File rke2-selinux-0.20.stable.1.obscpio of Package rke2-selinux
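07070100000000000041ED0000000000000000000000026855D7C600000000000000000000000000000000000000000000002300000000rke2-selinux-0.20.stable.1/.github07070100000001000041ED0000000000000000000000026855D7C600000000000000000000000000000000000000000000002D00000000rke2-selinux-0.20.stable.1/.github/workflows07070100000002000081A40000000000000000000000016855D7C6000003E5000000000000000000000000000000000000003700000000rke2-selinux-0.20.stable.1/.github/workflows/build.ymlon:  # yamllint disable-line rule:truthy
  push:
    branches:
      - master
  pull_request:

name: Build

# Least privilege: the build jobs only read the repository; nothing here
# needs write access or secrets (PRs from forks get a read-only token anyway).
permissions:
  contents: read

jobs:
  # One job per target distribution. Each runs `make build-<os>`, which
  # drives dapper with the matching Dockerfile.<os>.dapper (see Makefile).
  # NOTE(review): actions/checkout is pinned to the mutable major tag @v4;
  # pinning to a full commit SHA makes the action version reproducible and
  # tamper-evident.
  build-rpm-el7:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
      - name: build-rpm
        run: |
          make build-centos7
  build-rpm-el8:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
      - name: build-rpm
        run: |
          make build-centos8
  build-rpm-el9:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
      - name: build-rpm
        run: |
          make build-centos9
  build-rpm-slemicro:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
      - name: build-rpm
        run: |
          make build-slemicro
  build-rpm-microos:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
      - name: build-rpm
        run: |
          make build-microos07070100000003000081A40000000000000000000000016855D7C6000013B1000000000000000000000000000000000000003900000000rke2-selinux-0.20.stable.1/.github/workflows/release.ymlname: Release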
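on:  # yamllint disable-line rule:truthy
  release:
    types:
      - published

# Workflow-wide grants (there is a single job). `contents: write` is what
# `gh release upload` needs; `id-token: write` is presumably consumed by the
# vault-secrets action (OIDC login) -- confirm against that action and drop
# it if it is not used.
permissions:
  contents: write
  id-token: write

jobs:
  # Builds, signs and publishes the RPMs for every supported distribution.
  publish:
    runs-on: ubuntu-latest
    strategy:
      # Let the other distributions finish even if one of them fails.
      fail-fast: false
      matrix:
        os:
          - "centos7"
          - "centos8"
          - "centos9"
          - "microos"
          - "slemicro"
    steps:
      # NOTE(review): the actions below are pinned to mutable refs (@v4,
      # @main). A full commit SHA makes them reproducible and tamper-evident;
      # this matters most for read-vault-secrets, which receives GH_TOKEN and
      # returns the RPM signing keys and AWS credentials, yet follows a branch.
      - name: Checkout
        uses: actions/checkout@v4
      # Each `path key | NAME ;` line exports one vault value as env NAME for
      # the later steps (read back via ${{ env.NAME }}). Assumes the action
      # registers the values as masked in the job log -- confirm.
      - name: "Read secrets"
        uses: rancher-eio/read-vault-secrets@main
        env:
          GH_TOKEN: ${{ github.token }}
        with:
          secrets: |
            secret/data/github/repo/${{ github.repository }}/private-key/credentials privateKey | PRIVATE_KEY ;
            secret/data/github/repo/${{ github.repository }}/private-key-pass-phrase/credentials token | PRIVATE_KEY_PASS_PHRASE ;
            secret/data/github/repo/${{ github.repository }}/testing-private-key/credentials privateKey | TESTING_PRIVATE_KEY ;
            secret/data/github/repo/${{ github.repository }}/testing-private-key-pass-phrase/credentials token | TESTING_PRIVATE_KEY_PASS_PHRASE ;
            secret/data/github/repo/${{ github.repository }}/aws-s3-bucket/credentials token | AWS_S3_BUCKET ;
            secret/data/github/repo/${{ github.repository }}/aws-access-key-id/credentials token | AWS_ACCESS_KEY_ID ;
            secret/data/github/repo/${{ github.repository }}/aws-secret-access-key/credentials token | AWS_SECRET_ACCESS_KEY ;
            secret/data/github/repo/${{ github.repository }}/testing-aws-s3-bucket/credentials token | TESTING_AWS_S3_BUCKET ;
            secret/data/github/repo/${{ github.repository }}/testing-aws-access-key-id/credentials token | TESTING_AWS_ACCESS_KEY_ID ;
            secret/data/github/repo/${{ github.repository }}/testing-aws-secret-access-key/credentials token | TESTING_AWS_SECRET_ACCESS_KEY ;
      # `-f` makes curl fail on an HTTP error instead of saving the error page
      # as the dapper binary (the original used plain `-sL`, so a 404 would
      # have produced a non-executable "dapper" and a confusing later failure).
      # The download is still the floating `latest` build with no checksum
      # comparison; pin a version and verify a digest for reproducibility.
      - name: Install Dapper
        run: |
          mkdir -p .local/bin
          curl -fsSL https://releases.rancher.com/dapper/latest/dapper-$(uname -s)-$(uname -m) > .local/bin/dapper
          chmod +x .local/bin/dapper
          echo ".local/bin" >> $GITHUB_PATH
      # Builds the RPMs inside the per-OS dapper image; output lands in dist/.
      # The AWS credentials are forwarded here as well as to the signing step;
      # if policy/<os>/scripts/build does not upload anything they can be
      # dropped from this step (least privilege) -- confirm against the script.
      - name: Build
        env:
          TAG: ${{ github.ref_name }}
          AWS_S3_BUCKET: ${{ env.AWS_S3_BUCKET }}
          AWS_ACCESS_KEY_ID: ${{ env.AWS_ACCESS_KEY_ID }}
          AWS_SECRET_ACCESS_KEY: ${{ env.AWS_SECRET_ACCESS_KEY }}
          TESTING_AWS_S3_BUCKET: ${{ env.TESTING_AWS_S3_BUCKET }}
          TESTING_AWS_ACCESS_KEY_ID: ${{ env.TESTING_AWS_ACCESS_KEY_ID }}
          TESTING_AWS_SECRET_ACCESS_KEY: ${{ env.TESTING_AWS_SECRET_ACCESS_KEY }}
        run: |
          dapper -f Dockerfile.${{ matrix.os }}.dapper policy/${{ matrix.os }}/scripts/build
      # Signs the RPMs and pushes them to S3 inside a CentOS Stream 9
      # container. The signing keys and passphrases enter the container as
      # environment variables; the image tag (stream9) is floating, so pinning
      # it by digest would fix exactly which code those keys are exposed to.
      - name: Sign and upload to S3
        env:
          TAG: ${{ github.ref_name }}
          PRIVATE_KEY: ${{ env.PRIVATE_KEY }}
          PRIVATE_KEY_PASS_PHRASE: ${{ env.PRIVATE_KEY_PASS_PHRASE }}
          TESTING_PRIVATE_KEY: ${{ env.TESTING_PRIVATE_KEY }}
          TESTING_PRIVATE_KEY_PASS_PHRASE: ${{ env.TESTING_PRIVATE_KEY_PASS_PHRASE }}
          AWS_S3_BUCKET: ${{ env.AWS_S3_BUCKET }}
          RPM_OS: ${{ matrix.os }}
          AWS_ACCESS_KEY_ID: ${{ env.AWS_ACCESS_KEY_ID }}
          AWS_SECRET_ACCESS_KEY: ${{ env.AWS_SECRET_ACCESS_KEY }}
          TESTING_AWS_S3_BUCKET: ${{ env.TESTING_AWS_S3_BUCKET }}
          TESTING_AWS_ACCESS_KEY_ID: ${{ env.TESTING_AWS_ACCESS_KEY_ID }}
          TESTING_AWS_SECRET_ACCESS_KEY: ${{ env.TESTING_AWS_SECRET_ACCESS_KEY }}
        run: |
          docker run --rm \
            -v "$(pwd):/workspace" \
            -w /workspace \
            -e TAG="$TAG" \
            -e RPM_OS="$RPM_OS" \
            -e PRIVATE_KEY="$PRIVATE_KEY" \
            -e PRIVATE_KEY_PASS_PHRASE="$PRIVATE_KEY_PASS_PHRASE" \
            -e TESTING_PRIVATE_KEY="$TESTING_PRIVATE_KEY" \
            -e TESTING_PRIVATE_KEY_PASS_PHRASE="$TESTING_PRIVATE_KEY_PASS_PHRASE" \
            -e AWS_S3_BUCKET="$AWS_S3_BUCKET" \
            -e AWS_ACCESS_KEY_ID="$AWS_ACCESS_KEY_ID" \
            -e AWS_SECRET_ACCESS_KEY="$AWS_SECRET_ACCESS_KEY" \
            -e TESTING_AWS_S3_BUCKET="$TESTING_AWS_S3_BUCKET" \
            -e TESTING_AWS_ACCESS_KEY_ID="$TESTING_AWS_ACCESS_KEY_ID" \
            -e TESTING_AWS_SECRET_ACCESS_KEY="$TESTING_AWS_SECRET_ACCESS_KEY" \
            quay.io/centos/centos:stream9 \
            scripts/sign-and-upload
      # Writes sha256sum-<os>-{noarch,source}.txt into the workspace root.
      # Each entry keeps the dist/<os>/... path given to sha256sum, so
      # `sha256sum -c` has to be run relative to the repository root.
      - name: Checksum
        run: |
          find dist/${{ matrix.os }}/noarch/*.rpm -type f | while read -r file; do
            sha256sum "$file" | awk '{print $1 " " $2}' >> "sha256sum-${{ matrix.os }}-noarch.txt"
          done
          find dist/${{ matrix.os }}/source/*.rpm -type f | while read -r file; do
            sha256sum "$file" | awk '{print $1 " " $2}' >> "sha256sum-${{ matrix.os }}-source.txt"
          done
      # The tag name reaches the shell through an env var and is quoted,
      # instead of being interpolated into the script as ${{ github.ref_name }}
      # (ref names are not guaranteed to be shell-safe; env vars are inert).
      # The checksum files from the previous step are attached alongside the
      # RPMs -- the original uploaded only dist/, leaving them unused.
      - name: Upload to GitHub
        env:
          GH_TOKEN: ${{ github.token }}
          OS: ${{ matrix.os }}
          TAG: ${{ github.ref_name }}
        run: |
          gh release upload "$TAG" dist/"$OS"/noarch/* dist/"$OS"/source/* \
            "sha256sum-$OS-noarch.txt" "sha256sum-$OS-source.txt"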
07070100000004000081A40000000000000000000000016855D7C60000001E000000000000000000000000000000000000002600000000rke2-selinux-0.20.stable.1/.gitignore/dist
*.rpm
.dapper
.vagrant/
07070100000005000081A40000000000000000000000016855D7C6000002E0000000000000000000000000000000000000003500000000rke2-selinux-0.20.stable.1/Dockerfile.centos7.dapperFROM centos:7
# Drop the stock mirrorlist and point every repo at the CERN vault mirror.
# The mirror is reached over plain HTTP, so package integrity rests entirely
# on yum's GPG signature checks (gpgcheck) for these repos.
RUN sed -i -e "s/mirrorlist.*//g" /etc/yum.repos.d/*
RUN sed -i -e "s/#baseurl=http:\/\/mirror.centos.org/baseurl=http:\/\/linuxsoft.cern.ch\/centos-vault\//g" /etc/yum.repos.d/*

# Toolchain for building the SELinux policy RPM (EPEL enabled first).
RUN yum -y install epel-release \
    && yum -y install container-selinux git rpm-build selinux-policy-devel yum-utils

# dapper wiring: the source tree is mounted at /source, build output is
# copied back to ./dist, and DAPPER_ENV enumerates the host variables that
# are forwarded into the container -- including the RPM signing keys,
# their passphrases and the AWS credentials.
ENV DAPPER_SOURCE=/source
ENV DAPPER_OUTPUT=./dist
ENV DAPPER_ENV="COMBARCH CHECKSUM_DIR CHECKSUM_FILE TAG PRIVATE_KEY PRIVATE_KEY_PASS_PHRASE TESTING_PRIVATE_KEY TESTING_PRIVATE_KEY_PASS_PHRASE AWS_S3_BUCKET AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY TESTING_AWS_S3_BUCKET TESTING_AWS_ACCESS_KEY_ID TESTING_AWS_SECRET_ACCESS_KEY"
ENV HOME=${DAPPER_SOURCE}
WORKDIR ${DAPPER_SOURCE}
ENTRYPOINT ["./policy/centos7/scripts/entry"]
07070100000006000081A40000000000000000000000016855D7C600000255000000000000000000000000000000000000003500000000rke2-selinux-0.20.stable.1/Dockerfile.centos8.dapperFROM rockylinux:8
# Toolchain for building the EL8 policy RPM (EPEL enabled first). The base
# image (rockylinux:8, above) is a floating tag; pin by digest for
# reproducible builds.
RUN yum -y install epel-release \
    && yum -y install container-selinux git rpm-build selinux-policy-devel yum-utils pinentry python2-pip ca-certificates

# dapper wiring: the source tree is mounted at /source, build output is
# copied back to ./dist, and DAPPER_ENV enumerates the host variables that
# are forwarded into the container -- including the RPM signing keys,
# their passphrases and the AWS credentials.
ENV DAPPER_SOURCE=/source
ENV DAPPER_OUTPUT=./dist
ENV DAPPER_ENV="COMBARCH CHECKSUM_DIR CHECKSUM_FILE TAG PRIVATE_KEY PRIVATE_KEY_PASS_PHRASE TESTING_PRIVATE_KEY TESTING_PRIVATE_KEY_PASS_PHRASE AWS_S3_BUCKET AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY TESTING_AWS_S3_BUCKET TESTING_AWS_ACCESS_KEY_ID TESTING_AWS_SECRET_ACCESS_KEY"
ENV HOME=${DAPPER_SOURCE}
WORKDIR ${DAPPER_SOURCE}
ENTRYPOINT ["./policy/centos8/scripts/entry"]
07070100000007000081A40000000000000000000000016855D7C600000265000000000000000000000000000000000000003500000000rke2-selinux-0.20.stable.1/Dockerfile.centos9.dapperFROM quay.io/centos/centos:stream9
# Toolchain for building the EL9 policy RPM (EPEL enabled first). The base
# image (centos:stream9, above) is a floating tag; pin by digest for
# reproducible builds.
RUN yum -y install epel-release \
    && yum -y install container-selinux git rpm-build selinux-policy-devel yum-utils pinentry python-pip ca-certificates

# dapper wiring: the source tree is mounted at /source, build output is
# copied back to ./dist, and DAPPER_ENV enumerates the host variables that
# are forwarded into the container -- including the RPM signing keys,
# their passphrases and the AWS credentials.
ENV DAPPER_SOURCE=/source
ENV DAPPER_OUTPUT=./dist
ENV DAPPER_ENV="COMBARCH CHECKSUM_DIR CHECKSUM_FILE TAG PRIVATE_KEY PRIVATE_KEY_PASS_PHRASE TESTING_PRIVATE_KEY TESTING_PRIVATE_KEY_PASS_PHRASE AWS_S3_BUCKET AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY TESTING_AWS_S3_BUCKET TESTING_AWS_ACCESS_KEY_ID TESTING_AWS_SECRET_ACCESS_KEY"
ENV HOME=${DAPPER_SOURCE}
WORKDIR ${DAPPER_SOURCE}
ENTRYPOINT ["./policy/centos9/scripts/entry"]
07070100000008000081A40000000000000000000000016855D7C60000031B000000000000000000000000000000000000003500000000rke2-selinux-0.20.stable.1/Dockerfile.microos.dapperARG TUMBLEWEED=opensuse/tumbleweed
FROM ${TUMBLEWEED}

# clone3-workaround wraps every RUN shell and the entrypoint -- presumably to
# cope with hosts whose container runtime rejects clone3 (confirm). The
# release is pinned (v1.0.0) but the downloaded binary is not verified; with a
# BuildKit frontend, `ADD --checksum=sha256:<digest-placeholder> <url> <dest>`
# would pin its content as well.
ADD https://github.com/AkihiroSuda/clone3-workaround/releases/download/v1.0.0/clone3-workaround.x86_64 /bin/clone3-workaround
RUN chmod +x /bin/clone3-workaround
SHELL ["clone3-workaround", "/usr/bin/env", "bash", "-c"]

# Toolchain for building the policy RPM on Tumbleweed (a rolling, unpinned
# base image; pin by digest for reproducible builds).
RUN zypper install -y container-selinux git rpm-build selinux-policy-devel

# dapper wiring: the source tree is mounted at /source, build output is
# copied back to ./dist, and DAPPER_ENV enumerates the host variables that
# are forwarded into the container -- including the RPM signing keys,
# their passphrases and the AWS credentials.
ENV DAPPER_SOURCE=/source
ENV DAPPER_OUTPUT=./dist
ENV DAPPER_ENV="COMBARCH CHECKSUM_DIR CHECKSUM_FILE TAG PRIVATE_KEY PRIVATE_KEY_PASS_PHRASE TESTING_PRIVATE_KEY TESTING_PRIVATE_KEY_PASS_PHRASE AWS_S3_BUCKET AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY TESTING_AWS_S3_BUCKET TESTING_AWS_ACCESS_KEY_ID TESTING_AWS_SECRET_ACCESS_KEY"
ENV HOME=${DAPPER_SOURCE}
WORKDIR ${DAPPER_SOURCE}
ENTRYPOINT ["clone3-workaround", "./policy/microos/scripts/entry"]
07070100000009000081A40000000000000000000000016855D7C6000003C2000000000000000000000000000000000000003600000000rke2-selinux-0.20.stable.1/Dockerfile.slemicro.dapperFROM registry.suse.com/suse/sle-micro/5.5:latest
# The heredoc RUN forms below require a BuildKit Dockerfile frontend.
# Add the Leap 15.6 OSS repo (note: plain HTTP baseurl) and the Leap Micro
# 5.5 update repo so the build tools can be installed on the SLE Micro base.
RUN cat <<EOF >/etc/zypp/repos.d/repo-oss.repo
[repo-oss]
name=Main Repository
enabled=1
autorefresh=1
baseurl=http://download.opensuse.org/distribution/leap/15.6/repo/oss/
EOF

RUN cat <<EOF >/etc/zypp/repos.d/leap-micro.repo
[leap-micro]
name=Leap Updates
enabled=1
autorefresh=1
baseurl=https://download.opensuse.org/update/leap-micro/5.5/sle/
EOF

# --gpg-auto-import-keys accepts the repositories' signing keys on first use
# with no out-of-band fingerprint check, so package trust for this image is
# trust-on-first-use of download.opensuse.org (the OSS repo over plain HTTP).
RUN zypper --gpg-auto-import-keys refresh

# --force-resolution makes the solver pick a resolution instead of stopping
# on conflicts, which mixing Leap repos into a SLE Micro base can produce.
RUN zypper in -y -n --force-resolution container-selinux git rpm-build selinux-policy-devel

# dapper wiring: the source tree is mounted at /source, build output is
# copied back to ./dist, and DAPPER_ENV enumerates the host variables that
# are forwarded into the container -- including the RPM signing keys,
# their passphrases and the AWS credentials.
ENV DAPPER_SOURCE=/source
ENV DAPPER_OUTPUT=./dist
ENV DAPPER_ENV="COMBARCH CHECKSUM_DIR CHECKSUM_FILE TAG PRIVATE_KEY PRIVATE_KEY_PASS_PHRASE TESTING_PRIVATE_KEY TESTING_PRIVATE_KEY_PASS_PHRASE AWS_S3_BUCKET AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY TESTING_AWS_S3_BUCKET TESTING_AWS_ACCESS_KEY_ID TESTING_AWS_SECRET_ACCESS_KEY"
ENV HOME=${DAPPER_SOURCE}
WORKDIR ${DAPPER_SOURCE}
ENTRYPOINT ["./policy/slemicro/scripts/entry"]
0707010000000A000081A40000000000000000000000016855D7C6000027BF000000000000000000000000000000000000002300000000rke2-selinux-0.20.stable.1/LICENSE
Apache License
Version 2.0, January 2004
http://www.apache.org/licenses/
TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
1. Definitions.
"License" shall mean the terms and conditions for use, reproduction,
and distribution as defined by Sections 1 through 9 of this document.
"Licensor" shall mean the copyright owner or entity authorized by
the copyright owner that is granting the License.
"Legal Entity" shall mean the union of the acting entity and all
other entities that control, are controlled by, or are under common
control with that entity. For the purposes of this definition,
"control" means (i) the power, direct or indirect, to cause the
direction or management of such entity, whether by contract or
otherwise, or (ii) ownership of fifty percent (50%) or more of the
outstanding shares, or (iii) beneficial ownership of such entity.
"You" (or "Your") shall mean an individual or Legal Entity
exercising permissions granted by this License.
"Source" form shall mean the preferred form for making modifications,
including but not limited to software source code, documentation
source, and configuration files.
"Object" form shall mean any form resulting from mechanical
transformation or translation of a Source form, including but
not limited to compiled object code, generated documentation,
and conversions to other media types.
"Work" shall mean the work of authorship, whether in Source or
Object form, made available under the License, as indicated by a
copyright notice that is included in or attached to the work
(an example is provided in the Appendix below).
"Derivative Works" shall mean any work, whether in Source or Object
form, that is based on (or derived from) the Work and for which the
editorial revisions, annotations, elaborations, or other modifications
represent, as a whole, an original work of authorship. For the purposes
of this License, Derivative Works shall not include works that remain
separable from, or merely link (or bind by name) to the interfaces of,
the Work and Derivative Works thereof.
"Contribution" shall mean any work of authorship, including
the original version of the Work and any modifications or additions
to that Work or Derivative Works thereof, that is intentionally
submitted to Licensor for inclusion in the Work by the copyright owner
or by an individual or Legal Entity authorized to submit on behalf of
the copyright owner. For the purposes of this definition, "submitted"
means any form of electronic, verbal, or written communication sent
to the Licensor or its representatives, including but not limited to
communication on electronic mailing lists, source code control systems,
and issue tracking systems that are managed by, or on behalf of, the
Licensor for the purpose of discussing and improving the Work, but
excluding communication that is conspicuously marked or otherwise
designated in writing by the copyright owner as "Not a Contribution."
"Contributor" shall mean Licensor and any individual or Legal Entity
on behalf of whom a Contribution has been received by Licensor and
subsequently incorporated within the Work.
2. Grant of Copyright License. Subject to the terms and conditions of
this License, each Contributor hereby grants to You a perpetual,
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
copyright license to reproduce, prepare Derivative Works of,
publicly display, publicly perform, sublicense, and distribute the
Work and such Derivative Works in Source or Object form.
3. Grant of Patent License. Subject to the terms and conditions of
this License, each Contributor hereby grants to You a perpetual,
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
(except as stated in this section) patent license to make, have made,
use, offer to sell, sell, import, and otherwise transfer the Work,
where such license applies only to those patent claims licensable
by such Contributor that are necessarily infringed by their
Contribution(s) alone or by combination of their Contribution(s)
with the Work to which such Contribution(s) was submitted. If You
institute patent litigation against any entity (including a
cross-claim or counterclaim in a lawsuit) alleging that the Work
or a Contribution incorporated within the Work constitutes direct
or contributory patent infringement, then any patent licenses
granted to You under this License for that Work shall terminate
as of the date such litigation is filed.
4. Redistribution. You may reproduce and distribute copies of the
Work or Derivative Works thereof in any medium, with or without
modifications, and in Source or Object form, provided that You
meet the following conditions:
(a) You must give any other recipients of the Work or
Derivative Works a copy of this License; and
(b) You must cause any modified files to carry prominent notices
stating that You changed the files; and
(c) You must retain, in the Source form of any Derivative Works
that You distribute, all copyright, patent, trademark, and
attribution notices from the Source form of the Work,
excluding those notices that do not pertain to any part of
the Derivative Works; and
(d) If the Work includes a "NOTICE" text file as part of its
distribution, then any Derivative Works that You distribute must
include a readable copy of the attribution notices contained
within such NOTICE file, excluding those notices that do not
pertain to any part of the Derivative Works, in at least one
of the following places: within a NOTICE text file distributed
as part of the Derivative Works; within the Source form or
documentation, if provided along with the Derivative Works; or,
within a display generated by the Derivative Works, if and
wherever such third-party notices normally appear. The contents
of the NOTICE file are for informational purposes only and
do not modify the License. You may add Your own attribution
notices within Derivative Works that You distribute, alongside
or as an addendum to the NOTICE text from the Work, provided
that such additional attribution notices cannot be construed
as modifying the License.
You may add Your own copyright statement to Your modifications and
may provide additional or different license terms and conditions
for use, reproduction, or distribution of Your modifications, or
for any such Derivative Works as a whole, provided Your use,
reproduction, and distribution of the Work otherwise complies with
the conditions stated in this License.
5. Submission of Contributions. Unless You explicitly state otherwise,
any Contribution intentionally submitted for inclusion in the Work
by You to the Licensor shall be under the terms and conditions of
this License, without any additional terms or conditions.
Notwithstanding the above, nothing herein shall supersede or modify
the terms of any separate license agreement you may have executed
with Licensor regarding such Contributions.
6. Trademarks. This License does not grant permission to use the trade
names, trademarks, service marks, or product names of the Licensor,
except as required for reasonable and customary use in describing the
origin of the Work and reproducing the content of the NOTICE file.
7. Disclaimer of Warranty. Unless required by applicable law or
agreed to in writing, Licensor provides the Work (and each
Contributor provides its Contributions) on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
implied, including, without limitation, any warranties or conditions
of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
PARTICULAR PURPOSE. You are solely responsible for determining the
appropriateness of using or redistributing the Work and assume any
risks associated with Your exercise of permissions under this License.
8. Limitation of Liability. In no event and under no legal theory,
whether in tort (including negligence), contract, or otherwise,
unless required by applicable law (such as deliberate and grossly
negligent acts) or agreed to in writing, shall any Contributor be
liable to You for damages, including any direct, indirect, special,
incidental, or consequential damages of any character arising as a
result of this License or out of the use or inability to use the
Work (including but not limited to damages for loss of goodwill,
work stoppage, computer failure or malfunction, or any and all
other commercial damages or losses), even if such Contributor
has been advised of the possibility of such damages.
9. Accepting Warranty or Additional Liability. While redistributing
the Work or Derivative Works thereof, You may choose to offer,
and charge a fee for, acceptance of support, warranty, indemnity,
or other liability obligations and/or rights consistent with this
License. However, in accepting such obligations, You may act only
on Your own behalf and on Your sole responsibility, not on behalf
of any other Contributor, and only if You agree to indemnify,
defend, and hold each Contributor harmless for any liability
incurred by, or claims asserted against, such Contributor by reason
of your accepting any such warranty or additional liability.
END OF TERMS AND CONDITIONS
0707010000000B000081A40000000000000000000000016855D7C600000330000000000000000000000000000000000000002400000000rke2-selinux-0.20.stable.1/MakefileUPLOAD_TARGETS := $(addprefix upload-,$(shell ls policy/))
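BUILD_TARGETS := $(addprefix build-,$(shell ls policy/))
SIGN_TARGETS := $(addprefix sign-,$(shell ls policy/))

# Fetch the dapper CLI into ./.dapper. `-f` makes curl fail on an HTTP error
# instead of saving the error page as the binary (the original used `-sL`),
# and `-v` sanity-checks that the download runs before it is moved into
# place. The download is the floating `latest` build and is not
# checksum-verified; pin a version and compare a digest for reproducibility.
# (The stray `@@chmod` of the original is also corrected to a single `@`.)
.dapper:
	@echo Downloading dapper
	@curl -fsSL https://releases.rancher.com/dapper/latest/dapper-$$(uname -s)-$$(uname -m) > .dapper.tmp
	@chmod +x .dapper.tmp
	@./.dapper.tmp -v
	@mv .dapper.tmp .dapper

# build-<os>: build the RPM for policy/<os> inside Dockerfile.<os>.dapper.
$(BUILD_TARGETS): .dapper
	./.dapper -f Dockerfile.$(@:build-%=%).dapper ./policy/$(@:build-%=%)/scripts/build

# sign-<os> and upload-<os> always run in the centos7 dapper image,
# whatever <os> the policy is for.
$(SIGN_TARGETS): .dapper
	./.dapper -f Dockerfile.centos7.dapper ./policy/$(@:sign-%=%)/scripts/sign

$(UPLOAD_TARGETS): .dapper
	./.dapper -f Dockerfile.centos7.dapper ./policy/$(@:upload-%=%)/scripts/upload-repo

# Removes build output and the per-run Dockerfile copies dapper leaves behind.
clean:
	rm -rf dist/ Dockerfile.*.dapper[0-9]*

.PHONY: $(UPLOAD_TARGETS) $(BUILD_TARGETS) $(SIGN_TARGETS) clean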
0707010000000C000081A40000000000000000000000016855D7C60000048A000000000000000000000000000000000000002500000000rke2-selinux-0.20.stable.1/README.md# rke2-selinux
RKE2 selinux policy repository
## Signing Keys
- https://rpm.rancher.io/public.key
- https://rpm-testing.rancher.io/public.key
## Versioning/Tagging
The version parsing logic for `rancher/rke2-selinux` expects tags to follow a specific format that maps directly onto RPM naming.
The tag format should be as follows: `v{rke2-selinux version}.{rpm channel}.{rpm release}` where
rke2-selinux-version is like `0.1`, `0.2`, etc.
rpm channel is like `testing`, `latest`, `stable`
rpm release is like `1`, `2`
The rpm release should start at `1` for released RPMs.
The following table shows the expected tag-to-RPM transformation (with examples):
|Tag|Tree State|Output RPM|RPM Channel|Notes|
|:--|:---------|:---------|:----------|:----|
| master (no tag) | Clean | `rke2-selinux-0.0~0d52f7d8-0.el7_8.noarch.rpm` | Testing ||
| master (no tag) | Dirty | `rke2-selinux-0.0~0d52f7d8-0.el7_8.noarch.rpm` | Testing ||
| v0.2.testing.1 | Clean | `rke2-selinux-0.2-1.el7_8.noarch.rpm` | Testing ||
| v0.2.latest.1 | Clean | `rke2-selinux-0.2-1.el7_8.noarch.rpm` | Latest ||
| v0.2.latest.2 | Clean | `rke2-selinux-0.2-2.el7_8.noarch.rpm` | Latest ||
0707010000000D000081A40000000000000000000000016855D7C600002BD2000000000000000000000000000000000000002700000000rke2-selinux-0.20.stable.1/Vagrantfile# -*- mode: ruby -*-
# vi: set ft=ruby :
# VM sizing, overridable from the host environment (defaults: 2 and 2048).
CPUS = ENV.fetch('VAGRANT_RKE2_SELINUX_CPUS', 2).to_i
MEMORY = ENV.fetch('VAGRANT_RKE2_SELINUX_MEMORY', 2048).to_i
# Adapted from https://github.com/containerd/containerd/pull/4451
Vagrant.configure("2") do |config|
config.vm.box = "centos/7"
config.vm.provider :virtualbox do |v|
config.vm.box_url = "https://cloud.centos.org/centos/7/vagrant/x86_64/images/CentOS-7-x86_64-Vagrant-2004_01.VirtualBox.box"
v.memory = MEMORY
v.cpus = CPUS
end
config.vm.provider :libvirt do |v|
config.vm.box_url = "https://cloud.centos.org/centos/7/vagrant/x86_64/images/CentOS-7-x86_64-Vagrant-2004_01.LibVirt.box"
v.memory = MEMORY
v.cpus = CPUS
end
# Disabled by default. To run:
# vagrant up --provision-with=upgrade-packages
# To upgrade only specific packages:
# UPGRADE_PACKAGES=selinux vagrant up --provision-with=upgrade-packages
#
config.vm.provision "upgrade-packages", type: "shell", run: "never" do |sh|
sh.upload_path = "/tmp/vagrant-upgrade-packages"
sh.env = {
'UPGRADE_PACKAGES': ENV['UPGRADE_PACKAGES'],
}
sh.inline = <<~SHELL
#!/usr/bin/env bash
set -eux -o pipefail
yum -y upgrade ${UPGRADE_PACKAGES}
SHELL
end
# Disabled by default. To run:
# vagrant provision --provision-with=kernel-mainline
config.vm.provision "kernel-mainline", type: "shell", run: "never" do |sh|
sh.upload_path = "/tmp/vagrant-kernel-mainline"
sh.inline = <<~SHELL
#!/usr/bin/env bash
yum -y install \
https://www.elrepo.org/elrepo-release-7.el7.elrepo.noarch.rpm
yum --enablerepo=elrepo-kernel -y install kernel-ml
sed -i -e "s|GRUB_DEFAULT.*$|GRUB_DEFAULT=0|" /etc/default/grub
grub2-mkconfig -o /boot/grub2/grub.cfg
SHELL
sh.reboot = true
end
# To re-run, installing CNI from RPM:
# INSTALL_PACKAGES="containernetworking-plugins" vagrant up --provision-with=install-packages
#
config.vm.provision "install-packages", type: "shell", run: "once" do |sh|
sh.upload_path = "/tmp/vagrant-install-packages"
sh.env = {
'INSTALL_PACKAGES': ENV['INSTALL_PACKAGES'],
}
sh.inline = <<~SHELL
#!/usr/bin/env bash
set -eux -o pipefail
yum -y install \
bzip2 \
container-selinux \
curl \
gcc \
git \
iptables \
libseccomp-devel \
libselinux-devel \
lsof \
make \
selinux-policy-devel \
socat \
${INSTALL_PACKAGES}
SHELL
end
config.vm.provision "install-policy", type: "shell", run: "always" do |sh|
sh.upload_path = "/tmp/vagrant-install-policy"
sh.inline = <<~SHELL
#!/usr/bin/env bash
set -eux -o pipefail
pushd /vagrant
yum install -y yum-utils rpm-build
yum-builddep -y container-selinux
yum -y remove rke2-selinux
# TODO build
yum -y install ./dist/centos7/noarch/*.rpm
SHELL
end
# To re-run this provisioner, installing a different version of go:
# GO_VERSION="1.15rc2" vagrant up --provision-with=install-golang
#
config.vm.provision "install-golang", type: "shell", run: "once" do |sh|
sh.upload_path = "/tmp/vagrant-install-golang"
sh.env = {
'GO_VERSION': ENV['GO_VERSION'] || "1.13.15",
}
sh.inline = <<~SHELL
#!/usr/bin/env bash
set -eux -o pipefail
curl -fsSL "https://dl.google.com/go/go${GO_VERSION}.linux-amd64.tar.gz" | tar Cxz /usr/lib
ln -fnsv /usr/lib/go/bin/{go,gofmt} /usr/bin
SHELL
end
config.vm.provision "install-runc", type: "shell", run: "once" do |sh|
sh.upload_path = "/tmp/vagrant-install-runc"
sh.env = {
'GOPATH': "/usr",
'RUNC_VERSION': ENV['RUNC_VERSION'] || "v1.0.0-rc92",
}
sh.inline = <<~SHELL
#!/usr/bin/env bash
set -eux -o pipefail
go get -d github.com/opencontainers/runc
pushd ${GOPATH}/src/github.com/opencontainers/runc
git checkout ${RUNC_VERSION}
make BUILDTAGS='apparmor seccomp selinux' runc
make BINDIR=${GOPATH}/bin install
type runc
runc --version
restorecon -v $(type -ap runc)
SHELL
end
config.vm.provision "install-cni", type: "shell", run: "once" do |sh|
sh.upload_path = "/tmp/vagrant-install-cni"
sh.env = {
'GOPATH': "/usr",
'CNI_DIR': "/opt/cni",
'CNI_CONFIG_DIR': "/etc/cni/net.d",
'CNI_PLUGINS_VERSION': ENV['CNI_PLUGINS_VERSION'] || "v0.7.6",
'CNI_PLUGINS_BINARIES': 'bridge dhcp flannel host-device host-local ipvlan loopback macvlan portmap ptp tuning vlan',
}
sh.inline = <<~SHELL
#!/usr/bin/env bash
set -eux -o pipefail
go get -d github.com/containernetworking/plugins/...
pushd "$GOPATH"/src/github.com/containernetworking/plugins
git checkout $CNI_PLUGINS_VERSION
FASTBUILD=true ./build.sh
sudo mkdir -p $CNI_DIR
sudo cp -r ./bin $CNI_DIR
sudo mkdir -p $CNI_CONFIG_DIR
PATH=/opt/cni/bin:$PATH type ${CNI_PLUGINS_BINARIES} || true
cat <<EOF | sudo tee $CNI_CONFIG_DIR/10-containerd-net.conflist
{
"cniVersion": "0.3.1",
"name": "containerd-net",
"plugins": [
{
"type": "bridge",
"bridge": "cni0",
"isGateway": true,
"ipMasq": true,
"promiscMode": true,
"ipam": {
"type": "host-local",
"subnet": "10.88.0.0/16",
"routes": [
{ "dst": "0.0.0.0/0" }
]
}
},
{
"type": "portmap",
"capabilities": {"portMappings": true}
}
]
}
EOF
SHELL
end
config.vm.provision "install-containerd", type: "shell", run: "once" do |sh|
sh.upload_path = "/tmp/vagrant-install-containerd"
sh.env = {
'GOPATH': "/usr",
'CONTAINERD_REPO': ENV['CONTAINERD_REPO'] || "github.com/rancher/containerd",
'CONTAINERD_VERSION': ENV['CONTAINERD_VERSION'] || "v1.3.6-k3s2",
}
sh.inline = <<~SHELL
#!/usr/bin/env bash
set -eux -o pipefail
if [ ! -d ${GOPATH}/src/github.com/containerd/containerd ]; then
git clone https://${CONTAINERD_REPO}.git ${GOPATH}/src/github.com/containerd/containerd
fi
pushd ${GOPATH}/src/github.com/containerd/containerd
git checkout ${CONTAINERD_VERSION}
make PACKAGE=${CONTAINERD_REPO} \
DESTDIR=${GOPATH} \
BUILDTAGS="seccomp selinux no_aufs no_btrfs no_devmapper no_zfs" \
binaries install
type containerd
containerd --version
restorecon -v /usr/bin/{containerd,containerd-shim*}
SHELL
end
config.vm.provision "install-cri-tools", type: "shell", run: "once" do |sh|
sh.upload_path = "/tmp/vagrant-install-cri-tools"
sh.env = {
'GOPATH': "/usr",
'CRI_TOOLS_VERSION': ENV['CRI_TOOLS_VERSION'] || 'master',
}
sh.inline = <<~SHELL
#!/usr/bin/env bash
set -eux -o pipefail
go get -u github.com/onsi/ginkgo/ginkgo
go get -d github.com/kubernetes-sigs/cri-tools/...
pushd ${GOPATH}/src/github.com/kubernetes-sigs/cri-tools
git checkout $CRI_TOOLS_VERSION
make
sudo make BINDIR=${GOPATH}/bin install
cat << EOF | sudo tee /etc/crictl.yaml
runtime-endpoint: unix:///run/k3s/containerd/containerd.sock
EOF
type crictl critest ginkgo
critest --version
SHELL
end
# SELinux is Enforcing by default.
# To set SELinux as Disabled on a VM that has already been provisioned:
# SELINUX=Disabled vagrant up --provision-with=selinux
# To set SELinux as Permissive on a VM that has already been provsioned
# SELINUX=Permissive vagrant up --provision-with=selinux
config.vm.provision "selinux", type: "shell", run: "once" do |sh|
sh.upload_path = "/tmp/vagrant-selinux"
sh.env = {
'SELINUX': ENV['SELINUX'] || "Enforcing"
}
sh.inline = <<~SHELL
#!/usr/bin/env bash
set -eux -o pipefail
if ! type -p getenforce setenforce &>/dev/null; then
echo SELinux is Disabled
exit 0
fi
case "${SELINUX}" in
Disabled)
if mountpoint -q /sys/fs/selinux; then
setenforce 0
umount -v /sys/fs/selinux
fi
;;
Enforcing)
mountpoint -q /sys/fs/selinux || mount -o rw,relatime -t selinuxfs selinuxfs /sys/fs/selinux
setenforce 1
;;
Permissive)
mountpoint -q /sys/fs/selinux || mount -o rw,relatime -t selinuxfs selinuxfs /sys/fs/selinux
setenforce 0
;;
*)
echo "SELinux mode not supported: ${SELINUX}" >&2
exit 1
;;
esac
echo SELinux is $(getenforce)
SHELL
end
# SELinux is permissive by default (via provisioning) in this VM. To re-run with SELinux enforcing:
# vagrant up --provision-with=selinux-enforcing,test-cri
#
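config.vm.provision "test-cri", type: "shell", run: "never" do |sh|
  sh.upload_path = "/tmp/test-cri"
  # Optional critest flags forwarded from the host environment (may be unset).
  sh.env = {
    'CRITEST_ARGS': ENV['CRITEST_ARGS'],
  }
  sh.inline = <<~SHELL
    #!/usr/bin/env bash
    set -eux -o pipefail
    # Throwaway containerd unit pointing at the rke2 agent paths. The ExecStart
    # continuation deliberately stops at --root: a trailing backslash on that
    # line would fold Delegate=yes into the containerd argument list instead of
    # leaving it a [Service] directive.
    cat << EOF > /vagrant/containerd.service
    [Unit]
    Description=rke2 containerd
    Documentation=https://github.com/rancher/rke2
    After=network.target local-fs.target
    [Service]
    ExecStartPre=-/sbin/modprobe overlay
    ExecStart=/usr/bin/containerd \
    -c /var/lib/rancher/rke2/agent/etc/containerd/config.toml \
    -a /run/k3s/containerd/containerd.sock \
    --state /run/k3s/containerd \
    --root /var/lib/rancher/rke2/agent/containerd
    Delegate=yes
    KillMode=process
    Restart=always
    LimitNPROC=infinity
    LimitCORE=infinity
    LimitNOFILE=1048576
    TasksMax=infinity
    [Install]
    WantedBy=multi-user.target
    EOF
    # Stop any unit left from a previous run and start from an empty rke2 state.
    systemctl disable --now containerd || true
    rm -rf /var/lib/rancher/rke2 /run/rke2
    # Turn on SELinux support in the CRI plugin whenever getenforce reports
    # anything other than Disabled (permissive counts).
    enable_selinux=false
    if [[ $(getenforce) != Disabled ]]; then
      enable_selinux=true
    fi
    mkdir -p /var/lib/rancher/rke2/agent/etc/containerd
    cat << EOF | sudo tee /var/lib/rancher/rke2/agent/etc/containerd/config.toml
    version = 2
    [plugins]
    [plugins."io.containerd.grpc.v1.cri"]
    enable_selinux = ${enable_selinux}
    EOF
    # Give the unit file the label the rke2 policy uses for its unit files.
    chcon -v -t container_unit_file_t /vagrant/containerd.service
    systemctl enable --now /vagrant/containerd.service
    # Always capture the containerd journal and stop the unit, even when
    # critest fails.
    function cleanup()
    {
      journalctl -u containerd > /tmp/containerd.log
      systemctl stop containerd
    }
    trap cleanup EXIT
    ctr --address /run/k3s/containerd/containerd.sock version
    # CRITEST_ARGS may be empty; the :- default keeps set -u from aborting here.
    critest --parallel=$(nproc) --ginkgo.skip='runtime should support HostIpc is true' ${CRITEST_ARGS:-}
  SHELL
end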
# Installs rke2 into the VM once via the upstream installer. The script is
# fetched over HTTPS and piped straight into sh, so beyond TLS it is neither
# pinned nor verified; that is acceptable only for this disposable test VM.
config.vm.provision "rke2", type: "shell", run: "once",
  upload_path: "/tmp/vagrant-rke2",
  inline: <<~SHELL
    #!/usr/bin/env bash
    set -eux -o pipefail
    curl -sfL https://get.rke2.io | sh -
  SHELL
end
0707010000000E000041ED0000000000000000000000026855D7C600000000000000000000000000000000000000000000002200000000rke2-selinux-0.20.stable.1/policy0707010000000F000041ED0000000000000000000000026855D7C600000000000000000000000000000000000000000000002A00000000rke2-selinux-0.20.stable.1/policy/centos707070100000010000081A40000000000000000000000016855D7C600000B23000000000000000000000000000000000000003C00000000rke2-selinux-0.20.stable.1/policy/centos7/rke2-selinux.spec# vim: sw=4:ts=4:et
# Post-install helper: pre-create the directories covered by the rke2 file
# contexts and relabel them. The umask steps narrow the mode of each subtree
# as it is created: 0022 for the shared trees, 0027 for kubelet pods and the
# agent directory, 0066 for the k3s runtime directory, 0077 for the containerd
# snapshots and the server directory. The -i on the unit-file restorecon calls
# ignores units that do not exist yet.
%define rke2_relabel_files() \
umask 0022; \
mkdir -p /etc/cni; \
mkdir -p /opt/cni; \
mkdir -p /var/lib/cni; \
mkdir -p /var/lib/kubelet; \
mkdir -p /var/lib/rancher/rke2/data; \
mkdir -p /var/run/flannel; \
umask 0027; \
mkdir -p /var/lib/kubelet/pods; \
mkdir -p /var/lib/rancher/rke2/agent; \
umask 0066; \
mkdir -p /var/run/k3s; \
umask 0077; \
mkdir -p /var/lib/rancher/rke2/agent/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots; \
mkdir -p /var/lib/rancher/rke2/server; \
restorecon -R -i /etc/systemd/system/rke2*; \
restorecon -R -i /usr/lib/systemd/system/rke2*; \
restorecon -R /var/lib/cni; \
restorecon -R /opt/cni; \
restorecon -R /etc/cni; \
restorecon -R /var/lib/kubelet; \
restorecon -R /var/lib/rancher; \
restorecon -R /var/run/k3s; \
restorecon -R /var/run/flannel
# Minimum selinux-policy version and the container-selinux range this module
# is built and installed against; the upper bound keeps container-selinux
# below 2.164.2 on el7.
%define selinux_policyver 3.13.1-252
%define container_policyver 2.107-3
%define container_policy_epoch 2
%define container_policy_schism 2.164.2
# Version and release are injected by scripts/build from scripts/version.
Name: rke2-selinux
Version: %{rke2_selinux_version}
Release: %{rke2_selinux_release}.el7
Summary: SELinux policy module for rke2
Group: System Environment/Base
License: ASL 2.0
URL: https://rke2.io
Source0: rke2.pp
Source1: rke2.if
BuildArch: noarch
BuildRequires: container-selinux >= %{container_policy_epoch}:%{container_policyver}
BuildRequires: container-selinux < %{container_policy_epoch}:%{container_policy_schism}
BuildRequires: git
BuildRequires: selinux-policy >= %{selinux_policyver}
BuildRequires: selinux-policy-devel >= %{selinux_policyver}
Requires: policycoreutils, libselinux-utils
Requires(post): selinux-policy-base >= %{selinux_policyver}
Requires(post): policycoreutils
Requires(post): container-selinux >= %{container_policy_epoch}:%{container_policyver}
Requires(post): container-selinux < %{container_policy_epoch}:%{container_policy_schism}
Requires(postun): policycoreutils
Provides: %{name} = %{version}-%{release}
Obsoletes: rke2-selinux < 0.9
Conflicts: k3s-selinux
%description
This package installs and sets up the SELinux policy security module for rke2.
%install
# Ship the compiled module and the interface file. The users/ contexts
# directory is created in the buildroot but is not listed in the files
# section, so it is not packaged.
install -d %{buildroot}%{_datadir}/selinux/packages
install -m 644 %{SOURCE0} %{buildroot}%{_datadir}/selinux/packages
install -d %{buildroot}%{_datadir}/selinux/devel/include/contrib
install -m 644 %{SOURCE1} %{buildroot}%{_datadir}/selinux/devel/include/contrib/
install -d %{buildroot}/etc/selinux/targeted/contexts/users/
%pre
%selinux_relabel_pre
# Install the module without an immediate policy reload (semodule -n); the
# policy is loaded and the rke2 trees relabeled only when SELinux is enabled.
%post
semodule -n -i %{_datadir}/selinux/packages/rke2.pp
if /usr/sbin/selinuxenabled ; then
/usr/sbin/load_policy
%rke2_relabel_files
fi;
# $1 is the number of package instances left after the transaction: 0 means a
# full erase rather than an upgrade, so only then is the module removed.
%postun
if [ $1 -eq 0 ]; then
%selinux_modules_uninstall rke2
fi;
%posttrans
%selinux_relabel_post
# The module source is root-only readable.
%files
%attr(0600,root,root) %{_datadir}/selinux/packages/rke2.pp
%{_datadir}/selinux/devel/include/contrib/rke2.if
%changelog
07070100000011000081A40000000000000000000000016855D7C600000C9D000000000000000000000000000000000000003200000000rke2-selinux-0.20.stable.1/policy/centos7/rke2.fc# vim: sw=8:ts=8:et
# File contexts for rke2 (centos7). The entries after the broad
# /var/lib/rancher/rke2(/.*)? line narrow specific subtrees: data, charts,
# snapshots, sandboxes, logs and tls.
#
# systemd units and the rke2 binary carry the container runtime labels.
/etc/systemd/system/rke2.* -- gen_context(system_u:object_r:container_unit_file_t,s0)
/lib/systemd/system/rke2.* -- gen_context(system_u:object_r:container_unit_file_t,s0)
/usr/local/lib/systemd/system/rke2.* -- gen_context(system_u:object_r:container_unit_file_t,s0)
/usr/lib/systemd/system/rke2.* -- gen_context(system_u:object_r:container_unit_file_t,s0)
/usr/bin/rke2 -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
/usr/local/bin/rke2 -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
# CNI state and the kubelet pod directories.
/var/lib/cni(/.*)? gen_context(system_u:object_r:container_var_lib_t,s0)
/opt/cni(/.*)? gen_context(system_u:object_r:container_file_t,s0)
/etc/cni(/.*)? gen_context(system_u:object_r:container_file_t,s0)
/var/lib/kubelet/pods(/.*)? gen_context(system_u:object_r:container_file_t,s0)
# rke2 state. Everything under data/ is labeled as runtime executable content;
# only the charts subtree inside it is treated as config.
/var/lib/rancher/rke2(/.*)? gen_context(system_u:object_r:container_var_lib_t,s0)
/var/lib/rancher/rke2/data(/.*)? gen_context(system_u:object_r:container_runtime_exec_t,s0)
/var/lib/rancher/rke2/data/[^/]*/charts(/.*)? gen_context(system_u:object_r:container_config_t,s0)
# containerd snapshot directories are shared content; their contents are
# skipped by restorecon (<<none>>) so labels applied at runtime are kept.
/var/lib/rancher/rke2/agent/containerd/[^/]*/snapshots -d gen_context(system_u:object_r:container_share_t,s0)
/var/lib/rancher/rke2/agent/containerd/[^/]*/snapshots/[^/]* -d gen_context(system_u:object_r:container_share_t,s0)
/var/lib/rancher/rke2/agent/containerd/[^/]*/snapshots/[^/]*/.* <<none>>
/var/lib/rancher/rke2/agent/containerd/[^/]*/sandboxes(/.*)? gen_context(system_u:object_r:container_share_t,s0)
# Log files and directories.
/var/lib/rancher/rke2/server/logs(/.*)? gen_context(system_u:object_r:container_log_t,s0)
/var/lib/rancher/rke2/agent/containerd/containerd.log gen_context(system_u:object_r:container_log_t,s0)
/var/lib/rancher/rke2/agent/logs/kubelet.log gen_context(system_u:object_r:container_log_t,s0)
# Runtime directories; the per-sandbox shm mount is a runtime tmpfs.
/var/run/flannel(/.*)? gen_context(system_u:object_r:container_var_run_t,s0)
/var/run/k3s(/.*)? gen_context(system_u:object_r:container_var_run_t,s0)
/var/run/k3s/containerd/[^/]*/sandboxes/[^/]*/shm(/.*)? gen_context(system_u:object_r:container_runtime_tmpfs_t,s0)
/var/log/containers(/.*)? gen_context(system_u:object_r:container_log_t,s0)
/var/log/pods(/.*)? gen_context(system_u:object_r:container_log_t,s0)
/var/lib/rancher/rke2/server/tls(/.*)? gen_context(system_u:object_r:rke2_tls_t,s0)07070100000012000081A40000000000000000000000016855D7C6000008F2000000000000000000000000000000000000003200000000rke2-selinux-0.20.stable.1/policy/centos7/rke2.if# adapted from https://github.com/containers/container-selinux/blob/v2.143.0/container.if#L484
########################################
## <summary>
##	Name-based type transitions for the directories rke2 creates, so that
##	new rke2 content gets its own types instead of the parent directory label.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to create the named content.
##	</summary>
## </param>
#
interface(`rke2_filetrans_named_content',`
	gen_require(`
		type container_config_t;
		type container_file_t;
		type container_log_t;
		type container_runtime_exec_t;
		type container_runtime_tmpfs_t;
		type container_share_t;
		type container_var_lib_t;
		type container_var_run_t;
		type var_lib_t;
		type var_log_t;
		type rke2_tls_t;
	')
	# The upstream container_filetrans_named_content is not invoked here; the
	# rke2-specific transitions below stand on their own.
	#container_filetrans_named_content($1)
	# /var/run/rke2 created under the pid directory
	files_pid_filetrans($1, container_var_run_t, dir, "rke2")
	# data/ is runtime executable content, charts/ inside it is config
	filetrans_pattern($1, container_var_lib_t, container_runtime_exec_t, dir, "data")
	filetrans_pattern($1, container_runtime_exec_t, container_config_t, dir, "charts")
	# containerd snapshots, kubelet pods and the per-sandbox shm tmpfs
	filetrans_pattern($1, container_var_lib_t, container_share_t, dir, "snapshots")
	filetrans_pattern($1, container_var_lib_t, container_file_t, dir, "pods")
	filetrans_pattern($1, container_var_run_t, container_runtime_tmpfs_t, dir, "shm")
	# /var/lib/kubelet and the /var/log/pods and /var/log/containers trees
	filetrans_pattern($1, var_lib_t, container_var_lib_t, dir, "kubelet")
	filetrans_pattern($1, var_log_t, container_log_t, dir, "pods")
	filetrans_pattern($1, var_log_t, container_log_t, dir, "containers")
	# server logs and TLS material get their own types (see rke2.fc)
	filetrans_pattern($1, container_var_lib_t, container_log_t, dir, "logs")
	filetrans_pattern($1, container_var_lib_t, rke2_tls_t, dir, "tls")
')
########################################
## <summary>
##	Create an rke2 service domain: a container domain that is also a virt
##	sandbox domain, with unconfined networking and the default virt
##	capabilities.
## </summary>
## <param name="domain_prefix">
##	<summary>
##	Prefix of the new domain type; _t is appended.
##	</summary>
## </param>
#
template(`rke2_service_domain_template',`
	# $1_t is expected to be declared by container_domain_template
	container_domain_template($1, container)
	virt_sandbox_domain($1_t)
	gen_require(`
		attribute container_domain, container_net_domain;
		attribute sandbox_net_domain;
	')
	typeattribute $1_t container_domain, container_net_domain, sandbox_net_domain;
	virt_default_capabilities($1_t)
	kernel_read_messages($1_t)
	logging_send_syslog_msg($1_t)
	# Networking is effectively unrestricted for this domain: unconfined
	# corenet access plus bind and connect on all ports, so port types do not
	# limit it.
	corenet_unconfined($1_t)
	corenet_tcp_bind_generic_node($1_t)
	corenet_udp_bind_generic_node($1_t)
	corenet_raw_bind_generic_node($1_t)
	corenet_tcp_sendrecv_all_ports($1_t)
	corenet_udp_sendrecv_all_ports($1_t)
	corenet_udp_bind_all_ports($1_t)
	corenet_tcp_bind_all_ports($1_t)
	corenet_tcp_connect_all_ports($1_t)
	# read all certificates; full (admin) access to container logs and the
	# rke2 TLS files
	miscfiles_read_all_certs($1_t)
	admin_pattern($1_t, container_log_t)
	admin_pattern($1_t, rke2_tls_t)
')
07070100000013000081A40000000000000000000000016855D7C60000053F000000000000000000000000000000000000003200000000rke2-selinux-0.20.stable.1/policy/centos7/rke2.tepolicy_module(rke2, 1.0.0)
# Types and classes from the base and container policies this module uses.
gen_require(`
	type container_runtime_t, iptables_t, spc_t, unconfined_service_t, iscsid_t;
	class capability dac_override;
	class bpf { map_create map_read map_write prog_load prog_run };
')
# The container runtime and unconfined services create the rke2-named
# directories with the rke2 types (see rke2.if).
rke2_filetrans_named_content(container_runtime_t)
rke2_filetrans_named_content(unconfined_service_t)
#######################
# type rke2_service_t #
#######################
# Read-only access to container lib files, plus writing to lib sockets and
# connecting to the runtime domain over unix stream sockets.
rke2_service_domain_template(rke2_service)
container_read_lib_files(rke2_service_t)
allow rke2_service_t container_var_lib_t:sock_file { write };
allow rke2_service_t container_runtime_t:unix_stream_socket { connectto };
##########################
# type rke2_service_db_t #
##########################
# Same template, but with manage rights on container lib dirs and files and
# the ability to mmap lib files.
rke2_service_domain_template(rke2_service_db)
container_manage_lib_dirs(rke2_service_db_t)
container_manage_lib_files(rke2_service_db_t)
allow rke2_service_db_t container_var_lib_t:file { map };
##########
# Cilium #
##########
# iptables lists cgroup directories; the super-privileged container domain
# (spc_t) gets BPF map and program operations. Program loading is a powerful
# permission and is granted to spc_t only.
fs_list_cgroup_dirs(iptables_t)
allow spc_t self:bpf { map_create map_read map_write prog_load prog_run };
#########################
# Longhorn ISCSID_T FIX #
#########################
# https://github.com/longhorn/longhorn/issues/5627#issuecomment-1577498183
# dac_override lets iscsid bypass file permission bits; this is a broad grant
# kept only for the Longhorn case referenced above.
allow iscsid_t self:capability dac_override;
###################
# type rke2_tls_t #
###################
# Dedicated file type for server TLS material (applied by rke2.fc to
# /var/lib/rancher/rke2/server/tls).
type rke2_tls_t;
files_type(rke2_tls_t);
07070100000014000041ED0000000000000000000000026855D7C600000000000000000000000000000000000000000000003200000000rke2-selinux-0.20.stable.1/policy/centos7/scripts07070100000015000081ED0000000000000000000000016855D7C600000222000000000000000000000000000000000000003800000000rke2-selinux-0.20.stable.1/policy/centos7/scripts/build#!/bin/bash
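set -e -x
# Run from the policy directory (the parent of scripts/) so the relative paths
# below and the sourced version script resolve; quoting keeps paths with
# spaces intact.
cd "$(dirname "$0")/.."
# Sets RPM_VERSION and RPM_RELEASE from the git tag or commit.
. ./scripts/version
# Compile the policy module (rke2.te, rke2.if, rke2.fc -> rke2.pp).
make -f /usr/share/selinux/devel/Makefile rke2.pp
# Build source and binary RPMs in-tree: rpmbuild output lands in dist/ and the
# buildroot in .build/ under this directory.
rpmbuild \
  --define "rke2_selinux_version ${RPM_VERSION}" \
  --define "rke2_selinux_release ${RPM_RELEASE}" \
  --define "_sourcedir $PWD" \
  --define "_specdir $PWD" \
  --define "_builddir $PWD" \
  --define "_srcrpmdir ${PWD}/dist/source" \
  --define "_buildrootdir $PWD/.build" \
  --define "_rpmdir ${PWD}/dist" \
  -ba rke2-selinux.spec
# Copy the artifacts out to /source/dist/centos7.
mkdir -p /source/dist/centos7
cp -r dist/* /source/dist/centos7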
07070100000016000081ED0000000000000000000000016855D7C6000001D5000000000000000000000000000000000000003B00000000rke2-selinux-0.20.stable.1/policy/centos7/scripts/checksum#!/bin/bash
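set -ex
cd "$(dirname "$0")/.."
ls -la
pwd
# Directory whose files are summed and the name of the resulting list. The
# callers (scripts/sign) pass these explicitly; the defaults cover a local run.
CHECKSUM_DIR=${CHECKSUM_DIR:-./dist/centos7/noarch/}
CHECKSUM_FILE=${CHECKSUM_FILE:-CHECKSUMsum-centos7-noarch.txt}
DEST_DIR=${DEST_DIR:-${CHECKSUM_DIR}}
sumfile="${DEST_DIR}/${CHECKSUM_FILE}"
touch "${sumfile}"
# Sum every regular file in CHECKSUM_DIR except existing checksum lists.
# sha256sum runs from inside the directory so each line carries the bare
# file name; the earlier dirname/sed strip left a leading slash whenever
# CHECKSUM_DIR ended in "/". Output is appended, as before, so repeated calls
# with the same DEST_DIR/CHECKSUM_FILE accumulate into one list.
for path in "${CHECKSUM_DIR}"/*; do
  [ -f "${path}" ] || continue
  name=$(basename "${path}")
  case "${name}" in
    *sha256sum*) continue ;;
  esac
  (cd "${CHECKSUM_DIR}" && sha256sum "${name}") >> "${sumfile}"
done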
cat "${sumfile}"07070100000017000081ED0000000000000000000000016855D7C6000000C6000000000000000000000000000000000000003800000000rke2-selinux-0.20.stable.1/policy/centos7/scripts/entry#!/bin/sh
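set -ex
# Container entrypoint: when $1 names a script in policy/centos7/scripts, run
# it with the remaining arguments; otherwise replace this shell with the given
# command (exec does not return, so nothing below runs in that case).
if [ -e ./policy/centos7/scripts/"$1" ]; then
  ./policy/centos7/scripts/"$@"
else
  exec "$@"
fi
# Hand ownership of the working tree back to the uid/gid Dapper passes in.
# The -n test avoids an "integer expression expected" error from [ when
# DAPPER_UID is unset.
if [ -n "$DAPPER_UID" ] && [ "$DAPPER_UID" -ne -1 ]; then
  chown -R "$DAPPER_UID:$DAPPER_GID" .
fi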
07070100000018000081ED0000000000000000000000016855D7C600000676000000000000000000000000000000000000003700000000rke2-selinux-0.20.stable.1/policy/centos7/scripts/sign#!/bin/bash
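set -e -x
yum install -y rpm-sign expect git
pushd "$(dirname "$0")/.."
. ./scripts/version
popd
# rpm signing setup: detached v3 gpg signatures with sha256 digests, the
# passphrase is handed to gpg on fd 3 by rpmsign.
cat <<\EOF >~/.rpmmacros
%_signature gpg
%_gpg_name ci@rancher.com
%__gpg_sign_cmd %{__gpg} gpg --force-v3-sigs --batch --verbose --no-armor --passphrase-fd 3 --no-secmem-warning -u "%{_gpg_name}" -sbo %{__signature_filename} --digest-algo sha256 %{__plaintext_filename}
%_source_filedigest_algorithm 8
%_binary_filedigest_algorithm 8
EOF
# Select and import the signing key for the channel. Tracing is switched off
# for this part: under set -x the passphrase export below is echoed into the
# build log. grep -q also keeps the matched header line off stdout.
set +x
case "$RPM_CHANNEL" in
  "testing")
    export PRIVATE_KEY_PASS_PHRASE=$TESTING_PRIVATE_KEY_PASS_PHRASE
    if ! grep -q "BEGIN PGP PRIVATE KEY BLOCK" <<<"$TESTING_PRIVATE_KEY"; then
      echo "TESTING_PRIVATE_KEY not defined, failing rpm sign"
      exit 1
    fi
    gpg --import - <<<"$TESTING_PRIVATE_KEY"
    ;;
  "latest"|"stable")
    if ! grep -q "BEGIN PGP PRIVATE KEY BLOCK" <<<"$PRIVATE_KEY"; then
      echo "PRIVATE_KEY not defined, failing rpm sign"
      exit 1
    fi
    gpg --import - <<<"$PRIVATE_KEY"
    ;;
  *)
    echo "RPM_CHANNEL $RPM_CHANNEL does not match one of: [testing, latest, stable]"
    exit 1
    ;;
esac
# Drive rpmsign through expect so the passphrase prompt can be answered; the
# exit status of rpmsign is propagated. Tracing stays off until the passphrase
# has been consumed.
expect <<EOF
set timeout 60
spawn sh -c "rpmsign --addsign dist/centos7/**/rke2-*.rpm"
expect "Enter pass phrase:"
send -- "$PRIVATE_KEY_PASS_PHRASE\r"
expect eof
lassign [wait] _ _ _ code
exit \$code
EOF
set -x
# checksum rpms
pushd "$(dirname "$0")/.."
DEST_DIR=../../dist/centos7/noarch CHECKSUM_DIR=../../dist/centos7/noarch CHECKSUM_FILE=sha256sum-centos7-noarch.txt ./scripts/checksum
popd
# checksum srcrpms (appended to the same list as the binary rpms)
pushd "$(dirname "$0")/.."
DEST_DIR=../../dist/centos7/noarch CHECKSUM_DIR=../../dist/centos7/source CHECKSUM_FILE=sha256sum-centos7-noarch.txt ./scripts/checksum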
popd07070100000019000081ED0000000000000000000000016855D7C6000007F1000000000000000000000000000000000000003E00000000rke2-selinux-0.20.stable.1/policy/centos7/scripts/upload-repo#!/bin/bash
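set -e -x
pushd "$(dirname "$0")/.."
. ./scripts/version
popd
# rpm-s3 is python2 tooling: boto3, pip and setuptools are pinned to releases
# that still support python2, and rpm-s3 itself is installed from a fixed
# commit rather than a moving branch.
yum install -y epel-release
yum install -y git python2-pip python-deltarpm ca-certificates
export REQUESTS_CA_BUNDLE=/etc/pki/tls/certs/ca-bundle.crt
pip2 install --cache-dir=/var/cache/pip --upgrade 'boto3==1.17.112' 'pip<21.0' 'setuptools<45.0'
pip2 install --cache-dir=/var/cache/pip/ \
  git+https://github.com/Voronenko/rpm-s3.git@5695c6ad9a08548141d3713328e1bd3f533d137e
if [ -z "$RPM_CHANNEL" ]; then
  echo "RPM_CHANNEL not defined, failing rpm upload"
  exit 1
fi
TARGET_EL7_S3_PATH="rke2/$RPM_CHANNEL/common/centos/7/noarch"
TARGET_EL7_SOURCE_S3_PATH="rke2/$RPM_CHANNEL/common/centos/7/source"
# Pick the bucket and credentials for the channel. Tracing is off while the
# credentials are exported: under set -x the export lines print the secret
# access key into the CI log.
set +x
case "$RPM_CHANNEL" in
  "testing")
    if [ -z "$TESTING_AWS_S3_BUCKET" ]; then
      echo "TESTING_AWS_S3_BUCKET not defined, failing rpm upload"
      exit 1
    fi
    if [ -z "$TESTING_AWS_ACCESS_KEY_ID" ]; then
      echo "TESTING_AWS_ACCESS_KEY_ID not defined, failing rpm upload"
      exit 1
    fi
    if [ -z "$TESTING_AWS_SECRET_ACCESS_KEY" ]; then
      echo "TESTING_AWS_SECRET_ACCESS_KEY not defined, failing rpm upload"
      exit 1
    fi
    export AWS_ACCESS_KEY_ID=$TESTING_AWS_ACCESS_KEY_ID
    export AWS_SECRET_ACCESS_KEY=$TESTING_AWS_SECRET_ACCESS_KEY
    export AWS_S3_BUCKET=$TESTING_AWS_S3_BUCKET
    ;;
  "latest"|"stable")
    if [ -z "$AWS_S3_BUCKET" ]; then
      echo "AWS_S3_BUCKET not defined, failing rpm upload"
      exit 1
    fi
    if [ -z "$AWS_ACCESS_KEY_ID" ]; then
      echo "AWS_ACCESS_KEY_ID not defined, failing rpm upload"
      exit 1
    fi
    if [ -z "$AWS_SECRET_ACCESS_KEY" ]; then
      echo "AWS_SECRET_ACCESS_KEY not defined, failing rpm upload"
      exit 1
    fi
    ;;
  *)
    echo "RPM_CHANNEL $RPM_CHANNEL does not match one of: [testing, latest, stable]"
    exit 1
    ;;
esac
set -x
# Publish binary and source rpms to the channel paths; --keep retains old
# packages in the repo metadata.
rpm-s3 --bucket "$AWS_S3_BUCKET" -p "$TARGET_EL7_S3_PATH" --keep 100000 dist/centos7/noarch/rke2-*.rpm
rpm-s3 --bucket "$AWS_S3_BUCKET" -p "$TARGET_EL7_SOURCE_S3_PATH" --keep 100000 dist/centos7/source/rke2-*src.rpm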
0707010000001A000081ED0000000000000000000000016855D7C6000007C2000000000000000000000000000000000000003A00000000rke2-selinux-0.20.stable.1/policy/centos7/scripts/version#!/bin/bash
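TREE_STATE=clean
# Commit and tag default from the CI environment (Drone first, then GitHub
# Actions) and are refined from the git checkout below when DAPPER_SOURCE
# points at one. This file is sourced, so an exit here ends the caller.
COMMIT=${COMMIT:-${DRONE_COMMIT:-${GITHUB_SHA:-unknown}}}
TAG=${TAG:-${DRONE_TAG:-$GITHUB_TAG}}
if [ -d "${DAPPER_SOURCE}/.git" ]; then
  pushd "${DAPPER_SOURCE}"
  # Tracked modifications make the tree dirty: DIRTY is appended to the
  # fallback version string and a dirty tree never takes a tag as its version.
  if [ -n "$(git status --porcelain --untracked-files=no)" ]; then
    DIRTY="dirty"
    TREE_STATE=dirty
  fi
  if [[ "$TREE_STATE" == "clean" && -z "$TAG" ]]; then
    TAG=$(git tag -l --contains HEAD | head -n 1) # this is going to not work if you have multiple tags pointing to the same commit
  fi
  # Newest of the last three commits not authored by the Drone bot, else HEAD.
  COMMIT=$(git log -n3 --pretty=format:"%H %ae" | grep -v ' drone@localhost$' | cut -f1 -d' ' | head -1)
  if [ -z "$COMMIT" ]; then
    COMMIT=$(git rev-parse HEAD || true)
  fi
  popd
fi
if [[ -n "$TAG" ]]; then
  if [[ "$TREE_STATE" = "clean" ]]; then
    VERSION=$TAG # We will only accept the tag as our version if the tree state is clean and the tag is in fact defined.
  fi
else
  VERSION="v0.0~${COMMIT:0:8}${DIRTY}.testing.0"
fi
# Expected shape: v<major>.<minor>[suffix].<channel>.<release>, e.g. v0.1.testing.1
if ! [[ $VERSION =~ ^v[0-9]+\.[0-9]+[-~a-zA-Z0-9]*\.[a-z]+\.[0-9]+$ ]]; then
  echo "Version $VERSION does not match our expected format. Exiting."
  exit 1
fi
# Split VERSION into the rpm version (dashes become tildes), channel and release.
rpm_version_regex='s/\-/~/g; s/^v([0-9]+\.[0-9]+[-~a-zA-Z0-9]*)\.[a-z]+\.[0-9]+$/\1/;'
rpm_channel_regex='s/^v[0-9]+\.[0-9]+[-~a-zA-Z0-9]*\.([a-z]+)\.[0-9]+$/\1/;'
rpm_release_regex='s/^v[0-9]+\.[0-9]+[-~a-zA-Z0-9]*\.[a-z]+\.([0-9]+)$/\1/;'
RPM_VERSION=$(sed -E -e "$rpm_version_regex" <<<"$VERSION")
RPM_RELEASE=$(sed -E -e "$rpm_release_regex" <<<"$VERSION")
RPM_CHANNEL=$(sed -E -e "$rpm_channel_regex" <<<"$VERSION")
# sed leaves VERSION untouched when the channel pattern does not apply.
if [[ "$RPM_CHANNEL" == "$VERSION" ]]; then
  echo "Unknown RPM_CHANNEL found: $RPM_CHANNEL but defaulting to testing"
  RPM_CHANNEL="testing"
fi
case "$RPM_CHANNEL" in
  "testing"|"latest"|"stable")
    echo "RPM_CHANNEL matched our expected variants"
    ;;
  *)
    echo "RPM_CHANNEL $RPM_CHANNEL does not match one of: [testing, latest, stable]"
    exit 1
    ;;
esac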
0707010000001B000041ED0000000000000000000000026855D7C600000000000000000000000000000000000000000000002A00000000rke2-selinux-0.20.stable.1/policy/centos80707010000001C000081A40000000000000000000000016855D7C600000A4B000000000000000000000000000000000000003C00000000rke2-selinux-0.20.stable.1/policy/centos8/rke2-selinux.spec# vim: sw=4:ts=4:et
# Post-install helper: pre-create the directories covered by the rke2 file
# contexts and relabel them. The umask steps narrow the mode of each subtree
# as it is created: 0022 for the shared trees, 0027 for kubelet pods and the
# agent directory, 0066 for the k3s runtime directory, 0077 for the containerd
# snapshots and the server directory. The -i on the unit-file restorecon calls
# ignores units that do not exist yet.
%define rke2_relabel_files() \
umask 0022; \
mkdir -p /etc/cni; \
mkdir -p /opt/cni; \
mkdir -p /var/lib/cni; \
mkdir -p /var/lib/kubelet; \
mkdir -p /var/lib/rancher/rke2/data; \
mkdir -p /var/run/flannel; \
umask 0027; \
mkdir -p /var/lib/kubelet/pods; \
mkdir -p /var/lib/rancher/rke2/agent; \
umask 0066; \
mkdir -p /var/run/k3s; \
umask 0077; \
mkdir -p /var/lib/rancher/rke2/agent/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots; \
mkdir -p /var/lib/rancher/rke2/server; \
restorecon -R -i /etc/systemd/system/rke2*; \
restorecon -R -i /usr/lib/systemd/system/rke2*; \
restorecon -R /var/lib/cni; \
restorecon -R /opt/cni; \
restorecon -R /etc/cni; \
restorecon -R /var/lib/kubelet; \
restorecon -R /var/lib/rancher; \
restorecon -R /var/run/k3s; \
restorecon -R /var/run/flannel
# Minimum selinux-policy and container-selinux versions this module is built
# and installed against (no upper bound on el8).
%define selinux_policyver 3.13.1-252
%define container_policyver 2.167.0-1
%define container_policy_epoch 2
# Version and release are injected by scripts/build from scripts/version.
Name: rke2-selinux
Version: %{rke2_selinux_version}
Release: %{rke2_selinux_release}.el8
Summary: SELinux policy module for rke2
Group: System Environment/Base
License: ASL 2.0
URL: https://rke2.io
Source0: rke2.pp
Source1: rke2.if
BuildArch: noarch
BuildRequires: container-selinux >= %{container_policy_epoch}:%{container_policyver}
BuildRequires: git
BuildRequires: selinux-policy >= %{selinux_policyver}
BuildRequires: selinux-policy-devel >= %{selinux_policyver}
Requires: policycoreutils, libselinux-utils
Requires(post): selinux-policy-base >= %{selinux_policyver}
Requires(post): policycoreutils
Requires(post): container-selinux >= %{container_policy_epoch}:%{container_policyver}
Requires(postun): policycoreutils
Provides: %{name} = %{version}-%{release}
Obsoletes: rke2-selinux < 0.9
Conflicts: k3s-selinux
%description
This package installs and sets up the SELinux policy security module for rke2.
%install
# Ship the compiled module and the interface file. The users/ contexts
# directory is created in the buildroot but is not listed in the files
# section, so it is not packaged.
install -d %{buildroot}%{_datadir}/selinux/packages
install -m 644 %{SOURCE0} %{buildroot}%{_datadir}/selinux/packages
install -d %{buildroot}%{_datadir}/selinux/devel/include/contrib
install -m 644 %{SOURCE1} %{buildroot}%{_datadir}/selinux/devel/include/contrib/
install -d %{buildroot}/etc/selinux/targeted/contexts/users/
%pre
%selinux_relabel_pre
# Install the module without an immediate policy reload (semodule -n); the
# policy is loaded and the rke2 trees relabeled only when SELinux is enabled.
%post
semodule -n -i %{_datadir}/selinux/packages/rke2.pp
if /usr/sbin/selinuxenabled ; then
/usr/sbin/load_policy
%rke2_relabel_files
fi;
# $1 is the number of package instances left after the transaction: 0 means a
# full erase rather than an upgrade, so only then is the module removed.
%postun
if [ $1 -eq 0 ]; then
%selinux_modules_uninstall rke2
fi;
%posttrans
%selinux_relabel_post
# The module source is root-only readable.
%files
%attr(0600,root,root) %{_datadir}/selinux/packages/rke2.pp
%{_datadir}/selinux/devel/include/contrib/rke2.if
%changelog
0707010000001D000081A40000000000000000000000016855D7C600000DCB000000000000000000000000000000000000003200000000rke2-selinux-0.20.stable.1/policy/centos8/rke2.fc# vim: sw=8:ts=8:et
# File contexts for rke2 (centos8). Commented-out entries are kept so this
# file can be compared line for line with the policies for the other target
# distributions; they are disabled here because they conflict with, or crash
# the installation of, the upstream container-selinux policy:
# https://github.com/containers/container-selinux/pull/140/files
#
# systemd units and the rke2 binary carry the container runtime labels.
/etc/systemd/system/rke2.* -- gen_context(system_u:object_r:container_unit_file_t,s0)
/lib/systemd/system/rke2.* -- gen_context(system_u:object_r:container_unit_file_t,s0)
/usr/local/lib/systemd/system/rke2.* -- gen_context(system_u:object_r:container_unit_file_t,s0)
/usr/lib/systemd/system/rke2.* -- gen_context(system_u:object_r:container_unit_file_t,s0)
/usr/bin/rke2 -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
/usr/local/bin/rke2 -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
# CNI directories; the /var/lib/cni and kubelet pod entries are left to
# container-selinux.
#/var/lib/cni(/.*)? gen_context(system_u:object_r:container_var_lib_t,s0)
/opt/cni(/.*)? gen_context(system_u:object_r:container_file_t,s0)
/etc/cni(/.*)? gen_context(system_u:object_r:container_file_t,s0)
#/var/lib/kubelet/pods(/.*)? gen_context(system_u:object_r:container_file_t,s0)
# rke2 state. Everything under data/ is labeled as runtime executable content;
# only the charts subtree inside it is treated as config.
/var/lib/rancher/rke2(/.*)? gen_context(system_u:object_r:container_var_lib_t,s0)
/var/lib/rancher/rke2/data(/.*)? gen_context(system_u:object_r:container_runtime_exec_t,s0)
/var/lib/rancher/rke2/data/[^/]*/charts(/.*)? gen_context(system_u:object_r:container_config_t,s0)
# containerd snapshot directories are container_file_t here (sandboxes stay
# container_share_t); snapshot contents are skipped by restorecon (<<none>>)
# so labels applied at runtime are kept.
/var/lib/rancher/rke2/agent/containerd/[^/]*/snapshots -d gen_context(system_u:object_r:container_file_t,s0)
/var/lib/rancher/rke2/agent/containerd/[^/]*/snapshots/[^/]* -d gen_context(system_u:object_r:container_file_t,s0)
/var/lib/rancher/rke2/agent/containerd/[^/]*/snapshots/[^/]*/.* <<none>>
/var/lib/rancher/rke2/agent/containerd/[^/]*/sandboxes(/.*)? gen_context(system_u:object_r:container_share_t,s0)
# Log files, and the server TLS material with its own type.
/var/lib/rancher/rke2/server/logs(/.*)? gen_context(system_u:object_r:container_log_t,s0)
/var/lib/rancher/rke2/agent/containerd/containerd.log gen_context(system_u:object_r:container_log_t,s0)
/var/lib/rancher/rke2/agent/logs/kubelet.log gen_context(system_u:object_r:container_log_t,s0)
/var/lib/rancher/rke2/server/tls(/.*)? gen_context(system_u:object_r:rke2_tls_t,s0)
# Runtime and /var/log entries are provided by container-selinux on this
# distribution; retained commented out for parity.
#/var/run/flannel(/.*)? gen_context(system_u:object_r:container_var_run_t,s0)
#/var/run/k3s(/.*)? gen_context(system_u:object_r:container_var_run_t,s0)
#/var/run/k3s/containerd/[^/]*/sandboxes/[^/]*/shm(/.*)? gen_context(system_u:object_r:container_runtime_tmpfs_t,s0)
#/var/log/containers(/.*)? gen_context(system_u:object_r:container_log_t,s0)
#/var/log/pods(/.*)? gen_context(system_u:object_r:container_log_t,s0)
0707010000001E000081A40000000000000000000000016855D7C60000086E000000000000000000000000000000000000003200000000rke2-selinux-0.20.stable.1/policy/centos8/rke2.if# adapted from https://github.com/containers/container-selinux/blob/v2.143.0/container.if#L484
########################################
## <summary>
##	Name-based type transitions for the directories rke2 creates, so that
##	new rke2 content gets its own types instead of the parent directory label.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to create the named content.
##	</summary>
## </param>
#
interface(`rke2_filetrans_named_content',`
	gen_require(`
		type container_config_t;
		type container_file_t;
		type container_log_t;
		type container_runtime_exec_t;
		type container_runtime_tmpfs_t;
		type container_share_t;
		type container_var_lib_t;
		type container_var_run_t;
		type container_kvm_var_run_t;
		type var_lib_t;
		type var_log_t;
		type rke2_tls_t;
	')
	# container_runtime_tmpfs_t, container_share_t and container_kvm_var_run_t
	# are required above but not referenced by any transition below.
	# The upstream container_filetrans_named_content is not invoked here; the
	# rke2-specific transitions stand on their own.
	#container_filetrans_named_content($1)
	# /var/run/rke2 created under the pid directory
	files_pid_filetrans($1, container_var_run_t, dir, "rke2")
	# data/ is runtime executable content, charts/ inside it is config
	filetrans_pattern($1, container_var_lib_t, container_runtime_exec_t, dir, "data")
	filetrans_pattern($1, container_runtime_exec_t, container_config_t, dir, "charts")
	# kubelet pods, /var/lib/kubelet and the /var/log/pods and
	# /var/log/containers trees
	filetrans_pattern($1, container_var_lib_t, container_file_t, dir, "pods")
	filetrans_pattern($1, var_lib_t, container_var_lib_t, dir, "kubelet")
	filetrans_pattern($1, var_log_t, container_log_t, dir, "pods")
	filetrans_pattern($1, var_log_t, container_log_t, dir, "containers")
	# server logs and TLS material get their own types (see rke2.fc)
	filetrans_pattern($1, container_var_lib_t, container_log_t, dir, "logs")
	filetrans_pattern($1, container_var_lib_t, rke2_tls_t, dir, "tls")
')
########################################
## <summary>
##	Create an rke2 service domain: a container domain that is also a virt
##	sandbox domain, with unconfined networking and the default virt
##	capabilities.
## </summary>
## <param name="domain_prefix">
##	<summary>
##	Prefix of the new domain type; _t is appended.
##	</summary>
## </param>
#
template(`rke2_service_domain_template',`
	# $1_t is expected to be declared by container_domain_template
	container_domain_template($1, container)
	virt_sandbox_domain($1_t)
	gen_require(`
		attribute container_domain, container_net_domain;
		attribute sandbox_net_domain;
	')
	typeattribute $1_t container_domain, container_net_domain, sandbox_net_domain;
	virt_default_capabilities($1_t)
	kernel_read_messages($1_t)
	logging_send_syslog_msg($1_t)
	# Networking is effectively unrestricted for this domain: unconfined
	# corenet access plus bind and connect on all ports, so port types do not
	# limit it.
	corenet_unconfined($1_t)
	corenet_tcp_bind_generic_node($1_t)
	corenet_udp_bind_generic_node($1_t)
	corenet_raw_bind_generic_node($1_t)
	corenet_tcp_sendrecv_all_ports($1_t)
	corenet_udp_sendrecv_all_ports($1_t)
	corenet_udp_bind_all_ports($1_t)
	corenet_tcp_bind_all_ports($1_t)
	corenet_tcp_connect_all_ports($1_t)
	# read all certificates; full (admin) access to container logs and the
	# rke2 TLS files
	miscfiles_read_all_certs($1_t)
	admin_pattern($1_t, container_log_t)
	admin_pattern($1_t, rke2_tls_t)
')
0707010000001F000081A40000000000000000000000016855D7C60000045B000000000000000000000000000000000000003200000000rke2-selinux-0.20.stable.1/policy/centos8/rke2.tepolicy_module(rke2, 1.0.0)
# Types and classes from the base and container policies this module uses.
gen_require(`
	type container_runtime_t, unconfined_service_t, iscsid_t;
	class capability dac_override;
')
# The container runtime and unconfined services create the rke2-named
# directories with the rke2 types (see rke2.if).
rke2_filetrans_named_content(container_runtime_t)
rke2_filetrans_named_content(unconfined_service_t)
#######################
# type rke2_service_t #
#######################
# Read-only access to container lib files, plus writing to lib sockets and
# connecting to the runtime domain over unix stream sockets.
rke2_service_domain_template(rke2_service)
container_read_lib_files(rke2_service_t)
allow rke2_service_t container_var_lib_t:sock_file { write };
allow rke2_service_t container_runtime_t:unix_stream_socket { connectto };
##########################
# type rke2_service_db_t #
##########################
# Same template, but with manage rights on container lib dirs and files and
# the ability to mmap lib files.
rke2_service_domain_template(rke2_service_db)
container_manage_lib_dirs(rke2_service_db_t)
container_manage_lib_files(rke2_service_db_t)
allow rke2_service_db_t container_var_lib_t:file { map };
#########################
# Longhorn ISCSID_T FIX #
#########################
# https://github.com/longhorn/longhorn/issues/5627#issuecomment-1577498183
# dac_override lets iscsid bypass file permission bits; this is a broad grant
# kept only for the Longhorn case referenced above.
allow iscsid_t self:capability dac_override;
###################
# type rke2_tls_t #
###################
# Dedicated file type for server TLS material (applied by rke2.fc to
# /var/lib/rancher/rke2/server/tls).
type rke2_tls_t;
files_type(rke2_tls_t);
07070100000020000041ED0000000000000000000000026855D7C600000000000000000000000000000000000000000000003200000000rke2-selinux-0.20.stable.1/policy/centos8/scripts07070100000021000081ED0000000000000000000000016855D7C600000222000000000000000000000000000000000000003800000000rke2-selinux-0.20.stable.1/policy/centos8/scripts/build#!/bin/bash
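set -e -x
# Run from the policy directory (the parent of scripts/) so the relative paths
# below and the sourced version script resolve; quoting keeps paths with
# spaces intact.
cd "$(dirname "$0")/.."
# Sets RPM_VERSION and RPM_RELEASE from the git tag or commit.
. ./scripts/version
# Compile the policy module (rke2.te, rke2.if, rke2.fc -> rke2.pp).
make -f /usr/share/selinux/devel/Makefile rke2.pp
# Build source and binary RPMs in-tree: rpmbuild output lands in dist/ and the
# buildroot in .build/ under this directory.
rpmbuild \
  --define "rke2_selinux_version ${RPM_VERSION}" \
  --define "rke2_selinux_release ${RPM_RELEASE}" \
  --define "_sourcedir $PWD" \
  --define "_specdir $PWD" \
  --define "_builddir $PWD" \
  --define "_srcrpmdir ${PWD}/dist/source" \
  --define "_buildrootdir $PWD/.build" \
  --define "_rpmdir ${PWD}/dist" \
  -ba rke2-selinux.spec
# Copy the artifacts out to /source/dist/centos8.
mkdir -p /source/dist/centos8
cp -r dist/* /source/dist/centos8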
07070100000022000081ED0000000000000000000000016855D7C6000001D5000000000000000000000000000000000000003B00000000rke2-selinux-0.20.stable.1/policy/centos8/scripts/checksum#!/bin/bash
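set -ex
cd "$(dirname "$0")/.."
ls -la
pwd
# Directory whose files are summed and the name of the resulting list. The
# callers (scripts/sign) pass these explicitly; the defaults cover a local run
# and now match this policy directory (centos8) instead of the centos7 copy
# they were pasted from.
CHECKSUM_DIR=${CHECKSUM_DIR:-./dist/centos8/noarch/}
CHECKSUM_FILE=${CHECKSUM_FILE:-CHECKSUMsum-centos8-noarch.txt}
DEST_DIR=${DEST_DIR:-${CHECKSUM_DIR}}
sumfile="${DEST_DIR}/${CHECKSUM_FILE}"
touch "${sumfile}"
# Sum every regular file in CHECKSUM_DIR except existing checksum lists.
# sha256sum runs from inside the directory so each line carries the bare
# file name; the earlier dirname/sed strip left a leading slash whenever
# CHECKSUM_DIR ended in "/". Output is appended, as before, so repeated calls
# with the same DEST_DIR/CHECKSUM_FILE accumulate into one list.
for path in "${CHECKSUM_DIR}"/*; do
  [ -f "${path}" ] || continue
  name=$(basename "${path}")
  case "${name}" in
    *sha256sum*) continue ;;
  esac
  (cd "${CHECKSUM_DIR}" && sha256sum "${name}") >> "${sumfile}"
done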
cat "${sumfile}"07070100000023000081ED0000000000000000000000016855D7C6000000C6000000000000000000000000000000000000003800000000rke2-selinux-0.20.stable.1/policy/centos8/scripts/entry#!/bin/sh
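set -ex
# Container entrypoint: when $1 names a script in policy/centos8/scripts, run
# it with the remaining arguments; otherwise replace this shell with the given
# command (exec does not return, so nothing below runs in that case).
if [ -e ./policy/centos8/scripts/"$1" ]; then
  ./policy/centos8/scripts/"$@"
else
  exec "$@"
fi
# Hand ownership of the working tree back to the uid/gid Dapper passes in.
# The -n test avoids an "integer expression expected" error from [ when
# DAPPER_UID is unset.
if [ -n "$DAPPER_UID" ] && [ "$DAPPER_UID" -ne -1 ]; then
  chown -R "$DAPPER_UID:$DAPPER_GID" .
fi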
07070100000024000081ED0000000000000000000000016855D7C600000678000000000000000000000000000000000000003700000000rke2-selinux-0.20.stable.1/policy/centos8/scripts/sign#!/bin/bash
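set -e -x
yum install -y rpm-sign expect git
pushd "$(dirname "$0")/.."
. ./scripts/version
popd
# rpm signing setup: detached v3 gpg signatures with sha256 digests, the
# passphrase is handed to gpg on fd 3 by rpmsign.
cat <<\EOF >~/.rpmmacros
%_signature gpg
%_gpg_name ci@rancher.com
%__gpg_sign_cmd %{__gpg} gpg --force-v3-sigs --batch --verbose --no-armor --passphrase-fd 3 --no-secmem-warning -u "%{_gpg_name}" -sbo %{__signature_filename} --digest-algo sha256 %{__plaintext_filename}
%_source_filedigest_algorithm 8
%_binary_filedigest_algorithm 8
EOF
# Select and import the signing key for the channel. Tracing is switched off
# for this part: under set -x the passphrase export below is echoed into the
# build log. grep -q also keeps the matched header line off stdout.
set +x
case "$RPM_CHANNEL" in
  "testing")
    export PRIVATE_KEY_PASS_PHRASE=$TESTING_PRIVATE_KEY_PASS_PHRASE
    if ! grep -q "BEGIN PGP PRIVATE KEY BLOCK" <<<"$TESTING_PRIVATE_KEY"; then
      echo "TESTING_PRIVATE_KEY not defined, failing rpm sign"
      exit 1
    fi
    gpg --import - <<<"$TESTING_PRIVATE_KEY"
    ;;
  "latest"|"stable")
    if ! grep -q "BEGIN PGP PRIVATE KEY BLOCK" <<<"$PRIVATE_KEY"; then
      echo "PRIVATE_KEY not defined, failing rpm sign"
      exit 1
    fi
    gpg --import - <<<"$PRIVATE_KEY"
    ;;
  *)
    echo "RPM_CHANNEL $RPM_CHANNEL does not match one of: [testing, latest, stable]"
    exit 1
    ;;
esac
# Drive rpmsign through expect so the passphrase prompt can be answered; the
# exit status of rpmsign is propagated. Tracing stays off until the passphrase
# has been consumed.
expect <<EOF
set timeout 60
spawn sh -c "rpmsign --addsign dist/centos8/**/rke2-*.rpm"
expect "Enter pass phrase:"
send -- "$PRIVATE_KEY_PASS_PHRASE\r"
expect eof
lassign [wait] _ _ _ code
exit \$code
EOF
set -x
# checksum rpms
pushd "$(dirname "$0")/.."
DEST_DIR=../../dist/centos8/noarch CHECKSUM_DIR=../../dist/centos8/noarch CHECKSUM_FILE=sha256sum-centos8-noarch.txt ./scripts/checksum
popd
# checksum srcrpms (appended to the same list as the binary rpms)
pushd "$(dirname "$0")/.."
DEST_DIR=../../dist/centos8/noarch CHECKSUM_DIR=../../dist/centos8/source CHECKSUM_FILE=sha256sum-centos8-noarch.txt ./scripts/checksum
popd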
07070100000025000081ED0000000000000000000000016855D7C6000007F2000000000000000000000000000000000000003E00000000rke2-selinux-0.20.stable.1/policy/centos8/scripts/upload-repo#!/bin/bash
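set -e -x
pushd "$(dirname "$0")/.."
. ./scripts/version
popd
# rpm-s3 is python2 tooling: boto3, pip and setuptools are pinned to releases
# that still support python2, and rpm-s3 itself is installed from a fixed
# commit rather than a moving branch.
yum install -y epel-release
yum install -y git python2-pip python-deltarpm ca-certificates
export REQUESTS_CA_BUNDLE=/etc/pki/tls/certs/ca-bundle.crt
pip2 install --cache-dir=/var/cache/pip --upgrade 'boto3==1.17.112' 'pip<21.0' 'setuptools<45.0'
pip2 install --cache-dir=/var/cache/pip/ \
  git+https://github.com/Voronenko/rpm-s3.git@5695c6ad9a08548141d3713328e1bd3f533d137e
if [ -z "$RPM_CHANNEL" ]; then
  echo "RPM_CHANNEL not defined, failing rpm upload"
  exit 1
fi
TARGET_EL8_S3_PATH="rke2/$RPM_CHANNEL/common/centos/8/noarch"
TARGET_EL8_SOURCE_S3_PATH="rke2/$RPM_CHANNEL/common/centos/8/source"
# Pick the bucket and credentials for the channel. Tracing is off while the
# credentials are exported: under set -x the export lines print the secret
# access key into the CI log.
set +x
case "$RPM_CHANNEL" in
  "testing")
    if [ -z "$TESTING_AWS_S3_BUCKET" ]; then
      echo "TESTING_AWS_S3_BUCKET not defined, failing rpm upload"
      exit 1
    fi
    if [ -z "$TESTING_AWS_ACCESS_KEY_ID" ]; then
      echo "TESTING_AWS_ACCESS_KEY_ID not defined, failing rpm upload"
      exit 1
    fi
    if [ -z "$TESTING_AWS_SECRET_ACCESS_KEY" ]; then
      echo "TESTING_AWS_SECRET_ACCESS_KEY not defined, failing rpm upload"
      exit 1
    fi
    export AWS_ACCESS_KEY_ID=$TESTING_AWS_ACCESS_KEY_ID
    export AWS_SECRET_ACCESS_KEY=$TESTING_AWS_SECRET_ACCESS_KEY
    export AWS_S3_BUCKET=$TESTING_AWS_S3_BUCKET
    ;;
  "latest"|"stable")
    if [ -z "$AWS_S3_BUCKET" ]; then
      echo "AWS_S3_BUCKET not defined, failing rpm upload"
      exit 1
    fi
    if [ -z "$AWS_ACCESS_KEY_ID" ]; then
      echo "AWS_ACCESS_KEY_ID not defined, failing rpm upload"
      exit 1
    fi
    if [ -z "$AWS_SECRET_ACCESS_KEY" ]; then
      echo "AWS_SECRET_ACCESS_KEY not defined, failing rpm upload"
      exit 1
    fi
    ;;
  *)
    echo "RPM_CHANNEL $RPM_CHANNEL does not match one of: [testing, latest, stable]"
    exit 1
    ;;
esac
set -x
# Publish binary and source rpms to the channel paths; --keep retains old
# packages in the repo metadata.
rpm-s3 --bucket "$AWS_S3_BUCKET" -p "$TARGET_EL8_S3_PATH" --keep 100000 dist/centos8/noarch/rke2-*.rpm
rpm-s3 --bucket "$AWS_S3_BUCKET" -p "$TARGET_EL8_SOURCE_S3_PATH" --keep 100000 dist/centos8/source/rke2-*src.rpm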
07070100000026000081ED0000000000000000000000016855D7C6000007C2000000000000000000000000000000000000003A00000000rke2-selinux-0.20.stable.1/policy/centos8/scripts/version#!/bin/bash
# Sourced (not executed) by scripts/build, scripts/sign and
# scripts/upload-repo: derives VERSION from the git tag of the checkout and
# splits it into RPM_VERSION, RPM_RELEASE and RPM_CHANNEL for the caller.
# Exits the caller when the version is not in the expected form.
TREE_STATE=clean
# Fallbacks for a checkout without a .git directory; CI (Drone, GitHub)
# provides the commit and tag through these variables.
COMMIT=${COMMIT:-${DRONE_COMMIT:-${GITHUB_SHA:-unknown}}}
TAG=${TAG:-${DRONE_TAG:-$GITHUB_TAG}}
# presumably DAPPER_SOURCE is the repository mount inside the build container - confirm
if [ -d ${DAPPER_SOURCE}/.git ]; then
    pushd ${DAPPER_SOURCE}
    # Any uncommitted change to a tracked file makes the tree dirty.
    if [ -n "$(git status --porcelain --untracked-files=no)" ]; then
        DIRTY="dirty"
        TREE_STATE=dirty
    fi
    if [[ "$TREE_STATE" == "clean" && -z "$TAG" ]]; then
        TAG=$(git tag -l --contains HEAD | head -n 1) # this is going to not work if you have multiple tags pointing to the same commit
    fi
    # Newest of the last three commits whose author is not drone@localhost
    # (presumably commits pushed by the CI itself); falls back to HEAD.
    COMMIT=$(git log -n3 --pretty=format:"%H %ae" | grep -v ' drone@localhost$' | cut -f1 -d\ | head -1)
    if [ -z "$COMMIT" ]; then
        COMMIT=$(git rev-parse HEAD || true)
    fi
    popd
fi
# A tag is only accepted as the version when the tree is clean; a tagged but
# dirty tree leaves VERSION unset, which fails the format check below.
if [[ -n "$TAG" ]]; then
    if [[ "$TREE_STATE" = "clean" ]]; then
        VERSION=$TAG # We will only accept the tag as our version if the tree state is clean and the tag is in fact defined.
    fi
else
    # Untagged builds get v0.0~<8-char commit>[dirty] on the testing channel.
    VERSION="v0.0~${COMMIT:0:8}${DIRTY}.testing.0"
fi
# Expected form: v<major>.<minor>[suffix].<channel>.<release>, e.g.
# v0.1.testing.1
if ! [[ $VERSION =~ ^v[0-9]+\.[0-9]+[-~a-zA-Z0-9]*\.[a-z]+\.[0-9]+$ ]]; then
    echo "Version $VERSION does not match our expected format. Exiting."
    exit 1
fi
# RPM_VERSION: the major.minor[suffix] part without the leading v, with '-'
# rewritten to '~' because a dash is not permitted in an RPM version.
# RPM_CHANNEL / RPM_RELEASE: the <channel> and <release> parts.
rpm_version_regex='s/\-/~/g; s/^v([0-9]+\.[0-9]+[-~a-zA-Z0-9]*)\.[a-z]+\.[0-9]+$/\1/;'
rpm_channel_regex='s/^v[0-9]+\.[0-9]+[-~a-zA-Z0-9]*\.([a-z]+)\.[0-9]+$/\1/;'
rpm_release_regex='s/^v[0-9]+\.[0-9]+[-~a-zA-Z0-9]*\.[a-z]+\.([0-9]+)$/\1/;'
RPM_VERSION=$(sed -E -e "$rpm_version_regex" <<<"$VERSION")
RPM_RELEASE=$(sed -E -e "$rpm_release_regex" <<<"$VERSION")
RPM_CHANNEL=$(sed -E -e "$rpm_channel_regex" <<<"$VERSION")
# sed leaves the input untouched when the pattern does not match; with the
# format check above this branch should not be reachable.
if [[ "$RPM_CHANNEL" == "$VERSION" ]]; then
    echo "Unknown RPM_CHANNEL found: $RPM_CHANNEL but defaulting to testing"
    RPM_CHANNEL="testing"
fi
# Only these three channels have a repo to publish to (see upload-repo).
case "$RPM_CHANNEL" in
    "testing"|"latest"|"stable")
        echo "RPM_CHANNEL matched our expected variants"
        ;;
    *)
        echo "RPM_CHANNEL $RPM_CHANNEL does not match one of: [testing, latest, stable]"
        exit 1
        ;;
esac
07070100000027000041ED0000000000000000000000026855D7C600000000000000000000000000000000000000000000002A00000000rke2-selinux-0.20.stable.1/policy/centos907070100000028000081A40000000000000000000000016855D7C600000A83000000000000000000000000000000000000003C00000000rke2-selinux-0.20.stable.1/policy/centos9/rke2-selinux.spec# vim: sw=4:ts=4:et
# rke2_relabel_files: create the directories rke2 expects with the mode set
# by the umask in effect for each mkdir (0755, 0750, 0711, 0700), then
# restore their labels from rke2.fc. restorecon -i ignores the unit file
# globs that do not exist on this host. Invoked from the post scriptlet.
%define rke2_relabel_files() \
    umask 0022; \
    mkdir -p /etc/cni; \
    mkdir -p /opt/cni; \
    mkdir -p /var/lib/cni; \
    mkdir -p /var/lib/kubelet; \
    mkdir -p /var/lib/rancher/rke2/data; \
    mkdir -p /var/run/flannel; \
    umask 0027; \
    mkdir -p /var/lib/kubelet/pods; \
    mkdir -p /var/lib/rancher/rke2/agent; \
    umask 0066; \
    mkdir -p /var/run/k3s; \
    umask 0077; \
    mkdir -p /var/lib/rancher/rke2/agent/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots; \
    mkdir -p /var/lib/rancher/rke2/server; \
    restorecon -R -i /etc/systemd/system/rke2*; \
    restorecon -R -i /usr/local/lib/systemd/system/rke2*; \
    restorecon -R -i /usr/lib/systemd/system/rke2*; \
    restorecon -R /var/lib/cni; \
    restorecon -R /opt/cni; \
    restorecon -R /etc/cni; \
    restorecon -R /var/lib/kubelet; \
    restorecon -R /var/lib/rancher; \
    restorecon -R /var/run/k3s; \
    restorecon -R /var/run/flannel

# Minimum base policy and container-selinux (epoch:version) this module is
# built against and requires at install time.
%define selinux_policyver 3.13.1-252
%define container_policyver 2.191.0-1
%define container_policy_epoch 3

Name: rke2-selinux
# Both values are passed in by scripts/build from scripts/version.
Version: %{rke2_selinux_version}
Release: %{rke2_selinux_release}.el9
Summary: SELinux policy module for rke2
Group: System Environment/Base
License: ASL 2.0
URL: https://rke2.io
# The compiled module and the interface file built by scripts/build.
Source0: rke2.pp
Source1: rke2.if
BuildArch: noarch
BuildRequires: container-selinux >= %{container_policy_epoch}:%{container_policyver}
BuildRequires: git
BuildRequires: selinux-policy >= %{selinux_policyver}
BuildRequires: selinux-policy-devel >= %{selinux_policyver}
Requires: policycoreutils, libselinux-utils
Requires(post): selinux-policy-base >= %{selinux_policyver}
Requires(post): policycoreutils
Requires(post): container-selinux >= %{container_policy_epoch}:%{container_policyver}
Requires(postun): policycoreutils
Provides: %{name} = %{version}-%{release}
# Pre-0.9 packages are obsoleted rather than upgraded in place; the k3s
# policy is never co-installed with this one.
Obsoletes: rke2-selinux < 0.9
Conflicts: k3s-selinux

%description
This package installs and sets up the SELinux policy security module for rke2.

%install
install -d %{buildroot}%{_datadir}/selinux/packages
install -m 644 %{SOURCE0} %{buildroot}%{_datadir}/selinux/packages
install -d %{buildroot}%{_datadir}/selinux/devel/include/contrib
install -m 644 %{SOURCE1} %{buildroot}%{_datadir}/selinux/devel/include/contrib/
# NOTE(review): this empty directory is created but not packaged below -
# confirm it is still needed.
install -d %{buildroot}/etc/selinux/targeted/contexts/users/

# Relabel bookkeeping provided by the selinux-policy rpm macros.
%pre
%selinux_relabel_pre

%post
# Install the module into the store without reloading policy (-n); only
# when SELinux is enabled on the host load the new policy and relabel.
semodule -n -i %{_datadir}/selinux/packages/rke2.pp
if /usr/sbin/selinuxenabled ; then
    /usr/sbin/load_policy
    %rke2_relabel_files
fi;

%postun
# $1 is 0 only on a full removal (an upgrade passes 1), so the module stays
# installed across upgrades.
if [ $1 -eq 0 ]; then
    %selinux_modules_uninstall rke2
fi;

%posttrans
%selinux_relabel_post

%files
# The compiled module is readable by root only; the interface file is
# installed where the devel Makefile finds interfaces of other modules.
%attr(0600,root,root) %{_datadir}/selinux/packages/rke2.pp
%{_datadir}/selinux/devel/include/contrib/rke2.if

%changelog
07070100000029000081A40000000000000000000000016855D7C600000DCB000000000000000000000000000000000000003200000000rke2-selinux-0.20.stable.1/policy/centos9/rke2.fc# vim: sw=8:ts=8:et
# commented items are lines retained for parity when comparing policy between target distributions.
# these are commented because they will cause conflict and/or crash when attempting to install with upstream
# container-selinux: https://github.com/containers/container-selinux/pull/140/files

# systemd unit files (every location a unit may be installed to) and the
# rke2 binary, which runs as the container runtime
/etc/systemd/system/rke2.*		--	gen_context(system_u:object_r:container_unit_file_t,s0)
/lib/systemd/system/rke2.*		--	gen_context(system_u:object_r:container_unit_file_t,s0)
/usr/local/lib/systemd/system/rke2.*	--	gen_context(system_u:object_r:container_unit_file_t,s0)
/usr/lib/systemd/system/rke2.*		--	gen_context(system_u:object_r:container_unit_file_t,s0)
/usr/bin/rke2				--	gen_context(system_u:object_r:container_runtime_exec_t,s0)
/usr/local/bin/rke2			--	gen_context(system_u:object_r:container_runtime_exec_t,s0)

# CNI plugins and configuration
#/var/lib/cni(/.*)?				gen_context(system_u:object_r:container_var_lib_t,s0)
/opt/cni(/.*)?					gen_context(system_u:object_r:container_file_t,s0)
/etc/cni(/.*)?					gen_context(system_u:object_r:container_file_t,s0)
#/var/lib/kubelet/pods(/.*)?			gen_context(system_u:object_r:container_file_t,s0)

# rke2 state: data/ is executable by the runtime, charts/ under it is config
/var/lib/rancher/rke2(/.*)?			gen_context(system_u:object_r:container_var_lib_t,s0)
/var/lib/rancher/rke2/data(/.*)?		gen_context(system_u:object_r:container_runtime_exec_t,s0)
/var/lib/rancher/rke2/data/[^/]*/charts(/.*)?	gen_context(system_u:object_r:container_config_t,s0)

# containerd snapshots: only the snapshot directories themselves are
# labelled (-d); their contents are <<none>>, i.e. restorecon leaves the
# labels the runtime set on them alone
/var/lib/rancher/rke2/agent/containerd/[^/]*/snapshots		-d	gen_context(system_u:object_r:container_file_t,s0)
/var/lib/rancher/rke2/agent/containerd/[^/]*/snapshots/[^/]*	-d	gen_context(system_u:object_r:container_file_t,s0)
/var/lib/rancher/rke2/agent/containerd/[^/]*/snapshots/[^/]*/.*	<<none>>
/var/lib/rancher/rke2/agent/containerd/[^/]*/sandboxes(/.*)?	gen_context(system_u:object_r:container_share_t,s0)

# logs, and the server TLS material (rke2_tls_t is declared in rke2.te)
/var/lib/rancher/rke2/server/logs(/.*)?			gen_context(system_u:object_r:container_log_t,s0)
/var/lib/rancher/rke2/agent/containerd/containerd.log	gen_context(system_u:object_r:container_log_t,s0)
/var/lib/rancher/rke2/agent/logs/kubelet.log		gen_context(system_u:object_r:container_log_t,s0)
/var/lib/rancher/rke2/server/tls(/.*)?			gen_context(system_u:object_r:rke2_tls_t,s0)

#/var/run/flannel(/.*)?				gen_context(system_u:object_r:container_var_run_t,s0)
#/var/run/k3s(/.*)?				gen_context(system_u:object_r:container_var_run_t,s0)
#/var/run/k3s/containerd/[^/]*/sandboxes/[^/]*/shm(/.*)?	gen_context(system_u:object_r:container_runtime_tmpfs_t,s0)
#/var/log/containers(/.*)?			gen_context(system_u:object_r:container_log_t,s0)
#/var/log/pods(/.*)?				gen_context(system_u:object_r:container_log_t,s0)
0707010000002A000081A40000000000000000000000016855D7C60000086E000000000000000000000000000000000000003200000000rke2-selinux-0.20.stable.1/policy/centos9/rke2.if# adapted from https://github.com/containers/container-selinux/blob/v2.143.0/container.if#L484
########################################
## <summary>
##	Add the rke2 named file transitions to a domain: directories the
##	domain creates with these names under the pid, lib and log
##	directories get the types rke2.fc assigns to those paths at
##	creation time, without waiting for a relabel.
## </summary>
## <param name="domain">
##	<summary>
##	Domain that creates the named directories.
##	</summary>
## </param>
#
interface(`rke2_filetrans_named_content',`
	gen_require(`
		type container_config_t;
		type container_file_t;
		type container_log_t;
		type container_runtime_exec_t;
		type container_runtime_tmpfs_t;
		type container_share_t;
		type container_var_lib_t;
		type container_var_run_t;
		type container_kvm_var_run_t;
		type var_lib_t;
		type var_log_t;
		type rke2_tls_t;
	')
	# NOTE(review): container_runtime_tmpfs_t, container_share_t and
	# container_kvm_var_run_t are required here but not used below.

	#container_filetrans_named_content($1)
	# "rke2" created in the pid directory
	files_pid_filetrans($1, container_var_run_t, dir, "rke2")
	# "data" in a container lib dir, and "charts" inside data
	filetrans_pattern($1, container_var_lib_t, container_runtime_exec_t, dir, "data")
	filetrans_pattern($1, container_runtime_exec_t, container_config_t, dir, "charts")
	# "pods" in a container lib dir; "kubelet" in a plain var_lib_t dir
	filetrans_pattern($1, container_var_lib_t, container_file_t, dir, "pods")
	filetrans_pattern($1, var_lib_t, container_var_lib_t, dir, "kubelet")
	# "pods" and "containers" in a var_log_t dir
	filetrans_pattern($1, var_log_t, container_log_t, dir, "pods")
	filetrans_pattern($1, var_log_t, container_log_t, dir, "containers")
	# "logs" and "tls" in a container lib dir (see the server/ paths in rke2.fc)
	filetrans_pattern($1, container_var_lib_t, container_log_t, dir, "logs")
	filetrans_pattern($1, container_var_lib_t, rke2_tls_t, dir, "tls")
')
########################################
## <summary>
##	Declare a <prefix>_t rke2 service domain: a container domain that
##	is also a virt sandbox and sandbox network domain, with the default
##	virt capabilities, unrestricted networking (any port, any node),
##	kernel message and certificate reads, syslog, and admin rights over
##	container logs and the rke2 tls files.
## </summary>
## <param name="domain_prefix">
##	<summary>
##	Prefix of the domain type to declare.
##	</summary>
## </param>
#
template(`rke2_service_domain_template',`
	# presumably the container-selinux template declares $1_t - confirm;
	# the attributes below make it a container and sandbox network domain.
	container_domain_template($1, container)
	virt_sandbox_domain($1_t)
	gen_require(`
		attribute container_domain, container_net_domain;
		attribute sandbox_net_domain;
	')
	typeattribute $1_t container_domain, container_net_domain, sandbox_net_domain;
	virt_default_capabilities($1_t)
	kernel_read_messages($1_t)
	logging_send_syslog_msg($1_t)
	# Networking: no port or node restrictions for the service domain.
	corenet_unconfined($1_t)
	corenet_tcp_bind_generic_node($1_t)
	corenet_udp_bind_generic_node($1_t)
	corenet_raw_bind_generic_node($1_t)
	corenet_tcp_sendrecv_all_ports($1_t)
	corenet_udp_sendrecv_all_ports($1_t)
	corenet_udp_bind_all_ports($1_t)
	corenet_tcp_bind_all_ports($1_t)
	corenet_tcp_connect_all_ports($1_t)
	miscfiles_read_all_certs($1_t)
	# Full management of container logs and of the rke2 server tls files.
	admin_pattern($1_t, container_log_t)
	admin_pattern($1_t, rke2_tls_t)
')
0707010000002B000081A40000000000000000000000016855D7C600000498000000000000000000000000000000000000003200000000rke2-selinux-0.20.stable.1/policy/centos9/rke2.tepolicy_module(rke2, 1.0.0)
gen_require(`
	type container_runtime_t, unconfined_service_t, iscsid_t;
	class capability dac_override;
')

# Named file transitions (rke2.if) for the container runtime and for
# unconfined services, so directories either of them creates get the rke2.fc
# types immediately; presumably rke2 itself runs as unconfined_service_t
# when started from its systemd unit - confirm.
rke2_filetrans_named_content(container_runtime_t)
rke2_filetrans_named_content(unconfined_service_t)

#######################
# type rke2_service_t #
#######################
# Service domain (rke2_service_domain_template) that reads container lib
# files, watches files and writes to sockets under container_var_lib_t and
# connects to the runtime over its unix stream socket.
rke2_service_domain_template(rke2_service)
container_read_lib_files(rke2_service_t)
allow rke2_service_t container_var_lib_t:file { watch };
allow rke2_service_t container_var_lib_t:sock_file { write };
allow rke2_service_t container_runtime_t:unix_stream_socket { connectto };

##########################
# type rke2_service_db_t #
##########################
# Database variant of the service domain: fully manages container lib dirs
# and files and may also mmap them.
rke2_service_domain_template(rke2_service_db)
container_manage_lib_dirs(rke2_service_db_t)
container_manage_lib_files(rke2_service_db_t)
allow rke2_service_db_t container_var_lib_t:file { map };

#########################
# Longhorn ISCSID_T FIX #
#########################
# https://github.com/longhorn/longhorn/issues/5627#issuecomment-1577498183
# Grants iscsid the DAC override capability in its own domain only.
allow iscsid_t self:capability dac_override;

###################
# type rke2_tls_t #
###################
# Type for the server tls directory (rke2.fc), treated as a container file
# type; rke2_service_domain_template grants admin rights over it.
type rke2_tls_t;
container_file(rke2_tls_t);
0707010000002C000041ED0000000000000000000000026855D7C600000000000000000000000000000000000000000000003200000000rke2-selinux-0.20.stable.1/policy/centos9/scripts0707010000002D000081ED0000000000000000000000016855D7C600000222000000000000000000000000000000000000003800000000rke2-selinux-0.20.stable.1/policy/centos9/scripts/build#!/bin/bash
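set -e -x

# Work from the policy directory this script lives in (policy/centos9).
cd "$(dirname "$0")/.."
# Sets RPM_VERSION and RPM_RELEASE from the git tag; exits on a bad version.
. ./scripts/version

# Compile rke2.te / rke2.if / rke2.fc into the binary module rke2.pp.
make -f /usr/share/selinux/devel/Makefile rke2.pp

# Build the binary and source RPMs entirely inside this directory: spec,
# sources and build root are all here and the results land in ./dist.
rpmbuild \
    --define "rke2_selinux_version ${RPM_VERSION}" \
    --define "rke2_selinux_release ${RPM_RELEASE}" \
    --define "_sourcedir $PWD" \
    --define "_specdir $PWD" \
    --define "_builddir $PWD" \
    --define "_srcrpmdir ${PWD}/dist/source" \
    --define "_buildrootdir $PWD/.build" \
    --define "_rpmdir ${PWD}/dist" \
    -ba rke2-selinux.spec

# Copy the artifacts to the dist/centos9 tree read by sign and upload-repo
# (presumably /source is the repository mount in the build container).
mkdir -p /source/dist/centos9
cp -r dist/* /source/dist/centos9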
0707010000002E000081ED0000000000000000000000016855D7C6000001D5000000000000000000000000000000000000003B00000000rke2-selinux-0.20.stable.1/policy/centos9/scripts/checksum#!/bin/bash
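set -ex

# Work from the policy directory (policy/centos9); the defaults below are
# relative to it. The ls/pwd lines are build-log diagnostics.
cd "$(dirname "$0")/.."
ls -la
pwd

# CHECKSUM_DIR: directory whose files are hashed.
# CHECKSUM_FILE: name of the sum file; DEST_DIR: where it is written
# (defaults to CHECKSUM_DIR). scripts/sign passes all three.
# NOTE(review): the default file name does not follow the
# sha256sum-<distro>-noarch.txt pattern the callers use - confirm it is not
# a leftover rename.
CHECKSUM_DIR=${CHECKSUM_DIR:-./dist/centos7/noarch/}
CHECKSUM_FILE=${CHECKSUM_FILE:-CHECKSUMsum-centos7-noarch.txt}
DEST_DIR=${DEST_DIR:-${CHECKSUM_DIR}}
sumfile="${DEST_DIR}/${CHECKSUM_FILE}"

# Create but do not truncate: sign calls this twice (noarch, then source)
# and expects both sets of sums to accumulate in the same file.
touch "${sumfile}"

for path in "${CHECKSUM_DIR}"/*; do
    # Regular files only; an empty directory leaves the literal glob behind.
    if [ ! -f "${path}" ]; then
        continue
    fi
    file=$(basename "${path}")
    # Never hash a sum file, in particular not the one being written when
    # DEST_DIR and CHECKSUM_DIR are the same directory.
    case "${file}" in
        *sha256sum*) continue ;;
    esac
    if [ "${path}" -ef "${sumfile}" ]; then
        continue
    fi
    # Hash from inside the directory so only the bare file name is recorded
    # and the sums do not depend on where the tree was built.
    (cd "${CHECKSUM_DIR}" && sha256sum "${file}") >> "${sumfile}"
done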
cat "${sumfile}"0707010000002F000081ED0000000000000000000000016855D7C6000000C6000000000000000000000000000000000000003800000000rke2-selinux-0.20.stable.1/policy/centos9/scripts/entry#!/bin/sh
set -ex

# Container entrypoint (the DAPPER_* variables come from dapper): run the
# named script from this policy directory when it exists, otherwise hand
# over to the given command as-is.
if [ ! -e ./policy/centos9/scripts/"$1" ]; then
    exec "$@"
fi
./policy/centos9/scripts/"$@"

# Give the files the build wrote back to the invoking user.
if [ "$DAPPER_UID" -ne "-1" ]; then
    chown -R $DAPPER_UID:$DAPPER_GID .
fi
07070100000030000081ED0000000000000000000000016855D7C600000676000000000000000000000000000000000000003700000000rke2-selinux-0.20.stable.1/policy/centos9/scripts/sign#!/bin/bash
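set -e -x

yum install -y rpm-sign expect git

# Sets RPM_CHANNEL (testing / latest / stable) from the git tag.
pushd "$(dirname "$0")/.."
. ./scripts/version
popd

# rpmsign configuration: detached gpg signatures with a SHA-256 digest, the
# key chosen by name; rpmsign feeds the passphrase to gpg through fd 3.
cat <<\EOF >~/.rpmmacros
%_signature gpg
%_gpg_name ci@rancher.com
%__gpg_sign_cmd %{__gpg} gpg --force-v3-sigs --batch --verbose --no-armor --passphrase-fd 3 --no-secmem-warning -u "%{_gpg_name}" -sbo %{__signature_filename} --digest-algo sha256 %{__plaintext_filename}
%_source_filedigest_algorithm 8
%_binary_filedigest_algorithm 8
EOF

# xtrace prints every command after expansion, so key and passphrase
# handling runs with it off: otherwise the passphrase assignment is written
# to the CI log. grep -q keeps the key header out of stdout as well.
set +x
case "$RPM_CHANNEL" in
    "testing")
        export PRIVATE_KEY_PASS_PHRASE=$TESTING_PRIVATE_KEY_PASS_PHRASE
        if ! grep -q "BEGIN PGP PRIVATE KEY BLOCK" <<<"$TESTING_PRIVATE_KEY"; then
            echo "TESTING_PRIVATE_KEY not defined, failing rpm sign"
            exit 1
        fi
        gpg --import - <<<"$TESTING_PRIVATE_KEY"
        ;;
    "latest"|"stable")
        if ! grep -q "BEGIN PGP PRIVATE KEY BLOCK" <<<"$PRIVATE_KEY"; then
            echo "PRIVATE_KEY not defined, failing rpm sign"
            exit 1
        fi
        gpg --import - <<<"$PRIVATE_KEY"
        ;;
    *)
        echo "RPM_CHANNEL $RPM_CHANNEL does not match one of: [testing, latest, stable]"
        exit 1
        ;;
esac
# expect reads the passphrase from its environment (see below), so it must
# be exported; an unset value becomes the empty string, as before.
export PRIVATE_KEY_PASS_PHRASE="${PRIVATE_KEY_PASS_PHRASE:-}"
set -x

# Sign every built RPM. The heredoc is quoted so the passphrase is taken
# from the environment by expect instead of being interpolated into the
# Tcl script (where Tcl-special characters would break it). sh has no
# globstar, so ** matches like * and covers dist/centos9/noarch and
# dist/centos9/source.
expect <<'EOF'
set timeout 60
spawn sh -c "rpmsign --addsign dist/centos9/**/rke2-*.rpm"
expect "Enter pass phrase:"
send -- "$env(PRIVATE_KEY_PASS_PHRASE)\r"
expect eof
lassign [wait] _ _ _ code
exit $code
EOF

# checksum rpms: sums of the binary packages, then (appended to the same
# file by scripts/checksum) the source packages.
pushd "$(dirname "$0")/.."
DEST_DIR=../../dist/centos9/noarch CHECKSUM_DIR=../../dist/centos9/noarch CHECKSUM_FILE=sha256sum-centos9-noarch.txt ./scripts/checksum
popd
# checksum srcrpms
pushd "$(dirname "$0")/.."
DEST_DIR=../../dist/centos9/noarch CHECKSUM_DIR=../../dist/centos9/source CHECKSUM_FILE=sha256sum-centos9-noarch.txt ./scripts/checksum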
popd07070100000031000081ED0000000000000000000000016855D7C6000007F2000000000000000000000000000000000000003E00000000rke2-selinux-0.20.stable.1/policy/centos9/scripts/upload-repo#!/bin/bash
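set -e -x

# Source scripts/version so RPM_CHANNEL (derived from the git tag) is set;
# it also sets RPM_VERSION / RPM_RELEASE, which this script does not use.
pushd "$(dirname "$0")/.."
. ./scripts/version
popd

yum install -y epel-release
yum install -y git python2-pip python-deltarpm ca-certificates

export REQUESTS_CA_BUNDLE=/etc/pki/tls/certs/ca-bundle.crt

# rpm-s3 is pinned to an exact commit; boto3 / pip / setuptools are pinned to
# releases that still work with python2.
pip2 install --cache-dir=/var/cache/pip --upgrade 'boto3==1.17.112' 'pip<21.0' 'setuptools<45.0'
pip2 install --cache-dir=/var/cache/pip/ \
    git+https://github.com/Voronenko/rpm-s3.git@5695c6ad9a08548141d3713328e1bd3f533d137e

if [ -z "$RPM_CHANNEL" ]; then
    echo "RPM_CHANNEL not defined, failing rpm upload"
    exit 1
fi

TARGET_EL9_S3_PATH="rke2/$RPM_CHANNEL/common/centos/9/noarch"
TARGET_EL9_SOURCE_S3_PATH="rke2/$RPM_CHANNEL/common/centos/9/source"

# require_var NAME: fail the upload when the variable NAME is empty or unset.
require_var() {
    if [ -z "${!1}" ]; then
        echo "$1 not defined, failing rpm upload"
        exit 1
    fi
}

# xtrace prints every command after expansion, so the credential checks and
# exports below run with it off: otherwise the secret access key ends up in
# the CI log.
set +x
case "$RPM_CHANNEL" in
    "testing")
        require_var TESTING_AWS_S3_BUCKET
        require_var TESTING_AWS_ACCESS_KEY_ID
        require_var TESTING_AWS_SECRET_ACCESS_KEY
        export AWS_ACCESS_KEY_ID=$TESTING_AWS_ACCESS_KEY_ID
        export AWS_SECRET_ACCESS_KEY=$TESTING_AWS_SECRET_ACCESS_KEY
        export AWS_S3_BUCKET=$TESTING_AWS_S3_BUCKET
        ;;
    "latest"|"stable")
        require_var AWS_S3_BUCKET
        require_var AWS_ACCESS_KEY_ID
        require_var AWS_SECRET_ACCESS_KEY
        ;;
    *)
        echo "RPM_CHANNEL $RPM_CHANNEL does not match one of: [testing, latest, stable]"
        exit 1
        ;;
esac
set -x

# Publish binary and source RPMs into the channel's repo; --keep 100000 keeps
# effectively every previous package in the repository metadata.
rpm-s3 --bucket "$AWS_S3_BUCKET" -p "$TARGET_EL9_S3_PATH" --keep 100000 dist/centos9/noarch/rke2-*.rpm
rpm-s3 --bucket "$AWS_S3_BUCKET" -p "$TARGET_EL9_SOURCE_S3_PATH" --keep 100000 dist/centos9/source/rke2-*src.rpm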
07070100000032000081ED0000000000000000000000016855D7C6000007C2000000000000000000000000000000000000003A00000000rke2-selinux-0.20.stable.1/policy/centos9/scripts/version#!/bin/bash
# Sourced (not executed) by scripts/build, scripts/sign and
# scripts/upload-repo: derives VERSION from the git tag of the checkout and
# splits it into RPM_VERSION, RPM_RELEASE and RPM_CHANNEL for the caller.
# Exits the caller when the version is not in the expected form.
TREE_STATE=clean
# Fallbacks for a checkout without a .git directory; CI (Drone, GitHub)
# provides the commit and tag through these variables.
COMMIT=${COMMIT:-${DRONE_COMMIT:-${GITHUB_SHA:-unknown}}}
TAG=${TAG:-${DRONE_TAG:-$GITHUB_TAG}}
# presumably DAPPER_SOURCE is the repository mount inside the build container - confirm
if [ -d ${DAPPER_SOURCE}/.git ]; then
    pushd ${DAPPER_SOURCE}
    # Any uncommitted change to a tracked file makes the tree dirty.
    if [ -n "$(git status --porcelain --untracked-files=no)" ]; then
        DIRTY="dirty"
        TREE_STATE=dirty
    fi
    if [[ "$TREE_STATE" == "clean" && -z "$TAG" ]]; then
        TAG=$(git tag -l --contains HEAD | head -n 1) # this is going to not work if you have multiple tags pointing to the same commit
    fi
    # Newest of the last three commits whose author is not drone@localhost
    # (presumably commits pushed by the CI itself); falls back to HEAD.
    COMMIT=$(git log -n3 --pretty=format:"%H %ae" | grep -v ' drone@localhost$' | cut -f1 -d\ | head -1)
    if [ -z "$COMMIT" ]; then
        COMMIT=$(git rev-parse HEAD || true)
    fi
    popd
fi
# A tag is only accepted as the version when the tree is clean; a tagged but
# dirty tree leaves VERSION unset, which fails the format check below.
if [[ -n "$TAG" ]]; then
    if [[ "$TREE_STATE" = "clean" ]]; then
        VERSION=$TAG # We will only accept the tag as our version if the tree state is clean and the tag is in fact defined.
    fi
else
    # Untagged builds get v0.0~<8-char commit>[dirty] on the testing channel.
    VERSION="v0.0~${COMMIT:0:8}${DIRTY}.testing.0"
fi
# Expected form: v<major>.<minor>[suffix].<channel>.<release>, e.g.
# v0.1.testing.1
if ! [[ $VERSION =~ ^v[0-9]+\.[0-9]+[-~a-zA-Z0-9]*\.[a-z]+\.[0-9]+$ ]]; then
    echo "Version $VERSION does not match our expected format. Exiting."
    exit 1
fi
# RPM_VERSION: the major.minor[suffix] part without the leading v, with '-'
# rewritten to '~' because a dash is not permitted in an RPM version.
# RPM_CHANNEL / RPM_RELEASE: the <channel> and <release> parts.
rpm_version_regex='s/\-/~/g; s/^v([0-9]+\.[0-9]+[-~a-zA-Z0-9]*)\.[a-z]+\.[0-9]+$/\1/;'
rpm_channel_regex='s/^v[0-9]+\.[0-9]+[-~a-zA-Z0-9]*\.([a-z]+)\.[0-9]+$/\1/;'
rpm_release_regex='s/^v[0-9]+\.[0-9]+[-~a-zA-Z0-9]*\.[a-z]+\.([0-9]+)$/\1/;'
RPM_VERSION=$(sed -E -e "$rpm_version_regex" <<<"$VERSION")
RPM_RELEASE=$(sed -E -e "$rpm_release_regex" <<<"$VERSION")
RPM_CHANNEL=$(sed -E -e "$rpm_channel_regex" <<<"$VERSION")
# sed leaves the input untouched when the pattern does not match; with the
# format check above this branch should not be reachable.
if [[ "$RPM_CHANNEL" == "$VERSION" ]]; then
    echo "Unknown RPM_CHANNEL found: $RPM_CHANNEL but defaulting to testing"
    RPM_CHANNEL="testing"
fi
# Only these three channels have a repo to publish to (see upload-repo).
case "$RPM_CHANNEL" in
    "testing"|"latest"|"stable")
        echo "RPM_CHANNEL matched our expected variants"
        ;;
    *)
        echo "RPM_CHANNEL $RPM_CHANNEL does not match one of: [testing, latest, stable]"
        exit 1
        ;;
esac
07070100000033000041ED0000000000000000000000026855D7C600000000000000000000000000000000000000000000002A00000000rke2-selinux-0.20.stable.1/policy/microos07070100000034000081A40000000000000000000000016855D7C6000009F7000000000000000000000000000000000000003C00000000rke2-selinux-0.20.stable.1/policy/microos/rke2-selinux.spec# vim: sw=4:ts=4:et
# rke2_relabel_files: create the directories rke2 expects with the mode set
# by the umask in effect for each mkdir (0755, 0750, 0711, 0700), then
# restore their labels from rke2.fc. restorecon -i ignores the unit file
# globs that do not exist on this host. Invoked from the post scriptlet.
%define rke2_relabel_files() \
    umask 0022; \
    mkdir -p /etc/cni; \
    mkdir -p /opt/cni; \
    mkdir -p /var/lib/cni; \
    mkdir -p /var/lib/kubelet; \
    mkdir -p /var/lib/rancher/rke2/data; \
    mkdir -p /var/run/flannel; \
    umask 0027; \
    mkdir -p /var/lib/kubelet/pods; \
    mkdir -p /var/lib/rancher/rke2/agent; \
    umask 0066; \
    mkdir -p /var/run/k3s; \
    umask 0077; \
    mkdir -p /var/lib/rancher/rke2/agent/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots; \
    mkdir -p /var/lib/rancher/rke2/server; \
    restorecon -R -i /etc/systemd/system/rke2*; \
    restorecon -R -i /usr/lib/systemd/system/rke2*; \
    restorecon -R /var/lib/cni; \
    restorecon -R /opt/cni; \
    restorecon -R /etc/cni; \
    restorecon -R /var/lib/kubelet; \
    restorecon -R /var/lib/rancher; \
    restorecon -R /var/run/k3s; \
    restorecon -R /var/run/flannel

# Minimum base policy and container-selinux versions this module is built
# against and requires at install time (SUSE versioning, no epoch).
%define selinux_policyver 20210716-3.1
%define container_policyver 2.164.2-1.1

Name: rke2-selinux
# Both values are passed in by scripts/build from scripts/version.
Version: %{rke2_selinux_version}
Release: %{rke2_selinux_release}.sle
Summary: SELinux policy module for rke2
Group: System Environment/Base
License: ASL 2.0
URL: https://rke2.io
# The compiled module and the interface file built by scripts/build.
Source0: rke2.pp
Source1: rke2.if
BuildArch: noarch
BuildRequires: container-selinux >= %{container_policyver}
BuildRequires: git
BuildRequires: selinux-policy >= %{selinux_policyver}
BuildRequires: selinux-policy-devel >= %{selinux_policyver}
Requires: policycoreutils, selinux-tools
Requires(post): selinux-policy-base >= %{selinux_policyver}
Requires(post): policycoreutils
Requires(post): container-selinux >= %{container_policyver}
Requires(postun): policycoreutils
Provides: %{name} = %{version}-%{release}
# Pre-0.9 packages are obsoleted rather than upgraded in place; the k3s
# policy is never co-installed with this one.
Obsoletes: rke2-selinux < 0.9
Conflicts: k3s-selinux

%description
This package installs and sets up the SELinux policy security module for rke2.

%install
install -d %{buildroot}%{_datadir}/selinux/packages
install -m 644 %{SOURCE0} %{buildroot}%{_datadir}/selinux/packages
install -d %{buildroot}%{_datadir}/selinux/devel/include/contrib
install -m 644 %{SOURCE1} %{buildroot}%{_datadir}/selinux/devel/include/contrib/
# NOTE(review): this empty directory is created but not packaged below -
# confirm it is still needed.
install -d %{buildroot}/etc/selinux/targeted/contexts/users/

# Relabel bookkeeping provided by the selinux-policy rpm macros.
%pre
%selinux_relabel_pre

%post
# Install the module into the store without reloading policy (-n); only
# when SELinux is enabled on the host load the new policy and relabel.
semodule -n -i %{_datadir}/selinux/packages/rke2.pp
if /usr/sbin/selinuxenabled ; then
    /usr/sbin/load_policy
    %rke2_relabel_files
fi;

%postun
# $1 is 0 only on a full removal (an upgrade passes 1), so the module stays
# installed across upgrades.
if [ $1 -eq 0 ]; then
    %selinux_modules_uninstall rke2
fi;

%posttrans
%selinux_relabel_post

%files
# The compiled module is readable by root only; the interface file is
# installed where the devel Makefile finds interfaces of other modules.
%attr(0600,root,root) %{_datadir}/selinux/packages/rke2.pp
%{_datadir}/selinux/devel/include/contrib/rke2.if

%changelog
07070100000035000081A40000000000000000000000016855D7C600000DCD000000000000000000000000000000000000003200000000rke2-selinux-0.20.stable.1/policy/microos/rke2.fc# vim: sw=8:ts=8:et
# commented items are lines retained for parity when comparing policy between target distributions.
# these are commented because they will cause conflict and/or crash when attempting to install with upstream
# container-selinux: https://github.com/containers/container-selinux/pull/140/files

# systemd unit files (every location a unit may be installed to) and the
# rke2 binary, which runs as the container runtime
/etc/systemd/system/rke2.*		--	gen_context(system_u:object_r:container_unit_file_t,s0)
/lib/systemd/system/rke2.*		--	gen_context(system_u:object_r:container_unit_file_t,s0)
/usr/local/lib/systemd/system/rke2.*	--	gen_context(system_u:object_r:container_unit_file_t,s0)
/usr/lib/systemd/system/rke2.*		--	gen_context(system_u:object_r:container_unit_file_t,s0)
/usr/bin/rke2				--	gen_context(system_u:object_r:container_runtime_exec_t,s0)
/usr/local/bin/rke2			--	gen_context(system_u:object_r:container_runtime_exec_t,s0)

# CNI plugins and configuration
#/var/lib/cni(/.*)?				gen_context(system_u:object_r:container_var_lib_t,s0)
/opt/cni(/.*)?					gen_context(system_u:object_r:container_file_t,s0)
/etc/cni(/.*)?					gen_context(system_u:object_r:container_file_t,s0)
#/var/lib/kubelet/pods(/.*)?			gen_context(system_u:object_r:container_file_t,s0)

# rke2 state: data/ is executable by the runtime, charts/ under it is config
/var/lib/rancher/rke2(/.*)?			gen_context(system_u:object_r:container_var_lib_t,s0)
/var/lib/rancher/rke2/data(/.*)?		gen_context(system_u:object_r:container_runtime_exec_t,s0)
/var/lib/rancher/rke2/data/[^/]*/charts(/.*)?	gen_context(system_u:object_r:container_config_t,s0)

# containerd snapshots: only the snapshot directories themselves are
# labelled (-d, as shared container content on this distribution); their
# contents are <<none>>, i.e. restorecon leaves the labels the runtime set
# on them alone
/var/lib/rancher/rke2/agent/containerd/[^/]*/snapshots		-d	gen_context(system_u:object_r:container_share_t,s0)
/var/lib/rancher/rke2/agent/containerd/[^/]*/snapshots/[^/]*	-d	gen_context(system_u:object_r:container_share_t,s0)
/var/lib/rancher/rke2/agent/containerd/[^/]*/snapshots/[^/]*/.*	<<none>>
/var/lib/rancher/rke2/agent/containerd/[^/]*/sandboxes(/.*)?	gen_context(system_u:object_r:container_share_t,s0)

# logs, and the server TLS material (rke2_tls_t is declared in rke2.te)
/var/lib/rancher/rke2/server/logs(/.*)?			gen_context(system_u:object_r:container_log_t,s0)
/var/lib/rancher/rke2/agent/containerd/containerd.log	gen_context(system_u:object_r:container_log_t,s0)
/var/lib/rancher/rke2/agent/logs/kubelet.log		gen_context(system_u:object_r:container_log_t,s0)
/var/lib/rancher/rke2/server/tls(/.*)?			gen_context(system_u:object_r:rke2_tls_t,s0)

#/var/run/flannel(/.*)?				gen_context(system_u:object_r:container_var_run_t,s0)
#/var/run/k3s(/.*)?				gen_context(system_u:object_r:container_var_run_t,s0)
#/var/run/k3s/containerd/[^/]*/sandboxes/[^/]*/shm(/.*)?	gen_context(system_u:object_r:container_runtime_tmpfs_t,s0)
#/var/log/containers(/.*)?			gen_context(system_u:object_r:container_log_t,s0)
#/var/log/pods(/.*)?				gen_context(system_u:object_r:container_log_t,s0)
07070100000036000081A40000000000000000000000016855D7C60000086E000000000000000000000000000000000000003200000000rke2-selinux-0.20.stable.1/policy/microos/rke2.if# adapted from https://github.com/containers/container-selinux/blob/v2.143.0/container.if#L484
########################################
## <summary>
##	Add the rke2 named file transitions to a domain: directories the
##	domain creates with these names under the pid, lib and log
##	directories get the types rke2.fc assigns to those paths at
##	creation time, without waiting for a relabel.
## </summary>
## <param name="domain">
##	<summary>
##	Domain that creates the named directories.
##	</summary>
## </param>
#
interface(`rke2_filetrans_named_content',`
	gen_require(`
		type container_config_t;
		type container_file_t;
		type container_log_t;
		type container_runtime_exec_t;
		type container_runtime_tmpfs_t;
		type container_share_t;
		type container_var_lib_t;
		type container_var_run_t;
		type container_kvm_var_run_t;
		type var_lib_t;
		type var_log_t;
		type rke2_tls_t;
	')
	# NOTE(review): container_runtime_tmpfs_t, container_share_t and
	# container_kvm_var_run_t are required here but not used below.

	#container_filetrans_named_content($1)
	# "rke2" created in the pid directory
	files_pid_filetrans($1, container_var_run_t, dir, "rke2")
	# "data" in a container lib dir, and "charts" inside data
	filetrans_pattern($1, container_var_lib_t, container_runtime_exec_t, dir, "data")
	filetrans_pattern($1, container_runtime_exec_t, container_config_t, dir, "charts")
	# "pods" in a container lib dir; "kubelet" in a plain var_lib_t dir
	filetrans_pattern($1, container_var_lib_t, container_file_t, dir, "pods")
	filetrans_pattern($1, var_lib_t, container_var_lib_t, dir, "kubelet")
	# "pods" and "containers" in a var_log_t dir
	filetrans_pattern($1, var_log_t, container_log_t, dir, "pods")
	filetrans_pattern($1, var_log_t, container_log_t, dir, "containers")
	# "logs" and "tls" in a container lib dir (see the server/ paths in rke2.fc)
	filetrans_pattern($1, container_var_lib_t, container_log_t, dir, "logs")
	filetrans_pattern($1, container_var_lib_t, rke2_tls_t, dir, "tls")
')
########################################
## <summary>
##	Declare a <prefix>_t rke2 service domain: a container domain that
##	is also a virt sandbox and sandbox network domain, with the default
##	virt capabilities, unrestricted networking (any port, any node),
##	kernel message and certificate reads, syslog, and admin rights over
##	container logs and the rke2 tls files.
## </summary>
## <param name="domain_prefix">
##	<summary>
##	Prefix of the domain type to declare.
##	</summary>
## </param>
#
template(`rke2_service_domain_template',`
	# presumably the container-selinux template declares $1_t - confirm;
	# the attributes below make it a container and sandbox network domain.
	container_domain_template($1, container)
	virt_sandbox_domain($1_t)
	gen_require(`
		attribute container_domain, container_net_domain;
		attribute sandbox_net_domain;
	')
	typeattribute $1_t container_domain, container_net_domain, sandbox_net_domain;
	virt_default_capabilities($1_t)
	kernel_read_messages($1_t)
	logging_send_syslog_msg($1_t)
	# Networking: no port or node restrictions for the service domain.
	corenet_unconfined($1_t)
	corenet_tcp_bind_generic_node($1_t)
	corenet_udp_bind_generic_node($1_t)
	corenet_raw_bind_generic_node($1_t)
	corenet_tcp_sendrecv_all_ports($1_t)
	corenet_udp_sendrecv_all_ports($1_t)
	corenet_udp_bind_all_ports($1_t)
	corenet_tcp_bind_all_ports($1_t)
	corenet_tcp_connect_all_ports($1_t)
	miscfiles_read_all_certs($1_t)
	# Full management of container logs and of the rke2 server tls files.
	admin_pattern($1_t, container_log_t)
	admin_pattern($1_t, rke2_tls_t)
')
07070100000037000081A40000000000000000000000016855D7C60000045F000000000000000000000000000000000000003200000000rke2-selinux-0.20.stable.1/policy/microos/rke2.tepolicy_module(rke2, 1.0.0)
gen_require(`
	type container_runtime_t, unconfined_service_t, iscsid_t;
	class capability dac_override;
')

# Named file transitions (rke2.if) for the container runtime and for
# unconfined services, so directories either of them creates get the rke2.fc
# types immediately; presumably rke2 itself runs as unconfined_service_t
# when started from its systemd unit - confirm.
rke2_filetrans_named_content(container_runtime_t)
rke2_filetrans_named_content(unconfined_service_t)

#######################
# type rke2_service_t #
#######################
# Service domain (rke2_service_domain_template) that reads container lib
# files, writes to sockets under container_var_lib_t and connects to the
# runtime over its unix stream socket.
# NOTE(review): the centos9 policy additionally grants file watch on
# container_var_lib_t here - confirm whether microos needs it too.
rke2_service_domain_template(rke2_service)
container_read_lib_files(rke2_service_t)
allow rke2_service_t container_var_lib_t:sock_file { write };
allow rke2_service_t container_runtime_t:unix_stream_socket { connectto };

##########################
# type rke2_service_db_t #
##########################
# Database variant of the service domain: fully manages container lib dirs
# and files and may also mmap them.
rke2_service_domain_template(rke2_service_db)
container_manage_lib_dirs(rke2_service_db_t)
container_manage_lib_files(rke2_service_db_t)
allow rke2_service_db_t container_var_lib_t:file { map };

#########################
# Longhorn ISCSID_T FIX #
#########################
# https://github.com/longhorn/longhorn/issues/5627#issuecomment-1577498183
# Grants iscsid the DAC override capability in its own domain only.
allow iscsid_t self:capability dac_override;

###################
# type rke2_tls_t #
###################
# Type for the server tls directory (rke2.fc), treated as a container file
# type; rke2_service_domain_template grants admin rights over it.
type rke2_tls_t;
container_file(rke2_tls_t);
07070100000038000041ED0000000000000000000000026855D7C600000000000000000000000000000000000000000000003200000000rke2-selinux-0.20.stable.1/policy/microos/scripts07070100000039000081ED0000000000000000000000016855D7C600000222000000000000000000000000000000000000003800000000rke2-selinux-0.20.stable.1/policy/microos/scripts/build#!/bin/bash
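set -e -x

# Work from the policy directory this script lives in (policy/microos).
cd "$(dirname "$0")/.."
# Sets RPM_VERSION and RPM_RELEASE from the git tag; exits on a bad version.
. ./scripts/version

# Compile rke2.te / rke2.if / rke2.fc into the binary module rke2.pp.
make -f /usr/share/selinux/devel/Makefile rke2.pp

# Build the binary and source RPMs entirely inside this directory: spec,
# sources and build root are all here and the results land in ./dist.
rpmbuild \
    --define "rke2_selinux_version ${RPM_VERSION}" \
    --define "rke2_selinux_release ${RPM_RELEASE}" \
    --define "_sourcedir $PWD" \
    --define "_specdir $PWD" \
    --define "_builddir $PWD" \
    --define "_srcrpmdir ${PWD}/dist/source" \
    --define "_buildrootdir $PWD/.build" \
    --define "_rpmdir ${PWD}/dist" \
    -ba rke2-selinux.spec

# Copy the artifacts to the dist/microos tree read by sign and upload-repo
# (presumably /source is the repository mount in the build container).
mkdir -p /source/dist/microos
cp -r dist/* /source/dist/microos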
0707010000003A000081ED0000000000000000000000016855D7C6000001D5000000000000000000000000000000000000003B00000000rke2-selinux-0.20.stable.1/policy/microos/scripts/checksum#!/bin/bash
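set -ex

# Work from the policy directory (policy/microos); the defaults below are
# relative to it. The ls/pwd lines are build-log diagnostics.
cd "$(dirname "$0")/.."
ls -la
pwd

# CHECKSUM_DIR: directory whose files are hashed.
# CHECKSUM_FILE: name of the sum file; DEST_DIR: where it is written
# (defaults to CHECKSUM_DIR). scripts/sign passes all three.
# NOTE(review): the default file name does not follow the
# sha256sum-<distro>-noarch.txt pattern the callers use - confirm it is not
# a leftover rename.
CHECKSUM_DIR=${CHECKSUM_DIR:-./dist/centos7/noarch/}
CHECKSUM_FILE=${CHECKSUM_FILE:-CHECKSUMsum-centos7-noarch.txt}
DEST_DIR=${DEST_DIR:-${CHECKSUM_DIR}}
sumfile="${DEST_DIR}/${CHECKSUM_FILE}"

# Create but do not truncate: sign calls this twice (noarch, then source)
# and expects both sets of sums to accumulate in the same file.
touch "${sumfile}"

for path in "${CHECKSUM_DIR}"/*; do
    # Regular files only; an empty directory leaves the literal glob behind.
    if [ ! -f "${path}" ]; then
        continue
    fi
    file=$(basename "${path}")
    # Never hash a sum file, in particular not the one being written when
    # DEST_DIR and CHECKSUM_DIR are the same directory.
    case "${file}" in
        *sha256sum*) continue ;;
    esac
    if [ "${path}" -ef "${sumfile}" ]; then
        continue
    fi
    # Hash from inside the directory so only the bare file name is recorded
    # and the sums do not depend on where the tree was built.
    (cd "${CHECKSUM_DIR}" && sha256sum "${file}") >> "${sumfile}"
done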
cat "${sumfile}"0707010000003B000081ED0000000000000000000000016855D7C6000000C6000000000000000000000000000000000000003800000000rke2-selinux-0.20.stable.1/policy/microos/scripts/entry#!/bin/sh
set -ex

# Container entrypoint (the DAPPER_* variables come from dapper): run the
# named script from this policy directory when it exists, otherwise hand
# over to the given command as-is.
if [ ! -e ./policy/microos/scripts/"$1" ]; then
    exec "$@"
fi
./policy/microos/scripts/"$@"

# Give the files the build wrote back to the invoking user.
if [ "$DAPPER_UID" -ne "-1" ]; then
    chown -R $DAPPER_UID:$DAPPER_GID .
fi
0707010000003C000081ED0000000000000000000000016855D7C600000676000000000000000000000000000000000000003700000000rke2-selinux-0.20.stable.1/policy/microos/scripts/sign#!/bin/bash
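set -e -x

yum install -y rpm-sign expect git

# Sets RPM_CHANNEL (testing / latest / stable) from the git tag.
pushd "$(dirname "$0")/.."
. ./scripts/version
popd

# rpmsign configuration: detached gpg signatures with a SHA-256 digest, the
# key chosen by name; rpmsign feeds the passphrase to gpg through fd 3.
cat <<\EOF >~/.rpmmacros
%_signature gpg
%_gpg_name ci@rancher.com
%__gpg_sign_cmd %{__gpg} gpg --force-v3-sigs --batch --verbose --no-armor --passphrase-fd 3 --no-secmem-warning -u "%{_gpg_name}" -sbo %{__signature_filename} --digest-algo sha256 %{__plaintext_filename}
%_source_filedigest_algorithm 8
%_binary_filedigest_algorithm 8
EOF

# xtrace prints every command after expansion, so key and passphrase
# handling runs with it off: otherwise the passphrase assignment is written
# to the CI log. grep -q keeps the key header out of stdout as well.
set +x
case "$RPM_CHANNEL" in
    "testing")
        export PRIVATE_KEY_PASS_PHRASE=$TESTING_PRIVATE_KEY_PASS_PHRASE
        if ! grep -q "BEGIN PGP PRIVATE KEY BLOCK" <<<"$TESTING_PRIVATE_KEY"; then
            echo "TESTING_PRIVATE_KEY not defined, failing rpm sign"
            exit 1
        fi
        gpg --import - <<<"$TESTING_PRIVATE_KEY"
        ;;
    "latest"|"stable")
        if ! grep -q "BEGIN PGP PRIVATE KEY BLOCK" <<<"$PRIVATE_KEY"; then
            echo "PRIVATE_KEY not defined, failing rpm sign"
            exit 1
        fi
        gpg --import - <<<"$PRIVATE_KEY"
        ;;
    *)
        echo "RPM_CHANNEL $RPM_CHANNEL does not match one of: [testing, latest, stable]"
        exit 1
        ;;
esac
# expect reads the passphrase from its environment (see below), so it must
# be exported; an unset value becomes the empty string, as before.
export PRIVATE_KEY_PASS_PHRASE="${PRIVATE_KEY_PASS_PHRASE:-}"
set -x

# Sign every built RPM. The heredoc is quoted so the passphrase is taken
# from the environment by expect instead of being interpolated into the
# Tcl script (where Tcl-special characters would break it). sh has no
# globstar, so ** matches like * and covers dist/microos/noarch and
# dist/microos/source.
expect <<'EOF'
set timeout 60
spawn sh -c "rpmsign --addsign dist/microos/**/rke2-*.rpm"
expect "Enter pass phrase:"
send -- "$env(PRIVATE_KEY_PASS_PHRASE)\r"
expect eof
lassign [wait] _ _ _ code
exit $code
EOF

# checksum rpms: sums of the binary packages, then (appended to the same
# file by scripts/checksum) the source packages.
pushd "$(dirname "$0")/.."
DEST_DIR=../../dist/microos/noarch CHECKSUM_DIR=../../dist/microos/noarch CHECKSUM_FILE=sha256sum-microos-noarch.txt ./scripts/checksum
popd
# checksum srcrpms
pushd "$(dirname "$0")/.."
DEST_DIR=../../dist/microos/noarch CHECKSUM_DIR=../../dist/microos/source CHECKSUM_FILE=sha256sum-microos-noarch.txt ./scripts/checksum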
popd0707010000003D000081ED0000000000000000000000016855D7C6000007EF000000000000000000000000000000000000003E00000000rke2-selinux-0.20.stable.1/policy/microos/scripts/upload-repo#!/bin/bash
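set -e -x

# Source scripts/version so RPM_CHANNEL (derived from the git tag) is set;
# it also sets RPM_VERSION / RPM_RELEASE, which this script does not use.
pushd "$(dirname "$0")/.."
. ./scripts/version
popd

yum install -y epel-release
yum install -y git python2-pip python-deltarpm ca-certificates

export REQUESTS_CA_BUNDLE=/etc/pki/tls/certs/ca-bundle.crt

# rpm-s3 is pinned to an exact commit; boto3 / pip / setuptools are pinned to
# releases that still work with python2.
pip2 install --cache-dir=/var/cache/pip --upgrade 'boto3==1.17.112' 'pip<21.0' 'setuptools<45.0'
pip2 install --cache-dir=/var/cache/pip/ \
    git+https://github.com/Voronenko/rpm-s3.git@5695c6ad9a08548141d3713328e1bd3f533d137e

if [ -z "$RPM_CHANNEL" ]; then
    echo "RPM_CHANNEL not defined, failing rpm upload"
    exit 1
fi

TARGET_SLE_S3_PATH="rke2/$RPM_CHANNEL/common/microos/noarch"
TARGET_SLE_SOURCE_S3_PATH="rke2/$RPM_CHANNEL/common/microos/source"

# require_var NAME: fail the upload when the variable NAME is empty or unset.
require_var() {
    if [ -z "${!1}" ]; then
        echo "$1 not defined, failing rpm upload"
        exit 1
    fi
}

# xtrace prints every command after expansion, so the credential checks and
# exports below run with it off: otherwise the secret access key ends up in
# the CI log.
set +x
case "$RPM_CHANNEL" in
    "testing")
        require_var TESTING_AWS_S3_BUCKET
        require_var TESTING_AWS_ACCESS_KEY_ID
        require_var TESTING_AWS_SECRET_ACCESS_KEY
        export AWS_ACCESS_KEY_ID=$TESTING_AWS_ACCESS_KEY_ID
        export AWS_SECRET_ACCESS_KEY=$TESTING_AWS_SECRET_ACCESS_KEY
        export AWS_S3_BUCKET=$TESTING_AWS_S3_BUCKET
        ;;
    "latest"|"stable")
        require_var AWS_S3_BUCKET
        require_var AWS_ACCESS_KEY_ID
        require_var AWS_SECRET_ACCESS_KEY
        ;;
    *)
        echo "RPM_CHANNEL $RPM_CHANNEL does not match one of: [testing, latest, stable]"
        exit 1
        ;;
esac
set -x

# Publish binary and source RPMs into the channel's repo; --keep 100000 keeps
# effectively every previous package in the repository metadata.
rpm-s3 --bucket "$AWS_S3_BUCKET" -p "$TARGET_SLE_S3_PATH" --keep 100000 dist/microos/noarch/rke2-*.rpm
rpm-s3 --bucket "$AWS_S3_BUCKET" -p "$TARGET_SLE_SOURCE_S3_PATH" --keep 100000 dist/microos/source/rke2-*src.rpm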
0707010000003E000081ED0000000000000000000000016855D7C6000007C2000000000000000000000000000000000000003A00000000rke2-selinux-0.20.stable.1/policy/microos/scripts/version#!/bin/bash
# Sourced (". ./scripts/version") by the build, sign and upload scripts, so
# every variable set here lands in the caller (including DIRTY, TREE_STATE and
# the rpm_*_regex helpers). Outputs the callers consume: RPM_VERSION,
# RPM_RELEASE and RPM_CHANNEL. The exit 1 paths terminate the caller as well.
#
# Version format: v<major>.<minor>[suffix].<channel>.<release>, e.g.
# v0.1.testing.1. RPM_CHANNEL selects the signing key and the S3 bucket in the
# downstream scripts, so only a tag in this format on a clean tree can yield the
# latest or stable channel; everything else becomes a testing version.
TREE_STATE=clean
# An explicit COMMIT/TAG wins, then the Drone and GitHub Actions CI variables.
COMMIT=${COMMIT:-${DRONE_COMMIT:-${GITHUB_SHA:-unknown}}}
TAG=${TAG:-${DRONE_TAG:-$GITHUB_TAG}}
if [ -d ${DAPPER_SOURCE}/.git ]; then
pushd ${DAPPER_SOURCE}
# Any modification to a tracked file marks the tree dirty; a dirty tree never
# takes its version from a tag (see below).
if [ -n "$(git status --porcelain --untracked-files=no)" ]; then
DIRTY="dirty"
TREE_STATE=dirty
fi
if [[ "$TREE_STATE" == "clean" && -z "$TAG" ]]; then
TAG=$(git tag -l --contains HEAD | head -n 1) # this is going to not work if you have multiple tags pointing to the same commit
fi
# Commit hash embedded in testing versions: the newest of the last three
# commits not authored as drone@localhost (presumably CI-generated commits),
# falling back to HEAD.
COMMIT=$(git log -n3 --pretty=format:"%H %ae" | grep -v ' drone@localhost$' | cut -f1 -d\ | head -1)
if [ -z "$COMMIT" ]; then
COMMIT=$(git rev-parse HEAD || true)
fi
popd
fi
if [[ -n "$TAG" ]]; then
if [[ "$TREE_STATE" = "clean" ]]; then
VERSION=$TAG # We will only accept the tag as our version if the tree state is clean and the tag is in fact defined.
fi
else
# No tag: synthesize a testing version from the short commit hash (plus
# "dirty" when applicable). A tag on a dirty tree leaves VERSION unset and
# therefore fails the format check below.
VERSION="v0.0~${COMMIT:0:8}${DIRTY}.testing.0"
fi
# v0.1.testing.1
if ! [[ $VERSION =~ ^v[0-9]+\.[0-9]+[-~a-zA-Z0-9]*\.[a-z]+\.[0-9]+$ ]]; then
echo "Version $VERSION does not match our expected format. Exiting."
exit 1
fi
# Split VERSION into its RPM fields. Hyphens are not legal in an RPM version,
# so they become tildes (which RPM also orders before a plain release).
rpm_version_regex='s/\-/~/g; s/^v([0-9]+\.[0-9]+[-~a-zA-Z0-9]*)\.[a-z]+\.[0-9]+$/\1/;'
rpm_channel_regex='s/^v[0-9]+\.[0-9]+[-~a-zA-Z0-9]*\.([a-z]+)\.[0-9]+$/\1/;'
rpm_release_regex='s/^v[0-9]+\.[0-9]+[-~a-zA-Z0-9]*\.[a-z]+\.([0-9]+)$/\1/;'
RPM_VERSION=$(sed -E -e "$rpm_version_regex" <<<"$VERSION")
RPM_RELEASE=$(sed -E -e "$rpm_release_regex" <<<"$VERSION")
RPM_CHANNEL=$(sed -E -e "$rpm_channel_regex" <<<"$VERSION")
# sed returns its input unchanged when the pattern does not match, so equality
# with VERSION means no channel component was found. Unreachable after the
# format check above; kept as a safety net.
if [[ "$RPM_CHANNEL" == "$VERSION" ]]; then
echo "Unknown RPM_CHANNEL found: $RPM_CHANNEL but defaulting to testing"
RPM_CHANNEL="testing"
fi
# Only these three channels have signing keys and buckets downstream.
case "$RPM_CHANNEL" in
"testing"|"latest"|"stable")
echo "RPM_CHANNEL matched our expected variants"
;;
*)
echo "RPM_CHANNEL $RPM_CHANNEL does not match one of: [testing, latest, stable]"
exit 1
;;
esac
0707010000003F000041ED0000000000000000000000026855D7C600000000000000000000000000000000000000000000002B00000000rke2-selinux-0.20.stable.1/policy/slemicro07070100000040000081A40000000000000000000000016855D7C600000A33000000000000000000000000000000000000003D00000000rke2-selinux-0.20.stable.1/policy/slemicro/rke2-selinux.spec# vim: sw=4:ts=4:et
# rke2_relabel_files is expanded from the post scriptlet below. It pre-creates
# the directories that rke2.fc covers so restorecon can label them, tightening
# the umask as it goes: 0022 -> 0755, 0027 -> 0750, 0066 -> 0711 for the
# /var/run/k3s socket directory, and 0077 -> 0700 for the containerd snapshot
# tree and the server state directory. restorecon -i ignores unit files that do
# not exist yet (rke2 itself may not be installed when this package is).
%define rke2_relabel_files() \
umask 0022; \
mkdir -p /etc/cni; \
mkdir -p /opt/cni; \
mkdir -p /var/lib/cni; \
mkdir -p /var/lib/kubelet; \
mkdir -p /var/lib/rancher/rke2/data; \
mkdir -p /var/run/flannel; \
umask 0027; \
mkdir -p /var/lib/kubelet/pods; \
mkdir -p /var/lib/rancher/rke2/agent; \
umask 0066; \
mkdir -p /var/run/k3s; \
umask 0077; \
mkdir -p /var/lib/rancher/rke2/agent/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots; \
mkdir -p /var/lib/rancher/rke2/server; \
restorecon -R -i /etc/systemd/system/rke2*; \
restorecon -R -i /usr/lib/systemd/system/rke2*; \
restorecon -R /var/lib/cni; \
restorecon -R /opt/cni; \
restorecon -R /etc/cni; \
restorecon -R /var/lib/kubelet; \
restorecon -R /var/lib/rancher; \
restorecon -R /var/run/k3s; \
restorecon -R /var/run/flannel
# Minimum versions of the base and container policies this module is built
# against; container-selinux provides the container_* types rke2.te/rke2.if
# build on, hence the install-time requirement below.
%define selinux_policyver 20210716-3.1
%define selinux_policyver_build 3.13.1-252
%define container_policyver 2.164.2-1.1
Name: rke2-selinux
# Version and release are injected by scripts/build through rpmbuild --define.
Version: %{rke2_selinux_version}
Release: %{rke2_selinux_release}.slemicro
Summary: SELinux policy module for rke2
Group: System Environment/Base
License: ASL 2.0
URL: https://rke2.io
Source0: rke2.pp
Source1: rke2.if
BuildArch: noarch
BuildRequires: container-selinux >= %{container_policyver}
BuildRequires: git
BuildRequires: selinux-policy >= %{selinux_policyver_build}
BuildRequires: selinux-policy-devel >= %{selinux_policyver_build}
Requires: policycoreutils, selinux-tools
Requires(post): selinux-policy-base >= %{selinux_policyver}
Requires(post): policycoreutils
Requires(post): container-selinux >= %{container_policyver}
Requires(postun): policycoreutils
Provides: %{name} = %{version}-%{release}
Obsoletes: rke2-selinux < 0.9
Conflicts: k3s-selinux
%description
This package installs and sets up the SELinux policy security module for rke2.
%install
install -d %{buildroot}%{_datadir}/selinux/packages
install -m 644 %{SOURCE0} %{buildroot}%{_datadir}/selinux/packages
install -d %{buildroot}%{_datadir}/selinux/devel/include/contrib
install -m 644 %{SOURCE1} %{buildroot}%{_datadir}/selinux/devel/include/contrib/
# Creates an empty directory in the buildroot that the files section does not
# list, so nothing from it is shipped; harmless leftover.
install -d %{buildroot}/etc/selinux/targeted/contexts/users/
%pre
%selinux_relabel_pre
%post
# Install the module into the store without reloading (-n); load the new policy
# and relabel only when SELinux is actually enabled on the host.
semodule -n -i %{_datadir}/selinux/packages/rke2.pp
if /usr/sbin/selinuxenabled ; then
/usr/sbin/load_policy
%rke2_relabel_files
fi;
%postun
# $1 is 0 on a real uninstall (1 on upgrade), so the module is only removed
# when the package is going away for good.
if [ $1 -eq 0 ]; then
%selinux_modules_uninstall rke2
fi;
%posttrans
%selinux_relabel_post
%files
# The compiled module is readable by root only; the interface file keeps the
# 0644 it was installed with so policy developers can include it.
%attr(0600,root,root) %{_datadir}/selinux/packages/rke2.pp
%{_datadir}/selinux/devel/include/contrib/rke2.if
%changelog
07070100000041000081A40000000000000000000000016855D7C600000E50000000000000000000000000000000000000003300000000rke2-selinux-0.20.stable.1/policy/slemicro/rke2.fc# vim: sw=8:ts=8:et
# commented items are lines retained for parity when comparing policy between target distributions.
# these are commented because they will cause conflict and/or crash when attempting to install with upstream
# container-selinux: https://github.com/containers/container-selinux/pull/140/files
#
# systemd unit files. "rke2.*" is a regular expression, so it also matches
# rke2-server.service and rke2-agent.service.
/etc/systemd/system/rke2.* -- gen_context(system_u:object_r:container_unit_file_t,s0)
/lib/systemd/system/rke2.* -- gen_context(system_u:object_r:container_unit_file_t,s0)
/usr/local/lib/systemd/system/rke2.* -- gen_context(system_u:object_r:container_unit_file_t,s0)
/usr/lib/systemd/system/rke2.* -- gen_context(system_u:object_r:container_unit_file_t,s0)
# The rke2 binary carries the container runtime executable type, so it starts
# in the container runtime domain through the container-selinux transitions
# (assumed; confirm against the installed container policy).
/usr/bin/rke2 -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
/usr/local/bin/rke2 -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
/opt/rke2/bin/rke2 -- gen_context(system_u:object_r:container_runtime_exec_t,s0)
#/var/lib/cni(/.*)? gen_context(system_u:object_r:container_var_lib_t,s0)
/opt/cni(/.*)? gen_context(system_u:object_r:container_file_t,s0)
/etc/cni(/.*)? gen_context(system_u:object_r:container_file_t,s0)
#/var/lib/kubelet/pods(/.*)? gen_context(system_u:object_r:container_file_t,s0)
# rke2 state: generic container_var_lib_t, except the data tree (executables,
# presumably the bundled binaries rke2 extracts -- confirm) and the charts
# below it, which are configuration.
/var/lib/rancher/rke2(/.*)? gen_context(system_u:object_r:container_var_lib_t,s0)
/var/lib/rancher/rke2/data(/.*)? gen_context(system_u:object_r:container_runtime_exec_t,s0)
/var/lib/rancher/rke2/data/[^/]*/charts(/.*)? gen_context(system_u:object_r:container_config_t,s0)
# containerd snapshot directories are container_share_t, but their contents are
# <<none>>: restorecon leaves whatever labels the runtime assigned untouched.
/var/lib/rancher/rke2/agent/containerd/[^/]*/snapshots -d gen_context(system_u:object_r:container_share_t,s0)
/var/lib/rancher/rke2/agent/containerd/[^/]*/snapshots/[^/]* -d gen_context(system_u:object_r:container_share_t,s0)
/var/lib/rancher/rke2/agent/containerd/[^/]*/snapshots/[^/]*/.* <<none>>
/var/lib/rancher/rke2/agent/containerd/[^/]*/sandboxes(/.*)? gen_context(system_u:object_r:container_share_t,s0)
/var/lib/rancher/rke2/server/logs(/.*)? gen_context(system_u:object_r:container_log_t,s0)
/var/lib/rancher/rke2/agent/containerd/containerd.log gen_context(system_u:object_r:container_log_t,s0)
/var/lib/rancher/rke2/agent/logs/kubelet.log gen_context(system_u:object_r:container_log_t,s0)
# Server TLS material gets its own type (declared in rke2.te) so certificates
# and keys are separated from generic container state; management of it is
# granted to the rke2 service domains in rke2.if.
/var/lib/rancher/rke2/server/tls(/.*)? gen_context(system_u:object_r:rke2_tls_t,s0)
#/var/run/flannel(/.*)? gen_context(system_u:object_r:container_var_run_t,s0)
#/var/run/k3s(/.*)? gen_context(system_u:object_r:container_var_run_t,s0)
#/var/run/k3s/containerd/[^/]*/sandboxes/[^/]*/shm(/.*)? gen_context(system_u:object_r:container_runtime_tmpfs_t,s0)
#/var/log/containers(/.*)? gen_context(system_u:object_r:container_log_t,s0)
#/var/log/pods(/.*)? gen_context(system_u:object_r:container_log_t,s0)
07070100000042000081A40000000000000000000000016855D7C60000086F000000000000000000000000000000000000003300000000rke2-selinux-0.20.stable.1/policy/slemicro/rke2.if# adapted from https://github.com/containers/container-selinux/blob/v2.143.0/container.if#L484
########################################
## <summary>
##	Named file transitions into the rke2 and container types for the
##	given domain: the rke2 pid directory under /run; data, pods, logs
##	and tls under the rke2 state directory; charts under data; kubelet
##	under /var/lib; pods and containers under /var/log.
## </summary>
## <param name="domain">
##	<summary>
##	Domain that creates these directories and gets them labeled.
##	</summary>
## </param>
#
interface(`rke2_filetrans_named_content',`
gen_require(`
type container_config_t;
type container_file_t;
type container_log_t;
type container_runtime_exec_t;
type container_runtime_tmpfs_t;
type container_share_t;
type container_var_lib_t;
type container_var_run_t;
type container_kvm_var_run_t;
type var_lib_t;
type var_log_t;
type rke2_tls_t;
')
# Upstream call kept as a comment for reference only.
#container_filetrans_named_content($1)
# Each rule: a directory with the given name, created by the domain inside a
# parent of the first type, is labeled with the second type.
files_pid_filetrans($1, container_var_run_t, dir, "rke2")
filetrans_pattern($1, container_var_lib_t, container_runtime_exec_t, dir, "data")
filetrans_pattern($1, container_runtime_exec_t, container_config_t, dir, "charts")
filetrans_pattern($1, container_var_lib_t, container_file_t, dir, "pods")
filetrans_pattern($1, var_lib_t, container_var_lib_t, dir, "kubelet")
filetrans_pattern($1, var_log_t, container_log_t, dir, "pods")
filetrans_pattern($1, var_log_t, container_log_t, dir, "containers")
filetrans_pattern($1, container_var_lib_t, container_log_t, dir, "logs")
filetrans_pattern($1, container_var_lib_t, rke2_tls_t, dir, "tls")
')
########################################
## <summary>
##	Create an rke2 service domain (prefix_t) from the container domain
##	template, mark it as a container and sandbox network domain and grant
##	it: the default virt capabilities, kernel ring buffer reads, syslog,
##	network access on all ports and nodes, read access to all
##	certificates, and full management of container logs and of the rke2
##	TLS material.
## </summary>
## <param name="prefix">
##	<summary>
##	Domain prefix; the resulting domain is prefix_t.
##	</summary>
## </param>
#
template(`rke2_service_domain_template',`
container_domain_template($1, container)
virt_sandbox_domain($1_t)
gen_require(`
attribute container_domain, container_net_domain;
attribute sandbox_net_domain;
')
typeattribute $1_t container_domain, container_net_domain, sandbox_net_domain;
virt_default_capabilities($1_t)
kernel_read_messages($1_t)
logging_send_syslog_msg($1_t)
# NOTE(review): in refpolicy corenet_unconfined already includes bind and
# connect on all ports and nodes, so the explicit rules that foll ow appear
# redundant with it (confirm against the installed policy). Either way the
# network access of this domain is effectively unrestricted; the value of the
# domain lies in file type separation, not network confinement.
corenet_unconfined($1_t)
corenet_tcp_bind_generic_node($1_t)
corenet_udp_bind_generic_node($1_t)
corenet_raw_bind_generic_node($1_t)
corenet_tcp_sendrecv_all_ports($1_t)
corenet_udp_sendrecv_all_ports($1_t)
corenet_udp_bind_all_ports($1_t)
corenet_tcp_bind_all_ports($1_t)
corenet_tcp_connect_all_ports($1_t)
miscfiles_read_all_certs($1_t)
# Full management (create, write, delete, relabel) of container logs and of the
# server TLS material typed rke2_tls_t in rke2.fc.
admin_pattern($1_t, container_log_t)
admin_pattern($1_t, rke2_tls_t)
')
07070100000043000081A40000000000000000000000016855D7C600000494000000000000000000000000000000000000003300000000rke2-selinux-0.20.stable.1/policy/slemicro/rke2.tepolicy_module(rke2, 1.0.0)
gen_require(`
type container_runtime_t, unconfined_service_t, iscsid_t;
class capability dac_override;
')
# Named directory transitions (rke2.if) for the two domains that create rke2
# state: the container runtime domain and unconfined_service_t (systemd-started
# services without a domain of their own -- presumably how rke2 runs when its
# unit file is not labeled; confirm).
rke2_filetrans_named_content(container_runtime_t)
rke2_filetrans_named_content(unconfined_service_t)
#######################
# type rke2_service_t #
#######################
# Domain for rke2-managed services: reads container lib files, watches files and
# writes sockets under the rke2 state directory, and connects to the container
# runtime over unix stream sockets.
rke2_service_domain_template(rke2_service)
container_read_lib_files(rke2_service_t)
allow rke2_service_t container_var_lib_t:file { watch };
allow rke2_service_t container_var_lib_t:sock_file { write };
allow rke2_service_t container_runtime_t:unix_stream_socket { connectto };
##########################
# type rke2_service_db_t #
##########################
# Database variant (presumably the datastore): additionally manages container
# lib directories and files and may mmap them.
rke2_service_domain_template(rke2_service_db)
container_manage_lib_dirs(rke2_service_db_t)
container_manage_lib_files(rke2_service_db_t)
allow rke2_service_db_t container_var_lib_t:file { map };
#########################
# Longhorn ISCSID_T FIX #
#########################
# https://github.com/longhorn/longhorn/issues/5627#issuecomment-1577498183
# NOTE(review): this is a host-wide grant, not scoped to rke2 -- it lets the
# iscsid domain bypass discretionary (owner/group/mode) permission checks on
# every file. Kept for the Longhorn issue above; revisit once an upstream fix
# makes it unnecessary.
allow iscsid_t self:capability dac_override;
###################
# type rke2_tls_t #
###################
# Dedicated type for the server TLS material (labeled in rke2.fc) so it can be
# granted separately from generic container state; a plain file type.
type rke2_tls_t;
files_type(rke2_tls_t);
07070100000044000041ED0000000000000000000000026855D7C600000000000000000000000000000000000000000000003300000000rke2-selinux-0.20.stable.1/policy/slemicro/scripts07070100000045000081ED0000000000000000000000016855D7C600000224000000000000000000000000000000000000003900000000rke2-selinux-0.20.stable.1/policy/slemicro/scripts/build#!/bin/bash
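set -e -x

# Build the slemicro rke2-selinux RPM and SRPM: compile rke2.te/.if/.fc into
# rke2.pp with the refpolicy devel Makefile, then package it with the version
# and release computed by ./scripts/version. Results are copied to
# /source/dist/slemicro for the sign and upload steps.
cd "$(dirname "$0")/.."
. ./scripts/version

make -f /usr/share/selinux/devel/Makefile rke2.pp

# Every rpmbuild directory is redirected into the checkout so nothing is
# written to, or picked up from, the builder's home directory.
rpmbuild \
    --define "rke2_selinux_version ${RPM_VERSION}" \
    --define "rke2_selinux_release ${RPM_RELEASE}" \
    --define "_sourcedir $PWD" \
    --define "_specdir $PWD" \
    --define "_builddir $PWD" \
    --define "_srcrpmdir ${PWD}/dist/source" \
    --define "_buildrootdir $PWD/.build" \
    --define "_rpmdir ${PWD}/dist" \
    -ba rke2-selinux.spec

mkdir -p /source/dist/slemicro
cp -r dist/* /source/dist/slemicro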
07070100000046000081ED0000000000000000000000016855D7C6000001D5000000000000000000000000000000000000003C00000000rke2-selinux-0.20.stable.1/policy/slemicro/scripts/checksum#!/bin/bash
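set -ex

# Append a sha256 line ("<digest>  <basename>") for every regular file in
# CHECKSUM_DIR to DEST_DIR/CHECKSUM_FILE. The sign scripts call this twice
# (binary RPMs, then source RPMs) against the same manifest, so the manifest is
# appended to, never truncated. Entries are bare file names so the manifest can
# be verified with `sha256sum -c` from inside the RPM directory.
cd "$(dirname "$0")/.."
ls -la
pwd

CHECKSUM_DIR=${CHECKSUM_DIR:-./dist/centos7/noarch/}
CHECKSUM_FILE=${CHECKSUM_FILE:-CHECKSUMsum-centos7-noarch.txt}
DEST_DIR=${DEST_DIR:-${CHECKSUM_DIR}}
sumfile="${DEST_DIR}/${CHECKSUM_FILE}"
touch "${sumfile}"

# Iterate with a glob instead of parsing `ls` so file names are never
# word-split. Skip directories, anything named like a checksum manifest and the
# manifest being written (it lives in CHECKSUM_DIR when DEST_DIR defaults), so
# the manifest never hashes itself.
for path in "${CHECKSUM_DIR}"/*; do
    if [ ! -f "${path}" ]; then
        continue
    fi
    if [ "${path}" -ef "${sumfile}" ]; then
        continue
    fi
    name=$(basename "${path}")
    case "${name}" in
        *sha256sum*) continue ;;
    esac
    # Hash from inside the directory so the recorded name is relative.
    (cd "$(dirname "${path}")" && sha256sum "${name}") >> "${sumfile}"
done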
cat "${sumfile}"07070100000047000081ED0000000000000000000000016855D7C6000000C8000000000000000000000000000000000000003900000000rke2-selinux-0.20.stable.1/policy/slemicro/scripts/entry#!/bin/sh
set -ex
# Dapper entrypoint: if the first argument names a script in this directory,
# run it with the remaining arguments and then hand ownership of the tree back
# to the host user; otherwise exec the arguments as a plain command.
if [ -e ./policy/slemicro/scripts/"$1" ]; then
./policy/slemicro/scripts/"$@"
else
# exec replaces this shell, so the chown below only runs for in-tree scripts.
exec "$@"
fi
# DAPPER_UID/DAPPER_GID identify the calling host user (presumably set by
# dapper); -1 means the files should not be re-owned.
if [ "$DAPPER_UID" -ne "-1" ]; then
chown -R $DAPPER_UID:$DAPPER_GID .
fi
07070100000048000081ED0000000000000000000000016855D7C600000680000000000000000000000000000000000000003800000000rke2-selinux-0.20.stable.1/policy/slemicro/scripts/sign#!/bin/bash
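set -e -x

# Sign the slemicro RPMs and write their sha256 manifest.
# Flow: install tooling, derive RPM_CHANNEL from ./scripts/version, import the
# signing key for that channel, sign every rke2-*.rpm under dist/slemicro, then
# checksum the binary and source RPMs into a single manifest.
yum install -y rpm-sign expect git
pushd "$(dirname "$0")/.."
. ./scripts/version
popd

# rpm hands gpg the passphrase it collected on fd 3 (--passphrase-fd 3); the
# expect script below is what answers that prompt. Digest algorithm 8 is SHA-256.
cat <<\EOF >~/.rpmmacros
%_signature gpg
%_gpg_name ci@rancher.com
%__gpg_sign_cmd %{__gpg} gpg --force-v3-sigs --batch --verbose --no-armor --passphrase-fd 3 --no-secmem-warning -u "%{_gpg_name}" -sbo %{__signature_filename} --digest-algo sha256 %{__plaintext_filename}
%_source_filedigest_algorithm 8
%_binary_filedigest_algorithm 8
EOF

# Secret handling starts here. xtrace is switched off because `set -x` prints
# every command with its arguments expanded, so the
# `export PRIVATE_KEY_PASS_PHRASE=...` assignment below would write the
# passphrase into the CI log. Tracing is re-enabled once the RPMs are signed.
set +x
case "$RPM_CHANNEL" in
"testing")
    export PRIVATE_KEY_PASS_PHRASE=$TESTING_PRIVATE_KEY_PASS_PHRASE
    # -q: only test for the armor header instead of echoing the matching line.
    if ! grep -q "BEGIN PGP PRIVATE KEY BLOCK" <<<"$TESTING_PRIVATE_KEY"; then
        echo "TESTING_PRIVATE_KEY not defined, failing rpm sign"
        exit 1
    fi
    gpg --import - <<<"$TESTING_PRIVATE_KEY"
    ;;
"latest"|"stable")
    if ! grep -q "BEGIN PGP PRIVATE KEY BLOCK" <<<"$PRIVATE_KEY"; then
        echo "PRIVATE_KEY not defined, failing rpm sign"
        exit 1
    fi
    gpg --import - <<<"$PRIVATE_KEY"
    ;;
*)
    echo "RPM_CHANNEL $RPM_CHANNEL does not match one of: [testing, latest, stable]"
    exit 1
    ;;
esac
# Fail with a clear message rather than feeding rpmsign an empty passphrase.
if [ -z "$PRIVATE_KEY_PASS_PHRASE" ]; then
    echo "PRIVATE_KEY_PASS_PHRASE not defined, failing rpm sign"
    exit 1
fi

# Drive rpmsign's interactive passphrase prompt. The heredoc is expanded by the
# shell (hence \$code), and heredoc bodies are not echoed by xtrace. rpmsign's
# exit status is propagated so a failed signature fails the build.
expect <<EOF
set timeout 60
spawn sh -c "rpmsign --addsign dist/slemicro/**/rke2-*.rpm"
expect "Enter pass phrase:"
send -- "$PRIVATE_KEY_PASS_PHRASE\r"
expect eof
lassign [wait] _ _ _ code
exit \$code
EOF
set -x

# checksum rpms
pushd "$(dirname "$0")/.."
DEST_DIR=../../dist/slemicro/noarch CHECKSUM_DIR=../../dist/slemicro/noarch CHECKSUM_FILE=sha256sum-slemicro-noarch.txt ./scripts/checksum
popd
# checksum srcrpms -- appended to the same manifest as the binary RPMs (the
# checksum script appends rather than truncates).
pushd "$(dirname "$0")/.."
DEST_DIR=../../dist/slemicro/noarch CHECKSUM_DIR=../../dist/slemicro/source CHECKSUM_FILE=sha256sum-slemicro-noarch.txt ./scripts/checksum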
popd07070100000049000081ED0000000000000000000000016855D7C6000007F3000000000000000000000000000000000000003F00000000rke2-selinux-0.20.stable.1/policy/slemicro/scripts/upload-repo#!/bin/bash
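set -e -x

# Publish the signed slemicro RPMs and SRPMs to the S3-backed yum repository of
# the channel (testing, latest, stable) that ./scripts/version derives from the tag.
pushd "$(dirname "$0")/.."
. ./scripts/version
popd

yum install -y epel-release
yum install -y git python2-pip python-deltarpm ca-certificates
export REQUESTS_CA_BUNDLE=/etc/pki/tls/certs/ca-bundle.crt
pip2 install --cache-dir=/var/cache/pip --upgrade 'boto3==1.17.112' 'pip<21.0' 'setuptools<45.0'
# rpm-s3 is pinned to an exact commit so the tool that rewrites the repository
# metadata cannot change underneath a release; keep the pin when bumping it.
pip2 install --cache-dir=/var/cache/pip/ \
    git+https://github.com/Voronenko/rpm-s3.git@5695c6ad9a08548141d3713328e1bd3f533d137e

if [ -z "$RPM_CHANNEL" ]; then
    echo "RPM_CHANNEL not defined, failing rpm upload"
    exit 1
fi

TARGET_SLE_S3_PATH="rke2/$RPM_CHANNEL/common/slemicro/noarch"
TARGET_SLE_SOURCE_S3_PATH="rke2/$RPM_CHANNEL/common/slemicro/source"

# require_vars NAME...
#   Exit with a per-variable message if any of the named variables is empty.
require_vars() {
    local var
    for var in "$@"; do
        if [ -z "${!var}" ]; then
            echo "$var not defined, failing rpm upload"
            exit 1
        fi
    done
}

# Credential selection. xtrace is disabled here because `set -x` prints every
# expanded assignment, so `export AWS_SECRET_ACCESS_KEY=...` would write the
# secret key into the CI log. The uploads below take their credentials from the
# environment (the standard AWS_* variables boto3 reads), not from arguments, so
# tracing can be re-enabled for them.
set +x
case "$RPM_CHANNEL" in
"testing")
    require_vars TESTING_AWS_S3_BUCKET TESTING_AWS_ACCESS_KEY_ID TESTING_AWS_SECRET_ACCESS_KEY
    export AWS_ACCESS_KEY_ID=$TESTING_AWS_ACCESS_KEY_ID
    export AWS_SECRET_ACCESS_KEY=$TESTING_AWS_SECRET_ACCESS_KEY
    export AWS_S3_BUCKET=$TESTING_AWS_S3_BUCKET
    ;;
"latest"|"stable")
    require_vars AWS_S3_BUCKET AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY
    ;;
*)
    echo "RPM_CHANNEL $RPM_CHANNEL does not match one of: [testing, latest, stable]"
    exit 1
    ;;
esac
set -x

# --keep 100000: presumably the number of older package versions retained in
# the repository metadata -- effectively "never prune"; confirm against rpm-s3.
rpm-s3 --bucket "$AWS_S3_BUCKET" -p "$TARGET_SLE_S3_PATH" --keep 100000 dist/slemicro/noarch/rke2-*.rpm
rpm-s3 --bucket "$AWS_S3_BUCKET" -p "$TARGET_SLE_SOURCE_S3_PATH" --keep 100000 dist/slemicro/source/rke2-*src.rpm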
0707010000004A000081ED0000000000000000000000016855D7C6000007C2000000000000000000000000000000000000003B00000000rke2-selinux-0.20.stable.1/policy/slemicro/scripts/version#!/bin/bash
# Sourced (". ./scripts/version") by the build, sign and upload scripts, so
# every variable set here lands in the caller (including DIRTY, TREE_STATE and
# the rpm_*_regex helpers). Outputs the callers consume: RPM_VERSION,
# RPM_RELEASE and RPM_CHANNEL. The exit 1 paths terminate the caller as well.
#
# Version format: v<major>.<minor>[suffix].<channel>.<release>, e.g.
# v0.1.testing.1. RPM_CHANNEL selects the signing key and the S3 bucket in the
# downstream scripts, so only a tag in this format on a clean tree can yield the
# latest or stable channel; everything else becomes a testing version.
TREE_STATE=clean
# An explicit COMMIT/TAG wins, then the Drone and GitHub Actions CI variables.
COMMIT=${COMMIT:-${DRONE_COMMIT:-${GITHUB_SHA:-unknown}}}
TAG=${TAG:-${DRONE_TAG:-$GITHUB_TAG}}
if [ -d ${DAPPER_SOURCE}/.git ]; then
pushd ${DAPPER_SOURCE}
# Any modification to a tracked file marks the tree dirty; a dirty tree never
# takes its version from a tag (see below).
if [ -n "$(git status --porcelain --untracked-files=no)" ]; then
DIRTY="dirty"
TREE_STATE=dirty
fi
if [[ "$TREE_STATE" == "clean" && -z "$TAG" ]]; then
TAG=$(git tag -l --contains HEAD | head -n 1) # this is going to not work if you have multiple tags pointing to the same commit
fi
# Commit hash embedded in testing versions: the newest of the last three
# commits not authored as drone@localhost (presumably CI-generated commits),
# falling back to HEAD.
COMMIT=$(git log -n3 --pretty=format:"%H %ae" | grep -v ' drone@localhost$' | cut -f1 -d\ | head -1)
if [ -z "$COMMIT" ]; then
COMMIT=$(git rev-parse HEAD || true)
fi
popd
fi
if [[ -n "$TAG" ]]; then
if [[ "$TREE_STATE" = "clean" ]]; then
VERSION=$TAG # We will only accept the tag as our version if the tree state is clean and the tag is in fact defined.
fi
else
# No tag: synthesize a testing version from the short commit hash (plus
# "dirty" when applicable). A tag on a dirty tree leaves VERSION unset and
# therefore fails the format check below.
VERSION="v0.0~${COMMIT:0:8}${DIRTY}.testing.0"
fi
# v0.1.testing.1
if ! [[ $VERSION =~ ^v[0-9]+\.[0-9]+[-~a-zA-Z0-9]*\.[a-z]+\.[0-9]+$ ]]; then
echo "Version $VERSION does not match our expected format. Exiting."
exit 1
fi
# Split VERSION into its RPM fields. Hyphens are not legal in an RPM version,
# so they become tildes (which RPM also orders before a plain release).
rpm_version_regex='s/\-/~/g; s/^v([0-9]+\.[0-9]+[-~a-zA-Z0-9]*)\.[a-z]+\.[0-9]+$/\1/;'
rpm_channel_regex='s/^v[0-9]+\.[0-9]+[-~a-zA-Z0-9]*\.([a-z]+)\.[0-9]+$/\1/;'
rpm_release_regex='s/^v[0-9]+\.[0-9]+[-~a-zA-Z0-9]*\.[a-z]+\.([0-9]+)$/\1/;'
RPM_VERSION=$(sed -E -e "$rpm_version_regex" <<<"$VERSION")
RPM_RELEASE=$(sed -E -e "$rpm_release_regex" <<<"$VERSION")
RPM_CHANNEL=$(sed -E -e "$rpm_channel_regex" <<<"$VERSION")
# sed returns its input unchanged when the pattern does not match, so equality
# with VERSION means no channel component was found. Unreachable after the
# format check above; kept as a safety net.
if [[ "$RPM_CHANNEL" == "$VERSION" ]]; then
echo "Unknown RPM_CHANNEL found: $RPM_CHANNEL but defaulting to testing"
RPM_CHANNEL="testing"
fi
# Only these three channels have signing keys and buckets downstream.
case "$RPM_CHANNEL" in
"testing"|"latest"|"stable")
echo "RPM_CHANNEL matched our expected variants"
;;
*)
echo "RPM_CHANNEL $RPM_CHANNEL does not match one of: [testing, latest, stable]"
exit 1
;;
esac
0707010000004B000041ED0000000000000000000000026855D7C600000000000000000000000000000000000000000000002300000000rke2-selinux-0.20.stable.1/scripts0707010000004C000081ED0000000000000000000000016855D7C600000C47000000000000000000000000000000000000003300000000rke2-selinux-0.20.stable.1/scripts/sign-and-upload#!/bin/bash
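set -e -x

# Sign the RPMs built for RPM_OS and publish them to the repository of the
# channel (testing, latest, stable) that ./scripts/version derives from the tag.
dnf install -y epel-release wget
dnf install -y python3 python3-pip python3-devel \
    rpm-sign expect git
dnf install -y ca-certificates createrepo_c pinentry pinentry-curses
# TODO(review): boto3/pexpect are installed unpinned; pin them the way the
# rpm-s3 based upload scripts pin their tooling.
pip install --upgrade boto3 pexpect

pushd "$(dirname "$0")/.."
. ./scripts/version
popd

# rpm signs with gpg in loopback pinentry mode, so no interactive prompt is
# involved; digest algorithm 8 is SHA-256.
cat <<\EOF >~/.rpmmacros
%_signature gpg
%_gpg_name ci@rancher.com
%__gpg_sign_cmd %{__gpg} gpg --pinentry-mode loopback --force-v3-sigs --verbose --no-armor -u "%{_gpg_name}" -sbo %{__signature_filename} --digest-algo sha256 %{__plaintext_filename}
%_source_filedigest_algorithm 8
%_binary_filedigest_algorithm 8
EOF

if [ -z "$RPM_CHANNEL" ]; then
    echo "RPM_CHANNEL not defined, failing rpm upload"
    exit 1
fi
if [ -z "$RPM_OS" ]; then
    echo "RPM_OS not defined, failing rpm upload"
    exit 1
fi

# "centos7" becomes "centos/7" in the repository path; other OS names are used as-is.
TARGET_S3_PATH="rke2/$RPM_CHANNEL/common/${RPM_OS/centos/centos\/}/noarch"
TARGET_SOURCE_S3_PATH="rke2/$RPM_CHANNEL/common/${RPM_OS/centos/centos\/}/source"

# import_signing_key KEY_VAR_NAME
#   Import the armored private key held in the named variable. The key is fed
#   to gpg on stdin and the passphrase on fd 3, so neither is written to disk
#   (the old key.gpg file) nor passed as a command-line argument (readable in
#   the process table, and echoed verbatim by xtrace). Loopback pinentry is
#   required for the passphrase options to take effect on GnuPG 2.1+.
import_signing_key() {
    local key_var=$1
    if ! grep -q "BEGIN PGP PRIVATE KEY BLOCK" <<<"${!key_var}"; then
        echo "$key_var not defined, failing rpm sign"
        exit 1
    fi
    # An empty passphrase was never workable here (the unquoted --sign-pass
    # argument below would have vanished), so fail early with a clear message.
    if [ -z "$PRIVATE_KEY_PASS_PHRASE" ]; then
        echo "PRIVATE_KEY_PASS_PHRASE not defined, failing rpm sign"
        exit 1
    fi
    gpg --batch --pinentry-mode loopback --passphrase-fd 3 --import - \
        <<<"${!key_var}" 3<<<"$PRIVATE_KEY_PASS_PHRASE"
}

# require_vars NAME...
#   Exit with a per-variable message if any of the named variables is empty.
require_vars() {
    local var
    for var in "$@"; do
        if [ -z "${!var}" ]; then
            echo "$var not defined, failing rpm upload"
            exit 1
        fi
    done
}

# Secret handling starts here. xtrace is disabled because `set -x` prints every
# command with its arguments expanded: previously the `echo "$PRIVATE_KEY"`,
# the `--passphrase` argument and the rpm_tooling arguments put the private
# key, the passphrase and the AWS secret key into the CI log.
set +x
case "$RPM_CHANNEL" in
"testing")
    export PRIVATE_KEY_PASS_PHRASE=$TESTING_PRIVATE_KEY_PASS_PHRASE
    import_signing_key TESTING_PRIVATE_KEY
    require_vars TESTING_AWS_S3_BUCKET TESTING_AWS_ACCESS_KEY_ID TESTING_AWS_SECRET_ACCESS_KEY
    export AWS_ACCESS_KEY_ID=$TESTING_AWS_ACCESS_KEY_ID
    export AWS_SECRET_ACCESS_KEY=$TESTING_AWS_SECRET_ACCESS_KEY
    export AWS_S3_BUCKET=$TESTING_AWS_S3_BUCKET
    ;;
"latest" | "stable")
    import_signing_key PRIVATE_KEY
    require_vars AWS_S3_BUCKET AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY
    ;;
*)
    echo "RPM_CHANNEL $RPM_CHANNEL does not match one of: [testing, latest, stable]"
    exit 1
    ;;
esac
set -x

# rpm_tooling is fetched from the moving "master" branch and then run with the
# signing key and the AWS credentials available to it.
# TODO(review): pin this download to an immutable tag or commit and verify a
# checksum before executing it, as the rpm-s3 based upload scripts do for their
# tooling; a compromised or simply changed master would run with release
# signing and publishing credentials.
wget https://raw.githubusercontent.com/rancher/ecm-distro-tools/master/bin/rpm_tooling
chmod +x rpm_tooling
mv ./rpm_tooling /usr/bin

# rpm_tooling receives the passphrase and AWS keys as arguments: they are quoted
# so empty or space-containing values cannot shift the argument list, and
# xtrace stays off so they are not logged. They remain visible in the process
# table for the duration of each call.
set +x
rpm_tooling --bucket "$AWS_S3_BUCKET/$TARGET_S3_PATH" --sign --sign-pass "$PRIVATE_KEY_PASS_PHRASE" --aws-access-key "$AWS_ACCESS_KEY_ID" --aws-secret-key "$AWS_SECRET_ACCESS_KEY" dist/"$RPM_OS"/noarch/rke2-*.rpm
rpm_tooling --bucket "$AWS_S3_BUCKET/$TARGET_SOURCE_S3_PATH" --sign --sign-pass "$PRIVATE_KEY_PASS_PHRASE" --aws-access-key "$AWS_ACCESS_KEY_ID" --aws-secret-key "$AWS_SECRET_ACCESS_KEY" dist/"$RPM_OS"/source/rke2-*src.rpm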
0707010000004D000081A40000000000000000000000016855D7C6000007C1000000000000000000000000000000000000002B00000000rke2-selinux-0.20.stable.1/scripts/version#!/bin/bash
# Sourced (". ./scripts/version") by the build, sign and upload scripts, so
# every variable set here lands in the caller (including DIRTY, TREE_STATE and
# the rpm_*_regex helpers). Outputs the callers consume: RPM_VERSION,
# RPM_RELEASE and RPM_CHANNEL. The exit 1 paths terminate the caller as well.
#
# Version format: v<major>.<minor>[suffix].<channel>.<release>, e.g.
# v0.1.testing.1. RPM_CHANNEL selects the signing key and the S3 bucket in the
# downstream scripts, so only a tag in this format on a clean tree can yield the
# latest or stable channel; everything else becomes a testing version.
TREE_STATE=clean
# An explicit COMMIT/TAG wins, then the Drone and GitHub Actions CI variables.
COMMIT=${COMMIT:-${DRONE_COMMIT:-${GITHUB_SHA:-unknown}}}
TAG=${TAG:-${DRONE_TAG:-$GITHUB_TAG}}
if [ -d ${DAPPER_SOURCE}/.git ]; then
pushd ${DAPPER_SOURCE}
# Any modification to a tracked file marks the tree dirty; a dirty tree never
# takes its version from a tag (see below).
if [ -n "$(git status --porcelain --untracked-files=no)" ]; then
DIRTY="dirty"
TREE_STATE=dirty
fi
if [[ "$TREE_STATE" == "clean" && -z "$TAG" ]]; then
TAG=$(git tag -l --contains HEAD | head -n 1) # this is going to not work if you have multiple tags pointing to the same commit
fi
# Commit hash embedded in testing versions: the newest of the last three
# commits not authored as drone@localhost (presumably CI-generated commits),
# falling back to HEAD.
COMMIT=$(git log -n3 --pretty=format:"%H %ae" | grep -v ' drone@localhost$' | cut -f1 -d\ | head -1)
if [ -z "$COMMIT" ]; then
COMMIT=$(git rev-parse HEAD || true)
fi
popd
fi
if [[ -n "$TAG" ]]; then
if [[ "$TREE_STATE" = "clean" ]]; then
VERSION=$TAG # We will only accept the tag as our version if the tree state is clean and the tag is in fact defined.
fi
else
# No tag: synthesize a testing version from the short commit hash (plus
# "dirty" when applicable). A tag on a dirty tree leaves VERSION unset and
# therefore fails the format check below.
VERSION="v0.0~${COMMIT:0:8}${DIRTY}.testing.0"
fi
# v0.1.testing.1
if ! [[ $VERSION =~ ^v[0-9]+\.[0-9]+[-~a-zA-Z0-9]*\.[a-z]+\.[0-9]+$ ]]; then
echo "Version $VERSION does not match our expected format. Exiting."
exit 1
fi
# Split VERSION into its RPM fields. Hyphens are not legal in an RPM version,
# so they become tildes (which RPM also orders before a plain release).
rpm_version_regex='s/\-/~/g; s/^v([0-9]+\.[0-9]+[-~a-zA-Z0-9]*)\.[a-z]+\.[0-9]+$/\1/;'
rpm_channel_regex='s/^v[0-9]+\.[0-9]+[-~a-zA-Z0-9]*\.([a-z]+)\.[0-9]+$/\1/;'
rpm_release_regex='s/^v[0-9]+\.[0-9]+[-~a-zA-Z0-9]*\.[a-z]+\.([0-9]+)$/\1/;'
RPM_VERSION=$(sed -E -e "$rpm_version_regex" <<<"$VERSION")
RPM_RELEASE=$(sed -E -e "$rpm_release_regex" <<<"$VERSION")
RPM_CHANNEL=$(sed -E -e "$rpm_channel_regex" <<<"$VERSION")
# sed returns its input unchanged when the pattern does not match, so equality
# with VERSION means no channel component was found. Unreachable after the
# format check above; kept as a safety net.
if [[ "$RPM_CHANNEL" == "$VERSION" ]]; then
echo "Unknown RPM_CHANNEL found: $RPM_CHANNEL but defaulting to testing"
RPM_CHANNEL="testing"
fi
# Only these three channels have signing keys and buckets downstream.
case "$RPM_CHANNEL" in
"testing"|"latest"|"stable")
echo "RPM_CHANNEL matched our expected variants"
;;
*)
echo "RPM_CHANNEL $RPM_CHANNEL does not match one of: [testing, latest, stable]"
exit 1
;;
esac
0707010000004E000041ED0000000000000000000000026855D7C600000000000000000000000000000000000000000000002000000000rke2-selinux-0.20.stable.1/test0707010000004F000041ED0000000000000000000000026855D7C600000000000000000000000000000000000000000000002400000000rke2-selinux-0.20.stable.1/test/el707070100000050000081A40000000000000000000000016855D7C600000127000000000000000000000000000000000000002E00000000rke2-selinux-0.20.stable.1/test/el7/README.mdrke2-selinux for el7
---
The Vagrant box in use supports these providers:
- `libvirt`
- `virtualbox`
- `vmware_desktop`
To spin up a VM and install a locally built rke2-selinux RPM into it (the RPM is copied next to this Vagrantfile so it is reachable under `/vagrant` inside the guest):
```shell
cp -vf ../../dist/centos7/noarch/*.rpm .
INSTALL_PACKAGES=/vagrant/rke2-selinux-*.noarch.rpm vagrant up
```
07070100000051000081A40000000000000000000000016855D7C6000015F3000000000000000000000000000000000000003000000000rke2-selinux-0.20.stable.1/test/el7/Vagrantfile# -*- mode: ruby -*-
# vi: set ft=ruby :
Vagrant.configure("2") do |config|
config.vm.box = "dweomer/centos-7.9-amd64"
# rsync sync (host -> guest) so the RPM copied next to this file is reachable
# as /vagrant/... inside the VM.
config.vm.synced_folder '.', '/vagrant', type: 'rsync', disabled: false
%w[libvirt virtualbox vmware_desktop].each do |p|
config.vm.provider p do |v, o|
v.memory = "2048"
v.cpus = 2
end
end
# Single-node server install used to exercise the policy end to end. The
# settings below are for a throwaway test VM only.
config.vm.define "rke2-selinux-el7", primary: true do |test|
test.vm.hostname = "test-el7"
# Pass through any RKE2_*/INSTALL_RKE2_* variables from the host, then force
# a server install. RKE2_TOKEN is a fixed, well-known value and the kubeconfig
# is made group-readable (0664) for convenience -- acceptable only because this
# VM is a disposable test fixture; never copy these defaults to a real node.
test.vm.provision "install-rke2", type: "shell", run: "once" do |sh|
sh.env = ENV.select{|k,v| k.start_with?('RKE2_') || k.start_with?('INSTALL_RKE2_')}.merge({
:INSTALL_RKE2_TYPE => 'server',
:RKE2_KUBECONFIG_MODE => '0664',
:RKE2_TOKEN => 'vagrant',
})
# Installs rke2 with the upstream curl | sh installer (unpinned: whatever
# get.rke2.io serves at the time), writes the RKE2_/CONTAINERD_ variables into
# the unit's sysconfig file and starts the service.
sh.inline = <<~SHELL
#!/usr/bin/env bash
set -eux -o pipefail
curl -fsSL https://get.rke2.io | sh -
echo >> /etc/sysconfig/rke2-${INSTALL_RKE2_TYPE}
bash +x -ec 'sh -c export | while read x v; do echo $v; done | grep -E "^(RKE2|CONTAINERD)_"' >> /etc/sysconfig/rke2-${INSTALL_RKE2_TYPE}
systemctl enable --now rke2-${INSTALL_RKE2_TYPE}
SHELL
sh.upload_path = "/tmp/vagrant-install-rke2"
end
# Wait for the node and every static control-plane pod to report Ready, each
# with its own timeout, then dump the cluster state.
test.vm.provision "rke2-wait-for-node", type: "shell", run: "once" do |sh|
sh.inline = <<~SHELL
#!/usr/bin/env bash
set -eu -o pipefail
echo 'Waiting for node (and static pods) to be ready ...'
time {
timeout 180 bash -c 'while ! (kubectl wait --for condition=ready node/$(hostname) 2>/dev/null); do sleep 5; done'
timeout 120 bash -c 'while ! (kubectl wait --for condition=ready -n kube-system pod/etcd-$(hostname) 2>/dev/null); do sleep 5; done'
timeout 120 bash -c 'while ! (kubectl wait --for condition=ready -n kube-system pod/kube-apiserver-$(hostname) 2>/dev/null); do sleep 5; done'
timeout 120 bash -c 'while ! (kubectl wait --for condition=ready -n kube-system pod/kube-scheduler-$(hostname) 2>/dev/null); do sleep 5; done'
timeout 120 bash -c 'while ! (kubectl wait --for condition=ready -n kube-system pod/kube-proxy-$(hostname) 2>/dev/null); do sleep 5; done'
timeout 120 bash -c 'while ! (kubectl wait --for condition=ready -n kube-system pod/kube-controller-manager-$(hostname) 2>/dev/null); do sleep 5; done'
timeout 120 bash -c 'while ! (kubectl wait --for condition=ready -n kube-system pod/cloud-controller-manager-$(hostname) 2>/dev/null); do sleep 5; done'
}
kubectl get node,all -A -o wide
SHELL
end
# The remaining wait-for-* provisioners poll each bundled workload until its
# rollout completes, so a policy denial that breaks a component fails the run.
test.vm.provision "rke2-wait-for-canal", type: "shell", run: "once" do |sh|
sh.inline = <<~SHELL
#!/usr/bin/env bash
set -eu -o pipefail
time {
timeout 120 bash -c 'while ! (kubectl --namespace kube-system rollout status --timeout 10s daemonset/rke2-canal 2>/dev/null); do sleep 5; done'
}
SHELL
end
test.vm.provision "rke2-wait-for-coredns", type: "shell", run: "once" do |sh|
sh.inline = <<~SHELL
#!/usr/bin/env bash
set -eu -o pipefail
time {
timeout 120 bash -c 'while ! (kubectl --namespace kube-system rollout status --timeout 10s deploy/rke2-coredns-rke2-coredns 2>/dev/null); do sleep 5; done'
timeout 120 bash -c 'while ! (kubectl --namespace kube-system rollout status --timeout 10s deploy/rke2-coredns-rke2-coredns-autoscaler 2>/dev/null); do sleep 5; done'
}
SHELL
end
test.vm.provision "rke2-wait-for-ingress-nginx", type: "shell", run: "once" do |sh|
sh.inline = <<~SHELL
#!/usr/bin/env bash
set -eu -o pipefail
time {
timeout 120 bash -c 'while ! (kubectl --namespace kube-system rollout status --timeout 10s daemonset/rke2-ingress-nginx-controller 2>/dev/null); do sleep 5; done'
}
SHELL
end
test.vm.provision "rke2-wait-for-metrics-server", type: "shell", run: "once" do |sh|
sh.inline = <<~SHELL
#!/usr/bin/env bash
set -eu -o pipefail
time {
timeout 120 bash -c 'while ! (kubectl --namespace kube-system rollout status --timeout 10s deploy/rke2-metrics-server 2>/dev/null); do sleep 5; done'
}
SHELL
end
test.vm.provision "rke2-status", type: "shell", run: "once" do |sh|
sh.inline = <<~SHELL
#!/usr/bin/env bash
set -eux -o pipefail
kubectl get node,all -A -o wide
SHELL
end
# Show the SELinux context of the rke2/kube/container processes. spc_t and
# unconfined_t are included in the grep so any process that ended up in those
# unconfined domains is visible in the output (inspect manually).
test.vm.provision "rke2-status-selinux", type: "shell", run: "once" do |sh|
sh.inline = <<~SHELL
#!/usr/bin/env bash
set -eux -o pipefail
ps auxZ | grep -E 'etcd|kube|rke2|container|spc_t|unconfined_t' | grep -v grep
SHELL
end
end
# Global provisioners shared by every machine. INSTALL_PACKAGES is the in-guest
# path of the locally built RPM, taken from the host environment (see README).
config.vm.provision "install-packages", type: "shell", run: "once" do |sh|
sh.upload_path = "/tmp/vagrant-install-packages"
sh.env = {
'INSTALL_PACKAGES': ENV['INSTALL_PACKAGES'],
}
sh.inline = <<~SHELL
#!/usr/bin/env bash
set -eux -o pipefail
yum -y install \
curl \
iptables \
less \
lsof \
nc \
socat \
${INSTALL_PACKAGES}
SHELL
end
config.vm.provision "selinux-status", type: "shell", run: "once", inline: "sestatus -v"
# Login profile pointing kubectl at the rke2 kubeconfig and binaries.
config.vm.provision "install-rke2-profile", type: "shell", run: "once" do |sh|
sh.inline = <<~SHELL
#!/usr/bin/env bash
cat <<-EOF > /etc/profile.d/rke2.sh
export KUBECONFIG=/etc/rancher/rke2/rke2.yaml PATH=/usr/local/bin:$PATH:/var/lib/rancher/rke2/bin
EOF
SHELL
end
end
07070100000052000041ED0000000000000000000000026855D7C600000000000000000000000000000000000000000000002400000000rke2-selinux-0.20.stable.1/test/el807070100000053000081A40000000000000000000000016855D7C600000127000000000000000000000000000000000000002E00000000rke2-selinux-0.20.stable.1/test/el8/README.mdrke2-selinux for el8
---
The Vagrant box in use supports these providers:
- `libvirt`
- `virtualbox`
- `vmware_desktop`
To spin up a VM to test a locally built rke2-selinux RPM:
```shell
cp -vf ../../dist/centos8/noarch/*.rpm .
INSTALL_PACKAGES=/vagrant/rke2-selinux-*.noarch.rpm vagrant up
```
07070100000054000081A40000000000000000000000016855D7C6000015F3000000000000000000000000000000000000003000000000rke2-selinux-0.20.stable.1/test/el8/Vagrantfile# -*- mode: ruby -*-
# vi: set ft=ruby :
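Vagrant.configure("2") do |config|
  # Disposable CentOS 8 guest used to exercise a locally built rke2-selinux
  # RPM (see README.md next to this file for the workflow).
  config.vm.box = "dweomer/centos-8.4-amd64"
  # rsync the directory holding this file (and any RPM copied into it) to
  # /vagrant in the guest, where INSTALL_PACKAGES can reference it.
  config.vm.synced_folder '.', '/vagrant', type: 'rsync', disabled: false

  # Identical sizing for every supported provider.
  %w[libvirt virtualbox vmware_desktop].each do |p|
    config.vm.provider p do |v, o|
      v.memory = "2048"
      v.cpus = 2
    end
  end

  config.vm.define "rke2-selinux-el8", primary: true do |test|
    test.vm.hostname = "test-el8"

    # Install rke2 and start it as a server. Every RKE2_* / INSTALL_RKE2_*
    # variable from the host environment is forwarded to the installer; the
    # three entries below are fixed for the test VM.
    test.vm.provision "install-rke2", type: "shell", run: "once" do |sh|
      sh.env = ENV.select { |k, v| k.start_with?('RKE2_') || k.start_with?('INSTALL_RKE2_') }.merge({
        :INSTALL_RKE2_TYPE => 'server',
        # Admin kubeconfig readable by every account in the guest so kubectl
        # works from `vagrant ssh`; acceptable only because the VM is throwaway.
        :RKE2_KUBECONFIG_MODE => '0664',
        # Well-known static join token, likewise test-only.
        :RKE2_TOKEN => 'vagrant',
      })
      # The installer is fetched unpinned from get.rke2.io and piped to sh,
      # so the run trusts that endpoint and its TLS chain. The forwarded
      # RKE2_*/CONTAINERD_* variables (RKE2_TOKEN included) are then appended
      # to the unit's sysconfig file so the systemd service sees them.
      sh.inline = <<~SHELL
        #!/usr/bin/env bash
        set -eux -o pipefail
        curl -fsSL https://get.rke2.io | sh -
        echo >> /etc/sysconfig/rke2-${INSTALL_RKE2_TYPE}
        bash +x -ec 'sh -c export | while read x v; do echo $v; done | grep -E "^(RKE2|CONTAINERD)_"' >> /etc/sysconfig/rke2-${INSTALL_RKE2_TYPE}
        systemctl enable --now rke2-${INSTALL_RKE2_TYPE}
      SHELL
      sh.upload_path = "/tmp/vagrant-install-rke2"
    end

    # Poll until the node and each static control-plane pod report Ready.
    # kubectl errors are silenced while the apiserver is still coming up, and
    # every wait is bounded by `timeout` so a policy that blocks a component
    # fails the run instead of hanging it.
    test.vm.provision "rke2-wait-for-node", type: "shell", run: "once" do |sh|
      sh.inline = <<~SHELL
        #!/usr/bin/env bash
        set -eu -o pipefail
        echo 'Waiting for node (and static pods) to be ready ...'
        time {
        timeout 180 bash -c 'while ! (kubectl wait --for condition=ready node/$(hostname) 2>/dev/null); do sleep 5; done'
        timeout 120 bash -c 'while ! (kubectl wait --for condition=ready -n kube-system pod/etcd-$(hostname) 2>/dev/null); do sleep 5; done'
        timeout 120 bash -c 'while ! (kubectl wait --for condition=ready -n kube-system pod/kube-apiserver-$(hostname) 2>/dev/null); do sleep 5; done'
        timeout 120 bash -c 'while ! (kubectl wait --for condition=ready -n kube-system pod/kube-scheduler-$(hostname) 2>/dev/null); do sleep 5; done'
        timeout 120 bash -c 'while ! (kubectl wait --for condition=ready -n kube-system pod/kube-proxy-$(hostname) 2>/dev/null); do sleep 5; done'
        timeout 120 bash -c 'while ! (kubectl wait --for condition=ready -n kube-system pod/kube-controller-manager-$(hostname) 2>/dev/null); do sleep 5; done'
        timeout 120 bash -c 'while ! (kubectl wait --for condition=ready -n kube-system pod/cloud-controller-manager-$(hostname) 2>/dev/null); do sleep 5; done'
        }
        kubectl get node,all -A -o wide
      SHELL
    end

    # Readiness probes for the bundled add-ons, same bounded-polling pattern.
    test.vm.provision "rke2-wait-for-canal", type: "shell", run: "once" do |sh|
      sh.inline = <<~SHELL
        #!/usr/bin/env bash
        set -eu -o pipefail
        time {
        timeout 120 bash -c 'while ! (kubectl --namespace kube-system rollout status --timeout 10s daemonset/rke2-canal 2>/dev/null); do sleep 5; done'
        }
      SHELL
    end
    test.vm.provision "rke2-wait-for-coredns", type: "shell", run: "once" do |sh|
      sh.inline = <<~SHELL
        #!/usr/bin/env bash
        set -eu -o pipefail
        time {
        timeout 120 bash -c 'while ! (kubectl --namespace kube-system rollout status --timeout 10s deploy/rke2-coredns-rke2-coredns 2>/dev/null); do sleep 5; done'
        timeout 120 bash -c 'while ! (kubectl --namespace kube-system rollout status --timeout 10s deploy/rke2-coredns-rke2-coredns-autoscaler 2>/dev/null); do sleep 5; done'
        }
      SHELL
    end
    test.vm.provision "rke2-wait-for-ingress-nginx", type: "shell", run: "once" do |sh|
      sh.inline = <<~SHELL
        #!/usr/bin/env bash
        set -eu -o pipefail
        time {
        timeout 120 bash -c 'while ! (kubectl --namespace kube-system rollout status --timeout 10s daemonset/rke2-ingress-nginx-controller 2>/dev/null); do sleep 5; done'
        }
      SHELL
    end
    test.vm.provision "rke2-wait-for-metrics-server", type: "shell", run: "once" do |sh|
      sh.inline = <<~SHELL
        #!/usr/bin/env bash
        set -eu -o pipefail
        time {
        timeout 120 bash -c 'while ! (kubectl --namespace kube-system rollout status --timeout 10s deploy/rke2-metrics-server 2>/dev/null); do sleep 5; done'
        }
      SHELL
    end

    # Snapshot of every node and workload once the waits above have passed.
    test.vm.provision "rke2-status", type: "shell", run: "once" do |sh|
      sh.inline = <<~SHELL
        #!/usr/bin/env bash
        set -eux -o pipefail
        kubectl get node,all -A -o wide
      SHELL
    end

    # SELinux context listing (ps -Z) of the rke2/etcd/kube/container
    # processes; the pattern also matches spc_t and unconfined_t, presumably
    # so that any process running outside the confined domains stands out.
    # `grep -v grep` drops the grep process itself; with pipefail an empty
    # match fails the provisioner.
    test.vm.provision "rke2-status-selinux", type: "shell", run: "once" do |sh|
      sh.inline = <<~SHELL
        #!/usr/bin/env bash
        set -eux -o pipefail
        ps auxZ | grep -E 'etcd|kube|rke2|container|spc_t|unconfined_t' | grep -v grep
      SHELL
    end
  end

  # Install the test tooling plus whatever INSTALL_PACKAGES names (the README
  # points it at the locally built rke2-selinux RPM under /vagrant). The
  # variable is left unquoted on purpose so a glob such as
  # /vagrant/rke2-selinux-*.noarch.rpm expands inside the guest.
  config.vm.provision "install-packages", type: "shell", run: "once" do |sh|
    sh.upload_path = "/tmp/vagrant-install-packages"
    sh.env = {
      'INSTALL_PACKAGES': ENV['INSTALL_PACKAGES'],
    }
    sh.inline = <<~SHELL
      #!/usr/bin/env bash
      set -eux -o pipefail
      dnf -y install \\
      curl \\
      iptables \\
      less \\
      lsof \\
      nc \\
      socat \\
      ${INSTALL_PACKAGES}
    SHELL
  end

  # Record the guest's SELinux mode/policy in the provisioning log.
  config.vm.provision "selinux-status", type: "shell", run: "once", inline: "sestatus -v"

  # Expose the admin kubeconfig and the rke2 binaries to login shells. The
  # inner heredoc delimiter is quoted so `$PATH` is written literally and
  # expanded by each login shell; an unquoted delimiter would freeze the
  # provisioner's (root) PATH into the system-wide profile script.
  config.vm.provision "install-rke2-profile", type: "shell", run: "once" do |sh|
    sh.inline = <<~SHELL
      #!/usr/bin/env bash
      set -eu -o pipefail
      cat <<-'EOF' > /etc/profile.d/rke2.sh
      export KUBECONFIG=/etc/rancher/rke2/rke2.yaml PATH=/usr/local/bin:$PATH:/var/lib/rancher/rke2/bin
      EOF
    SHELL
  end
end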
07070100000055000041ED0000000000000000000000026855D7C600000000000000000000000000000000000000000000002400000000rke2-selinux-0.20.stable.1/test/sle07070100000056000081A40000000000000000000000016855D7C600000127000000000000000000000000000000000000002E00000000rke2-selinux-0.20.stable.1/test/sle/README.mdrke2-selinux for sle
---
The Vagrant box in use supports these providers:
- `libvirt`
- `virtualbox`
- `vmware_desktop`
To spin up a VM to test a locally built rke2-selinux RPM:
```shell
cp -vf ../../dist/microos/noarch/*.rpm .
INSTALL_PACKAGES=/vagrant/rke2-selinux-*.noarch.rpm vagrant up
```
07070100000057000081A40000000000000000000000016855D7C600001798000000000000000000000000000000000000003000000000rke2-selinux-0.20.stable.1/test/sle/Vagrantfile# -*- mode: ruby -*-
# vi: set ft=ruby :
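Vagrant.configure("2") do |config|
  # Disposable MicroOS guest used to exercise a locally built rke2-selinux
  # RPM (see README.md next to this file for the workflow).
  config.vm.box = "dweomer/microos.amd64"
  # rsync the directory holding this file (and any RPM copied into it) to
  # /vagrant in the guest, where INSTALL_PACKAGES can reference it.
  config.vm.synced_folder '.', '/vagrant', type: 'rsync', disabled: false

  # Identical sizing for every supported provider.
  %w[libvirt virtualbox vmware_desktop].each do |p|
    config.vm.provider p do |v, o|
      v.memory = "2048"
      v.cpus = 2
    end
  end

  config.vm.define "rke2-selinux-sle", primary: true do |test|
    test.vm.hostname = "test-sle"

    # Install rke2 and start it as a server. Every RKE2_* / INSTALL_RKE2_*
    # variable from the host environment is forwarded to the installer; the
    # three entries below are fixed for the test VM.
    test.vm.provision "install-rke2", type: "shell", run: "once" do |sh|
      sh.env = ENV.select { |k, v| k.start_with?('RKE2_') || k.start_with?('INSTALL_RKE2_') }.merge({
        :INSTALL_RKE2_TYPE => 'server',
        # Admin kubeconfig readable by every account in the guest so kubectl
        # works from `vagrant ssh`; acceptable only because the VM is throwaway.
        :RKE2_KUBECONFIG_MODE => '0664',
        # Well-known static join token, likewise test-only.
        :RKE2_TOKEN => 'vagrant',
      })
      # The installer is fetched unpinned from get.rke2.io and piped to sh,
      # so the run trusts that endpoint and its TLS chain. The forwarded
      # RKE2_*/CONTAINERD_* variables (RKE2_TOKEN included) are then appended
      # to the unit's sysconfig file so the systemd service sees them.
      sh.inline = <<~SHELL
        #!/usr/bin/env bash
        set -eux -o pipefail
        curl -fsSL https://get.rke2.io | sh -
        echo >> /etc/sysconfig/rke2-${INSTALL_RKE2_TYPE}
        bash +x -ec 'sh -c export | while read x v; do echo $v; done | grep -E "^(RKE2|CONTAINERD)_"' >> /etc/sysconfig/rke2-${INSTALL_RKE2_TYPE}
        systemctl enable --now rke2-${INSTALL_RKE2_TYPE}
      SHELL
      sh.upload_path = "/tmp/vagrant-install-rke2"
    end

    # Poll until the node and each static control-plane pod report Ready.
    # /etc/profile.d/rke2.sh (written by install-rke2-profile below) supplies
    # KUBECONFIG and the kubectl PATH entry. kubectl errors are silenced while
    # the apiserver is still coming up, and every wait is bounded by `timeout`
    # so a policy that blocks a component fails the run instead of hanging it.
    test.vm.provision "rke2-wait-for-node", type: "shell", run: "once" do |sh|
      sh.inline = <<~SHELL
        #!/usr/bin/env bash
        source /etc/profile.d/rke2.sh
        set -eu -o pipefail
        echo 'Waiting for node (and static pods) to be ready ...'
        time {
        timeout 180 bash -c 'while ! (kubectl wait --for condition=ready node/$(hostname) 2>/dev/null); do sleep 5; done'
        timeout 120 bash -c 'while ! (kubectl wait --for condition=ready -n kube-system pod/etcd-$(hostname) 2>/dev/null); do sleep 5; done'
        timeout 120 bash -c 'while ! (kubectl wait --for condition=ready -n kube-system pod/kube-apiserver-$(hostname) 2>/dev/null); do sleep 5; done'
        timeout 120 bash -c 'while ! (kubectl wait --for condition=ready -n kube-system pod/kube-scheduler-$(hostname) 2>/dev/null); do sleep 5; done'
        timeout 120 bash -c 'while ! (kubectl wait --for condition=ready -n kube-system pod/kube-proxy-$(hostname) 2>/dev/null); do sleep 5; done'
        timeout 120 bash -c 'while ! (kubectl wait --for condition=ready -n kube-system pod/kube-controller-manager-$(hostname) 2>/dev/null); do sleep 5; done'
        timeout 120 bash -c 'while ! (kubectl wait --for condition=ready -n kube-system pod/cloud-controller-manager-$(hostname) 2>/dev/null); do sleep 5; done'
        }
        kubectl get node,all -A -o wide
      SHELL
    end

    # Readiness probes for the bundled add-ons, same bounded-polling pattern.
    test.vm.provision "rke2-wait-for-canal", type: "shell", run: "once" do |sh|
      sh.inline = <<~SHELL
        #!/usr/bin/env bash
        source /etc/profile.d/rke2.sh
        set -eu -o pipefail
        time {
        timeout 120 bash -c 'while ! (kubectl --namespace kube-system rollout status --timeout 10s daemonset/rke2-canal 2>/dev/null); do sleep 5; done'
        }
      SHELL
    end
    test.vm.provision "rke2-wait-for-coredns", type: "shell", run: "once" do |sh|
      sh.inline = <<~SHELL
        #!/usr/bin/env bash
        source /etc/profile.d/rke2.sh
        set -eu -o pipefail
        time {
        timeout 120 bash -c 'while ! (kubectl --namespace kube-system rollout status --timeout 10s deploy/rke2-coredns-rke2-coredns 2>/dev/null); do sleep 5; done'
        timeout 120 bash -c 'while ! (kubectl --namespace kube-system rollout status --timeout 10s deploy/rke2-coredns-rke2-coredns-autoscaler 2>/dev/null); do sleep 5; done'
        }
      SHELL
    end
    test.vm.provision "rke2-wait-for-ingress-nginx", type: "shell", run: "once" do |sh|
      sh.inline = <<~SHELL
        #!/usr/bin/env bash
        source /etc/profile.d/rke2.sh
        set -eu -o pipefail
        time {
        timeout 120 bash -c 'while ! (kubectl --namespace kube-system rollout status --timeout 10s daemonset/rke2-ingress-nginx-controller 2>/dev/null); do sleep 5; done'
        }
      SHELL
    end
    test.vm.provision "rke2-wait-for-metrics-server", type: "shell", run: "once" do |sh|
      sh.inline = <<~SHELL
        #!/usr/bin/env bash
        source /etc/profile.d/rke2.sh
        set -eu -o pipefail
        time {
        timeout 120 bash -c 'while ! (kubectl --namespace kube-system rollout status --timeout 10s deploy/rke2-metrics-server 2>/dev/null); do sleep 5; done'
        }
      SHELL
    end

    # Snapshot of every node and workload once the waits above have passed.
    test.vm.provision "rke2-status", type: "shell", run: "once" do |sh|
      sh.inline = <<~SHELL
        #!/usr/bin/env bash
        source /etc/profile.d/rke2.sh
        set -eux -o pipefail
        kubectl get node,all -A -o wide
      SHELL
    end

    # SELinux context listing (ps -Z) of the rke2/etcd/kube/container
    # processes; the pattern also matches spc_t and unconfined_t, presumably
    # so that any process running outside the confined domains stands out.
    # `grep -v grep` drops the grep process itself; with pipefail an empty
    # match fails the provisioner.
    test.vm.provision "rke2-status-selinux", type: "shell", run: "once" do |sh|
      sh.inline = <<~SHELL
        #!/usr/bin/env bash
        source /etc/profile.d/rke2.sh
        set -eux -o pipefail
        ps auxZ | grep -E 'etcd|kube|rke2|container|spc_t|unconfined_t' | grep -v grep
      SHELL
    end
  end

  # Install the test tooling plus whatever INSTALL_PACKAGES names (the README
  # points it at the locally built rke2-selinux RPM under /vagrant). The
  # variable is left unquoted on purpose so a glob such as
  # /vagrant/rke2-selinux-*.noarch.rpm expands inside the guest.
  # --allow-unsigned-rpm exists only because that locally built RPM carries
  # no signature; it is not needed for packages from the distribution repos.
  # NOTE(review): `source` runs before `set -e`, so if the profile script has
  # not been written yet at this point the failed source is ignored.
  config.vm.provision "install-packages", type: "shell", run: "once" do |sh|
    sh.upload_path = "/tmp/vagrant-install-packages"
    sh.env = {
      'INSTALL_PACKAGES': ENV['INSTALL_PACKAGES'],
    }
    sh.inline = <<~SHELL
      #!/usr/bin/env bash
      source /etc/profile.d/rke2.sh
      set -eux -o pipefail
      transactional-update --no-selfupdate -d pkg install -y --allow-unsigned-rpm \\
      curl \\
      iptables \\
      less \\
      lsof \\
      socat \\
      ${INSTALL_PACKAGES}
    SHELL
  end

  # Reboot so the packages installed by transactional-update become visible
  # to the following provisioners.
  config.vm.provision "install-packages-reload", type: "reload", run: "once"

  # Record the guest's SELinux mode/policy in the provisioning log.
  config.vm.provision "selinux-status", type: "shell", run: "once", inline: "sestatus -v"

  # Expose the admin kubeconfig and the rke2 binaries to login shells (and to
  # the provisioners above that source this file). The inner heredoc
  # delimiter is quoted so `$PATH` is written literally and expanded by each
  # shell that sources it; an unquoted delimiter would freeze the
  # provisioner's (root) PATH into the system-wide profile script.
  config.vm.provision "install-rke2-profile", type: "shell", run: "once" do |sh|
    sh.inline = <<~SHELL
      #!/usr/bin/env bash
      set -eu -o pipefail
      cat <<-'EOF' > /etc/profile.d/rke2.sh
      export KUBECONFIG=/etc/rancher/rke2/rke2.yaml PATH=/usr/local/bin:$PATH:/var/lib/rancher/rke2/bin
      EOF
    SHELL
  end
end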
07070100000000000000000000000000000000000000010000000000000000000000000000000000000000000000000000000B00000000TRAILER!!!299 blocks