
feat: add apparmor pkg
Bring in the AppArmor pkg from `pkgs`, which adds
`/sbin/apparmor_parser` so that it gets picked up by containerd.

Signed-off-by: Noel Georgi <git@frezbo.dev>
konrader authored and frezbo committed Jun 27, 2024
1 parent 71857fd commit bd34f71
Showing 5 changed files with 25 additions and 3 deletions.
6 changes: 6 additions & 0 deletions Dockerfile
Expand Up @@ -30,6 +30,7 @@ ARG PKG_LIBAIO
ARG PKG_MUSL
ARG PKG_RUNC
ARG PKG_XFSPROGS
ARG PKG_APPARMOR
ARG PKG_UTIL_LINUX
ARG PKG_KMOD
ARG PKG_KERNEL
Expand All @@ -40,6 +41,9 @@ ARG PKG_TALOSCTL_CNI_BUNDLE_INSTALL
FROM ${PKG_FHS} AS pkg-fhs
FROM ${PKG_CA_CERTIFICATES} AS pkg-ca-certificates

FROM --platform=amd64 ${PKG_APPARMOR} AS pkg-apparmor-amd64
FROM --platform=arm64 ${PKG_APPARMOR} AS pkg-apparmor-arm64

FROM --platform=amd64 ${PKG_CRYPTSETUP} AS pkg-cryptsetup-amd64
FROM --platform=arm64 ${PKG_CRYPTSETUP} AS pkg-cryptsetup-arm64

Expand Down Expand Up @@ -558,6 +562,7 @@ COPY --from=depmod-arm64 /build/lib/modules /lib/modules
FROM build AS rootfs-base-amd64
COPY --link --from=pkg-fhs / /rootfs
COPY --link --from=pkg-ca-certificates / /rootfs
COPY --link --from=pkg-apparmor-amd64 / /rootfs
COPY --link --from=pkg-cryptsetup-amd64 / /rootfs
COPY --link --from=pkg-containerd-amd64 / /rootfs
COPY --link --from=pkg-dosfstools-amd64 / /rootfs
Expand Down Expand Up @@ -622,6 +627,7 @@ END
FROM build AS rootfs-base-arm64
COPY --link --from=pkg-fhs / /rootfs
COPY --link --from=pkg-ca-certificates / /rootfs
COPY --link --from=pkg-apparmor-arm64 / /rootfs
COPY --link --from=pkg-cryptsetup-arm64 / /rootfs
COPY --link --from=pkg-containerd-arm64 / /rootfs
COPY --link --from=pkg-dosfstools-arm64 / /rootfs
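Review bot: The new `COPY --link --from=pkg-apparmor-amd64 / /rootfs` (and its arm64 twin in the rootfs-base-arm64 hunk) gives a Dockerfile reader no hint that this package is there for containerd rather than as a generic userland dependency; the commit message says the point is `/sbin/apparmor_parser`, and the release note says the profiles only take effect when the machine is booted with `security=apparmor`. I would add a comment above both COPY lines, e.g. `# apparmor: ships /sbin/apparmor_parser, which containerd needs to load workload AppArmor profiles (effective only when the kernel is booted with security=apparmor)`. The same comment belongs above the `FROM --platform=amd64 ${PKG_APPARMOR} AS pkg-apparmor-amd64` stage pair in the second hunk, so the reason is visible where the package is first pulled in. Both rootfs-base stages start at the hunk's `FROM build AS ...` line and continue past the end of the hunk.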
4 changes: 3 additions & 1 deletion Makefile
Expand Up @@ -18,14 +18,15 @@ ARTIFACTS := _out
TOOLS ?= ghcr.io/siderolabs/tools:v1.8.0-alpha.0-5-gd2746e5

PKGS_PREFIX ?= ghcr.io/siderolabs
PKGS ?= v1.8.0-alpha.0-23-gc309452
PKGS ?= v1.8.0-alpha.0-29-g84bad89
EXTRAS ?= v1.8.0-alpha.0-2-g0efb05f

KRES_IMAGE ?= ghcr.io/siderolabs/kres:latest
CONFORMANCE_IMAGE ?= ghcr.io/siderolabs/conform:latest

PKG_FHS ?= $(PKGS_PREFIX)/fhs:$(PKGS)
PKG_CA_CERTIFICATES ?= $(PKGS_PREFIX)/ca-certificates:$(PKGS)
PKG_APPARMOR ?= $(PKGS_PREFIX)/apparmor:$(PKGS)
PKG_CRYPTSETUP ?= $(PKGS_PREFIX)/cryptsetup:$(PKGS)
PKG_CONTAINERD ?= $(PKGS_PREFIX)/containerd:$(PKGS)
PKG_DOSFSTOOLS ?= $(PKGS_PREFIX)/dosfstools:$(PKGS)
Expand Down Expand Up @@ -177,6 +178,7 @@ COMMON_ARGS += --build-arg=REGISTRY=$(REGISTRY)
COMMON_ARGS += --build-arg=PKGS_PREFIX=$(PKGS_PREFIX)
COMMON_ARGS += --build-arg=PKG_FHS=$(PKG_FHS)
COMMON_ARGS += --build-arg=PKG_CA_CERTIFICATES=$(PKG_CA_CERTIFICATES)
COMMON_ARGS += --build-arg=PKG_APPARMOR=$(PKG_APPARMOR)
COMMON_ARGS += --build-arg=PKG_CRYPTSETUP=$(PKG_CRYPTSETUP)
COMMON_ARGS += --build-arg=PKG_CONTAINERD=$(PKG_CONTAINERD)
COMMON_ARGS += --build-arg=PKG_DOSFSTOOLS=$(PKG_DOSFSTOOLS)
14 changes: 14 additions & 0 deletions hack/release.toml
Expand Up @@ -27,6 +27,20 @@ Flannel: 0.25.3
Talos is built with Go 1.22.4.
"""

[notes.apparmor]
title = "Workload Apparmor Profile"
description = """\
Talos Linux can now apply the default AppArmor profiles to all workloads started via containerd, if the machine is installed with the AppArmor LSM enforced via the extraKernelArgs.
Eg:
```yaml
machine:
install:
extraKernelArgs:
- security=apparmor
```
"""

[notes.zstd]
title = "ZSTD Compression"
2 changes: 1 addition & 1 deletion pkg/machinery/constants/constants.go
Expand Up @@ -14,7 +14,7 @@ import (

const (
// DefaultKernelVersion is the default Linux kernel version.
DefaultKernelVersion = "6.6.32-talos"
DefaultKernelVersion = "6.6.33-talos"

// KernelModulesPath is the default path to the kernel modules without the kernel version.
KernelModulesPath = "/lib/modules"
2 changes: 1 addition & 1 deletion pkg/machinery/gendata/data/pkgs
@@ -1 +1 @@
v1.8.0-alpha.0-23-gc309452
v1.8.0-alpha.0-29-g84bad89
