Fix policies to work with the container-selinux > 2.189.0 #37

192 changes: 187 additions & 5 deletions .drone.yml
Expand Up @@ -180,22 +180,113 @@ volumes:
path: /var/run/docker.sock
---
kind: pipeline
name: RPM Build SLE
name: RPM Build SLE Micro

platform:
os: linux
arch: amd64

steps:
- name: Build SLE
- name: Build SLE Micro
image: rancher/dapper:v0.5.7
commands:
- dapper -f Dockerfile.microos.dapper policy/microos/scripts/build
- dapper -f Dockerfile.slemicro.dapper policy/slemicro/scripts/build
volumes:
- name: docker
path: /var/run/docker.sock

- name: Sign RPM SLE
image: centos:7
environment:
PRIVATE_KEY:
from_secret: private_key
PRIVATE_KEY_PASS_PHRASE:
from_secret: private_key_pass_phrase
TESTING_PRIVATE_KEY:
from_secret: testing_private_key
TESTING_PRIVATE_KEY_PASS_PHRASE:
from_secret: testing_private_key_pass_phrase
commands:
- policy/slemicro/scripts/sign
when:
instance:
- drone-publish.k3s.io
ref:
- refs/head/master
- refs/tags/*
event:
- tag

- name: Yum Repo Upload SLE Micro
image: centos:7
environment:
AWS_S3_BUCKET:
from_secret: aws_s3_bucket
AWS_ACCESS_KEY_ID:
from_secret: aws_access_key_id
AWS_SECRET_ACCESS_KEY:
from_secret: aws_secret_access_key
TESTING_AWS_S3_BUCKET:
from_secret: testing_aws_s3_bucket
TESTING_AWS_ACCESS_KEY_ID:
from_secret: testing_aws_access_key_id
TESTING_AWS_SECRET_ACCESS_KEY:
from_secret: testing_aws_secret_access_key
commands:
- policy/slemicro/scripts/upload-repo
when:
instance:
- drone-publish.k3s.io
ref:
- refs/head/master
- refs/tags/*
event:
- tag

- name: GitHub Release SLE Micro
image: ibuildthecloud/github-release:v0.0.1
settings:
api_key:
from_secret: github_token
prerelease: true
checksum:
- sha256
checksum_file: CHECKSUMsum-microos-noarch.txt
checksum_flatten: true
files:
- "dist/slemicro/**/*.rpm"
when:
instance:
- drone-publish.k3s.io
ref:
- refs/head/master
- refs/tags/*
event:
- tag

volumes:
- name: docker
host:
path: /var/run/docker.sock

---
kind: pipeline
name: RPM Build Microos

platform:
os: linux
arch: amd64

steps:
- name: Build MicroOS
image: rancher/dapper:v0.5.7
commands:
- dapper -f Dockerfile.microos.dapper policy/microos/scripts/build
volumes:
- name: docker
path: /var/run/docker.sock

- name: Sign RPM MicroOS
image: centos:7
environment:
PRIVATE_KEY:
Expand All @@ -217,7 +308,7 @@ steps:
event:
- tag

- name: Yum Repo Upload SLE
- name: Yum Repo Upload MicroOS
image: centos:7
environment:
AWS_S3_BUCKET:
Expand All @@ -243,7 +334,7 @@ steps:
event:
- tag

- name: GitHub Release SLE
- name: GitHub Release MicroOS
image: ibuildthecloud/github-release:v0.0.1
settings:
api_key:
Expand All @@ -268,3 +359,94 @@ volumes:
- name: docker
host:
path: /var/run/docker.sock

---
kind: pipeline
name: RPM Build Fedora CoreOS

platform:
os: linux
arch: amd64

steps:
- name: Build Fedora CoreOS
image: rancher/dapper:v0.5.7
commands:
- dapper -f Dockerfile.coreos.dapper policy/coreos/scripts/build
volumes:
- name: docker
path: /var/run/docker.sock

- name: Sign RPM Fedora CoreOS
image: centos:7
environment:
PRIVATE_KEY:
from_secret: private_key
PRIVATE_KEY_PASS_PHRASE:
from_secret: private_key_pass_phrase
TESTING_PRIVATE_KEY:
from_secret: testing_private_key
TESTING_PRIVATE_KEY_PASS_PHRASE:
from_secret: testing_private_key_pass_phrase
commands:
- policy/coreos/scripts/sign
when:
instance:
- drone-publish.k3s.io
ref:
- refs/head/master
- refs/tags/*
event:
- tag

- name: Yum Repo Upload Fedora CoreOS
image: centos:7
environment:
AWS_S3_BUCKET:
from_secret: aws_s3_bucket
AWS_ACCESS_KEY_ID:
from_secret: aws_access_key_id
AWS_SECRET_ACCESS_KEY:
from_secret: aws_secret_access_key
TESTING_AWS_S3_BUCKET:
from_secret: testing_aws_s3_bucket
TESTING_AWS_ACCESS_KEY_ID:
from_secret: testing_aws_access_key_id
TESTING_AWS_SECRET_ACCESS_KEY:
from_secret: testing_aws_secret_access_key
commands:
- policy/coreos/scripts/upload-repo
when:
instance:
- drone-publish.k3s.io
ref:
- refs/head/master
- refs/tags/*
event:
- tag

- name: GitHub Release Fedora CoreOS
image: ibuildthecloud/github-release:v0.0.1
settings:
api_key:
from_secret: github_token
prerelease: true
checksum:
- sha256
checksum_file: CHECKSUMsum-microos-noarch.txt
checksum_flatten: true
files:
- "dist/coreos/**/*.rpm"
when:
instance:
- drone-publish.k3s.io
ref:
- refs/head/master
- refs/tags/*
event:
- tag

volumes:
- name: docker
host:
path: /var/run/docker.sock
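Review bot: Both new GitHub Release steps reuse the MicroOS checksum filename — `checksum_file: CHECKSUMsum-microos-noarch.txt` appears in the added SLE Micro pipeline and again in the added Fedora CoreOS pipeline — so three pipelines publishing to the same tag presumably upload a checksum file of the same name, and the digests a consumer downloads to verify an RPM may belong to a different distribution's artifacts. Name the files per distribution, e.g. `checksum_file: CHECKSUMsum-slemicro-noarch.txt` and `checksum_file: CHECKSUMsum-coreos-noarch.txt`. The added `ref:` filters also read `refs/head/master`; Drone branch refs are `refs/heads/master`, so that entry never matches (inert today because `event: [tag]` gates these steps, but misleading to the next reader). The MicroOS pipeline's own release step lies in the collapsed region between the third and fourth hunks, so whether it carries the same filename is not visible here.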
13 changes: 13 additions & 0 deletions Dockerfile.coreos.dapper
@@ -0,0 +1,13 @@
FROM fedora:37

RUN find /etc/yum.repos.d -type f -name '*.repo' -exec \
sed -i -e '/mirrorlist.*/d' -e 's%#baseurl=http://mirror.centos.org%baseurl=http://vault.centos.org%g' {} \;
RUN yum -y install container-selinux git rpm-build selinux-policy-devel yum-utils

ENV DAPPER_SOURCE /source
ENV DAPPER_OUTPUT ./dist
ENV DAPPER_ENV COMBARCH DRONE_TAG TAG
ENV HOME ${DAPPER_SOURCE}
WORKDIR ${DAPPER_SOURCE}

ENTRYPOINT ["./policy/coreos/scripts/entry"]
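Review bot: The `RUN find /etc/yum.repos.d ... sed -i -e '/mirrorlist.*/d' -e 's%#baseurl=http://mirror.centos.org%baseurl=http://vault.centos.org%g'` step is the CentOS vault workaround carried over from the other dapper images, but this file builds on `fedora:37`, whose stock repo files use `metalink=` rather than `mirrorlist=` and do not reference `mirror.centos.org`; the step is dead weight here, and the only effect it could ever have is to point a repo at a plain-HTTP `baseurl`. Drop those two lines and keep just the install, e.g. `RUN dnf -y install container-selinux git rpm-build selinux-policy-devel yum-utils && dnf clean all` (`yum` on Fedora is the dnf compatibility shim). If the build is meant to track a specific container-selinux range, consider pinning the base image by digest so the version being built against is reproducible.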
15 changes: 15 additions & 0 deletions Dockerfile.slemicro.dapper
@@ -0,0 +1,15 @@
ARG TUMBLEWEED=opensuse/tumbleweed
FROM ${TUMBLEWEED}
ADD https://github.com/AkihiroSuda/clone3-workaround/releases/download/v1.0.0/clone3-workaround.x86_64 /bin/clone3-workaround
RUN chmod +x /bin/clone3-workaround
SHELL ["clone3-workaround", "/usr/bin/env", "bash","-c"]
RUN zypper install -y container-selinux git rpm-build selinux-policy-devel


ENV DAPPER_SOURCE /source
ENV DAPPER_OUTPUT ./dist
ENV DAPPER_ENV COMBARCH DRONE_TAG TAG
ENV HOME ${DAPPER_SOURCE}
WORKDIR ${DAPPER_SOURCE}

ENTRYPOINT ["clone3-workaround", "./policy/slemicro/scripts/entry"]
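Review bot: `ADD https://github.com/AkihiroSuda/clone3-workaround/releases/download/v1.0.0/clone3-workaround.x86_64 /bin/clone3-workaround` pulls an executable that then becomes the `SHELL` for every later `RUN` and the image `ENTRYPOINT`, with nothing checking what was fetched — a re-uploaded asset under the same release tag would silently run as the build shell for every policy build. Verify it before making it executable, e.g. `RUN echo "<SHA256_OF_RELEASE_ASSET>  /bin/clone3-workaround" | sha256sum -c - && chmod +x /bin/clone3-workaround`, with the digest recorded from a trusted copy and kept next to the version in the URL. `FROM ${TUMBLEWEED}` with the default `opensuse/tumbleweed` also resolves to a rolling tag, so the container-selinux version the policy is built against is whatever the repo carries on the day; if reproducible builds matter, pin the image by digest as well.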
8 changes: 8 additions & 0 deletions Makefile
@@ -1,6 +1,8 @@
CENTOS7_TARGETS := $(addprefix centos7-,$(shell ls policy/centos7/scripts))
CENTOS8_TARGETS := $(addprefix centos8-,$(shell ls policy/centos8/scripts))
MICROOS_TARGETS := $(addprefix microos-,$(shell ls policy/microos/scripts))
SLEMICRO_TARGETS := $(addprefix slemicro-,$(shell ls policy/slemicro/scripts))
COREOS_TARGETS := $(addprefix coreos-,$(shell ls policy/coreos/scripts))

.dapper:
@echo Downloading dapper
Expand All @@ -18,4 +20,10 @@ $(CENTOS8_TARGETS): .dapper
$(MICROOS_TARGETS): .dapper
./.dapper -f Dockerfile.microos.dapper $(@:microos-%=%)

$(SLEMICRO_TARGETS): .dapper
./.dapper -f Dockerfile.slemicro.dapper $(@:slemicro-%=%)

$(COREOS_TARGETS): .dapper
./.dapper -f Dockerfile.coreos.dapper $(@:coreos-%=%)

.PHONY: $(CENTOS7_TARGETS) $(CENTOS8_TARGETS)
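Review bot: The new `$(SLEMICRO_TARGETS)` and `$(COREOS_TARGETS)` rules are not declared phony — the `.PHONY:` line at the end of the hunk still lists only `$(CENTOS7_TARGETS) $(CENTOS8_TARGETS)` — so a file or directory named like one of these targets (e.g. `slemicro-build`) in the repo root would turn `make slemicro-build` into a silent no-op. Extend it to `.PHONY: $(CENTOS7_TARGETS) $(CENTOS8_TARGETS) $(MICROOS_TARGETS) $(SLEMICRO_TARGETS) $(COREOS_TARGETS)`; the `$(MICROOS_TARGETS)` omission predates this change but is cheap to fix in the same line.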
2 changes: 1 addition & 1 deletion policy/centos7/k3s-selinux.spec
Expand Up @@ -27,7 +27,7 @@ Summary: SELinux policy module for k3s

Group: System Environment/Base
License: ASL 2.0
URL: http://k3s.io
URL: https://k3s.io
Source0: k3s.pp
Source1: k3s.if

7 changes: 4 additions & 3 deletions policy/centos8/k3s-selinux.spec
Expand Up @@ -17,6 +17,7 @@

%define selinux_policyver 3.14.3-67
%define container_policyver 2.167.0-1
%define container_policyver_max 2.191.0-1
%define container_policy_epoch 2

Name: k3s-selinux
Expand All @@ -26,19 +27,19 @@ Summary: SELinux policy module for k3s

Group: System Environment/Base
License: ASL 2.0
URL: http://k3s.io
URL: https://k3s.io
Source0: k3s.pp
Source1: k3s.if

BuildArch: noarch
BuildRequires: container-selinux >= %{container_policy_epoch}:%{container_policyver}
BuildRequires: container-selinux >= %{container_policy_epoch}:%{container_policyver}, container-selinux < %{container_policy_epoch}:%{container_policyver_max}
BuildRequires: git
BuildRequires: selinux-policy >= %{selinux_policyver}
BuildRequires: selinux-policy-devel >= %{selinux_policyver}

Requires: policycoreutils, libselinux-utils
Requires(post): selinux-policy-base >= %{selinux_policyver}, policycoreutils
Requires(post): container-selinux >= %{container_policy_epoch}:%{container_policyver}
Requires(post): container-selinux >= %{container_policy_epoch}:%{container_policyver}, container-selinux < %{container_policy_epoch}:%{container_policyver_max}
Requires(postun): policycoreutils

Provides: %{name} = %{version}-%{release}
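Review bot: The new upper bound `container-selinux < %{container_policy_epoch}:%{container_policyver_max}` on both `BuildRequires` and `Requires(post)` expands to `< 2:2.191.0-1`, which still admits any 2.191.0 build whose Release field sorts below `1` (pre-release or rebuilt packages of the form `2.191.0-0.x`), because RPM compares the release too. If the intent is to exclude 2.191.0 entirely, define the cap without a release in the first hunk: `%define container_policyver_max 2.191.0`. A one-line comment above that define naming which container-selinux change the cap guards against would also spare the next maintainer the archaeology, since the PR title only gives the lower edge of the range.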