Add apparmor profiles on genesis node in multinode gate

The bootactions which will be deployed via Drydock on nodes need to be performed on Genesis node as well. This should be done as part of pre-genesis setup before genesis.sh is executed. This patchset allows apparmor profiles to be staged on the genesis node in the same manner as seccomp profiles. Change-Id: I418c955a131dc8e23ab5f4d900ae5ea4f7985468 Reference: https://review.opendev.org/644824
2019-08-14 17:48:16 -07:00 · 2019-08-14 17:48:16 -07:00 · c5044663e0
parent aca670aa5f
commit c5044663e0
1 changed files with 37 additions and 0 deletions
--- a/tools/multi_nodes_gate/airship_gate/lib/bootaction-runner.sh
+++ b/tools/multi_nodes_gate/airship_gate/lib/bootaction-runner.sh
@ -107,6 +107,7 @@ echo "Using rendered manifests file '$rendered_file'"

 # env vars which can be set if you want to disable
 : ${DISABLE_SECCOMP_PROFILE:=}
+: ${DISABLE_APPARMOR_PROFILES:=}


 ###############################################################################
@ -132,3 +133,39 @@ if [[ ! $DISABLE_SECCOMP_PROFILE ]]; then
  # seccomp_default
  install_file "$path" "$content" "$permissions"
 fi
+
+###############################################################################
+# bootaction: apparmor-profiles
+###############################################################################
+
+if [[ ! $DISABLE_APPARMOR_PROFILES ]]; then
+
+  manifests_lookup "$rendered_file" "drydock/BootAction/v1" \
+                   "apparmor-profiles" "['data']['assets']" "get_size"
+
+  if [[ -n "$RESULT" ]] && [[ $RESULT -gt 0 ]]; then
+
+    # Fetch apparmor profile data
+    LAST=$(( $RESULT - 1 ))
+    for i in `seq 0 $LAST`; do
+
+      manifests_lookup "$rendered_file" "drydock/BootAction/v1" \
+                       "apparmor-profiles" "['data']['assets'][$i]['path']"
+      path="$RESULT"
+      echo "apparmor profiles asset[$i] path located: '$path'"
+      manifests_lookup "$rendered_file" "drydock/BootAction/v1" \
+                       "apparmor-profiles" "['data']['assets'][$i]['permissions']"
+      permissions="$RESULT"
+      echo "apparmor profiles asset[$i] permissions located: '$permissions'"
+      manifests_lookup "$rendered_file" "drydock/BootAction/v1" \
+                       "apparmor-profiles" "['data']['assets'][$i]['data']"
+      content="$RESULT"
+      echo "apparmor profiles assets[$i] data located: '$content'"
+
+      install_file "$path" "$content" "$permissions"
+    done
+
+    # reload all apparmor profiles
+    systemctl reload apparmor.service
+  fi
+fi