#!/usr/bin/env bash
# Gate hook for the neutron-dynamic-routing CI jobs: prepares the job host
# for the venv named by $1 and hands off to devstack-gate.  BASE (the
# devstack-gate workspace root) is expected to be set by the caller.
# NOTE: 'set -x' echoes every command, sudo'd ones included, into the job log.
set -xe

PROJECT_NAME=neutron-dynamic-routing
GATE_DEST=$BASE/new
NEUTRON_PATH=${GATE_DEST}/neutron
DR_PATH=${GATE_DEST}/${PROJECT_NAME}
DEVSTACK_PATH=${GATE_DEST}/devstack
# AppArmor profile directory; a docker profile is installed here when missing.
APPARMOR_PROFILE_PATH=/etc/apparmor.d
# Directory copied into the job logs after the scenario gate run.
QUAGGA_CONFIG_PATH=/tmp/ctn_docker
# Gate environment to prepare; the functional job is the default.
VENV=${1:-dsvm-functional}
# NOTE(kakuma)
# Check apparmor to avoid the following error for docker operation.
# "oci runtime error: apparmor failed to apply profile: no such file or directory"
# This is a temporary solution. This needs to be fixed in a better way.
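#######################################
# Install a default AppArmor profile for docker when the host has AppArmor
# but no $APPARMOR_PROFILE_PATH/docker, then restart apparmor and docker so
# the profile is loaded.  Without it docker fails with
# "oci runtime error: apparmor failed to apply profile: no such file or
# directory".
# Globals:   APPARMOR_PROFILE_PATH (read)
# Arguments: none
# Returns:   0 when nothing needs doing or the profile was installed;
#            non-zero if the profile cannot be staged or installed
#######################################
function check_apparmor_for_docker {
  local profile tmp_profile
  profile=${APPARMOR_PROFILE_PATH}/docker

  # Nothing to do when AppArmor is absent or the profile already exists.
  if [[ ! -d "$APPARMOR_PROFILE_PATH" || -f "$profile" ]]; then
    return 0
  fi

  # Stage the profile in an unpredictable temp file instead of the fixed
  # /tmp/docker: a fixed name in a world-writable directory can be
  # pre-created (or symlinked) by another local user and would then be
  # moved into the AppArmor profile directory as root.
  tmp_profile=$(mktemp) || return 1
  # Quoted delimiter: the profile text is written literally, no expansion.
  cat <<'EOF' > "$tmp_profile"
#include <tunables/global>
profile docker-default flags=(attach_disconnected,mediate_deleted) {
#include <abstractions/base>
network,
capability,
file,
umount,
deny @{PROC}/* w, # deny write for all files directly in /proc (not in a subdir)
# deny write to files not in /proc/<number>/** or /proc/sys/**
deny @{PROC}/{[^1-9],[^1-9][^0-9],[^1-9s][^0-9y][^0-9s],[^1-9][^0-9][^0-9][^0-9]*}/** w,
deny @{PROC}/sys/[^k]** w, # deny /proc/sys except /proc/sys/k* (effectively /proc/sys/kernel)
deny @{PROC}/sys/kernel/{?,??,[^s][^h][^m]**} w, # deny everything except shm* in /proc/sys/kernel/
deny @{PROC}/sysrq-trigger rwklx,
deny @{PROC}/mem rwklx,
deny @{PROC}/kmem rwklx,
deny @{PROC}/kcore rwklx,
deny mount,
deny /sys/[^f]*/** wklx,
deny /sys/f[^s]*/** wklx,
deny /sys/fs/[^c]*/** wklx,
deny /sys/fs/c[^g]*/** wklx,
deny /sys/fs/cg[^r]*/** wklx,
deny /sys/firmware/efi/efivars/** rwklx,
deny /sys/kernel/security/** rwklx,
# suppress ptrace denials when using 'docker ps' or using 'ps' inside a container
ptrace (trace,read) peer=docker-default,
}
EOF
  # install(1) copies the file with its final owner and mode in one step,
  # so it never sits in the profile directory with the wrong ownership.
  sudo install -m 0644 -o root -g root -- "$tmp_profile" "$profile" \
    || { rm -f -- "$tmp_profile"; return 1; }
  rm -f -- "$tmp_profile"
  sudo service apparmor restart
  sudo service docker restart
}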
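#######################################
# Prepare the host for the docker-based scenario job: give the tempest user
# passwordless sudo and install a docker package.
# Globals:   none
# Arguments: none
# Outputs:   apt/sudo output to stdout/stderr
# Returns:   0 on success; non-zero (and script exit under set -e) otherwise
#######################################
function configure_docker_test_env {
  local docker_pkg sudoers_rule
  sudoers_rule='tempest ALL=(ALL) NOPASSWD: ALL'

  # Append the rule only if it is not already present, so re-running the
  # hook does not pile up duplicates, and validate the result: a malformed
  # /etc/sudoers locks every user out of sudo.
  if ! sudo grep -qxF -- "$sudoers_rule" /etc/sudoers; then
    printf '%s\n' "$sudoers_rule" | sudo tee -a /etc/sudoers >/dev/null
    sudo visudo -c >/dev/null
  fi

  sudo apt-get update
  # Prefer docker-engine when the archive offers it, else docker.io.  Match
  # on the package name only: a plain 'apt-cache search' also hits packages
  # whose description merely mentions docker-engine.
  if apt-cache search --names-only '^docker-engine$' | grep -q .; then
    docker_pkg=docker-engine
  else
    docker_pkg=docker.io
  fi
  sudo apt-get install -y "$docker_pkg"
}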
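#######################################
# Run devstack-gate, then preserve the Quagga/docker config directory in the
# job logs regardless of the gate result.
# Globals:   GATE_DEST, QUAGGA_CONFIG_PATH (read)
# Arguments: none
# Returns:   the exit status of devstack-vm-gate.sh
#######################################
function do_devstack_gate {
  local gate_retval=0
  # Capture the status on the call itself instead of toggling 'set +e'
  # around the block, which would also hide unrelated failures.
  "${GATE_DEST}/devstack-gate/devstack-vm-gate.sh" || gate_retval=$?
  if [[ -d "$QUAGGA_CONFIG_PATH" ]]; then
    # Best-effort log collection: a failed copy must not replace the gate's
    # own result, so its status is deliberately ignored.
    sudo cp -r -- "$QUAGGA_CONFIG_PATH" /opt/stack/logs/bgp_dr_docker || true
  fi
  return "$gate_retval"
}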
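# Dispatch on the requested venv.  Every path used below derives from BASE,
# and the functional branch chowns the whole workspace, so fail early with a
# clear message rather than sourcing from, or chowning, a bogus location.
: "${BASE:?BASE must be set to the devstack-gate workspace root}"

if [[ "$VENV" == dsvm-functional* ]]; then
  # The following need to be set before sourcing
  # configure_for_func_testing.
  GATE_STACK_USER=stack
  IS_GATE=True
  source "${DEVSTACK_PATH}/functions"
  source "${NEUTRON_PATH}/devstack/lib/ovs"
  source "${NEUTRON_PATH}/tools/configure_for_func_testing.sh"
  enable_plugin "$PROJECT_NAME" "https://git.openstack.org/openstack/${PROJECT_NAME}"
  # Make the workspace owned by the stack user.  STACK_USER is not set in
  # this file; presumably it comes from the sourced devstack/neutron files.
  sudo chown -R "${STACK_USER}:${STACK_USER}" "$BASE"
elif [[ "$VENV" == dsvm-api* ]]; then
  export DEVSTACK_LOCAL_CONFIG+=$'\n'"NETWORK_API_EXTENSIONS=all"
  "${GATE_DEST}/devstack-gate/devstack-vm-gate.sh"
elif [[ "$VENV" == dsvm-scenario* ]]; then
  sudo apt-get update
  sudo apt-get install -y --reinstall apparmor
  configure_docker_test_env
  check_apparmor_for_docker
  DEVSTACK_LOCAL_CONFIG+=$'\n'"NETWORK_API_EXTENSIONS=all"
  export DEVSTACK_LOCAL_CONFIG+=$'\n'"BGP_SCHEDULER_DRIVER=neutron_dynamic_routing.services.bgp.scheduler.bgp_dragent_scheduler.ChanceScheduler"
  do_devstack_gate
else
  # Diagnostics go to stderr so they are not mistaken for job output.
  printf 'Unrecognized environment %s.\n' "$VENV" >&2
  exit 1
fi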