Switch back to strict confinement

The following are included in the switch to strict confinement:
* Set snapcraft.yaml confinement to strict and restore/update plugs
* Drop building of python as it's not required for strict snaps
* Switch back to running apps under root

Change-Id: I2a985ecea36c82f9b08f145015219911e0ec0616
This commit is contained in:
Corey Bryant 2017-06-15 18:56:35 +00:00
parent 7463004662
commit 07454aaa2c
3 changed files with 10 additions and 47 deletions

View File

@ -10,7 +10,7 @@ snap based OpenStack deployment.
The neutron snap can be installed directly from the snap store: The neutron snap can be installed directly from the snap store:
sudo snap install --edge --classic neutron sudo snap install --edge neutron
The neutron snap is working towards publication across tracks for The neutron snap is working towards publication across tracks for
OpenStack releases. The edge channel for each track will contain the tip OpenStack releases. The edge channel for each track will contain the tip
@ -20,8 +20,8 @@ will be published progressively to beta, then candidate, and then stable once
CI validation completes for the channel. This should result in an experience CI validation completes for the channel. This should result in an experience
such as: such as:
sudo snap install --classic --channel=ocata/stable neutron sudo snap install --channel=ocata/stable neutron
sudo snap install --classic --channel=pike/edge neutron sudo snap install --channel=pike/edge neutron
## Configuring neutron ## Configuring neutron
@ -71,11 +71,6 @@ The services for the neutron snap will log to its $SNAP_COMMON writable area:
## Managing neutron ## Managing neutron
The neutron snap will drop privileges to run daemons and commands under
a regular user named snap-neutron. Additionally, permissions and ownership
of files and directories in /var/snap/neutron/common/ are modified to
restrict access from other users.
The neutron snap has alias support that enables use of the well-known The neutron snap has alias support that enables use of the well-known
neutron-db-manage command. To enable the alias, run the following prior to neutron-db-manage command. To enable the alias, run the following prior to
using the command: using the command:
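Review bot: the "Managing neutron" section now says nothing about which user the daemons run as, even though the commit message states that apps are switched back to running under root. Since operators previously read here that the snap dropped privileges to snap-neutron and restricted access to /var/snap/neutron/common/, consider replacing the removed paragraph with a sentence stating that under strict confinement the services run as root inside the snap's confinement and that files under $SNAP_COMMON are root-owned, so the ownership change is documented rather than silently reversed.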

View File

@ -1,10 +1,5 @@
setup: setup:
users:
snap-neutron: [snap-neutron]
default-owner: "root:snap-neutron"
dirs: dirs:
- "{snap_common}/etc"
- "{snap_common}/etc/neutron"
- "{snap_common}/etc/neutron/neutron.conf.d" - "{snap_common}/etc/neutron/neutron.conf.d"
- "{snap_common}/etc/neutron/plugins/ml2" - "{snap_common}/etc/neutron/plugins/ml2"
- "{snap_common}/etc/neutron/policy.d" - "{snap_common}/etc/neutron/policy.d"
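Review bot: the `dirs:` list loses `"{snap_common}/etc"` and `"{snap_common}/etc/neutron"` while the child directories `etc/neutron/neutron.conf.d`, `etc/neutron/plugins/ml2` and `etc/neutron/policy.d` are kept. This is only safe if the setup code creates missing parent directories (mkdir -p semantics); if it creates each listed entry individually, the first run will fail on the first child path. Either confirm that behaviour or keep the two parent entries.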
@ -14,10 +9,6 @@ setup:
- "{snap_common}/lock" - "{snap_common}/lock"
templates: templates:
neutron-snap.conf.j2: "{snap_common}/etc/neutron/neutron.conf.d/neutron-snap.conf" neutron-snap.conf.j2: "{snap_common}/etc/neutron/neutron.conf.d/neutron-snap.conf"
rchown:
"{snap_common}/lock": "snap-neutron:snap-neutron"
"{snap_common}/log": "snap-neutron:snap-neutron"
"{snap_common}/lib": "snap-neutron:snap-neutron"
entry_points: entry_points:
neutron-db-manage: neutron-db-manage:
binary: "{snap}/bin/neutron-db-manage" binary: "{snap}/bin/neutron-db-manage"
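Review bot: with `rchown:` removed here and `default-owner:` removed in the previous hunk, nothing in the setup block sets ownership or permissions on `{snap_common}/lock`, `{snap_common}/log` and `{snap_common}/lib`, which hold the service's lock files, logs and state. Since the daemons now run as root, root ownership is the expected outcome, but the README previously promised restricted access for other users; confirm the modes these directories end up with are acceptable, or state explicitly that access control now rests on root ownership and the snap's confinement.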
@ -29,8 +20,6 @@ entry_points:
- "{snap_common}/etc/neutron/plugins/ml2/ml2_conf.ini" - "{snap_common}/etc/neutron/plugins/ml2/ml2_conf.ini"
config-dirs: config-dirs:
- "{snap_common}/etc/neutron/neutron.conf.d" - "{snap_common}/etc/neutron/neutron.conf.d"
run-as:
snap-neutron: [snap-neutron]
neutron-server: neutron-server:
binary: "{snap}/bin/neutron-server" binary: "{snap}/bin/neutron-server"
config-files: config-files:
@ -42,5 +31,3 @@ entry_points:
config-dirs: config-dirs:
- "{snap_common}/etc/neutron/neutron.conf.d" - "{snap_common}/etc/neutron/neutron.conf.d"
log-file: "{snap_common}/log/neutron-server.log" log-file: "{snap_common}/log/neutron-server.log"
run-as:
snap-neutron: [snap-neutron]

View File

@ -2,25 +2,24 @@ name: neutron
version: ocata version: ocata
summary: OpenStack Network Service (neutron) summary: OpenStack Network Service (neutron)
description: OpenStack Network Service (neutron) description: OpenStack Network Service (neutron)
confinement: classic confinement: strict
grade: devel grade: devel
apps: apps:
api: api:
command: > command: snap-openstack neutron-server
env PYTHONPATH=$PYTHONPATH:$SNAP/lib/python2.7/site-packages
$SNAP/usr/bin/python2 $SNAP/bin/snap-openstack neutron-server
daemon: simple daemon: simple
plugs:
- network-bind
manage: manage:
command: > command: snap-openstack neutron-db-manage
env PYTHONPATH=$PYTHONPATH:$SNAP/lib/python2.7/site-packages
$SNAP/usr/bin/python2 $SNAP/bin/snap-openstack neutron-db-manage
aliases: aliases:
- neutron-db-manage - neutron-db-manage
plugs:
- network
parts: parts:
neutron: neutron:
after: [python]
plugin: python plugin: python
python-version: python2 python-version: python2
source: http://tarballs.openstack.org/neutron/neutron-stable-ocata.tar.gz source: http://tarballs.openstack.org/neutron/neutron-stable-ocata.tar.gz
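Review bot: the `api` app is given only the `network-bind` plug, while `manage` gets `network`. neutron-server listens for API requests but also opens outbound connections to the database and message broker, so please confirm that `network-bind` alone is sufficient for client-side connections under strict confinement; if not, add `network` alongside `network-bind` for `api`, otherwise the daemon will start and then fail on its first outbound connect.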
@ -33,11 +32,6 @@ parts:
- gcc - gcc
- libffi-dev - libffi-dev
- libssl-dev - libssl-dev
stage:
- -usr/bin/2to3
- -usr/bin/pydoc
- -usr/bin/python2.7
- -usr/lib/python2.7
install: | install: |
touch $SNAPCRAFT_PART_INSTALL/lib/python2.7/site-packages/paste/__init__.py touch $SNAPCRAFT_PART_INSTALL/lib/python2.7/site-packages/paste/__init__.py
touch $SNAPCRAFT_PART_INSTALL/lib/python2.7/site-packages/repoze/__init__.py touch $SNAPCRAFT_PART_INSTALL/lib/python2.7/site-packages/repoze/__init__.py
@ -62,16 +56,3 @@ parts:
- etc/neutron/* - etc/neutron/*
stage: [$etc] stage: [$etc]
prime: [$etc] prime: [$etc]
python:
source: https://www.python.org/ftp/python/2.7.13/Python-2.7.13.tar.xz
plugin: autotools
configflags:
- --prefix=/usr
- --enable-shared
- --enable-unicode=ucs4
build-packages:
- libssl-dev
prime:
- -usr/include
install:
$SNAPCRAFT_PART_INSTALL/usr/bin/python2 -m ensurepip