Jagatguru Prasad Mishra <jagatguruprasad.mishra@windriver.com>
2024-11-04 06:34:30 -05:00 · 2024-11-04 06:34:30 -05:00 · c5db739bfb
commit c5db739bfb
parent dfe4c155cd
4 changed files with 99 additions and 0 deletions
--- a/utilities/platform-util/debian/deb_folder/controller.install
+++ b/utilities/platform-util/debian/deb_folder/controller.install
@ -12,4 +12,5 @@ scripts/local_starlingxrc usr/local/bin
 scripts/kubeconfig-setup usr/local/bin
 scripts/enroll-init-cleanup usr/local/bin
 scripts/enroll-init-reconfigure usr/local/bin
+scripts/host-cis-benchmark-apparmor-setup.sh usr/local/bin
 scripts/apiserver_cis_compliance.sh usr/local/bin
--- a/utilities/platform-util/debian/deb_folder/platform-util-controller.install
+++ b/utilities/platform-util/debian/deb_folder/platform-util-controller.install
@ -12,4 +12,5 @@
 /usr/local/bin/kubeconfig-setup
 /usr/local/bin/enroll-init-cleanup
 /usr/local/bin/enroll-init-reconfigure
+/usr/local/bin/host-cis-benchmark-apparmor-setup.sh
 /usr/local/bin/apiserver_cis_compliance.sh
--- a/utilities/platform-util/debian/deb_folder/rules
+++ b/utilities/platform-util/debian/deb_folder/rules
@ -46,6 +46,7 @@ override_dh_auto_install:
 	install -m 750 scripts/set_keystone_user_option.sh $(DEBIAN_BUILDDIR)/usr/local/bin/
 	install -m 750 scripts/enroll-init-cleanup $(DEBIAN_BUILDDIR)/usr/local/bin/
 	install -m 750 scripts/enroll-init-reconfigure $(DEBIAN_BUILDDIR)/usr/local/bin/
+	install -m 750 scripts/host-cis-benchmark-apparmor-setup.sh $(DEBIAN_BUILDDIR)/usr/local/bin/
 	install -m 750 scripts/apiserver_cis_compliance.sh $(DEBIAN_BUILDDIR)/usr/local/bin/

 	install -d $(DEBIAN_BUILDDIR)/usr/local/sbin/
--- a/utilities/platform-util/scripts/host-cis-benchmark-apparmor-setup.sh
+++ b/utilities/platform-util/scripts/host-cis-benchmark-apparmor-setup.sh
@ -0,0 +1,96 @@
+#!/bin/bash
+#
+# Copyright (c) 2025 Wind River Systems, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+# script to enable apparmor on a host
+#
+
+# Check if the script argument is provided
+if [ -z "$1" ]; then
+    echo "Usage: $0 <host-name>"
+    exit 1
+fi
+
+# Set the host name from the script argument
+HOST=$1
+
+# Source the platform environment
+source /etc/platform/openrc
+
+# Check the current AppArmor status
+apparmor_status=$(system host-show $HOST | grep "apparmor" | awk '{print $4}')
+if [ "$apparmor_status" == "enabled" ]; then
+    echo "AppArmor is already enabled on $HOST."
+    exit 0
+else
+    echo "AppArmor is not enabled on $HOST. Proceeding with the script execution."
+fi
+
+# Lock the host
+echo "Locking the host $HOST..."
+system host-lock $HOST
+
+# Wait for the host status to change to 'locked' with up to 3 attempts
+max_lock_retries=3
+lock_attempt=1
+while [ $lock_attempt -le $max_lock_retries ]; do
+    echo "Attempt $lock_attempt: Checking if the host $HOST is locked..."
+    status=$(system host-show $HOST | grep "administrative" | awk '{print $4}')
+    if [ "$status" == "locked" ]; then
+        echo "Host $HOST is now locked."
+        break
+    else
+        echo "Host $HOST is not yet locked. Retrying..."
+        lock_attempt=$((lock_attempt + 1))
+        sleep 10
+    fi
+done
+
+# Check if locking failed after all attempts
+if [ $lock_attempt -gt $max_lock_retries ]; then
+    echo "Failed to lock the host $HOST after $max_lock_retries attempts. Please check manually."
+    exit 1
+fi
+
+# Run the host update command
+echo "Updating AppArmor status on the host $HOST..."
+system host-update $HOST apparmor=enabled
+
+# Verify if AppArmor is enabled after the update
+apparmor_status=$(system host-show $HOST | grep "apparmor" | awk '{print $4}')
+if [ "$apparmor_status" == "enabled" ]; then
+    echo "AppArmor has been successfully enabled on $HOST."
+else
+    echo "Failed to enable AppArmor on $HOST. Please check manually."
+    exit 1
+fi
+
+# Unlock the host with up to 3 retry attempts
+max_unlock_retries=3
+unlock_attempt=1
+while [ $unlock_attempt -le $max_unlock_retries ]; do
+    echo "Attempt $unlock_attempt: Unlocking the host $HOST..."
+    system host-unlock $HOST
+    sleep 10
+
+    # Check if the host is unlocked
+    status=$(system host-show $HOST | grep "administrative" | awk '{print $4}')
+    if [ "$status" == "unlocked" ]; then
+        echo "Host $HOST is now unlocked."
+        break
+    else
+        echo "Attempt $unlock_attempt failed. Retrying..."
+        unlock_attempt=$((unlock_attempt + 1))
+    fi
+done
+
+# Check if the host is still locked after all attempts
+if [ $unlock_attempt -gt $max_unlock_retries ]; then
+    echo "Failed to unlock the host $HOST after $max_unlock_retries attempts. Please check manually."
+    exit 1
+fi
+
+echo "Script completed. Host may take some time to become available "
+