From c8ed2bb7989cdb89d0254bb950031ecf70b52355 Mon Sep 17 00:00:00 2001
From: Mikko Ylinen
Date: Sat, 30 May 2020 09:19:05 +0300
Subject: [PATCH 1/2] deployments: qat: add an overlay for Apparmor annotations

Some Ubuntu systems may run with Apparmor LSM policy enformements making the default QAT daemonset to fail with (un)bind errors. This commit adds a sample kustomize overlay to deploy the QAT daemonset with Apparmor uconfined policy.
Fixes: #381
Signed-off-by: Mikko Ylinen
---
.../add-apparmor-unconfined-intel-qat.yaml | 9 +++++++++
.../overlays/apparmor_unconfined/kustomization.yaml | 4 ++++
2 files changed, 13 insertions(+)
create mode 100644 deployments/qat_plugin/overlays/apparmor_unconfined/add-apparmor-unconfined-intel-qat.yaml
create mode 100644 deployments/qat_plugin/overlays/apparmor_unconfined/kustomization.yaml
diff --git a/deployments/qat_plugin/overlays/apparmor_unconfined/add-apparmor-unconfined-intel-qat.yaml b/deployments/qat_plugin/overlays/apparmor_unconfined/add-apparmor-unconfined-intel-qat.yaml
new file mode 100644
index 000000000..082916034
--- /dev/null
+++ b/deployments/qat_plugin/overlays/apparmor_unconfined/add-apparmor-unconfined-intel-qat.yaml
@@ -0,0 +1,9 @@
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+ name: intel-qat-plugin
+spec:
+ template:
+ metadata:
+ annotations:
+ container.apparmor.security.beta.kubernetes.io/intel-qat-plugin: unconfined
diff --git a/deployments/qat_plugin/overlays/apparmor_unconfined/kustomization.yaml b/deployments/qat_plugin/overlays/apparmor_unconfined/kustomization.yaml
new file mode 100644
index 000000000..9ac41de14
--- /dev/null
+++ b/deployments/qat_plugin/overlays/apparmor_unconfined/kustomization.yaml
@@ -0,0 +1,4 @@
+bases:
+ - ../../base
+patches:
+- add-apparmor-unconfined-intel-qat.yaml

From de529da631486f636a854642b1dc25091f8248dc Mon Sep 17 00:00:00 2001
From: Mikko Ylinen
Date: Mon, 1 Jun 2020 10:50:32 +0300
Subject: [PATCH 2/2] demo: opae-nlb-demo: restore Clear Linux workaround
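Review bot: The annotation on the last added line of add-apparmor-unconfined-intel-qat.yaml switches AppArmor off for the `intel-qat-plugin` container altogether, and nothing in the file says so or says when the overlay is appropriate. A header comment would make the trade-off visible to whoever applies it, e.g. `# Disables AppArmor confinement for the plugin container; use only on nodes where the default profile blocks the driver (un)bind writes (#381).` A tighter option is a profile loaded on the node and referenced as `localhost/<profile-name>` that permits just those writes, so the container keeps the rest of its confinement. The annotation key suffix has to match the container name in the base DaemonSet, which is not visible in this patch.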
Signed-off-by: Mikko Ylinen
---
demo/opae-nlb-demo/Dockerfile | 2 ++
1 file changed, 2 insertions(+)
diff --git a/demo/opae-nlb-demo/Dockerfile b/demo/opae-nlb-demo/Dockerfile
index 4ca4238f2..7ff47f5de 100644
--- a/demo/opae-nlb-demo/Dockerfile
+++ b/demo/opae-nlb-demo/Dockerfile
@@ -17,6 +17,8 @@ RUN swupd update --no-boot-update ${CLEAR_LINUX_VERSION} && \
 
 # Fetch dependencies and source code
 ARG OPAE_RELEASE=1.4.0-1
+# workaround for a swupd failure discussed in https://github.com/clearlinux/distribution/issues/831
+RUN ldconfig
 RUN mkdir -p /usr/src/opae && \
 cd /usr/src/opae && \
 wget https://github.com/OPAE/opae-sdk/archive/${OPAE_RELEASE}.tar.gz && \
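Review bot: `RUN ldconfig` lands under the "Fetch dependencies and source code" heading, between `ARG OPAE_RELEASE` and the `RUN` that consumes it, although its comment ties it to swupd, whose step sits above the hunk. Moving it directly after the swupd `RUN` would keep the workaround next to the step it repairs. The comment could also name the symptom and the removal condition rather than only linking the issue, e.g. `# Refresh the linker cache after swupd (clearlinux/distribution#831); drop once fixed upstream.` The swupd command and the tail of the following `RUN` are outside the hunk, so the placement advice is inferred from the comment text.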