File rke2-selinux-0.18.stable.1.obscpio of Package rke2-selinux
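07070100000000000081A4000000000000000000000001662AB820000028A5000000000000000000000000000000000000002600000000rke2-selinux-0.18.stable.1/.drone.yml
---
# Drone CI for rke2-selinux: one pipeline per target (EL7, EL8, EL9, SLE,
# SLE MICRO). Each pipeline builds the policy RPM in a dapper container,
# signs it, pushes it to the yum repo bucket and attaches it to a GitHub
# release. The five pipelines are structurally identical; only the
# policy/<target> directory and the dapper Dockerfile differ.
#
# Review notes (apply to every pipeline below):
# - The Build step mounts the runner's Docker socket and has no `when`
#   guard (nor is there a `trigger:` on the pipeline), so it runs for
#   whatever events reach this pipeline. Whoever can trigger a build gets
#   root-equivalent access to the runner host through that socket; keep
#   these pipelines on trusted runners and restrict who can open builds.
# - The Sign / Upload / Release steps receive the RPM signing keys and
#   their passphrases, AWS credentials and a GitHub token as plain
#   environment variables and then execute scripts from the checked-out
#   repo. They are gated on `instance: drone-publish.rancher.io` and
#   `event: tag`, so "who can push a tag" is the trust boundary for the
#   signing key; protect tag creation accordingly.
# - Images: `rancher/dapper:v0.6.0` is pinned by tag only, `centos:7` is
#   past end of life (2024-06-30) and `plugins/github-release` carries no
#   tag at all. Pin every image by digest (`image: name@sha256:...`) so a
#   registry-side change cannot alter what runs with these secrets.
# - `refs/head/master` was a typo for `refs/heads/master`. With
#   `event: tag` the ref is always `refs/tags/*`, so the master entry never
#   matched before and still cannot; the effective condition is simply
#   "a tag on the publish instance".
kind: pipeline
name: RPM Build EL7

platform:
  os: linux
  arch: amd64

steps:
- name: Build EL7
  image: rancher/dapper:v0.6.0   # TODO: pin by digest
  commands:
  - dapper -f Dockerfile.centos7.dapper policy/centos7/scripts/build
  volumes:
  - name: docker
    path: /var/run/docker.sock   # host Docker socket: root-equivalent on the runner

- name: Sign RPM EL7
  image: centos:7                # EOL; TODO: maintained tool image, pinned by digest
  environment:
    PRIVATE_KEY:
      from_secret: private_key
    PRIVATE_KEY_PASS_PHRASE:
      from_secret: private_key_pass_phrase
    TESTING_PRIVATE_KEY:
      from_secret: testing_private_key
    TESTING_PRIVATE_KEY_PASS_PHRASE:
      from_secret: testing_private_key_pass_phrase
  commands:
  - policy/centos7/scripts/sign
  when:
    instance:
    - drone-publish.rancher.io
    ref:
    - refs/heads/master
    - refs/tags/*
    event:
    - tag

- name: Yum Repo Upload EL7
  image: centos:7                # EOL; TODO: maintained tool image, pinned by digest
  environment:
    AWS_S3_BUCKET:
      from_secret: aws_s3_bucket
    AWS_ACCESS_KEY_ID:
      from_secret: aws_access_key_id
    AWS_SECRET_ACCESS_KEY:
      from_secret: aws_secret_access_key
    TESTING_AWS_S3_BUCKET:
      from_secret: testing_aws_s3_bucket
    TESTING_AWS_ACCESS_KEY_ID:
      from_secret: testing_aws_access_key_id
    TESTING_AWS_SECRET_ACCESS_KEY:
      from_secret: testing_aws_secret_access_key
  commands:
  - policy/centos7/scripts/upload-repo
  when:
    instance:
    - drone-publish.rancher.io
    ref:
    - refs/heads/master
    - refs/tags/*
    event:
    - tag

- name: GitHub Release EL7
  image: plugins/github-release  # untagged (floating latest); TODO: pin by digest
  settings:
    api_key:
      from_secret: github_token
    prerelease: true
    checksum:
    - sha256
    checksum_file: CHECKSUMsum-centos7-noarch.txt
    checksum_flatten: true
    files:
    - "dist/centos7/**/*.rpm"
  when:
    instance:
    - drone-publish.rancher.io
    ref:
    - refs/heads/master
    - refs/tags/*
    event:
    - tag

volumes:
- name: docker
  host:
    path: /var/run/docker.sock

---
kind: pipeline
name: RPM Build EL8

platform:
  os: linux
  arch: amd64

steps:
- name: Build EL8
  image: rancher/dapper:v0.6.0   # TODO: pin by digest
  commands:
  - dapper -f Dockerfile.centos8.dapper policy/centos8/scripts/build
  volumes:
  - name: docker
    path: /var/run/docker.sock   # host Docker socket: root-equivalent on the runner

- name: Sign RPM EL8
  image: centos:7                # EOL; TODO: maintained tool image, pinned by digest
  environment:
    PRIVATE_KEY:
      from_secret: private_key
    PRIVATE_KEY_PASS_PHRASE:
      from_secret: private_key_pass_phrase
    TESTING_PRIVATE_KEY:
      from_secret: testing_private_key
    TESTING_PRIVATE_KEY_PASS_PHRASE:
      from_secret: testing_private_key_pass_phrase
  commands:
  - policy/centos8/scripts/sign
  when:
    instance:
    - drone-publish.rancher.io
    ref:
    - refs/heads/master
    - refs/tags/*
    event:
    - tag

- name: Yum Repo Upload EL8
  image: centos:7                # EOL; TODO: maintained tool image, pinned by digest
  environment:
    AWS_S3_BUCKET:
      from_secret: aws_s3_bucket
    AWS_ACCESS_KEY_ID:
      from_secret: aws_access_key_id
    AWS_SECRET_ACCESS_KEY:
      from_secret: aws_secret_access_key
    TESTING_AWS_S3_BUCKET:
      from_secret: testing_aws_s3_bucket
    TESTING_AWS_ACCESS_KEY_ID:
      from_secret: testing_aws_access_key_id
    TESTING_AWS_SECRET_ACCESS_KEY:
      from_secret: testing_aws_secret_access_key
  commands:
  - policy/centos8/scripts/upload-repo
  when:
    instance:
    - drone-publish.rancher.io
    ref:
    - refs/heads/master
    - refs/tags/*
    event:
    - tag

- name: GitHub Release EL8
  image: plugins/github-release  # untagged (floating latest); TODO: pin by digest
  settings:
    api_key:
      from_secret: github_token
    prerelease: true
    checksum:
    - sha256
    checksum_file: CHECKSUMsum-centos8-noarch.txt
    checksum_flatten: true
    files:
    - "dist/centos8/**/*.rpm"
  when:
    instance:
    - drone-publish.rancher.io
    ref:
    - refs/heads/master
    - refs/tags/*
    event:
    - tag

volumes:
- name: docker
  host:
    path: /var/run/docker.sock

---
kind: pipeline
name: RPM Build EL9

platform:
  os: linux
  arch: amd64

steps:
- name: Build EL9
  image: rancher/dapper:v0.6.0   # TODO: pin by digest
  commands:
  - dapper -f Dockerfile.centos9.dapper policy/centos9/scripts/build
  volumes:
  - name: docker
    path: /var/run/docker.sock   # host Docker socket: root-equivalent on the runner

- name: Sign RPM EL9
  image: centos:7                # EOL; TODO: maintained tool image, pinned by digest
  environment:
    PRIVATE_KEY:
      from_secret: private_key
    PRIVATE_KEY_PASS_PHRASE:
      from_secret: private_key_pass_phrase
    TESTING_PRIVATE_KEY:
      from_secret: testing_private_key
    TESTING_PRIVATE_KEY_PASS_PHRASE:
      from_secret: testing_private_key_pass_phrase
  commands:
  - policy/centos9/scripts/sign
  when:
    instance:
    - drone-publish.rancher.io
    ref:
    - refs/heads/master
    - refs/tags/*
    event:
    - tag

- name: Yum Repo Upload EL9
  image: centos:7                # EOL; TODO: maintained tool image, pinned by digest
  environment:
    AWS_S3_BUCKET:
      from_secret: aws_s3_bucket
    AWS_ACCESS_KEY_ID:
      from_secret: aws_access_key_id
    AWS_SECRET_ACCESS_KEY:
      from_secret: aws_secret_access_key
    TESTING_AWS_S3_BUCKET:
      from_secret: testing_aws_s3_bucket
    TESTING_AWS_ACCESS_KEY_ID:
      from_secret: testing_aws_access_key_id
    TESTING_AWS_SECRET_ACCESS_KEY:
      from_secret: testing_aws_secret_access_key
  commands:
  - policy/centos9/scripts/upload-repo
  when:
    instance:
    - drone-publish.rancher.io
    ref:
    - refs/heads/master
    - refs/tags/*
    event:
    - tag

- name: GitHub Release EL9
  image: plugins/github-release  # untagged (floating latest); TODO: pin by digest
  settings:
    api_key:
      from_secret: github_token
    prerelease: true
    checksum:
    - sha256
    checksum_file: CHECKSUMsum-centos9-noarch.txt
    checksum_flatten: true
    files:
    - "dist/centos9/**/*.rpm"
  when:
    instance:
    - drone-publish.rancher.io
    ref:
    - refs/heads/master
    - refs/tags/*
    event:
    - tag

volumes:
- name: docker
  host:
    path: /var/run/docker.sock

---
kind: pipeline
name: RPM Build SLE

platform:
  os: linux
  arch: amd64

steps:
- name: Build SLE
  image: rancher/dapper:v0.6.0   # TODO: pin by digest
  commands:
  - dapper -f Dockerfile.microos.dapper policy/microos/scripts/build
  volumes:
  - name: docker
    path: /var/run/docker.sock   # host Docker socket: root-equivalent on the runner

- name: Sign RPM SLE
  image: centos:7                # EOL; TODO: maintained tool image, pinned by digest
  environment:
    PRIVATE_KEY:
      from_secret: private_key
    PRIVATE_KEY_PASS_PHRASE:
      from_secret: private_key_pass_phrase
    TESTING_PRIVATE_KEY:
      from_secret: testing_private_key
    TESTING_PRIVATE_KEY_PASS_PHRASE:
      from_secret: testing_private_key_pass_phrase
  commands:
  - policy/microos/scripts/sign
  when:
    instance:
    - drone-publish.rancher.io
    ref:
    - refs/heads/master
    - refs/tags/*
    event:
    - tag

- name: Yum Repo Upload SLE
  image: centos:7                # EOL; TODO: maintained tool image, pinned by digest
  environment:
    AWS_S3_BUCKET:
      from_secret: aws_s3_bucket
    AWS_ACCESS_KEY_ID:
      from_secret: aws_access_key_id
    AWS_SECRET_ACCESS_KEY:
      from_secret: aws_secret_access_key
    TESTING_AWS_S3_BUCKET:
      from_secret: testing_aws_s3_bucket
    TESTING_AWS_ACCESS_KEY_ID:
      from_secret: testing_aws_access_key_id
    TESTING_AWS_SECRET_ACCESS_KEY:
      from_secret: testing_aws_secret_access_key
  commands:
  - policy/microos/scripts/upload-repo
  when:
    instance:
    - drone-publish.rancher.io
    ref:
    - refs/heads/master
    - refs/tags/*
    event:
    - tag

- name: GitHub Release SLE
  image: plugins/github-release  # untagged (floating latest); TODO: pin by digest
  settings:
    api_key:
      from_secret: github_token
    prerelease: true
    checksum:
    - sha256
    checksum_file: CHECKSUMsum-microos-noarch.txt
    checksum_flatten: true
    files:
    - "dist/microos/**/*.rpm"
  when:
    instance:
    - drone-publish.rancher.io
    ref:
    - refs/heads/master
    - refs/tags/*
    event:
    - tag

volumes:
- name: docker
  host:
    path: /var/run/docker.sock

---
kind: pipeline
name: RPM Build SLE MICRO

platform:
  os: linux
  arch: amd64

steps:
- name: Build SLE MICRO
  image: rancher/dapper:v0.6.0   # TODO: pin by digest
  commands:
  - dapper -f Dockerfile.slemicro.dapper policy/slemicro/scripts/build
  volumes:
  - name: docker
    path: /var/run/docker.sock   # host Docker socket: root-equivalent on the runner

- name: Sign RPM SLE MICRO
  image: centos:7                # EOL; TODO: maintained tool image, pinned by digest
  environment:
    PRIVATE_KEY:
      from_secret: private_key
    PRIVATE_KEY_PASS_PHRASE:
      from_secret: private_key_pass_phrase
    TESTING_PRIVATE_KEY:
      from_secret: testing_private_key
    TESTING_PRIVATE_KEY_PASS_PHRASE:
      from_secret: testing_private_key_pass_phrase
  commands:
  - policy/slemicro/scripts/sign
  when:
    instance:
    - drone-publish.rancher.io
    ref:
    - refs/heads/master
    - refs/tags/*
    event:
    - tag

- name: Yum Repo Upload SLE MICRO
  image: centos:7                # EOL; TODO: maintained tool image, pinned by digest
  environment:
    AWS_S3_BUCKET:
      from_secret: aws_s3_bucket
    AWS_ACCESS_KEY_ID:
      from_secret: aws_access_key_id
    AWS_SECRET_ACCESS_KEY:
      from_secret: aws_secret_access_key
    TESTING_AWS_S3_BUCKET:
      from_secret: testing_aws_s3_bucket
    TESTING_AWS_ACCESS_KEY_ID:
      from_secret: testing_aws_access_key_id
    TESTING_AWS_SECRET_ACCESS_KEY:
      from_secret: testing_aws_secret_access_key
  commands:
  - policy/slemicro/scripts/upload-repo
  when:
    instance:
    - drone-publish.rancher.io
    ref:
    - refs/heads/master
    - refs/tags/*
    event:
    - tag

- name: GitHub Release SLE MICRO
  image: plugins/github-release  # untagged (floating latest); TODO: pin by digest
  settings:
    api_key:
      from_secret: github_token
    prerelease: true
    checksum:
    - sha256
    checksum_file: CHECKSUMsum-slemicro-noarch.txt
    checksum_flatten: true
    files:
    - "dist/slemicro/**/*.rpm"
  when:
    instance:
    - drone-publish.rancher.io
    ref:
    - refs/heads/master
    - refs/tags/*
    event:
    - tag

volumes:
- name: docker
  host:
    path: /var/run/docker.sock
07070100000001000081A4000000000000000000000001662AB8200000001E000000000000000000000000000000000000002600000000rke2-selinux-0.18.stable.1/.gitignore
/dist
*.rpm
.dapper
.vagrant/
07070100000002000081A4000000000000000000000001662AB8200000013F000000000000000000000000000000000000003500000000rke2-selinux-0.18.stable.1/Dockerfile.centos7.dapper
# Dapper build image for the EL7 policy.
# NOTE(review): centos:7 is past end of life (2024-06-30); its repos receive no
# security updates. Pin by digest at minimum, and plan a move off this base.
FROM centos:7
RUN yum install -y epel-release \
    && yum -y install container-selinux git rpm-build selinux-policy-devel yum-utils
ENV DAPPER_SOURCE /source
ENV DAPPER_OUTPUT ./dist
ENV DAPPER_ENV COMBARCH DRONE_TAG TAG
ENV HOME ${DAPPER_SOURCE}
WORKDIR ${DAPPER_SOURCE}
ENTRYPOINT ["./policy/centos7/scripts/entry"]
07070100000003000081A4000000000000000000000001662AB82000000143000000000000000000000000000000000000003500000000rke2-selinux-0.18.stable.1/Dockerfile.centos8.dapper
# Dapper build image for the EL8 policy (Rocky Linux 8 stands in for CentOS 8).
# NOTE(review): tag-only reference; pin by digest for reproducible builds.
FROM rockylinux:8
RUN yum install -y epel-release \
    && yum -y install container-selinux git rpm-build selinux-policy-devel yum-utils
ENV DAPPER_SOURCE /source
ENV DAPPER_OUTPUT ./dist
ENV DAPPER_ENV COMBARCH DRONE_TAG TAG
ENV HOME ${DAPPER_SOURCE}
WORKDIR ${DAPPER_SOURCE}
ENTRYPOINT ["./policy/centos8/scripts/entry"]
07070100000004000081A4000000000000000000000001662AB82000000154000000000000000000000000000000000000003500000000rke2-selinux-0.18.stable.1/Dockerfile.centos9.dapper
# Dapper build image for the EL9 policy (CentOS Stream 9).
# NOTE(review): stream tags move continuously; pin by digest for reproducible builds.
FROM quay.io/centos/centos:stream9
RUN yum install -y epel-release \
    && yum -y install container-selinux git rpm-build selinux-policy-devel yum-utils
ENV DAPPER_SOURCE /source
ENV DAPPER_OUTPUT ./dist
ENV DAPPER_ENV COMBARCH DRONE_TAG TAG
ENV HOME ${DAPPER_SOURCE}
WORKDIR ${DAPPER_SOURCE}
ENTRYPOINT ["./policy/centos9/scripts/entry"]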
07070100000005000081A4000000000000000000000001662AB8200000022E000000000000000000000000000000000000003500000000rke2-selinux-0.18.stable.1/Dockerfile.microos.dapper
# Dapper build image for the MicroOS / SLE policy, built on openSUSE Tumbleweed.
# NOTE(review): `opensuse/tumbleweed` is a rolling tag; pin by digest (or pass a
# digest-qualified TUMBLEWEED build-arg) for reproducible builds.
ARG TUMBLEWEED=opensuse/tumbleweed
FROM ${TUMBLEWEED}
# NOTE(review): this binary is downloaded over HTTPS with no integrity check and is
# then used as the shell for every RUN below and as the image entrypoint, i.e. it
# runs with the build's full privileges. Pin it with BuildKit's
# `ADD --checksum=sha256:<digest> <url> /bin/clone3-workaround`, or verify it with
# `sha256sum -c` in the RUN below before `chmod +x`.
ADD https://github.com/AkihiroSuda/clone3-workaround/releases/download/v1.0.0/clone3-workaround.x86_64 /bin/clone3-workaround
RUN chmod +x /bin/clone3-workaround
# Route every RUN through clone3-workaround (presumably to work around a clone3()
# seccomp incompatibility with older Docker hosts -- the project name is the only
# hint here; confirm).
SHELL ["clone3-workaround", "/usr/bin/env", "bash","-c"]
RUN zypper install -y container-selinux git rpm-build selinux-policy-devel
ENV DAPPER_SOURCE /source
ENV DAPPER_OUTPUT ./dist
ENV DAPPER_ENV COMBARCH DRONE_TAG TAG
ENV HOME ${DAPPER_SOURCE}
WORKDIR ${DAPPER_SOURCE}
ENTRYPOINT ["clone3-workaround", "./policy/microos/scripts/entry"]
07070100000006000081A4000000000000000000000001662AB820000001D7000000000000000000000000000000000000003600000000rke2-selinux-0.18.stable.1/Dockerfile.slemicro.dapper
# Dapper build image for the SLE Micro policy, built on the SUSE BCI base image.
# NOTE(review): tag-only reference; pin by digest for reproducible builds.
FROM registry.suse.com/bci/bci-base:15.4
# Third-party OBS project repo that provides container-selinux / selinux-policy-devel
# for 15.4.
RUN zypper addrepo https://download.opensuse.org/repositories/security:/SELinux/15.4/security:SELinux.repo
# NOTE(review): --gpg-auto-import-keys trusts whatever signing key the repo serves on
# first contact (trust-on-first-use), which makes package signature checking for this
# repo meaningless against a compromised or spoofed mirror. Prefer importing the
# security:SELinux project key explicitly (rpm --import) and checking its fingerprint
# before `zypper refresh`.
RUN zypper --gpg-auto-import-keys refresh
# NOTE(review): --force-resolution lets zypper satisfy the request by removing or
# downgrading other packages; review the build log for what it actually changed.
RUN zypper in -y -n --force-resolution container-selinux git rpm-build selinux-policy-devel
ENV DAPPER_SOURCE /source
ENV DAPPER_OUTPUT ./dist
ENV DAPPER_ENV COMBARCH DRONE_TAG TAG
ENV HOME ${DAPPER_SOURCE}
WORKDIR ${DAPPER_SOURCE}
ENTRYPOINT ["./policy/slemicro/scripts/entry"]
07070100000007000081A4000000000000000000000001662AB820000027BF000000000000000000000000000000000000002300000000rke2-selinux-0.18.stable.1/LICENSE
Apache License Version 2.0, January 2004 http://www.apache.org/licenses/ TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 1. Definitions. "License" shall mean the terms and conditions for use, reproduction, and distribution as defined by Sections 1 through 9 of this document. "Licensor" shall mean the copyright owner or entity authorized by the copyright owner that is granting the License.
"Legal Entity" shall mean the union of the acting entity and all other entities that control, are controlled by, or are under common control with that entity. For the purposes of this definition, "control" means (i) the power, direct or indirect, to cause the direction or management of such entity, whether by contract or otherwise, or (ii) ownership of fifty percent (50%) or more of the outstanding shares, or (iii) beneficial ownership of such entity. "You" (or "Your") shall mean an individual or Legal Entity exercising permissions granted by this License. "Source" form shall mean the preferred form for making modifications, including but not limited to software source code, documentation source, and configuration files. "Object" form shall mean any form resulting from mechanical transformation or translation of a Source form, including but not limited to compiled object code, generated documentation, and conversions to other media types. "Work" shall mean the work of authorship, whether in Source or Object form, made available under the License, as indicated by a copyright notice that is included in or attached to the work (an example is provided in the Appendix below). "Derivative Works" shall mean any work, whether in Source or Object form, that is based on (or derived from) the Work and for which the editorial revisions, annotations, elaborations, or other modifications represent, as a whole, an original work of authorship. For the purposes of this License, Derivative Works shall not include works that remain separable from, or merely link (or bind by name) to the interfaces of, the Work and Derivative Works thereof. 
"Contribution" shall mean any work of authorship, including the original version of the Work and any modifications or additions to that Work or Derivative Works thereof, that is intentionally submitted to Licensor for inclusion in the Work by the copyright owner or by an individual or Legal Entity authorized to submit on behalf of the copyright owner. For the purposes of this definition, "submitted" means any form of electronic, verbal, or written communication sent to the Licensor or its representatives, including but not limited to communication on electronic mailing lists, source code control systems, and issue tracking systems that are managed by, or on behalf of, the Licensor for the purpose of discussing and improving the Work, but excluding communication that is conspicuously marked or otherwise designated in writing by the copyright owner as "Not a Contribution." "Contributor" shall mean Licensor and any individual or Legal Entity on behalf of whom a Contribution has been received by Licensor and subsequently incorporated within the Work. 2. Grant of Copyright License. Subject to the terms and conditions of this License, each Contributor hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare Derivative Works of, publicly display, publicly perform, sublicense, and distribute the Work and such Derivative Works in Source or Object form. 3. Grant of Patent License. 
Subject to the terms and conditions of this License, each Contributor hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable (except as stated in this section) patent license to make, have made, use, offer to sell, sell, import, and otherwise transfer the Work, where such license applies only to those patent claims licensable by such Contributor that are necessarily infringed by their Contribution(s) alone or by combination of their Contribution(s) with the Work to which such Contribution(s) was submitted. If You institute patent litigation against any entity (including a cross-claim or counterclaim in a lawsuit) alleging that the Work or a Contribution incorporated within the Work constitutes direct or contributory patent infringement, then any patent licenses granted to You under this License for that Work shall terminate as of the date such litigation is filed. 4. Redistribution. You may reproduce and distribute copies of the Work or Derivative Works thereof in any medium, with or without modifications, and in Source or Object form, provided that You meet the following conditions: (a) You must give any other recipients of the Work or Derivative Works a copy of this License; and (b) You must cause any modified files to carry prominent notices stating that You changed the files; and (c) You must retain, in the Source form of any Derivative Works that You distribute, all copyright, patent, trademark, and attribution notices from the Source form of the Work, excluding those notices that do not pertain to any part of the Derivative Works; and (d) If the Work includes a "NOTICE" text file as part of its distribution, then any Derivative Works that You distribute must include a readable copy of the attribution notices contained within such NOTICE file, excluding those notices that do not pertain to any part of the Derivative Works, in at least one of the following places: within a NOTICE text file distributed as part of the 
Derivative Works; within the Source form or documentation, if provided along with the Derivative Works; or, within a display generated by the Derivative Works, if and wherever such third-party notices normally appear. The contents of the NOTICE file are for informational purposes only and do not modify the License. You may add Your own attribution notices within Derivative Works that You distribute, alongside or as an addendum to the NOTICE text from the Work, provided that such additional attribution notices cannot be construed as modifying the License. You may add Your own copyright statement to Your modifications and may provide additional or different license terms and conditions for use, reproduction, or distribution of Your modifications, or for any such Derivative Works as a whole, provided Your use, reproduction, and distribution of the Work otherwise complies with the conditions stated in this License. 5. Submission of Contributions. Unless You explicitly state otherwise, any Contribution intentionally submitted for inclusion in the Work by You to the Licensor shall be under the terms and conditions of this License, without any additional terms or conditions. Notwithstanding the above, nothing herein shall supersede or modify the terms of any separate license agreement you may have executed with Licensor regarding such Contributions. 6. Trademarks. This License does not grant permission to use the trade names, trademarks, service marks, or product names of the Licensor, except as required for reasonable and customary use in describing the origin of the Work and reproducing the content of the NOTICE file. 7. Disclaimer of Warranty. 
Unless required by applicable law or agreed to in writing, Licensor provides the Work (and each Contributor provides its Contributions) on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied, including, without limitation, any warranties or conditions of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A PARTICULAR PURPOSE. You are solely responsible for determining the appropriateness of using or redistributing the Work and assume any risks associated with Your exercise of permissions under this License. 8. Limitation of Liability. In no event and under no legal theory, whether in tort (including negligence), contract, or otherwise, unless required by applicable law (such as deliberate and grossly negligent acts) or agreed to in writing, shall any Contributor be liable to You for damages, including any direct, indirect, special, incidental, or consequential damages of any character arising as a result of this License or out of the use or inability to use the Work (including but not limited to damages for loss of goodwill, work stoppage, computer failure or malfunction, or any and all other commercial damages or losses), even if such Contributor has been advised of the possibility of such damages. 9. Accepting Warranty or Additional Liability. While redistributing the Work or Derivative Works thereof, You may choose to offer, and charge a fee for, acceptance of support, warranty, indemnity, or other liability obligations and/or rights consistent with this License. However, in accepting such obligations, You may act only on Your own behalf and on Your sole responsibility, not on behalf of any other Contributor, and only if You agree to indemnify, defend, and hold each Contributor harmless for any liability incurred by, or claims asserted against, such Contributor by reason of your accepting any such warranty or additional liability. 
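END OF TERMS AND CONDITIONS
07070100000008000081A4000000000000000000000001662AB820000003E7000000000000000000000000000000000000002400000000rke2-selinux-0.18.stable.1/Makefile
# Build entry points: `make <target>-<script>` runs policy/<target>/scripts/<script>
# inside the matching dapper image, e.g. `make centos7-build`.
CENTOS7_TARGETS := $(addprefix centos7-,$(shell ls policy/centos7/scripts))
CENTOS8_TARGETS := $(addprefix centos8-,$(shell ls policy/centos8/scripts))
# centos9 has its own Dockerfile.centos9.dapper and is built in CI, but had no
# local target here; added for consistency with the other four.
CENTOS9_TARGETS := $(addprefix centos9-,$(shell ls policy/centos9/scripts))
MICROOS_TARGETS := $(addprefix microos-,$(shell ls policy/microos/scripts))
SLEMICRO_TARGETS := $(addprefix slemicro-,$(shell ls policy/slemicro/scripts))

# Which dapper release to download and, optionally, the expected SHA-256 of the
# downloaded binary. The defaults keep the previous behaviour (`latest`, no check),
# which is neither reproducible nor integrity-checked -- a binary fetched over the
# network is executed as-is by the `.dapper` recipe. Set both to pin it:
#   make DAPPER_VERSION=v0.6.0 DAPPER_SHA256=<digest> centos7-build
DAPPER_VERSION ?= latest
DAPPER_SHA256 ?=
# Tool used for the digest check (macOS users: `make SHA256SUM="shasum -a 256"`).
SHA256SUM ?= sha256sum

# Download dapper into .dapper.tmp, verify it when a digest is given, smoke-test
# it with `-v`, and only then move it into place. `curl -f` makes HTTP errors fail
# the recipe instead of saving an error page as the "binary".
.dapper:
	@echo Downloading dapper
	@curl -fsSL https://releases.rancher.com/dapper/$(DAPPER_VERSION)/dapper-$$(uname -s)-$$(uname -m) > .dapper.tmp
	@if [ -n "$(DAPPER_SHA256)" ]; then echo "$(DAPPER_SHA256)  .dapper.tmp" | $(SHA256SUM) -c - ; fi
	@chmod +x .dapper.tmp
	@./.dapper.tmp -v
	@mv .dapper.tmp .dapper

$(CENTOS7_TARGETS): .dapper
	./.dapper -f Dockerfile.centos7.dapper $(@:centos7-%=%)

$(CENTOS8_TARGETS): .dapper
	./.dapper -f Dockerfile.centos8.dapper $(@:centos8-%=%)

$(CENTOS9_TARGETS): .dapper
	./.dapper -f Dockerfile.centos9.dapper $(@:centos9-%=%)

$(MICROOS_TARGETS): .dapper
	./.dapper -f Dockerfile.microos.dapper $(@:microos-%=%)

$(SLEMICRO_TARGETS): .dapper
	./.dapper -f Dockerfile.slemicro.dapper $(@:slemicro-%=%)

clean:
	rm -rf dist/ Dockerfile.*.dapper[0-9]*

.PHONY: $(CENTOS7_TARGETS) $(CENTOS8_TARGETS) $(CENTOS9_TARGETS) $(MICROOS_TARGETS) $(SLEMICRO_TARGETS) clean
07070100000009000081A4000000000000000000000001662AB8200000048A000000000000000000000000000000000000002500000000rke2-selinux-0.18.stable.1/README.md
# rke2-selinux

RKE2 selinux policy repository

## Signing Keys

- https://rpm.rancher.io/public.key
- https://rpm-testing.rancher.io/public.key

## Versioning/Tagging

The version parsing logic for `rancher/rke2-selinux` expects tags to be of a certain format (that directly correlates to RPM naming)

The tag format should be as follows:

`v{rke2-selinux version}.{rpm channel}.{rpm release}`

where rke2-selinux-version is like `0.1`, `0.2`, etc.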
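rpm channel is like `testing`, `latest`, `stable`
rpm release is like `1`, `2`
rpm release should index from `1` for released RPM's

The following list shows the expected tag to (example) transformation for RPM's

|Tag|Tree State|Output RPM|RPM Channel|Notes|
|:--|:---------|:---------|:----------|:----|
| master (no tag) | Clean | `rke2-selinux-0.0~0d52f7d8-0.el7_8.noarch.rpm` | Testing ||
| master (no tag) | Dirty | `rke2-selinux-0.0~0d52f7d8-0.el7_8.noarch.rpm` | Testing ||
| v0.2.testing.1 | Clean | `rke2-selinux-0.2-1.el7_8.noarch.rpm` | Testing ||
| v0.2.latest.1 | Clean | `rke2-selinux-0.2-1.el7_8.noarch.rpm` | Latest ||
| v0.2.latest.2 | Clean | `rke2-selinux-0.2-2.el7_8.noarch.rpm` | Latest ||
0707010000000A000081A4000000000000000000000001662AB82000002BD2000000000000000000000000000000000000002700000000rke2-selinux-0.18.stable.1/Vagrantfile
# -*- mode: ruby -*-
# vi: set ft=ruby :
#
# Development VM for exercising the rke2 SELinux policy on CentOS 7: builds
# runc / CNI / containerd / cri-tools from source, installs the locally built
# policy RPM and runs critest against a containerd configured like rke2's.
# Everything in here runs as root inside a throwaway VM; the shell bodies are
# Ruby squiggly heredocs, so a trailing backslash is consumed by RUBY as a line
# continuation before the shell ever sees the script.

CPUS = (ENV['VAGRANT_RKE2_SELINUX_CPUS'] || 2).to_i
MEMORY = (ENV['VAGRANT_RKE2_SELINUX_MEMORY'] || 2048).to_i

# Adapted from https://github.com/containerd/containerd/pull/4451
Vagrant.configure("2") do |config|
  config.vm.box = "centos/7"
  config.vm.provider :virtualbox do |v|
    config.vm.box_url = "https://cloud.centos.org/centos/7/vagrant/x86_64/images/CentOS-7-x86_64-Vagrant-2004_01.VirtualBox.box"
    v.memory = MEMORY
    v.cpus = CPUS
  end
  config.vm.provider :libvirt do |v|
    config.vm.box_url = "https://cloud.centos.org/centos/7/vagrant/x86_64/images/CentOS-7-x86_64-Vagrant-2004_01.LibVirt.box"
    v.memory = MEMORY
    v.cpus = CPUS
  end

  # Disabled by default. To run:
  #   vagrant up --provision-with=upgrade-packages
  # To upgrade only specific packages:
  #   UPGRADE_PACKAGES=selinux vagrant up --provision-with=upgrade-packages
  #
  config.vm.provision "upgrade-packages", type: "shell", run: "never" do |sh|
    sh.upload_path = "/tmp/vagrant-upgrade-packages"
    sh.env = {
      'UPGRADE_PACKAGES': ENV['UPGRADE_PACKAGES'],
    }
    sh.inline = <<~SHELL
      #!/usr/bin/env bash
      set -eux -o pipefail
      yum -y upgrade ${UPGRADE_PACKAGES}
    SHELL
  end

  # Disabled by default. To run:
  #   vagrant provision --provision-with=kernel-mainline
  # Installs the ELRepo mainline kernel and makes it the default GRUB entry.
  config.vm.provision "kernel-mainline", type: "shell", run: "never" do |sh|
    sh.upload_path = "/tmp/vagrant-kernel-mainline"
    sh.inline = <<~SHELL
      #!/usr/bin/env bash
      yum -y install \
        https://www.elrepo.org/elrepo-release-7.el7.elrepo.noarch.rpm
      yum --enablerepo=elrepo-kernel -y install kernel-ml
      sed -i -e "s|GRUB_DEFAULT.*$|GRUB_DEFAULT=0|" /etc/default/grub
      grub2-mkconfig -o /boot/grub2/grub.cfg
    SHELL
    sh.reboot = true
  end

  # To re-run, installing CNI from RPM:
  #   INSTALL_PACKAGES="containernetworking-plugins" vagrant up --provision-with=install-packages
  #
  config.vm.provision "install-packages", type: "shell", run: "once" do |sh|
    sh.upload_path = "/tmp/vagrant-install-packages"
    sh.env = {
      'INSTALL_PACKAGES': ENV['INSTALL_PACKAGES'],
    }
    sh.inline = <<~SHELL
      #!/usr/bin/env bash
      set -eux -o pipefail
      yum -y install \
        bzip2 \
        container-selinux \
        curl \
        gcc \
        git \
        iptables \
        libseccomp-devel \
        libselinux-devel \
        lsof \
        make \
        selinux-policy-devel \
        socat \
        ${INSTALL_PACKAGES}
    SHELL
  end

  # Installs the policy RPM built on the host into dist/centos7 (the repo is
  # synced to /vagrant). Runs on every `vagrant up` / `vagrant provision`.
  config.vm.provision "install-policy", type: "shell", run: "always" do |sh|
    sh.upload_path = "/tmp/vagrant-install-policy"
    sh.inline = <<~SHELL
      #!/usr/bin/env bash
      set -eux -o pipefail
      pushd /vagrant
      yum install -y yum-utils rpm-build
      yum-builddep -y container-selinux
      yum -y remove rke2-selinux
      # TODO build
      yum -y install ./dist/centos7/noarch/*.rpm
    SHELL
  end

  # To re-run this provisioner, installing a different version of go:
  #   GO_VERSION="1.15rc2" vagrant up --provision-with=install-golang
  #
  # NOTE(review): the default Go here is very old and the tarball is not
  # checksum-verified; bump GO_VERSION for anything beyond local experiments.
  config.vm.provision "install-golang", type: "shell", run: "once" do |sh|
    sh.upload_path = "/tmp/vagrant-install-golang"
    sh.env = {
      'GO_VERSION': ENV['GO_VERSION'] || "1.13.15",
    }
    sh.inline = <<~SHELL
      #!/usr/bin/env bash
      set -eux -o pipefail
      curl -fsSL "https://dl.google.com/go/go${GO_VERSION}.linux-amd64.tar.gz" | tar Cxz /usr/lib
      ln -fnsv /usr/lib/go/bin/{go,gofmt} /usr/bin
    SHELL
  end

  # Builds runc from source at RUNC_VERSION with the selinux build tag and
  # relabels the installed binary.
  config.vm.provision "install-runc", type: "shell", run: "once" do |sh|
    sh.upload_path = "/tmp/vagrant-install-runc"
    sh.env = {
      'GOPATH': "/usr",
      'RUNC_VERSION': ENV['RUNC_VERSION'] || "v1.0.0-rc92",
    }
    sh.inline = <<~SHELL
      #!/usr/bin/env bash
      set -eux -o pipefail
      go get -d github.com/opencontainers/runc
      pushd ${GOPATH}/src/github.com/opencontainers/runc
      git checkout ${RUNC_VERSION}
      make BUILDTAGS='apparmor seccomp selinux' runc
      make BINDIR=${GOPATH}/bin install
      type runc
      runc --version
      restorecon -v $(type -ap runc)
    SHELL
  end

  # Builds the CNI plugins from source and writes a bridge + portmap conflist.
  config.vm.provision "install-cni", type: "shell", run: "once" do |sh|
    sh.upload_path = "/tmp/vagrant-install-cni"
    sh.env = {
      'GOPATH': "/usr",
      'CNI_DIR': "/opt/cni",
      'CNI_CONFIG_DIR': "/etc/cni/net.d",
      'CNI_PLUGINS_VERSION': ENV['CNI_PLUGINS_VERSION'] || "v0.7.6",
      'CNI_PLUGINS_BINARIES': 'bridge dhcp flannel host-device host-local ipvlan loopback macvlan portmap ptp tuning vlan',
    }
    sh.inline = <<~SHELL
      #!/usr/bin/env bash
      set -eux -o pipefail
      go get -d github.com/containernetworking/plugins/...
      pushd "$GOPATH"/src/github.com/containernetworking/plugins
      git checkout $CNI_PLUGINS_VERSION
      FASTBUILD=true ./build.sh
      sudo mkdir -p $CNI_DIR
      sudo cp -r ./bin $CNI_DIR
      sudo mkdir -p $CNI_CONFIG_DIR
      PATH=/opt/cni/bin:$PATH type ${CNI_PLUGINS_BINARIES} || true
      cat <<EOF | sudo tee $CNI_CONFIG_DIR/10-containerd-net.conflist
      {
        "cniVersion": "0.3.1",
        "name": "containerd-net",
        "plugins": [
          {
            "type": "bridge",
            "bridge": "cni0",
            "isGateway": true,
            "ipMasq": true,
            "promiscMode": true,
            "ipam": {
              "type": "host-local",
              "subnet": "10.88.0.0/16",
              "routes": [
                { "dst": "0.0.0.0/0" }
              ]
            }
          },
          {
            "type": "portmap",
            "capabilities": {"portMappings": true}
          }
        ]
      }
      EOF
    SHELL
  end

  # Builds containerd from CONTAINERD_REPO at CONTAINERD_VERSION. The repo name
  # is spliced straight into the clone URL and the build's PACKAGE; it comes from
  # the local developer environment, so that is acceptable here but do not feed it
  # from anything untrusted.
  config.vm.provision "install-containerd", type: "shell", run: "once" do |sh|
    sh.upload_path = "/tmp/vagrant-install-containerd"
    sh.env = {
      'GOPATH': "/usr",
      'CONTAINERD_REPO': ENV['CONTAINERD_REPO'] || "github.com/rancher/containerd",
      'CONTAINERD_VERSION': ENV['CONTAINERD_VERSION'] || "v1.3.6-k3s2",
    }
    sh.inline = <<~SHELL
      #!/usr/bin/env bash
      set -eux -o pipefail
      if [ ! -d ${GOPATH}/src/github.com/containerd/containerd ]; then
        git clone https://${CONTAINERD_REPO}.git ${GOPATH}/src/github.com/containerd/containerd
      fi
      pushd ${GOPATH}/src/github.com/containerd/containerd
      git checkout ${CONTAINERD_VERSION}
      make PACKAGE=${CONTAINERD_REPO} \
        DESTDIR=${GOPATH} \
        BUILDTAGS="seccomp selinux no_aufs no_btrfs no_devmapper no_zfs" \
        binaries install
      type containerd
      containerd --version
      restorecon -v /usr/bin/{containerd,containerd-shim*}
    SHELL
  end

  # Builds crictl/critest from source. NOTE(review): the default CRI_TOOLS_VERSION
  # is the moving `master` branch and ginkgo is fetched with `go get -u`, so two
  # runs can build different code; set CRI_TOOLS_VERSION to a release tag for
  # reproducible results.
  config.vm.provision "install-cri-tools", type: "shell", run: "once" do |sh|
    sh.upload_path = "/tmp/vagrant-install-cri-tools"
    sh.env = {
      'GOPATH': "/usr",
      'CRI_TOOLS_VERSION': ENV['CRI_TOOLS_VERSION'] || 'master',
    }
    sh.inline = <<~SHELL
      #!/usr/bin/env bash
      set -eux -o pipefail
      go get -u github.com/onsi/ginkgo/ginkgo
      go get -d github.com/kubernetes-sigs/cri-tools/...
      pushd ${GOPATH}/src/github.com/kubernetes-sigs/cri-tools
      git checkout $CRI_TOOLS_VERSION
      make
      sudo make BINDIR=${GOPATH}/bin install
      cat << EOF | sudo tee /etc/crictl.yaml
      runtime-endpoint: unix:///run/k3s/containerd/containerd.sock
      EOF
      type crictl critest ginkgo
      critest --version
    SHELL
  end

  # SELinux is Enforcing by default.
  # To set SELinux as Disabled on a VM that has already been provisioned:
  #   SELINUX=Disabled vagrant up --provision-with=selinux
  # To set SELinux as Permissive on a VM that has already been provisioned:
  #   SELINUX=Permissive vagrant up --provision-with=selinux
  # "Disabled" here means unmounting selinuxfs after switching to permissive;
  # the kernel is not rebooted with selinux=0.
  config.vm.provision "selinux", type: "shell", run: "once" do |sh|
    sh.upload_path = "/tmp/vagrant-selinux"
    sh.env = {
      'SELINUX': ENV['SELINUX'] || "Enforcing"
    }
    sh.inline = <<~SHELL
      #!/usr/bin/env bash
      set -eux -o pipefail
      if ! type -p getenforce setenforce &>/dev/null; then
        echo SELinux is Disabled
        exit 0
      fi
      case "${SELINUX}" in
        Disabled)
          if mountpoint -q /sys/fs/selinux; then
            setenforce 0
            umount -v /sys/fs/selinux
          fi
          ;;
        Enforcing)
          mountpoint -q /sys/fs/selinux || mount -o rw,relatime -t selinuxfs selinuxfs /sys/fs/selinux
          setenforce 1
          ;;
        Permissive)
          mountpoint -q /sys/fs/selinux || mount -o rw,relatime -t selinuxfs selinuxfs /sys/fs/selinux
          setenforce 0
          ;;
        *)
          echo "SELinux mode not supported: ${SELINUX}" >&2
          exit 1
          ;;
      esac
      echo SELinux is $(getenforce)
    SHELL
  end

  # SELinux is permissive by default (via provisioning) in this VM.
  # To re-run with SELinux enforcing:
  #   vagrant up --provision-with=selinux-enforcing,test-cri
  #
  # Writes an rke2-style containerd unit and config (enable_selinux follows the
  # VM's current getenforce state), starts it, and runs critest against it. The
  # containerd journal is saved to /tmp/containerd.log on exit.
  config.vm.provision "test-cri", type: "shell", run: "never" do |sh|
    sh.upload_path = "/tmp/test-cri"
    sh.env = {
      'CRITEST_ARGS': ENV['CRITEST_ARGS'],
    }
    sh.inline = <<~SHELL
      #!/usr/bin/env bash
      set -eux -o pipefail
      cat << EOF > /vagrant/containerd.service
      [Unit]
      Description=rke2 containerd
      Documentation=https://github.com/rancher/rke2
      After=network.target local-fs.target

      [Service]
      ExecStartPre=-/sbin/modprobe overlay
      ExecStart=/usr/bin/containerd \
        -c /var/lib/rancher/rke2/agent/etc/containerd/config.toml \
        -a /run/k3s/containerd/containerd.sock \
        --state /run/k3s/containerd \
        --root /var/lib/rancher/rke2/agent/containerd

      Delegate=yes
      KillMode=process
      Restart=always
      LimitNPROC=infinity
      LimitCORE=infinity
      LimitNOFILE=1048576
      TasksMax=infinity

      [Install]
      WantedBy=multi-user.target
      EOF
      systemctl disable --now containerd || true
      rm -rf /var/lib/rancher/rke2 /run/rke2
      enable_selinux=false
      if [[ $(getenforce) != Disabled ]]; then
        enable_selinux=true
      fi
      mkdir -p /var/lib/rancher/rke2/agent/etc/containerd
      cat << EOF | sudo tee /var/lib/rancher/rke2/agent/etc/containerd/config.toml
      version = 2
      [plugins]
        [plugins."io.containerd.grpc.v1.cri"]
          enable_selinux = ${enable_selinux}
      EOF
      chcon -v -t container_unit_file_t /vagrant/containerd.service
      systemctl enable --now /vagrant/containerd.service
      function cleanup() {
        journalctl -u containerd > /tmp/containerd.log
        systemctl stop containerd
      }
      trap cleanup EXIT
      ctr --address /run/k3s/containerd/containerd.sock version
      critest --parallel=$(nproc) --ginkgo.skip='runtime should support HostIpc is true' ${CRITEST_ARGS}
    SHELL
  end

  # Installs rke2 with the upstream installer. The script is saved to a file and
  # only executed after the download has completed successfully, so a truncated
  # or failed transfer cannot run a partial script (with `curl | sh` the shell
  # starts executing whatever has arrived). The installer itself is still
  # unauthenticated beyond TLS; inspect /tmp/get-rke2.sh if in doubt.
  config.vm.provision "rke2", type: "shell", run: "once" do |sh|
    sh.upload_path = "/tmp/vagrant-rke2"
    sh.inline = <<~SHELL
      #!/usr/bin/env bash
      set -eux -o pipefail
      curl -sfL https://get.rke2.io -o /tmp/get-rke2.sh
      sh /tmp/get-rke2.sh
    SHELL
  end
end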
0707010000000B000041ED000000000000000000000002662AB82000000000000000000000000000000000000000000000002200000000rke2-selinux-0.18.stable.1/policy0707010000000C000041ED000000000000000000000002662AB82000000000000000000000000000000000000000000000002A00000000rke2-selinux-0.18.stable.1/policy/centos70707010000000D000081A4000000000000000000000001662AB82000000A7D000000000000000000000000000000000000003C00000000rke2-selinux-0.18.stable.1/policy/centos7/rke2-selinux.spec# vim: sw=4:ts=4:et %define rke2_relabel_files() \ mkdir -p /var/lib/cni; \ mkdir -p /opt/cni; \ mkdir -p /etc/cni; \ mkdir -p /var/lib/kubelet/pods; \ mkdir -p /var/lib/rancher/rke2/agent/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots; \ mkdir -p /var/lib/rancher/rke2/data; \ mkdir -p /var/run/flannel; \ mkdir -p /var/run/k3s; \ restorecon -R -i /etc/systemd/system/rke2*; \ restorecon -R -i /usr/lib/systemd/system/rke2*; \ restorecon -R /var/lib/cni; \ restorecon -R /opt/cni; \ restorecon -R /etc/cni; \ restorecon -R /var/lib/kubelet; \ restorecon -R /var/lib/rancher; \ restorecon -R /var/run/k3s; \ restorecon -R /var/run/flannel %define selinux_policyver 3.13.1-252 %define container_policyver 2.107-3 %define container_policy_epoch 2 %define container_policy_schism 2.164.2 Name: rke2-selinux Version: %{rke2_selinux_version} Release: %{rke2_selinux_release}.el7 Summary: SELinux policy module for rke2 Group: System Environment/Base License: ASL 2.0 URL: https://rke2.io Source0: rke2.pp Source1: rke2.if BuildArch: noarch BuildRequires: container-selinux >= %{container_policy_epoch}:%{container_policyver} BuildRequires: container-selinux < %{container_policy_epoch}:%{container_policy_schism} BuildRequires: git BuildRequires: selinux-policy >= %{selinux_policyver} BuildRequires: selinux-policy-devel >= %{selinux_policyver} Requires: policycoreutils, libselinux-utils Requires(post): selinux-policy-base >= %{selinux_policyver} Requires(post): policycoreutils Requires(post): container-selinux >= 
%{container_policy_epoch}:%{container_policyver} Requires(post): container-selinux < %{container_policy_epoch}:%{container_policy_schism} Requires(postun): policycoreutils Provides: %{name} = %{version}-%{release} Obsoletes: rke2-selinux < 0.9 Conflicts: k3s-selinux %description This package installs and sets up the SELinux policy security module for rke2. %install install -d %{buildroot}%{_datadir}/selinux/packages install -m 644 %{SOURCE0} %{buildroot}%{_datadir}/selinux/packages install -d %{buildroot}%{_datadir}/selinux/devel/include/contrib install -m 644 %{SOURCE1} %{buildroot}%{_datadir}/selinux/devel/include/contrib/ install -d %{buildroot}/etc/selinux/targeted/contexts/users/ %pre %selinux_relabel_pre %post semodule -n -i %{_datadir}/selinux/packages/rke2.pp if /usr/sbin/selinuxenabled ; then /usr/sbin/load_policy %rke2_relabel_files fi; %postun if [ $1 -eq 0 ]; then %selinux_modules_uninstall rke2 fi; %posttrans %selinux_relabel_post %files %attr(0600,root,root) %{_datadir}/selinux/packages/rke2.pp %{_datadir}/selinux/devel/include/contrib/rke2.if %changelog 0707010000000E000081A4000000000000000000000001662AB82000000BA9000000000000000000000000000000000000003200000000rke2-selinux-0.18.stable.1/policy/centos7/rke2.fc# vim: sw=8:ts=8:et /etc/systemd/system/rke2.* -- gen_context(system_u:object_r:container_unit_file_t,s0) /lib/systemd/system/rke2.* -- gen_context(system_u:object_r:container_unit_file_t,s0) /usr/local/lib/systemd/system/rke2.* -- gen_context(system_u:object_r:container_unit_file_t,s0) /usr/lib/systemd/system/rke2.* -- gen_context(system_u:object_r:container_unit_file_t,s0) /usr/bin/rke2 -- gen_context(system_u:object_r:container_runtime_exec_t,s0) /usr/local/bin/rke2 -- gen_context(system_u:object_r:container_runtime_exec_t,s0) /var/lib/cni(/.*)? gen_context(system_u:object_r:container_var_lib_t,s0) /opt/cni(/.*)? gen_context(system_u:object_r:container_file_t,s0) /etc/cni(/.*)? 
gen_context(system_u:object_r:container_file_t,s0) /var/lib/kubelet/pods(/.*)? gen_context(system_u:object_r:container_file_t,s0) /var/lib/rancher/rke2(/.*)? gen_context(system_u:object_r:container_var_lib_t,s0) /var/lib/rancher/rke2/data(/.*)? gen_context(system_u:object_r:container_runtime_exec_t,s0) /var/lib/rancher/rke2/data/[^/]*/charts(/.*)? gen_context(system_u:object_r:container_config_t,s0) /var/lib/rancher/rke2/agent/containerd/[^/]*/snapshots -d gen_context(system_u:object_r:container_share_t,s0) /var/lib/rancher/rke2/agent/containerd/[^/]*/snapshots/[^/]* -d gen_context(system_u:object_r:container_share_t,s0) /var/lib/rancher/rke2/agent/containerd/[^/]*/snapshots/[^/]*/.* <<none>> /var/lib/rancher/rke2/agent/containerd/[^/]*/sandboxes(/.*)? gen_context(system_u:object_r:container_share_t,s0) /var/lib/rancher/rke2/server/logs(/.*)? gen_context(system_u:object_r:container_log_t,s0) /var/run/flannel(/.*)? gen_context(system_u:object_r:container_var_run_t,s0) /var/run/k3s(/.*)? gen_context(system_u:object_r:container_var_run_t,s0) /var/run/k3s/containerd/[^/]*/sandboxes/[^/]*/shm(/.*)? gen_context(system_u:object_r:container_runtime_tmpfs_t,s0) /var/log/containers(/.*)? gen_context(system_u:object_r:container_log_t,s0) /var/log/pods(/.*)? gen_context(system_u:object_r:container_log_t,s0) /var/lib/rancher/rke2/server/tls(/.*)? 
gen_context(system_u:object_r:rke2_tls_t,s0)0707010000000F000081A4000000000000000000000001662AB820000008F2000000000000000000000000000000000000003200000000rke2-selinux-0.18.stable.1/policy/centos7/rke2.if# adapted from https://github.com/containers/container-selinux/blob/v2.143.0/container.if#L484 interface(`rke2_filetrans_named_content',` gen_require(` type container_config_t; type container_file_t; type container_log_t; type container_runtime_exec_t; type container_runtime_tmpfs_t; type container_share_t; type container_var_lib_t; type container_var_run_t; type var_lib_t; type var_log_t; type rke2_tls_t; ') #container_filetrans_named_content($1) files_pid_filetrans($1, container_var_run_t, dir, "rke2") filetrans_pattern($1, container_var_lib_t, container_runtime_exec_t, dir, "data") filetrans_pattern($1, container_runtime_exec_t, container_config_t, dir, "charts") filetrans_pattern($1, container_var_lib_t, container_share_t, dir, "snapshots") filetrans_pattern($1, container_var_lib_t, container_file_t, dir, "pods") filetrans_pattern($1, container_var_run_t, container_runtime_tmpfs_t, dir, "shm") filetrans_pattern($1, var_lib_t, container_var_lib_t, dir, "kubelet") filetrans_pattern($1, var_log_t, container_log_t, dir, "pods") filetrans_pattern($1, var_log_t, container_log_t, dir, "containers") filetrans_pattern($1, container_var_lib_t, container_log_t, dir, "logs") filetrans_pattern($1, container_var_lib_t, rke2_tls_t, dir, "tls") ') template(`rke2_service_domain_template',` container_domain_template($1, container) virt_sandbox_domain($1_t) gen_require(` attribute container_domain, container_net_domain; attribute sandbox_net_domain; ') typeattribute $1_t container_domain, container_net_domain, sandbox_net_domain; virt_default_capabilities($1_t) kernel_read_messages($1_t) logging_send_syslog_msg($1_t) corenet_unconfined($1_t) corenet_tcp_bind_generic_node($1_t) corenet_udp_bind_generic_node($1_t) corenet_raw_bind_generic_node($1_t) 
corenet_tcp_sendrecv_all_ports($1_t)
corenet_udp_sendrecv_all_ports($1_t)
corenet_udp_bind_all_ports($1_t)
corenet_tcp_bind_all_ports($1_t)
corenet_tcp_connect_all_ports($1_t)
miscfiles_read_all_certs($1_t)
# Full (admin) access to container logs and to rke2_tls_t, the label that
# rke2.fc assigns to /var/lib/rancher/rke2/server/tls.
admin_pattern($1_t, container_log_t)
admin_pattern($1_t, rke2_tls_t)
')
07070100000010000081A4000000000000000000000001662AB820000004B5000000000000000000000000000000000000003200000000rke2-selinux-0.18.stable.1/policy/centos7/rke2.te
policy_module(rke2, 1.0.0)

# Types and classes this module uses but does not define; they come from the
# base policy and container-selinux (see BuildRequires in rke2-selinux.spec).
gen_require(`
    type container_runtime_t, iptables_t, spc_t, unconfined_service_t, iscsid_t;
    class capability dac_override;
    class bpf { map_create map_read map_write prog_load prog_run };
')

# Named file transitions (interface defined in rke2.if) for the two domains
# that create rke2's directories: the container runtime and unconfined
# systemd services.
rke2_filetrans_named_content(container_runtime_t)
rke2_filetrans_named_content(unconfined_service_t)

#######################
# type rke2_service_t #
#######################
# Service domain from the template in rke2.if; read-only on container lib files.
rke2_service_domain_template(rke2_service)
container_read_lib_files(rke2_service_t)

##########################
# type rke2_service_db_t #
##########################
# Same template, plus manage rights on container lib dirs/files and mmap (map)
# of container_var_lib_t files.
rke2_service_domain_template(rke2_service_db)
container_manage_lib_dirs(rke2_service_db_t)
container_manage_lib_files(rke2_service_db_t)
allow rke2_service_db_t container_var_lib_t:file { map };

##########
# Cilium #
##########
# NOTE(review): neither rule is scoped to an rke2-specific domain. iptables_t
# may list cgroup directories, and spc_t (container-selinux's super-privileged
# container domain) may create/read/write BPF maps and load/run BPF programs.
# Both widen the stock container-selinux policy for every process in those
# domains, not only Cilium; re-check them when container-selinux changes its
# own bpf handling.
fs_list_cgroup_dirs(iptables_t)
allow spc_t self:bpf { map_create map_read map_write prog_load prog_run };

#########################
# Longhorn ISCSID_T FIX #
#########################
# https://github.com/longhorn/longhorn/issues/5627#issuecomment-1577498183
# NOTE(review): dac_override lets iscsid_t bypass DAC mode/ownership checks
# on every file it touches, not just Longhorn's; this is a workaround rather
# than a scoped rule.
allow iscsid_t self:capability dac_override;

###################
# type rke2_tls_t #
###################
# Dedicated label for the server TLS material; files_type registers it as an
# ordinary file type so generic file interfaces apply to it.
type rke2_tls_t;
files_type(rke2_tls_t);
07070100000011000041ED000000000000000000000002662AB82000000000000000000000000000000000000000000000003200000000rke2-selinux-0.18.stable.1/policy/centos7/scripts
07070100000012000081ED000000000000000000000001662AB82000000222000000000000000000000000000000000000003800000000rke2-selinux-0.18.stable.1/policy/centos7/scripts/build
#!/bin/bash
set -e -x
cd $(dirname $0)/..
. 
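./scripts/version
make -f /usr/share/selinux/devel/Makefile rke2.pp
rpmbuild \
    --define "rke2_selinux_version ${RPM_VERSION}" \
    --define "rke2_selinux_release ${RPM_RELEASE}" \
    --define "_sourcedir $PWD" \
    --define "_specdir $PWD" \
    --define "_builddir $PWD" \
    --define "_srcrpmdir ${PWD}/dist/source" \
    --define "_buildrootdir $PWD/.build" \
    --define "_rpmdir ${PWD}/dist" \
    -ba rke2-selinux.spec
mkdir -p /source/dist/centos7
cp -r dist/* /source/dist/centos7
07070100000013000081ED000000000000000000000001662AB820000000C6000000000000000000000000000000000000003800000000rke2-selinux-0.18.stable.1/policy/centos7/scripts/entry
#!/bin/sh
# Dapper entrypoint: run a script from policy/centos7/scripts when $1 names
# one, otherwise exec the given command unchanged.
set -ex
if [ -e ./policy/centos7/scripts/"$1" ]; then
    ./policy/centos7/scripts/"$@"
else
    # exec replaces this shell, so the chown below only runs on the script path.
    exec "$@"
fi
# Hand the build tree back to the host user dapper was started as.
if [ "$DAPPER_UID" -ne "-1" ]; then
    chown -R $DAPPER_UID:$DAPPER_GID .
fi
07070100000014000081ED000000000000000000000001662AB8200000050B000000000000000000000000000000000000003700000000rke2-selinux-0.18.stable.1/policy/centos7/scripts/sign
#!/bin/bash
# Sign the EL7 RPMs under dist/centos7 with the channel's GPG key.
# Inputs (environment): RPM_CHANNEL is set by scripts/version;
# PRIVATE_KEY / PRIVATE_KEY_PASS_PHRASE (latest, stable) or
# TESTING_PRIVATE_KEY / TESTING_PRIVATE_KEY_PASS_PHRASE (testing) are CI secrets.
# Exits 1 when the key material is missing or the channel is unknown.
set -e -x
yum install -y rpm-sign expect git
pushd $(dirname $0)/..
. ./scripts/version
popd
# Quoted heredoc: nothing here is expanded by this shell; rpm expands the macros.
cat <<\EOF >~/.rpmmacros
%_signature gpg
%_gpg_name ci@rancher.com
%__gpg_sign_cmd %{__gpg} gpg --force-v3-sigs --batch --verbose --no-armor --passphrase-fd 3 --no-secmem-warning -u "%{_gpg_name}" -sbo %{__signature_filename} --digest-algo sha256 %{__plaintext_filename}
%_source_filedigest_algorithm 8
%_binary_filedigest_algorithm 8
EOF
case "$RPM_CHANNEL" in
    "testing")
        # Trace is switched off while the passphrase is assigned: under set -x
        # bash prints the expanded `export NAME=value` line to the build log.
        set +x
        export PRIVATE_KEY_PASS_PHRASE=$TESTING_PRIVATE_KEY_PASS_PHRASE
        set -x
        if ! grep "BEGIN PGP PRIVATE KEY BLOCK" <<<"$TESTING_PRIVATE_KEY"; then
            echo "TESTING_PRIVATE_KEY not defined, failing rpm sign"
            exit 1
        fi
        gpg --import - <<<"$TESTING_PRIVATE_KEY"
        ;;
    "latest"|"stable")
        if ! grep "BEGIN PGP PRIVATE KEY BLOCK" <<<"$PRIVATE_KEY"; then
            echo "PRIVATE_KEY not defined, failing rpm sign"
            exit 1
        fi
        gpg --import - <<<"$PRIVATE_KEY"
        ;;
    *)
        echo "RPM_CHANNEL $RPM_CHANNEL does not match one of: [testing, latest, stable]"
        exit 1
        ;;
esac
# Unquoted heredoc: $PRIVATE_KEY_PASS_PHRASE is expanded by bash before expect
# reads the script, \$code is left for expect; set -x does not echo heredoc
# bodies. `**` is a plain `*` in sh (no globstar), which covers the single
# directory level (noarch/, source/) that rpmbuild writes.
expect <<EOF
set timeout 60
spawn sh -c "rpmsign --addsign dist/centos7/**/rke2-*.rpm"
expect "Enter pass phrase:"
send -- "$PRIVATE_KEY_PASS_PHRASE\r"
expect eof
lassign [wait] _ _ _ code
exit \$code
EOF
07070100000015000081ED000000000000000000000001662AB820000007A3000000000000000000000000000000000000003E00000000rke2-selinux-0.18.stable.1/policy/centos7/scripts/upload-repo
#!/bin/bash
# Publish the EL7 RPMs to the channel's S3 yum repository with rpm-s3.
# Inputs (environment): RPM_CHANNEL is set by scripts/version; AWS_S3_BUCKET,
# AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY (latest, stable) or their TESTING_
# counterparts (testing) are CI secrets. Exits 1 when any of them is unset.
set -e -x
pushd $(dirname $0)/..
. ./scripts/version
popd
yum install -y epel-release
yum install -y git python2-pip python-deltarpm
# All Python dependencies are pinned; rpm-s3 is pinned to a commit, not a branch.
pip install --cache-dir=/var/cache/pip --upgrade 'boto3==1.17.112' 'pip<21.0' 'setuptools<45.0'
pip install --cache-dir=/var/cache/pip/ \
    git+https://github.com/Voronenko/rpm-s3.git@5695c6ad9a08548141d3713328e1bd3f533d137e
if [ -z "$RPM_CHANNEL" ]; then
    echo "RPM_CHANNEL not defined, failing rpm upload"
    exit 1
fi
TARGET_EL7_S3_PATH="rke2/$RPM_CHANNEL/common/centos/7/noarch"
TARGET_EL7_SOURCE_S3_PATH="rke2/$RPM_CHANNEL/common/centos/7/source"
case "$RPM_CHANNEL" in
    "testing")
        if [ -z "$TESTING_AWS_S3_BUCKET" ]; then
            echo "TESTING_AWS_S3_BUCKET not defined, failing rpm upload"
            exit 1
        fi
        if [ -z "$TESTING_AWS_ACCESS_KEY_ID" ]; then
            echo "TESTING_AWS_ACCESS_KEY_ID not defined, failing rpm upload"
            exit 1
        fi
        if [ -z "$TESTING_AWS_SECRET_ACCESS_KEY" ]; then
            echo "TESTING_AWS_SECRET_ACCESS_KEY not defined, failing rpm upload"
            exit 1
        fi
        # Trace is switched off while the credentials are assigned: under set -x
        # bash prints the expanded `export NAME=value` lines to the build log.
        set +x
        export AWS_ACCESS_KEY_ID=$TESTING_AWS_ACCESS_KEY_ID
        export AWS_SECRET_ACCESS_KEY=$TESTING_AWS_SECRET_ACCESS_KEY
        set -x
        export AWS_S3_BUCKET=$TESTING_AWS_S3_BUCKET
        ;;
    "latest"|"stable")
        if [ -z "$AWS_S3_BUCKET" ]; then
            echo "AWS_S3_BUCKET not defined, failing rpm upload"
            exit 1
        fi
        if [ -z "$AWS_ACCESS_KEY_ID" ]; then
            echo "AWS_ACCESS_KEY_ID not defined, failing rpm upload"
            exit 1
        fi
        if [ -z 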
"$AWS_SECRET_ACCESS_KEY" ]; then echo "AWS_SECRET_ACCESS_KEY not defined, failing rpm upload" exit 1 fi ;; *) echo "RPM_CHANNEL $RPM_CHANNEL does not match one of: [testing, latest, stable]" exit 1 ;; esac rpm-s3 --bucket $AWS_S3_BUCKET -p $TARGET_EL7_S3_PATH --keep 100000 dist/centos7/noarch/rke2-*.rpm rpm-s3 --bucket $AWS_S3_BUCKET -p $TARGET_EL7_SOURCE_S3_PATH --keep 100000 dist/centos7/source/rke2-*src.rpm 07070100000016000081ED000000000000000000000001662AB820000007C2000000000000000000000000000000000000003A00000000rke2-selinux-0.18.stable.1/policy/centos7/scripts/version#!/bin/bash TREE_STATE=clean COMMIT=${COMMIT:-${DRONE_COMMIT:-${GITHUB_SHA:-unknown}}} TAG=${TAG:-${DRONE_TAG:-$GITHUB_TAG}} if [ -d ${DAPPER_SOURCE}/.git ]; then pushd ${DAPPER_SOURCE} if [ -n "$(git status --porcelain --untracked-files=no)" ]; then DIRTY="dirty" TREE_STATE=dirty fi if [[ "$TREE_STATE" == "clean" && -z "$TAG" ]]; then TAG=$(git tag -l --contains HEAD | head -n 1) # this is going to not work if you have multiple tags pointing to the same commit fi COMMIT=$(git log -n3 --pretty=format:"%H %ae" | grep -v ' drone@localhost$' | cut -f1 -d\ | head -1) if [ -z "$COMMIT" ]; then COMMIT=$(git rev-parse HEAD || true) fi popd fi if [[ -n "$TAG" ]]; then if [[ "$TREE_STATE" = "clean" ]]; then VERSION=$TAG # We will only accept the tag as our version if the tree state is clean and the tag is in fact defined. fi else VERSION="v0.0~${COMMIT:0:8}${DIRTY}.testing.0" fi # v0.1.testing.1 if ! [[ $VERSION =~ ^v[0-9]+\.[0-9]+[-~a-zA-Z0-9]*\.[a-z]+\.[0-9]+$ ]]; then echo "Version $VERSION does not match our expected format. Exiting." 
exit 1 fi rpm_version_regex='s/\-/~/g; s/^v([0-9]+\.[0-9]+[-~a-zA-Z0-9]*)\.[a-z]+\.[0-9]+$/\1/;' rpm_channel_regex='s/^v[0-9]+\.[0-9]+[-~a-zA-Z0-9]*\.([a-z]+)\.[0-9]+$/\1/;' rpm_release_regex='s/^v[0-9]+\.[0-9]+[-~a-zA-Z0-9]*\.[a-z]+\.([0-9]+)$/\1/;' RPM_VERSION=$(sed -E -e "$rpm_version_regex" <<<"$VERSION") RPM_RELEASE=$(sed -E -e "$rpm_release_regex" <<<"$VERSION") RPM_CHANNEL=$(sed -E -e "$rpm_channel_regex" <<<"$VERSION") if [[ "$RPM_CHANNEL" == "$VERSION" ]]; then echo "Unknown RPM_CHANNEL found: $RPM_CHANNEL but defaulting to testing" RPM_CHANNEL="testing" fi case "$RPM_CHANNEL" in "testing"|"latest"|"stable") echo "RPM_CHANNEL matched our expected variants" ;; *) echo "RPM_CHANNEL $RPM_CHANNEL does not match one of: [testing, latest, stable]" exit 1 ;; esac 07070100000017000041ED000000000000000000000002662AB82000000000000000000000000000000000000000000000002A00000000rke2-selinux-0.18.stable.1/policy/centos807070100000018000081A4000000000000000000000001662AB820000009A5000000000000000000000000000000000000003C00000000rke2-selinux-0.18.stable.1/policy/centos8/rke2-selinux.spec# vim: sw=4:ts=4:et %define rke2_relabel_files() \ mkdir -p /var/lib/cni; \ mkdir -p /opt/cni; \ mkdir -p /etc/cni; \ mkdir -p /var/lib/kubelet/pods; \ mkdir -p /var/lib/rancher/rke2/agent/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots; \ mkdir -p /var/lib/rancher/rke2/data; \ mkdir -p /var/run/flannel; \ mkdir -p /var/run/k3s; \ restorecon -R -i /etc/systemd/system/rke2*; \ restorecon -R -i /usr/lib/systemd/system/rke2*; \ restorecon -R /var/lib/cni; \ restorecon -R /opt/cni; \ restorecon -R /etc/cni; \ restorecon -R /var/lib/kubelet; \ restorecon -R /var/lib/rancher; \ restorecon -R /var/run/k3s; \ restorecon -R /var/run/flannel %define selinux_policyver 3.13.1-252 %define container_policyver 2.167.0-1 %define container_policy_epoch 2 Name: rke2-selinux Version: %{rke2_selinux_version} Release: %{rke2_selinux_release}.el8 Summary: SELinux policy module for rke2 Group: System 
Environment/Base License: ASL 2.0 URL: https://rke2.io Source0: rke2.pp Source1: rke2.if BuildArch: noarch BuildRequires: container-selinux >= %{container_policy_epoch}:%{container_policyver} BuildRequires: git BuildRequires: selinux-policy >= %{selinux_policyver} BuildRequires: selinux-policy-devel >= %{selinux_policyver} Requires: policycoreutils, libselinux-utils Requires(post): selinux-policy-base >= %{selinux_policyver} Requires(post): policycoreutils Requires(post): container-selinux >= %{container_policy_epoch}:%{container_policyver} Requires(postun): policycoreutils Provides: %{name} = %{version}-%{release} Obsoletes: rke2-selinux < 0.9 Conflicts: k3s-selinux %description This package installs and sets up the SELinux policy security module for rke2. %install install -d %{buildroot}%{_datadir}/selinux/packages install -m 644 %{SOURCE0} %{buildroot}%{_datadir}/selinux/packages install -d %{buildroot}%{_datadir}/selinux/devel/include/contrib install -m 644 %{SOURCE1} %{buildroot}%{_datadir}/selinux/devel/include/contrib/ install -d %{buildroot}/etc/selinux/targeted/contexts/users/ %pre %selinux_relabel_pre %post semodule -n -i %{_datadir}/selinux/packages/rke2.pp if /usr/sbin/selinuxenabled ; then /usr/sbin/load_policy %rke2_relabel_files fi; %postun if [ $1 -eq 0 ]; then %selinux_modules_uninstall rke2 fi; %posttrans %selinux_relabel_post %files %attr(0600,root,root) %{_datadir}/selinux/packages/rke2.pp %{_datadir}/selinux/devel/include/contrib/rke2.if %changelog 07070100000019000081A4000000000000000000000001662AB82000000CD7000000000000000000000000000000000000003200000000rke2-selinux-0.18.stable.1/policy/centos8/rke2.fc# vim: sw=8:ts=8:et # commented items are lines retained for parity when comparing policy between target distributions. 
# these are commented because they will cause conflict and/or crash when attempting to install with upstream # container-selinux: https://github.com/containers/container-selinux/pull/140/files /etc/systemd/system/rke2.* -- gen_context(system_u:object_r:container_unit_file_t,s0) /lib/systemd/system/rke2.* -- gen_context(system_u:object_r:container_unit_file_t,s0) /usr/local/lib/systemd/system/rke2.* -- gen_context(system_u:object_r:container_unit_file_t,s0) /usr/lib/systemd/system/rke2.* -- gen_context(system_u:object_r:container_unit_file_t,s0) /usr/bin/rke2 -- gen_context(system_u:object_r:container_runtime_exec_t,s0) /usr/local/bin/rke2 -- gen_context(system_u:object_r:container_runtime_exec_t,s0) #/var/lib/cni(/.*)? gen_context(system_u:object_r:container_var_lib_t,s0) /opt/cni(/.*)? gen_context(system_u:object_r:container_file_t,s0) /etc/cni(/.*)? gen_context(system_u:object_r:container_file_t,s0) #/var/lib/kubelet/pods(/.*)? gen_context(system_u:object_r:container_file_t,s0) /var/lib/rancher/rke2(/.*)? gen_context(system_u:object_r:container_var_lib_t,s0) /var/lib/rancher/rke2/data(/.*)? gen_context(system_u:object_r:container_runtime_exec_t,s0) /var/lib/rancher/rke2/data/[^/]*/charts(/.*)? gen_context(system_u:object_r:container_config_t,s0) /var/lib/rancher/rke2/agent/containerd/[^/]*/snapshots -d gen_context(system_u:object_r:container_file_t,s0) /var/lib/rancher/rke2/agent/containerd/[^/]*/snapshots/[^/]* -d gen_context(system_u:object_r:container_file_t,s0) /var/lib/rancher/rke2/agent/containerd/[^/]*/snapshots/[^/]*/.* <<none>> /var/lib/rancher/rke2/agent/containerd/[^/]*/sandboxes(/.*)? gen_context(system_u:object_r:container_share_t,s0) /var/lib/rancher/rke2/server/logs(/.*)? gen_context(system_u:object_r:container_log_t,s0) /var/lib/rancher/rke2/server/tls(/.*)? gen_context(system_u:object_r:rke2_tls_t,s0) #/var/run/flannel(/.*)? gen_context(system_u:object_r:container_var_run_t,s0) #/var/run/k3s(/.*)? 
gen_context(system_u:object_r:container_var_run_t,s0) #/var/run/k3s/containerd/[^/]*/sandboxes/[^/]*/shm(/.*)? gen_context(system_u:object_r:container_runtime_tmpfs_t,s0) #/var/log/containers(/.*)? gen_context(system_u:object_r:container_log_t,s0) #/var/log/pods(/.*)? gen_context(system_u:object_r:container_log_t,s0) 0707010000001A000081A4000000000000000000000001662AB8200000086E000000000000000000000000000000000000003200000000rke2-selinux-0.18.stable.1/policy/centos8/rke2.if# adapted from https://github.com/containers/container-selinux/blob/v2.143.0/container.if#L484 interface(`rke2_filetrans_named_content',` gen_require(` type container_config_t; type container_file_t; type container_log_t; type container_runtime_exec_t; type container_runtime_tmpfs_t; type container_share_t; type container_var_lib_t; type container_var_run_t; type container_kvm_var_run_t; type var_lib_t; type var_log_t; type rke2_tls_t; ') #container_filetrans_named_content($1) files_pid_filetrans($1, container_var_run_t, dir, "rke2") filetrans_pattern($1, container_var_lib_t, container_runtime_exec_t, dir, "data") filetrans_pattern($1, container_runtime_exec_t, container_config_t, dir, "charts") filetrans_pattern($1, container_var_lib_t, container_file_t, dir, "pods") filetrans_pattern($1, var_lib_t, container_var_lib_t, dir, "kubelet") filetrans_pattern($1, var_log_t, container_log_t, dir, "pods") filetrans_pattern($1, var_log_t, container_log_t, dir, "containers") filetrans_pattern($1, container_var_lib_t, container_log_t, dir, "logs") filetrans_pattern($1, container_var_lib_t, rke2_tls_t, dir, "tls") ') template(`rke2_service_domain_template',` container_domain_template($1, container) virt_sandbox_domain($1_t) gen_require(` attribute container_domain, container_net_domain; attribute sandbox_net_domain; ') typeattribute $1_t container_domain, container_net_domain, sandbox_net_domain; virt_default_capabilities($1_t) kernel_read_messages($1_t) logging_send_syslog_msg($1_t) 
corenet_unconfined($1_t)
corenet_tcp_bind_generic_node($1_t)
corenet_udp_bind_generic_node($1_t)
corenet_raw_bind_generic_node($1_t)
corenet_tcp_sendrecv_all_ports($1_t)
corenet_udp_sendrecv_all_ports($1_t)
corenet_udp_bind_all_ports($1_t)
corenet_tcp_bind_all_ports($1_t)
corenet_tcp_connect_all_ports($1_t)
miscfiles_read_all_certs($1_t)
# Full (admin) access to container logs and to rke2_tls_t, the label that
# rke2.fc assigns to /var/lib/rancher/rke2/server/tls.
admin_pattern($1_t, container_log_t)
admin_pattern($1_t, rke2_tls_t)
')
0707010000001B000081A4000000000000000000000001662AB820000003D2000000000000000000000000000000000000003200000000rke2-selinux-0.18.stable.1/policy/centos8/rke2.te
policy_module(rke2, 1.0.0)

# Types and classes this module uses but does not define; they come from the
# base policy and container-selinux (see BuildRequires in rke2-selinux.spec).
gen_require(`
    type container_runtime_t, unconfined_service_t, iscsid_t;
    class capability dac_override;
')

# Named file transitions (interface defined in rke2.if) for the two domains
# that create rke2's directories: the container runtime and unconfined
# systemd services.
rke2_filetrans_named_content(container_runtime_t)
rke2_filetrans_named_content(unconfined_service_t)

#######################
# type rke2_service_t #
#######################
# Service domain from the template in rke2.if; read-only on container lib files.
rke2_service_domain_template(rke2_service)
container_read_lib_files(rke2_service_t)

##########################
# type rke2_service_db_t #
##########################
# Same template, plus manage rights on container lib dirs/files and mmap (map)
# of container_var_lib_t files.
rke2_service_domain_template(rke2_service_db)
container_manage_lib_dirs(rke2_service_db_t)
container_manage_lib_files(rke2_service_db_t)
allow rke2_service_db_t container_var_lib_t:file { map };

#########################
# Longhorn ISCSID_T FIX #
#########################
# https://github.com/longhorn/longhorn/issues/5627#issuecomment-1577498183
# NOTE(review): dac_override lets iscsid_t bypass DAC mode/ownership checks
# on every file it touches, not just Longhorn's; this is a workaround rather
# than a scoped rule.
allow iscsid_t self:capability dac_override;

###################
# type rke2_tls_t #
###################
# Dedicated label for the server TLS material; files_type registers it as an
# ordinary file type so generic file interfaces apply to it.
type rke2_tls_t;
files_type(rke2_tls_t);
0707010000001C000041ED000000000000000000000002662AB82000000000000000000000000000000000000000000000003200000000rke2-selinux-0.18.stable.1/policy/centos8/scripts
0707010000001D000081ED000000000000000000000001662AB82000000222000000000000000000000000000000000000003800000000rke2-selinux-0.18.stable.1/policy/centos8/scripts/build
#!/bin/bash
set -e -x
cd $(dirname $0)/..
. 
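./scripts/version
make -f /usr/share/selinux/devel/Makefile rke2.pp
rpmbuild \
    --define "rke2_selinux_version ${RPM_VERSION}" \
    --define "rke2_selinux_release ${RPM_RELEASE}" \
    --define "_sourcedir $PWD" \
    --define "_specdir $PWD" \
    --define "_builddir $PWD" \
    --define "_srcrpmdir ${PWD}/dist/source" \
    --define "_buildrootdir $PWD/.build" \
    --define "_rpmdir ${PWD}/dist" \
    -ba rke2-selinux.spec
mkdir -p /source/dist/centos8
cp -r dist/* /source/dist/centos8
0707010000001E000081ED000000000000000000000001662AB820000000C6000000000000000000000000000000000000003800000000rke2-selinux-0.18.stable.1/policy/centos8/scripts/entry
#!/bin/sh
# Dapper entrypoint: run a script from policy/centos8/scripts when $1 names
# one, otherwise exec the given command unchanged.
set -ex
if [ -e ./policy/centos8/scripts/"$1" ]; then
    ./policy/centos8/scripts/"$@"
else
    # exec replaces this shell, so the chown below only runs on the script path.
    exec "$@"
fi
# Hand the build tree back to the host user dapper was started as.
if [ "$DAPPER_UID" -ne "-1" ]; then
    chown -R $DAPPER_UID:$DAPPER_GID .
fi
0707010000001F000081ED000000000000000000000001662AB8200000050B000000000000000000000000000000000000003700000000rke2-selinux-0.18.stable.1/policy/centos8/scripts/sign
#!/bin/bash
# Sign the EL8 RPMs under dist/centos8 with the channel's GPG key.
# Inputs (environment): RPM_CHANNEL is set by scripts/version;
# PRIVATE_KEY / PRIVATE_KEY_PASS_PHRASE (latest, stable) or
# TESTING_PRIVATE_KEY / TESTING_PRIVATE_KEY_PASS_PHRASE (testing) are CI secrets.
# Exits 1 when the key material is missing or the channel is unknown.
set -e -x
yum install -y rpm-sign expect git
pushd $(dirname $0)/..
. ./scripts/version
popd
# Quoted heredoc: nothing here is expanded by this shell; rpm expands the macros.
cat <<\EOF >~/.rpmmacros
%_signature gpg
%_gpg_name ci@rancher.com
%__gpg_sign_cmd %{__gpg} gpg --force-v3-sigs --batch --verbose --no-armor --passphrase-fd 3 --no-secmem-warning -u "%{_gpg_name}" -sbo %{__signature_filename} --digest-algo sha256 %{__plaintext_filename}
%_source_filedigest_algorithm 8
%_binary_filedigest_algorithm 8
EOF
case "$RPM_CHANNEL" in
    "testing")
        # Trace is switched off while the passphrase is assigned: under set -x
        # bash prints the expanded `export NAME=value` line to the build log.
        set +x
        export PRIVATE_KEY_PASS_PHRASE=$TESTING_PRIVATE_KEY_PASS_PHRASE
        set -x
        if ! grep "BEGIN PGP PRIVATE KEY BLOCK" <<<"$TESTING_PRIVATE_KEY"; then
            echo "TESTING_PRIVATE_KEY not defined, failing rpm sign"
            exit 1
        fi
        gpg --import - <<<"$TESTING_PRIVATE_KEY"
        ;;
    "latest"|"stable")
        if ! grep "BEGIN PGP PRIVATE KEY BLOCK" <<<"$PRIVATE_KEY"; then
            echo "PRIVATE_KEY not defined, failing rpm sign"
            exit 1
        fi
        gpg --import - <<<"$PRIVATE_KEY"
        ;;
    *)
        echo "RPM_CHANNEL $RPM_CHANNEL does not match one of: [testing, latest, stable]"
        exit 1
        ;;
esac
# Unquoted heredoc: $PRIVATE_KEY_PASS_PHRASE is expanded by bash before expect
# reads the script, \$code is left for expect; set -x does not echo heredoc
# bodies. `**` is a plain `*` in sh (no globstar), which covers the single
# directory level (noarch/, source/) that rpmbuild writes.
expect <<EOF
set timeout 60
spawn sh -c "rpmsign --addsign dist/centos8/**/rke2-*.rpm"
expect "Enter pass phrase:"
send -- "$PRIVATE_KEY_PASS_PHRASE\r"
expect eof
lassign [wait] _ _ _ code
exit \$code
EOF
07070100000020000081ED000000000000000000000001662AB820000007A4000000000000000000000000000000000000003E00000000rke2-selinux-0.18.stable.1/policy/centos8/scripts/upload-repo
#!/bin/bash
# Publish the EL8 RPMs to the channel's S3 yum repository with rpm-s3.
# Inputs (environment): RPM_CHANNEL is set by scripts/version; AWS_S3_BUCKET,
# AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY (latest, stable) or their TESTING_
# counterparts (testing) are CI secrets. Exits 1 when any of them is unset.
set -e -x
pushd $(dirname $0)/..
. ./scripts/version
popd
yum install -y epel-release
yum install -y git python2-pip python-deltarpm
# All Python dependencies are pinned; rpm-s3 is pinned to a commit, not a branch.
pip install --cache-dir=/var/cache/pip --upgrade 'boto3==1.17.112' 'pip<21.0' 'setuptools<45.0'
pip install --cache-dir=/var/cache/pip/ \
    git+https://github.com/Voronenko/rpm-s3.git@5695c6ad9a08548141d3713328e1bd3f533d137e
if [ -z "$RPM_CHANNEL" ]; then
    echo "RPM_CHANNEL not defined, failing rpm upload"
    exit 1
fi
TARGET_EL8_S3_PATH="rke2/$RPM_CHANNEL/common/centos/8/noarch"
TARGET_EL8_SOURCE_S3_PATH="rke2/$RPM_CHANNEL/common/centos/8/source"
case "$RPM_CHANNEL" in
    "testing")
        if [ -z "$TESTING_AWS_S3_BUCKET" ]; then
            echo "TESTING_AWS_S3_BUCKET not defined, failing rpm upload"
            exit 1
        fi
        if [ -z "$TESTING_AWS_ACCESS_KEY_ID" ]; then
            echo "TESTING_AWS_ACCESS_KEY_ID not defined, failing rpm upload"
            exit 1
        fi
        if [ -z "$TESTING_AWS_SECRET_ACCESS_KEY" ]; then
            echo "TESTING_AWS_SECRET_ACCESS_KEY not defined, failing rpm upload"
            exit 1
        fi
        # Trace is switched off while the credentials are assigned: under set -x
        # bash prints the expanded `export NAME=value` lines to the build log.
        set +x
        export AWS_ACCESS_KEY_ID=$TESTING_AWS_ACCESS_KEY_ID
        export AWS_SECRET_ACCESS_KEY=$TESTING_AWS_SECRET_ACCESS_KEY
        set -x
        export AWS_S3_BUCKET=$TESTING_AWS_S3_BUCKET
        ;;
    "latest"|"stable")
        if [ -z "$AWS_S3_BUCKET" ]; then
            echo "AWS_S3_BUCKET not defined, failing rpm upload"
            exit 1
        fi
        if [ -z "$AWS_ACCESS_KEY_ID" ]; then
            echo "AWS_ACCESS_KEY_ID not defined, failing rpm upload"
            exit 1
        fi
        if [ -z 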
"$AWS_SECRET_ACCESS_KEY" ]; then echo "AWS_SECRET_ACCESS_KEY not defined, failing rpm upload" exit 1 fi ;; *) echo "RPM_CHANNEL $RPM_CHANNEL does not match one of: [testing, latest, stable]" exit 1 ;; esac rpm-s3 --bucket $AWS_S3_BUCKET -p $TARGET_EL8_S3_PATH --keep 100000 dist/centos8/noarch/rke2-*.rpm rpm-s3 --bucket $AWS_S3_BUCKET -p $TARGET_EL8_SOURCE_S3_PATH --keep 100000 dist/centos8/source/rke2-*src.rpm 07070100000021000081ED000000000000000000000001662AB820000007C2000000000000000000000000000000000000003A00000000rke2-selinux-0.18.stable.1/policy/centos8/scripts/version#!/bin/bash TREE_STATE=clean COMMIT=${COMMIT:-${DRONE_COMMIT:-${GITHUB_SHA:-unknown}}} TAG=${TAG:-${DRONE_TAG:-$GITHUB_TAG}} if [ -d ${DAPPER_SOURCE}/.git ]; then pushd ${DAPPER_SOURCE} if [ -n "$(git status --porcelain --untracked-files=no)" ]; then DIRTY="dirty" TREE_STATE=dirty fi if [[ "$TREE_STATE" == "clean" && -z "$TAG" ]]; then TAG=$(git tag -l --contains HEAD | head -n 1) # this is going to not work if you have multiple tags pointing to the same commit fi COMMIT=$(git log -n3 --pretty=format:"%H %ae" | grep -v ' drone@localhost$' | cut -f1 -d\ | head -1) if [ -z "$COMMIT" ]; then COMMIT=$(git rev-parse HEAD || true) fi popd fi if [[ -n "$TAG" ]]; then if [[ "$TREE_STATE" = "clean" ]]; then VERSION=$TAG # We will only accept the tag as our version if the tree state is clean and the tag is in fact defined. fi else VERSION="v0.0~${COMMIT:0:8}${DIRTY}.testing.0" fi # v0.1.testing.1 if ! [[ $VERSION =~ ^v[0-9]+\.[0-9]+[-~a-zA-Z0-9]*\.[a-z]+\.[0-9]+$ ]]; then echo "Version $VERSION does not match our expected format. Exiting." 
exit 1 fi rpm_version_regex='s/\-/~/g; s/^v([0-9]+\.[0-9]+[-~a-zA-Z0-9]*)\.[a-z]+\.[0-9]+$/\1/;' rpm_channel_regex='s/^v[0-9]+\.[0-9]+[-~a-zA-Z0-9]*\.([a-z]+)\.[0-9]+$/\1/;' rpm_release_regex='s/^v[0-9]+\.[0-9]+[-~a-zA-Z0-9]*\.[a-z]+\.([0-9]+)$/\1/;' RPM_VERSION=$(sed -E -e "$rpm_version_regex" <<<"$VERSION") RPM_RELEASE=$(sed -E -e "$rpm_release_regex" <<<"$VERSION") RPM_CHANNEL=$(sed -E -e "$rpm_channel_regex" <<<"$VERSION") if [[ "$RPM_CHANNEL" == "$VERSION" ]]; then echo "Unknown RPM_CHANNEL found: $RPM_CHANNEL but defaulting to testing" RPM_CHANNEL="testing" fi case "$RPM_CHANNEL" in "testing"|"latest"|"stable") echo "RPM_CHANNEL matched our expected variants" ;; *) echo "RPM_CHANNEL $RPM_CHANNEL does not match one of: [testing, latest, stable]" exit 1 ;; esac 07070100000022000041ED000000000000000000000002662AB82000000000000000000000000000000000000000000000002A00000000rke2-selinux-0.18.stable.1/policy/centos907070100000023000081A4000000000000000000000001662AB820000009DD000000000000000000000000000000000000003C00000000rke2-selinux-0.18.stable.1/policy/centos9/rke2-selinux.spec# vim: sw=4:ts=4:et %define rke2_relabel_files() \ mkdir -p /var/lib/cni; \ mkdir -p /opt/cni; \ mkdir -p /etc/cni; \ mkdir -p /var/lib/kubelet/pods; \ mkdir -p /var/lib/rancher/rke2/agent/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots; \ mkdir -p /var/lib/rancher/rke2/data; \ mkdir -p /var/run/flannel; \ mkdir -p /var/run/k3s; \ restorecon -R -i /etc/systemd/system/rke2*; \ restorecon -R -i /usr/local/lib/systemd/system/rke2*; \ restorecon -R -i /usr/lib/systemd/system/rke2*; \ restorecon -R /var/lib/cni; \ restorecon -R /opt/cni; \ restorecon -R /etc/cni; \ restorecon -R /var/lib/kubelet; \ restorecon -R /var/lib/rancher; \ restorecon -R /var/run/k3s; \ restorecon -R /var/run/flannel %define selinux_policyver 3.13.1-252 %define container_policyver 2.191.0-1 %define container_policy_epoch 3 Name: rke2-selinux Version: %{rke2_selinux_version} Release: 
%{rke2_selinux_release}.el9 Summary: SELinux policy module for rke2 Group: System Environment/Base License: ASL 2.0 URL: https://rke2.io Source0: rke2.pp Source1: rke2.if BuildArch: noarch BuildRequires: container-selinux >= %{container_policy_epoch}:%{container_policyver} BuildRequires: git BuildRequires: selinux-policy >= %{selinux_policyver} BuildRequires: selinux-policy-devel >= %{selinux_policyver} Requires: policycoreutils, libselinux-utils Requires(post): selinux-policy-base >= %{selinux_policyver} Requires(post): policycoreutils Requires(post): container-selinux >= %{container_policy_epoch}:%{container_policyver} Requires(postun): policycoreutils Provides: %{name} = %{version}-%{release} Obsoletes: rke2-selinux < 0.9 Conflicts: k3s-selinux %description This package installs and sets up the SELinux policy security module for rke2. %install install -d %{buildroot}%{_datadir}/selinux/packages install -m 644 %{SOURCE0} %{buildroot}%{_datadir}/selinux/packages install -d %{buildroot}%{_datadir}/selinux/devel/include/contrib install -m 644 %{SOURCE1} %{buildroot}%{_datadir}/selinux/devel/include/contrib/ install -d %{buildroot}/etc/selinux/targeted/contexts/users/ %pre %selinux_relabel_pre %post semodule -n -i %{_datadir}/selinux/packages/rke2.pp if /usr/sbin/selinuxenabled ; then /usr/sbin/load_policy %rke2_relabel_files fi; %postun if [ $1 -eq 0 ]; then %selinux_modules_uninstall rke2 fi; %posttrans %selinux_relabel_post %files %attr(0600,root,root) %{_datadir}/selinux/packages/rke2.pp %{_datadir}/selinux/devel/include/contrib/rke2.if %changelog 07070100000024000081A4000000000000000000000001662AB82000000CD7000000000000000000000000000000000000003200000000rke2-selinux-0.18.stable.1/policy/centos9/rke2.fc# vim: sw=8:ts=8:et # commented items are lines retained for parity when comparing policy between target distributions. 
# these are commented because they will cause conflict and/or crash when attempting to install with upstream # container-selinux: https://github.com/containers/container-selinux/pull/140/files /etc/systemd/system/rke2.* -- gen_context(system_u:object_r:container_unit_file_t,s0) /lib/systemd/system/rke2.* -- gen_context(system_u:object_r:container_unit_file_t,s0) /usr/local/lib/systemd/system/rke2.* -- gen_context(system_u:object_r:container_unit_file_t,s0) /usr/lib/systemd/system/rke2.* -- gen_context(system_u:object_r:container_unit_file_t,s0) /usr/bin/rke2 -- gen_context(system_u:object_r:container_runtime_exec_t,s0) /usr/local/bin/rke2 -- gen_context(system_u:object_r:container_runtime_exec_t,s0) #/var/lib/cni(/.*)? gen_context(system_u:object_r:container_var_lib_t,s0) /opt/cni(/.*)? gen_context(system_u:object_r:container_file_t,s0) /etc/cni(/.*)? gen_context(system_u:object_r:container_file_t,s0) #/var/lib/kubelet/pods(/.*)? gen_context(system_u:object_r:container_file_t,s0) /var/lib/rancher/rke2(/.*)? gen_context(system_u:object_r:container_var_lib_t,s0) /var/lib/rancher/rke2/data(/.*)? gen_context(system_u:object_r:container_runtime_exec_t,s0) /var/lib/rancher/rke2/data/[^/]*/charts(/.*)? gen_context(system_u:object_r:container_config_t,s0) /var/lib/rancher/rke2/agent/containerd/[^/]*/snapshots -d gen_context(system_u:object_r:container_file_t,s0) /var/lib/rancher/rke2/agent/containerd/[^/]*/snapshots/[^/]* -d gen_context(system_u:object_r:container_file_t,s0) /var/lib/rancher/rke2/agent/containerd/[^/]*/snapshots/[^/]*/.* <<none>> /var/lib/rancher/rke2/agent/containerd/[^/]*/sandboxes(/.*)? gen_context(system_u:object_r:container_share_t,s0) /var/lib/rancher/rke2/server/logs(/.*)? gen_context(system_u:object_r:container_log_t,s0) /var/lib/rancher/rke2/server/tls(/.*)? gen_context(system_u:object_r:rke2_tls_t,s0) #/var/run/flannel(/.*)? gen_context(system_u:object_r:container_var_run_t,s0) #/var/run/k3s(/.*)? 
gen_context(system_u:object_r:container_var_run_t,s0) #/var/run/k3s/containerd/[^/]*/sandboxes/[^/]*/shm(/.*)? gen_context(system_u:object_r:container_runtime_tmpfs_t,s0) #/var/log/containers(/.*)? gen_context(system_u:object_r:container_log_t,s0) #/var/log/pods(/.*)? gen_context(system_u:object_r:container_log_t,s0) 07070100000025000081A4000000000000000000000001662AB8200000086E000000000000000000000000000000000000003200000000rke2-selinux-0.18.stable.1/policy/centos9/rke2.if# adapted from https://github.com/containers/container-selinux/blob/v2.143.0/container.if#L484 interface(`rke2_filetrans_named_content',` gen_require(` type container_config_t; type container_file_t; type container_log_t; type container_runtime_exec_t; type container_runtime_tmpfs_t; type container_share_t; type container_var_lib_t; type container_var_run_t; type container_kvm_var_run_t; type var_lib_t; type var_log_t; type rke2_tls_t; ') #container_filetrans_named_content($1) files_pid_filetrans($1, container_var_run_t, dir, "rke2") filetrans_pattern($1, container_var_lib_t, container_runtime_exec_t, dir, "data") filetrans_pattern($1, container_runtime_exec_t, container_config_t, dir, "charts") filetrans_pattern($1, container_var_lib_t, container_file_t, dir, "pods") filetrans_pattern($1, var_lib_t, container_var_lib_t, dir, "kubelet") filetrans_pattern($1, var_log_t, container_log_t, dir, "pods") filetrans_pattern($1, var_log_t, container_log_t, dir, "containers") filetrans_pattern($1, container_var_lib_t, container_log_t, dir, "logs") filetrans_pattern($1, container_var_lib_t, rke2_tls_t, dir, "tls") ') template(`rke2_service_domain_template',` container_domain_template($1, container) virt_sandbox_domain($1_t) gen_require(` attribute container_domain, container_net_domain; attribute sandbox_net_domain; ') typeattribute $1_t container_domain, container_net_domain, sandbox_net_domain; virt_default_capabilities($1_t) kernel_read_messages($1_t) logging_send_syslog_msg($1_t) 
corenet_unconfined($1_t) corenet_tcp_bind_generic_node($1_t) corenet_udp_bind_generic_node($1_t) corenet_raw_bind_generic_node($1_t) corenet_tcp_sendrecv_all_ports($1_t) corenet_udp_sendrecv_all_ports($1_t) corenet_udp_bind_all_ports($1_t) corenet_tcp_bind_all_ports($1_t) corenet_tcp_connect_all_ports($1_t) miscfiles_read_all_certs($1_t) admin_pattern($1_t, container_log_t) admin_pattern($1_t, rke2_tls_t) ') 07070100000026000081A4000000000000000000000001662AB8200000040E000000000000000000000000000000000000003200000000rke2-selinux-0.18.stable.1/policy/centos9/rke2.tepolicy_module(rke2, 1.0.0) gen_require(` type container_runtime_t, unconfined_service_t, iscsid_t; class capability dac_override; ') rke2_filetrans_named_content(container_runtime_t) rke2_filetrans_named_content(unconfined_service_t) ####################### # type rke2_service_t # ####################### rke2_service_domain_template(rke2_service) container_read_lib_files(rke2_service_t) allow rke2_service_t container_var_lib_t:file { watch }; ########################## # type rke2_service_db_t # ########################## rke2_service_domain_template(rke2_service_db) container_manage_lib_dirs(rke2_service_db_t) container_manage_lib_files(rke2_service_db_t) allow rke2_service_db_t container_var_lib_t:file { map }; ######################### # Longhorn ISCSID_T FIX # ######################### # https://github.com/longhorn/longhorn/issues/5627#issuecomment-1577498183 allow iscsid_t self:capability dac_override; ################### # type rke2_tls_t # ################### type rke2_tls_t; container_file(rke2_tls_t);07070100000027000041ED000000000000000000000002662AB82000000000000000000000000000000000000000000000003200000000rke2-selinux-0.18.stable.1/policy/centos9/scripts07070100000028000081ED000000000000000000000001662AB82000000222000000000000000000000000000000000000003800000000rke2-selinux-0.18.stable.1/policy/centos9/scripts/build#!/bin/bash set -e -x cd $(dirname $0)/.. . 
./scripts/version make -f /usr/share/selinux/devel/Makefile rke2.pp rpmbuild \ --define "rke2_selinux_version ${RPM_VERSION}" \ --define "rke2_selinux_release ${RPM_RELEASE}" \ --define "_sourcedir $PWD" \ --define "_specdir $PWD" \ --define "_builddir $PWD" \ --define "_srcrpmdir ${PWD}/dist/source" \ --define "_buildrootdir $PWD/.build" \ --define "_rpmdir ${PWD}/dist" \ -ba rke2-selinux.spec mkdir -p /source/dist/centos9 cp -r dist/* /source/dist/centos9 07070100000029000081ED000000000000000000000001662AB820000000C6000000000000000000000000000000000000003800000000rke2-selinux-0.18.stable.1/policy/centos9/scripts/entry#!/bin/sh set -ex if [ -e ./policy/centos9/scripts/"$1" ]; then ./policy/centos9/scripts/"$@" else exec "$@" fi if [ "$DAPPER_UID" -ne "-1" ]; then chown -R $DAPPER_UID:$DAPPER_GID . fi 0707010000002A000081ED000000000000000000000001662AB8200000050B000000000000000000000000000000000000003700000000rke2-selinux-0.18.stable.1/policy/centos9/scripts/sign#!/bin/bash set -e -x yum install -y rpm-sign expect git pushd $(dirname $0)/.. . ./scripts/version popd cat <<\EOF >~/.rpmmacros %_signature gpg %_gpg_name ci@rancher.com %__gpg_sign_cmd %{__gpg} gpg --force-v3-sigs --batch --verbose --no-armor --passphrase-fd 3 --no-secmem-warning -u "%{_gpg_name}" -sbo %{__signature_filename} --digest-algo sha256 %{__plaintext_filename} %_source_filedigest_algorithm 8 %_binary_filedigest_algorithm 8 EOF case "$RPM_CHANNEL" in "testing") export PRIVATE_KEY_PASS_PHRASE=$TESTING_PRIVATE_KEY_PASS_PHRASE if ! grep "BEGIN PGP PRIVATE KEY BLOCK" <<<"$TESTING_PRIVATE_KEY"; then echo "TESTING_PRIVATE_KEY not defined, failing rpm sign" exit 1 fi gpg --import - <<<"$TESTING_PRIVATE_KEY" ;; "latest"|"stable") if ! 
grep "BEGIN PGP PRIVATE KEY BLOCK" <<<"$PRIVATE_KEY"; then echo "PRIVATE_KEY not defined, failing rpm sign" exit 1 fi gpg --import - <<<"$PRIVATE_KEY" ;; *) echo "RPM_CHANNEL $RPM_CHANNEL does not match one of: [testing, latest, stable]" exit 1 ;; esac expect <<EOF set timeout 60 spawn sh -c "rpmsign --addsign dist/centos9/**/rke2-*.rpm" expect "Enter pass phrase:" send -- "$PRIVATE_KEY_PASS_PHRASE\r" expect eof lassign [wait] _ _ _ code exit \$code EOF 0707010000002B000081ED000000000000000000000001662AB820000007A4000000000000000000000000000000000000003E00000000rke2-selinux-0.18.stable.1/policy/centos9/scripts/upload-repo#!/bin/bash set -e -x pushd $(dirname $0)/.. . ./scripts/version popd yum install -y epel-release yum install -y git python2-pip python-deltarpm pip install --cache-dir=/var/cache/pip --upgrade 'boto3==1.17.112' 'pip<21.0' 'setuptools<45.0' pip install --cache-dir=/var/cache/pip/ \ git+https://github.com/Voronenko/rpm-s3.git@5695c6ad9a08548141d3713328e1bd3f533d137e if [ -z "$RPM_CHANNEL" ]; then echo "RPM_CHANNEL not defined, failing rpm upload" exit 1 fi TARGET_EL9_S3_PATH="rke2/$RPM_CHANNEL/common/centos/9/noarch" TARGET_EL9_SOURCE_S3_PATH="rke2/$RPM_CHANNEL/common/centos/9/source" case "$RPM_CHANNEL" in "testing") if [ -z "$TESTING_AWS_S3_BUCKET" ]; then echo "TESTING_AWS_S3_BUCKET not defined, failing rpm upload" exit 1 fi if [ -z "$TESTING_AWS_ACCESS_KEY_ID" ]; then echo "TESTING_AWS_ACCESS_KEY_ID not defined, failing rpm upload" exit 1 fi if [ -z "$TESTING_AWS_SECRET_ACCESS_KEY" ]; then echo "TESTING_AWS_SECRET_ACCESS_KEY not defined, failing rpm upload" exit 1 fi export AWS_ACCESS_KEY_ID=$TESTING_AWS_ACCESS_KEY_ID export AWS_SECRET_ACCESS_KEY=$TESTING_AWS_SECRET_ACCESS_KEY export AWS_S3_BUCKET=$TESTING_AWS_S3_BUCKET ;; "latest"|"stable") if [ -z "$AWS_S3_BUCKET" ]; then echo "AWS_S3_BUCKET not defined, failing rpm upload" exit 1 fi if [ -z "$AWS_ACCESS_KEY_ID" ]; then echo "AWS_ACCESS_KEY_ID not defined, failing rpm upload" exit 1 fi if [ -z 
"$AWS_SECRET_ACCESS_KEY" ]; then echo "AWS_SECRET_ACCESS_KEY not defined, failing rpm upload" exit 1 fi ;; *) echo "RPM_CHANNEL $RPM_CHANNEL does not match one of: [testing, latest, stable]" exit 1 ;; esac rpm-s3 --bucket $AWS_S3_BUCKET -p $TARGET_EL9_S3_PATH --keep 100000 dist/centos9/noarch/rke2-*.rpm rpm-s3 --bucket $AWS_S3_BUCKET -p $TARGET_EL9_SOURCE_S3_PATH --keep 100000 dist/centos9/source/rke2-*src.rpm 0707010000002C000081ED000000000000000000000001662AB820000007C2000000000000000000000000000000000000003A00000000rke2-selinux-0.18.stable.1/policy/centos9/scripts/version#!/bin/bash TREE_STATE=clean COMMIT=${COMMIT:-${DRONE_COMMIT:-${GITHUB_SHA:-unknown}}} TAG=${TAG:-${DRONE_TAG:-$GITHUB_TAG}} if [ -d ${DAPPER_SOURCE}/.git ]; then pushd ${DAPPER_SOURCE} if [ -n "$(git status --porcelain --untracked-files=no)" ]; then DIRTY="dirty" TREE_STATE=dirty fi if [[ "$TREE_STATE" == "clean" && -z "$TAG" ]]; then TAG=$(git tag -l --contains HEAD | head -n 1) # this is going to not work if you have multiple tags pointing to the same commit fi COMMIT=$(git log -n3 --pretty=format:"%H %ae" | grep -v ' drone@localhost$' | cut -f1 -d\ | head -1) if [ -z "$COMMIT" ]; then COMMIT=$(git rev-parse HEAD || true) fi popd fi if [[ -n "$TAG" ]]; then if [[ "$TREE_STATE" = "clean" ]]; then VERSION=$TAG # We will only accept the tag as our version if the tree state is clean and the tag is in fact defined. fi else VERSION="v0.0~${COMMIT:0:8}${DIRTY}.testing.0" fi # v0.1.testing.1 if ! [[ $VERSION =~ ^v[0-9]+\.[0-9]+[-~a-zA-Z0-9]*\.[a-z]+\.[0-9]+$ ]]; then echo "Version $VERSION does not match our expected format. Exiting." 
exit 1 fi rpm_version_regex='s/\-/~/g; s/^v([0-9]+\.[0-9]+[-~a-zA-Z0-9]*)\.[a-z]+\.[0-9]+$/\1/;' rpm_channel_regex='s/^v[0-9]+\.[0-9]+[-~a-zA-Z0-9]*\.([a-z]+)\.[0-9]+$/\1/;' rpm_release_regex='s/^v[0-9]+\.[0-9]+[-~a-zA-Z0-9]*\.[a-z]+\.([0-9]+)$/\1/;' RPM_VERSION=$(sed -E -e "$rpm_version_regex" <<<"$VERSION") RPM_RELEASE=$(sed -E -e "$rpm_release_regex" <<<"$VERSION") RPM_CHANNEL=$(sed -E -e "$rpm_channel_regex" <<<"$VERSION") if [[ "$RPM_CHANNEL" == "$VERSION" ]]; then echo "Unknown RPM_CHANNEL found: $RPM_CHANNEL but defaulting to testing" RPM_CHANNEL="testing" fi case "$RPM_CHANNEL" in "testing"|"latest"|"stable") echo "RPM_CHANNEL matched our expected variants" ;; *) echo "RPM_CHANNEL $RPM_CHANNEL does not match one of: [testing, latest, stable]" exit 1 ;; esac 0707010000002D000041ED000000000000000000000002662AB82000000000000000000000000000000000000000000000002A00000000rke2-selinux-0.18.stable.1/policy/microos0707010000002E000081A4000000000000000000000001662AB82000000951000000000000000000000000000000000000003C00000000rke2-selinux-0.18.stable.1/policy/microos/rke2-selinux.spec# vim: sw=4:ts=4:et %define rke2_relabel_files() \ mkdir -p /var/lib/cni; \ mkdir -p /opt/cni; \ mkdir -p /etc/cni; \ mkdir -p /var/lib/kubelet/pods; \ mkdir -p /var/lib/rancher/rke2/agent/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots; \ mkdir -p /var/lib/rancher/rke2/data; \ mkdir -p /var/run/flannel; \ mkdir -p /var/run/k3s; \ restorecon -R -i /etc/systemd/system/rke2*; \ restorecon -R -i /usr/lib/systemd/system/rke2*; \ restorecon -R /var/lib/cni; \ restorecon -R /opt/cni; \ restorecon -R /etc/cni; \ restorecon -R /var/lib/kubelet; \ restorecon -R /var/lib/rancher; \ restorecon -R /var/run/k3s; \ restorecon -R /var/run/flannel %define selinux_policyver 20210716-3.1 %define container_policyver 2.164.2-1.1 Name: rke2-selinux Version: %{rke2_selinux_version} Release: %{rke2_selinux_release}.sle Summary: SELinux policy module for rke2 Group: System Environment/Base License: ASL 
2.0 URL: https://rke2.io Source0: rke2.pp Source1: rke2.if BuildArch: noarch BuildRequires: container-selinux >= %{container_policyver} BuildRequires: git BuildRequires: selinux-policy >= %{selinux_policyver} BuildRequires: selinux-policy-devel >= %{selinux_policyver} Requires: policycoreutils, selinux-tools Requires(post): selinux-policy-base >= %{selinux_policyver} Requires(post): policycoreutils Requires(post): container-selinux >= %{container_policyver} Requires(postun): policycoreutils Provides: %{name} = %{version}-%{release} Obsoletes: rke2-selinux < 0.9 Conflicts: k3s-selinux %description This package installs and sets up the SELinux policy security module for rke2. %install install -d %{buildroot}%{_datadir}/selinux/packages install -m 644 %{SOURCE0} %{buildroot}%{_datadir}/selinux/packages install -d %{buildroot}%{_datadir}/selinux/devel/include/contrib install -m 644 %{SOURCE1} %{buildroot}%{_datadir}/selinux/devel/include/contrib/ install -d %{buildroot}/etc/selinux/targeted/contexts/users/ %pre %selinux_relabel_pre %post semodule -n -i %{_datadir}/selinux/packages/rke2.pp if /usr/sbin/selinuxenabled ; then /usr/sbin/load_policy %rke2_relabel_files fi; %postun if [ $1 -eq 0 ]; then %selinux_modules_uninstall rke2 fi; %posttrans %selinux_relabel_post %files %attr(0600,root,root) %{_datadir}/selinux/packages/rke2.pp %{_datadir}/selinux/devel/include/contrib/rke2.if %changelog 0707010000002F000081A4000000000000000000000001662AB82000000CD9000000000000000000000000000000000000003200000000rke2-selinux-0.18.stable.1/policy/microos/rke2.fc# vim: sw=8:ts=8:et # commented items are lines retained for parity when comparing policy between target distributions. 
# these are commented because they will cause conflict and/or crash when attempting to install with upstream # container-selinux: https://github.com/containers/container-selinux/pull/140/files /etc/systemd/system/rke2.* -- gen_context(system_u:object_r:container_unit_file_t,s0) /lib/systemd/system/rke2.* -- gen_context(system_u:object_r:container_unit_file_t,s0) /usr/local/lib/systemd/system/rke2.* -- gen_context(system_u:object_r:container_unit_file_t,s0) /usr/lib/systemd/system/rke2.* -- gen_context(system_u:object_r:container_unit_file_t,s0) /usr/bin/rke2 -- gen_context(system_u:object_r:container_runtime_exec_t,s0) /usr/local/bin/rke2 -- gen_context(system_u:object_r:container_runtime_exec_t,s0) #/var/lib/cni(/.*)? gen_context(system_u:object_r:container_var_lib_t,s0) /opt/cni(/.*)? gen_context(system_u:object_r:container_file_t,s0) /etc/cni(/.*)? gen_context(system_u:object_r:container_file_t,s0) #/var/lib/kubelet/pods(/.*)? gen_context(system_u:object_r:container_file_t,s0) /var/lib/rancher/rke2(/.*)? gen_context(system_u:object_r:container_var_lib_t,s0) /var/lib/rancher/rke2/data(/.*)? gen_context(system_u:object_r:container_runtime_exec_t,s0) /var/lib/rancher/rke2/data/[^/]*/charts(/.*)? gen_context(system_u:object_r:container_config_t,s0) /var/lib/rancher/rke2/agent/containerd/[^/]*/snapshots -d gen_context(system_u:object_r:container_share_t,s0) /var/lib/rancher/rke2/agent/containerd/[^/]*/snapshots/[^/]* -d gen_context(system_u:object_r:container_share_t,s0) /var/lib/rancher/rke2/agent/containerd/[^/]*/snapshots/[^/]*/.* <<none>> /var/lib/rancher/rke2/agent/containerd/[^/]*/sandboxes(/.*)? gen_context(system_u:object_r:container_share_t,s0) /var/lib/rancher/rke2/server/logs(/.*)? gen_context(system_u:object_r:container_log_t,s0) /var/lib/rancher/rke2/server/tls(/.*)? gen_context(system_u:object_r:rke2_tls_t,s0) #/var/run/flannel(/.*)? gen_context(system_u:object_r:container_var_run_t,s0) #/var/run/k3s(/.*)? 
gen_context(system_u:object_r:container_var_run_t,s0) #/var/run/k3s/containerd/[^/]*/sandboxes/[^/]*/shm(/.*)? gen_context(system_u:object_r:container_runtime_tmpfs_t,s0) #/var/log/containers(/.*)? gen_context(system_u:object_r:container_log_t,s0) #/var/log/pods(/.*)? gen_context(system_u:object_r:container_log_t,s0) 07070100000030000081A4000000000000000000000001662AB8200000086E000000000000000000000000000000000000003200000000rke2-selinux-0.18.stable.1/policy/microos/rke2.if# adapted from https://github.com/containers/container-selinux/blob/v2.143.0/container.if#L484 interface(`rke2_filetrans_named_content',` gen_require(` type container_config_t; type container_file_t; type container_log_t; type container_runtime_exec_t; type container_runtime_tmpfs_t; type container_share_t; type container_var_lib_t; type container_var_run_t; type container_kvm_var_run_t; type var_lib_t; type var_log_t; type rke2_tls_t; ') #container_filetrans_named_content($1) files_pid_filetrans($1, container_var_run_t, dir, "rke2") filetrans_pattern($1, container_var_lib_t, container_runtime_exec_t, dir, "data") filetrans_pattern($1, container_runtime_exec_t, container_config_t, dir, "charts") filetrans_pattern($1, container_var_lib_t, container_file_t, dir, "pods") filetrans_pattern($1, var_lib_t, container_var_lib_t, dir, "kubelet") filetrans_pattern($1, var_log_t, container_log_t, dir, "pods") filetrans_pattern($1, var_log_t, container_log_t, dir, "containers") filetrans_pattern($1, container_var_lib_t, container_log_t, dir, "logs") filetrans_pattern($1, container_var_lib_t, rke2_tls_t, dir, "tls") ') template(`rke2_service_domain_template',` container_domain_template($1, container) virt_sandbox_domain($1_t) gen_require(` attribute container_domain, container_net_domain; attribute sandbox_net_domain; ') typeattribute $1_t container_domain, container_net_domain, sandbox_net_domain; virt_default_capabilities($1_t) kernel_read_messages($1_t) logging_send_syslog_msg($1_t) 
corenet_unconfined($1_t) corenet_tcp_bind_generic_node($1_t) corenet_udp_bind_generic_node($1_t) corenet_raw_bind_generic_node($1_t) corenet_tcp_sendrecv_all_ports($1_t) corenet_udp_sendrecv_all_ports($1_t) corenet_udp_bind_all_ports($1_t) corenet_tcp_bind_all_ports($1_t) corenet_tcp_connect_all_ports($1_t) miscfiles_read_all_certs($1_t) admin_pattern($1_t, container_log_t) admin_pattern($1_t, rke2_tls_t) ') 07070100000031000081A4000000000000000000000001662AB820000003D5000000000000000000000000000000000000003200000000rke2-selinux-0.18.stable.1/policy/microos/rke2.tepolicy_module(rke2, 1.0.0) gen_require(` type container_runtime_t, unconfined_service_t, iscsid_t; class capability dac_override; ') rke2_filetrans_named_content(container_runtime_t) rke2_filetrans_named_content(unconfined_service_t) ####################### # type rke2_service_t # ####################### rke2_service_domain_template(rke2_service) container_read_lib_files(rke2_service_t) ########################## # type rke2_service_db_t # ########################## rke2_service_domain_template(rke2_service_db) container_manage_lib_dirs(rke2_service_db_t) container_manage_lib_files(rke2_service_db_t) allow rke2_service_db_t container_var_lib_t:file { map }; ######################### # Longhorn ISCSID_T FIX # ######################### # https://github.com/longhorn/longhorn/issues/5627#issuecomment-1577498183 allow iscsid_t self:capability dac_override; ################### # type rke2_tls_t # ################### type rke2_tls_t; container_file(rke2_tls_t);07070100000032000041ED000000000000000000000002662AB82000000000000000000000000000000000000000000000003200000000rke2-selinux-0.18.stable.1/policy/microos/scripts07070100000033000081ED000000000000000000000001662AB82000000222000000000000000000000000000000000000003800000000rke2-selinux-0.18.stable.1/policy/microos/scripts/build#!/bin/bash set -e -x cd $(dirname $0)/.. . 
./scripts/version make -f /usr/share/selinux/devel/Makefile rke2.pp rpmbuild \ --define "rke2_selinux_version ${RPM_VERSION}" \ --define "rke2_selinux_release ${RPM_RELEASE}" \ --define "_sourcedir $PWD" \ --define "_specdir $PWD" \ --define "_builddir $PWD" \ --define "_srcrpmdir ${PWD}/dist/source" \ --define "_buildrootdir $PWD/.build" \ --define "_rpmdir ${PWD}/dist" \ -ba rke2-selinux.spec mkdir -p /source/dist/microos cp -r dist/* /source/dist/microos 07070100000034000081ED000000000000000000000001662AB820000000C6000000000000000000000000000000000000003800000000rke2-selinux-0.18.stable.1/policy/microos/scripts/entry#!/bin/sh set -ex if [ -e ./policy/microos/scripts/"$1" ]; then ./policy/microos/scripts/"$@" else exec "$@" fi if [ "$DAPPER_UID" -ne "-1" ]; then chown -R $DAPPER_UID:$DAPPER_GID . fi 07070100000035000081ED000000000000000000000001662AB8200000050B000000000000000000000000000000000000003700000000rke2-selinux-0.18.stable.1/policy/microos/scripts/sign#!/bin/bash set -e -x yum install -y rpm-sign expect git pushd $(dirname $0)/.. . ./scripts/version popd cat <<\EOF >~/.rpmmacros %_signature gpg %_gpg_name ci@rancher.com %__gpg_sign_cmd %{__gpg} gpg --force-v3-sigs --batch --verbose --no-armor --passphrase-fd 3 --no-secmem-warning -u "%{_gpg_name}" -sbo %{__signature_filename} --digest-algo sha256 %{__plaintext_filename} %_source_filedigest_algorithm 8 %_binary_filedigest_algorithm 8 EOF case "$RPM_CHANNEL" in "testing") export PRIVATE_KEY_PASS_PHRASE=$TESTING_PRIVATE_KEY_PASS_PHRASE if ! grep "BEGIN PGP PRIVATE KEY BLOCK" <<<"$TESTING_PRIVATE_KEY"; then echo "TESTING_PRIVATE_KEY not defined, failing rpm sign" exit 1 fi gpg --import - <<<"$TESTING_PRIVATE_KEY" ;; "latest"|"stable") if ! 
grep "BEGIN PGP PRIVATE KEY BLOCK" <<<"$PRIVATE_KEY"; then echo "PRIVATE_KEY not defined, failing rpm sign" exit 1 fi gpg --import - <<<"$PRIVATE_KEY" ;; *) echo "RPM_CHANNEL $RPM_CHANNEL does not match one of: [testing, latest, stable]" exit 1 ;; esac expect <<EOF set timeout 60 spawn sh -c "rpmsign --addsign dist/microos/**/rke2-*.rpm" expect "Enter pass phrase:" send -- "$PRIVATE_KEY_PASS_PHRASE\r" expect eof lassign [wait] _ _ _ code exit \$code EOF 07070100000036000081ED000000000000000000000001662AB820000007A1000000000000000000000000000000000000003E00000000rke2-selinux-0.18.stable.1/policy/microos/scripts/upload-repo#!/bin/bash set -e -x pushd $(dirname $0)/.. . ./scripts/version popd yum install -y epel-release yum install -y git python2-pip python-deltarpm pip install --cache-dir=/var/cache/pip --upgrade 'boto3==1.17.112' 'pip<21.0' 'setuptools<45.0' pip install --cache-dir=/var/cache/pip/ \ git+https://github.com/Voronenko/rpm-s3.git@5695c6ad9a08548141d3713328e1bd3f533d137e if [ -z "$RPM_CHANNEL" ]; then echo "RPM_CHANNEL not defined, failing rpm upload" exit 1 fi TARGET_SLE_S3_PATH="rke2/$RPM_CHANNEL/common/microos/noarch" TARGET_SLE_SOURCE_S3_PATH="rke2/$RPM_CHANNEL/common/microos/source" case "$RPM_CHANNEL" in "testing") if [ -z "$TESTING_AWS_S3_BUCKET" ]; then echo "TESTING_AWS_S3_BUCKET not defined, failing rpm upload" exit 1 fi if [ -z "$TESTING_AWS_ACCESS_KEY_ID" ]; then echo "TESTING_AWS_ACCESS_KEY_ID not defined, failing rpm upload" exit 1 fi if [ -z "$TESTING_AWS_SECRET_ACCESS_KEY" ]; then echo "TESTING_AWS_SECRET_ACCESS_KEY not defined, failing rpm upload" exit 1 fi export AWS_ACCESS_KEY_ID=$TESTING_AWS_ACCESS_KEY_ID export AWS_SECRET_ACCESS_KEY=$TESTING_AWS_SECRET_ACCESS_KEY export AWS_S3_BUCKET=$TESTING_AWS_S3_BUCKET ;; "latest"|"stable") if [ -z "$AWS_S3_BUCKET" ]; then echo "AWS_S3_BUCKET not defined, failing rpm upload" exit 1 fi if [ -z "$AWS_ACCESS_KEY_ID" ]; then echo "AWS_ACCESS_KEY_ID not defined, failing rpm upload" exit 1 fi if [ -z 
"$AWS_SECRET_ACCESS_KEY" ]; then echo "AWS_SECRET_ACCESS_KEY not defined, failing rpm upload" exit 1 fi ;; *) echo "RPM_CHANNEL $RPM_CHANNEL does not match one of: [testing, latest, stable]" exit 1 ;; esac rpm-s3 --bucket $AWS_S3_BUCKET -p $TARGET_SLE_S3_PATH --keep 100000 dist/microos/noarch/rke2-*.rpm rpm-s3 --bucket $AWS_S3_BUCKET -p $TARGET_SLE_SOURCE_S3_PATH --keep 100000 dist/microos/source/rke2-*src.rpm 07070100000037000081ED000000000000000000000001662AB820000007C2000000000000000000000000000000000000003A00000000rke2-selinux-0.18.stable.1/policy/microos/scripts/version#!/bin/bash TREE_STATE=clean COMMIT=${COMMIT:-${DRONE_COMMIT:-${GITHUB_SHA:-unknown}}} TAG=${TAG:-${DRONE_TAG:-$GITHUB_TAG}} if [ -d ${DAPPER_SOURCE}/.git ]; then pushd ${DAPPER_SOURCE} if [ -n "$(git status --porcelain --untracked-files=no)" ]; then DIRTY="dirty" TREE_STATE=dirty fi if [[ "$TREE_STATE" == "clean" && -z "$TAG" ]]; then TAG=$(git tag -l --contains HEAD | head -n 1) # this is going to not work if you have multiple tags pointing to the same commit fi COMMIT=$(git log -n3 --pretty=format:"%H %ae" | grep -v ' drone@localhost$' | cut -f1 -d\ | head -1) if [ -z "$COMMIT" ]; then COMMIT=$(git rev-parse HEAD || true) fi popd fi if [[ -n "$TAG" ]]; then if [[ "$TREE_STATE" = "clean" ]]; then VERSION=$TAG # We will only accept the tag as our version if the tree state is clean and the tag is in fact defined. fi else VERSION="v0.0~${COMMIT:0:8}${DIRTY}.testing.0" fi # v0.1.testing.1 if ! [[ $VERSION =~ ^v[0-9]+\.[0-9]+[-~a-zA-Z0-9]*\.[a-z]+\.[0-9]+$ ]]; then echo "Version $VERSION does not match our expected format. Exiting." 
exit 1 fi rpm_version_regex='s/\-/~/g; s/^v([0-9]+\.[0-9]+[-~a-zA-Z0-9]*)\.[a-z]+\.[0-9]+$/\1/;' rpm_channel_regex='s/^v[0-9]+\.[0-9]+[-~a-zA-Z0-9]*\.([a-z]+)\.[0-9]+$/\1/;' rpm_release_regex='s/^v[0-9]+\.[0-9]+[-~a-zA-Z0-9]*\.[a-z]+\.([0-9]+)$/\1/;' RPM_VERSION=$(sed -E -e "$rpm_version_regex" <<<"$VERSION") RPM_RELEASE=$(sed -E -e "$rpm_release_regex" <<<"$VERSION") RPM_CHANNEL=$(sed -E -e "$rpm_channel_regex" <<<"$VERSION") if [[ "$RPM_CHANNEL" == "$VERSION" ]]; then echo "Unknown RPM_CHANNEL found: $RPM_CHANNEL but defaulting to testing" RPM_CHANNEL="testing" fi case "$RPM_CHANNEL" in "testing"|"latest"|"stable") echo "RPM_CHANNEL matched our expected variants" ;; *) echo "RPM_CHANNEL $RPM_CHANNEL does not match one of: [testing, latest, stable]" exit 1 ;; esac 07070100000038000041ED000000000000000000000002662AB82000000000000000000000000000000000000000000000002B00000000rke2-selinux-0.18.stable.1/policy/slemicro07070100000039000081A4000000000000000000000001662AB8200000098D000000000000000000000000000000000000003D00000000rke2-selinux-0.18.stable.1/policy/slemicro/rke2-selinux.spec# vim: sw=4:ts=4:et %define rke2_relabel_files() \ mkdir -p /var/lib/cni; \ mkdir -p /opt/cni; \ mkdir -p /etc/cni; \ mkdir -p /var/lib/kubelet/pods; \ mkdir -p /var/lib/rancher/rke2/agent/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots; \ mkdir -p /var/lib/rancher/rke2/data; \ mkdir -p /var/run/flannel; \ mkdir -p /var/run/k3s; \ restorecon -R -i /etc/systemd/system/rke2*; \ restorecon -R -i /usr/lib/systemd/system/rke2*; \ restorecon -R /var/lib/cni; \ restorecon -R /opt/cni; \ restorecon -R /etc/cni; \ restorecon -R /var/lib/kubelet; \ restorecon -R /var/lib/rancher; \ restorecon -R /var/run/k3s; \ restorecon -R /var/run/flannel %define selinux_policyver 20210716-3.1 %define selinux_policyver_build 3.13.1-252 %define container_policyver 2.164.2-1.1 Name: rke2-selinux Version: %{rke2_selinux_version} Release: %{rke2_selinux_release}.slemicro Summary: SELinux policy module 
for rke2 Group: System Environment/Base License: ASL 2.0 URL: https://rke2.io Source0: rke2.pp Source1: rke2.if BuildArch: noarch BuildRequires: container-selinux >= %{container_policyver} BuildRequires: git BuildRequires: selinux-policy >= %{selinux_policyver_build} BuildRequires: selinux-policy-devel >= %{selinux_policyver_build} Requires: policycoreutils, selinux-tools Requires(post): selinux-policy-base >= %{selinux_policyver} Requires(post): policycoreutils Requires(post): container-selinux >= %{container_policyver} Requires(postun): policycoreutils Provides: %{name} = %{version}-%{release} Obsoletes: rke2-selinux < 0.9 Conflicts: k3s-selinux %description This package installs and sets up the SELinux policy security module for rke2. %install install -d %{buildroot}%{_datadir}/selinux/packages install -m 644 %{SOURCE0} %{buildroot}%{_datadir}/selinux/packages install -d %{buildroot}%{_datadir}/selinux/devel/include/contrib install -m 644 %{SOURCE1} %{buildroot}%{_datadir}/selinux/devel/include/contrib/ install -d %{buildroot}/etc/selinux/targeted/contexts/users/ %pre %selinux_relabel_pre %post semodule -n -i %{_datadir}/selinux/packages/rke2.pp if /usr/sbin/selinuxenabled ; then /usr/sbin/load_policy %rke2_relabel_files fi; %postun if [ $1 -eq 0 ]; then %selinux_modules_uninstall rke2 fi; %posttrans %selinux_relabel_post %files %attr(0600,root,root) %{_datadir}/selinux/packages/rke2.pp %{_datadir}/selinux/devel/include/contrib/rke2.if %changelog 0707010000003A000081A4000000000000000000000001662AB82000000D5C000000000000000000000000000000000000003300000000rke2-selinux-0.18.stable.1/policy/slemicro/rke2.fc# vim: sw=8:ts=8:et # commented items are lines retained for parity when comparing policy between target distributions. 
# these are commented because they will cause conflict and/or crash when attempting to install with upstream # container-selinux: https://github.com/containers/container-selinux/pull/140/files /etc/systemd/system/rke2.* -- gen_context(system_u:object_r:container_unit_file_t,s0) /lib/systemd/system/rke2.* -- gen_context(system_u:object_r:container_unit_file_t,s0) /usr/local/lib/systemd/system/rke2.* -- gen_context(system_u:object_r:container_unit_file_t,s0) /usr/lib/systemd/system/rke2.* -- gen_context(system_u:object_r:container_unit_file_t,s0) /usr/bin/rke2 -- gen_context(system_u:object_r:container_runtime_exec_t,s0) /usr/local/bin/rke2 -- gen_context(system_u:object_r:container_runtime_exec_t,s0) /opt/rke2/bin/rke2 -- gen_context(system_u:object_r:container_runtime_exec_t,s0) #/var/lib/cni(/.*)? gen_context(system_u:object_r:container_var_lib_t,s0) /opt/cni(/.*)? gen_context(system_u:object_r:container_file_t,s0) /etc/cni(/.*)? gen_context(system_u:object_r:container_file_t,s0) #/var/lib/kubelet/pods(/.*)? gen_context(system_u:object_r:container_file_t,s0) /var/lib/rancher/rke2(/.*)? gen_context(system_u:object_r:container_var_lib_t,s0) /var/lib/rancher/rke2/data(/.*)? gen_context(system_u:object_r:container_runtime_exec_t,s0) /var/lib/rancher/rke2/data/[^/]*/charts(/.*)? gen_context(system_u:object_r:container_config_t,s0) /var/lib/rancher/rke2/agent/containerd/[^/]*/snapshots -d gen_context(system_u:object_r:container_share_t,s0) /var/lib/rancher/rke2/agent/containerd/[^/]*/snapshots/[^/]* -d gen_context(system_u:object_r:container_share_t,s0) /var/lib/rancher/rke2/agent/containerd/[^/]*/snapshots/[^/]*/.* <<none>> /var/lib/rancher/rke2/agent/containerd/[^/]*/sandboxes(/.*)? gen_context(system_u:object_r:container_share_t,s0) /var/lib/rancher/rke2/server/logs(/.*)? gen_context(system_u:object_r:container_log_t,s0) /var/lib/rancher/rke2/server/tls(/.*)? gen_context(system_u:object_r:rke2_tls_t,s0) #/var/run/flannel(/.*)? 
gen_context(system_u:object_r:container_var_run_t,s0) #/var/run/k3s(/.*)? gen_context(system_u:object_r:container_var_run_t,s0) #/var/run/k3s/containerd/[^/]*/sandboxes/[^/]*/shm(/.*)? gen_context(system_u:object_r:container_runtime_tmpfs_t,s0) #/var/log/containers(/.*)? gen_context(system_u:object_r:container_log_t,s0) #/var/log/pods(/.*)? gen_context(system_u:object_r:container_log_t,s0) 0707010000003B000081A4000000000000000000000001662AB8200000086F000000000000000000000000000000000000003300000000rke2-selinux-0.18.stable.1/policy/slemicro/rke2.if# adapted from https://github.com/containers/container-selinux/blob/v2.143.0/container.if#L484 interface(`rke2_filetrans_named_content',` gen_require(` type container_config_t; type container_file_t; type container_log_t; type container_runtime_exec_t; type container_runtime_tmpfs_t; type container_share_t; type container_var_lib_t; type container_var_run_t; type container_kvm_var_run_t; type var_lib_t; type var_log_t; type rke2_tls_t; ') #container_filetrans_named_content($1) files_pid_filetrans($1, container_var_run_t, dir, "rke2") filetrans_pattern($1, container_var_lib_t, container_runtime_exec_t, dir, "data") filetrans_pattern($1, container_runtime_exec_t, container_config_t, dir, "charts") filetrans_pattern($1, container_var_lib_t, container_file_t, dir, "pods") filetrans_pattern($1, var_lib_t, container_var_lib_t, dir, "kubelet") filetrans_pattern($1, var_log_t, container_log_t, dir, "pods") filetrans_pattern($1, var_log_t, container_log_t, dir, "containers") filetrans_pattern($1, container_var_lib_t, container_log_t, dir, "logs") filetrans_pattern($1, container_var_lib_t, rke2_tls_t, dir, "tls") ') template(`rke2_service_domain_template',` container_domain_template($1, container) virt_sandbox_domain($1_t) gen_require(` attribute container_domain, container_net_domain; attribute sandbox_net_domain; ') typeattribute $1_t container_domain, container_net_domain, sandbox_net_domain; virt_default_capabilities($1_t) 
kernel_read_messages($1_t) logging_send_syslog_msg($1_t) corenet_unconfined($1_t) corenet_tcp_bind_generic_node($1_t) corenet_udp_bind_generic_node($1_t) corenet_raw_bind_generic_node($1_t) corenet_tcp_sendrecv_all_ports($1_t) corenet_udp_sendrecv_all_ports($1_t) corenet_udp_bind_all_ports($1_t) corenet_tcp_bind_all_ports($1_t) corenet_tcp_connect_all_ports($1_t) miscfiles_read_all_certs($1_t) admin_pattern($1_t, container_log_t) admin_pattern($1_t, rke2_tls_t) ') 0707010000003C000081A4000000000000000000000001662AB8200000040A000000000000000000000000000000000000003300000000rke2-selinux-0.18.stable.1/policy/slemicro/rke2.tepolicy_module(rke2, 1.0.0) gen_require(` type container_runtime_t, unconfined_service_t, iscsid_t; class capability dac_override; ') rke2_filetrans_named_content(container_runtime_t) rke2_filetrans_named_content(unconfined_service_t) ####################### # type rke2_service_t # ####################### rke2_service_domain_template(rke2_service) container_read_lib_files(rke2_service_t) allow rke2_service_t container_var_lib_t:file { watch }; ########################## # type rke2_service_db_t # ########################## rke2_service_domain_template(rke2_service_db) container_manage_lib_dirs(rke2_service_db_t) container_manage_lib_files(rke2_service_db_t) allow rke2_service_db_t container_var_lib_t:file { map }; ######################### # Longhorn ISCSID_T FIX # ######################### # https://github.com/longhorn/longhorn/issues/5627#issuecomment-1577498183 allow iscsid_t self:capability dac_override; ################### # type rke2_tls_t # ################### type rke2_tls_t; files_type(rke2_tls_t);0707010000003D000041ED000000000000000000000002662AB82000000000000000000000000000000000000000000000003300000000rke2-selinux-0.18.stable.1/policy/slemicro/scripts0707010000003E000081ED000000000000000000000001662AB82000000224000000000000000000000000000000000000003900000000rke2-selinux-0.18.stable.1/policy/slemicro/scripts/build#!/bin/bash set -e -x 
cd $(dirname $0)/.. . ./scripts/version make -f /usr/share/selinux/devel/Makefile rke2.pp rpmbuild \ --define "rke2_selinux_version ${RPM_VERSION}" \ --define "rke2_selinux_release ${RPM_RELEASE}" \ --define "_sourcedir $PWD" \ --define "_specdir $PWD" \ --define "_builddir $PWD" \ --define "_srcrpmdir ${PWD}/dist/source" \ --define "_buildrootdir $PWD/.build" \ --define "_rpmdir ${PWD}/dist" \ -ba rke2-selinux.spec mkdir -p /source/dist/slemicro cp -r dist/* /source/dist/slemicro 0707010000003F000081ED000000000000000000000001662AB820000000C8000000000000000000000000000000000000003900000000rke2-selinux-0.18.stable.1/policy/slemicro/scripts/entry#!/bin/sh set -ex if [ -e ./policy/slemicro/scripts/"$1" ]; then ./policy/slemicro/scripts/"$@" else exec "$@" fi if [ "$DAPPER_UID" -ne "-1" ]; then chown -R $DAPPER_UID:$DAPPER_GID . fi 07070100000040000081ED000000000000000000000001662AB8200000050C000000000000000000000000000000000000003800000000rke2-selinux-0.18.stable.1/policy/slemicro/scripts/sign#!/bin/bash set -e -x yum install -y rpm-sign expect git pushd $(dirname $0)/.. . ./scripts/version popd cat <<\EOF >~/.rpmmacros %_signature gpg %_gpg_name ci@rancher.com %__gpg_sign_cmd %{__gpg} gpg --force-v3-sigs --batch --verbose --no-armor --passphrase-fd 3 --no-secmem-warning -u "%{_gpg_name}" -sbo %{__signature_filename} --digest-algo sha256 %{__plaintext_filename} %_source_filedigest_algorithm 8 %_binary_filedigest_algorithm 8 EOF case "$RPM_CHANNEL" in "testing") export PRIVATE_KEY_PASS_PHRASE=$TESTING_PRIVATE_KEY_PASS_PHRASE if ! grep "BEGIN PGP PRIVATE KEY BLOCK" <<<"$TESTING_PRIVATE_KEY"; then echo "TESTING_PRIVATE_KEY not defined, failing rpm sign" exit 1 fi gpg --import - <<<"$TESTING_PRIVATE_KEY" ;; "latest"|"stable") if ! 
grep "BEGIN PGP PRIVATE KEY BLOCK" <<<"$PRIVATE_KEY"; then echo "PRIVATE_KEY not defined, failing rpm sign" exit 1 fi gpg --import - <<<"$PRIVATE_KEY" ;; *) echo "RPM_CHANNEL $RPM_CHANNEL does not match one of: [testing, latest, stable]" exit 1 ;; esac expect <<EOF set timeout 60 spawn sh -c "rpmsign --addsign dist/slemicro/**/rke2-*.rpm" expect "Enter pass phrase:" send -- "$PRIVATE_KEY_PASS_PHRASE\r" expect eof lassign [wait] _ _ _ code exit \$code EOF 07070100000041000081ED000000000000000000000001662AB820000007A5000000000000000000000000000000000000003F00000000rke2-selinux-0.18.stable.1/policy/slemicro/scripts/upload-repo#!/bin/bash set -e -x pushd $(dirname $0)/.. . ./scripts/version popd yum install -y epel-release yum install -y git python2-pip python-deltarpm pip install --cache-dir=/var/cache/pip --upgrade 'boto3==1.17.112' 'pip<21.0' 'setuptools<45.0' pip install --cache-dir=/var/cache/pip/ \ git+https://github.com/Voronenko/rpm-s3.git@5695c6ad9a08548141d3713328e1bd3f533d137e if [ -z "$RPM_CHANNEL" ]; then echo "RPM_CHANNEL not defined, failing rpm upload" exit 1 fi TARGET_SLE_S3_PATH="rke2/$RPM_CHANNEL/common/slemicro/noarch" TARGET_SLE_SOURCE_S3_PATH="rke2/$RPM_CHANNEL/common/slemicro/source" case "$RPM_CHANNEL" in "testing") if [ -z "$TESTING_AWS_S3_BUCKET" ]; then echo "TESTING_AWS_S3_BUCKET not defined, failing rpm upload" exit 1 fi if [ -z "$TESTING_AWS_ACCESS_KEY_ID" ]; then echo "TESTING_AWS_ACCESS_KEY_ID not defined, failing rpm upload" exit 1 fi if [ -z "$TESTING_AWS_SECRET_ACCESS_KEY" ]; then echo "TESTING_AWS_SECRET_ACCESS_KEY not defined, failing rpm upload" exit 1 fi export AWS_ACCESS_KEY_ID=$TESTING_AWS_ACCESS_KEY_ID export AWS_SECRET_ACCESS_KEY=$TESTING_AWS_SECRET_ACCESS_KEY export AWS_S3_BUCKET=$TESTING_AWS_S3_BUCKET ;; "latest"|"stable") if [ -z "$AWS_S3_BUCKET" ]; then echo "AWS_S3_BUCKET not defined, failing rpm upload" exit 1 fi if [ -z "$AWS_ACCESS_KEY_ID" ]; then echo "AWS_ACCESS_KEY_ID not defined, failing rpm upload" exit 1 fi if [ 
-z "$AWS_SECRET_ACCESS_KEY" ]; then echo "AWS_SECRET_ACCESS_KEY not defined, failing rpm upload" exit 1 fi ;; *) echo "RPM_CHANNEL $RPM_CHANNEL does not match one of: [testing, latest, stable]" exit 1 ;; esac rpm-s3 --bucket $AWS_S3_BUCKET -p $TARGET_SLE_S3_PATH --keep 100000 dist/slemicro/noarch/rke2-*.rpm rpm-s3 --bucket $AWS_S3_BUCKET -p $TARGET_SLE_SOURCE_S3_PATH --keep 100000 dist/slemicro/source/rke2-*src.rpm 07070100000042000081ED000000000000000000000001662AB820000007C2000000000000000000000000000000000000003B00000000rke2-selinux-0.18.stable.1/policy/slemicro/scripts/version#!/bin/bash TREE_STATE=clean COMMIT=${COMMIT:-${DRONE_COMMIT:-${GITHUB_SHA:-unknown}}} TAG=${TAG:-${DRONE_TAG:-$GITHUB_TAG}} if [ -d ${DAPPER_SOURCE}/.git ]; then pushd ${DAPPER_SOURCE} if [ -n "$(git status --porcelain --untracked-files=no)" ]; then DIRTY="dirty" TREE_STATE=dirty fi if [[ "$TREE_STATE" == "clean" && -z "$TAG" ]]; then TAG=$(git tag -l --contains HEAD | head -n 1) # this is going to not work if you have multiple tags pointing to the same commit fi COMMIT=$(git log -n3 --pretty=format:"%H %ae" | grep -v ' drone@localhost$' | cut -f1 -d\ | head -1) if [ -z "$COMMIT" ]; then COMMIT=$(git rev-parse HEAD || true) fi popd fi if [[ -n "$TAG" ]]; then if [[ "$TREE_STATE" = "clean" ]]; then VERSION=$TAG # We will only accept the tag as our version if the tree state is clean and the tag is in fact defined. fi else VERSION="v0.0~${COMMIT:0:8}${DIRTY}.testing.0" fi # v0.1.testing.1 if ! [[ $VERSION =~ ^v[0-9]+\.[0-9]+[-~a-zA-Z0-9]*\.[a-z]+\.[0-9]+$ ]]; then echo "Version $VERSION does not match our expected format. Exiting." 
exit 1 fi rpm_version_regex='s/\-/~/g; s/^v([0-9]+\.[0-9]+[-~a-zA-Z0-9]*)\.[a-z]+\.[0-9]+$/\1/;' rpm_channel_regex='s/^v[0-9]+\.[0-9]+[-~a-zA-Z0-9]*\.([a-z]+)\.[0-9]+$/\1/;' rpm_release_regex='s/^v[0-9]+\.[0-9]+[-~a-zA-Z0-9]*\.[a-z]+\.([0-9]+)$/\1/;' RPM_VERSION=$(sed -E -e "$rpm_version_regex" <<<"$VERSION") RPM_RELEASE=$(sed -E -e "$rpm_release_regex" <<<"$VERSION") RPM_CHANNEL=$(sed -E -e "$rpm_channel_regex" <<<"$VERSION") if [[ "$RPM_CHANNEL" == "$VERSION" ]]; then echo "Unknown RPM_CHANNEL found: $RPM_CHANNEL but defaulting to testing" RPM_CHANNEL="testing" fi case "$RPM_CHANNEL" in "testing"|"latest"|"stable") echo "RPM_CHANNEL matched our expected variants" ;; *) echo "RPM_CHANNEL $RPM_CHANNEL does not match one of: [testing, latest, stable]" exit 1 ;; esac 07070100000043000041ED000000000000000000000002662AB82000000000000000000000000000000000000000000000002000000000rke2-selinux-0.18.stable.1/test07070100000044000041ED000000000000000000000002662AB82000000000000000000000000000000000000000000000002400000000rke2-selinux-0.18.stable.1/test/el707070100000045000081A4000000000000000000000001662AB82000000127000000000000000000000000000000000000002E00000000rke2-selinux-0.18.stable.1/test/el7/README.mdrke2-selinux for el7 --- The Vagrant box in use supports these providers: - `libvirt` - `virtualbox` - `vmware_desktop` To spin up a VM to test locally built rke2-selinux RPM: ```shell cp -vf ../../dist/centos7/noarch/*.rpm . 
INSTALL_PACKAGES=/vagrant/rke2-selinux-*.noarch.rpm vagrant up ``` 07070100000046000081A4000000000000000000000001662AB820000015F3000000000000000000000000000000000000003000000000rke2-selinux-0.18.stable.1/test/el7/Vagrantfile# -*- mode: ruby -*- # vi: set ft=ruby : Vagrant.configure("2") do |config| config.vm.box = "dweomer/centos-7.9-amd64" config.vm.synced_folder '.', '/vagrant', type: 'rsync', disabled: false %w[libvirt virtualbox vmware_desktop].each do |p| config.vm.provider p do |v, o| v.memory = "2048" v.cpus = 2 end end config.vm.define "rke2-selinux-el7", primary: true do |test| test.vm.hostname = "test-el7" test.vm.provision "install-rke2", type: "shell", run: "once" do |sh| sh.env = ENV.select{|k,v| k.start_with?('RKE2_') || k.start_with?('INSTALL_RKE2_')}.merge({ :INSTALL_RKE2_TYPE => 'server', :RKE2_KUBECONFIG_MODE => '0664', :RKE2_TOKEN => 'vagrant', }) sh.inline = <<~SHELL #!/usr/bin/env bash set -eux -o pipefail curl -fsSL https://get.rke2.io | sh - echo >> /etc/sysconfig/rke2-${INSTALL_RKE2_TYPE} bash +x -ec 'sh -c export | while read x v; do echo $v; done | grep -E "^(RKE2|CONTAINERD)_"' >> /etc/sysconfig/rke2-${INSTALL_RKE2_TYPE} systemctl enable --now rke2-${INSTALL_RKE2_TYPE} SHELL sh.upload_path = "/tmp/vagrant-install-rke2" end test.vm.provision "rke2-wait-for-node", type: "shell", run: "once" do |sh| sh.inline = <<~SHELL #!/usr/bin/env bash set -eu -o pipefail echo 'Waiting for node (and static pods) to be ready ...' time { timeout 180 bash -c 'while ! (kubectl wait --for condition=ready node/$(hostname) 2>/dev/null); do sleep 5; done' timeout 120 bash -c 'while ! (kubectl wait --for condition=ready -n kube-system pod/etcd-$(hostname) 2>/dev/null); do sleep 5; done' timeout 120 bash -c 'while ! (kubectl wait --for condition=ready -n kube-system pod/kube-apiserver-$(hostname) 2>/dev/null); do sleep 5; done' timeout 120 bash -c 'while ! 
(kubectl wait --for condition=ready -n kube-system pod/kube-scheduler-$(hostname) 2>/dev/null); do sleep 5; done' timeout 120 bash -c 'while ! (kubectl wait --for condition=ready -n kube-system pod/kube-proxy-$(hostname) 2>/dev/null); do sleep 5; done' timeout 120 bash -c 'while ! (kubectl wait --for condition=ready -n kube-system pod/kube-controller-manager-$(hostname) 2>/dev/null); do sleep 5; done' timeout 120 bash -c 'while ! (kubectl wait --for condition=ready -n kube-system pod/cloud-controller-manager-$(hostname) 2>/dev/null); do sleep 5; done' } kubectl get node,all -A -o wide SHELL end test.vm.provision "rke2-wait-for-canal", type: "shell", run: "once" do |sh| sh.inline = <<~SHELL #!/usr/bin/env bash set -eu -o pipefail time { timeout 120 bash -c 'while ! (kubectl --namespace kube-system rollout status --timeout 10s daemonset/rke2-canal 2>/dev/null); do sleep 5; done' } SHELL end test.vm.provision "rke2-wait-for-coredns", type: "shell", run: "once" do |sh| sh.inline = <<~SHELL #!/usr/bin/env bash set -eu -o pipefail time { timeout 120 bash -c 'while ! (kubectl --namespace kube-system rollout status --timeout 10s deploy/rke2-coredns-rke2-coredns 2>/dev/null); do sleep 5; done' timeout 120 bash -c 'while ! (kubectl --namespace kube-system rollout status --timeout 10s deploy/rke2-coredns-rke2-coredns-autoscaler 2>/dev/null); do sleep 5; done' } SHELL end test.vm.provision "rke2-wait-for-ingress-nginx", type: "shell", run: "once" do |sh| sh.inline = <<~SHELL #!/usr/bin/env bash set -eu -o pipefail time { timeout 120 bash -c 'while ! (kubectl --namespace kube-system rollout status --timeout 10s daemonset/rke2-ingress-nginx-controller 2>/dev/null); do sleep 5; done' } SHELL end test.vm.provision "rke2-wait-for-metrics-server", type: "shell", run: "once" do |sh| sh.inline = <<~SHELL #!/usr/bin/env bash set -eu -o pipefail time { timeout 120 bash -c 'while ! 
(kubectl --namespace kube-system rollout status --timeout 10s deploy/rke2-metrics-server 2>/dev/null); do sleep 5; done' } SHELL end test.vm.provision "rke2-status", type: "shell", run: "once" do |sh| sh.inline = <<~SHELL #!/usr/bin/env bash set -eux -o pipefail kubectl get node,all -A -o wide SHELL end test.vm.provision "rke2-status-selinux", type: "shell", run: "once" do |sh| sh.inline = <<~SHELL #!/usr/bin/env bash set -eux -o pipefail ps auxZ | grep -E 'etcd|kube|rke2|container|spc_t|unconfined_t' | grep -v grep SHELL end end config.vm.provision "install-packages", type: "shell", run: "once" do |sh| sh.upload_path = "/tmp/vagrant-install-packages" sh.env = { 'INSTALL_PACKAGES': ENV['INSTALL_PACKAGES'], } sh.inline = <<~SHELL #!/usr/bin/env bash set -eux -o pipefail yum -y install \ curl \ iptables \ less \ lsof \ nc \ socat \ ${INSTALL_PACKAGES} SHELL end config.vm.provision "selinux-status", type: "shell", run: "once", inline: "sestatus -v" config.vm.provision "install-rke2-profile", type: "shell", run: "once" do |sh| sh.inline = <<~SHELL #!/usr/bin/env bash cat <<-EOF > /etc/profile.d/rke2.sh export KUBECONFIG=/etc/rancher/rke2/rke2.yaml PATH=/usr/local/bin:$PATH:/var/lib/rancher/rke2/bin EOF SHELL end end 07070100000047000041ED000000000000000000000002662AB82000000000000000000000000000000000000000000000002400000000rke2-selinux-0.18.stable.1/test/el807070100000048000081A4000000000000000000000001662AB82000000127000000000000000000000000000000000000002E00000000rke2-selinux-0.18.stable.1/test/el8/README.mdrke2-selinux for el8 --- The Vagrant box in use supports these providers: - `libvirt` - `virtualbox` - `vmware_desktop` To spin up a VM to test locally built rke2-selinux RPM: ```shell cp -vf ../../dist/centos8/noarch/*.rpm . 
INSTALL_PACKAGES=/vagrant/rke2-selinux-*.noarch.rpm vagrant up ``` 07070100000049000081A4000000000000000000000001662AB820000015F3000000000000000000000000000000000000003000000000rke2-selinux-0.18.stable.1/test/el8/Vagrantfile# -*- mode: ruby -*- # vi: set ft=ruby : Vagrant.configure("2") do |config| config.vm.box = "dweomer/centos-8.4-amd64" config.vm.synced_folder '.', '/vagrant', type: 'rsync', disabled: false %w[libvirt virtualbox vmware_desktop].each do |p| config.vm.provider p do |v, o| v.memory = "2048" v.cpus = 2 end end config.vm.define "rke2-selinux-el8", primary: true do |test| test.vm.hostname = "test-el8" test.vm.provision "install-rke2", type: "shell", run: "once" do |sh| sh.env = ENV.select{|k,v| k.start_with?('RKE2_') || k.start_with?('INSTALL_RKE2_')}.merge({ :INSTALL_RKE2_TYPE => 'server', :RKE2_KUBECONFIG_MODE => '0664', :RKE2_TOKEN => 'vagrant', }) sh.inline = <<~SHELL #!/usr/bin/env bash set -eux -o pipefail curl -fsSL https://get.rke2.io | sh - echo >> /etc/sysconfig/rke2-${INSTALL_RKE2_TYPE} bash +x -ec 'sh -c export | while read x v; do echo $v; done | grep -E "^(RKE2|CONTAINERD)_"' >> /etc/sysconfig/rke2-${INSTALL_RKE2_TYPE} systemctl enable --now rke2-${INSTALL_RKE2_TYPE} SHELL sh.upload_path = "/tmp/vagrant-install-rke2" end test.vm.provision "rke2-wait-for-node", type: "shell", run: "once" do |sh| sh.inline = <<~SHELL #!/usr/bin/env bash set -eu -o pipefail echo 'Waiting for node (and static pods) to be ready ...' time { timeout 180 bash -c 'while ! (kubectl wait --for condition=ready node/$(hostname) 2>/dev/null); do sleep 5; done' timeout 120 bash -c 'while ! (kubectl wait --for condition=ready -n kube-system pod/etcd-$(hostname) 2>/dev/null); do sleep 5; done' timeout 120 bash -c 'while ! (kubectl wait --for condition=ready -n kube-system pod/kube-apiserver-$(hostname) 2>/dev/null); do sleep 5; done' timeout 120 bash -c 'while ! 
(kubectl wait --for condition=ready -n kube-system pod/kube-scheduler-$(hostname) 2>/dev/null); do sleep 5; done' timeout 120 bash -c 'while ! (kubectl wait --for condition=ready -n kube-system pod/kube-proxy-$(hostname) 2>/dev/null); do sleep 5; done' timeout 120 bash -c 'while ! (kubectl wait --for condition=ready -n kube-system pod/kube-controller-manager-$(hostname) 2>/dev/null); do sleep 5; done' timeout 120 bash -c 'while ! (kubectl wait --for condition=ready -n kube-system pod/cloud-controller-manager-$(hostname) 2>/dev/null); do sleep 5; done' } kubectl get node,all -A -o wide SHELL end test.vm.provision "rke2-wait-for-canal", type: "shell", run: "once" do |sh| sh.inline = <<~SHELL #!/usr/bin/env bash set -eu -o pipefail time { timeout 120 bash -c 'while ! (kubectl --namespace kube-system rollout status --timeout 10s daemonset/rke2-canal 2>/dev/null); do sleep 5; done' } SHELL end test.vm.provision "rke2-wait-for-coredns", type: "shell", run: "once" do |sh| sh.inline = <<~SHELL #!/usr/bin/env bash set -eu -o pipefail time { timeout 120 bash -c 'while ! (kubectl --namespace kube-system rollout status --timeout 10s deploy/rke2-coredns-rke2-coredns 2>/dev/null); do sleep 5; done' timeout 120 bash -c 'while ! (kubectl --namespace kube-system rollout status --timeout 10s deploy/rke2-coredns-rke2-coredns-autoscaler 2>/dev/null); do sleep 5; done' } SHELL end test.vm.provision "rke2-wait-for-ingress-nginx", type: "shell", run: "once" do |sh| sh.inline = <<~SHELL #!/usr/bin/env bash set -eu -o pipefail time { timeout 120 bash -c 'while ! (kubectl --namespace kube-system rollout status --timeout 10s daemonset/rke2-ingress-nginx-controller 2>/dev/null); do sleep 5; done' } SHELL end test.vm.provision "rke2-wait-for-metrics-server", type: "shell", run: "once" do |sh| sh.inline = <<~SHELL #!/usr/bin/env bash set -eu -o pipefail time { timeout 120 bash -c 'while ! 
(kubectl --namespace kube-system rollout status --timeout 10s deploy/rke2-metrics-server 2>/dev/null); do sleep 5; done' } SHELL end test.vm.provision "rke2-status", type: "shell", run: "once" do |sh| sh.inline = <<~SHELL #!/usr/bin/env bash set -eux -o pipefail kubectl get node,all -A -o wide SHELL end test.vm.provision "rke2-status-selinux", type: "shell", run: "once" do |sh| sh.inline = <<~SHELL #!/usr/bin/env bash set -eux -o pipefail ps auxZ | grep -E 'etcd|kube|rke2|container|spc_t|unconfined_t' | grep -v grep SHELL end end config.vm.provision "install-packages", type: "shell", run: "once" do |sh| sh.upload_path = "/tmp/vagrant-install-packages" sh.env = { 'INSTALL_PACKAGES': ENV['INSTALL_PACKAGES'], } sh.inline = <<~SHELL #!/usr/bin/env bash set -eux -o pipefail dnf -y install \ curl \ iptables \ less \ lsof \ nc \ socat \ ${INSTALL_PACKAGES} SHELL end config.vm.provision "selinux-status", type: "shell", run: "once", inline: "sestatus -v" config.vm.provision "install-rke2-profile", type: "shell", run: "once" do |sh| sh.inline = <<~SHELL #!/usr/bin/env bash cat <<-EOF > /etc/profile.d/rke2.sh export KUBECONFIG=/etc/rancher/rke2/rke2.yaml PATH=/usr/local/bin:$PATH:/var/lib/rancher/rke2/bin EOF SHELL end end 0707010000004A000041ED000000000000000000000002662AB82000000000000000000000000000000000000000000000002400000000rke2-selinux-0.18.stable.1/test/sle0707010000004B000081A4000000000000000000000001662AB82000000127000000000000000000000000000000000000002E00000000rke2-selinux-0.18.stable.1/test/sle/README.mdrke2-selinux for sle --- The Vagrant box in use supports these providers: - `libvirt` - `virtualbox` - `vmware_desktop` To spin up a VM to test locally built rke2-selinux RPM: ```shell cp -vf ../../dist/microos/noarch/*.rpm . 
INSTALL_PACKAGES=/vagrant/rke2-selinux-*.noarch.rpm vagrant up ``` 0707010000004C000081A4000000000000000000000001662AB82000001798000000000000000000000000000000000000003000000000rke2-selinux-0.18.stable.1/test/sle/Vagrantfile# -*- mode: ruby -*- # vi: set ft=ruby : Vagrant.configure("2") do |config| config.vm.box = "dweomer/microos.amd64" config.vm.synced_folder '.', '/vagrant', type: 'rsync', disabled: false %w[libvirt virtualbox vmware_desktop].each do |p| config.vm.provider p do |v, o| v.memory = "2048" v.cpus = 2 end end config.vm.define "rke2-selinux-sle", primary: true do |test| test.vm.hostname = "test-sle" test.vm.provision "install-rke2", type: "shell", run: "once" do |sh| sh.env = ENV.select{|k,v| k.start_with?('RKE2_') || k.start_with?('INSTALL_RKE2_')}.merge({ :INSTALL_RKE2_TYPE => 'server', :RKE2_KUBECONFIG_MODE => '0664', :RKE2_TOKEN => 'vagrant', }) sh.inline = <<~SHELL #!/usr/bin/env bash set -eux -o pipefail curl -fsSL https://get.rke2.io | sh - echo >> /etc/sysconfig/rke2-${INSTALL_RKE2_TYPE} bash +x -ec 'sh -c export | while read x v; do echo $v; done | grep -E "^(RKE2|CONTAINERD)_"' >> /etc/sysconfig/rke2-${INSTALL_RKE2_TYPE} systemctl enable --now rke2-${INSTALL_RKE2_TYPE} SHELL sh.upload_path = "/tmp/vagrant-install-rke2" end test.vm.provision "rke2-wait-for-node", type: "shell", run: "once" do |sh| sh.inline = <<~SHELL #!/usr/bin/env bash source /etc/profile.d/rke2.sh set -eu -o pipefail echo 'Waiting for node (and static pods) to be ready ...' time { timeout 180 bash -c 'while ! (kubectl wait --for condition=ready node/$(hostname) 2>/dev/null); do sleep 5; done' timeout 120 bash -c 'while ! (kubectl wait --for condition=ready -n kube-system pod/etcd-$(hostname) 2>/dev/null); do sleep 5; done' timeout 120 bash -c 'while ! (kubectl wait --for condition=ready -n kube-system pod/kube-apiserver-$(hostname) 2>/dev/null); do sleep 5; done' timeout 120 bash -c 'while ! 
(kubectl wait --for condition=ready -n kube-system pod/kube-scheduler-$(hostname) 2>/dev/null); do sleep 5; done' timeout 120 bash -c 'while ! (kubectl wait --for condition=ready -n kube-system pod/kube-proxy-$(hostname) 2>/dev/null); do sleep 5; done' timeout 120 bash -c 'while ! (kubectl wait --for condition=ready -n kube-system pod/kube-controller-manager-$(hostname) 2>/dev/null); do sleep 5; done' timeout 120 bash -c 'while ! (kubectl wait --for condition=ready -n kube-system pod/cloud-controller-manager-$(hostname) 2>/dev/null); do sleep 5; done' } kubectl get node,all -A -o wide SHELL end test.vm.provision "rke2-wait-for-canal", type: "shell", run: "once" do |sh| sh.inline = <<~SHELL #!/usr/bin/env bash source /etc/profile.d/rke2.sh set -eu -o pipefail time { timeout 120 bash -c 'while ! (kubectl --namespace kube-system rollout status --timeout 10s daemonset/rke2-canal 2>/dev/null); do sleep 5; done' } SHELL end test.vm.provision "rke2-wait-for-coredns", type: "shell", run: "once" do |sh| sh.inline = <<~SHELL #!/usr/bin/env bash source /etc/profile.d/rke2.sh set -eu -o pipefail time { timeout 120 bash -c 'while ! (kubectl --namespace kube-system rollout status --timeout 10s deploy/rke2-coredns-rke2-coredns 2>/dev/null); do sleep 5; done' timeout 120 bash -c 'while ! (kubectl --namespace kube-system rollout status --timeout 10s deploy/rke2-coredns-rke2-coredns-autoscaler 2>/dev/null); do sleep 5; done' } SHELL end test.vm.provision "rke2-wait-for-ingress-nginx", type: "shell", run: "once" do |sh| sh.inline = <<~SHELL #!/usr/bin/env bash source /etc/profile.d/rke2.sh set -eu -o pipefail time { timeout 120 bash -c 'while ! 
(kubectl --namespace kube-system rollout status --timeout 10s daemonset/rke2-ingress-nginx-controller 2>/dev/null); do sleep 5; done' } SHELL end test.vm.provision "rke2-wait-for-metrics-server", type: "shell", run: "once" do |sh| sh.inline = <<~SHELL #!/usr/bin/env bash source /etc/profile.d/rke2.sh set -eu -o pipefail time { timeout 120 bash -c 'while ! (kubectl --namespace kube-system rollout status --timeout 10s deploy/rke2-metrics-server 2>/dev/null); do sleep 5; done' } SHELL end test.vm.provision "rke2-status", type: "shell", run: "once" do |sh| sh.inline = <<~SHELL #!/usr/bin/env bash source /etc/profile.d/rke2.sh set -eux -o pipefail kubectl get node,all -A -o wide SHELL end test.vm.provision "rke2-status-selinux", type: "shell", run: "once" do |sh| sh.inline = <<~SHELL #!/usr/bin/env bash source /etc/profile.d/rke2.sh set -eux -o pipefail ps auxZ | grep -E 'etcd|kube|rke2|container|spc_t|unconfined_t' | grep -v grep SHELL end end config.vm.provision "install-packages", type: "shell", run: "once" do |sh| sh.upload_path = "/tmp/vagrant-install-packages" sh.env = { 'INSTALL_PACKAGES': ENV['INSTALL_PACKAGES'], } sh.inline = <<~SHELL #!/usr/bin/env bash source /etc/profile.d/rke2.sh set -eux -o pipefail transactional-update --no-selfupdate -d pkg install -y --allow-unsigned-rpm \ curl \ iptables \ less \ lsof \ socat \ ${INSTALL_PACKAGES} SHELL end config.vm.provision "install-packages-reload", type: "reload", run: "once" config.vm.provision "selinux-status", type: "shell", run: "once", inline: "sestatus -v" config.vm.provision "install-rke2-profile", type: "shell", run: "once" do |sh| sh.inline = <<~SHELL #!/usr/bin/env bash cat <<-EOF > /etc/profile.d/rke2.sh export KUBECONFIG=/etc/rancher/rke2/rke2.yaml PATH=/usr/local/bin:$PATH:/var/lib/rancher/rke2/bin EOF SHELL end end 07070100000000000000000000000000000000000000010000000000000000000000000000000000000000000000000000000B00000000TRAILER!!!277 blocks