Switch back to strict confinement

The following are included in the switch to strict confinement: * Set snapcraft.yaml confinement to strict and restore/update plugs * Drop building of python as it's not required for strict snaps * Switch back to running apps under root Change-Id: I2a985ecea36c82f9b08f145015219911e0ec0616
2017-06-15 18:56:35 +00:00 · 2017-06-15 18:56:35 +00:00 · 07454aaa2c
commit 07454aaa2c
parent 7463004662
3 changed files with 10 additions and 47 deletions
--- a/README.md
+++ b/README.md
@ -10,7 +10,7 @@ snap based OpenStack deployment.

 The neutron snap can be installed directly from the snap store:

-    sudo snap install --edge --classic neutron
+    sudo snap install --edge neutron

 The neutron snap is working towards publication across tracks for
 OpenStack releases. The edge channel for each track will contain the tip
@ -20,8 +20,8 @@ will be published progressively to beta, then candidate, and then stable once
 CI validation completes for the channel. This should result in an experience
 such as:

-    sudo snap install --classic --channel=ocata/stable neutron
-    sudo snap install --classic --channel=pike/edge neutron
+    sudo snap install --channel=ocata/stable neutron
+    sudo snap install --channel=pike/edge neutron

 ## Configuring neutron

@ -71,11 +71,6 @@ The services for the neutron snap will log to its $SNAP_COMMON writable area:

 ## Managing neutron

-The neutron snap will drop privileges to run daemons and commands under
-a regular user named snap-neutron. Additionally, permissions and ownership
-of files and directories in /var/snap/neutron/common/ are modified to
-restrict access from other users.
-
 The neutron snap has alias support that enables use of the well-known
 neutron-db-manage command. To enable the alias, run the following prior to
 using the command:
--- a/snap/snap-openstack.yaml
+++ b/snap/snap-openstack.yaml
@ -1,10 +1,5 @@
 setup:
-  users:
-    snap-neutron: [snap-neutron]
-  default-owner: "root:snap-neutron"
  dirs:
-    - "{snap_common}/etc"
-    - "{snap_common}/etc/neutron"
    - "{snap_common}/etc/neutron/neutron.conf.d"
    - "{snap_common}/etc/neutron/plugins/ml2"
    - "{snap_common}/etc/neutron/policy.d"
@ -14,10 +9,6 @@ setup:
    - "{snap_common}/lock"
  templates:
    neutron-snap.conf.j2: "{snap_common}/etc/neutron/neutron.conf.d/neutron-snap.conf"
-  rchown:
-    "{snap_common}/lock": "snap-neutron:snap-neutron"
-    "{snap_common}/log": "snap-neutron:snap-neutron"
-    "{snap_common}/lib": "snap-neutron:snap-neutron"
 entry_points:
  neutron-db-manage:
    binary: "{snap}/bin/neutron-db-manage"
@ -29,8 +20,6 @@ entry_points:
      - "{snap_common}/etc/neutron/plugins/ml2/ml2_conf.ini"
    config-dirs:
      - "{snap_common}/etc/neutron/neutron.conf.d"
-    run-as:
-      snap-neutron: [snap-neutron]
  neutron-server:
    binary: "{snap}/bin/neutron-server"
    config-files:
@ -42,5 +31,3 @@ entry_points:
    config-dirs:
      - "{snap_common}/etc/neutron/neutron.conf.d"
    log-file: "{snap_common}/log/neutron-server.log"
-    run-as:
-      snap-neutron: [snap-neutron]
--- a/snapcraft.yaml
+++ b/snapcraft.yaml
@ -2,25 +2,24 @@ name: neutron
 version: ocata
 summary: OpenStack Network Service (neutron)
 description: OpenStack Network Service (neutron)
-confinement: classic
+confinement: strict
 grade: devel

 apps:
  api:
-    command: >
-      env PYTHONPATH=$PYTHONPATH:$SNAP/lib/python2.7/site-packages
-      $SNAP/usr/bin/python2 $SNAP/bin/snap-openstack neutron-server
+    command: snap-openstack neutron-server
    daemon: simple
+    plugs:
+      - network-bind
  manage:
-    command: >
-      env PYTHONPATH=$PYTHONPATH:$SNAP/lib/python2.7/site-packages
-      $SNAP/usr/bin/python2 $SNAP/bin/snap-openstack neutron-db-manage
+    command: snap-openstack neutron-db-manage
    aliases:
      - neutron-db-manage
+    plugs:
+      - network

 parts:
  neutron:
-    after: [python]
    plugin: python
    python-version: python2
    source: http://tarballs.openstack.org/neutron/neutron-stable-ocata.tar.gz
@ -33,11 +32,6 @@ parts:
      - gcc
      - libffi-dev
      - libssl-dev
-    stage:
-      - -usr/bin/2to3
-      - -usr/bin/pydoc
-      - -usr/bin/python2.7
-      - -usr/lib/python2.7
    install: |
      touch $SNAPCRAFT_PART_INSTALL/lib/python2.7/site-packages/paste/__init__.py
      touch $SNAPCRAFT_PART_INSTALL/lib/python2.7/site-packages/repoze/__init__.py
@ -62,16 +56,3 @@ parts:
        - etc/neutron/*
    stage: [$etc]
    prime: [$etc]
-  python:
-    source: https://www.python.org/ftp/python/2.7.13/Python-2.7.13.tar.xz
-    plugin: autotools
-    configflags:
-      - --prefix=/usr
-      - --enable-shared
-      - --enable-unicode=ucs4
-    build-packages:
-      - libssl-dev
-    prime:
-      - -usr/include
-    install:
-      $SNAPCRAFT_PART_INSTALL/usr/bin/python2 -m ensurepip