From e66c3f5d4e877b537a162c469ea21ccaae31458e Mon Sep 17 00:00:00 2001
From: Simon Deziel
Date: Tue, 13 Feb 2024 14:12:08 -0500
Subject: [PATCH 1/7] github: add tests job
Signed-off-by: Simon Deziel
---
 .github/workflows/tests.yml | 39 +++++++++++++++++++++++++++++++++++++
 1 file changed, 39 insertions(+)
 create mode 100644 .github/workflows/tests.yml
diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
new file mode 100644
index 000000000..b2a8b32bd
--- /dev/null
+++ b/.github/workflows/tests.yml
@@ -0,0 +1,39 @@
+name: Tests
+on:
+ push:
+ pull_request:
+
+permissions:
+ contents: read
+
+concurrency:
+ group: ${{ github.workflow }}-${{ github.ref }}
+ cancel-in-progress: true
+
+defaults:
+ run:
+ # Make sure bash is always invoked with `-eo pipefail`
+ # https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsshell
+ shell: bash
+
+jobs:
+ code-tests:
+ name: Code
+ runs-on: ubuntu-22.04
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+
+ - id: ShellCheck
+ name: Differential ShellCheck
+ uses: redhat-plumbers-in-action/differential-shellcheck@v5
+ with:
+ token: ${{ secrets.GITHUB_TOKEN }}
+ if: github.event_name == 'pull_request'
+
+ - name: Upload artifact with ShellCheck defects in SARIF format
+ uses: actions/upload-artifact@v4
+ with:
+ name: Differential ShellCheck SARIF
+ path: ${{ steps.ShellCheck.outputs.sarif }}
+ if: github.event_name == 'pull_request'
From 2a0b3669249c966835b09782079a64d55953ddc5 Mon Sep 17 00:00:00 2001
From: Simon Deziel
Date: Tue, 13 Feb 2024 11:45:18 -0500
Subject: [PATCH 2/7] snapcraft: alpha sort LXD snap config keys
Signed-off-by: Simon Deziel
---
 snapcraft.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/snapcraft.yaml b/snapcraft.yaml
index 4e83573aa..e527a178b 100644
--- a/snapcraft.yaml
+++ b/snapcraft.yaml
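Review bot: The `Checkout` step uses `actions/checkout@v4` with the default shallow clone, which as far as I recall leaves differential-shellcheck without the base-branch history it needs to compute the changed-lines diff; adding `with:` / `fetch-depth: 0` to that step is what the action's documentation asks for, so please confirm against it. The third-party actions are referenced by mutable major tags (`@v5`, `@v4`); since `redhat-plumbers-in-action/differential-shellcheck` is handed `secrets.GITHUB_TOKEN`, pinning it to a full-length commit SHA (with the tag in a trailing comment) limits what a moved tag could do with that token. `permissions: contents: read` is the right least-privilege baseline, and uploading the SARIF as an artifact rather than to code scanning is what lets the job avoid `security-events: write`; worth a one-line comment above `permissions:` so a later edit does not widen it without noticing. On `push` both steps are skipped by their `if:`, so the job only performs a checkout; gating at the job level would make that intent explicit.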
@@ -45,11 +45,11 @@ description: |-
 - lxcfs.loadavg: Start tracking per-container load average [default=false]
 - lxcfs.cfs: Consider CPU shares for CPU usage [default=false]
 - lxcfs.debug: Increase logging to debug level [default=false]
+ - minio.path: Path to the minio binary to use with LXD [default=""]
 - openvswitch.builtin: Run a snap-specific OVS daemon [default=false]
 - openvswitch.external: Use the system's OVS tools (ignores openvswitch.builtin) [default=false]
 - ovn.builtin: Use snap-specific OVN configuration [default=false]
 - ui.enable: Enable the web interface [default=true]
- - minio.path: Path to the minio binary to use with LXD [default=""]
 
 For system-wide configuration of the CLI, place your configuration in /var/snap/lxd/common/global-conf/ (config.yml and servercerts)
From e5a7917154a91db8c14cb2030f905f4710583a4d Mon Sep 17 00:00:00 2001
From: Simon Deziel
Date: Tue, 13 Feb 2024 14:42:28 -0500
Subject: [PATCH 3/7] snapcraft: add apparmor.unprivileged-restrictions-disable config key
Signed-off-by: Simon Deziel
---
 snapcraft.yaml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/snapcraft.yaml b/snapcraft.yaml
index e527a178b..6fd6b6341 100644
--- a/snapcraft.yaml
+++ b/snapcraft.yaml
@@ -31,6 +31,7 @@ description: |-
 
 Supported configuration options for the snap (snap set lxd [=...]):
 
+ - apparmor.unprivileged-restrictions-disable: Whether to disable restrictions on unprivileged user namespaces [default=true]
 - ceph.builtin: Use snap-specific Ceph configuration [default=false]
 - ceph.external: Use the system's ceph tools (ignores ceph.builtin) [default=false]
 - criu.enable: Enable experimental live-migration support [default=false]
From f5ccef81bf395b66b78a7fa053f2d0f7e667e826 Mon Sep 17 00:00:00 2001
From: Simon Deziel
Date: Tue, 13 Feb 2024 13:56:16 -0500
Subject: [PATCH 4/7] snapcraft/hooks/configure: alpha sort config keys
Signed-off-by: Simon Deziel
---
 snapcraft/hooks/configure | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
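Review bot: The new `apparmor.unprivileged-restrictions-disable` entry in the second hunk describes the key as "Whether to disable restrictions on unprivileged user namespaces" without saying that the effect is host-wide: the last patch of this series writes `0` to `/proc/sys/kernel/apparmor_restrict_unprivileged_userns` and `/proc/sys/kernel/apparmor_restrict_unprivileged_unconfined`, which changes the kernel's behaviour for every process on the machine, not only for LXD, and the key defaults to `true`. An operator reading `snap set lxd` help text should be able to see that trade-off, for example `- apparmor.unprivileged-restrictions-disable: Disable the host-wide AppArmor restrictions on unprivileged user namespaces (kernel hardening; affects all processes, not just LXD) [default=true]`. The `[=...]` in the "Supported configuration options" context line looks like a stripped `<key>=<value>` placeholder rather than the real text, so I have not treated it as a defect.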
diff --git a/snapcraft/hooks/configure b/snapcraft/hooks/configure
index e1b7f3f3f..56dfef352 100755
--- a/snapcraft/hooks/configure
+++ b/snapcraft/hooks/configure
@@ -52,11 +52,11 @@ lxcfs_loadavg=$(get_bool "$(snapctl get lxcfs.loadavg)")
 lxcfs_pidfd=$(get_bool "$(snapctl get lxcfs.pidfd)")
 lxcfs_cfs=$(get_bool "$(snapctl get lxcfs.cfs)")
 lxcfs_debug=$(get_bool "$(snapctl get lxcfs.debug)")
+minio_path="$(snapctl get minio.path)"
 openvswitch_builtin=$(get_bool "$(snapctl get openvswitch.builtin)")
 openvswitch_external=$(get_bool "$(snapctl get openvswitch.external)")
 ovn_builtin=$(get_bool "$(snapctl get ovn.builtin)")
 ui_enable=$(get_bool "$(snapctl get ui.enable)")
-minio_path="$(snapctl get minio.path)"
 
 # Special-handling of daemon.preseed
 daemon_preseed=$(snapctl get daemon.preseed)
@@ -82,11 +82,11 @@ config="${SNAP_COMMON}/config"
 echo "lxcfs_pidfd=${lxcfs_pidfd:-"false"}"
 echo "lxcfs_cfs=${lxcfs_cfs:-"false"}"
 echo "lxcfs_debug=${lxcfs_debug:-"false"}"
+ echo "minio_path=${minio_path:-""}"
 echo "openvswitch_builtin=${openvswitch_builtin:-"false"}"
 echo "openvswitch_external=${openvswitch_external:-"false"}"
 echo "ovn_builtin=${ovn_builtin:-"false"}"
 echo "ui_enable=${ui_enable:-"true"}"
- echo "minio_path=${minio_path:-""}"
 } > "${config}"
 
 # Set socket ownership in case it changed
From 07c9f121b6ae4d091cbfda2b92e37560123c57b3 Mon Sep 17 00:00:00 2001
From: Simon Deziel
Date: Tue, 13 Feb 2024 14:02:56 -0500
Subject: [PATCH 5/7] snapcraft/hooks/configure: generate the whole config file with a single cat
Signed-off-by: Simon Deziel
---
 snapcraft/hooks/configure | 42 +++++++++++++++++++--------------------
 1 file changed, 21 insertions(+), 21 deletions(-)
diff --git a/snapcraft/hooks/configure b/snapcraft/hooks/configure
index 56dfef352..64af87687 100755
--- a/snapcraft/hooks/configure
+++ b/snapcraft/hooks/configure
@@ -67,27 +67,27 @@ fi
 # Generate the config
 config="${SNAP_COMMON}/config"
 
-{
- echo "# This file is auto-generated, do NOT manually edit"
- echo "ceph_builtin=${ceph_builtin:-"false"}"
- echo "ceph_external=${ceph_external:-"false"}"
- echo "criu_enable=${criu_enable:-"false"}"
- echo "daemon_debug=${daemon_debug:-"false"}"
- echo "daemon_group=${daemon_group:-"lxd"}"
- echo "daemon_user_group=${daemon_user_group:-"lxd"}"
- echo "daemon_syslog=${daemon_syslog:-"false"}"
- echo "daemon_verbose=${daemon_verbose:-"false"}"
- echo "lvm_external=${lvm_external:-"false"}"
- echo "lxcfs_loadavg=${lxcfs_loadavg:-"false"}"
- echo "lxcfs_pidfd=${lxcfs_pidfd:-"false"}"
- echo "lxcfs_cfs=${lxcfs_cfs:-"false"}"
- echo "lxcfs_debug=${lxcfs_debug:-"false"}"
- echo "minio_path=${minio_path:-""}"
- echo "openvswitch_builtin=${openvswitch_builtin:-"false"}"
- echo "openvswitch_external=${openvswitch_external:-"false"}"
- echo "ovn_builtin=${ovn_builtin:-"false"}"
- echo "ui_enable=${ui_enable:-"true"}"
-} > "${config}"
+cat << EOC > "${config}"
+# This file is auto-generated, do NOT manually edit
+ceph_builtin=${ceph_builtin:-"false"}
+ceph_external=${ceph_external:-"false"}
+criu_enable=${criu_enable:-"false"}
+daemon_debug=${daemon_debug:-"false"}
+daemon_group=${daemon_group:-"lxd"}
+daemon_syslog=${daemon_syslog:-"false"}
+daemon_user_group=${daemon_user_group:-"lxd"}
+daemon_verbose=${daemon_verbose:-"false"}
+lvm_external=${lvm_external:-"false"}
+lxcfs_cfs=${lxcfs_cfs:-"false"}
+lxcfs_debug=${lxcfs_debug:-"false"}
+lxcfs_loadavg=${lxcfs_loadavg:-"false"}
+lxcfs_pidfd=${lxcfs_pidfd:-"false"}
+minio_path=${minio_path:-""}
+openvswitch_builtin=${openvswitch_builtin:-"false"}
+openvswitch_external=${openvswitch_external:-"false"}
+ovn_builtin=${ovn_builtin:-"false"}
+ui_enable=${ui_enable:-"true"}
+EOC
 
 # Set socket ownership in case it changed
 if getent group "${daemon_group}" >/dev/null 2>&1; then
From 5c8bce98f1279b33fd1e37234d8becb62040091b Mon Sep 17 00:00:00 2001
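Review bot: The `${var:-"false"}` defaults were carried over verbatim from the double-quoted `echo` arguments into the unquoted heredoc, where the inner double quotes sit in a different quoting context; bash strips them there, but the hook's shebang is outside this hunk and I am not certain every `/bin/sh` implementation treats `"false"` inside an expansion in a heredoc the same way, so the quote-free spelling `ceph_builtin=${ceph_builtin:-false}` (and `minio_path=${minio_path:-}` for the empty default) is the portable form and reads better in a heredoc anyway. As before this commit, the values are written unexpanded-but-unquoted straight from `snapctl get`, so a value containing a newline would add extra lines to `${config}`; that is not new here, but a comment above `cat << EOC` such as `# Values come from snap config and are written as-is; the file is sourced later, so keep them single-line` (the "sourced later" part is my inference from the key=value layout, confirm) would warn the next editor.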
From: Simon Deziel
Date: Tue, 13 Feb 2024 14:39:45 -0500
Subject: [PATCH 6/7] snapcraft/hooks/configure: save apparmor.unprivileged-restrictions-disable in config
Signed-off-by: Simon Deziel
---
 snapcraft/hooks/configure | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/snapcraft/hooks/configure b/snapcraft/hooks/configure
index 64af87687..62e074d81 100755
--- a/snapcraft/hooks/configure
+++ b/snapcraft/hooks/configure
@@ -39,6 +39,7 @@ if [ ! -e /run/snapd-snap.socket ]; then
 fi
 
 # Get the current config
+apparmor_unprivileged_restrictions_disable=$(get_bool "$(snapctl get apparmor.unprivileged-restrictions-disable)")
 ceph_builtin=$(get_bool "$(snapctl get ceph.builtin)")
 ceph_external=$(get_bool "$(snapctl get ceph.external)")
 criu_enable=$(get_bool "$(snapctl get criu.enable)")
@@ -69,6 +70,7 @@ config="${SNAP_COMMON}/config"
 
 cat << EOC > "${config}"
 # This file is auto-generated, do NOT manually edit
+apparmor_unprivileged_restrictions_disable=${apparmor_unprivileged_restrictions_disable:-"true"}
 ceph_builtin=${ceph_builtin:-"false"}
 ceph_external=${ceph_external:-"false"}
 criu_enable=${criu_enable:-"false"}
From 170c8352d1f56092a234616a7b76f64194d858e6 Mon Sep 17 00:00:00 2001
From: Simon Deziel
Date: Tue, 13 Feb 2024 14:40:52 -0500
Subject: [PATCH 7/7] snapcraft/commands/daemon.start: check apparmor_unprivileged_restrictions_disable config before disabling related sysctl
Signed-off-by: Simon Deziel
---
 snapcraft/commands/daemon.start | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
diff --git a/snapcraft/commands/daemon.start b/snapcraft/commands/daemon.start
index 2389ec810..63ca53752 100755
--- a/snapcraft/commands/daemon.start
+++ b/snapcraft/commands/daemon.start
@@ -420,6 +420,22 @@ if [ "$(stat -c '%u' /proc)" = 0 ]; then echo 1 > /proc/sys/kernel/unprivileged_userns_clone || true fi fi + + if [ "${apparmor_unprivileged_restrictions_disable:-"true"}" = "true" ]; then + if [ -e /proc/sys/kernel/apparmor_restrict_unprivileged_userns ]; then + if [ "$(cat /proc/sys/kernel/apparmor_restrict_unprivileged_userns)" = "1" ]; then + echo "==> Disabling Apparmor unprivileged userns mediation" + echo 0 > /proc/sys/kernel/apparmor_restrict_unprivileged_userns || true + fi + fi + + if [ -e /proc/sys/kernel/apparmor_restrict_unprivileged_unconfined ]; then + if [ "$(cat /proc/sys/kernel/apparmor_restrict_unprivileged_unconfined)" = "1" ]; then + echo "==> Disabling Apparmor unprivileged unconfined mediation" + echo 0 > /proc/sys/kernel/apparmor_restrict_unprivileged_unconfined || true + fi + fi + fi fi # Setup CRIU