Add security settings #25

Merged
merged 17 commits into from
Sep 28, 2023
1 change: 1 addition & 0 deletions .github/workflows/build.yaml
@@ -16,6 +16,7 @@ jobs:
run: |
sudo snap install yq
sudo snap install rockcraft --classic --edge --revision=687
sudo snap install charmcraft --classic --revision 1349
Contributor


Noob question: why different charmcraft here than in integration?

Contributor Author


AFAIK it is actually the same version, but in this case we install it, while in the case of the integration test we update the installed one.

- name: Build ROCK
run: |
app_version=$(yq '.version' rockcraft.yaml)
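Review bot: `sudo snap install charmcraft --classic --revision 1349` pins the tool by bare revision number with no comment saying why, while integration.yaml in this same PR pins it with `sudo snap refresh --channel=2.2 charmcraft`; the comment thread inside this hunk already asks about the discrepancy. Suggest a one-line comment above the install stating that revision 1349 corresponds to the 2.2 channel (as the author says in the thread) and why a revision rather than a channel is used here, so the two pins can be bumped together. The same applies to `sudo snap install rockcraft --classic --edge --revision=687`, where `--edge` combined with a fixed revision means the build is tied to one specific edge build of rockcraft.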
10 changes: 8 additions & 2 deletions .github/workflows/integration.yaml
@@ -27,13 +27,19 @@ jobs:
uses: charmed-kubernetes/actions-operator@main
with:
provider: microk8s
channel: "1.27-strict/stable"
bootstrap-constraints: "cores=2 mem=2G"
juju-channel: 3.1/stable
# This is needed until
# https://bugs.launchpad.net/juju/+bug/1977582 is fixed
bootstrap-options: "--agent-version 2.9.29"
bootstrap-options: "--agent-version 3.1.5"
- name: Pin charmcraft version
run: |
sudo snap refresh --channel=2.2 charmcraft
- uses: actions/download-artifact@v3
with:
name: mongodb-rock
- name: Install tox
run: python3 -m pip install tox
- name: Integration Tests
run: sg microk8s -c "tox -e ${{ matrix.env }}"
run: sg snap_microk8s -c "tox -e ${{ matrix.env }}"
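Review bot: the comment `# This is needed until https://bugs.launchpad.net/juju/+bug/1977582 is fixed` is kept unchanged above the bumped `bootstrap-options: "--agent-version 3.1.5"`, so it now claims that a 2.9-era workaround still applies to Juju 3.1; confirm the bug is still open for 3.1 and, if the pin is now only there to match `juju-channel: 3.1/stable`, reword the comment to say so. Also worth a short comment: `sg microk8s` becomes `sg snap_microk8s`, which is the group name used by the strictly confined `channel: "1.27-strict/stable"` microk8s, so those two settings have to be changed together if the channel is ever moved back to a classic one.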
100 changes: 57 additions & 43 deletions rockcraft.yaml
@@ -5,52 +5,66 @@ base: ubuntu:22.04 # the base environment for this ROCK
version: "5.0.14-12" # just for humans. Semantic versioning is recommended
summary: MongoDB in a rock. # 79 char long summary
description: |
MongoDB is a source-available cross-platform
document-oriented database program. Classified
as a NoSQL database program, MongoDB uses JSON
-like documents with optional schemas.
MongoDB is a source-available cross-platform
document-oriented database program. Classified
as a NoSQL database program, MongoDB uses JSON
-like documents with optional schemas.
license: Apache-2.0 # your application's SPDX license
entrypoint:
dmitry-ratushnyy marked this conversation as resolved.
- /usr/bin/setpriv
- --clear-groups
- --reuid
- mongodb
- --regid
- mongodb
- --
- /usr/bin/mongod
- /usr/bin/setpriv
- --clear-groups
- --reuid
- mongodb
- --regid
- mongodb
- --
- /usr/bin/mongod

platforms: # The platforms this ROCK should be built on and run on
amd64:
amd64:

parts:
mongo-snap:
plugin: nil
stage-snaps:
- charmed-mongodb/5/edge
overlay-packages:
- ca-certificates
dep-debs:
plugin: nil
stage-packages:
- util-linux
- libssh-4
- libbrotli1
non-root-user:
plugin: nil
after: [mongo-snap]
overlay-script: |
# Create a user in the $CRAFT_OVERLAY chroot
groupadd -R $CRAFT_OVERLAY -g 584788 mongodb
useradd -R $CRAFT_OVERLAY -M -r -g mongodb -u 584788 mongodb
override-prime: |
craftctl default
# Give permission and create the required directories
mkdir -p $CRAFT_PRIME/data/db
chmod 0755 $CRAFT_PRIME/data/db
chown -R 584788:584788 $CRAFT_PRIME/data/db
rock-license:
plugin: dump
source: licenses
organize:
LICENSE-rock: licenses/LICENSE-rock
mongo-snap:
plugin: nil
stage-snaps:
- charmed-mongodb/5/edge
overlay-packages:
- ca-certificates
dep-debs:
plugin: nil
stage-packages:
- libssh-4
- libbrotli1
non-root-user:
plugin: nil
after: [mongo-snap]
overlay-script: |
# Create a user in the $CRAFT_OVERLAY chroot
groupadd -R $CRAFT_OVERLAY -g 584788 mongodb
useradd -R $CRAFT_OVERLAY -M -r -g mongodb -u 584788 mongodb
override-prime: |
craftctl default
# Give permission and create the required directories
mkdir -p $CRAFT_PRIME/data/db
chmod 0755 $CRAFT_PRIME/data/db
chown -R 584788:584788 $CRAFT_PRIME/data/db
# enable security monitoring
rocks=usr/share/rocks/
mkdir -p ${rocks}
## for deb packages
Contributor


nit: can we have enters after the comments?

Contributor Author


I can try, but the linter was complaining about those.

Contributor

@MiaAltieri Sep 28, 2023


hmm, maybe we can copy the linter from opensearch? They seem to have fewer problems, and then you could have the dpkg command the way you originally intended?

(doesn't have to be now) but it would be good long term if we had our linters aligned across products on the NoSQL team

Contributor Author

@dmitry-ratushnyy Sep 28, 2023


Looks like the opensearch rock does not have a linter (if I am not missing anything).

declare -a arr=()
arr+=('${db:Status-Abbrev},')
arr+=('${binary:Package},')
arr+=('${Version},')
arr+=('${source:Package},')
arr+=('${Source:Version}\n')
dpkg-query -W -f "${arr[*]}" > ${rocks}/dpkg.query
## for snap packages
cp snap.charmed-mongodb/manifest.yaml ${rocks}
cp snap.charmed-mongodb/snapcraft.yaml ${rocks}

rock-license:
plugin: dump
source: licenses
organize:
LICENSE-rock: licenses/LICENSE-rock
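Review bot: `dpkg-query -W -f "${arr[*]}" > ${rocks}/dpkg.query` in `override-prime` queries the dpkg database of the build environment, not the package database of the rock being primed, so the manifest written under `# enable security monitoring` lists the builder's packages rather than the packages actually shipped in the image; pass `--admindir=$CRAFT_PRIME/var/lib/dpkg` so the query reads the primed tree. Two smaller points in the same script: `"${arr[*]}"` joins the array elements with a space, so the format string becomes `${db:Status-Abbrev}, ${binary:Package}, ...` and every field after the first in dpkg.query carries a leading space that any consumer splitting on `,` has to strip; a single-quoted format string, or joining with an empty `IFS`, avoids that. And `util-linux` is dropped from `stage-packages` while the entrypoint still runs `/usr/bin/setpriv`, which is shipped by util-linux; that only works if the `ubuntu:22.04` base already provides it, which deserves a comment next to the entrypoint so the dependency is not removed again by accident.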