From 5ba8ce72caf51dd87e3f439fc50dffa4c95e52c3 Mon Sep 17 00:00:00 2001
From: Piotr Skamruk
Date: Mon, 26 Nov 2018 16:02:55 +0100
Subject: [PATCH 1/2] Use Mirantis hardened version of libvirt
---
 images/Dockerfile.build | 2 +-
 images/Dockerfile.build-base | 2 +-
 images/Dockerfile.virtlet | 2 +-
 images/Dockerfile.virtlet-base | 42 +++++++--------------------------
 images/image_skel/libvirt.sh | 4 ++--
 5 files changed, 13 insertions(+), 39 deletions(-)
diff --git a/images/Dockerfile.build b/images/Dockerfile.build
index c8354e68b..8ef303e68 100644
--- a/images/Dockerfile.build
+++ b/images/Dockerfile.build
@@ -1,7 +1,7 @@
 # TODO: generate this tag. unfortunately can't use ARG:
 # https://docs.docker.com/engine/reference/builder/#understand-how-arg-and-from-interact
 # (but add a note about it here for the future)
-FROM mirantis/virtlet-build:v1-6f9c7ae7a63974b239cb6967e80521e4
+FROM mirantis/virtlet-build:v1-c646263e8c2fa2e6430f0c48a2acff60
 MAINTAINER Ivan Shvedunov
 LABEL virtlet.image="build"
diff --git a/images/Dockerfile.build-base b/images/Dockerfile.build-base
index ee695716e..c2b1dc740 100644
--- a/images/Dockerfile.build-base
+++ b/images/Dockerfile.build-base
@@ -1,7 +1,7 @@
 # TODO: generate this tag. unfortunately can't use ARG:
 # https://docs.docker.com/engine/reference/builder/#understand-how-arg-and-from-interact
 # (but add a note about it here for the future)
-FROM mirantis/virtlet-base:v1-6f4014188b63faf8b6d48642ad29752f
+FROM mirantis/virtlet-base:v1-25f4a227ec03c377ca90c433733c3ff5
 MAINTAINER Ivan Shvedunov
 LABEL virtlet.image="build-base"
diff --git a/images/Dockerfile.virtlet b/images/Dockerfile.virtlet
index f8ce8fbbb..1ec9eb9cb 100644
--- a/images/Dockerfile.virtlet
+++ b/images/Dockerfile.virtlet
@@ -1,7 +1,7 @@
 # TODO: generate this tag. unfortunately can't use ARG:
 # https://docs.docker.com/engine/reference/builder/#understand-how-arg-and-from-interact
 # (but add a note about it here for the future)
-FROM mirantis/virtlet-base:v1-6f4014188b63faf8b6d48642ad29752f
+FROM mirantis/virtlet-base:v1-25f4a227ec03c377ca90c433733c3ff5
 MAINTAINER Ivan Shvedunov
 LABEL virtlet.image="virtlet"
diff --git a/images/Dockerfile.virtlet-base b/images/Dockerfile.virtlet-base
index a16098bf7..f39f950f7 100644
--- a/images/Dockerfile.virtlet-base
+++ b/images/Dockerfile.virtlet-base
@@ -1,38 +1,18 @@
 FROM ubuntu:16.04
 MAINTAINER Ivan Shvedunov
-# BUMP 24.05.2018
+# BUMP 23.11.2018
 ENV DEBIAN_FRONTEND noninteractive
-RUN echo deb-src http://archive.ubuntu.com/ubuntu/ xenial main restricted >>/etc/apt/sources.list && \
- echo deb-src http://archive.ubuntu.com/ubuntu/ xenial-updates main restricted >>/etc/apt/sources.list
+RUN echo deb-src http://archive.ubuntu.com/ubuntu/ xenial main universe restricted >>/etc/apt/sources.list && \
+ echo deb-src http://archive.ubuntu.com/ubuntu/ xenial-updates main universe restricted >>/etc/apt/sources.list
 RUN apt-get -y update && \
- apt-get -y build-dep libvirt && \
 apt-get -y build-dep libguestfs && \
 apt-get -y build-dep supermin && \
 apt-get -y install git libjansson-dev libhivex-ocaml-dev
-RUN git clone https://github.com/libvirt/libvirt.git /libvirt && \
- cd /libvirt && \
- git checkout v3.7.0 && \
- ./autogen.sh --prefix=/usr/local \
- --localstatedir=/var \
- --sysconfdir=/etc \
- --without-polkit \
- --without-esx \
- --without-vbox \
- --without-xen \
- --without-libxl \
- --with-qemu \
- --with-qemu-user=libvirt-qemu \
- --with-qemu-group=kvm \
- --without-lxc \
- --without-nwfilter && \
- make -j$(grep -c ^processor /proc/cpuinfo) && \
- make -j$(grep -c ^processor /proc/cpuinfo) install
-
 RUN git clone https://github.com/libguestfs/supermin.git && \
 cd supermin && \
 git checkout v5.1.19 && \
@@ -57,8 +37,11 @@ COPY --from=0 /usr/local /usr/local
 ENV DEBIAN_FRONTEND noninteractive
-RUN apt-get update && \
- apt-get install -y bridge-utils \
+RUN apt-get update && apt-get install -y curl && \
+ echo deb http://mirror.mirantis.com/proposed/openstack-queens/xenial xenial main >>/etc/apt/sources.list && \
+ curl http://mirror.mirantis.com/proposed/openstack-queens/xenial/archive-queens.key | apt-key add - && \
+ apt-get update && \
+ apt-get install -y libvirt-bin libvirt-daemon libvirt-dev bridge-utils \
 openssl qemu-kvm \
 netbase iptables ebtables vncsnapshot \
 socat netcat-openbsd \
@@ -77,15 +60,6 @@ RUN apt-get update && \
 dnsmasq libpcap0.8 libnetcf1 dmidecode && \
 apt-get clean
-RUN if ! getent group libvirtd >/dev/null; then addgroup --system libvirtd; fi && \
- for u in $(getent group admin | sed -e "s/^.*://" -e "s/,/ /g"); do adduser "$u" libvirtd >/dev/null || true; done && \
- for u in $(getent group sudo | sed -e "s/^.*://" -e "s/,/ /g"); do adduser "$u" libvirtd >/dev/null || true; done && \
- if ! getent group kvm >/dev/null; then addgroup --quiet --system kvm; fi && \
- adduser --quiet --system --ingroup kvm --quiet --disabled-login --disabled-password \
- --home /var/lib/libvirt --no-create-home -gecos "Libvirt Qemu" --uid 64055 libvirt-qemu && \
- adduser --quiet --system --ingroup libvirtd --quiet --disabled-login --disabled-password \
- --home /var/lib/libvirt/dnsmasq --no-create-home -gecos "Libvirt Dnsmasq" libvirt-dnsmasq
-
 # TODO: try to go back to alpine
 # TODO: check which libs are really needed for libvirt / libguestfs / supermin
 # and which aren't
diff --git a/images/image_skel/libvirt.sh b/images/image_skel/libvirt.sh
index 4512ba80a..ad3ac01a8 100755
--- a/images/image_skel/libvirt.sh
+++ b/images/image_skel/libvirt.sh
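Review bot: The signing key for the new repository is fetched over plain HTTP and piped straight into `apt-key add -` (the `curl … | apt-key add -` line), so the trust anchor for `libvirt-bin`, `libvirt-daemon` and `libvirt-dev` is itself obtained with no integrity or authenticity check, and because the `deb http://…` line points at a `proposed` channel and the install is unpinned, later rebuilds can silently pick up different packages. Suggest downloading the key to a file (over HTTPS if the mirror offers it, or vendoring it in the repo) and checking its fingerprint before adding it, e.g. `gpg --with-fingerprint /tmp/archive-queens.key | grep -q "<EXPECTED-FINGERPRINT placeholder>"`, and pinning the three packages with `apt-get install -y libvirt-bin=<version placeholder> libvirt-daemon=<version placeholder> libvirt-dev=<version placeholder>`. Separately, `curl` without `-f` exits 0 on an HTTP error response, so an error page would be handed to `apt-key add` rather than failing the build; `curl -fsSL` makes that an explicit failure.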
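Review bot: Dropping the explicit account setup (the removed `addgroup`/`adduser` RUN) leaves the `libvirtd` and `kvm` groups and the `libvirt-qemu` user to whatever the `libvirt-bin`/`libvirt-daemon` package scripts create; the old build fixed `libvirt-qemu` at uid 64055 and nothing on the new side verifies the packaged uid matches, so files under `/var/lib/libvirt` written by earlier images or mounted from the host could presumably end up owned by a different uid (worth confirming). A one-line guard after the install would make the assumption explicit, e.g. `test "$(id -u libvirt-qemu)" = 64055`. The removed block also enrolled every member of `admin` and `sudo` into `libvirtd`; not re-adding them is a sensible tightening of who can presumably reach the daemon, but it deserves a comment such as `# libvirtd/kvm accounts now come from the distro package; admin/sudo users are intentionally not added to libvirtd` so it is not reintroduced by accident.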
@@ -59,11 +59,11 @@ chmod ug+s /vmwrapper
 if [[ ${testmode} ]]; then
 # leftover socket prevents libvirt from initializing correctly
 rm -f /var/lib/libvirt/qemu/capabilities.monitor.sock
- /usr/local/sbin/libvirtd --listen --daemon
+ /usr/sbin/libvirtd --listen --daemon
 else
 # FIXME: try using exec liveness probe instead
 while true; do
- /usr/local/sbin/libvirtd --listen
+ /usr/sbin/libvirtd --listen
 sleep 1
 done
 fi
From 8d9607b7b79ea4b47851c12d63532b7587f0919c Mon Sep 17 00:00:00 2001
From: Piotr Skamruk
Date: Mon, 26 Nov 2018 19:16:56 +0100
Subject: [PATCH 2/2] Fix memory checking test
---
 tests/e2e/resources_test.go | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/tests/e2e/resources_test.go b/tests/e2e/resources_test.go
index 61ca54ae4..d432ac43e 100644
--- a/tests/e2e/resources_test.go
+++ b/tests/e2e/resources_test.go
@@ -62,7 +62,8 @@ var _ = Describe("VM resources", func() {
 Expect(m).To(HaveLen(2))
 total += do(strconv.Atoi(m[1])).(int)
 }
-Expect(total).To(Equal(1024*(*memoryLimit) - 128))
+Expect(total).To(BeNumerically(">", 1024*(*memoryLimit-1)))
+Expect(total).To(BeNumerically("<", 1024*(*memoryLimit)))
 })
 It("Should grow the root volume size if requested", func() {
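Review bot: The two new assertions accept any total strictly between `1024*(*memoryLimit-1)` and `1024*(*memoryLimit)`, but neither the hunk nor the commit message records why the previous exact value `1024*(*memoryLimit) - 128` no longer holds, so a future reader cannot tell whether drift inside that window is expected or a regression. A comment above the assertions would keep the rationale with the test, e.g. `// TODO: document why the total is no longer exactly 1024*memoryLimit-128 (changed with the switch to the packaged libvirt?)`. Note also that the upper bound is strict, so a total exactly equal to `1024*(*memoryLimit)` fails; if that is not intended, `BeNumerically("<=", 1024*(*memoryLimit))` is the fix. The enclosing `It` block starts and ends outside the hunk.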