Rockstor on Vanilla MicroOS openSUSE - AppArmor

Hey there

I really do like the concept of Rockstor
… although I am also a big fan of openSUSE’s new MicroOS for servers with its atomic transactional updates.
Unfortunately there is no installer for Rockstor on openSUSE MicroOS (yet), but I thought about installing Rockstor on a “Vanilla” MicroOS installation as explained in the Documentation.
(MicroOS is built from the same codebase as Tumbleweed - every application that runs on Tumbleweed should run on MicroOS with no issue as well.)

But my main question is about disabling AppArmor.
I am somewhat uncomfortable about disabling it completely as suggested in the documentation.

Are there any discussions around this “issue”, why it is necessary in the first place? (I didn’t find any reasoning here in the forum or in the documentation)

I am not an expert in AppArmor, in fact I have never touched it so far.
But I read a bit in the openSUSE Documentation about AppArmor and if I understand it correctly, unknown applications have to be manually confined by AppArmor, not empowered.

I am not (so much) concerned about allowing Rockstor to do everything, as I am to disable AppArmor for the whole system.
Are there any discussions / resources regarding Rockstor I can have a look at?

Cheers
Simon

@simon-77 I defer to @phillxnet as the expert here really, but if I remember correctly, the intent is to eventually get aligned with AppArmor down the road. So, for now Rockstor is somewhat incompatible with AppArmor, but when time/resources/interest (maybe you want to get into it?) allow, Rockstor will be enabled to work with AppArmor enabled again. Historically, during the process of changing distributions from CentOS to openSUSE, I think the decision was made to not make this part of the transition a priority.

3 Likes

Follow up question:

I just noticed that openSUSE has switched with MicroOS from AppArmor to SELinux.
This might be interesting if you would plan to build Rockstor on MicroOS eventually :smiley: :crossed_fingers:

As Rockstor was running previously on CentOS with SELinux, you were dealing with it previously. If I understand it correctly, SELinux was also simply disabled to get Rockstor running?

Are there any resources / discussion / … for Rockstor around SELinux (regarding the old CentOS version) that I can have a look at to play around with openSUSE MicroOS?

Cheers
Simon

2 Likes

Hi @simon-77

Thanks for all the discussion and your willingness to “play around” with Rockstor; that’s great to see! I don’t have all the answers you seek but I see that @Hooverdan already answered much of it :-). I still wanted to chip in a bit in the hopes it can still provide you with additional elements of answers.

I do believe that being able to support transactional updates was part of @phillxnet’s plan when he worked on moving the Project from CentOS to openSUSE. This was with the “transactional server” role offered to Leap at the time (15.1, I believe?) in mind. This does come with its own particularities about the BTRFS organization/structure for the OS, though, which given the already massive task of moving between OSes was left to a future plan. Now that the “transactional server” role is not really the future and that MicroOS will/does address this need, there was indeed some interest in it.
We’ve had a brief discussion on the matter in our rockstor-core repo, for instance:

You’ll find a lot of “historical” resources and references in @phillxnet’s input there, alongside a detailed explanation of confirmation on the interest in being able to support transactional updates.

Of course, with the coming of ALP, things may change again in the near future so we’re keeping an eye on how the future of Leap looks like so that we can adapt accordingly.

@Hooverdan is entirely correct. We actually had AppArmor on in the early openSUSE builds, but we hit issues with it and had to disable it, with the intent of turning it back on once ready. The dev thread below should give you a good idea of what happened exactly (search for AppArmor as that can be quite long):

Oh good to know! I knew there were discussions on switching to SELinux but didn’t know it had already happened!

@phillxnet would most likely be the most knowledgeable on that; I unfortunately was not knowledgeable enough during our CentOS days, I’m afraid.

2 Likes

When looking at the MicroOS design, I am not entirely sure that this is a complete switch, when checking:
https://en.opensuse.org/Portal:MicroOS/Design

in particular this section,

it seems to me that they’re just offering more options, and if MicroOS is to be more cloud-oriented and to fit into a heterogeneous landscape, it seems to make sense to fully support multiple options there?

3 Likes

Oh OK… that’s more motivating then :slight_smile: .

@simon-77, I would believe the best documentation you can get for either of these would be from openSUSE docs themselves as we really try to remain as close as possible to our upstream defaults:

It doesn’t seem to apply to MicroOS, but in Leap, it appears no policy is provided and one has to make it: openSUSE Leap 15.4 | Security and Hardening Guide | Configuring SELinux

A policy is not included, and you must build your own.

Based on discussions on features to add to Leap, it appears a policy won’t be provided in Leap 15, but maybe in Leap 16: Issue #36: SELinux as 'tech preview'? - features - Pagure for openSUSE

I know that’s not very helpful, but hopefully it still provides you with some elements to begin somewhere.

3 Likes

Thank you for the extensive replies and the links to further resources :blush:

It is great to read all the ongoing discussions about Security (AppArmor) and transactional systems (MicroOS).


Yesterday I played around a bit and tried to install Rockstor on a plain openSUSE MicroOS. Although I eventually got stuck, I got some insights.

During installation of openSUSE MicroOS I selected the System Role: MicroOS (there are other System Roles as well, with either a podman container runtime or with a desktop environment)

  • NetworkManager is enabled by default (as opposed to wicked for Leap I assume)
  • The default Security Module is SELinux - AppArmor can be selected instead during installation, but the required packages must also be selected manually

After installation, the manual installation must be done via transactional-update shell, which will open a new shell for persistent changes:

# Rockstor OBS repos, switched from the Leap 15.4 paths in the guide to the Tumbleweed builds
zypper --non-interactive addrepo --refresh -p105 https://download.opensuse.org/repositories/home:/rockstor/openSUSE_Tumbleweed/ home_rockstor
zypper --non-interactive addrepo --refresh -p97 https://download.opensuse.org/repositories/home:/rockstor:/branches:/Base:/System/openSUSE_Tumbleweed/ home_rockstor_branches_Base_System
# Rockstor package signing key, then the testing channel
rpm --import https://raw.githubusercontent.com/rockstor/rockstor-core/master/conf/ROCKSTOR-GPG-KEY
zypper addrepo -f http://updates.rockstor.com:8999/rockstor-testing/tumbleweed/ Rockstor-Testing
zypper --non-interactive --gpg-auto-import-keys refresh
# this step reported the busybox-which conflict mentioned below
zypper install docker rockstor

I changed the repos from this guide to the tumbleweed repos.
During installation there was one conflict regarding the installed package busybox-which, but the suggested solution (uninstalling busybox-which) resolved it without further issues.

As transactional updates need a reboot to become visible, a reboot is required before the systemd services can be enabled:

systemctl enable --now docker
systemctl enable --now rockstor-bootstrap

I also put SELinux (which I left unchanged during installation) into permissive mode, but unfortunately the rockstor-pre service did not start, with a Permission denied error …

I did a quick Google search for this Permission denied error but did not find anything similar.
As I am not familiar enough with Linux to resolve the issue on my own, I eventually stopped this experiment and installed Rockstor on openSUSE Leap 15.4 again, which I will use now.


In the beginning I read a bit about AppArmor and SELinux (both the openSUSE documentation and the discussions here). As I was not able to get Rockstor running without them on MicroOS, I did not try anything further regarding AppArmor or SELinux.

I also noticed that these things are much more complicated than my limited knowledge of Linux can handle.


A few more remarks regarding MicroOS:

  • AppArmor is an option during installation and I assume it will stay fully supported as @Hooverdan pointed out. From the way the documentation is written and the installer is built, I assume that SELinux is nevertheless the advocated Security Model.
    (I don’t want to discourage the use of AppArmor, as I have no idea how complicated it would be to support SELinux in comparison to AppArmor)
  • I am also looking forward to what ALP will bring to openSUSE. I assume that openSUSE MicroOS will stay around as a rolling-release version with transactional updates. But I am also looking forward to seeing what will replace openSUSE Leap … let’s wait for an announcement.
3 Likes
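The "Permission denied" seen in the last post while SELinux was in permissive mode is a good place to separate the three things that produce that error on an openSUSE host: a mandatory access control denial (SELinux in enforcing mode, or an AppArmor profile in enforce mode), a read-only mount (on MicroOS, anything outside the writable subvolumes unless you are inside transactional-update), and ordinary DAC ownership/mode problems. The relevant detail for the thread is that SELinux in permissive mode still writes AVC records, but tags them permissive=1 and does not enforce them, so a real EACCES observed while permissive cannot have come from SELinux. The script below is an added example and is not code from the thread or from the Rockstor project; every log line in sample_log() is constructed for the example, and the unit name rockstor-pre and the /opt/rockstor path are illustrative anchors, not a diagnosis of the poster's failure.

```shell
#!/bin/sh
# Added example (not from the thread or the Rockstor project): classify the
# "Permission denied" records around a failed systemd unit so that a MAC
# denial (SELinux/AppArmor) is not confused with a read-only mount or a plain
# DAC problem. All sample log lines below are CONSTRUCTED; the unit name and
# paths are illustrative assumptions only.

# Classify a single journal/dmesg line by the denial source it records.
classify_denial() {
  case $1 in
    *'avc:  denied'*'permissive=1'*) echo selinux-permissive ;;  # logged, not enforced
    *'avc:  denied'*)                echo selinux-enforced ;;    # SELinux really blocked it
    *'apparmor="DENIED"'*)           echo apparmor ;;            # profile in enforce mode
    *'apparmor="ALLOWED"'*)          echo apparmor-complain ;;   # profile in complain mode
    *'Read-only file system'*)       echo readonly-fs ;;         # EROFS, not a MAC issue
    *'Permission denied'*)           echo dac ;;                 # EACCES with no MAC record
    *)                               echo other ;;
  esac
}

# Reduce per-line classes (one per stdin line) to a single verdict.
verdict() {
  mac=0 ro=0 dac=0 logged=0
  while IFS= read -r cls; do
    case $cls in
      selinux-enforced|apparmor)            mac=1 ;;
      selinux-permissive|apparmor-complain) logged=1 ;;
      readonly-fs)                          ro=1 ;;
      dac)                                  dac=1 ;;
    esac
  done
  if   [ "$mac" -eq 1 ];    then echo mac-denial
  elif [ "$ro" -eq 1 ];     then echo readonly-mount
  elif [ "$dac" -eq 1 ];    then echo dac-or-ownership   # MAC was at most audited
  elif [ "$logged" -eq 1 ]; then echo mac-audited-only
  else echo no-denial-seen
  fi
}

# Run a whole log (stdin) through both steps.
triage() {
  while IFS= read -r line; do classify_denial "$line"; done | verdict
}

# What to run next on the live box, per verdict (commands are real openSUSE tools).
next_checks() {
  case $1 in
    mac-denial)       echo 'getenforce; ausearch -m AVC -ts recent; aa-status; dmesg | grep apparmor' ;;
    readonly-mount)   echo 'findmnt -no TARGET,OPTIONS /opt /var /etc  # on MicroOS change / only via transactional-update' ;;
    dac-or-ownership) echo 'ls -ld /opt/rockstor /opt/rockstor/var/log; systemctl cat rockstor-pre  # User=, ProtectSystem=?' ;;
    mac-audited-only) echo 'audit2allow -a (SELinux) or aa-logprof (AppArmor) to turn audited events into policy' ;;
    *)                echo 'journalctl -b -u rockstor-pre' ;;
  esac
}

# CONSTRUCTED sample: one AVC logged under permissive mode, then a plain EACCES.
sample_log() {
  cat <<'EOF'
Jan 01 00:00:01 microos systemd[1]: Starting rockstor-pre.service...
Jan 01 00:00:01 microos kernel: audit: type=1400 audit(0.0:7): avc:  denied  { write } for  pid=1234 comm="python" name="rockstor" dev="sda2" ino=42 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=dir permissive=1
Jan 01 00:00:01 microos rockstor-pre[1234]: PermissionError: [Errno 13] Permission denied: '/opt/rockstor/var/log/rockstor.log'
Jan 01 00:00:01 microos systemd[1]: rockstor-pre.service: Main process exited, code=exited, status=1/FAILURE
EOF
}

v=$(sample_log | triage)
echo "verdict: $v"
echo "next:    $(next_checks "$v")"
```

On a real host, replace sample_log with `journalctl -b -u rockstor-pre -o short` plus `dmesg` and pipe that into triage. Note the ordering in classify_denial: the permissive=1 pattern is tested before the generic AVC pattern, because under permissive mode the same avc: denied text appears even though nothing was blocked, and treating it as an enforced denial is exactly the mistake that sends people to disable the whole security module instead of fixing ownership or a read-only mount.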