
Commit 0ea50edd authored by Rödig, Constanze's avatar Rödig, Constanze

Merge branch 'features/rocky9_selinux' into 'rocky/main'

Rocky 9 Implementation/Selinux Rewrite

See merge request ADLS/infrastructure/adls.osrancher!15
parents ff182599 8ed0a4d6
module my-iptables 1.0;
require {
type iptables_t;
type cgroup_t;
class dir ioctl;
}
#============= iptables_t ==============
allow iptables_t cgroup_t:dir ioctl;
\ No newline at end of file
#============= container_t ==============
allow container_t init_var_run_t:sock_file write;
allow container_t system_dbusd_var_run_t:sock_file write;
\ No newline at end of file
(block my-node-exporter
(blockinherit container)
(allow my-node-exporter.process init_t (dir (search)))
(allow my-node-exporter.process init_t (file (read open)))
(allow my-node-exporter.process node_t (tcp_socket (node_bind)))
(allow my-node-exporter.process unreserved_port_t (tcp_socket (name_bind)))
(allow my-node-exporter.process self (tcp_socket (listen)))
)
(block my-openstack-ccm
(blockinherit container)
(allow my-openstack-ccm.process commplex_main_port_t (tcp_socket (name_connect)))
(allow my-openstack-ccm.process node_t (tcp_socket (node_bind)))
(allow my-openstack-ccm.process unreserved_port_t (tcp_socket (name_bind)))
(allow my-openstack-ccm.process self (tcp_socket (listen)))
(allow my-openstack-ccm.process http_port_t (tcp_socket (name_connect)))
(allow my-openstack-ccm.process osapi_compute_port_t (tcp_socket (name_connect)))
(allow my-openstack-ccm.process neutron_port_t (tcp_socket (name_connect)))
(allow my-openstack-ccm.process cert_t (dir (read)))
(allow my-openstack-ccm.process cert_t (lnk_file (read)))
(allow my-openstack-ccm.process cert_t (file (open read write)))
)
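Review bot: The last allow rule in the block grants the CCM process `write` on `cert_t` files, while the neighbouring rules (dir read, lnk_file read) and the CA-bundle copy task elsewhere in this commit suggest the container only needs to read /etc/ssl/certs. A container domain that may write cert_t can alter the host's trust store, so unless an AVC denial shows the write is actually required, narrow it to `(allow my-openstack-ccm.process cert_t (file (open read)))`. The `container` block this inherits from is defined in a separate file (base-container.cil), so the effective permission set is wider than what is visible here.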
module my-openstack 1.0;
require {
type cert_t;
type container_t;
class dir read;
class lnk_file read;
class file read;
class file write;
class file open;
}
#============= container_t ==============
allow container_t cert_t:dir read;
allow container_t cert_t:lnk_file read;
allow container_t cert_t:file {open read write};
\ No newline at end of file
module my-rke2 1.0;
require {
type container_var_lib_t;
type rke2_service_t;
class file watch;
}
#============= rke2_service_t ==============
allow rke2_service_t container_var_lib_t:file watch;
(block container
(type process)
(type socket)
(roletype system_r process)
(typeattributeset domain (process ))
(typeattributeset container_domain (process ))
(typeattributeset svirt_sandbox_domain (process ))
(typeattributeset mcs_constrained_type (process ))
(typeattributeset file_type (socket ))
(allow process socket (sock_file (create open getattr setattr read write rename link unlink ioctl lock append)))
(allow process proc_type (file (getattr open read)))
(allow process cpu_online_t (file (getattr open read)))
(allow container_runtime_t process (key (create link read search setattr view write)))
)
...@@ -5,6 +5,10 @@ ...@@ -5,6 +5,10 @@
mode: '0755' mode: '0755'
when: not rke2_installed.stat.exists or upgrade when: not rke2_installed.stat.exists or upgrade
- name: Update crypto-policy to allow SHA1
shell: update-crypto-policies --set DEFAULT:SHA1
when: not rke2_installed.stat.exists or upgrade
- name: Install RKE2 - name: Install RKE2
command: "/tmp/rke2.sh" command: "/tmp/rke2.sh"
args: args:
...@@ -16,6 +20,11 @@ ...@@ -16,6 +20,11 @@
notify: notify:
- restart rke2 - restart rke2
- name: Revert crypto-policy
shell: update-crypto-policies --set DEFAULT:NO-SHA1
when: not rke2_installed.stat.exists or upgrade
# - name: install RHEL RKE2 packages to use latest minor version (otherwise cilium breaks Dont ask why) # - name: install RHEL RKE2 packages to use latest minor version (otherwise cilium breaks Dont ask why)
# dnf: # dnf:
# name: # name:
...@@ -27,3 +36,17 @@ ...@@ -27,3 +36,17 @@
file: file:
path: /tmp/rke2.sh path: /tmp/rke2.sh
state: absent state: absent
- name: Copy SELinux Policies (rke2)
template:
src: ../selinux/my-rke2.te
dest: /etc/selinux/targeted/policy/my-rke2.te
when: ( 'control-plane' in group_names )
- name: Build SELinux exception module (rke2)
shell: |
checkmodule -M -m -o /etc/selinux/targeted/policy/my-rke2.mod /etc/selinux/targeted/policy/my-rke2.te
semodule_package -o /etc/selinux/targeted/policy/my-rke2.pp -m /etc/selinux/targeted/policy/my-rke2.mod
semodule -i /etc/selinux/targeted/policy/my-rke2.pp
when: ( 'control-plane' in group_names )
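Review bot: The `Revert crypto-policy` task only runs if every task between it and `Update crypto-policy to allow SHA1` succeeds, so a failed `Install RKE2` leaves the host with SHA1 enabled system-wide until a later successful run. Wrapping the install in a `block:` with the revert in `always:` confines the weakened policy to the install window. Both `shell` tasks also report changed on every run; `changed_when: false` or a comparison against `update-crypto-policies --show` keeps the play idempotent, and the `Build SELinux exception module (rke2)` task has the same issue because `semodule -i` is re-run on each play. The task list continues outside these hunks, so the block boundary has to be chosen against the full file.

```yaml
- name: Install RKE2 with SHA1 temporarily enabled
  block:
    - name: Update crypto-policy to allow SHA1
      shell: update-crypto-policies --set DEFAULT:SHA1
    # … unchanged: Install RKE2 task and the tasks that follow it up to the notify …
  always:
    - name: Revert crypto-policy
      shell: update-crypto-policies --set DEFAULT:NO-SHA1
  when: not rke2_installed.stat.exists or upgrade
```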
...@@ -7,6 +7,49 @@ ...@@ -7,6 +7,49 @@
backup: yes backup: yes
loop: "{{ groups['all'] }}" loop: "{{ groups['all'] }}"
- name: install RHEL packages
dnf:
name:
- sssd-ldap
- container-selinux
- cloud-utils-growpart
- fapolicyd
state: latest
- name: disable firewalld
ansible.builtin.systemd:
name: "firewalld"
enabled: no
masked: no
state: stopped
- name: enable nftables
ansible.builtin.systemd:
name: "nftables"
enabled: yes
state: started
masked: no
- name: add kernel params
template:
src: kernel_params.conf.j2
dest: /etc/sysctl.d/rke2_kernel_params.conf
register: kernel_params
- name: load kernel params
shell: sysctl --system
when: kernel_params.changed
- name: add group - etcd
group:
name: etcd
state: present
- name: add user - etcd
user:
name: etcd
group: etcd
- name: remove rocky user at uid 1000 - name: remove rocky user at uid 1000
user: user:
name: rocky name: rocky
...@@ -14,34 +57,50 @@ ...@@ -14,34 +57,50 @@
remove: yes remove: yes
ignore_errors: True ignore_errors: True
- name: Download root CA
get_url:
url: https://curl.se/ca/cacert.pem
dest: /etc/ssl/certs
- name: Update CA trust
shell: update-ca-trust
- name: Resize the disks if volume was expanded (experimental) - name: Resize the disks if volume was expanded (experimental)
shell: | shell: |
/usr/bin/growpart /dev/vda 2 /usr/bin/growpart /dev/vda 2
/usr/sbin/pvresize -y -q /dev/vda2 /usr/sbin/pvresize -y -q /dev/vda2
/usr/sbin/lvresize -y -q -r -l +100%FREE /dev/mapper/*root /usr/sbin/lvresize -y -q -r -l +100%FREE /dev/mapper/*root
- name: Disable SELinux - name: Copy udica Base Container SELinux Policies
selinux: template:
policy: targeted src: ../selinux/udica/base-container.cil
state: permissive dest: /etc/selinux/targeted/policy/base-container.cil
- name: Copy SELinux Policies (prometheus/node_exporter)
template:
src: ../selinux/my-node-exporter.cil
dest: /etc/selinux/targeted/policy/my-node-exporter.cil
- name: Copy SELinux Policies - name: Copy SELinux Policies
template: template:
src: ../selinux/my-openstack.te src: ../selinux/my-openstack-ccm.cil
dest: /etc/selinux/targeted/policy/my-openstack.te dest: /etc/selinux/targeted/policy/my-openstack-ccm.cil
when: ( 'control-plane' in group_names ) when: ( 'control-plane' in group_names )
- name: Build SELinux exception module & allow openstack CCM to mount the /etc/ssl/certs files - name: Build SELinux exception modules
shell: | shell: |
checkmodule -M -m -o /etc/selinux/targeted/policy/my-openstack.mod /etc/selinux/targeted/policy/my-openstack.te semodule -i /etc/selinux/targeted/policy/my-node-exporter.cil /etc/selinux/targeted/policy/base-container.cil
semodule_package -o /etc/selinux/targeted/policy/my-openstack.pp -m /etc/selinux/targeted/policy/my-openstack.mod
semodule -i /etc/selinux/targeted/policy/my-openstack.pp
when: ( 'control-plane' in group_names )
- name: Enable container_use_cephfs - name: Build SELinux exception modules
shell: | shell: |
setsebool -P container_use_cephfs 1 semodule -i /etc/selinux/targeted/policy/my-openstack-ccm.cil /etc/selinux/targeted/policy/base-container.cil
when: ( 'agents' in group_names ) when: ( 'control-plane' in group_names )
- name: Disable SELinux
selinux:
policy: targeted
state: permissive
- name: Ensure /var/lib/rancher/rke2/server/manifests - name: Ensure /var/lib/rancher/rke2/server/manifests
file: file:
......
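Review bot: The `Disable SELinux` task that appears to remain on the new side near the end of the section still sets `state: permissive`, so none of the CIL modules installed by the tasks above it enforce anything and AVC denials are only logged. If permissive is intended as a transition step, record that next to the task (`# TODO: switch to enforcing once the AVC log for the new modules is clean`); otherwise change it to `state: enforcing`. The `Download root CA` task fetches cacert.pem without a `checksum:`; pinning it (`checksum: sha256:<expected-digest-placeholder>`) rejects a tampered or truncated bundle instead of dropping it into /etc/ssl/certs, and on Rocky `update-ca-trust` likely only consumes anchors from /etc/pki/ca-trust/source/anchors, so the following `Update CA trust` task probably does not pick this file up — confirm what it is meant to achieve. The two `Build SELinux exception modules` tasks run `semodule -i` unconditionally on every play; `changed_when: false` or a guard on `semodule -l` output would make them idempotent.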
...@@ -20,6 +20,10 @@ spec: ...@@ -20,6 +20,10 @@ spec:
bootstrap: True bootstrap: True
targetNamespace: kube-system targetNamespace: kube-system
valuesContent: |- valuesContent: |-
podSecurityContext:
seLinuxOptions:
type: my-openstack-ccm.process
secret: secret:
create: false create: false
name: cloud-config name: cloud-config
...@@ -55,4 +59,5 @@ spec: ...@@ -55,4 +59,5 @@ spec:
{#resources: {#resources:
# requests: # requests:
# cpu: 200m # cpu: 200m
#} #}
\ No newline at end of file
...@@ -30,3 +30,9 @@ spec: ...@@ -30,3 +30,9 @@ spec:
chart: rancher-monitoring chart: rancher-monitoring
version: {{ item.value.version | default("100.1.0+up19.0.3") }} version: {{ item.value.version | default("100.1.0+up19.0.3") }}
targetNamespace: cattle-monitoring-system targetNamespace: cattle-monitoring-system
valuesContent: |-
prometheus-node-exporter:
securityContext:
seLinuxOptions:
type: my-node-exporter.process